https://app.hackthebox.com/challenges/477

Description

As your investigation progressed, a clue led you to a local bar where you met an undercover agent with valuable information. He spoke of a famous astronomy scientist who lived in the area and extensively studied the relic. The scientist wrote a book containing valuable insights on the relic's location, but encrypted it before he disappeared to keep it safe from malicious intent. The old man disclosed that the book was hidden in the scientist's house and revealed two phrases that the scientist rambled about before vanishing.

Exploitation

#!/usr/bin/env python3
from Crypto.Cipher import AES
from binascii import unhexlify

def blockify(message, size):
    return [message[i:i + size] for i in range(0, len(message), size)]

def xor_bytes(a, b):
    return bytes([_a ^ _b for _a, _b in zip(a, b)])

def analyze_encryption():
    ct = unhexlify('b25bc89662197c6462188e5960eea4fbef11424b8ebdcd6b45c8f4240d64f5d1981aab0e299ff75ce9fba3d5d78926543e5e8c262b81090aef60518ee241ab131db902d2582a36618f3b9a85a35f52352d5499861b4a878fac1380f520fe13deb1ca50c64f30e98fa6fdc070d02e148f')
    r = 3
    phrases = ['5fe633e7071e690fbe58a9dace6f3606', '501ccdc4600bc2dcf350c6b77fcf2681']
    leak1 = unhexlify(phrases[0])
    leak2 = unhexlify(phrases[1])
    blocks = blockify(ct, 16)
    pt_block1 = xor_bytes(blocks[r + 1], leak1)
    pt_block2 = xor_bytes(blocks[r + 2], leak2)
    flag = pt_block2[-15:].decode() + pt_block1.decode()
    return flag

def main():
    flag = analyze_encryption()
    print(flag+ '}')

if __name__ == "__main__":
    main()

Summary

Multipage Recyclings: abuse the AES misuse, derive the missing key material, and decrypt the flag.