
Crymeplx

CRY | 100 pts - 170 solves


Last updated 1 year ago

Description: Awesome service. Now I don't need to encrypt anything myself! Connect via: nc chall.rumble.host 2734

We had a service to netcat with (nc chall.rumble.host 2734) and the source code to download and unzip. Looking at the source, the program first prints the encrypted flag, then asks for an input string and encrypts it too, both with AES-128 in CTR mode.

from Crypto.Cipher import AES
from secret import flag
import os

# Nonce and key are drawn once at start-up and reused for every encrypt() call
kwargs = {"nonce": os.urandom(8)}
key = os.urandom(16)

def encrypt(msg):
    # A new cipher object with the same key and nonce produces the same keystream
    aes = AES.new(key, AES.MODE_CTR, **kwargs)
    return aes.encrypt(msg).hex()

print(encrypt(flag))
q = input("Encrypt this string:").encode()
print(encrypt(q))

This is how AES-CTR works:

The vulnerability here is that the nonce is reused for every encryption, and as the name says, it should be used only (n)once. Since CTR mode only XORs the plaintext with a keystream derived from the key and nonce, the encryption of the flag is:

Ciphertext1 = flag ⊕ AES(Key, Nonce)

and the encryption of user input:

Ciphertext2 = input ⊕ AES(Key, Nonce)

Note that we used the same Nonce and Key pair, so we can say that:

AES(Key, Nonce) = flag ⊕ Ciphertext1

AES(Key, Nonce) = input ⊕ Ciphertext2

Therefore:

flag ⊕ Ciphertext1 = input ⊕ Ciphertext2

flag = input ⊕ Ciphertext2 ⊕ Ciphertext1

Let's write our exploit:

from pwn import *
import binascii

context.log_level = 'debug'
p = remote('chall.rumble.host', 2734)

# First line printed by the service is the hex-encoded encrypted flag
enc_flag = binascii.unhexlify(p.recvline().strip())

# Ask for a known plaintext of the same length (renamed from `input`, which shadowed the builtin)
payload = b'A' * len(enc_flag)
p.sendlineafter(b'Encrypt this string:', payload)
enc_input = binascii.unhexlify(p.recvline().strip())

# Same keystream both times, so flag = payload ⊕ enc_input ⊕ enc_flag
flag = xor(payload, enc_input, enc_flag)
log.success(f'{flag=}')