# Nuit du Hack – Toil33t (AES-ECB challenge)

This was a challenge consisting of exploitation of the AES-ECB weakness. The description of the challenge is as follows:

Hey ! I really want to buy a toil33t, however it is not available yet! 😦 Can you access to the administrative page and take one for me?

The challenge is available at http://toil33t.quals.nuitduhack.com

Going to the webpage, we note that stores a session id, which presumably is $\textsf{256-ROT13}(\textsf{AES-ECB}(json))$.

Fiddling around a bit with the registration, I could determine the json structure, which is

message = '{"username": "", "show_ad": false, "is_admin": false, "email": ""}'

I determined it using the data from http://toil33t.quals.nuitduhack.com/session and some more or less intelligent guessing (using padding and see which blocks change and which doesn’t).

Now, we know that AES-ECB has a peculiar property; any two encrypted blocks are pair-wise independent, meaning that if we alter (without changing its length) block 1, block 2 is necessarily unchanged. Obviously, that applies to ROT13 as well. Therefore, we can then obtain encrypted blocks for each such session, using corresponding username when registering. Creating three different sessions registering with username " ", "  true,           " and "          ", we get the following three ciphertexts structures (I have omitted the actual ciphertext data from the server for clarity).

['{"username": " "'] (1)
['false, "email": ']
['""}']

['true,           '] (4)
[' false, "email":']
[' ""}']

['        ", "show']
['"email": ""}'] (5)


Using blocks (1-3)+(4)+(5), i.e.,

['{"username": " "'] (1) 19b27c7be7ce08a575fed2894c1ba754
['true,           '] (4) 32ee03defd1ef92d34a2c9c569024a61
['"email": ""}    '] (5) 3ac577b393f1e98a6bc16b426d1ce934


we are able to craft a session value which is

$\begin{array}{l}\texttt{19b27c7be7ce08a575fed2894c1ba754799a5dc4824d8f51e2a78524b1020705a6eaf0fe5db99c67} \\ \texttt{55c21f277aff950232ee03defd1ef92d34a2c9c569024a613ac577b393f1e98a6bc16b426d1ce934}\end{array}$

which gives the following:

This allowed us to access the admin panel and retrieve the flag

NDH{22cf96f723f08382606119fe574953b9}. Nice!

## 7 thoughts on “Nuit du Hack – Toil33t (AES-ECB challenge)”

1. yanapermana says:

Awesome, I could n’t continue it, I had a problem with my health yesterday …

2. helloworld568916609 says:

Hello and thank you for posting the solution! Im not sure however if i understood the padding part and why is needed. Could you please explain it or give me a link where i can read more? Thanks in advance!

1. The padding part is there to make the decryption of the blocks into proper json-formatted data. I’ve added some additional explanation in the text 🙂

3. helloworld568916609 says:

also, do you need a key to encrypt AES? thanks

1. You need a key to encrypt AES, but in this particular instance, the key is known only to the server and this is where encryption takes place. Using the method described above, we don’t need the key though.