asciioverflow (TUCTF)
asciioverflow is a CTF team based out of the University of Tulsa.
http://asciioverflow.com/
Tue, 06 Sep 2016 14:32:18 -0500
Secure Auth Writeup
<p>NOTE:
This isn't a formal proof, it's an intro to the witchcraft that is public-private encryption.</p>
<p>Pre-Reqs:
A knowledge of modern algebra (aka abstract algebra) is extremely helpful in public key encryption.
Knowledge of how RSA works is assumed.
If you haven't been exposed to this yet, read the wiki on RSA.</p>
<p>There are two challenges here: first figure out the public key, then execute the RSA blinding attack.</p>
<h2>Part 1, getting n and e</h2>
<p>How do you get n and e if you only have plaintext and signatures?</p>
<p>Step 1, get e. For this you have to guess. It is a common e (a hint given), and it is 65535.</p>
<p>Step 2, get n... This is not as trivial and requires an oracle (something that does encryption behind closed doors and gives us the results). You need a few signed messages to get the public key.</p>
<p>I will go over the steps / quasi proof for calculating N by using a small example.</p>
<p>Suppose the following:
$$q = 11$$
$$p = 3$$
$$n = qp = 33$$
$$\phi(n) = (q-1)(p-1) = 20$$
$$e = 7$$
$$d = 3$$</p>
<p>Now let's do some encrypting (remember, signing is encrypting something with your private key, so anyone with your public key can decrypt it).</p>
<p>$$m = \text{plaintext}$$
$$c = \text{signature}$$
$$d = \text{private key}$$
$$e = \text{public key}$$
$$n = \text{modulus}$$
$$\iff = \text{if and only if}$$</p>
<p>We know the basic formula to sign a message:
$$c = m^d \mod n$$</p>
<p>Now let's take it back to the original (how someone would verify the signature):
$$c^e \mod n = (m^d \mod n)^e \mod n = m^{de} \mod n = m$$</p>
<p>Now let's do that again, but take away the last modulus:
$$c^e = (m^d \mod n)^e = ? \neq n$$</p>
<p>What does this equal? Since the equation with the modulus was equal to m, when we take away the modulus we are left with the m plus some factor of n:
$$c^e = m + kn$$</p>
<p>If we subtract m we are left with:
$$c^e - m = kn + m - m = kn$$</p>
<p>How do we factor k out? We use gcd. This is where we need 2 messages: \(m_1\) and \(m_2\).</p>
<p>$$m_1^d \mod n = c_1$$
$$m_2^d \mod n = c_2$$</p>
<p>$$c_1^e-m_1 = k_1n$$
$$c_2^e-m_2 = k_2n$$</p>
<p>$$\gcd(c_1^e-m_1, c_2^e-m_2) = \gcd(k_1n, k_2n) = n$$</p>
<p>Let's give it a shot:
$$m_1 = 2$$
$$m_2 = 3$$</p>
<p>$$c_1 = 2^3 \mod 33 = 8$$
$$c_2 = 3^3 \mod 33 = 27$$</p>
<p>$$\gcd(8^7-2, 27^7-3) = \gcd(2097150, 10460353200) = 1650 \neq n$$</p>
<p>Uh oh... It didn't work... Why?
Well, let's break down the numbers.
We know \(c^e - m = kn\) so:
$$2097150 = 63550 \times 33$$
$$10460353200 = 316980400 \times 33$$</p>
<p>$$\gcd(63550, 316980400) = 50$$</p>
<p>$$1650 / 50 = 33 = n$$</p>
<p>So this leads us to a conclusion:</p>
<p>\(\gcd(c_1^e-m_1, c_2^e-m_2) = \gcd(k_1n, k_2n) = n \iff k_1\) and \(k_2\) are coprime</p>
<p>In the challenge we would not have been able to calculate k since we obviously didn't know n, so how do we determine if we got the right answer or not?</p>
<p>We play probabilities. We can keep chaining gcds together to our heart's content (or until we run out of space in mod n).
I would just do 3 or 4. The chance of a common factor in 4 Ks is pretty small [source needed].</p>
<p>So let's add another m to the equation:
$$m_3 = 4$$</p>
<p>$$c_3 = 4^3 \mod 33 = 31$$</p>
<p>$$\gcd(\gcd(8^7-2, 27^7-3), 31^7-4) = \gcd(1650, 27512614100) = 33$$</p>
<p>We got n! Now what?</p>
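<p>The gcd chain above as a runnable sketch, using the toy key from this section (n = 33, e = 7, d = 3). This is an added example, not code from the original write-up; the function names are made up for illustration.</p>

```python
from math import gcd

# Toy key from the write-up: p = 3, q = 11, n = 33, e = 7, d = 3.
N, E, D = 33, 7, 3


def sign(m, d=D, n=N):
    """The oracle (hypothetical helper): textbook RSA signature c = m^d mod n."""
    return pow(m, d, n)


def running_candidates(pairs, e):
    """Chain gcd over c^e - m = k*n for each (m, c); return every intermediate.

    Every value is a multiple of n. It equals n once the cofactors k_i
    no longer share a common factor.
    """
    g, out = 0, []
    for m, c in pairs:
        g = gcd(g, pow(c, e) - m)  # exact integer power, no modulus applied
        out.append(g)
    return out


def recover_modulus(oracle, e, messages):
    """Query the oracle for each message and return the final gcd candidate."""
    pairs = [(m, oracle(m)) for m in messages]
    return running_candidates(pairs, e)[-1]


if __name__ == "__main__":
    pairs = [(m, sign(m)) for m in (2, 3, 4)]
    for (m, c), g in zip(pairs, running_candidates(pairs, E)):
        # g // N is the leftover common factor of the k_i seen so far
        print(f"m={m} c={c} candidate={g} leftover factor={g // N}")
```

<p>Python integers are exact, which matters here: computing c^e in floating point rounds the low digits, and the gcd then no longer contains n.</p>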
<h2>Part 2, performing a blinding RSA attack</h2>
<p>If you try to send the server the desired message, it kicks you. We need to craft a message such that we can get the signature on our desired message.</p>
<p>Let's do some more math!
We have
$$c = m^d \mod n$$</p>
<p>m is the message we want signed, but the server won't sign it.</p>
<p>Suppose we pick an arbitrary r that is coprime to n (and not 1):
$$r = 2..n$$</p>
<p>With that r, we generate a new m called m' as such:
$$m' = m r^e \mod n$$
Since \(m'\neq m\), the server will sign it.</p>
<p>$$c' = m'^d \mod n$$</p>
<p>Remember \(m' = m r^e \mod n\), so if we substitute and simplify:
$$c' = (m r^e \mod n)^d \mod n$$
$$c' = (m r^e)^d \mod n$$
$$c' = (m^d r^{ed}) \mod n$$</p>
<p>Remember \(a^{ed} \mod n = a\) is a primitive fact of RSA.</p>
<p>$$c' = (m^d r) \mod n$$</p>
<p>So now we have to get rid of the r. Since we chose r to be coprime to n, it has an inverse!
Now we just calculate \(r^{-1}\) using your favorite method (e.g. the extended Euclidean algorithm).</p>
<p>and thus:</p>
<p>$$c = c' r^{-1} = (m^d r r^{-1}) \mod n = m^d \mod n$$</p>
<p>and we have our signature.</p>
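<p>The blinding steps above, run against a local stand-in for the server, as an added example that is not part of the original write-up. The key (two Mersenne primes, e = 17), the refused message and all function names are constructed for the demo; the second oracle, which signs a hash of the message instead of the message itself, is an addition showing why the unblinding step stops working once the signer no longer signs raw m.</p>

```python
import hashlib
from math import gcd

# Constructed demo key (assumption, not the challenge key).
P, Q, E = 2**31 - 1, 2**61 - 1, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the oracle
FORBIDDEN = 0x666C6167             # constructed message the server refuses


def h(m):
    """Toy hash into Z_n, a stand-in for a real signature padding scheme."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N


def raw_oracle(m):
    """Textbook signer as in the write-up: c = m^d mod n, one message refused."""
    if m % N == FORBIDDEN:
        raise PermissionError("refused to sign")
    return pow(m, D, N)


def hashed_oracle(m):
    """Same refusal, but signs h(m), which is not multiplicative in m."""
    if m % N == FORBIDDEN:
        raise PermissionError("refused to sign")
    return pow(h(m), D, N)


def blind_sign_unblind(oracle, m, r):
    """m' = m * r^e mod n, c' = oracle(m'), return c' * r^-1 mod n."""
    if r % N in (0, 1) or gcd(r, N) != 1:
        raise ValueError("r must be coprime to n and not 1")
    m_blind = (m * pow(r, E, N)) % N
    return (oracle(m_blind) * pow(r, -1, N)) % N


def verify_raw(m, c):
    return pow(c, E, N) == m % N


def verify_hashed(m, c):
    return pow(c, E, N) == h(m)
```

<p>Against <code>raw_oracle</code> the unblinded value equals m^d mod n and verifies; against <code>hashed_oracle</code> the same steps return a value that fails verification, because h(m r^e) has no algebraic relation to h(m).</p>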
Thu, 11 Aug 2016 00:00:00 -0500
http://asciioverflow.com/2016/08/11/secure-auth-writeup.html
TUCTF 2016
<p>TUCTF 2016 Happened! It was (hopefully) a good experience for all, and everyone learned something (hopefully). The staff certainly did.</p>
<p>We packaged up TUCTF 2016 into a VM. <a href="http://download.asciioverflow.com/tuctf_2016/tuctf_2016.tar.gz">Download Link</a></p>
<p>If you want the Escape From Hell VM: <a href="http://download.asciioverflow.com/tuctf_2016/EscapeFromHell.tar.gz">Download Link</a></p>
<p>We are working on getting write-ups on this site, but here is the github in the meantime:</p>
<p><a href="https://github.com/ctfs/write-ups-2016/tree/master/tu-ctf-2016">github write-ups</a></p>
<h2>How we did it</h2>
<p>If you are interested in the tools we used to run TUCTF, here they are:</p>
<h3>1. CTFd</h3>
<p>This is a CTF framework from NYU Poly. It is a great framework, although we did dev on it a bit before we deployed it.</p>
<h3>2. Google cloud</h3>
<p>Every challenge had its own VM. If you want to spin up a simple VM, Google Cloud can get you from 0 to shell in less than a minute. For us it was great, but there are some limitations (custom images are VERY hard, you basically have to use their pre-built images). Total cost was around $250, though a lot of that was downloading the Escape From Hell VM (overseas data is expensive as it turns out). We also messed with AWS, but Google is so much simpler for this type of thing.</p>
<h3>3. Freenode and slack</h3>
<p>Communication is important. The hardest thing was dealing with the volume of communications.</p>
<p>That is it as far as software goes. Google gives you a $300 credit for a trial period, so we actually didn't spend any money on machines for this competition. Not including prizes, total cost was under $300, and we basically paid less than $50 out of pocket for misc expenses due to the google cloud credit.</p>
<h2>What we learned</h2>
<h3>1. Prepare for the unexpected</h3>
<p>We were going to be happy with, and thus prepared for, around 50 teams. We got over 800. We had to scramble to set up new vms and allocate all of the memory to prepare for it. Thankfully we used google cloud and it was pretty easy.</p>
<h3>2. Test your systems</h3>
<p>Thankfully there were few hitches in the CTF. We found some services that stress-tested our systems. The only major issue we had was with The Never Ending Crypto. This was a bug due to the random seed being reset every time a new person connected to it. Thankfully we were able to fix it quickly.</p>
<h3>3. Have your stuff together</h3>
<p>It took us a while to get prizes out. This was due to a couple of things, but mostly because we worked so much on the actual competition we forgot about prizes until after.</p>
<h3>4. Communication makes a good CTF</h3>
<p>As stated above, the volume of communication overwhelmed the admins. Most of the time there were around three admins and a lot of you. Two of us spent almost the entire 48 hours on IRC talking with people. It was a long weekend, but it was worth it. We got a lot of positive feedback on the helpfulness of the admins. This is intended to be an intro CTF, so we helped people who had never touched a DB do SQL injection. It was a lot of fun seeing them go "OOOOHHH!" and getting flags. If we didn't get to you, we apologize; there were at most 5 of us and at least 800 of you.</p>
<p>Would we do it again?</p>
<p>Absolutely. See you guys for TUCTF 2017.</p>
<ul>
<li>Author: themann</li>
</ul>
Wed, 06 Jul 2016 12:49:32 -0500
http://asciioverflow.com/general/2016/07/06/tuctf-2016.html
general
Welcome to TUCTF!
<p>Welcome to TUCTF's blog! We will post things from time to time about CTFs, and other.</p>
Wed, 06 Jul 2016 08:49:32 -0500
http://asciioverflow.com/general/2016/07/06/welcome-to-tuctf.html
general