Verifier 2 midnightsun 2020 quals

verifier2.py

from hashlib import sha1
from binascii import unhexlify, hexlify
import requests
import ecdsa
from ecdsa.numbertheory import inverse_mod
from Crypto.Util.number import bytes_to_long, long_to_bytes
from pwn import *

curve = ecdsa.NIST192p
order = curve.order # n

sess = remote("verifier2-01.play.midnightsunctf.se", 31337)
sess.recvuntil("> ")

msg1 = "kek1"
msg2 = "kek2"
m1 = ecdsa.util.string_to_number(sha1(msg1.encode()).digest())
m2 = ecdsa.util.string_to_number(sha1(msg2.encode()).digest())
z = (m1 - m2) % order

sess.send("1\n")
sess.recvuntil("message> ")
sess.send(msg1 + "\n")
line = sess.recvline()
sess.recvuntil("> ")

sig1 = unhexlify(line[11:-1])
r, s1 = bytes_to_long(sig1[:len(sig1)//2]), bytes_to_long(sig1[len(sig1)//2:])
print((r, s1))



sess.send("1\n")
sess.recvuntil("message> ")
sess.send(msg2 + "\n")
line = sess.recvline()
sess.recvuntil("> ")

sig2 = unhexlify(line[11:-1])
r2, s2 = bytes_to_long(sig2[:len(sig2)//2]), bytes_to_long(sig2[len(sig2)//2:])
print((r2,s2))

assert r == r2

candidate = s1 - s2
k = (z*inverse_mod(candidate, order)) % order
print("Recovered k")
print(k)
print()

d = (((s1*k - m1) % order)*inverse_mod(r, order)) % order
print("Recovered d")
print(d)
print()

sk = ecdsa.SigningKey.from_secret_exponent(d, curve=curve)

ans = sk.sign(b"please_give_me_the_flag", k=k)

sig = hexlify(ans)

print("Generated signature")
print(sig)
print()

sess.send("3\n")
sess.recvuntil("signature> ")
sess.send(sig + b"\n")
print(sess.recvline())