2025 Cyber Apocalypse: Crypto Traces

Challenge Information

Attribute	Details
Event	2025 Cyber Apocalypse
Category	Cryptography
Challenge	Crypto Traces

The Crypto Traces challenge presents “EldoriaNet v0.1”, a mystical IRC-inspired server that encrypts messages using AES in Counter (CTR) mode. The vulnerability lies in improper counter initialization and reuse, allowing attackers to decrypt messages and extract plaintext without the encryption key.

Analysis

Application Architecture

EldoriaNet Server (server.py):

from db import *
from Crypto.Util import Counter
from Crypto.Cipher import AES
import os
from time import sleep
from datetime import datetime

class MiniIRCServer:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.key = os.urandom(32)  # Random 256-bit key

    def output_message(self, msg):
        enc_body = self.encrypt(msg.encode()).hex()
        print(enc_body, flush=True)
        sleep(0.001)

    def encrypt(self, msg):
        encrypted_message = AES.new(self.key, AES.MODE_CTR, counter=Counter.new(128)).encrypt(msg)
        return encrypted_message

    def decrypt(self, ct):
        return self.encrypt(ct)

Key Vulnerability: Counter Reuse

The critical vulnerability is in how the CTR mode counter is initialized:

Issue: Counter.new(128) creates a new counter starting from 0 for EVERY encryption operation.

Impact: If the same key is used with counter values starting from 0 repeatedly, the keystream will be identical for different messages, allowing attackers to:

XOR encrypted messages together to cancel out the key
Use known plaintext attacks
Recover partial or full plaintext

CTR Mode Weakness

CTR (Counter) mode security depends on:

Unique (key, nonce, counter) tuples for every message
The vulnerability here resets the counter to 0 for each message with the same key
This creates identical keystreams for different messages

Solution

Step 1: Understand CTR Mode

CTR mode works by:

Encrypting counter values: E_K(counter), E_K(counter+1), …
XORing the encrypted counters with plaintext
If counter is reused, keystream repeats

Step 2: Collect Encrypted Messages

Interact with the server to collect multiple encrypted messages:

# Connect to EldoriaNet and collect messages
messages = []
for i in range(10):
    # Send a message and capture encrypted response
    encrypted = capture_encrypted_message()
    messages.append(encrypted)

Step 3: Exploit Counter Reuse

If two messages are encrypted with the same key and counter sequence:

C1 = P1 XOR Keystream
C2 = P2 XOR Keystream
C1 XOR C2 = P1 XOR P2

If you know P1, you can recover P2:

P2 = C1 XOR C2 XOR P1

Step 4: Known Plaintext Attack

Many IRC commands follow known patterns:

import os

# Known IRC command patterns
known_plaintext = b"JOIN #channel"
encrypted_msg = bytes.fromhex("abcd1234...")

# Try to recover keystream
keystream = bytes(a ^ b for a, b in zip(encrypted_msg[:13], known_plaintext))

# Use recovered keystream to decrypt other messages
decrypted = bytes(a ^ b for a, b in zip(encrypted_msg, keystream))

Step 5: Extract Channel Information

Once you can decrypt messages, extract:

Channel names
Member lists
Private messages

Step 6: Retrieve the Flag

The flag is typically stored in:

A private channel message
User credentials
Server configuration

Key Code Snippets

Vulnerable Encryption:

def encrypt(self, msg):
    # VULNERABLE: Counter always starts from 0
    encrypted_message = AES.new(self.key, AES.MODE_CTR, counter=Counter.new(128)).encrypt(msg)
    return encrypted_message

Proper Implementation:

def encrypt(self, msg):
    # CORRECT: Use unique nonce/counter for each message
    nonce = os.urandom(8)  # Unique nonce per message
    cipher = AES.new(self.key, AES.MODE_CTR, nonce=nonce)
    return nonce + cipher.encrypt(msg)

Key Takeaways

CTR Mode Vulnerability: Reusing counter values with the same key completely breaks security
Nonce Criticality: Every encryption must use a unique (key, nonce) pair in CTR mode
Known Plaintext Attacks: IRC protocols have predictable message patterns that enable KPA
Keystream Reuse: Never reuse the same keystream for different plaintexts
Stream Cipher Weakness: Stream ciphers are catastrophically broken by counter/IV reuse
Implementation Details Matter: Even small mistakes in counter management can lead to complete compromise

Tools Used

Python: For cryptographic analysis and attacks
PyCryptodome: For AES and counter operations
Socket Programming: For server communication

References

AES-CTR Mode: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CTR
Counter Mode Attacks: https://crypto.stackexchange.com/questions/2791/why-must-iv-key-pairs-not-be-reused-in-ctr-mode
Known Plaintext Attack: https://en.wikipedia.org/wiki/Known-plaintext_attack