nullcon2022

2022-04-09

cookielover

sign.py:

#!/usr/bin/env sage

from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.PublicKey import RSA
from secret import flag
import sys

msg = 'I love cookies.'
key = RSA.importKey(open('privkey.pem','r').read())

def int_to_str(n):
	if n == 0:
		return ''
	return int_to_str(n // 256) + chr(n % 256)

def str_to_int(s):
	res = 0
	for char in s:
		res *= 256
		res += ord(char)
	return res

def sign(msg : bytes):
	#I will not talk about cookies.
	if b'cookie' in msg:
		return 0
	#no control characters allowed in message
	if any([c < 32 for c in msg]):
		return 0
	return pow(bytes_to_long(msg), key.d, key.n)

def verify(number : int):
	if str_to_int(msg) == pow(number, key.e, key.n):
		return flag
	else:
		return 'wrong signature'

def loop():
	while True:
		print('Choose an option:\n1:[text to sign]\n2:[number - signature to check]\n')
		sys.stdout.flush()
		cmd = sys.stdin.buffer.readline().strip()
		if cmd[:2] == b'1:':
			print(sign(cmd[2:]))
		elif cmd[:2] == b'2:':
			print(verify(int(cmd[2:].decode())))
		else:
			print('Wrong input format')

if __name__ == '__main__':
	try:
		loop()
	except Exception as err:
		print(repr(err))

pubkey.pem:

题目实现了一个交互系统，即RSA的签名和验证。要获得flag，需要把’I love cookies.’对应的签名值发送给服务器验证，但后端有限制，包含’cookie’字段的信息不能给予签名。那么解决方案就是把I love cookies对应的long分拆为几段相乘，分几次签名，最后把得到的签名相乘模n即可。当我们把对应的long分解后发现，无论如何组合，至少会有一个部分转字节以后包含控制字符，而控制字符会引发return 0，签名中止。所以这里的解决方案是将能组合转为非控制字符的因子先组合，最后还剩下一个2，只需要找一个字符（比如, 对应的ascii码为44）和2相乘，相乘以后值为88，满足大于32，可以通过验证。但是这样三部分返回的签名值的乘积实际上是I love cookies 和,相乘的值的签名。要得到目的签名，还需要单独提交一次,去签名，返回的签名值的逆乘上前三部分的积就是我们要找的签名值。最后将这个签名值提交获得flag。

脚本来自于hash小可爱：

from pwn import *
from Crypto.Util.number import *

p = remote('52.59.124.14', 10301)
n = 627899638620348165952388990522362943219167647703242555126529002762314824033856763779600883952817660826446193366180558404001743645736309588454828883085902718305151841122152492702789177388248278843151899277145366368497644816958932681194310493530735472278784913119515955737461424614381265051048363121603834763504324915645740970410151356775466957231658895331944477355558254745407352049029866844585699779615276876659171453548611760317083667131480857534167022256190387128240235942362100638580848234239994626580879318259554019293030331932909851115390444612931324590544216595532828392984535075519617908613735309535581818936579393182356672567588204231940696703902104442372182127756608305971949766096755370359256602310166623759046402739891910186296934546060117757733337481788717663789292120669952863240116069789409662118797757976324875166693470960188730286439673715780705054208551961776647376233377578685773466781298871624832223010430897754327042048709909951786009950779126218407497861049677284100165082818633096819398841034676325246453744426596960679469392024438909063059041031005468380750983790438412987580747308496905480963722915339379525187096258241609862382136863831836079727256351264365036343487660547253741547621662792064883655640794203
s1 = 6673 * 5
s2 = 189344417922901
s3 = 30051184098398543 * 2 * 44

def int_to_str(n):
    if n == 0:
        return ''
    return int_to_str(n // 256) + chr(n % 256)

pay1 = '1:' + int_to_str(s1)
p.recv()
p.sendline(pay1)
m1 = int(p.recvline()[:-1])
pay2 = '1:' + int_to_str(s2)
p.recv()
p.sendline(pay2)
m2 = int(p.recvline()[:-1])
pay3 = '1:' + int_to_str(s3)
p.recv()
p.sendline(pay3)
m3 = int(p.recvline()[:-1])
pay4 = '1:,'
p.recv()
p.sendline(pay4)
m4 = int(p.recvline()[:-1])

msign = m1 * m2 * m3 * inverse(m4, n) % n
pay5 = '2:' + str(msign)
p.sendline(pay5)
p.interactive()

# ENO{F4ct0r_and_Conqu3r!}