[MagTF] Tux_is_on_fire

Challenge by WelloWorld

Tux_is_on_fire is an easy-medium misc task. You get a port and an ip, You can connect with netcat and see the following:

Dear friend, let's start with an easy task. All you need to do is to do the next steps: Atbash(Book('elixir-electrons/linux/v?.?/source/kernel', 'W1snZm9yay5jJyw3XSxbJ21vZHVsZS5jJyw1Nl0sWydleGl0LmMnLDg2XSxbJ3Jlc291cmNlLmMnLDI5XSxbJ2t0aHJlYWQuYycsNV0sWydzaWduYWwuYycsMTQxXSxbJ2dyb3Vwcy5jJywyNDAwNF0sWydjcHUuYycsMjhdLFsnZnJlZXplci5jJyw0NzJdLFsnc21wLmMnLDg2XSxbJ2NyYXNoX2R1bXAuYycsNF0sWydkbWEuYycsOF0sWydNYWtlZmlsZScsMV0sWydkbWEuYycsOV0sWydzbXAuYycsMjc2Ml0sWydtb2R1bGUuYycsM10sWydleGl0LmMnLDYzMF0sWydjcHUuYycsOV0sWydmb3JrLmMnLDI0NzY3Nl0sWydrdGhyZWFkLmMnLDJdLFsna3RocmVhZC5jJywyOF0sWydyZXNvdXJjZS5jJywzMDRdLFsnTWFrZWZpbGUnLDg2XSxbJ2V4aXQuYycsMjldLFsnZm9yay5jJyw1XSxbJ3Jlc291cmNlLmMnLDEyMTkyMV0sWydyZXNvdXJjZS5jJyw4NjBdLFsnY3Jhc2hfZHVtcC5jJywxNzY0XSxbJ3Jlc291cmNlLmMnLDUyOF0sWydtb2R1bGUuYycsMTc1OV0sWydtb2R1bGUuYycsMzE0OTQzXSxbJ2NyYXNoX2R1bXAuYycsNzU5OV1d'))
Oh shit, I forgot what kernel version I chose.. Damn. 

So we see we need to do an Atbash decryption on a book cipher on the following base64 text:


We understand that book cipher means to get the page, and get the letter in the number place in the page. If you get all these and merge it to a string you will get a sentence that needs to get into the Atbash cipher. Also, to make it harder, I didn’t really tell the version of the kernel on the site I used to create that sentence, so they should run a brute force on every version. (I used 4.3)

We get the sentence:

printk(\"Nice! Go: %d\",int(2095))

printk is the printf to the kernel messages to user-space. Maybe the Challenge connected? We are trying to connect to 2095 port and we get a file in hex bytes, we are saving it to a file, and we run ‘file’ command to see what file is it, we discovered it is a kernel module. Running the executable (of course on a virtual machine) and having a look in the ‘dmesg’ shows us the string:

Good job, continue: YvhgUozt3evi

Doing an Atbash on that, shows us the flag: BestFlag3ver
Sending it to the first server, and get the real-flag: MagTF{K3rnel_Module_1s_The_Best!<3}