I have a guest writeup this week for the EFF-CTF we did. Welcome Steven who I worked with to solve the EFF-CTF this week which was part of Enigma 2016 security conference. Take it away Steven:
Level0x3 for the EFF-CTF required cracking homebrew crypto. The level was as follows:
At first we tried “aaaa” as our input as a test.
Interesting, lets make sure it’s deterministic by checking the same input again.
hmm, everything changed.
We then tested a single character to see what the length of the output would be.
It’s looking as if one character becomes 4 numbers when encrypted. Lets test that theory:
“aa” becomes 8 numbers, so we are on the right path.
I had the idea to add the numbers up and see if them came to the same summation. Which they did! If that failed, I was going to check if some mathematical operation of the 4 numbers (or part of) would be the same. Failing that, perhaps one or more of the numbers were decoys and discarded when decrypted.
- 67+12+2+77 = 158
- 30+56+48+24 = 158
- 65+7+56+30 = 158
- 52+20+54+32 = 158
Yep! So, our theory is groups of 4 numbers add to the same sum. Lets make sure our ciphertext that we need to crack has groups of 4.
I used https://regex101.com with /[0-9]+/g
We can now use a chosen plain text attack, so we encrypt “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._ :1234567890′!”
We can then can map the output to each character in that list.
Kris created a script in Python that could do that for us:
#!/usr/bin/python c = map(int, open('ciphertext.txt', 'r').read().split()) alphacipher = map(int, open('alphabetciphered.txt', 'r').read().split()) alphabet = list("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._ :1234567890'!") # Generate a translation table translation =  for i in range(,len(alphacipher),4): j = alphacipher[i] + alphacipher[i+1] + alphacipher[i+2] + alphacipher[i+3] translation.append(j) # decipher ciphertext plaintext =  for i in range(,len(c),4): j = c[i] + c[i+1] + c[i+2] + c[i+3] plaintext.append(alphabet[translation.index(j)]) print "[+] Plaintext: " + "".join(plaintext)
Which when we run, gives us the flag:
root@kalimate:~/eff# python dec2.py [+] Plaintext: This week's decryption passphrase is: Don't BULLRUN me bro!