# decrypt then eval ## Description This server decrypts user input and evaluates it. Please use your magical malleability mastership to retrieve the flag! ```python= #!/usr/bin/env python3 from Crypto.Cipher import AES import os KEY = os.urandom(16) IV = os.urandom(16) FLAG = os.getenv('FLAG', 'DUCTF{testflag}') def main(): while True: ct = bytes.fromhex(input('ct: ')) aes = AES.new(KEY, AES.MODE_CFB, IV, segment_size=128) try: print(eval(aes.decrypt(ct))) except Exception: print('invalid ct!') if __name__ == '__main__': main() ``` ## Solvers * [name=wupo] ## Solution https://pycryptodome.readthedocs.io/en/latest/src/cipher/classic.html#cfb-mode The difficulty here is, that we need to provide an ecrpyted piece of python code, before we can access the key (KEY) and initialization vector (IV). To get a better understanding of what a valid input looks like, we define a fixed KEY and IV constant. ```python= from Crypto.Cipher import AES KEY = b'\xf5\x8c\xfbd\xad@U\xfc\xc7\xb39\x85\xff\x19\xf8\xfa' IV = b'\xf5\x8c\xfbd\xad@U\xfc\xc7\xb39\x85\xff\x19\xf8\xfa' FLAG = 'DUCTF{fake_flag}' def main(): while True: ct = bytes.fromhex(input('ct: ')) aes = AES.new(KEY, AES.MODE_CFB, IV, segment_size=128) try: print(eval(aes.decrypt(ct))) except Exception: print('invalid ct!') if __name__ == '__main__': main() ``` https://en.wikipedia.org/wiki/Malleability_(cryptography) https://en.wikipedia.org/wiki/File:BlockcipherModesofOperation.png https://pycryptodome.readthedocs.io/en/latest/src/cipher/classic.html#cfb-mode https://cryptanalysis.tymyrddin.dev/docs/notes/aes