HackTheBox Bloom Bloom Challenge

https://app.hackthebox.com/challenges/703

Description

Since the fallout, most of the world’s fertile land has been transformed into wasteland, leaving survivors struggling to produce enough food to sustain their communities. With traditional agriculture in ruins, they recall that, in the years before the disaster, agricultural scientists were developing genetically modified crops that could thrive in extreme conditions. Rumors point to a hidden agricultural research zone where these scientists experimented with advanced genetic seeds. This zone is believed to contain experimental crops, advanced equipment, and crucial research that could empower communities to rebuild agriculture from the ground up. Undeterred, the survivors embark on a grueling journey lasting several days in pursuit of the zone. At last, they arrive to find a vast area buried in sand but equipped with sophisticated watering systems and supplies to nurture the genetic crops. To their surprise, the zone is defended by humanoid robotic guards armed with automatic weapons. It’s clear that accessing the area safely requires a secret password; otherwise, the robots are likely to open fire. Worse yet, these robots teleport unpredictably throughout the zone, making their movements almost impossible to predict. Can you extract information from their movements, predict their next move and devise a strategy to eliminate all of them?

Exploitation

#!/usr/bin/python3
from sage.all import *
from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes
import re

with open('output.txt') as f:
    data = f.read().split('\n')
enc_messages = eval(data[0])
enc_flag = bytes.fromhex(data[1])
key = sha256(b'0'*256).digest()
shares = []
for i in range(len(enc_messages)):
    for iv, ct in enc_messages[i]:
        try:
            cipher = AES.new(key, AES.MODE_CBC, bytes.fromhex(iv))
            dec = unpad(cipher.decrypt(bytes.fromhex(ct)), 16).decode()
            shares.append(eval(dec.split('#: ')[1]))
            if i == len(enc_messages) - 1:
                p = int(re.search(r'\d+', dec).group())
            break
        except:
            pass
assert len(shares) == 5
F = GF(p)
PR = PolynomialRing(F, 'x')
P = PR.lagrange_polynomial(shares)
key = long_to_bytes(int(list(P)[0]))
flag = unpad(AES.new(key, AES.MODE_ECB).decrypt(enc_flag), 16)
print(flag.decode())

Summary

Bloom Bloom: abuse the AES misuse, derive the missing key material, and decrypt the flag.