Description
Can you abuse the oracle? An attacker was able to intercept communications between a bank and a fintech company. They managed to get the message (ciphertext) and the password that was used to encrypt the message. After some intensive reconnaissance they found out that the bank has an oracle that was used to encrypt the password and can be found here nc titan.picoctf.net 62026. Decrypt the password and use it to decrypt the message. The oracle can decrypt anything except the password.
Setup
Download secret.enc (the message) and password.enc (the RSA ciphertext).
Interact with the oracle at titan.picoctf.net 62026 to encrypt a chosen value and decrypt manipulated ciphertexts.
Solution
- Step 1: Encrypt a small multiplier. Ask the oracle to encrypt the value 2. The result (c_a) will later be multiplied with the captured password ciphertext (c).

  ```
  E → 0x02
  ```
- Step 2: Multiply and decrypt. Submit c * c_a to the decrypt endpoint. The oracle refuses to decrypt the original password, but this scaled ciphertext is acceptable. Because unpadded RSA is multiplicative, the product of the two ciphertexts decrypts to 2 times the password (mod n). Convert the hex response to an integer and divide by 2 to recover the password.

  ```python
  p.sendline(str(c_a * c).encode())
  ```
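- Step 3: Use the recovered password. Feed the plaintext password to OpenSSL to decrypt secret.enc and reveal the flag.

  ```
  openssl enc -aes-256-cbc -d -in secret.enc
  ```

Example automation script:

```python
from pwn import *

context.log_level = 'critical'

p = remote("titan.picoctf.net", 62026)

# Captured RSA ciphertext of the password, stored as a decimal integer
with open("password.enc") as f:
    c = int(f.read())

# Step 1: have the oracle encrypt the single byte 0x02 (m = 2)
# Each recvline() assumes the oracle replies with the bare number on its own line
p.sendline(b"E")
p.sendline(b"\x02")
c_a = int(p.recvline())

# Step 2: decrypt the scaled ciphertext, then divide the hex result by 2
p.sendline(b"D")
p.sendline(str(c_a * c).encode())
password = int(p.recvline(), 16) // 2

# Convert the recovered integer back to the password text
print(password.to_bytes((password.bit_length()+7)//8, 'big').decode())
```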
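The three steps above, reproduced offline against a toy oracle as an added example (not code from the original writeup or from picoCTF). The key is built from two well-known Mersenne primes, the names `make_oracle`, `recover` and `recover_naive` are hypothetical, and `recover` generalizes the divide-by-2 step to a modular inverse, which assumes the modulus n is known.

```python
# Added example: toy unpadded-RSA oracle. All values are constructed, not the challenge key.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537      # two Mersenne primes and the usual exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def encrypt(m: int) -> int:
    """Unpadded RSA encryption, standing in for the oracle's E option."""
    return pow(m, E, N)


def make_oracle(forbidden_c: int):
    """Return a decrypt function that refuses only the exact captured ciphertext."""
    def decrypt(c: int) -> int:
        if c % N == forbidden_c:
            raise PermissionError("oracle refuses to decrypt the password")
        return pow(c, D, N)
    return decrypt


def recover(c: int, decrypt, s: int = 2) -> int:
    """Recover m from c = m^e mod n by asking the oracle about s^e * c."""
    blinded = (encrypt(s) * c) % N         # equals (s*m)^e mod n, so it differs from c
    sm = decrypt(blinded)                  # oracle returns s*m mod n
    return (sm * pow(s, -1, N)) % N        # undo the factor s modulo n


def recover_naive(c: int, decrypt, s: int = 2) -> int:
    """The writeup's shortcut: integer division, correct only while s*m < n."""
    return decrypt(encrypt(s) * c) // s


if __name__ == "__main__":
    m = int.from_bytes(b"s3cr3t", "big")   # constructed sample password
    c = encrypt(m)
    oracle = make_oracle(c)
    print(recover(c, oracle).to_bytes(6, "big"))
```

Refusing one exact ciphertext is not an effective control here, because any multiple of it decrypts to a value that reveals the plaintext. A padded scheme such as RSA-OAEP removes this multiplicative structure.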
Flag
picoCTF{su((3ss_(r@ck1ng_r3@_24bc...}
Decrypting secret.enc with the recovered password yields the flag above.