🐺 Verifier#

Welcome to my new verifier system, hope to be safe ;P Wolves are social animals

Code#

1
from Crypto.Util.number import *
2
from random import getrandbits
3

4
SIZE = 64
5
FLAG = bytes_to_long(b'NHNC{FAKE_FLAG}')
6
e = 37
7
p, q = getPrime(1024), getPrime(1024)
8
while ((p-1)*(q-1)) % e == 0 :
9
    p, q = getPrime(1024), getPrime(1024)
10
N = p*q
11

12
print("=== ICEDTEA Verifier 1.0 ===")
13

14
while True:
15
    OTP = getrandbits(SIZE)
16
    print(f"signed: {pow(OTP, e, N)}")
17
    TRIAL = int(input("OTP: "))
18
    if TRIAL == OTP:
19
        print(f"signed: {pow(FLAG, e, N)}")
20
        continue
21

22
    print(f"Invalid OTP, {OTP}")

To get the flag we need to do a two things. First we need to input the correct OTP, then we need to decrypt the RSA signed flag

Vulnerability#

The first vulnerability lies in using pythons getrandbits functions. Since pythons random library uses a Mersenne Twister we are able to predict the next input given a few inputs. We can use any Mersenne Twister cracker libarary in python like this

The second lies in being able to connect to the instance multiple times with different values of N. First we can get N from the multiple signed OTPs. Then we can do a Håstad’s broadcast attack to recover the signed flag

Exploit#

1
import math
2
from pwn import *
3
from mt19937_crack import RandomSolver
4
from Crypto.Util.number import *
5
from sympy.ntheory.modular import crt
6
import gmpy2
7

8
e=37
9
def getnextguess(l):
10
    randomSolver = RandomSolver()
11
    for i in l:
12
        randomSolver.submit_getrandbits(i, 64)
13
    return randomSolver
14

15
Nlist = []
16
flaglist = []
17

18
for _ in range(10):
19
    io = remote('160.187.199.7', 31337)
20

21
    io.recvline().decode() # get the introduction line
22

23
    #Set up lists for otps and calculating the N val
24
    otps = []
25
    ns = []
26

27
    for i in range(312):
28

29
        o = io.recvline()
30
        c = int(o.decode().split(':')[1].strip(" \n'")) # get the signed otp
31

32
        io.sendline(b"1")
33

34
        o = io.recvline()
35
        num = int(o.decode().split(',')[1].strip(" \n'")) # get the real otp
36

37
        otps.append(num)
38

39
        m = pow(num, e) - c
40
        ns.append(m)
41

42

43
    # Now we can find the N using the multiple signed OTPs
44
    N_candidate = ns[0]
45
    for i in range(1, len(ns)):
46
        N_candidate = math.gcd(N_candidate, ns[i])
47
    Nlist.append(N_candidate)
48

49
    s = getnextguess(otps)
50
    s.solve()
51

52
    io.recvline()
53
    io.sendline(str(s.getrandbits(64)).encode()) # Send the predicted OTP
54

55
    o = io.recvline()
56
    encrypted_flag = int(o.decode().split(':')[2].strip(" \n'"))
57

58
    flaglist.append(encrypted_flag)
59
    io.close()
60

61
    # Use chinese remainder theorem to get the flag using the values so far
62
    C, _ = crt(Nlist, flaglist)
63
    m_recovered, exact = gmpy2.iroot(C, e)
64
    print(long_to_bytes(m_recovered))

After running this code for a few minutes we can get our flag like so

1
[+] Opening connection to 160.187.199.7 on port 31337: Done
2
[*] Closed connection to 160.187.199.7 port 31337
3
b'\x94\xde\xa7lU\x14\xad'
4
[+] Opening connection to 160.187.199.7 on port 31337: Done
5
[*] Closed connection to 160.187.199.7 port 31337
6
b'a\x82Q\x04\xbb.\xe9\x98\x1a\xe7\xa6\xca\x88\xbd'
7
[+] Opening connection to 160.187.199.7 on port 31337: Done
8
[*] Closed connection to 160.187.199.7 port 31337
9
b';U\x82T\x85\xf2 \x86Z\x10\xfa\xdb\x1e\xc2\xd2%\xd9\xb0e)+'
10
[+] Opening connection to 160.187.199.7 on port 31337: Done
11
[*] Closed connection to 160.187.199.7 port 31337
12
b"'\xf1\xa2\x04\x91\xc6\xd8\x88(\x11\xad\xb1\xd4N*I\xc2$\xed\xa1J\x7f\x87w|\x03\xcb\xb1"
13
[+] Opening connection to 160.187.199.7 on port 31337: Done
14
[*] Closed connection to 160.187.199.7 port 31337
15
b'\x186\x9d\xad\xcf\x8c\xbf\x01\xa8N\xe7}\xfa\xa6\x1b\x18N&}\xc11\xd4o\x9a\xb2HP\xab\x8d$\x0f\xb8\xb1<\xa3'
16
[+] Opening connection to 160.187.199.7 on port 31337: Done
17
[*] Closed connection to 160.187.199.7 port 31337
18
b'\x0f\xb63\x8e\xc5\xb4\xa4K\xd88\x89\xc4\x17Ft\x86i\x0b\xb0\x8a>\x18\xb5R\x8d\x05\xac\xa7\xe3\xe9\xae\x02Bw\xf4\xbf\x08\x0f\r\xfc\xba\r'
19
[+] Opening connection to 160.187.199.7 on port 31337: Done
20
[*] Closed connection to 160.187.199.7 port 31337
21
b'\t\xe4@\x03\x996\xe1\xc3\x0f\x8a\xd5\x80I\x0e\xb0\xb2o\x83\x8e9\xb1\x19\x93\xc9\xb6\xec<D\x16g/l\xf8\x81\xdco\xfc\xb4j(\xefJ\xcd\xa8+A}\xe9\xd6'
22
[+] Opening connection to 160.187.199.7 on port 31337: Done
23
[*] Closed connection to 160.187.199.7 port 31337
24
b'NHNC{using_big_intergers_in_python_is_still_a_pain}'

Conclusion#

Don’t use pythons random library for OTPs since it can be predicted. Don’t let users get the same encrypted message with the same N or else it can be revealed.