Chasa, world’s most dangerous gangster, is planning to equip his team with new tools. There is a cargo ship arriving tomorrow morning and the coast guard needs your help to seize the cargo. Our investigators have found the crypto service used by Chasa and his team to communicate for these kind of jobs. Can you decrypt the broadcasted message and identify the container to be seized?

Category: Crypto

Solvers: 3mb0, mp455, lmarschk

For this challenge, we had the source code.

The server uses AES in CBC mode with a block and key size of 16 Bytes. The key is generated from /dev/urandom when starting the python server.

Encryption

  • the 16 Byte initialization vector is generated from /dev/urandom
  • the padding is generated according to PKCS7: padding is 1 to 16 bytes long and each padding byte is the number of padding bytes as hex
  • the data is encrypted with AES in CBC mode

Decrypting

  • the iv is extracted from the string
  • the hexstring is decoded using the iv and the key

Verifying We have only one byte padding

  • the decrypt function does not test the validity of the content of the encrypted message (leaked by source code), only the validity of the padding.
  • It is possible to zero out all bytes of the IV except of the last one –> Padding length of 1 Byte

Interacting with the server

  • the server sends 16 bytes iv and the 16 bytes encrypted flag (all hex)
  • the server tells for a hex string if the data can be decrypted (if the padding is correct)

Padding Oracle

  • See script, as the IV is directly XORed with the result of the decryption, we can test whether we can influence the IV in a way (chosen ciphertext attack) that we provide different IVs with different padding lengths. Therefore, we have a specific value we know corresponding to a specific outcome of the decryption we can use to decrypt the real encrypted ciphertext.
  • https://github.com/mpgn/Padding-oracle-attack

Attack Walkthrough

  1. Get ciphertext by connecting to the server:
lmm@lmm-think-05:~/Documents/htb/crypto_cargo$ nc docker.hackthebox.eu 30322
This crypto service is used for Chasa's delivery system!
Not your average gangster.
Options:
1. Get encrypted message.
2. Send your encrypted message.
1
48727196b317ee150c943a0a091fd54ee2f691f04ff105936017cc9b91c752fa
This crypto service is used for Chasa's delivery system!
Not your average gangster.
Options:
1. Get encrypted message.
2. Send your encrypted message.
^C
  1. Use the padding.py tool like this:
lmm@lmm-think-05:~/Documents/htb/crypto_cargo$ python3 padding.py -c 48727196b317ee150c943a0a091fd54ee2f691f04ff105936017cc9b91c752fa -l 16 -v
[+] Search value block :  1

[+] Test [Byte 255/256 - Block 1 ]: 48727196B317EE150C943A0A091FD5B0
[-] No padding found, but maybe the padding is length 01 :)
[+] Block M_Byte : 000000000000000000000000000000ff
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000000000000001

[+] Test [Byte 125/256 - Block 1 ]: 48727196B317EE150C943A0A091FAA4D
[+] Block M_Byte : 00000000000000000000000000007d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000000000000202

[+] Found 2 bytes : 7d01

[+] Test [Byte 051/256 - Block 1 ]: 48727196B317EE150C943A0A092FAB4C
[+] Block M_Byte : 00000000000000000000000000337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000000000030303

[+] Found 3 bytes : 337d01

[+] Test [Byte 108/256 - Block 1 ]: 48727196B317EE150C943A0A6128AC4B
[+] Block M_Byte : 0000000000000000000000006c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000000004040404

[+] Found 4 bytes : 6c337d01

[+] Test [Byte 099/256 - Block 1 ]: 48727196B317EE150C943A6C6029AD4A
[+] Block M_Byte : 0000000000000000000000636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000000505050505

[+] Found 5 bytes : 636c337d01

[+] Test [Byte 052/256 - Block 1 ]: 48727196B317EE150C94086F632AAE49
[+] Block M_Byte : 0000000000000000000034636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000000060606060606

[+] Found 6 bytes : 34636c337d01

[+] Test [Byte 114/256 - Block 1 ]: 48727196B317EE150CE1096E622BAF48
[+] Block M_Byte : 0000000000000000007234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000007070707070707

[+] Found 7 bytes : 7234636c337d01

[+] Test [Byte 048/256 - Block 1 ]: 48727196B317EE1534EE06616D24A047
[+] Block M_Byte : 0000000000000000307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000000808080808080808

[+] Found 8 bytes : 307234636c337d01

[+] Test [Byte 095/256 - Block 1 ]: 48727196B317EE4335EF07606C25A146
[+] Block M_Byte : 000000000000005f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000000090909090909090909

[+] Found 9 bytes : 5f307234636c337d01

[+] Test [Byte 067/256 - Block 1 ]: 48727196B317A74036EC04636F26A245
[+] Block M_Byte : 000000000000435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 0000000000000a0a0a0a0a0a0a0a0a0a

[+] Found 10 bytes : 435f307234636c337d01

[+] Test [Byte 066/256 - Block 1 ]: 48727196B35EA64137ED05626E27A344
[+] Block M_Byte : 000000000042435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000000000b0b0b0b0b0b0b0b0b0b0b

[+] Found 11 bytes : 42435f307234636c337d01

[+] Test [Byte 067/256 - Block 1 ]: 48727196FC59A14630EA02656920A443
[+] Block M_Byte : 000000004342435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 000000000c0c0c0c0c0c0c0c0c0c0c0c

[+] Found 12 bytes : 4342435f307234636c337d01

[+] Test [Byte 123/256 - Block 1 ]: 487271E0FD58A04731EB03646821A542
[+] Block M_Byte : 0000007b4342435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 0000000d0d0d0d0d0d0d0d0d0d0d0d0d

[+] Found 13 bytes : 7b4342435f307234636c337d01

[+] Test [Byte 066/256 - Block 1 ]: 48723DE3FE5BA34432E800676B22A641
[+] Block M_Byte : 0000427b4342435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 00000e0e0e0e0e0e0e0e0e0e0e0e0e0e

[+] Found 14 bytes : 427b4342435f307234636c337d01

[+] Test [Byte 084/256 - Block 1 ]: 48293CE2FF5AA24533E901666A23A740
[+] Block M_Byte : 0054427b4342435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 000f0f0f0f0f0f0f0f0f0f0f0f0f0f0f

[+] Found 15 bytes : 54427b4342435f307234636c337d01

[+] Test [Byte 072/256 - Block 1 ]: 103623FDE045BD5A2CF61E79753CB85F
[+] Block M_Byte : 4854427b4342435f307234636c337d01
[+] Block C_{i-1}: 48727196B317EE150C943A0A091FD54E
[+] Block Padding: 10101010101010101010101010101010

[+] Found 16 bytes : 4854427b4342435f307234636c337d01


[+] Decrypted value (HEX): 4854427B4342435F307234636C337D01
[+] Decrypted value (ASCII): HTB{CBC_0r4cl3}

flag