Description : I managed to generate strong parameters for our diffie-hellman key exchange, i think my message is now safe.
Author : wepfen (me ofc)
TL;DR
notice that $ g \equiv p-1 \equiv -1 \mod p $
And when this happens, modular arithmetic tell us that $g^{k} \equiv (-1)^{k} \mod p$ which is either 1 or -1
So the shared key is actually g-1, decrypt the flag with it
Introduction
For this challenge we have a python script generating diffie hellman parameters and use the shared secret sha256 hash as a AES key to encrypt the flag.
I made this challenge so everyone can solve a challenge and have its shot of dopamine <3.
p =1740527743356518530873219004517954317742405916450945010211514630307030225825627940655848700898186119703288416676610512180281414181211686282526701502342109420226095690170506537523420657033019751819646839624557146950127906808859045989204720555752289247833349649020285507405445896768256093961814925065500513967524214087124440421275882981975756344900858314408284866222751684730112931487043308502610244878601557822285922054548064505819094588752116864763643689272130951g =1740527743356518530873219004517954317742405916450945010211514630307030225825627940655848700898186119703288416676610512180281414181211686282526701502342109420226095690170506537523420657033019751819646839624557146950127906808859045989204720555752289247833349649020285507405445896768256093961814925065500513967524214087124440421275882981975756344900858314408284866222751684730112931487043308502610244878601557822285922054548064505819094588752116864763643689272130950ciphertext = f2803af955eebc0b24cf872f3c9e3c1fdd072c6da1202fe3c7250fd1058c0bc810b052cf99ebfe424ce82dc31a3ba94f
Diffie Hellman reminder
Before reading the code, here’s a quick recap of diffie hellman key exchange.
We got two person Alice and Bob who want to talk securely by encrypting their message with the same key. But they can’t scream this key in front of everyone, because some eavesdroppers can steal this key to decrypt their conversation.
So instead, they exchange the key using mathematics.
Two public variables are selected and shared by Alice and Bob : g and p. p is a prime number and g is used to generate public keys.
$$A \equiv g^{a} \mod p$$
Then Bob does the same with it’s private key b and send its public key B to Alice and receive Alice’s public key.
Then they compute the shared secret s that will be the symmectric key to encrypt their communication :
$$ s \equiv A^{b} \equiv (g^{a})^{b} \equiv g^{ab}\mod p $$$$ s \equiv B^{a} \equiv (g^{b})^{a} \equiv g^{ba}\mod p $$
Actually reading the code
First a prime p is randomly generated and the generator g is equal to $p-1$
1
2
p = getPrime(1536)g = p-1
A generator is, as his name suggest, used to generate a group of number by computing $g^{k} \mod p$. So if wrongly chosen, the group of number can be small and so it can compromise the robustness of the key exchange.
The private keys a and b are randomly chosen
1
2
a = getPrime(1536)b = getPrime(1536)
The public keys A and B are computed using the generator and the private keys
1
2
A =pow(g, a, p)B =pow(g, b, p)
The shared secret is computed
1
2
3
assertpow(A, b, p)==pow(B, a, p)C =pow(B, a, p)
Finally the shared secret is used as a key and the flag is encrypted with it
One may think it is a classic diffie hellman key exchange but by quickly looking at the DHKE wiki page, we can understand that the chosen generator is uncommon.
Knowing a little bit of modular arithmetic (or just testing out the code), we can figure out that using $g = p-1$ makes every power of g equal to 1 or -1 mod p.
So, the public keys A and B, which are a power of g,are either 1 or -1 :
$$ g \equiv p-1 \mod p $$$$ g \equiv -1 \mod p $$$$ (-1)^{k} \equiv \pm 1 \mod p$$
It is equal to 1 if k is even.
And it is equal to 1 if k is odd.
Which put the username, the password hash in sha256, the filename and the size in a JSON and store it in metadata attribute.
It adds padding at the end of it by substracting the length of the metadata with 300. So the metadata length is maximum 300 characters.
Now looking at the encrypt() function in openzed:
1
2
3
4
5
6
7
defencrypt(self, data): cipher = AES_CBC_ZED(self.user, self.password) self.encrypted = cipher.encrypt(data) self.encrypted = zlib.compress(self.encrypted)# just for the lorereturn self.encrypted
It calls aes_cbc_zed python file, encrypt the data with the latter and compress the result with zlib (for the lore of the ‘secure’ compressed container).
It sets the specified username and password, generate a key using derive_password and generate an iv.
Let’s derive_password()
1
2
3
defderive_password(self):for i inrange(100): self.key = sha256(self.password).digest()[:16]
Well, I badly messed up my code resulting in using the password hash as the key and having at the same time, the password hash in the metadata. Thanks to dolipr4necrypt0 who noticed that.
It was supposed to hashes the password 100 times in a row taking the 16 first bytes each times , and store the result in self.key.
But i messed up, and actually it just hash the password one time.
It should have been that :
1
2
3
4
defderive_password(self): self.key = self.password
for i inrange(100): self.key = sha512(self.key).digest()[:16]
I use sha512 so that the player cannot recover the the key with the sha256 hash of the password in the metadata.
Well, it leaks a pretty useful part of the password, we miss the last three characters, which allow us to bruteforce 256**3 == 16777216 possiblities (doable).
And usually, the IV is supposed safe to share and is necessary to decrypt files, so it is given.
Reading encrypt(), we see that that the return value is iv + ciphertext.
1
2
3
4
5
6
7
8
defencrypt(self, plaintext:bytes): iv = self.iv
ciphertext =b"" ecb_cipher = AES.new(key=self.key, mode=AES.MODE_ECB)[...]return iv + ciphertext
And decrypt() function extract IV from the cipertext:
So, we can recover the part of the password from there and bruteforce the 3 last bytes.
Solving
So knowing that, we can extract the ciphertext from the output file flag.txt.ozed.
Remember that the file is made of the ‘OZED’ magic byte followed by 300 bytes of metadata and then, the ciphertext which is composed of the IV followed by the ciphertext.
Then to get the IV we can read from the ozed file and get 16 bytes after 304 bytes:
Intended (by bruteforcing the 3 remaining bytes of the password)
We extracted the IV we can get the first 13 bytes of the password :
1
part_password = iv[3:16]
Now we got two solutions:
naive : bruteforce the three lasts bytes of the password and try to decrypt each time until we find PWNME in the plaintext. (10 minutes to solve)
less naive : bruteforce the three lasts bytes of the password, hash the candidates and compare it with password_hash in the metadata. (10 sec to solve). Doing that, we only derive the password (which take a lot of ressources), only if we know we got the correct password.
Description : Patched OpenZed an made it more secure.
Author : wepfen (still me)
TL;DR
When requesting the flag, the key doesn’t change, only the IV does.
Notice that the flag has a length of 16 bytes, and so, is encrypted with AES CFB. The IV is encrypted and then xored with the flag.
Request a flag a keep the IV, send 16 bytes with the same IV used for the flag and encrypt it. Compares the resulting ciphertext with the encrypted flag.
Or, send 16 null bytes with the same IV, resulting in the IV encrypted and xor it with the encrypted flag.
Introduction
This challenge is as My ZED but with some patches and with a web interface.
On the web interface, we can choose to :
request an encrypted flag
encrypt a file and submit optional username, password and IV
decrypt a file by giving username and password
I will just focus on the edited parts since I already explained My ZED.
importosimportioimportstringfromflaskimport Flask, render_template, send_file, request
fromopenzedlibimport openzed
app = Flask(__name__, template_folder="./web/templates", static_folder="./web/static")FLAG = os.getenv("FLAG","PWNME{flag_test}")KEY = os.urandom(16)USER =b"pwnme"assertlen(FLAG)<=16@app.route('/', methods=['GET'])defhome():return render_template('index.html')@app.route('/encrypt_flag/', methods=['GET'])defencrypt_flag():#chiffrer avec des creds random file = openzed.Openzed(USER, KEY,'flag.txt.ozed') file.encrypt(FLAG.encode()) file.generate_container()#tricking flask into thinking the data come from a file encrypted = io.BytesIO(file.secure_container)return send_file( encrypted, mimetype='text/plain', as_attachment=False, download_name='flag.txt.ozed')@app.route('/encrypt/', methods=['POST'])defencrypt_file():if request.form["username"]and request.form["password"]: username = request.form["username"].encode() password =bytes.fromhex(request.form["password"])else: username = USER
password = KEY
if request.form["iv"]:try: iv = request.form["iv"]except:return"Please submit iv hex encoded"else: iv =Noneifnot request.files ornot request.files["file"].filename:return"Please upload a file" filename = request.files["file"].filename
file_to_encrypt = request.files['file'] data = file_to_encrypt.stream.read() file = openzed.Openzed(username, password, filename, iv) file.encrypt(data) file.generate_container() encrypted = io.BytesIO(file.secure_container)return send_file( encrypted, mimetype='text/plain', as_attachment=False, download_name=filename+".ozed")@app.route('/decrypt/', methods=['POST'])defdecrypt_file():ifnot request.form["username"]:return"Please submit an username"ifnot request.form["password"]:return"Please submit a password"try:bytes.fromhex(request.form["password"])except:return"Please submit the password hex encoded"ifnot request.files ornot request.files["file"].filename:return"Please upload a file" username = request.form["username"].encode() password =bytes.fromhex(request.form["password"]) filename = request.files["file"].filename
file_to_decrypt = request.files['file'] data = file_to_decrypt.stream.read() file = openzed.Openzed(username, password, filename) file.secure_container = data
decrypted = file.decrypt_container(file.secure_container) decrypted = io.BytesIO(decrypted["data"])return send_file( decrypted, mimetype='text/plain', as_attachment=False, download_name=filename+".dec")# 10 MB = 2**20 * 10if __name__ =="__main__": app.config['MAX_CONTENT_LENGTH']=1*1024*1024 app.run(debug=False, host='0.0.0.0', port=5000)
I removed the size value from the metadata in openzed.py and added the future to submit an IV at the creation of the instance. If no IV is submitted, then a random one will be chosen.
openzed.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
defgenerate_iv(self, iv):if iv ==None: self.iv = os.urandom(16)returntry: iv =bytes.fromhex(iv)iflen(iv)!=16:raiseValueError("IV should have a length of 16") self.iv = iv
exceptExceptionas e:raise e
I also removed the size value from the metadata and edited the derive_password function from aes_cbc_zed.py :
aes_cbc_zed.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
classAES_CBC_ZED:def __init__( self, user :str, password :str, iv :bytes): self.user = user
self.iv = iv
self.password = password
self.derive_password()[...]defderive_password(self): salt =b"LESELFRANCAIS!!!" self.key = PBKDF2(self.password, salt,16, count=10000, hmac_hash_module=SHA256)
Web interface endpoints
Reading app.py :
1
2
3
4
5
FLAG = os.getenv("FLAG","PWNME{flag_test}")KEY = os.urandom(16)USER =b"pwnme"assertlen(FLAG)<=16
We can understand that the key is defined once, so when requesting the flag multiple times, the same key will be used until we deploy another instance. Also, the user is “pwnme”.
Requesting /encrypt_flag/, we get the flag encrypted with the key generated at the start :
1
2
3
4
5
6
7
8
9
@app.route('/encrypt_flag/', methods=['GET'])defencrypt_flag():#chiffrer avec des creds random file = openzed.Openzed(USER, KEY,'flag.txt.ozed') file.encrypt(FLAG.encode()) file.generate_container()return send_file(encrypted, mimetype='text/plain', as_attachment=False, download_name='flag.txt.ozed')
If one submit an user and a password, the file will be encrypted with it.
Else, the user and the key defined at the start of the instance will be used.
And after that, the file will be encrypted and returned to us.
Finally, looking at /decrypt/ :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
@app.route('/decrypt/', methods=['POST'])defdecrypt_file():ifnot request.form["username"]:return"Please submit an username"ifnot request.form["password"]:return"Please submit a password"try:bytes.fromhex(request.form["password"])except:return"Please submit the password hex encoded"ifnot request.files ornot request.files["file"].filename:return"Please upload a file"
We must submit an username and a password but not an IV because the IV is supposed to already be inside the ciphertext.
fromopenzedlibimport openzed
fromtqdmimport tqdm
importrequestsimportreimportioimportzlibURL ="http://127.0.0.1:5000/"# request the encrypt file and get the filenameflag_enc = requests.get(URL+"encrypt_flag/")d = flag_enc.headers['content-disposition']filename = re.findall("filename=(.+)", d)[0]# create a openzed object with an user with same length as in the ciphertext, any password, # any iv as in the ciphertext and the filename we recovered beforeflag_enc_openzed = openzed.Openzed(b"pwnme",b"idk", filename)# load the flag ciphertext and read it's metadata to get the correct values and recover the IV# We can also recover the IV manually by reading flag_encflag_enc_openzed.secure_container = flag_enc.content
flag_enc_openzed.read_metadata()iv = flag_enc_openzed.parsed_metadata["iv"]# Now we can start to craft a payload# We will encrypt it through /encrypt_file endpointflag_ciphertext = flag_enc_openzed.secure_container[304:]flag =[0]*16# trick requests into thinking file.content come from a file by using io.BytesIO# empty password and username so the oracle KEY and USER get usedfor i in tqdm(range(255)): payload =[i]*16 r = requests.post(URL+"/encrypt/", files={'file':('file.txt', io.BytesIO(bytearray(payload)))}, data ={"iv": iv,"username":"","password":""}) tmp_ozed = openzed.Openzed(b"pwnme",b"idk", filename, iv) tmp_ozed.secure_container = r.content
# the ciphertext is compressed, openzed.py.openzed.encrypt my_ct = zlib.decompress(tmp_ozed.secure_container[304:]) flag_ct = zlib.decompress(flag_ciphertext)for counter, tupl inenumerate(zip(my_ct, flag_ct)):if tupl[0]== tupl[1]: flag[counter]= i
print(bytes(flag))print(bytes(flag))
Flag : PWNME{zEd_15_3z}
Conclusion
With these challenges and the blockchains ones, it was my first time creating challenges.
I learnt a lot during the design stage but made some mistakes resulting in unintended solves.
I will do more challenges for sure but next time, I will try to make more shorter challenge like easy diffy or test more carefully my challenges.
