https://app.hackthebox.com/challenges/341

Description

Intrigued by the fact that you have found something your father made, and with much confidence that you can be useful to the team, you rush excitedly to integrate “Jenny” into the spaceship’s main operating system. For weeks, everything went smoothly, until you ran into a meteor storm. Having little to no data of training, the AI is now malfunctioning. Ulysses freaks out because he can no longer control the spaceship due to the AI overriding his manual commands. Big banging noises terrify your crew members. Everything is shaking. It’s time to act. Do you think you can temporarily shut down “Jenny” until she becomes more sophisticated?

Exploitation

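#!/usr/bin/env python3
from hashlib import sha256

def decrypt_block(eblock, block):
    """Subtract the 32-byte key `block` from ciphertext block `eblock`, byte-wise mod 256."""
    pt = bytearray(32)
    for i in range(32):
        pt[i] = (eblock[i] - block[i] + 256) % 256
    return bytes(pt)

def main():
    # Ciphertext from the challenge, hex-encoded; processed as 32-byte blocks.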
    ct = bytes.fromhex('d56591f1e1cbcb77c98473266bb8b3938db1ea6e8751604bced6ff262e954b8243e085580d650d757af55475e3a8e7030da53a5080a7c6a117e2537c4c8dcdfa9af11f91d12619caf796a4d12d0cbb085ca62b1dca39465a03ed967c10e944dd4f7bce176d1c81cefed8ec1316add4a1aead3a21199bdb4d84986f00bba5bfc6b899f065811c2b244d384ed93483ea3adc633fc267a072a3952657f1d8ec88a8335fe6a26589af63671bc00c4c8f2bb580d318cf8350dcc9257044ee4ffaffbe8391ac11c6bd224ea0a2cca4b4378b58e3c687ea7f80d1db46dfb4d842e1fd797c651646ea6651c53db8edd315a6204695bc35bc26e80b05284660b03068d9b0')
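    # Known plaintext of the first block (exactly 32 bytes).
    block0 = b'Command executed: cat secret.txt'
    px = bytearray()
    eblock0 = ct[:32]
    # Key for the next block: SHA-256(previous ciphertext block + previous plaintext block).
    h = sha256(eblock0 + block0).digest()
    for ic in range(1, len(ct) // 32):
        cx0 = ct[ic*32:(ic+1)*32]
        px0 = decrypt_block(cx0, h)
        h = sha256(cx0 + px0).digest()  # chain forward to the following block's key
        px.extend(px0)
    print(px.decode())

if __name__ == "__main__":
    main()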
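
The solver above implies a cipher in which every key after the first is derived only from the previous ciphertext and plaintext block. The following round trip is an added example, not the challenge's source: the encrypt function, the zero padding and the sample message are assumptions constructed to model that scheme and show that the random secret never matters once block 0 is known.

```python
import os
from hashlib import sha256

BLOCK = 32  # SHA-256 digest size, also the cipher's block size

def add_bytes(block, key, sign=1):
    """Byte-wise addition (sign=1) or subtraction (sign=-1) modulo 256."""
    return bytes((b + sign * k) % 256 for b, k in zip(block, key))

def encrypt(message, secret):
    """Assumed model of the cipher, inferred from the solver on this page."""
    message += b"\x00" * (-len(message) % BLOCK)  # constructed zero padding
    key, out = secret, b""
    for i in range(0, len(message), BLOCK):
        pt = message[i:i + BLOCK]
        ct = add_bytes(pt, key)
        out += ct
        key = sha256(ct + pt).digest()  # next key depends only on (ct, pt)
    return out

def recover(ct, known_first_block):
    """Decrypt blocks 1..n given only the plaintext of block 0."""
    key = sha256(ct[:BLOCK] + known_first_block).digest()
    out = b""
    for i in range(BLOCK, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        p = add_bytes(c, key, -1)
        out += p
        key = sha256(c + p).digest()
    return out

def demo():
    first = b"Command executed: cat secret.txt"  # 32 bytes, from the page
    body = b"\nconstructed sample output, not the real flag\n"
    ct = encrypt(first + body, os.urandom(BLOCK))  # secret is never given to recover()
    return recover(ct, first).rstrip(b"\x00")

if __name__ == "__main__":
    print(demo().decode())
```

Because the secret only protects block 0, a predictable first block (here a fixed command echo) exposes the rest of the message; mixing the secret into every block's key derivation would remove that shortcut.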

Summary

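Jenny From The Block: each block's key is the SHA-256 of the previous ciphertext block concatenated with its plaintext, so knowing the first plaintext block ('Command executed: cat secret.txt') is enough to decrypt every following block in turn and recover the flag.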