NCS Competition 2021 Writeup
Search…
CH02 - 500pts
Briefing
Below are 4 messages, 2 of them are insecure... find the flag!2e310d15730618003c27392502592f1b016e1b1c36450519130227271e1d6f3935381618340a740404152d0063160106490a0a050d013d2e313c0d45350d0c026f3d236b361120191e373c1c3a080e0c2b041b060c2749020b354105271616532f27772f1c204811111745320b10021717
Solution
- 1.First, we guess that the cipher being used is a one-time pad since two of the hexadecimal strings are the same length.
- 2.So we have cipher text one
2e310d15730618003c27392502592f1b016e1b1c364505191302and cipher text two313c0d45350d0c026f3d236b361120191e373c1c3a080e0c2b04that were both encrypted using the same one-time pad key. If the key for a one-time pad is used twice, it can be broken using crib dragging. - 3.Basically, XORing the cipher texts gives you the same result as XORing the original messages. The math works out as follows (from this crib dragging article):1cipher1 = msg1 ^ key2cipher2 = msg2 ^ key3cipher1 ^ cipher2 = (msg1 ^ key) ^ (msg2 ^ key)4cipher1 ^ cipher2 = msg1 ^ msg2 ^ key ^ key5cipher1 ^ cipher2 = msg1 ^ msg2 ^ 06cipher1 ^ cipher2 = msg1 ^ msg2Copied!This is useful because XORing the two cipher texts removes the key from the problem.
- 4.We can XOR the two cipher texts using [CyberChef (click for recipe)](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'313c0d45350d0c026f3d236b361120191e373c1c3a080e0c2b04'%7D,'Standard',false)To_Hex('None',0)&input=MmUzMTBkMTU3MzA2MTgwMDNjMjczOTI1MDI1OTJmMWIwMTZlMWIxYzM2NDUwNTE5MTMwMg) to get
1f0d0050460b1402531a1a4e34480f021f5927000c4d0b153806. This hexadecimal string is equal to the two messages XORed together. Therefore, we can start guessing parts of a message to decode both cipher texts and get the flag. SpiderLabs/cribdrag makes this easy. - 5.
python2 cribdrag.py 1f0d0050460b1402531a1a4e34480f021f5927000c4d0b153806:1Your message is currently:20 __________________________3Your key is currently:40 __________________________5Please enter your crib: flag6*** 0: "yaa7"7*** 1: "kl1!"82: "f<'l"93: "6*js"10*** 4: " gue"11*** 5: "mxc4"126: "rn2}"137: "d?{}"148: "5v{)"159: "|v/S"1610: "|"U/"1711: "(X)h"1812: "R$ne"19*** 13: ".ccx"2014: "in~>"2115: "[email protected]"22*** 16: "y5Fg"23*** 17: "?Kak"2418: "Alm*"2519: "f`,l"26*** 20: "j!jr"2721: "+gt_"28*** 22: "myYa"29Enter the correct position, 'none' for no match, or 'end' to quit: 430Is this crib part of the message or key? Please enter 'message' or 'key': message31Your message is currently:320 ____flag__________________33Your key is currently:340 ____ gue__________________35Please enter your crib: the36*** 0: "keep"37*** 1: "yh5f"382: "t8#+"393: "$.n4"40*** 4: "2cq""415: "|gs"426: "`j6:"437: "v;:"448: "'rn"459: "nr+"4610: "n&Qh"4711: ":\-/"4812: "@ j""4913: "<gg?"5014: "{jzy"5115: "vw<"52*** 16: "k1B "5317: "-Oe,"54*** 18: "Shim"5519: "td(+"5620: "x%n5"5721: "9cp"5822: "}]&"59Enter the correct position, 'none' for no match, or 'end' to quit: 060Is this crib part of the message or key? Please enter 'message' or 'key': message61Your message is currently:620 the flag__________________63Your key is currently:640 keep gue__________________65Please enter your crib: is66*** 0: "?dsp"671: "-i#f"682: " 95+"693: "p/x4"70*** 4: "fbg""715: "+}qs"72*** 6: "4k :"73*** 7: "":i:"74*** 8: "ssin"759: ":s="76*** 10: ":'Gh"7711: "n];/"7812: "!|""79*** 13: "hfq?"8014: "/kly"8115: ""v*"82*** 16: "?0T "83*** 17: "yNs,"8418: "im"8519: " e>+"8620: ",$x5"8721: "mbf"8822: "+|K&"89Enter the correct position, 'none' for no match, or 'end' to quit: 890Is this crib part of the message or key? Please enter 'message' or 'key': message91Your message is currently:920 the flag is ______________93Your key is currently:940 keep guessin______________95Please enter your crib: g for960: "x-f?4"971: "j 6)y"98*** 2: "gp df"993: "7fm{p"1004: "!+rm!"1015: "l4d<h"102*** 6: "s"5uh"1037: "es|u<"1048: "4:|!F"1059: "}:([:"10610: "}nR'}"10711: ").`p"108*** 12: "Shimm"10913: "//dp+"110*** 14: "h"y6U"111*** 15: "e??Hr"11216: "xyAo~"11317: ">fc?"11418: "@ j"y"11519: "g,+dg"116*** 20: "kmmzJ"11721: "*+sWt"118Enter the correct position, 'none' for no match, or 'end' to quit: 12119Is this crib part of the message or key? Please enter 'message' or 'key': key120Your message is currently:1210 the flag is Shimm_________122Your key is currently:1230 keep guessing for_________124Please enter your crib: the flag125*** 0: "keep gue"126*** 1: "yh5fmxc4"1272: "t8#+rn2}"1283: "$.n4d?{}"1294: "2cq"5v{)"1305: "|gs|v/S"1316: "`j6:|"U/"1327: "v;:(X)h"1338: "'rnR$ne"1349: "nr+.ccx"13510: "n&Qhin~>"13611: ":\-/[email protected]"13712: "@ j"y5Fg"13813: "<gg??Kak"13914: "{jzyAlm*"14015: "vw<f`,l"141*** 16: "k1B j!jr"14217: "-Oe,+gt_"143*** 18: "ShimmyYa"144Enter the correct position, 'none' for no match, or 'end' to quit: 18145Is this crib part of the message or key? Please enter 'message' or 'key': key146Your message is currently:1470 the flag is Shimm_ShimmyYa148Your key is currently:1490 keep guessing for_the flag150Please enter your crib: for the flag1510: "ybrp2cq"5v{)"1521: "ko"f|gs|v/S"1532: "f?4+`j6:|"U/"1543: "6)y4v;:(X)h"1554: " df"'rnR$ne"1565: "m{psnr+.ccx"1576: "rm!:n&Qhin~>"1587: "d<h::\-/[email protected]"1598: "[email protected] j"y5Fg"1609: "|u<<gg??Kak"16110: "|!Fh{jzyAlm*"16211: "([:/vw<f`,l"16312: "R'}"k1B j!jr"16413: ".`p?-Oe,+gt_"165*** 14: "immyShimmyYa"166Enter the correct position, 'none' for no match, or 'end' to quit: 14167Is this crib part of the message or key? Please enter 'message' or 'key': key168Your message is currently:1690 the flag is ShimmyShimmyYa170Your key is currently:1710 keep guessing for the flagCopied!
Flag
ShimmyShimmyYaLast modified 1yr ago