In [4]:
#!/usr/bin/env python3
from Crypto.Util.number import long_to_bytes
from Crypto.Random import get_random_bytes
from Crypto.Hash import SHA256
from Crypto.Cipher import AES

import telnetlib
import json

# Change this to REMOTE = False if you are running against a local instance of the server
REMOTE = True

# Remember to change the port if you are re-using this client for other challenges
PORT = 50400

if REMOTE:
    host = "aclabs.ethz.ch"
else:
    host = "localhost"

tn = telnetlib.Telnet(host, PORT)

def readline():
    return tn.read_until(b"\n")

def json_recv():
    line = readline()
    return json.loads(line.decode())

def json_send(req):
    request = json.dumps(req).encode()
    tn.write(request + b"\n")
    

# Idea
We will perform the "Meet-in-the-middle" attack, i.e., exploit the fact that $E_{k_1}(p) = D_{k_2}(c_2) = c_1$.

In [3]:
# Generate all possible combination of 2 bytes key and SHA256 them
ciphers = set()
for i in range(256):
    for j in range(256):
        key = SHA256.new(bytes([i, j])).digest()
        ciphers.add(AES.new(key, AES.MODE_ECB))

In [8]:
# Send the random plaintext, get the ciphertext and store them into a dictionary
plaintext = get_random_bytes(16)
ctxt_dict = set()
# Compute the encryption with all keys
for cipher in ciphers:
  ctxt_dict.add(cipher.encrypt(plaintext))

for i in range(64):
  guess_bit = 1
  json_send({
    "command": "query",
    "m": plaintext.hex()
  })
  ctxt_hex = json_recv()["res"]
  ctxt = bytes.fromhex(ctxt_hex)

  # Bruteforce D_k2(ctxt2) 
  for cipher in ciphers:
    ctxt_guess = cipher.decrypt(ctxt)
    if ctxt_guess in ctxt_dict:
      guess_bit = 0
      break
  # if we cannot decrypt, then PRP world
  json_send({
  "command": "guess",
  "b": guess_bit
  })
  mess = json_recv()['res']
  print(mess)

json_send({
    "command": "flag"
})
flag = json_recv()["flag"]
print(flag)

attemp:  1
Good! (1/64)
attemp:  2
Good! (2/64)
attemp:  3
Good! (3/64)
attemp:  4
Good! (4/64)
attemp:  5
Good! (5/64)
attemp:  6
Good! (6/64)
attemp:  7
Good! (7/64)
attemp:  8
Good! (8/64)
attemp:  9
Good! (9/64)
attemp:  10
Good! (10/64)
attemp:  11
Good! (11/64)
attemp:  12
Good! (12/64)
attemp:  13
Good! (13/64)
attemp:  14
Good! (14/64)
attemp:  15
Good! (15/64)
attemp:  16
Good! (16/64)
attemp:  17
Good! (17/64)
attemp:  18
Good! (18/64)
attemp:  19
Good! (19/64)
attemp:  20
Good! (20/64)
attemp:  21
Good! (21/64)
attemp:  22
Good! (22/64)
attemp:  23
Good! (23/64)
attemp:  24
Good! (24/64)
attemp:  25
Good! (25/64)
attemp:  26
Good! (26/64)
attemp:  27
Good! (27/64)
attemp:  28
Good! (28/64)
attemp:  29
Good! (29/64)
attemp:  30
Good! (30/64)
attemp:  31
Good! (31/64)
attemp:  32
Good! (32/64)
attemp:  33
Good! (33/64)
attemp:  34
Good! (34/64)
attemp:  35
Good! (35/64)
attemp:  36
Good! (36/64)
attemp:  37
Good! (37/64)
attemp:  38
Good! (38/64)
attemp:  39
Good! (39/64)
atte