Hack The Box / Challenges / Crypto / Mission Impossible

Your mission, should you chose to accept it, is to decrypt the provided intercepted email, and follow the rabbit hole.

The email message is a file of 2352 bytes, look like a hex encoded message.

First thing I did was to try look around for KT-B42.. that's one of the few hints we get from the challenge. I couldn't find anything interesting.

Doing a first frequency analysis on two-byte (assuming it is originally in hex) codes, we get:

    83  49
    1   39
    12  34
    17  31
    10  31
    22  30
    4   28
    16  28
    0   27
    8   26
    7   26
    66  25
    29  25
    26  24
    27  22
    9   21
    94  20
    2   19
    15  19
    88  18
    28  18
    25  17
    18  17
    69  16
    67  16
    82  15
    68  15
    23  15
    21  15
    95  14
    85  14
    73  14
    31  14
    11  14
    84  13
    80  13
    3   13
    91  12
    81  12
    78  12
    77  12
    70  12
    64  12
    24  12
    14  12
    87  11
    5   11
    13  11
    89  10
    86  10
    79  10
    76  10
    20  10
    93  9
    71  9
    ...

For the first 50 most frequent codes. We can see that most of the codes are not being used. If we don't sort this frequency table, we see two clusters, one at the lowest valued codes, then another one at around 64 to 95. This leads to believe this is not a modern cipher.

The frequency distribution is not matching with english alphabet which means it shouldn't be a substitution cipher.

    83  49  4.17
    1   39  3.32
    12  34  2.89
    17  31  2.64
    10  31  2.64
    22  30  2.55
    4   28  2.38
    16  28  2.38
    0   27  2.30
    8   26  2.21
    7   26  2.21
    66  25  2.13
    29  25  2.13
    26  24  2.04
    27  22  1.87
    9   21  1.79
    94  20  1.70
    2   19  1.62
    15  19  1.62
    88  18  1.53
    28  18  1.53
    25  17  1.45
    18  17  1.45
    69  16  1.36
    67  16  1.36
    82  15  1.28
    68  15  1.28
    23  15  1.28
    21  15  1.28
    95  14  1.19
    85  14  1.19
    73  14  1.19
    31  14  1.19
    11  14  1.19
    84  13  1.11
    80  13  1.11
    3   13  1.11
    91  12  1.02
    81  12  1.02
    78  12  1.02
    77  12  1.02
    70  12  1.02
    64  12  1.02
    24  12  1.02
    14  12  1.02
    87  11  0.94
    5   11  0.94
    13  11  0.94
    89  10  0.85
    86  10  0.85
    ...

The english common text frequency distribution is:

E   12.7 %  T   9.1 %   A   8.2 %   O   7.5 %
I   7.0 %   N   6.7 %   S   6.3 %   H   6.1 %
R   6.0 %   L   4.0 %   D   4.3 %   C   2.8 %
U   2.8 %   M   2.4 %   W   2.4 %   F   2.2 %
G   2.0 %   Y   2.0 %   P   1.9 %   B   1.5 %
V   1.0 %   K   0.8 %   J   0.2 %   X   0.2 %
Q   0.1 %   Z   0.1 %

The fact that the message is lengthy 1176, can give an hint that statistics can be employed to crack the code.

Can we find an XOR code and key length such that we get the highest frequent code of around 12.7%? For this we build a lot of possible variations of this ciphertext:

  • For code ranging from 1 to 254
  • For repeating offset (key length) from 1 to 10

This leads to 2540 ciphertexts. The combination of code and key length that lead to the highest frequency value was "R" with key length of 5, still the highest frequency character has a frequency of 4.34%, much far from 12.7% we're aiming at.

var_C082_L05.msg 83     51      4.34
var_C089_L05.msg 83     50      4.25
var_C084_L08.msg 83     50      4.25
var_C066_L08.msg 83     50      4.25
var_C091_L05.msg 83     49      4.17
...

If this is a polyalphabetic cipher, we can also make a frequency analysis on a range of key lengths to check if the frequency distribution is more similar to English.

We can see that with a key size of 17 characters long, we've the following maximum frequency values:

...
l=17 offset=0 max_freq=13.01
l=17 offset=1 max_freq=13.01
l=17 offset=2 max_freq=20.24
l=17 offset=3 max_freq=10.12
l=17 offset=4 max_freq=11.56
l=17 offset=5 max_freq=14.46
l=17 offset=6 max_freq=11.56
l=17 offset=7 max_freq=11.56
l=17 offset=8 max_freq=10.12
l=17 offset=9 max_freq=8.67
l=17 offset=10 max_freq=14.46
l=17 offset=11 max_freq=21.68
l=17 offset=12 max_freq=8.67
l=17 offset=13 max_freq=10.12
l=17 offset=14 max_freq=14.46
l=17 offset=15 max_freq=15.90
l=17 offset=16 max_freq=14.46
...

And these values outline from the rest, this might be some clue. With the size, we can start trying to crack with bigams or trigrams. I don't feel monograms should work here...

TH :  2.71        EN :  1.13        NG :  0.89
HE :  2.33        AT :  1.12        AL :  0.88
IN :  2.03        ED :  1.08        IT :  0.88
ER :  1.78        ND :  1.07        AS :  0.87
AN :  1.61        TO :  1.07        IS :  0.86
RE :  1.41        OR :  1.06        HA :  0.83
ES :  1.32        EA :  1.00        ET :  0.76
ON :  1.32        TI :  0.99        SE :  0.73
ST :  1.25        AR :  0.98        OU :  0.72
NT :  1.17        TE :  0.98        OF :  0.71
...

THE :  1.81        ERE :  0.31        HES :  0.24
AND :  0.73        TIO :  0.31        VER :  0.24
ING :  0.72        TER :  0.30        HIS :  0.24
ENT :  0.42        EST :  0.28        OFT :  0.22
ION :  0.42        ERS :  0.28        ITH :  0.21
HER :  0.36        ATI :  0.26        FTH :  0.21
FOR :  0.34        HAT :  0.26        STH :  0.21
THA :  0.33        ATE :  0.25        OTH :  0.21
NTH :  0.33        ALL :  0.25        RES :  0.21
INT :  0.32        ETH :  0.24        ONT :  0.20
...

The code alphabet contains 103 unique codes.

The alphabet, if we consider bigrams, contains 103 distint codes. If we consider alphanumeric characters, upper and lower case, that give us 62. If we inclunde punctuation (23 codes), that gives us 85. Still, far from 103. In Trial 2 this path is explored, mapping a frequency sorted alphabet with the frequency sorted code list from the cipher message.

Trial 2

Assuming the message contains punctuation and other special characters, we can try to map the ciphertext alphabet into a more printable alphabet. Then, use some of the code cracking tools out there to try decrypt at least portions of the message.

To generate a possible alphabet, I've downloaded an email from Gmail and collected all unique characters, including whitespace and new lines. This lead to 88 characters, close but still not at least 103.

Using isprint function from standard libraries (either C or python) we get 100 unique codes. This is much closer.

Trial 3

In this experiment we take into consideration the fact that the description of the challenge refers that the message captured is an "email". If we capture an email communication, it is possible that the SMTP headers were also included. Considering a list of possible headers, we try to map these sequences of codes with the ciphertext codes looking for some consistence (say, if a code repeats, in case of a single byte key, it is expected that the message code is the same.)

A list of possible headers is: Received: From: Delivered-To: Date: To: Reply-To: Message-ID Summary: Comments: Message-Type Subject:

For example:

From: <[email protected]>
To: <[email protected]>
Date: Thu, 8 Mar 2018 10:43:37 +0100
Subject: bmw eml light

If we compare the ciphertext codes and map to the header:

2c 56 16 1d 1d 10 36 58 5f 41 4f 5e 7e 2b 20 09
 a  b  c  d  d  e  f  g  h  i  j  k  l  m  n  o
 R  e  c  e  i  v  e  d  :
 ...

We can't find one header that has the same character in both 4rd and 5rd offset. To validate the decryption key (single byte in this scenario), we decrypt the remaining of the ciphertext and check if the remaining codes match the header character.

The Received: text has the following codes:

52 65 63 65 69 76 65 64

There's only one key that leads to the first byte value and that is 0x7E:

2c ^ 7e = 52

However, the remaining bytes do not match:

52 65 63 65 69 76 65 64                           = Received:
52 28 68 63 63 6e 48 26 21 3f 31 20 00 55 5e ...  = (ciphertext ^ 0x7e)

From here we've two options:

  1. Try other header;
  2. Consider non-single byte keys.

The second option is basically a variation of Vigenere cipher, using binary codes and the XOR operator instead of addition (they aren't very different through, binary speaking.)

Trying with other headers, still considering single byte keys:

46 72 6f 6d 3a                                    = From:
46 3c 7c 77 77 7a 5c 32 35 2b 25 34 14 41 4a ...  = (ciphertext ^ 0x6a)

54 6f 3a                                          = To:
54 2e 6e 65 65 68 4e 20 27 39 37 26 06 53 58 ...  = (ciphertext ^ 0x78)

44 61 74 65 3a                                    = Date:
44 3e 7e 75 75 78 5e 30 37 29 27 36 16 43 48 ...  = (ciphertext ^ 0x68)

53 75 62 6a 65 63 74 3a                           = Subject:
53 29 69 62 62 6f 49 27 20 3e 30 21 01 54 5f ...  = (ciphertext ^ 0x7f)

And so on... Without even confirming in practice, if we think through, it would be impossible for this to work with a single byte key. Let c_i be the ciphertext code at position i, and k be our single byte key, and m_i our message character at position i:

m_0 = c_0 ^ k
m_1 = c_1 ^ k
m_2 = c_2 ^ k
m_3 = c_2 ^ k  <-- same ciphertext code as previous
m_4 = c_4 ^ k

It would be impossible to have m_2 != m_3 if both ciphertext code c_2 and key k are the same! So either the message contains two same characters or our key is not a single byte key.

In the next trial, we explore the multi-byte XOR key.

Trial 4

We've to guess what could be the message behind the ciphertext and from that, apply a XOR operation on the ciphertext using those possible message texts to get the key. With that we can get a piece of the key however we don't know its size, we might need to experiment with different sizes, applying the decryption key over different offsets.

To help us, we use a python helper script to get possible keys from potential messages texts:

From: <
From: "
To: "
To: <
Date: <
Date: "
Subject:

And applies a XOR on the ciphertext using these possible message texts. The result is the following:

2c 56 16 1d 1d 10 36
46 72 6f 6d 3a 20 3c        From: <
6a 24 79 70 27 30 0a        j$yp'0

2c 56 16 1d 1d 10 36
46 72 6f 6d 3a 20 22        From: "
6a 24 79 70 27 30 14        j$yp'0

2c 56 16 1d 1d
54 6f 3a 20 3c              To: <
78 39 2c 3d 21              x9,=!

2c 56 16 1d 1d
54 6f 3a 20 22              To: "
78 39 2c 3d 3f              x9,=?

2c 56 16 1d 1d 10
44 61 74 65 3a 20           Date: 
68 37 62 78 27 30           h7bx'0

2c 56 16 1d 1d 10 36 58 5f
53 75 62 6a 65 63 74 3a 20  Subject: 
7f 23 74 77 78 73 42 62 7f  .#twxsBb.

Something happens in the last option which is interesting, the key repeats the first character in the last position. This could mean nothing but could also mean the key size is 8 bytes long. Let's try to repeat it and decrypt the rest of the ciphertext:

Subject: b;)Xbkv!2$biRm6=a{ye ~#j5jgNrf/9urcT*k*u:/r^fo"hh(}Bb;58YAos%$37>qfNcurb;tjSfe>,9...

Unfortunately it doesn't lead to any good result. We can do a little script [1] to test different keys with different lengths:

$ python3 xorstream.py --input KT-B42.msg --key "6a 24 79 70 27 30 0a 00" --skipnull
XOR streaming input using the key: 6a 24 79 70 27 30 0a 00

00000000:  46 72 6f 6d 3a 20 3c 00  35 65 36 2e 59 1b 2a 00  |From: <.5e6.Y.*.|
00000010:  63 26 3f 23 3d 2a 1a 00  23 3a 6c 7c 26 26 5f 00  |c&?#=*..#:l|&&_.|
00000020:  6b 24 67 32 35 24 06 00  73 28 34 72 2d 20 1c 00  |k$g25$..s(4r- ..|
00000030:  7e 2d 78 3d 70 31 16 00  7a 25 65 6f 77 3e 0a 00  |~-x=p1..z%eow>..|
...

Trying different lengths and headers doesn't lead anywhere.

The next trial rationale was the following:

  • If we have text with punctuation symbols or other non-common symbols in classical ciphers, one of the simplest option is to use XOR with a binary key (that can contain printable characters of course)

  • Looking at the frequency analysis of the ciphertext, it can never be a monoalphabetic substituition cipher (~ XOR of single byte key) because for that to be possible the histogram needed to be transformed into english text histogram just by "transposition of the bars" in the x-axis.

  • One of the possibilities is being XOR stream cipher whose key is a block (as concluded by trial 3, couldn't be a single byte.)

In trial 5 we explore cracking a xor stream cipher with multi-byte key, using frequency analysis like bigrams or trigrams.

Trial 5

To speedup I decided to reuse some tool already done for cracking XOR stream cipher and found this:

https://wiremask.eu/tools/xor-cracker/

Plugging in the KT-B42 in binary, and for my surprise, it cracked most of the ciphertext, except some specific bytes. The most probable key length was 17 which match some previous tests I did on related to frequency analysis.

The output of the first possible key is:

$ xxd -c 17 key1.bin
00000000: 0467 656e 3120 5831 3274 652d 480a 4220 6c  .gen1 X12te-H.B l
00000011: 2a77 2069 3620 6120 7320 2672 2074 2028 65  *w i6 a s &r t (e
00000022: 3673 6167 2020 7765 2037 2063 2069 7620 64  6sag  we 7 c iv d
00000033: 6566 726f 2820 6f75 7265 2473 3665 7465 4b  efro( oure$s6eteK
00000044: 112d 4234 7720 2d20 6420 2672 3c70 7465 69  .-B4w - d &r<ptei
00000055: 3120 7769 3168 2079 6f30 3720 3572 6933 61  1 wi1h yo07 5ri3a
00000066: 3165 206b 2079 0d0a 662a 3720 2375 7231 68  1e k y..f*7 #ur1h
00000077: 2072 2069 2b73 7472 7526 3169 2a6e 736b 0d   r i+stru&1i*nsk.
00000088: 4f0d 0a54 2d69 7320 772c 296c 6562 6565 74  O..T-is w,)lebeet
00000099: 2d65 206c 2473 7420 6d20 3673 2467 6565 77  -e l$st m 6s$geew
000000aa: 2020 7472 246e 736d 6931 6576 2c61 2020 6d    tr$nsmi1ev,a  m
000000bb: 2469 6c2e 6549 6e20 6f37 2165 3720 742a 20  $il.eIn o7!e7 t* 
000000cc: 2c6e 6372 2061 7365 202a 3072 6573 6526 75  ,ncr ase *0rese&u
000000dd: 3769 7479 690d 0a61 6c29 656d 2073 7324 67  7ityi..al)em ss$g
000000ee: 2073 2028 2c6e 636c 7521 2c6e 2220 742d 65   s (,nclu!,n" t-e
000000ff: 656f 6e65 6562 656c 6f32 6c20 3269 6c29 20  eoneebelo2l 2il) 
00000110: 2765 2074 3761 736d 6931 3165 2120 742a 20  'e t7asmi11e! t* 
00000121: 3168 6520 0450 4920 7224 3168 2072 2031 68  1he .PI r$1h r 1h
00000132: 246e 2065 2861 696c 2e48 4f54 2d65 2004 50  $n e(ail.HOT-e .P
00000143: 0c20 7769 296c 206d 612e 2020 3675 7220 20  . wi)l ma.  6ur  
00000154: 3168 6520 2865 7373 6122 2020 2c73 2020 6e  1he (essa"  ,s  n
00000165: 2672 7970 3165 6420 7037 2a70 2072 6c3c 20  &ryp1ed p7*p rl< 
00000176: 2765 666f 3765 2075 7029 2a61 2169 6e22 20  'efo7e up)*a!in" 
00000187: 316f 2070 3765 7665 6e31 6562 2464 2021 61  1o p7even1eb$d !a
00000198: 3161 0d0a 6d74 6861 7465 2b65 3764 2007 6c  1a..mthate+e7d .l
000001a9: 2069 6368 206e 6261 632d 2072 6573 613c 73   ich nbac- resa<s
000001ba: 6574 6869 3620 6973 6e62 3120 3665 6330 72  ethi6 isnb1 6ec0r
000001cb: 202c 2062 3074 2077 6824 3120 216f 6536 20   , b0t wh$1 !oe6 
000001dc: 2d65 206b 2b6f 773f 296b 480a 1c6f 7565 63  -e k+ow?)kH..ouec
000001ed: 246e 2061 2663 6573 7365 3168 2c73 2004 50  $n a&cesse1h,s .P
000001fe: 0c20 6279 6550 4f53 542c 2b67 6561 6e65 65  . byePOST,+geanee
0000020f: 2b63 7279 3574 6564 2028 2073 3661 6720 20  +cry5ted ( s6ag  
00000220: 2c6e 2074 2d65 2066 6f37 2820 3e22 6d20 73  ,n t-e fo7( >"m s
00000231: 3661 6765 673a 2022 652b 2672 3c70 7420 64  6ageg: "e+&r<pt d
00000242: 1a73 7472 2c6e 6722 7d48 4f74 2a20 226a 22  .str,ng"}HOt* "j"
00000253: 6b20 4d61 2e65 2073 7537 2020 3c6f 7565 64  k Ma.e su7  <oued
00000264: 2a6e 2774 6566 6f72 6720 3120 316f 202d 65  *n'teforg 1 1o -e
00000275: 3d20 656e 266f 6465 202c 312e 480a 0d4f 49  = en&ode ,1.H..OI
00000286: 2320 796f 3020 6e65 6521 6574 2a20 7320 6e  # yo0 nee!et* s n
00000297: 2120 616e 3c6f 6e65 2024 656d 2073 7324 67  ! an<one $em ss$g
000002a8: 202c 2072 206d 656d 6220 3720 3168 6131 20   , r memb 7 1ha1 
000002b9: 2076 6572 3c20 6167 652b 3173 6220 7030 62   ver< age+1sb p0b
000002ca: 2969 6320 2e65 790d 0a2c 3620 6747 4511 2d  )ic .ey..,6 gGE.-
000002db: 2462 6c65 6720 6173 2032 206c 292e 207e 29  $bleg as 2 l). ~)
000002ec: 480a 0d0a 026f 6f64 2029 3063 2e20 6f30 74  H....ood )0c. o0t
000002fd: 6574 6865 3765 0d0a 2d65 1d31 7530 0d4f 0d  ethe7e..-e.1u0.O.
0000030e: 4f2d 2d2d 6820 4245 470c 0b20 1645 4317 45  O---h BEG.. .EC.E
0000031f: 1120 454e 0652 5950 5400 0120 0845 5316 41  . EN.RYPT.. .ES.A
00000330: 0245 202d 682d 2d0d 0a27 2463 7c33 3626 32  .E -h--..'$c|36&2
00000341: 7661 3961 2062 3630 6275 2631 7d39 3123 33  va9a b60bu&1}91#3
00000352: 2133 3735 7431 6333 6627 2039 2430 3472 61  !375t1c3f' 9$04ra
00000363: 7636 3235 2365 3038 6375 7131 7131 3823 34  v625#e08cuq1q18#4
00000374: 7131 6235 7c62 3730 647d 2039 7466 3126 35  q1b5|b70d} 9tf1&5
00000385: 7063 6535 7636 3565 6223 7166 2335 6472 33  pce5v65eb#qf#5dr3
00000396: 7766 3864 7162 6430 3621 2134 7d34 3320 31  wf8dqbd06!!4}43 1
000003a7: 2064 3237 2132 3964 3924 7c62 7464 6677 36   d27!29d9$|btdfw6
000003b8: 7635 3439 2666 3734 3577 7d61 7c30 3871 35  v549&f745w}a|08q5
000003c9: 7761 6231 2039 6631 6326 7235 2163 6377 34  wab1 9f1c&r5!ccw4
000003da: 7235 3564 7431 6636 3571 7231 7161 3920 30  r55dt1f65qr1qa9 0
000003eb: 2438 3963 7766 3266 6377 7563 2637 6573 34  $89cwf2fcwuc&7es4
000003fc: 7c34 3437 7166 6462 6575 2330 7262 3023 32  |447qfdbeu#0rb0#2
0000040d: 2661 3930 2034 3466 6171 7435 2134 6527 37  &a90 44faqt5!4e'7
0000041e: 2064 3063 7d34 3263 3024 7135 7730 3575 35   d0c}42c0$q5w05u5
0000042f: 7466 6433 2438 3932 6175 480a 682d 2d68 20  tfd3$892auH.h--h 
00000440: 004e 4420 1645 4352 4511 6545 0b43 521c 50  .ND .ECRE.eE.CR.P
00000451: 1145 4420 0845 5353 4102 0020 682d 2d68 0d  .ED .ESSA.. h--h.
00000462: 4f0d 0a54 2d69 7320 6d20 3673 2467 6565 77  O..T-is m 6s$geew
00000473: 2c6c 6c20 3665 6c66 2d21 2073 3172 7526 74  ,ll 6elf-! s1ru&t
00000484: 6569 6e20 7430 2073 6526 2a6e 2173 2e6b 2e  ein t0 se&*n!s.k.
00000495: 6b2e 2e                                     k..

Taking the line 473:

00000473: 2c6c 6c20 3665 6c66 2d21 2073 3172 7526 74  ,ll 6elf-! s1ru&t

From the original ciphertext:

00000473: 045d 1f53 1a55 020f 4014 0a00 0753 170f 11  .][email protected]...

We can recover the missing key bytes assuming the message is: "ill self-destruct"

$ echo -n "045d 1f53 1a55 020f 4014 0a00 0753 170f 11" > input.hex
$ python3 xorstream.py --input input.hex --key "`echo -n 'ill self-destruct' | xxd -p`" 
XOR streaming input using the key: 69 6c 6c 20 73 65 6c 66 2d 64 65 73 74 72 75 63 74

00000000:  6d 31 73 73 69 30 6e 69  6d 70 6f 73 73 21 62 6c  m1ssi0nimposs!bl
00000010:  65                                                e

6d 31 73 73 69 30 6e 69 6d 70 6f 73 73 21 62 6c 65

The key is then m1ssi0nimposs!ble !

The resulting message after decrypting with this key is:

Agent X121 -
Below is a secret message we received from our asset KT-B42 - decrypt it with your private key
for further instructions.

This will be the last message we transmit via email. In order to increase our security,
all messages (including the one below) will be trasmitted to the API rather than email.
The API will make sure the message is encrypted properly before uploading to prevent bad data
(that nerd Bleichenbacher says this isn't secure, but what does he know?).
You can access this API by POSTing an encrypted message in the form {"message": "encrypted_string"}
to "/". Make sure you don't forget to hex encode it.

If you need to send anyone a message, remember that every agents' public key
is "GET-able" as well. ;)

Good luck out there
- X100

---- BEGIN SECRET ENCRYPTED MESSAGE ----
bac936c23a9aeb60b0c1891f3d37511c3fbe9a047a3625fe08c041418f441b59b70d8e91f1c55ce5365ebf4ff5d732f8d4bd06dd4843e1ed27d29d9a9b1df263549cf74528a908452ab1e9f1cc75dcc24755d11f654714a9e0a89c2f2fc20cc7e6494474fdbe0f07b0f2ca90e44fa415d4eb7ed0c842c0a45205051fd3a892a0
---- END SECRET ENCRYPTED MESSAGE ----

This message will self-destruct in 10 seconds......

This completes the first part of the challenge!

Part 2

For the second part I began by trying to get the public certificates:

$ curl http://docker.hackthebox.eu:32502/X100 
-----BEGIN PUBLIC KEY-----
MHowDQYJKoZIhvcNAQEBBQADaQAwZgJhAINOs8vO0V7wpHYC99H2Xd0gGm1E570w
SPvTw7gWLATC/4043fNIRReysMuG+H0h8ym6Z/e0nCuq2u/557Rl+FB+3+6Xgu8Z
ZDxGttdGJVipZTND5VQ2gQ6rTRaHStSuGQIBAw==
-----END PUBLIC KEY-----

$ curl http://docker.hackthebox.eu:32502/X121 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+g3YLdcc4LSBc4UzJRwvkrmFY
+r3YFX7rBNJptJIYmfRnbkphyjT+0SoEpZY42qQGkhLDwwtE1Q8FV7nRQ3IXT+bL
WES+brKrOfp9aIACZ15IbKdjuDa+TlFfpDcUs+cu3xCT5oJvZVD5UwCACkh5ppi0
zz8NVJoBHQMC/XCFjwIDAQAB
-----END PUBLIC KEY-----

Then tried to upload an encrypted message for validation:

$ curl -X POST http://docker.hackthebox.eu:32502/ --data '{"message" "bac936c23a9aeb60b0c1891f3d37511c3fbe9a047a3625fe08c041418f441b59b70d8e91f1c55ce5365ebf4ff5d732f8d4bd06dd4843e1ed27d29d9a9b1df263549cf74528a908452ab1e9f1cc75dcc24755d11f654714a9e0a89c2f2fc20cc7e6494474fdbe0f07b0f2ca90e44fa415d4eb7ed0c842c0a45205051fd3a892a0"}' -H "Content-Type: application/json"
{"message":"Message uploaded","status":"success"}

If we add a single byte to the message it will fail with:

$ curl -X POST http://docker.hackthebox.eu:32502/ --data '{"message": "bac936c23a9aeb60b0c1891f3d37511c3fbe9a047a3625fd4bd06dd4843e1ed27d29d9a9b1df263549cf74528a908452ab1e9f1cc75dcc24755d11f654714a9e0a89c2f2fc20cc7e6494474fdbe0f07b0f2ca90e44fa415d4eb7ed0c842c0a45205051fd3a892a000"}' -H "Content-Type: application/json"
{"reason":"Invalid padding","status":"error"}

Now, getting more details about the public key, we first save it to x121.cert.pem and call openssl to help us:

$ openssl rsa -pubin -in x121.cert.pem -noout -text -modulus 
Public-Key: (1024 bit)
Modulus:
    00:be:83:76:0b:75:c7:38:2d:20:5c:e1:4c:c9:47:
    0b:e4:ae:61:58:fa:bd:d8:15:7e:eb:04:d2:69:b4:
    92:18:99:f4:67:6e:4a:61:ca:34:fe:d1:2a:04:a5:
    96:38:da:a4:06:92:12:c3:c3:0b:44:d5:0f:05:57:
    b9:d1:43:72:17:4f:e6:cb:58:44:be:6e:b2:ab:39:
    fa:7d:68:80:02:67:5e:48:6c:a7:63:b8:36:be:4e:
    51:5f:a4:37:14:b3:e7:2e:df:10:93:e6:82:6f:65:
    50:f9:53:00:80:0a:48:79:a6:98:b4:cf:3f:0d:54:
    9a:01:1d:03:02:fd:70:85:8f
Exponent: 65537 (0x10001)
Modulus=BE83760B75C7382D205CE14CC9470BE4AE6158FABDD8157EEB04D269B4921899F4676E4A61CA34FED12A04A59638DAA4069212C3C30B44D50F0557B9D14372174FE6CB5844BE6EB2AB39FA7D688002675E486CA763B836BE4E515FA43714B3E72EDF1093E6826F6550F95300800A4879A698B4CF3F0D549A011D0302FD70858F

So we know that this is a 1024 public key, with exponent of 65537 and a certain modulus.

The secret message is:

00000000: bac9 36c2 3a9a eb60 b0c1 891f 3d37 511c  ..6.:..`....=7Q.
00000010: 3fbe 9a04 7a36 25fe 08c0 4141 8f44 1b59  ?...z6%...AA.D.Y
00000020: b70d 8e91 f1c5 5ce5 365e bf4f f5d7 32f8  ......\.6^.O..2.
00000030: d4bd 06dd 4843 e1ed 27d2 9d9a 9b1d f263  ....HC..'......c
00000040: 549c f745 28a9 0845 2ab1 e9f1 cc75 dcc2  T..E(..E*....u..
00000050: 4755 d11f 6547 14a9 e0a8 9c2f 2fc2 0cc7  GU..eG.....//...
00000060: e649 4474 fdbe 0f07 b0f2 ca90 e44f a415  .IDt.........O..
00000070: d4eb 7ed0 c842 c0a4 5205 051f d3a8 92a0  ..~..B..R.......

To proceeed, I simply followed the description of Bleichmeiner attack presented Practical Padding Oracle Attacks on RSA from Unive website [1], which for me is the best with many practical steps.

After a fair amount of requests we reach to:

...
Calculated new intervals in Step 3:
  a=0002f14a88ca19fb991c4a90e0746d428bd4fc076da468430842f9b8a25e1775c360bd4039b65de8128a5dd4ef384888996347413437ca45ec0791dc7471cc85ee1e8c629bb8af37f705488767ab287c453ac6d74bd0045e9783004854427b7768305f31735f546831735f626c33696368656e6233436b65725f66336c6c347c
  b=0002f14a88ca19fb991c4a90e0746d428bd4fc076da468430842f9b8a25e1775c360bd4039b65de8128a5dd4ef384888996347413437ca45ec0791dc7471cc85ee1e8c629bb8af37f705488767ab287c453ac6d74bd0045e9783004854427b7768305f31735f546831735f626c33696368656e6233436b65725f66336c6c347d
  d=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001

$ echo 0002f14a88ca19fb991c4a90e0746d428bd4fc076da468430842f9b8a25e1775c360bd4039b65de8128a5dd4ef384888996347413437ca45ec0791dc7471cc85ee1e8c629bb8af37f705488767ab287c453ac6d74bd0045e9783004854427b7768305f31735f546831735f626c33696368656e6233436b65725f66336c6c347c | xxd -r -p > msg.bin
$ xxd msg.bin
00000000: 0002 f14a 88ca 19fb 991c 4a90 e074 6d42  ...J......J..tmB
00000010: 8bd4 fc07 6da4 6843 0842 f9b8 a25e 1775  ....m.hC.B...^.u
00000020: c360 bd40 39b6 5de8 128a 5dd4 ef38 4888  .`.@9.]...]..8H.
00000030: 9963 4741 3437 ca45 ec07 91dc 7471 cc85  .cGA47.E....tq..
00000040: ee1e 8c62 9bb8 af37 f705 4887 67ab 287c  ...b...7..H.g.(|
00000050: 453a c6d7 4bd0 045e 9783 0048 5442 7b77  E:..K..^...HTB{w
00000060: 6830 5f31 735f 5468 3173 5f62 6c33 6963  h0_1s_Th1s_bl3ic
00000070: 6865 6e62 3343 6b65 725f 6633 6c6c 347c  henb3Cker_f3ll4|

And there is the flag!

jemos / Apr, 11 2020