# Inctfj quals
### ACE
#### Author :[Pavani](https://twitter.com/Paavani21)
### Description
Arthur Scherbius: I will protect German information using my machine
Alan Turing : No , I can break your machine :)
Arthur Scherbius: Well, I will count upto 3, Get my message from **LDOFKDCGIAGCCOTKMGSTSV**.
Note 1. seperate words using space
Note 2. Make sure its in all UPPERCASE
Note 3. flag : inctfj{message}
### Difficuilty level
easy
### points
150
### short writeup
This is the easiest challenge in crypto …
nothing much to do…
If you see the description, we have some conversation over there, It tells you that this machine is some encryption machine which was to in some war, it is nothing but world war.
And characters in this conversation are Enigma machine inventors and breakers.
However, now you know that it is an Enigma machine…
Now, use the enigma machine to decrypt the text.
Here we have to select rotors to mount. It is I, II, III if you observe the last line in the conversation.
#### flag : inctfj{QUALIFIED TO BECOME AN ACE}
### FL!p3
#### Author: [Pavani](https://twitter.com/Paavani21)
### Description
One strange man told me to replace it!!!
### Difficuilty level
medium
### points
200
### chall file
```python=
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
from time import sleep
from secret import flag
from os import urandom
import sys
key = urandom(16)
iv = urandom(16)
def encryption_oracle(pt,iv):
return (AES.new(key,AES.MODE_CBC,iv)).encrypt(pad(pt,16))
def decryption_oracle(ct,iv):
return unpad((AES.new(key,AES.MODE_CBC,iv)).decrypt(ct),16)
if __name__ == "__main__":
auth_message = b"admin=no!"
auth_cookie = iv+encryption_oracle(auth_message,iv)
print("auth_message = ",auth_message)
print("auth_cookie = ",auth_cookie.hex())
user_input = bytes.fromhex(input("Input authorized information that is required to get the flag: ").strip())
try:
decrypt_cookie = decryption_oracle(user_input[16:],user_input[:16])
print(decrypt_cookie)
if b"admin=yes" == decrypt_cookie:
print("Wow... you got it , here you go...", flag)
else:
exit()
except:
print("try again!!!")
```
### Writeup
If you see how this server is working, it is giving you some encrypted data in hex and asking you to give some input.
Now, let’s see the given script. Here we used `CBC encryption` from `AES`. Here, given plain text is admin=no! . You will get a flag if plain text is `admin=yes`.let `auth_cookie` be `ciphertext(ct)` and `auth_message` be `plaintext(pt)`.
So now you have to give some input that pretends plaintext has `admin=yes`.
### CBC mode decryption
Here plaintext of $n^{th}$ block depends on ciphertext $n-1^{th}$ block and present decrypt(${C_n}$).
$$ {P_n} = C_{n-1} \oplus decrypt(C_{n}) $$
1.Now you have to change last three bits to get the flag.
2. Use xor operation between nth block of ct,pt and n-1th block of ct. (here change bits of IV to change bits of pt(admin=no!)"
3.change bits of n-1th block(iv in this challenge) in such a way that would give admin=yes in plaintext(pt).
Now, try this challenge again. If you didn't get,then look up the script.
```python=
from pwn import *
host,port = "gc1.eng.run",32041
io = remote(host,port)
io.recvline()
ct = io.recvline()[len("auth_cookie = "):-1]
ct = ct.decode()
ct = bytes.fromhex(ct)
ct1 = ct[:16]
ct1 = list(ct1)
ct1[8] = ct1[8]^ ord('!') ^ ord('s')
ct1[7] = ct1[7]^ ord('o') ^ ord('e')
ct1[6] = ct1[6]^ ord('n') ^ ord('y')
ct1 = bytes(ct1)
ct = (ct1+ct[16:]).hex()
io.recvuntil(b"Input authorized information that is required to get the flag: ")
io.sendline(ct.encode())
io.recv()
io.recv()
```
**flag:** ``inctfj{fl1ppY_HaPpY_Tr33_fr13nds}``
Sign in with Wallet
Connect another wallet