1 of 1

Easy Peasy

A one-time pad is unbreakable, but can you manage to recover the flag? (Wrap with picoCTF{}) nc mercury.picoctf.net 11188 otp.py

We are given a script otp.py and a remote service that serves the script. Let's analyse what it does.

It seems to first start up the process, then it loops an encrypt() function:

print("******************Welcome to our OTP implementation!******************")
c = startup(0)
while c >= 0:
	c = encrypt(c)

startup() has a short process:

So, it will read the flag from the file flag and the key from the file key. It will then grab the first len(flag) bytes of key.

Note this line:

is actually just an XOR operation that returns the result as a hex string. As such, it seems to use the bytes of key as a one-time-pad, XORing it with the flag and returning us the result.

Now let's move on to encrypt():

encrypt() does the same kind of thing, except with our input! The only difference is here:

The end point will be looped around to the start point, so once the first KEY_LEN bytes of the key file are used it will loop back around and start from the beginning. This makes it possible for us to gain the same OTP twice!

I'm going to use pwntools for this process. First we grab the encrypted flag:

Now I will feed a string of length KEY_LEN - enc_flag_len into the encrypt() function. Why? This will make the stop exactly 50000, meaning the next encryption will have a start of 0 again, generating the same OTP as it did for the original flag! Now because XOR is a involution - it undoes itself - we can send back the encrypted flag and it will undo the original XOR, returning us the flag!

Be careful that you decode the hex encoding and send the raw bytes!

The full script is as follows:

Easy Peasy

A one-time pad is unbreakable, but can you manage to recover the flag? (Wrap with picoCTF{}) nc mercury.picoctf.net 11188 otp.py

We are given a script otp.py and a remote service that serves the script. Let's analyse what it does.

It seems to first start up the process, then it loops an encrypt() function:

print("******************Welcome to our OTP implementation!******************")
c = startup(0)
while c >= 0:
	c = encrypt(c)

startup() has a short process:

KEY_FILE = "key"
KEY_LEN = 50000
FLAG_FILE = "flag"

def startup(key_location):
	flag = open(FLAG_FILE).read()
	kf = open(KEY_FILE, "rb").read()

	start = key_location
	stop = key_location + len(flag)

	key = kf[start:stop]
	key_location = stop

	result = list(map(lambda p, k: "{:02x}".format(ord(p) ^ k), flag, key))
	print("This is the encrypted flag!\n{}\n".format("".join(result)))

	return key_location

So, it will read the flag from the file flag and the key from the file key. It will then grab the first len(flag) bytes of key.

Note this line:

is actually just an XOR operation that returns the result as a hex string. As such, it seems to use the bytes of key as a one-time-pad, XORing it with the flag and returning us the result.

Now let's move on to encrypt():

encrypt() does the same kind of thing, except with our input! The only difference is here:

I'm going to use pwntools for this process. First we grab the encrypted flag:

Be careful that you decode the hex encoding and send the raw bytes!

The full script is as follows: