Cube Root Attack
In this challenge, we get a message.eml
file containing an email:
Applications such as Outlook block downloading the file due to it's "malicious nature", but we can open the .eml
file in VS Code easily and extract two things:
Firstly, there is a secret.enc
file with base64-encoded ciphertext:
Secondly, there is a pubkey.der
file containing an RSA public key:
We'll use the gmpy2
iroot()
function to calculate the cube root:
And bingo bango, we get the flag as HTB{w34k_3xp0n3n7_ffc896}
.
Meet-in-the-middle attack on AES
We are given challenge.py
, which does the following:
Creates two keys
Key1 is cyb3rXm45!@#
+ 4 random bytes from 0123456789abcdef
Key2 is 4 random bytes from 0123456789abcdef
+ cyb3rXm45!@#
Encrypts the flag with Key1 using AES-ECB
Encrypts the encrypted flag with Key2 using AES-ECB
We can use a meet-in-the-middle attack to retreive both keys. The logic here is simple. Firstly, there are 16
possible characters for each of the 4 random bytes, which is easily bruteforceable ().
We can also encrypt a given input and get the result - I choose to send 12345678
as the hex-encoded plaintext and receive . For these keys, the encrypted flag is given as:
Now we have a known plaintext and ciphertext, we can use both one after the other and bruteforce possible keys. Note that the encryption looks like this:
We do not know what the intermediate value x
is, but we can use brute force to calculate it by
Looping through all possibilities for key1
and saving the encrypted version of 12345678
Looping through all possibilities for key2
and saving the decryption of 449e2eb...
Finding the intersection between the encryption with key1
and the decryption with key2
Once we find this intersection, we can use that to work back and calculate key1
and key2
, which we can then utilise to decrypt the flag.
And we get the flag as HTB{m337_m3_1n_7h3_m1ddl3_0f_3ncryp710n}
!
Common Mod, DIfferent e
In this challenge, we are given two sets of , and .
The plaintext encrypted to give is the same, and we can observe that the choice of is also the same, meaning the only difference is in the choice of . Here we can use some cool maffs with and to retrieve the original plaintext .
Firstly, if the greatest common divisor of and is , then there exists and such that
To calculate this, we can use the . But why is this helpful?
Well if we know that and and we know such that , we can then use this to calculate like this:
In practise is likely to be negative, and in modular arithmetic we use negative powers using the . Luckily, Sage can do this for us by default, so we can do even less steps:
And we get the flag as HTB{c0mm0n_m0d_4774ck_15_4n07h3r_cl4ss1c}
.
We get given challenge.py
and encrypted.bin
. Analysing challenge.py
:
And appends the result of that as the encrypted character in encrypted.bin
.
Gives us
So we can form two equations here using this information:
We subtract (2) from (1) to get that
And the resulting PDF has the flag HTB{4ff1n3_c1ph3r_15_51mpl3_m47h5}
within.
We can easily import the public key in Python and read the values for and using the Pycryptodome:
We can throw into FactorDB to see if the factors are known, but they are not. The more notable observation is that , which allows us to perform a cube root attack on the ciphertext.
The logic here is simple: because the message is quite short and the public modulus is quite large, a small value of such as may make it such that . This makes the modulus ineffective as and we can simply take the th root of the ciphertext to recover the plaintext.
It calculates two random values, and . For every byte in the plaintext file, it then calculates
The plaintext file appears to be letter.pdf
, and using this we can work out the values of and because we know the first 4 bytes of every PDF file are %PDF
. We can extract the first two bytes of encrypted.bin
and compare to the expected two bytes:
And we can multiply both sides by the modular multiplicative inverse of 43, i.e. , which is , to get that
And then we can calculate :
So now we have the values for and , it's simply a matter of going byte-by-byte and reversing it. I created a simple Sage script to do this with me, and it took a bit of time to run but eventually got the flag.