In candy_machine, there is a server that will decrypt strings for us with a fixed, unknown secret key. If we provide a base64-encoded string that decrypts to "candykey", the server returns a flag. In all other cases it returns an error, and (except for the case of no key at all) it is always the same error.
The solution is to do a padding oracle attack via either a timing side-channel or a debugging side-channel.
The encryption scheme is:
- PKCS#7 pad
- AES-CBC encrypt, and prepend the IV to the output.
- PKCS#7 pad
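As an added example (not code from the original writeup or the challenge), here is the scheme above in stdlib-only Python: the vulnerable check, whose two failure paths are the oracle, beside an encrypt-then-MAC version that removes it. The toy Feistel block cipher standing in for AES, the keys, the IV and the function names are constructed for this example.

```python
import hashlib, hmac
BLOCK = 16
class PaddingError(Exception): pass
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    # Toy 4-round Feistel permutation: a stdlib-only stand-in for AES, constructed for this example.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l if decrypt else l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad PKCS#7 padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:  # output is IV || C1 || C2 ...
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    return b"".join(_xor(toy_block(key, c, decrypt=True), p) for p, c in zip(blocks, blocks[1:]))

def oracle_check(key: bytes, blob: bytes) -> str:
    # candy_machine shape: unpad first, compare second. A forgery with bad padding and one with good
    # padding but wrong content take different paths (two strings here, timing/debug output there).
    try:
        pt = unpad(cbc_decrypt(key, blob))
    except PaddingError:
        return "bad padding"
    return "flag" if pt == b"candykey" else "wrong key"

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = cbc_encrypt(enc_key, iv, pad(msg))  # encrypt-then-MAC: the tag covers IV || ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()
def authenticated_check(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    # Hardened form: constant-time tag check before any decryption, so every forgery gets one answer.
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return "error"
    return "flag" if unpad(cbc_decrypt(enc_key, body)) == b"candykey" else "error"
```

Flipping one byte of the IV changes the same byte of the first plaintext block, which is why the padding check in `oracle_check` can be made to succeed or fail at will, while `authenticated_check` rejects the same two forgeries identically before the padding is ever examined.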