# Hacking Tube

## SCTF 2014 -- Code400

Code400 gave us a Python script.

After analyzing the code, we found that the key point is the key variable, which is 6 bytes long. Since key[4] * (key[5] - 5) has to equal 17557, there are only 2 possibilities:
1. key[4] = 97 & key[5] = 186
2. key[4] = 181 & key[5] = 102

But we still know nothing about key[0] ~ key[3], so we'll have to brute-force the remaining 4 bytes.

The script told us the ciphertext:

But it didn't tell us what the plaintext is, which is

We were kind of stuck here for a while, before I googled what the hell "the answer to life, the universe and everything" is.

And this is what google told me:

### 42

.........................WHAT THE F*CK?
How the hell are we supposed to know that?! (╯°д°)╯ ︵ ┻━┻
God damn it.....

So apparently, the plaintext is:

Now that we have both the ciphertext and the plaintext, we can brute-force the whole key. The search space is about 256*256*256*256*2 (key[4] & key[5] have only 2 possibilities), which is about 8.5 billion candidates. I wrote a C++ program with the help of the OpenSSL library, and it took about 25 minutes to crack the key.

key : \x81\x69\x37\x88\x61\xBA

But we're not done yet. With the right key, the script generates the right filename, which is:

After entering the filename in the URL (under the Code400 domain, of course), we found a message. It gave us a ciphertext and a partially decrypted plaintext:

I decoded the base64 ciphertext and found 320 bytes of data, the same length as the plaintext. Then I tried to decrypt the whole plaintext, but unfortunately I failed -_- (I suck at crypto!). So I sent the message to one of my teammates, who is good at it.

He found out that the actual ciphertext & plaintext were both only 64 bytes; they just repeat themselves 5 times (64*5 = 320). So he split the plaintext into 5 groups, observed the known plaintext in each, cross-compared the groups and completed the whole plaintext:

U0NURntEMF95MHVfcjNhMWx5X2tuMHdfY3J5cHQwOXJhcGh5P30=============

It was another base64-encoded string. So he base64-decoded the whole string:

SCTF{D0_y0u_r3a1ly_kn0w_crypt09raphy?}
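The recovery described above, as an added example that is not from the original write-up: it merges the five partially decrypted copies of the 64-byte line position by position, reports a conflict if two copies disagree, strips the extra '=' padding before base64-decoding, and also enumerates the (key[4], key[5]) pairs allowed by the 17557 constraint. The sample partial plaintext is constructed here from the final line with a different window blanked in each copy; the '?' marker and the function names are my own.

```python
import base64

GROUP_LEN = 64  # true plaintext length; the 320-byte blob is this line repeated 5 times
UNKNOWN = "?"   # constructed marker for a byte the partial decryption did not recover

def key_tail_candidates(target=17557):
    """All byte pairs (key[4], key[5]) with key[4] * (key[5] - 5) == target."""
    return [(a, b) for a in range(256) for b in range(256) if a * (b - 5) == target]

def merge_repeated_plaintext(partial, group_len=GROUP_LEN, unknown=UNKNOWN):
    """Split the partial plaintext into equal groups and combine them position by
    position. Raise if two groups disagree on a known byte (the copies were not
    really identical) or if some position is unknown in every group."""
    if len(partial) % group_len:
        raise ValueError("length %d is not a multiple of %d" % (len(partial), group_len))
    groups = [partial[i:i + group_len] for i in range(0, len(partial), group_len)]
    merged = []
    for pos in range(group_len):
        known = {g[pos] for g in groups if g[pos] != unknown}
        if len(known) > 1:
            raise ValueError("groups disagree at position %d: %s" % (pos, sorted(known)))
        if not known:
            raise ValueError("position %d is unknown in every group" % pos)
        merged.append(known.pop())
    return "".join(merged)

def decode_overpadded_base64(line):
    """The recovered 64-byte line is a 52-char base64 string filled out with extra
    '=' characters; strip all trailing padding and re-pad to a multiple of 4."""
    body = line.rstrip("=")
    return base64.b64decode(body + "=" * (-len(body) % 4))

def recover_flag(partial):
    """Merge the repeated copies, then base64-decode the completed line."""
    return decode_overpadded_base64(merge_repeated_plaintext(partial))

# Constructed sample input: the 64-character line from the write-up, repeated 5
# times with a different 16-character window blanked out in each copy, as if only
# part of every block had been decrypted. No single copy is complete on its own.
FULL_LINE = "U0NURntEMF95MHVfcjNhMWx5X2tuMHdfY3J5cHQwOXJhcGh5P30".ljust(GROUP_LEN, "=")

def _blank(line, start, end):
    return line[:start] + UNKNOWN * (end - start) + line[end:]

SAMPLE_PARTIAL = "".join(_blank(FULL_LINE, 12 * i, 12 * i + 16) for i in range(5))

if __name__ == "__main__":
    print(key_tail_candidates())          # [(97, 186), (181, 102)]
    print(recover_flag(SAMPLE_PARTIAL))   # b'SCTF{D0_y0u_r3a1ly_kn0w_crypt09raphy?}'
```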

Thank goodness! Praise Jesus!
Finally, we got the flag!!!