Flagvent 2025: Day 24

FV25.24 - XorMASS

Difficulty
easy

Categories
crypto

Description
Santa’s elves are busy making presents, but one of their most important tools is locked away in a safe. The only elf who knows the combination is on a mission delivering presents to the astronauts on the ISS. The elves know that the combination is in that elf’s notes, but the notes are encrypted. The connection between the North Pole and the ISS is very slow, so the key is arriving only one byte per day, so it will take 24 days for the full key to arrive. At this rate, the it wont arrive before Christmas Eve, and so the presents wont be ready. Help the elves decrypt the notes.

Author
villambarna

Solution

The only file we’re given is a data file: a binary blob containing arbitrary bytes.

From the challenge title, we assume we need to XOR these bytes to recover the original text. Unfortunately, brute forcing by XORing with every possible single byte (0–255) doesn’t yield anything useful. That suggests this isn’t a single-byte XOR and likely needs a multi-byte XOR using a key.

The challenge description mentions 24, which we predict is the key length.

To work out the actual key, we use xortool , which can analyse multi-byte XOR ciphers.

Let’s run the command, assuming a space is the most common character:

xortool -l 24 -c ' ' data

This gives us:

72 possible key(s) of length 24:
't5:istic$lx*r'r6a$i+g&g
't5:istic$lx*r'r6a$i+g5g
't5:istic$lx*r'r6a$i+ggg
't5:istic$lx*r'r6aki+g&g
't5:istic$lx*r'r6aki+g5g
...
Found 72 plaintexts with 95%+ valid characters
See files filename-key.csv, filename-char_used-perc_valid.csv

The suggested key isn’t quite right, but we can correct it pretty easily to: statisticalxorbreakinggg

Next, we decode the data using:

xortool-xor -f data -s "statisticalxorbreakinggg" > decoded.txt

This gives us:

MARLEY was dead, to begin with. There is no doubt whatever about
that.The register of his burial was signed by the clergyman, the clerk,
the undertaker, and the chief mourner. Scrooge signed it.And
Scrooge’s name  was good upon  ’Change, for anything he chose to put
his hand to.   The name of the three spirits, all lowercase, separated by commas gives you the code for the safe.
Old Marley was as dead as a door-nail.
Mind! I don’t mean to say that I know, of my own knowledge,
what there is particularly dead about a door-nail. I might have been
inclined, myself, to regard a coffin-nail as the deadest piece of
ironmongery in the trade.But the wisdom of our ancestors is in the
simile; and my unhallowed hands shall not disturb it, or the Country’s
done for. You will therefore permit me to repeat, emphatically, that
Marley was as dead as a door-nail.W}w &lbi0bm~cocefe/h(cq#$*4v/cev"j/j`<y]0CPy2[%\o&i@vtC2< :>B]M>o@:?

The first part of the decrypted text is lyrics from A Christmas Carol by Charles Dickens. In the middle, we see a clue: the names of the three spirits, all lowercase and separated by commas, give you the code for the safe.

We also see some extra bytes at the end of the output that aren’t decoded correctly with the XOR key.

So, using past,present,yet to come as a new XOR key, we try decoding the file again:

xortool-xor -f data -s "past,present,yet to come" > flag.txt

The end of the file now decodes correctly and produces:

The code for the safe is 1843,your flag:RlYyNXs0X0NocjFzdG00c19DNHIwbH0=

We Base64-decode this string to get our daily flag:

echo RlYyNXs0X0NocjFzdG00c19DNHIwbH0= | base64 -d

Flag:

FV25{4_Chr1stm4s_C4r0l}