This is my write-up of the Cryptography challenge "An Exclusive Key" on the CTF site 247CTF.com.
We XOR encrypted this file, but forgot to save the password. Can you recover the password for us and find the flag?
The tool of choice for this assignment was xortool.
The first idea was that the key is simply the flag. Since we know the structure of the flag, we can try a part of the key. We will be using what is known as a known-plaintext attack.
$ xortool-xor -r "247ctf{" -f exclusive_key
<!DoctY^A^S/9a9&n\2h4="&2j;2&ps4>i#j;'
Making progress: we can observe <!DoctY at the very beginning of the file, so there is a high probability that we are working with an HTML file, based on the document type declaration.
As we can see, D and Y are capitals, so we can assume that oct should be capital too; we could calculate the XOR, or just try making our guessed key all capital letters.
$ xortool-xor -r "247CTF{" -f exclusive_key
<!DOCTY^A^S/^YA^Y&n\2H^T^]"&2j^[^R^Fps4>I^CJ;'<l^^ZVoi^V^Mb^R^G|d$v^U
So we are now more certain that the key is the flag itself. To continue, we can use xortool again to try to guess the full key.
247CTF.com has flags in the format 247CTF{32-hex}, so the full flag size is 40 bytes; let's give that length to xortool.
kali@kali:~/Documents/247ctf/cryptography/anexclusivekey$ xortool -l 40 -o exclusive_key
100 possible key(s) of length 40:
'gab\x16\x01\x13.67mg4kd77l:ac`a0dl`#c6606gram3ab(
'f`c\x17\x00\x12/76lf5je66m;`ba`1ema"b7717fs`l2`c)
'ec`\x14\x03\x11,45oe6if55n8cabc2fnb!a4424epco1c`*
'dba\x15\x02\x10-54nd7hg44o9b`cb3goc `5535dqbn0ba+
"cef\x12\x05\x17*23ic0o`33h>egde4`hd'g2242cvei7ef,
...
Found 35 plaintexts with 95%+ valid characters
See files filename-key.csv, filename-char_used-perc_valid.csv
We got lucky: the tool found 35 possible keys and generated the corresponding plaintexts. To get the one we need, we can grep all of the keys for the known part of the key.
kali@kali:~/Documents/247ctf/cryptography/anexclusivekey$ cat xortool_out/filename-key.csv | grep 247CTF
xortool_out/14.out;b"247CTF{cb82a>1bb9o4654e195v6ccec2'48f47}"
So the key proposed by xortool is:
247CTF{cb82a>1bb9o4654e195v6ccec2'48f47}
As the 32 bytes in the flag body should all be hex, we can see that the key is not 100% correct.
Confirm that by printing the plaintext.
$ cat xortool_out/14.out
There are parts of the text that are not decrypted correctly.
Exploit:
#!/usr/bin/env python3
import sys
from pwn import xor

# Read the encrypted file as bytes and XOR it with the key proposed by xortool.
data = open('exclusive_key', 'rb').read()
# Double quotes are needed because the guessed key itself contains a ' character.
key = b"247CTF{cb82a>1bb9o4654e195v6ccec2'48f47}"
sys.stdout.buffer.write(xor(data, key))
$ ./exploit.py > decode.html
We need to replace > and ' with the right characters. We can calculate them with XOR (the character from the encrypted text xor the guessed character from the plaintext).
When we do that, it still won't be correct, so try to find the last wrong character to get the password: count the errors in the decrypted text.
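The steps above (XOR with a partial key, check the flag body for non-hex bytes, fix a key byte as ciphertext xor known plaintext, count decryption errors per key position) as an added, self-contained example; this is not code from the write-up and does not use the challenge file. The key, HTML plaintext and ciphertext are constructed here, and pwntools is replaced by a small xor_repeat helper.

```python
# Added example, not from the write-up: repeating-key XOR with a known
# plaintext, plus the two checks the write-up uses (non-hex flag bytes,
# error counting per key position). All data below is constructed.
import string

KEY_LEN = 40                              # len("247CTF{" + 32 hex + "}")
PRINTABLE = set(string.printable.encode())
HEX = set(b"0123456789abcdef")

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (what xortool-xor -r does)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def non_hex_positions(key: bytes) -> list:
    """Positions in the 32-byte flag body that are not hex digits."""
    return [i for i in range(7, KEY_LEN - 1) if key[i] not in HEX]

def error_counts(ct: bytes, key: bytes) -> list:
    """Non-printable decrypted bytes per key position; a wrong key byte
    corrupts every 40th byte, so its position stands out."""
    counts = [0] * len(key)
    for i, b in enumerate(xor_repeat(ct, key)):
        if b not in PRINTABLE:
            counts[i % len(key)] += 1
    return counts

def repair_key(ct: bytes, guess: bytes, known: list) -> bytes:
    """Fix key bytes from (offset, plaintext fragment) pairs:
    key byte = ciphertext byte XOR plaintext byte, as in the write-up."""
    fixed = bytearray(guess)
    for offset, frag in known:
        for j, p in enumerate(frag):
            fixed[(offset + j) % len(guess)] = ct[offset + j] ^ p
    return bytes(fixed)

# Constructed sample: a small HTML page encrypted under a flag-shaped key.
TRUE_KEY = b"247CTF{" + b"0123456789abcdef" * 2 + b"}"
PLAINTEXT = (b"<!DOCTYPE html>\n<html><head><title>demo</title></head>\n"
             b"<body><p>hello hello hello</p></body></html>\n") * 3
CIPHERTEXT = xor_repeat(PLAINTEXT, TRUE_KEY)
# A guess with two wrong bytes, at positions 12 and 33 like xortool's.
BAD_GUESS = bytes(b ^ (0x80 if i in (12, 33) else 0) for i, b in enumerate(TRUE_KEY))

if __name__ == "__main__":
    print(xor_repeat(CIPHERTEXT, b"247CTF{")[:7])   # b'<!DOCTY'
    print(non_hex_positions(BAD_GUESS))               # [12, 33]
    print(error_counts(CIPHERTEXT, BAD_GUESS))
    print(repair_key(CIPHERTEXT, BAD_GUESS, [(0, b"<!DOCTYPE html>"), (28, b"<title>")]))
```

With the real ciphertext, the known fragments would be the HTML tags you can read in the partially decrypted output, and the positions reported by non_hex_positions and error_counts tell you which key bytes still need such a fragment.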