//Fibodream

//Fibodream — Vianu CTF — Writeup

>TL;DR

• Flag: Vianu_CTF{16bc18d0ca25efa5e7c28aeff7f11f21d4de4de9}
• Summary: The provided ciphers.txt contains one SHA-256 hash per byte (each hash = sha256(single-character)). After decoding the hashes locally to a character-level ciphertext (length 51), the remote service acts as a per-position Caesar-like cipher: letters are shifted mod 26 (using a per-position key), digits are shifted mod 10 (per-position key), and punctuation like {, }, _ are unchanged. We recovered the keystream by querying the service with known plaintexts ('a'*n for letters and '0'*n for digits), then subtracted the keystream to obtain the cleartext flag.

>Files in this challenge

• ciphers.txt — the provided list of 51 SHA-256 hashes (one per character).
• decode_hashes.py — helper script that decodes ciphers.txt into the ciphertext by reversing SHA-256 on single bytes (uses a 0..255 single-byte preimage table).
• solve.py — end-to-end solver that decodes the hashes locally and queries the remote service to pull the keystream and decrypt the flag.

>Step 1 — Local analysis (decode ciphers.txt)

1. Look at ciphers.txt. It has 51 lines — each looks like a hex SHA-256 digest.
2. Hypothesis: each hash is sha256(s) for a small s (likely 1-character ASCII). Confirm by brute-force:

• compute sha256('0'), sha256('1'), ..., and single ASCII letters/symbols; many matches appear immediately (digits 0..9, letters, {, } etc).

1. There was one small gotcha: the file had a UTF‑8 BOM on the first line. Strip it before matching (or use .lstrip('\\ufeff')).

Command used to inspect (examples):

# quick tests (python):

python3 - <<'PY'

import hashlib

print(hashlib.sha256(b'0').hexdigest())

print(hashlib.sha256(b'a').hexdigest())

PY

Result of decoding ciphers.txt (character-level ciphertext):

Length = 51 (which matches the hint that the flag has 51 characters).

decode_hashes.py (what it does)

• Builds a map of SHA256(byte) -> byte for all byte values 0..255.
• Reads ciphers.txt (strips BOM), reverses each hash using that map, and prints the result.

(See the full script included below.)

>Step 2 — Remote oracle exploration

1. Start a quick probe with nc host port and send short strings to see how the remote encoder responds.
2. Observations from simple queries:

• printf 'a'*51 | nc HOST PORT returns a 51-character lowercase string; each returned character depends on position — this suggests a position-based shift (a per-position keystream applied to letters).
• printf '0'*51 | nc HOST PORT returns a 51-digit string; digits are being shifted mod 10 position-wise.
• Braces { and } and underscores appear to be sent through unchanged.

Reasoning: If the service applies a per-position shift (keystream) to letters and digits, then encrypting a known constant ('a'*n and '0'*n) returns the keystream mapped into letters/digits. Given ciphertext and keystream, plaintext is recovered by subtracting keystream modulo alphabet size.

How we derived decryption formulas

• For letters: ciphertext_char = (plaintext_char + key) mod 26 (in letter positions). So plaintext = (ciphertext - key) mod 26. We get key = (oracle('a') - 'a').
• For digits: ciphertext_digit = (plaintext_digit + key) mod 10. So subtract digit-wise with key obtained from oracle('0').

>Step 3 — Combine & retrieve the flag

1. Use decode_hashes.py or the identical logic in solve.py to obtain cipher (the character-level ciphertext).
2. Query remote using n = len(cipher):

• ks_letters = oracle('a'*n) → returns lowercase letters, each representing (key + 'a') at that position.
• ks_digits = oracle('0'*n) → returns digits representing keys for digit positions.

1. For each position i:

• If cipher[i] is lowercase letter: plaintext = (ord(cipher[i]) - ord('a') - (ord(ks_letters[i]) - ord('a'))) mod 26.
• If cipher[i] is uppercase letter: same, but using ord('A').
• If cipher[i] is digit: plaintext = (int(cipher[i]) - int(ks_digits[i])) mod 10.
• Else (e.g., {, }, _): copy as-is.

Result: Vianu_CTF{16bc18d0ca25efa5e7c28aeff7f11f21d4de4de9}

>Scripts (full source)

decode_hashes.py

#!/usr/bin/env python3

import hashlib

from pathlib import Path

def build_sha256_single_byte_reverse_map() -> dict[str, bytes]:

    out = {}

    for i in range(256):

        b = bytes([i])

        out[hashlib.sha256(b).hexdigest()] = b

    return out

def decode_hash_lines(path: Path) -> bytes:

    lines = [ln.strip().lstrip("\\ufeff") for ln in path.read_text().splitlines() if ln.strip()]

    rev = build_sha256_single_byte_reverse_map()

    decoded = bytearray()

    for h in lines:

        b = rev.get(h)

        if b is None:

            raise SystemExit(f"Unknown hash: {h}")

        decoded.extend(b)

    return bytes(decoded)

def main() -> None:

    msg = decode_hash_lines(Path("ciphers.txt"))

    print(msg.decode("latin-1"))

    print(f"length={len(msg)}")

if __name__ == "__main__":

    main()

solve.py (end-to-end)

#!/usr/bin/env python3

import argparse

import hashlib

import socket

from pathlib import Path

def build_sha256_single_byte_reverse_map() -> dict[str, bytes]:

    return {hashlib.sha256(bytes([i])).hexdigest(): bytes([i]) for i in range(256)}

def decode_hash_lines(path: Path) -> str:

    rev = build_sha256_single_byte_reverse_map()

    out = bytearray()

    for ln in path.read_text().splitlines():

        h = ln.strip().lstrip("\\ufeff")

        if not h:

            continue

        b = rev.get(h)

        if b is None:

            raise SystemExit(f"Unknown hash: {h}")

        out.extend(b)

    return out.decode("latin-1")

def oracle_encrypt(host: str, port: int, s: str, timeout: float) -> str:

    with socket.create_connection((host, port), timeout=timeout) as sock:

        sock.sendall((s + "\\n").encode())

        data = bytearray()

        while True:

            chunk = sock.recv(4096)

            if not chunk:

                break

            data.extend(chunk)

    return data.decode(errors="replace").strip()

def decrypt_with_keystream(cipher: str, ks_letters: str, ks_digits: str) -> str:

    if not (len(cipher) == len(ks_letters) == len(ks_digits)):

        raise ValueError("cipher/keystream length mismatch")

    kL = [ord(ch) - ord('a') for ch in ks_letters]

    kD = [int(ch) for ch in ks_digits]

    out = []

    for i, ch in enumerate(cipher):

        if 'a' <= ch <= 'z':

            out.append(chr((ord(ch) - 97 - kL[i]) % 26 + 97))

        elif 'A' <= ch <= 'Z':

            out.append(chr((ord(ch) - 65 - kL[i]) % 26 + 65))

        elif '0' <= ch <= '9':

            out.append(str((int(ch) - kD[i]) % 10))

        else:

            out.append(ch)

    return ''.join(out)

def main() -> None:

    ap = argparse.ArgumentParser(description="Solve VianuCTF fibodream")

    ap.add_argument("--host", default="185.213.240.231")

    ap.add_argument("--port", default=5123, type=int)

    ap.add_argument("--timeout", default=5.0, type=float)

    ap.add_argument("--file", default="ciphers.txt")

    args = ap.parse_args()

    cipher = decode_hash_lines(Path(args.file))

    n = len(cipher)

    ks_letters = oracle_encrypt(args.host, args.port, 'a' * n, args.timeout)

    ks_digits = oracle_encrypt(args.host, args.port, '0' * n, args.timeout)

    plain = decrypt_with_keystream(cipher, ks_letters, ks_digits)

    print(plain)

if __name__ == "__main__":

    main()

>Reproduction (quick)

1. Local decode only:

python3 decode_hashes.py

# prints: Hrvty_KHN{30gi27e5...}

1. Full solve (queries remote):

python3 solve.py  # default host/port set in script

# prints: Vianu_CTF{16bc18d0...}

If the remote host/port differ, run:

python3 solve.py --host <host> --port <port>

>Why this worked / how the idea came to be

• Seeing that every line was exactly 64 hex characters hinted strongly at SHA-256 digests.
• Many digests matched the SHA-256 of simple single characters (e.g., digits and letters), which suggested these were per-byte SHA-256 preimages (sha256 of a single byte).
• The next step was to look for how the service takes plaintext and turns it into ciphertext. Small probes ('a'*n and '0'*n) revealed a deterministic, position-wise shift for letters and digits, respectively. That led directly to computing the keystream and subtracting it.

>References

• SHA-2 / SHA-256: https://en.wikipedia.org/wiki/SHA-2
• Caesar cipher / modular shifts: https://en.wikipedia.org/wiki/Caesar_cipher