The Art of Capture Discussion [FORENSICS] [HINTS] [HTB]

Hell yeah. It took only 0.1 seconds to recover the AES Key!

import base64
import string
from typing import Optional

from Crypto.Cipher import AES
from Crypto.Util import Counter

def xor_string(data: bytes, key: int) -> bytes:
    """Mask ``data`` with a rolling 32-bit counter that starts at ``key``.

    For each byte position the four bytes of the current counter value are
    XOR-folded into a single byte, which is XORed into the data byte; the
    counter is then incremented modulo 2**32. Because the mask is pure XOR,
    applying the same call with the same ``key`` undoes the transform.
    """
    counter = key
    out = bytearray()
    for byte in data:
        # Fold all four counter bytes into one (same as XORing each in turn).
        fold = (counter ^ (counter >> 8) ^ (counter >> 16) ^ (counter >> 24)) & 0xFF
        out.append(byte ^ fold)
        counter = (counter + 1) & 0xFFFFFFFF
    return bytes(out)

def is_valid_key(data: bytes) -> bool:
    """Return True when ``data`` decodes (UTF-8) to exactly 16 ASCII letters/digits.

    Invalid UTF-8, any other length, or any character outside [A-Za-z0-9]
    is rejected.
    """
    try:
        text = data.decode('utf-8')
    except UnicodeDecodeError:
        return False
    if len(text) != 16:
        return False
    allowed = set(string.ascii_letters + string.digits)
    return all(ch in allowed for ch in text)

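def decrypt(key: bytes, enc: bytes) -> Optional[bytes]:
    """AES-CTR decrypt ``enc``, whose first 16 bytes hold the initial counter.

    The 128-bit counter starts at the big-endian integer encoded by that
    16-byte prefix; the rest of ``enc`` is the ciphertext.

    Returns the plaintext, or None if ``cipher.decrypt`` raises ValueError.
    Errors raised by ``AES.new`` itself (outside the try block) are not
    caught here and propagate to the caller.
    """
    iv, body = enc[:16], enc[16:]
    ctr = Counter.new(128, initial_value=int.from_bytes(iv, byteorder="big"))
    cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
    try:
        return cipher.decrypt(body)
    except ValueError:
        return None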

def isPrintable(b: bytes) -> bool:
    """Return True when ``b`` is valid UTF-8.

    Despite the name this only tests decodability: control bytes such as
    NUL decode fine and are accepted; only malformed UTF-8 is rejected.
    """
    try:
        b.decode()
    except UnicodeDecodeError:
        return False
    return True


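def brute_force_key(
    xored_key: bytes,
    enc: Optional[bytes] = None,
    *,
    max_key: int = 2_147_483_648,
) -> Optional[bytes]:
    """Recover the AES key by searching the counter seed used by ``xor_string``.

    Args:
        xored_key: the 16 masked key bytes taken from the capture.
        enc: IV-prefixed AES-CTR ciphertext used to validate candidates;
            defaults to the challenge blob embedded below.
        max_key: exclusive upper bound of the seed search (2**31 by default).
            NOTE: ``xor_string`` masks the seed to 32 bits, so seeds in
            [2**31, 2**32) are never tried with the default bound.

    Returns:
        The first candidate that is 16 ASCII alphanumerics and decrypts
        ``enc`` to valid UTF-8, or None (after printing a message) if the
        search is exhausted.
    """
    if enc is None:
        enc_b64 = "QllpQVtOWU5fRlVWXF9LQbP96KXlOv6w8Ij0NocWw43Sn2eKCKbbrdzQvEOHFeGkWwyF6HI/8mnIvJDLT7s6CNUr1PuWY3G1IAsZW/VzMmBHPeyObC/l9GfNaQoKntLhQ7jvCGg4MYrbifRwyIN3XFWRBk0S+K3StdoUOpmDsw8y"
        enc = base64.decodebytes(enc_b64.encode())
    for seed in range(max_key):
        candidate = xor_string(xored_key, seed)
        if not is_valid_key(candidate):
            continue
        plaintext = decrypt(candidate, enc)
        # decrypt() returns None on a ValueError; treat that as a miss rather
        # than letting isPrintable(None) raise.
        if plaintext is None or not isPrintable(plaintext):
            continue
        return candidate
    print("No valid key found.")
    return None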

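if __name__ == "__main__":
    # Masked key bytes as extracted from the capture.
    xored_aes_key = base64.b64decode('opO2j7SMi7iSsoqVh5uZpA==')
    recovered_aes_key = brute_force_key(xored_aes_key)
    print("AES Key: ", recovered_aes_key)
    # brute_force_key() returns None when the search is exhausted; stop here
    # instead of handing None to decrypt().
    if recovered_aes_key is None:
        raise SystemExit(1)
    # IV-prefixed AES-CTR ciphertext (same blob brute_force_key validates against).
    enc = "QllpQVtOWU5fRlVWXF9LQbP96KXlOv6w8Ij0NocWw43Sn2eKCKbbrdzQvEOHFeGkWwyF6HI/8mnIvJDLT7s6CNUr1PuWY3G1IAsZW/VzMmBHPeyObC/l9GfNaQoKntLhQ7jvCGg4MYrbifRwyIN3XFWRBk0S+K3StdoUOpmDsw8y"
    enc = base64.decodebytes(enc.encode())
    print(decrypt(recovered_aes_key, enc))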