Frequently Asked Questions

What is CryptoHack?

CryptoHack is a fun platform for learning cryptography. The emphasis is on breaking bad implementations of "modern" crypto, such as AES, RSA, and Elliptic-curve. The format is a series of puzzles that teach small lessons and motivate further research.

We took inspiration from Capture The Flag contests but wanted to build something that's permanent, focusses exclusively on cryptography, and is more accessible.

How does this compare to Cryptopals and MysteryTwister C3?

Cryptopals is great and some of our challenges are adaptations of theirs. The main difference is that we aim to provide a more gamified environment where you don't have to code everything from the ground up—unless you want to.

MysteryTwister C3 also offers many cryptography challenges across various topics, in a less gamified way. Most of their challenges focus more on crypto design and didactic aspects (like a tutorial in differential cryptanalysis), and the site includes many challenges with historic or "obscure" procedures and machines (like HandyCipher or Sigaba).

How do I play?

You'll need to register an account and solve a simple cipher.

On the platform, there are several different types of challenges. They will see you:

  • Downloading vulnerable source code and determining how to crack the output.
  • Making web requests to a server and slowly extracting confidential data.
  • Connecting to a port and performing a man-in-the-middle attack on two parties trying to communicate.

All challenges have the same goal which is to discover a piece of secret information called the "flag". A flag is a string of characters that looks like: crypto{th15_1s_4_fl4g}. After submitting the correct flag on the platform, you will receive points. Sometimes the flag is in a different format and if so, the challenge will clearly specify that.

How much coding is involved?

Most challenges involve coding up a small solution, however we provide snippets of Python source code which you can adapt to your own purposes.

Our provided source code deliberately contains terrible errors and should not be used as a reference for real production crypto.

Which programming language should I use?

Almost all of our challenges are written in Python 3, and we make extensive use of the PyCryptodome library to perform common cryptographic operations. A few of the more advanced challenges are written in Sage 9 (based on Python 3).

Python is a fantastic language for fast prototyping of cryptography. It's readable and has native support for large integers, strong mathematics modules that call directly into C code for maximum speed (e.g. gmpy2), and even a built-in modular exponentiation function (pow()). Finally, SageMath is the open source tool with the most sophisticated support for modern cryptography, and it's built on top of Python.

We provide an official Docker image that contains all the recommended technologies installed. If you have Docker, it's as simple as running:

$ docker run -p 127.0.0.1:8888:8888 -it hyperreality/cryptohack:latest

Some argue Python 2 was more convenient than Python 3 because it didn't draw a strong distinction between bytes and characters. But that was the source of many bugs and localisation issues, plus Python 2 is end of life now, so we don't use it.

It's possible to write your solutions in a different language but it'll be harder.

Can I share my solutions?

After you solve a challenge, a "Solutions" link will appear next to the challenge. On that page you will be able to post your solution scripts as private GitHub Gists, and read and upvote those submitted by other players.

To avoid spoiling the challenges for newcomers we ask that you only submit solutions using the feature we have provided on this website. Please do not publish solutions or writeups outside of the platform. However, for "Starter" challenges, and challenges worth 10 points or less, we make an exception – feel free to discuss those publicly.

How do I play the Block Cipher Mode challenges?

The block cipher challenges are built on top of web apps. Each one gives you the source code of the problem, and forms to interact with the functions defined. To automate your solution, you can call the functions directly by sending data as a GET parameter and receiving a JSON response, e.g.:

$ curl http://aes.cryptohack.org/ecb_oracle/encrypt/00000000000000000000000000000000/
{"ciphertext":"8b6a083e36541cb59840e2242de73e11e84bfaeb5722f80253120ab21da890037bbbcc054419106657728a2d4d368f6e"}

For fully scripting your answers, we recommend the Python Requests package (rather than cURL).
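
The same request scripted end to end, as an added example that is not CryptoHack's own code. It uses the standard-library urllib in place of Requests so it has no dependencies, and it talks to a constructed local mock that replays the sample reply shown above; the names call, blocks and MockOracle are hypothetical.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request path and ciphertext copied from the curl example on this page.
SAMPLE_PATH = "/ecb_oracle/encrypt/" + "00" * 16 + "/"
SAMPLE_CT = ("8b6a083e36541cb59840e2242de73e11"
             "e84bfaeb5722f80253120ab21da89003"
             "7bbbcc054419106657728a2d4d368f6e")
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies


class MockOracle(BaseHTTPRequestHandler):
    """Constructed local stand-in for the server: replays the sample reply."""
    def do_GET(self):
        known = self.path == SAMPLE_PATH
        body = json.dumps({"ciphertext": SAMPLE_CT} if known else {}).encode()
        self.send_response(200 if known else 404)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def call(base_url, function_path, *args):
    """GET <base>/<function_path>/<hex arg>/.../ and return the parsed JSON."""
    hex_args = [a.hex() if isinstance(a, bytes) else a for a in args]
    url = "/".join([base_url.rstrip("/"), function_path.strip("/"), *hex_args])
    with OPENER.open(url + "/", timeout=10) as resp:
        return json.load(resp)


def blocks(hex_string, size=16):
    """Split a hex-encoded ciphertext into block-sized byte strings."""
    raw = bytes.fromhex(hex_string)
    return [raw[i:i + size] for i in range(0, len(raw), size)]


def demo():
    """Send the page's sample request to the mock and return the blocks."""
    server = HTTPServer(("127.0.0.1", 0), MockOracle)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return blocks(call(base, "ecb_oracle/encrypt", bytes(16))["ciphertext"])
    finally:
        server.shutdown()
        server.server_close()
```

Working on the reply as 16-byte blocks rather than one hex string makes it visible that a 16-byte input came back as three blocks.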

How do I play the netcat challenges?

Certain challenges on CryptoHack are designed to be dynamic. To solve the problem, you must collect and send data to exploit the weakness in the implementation.

The introductory challenges provide scripts to connect to these which work across all platforms using the telnetlib module that's part of Python.

If you are on Mac or Linux, it's convenient to connect using netcat, which is easy to install if not installed already. You can run the nc commands listed on the challenges. If you're on Windows, you can also install netcat but some users seem to have trouble here.

For some challenges, you will need to automate your communication with the server. We recommend the Python Pwntools library for this. See this tutorial for usage. Once again, this is more difficult on Windows. If you're on Windows, you can just continue working with telnetlib, or maybe use Linux via WSL, a virtual machine, or our Docker container referenced above.

To communicate with the server, your data should be sent as a JSON object. Each challenge will specify the keys you need to send, and the values will be the data you are working with. For example, say you want to send some data to a server to encrypt: you might send the object {"encrypt": "656e63727970746d796d657373616765"}, and the server would then reply {"encrypted_data": "0e0b1a191c091f080006000a18041e0e"}.

Source code for these interactive challenges will sometimes be provided. The challenge function in the Challenge class will be called on your JSON-formatted input, and the server will process it accordingly.
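
Both sides of the JSON exchange described above, as an added example that is not CryptoHack's own code. It uses the plain socket module, since telnetlib was removed from the standard library in Python 3.13. Assumptions: one JSON object per line in each direction, a constructed mock Challenge class with a toy XOR transform in place of a real challenge, and hypothetical names (Handler, exchange, demo, the "error" replies).

```python
import json
import socket
import socketserver
import threading


class Challenge:
    """Constructed stand-in for a challenge's server-side class."""
    KEY = 0x5A  # toy XOR key so the mock can answer; not real crypto

    def challenge(self, msg):
        if not isinstance(msg, dict) or "encrypt" not in msg:
            return {"error": "unknown option"}
        data = bytes.fromhex(msg["encrypt"])
        return {"encrypted_data": bytes(b ^ self.KEY for b in data).hex()}


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        chal = Challenge()
        for line in self.rfile:  # assumed framing: one JSON object per line
            try:
                reply = chal.challenge(json.loads(line))
            except (ValueError, TypeError):
                reply = {"error": "invalid input"}
            self.wfile.write(json.dumps(reply).encode() + b"\n")


def exchange(stream, obj):
    """Send one JSON object and return the server's decoded JSON reply."""
    stream.write(json.dumps(obj).encode() + b"\n")
    stream.flush()
    return json.loads(stream.readline())


def demo():
    """Run two exchanges against the mock server on a free local port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address, timeout=10) as sock, \
                sock.makefile("rwb") as stream:
            good = exchange(stream, {"encrypt": b"encryptmymessage".hex()})
            bad = exchange(stream, {"hello": "world"})
        return good, bad
    finally:
        server.shutdown()
        server.server_close()
```

The hex string sent in the first exchange is the same one used in the example object above.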

How do the points/levels/trophies work?

Trophies are awarded for a total percentage complete for each category:

  • Gold Trophy with Star: 100%
  • Gold Trophy: 75%
  • Silver Trophy: 50%
  • Bronze Trophy: 25%

Solving challenges earns you points, and as you progress you will gain levels. You can see the total number of points needed to level up by visiting your user profile.

You can sync your level attainment to your profile on our Discord server. Just visit your user settings and follow the instructions.

Who made this?

CryptoHack was started as a passion project by two crypto amateurs from the UK:

  • hyperreality, working as a devops engineer
  • Jack, studying for a PhD in black holes

The platform is a fork of ColdCore.

More Questions?

Have a cool challenge idea? Found a bug? Want to find out more? Please contact us on our Discord server or Twitter.
