exploit_svattt2021

1. import base64,struct,time
2. from telnetlib import Telnet
3. from providers.mac.sha256 import Sha256MP
4. from providers.mac.crc32 import Crc32MP
5. from providers.mac.rsa1024 import Rsa1024MP
6. from providers.mac.dsa512 import Dsa512MP
7. from providers.mac.aes256_xor import Aes256XorMP
8. from providers.serialization.concat import ConcatenatorSP
9. from cvcb import CovidVaccinationCertificateBuilder
10.  
11. from Crypto.Util import number
12. from sympy import Matrix,Symbol,QQ
13. from sympy.ntheory import residue_ntheory
14. # from sha256_padding import SHA256,brute_force_len_padding
15.  
16. class SHA256:
17.  
18.     def __init__(self, debug=False):
19.         self.debug=debug
20.         self.h = [
21.             0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
22.             0x1f83d9ab, 0x5be0cd19
23.         ]
24.  
25.         self.k = [
26.             0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
27.             0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
28.             0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
29.             0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
30.             0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
31.             0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
32.             0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
33.             0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
34.             0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
35.             0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
36.             0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
37.         ]
38.  
39.     def set_state(self,h):
40.         self.h=h
41.  
42.     def rotate_right(self, v, n):
43.         w = (v >> n) | (v << (32 - n))
44.         return w & 0xffffffff
45.  
46.  
47.     ## only d & h change value other change location
48.     ## Now, we need to figure out what d and h are, from tmp2 and tmp3.
49.     def compression_step(self, state, k_i, w_i):
50.         a, b, c, d, e, f, g, h = state
51.         s1 = self.rotate_right(e, 6) ^ self.rotate_right(e, 11) ^ self.rotate_right(e, 25)
52.         ch = (e & f) ^ (~e & g)
53.         tmp1 = (h + s1 + ch + k_i + w_i) & 0xffffffff
54.         s0 = self.rotate_right(a, 2) ^ self.rotate_right(a, 13) ^ self.rotate_right(a, 22)
55.         maj = (a & b) ^ (a & c) ^ (b & c)
56.         tmp2 = (tmp1 + s0 + maj) & 0xffffffff
57.         tmp3 = (d + tmp1) & 0xffffffff
58.         return (tmp2, a, b, c, tmp3, e, f, g)
59.  
60.  
61.     def compression(self, state, w, round_keys = None): ## ?? same round key for
62.         if round_keys is None:
63.             round_keys = self.k
64.         for i in range(64):## compress 64 time?? only 8 key
65.             state = self.compression_step(state, round_keys[i], w[i])
66.             if self.debug: print(f"Round {i}:",state)
67.         return state
68.  
69.     def compute_w(self, m):
70.         w = list(struct.unpack('>16L', m))
71.         for _ in range(16, 64):
72.             a, b = w[-15], w[-2]
73.             s0 = self.rotate_right(a, 7) ^ self.rotate_right(a, 18) ^ (a >> 3)
74.             s1 = self.rotate_right(b, 17) ^ self.rotate_right(b, 19) ^ (b >> 10)
75.             s = (w[-16] + w[-7] + s0 + s1) & 0xffffffff
76.             w.append(s)
77.         return w
78.  
79.     def padding(self, m, lm_=None):
80.         lm = lm_ if lm_ else len(m)
81.         lpad = struct.pack('>Q', 8 * lm)
82.         lenz = -(lm + 9) % 64
83.         return m + bytes([0x80]) + bytes(lenz) + lpad
84.  
85.     def sha256_raw(self, m, round_keys = None):
86.         if len(m) % 64 != 0:
87.             raise ValueError('m must be a multiple of 64 bytes')
88.         state = self.h
89.         if self.debug: print(f"Init state:\n{state}")
90.         for i in range(0, len(m), 64):
91.             block = m[i:i + 64]
92.             w = self.compute_w(block)
93.             s = self.compression(state, w, round_keys)
94.             state = [(x + y) & 0xffffffff for x, y in zip(state, s)]
95.             if self.debug:print(f"New state:\n{state}")
96.         return state # 8 * 4_bytes
97.  
98.     def sha256(self, m, round_keys = None, lm_=None):
99.         m_padded = self.padding(m,lm_) # first get padding mess
100.         state = self.sha256_raw(m_padded, round_keys)
101.         return struct.pack('>8L', *state)
102.  
103. def brute_force_len_padding(message):
104.     sha256 = SHA256()
105.     len_prepadding = 32
106.     dump = sha256.padding(b'A'*len_prepadding+message)
107.     return dump[len_prepadding:]
108.  
109.  
110. ip,port = '34.124.243.167',1337
111. # ip,port = '127.0.0.1',1337
112.  
113. sage_service = '127.0.0.1',65535
114.  
115. def banner(t):
116.     resp = t.read_until(b'\n');print(resp)
117.     resp = t.read_until(b'\n');print(resp)
118.  
119. def choose_mod(t,mod):
120.     t.write(f'{mod}\n'.encode())
121.  
122. def generate_mac(t):
123.     todo = False
124.    
125. def verify_mac(t):
126.     todo = False
127.    
128. def get_cert(t,mod,cid,cname):
129.     t.write(f"{mod}\n".encode())
130.     t.write(base64.b64encode(cid)+b'\n')
131.     t.write(base64.b64encode(cname)+b'\n')
132.     resp = t.read_until(b'\n');print(resp)
133.     return base64.b64decode(resp)
134.  
135. def get_public_info(t):
136.     resp = t.read_until(b'\n');print(resp)
137.     return b'' if resp==b'\n' else base64.b64decode(resp)
138.  
139. def send_cert(t,cert):
140.     t.write(base64.b64encode(cert)+b'\n')
141.  
142. def check_correct_status(choice):
143.     t = Telnet(ip,port)
144.     banner(t)
145.     sp = ConcatenatorSP()
146.     cid,cname=b'AAAAAA',b'AAAAAA'
147.     if choice == 1:
148.         mp = Aes256XorMP()
149.     elif choice == 2:
150.         mp = Crc32MP()
151.     elif choice == 3:
152.         mp = Dsa512MP()
153.     elif choice == 4:
154.         mp = Rsa1024MP()
155.         builder = CovidVaccinationCertificateBuilder(mp, sp)
156.         cert = get_cert(t,choice,cid,cname)
157.         pub_key = get_public_info(t)
158.     elif choice == 5:
159.         mp = Sha256MP()
160.         builder = CovidVaccinationCertificateBuilder(mp, sp)
161.         cert = get_cert(t,choice,cid,cname)
162.         pub_key = get_public_info(t)
163.         data,signature = split_cert(mp,cert)
164.         send_cert(t,cert)
165.         resp = t.read_until(b'\n');print(resp)
166.         # t.interact()
167.    
168. def split_cert(mp,signature):
169.     data,hash_ = signature[:-mp.get_mac_size()],signature[-mp.get_mac_size():]
170.     return data,hash_
171.  
172. def submit(chall, flag):
173.     import requests,re
174.     s = requests.Session()
175.     # x_polaris_sid=; session=; x_polaris_sd=IoYr8eJdcJ0p/Aj7ilBSP8bAXgi5h55NqMNZ3UGG33dJEcotEinSMnhe0u08IV5Lt62YG|BrqFwcL6/yiTLnZuWokU0iRKWerwiSeucxEUHcNWlwe1CWVUJyLE2|2p7ubdNw
176.     cookies = {"x_polaris_sid":"B5f2mEvdr4||11y|h6Oj7sFqen8lLFYRX1Rx","polaris_sc":"blevvfs1vc0tbfu287jj0bp0rfme5f5v8c7o17ucofjts0", "x_polaris_cid": "bl605j2hsinoocvkhvi82ml71su4a03es7q2kov0bhuuo0",
177.     # "session":"ef991cb0-b980-4cf1-b886-5a5d919a0925.SJqwC4we5KvDtkfOVzfGeYPHwSE"}
178.     "session":"8eadefe3-7bd1-4aff-b762-7cc1ce2a6ac5.165NyFLL4mpk7VeCXog_f6GN71c"}
179.     data = {"team":"BkSec.Oggy",
180.     "daemon": chall,"action": "submit-flag","flag": flag}
181.     # r = s.post('https://ascis.1337.edu.vn/submitflag_API', data={"team":"Nupakachi","daemon":"Pwn02","action": "submit-flag","flag":"abc"}, proxies={'http': 'http://192.168.169.133:8080/', 'https': 'https://192.168.169.133:8080/'}, cookies=cookies, verify=False)
182.     r = s.post('https://ascis.1337.edu.vn/submitflag_API', data=data, cookies=cookies)
183.     # print(r.text)
184.     print(re.search(r'alert(.*?)</script', r.text).group(1))
185.  
186. def solve5():
187.     t = Telnet(ip,port)
188.     banner(t)
189.     choice = 5
190.     mp = Sha256MP()
191.     cid,cname=b'AAAAAA',b'AAAAAA'
192.     cert = get_cert(t,choice,cid,cname)
193.     pub_key = get_public_info(t)
194.    
195.     # print(cert)
196.     data,signature = split_cert(mp,cert)
197.     # print(data,signature);input()
198.    
199.     state = list(struct.unpack('>8L', signature))
200.     sha256 = SHA256()
201.     sha256.set_state(state)
202.     message_padding = b'|'+sp.serialize({
203.             b"issuer": b"vnsecurity",
204.             b"citizen_id": b"admin",
205.             b"citizen_name": b"admin",
206.             b"doses": (2).to_bytes(1, "big")  # hopefully no one will take more than 255 doses :D
207.         })
208.     lm_ = len(sha256.padding(message_padding))
209.     new_sig = sha256.sha256(message_padding,lm_=lm_+len(message_padding))
210.     mess = brute_force_len_padding(data)
211.     fake_cert = mess+message_padding+new_sig
212.     send_cert(t,fake_cert)
213.     # print(fake_cert,sp.deserialize(fake_cert))
214.     # print(cert)
215.     # send_cert(t,cert)
216.     resp = t.read_until(b'\n');print(resp)
217.     return resp
218.  
219. def solve4():
220.     choice =4
221.     t = Telnet(ip,port)
222.     banner(t)
223.     mp = Rsa1024MP()
224.     sp = ConcatenatorSP()
225.    
226.     cid,cname=b'AAAAA',b'BBBBBBBBBBBBBBBB'
227.     cert = get_cert(t,choice,cid,cname)
228.     n,e,d = [int(i,16) for i in get_public_info(t).split(b',')]
229.     mp.n,mp.e,mp.d = n,e,d
230.     data = sp.serialize({
231.                 b"issuer": b"vnsecurity",
232.                 b"citizen_id": b"admin",
233.                 b"citizen_name": b"admin",
234.                 b"doses": (2).to_bytes(1, "big")  # hopefully no one will take more than 255 doses :D
235.             })
236.     signature = mp.generate_mac(data)
237.     fake_cert = data+signature
238.     send_cert(t,fake_cert)
239.     resp = t.read_until(b'\n');print(resp)
240.     return resp
241.  
242. def solve4_1():
243.     choice = 4
244.  
245. def solve1():
246.     choice = 1
247.     t = Telnet(ip,port)
248.     banner(t)
249.     mp = Aes256XorMP()
250.     sp = ConcatenatorSP()
251.    
252.     cid,cname=b'AAAAA',b'BBBBBBBBBBBBBBBB'
253.     cert = get_cert(t,choice,cid,cname)
254.     pub_key = get_public_info(t)
255.     data,signature = split_cert(mp,cert)
256.     block_size = 16
257.     data += b'\x00' * (-len(data) % block_size)
258.    
259.     fake_mess = sp.serialize({
260.                 b"issuer": b"vnsecurity",
261.                 b"citizen_id": b"admin",
262.                 b"citizen_name": b"admin",
263.                 b"doses": (2).to_bytes(1, "big")  # hopefully no one will take more than 255 doses :D
264.             })
265.     fake_cert=data+fake_mess+b'\x00' * (-len(fake_mess) % block_size)+fake_mess+signature
266.     # print(fake_cert)
267.     send_cert(t,fake_cert)
268.     resp = t.read_until(b'\n');print(resp)
269.     return resp
270.  
271. def root_ring(q,var,f):
272.     t = Telnet(*sage_service)
273.     tmp = f'''F = PolynomialRing(GF({q}),'{var}');{var}=F.gens()[0]'''.replace('\n','')
274.     t.write(f"{tmp}\n".encode())
275.     # t.write(f'solve(f,{var},solution_dict=True)\n'.encode()) # bof ??
276.     t.write(f'f.roots()\n'.encode()) # return [(x,exp),] => x**exp
277.     resp=t.read_until(b'\n');print(resp)
278.     resp = resp.decode().replace('x',str(var))
279.     return eval(resp[:-1])
280.  
281. def discrete_log(a,b,p):
282.     t = Telnet(*sage_service)
283.     t.write(f"a=(GF({p})({a}))\n".encode())
284.     t.write(f"a.log(GF({p})({b}))\n".encode())
285.     resp = t.read_until(b'\n')
286.     return eval(resp[:-1])
287.  
288. def solve3():
289.     choice = 3
290.     t = Telnet(ip,port)
291.     banner(t)
292.     mp = Dsa512MP()
293.     sp = ConcatenatorSP()
294.    
295.     p = 0x299279f0e8cafde76b4377a707943c616f734b60c0d1817f105a1b739688b94a81ed4b77275f588910fd3562a8c52ee8cd69cb9b3696c3af80b7a8b7f28944b
296.     h = 2
297.     q = (p - 1) // h
298.     g = pow(2021, h, p)
299.    
300.     cid,cname=b'AAAAAA',b'AAAAAA'
301.     cert = get_cert(t,choice,cid,cname)
302.     pub_key = int(get_public_info(t),16)
303.     block_size = 64
304.     data,signature = split_cert(mp,cert)
305.     r,s = int.from_bytes(signature[:block_size],'big'),int.from_bytes(signature[block_size:],'big')
306.     fake_mess = sp.serialize({
307.                 b"issuer": b"vnsecurity",
308.                 b"citizen_id": b"admin",
309.                 b"citizen_name": b"admin",
310.                 b"doses": (2).to_bytes(1, "big")  # hopefully no one will take more than 255 doses :D
311.             })
312.     x = discrete_log(pub_key,g,p) ## p order small
313.     mp.x=x
314.     mp.y=pub_key
315.     fake_cert = fake_mess+mp.generate_mac(fake_mess)
316.     # print(fake_cert)
317.     send_cert(t,fake_cert)
318.     resp = t.read_until(b'\n');print(resp)
319.     return resp
320.  
321. ## ASCIS{d48da7e497ed368f2cef647bbe84c44c}
322. if __name__=='__main__':
323.     # while True:
324.     # choice = 1
325.     choice = 2
326.     # choice = 3
327.     # choice = 4
328.     # choice = 5 # OK
329.     sp = ConcatenatorSP()
330.     if choice == 1:
331.         mp = Aes256XorMP()
332.     elif choice == 2:
333.         mp = Crc32MP()
334.     elif choice == 3:
335.         mp = Dsa512MP()
336.     elif choice == 4:
337.         mp = Rsa1024MP()
338.     elif choice == 5:
339.         mp = Sha256MP()
340.     builder = CovidVaccinationCertificateBuilder(mp, sp)
341.     # check_correct_status(choice);input()
342.     # resp = solve1()
343.     resp = solve3()
344.     # resp = solve4()
345.     # resp = solve4_1()
346.     # resp = solve5()
347.     # submit("Crypto01", resp)
348.    
349.    
350.    
351.