CryptoHack Export-grade

A harder version of CryptoHack Parameter Injection

connect socket.cryptohack.org 13379

Alice and Bob negotiate their parameters from a legacy database; the exchange has the following format:

Intercepted from Alice: {"supported": ["DH1536", "DH1024", "DH512", "DH256", "DH128", "DH64"]}
Send to Bob:
Intercepted from Bob: {"chosen": "?"}
Send to Alice:
Intercepted from Alice: {"p": "?", "g": "?", "A": "?"}
Intercepted from Bob: {"B": "?"}
Intercepted from Alice: {"iv": "?", "encrypted_flag": "?"}

By default Bob picks the DH1024 key-exchange group. If we rewrite the "supported" list to ["DH64"], Bob is left with a single choice. Because DH64 uses a modulus far too small to be secure, we can intercept the public keys \(A, \, B\), compute their discrete logarithms \(a, \, b\), recover the shared secret \(g^{ab} \bmod p\), and substitute it into the decryption script.
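The downgrade works because Bob accepts whatever list the attacker relays and falls through to the weakest group. The following is an added simulation (not part of the original writeup or of CryptoHack's code) that models the negotiation above with a naive Bob, a hardened Bob that refuses any offer lacking a group of at least a minimum size, and a transcript MAC in the style of a TLS Finished message so that each side can detect that the other saw a different "supported" message. GROUP_BITS, MIN_BITS, the stand-in shared_secret and the helper names are all assumptions made for the simulation.

```python
import hashlib
import hmac
import json

# Constructed mapping from the legacy group names used in the challenge to the
# modulus size each name implies (an assumption; the names encode the size).
GROUP_BITS = {"DH1536": 1536, "DH1024": 1024, "DH512": 512,
              "DH256": 256, "DH128": 128, "DH64": 64}

ALICE_OFFER = {"supported": list(GROUP_BITS)}


def bob_choose_naive(offer: dict) -> dict:
    """Bob as the writeup describes him: DH1024 by default, otherwise the
    strongest group still present. Assumed reconstruction of the server."""
    supported = offer["supported"]
    if "DH1024" in supported:
        return {"chosen": "DH1024"}
    return {"chosen": max(supported, key=lambda g: GROUP_BITS.get(g, 0))}


def bob_choose_hardened(offer: dict, min_bits: int = 1024) -> dict:
    """Hardened Bob: fail closed when no group of at least min_bits is offered,
    instead of falling through to an export-grade group. 1024 is the floor
    chosen for this simulation; current guidance is higher."""
    acceptable = [g for g in offer["supported"] if GROUP_BITS.get(g, 0) >= min_bits]
    if not acceptable:
        raise ValueError("no acceptable DH group offered (possible downgrade)")
    return {"chosen": max(acceptable, key=lambda g: GROUP_BITS[g])}


def mitm_downgrade(offer: dict) -> dict:
    """The tampering shown in the writeup: the offer is replaced by ["DH64"]."""
    return {"supported": ["DH64"]}


def transcript_hash(messages: list) -> bytes:
    """SHA-256 over the exact JSON messages one party sent or received, in order."""
    h = hashlib.sha256()
    for m in messages:
        h.update(json.dumps(m, sort_keys=True).encode())
    return h.digest()


def finished_mac(shared_secret: int, transcript: bytes) -> bytes:
    """Key confirmation bound to the transcript: HMAC under the same key
    derivation the challenge uses (SHA-1 of the decimal secret, first 16 bytes)."""
    key = hashlib.sha1(str(shared_secret).encode("ascii")).digest()[:16]
    return hmac.new(key, transcript, hashlib.sha256).digest()


def run_handshake(tamper: bool, hardened: bool, shared_secret: int = 12345) -> dict:
    """Simulate the negotiation and return the chosen group plus whether the
    two parties' transcript MACs agree. shared_secret is a constructed
    stand-in for g^ab mod p; the key agreement itself is not modelled."""
    alice_view, bob_view = [], []
    offer = dict(ALICE_OFFER)
    alice_view.append(offer)                      # what Alice actually sent
    on_wire = mitm_downgrade(offer) if tamper else offer
    bob_view.append(on_wire)                      # what Bob actually received
    choose = bob_choose_hardened if hardened else bob_choose_naive
    chosen = choose(on_wire)
    bob_view.append(chosen)
    alice_view.append(chosen)                     # relayed unchanged here
    alice_mac = finished_mac(shared_secret, transcript_hash(alice_view))
    bob_mac = finished_mac(shared_secret, transcript_hash(bob_view))
    return {"chosen": chosen["chosen"],
            "transcripts_match": hmac.compare_digest(alice_mac, bob_mac)}


if __name__ == "__main__":
    print(run_handshake(tamper=False, hardened=False))   # DH1024, match
    print(run_handshake(tamper=True, hardened=False))    # DH64, mismatch
    print(run_handshake(tamper=False, hardened=True))    # DH1536, match
    try:
        run_handshake(tamper=True, hardened=True)
    except ValueError as e:
        print("hardened Bob refused:", e)
```

Two points follow from running it. With the naive Bob the tampered run negotiates DH64 and the transcript MACs disagree, so the tampering is visible in principle; but the MAC is keyed with the shared secret, and once the group is DH64 an attacker who solves the discrete log (as the script below does) can forge that MAC as well, so transcript binding only protects groups the attacker cannot break. The minimum-size check is therefore the fix that matters: the hardened Bob never enters the weak group at all.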

Solution script

import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from sympy import discrete_log

# Values intercepted from the DH64 session (see the transcript below)
alice = {"p": "0xde26ab651b92a129", "g": "0x2", "A": "0xa8de885b5072dc7e"}
p = int(alice["p"], 16)
A = int(alice["A"], 16)
g = int(alice["g"], 16)

bob = {"B": "0x9ad7d8aa2c8a5c8a"}
B = int(bob["B"], 16)

key = {"iv": "b8e6575d29c51e34089325cd826c41bd", "encrypted_flag": "e6dfe6b952e6291a81a0f13549da828e84a59702e91982a17278e68d97a0639c"}
iv = key["iv"]
encrypted_flag = key["encrypted_flag"]

def is_pkcs7_padded(message):
    padding = message[-message[-1]:]
    return all(padding[i] == len(padding) for i in range(0, len(padding)))

def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    # Derive AES key from shared secret (challenge's KDF: SHA-1 of the decimal secret, first 16 bytes)
    sha1 = hashlib.sha1()
    sha1.update(str(shared_secret).encode('ascii'))
    key = sha1.digest()[:16]
    # Decrypt flag with AES-CBC
    ciphertext = bytes.fromhex(ciphertext)
    iv = bytes.fromhex(iv)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext)

    if is_pkcs7_padded(plaintext):
        return unpad(plaintext, 16).decode('ascii')
    else:
        return plaintext.decode('ascii')

# The 64-bit modulus makes the discrete log feasible: solve g^b = B (mod p) for b
b = discrete_log(p, B, g)
# Shared secret g^(ab) = A^b mod p
share_secret = pow(A, b, p)
print(decrypt_flag(share_secret, iv, encrypted_flag))

Parameters

Intercepted from Alice: {"supported": ["DH1536", "DH1024", "DH512", "DH256", "DH128", "DH64"]}
Send to Bob: {"supported": ["DH64"]}
Intercepted from Bob: {"chosen": "DH64"}
Send to Alice: {"chosen": "DH64"}
Intercepted from Alice: {"p": "0xde26ab651b92a129", "g": "0x2", "A": "0xa8de885b5072dc7e"}
Intercepted from Bob: {"B": "0x9ad7d8aa2c8a5c8a"}
Intercepted from Alice: {"iv": "b8e6575d29c51e34089325cd826c41bd", "encrypted_flag": "e6dfe6b952e6291a81a0f13549da828e84a59702e91982a17278e68d97a0639c"}
posted @ 2025-02-28 13:18  YipChip