Cover Image

HTB Crypto Challenges

 March 27, 2021    HackTheBox


Alice sent two times the same message to Bob.

We throw the two .pem files in Crypto Playground and get two RSA public keys with the same modulo. The encryption is vulnerable to a common modulus attack:

from base64 import b64decode, b64encode
from libnum import xgcd, invmod, n2s

e1 = int('', 16)
e2 = int('', 16)
N = int('', 16)
c1 = ''
c2 = ''

c1 = int.from_bytes(b64decode(c1), 'big')
c2 = int.from_bytes(b64decode(c2), 'big')

def common_modulus(e1, e2, c1, c2, N):
    # Extended Euclidean algorithm
    a, b, d = xgcd(e1,e2)

    # Invert negative factor
    if b < 0:
        c2 = invmod(c2, N)
        b = -b
    if a < 0:
        c1 = invmod(c1, N)
        a = -a

    # Get the message (c1^a * c2^b) % N
    m = (pow(c1,a,N) * pow(c2,b,N)) % N
    return [m, a, b, d]

m, _, _, _ = common_modulus(e1,e2,c1,c2,N)
flag = n2s(m)


Who needs AES when you have XOR?

We get a program that XORs a key with the flag and the resulting cipher is found in the output.txt. The first 4 characters "134af6e1" are know to be "HTB{" so we can use CyberChef and the XOR Brute Force function to calculate the key which is "5b1eb49a".


The Bank of the World is under attack. Hackers found a way in and locked the admins out. However, the netcat authentication by the intruders is not perfectly secure. Could you help the admins log in?

First we obtain the ciphertext of username cdmin and password g0ld3n_b0y. The first block (i.e. the first 16 bytes) of this ciphertext is the ciphertext of logged_username=, the ciphertext of this block is also the IV for our second block (CBC Mode). In decryption mode the IV is XORed with the result of the decryption function, we can thus modify bits in the second block by flipping the corresponding bit in the IV.

The binary representation of a is 1100001, the binary representation of c is 1100011. We thus need to flip the second bit of the first byte of the ciphertext giving as a modified ciphertext which when fed into the program decrypts to <16 random bytes>admin&password=g0ld3n_b0y giving us the flag.

Or you can automate this task using any character instead of a, e.g. b:

k = 'cipher from bdmin + g0ld3n_b0y'

from binascii import unhexlify, hexlify

c = unhexlify(k)
cc = ord('a') ^ ord('b')
ccc = hexlify(bytearray([c[0] ^ cc]) + c[1:])