@grocid
Last active May 23, 2019 17:43
import os
from Crypto.Util.strxor import strxor
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from pwn import *
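# Python 2 script: `str` is used as a byte string throughout (.encode("hex"),
# chr() concatenated with "\x00" strings), so do not run it under Python 3
# without porting the byte handling.
HOST = "igivethemhell-01.pwn.beer"
PORT = 31337

# The service prints IV || encrypted flag (hex) on connect; the oracle loop
# further down works on that blob, so keep it in `data` as raw bytes.
s = remote(HOST, PORT)
s.readuntil("Welcome! Encrypted flag is ")
data = s.recvline().strip()
# An odd-length hex string means the server dropped a leading zero nibble
# (presumably it prints the value as a bare integer); restore it before unhexing.
data = "0" * (len(data) % 2) + data
data = data.decode("hex")
# Fail here rather than feeding a mis-parsed blob to the oracle loop, which
# slices `data` into whole 16-byte blocks and needs at least IV + one block.
if len(data) < 32 or len(data) % 16:
    raise ValueError("unexpected encrypted-flag length: %d bytes" % len(data))
iv = data[:16]     # first block taken as the CBC IV -- assumes the server prints IV||ct; confirm
flag = data[16:]   # remaining blocks: the encrypted flag
print("got encrypted flag: %d bytes (IV + %d blocks)" % (len(data), len(flag) // 16))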
def enc_oracle(message, iv):
    """Ask the server (menu option 1) to encrypt `message` under `iv`.

    Both arguments are raw byte strings; they are sent hex-encoded as
    "<iv>,<message>". Returns the raw bytes the server prints back, after
    repairing its leading-zero hex quirk. Uses the module-level connection `s`.
    """
    s.readuntil(": ")
    s.sendline("1")
    s.recvuntil("):")
    s.sendline(",".join((iv.encode("hex"), message.encode("hex"))))
    reply = s.recvline().strip()
    # Odd-length hex: the server dropped a leading zero nibble.
    if len(reply) % 2:
        reply = "0" + reply
    return reply.decode("hex")
def dec_oracle(ciphertext):
    """Submit raw `ciphertext` via menu option 2 and report whether it was accepted.

    Returns False when the server's reply contains "decryption failed",
    True otherwise. That distinguishable failure message (presumably a
    padding check) is the information leak the attack below is built on.
    Uses the module-level connection `s`.
    """
    s.readuntil(": ")
    s.sendline("2")
    s.recvuntil("):")
    s.sendline(ciphertext.encode("hex"))
    reply = s.recvline()
    return "decryption failed" not in reply
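def get_block(c, i, block_size=16):
    """Return the i-th `block_size`-byte block of `c` (0-based).

    Plain slicing: an index past the end yields an empty string and a
    partial trailing block is returned as-is, so callers must check lengths.
    """
    start = i * block_size
    return c[start:start + block_size]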
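# Recover 16 bytes, one byte at a time from the right, by guessing a byte,
# XORing it into a candidate padding and asking the decryption oracle
# whether the result is accepted.
#
# Each attempt submits
#     A || (IV ^ B) || (C1 ^ A) || C2 || ... || C_{n-1}
# where B is the guess XOR the target padding bytes and A is the server's
# encryption of a zero block under IV B (A = E_k(B) if the server does plain
# CBC -- not verified here). The last block of the original blob is dropped.
# What the recovered bytes correspond to in the plaintext depends on the
# server's scheme; the script just prints them raw.
#
# NOTE(review): at j == 1 any valid padding (e.g. ...\x02\x02) is accepted,
# not only \x01; a confirmation probe that flips the second-to-last byte
# would rule that out. Not done here.
block_count = len(data) // 16
# Loop-invariant: IV||ciphertext split into blocks, minus the final one.
# Built once and copied per attempt instead of re-sliced up to 4080 times.
# Needs at least 2 blocks here, i.e. len(data) >= 48.
base_blocks = [get_block(data, k) for k in range(block_count - 1)]

partial = ""
for j in range(1, 17):
    # padding the guess must turn into: j bytes of value j at the end
    pad_mask = "\x00" * (16 - j) + chr(j) * j
    # NOTE(review): byte value 0x00 is never tried; confirm that is intended
    # (e.g. to skip the unmodified-block case) rather than a gap.
    for i in range(1, 256):
        guess = "\x00" * (16 - len(partial) - 1) + chr(i) + partial
        B = strxor(guess, pad_mask)
        A = enc_oracle("\x00" * 16, B)[:16]
        blocks = list(base_blocks)
        blocks[0] = strxor(blocks[0], B)
        blocks[1] = strxor(blocks[1], A)
        if dec_oracle("".join([A] + blocks)):
            partial = chr(i) + partial
            print(partial)
            break
    else:
        # No candidate accepted: every later byte would be built on a wrong
        # prefix, so stop instead of silently printing garbage.
        raise RuntimeError("no byte accepted at position %d (recovered so far: %r)"
                           % (j, partial))
print(partial)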