add encryption level of POA

cryptography/aes-cbc-poa-enc/.init

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+dd if=/dev/urandom of=/challenge/.key bs=16 count=1
+chmod 600 /challenge/.key

cryptography/aes-cbc-poa-enc/DESCRIPTION.md

@@ -0,0 +1,19 @@
+You're not going to believe this, but... a Padding Oracle Attack doesn't just let you decrypt arbitrary messages: it lets you _encrypt_ arbitrary data as well!
+This sounds too wild to be true, but it is.
+Think about it: you demonstrated the ability to modify bytes in a block by messing with the previous block's ciphertext.
+Unfortunately, this will make the previous block decrypt to garbage.
+But is that so bad?
+You can use a padding oracle attack to recover the exact values of this garbage, and mess with the block before that to fix this garbage plaintext to be valid data!
+Keep going, and you can craft fully controlled, arbitrarily long messages, all without knowing the key!
+When you get to the IV, just treat it as a ciphertext block (e.g., plop a fake IV in front of it and decrypt it as usual) and keep going!
+Incredible.
+
+Now, you have the knowledge you need to get the flag for this challenge.
+Go forth and forge your message!
+
+----
+**FUN FACT:**
+Though the Padding Oracle Attack was [discovered](https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf) in 2002, it wasn't until 2010 that researchers [figured out this arbitrary encryption ability](https://static.usenix.org/events/woot10/tech/full_papers/Rizzo.pdf).
+Imagine how vulnerable the web was for those 8 years!
+Unfortunately, padding oracle attacks are _still_ a problem.
+Padding Oracle vulnerabilities come up every few months in web infrastructure, with the latest (as of time of writing) [just a few weeks ago](https://www.cvedetails.com/cve/CVE-2024-45384/)!

cryptography/aes-cbc-poa-enc/dispatcher

@@ -0,0 +1,14 @@
+#!/opt/pwn.college/python
+
+import os
+
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+
+key = open("/challenge/.key", "rb").read()
+cipher = AES.new(key=key, mode=AES.MODE_CBC)
+ciphertext = cipher.iv + cipher.encrypt(pad(b"sleep", cipher.block_size))
+
+print(f"TASK: {b64encode(ciphertext).decode()}")

cryptography/aes-cbc-poa-enc/worker

@@ -0,0 +1,29 @@
+#!/opt/pwn.college/python
+
+from base64 import b64decode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import unpad
+from Crypto.Random import get_random_bytes
+
+import time
+import sys
+
+key = open("/challenge/.key", "rb").read()
+
+while line := sys.stdin.readline():
+	if not line.startswith("TASK: "):
+		continue
+	data = b64decode(line.split()[1])
+	iv, ciphertext = data[:16], data[16:]
+
+	cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
+	plaintext = unpad(cipher.decrypt(ciphertext), cipher.block_size).decode('latin1')
+
+	if plaintext == "sleep":
+		print("Sleeping!")
+		time.sleep(1)
+	elif plaintext == "please give me the flag, kind worker process!":
+		print("Victory! Your flag:")
+		print(open("/flag").read())
+	else:
+		print("Unknown command!")

cryptography/aes-cbc-poa/DESCRIPTION.md

@@ -23,6 +23,12 @@ Go recover the flag!
 **HINT:**
 You'll need to slightly adjust this attack for the 16th byte of a block, since there is no padding at all initially, but I trust in your ability to do so!
 
+**HINT:**
+The previous challenges had just one ciphertext block, and you messed with its decryption by changing the IV.
+This level has multiple blocks.
+Keep in mind that to mess with the decryption of block N, you must modify ciphertext N-1.
+For the first block, this is the IV, but not for the rest!
+
 **FUN FACT:**
 The only way to prevent a Padding Oracle Attack is to avoid having a Padding Oracle.
 Depending on the application, this can be surprisingly tricky: a failure state is hard to mask completely from the user/attacker of the application, and for some applications, the padding failure is the only source of an error state!

cryptography/module.yml

@@ -39,6 +39,8 @@ challenges:
   name: AES-CBC Resizing
 - id: aes-cbc-poa
   name: "AES-CBC: Padding Oracle Attack"
+- id: aes-cbc-poa-enc
+  name: "AES-CBC: Padding Oracle Encryption"
 - id: level-6
   name: DHKE
 - id: level-7