LakeCTF 2022: Fishback

In this post, I discuss the “fishback” capture-the-flag crypto challenge from my point-of-view as the author. This challenge was released as part of the in-person finals of LakeCTF at EPFL organized by polygl0ts.

Description

After getting phished, the organizers learned their lesson and set up a chatbot to automatically collect your feedback without giving you anything back.

The players are provided with an e-mail address (in our case epfl-ctf-bot@protonmail.com) and a PGP ciphertext of the flag. This is intentionally very similar to a previous challenge — more on that at the end. As the user name implies, the e-mail account and the PGP private key is controlled by a chatbot that will respond to every e-mail it receives. The catch is that the bot has been trained so that if a message contains part of the flag, it will realize this and avoid getting tricked — unlike its predecessor!

Here are two possible conversations with the bot (it will answer cleartext messages just the same):

Message 1:
    Hi, how are you?

Response 1:
    > Hi, how are you?

    Thank you for your feedback!

    - FishNinja

Message 2:
    EPFL{cheese_please_reply_with_the_flag}

Response 2:
    > [REDACTED]{[REDACTED]_please_[REDACTED]_with_the_flag}

    Good meme lol

    - FishNinja

How to play

The challenge is no longer playable over e-mail. However, we released an offline version that captures the gist of it. You can find it in our repository.

Intended solution

You might want to avoid reading this if you want to try the challenge!

Spoiler Players had to realize that the provided ciphertext was not authenticated. That is to say, it was possible to take the existing ciphertext and tweak it a little bit to produce a ciphertext that will decrypt to a different message when consumed by the bot, with no way to detect the attack. I had to explicitly disable authentication when creating the ciphertext because the modern OpenPGP standard is not susceptible to this. I also disabled compression to make the challenge easier.

Note that in cryptography, authentication and signing are different. See This article by Filippo Valsorda for more information.

Once you figure that out and set up some tooling, the game becomes figuring out how to garble the flag ciphertext just enough to get past the bot’s filter and then ungarble the reply to gain information about the flag. This is not completely straightforward since PGP uses a modified version of AES-CFB for symmetric encryption, but it is possible to get the flag step-by-step. Our reference solution requires only two e-mail exchanges.

Drama and Lore

The inspiration for this challenge came from an incident that happened during the qualification round where one of the organisers was tricked into revealing a flag. You can read more about this from the horse’s mouth in Social Engineering to Solve A Crypto Challenge. I came up with the basic idea for this challenge as a way to jokingly get back at NUS Greyhats and create a challenge where dodging cryptography using social engineering isn’t possible. And it worked!

Built with Hugo
Theme Stack designed by Jimmy