Contents

• What is CryptoHack?
• How do I play?
• How much coding is involved?
• Which programming language should I use?
• How can I install the tools that I need?
• Can I share my solutions?
• How do I play the Block Cipher Mode challenges?
• How do I play the interactive challenges?
• Is source code for the utils.listener module provided?
• How do the points/levels/trophies work?
• How does this compare to Cryptopals and MysteryTwister C3?
• Do you have an API?
• How can I support CryptoHack?
• Who made this?
• Contact Information?

What is CryptoHack?

CryptoHack is a free, fun platform for learning cryptography. The emphasis is on breaking bad implementations of "modern" crypto, such as AES, RSA, and Elliptic-curve. The format is a series of puzzles that teach small lessons and motivate further research.

We took inspiration from Capture The Flag contests but wanted to build something that's permanent, focusses exclusively on cryptography, and is more accessible.

How do I play?

To save your progress, you'll need to register an account and solve a simple cipher.

On the platform, there are several different types of challenges. They will see you:

• Downloading vulnerable source code and determining how to crack the output.
• Making web requests to a server and slowly extracting confidential data.
• Connecting to a port and performing a man-in-the-middle attack on two parties trying to communicate.

All challenges have the same goal which is to discover a piece of secret information called the "flag". A flag is a string of characters that looks like: crypto{th15_1s_4_fl4g}. After submitting the correct flag on the platform, you will receive points. Sometimes the flag is in a different format and if so, the challenge will clearly specify that.

How much coding is involved?

Most challenges involve coding up a small solution, however we provide snippets of Python source code which you can adapt to your own purposes.

Our provided source code deliberately contains terrible errors and should not be used as a reference for real production crypto.

Which programming language should I use?

Almost all of our challenges are written in Python 3, and we make extensive use of the PyCryptodome library to perform common cryptographic operations. A few of the more advanced challenges are written in Sage 9 (based on Python 3).

Python is a fantastic language for fast prototyping of cryptography. It's readable and has native support for large integers; strong mathematics modules that call directly into C code for maximum speed (e.g. gmpy2); even a built-in modular exponentiation operator (pow()). Finally, SageMath is the open source tool with the most sophisticated support for modern cryptography, and it's built on top of Python.

It's possible to write your solutions in a different language but it'll be harder.

How can I install the tools that I need?

We provide an official Docker image that contains all the recommended technologies installed. If you have Docker, it's as simple as running: docker run -p 127.0.0.1:8888:8888 -it hyperreality/cryptohack:latest

Alternatively, if you don't already have Python, you can install it on by following this guide. Next you'll need to install a few Python packages:

• PyCryptodome
• gmpy2
• pwntools

On Linux and Mac, this could be as simple as opening up a terminal then running pip install PyCryptodome gmpy2 pwntools. You may first need to install the Pip package manager (sudo apt install python3-pip on Ubuntu) and then gmpy2 dependencies (sudo apt install libgmp-dev libmpc-dev libmpfr-dev on Ubuntu). On Windows, check this guide for how to get the Python package manager pip working.

After the installation is complete, open up the Python interpreter and run from Crypto.Util import *; strxor.strxor(b"C", b"H"); the result should be b'\x0b'. If you get an error then see here for tips on resolving it.

Sage can be more difficult to install (especially on Windows) but it's only used for a few advanced challenges. On Ubuntu Linux it should be as easy as apt install sagemath. Check here for more instructions.

Can I share my solutions?

After you solve a challenge, a "Solutions" link will appear next to the challenge. On that page you will be able to post your solution scripts as private GitHub Gists, and read and upvote those submitted by other players.

To avoid spoiling the challenges for newcomers we ask that you only submit solutions using the feature we have provided on this website. Please do not publish solutions or writeups outside of the platform. However, for "Starter" challenges, and challenges worth 25 points or less, we make an exception – feel free to discuss those publicly.

How do I play the Block Cipher Mode challenges?

The block cipher challenges are built on top of web apps. Each one gives you the source code of the problem, and forms to interact with the functions defined. To automate your solution, you can call the functions directly by sending data as a GET parameter and receiving a JSON response, e.g.:

$ curl http://aes.cryptohack.org/ecb_oracle/encrypt/00000000000000000000000000000000/
{"ciphertext":"8b6a083e36541cb59840e2242de73e11e84bfaeb5722f80253120ab21da890037bbbcc054419106657728a2d4d368f6e"}

For fully scripting your answers, we recommend the Python Requests package (rather than cURL).

How do I play the interactive challenges?

Certain challenges on CryptoHack are designed to be dynamic. To solve the problem, you must collect and send data to exploit the weakness in the implementation.

The introductory challenges provide scripts to connect and automate your solutions to these which work across all platforms using the Python Pwntools module. See this tutorial for usage. This is by far our most recommended way of solving these challenges; there are alternatives but they always end up being more complicated than using pwntools which has become a staple of CTFs.

To communicate with the server, your data should be sent as a JSON object. Each challenge will specify the key values you need to send, and the values will be the data you are working with. For example, say you want to send some data to a server to encrypt, you might send the object {"encrypt": "656e63727970746d796d657373616765"}, and the server would then reply {"encrypted_data": "0e0b1a191c091f080006000a18041e0e"}.

Source code for these interactive challenges will usually be provided. The challenge function in the Challenge class will be called on your JSON-formatted input, and the server will process it accordingly.

Can I run the interactive challenges locally?

The source for the utils.listener module which runs dynamic challenges is available here. To run a challenge locally with it, place the listener file in a utils/ directory then run the challenge file using Python. Then you can connect to the challenge port on your own localhost.

For example:

cd $DIRECTORY_WITH_CRYPTOHACK_CHALLENGES
mkdir utils
wget https://cryptohack.org/static/listener.py
mv listener.py utils
python $CHALLENGE_NUMBER.py

How do the points/levels/trophies work?

Trophies are awarded for a total percentage complete for each category:

• Gold Trophy with Star: 100%
• Gold Trophy: 75%
• Silver Trophy: 50%
• Bronze Trophy: 25%

Solving challenges earns you points, and as you progress you will gain levels. You can see the total number of points needed to level up by visiting your user profile.

You can sync your level attainment to your profile on our Discord server. Just visit your user settings and follow the instructions.

How does this compare to Cryptopals and MysteryTwister C3?

Cryptopals is great and some of our challenges are adaptations of theirs. The main difference is that we aim to provide a more gamified environment where you don't have to code everything from the ground up—unless you want to.

MysteryTwister C3 offers many cryptography challenges covering various topics also in a less gamified way. Most of their challenges focus more on crypto design and didactical aspects (like a tutorial in differential cryptanalysis) and it includes many challenges with historic or "obscure" procedures and machines (like HandyCipher or Sigaba).

Do you have an API?

Yes, you can get information about a user (named USER for instance) in JSON format by making the following request:

$ curl https://cryptohack.org/api/user/USER/
  {                            
    "country": "gb",
    "first_bloods": 0,
    "joined": "22 Jul 2021",
    "level": 1,
    "rank": 17935,
    "score": 3,
    "solved_challenges": [
    { 
      "category": "Introduction",
      "date": "22 Jul 2021",        
      "name": "Great Snakes",
      "points": 3,
      "solves": 10000
    },
    ],
    "user_count": 26912,
    "username": "USER",
    "website": ""
}

There is also /api/site-stats/

How can I support CryptoHack?

CryptoHack is entirely free to play but we have operating costs. If you would like to contribute, we are grateful to receive donations via our Patreon. For a limited period we are giving away CryptoHack T-shirts to new patrons.

If you are part of a company that would like to sponsor us, you can advertise job openings to our talented players. For more information please contact us using the details at the bottom of this page.

Who made this?

CryptoHack was started as a passion project by two crypto amateurs from the UK:

• hyperreality, working as a devops engineer and security consultant
• Jack, a cryptography consultant with a background in theoretical physics

The platform is a fork of ColdCore.

Contact Information?

Have a cool challenge idea? Found a bug? Please contact us on our Discord server, Twitter, or email address which is admin [at] cryptohack [dot] org