SECCON 2016 – Vigenere Crypto (100)

Continuing with the SECCON writeups, here is a crypto challenge.

We get the following challenge.

 

Vigenere

k: ????????????
p: SECCON{???????????????????????????????????}
c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ

k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe

 |ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
-+----------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
B|BCDEFGHIJKLMNOPQRSTUVWXYZ{}A
C|CDEFGHIJKLMNOPQRSTUVWXYZ{}AB
D|DEFGHIJKLMNOPQRSTUVWXYZ{}ABC
E|EFGHIJKLMNOPQRSTUVWXYZ{}ABCD
F|FGHIJKLMNOPQRSTUVWXYZ{}ABCDE
G|GHIJKLMNOPQRSTUVWXYZ{}ABCDEF
H|HIJKLMNOPQRSTUVWXYZ{}ABCDEFG
I|IJKLMNOPQRSTUVWXYZ{}ABCDEFGH
J|JKLMNOPQRSTUVWXYZ{}ABCDEFGHI
K|KLMNOPQRSTUVWXYZ{}ABCDEFGHIJ
L|LMNOPQRSTUVWXYZ{}ABCDEFGHIJK
M|MNOPQRSTUVWXYZ{}ABCDEFGHIJKL
N|NOPQRSTUVWXYZ{}ABCDEFGHIJKLM
O|OPQRSTUVWXYZ{}ABCDEFGHIJKLMN
P|PQRSTUVWXYZ{}ABCDEFGHIJKLMNO
Q|QRSTUVWXYZ{}ABCDEFGHIJKLMNOP
R|RSTUVWXYZ{}ABCDEFGHIJKLMNOPQ
S|STUVWXYZ{}ABCDEFGHIJKLMNOPQR
T|TUVWXYZ{}ABCDEFGHIJKLMNOPQRS
U|UVWXYZ{}ABCDEFGHIJKLMNOPQRST
V|VWXYZ{}ABCDEFGHIJKLMNOPQRSTU
W|WXYZ{}ABCDEFGHIJKLMNOPQRSTUV
X|XYZ{}ABCDEFGHIJKLMNOPQRSTUVW
Y|YZ{}ABCDEFGHIJKLMNOPQRSTUVWX
Z|Z{}ABCDEFGHIJKLMNOPQRSTUVWXY
{|{}ABCDEFGHIJKLMNOPQRSTUVWXYZ
}|}ABCDEFGHIJKLMNOPQRSTUVWXYZ{

Vigenere cipher
https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher

Once again they give us an enormous clue with the title, and even a link to Wikipedia, so it wasn't too difficult.

If that weren't enough, they also provide the charset and the MD5 of the plaintext (the answer). With these, the great master Patatas built the following scripts to solve the challenge. First, a known-plaintext attack is performed using the part of the flag we already know:

 

<?php
// Vigenere decryption over a custom charset
function vigenere_decrypt_customcharset($txt, $clave, $charset) {
    $lentxt = strlen($charset);
    $lenkey = strlen($clave);

    $txt2 = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $c = strpos($charset, $txt[$i]); // text character
        $x = strpos($charset, $clave[$i % $lenkey]); // key character
        if ($x !== FALSE and $c !== FALSE) {
            $txt2 .= $charset[($c - $x + $lentxt) % $lentxt]; // apply Vigenere
        } else {
            $txt2 .= '?'; // character not in the charset (unknown)
        }
    }
    return $txt2;
}

$charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}';

$p = 'SECCON{???????????????????????????????????}';
$c = 'LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ';

// FIRST PART
// Decrypting c with p as the "key" yields the key wherever p is known.

$key1 = vigenere_decrypt_customcharset($c, $p, $charset);
echo "KEY1: $key1\n\n";
?>

This gives us the following result:

php vigenere_part1.php 
 SECCON{???????????????????????????????????}
KEY1: VIGENER???????????????????????????????????R

As we only know the first 7 characters of the plaintext, we recover “VIGENER”, from which we can see that the first part of the key is “VIGENERE”. With this, knowing the key length and the MD5, we can perform a brute-force attack against the rest of the key:

<?php
/* ---------------------------------------------------
    VIGENERE
--------------------------------------------------- */
function vigenere_decrypt_customcharset($txt, $clave, $charset) {
    $lentxt = strlen($charset);
    $lenkey = strlen($clave);

    $txt2 = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $c = strpos($charset, $txt[$i]); // text character
        $x = strpos($charset, $clave[$i % $lenkey]); // key character
        if ($x !== FALSE and $c !== FALSE) {
            $txt2 .= $charset[($c - $x + $lentxt) % $lentxt]; // apply Vigenere
        } else {
            $txt2 .= '?'; // character not in the charset (unknown)
        }
    }
    return $txt2;
}
$charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}';

$p = 'SECCON{???????????????????????????????????}';
$c = 'LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ';

$keyx = 'VIGENERE'; // known part of the key

// Brute-force the 4 remaining key characters and check each candidate against the MD5
for ($i = 0; $i < strlen($charset); $i++) {
for ($j = 0; $j < strlen($charset); $j++) {
for ($k = 0; $k < strlen($charset); $k++) {
for ($l = 0; $l < strlen($charset); $l++) {

    $key = $keyx . $charset[$i] . $charset[$j] . $charset[$k] . $charset[$l];
    $p2 = vigenere_decrypt_customcharset($c, $key, $charset);
    echo "CLAVE: $key\nPLAIN: $p2\n\n";
    $md5 = md5($p2);
    if ($md5 === 'f528a6ab914c1ecf856a1d93103948fe') {
        echo "FOUND!! $key $p2\n";
        exit;
    }
}}}}

?>

Execute the script and in less than 2 seconds we get the key:

php vigenere_part2.php
CLAVE: VIGENEREAAAA
PLAIN: SECCON{ADOEEBCDEDEFGJWMNKLMNOPQRUFWYVWXYYZ}

CLAVE: VIGENEREAAAB
PLAIN: SECCON{ADOEDBCDEDEFGJWMMKLMNOPQRUFWXVWXYYZ}

CLAVE: VIGENEREAAAC
PLAIN: SECCON{ADOECBCDEDEFGJWMLKLMNOPQRUFWWVWXYYZ}

CLAVE: VIGENEREAAAD
PLAIN: SECCON{ADOEBBCDEDEFGJWMKKLMNOPQRUFWVVWXYYZ}
.....
CLAVE: VIGENERECODC
PLAIN: SECCON{ABABCBCDEDEFGHIJLKLMNOPQRSTTWVWXYYZ}

CLAVE: VIGENERECODD
PLAIN: SECCON{ABABBBCDEDEFGHIJKKLMNOPQRSTTVVWXYYZ}

CLAVE: VIGENERECODE
PLAIN: SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}

FOUND!! VIGENERECODE SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}

And there is the key “VIGENERECODE” and the flag:

SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}
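
The two steps above can be combined into one solver. The following Python sketch is an added example, not the original author's scripts: it recovers key symbols from every known plaintext position (including the closing `}`), rejects key lengths that contradict them, and brute-forces only the key indexes still unknown. The function names are this example's own; the key length 12 comes from the challenge's `k:` line and the guess of `E` at key index 7 comes from the write-up.

```python
import hashlib
from itertools import product

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"
IDX = {ch: i for i, ch in enumerate(CHARSET)}
# Challenge values copied from the page.
C = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
P = "SECCON{" + "?" * 35 + "}"
MD5_P = "f528a6ab914c1ecf856a1d93103948fe"


def decrypt(ct, key):
    """Vigenere decryption over the 28-symbol challenge alphabet."""
    n = len(CHARSET)
    return "".join(CHARSET[(IDX[c] - IDX[key[i % len(key)]]) % n]
                   for i, c in enumerate(ct))


def known_key_positions(ct, template, key_len):
    """Recover key[i % key_len] from every known plaintext character.

    Raises ValueError if two known characters demand different key symbols
    at the same key index, i.e. the assumed key length is impossible.
    """
    key = {}
    for i, (c, p) in enumerate(zip(ct, template)):
        if p == "?":
            continue
        k = CHARSET[(IDX[c] - IDX[p]) % len(CHARSET)]
        if key.setdefault(i % key_len, k) != k:
            raise ValueError(f"key length {key_len} contradicts position {i}")
    return key


def solve(ct, template, key_len, md5_hex, guesses=None):
    """Brute-force only the key indexes that are still unknown."""
    known = {**known_key_positions(ct, template, key_len), **(guesses or {})}
    unknown = [i for i in range(key_len) if i not in known]
    for combo in product(CHARSET, repeat=len(unknown)):
        known.update(zip(unknown, combo))
        key = "".join(known[i] for i in range(key_len))
        pt = decrypt(ct, key)
        if hashlib.md5(pt.encode()).hexdigest() == md5_hex:
            return key, pt
    return None


if __name__ == "__main__":
    print(known_key_positions(C, P, 12))   # indexes 0-6; 7-11 remain unknown
    print(solve(C, P, 12, MD5_P, guesses={7: "E"}))  # guess from the write-up
```

The closing `}` sits at position 42, which maps to key index 6 for a 12-character key and confirms the `R` already recovered there, so it adds no new key symbol but does rule out lengths such as 6 or 7.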

Once again the clues did most of the investigation for us, so we could limit ourselves to solving the challenge.

Hope you enjoyed it, greetings!!!

 
