docs: Add crypto writeups

sbencoding · sbencoding · commit a79c78f7747f · 2023-03-25T18:14:28.000+01:00
diff --git a/crypto/ancient_encodings.md b/crypto/ancient_encodings.md
@@ -0,0 +1,11 @@
+# Ancient encodings (very easy)
+This challenge just base64 encodes the input, converts it to bytes and writes the hex representation.
+
+To solve this we just do the inverse operation on all of these in reverse order.
+
+```python
+import base64
+content = open('./output.txt', 'r').read()
+cont = bytes.fromhex(content[2:])
+print(base64.b64decode(cont).decode('utf-8'))
+```
diff --git a/crypto/multipage_recyclings.md b/crypto/multipage_recyclings.md
@@ -0,0 +1,97 @@
+# Multipage recyclings (easy)
+This challenge was about exploiting some leak from the encryption process.
+
+Let's see first how the challeng encrypts things:
+```python
+    def encrypt(self, message):
+        iv = os.urandom(16)
+
+        ciphertext = b''
+        plaintext = iv
+
+        blocks = self.blockify(message, 16)
+        for block in blocks:
+            ct = self.cipher.encrypt(plaintext)
+            encrypted_block = self.xor(block, ct)
+            ciphertext += encrypted_block
+            plaintext = encrypted_block
+
+        return ciphertext
+```
+
+* For the cipher AES ECB is used.
+* A random IV is chosen
+* The input is converted into 16 byte blocks
+* The IV is encrypted = `ct`
+* The plaintext block is xored with `ct` = `encrypted_block`
+* `encrypted_block` is used as IV for the next iteration
+
+Now let's see how the leak works:
+
+```python
+def leak(self, blocks):
+    r = random.randint(0, len(blocks) - 2)
+    leak = [self.cipher.encrypt(blocks[i]).hex() for i in [r, r + 1]]
+    return r, leak
+```
+
+Okay leak chooses 2 random consecutive blocks, encryptes them, and return the indices and the encrypted result.
+
+Finally let's look at how main uses these 2 functions:
+
+```python
+    aes = CAES()
+    message = pad(FLAG * 4, 16)
+
+    ciphertext = aes.encrypt(message)
+    ciphertext_blocks = aes.blockify(ciphertext, 16)
+
+    r, leak = aes.leak(ciphertext_blocks)
+```
+
+* The message will be the flag repeated 4 times.
+* We encrypt the message
+* We leak from the encrypted message
+
+From the output we know that blocks 3 and 4 were leaked.
+Now how can we exploit this?
+
+We know how a certain encrypted block is generated
+`E = encrypt(P) ^ C`, where
+* `E` is the new encrypted block
+* `P` is the IV for the current iteration
+* `C` is the current plaintext block
+
+But we know that `E` will become `P` in the next iteration:
+`F = encrypt(E) ^ D`, where
+* `F` is the new encrypted block
+* `E` is the encrypted block from the previous equation
+* `D` is the current plaintext block
+
+So for the second equation it is the case that we know:
+* `F` - because this is in the cipher text
+* `encrypt(E)` - because this is a block that was leaked
+
+So `D = F ^ encrypt(E)`.
+
+We can recover 2 plaintext blocks, by xoring an encrypted, leaked block with the cipher text block that has index one higher.
+
+Here is my script to solve the challenge:
+```
+ct = 'bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624'
+r = 3
+phrases = ['8b6973611d8b62941043f85cd1483244', 'cf8f71416111f1e8cdee791151c222ad']
+
+def blockify(message, size):
+    return [message[i:i + size] for i in range(0, len(message), size)]
+
+def xor(a, b):
+    return b''.join([bytes([_a ^ _b]) for _a, _b in zip(a, b)])
+
+ct = bytes.fromhex(ct)
+blocks = blockify(ct, 16)
+print(xor(blocks[4], bytes.fromhex(phrases[0])))
+print(xor(blocks[5], bytes.fromhex(phrases[1])))
+
+# HTB{CFB_15_w34k_w17h_l34kz}
+```
diff --git a/crypto/perfect_synchronization.md b/crypto/perfect_synchronization.md
@@ -0,0 +1,17 @@
+# Perfect synchronization (very easy)
+This challenge is about using frequency analysis to break encryption.
+
+The flag is encrypted, such that each character is passed to AES ECB encryption.
+This means that the same letters will generate the same cipher text as well.
+Further more the range of input is limited to upper case letters, curly braces `_`, and space.
+
+Now the challenge did drop the hint to use the `quipqiup` tool, however I couldn't manage to figure out during the contest how to make it work so I just did it by hand.
+
+I wrote a simple script to analyse the frequency of the strings.
+Here I have found 2 strings with frequency of 1, these must be the curly braces for the flag!
+
+Then we also know that before the opening brace the strings must correspond to HTB
+
+From here it was a matter of substituting all occurrences of a string with the letter we know it corresponds to, and then finding words we can guess the letters of, for example: `THE`, `THAT` already had most letters revealed, just by knowing `HTB`.
+
+I continued this process until enough letters were revealed so that the flag is completely known.
diff --git a/crypto/small_steps.md b/crypto/small_steps.md
@@ -0,0 +1,72 @@
+# Small steps (very easy)
+In this challenge textbook RSA will be exploited.
+
+```python
+    def __init__(self):
+        self.q = getPrime(256)
+        self.p = getPrime(256)
+        self.n = self.q * self.p
+        self.e = 3
+
+    def encrypt(self, plaintext):
+        plaintext = bytes_to_long(plaintext)
+        return pow(plaintext, self.e, self.n)
+```
+
+This is the RSA encrypt, implementation the challenge uses.
+
+We get the encrypted value, `n` and `e` from the remote.
+
+The vulnerability here is that `e` is too small, 3 in this case.
+When `e` is too small `M^e mod n` becomes `M^e` since it will never go above `n` for certain messages.
+
+This means that we can just take the third root of the encrypted message and get back the flag.
+
+Adapting the solver script with my solution in the `pwn` function
+
+```python
+# This script is not necessary for the challenge but may be useful in the
+# future.
+from pwn import *
+import gmpy2
+from Crypto.Util.number import long_to_bytes
+
+# This function takes in binary data and converts it to ASCII.
+def toAscii(data):
+    return data.decode().strip()
+
+
+# This function sends the string "E" to the server and retrieves the public key
+# and encrypted flag that are returned. The public key consists of two parts:
+# N and e.
+def choiceE():
+    r.sendlineafter(b"> ", b"E")
+    r.recvuntil(b"N: ")
+    N = eval(toAscii(r.recvline()))
+    r.recvuntil(b"e: ")
+    e = eval(toAscii(r.recvline()))
+    r.recvuntil(b"The encrypted flag is: ")
+    encrypted_flag = eval(toAscii(r.recvline()))
+    return N, e, encrypted_flag
+
+
+# This function serves as the main logic of the solver script. It calls
+# `choiceE()` to retrieve the public key and encrypted flag and prints them.
+def pwn():
+    N, e, encrypted_flag = choiceE()
+    print(N, e, encrypted_flag)
+    pt = gmpy2.iroot(encrypted_flag, e)
+    print(long_to_bytes(pt[0]))
+
+# This block handles the command-line flags when running `solver.py`. If the
+# `REMOTE` flag is set, the script connects to the remote host specified by the
+# `HOST` flag. Otherwise, it starts the server locally using `process()`.
+if __name__ == "__main__":
+    if args.REMOTE:
+        ip, port = args.HOST.split(":")
+        r = remote(ip, int(port))
+    else:
+        r = process(["python3", "server.py"])
+
+    pwn()
+```
