For this challenge we can connect to a server and use the following commands:

```
encrypt - Encrypt with AES
flag - Encrypt flag
getkey - Set AES key
help - show this help
setkey - Set AES key
```

When we call the “flag” command a new random key will be set and it will be used to encrypt the flag. Clearly we can think of calling the “flag” command, then the “getkey” and simply decrypt the flag. Unfortunately this does not work as we can see from this log:

```
Welcome to the online AES encryption service
setkey 41414141414141414141414141414141
getkey
41414141414141414141414141414141
encrypt 414243444546
294c0453d172aa05bf819805966f9d8f
getkey
a24fd58526e7d1bb483c7f3293b24741
```

When I saw this I just thought “WTF?!”. Apparently after the first encryption the key is changed! After some research we found out that the key we got after the first encryption was the result of the AES Key Expansion.

We therefore had to write a function that gives us back the original master key from the derived key and use it to decrypt the flag. Luckily we found a mathematical representation of this invert function:

```
K(i-1, 4) = K(i, 3) XOR K(i, 4)
K(i-1, 3) = K(i, 2) XOR K(i, 3)
K(i-1, 2) = K(i, 1) XOR K(i, 2)
K(i-1, 1) = K(i, 1) XOR sub(shift(K(i-1, 4)) XOR RCON(i)
```

This script automates it all and gives back the flag :)