CTF: Don't try RSA at home

28/01/17 — capitol

name: Sudan - RSA is for everyone
category: crypto
points: 100

Writeup

Our friends over at xil.se have written some challenges for a CTF named smash the stack at https://ctf.anti-network.org/

The challenge “RSA is for everyone” required you to send and retrieve messages with RSA. Fortunately it is really easy to implement RSA yourself in Java (don’t try this at home, kids).

The class for getting the RSA primitives looks like this (some code shamelessly stolen from Stack Overflow, like all real programmers do):

import java.math.BigInteger;
import java.security.SecureRandom;

public class RSA {
    private final BigInteger p;
    private final BigInteger q;
    private final BigInteger n;
    private final BigInteger d;
    private final BigInteger e;

    public RSA() {
        int SIZE = 512;
        // java.util.Random is not a CSPRNG; SecureRandom costs nothing extra here.
        SecureRandom rnd = new SecureRandom();

        /* Step 1: Select two large prime numbers. Say p and q.
         * BigInteger(bitLength, certainty, rnd) returns a probable prime;
         * certainty 15 means the candidate is composite with probability <= 2^-15. */
        p = new BigInteger(SIZE, 15, rnd);
        q = new BigInteger(SIZE, 15, rnd);

        /* Step 2: Calculate n = p.q */
        n = p.multiply(q);

        /* Step 3: Calculate ø(n) = (p - 1).(q - 1) */
        BigInteger phiN = p.subtract(BigInteger.ONE);
        phiN = phiN.multiply(q.subtract(BigInteger.ONE));

        BigInteger eTmp;
        /* Step 4: Find e such that gcd(e, ø(n)) = 1 ; 1 < e < ø(n).
         * Draw random candidates until one is inside the range and coprime to ø(n). */
        do {
            eTmp = new BigInteger(2 * SIZE, rnd);
        } while (eTmp.compareTo(BigInteger.ONE) <= 0
                || eTmp.compareTo(phiN) >= 0
                || !eTmp.gcd(phiN).equals(BigInteger.ONE));
        e = eTmp;

        /* Step 5: Calculate d such that e.d = 1 (mod ø(n)) */
        d = e.modInverse(phiN);
    }

    public BigInteger getP() {
        return p;
    }

    public BigInteger getQ() {
        return q;
    }

    public BigInteger getN() {
        return n;
    }

    public BigInteger getD() {
        return d;
    }

    public BigInteger getE() {
        return e;
    }
}

With that in hand it was easy to respond to the questions in the challenge.

Solution

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class App {

    /* Skip banner and menu lines the server prints; only the numbers matter. */
    private static void skip(BufferedReader in, int lines) throws IOException {
        for (int i = 0; i < lines; i++) {
            in.readLine();
        }
    }

    public static void main(String[] args) throws IOException {
        try (Socket attackTarget = new Socket("ctf1.xil.se", 4300);
             PrintWriter out = new PrintWriter(attackTarget.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(attackTarget.getInputStream()))) {

            // Our own key pair; the server encrypts the flag to it at the end.
            RSA rsa = new RSA();

            // Menu option 1: the server prints its public key as two lines with a
            // two-character label in front of the decimal value, so drop the label.
            skip(in, 5);
            out.println("1");
            skip(in, 2);
            BigInteger n = new BigInteger(in.readLine().substring(2));
            BigInteger e = new BigInteger(in.readLine().substring(2));
            skip(in, 6);

            // Menu option 2: encrypt the requested phrase with the server's key and send it as hex.
            // The signum constructor keeps the integer positive whatever the first byte is.
            out.println("2");
            skip(in, 1);
            BigInteger m = new BigInteger(1, "RSA is for everyone".getBytes(StandardCharsets.ISO_8859_1));
            out.println(m.modPow(e, n).toString(16));
            skip(in, 4);

            // Hand over our public key (decimal) and read back the flag encrypted to it (hex).
            out.println(rsa.getN().toString(10));
            skip(in, 1);
            out.println(rsa.getE().toString(10));
            skip(in, 1);
            String flagHex = in.readLine();

            byte[] flag = new BigInteger(flagHex, 16).modPow(rsa.getD(), rsa.getN()).toByteArray();
            System.out.println("flag: " + new String(flag, StandardCharsets.ISO_8859_1));
        }
    }
}
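The same textbook primitives in Python, added here as an example and not part of the original writeup or its Java code: key generation with the Step 4 constraint 1 < e < ø(n) enforced, the big-endian bytes-to-integer encoding the solution relies on, and a demonstration of why an exponent above ø(n) still round-trips (so a wrong bound on e is invisible at runtime and has to be asserted explicitly). Function names are my own; `pow(e, -1, phi)` needs Python 3.8 or later.

```python
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; a composite survives each round with probability <= 1/4."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                           # a witnesses compositeness
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has 2*bits or 2*bits-1 bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def choose_e(phi: int) -> int:
    """Step 4 as specified: e uniform in (1, phi) with gcd(e, phi) == 1 (65537 is the usual fixed choice)."""
    while True:
        e = 2 + secrets.randbelow(phi - 2)         # uniform in [2, phi-1]
        if gcd(e, phi) == 1:
            return e


def keygen(bits: int = 512) -> dict:
    """Textbook RSA key generation; `bits` is the size of each prime, like SIZE in the Java class."""
    p = random_prime(bits)
    q = random_prime(bits)
    while q == p:
        q = random_prime(bits)
    n = p * q
    phi = (p - 1) * (q - 1)
    e = choose_e(phi)
    d = pow(e, -1, phi)                            # modular inverse, Python 3.8+
    return {"p": p, "q": q, "n": n, "phi": phi, "e": e, "d": d}


def encrypt(msg: bytes, e: int, n: int) -> int:
    """Big-endian bytes -> integer, as BigInteger(byte[]) does for a message whose first byte is < 0x80."""
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("textbook RSA needs m < n; message too long for this modulus")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> bytes:
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo(bits: int = 512) -> dict:
    k = keygen(bits)
    msg = b"RSA is for everyone"                   # the phrase the challenge asks for
    c = encrypt(msg, k["e"], k["n"])
    assert decrypt(c, k["d"], k["n"]) == msg
    # No padding, so the same message always gives the same ciphertext.
    assert encrypt(msg, k["e"], k["n"]) == c
    # An exponent above phi(n) works just as well: m**phi == 1 (mod n) when gcd(m, n) == 1,
    # so e and e + phi(n) share the same inverse d. A round-trip test never catches a
    # bad bound on e; the range check has to be made on e itself.
    e_big = k["e"] + k["phi"]
    assert pow(e_big, -1, k["phi"]) == k["d"]
    assert decrypt(encrypt(msg, e_big, k["n"]), k["d"], k["n"]) == msg
    return k


if __name__ == "__main__":
    key = demo()
    print("n bits:", key["n"].bit_length(), "1 < e < phi(n):", 1 < key["e"] < key["phi"])
```

Two things the challenge does not force you to think about: without padding (OAEP in practice) the encryption is deterministic and malleable, and the message must be shorter than the modulus or `encrypt` refuses it rather than silently wrapping modulo n.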

CTF: Solving smarttomcat challenge from Insomnihack Teaser 2017

23/01/17 — capitol

category: web
points: 50

Writeup

The Insomni’hack teaser 2017 was a fun CTF with a good spread between easy and hard challenges.

The smarttomcat challenge was an easy web challenge about attacking a badly secured Tomcat server. As a user you were presented with a web page whose backend was written in PHP, and that backend called a Tomcat server on localhost.

Looking at the form POST data in the browser, it became apparent that the URL the backend called was supplied by the form itself, so the backend would fetch whatever URL we gave it (a server-side request forgery).

This enabled us to write a port scan as a simple bash loop:

for x in $(seq 1 65535); do
    echo "$x" >> /tmp/log
    curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' --data "u=http%3A%2F%2Flocalhost%3A$x%2F" >> /tmp/log
done

This didn’t really help us. We then realized that we could reach the Tomcat manager on the same port (8080) as the rest of the application, and a simple Google search gave us the default username and password.

Solution

curl 'http://smarttomcat.teaser.insomnihack.ch/index.php' --data 'u=http://tomcat:tomcat@127.0.0.1:8080/manager/html'
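The check the PHP backend was missing, added here as an example and not part of the challenge or the writeup: it inspects the user-supplied URL and refuses the two things the solution abused, loopback or private targets on arbitrary ports and credentials smuggled in the URL's userinfo (which the fetching client turns into an Authorization header). The function name, the allowed-port list and the sample inputs are my own.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy: the backend only needs public web servers on standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def classify_target(url: str) -> str:
    """Return 'ok' if a user-supplied URL may be fetched server-side, else the reason it may not.

    Runs on the parsed URL only; no DNS lookup or network access happens here.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    # http://user:pass@host/ makes the fetching client send Basic auth on the caller's behalf.
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL"
    host = parts.hostname
    if not host:
        return "no host"
    if host.lower().rstrip(".") in LOOPBACK_NAMES:
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name: resolve it and re-check the resolved address before connecting
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return "non-public address"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    return "ok"


# Constructed inputs: the two payloads from the writeup plus a benign one.
EXAMPLES = [
    "http://localhost:4300/",                             # one iteration of the port scan
    "http://tomcat:tomcat@127.0.0.1:8080/manager/html",   # the manager with default credentials
    "https://example.com/",
]

if __name__ == "__main__":
    for u in EXAMPLES:
        print(f"{classify_target(u):20s} {u}")
```

Parsing alone is not the whole fix: a hostname passes this check, so the caller must resolve it, apply the same address test to what it actually connects to (and pin that address, or DNS rebinding defeats the check), and must not follow redirects. Decimal or hex spellings of an IPv4 address such as `0x7f000001` are also only caught at resolution time.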

CTF: A channel side door problem

17/01/17 — capitol

We have discovered another door problem that needs to be solved. Can any of you retrieve the flag that is stored behind this side door?

telnet 185.35.202.212 2220

or

telnet 2a02:ed06::2033 12346

Happy hacking!

CTF: Our lost door combination

14/01/17 — capitol

We seem to have lost the code to one of our doors. Could any of you amazing hackers help us open it with your hacking skills and get the flag?

telnet 185.35.202.212 2221

or

telnet 2a02:ed06::2033 12345

Happy hacking!

33c3: talks round-up

07/01/17 — fnords

All Computers Are Broken

‘Twas that most wonderful time of the year: CCC congress time!! 12000+ hackers from all over the planet were gathered in Hamburg for four days of glorious haxx, workshops, meetups, CTFs, raves, mainlining Club-Mate... and attending some talks along the way.

Here are a few of fnords’ personal favourites from this year:

“Lockpicking in the IoT”: It’s not really a hacker congress unless there is some lockpicking going on. It’s fun to use BTLE for evil!

“Where in the World Is Carmen Sandiego?”: I didn’t get to see this at the congress, but it was recommended to me by several other people and I put it on my watch list. If you’ve ever booked a trip somewhere (or put a picture of your boarding card on Instagram... protip: don’t do that), this talk is for you!

“Keys of Fury”: The abstract for this talk mentioned teletext and then I knew I had to watch it. Best quote: “You really need to like it, because it takes forever”. More KYBDslöjd plz!

“You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet”: For all you IPv6 heads out there!

“Shut Up and Take My Money!”: FinTech security and how not to do it.

You can find all the talks from 33c3 here, go check them out!