HackTheBox – Please, Don’t Share!

In this write-up we will be visiting theĀ Please, don’t share! challenge from HackTheBox.

Our intelligence service intercepted these strange messages which we saved in the messages.txt file. Are you able to help us decipher them?


We are given a file with the following contents.

source,destination,code,public
10.10.1.1,10.10.1.2,23snMFFUAzBkGou7QBwYgLrYjDX5bRPRk7yjjBDzfrxDGqgrZNLnkTtcDXQ9KLqJk17x4siBQNKzPnsssvuJEU5MT65uqHrPKyuNCPC87fFbswddaYJPM6RxccgcBwDj3PZF8MoigNy8QzuZD9VvtBibtsBSbEx4eHdcfQg3iDZGmZvJFfCtfnibjA9cdM5pe7mWBNXfuVrrdkEKcdGFa1o,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.3,26GokGBknCFSn1LPRCuaKY2gAYdthgB5S4LvP93c5bUq148B3bZ6DdB8WxFAStgwo4dFnqrYuwm4xfaUnU8EZkavV23HtFBMCintShJfYcfXsQE9w2Pgu3v3Fc8Bu3dvTBc3APEU48uQpktFc7vMaKWrSWi1iNWNTqjXJTM5UzAfy7aB7yHzuQnmcuT2Uz9ZDn7UWGZCDUBaSt2TK3K1W6a,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.4,23trvK6XXkuDNU6rv5GHLFnuTurqG9TQe7WyGiDNYp6682RUS7eK62ZkVfa6zKYL26whemo25HAzFdKsoKVgHGAGcN7bVj8k8by7M2rUKAZBXi3uV2g647swVWALJhF6ubyGzMATUKZtWs9y1eDgK9aLhN6Eyxn4em9TE2C6qngzdBbLAw9xx5rtsH3EAnrNr1aQWCSPL4ijuKj1os8DTLp,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.5,22ixogk5Tg9gLHPmygE393u3W2KtXz4zG8Nrhwh8Ezjpeu4RrFVoYQ1E3RbPR4n8U7NS7FAFQRitxoMD5QPpKRYX3Ari3jfZqn66RkPr3tQAFKEYBPenZUVAEpeatCuNRvQiKAqJ2isKtHuu293KXgdRFuLd3rnopxwTgHfZTBLxDbsA2YQbpHTGbo3wwcJfMkP8ctV8v9HFvLdnBiYwxLn,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.6,23t3v92vGrXgUjg11EHtAAb7jqNaM3ANcqHvAS2pGR1hVr5Kiwpyuu7oHE8BBDzTowGJbjc4x5nHwkuHUcZiJRfPQyMS3ETPYYCPWbffvsK4hETCevMsrehTWHMpin5y28LD3xnGiEeh4PUBJBwXMtuWDbSGRQuvDgrTr8k6vWULh9E6NDgwH7x3rTWxaugCWXNVhmbXq5twhwhzB4NPGLj,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.7,23tKc5uLVSHr2ZSUhw58bEHVRomFrHQxo6QSy6GgQsbVCDfredgdiNgJHCznALsyBMHEfGhXrwzNctrWdvGprS7zYttJiDs5cL7ksGKp37Up8HHBVzkpzHrPqiS7jyzJf6iKKyomYFpiyWdaCrF9Aj7xCKkQYHRyPVe4jRPjj3FqE4VSmESJ7Xf82YQB5XQ1qus5LwQFG5CooF7H548X5Rw,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.8,256eNHz889nPcTo8Z6tKA59jbHXFzcBZ9FpraGiv5hgdx5veXEhwBhe1qow952Npk5YiNGuriXHnv3RsWL3ZkzWvAPmycUwD8Gd94kFrLdtntsM5vHoNmsgb6ZHdiaYuhvTAkQGGrY4r4DZ36z2NWZLAx8RMG45buc9Rt3SFJm54HkrCcjPVkE8NmkBmuHMrd1ezdwkSkwkSt7wxQEoq7ez,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.9,22hszR4g7Qu58TVpHdZLwRVXjRQiKunqRgjQLazWhHhcNUUnu1fJYADm4c4Xgqu5yruhBqejnGvbsb4Q87QeTJ6uxRD3tiUT4GN8MMwzoFbPeSnAKSqshWj5sfwy6fRUtGmLuTWm3scw3XXTwAnT1uugE591avUQ3XfwYpb1kRUDHcGz5FUsnYKVZ25odW8karrRm9RzZR1LFBSmt5934HM,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.10,21WdrmmPKEeCuhADGN9A53JHmfxkb28bCsGBNrGfbMrqLJuDyi7azhaEeVk98CFjrcu3QAufnqAFB3sWkoedyTjLbU7PL5n61WGetE84KdYxLSwK94H3GnW16o8CnZAzKSUbovdW7b583THhvzGzvQMMptCTDBAHwSTyE988qf6nea9zzFubXqrbCRjsWWJhpXMxAYepYNMUvqWsjz8UE3a,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS
10.10.1.1,10.10.1.11,23t3yhAuaMWSkzyg5bwpwkcbwDW4b1vT7hKetYNsiW1SrS7kEd2Mz9SCoGM6qQ9QZRTYJUsbxP4U2qnsre3cdjhDBW3rqrhxK5XC12yo1HvujG5envGAyMwf4HpnZ1Z5NWcKkMpERMDpsJ8EbrnqLBTRPxW5UfzZHcvKwayp1KxwSzzwZTb671eSVAZkND4FHJApU1kht88vqitjBHUPp5H,27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS

We notice that the contents comprise a list of tuples, in which the code and public parameters are encoded. At first glance, the code and public parameters seems to be base64 encoded, but attempting to decode them reveals that the strings cannot be decoded using base64. Trying out a couple of other base decoders, we find that the encoded strings can be successfully decoded using base58. However, the strings simply decode into large integer numerals.

With that out of the way, we need to figure out what to do with the decoded data. Googling various combinations of share and cipher, we stumble upon secret sharing. Furthermore, we find the following GitHub repository featuring a python library for performing secret sharing operations. Inside the GitHub repository we find the following code snippet for splitting a secret into shares.

>>> from secretsharing import secret_int_to_points, points_to_secret_int
>>> secret = 88985120633792790105905686761572077713049967498756747774697023364147812997770L
>>> shares = secret_int_to_points(secret, 2, 3)
[(1, 108834987130598118322155382953070549297972563210322923466700361825476188819879L), (2, 12892764390087251114834094135881113029625174256248535119246116278891435001755L), (3, 32742630886892579331083790327379584614547769967814710811249454740219810823864L)]

The output from the secret_int_to_points function contains large integer numerals similar to those decoded in our above data. However, the shares variable contains tuples of only two elements. Looking at our data again, we notice that the source and public parameters are the same for all entries in the list, and we can therefore assume that the destination and code parameters comprise these secret shares.

Inside the GitHub repository we furthermore find the following code snippet for compiling shares into a secret.

>>> points_to_secret_int(shares[0:2])
88985120633792790105905686761572077713049967498756747774697023364147812997770L

Following the above snippet, we can build a script to perform these steps for us. The final script should look as shown below. It should be mentioned that I tried various different mutations of the destination parameter before arriving at this solution. Initially, I thought that we needed just the last octet from the destination IP address, but through trial and error I found that we needed to convert the destination IP address to its integer equivalent.

from base58 import b58decode
from socket import inet_aton
from struct import unpack
from secretsharing import points_to_secret_int

def ip2int(addr):
    return unpack("!I", inet_aton(addr))[0]

messages = [
    ('10.10.1.1', '10.10.1.2', '23snMFFUAzBkGou7QBwYgLrYjDX5bRPRk7yjjBDzfrxDGqgrZNLnkTtcDXQ9KLqJk17x4siBQNKzPnsssvuJEU5MT65uqHrPKyuNCPC87fFbswddaYJPM6RxccgcBwDj3PZF8MoigNy8QzuZD9VvtBibtsBSbEx4eHdcfQg3iDZGmZvJFfCtfnibjA9cdM5pe7mWBNXfuVrrdkEKcdGFa1o', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.3', '26GokGBknCFSn1LPRCuaKY2gAYdthgB5S4LvP93c5bUq148B3bZ6DdB8WxFAStgwo4dFnqrYuwm4xfaUnU8EZkavV23HtFBMCintShJfYcfXsQE9w2Pgu3v3Fc8Bu3dvTBc3APEU48uQpktFc7vMaKWrSWi1iNWNTqjXJTM5UzAfy7aB7yHzuQnmcuT2Uz9ZDn7UWGZCDUBaSt2TK3K1W6a', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.4', '23trvK6XXkuDNU6rv5GHLFnuTurqG9TQe7WyGiDNYp6682RUS7eK62ZkVfa6zKYL26whemo25HAzFdKsoKVgHGAGcN7bVj8k8by7M2rUKAZBXi3uV2g647swVWALJhF6ubyGzMATUKZtWs9y1eDgK9aLhN6Eyxn4em9TE2C6qngzdBbLAw9xx5rtsH3EAnrNr1aQWCSPL4ijuKj1os8DTLp', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.5', '22ixogk5Tg9gLHPmygE393u3W2KtXz4zG8Nrhwh8Ezjpeu4RrFVoYQ1E3RbPR4n8U7NS7FAFQRitxoMD5QPpKRYX3Ari3jfZqn66RkPr3tQAFKEYBPenZUVAEpeatCuNRvQiKAqJ2isKtHuu293KXgdRFuLd3rnopxwTgHfZTBLxDbsA2YQbpHTGbo3wwcJfMkP8ctV8v9HFvLdnBiYwxLn', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.6', '23t3v92vGrXgUjg11EHtAAb7jqNaM3ANcqHvAS2pGR1hVr5Kiwpyuu7oHE8BBDzTowGJbjc4x5nHwkuHUcZiJRfPQyMS3ETPYYCPWbffvsK4hETCevMsrehTWHMpin5y28LD3xnGiEeh4PUBJBwXMtuWDbSGRQuvDgrTr8k6vWULh9E6NDgwH7x3rTWxaugCWXNVhmbXq5twhwhzB4NPGLj', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.7', '23tKc5uLVSHr2ZSUhw58bEHVRomFrHQxo6QSy6GgQsbVCDfredgdiNgJHCznALsyBMHEfGhXrwzNctrWdvGprS7zYttJiDs5cL7ksGKp37Up8HHBVzkpzHrPqiS7jyzJf6iKKyomYFpiyWdaCrF9Aj7xCKkQYHRyPVe4jRPjj3FqE4VSmESJ7Xf82YQB5XQ1qus5LwQFG5CooF7H548X5Rw', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.8', '256eNHz889nPcTo8Z6tKA59jbHXFzcBZ9FpraGiv5hgdx5veXEhwBhe1qow952Npk5YiNGuriXHnv3RsWL3ZkzWvAPmycUwD8Gd94kFrLdtntsM5vHoNmsgb6ZHdiaYuhvTAkQGGrY4r4DZ36z2NWZLAx8RMG45buc9Rt3SFJm54HkrCcjPVkE8NmkBmuHMrd1ezdwkSkwkSt7wxQEoq7ez', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.9', '22hszR4g7Qu58TVpHdZLwRVXjRQiKunqRgjQLazWhHhcNUUnu1fJYADm4c4Xgqu5yruhBqejnGvbsb4Q87QeTJ6uxRD3tiUT4GN8MMwzoFbPeSnAKSqshWj5sfwy6fRUtGmLuTWm3scw3XXTwAnT1uugE591avUQ3XfwYpb1kRUDHcGz5FUsnYKVZ25odW8karrRm9RzZR1LFBSmt5934HM', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.10', '21WdrmmPKEeCuhADGN9A53JHmfxkb28bCsGBNrGfbMrqLJuDyi7azhaEeVk98CFjrcu3QAufnqAFB3sWkoedyTjLbU7PL5n61WGetE84KdYxLSwK94H3GnW16o8CnZAzKSUbovdW7b583THhvzGzvQMMptCTDBAHwSTyE988qf6nea9zzFubXqrbCRjsWWJhpXMxAYepYNMUvqWsjz8UE3a', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
    ('10.10.1.1', '10.10.1.11', '23t3yhAuaMWSkzyg5bwpwkcbwDW4b1vT7hKetYNsiW1SrS7kEd2Mz9SCoGM6qQ9QZRTYJUsbxP4U2qnsre3cdjhDBW3rqrhxK5XC12yo1HvujG5envGAyMwf4HpnZ1Z5NWcKkMpERMDpsJ8EbrnqLBTRPxW5UfzZHcvKwayp1KxwSzzwZTb671eSVAZkND4FHJApU1kht88vqitjBHUPp5H', '27UsFJseRREXu6wjZRugHhKxwLD6jWbY9J5w2tTHp8ody1yvjp1phFXwPBerAYArE9BijQnaVqLXXPMa5LnVzJ3zTrwu4zLWb8nBfuBYqUmiynf5zne6X4uGu3hiWHGKwjnWJwDaSUsJspTqX6wNEGC1FmUHyK5wENojHFPNNuSFmGptLGEkjMki3kUki3m6SCFCDjPNMG8X56TfF4TZgfS'),
]

points = [(ip2int(b), int(b58decode(c))) for (a, b, c, d) in messages]

print ("%x" % points_to_secret_int(points)).decode('hex')

We can now run our script to decode the ciphertext.

And there you have it – the challenge has been solved!

Leave a Reply