CTF Shell Club

Collection of CTF write ups made with <3.

© 2019. All rights reserved.

WPICTF - rsa-machine

14 Apr 2019

description: nc rsamachine.wpictf.xyz 31337 (or 31338 or 31339)

category: Crypto - 250

Once again this a RSA challenge, you can connect to the service rsamachine.wpictf.xyz, it will display the public key sign anything except getflag

nc rsamachine.wpictf.xyz 31337 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm6U3u7cIcAvZpLoNnC7+
Ed6AtPq8q2G+P0h9SFfF4dY10Y6qC0Q76M6YjsHnxJVjB1hHpMRRZ1xEBETDDAEd
E0Q7fkE4nmo1zIlZ+GDc1Wh8yjFP5dgUUsV+gmpHpiV8bGf7fjbOUQQsr4Tdj36r
k/MECUJ1KirI6hxwjGbiv91QOtaWxHowklEew/qjcluvRXWQSny4QbBnEiDDlcc7
LsJNWC9vSrVSdJYzOq1AHg8OAj/9LwZBP4LKv5R1KeHmbHcA9YH7209KPRuoUq+8
yZT5dwcDOj7CIAi5ZZTNB+8JFye9P5Io7KLtjNfc2LuWFcmnD1L2Jkq1uaAKlDhW
xwIDAQAB
-----END PUBLIC KEY-----
sign something 
263143455915553814887752724380314073403898730047303403988419060491103813517683987149316936899917770854377052259279067668404252951681718316256673764873508758275796657584169673472618879593959868838554701949970086430857326767140906350258609046836933983182628811986955853432603640580199244364940762358967783650993395295484998136760749744014952178178481654620475181643286301429842971867932606572045849027337514537764615811040636337471022302207829370474793300200243702914208594827859646506339198480880761272715718921034602009369230231577795574179605634300263686633900298593950959943424333149187160061409252478269885226682

The author provided the challenge source code, we have to send getflag followed by its signature which will be verified in if privkey.verify(b'getflag', (signature,)):.

#!/usr/bin/python3

import sys

from Crypto.PublicKey import RSA

def run(inFile, outFile):
    privkey = RSA.generate(2048)
    pubkey = privkey.publickey().exportKey()

    outFile.write(pubkey + b'\n')

    while not outFile.closed:
        outFile.flush()

        line = inFile.readline()
        if not line: #EOF
            break

        line = line.rstrip(b'\n')
        if not line:
            continue

        try:
            [cmd, param] = line.split(maxsplit=1)
        except ValueError:
            outFile.write(b'Parameter required!\n')
            continue

        if cmd == b'sign':
            if param == b'getflag':
                outFile.write(b'No cheating!\n')
            else:
                (signature,) = privkey.sign(param, None)
                outFile.write(str(signature).encode() + b'\n')

        elif cmd == b'getflag':
            signature = int(param)
            if privkey.verify(b'getflag', (signature,)):
                outFile.write(b'[REDACTED]')
                break
            else:
                outFile.write(b'Bad signature!\n')

        else:
            outFile.write(b'Bad command ' + cmd + b'\n')

if __name__ == '__main__':
    run(sys.stdin.buffer, sys.stdout.buffer)

This is a classic RSA blinding attack, the full details about the attack are available at http://the2702.com/2015/09/07/RSA-Blinding-Attack.html. I made a python script based on the pwn lib to interact with the service.

import re
import codecs
import random
from Crypto.PublicKey import RSA
from binascii import unhexlify, hexlify
from pwn import *

srv = remote('rsamachine.wpictf.xyz', 31337)
pubkey = srv.recv().strip()
key = RSA.importKey(pubkey)
print("[!] Got public key")

M = int(hexlify("getflag"), 16)
N = key.n
e = key.e
r = 3 # random.randint(2, N-1)
mbis = (M * pow(r,e))  % N
messagebis = ("%2X" % mbis).decode('hex')

srv.send("sign " + messagebis + "\n")

sbis = srv.recv()
sbis = long(sbis.strip())  #sbis = pow(mbis, d) % N  
print("[!] Got S' : {}".format(sbis))

s = (sbis/r) % N 

srv.send("getflag {}\n".format(s))
print(srv.recv())

We got the flag after launching the script 3 times.

╰─$ python2 rsablind.py
[+] Opening connection to rsamachine.wpictf.xyz on port 31337: Done
[!] Got public key
[!] Got S' : 8055189041943281850539614428987268833243977988231476308451969394241131492275713532521566856414705140678584275459454061478877916901106021929082261596304029000380356771010090392077825985126904892021860846170710444878788617553685554227251040415596010342529263252780579779283805197748539892098561765320527416126709326474068550668984482014647358415646453014451009099645828063210244579362249356356992100432879012681260104886379237896331092235634504293978157618536973885986939804073798159721968127183030650941348417673375708632952880399373025493539732962654422773982210391960030492635331940490213507770535612609263131485740
WPI{m411e4b1e_cipher5_4re_d4ngerou5}
[*] Closed connection to rsamachine.wpictf.xyz port 31337

The flag was WPI{m411e4b1e_cipher5_4re_d4ngerou5}


Related Posts