Outils pour utilisateurs

Outils du site


Decrypt It - Writeup by Maxima


$ ./cryptooo SECCON{*************************}
Encrypted(44): waUqjjDGnYxVyvUOLN8HquEO0J5Dqkh/zr/3KXJCEnw=

what's the key?



The binary takes an argument and shows us the encrypted argument, encoded in base64.

$ ./cryptooo aaaaaaaaaaaaaaaaaaa
Encrypted(28): 8yc36kAk+W405+OOjZ5l+sd+hg==

We can quickly notice that changing one character doesn't change the beginning of the encrypted argument:

$ ./cryptooo aaaaaaaaaaaaaaaaaab
Encrypted(28): 8yc36kAk+W405+OOjZ5l+sd+hQ==

Thus we can easily brute force character by character, using a Python script:

#!/usr/bin/env python3
import subprocess
import re
import base64
def encrypt(flag):
    if not flag:
        return b''
    print('Encrypting %s' % flag)
    p = subprocess.Popen(['./cryptooo', flag], stdout=subprocess.PIPE)
    buf = p.stdout.read().decode('ascii')
    groups = re.search(r'Encrypted\(\d+\): (.*)\n', buf)
    data = groups.group(1)
    return base64.b64decode(data)
charset = ''.join(chr(c) for c in range(32, 127))
encrypted = base64.b64decode('waUqjjDGnYxVyvUOLN8HquEO0J5Dqkh/zr/3KXJCEnw=')
flag = ''
while encrypt(flag) != encrypted:
    found = False
    for c in charset:
        if encrypted.startswith(encrypt(flag + c)):
            flag += c
            found = True
    assert found
print('Found flag: %s' % flag)

The flag is SECCON{Cry_Pto_Oo_Oo1Oo_oo_Oo_O}


Maxime Arthaud 2015/12/07 09:56

ctf/public/seccon/decrypt-it.txt · Dernière modification: 2016/10/15 20:17 de arthaum