Aski (Binathlon 300)

Dil4rd — Tue, 11 Feb 2014 23:36:23 +0000

Category:

Event:

Olympic CTF 2014

Description:

Download Aski.

Solution:

After downloading file we can see that it's x86 ELF. The description tells us nothing, so the best way to understand what is it --- execution:) When we execute it, we will see a newly created conlose with very-very fast changing pictures (every picture is a set of ASCII symbols). Hmm.. maybe something intresting is hidden in those pictures?.. Let's take a look!

A simple search of symbols from last picture produced no results, so they seems to be encrypted, gziped or saved in unusual way. To understend it let's load our executable to IDA and start reversing.

After fast research it's became clear that the greater part of this binary are compilated parts of different open source projects (e.g. OpenSSL sources has been used for cryptographical purposes). From one hand, it seems to be a problem: big projects have template-like structure and it's own data representation, what makes fast research very hard. From other hand, such projects have good error messages with functions or file names, and in many cases big projects with template-like structure provide a set of functions, which allow easy enumeration of elements of input array and making simular actions under every single element. The most common way to realize such functionality is the next:

typedef void (*with_element)(element &el);
void for_each(array<element> arr, with_element foo);

According to this suggestion, the first thing we do is rearch for high-level function which enumerates pictures and write them to console. It's a function at address 0x0804ABB0:

Now everything we need is to set breakpoint at the end of function sub_804A910 or sub_804A460 and saw pictures. As practice has shown, it's better to set breakpoint at the end of function sub_804A460, because this function executes ones in conlose's pictures modification (e.g. at address 0x0804AA87).

The recived pictures are the next:

After some bruting (not all symbols can be easily recognised) we take a flag: "CTF+WINT3R+S3A50N". It's not very hard for 300 points:)

spy offers | Nike Air Jordan XXX Basketball Shoes/Sneakers 811006-101 Worldarchitecturefestival

mic

Triff — Sun, 09 Feb 2014 18:58:23 +0000

Category:

crypto

Event:

Olympic CTF 2014

Task:

Flags for free!

nc 109.233.61.11 3120

Source code also provided (file mic_server.py)

Solution:

So, first thing to do: open and read source file (whatever...)

Some interesting things: conversation with server consits of two parts: in the first part we send to server a big prime number (more than 100, but less than 200 binary places), then we send a base ( number, that greater than 1 but less than prime -1); stage two: server sends a flag mixed in our base. Flag is greater than our prime (from sources: assert 1 << 256 < FLAG < 1 << 512), so, in fact we receive only part of flag.

Server mixes flag into our base with following algorithm:

res = pow(g * FLAG, FLAG, p) * FLAG + FLAG

res %= p

So, if we send some different primes, we will get remainders of flag by modulo of sent primes... it looks like Chinese Remainder Theorem . But res = (g^FLAG * FLAG^FLAG)*FLAG + FLAG mod p, and even if get enough remainders, it would be easy, to extract pure FLAG. So we need a special g, to get rid of powered FLAG... maybe not one g...

Let base = p-g (p - our prime)

res2 = ((p-g)^FLAG * FLAG^FLAG)*FLAG + FLAG mod p

if FLAG is odd:

(p-g)^FLAG mod p = -(g^FLAG), so

res2 = (-(g^FLAG) * FLAG^FLAG)*FLAG + FLAG mod p

res1 = (g^FLAG * FLAG^FLAG)*FLAG + FLAG mod p

res1 + res2 = g^FLAG * FLAG^FLAG+1 + FLAG -(g^FLAG) * FLAG^FLAG+1+ FLAG mod p = 2*FLAG mod p

And it is main idea of our attack.

Send a two bases two server, some g, and prime - g, so then we can get a remainder of 2*FLAG by modulo of prime and use CRT to recover flag.. in case of even FLAG we should substract res2 from res1 instead of sum.

Lets wrute some code and pwn task.

I took six prime numbers from wiki's article abour RSA-numbers (RSA-100,110 and 120=) ). I think 6 numbers will be enough to use CRT.

Then i used this script to get six remainders:

g = 2
primes = [37975227936943673922808872755445627854565536638199, 40094690950920881030683735292761468389214899724061,
6122421090493547576937037317561418841225758554253106999, 5846418214406154678836553182979162384198610505601062333,
327414555693498015751146303749141488063642403240171463406883, 693342667110830181197325401899700641361965863127336680673013]

remainders = []

print "Receiving remainders..."
for i in xrange(0,6,1):
	conn = create_connection(('109.233.61.11', 3120));

	data = conn.recv(1024);
	conn.send(str(primes[i]) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	conn.send(str(g) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	res1 = data.split()[-1]

	conn = create_connection(('109.233.61.11', 3120));

	data = conn.recv(1024);
	conn.send(str(primes[i]) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	conn.send(str(primes[i]-g) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	res2 = data.split()[-1]

	remainders.append((int(res1)+int(res2))%primes[i])

When i got remainders, i used CRT to recover FLAG:

def extended_euclidean(a, b):	
	x = 0
	lastx = 1
	y = 1
	lasty = 0
	
	while b != 0:
		q = a // b
		a, b = b, a % b		
		x, lastx = (lastx - q * x, x)
		y, lasty = (lasty - q * y, y)
	return (a, lastx, lasty)
	
def inverse(var, module):
	v = extended_euclidean(var,module)
	return (v[0]==1)*(v[1] % module)

def CRT(RemList,ModulList):
	N  = reduce(mul,ModulList)        		# multiply ModulList together
	Ns = [N/mi for mi in ModulList]   		# create list of all N/multiply
	ys = [inverse(Ni, mi) for Ni,mi in zip(Ns,ModulList)] # get inverse elements of Ni by module mi
	return (reduce(add,[ri*Ni*yi for ri,Ni,yi in zip(RemList,Ns,ys)]) % N,N)

result =  CRT(remainders,primes)

And finally we can find flag: we shoud devide result by 2 and then decode it from hex:

f = result[0]/2
encoded_flag = str(hex(f))[2:-1]
flag = encoded_flag.decode("hex")

And the flag is CTF{cf5246e06b13432b9e1116ddef226455}

And here is full script to perform attack:

#!/usr/bin/env python
from socket import create_connection
from sys import *
from fractions import gcd
from numpy import random
from operator import *
from time import *

def extended_euclidean(a, b):	
	x = 0
	lastx = 1
	y = 1
	lasty = 0
	
	while b != 0:
		q = a // b
		a, b = b, a % b		
		x, lastx = (lastx - q * x, x)
		y, lasty = (lasty - q * y, y)
	return (a, lastx, lasty)
	
def inverse(var, module):
	v = extended_euclidean(var,module)
	return (v[0]==1)*(v[1] % module)

def CRT(RemList,ModulList):
	N  = reduce(mul,ModulList)        		# multiply ModulList together
	Ns = [N/mi for mi in ModulList]   		# create list of all N/multiply
	ys = [inverse(Ni, mi) for Ni,mi in zip(Ns,ModulList)] # get inverse elements of Ni by module mi
	return (reduce(add,[ri*Ni*yi for ri,Ni,yi in zip(RemList,Ns,ys)]) % N,N)

g = 2
primes = [37975227936943673922808872755445627854565536638199, 40094690950920881030683735292761468389214899724061,
6122421090493547576937037317561418841225758554253106999, 5846418214406154678836553182979162384198610505601062333,
327414555693498015751146303749141488063642403240171463406883, 693342667110830181197325401899700641361965863127336680673013]

remainders = []

print "Receiving remainders..."
for i in xrange(0,6,1):
	conn = create_connection(('109.233.61.11', 3120));

	data = conn.recv(1024);
	conn.send(str(primes[i]) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	conn.send(str(g) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	res1 = data.split()[-1]

	conn = create_connection(('109.233.61.11', 3120));

	data = conn.recv(1024);
	conn.send(str(primes[i]) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	conn.send(str(primes[i]-g) + "\n")
	sleep(0.1)

	data = conn.recv(1024);
	res2 = data.split()[-1]

	remainders.append((int(res1)+int(res2))%primes[i])

print "Using Chinese Remainder Theorem to recover flag..."

result =  CRT(remainders,primes)
f = result[0]/2
encoded_flag = str(hex(f))[2:-1]
flag = encoded_flag.decode("hex")
print flag

Running sports | Zapatillas de running Nike - Mujer

Attachments:

mic_server.py.txt

mic.py.txt

BalalaikaCr3w - Olympic CTF 2014

Aski (Binathlon 300)

mic