Juice-shop: Use standard openssl tool for Premium Paywall challenge

Created on 8 Dec 2017  路  11Comments  路  Source: bkimminich/juice-shop

The Premium Paywall challenge currently uses a third party web service to encrypt/decrypt the flag.

I suggest to use standard openssl instead. This way, users can better understand what algorithm including the mode of operation is actually used, without relying on the third party web service.

I will start working on a PR.

challenge

All 11 comments

There are some things to consider.

  • https://aesencryption.net/ currently defaults to CBC with a static IV of 1234567890123456.
  • This allows to get reproducible cipher texts with repeating encryption runs
  • There are no clues in the JuiceShop yet that point to these defaults.

Thus, I would suggest the following

  • use openssl
  • still use a static IV
  • but give a hint to the IV in the premium.key file
  • with the hint, the user also has the chance to derive that CBC is probably the correct mode
  • Encryption
    openssl enc -e -aes-256-cbc -in plaintext -a -A -K EA99A61D92D2955B1E9285B55BF2AD42 -iv 1337

  • Decryption
    openssl enc -d -aes-256-cbc -in ciphertext -a -A -K EA99A61D92D2955B1E9285B55BF2AD42 -iv 1337

Where did you get the IV data? :D it was the missing piece for some recovery I was doing

@irbian: You mean from the original challenge? The PHP source code on the page mentions it.

protected function getIV() {
        return '1234567890123456';
         //return mcrypt_create_iv(mcrypt_get_iv_size($this->cipher, $this->mode), MCRYPT_RAND);
         return openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->method));
     }

@bkimminich I think I will do another PR and increase the IV size to the block size of AES. Afaik this is how the spec requires it to be.

But using it not as specified is a nice example of using good crypto in the wrong way! I could make this an extra challenge or extend the existing "Wrong crypto" challenge accordingly...

On the other hand, exposing the IV along with the key is bad practice enough, I suppose... ;-)

So, @ingben, feel free to send that PR! One idea for that one: Maybe instead of making it _trivial_ with the current

key = EA99A61D92D2955B1E9285B55BF2AD42
iv = 1337

you could do it slightly more obscured, like {iv}.{key} or {iv}#{key}, so the file contains

1234567890123456.EA99A61D92D2955B1E9285B55BF2AD42

or

1234567890123456#EA99A61D92D2955B1E9285B55BF2AD42

Sorry, been kind of busy. Will look into this shortly.

Don't worry, no rush.

Note: The next version of Juice Shop will be 7.x, so it'd be totally fine if the change is incompatible w/ the way the challenge previously worked.

Finally made the update #450. I would really like to add a new crypto challenge. No cool idea yet, though...

This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.

Was this page helpful?
0 / 5 - 0 ratings