[IceCTF 2018] Posted

Description

The challenge description speaks of a bitwise boi that has been posting things online. We are asked to find out what exactly he has been posting. Later on, the hint 41 was also released.

The data: DychGDZJRRsEUTI0JDViVlxeZyFIBCM7MwosGRQCMCgZJCIrGCsoRkFIajcSKhBTGx9XeTV4MDlZB1Y=

Solution

The “posted online” hint is supposed to lead us towards looking for a URL, while “bitwise” indicates that we need to use a bitwise operation. Only the XOR operation makes any real sense in this context, and it’s a classic technique, so we go with that. After the additional hint, we can assume that either we need to XOR with 41 (which doesn’t work), or the key has a length of 41.

Thinking that we’re looking for a URL, we can use the known plaintext “https://” to recover the first 8 bytes of the XOR key. This gives us gSUhEsj4. We can then apply this partial key where it should repeat (assuming a length of 41 bytes), resulting in the following plaintext: /9bzoc9/. After a Google search, we end up at an IceCTF-related Reddit post, which has the next part of the challenge, and which allows us to retrieve the entire 41-byte XOR key by XORing the ciphertext with the URL: https://reddit.com/r/securityCTF/comments/9bzoc9/icectf_2018_613_september/.
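The known-plaintext steps above can be reproduced with a short script. This is an added example, not code from the original write-up; the function names are this example's own, and the ciphertext, crib, key length and URL are the values quoted above.

```python
import base64
from itertools import cycle

# Values quoted in the write-up.
CIPHERTEXT_B64 = ("DychGDZJRRsEUTI0JDViVlxeZyFIBCM7MwosGRQCMCgZJCIrGCsoRkFI"
                  "ajcSKhBTGx9XeTV4MDlZB1Y=")
KEY_LEN = 41          # the "41" hint, read as the key length
CRIB = b"https://"    # guessed start of the plaintext
URL = b"https://reddit.com/r/securityCTF/comments/9bzoc9/icectf_2018_613_september/"

def xor(a, b):
    """XOR two byte sequences; stops at the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def key_prefix_from_crib(ct, crib):
    """ciphertext XOR known plaintext = key, for the bytes the crib covers."""
    return xor(ct[:len(crib)], crib)

def apply_partial_key(ct, partial, key_len):
    """Decrypt only positions whose key byte is known; mark the rest '?'."""
    out = []
    for i, c in enumerate(ct):
        k = i % key_len
        out.append(chr(c ^ partial[k]) if k < len(partial) else "?")
    return "".join(out)

def recover_full_key(ct, known_plaintext, key_len):
    """One full key period needs key_len bytes of known plaintext."""
    if min(len(ct), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor(ct[:key_len], known_plaintext[:key_len])

def decrypt(ct, key):
    """Repeating-key XOR decryption."""
    return xor(ct, cycle(key))

if __name__ == "__main__":
    ct = base64.b64decode(CIPHERTEXT_B64)
    prefix = key_prefix_from_crib(ct, CRIB)
    print("key prefix :", prefix.decode())
    print("partial    :", apply_partial_key(ct, prefix, KEY_LEN))
    key = recover_full_key(ct, URL, KEY_LEN)   # only URL[:41] is used
    print("full key   :", key.decode(errors="replace"))
    print("plaintext  :", decrypt(ct, key).decode(errors="replace"))
    print("AES-256 key candidate (first 32 key bytes):", key[:32].hex())
```

The partial decryption shows why the key-length guess matters: with the wrong period, the second window would not land on readable text.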

The next step is a comment on that Reddit post containing WOxq0XzBfOeOVB/MESKaYVrBgpALdhIUZN02lldvIzUJc+s2zVeYW2TDGSUS6Law, with the reply/hint AES256:32.

Because we have no other way of finding a key, we can try taking the first 32 bytes (256 bits) of the XOR key used before. Decrypting the comment with AES (ECB) using that key results in IceCTF{up_in_our_posts_stealing_our_keys} and padding.