This challenge was about exploiting the weakness of AES in ECB mode. The description of the challenge is as follows:
Hey ! I really want to buy a toil33t, however it is not available yet! 😦 Can you access to the administrative page and take one for me?
The challenge is available at http://toil33t.quals.nuitduhack.com
Going to the webpage, we note that stores a session id, which presumably is .
Fiddling around a bit with the registration, I could determine the JSON structure, which is
message = '{"username": "", "show_ad": false, "is_admin": false, "email": ""}'
I determined it using the data from http://toil33t.quals.nuitduhack.com/session and some more or less intelligent guessing (using padding and seeing which blocks change and which don’t).
Now, we know that AES-ECB has a peculiar property: any two encrypted blocks are pair-wise independent, meaning that if we alter block 1 (without changing its length), block 2 is necessarily unchanged. Obviously, that applies to ROT13 as well. Therefore, we can obtain the encrypted blocks we need from separate sessions, choosing the username accordingly when registering. Creating three different sessions, registering with the usernames " ", " true, " and " ", we get the following three ciphertext structures (I have omitted the actual ciphertext data from the server for clarity).
['{"username": " "'] (1)
[', "show_ad": fal'] (2)
['se, "is_admin": '] (3)
['false, "email": ']
['""}']

['{"username": " ']
['true, '] (4)
['", "show_ad": fa']
['lse, "is_admin":']
[' false, "email":']
[' ""}']

['{"username": " ']
[' ", "show']
['_ad": false, "is']
['_admin": false, ']
['"email": ""}'] (5)
Using blocks (1-3)+(4)+(5), i.e.,
['{"username": " "'] (1) 19b27c7be7ce08a575fed2894c1ba754
[', "show_ad": fal'] (2) 799a5dc4824d8f51e2a78524b1020705
['se, "is_admin": '] (3) a6eaf0fe5db99c6755c21f277aff9502
['true, '] (4) 32ee03defd1ef92d34a2c9c569024a61
['"email": ""} '] (5) 3ac577b393f1e98a6bc16b426d1ce934
we are able to craft a session value which is
which gives the following:
This allowed us to access the admin panel and retrieve the flag NDH{22cf96f723f08382606119fe574953b9}. Nice!
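A local sketch of the block splicing described above, together with the integrity check that rejects it. This is an added example, not code from the challenge or the original post: a toy 16-byte Feistel cipher stands in for AES (the weakness belongs to ECB mode, not to the cipher), the ROT13 layer is left out, and the keys, the space padding, the usernames and all function names are assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-enc-key"     # constructed secret, known only to the "server"
MAC_KEY = b"constructed-mac-key" # separate constructed key for the integrity tag
BS = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(i, half):                 # Feistel round function (toy cipher, NOT AES)
    return hashlib.sha256(KEY + bytes([i]) + half).digest()[:8]

def enc_block(b):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(i, r))
    return l + r

def dec_block(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(i, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def issue(username):             # ECB: every block is encrypted on its own
    pt = json.dumps({"username": username, "show_ad": False,
                     "is_admin": False, "email": ""}).encode()
    pt += b" " * (-len(pt) % BS)             # space padding is an assumption
    return b"".join(enc_block(b) for b in blocks(pt))

def read(token):                 # what an ECB-only server accepts
    return json.loads(b"".join(dec_block(b) for b in blocks(token)))
def issue_mac(username):         # hardened: tag covers the whole ciphertext
    ct = issue(username)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def read_mac(token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        raise ValueError("session token failed integrity check")
    return read(ct)

def splice():                    # blocks (1-3)+(4)+(5) from the write-up
    a = blocks(issue("A"))                         # constructed usernames
    b = blocks(issue("AA" + "true,".ljust(BS)))    # block 1 is 'true,' + padding
    c = blocks(issue("AA" + " " * 8))              # block 4 is '"email": ""}' + padding
    return b"".join(a[:3] + [b[1], c[4]])
```

`read(splice())` returns a session with `is_admin` set to true even though no issued token ever had it, while `read_mac` raises on the same blocks because no valid tag exists for the rearranged ciphertext.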
Awesome, I couldn’t continue it, I had a problem with my health yesterday…
Oh, sorry to hear that… hope you are better now!
Hello and thank you for posting the solution! I’m not sure however if I understood the padding part and why it is needed. Could you please explain it or give me a link where I can read more? Thanks in advance!
The padding part is there to make the decryption of the blocks into proper json-formatted data. I’ve added some additional explanation in the text 🙂
Also, do you need a key to encrypt AES? Thanks
You need a key to encrypt AES, but in this particular instance, the key is known only to the server and this is where encryption takes place. Using the method described above, we don’t need the key though.