→ Second hack.lu pre-ctf challenge(ECDSA) solution

| No TrackBacks
Fluxfingers posted their second pre-ctf challenge. It looks like "nc 0xbadcab1e.lu 9999"
Sending "test" as input we get the following response:
Using secp192r1, SHA-1.
connected at Tue Sep 13 23:03:25 2011.
Your message is test.
(r, s) = (0xe529012d41b1b2667c60764d75ab3318eda4043240bc003b, 0x79a546c30d1097473f675d3b9ee3fb55f9f6e6fd2127f8b)
As we can see SHA-1 is a signature hash function, and secp192r1 is an elliptic curve identificator. So, we have Elliptic curve, hash function and signature = ECDSA.
Sending same message to the server couple of times - we receive different signatures. But if we send same message two times fast enough:
$ echo "test" > /tmp/121
$ echo "test" > /tmp/122
$ perl -e 'foreach (1,2) {`nc -vvv 0xbadcab1e.lu 9999 < /tmp/12$_ >> /tmp/res`}' && cat /tmp/res

This is the signature generation machine.
Using secp192r1, SHA-1.
connected at Tue Sep 13 23:32:03 2011.
Your message is test.
(r, s) = (0x807baa0fd768f05ea851a8a48b0b3f509d02c0f1fc148e36, 0x5551c48119129b3e6bfc1a705d08455cde0fc10f527c1925)

This is the signature generation machine.
Using secp192r1, SHA-1.
connected at Tue Sep 13 23:32:03 2011.
Your message is test.
(r, s) = (0x807baa0fd768f05ea851a8a48b0b3f509d02c0f1fc148e36, 0x5551c48119129b3e6bfc1a705d08455cde0fc10f527c1925)
Boom! k value to be reused, and likely k is a timestamp. Let's check:
$ echo "test1" > /tmp/122
$ cat /dev/null > /tmp/res
$ perl -e 'foreach (1,2) {`nc -vvv 0xbadcab1e.lu 9999 < /tmp/12$_ >> /tmp/res`}' && cat /tmp/res

This is the signature generation machine.
connected at Tue Sep 13 23:36:53 2011.
Your message is test.
(r, s) = (0xf5e361f5e7e9936b1313ea2a8ad49a42f91fca30f232739d, 0xce8e2c43f6245d1f446a100baed038887c70e8e8fe5b2365)

This is the signature generation machine.
Using secp192r1, SHA-1.
connected at Tue Sep 13 23:36:53 2011.
Your message is test1.
(r, s) = (0xf5e361f5e7e9936b1313ea2a8ad49a42f91fca30f232739d, 0xe9a22b9c1feb92d719dc660ab8b3f25207105edb09d3e2ba)
e1 = sha1("test")
e2 = sha1("test1")
s1 = 0xce8e2c43f6245d1f446a100baed038887c70e8e8fe5b2365
s2 = 0xe9a22b9c1feb92d719dc660ab8b3f25207105edb09d3e2ba
compute k
k = ((s1-s2)**-1) * (e1-e2) (mod p) where **-1 is modular inverse

k = 1315957013
Is it a timestamp?
>>> datetime.datetime.fromtimestamp(k)
datetime.datetime(2011, 9, 14, 3, 36, 53)
Having k we can easily compute d:
d = r1**-1 (k*s-e1) mod n
d = 373503280115841781950920337998842730338017239909
ascii(AlwaysUseAFreshNonce)
To check if d is correct - sign message "test" using curve secp192r1 and found d.

No TrackBacks

TrackBack URL: http://smokedchicken.org/m/mt-tb.cgi/61

About this Entry

This page contains a single entry by kyprizel published on September 14, 2011 5:22 AM.

Funny thing about DEFCON CTF and IPv6 was the previous entry in this blog.

hack.lu CTF Power security tokens is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.