Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Use standard openssl tool for Premium Paywall challenge

See original GitHub issue

The Premium Paywall challenge currently uses a third party web service to encrypt/decrypt the flag.

I suggest to use standard openssl instead. This way, users can better understand what algorithm including the mode of operation is actually used, without relying on the third party web service.

I will start working on a PR.

Issue Analytics

State:
Created 6 years ago
Comments:11 (9 by maintainers)

Top GitHub Comments

1reaction

bkimminichcommented, Dec 14, 2017

On the other hand, exposing the IV along with the key is bad practice enough, I suppose… 😉

So, @ingben, feel free to send that PR! One idea for that one: Maybe instead of making it trivial with the current

key = EA99A61D92D2955B1E9285B55BF2AD42
iv = 1337

you could do it slightly more obscured, like {iv}.{key} or {iv}#{key}, so the file contains

1234567890123456.EA99A61D92D2955B1E9285B55BF2AD42

1234567890123456#EA99A61D92D2955B1E9285B55BF2AD42

1reaction

ingbencommented, Dec 14, 2017

@irbian: You mean from the original challenge? The PHP source code on the page mentions it.

protected function getIV() {
        return '1234567890123456';
         //return mcrypt_create_iv(mcrypt_get_iv_size($this->cipher, $this->mode), MCRYPT_RAND);
         return openssl_random_pseudo_bytes(openssl_cipher_iv_length($this->method));
     }

Top Results From Across the Web

Use standard openssl tool for Premium Paywall challenge #419

This allows to get reproducible cipher texts with repeating encryption runs · There are no clues in the JuiceShop yet that point to...

bkimminich/juice-shop - Gitter

:wave: is the premium paywall challenge currently broken? no luck so far ... in a PR that uses a more standard tool (i.e....

Challenge solutions - Pwning OWASP Juice Shop

Use the bonus payload in the DOM XSS challenge. Solve the Perform a DOM XSS attack challenge; Turn on your computer's speakers! Paste...

security _check.docx - 1 Task 4 Unlock Premium Challenge to...

This is a cipher text that came out of an AES-encryption using AES256 in ... 6Task 4Premium Paywall: unblock Premium Challenge to access...

Pwning OWASP Juice Shop - GRIET SDC

description: 'O-Saft is an easy to use tool to show information about SSL ... Premium. Paywall. Unlock Premium Challenge to access exclusive content....