HackCon 2017 - Write-ups

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

  • Name : HackCon 2017
  • Website : hackcon.in
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

5 - Welcome - Bonus#

Welcome to Hackcon 2017. This is organised by a couple of students from IIIT Delhi, along with our techfest esya. Some of us are organising our first CTF, have fun and let us know how it was.

$ curl http://esya.iiitd.edu.in/ | grep d4rk
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  2 52017    2  1193    0     0   1835      0  0:00:28 --:--:--  0:00:28  1835                              <!----The flag is d4rk{w3lc0m3_t0_35y4_2017}c0de---->

10 - RSA - 1 - Bacche#

Go read about RSA and how it works, then try to solve this.

p = 152571978722786084351886931023496370376798999987339944199021200531651275691099103449347349897964635706112525455731825020638894818859922778593149300143162720366876072994268633705232631614015865065113917174134807989294330527442191261958994565247945255072784239755770729665527959042883079517088277506164871850439

q = 147521976719041268733467288485176351894757998182920217874425681969830447338980333917821370916051260709883910633752027981630326988193070984505456700948150616796672915601007075205372397177359025857236701866904448906965019938049507857761886750656621746762474747080300831166523844026738913325930146507823506104359

c = 8511718779884002348933302329129034304748857434273552143349006561412761982574325566387289878631104742338583716487885551483795770878333568637517519439482152832740954108568568151340772337201643636336669393323584931481091714361927928549187423697803637825181374486997812604036706926194198296656150267412049091252088273904913718189248082391969963422192111264078757219427099935562601838047817410081362261577538573299114227343694888309834727224639741066786960337752762092049561527128427933146887521537659100047835461395832978920369260824158334744269055059394177455075510916989043073375102773439498560915413630238758363023648

e = 65537

I created a script rsa.py:

#!/usr/bin/python2
# credit : http://jhafranco.com/2012/01/29/rsa-implementation-in-python/
def int2Text(number, size):
    text = "".join([chr((number >> j) & 0xff)
                    for j in reversed(range(0, size << 3, 8))])
    return text.lstrip("\x00")
# credit : http://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m
p = 152571978722786084351886931023496370376798999987339944199021200531651275691099103449347349897964635706112525455731825020638894818859922778593149300143162720366876072994268633705232631614015865065113917174134807989294330527442191261958994565247945255072784239755770729665527959042883079517088277506164871850439
q = 147521976719041268733467288485176351894757998182920217874425681969830447338980333917821370916051260709883910633752027981630326988193070984505456700948150616796672915601007075205372397177359025857236701866904448906965019938049507857761886750656621746762474747080300831166523844026738913325930146507823506104359
e = 65537
c = 8511718779884002348933302329129034304748857434273552143349006561412761982574325566387289878631104742338583716487885551483795770878333568637517519439482152832740954108568568151340772337201643636336669393323584931481091714361927928549187423697803637825181374486997812604036706926194198296656150267412049091252088273904913718189248082391969963422192111264078757219427099935562601838047817410081362261577538573299114227343694888309834727224639741066786960337752762092049561527128427933146887521537659100047835461395832978920369260824158334744269055059394177455075510916989043073375102773439498560915413630238758363023648
phi = (p-1)*(q-1)
d = modinv(e, phi)
n = p*q
m_int = pow(c,d,n)
print int2Text(m_int, len(str(m_int)))

And executed it:

$ python2 rsa.py
d4rk{s1mpl3_rsa_n0t_th1s_34sy_next_time}c0de

10 - flag.txt - Bacche#

Even google won't be able to find the flag.

Still you can try if you want: http://defcon.org.in:6061/

Search engine bots have to ignore disallow stuff from robots.txt and we are looking for flag.txt:

$ curl http://defcon.org.in:6061/robots.txt
User-agent: *
Disallow: /500786fbfb9cadc4834cd3783894239d

$ curl http://defcon.org.in:6061/500786fbfb9cadc4834cd3783894239d/flag.txt
The flag is
d4rk{r0b075_7x7_4r3_v3ry_c0mm0n}c0de

20 - Xrrrr - Bacche#

Now, what is this code, can you break it?

file.txt

File is a long hex string, we must xor it to decode it:

$ xortool -x file.txt
The most probable key lengths:
   2:   11.8%
   6:   19.8%
   8:   9.2%
  12:   14.8%
  14:   6.9%
  18:   11.1%
  20:   5.3%
  24:   8.6%
  30:   6.9%
  36:   5.6%
Key-length can be 3*n
Key-length can be 4*n
Key-length can be 6*n
Most possible char is needed to guess the key!

$ xortool -x -l 6 -o file.txt && grep -ri d4rk xortool_out
100 possible key(s) of length 6:
rxqbqd
sypcpe
pzs`sf
q{rarg
v|ufu`
...
Found 58 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv
xortool_out/94.out:and maces, the Asuras in large numbers vomited blood and lay prostrate on the earth. Cut off from the trunks with sharp double-edged swords, heads adorned with bright gold, fell continually on the field of battle. Their bodies drenched in gore, the great Asuras lay dead everywhere. It seemed as if red-dyed mountain peaks d4rk{Try_r34ding_mahabharata_s0met1me}c0de lay scattered all around. And when the Sun rose in his splendour, thousands of warriors struck one another with weapons. And cries of distress were heard everywhere. The warriors fighting at a distance from one another brought one another down by sharp iron missiles, and those fighting at close quarters slew one another with blows of their fists. And the air was filled with shrieks of distress. Everywhere were heard the alarming sounds,--'cut', 'pierce', 'at them', 'hurl down', 'advance'.

50 - RSA - 2 - Crypto#

No p,q this time. LOL, what will you do now?

n = 109676931776753394141394564514720734236796584022842820507613945978304098920529412415619708851314423671483225500317195833435789174491417871864260375066278885574232653256425434296113773973874542733322600365156233965235292281146938652303374751525426102732530711430473466903656428846184387282528950095967567885381

e = 49446678600051379228760906286031155509742239832659705731559249988210578539211813543612425990507831160407165259046991194935262200565953842567148786053040450198919753834397378188932524599840027093290217612285214105791999673535556558448523448336314401414644879827127064929878383237432895170442176211946286617205

c = 103280644092615059984518332609100925251130437801342718478803923990158474621180283788652329522078935869010936203566024336697568861166241737937884153980866061431062015970439320809653170936674539901900312536610219900459284854811622720209705994060764318380465515920139663572083312965314519159261624303103692125635

Thanks to http://hacktracking.blogspot.fr/2014/10/wieners-attack-against-rsa-small-values.html we can use the following Wiener attack script (python):

#!/usr/bin/python
from sympy.solvers import solve
from sympy import Symbol
def partial_quotiens(x, y):
        pq = []
        while x != 1:
                pq.append(x / y)
                a = y
                b = x % y
                x = a
                y = b
        #print pq
        return pq
def rational(pq):
        i = len(pq) - 1
        num = pq[i]
        denom = 1
        while i > 0:
                i -= 1
                a = (pq[i] * num) + denom
                b = num
                num = a
                denom = b
        #print (num, denom)
        return (num, denom)
def convergents(pq):
        c = []
        for i in range(1, len(pq)):
                c.append(rational(pq[0:i]))
        #print c
        return c
def phiN(e, d, k):
        return ((e * d) - 1) / k
# e = 17993
# n = 90581
# wiener_attack(e, n) --> p =  239, q =  379
e = 49446678600051379228760906286031155509742239832659705731559249988210578539211813543612425990507831160407165259046991194935262200565953842567148786053040450198919753834397378188932524599840027093290217612285214105791999673535556558448523448336314401414644879827127064929878383237432895170442176211946286617205
n = 109676931776753394141394564514720734236796584022842820507613945978304098920529412415619708851314423671483225500317195833435789174491417871864260375066278885574232653256425434296113773973874542733322600365156233965235292281146938652303374751525426102732530711430473466903656428846184387282528950095967567885381
pq = partial_quotiens(e, n)
c = convergents(pq)
x = Symbol('x')
for (k, d) in c:
        if k != 0:
                y = n - phiN(e, d, k) + 1
                roots = solve(x**2 - y*x + n, x)
                if len(roots) == 2:
                        p = roots[0]
                        q = roots[1]
                        if p * q == n:
                                print 'p = ', p
                                print 'q = ', q
                                break
$ python2 wiener.py
p =  10114792273660656874618568712406420344176220457790563178092222929337786916374923318745284718351487926620784106195715878875311958793629905453919697155685507
q =  10843221374140991753173625949764386011485161421520044246309105053489500519257941272796681417497061734054081478280518835582353321569961722963922828311576983

Let's read the message with our first python script:

#!/usr/bin/python2
# credit : http://jhafranco.com/2012/01/29/rsa-implementation-in-python/
def int2Text(number, size):
    text = "".join([chr((number >> j) & 0xff)
                    for j in reversed(range(0, size << 3, 8))])
    return text.lstrip("\x00")
# credit : http://stackoverflow.com/questions/4798654/modular-multiplicative-inverse-function-in-python
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m
p = 10114792273660656874618568712406420344176220457790563178092222929337786916374923318745284718351487926620784106195715878875311958793629905453919697155685507
q = 10843221374140991753173625949764386011485161421520044246309105053489500519257941272796681417497061734054081478280518835582353321569961722963922828311576983
e = 49446678600051379228760906286031155509742239832659705731559249988210578539211813543612425990507831160407165259046991194935262200565953842567148786053040450198919753834397378188932524599840027093290217612285214105791999673535556558448523448336314401414644879827127064929878383237432895170442176211946286617205
c = 103280644092615059984518332609100925251130437801342718478803923990158474621180283788652329522078935869010936203566024336697568861166241737937884153980866061431062015970439320809653170936674539901900312536610219900459284854811622720209705994060764318380465515920139663572083312965314519159261624303103692125635
phi = (p-1)*(q-1)
d = modinv(e, phi)
n = p*q
m_int = pow(c,d,n)
print int2Text(m_int, len(str(m_int)))
$ python2 rsa.py
d4rk{1_70ld_y0u_th15_would_8e_more_difficult}c0de

50 - Noobcoder - Web#

A junior recently started doing PHP, and makes some random shit. He uses gedit as his go-to editor with a black theme thinking it was sublime.

So he made this login portal, I am sure he must have left something out. Why don't you give it a try?

Server: http://defcon.org.in:6062

Note: dirbuster is NOT required for this question

We look for the php auth page:

$ curl http://defcon.org.in:6062/index.php | grep -i post
                    <form class="form-signin" method="POST" name = "loginpage" action = "checker.php">

So the page is checker.php and we now look for temp file (i.e. ending with ~):

$ curl http://defcon.org.in:6062/checker.php\~
<html>
<head>
</head>
<body>
<?php
if ($_POST["username"] == $_POST["password"] && $_POST["password"] !== $_POST["username"])
	echo "congratulations the flag is d4rk{TODO}c0de";
else
	echo "nice try, but try again";
?>
</body>
</html>

Bingo, as .php~ is not recognize as php by the web server it allow us to download it without serving it as php.

To log in we will need to use some PHP Magic Tricks: Type Juggling.

So we log in with username: 0000 and password: 0e12 (== int(0)) and get the flag: d4rk{l0l_g3dit_m4ster_roxx}c0de.

Share