BITSCTF 2026 - Super DES - Cryptography Writeup

372 words

2 minutes

BITSCTF 2026 - Super DES - Cryptography Writeup

2026-02-22

Writeup

CTF

/

Security

/

Cryptography

Category: Cryptography

Flag: BITSCTF{5up3r_d35_1z_n07_53cur3}

Challenge Description#

Given server.py. Remote: nc 20.193.149.152 1340. Description: “I heard triple des is deprecated, so I made my own.”

The server generates random k1 at startup, then lets us choose k2 and k3:

1
def triple_des_ultra_secure_v1(pt, k2, k3):
2
    return E_k1(E_k2(E_k3(pad(pt))))
3

4
def triple_des_ultra_secure_v2(pt, k2, k3):
5
    return D_k1(E_k2(E_k3(pad(pt))))

(k2 == k3 is blocked, but k2 != k3 is allowed.)

Analysis#

DES has semi-weak key pairs such that $E_{k_a}(E_{k_b}(x)) = x$ for specific distinct key pairs. One valid pair:

k2 = 01FE01FE01FE01FE
k3 = FE01FE01FE01FE01

So in ultra_secure_v1: $C_{flag} = E_{k1}(E_{k2}(E_{k3}(pad(flag)))) = E_{k1}(pad(flag))$

Solution#

Use semi-weak pair to collapse encryption to $C_{flag} = E_{k1}(pad(flag))$ . Then for arbitrary k2, k3, if we pick plaintext so that $pad(pt) = D_{k3}(D_{k2}(C_{flag}))$ , querying ultra_secure_v2 gives $D_{k1}(C_{flag}) = pad(flag)$ .

The practical caveat: we must brute-force random (k2,k3) until $D_{k3}(D_{k2}(C_{flag}))$ has valid PKCS#7 structure.

File used: solve_super_des.py

1
# !/usr/bin/env python3
2
from pwn import remote
3
from Crypto.Cipher import DES
4
from Crypto.Util.Padding import unpad
5
from Crypto.Random import get_random_bytes
6

7
HOST, PORT = "20.193.149.152", 1340
8

9
def adjust_key(key8: bytes) -> bytes:
10
    out = bytearray()
11
    for b in key8:
12
        b7 = b & 0xFE
13
        ones = bin(b7).count("1")
14
        out.append(b7 | (ones % 2 == 0))
15
    return bytes(out)
16

17
def wait_k2_prompt(io):
18
    io.recvuntil(b"enter k2 hex bytes >")
19

20
def query(io, k2: bytes, k3: bytes, option: int, mode: int, pt_hex: str | None = None) -> bytes:
21
    wait_k2_prompt(io)
22
    io.sendline(k2.hex().encode())
23
    io.recvuntil(b"enter k3 hex bytes >")
24
    io.sendline(k3.hex().encode())
25

26
    io.recvuntil(b"enter option >")
27
    io.sendline(str(option).encode())
28

29
    io.recvuntil(b"enter option >")
30
    io.sendline(str(mode).encode())
31

32
    if mode == 2:
33
        io.recvuntil(b"enter hex bytes >")
34
        io.sendline(pt_hex.encode())
35

36
    line = io.recvline_contains(b"ciphertext")
37
    return bytes.fromhex(line.decode().split(":", 1)[1].strip())
38

39
def main():
40
    io = remote(HOST, PORT)
41

42
    # Step 1: semi-weak pair so E_k2(E_k3(x)) = x
43
    k2w = bytes.fromhex("01FE01FE01FE01FE")
44
    k3w = bytes.fromhex("FE01FE01FE01FE01")
45

46
    # Cflag = E_k1(pad(flag))
47
    cflag = query(io, k2w, k3w, option=2, mode=1)
48
    print(f"[+] Cflag ({len(cflag)} bytes): {cflag.hex()}")
49

50
    # Step 2: find k2,k3 where D_k3(D_k2(cflag)) is valid PKCS#7
51
    attempts = 0
52
    while True:
53
        attempts += 1
54
        k2 = adjust_key(get_random_bytes(8))
55
        k3 = adjust_key(get_random_bytes(8))
56
        if k2 == k3:
57
            continue
58

59
        pre = DES.new(k3, DES.MODE_ECB).decrypt(DES.new(k2, DES.MODE_ECB).decrypt(cflag))
60
        try:
61
            chosen_pt = unpad(pre, 8)
62
        except ValueError:
63
            continue
64

65
        print(f"[+] Found valid candidate after {attempts} attempts")
66

67
        # Step 3: v2 returns pad(flag)
68
        out = query(io, k2, k3, option=3, mode=2, pt_hex=chosen_pt.hex())
69
        flag = unpad(out, 8)
70
        print(f"[+] Flag bytes: {flag}")
71
        print(f"[+] Flag: {flag.decode()}")
72
        break
73

74
    io.close()
75

76
if __name__ == "__main__":
77
    main()

Run:

1
python3 solve_super_des.py

Output:

1
[+] Cflag (40 bytes): 72922fe6db8bbc21825f1f3a5a9d336e82ef77555946655ed1529579670aab074df19b7d7a35e007
2
[+] Found valid candidate after 6 attempts
3
[+] Flag bytes: b'BITSCTF{5up3r_d35_1z_n07_53cur3}'
4
[+] Flag: BITSCTF{5up3r_d35_1z_n07_53cur3}