Tags: cbc crypto ecb 

Rating:

We have to send in some plaintext to encrypt, and get ciphertext back.
Then we have to classify if the cipher used is AES ECB or CBC.

If we send in a lot of a's, for example 128 a's, we can determine if this is ECB. This is because it encrypts block by block using the same key (without using the result of previous blocks to encrypt the next blocks like CBC).

If the first 64 hex characters of the ciphertext is the same as the last 64, that means this is ECB.
Below is a script that classify the cipher used. When we get it right, it asks us to send in more plaintext and classify even more ciphers.
After 176 rounds it just stops. Wait, where is our flag?

After doing some exploration, I had an idea to write a binary string based on if it was ECB or CBC. If it is ECB add a 0, and if it is CBC add a 1.
After all of the rounds we try to decode this back to ascii, and we get the flag!

script:
```python
#!/usr/bin/env python3
from pwn import *

input = "a"*128
binstring = ""

r = remote('crypto.chal.csaw.io', 5001)

r.recvline()
for i in range(0,200):
r.recvline()
r.sendline(input)

encrypted = r.recvline()
encrypted = encrypted[16:].decode().strip()

r.recvuntil("ECB or CBC?")
log.info(encrypted[:64])
log.info(encrypted[64:128])

if encrypted[:64] == encrypted[64:128]:
binstring += "0"
r.sendline("ECB")
else:
binstring += "1"
r.sendline("CBC")

log.info(binstring)
log.info(f"Count: {i}")
if (i == 175):
r.close()
flag = "".join([chr(int(binstring[i:i+8], 2)) for i in range(0, len(binstring), 8)])
log.success(flag)
break
else:
r.recvline().decode()
```