# [IceCTF 2018] Posted

## Description

The challenge description speaks of a `bitwise boi`

that
has been posting things online. We are asked to find out what exactly he
has been posting. Later on the hint `41`

was also
released.

The data:
`DychGDZJRRsEUTI0JDViVlxeZyFIBCM7MwosGRQCMCgZJCIrGCsoRkFIajcSKhBTGx9XeTV4MDlZB1Y=`

## Solution

The `posted online`

hint is supposed to lead us towards
looking for a url, while the `bitwise`

indicates that we need
to use a bitwise operation. Only the xor operation makes any real sense
in this context, and it’s a classic technique, so we go with that. After
the additional hint, we can assume that either we need to xor with 41
(which doesn’t work), or the key has a length 41.

Thinking that we’re looking for a url, we can try to use the known
plaintext “https://” as a way to already find the first 8 bytes of the
xor key. This gives us `gSUhEsj4`

. We can then try to apply
this key where it should repeat (assuming a length of 41 bytes),
resulting in the following plaintext: `/9bzoc9/`

. After a
google search, we end up at an IceCTF related reddit post, which has the
next part of the challenge, and which allows us to retrieve the entire
41-byte xor key by taking the xor of the ciphertext with the url:
`https://reddit.com/r/securityCTF/comments/9bzoc9/icectf_2018_613_september/`

.

The next step has
`WOxq0XzBfOeOVB/MESKaYVrBgpALdhIUZN02lldvIzUJc+s2zVeYW2TDGSUS6Law`

as a comment on that reddit post, with the reply/hint
`AES256:32`

.

Because we have no other way of finding a key, we can try taking the
first 32 bytes/256 bits from the xor key used before. Decrypting the AES
(ECB) with that key results in
`IceCTF{up_in_our_posts_stealing_our_keys}`

and padding.