BlackAlps 22 - Polynomial 1 and 2
Textbook RSA and Rabin except we use irreducible polynomials of prime degrees instead of primes, making factorization possible.
Textbook RSA and Rabin except we use irreducible polynomials of prime degrees instead of primes, making factorization possible.
Find 40 discrete logarithm fixed points to solve the challenge. The range check allows to solve the equation with the Chinese remainder theorem with a negative value.
*Cryptocurrency scammer was caught and laptop confiscated, use strings to recover command used to access his wallet and patch + decompile python pyc file to regenerate bip39 mnemonic and recreate the private key.
Cryptocurrency scammer was caught and laptop confiscated, build volatility 3 linux profile and find the bash command using linux.bash.Bash.
XPS file which looks corrupt but in fact it is a OpenType font inside scrambled using Microsoft custom algorithm and then using fontdrop website to recover his secret.
A ransomware encrypted PNG files, we retrieve the initial infection program, and use a xor attack to recover the flag.
A ransomware encrypted some text file, but the user has already used an online paste website to save it. Read the firefox profiles backuped by snap and find tin the history the url of the paste.
Discrete logarigm of in the multiplicative groups of a square prime.
Elliptic curve discrete logarithm with unknown curve parameters and unknown y coordinate.
Simple serial check algorithm solved with Z3 solver.
Execute an unscrambling function to get the compare algorithm. Then figure out what the algorithm does to recover the flag.
Key recovery attack of a stream cipher which turn out to be the A5/2 cipher from GSM. Existing attacks apply to recover the secret key.
Shellcode writing on RISC-V platform to dump the RAM were the flag lies.
Shamir secret sharing scheme. Only the prime number to perform computations is unknown but using anyone allows to recover the secret.
Schnorr signature with a Blum-Blum-Schub PRNG to generate the nonce. Since the quadratic equation can be solved in the prime group the private key can be recover from two consecutive signatures.
RSA signing messages interface. Applying the Wiener attack reveal the private key which is the flag.
Reverse challenge which is finally a maze. A move is encoded on 2 bit of a character given as input. The combination which gets you out of the maze is the flag. We present here three different ways to solve the challenge.
RSA encrypted flag but each flag bit is encrypted at a time with random padding. The padding is a square thus using computing the Jacobi symbol for each bit encryption reveals the flag.
RSA encrypted flag and prime inverses are given
A serial connection gives access to a basic filesystem. Repairing the filesystem with debug tools and adjusting an offset gives access to protected data.
An ssh access to a Lego Mindstorms platform: ev3dev is given to control three motors of a robot arm. The goal is to open the fridge door.
A file was given with instruction matching G-code instructions. Render the file gave the flag.
Basic Stack buffer overflow in an arm binary
LoRa1: Use LoRa dev board to listen to the EU 868.1MHZ and received the flag LoRa2: Scan all the EU frequencies and SpreadFactor to get the flag LoRa3: Find the flag on the LoRa base station
We’re given a ssh username, server ip and public key using ECDSA, along with a _very secure RNG_ python script used to generate the ECDSA key. Exploiting a weakness in the RNG, we can enumerate all possible keys and find the private key to log on the server.
The binary ask for an input and do a ton of computation on it. solved using an angr script.
The binary ask for a password and use RunPE technic to create a new process. Two technic can be used, first is to dump the PE when the program copy it, second is to break on SetThreadContext and put a breakpoint on the new entrypoint.
A sequence of command line escape codes is sent over the network and forms the flag if read with the tool more.
An interactive server implements a login challenge with a variant of Diffie-Hellman on the group of permutations of the Rubik’s cube. After computing a discrete logarithm on this (non-abelian) group, we can compute the handshake to log in as admin and obtain the flag.
We’re given two files: an ELF binary counter
, and some data code
. The goal of the challenge is then to find the output of ./counter 9009131337
. Keywords: reverse engineering, virtual machine, hailstone sequence, fibonnaci modulo
We’re given a webapp performing text2speech on a maximium of 4 tweets. Exploiting an remote command injection in the dockerized script generating the audio allows to decode remotely the flag before exfiltrating it using text2speech.
The flag is encrypted with ElGamal and an additional layer of custom fully-homomorphic encryption. We can recover the FHE key under known-message attack by solving a linear system. The group used for ElGamal is weak (its order has small prime factors), so we can compute a discrete logarithm to recover the secret exponent and decrypt the flag.
The same flag is encrypted 5 times with RSA small public exponent and linear padding. The generalization of Håstad’s broadcast attack and the Coppersmith method allow to recover the flag.
In this post I will explain a neat way to use our own python, Qt 5.6, PyQt 5.6 version with IDA Pro, then how to use a chrooted Arch Linux 32bit to run IDA Pro in order not to pollute our host with pesky lib32-XX packages and Finally I will document installation and configuration of some useful IDA Pro plugins.
A Python byte code file was provided without the source code. After its decompilation, we noticed that each 5-byte slice of the flag was hash with MD5 and compared. After brute forcing the hashes contained in the file we got the flag.
A sever shows us random looking numbers and we have to predict the output of the next number. The numbers were generated using a linear congruential generator. Using the Marsaglia method we were ale to fully recover the parameters of the PRNG and thus predict the number sequence.
Elf binary asking for a flag. The binary was packed by UPX then poorly obfusctated using the movfusator, just looking at the assembly, a mov R2, 0xXX pattern appears, using a ida script to grab all mov R2 yield the flag.
Elf binary asking for username/password, the username is used to compute a seed to srand, which then get use to substract rand() with every 4 bytes of the password.
We received a USB PCAP of an update transaction between a computer and Amazon Kindle. After reconstructing the update, we used a tool called KindleTool in order to deobfuscate the binary, then we used some python code to inflate the malformed gzip inside.
C++ binary with weird strings inside, using a table of indexes with this strings led us to the flag.
Part of the private RSA key is deleted. However, we can extract e,d,p,q which is sufficient to reconstruct the private key.
The audio file spectogram displays the flag.
RSA signature over an unknown elliptic curve.
The challenge is to create a plaintext with a given prefix that will result in a AES CBC-MAC mode using PKCS#7 padding.
This challenge is about a binary with a custom implemented heap. With a use after free, it is possible to corrupt the double linked free list and have the address of a chunk written at an arbitrary address. With that we overwrite the saved return pointer with the address of the shellcode and pop a shell.
Remote binary asks for 13 values, looking at the binary we find out that the condition is a system of linear equations over 32-bit signed integers. We find the equations from the binary and solve them to find the unique solution.
To authenticate on a server we had to provide a message signed with a RSA private key. Hopefully the server allows us to sign any message except the one requested with the same key.
Here is another solution to a pwn challenge. They are no vulnerability per say, but a rather interesting way of getting code execution through floating point arithmetics.
Here is a solution to the second pwn challenge butterfly
. This is not your usual buffer overflow, but rather a nice demonstration on how bit flips can be dangerous!
This entry level pwnabel challenge proposes a use-after-free vulnerability that is used to inject commands in a call to system.
Public-key based authentication protocol for which we had to write a client, after finding credentials through SQL injection.
A PCAP including a base64 zip file and a cleartext password; a wrong CRC preventing straightforward decryption.
Kriptovor is a real ransomware, we analyzed the pcap, found the privatekey in the second email send by the malware, we then installed Delphi and use the lockbox3 library to decrypt with the RSA private key the AES key that was used to encrypt the flag.
After connecting to a socket, we received some character that looks like morse code. We use a python script to decode it, then it looks like base36, we decode it and we found a string asking us to send the sha256 of it. We send it back using the same encoding scheme which gave us the flag.
We received a invest.pcapng file which contains a schematic, encrypted files and a binary chain. Once the binary chain was passed in the schematic we obtained a password to decrypt with OpenSSL the files. The resulting file is a Word document with the Flag inside.
The task is a usb pcap where two files were transfered. The trick was to take each odd packet number and take 0x708 of each to create the first file, use the even for the 2nd file. We were left with two Libreoffice ods file. In the 2nd one, we found a table and a weird alphabetic suite which used against the table give us the flag.
We got a pcap, the problem was obvious from the challenge name (heartbleed). Given the RSA-2048 pubkey we sought for prime numbers of around 1024 bits in the pcaps, then reconstructed the private key and used it to decrypt the encrypted part of the session, which contained the flag.
The microwave application is used to let your microwave tweets you favorite food. We identified two vulnerabilities in the binary: a string format and a buffer overflow. The string format allowed us to leak the canary and some addresses of the libc. Those were then used to exploit the buffer overflow and access the flag.