Commit 0723665

committed
Added writeup of bad_apple of tum-ctf-teaser-2015
1 parent c497c7a commit 0723665

3 files changed: +100 -0 lines changed

Binary file not shown.
@@ -0,0 +1,90 @@
1+
[](ctf=tum-ctf-teaser-2015)
2+
[](type=crypto)
3+
[](tags=hash-length-extension-attack)
4+
[](tool=hashpump)
5+
6+
# bad_apple (crypto 15)
7+
8+
```
9+
Baby's 1st
10+
11+
ctf.link/assets/downloads/cry/bad_apple.tar.xz
12+
13+
try:
14+
ncat 1.ctf.link 1027 < good.bin
15+
expect:
16+
"hello"
17+
```
18+
19+
We are given a [tar archive](../bad_apple.tar.xz)
20+
It has a python file which is probably the source of the service
21+
22+
```python
23+
#!/usr/bin/env python3
24+
import sys, binascii
25+
from Crypto.Hash import SHA256
26+
27+
key = open('key.bin', 'rb').read()
28+
29+
message = sys.stdin.buffer.read(0x100)
30+
if len(message) < SHA256.digest_size:
31+
print('len')
32+
exit(0)
33+
34+
tag, message = message[:SHA256.digest_size], message[SHA256.digest_size:]
35+
36+
if SHA256.new(key + message).digest() != tag:
37+
print('bad')
38+
exit(0)
39+
40+
if b'hello pls' in message:
41+
print('hello')
42+
if b'flag pls' in message:
43+
print(open('flag.txt', 'r').read())
44+
```
45+
46+
Also
47+
48+
```bash
49+
$ xxd good.bin
50+
0000000: 2628 455f 6617 ecea 0248 95a4 8578 ebce &(E_f....H...x..
51+
0000010: 00fa 9204 983d 09b6 d175 7d05 dc43 0567 .....=...u}..C.g
52+
0000020: 6865 6c6c 6f20 706c 73 hello pls
53+
````
54+
55+
We see that the service uses sha256 to verify the signature and then process the message.
56+
We can use hash [Length Extension Attack](https://en.wikipedia.org/wiki/Length_extension_attack) to verify a request with a message 'flag pls'.
57+
58+
I use [hashpump](https://github.com/bwall/HashPump) to do the same. There is no information about the key. Hashpump needs a key length for the attack. We'll bruteforce that.
59+
60+
```python
61+
import hashpumpy
62+
original='hello pls'
63+
add='flag pls'
64+
hash_old='2628455f6617ecea024895a48578ebce00fa9204983d09b6d1757d05dc430567'
65+
limit=100
66+
for i in xrange(limit):
67+
f=open('lol/'+str(i),'w')
68+
l=hashpumpy.hashpump(hash_old,original,add,i)
69+
f.write(l[0].decode('hex')+l[1])
70+
f.close()
71+
```
72+
73+
will five me hundred files in lol directory.
74+
75+
```bash
76+
$ for i in {1..100}; do ncat 1.ctf.link 1027 < $i ; done
77+
bad
78+
bad
79+
.
80+
.
81+
hello
82+
hxp{M3rkL3_D4mg4rd_h4s_s0m3_Pr0bl3mZ}
83+
84+
bad
85+
^C
86+
```
87+
for keylength 32 it worked.
88+
89+
Flag
90+
> hxp{M3rkL3_D4mg4rd_h4s_s0m3_Pr0bl3mZ}
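Review bot: the generating script and the test loop in this writeup disagree on file names: `for i in xrange(limit)` writes `lol/0` through `lol/99`, while `for i in {1..100}; do ncat 1.ctf.link 1027 < $i ; done` reads `1` through `100` from the current directory, so key length 0 is never tried, file `100` does not exist, and the loop only works when run from inside `lol/` (or with `< lol/$i`). The script is also Python 2 only (`xrange`, `l[0].decode('hex')`) while the service it attacks is Python 3; `range`, `bytes.fromhex(l[0]) + l[1]` and `open(..., 'wb')` would make it run under either. Two smaller points: the xxd block is closed with four backticks (````), which breaks rendering of every fenced block after it, and "will five me hundred files" should read "will give me a hundred files". Since the writeup identifies the length-extension weakness of `SHA256(key + message)`, one sentence noting that a keyed MAC such as HMAC-SHA256 is not affected would document the fix a reader of this page would want.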
@@ -0,0 +1,10 @@
1+
import hashpumpy
2+
original='hello pls'
3+
add='flag pls'
4+
hash_old='2628455f6617ecea024895a48578ebce00fa9204983d09b6d1757d05dc430567'
5+
limit=100
6+
for i in xrange(limit):
7+
f=open('lol/'+str(i),'w')
8+
l=hashpumpy.hashpump(hash_old,original,add,i)
9+
f.write(l[0].decode('hex')+l[1])
10+
f.close()
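Review bot: this script will not run under Python 3 (`xrange` and `str.decode('hex')` no longer exist), and under Python 2 it writes binary data through a text-mode handle; suggest `for i in range(limit):`, `f=open('lol/'+str(i),'wb')` and `f.write(bytes.fromhex(l[0])+l[1])`. It also assumes the `lol/` directory already exists; an `os.makedirs('lol', exist_ok=True)` at the top (Python 3) avoids the error on first use. A `with open(...) as f:` block would replace the manual `f.close()`.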