**Lab:** PentesterLab (Hard) — Free Lab, December 2025

**Solved:** Among first 9 teams — No official solution published at time of writing


## 📋 **Executive Summary**

This report details the exploitation of two critical vulnerabilities in a web authentication system:

1. **GCM Tag Truncation Vulnerability** — The server accepted 1-byte authentication tags, drastically reducing the cryptographic security of AES-GCM.

2. **Weak XOR-Based "Encryption"** — Username ciphertext was generated via a static XOR keystream, enabling trivial plaintext recovery and forgery.

Together, these flaws allowed an attacker to forge a valid authentication token for the `admin` user without knowing the server's encryption key.

## 🔍 **Attack Overview**

- **Objective:** Authenticate as the pre-existing `admin` user.

- **Constraints:** Registration of `admin` was blocked; only new usernames could be registered.

- **Exploitation Path:**

1. Register a similar-length username (e.g., `bdmin`).

2. Capture the issued authentication token.

3. Exploit GCM tag truncation to brute-force a valid 1-byte tag.

4. Reverse-engineer the XOR-based ciphertext generation.

5. Forge a token for `admin` using the derived keystream.

## 🧩 **Technical Analysis**

### **Token Format**

Authentication tokens followed the structure:

```
Base64(IV) | Base64(Ciphertext) | Base64(Tag)
```

- `IV`: 16-byte initialization vector

- `Ciphertext`: Variable length, matching username length

- `Tag`: Full 16-byte GCM authentication tag in issued tokens (the server's validation also accepted truncated tags; see Vulnerability 1)

### **Vulnerability 1: GCM Tag Truncation**

The server's GCM implementation validated authentication tags of **any length**, including 1 byte, instead of requiring the full 16-byte tag. This reduced the work needed to forge a tag from \(2^{128}\) guesses to at most \(2^{8}\), making brute-force attacks feasible.
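The following is an added example, not the lab's code or the author's PoC. It parses the token layout described above from the two tokens quoted later in this writeup (standard-library Python only; AES-GCM itself is not reimplemented, so the tag the server would recompute is a constructed stand-in) and places the length-tolerant tag check behind Vulnerability 1 next to a strict check that requires the full 16-byte tag and compares it in constant time. Note that the IV field of the quoted token decodes to 12 bytes, the standard GCM nonce length, which the parser reports.

```python
"""Added example (not the lab's or the author's code): parse the writeup's
token layout and contrast a truncation-tolerant tag check with a strict one.
AES-GCM is not implemented here; the 'recomputed' tag in demo() is a
constructed stand-in for the tag the server would derive for the ciphertext."""
import base64
import hmac
from urllib.parse import unquote

GCM_TAG_LEN = 16  # full AES-GCM tag; anything shorter weakens forgery resistance


def _b64decode_lenient(field: str) -> bytes:
    # The lab's tokens use URL-safe base64 and sometimes omit padding ("1A").
    return base64.urlsafe_b64decode(field + "=" * (-len(field) % 4))


def parse_token(cookie_value: str) -> tuple[bytes, bytes, bytes]:
    """Split 'Base64(IV)|Base64(Ciphertext)|Base64(Tag)' (URL-encoded, %7C = '|')."""
    iv, ct, tag = unquote(cookie_value).split("|")
    return _b64decode_lenient(iv), _b64decode_lenient(ct), _b64decode_lenient(tag)


def tag_check_vulnerable(expected_tag: bytes, provided_tag: bytes) -> bool:
    """Flaw described in the writeup: only as many bytes as the client supplied
    are compared, so a 1-byte tag needs at most 256 guesses."""
    return len(provided_tag) > 0 and expected_tag[: len(provided_tag)] == provided_tag


def tag_check_hardened(expected_tag: bytes, provided_tag: bytes) -> bool:
    """Reject any tag that is not the full length, then compare in constant time."""
    if len(provided_tag) != GCM_TAG_LEN:
        return False
    return hmac.compare_digest(expected_tag, provided_tag)


def bruteforce_attempts(tag_len: int) -> int:
    """Worst-case guesses for an attacker who can choose the tag length."""
    return 2 ** (8 * tag_len)


def estimated_hours(attempts: int, seconds_per_request: float = 0.2) -> float:
    """Runtime under the 200 ms/request rate limit quoted in Step 3."""
    return attempts * seconds_per_request / 3600


# Tokens quoted in the writeup: the legitimate 'bdmin' token and the forged one.
BDMIN_TOKEN = "nf-0DJk87W6CxnFa%7CNRGWhFo=%7Cf7SPQhdO5hvRrrqLWuwJlA=="
FORGED_TOKEN = "nf-0DJk87W6CxnFa%7CNhGWhFo=%7C1A"


def demo() -> dict:
    iv, ct, tag = parse_token(BDMIN_TOKEN)
    f_iv, f_ct, f_tag = parse_token(FORGED_TOKEN)
    # Constructed stand-in for the tag the server would recompute for the forged
    # ciphertext; its first byte is set to match the forged 1-byte tag.
    recomputed = f_tag[:1] + bytes(range(1, GCM_TAG_LEN))
    return {
        "iv_len": len(iv),
        "ct_len": len(ct),
        "tag_len": len(tag),
        "same_iv_reused": iv == f_iv,
        "forged_tag_len": len(f_tag),
        "forged_ct_first_byte": f_ct[0],
        "vulnerable_accepts": tag_check_vulnerable(recomputed, f_tag),
        "hardened_accepts": tag_check_hardened(recomputed, f_tag),
        "attempts_1_byte_tag": bruteforce_attempts(1),
        "hours_step3": round(estimated_hours(256 * 256), 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The strict check is the fix a defender should ship: the tag length is a server-side constant, never a property of the submitted token, and the comparison goes through `hmac.compare_digest` so that a partial match does not leak through timing. Libraries that expose a `min_tag_length` or similar option should be left at the full 16 bytes for token-style use.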

### **Vulnerability 2: Static XOR Keystream**

Ciphertext generation was found to be:

```
Ciphertext[i] = Username[i] xor constant[i]
```

where `constant` was a **static XOR keystream**: the same byte at each position for every username encrypted under the same IV. This was confirmed by registering the usernames `bdmin` and `edmin` and comparing their ciphertexts. It is the expected behaviour of AES-GCM's counter-mode core once the IV is fixed: the keystream depends only on the key and the IV, not on the plaintext.

## ⚙️ **Exploitation Steps**

### **Step 1: Token Analysis and Initial Reconnaissance**

- Registered username `bdmin` (5 bytes, similar to target `admin`).

- Captured authentication token:

```
auth_token=nf-0DJk87W6CxnFa%7CNRGWhFo=%7Cf7SPQhdO5hvRrrqLWuwJlA==
```

- Decoded structure:

`IV (16B) | Ciphertext (5B) | Tag (16B)`

### **Step 2: Confirming GCM Tag Truncation Vulnerability**

- Lab hint indicated possible tag truncation.

- Tested login with a 1-byte tag while varying `ciphertext[0]` (256 values) and `tag[0]` (256 values).

- Successfully authenticated as `bdmin` with:

```
ciphertext[0] = 0x35
```

- **Vulnerability confirmed:** Server accepts 1‑byte GCM authentication tags.

### **Step 3: Brute‑Force Approach for `admin` (Without XOR Insight)**

- Assumption: encryption is byte‑wise (first plaintext byte maps to first ciphertext byte).

- Search space for forging an `admin` token: 256 × 256 (`ciphertext[0]` × `tag[0]`).

- With rate limiting (200 ms/request): estimated runtime ≈ 3.6 hours.

- This approach relies solely on **Vulnerability 1** (GCM tag truncation) + byte-wise assumption.

### **Step 4: Discovering XOR Relationship via `edmin`**

- During reconnaissance, registered `edmin` and repeated the Step 2 brute-force using the same IV. Result:

```
ciphertext[0] = 0x32
```

- This supports the byte-wise assumption.

- It also supports the further assumption about the functional form: `ciphertext = username xor key`.

- Validation (example for position 0):

```
0x35 (ciphertext[0]) xor 0x62 (username[0] = 'b') = 0x57   for bdmin
0x32 (ciphertext[0]) xor 0x65 (username[0] = 'e') = 0x57   for edmin
```

The same relation held for the other positions as well.

- **Conclusion:** Ciphertext is generated via:

```
ciphertext[i] = username[i] xor K[i]
```

where `K` is a static XOR keystream (`K[0] = 0x57`).
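The block below is an added example, not the lab's code or the author's PoC; it models the static keystream described in Vulnerability 2 and confirmed in Step 4. AES-GCM encrypts with AES-CTR, so for a fixed key and IV the keystream is a constant independent of the plaintext. To keep the block standard-library only, AES-CTR is replaced by an HMAC-SHA256 keystream (an assumption; the property demonstrated is the same), and the key and IV are constructed placeholders, not values from the lab.

```python
"""Added example (not the lab's or the author's code): why two usernames
encrypted under the same key and IV reveal a static XOR keystream, and why
the keystream is bound to that IV. AES-CTR is replaced by an HMAC-based
keystream so the block runs offline; key and IV below are constructed."""
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key-not-the-labs"        # placeholder key
REUSED_IV = bytes.fromhex("000102030405060708090a0b")    # constructed 12-byte IV
FRESH_IV = bytes.fromhex("ffeeddccbbaa998877665544")     # constructed 12-byte IV


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: block i = HMAC(key, iv || counter_i), truncated.
    Like CTR mode, the output depends on (key, iv) only, never on the plaintext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_username(key: bytes, iv: bytes, username: bytes) -> bytes:
    """ciphertext[i] = username[i] xor K[i], the form observed in the writeup."""
    return xor_bytes(username, keystream(key, iv, len(username)))


def recover_keystream(ciphertext: bytes, known_username: bytes) -> bytes:
    """Known-plaintext recovery of K: one registered username suffices."""
    return xor_bytes(ciphertext, known_username)


def keystream_is_static(key: bytes, iv: bytes, names: list[bytes]) -> bool:
    """The Step 4 check: K recovered from different usernames must agree."""
    recovered = {recover_keystream(encrypt_username(key, iv, n), n) for n in names}
    return len(recovered) == 1


def writeup_arithmetic() -> tuple[int, int, int]:
    """The three XORs quoted in Steps 4 and 5 of the writeup."""
    return 0x35 ^ 0x62, 0x32 ^ 0x65, 0x61 ^ 0x57


def demo() -> dict:
    names = [b"bdmin", b"edmin"]
    k = recover_keystream(encrypt_username(SERVER_KEY, REUSED_IV, b"bdmin"), b"bdmin")
    # With K known, the ciphertext of any same-length name follows without the key...
    predicted = xor_bytes(b"admin", k)
    actual = encrypt_username(SERVER_KEY, REUSED_IV, b"admin")
    # ...but K is bound to this IV: under any other IV the keystream is unrelated,
    # which is why a forged token must carry the captured IV unchanged.
    return {
        "static_under_reused_iv": keystream_is_static(SERVER_KEY, REUSED_IV, names),
        "prediction_matches": predicted == actual,
        "unrelated_under_fresh_iv": keystream(SERVER_KEY, FRESH_IV, 5) != k,
        "writeup_xors": writeup_arithmetic(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Design note for defenders: on its own this relation is the normal behaviour of a counter-mode cipher and does not expose the key. In an unmodified AES-GCM deployment a recomputed ciphertext is useless to a forger because the full 16-byte tag still has to verify; it becomes a forgery primitive here only because Vulnerability 1 lets a 1-byte tag through. Restoring the full-length tag check therefore closes both steps of the attack chain.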

### **Step 5: Direct Forgery of `admin` Token**

- Computed the required `ciphertext[0]` for `admin` (`a` = `0x61`):

```
0x61 xor 0x57 = 0x36
```

- Only unknown remaining: 1‑byte `tag[0]` (256 possibilities).

- Brute‑force yielded valid tag. Final forged `admin` token:

auth_token=nf-0DJk87W6CxnFa%7CNhGWhFo=%7C1A

- Successfully authenticated as `admin` using forged token.

- The forgery chained two vulnerabilities:

1. **GCM tag truncation** → Reduced authentication strength to 1‑byte entropy.

2. **Static XOR keystream** → Enabled direct ciphertext computation.

Originally published at https://github.com/bkornpob/bkornpob.github.io/blob/main/pentesterlab/gcm-tag-truncation/story-complete-note.md

PoC: https://github.com/bkornpob/bkornpob.github.io/blob/main/pentesterlab/gcm-tag-truncation/poc.md