Neon Core — HackTheBox

Description

Deep within the Neon Lab research facility, a classified blueprint has been encrypted using a mysterious cipher. Rumors whisper that the encryption scheme has a critical flaw, one that could allow someone skilled enough to unravel its secrets.

The server implements a custom block cipher over GF(257) with 16-byte blocks represented as 4×4 matrices. It provides:

1. Encryption oracle — encrypt arbitrary plaintext messages
2. Encrypted flag — the ciphertext of the secret blueprint

Cipher Structure

• Field: GF(257) (prime field, elements 0–256)
• S-box: S(x) = x³ applied element-wise to the 4×4 plaintext matrix
• S-box inverse: S_inv(x) = x¹⁷¹ (since 3·171 = 513 ≡ 1 mod 256, and |GF(257)*| = 256)
• Encryption: C = K · S(M) · L + T where K, L, T are secret random 4×4 matrices over GF(257)
• Key generation: entries are random in [0, 15], but this doesn't affect the attack

Analysis

Vulnerability: Element-wise S-box Before Linear Mixing

The critical flaw is that the S-box is applied element-wise to the plaintext matrix before the linear transformation K·_·L+T. This means changing a single byte at position (i,j) in the plaintext only affects entry (i,j) of S(M). The resulting ciphertext difference is a rank-1 matrix — the outer product of column i of K and row j of L:

ΔC = C_modified - C_base = δ · K[:,i] ⊗ L[j,:]

where δ = S(modified_byte) - S(base_byte) in GF(257).

Why Rank-1?

...