# Hacking Tube

## HITCON CTF 2016 Quals -- Hackpad

Category: Crypto & Forensics
Points: 150

I did not look at this challenge at first, until I found that many teams have already solved this one except us, so I decide to give it a try :P

It first gave us a pcap file. Several of my teammates have already extract some information before I started to solve the challenge. To be brief, these packets contain the following message:

First is the encrypted secret:

And the packets that contain the information of the decrypt message:

Looks like someone was sending a bunch of encrypted message, and try to let the server decrypt the message for him. I also found that we can split the encrypted message by every 32 character:

Notice the line that marked "here!", the string is actually identical to sencond half of 00000000000000000000000000000000997d9369c74c82abba4cc3b1bfc65f02.

I suck at crypto, so at first I just keep inspecting the decrypt message info, hoping that I can find some special pattern so I can use it to decrypt the secret. And of course I failed miserably, until I notice that some of the decrypt request were failed -- the server response with the code 500 ( or 403 ) instead of 200. And that's the moment I started to think "Wait a minute...this looks familiar...isn't this the pattern of the padding oracle attack ?" And so I start googling about the padding oracle attack.

And guess what ? It IS the padding oracle attack !

So with the help of this writeup posted by MSLC, I figured out that to decrypt the message 997d9369c74c82abba4cc3b1bfc65f02 (let's call it C1), first we'll have to find the value of AES_Decrypt(C1), which can be done by xor-ing the value of 67acd06f7f7b28762310ce1213fccb11(last attacker's ciphertext) and 10101010101010101010101010101010(padding). After we get the value of AES_Decrypt(C1), we can decrypt C1 by doing AES_Decrypt(C1) xor C0. C0 is the first block of the ciphertext, which is 3ed2e01c1d1248125c67ac637384a22d in this case.

And so I wrote a script to decrypt the whole message:

ggg is a file that store the value of encrypt(secret) and all the last attacker's ciphertext ( grab it from pcap file with the help of strings & grep )

And so we have the decrypted message:

flag: hitcon{H4cked by a de1ici0us pudding '3'}