Numbers Go Brr

I wrote an amazing encryption service. It is definitely flawless, so I’ll encrypt the flag and give it to you.

By jocelyn (@jocelyn3270 on discord)

nc betta.utctf.live 7356

We’re provided a Python source file:

1
#!/usr/bin/env python3
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import pad
4
import time
5

6
seed = int(time.time() * 1000) % (10 ** 6)
7
def get_random_number():
8
    global seed
9
    seed = int(str(seed * seed).zfill(12)[3:9])
10
    return seed
11

12
def encrypt(message):
13
    key = b''
14
    for i in range(8):
15
        key += (get_random_number() % (2 ** 16)).to_bytes(2, 'big')
16
    cipher = AES.new(key, AES.MODE_ECB)
17
    ciphertext = cipher.encrypt(pad(message, AES.block_size))
18
    return ciphertext.hex()
19

20
print("Thanks for using our encryption service! To get the encrypted flag, type 1. To encrypt a message, type 2.")
21
while True:
22
    print("What would you like to do (1 - get encrypted flag, 2 - encrypt a message)?")
23
    user_input = int(input())
24
    if(user_input == 1):
25
        break
26

27
    print("What is your message?")
28
    message = input()
29
    print("Here is your encrypted message:", encrypt(message.encode()))
30

31

32
flag = open('./src/flag.txt', 'r').read()
33
print("Here is the encrypted flag:", encrypt(flag.encode()))

So, basically, we’re provided an AES oracle. It is seeded with a random number in the range [0, 10**6), which is used to calculate the keys for all encryptions.

10**6 is a small seed space. Therefore, this challenge is as simple as brute-forcing the seed. We can simply ask for the encrypted flag, and try all possible seeds (and each resulting key for the first encryption) and try to decrypt to get the flag! See the following implementation:

1
from pwn import *
2
from Crypto.Cipher import AES
3
from binascii import *
4
from tqdm import trange
5

6
p = remote('betta.utctf.live', 7356)
7
# seed = int(time.time() * 1000) % (10 ** 6)
8
def get_random_number():
9
    global seed
10
    seed = int(str(seed * seed).zfill(12)[3:9])
11
    return seed
12

13
p.recvuntil(b'?\n')
14
p.sendline(b'1')
15
ct = p.recvline().decode('ascii')[:-1].split(' ')[-1]
16

17
def decrypt(ct):
18
    key = b''
19
    for i in range(8):
20
        key += (get_random_number() % (2 ** 16)).to_bytes(2, 'big')
21
    cipher = AES.new(key, AES.MODE_ECB)
22
    pt = cipher.decrypt(ct)
23
    return pt
24

25
for seed in trange(10**6):
26
    pt = decrypt(unhexlify(ct))
27
    if b'flag' in pt:
28
        print(pt)
29
        break

Run the script to get the flag!

1
utflag{deep_seated_and_recurring_self-doubts}