This is a challenge from Cryptography section of Standcon 2021. The challenge wants us to forge a signature of a zip file.
Statement
I’ve always wanted to drive a vehicle on another planet! I found the website they used to install software on Ingenuity. Could you help me get access to it pretty please?
fromshutilimportrmtreeimportsubprocessimportzipfilefromCrypto.HashimportSHA512fromCrypto.PublicKeyimportRSAfromCrypto.SignatureimportPKCS1_v1_5SETUP_FILE='setup_script.py'SIGNATURE_FILE='signature.bin'ZIP_DIR='firmware/'# Checks if signature is correct
classSignature:def__init__(self,zip_filename='ingenuity_software-38575ea.zip'):self.zip_filename=zip_filenameself._updateDir()def__del__(self):self.zip.close()def_updateDir(self):self.zip=zipfile.ZipFile(self.zip_filename,'r')self.files=self.zip.namelist()def_checkValid(self):assertZIP_DIR+SETUP_FILEinself.filesassertZIP_DIR+SIGNATURE_FILEinself.filesdef_xor(self,str1,str2):assertlen(str1)==len(str2)returnbytes((b1^b2forb1,b2inzip(str1,str2)))def_calculateHash(self):try:self.files.remove(ZIP_DIR+SIGNATURE_FILE)except:passfinal=b'\x00'*64forfileinself.files:contents=self.zip.read(file)h=SHA512.new(data=file.encode())h.update(contents)final=self._xor(final,h.digest())self.files=self.zip.namelist()returnfinaldef_signFiles(self,hash,priv='private_key.der'):key=RSA.import_key(open(priv,'rb').read())digest=SHA512.new(hash)returnPKCS1_v1_5.new(key).sign(digest)def_verifySignature(self,hash,pub='static/keys/public_key.der'):key=RSA.import_key(open(pub,'rb').read())returnPKCS1_v1_5.new(key).verify(SHA512.new(hash),self.zip.read(ZIP_DIR+SIGNATURE_FILE))defgenSig(self,write=True):try:hash=self._calculateHash()sig=self._signFiles(hash)ifwriteisTrue:withzipfile.ZipFile(self.zip_filename,'a')aszipW:zipW.writestr(data=sig,zinfo_or_arcname=ZIP_DIR+SIGNATURE_FILE)except:print('Something went wrong')returnFalseself.zip.close()self._updateDir()returnsigdefcheckSig(self):try:self._checkValid()except:print('setup_script.py or signature.bin missing!')returnFalsetry:hash=self._calculateHash()returnself._verifySignature(hash)except:print('Something went wrong')returnFalse# Checks if zip file is legit
defcheckZip(file):returnzipfile.is_zipfile(file)# Runs setup script if signature is valid
defrunSetup(zip):path=zip.filename[:-4]+'/'zip.extractall(path=path)subprocess.run(['python',SETUP_FILE],cwd=path+ZIP_DIR)rmtree(path)
Observation
First thing to do is to try to break the public key. It might be misconfigured RSA.
We can use RSACtfTool to do this. But unfortunately, it is not vulnerable.
Usually if the private key is not retrivable, the only thing left for us to do is to try and exploit the hash function.
Observe that the hash function works by xor the hash for every files in the zip… This looks sus
Solution
And indeed it is vulnerable! The idea is to create two identical file so that their hash will be cancelled after xor both of them together.
But how do we create 2 identical file? As we have the restriction to not able to create 2 files with the same name…
This means that it is actually doing hash(file.encode() + file.content()).
And file.encode() is just the filepath of the file!
So we can just modify the filename to create 2 files with the same hash!
Example:
If we have a file
setup_script.py
print('hello')
The hash will be hash('setup_script.py' + 'print('hello')')
The identical file can be
setup_scr
ipt.pyprint('hello')
The hash will be hash('setup_scr' + 'ipt.pyprint('hello')')
These 2 files will have the same hash!
The challenge also provided us a valid zip with a valid signature. We need to insert our own setup_script.py with a reverse shell script to gain access to the server.