
CTFs | DGHACK_2023 | Crypto | Cryptoneat

Cryptoneat

In this challenge, we are given an HTML page that you can download here. The page embeds a large chunk of library code, CryptoJS 3.1.9-1, followed by a much shorter and more readable script with functions to encrypt and decrypt messages with a password. A quick look at the encrypt function shows that it uses AES in CTR mode together with padding (keep that in mind, it will matter later):

image

After those function declarations come a long ciphertext, encrypted_message1, and a shorter one, encryptedMsg2. Looking into what can go wrong with AES in CTR mode, we find this blog. CTR mode turns AES into a stream cipher: the keystream is the AES encryption of the IV/counter blocks, and cipher_text = message XOR keystream. It follows that if two messages are encrypted with the same IV (initialisation vector) and the same secret, they share the same keystream, so knowing one message and its plaintext lets us recover the keystream and, with it, the other message (at least as far as the known plaintext reaches). At first sight we have no plaintext here, but looking closer, encryptedMsg2 and the cryptoThanks string have roughly the same length:

image

The length difference is due to the padding we saw earlier. Let P1 and P2 be the two plaintexts and C1 and C2 the corresponding ciphertexts. Since C1 = P1 XOR KEY and C2 = P2 XOR KEY, where KEY is the shared keystream, recovering KEY from the known pair lets us decrypt the other message. As just said, we assume that P2 = "Build with love, kitties and flowers" and that C2_known = "C19FW3jqqqxd6G/z0fcpnOSIBsUSvD+jZ7E9/VkscwDMrdk9i9efIvJw1Fj6Fs0R"

Note that the IV (the first 32 characters of each stored value) has been stripped. The IV is not part of the ciphertext itself; it is prepended to it so that the decrypt function can find it again.

With that in mind, P2 has to be padded to the same length as C2. C2 is 48 bytes and P2 is 36, so 48-36 = 12 bytes are missing, and the padding scheme fills them with 12 bytes of value 12, i.e. 0x0C (this is what PKCS#7 padding produces):

image

Matching the lengths matters: the XOR is done byte by byte, so if the padded plaintext is shorter than the ciphertext the recovered keystream is truncated (or the operation fails outright), and the last 12 keystream bytes are only correct if the padding bytes are guessed correctly.

XORing the padded P2 (12 bytes of 0x0C appended, converted to bytes) with C2 gives the keystream KEY:

image

We can now XOR C1 with the recovered KEY and get the plaintext P1. Only as many bytes of P1 as we have keystream (48 here, the length of the known plaintext) come out of this; recovering more of encrypted_message1 would require more known plaintext:

image

Note that P1 was decoded without its IV as well.
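The keystream-reuse attack above, end to end, as an added example (this is not the writeup's own script). It takes the real known plaintext and encryptedMsg2 value quoted above, strips the 32-character IV the page describes, PKCS#7-pads the plaintext to the ciphertext length, recovers the 48-byte keystream and applies it to a second ciphertext. Because encrypted_message1 is not reproduced here, the second ciphertext is constructed: its first 48 keystream bytes are the recovered ones and the rest is constructed filler standing in for the keystream bytes the attack cannot learn, which makes the caveat visible in the result, only the first 48 bytes of the constructed message come back.

```python
"""Keystream reuse in AES-CTR: recover the keystream from one known
plaintext/ciphertext pair and apply it to a second ciphertext."""
import base64
import hashlib

BLOCK = 16       # AES block size in bytes
IV_HEX_LEN = 32  # the stored value starts with a 32-character hex IV (assumed format)


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7: append n bytes of value n, with 1 <= n <= block (never zero bytes)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR. zip() silently truncates to the shorter input, which is
    why the padded plaintext must be exactly as long as the ciphertext."""
    return bytes(x ^ y for x, y in zip(a, b))


def strip_iv(stored: str) -> tuple[str, bytes]:
    """Split a stored value into (iv_hex, ciphertext bytes): hex IV, then base64."""
    return stored[:IV_HEX_LEN], base64.b64decode(stored[IV_HEX_LEN:])


def recover_keystream(c_known: bytes, p_known: bytes) -> bytes:
    """keystream = C2 XOR pad(P2); refuse to proceed if the lengths disagree."""
    padded = pkcs7_pad(p_known)
    if len(padded) != len(c_known):
        raise ValueError(
            f"padded plaintext is {len(padded)} bytes, ciphertext is {len(c_known)}")
    return xor(c_known, padded)


def recover_prefix(c_target: bytes, keystream: bytes) -> bytes:
    """Only len(keystream) bytes of the target ciphertext can be recovered."""
    return xor(c_target, keystream)


# Real values from the writeup: the known plaintext and encryptedMsg2 without its IV.
P2 = b"Build with love, kitties and flowers"
C2 = base64.b64decode("C19FW3jqqqxd6G/z0fcpnOSIBsUSvD+jZ7E9/VkscwDMrdk9i9efIvJw1Fj6Fs0R")
KEYSTREAM = recover_keystream(C2, P2)  # 48 bytes

# Constructed stand-in for encrypted_message1 (the real one is not reproduced here).
# Bytes 0..47 of the stream are the recovered keystream; the rest is constructed
# filler that plays the role of the keystream bytes the attacker never learns.
P1_DEMO = b"Constructed secret for the example; the real message is longer than 48 bytes."
_FILLER = hashlib.sha256(b"constructed filler, not real keystream").digest() * 4
_FULL_STREAM = KEYSTREAM + _FILLER
C1_DEMO = xor(pkcs7_pad(P1_DEMO), _FULL_STREAM)


def attack(c1: bytes = C1_DEMO) -> bytes:
    """Decrypt the prefix of C1 covered by the recovered keystream."""
    return recover_prefix(c1, KEYSTREAM)


if __name__ == "__main__":
    iv_hex, c2 = strip_iv("00" * 16 + base64.b64encode(C2).decode())  # constructed IV
    print("IV (hex):", iv_hex)
    print("keystream bytes recovered:", len(KEYSTREAM))
    print("recovered prefix of P1:", attack())
```

The recovered prefix stops at byte 48 regardless of how long the target ciphertext is; in the writeup the same limit applies to encrypted_message1, so everything past the length of cryptoThanks stays opaque unless more plaintext is known.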

Running my code writes the content of P1 to a file called p1.txt:

image

We can now go to the URL given and use the password My2uperPassphras3 to access the secret content and recover the flag:

image

The flag is DGHACK{w3ak_pa22word2_ar3n-t_n3at}. You can find my full code here.

This post is licensed under CC BY 4.0 by the author.