
Wargames.MY December 2018 – aes-ecb-magic

We’re given the source of the encryption program and notice that the block size used for padding is hidden.

And it’s using character “A” (0x41) as the padding.

The Flag is added to the input before encryption and there doesn’t seem to be any other leading or trailing text to the input besides the flag.

While we might not be able to retrieve the key, we can still retrieve the flag.

First we must figure out the block size.

We can start by incrementing the input size by 1 each time until a new block is generated.

We see a new block of ciphertext generated upon entering the 10th character and again at the 26th character.

Subtracting the two gives us our block length, in this case 26-10 = 16 bytes.
Considering we start off with three blocks, this gives us a little hint about the size of the flag.
3 blocks is 49 bytes, after removing our padding the flag is 39 characters.

Because of the nature of ECB, we know that identical blocks of plaintext will give us identical blocks of ciphertext and we can use this to our advantage.

To test our theory, we start off by inputting padding of one character less than the block length.
In this case that is 15 A’s.

The 16th character slot should have been occupied by the first character of the flag when it was encrypted. So now we try different characters in that position until we receive an identical first block of ciphertext.

When we try ‘g’ the ciphertext is clearly different, but what happens when we try ‘w’?

Bingo! It’s a match, and that’s the first character of our flag. We can proceed similarly to find the next character and so forth.

Once you’ve used up your padding, you can add more and use the existing characters of the flag you’ve discovered and continue on, except you’ll be comparing the next block of ciphertext, until you reach the end.

That question mark gives us hope that, a few guesses later, we’re nearing the end of the flag.

Flag: wgmy{–ecb_1s_n0t_th4t_s3cure_right?–}

Now you should be able to do this in a way more elegant fashion using a padbuster script. But we did what needed to be done to get the flag… even if that meant doing it manually 😛
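A scripted version of the manual procedure above, added here as an example and not part of the original write-up: it builds a local oracle that mimics the challenge (input followed by the flag, ‘A’ padding to a block boundary, ECB) and runs the block-size probe and the byte-at-a-time recovery against it. The flag and key are constructed, and AES is replaced by a keyed SHA-256 block function so the script needs no extra packages; the attack depends only on ECB being deterministic, so the recovery logic is unchanged for a real AES-ECB oracle.

```python
import hashlib
import os

BLOCK = 16
PAD = b"A"                       # the challenge pads with 'A' (0x41), not PKCS#7
SECRET_KEY = os.urandom(16)      # constructed; the attack code never reads it
FLAG = b"wgmy{--constructed_flag_for_demo--}"   # constructed sample, not the real flag

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES block encryption (assumption: a keyed hash keeps the
    # example dependency-free; the attack only relies on ECB being deterministic).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def oracle(user_input: bytes) -> bytes:
    """Models the challenge: input || FLAG, 'A'-padded to a block boundary, ECB-encrypted."""
    data = user_input + FLAG
    data += PAD * (-len(data) % BLOCK)
    return b"".join(_block_encrypt(SECRET_KEY, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def probe(oracle) -> tuple:
    """Return (block_size, flag_length) by growing the input one byte at a time."""
    base = len(oracle(b""))
    n = 1
    while len(oracle(PAD * n)) == base:          # first growth (the 10th byte in the write-up)
        n += 1
    first = n
    while len(oracle(PAD * n)) == len(oracle(PAD * first)):   # second growth (the 26th byte)
        n += 1
    block_size = n - first
    flag_length = base - (first - 1)              # first-1 bytes exactly filled the last block
    return block_size, flag_length

def recover_flag(oracle) -> bytes:
    """Byte-at-a-time ECB recovery, the same steps the write-up performs by hand."""
    block_size, flag_length = probe(oracle)
    known = b""
    while len(known) < flag_length:
        pad = PAD * (block_size - 1 - len(known) % block_size)
        idx = len(known) // block_size               # which ciphertext block to compare
        sl = slice(idx * block_size, (idx + 1) * block_size)
        target = oracle(pad)[sl]                     # block whose last byte is the unknown one
        for c in range(256):
            if oracle(pad + known + bytes([c]))[sl] == target:
                known += bytes([c])
                break
        else:
            raise RuntimeError("no candidate matched; oracle is not pure ECB")
    return known
```

Running `recover_flag(oracle)` returns the constructed flag; `probe(oracle)` reports the 16-byte block size and the flag length, mirroring the 10th/26th-character observations above.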

POC:

First block of the flag


