Created
January 14, 2018 12:06
-
-
Save lokori/ab86671fabc578ee1da6746387af745e to your computer and use it in GitHub Desktop.
Reaktor Java app challenge from Disobey 2018 CTF
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reaktor's Java application CTF challenge from Disobey 2018 | |
It seems I was not the only one struggling with the Java application challenge. There was | |
JAR file and that's how it began. | |
After decompiling the JAR the main class contained code which didn't do anything. It looks like this: | |
String encryptedResult = "[3, 63, -54, -8, -45, -89, -91, 40, -111, -77, -76, -49, 119, 8, -46, 9, -70, 99, -12, 3, 124, 65, -66, 104, -18, 4, 64, 87, 6, -72, 68, 121, -32, -52, -104, 25, -54, 71, -84, -128, -35, -115, -74, -26, -30, -127, -96, -42]"; | |
String result = (String) null; | |
String url = (String) null; | |
fetchKey(url); | |
doStuff(new UrlStore("rand", 10, "rko.herokuapp.com")); | |
After looking at the class UrlStore, it was evident that it's supposed to download something from | |
http://rand10rko.herokuapp.com | |
HTTP GET and you get this: | |
"[-102, 110, -25, 74, -34, -117, -34, -19, 86, 80, -128, -125, 75, -23, -41, 52] [-94, -76, -67, -38, -15, 25, -69, 106, -30, 79, 97, 124, -67, 97, 64, -27]" | |
Obviously this is not a string, these are byte values because the value range is conveniently between -128..127. So we | |
have two 16 byte vectors and one 48 byte "encryptedResult". | |
Getting here took like 10 minutes and then I was stuck. What now? | |
After trying different things I finally googled for encryption algorithms using 16 byte initial vectors and keys. | |
And AES cipher just happens to use 16 byte initial vectors and keys. | |
Then it was just a matter of trying it out. | |
Here's some Java code to do the decryption: | |
import javax.crypto.Cipher; | |
import javax.crypto.spec.IvParameterSpec; | |
import javax.crypto.spec.SecretKeySpec; | |
public class Pasketus2 { | |
public static void main(String[] args) { | |
byte key1[] = {-102, 110, -25, 74, -34, -117, -34, -19, 86, 80, -128, -125, 75, -23, -41, 52}; | |
byte key2[] = {-94, -76, -67, -38, -15, 25, -69, 106 ,-30, 79, 97, 124, -67, 97, 64, -27}; | |
byte encryptedResult[] = | |
{3, 63, -54, -8, -45, -89, -91, 40, -111, -77, -76, -49, 119, 8, -46, 9, | |
-70, 99, -12, 3, 124, 65, -66, 104, -18, 4, 64, 87, 6, -72, 68, 121, | |
-32, -52, -104, 25, -54, 71, -84, -128, -35, -115, -74, - 26, -30, -127, -96, -42}; | |
char[] os = new char[48]; | |
try { | |
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding", "SunJCE"); | |
SecretKeySpec key = new SecretKeySpec(key1, "AES"); | |
cipher.init(Cipher.DECRYPT_MODE, key,new IvParameterSpec(key2)); | |
System.out.println("kakkel : !!" + new String(cipher.doFinal(encryptedResult),"UTF-8") + "!!"); | |
} catch (Exception e) { | |
e.printStackTrace(); | |
} | |
} | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment