W1seGuy

This was a straightforward challenge. I was given an encoded flag, which was first XORed with a randomly generated key and then encoded in hex. The steps I followed were: first, decode the hex, then apply the XOR operation. I knew the key is 5 characters long, so I split the decoded ciphertext into groups of 5. Since the flag starts with "THM{" and ends with "}", I could recover the first four key bytes from the prefix and the fifth from the closing brace (this relies on the flag length being a multiple of 5, so that the last character lines up with the last key byte). Here's the code:

import re
import sys
import warnings

from pwn import *

# ignore warnings
warnings.filterwarnings("ignore")
# ignore output of pwntools
context.log_level = "CRITICAL"

# function to get data
def get_data(io):
	"""Read a single line from the pwntools tube and return it as raw bytes."""
	return io.recvline()
	
# function to decode from hex
def first_decode(value):
	"""Turn the hex-encoded ciphertext into raw bytes.

	``bytes.fromhex`` raises ``ValueError`` on non-hex characters or an
	odd number of hex digits, so a mangled banner fails loudly here.
	"""
	hex_text = value
	return bytes.fromhex(hex_text)

# get key
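def get_key(value, key_len=5, prefix='THM{', suffix='}'):
	"""Recover the repeating XOR key from known plaintext at both ends.

	The ciphertext is ``plain[p] ^ key[p % key_len]``, so every known
	plaintext character at position ``p`` reveals ``key[p % key_len]``.
	The flag prefix ``THM{`` gives the first four key bytes and the closing
	``}`` gives the key byte at index ``(len(value) - 1) % key_len``.

	Args:
		value: the XOR-encrypted flag as a str, one char per ciphertext byte.
		key_len: length of the repeating key (5 in this challenge).
		prefix: known plaintext at the start of the flag.
		suffix: known plaintext at the end of the flag.

	Returns:
		A list of ``key_len`` single-character strings, ``key[0]`` first
		(the same shape the original hard-coded version returned).

	Raises:
		ValueError: if ``key_len`` is not positive, if ``value`` is shorter
			than the known plaintext, if the known positions do not cover
			every key index (e.g. a flag whose length is not a multiple of
			``key_len`` leaves the suffix aligned with an already-known key
			byte), or if two known positions disagree about a key byte.
	"""
	if key_len <= 0:
		raise ValueError("key_len must be positive")
	if len(value) < len(prefix) + len(suffix):
		raise ValueError("ciphertext shorter than the known plaintext")

	# (ciphertext position, known plaintext char) pairs from both ends.
	known = list(enumerate(prefix))
	suffix_start = len(value) - len(suffix)
	known += [(suffix_start + off, ch) for off, ch in enumerate(suffix)]

	key = [None] * key_len
	for pos, plain in known:
		idx = pos % key_len
		candidate = chr(ord(plain) ^ ord(value[pos]))
		# Two known positions mapping to the same key index must agree,
		# otherwise the assumed prefix/suffix or key_len is wrong.
		if key[idx] is not None and key[idx] != candidate:
			raise ValueError(f"conflicting values for key byte {idx}")
		key[idx] = candidate

	missing = [i for i, k in enumerate(key) if k is None]
	if missing:
		raise ValueError(f"known plaintext does not reveal key bytes at {missing}")
	return key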

# send the key and get the second flag
def second_flag(io,value):
	"""Submit the recovered key at the prompt and return the server's reply.

	Args:
		io: a pwntools tube (anything exposing ``sendlineafter`` / ``recvline``).
		value: the key as an iterable of single-character strings, e.g. the
			list returned by ``get_key``.

	Returns:
		The raw bytes line the server sends after the key prompt; the caller
		extracts flag 2 from it.
	"""
	key_text = ''.join(value)
	# NOTE(review): the key is sent as str and left to pwntools to encode;
	# recent pwntools versions warn about this and prefer bytes.
	io.sendlineafter("What is the encryption key? ", key_text)
	reply = io.recvline()
	return reply

# get the first flag 
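def first_flag(value, key):
	"""Decrypt a repeating-key XOR ciphertext.

	The original version split the input into fixed 5-char chunks, which
	only worked for a 5-byte key; this uses ``len(key)`` as the period so
	any key length works, and builds the output with ``join`` instead of
	repeated string concatenation.

	Args:
		value: ciphertext as a str, one char per byte (as produced by
			``first_decode(...).decode()``).
		key: the key as a str or a list of single-character strings
			(the shape returned by ``get_key``).

	Returns:
		The plaintext as a str; empty input gives an empty string.

	Raises:
		ValueError: if ``key`` is empty.
	"""
	period = len(key)
	if period == 0:
		raise ValueError("key must not be empty")
	# Pre-compute key code points once rather than ord()-ing per character.
	key_codes = [ord(k) for k in key]
	return "".join(
		chr(ord(ch) ^ key_codes[i % period]) for i, ch in enumerate(value)
	)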

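def main():
	"""Entry point: connect to the challenge, recover the key, print both flags.

	Usage: ``script.py <ip> <port>``. Uses ``sys`` / ``re`` and the pwntools
	``remote`` imported at module level.
	"""
	try:
		ip = sys.argv[1].strip()
		# Validate the port up front instead of letting remote() fail later.
		port = int(sys.argv[2].strip())
	except (IndexError, ValueError):
		print("{+} Usage %s <ip> <port>"%sys.argv[0])
		print("{+} Example %s 10.10.10.10 1234"%sys.argv[0])
		sys.exit(-1)

	io = remote(ip, port)
	try:
		banner = get_data(io).decode()
		# Fail with a readable message instead of AttributeError on .group()
		# when the banner does not carry the hex-encoded flag.
		match = re.search(r"flag 1: ([0-9a-fA-F]+)", banner)
		if match is None:
			raise SystemExit("unexpected banner, no 'flag 1:' hex blob: %r" % banner)
		data = match.group(1)
		# latin-1 maps every byte to exactly one code point, so the chr/ord
		# arithmetic in get_key/first_flag operates on the raw bytes and a
		# non-ASCII XOR result cannot raise UnicodeDecodeError (identical to
		# utf-8 for ASCII data).
		decode_from_hex = first_decode(data).decode("latin-1")
		key = get_key(decode_from_hex)

		output_flag2 = second_flag(io, key).decode()
		match2 = re.search(r"flag 2: (THM\{.*?\})", output_flag2)
		if match2 is None:
			raise SystemExit("server did not return flag 2: %r" % output_flag2)
		flag2 = match2.group(1)
	finally:
		# Always release the socket, even when we bail out above.
		io.close()
	print("Congrats, here is first flag: ",first_flag(decode_from_hex,key))
	print("Congrats, here is the second flag: ",flag2)

if __name__ == "__main__":
	main()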
