Tags: aes crypto 


Exploit:
```
from Crypto.Cipher import AES
import requests
import urllib
import binascii
import base64
import hashpumpy
import re

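def pad(s):
    """Append PKCS#7-style padding so that len(result) is a multiple of 16.

    Between 1 and 16 characters are appended, each carrying the padding
    length as its code point.  A full 16-character block is added when
    ``s`` is already block-aligned, so the padding can always be removed.

    ``s`` is a ``str``; the script targets Python 2, where that is a byte
    string.
    """
    # The function body had lost its indentation in the listing, which made
    # the definition a syntax error; it is restored here.
    fill = 16 - len(s) % 16
    return s + fill * chr(fill)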

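def unpad(s):
    """Remove the trailing padding that pad() appends.

    The code point of the last character is taken as the number of
    trailing characters to drop.  Nothing is validated: a final value of 0
    or one larger than ``len(s)`` yields an empty string, and the padding
    characters are not checked for consistency.  That is tolerable in a
    one-off script; a service should authenticate the ciphertext (AEAD or
    encrypt-then-MAC) before it decrypts and unpads anything.
    """
    # The function body had lost its indentation in the listing; restored.
    count = ord(s[-1:])
    return s[:-count]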

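def decrypt(ct):
    """Decrypt ``ct`` with AES-CBC and return the plaintext without padding.

    Reads the module-level ``key`` and ``iv``, which the script assigns
    further down from the cookies the service sends to the client.
    """
    # The function body had lost its indentation in the listing; restored.
    # A new cipher object is built per call so decryption starts from `iv`.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return unpad(cipher.decrypt(ct))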

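def encrypt(pt):
    """Pad ``pt`` to the AES block size and encrypt it with AES-CBC.

    Reads the module-level ``key`` and ``iv``.  The script reuses the IV
    that came with the original cookie; a real system needs a fresh,
    unpredictable IV for every message encrypted in CBC mode.
    """
    # The function body had lost its indentation in the listing; restored.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return cipher.encrypt(pad(pt))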

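# CTF challenge instance (BSidesSF); the first request makes the server
# issue the `user`, `signature` and `rack.session` cookies read below.
url = 'https://decrypto-6213399b.challenges.bsidessf.net/'
s = requests.Session()
s.get(url)

# `user` is hex(IV || AES-CBC ciphertext) of the profile record.
user = binascii.unhexlify(s.cookies['user'])

# Weakness 1: the part of `rack.session` before "--" is only base64-encoded,
# so the client can read it, and its last 32 bytes are used here as the AES
# key.  Rack's cookie store signs session data but does not encrypt it by
# default.
# Mitigation: keep key material server-side, never in a client-held session.
key = base64.b64decode(urllib.unquote(s.cookies['rack.session'].split('--')[0]))[-32:]

iv = user[:16]
ct = user[16:]

# Weakness 2: hashpump can extend `signature` without knowing the secret
# (8 is the secret length passed to it), which works when the signature is
# a plain Merkle-Damgard hash over secret || data.
# Mitigation: sign with HMAC, which is not length-extendable.
sig, plain = hashpumpy.hashpump(s.cookies['signature'], decrypt(ct), '\nUID 0\n', 8)
s.cookies['signature'] = sig
s.cookies['user'] = binascii.hexlify(iv + encrypt(plain))

# Weakness 3 (inferred from the output below): the record now holds two UID
# lines and the server appears to honour the later one.
# Mitigation: reject records with duplicate or unparseable fields.
# print(line) with one argument behaves the same on Python 2 and 3; the loop
# body had also lost its indentation in the listing.
for line in re.findall(r' data.push\("(.+?)"\)', s.get(url).text):
    print(line)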
```

Output:
```
...your UID value is set to 0
...your NAME value is set to baseuser
...your SKILLS value is set to n/a
...your �@ value is set to
FLAG VALUE: <span>CTF{parse_order_matters}</span>


```