Known plaintext attack on EVP_aes_128_ctr stream cipher
"At this point, I tried to think of every way possible that I might be able to obtain the symmetric key and nonce, either from the program itself, or from an HTTP endpoint, but all of these roads led nowhere." Right? Spent so much time assuming it wouldn't be a crypto vuln and surely it was something else.
Any chance you could upload the encryptor.exe pls? http://rev.chal.csaw.io:8129 is down, now that the CTF is over.
I just included a link to encryptor.exe in the writeup, right above the first segment of solution code.