Sunday, March 31, 2019

Sunshine CTF 2019 - 16-bit-AES

by Rafael "rasknikov" Correia

Description

Why so small?

nc aes.sunshinectf.org 4200

Author: ps_iclimbthings

Write-up

Short write-up here.

The server asked for a word to be encrypted and then asked the client to encrypt a given text using the same key:

Welcome, I'm using an AES-128 cipher with a 16-bit key in ECB mode.

I'll give you some help: give me some text, and I'll tell you what it looks like

Your text:
blah
1e6bd4581494f5505284c8cae40b7356

Ok, now encrypt this text with the same key: oQuHwqq0DhZmcIIC
blah
Wrong!

As the challenge said that the key had 16 bits I tried to brute force it, with no success.

And then I thought:

Why not use the challenge itself to encrypt the text for me?

First connection:

Welcome, I'm using an AES-128 cipher with a 16-bit key in ECB mode.

I'll give you some help: give me some text, and I'll tell you what it looks like

Your text:
a
99aeb873d384f79c1fdf7f6e221793c5

Ok, now encrypt this text with the same key: Kl7YX0PUxbPKAhME

Second connection:

Welcome, I'm using an AES-128 cipher with a 16-bit key in ECB mode.

I'll give you some help: give me some text, and I'll tell you what it looks like

Your text:
Kl7YX0PUxbPKAhME
b2b1110b5f30b338f6bf4cdd49c24f99

Back to first connection:

Ok, now encrypt this text with the same key: Kl7YX0PUxbPKAhME
b2b1110b5f30b338f6bf4cdd49c24f99

Correct! The flag is sun{Who_kn3w_A3$_cou1d_be_s0_vulner8ble?}

Maybe it was not the intended solution, but it worked. :)

Flag

sun{Who_kn3w_A3$_cou1d_be_s0_vulner8ble?}

Capture the Flag , Writeup , Cryptography