ilm0 - added spent hours and fixed formatting

[pub/jan/ctf-seminar.git] / writeups / ilm0 / seccon.md

# <u>SECCON 2019 Online CTF</u>



## Crazy-Repetition-of-Codes

**category**: crypto

**description**:

\-

___

We get a python source code for some kind of encryption.

### Recon + solution

**crc.py**

```python
import os
from Crypto.Cipher import AES

def crc32(crc, data):
  crc = 0xFFFFFFFF ^ crc
  for c in data:
    crc = crc ^ ord(c)
    for i in range(8):
      crc = (crc >> 1) ^ (0xEDB88320 * (crc & 1))
  return 0xFFFFFFFF ^ crc

key = b""

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "TSG")
assert(crc == 0xb09bc54f)
key += crc.to_bytes(4, byteorder='big')

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "is")
key += crc.to_bytes(4, byteorder='big')

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "here")
key += crc.to_bytes(4, byteorder='big')

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "at")
key += crc.to_bytes(4, byteorder='big')

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "SECCON")
key += crc.to_bytes(4, byteorder='big')

crc = 0
for i in range(int("1" * 10000)):
  crc = crc32(crc, "CTF!")
key += crc.to_bytes(4, byteorder='big')

flag = os.environ['FLAG']
assert(len(flag) == 32)

aes = AES.new(key, AES.MODE_ECB)
encoded = aes.encrypt(flag)
assert(encoded.hex() == '79833173d435b6c5d8aa08f790d6b0dc8c4ef525823d4ebdb0b4a8f2090ac81e')
```

If we try running the code we get an OverflowError:

`Traceback (most recent call last):`
  `File "crc.py", line 15, in <module>`
    `for i in range(int("1" * 10000)):`
`OverflowError: range() result has too many items`

The self-defined function crc32 calculates a CRC value(see TD) and this value is later added step-by-step to the key variable:

```python
def crc32(crc, data):
  crc = 0xFFFFFFFF ^ crc
  for c in data:
    crc = crc ^ ord(c)
    for i in range(8):
      crc = (crc >> 1) ^ (0xEDB88320 * (crc & 1))
  return 0xFFFFFFFF ^ crc
```

First it seemed, that this function sometimes returns random values, not the correct crc, but later this turned out to be due to the signing of results.

We test it if our theory works in practice too, the only difference seems to be, that this function always returns an unsigned 32-bit CRC value:

`print(crc32(0,"HELLO"))` > 3242484790
`print((binascii.crc32('HELLO')) % (1<<32))` > (-1052482506 % (1<<32)) > 3242484790

I focused for a long time here on finding some kind of mathematical vulnerability or a smart solution, but brute forcing seemed to be the only solution.

The code "builds" the ciphertext in 5 steps, these can be sequentially reversed, as they were sequentially appended. Let's reverse them one by one:

```python
for i in range(int("1" * 10000)):
  crc = crc32(crc, "TSG")
```

The operation does not use the CRC value as intended,rather than it will return it after `int("1" * 10000)` runs. We can make our code faster after reaching the first cycle (when the CRC value equals 0) and taking the modulus of the remaining steps.

```python
def get_crc(s):
    crc = 0
    steps = 0
    for i in range(0, int("1" * 10000)):
        crc = ((binascii.crc32(s)) % (1<<32))
        if crc == 0:
            steps = (i % 2 ** 32) + 1
            break
    rest = int("1" * 10000) % steps
    crc = 0
    for i in range(0, rest):
        crc = ((binascii.crc32(s)) % (1<<32))
    return crc % 2 ** 32
```

With this function we find the first cycle in the operation, then we apply apply it with the remaining value. 

An other problem was being able to use the `for` construct with our big range, normally we would get an Overflow error, but we can work around this by using `long_range` from the crypto_commons library instead.

Armed with this knowledge and tools (reversing the CRC operation takes some time, but not unrealistically long, ~8 mins/part) we can construct our attack:

```python
step1 = get_crc("TSG")    # 2962998607L
step2 = get_crc("is")     # 3836056187L
step3 = get_crc("here")   # 2369777541L
step4 = get_crc("at")     # 3007692607L
step5 = get_crc("SECCON") # 1526093488L
step6 = get_crc("CTF!")   # 3679021396L

step1_bytes = long_to_bytes(step1)
step2_bytes = long_to_bytes(step2)
step3_bytes = long_to_bytes(step3)
step4_bytes = long_to_bytes(step4)
step5_bytes = long_to_bytes(step5)
step6_bytes = long_to_bytes(step6)

combined_key = "".join(step1_bytes,step2_bytes,step3_bytes,step4_bytes,step5_bytes,step6_bytes,)

ciphertext_bytes = "79833173d435b6c5d8aa08f790d6b0dc8c4ef525823d4ebdb0b4a8f2090ac81e".decode("hex")
cipher = AES.new(combined_key, AES.MODE_ECB)
print(aes.decrypt(ciphertext_bytes))
```

It will take approximately an hour to get our results, we receive: SECCON{Ur_Th3_L0rd_0f_the_R1NGs}



### Technical details

Cyclic redundancy check (CRC):

> It is an error-detecting code used to determine if a block of data has been corrupted.

[https://www.cardinalpeak.com/understanding-the-cyclic-redundancy-check/]

CRC32 is calculated with the following polynomial formula:

x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1

This value is appended to transmitted data block to check the integrity of the received data. When the received data is divided by the received CRC value the rest should be 0.

As we saw, CRC operations are relatively easily reversible (even in our case, when they were not used in the way they were intended to). This makes them unsuitable for applications in cryptography.



### Lessons learned

- Approaching more complex crypto challenges
- CRC codes



## coffee_break

**category**: crypto

**description**:

The program "encrypt.py" gets one string argument and outputs ciphertext.

Example:

$ python encrypt.py "test_text"
gYYpbhlXwuM59PtV1qctnQ==
The following text is ciphertext with "encrypt.py".

FyRyZNBO2MG6ncd3hEkC/yeYKUseI/CxYoZiIeV2fe/Jmtwx+WbWmU1gtMX9m905

___

### Recon + solution

We are presented with a simple encryption scheme and a ciphertext:

**encrypt.py**:

```python
import sys
from Crypto.Cipher import AES
import base64


def encrypt(key, text):
    s = ''
    for i in range(len(text)):
        s += chr( ( ((ord(text[i]) - 0x20) + (ord(key[i % len(key)]) - 0x20)) % (0x7e -            0x20 + 1)) + 0x20)
    return s 

key1 = "SECCON"
key2 = "seccon2019"
text = sys.argv[1]

enc1 = encrypt(key1, text)
key=key2 + chr(0x00) * (16 - (len(key2) % 16))
cipher = AES.new(key, AES.MODE_ECB)
```

The first thing that becomes clear is that the encryption simply uses some kind of character substitution.

We are working with a cipher in ECB mode so we do not need an IV. We can use this same cipher to reverse the last step. Also, we are in the fortunate position of having access to all the keys used.

```python
ciphertext = "FyRyZNBO2MG6ncd3hEkC/yeYKUseI/CxYoZiIeV2fe/Jmtwx+WbWmU1gtMX9m905"
cipertext_2 = cipher.decrypt(base64.b64decode(ciphertext)).decode("ascii")
```

Now let's take a close look at the encryption function:

```python
def encrypt(key, text):
    s = ''
    for i in range(len(text)):
        s += chr( ( ((ord(text[i]) - 0x20) + (ord(key[i % len(key)]) - 0x20)) % (0x7e -            0x20 + 1)) + 0x20)
    return s 
```

We can reverse this operation by applying the operations in the reverse direction, so "+" for "-" and vice versa. The only tricky part is the modulo operation % (0x7e - 0x20 + 1) -> %95, but after some thinking around one can realize that most probably the flag is made up of human-readable ascii characters, and this operation will only apply to those characters with a value smaller than 32: we can work around this by simply adding 95 to these characters:

```python
def decrypt(key, s):
    plaintext = ""
    for i in range(len(s)):
        char_value = ord(s[i]) - ord(key[i % len(key)]) + 0x20

    if(char_value < 0x20):
        char_value += 95
    
    plaintext += chr(char_value)
return plaintext
```

Applying this function to the AES deciphered text with the key that was used for the encrypt function:

```python
print(decrypt(key1, ciphertext_2))
```

we get back the flag: SECCON{Success_Decryption_Yeah_Yeah_SECCON}

### Technical details

AES ECB mode:

![aes_ecb.png](seccon/aes_ecb.png)

[https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/ECB_encryption.svg/600px-ECB_encryption.svg.png]

This mode of operation is easily reversible, as there is no IV used and the steps are not chained.



## Sandstorm

**category**: misc, steg

**description**:

I've received a letter... Uh, Mr. Smith?

![sandstorm.png](seccon/sandstorm.png)

___

### Recon + solution

We receive a strange image, we should find a hidden message. The description reveals us, that we should work with some kind of steganography method. After trying around with Stegsolve and https://georgeom.net/StegOnline/ I did not find anything. But the image itself looks very unusual, maybe there's something in the noise. I tried different noise reduction and enhancement filters in gimp, but I only received even blurrier images. After a talk presented on 10.12.2019 I became aware that one should look into the description and not necessarily in the image itself first. The text "My name is Adam" reveals the underlying algorithm.

We are dealing with the Adam7 steganography algorithm, which has 7 passes as the name shows. To even numbered levels some unusual asymmetric rules apply, but the levels 1, 3, 5 can be easily reached with the application of matrix operations.

```python
import cv2
import numpy

image = cv2.imread('./sandstorm.png')

for level in range (1,4):
    image = image[0::2,0::2]
    filename = "level_" + str(7-level*2)
    cv2.imwrite(filename + '.png', image) 
```

On level 1 we find a QR-code, which resolves to the flag: 

![key.png](seccon/key.png)

SECCON{p0nlMpzlCQ5AHol6}

### Technical details

Adam7 interlacing algorithm:

> Adam7 is an interlacing algorithm for raster images, best known as the interlacing scheme optionally used in PNG images. An Adam7 interlaced image is broken into seven subimages, which are defined by replicating this 8×8 pattern across the full image.

```
1 6 4 6 2 6 4 6
7 7 7 7 7 7 7 7
5 6 5 6 5 6 5 6
7 7 7 7 7 7 7 7
3 6 4 6 3 6 4 6
7 7 7 7 7 7 7 7
5 6 5 6 5 6 5 6
7 7 7 7 7 7 7 7
```

[https://wikivisually.com/wiki/Adam7_algorithm]

The algorithm works with 8 x 8 rasters, this matrix represents which pixels are assigned to which levels. As mentioned in the solution part, the uneven numbered levels can be extracted with symmetrical and commutative matrix operations.

The fastest way to get to the first level would be to only take every 8th pixel horizontally and vertically.

### Lessons learned

- Look for clues in the task description!