CryptoHack is a fun platform for learning cryptography. The emphasis is on breaking bad implementations of "modern" crypto, such as AES, RSA, and Elliptic-curve. The format is a series of puzzles that teach small lessons and motivate further research.
We took inspiration from Capture The Flag contests but wanted to build something that's permanent, focusses exclusively on cryptography, and is more accessible.
Cryptopals is great and some of our challenges are adaptations of theirs. The main difference is that we aim to provide a more gamified environment where you don't have to code everything from the ground up—unless you want to.
MysteryTwister C3 offers many cryptography challenges covering various topics also in a less gamified way. Most of their challenges focus more on crypto design and didactical aspects (like a tutorial in differential cryptanalysis) and it includes many challenges with historic or "obscure" procedures and machines (like HandyCipher or Sigaba).
You'll need to register an account and solve a simple cipher.
On the platform, there are several different types of challenges. They will see you:
All challenges have the same goal: to discover a piece of secret information called the "flag". A flag is a string of characters that looks like: crypto{th15_1s_4_fl4g}. After submitting the correct flag on the platform, you will receive points. Sometimes the flag is in a different format and if so, the challenge will clearly specify that.
Most challenges involve coding up a small solution, however we provide snippets of Python source code which you can adapt to your own purposes.
Our provided source code deliberately contains terrible errors and should not be used as a reference for real production crypto.
Almost all of our challenges are written in Python 3, and we make extensive use of the PyCryptodome library to perform common cryptographic operations. A few of the more advanced challenges are written in Sage 9 (based on Python 3).
Python is a fantastic language for fast prototyping of cryptography. It's readable and has native support for large integers; strong mathematics modules that call directly into C code for maximum speed (e.g. gmpy2); even a built-in modular exponentiation operator (pow()). Finally, SageMath is the open source tool with the most sophisticated support for modern cryptography, and it's built on top of Python.
docker run -p 127.0.0.1:8888:8888 -it hyperreality/cryptohack:latest
Some argue Python 2 was more convenient than Python 3 because it didn't draw a strong distinction between bytes and characters. But that was the source of many bugs and localisation issues, plus Python 2 is end of life now, so we don't use it.
It's possible to write your solutions in a different language but it'll be harder.
After you solve a challenge, a "Solutions" link will appear next to the challenge. On that page you will be able to post your solution scripts as private GitHub Gists, and read and upvote those submitted by other players.
To avoid spoiling the challenges for newcomers we ask that you only submit solutions using the feature we have provided on this website. Please do not publish solutions or writeups outside of the platform. However, for "Starter" challenges, and challenges worth 10 points or less, we make an exception – feel free to discuss those publicly.
The block cipher challenges are built on top of web apps. Each one gives you the source code of the problem, and forms to interact with the functions defined. To automate your solution, you can call the functions directly by sending data as a GET parameter and receiving a JSON response, e.g.:
$ curl http://aes.cryptohack.org/ecb_oracle/encrypt/00000000000000000000000000000000/
{"ciphertext":"8b6a083e36541cb59840e2242de73e11e84bfaeb5722f80253120ab21da890037bbbcc054419106657728a2d4d368f6e"}
For fully scripting your answers, we recommend the Python Requests package (rather than cURL).
Certain challenges on CryptoHack are designed to be dynamic. To solve the problem, you must collect and send data to exploit the weakness in the implementation.
The introductory challenges provide scripts to connect to these which work across all platforms using the telnetlib module that's part of Python.
If you are on Mac or Linux, it's convenient to connect using netcat, which is easy to install if not installed already. You can run the nc commands listed on the challenges. If you're on Windows, you can also install netcat but some users seem to have trouble here.
For some challenges, you will need to automate your communication with the server. We recommend the Python Pwntools library for this. See this tutorial for usage. Once again, this is more difficult on Windows. If you're on Windows, you can just continue working with telnetlib, or maybe use Linux via WSL, a virtual machine, or our Docker container referenced above.
To communicate with the server, your data should be sent as a JSON object. Each challenge will specify the key values you need to send, and the values will be the data you are working with. For example, say you want to send some data to a server to encrypt, you might send the object {"encrypt": "656e63727970746d796d657373616765"}, and the server would then reply {"encrypted_data": "0e0b1a191c091f080006000a18041e0e"}.
The challenge function in the Challenge class will be called on your JSON-formatted input, and the server will process it accordingly.
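The JSON-over-socket exchange described above, as an added example that is not code from the CryptoHack site or any of its challenges. The Challenge class, its challenge method, the toy XOR "cipher" and the key are all assumed placeholders standing in for a real challenge server; the client side is what a solution script does with telnetlib, netcat or pwntools against the published host and port.

```python
import json
import socket
import threading

# Constructed 16-byte key; stands in for whatever the real challenge keeps secret.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

class Challenge:
    # Assumed shape of a challenge server class: challenge() handles each JSON request.
    def encrypt(self, data: bytes) -> bytes:
        # Toy repeating-key XOR, a placeholder for the challenge's real cipher.
        return bytes(b ^ DEMO_KEY[i % 16] for i, b in enumerate(data))

    def challenge(self, msg: dict) -> dict:
        if "encrypt" in msg:
            return {"encrypted_data": self.encrypt(bytes.fromhex(msg["encrypt"])).hex()}
        return {"error": "unknown action"}

def serve_one_client(listener: socket.socket) -> None:
    # Server side: one JSON object per line in, one JSON object per line out.
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        chal = Challenge()
        for line in f:
            try:
                reply = chal.challenge(json.loads(line))
            except (ValueError, TypeError) as exc:  # malformed JSON, bad hex, wrong type
                reply = {"error": f"bad input: {exc}"}
            f.write((json.dumps(reply) + "\n").encode())
            f.flush()

def run_exchange(host: str, port: int, plaintext_hex: str) -> dict:
    # Client side: what a telnetlib/pwntools solution script does against `nc host port`.
    with socket.create_connection((host, port)) as s, s.makefile("rwb") as f:
        f.write((json.dumps({"encrypt": plaintext_hex}) + "\n").encode())
        f.flush()
        return json.loads(f.readline().decode())

def demo() -> dict:
    # Run server and client in-process on a loopback port chosen by the OS.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one_client, args=(listener,), daemon=True).start()
    reply = run_exchange("127.0.0.1", listener.getsockname()[1], "656e63727970746d796d657373616765")
    listener.close()
    return reply

if __name__ == "__main__":
    print(demo())
```

Each request and reply is a single newline-terminated JSON line, which is why readline() is enough on both sides.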
Trophies are awarded for a total percentage complete for each category:
Solving challenges earns you points, and as you progress you will gain levels. You can see the total number of points needed to level up by visiting your user profile.
You can sync your level attainment to your profile on our Discord server. Just visit your user settings and follow the instructions.