Since we know all values used in multiplication with flag we can use z3 to get the flag. So we just need to change the flag value with Int('x{}') to make z3 find those values. Here is script that i used during the competition
The idea is doing hash length extension attack on sha1. In this case i used hashpump command line because hashpump python library doesn't work on my machine. Nothing special since we just need to add random value to make our new value not available in queries. Because we need to include first_part in our value, we can use mac_query function to get the signature first and add random value on it. Here is solver i used to implement the idea
from pwn import*import sysimport subprocessdefforge(known_hash,known_data,additional_data,key_length): output = subprocess.check_output(['hashpump', '-s', known_hash, '-d', known_data, '-a', additional_data, '-k', key_length]).decode().split("\n")
hmac = output[0]exec(f"global val;val = b'{output[1]}'")return val, hmacdefsign(payload): r.recvuntil(b": ") r.sendline(b"1") r.recvuntil(b": ") r.sendline(payload.hex().encode()) r.recvuntil(b": ")return r.recvline().strip().decode()defverify(payload,signature): r.recvuntil(b": ") r.sendline(b"2") r.recvuntil(b": ") r.sendline(payload.hex().encode()) r.recvuntil(b": ") r.sendline(signature)return r.recvline()defget_flag(payload,signature): r.recvuntil(b": ") r.sendline(b"3") r.recvuntil(b": ") r.sendline(payload.hex().encode()) r.recvuntil(b": ") r.sendline(signature)return r.recvline()# r = remote("127.0.0.1", 1234)r =remote("challenge.nahamcon.com", 31337)payload =b"I guess you are just gonna have to include this!"kh =sign(payload)new_payload, new_signature =forge(kh, payload.decode(), 'A'*8, '64')resp =verify(new_payload, new_signature.encode())resp =get_flag(new_payload, new_signature.encode())print(resp)r.interactive()
ForgeMe 2 (n solves)
Description
-
Solution
The idea is same like forge1 , but we need to brute the key length. Here is solver i used during the competition
We know that r*d is static, d is generated at initial run and r is calculated from k and G which is generated at initial run also. By using two different message we have
Since we can get value of h(m1) and h(m2) we can leak k using equation below
After getting value for k , we can get value for other unknown value which is d. To get value of d we can use equation below
Last step just sign new value using leaked value. Here is solver i used during competition
from pwn import*from Crypto.Util.number import*import hashlibdefget_sign(): r.recvuntil(b"Quit") r.sendline(b"1") r.recvuntil(b"Here is the question: ") quest = r.recvline().strip().decode()print(quest)for i in questions:if(i == quest): r.recvuntil(b"And here is the signature: (") tmp = r.recvline().strip().decode().split(", ") r1 = tmp[0] s1 = tmp[1][:-1]return r1, s1, questions.index(quest)return0,0,0defget_flag(answer,r1,s): r.recvuntil(b"Quit") r.sendline(b"2") r.recvuntil(b"message") r.sendline(answer) r.recvuntil(b"signature") r.sendline(r1) r.recvuntil(b"signature") r.sendline(s)print(r.recvline())print(r.recvline())print(r.recvline())print(r.recvline())# return r.recvline()questions = ["This game featured on the NES featured a character who rides on balloons.", "The annoying little deku fairy who helps The Hero Of Time through his quest to defeat Ganondorf and save Zelda."]
answers = ["Balloon Fight","Navi"]list_s = []list_h = []# r = process(["sage", "server.sage"])r =remote("challenge.nahamcon.com", 31337)whilelen(list_s)!=2: r1, s1, ind =get_sign()print(ind)if(r1 !=0):if(int(s1)notin list_s): list_s.append(int(s1)) ans ="What is "+answers[ind].upper()+"?" hsh =int(hashlib.sha512(ans.encode()).hexdigest(), 16) list_h.append(hsh)print(list_h)print(list_s)print(r1)n = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449
r1 =int(r1)m_h_diff = (list_h[0]- list_h[1]) % nr_inv =inverse(r1, n)answer ="kosong"payload =int(hashlib.sha512(answer.encode()).hexdigest(), 16)for k_try in (list_s[0]- list_s[1], list_s[0]+ list_s[1],-list_s[0]- list_s[1],-list_s[0]+ list_s[1]):try: k = ( m_h_diff *inverse(k_try, n) ) % n d = ((((list_s[0]* k % n) - list_h[0]) % n ) * r_inv ) % n s = ((payload + (r1*d))*inverse(k,n))%n resp =get_flag(answer.encode(), str(r1).encode(), str(s).encode())print(r1, s)exceptExceptionas e:print(e)continuer.interactive()