Details

This challenge was given at the HackTheBox University CTF 2022. It was a crypto challenge of medium difficulty, and the source code was provided.

Description

Few people on this planet studied wandlore. It was known that the wand selects the wizard, but a good wand seller should be able to guess it with at most 3 suggestions. During the 190th Great Wizard Examination, the last question was created by Olivender, the greatest wand seller of all time. It was considered one of the most difficult questions of the last decade. Can you solve it?

Overview

The program reads a string of hexadecimal characters from standard input and converts it into bytes. The resulting bytes are encrypted with AES under a random key, using a custom block-cipher construction (the flag hints at a custom mode combined with an HMAC).

The user may submit only 3 strings, and the flag is printed if 2 different inputs produce the same encrypted output.

The vulnerability lies in how the program stores earlier inputs. The characteristics list records the user's inputs so that the same input cannot be submitted twice. During encryption, however, the program pads the given string to the block length using the pad function from Crypto.Util.Padding (PyCryptodome), which applies PKCS#7 padding by default.

The problem is that the value is added to the saved input list before the padding is applied. The duplicate check therefore compares raw inputs, while the cipher sees padded ones, and two different raw inputs can become the same padded plaintext.

Solution

To solve the challenge, the program has to be made to produce the same encrypted string twice. Adding a print statement to the provided code shows that, for the input 00, the program encrypts the string Property: \x00\x05\x05\x05\x05\x05 (the five trailing 0x05 bytes are PKCS#7 padding).

It follows that sending 000505050505 results in the same bytes being encrypted, even though the raw input differs from the first one and therefore passes the duplicate check. For this to work the padding step must leave an input that already fills the block untouched, which is exactly what the server's output confirms.
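To make the collision concrete, the following is an added Python model written for this writeup; it is not the challenge's own code. It assumes, from the printed plaintext above, that the bytes handed to the cipher are the prompt text "Property: " followed by the decoded input and that the block length is AES's 16 bytes (10 prefix bytes + 1 input byte + 5 padding bytes = one block); it further assumes, from the transcript, that an already block-aligned plaintext is encrypted without additional padding. A keyed HMAC stands in for the AES construction, since the flaw is in the duplicate check rather than the cipher. The colliding_input helper generalises the 00 / 000505050505 pair to any input (in both directions), and the fixed variant of the seller shows the repair: pad strictly and compare the exact bytes that get encrypted.

```python
import hashlib
import hmac
import os

# Assumptions (not stated in the writeup): the plaintext is the prompt text followed
# by the decoded input, and the block length is AES's 16 bytes. This fits the page's
# printed plaintext "Property: \x00\x05\x05\x05\x05\x05":
# 10 prefix bytes + 1 input byte + 5 bytes of PKCS#7 padding = one 16-byte block.
PREFIX = b"Property: "
BLOCK = 16


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Strict PKCS#7, the rule Crypto.Util.Padding.pad(data, block) implements:
    always appends 1..block bytes, so every padded value unpads to exactly one input."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def challenge_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Padding as the challenge evidently applies it (assumption drawn from the
    transcript: a block-aligned plaintext collides with the padded short one,
    so aligned plaintexts must reach the cipher unchanged)."""
    if len(data) % block == 0:
        return data
    return pkcs7_pad(data, block)


def colliding_input(hex_input: str) -> str:
    """Hex of a *different* input that the challenge encrypts to the same value.
    A short input collides with its own padded form; a block-aligned input that ends
    in valid padding collides with the shorter input that pads to it."""
    data = PREFIX + bytes.fromhex(hex_input)
    if len(data) % BLOCK:
        return pkcs7_pad(data)[len(PREFIX):].hex()
    n = data[-1] if data else 0
    if 1 <= n < BLOCK and data.endswith(bytes([n]) * n) and len(data) - n >= len(PREFIX):
        return data[len(PREFIX):-n].hex()
    raise ValueError("no second input pads to this plaintext")


class WandSeller:
    """Toy model of the challenge's duplicate check. A keyed HMAC stands in for the
    AES construction: the flaw is in what is compared, not in the cipher."""

    def __init__(self, fixed: bool = False):
        self.key = os.urandom(16)
        self.characteristics = []  # the list the writeup refers to
        self.fixed = fixed

    def _encrypt(self, plaintext: bytes) -> bytes:
        return hmac.new(self.key, plaintext, hashlib.sha256).digest()[:16]

    def submit(self, hex_input: str) -> bytes:
        prop = bytes.fromhex(hex_input)
        if self.fixed:
            # Fix: pad strictly (invertible) and dedupe on the exact bytes that are
            # encrypted, so two distinct inputs can never share a plaintext.
            plaintext = pkcs7_pad(PREFIX + prop)
            if plaintext in self.characteristics:
                raise ValueError("duplicate property")
            self.characteristics.append(plaintext)
            return self._encrypt(plaintext)
        # Vulnerable: the raw input is recorded, but a padded value is encrypted.
        if prop in self.characteristics:
            raise ValueError("duplicate property")
        self.characteristics.append(prop)
        return self._encrypt(challenge_pad(PREFIX + prop))


def vulnerable_collides(first: str = "00") -> bool:
    """True when the vulnerable seller accepts two different inputs with equal output."""
    seller = WandSeller()
    second = colliding_input(first)
    return second != first and seller.submit(first) == seller.submit(second)


def fixed_resists(first: str = "00") -> bool:
    """True when the fixed seller gives the same pair of inputs different outputs."""
    seller = WandSeller(fixed=True)
    return seller.submit(first) != seller.submit(colliding_input(first))


if __name__ == "__main__":
    print("second input for 00:", colliding_input("00"))
    print("vulnerable seller collides:", vulnerable_collides())
    print("fixed seller resists:", fixed_resists())
```

The fix works because strict PKCS#7 is injective: distinct inputs always produce distinct padded plaintexts, so the only way to get two equal ciphertexts is to submit the same input twice, which the list check already rejects. Deduplicating on the padded bytes rather than the raw ones also removes the dependence on the padding rule altogether.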

Passing these values to the server gives the following output:

What properties should your magic wand have?
Property: 00
bd826ccc114c9425bafa6cd920901db9
Property: 000505050505
bd826ccc114c9425bafa6cd920901db9
HTB{435_cu570m_m0d35_4nd_hm4c_423_fun!}