Outils pour utilisateurs

Outils du site


writeup:trust_the_future:crypto1

Crypto 1

Le challenge est contenu dans crypto.tar.gz. L'archive contient 4 certificats :

  • alice.crt
  • bob.crt
  • charly.crt
  • ca.crt

ca.crt contient le certificat de l'autorité qui a signé alice.crt, bob.crt et charly.crt.

[tlk:...rusthefuture/CRYPTO/writeup]$ openssl verify -CAfile ca.crt {alice,bob,charly}.crt
alice.crt: OK
bob.crt: OK
charly.crt: OK

L'archive contient aussi un fichier au format PKCS7. Ce fichier contient probablement le flag.

[tlk:...rusthefuture/CRYPTO/writeup]$ cat mail.p7m 
-----BEGIN PKCS7-----
MIIy1wYJKoZIhvcNAQcDoIIyyDCCMsQCAQAxggQ0MIIBYgIBADBKMDYxCzAJBgNV
BAYTAkZSMQ4wDAYDVQQHEwVQYXJpczEXMBUGA1UEAxQOY2FAZXhhbXBsZS5jb20C
EGOE4rIYS8v1jszxDKemVjwwDQYJKoZIhvcNAQEBBQAEggEAweI1fG/FPxzF4Odu
................................................................
ngZhYhPowaoP6t6Y/4IPJ8/5jT1m+nvubZchevOMsS59cbm6tN5WMhwg23LBN/yS
0IhYzJngTvAG7AQfEdK7lkaydXA2QqenK+yfbrANZc68hfcs/kKtG6YB7tPdHT90
AgFJd0WVl2aAZMmIHH4tdvq8jg00hM3MvLvN4GNVFM7Bg3YdC4lOn1rfemHuMzD2
UbWcSinMsvzSlmFRLelLM/dJoU/lWeVmTS3c5ShwSGocTXrgXZcB38ZizYlbumVG
CjrRmoXL4FCHS2Y=
-----END PKCS7-----
[tlk:...rusthefuture/CRYPTO/writeup]$ openssl asn1parse -in mail.p7m -dump       
    0:d=0  hl=4 l=13015 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
   15:d=1  hl=4 l=13000 cons: cont [ 0 ]        
   19:d=2  hl=4 l=12996 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :00
   26:d=3  hl=4 l=1076 cons: SET               
   30:d=4  hl=4 l= 354 cons: SEQUENCE          
   34:d=5  hl=2 l=   1 prim: INTEGER           :00
   37:d=5  hl=2 l=  74 cons: SEQUENCE          
   39:d=6  hl=2 l=  54 cons: SEQUENCE          
   41:d=7  hl=2 l=  11 cons: SET               
   43:d=8  hl=2 l=   9 cons: SEQUENCE          
   45:d=9  hl=2 l=   3 prim: OBJECT            :countryName
   50:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :FR
   54:d=7  hl=2 l=  14 cons: SET               
   56:d=8  hl=2 l=  12 cons: SEQUENCE          
   58:d=9  hl=2 l=   3 prim: OBJECT            :localityName
   63:d=9  hl=2 l=   5 prim: PRINTABLESTRING   :Paris
   70:d=7  hl=2 l=  23 cons: SET               
   72:d=8  hl=2 l=  21 cons: SEQUENCE          
   74:d=9  hl=2 l=   3 prim: OBJECT            :commonName
   79:d=9  hl=2 l=  14 prim: T61STRING         :ca@example.com
   95:d=6  hl=2 l=  16 prim: INTEGER           :6384E2B2184BCBF58ECCF10CA7A6563C
  113:d=5  hl=2 l=  13 cons: SEQUENCE          
  115:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  126:d=6  hl=2 l=   0 prim: NULL              
  128:d=5  hl=4 l= 256 prim: OCTET STRING      
      0000 - c1 e2 35 7c 6f c5 3f 1c-c5 e0 e7 6e b1 22 4b e8   ..5|o.?....n."K.
      0010 - f2 4e 88 39 25 1c f9 54-a9 80 90 c4 54 9f 1b af   .N.9%..T....T...
      0020 - b7 bc b1 00 6d d2 a9 82-d5 6c 1d 2d 3e 6b 42 21   ....m....l.->kB!
      0030 - 22 d0 1f 78 da 00 99 77-6b 78 91 62 e8 ce 94 ee   "..x...wkx.b....
      0040 - 3d 1e 7b 88 aa 81 75 db-b8 6f 2f 4a c6 53 61 bc   =.{...u..o/J.Sa.
      0050 - 94 9b 3b 90 46 07 41 ca-ee 6f 1a bd c5 bd 6c 52   ..;.F.A..o....lR
      0060 - 96 fb c8 f2 da ff 77 f7-11 0e a3 2d 33 0d 38 dd   ......w....-3.8.
      0070 - 2c a2 fe 13 e7 85 c8 6f-e2 21 0b 58 07 4c 2d a5   ,......o.!.X.L-.
      0080 - f4 40 79 4b a0 23 fc 98-b3 d1 e7 dc 97 9d ba c6   .@yK.#..........
      0090 - 67 2b 5c 19 ab f4 a9 1e-21 d5 e4 74 47 5b c0 9b   g+\.....!..tG[..
      00a0 - 78 91 0d 1f 8e 02 90 b3-8a e8 d7 56 e0 4d 7f 5e   x..........V.M.^
      00b0 - fb a6 4b fb 5a 0e 96 cd-3d e1 d8 2f 60 95 44 a4   ..K.Z...=../`.D.
      00c0 - 23 f6 66 d0 8b 63 26 22-29 68 7e 19 82 bc 8e 42   #.f..c&")h~....B
      00d0 - 4c 7b 52 66 b1 1a 59 03-66 25 f8 e9 2c 06 74 0a   L{Rf..Y.f%..,.t.
      00e0 - 3c 9d 8f 3c e8 7f eb 1f-44 44 bc 20 39 c8 c6 ff   <..<....DD. 9...
      00f0 - 0a b9 45 7d 8a a6 38 51-ec f3 c4 af 1a 23 28 fd   ..E}..8Q.....#(.
  388:d=4  hl=4 l= 355 cons: SEQUENCE          
  392:d=5  hl=2 l=   1 prim: INTEGER           :00
  395:d=5  hl=2 l=  75 cons: SEQUENCE          
  397:d=6  hl=2 l=  54 cons: SEQUENCE          
  399:d=7  hl=2 l=  11 cons: SET               
  401:d=8  hl=2 l=   9 cons: SEQUENCE          
  403:d=9  hl=2 l=   3 prim: OBJECT            :countryName
  408:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :FR
  412:d=7  hl=2 l=  14 cons: SET               
  414:d=8  hl=2 l=  12 cons: SEQUENCE          
  416:d=9  hl=2 l=   3 prim: OBJECT            :localityName
  421:d=9  hl=2 l=   5 prim: PRINTABLESTRING   :Paris
  428:d=7  hl=2 l=  23 cons: SET               
  430:d=8  hl=2 l=  21 cons: SEQUENCE          
  432:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  437:d=9  hl=2 l=  14 prim: T61STRING         :ca@example.com
  453:d=6  hl=2 l=  17 prim: INTEGER           :9F9D51BC70EF21CA5C14F307980A29D8
  472:d=5  hl=2 l=  13 cons: SEQUENCE          
  474:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  485:d=6  hl=2 l=   0 prim: NULL              
  487:d=5  hl=4 l= 256 prim: OCTET STRING      
      0000 - 27 eb 5a 62 a3 11 df ae-cf 09 31 8b ef 7d 60 b9   '.Zb......1..}`.
      0010 - 8e a1 51 af 09 bd bf 2a-89 a8 84 61 7b 8a 8a 14   ..Q....*...a{...
      0020 - ff 6f 80 45 a8 fd 5d 89-56 f5 76 8c 32 a7 e4 7a   .o.E..].V.v.2..z
      0030 - b1 7f a0 8d 5f 7d 2e b5-90 c4 fc 82 96 a1 f7 00   ...._}..........
      0040 - 69 c3 38 cf a3 c1 31 a5-8f e0 5a 75 e3 6d 74 57   i.8...1...Zu.mtW
      0050 - ec c7 b1 bb 40 3c 1f f3-1f a6 6f b4 78 b1 f4 54   ....@<....o.x..T
      0060 - 83 25 b5 79 61 19 1a e1-bf dd d7 f5 af 6f ec 6f   .%.ya........o.o
      0070 - d9 4f 66 b1 bc 48 23 37-b5 79 ad 79 04 66 d1 f3   .Of..H#7.y.y.f..
      0080 - 3e db 09 aa 38 80 85 05-3d 3c 38 3f 91 a8 ec 40   >...8...=<8?...@
      0090 - db 15 03 65 73 5b 7e 2d-01 f1 72 e2 37 17 d3 1a   ...es[~-..r.7...
      00a0 - be 03 50 fa c6 73 06 73-c3 c7 0e e5 93 e8 00 8a   ..P..s.s........
      00b0 - 22 2d e4 0c f8 a6 26 15-d1 19 cd 11 9f e8 c3 0d   "-....&.........
      00c0 - a4 9e 7a 1d 35 96 27 9b-65 9e 72 c5 84 d6 d8 26   ..z.5.'.e.r....&
      00d0 - 2b 11 26 b8 c8 bc dc 09-a3 17 61 ee 74 6a 14 ad   +.&.......a.tj..
      00e0 - a7 ec 38 7a f2 c5 2c ba-bd d8 f4 43 df 1f 4c 5e   ..8z..,....C..L^
      00f0 - 70 c8 3b 82 a1 2f 3b bc-b2 14 94 68 9d 13 79 1f   p.;../;....h..y.
  747:d=4  hl=4 l= 355 cons: SEQUENCE          
  751:d=5  hl=2 l=   1 prim: INTEGER           :00
  754:d=5  hl=2 l=  75 cons: SEQUENCE          
  756:d=6  hl=2 l=  54 cons: SEQUENCE          
  758:d=7  hl=2 l=  11 cons: SET               
  760:d=8  hl=2 l=   9 cons: SEQUENCE          
  762:d=9  hl=2 l=   3 prim: OBJECT            :countryName
  767:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :FR
  771:d=7  hl=2 l=  14 cons: SET               
  773:d=8  hl=2 l=  12 cons: SEQUENCE          
  775:d=9  hl=2 l=   3 prim: OBJECT            :localityName
  780:d=9  hl=2 l=   5 prim: PRINTABLESTRING   :Paris
  787:d=7  hl=2 l=  23 cons: SET               
  789:d=8  hl=2 l=  21 cons: SEQUENCE          
  791:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  796:d=9  hl=2 l=  14 prim: T61STRING         :ca@example.com
  812:d=6  hl=2 l=  17 prim: INTEGER           :A6D4EF4DD38B1BB016D250C16A680470
  831:d=5  hl=2 l=  13 cons: SEQUENCE          
  833:d=6  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  844:d=6  hl=2 l=   0 prim: NULL              
  846:d=5  hl=4 l= 256 prim: OCTET STRING      
      0000 - 04 99 1c 5b a4 88 2f 32-9b 03 b1 8e 2b 31 7f 4a   ...[../2....+1.J
      0010 - 54 90 5e d4 eb 83 2b 08-4a 42 ad 70 0a 0d 31 36   T.^...+.JB.p..16
      0020 - a1 4b b5 7d 61 d4 a1 98-2e 2c ab 0f f7 73 35 67   .K.}a....,...s5g
      0030 - 59 ee 4a d7 7c 19 82 e6-42 cf 57 43 32 ab 32 d1   Y.J.|...B.WC2.2.
      0040 - 09 95 2f de 62 21 d7 7c-35 e4 d0 b6 9e 55 93 92   ../.b!.|5....U..
      0050 - db e6 02 e5 33 6b d0 92-39 e8 5f 21 a7 0f 4a 82   ....3k..9._!..J.
      0060 - 49 07 af 75 c9 c3 72 d4-be 4c 15 e4 54 31 c3 5f   I..u..r..L..T1._
      0070 - e6 78 e2 64 60 17 d7 41-86 b3 b0 84 a4 1f 21 76   .x.d`..A......!v
      0080 - 55 a2 ed 26 2a a5 c3 00-ba 73 7a b0 df 27 0b d0   U..&*....sz..'..
      0090 - b3 8a 2f f2 15 a3 b5 db-3c bb 79 35 0d df ef 1a   ../.....<.y5....
      00a0 - 08 e4 0c b2 53 b5 06 d9-20 02 bb f4 ad 11 2a c1   ....S... .....*.
      00b0 - dd db 96 cd 45 39 a0 10-35 e7 6b 1c c5 c4 34 27   ....E9..5.k...4'
      00c0 - f4 6c 83 db aa 31 83 87-fe 2c 8c 7f aa 75 fc 00   .l...1...,...u..
      00d0 - 99 05 0c f9 86 71 01 5a-56 8c ff c5 6d ff 6f 8c   .....q.ZV...m.o.
      00e0 - b8 0a 6a 55 b4 cc b0 d8-25 aa 9d 99 09 8d da 5d   ..jU....%......]
      00f0 - 2e ec 7d 40 d0 bc cd a4-2d 9e 61 8a 09 ae c5 0a   ..}@....-.a.....
 1106:d=3  hl=4 l=11909 cons: SEQUENCE          
 1110:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 1121:d=4  hl=2 l=  20 cons: SEQUENCE          
 1123:d=5  hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
 1133:d=5  hl=2 l=   8 prim: OCTET STRING      
      0000 - 01 d4 ce 3a f4 d1 7a bb-                          ...:..z.
 1143:d=4  hl=4 l=11872 prim: cont [ 0 ]

Le fichier PCKS7 contient à la fin des données chiffrées avec du DES-EDE3-CBC. La taille de ces données est de 11872 octets, donc openssl ne nous donne pas les détails ici. Par contre, on a l'IV du DES3 : 01d4ce3af4d17abb. Au dessus de tout ça, on a 3 morceaux de 256 octets chacun. Avant chaque morceau, on a entier, c'est en fait le hash md5 de alice, bob et charly ! Avec un peu de guessing, on devine que ces morceaux de 256 octets sont en fait la clef DES3 chiffré avec les différents certificats.

En cherchant un peu sur l'internet, on trouve quelques infos sur le théorème des restes chinois. En fait, on peut faire cette attaque parce qu'on a un clair chiffré avec 3 clefs différentes qui ont toutes un exposant petit (0x3).

sage: c1 = 0xC1E2357C6FC53F1CC5E0E76EB1224BE8F24E8839251CF954A98090C4549F1BAFB7BCB1006DD2A982D56C1D2D3E6B422122D01F78DA0099776B789162E8CE94EE3D1E7B88AA8175DBB86F2F4AC65361BC949B3B90460741CAEE6F1ABDC5BD6C5296FBC8F2DAFF77F7110EA32D330D38DD2CA2FE13E785C86FE2210B58074C2DA5F440794BA023FC98B3D1E7DC979DBAC6672B5C19ABF4A91E21D5E474475BC09B78910D1F8E0290B38AE8D756E04D7F5EFBA64BFB5A0E96CD3DE1D82F609544A423F666D08B63262229687E1982BC8E424C7B5266B11A59036625F8E92C06740A3C9D8F3CE87FEB1F4444BC2039C8C6FF0AB9457D8AA63851ECF3C4AF1A2328FD
sage: c2 = 0x27EB5A62A311DFAECF09318BEF7D60B98EA151AF09BDBF2A89A884617B8A8A14FF6F8045A8FD5D8956F5768C32A7E47AB17FA08D5F7D2EB590C4FC8296A1F70069C338CFA3C131A58FE05A75E36D7457ECC7B1BB403C1FF31FA66FB478B1F4548325B57961191AE1BFDDD7F5AF6FEC6FD94F66B1BC482337B579AD790466D1F33EDB09AA388085053D3C383F91A8EC40DB150365735B7E2D01F172E23717D31ABE0350FAC6730673C3C70EE593E8008A222DE40CF8A62615D119CD119FE8C30DA49E7A1D3596279B659E72C584D6D8262B1126B8C8BCDC09A31761EE746A14ADA7EC387AF2C52CBABDD8F443DF1F4C5E70C83B82A12F3BBCB21494689D13791F
sage: c3 = 0x04991C5BA4882F329B03B18E2B317F4A54905ED4EB832B084A42AD700A0D3136A14BB57D61D4A1982E2CAB0FF773356759EE4AD77C1982E642CF574332AB32D109952FDE6221D77C35E4D0B69E559392DBE602E5336BD09239E85F21A70F4A824907AF75C9C372D4BE4C15E45431C35FE678E2646017D74186B3B084A41F217655A2ED262AA5C300BA737AB0DF270BD0B38A2FF215A3B5DB3CBB79350DDFEF1A08E40CB253B506D92002BBF4AD112AC1DDDB96CD4539A01035E76B1CC5C43427F46C83DBAA318387FE2C8C7FAA75FC0099050CF98671015A568CFFC56DFF6F8CB80A6A55B4CCB0D825AA9D99098DDA5D2EEC7D40D0BCCDA42D9E618A09AEC50A
sage: 
sage: n1 = 0xEFBA9C442084759DC9770021B03C2E2913053E770779316F92C5DBFCAE4D3682E64006E38FA6A3AC24CC13AD2E747A50E5735064549F590294E36F2A1B23DB29567B49C007F8F8C224D3CD19B81D3F198C540291C135965E549881B775EEE29684F0E6CD4C2A017BE38F2E78E070D503BE9EE3EA2C491E53DE9C705FEB973918A168F275D90D055778289598BD2377D79ACC1BA493F570C5C8301913CEF12CD513321F8F320D8EC8172182D03F33721F02DFCE24463AE7A6CAB7C3A0CBB7D2AB149D347A2C9ABDB81BE4B60CAECBF31CF79C4BA0081FC00BB0939A950CBACA5B7B79FF92AF273B0D01A7E183FF30C90F27705D18F70EBB32281C5A873ED0A90D
sage: n2 = 0xC0028301D5645483592E2117463A804454BD1AE33B1CBEF33D9CDFF86EFD46CB24BA1984874DAE3A4A3D3609D9607276F91DFAD38E9ED6B6BCE15F29C49E1C7E0B532AE2A1343AF3F8064B4A093F23F981624D4E08F901787B761847B4F0963512EAC13B5D47DA4295FF614501A3D7D7EDA6B4E6197B974A70BF11FDC5D619D50974415E209DE76C68F190DBCA5BB6F1963C1E0E987BE105FF9082EAE003C2051A4C95E3299D3C1BC64D5F8E95D40C7B27EEEA5EBCD9B54CD6B5655B0AB9AEAA15E976AE37EA228A151D2AFD5417D4BCBC3BFB396E6B10AF561CBE0FD0374081B7034585C54096849FF82B79A117E44AE8FDB5B304BC0D9CA297C2F4A57FF91F
sage: n3 = 0xCFA7854352FF9DF5E84AB10AB8F034F8106811D973BAB528BFCBD3DCBCFDF9FB5C398E23B58BA883F7C78F47C6694B4F042CDB8E54E856040F8A8A9ADBCA4C6D0813894C43352EB3EE19C1F76DF46DFD1B6BB38349BCE811036B0ED7ACFE2E5045FE4232F11DA3F113189A176964C206155342FD9E2E8AD11CBBCB85DFDF30E62AEA068F2DD7CEC6CF818D1E312BBA5FA6385461CA5ADCA0F95B6299FA366EEF8856416D72A42A93FD979E269D8FEA143870985FD353C85850FB4A11B6E4BA483CDC97F7E1717C34DF7D9E34DF83F67A9DA97ACA69926167D44C2CB3BB858EC041A244A6197D7F3B9AFD02A0562F13EACE6494F289184DAD16D2D995ED1ADC13
sage: e = 0x3
sage: 
sage: x = crt([c1, c2, c3], [n1, n2, n3]) # on calcule x avec les retes chinois
sage: 
sage: 
sage: clair = pow(x,1/e) # exposant = 3, donc on prend al racine cubique
sage: 
sage: print clair
986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081
>>> hex(986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105499226019760899853191673074428460162155990377643880703914381740846851667433938081)
'0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff004f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1L'

On a donc notre clef DES3 !! 4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1

from Crypto.Cipher import DES3
import base64
 
with open('cipher.bin', 'rb') as f:
	data = f.read()
 
 
iv = "01D4CE3AF4D17ABB".decode("hex")
key = "4f8957408f0ea202c785b95e206b3ba8da3dba7aea08dca1".decode("hex")
cipher = DES3.new(key, DES3.MODE_CBC, iv)
dec = cipher.decrypt(data)
 
with open('challenge1.solve.tar.gz', 'wb') as f:
	f.write(dec.decode("base64"))
[tlk:...rusthefuture/CRYPTO/writeup]$ cat mail.p7m |  base64 -d | dd of=cipher.bin bs=1 skip=1147
11872+0 enregistrements lus
11872+0 enregistrements écrits
11872 octets (12 kB) copiés, 0,050452 s, 235 kB/s
[tlk:...rusthefuture/CRYPTO/writeup]$ python des3.py                                             
[tlk:...rusthefuture/CRYPTO/writeup]$ file challenge1.solve.tar.gz
challenge1.solve.tar.gz: gzip compressed data, last modified: Tue Oct  7 09:22:27 2014, from Unix
[tlk:...rusthefuture/CRYPTO/writeup]$ tar -xvf challenge1.solve.tar.gz                    
challenge2
token1
[tlk:...rusthefuture/CRYPTO/writeup]$ cat token1 
Token: sdiy&&g_vqkerfy_((512354 
writeup/trust_the_future/crypto1.txt · Dernière modification: 2015/02/26 17:48 par tlk