ASIS Quals 2017 – Alice, Bob, and Rob – 202 points

Description:

We have developed a miniature of a crypto-system. Can you break it?
We only want to break it, don’t get so hard on our system!

Here is the file.

There are 3 files: source code encrypt.py, encrypted file flag.enc, key flag.pub.

The algorithm is simple: it reads 1 byte at a time, processes it, and outputs 2 bytes. Encryption converts the 1-byte plaintext into 2 matrices, then computes the products of the plaintext matrices and the key matrix. One bit of the result is then changed and the result is saved as output.

Each encrypted byte carries 4 bits of plaintext. We can reverse the algorithm by checking every possible plaintext (16 values): compute the product of the 4-bit plaintext and the key, and if the result differs from the encrypted byte by 1 bit, it may be the correct plaintext for that encrypted byte.

Here is my Sage script.

And here is my result.


ASIS Quals 2017 – unsecure ASIS sub-d – 132 points

Description:
ASIS has many insecure sub-domains, but we think they are over HTTPS and attackers can’t leak the private data, what do you think?

Here is the pcap file.

This pcap shows HTTPS traffic.

After filtering with “ssl.handshake.certificate”, I got 101 different certificates. I extracted those certificates with a script, then used openssl to get each modulus. Checking the gcd of those moduli one by one, we found a common prime between the 1st modulus and the 99th modulus.

Then we can factor them, create private key files, and import those into Wireshark to decrypt the traffic. Open Wireshark –> Edit –> Preferences –> SSL –> edit the RSA keys list, then add the 2 private key files above.
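The gcd check and key reconstruction described above, as an added Python example (not the author's script). The moduli are constructed from Mersenne primes so the block runs offline; in the real case they would come from the extracted certificates, and E = 65537 is an assumed public exponent.

```python
from itertools import combinations
from math import gcd

# Constructed primes (Mersenne primes, chosen only because they are easy to
# write down); real moduli would be read from the certificates in the pcap.
M61, M89, M107, M127, M521 = (2**b - 1 for b in (61, 89, 107, 127, 521))
E = 65537                                        # assumed public exponent
MODULI = [M89 * M107, M61 * M127, M89 * M521]    # index 0 and 2 share M89


def shared_factors(moduli):
    """Return {index: (p, q)} for every modulus sharing a prime with another."""
    found = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if g != 1 and g != a and g != b:         # a proper common prime
            found[i] = (g, a // g)
            found[j] = (g, b // g)
    return found


def private_key(p, q, e=E):
    """Rebuild the RSA-CRT values a private key file needs."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def demo():
    """Factor the weak moduli, then prove key 0 decrypts a test message."""
    keys = {i: private_key(p, q) for i, (p, q) in shared_factors(MODULI).items()}
    msg = int.from_bytes(b"constructed secret", "big")
    c = pow(msg, E, MODULI[0])
    return keys, pow(c, keys[0]["d"], MODULI[0]) == msg


if __name__ == "__main__":
    keys, ok = demo()
    print("weak moduli:", sorted(keys), "decrypts:", ok)
```

For defenders the same loop works as an audit: any pair of deployed certificates with a gcd greater than 1 must both be revoked and regenerated.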

Then use File –> Export Objects –> HTTP to export the flag.

ASIS Quals 2017 – F-4 Phantom – 176 points

Description:

With F-4 Phantom II, we want to break the encryption! Please help us!!

nc 66.172.27.77 54979

Here is the [K]ey generating function

As we can see, a prime p is chosen at random, another number is created by changing 2 bits of p, and the next prime after that number is taken as q. The modulus is n=p*q.

Let len be the length of p in bits minus, k be a natural number smaller than len, and l=len-k. We have:

q=(p\pm2^{k}\pm2^{l}+x)

where x is a small number.

n can be represented as:

n=p*(p\pm2^{k}\pm2^{l}+x)

Let a=\pm2^{k-1}\pm2^{l-1}+\frac{x}{2} and b=p\pm2^{k-1}\pm2^{l-1}+\frac{x}{2}, now we have:

n=(b-a)(b+a)

Both p and q are odd primes, so their difference is an even number; this means x is even and a, b are integers. Moreover, the integer a is close to \pm2^{k-1}\pm2^{l-1}. So, if we know the random number k, we can factor n efficiently by a trivial method (similar to Fermat’s factorization). Luckily, len is approximately 540, so there are about 270 possible values of k, and we can brute-force the value of k.
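The brute force over k described above, as an added Python example (not the author's script). The key generator here is an assumed model of the flaw (flip bits k and bits-k of p, then take the next prime), and the demo uses a constructed 128-bit p so it finishes in well under a second.

```python
import math
import random
from itertools import count

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases (enough for this constructed demo)."""
    if n < 2 or any(n % sp == 0 for sp in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for base in SMALL:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    return next(c for c in count(n + 1) if is_prime(c))

def keygen(bits, k, rng):
    """Assumed model of the flaw: flip bits k and bits-k of p, take next prime."""
    p = next_prime(rng.getrandbits(bits) | (1 << (bits - 1)))
    return p, next_prime(p ^ (1 << k) ^ (1 << (bits - k)))

def factor(n, length, max_t=1024):
    """For each k try |a| = 2^(l-1) +/- 2^(k-1) + t; n + a^2 must be a square."""
    for k in range(1, length // 2 + 1):
        hi, lo = 1 << (length - k - 1), 1 << (k - 1)
        for base in (hi + lo, hi - lo):
            for t in range(-max_t, max_t + 1):   # t plays the role of x/2
                a = base + t
                b = math.isqrt(n + a * a)
                if b * b == n + a * a:           # n = (b - a)(b + a)
                    return b - abs(a), b + abs(a)
    return None

def demo(bits=128, k=37, seed=2017):
    """Generate a weak key, then factor it knowing only n and the bit length."""
    p, q = keygen(bits, k, random.Random(seed))
    return sorted(factor(p * q, bits)) == sorted((p, q))
```

Only k up to length/2 is searched because k and l = length - k are interchangeable, which is where the "about 270 values" figure for a 540-bit p comes from.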

Now, extract the key by openssl:

By brute-forcing, we get k=117 and n is factored. Here is my script.

I got the elements, but I couldn’t find the modular inverse of e because e is a divisor of (p-1). So I used dq to compute m:

dq\equiv e^{-1}\; mod\; (q-1)

m \equiv c^{dq}\;mod\;q

But that result still wasn’t the flag; after adding q some number of times, I finally got the flag:

ASIS{Still____We_Can_Solve_Bad_F4!}
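Decrypting modulo q alone and then adding multiples of q, as described above, shown as an added Python example (not the author's script). The primes, exponent and flag are constructed so that e divides p-1 while staying invertible modulo q-1; the known "ASIS{" prefix is used to decide when to stop.

```python
from math import gcd

# Constructed toy key: Mersenne primes with e | (p - 1) but gcd(e, q - 1) = 1.
P, Q, E = 2**89 - 1, 2**127 - 1, 5
N = P * Q


def decrypt_mod_q(c, q=Q, e=E):
    """Return m mod q using only dq = e^-1 mod (q - 1)."""
    dq = pow(e, -1, q - 1)
    return pow(c, dq, q)


def recover(c, prefix, p=P, q=Q, e=E, limit=1 << 16):
    """m = (m mod q) + t*q; walk t until the prefix and the ciphertext match."""
    m = decrypt_mod_q(c, q, e)
    for _ in range(limit):
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if raw.startswith(prefix) and pow(m, e, p * q) == c:
            return raw
        m += q
    return None


def demo():
    flag = b"ASIS{constructed}"             # 17 bytes, so m is larger than q
    c = pow(int.from_bytes(flag, "big"), E, N)
    assert gcd(E, P - 1) == E                # e has no inverse modulo phi(n)
    return recover(c, b"ASIS{") == flag


if __name__ == "__main__":
    print("recovered:", demo())
```

The walk is only practical because the plaintext is a small multiple of q; a properly padded message would be spread across the whole range below n.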

ASIS Quals 2017 – A fine OTP server – 79 points

Description:

Connect to OTP generator server, and try to find one OTP.

 

nc 66.172.27.77 35156


Here is the [E]ncryption function.

As we can see, the otp is the concatenation of template_phrase and an 18-byte passphrase, and the encrypted OTPs are computed as:

c_1 \equiv otp_1^{3} \;mod\;n

c_2 \equiv otp_2^{3} \;mod\;n

The server uses a 2048-bit key and the public exponent is 3 (very small), and the otp is small too, so the cube of the otp is smaller than the modulus. We can easily recover the otp by computing the cube root of the encrypted OTP:

c_1 = otp_1^{3}

otp_1=\sqrt[3]{c_1}

 

I got an encrypted OTP, then computed it with Sage.

Submit the OTP and get the flag 😀


That’s all for this challenge. So easy.

 

ASIS Quals 2017 – DLP – 158 points

Description:

You should solve a DLP challenge, but how? Of course , you don’t expect us to give you a regular and boring DLP problem!

nc 146.185.143.84 28416


Here is the [C]ryptography function

As we can see, the function picks random n and s, then computes:

enc\equiv (n+1)^{msg}\; mod\;n^{s+1}

We have:

(a+1)^{2}=a^{2}+2a+1

(a+1)^{3}=a^{3}+3a^{2}+3a+1=(a+3)*a^{2}+3a+1

(a+1)^{4}=a^{4}+4a^{3}+6a^{2}+4{a}+1=(a^{2}+4a+6)*a^{2}+4a+1

Looking at Pascal’s triangle, we can easily see that:

(a+1)^{n}=X*a^{2}+n*a+1

We don’t care what the value of X is. Reducing modulo a^{2}, we get:

(a+1)^{n}\equiv a*n + 1\;mod\; a^{2}

So, given (a+1)^{n} modulo a^{2}, we can compute the exponent n efficiently. Luckily, we already have (n+1)^{msg}\;mod\;n^{s+1} with s+1 > 2, which we can reduce modulo n^{2}.

Now we compute msg, with the modulus n in the role of a and msg in the role of the exponent:

enc\equiv (n+1)^{msg}\; mod\;n^{s+1}

enc\equiv n*msg+1\; mod \;n^{2}

where n*msg+1 is smaller than n^{2}, so:

msg=\frac{enc\%n^{2}-1}{n}
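The recovery above as an added Python example (not the author's script). low_digit is the formula from the text; recover goes beyond it and handles a msg larger than n by lifting one base-n digit per power of n, which assumes n is odd. The modulus and messages are constructed.

```python
def encrypt(msg, n, s):
    """The operation described above: (n+1)^msg mod n^(s+1)."""
    return pow(n + 1, msg, n ** (s + 1))


def low_digit(enc, n):
    """The formula from the text: msg mod n, read off from enc mod n^2."""
    return (enc % n**2 - 1) // n


def recover(enc, n, s):
    """Recover msg mod n^s one base-n digit at a time (n must be odd)."""
    msg = 0
    for j in range(s):
        mod = n ** (j + 2)
        # Divide out the digits already known. What is left is
        # (n+1)^(d * n^j) = 1 + d * n^(j+1)  (mod n^(j+2)).
        rest = enc * pow(n + 1, -msg, mod) % mod
        digit = (rest - 1) // n ** (j + 1)
        msg += digit * n**j
    return msg


def demo():
    n = 1000003 * 998244353                       # constructed odd modulus
    small = 31337                                  # msg < n: formula suffices
    big = int.from_bytes(b"constructed", "big")    # msg > n: needs lifting
    assert low_digit(encrypt(small, n, 2), n) == small
    assert low_digit(encrypt(big, n, 3), n) == big % n
    return recover(encrypt(big, n, 3), n, 3) == big


if __name__ == "__main__":
    print("recovered:", demo())
```

The discrete log is easy here because the base n+1 has order dividing n^s in this group, so each step only needs a division.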

I got the numbers like that, then computed msg.

I wonder if it was an easy challenge or if I solved it with a different method. I joked with my friend that it was a “paper with one line of code challenge” 😀 😀

ASIS Quals 2017 – Secured OTP server – 268 points

Description:

Connect to OTP generator server, and try to find one OTP.
This is secure than first server 🙂

nc 66.172.33.77 12431

Here is the [E]ncryption function

This challenge is similar to the “A fine OTP server” challenge. The otp is the concatenation of template_phrase and an 18-byte passphrase, and the encrypted OTPs are computed as:

c_1 \equiv otp_1^{3} \;mod\;n (1)

c_2 \equiv otp_2^{3} \;mod\;n

But now the template_phrase is longer, so the otp cubed is larger than the modulus n and we can’t compute the otp as the cube root of the encrypted OTP.

The server uses a 2048-bit key with public exponent 3. We can use openssl or Python to extract the key.

Let’s take a look at the identity:

(a+b)^{3}=a^{3}+3a^{2}b+3ab^{2}+b^{3} (2)

Let otp0 be the otp with an 18-null-byte passphrase; in other words, otp0 is the concatenation of template_phrase and 18 “\x00” bytes. Then the difference between otp0 and otp1 is the passphrase.

otp_1=otp_0+passphrase_1 (3)

Combine equations (1), (2) and (3), let a = otp0, b = passphrase1, we have:

c_1\equiv otp_1^{3}\; mod\;n

c_1\equiv (otp_0+passphrase_1)^{3}\;mod\;n

c_1\equiv otp_0^{3}+3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n

We can easily compute the encryption of otp0:

c_0\equiv otp_0^{3}\;mod\;n

then:

c_1\equiv c_0+3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n

c_1-c_0\equiv 3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}\;mod\;n

Now the right-hand side of the equation is smaller than the modulus, so we can transform the congruence into a polynomial equation over the integers:

c_1-c_0 = 3otp_0^{2}*passphrase_1+3otp_0*passphrase_1^{2}+passphrase_1^{3}

Now, we can easily compute the passphrase1 by solving the cubic equation.
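Solving that cubic, and the plain cube root from the “A fine OTP server” challenge as the special case otp0 = 0, in one added Python example (not the author's Sage code). The modulus, templates and passphrase are constructed, and the difference c1 - c0 is reduced mod n first because it can be negative as plain integers.

```python
# Constructed stand-in for the server's modulus: a product of two Mersenne
# primes (1886 bits). The attack never uses the factors.
N = (2**1279 - 1) * (2**607 - 1)
PASS_LEN = 18


def encrypt(otp_bytes, n=N):
    """Textbook RSA with e = 3, as in both OTP challenges."""
    return pow(int.from_bytes(otp_bytes, "big"), 3, n)


def solve(target, a, bound):
    """Binary-search x in [0, bound) with x^3 + 3a*x^2 + 3a^2*x == target."""
    lo, hi = 0, bound
    while lo < hi:
        x = (lo + hi) // 2
        val = x**3 + 3 * a * x**2 + 3 * a**2 * x   # increasing for x >= 0
        if val == target:
            return x
        lo, hi = (x + 1, hi) if val < target else (lo, x)
    return None


def recover_passphrase(c1, template, n=N):
    """Secured server: subtract c0 = otp0^3 mod n, then solve the cubic."""
    otp0 = int.from_bytes(template + b"\x00" * PASS_LEN, "big")
    x = solve((c1 - pow(otp0, 3, n)) % n, otp0, 1 << (8 * PASS_LEN))
    return None if x is None else x.to_bytes(PASS_LEN, "big")


def cube_root_otp(c, otp_len):
    """Fine server: otp^3 < n, so this is the same solve with otp0 = 0."""
    x = solve(c, 0, 1 << (8 * otp_len))
    return None if x is None else x.to_bytes(otp_len, "big")


def demo():
    secret = b"constructed-pass18"                  # constructed, 18 bytes
    long_t = b"OTP template, constructed for this example".ljust(70, b".")
    short_t = b"Your OTP is: "
    otp = short_t + secret
    ok_long = recover_passphrase(encrypt(long_t + secret), long_t) == secret
    return ok_long and cube_root_otp(encrypt(otp), len(otp)) == otp
```

The cubic only holds over the integers while 3*otp0^2*passphrase stays below n; random padding that fills the modulus removes both shortcuts.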


Submit the OTP and get the flag 😀

That’s all, and the flag is “ASIS{gj____Finally_y0u_have_found_This_is_Franklin-Reiter’s_attack_CongratZ_ZZzZ!_!!!}”.