- the three ciphers are AES-ECB, AES-CBC, AES-CFB
- security of the keys are 24 bits each
- AES-CFB is a stream cipher that encrypts/decrypts data by by encrypting an IV with AES, then XORing the result with the plaintext/ciphertext
- we have access to a encryption and decryption oracle
- firstly, obtain a plaintext/ciphertext pair $(p, c, IV_1, IV_2)$
- next, guess the 2^24 possible keys and ask the oracle to decrypt $(c \oplus E_{k_3}(IV_2) \oplus E_{k_3}(r), IV_1, r)$ for some arbitrary $r$
- if the key guess is correct, the result will be the same as our original plaintext $p$
- a problem is that 2^24 takes way too long (and there's a timeout), so instead just guess up to 2^16 and run the script many many times. it works with ~1/256 probability
- this takes ages on the remote, so set up a few droplets in the same region as the server and wait a while...
- perform a meet-in-the-middle attack to recover the other two keys (complexity is 2^25)

there are much better solutions (see hellman's writeup or #ctf-challenges in the cryptohack discord server) that don't involve an excessive number of oracle requests


Original writeup (https://jsur.in/posts/2021-03-07-zer0pts-ctf-2021-crypto-writeups#three-aes).