http://qtnes.com/tags/mtls/Recent content in Mtls on QtnesHugoen-usWed, 15 Apr 2026 00:00:00 +0000http://qtnes.com/posts/4---handshake---breaking-aes-cbc-via-iv-recovery-and-cbc-malleability/Wed, 15 Apr 2026 00:00:00 +0000http://qtnes.com/posts/4---handshake---breaking-aes-cbc-via-iv-recovery-and-cbc-malleability/<h2 id="overview">Overview</h2> <p>Handshake was a cryptography challenge disguised as a network one. The APK connected to a mutual TLS C2 server, logged in with hardcoded credentials, and received an AES-CBC-encrypted flag. The AES key was in the APK. The IV was not.</p> <p>Everything needed to decrypt the flag was recoverable, but it required understanding how CBC block chaining works and exploiting the fact that one of the two ciphertext blocks behaves independently of the IV.</p>