Monday, January 7, 2013

SANS Holiday Challenge 2012 Zone 3 Writeup

Zone 3

Using the URLs obtained in the previous post, we can access Zone 3 for both Heat and Snow Miser. Let's see if we can obtain the URLs for Zone 4.


Heat Miser

Connecting to Zone 3 for Heat Miser, we are presented with the following:


In the description for this Zone, we are given a link to Zone 4 (that was easy!). For consistency, we'll consider this the end of the zone, and pick back up in the next post since we will technically be aiming to retrieve the link for Zone 5. We have a bit of work to do for Snow Miser, anyways.

Snow Miser

Connecting to Zone 3 for Snow Miser, we are presented with the following:


This challenge required a bit of thinking. In the Zone description, we are told that "those of you with access to Zone 4 should have received an encryption key. This key can be used to decrypt the URL for Zone 4." So, right off the bat, we know that we need to acquire or enumerate an encryption key.

We are also told that we can "verify [our] key" by encrypting the original Zone 4 URL with our key, and seeing if we retrieve the appropriate ciphertext. If so, we can decrypt the other given ciphertext to retrieve the new Zone 4 URL.

With that being said, how do we retrieve the encryption key? Or do we even need the key? A hint was given in the challenge description questions. The description asks "On Snow Miser's Zone 3 page, why is using the same key multiple times a bad idea?" This question tells us for sure that the same key was used to encrypt both the original and new Zone 4 URLs. So, we are given one plaintext URL, and two ciphertexts.

Having these three elements allows us to perform a Stream Cipher Attack. Let's take a look at how this attack pertains to our situation, where we are looking for the new URL N. Our given information is as follows:

  • "Old" plaintext URL for Zone 4, O
  • Ciphertext of old URL Co, which is O xor K
  • Ciphertext of new URL Cn, which is N xor K

One of the main properties of the xor operation is that it is its own inverse: the same key can be used to encrypt or decrypt a message. The xor operation is also commutative and associative, so the two key terms cancel out: (Co xor Cn) = (O xor K) xor (N xor K) = (O xor N). Therefore, we can perform the Stream Cipher Attack by computing (Co xor Cn) to get (O xor N), and then computing (O xor N) xor O to get our desired N, without ever recovering K itself. This will be our new URL. Here is the Python implementation of this:

 >>> cipher1 = '20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b3132d83abb1683df619238'   # Co = O xor K
 >>> cipher2 = '20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849'   # Cn = N xor K
 >>> plaintext1 = 'zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B'   # O, the old Zone 4 URL
 >>> plaintext2 = ''
 >>> key = []   # holds (Co xor Cn) = (O xor N) byte by byte; the real key K is never needed
 >>> for i in range(0,len(cipher1),2):   # walk the hex strings two characters (one byte) at a time
 ...   key.append(int(cipher1[i:i+2],16) ^ int(cipher2[i:i+2],16))
 ...
 >>> for i in range(0,len(plaintext1)):   # (O xor N) xor O = N
 ...   plaintext2 = plaintext2 + chr(ord(plaintext1[i]) ^ key[i])
 ...
 >>> plaintext2
 'zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33'

We can use this URL to gain access to Zone 4.
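The same attack as a stand-alone Python 3 script, added here as an example (it is not the challenge's or the original post's code, and the function names are my own). It uses the three values from the Zone page above and adds the "verify your key" step the Zone description mentions: the keystream K is recovered as Co xor O, then checked by re-encrypting both O and the recovered N and comparing against the two given ciphertexts.

```python
# Values from the Zone 3 page: old URL O, its ciphertext Co, and the new URL's ciphertext Cn.
CIPHER_OLD = "20d916c6c29ee53c30ea1effc63b1c72147eb86b998a25c0cf1bf66939e8621b3132d83abb1683df619238"
CIPHER_NEW = "20d916c6c29ee54343e81ff1b14c1372650cbf19998f51b5c51bf66f49ec62184034a94fc9198fa9179849"
PLAINTEXT_OLD = "zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise xor. zip() stops at the shorter input, so only the
    overlapping prefix is produced when the lengths differ."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(cipher_hex: str, plaintext: str) -> bytes:
    """K = Co xor O: with one known plaintext the keystream falls straight out."""
    return xor_bytes(bytes.fromhex(cipher_hex), plaintext.encode())


def recover_new_url(cipher_old_hex: str, cipher_new_hex: str, plaintext_old: str) -> str:
    """N = (Co xor Cn) xor O, the two-ciphertext path used in the writeup."""
    co = bytes.fromhex(cipher_old_hex)
    cn = bytes.fromhex(cipher_new_hex)
    return xor_bytes(xor_bytes(co, cn), plaintext_old.encode()).decode()


def verify_keystream(keystream: bytes, plaintext: str, cipher_hex: str) -> bool:
    """The 'verify your key' check from the Zone description: re-encrypt and compare."""
    return xor_bytes(keystream, plaintext.encode()).hex() == cipher_hex


if __name__ == "__main__":
    k = recover_keystream(CIPHER_OLD, PLAINTEXT_OLD)
    n = recover_new_url(CIPHER_OLD, CIPHER_NEW, PLAINTEXT_OLD)
    print("keystream K:", k.hex())
    print("new URL N:  ", n)
    # Both ciphertexts must verify under the same K; that is exactly what key reuse gives away.
    print("K verified against both ciphertexts:",
          verify_keystream(k, PLAINTEXT_OLD, CIPHER_OLD) and verify_keystream(k, n, CIPHER_NEW))
```

Because zip() stops at the shorter input, only the bytes covered by the reused portion of the keystream are recovered when the two ciphertexts differ in length; here both are 43 bytes, matching the 43-character URL.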

The Stream Cipher Attack may be a bit difficult to understand on the surface. Let me know if you have any questions or comments below.

As always, please don't hesitate to leave comments or suggestions below. Solve this Zone a different way? Let me know!

- Jordan