Category: ,

You can download the Cryptography Challenge, along with all the challenges for the 2016 Greek Qualifier CTF of European Cybersecurity Challenge, in this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.

Points: 80

Challenge designer: Gavrila

Description: > A matryoshka doll, also known as a Russian nesting doll, or Russian doll, refers to a set of wooden dolls of decreasing size placed one inside another. The name “matryoshka” (матрёшка), literally “little matron”, is a diminutive dorm of Russian female first name “Matryona” (Матрёна) or “Matriosha”. The first Russian nested doll set was made in 1890 by Vasily Zvyozdochkin from a design by Sergey Malyutin, who was a folk crafts painter at Abramtsevo.

Write-up

Phase 1

We are given a PNG image with the following text.

 

The image is referencing the XOR cipher.

The key is equal to the value of the Fibonacci function with input 2016.

def fibonacci(n):
    a, b = 1, 1
    for i in range(n-1):
        a, b = b, a+b
    return a

c = "56444e29da2ce23f0182943154ea69dcb5dc324cb596730ffc957729dd8f20271fa94a872c8b6c760490" \
    "b7ae5b47cffae2218e206c98483e6e16ae3080cf123dbfb9d7ec347a974b5d2fe2f0cef1919a31f1721d" \
    "28b3ba74a0715be354c79b86e03d328c87b69b8172f0827d054aec4b3b0ab7fad81bbefdb0de33d21a368" \
    "c3191fb3f2f8b472e4b2788d32d3a658f208d28a358b462ced10f3636d9d6563e59a47fa3be4451f5c099" \
    "903f180a80ae"
k = fibonacci(2016)
k = '%x' % k
print 'key: ', k
m = int(c,16) ^ int(k,16)
m ='%x' % m
print "Your message is: ", m.decode('hex')
❯❯❯ python Phase1.py
key:  56444e29da2ce23f0182943154ea69dcb5dc324cb596730ffc957729dd8f20271fa94a872c8b6c760490b7ae5b47cffae2218e206c98483e6e16ae3080cf123dbfb9d7ec347a974b5d2fe2f0cef1919a31f1721d28b3ba74a0715be354c79b86e03d328c87b69b8172f0827d054aec4b3b0ab7fad81bbefdb0de75be7b51ac00b1d61f68e4674a2e42f8b65f1645eb45e858c62a9842aab46a4653abfa765a3cc10fc6cc687191a5fce05a6a24ae80
Your message is:  Flag 1 - Go deeper, deeper, deeper, deeper, deeper...

The 1st flag is: > Flag 1 – Go deeper, deeper, deeper, deeper, deeper…

Phase 2

In the PNG file we discover the following string:

❯❯❯ strings CryptoChallenge-BSidesAthens.png | grep -i xor                                          ⏎
XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR ME XOR

So, we proceed by XORing the file with the cryptographic key discovered in Phase 1.

key = "56444e29da2ce23f0182943154ea69dcb5dc324cb596730ffc957729dd8f20271" \
      "fa94a872c8b6c760490b7ae5b47cffae2218e206c98483e6e16ae3080cf123dbfb" \
      "9d7ec347a974b5d2fe2f0cef1919a31f1721d28b3ba74a0715be354c79b86e03d3" \
      "28c87b69b8172f0827d054aec4b3b0ab7fad81bbefdb0de75be7b51ac00b1d61f" \
      "68e4674a2e42f8b65f1645eb45e858c62a9842aab46a4653abfa765a3cc10fc6c" \
      "c687191a5fce05a6a24ae80"
f = open("CryptoChallenge-BSidesAthens.png",'rb')
data = f.read()
f.close()
decoded = ""
key = key.decode('hex')
for i in range(0, len(data)):
    decoded += chr(ord(data[i]) ^ ord(key[i % len(key)]))

f = open('data.out','wb')
f.write(decoded)
f.close()
❯❯❯ python Phase2.py
❯❯❯ strings data.out | grep -i flag
Flag 3 - Not deep enough.txteR
Flag 3 - Not deep enough.txtPK
Flag 2 - Go even deeper.txt
Flag 2 - Go even deeper.txt

The 2nd flag is: > Flag 2 – Go even deeper

Phase 3

❯❯❯ for i in $(strings data.zip| grep deeper | grep zip | \
    awk -F'.' '{print $1}' | sed -e 's/deeper//g' | sort -rnu); do \
        [ -f deeper${i}.zip ] && unzip deeper${i}.zip; \
    done
❯❯❯ unzip DeepEnough.zip
Archive:  DeepEnough.zip
 extracting: BsidesAthens.zip.AES
  inflating: Flag 3 - Not deep enough.txt
  inflating: keyring.sec
  inflating: message0.enc
  inflating: message1.enc
  inflating: message2.enc
  inflating: secure-message.py
❯❯❯ cat "Flag 3 - Not deep enough.txt"
'''
It took some great skills to reach this point! Congratulations!

Your next challenge will require a bit more effort.
Your objective is to decrypt the archive "BsidesAthens.zip.AES".
The password is long and the algorithm used is AES,
so if you are thinking about brute force, well..., it might
take a very, very, very, very long time.

But there is still hope. The password has been shared "securely"
by the author with three of the organisers and luckily you have
access to all three messages.

You have access to the code used to create the messages.

Maybe you will find some creative way to recover the password.
Good luck, you are almost there! ;)

IMPORTANT NOTE: if you run the script you may erase the original
messages, so it might be a good idea to keep a back-up.

'''

The 3rd flag is: > Flag 3 – Not deep enough

Phase 4

After checking the encryption code we can see that the encryption system used is RSA. The keyring stores the public key of three organisers and we can see that in all three cases the public coefficient is e = 3.

Since we have their public keys, the encrypted messages and a small public coefficient we can extract the message by using the Chinese Remainder Theorem

"""
Code provided by Gavrila
"""

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b%a, a)
        return (g, x-(b//a)*y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        print("The selected value has no inverse.")
    else:
        return x % m

def CRT(n, a, lena):
    p = i = prod = 1; sm = 0
    for i in range(lena): prod *= n[i]
    for i in range(lena):
        p = prod // n[i]
        sm += a[i] * modinv(p, n[i]) * p
    return sm % prod

def invpow(x,n):
    high = 1
    while high ** n < x:
        high *= 2
    low = high/2
    while low < high:
        mid = (low + high) // 2 + 1
        if low < mid and mid**n < x:
            low = mid
        elif high > mid and mid**n > x:
            high = mid
        else:
            return mid
    return mid + 1

pk1=0xb292089cde4f37b0736252371552546e02d39d9f0ad0ae39815d4104132f0b332b525024d8a743c9b675f21238e602a754ae416d76d7dd9b724f34f778e11f6fc9b54214cb4297d1053a48129175dd526ca506ef29b1b9e85d3273605c9ab94cec387ca80674706eda8e1c195f979b6aa020379bc4b6fe62a6d540ba377a11a9
pk2=0xd0ab2e0e7e7dd2f67611a116691c545004f5d701ad106f796f8e4c2d3a1adfdff9cd698d5199b70b5d760f079532b8d23a1a84ed2274c6a7645df2fd5c0f21ba28a3f5859716cc032af0d56087912a82c620a7431767d55768592e090904bf8fa566980b579fcb36431ef736a43086126eb509f8b9614db86540713eb7b494b5
pk3=0xd745072c2055ee0fd2b0a09d2a0251e317c2dafdfbb10c86aa6507d70d53b440ac08271e919a521a4861e0b0ce49a1d591f9bbe49d2d697305639bfbafb7f40adf09c7bf9a82ef5c3a447ea96abc42ba5760e08e3b50ef061bec83684cc4d13d3da9296c450369a577dc6656d38005edf55985ecd7805baaa393dbd885078653

m0=0x96bc126341297a2a2d1861cd649bde1cedc1b6e85223d6946c759da2a04b44d97b7ef01881063c7a1342ed26f5527456f5cf1208c3f7d088f519fa11a9c498b6448a0de709f23380664418773a18e4d37234ad740ae4468e188b0aede0bf586aff4e76695bff5619b2fb701fd417ce0909970de41b4b004317eeb6f7deadf9bc
m1=0x6e6a7fc2c3f398c55820fa3f160121cee6ceeb3f2bd43b7ef28056cd85b29305d313b40a7fd7d33e8646e6302cdfbf857692902c806ba08bd3f9cd1586a976999c74932e910ba496a1da4a0287743c52cbba4e9a59c6cc3d3d91465dd7337ffae6879cade77f907a60acb947173a503f63d5ff32af0c4378fab3bdf083c4c7c3
m2=0x51b03f33c34963f49af063b7022abdde38f69b06b5cc25556893088ee6f46fe5b9ad54d09a3a4ac94b64a3e0a98eda69de4f21e787dcf4e3e3249b1ac283dc43fc9584f97606ee0a43b0d213cc845e7adfcccf884a52c4f85361dc13d6b1492200b59f385c44cb1427d9c92a2f9b5b4c2c5874b4dfc3983b9bdcf1622d619480
n = [pk1, pk2, pk3]
c = [m0, m1, m2]
plainPow3 = CRT(n, c, 3)

p = invpow(plainPow3, 3)
if p*p*p == plainPow3:
    key = "%x" % p
    print "Key used is: ", key
❯❯❯ python Phase4-a.py
Key used is:  791809cb7b659d323733b3583cf491d9151ce599e978d9895fa8c749a243e1daafea37aa69baff2e2e165a1b6fd7c26589d42993127550ff3846660cb14d2fe2

We get the following key: 0x791809cb7b659d323733b3583cf491d9151ce599e978d9895fa8c749a243e1daafea37aa69baff2e2e165a1b6fd7c26589d42993127550ff3846660cb14d2fe2.

Lets use the AES routine saved in the script to decrypt the file.

from .Cipher import AES
import hashlib
import os, random, struct

"""
Code provided by Gavrila
"""

def AESDecryptFile(key, in_filename, chunksize=24*1024):
    out_filename = os.path.splitext(in_filename)[0]
    with open(in_filename, 'rb') as infile:
        origsize = struct.unpack('<Q', infile.read(struct.calcsize('Q')))[0]
        iv = infile.read(16)
        decryptor = AES.new(key, AES.MODE_CBC, iv)
        with open(out_filename, 'wb') as outfile:
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                outfile.write(decryptor.decrypt(chunk))
            outfile.truncate(origsize)

password = 0x791809cb7b659d323733b3583cf491d9151ce599e978d9895fa8c749a243e1daafea37aa69baff2e2e165a1b6fd7c26589d42993127550ff3846660cb14d2fe2
m = hashlib.md5()
m.update(str("%x" %password))
AESkey128b = m.hexdigest()
AESDecryptFile(AESkey128b, 'BsidesAthens.zip.AES')
❯❯❯ python Phase4-b.py
❯❯❯ unzip BsidesAthens.zip
Archive:  BsidesAthens.zip
  inflating: BsidesAthens.exe
  inflating: Flag 4 - Almost there.txt
❯❯❯ cat "Flag 4 - Almost there.txt"
WOW! This is amazing!
You have reached your last challenge.
Find the password and you're done.
Good luck!

The 4th flag is: > Flag 4 – Almost there

Phase 5

❯❯❯ file BsidesAthens.exe
BsidesAthens.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit

We have a standard C++ binary

After checking the file with strings we can see there are some encoded looking ASCII strings.

Lets load the binary in a disassembler.

There is a conditional jump that checks if the password is correct or not.

Before that we can see a simple XOR routine.

The password is checked against XOR(“nbwqzlpkhb”, 3)

❯❯❯ python -c 'for c in "nbwqzlpkhb": print chr(ord(c)^3),' | sed -e 's/ //g'
matryoshka
C:\>BsidesAthens.exe
Please enter your key: matryoshka

Good job!
Flag 5 - Deep as it gets
You have amazing skills#,# but are you ready for a real challenge?
Maybe you should check: https://www.enisa.europa.eu/recruitment/vacancies
Press any key to continue ...

The 5th flag is: > Flag 5 – Deep as it gets

Share This

Share this post with your friends!