This was a straightforward challenge. I was given an encoded flag that had been XORed with a randomly generated 5-character key and then hex-encoded. The steps I followed were: first, decode the hex; then apply the XOR. Because the key is only 5 characters long and repeats across the message, the scheme falls to a known-plaintext attack: I split the ciphertext into groups of 5, and since the flag is known to start with "THM{" and end with "}", XORing those known plaintext bytes against the ciphertext bytes at the same positions reveals the key directly (the closing "}" only yields the fifth key byte when the flag length is a multiple of 5, which held here). Here’s the code:
import re
import sys
import warnings  # used below to ignore warnings

from pwn import *
# Silence every Python warning so stray library notices do not clutter the
# two flag lines this script prints.
warnings.filterwarnings(action="ignore")
# Likewise quiet pwntools' own connection chatter.
context.update(log_level="CRITICAL")
# function to get data
def get_data(io) -> bytes:
    """Return one line read from the tube ``io``.

    Thin wrapper around ``io.recvline()``; the result is whatever that call
    returns (raw bytes from the remote), so the caller decodes it.
    """
    return io.recvline()
# function to decode from hex
def first_decode(value: str) -> bytes:
    """Undo the outer hex layer and return the raw XOR ciphertext bytes.

    Delegates to ``bytes.fromhex``, so a string with an odd length or
    non-hex characters raises ``ValueError``.
    """
    raw = bytes.fromhex(value)
    return raw
# get key
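def get_key(value) -> list[str]:
    """Recover the 5-character repeating XOR key from the decoded ciphertext.

    Known-plaintext attack: the flag is known to begin with ``THM{`` and end
    with ``}``. XORing each known plaintext character with the ciphertext
    character at the same position gives the key byte used there. The first
    four key bytes come from the prefix; the fifth comes from the trailing
    ``}``, which lines up with key index 4 only when ``len(value)`` is a
    multiple of 5 (the layout the original solve relied on).

    Args:
        value: the ciphertext after hex decoding, as ``str`` (one character
            per byte) or ``bytes``/``bytearray``.

    Returns:
        The key as a list of five single-character strings, in key order.

    Raises:
        ValueError: if the ciphertext is shorter than the key, or if its
            length is not a multiple of 5 -- then the closing ``}`` reveals
            one of the first four key bytes again and the fifth cannot be
            recovered from this crib (the old code silently returned a
            wrong key in that case).
    """
    KEY_LEN = 5
    if isinstance(value, (bytes, bytearray)):
        # latin-1 is a 1:1 byte<->code point mapping, so ord() round-trips.
        value = value.decode("latin-1")
    prefix = "THM{"
    suffix = "}"
    if len(value) < KEY_LEN:
        raise ValueError("ciphertext too short to recover a %d-byte key: %d bytes"
                         % (KEY_LEN, len(value)))
    last_pos = (len(value) - 1) % KEY_LEN
    if last_pos != KEY_LEN - 1:
        raise ValueError(
            "closing '}' sits at key index %d, not %d; the last key byte "
            "cannot be recovered from this ciphertext" % (last_pos, KEY_LEN - 1)
        )
    # Key bytes 0..3 from the known prefix, byte 4 from the known suffix.
    key_chars = [chr(ord(p) ^ ord(c)) for p, c in zip(prefix, value)]
    key_chars.append(chr(ord(suffix) ^ ord(value[-1])))
    return key_chars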
# send the key and get the second flag
def second_flag(io, value) -> bytes:
    """Send the recovered key to the server and return its reply line.

    ``value`` is the key as an iterable of single-character strings (the
    shape ``get_key`` returns); it is joined into one string before being
    sent in answer to the server's key prompt. The prompt text must match
    the server's output exactly.

    NOTE(review): the key is sent as ``str``; recent pwntools releases
    expect ``bytes`` and warn on ``str`` -- confirm against the installed
    version if the warning filter is ever removed.
    """
    answer = "".join(value)
    io.sendlineafter("What is the encryption key? ", answer)
    reply = io.recvline()
    return reply
# get the first flag
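def first_flag(value, key) -> str:
    """Decrypt repeating-key XOR ciphertext with ``key`` and return the plaintext.

    Each ciphertext byte at position ``i`` is XORed with ``key[i % len(key)]``.
    The old version hard-coded a group size of 5, so it silently produced
    garbage for any other key length; the period is now ``len(key)``.

    Args:
        value: ciphertext as ``str`` (one character per byte) or
            ``bytes``/``bytearray``.
        key: the key as a ``str``, a list of single-character strings (as
            returned by ``get_key``), or ``bytes``.

    Returns:
        The decrypted text as a ``str``; empty input yields ``""``.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("key must not be empty")
    if isinstance(value, (bytes, bytearray)):
        # latin-1 keeps a 1:1 byte<->code point mapping for the XOR below.
        value = value.decode("latin-1")
    # Normalise the key to integer byte values whatever container it came in.
    key_vals = [k if isinstance(k, int) else ord(k) for k in key]
    period = len(key_vals)
    return "".join(chr(ord(c) ^ key_vals[i % period]) for i, c in enumerate(value))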
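def main() -> None:
    """Entry point: connect, pull the hex ciphertext, recover the key, print both flags.

    Usage: ``script <ip> <port>``. Calls ``sys.exit(-1)`` after printing
    usage when the arguments are missing or the port is not an integer, and
    exits with a message when the server's output does not contain the
    expected ``flag 1:`` / ``flag 2:`` markers (rather than crashing with
    ``AttributeError`` on a failed ``re.search``).
    """
    try:
        host = sys.argv[1].strip()
        port = int(sys.argv[2].strip())
    except (IndexError, ValueError):
        print("{+} Usage %s <ip> <port>" % sys.argv[0])
        print("{+} Example %s 10.10.10.10 1234" % sys.argv[0])
        sys.exit(-1)
    # The tube is a context manager, so the socket is closed on every exit path.
    with remote(host, port) as io:
        banner = get_data(io).decode()
        match = re.search(r"flag 1: ([0-9a-fA-F]+)", banner)
        if match is None:
            sys.exit("{+} Unexpected banner, no 'flag 1:' found: %r" % banner)
        # latin-1 maps bytes 1:1 to code points, so ciphertext bytes >= 0x80
        # survive the conversion (a default UTF-8 decode would raise).
        ciphertext = first_decode(match.group(1)).decode("latin-1")
        try:
            key = get_key(ciphertext)
        except ValueError as err:
            sys.exit("{+} Could not recover the key: %s" % err)
        reply = second_flag(io, key).decode()
        match2 = re.search(r"flag 2: (THM\{.*?\})", reply)
        if match2 is None:
            sys.exit("{+} Unexpected reply, no 'flag 2:' found: %r" % reply)
        print("Congrats, here is first flag: ", first_flag(ciphertext, key))
        print("Congrats, here is the second flag: ", match2.group(1))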
# Run the solver only when executed as a script, not when imported.
if __name__ == "__main__":
main()