The challenge is contained in crypto.tar.gz. The archive contains 4 certificates.
ca.crt is the certificate of the authority that signed alice.crt, bob.crt and charly.crt.
[tlk:...rusthefuture/CRYPTO/writeup]$ openssl verify -CAfile ca.crt {alice,bob,charly}.crt
alice.crt: OK
bob.crt: OK
charly.crt: OK
The archive also contains a file in PKCS7 format. This file probably contains the flag.
[tlk:...rusthefuture/CRYPTO/writeup]$ openssl asn1parse -in mail.p7m -dump
0:d=0 hl=4 l=13015 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData
15:d=1 hl=4 l=13000 cons: cont [ 0 ]
19:d=2 hl=4 l=12996 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :00
26:d=3 hl=4 l=1076 cons: SET
30:d=4 hl=4 l= 354 cons: SEQUENCE
34:d=5 hl=2 l= 1 prim: INTEGER :00
37:d=5 hl=2 l= 74 cons: SEQUENCE
39:d=6 hl=2 l= 54 cons: SEQUENCE
41:d=7 hl=2 l= 11 cons: SET
43:d=8 hl=2 l= 9 cons: SEQUENCE
45:d=9 hl=2 l= 3 prim: OBJECT :countryName
50:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
54:d=7 hl=2 l= 14 cons: SET
56:d=8 hl=2 l= 12 cons: SEQUENCE
58:d=9 hl=2 l= 3 prim: OBJECT :localityName
63:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
70:d=7 hl=2 l= 23 cons: SET
72:d=8 hl=2 l= 21 cons: SEQUENCE
74:d=9 hl=2 l= 3 prim: OBJECT :commonName
79:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
95:d=6 hl=2 l= 16 prim: INTEGER :6384E2B2184BCBF58ECCF10CA7A6563C
113:d=5 hl=2 l= 13 cons: SEQUENCE
115:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
126:d=6 hl=2 l= 0 prim: NULL
128:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - c1 e2 35 7c 6f c5 3f 1c-c5 e0 e7 6e b1 22 4b e8 ..5|o.?....n."K.
0010 - f2 4e 88 39 25 1c f9 54-a9 80 90 c4 54 9f 1b af .N.9%..T....T...
0020 - b7 bc b1 00 6d d2 a9 82-d5 6c 1d 2d 3e 6b 42 21 ....m....l.->kB!
0030 - 22 d0 1f 78 da 00 99 77-6b 78 91 62 e8 ce 94 ee "..x...wkx.b....
0040 - 3d 1e 7b 88 aa 81 75 db-b8 6f 2f 4a c6 53 61 bc =.{...u..o/J.Sa.
0050 - 94 9b 3b 90 46 07 41 ca-ee 6f 1a bd c5 bd 6c 52 ..;.F.A..o....lR
0060 - 96 fb c8 f2 da ff 77 f7-11 0e a3 2d 33 0d 38 dd ......w....-3.8.
0070 - 2c a2 fe 13 e7 85 c8 6f-e2 21 0b 58 07 4c 2d a5 ,......o.!.X.L-.
0080 - f4 40 79 4b a0 23 fc 98-b3 d1 e7 dc 97 9d ba c6 .@yK.#..........
0090 - 67 2b 5c 19 ab f4 a9 1e-21 d5 e4 74 47 5b c0 9b g+\.....!..tG[..
00a0 - 78 91 0d 1f 8e 02 90 b3-8a e8 d7 56 e0 4d 7f 5e x..........V.M.^
00b0 - fb a6 4b fb 5a 0e 96 cd-3d e1 d8 2f 60 95 44 a4 ..K.Z...=../`.D.
00c0 - 23 f6 66 d0 8b 63 26 22-29 68 7e 19 82 bc 8e 42 #.f..c&")h~....B
00d0 - 4c 7b 52 66 b1 1a 59 03-66 25 f8 e9 2c 06 74 0a L{Rf..Y.f%..,.t.
00e0 - 3c 9d 8f 3c e8 7f eb 1f-44 44 bc 20 39 c8 c6 ff <..<....DD. 9...
00f0 - 0a b9 45 7d 8a a6 38 51-ec f3 c4 af 1a 23 28 fd ..E}..8Q.....#(.
388:d=4 hl=4 l= 355 cons: SEQUENCE
392:d=5 hl=2 l= 1 prim: INTEGER :00
395:d=5 hl=2 l= 75 cons: SEQUENCE
397:d=6 hl=2 l= 54 cons: SEQUENCE
399:d=7 hl=2 l= 11 cons: SET
401:d=8 hl=2 l= 9 cons: SEQUENCE
403:d=9 hl=2 l= 3 prim: OBJECT :countryName
408:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
412:d=7 hl=2 l= 14 cons: SET
414:d=8 hl=2 l= 12 cons: SEQUENCE
416:d=9 hl=2 l= 3 prim: OBJECT :localityName
421:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
428:d=7 hl=2 l= 23 cons: SET
430:d=8 hl=2 l= 21 cons: SEQUENCE
432:d=9 hl=2 l= 3 prim: OBJECT :commonName
437:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
453:d=6 hl=2 l= 17 prim: INTEGER :9F9D51BC70EF21CA5C14F307980A29D8
472:d=5 hl=2 l= 13 cons: SEQUENCE
474:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
485:d=6 hl=2 l= 0 prim: NULL
487:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - 27 eb 5a 62 a3 11 df ae-cf 09 31 8b ef 7d 60 b9 '.Zb......1..}`.
0010 - 8e a1 51 af 09 bd bf 2a-89 a8 84 61 7b 8a 8a 14 ..Q....*...a{...
0020 - ff 6f 80 45 a8 fd 5d 89-56 f5 76 8c 32 a7 e4 7a .o.E..].V.v.2..z
0030 - b1 7f a0 8d 5f 7d 2e b5-90 c4 fc 82 96 a1 f7 00 ...._}..........
0040 - 69 c3 38 cf a3 c1 31 a5-8f e0 5a 75 e3 6d 74 57 i.8...1...Zu.mtW
0050 - ec c7 b1 bb 40 3c 1f f3-1f a6 6f b4 78 b1 f4 54 ....@<....o.x..T
0060 - 83 25 b5 79 61 19 1a e1-bf dd d7 f5 af 6f ec 6f .%.ya........o.o
0070 - d9 4f 66 b1 bc 48 23 37-b5 79 ad 79 04 66 d1 f3 .Of..H#7.y.y.f..
0080 - 3e db 09 aa 38 80 85 05-3d 3c 38 3f 91 a8 ec 40 >...8...=<8?...@
0090 - db 15 03 65 73 5b 7e 2d-01 f1 72 e2 37 17 d3 1a ...es[~-..r.7...
00a0 - be 03 50 fa c6 73 06 73-c3 c7 0e e5 93 e8 00 8a ..P..s.s........
00b0 - 22 2d e4 0c f8 a6 26 15-d1 19 cd 11 9f e8 c3 0d "-....&.........
00c0 - a4 9e 7a 1d 35 96 27 9b-65 9e 72 c5 84 d6 d8 26 ..z.5.'.e.r....&
00d0 - 2b 11 26 b8 c8 bc dc 09-a3 17 61 ee 74 6a 14 ad +.&.......a.tj..
00e0 - a7 ec 38 7a f2 c5 2c ba-bd d8 f4 43 df 1f 4c 5e ..8z..,....C..L^
00f0 - 70 c8 3b 82 a1 2f 3b bc-b2 14 94 68 9d 13 79 1f p.;../;....h..y.
747:d=4 hl=4 l= 355 cons: SEQUENCE
751:d=5 hl=2 l= 1 prim: INTEGER :00
754:d=5 hl=2 l= 75 cons: SEQUENCE
756:d=6 hl=2 l= 54 cons: SEQUENCE
758:d=7 hl=2 l= 11 cons: SET
760:d=8 hl=2 l= 9 cons: SEQUENCE
762:d=9 hl=2 l= 3 prim: OBJECT :countryName
767:d=9 hl=2 l= 2 prim: PRINTABLESTRING :FR
771:d=7 hl=2 l= 14 cons: SET
773:d=8 hl=2 l= 12 cons: SEQUENCE
775:d=9 hl=2 l= 3 prim: OBJECT :localityName
780:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Paris
787:d=7 hl=2 l= 23 cons: SET
789:d=8 hl=2 l= 21 cons: SEQUENCE
791:d=9 hl=2 l= 3 prim: OBJECT :commonName
796:d=9 hl=2 l= 14 prim: T61STRING :ca@example.com
812:d=6 hl=2 l= 17 prim: INTEGER :A6D4EF4DD38B1BB016D250C16A680470
831:d=5 hl=2 l= 13 cons: SEQUENCE
833:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
844:d=6 hl=2 l= 0 prim: NULL
846:d=5 hl=4 l= 256 prim: OCTET STRING
0000 - 04 99 1c 5b a4 88 2f 32-9b 03 b1 8e 2b 31 7f 4a ...[../2....+1.J
0010 - 54 90 5e d4 eb 83 2b 08-4a 42 ad 70 0a 0d 31 36 T.^...+.JB.p..16
0020 - a1 4b b5 7d 61 d4 a1 98-2e 2c ab 0f f7 73 35 67 .K.}a....,...s5g
0030 - 59 ee 4a d7 7c 19 82 e6-42 cf 57 43 32 ab 32 d1 Y.J.|...B.WC2.2.
0040 - 09 95 2f de 62 21 d7 7c-35 e4 d0 b6 9e 55 93 92 ../.b!.|5....U..
0050 - db e6 02 e5 33 6b d0 92-39 e8 5f 21 a7 0f 4a 82 ....3k..9._!..J.
0060 - 49 07 af 75 c9 c3 72 d4-be 4c 15 e4 54 31 c3 5f I..u..r..L..T1._
0070 - e6 78 e2 64 60 17 d7 41-86 b3 b0 84 a4 1f 21 76 .x.d`..A......!v
0080 - 55 a2 ed 26 2a a5 c3 00-ba 73 7a b0 df 27 0b d0 U..&*....sz..'..
0090 - b3 8a 2f f2 15 a3 b5 db-3c bb 79 35 0d df ef 1a ../.....<.y5....
00a0 - 08 e4 0c b2 53 b5 06 d9-20 02 bb f4 ad 11 2a c1 ....S... .....*.
00b0 - dd db 96 cd 45 39 a0 10-35 e7 6b 1c c5 c4 34 27 ....E9..5.k...4'
00c0 - f4 6c 83 db aa 31 83 87-fe 2c 8c 7f aa 75 fc 00 .l...1...,...u..
00d0 - 99 05 0c f9 86 71 01 5a-56 8c ff c5 6d ff 6f 8c .....q.ZV...m.o.
00e0 - b8 0a 6a 55 b4 cc b0 d8-25 aa 9d 99 09 8d da 5d ..jU....%......]
00f0 - 2e ec 7d 40 d0 bc cd a4-2d 9e 61 8a 09 ae c5 0a ..}@....-.a.....
1106:d=3 hl=4 l=11909 cons: SEQUENCE
1110:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
1121:d=4 hl=2 l= 20 cons: SEQUENCE
1123:d=5 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
1133:d=5 hl=2 l= 8 prim: OCTET STRING
0000 - 01 d4 ce 3a f4 d1 7a bb- ...:..z.
1143:d=4 hl=4 l=11872 prim: cont [ 0 ]
The end of the PKCS7 file holds data encrypted with DES-EDE3-CBC. That data is 11872 bytes long, so openssl does not show its details here. We do, however, have the DES3 IV: 01d4ce3af4d17abb. Above all that there are 3 chunks of 256 bytes each. Each chunk is preceded by an integer, which is in fact the md5 hash of alice, bob and charly! With a bit of guessing, we work out that these 256-byte chunks are the DES3 key encrypted with the different certificates.
Searching the internet a little turns up some information on the Chinese remainder theorem. We can mount this attack because we have one plaintext encrypted with 3 different keys that all have a small exponent (0x3).
sage: c1 = 0xC1E2357C6FC53F1CC5E0E76EB1224BE8F24E8839251CF954A98090C4549F1BAFB7BCB1006DD2A982D56C1D2D3E6B422122D01F78DA0099776B789162E8CE94EE3D1E7B88AA8175DBB86F2F4AC65361BC949B3B90460741CAEE6F1ABDC5BD6C5296FBC8F2DAFF77F7110EA32D330D38DD2CA2FE13E785C86FE2210B58074C2DA5F440794BA023FC98B3D1E7DC979DBAC6672B5C19ABF4A91E21D5E474475BC09B78910D1F8E0290B38AE8D756E04D7F5EFBA64BFB5A0E96CD3DE1D82F609544A423F666D08B63262229687E1982BC8E424C7B5266B11A59036625F8E92C06740A3C9D8F3CE87FEB1F4444BC2039C8C6FF0AB9457D8AA63851ECF3C4AF1A2328FD
sage: c2 = ...
sage: c3 = ...
sage: n1 = ...
sage: n2 = ...
sage: n3 = ...
sage: e = 0x3
sage: x = crt([c1, c2, c3], [n1, n2, n3]) # compute x with the Chinese remainder theorem
sage: clair = pow(x,1/e) # exponent = 3, so we take the cube root
sage: print clair
986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081
>>> hex(986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081) '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff004f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1L'
So we have our DES3 key!! 4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1
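The recovery above, reproduced end to end on constructed values as an added example (not code from the original writeup). The moduli, block size and key are made-up stand-ins; the padding layout `00 01 FF..FF 00 || key` is the one visible in the recovered block. It goes one step beyond the writeup by also running the same recovery against per-recipient random padding, where it fails.

```python
import secrets
from math import prod

E = 3

def mersenne(p):
    return (1 << p) - 1              # 2^p - 1, prime for the exponents used below

# Constructed, pairwise-coprime stand-ins for three recipients' moduli (not real keys).
MODULI = [mersenne(127) * mersenne(521), mersenne(89) * mersenne(607),
          mersenne(107) * mersenne(1279)]
SIZE = 64                            # padded block length in bytes, below every modulus
KEY = bytes(range(1, 25))            # constructed 24-byte DES3 key

def pad_fixed(key, size):
    """Deterministic block 00 01 FF..FF 00 || key, the layout recovered in the writeup."""
    return b"\x00\x01" + b"\xff" * (size - len(key) - 3) + b"\x00" + key

def pad_random(key, size):
    """PKCS#1 v1.5 encryption padding: fresh non-zero random filler for every recipient."""
    filler = bytes(secrets.randbelow(255) + 1 for _ in range(size - len(key) - 3))
    return b"\x00\x02" + filler + b"\x00" + key

def encrypt(block, n):
    return pow(int.from_bytes(block, "big"), E, n)

def crt(residues, moduli):
    """Smallest x >= 0 with x = r_i (mod n_i) for pairwise-coprime n_i."""
    big_n = prod(moduli)
    return sum(r * (big_n // n) * pow(big_n // n, -1, n)
               for r, n in zip(residues, moduli)) % big_n

def iroot(x, k):
    """Floor of the k-th root of x, plus whether the root is exact."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo, lo ** k == x

def broadcast_recover(ciphertexts, moduli, size):
    """Return the key if the ciphertexts share one plaintext block, else None."""
    root, exact = iroot(crt(ciphertexts, moduli), E)
    if not exact:
        return None                  # plaintexts differed: the CRT value is not a cube
    block = root.to_bytes(size, "big")
    return block[block.index(b"\x00", 2) + 1:]

def demo(pad):
    cts = [encrypt(pad(KEY, SIZE), n) for n in MODULI]
    return broadcast_recover(cts, MODULI, SIZE)

if __name__ == "__main__":
    print("fixed padding :", demo(pad_fixed))    # key recovered
    print("random padding:", demo(pad_random))   # None
```

With the fixed block every recipient encrypts the same integer m, so the CRT result is exactly m^3 over the integers; with random filler each recipient encrypts a different integer and the combined value has no integer cube root.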
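# des3.py (Python 3)
import base64
from Crypto.Cipher import DES3

# Encrypted content extracted from mail.p7m
with open('cipher.bin', 'rb') as f:
    data = f.read()

iv = bytes.fromhex("01D4CE3AF4D17ABB")  # IV from the des-ede3-cbc parameters
key = bytes.fromhex("4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1")  # recovered DES3 key

cipher = DES3.new(key, DES3.MODE_CBC, iv)
dec = cipher.decrypt(data)

# The decrypted payload is base64 text; decode it to get the archive
with open('challenge1.solve.tar.gz', 'wb') as f:
    f.write(base64.b64decode(dec))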
[tlk:...rusthefuture/CRYPTO/writeup]$ cat mail.p7m | base64 -d | dd of=cipher.bin bs=1 skip=1147
11872+0 enregistrements lus
11872+0 enregistrements écrits
11872 octets (12 kB) copiés, 0,050452 s, 235 kB/s
[tlk:...rusthefuture/CRYPTO/writeup]$ python des3.py
[tlk:...rusthefuture/CRYPTO/writeup]$ file challenge1.solve.tar.gz
challenge1.solve.tar.gz: gzip compressed data, last modified: Tue Oct 7 09:22:27 2014, from Unix
[tlk:...rusthefuture/CRYPTO/writeup]$ tar -xvf challenge1.solve.tar.gz
challenge2
token1
[tlk:...rusthefuture/CRYPTO/writeup]$ cat token1
Token: sdiy&&g_vqkerfy_((512354