TL;DR

AES CTR 송신 루프가 counter를 block 수만큼 증가시키지 않아 연속 keystream 재사용이 발생
두 암호문을 한 블록씩 어긋나게 XOR하여 plaintext XOR 연쇄를 구성
printable scoring 탐색

Analysis

1
#!/usr/bin/env python3
2
import sys
3
import time
4
from binascii import hexlify
5
from Crypto.Cipher import AES
6
from Crypto.Util import Counter
7
from Crypto.Random import get_random_bytes
8
from ctf_secrets import MESSAGE
9

10
KEY = get_random_bytes(16)
11
NONCE = get_random_bytes(8)
12

13
WELCOME = '''
14
     ,-.
15
    /   \
16
   :     \      ....*
17
   | . .- \-----00''
18
   : . ..' \''//
19
    \ .  .  \/
20
     \ . ' . NASA Deep Space Listening Posts
21
  , . \       \     ~ Est. 1969 ~
22
,|,. -.\       \
23
    '.|| `-...__..-
24
      | | "We're always listening to you!"
25
     |__|
26
    /||\\
27
    //||\\
28
   // || \\\
29
__//__||__\\__
30
'--------------'
31
'''
32

33
def main():
34

35
    # Print ASCII art and intro
36
    sys.stdout.write(WELCOME)
37
    sys.stdout.flush()
38
    time.sleep(0.5)
39

40
    sys.stdout.write("\nConnecting to remote station")
41
    sys.stdout.flush()
42

43
    for i in range(5):
44
        sys.stdout.write(".")
45
        sys.stdout.flush()
46
        time.sleep(0.5)
47

48
    sys.stdout.write("\n\n== BEGINNING TRANSMISSION ==\n\n")
49
    sys.stdout.flush()
50

51
    C = 0
52
    while True:
53
        ctr = Counter.new(64, prefix=NONCE, initial_value=C, little_endian=False)
54
        cipher = AES.new(KEY, AES.MODE_CTR, counter=ctr)
55
        ct = cipher.encrypt(MESSAGE)
56
        sys.stdout.write("%s\n" % hexlify(ct).decode())
57
        sys.stdout.flush()
58
        C += 1
59
        time.sleep(0.5)
60

61
if __name__ == "__main__":
62
    main()

Counter.new(64, prefix=NONCE, initial_value=C, little_endian=False)는 상위 64비트를 8바이트 NONCE, 하위 64비트를 big endian counter로 사용하는 AES CTR counter 객체를 생성
루프 변수 C는 메시지를 한 번 보낼 때마다 1씩 증가
cipher.encrypt(MESSAGE)는 길이 $L$ 인 plaintext를 암호화하고, 결과 ciphertext는 hexlify 후 표준 출력으로 전송
MESSAGE 길이는 shell 로그 기준 0x343바이트이므로 최소 21개의 16바이트 블록을 포함

CTR 모드에서 keystream block $K_i$ 는 nonce와 counter의 조합으로 결정된다. 첫 번째 전송에서 사용되는 counter는 $0,1,2,\dots,m-1$ 이다. 두 번째 전송에서는 초기 값이 $C=1$ 이므로 counter 집합은 $1,2,3,\dots,m$ 이다. 따라서 block 인덱스 관계는 다음과 같다.

\begin{aligned} C^{(0)}_i &= P^{(0)}_i \oplus K_i \\ C^{(1)}_{i-1} &= P^{(1)}_{i-1} \oplus K_i \end{aligned}

두 식을 XOR하면 keystream이 제거되어

$C^{(0)}_i \oplus C^{(1)}_{i-1} = P^{(0)}_i \oplus P^{(1)}_{i-1}$

plaintext XOR 연쇄가 얻어진다. $C$ 가 block 수 $m$ 만큼 증가하지 않는 버그 때문에 keystream이 한 block만큼 이동하여 재사용된다.

Exploit

1
from pwn import *
2
import string
3

4
context.log_level = 'debug'
5

6
PRINTABLE_SET = set(range(0x20, 0x7F)) | {0x0a, 0x0d, 0x09}
7

8
def char_score(b):
9
    if b in (0x0a, 0x0d):
10
        return 6
11
    if 0x30 <= b <= 0x39:
12
        return 5
13
    if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
14
        return 8
15
    if b == 0x20:
16
        return 7
17
    if b in map(ord, ".,:;!?()[]{}<>-_'\"/@\\"):
18
        return 4
19
    if b in PRINTABLE_SET:
20
        return 1
21
    return -50
22

23
def score_chain(bytes_seq):
24
    return sum(char_score(x) for x in bytes_seq)
25

26
def recv_cipher_lines(p, n=2):
27
    p.recvuntil(b'==\n')
28
    while True:
29
        line = p.recvline(timeout=5)
30
        if not line:
31
            continue
32
        if line.strip():
33
            cts = []
34
            try:
35
                cts.append(bytes.fromhex(line.strip().decode()))
36
            except Exception:
37
                continue
38
            break
39
    while len(cts) < n:
40
        line = p.recvline(timeout=5)
41
        if not line:
42
            continue
43
        line = line.strip()
44
        if not line:
45
            continue
46
        try:
47
            ct = bytes.fromhex(line.decode())
48
        except Exception:
49
            continue
50
        cts.append(ct)
51

52
    lengths = {len(c) for c in cts}
53
    if len(lengths) != 1:
54
        raise ValueError('ciphertext lengths differ')
55
    return cts
56

57
def xor_bytes(a, b):
58
    return bytes(x ^ y for x, y in zip(a, b))
59

60
def recover_message(ct0, ct1):
61
    L = len(ct0)
62
    if L != len(ct1) or L < 32:
63
        raise ValueError('need two equal-length ciphertexts, >=32 bytes')
64

65
    delta = xor_bytes(ct0[16:], ct1[:-16])
66

67
    M = bytearray(L)
68

69
    for r in range(16):
70
        best_seed = None
71
        best_score = -10**9
72
        best_chain = None
73

74
        for seed in PRINTABLE_SET:
75
            chain = []
76
            v = seed
77
            i = r
78
            ok = True
79
            chain.append(v)
80
            while i <= L - 16 - 1:
81
                v = v ^ delta[i]
82
                chain.append(v)
83
                if v not in PRINTABLE_SET:
84
                    ok = False
85
                    break
86
                i += 16
87
            if not ok:
88
                continue
89
            sc = score_chain(chain)
90
            if sc > best_score:
91
                best_score = sc
92
                best_seed = seed
93
                best_chain = chain
94

95
        if best_seed is None:
96
            best_seed = 0x20
97
            best_chain = [best_seed]
98
            v = best_seed
99
            i = r
100
            while i <= L - 16 - 1:
101
                v = v ^ delta[i]
102
                best_chain.append(v)
103
                i += 16
104

105
        M[r] = best_chain[0]
106
        i = r
107
        idx = 1
108
        while i <= L - 16 - 1:
109
            M[i + 16] = best_chain[idx]
110
            i += 16
111
            idx += 1
112

113
    return bytes(M)
114

115
def main():
116
    p = remote('chal.sunshinectf.games', 25403)
117
    ct0, ct1 = recv_cipher_lines(p, n=2)
118
    msg = recover_message(ct0, ct1)
119

120
    try:
121
        s = msg.decode('utf-8')
122
    except UnicodeDecodeError:
123
        try:
124
            s = msg.decode('latin-1')
125
        except UnicodeDecodeError:
126
            s = ''.join(chr(b) if 32 <= b < 127 else '.' for b in msg)
127

128
    print(s)
129

130
if __name__ == '__main__':
131
    main()

delta = xor_bytes(ct0[16:], ct1[:-16])는 첫 번째 암호문의 block 1 이후와 두 번째 암호문의 마지막 block 이전을 XOR하여 $P^{(0)}_i \oplus P^{(1)}_{i-1}$ 체인을 만든다
각 열에 대해 모든 초기 seed 후보를 탐색

1
    b'== BEGINNING TRANSMISSION ==\n'
2
    b'\n'
3
[DEBUG] Received 0x343 bytes:
4
    b'497e8eba7052109da931829016a3255e63104b814893976216ee6ca86ad7fdd4f4c00b69f3af51250951b4e653a6b727b6a56d07a7f2f74be92d13c4dafc1b02dcb4856706727c51b1fa7031db854ab0413008d5ebe0ba4e715fb23b0abddddf5f5a1182284b3e82a7006653450020c608208eaf1100f1720449a547da2d5797cc698018c0a579e06a45a30df79d03030e4af1ef76d1c6cc1929f2eb66f36dda5da3cfb81c8b6dc8cc653ba3394258c15fc12e5215c25fc48a7dc495c2e7688ae9397107012bc67488057e612cb070552c2a8c4018d1dee92b818b83c81a868e4b312912dbba9017dcabe7d9a40b1d9eed2c696f73d5f56409dec4c72fd2e9b9841bcdef93cc1f7266e030620d961939615209d21d7f020c6a850d0ef10df35f6a94e00f2b6a67d7fda433e2c40f1583ed1431a8ac4e9f020bebd01cd0a82420f27cfc825cafb03465b678cae14087298b0b263c1c10f208dcd5facbc0b719be10f03af600467e0ba656fdd9044f6482e1b2a26ddd4bf160af6e419d020837a6af6bf5890b5076a5bf11e969f912103db5a906f73c59d73eda00d5e87144b99e4a\n'
5
[DEBUG] Received 0x343 bytes:
6
    b'480b40834fd4d94c11e2248c7885ead3f5cc457aefa11e190f51bdf354e3ba3cb2af2353bcbaf94abb741dc58ef11400d0fb882f1d69784bb1f770649f825ca843620ad9e1b3b055230bb07209badec818581c87230e25d7a14f2b4e4a0d74cc5c3196bb0c45ea345001e144d33a11c39628b808c7a57ff26a00a25afd810a534e4ac9e263858fd9553fffa478fa6a8d44e69bb10f9a6ddacd703fa0600544894d845e5f12d310d98e7dc6d99db77d81e9394f0a0226896d88087c6131af65163a7e834f0a8897fa2e94c7c1df5593c05c65291fdcff890790a1b2d8b50b1899fa7e6d7f60d5e664078de1c82293feb5d70ac7f297c81f7268b5132e1c984a38284205c91a6d410c22955e5ae010be482388e55a1d7835d7fde660b6d2080a82a81533ed9b0f8f1305a3d15983aa3372f660ea8e58eaf2386df96bdfb1458d71831435210f19ab4183c5bbc2d5a404b557bd0ef1000a7343fe15fdd4134f7882a2fb846dd104eb28a572058c4a492aa0ac79e8c9140c6adabf4ef862b76d533daf8d1cac7935d550cc4490e86c2fe79843e8eaa86c9eb65b6011c0fb42b11be380\n'
7
Greerings, Earthlingu. It has come ti our attention rhat you have chisen to downgradc our mighty plahet to the statuu of 'dwarf'. Ler it be known thgt although we ate small, the Plstonian space napy will not stanb idly by and aceept such disresvect. Please conract us to discuus the terms of Carth's surrendet before we arripe in approximatcly 10 years. Usc this transmissoon code: sun{n3p3r_c0unt_0ut_th5_p1ut0ni4ns}
8
[*] Closed connection to chal.sunshinectf.games port 25403

키 바이트 후보를 잘못 잡아 플래그가 다르게 나오는데, sun{n3v3r_c0unt_0ut_th3_p1ut0ni4ns}로 잡으면 풀린다.

[SunshineCTF 2025] Plutonian writeup

TL;DR

Analysis

Exploit