$ cat writeup.md…
$ cat writeup.md…
metactf
Task: analyze a live certificate-based protocol where Bob returns a nested ciphertext meant for Alice and recover the hidden flag. Solution: abuse Alice's infinite final state as a decryption and re-encryption oracle to unwrap Bob's outer blob and then the inner flag ciphertext.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
Final challenge. In this one, Alice will stay in her last recv-send state infinitely. Can you get the flag?
English summary: the service exposes a live certificate-based Alice/Bob protocol at https://protocols.live. Bob sends a flag protected inside nested ciphertexts for Alice, and the goal is to recover it without Alice's private key by exploiting the protocol logic.
The relevant protocol behavior is:
pubA, alice, and certA.pubB, bob, certB, and an outer ciphertext encrypted to Alice.In practice, this turns Alice into a reusable decryption + re-encryption oracle.
If we send Alice a certified message under our own identity, she will:
d:<something>|n:<recipient>;d: payload if needed as part of her normal state handling; andThat behavior is fatal because Bob's secret is wrapped as nested ciphertexts for Alice. Since Alice never leaves her final state, we can ask her to peel one layer, then a second layer, and have each plaintext re-encrypted to Mallory.
Conceptually, Bob sends:
C_outer = Enc_A(d:Enc_A(flag)|n:bob)
So the challenge is really a chosen-ciphertext oracle attack caused by bad protocol state management.
...