UofTCTF 2025: Enchanted Oracle

Only the most worthy can decrypt the enchanted oracle. Can you?

Author: atom

We are given the source code of a challenge server:

aes-cbc.py

from base64 import b64encode, b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

print("Welcome to the AES-CBC oracle!")
key = open("key", "rb").read()
while True:
    print("Do you want to encrypt the flag or decrypt a message?")
    print("1. Encrypt the flag")
    print("2. Decrypt a message")
    choice = input("Your choice: ")

    if choice == "1":
        cipher = AES.new(key=key, mode=AES.MODE_CBC)
        ciphertext = cipher.iv + \
            cipher.encrypt(pad(b"random", cipher.block_size))

        print(f"{b64encode(ciphertext).decode()}")

    elif choice == "2":
        line = input().strip()
        data = b64decode(line)
        iv, ciphertext = data[:16], data[16:]

        cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
        try:
            plaintext = unpad(cipher.decrypt(ciphertext),
                              cipher.block_size).decode('latin1')
        except Exception as e:
            print("Error!")
            continue

        if plaintext == "I am an authenticated admin, please give me the flag":
            print("Victory! Your flag:")
            print(open("flag.txt").read())
        else:
            print("Unknown command!")

As the title might imply, what we have access to is a padding oracle: we give a message to the server, and it decrypts it and tells us whether the padding is correct.

As a reminder: padding is necessary because block ciphers like AES act on, well, blocks of a fixed size. For AES-128, that’s 128 bits, or 16 bytes. Not all of the messages you might want to encrypt are of a length multiple of 16 bytes. So you need a way to add bytes at the end in such a way that the decryption algorithm will know to remove them.

PKCS#7 padding specifically, the standard for AES, works by adding $n$ times the byte with value $n$ at the end of the messsage, where $n$ is the amount of bytes necessary to finish a block, between 1 and 16.

For example, if you have a message “wow” or 776f77 in hexadecimal, that’s 3 bytes. $n = 16 - 3 = 13$ , which is 0d in hexadecimal, so your padded message is 776f770d0d0d0d0d0d0d0d0d0d0d0d0d.

A padding oracle attack (see wikipedia link below, or description later below), allows us to decrypt blocks by just padding correctness. Our goal is, however, is not to decrypt, but to encrypt a message; or at least create a ciphertext that decrypts to the “I am an authenticated admin, please give me the flag” plaintext. How do we do that?

Well, you might know that CBC mode allows you to arbitrarily modify (xor) the plaintext of a block by xoring the ciphertext of the block before it (or, to modify the first block, the IV). This is quite obvious if you formulate CBC mode mathematically:

$P_i = \text{Decrypt}(C_i) \oplus C_{i-1}$

So, if you want to change block $P_i$ into some goal block $G$ , you can just set $C_{i-1} = \text{Decrypt}(C_i) \oplus G$ .

\begin{aligned} P_i &= \text{Decrypt}(C_i) \oplus (\text{Decrypt}(C_i) \oplus G) \\ &= (\text{Decrypt}(C_i) \oplus \text{Decrypt}(C_i)) \oplus G \\ &= G \end{aligned}

Doing this, however, means changing the input to $\text{Decrypt}$ for that block, which means $P_{i-1}$ now decrypts to garbage. This attack is thus limited when you only know e.g. a single ciphertext-plaintext pair.

But with the padding oracle, we can obtain $\text{Decrypt}(C_i)$ for any arbitrary $C_i$ . That’s what the padding oracle attack usually is!

This means we can repeat our trick: change $C_{i-1}$ to set $P_i$ to what we want, then use the padding oracle to learn what $P_{i-1}$ is, and change $C_{i-2}$ to change $P_{i-1}$ to what we want, so that it isn’t garbage anymore. Repeat until you reach $C_0$ , the IV. You’ve just encrypted a message as long as you wanted. No key needed. This attack is known as CBC-R.

So what even is a padding oracle attack?

Let’s say we have a function $O$ which takes two blocks, $A$ and $B$ , and tells us whether $A \oplus \text{Decrypt}(B)$ is validly padded. That’s our padding oracle.

To formalize for later: if we define, $T_n = [0]*(16-n) + [n]*n$ (that is, $T_1$ is the 00000000000000000000000000000001 block), $O(IV, C)$ being true means that the last $n$ bytes of $IV \oplus \text{Decrypt}(C)$ are equal to the last $n$ bytes of $T_n$ .

If we run our $O$ function 256 times, altering the last byte of the $A$ every time, there should be one time the padding oracle outputs that the padding is valid: when the last byte of $A \oplus \text{Decrypt}(B)$ is 1 (because 1 byte of value 1 satisfies the PKCS#7 rule we saw earlier). We now know the value of the last byte of $\text{Decrypt}(B)$ .

To algebra it up a bit:

$O(x, C)$ being true means that the last $n$ bytes of $\text{Decrypt}(C)$ are equal to the last $n$ bytes of $x \oplus T_n$ .
$O(x \oplus T_n, C)$ being true means that the last $n$ bytes of $\text{Decrypt}(C)$ are equal to the last $n$ bytes of $x$ .

So to reiterate: we knew nothing (0 bytes) of the plaintext, used only the padding oracle up to 256 times, and from that learned one byte of plaintext.

If we know $n-1$ bytes of $\text{Decrypt}(C)$ , we can run run $O(x \oplus T_n, C)$ 256 times, and then we’ll know $n$ bytes of $\text{Decrypt}(C)$ . Repeat until you know 16 bytes, and you have the entire block decrypted. You can then go on to the CBC-R encryption attack.

So now that we finally have all the pieces in place, let’s translate into code. First comes the standard utilities, and the message we’re trying to encrypt:

from pwn import *
from base64 import b64decode, b64encode
from Crypto.Util.Padding import pad

BLOCK = 16
def xor(x,y): return bytes([a^b for a,b in zip(x,y)])

goal = pad(b"I am an authenticated admin, please give me the flag", BLOCK)
goal_blocks = [goal[i:i+BLOCK] for i in range(0, len(goal), BLOCK)]

Remember that we’re attacking a server. Our $O$ padding oracle function sends a ciphertext to the network and receives a textual response we check for:

r = remote("34.162.82.42", 5000)
def is_validly_padded(ct):
    r.recvuntil(b"Your choice: ")
    r.sendline(b"2")
    r.sendline(b64encode(ct))
    res = r.recvline()
    if b"Unknown command!" in res:
        return True
    elif b"Error!" in res:
        return False
    else:
        raise Exception("???")

Now comes the attack: starting from the end, decrypt the previous block (the one which will come next in the ciphertext), and add a block to adjust it so it’s one of our goal blocks:

progress = 0
blocks = [bytes([13,37]*8)]
for goal_block in goal_blocks[::-1]:
    plaintext = [0]*16
    for target_n in range(1,17):
        target = [0]*(16-target_n) + [target_n]*target_n
        for x in range(256):
            plaintext[-target_n] = x
            if is_validly_padded(xor(plaintext, target) + blocks[-1]): break
        progress += 1; print(f"{int(100*progress/len(goal))}%")
    blocks.append(xor(plaintext, goal_block))

Finally, just send over our final ciphertext, our blocks (in reverse, of course):

r.recvuntil(b"Your choice: ")
r.sendline(b"2")
r.sendline(b64encode(b"".join(blocks[::-1])))
r.interactive()

And victory! The flag: uoftctf{y3s_1_kn3w_y0u_w3r3_w0r7hy!!!}

Home About Contact