Hack For A Change 2026 - Encrypted Audit Logs

Decrypt tampered audit log entries to reconstruct evidence of unauthorized access.

Initial Analysis

The challenge provides a secure audit log export from “ClinCore Health Systems”. Scanning through the logs, several EncryptedToken entries are visible, formatted as Base32 strings.

A critical clue is found in the logs:

[2026-03-15 16:00:05] ENCRYPT: Cipher config: XOR mode=repeating key_len=4

This indicates that the tokens are encrypted using a repeating 4-byte XOR key.

Solution

While most tokens in the log decode to fragmented text, the token on line 108 (YX2THEVPQ4LNRIMFCHIKFUCBRL2IGF6567KEFW7Q2AK5XIUEJXI7FUCE33VQ====) decodes to raw binary data, suggesting it contains the flag.

Since the flag format is SDG{...} and the key is only 4 bytes long, we can perform a known-plaintext attack: XORing the first 4 bytes of the ciphertext with SDG{ yields the complete XOR key.

import base64

# The tampered token (line 108)
ct = base64.b32decode("YX2THEVPQ4LNRIMFCHIKFUCBRL2IGF6567KEFW7Q2AK5XIUEJXI7FUCE33VQ====")

# Use "SDG{" as known plaintext to derive the 4-byte XOR key
known = b"SDG{"
key = bytes([ct[i] ^ known[i] for i in range(4)])

# Decrypt with repeating 4-byte key
plaintext = bytes([ct[i] ^ key[i % 4] for i in range(len(ct))])
print(plaintext.decode())

Key Recovery:
- Ciphertext (hex): c5f53392...
- Known Plaintext: 5344477b (SDG{)
- Derived Key: 96b174e9
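The same known-plaintext recovery, generalized as an added example (not code from the original write-up): instead of assuming the flag is in the line-108 token at offset 0, it tries the SDG{ crib at every offset of every token and accepts a key only when the rest of the decryption forms a well-formed flag. The function names, the decoy token and the lowercase-hex flag body are assumptions made for this example.

```python
import base64
import binascii
import re

KEY_LEN = 4                                  # from the log: key_len=4
FLAG_RE = re.compile(rb"SDG\{[0-9a-f]+\}")   # assumption: flag body is lowercase hex

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_from_crib(ct: bytes, crib: bytes, offset: int) -> bytes:
    """Key implied if crib is the plaintext at ct[offset:], aligned to the key cycle."""
    key = bytearray(KEY_LEN)
    for i in range(KEY_LEN):
        key[(offset + i) % KEY_LEN] = ct[offset + i] ^ crib[i]
    return bytes(key)

def find_flag(tokens, crib=b"SDG{"):
    """Return (token, key, flag) for the first token that yields a well-formed flag."""
    for tok in tokens:
        try:
            ct = base64.b32decode(tok)
        except (binascii.Error, ValueError):
            continue                          # not valid Base32: skip it
        for off in range(len(ct) - len(crib) + 1):
            key = key_from_crib(ct, crib, off)
            m = FLAG_RE.search(xor_repeat(ct, key))
            if m:                             # crib guess confirmed by the rest of the flag
                return tok, key, m.group().decode()
    return None

# Constructed sample input: a malformed token, a constructed decoy entry
# encrypted with the derived key, then the token quoted in the write-up.
DECOY = base64.b32encode(
    xor_repeat(b"user jdoe viewed patient record", bytes.fromhex("96b174e9"))).decode()
TOKENS = [
    "not-base32!",
    DECOY,
    "YX2THEVPQ4LNRIMFCHIKFUCBRL2IGF6567KEFW7Q2AK5XIUEJXI7FUCE33VQ====",
]

if __name__ == "__main__":
    tok, key, flag = find_flag(TOKENS)
    print(key.hex(), flag)
```

Validating the whole decrypted flag, rather than only the 4-byte crib, is what rejects the decoy: any offset trivially reproduces SDG{, but only the real token continues with hex digits and a closing brace.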

Flag

SDG{96b174e94a5cb2c4ae62faa24598da07}