13 Oct 2013

ebCTF: CRY100 “Classic”

We found some crypto ciphers on our attic. Can you decipher all text and put together the flag?

This challenge was meant to be a simple task, but one that required a lot of work. It gave you six encrypted messages which you needed to decrypt to get parts of the key.

We found some information about the Klomp:

W yzrqc az o ghcu ivbe avi Jshkiedhbho. Yzrqcwu ova kvrpr xlsx yzcjw.
Nhwfstwadxrdf 3 amhzwrr cspfw kt yoszhlb ens adhr whql usou. Xuwf ova gcoh gzycycv cxx gzl Bipvsupnfkg. E hofji csyh sb hvh qnjrsx eg trv ggbfmoh gryiwuwvo. Vcziiwy gsis Rxxpz wsslzs, seelpqyhofoc ssyaing, advxwa uenrsqiek hbh cofgiawyg wpwzo arsy hlaa trv rnlfczom xwr. Gbhwers wlr lvivegh lrqmzhvu, yzrqcwu qej ps ishfk pioh wq pbuhz xkcz vlbhz orz uouhrf jsrpsfv.
Xuw afezwhlsass oph-kcrhrf Kixyv qostk ooza pshr bxmwgeozoc nujfizwhhh nk zojahm vlbwz kmpv hki PW tovg obg gnf dwxdghdrq ssasoh oqc cwusxnohlsa auqpqrwqk fzhft kpxhggk hbh ycbfialyoxar ofmqk. Aviu ofh eplbophm gdjrj avej ghhiyuhdtar dusgwjhmrs gksrk pb wkas fmeubawpobfif, sz hla kcrh pjhqoo fowlrj avej rsqxf au sbpfspi nujwhabhv, eydvkmju sdwl jlasroz rj gzl qpku oqh aga qsjhwqyrv wfiogiui bf avi pcsv fl los (izus rj) gzl gxasz qsfw.Zcqa ct wlr Vbhgd ozvs pgugmzsf zinjpbk yzcjw nk ismju vheylom jkf hki jwhfing' thig.
Auhinsgwmay mogp, hvh oygtd mo ozvs ewsoxar hr xuw dcvz goesgsns. Xds Tuiauo ksnr trv xdvat eg gdfbl. Mfijqv zseclfw svc ziew ysthoqhh oq togdwbhw gzycaar o npbew wr pvs pepzpbi pc puinc ph.
Cki sdvawk msqfghps los jefgw tnja cj pvs ipny: lpGPT{62o

This was a Vigenère cipher with the key WOODENSHOE. There were two ways to get the key: analyzing the text with a tool like Cryptool, or using a known-plaintext attack, since the text was copied directly from Wikipedia. Decrypted, it gave the following text:

a klomp is a clog from the netherlands. klompen are whole feet clogs.
approximately 3 million pairs of klompen are made each year. they are sold through out the netherlands. a large part of the market is for tourist souvenirs. however some dutch people, particularly farmers, market gardeners and gardeners still wear them for everyday use. outside the tourist industry, klompen can be found best in local tool shops and garden centers.
the traditional all-wooden dutch clogs have been officially accredited as safety shoes with the ce mark and can withstand almost any penetration including sharp objects and concentrated acids. they are actually safer than steelcapped protective shoes in some circumstances, as the wood cracks rather than dents in extreme accidents, allowing easy removal of the clog and not continued pressure on the toes by the (edge of) the steel nose.some of the dutch also consider wearing clogs as being healthy for the wearers' feet.
interesting fact, the klomp is also related to the word sabotage. the french word for klomp is sabot. french workers who were replaced by machines throwed a klomp in the machine to break it.
you earned yourself the first part of the flag: ebctf{62a
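The known-plaintext route mentioned above, as an added example that is not part of the original write-up: subtracting the Wikipedia sentence from the first ciphertext line yields the keystream, and its shortest repeating prefix is the key. The function names are chosen here for illustration.

```python
from itertools import cycle

# First line of the challenge ciphertext and the matching plaintext sentence,
# both copied from this page.
CIPHER = "W yzrqc az o ghcu ivbe avi Jshkiedhbho. Yzrqcwu ova kvrpr xlsx yzcjw."
KNOWN = "a klomp is a clog from the netherlands. klompen are whole feet clogs."


def keystream(cipher: str, plain: str) -> str:
    """Per-letter key K = (C - P) mod 26; non-letters consume no key."""
    out = []
    for c, p in zip(cipher, plain):
        if c.isalpha() and p.isalpha():
            out.append(chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("A")))
    return "".join(out)


def shortest_period(stream: str) -> str:
    """Smallest prefix that, repeated, reproduces the whole keystream."""
    for n in range(1, len(stream) + 1):
        if all(ch == stream[i % n] for i, ch in enumerate(stream)):
            return stream[:n]
    return stream


def vigenere_decrypt(cipher: str, key: str) -> str:
    """Decrypt, keeping case and punctuation; the key advances on letters only."""
    shifts = cycle(ord(k) - ord("A") for k in key.upper())
    out = []
    for c in cipher:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base - next(shifts)) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def recover_key() -> str:
    return shortest_period(keystream(CIPHER, KNOWN))


if __name__ == "__main__":
    key = recover_key()
    print(key)
    print(vigenere_decrypt(CIPHER, key))
```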

The second part of the key could be found in the ADFGVX encrypted message. To make it easier, part of the message was already decrypted.


We found the following encoded message to protect some 'cargo'.

VDFXXVFGAXAFVVDAFFXXFDXXXGXVVVDGAVGFFGFVGVXGFGFVFVGVGXGGXDFFAGXVAXFGFFDAVGFGGDVVAVVGDXGDGAAV
GXDVFDDVDVFAVDFGFFDXDAGADAGFVDDGGXFVDVVFXGGVFAVDXXFXXVGVGGFXFXVVDGAGAVDXXAXAFFXGXVDAVFVXFGXF
FXAVFGXVVVVVFVXFVXXGFVVVAFDDDGXGAADVXAGXXDAFGADXDXDFDXVGXVVGGGGVGGGXDVDDVFGVVVFFVAFVDGDFXDGX
DVVDDAVVGAFDVXVGGVXGFDXDVXXXXXDAGGXADXGGGVDGDAVVXFVDFFXDGGFGDVDVDVFVGGXDFVGXDVAADADVVGDVXGXX
DXAFDVAVVDDGVFXGVAXXGXVVDGFGFXXDFAGDFGFVFDAFVXGVVXAVGFFVVADAFVXVDVXVAXFGVGFFFAGAGVGDDDXAADVV
XGGFFXVGXVXXFAGXGFDADDAFGFDAXGAFFDGXVXGAGVVDVXGVXXGVVVXFGGVVGAXX

We were able to partially decode the header. Can you decode the rest:

Shipping order

from: bram bloemendaal (Phone: 0123456789)
to: joris verhoven

The ADFGVX cipher first uses a substitution cipher to replace each letter with a pair of the letters A, D, F, G, V, X. It then applies a transposition that moves columns around. In this case the transposition key was given: it was ‘cargo’. You could also brute-force it, like the guys from Hexpresso did.
After reversing the transposition, you can substitute most of the message using the plaintext already given, and you end up with the second part of the key: bc1c09
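The two steps described above, as an added example that is not the author's solver: undo the columnar transposition with the key ‘cargo’, then learn the pair-to-letter mapping from known plaintext at the start of the message. It assumes the usual ADFGVX convention (columns written out in alphabetical key order, leftmost columns holding the remainder); the square and the sample message are constructed, and only the key and the names come from the page.

```python
SYMBOLS = "ADFGVX"


def undo_transposition(cipher: str, key: str) -> str:
    """Rebuild the row-wise symbol stream from column-wise ciphertext."""
    ncols = len(key)
    rows, extra = divmod(len(cipher), ncols)
    # Columns were written out in alphabetical order of the key letters.
    order = sorted(range(ncols), key=lambda i: (key[i], i))
    cols, pos = [""] * ncols, 0
    for i in order:
        length = rows + (1 if i < extra else 0)  # leftmost columns hold the remainder
        cols[i] = cipher[pos:pos + length]
        pos += length
    return "".join(col[r] for r in range(rows + 1) for col in cols if r < len(col))


def learn_pairs(stream: str, crib: str) -> dict:
    """Map symbol pairs to letters using known plaintext at the start."""
    return {stream[2 * i:2 * i + 2]: ch for i, ch in enumerate(crib)}


def apply_pairs(stream: str, table: dict) -> str:
    """Substitute the known pairs; unknown pairs are shown as '?'."""
    return "".join(table.get(stream[i:i + 2], "?") for i in range(0, len(stream), 2))


def adfgvx_encrypt(plain: str, key: str, square: str) -> str:
    """Reference encryptor, used only to build the constructed sample."""
    stream = "".join(SYMBOLS[square.index(c) // 6] + SYMBOLS[square.index(c) % 6]
                     for c in plain)
    order = sorted(range(len(key)), key=lambda i: (key[i], i))
    return "".join(stream[i::len(key)] for i in order)


# Constructed sample: the square and the message are made up for this example.
SQUARE = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE = adfgvx_encrypt("shippingordertojorisverhoven", "cargo", SQUARE)

if __name__ == "__main__":
    stream = undo_transposition(SAMPLE, "cargo")
    table = learn_pairs(stream, "shippingorder")
    print(apply_pairs(stream, table))  # letters outside the crib print as '?'
```

The remaining '?' positions are then filled in by hand or from the layout of the square once enough pairs are known.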

The third part of the flag seemed to be the hardest. The BASE64 part was easy, but after decoding it you only end up with a large amount of data. Using xortool you can easily find out whether this data is possibly XOR-ed. Let’s try it with ‘\x00’ as the most probable character.

$ python xortool.py cry100.3 -c "\x00"
The most probable key lengths:
1: 13.0%
5: 16.3%
8: 12.5%
10: 13.1%
15: 10.8%
20: 9.0%
25: 7.9%
30: 6.4%
35: 5.8%
40: 5.2%
Key-length can be 5*n
1 possible key(s) of length 5:
tulip
Found 0 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

The key tulip seems to be very promising.


$ file xortool_out/0.out
xortool_out/0.out: JPEG image data, JFIF standard 1.01

And indeed, we have found a JPEG image, which displays a Tulip and the third part of the key.

The fourth part of the key was a short one.


A short one:

thhneu hpeitr eafnw frleo otata uoghb rfirf ttseo

The solution is a simple transposition cipher, if we place all the words underneath each other we can read the solution from top to bottom, from left to right.


A short one:

thhneu
hpeitr
eafnw
frleo
otata
uoghb
rfirf
ttseo

The fourth part of the flag is nine three two A B 4

The fifth part of the message is a substitution cipher.


S fbnnbh niwzsed nstd oj rbqdiuhdqw iw zgsz zgd Hdzgdqyshtw ydusyiadt zgd mwd br fshhsoiw sht bzgdq qdfqdszibhsy wbrz tqmuw. Sffbqtihu zgd ysp shj mwd br tqmuw iw wziyy iyydusy, omz zgdqd iw s zbydqshfj kbyifj fsyydt udtbbuodydit rbq shj wbrz tqmuw. Zgiw iw s wdz br umitdyihdw zdyyihu kmoyif kqbwdfmzbqw mhtdq pgifg fiqfmnwzshfdw brrdhtdqw wgbmyt hbz od kqbwdfmzdt. Sffbqtihu zb fmqqdhz udtbbuodydit zgd kbwwdwwibh br s nslinmn snbmhz br rixd uqsnw fshhsoiw rbq kdqwbhsy mwd iw hbz kqbwdfmzdt. Fmyzixszibh iw zqdszdt ih s winiysq psj. Fmyzixszibh br 5 kyshzw bq ydww iw mwmsyyj hbz kqbwdfmzdt pgdh zgdj sqd qdhbmhfdt oj zgd fmyzixszbq. Wb ir jbm fbnd zb zgd Hdzgdqyshtw sht pshz zb zqj wbnd qdfqdszibhsy mwd br wbrz tqmuw, odpsqd zgsz iz iw hbz ydusy. Zgd rirzg ksqz rbq zgd rysu iw so1rtd

You can solve this by using Cryptool to analyze it against common English words, or by guessing that the text probably ends with ‘The fifth part for the flag is’.


A common mistake made by foreigners is that the netherlands legalized the use of cannabis and other recreational soft drugs. According the law any use of drugs is still illegal, but there is a tolerancy policy called Gedoogbeleid for any soft drugs. This is a set of guidelines telling public prosecutors under which circumstances offenders should not be prosecuted. According to current Gedoogbeleid the possession of a maximum amount of five grams cannabis for personal use is not prosecuted. Cultivation is treated in a similar way. Cultivation of 5 plants or less is usually not prosecuted when they are renounced by the cultivator. So if you come to the Netherlands and want to try some recreational use of soft drugs beware that it is not legal. The fifth part for the flag is ab1fde


An easy one to end with:

Xli Hipxe Asvow mw e wivmiw sj gsrwxvygxmsr tvsnigxw mr xli wsyxlaiwx sj xli Rixlivperhw xs tvsxigx e pevki evie sj perh evsyrh xli Vlmri-Qiywi-Wgliphx hipxe jvsq xli wie. Xli asvow gsrwmwx sj heqw, wpymgiw, psgow, hmoiw, piziiw, erh wxsvq wyvki fevvmivw. Xli emq sj xli heqw, wpymgiw, erh wxsvq wyvki fevvmivw aew xs wlsvxir xli Hyxgl gsewxpmri, xlyw vihygmrk xli ryqfiv sj hmoiw xlex leh xs fi vemwih.
Epsrk amxl xli Dymhivdii Asvow, Hipxe Asvow lezi fiir higpevih sri sj xli Wizir Asrhivw sj xli Qshivr Asvph fc xli Eqivmger Wsgmixc sj Gmzmp Irkmriivw. Xli pewx tevx sj xli jpek mw: sri-jmzi-j-xlvii-jsyv-}

The last cipher was a Caesar cipher with a key of 4. An easy one to end with. All parts combined gave you the complete flag: ebCTF{62abc1c096bb166932ab4ab1fde15f34}
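Parts four and six both end in a spelled-out flag fragment, so one added example (not from the original write-up) covers the column read of the "short one" and the Caesar shift of 4, then converts the digit words to characters. The helper names are chosen here for illustration.

```python
from itertools import zip_longest

# Both ciphertexts are copied from the challenge text on this page.
PART4 = "thhneu hpeitr eafnw frleo otata uoghb rfirf ttseo"
PART6 = "Xli pewx tevx sj xli jpek mw: sri-jmzi-j-xlvii-jsyv-}"
DIGITS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
          "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def read_columns(groups: str) -> str:
    """Stack the groups as rows and read top to bottom, left to right."""
    rows = groups.split()
    return "".join("".join(col) for col in zip_longest(*rows, fillvalue=""))


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` (negative to decrypt); keep everything else."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def spelled_to_fragment(text: str) -> str:
    """Turn digit words into digits; any other character is kept as is."""
    out, i = [], 0
    while i < len(text):
        word = next((w for w in DIGITS if text.startswith(w, i)), None)
        out.append(DIGITS[word] if word else text[i])
        i += len(word) if word else 1
    return "".join(out)


def part4_fragment() -> str:
    return spelled_to_fragment(read_columns(PART4).split("flagis", 1)[1])


def part6_fragment() -> str:
    plain = caesar(PART6, -4)
    return spelled_to_fragment(plain.split("is: ", 1)[1].replace("-", ""))
```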
