server runs on
nc crypto.ctf.nullcon.net 5000
can you get the flag?
We are given a server.py.
This challenge wants us to forge a message that is encoded with AES CTR, and there’s a MAC code(GHASH)
AES CTR is relatively simple to forge, given a plaintext(pt) and a ciphertext(ct), if the nonce is the same, pt^ct is always constant.
GHASH function is a pseudo-hashing function.
First it calculates
c = AES.new(key, AES.MODE_ECB).encrypt(nonce + bytes(3) + b'\x01')
H = AES.new(key, AES.MODE_ECB).encrypt(bytes(16))
and splits the ciphertext into blocks of 128 bits(b1,b2,b3...)
The GHASH is then calculated by c+b1H^1+b2H^2+...+bnH^n where n is the number of blocks and each of the summand is under mod n
c constant for a fixed nonce, and H is constant throughout, this suggests a nonce reuse attack. Luckily the nonce is calculated using sessionid + Random.get_random_bytes(2), so nonce reuse will be very common.
Since we need to forge 2 blocks in the final payload, our payload should be 2 blocks
First we find 2 plaintext-ciphertext pairs with the same nonce, we label them as pt11+pt12,pt21+pt22 and ct11+ct12,ct21+ct22(where xxx1 is the first block and xxx2 is the second block), and the respective GHASH as g1,g2.
The GASHes in terms of the pt,ct,c,H are :
g1=c+ct11*H+ct12*H**2
g2=c+ct21*H+ct22*H**2
Supposing ct12=ct22(equivalent to pt11=pt12), c and H can easily be found:
g1-g2=ct11*H-ct21*H
H=(g1-g2)/(ct11-ct21) (mod n)
c=g1-ct11*H-ct12*H**2 (mod n)
Forging is now very simple. The text we want to forge is f="may i please have the flag"
Let the nonce be the nonce that was repeated(so that we know what c is)
The ciphertext is simply pt11^f^ct11
GASH is c+f1*H+f2*H**2 where f1 is the first 16 characters/128 bits
Full exploit: solve.py
p.s. A much simpler way of getting c is literally xoring the last block of the ciphertext with the plaintext, since c=AESECB(k,nonce+'\x00\x00\x00\x01) and the first plaintext is xored with the exact same value
Flag:
hackim19{forb1dd3n_made_e4sy_a7gh12}