NSUCRYPTO 2017

Posted on Tháng Mười 31, 2017 by bomotodo

This year is the second time I participate in the International Students’ Olympiad in Cryptography. The game is over, but the official results still not announced so I am not sure my solution is correct or not. However, I want to write how i found the solution. I will focus on the way to solution, not focus on algorithm because I am a noob. Please correct me if I am wrong in math (and English also, my English skill is very terrible)

This year I solved 4 challenges (maybe, because the result is pending). The solutions are following:

Problem 10: PIN code

We have 2 notes for this challenge:

The picture below the task is not linked with the task and was used only for decorative purposes. So, there is no any PIN codes or digits related to the problem.
A PIN code is an ARBITRARY number of ARBITRARY length (not 4).

I tried to choose some random value P then calculate the S i realize that most of them are 27, i was so surprised. However, there is something missing at the first time i read the challenge, i read more carefully and i found that the number P is an arbitrary number consisting of a few pairwise different digits in ascending order. Tried again with these numbers, the calculated S only had 1 value: 27. At this time, i knew the answer for this challenge but i didn’t know why. With a pen and a paper, i had my explanation:

Assume P is a number with 5 digits: P = abcde. We have A = 999*P = 1000*P – P

The solution of the numbers P satisfied this challenge’s condition will be as same as this one, but i was so lazy to write it generalize so i stopped here and insisted that my teammate (@cothan) help me to do it, hehe. He said that this challenge seem to be a secondary students’ test. Right, it was so easy, maybe it was used to encourage players.

Problem 5: A music lover

There are 2 remarks for this challenge:

You should invent a way how to apply one code to another.
Some arithmetic operations can also be used.

When i was doing this challenge, i didn’t know where i should begin. Too much thing in one picture:

The morse code at the top
The table with a lots numbers and letters
& symbol
A string with 11 letters

but in the description, they said that there are only 2 secret codes we need to know. I tried a lots of way. At the begining, i misunderstood that & operator is one of arithmetic operations, it wasted me a lots of time. I found that the morse string and the other string have same length (11). I was sure that 2 strings were belonged 2 secret codes Alex had used. And how about the table, still unknown. Trying to map these 2 strings with the table, i found that the letter O in the second string didn’t appear in the table so the table must be map with the morse string. After decoding the morse string i had STNEKMIHWAY.

However, i hadn’t known that a letter should be map with a number following or all of numbers following jet. If you don’t know which way to the destination, go all the way possible.

I tried to calculate sum of these numbers first, i get a list of numbers:

[4, 7, 5, 25, 25, 10, 4, 3, 5, 0, 6]

then add these numbers with the remain string i got EDVARDGRIEG

No meaning, i tried other way, just used a number following the letter in the table, i got a list:

[3, 1, 2, 8, 9, 2, 2, 3, 5, 0, 3]

this time i got DXSJBVERIED, seem to be better.

I thought that this string should be DISCOVERIED but it was wrong at 3 letters. I tried again, more carefully, but the result didn’t change. I tried some other similar way, still no hope. I wondered if the challenge correct or not. After discussing with my teammates, finally, one of my teammates (@quandoan a.k.a. qd) realized that EDVARDGRIEG is name of composer and pianist, lollllllllllllllllllllllllllllllllllllll. It is so sad when you find the secret but you dont know it is a secret then you waste the time for the wrong ways. F*ck my life! F*ck my knowledge about music. F*ck my “google search” skill. I hope that there is someone who doesn’t realize that like me, hoho.

Finally i knew that the & symbol was used to seperated 2 secret codes, lol. How noob i am.

Problem 8: Scientists

This challenge made me guess a lots. I tried anything possible, i searched for the biographies of those scientist. I thought about their year of birth, nationality, institution, school, award and honors, field, nobel prizes,….bla bla bla… .After wasting tons of time, i realized that i forgot 1 important thing: use brain. Fresh my mind and return to the beginning, read the description as careful as possible and i found something. I asked myself:

Why called set of paramaters? How many paramaters in a set? Why the secret was devided into 3 parts? Why a part was encrypted 3 times? One time is enough,… Too much questions so i can’t remember all of them. Just focus on some question above.

Why the secret was devided into 3 parts? The parts of plaintext was encrypted with a 48-bits cryptosystem? We need 3 times encrypt the plaintexts with same parameters to attack this cryptosystem?…
Why a part was encrypted 3 times? We need 3 ciphertexts of 1 plaintext with different parameters to attack this cryptosystem? This question make me remember to an attack on RSA cryptosystem that i did many times before. New hope.

Checked these scientists’ information again. I looked for some primes. Begin with the year of birth:

Charles Darwin : 1809 –> not prime

Tried with concatenation of the birthday:

Charles Darwin : 1221809 –> not prime

How about full birthday with the format DDMMYYYY

Charles Darwin: 12021809 –> prime
Michael Faraday: 22091791 –> prime
Werner Heisenberg: 5121901 –> prime
Johannes Kepler: 27121571 –> prime
Hans Christian Orsted: 14081777 –> prime
Mikhail Lomonosov: 19111711 –> prime

So magical, the light was right here. It couldn’t be a coincidence. I guessed that is RSA cryptosystem and the attack is using CRT to compute the plaintext which encrypted with small public exponent (e = 3). Check again for the sureness:

This meaned 3 divided phi(n) so i couldn’t compute the plaintext even if when i know phi(n) unless using CRT. No more doubt, almost reached the solution. The last thing to do was recover the plaintext with this such attack.

I also surprised when i did it, lol, so magical.

Conclusion:

The plaintext was PUTSTHEMINDINORDER
The property is: Birthday of them with format DDMMYYYY is a prime.
The cryptosystem is RSA, the attack is CRT with small public exp. (e = 3)
The whole sentence is: Mathematics should be studied if only for that it puts the mind in order

Problem 2: TwinPeaks

This challenge is so complicated for me. It make me waste a lots of papers, maybe a quarter of my notebook :'(. Wrote down, wrong, threw, repeated.

Note for the following sh!t i write:

a, b, c, d is the original 32-bits words (plaintext)
a’, b’, c’, d’ is the final 32-bits words (ciphertext)
+ operator is the coordinatewise sum modulo 2 which is as same as XOR operator

Applied tranformation as same as step 3 in the description:

a’ = a + c + S(c + d)
b’ = a + b + d + S(c + d)
c’ = a + c + d
d’ = b + d + S(c + d)

Did this tranformation 6 times i got the final result (other tranformations are not necessary so i will not write here):

a’ = d + X1 + X2 + X4 + X5 + X6 (1)
b’ = c + X1 + X2 + X5 + X6 (2)
c’ = b + X3 + X4 (3)
d’ = a + X2 + X3 + X4 + X6 (4)

with:

X1 = S(c + d) (5)
X2 = S(a + b + c + X1) (6)
X3 = S(a + b + X2) (7)
X4 = S(b + c + d + X3) (8)
X5 = S(c + d + X4) (9)
X6 = S(a + b + c + X1 + X5) (10)

Combined (1), (2) i got:

a’ + b’ = c + X1 + X2 + X4 + X5 + X6 + d + X1 + X2 + X5 + X6
= c + d + X4 (11)
==> X4 = a’ + b’ + c + d

Combined (1), (2), (3) i got:

a’ + b’ + c’ = b + c + d + X3 (12)
==> X3 = a’ + b’ + c’ + b + c + d

Combined (3), (4) i got:

c’ + d’ = a + b + X2 + X6 (13)

This challenge provided a link for testing the encrypt function, but it no longer available. At first, i tried with 128 bits 0 which is 00000000000000000000000000000000 in hexadecimal notation. The server returned 9EB684838EFA7E766FFAA1B6804583D4

Rewrite the fomula:

X1 = S(0)
X2 = S(X1)
X3 = S(X2) = a’ + b’ + c’
X4 = S(X3) = a’ + b’
X5 = S(X4)
X6 = S(X1 + X5)

I knew a’, b’, c’ after encypting 128-bits 0 so i could know X3 (input of function S) and X4 (output of function S). But i couldn’t control this input.

Called this X3 is XXX, i had

XXX = a’ + b’ + c’
= 0x9EB68483 + 0x8EFA7E76 + 0x6FFAA1B6
= 0x7fb65b43

I tried some way to control the input of S function. I spent long time to found out: if i input 4 32-bits words with format:

a = b != 0
c = d = 0

i could control the input of S function. Rewrite the formula:

X1 = S(0)
X2 = S(X1)
X3 = S(X2) = a’ + b’ + c’
X4 = S(b + X3) = a’ + b’
X5 = S(X4)
X6 = S(X1 + X5)

Noticed that this time the value of X3 equal to S(S(S(0))). It is as same as the value of XXX above. I knew this value, i could control the value of b so i could control the input of S function and got the output of arbitrary input (oracle).

At this time, i had an oracle, the remaining problem was how can i recover the plaintext within only ciphertext and an oracle.

Backed to the generalized fomula, tried to do something with these fomula.

Combined (8), (12), i got that:

X3 = S(a’ + b’ + c’)

Similar with (9), (11):

X4 = S(a’ + b’)

(2), (3), (4) ==> b’ + c’ + d’ = a + b + c + X1 + X5 (14)
(10), (14) ==> X6 = S(b’ + c’ + d’)
(6), (14) ==> X2 = S(b’ + c’ + d’ + X5)
(5), (11) ==> X1 = S(a’ + b’ + X4)
(7), (13) ==> X3 = S(c’ + d’ + X6)

I had an oracle, i had a way to calculate all value (X1, X2, X3, X4, X5, X6), Uh, i had a solution.

Tried to recover the plaintext of the ciphertext 59A0D027D032B394A0A47A9ED19C98A8. To compute X4, i need the output of function S with the input equal a’ + b’ (0x59A0D027 + 0xD032B394 = 0x899263b3). So i added this wanted input with XXX to get b value:

b = 0x899263b3 + 0x7fb65b43
= 0xf62438f0

then i encrypted f62438f0f62438f00000000000000000. The output could be used to calculate X4. The others were the same.

When i had all values of (X1, X2, X3, X4, X5, X6), it was very easy to compute the plaintext:

a = d’ + X2 + X3 + X4 + X6
b = c’ + X3 + X4
c = b’ + X1 + X2 + X5 + X6
d = a’ + X1 + X2 + X4 + X5 + X6

The plaintext was: 43abeccaa53cb953f35239e79cc900ee

Conclusion

That’s all. My team solved 2 another problems but my teammates did it so i don’t write it here. I only write what i did.

Thanks for the great challenges, i learned a lots . I haven’t tried hard like i did last week for a long time. I hope my boss can’t see this blog because i did those challenge almost the time at the office 😀 😀

I will participate nsucrypto 2018 for sure! 😀

ASIS Quals 2017 – Alice, Bob, and Rob – 202 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:

We have developed a miniature of a crypto-system. Can you break it?
We only want to break it, don’t get so hard on our system!

Here is the file.

There are 3 files: source code encrypt.py, encrypted file flag.enc, key flag.pub.

The algorithm is so easy, read 1 byte/time then compute it and ouput 2 bytes. The encrypt algorithm is just convert the 1-byte-plaintext into 2 matrixs then compute the products of the plaintext matrix and the key matrix. The result will be change 1 bit then save as output.

1-byte was encrypted with 4 bits plaintext. We can reverse the algorithm by check all of plaintext available (16 value). We can guess the plaintext by compute the product of the 4-bit plaintext and the key, if the result is different 1 bit with the encrypted byte, then it maybe the correct plaintext with this encrypt byte.

Here my sage script.

And here is my result.

ASIS Quals 2017 – unsecure ASIS sub-d – 132 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:
ASIS has many insecure sub-domains, but we think they are over HTTPS and attackers can’t leak the private data, what do you think?

Here is the pcap file.

This pcap shows the traffic of https protocol.

Untitled

After filter with “ssl.handshake.certificate”, i got 101 different certificates. Extract those certificates by a script. Then use openssl to get the modulus. Check gcd of those modulus one-by-one, we got the common prime of the 1st modulus and the 99th modulus. Untitled

Then, we can factor them and create a private key file then import to wireshark to decrypt the traffic. Open wireshark –> edit –> preferences –>SSL –> edit RSA key lists then add 2 private key files obove.

Untitled

File –> export objects –> HTTP to export flag.

ASIS Quals 2017 – F-4 Phantom – 176 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:

With F-4 Phantom II, we want to break the encryption! Please help us!!

‍‍‍nc 66.172.27.77 54979

Untitled

Here is the [K]ey generating fuction

As we can see, a prime p is chosen random, another number is created by change 2 bit of p, then find the prime next to that number as q. The modulus n=p*q.

Let len is the length of p in bits minus, k is a natural number smaller than len and l=len-k, we have:

$q=(p\pm2^{k}\pm2^{l}+x)$

with x is a small number.

n can be represented as:

$n=p*(p\pm2^{k}\pm2^{l}+x)$

Let $a=\pm2^{k-1}\pm2^{l-1}+\frac{x}{2}$ and $b=p\pm2^{k-1}\pm2^{l-1}+\frac{x}{2}$ , now we have:

$n=(b-a)(b+a)$

We have p and q is odd primes so their difference is an even number, it means x is even and a, b is integers. Morever the integer a is closely with $\pm2^{k-1}\pm2^{l-1}$ . So, if we know the random number k, we can factor n efficiently by travial method (similar to the Fermat’s factorization). Luckily, len is appropriate 540 so we have about 270 available value of k. Then we can brute force the value of k.

Now, extract the key by openssl:

By brute-forcing, we get k=117 and n be factored. Here is my script.

I got the elements, but i couldn’t find the modular inverse of e because e is a divisor of (p-1). So i used dq to compute m:

$dq\equiv e^{-1}\; mod\; (q-1)$

$m \equiv c^{dq}\;mod\;q$

but that result still isn’t the flag, after add some times of q, finally i got the flag:

ASIS{Still____We_Can_Solve_Bad_F4!}

ASIS Quals 2017 – A fine OTP server – 79 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:

Connect to OTP generator server, and try to find one OTP.

nc 66.172.27.77 35156

Here is the [E]ncryption function.

As we can see, the otp is the concatenation of template_phrase and 18-bytes passphrase and the encrypted OTP are compute as:

$c_1 \equiv otp_1^{3} \;mod\;n$

$c_2 \equiv otp_2^{3} \;mod\;n$

The server uses 2048-bits key and the public exponent is 3 (so small) and the otp is small too, so the cube of otp is smaller than the modulus. We can easily compute the otp by computing the cube root of encrypted OTP:

$c_1 = opt_1^{3}$

$otp_1=\sqrt[3]{c_1}$

I got an encrypted OTP then computed with sage:

Submit the OTP and get the flag 😀

That’s all for this challenge. So easy.

ASIS Quals 2017 – DLP – 158 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:

You should solve a DLP challenge, but how? Of course , you don’t expect us to give you a regular and boring DLP problem!

nc 146.185.143.84 28416

Untitled

Here is the [C]ryptography function

As we can see, that fuction random n and s then compute:

$enc\equiv (n+1)^{msg}\; mod\;n^{s+1}$

We have:

$(a+1)^{2}=a^{2}+2a+1$

$(a+1)^{3}=a^{3}+3a^{2}+3a+1=(a+3)*a^{2}+3a+1$

$(a+1)^{4}=a^{4}+4a^{3}+6a^{2}+4{a}+1=(a^{2}+4a+6)*a^{2}+4a+1$

Take a look at the Pascal’s triangle:

Untitled

We can easily realize that :

$(a+1)^{n}=X*a^{2}+n*a+1$

We don’t care whatever the value of X is. We compute:

$(a+1)^{n}\equiv a*n + 1\;mod\; n^{2}$

Then, if we have $(a+1)^{n}$ we can compute n efficiently, luckily we already had $(a+1)^{n}\;mod\;n^{s+1}$ with s+1 > 2

Now we compute n:

$enc\equiv (n+1)^{msg}\; mod\;n^{s+1}$

$enc\equiv (n+1)*msg+1\; mod \;n^{2}$

where (n+1)*msg+1 is smaller than $n^{2}$ then:

$msg=\frac{enc\%n^{2}-1}{n}$

I got the numbers like that

then compute:

Untitled

I wonder if it was an easy challange or i solved it with a different method. I joked with my friend that was a “paper with one line of code challenge” 😀 😀

ASIS Quals 2017 – Secured OTP server – 268 points

Posted on Tháng Tư 9, 2017 by bomotodo

Description:

Connect to OTP generator server, and try to find one OTP.
This is secure than first server 🙂

nc 66.172.33.77 12431

Untitled

Here is the [E]ncryption fuction

This challenge is similar to the “a fine OTP server“ challenge. The otp is the concatenation of template_phrase and 18-bytes passphrase and the encrypted OTP are compute as:

$c_1 \equiv otp_1^{3} \;mod\;n$ (1)

$c_2 \equiv otp_2^{3} \;mod\;n$

but now, the template_phrase is longer. So, the otp cubed now larger than the modulus n and we can’t compute the otp as the cube root of the encrypted OTP.

The server use 2048-bits key with the public exponent is 3. We can use openssl or python to extract the key.

Untitled

Let take a look at the equation:

$(a+b)^{3}=a^{3}+3a^{2}b+3ab^{2}+b^{3}$ (2)

Let the otp0 is the otp with the 18-null-bytes-passphrase, otherwise, otp0 is the concatenation of template_phrase and 18-bytes “\x00”, then we have the difference between otp0 and otp1 is the passphrase.

$otp_1=otp_0+passphrase_1$ (3)

Combine equations (1), (2) and (3), let a = otp0, b = passphrase1, we have:

$c_1\equiv otp_1^{3}\; mod\;n$
$c_1\equiv (otp_0+passphrase_0)^{3}\;mod\;n$
$c_1\equiv opt_0^{3}+3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n$

We can easily compute the encrypted of otp0:

$c_0\equiv otp_0^{3}\;mod\;n$

then :

$c_1\equiv c_0+3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n$

$c_1-c_0\equiv 3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n$

Now, we have the right-side of the equation is smaller than the modulus then we can tranform that congruence equation into polynomial equation:

$c_1-c_0 = 3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}$

Now, we can easily compute the passphrase1 by solving the cubic equation.

Untitled

Submit the OTP and get the flag 😀

Untitled

That ‘s all and the flag is “ASIS{gj____Finally_y0u_have_found_This_is_Franklin-Reiter’s_attack_CongratZ_ZZzZ!_!!!}”.

SVATTT vòng loại – readit – 150 điểm

Posted on Tháng Mười Một 7, 2016 by bomotodo

Bài này cho 1 file pcap, mình cũng không biết làm gì cho tới khi có hint của BTC: “checksum”.

Để ý lại checksum của các packet từ 118.201.62.250 đến 192.168.1.77 ta thấy:

0x6544 ==> “eD”

0x6243 ==> “bC”

0x7742 ==> “wB”

0x6441 ==> “dA”

0x6440 ==> “d@”

0x643f ==> “d?”

……..

Screenshot from 2016-11-07 21:54:00.png

Để ý thấy mấy cái checksum nó không được random, byte cuối của checksum giảm dần nên mình đoán là nó không ảnh hưởng gì lắm đến flag (cùng lắm nó là số thứ tự 😀 )

Ghép tắt cả các byte đầu của checksum khả nghi theo thứ tự ta được chuỗi:

str = “ebwddd=E\x88YJIAY?\x88CYMJIAYP\x88AYd\x88YU\x84LUCLxD\x85YDUHYUPM\x83CK;”

Ta thấy “ebwddd” giống với format “SVATTT” nên đoán đây chỉ là subtitution đơn giản. Thử các kiểu ta thấy ascii(flag)=184-ascii(str). Chạy 1 vòng for ra được flag:

SVATTT{s0_now_y0u_know_h0w_T0_c4lcul@t3_tcp_chk5um}

SVATTT vòng loại – OTP chatbot – 400 điểm

Posted on Tháng Mười Một 7, 2016 by bomotodo

Lần đầu tiên được thi SVATTT, cảm gíac khá thú vị!

Sở trường của mình là crypto mà vào thi thấy chỉ có 1 bài crypto mà tận 400 điểm, mình cũng ngán nhảy qua làm những bài easy hơn để kiếm điểm nên đến khi cuộc thi kết thúc vẫn không có thời gian để xem kỹ bài này. Về nhà xem lại thì thấy bài này không đến nỗi khó, có thể nói là bài này qúa dễ so với con số 400 điểm. Hoặc cách giải của mình khôgn phải là cách gỉai mong muốn của BTC. Mình nghiêng về ý thứ 2 😀

nc chatbot.svattt.org 5555

Code

Ấn tượng đầu tiên sau khi đọc code là gía trị biến “encrypt_key” chỉ random 1 lần trong 1 session. Do đó, trong 1 lần kết nối ta có thể xem gía trị đó là cố định và chưa biết. Cả Flag và các “res” còn lại đều được encrypt bằng modulus đó (encrypt_key). Còn nếu các bạn không hiểu modulus hay RSA là gì thì tham khảo tại đây

Lan man đủ rồi, phần chính bắt đầu từ đây 😀

Netcat vào, chat “FLAG?” bot sẽ trả về:

enc_flag = encrypt(b2n(FLAG), encrypt_key)

và 1 cái signature, tạm thời mình không quan tâm tới gía trị này.

greet = [“‘sup bro”, “hey”, “*nods*”, “hey you get my snap?”]

Khi chat “hi” con bot sẽ chọn ngẫu nhiên 1 trong 4 string trong greet để encrypt rồi trả về:

enc = encrypt(b2n(res), encrypt_key)

= b2n(res) ^ 65537 % encrypt_key

==> b2n(res) ^ 65537 -enc =k * encrypt_key

Vì res chỉ mang 4 gía trị khi mình chat “hi” nên enc cũng chỉ mang 4 gía trị và ta có:

b2n(res_1) ^ 65537 – enc_1 = k_1 * encrypt_key = x_1

b2n(res_2) ^ 65537 – enc_2 = k_2 * encrypt_key =x_2

Và điều thú vị ở đây là: gcd(x_1, x_2) CÓ THỂ chính là encrypt_key

Dựa vào đó, ta có thể tìm encrypt_key bằng cách thu thập đủ 4 gía trị “enc” rồi test thử với từng “res”, gía trị nào tầm 100bytes là “chính nó” 😀 (theo thực tế thì trong tất cả gía trị tìm được chỉ có 1 nên không phải buâng khuâng :D)

Cứ thế reset kết nối và lập lại các bước để tìm ra gía trị encrypt_key cho đến khi tìm được encrypt_key có thể factor thành các prime nhỏ. Flag được tính dễ dàng bằng phi(encrypt_key) tính được từ các prime tìm được ở trên.

d = e^-1 % phi

flag = enc_flag ^d %n

Flag: SVATTT{CRT_CRT_CRT_101!!!!}

Đây là số liệu mình tìm được, các bạn tham khảo!

Bài này mình không dùng đến N, signature, hint đề cho cũng như CRT như trong flag đề cập nên không biết đây có phải là 1 expected solution không 😀

Boston Key Party CTF 2016- Bob’s hat-4 points

Posted on Tháng Ba 8, 2016 by bomotodo

Dữ kiện đề cho file (do sever đã đóng nên mình tạm lấy file trên mạng)

Decription: Alice and bob are close together, likely because they have a lot of things in common. This is why Alice asked him a small *q*uestion, about something cooler than a wiener.

Sau khi extract ra ta thấy có 3 file trong đó có 1 file encrypted, 1 file pub và 1 file zip đã được đặt pass. Ta có thể đoán được đề yêu cầu từ file encrypted và public key ta phải decrypt để có được key dùng cho file zip.

Dùng openssl để xem trong file pub có gì

openssl rsa -pubin -in almost_almost_almost_almost_there.pub -text

Screenshot from 2016-03-09 01:14:54.png

Ta có:

e=65537

n=9473874079694384096182353069577870140898775728758349266591973

0017973847138345511139064596113422435977583856843887008168202003

8559067080390134873493905718011414072450390115988105422320296345

6484879799853487225154966045427733650283818564293763757612153394

5369150901808833844341421315429263207612372324026271327

Muốn decrypt được ciphertext thì cần phải có được private key, muốn có được private key thì ta cần phải cố gắng factor được n. Ta biết nếu p và q xấp xỉ bằng nhau và xấp xỉ căn bậc 2 của n hay nói cách khác |p-q| rất nhỏ so với n thì ta có thể brute force để tìm p và q. Bằng 1 đoạn script sage nhỏ ta có thể tính được p và q dễ dàng.

a=int(pow(n,1/2))

if a%2==0:

a+=1

while 1:

if n % a == 0:

print a , “\n” , n/a

break

a+=2

Tính được p, q ta dễ dàng tìm được d và decrypt được cipher text.

Screenshot from 2016-03-09 02:19:50

m=XtCgoEKksjKFWlqOSxqsEhK/+tsr1k5c

Tìm được key đem extract file .zip ta lại được 3 file tương tự 😦 nhưng tên file thì ngắn hơn.Tương tự như trên dùng openssl để xem n và e. Ta được:

e2=65537

n2=1207117430092199941993878768520527286338218232820016866826373

908528791519744581452678229118497350284847054099950935565562007

942563342817268273622370244365148320932602276326621994849273139

0160090888745608542251360416595926195898999991852624141356869798

0750606419722847183884466865579933961646797811650439499767

Thử với cách cũ thấy brute force không thành công (qúa lâu), ta tìm cách khác. Ta tính thử GCD(n,n2). Ta thấy GCD này không bằng 1 tức n2 và n một ước chung khác 1, từ 1 ước đã biết của n2 ta có thể tìm ước còn lại của n2 1 cách dễ dàng bằng cách lấy n2 chia cho GCD (n , n2)

p2=973338280337025689313610984097159097146009477924233491943234

780149164161744361585622116861113893357611819679528244350360966316

8324106758595642231987246769

q2=12401828372292379853813876769631673931562555174641979554254424

4580382430586384170652843012668812424330178286638188116065565592

56084249679274024474025282343

Có p, q ta có thể tính được m tương tự như trên. Ta được:

m2=rlSpJ6HbP+cZXaOuSPOe4pgfevGnXtLt

Extract ta lại được 3 file, với file .pub ta được:

e3=65537

n3=859765629786054510709140349760823881041588485778835462364954

5462584626186357491015183008751788834205126626170046660764709588

72116943297480465011062429953197177411454325442255841630557883504

090074585678296578526833375040418484176613454408962791730859146

5828618442384534122739386366913053748919149466237339278512341

Thử với 2 cách ở trên đều không thành công, ta thử factor n với 1 tool online. Bingo! N3 được cấu thành từ 2 số nguyên tố trong đó có 1 số nguyên tố nhỏ nên dễ dàng được factor theo kiểu truyền thống. Ta được:

p3=54311

q3=158304142767773473275973624083670689370769915077762416888835

51145411843247882548682924285599213481992831334665255032617167035

63029484446024681944840695168929272912401402003748488576085661

291616936874073938205017092992285942965838621005705957893853656

06706350802643746830710894411204232176703046334374939501731

Từ p3, q3 ta được:

m3=hQdK+dKleMJqth/dofWyFaiWp3PW7jil

Ta lại được 3 file, ban tổ chức ra đề nhây thật 😦 nhưng có vẻ đây là file cuối cùng rồi vì trong file .zip là 1 file mang tên flag 🙂 Hi vọng.

e4=494466786000513792287609062860311555097422398326597057315592

49988210578539211813543612425990507831160407165259046991194935262

2005659538425671487860530404501989197538343973781889325245998400

27093290217612285214105791999673535556558448523448336314401414644

879827127064929878383237432895170442176211946286617205

n4=1096769317767533941413945645147207342367965840228428205076139

45978304098920529412415619708851314423671483225500317195833435789

1744914178718642603750662788855742326532564254342961137739738745

42733322600365156233965235292281146938652303374751525426102732530

711430473466903656428846184387282528950095967567885381

Ta thấy e4 có đến 1023 bits trong khi n chỉ có 1024 bits – Ta biết với số e càng lớn thì số d sẽ càng nhỏ, và nếu số d nhỏ hơn (n^0.25)/3 thì ta có thể tấn công bằng phương pháp Wiener attack, trên phần mô tả đề bài lại có đề cập đến Wiener nên cơ hội cao ta đang đi đúng hướng.Viết 1 đoạn code sage nhỏ để tính, ta thu được

p4=10843221374140991753173625949764386011485161421520044246309105

0534895005192579412727966814174970617340540814782805188355823533

21569961722963922828311576983

q4=101147922736606568746185687124064203441762204577905631780922

22929337786916374923318745284718351487926620784106195715878875311

958793629905453919697155685507

Từ p4, q4 ta được:

m4=/3aAP5dF2zmrPh9K6A4AqMLsIiYDk2C2

Extract ra ta được flag: BKPCTF{Its_not_you,_its_rsa_(that_is_broken)}

	Hi trong ASIS Quals 2017 – unsecu…
	bomotodo trong ASIS Quals 2017 – unsecu…
	Hi trong ASIS Quals 2017 – unsecu…
	ASIS Quals 2017… trong ASIS Quals 2017 – A fine…
	bomotodo trong SVATTT vòng loại – OTP c…