2023 Cyber Apocalypse: Multipage Recyclings

Challenge Information

Attribute   Details
Event       2023 Cyber Apocalypse
Category    Crypto
Challenge   Multipage Recyclings

Summary

This challenge involves a custom cipher class that uses AES in ECB mode inside a custom encryption scheme. The vulnerability lies in how plaintext blocks are recycled and how ciphertext is generated. By analyzing the leaked ciphertext blocks and understanding the recycling mechanism, we can recover the flag.


Analysis

The challenge provides a custom AES cipher class (CAES) with the following characteristics:

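import os

class CAES:
    # self.cipher (AES in ECB mode), self.blockify and self.xor are set up
    # elsewhere in the challenge class and are not shown in this excerpt.
    def encrypt(self, message):
        iv = os.urandom(16)
        ciphertext = b''
        plaintext = iv  # the first input to the block cipher is the random IV
        blocks = self.blockify(message, 16)
        for block in blocks:
            ct = self.cipher.encrypt(plaintext)    # ECB-encrypt the current value
            encrypted_block = self.xor(block, ct)  # message block XOR that output
            ciphertext += encrypted_block
            plaintext = encrypted_block            # recycle the ciphertext block
        return ciphertext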

The encryption uses:

  1. A random IV
  2. ECB mode encryption of the plaintext value (the IV for the first block, the previous encrypted block afterwards)
  3. XOR of the encrypted value with the message block
  4. The encrypted block becomes the next plaintext

The leak() method reveals encrypted values of adjacent ciphertext blocks, which is the key to the vulnerability.

Challenge Output:

ct = bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624
r = 3
phrases = ['8b6973611d8b62941043f85cd1483244', 'cf8f71416111f1e8cdee791151c222ad']

Solution

The vulnerability can be exploited by:

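  1. Understanding that the leaked encryptions of ciphertext blocks r and r+1 allow us to work backwards: each ciphertext block is the message block XORed with the encryption of the previous ciphertext block, so XORing a leaked value with the following ciphertext block gives back that message block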
  2. Since blocks are recycled, we can use the known encrypted blocks to recover information
  3. The custom ECB mode with XOR creates deterministic patterns for repeated plaintext

The key insight is that the same plaintext is encrypted multiple times (the FLAG is repeated 4 times), so the message is periodic: the plaintext blocks recovered from the leak contain repeated pieces of the FLAG, which allows pattern recognition and recovery of the original message.
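The recovery described above, as an added example (not code from the challenge or from the original write-up): it XORs the two leaked values with the ciphertext blocks that follow them, then uses the repetition of the FLAG to put the recovered bytes back in order. It assumes r is a 0-based index into 16-byte ciphertext blocks; the function names recover_window and unrotate are hypothetical.

```python
BLOCK = 16

# Values copied from the "Challenge Output" section of this write-up.
CT_HEX = (
    "bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e78"
    "8c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5a"
    "d41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c6"
    "31630b5d23f11775804a688e5e4d5624"
)
R = 3
PHRASES = ["8b6973611d8b62941043f85cd1483244", "cf8f71416111f1e8cdee791151c222ad"]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def recover_window(ct_hex, r, phrases):
    """Undo encrypt() for the blocks that follow blocks r and r+1.

    encrypt() computes C[i] = P[i] XOR E(C[i-1]) and the leak is E(C[r]) and
    E(C[r+1]), so P[r+1] = C[r+1] XOR E(C[r]) and P[r+2] = C[r+2] XOR E(C[r+1]).
    Assumption: r is a 0-based index into the 16-byte ciphertext blocks.
    Returns (byte offset of the window in the message, recovered bytes).
    """
    ct = bytes.fromhex(ct_hex)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # zip() stops early when a leaked block is the last one: nothing follows it.
    pairs = zip(blocks[r + 1:], (bytes.fromhex(p) for p in phrases))
    return (r + 1) * BLOCK, b"".join(xor(c, e) for c, e in pairs)

def unrotate(offset, window):
    """Rebuild one copy of a repeated message from a window that spans a seam.

    Picks the smallest period L with window[i] == window[i + L] for every i,
    then uses message[m] == unit[m % L] to place each byte of the unit.
    With no repetition inside the window, L falls back to the window length.
    """
    n = len(window)
    period = next((L for L in range(1, n + 1) if window[:n - L] == window[L:]), n)
    return bytes(window[(j - offset) % period] for j in range(period))

if __name__ == "__main__":
    off, win = recover_window(CT_HEX, R, PHRASES)
    print(win)                 # the two recovered plaintext blocks
    print(unrotate(off, win))  # one copy of the repeated FLAG
```

The period is inferred from only a few overlapping bytes here, so treat the reordered output as a candidate and check it against the recovered blocks by eye.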


Key Takeaways

  • ECB mode encryption is vulnerable to pattern analysis
  • Custom cipher implementations often introduce additional vulnerabilities
  • Block recycling in encryption schemes can leak information
  • Leaked intermediate values (like encrypted blocks) are powerful for cryptanalysis
  • Understanding the exact encryption algorithm is critical for exploitation