The challenge is contained in crypto.tar.gz. The archive contains 4 certificates: ca.crt holds the certificate of the authority that signed alice.crt, bob.crt and charly.crt.
[tlk:...rusthefuture/CRYPTO/writeup]$ openssl verify -CAfile ca.crt {alice,bob,charly}.crt
alice.crt: OK
bob.crt: OK
charly.crt: OK
The archive also contains a file in PKCS7 format. This file probably contains the flag.
[tlk:...rusthefuture/CRYPTO/writeup]$ cat mail.p7m
-----BEGIN PKCS7-----
MIIy1wYJKoZIhvcNAQcDoIIyyDCCMsQCAQAxggQ0MIIBYgIBADBKMDYxCzAJBgNV
BAYTAkZSMQ4wDAYDVQQHEwVQYXJpczEXMBUGA1UEAxQOY2FAZXhhbXBsZS5jb20C
EGOE4rIYS8v1jszxDKemVjwwDQYJKoZIhvcNAQEBBQAEggEAweI1fG/FPxzF4Odu
................................................................
ngZhYhPowaoP6t6Y/4IPJ8/5jT1m+nvubZchevOMsS59cbm6tN5WMhwg23LBN/yS
0IhYzJngTvAG7AQfEdK7lkaydXA2QqenK+yfbrANZc68hfcs/kKtG6YB7tPdHT90
AgFJd0WVl2aAZMmIHH4tdvq8jg00hM3MvLvN4GNVFM7Bg3YdC4lOn1rfemHuMzD2
UbWcSinMsvzSlmFRLelLM/dJoU/lWeVmTS3c5ShwSGocTXrgXZcB38ZizYlbumVG
CjrRmoXL4FCHS2Y=
-----END PKCS7-----
[tlk:...rusthefuture/CRYPTO/writeup]$ openssl asn1parse -in mail.p7m -dump
0:d=0 hl=4 l=13015 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData
15:d=1 hl=4 l=13000 cons: cont [ 0 ]
19:d=2 hl=4 l=12996 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :00
26:d=3 hl=4 l=1076 cons: SET
30:d=4 hl=4 l= 354 cons: SEQUENCE
34:d=5 hl=2 l= 1 prim: INTEGER :00
37:d=5 hl=2 l= 74 cons: SEQUENCE
39:d=6 hl=2 l= 54 cons: SEQUENCE
41:d=7 hl=2 l= 11 cons: SET
43:d=8 hl=2 l= 9 cons: SEQUENCE
45:d=9 hl=2 l= 3 prim: OBJECT :countryName
50:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
54:d=7 hl=2 l= 14 cons: SET
56:d=8 hl=2 l= 12 cons: SEQUENCE
58:d=9 hl=2 l= 3 prim: OBJECT :localityName
63:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
70:d=7 hl=2 l= 23 cons: SET
72:d=8 hl=2 l= 21 cons: SEQUENCE
74:d=9 hl=2 l= 3 prim: OBJECT :commonName
79:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
95:d=6 hl=2 l= 16 prim: INTEGER :6384E2B2184BCBF58ECCF10CA7A6563C
113:d=5 hl=2 l= 13 cons: SEQUENCE
115:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
126:d=6 hl=2 l= 0 prim: NULL
128:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - c1 e2 35 7c 6f c5 3f 1c-c5 e0 e7 6e b1 22 4b e8 ..5|o.?....n."K.
0010 - f2 4e 88 39 25 1c f9 54-a9 80 90 c4 54 9f 1b af .N.9%..T....T...
0020 - b7 bc b1 00 6d d2 a9 82-d5 6c 1d 2d 3e 6b 42 21 ....m....l.->kB!
0030 - 22 d0 1f 78 da 00 99 77-6b 78 91 62 e8 ce 94 ee "..x...wkx.b....
0040 - 3d 1e 7b 88 aa 81 75 db-b8 6f 2f 4a c6 53 61 bc =.{...u..o/J.Sa.
0050 - 94 9b 3b 90 46 07 41 ca-ee 6f 1a bd c5 bd 6c 52 ..;.F.A..o....lR
0060 - 96 fb c8 f2 da ff 77 f7-11 0e a3 2d 33 0d 38 dd ......w....-3.8.
0070 - 2c a2 fe 13 e7 85 c8 6f-e2 21 0b 58 07 4c 2d a5 ,......o.!.X.L-.
0080 - f4 40 79 4b a0 23 fc 98-b3 d1 e7 dc 97 9d ba c6 .@yK.#..........
0090 - 67 2b 5c 19 ab f4 a9 1e-21 d5 e4 74 47 5b c0 9b g+\.....!..tG[..
00a0 - 78 91 0d 1f 8e 02 90 b3-8a e8 d7 56 e0 4d 7f 5e x..........V.M.^
00b0 - fb a6 4b fb 5a 0e 96 cd-3d e1 d8 2f 60 95 44 a4 ..K.Z...=../`.D.
00c0 - 23 f6 66 d0 8b 63 26 22-29 68 7e 19 82 bc 8e 42 #.f..c&")h~....B
00d0 - 4c 7b 52 66 b1 1a 59 03-66 25 f8 e9 2c 06 74 0a L{Rf..Y.f%..,.t.
00e0 - 3c 9d 8f 3c e8 7f eb 1f-44 44 bc 20 39 c8 c6 ff <..<....DD. 9...
00f0 - 0a b9 45 7d 8a a6 38 51-ec f3 c4 af 1a 23 28 fd ..E}..8Q.....#(.
388:d=4 hl=4 l= 355 cons: SEQUENCE
392:d=5 hl=2 l= 1 prim: INTEGER :00
395:d=5 hl=2 l= 75 cons: SEQUENCE
397:d=6 hl=2 l= 54 cons: SEQUENCE
399:d=7 hl=2 l= 11 cons: SET
401:d=8 hl=2 l= 9 cons: SEQUENCE
403:d=9 hl=2 l= 3 prim: OBJECT :countryName
408:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
412:d=7 hl=2 l= 14 cons: SET
414:d=8 hl=2 l= 12 cons: SEQUENCE
416:d=9 hl=2 l= 3 prim: OBJECT :localityName
421:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
428:d=7 hl=2 l= 23 cons: SET
430:d=8 hl=2 l= 21 cons: SEQUENCE
432:d=9 hl=2 l= 3 prim: OBJECT :commonName
437:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
453:d=6 hl=2 l= 17 prim: INTEGER :9F9D51BC70EF21CA5C14F307980A29D8
472:d=5 hl=2 l= 13 cons: SEQUENCE
474:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
485:d=6 hl=2 l= 0 prim: NULL
487:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - 27 eb 5a 62 a3 11 df ae-cf 09 31 8b ef 7d 60 b9 '.Zb......1..}`.
0010 - 8e a1 51 af 09 bd bf 2a-89 a8 84 61 7b 8a 8a 14 ..Q....*...a{...
0020 - ff 6f 80 45 a8 fd 5d 89-56 f5 76 8c 32 a7 e4 7a .o.E..].V.v.2..z
0030 - b1 7f a0 8d 5f 7d 2e b5-90 c4 fc 82 96 a1 f7 00 ...._}..........
0040 - 69 c3 38 cf a3 c1 31 a5-8f e0 5a 75 e3 6d 74 57 i.8...1...Zu.mtW
0050 - ec c7 b1 bb 40 3c 1f f3-1f a6 6f b4 78 b1 f4 54 ....@<....o.x..T
0060 - 83 25 b5 79 61 19 1a e1-bf dd d7 f5 af 6f ec 6f .%.ya........o.o
0070 - d9 4f 66 b1 bc 48 23 37-b5 79 ad 79 04 66 d1 f3 .Of..H#7.y.y.f..
0080 - 3e db 09 aa 38 80 85 05-3d 3c 38 3f 91 a8 ec 40 >...8...=<8?...@
0090 - db 15 03 65 73 5b 7e 2d-01 f1 72 e2 37 17 d3 1a ...es[~-..r.7...
00a0 - be 03 50 fa c6 73 06 73-c3 c7 0e e5 93 e8 00 8a ..P..s.s........
00b0 - 22 2d e4 0c f8 a6 26 15-d1 19 cd 11 9f e8 c3 0d "-....&.........
00c0 - a4 9e 7a 1d 35 96 27 9b-65 9e 72 c5 84 d6 d8 26 ..z.5.'.e.r....&
00d0 - 2b 11 26 b8 c8 bc dc 09-a3 17 61 ee 74 6a 14 ad +.&.......a.tj..
00e0 - a7 ec 38 7a f2 c5 2c ba-bd d8 f4 43 df 1f 4c 5e ..8z..,....C..L^
00f0 - 70 c8 3b 82 a1 2f 3b bc-b2 14 94 68 9d 13 79 1f p.;../;....h..y.
747:d=4 hl=4 l= 355 cons: SEQUENCE
751:d=5 hl=2 l= 1 prim: INTEGER :00
754:d=5 hl=2 l= 75 cons: SEQUENCE
756:d=6 hl=2 l= 54 cons: SEQUENCE
758:d=7 hl=2 l= 11 cons: SET
760:d=8 hl=2 l= 9 cons: SEQUENCE
762:d=9 hl=2 l= 3 prim: OBJECT :countryName
767:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
771:d=7 hl=2 l= 14 cons: SET
773:d=8 hl=2 l= 12 cons: SEQUENCE
775:d=9 hl=2 l= 3 prim: OBJECT :localityName
780:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
787:d=7 hl=2 l= 23 cons: SET
789:d=8 hl=2 l= 21 cons: SEQUENCE
791:d=9 hl=2 l= 3 prim: OBJECT :commonName
796:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
812:d=6 hl=2 l= 17 prim: INTEGER :A6D4EF4DD38B1BB016D250C16A680470
831:d=5 hl=2 l= 13 cons: SEQUENCE
833:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
844:d=6 hl=2 l= 0 prim: NULL
846:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - 04 99 1c 5b a4 88 2f 32-9b 03 b1 8e 2b 31 7f 4a ...[../2....+1.J
0010 - 54 90 5e d4 eb 83 2b 08-4a 42 ad 70 0a 0d 31 36 T.^...+.JB.p..16
0020 - a1 4b b5 7d 61 d4 a1 98-2e 2c ab 0f f7 73 35 67 .K.}a....,...s5g
0030 - 59 ee 4a d7 7c 19 82 e6-42 cf 57 43 32 ab 32 d1 Y.J.|...B.WC2.2.
0040 - 09 95 2f de 62 21 d7 7c-35 e4 d0 b6 9e 55 93 92 ../.b!.|5....U..
0050 - db e6 02 e5 33 6b d0 92-39 e8 5f 21 a7 0f 4a 82 ....3k..9._!..J.
0060 - 49 07 af 75 c9 c3 72 d4-be 4c 15 e4 54 31 c3 5f I..u..r..L..T1._
0070 - e6 78 e2 64 60 17 d7 41-86 b3 b0 84 a4 1f 21 76 .x.d`..A......!v
0080 - 55 a2 ed 26 2a a5 c3 00-ba 73 7a b0 df 27 0b d0 U..&*....sz..'..
0090 - b3 8a 2f f2 15 a3 b5 db-3c bb 79 35 0d df ef 1a ../.....<.y5....
00a0 - 08 e4 0c b2 53 b5 06 d9-20 02 bb f4 ad 11 2a c1 ....S... .....*.
00b0 - dd db 96 cd 45 39 a0 10-35 e7 6b 1c c5 c4 34 27 ....E9..5.k...4'
00c0 - f4 6c 83 db aa 31 83 87-fe 2c 8c 7f aa 75 fc 00 .l...1...,...u..
00d0 - 99 05 0c f9 86 71 01 5a-56 8c ff c5 6d ff 6f 8c .....q.ZV...m.o.
00e0 - b8 0a 6a 55 b4 cc b0 d8-25 aa 9d 99 09 8d da 5d ..jU....%......]
00f0 - 2e ec 7d 40 d0 bc cd a4-2d 9e 61 8a 09 ae c5 0a ..}@....-.a.....
1106:d=3 hl=4 l=11909 cons: SEQUENCE
1110:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
1121:d=4 hl=2 l= 20 cons: SEQUENCE
1123:d=5 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
1133:d=5 hl=2 l= 8 prim: OCTET STRING
0000 - 01 d4 ce 3a f4 d1 7a bb- ...:..z.
1143:d=4 hl=4 l=11872 prim: cont [ 0 ]
The PKCS7 file ends with data encrypted with DES-EDE3-CBC. This data is 11872 bytes long, so openssl does not show its details here. However, we do have the DES3 IV: 01d4ce3af4d17abb.
Above all that, there are 3 chunks of 256 bytes each. Before each chunk there is an integer, which is actually the md5 hash of alice, bob and charly! With a bit of guessing, we figure out that these 256-byte chunks are in fact the DES3 key encrypted with the different certificates.
Searching the internet a bit, we find some information about the Chinese remainder theorem. In fact, this attack is possible because we have one plaintext encrypted with 3 different keys that all have a small exponent (0x3).
sage: c1 = 0xC1E2357C6FC53F1CC5E0E76EB1224BE8F24E8839251CF954A98090C4549F1BAFB7BCB1006DD2A982D56C1D2D3E6B422122D01F78DA0099776B789162E8CE94EE3D1E7B88AA8175DBB86F2F4AC65361BC949B3B90460741CAEE6F1ABDC5BD6C5296FBC8F2DAFF77F7110EA32D330D38DD2CA2FE13E785C86FE2210B58074C2DA5F440794BA023FC98B3D1E7DC979DBAC6672B5C19ABF4A91E21D5E474475BC09B78910D1F8E0290B38AE8D756E04D7F5EFBA64BFB5A0E96CD3DE1D82F609544A423F666D08B63262229687E1982BC8E424C7B5266B11A59036625F8E92C06740A3C9D8F3CE87FEB1F4444BC2039C8C6FF0AB9457D8AA63851ECF3C4AF1A2328FD
sage: c2 = ...
sage: c3 = ...
sage:
sage: n1 = 0xEFBA9C442084759DC9770021B03C2E2913053E770779316F92C5DBFCAE4D3682E64006E38FA6A3AC24CC13AD2E747A50E5735064549F590294E36F2A1B23DB29567B49C007F8F8C224D3CD19B81D3F198C540291C135965E549881B775EEE29684F0E6CD4C2A017BE38F2E78E070D503BE9EE3EA2C491E53DE9C705FEB973918A168F275D90D055778289598BD2377D79ACC1BA493F570C5C8301913CEF12CD513321F8F320D8EC8172182D03F33721F02DFCE24463AE7A6CAB7C3A0CBB7D2AB149D347A2C9ABDB81BE4B60CAECBF31CF79C4BA0081FC00BB0939A950CBACA5B7B79FF92AF273B0D01A7E183FF30C90F27705D18F70EBB32281C5A873ED0A90D
sage: n2 = ...
sage: n3 = ...
sage: e = 0x3
sage:
sage: x = crt([c1, c2, c3], [n1, n2, n3]) # compute x with the Chinese remainder theorem
sage:
sage:
sage: clair = pow(x,1/e) # exponent = 3, so we take the cube root
sage:
sage: print clair
986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081
>>> hex(986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081) '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff004f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1L'
So we have our DES3 key!! 4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1
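Added example (not part of the original write-up): the same CRT-then-cube-root recovery, known as Håstad's broadcast attack, in plain Python 3.8+ on constructed toy moduli and a constructed 24-byte key, not the challenge values. It also shows that recovery fails once each recipient gets freshly randomized padding, which is why the deterministic 00 01 FF..FF 00 block visible in the hex output above matters. All function names are illustrative.

```python
import os
from math import prod

E = 3  # small public exponent shared by all recipients, as on the page

def pad(key, block_len, randomized=False):
    """PKCS#1 v1.5-style block 00 BT PS 00 || key, returned as an integer.
    BT=01 with PS=FF.. is deterministic; BT=02 uses fresh random non-zero PS."""
    n_ps = block_len - 3 - len(key)
    if randomized:
        head, ps = b"\x00\x02", bytes(b % 255 + 1 for b in os.urandom(n_ps))
    else:
        head, ps = b"\x00\x01", b"\xff" * n_ps
    return int.from_bytes(head + ps + b"\x00" + key, "big")

def crt(residues, moduli):
    """Smallest x >= 0 with x = r_i (mod n_i); moduli must be pairwise coprime."""
    big_n = prod(moduli)
    return sum(r * (big_n // n) * pow(big_n // n, -1, n)
               for r, n in zip(residues, moduli)) % big_n

def icbrt(x):
    """Exact integer cube root by binary search; ValueError if x is not a cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < x else (lo, mid)
    if lo ** 3 != x:
        raise ValueError("CRT result is not a perfect cube")
    return lo

def recover_key(ciphertexts, moduli, key_len):
    """If one m was sent to all, m^3 < n1*n2*n3, so CRT gives m^3 exactly."""
    m = icbrt(crt(ciphertexts, moduli))
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[-key_len:]

def encrypt_for_all(key, moduli, randomized=False):
    """Textbook RSA encryption of a 40-byte padded block to every recipient."""
    return [pow(pad(key, 40, randomized), E, n) for n in moduli]

# Constructed toy moduli: products of well-known primes, not the challenge keys.
P = [2**192 - 2**64 - 1, 2**256 - 2**224 + 2**192 + 2**96 - 1,
     2**224 - 2**96 + 1, 2**256 - 2**32 - 977, 2**255 - 19, 2**127 - 1]
MODULI = [P[0] * P[1], P[2] * P[3], P[4] * P[5]]
KEY = bytes(range(1, 25))  # constructed 24-byte 3DES key

if __name__ == "__main__":
    print(recover_key(encrypt_for_all(KEY, MODULI), MODULI, 24).hex())
```

With `randomized=True` the three plaintexts differ, the CRT result is no longer a cube, and `recover_key` raises `ValueError`.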
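from Crypto.Cipher import DES3
import base64

# Encrypted content carved out of mail.p7m into cipher.bin
with open('cipher.bin', 'rb') as f:
    data = f.read()

iv = bytes.fromhex("01D4CE3AF4D17ABB")  # IV from the des-ede3-cbc parameters
key = bytes.fromhex("4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1")  # recovered DES3 key

cipher = DES3.new(key, DES3.MODE_CBC, iv)
dec = cipher.decrypt(data)

# The decrypted payload is base64 text; decode it to get the archive
with open('challenge1.solve.tar.gz', 'wb') as f:
    f.write(base64.b64decode(dec))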
[tlk:...rusthefuture/CRYPTO/writeup]$ cat mail.p7m | base64 -d | dd of=cipher.bin bs=1 skip=1147
11872+0 enregistrements lus
11872+0 enregistrements écrits
11872 octets (12 kB) copiés, 0,050452 s, 235 kB/s
[tlk:...rusthefuture/CRYPTO/writeup]$ python des3.py
[tlk:...rusthefuture/CRYPTO/writeup]$ file challenge1.solve.tar.gz
challenge1.solve.tar.gz: gzip compressed data, last modified: Tue Oct 7 09:22:27 2014, from Unix
[tlk:...rusthefuture/CRYPTO/writeup]$ tar -xvf challenge1.solve.tar.gz
challenge2
token1
[tlk:...rusthefuture/CRYPTO/writeup]$ cat token1
Token: sdiy&&g_vqkerfy_((512354