- Was not really "impressed" by the challenges...
- The good ones were solved very quickly
- Idled on quite some channels

## Day-19 Santa's Signature

`Can you forge Santa's signature?`

On connecting with netcat (`nc 3.93.128.89 1219`) we get the following:

```
Last christmas you gave me your public key,
to confirm it really is you please sign three
different messages with your private key.

Here is the public key you gave me:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Message 1 you signed (hex encoded):
```

Looking at the provided source I thought the RSA looked a bit weird (= too easy). Classic secure RSA in pycrypto looks more like this: https://stackoverflow.com/a/58764650 (using `PKCS1_v1_5`).
Googling a bit reveals that if you use the simple `verify()` function you are using "textbook RSA" --> no padding --> insecure.
There is a nice summary of textbook RSA attacks: https://crypto.stackexchange.com/a/20087
We can see the following:

- signature of n−1 is n−1 (we have n as we get the pub key)
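
The fixed point noted above, as an added example (not code from the challenge or from this write-up): because an RSA public exponent is odd, (n−1)^e ≡ n−1 (mod n), so an unpadded check accepts n−1 as its own signature, and 0 and 1 behave the same way. The key is a constructed toy key, all function names are hypothetical, and `hashed_verify` is a simplified hash-then-sign stand-in for a real padding scheme such as `PKCS1_v1_5`.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def textbook_verify(message: int, signature: int) -> bool:
    """Unpadded verification: accept when signature^E mod N equals the message."""
    return pow(signature, E, N) == message % N


def encode(message: bytes) -> int:
    """Hash the message into the integer that is actually signed.

    Simplified stand-in for a real padding scheme (PKCS#1 v1.5, PSS)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def hashed_sign(message: bytes) -> int:
    """Sign the hash-derived encoding with the private exponent."""
    return pow(encode(message), D, N)


def hashed_verify(message: bytes, signature: int) -> bool:
    """Accept only when signature^E mod N equals the hash-derived encoding."""
    return 0 <= signature < N and pow(signature, E, N) == encode(message)


def to_bytes(value: int) -> bytes:
    """Fixed-width big-endian encoding of an integer below N."""
    return value.to_bytes((N.bit_length() + 7) // 8, "big")


def fixed_point_report():
    """For 0, 1 and N-1 used as both message and signature, return
    (value, accepted_by_textbook, accepted_by_hashed)."""
    return [(v, textbook_verify(v, v), hashed_verify(to_bytes(v), v))
            for v in (0, 1, N - 1)]


if __name__ == "__main__":
    for value, textbook, hashed in fixed_point_report():
        print(f"m = s = {value}: textbook={textbook} hashed={hashed}")
    sig = hashed_sign(b"ho ho ho")  # constructed sample message
    print("genuine signature verifies:", hashed_verify(b"ho ho ho", sig))
```

The unpadded check accepts all three values without any private key, while the hash-based check rejects them and still accepts a genuine signature.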

I started writing a script for communicating with the service and did not realize that this challenge was already solved...
But at least I could see that I was on the right track.

I've made a Byte Buffer as a Service (BBAAS)! The service is written in C#, but to avoid performance penalties, we use unsafe code which should have comparable performance to C++!

We also got the source code.
On simply connecting via netcat I was not able to interact with the service.

Looking at the code one can see that it's possible to send the service single-byte encoded commands: allocate a new byte array (action/byte = 1), write a section of a byte array (action/byte = 2) and read a section of a byte array (action/byte = 3).
Each command has some additional parameters: index, offset and size.
I implemented those commands in golang (see below).
Analyzing the source further, we can see that no bounds checking is done and "unsafe" .NET is used, which enables unchecked pointer arithmetic in C#, just like in C.
So we can write more or less arbitrarily (given the "right" parameters).

I wrote a golang script which is more or less just brute-forcing the service to get any kind of output.

```go
package main

import (
	"bufio"
	"fmt"
	"math/rand"
	"net"
)

// reader prints everything the service sends back.
func reader(r *bufio.Reader) {
	for {
		fmt.Println("READING...")
		recvBuf := make([]byte, 1024)
		n, err := r.Read(recvBuf)
		if err != nil {
			panic(err) // ends the program once the connection is closed
		}
		// Print only the bytes actually received, not the whole buffer.
		fmt.Println(string(recvBuf[:n]))
		fmt.Println("-------------------------------------------------")
	}
}

// sendBytes writes one command (action byte plus parameters) and flushes it.
func sendBytes(w *bufio.Writer, cmd ...byte) {
	if _, err := w.Write(cmd); err != nil {
		panic(err)
	}
	if err := w.Flush(); err != nil {
		panic(err)
	}
}

// Action 1: allocate a new byte array.
func sendAllocate(w *bufio.Writer, length byte) { sendBytes(w, 1, length) }

// Action 2: write a section of a byte array.
func sendWrite(w *bufio.Writer, index, offset, size byte) { sendBytes(w, 2, index, offset, size) }

// Action 3: read a section of a byte array.
func sendRead(w *bufio.Writer, index, offset, size byte) { sendBytes(w, 3, index, offset, size) }

func main() {
	conn, err := net.Dial("tcp", "3.93.128.89:1208")
	if err != nil {
		panic(err)
	}
	go reader(bufio.NewReader(conn))
	w := bufio.NewWriter(conn)
	//sendAllocate(w, 100)
	//sendWrite(w, 10, 0, 100)
	//sendWrite(w, 60, 0, 100)
	//sendWrite(w, 100, 0, 100)
	//sendWrite(w, 255, 0, 100)
	for i := 0; i < 1500; i++ {
		sendWrite(w, 0, byte(rand.Intn(255)), byte(rand.Intn(255)))
	}
	select {} // keep running so the reader goroutine can print responses
}
```

My goal was to somehow get a basic understanding of how the "actions" work and to push shellcode somewhere to execute it later.
As I had to go afk, I pinged @dachleitner to solve it - and he did before I was back.