From 977212ef81f42711ecec127188f2f4f75472ca52 Mon Sep 17 00:00:00 2001
From: Yan <yans@yancomm.net>
Date: Sat, 28 Sep 2024 00:28:41 -0700
Subject: [PATCH] add cpa-suffix

---
 cryptography/cpa-suffix/DESCRIPTION.md | 10 ++++++++++
 cryptography/cpa-suffix/run            | 26 ++++++++++++++++++++++++++
 cryptography/module.yml                |  6 ++++--
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 cryptography/cpa-suffix/DESCRIPTION.md
 create mode 100755 cryptography/cpa-suffix/run

diff --git a/cryptography/cpa-suffix/DESCRIPTION.md b/cryptography/cpa-suffix/DESCRIPTION.md
new file mode 100644
index 0000000..919da22
--- /dev/null
+++ b/cryptography/cpa-suffix/DESCRIPTION.md
@@ -0,0 +1,10 @@
+Okay, now let's complicate things slightly to increase the realism.
+It's rare that you can just craft queries for the plaintext that you want.
+However, it's less rare that you can isolate the _tail end_ of some data into its own block, and in ECB, this is bad news.
+We'll explore this concept in this challenge, replacing your ability to query substrings of the flag with just an ability to encrypt some bytes off the end.
+
+Show us that you can still solve this!
+
+----
+**HINT:**
+Keep in mind that, once you recover some part of the end of the flag, you can build a new codebook with additional prefixes of the known parts, and repeat the attack on the previous byte!
diff --git a/cryptography/cpa-suffix/run b/cryptography/cpa-suffix/run
new file mode 100755
index 0000000..5edea6b
--- /dev/null
+++ b/cryptography/cpa-suffix/run
@@ -0,0 +1,26 @@
+#!/opt/pwn.college/python
+
+from base64 import b64encode, b64decode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+
+flag = open("/flag", "rb").read().strip()
+
+key = get_random_bytes(16)
+cipher = AES.new(key=key, mode=AES.MODE_ECB)
+
+while True:
+    print("Choose an action?")
+    print("1. Encrypt chosen plaintext.")
+    print("2. Encrypt the tail end of the flag.")
+    if (choice := int(input("Choice? "))) == 1:
+        pt = input("Data? ").strip().encode()
+    elif choice == 2:
+        length = int(input("Length? "))
+        pt = flag[-length:]
+    else:
+        break
+
+    ct = cipher.encrypt(pad(pt, cipher.block_size))
+    print(f"Result: {b64encode(ct).decode()}")
diff --git a/cryptography/module.yml b/cryptography/module.yml
index 4082502..7c80b66 100644
--- a/cryptography/module.yml
+++ b/cryptography/module.yml
@@ -18,9 +18,11 @@ challenges:
 - id: level-4
   name: AES
 - id: cpa
-  name: Chosen-plaintext Attack
+  name: AES-ECB-CPA
 - id: cpa-http
-  name: CPA-over-HTTP
+  name: AES-ECB-CPA-HTTP
+- id: cpa-suffix
+  name: AES-ECB-CPA-Suffix
 - id: level-5
   name: level5
 - id: level-6