Old Crypto Server [Crypto]
Aero CTF 2020

Old Crypto Server

We found a very old crypto server. He has a secret that we want to get. However, he will not give it up so easily. Flag form for this task is "Aero{[0-9a-f]{32}}"

  • nc tasks.aeroctf.com 44323
  • File: -

Recon

We're given the source code to the python program that's listening on the challenge service. On connection, the program gives us a simple menu with some options:

1. Encrypt
2. Decrypt
3. Get server secret
4. Exit
>

Looking at the source code, options 1 and 2 don't seem useful. However, with option 3, we're asked to give a "salt" and then we get $$AESEncrypt_{ECB}(S_k, Pad(Salt|Flag))$$.

Since this is ECB mode, we know that we can leak the encrypted flag character by character since we control a prefix, which is the salt in this case. We do so by asking the server to give us the server secret with a padding that we control such that the next character we're trying to bruteforce is the last character in the block that contains our prefix.

We used a modified version of brute_ecb_suffix from p4's crypto commons which takes into account the fact that the suffix is not a multiple of the AES block size and uses a different alphabet to speed things up.

Solution

pip install crypto-commons

from pwn import *
from crypto_commons.generic import chunk

conn = remote("tasks.aeroctf.com", 44323)
print(conn.recvuntil("> "))

ALPHABET = [ord(x) for x in "1234567890abcdefAero{}"]


def encrypt(msg):
    conn.send_raw("3\n")
    conn.recvuntil('salt: ')
    conn.send_raw(msg + '\n')
    conn.recvuntil(": b'")
    encrypted = conn.recvuntil("'")[:-1]
    conn.recvuntil("> ")
    return b64d(encrypted)


def brute_ecb_suffix(encrypt_function, block_size=16,
                     expected_suffix_len=32, pad_char='A',
                     alphabet=list(range(256))):
    suffix = ""
    padding_len = block_size - (expected_suffix_len % block_size)
    padded_suffix_len = expected_suffix_len + padding_len
    recovery_block = padded_suffix_len / block_size - 1
    alphabet_chars = [chr(x) for x in alphabet]

    for i in range(padded_suffix_len - len(suffix) - 1, padding_len-1, -1):
        data = pad_char * i
        correct = chunk(encrypt_function(data),
                        block_size)[recovery_block]

        for char in alphabet_chars:
            test = data + suffix + char
            try:
                encrypted = chunk(encrypt_function(test),
                                  block_size)[recovery_block]

                if correct == encrypted:
                    suffix += char
                    print('FOUND', padded_suffix_len - i, char)
                    break

            except Exception as ex:
                pass

    return suffix


print(brute_ecb_suffix(encrypt,
                       block_size=16,
                       expected_suffix_len=38,
                       pad_char='A',
                       alphabet=ALPHABET))

Flag

[+] Opening connection to tasks.aeroctf.com on port 44323: Done
1. Encrypt
2. Decrypt
3. Get server secret
4. Exit
> 
('FOUND', 1, 'A')
('FOUND', 2, 'e')
('FOUND', 3, 'r')
('FOUND', 4, 'o')
...
Aero{5013a76ed3b98bae1e79169b3495f47a}

Aero{5013a76ed3b98bae1e79169b3495f47a}