On connecting to the server, the following text is shown:

```
$ nc challenge.ctf.games 32315
NINA: Hello! I found a flag, look!
dc0de91facbe90ee6f652167906ee0d17123cf9e746a63db4b4e7d93040f59331ead9be0b2fe
NINA: But I encrypted it with a very special nonce, the same length as the flag! I heard people say this encryption method is unbreakable! I'll even let you encrypt something to prove it!! What should we encrypt?
```

I tried various inputs, but nothing struck until I typed a flag from the another challenge as input.

```
flag{e04f962d0529a4289a685112bfldcdd3}
NINA: Ta-daaa!! I think this is called a 'one' 'time' 'pad' or something?
dc0de91face292ed3f3f7337c368b4d02c26cdce7d3537df40497c9b5509063c4aafceb5e3fe
NINA: Isn't that cool!?! Want to see it again?
Sorry, I forget already what was it you wanted to see again?
```

The first few characters of the ciphertext of the flag and the input I gave are very similar. So there has to be some common value.

After a while, my notice went towards the words **One time pad**. Immediately went to Google and find out possible solutions.

I was reminded of an attack called the **Known Plaintext Attack** which I had learnt in a network security class last year.

If the ciphertext and its corresponding plaintext is known, the one time pad can easily be retrieved by XORing the plaintext and ciphertext.

Having only learnt the theory to this, I wasn't sure how to actually XOR two values of different lengths and encodings (plaintext is in ascii, ciphertext is in hex).

I found a writeup for a very similar CTF challenge in my searches - CR2-Many time secrets - AlexCTF 2017.

This particular writeup used a tool called cribdrag, which includes a python script called xorstrings.py. This is exactly what I needed to complete this challenge.

I modified xorstrings.py by changing the parameters (`s1`

and `s2`

) to the plaintext and ciphertext respectively.

```
s1 = "dc0de91face292ed3f3f7337c368b4d02c26cdce7d3537df40497c9b5509063c4aafceb5e3fe".decode('hex')
s2 = "flag{e04f962d0529a4289a685112bfldcdd3}"
s3 = sxor(s1, s2)
# python2 syntax
print s3.encode('hex')
```

Running this returns the one-time-pad as output.

```
$ python xorstrings.py
ba618878d787a2d959064505a75881e21547f9fc450c56e9787c4daa676b60502eccaad1d083
```

Then I modified xorstrings.py again, this time changing the parameters to the one time pad and the flag's ciphertext, saved it as xorstrings1.py.

```
s1 = "ba618878d787a2d959064505a75881e21547f9fc450c56e9787c4daa676b60502eccaad1d083".decode('hex')
s2 = "dc0de91facbe90ee6f652167906ee0d17123cf9e746a63db4b4e7d93040f59331ead9be0b2fe".decode('hex')
s3 = sxor(s1, s2)
# python2 syntax
print s3
```

Running this returns the flag for the challenge!

```
$ python xorstrings1.py
flag{9276cdb76a3dd6b1f523209cd9c0a11b}
```

Flag: `flag{9276cdb76a3dd6b1f523209cd9c0a11b}`

## More writeups from HacktivityCon CTF 2021