My writeup on Akasec CTF on the challs solved by my team ‘Bits & Pieces’ and we placed rank 13th on this ctf event, it was a pretty good run this time!
Crypto:
Lost
In the given code:
py
from random import getrandbitsfrom Crypto.Util.number import getPrime, bytes_to_longfrom SECRET import FLAGe = 2p = getPrime(256)q = getPrime(256)n = p * qm = bytes_to_long(FLAG)cor_m = m - getrandbits(160)if __name__ == "__main__":c = pow(m, e, n)print("n = {}\nc = {}\ncor_m = {}".format(n, c, cor_m))
We can identify that the getrandbits(160)
is a small range and we can exploit this vulnerablility using the “Coppersmith’s Attack” which helps us to find the potential value to decrypt the flag.
py
m=724154397787031699242933363312913323086319394176220093419616667612889538090840511506381320998293481458429167685676367015744314015744n=5113166966960118603250666870544315753374750136060769465485822149528706374700934720443689630473991177661169179462100732951725871457633686010946951736764639e=2c=329402637167950119278220170950190680807120980712143610290182242567212843996710001488280098771626903975534140478814872389359418514658167263670496584963653P.<x> = PolynomialRing(Zmod(n), implementation='NTL')pol = (m + x)**2 - croots = pol.small_roots(epsilon=1/50)print("Potential solutions:")for root in roots:a = root+mprint(root+m)
Here the code attempts to find small roots of the polynomial using the small_roots method with an epsilon value of 1/50. The small_roots method is used to find roots of a polynomial where the roots are known to be small relative to the modulus n.
py
roots = pol.small_roots(epsilon=1/50)
Then we iterate through the found roots, add each root to m, and prints the result. The addition of m to each root is done because the polynomial was defined as (m+x), so the roots found are offsets from m.
The encryption operation for RSA with exponent e can be written as: c = (m+k)2 mod n
where k is some small value. The polynomial (m+x)2 - c is constructed and the small roots method is used to find the possible values of k. By adding these roots back to m, the code attempts to recover the original plaintext m.
Flag: AKASEC{c0pp3r5m17h_4774ck_1n_1ov3_w17h_5m4ll_3xp0n3nts}
Twin
In the given code:
py
from Crypto.Util.number import getPrime, bytes_to_long, long_to_bytesfrom SECRET import FLAGe = 5p = getPrime(256)q = getPrime(256)n = p * qm1 = bytes_to_long(FLAG)m2 = m1 >> 8if __name__ == "__main__":c1, c2 = pow(m1, e, n), pow(m2, e, n)print("n = {}\nc1 = {}\nc2 = {}".format(n, c1, c2))
We need to exploit a specific relationship between the plaintext messages encrypted as c1 and c2 under the same RSA modulus and small exponent e=5. To find the missing value of the encrypted flag, let’s say ‘k’, It iterates over potential values of k, calculates the GCD of the resulting polynomials, and checks for non-trivial solutions that can be used to derive the plaintext.
py
e=5n=6689395968128828819066313568755352659933786163958960509093076953387786003094796620023245908431378798689402141767913187865481890531897380982752646248371131c1=3179086897466915481381271626207192941491642866779832228649829433228467288272857233211003674026630320370606056763863577418383068472502537763155844909495261c2=6092690907728422411002652306266695413630015459295863614266882891010434275671526748292477694364341702119123311030726985363936486558916833174742155473021704n1=nn2=ndef my_gcd(a, b):return a.monic() if b == 0 else my_gcd(b, a % b)R.<m2>=Zmod(n)[]for k in range(256):f1=(m2*256+k)^e-c1f2=m2^e-c2if(my_gcd(f1, f2).coefficients()[0] != 1): # finds the potentialres = (my_gcd(f1, f2).small_roots()[0] * 256) + kprint(long_to_bytes(Integer(res))) # prints the flag
If the leading coefficient of the GCD is not 1, it indicates a potential value which was at iteration 125 which converts to the ascii value }
. Then uses the small_roots method to find the potential message.
py
if(my_gcd(f1, f2).coefficients()[0] != 1): # finds the potential
The message is converted into a readable format, and prints it.
Flag: AKASEC{be_on_the_right_side_of_history_free_palestine}
My Calculus Lab
In the given code:
py
from Crypto.Cipher import AESfrom Crypto.Util.Padding import padimport hashlibimport sympy as spimport randomFLAG = b'REDACTED'key = random.getrandbits(7)x = sp.symbols('x')f = "REDACTED"f_prime = "REDACTED"f_second_prime = "REDACTED"assert(2*f_second_prime - 6*f_prime + 3*f == 0)assert(f.subs(x, 0) | f_prime.subs(x, 0) == 14)def encrypt(message, key):global fglobal xpoint = f.subs(x, key).evalf(100)point_hash = hashlib.sha256(str(point).encode()).digest()[:16]cipher = AES.new(point_hash, AES.MODE_CBC)iv = cipher.ivciphertext = cipher.encrypt(pad(message, AES.block_size))return iv.hex() + ciphertext.hex()encrypted = encrypt(FLAG, key)print(f"Key: {key}")print(f"Encrypted: {encrypted}")
On observing the above code we can clearly see that:
- The function f satisfies a second-order linear differential equation: 2f” - 6f- + 3f = 0
- Encryption key is derived by evaluating function f at a key value (7-bits)
- This key is then hashed using SHA-256 to generate the AES key.
To decrypt the message, we need to just reverse the process, that’s to solve the differential equation with various initial conditions and regenerate the AES key.
py
from Crypto.Cipher import AESfrom Crypto.Util.Padding import pad,unpadimport hashlibimport sympy as spimport randomimport mathfrom sympy import symbols, Function, Eq, dsolve, exp, Derivativex = sp.symbols('x')e=math.eKey=60Encrypted='805534c14e694348a67da0d75165623cf603c2a98405b34fe3ba8752ce24f5040c39873ec2150a61591b233490449b8b7bedaf83aa9d4b57d6469cd3f78fdf55'iv_hex=Encrypted[:32]ct=Encrypted[32:]iv=bytes.fromhex(iv_hex)c=bytes.fromhex(ct)pos14=[[0, 14], [2, 12], [2, 14], [4, 10], [4, 14], [6, 8], [6, 10], [6, 12], [6, 14], [8, 6], [8, 14], [10, 4], [10, 6], [10, 12], [10, 14], [12, 2], [12, 6], [12, 10], [12, 14], [14, 0], [14, 2], [14, 4], [14, 6], [14, 8], [14, 10], [14, 12], [14, 14]]x = symbols('x')y = Function('y')(x)# Define the differential equation 2y''-6y'+3y=0differential_eq = Eq(2*y.diff(x, x) - 6*y.diff(x) + 3*y, 0)for i in range(len(pos14)):# Define initial conditions y(0) = y0 and y'(0) = y1y0 = pos14[i][0] # Ey(x)y1 = pos14[i][1] # y'(x)initial_conditions = {y.subs(x, 0): y0, y.diff(x).subs(x, 0): y1}# Solve the differential equation with initial conditionssolution = dsolve(differential_eq, y, ics=initial_conditions)f=solution.rhspoint = f.subs(x, Key).evalf(100)point_hash = hashlib.sha256(str(point).encode()).digest()[:16]cipher = AES.new(point_hash, AES.MODE_CBC, iv)flag = cipher.decrypt(c)if b'AKASEC' in flag:print(flag)
We first define the differential Equation
py
y = Function('y')(x)differential_eq = Eq(2*y.diff(x, x) - 6*y.diff(x) + 3*y, 0)
Then iterate through all possible initial conditions, and every solution is evaluated and hashed at the key to derive the AES key.
py
for i in range(len(pos14)):y0 = pos14[i][0]y1 = pos14[i][1]initial_conditions = {y.subs(x, 0): y0, y.diff(x).subs(x, 0): y1}solution = dsolve(differential_eq, y, ics=initial_conditions) # Solve Diff eqf=solution.rhspoint = f.subs(x, Key).evalf(100) #evaluatepoint_hash = hashlib.sha256(str(point).encode()).digest()[:16] #hash
This regenerated AES derived key and IV is used to decrypt the cipher text.
py
cipher = AES.new(point_hash, AES.MODE_CBC, iv)flag = unpad(cipher.decrypt(c), AES.block_size)
Flag: AKASEC{d1d_y0u_3nj0y_c41cu1u5_101?}
Special thanks to @ckc9759
for helping with the solutions and writeup!