THM W1seGuy Writeup: Learning XOR Weakness and Known Plaintext Attacks
This writeup covers the TryHackMe W1seGuy room. The objective is to understand XOR encryption weaknesses, known plaintext attacks, and repeating-key cryptographic flaws.

Introduction
The W1seGuy room demonstrates a classic cryptographic mistake: using XOR encryption with a short repeating key.
This challenge highlights how predictable plaintext combined with weak XOR implementations allows attackers to:
- Recover encryption keys
- Decrypt sensitive messages
- Break poorly designed encryption systems
- Retrieve hidden flags with minimal effort
The room is beginner-friendly while still teaching practical cryptographic concepts commonly seen in CTF challenges and insecure custom applications.
Lab Information
| Category | Value |
|---|---|
| Platform | TryHackMe |
| Room | W1seGuy |
| Difficulty | Easy |
| Focus Area | Cryptography |
Understanding the Challenge
When connecting to the target service on port 1337, the server displays an XOR-encrypted message along with a prompt requesting the encryption key.
Example:
This XOR encoded text has flag 1: <hex string>
What is the encryption key?
The challenge uses a repeating five-character XOR key.
Internally, the encryption logic works like this:
```
cipher[i] = plaintext[i] XOR key[i % 5]
hex_output = cipher.encode().hex()
```
Every new connection generates a different random key, but the encryption methodology remains unchanged.
Because XOR encryption is reversible and the plaintext format is partially predictable, the key can be recovered.
Understanding XOR Weakness
XOR encryption uses the XOR operation between plaintext and key bytes.
The important property of XOR is that applying the same operation twice restores the original data.
```
cipher = plaintext XOR key
plaintext = cipher XOR key
key = cipher XOR plaintext
```
This becomes dangerous when:
- The plaintext format is predictable
- The key is short
- The key repeats
- No randomness is introduced
All TryHackMe flags begin with `THM{`.
This predictable prefix immediately gives the first four plaintext bytes, and XORing them with the first four ciphertext bytes yields the first four key bytes.
Additionally, the closing brace `}` at the end of the flag recovers the remaining key byte: the flag here is 40 characters long, so its last byte is encrypted with `key[39 % 5]`, which is `key[4]`.
With these known characters, the full five-character XOR key can be reconstructed.
Recovering Flag 1
The server provides the following XOR-encrypted hex string:
110e752a3f7427543f3b003e4c103b31725b3a2c04284a622e290a41391a373241613a373e772332
To recover the plaintext and derive the encryption key, the following Python script was used.
```python
import string

# Flag-1 ciphertext as displayed by the server (hex-encoded XOR output)
xor_output = "110e752a3f7427543f3b003e4c103b31725b3a2c04284a622e290a41391a373241613a373e772332"
key = ''
key_length = 5
# Known plaintext: every flag starts with "THM{" and ends with "}"
target_letters = ["T", "H", "M", "{", "}"]
decrypted_msg = ''
decode_xored = bytes.fromhex(xor_output).decode()
# The room's key is drawn from letters and digits only
options = list(string.ascii_letters + string.digits)

def key_gen(encrypted_char, target):
    # Find the key character that maps this ciphertext byte to the expected plaintext byte
    for c in options:
        if chr(ord(encrypted_char) ^ ord(c)) == target:
            return c
    raise ValueError(f"no key character maps {encrypted_char!r} to {target!r}")

for i in range(key_length):
    if i < key_length - 1:
        # First four key bytes come from the "THM{" prefix
        key += key_gen(decode_xored[i], target_letters[i])
    else:
        # Last key byte comes from the closing "}"; it lines up with key[4]
        # because the 40-byte ciphertext length is a multiple of 5
        key += key_gen(decode_xored[-1], target_letters[i])

for i in range(len(decode_xored)):
    decrypted_msg += chr(ord(decode_xored[i]) ^ ord(key[i % len(key)]))

print(f"The encryption key is: {key}")
print(f"The decrypted message is: {decrypted_msg}")
```
Script Output
The encryption key is: EF8QO
The decrypted message is: THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}
Flag 1:
THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}
Recovering Flag 2
To retrieve the second flag, the correct five-character XOR key must be submitted during the same server connection.
The server provides another XOR-encrypted string:
0e2c230e3c6b05021b381f1c1a34382e500d1e2f1b0a1c462d3628171d192810174539281c210731
Using the same known plaintext technique, the derived key becomes:
ZdnuL
Now connect to the server and submit the key.
nc <IP> 1337
Server prompt:
What is the encryption key?
Submit:
ZdnuL
Server Response
Congrats! That is the correct key!
Here is flag 2: THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}
Flag 2:
THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}
Why This Attack Works
This challenge is vulnerable because it combines several weak cryptographic design choices:
- Repeating-key XOR encryption
- Predictable plaintext format
- Short encryption key
- No randomization or salting
- Direct exposure of encrypted output
Once even a small portion of plaintext is known, every known byte reveals one key byte, and because the key repeats, a handful of known positions is enough to cover the whole key.
This is why repeating-key XOR should never be used for secure encryption systems.
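As an added example (not the room's code and not the author's script), the following Python generalizes the key recovery shown above: it derives key bytes from any set of known plaintext positions for any key length, reports key positions the known text does not cover (which happens when the flag length is not a multiple of the key length, so the closing brace no longer lands on `key[4]`), and rejects inconsistent evidence. The names `recover_key`, `xor_decrypt` and `attack` are chosen here; the sample ciphertext is the flag-1 hex quoted in this writeup.

```python
# Added example: generic known-plaintext key recovery for repeating-key XOR.
# CIPHER_HEX is the flag-1 ciphertext quoted in this writeup.
CIPHER_HEX = ("110e752a3f7427543f3b003e4c103b31725b3a2c04284a62"
              "2e290a41391a373241613a373e772332")


def recover_key(cipher: bytes, known: dict, key_len: int) -> list:
    """Derive key bytes from known plaintext bytes at known offsets.

    `known` maps a ciphertext offset (negative counts from the end) to the
    plaintext byte expected there. Returns key_len entries, each an int or
    None where no known byte covered that key position. Conflicting
    evidence for one position raises ValueError.
    """
    key = [None] * key_len
    for offset, p in known.items():
        if offset < 0:
            offset += len(cipher)
        k = cipher[offset] ^ p  # key = cipher XOR plaintext
        pos = offset % key_len
        if key[pos] is not None and key[pos] != k:
            raise ValueError(f"inconsistent key byte at position {pos}")
        key[pos] = k
    return key


def xor_decrypt(cipher: bytes, key: bytes) -> bytes:
    # XOR is its own inverse, so the same function also encrypts.
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))


def attack(cipher_hex: str, key_len: int = 5,
           prefix: bytes = b"THM{", suffix: bytes = b"}"):
    """Return (key, plaintext) on success, or (None, missing_positions)
    when the prefix and suffix do not cover every key position."""
    cipher = bytes.fromhex(cipher_hex)
    known = {i: b for i, b in enumerate(prefix)}
    known.update({i - len(suffix): b for i, b in enumerate(suffix)})
    key = recover_key(cipher, known, key_len)
    missing = [i for i, k in enumerate(key) if k is None]
    if missing:
        return None, missing
    key_bytes = bytes(key)
    plaintext = xor_decrypt(cipher, key_bytes).decode("latin-1")
    return key_bytes.decode("latin-1"), plaintext


if __name__ == "__main__":
    print(attack(CIPHER_HEX))  # prints ('EF8QO', 'THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}')
```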
Lessons Learned
Key concepts demonstrated in this room include:
- How XOR encryption works
- Why repeating-key XOR is insecure
- Known plaintext attack fundamentals
- Recovering encryption keys from predictable data
- Importance of randomness in cryptographic systems
- Risks of custom cryptographic implementations
Conclusion
The W1seGuy room provides an excellent beginner-friendly introduction to cryptographic weaknesses caused by improper XOR implementations.
By exploiting predictable plaintext and repeating-key behavior, both encryption keys and hidden flags can be recovered efficiently.
This room is a strong practical example of why modern encryption standards exist and why custom cryptographic solutions often fail under analysis.
Tools Used
| Tool | Purpose |
|---|---|
| Python | XOR analysis and key recovery |
| Netcat | Connecting to the remote service |
| XOR Logic | Decrypting repeating-key ciphertext |
Thanks for reading.