Post

HackTheBox Interception Writeup

Posted
By x3ric
3 min read

Explore the basics of cybersecurity in the Interception Challenge on Hack The Box. This medium-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/521

Description

In the midst of escalating conflict between the nations of Luson and Oumara, a recent invasion by Oumara has sparked suspicions about the existence of an internal communication channel. Fearing further strikes, the Luson government takes proactive measures to counter Oumara's attacks. You were assigned the task of investigating their secure channel and determining whether you can obtain any sensitive information. Eventually, you gain access to the channel and even manage to send encrypted messages of your own. Can you reveal Oumara's secret plans to safeguard your nation from potential future invasions?

Exploitation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

#!/usr/bin/env python3
from hashlib import sha256
from math import gcd
from pwn import process, remote, sys, context
from sage.all import PolynomialRing, primes, Zmod
from Crypto.Util.number import bytes_to_long, long_to_bytes

context.log_level = 'error'

def get_process():
    if len(sys.argv) > 1:
        ip, port = sys.argv[1].split(':')
        remote(ip, int(port))
    else:
        print(f"Usage: {sys.argv[0]} <ip:port>.")
        sys.exit(1)

def exploit_channel():
    e = 65537
    guessed_greet = bytes_to_long(b'Hey!')
    guessed_greet_e = pow(guessed_greet, e)
    guessed_ans = bytes_to_long(b'Bye!')
    guessed_ans_e = pow(guessed_ans, e)
    n = 0
    while True:
        io = get_process()
        try:
            io.recvuntil(b'We say : ')
            enc_greet = int(io.recvline().decode(), 16)
            enc_anss = set()
            while len(enc_anss) < 3:
                io.sendlineafter(b'> ', b'S')
                io.sendlineafter(b'You say : ', hex(guessed_greet_e).encode())
                io.recvuntil(b'Nice! We say : ')
                enc_anss.add(int(io.recvline().decode(), 16))
            n = max(gcd(guessed_greet_e - enc_greet, guessed_ans_e - enc_ans) 
                    for enc_ans in enc_anss)
            for p in primes(100):
                if n % p == 0:
                    n //= p
            if n.bit_length() == 2048 and n & 1:
                break
            io.close()
        except Exception:
            io.close()
            continue
    io.sendlineafter(b'> ', b'F')
    io.sendlineafter(
        b'Before giving you the token, you must prove me that you know the public key : ',
        sha256(str(n).encode()).hexdigest().encode(),
    )
    io.recvuntil(b'Here is your token : ')
    token = int(io.recvline().decode())
    d = 1024 - 643
    q_H = (token >> d) << d
    x = PolynomialRing(Zmod(n), names='x').gens()[0]
    q_L = int((x + q_H).small_roots(X=2 ** d, beta=0.499)[0])
    q = q_H + q_L
    assert n % q == 0 and 1 < q < n
    p = n // q
    phi_n = (p - 1) * (q - 1)
    exp = pow(0xdeadbeef, n, phi_n)
    key = long_to_bytes(pow(0x1337, exp, n))[:16]
    io.sendlineafter(b'> ', b'R')
    io.sendlineafter(b'Enter decryption key : ', key.hex().encode())
    return io.recvall().decode()

def main():
    try:
        print(exploit_channel())
    except Exception as e:
        print(f"Exploit failed: {e}")

if __name__ == '__main__':
    main()

Summary

The Interception Challenge on Hack The Box is a medium-level task that focuses on cryptographic exploitation and reverse engineering. The scenario involves investigating a secure communication channel between two nations, Luson and Oumara, to uncover sensitive information and prevent future invasions. The challenge requires analyzing an encrypted communication protocol and extracting the public key modulus (n) by exploiting the RSA encryption scheme. The provided Python script automates the process of interacting with the channel, guessing encrypted messages, and calculating the private key components (p and q) to decrypt the token. By leveraging mathematical techniques such as the Greatest Common Divisor (GCD) and polynomial root-finding, the script successfully decrypts the token and retrieves the flag. This challenge highlights the importance of understanding cryptographic vulnerabilities and demonstrates how mathematical tools can be used to break encryption schemes. It serves as an excellent exercise for those interested in cryptography and cybersecurity.

challenge
htb challenge writeup linux crypto
This post is licensed under CC BY 4.0 by the author.