Srdnlen2025 | Confusion - ByteTheCookies

Introduction#

Confusion was a crypto CTF from Srdnlen CTF 2025.

1
#!/usr/bin/env python3
2

3
from Crypto.Cipher import AES
4
from Crypto.Util.Padding import pad, unpad
5
import os
6

7
# Local imports
8
FLAG = os.getenv("FLAG", "srdnlen{REDACTED}").encode()
9

10
# Server encryption function
11
def encrypt(msg, key):
12
    pad_msg = pad(msg, 16)
13
    blocks = [os.urandom(16)] + [pad_msg[i:i + 16] for i in range(0, len(pad_msg), 16)]
14

15
    b = [blocks[0]]
16
    for i in range(len(blocks) - 1):
17
        tmp = AES.new(key, AES.MODE_ECB).encrypt(blocks[i + 1])
18
        b += [bytes(j ^ k for j, k in zip(tmp, blocks[i]))]
19

20
    c = [blocks[0]]
21
    for i in range(len(blocks) - 1):
22
        c += [AES.new(key, AES.MODE_ECB).decrypt(b[i + 1])]
23

24
    ct = [blocks[0]]
25
    for i in range(len(blocks) - 1):
26
        tmp = AES.new(key, AES.MODE_ECB).encrypt(c[i + 1])
27
        ct += [bytes(j ^ k for j, k in zip(tmp, c[i]))]
28

29
    return b"".join(ct)
30

31

32
KEY = os.urandom(32)
33

34
print("Let's try to make it confusing")
35
flag = encrypt(FLAG, KEY).hex()
36
print(f"|\n|    flag = {flag}")
37

38
while True:
39
    print("|\n|  ~ Want to encrypt something?")
40
    msg = bytes.fromhex(input("|\n|    > (hex) "))
41

42
    plaintext = pad(msg + FLAG, 16)
43
    ciphertext = encrypt(plaintext, KEY)
44

45
    print("|\n|  ~ Here is your encryption:")
46
    print(f"|\n|   {ciphertext.hex()}")

The challenge acts as an encryption oracle in 3 steps:

$\quad b_0 := R \\\quad b_i := E(m_i) \oplus m_{i-1} \quad i \ge 1$
$\quad c_0 := R \\\quad c_i := D(b_i) \quad i \ge 1$
$\quad ct_0 := R \\\quad ct_i := E(c_i) \oplus c_{i-1} \quad i \ge 1$

Where $m$ is our input message, padded, split into blocks and prefixed with the random block $R$ , meanwhile $D$ and $E$ are AES decryption and encryption. Notice how $ct_i = b_i \oplus c_{i-1}$ since $E(c_i) = E(D(b_i)) = b_i$ .

Solution#

Encryption utlity function:

1
# encrypt and return the nth block
2
def encrypt(r, msg: bytes, block: int = -1):
3
    r.sendlineafter(b'x) ', msg.hex().encode())
4
    r.recvuntil(b'n:\n|\n|   ')
5
    ct = bytes.fromhex(r.recvline().rstrip().decode())
6
    if 0 <= block < len(ct) // 16:
7
        return ct[16*block:16*(block + 1)]
8
    return ct

Since the flag is appended to the end of our input, we can recover the first block with a simple chosen-prefix ECB attack, which I’m doing using my library cryptils. With dec0 we can calculate a decryption of a 16 long bytestring of zeros, which I’ll use to recover the rest of the flag:

1
def dec0(r):
2
    msg1 = os.urandom(16)
3
    enc_msg1 = encrypt(r, msg1, 1)
4
    msg2 = os.urandom(16)
5
    enc_msg2 = encrypt(r, msg2, 1)
6
    val = xor(enc_msg2, msg1)
7

8
    ct3 = encrypt(r, enc_msg1 + msg1 + msg2, 3)
9

10
    return xor(ct3, val)

Also notice how the second block the oracle gives us is a plain encryption of the first block of input.

Let’s call the output of dec0 simply $D(0)$ and set $F_i$ to be the $i$ th block of the flag, with $F_0$ being the random block at the start, we can write each block of the flag’s ciphertext we received at the start as: $C_i := E(F_i) \oplus F_{i-1} \oplus D(E(F_{i-1}) \oplus F_{i-2})$

Let’s take a look at the fourth block after asking the oracle to encrypt $\ F_0 \mid F_1 \mid D(0)$ : $ct_3 = b_3 \oplus D(b_2) =E(D(0)) \oplus F_1 \oplus D(E(F_1) \oplus F_0) = F_1 \oplus D(E(F_1) \oplus F_0)$ $T := ct_3 \oplus C_2 = F_1 \oplus D(E(F_1) \oplus F_0) \oplus E(F_2) \oplus F_1 \oplus D(E(F_1) \oplus F_0) = E(F_2)$

Let’s then generate a random block $V$ and ask for the encryption of $\ T \mid D(0) \mid V$ : $ct_3 = b_3 \oplus D(b_2) = E(V) \oplus D(0) \oplus D(E(D(0)) \oplus T) = E(V) \oplus D(0) \oplus D(T) = E(V) \oplus D(0) \oplus D(E(F_2)) = E(V) \oplus D(0) \oplus F_2$

We know both $E(V)$ and $D(0)$ and can therefore recover $F_2$ . The process can then be repeated for successive blocks:

1
def main():
2
    r = remote('confusion.challs.srdnlen.it', 1338) if args.REMOTE else process('./chall.py')
3

4
    r.recvuntil(b' = ')
5
    ct_flag = blockify(bytes.fromhex(r.recvline().rstrip().decode()))
6

7
    D0 = dec0(r)
8

9
    flag = chosen_prefix(lambda b: encrypt(r, b, 1), string.printable, length=16)
10
    curr, prev = flag, ct_flag[0]
11

12
    for i in range(2, len(ct_flag)):
13
        ct3 = encrypt(r, prev + curr + D0, 3)
14
        enc_next = xor(ct_flag[i], ct3)
15

16
        msg = os.urandom(16)
17
        enc_msg = encrypt(r, msg, 1)
18
        enc = encrypt(r, enc_next + D0 + msg, 3)
19

20
        prev = curr
21
        curr = xor(enc, xor(enc_msg, D0))
22

23
        flag += curr
24

25
    print('flag:', unpad(flag, 16).decode())
26

27
    r.close()

flag: srdnlen{I_h0p3_th15_Gl4ss_0f_M1rt0_w4rm3d_y0u_3n0ugh}