We are given a CT:
69 35 41 01 1C 9E 75 78 5D 48 FB F0 84 CD 66 79 55 30 49 4C 56 D2 73 70 12 45 A8 BA 85 C0 3E 53 73 1B 78 2A 4B E9 77 26 5E 73 BF AA 85 9C 15 6F 54 2C 73 1B 58 8A 66 48 5B 19 84 B0 80 CA 33 73 5C 52 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53 01 78 0C 4C 10 9E 32 37 12 0C 89 D5 A2 FC
The title of the task hints that this is an XOR with an MD5 hash. An MD5 digest is 16 bytes long, and there are repeating 16-byte sequences at the end of the CT. Let's assume the file is zero-padded, so that this repeating sequence (01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53) is the MD5 itself, and XOR the CT with it:
    00000000 68 4d 4d 4d 0c 00 47 4f 4f 44 00 4a 4f 42 0c 2a |hMMM..GOOD.JOB.*|
    00000010 54 48 45 00 46 4c 41 47 00 49 53 00 4e 4f 54 00 |THE.FLAG.IS.NOT.|
    00000020 72 63 74 66 5b 77 45 11 4c 7f 44 10 4e 13 7f 3c |rctf[wE.L.D.N..<|
    00000030 55 54 7f 57 48 14 54 7f 49 15 7f 0a 4b 45 59 20 |UT.WH.T.I...KEY |
    00000040 5d 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |]*..............|
    00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00000070 00 00 00 00 00 00 00 00 00 00 72 6f 69 73 |..........rois|
We get some text, but it contains errors and there are 0x00 bytes between words. Maybe the text was padded with spaces? Let's XOR it with 0x20:
    00000000 48 6d 6d 6d 2c 20 67 6f 6f 64 20 6a 6f 62 2c 0a |Hmmm, good job,.|
    00000010 74 68 65 20 66 6c 61 67 20 69 73 20 6e 6f 74 20 |the flag is not |
    00000020 52 43 54 46 7b 57 65 31 6c 5f 64 30 6e 33 5f 1c |RCTF{We1l_d0n3_.|
    00000030 75 74 5f 77 68 34 74 5f 69 35 5f 2a 6b 65 79 00 |ut_wh4t_i5_*key.|
    00000040 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |}.              |
    00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |                |
    00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |                |
    00000070 20 20 20 20 20 20 20 20 20 20 52 4f 49 53 |          ROIS|
Now the only errors are at every 16th position. Maybe there was a '*' after the word "key" too? After XORing with 0000000000000000000000000000002a we get the plaintext:
    Hmmm, good job, the flag is not
    RCTF{We1l_d0n3_6ut_wh4t_i5_*key*}



              ROIS
Combining the three XOR steps, md5(key) is 21582c6c30be1217322cdb9aebaf4a59, but that's not the flag.
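The three recovery steps above as one script, added here as an illustration and not part of the original write-up: it takes the most frequent aligned 16-byte block as key XOR padding, folds in the 0x20 space correction, and pins byte 15 with the guessed '*' at offset 0x3f. The function names and the `crib_offset` / `crib` parameters are hypothetical.

```python
from collections import Counter

BLOCK = 16  # MD5 digest length, the key size the page infers from the title

# Ciphertext from the page, one 16-byte row per line.
CT = bytes.fromhex("""
69 35 41 01 1C 9E 75 78 5D 48 FB F0 84 CD 66 79
55 30 49 4C 56 D2 73 70 12 45 A8 BA 85 C0 3E 53
73 1B 78 2A 4B E9 77 26 5E 73 BF AA 85 9C 15 6F
54 2C 73 1B 58 8A 66 48 5B 19 84 B0 80 CA 33 73
5C 52 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53
01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53
01 78 0C 4C 10 9E 32 37 12 0C FB BA CB 8F 6A 53
01 78 0C 4C 10 9E 32 37 12 0C 89 D5 A2 FC
""")


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def padding_block(ct: bytes) -> bytes:
    """Most frequent aligned block, i.e. key XOR constant padding."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct) - BLOCK + 1, BLOCK)]
    block, count = Counter(blocks).most_common(1)[0]
    if count < 2:
        raise ValueError("no repeated block: padding assumption does not hold")
    return block


def recover_key(ct: bytes, crib_offset: int = 0x3F, crib: str = "*") -> bytes:
    # Steps 1 and 2: the repeated block is key XOR padding, and the padding
    # turned out to be spaces (0x20), not zeros.
    key = bytearray(b ^ 0x20 for b in padding_block(ct))
    # Step 3: byte 15 is still wrong at this point (every 16th position),
    # so it is pinned with the guessed '*' that closes "*key*" at 0x3f.
    key[crib_offset % BLOCK] = ct[crib_offset] ^ ord(crib)
    return bytes(key)


if __name__ == "__main__":
    key = recover_key(CT)
    print(key.hex())
    print(xor_repeat(CT, key).decode("ascii"))
```

The recovery works because a fixed 16-byte XOR key is reused over constant padding, so every padded row exposes the key up to a single unknown pad value.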
Let's put the hash into a text file and run hashcat against a well-known password dictionary:
    hashcat -m 0 -a 0 hash.txt rockyou.txt
It gives us md5('that') = 21582c6c30be1217322cdb9aebaf4a59
After several submissions I got the right flag:
    RCTF{We1l_d0n3_6ut_wh4t_i5_that}