**Description**: The aliens have learned the stupidity of their misunderstanding of Kerckhoffs's principle. Now they're going to use a well-known stream cipher (AES in CTR mode) with a strong key. And they'll happily give us poor humans the source because they're so confident it's secure!

**Stars**: 1/5

**Downloadable**:
output.txt - encrypted file
phasestream3.py - encryption algorithm

**Goal**: To find a vulnerability of the algorithm and decrypt the flag

**Solution**:

It turns out that most of the Stream Ciphers are vulnerable to a Crib-Dragging attack if you use the same key-nonce pair for multiple (more than 1) payloads. This is exactly a case here where we have a test payload with known plaintext, and the real payload, encrypted with the same key and nonce.

Good article about this here: https://medium.com/@fhbro/crib-dragging-plain-text-attack-5a61a0bcd80d

And a tool I used to recover the flag: https://github.com/SpiderLabs/cribdrag

We first use xorstring.py tool (or any other xor implementation really) to xor both ciphertexts:

```bash
python2 cribdrag/xorstrings.py "464851522838603926f4422a4ca6d81b02f351b454e6f968a324fcc77da30cf979eec57c8675de3bb92f6c21730607066226780a8d4539fcf67f9f5589d150a6c7867140b5a63de2971dc209f480c270882194f288167ed910b64cf627ea6392456fa1b648afd0b239b59652baedc595d4f87634cf7ec4262f8c9581d7f56dc6f836cfe696518ce434ef4616431d4d1b361c" "4b6f25623a2d3b3833a8405557e7e83257d360a054c2ea"
0d27743012155b01155c027f1b41302955203114002413
```

Then we use a cribdrag.py tool to get the first plaintext from the xor by providing the second known plaintext:

https://github.com/lasq88/CTF/blob/main/HTB%20Cyber%20Apocalypse%202021/crypto_ps3/writeup/cribdragging.png

Original writeup (https://github.com/lasq88/CTF/tree/main/HTB%20Cyber%20Apocalypse%202021/crypto_ps3).