@@ -3,7 +3,7 @@ title: WCTF 2019 BabyPwn
33date : ' 2019-07-06'
44lastmod : ' 2019-07-06T15:08:55+02:00'
55categories :
6- - articles
6+ - writeup
77tags :
88- pwn
99- crypto
@@ -168,7 +168,7 @@ To do so we have to carefully choose the parameters of the DH key exchange.
168168In function dh_exchange at 0x00411ae0 we are asked for 3 hex-encoded values
169169
170170```
171- p (in hexadecimal, length <= 1000) :
171+ p (in hexadecimal, length <= 1000) :
172172q (in hexadecimal, length <= 1000) :
173173g (in hexadecimal, 0x2 <= g <= 0x40 ) :
174174```
@@ -203,7 +203,7 @@ To at least complete the exchange, our parameters p, q, g need to satisfy some c
203203 if (q_bit_len_ge_200 < 0x200) {
204204 return 0;
205205 }
206-
206+
207207 ….
208208
209209p_min_1_mod_q = __gmpz_divisible_p(p_minus_1,q);
@@ -226,7 +226,7 @@ We will be prompted for g^a and then the server will compute the shared key as g
226226``` c
227227// function key_exchange@0x00412064
228228 BCryptGenRandom ((BCRYPT_ALG_HANDLE)0x0,nonce,0x40,2);
229- …..
229+ …..
230230 __ gmpz_set_str(b,nonce_hex,0x10);
231231 __ gmpz_powm(g_to_b,g,b,p);
232232 __ gmp_sprintf(local_8c4,&DAT_00418b38,g_to_b);
@@ -237,7 +237,7 @@ We will be prompted for g^a and then the server will compute the shared key as g
237237
238238### Solution
239239
240- So we need to find a way to choose g^a so that g^ab mod p = 0x0102030405060708091011121314151617181920212223242526272829303132
240+ So we need to find a way to choose g^a so that g^ab mod p = 0x0102030405060708091011121314151617181920212223242526272829303132
241241
242242The key insight to solve the challenge is that g^a = b-th root of 0x0102030405060708091011121314151617181920212223242526272829303132 mod p
243243
@@ -259,7 +259,7 @@ So mainly thanks to point 2 and 3 we can use *pohlig hellman* algorithm to solve
259259
260260To do so we repeatedly
261261
262- 1. generate q as a 0x200 bits prime, then we generate several (in my final exploit ~100) small primes
262+ 1. generate q as a 0x200 bits prime, then we generate several (in my final exploit ~100) small primes
2632632. check that p = 2 * q * primes + 1 is prime
264264Now that we have the correct p and q we can store them to use in the exploit
265265
0 commit comments