From c9ebec10143cc0db79cd5b26dd7fcdfa6fa616b0 Mon Sep 17 00:00:00 2001 From: Yan Date: Sun, 29 Sep 2024 00:45:44 -0700 Subject: [PATCH] add encryption level of POA --- cryptography/aes-cbc-poa-enc/.init | 4 +++ cryptography/aes-cbc-poa-enc/DESCRIPTION.md | 19 ++++++++++++++ cryptography/aes-cbc-poa-enc/dispatcher | 14 ++++++++++ cryptography/aes-cbc-poa-enc/worker | 29 +++++++++++++++++++++ cryptography/aes-cbc-poa/DESCRIPTION.md | 6 +++++ cryptography/module.yml | 2 ++ 6 files changed, 74 insertions(+) create mode 100755 cryptography/aes-cbc-poa-enc/.init create mode 100644 cryptography/aes-cbc-poa-enc/DESCRIPTION.md create mode 100755 cryptography/aes-cbc-poa-enc/dispatcher create mode 100755 cryptography/aes-cbc-poa-enc/worker diff --git a/cryptography/aes-cbc-poa-enc/.init b/cryptography/aes-cbc-poa-enc/.init new file mode 100755 index 0000000..fc5fecd --- /dev/null +++ b/cryptography/aes-cbc-poa-enc/.init @@ -0,0 +1,4 @@ +#!/bin/bash + +dd if=/dev/urandom of=/challenge/.key bs=16 count=1 +chmod 600 /challenge/.key diff --git a/cryptography/aes-cbc-poa-enc/DESCRIPTION.md b/cryptography/aes-cbc-poa-enc/DESCRIPTION.md new file mode 100644 index 0000000..5a25d74 --- /dev/null +++ b/cryptography/aes-cbc-poa-enc/DESCRIPTION.md @@ -0,0 +1,19 @@ +You're not going to believe this, but... a Padding Oracle Attack doesn't just let you decrypt arbitrary messages: it lets you _encrypt_ arbitrary data as well! +This sounds too wild to be true, but it is. +Think about it: you demonstrated the ability to modify bytes in a block by messing with the previous block's ciphertext. +Unfortunately, this will make the previous block decrypt to garbage. +But is that so bad? +You can use a padding oracle attack to recover the exact values of this garbage, and mess with the block before that to fix this garbage plaintext to be valid data! +Keep going, and you can craft fully controlled, arbitrarily long messages, all without knowing the key! +When you get to the IV, just treat it as a ciphertext block (e.g., plop a fake IV in front of it and decrypt it as usual) and keep going! +Incredible. + +Now, you have the knowledge you need to get the flag for this challenge. +Go forth and forge your message! + +---- +**FUN FACT:** +Though the Padding Oracle Attack was [discovered](https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf) in 2002, it wasn't until 2010 that researchers [figured out this arbitrary encryption ability](https://static.usenix.org/events/woot10/tech/full_papers/Rizzo.pdf). +Imagine how vulnerable the web was for those 8 years! +Unfortunately, padding oracle attacks are _still_ a problem. +Padding Oracle vulnerabilities come up every few months in web infrastructure, with the latest (as of time of writing) [just a few weeks ago](https://www.cvedetails.com/cve/CVE-2024-45384/)! diff --git a/cryptography/aes-cbc-poa-enc/dispatcher b/cryptography/aes-cbc-poa-enc/dispatcher new file mode 100755 index 0000000..e8d7962 --- /dev/null +++ b/cryptography/aes-cbc-poa-enc/dispatcher @@ -0,0 +1,14 @@ +#!/opt/pwn.college/python + +import os + +from base64 import b64encode +from Crypto.Cipher import AES +from Crypto.Util.Padding import pad +from Crypto.Random import get_random_bytes + +key = open("/challenge/.key", "rb").read() +cipher = AES.new(key=key, mode=AES.MODE_CBC) +ciphertext = cipher.iv + cipher.encrypt(pad(b"sleep", cipher.block_size)) + +print(f"TASK: {b64encode(ciphertext).decode()}") diff --git a/cryptography/aes-cbc-poa-enc/worker b/cryptography/aes-cbc-poa-enc/worker new file mode 100755 index 0000000..8bd847e --- /dev/null +++ b/cryptography/aes-cbc-poa-enc/worker @@ -0,0 +1,29 @@ +#!/opt/pwn.college/python + +from base64 import b64decode +from Crypto.Cipher import AES +from Crypto.Util.Padding import unpad +from Crypto.Random import get_random_bytes + +import time +import sys + +key = open("/challenge/.key", "rb").read() + +while line := sys.stdin.readline(): + if not line.startswith("TASK: "): + continue + data = b64decode(line.split()[1]) + iv, ciphertext = data[:16], data[16:] + + cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv) + plaintext = unpad(cipher.decrypt(ciphertext), cipher.block_size).decode('latin1') + + if plaintext == "sleep": + print("Sleeping!") + time.sleep(1) + elif plaintext == "please give me the flag, kind worker process!": + print("Victory! Your flag:") + print(open("/flag").read()) + else: + print("Unknown command!") diff --git a/cryptography/aes-cbc-poa/DESCRIPTION.md b/cryptography/aes-cbc-poa/DESCRIPTION.md index 0aaa5ac..db13187 100644 --- a/cryptography/aes-cbc-poa/DESCRIPTION.md +++ b/cryptography/aes-cbc-poa/DESCRIPTION.md @@ -23,6 +23,12 @@ Go recover the flag! **HINT:** You'll need to slightly adjust this attack for the 16th byte of a block, since there is no padding at all initially, but I trust in your ability to do so! +**HINT:** +The previous challenges had just one ciphertext block, and you messed with its decryption by changing the IV. +This level has multiple blocks. +Keep in mind that to mess with the decryption of block N, you must modify ciphertext N-1. +For the first block, this is the IV, but not for the rest! + **FUN FACT:** The only way to prevent a Padding Oracle Attack is to avoid having a Padding Oracle. Depending on the application, this can be surprisingly tricky: a failure state is hard to mask completely from the user/attacker of the application, and for some applications, the padding failure is the only source of an error state! diff --git a/cryptography/module.yml b/cryptography/module.yml index 79bdb3b..7a56f92 100644 --- a/cryptography/module.yml +++ b/cryptography/module.yml @@ -39,6 +39,8 @@ challenges: name: AES-CBC Resizing - id: aes-cbc-poa name: "AES-CBC: Padding Oracle Attack" +- id: aes-cbc-poa-enc + name: "AES-CBC: Padding Oracle Encryption" - id: level-6 name: DHKE - id: level-7