190
0
0

Magic Padding Oracle [picoCTF 2018]

Published at October 11, 2018 6:35 a.m.

Problem

Can you help us retreive the flag from this crypto service? Connect with nc 2018shell3.picoctf.com 4966. We were able to recover some Source Code.

pkcs.py
python
#!/usr/bin/python2
import os
import json
import sys
import time

from Crypto.Cipher import AES

cookiefile = open("cookie", "r").read().strip()
flag = open("flag", "r").read().strip()
key = open("key", "r").read().strip()

welcome = """
Welcome to Secure Encryption Service version 1.1
"""
def pad(s):
  return s + (16 - len(s) % 16) * chr(16 - len(s) % 16)

def isvalidpad(s):
  return ord(s[-1])*s[-1:]==s[-ord(s[-1]):]

def unpad(s):
  return s[:-ord(s[len(s)-1:])]

def encrypt(m):
  IV="This is an IV456"
  cipher = AES.new(key.decode('hex'), AES.MODE_CBC, IV)
  return IV.encode("hex")+cipher.encrypt(pad(m)).encode("hex")

def decrypt(m):
  cipher = AES.new(key.decode('hex'), AES.MODE_CBC, m[0:32].decode("hex"))
  return cipher.decrypt(m[32:].decode("hex"))
  

# flush output immediately
sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0)
print welcome
print "Here is a sample cookie: " + encrypt(cookiefile)

# Get their cookie
print "What is your cookie?"
cookie2 = sys.stdin.readline()
# decrypt, but remove the trailing newline first
cookie2decoded = decrypt(cookie2[:-1])

if isvalidpad(cookie2decoded):
   d=json.loads(unpad(cookie2decoded))
   print "username: " + d["username"]
   print "Admin? " + d["is_admin"]
   exptime=time.strptime(d["expires"],"%Y-%m-%d")
   if exptime > time.localtime():
      print "Cookie is not expired"
   else:
      print "Cookie is expired"
   if d["is_admin"]=="true" and exptime > time.localtime():
      print "The flag is: " + flag
else:
   print "invalid padding"

Solution

CBCのPadding Orackle Attackは、さらに悪用すると、文字をあとから継ぎ足していくことで好きな文字列を作成可能。

ruby
require 'socket'

def attack(ct, &try_decrypt)
  bs = 16
  blocks = ct.chars.each_slice(bs).map(&:join)

  (blocks.length-1).downto(1) do |k|
    plain = ?? * bs
    iv = "\x00" * bs

    1.upto(bs) do |n|
      256.times do |i|
        iv[-n] = i.chr
        data = iv + blocks[k]

        if try_decrypt.call(data) then
          plain = iv.bytes.zip(blocks[k-1].bytes).map{|x,y| n^x^y}.pack("C*")
          iv = plain.bytes.zip(blocks[k-1].bytes).map{|x,y| (n+1)^x^y}.pack("C*")
          break
        end
      end
    end
    p plain

    blocks[k] = plain
  end

  blocks[0] = "?" * bs
  blocks.join
end

want = '{"expires":"2999-01-01","username":"poeeeeeeeee","is_admin":"tru'
str = ['4dfdacead33f1fdf0580901129a2ec56'].pack("H*")
pred = ['7f7ee59558d62d81db804a3b8ce1c557'].pack("H*")

loop do
  plain = attack("\x00"*16 + pred){|ct|
    begin
      res = false
      s = TCPSocket.new('2018shell3.picoctf.com', 4966) rescue retry
      s.puts ct.unpack("H*")[0]
      l = ''
      begin
        l = s.readpartial(10000) until l.include? 'invalid padding'
      rescue EOFError
        res = true
      end
    rescue
      retry
    end
    s.close
    res
  }[16,16]
  str = pred + str
  pred = want[-16,16].bytes.zip(plain.bytes).map{|x,y| x^y}.pack("C*")
  want = want[0...-16]
  p pred+str
end