A Fine OTP Server

  • Cryptography, RSA
  • 79 points
  • Description: Connect to OTP generator server, and try to find one OTP. nc 66.172.27.77 35156

So in the OTP server, they give us an RSA modulus, an encrypted message, and the function used to encrypt the message. The One Time Pads are encrypted with:

def gen_otps():
  template_phrase = 'Welcome, dear customer, the secret passphrase for today is: '

  # Both OTPs share the same 60-byte prefix and differ only in the last 18 bytes
  OTP_1 = template_phrase + gen_passphrase(18)
  OTP_2 = template_phrase + gen_passphrase(18)
  otp_1 = bytes_to_long(OTP_1)
  otp_2 = bytes_to_long(OTP_2)

  # 2048-bit modulus with a small public exponent
  nbit, e = 2048, 3
  privkey = RSA.generate(nbit, e = e)
  pubkey  = privkey.publickey().exportKey()
  n = getattr(privkey.key, 'n')

  r = otp_2 - otp_1
  if r < 0:
      r = -r
  IMP = n - r**(e**2)
  if IMP > 0:
      # Textbook RSA: the messages are encrypted without any padding
      c_1 = pow(otp_1, e, n)
      c_2 = pow(otp_2, e, n)
  # Note: c_1 and c_2 are never assigned when IMP <= 0
  return pubkey, OTP_1[-18:], OTP_2[-18:], c_1, c_2

The template phrase is 60 bytes long, and OTP_1, which includes the passphrase, is 78 bytes, or 624 bits long. With e = 3, the cubed message is on the order of 624*3 bits long, which is shorter than the 2048-bit modulus, so this doesn't wrap around the modulus! We just need to take the cube root of one of the given encrypted messages, and provide the passphrase it decodes to to the server to get the flag.

~ $ nc 66.172.27.77 35156

|-------------------------------------|
| Welcome to the S3cure OTP Generator |
|-------------------------------------|
| Guess the OTP and get the nice flag!|
| Options:
     [F]irst encrypted OTP
     [S]econd encrypted OTP
     [G]uess the OTP
     [P]ublic key
     [E]ncryption function
     [Q]uit
P
the public key is:
-----BEGIN PUBLIC KEY-----
MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAvdBapg5SXCJHVikgokU0
c0LA67ftF9ZhIrqSETuq3N9ENeyJ8JJ2k4Yhd/6KSAmpeeKBBtCsdGRNTp9Fr0C3
UHHoilQNcY90nemQM9rXvqbHxv1jxqwzXzaa+PMIpYS1L4SuZCS6pg0EHyKyh8yA
hn0bYs++29n3JC3qMZTuUk9qaqmESXYN4h3E+7iagPQSlBOOf7j9oDRr+1xWLy6p
YhdGP5T9D0OLRK1YxtKxfKf2CNcbpmSQbWZsDNNf6XLE/bY/W2cqzLYM/kqelMUW
zCEkDkAB8rbqNMew3vXKPkzAutjOAgHHXyMki7drh69Iqh/PwUdEkFGVJM6qDTlV
nQIBAw==
-----END PUBLIC KEY-----

S
13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959147080496357763457295947526957049778372756495200446608399891341545104439044387558803483395758936347236422777032750389168685961215888900831895812978537767135180444146730600624258885143451110857613987242815230302366387575914921806179951025936110822860493612676495094084562385780429368251618285138710394367778529362284103719513422256240065550184346443798331957264278917052649310159470104960346812700994655607599455558277625

Now we just take the cube root in Python, with the following:

>>> import gmpy
>>> S = 13424849164527521403756445050870196571038349263738328860728317613249912394547060932323343839684520029298203039106900245311207700034998334716959147080496357763457295947526957049778372756495200446608399891341545104439044387558803483395758936347236422777032750389168685961215888900831895812978537767135180444146730600624258885143451110857613987242815230302366387575914921806179951025936110822860493612676495094084562385780429368251618285138710394367778529362284103719513422256240065550184346443798331957264278917052649310159470104960346812700994655607599455558277625
>>> gmpy.root(S,3)
(mpz(23766750386011171096524965335062551726344030679891013787685943574919990535673615479694411579744947646169980809461874073987449785044052175643595830657866834651236910043569261364887415705705L), 1)
>>> a = 23766750386011171096524965335062551726344030679891013787685943574919990535673615479694411579744947646169980809461874073987449785044052175643595830657866834651236910043569261364887415705705L
>>> import binascii
>>> binascii.unhexlify(hex(a)[2:-1])
'Welcome, dear customer, the secret passphrase for today is: UEcAoQ9pGZ16DCWPPi'

If we enter UEcAoQ9pGZ16DCWPPi into our netcat session, we get our flag:

ASIS{0fae19fefbb44b37f9012b561698d19}
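
The no-wrap condition and the cube-root recovery described above, as an added example in Python 3 using only the standard library (not code from the challenge or from the original write-up). The sample OTP, the filler bytes and the modulus stand-in `N_STANDIN` are constructed, and `iroot`, `wraps_modulus` and `recover_unpadded` are hypothetical helper names.

```python
# Added example: constructed values only; nothing here contacts the challenge server.
TEMPLATE = b'Welcome, dear customer, the secret passphrase for today is: '


def iroot(x, k):
    """Return (r, exact) with r = floor(x ** (1/k)), using integer binary search."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def wraps_modulus(msg_bytes, e, nbits):
    """True if msg**e can reach nbits bits, so the reduction mod n may take effect."""
    return len(msg_bytes) * 8 * e >= nbits


def recover_unpadded(c, e):
    """Undo textbook RSA when m**e < n: the ciphertext is m**e over the integers."""
    m, exact = iroot(c, e)
    if not exact:
        return None  # m**e wrapped around n, or c is not a perfect e-th power
    return m.to_bytes((m.bit_length() + 7) // 8, 'big')


E = 3
N_STANDIN = (1 << 2047) + 1234567  # assumption: 2048-bit stand-in, not a real key

# Constructed sample shaped like gen_otps(): 60-byte template + 18-byte passphrase.
SAMPLE_OTP = TEMPLATE + b'CONSTRUCTEDpass018'
C = pow(int.from_bytes(SAMPLE_OTP, 'big'), E, N_STANDIN)

# Constructed contrast: the same message extended to 255 bytes with fixed filler,
# standing in for the random padding a scheme such as OAEP would add.
PADDED = b'\x02' + b'\x5a' * 176 + SAMPLE_OTP
C_PADDED = pow(int.from_bytes(PADDED, 'big'), E, N_STANDIN)

if __name__ == '__main__':
    print(wraps_modulus(SAMPLE_OTP, E, 2048), recover_unpadded(C, E)[-18:])
    print(wraps_modulus(PADDED, E, 2048), recover_unpadded(C_PADDED, E))
```

The unpadded 624-bit message is recovered exactly, while the full-length message wraps the modulus and the integer root no longer yields it.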
