../

GCC-CTF 2024 - GCC News [crypto]

Difficulty : easy

Team : Phreaks2600

Source files

We’ve launched a brand new website with lots of articles about CTF world. Can you access it as a subscriber?

Introduction

We need to connect ourself as an admin abusing of a weak cryptographic signing method using a known seed to access to the subscriber restricted news page.

Recon

Interacting with the website

Accessing to the webpage at its address, we can either login or see the news.

But see the news need us to be logged as admin.

When creating an account and trying to access news page, the url look like this :

http://worker02.gcc-ctf.com:12087/news?token=51816479678544860789205817956792347222422223739416909533792838824330799892508088600548749347686978414433102103745516643115716031985693240243091851305710126012438456120411885440990451062207733612019150266443358710746141779660513712502912356256730590171496329015143780590064512898839213592087008040314904536688517272644527957355579296550263702755869863019492282564083007158478207437390306619837226534557048260824678363108194422787738684127780383714906987061676046665853308427857868198981215396222656764654866977510612110433711379600274374398826032658632188971438616021846678185052961795893909723564297305415934241385892668460580937&message=eyd0ZXN0MSc6IFtGYWxzZV19

Where the parameter message is base64 encoded “{’test1’: [False]}” and the parameter token is the message parameter encrypted with rsa

Reading the code

Here is the source code

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

from flask import Flask, render_template, request, redirect, url_for, jsonify
import hashlib
import base64
import json
import time
import random
import hashlib
from Crypto.Util.number import bytes_to_long, isPrime
import math

app = Flask(__name__)

def hash_string_sha256(message):
    message_bytes = message.encode('utf-8')
    sha256_hash = hashlib.sha256()
    sha256_hash.update(message_bytes)
    hashed_message = sha256_hash.digest()

    return int.from_bytes(hashed_message, byteorder='big')

def generate_signature(message, private_key):
    n, d = private_key
    hashed_message = hash_string_sha256(message)
    signature = pow(hashed_message, d, n)
    
    return signature

def verify_signature(msg, public_key, signature):
    initial_hash = hash_string_sha256(msg)
    
    n, e = public_key
    
    recoved_hash = pow(int(signature),e,n)
    
    return initial_hash == recoved_hash

@app.route('/')
def welcome():
    return render_template('welcome.html')

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username')
    password = request.form.get('password')

    # Check if the user exists
    if username not in users:
        return redirect(url_for('login', reason='unknown_user'))

    # Check if the password is correct
    if password != users[username][0]:
        return redirect(url_for('login', reason='incorrect_password'))
    
    public_key, private_key = generate_key(username)
    
    public_key_users[username] = public_key
    
    signature = generate_signature(str({username : [users[username][1]]}), private_key)
    
    return redirect(url_for('news', token=signature, message=base64.b64encode(str({username : [users[username][1]]}).encode()).decode()))

@app.route('/news', methods=['GET'])
def news():
    signature = request.args.get('token')
    message = base64.b64decode(request.args.get('message')).decode()
    
    message = json.loads(message.replace("'", '"').replace("False", "false").replace("True", "true"))
    
    username = list(message.keys())[0]
    subscribe = list(message.values())[0][0]

    if signature:
        is_sign = verify_signature(str(message), public_key_users[username], signature)
        if is_sign:
            return render_template('news.html', username=username, subscribe=subscribe)

    return redirect(url_for('login', reason='unauthorized'))

@app.route('/login', methods=['GET'])
def show_login():
    # Extract the reason from the query parameters
    reason = request.args.get('reason')

    # Display a pop-up message based on the reason
    if reason == 'unknown_user':
        pop_up_message = "Unknown user. Please check your credentials."
    elif reason == 'incorrect_password':
        pop_up_message = "Incorrect password. Please try again."
    elif reason == 'unauthorized':
        pop_up_message = "Unauthorized access. Please log in."
    else:
        pop_up_message = None

    return render_template('login.html', pop_up_message=pop_up_message)

@app.route('/create_user', methods=['POST'])
def create_user():
    new_username = request.form.get('new_username')
    new_password = request.form.get('new_password')

    # Check if the username already exists
    if new_username in users:
        return redirect(url_for('login', reason='username_exists'))

    # Add the new user to the dictionary
    users[new_username] = [new_password, False]

    # Display a pop-up message
    pop_up_message = "Thanks for registering! The admin will soon activate your profile if you have subscribed."

    return render_template('login.html', pop_up_message=pop_up_message)

def generate_key(username):
    
	length = lambda x : len(bin(x)[2:])

	s = bytes_to_long(username.encode())

	random.seed(s)

	e = 0x1001
	phi = 0
    
	while math.gcd(phi,e) != 1:
		n = 1
		factors = []

		while length(n) < 2048:
			temp_n = random.getrandbits(48)
			if isPrime(temp_n):
				n *= temp_n
				factors.append(temp_n)
		phi = 1
		for f in factors:
			phi *= (f - 1)

	d = pow(e, -1, phi)

	return (n,e), (n,d)

# A simple dictionary to store user credentials and subscription status
users = {
    'GCC': ['securePassword', False]
}
public_key_users = {}

if __name__ == '__main__':
    app.run(debug=False)

There is a kind of handmade database to manage users.

The DB got the users, its password, a boolean (True or False) for describing the admin role and the public key of the users.

1
2
3
4

users = {
    'GCC': ['securePassword', False]
}
public_key_users = {}

When creating an user, it is appended to the dict of users :

users[new_username] = [new_password, False]

So when creating an “test1” account with “password” as password :

users[“test1”][0] = “password” users[“test1”][1] = False

And also filling the public key database:

public_key_users[test] = its public key

The public and private keys are generated with the random module and a seed based on the username. So knowing the username we can recover the public key and ce private key.

We can just reuse the challenge generate_key function for that :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

def generate_key(username):
    
	length = lambda x : len(bin(x)[2:])

	s = bytes_to_long(username.encode())

	random.seed(s)

	e = 0x1001
	phi = 0
    
	while math.gcd(phi,e) != 1:
		n = 1
		factors = []

		while length(n) < 2048:
			temp_n = random.getrandbits(48)
			if isPrime(temp_n):
				n *= temp_n
				factors.append(temp_n)
		phi = 1
		for f in factors:
			phi *= (f - 1)

	d = pow(e, -1, phi)

	return (n,e), (n,d)

Solving

Now we know how to recover the private key, the steps for solving are :

  • Create an user
  • Use the function generate_key to get it’s private_key and sign the message : {’test1’: [True]} which will give us our token.
  • Send a GET request with our forged token and message

So for test_1 using generate_key:

n = 1457342553157259295407930365261800696748888551794075108779100697531249469132443259759166251334393209534527011340120848417513504763172687425603817169965420203182841446416766927653960650018998669899183487322211178874589822726651093254803792218788609932755617725086287444735520634631250205847736080158111696592654206975607049821230615196941817479903763249457613376371498407355381921851845673217419213581082634290438881135049162320418983797388015232666055696476182329585445835040160266557584246137158655921759590380096558137315519737417711810732976599747165793134280706192438024871206616099076425065259626152010714200822870951819946361

e = 4097

d = 1169929132860778172266790416717795055395425023673769128941398634078612313645586470723460559979322746878492767894986894386607392692140809768119253135545569481619614863351561130269497874373374376730775005845964346721784822629714480091633306912534377109787422319793085109077376760278513449726222323801791791327104545390490456210290681860991997191841252970404345272643125273777571879120765801234951744562986758112686603976623970900646525392530237245486976063443733613254268981773171814398056537380882163353704864394235638123739162367944267985527667019876092910225809715528375163004211021207853239200740123762076468891204439491139858433

I can now sign the message and get my token :

1328296459116198513481005775994265654367244256157496762561215663749001313544888752691095431811838915662861275916069253599131094326519037807982403437366383963609593961610229519349629126583667198784483067627762487710405124208069398517977162311635739503788545076940068444011356528681958458727410341989686589824878872706145702838453900839690220411045955898590237403687023436729802836403464839928576644511341708090007448358389413162908097505464282026490604831559303689920713332959415629965026776263798033479321497305831022519726249152589296200270547520256311793654758651445601039583377445016016582341166189227484558460201850695658065

And encode {'test1': [True]} in base64: eyd0ZXN0MSc6IFtUcnVlXX0=

And send this GET request :

http://worker02.gcc-ctf.com:13307/news?token=1328296459116198513481005775994265654367244256157496762561215663749001313544888752691095431811838915662861275916069253599131094326519037807982403437366383963609593961610229519349629126583667198784483067627762487710405124208069398517977162311635739503788545076940068444011356528681958458727410341989686589824878872706145702838453900839690220411045955898590237403687023436729802836403464839928576644511341708090007448358389413162908097505464282026490604831559303689920713332959415629965026776263798033479321497305831022519726249152589296200270547520256311793654758651445601039583377445016016582341166189227484558460201850695658065&message=eyd0ZXN0MSc6IFtUcnVlXX0%3D

Flag GCC{f1x3d_533d_d154bl3_r4nd0mn355}