Puzzle given to us:
A Web application is given to us in which it allows us to download a certificate that we can use to upload and login into the system as citizen. The objective is to find a way to login as king.
Recommended Tools:
-
Analysing the File:
Analyzing the downloaded file, it contains only 1 line (btw the below line is "randomized" every time you download from the server)
vDxkdtmGels=KUdOWbuM0mE=
this file seems like 2 x base 64 to me, lets decode it... seems garbish.. hmmm i wonder wth is it...
so let's ignore the garbish ascii for now and we hex the decoded value.
let's then modify the contents by changing the end bytes of the 1st block and encode it back to base64. Submit the cert up... we see a popup: padding error.
Crap its the padding oracle problem as i had suspected =(
Solving the Puzzle:
Padding Oracle has been used in some captcha algorithm. However such approach is vulnerable to attack. We are given 2 things the IV and the crypted message. So i guess the 2 x base64 given to us means this.
The attack begins like this... we do not touch the crypted message rather we modify the IV (initialization vector) so that we are able to decipher what is the intermediate value of this padding oracle problem. Once the intermediate value is deciphered, we would have solved 90% of the puzzle. What we can do now is to xor the intended plaintext with the intermediate value and use it as the IV.
Note: there are few errors that the web application will prompt to us... they are
- Padding Error = the IV caused the plaintext padding to be malformed. Theoritically, if there are 2 empty space in a block the block should be "a b c d e f 0x02 0x02" the hex 02 indicates how many padded bytes there are. if the IV caused the plain text to be "a b c d e f 0x01 0x02" This will cause padding error.
- Class Error = this is generated when you change the IV until the web application logic is unable to determine which class you belong to. For instance lets say you are a citizen and somehow you changed one of the byte making it into citazen. This will generate a class Error.
the above is a brief summary of how an attacker would approach this problem. Now for step by step illustration.
- Decode base64
- Hex it
- Generate 256 different last byte
- upload to server to test result
- only 1 successful login, the rest are all padding error
- The plain text last byte is a 0x01 [Reason: if the last byte is 0x02, we should get 2 non padding error]
- since we know the plain text (0x01) and we know the IV hex, we can derive the intermediate value by (0x01 ^ IV's last byte)
- Now we repeat step 3 to 7 to get the 2nd last byte of the intermediate value but this time we form the IV in such a way that the last byte of the plain text become 0x02
- After bruteforcing for 256 times we will only have 1 class error and the rest are padding error... the class error indicates that we found the correct IV for the last 2nd byte to force that plain text into 0x02. We can derive the IV for the 2nd last byte.
- the above steps repeats until we get the full intermediate value.
Once we got the intermediate value, we can derive the plain text easily by taking the IM xor with the IV. We found that the plain text is actually nezitic0x01 which stands for citizen and 1 padding. So using my spider sense we can change this plaintext into king followed by 4 padding... which is ...gnik0x040x040x040x04 and xor with the IM to get the IV needed to do the spoofing job. We re encode the data back into base 64 and resubmit the ctf file to the server. =D we are logged in as the king!
My orginal CTF File contents is: vDxkdtmGels=KUdOWbuM0mE=
My edited CTF File contents is: tTd3dKnrHV4=KUdOWbuM0mE=
cheers
Elucidator
No comments:
Post a Comment