from pwn import *
import base64
import string
# nc chall.bsidesalgiers.com 5002
# Connection to the challenge's encryption oracle. It is opened at module
# import time (not under the __main__ guard below), so importing this file
# already has a network side effect.
r = remote('chall.bsidesalgiers.com', 5002)
# Plaintext recovered so far; the attack loop in __main__ appends one
# solved block at a time.
pt = ""
# AES block size in bytes. Declared for reference only: the code below
# hard-codes 16 and 32 (hex characters per block) instead of reading it.
blocksize = 16
def enc(s):
    """Send *s* to the remote oracle and return its reply as a hex string.

    The reply is read after the next ``': '`` prompt, base64-decoded and
    re-encoded as hex, so callers can compare ciphertext blocks by slicing
    the returned string (32 hex characters per 16-byte block).
    Uses the module-level connection ``r``.
    """
    r.sendline(s)
    r.recvuntil(': ')
    reply = r.recvline().decode().strip()
    raw = base64.b64decode(reply)
    return raw.hex()
if __name__ == '__main__':
    # Leftovers from the TEST block below: `pl` is reassigned inside the
    # attack loop and `key` is never read.
    pl = 'A'*15
    key = ''
    """ TEST
    r.recvuntil(': ')
    got = enc(pl)
    c1 = got[:32]
    print(got)
    print(c1)
    for i in range(ord('!'),ord('~')+1):
    # r.recvuntil(': ')
    got = enc(pl + chr(i))
    c2 = got[:32]
    print(i)
    if c1==c2:
    print(chr(i), i)
    break
    """
    """ THE ATTACK
    https://amritabi0s.wordpress.com/2017/09/18/csaw-quals-2017-babycrypt-writeup/
    """
    # Candidate characters tried for each unknown byte (includes whitespace
    # and the newline character, which the check below filters out).
    alphs = string.printable
    # One outer iteration per 16-byte ciphertext block, at most 10 blocks;
    # `b` collects the characters recovered for the current block.
    for k in range(10):
        b = ""
        for i in range(1,17):
            # Filler shrinks by one byte per step so that a different
            # unknown byte becomes the last byte of block k each time.
            # NOTE(review): this presumes the oracle appends its secret to
            # the submitted text — confirm against the challenge service.
            pl = "A"*(16-i)
            # r.recvuntil(': ')
            # Discard whatever the server has already sent before querying.
            r.recv()
            # Reference ciphertext, truncated to the first k+1 blocks.
            g1 = enc(pl)
            g1 = g1[:32+k*32]
            print("String sent: ",pl)
            # for j in range(ord('!'),ord('~')+1):
            for j in alphs:
                # print(j)
                # Same filler, everything recovered so far and one guess,
                # truncated to the same k+1 blocks. Equal truncations mean
                # the guessed block encrypted to the same ciphertext — the
                # ECB property (equal plaintext blocks give equal ciphertext
                # blocks) that this challenge is built around.
                g2 = enc(pl+pt+b+j)
                g2 = g2[:32+k*32]
                # Newline (10) and NUL (0) are never accepted as a recovered
                # byte; presumably because sendline() would cut the query
                # at them, though the oracle's handling is not visible here.
                if g1 == g2 and ord(j)!=10 and ord(j)!=0:
                    print(ord(j), j)
                    b += j
                    # '}' ends the flag: print and stop. Only `pt` plus the
                    # brace is printed here, not the rest of `b` for this
                    # block; those characters appear in the per-byte
                    # prints above.
                    if j=="}":
                        print(pt+j,end="")
                        exit()
                    break
            # print("LAGGED!!!")
        # Block k done: append it and show the plaintext recovered so far.
        pt += b
        print(pt)
    # shellmates{I_though_AES_w4s_m1l1tary_gr4de_encryp7ion_1n_al1_m0des}