Tags: crypto ecb 

I could provide a script for this write-up, but honestly I think it's a lot easier to explain how to do it manually. If you do all 10 transactions somewhat randomly and then view the transactions, it becomes very clear that the service is using ECB: identical fields always encrypt to identical ciphertext blocks. The transaction is just `<sender id><receiver id><transaction ammount>`; how each field is encoded doesn't really matter. (You can verify this by submitting an encrypted transaction that fails: the error tells you the transaction format.)

With this information, you can view the 20 listed transactions to extract your id, the ids of the three users, and the encoded values that they sent. Furthermore, the special transaction tells you that it's worth 500 dollars, so from its encrypted form we can extract the encrypted value of $500. In my case, these values were as follows:

my id: c5dfb849d2633ee054b7fb2b2b303d08

first id: 69d03a78057d10e19d9397a0b89a967e

second id: 1605edc1b3fbba02d49f7764a41a3491

third id: 9abfc29e9b39b342b87ec03bcfe21be7

500 amount: 5ea121b5f1cb3b4607e555a8bc87fbb4

ECB encrypts every block independently and nothing authenticates the message as a whole, so we can put these blocks together in any order we want and still have a valid transaction. For example, `69d03a78057d10e19d9397a0b89a967ec5dfb849d2633ee054b7fb2b2b303d085ea121b5f1cb3b4607e555a8bc87fbb4` would send 500 dollars from user 1's account to my account. Repeat this for all three user accounts and you have enough money to buy the flag!

`flag{bank$_sh0uld_n07_us3_ECB}`
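The block reordering described above, and the check that stops it, as an added example that is not the challenge's code or the author's script. It assumes each field occupies one 16-byte block; the Feistel cipher is a toy stand-in for AES so the block runs with the standard library only, and the keys, names and amounts are constructed. In a real system an AEAD mode such as AES-GCM plays the role of `seal`/`open_sealed`.

```python
import hashlib, hmac

BLOCK = 16  # one cipher block = one 32-hex-char field in the write-up

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    # 4-round Feistel permutation: toy stand-in for AES, not a secure cipher
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def make_tx(key, sender, receiver, amount):
    # ECB: every 16-byte field is encrypted independently of its position
    fields = (sender, receiver, amount)
    return b"".join(enc_block(key, f.encode().ljust(BLOCK)) for f in fields)

def read_tx(key, ct):
    return tuple(dec_block(key, b).decode().strip() for b in blocks(ct))

def seal(mac_key, ct):
    # Encrypt-then-MAC: the tag binds the blocks to each other and their order
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct if hmac.compare_digest(tag, good) else None

def demo():
    key, mac_key = b"constructed-key", b"constructed-mac-key"
    mine = make_tx(key, "me", "user1", "10")         # constructed sample
    special = make_tx(key, "bank", "user2", "500")   # constructed sample
    me_blk, user1_blk, _ = blocks(mine)
    forged = user1_blk + me_blk + blocks(special)[2]
    resealed = forged + seal(mac_key, mine)[-32:]    # reuse an observed tag
    return read_tx(key, forged), open_sealed(mac_key, resealed)
```

`demo()` returns the decrypted forged transaction under plain ECB and `None` for the same blocks once a tag over the whole ciphertext is required.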