Protocol Analysis 4: Real Security!
metactf
Task: a protocol challenge uses attacker-provided symmetric encryption parameters inside an Alice-to-Bob request, and the live service accepts a slightly different string than the PDF shows. Solution: query Alice to recover the exact accepted text, choose a known key and nonce, send them directly to Bob, then decrypt the returned ciphertext with the utility endpoint.
Description
The protocol manual describes an Alice-to-Bob request for sending the flag encrypted under a symmetric key and nonce.
The challenge provides a protocol PDF and a live service. The important twist is that the request Bob actually accepts is not exactly the wording visible in the PDF, so we first need to recover Alice's real message from the service and then abuse Bob's trust in attacker-chosen key material.
Summary
This challenge is a broken secure-channel design. Alice's first message includes a symmetric key and nonce, and Bob blindly trusts those values when encrypting the flag. By querying /alice with any syntactically valid placeholder such as t:hi, we learn the exact string Bob will accept, including the typo symetric. We can then talk to Bob directly, choose our own known key and nonce, receive the ciphertext, and decrypt it with /util/sym_decrypt.
Recon
The shared manual explains the protocol shape, but the live service is stricter than the visible PDF text: the accepted string must match Alice's real output exactly.
Sending any syntactically valid placeholder message to /alice, for example t:hi, causes Alice to reveal her actual first message:
t:Hello|n:bob|t:this is|n:alice|t:send me the flag encrypted under this symetric key and nonce|k:<key>|d:<nonce>
The critical detail is the typo: the accepted request contains symetric, not symmetric. The text also has to be exactly send me the flag encrypted under this symetric key and nonce.
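As an added illustration (not code from the writeup or the challenge service), here is a parser for the pipe-delimited tag:value message format shown above, a Bob that trusts the k:/d: fields the way the challenge describes, and a Bob that refuses peer-supplied key material and encrypts under a key it holds itself. The HMAC-SHA256 keystream cipher, the hex encoding of k:/d:, the flag value and the pre-shared SERVER_KEY are all assumptions; the page does not say which cipher the service uses.

```python
import hashlib
import hmac
import secrets

# Exact request text Bob accepts, typo included (taken from Alice's real message).
EXPECTED_TEXT = "send me the flag encrypted under this symetric key and nonce"
FLAG = b"flag{constructed_sample_value}"          # constructed, not the real flag
SERVER_KEY = secrets.token_bytes(32)              # assumption: key shared with Alice out of band


def parse_msg(msg: str) -> dict:
    """Split 'tag:value|tag:value|...' into {tag: [values in order]}.
    Repeated tags (t:, n:) are common, so every tag maps to a list."""
    fields: dict = {}
    for record in msg.split("|"):
        tag, _, value = record.partition(":")
        fields.setdefault(tag, []).append(value)
    return fields


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def bob_vulnerable(msg: str) -> bytes:
    """Mirrors the flaw: whatever key and nonce the sender put in the message are used."""
    fields = parse_msg(msg)
    if EXPECTED_TEXT not in fields.get("t", []):
        raise ValueError("unexpected request text")
    key = bytes.fromhex(fields["k"][0])      # attacker-chosen, so the attacker can decrypt
    nonce = bytes.fromhex(fields["d"][0])
    return keystream_xor(key, nonce, FLAG)


def bob_hardened(msg: str) -> tuple:
    """Key material never travels in the request: reject k:/d:, use the held key
    and a fresh nonce, and return (nonce, ciphertext) so a legitimate peer can decrypt."""
    fields = parse_msg(msg)
    if EXPECTED_TEXT not in fields.get("t", []):
        raise ValueError("unexpected request text")
    if "k" in fields or "d" in fields:
        raise ValueError("peer-supplied key material rejected")
    nonce = secrets.token_bytes(16)
    return nonce, keystream_xor(SERVER_KEY, nonce, FLAG)


def accepts(handler, msg: str) -> bool:
    """True if handler processes msg without raising; used to compare the two Bobs."""
    try:
        handler(msg)
        return True
    except ValueError:
        return False
```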
Vulnerability
...