Lemur Xor

A straightforward, and perhaps classic, challenge. It takes advantage of the fact that both images are encrypted using the same XOR key. We can leak information about the flag by XORing the two ciphertexts, i.e. the two files given. There are different snippets of code that can do this, which weirdly are not available online. The following XORs the RGB values pixel by pixel. daneallen from Cryptohack:

Transparency

We are given a public RSA key that is used in the X509 certificate for the HTTPS connection to a Cryptohack domain. I solve it the easy way and use a subdomain lookup site. A good one to use is crt.sh, with the query https://crt.sh/?q=cryptohack.org; another is https://subdomains.whoisxmlapi.com/. We can go over the list of subdomains to find the correct subdomain for the solution. Alternatively, we can solve this without using this comprehensive list of subdomains.

Curveball

The name of the challenge is the name of the vulnerability CVE-2020-0601 in the crypt32.dll library on the Microsoft Windows operating system. This vulnerability only targets ECC: an adversary can specify their own generator, private key and curve, because Windows allows arbitrary curves to be specified. The same idea applies to this challenge. From the source code of the challenge,

def search_trusted(self, Q):
    for host, cert in self.

Moving Problems

The title suggests the use of the MOV attack, which uses a mapping from ECC to bilinear maps to solve the DLP. More information can be found on Crypto StackExchange. The code is based on this HackTheBox writeup by WizardAlfredo, whose implementation the following solution uses.

from Crypto.Hash import SHA1
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib

def is_pkcs7_padded(message):
    padding = message[-message[-1]:]
    return all(padding[i] == len(padding) for i in range(0, len(padding)))

def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    # Derive AES key from shared secret
    sha1 = hashlib.

ProSign 3

Big kudos to ConnorM on the Cryptohack Discord for the help. This challenge is super sneaky, as the implementation looks very sound, and it bears great resemblance to the example of the Python-ecdsa module. I learnt two lessons from this. First, please do code fuzzing carefully - I was very close to the actual solution but simply missed the crucial idea. Second, do not make assumptions about one’s code - vulnerabilities can start from something very silly.