点击此处获得更好的阅读体验
WriteUp来源
https://dunsp4rce.github.io/csictf-2020/crypto/2020/07/21/Login-Error.html
by raghul-rajasekar
题目描述
We forgot our credentials, help us to get the flag.
题目考点
解题思路
On connecting to the server, we are presented with a prompt like this:
1 | We implemented a really cool AES-encryption for our login, however in the process we forgot the username and password to the admin account. |
Out of the two ciphertexts given, the first halves of each are the same. Hence, this is an indication that perhaps the first halves are a common IV value and the second halves are the encryptions of the plaintexts using AES in CBC mode. In CBC mode, the first block of plaintext is obtained by decrypting the first ciphertext block and XORing it with the IV value. Since only one block is present here, by changing the IV value sent for decryption, we could change the decrypted plaintext to anything we want. For example, for the username, assuming user
is a bytearray
containing the AES encryption of "user:c?i"
, we could turn it into a valid encryption of "user:csi"
by doing user[6] ^= ord('?') ^ ord('s')
, and similarly for the password. Submitting these new values gives us the flag.
Flag
1 | csictf{Sh4u!d_hav3_n0t_u5ed_CBC} |