
Tag: aes

[CSAW2017] baby_crypt

Solution

In this challenge, the socket service takes our input, appends the flag to the end, and encrypts the result with AES in ECB mode.

In AES ECB mode, each block is 16 bytes (32 hex characters). For example:

    Block1            Block2            Block3
    aaaaaaaaaaaaaaaa  bbbbbbbbbbbbbbbb  cccccccccccccccc

If the last block is shorter than 16 bytes, padding is used to fill it. For example:

    Block1            Block2            Block3
    aaaaaaaaaaaaaaaa  bbbbbbbbbbbbbbbb  ccccccccc0000000

In this challenge, the blocks look like this:

    Block1            Block2            Block3
    inputinputinputi  flag{xxxxxxxxxx   xxxxxxxxxxxxxxx}

So we control the value of Block1. What if we send only 15 characters as our input? The first character of the flag will then be stored in Block1:

    Block1            Block2            Block3
    inputinputinputf  lag{xxxxxxxxxxx   xxxxxxxxxxxxxx}0

So we can arrange the blocks like this to brute-force the flag:

    Block1            Block2            Block3            …
    aaaaaaaaaaaaaaaX  aaaaaaaaaaaaaaaf  lag{xxxxxxxxxxx   …

    Block1            Block2            Block3            …
    aaaaaaaaaaaaaafX  aaaaaaaaaaaaaafl  ag{xxxxxxxxxxxx   …

    Block1            Block2            Block3            …
    aaaaaaaaaaaaaflX  aaaaaaaaaaaaafla  g{xxxxxxxxxxxxx   …

We test every printable value for X. If Block1 equals Block2, the first characters are correct. Based on this concept, I wrote a script to test it automatically.
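The block comparison described above, as an added example that is not the author's script: it runs against a local model of the service and generalizes the Block1/Block2 check to the last block of two equal-length regions, so flags longer than one block are covered. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for AES (the leak depends only on each block being encrypted deterministically and independently), and the key, flag value, zero-byte padding and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import string

BLOCK = 16
KEY = os.urandom(16)                       # server-side key, never sent to the client
FLAG = b"flag{constructed_sample_value}"   # constructed sample secret, not the CTF flag

def _enc_block(block: bytes, tweak: bytes = b"") -> bytes:
    # Stand-in for one AES block encryption (assumption): keyed, deterministic, 16 bytes out.
    return hmac.new(KEY, tweak + block, hashlib.sha256).digest()[:BLOCK]

def _padded(user_input: bytes) -> bytes:
    data = user_input + FLAG               # the service appends the flag to our input
    return data + b"\x00" * (-len(data) % BLOCK)

def oracle_ecb(user_input: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks match.
    data = _padded(user_input)
    return b"".join(_enc_block(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def oracle_randomized(user_input: bytes) -> bytes:
    # Same service with a fresh nonce and the block offset mixed into each block,
    # as a CTR-style or authenticated mode would do (nonce transmission omitted).
    data, nonce = _padded(user_input), os.urandom(BLOCK)
    return b"".join(_enc_block(data[i:i + BLOCK], nonce + i.to_bytes(4, "big"))
                    for i in range(0, len(data), BLOCK))

def recover(oracle, max_len: int = 64) -> bytes:
    size = -(-max_len // BLOCK) * BLOCK    # region length, rounded up to whole blocks
    known = b""
    while len(known) < max_len:
        filler = b"a" * (size - 1 - len(known))
        for c in string.printable.encode():
            ct = oracle(filler + known + bytes([c]) + filler)
            # Region 1 ends with our guess X, region 2 ends with the next flag byte.
            if ct[size - BLOCK:size] == ct[2 * size - BLOCK:2 * size]:
                known += bytes([c])
                break
        else:
            break                          # no printable byte matched: stop
    return known

if __name__ == "__main__":
    print("ECB oracle:       ", recover(oracle_ecb))
    print("randomized oracle:", recover(oracle_randomized))
```

Against the ECB model the loop returns the whole appended secret; against the randomized model the very first comparison never matches and nothing is recovered, which is the property a service handling secrets needs from its encryption mode.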
