add mermaid chart

Author: st0ffregen

README.md

@@ -20,6 +20,34 @@ Flags, in contrast, are random character strings with no inherent semantics. To
 
 Because a leaky endpoint exposes these embeddings, an attacker can download the embedding of any document (potentially one containing a flag), replicate the same encoding process locally, and use the resulting lookup table to recover every character of the flag.
 
+### Attack Flow Chart
+
+```mermaid
+flowchart TD
+    A["🎯 Start: Get flag hint session ID"] --> B["👤 Register new attacker user"]
+    B --> C["🔐 Login as attacker"]
+    C --> D["📥 Import shared session containing flag"]
+    D --> E["🔍 Create search query with random characters"]
+    E --> F["📊 Search collection for documents"]
+    F --> G["🔤 Build character embedding lookup table<br/>by embedding all ASCII characters"]
+    G --> H["📄 For each found document:"]
+    H --> I["📊 Extract embedding vector and norm"]
+    I --> J["🧩 Reconstruct flag character by character<br/>using nearest neighbor matching"]
+    J --> K{"🚫 Does flag end with 'FAKE'?"}
+    K -->|Yes| L["⏭️ Skip this document"]
+    K -->|No| M["✅ Unformat and return flag"]
+    L --> N{"📝 More documents?"}
+    N -->|Yes| H
+    N -->|No| O["❌ No flag found"]
+    M --> P["🏁 Success: Flag recovered"]
+    
+    style A fill:#ffcccb
+    style P fill:#90EE90
+    style O fill:#ffcccb
+    style K fill:#FFE4B5
+    style G fill:#E6E6FA
+```
+
 ## Cryptographic Handshake Bypass (All-Zero IV Vulnerability)
 This vulnerability exists in the custom MCP (Model Context Protocol) authentication handshake mechanism for personal AI-agents. The service implements a challenge-response authentication system using AES CFB8 encryption, but contains a critical flaw in its cryptographic implementation.
 
@@ -41,6 +69,34 @@ The attacker can repeatedly attempt the handshake by:
 3. Eventually succeeding in authentication due to the deterministic nature of the encryption with known inputs
 4. Once authenticated, gaining access to the MCP interface to read chat sessions and retrieve flags
 
+### Attack Flow Chart
+
+```mermaid
+flowchart TD
+    A["🎯 Start: Get user ID and session ID<br/>from attack info"] --> B["🔢 Create all-zero client challenge<br/>(8 bytes of 0x00)"]
+    B --> C["🔄 Start handshake attempts<br/>(up to 5000 tries)"]
+    C --> D["📤 Send zero-byte client challenge<br/>to server"]
+    D --> E["📥 Receive server challenge,<br/>memory key, and IV"]
+    E --> F["⚠️ IV is all-zero due to vulnerability:<br/>var iv = new byte[16]"]
+    F --> G["🔐 Attempt authentication with<br/>zero-byte client credentials"]
+    G --> H{"✅ Authentication successful?"}
+    H -->|No| I{"🔄 More attempts left?"}
+    H -->|Yes| J["🎟️ Receive JWT token"]
+    I -->|Yes| D
+    I -->|No| K["❌ Attack failed after 5000 attempts"]
+    J --> L["🤖 Connect to MCP interface<br/>using JWT token"]
+    L --> M["📖 Read messages from<br/>target chat session"]
+    M --> N["🏴 Extract flag from messages<br/>(message[1]['content'])"]
+    N --> O["✅ Unformat and return flag"]
+    O --> P["🏁 Success: Flag recovered"]
+    
+    style A fill:#ffcccb
+    style F fill:#ff6b6b
+    style P fill:#90EE90
+    style K fill:#ffcccb
+    style H fill:#FFE4B5
+    style I fill:#FFE4B5
+```
 
 # enochecker_cli