[Crypto] []root

CTFtime.org / BSides San Francisco CTF / []rootCTFtime

Our guy inside e-corp was able to get that packet capture of their backend PKI you asked for. Unfortunately it seems they’re using TLS to protect the modulus fetch. Now, I have been told that the best crackers in the world can do this in 60 minutes. Unfortunately I need someone who can do it in 60 seconds.

Note: Flag does not follow the "Flag:" format but is recognizable

e_corp_pki.pcapng

e_corp_pki.pcapng를 와이어샤크를 통해 열면 아래와 같은 모습이다.

서버 인증서와 RSA 퍼블릭 키를 갖고 있는 Server Hello에 해당하는11번 프레임으로부터 n과 e를 알아낸다.

e는 31337이다.

n 값을 hex에서 decimal로 변환하면 아래와 같다.

❯ python -c "print(int('0x726f6f7400000000000000000000000000000000001b000000000000000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001fffff7777777b00000000000000001ffffffffffffb00000000000000001ffffffffffb0000000000000000001ffffffffffb0000000000000000001ffffffffffffb00000000000000001fffff2222222b00000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001ffffb0000000000000000000000001ffffb00000000000000265293c4422be3532638feeb2a635e865e5bccd4862d1491f8e46ed41afdab32ab1e913c296c45a723a371cc4ad218d273a494ac501a1c677576b84d3a1700b24e38f3d7c8090c952767f8a9da532eb4496a953fa2b2641f93af58321e491ad6b3e1f6600ea1757635a2d47562dff2f245bfc8ed511420931de246d56334d8897d6465b227f6c095ece1ad994c7551f08dbc21f8b40691ee51f5f72d052d9352062f90b0e7c52c2eb18196c2c985101af4eac67499396c6241ad4f2439ed11f87d67e73a239b865c45d65a61cf0f56082de831b97fb28ae8222a7195e0ec06c08281ffc16e7106e77e68b8c4510424beeb5582fe21cc345f53534682b75c368d73c9', 16))"
119514949101869418903318873112867362646835071069241106524305309393065463453656568774743760570131693630159578791023971219610889380592598543536351234572467281587006324435481617535146537233169791976943380665697114009764947413190424965605151568078201516319476934559728328089096265594820785319942352507655193149106742096711100954500911687865197173709176323170965183162767042434738106978751911965481346436431672573623281881734153294758147557422163198312359915688282919868328721978258906227136067834058632472297370857579705187167410321575782375360591482072103305682978126915060591553714123014075758332542543138964874724542072396937584280625337262888775332970921021304750133076287918708895881009630077473404974677880966925170111450054682589858406625668247502091263399827525224215993035344424566568011928443888310172591327112851125472052921219080258671669993973898127049957265386657286586085405099815473365810806674154776699651214819118383817272562813199977233417411126959716068072338393084310289588450441128514416597910759814182527294940228828417785903441042114817369303389645545333054503129561885740632378715731405799144085706505382819066670726261358910837171602305916072912729756717338147737273166145500948558122541808933901885205278570148809

decimal로 변환한 n 값을 http://factordb.com에 넣으면 아래와 같이 p와 q 값을 얻을 수 있다.

p: 345709341936068338730678003778405323582109317075021198605451259081268526297654818935837545259489748700537817158904946124698593212156185601832821337576558516676594811692389205842412600462658083813048872307642872332289082295535733483056820073388473845450507806559178316793666044371642249466611007764799781626418800031166072773475575269610775901034485376573476373962417949231752698909821646794161147858557311852386822684705642251949742285300552861190676326816587042282505137369676427345123087656274137257931639760324708350318503061363031086796994100943084772281097123781070811610760735943618425858558459014484742232018933
q: 345709341936068338730678003778405323582109317075021198605451259081268526297654818935837545259489748700537817158904946124698593212156185601832821337576558516676594811692389205842412600462658083813048872307642872332289082295535733483056820073388473845450507806559178316793666044371642249466611007764799781626418800031166072773475575269610775901034485376573476373962417949231752698909821646794161147858557311852386822684705642251949742285300552861190676326816587042282505137369676427345123087656274137257931639760324708350318503061363031086796994100943084772281097123781070811610760735943618425858558459014484742232019973

아래의 파이썬 코드를 통해 프라이빗 키를 계산해 priv.key 파일로 저장한다.

from Crypto.PublicKey import RSA
import gmpy2

n = 119514949101869418903318873112867362646835071069241106524305309393065463453656568774743760570131693630159578791023971219610889380592598543536351234572467281587006324435481617535146537233169791976943380665697114009764947413190424965605151568078201516319476934559728328089096265594820785319942352507655193149106742096711100954500911687865197173709176323170965183162767042434738106978751911965481346436431672573623281881734153294758147557422163198312359915688282919868328721978258906227136067834058632472297370857579705187167410321575782375360591482072103305682978126915060591553714123014075758332542543138964874724542072396937584280625337262888775332970921021304750133076287918708895881009630077473404974677880966925170111450054682589858406625668247502091263399827525224215993035344424566568011928443888310172591327112851125472052921219080258671669993973898127049957265386657286586085405099815473365810806674154776699651214819118383817272562813199977233417411126959716068072338393084310289588450441128514416597910759814182527294940228828417785903441042114817369303389645545333054503129561885740632378715731405799144085706505382819066670726261358910837171602305916072912729756717338147737273166145500948558122541808933901885205278570148809
e = 31337
p = 345709341936068338730678003778405323582109317075021198605451259081268526297654818935837545259489748700537817158904946124698593212156185601832821337576558516676594811692389205842412600462658083813048872307642872332289082295535733483056820073388473845450507806559178316793666044371642249466611007764799781626418800031166072773475575269610775901034485376573476373962417949231752698909821646794161147858557311852386822684705642251949742285300552861190676326816587042282505137369676427345123087656274137257931639760324708350318503061363031086796994100943084772281097123781070811610760735943618425858558459014484742232018933
q = 345709341936068338730678003778405323582109317075021198605451259081268526297654818935837545259489748700537817158904946124698593212156185601832821337576558516676594811692389205842412600462658083813048872307642872332289082295535733483056820073388473845450507806559178316793666044371642249466611007764799781626418800031166072773475575269610775901034485376573476373962417949231752698909821646794161147858557311852386822684705642251949742285300552861190676326816587042282505137369676427345123087656274137257931639760324708350318503061363031086796994100943084772281097123781070811610760735943618425858558459014484742232019973
assert(n == p * q)

phi = (p - 1) * (q - 1)
d = int(gmpy2.invert(e, phi))
key = RSA.construct((n, e, d))

f = open('priv.key', 'w')
f.write(key.exportKey().decode())
f.close()

생성된 priv.key를 와이어샤크에 로드하여 복호화된 TLS 트래픽을 확인한다.

먼저, e_corp_pki.pcapng를 열고 Preferences > Protocols > TLS > Edit에서 아래와 같이 키를 로드하고 OK를 누른다.

e_corp_pki.pcapng에 명시된 문제의 조건에 맞게 IP 주소는 4.3.2.1, 포트는 443, 프로토콜은 http로 설정하였다.

아래와 같이 11번 프레임을 오른쪽 클릭한 후 TLS 스트림을 추적한다.

결과는 아래와 같다.

non-zero bytes가 연속으로 나오는 뒷 부분만 떼어내어 디코딩하는 파이썬 코드는 아래와 같다.

import binascii

flag = '666c61673a7768656e5f736f6c76696e675f70726f626c656d735f6469675f61745f7468655f726f6f74735f696e73746561645f6f665f6a7573745f6861636b696e675f61745f7468655f6c6561766573'

try:
    print(binascii.unhexlify(flag).decode())
except:
    print(binascii.unhexlify('0' + flag).decode())

flag:when_solving_problems_dig_at_the_roots_instead_of_just_hacking_at_the_leaves