# THM W1seGuy Writeup: Learning XOR Weakness and Known Plaintext Attacks

* * *

## Introduction

The W1seGuy room demonstrates a classic cryptographic mistake: using XOR encryption with a short repeating key.

This challenge highlights how predictable plaintext combined with weak XOR implementations allows attackers to:

*   Recover encryption keys
    
*   Decrypt sensitive messages
    
*   Break poorly designed encryption systems
    
*   Retrieve hidden flags with minimal effort
    

The room is beginner-friendly while still teaching practical cryptographic concepts commonly seen in CTF challenges and insecure custom applications.

* * *

## Lab Information

| Category | Value |
| --- | --- |
| Platform | TryHackMe |
| Room | W1seGuy |
| Difficulty | Easy |
| Focus Area | Cryptography |

* * *

## Understanding the Challenge

When connecting to the target service on port `1337`, the server displays an XOR-encrypted message along with a prompt requesting the encryption key.

Example:

```text
This XOR encoded text has flag 1: <hex string>
What is the encryption key?
```

The challenge uses a repeating five-character XOR key.

Internally, the encryption logic works like this:

```text
cipher[i] = plaintext[i] XOR key[i % 5]
hex_output = cipher.encode().hex()
```

Every new connection generates a different random key, but the encryption methodology remains unchanged.

Because XOR encryption is reversible and the plaintext format is partially predictable, the key can be recovered.

* * *

## Understanding XOR Weakness

XOR encryption uses the XOR operation between plaintext and key bytes.

The important property of XOR is that applying the same operation twice restores the original data.

```text
cipher = plaintext XOR key
plaintext = cipher XOR key
key = cipher XOR plaintext
```

This becomes dangerous when:

*   The plaintext format is predictable
    
*   The key is short
    
*   The key repeats
    
*   No randomness is introduced
    

All TryHackMe flags begin with:

```text
THM{
```

This predictable prefix immediately leaks the first four plaintext bytes.

Additionally, the closing brace:

```text
}
```

helps recover the final key byte.

With these known characters, the full five-character XOR key can be reconstructed.

* * *

## Recovering Flag 1

The server provides the following XOR-encrypted hex string:

```text
110e752a3f7427543f3b003e4c103b31725b3a2c04284a622e290a41391a373241613a373e772332
```

To recover the plaintext and derive the encryption key, the following Python script was used.

```python
import string

xor_output = "110e752a3f7427543f3b003e4c103b31725b3a2c04284a622e290a41391a373241613a373e772332"
key = ''
key_length = 5
target_letters = ["T", "H", "M", "{", "}"]
decrypted_msg = ''

decode_xored = bytes.fromhex(xor_output).decode()
options = list(string.ascii_letters + string.digits)

def key_gen(encrypted_char, target):
    for c in options:
        if chr(ord(encrypted_char) ^ ord(c)) == target:
            return c

for i in range(key_length):
    if i < key_length - 1:
        key += key_gen(decode_xored[i], target_letters[i])
    else:
        key += key_gen(decode_xored[-1], target_letters[i])

for i in range(len(decode_xored)):
    decrypted_msg += chr(ord(decode_xored[i]) ^ ord(key[i % len(key)]))

print(f"The encryption key is: {key}")
print(f"The decrypted message is: {decrypted_msg}")
```

* * *

### Script Output

```text
The encryption key is: EF8QO
The decrypted message is: THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}
```

* * *

### Flag 1 :

```text
THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}
```

* * *

## Recovering Flag 2

To retrieve the second flag, the correct five-character XOR key must be submitted during the same server connection.

The server provides another XOR-encrypted string:

```text
0e2c230e3c6b05021b381f1c1a34382e500d1e2f1b0a1c462d3628171d192810174539281c210731
```

Using the same known plaintext technique, the derived key becomes:

```text
ZdnuL
```

Now connect to the server and submit the key.

```bash
nc <IP> 1337
```

Server prompt:

```text
What is the encryption key?
```

Submit:

```text
ZdnuL
```

* * *

### Server Response

```text
Congrats! That is the correct key!
Here is flag 2: THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}
```

* * *

### Flag 2 :

```text
THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}
```

* * *

## Why This Attack Works

This challenge is vulnerable because it combines several weak cryptographic design choices:

*   Repeating-key XOR encryption
    
*   Predictable plaintext format
    
*   Short encryption key
    
*   No randomization or salting
    
*   Direct exposure of encrypted output
    

Once even a small portion of plaintext becomes known, XOR relationships begin leaking key bytes rapidly.

This is why repeating-key XOR should never be used for secure encryption systems.

* * *

## Lessons Learned

Key concepts demonstrated in this room include:

*   How XOR encryption works
    
*   Why repeating-key XOR is insecure
    
*   Known plaintext attack fundamentals
    
*   Recovering encryption keys from predictable data
    
*   Importance of randomness in cryptographic systems
    
*   Risks of custom cryptographic implementations
    

* * *

## Conclusion

The W1seGuy room provides an excellent beginner-friendly introduction to cryptographic weaknesses caused by improper XOR implementations.

By exploiting predictable plaintext and repeating-key behavior, both encryption keys and hidden flags can be recovered efficiently.

This room is a strong practical example of why modern encryption standards exist and why custom cryptographic solutions often fail under analysis.

* * *

## Tools Used

| Tool | Purpose |
| --- | --- |
| Python | XOR analysis and key recovery |
| Netcat | Connecting to the remote service |
| XOR Logic | Decrypting repeating-key ciphertext |

* * *

Thanks for reading.
