Cryptography
Easy
100 points

Baby Pad

Recuite 2025 - HCMUS
October 6, 2025
Padding Oracle
AES-CBC
Cryptanalysis

Baby Pad - Write-up

Challenge Information

  • Category: Cryptography
  • Difficulty: Medium - Hard
  • Vulnerability: Padding Oracle Attack on AES-CBC

Overview

This challenge implements an AES-CBC encryption oracle with a critical vulnerability: the server leaks information about padding validity. This is a classic Padding Oracle attack.

Vulnerability: Padding Oracle

Server provides:

  1. Encrypted flag (IV prepended)
  2. Oracle service to decrypt any ciphertext
  3. Crucially, a response that indicates whether the padding of the submitted ciphertext is valid

Response from oracle:

  • Valid padding → "Message received!"
  • Invalid padding → "Can't read that"

Mathematical Analysis

CBC Mode Decryption

P[i] = Decrypt_key(C[i]) ⊕ C[i-1]

Attack Principle

By controlling IV (or previous ciphertext block), we can manipulate the plaintext after decryption to create valid padding, thereby recovering the entire plaintext one byte at a time.

Exploitation Strategy

Byte-by-Byte Recovery Algorithm

For each ciphertext block C[i]:
    intermediate[16] = empty array
    
    For byte_pos from 15 down to 0:
        padding_value = 16 - byte_pos  # 1, 2, 3, ..., 16
        
        # Set known bytes to create valid padding
        For k from (byte_pos+1) to 15:
            fake_iv[k] = intermediate[k] ⊕ padding_value
        
        # Brute force current byte
        For guess from 0 to 255:
            fake_iv[byte_pos] = guess
            
            If oracle(C[i], fake_iv) returns True:
                intermediate[byte_pos] = guess ⊕ padding_value
                break
    
    # Recover plaintext block
    plaintext = intermediate ⊕ C[i-1]

Complexity Analysis

  • Queries per byte: Average ~128 (worst case 256)
  • Queries per block: ~2048 (16 bytes × 128)
  • Total for flag: ~6000-8000 queries (totally feasible!)

Flag

BPCTF{Just_a_simple_padding_oracle_attack_to_warm_up_49fab148518a}

Key Takeaways

Defense Strategy

  1. Never leak padding validity - return the same generic error for every decryption failure
  2. Use authenticated encryption - AES-GCM or ChaCha20-Poly1305
  3. Constant-time operations - even timing can leak information
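As an added example, not part of the write-up, the byte-by-byte algorithm above run against a local simulation of the challenge's oracle, next to a hardened oracle that checks a MAC before it ever looks at padding (standing in for the authenticated encryption recommended above); the same recovery loop then receives one answer for every query and learns nothing. The AES block decryption is replaced by a keyed-hash stand-in because the recovery code never inverts it, and the key, MAC key and message are constructed for the demo.

```python
import hashlib, hmac, secrets
BLOCK = 16
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def block_decrypt(key, c):
    # Constructed stand-in for AES block decryption (a keyed hash, NOT AES). The
    # attack never inverts D_key; it relies only on P[i] = D(C[i]) xor C[i-1].
    return hashlib.sha256(key + c).digest()[:BLOCK]

def pkcs7_valid(p): return 1 <= p[-1] <= BLOCK and p.endswith(bytes([p[-1]]) * p[-1])

def cbc_encrypt(key, pt):
    # Ciphertext is built right-to-left so the CBC relation holds for any D_key.
    pt += bytes([BLOCK - len(pt) % BLOCK]) * (BLOCK - len(pt) % BLOCK)
    chain = [secrets.token_bytes(BLOCK)]                      # C[n]
    for p in reversed([pt[i:i + BLOCK] for i in range(0, len(pt), BLOCK)]):
        chain.append(xor(block_decrypt(key, chain[-1]), p))   # C[i-1] = D(C[i]) xor P[i]
    chain.reverse()                                           # [IV, C[1], ..., C[n]]
    return chain[0], b"".join(chain[1:])

def leaky_oracle(key):
    # Vulnerable server: "Message received!" vs "Can't read that" is exactly this boolean.
    return lambda iv, blk: pkcs7_valid(xor(block_decrypt(key, blk), iv))

def authenticated_oracle(key, mac_key):
    # Hardened server (encrypt-then-MAC): a tampered (iv, blk) fails the tag check
    # before padding is ever examined, so every forged query gets the same answer.
    return lambda iv, blk, tag=b"": hmac.compare_digest(
        tag, hmac.new(mac_key, iv + blk, "sha256").digest()) and leaky_oracle(key)(iv, blk)

def recover_block(oracle, prev, blk):
    inter, fake = bytearray(BLOCK), bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        fake[pos + 1:] = bytes(b ^ pad for b in inter[pos + 1:])  # known bytes -> pad value
        for g in range(256):
            fake[pos] = g
            if oracle(bytes(fake), blk):
                if pos == BLOCK - 1:                    # last byte: rule out a chance \x02\x02 hit
                    fake[pos - 1] ^= 0xFF
                    if not oracle(bytes(fake), blk): continue
                inter[pos] = g ^ pad
                break
        else:
            raise ValueError("oracle never accepted a guess: nothing leaks")
    return xor(inter, prev)

def recover_all(oracle, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(recover_block(oracle, p, c) for c, p in zip(blocks, [iv] + blocks))
```

Against leaky_oracle the loop returns the padded plaintext after roughly 128 queries per byte; against authenticated_oracle it raises ValueError on the very first byte, which is the behaviour the defense items above are meant to produce.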

Intrusion Insights

  • Padding oracle attacks are still relevant after 20+ years
  • A single bit of information leak can break the entire encryption system
  • CBC mode without authentication is very dangerous
  • Modern encryption needs to use AEAD modes
