The Encrypted Flag (misc)

PUBLISHED ON 21/03/2020 — EDITED ON 03/04/2020 — 247CTF, INFOSEC


This is my write-up of a Miscellaneous challenge The Encrypted Flag on the CTF site


We have had enough of everybody reading our flags. Since all of our cryptography implementations have been broken, we decided not to roll our own!


First step is almost always checking what the file represents:

kali@kali:~$ file encrypted_flag.enc
encrypted_flag.enc: openssl enc'd data with salted password

We can see that it is OpenSSL-encrypted data with a salted password (the "Salted__" magic that file recognises), but the format reveals nothing about which cipher and digest were used.

Simple task

As the assignment is rated as easy, we can first try the most popular cipher (AES-256-CBC) and digest (SHA256). The cipher defaults to AES-256-CBC in bruteforce-salted-openssl, so only the digest needs to be given:

kali@kali:~$ bruteforce-salted-openssl -t 50 -f /usr/share/wordlists/rockyou.txt -d sha256 encrypted_flag.enc -1
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.

Tried passwords: 14319218
Tried passwords per second: 596634.083333
Last tried password: (akapulko1)

Password candidate: (algorithm)crypto

Lucky us!

Complicated task

If this were a bit more complicated and the exercise did not use the default values for cipher and digest, we would need to find them somehow.

Unfortunately, OpenSSL's salted format carries no information about the underlying cipher or digest, so mostly we have to guess.

The idea is to learn what we can from the file and then brute force all the remaining possibilities.

Let's list all the ciphers OpenSSL could have used to encrypt the data:

$ openssl enc -ciphers > ciphers.list

The file has multiple columns:

Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr

But to iterate over it in a loop later, we need to convert it to one cipher per line:

To achieve this, open the file with vim, use CTRL+V to visually select a column, cut it and paste it at the end of the file. You can remove excess trailing whitespace with :%s/\s\+$//e.

Next we can check the byte size of the contents:

kali@kali:~$ wc -c encrypted_flag.enc
64 encrypted_flag.enc

As 64 is divisible by 8, there is a good chance that the encryption uses a padded block mode: CBC and ECB pad the plaintext up to a multiple of the block size, while stream-style modes (CFB, OFB, CTR) produce ciphertext exactly as long as the plaintext, so a multiple of 8 is a hint (not a proof) of a block mode. We can now ignore the other cipher variants and delete them from the ciphers.list file.

When we have the list we can try to brute force the encryption:

kali@kali:~$ for cipher in $(cat ciphers.list); do bruteforce-salted-openssl -t 50 -f /usr/share/wordlists/rockyou.txt -c $cipher -d sha256 encrypted_flag.enc -1; done
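The two preparation steps above (reading the file's layout to decide between block and stream modes, and turning the multi-column cipher listing into a one-per-line candidate list) as an added shell example, not the write-up's own commands. It assumes OpenSSL's documented salted layout (8-byte magic "Salted__", 8-byte salt, then ciphertext); the cipher listing and the .enc file it works on are constructed samples embedded in the script, so it runs offline and its output feeds the bruteforce-salted-openssl loop shown above.

```shell
#!/bin/sh
# Added example, not the write-up's own commands. Assumed file layout
# (OpenSSL's documented salted format): 8-byte magic "Salted__",
# 8-byte salt, then the ciphertext.
set -eu

# Constructed sample mirroring the first lines of "openssl enc -ciphers".
SAMPLE_CIPHERS='Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr'

# Write a constructed sample file: magic, fixed salt 01..08, 48 dummy bytes.
make_sample_enc() {
    { printf 'Salted__'; printf '\001\002\003\004\005\006\007\010'
      head -c 48 /dev/zero; } > "$1"
}

# Print "salt_hex ciphertext_len mode_hint" for a salted file; fail on bad magic.
# CBC/ECB pad to the block size, so a ciphertext length that is a multiple
# of 8 hints at a block mode; CFB/OFB/CTR keep the plaintext length exactly.
enc_layout() {
    [ "$(head -c 8 "$1")" = "Salted__" ] || { echo "no Salted__ header: $1" >&2; return 1; }
    salt=$(dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n')
    ct=$(( $(wc -c < "$1" | tr -d ' ') - 16 ))
    if [ $((ct % 8)) -eq 0 ]; then hint=block; else hint=stream; fi
    echo "$salt $ct $hint"
}

# stdin: multi-column listing; stdout: one bare cipher name per line
# (header dropped, leading dash stripped, duplicates removed).
flatten_cipher_list() {
    grep -v '^Supported ciphers' | tr -s ' \t' '\n' | sed 's/^-//' | grep . | sort -u
}

# stdin: one cipher per line; $1: "block" keeps only cbc/ecb, "stream" keeps the rest.
filter_by_mode() {
    if [ "$1" = block ]; then grep -E -- '-(cbc|ecb)$'; else grep -Ev -- '-(cbc|ecb)$'; fi
}

# $1: salted file, $2: file holding the openssl listing; stdout: candidate ciphers.
candidate_ciphers() {
    hint=$(enc_layout "$1" | cut -d' ' -f3)
    flatten_cipher_list < "$2" | filter_by_mode "$hint"
}

# Real run:  openssl enc -ciphers > ciphers.raw
#            candidate_ciphers encrypted_flag.enc ciphers.raw > ciphers.list
```

The resulting ciphers.list is what the for loop above iterates over; the mode hint only prunes the list, so if the block-mode candidates all fail, rerun with the stream-mode candidates before moving on to digests.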

Again, if luck is on our side the password will be found; otherwise do the same for the digest algorithms and iterate over them as well:

openssl list -digest-algorithms

The iteration process and text manipulation is left for the reader :)

All we need to do now is decrypt the file with the cracked password:

kali@kali:~$ openssl aes-256-cbc -d -in encrypted_flag.enc -out flag.txt -k "(algorithm)crypto"
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
kali@kali:~$ cat flag.txt


I basically got the flag right away, on the first try, but the sheer volume of trash in the current working directory obscured the flag.txt file, so I did not see it.

To be honest, I always seem to overextend these CTF tasks. So on this one, after the false-negative solution of the first try, I went full throttle in. By listing all OpenSSL ciphers and storing them to a file, with the idea of iterating and brute forcing each one of them with rockyou.txt, I have complicated my life a bit. But on the bright side of the additional complications I have faced, I now have a solution to brute force files where the cipher is unknown for my future endeavors.
