$ Crypto: Aliens Eat Snacks

BITSCTF 2026 By TaklaMan
Flag: BITSCTF{7h3_qu1ck_br0wn_f0x_jump5_0v3r_7h3_l4zy_d0g}

Important Observations

  • aes.py is not standard AES:
    • Custom S-box (x^23 in GF(2^8), then XOR 0x63)
    • Only 4 rounds (ROUNDS = 4) instead of 10/12/14
  • output.txt contains:
    • key_hint: 26ab77cadcca0ed41b03c8f2e5 (26 hex chars = 13 bytes)
    • encrypted_flag: ...
    • 1000 known plaintext/ciphertext samples
  • Since the AES key size is 16 bytes and the hint is 13 bytes, likely only 3 bytes are missing.

Attack Strategy

  1. Parse one known (plaintext, ciphertext) pair from samples.
  2. Assume key layout: key = key_hint || unknown_3_bytes.
  3. Brute-force the missing 24 bits (2^24 possibilities).
  4. For each candidate:
    • Build 16-byte key.
    • Encrypt the known plaintext using the provided AES implementation.
    • Compare with known ciphertext.
  5. On match, recover full key and decrypt encrypted_flag block-by-block.
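
The search in steps 2-4, as an added example that is not the author's solver. `toy_encrypt_block` is a SHA-256-based stand-in (an assumption) for the challenge's aes.py, which is not reproduced here; the known pairs and the suffix 000137 are constructed so the block runs offline.

```python
import hashlib

KEY_HINT = bytes.fromhex("26ab77cadcca0ed41b03c8f2e5")  # 13 known key bytes (key_hint)


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the challenge cipher (assumption): a keyed 16-byte function."""
    return hashlib.sha256(key + block).digest()[:16]


def recover_key(hint, pairs, encrypt_block, key_len=16):
    """Search key = hint || suffix; return the key matching every known pair, else None."""
    missing = key_len - len(hint)
    if not 0 < missing <= 3:
        raise ValueError(f"refusing to search {missing} unknown bytes")
    (pt0, ct0), rest = pairs[0], pairs[1:]
    for n in range(256 ** missing):
        key = hint + n.to_bytes(missing, "big")
        # One block encryption per candidate: the known pair is the oracle
        if encrypt_block(key, pt0) != ct0:
            continue
        # Confirm against the remaining pairs to rule out a chance match
        if all(encrypt_block(key, p) == c for p, c in rest):
            return key
    return None


def demo():
    # Constructed data: the page's hint plus a made-up 3-byte suffix
    secret = KEY_HINT + bytes.fromhex("000137")
    pts = [b"known plaintext1", b"known plaintext2"]
    pairs = [(p, toy_encrypt_block(secret, p)) for p in pts]
    return recover_key(KEY_HINT, pairs, toy_encrypt_block)


if __name__ == "__main__":
    print(demo().hex())
```

Against the real challenge, the block-encrypt function from the provided aes.py would be passed as `encrypt_block` and the pairs would come from output.txt.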

Why This Works

  • 24-bit key space is small enough for practical brute force.
  • The provided known pair gives a direct, exact validation oracle.
  • The reduced-round/custom AES design is beside the point once key leakage (key_hint) is this large; the search only uses the cipher as a black box.

Recovered Key and Flag

  • Recovered key:
    • 26ab77cadcca0ed41b03c8f2e5cdec0c
  • Decrypted plaintext:
    • BITSCTF{7h3_qu1ck_br0wn_f0x_jump5_0v3r_7h3_l4zy_d0g}
    • Followed by 0x0c padding bytes (PKCS#7-like padding)