Chat App Pentest
As a pen tester for PPT (Premier Penetration Testing), you have been assigned to perform a penetration test on a chat application. Your goal is to check their encryption. The company for whom you are performing the test has been a bit cagey about sharing some of their code, but you think you have enough to get started. However, they did give you some sample data to help with your testing.
They gave you a series of message exchanges as examples.
Chat session 1 Key
For this session they provided a key, but only in its encrypted format. You can download it here. The keys are UTF-8 encoded.
Hint
Each block encodes one bit, and the cipher uses ECB, so you can find and replace the blocks with bits and then convert the result to UTF-8.
What would a better method of sharing the key be?
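The substitution the hint describes, as an added example in Python (not the challenge's code or data): because ECB encrypts equal plaintext blocks to equal ciphertext blocks, a one-bit-per-block encoding yields only two distinct blocks, and the bit string can be read off without the cipher key. The 16-byte block size, the MSB-first bit order, the function name and the sample values are assumptions made for this illustration.

```python
# Added example. Assumptions (not from the page): 16-byte cipher blocks and
# most-significant-bit-first packing of the key bits.

def recover_key_candidates(ciphertext: bytes, block_size: int = 16) -> list[str]:
    """Decode a one-bit-per-block ECB ciphertext without knowing the cipher key."""
    if not ciphertext or len(ciphertext) % block_size:
        raise ValueError("ciphertext must be a non-empty multiple of the block size")
    blocks = [ciphertext[i:i + block_size]
              for i in range(0, len(ciphertext), block_size)]
    if len(blocks) % 8:
        raise ValueError("block count is not a whole number of bytes")
    # ECB maps equal plaintext blocks to equal ciphertext blocks, so a
    # one-bit-per-block encoding can only ever produce two distinct blocks.
    distinct = list(dict.fromkeys(blocks))  # unique blocks, first-seen order
    if len(distinct) != 2:
        raise ValueError(f"expected 2 distinct blocks, found {len(distinct)}")
    candidates = []
    # Which block stands for 0 is unknown, so try both substitutions and
    # keep only the ones that form valid UTF-8.
    for zero_block in distinct:
        bits = "".join("0" if b == zero_block else "1" for b in blocks)
        raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
        try:
            candidates.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue
    return candidates


# Constructed sample: two placeholder block values stand in for the ECB
# encryptions of bit 0 and bit 1; the "key" is a constructed string.
BLOCK_FOR_0 = bytes(range(0, 16))
BLOCK_FOR_1 = bytes(range(16, 32))
SAMPLE_KEY = "k3y!"
SAMPLE_CT = b"".join(
    BLOCK_FOR_1 if bit == "1" else BLOCK_FOR_0
    for byte in SAMPLE_KEY.encode("utf-8")
    for bit in format(byte, "08b")
)

if __name__ == "__main__":
    print(recover_key_candidates(SAMPLE_CT))
```

The inverted substitution is rejected here because it sets the top bit of every byte, which is not valid UTF-8 for ASCII text; on other data both candidates may decode and need a manual look.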
Chat message encryption code analysis
You have been given the code to encrypt the messages. You can download it here.
What is the main problem with their CBC implementation?
What metadata is being leaked by the encryption?
Chat session 1 message decryption
You have been given a message from the chat application. You can download it here.
A reply from the recipient is also provided. You can download it here.
Chat session 2 analysis
You have been given a longer chat log. You can download it here.