kioubit.dn42 Crypto #2 Part 1 Write-up

At first glance

api/getSessionForUser?username=guest&is_guest=true

api/checkSolution?session=...&solution=...

{
  "Captcha": "🐈 + 44455",
  "SessionData": {
    "Encrypted": "tWY4tD...qGb9mdkz7",
    "Metadata": "JmNhcHRjaGFfaW5kZXg9OSZpc192ZXJpZmllZD1mYWxzZQ=="
  },
  "SessionDataHmac": "PGq09Z41GoVbhFr6fsoubxQHrSc7+wAlwubzYXPktCA="
}

&captcha_index=9&is_verified=false

try to get a session with is_guest=false.
tamper with is_verified in the metadata.
replace Captcha with a trivial one.

None of these worked.

the server responds with "You are only allowed to create guest sessions using this api endpoint".
MAC authentication failed.
whether the CAPTCHA is modified or not, the server returns Incorrect captcha solution.

captcha.js

Looking into the encryption scheme

Encrypted

username	Encrypted
`a`	`tWY4...c4z5rJtOHe7Mqm267...oSIL5wamyo4=`
`b`	`tWY4...c4z4zmzRkkePoAAFU...oSIL5wamyo4=`
`aa`	`tWY4...c4z4xyzyxFwktLoup...SL+TLJpOp6c=`
`aaaaaaaaaaaaaaaaaaaaaaaaaa`	`tWY4...c4zwQ...AnNWK...FYlLmh...`
`aaaaaaaaaaaaaaabaaaaaaaaaa`	`tWY4...c4zwQ...AnMvM...atjLmh...`

atWY4...c4z5rJtOHe7Mqm267...oSIL5wamyo4=btWY4...c4z4zmzRkkePoAAFU...oSIL5wamyo4=aatWY4...c4z4xyzyxFwktLoup...SL+TLJpOp6c=aaaaaaaaaaaaaaaaaaaaaaaaaatWY4...c4zwQ...AnNWK...FYlLmh...aaaaaaaaaaaaaaabaaaaaaaaaatWY4...c4zwQ...AnMvM...atjLmh...

The first block was the same for all usernames.
Some trailing blocks were identical when username length was the same.
Changing a part of the username only affected certain blocks.

prefix | username | suffix

Recovering the suffix

&source=web&solution=12513026260501710149&guest_account=true

Getting on the leaderboard

Request a fresh session for the scoreboard name.
Submit the value to checkSolution.

is_verified=trueapi/controlPanel

OK - Logged in as guest user
Congratulations. You partially solved the challenge!
Username: Iris
Your username has been added to the leaderboard

Edited on 2026-04-08