Damjan Cvetko

Damjan Cvetko

Developer, System Architect, Hacker.

2 minutes read

Challenge: Since Christmas is getting close, there has been a lot of fake news and Santa is getting some strange messages.

Elves are struggling to handle all security incidents, but they are busy also with some other things. Their intelligence intercepted some strange message:
a61e563297243b00602d82576e9732cc92446a62c772bf1c986ec7b53daa980e

They have seen also some words like Santa on the wire, but they are clueless about what do they mean.

Can you help them to solve this mystery, since the clock is ticking?

This one was impossible. The 32 bytes hinted to SHA256 but I couldn't figure out what to do with it. Bruteforcing for a day did not help, how could it… There was just no way to bruteforce the format that flags are usually in. “Fake news” and “incidents” made me think of some sort of responsible disclosure, Telegram, Signal… but then I just asked for help, it was 26th and I spent too much time this already.

The hind I got was “DES”, and well it kinda makes sense. There are a few options to DES, so I just brute forced all combinations. I knew part of the key, or at least I thought I knew. DES takes 8 bytes for a key and we already know part of it is “Santa”.

In the end, the right key was santa123, and it was luck I caught it. The right DES mode was DES-ECB.

$r = openssl_decrypt($raw, "des-ecb", $key, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING);

Flag: xmas{You_better_watch_out!}

What did I learn: Stuff about DES. That bit 0 is ignored, that CBC will still decrypt the first block, but then fails. Padding is importiant.

Recent posts

See more

Categories

About