Solution for ASR has been added.

patrick-me · patrick-me · commit 9a8c5fe623da · 2015-05-07T02:46:44.000+03:00
diff --git a/ASR/solution/nepair b/ASR/solution/nepair
@@ -0,0 +1 @@
+-n 0x02cfc00c275c567f12f284d4864b152a2499962e25506d7e184fa2be1a0d50ddc905dde979dc27753c9060bb01ecfbb5406d1d78ce8dc8ca296b19c3204aa18ce69485a8bc9a57a1715085109a50181b37e48cd2627b8da380a152e971f246e5ab89e0cb5e76f551fd9925105f887ad39b2d8677331ab66802b5e4ac7466d7bf8b -e 0x0242a4b40a0abb560e50e47ce61926fc2af216c76ad6dc52e6e9a78e9b42609d575f30dd6dac3ac3233e862514d89eee389cba430f601f81a57f1b7e9158dc6f3a0070dee3791f9cbdb34b9de1b12cbb7da46eb0e9e605a975a0973b18255239a27988259312f1446886388be320d2897e1cf9841898d931776c3831306062f01d
diff --git a/ASR/solution/pqetuple b/ASR/solution/pqetuple
@@ -0,0 +1 @@
+-p 18332366563702812004827960767382231259638895239413282702812009894882946745998553209194850588719103121402937914114124705492672432051453957400966421943458751 -q 27570132131170104824343411575743642180767006452664381672813278738573428245458845155699724266932275812596878966520171881476555627563245277293094684982034229 -e 406337194415078969135388012199768851534892405717049052243569601877767720306971351962115455780742226903789914852797732475115620696182173145519244169134462893981827754911556903443954791096825007180380141420831124481112731502488517569927478504486615667200169344800534739661939136312208398465567840505121573367837
diff --git a/ASR/solution/private.key b/ASR/solution/private.key
@@ -0,0 +1,13 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICOQIBAAKBgQLPwAwnXFZ/EvKE1IZLFSokmZYuJVBtfhhPor4aDVDdyQXd6XncJ3U8kGC7Aez7
+tUBtHXjOjcjKKWsZwyBKoYzmlIWovJpXoXFQhRCaUBgbN+SM0mJ7jaOAoVLpcfJG5auJ4MtedvVR
+/ZklEF+IetObLYZ3Mxq2aAK15Kx0Zte/iwKBgQJCpLQKCrtWDlDkfOYZJvwq8hbHatbcUubpp46b
+QmCdV18w3W2sOsMjPoYlFNie7jicukMPYB+BpX8bfpFY3G86AHDe43kfnL2zS53hsSy7faRusOnm
+Bal1oJc7GCVSOaJ5iCWTEvFEaIY4i+Mg0ol+HPmEGJjZMXdsODEwYGLwHQIgDCwQPH4iUFihfz18
+b8epCYLzO2r9l8thz3zOdX47QT0CQQFeBr2+s8lKeGiG0FsWa55NDi0h6ShCTLBfUM8BkBNmMbqz
+5VybaKajeDTGwHpZYBTgVf8hmloh/geJcuBfwJu/AkECDmf/q3wc9yzgKUNtaWuGf+krVnmSCXeS
+7Lhrf2SbygyjjT7emWpgpzw/EoJ2wCg4JBZBmmZ82d8F8imYYTy/NQIgDCwQPH4iUFihfz18b8ep
+CYLzO2r9l8thz3zOdX47QT0CIAwsEDx+IlBYoX89fG/HqQmC8ztq/ZfLYc98znV+O0E9AkAoVQGA
+5pcRKjARucSUlUIq/+XiZZ7qh9Ip7nSm+XCz90UyHEHBTsQ15YgfEfELeZATXLC2BXma+XZU4IIk
+TMRw
+-----END RSA PRIVATE KEY-----
diff --git a/ASR/solution/rsatool.py b/ASR/solution/rsatool.py
@@ -0,0 +1,165 @@
+#!/usr/bin/python2
+import base64, fractions, optparse, random
+import gmpy
+
+from pyasn1.codec.der import encoder
+from pyasn1.type.univ import *
+
+PEM_TEMPLATE = '-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n'
+DEFAULT_EXP = 65537
+
+def factor_modulus(n, d, e):
+    """
+    Efficiently recover non-trivial factors of n
+
+    See: Handbook of Applied Cryptography
+    8.2.2 Security of RSA -> (i) Relation to factoring (p.287)
+
+    http://www.cacr.math.uwaterloo.ca/hac/
+    """
+    t = (e * d - 1)
+    s = 0
+
+    while True:
+        quotient, remainder = divmod(t, 2)
+
+        if remainder != 0:
+            break
+
+        s += 1
+        t = quotient
+
+    found = False
+
+    while not found:
+        i = 1
+        a = random.randint(1,n-1)
+
+        while i <= s and not found:
+            c1 = pow(a, pow(2, i-1, n) * t, n)
+            c2 = pow(a, pow(2, i, n) * t, n)
+
+            found = c1 != 1 and c1 != (-1 % n) and c2 == 1
+
+            i += 1
+
+    p = fractions.gcd(c1-1, n)
+    q = (n / p)
+
+    return p, q
+
+class RSA:
+    def __init__(self, p=None, q=None, n=None, d=None, e=DEFAULT_EXP):
+        """
+        Initialize RSA instance using primes (p, q)
+        or modulus and private exponent (n, d)
+        """
+
+        self.e = e
+
+        if p and q:
+            assert gmpy.is_prime(p), 'p is not prime'
+            assert gmpy.is_prime(q), 'q is not prime'
+
+            self.p = p
+            self.q = q
+        elif n and d:   
+            self.p, self.q = factor_modulus(n, d, e)
+        else:
+            raise ArgumentError('Either (p, q) or (n, d) must be provided')
+
+        self._calc_values()
+
+    def _calc_values(self):
+        self.n = self.p * self.q
+
+        phi = (self.p - 1) * (self.q - 1)
+        self.d = gmpy.invert(self.e, phi)
+
+        # CRT-RSA precomputation
+        self.dP = self.d % (self.p - 1)
+        self.dQ = self.d % (self.q - 1)
+        self.qInv = gmpy.invert(self.q, self.p)
+
+    def to_pem(self):
+        """
+        Return OpenSSL-compatible PEM encoded key
+        """
+        return PEM_TEMPLATE % base64.encodestring(self.to_der())
+
+    def to_der(self):
+        """
+        Return parameters as OpenSSL compatible DER encoded key
+        """
+        seq = Sequence()
+
+        for x in [0, self.n, self.e, self.d, self.p, self.q, self.dP, self.dQ, self.qInv]:
+            seq.setComponentByPosition(len(seq), Integer(x))
+
+        return encoder.encode(seq)
+
+    def dump(self, verbose):
+        vars = ['n', 'e', 'd', 'p', 'q']
+
+        if verbose:
+            vars += ['dP', 'dQ', 'qInv']
+
+        for v in vars:
+            self._dumpvar(v)
+
+    def _dumpvar(self, var):
+        val = getattr(self, var)
+
+        parts = lambda s, l: '\n'.join([s[i:i+l] for i in xrange(0, len(s), l)])
+
+        if len(str(val)) <= 40:
+            print '%s = %d (%#x)\n' % (var, val, val)
+        else:
+            print '%s =' % var
+            print parts('%x' % val, 80) + '\n'
+
+
+if __name__ == '__main__':
+    parser = optparse.OptionParser()
+
+    parser.add_option('-p', dest='p', help='prime', type='int')
+    parser.add_option('-q', dest='q', help='prime', type='int')
+    parser.add_option('-n', dest='n', help='modulus', type='int')
+    parser.add_option('-d', dest='d', help='private exponent', type='int')
+    parser.add_option('-e', dest='e', help='public exponent (default: %d)' % DEFAULT_EXP, type='int', default=DEFAULT_EXP)
+    parser.add_option('-o', dest='filename', help='output filname')
+    parser.add_option('-f', dest='format', help='output format (DER, PEM) (default: PEM)', type='choice', choices=['DER', 'PEM'], default='PEM')
+    parser.add_option('-v', dest='verbose', help='also display CRT-RSA representation', action='store_true', default=False)
+
+    try:
+        (options, args) = parser.parse_args()
+
+        if options.p and options.q:
+            print 'Using (p, q) to initialise RSA instance\n'
+            rsa = RSA(p=options.p, q=options.q, e=options.e)
+        elif options.n and options.d:
+            print 'Using (n, d) to initialise RSA instance\n'
+            rsa = RSA(n=options.n, d=options.d, e=options.e)
+        else:
+            parser.print_help()
+            parser.error('Either (p, q) or (n, d) needs to be specified')
+
+        rsa.dump(options.verbose)
+
+        if options.filename:
+            print 'Saving %s as %s' % (options.format, options.filename)
+
+
+            if options.format == 'PEM':
+                data = rsa.to_pem()
+            elif options.format == 'DER':
+                data = rsa.to_der()
+
+            fp = open(options.filename, 'wb')
+            fp.write(data)
+            fp.close()
+
+    except optparse.OptionValueError, e:
+        parser.print_help()
+        parser.error(e.msg)
+
diff --git a/ASR/solution/solution.html b/ASR/solution/solution.html
@@ -1,4 +1,89 @@
+Делаем следующие действия:
 
-Answer: STCTF#Dang3r0u51R5AMay83Vu1n3ra813#
+1. openssl rsa -pubin -in public.key -text
+
+Получаем:
+
+Public-Key: (1026 bit)
+Modulus:
+    02:cf:c0:0c:27:5c:56:7f:12:f2:84:d4:86:4b:15:
+    2a:24:99:96:2e:25:50:6d:7e:18:4f:a2:be:1a:0d:
+    50:dd:c9:05:dd:e9:79:dc:27:75:3c:90:60:bb:01:
+    ec:fb:b5:40:6d:1d:78:ce:8d:c8:ca:29:6b:19:c3:
+    20:4a:a1:8c:e6:94:85:a8:bc:9a:57:a1:71:50:85:
+    10:9a:50:18:1b:37:e4:8c:d2:62:7b:8d:a3:80:a1:
+    52:e9:71:f2:46:e5:ab:89:e0:cb:5e:76:f5:51:fd:
+    99:25:10:5f:88:7a:d3:9b:2d:86:77:33:1a:b6:68:
+    02:b5:e4:ac:74:66:d7:bf:8b
+Exponent:
+    02:42:a4:b4:0a:0a:bb:56:0e:50:e4:7c:e6:19:26:
+    fc:2a:f2:16:c7:6a:d6:dc:52:e6:e9:a7:8e:9b:42:
+    60:9d:57:5f:30:dd:6d:ac:3a:c3:23:3e:86:25:14:
+    d8:9e:ee:38:9c:ba:43:0f:60:1f:81:a5:7f:1b:7e:
+    91:58:dc:6f:3a:00:70:de:e3:79:1f:9c:bd:b3:4b:
+    9d:e1:b1:2c:bb:7d:a4:6e:b0:e9:e6:05:a9:75:a0:
+    97:3b:18:25:52:39:a2:79:88:25:93:12:f1:44:68:
+    86:38:8b:e3:20:d2:89:7e:1c:f9:84:18:98:d9:31:
+    77:6c:38:31:30:60:62:f0:1d
+
+2. Приводим к удобной записи N и e:
+
+ -n 0x02cfc00c275c567f12f284d4864b152a2499962e25506d7e184fa2be1a0d50ddc905dde979dc27753c9060bb01ecfbb5406d1d78ce8dc8ca296b19c3204aa18ce69485a8bc9a57a1715085109a50181b37e48cd2627b8da380a152e971f246e5ab89e0cb5e76f551fd9925105f887ad39b2d8677331ab66802b5e4ac7466d7bf8b
+q
+ -e 0x0242a4b40a0abb560e50e47ce61926fc2af216c76ad6dc52e6e9a78e9b42609d575f30dd6dac3ac3233e862514d89eee389cba430f601f81a57f1b7e9158dc6f3a0070dee3791f9cbdb34b9de1b12cbb7da46eb0e9e605a975a0973b18255239a27988259312f1446886388be320d2897e1cf9841898d931776c3831306062f01d
+
+3. Cохраняем их в отдельный файл "nepair" без перевода строки, (^ - начало строки, $ - конец строки): ^-n ... -e ...$
+
+4. Воспользуемся wiener_attack.py из https://ctfcrew.org/writeup/87
+   или модернизируем код из https://github.com/pablocelayes/rsa-wiener-attack/blob/master/RSAwienerHacker.py
+
+python wiener_attack.py `cat nepair`
+
+Получим факторизованное представление N:
+
+-p 18332366563702812004827960767382231259638895239413282702812009894882946745998553209194850588719103121402937914114124705492672432051453957400966421943458751
+-q 27570132131170104824343411575743642180767006452664381672813278738573428245458845155699724266932275812596878966520171881476555627563245277293094684982034229
+-e 406337194415078969135388012199768851534892405717049052243569601877767720306971351962115455780742226903789914852797732475115620696182173145519244169134462893981827754911556903443954791096825007180380141420831124481112731502488517569927478504486615667200169344800534739661939136312208398465567840505121573367837
+
+5. Cохраняем их в отдельнный файл "pqetuple" без перевода строки, (^ - начало строки, $ - конец строки): ^-p ... -q ... -e ...$
+
+6. И воспользуемся rsatool (https://github.com/ius/rsatool)
+
+python rsatool.py -o private.key `cat pqetuple`
 
-TODO: Some steps to gain answer.
+Получаем PEM private.key :
+
+Using (p, q) to initialise RSA instance
+
+n =
+2cfc00c275c567f12f284d4864b152a2499962e25506d7e184fa2be1a0d50ddc905dde979dc27753
+c9060bb01ecfbb5406d1d78ce8dc8ca296b19c3204aa18ce69485a8bc9a57a1715085109a50181b3
+7e48cd2627b8da380a152e971f246e5ab89e0cb5e76f551fd9925105f887ad39b2d8677331ab6680
+2b5e4ac7466d7bf8b
+
+e =
+242a4b40a0abb560e50e47ce61926fc2af216c76ad6dc52e6e9a78e9b42609d575f30dd6dac3ac32
+33e862514d89eee389cba430f601f81a57f1b7e9158dc6f3a0070dee3791f9cbdb34b9de1b12cbb7
+da46eb0e9e605a975a0973b18255239a27988259312f1446886388be320d2897e1cf9841898d9317
+76c3831306062f01d
+
+d =
+c2c103c7e225058a17f3d7c6fc7a90982f33b6afd97cb61cf7cce757e3b413d
+
+p =
+15e06bdbeb3c94a786886d05b166b9e4d0e2d21e928424cb05f50cf0190136631bab3e55c9b68a6a
+37834c6c07a596014e055ff219a5a21fe078972e05fc09bbf
+
+q =
+20e67ffab7c1cf72ce029436d696b867fe92b567992097792ecb86b7f649bca0ca38d3ede996a60a
+73c3f128276c028382416419a667cd9df05f22998613cbf35
+
+Saving PEM as private.key
+
+7. И так, мы нашли секретную экспоненту, d. И восстановили private.key. Время расшифровать secret.
+
+openssl rsautl -decrypt -inkey private.key -in secret
+
+Получаем ответ:
+
+Answer: STCTF#Dang3r0u51R5AMay83Vu1n3ra813#
diff --git a/ASR/solution/wiener_attack.py b/ASR/solution/wiener_attack.py
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+import optparse
+from sympy.solvers import solve
+from sympy import Symbol
+
+def makeNextFraction(fraction):
+    (a,b) = fraction
+    res=b/a
+    a1=b%a
+    b1=a
+    return res, (a1,b1)
+
+def makeContinuedFraction(fraction):
+    (a,b) = fraction
+    v=[]
+    v.append(0)
+    while not a == 1:
+        r, fraction = makeNextFraction(fraction)
+        (a,b) = fraction
+        v.append(r)
+    v.append(b)
+    return v
+
+def makeIndexedConvergent(sequence, index):
+    (a,b)=(1,sequence[index])
+    while index>0:
+        index-=1
+        (a,b)=(b,sequence[index]*b+a)
+    return (b,a)
+
+def makeConvergents(sequence):
+    r=[]
+    for i in xrange(0,len(sequence)):
+        r.append(makeIndexedConvergent(sequence,i))
+    return r
+
+def solveQuadratic(a,b,c):
+    x = Symbol('x')
+    return solve(a*x**2 + b*x + c, x)
+
+def wienerAttack(N,e):
+    conv=makeConvergents(makeContinuedFraction((e,N)))
+    for frac in conv:
+        (k,d)=frac
+        if k == 0:
+            continue
+        phiN=((e*d)-1)/k
+        roots=solveQuadratic(1, -(N-phiN+1), N)
+        if len(roots) == 2:
+            p,q=roots[0]%N,roots[1]%N
+            if(p*q==N):
+                return p, q
+
+if __name__ == '__main__':
+    parser = optparse.OptionParser()
+    parser.add_option('-n', dest='n', help='modulus', type='int')
+    parser.add_option('-e', dest='e', help='public exponent', type='int')
+
+    try:
+        (options, args) = parser.parse_args()
+        
+        if options.n and options.e:
+            e=options.e
+            p, q = wienerAttack(options.n, options.e)
+            print "-p", p
+            print "-q", q
+            print "-e", e
+        else:
+            parser.print_help()
+            parser.error('n and e must be specified')
+
+    except optparse.OptionValueError, e:
+        parser.print_help()
+        parser.error(e.msg)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+-n 0x02cfc00c275c567f12f284d4864b152a2499962e25506d7e184fa2be1a0d50ddc905dde979dc27753c9060bb01ecfbb5406d1d78ce8dc8ca296b19c3204aa18ce69485a8bc9a57a1715085109a50181b37e48cd2627b8da380a152e971f246e5ab89e0cb5e76f551fd9925105f887ad39b2d8677331ab66802b5e4ac7466d7bf8b -e 0x0242a4b40a0abb560e50e47ce61926fc2af216c76ad6dc52e6e9a78e9b42609d575f30dd6dac3ac3233e862514d89eee389cba430f601f81a57f1b7e9158dc6f3a0070dee3791f9cbdb34b9de1b12cbb7da46eb0e9e605a975a0973b18255239a27988259312f1446886388be320d2897e1cf9841898d931776c3831306062f01d
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+-p 18332366563702812004827960767382231259638895239413282702812009894882946745998553209194850588719103121402937914114124705492672432051453957400966421943458751 -q 27570132131170104824343411575743642180767006452664381672813278738573428245458845155699724266932275812596878966520171881476555627563245277293094684982034229 -e 406337194415078969135388012199768851534892405717049052243569601877767720306971351962115455780742226903789914852797732475115620696182173145519244169134462893981827754911556903443954791096825007180380141420831124481112731502488517569927478504486615667200169344800534739661939136312208398465567840505121573367837