AES-128-CBC // PADDING ORACLE
Break the Cipher
The CipherVault platform uses AES-CBC encrypted tokens for authentication. An admin token containing the flag has been intercepted. The validation endpoint leaks padding information. Exploit the padding oracle to decrypt the admin token.
Your Token
Get your encrypted user session token from the API.
Admin Token
The encrypted admin token. Contains the flag.
Validate Token
Test a token against the validation oracle.
Challenge Files
API Reference
GET /api/token
Get your encrypted user token
GET /api/admin-token
Get the encrypted admin token (contains flag)
POST /api/validate
Validate a token — the padding oracle
POST /api/verify-flag
Submit the flag
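
Defender's view of the validation oracle described above, as an added example that is not CipherVault's code: a validator that reports padding failures separately, next to an encrypt-then-MAC validator that answers every failure identically, plus a regression check that compares the two. The keys, the `user=` token format, the status codes and the XOR-based `toy_cbc` stand-in for AES-128-CBC are assumptions made so the block runs on the Python standard library.

```python
import hashlib, hmac, os
BLOCK, TAG = 16, 32
ENC_KEY, MAC_KEY = os.urandom(BLOCK), os.urandom(32)  # constructed demo keys

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cbc(data, iv, decrypt=False):
    # Assumption: XOR-with-key "block cipher" stands in for AES (stdlib only). Not secure.
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        res = _xor(_xor(blk, ENC_KEY), prev)  # XOR toy: same formula in both directions
        out, prev = out + res, (blk if decrypt else res)
    return out

def unpad(p):
    n = p[-1] if p else 0
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

def issue(msg):
    # Returns (unauthenticated token, encrypt-then-MAC token) for the same message.
    iv, n = os.urandom(BLOCK), BLOCK - len(msg) % BLOCK
    blob = iv + toy_cbc(msg + bytes([n]) * n, iv)
    return blob, blob + hmac.new(MAC_KEY, blob, hashlib.sha256).digest()

def leaky_validate(token):
    # Weak: a padding failure is distinguishable from every other failure.
    try:
        body = unpad(toy_cbc(token[BLOCK:], token[:BLOCK], decrypt=True))
    except ValueError:
        return 400, "invalid padding"
    return (200, "ok") if body.startswith(b"user=") else (403, "invalid token")

def hardened_validate(token):
    # Fixed: constant-time MAC over IV||ciphertext before decrypting; one response for all failures.
    blob, tag, fail = token[:-TAG], token[-TAG:], (403, "invalid token")
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, blob, hashlib.sha256).digest()):
        return fail
    try:
        body = unpad(toy_cbc(blob[BLOCK:], blob[:BLOCK], decrypt=True))
    except ValueError:
        return fail
    return (200, "ok") if body.startswith(b"user=") else fail

def responses_when_tampered(validate, token, pos):
    # Regression check: set of responses seen across all 255 modifications of one byte.
    return {validate(token[:pos] + bytes([token[pos] ^ d]) + token[pos + 1:]) for d in range(1, 256)}
```

A validator is safe against this class of leak only when `responses_when_tampered` returns a single response for every byte position; response timing needs the same treatment.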