This write Up present the resolution of the Save The World Crypto Challenge proposed during the BreizhCTF 2k18 this Week end.
This challenge has been solved 1 time and was rewarded of 275 points.
Introduction
This Challenge was presented with this message :
L’un de nos agents infiltré en Poldavie nous a envoyé un message suivi d’une trame Pcap, récupérez les codes de désactivation nucléaire afin d’éviter l’apocalypse !
followed by two files :
SOS.txt
bzh.pcap
The SOS.txt file contains the following message :
Je vous annonce que la Poldavie a officielement enclenché le processus d’attaque nucléaire.
Les missiles sont armés et sont programmés à se lancer le samedi 21 Avril 2018 09h AM GMT+2. Le monde entier est visé, tout les pays à l’exception de la Poldavie seront rayé des cartes.
Le seul moyen d’éviter l’apocapypse serait de trouver le code de désactivation nucléaire.
Ce code est contenu dans un serveur extrêmement sécurisé et accessible uniquement aux généraux Poldaves.
Néanmoins j’ai réussi à y avoir un accès physique et sniffer tout ce qui pouvait y entrer et sortir >pendant quelques minutes.
A première vue, pendant ce temps une vingtaine de généraux ont récupérés ce code sur le serveur :
Le serveur récupère la clé publique du général et lui envoi le code chiffré via RSA.
Pour l’instant c’est tout ce que j’ai pu en tirer, envoyez le tout à vos experts en cryptologie et >prions pour qu’ils puissent trouver un moyen de récupérer ce code…
N’oubliez pas, si le code n’est pas retrouvé avant 9h, nous sommes tous perdus…
Bond
We can extract from this message the following interesting informations :
The attached pcap contains the communications between the generals and the secure server
Around 20 generals recovered the wanted secret code
The secret code is ciphered by RSA
Analysis of the pcap file
Now let’s see what does contain the bzh.pcap :
The first reflex we can have is to open it on wireshark and see what does this pcap is looking. In that case, if we analyse a litte bit, we observe some communication between generals and the server.
We can determine :
All generals have differents IP addresses
The IP address of the Central server is **192.168.56.105**
The generals and the Central server communicate by simple tcp packets without encryption : The public keys used to the encryption are plain.
Extracting the TCP streams from the pcap
We know that around 20 generals recover the secret code in this pcap, in order to get all the streams of this pcap in differents files, I propose the following bash script :
Note : This script must be run from a no-root user
It will extract all the different tcp streams found in the bzh.pcap into the output directory.
This is the list of the extracted files :
exactly 20 tcp streams have been extracted, let see now what are they looking like :
We can clearly recognize the Public Key <-> cipher exchange, both encoded in base64.
Analysis of the RSA public keys
Now, analyze the public keys to determine if they are vulnerable to known attacks :
This is the information from the first public key (general-0.pcap) :
We can see that the key size is 2048 bits, and the public exponent 65537… Nothing show that a possible vulnerability exists.
You can run any existing tools to crack this key, but nothing will return. It seems to be a perfect secure public key :/ (for the time being)
But, we have to keep hope and analysing the other keys, because some keys later… we can fiund this key :
This public key (key5.pem) has been extracted from the general-5.cap stream.
The difference with the other common keys is that the public exponent is 3 !
And if we analyse all the keys, we cand find that 4 other keys have this small exponent !
This is the list of the keys that they have 3 as public exponent :
general-5.cap
general-6.cap
general-12.cap
general-15.cap
general-19.cap
It’s time to see what we can do with this… :)
Attacks against low public exponent : the Coppersmith's / Broadcast attack
A lot of attacks exists against low public exponent, but in our case one is the more suitable : the Coppersmith’s attack.
z
First, I will Introduce the technical attacks, from which mathematical properties this attack is possible.
And after that I will give an example by cracking the secret code of our chall :)
A little bit of mathematics :)
Some Reminder
RSA
Naively, we can assume that we can revover the cipher from the public exponent this way :
But it can’t work because :
That is why we use padding to ensure that M^e > N
For our attack, we will need a famous cryptographic algorithm : CRT - Chiness Remainder Theorem
Let M the plain message
Let (e1,N1), (e2,N2) and (e3,N3), 3 public key pairs such as e1 = e2 = e3 = 3 and N1 ≠ N2 ≠ N3
Let c1, c2, c3 : 3 ciphers respectively encrypted by the 3 public keys
Then :