Tags: aes crypto
Rating:
# 435!
Here is the challenge code and Description
```
I have an encrypted message and the corresponding secret key, but some of their characters are missing. Can you help me find the flag?
Note: Missing characters are shown by *.
```
```python
import binascii
import hashlib
import sys
from Crypto.Cipher import AES
key = b'*XhN2*8d%8Slp3*v'
key_len = len(key)
def pad(message):
padding = bytes((key_len - len(message) % key_len) * chr(key_len - len(message) % key_len), encoding='utf-8')
return message + padding
def encrypt(message, key, iv):
aes = AES.new(key, AES.MODE_CBC, iv)
return aes.encrypt(message)
h = hashlib.sha256(key).hexdigest()
hidden = binascii.unhexlify(h)[:10]
message = b'CBC (Cipher Blocker Chaining) is an advanced form of block cipher encryption' + hidden
with open('flag', 'rb') as f:
IV = f.read().strip(b'TMUCTF{').strip(b'}')
print(binascii.hexlify(encrypt(pad(message), key, IV)))
```
and the output
```
9**********b4381646*****01********************8b9***0485******************************0**ab3a*cc5e**********18a********5383e7f**************1b3*******9f43fd66341f3ef3fab2bbfc838b9ef71867c3bcbb
Pretty output for 32 bit hex (16 bytes) for every block
block1: 9**********b4381646*****01******
block2: **************8b9***0485********
block3: **********************0**ab3a*cc
block4: 5e**********18a********5383e7f**
block5: ************1b3*******9f43fd6634
block6: 1f3ef3fab2bbfc838b9ef71867c3bcbb
```
# Solution
As we know the flag is `IV` and we can't bruteforce it because of large state space for it\
Also we know some characters are missing in output and the key\
We have last block of cipher text and also we have 13 bytes of the key with 3 bytes missing\
So we can bruteforce the key with just 16777216 keys possible
If we decrypt last block of the message and `xor` it with last block of the ciphertext we can compare last 5 bytes of the result with `9f43fd6634` which is last 5 bytes of previous block to ensure the key is correct
## BruteForce missing characters of the Key
```python
import binascii
import hashlib
import sys
from Crypto.Cipher import AES
from Crypto.Util.number import *
gkey = '*XhN2*8d%8Slp3*v'
key_len = len(gkey)
def brute_key():
key = gkey
check = bytes.fromhex('9f43fd6634')
for i in range(0, 256):
tindex1 = key.find('*')
key = key.replace('*', chr(i), 1)
for j in range(0, 256):
tindex2 = key.find('*')
key = key.replace('*', chr(j), 1)
for k in range(0, 256):
tindex3 = key.find('*')
key = key.replace('*', chr(k), 1)
h = hashlib.sha256(key.encode("latin")).hexdigest()
hidden = binascii.unhexlify(h)[:10]
message = b'CBC (Cipher Blocker Chaining) is an advanced form of block cipher encryption'
message += hidden
m = pad(message)
c1 = bytes.fromhex('1f3ef3fab2bbfc838b9ef71867c3bcbb')
b1 = m[-16:]
aes = AES.new(key.encode("latin"), AES.MODE_ECB)
c2 = repeating_xor_key(aes.decrypt(c1), b1)
if (c2[-5:] == check):
print(key)
print(key.encode('latin'))
print(c2)
tlist3 = list(key)
tlist3[tindex3] = "*"
key = "".join(tlist3)
tlist2 = list(key)
tlist2[tindex2] = "*"
key = "".join(tlist2)
tlist1 = list(key)
tlist1[tindex1] = "*"
key = "".join(tlist1)
```
Here is the result, we got a key
```
key = '0XhN2!8d%8Slp3Ov'
```
## Decrypt previous block
Now we should repeat the steps we did for last block until we reach first block and find `IV` which is our flag
```python
def find_IV():
key = "0XhN2!8d%8Slp3Ov"
h = hashlib.sha256(key.encode("latin")).hexdigest()
hidden = binascii.unhexlify(h)[:10]
message = b'CBC (Cipher Blocker Chaining) is an advanced form of block cipher encryption'
message += hidden
message = pad(message)
cipher = bytes.fromhex('1f3ef3fab2bbfc838b9ef71867c3bcbb')
block = message[-16:]
# cipher = c1
for i in range(2, 8):
print(hex(bytes_to_long(cipher)))
# print(block)
aes = AES.new(key.encode("latin"), AES.MODE_ECB)
cipher = repeating_xor_key(aes.decrypt(cipher), block)
block = message[i*-16:(i-1)*-16]
print(cipher)
```
And here is the result, The last Line is `IV` and actually the flag !!
```
0x1f3ef3fab2bbfc838b9ef71867c3bcbb
b'\x9c\x1a\x9d\x16y\\\x1b3Mn\xc4\x9fC\xfdf4'
0x9c1a9d16795c1b334d6ec49f43fd6634
b'^Yi\xdc\xdb\x9b\x18\xac3\x997\x858>\x7f2'
0x5e5969dcdb9b18ac33993785383e7f32
b'\x95\x93I\xe94\x81\x86\x9c\x83m\x90\r\xca\xb3\xa6\xcc'
0x959349e93481869c836d900dcab3a6cc
b'\x8b\xc6z\x00\xc0\xe5\x19\x8b\x9d\x03\x04\x85\x89S\xeb\x83'
0x8bc67a00c0e5198b9d0304858953eb83
b'\x9fJ\xc9\x03\x11\x8bC\x81db\xb3Q\x01\xa7\xb6\xfe'
0x9f4ac903118b43816462b35101a7b6fe
b'Y0U_D3CrYP73D_17'
```
```
Flag : TMUCTF{Y0U_D3CrYP73D_17}
```
[solution code](https://github.com/KooroshRZ/CTF-Writeups/blob/main/TMU2021/Crypto/435/solve.py)
> KouroshRZ for **AbyssalCruelty**