[CSAW CTF Qualification Round 2017] - baby_crypt (Crypto 350)

題目資訊

The cookie is input + flag AES ECB encrypted with the sha256 of the flag as the key.

nc crypto.chal.csaw.io 1578

解法

是 AES ECB ，可以用 Chosen Plaintext Attack（選擇明文攻擊）。

原理

先送出 'a' * 31 會得到
+------------------+------------------+------------------+------------------+
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaa? | ???????????????? | ???????????????  |
+------------------+------------------+------------------+------------------+
       block0             block1             block2             block3       
cipher: 469ac6eba774ac471777f35c88d9dd6ad5da43b8e9f2dc31ad7a3bcabb271e59ac30cc07bdb589446fa1fe24fad8f4060569323ed7299f231ccf7192a4cde656
block1: d5da43b8e9f2dc31ad7a3bcabb271e59

再來送 'a' * 31 + ch ，窮舉 ch 。
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaaa | ...
+------------------+------------------+-----
block1: 469ac6eba774ac471777f35c88d9dd6a
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaab | ...
+------------------+------------------+-----
block1: 67d925436df7bd4674fd6197ec6d6ebf
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaac | ...
+------------------+------------------+-----
block1: 8b99be9db66cb5e2ad1f97b184cc9b5a
                                    .
                                    .
                                    .
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaaf | ...
+------------------+------------------+-----
block1: d5da43b8e9f2dc31ad7a3bcabb271e59

窮舉到 'f'，發現 block 的密文一樣，可知 flag 的第一個字是 'f'

再來每次減少 'a' 的數量
送 'a' * 30
+------------------+------------------+------------------+------------------+
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaf? | ???????????????? | ??????????????   |
+------------------+------------------+------------------+------------------+
窮舉 'a' * 30 + 'f' + ch ，得 ch = 'l'
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaafl | ...
+------------------+------------------+-----

送 'a' * 29
+------------------+------------------+------------------+------------------+
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaafl? | ???????????????? | ?????????????    |
+------------------+------------------+------------------+------------------+
窮舉 'a' * 29 + 'fl' + ch ，得 ch = 'a'
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaafla | ...
+------------------+------------------+-----

送 'a' * 28
+------------------+------------------+------------------+------------------+
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaafla? | ???????????????? | ????????????     |
+------------------+------------------+------------------+------------------+
窮舉 'a' * 28 + 'fla' + ch ，得 ch = 'g'
+------------------+------------------+-----
| aaaaaaaaaaaaaaaa | aaaaaaaaaaaaflag | ...
+------------------+------------------+-----

...

送 'a' * 0
+------------------+------------------+
| flag{Crypt0_is_s | 0_h@rd_t0_d0...? |
+------------------+------------------+
窮舉 'flag{Crypt0_is_s0_h@rd_t0_d0...' + ch ，得 ch = '}'
+------------------+------------------+
| flag{Crypt0_is_s | 0_h@rd_t0_d0...} |
+------------------+------------------+

就能得到整個 flag 了！

寫 script 解

from pwn import *
import string

r = remote('crypto.chal.csaw.io', 1578)

flag = '' # flag length is 32
ct = 31

while ct >= 0:
    payload = 'a' * ct
    r.recvuntil(': ')
    r.sendline(payload)
    r.recvuntil(': ')
    cipher = r.recvline().strip()
    block_validation = cipher[32:64]
    for ch in string.printable:
        r.recvuntil(': ')
        r.sendline(payload + flag + ch)
        r.recvuntil(': ')
        cipher = r.recvline().strip()
        block = cipher[32:64]
        if block == block_validation:
            flag += ch
            print flag
            ct -= 1
            break
    else:
        break

Flag: flag{Crypt0_is_s0_h@rd_t0_d0...}