BalalaikaCr3w - Boston Key Party 2014

risc_emu

villytiger — Wed, 05 Mar 2014 13:59:22 +0000

Category:

pwn

Event:

Boston Key Party 2014

Task:

Pwning : 100

nobody cares about this service nc 54.218.22.41 4545

http://bostonkeyparty.net/challenges/emu-c7c4671145c5bb6ad48682ec0c58b831

Solution:

Connected to the server I was prompted to enter some byte code of the RISC CPU in base64. OK, let's look at the executable through disasm magnifier. After downloading file command said me that it is ELF for x86-64. I started reading opcodes in the binary and found that after decoding base64 input in this beautiful C++ code memcpy betrayer is used to copy decoded data into some global buffer. Look at this (dump from my mind):

So, that's pretty easy to get what we need. Just send 152 bytes with special address on the end. The first byte of the buffer is checked for being greater or equal to 9, and after that main::fun is called with buffer + 1 as the first parmeter.

There is only one problem remained. This is the gap between the byte code buffer and the function pointer. After doing memcpy our risc emulator checks that first 4 bytes of this gap still contain some cookie written in the beginning of the main function. Here is the mind dump with the function producing this cookie:

Now we just need to brute force the server time (hope the server is properly synced) and run system("cat key | nc ctfcrew.org 1337"). Or run ls -al if you aren't assured about flag file name. See the full solution in the attachment.

Authentic Sneakers | Releases Nike Shoes

Attachments:

fuck-the-emu.cpp_.txt

MITM II: Electric Boogaloo (Crypto 200)

Triff — Sat, 01 Mar 2014 22:32:47 +0000

Category:

crypto

Event:

Boston Key Party 2014

Task:

Chisa and Arisu are trying to tell each other two halves of a very important secret! They think they're safe, because they know how cryptography works---but can you learn their terrible, terrible secret? They're available as services at 54.186.6.201:12346 and 54.186.6.201:12345 respectively.

http://bostonkeyparty.net/challenges/mitm2-632e4ecc332baba0943a0c6471dec2c6.tar.bz2

Solution:

This was a nice task. Classic Man-in-the-Middle attack and nothing more. First, i downloaded source files (They are attached to this article - mitm2.zip). There were four files in the archive: arisu.py, chisa.py, mitmlib.py and curve25519.py. As you might guess, curve25519.py contains realization of the elliptic cryptography. So i decided to open arisu.py and chisa.py first, in hope, that they would contain source code of servers running in given ip-addresses. And they indeed contained it.

Servers start:

KEY = ""
CHECK = ""

if __name__ == "__main__":
    HOST = sys.argv[1]
    PORT = int(sys.argv[2])

    KEY = open('chisa.txt', 'r').read()[:-1]
    CHECK = open('check.txt', 'r').read()[:-1]
    server = ThreadedServer((HOST, PORT), ServerHandler)
    server.allow_reuse_address = True
    server.serve_forever()

It's same for Arisu - only another key file.

And servers work:

Arisu:

    def handle(self):
        #if not self.captcha():
            #return self.fail("You're a robot!")
        self.request.sendall("アリスです")
        if not (self.request.recv(50) == "千佐だよ"):
            return self.fail("You're not Chisa!")

        secretshare1, publicshare1 = mitmlib.mkshare()

	to_send = str(publicshare1[0]) + "," + str(publicshare1[1])
        self.request.sendall(to_send)

	got = self.request.recv(2048).split(',')
        publicshare2 = tuple([int(got[0]), int(got[1])])
        aeskey = mitmlib.mksecret(secretshare1, publicshare2)

        slices = zip(CHECK[0::2], CHECK[1::2])
        for a, b in slices:
            self.request.sendall(mitmlib.encrypt(aeskey, a))
            if b != mitmlib.decrypt(aeskey, self.request.recv(400)):
                self.fail("That's wrong!")

        self.request.sendall(mitmlib.encrypt(aeskey, "FLAG PART ONE: {" + KEY + "}\n"))
	print mitmlib.decrypt(aeskey, self.request.recv(400))

        self.request.sendall(mitmlib.encrypt(aeskey, "じゃ!"))
        self.request.recv(100)
        self.request.close()

Chisa:

    def handle(self):
        #if not self.captcha():
            #return self.fail("You're a robot!")
        if not (self.request.recv(50) == "アリスです"):
            return self.fail("You're not Alice!")
        self.request.sendall("千佐だよ")

        secretshare2, publicshare2 = mitmlib.mkshare()

        got = self.request.recv(2048).split(',')
        publicshare1 = tuple([int(got[0]), int(got[1])])

        to_send = str(publicshare2[0]) + "," + str(publicshare2[1])
        self.request.sendall(to_send)
        aeskey = mitmlib.mksecret(secretshare2, publicshare1)

        slices = zip(CHECK[0::2], CHECK[1::2])
        for a, b in slices:
            if a != mitmlib.decrypt(aeskey, self.request.recv(400)):
                self.fail("That's wrong!")
            self.request.sendall(mitmlib.encrypt(aeskey, b))

        print mitmlib.decrypt(aeskey, self.request.recv(400))
        self.request.sendall(mitmlib.encrypt(aeskey, "FLAG PART TWO: {" + KEY + "}\n"))

        self.request.recv(100)
        self.request.sendall(mitmlib.encrypt(aeskey, "じゃ!"))
        self.request.close()

Thoose parts contain algorithm of conversation. At the beginning Arisu and Chisa send each other something like "hello":

Arisu:

    self.request.sendall("アリスです")
    if not (self.request.recv(50) == "千佐だよ"):
        return self.fail("You're not Chisa!")

Chisa:

    if not (self.request.recv(50) == "アリスです"):
        return self.fail("You're not Alice!")
    self.request.sendall("千佐だよ")

You might notice, that Arisu starts the conversation and Chisa only replies.

Next step is a public key exchange:

Arisu:

    secretshare1, publicshare1 = mitmlib.mkshare()

    to_send = str(publicshare1[0]) + "," + str(publicshare1[1])
    self.request.sendall(to_send)

    got = self.request.recv(2048).split(',')
    publicshare2 = tuple([int(got[0]), int(got[1])])
    aeskey = mitmlib.mksecret(secretshare1, publicshare2)

Chisa:

    secretshare2, publicshare2 = mitmlib.mkshare()

    got = self.request.recv(2048).split(',')
        publicshare1 = tuple([int(got[0]), int(got[1])])

    to_send = str(publicshare2[0]) + "," + str(publicshare2[1])
    self.request.sendall(to_send)
    aeskey = mitmlib.mksecret(secretshare2, publicshare1)

Girls just send a public key to each other and then calculate session key.

And the last part: they send some messages to each other, and the last but one contains a flag:

Arisu:

        slices = zip(CHECK[0::2], CHECK[1::2])
        for a, b in slices:
            self.request.sendall(mitmlib.encrypt(aeskey, a))
            if b != mitmlib.decrypt(aeskey, self.request.recv(400)):
                self.fail("That's wrong!")

        self.request.sendall(mitmlib.encrypt(aeskey, "FLAG PART ONE: {" + KEY + "}\n"))
	print mitmlib.decrypt(aeskey, self.request.recv(400))

        self.request.sendall(mitmlib.encrypt(aeskey, "じゃ!"))
        self.request.recv(100)
        self.request.close()

Chisa:

        slices = zip(CHECK[0::2], CHECK[1::2])
        for a, b in slices:
            if a != mitmlib.decrypt(aeskey, self.request.recv(400)):
                self.fail("That's wrong!")
            self.request.sendall(mitmlib.encrypt(aeskey, b))

        print mitmlib.decrypt(aeskey, self.request.recv(400))
        self.request.sendall(mitmlib.encrypt(aeskey, "FLAG PART TWO: {" + KEY + "}\n"))

        self.request.recv(100)
        self.request.sendall(mitmlib.encrypt(aeskey, "じゃ!"))
        self.request.close()

Now i've found everythingi need to interfere in communication between Arisu and Chisa to steal a flag. I opened text editor and wrote python script. First, i generated my own key pair like Arisu and Chisa did:

mySecretKey, myPublicKey = mitmlib.mkshare()

Then i sent hello girls:

Arisu = Sock("54.186.6.201:12345", timeout=30)
Chisa = Sock("54.186.6.201:12346", timeout=30)

hello = Arisu(1024)
print "=== Arisu ---> Chisa ==="
print "Hello: " + hello + "\n"
Chisa.send(hello)
sleep(0.25)

hello = Chisa.recv(1024)
print "=== Arisu <--- Chisa ==="
print "Hello: " + hello + "\n"
Arisu(hello)
sleep(0.25)

Next step: send my own public key to Chisa and Arisu instead of their own, save their keys and evaluate secret keys for each connection:

ArisuPubKeyArr = Arisu.recv(1024).split(',')
print "=== Arisu ---> Chisa ==="
print "Try to send: " + str(ArisuPubKeyArr[0]) + "," + str(ArisuPubKeyArr[1])
print "Really sent: " + myPublicKeyStr + "\n"
Chisa.send(myPublicKeyStr)
sleep(0.25)

ChisaPubKeyArr = Chisa.recv(1024).split(',')
print "=== Arisu <--- Chisa ==="
print "Try to send: " + str(ChisaPubKeyArr[0]) + "," + str(ChisaPubKeyArr[1])
print "Really sent: " + myPublicKeyStr + "\n"
Arisu.send(myPublicKeyStr)
sleep(0.25)

ArisuPubKey = tuple([int(ArisuPubKeyArr[0]), int(ArisuPubKeyArr[1])])
ChisaPubKey = tuple([int(ChisaPubKeyArr[0]), int(ChisaPubKeyArr[1])])

ArisuAesKey = mitmlib.mksecret(mySecretKey, ArisuPubKey)
ChisaAesKey = mitmlib.mksecret(mySecretKey, ChisaPubKey)

And the last part: i have to recieve messages from Arisu, decrypt them on myArisu secret key, reencrypt them on myChisa secret key and send to Chisa, and i have to do the same thing for Chisa's messages:

try:
	for i in xrange(0,25,1):

		some_slice = Arisu.recv(1024)
		print "=== Arisu ---> Chisa ==="
		print "Try to send: " + some_slice

		decrypted_slice = mitmlib.decrypt(ArisuAesKey, some_slice)
		encrypted_slice = mitmlib.encrypt(ChisaAesKey, decrypted_slice)

		print "Decrypted: " + decrypted_slice
		print "Really sent: " + encrypted_slice + "\n"

		Chisa.send(encrypted_slice)
		sleep(0.35)


		some_slice = Chisa.recv(1024)
		print "=== Arisu <--- Chisa ==="
		print "Try to send: " + some_slice

		decrypted_slice = mitmlib.decrypt(ChisaAesKey, some_slice)
		encrypted_slice = mitmlib.encrypt(ArisuAesKey, decrypted_slice)

		print "Decrypted: " + decrypted_slice
		print "Really sent: " + encrypted_slice + "\n"

		Arisu.send(encrypted_slice)
		sleep(0.35)
except Exception, e:
	print e

The last but one message for Arisu and Chisa is a part of flag:

=== Arisu ---> Chisa ===
Try to send: cSAt1FxoXq5dtROo6YL9VE/Ln95Gd/l6GxDSmsidTuAkbSANizH6b2Y1RXSwss0Z
Decrypted: FLAG PART ONE: {I dunno, }

Really sent: 4VW4ebDKPVXVDDzoiYjvjf1Q4VtX/pZP63WUrsRfqzRlEOCy0Q0ryOVFACILC0ai

=== Arisu <--- Chisa ===
Try to send: 3RZwKsSLLWMKwLlEr/h8X7xousf6B59UuiU+R+sMwL/uwHI2yY9KoyM9wpL/jsS4U4QlrcPzEiMrK7IMXFs38F8xEKilV6fx0DcnCs6ZvME=
Decrypted: FLAG PART TWO: {go fanwank something!}

Really sent: bqW46ykWazNT+gR9ykJHgAWNVa5HrrDhmzXNjekgpebPB43a+0y3bvFkaAZFCZdMP5pMpgpa/rUDX2gD01w5ItYcDLWQXzbpd4hO/OTr8Zg=

Flag: I dunno, go fanwank something!

Sports brands | Air Jordan 1 Retro High OG 'University Blue' — Ietp

Attachments:

mitm2.zip

mitm.py.txt

Xorxes the Hash (Crypto 200)

Triff — Sat, 01 Mar 2014 12:13:05 +0000

Category:

crypto

Event:

Boston Key Party 2014

Task:

Xorxes is a hash collision challenge. The goal is to find a second preimage for the input string "Klaatubaradanikto". Submit it as the flag. UPDATE: It has been pointed out that there are multiple solutions. The flag is the one with md5sum '7179926e4253a0b405090df67f62c543'. (Use `echo -n FLAG | md5sum'.) UPDATE THE SECOND: The solution is short.

http://bostonkeyparty.net/challenges/xorxes-ad7b52380d3ec704b28954c80119789a.py

Solution:

First, take a look on xorxes-hash sript. Inside we can find a comment about xorxes algorithm:

# Xorxes Hash uses message blocks of 8-bits, with a 224-bit chaining variable.
#
#   (m_0)       (m_1)         ... (m_n)  = input message blocks
#     |           |                 |
#   SHA224      SHA224        ... SHA224    
#     |           |                 |
#  V-(+)-[>>>56]-(+)-[>>>56]- ... --+--- = chaining variable 
#
#  chaining variable + (message length mod 24) = hash output
#

You can see, that hash function is very simple. It's just xors SHA224 hash for every byte of message together and shift buffer to the right, after each xoring. We can rewrite function a bit:

Xorxes(m) =R(...R( R(IV + H(m[0]) ) + H(m[1]) )...) + H(m[len(m)-1]) + len%24,

where R is a right shifting, H is a SHA224 hash and + is a xor, m[i] is a i-byte of message. But xoring is a commutative operation and right shifting is distributive over xor. So we can open bracers and get:

Xorxes(m) = R^len(m)-1(IV) + R^len(m)-1(H(m[0])) + Rlen(m)-2(H(m[1])) + Rlen(m)-3(H(m[2])) + ... + R(H(m[len(m)-2])) + H(m[len(m)-1])

We can also notice, thath R⁴ = R⁰ (cos shifting buffer of length 224 four times to the right equal to not shifting at all), so all addends will be splited in four groups:

Xorxes(m) = {H(m[len(m)-1]) + H(m[len(m)-5]) + ... } + R({ H(m[len(m)-2]) + H(m[len(m)-6]) + ... }) + R²({ H(m[len(m)-3) + H(m[len(m)-7]) + ... }) + R³({ H(m[len(m)-4) + H(m[len(m)-8]) + ... }) + Rlen(m)-1(IV)

Now it's obvious, that hash doesn't depent on order of bytes of each group in message due to commutativity of xor operation. And message "11112222" will have same hash as "22221111" and "12122121". So we can split bytes of given message and generate new messages as all possible permutation of this bytes inside their own groups. Thoose new messags will ahve same hash like original messages. And then we must find one message with md5 hash '7179926e4253a0b405090df67f62c543'.

So let's do some python here:

#!/usr/bin/python
import itertools
import hashlib
import sys

MD5 = '7179926e4253a0b405090df67f62c543'

group1 = "Ktrno"
group2 = "luai"
group3 = "abdk"
group4 = "aaat"

all_variants = 24*24*24*120
count = 0

for g1 in itertools.permutations(group1):
	for g2 in itertools.permutations(group2):
		for g3 in itertools.permutations(group3):
			for g4 in itertools.permutations(group4):
				result = ''
				for i in xrange(0,17,1):
					if i%4 ==0:
						result+=(g1[i/4])
					if i%4 ==1:
						result+=(g2[i/4])
					if i%4 ==2:
						result+=(g3[i/4])
					if i%4 ==3:
						result+=(g4[i/4])
				md5 = hashlib.new('md5')
				md5.update(result)
				hashed = md5.hexdigest()
				if hashed == MD5:
					print "Flag: " + result
					exit(0)
	count+=13824
	sys.stdout.write( "Progress: " + str(100*count/all_variants) + "%\r" )
	sys.stdout.flush()

It takes some time to generate all possible 4!*4!*4!*5! = 1658880 variants, but after several seconds we get a flag: radaniktKlaatubao

Flag: radaniktKlaatubao

Running Sneakers Store | Preview: Nike Air Force 1 "Tear-Away" Fauna Brown - Gov

Attachments:

xorxes-ad7b52380d3ec704b28954c80119789a.py.txt

xorxer_bruter.py.txt