Thumbnail: ctflearn

CTFlearn 227 - BruXOR

by on under writeups
3 minute read

Write-up on CTFlearn’s challenge 227 - BruXOR. Brute, brute, brute! Challenge author: severus.


Crypto, 20 points

There is a technique called bruteforce. Message: q{vpln’bH_varHuebcrqxetrHOXEj No key! Just brute .. brute .. brute … :D


This challenge is about brute-force attacks, as described in the caption. A brute-force attack is to try every key or password of a certain length until we get the correct one. In this case, the key is not given, so we need to use brute force to find it. Then, we will be able to decrypt the message, which should give us the key.

Using trial and error or CyberChef’s “Magic” operation (explained later on), we can deduce the cipher used is a classical XOR cipher. There are other ways to do so, but these are the easiest in my opinion.

Let’s open up CyberChef to solve this challenge. CyberChef is an app allowing us to perform crypto functions (and more) quickly in the browser.

These are the two methods I suggest.

Method 1: XOR Bruteforce

In the Operations menu, search for “XOR Brute Force”. Take the XOR Brute Force block and drag it in the Recipe box. For now, let all parameters at their default state.

Now let’s input our ciphered message and check the Output log. It lists every 256 possible keys for a key of a 1-byte length alongside the decrypted result using it. By searching for a few seconds, we have found the flag! XOR Bruteforce

Method 2: CyberChef’s “Magic” Operation

Magic is a really powerful operation proper to CyberChef. Even if its name says so, it is not doing proper magic. Actually, it’s doing multiple tests and calculations to automatically find the encoding of the input data.

In the Operations menu, search for “Magic”. Take the Magic operation and drag it into Recipe box. Turn the intensive mode on and let the depth as it is (the depth signifies the maximum number of levels of recursion, in this case, 1 is enough).

Now let’s input our ciphered message and check the nice table which is displayed for us in the Output box. Magic Without RegEx

There are fewer results than with the other method, which makes our life easier to find the flag. But as you can see, the results are not perfect, so let’s filter them using a regular expression (RegEx).

Regular expressions are a way to filter patterns in a text. We will be using this RegEx: ^\w*{\w*} Let’s break it down so we understand better how it works:

  • The ^ character means the start of a line.
  • The \w characters mean any letter (uppercase or lowercase) or number.
  • The * character means “any amount of time”
  • The characters { and } are literally just those characters

Using that information, we could say that this RegEx means: Any string that starts with an unlimited amount of alphanumeric characters, then followed by an unlimited amount of alphanumeric characters surrounded by brackets.

Notice that this is exactly the description of a flag (ex.: flag{test_fl4g}).

If we insert this regular expression in the Crib parameter of our Magic operation and observe the result, we can see that only the flag’s row is output. Magic With RegEx

comments powered by Disqus