TL;DR: CBC padding oracle + Timing attack
It's known that AES-CBC encryption lacks integrity protection, which enables plenty of attacks: the BEAST attack, the bit-flipping attack, and the padding oracle attack, to name a few. In this challenge, an HMAC is therefore added to prevent these attacks. However, the HMAC check is performed in the wrong order, leading to another vulnerability that can be exploited to recover the whole plaintext.
First, let's have a look at the program control flow:
Following the AES decryption is the padding check. If the plaintext does not conform to the PKCS7 padding scheme, the program prints "Error!" and returns immediately, skipping the HMAC check below. If the padding check passes, it proceeds to the HMAC check.
What is strange about the HMAC check is that it computes the MAC 7777 times, which takes quite a long time (compared to other operations). This is very important: the server responds earlier when the padding format is wrong! Even if we modify the ciphertext and cannot pass the HMAC check, we can still learn something about the padding by measuring the time between sending the request and receiving the error message. This means that we can still mount the CBC padding oracle attack, using timing information to determine whether the padding is valid, to recover the whole plaintext.
As a proof of concept, we can modify the last byte of the given ciphertext, send it to the server, wait for the response, and measure the elapsed time.
0 70.09196281433105ms
1 70.53399085998535ms
2 69.60463523864746ms
3 69.52619552612305ms
4 69.27323341369629ms
5 70.07908821105957ms
6 69.80299949645996ms
7 68.9241886138916ms
8 69.86689567565918ms
9 70.0218677520752ms
10 69.83304023742676ms
11 69.54693794250488ms
12 69.63682174682617ms
13 68.96018981933594ms
14 69.89383697509766ms
15 69.81396675109863ms
16 69.79799270629883ms
17 69.62990760803223ms
18 70.59693336486816ms
19 68.7570571899414ms
20 70.01614570617676ms
21 71.58613204956055ms
22 69.67687606811523ms
23 70.24788856506348ms
24 70.34873962402344ms
25 68.82596015930176ms
26 70.24884223937988ms
27 69.83399391174316ms
28 69.77486610412598ms
29 70.89710235595703ms
30 70.37115097045898ms
31 69.18001174926758ms
32 70.0368881225586ms
33 69.98920440673828ms
34 69.58699226379395ms
35 69.64588165283203ms
36 69.84615325927734ms
37 69.04888153076172ms
38 69.9009895324707ms
39 69.23413276672363ms
40 69.81611251831055ms
41 69.3662166595459ms
42 70.04308700561523ms
43 68.99905204772949ms
44 69.53096389770508ms
45 69.51212882995605ms
46 69.97418403625488ms
47 70.04594802856445ms
48 70.81174850463867ms
49 70.72091102600098ms
50 70.04404067993164ms
51 70.35183906555176ms
52 69.09012794494629ms
53 70.61100006103516ms
54 69.31304931640625ms
55 69.67592239379883ms
56 69.90909576416016ms
57 69.69690322875977ms
58 70.35112380981445ms
59 69.64898109436035ms
60 69.82088088989258ms
61 69.87905502319336ms
62 70.13297080993652ms
63 70.09410858154297ms
64 69.69332695007324ms
65 69.40603256225586ms
66 69.43988800048828ms
67 69.66495513916016ms
68 70.52278518676758ms
69 69.92793083190918ms
70 69.11587715148926ms
71 69.67806816101074ms
72 70.2211856842041ms
73 69.36502456665039ms
74 69.56076622009277ms
75 69.92602348327637ms
76 70.62816619873047ms
77 70.29509544372559ms
78 69.15593147277832ms
79 69.39506530761719ms
80 70.15490531921387ms
81 69.85187530517578ms
82 68.98307800292969ms
83 69.87786293029785ms
84 69.92626190185547ms
85 70.00184059143066ms
86 70.07217407226562ms
87 70.29986381530762ms
88 69.75913047790527ms
89 70.77765464782715ms
90 70.05906105041504ms
91 71.7778205871582ms
92 70.05906105041504ms
93 70.64676284790039ms
94 68.76277923583984ms
95 70.2219009399414ms
96 70.08576393127441ms
97 69.85807418823242ms
98 70.01590728759766ms
99 70.22285461425781ms
100 180.69005012512207ms
101 69.83518600463867ms
102 70.1439380645752ms
103 71.72298431396484ms
104 70.45340538024902ms
105 71.0899829864502ms
106 70.53184509277344ms
107 70.10102272033691ms
108 69.14401054382324ms
109 70.33491134643555ms
110 70.01399993896484ms
111 69.7622299194336ms
112 70.1906681060791ms
113 69.98562812805176ms
114 69.03386116027832ms
115 69.86808776855469ms
116 70.0080394744873ms
117 69.95892524719238ms
118 69.54669952392578ms
119 69.60320472717285ms
120 69.14710998535156ms
121 70.83702087402344ms
122 70.15800476074219ms
123 69.50712203979492ms
124 71.26402854919434ms
125 70.20902633666992ms
126 70.58501243591309ms
127 69.97108459472656ms
128 69.41795349121094ms
129 69.48590278625488ms
130 70.12605667114258ms
131 69.40484046936035ms
132 69.14281845092773ms
133 70.16897201538086ms
134 69.89789009094238ms
135 70.23906707763672ms
136 70.46008110046387ms
137 68.94898414611816ms
138 69.93508338928223ms
139 69.61703300476074ms
140 70.23096084594727ms
141 70.30797004699707ms
142 69.58317756652832ms
143 69.10014152526855ms
144 70.19901275634766ms
145 70.30892372131348ms
146 69.86188888549805ms
147 69.87595558166504ms
148 69.19002532958984ms
149 69.69499588012695ms
150 70.01996040344238ms
151 70.00994682312012ms
152 70.35303115844727ms
153 70.52373886108398ms
154 69.59295272827148ms
155 69.29683685302734ms
156 71.21491432189941ms
157 70.50228118896484ms
158 69.96893882751465ms
159 70.08004188537598ms
160 69.11516189575195ms
161 69.79107856750488ms
162 69.80609893798828ms
163 69.49925422668457ms
164 70.98793983459473ms
165 72.09992408752441ms
166 69.33999061584473ms
167 70.1909065246582ms
168 69.7481632232666ms
169 70.10602951049805ms
170 70.22380828857422ms
171 69.8399543762207ms
172 69.9319839477539ms
173 70.18303871154785ms
174 70.10674476623535ms
175 70.19710540771484ms
176 70.6167221069336ms
177 70.35017013549805ms
178 69.74577903747559ms
179 69.66137886047363ms
180 69.41485404968262ms
181 70.11103630065918ms
182 70.12581825256348ms
183 69.88191604614258ms
184 70.80698013305664ms
185 70.19901275634766ms
186 69.10276412963867ms
187 70.59502601623535ms
188 69.28896903991699ms
189 69.93484497070312ms
190 70.45412063598633ms
191 71.26903533935547ms
192 69.76008415222168ms
193 70.12629508972168ms
194 69.97394561767578ms
195 70.73187828063965ms
196 70.94883918762207ms
197 181.0009479522705ms
198 70.75691223144531ms
199 68.96805763244629ms
200 70.28388977050781ms
201 70.43600082397461ms
202 69.9000358581543ms
203 70.41525840759277ms
204 69.61917877197266ms
205 69.59795951843262ms
206 69.97394561767578ms
207 70.0218677520752ms
208 69.92912292480469ms
209 70.97697257995605ms
210 70.51491737365723ms
211 70.57595252990723ms
212 69.92101669311523ms
213 69.95010375976562ms
214 70.2199935913086ms
215 70.15705108642578ms
216 69.87810134887695ms
217 69.75793838500977ms
218 70.92499732971191ms
219 70.71685791015625ms
220 70.39403915405273ms
221 70.34516334533691ms
222 70.65320014953613ms
223 70.68395614624023ms
224 70.6629753112793ms
225 70.2371597290039ms
226 70.33896446228027ms
227 70.11890411376953ms
228 69.9777603149414ms
229 70.5718994140625ms
230 70.74785232543945ms
231 71.32077217102051ms
232 70.97792625427246ms
233 71.04992866516113ms
234 69.73099708557129ms
235 71.96784019470215ms
236 71.38299942016602ms
237 71.69389724731445ms
238 71.35796546936035ms
239 71.33984565734863ms
240 70.51491737365723ms
241 70.78814506530762ms
242 71.55394554138184ms
243 70.55902481079102ms
244 70.59574127197266ms
245 71.27094268798828ms
246 69.61321830749512ms
247 70.3740119934082ms
248 70.06311416625977ms
249 70.5111026763916ms
250 70.17922401428223ms
251 70.49012184143066ms
252 69.52881813049316ms
253 70.66702842712402ms
254 70.70207595825195ms
255 72.33285903930664ms
As we can see from the data above, when the padding check fails, the total time between sending the request and receiving the response is approximately 70ms, while it is about 180ms when the padding check passes. The time difference is 110ms, which is more than enough to exploit.
What is left to do is simply to implement the ordinary padding oracle attack to recover the admin's password, use it to log in to the system, and get the flag.
PS: The HMAC is intentionally calculated 7777 times to make exploitation easier for the player. In a real-world scenario, even if the HMAC is calculated only once, a timing attack is still feasible with techniques such as increasing the length of the ciphertext to make the HMAC calculation take longer, or applying statistical analysis to the timing measurements.
PPS: In fact, the AES part of this challenge is a case of Encrypt-then-MAC. The correct way to handle decryption is that, before any other operation, the HMAC MUST be checked first to detect any modification of the ciphertext. Only if the HMAC check passes can the decryption be done safely.
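The ordering rule from the PPS, as an added example (not the challenge's code): `open_flawed` reproduces the padding-then-HMAC order described above, `open_fixed` verifies the HMAC first, and `failure_stages` reports which check rejects each forged last byte. Assumptions: a message layout of IV || ciphertext || HMAC-SHA256 tag, and a small Feistel cipher standing in for AES so the block runs with the standard library only; all function names are illustrative.

```python
import hashlib, hmac, os
BS = 16  # block size, as in AES

def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(k, b, order):  # 4-round Feistel: stdlib-only stand-in for AES (assumption)
    l, r = b[:8], b[8:]
    for i in order:
        l, r = r, _xor(l, _h(k, bytes([i]) + r)[:8])
    return r + l  # final swap: decryption is the same routine, rounds reversed

def seal(ek, mk, pt):  # Encrypt-then-MAC; assumed layout: IV || CBC ciphertext || tag
    n = BS - len(pt) % BS
    pt, out = pt + bytes([n]) * n, [os.urandom(BS)]
    for i in range(0, len(pt), BS):
        out.append(_feistel(ek, _xor(pt[i:i + BS], out[-1]), range(4)))
    return b"".join(out) + _h(mk, b"".join(out))

def _cbc_unpad(ek, body):  # CBC-decrypt, then strict PKCS7 check
    pt = b"".join(_xor(_feistel(ek, body[i:i + BS], (3, 2, 1, 0)), body[i - BS:i])
                  for i in range(BS, len(body), BS))
    n = pt[-1] if pt else 0
    if not 1 <= n <= BS or pt[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return pt[:-n]

def open_flawed(ek, mk, msg):  # challenge order: padding first, MAC second
    pt = _cbc_unpad(ek, msg[:-32])  # early exit here is the timing oracle
    if not hmac.compare_digest(msg[-32:], _h(mk, msg[:-32])):
        raise ValueError("mac")
    return pt

def open_fixed(ek, mk, msg):  # MAC first: tampered bytes never reach the cipher
    if not hmac.compare_digest(msg[-32:], _h(mk, msg[:-32])):
        raise ValueError("mac")
    return _cbc_unpad(ek, msg[:-32])

def failure_stages(open_fn, ek, mk, msg):  # which check rejects each forgery?
    stages, pos = set(), len(msg) - 32 - BS - 1  # byte that controls the last pad byte
    for v in set(range(256)) - {msg[pos]}:
        try:
            open_fn(ek, mk, msg[:pos] + bytes([v]) + msg[pos + 1:])
        except ValueError as e:
            stages.add(str(e))
    return stages
```

With the flawed order the forgeries are rejected at two different stages, which is the distinction the timing measurements expose; with the fixed order every forgery fails at the MAC check.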
PPPS: Timing attacks are a prominent side-channel method for exploiting cryptographic flaws in the real world, though they are rarely encountered in CTFs.