Nuit du Hack – Toil33t (AES-ECB challenge)

This challenge was about exploiting the weakness of AES in ECB mode. The description of the challenge is as follows:

Hey ! I really want to buy a toil33t, however it is not available yet! 😦 Can you access to the administrative page and take one for me?

The challenge is available at http://toil33t.quals.nuitduhack.com

Going to the webpage, we note that it stores a session id, which presumably is $\textsf{256-ROT13}(\textsf{AES-ECB}(\text{json}))$.

Fiddling around a bit with the registration, I could determine the json structure, which is

message = '{"username": "", "show_ad": false, "is_admin": false, "email": ""}'

I determined it using the data from http://toil33t.quals.nuitduhack.com/session and some more or less intelligent guessing (using padding and seeing which blocks change and which don't).

Now, AES-ECB has a peculiar property: each 16-byte block is encrypted independently of the others, so if we alter block 1 (without changing its length), block 2 is necessarily unchanged. Obviously, that applies to ROT13 as well. We can therefore choose the username at registration so that the text we want falls on a block boundary, and collect the corresponding encrypted blocks from each session. Creating three different sessions, registering with the usernames " ", "  true,           " and "          ", we get the following three ciphertext structures (I have omitted the actual ciphertext data from the server for clarity).

['{"username": " "'] (1)
[', "show_ad": fal'] (2)
['se, "is_admin": '] (3)
['false, "email": ']
['""}']

['{"username": "  ']
['true,           '] (4)
['", "show_ad": fa']
['lse, "is_admin":']
[' false, "email":']
[' ""}']

['{"username": "  ']
['        ", "show']
['_ad": false, "is']
['_admin": false, ']
['"email": ""}'] (5)

Using blocks (1-3)+(4)+(5), i.e.,

['{"username": " "'] (1) 19b27c7be7ce08a575fed2894c1ba754
[', "show_ad": fal'] (2) 799a5dc4824d8f51e2a78524b1020705
['se, "is_admin": '] (3) a6eaf0fe5db99c6755c21f277aff9502
['true,           '] (4) 32ee03defd1ef92d34a2c9c569024a61
['"email": ""}    '] (5) 3ac577b393f1e98a6bc16b426d1ce934

we are able to craft a session value which is

19b27c7be7ce08a575fed2894c1ba754799a5dc4824d8f51e2a78524b1020705a6eaf0fe5db99c67
55c21f277aff950232ee03defd1ef92d34a2c9c569024a613ac577b393f1e98a6bc16b426d1ce934

which gives the following:

[Screenshot, 2016-04-02 at 23.41.13]

This allowed us to access the admin panel and retrieve the flag

NDH{22cf96f723f08382606119fe574953b9}. Nice!
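The block splice described above, reproduced offline as an added example (not code from the original post or the challenge server), together with the MAC check that would reject it. Assumptions: a hashlib-based Feistel permutation stands in for AES, the keys are constructed, padding is spaces as block (5) is drawn, and the ROT13 layer is left out.

```python
import hashlib, hmac, json

# Constructed demo keys; the stand-in cipher below is NOT AES (stdlib has none).
KEY, MAC_KEY, BS = b"demo-enc-key", b"demo-mac-key", 16
TEMPLATE = '{"username": "%s", "show_ad": false, "is_admin": false, "email": ""}'

def _f(half, rnd):
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(b):
    # 4-round Feistel network acting as a keyed 16-byte permutation
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, i))
    return l + r

def dec_block(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, i)), l
    return l + r

def session_for(username):
    # ECB mode: each 16-byte block is encrypted independently of the others
    msg = (TEMPLATE % username).encode()
    msg += b" " * (-len(msg) % BS)  # assumed space padding, as drawn for block (5)
    return [enc_block(msg[i:i + BS]) for i in range(0, len(msg), BS)]

def decode(blocks):
    return json.loads(b"".join(dec_block(b) for b in blocks))

def spliced_session():
    a = session_for(" ")                    # blocks (1)-(3)
    b = session_for("  true," + " " * 11)   # block (4)
    c = session_for(" " * 10)               # block (5)
    return a[:3] + [b[1], c[4]]

def tag(blocks):
    # Mitigation: a MAC over the whole token binds the blocks together
    return hmac.new(MAC_KEY, b"".join(blocks), hashlib.sha256).digest()

def verify(blocks, t):
    return hmac.compare_digest(tag(blocks), t)

if __name__ == "__main__":
    forged = spliced_session()
    print(decode(forged), verify(forged, tag(session_for(" "))))
```

The spliced token decodes to valid JSON with `is_admin` set to true, yet it matches no tag the server ever issued, so a server that checks the tag before decrypting rejects it.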


7 thoughts on “Nuit du Hack – Toil33t (AES-ECB challenge)”

  1. Hello and thank you for posting the solution! I'm not sure, however, if I understood the padding part and why it is needed. Could you please explain it or give me a link where I can read more? Thanks in advance!

    1. You need a key to encrypt AES, but in this particular instance, the key is known only to the server and this is where encryption takes place. Using the method described above, we don’t need the key though.
