
# \[Dreamhack] \[LINE CTF 2021] babycrypto1

문제 출처: <https://dreamhack.io/wargame/challenges/386>

[ \[LINE CTF 2021\] babycrypto1 dreamhack.io](https://dreamhack.io/wargame/challenges/386)

***

```
#!/usr/bin/env python
from base64 import b64decode
from base64 import b64encode
import socket
import multiprocessing

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
import hashlib
import sys

class AESCipher:
    """AES-CBC helper that produces and consumes base64(IV || ciphertext).

    Security notes for readers of this challenge source:
      * CBC is used here without a MAC or any other integrity check, so
        decrypt() accepts any ciphertext whose last block unpads cleanly,
        including one assembled from blocks of different messages.
      * encrypt_iv() lets the caller choose the IV. Outside a deliberately
        vulnerable exercise, prefer an AEAD mode (for example AES-GCM) or
        encrypt-then-MAC, and always generate the IV/nonce on the server.
    """

    def __init__(self, key):
        # Raw AES key bytes, stored as given.
        self.key = key

    def encrypt(self, data):
        """Encrypt *data* under a fresh random IV and return base64(IV || ct)."""
        random_iv = get_random_bytes(AES.block_size)
        self.cipher = AES.new(self.key, AES.MODE_CBC, random_iv)
        padded = pad(data, AES.block_size)
        ciphertext = self.cipher.encrypt(padded)
        return b64encode(random_iv + ciphertext)

    def encrypt_iv(self, data, iv):
        """Encrypt *data* under the caller-supplied *iv*; return base64(iv || ct).

        The IV is used exactly as passed in; this method does not check that
        it is random or unused.
        """
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        padded = pad(data, AES.block_size)
        ciphertext = self.cipher.encrypt(padded)
        return b64encode(iv + ciphertext)

    def decrypt(self, data):
        """Decode base64 *data*, split off the leading IV block, and decrypt.

        Returns the unpadded plaintext. No authenticity check is performed;
        the only validation is the padding check done by unpad().
        """
        blob = b64decode(data)
        iv_part = blob[:AES.block_size]
        body = blob[AES.block_size:]
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv_part)
        return unpad(self.cipher.decrypt(body), AES.block_size)

# Flag bytes are read once when the module is loaded, with surrounding
# whitespace stripped.
flag = open("flag", "rb").read().strip()

# Command words: index 0 is appended to the token in the server's greeting
# ciphertext, index 1 is the word the decrypted command must end with for the
# flag to be sent.
COMMAND = [b'test',b'show']

def run_server(client, aes_key, token):
    """Serve one client: greeting, one encryption-oracle query, command loop.

    Protocol, as implemented below:
      1. Send base64(IV || CBC(token + b'test')) under the session key.
      2. Read a base64 IV and a base64 message from the client and send back
         their CBC encryption under the same key.
      3. Repeatedly read a base64 ciphertext, decrypt it, echo the plaintext,
         and send the flag when the plaintext equals token + b'show'.

    Review notes (this is an intentionally vulnerable challenge service):
      * Step 2 encrypts client-chosen plaintext with a client-chosen IV under
        the same key that protects the command, and step 3 performs no
        integrity check, so a command that decrypts correctly is not proof
        that the server produced that ciphertext. An AEAD mode or
        encrypt-then-MAC, together with server-generated IVs, removes that
        property.
      * Step 3 echoes every decrypted plaintext back to the client.
      * Malformed base64 or padding raises inside this function and nothing
        here catches it, so the exception propagates out of run_server.
      * Each recv(1024) is treated as one complete line, which TCP does not
        guarantee.
    """
    # Step 1: greeting ciphertext for token + "test".
    greeting = AESCipher(aes_key).encrypt(token + COMMAND[0])
    client.send(b'test Command: ' + greeting + b'\n')

    # Step 2: single oracle query with client-supplied IV and message.
    client.send(b'**Cipher oracle**\n')
    client.send(b'IV...: ')
    oracle_iv = b64decode(client.recv(1024).decode().strip())
    client.send(b'Message...: ')
    oracle_msg = b64decode(client.recv(1024).decode().strip())
    oracle_ct = AESCipher(aes_key).encrypt_iv(oracle_msg, oracle_iv)
    client.send(b'Ciphertext:' + oracle_ct + b'\n\n')

    # Step 3: command loop; only an exact match releases the flag.
    expected = token + COMMAND[1]
    while True:
        client.send(b'Enter your command: ')
        submitted = client.recv(1024).strip()
        plaintext = AESCipher(aes_key).decrypt(submitted)
        client.send(plaintext + b'\n')
        if plaintext != expected:
            continue
        client.send(b'The flag is: ' + flag)
        client.close()
        break

if __name__ == '__main__':
    # Plain TCP listener on every interface, port 16001.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('0.0.0.0', 16001))
    listener.listen(1)

    while True:
        conn, _peer = listener.accept()

        # Fresh key and token for every connection.
        aes_key = get_random_bytes(AES.block_size)
        # The token is cut to AES.block_size * 10 base64 characters, so its
        # length is a whole number of cipher blocks and the command appended
        # to it starts exactly at the beginning of the final block.
        token_len = AES.block_size * 10
        token = b64encode(get_random_bytes(token_len))[:token_len]

        # One daemon worker process per client.
        worker = multiprocessing.Process(
            target=run_server,
            args=(conn, aes_key, token),
        )
        worker.daemon = True
        worker.start()
```

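\- 서버는 접속마다 AES 키와 토큰을 생성한 뒤, test 명령어를 포함한 메시지(token+b'test')를 AES-CBC로 암호화해서 보여준다. 이어서 초기화 벡터(IV)와 메시지를 받으면 CBC 암호문을 생성해주는 오라클을 제공한다. (CBC는 블록 암호화 방식 중 하나로, 평문을 블록 단위(보통 16바이트)로 나눈 뒤, 이전 블록의 암호문과 XOR한 후 암호화하는 방식이다.) 그 다음 사용자가 암호문을 보내면 서버가 이를 복호화하고, 그 복호화 결과가 token+b'show' 와 일치하면 플래그를 반환한다. 토큰 길이가 블록 크기의 배수라서 명령어는 마지막 블록에 단독으로 들어가고, 암호문에 무결성 검증(MAC)이 없기 때문에 마지막 블록만 바뀌어도 서버는 이를 구분하지 못한다. 아래 코드는 마지막 블록 바로 앞의 암호문 블록을 IV로 오라클에 넘겨 b'show' 에 해당하는 블록을 얻고, 이를 기존 암호문의 마지막 블록 자리에 넣는다.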

```
import base64
from Crypto.Cipher import AES
from pwn import *

# Connect to the challenge instance (presumably the host and port of the
# author's own Dreamhack session).
r = remote('host8.dreamhack.games', 22354)
# Greeting line from the server: base64(IV || CBC(token + b'test')).
r.recvuntil(b'test Command: ')
enc_test = base64.b64decode(r.recvuntil(b'\n'))
# Second-to-last 16-byte block of the greeting: the ciphertext block that CBC
# XORs into the final plaintext block, which holds the command word.
iv = enc_test[-32:-16]
# Answer the oracle's two prompts: that block as the IV, b'show' as the message.
r.sendline(base64.b64encode(iv))
r.sendline(base64.b64encode(b'show'))
r.recvuntil(b'Ciphertext:')
# Oracle reply: base64(IV || one ciphertext block) for the padded b'show'.
enc_show = base64.b64decode(r.recvuntil(b'\n'))
r.recvuntil(b'command: ')
# Keep everything except the greeting's last block and append the oracle's
# block. The server accepts the result because its CBC ciphertext carries no
# MAC: nothing binds the final block to the blocks before it. Authenticated
# encryption (an AEAD mode or encrypt-then-MAC) would reject this message.
r.sendline(base64.b64encode(enc_test[:-16] + enc_show[16:]))
# Hand the connection to the terminal to read the server's response.
r.interactive()
```

플래그는 아래와 같다.

```
DH{8a380d0456c0e6c160403c48f6a7fbbb7a37e09b}
```

