Broken Decryptor

Technical Walkthrough

Writeup

Challenge

• Name: Broken-Decryptor
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid

Summary

The provided source implements an AES-CTR service with a broken decrypt menu and a flawed encrypt menu. The encrypt function resets CTR to the same IV for each request, then XORs the ciphertext with random bytes where 0x00 is replaced by 0xff.

That replacement creates a missing-value oracle: for any fixed plaintext byte and position, every output byte can appear except plaintext_byte xor keystream_byte. Repeating zero encryptions and flag encryptions reveals two missing-value vectors; XORing those vectors recovers the flag.

The live deployment used fresh key/IV state per connection, so samples could not be mixed across sockets. The final solve grouped samples per connection, computed possible flag-byte candidates from each connection, and intersected the candidate sets until every flag byte was unique.

Artifact Inventory

• files/a12c734a-18b6-4899-89cf-e9bc932b3f4b.zip: original challenge archive.
• analysis/extracted/challenge.py: complete Python service source.
• Remote service: <TARGET>:31068.
• Hashes and file type details are in analysis/artifact-inventory.json, analysis/file-types.txt, and analysis/sha256sums.txt.

Analysis

Relevant source behavior from analysis/extracted/challenge.py:

• key and iv are generated at process startup.
• encrypt(data) constructs a fresh AES-CTR object with the same counter initial value each call.
• The encrypt output is:

data xor keystream xor otp

• otp comes from os.urandom(len(data)).replace(b'\x00', b'\xff').
• Therefore an OTP byte can never be zero, and byte value 0xff is twice as likely as ordinary values.
• For fixed plaintext and position, the impossible output value is plaintext_byte xor keystream_byte.

The decrypt path is not useful. main() passes decrypt(unhex(ct)), so decrypt() receives bytes, but then calls data.encode(), which raises and is swallowed by the broad exception handler.

Local validation:

• analysis/local-simulation.txt and analysis/local-simulation-latest.txt show the missing-value recovery works against a dummy flag under the same distribution.
• analysis/remote-solve.txt closed the first remote branch: mixing multiple sockets as if they shared one keystream produced impossible evidence for a single keystream.
• analysis/remote-intersection-solve.txt shows the final per-connection intersection run. Round one resolved all positions uniquely.

Solve

The solve script is solve/solve.py.

The final remote command used:

cd <local workspace>
python3 -u solve/solve.py \
  --host <TARGET> \
  --port 31068 \
  --strategy intersection \
  --workers 20 \
  --per-worker-samples 750 \
  --rounds 2 \
  --output loot/flag-candidate.txt

The script:

1. Opens independent connections.
2. For each connection, collects repeated get_flag and zero-plaintext encryption samples.
3. Builds candidate flag-byte sets from missing output values within that connection only.
4. Intersects candidate sets across connections.
5. Stops when every position has one printable candidate and the result matches the expected HTB flag format.

The harness then copied the validated candidate to loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• When randomness excludes one byte value, repeated outputs can become a missing-value oracle.
• Do not assume source-level process globals are shared across remote sockets; validate deployment behavior.
• If each connection has independent crypto state, compute per-connection candidate sets and combine only the final plaintext candidates.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Broken-Decryptor
• Category: Crypto
• Difficulty: Medium
• Mode: hybrid
• Remote instance: <TARGET>:31068
• Start time: 2026-06-13T12:57:32Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• analysis/extracted/challenge.py is the full service source.
• The service uses AES-CTR, but recreates the counter from the same iv on every encryption inside one process.
• encrypt(data) returns AES_CTR(data) xor otp, where otp is random bytes with 0x00 replaced by 0xff.
• Because otp can never contain 0x00, each byte position has exactly one impossible output value for a fixed plaintext and keystream.
• Repeated zero-plaintext encryption samples reveal the missing keystream byte per position.
• Repeated flag encryption samples reveal the missing flag_byte xor keystream_byte per position.
• XORing those two missing-value vectors recovers the flag for one key/IV context.
• The live service did not behave as a single global key/IV across sockets; mixed parallel samples observed all 256 values for zero plaintext, so that branch was closed.
• The final solve used independent per-connection candidate sets and intersected them across 20 connections with 750 samples each.
• solve/solve.py reproduces the final collection and writes the candidate to loot/flag-candidate.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Broken-Decryptor
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audited the Python source and identified AES-CTR reset to the same IV on each encryption request.
2. Observed that encryption XORs ciphertext with random bytes after replacing 0x00 with 0xff.
3. Modeled this as a missing-value oracle: for fixed plaintext and byte position, exactly one output value is impossible.
4. Validated the oracle locally with a dummy flag.
5. Tested a shared-keystream parallel collection branch and closed it when live samples showed fresh key/IV behavior per connection.
6. Solved by grouping samples per connection, deriving candidate plaintext byte sets, and intersecting candidates across independent connections.

Reusable Lessons

• Missing-byte distributions can be exploitable even when ciphertext is masked with fresh randomness.
• Check remote deployment state before mixing samples across connections.
• Candidate-set intersection can recover plaintext when each connection has independent keystream but the hidden message is constant.

Dead Ends

• Treating all remote connections as one shared key/IV context. Live zero-plaintext samples eventually observed all 256 values, which cannot happen for one fixed missing-value oracle.

Tool Quirks

• The local environment lacked some optional crypto tools (sympy, z3, sage, pwntools, hashcat), but Python and PyCryptodome were sufficient.
• The remote service was slow per request, so the final collector needed bounded parallel per-connection sampling.

Evidence Paths

• analysis/extracted/challenge.py
• analysis/source-audit.md
• analysis/research/direct-source-crypto-model.md
• analysis/local-simulation.txt
• analysis/remote-solve.txt
• analysis/remote-intersection-solve.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches