Challenge 40

Welcome to challenge 40. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Insecure Encryption Key - Part 2

A developer encrypted a secret using AES and stored its base64 encoded value in a json file. But where to leave the key? What about just leaving the key inside the file with the secret? That way, every secret can have its own key easily! Can you find the secret?

The challenge file is called secrchallenge.json and can be found in the executables folder.

Answer to solution :

This challenge can be solved by decrypting the base64 encoded secret in secrchallenge.json. You can do this either by:

  1. Using an online aes decryption tool like

    • Copy the value of secret from secrchallenge.json and paste it into the textbox of the decryptor.

    • Ensure the input format is Base64 and the cipher mode is ECB.

    • Use the value of key from secrchallenge.json as decryption key and click on Decrypt to get the secret.

  2. Using the terminal

    • Launch the terminal while you are in the executables directory.

    • Copy the value of key from secrchallenge.json and type in echo -n "3Ulyfmfgro6uh1cN" | xxd -p. This gives you the decryption key in hexadecimal format.

    • Copy the value of secret from secrchallenge.json.

    • Then, use the obtained decryption key to decrypt the by typing echo "7RwunHeLkY7c0TCTLRMOGCIeX0jWiYibAexA0unYGDI=" | openssl enc -a -d -aes-128-ecb -K 33556c79666d6667726f36756831634e -out

    • Copy the secret from the file in the executables folder.

Why should we not store the encryption key and the secret together?

Storing an encryption key and the data it encrypts together is generally considered a bad practice because it undermines the security provided by encryption.

In such scenarios, an attacker has the key the moment the file is in his possession.

It is always recommended to store your encryption keys securely.