[IceCTF 2018] Posted


The challenge description speaks of a bitwise boi that has been posting things online. We are asked to find out what exactly he has been posting. Later on, the hint 41 was also released.



The posted online hint is supposed to lead us towards looking for a URL, while the bitwise indicates that we need to use a bitwise operation. Only the XOR operation makes any real sense in this context, and it’s a classic technique, so we go with that. After the additional hint, we can assume that either we need to XOR with 41 (which doesn’t work), or the key has a length of 41.

Thinking that we’re looking for a URL, we can use the known plaintext “https://” to recover the first 8 bytes of the XOR key. This gives us gSUhEsj4. We can then apply these key bytes at the point where the key should repeat (assuming a length of 41 bytes), resulting in the following plaintext: /9bzoc9/. After a Google search, we end up at an IceCTF-related Reddit post, which has the next part of the challenge, and which allows us to retrieve the entire 41-byte XOR key by taking the XOR of the ciphertext with the URL: https://reddit.com/r/securityCTF/comments/9bzoc9/icectf_2018_613_september/.
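
The known-plaintext recovery described above, as an added Python example that is not part of the original write-up. The challenge ciphertext and its real key are not reproduced on this page, so DEMO_KEY is a constructed stand-in and the ciphertext is built from the write-up's URL; the helper names are illustrative.

```python
from itertools import cycle

KEY_LEN = 41  # key length suggested by the "41" hint

# Constructed stand-in key (NOT the challenge's key), printable ASCII only.
DEMO_KEY = bytes((i * 7 + 33) % 94 + 33 for i in range(KEY_LEN))
# Plaintext URL taken from the write-up.
URL = b"https://reddit.com/r/securityCTF/comments/9bzoc9/icectf_2018_613_september/"


def xor(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


# Constructed ciphertext standing in for the challenge data.
CIPHERTEXT = xor(URL, DEMO_KEY)


def key_from_crib(ciphertext, crib, offset=0):
    """Map key position -> key byte for every byte covered by the crib."""
    chunk = ciphertext[offset:offset + len(crib)]
    return {(offset + i) % KEY_LEN: c ^ p
            for i, (c, p) in enumerate(zip(chunk, crib))}


def decrypt_partial(ciphertext, known):
    """Decrypt with the known key positions only; unknown bytes show as '?'."""
    return bytes(c ^ known[i % KEY_LEN] if i % KEY_LEN in known else ord("?")
                 for i, c in enumerate(ciphertext))


def recover_full_key(ciphertext, plaintext):
    """With KEY_LEN or more known plaintext bytes, the whole key falls out."""
    known = key_from_crib(ciphertext, plaintext[:KEY_LEN])
    return bytes(known[i] for i in range(KEY_LEN))


if __name__ == "__main__":
    known = key_from_crib(CIPHERTEXT, b"https://")
    # The 8 recovered key bytes also decrypt offsets 41..48 (one key period later).
    print(decrypt_partial(CIPHERTEXT, known).decode())
    full_key = recover_full_key(CIPHERTEXT, URL)
    print(xor(CIPHERTEXT, full_key).decode())
```

The partial decryption shows why the key-length guess matters: with a wrong KEY_LEN the second fragment would be unreadable bytes rather than a searchable string.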

The next step is a comment on that Reddit post containing WOxq0XzBfOeOVB/MESKaYVrBgpALdhIUZN02lldvIzUJc+s2zVeYW2TDGSUS6Law, with the reply/hint AES256:32.

Because we have no other way of finding a key, we can try taking the first 32 bytes (256 bits) of the XOR key used before. Decrypting the comment with AES (ECB) using that key results in IceCTF{up_in_our_posts_stealing_our_keys} and padding.