@ihciah
Created February 12, 2016 09:43
Pwnable.kr crypto1 writeup

ihciah@gmail.com

In this challenge we can input a username and a password; the server then returns the encryption of the string {username}-{password}-{cookie}, where the cookie is unknown to us.

Since CBC mode is used, each run of 32 characters in the encrypted hex string is one 16-byte block, and its value depends only on the previous ciphertext block and the corresponding 16 bytes of the plaintext.

So if we enter "A"*16 as the username and vary the password, the first 32 characters of the encrypted output stay the same.

This lets us brute-force the cookie one character at a time.

Case A: username = "-"*13 + x, password = "", so the string starts with "-"*15 + x

Case B: username = "-"*13, password = "", so the string starts with "-"*15 + cookie

We vary x and compare the first 32 characters, then the next 32, and so on, extending the known prefix by one character per position.
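The block-alignment recovery described above, simulated locally as an added example (not the gist's code): the server is replaced by a local oracle, and since the attack relies only on the CBC chaining structure C_i = E_k(P_i XOR C_{i-1}), a keyed SHA-256 stand-in replaces AES; the cookie, key and IV are constructed values.

```python
import hashlib
import string

BLOCK = 16
ALPHABET = string.ascii_lowercase + string.digits + "_-"

# Constructed values for the local oracle (assumptions, not the challenge's real secrets).
SECRET_COOKIE = "demo_cookie_42"
KEY = b"constructed-key!"
IV = bytes(BLOCK)

def _block_fn(x: bytes) -> bytes:
    # Keyed stand-in for the AES block encryption (assumption): deterministic 16-byte output.
    return hashlib.sha256(KEY + x).digest()[:BLOCK]

def cbc_encrypt_hex(plaintext: bytes) -> str:
    # PKCS#7 pad, then chain as CBC does: C_i = E_k(P_i XOR C_{i-1}).
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = IV, []
    for i in range(0, len(data), BLOCK):
        prev = _block_fn(bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out).hex()

def oracle(username: str, password: str = "") -> str:
    # Mirrors the challenge: encrypt "{username}-{password}-{cookie}" and return hex.
    return cbc_encrypt_hex("{}-{}-{}".format(username, password, SECRET_COOKIE).encode())

def recover_cookie(max_len: int = 64) -> str:
    # Byte-at-a-time recovery: align cookie[n] on the last byte of a block, then
    # compare that block's 32 hex chars against every candidate character.
    known = ""
    for n in range(max_len):
        shift = BLOCK * ((n + 2) // BLOCK)          # extra whole blocks once n >= 14
        count = 2 * (shift + BLOCK)                  # hex chars up to the target block
        target = oracle("-" * (13 - n + shift))[:count]   # "--" separators make 15-n+shift dashes
        prefix = "-" * (15 - n + shift) + known
        for c in ALPHABET:
            if oracle(prefix + c)[:count] == target:
                known += c
                break
        else:
            break   # nothing matched: the target byte is PKCS#7 padding past the cookie's end
    return known
```

The loop ends on its own once the aligned byte is padding rather than a cookie character, which is the same condition that makes the gist's script hit its assertion.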

Running the simple script below recovers the cookie:

you_will_never_guess_this_sugar_honey_salt_cookie

Then compute the password as hashlib.sha256("admin"+"you_will_never_guess_this_sugar_honey_salt_cookie").hexdigest()

Enter the username admin with that password to get the flag.

# Python 2 / pwntools script against the challenge server (pwnable.kr, port 9006).
from pwn import *
import string

cookie = "a"    # placeholder; grows by one recovered character per position
alphabet = string.ascii_lowercase + string.digits + "_-"

def getkey(a):
    # One oracle query: send username `a` and an empty password,
    # return the hex ciphertext the server prints between parentheses.
    p = remote("pwnable.kr", 9006)
    p.recvuntil("ID")
    p.sendline(a)
    p.recvuntil("PW")
    p.sendline("")
    r = p.recvuntil(")")
    p.close()
    return r[r.find("(") + 1:r.find(")")]

def guess(n):
    # Recover cookie[n]. The username length is chosen so that cookie[n]
    # lands on the last byte of a block; that block's 32 hex characters
    # then depend only on the known prefix plus the one unknown byte.
    global cookie
    count = ((n + 2) / 16 + 1) * 32            # hex chars up to and including that block
    pre_padding = "-" * (15 - n + 16 * ((n + 2) / 16)) + cookie[:n]
    real = "-" * (13 - n + 16 * ((n + 2) / 16))
    key = getkey(real)[:count]                 # reference blocks containing the real cookie[n]
    print "count:", count
    print "pre_padding:", pre_padding
    print "real:", real
    print "key:", key
    for i in alphabet:
        print i
        if getkey(pre_padding + i)[:count] == key:
            print "cookie got:", n, i
            cookie = cookie[:n] + i + cookie[n + 1:]
            return
    # No candidate matched: either the alphabet is incomplete or we have
    # run past the end of the cookie into the padding bytes.
    print "Error."
    print "Guessed:", cookie[:n]
    assert False

map(guess, range(0, 64))
print cookie