Possibly Related Threads…

robinia · (This post was last modified: Dec 06, 2024, 08:07 AM by robinia.)

Shambles wants to login. 1 It want token so we give empty token.
1. Send your credentials: {"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ""}

We got token from Shambles server: in my case Token: 751ae85130675f0873c0d0df3e2fe19a337407a13059a1f4714eb508162e1a157cc2c42c9c3a74f66a96740e8f6a4e05772b839c3cc4478994e1e5755e1a73a43a8dddd4d563d2d22c09ca5554c248ea772993b94d08ae625746c6ebef17475536167c4fd89ccb5f71fbba9cafbe9e555442c9decfce82e855b9674cafeb26a0535ba9cfad26a3d2099fd3d0c71483c9

try [2] Retrieve user data
server talks back and gives:
> 2
Encrypted data: 127286d816634b1e0f0ce88e8f2ccd807c10ddd25ca463a44fade082ae2b80d9

option 3:

| [3] Draw money |
| [4] Exit |
|--------------------------------------------------------|

> 3
Insert your card number: ?

x1rx · Dec 06, 2024, 12:02 PM

There is the padding oracle attack in option1 , I can decrypt jwt token so far . And since the challenge name is Shambles , something like AES CBC Mac Shambles comes up from google search

QBhFTzL7GAF8rIhqAUTt · Dec 06, 2024, 05:41 PM

you are my brother's man <3

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

robinia · (This post was last modified: Dec 06, 2024, 06:58 PM by robinia.)

[DEBUG] KEY: cbb9b2dfc0461c8cfc1c7a5ac3caf055
[DEBUG] IV: ec8b906c5a76ae2810165d35e01eba00

> 1
Send your credentials: {"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ""}
/home/kali/Desktop/challenge/Shambles/crypto_shambles/./modserv.py:69: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
"exp": datetime.datetime.utcnow() + datetime.timedelta(days=1)
Token: 7799221ad61d94fc7ed3db5747c2b180d10025ec55107ef8850d10875bc7b8cbe6823407cb9a74ad29a9ec4542cd3aaf657a73b1d4f3159d58eb2523e00efb67e7cbe7083e8c0046198ee1d7c1a7eed10abec962836234fdb8254a32279e25b3f9f4cd0c322927491f8354665e980659d651081e8d80d1231f23cc4825bbbe26f81893b6e7c16c4bf76dbda715c3fdd7

> 2
Encrypted data: 7dc0408afb32e34d73b2ba7c2656aed97cda0f3d173b71b2f1b8c063a21b3ded
|--------------------------------------------------------|

|--------------------------------------------------------|
| Welcome to our information server |

> 3
Insert your card number: 1111-2222-3333-4444
Quantity: 500
Withdrawal successful! Remaining balance: 500.0
|--------------------------------------------------------|

> 3
Insert your card number: 1111-2222-3333-4444
Quantity: 500

Hey! You have managed to drop the target account to zero! Here's your flag: CTF{example_flag}

with the local server.py Smile

robinia · Dec 06, 2024, 08:10 PM

But now how translate and do this this to the online environment.
for the local server file i did

# Log KEY and IV for debugging
print(f"[DEBUG] KEY: {KEY.hex()}")
print(f"[DEBUG] IV: {IV.hex()}")

x1rx · (This post was last modified: Dec 07, 2024, 07:05 AM by x1rx.)

Got it .

Use padding oracle with CBC Shambles

1 - find IV from option 1 --> we know fist block of JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
2 - CardNumber = 16 digit --> find cardnumber with IV
3 - Find Second block of encrypted data which is balance --> well known 4 digits Smile

))

then get the flag

(Dec 07, 2024, 06:55 AM)mhsoraa Wrote:
(Dec 07, 2024, 06:24 AM)x1rx Wrote: Got it .

Use padding oracle with CBC Shambles

1 - find IV from option 1 --> we know fist block of JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
2 - CardNumber = 16 digit --> find cardnumber with IV
3 - Find Second block of encrypted data which is balance --> well known 4 digits ))

then get the flag

How to find IV (1) with first block?

bro, look for the padding oracle vulnerability at option1

robinia · (This post was last modified: Dec 08, 2024, 12:34 PM by robinia.)

Now wetry the online server with python script

from pwn import *

def get_token():
try:
server = remote("94.237.51.150", 51542, timeout=5) # Add timeout
print("
[*]Connected to server.")

# Wait for the menu prompt
server.recvuntil(b"> ")
print("
[*]Received menu prompt.")

# Choose option 1 (Login)
server.sendline(b"1")
print("
[*]Sent login option.")

# Send credentials
creds = '{"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ""}'
server.sendline(creds.encode())
print("
[*]Sent credentials.")

# Read response incrementally to prevent hanging
response = b""
while True:
try:
chunk = server.recv(timeout=2) # Set a small timeout for each read
if not chunk:
break
response += chunk
print(f"
[*]Received chunk: {chunk.decode()}")
except EOFError:
print("[!] EOF received.")
break
server.close()
# Decode and parse the response for the token
response = response.decode()
print(f"[+] Full response: {response}")
if "Token:" in response:
token = response.split("Token:")[1].strip()
return token[:32], token[32:] # IV_HEX, CIPHERTEXT_HEX
else:
raise Exception("Failed to retrieve token!")
except Exception as e:
print(f"[!] Error: {e}")
server.close()
return None, None
# Run the script
iv_hex, ciphertext_hex = get_token()
if iv_hex and ciphertext_hex:
print(f"[+] IV_HEX: {iv_hex}")
print(f"[+] CIPHERTEXT_HEX: {ciphertext_hex}")
else:
print("[!] Token retrieval failed.")
///////
it gives me
[+] IV_HEX: d35d18f22bd8e984ab7eb312f13ece77
[+] CIPHERTEXT_HEX: 95bd7a3a9106999efcb4f2ae9b6c8e67072f0586b3027dfbfd3b30d202eb4a3fcd4045e1a719dae9c90b2fe948a520e98194381aa4a892853ec88e8e20a6f5755185ca7b25b9b1b09ad377d96dff31b0a2f0b1fe221e797ac0370fdd929f877783160c2058bbbe16f28d9c97c84eb5ff807b47675aba4df78d9db2badb7dc5a0
we now can go further with Padding Oracle Attack

Steward · Dec 15, 2024, 02:58 PM

if we go further with Padding Oracle Attack how can we decrypt encrypted user data if we only can influence token on the authentication step?

we can decrypt block using

def is_valid_padding(ciphertext):

    try:

        server = remote(SERVER_IP, SERVER_PORT, timeout=5)

        server.recvuntil(b"> ")

        server.sendline(b"1")

        creds = json.dumps({"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ciphertext.hex()})

        server.sendline(creds.encode())

        response = server.recv(timeout=2).decode()

        server.close()

        return "Decryption error!" not in response

    except Exception as e:

        print(f"[!] Connection error: {e}")

        return False

def decrypt_block(previous_block, current_block):

    intermediate = [0] * BLOCK_SIZE

    plaintext = [0] * BLOCK_SIZE

    for padding_length in range(1, BLOCK_SIZE + 1):

        padding_byte = padding_length

        modified_block = bytearray(previous_block)

        for i in range(1, padding_length):

            modified_block[-i] ^= intermediate[-i] ^ padding_byte

        for guess in range(256):

            modified_block[-padding_length] = previous_block[-padding_length] ^ guess ^ padding_byte

            if is_valid_padding(modified_block + current_block):

                intermediate[-padding_length] = guess ^ padding_byte

                plaintext[-padding_length] = intermediate[-padding_length] ^ previous_block[-padding_length]

                break

    return bytes(plaintext)

but it does not work against encrypted user data

robinia · Jan 30, 2025, 10:56 AM

PKCS#7 not correct?
i tried with

////// exploit.py

from pwn import *
import json
import re

SERVER_IP = "94.237.54.69"
SERVER_PORT = 47940
BLOCK_SIZE = 16

def print_progress(current, total, prefix="", suffix=""):
bar_length = 40
filled = int(round(bar_length * current / float(total)))
percent = round(100.0 * current / float(total), 1)
bar = '#' * filled + '-' * (bar_length - filled)
print(f"\r{prefix} [{bar}] {percent}% {suffix}", end="")
if current == total:
print()

def is_hex(s):
"""Check if the string is a valid hexadecimal number."""
return re.fullmatch(r'^[0-9a-fA-F]+$', s) is not None

def get_token®:
r.recvuntil(b"> ")
r.sendline(b"1")
r.recvuntil(b"Send your credentials: ")
credentials = json.dumps({"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ""})
r.sendline(credentials.encode())
resp = r.recvuntil(b"|--------------------------------------------------------|\n").decode()
token_hex = resp.split("Token: ")[1].split()[0]

if not is_hex(token_hex):
raise ValueError(f"Invalid hexadecimal token: {token_hex}")

print(f"[+] Obtained token (first 32 chars): {token_hex[:32]}...")
return bytes.fromhex(token_hex)

def retrieve_data®:
r.recvuntil(b"> ")
r.sendline(b"2") # Request encrypted data

# Read until the line containing "Encrypted data:"
r.recvuntil(b"Encrypted data: ")

# Read the encrypted data line
encrypted_data_line = r.recvline().strip().decode()

# Debug: Print the raw response for inspection
print(f"[DEBUG] Raw response from server: {encrypted_data_line}")

# Extract hexadecimal data (assuming it's the only hexadecimal string in the line)
hex_data = re.search(r'([0-9a-fA-F]+)', encrypted_data_line)
if not hex_data:
raise ValueError(f"No hexadecimal data found in response: {encrypted_data_line}")

hex_data = hex_data.group(1)

# Validate the extracted hexadecimal data
if not is_hex(hex_data):
raise ValueError(f"Invalid hexadecimal encrypted data: {hex_data}")

encrypted_data = bytes.fromhex(hex_data)
return encrypted_data

def is_valid_padding(r, ciphertext):
r.recvuntil(b"> ")
r.sendline(b"1")
r.recvuntil(b"Send your credentials: ")
token_hex = ciphertext.hex()
creds = json.dumps({"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": token_hex})
r.sendline(creds.encode())
resp = r.recv(timeout=10).decode()
return "Decryption error!" not in resp

def decrypt_block(r, prev_block, cipher_block):
intermediate = bytearray(16)
print(f"\n[+] Decrypting new block: {cipher_block.hex()}")

for pad_len in range(1, BLOCK_SIZE + 1):
current_byte = BLOCK_SIZE - pad_len
total_guesses = 256
print(f"[+] Decrypting byte {current_byte} (0x{current_byte:02x})")

for guess in range(256):
print_progress(guess, total_guesses-1,
prefix=f" Byte {current_byte} guesses",
suffix=f"Testing 0x{guess:02x}")

modified_prev = bytearray(prev_block)
for pos in range(current_byte + 1, BLOCK_SIZE):
modified_prev[pos] = prev_block[pos] ^ intermediate[pos] ^ pad_len
modified_prev[current_byte] = prev_block[current_byte] ^ guess ^ pad_len

if is_valid_padding(r, bytes(modified_prev) + cipher_block):
intermediate[current_byte] = guess
print(f"\n[+] Found valid byte {current_byte}: 0x{guess:02x}")
break

plaintext = bytes([intermediate[i] ^ prev_block[i] for i in range(16)])
print(f"[+] Decrypted block: {plaintext.hex()} → ASCII: {plaintext.decode(errors='replace')}")
return plaintext

def decrypt_data(r, iv, ciphertext):
blocks = [ciphertext[i:i+16] for i in range(0, len(ciphertext), 16)]
plaintext = b''
prev_block = iv

print(f"\n[+] Starting decryption of {len(blocks)} blocks:")
for i, block in enumerate(blocks):
print(f"\n[=== Decrypting block {i+1}/{len(blocks)} ===]")
plaintext_block = decrypt_block(r, prev_block, block)
plaintext += plaintext_block
prev_block = block

# Attempt to remove padding (if valid)
try:
padding_length = plaintext[-1]
if padding_length > BLOCK_SIZE or padding_length == 0:
print(f"[!] Warning: Invalid padding length ({padding_length}). Skipping padding removal.")
else:
plaintext = plaintext[:-padding_length]
except IndexError:
print("[!] Warning: No padding found. Returning full decrypted data.")

return plaintext

def extract_structured_data(decrypted):
"""Extract structured data (e.g., credit card numbers) from the decrypted output."""
# Look for patterns like XXXX-XXXX-XXXX-XXXX or XXXX XXXX XXXX XXXX
pattern = re.compile(r'(\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4})')
matches = pattern.findall(decrypted.decode(errors='replace'))
if matches:
return matches[0] # Return the first match
return None

def main():
# Step 1: Login and get token
print("[=== Step 1: Login and Get Token ===]")
r = remote(SERVER_IP, SERVER_PORT, timeout=10)
token = get_token®
input("\nPress Enter to proceed to Step 2...")

# Step 2: Retrieve user data
print("\n[=== Step 2: Retrieve User Data ===]")
encrypted_data = retrieve_data®
print(f"[+] Received encrypted data: {encrypted_data.hex()}")
input("\nPress Enter to proceed to Step 3...")

# Step 3: Decryption attack
print("\n[=== Step 3: Decryption Attack ===]")
iv = token[:16] # Use the first 16 bytes of the token as the IV
print(f"[+] Using IV from token: {iv.hex()}")
decrypted = decrypt_data(r, iv, encrypted_data)

# Extract structured data (e.g., credit card numbers)
structured_data = extract_structured_data(decrypted)
if structured_data:
print(f"\n[+] DECRYPTED DATA: {structured_data}")
else:
print(f"\n[!] No structured data found in decrypted output.")
print(f"[!] FULL DECRYPTED DATA (hex): {decrypted.hex()}")
print(f"[!] FULL DECRYPTED DATA (ASCII): {decrypted.decode(errors='replace')}")

r.close()

if __name__ == "__main__":
main()

////////

i got!

[+] Decrypted block: fd6d15cebd88cd0f6b6e0ad84b14e7d8 → ASCII: m\x15ν \x0fkn
K\x14
[!] Warning: Invalid padding length (216). Skipping padding removal.

[!] No structured data found in decrypted output.
[!] FULL DECRYPTED DATA (hex): 9f10c92b119c45a26f2416212a140950fd6d15cebd88cd0f6b6e0ad84b14e7d8
[!] FULL DECRYPTED DATA (ASCII): \x10 +\x11 E o$\x16!*\x14 P m\x15ν \x0fkn
K\x14
[*]Closed connection to 94.237.54.69 port 47940

pwns4k3 · Jan 30, 2025, 12:01 PM

(Jan 30, 2025, 10:56 AM)robinia Wrote: PKCS#7 not correct?
i tried with

////// exploit.py

from pwn import *
import json
import re

SERVER_IP = "94.237.54.69"
SERVER_PORT = 47940
BLOCK_SIZE = 16

def print_progress(current, total, prefix="", suffix=""):
bar_length = 40
filled = int(round(bar_length * current / float(total)))
percent = round(100.0 * current / float(total), 1)
bar = '#' * filled + '-' * (bar_length - filled)
print(f"\r{prefix} [{bar}] {percent}% {suffix}", end="")
if current == total:
print()

def is_hex(s):
"""Check if the string is a valid hexadecimal number."""
return re.fullmatch(r'^[0-9a-fA-F]+$', s) is not None

def get_token®:
r.recvuntil(b"> ")
r.sendline(b"1")
r.recvuntil(b"Send your credentials: ")
credentials = json.dumps({"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": ""})
r.sendline(credentials.encode())
resp = r.recvuntil(b"|--------------------------------------------------------|\n").decode()
token_hex = resp.split("Token: ")[1].split()[0]

if not is_hex(token_hex):
raise ValueError(f"Invalid hexadecimal token: {token_hex}")

print(f"[+] Obtained token (first 32 chars): {token_hex[:32]}...")
return bytes.fromhex(token_hex)

def retrieve_data®:
r.recvuntil(b"> ")
r.sendline(b"2") # Request encrypted data

# Read until the line containing "Encrypted data:"
r.recvuntil(b"Encrypted data: ")

# Read the encrypted data line
encrypted_data_line = r.recvline().strip().decode()

# Debug: Print the raw response for inspection
print(f"[DEBUG] Raw response from server: {encrypted_data_line}")

# Extract hexadecimal data (assuming it's the only hexadecimal string in the line)
hex_data = re.search(r'([0-9a-fA-F]+)', encrypted_data_line)
if not hex_data:
raise ValueError(f"No hexadecimal data found in response: {encrypted_data_line}")

hex_data = hex_data.group(1)

# Validate the extracted hexadecimal data
if not is_hex(hex_data):
raise ValueError(f"Invalid hexadecimal encrypted data: {hex_data}")

encrypted_data = bytes.fromhex(hex_data)
return encrypted_data

def is_valid_padding(r, ciphertext):
r.recvuntil(b"> ")
r.sendline(b"1")
r.recvuntil(b"Send your credentials: ")
token_hex = ciphertext.hex()
creds = json.dumps({"username": "D-Cryp7", "password": "Cryp70Gr47Hy!", "token": token_hex})
r.sendline(creds.encode())
resp = r.recv(timeout=10).decode()
return "Decryption error!" not in resp

def decrypt_block(r, prev_block, cipher_block):
intermediate = bytearray(16)
print(f"\n[+] Decrypting new block: {cipher_block.hex()}")

for pad_len in range(1, BLOCK_SIZE + 1):
current_byte = BLOCK_SIZE - pad_len
total_guesses = 256
print(f"[+] Decrypting byte {current_byte} (0x{current_byte:02x})")

for guess in range(256):
print_progress(guess, total_guesses-1,
prefix=f" Byte {current_byte} guesses",
suffix=f"Testing 0x{guess:02x}")

modified_prev = bytearray(prev_block)
for pos in range(current_byte + 1, BLOCK_SIZE):
modified_prev[pos] = prev_block[pos] ^ intermediate[pos] ^ pad_len
modified_prev[current_byte] = prev_block[current_byte] ^ guess ^ pad_len

if is_valid_padding(r, bytes(modified_prev) + cipher_block):
intermediate[current_byte] = guess
print(f"\n[+] Found valid byte {current_byte}: 0x{guess:02x}")
break

plaintext = bytes([intermediate[i] ^ prev_block[i] for i in range(16)])
print(f"[+] Decrypted block: {plaintext.hex()} → ASCII: {plaintext.decode(errors='replace')}")
return plaintext

def decrypt_data(r, iv, ciphertext):
blocks = [ciphertext[i:i+16] for i in range(0, len(ciphertext), 16)]
plaintext = b''
prev_block = iv

print(f"\n[+] Starting decryption of {len(blocks)} blocks:")
for i, block in enumerate(blocks):
print(f"\n[=== Decrypting block {i+1}/{len(blocks)} ===]")
plaintext_block = decrypt_block(r, prev_block, block)
plaintext += plaintext_block
prev_block = block

# Attempt to remove padding (if valid)
try:
padding_length = plaintext[-1]
if padding_length > BLOCK_SIZE or padding_length == 0:
print(f"[!] Warning: Invalid padding length ({padding_length}). Skipping padding removal.")
else:
plaintext = plaintext[:-padding_length]
except IndexError:
print("[!] Warning: No padding found. Returning full decrypted data.")

return plaintext

def extract_structured_data(decrypted):
"""Extract structured data (e.g., credit card numbers) from the decrypted output."""
# Look for patterns like XXXX-XXXX-XXXX-XXXX or XXXX XXXX XXXX XXXX
pattern = re.compile(r'(\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4})')
matches = pattern.findall(decrypted.decode(errors='replace'))
if matches:
return matches[0] # Return the first match
return None

def main():
# Step 1: Login and get token
print("[=== Step 1: Login and Get Token ===]")
r = remote(SERVER_IP, SERVER_PORT, timeout=10)
token = get_token®
input("\nPress Enter to proceed to Step 2...")

# Step 2: Retrieve user data
print("\n[=== Step 2: Retrieve User Data ===]")
encrypted_data = retrieve_data®
print(f"[+] Received encrypted data: {encrypted_data.hex()}")
input("\nPress Enter to proceed to Step 3...")

# Step 3: Decryption attack
print("\n[=== Step 3: Decryption Attack ===]")
iv = token[:16] # Use the first 16 bytes of the token as the IV
print(f"[+] Using IV from token: {iv.hex()}")
decrypted = decrypt_data(r, iv, encrypted_data)

# Extract structured data (e.g., credit card numbers)
structured_data = extract_structured_data(decrypted)
if structured_data:
print(f"\n[+] DECRYPTED DATA: {structured_data}")
else:
print(f"\n[!] No structured data found in decrypted output.")
print(f"[!] FULL DECRYPTED DATA (hex): {decrypted.hex()}")
print(f"[!] FULL DECRYPTED DATA (ASCII): {decrypted.decode(errors='replace')}")

r.close()

if __name__ == "__main__":
main()

////////

i got!

[+] Decrypted block: fd6d15cebd88cd0f6b6e0ad84b14e7d8 → ASCII: m\x15ν \x0fkn
K\x14
[!] Warning: Invalid padding length (216). Skipping padding removal.

[!] No structured data found in decrypted output.
[!] FULL DECRYPTED DATA (hex): 9f10c92b119c45a26f2416212a140950fd6d15cebd88cd0f6b6e0ad84b14e7d8
[!] FULL DECRYPTED DATA (ASCII): \x10 +\x11 E o$\x16!*\x14 P m\x15ν \x0fkn
K\x14
[*]Closed connection to 94.237.54.69 port 47940

Why not try implementing something that works? e.g.: https://www.nccgroup.com/us/research-blo...g-oracles/

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] HackTheBox All Cheatsheets	Tamarisk	2	326	3 hours ago Last Post: hibreackignos
	CBBH Write Ups	hiddenhacker	22	6,187	5 hours ago Last Post: Usercomplex
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	368	91,455	5 hours ago Last Post: Usercomplex
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	86	7,773	Yesterday, 11:39 PM Last Post: my4ri0d0
	rev_dudidudida	cavour13	1	246	Yesterday, 12:25 AM Last Post: 0xcreep