TAMUctf 19 | Mike's Marvelous Mystery Curves

#TAMUCTF19

https://ctftime.org/task/7746

Mike, the System Administrator, thought it would be a good idea to implement his own Elliptic Curve Diffie Hellman key exchange using unnamed curves to use across the network. We managed to capture network traffic of the key exchange along with an encrypted file transfer. See if you can read the contents of that file.

Note: The password to the AES192-CBC encrypted file is the shared key x and y coordinates from the key exchange concatenated together. (e.g. sharedKey = (12345,67890) password = “1234567890”)

The description says this is some flavour of ECDH. Looking at the pcap, the capture is simple: two certificates are sent first, followed by the ciphertext. Since it is ECDH, what crosses the wire must be aG and bG (Alice's and Bob's public keys) together with the public domain parameters (prime, A, B, generator), so everything needed to attack the exchange is in those two certificates.

-----BEGIN CERTIFICATE-----
Q2VydGlmaWNhdGU6CiAgICBEYXRhOgogICAgICAgIFZlcnNpb246IDMgKDB4MikKICAgICAgICBTZXJpYWwgTnVtYmVyOgogICAgICAgICAgICBiOTo1OTpkYTpjNDpkNzozZjpiYzozMQogICAgU2lnbmF0dXJlIEFsZ29yaXRobTogYmFzZTY0CiAgICAgICAgSXNzdWVyOiBDID0gVVMsIFNUID0gVGV4YXMsIEwgPSBDb2xsZWdlIFN0YXRpb24sIE8gPSBUZXhhcyBBJk0gVW5pdmVyc2l0eSwgT1UgPSB0YW11Q1RGLCBDTiA9IEFsaWNlLCBlbWFpbEFkZHJlc3MgPSBhbGljZUB0YW11Y3RmLmVkdQogICAgICAgIFZhbGlkaXR5CiAgICAgICAgICAgIE5vdCBCZWZvcmU6IE9jdCAgOSAxMzowODoxMiAyMDE4IEdNVAogICAgICAgICAgICBOb3QgQWZ0ZXIgOiBOb3YgIDggMTM6MDg6MTIgMjAxOCBHTVQKICAgICAgICBTdWJqZWN0OiBDID0gVVMsIFNUID0gVGV4YXMsIEwgPSBDb2xsZWdlIFN0YXRpb24sIE8gPSBUZXhhcyBBJk0gVW5pdmVyc2l0eSwgT1UgPSB0YW11Q1RGLCBDTiA9IEFsaWNlLCBlbWFpbEFkZHJlc3MgPSBhbGljZUB0YW11Y3RmLmVkdQogICAgICAgIFN1YmplY3QgUHVibGljIEtleSBJbmZvOgogICAgICAgICAgICBQdWJsaWMgS2V5IEFsZ29yaXRobTogaWQtZWNQdWJsaWNLZXkKICAgICAgICAgICAgICAgIFB1YmxpYy1LZXk6CiAgICAgICAgICAgICAgICAgICAgNjE4MDEyOTI2NDcKICAgICAgICAgICAgICAgICAgICAyMjgyODgzODUwMDQKICAgICAgICAgICAgICAgIEFTTjEgT0lEOiBiYWRQcmltZTk2djQKICAgICAgICAgICAgICAgIENVUlZFOiBKdXN0Tm8KICAgICAgICAgICAgICAgICAgICBGaWVsZCBUeXBlOiBwcmltZS1maWVsZAogICAgICAgICAgICAgICAgICAgIFByaW1lOgogICAgICAgICAgICAgICAgICAgICAgICA0MTIyMjAxODQ3OTcKICAgICAgICAgICAgICAgICAgICBBOiAgIAogICAgICAgICAgICAgICAgICAgICAgICAxMDcxNzIzMDY2MTM4MjE2MjM2MjA5ODQyNDQxNzAxNDcyMjIzMTgxMwogICAgICAgICAgICAgICAgICAgIEI6ICAgCiAgICAgICAgICAgICAgICAgICAgICAgIDIyMDQzNTgxMjUzOTE4OTU5MTc2MTg0NzAyMzk5NDgwMTg2MzEyCiAgICAgICAgICAgICAgICAgICAgR2VuZXJhdG9yOgogICAgICAgICAgICAgICAgICAgICAgICA1Njc5Nzc5ODI3MgogICAgICAgICAgICAgICAgICAgICAgICAzNDkwMTg3Nzg2MzcKICAgICAgICBYNTA5djMgZXh0ZW5zaW9uczoKICAgICAgICAgICAgWDUwOXYzIFN1YmplY3QgS2V5IElkZW50aWZpZXI6IAogICAgICAgICAgICAgICAgRjA6NEU6QkY6ODc6OTI6MTY6OUI6RDY6NTM6REE6Q0M6NkQ6QUI6MjI6MEU6NDA6MjU6NDE6QzU6Q0MKICAgICAgICAgICAgWDUwOXYzIEF1dGhvcml0eSBLZXkgSWRlbnRpZmllcjogCiAgICAgICAgICAgICAgICBrZXlpZDpGMDo0RTpCRjo4Nzo5MjoxNjo5QjpENjo1MzpEQTpDQzo2RDpBQjoyMjowRTo0MDoyNTo0MTpDNTpDQwoKICAgICAgICAgICAgWDUwOXYzIEJhc2ljIENvbnN0cmFpbnRzOiBjcml0aWNhbAog
ICAgICAgICAgICAgICAgQ0E6VFJVRQogICAgU2lnbmF0dXJlIEFsZ29yaXRobTogZWNkc2Etd2l0aC1TSEEyNTYKICAgICAgICAgMzA6NDY6MDI6MjE6MDA6Y2M6M2M6ODQ6ZWI6MTk6NzM6ZTE6NjI6N2Y6ODE6Nzg6OTk6YzY6CiAgICAgICAgIDI2OmI4Ojg2OjllOjYxOjdlOjgyOjg3OmYxOjg1OjVjOjc1OmUxOjJkOjYwOjM3OjU1OmI2OgogICAgICAgICAwOTowMjoyMTowMDo4NTozMzphZjpkYzozNDowZjplNToxMzo4ZToyNjo4ODowNjphMzoxMzoKICAgICAgICAgZDE6YTI6ZWQ6ZDU6MDQ6Y2I6OWM6NTA6ZDE6YzQ6YTQ6NGQ6NDI6OTI6YmQ6Njk6NTY6MWEK
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q2VydGlmaWNhdGU6CiAgICBEYXRhOgogICAgICAgIFZlcnNpb246IDMgKDB4MikKICAgICAgICBTZXJpYWwgTnVtYmVyOgogICAgICAgICAgICBhODo0OTphYzo4Yzo4NDowZjo4NDpjZQogICAgU2lnbmF0dXJlIEFsZ29yaXRobTogZWNkc2Etd2l0aC1TSEEyNTYKICAgICAgICBJc3N1ZXI6IEMgPSBVUywgU1QgPSBUZXhhcywgTCA9IENvbGxlZ2UgU3RhdGlvbiwgTyA9IFRleGFzIEEmTSBVbml2ZXJzaXR5LCBPVSA9IHRhbXVDVEYsIENOID0gQm9iLCBlbWFpbEFkZHJlc3MgPSBib2JAdGFtdWN0Zi5lZHUKICAgICAgICBWYWxpZGl0eQogICAgICAgICAgICBOb3QgQmVmb3JlOiBPY3QgIDkgMTM6MTU6MzUgMjAxOCBHTVQKICAgICAgICAgICAgTm90IEFmdGVyIDogTm92ICA4IDEzOjE1OjM1IDIwMTggR01UCiAgICAgICAgU3ViamVjdDogQyA9IFVTLCBTVCA9IFRleGFzLCBMID0gQ29sbGVnZSBTdGF0aW9uLCBPID0gVGV4YXMgQSZNIFVuaXZlcnNpdHksIE9VID0gdGFtdUNURiwgQ04gPSBCb2IsIGVtYWlsQWRkcmVzcyA9IGJvYkB0YW11Y3RmLmVkdQogICAgICAgIFN1YmplY3QgUHVibGljIEtleSBJbmZvOgogICAgICAgICAgICBQdWJsaWMgS2V5IEFsZ29yaXRobTogaWQtZWNQdWJsaWNLZXkKICAgICAgICAgICAgICAgIFB1YmxpYy1LZXk6CiAgICAgICAgICAgICAgICAgICAgMTk2MzkzNDczMjE5CiAgICAgICAgICAgICAgICAgICAgMzUxNjExOTUyMTAKICAgICAgICAgICAgICAgIEFTTjEgT0lEOiBiYWRQcmltZTk2djQKICAgICAgICAgICAgICAgIENVUlZFOiBKdXN0Tm8KICAgICAgICAgICAgICAgICAgICBGaWVsZCBUeXBlOiBwcmltZS1maWVsZAogICAgICAgICAgICAgICAgICAgIFByaW1lOgogICAgICAgICAgICAgICAgICAgICAgICA0MTIyMjAxODQ3OTcKICAgICAgICAgICAgICAgICAgICBBOiAgIAogICAgICAgICAgICAgICAgICAgICAgICAxMDcxNzIzMDY2MTM4MjE2MjM2MjA5ODQyNDQxNzAxNDcyMjIzMTgxMwogICAgICAgICAgICAgICAgICAgIEI6ICAgCiAgICAgICAgICAgICAgICAgICAgICAgIDIyMDQzNTgxMjUzOTE4OTU5MTc2MTg0NzAyMzk5NDgwMTg2MzEyCiAgICAgICAgICAgICAgICAgICAgR2VuZXJhdG9yOgogICAgICAgICAgICAgICAgICAgICAgICA1Njc5Nzc5ODI3MgogICAgICAgICAgICAgICAgICAgICAgICAzNDkwMTg3Nzg2MzcKICAgICAgICBYNTA5djMgZXh0ZW5zaW9uczoKICAgICAgICAgICAgWDUwOXYzIFN1YmplY3QgS2V5IElkZW50aWZpZXI6IAogICAgICAgICAgICAgICAgODQ6MjU6NDM6NDU6MkM6MEM6N0U6MUM6ODU6QkM6RTk6QUY6NDQ6QkU6NDI6QTE6ODQ6RDY6RDI6MjcKICAgICAgICAgICAgWDUwOXYzIEF1dGhvcml0eSBLZXkgSWRlbnRpZmllcjogCiAgICAgICAgICAgICAgICBrZXlpZDo4NDoyNTo0Mzo0NToyQzowQzo3RToxQzo4NTpCQzpFOTpBRjo0NDpCRTo0MjpBMTo4NDpENjpEMjoyNwoKICAgICAgICAgICAgWDUwOXYzIEJhc2ljIENvbnN0cmFpbnRzOiBjcml0aWNh
bAogICAgICAgICAgICAgICAgQ0E6VFJVRQogICAgU2lnbmF0dXJlIEFsZ29yaXRobTogZWNkc2Etd2l0aC1TSEEyNTYKICAgICAgICAgMzA6NDY6MDI6MjE6MDA6ZDQ6NDU6ODQ6MTg6ZTM6MDY6OGQ6YmI6M2I6ZTk6NGQ6Njg6YTk6CiAgICAgICAgIDU2OmY0OmFmOmUwOjI4OjIzOjI2OjdkOjRkOjFlOjg0OjJiOmU4OmM0OmQzOmFjOjg1OmE5OgogICAgICAgICBjODowMjoyMTowMDplOTplZjpiYzowZDpmYTozYTo4NTpjNDozOToxYToxNjozYjo2YTpjMDoKICAgICAgICAgNmE6M2Y6YWM6ZjI6N2E6NWY6NDk6ZWE6ODY6ZTQ6MTg6NWU6YWM6OTE6NzU6MzE6YjM6NWIK
-----END CERTIFICATE-----

I was stuck for a while because I could not get this data to dump, but all it needed was a plain base64 decode. Ugh. Despite the BEGIN CERTIFICATE armor this is not a real PEM certificate: the body is not DER (openssl x509 -text refuses it), just the base64 of an openssl-style text dump. Strip the armor lines and decode:

$ sed '/^-----/d' a.crt | base64 -d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:59:da:c4:d7:3f:bc:31
    Signature Algorithm: base64
        Issuer: C = US, ST = Texas, L = College Station, O = Texas A&M University, OU = tamuCTF, CN = Alice, emailAddress = alice@tamuctf.edu
        Validity
            Not Before: Oct  9 13:08:12 2018 GMT
            Not After : Nov  8 13:08:12 2018 GMT
        Subject: C = US, ST = Texas, L = College Station, O = Texas A&M University, OU = tamuCTF, CN = Alice, emailAddress = alice@tamuctf.edu
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key:
                    61801292647
                    228288385004
                ASN1 OID: badPrime96v4
                CURVE: JustNo
                    Field Type: prime-field
                    Prime:
                        412220184797
                    A:   
                        10717230661382162362098424417014722231813
                    B:   
                        22043581253918959176184702399480186312
                    Generator:
                        56797798272
                        349018778637
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F0:4E:BF:87:92:16:9B:D6:53:DA:CC:6D:AB:22:0E:40:25:41:C5:CC
            X509v3 Authority Key Identifier: 
                keyid:F0:4E:BF:87:92:16:9B:D6:53:DA:CC:6D:AB:22:0E:40:25:41:C5:CC

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:cc:3c:84:eb:19:73:e1:62:7f:81:78:99:c6:
         26:b8:86:9e:61:7e:82:87:f1:85:5c:75:e1:2d:60:37:55:b6:
         09:02:21:00:85:33:af:dc:34:0f:e5:13:8e:26:88:06:a3:13:
         d1:a2:ed:d5:04:cb:9c:50:d1:c4:a4:4d:42:92:bd:69:56:1a

With the parameters in hand, just throw them into Sage. Note that in Sage P.discrete_log(Q) returns the k with k*P == Q, i.e. the base of the logarithm is the receiver. The whole point of the challenge is visible in the parameters: the field prime is p = 412220184797, about 2^38.6, and by Hasse the group order lies within 2*sqrt(p) of p + 1, so it is also about 2^39. A generic ECDLP attack (baby-step giant-step or Pollard rho) therefore needs only about sqrt(2^39), roughly 2^20, group operations, which is seconds on a laptop; real curves use primes of 256 bits or more precisely so that this costs around 2^128 operations. Two smaller oddities: A and B in the certificate are larger than p (Sage simply reduces them mod p), and since the shared secret is a*bG only one of the two logs is actually needed; computing both lets us cross-check that a*bG == b*aG.

A = 10717230661382162362098424417014722231813   # larger than the prime; Sage reduces it mod n
B = 22043581253918959176184702399480186312
n = 412220184797                                # the field prime, only ~2^38.6

EC = EllipticCurve(GF(n), [A, B])
G = EC(56797798272, 349018778637)      # generator from the certificates
aG = EC(61801292647, 228288385004)     # Alice's public key (EC() raises if the point is not on the curve)
bG = EC(196393473219, 35161195210)     # Bob's public key

a = G.discrete_log(aG)   # a with a*G == aG; the receiver G is the base
b = G.discrete_log(bG)

print("a={}".format(a))
print("b={}".format(b))

abG = a*b*G
assert abG == a*bG == b*aG   # both sides of the exchange derive the same point
print("abG={}".format(abG))

This produced:

a=54628069049
b=6895697291
abG=(130222573707 : 242246159397 : 1)
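The same computation as an added example in plain Python (my code, not the write-up's, which used Sage), useful when Sage is not to hand and to make the attack cost concrete: it validates that the captured points are on the curve, runs baby-step giant-step for both private scalars with one shared baby-step table (storing only x coordinates identifies ±jG and halves the table), derives the shared point from both sides and builds the AES password the challenge note describes. Every number is taken from the decoded certificates above; Python 3.8+ is assumed for pow(x, -1, p) and math.isqrt.

```python
"""Added example: break the ~39-bit 'JustNo' curve with baby-step giant-step.
Not the original write-up's code (that used Sage). Python 3.8+ only."""
from math import isqrt

# Domain parameters and public keys as printed in the decoded certificates.
p = 412220184797                                     # ~2^38.6: hopelessly small
A = 10717230661382162362098424417014722231813 % p    # cert lists A, B larger than p
B = 22043581253918959176184702399480186312 % p
G = (56797798272, 349018778637)                      # generator
aG = (61801292647, 228288385004)                     # Alice's public key
bG = (196393473219, 35161195210)                     # Bob's public key
INF = None                                           # point at infinity


def on_curve(P):
    """Invalid-curve check: y^2 == x^3 + A*x + B over GF(p)."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + A * x + B)) % p == 0


def ec_neg(P):
    return INF if P is INF else (P[0], (-P[1]) % p)


def ec_add(P, Q):
    """Affine short-Weierstrass group law (handles doubling and P + (-P))."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """Double-and-add; k is any non-negative integer."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def bsgs_table(P, m):
    """Baby steps keyed on x only: x(j*P) -> smallest j, 1 <= j < m.
    Only +-j*P share an x coordinate, so this halves the table size."""
    table, R = {}, P
    for j in range(1, m):
        if R is INF:          # order of P is below m; table is complete
            break
        table.setdefault(R[0], j)
        R = ec_add(R, P)
    return table


def ecdlp_bsgs(P, Q, table, m):
    """Smallest k >= 0 with k*P == Q, or None. Giant steps walk Q - i*(m*P)."""
    step = ec_neg(ec_mul(m, P))
    R = Q
    for i in range(m + 1):
        if R is INF:
            return i * m
        j = table.get(R[0])
        if j is not None:
            # R == +j*P  =>  Q = (i*m + j)*P ;  R == -j*P  =>  Q = (i*m - j)*P
            k = i * m + j if R == ec_mul(j, P) else i * m - j
            if k >= 0:
                return k
        R = ec_add(R, step)
    return None


def solve():
    """Recover a, b and the shared point a*b*G from the captured public keys."""
    for P in (G, aG, bG):
        if not on_curve(P):
            raise ValueError("point {} is not on the curve".format(P))
    n_max = p + 1 + 2 * isqrt(p) + 2        # Hasse bound on the group order
    m = isqrt(n_max) + 1                    # ~642k baby steps, built once for both logs
    table = bsgs_table(G, m)
    a = ecdlp_bsgs(G, aG, table, m)
    b = ecdlp_bsgs(G, bG, table, m)
    shared = ec_mul(a, bG)                  # what Alice computes
    assert shared == ec_mul(b, aG) == ec_mul(a * b, G)   # Bob agrees
    return a, b, shared


def password(shared):
    """Challenge rule: decimal x and y of the shared point, concatenated."""
    return "{}{}".format(shared[0], shared[1])


if __name__ == "__main__":
    a, b, shared = solve()
    print("a   =", a)
    print("b   =", b)
    print("abG =", shared)
    print("AES password =", password(shared))
```

The baby-step table is the only memory cost (about 642k entries); the giant-step loop stops after a//m steps, so recovering the smaller scalar b is faster still. The assertion in solve() is the property the exchange relies on: a*bG, b*aG and (a*b)*G are the same point.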

All that is left is AES-CBC, with the password 130222573707242246159397 per the challenge note. CBC mode needs an IV, though: is it included in the ciphertext, or is it simply absent, in which case only the first block fails to decrypt and it does not really matter? The latter reasoning is correct for CBC as such (a wrong IV garbles only block 1, because every later block is XORed with the previous ciphertext block). But the note says "password", not "key": if the file was produced with a passphrase-based tool such as openssl enc -aes-192-cbc, as that wording suggests, the file starts with the 8-byte magic Salted__ and an 8-byte salt, and both the 24-byte key and the 16-byte IV are derived from password and salt by EVP_BytesToKey, so no IV is transmitted at all.

Decrypting gave nothing but garbage. After trying various things, the problem turned out to be the ciphertext itself: saving the bytes from Wireshark's hex view and running them through unhexlify worked. Two checks worth doing before blaming the key: the extracted file must be a multiple of 16 bytes, and if it came from openssl enc it must begin with Salted__. With openssl enc -d, a wrong key, or the wrong -md digest (MD5 was the default before OpenSSL 1.1.0, SHA-256 since), normally fails the padding check and reports bad decrypt rather than producing silent garbage.
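To make the IV question concrete, here is an added example (my code, not the write-up's) of how a password-based openssl enc file carries its key material. It assumes the captured file was made with openssl enc -aes-192-cbc, which the challenge text does not state and is only inferred from the word "password"; it parses the Salted__ header, reproduces EVP_BytesToKey for both digests OpenSSL has used as the default, and returns the AES-192 key, the IV and the ciphertext body. The sample blob is constructed for the header layout only; its body is dummy data, not the real capture, and the real ciphertext would be decrypted with openssl or an AES library using the returned values.

```python
"""Added example (not from the write-up): how `openssl enc -aes-192-cbc` with a
password carries its IV. Assumes that tool was used (an inference from the word
"password"; the challenge does not say). Standard library only."""
import hashlib

MAGIC = b"Salted__"          # 8-byte header written by `openssl enc` with a password
KEY_LEN, IV_LEN = 24, 16     # AES-192 key, CBC block-sized IV


def evp_bytes_to_key(password, salt, md, key_len=KEY_LEN, iv_len=IV_LEN):
    """OpenSSL EVP_BytesToKey with count=1, as `openssl enc` uses without -pbkdf2:
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt); key || iv = D_1 || D_2 || ..."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def split_salted(blob):
    """Return (salt, ciphertext_body) from a 'Salted__' file; raise on bad framing."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: not a password-based openssl enc file")
    salt, body = blob[8:16], blob[16:]
    if not body or len(body) % 16:
        raise ValueError("CBC body must be a non-empty multiple of 16 bytes")
    return salt, body


def key_iv_candidates(blob, password):
    """Key/IV for the two digests OpenSSL has used as default: MD5 (< 1.1.0)
    and SHA-256 (>= 1.1.0). Try each with
    `openssl enc -d -aes-192-cbc -K <key hex> -iv <iv hex>` on the body, or
    equivalently `openssl enc -d -aes-192-cbc -md md5|sha256 -k <password>`
    on the whole file. The IV is derived here, never sent on the wire."""
    salt, body = split_salted(blob)
    return {md: evp_bytes_to_key(password, salt, md) for md in ("md5", "sha256")}, body


# Constructed sample: correct header layout, dummy salt and body (not the real capture).
PASSWORD = b"130222573707242246159397"          # shared-point x || y from the key exchange
SAMPLE_BLOB = MAGIC + bytes(range(8)) + bytes(32)


if __name__ == "__main__":
    cands, body = key_iv_candidates(SAMPLE_BLOB, PASSWORD)
    print("ciphertext body: {} bytes".format(len(body)))
    for md, (key, iv) in cands.items():
        print("{:6s} key={} iv={}".format(md, key.hex(), iv.hex()))
```

Because the digest choice changes both key and IV, a file made on an older OpenSSL and decrypted on a newer one (or vice versa) fails completely, not just in the first block; that is one more reason to pin -md explicitly when reproducing someone else's encryption.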

The decrypted result was a fairly long string, and the flag was in it: gigem{Forty-two_said_Deep_Thought}