CryptoHack Parameter Injection
题目链接
connect socket.cryptohack.org 13371
你可以截获并伪造 Alice 和 Bob 基于 DH 密钥交换协议的所有数据,格式如下:
Intercepted from Alice: {"p": "?", "g": "?", "A": "?"}
Send to Bob:
Intercepted from Bob: {"B": "?"}
Send to Alice:
Intercepted from Alice: {"iv": "?", "encrypted_flag": "?"}
其中 DH 密钥交换协议的参数如下:
- \(p, \, g, \, a, \, b, \, A, \, B\)
- \(g = \operatorname{ord}(A)\)
- \(g^a = A \pmod p\)，\(g^b = B \pmod p\)
- Secret: \(g, \, p, \, a, \, b\)
- Public: \(A, \, B\)
- Shared: \(K = g^{ab} \bmod p\)
其中采用的加密脚本为:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
import os
from secret import shared_secret
# Placeholder flag as published in the challenge source; the question marks
# stand in for the real value.
FLAG = b'crypto{????????????????????????????}'
def encrypt_flag(shared_secret: int):
    """Encrypt FLAG with AES-128-CBC under a key derived from the DH shared secret.

    The key is the first 16 bytes of SHA-1 over the decimal string form of
    *shared_secret*; there is no salt, KDF or authentication, so the key is
    fully determined by the secret value alone. Returns a dict with the
    hex-encoded ``iv`` and ``encrypted_flag``.
    """
    # Key derivation: SHA-1(str(secret)) truncated to the AES-128 key size.
    aes_key = hashlib.sha1(str(shared_secret).encode('ascii')).digest()[:16]

    # Fresh random IV per call; CBC with PKCS#7 padding to the 16-byte block.
    nonce = os.urandom(16)
    encrypted = AES.new(aes_key, AES.MODE_CBC, nonce).encrypt(pad(FLAG, 16))

    return {'iv': nonce.hex(), 'encrypted_flag': encrypted.hex()}
# shared_secret is provided by the `secret` module imported above.
print(encrypt_flag(shared_secret))
解密脚本为
from Crypto.Cipher import AES
from Crypto.Util.Padding import *
import hashlib
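def is_pkcs7_padded(message: bytes, block_size: int = 16) -> bool:
    """Return True if *message* ends with well-formed PKCS#7 padding.

    The last byte gives the pad length; it must be in 1..block_size, must
    not exceed the message length, and every pad byte must equal it. The
    original version sliced with ``message[-message[-1]:]``, which treats a
    trailing 0x00 as "the whole message is padding" and raises IndexError on
    an empty message; both cases now return False.

    Note this is only a format check on unauthenticated CBC output; a True
    result does not prove the decryption key was correct.
    """
    if not message:
        return False
    pad_len = message[-1]
    if pad_len < 1 or pad_len > block_size or pad_len > len(message):
        return False
    return all(b == pad_len for b in message[-pad_len:])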
def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    """Decrypt a hex ``ciphertext`` with AES-128-CBC under the DH-derived key.

    Key derivation mirrors encrypt_flag: SHA-1 of the decimal string of
    *shared_secret*, truncated to 16 bytes. PKCS#7 padding is stripped only
    when is_pkcs7_padded accepts the plaintext; the result is decoded as
    ASCII either way, so a wrong key is likely to surface as a decode error
    rather than an explicit key-check failure.
    """
    aes_key = hashlib.sha1(str(shared_secret).encode('ascii')).digest()[:16]

    # Decode inputs in the same order as the original (ciphertext, then iv).
    data = bytes.fromhex(ciphertext)
    nonce = bytes.fromhex(iv)
    raw = AES.new(aes_key, AES.MODE_CBC, nonce).decrypt(data)

    if not is_pkcs7_padded(raw):
        return raw.decode('ascii')
    return unpad(raw, 16).decode('ascii')
# Template placeholders from the challenge: fill in the recovered shared
# secret and the intercepted iv / encrypted_flag hex strings before running.
shared_secret = ?
iv = ?
ciphertext = ?
print(decrypt_flag(shared_secret, iv, ciphertext))
Alice 以 \(K = B^a \bmod p\) 计算共享密钥，因此把发给 Alice 的 Bob 公钥伪造为 \(B = 0\text{x}01\)，无论 a 取何值共享密钥都恒为 1；再截获 Alice 随后发送的 iv 与 encrypted_flag，即可用该密钥解出 flag。
解题脚本
import requests
from tqdm import *
from Crypto.Util.number import *
from pwn import *
from hashlib import *
from sympy import *
from gmpy2 import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
# Global retry count for the requests library.
requests.adapters.DEFAULT_RETRIES = 100000
# NOTE(review): `s` is never used below; the intercepted values are pasted in by hand.
s = requests.Session()
# NOTE(review): requests does not read a `timeout` attribute on Session, so this
# assignment has no effect; pass `timeout=` on each request instead.
s.timeout = (1000.0, 1000.0)
# g^a % p = A
# g^b % p = B
# connect socket.cryptohack.org 13371
# Values transcribed from the intercepted session. Note that "A" here is
# hard-coded to 0x01 rather than Alice's real public value; A, g and B are
# parsed but not needed for the decryption, since the shared secret is
# forced to 1 by the injected B.
alice = {
    "p": "0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff",
    "g": "0x02",
    "A": "0x01",
}
# int() accepts the 0x prefix when base 16 is given, so no slicing is needed.
A = int(alice["A"], 16)
g = int(alice["g"], 16)

bob = {"B": "0x01"}
B = int(bob["B"], 16)

# Alice's final message: hex-encoded IV and ciphertext.
key = {
    "iv": "ffcfddfb14556d0dae9c5b1ac3fcf86c",
    "encrypted_flag": "761fa22d677a0172903201261e39ba5fd024c16313f13f060ad1f5eaf883c80e",
}
iv = key["iv"]
encrypted_flag = key["encrypted_flag"]
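def is_pkcs7_padded(message: bytes, block_size: int = 16) -> bool:
    """Return True if *message* ends with well-formed PKCS#7 padding.

    The last byte is the pad length; it must lie in 1..block_size, must not
    exceed the message length, and every pad byte must equal it. The
    original ``message[-message[-1]:]`` slice treated a trailing 0x00 as
    "the whole message is padding" and raised IndexError on an empty
    message; both now return False.

    This is only a format check on unauthenticated CBC output; it does not
    confirm that the decryption key was correct.
    """
    if not message:
        return False
    pad_len = message[-1]
    if not 1 <= pad_len <= min(block_size, len(message)):
        return False
    return all(b == pad_len for b in message[-pad_len:])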
def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    """Decrypt the intercepted flag (same routine as the challenge's decrypt script).

    Derives the AES-128 key as the first 16 bytes of SHA-1 over the decimal
    string of *shared_secret*, decrypts ``ciphertext`` (hex) in CBC mode with
    ``iv`` (hex), strips PKCS#7 padding when is_pkcs7_padded accepts the
    plaintext, and returns the ASCII-decoded result. Decoding happens on
    both branches, so a wrong key is likely to raise UnicodeDecodeError.
    """
    secret_bytes = str(shared_secret).encode('ascii')
    aes_key = hashlib.sha1(secret_bytes).digest()[:16]

    # Hex inputs are decoded ciphertext-first, matching the original order.
    ct_bytes = bytes.fromhex(ciphertext)
    iv_bytes = bytes.fromhex(iv)
    plain = AES.new(aes_key, AES.MODE_CBC, iv_bytes).decrypt(ct_bytes)

    padded = is_pkcs7_padded(plain)
    result = unpad(plain, 16) if padded else plain
    return result.decode('ascii')
# Alice received the forged B = 0x01, so her shared secret is 1^a mod p = 1
# regardless of her private exponent; the key is therefore SHA-1("1")[:16].
print(decrypt_flag(1, iv, encrypted_flag))
参数
Intercepted from Alice: {"p": "0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff", "g": "0x02", "A": "0x6fb4ca846603a054304c340cef2cb1164716b238cff04e68bdacf991f455139a3e2351839c312c81d321481bfb595af0d4a04b359616b61ba3a4789f0883bfaa92974a02453ea4ed9486c046fa0863f4c34028adaaaf4672337b808ac8e01a7d70327ea34de88f15f7c2bb16d079408b6f0769922875767528c0b47b410552ed743c30c006828e70e807c676bcfba2fcfc60a4dfac4c95395ca37e48ec143b20675932544458b54945c5115a9abc89bb729c6355ab255ba8984a7c1f29d76f25"}
Send to Bob: {"p": "0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff", "g": "0x02", "A": "0x6fb4ca846603a054304c340cef2cb1164716b238cff04e68bdacf991f455139a3e2351839c312c81d321481bfb595af0d4a04b359616b61ba3a4789f0883bfaa92974a02453ea4ed9486c046fa0863f4c34028adaaaf4672337b808ac8e01a7d70327ea34de88f15f7c2bb16d079408b6f0769922875767528c0b47b410552ed743c30c006828e70e807c676bcfba2fcfc60a4dfac4c95395ca37e48ec143b20675932544458b54945c5115a9abc89bb729c6355ab255ba8984a7c1f29d76f25"}
Intercepted from Bob: {"B": "0x1d0f76216b41d0fe7af051416585933dfc4e00a8a358b44c1e3992f88e7e926fd5a42b74e7fd6ac0dbc0cf636e559088c347179c28250282d4e9392aac7c769d6b75f51039ffbb63e82b897f8a119d7d89dc08b89e14d8c9bccd4ebebae8821f96c28935db3bf481a694925de8e8b0135ca4c432cab736b8d99dc67e280203fd06e522b38080dbeffbd7b0900f281b7d7455b9ba84a6131c2732e76fad0e88e68f10f2b2c6a876c0a9f73797f45d24c89259c7c3881d2b09078876c7b45cbb6c"}
Send to Alice: {"B": "0x01"}
Intercepted from Alice: {"iv": "ffcfddfb14556d0dae9c5b1ac3fcf86c", "encrypted_flag": "761fa22d677a0172903201261e39ba5fd024c16313f13f060ad1f5eaf883c80e"}
