Protocol Analysis 9: Oracle
metactf
Task: analyze a live certificate-based protocol where Bob returns a nested ciphertext meant for Alice and recover the hidden flag. Solution: abuse Alice's infinite final state as a decryption and re-encryption oracle to unwrap Bob's outer blob and then the inner flag ciphertext.
Description
Final challenge. In this one, Alice will stay in her last recv-send state infinitely. Can you get the flag?
English summary: the service exposes a live certificate-based Alice/Bob protocol at https://protocols.live. Bob sends a flag protected inside nested ciphertexts for Alice, and the goal is to recover it without Alice's private key by exploiting the protocol logic.
Analysis
The relevant protocol behavior is:
- Alice sends pubA, alice, and certA.
- Bob replies with pubB, bob, certB, and an outer ciphertext encrypted to Alice.
- That outer ciphertext contains two fields: the inner ciphertext of the flag encrypted to Alice, and Bob's name.
- Alice's final receive/send state loops forever instead of terminating.
In practice, this turns Alice into a reusable decryption + re-encryption oracle.
If we send Alice a certified message under our own identity, she will:
- decrypt attacker-controlled ciphertext addressed to Alice;
- parse the resulting plaintext as d:<something>|n:<recipient>;
- decrypt the nested d: payload if needed as part of her normal state handling; and
- re-encrypt the resulting plaintext to the public key named in the attacker-supplied certified identity.
That behavior is fatal because Bob's secret is wrapped as nested ciphertexts for Alice. Since Alice never leaves her final state, we can ask her to peel one layer, then a second layer, and have each plaintext re-encrypted to Mallory.
Conceptually, Bob sends:
C_outer = Enc_A(d:Enc_A(flag)|n:bob)
So the challenge is really a chosen-ciphertext oracle attack caused by bad protocol state management.
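The oracle behaviour described above, as an added symbolic model (not code from the challenge or from the original writeup). Ciphertexts are tagged objects rather than real encryption, Alice is assumed to peel one layer per query, and the max_rounds and bind_name hardening switches are assumptions introduced here to show which checks stop the unwrap.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext: only the named recipient can open it."""
    to: str
    body: object

def dec(who, blob):
    if not isinstance(blob, Enc) or blob.to != who:
        raise ValueError("not a ciphertext for " + who)
    return blob.body

class Alice:
    """Model of Alice's final recv-send state (details assumed)."""
    def __init__(self, max_rounds=None, bind_name=False):
        self.max_rounds = max_rounds  # None: loops forever, as in the challenge
        self.bind_name = bind_name    # True: n: must equal the certified sender
        self.rounds = 0

    def final_state(self, certified_sender, blob):
        if self.max_rounds is not None and self.rounds >= self.max_rounds:
            raise RuntimeError("session finished")
        self.rounds += 1
        plain = dec("alice", blob)
        if self.bind_name:
            # Expect d:<something>|n:<recipient>, modelled as a (d, n) tuple.
            if not isinstance(plain, tuple) or plain[1] != certified_sender:
                raise PermissionError("n: does not match certified sender")
        # Reply is encrypted to whoever presented the certificate.
        return Enc(certified_sender, plain)

def unwrap_via_oracle(alice, c_outer, me="mallory"):
    """Replay Bob's blob through Alice; return what `me` ends up reading."""
    try:
        d, _n = dec(me, alice.final_state(me, c_outer))  # outer layer
        return dec(me, alice.final_state(me, d))         # inner layer
    except (RuntimeError, PermissionError, ValueError) as err:
        return "refused: " + type(err).__name__

FLAG = "FLAG{constructed-sample}"  # constructed value, not the real flag
C_OUTER = Enc("alice", (Enc("alice", FLAG), "bob"))  # Enc_A(d:Enc_A(flag)|n:bob)

if __name__ == "__main__":
    print(unwrap_via_oracle(Alice(), C_OUTER))
    print(unwrap_via_oracle(Alice(max_rounds=1, bind_name=True), C_OUTER))
```

Bounding the final state alone stops the second peel within one session; binding the n: field to the certified sender rejects the replayed blob on the first query.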
Solution
...