PicoCTF - AES-ABC

tags: PicoCTF CTF Crypto

Background

What is PPM file?

Source code

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

#!/usr/bin/env python from Crypto.Cipher import AES from key import KEY import os import math BLOCK_SIZE = 16 UMAX = int(math.pow(256, BLOCK_SIZE)) def to_bytes(n): s = hex(n) s_n = s[2:] if 'L' in s_n: s_n = s_n.replace('L', '') if len(s_n) % 2 != 0: s_n = '0' + s_n decoded = s_n.decode('hex') pad = (len(decoded) % BLOCK_SIZE) if pad != 0: decoded = "\0" * (BLOCK_SIZE - pad) + decoded return decoded def remove_line(s): # returns the header line, and the rest of the file return s[:s.index('\n') + 1], s[s.index('\n')+1:] def parse_header_ppm(f): data = f.read() header = "" for i in range(3): header_i, data = remove_line(data) header += header_i return header, data def pad(pt): padding = BLOCK_SIZE - len(pt) % BLOCK_SIZE return pt + (chr(padding) * padding) def aes_abc_encrypt(pt): cipher = AES.new(KEY, AES.MODE_ECB) ct = cipher.encrypt(pad(pt)) blocks = [ct[i * BLOCK_SIZE:(i+1) * BLOCK_SIZE] for i in range(len(ct) / BLOCK_SIZE)] iv = os.urandom(16) blocks.insert(0, iv) for i in range(len(blocks) - 1): prev_blk = int(blocks[i].encode('hex'), 16) curr_blk = int(blocks[i+1].encode('hex'), 16) n_curr_blk = (prev_blk + curr_blk) % UMAX blocks[i+1] = to_bytes(n_curr_blk) ct_abc = "".join(blocks) return iv, ct_abc, ct if __name__=="__main__": with open('flag.ppm', 'rb') as f: header, data = parse_header_ppm(f) iv, c_img, ct = aes_abc_encrypt(data) with open('body.enc.ppm', 'wb') as fw: fw.write(header) fw.write(c_img)

Recon

這一題也蠻有趣的，可以先看一下他怎麼加密的

1. 先把ppm file的header, data parse出來
2. 在51行用AES-ECB加密data，而我們知道ECB mode就很不安全
3. 在53行再把每一個block分出來並在開頭的地方插入initial vector
4. 57-62行的for-loop，就是把兩個block相加再mod UMAX就是對應的下一個block的值，意即:

\(c[0] \leftarrow Initial\ Vector=AES[0]\\ c[i+1] \leftarrow (AES[i+1]+c[i])\ \% \ 2^{128}\\ k*2^{128} \leftarrow AES[i+1]+c[i]-c[i+1],\ k \in \{0,1\}, \{AES[\ ], c[\ ]\} \in 2^{128}\) 所以綜上所述，我們可以把ciphertext還原成AES的版本，這樣應該可以看到flag的一些資訊，即使不知道一開始的key也可以(從最後面的block算回來) \(AES[i] \leftarrow k*2^{128}-c[i-1]+c[i]\)

Exploit

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77

#!/usr/bin/env python from Crypto.Cipher import AES # from key import KEY import os import math BLOCK_SIZE = 16 UMAX = int(math.pow(256, BLOCK_SIZE)) def to_bytes(n): s = hex(n) s_n = s[2:] if 'L' in s_n: s_n = s_n.replace('L', '') if len(s_n) % 2 != 0: s_n = '0' + s_n decoded = bytes.fromhex(s_n)#s_n.decode('hex') pad = (len(decoded) % BLOCK_SIZE) if pad != 0: decoded = b"\0" * (BLOCK_SIZE - pad) + decoded return decoded def remove_line(s): # returns the header line, and the rest of the file return s[:s.index(b'\n') + 1], s[s.index(b'\n')+1:] def parse_header_ppm(f): data = f.read() header = b"" for i in range(3): header_i, data = remove_line(data) header += header_i return header, data def pad(pt): padding = BLOCK_SIZE - len(pt) % BLOCK_SIZE return pt + (chr(padding) * padding) def abc_decrypt(ct): blocks = [ct[i * BLOCK_SIZE:(i+1) * BLOCK_SIZE] for i in range(len(ct) // BLOCK_SIZE)] k = 0 for idx in range(len(blocks)-1, 0, -1): curr_blk = int(blocks[idx].hex(), 16) prev_blk = int(blocks[idx-1].hex(), 16) if (k * UMAX + curr_blk - prev_blk) < 0: tmp = UMAX + curr_blk - prev_blk else: tmp = curr_blk - prev_blk blocks[idx] = to_bytes(tmp) pt_abc = b"".join(blocks) return pt_abc if __name__=="__main__": with open('body.enc.ppm', 'rb') as f: header, data = parse_header_ppm(f) pt_img = abc_decrypt(data) # iv, c_img, ct = aes_abc_encrypt(data) with open('body.dec.ppm', 'wb') as fw: fw.write(header) fw.write(pt_img)

Flag: picoCTF{d0Nt_r0ll_yoUr_0wN_aES}

Reference

AES-ABC Write up