Derbycon CTF Crypto Challenge

I tried avoiding the Derbycon CTF. I really did. With more than 18,000 flags available, I knew that if I got sucked in, I’d have to go all in for the weekend. But the allure was too much. I dedicated a few hours on Saturday to checking out a few of the challenges and ended up nabbing about 65 flags (with the help of a few others). The majority of my points came from the crypto challenge, which is all I’ll be writing up today.

Discovering the challenge took a bit. On one of the hosts in the /16 scoped network there was a mocked up university website, pwnedu. In a subdirectory of the site was a list of faculty pages. One og the faculty had a few subfolders in their personal directory. One of these wasa folder called ‘crypto’ in the ‘homework’ directory. There were 3 files of interest here:

1) Assignment.cipher.txt
2) Assignment.plain.txt
3) secret.txt.

Two of these files, Assignment.cipher.txt and secret.txt were encrypted and thus unreadable. The other file, Assignment.plain.txt contained readable text, but the layout was… interesting.

In order to solve the challenge, you needed to decipher the encrypted message in the secret.txt file. The problem was that you had no information on exactly what was used to encrypt the message, or any key information. You had to figure out how to use the two ‘Assignment’ files to extract the secret message. Let’s start with what we can actually read, the Assigment.plain.txt file. As I mentioned previously, the layout was interesting at first glance. Each of the words in the file seemed to be laid out in columns, which made it difficult to read. So I made a copy and stripped it down to understand what was written inside.

Stripping out the extra whitespace yielded the following:

For this assignment your task is to take on the role of a code breaker.
You will use what we learned in class about crypto analysis , and some comon
cryptographic operations such as XOR.

You will also need to utilize your knowlege of block ciphers such as AES and
DES and the various modes these ciphers can be utilized in , especially ECB or ,
electronic code book. It will also help to understand other modes such as
CTR , or counter. An encoded copy of this assignment is provided. You
must use this plain text to perform a know plain text attack. Comparing the
content of this message with the provided cipher text copy will allow you to
discover enough information to enable you to decipher the contnet secret.txt.

Follow the instructions in secret.txt to reveal the FLAG. Come prepared to
identify the flag in class Tuesday.

A Cryptographers tale.

Once a upon a time Alice had a message she wanted to send Bob. Alice did not
want Jim to be able to read the message. She also need to send a meesage to
Jim , that ideally Bob would not read. Alice decided the best solution was
to protect her message with AES. Unfortunitly for Alice her computer is very
slow and has no dedicated cryptographic hardware. It was a wire wrap hand
built affir using individual transistors and a number of toggle switchs for
input.

Alice ‘s father was convinced all integrated circuits were bugged with listening
devices and would not all Alice to have anything in the house that utilized
them. He had not been right since the war. Alice accepted this though because
she felt all the tin foil clothing he provided her was quite stylish , she
liked her Sunday hat in particular. Things are what they are she thought.

The letter she needed to send Bob was very long. After several long afternoons
writing out her AES implementation in assembly , desk checking it two times ,
she was tired. Alice knew she should probably implement CBC or CTR modes but
the thought of many hours ahead of her converting her assembly to binary before
she could even start entering the program on the toggles lead Alice to decide
to just go with ECB and hope Jim would not be able to break the code.
Jim was the sort of idiot who could hardly count anyway.

Alice finished entering her program and letters one character at a time.
clearing the register each time. Finally Alice was able to send her messages to
both Bob and Jim in relative safety. She skipped a number of spaces and
punctuation to save time.

Alice was so excited by Bobs reply she could hardly put it down.

Alright, so there’s a bunch of information here, but the key pieces to solving it are as follows: Block Ciphers, Electronic Codebook, and known-plaintext attack. When you’re encrypting something using and ECB cipher, each block of data is encrypted individually with the provided key. This is different from other types of encryption modes like Cipher-Block-Chaining (CBC), where the result of encrypting the previous block are used when encrypting subsequent blocks. This means that, in ECB mode, if you have two blocks of data that are identical, the resulting ciphertext will be the same if the key used to encrypt the plaintext blocks are the same.

The original formatting yields the first clue. Each of the words is padded to 16 characters (128 bits), which is a typical block size. Any space not utilized by the letters of the word are filled with spaces. That means that when the message is encrypted, each word then becomes a separate block. We can use the contents of the Assignment.plain.txt and Assigment.cipher.txt to map a plaintext word to it’s encrypted equivalent. To verify, let’s take a look at the Assigment.cipher.txt. Here, I read in the file and spat out the ciphertext in hexadecimal representation, separated into blocks so I could match up the plaintext word to the ciphertext output.

The first word in the plaintext file is “For”. Using the first block of ciphertext from the encrypted file, the result was “e2ca86791386af2771f05dc2fcb15eac”. Unfortunately the word “For”, including the capital F, doesn’t show up again in the plaintext. Case matters! So another block was needed to compare. There are multiple instances of the word “for” in all lowercase in the plaintext file. And in both cases, the corresponding encrypted block showed up in the ciphertext file as “9973ea1b6d5fdec957798914dce2b09d”. Progress!

Using that information, each plaintext and ciphertext blocks were then mapped out so that I could do a lookup to determine what plaintext word was being represented by the ciphertext block.

With the hard part done, the decryption of the secret message was now possible. The process was something like this: read in each encrypted ciphertext block from secret.txt, and match the ciphertext hex output with the mapped file above. Which ever word matched the encrypted block was the same word in secret.txt. The plaintext content’s of secret.txt were:

“count the number of times Bob, Jim and Alice are in the tale. the FLAG is Alice Jim Bob and the count of each with no spaces.”

Therefore, the flag was AliceJimBobxyz where x y and z represent the number of times the words Alice, Jim and Bob appear in the Assignment.plain.txt file. A quick search yields the following: 12 instances of the word Alice, 5 instances of the word Jim, and 5 instances of the word Bob, resulting in the final flag of AliceJimBob1255 netting a cool 350 points.

Thanks to Anthony (@amillerrhodes) for helping me with the Python-fu required for parsing all the text for this challenge.