TL;DR

recovering 150 unknown letters under a strict UTF-8 decoding barrier: touching any ciphertext block beyond the IV randomizes an entire plaintext block and almost always causes decrypt error

Analysis

Service behavior

From server.py

The server generates: a random AES key - secrets.token_bytes(16)
- a random 150-letter secret from string.ascii_letters
- magic_key = json.dumps({"key": secret})
It prints encrypted_word: <base64(IV||AES-CBC(pad^3(magic_key)))>
It runs 10000 rounds of
- read a line q
- if q == magic_key: print the flag
- then decode as base64 and print a decryption oracle result
  - decrypt error if AES-CBC decrypt / any of the three unpad calls / UTF-8 decode fails
  - json error if UTF-8 succeeds but JSON parse fails
  - ok if JSON parse succeeds and has key

make any target block become $P_0$

I can only safely work on $P_0$ , but the secret spans many blocks. The server accepts an IV from the ciphertext we submit, so we can reframe the ciphertext.

Let the original ciphertext be $IV_0 \| C_0 \| C_1 \| \dots \| C_{12}$

For any $i \ge 1$ , build a new ciphertext by dropping the prefix and setting the IV to the previous ciphertext block

$CT_i = C_{i-1} \| C_i \| C_{i+1} \| \dots \| C_{12}$

Now the first plaintext block under $CT_i$ is $P'_0 = D_K(C_i) \oplus C_{i-1} = P_i$

So we can attack each original block $P_i$ as if it were the first block.

This is why truncation is safe

AES-CBC decrypt works block-by-block; dropping leading blocks does not affect later blocks.
PKCS#7 unpadding only checks the end, which we keep intact.
The server only requires the input length to be at least 3 blocks

The two oracles we build from the server responses

1. Quote-injection JSON oracle (exact letter recovery from an “ok” baseline)

Suppose we have a ciphertext that decrypts to valid JSON and thus returns “ok”

Inside JSON, the key value is a string. If we turn one of its bytes into a literal quote “(0x22), the string terminates early and the remaining characters break JSON syntax, causing “json error”.

Because IV flips let us XOR any chosen byte of $P_0$ , we can test is the plaintext byte equal to candidate $c$ ? by applying

$\Delta = \text{ord}(c) \oplus 0x22$ $IV[j] \leftarrow IV[j] \oplus \Delta$

The solver avoids false positives by first probing with a/b If at least one of those probes still returns “ok”, the real letter is lowercase.

Otherwise, treat it as uppercase.

2. UTF-8 lead-byte oracle

For suffix ciphertexts $CT_i$ , the plaintext is not JSON, so the baseline is json error

I can turn UTF-8 decoding into a 1-bit test by forcing a 2-byte UTF-8 sequence

Valid 2-byte UTF-8: lead in $[0xC2,0xDF]$ , continuation in $[0x80,0xBF]$ .
Any ASCII letter $x$ satisfies $x \oplus 0xC0 \in [0x80,0xBF]$ .

So for a position pos in the first block, we do two IV flips

Flip byte pos by $\Delta$

Flip byte pos+1 by $0xC0$

Then UTF-8 decoding succeeds iff the modified pos byte is a valid lead

$b(\Delta) = \mathbf{1}\big[(p \oplus \Delta) \in [0xC2,0xDF]\big]$

The server tells us whether decoding succeeded via decrypt error

decrypt error means invalid UTF-8: $b(\Delta)=0$
json error (ok) means UTF-8 survived: $b(\Delta)=1$

This provides a membership test over the unknown byte $p$ .

Limitation (XOR-1 ambiguity): The interval $[0xC2,0xDF]$ is invariant under XOR 1, meaning

for any $x$ in that interval, $x \oplus 1$ is also in the interval. Therefore $b(\Delta)$ cannot distinguish $p$ from $p \oplus 1$ for any choice of $\Delta$ .

A-Za-z, XOR 1 partitions letters into 28 classes: most are pairs like {b,c}, {d,e}, ..., {B,C}, ... plus four singletons {a}, {A}, {z}, {Z}.

The UTF-8 oracle can identify which class the byte belongs to, but not which element of the pair.

The solver performs a decision tree over these classes by choosing deltas that split the remaining class set as evenly as possible until one class remains.

Bridging the oracles

The quote-injection oracle only works when the baseline is ok, but a suffix plaintext starts with letters and therefore returns json error

We fix this by rewriting the first 9 bytes into the known JSON prefix {"key": " using IV flips.

For a suffix $CT_i$ , the first plaintext block is $P_i$ . Its first 9 bytes are unknown letters $u_0..u_8$ . Using the UTF-8 oracle we narrow each $u_j$ to a set $S_j$ of size 1 or 2.

So there are at most $|S_0 \times \dots \times S_8| \le 2^9 = 512$

choices for $(u_0..u_8)$ .

Exploit

1
HOST_DEFAULT = "cbc-magic-word.seccon.games"
2
PORT_DEFAULT = 3333
3

4
MAGIC_LEN = 150
5
MAGIC_PREFIX = '{"key": "'
6
MAGIC_SUFFIX = '"}'
7
MAGIC_PREFIX_BYTES = MAGIC_PREFIX.encode()
8
QUOTE = ord('"')
9

10

11
@dataclass
12
class Remote:
13
    sock: socket.socket
14
    buf: bytearray
15

16
    @classmethod
17
    def connect(cls, host: str, port: int, timeout: float) -> "Remote":
18
        sock = socket.create_connection((host, port), timeout=timeout)
19
        sock.settimeout(timeout)
20
        return cls(sock=sock, buf=bytearray())
21

22
    def close(self) -> None:
23
        try:
24
            self.sock.close()
25
        except OSError:
26
            pass
27

28
    def _recv_more(self) -> None:
29
        chunk = self.sock.recv(4096)
30
        if not chunk:
31
            raise EOFError("connection closed")
32
        self.buf.extend(chunk)
33

34
    def recv_until(self, token: bytes) -> bytes:
35
        while True:
36
            idx = self.buf.find(token)
37
            if idx != -1:
38
                end = idx + len(token)
39
                out = bytes(self.buf[:end])
40
                del self.buf[:end]
41
                return out
42
            self._recv_more()
43

44
    def recv_line(self) -> bytes:
45
        while True:
46
            idx = self.buf.find(b"\n")
47
            if idx != -1:
48
                end = idx + 1
49
                out = bytes(self.buf[:end])
50
                del self.buf[:end]
51
                return out
52
            self._recv_more()
53

54
    def send_line(self, line: str) -> None:
55
        self.sock.sendall(line.encode() + b"\n")
56

57

58
def flip_plaintext_byte(iv_ciphertext: bytes, plaintext_pos: int, delta: int) -> bytes:
59
    if not (0 <= delta <= 0xFF):
60
        raise ValueError("delta must fit in a byte")
61
    if len(iv_ciphertext) < 16 + 16:
62
        raise ValueError("ciphertext too short")
63

64
    out = bytearray(iv_ciphertext)
65
    block_index = plaintext_pos // 16  # 0-based plaintext block (IV is block -1)
66
    offset = plaintext_pos % 16
67

68
    if block_index == 0:
69
        out[offset] ^= delta  # IV
70
        return bytes(out)
71

72
    prev_cipher_offset = 16 + (block_index - 1) * 16 + offset
73
    if prev_cipher_offset >= len(out):
74
        raise ValueError("plaintext_pos out of range for ciphertext")
75
    out[prev_cipher_offset] ^= delta
76
    return bytes(out)
77

78

79
def query(remote: Remote, iv_ciphertext: bytes) -> str:
80
    remote.recv_until(b"> ")
81
    remote.send_line(base64.b64encode(iv_ciphertext).decode())
82
    line = remote.recv_line().decode(errors="replace").strip()
83
    if line not in {"ok", "json error", "decrypt error"}:
84
        raise ValueError(f"unexpected response: {line!r}")
85
    return line
86

87

88
def split_iv_ciphertext(iv_ciphertext: bytes) -> tuple[bytes, list[bytes]]:
89
    if len(iv_ciphertext) < 32 or len(iv_ciphertext) % 16 != 0:
90
        raise ValueError("unexpected ciphertext length")
91
    iv = iv_ciphertext[:16]
92
    ct = iv_ciphertext[16:]
93
    blocks = [ct[i : i + 16] for i in range(0, len(ct), 16)]
94
    return iv, blocks
95

96

97
def build_suffix_ciphertext(blocks: list[bytes], iv0: bytes, start_block: int) -> bytes:
98
    if not (0 <= start_block < len(blocks)):
99
        raise ValueError("start_block out of range")
100
    if start_block == 0:
101
        return iv0 + b"".join(blocks)
102
    return blocks[start_block - 1] + b"".join(blocks[start_block:])
103

104

105
def xor1_letter_classes() -> list[tuple[str, ...]]:
106
    letters = set(string.ascii_letters)
107
    seen: set[str] = set()
108
    classes: list[tuple[str, ...]] = []
109
    for ch in string.ascii_letters:
110
        if ch in seen:
111
            continue
112
        mate = chr(ord(ch) ^ 1)
113
        if mate in letters:
114
            cls = tuple(sorted((ch, mate)))
115
        else:
116
            cls = (ch,)
117
        for c in cls:
118
            seen.add(c)
119
        classes.append(cls)
120
    classes.sort()
121
    return classes
122

123

124
XOR1_LETTER_CLASSES = xor1_letter_classes()
125
_LEAD2_BYTES = frozenset(range(0xC2, 0xE0))
126

127

128
def _class_expected_bit(cls: tuple[str, ...], delta: int) -> int:
129
    rep = cls[0]
130
    return 1 if ((ord(rep) ^ delta) in _LEAD2_BYTES) else 0
131

132

133
def _choose_delta_best_split(candidates: list[tuple[str, ...]]) -> int:
134
    best: tuple[int, int, int] | None = None
135
    best_delta: int | None = None
136
    for delta in range(256):
137
        ones = sum(_class_expected_bit(cls, delta) for cls in candidates)
138
        zeros = len(candidates) - ones
139
        if zeros == 0 or ones == 0:
140
            continue
141
        key = (abs(zeros - ones), -min(zeros, ones), delta)
142
        if best is None or key < best:
143
            best = key
144
            best_delta = delta
145
    if best_delta is None:
146
        raise RuntimeError("no splitting delta found; bug")
147
    return best_delta
148

149

150
def _lead2_utf8_oracle(remote: Remote, base_ct: bytes, pos: int, delta: int) -> bool:
151
    if not (0 <= pos < 15):
152
        raise ValueError("pos must be within first block (0..14)")
153
    b = bytearray(base_ct)
154
    b[pos] ^= delta
155
    b[pos + 1] ^= 0xC0
156
    return query(remote, bytes(b)) != "decrypt error"
157

158

159
def recover_xor1_class(remote: Remote, base_ct: bytes, pos: int) -> tuple[str, ...]:
160
    candidates = list(XOR1_LETTER_CLASSES)
161
    while len(candidates) > 1:
162
        delta = _choose_delta_best_split(candidates)
163
        bit = 1 if _lead2_utf8_oracle(remote, base_ct, pos, delta) else 0
164
        candidates = [cls for cls in candidates if _class_expected_bit(cls, delta) == bit]
165
    return candidates[0]
166

167

168
def build_ok_ciphertext_from_prefix_guess(
169
    base_ct: bytes, guessed_first9: bytes, prefix_bytes: bytes
170
) -> bytes:
171
    if len(guessed_first9) != 9:
172
        raise ValueError("guessed_first9 must be 9 bytes")
173
    if len(prefix_bytes) != 9:
174
        raise ValueError("prefix_bytes must be 9 bytes")
175
    iv_base = base_ct[:16]
176
    rest = base_ct[16:]
177
    iv = bytearray(iv_base)
178
    for j in range(9):
179
        iv[j] = iv_base[j] ^ guessed_first9[j] ^ prefix_bytes[j]
180
    return bytes(iv) + rest
181

182

183
def quote_oracle(remote: Remote, base_ct: bytes, plaintext_pos: int, candidate: str) -> bool:
184
    delta = ord(candidate) ^ QUOTE
185
    ct = flip_plaintext_byte(base_ct, plaintext_pos, delta)
186
    return query(remote, ct) == "ok"
187

188

189
def recover_letter(remote: Remote, base_ct: bytes, plaintext_pos: int) -> str:
190
    ok_a = quote_oracle(remote, base_ct, plaintext_pos, "a")
191
    ok_b = quote_oracle(remote, base_ct, plaintext_pos, "b")
192

193
    if ok_a or ok_b:
194
        alphabet = string.ascii_lowercase
195
        if not ok_a:
196
            return "a"
197
        if not ok_b:
198
            return "b"
199
        candidates = alphabet[2:]
200
    else:
201
        alphabet = string.ascii_uppercase
202
        candidates = alphabet
203

204
    for ch in candidates:
205
        if not quote_oracle(remote, base_ct, plaintext_pos, ch):
206
            return ch
207

208
    raise RuntimeError("no candidate matched; oracle assumptions broken")
209

210

211
def main() -> int:
212
    parser = argparse.ArgumentParser()
213
    parser.add_argument("--host", default=HOST_DEFAULT)
214
    parser.add_argument("--port", default=PORT_DEFAULT, type=int)
215
    parser.add_argument("--timeout", default=30.0, type=float)
216
    args = parser.parse_args()
217

218
    remote = Remote.connect(args.host, args.port, timeout=args.timeout)
219
    try:
220
        banner = remote.recv_line().decode(errors="replace").strip()
221
        if not banner.startswith("encrypted_word: "):
222
            raise ValueError(f"unexpected banner: {banner!r}")
223
        b64 = banner.split("encrypted_word: ", 1)[1].strip()
224
        full_ct = base64.b64decode(b64)
225
        iv0, blocks = split_iv_ciphertext(full_ct)
226
        if len(blocks) != 13:
227
            raise ValueError(f"unexpected block count: {len(blocks)}")
228

229
        recovered_key = []
230
        for k in range(7):
231
            pos = len(MAGIC_PREFIX) + k
232
            ch = recover_letter(remote, full_ct, pos)
233
            recovered_key.append(ch)
234
            print(f"[block0 {k+1}/7] {''.join(recovered_key)}", file=sys.stderr)
235

236
        for i in range(1, 10):
237
            base_ct = build_suffix_ciphertext(blocks, iv0, i)
238
            classes = [recover_xor1_class(remote, base_ct, pos) for pos in range(9)]
239
            options = [[ord(ch) for ch in cls] for cls in classes]
240

241
            ok_ct = None
242
            ok_first9 = None
243
            for combo in itertools.product(*options):
244
                guessed = bytes(combo)
245
                ct_try = build_ok_ciphertext_from_prefix_guess(base_ct, guessed, MAGIC_PREFIX_BYTES)
246
                if query(remote, ct_try) == "ok":
247
                    ok_ct = ct_try
248
                    ok_first9 = guessed
249
                    break
250

251
            start = 9
252
            end = 16 if i < 9 else 15
253
            tail = []
254
            for pos in range(start, end):
255
                tail.append(recover_letter(remote, ok_ct, pos))
256
            block_letters = ok_first9.decode() + "".join(tail)
257
            recovered_key.append(block_letters)
258
            print(f"[block{i}] {block_letters}", file=sys.stderr)
259

260
        key_str = "".join(recovered_key)
261
        if len(key_str) != MAGIC_LEN:
262
            raise RuntimeError(f"internal length mismatch: {len(key_str)} != {MAGIC_LEN}")
263

264
        magic = MAGIC_PREFIX + key_str + MAGIC_SUFFIX
265
        print(magic, file=sys.stderr)
266

267
        remote.recv_until(b"> ")
268
        remote.send_line(magic)
269

270
        out = []
271
        while True:
272
            try:
273
                out.append(remote.recv_line())
274
            except EOFError:
275
                break
276
        sys.stdout.write(b"".join(out).decode(errors="replace"))
277
        return 0
278
    finally:
279
        remote.close()
280

281

282
if __name__ == "__main__":
283
    raise SystemExit(main())

[SECCON CTF 14] cbc-magic-word writeup