BITSCTF 2026 - Super DES | kudaliar's blog

Challenge Overview

Category: Cryptography Objective: Exploit a flaw in a custom Triple DES encryption oracle to recover the secret key and decrypt the flag.

The server allows us to:

Choose k2 and k3 (both 8-byte DES keys with odd parity)
Select one of three encryption modes
Either encrypt the flag or encrypt our own plaintext

Key Observations

k1 is fixed throughout the session but unknown to us.
ultra_secure_v1: $E_{k1}(E_{k2}(E_{k3}(pt)))$ - Triple encryption (EEE mode).
ultra_secure_v2: $D_{k1}(E_{k2}(E_{k3}(pt)))$ - Decrypt with secret key as outer operation!

1. Vulnerability

The critical vulnerability lies in triple_des_ultra_secure_v2:

$\text{Output} = D_{k1}(E_{k2}(E_{k3}(\text{pad}(pt, 8))))$

Since we control k2, k3, and the input pt, we can make $E_{k2}(E_{k3}(\text{pad}(pt, 8)))$ equal any value we want. This effectively gives us a decryption oracle for the secret key $k_1$ !

2. Exploitation Strategy

Attack Flow

Get encrypted flag using ultra_secure_v1 with our chosen keys $k_2$ , $k_3$ : $C_1 = E_{k1}(E_{k2}(E_{k3}(F)))$ where $F = \text{pad}(\text{flag}, 8)$
Find auxiliary keys $k_2'$ , $k_3'$ such that $D_{k_3'}(D_{k_2'}(C_1))$ ends with PKCS7 padding \x01:
- This allows us to strip the last byte and send 15 bytes to the oracle.
- The server will re-add the padding, resulting in exactly the value we want.
Use ultra_secure_v2 as decryption oracle:
- Send $P = D_{k_3'}(D_{k_2'}(C_1))[:-1]$ (15 bytes).
- Server pads it back to 16 bytes with \x01.
- Server returns $C_2 = D_{k1}(C_1) = E_{k2}(E_{k3}(F))$ .
Recover the flag using the known keys $k_2$ , $k_3$ : $F = D_{k_3}(D_{k_2}(C_2))$ Then unpad to get the flag.

Why the Padding Trick?

The server always pads input with pad(pt, 8). To send exactly the value we want to the decryption oracle, we need to work around this padding. By finding keys where $D_{k_3'}(D_{k_2'}(C_1))$ ends with \x01:

We strip that byte (15 bytes remain).
The server adds \x01 back (16 bytes, original value restored).
The decryption oracle gives us exactly $D_{k1}(C_1)$ .

3. Exploit Code

1
#!/usr/bin/env python3
2
from Crypto.Cipher import DES
3
from Crypto.Util.Padding import unpad
4
from pwn import remote
5

6
def adjust_key(key8: bytes) -> bytes:
7
    out = bytearray()
8
    for b in key8:
9
        b7 = b & 0xFE
10
        ones = bin(b7).count("1")
11
        out.append(b7 | (ones % 2 == 0))
12
    return bytes(out)
13

14
def des_encrypt(key, data):
15
    cipher = DES.new(key, DES.MODE_ECB)
16
    return cipher.encrypt(data)
17

18
def des_decrypt(key, data):
19
    cipher = DES.new(key, DES.MODE_ECB)
20
    return cipher.decrypt(data)
21

22
def exploit():
23
    io = remote("20.193.149.152", 1340)
24

25
    # Step 1: Choose arbitrary k2, k3 and get encrypted flag
26
    k2_raw = b'\x01' * 8
27
    k3_raw = b'\x02' * 8
28
    k2 = adjust_key(k2_raw)
29
    k3 = adjust_key(k3_raw)
30

31
    io.recvuntil(b"enter k2 hex bytes >")
32
    io.sendline(k2.hex().encode())
33
    io.recvuntil(b"enter k3 hex bytes >")
34
    io.sendline(k3.hex().encode())
35
    io.recvuntil(b"4. exit")
36
    io.sendline(b"2")  # ultra secure v1
37
    io.recvuntil(b"enter option >")
38
    io.sendline(b"1")  # encrypt flag
39

40
    io.recvuntil(b"ciphertext : ")
41
    c1 = bytes.fromhex(io.recvline().strip().decode())
42
    print(f"[*] C1 = {c1.hex()}")  # C1 = E_k1(E_k2(E_k3(F)))
43

44
    # Step 2: Find k2', k3' where D_k3'(D_k2'(C1)) ends with 0x01
45
    print("[*] Brute-forcing auxiliary keys...")
46
    for i in range(256):
47
        for j in range(256):
48
            k2p = adjust_key(bytes([i] * 8))
49
            k3p = adjust_key(bytes([j] * 8))
50
            x = des_decrypt(k3p, des_decrypt(k2p, c1))
51
            if x[-1:] == b'\x01':
52
                p_full, k2p, k3p = x, k2p, k3p
53
                print(f"[*] Found keys at ({i}, {j})")
54
                break
55
        else:
56
            continue
57
        break
58

59
    # Step 3: Use ultra_secure_v2 as decryption oracle
60
    p = p_full[:-1]  # Strip the padding byte
61

62
    io.recvuntil(b"enter k2 hex bytes >")
63
    io.sendline(k2p.hex().encode())
64
    io.recvuntil(b"enter k3 hex bytes >")
65
    io.sendline(k3p.hex().encode())
66
    io.recvuntil(b"4. exit")
67
    io.sendline(b"3")  # ultra secure v2
68
    io.recvuntil(b"enter option >")
69
    io.sendline(b"2")  # encrypt own text
70
    io.recvuntil(b"enter hex bytes >")
71
    io.sendline(p.hex().encode())
72

73
    io.recvuntil(b"ciphertext : ")
74
    c2 = bytes.fromhex(io.recvline().strip().decode())[:len(c1)]
75
    print(f"[*] C2 = {c2.hex()}")  # C2 = D_k1(C1) = E_k2(E_k3(F))
76

77
    # Step 4: Decrypt using known k2, k3
78
    flag = unpad(des_decrypt(k3, des_decrypt(k2, c2)), 8)
79
    print(f"[+] Flag: {flag.decode()}")
80
    io.close()
81

82
if __name__ == "__main__":
83
    exploit()

4. Flag

BITSCTF{5up3r_d35_1z_n07_53cur3}