2024 Cyber Apocalypse: Iced Tea

#htb #ctf #crypto #tea-cipher #block-cipher #ecb-mode

Challenge Information

AttributeDetails
Event2024 Cyber Apocalypse
CategoryCrypto
ChallengeIced Tea
DifficultyEasy

Summary

Iced Tea presents a custom block cipher implementation that is actually the TEA (Tiny Encryption Algorithm). The vulnerability is that the encryption key is provided in the output file. By identifying the cipher from the DELTA constant (0x9e3779b9) and implementing the TEA decryption algorithm, the flag can be recovered.

Analysis

The cipher uses:

  1. Block Size: 64 bits (8 bytes)
  2. Key Size: 128 bits (16 bytes), split into four 32-bit dwords
  3. DELTA Constant: 0x9e3779b9 (golden ratio related)
  4. Mode: ECB (Electronic Codebook)
  5. 32 Rounds: Standard TEA encryption rounds

Key recognition point: The DELTA constant 0x9e3779b9 uniquely identifies the TEA cipher. Searching for this constant online immediately reveals TEA cipher documentation and reference implementations.

Solution

Step 1: Identify the Cipher

The constant DELTA = 0x9e3779b9 appears in the encryption routine:

self.DELTA = 0x9e3779b9

Searching for this constant online reveals it belongs to the TEA (Tiny Encryption Algorithm) cipher defined by Wheeler and Needham.

Step 2: Implement TEA Decryption

From Wikipedia’s TEA documentation, the decrypt_block function:

from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b


DELTA = 0x9e3779b9


def decrypt_block(key, ct):
    m0 = b2l(ct[:4])
    m1 = b2l(ct[4:])
    msk = (1 << 32) - 1


    s = 0xc6ef3720  # Starting sum value for reverse


    for i in range(32):
        m1 -= ((m0 << 4) + key[2]) ^ (m0 + s) ^ ((m0 >> 5) + key[3])
        m1 &= msk
        m0 -= ((m1 << 4) + key[0]) ^ (m1 + s) ^ ((m1 >> 5) + key[1])
        m0 &= msk
        s -= DELTA


    m = ((m0 << 32) + m1) & ((1 << 64) - 1)
    return l2b(m)

Step 3: Load Data and Decrypt

def load_data():
    with open('output.txt') as f:
        key = bytes.fromhex(f.readline().split(' : ')[1])
        enc_flag = bytes.fromhex(f.readline().split(' : ')[1])
    return key, enc_flag


def tea_ecb_decrypt(key, enc_flag):
    key = [b2l(key[i:i+4]) for i in range(0, len(key), 4)]
    blocks = [enc_flag[i:i+8] for i in range(0, len(enc_flag), 8)]
    flag = b''


    for ct in blocks:
        flag += decrypt_block(key, ct)


    return flag


key, enc_flag = load_data()
flag = tea_ecb_decrypt(key, enc_flag)
print(flag.rstrip(b'\x00').decode('utf-8'))

Key Points

  1. Key Size: The provided key is 16 bytes = 4 dwords
  2. Starting Sum: For 32 rounds of encryption, reverse iteration uses s = 32 * DELTA = 0xc6ef3720
  3. ECB Mode: Each block is decrypted independently
  4. Padding: PKCS7 padding is used and needs to be removed

Key Takeaways

  • Custom cipher implementations may actually be known algorithms (like TEA)
  • Cryptographic constants are unique identifiers for specific algorithms
  • Wikipedia and academic papers provide reference implementations for known ciphers
  • Providing the encryption key makes breaking the cipher trivial regardless of algorithm strength
  • TEA, while interesting historically, is superseded by AES for modern applications