@sdamashek
Created May 15, 2016 14:35
TJ CSL Writeup for Phillips Decryption Service (PACTF 2016)

Phillips Decryption Service

The main idea behind this one was that we could encrypt any message we want, and then send it to the decryption service to be decrypted, unless that message was the encrypted flag.

Basically all we had to do was multiply the ciphertext C by 2^e mod n (where e is the public exponent). Decrypting the product gives (C * 2^e)^d = (f^e * 2^e)^d = f^(ed) * 2^(ed) = 2f mod n, so the result of that decryption will be double the flag (see http://www.dtc.umn.edu/~odlyzko/doc/arch/rsa.attack.pdf).

First, getting the information about the public key:

samuel@samaritan ~/projects/pactf % openssl rsa -in pub.a82ac1b8c0d1.pem -pubin -noout -text                      
Public-Key: (2048 bit)
Modulus:
    00:b5:6f:4b:33:66:75:a4:9b:64:37:09:62:1e:10:
    67:2c:a9:f2:4f:ed:3e:df:f9:1d:03:62:cb:ec:88:
    ca:54:81:49:fb:12:9e:f6:9c:27:25:33:ac:9b:7d:
    ea:a2:d3:b6:91:39:8e:35:55:d8:cf:48:44:df:eb:
    c3:7f:17:ff:57:05:19:af:21:33:19:76:5d:12:bb:
    e8:04:7e:d9:e4:79:87:d9:7f:83:98:94:4a:4c:1b:
    4d:a7:06:d9:55:81:87:e4:7d:e3:d1:62:34:9d:08:
    98:0c:a7:0c:af:68:13:d6:0b:53:21:2b:70:09:aa:
    be:6c:ac:ca:8a:5d:54:5e:f2:91:0d:d6:a2:eb:ee:
    2f:35:6e:58:82:72:91:28:26:64:5a:38:cd:91:f6:
    f4:b7:75:e3:85:05:e9:a5:c6:b1:e0:5f:7b:a9:50:
    38:a4:17:92:e8:eb:5e:c5:76:ba:f3:ff:3d:ea:68:
    82:51:dc:5e:00:b9:bc:de:17:37:2f:97:16:f6:fc:
    7c:54:9b:7b:ce:b1:a8:34:a7:14:7c:a7:49:0c:4e:
    2d:38:2d:0a:81:b6:e5:67:c8:62:0d:3e:bb:21:51:
    d6:a9:da:6e:df:38:ed:b8:9c:1d:32:62:57:66:e4:
    1e:7d:a2:1c:98:d1:c3:78:1f:d9:f9:3b:e5:25:ec:
    dc:13
Exponent: 65537 (0x10001)

And now to implement the actual encryption:

from Crypto.Util.number import bytes_to_long, long_to_bytes

def hex_to_long(h):
    # Parse a hex string (as printed by the service) into an integer.
    return bytes_to_long(bytes.fromhex(h))

def long_to_hex(l):
    # Render an integer as the even-length hex string the service expects.
    return long_to_bytes(l).hex()

n = 22904014193930880335944401129410890610607480925989723500255413393366722348125011616028765815734541941279817402381448326863602546781681120821500204172937426074532535481242264218008857335013446918918195546121813347047264903290661994226460949886943218990271532234309324379756382495518494163453195677414443522416374867966154806480848285599145211230437502972243956307741194044582640656122103241236781693479499114537743802946567062105255005402481929043026564603733796293323344041650565762406159013935858770038542186069693481677974546185108495919519150399651640828377368378568811987383114599547347702168168169724370767109139
fl_enc = hex_to_long('88bac7248bef2fb94635c3571256f6076e6efc6446aa856e13007a7b278d633ba46febbd205ea335639c6405b02921ce8ba8647a86e41a9fcc2ee4485c04f7688bec47572a499a66f7e540c524a18d66efd3d65caa6fd49450a2a70c4cf9a040aac628e63fdfcf75ca87fcc8a0d28300058198f7585a4c4812e92214feea638198035d90ba22b03e9370f4661c39a53153509c552279906e621f981aac1e4b9d9f4d99eff56e8f141ee0eaac96e7962aea6ca0f4104fd3ec84f8d1a2ef6efa413c6482b2c0954ebfe7ceb2f1c75f1df31135e71895a75905e544eca3cafcef5f5e5a61acd339ae86786837577b041892ed40b971ec4194f9f20b2d1d29c70ca6')
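e = 65537  # public exponent from the openssl output above
# Multiply the flag ciphertext by 2^e mod n; modular pow avoids building the huge integer 2**65537.
to_enc = long_to_hex((fl_enc * pow(2, e, n)) % n)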
print(to_enc)

This gives a result of 058556e4911b5f81e6551c39ccaf2c8129dc2aa2ce7aaf417db4155734fe137ad6da3bfd64e84d69f58015f6e1bae2b0af8d36a1e5109f28e932411e8e64d388fe867806561640d719a3f75858478f1c5659640c979e9945749bbee237163891e7beab72b26d8dc0c2229ed50fa69337782fa09bc268c987c1b3ee14f292066c17dddc82ef9568a5ff761ef74b1eefd3c1a6eae0e2ae9dc938ebf2b54ff9783f29f671a73f45caf7aeab110b485df77d9a54feed7e76477f3c841f5589efe94f750c543f3853789ecdbdb65668f8cff3057c2011a429658376f260138ff7cba0d542bab02ecf343b86f17d16d3fb3cfc768a5c42d8e408995e96a4182e91e402, and decrypting that:

samuel@samaritan ~/projects/pactf % nc 198.211.110.148 59292
Welcome to the PA secret decryption service!

Please enter the data you wish to have decrypted.
058556e4911b5f81e6551c39ccaf2c8129dc2aa2ce7aaf417db4155734fe137ad6da3bfd64e84d69f58015f6e1bae2b0af8d36a1e5109f28e932411e8e64d388fe867806561640d719a3f75858478f1c5659640c979e9945749bbee237163891e7beab72b26d8dc0c2229ed50fa69337782fa09bc268c987c1b3ee14f292066c17dddc82ef9568a5ff761ef74b1eefd3c1a6eae0e2ae9dc938ebf2b54ff9783f29f671a73f45caf7aeab110b485df77d9a54feed7e76477f3c841f5589efe94f750c543f3853789ecdbdb65668f8cff3057c2011a429658376f260138ff7cba0d542bab02ecf343b86f17d16d3fb3cfc768a5c42d8e408995e96a4182e91e402
Decrypting data from 173.73.71.25... Your decrypted data is:

ccd8c2cef660dee0b4bed2bece6060ccc8fa

Remember to decode your hex data!

Now we just have to divide that by two and convert it to ASCII to obtain the flag!

dec = hex_to_long('ccd8c2cef660dee0b4bed2bece6060ccc8fa')
dec = long_to_hex(dec//2)

for i in range(0,len(dec),2):
    print(chr(int(dec[i:i+2],16)),end='')

Run that, and we get the flag, flag{0opZ_i_g00fd}.
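An added example (not part of the original gist or the PACTF service code): the relation C * 2^e -> 2f reproduced on a constructed toy key, next to a decryptor that only releases plaintexts whose structure verifies. The key, the `pad`/`unpad` format and all function names are assumptions; the truncated-hash format stands in for RSA-OAEP.

```python
import hashlib

# Constructed toy key (NOT the challenge key): product of two Mersenne primes.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
K = (N.bit_length() - 1) // 8        # number of plaintext bytes that always fit below N
TAG = 8                              # bytes of redundancy in the hypothetical format

def pad(msg):
    """Hypothetical format: zero-padded message followed by a truncated SHA-256 tag."""
    if len(msg) > K - TAG:
        raise ValueError("message too long for this toy modulus")
    body = msg.ljust(K - TAG, b"\0")
    return int.from_bytes(body + hashlib.sha256(body).digest()[:TAG], "big")

def unpad(m):
    """Return the message if the redundancy verifies, else None."""
    if m >= 256 ** K:
        return None
    raw = m.to_bytes(K, "big")
    body, tag = raw[:-TAG], raw[-TAG:]
    ok = hashlib.sha256(body).digest()[:TAG] == tag
    return body.rstrip(b"\0") if ok else None

def decrypt_blocklist(c, blocked):
    """Design from the writeup: refuse one exact ciphertext, return raw m otherwise."""
    return None if c % N == blocked % N else pow(c, D, N)

def decrypt_checked(c, blocked):
    """Same blocklist, but a plaintext is released only if its structure verifies."""
    return None if c % N == blocked % N else unpad(pow(c, D, N))

def demo():
    m = pad(b"flag{toy_sample}")             # constructed sample secret
    c = pow(m, E, N)                         # the "encrypted flag"
    related = c * pow(2, E, N) % N           # C * 2^e mod n, as in the writeup
    leaked = decrypt_blocklist(related, c)   # raw decryptor hands back 2m
    return {
        "direct": decrypt_blocklist(c, c),            # blocked, as intended
        "recovered": unpad(leaked // 2),              # blocklist bypassed
        "hardened": decrypt_checked(related, c),      # 2m fails the check
        "honest": decrypt_checked(pow(pad(b"hello"), E, N), c),
    }

if __name__ == "__main__":
    print(demo())
```

In a real service the structure check is RSA-OAEP from a vetted library; the deterministic tag here only makes the rejection of the doubled plaintext visible on a toy key.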
