Mike, the System Administrator, thought it would be a good idea to implement his own Elliptic Curve Diffie Hellman key exchange using unnamed curves to use across the network. We managed to capture network traffic of the key exchange along with an encrypted file transfer. See if you can read the contents of that file.
Note: The password to the AES192-CBC encrypted file is the shared key x and y coordinates from the key exchange concatenated together. (e.g. sharedKey = (12345,67890) password = “1234567890”)
The description points at ECDH. Peeking into the pcap file, it is a simple capture: first two certificates are sent, then just the ciphertext. Since this is ECDH, what is being sent are aG, bG and the public parameters.
I struggled for a while because I just could not dump this data, but all I had to do was base64-decode it. How dumb.
```text
$ cat a.crt | sed -e 1d -e 3d | base64 -d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b9:59:da:c4:d7:3f:bc:31
    Signature Algorithm: base64
        Issuer: C = US, ST = Texas, L = College Station, O = Texas A&M University, OU = tamuCTF, CN = Alice, emailAddress = alice@tamuctf.edu
        Validity
            Not Before: Oct  9 13:08:12 2018 GMT
            Not After : Nov  8 13:08:12 2018 GMT
        Subject: C = US, ST = Texas, L = College Station, O = Texas A&M University, OU = tamuCTF, CN = Alice, emailAddress = alice@tamuctf.edu
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key:
                    61801292647
                    228288385004
                ASN1 OID: badPrime96v4
                CURVE: JustNo
                Field Type: prime-field
                Prime: 412220184797
                A: 10717230661382162362098424417014722231813
                B: 22043581253918959176184702399480186312
                Generator:
                    56797798272
                    349018778637
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F0:4E:BF:87:92:16:9B:D6:53:DA:CC:6D:AB:22:0E:40:25:41:C5:CC
            X509v3 Authority Key Identifier:
                keyid:F0:4E:BF:87:92:16:9B:D6:53:DA:CC:6D:AB:22:0E:40:25:41:C5:CC
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:cc:3c:84:eb:19:73:e1:62:7f:81:78:99:c6:
         26:b8:86:9e:61:7e:82:87:f1:85:5c:75:e1:2d:60:37:55:b6:
         09:02:21:00:85:33:af:dc:34:0f:e5:13:8e:26:88:06:a3:13:
         d1:a2:ed:d5:04:cb:9c:50:d1:c4:a4:4d:42:92:bd:69:56:1a
```
So the parameters are known, and I just threw them into Sage without much care. Note that Sage's discrete_log takes the receiver (the point the method is called on) as the base of the logarithm.
```python
# Curve parameters copied from the certificate dump; the prime is only 39 bits
A = 10717230661382162362098424417014722231813
B = 22043581253918959176184702399480186312
n = 412220184797
EC = EllipticCurve(GF(n), [A, B])
G = EC(56797798272, 349018778637)     # generator
aG = EC(61801292647, 228288385004)    # Alice's public key (first certificate)
bG = EC(196393473219, 35161195210)    # Bob's public key (second certificate)
a = G.discrete_log(aG)   # solve aG = a*G, base is G (the receiver)
b = G.discrete_log(bG)
print("a={}".format(a))
print("b={}".format(b))
abG = a*b*G              # the shared secret
print("abG={}".format(abG))
```
The output:
```text
a=54628069049
b=6895697291
abG=(130222573707 : 242246159397 : 1)
```
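As an added check that is not part of the original writeup: the same computation in plain Python without Sage, using only the values printed above, to confirm the recovered scalars from both sides of the exchange and to derive the password the challenge note describes. The point arithmetic and the function names are my own.

```python
# Added example: verify the recovered ECDH values and derive the password.
# All constants are the curve parameters and keys from the writeup above.
p = 412220184797                                      # the 39-bit "prime-field"
A = 10717230661382162362098424417014722231813 % p     # reduced like Sage does
B = 22043581253918959176184702399480186312 % p
G = (56797798272, 349018778637)      # generator
aG = (61801292647, 228288385004)     # Alice's public point
bG = (196393473219, 35161195210)     # Bob's public point
a = 54628069049                      # scalars recovered by Sage's discrete_log
b = 6895697291

def on_curve(P):
    """True if P (or the point at infinity, None) satisfies y^2 = x^3 + Ax + B."""
    if P is None:
        return True
    x, y = P
    return (y * y - x * x * x - A * x - B) % p == 0

def add(P, Q):
    """Affine point addition over GF(p); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # P == -Q (covers y == 0 doubling)
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def shared_password(scalar, peer_public):
    """Shared point = scalar * peer point; password = decimal x || decimal y."""
    S = mul(scalar, peer_public)
    return str(S[0]) + str(S[1])
```

Both sides must derive the same string, which is why the DLP on a 39-bit field (far below the 256-bit primes of standard named curves) exposes the whole exchange.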
All that is left is decrypting with AES-CBC. CBC mode should need an IV; I wonder whether it is included in the ciphertext, or whether it simply does not matter because without it only the first block fails to decrypt.
So I decrypted it, but only got garbage. After trying various things, it turned out the ciphertext I had extracted was bad; saving the string from Wireshark's hex view and unhexlify-ing it worked.
The decrypted result was a fairly long string, and the flag was written inside it: gigem{Forty-two_said_Deep_Thought}