Real World CTF Finals 2019

Glad to participate in the on-site finals of Real World CTF in Beijing! Here I would like to share the solution to the challenges I solved.

Bank2

• Type: Crypto
• Keywords: Elliptic curve, Schnorr signature algorithm

Description

Our bank has invested in a HUGE security upgrade. Now we are equipped with the latest interactive multi-signature protocol to keep your assets safe. Your satisfaction is our first priority.

Solution

Similar to the challenge Bank in Real World CTF 2019 Quals (Ref), the server-side implements the Schnorr signature algorithm. The difference between these two implementations is the verifying function:

def cosi_verify(c, s, pk, m):
    if (not on_curve(pk)):
        print('Not on curve')
        return False
    cPrime = sha256(bytes_point(point_add(point_mul(G, s), point_mul(pk, n-c))) + m)
    if cPrime == c:
        return True
    return False

The main logic of the server’s code is:

# generate server's public-private key pair
sk, pk = generate_keys()
print('sk, pk =', sk, pk)
...
if msg[0] == '0': # withdraw
    ...
    if cosi_verify(C, S, pk, 'WITHDRAW'):
        req.sendall("Here is your coin: %s\n" % FLAG)
if msg[0] == '1': # deposit
    r = p - Random.random.randint(5, p/2**16)
    req.sendall("%s\n" % repr((point_mul(G, r), pk)))
    ...
    c = sha256(bytes_point(T) + 'DEPOSIT')
    s = r + c * sk
    req.sendall("%s\n" % repr(s))
    ...
    if cosi_verify(C, S, PK, 'DEPOSIT'):
        balance += 100
        req.sendall('Coin Deposited')

In the deposit method, T and PK are provided by us. The bug happens at line 14, it should be s = (r + c * sk) % n instead (credit to @fweasd). Notice that the s we received equals to p - r' + c * sk, where r' is around 240 bits. Since we know the value of p, c, we can calculate the value of sk = (s - p)//c + 1, which is the secret key of the server. Then, we sign the message "WITHDRAW" with the secret key and get the flag by the withdraw method.

Exploit:

G = ... # base point
n = ... # order of the group
p = ... # mod p

def sign(sk, msg):
    rn = 0x9453
    T = point_mul(G, rn)
    c = sha256(bytes_point(T) + msg)
    s = (rn + c * sk) % n
    return c, s, T

r = remote(host, port)
sk, pk = generate_keys()
c, s, T = sign(sk, 'DEPOSIT')
server_s = deposit(r, (T, pk), (c, s))

server_sk = (server_s - p) // c + 1
c, s, _ = sign(server_sk, 'WITHDRAW')
withdraw(r, (c, s))

# rwctf{2r0unD_Schn0Rr_1s_N07_5AfE._cHEck_tH3_0ak1aNDl9_p4p3r}

Montagy

• Type: Smart contract
• Keywords: Solidity inline assembly, EVM bytecode, z3

Solution

TL;DR

By the newPuzzle method, create a new puzzle that has the same tag value as one of the existing puzzles to pass the isOfficialChecksum check. Let our new puzzle call solve to the proxy contract, and the proxy contract will send out all the ether it has.

Detailed Write-up

In this challenge, our goal is to let the balance of the proxy contract become 0, and then we will receive the flag in a transaction sent from the game server.

The code of the proxy contract is:

pragma solidity ^0.5.11;

contract Montagy{
    address payable public owner;
    mapping(bytes32=>bool) isOfficialChecksum;
    ...
    
    modifier onlyPuzzle(){
        require(puzzleChecksum[msg.sender] != 0);
        _;
    }
    ...
    
    function registerCode(bytes memory a) public onlyOwner {
        isOfficialChecksum[tag(a)]=true;
    }
    
    function newPuzzle(bytes memory code) public onlyGameOn returns(address addr){
        bytes32 cs = tag(code);
        require(isOfficialChecksum[cs]);
        
        addr = deploy(code);
        lastchildaddr=addr;
        puzzleChecksum[addr] = cs;
    }
    
    function solve(string memory info) public onlyGameOn onlyPuzzle {
        owner.transfer(address(this).balance);
        winnerinfo = info;
    }
    ...
    
    function tag(bytes memory a) pure public returns(bytes32 cs){
        assembly{
            let groupsize := 16
            let head := add(a,groupsize)
            let tail := add(head, mload(a))
            let t1 := 0x21711730
            let t2 := 0x7312f103
            let m1,m2,m3,m4,p1,p2,p3,s,tmp
            for { let i := head } lt(i, tail) { i := add(i, groupsize) } {
                s := 0x6644498b
                tmp := mload(i)
                m1 := and(tmp,0xffffffff)
                m2 := and(shr(0x20,tmp),0xffffffff)
                m3 := and(shr(0x40,tmp),0xffffffff)
                m4 := and(shr(0x60,tmp),0xffffffff)
                for { let j := 0 } lt(j, 0x4) { j := add(j, 1) } {
                    s := and(add(s, 0x68696e74),0xffffffff)
                    p1 := sub(mul(t1, 0x10), m1)
                    p2 := add(t1, s)
                    p3 := add(div(t1,0x20), m2)
                    t2 := and(add(t2, xor(p1,xor(p2,p3))), 0xffffffff)
                    p1 := add(mul(t2, 0x10), m3)
                    p2 := add(t2, s)
                    p3 := sub(div(t2,0x20), m4)
                    t1 := and(add(t1, xor(p1,xor(p2,p3))), 0xffffffff)
                }
            }
            cs := xor(mul(t1,0x100000000),t2)
        }
    }
}

The full source code can be found on Ropsten: Proxy contract

By inspecting the transactions to the proxy contract, we may notice that the owner had registered and deployed two puzzles via the registerCode and newPuzzle methods. Also, their source code can be found on Ropsten: side contract 1, side contract 2. However, these two puzzles are not computationally feasible to solve.

How about creating a new puzzle that calls server.solve() directly? To make this happen, the new puzzle should be deployed via newPuzzle and should pass the isOfficialChecksum check at line 20. While only the owner is allowed to register a new checksum (tag value), we have to construct a new puzzle that has the same tag value as one of the existing puzzles.

First, write a contract which simply calls solve to the proxy contract:

contract P3 {
    Montagy public server;
    constructor() public {
        server = Montagy(0xD068fcC44525569fB593189c8f22827cF0f50f3f);
    }
    function do_solve() public {
        server.solve('balsn');
    }
}

Compile this contract and get its deploy bytecode. Note that whatever we pad at the end of the bytecode will not change the deploy result. Therefore, we choose to find proper padding to our bytecode to control its tag value. According to the source code of the proxy contract, to calculate the tag value, the method tag iterates from the start of the bytecode to the end. Since we can calculate the tag value of the unpadded bytecode beforehand, we only have to focus on the last iteration, where the padding is the input bytes.

Here is a script for finding proper padding:

from z3 import *

def find(last, target):
    t1, t2 = int(last[:8], 16), int(last[8:], 16)
    tar1, tar2 = int(target[:8], 16), int(target[8:], 16)

    s = 0x6644498b
    s = BitVecVal(s, 256)
    m1 = BitVec('m1', 256)
    m2 = BitVec('m2', 256)
    m3 = BitVec('m3', 256)
    m4 = BitVec('m4', 256)

    for j in range(4):
        s = (s + 0x68696e74) & 0xffffffff
        p1 = (t1<<4) - m1
        p2 = t1 + s
        p3 = (t1>>5) + m2
        t2 = (t2 + (p1^(p2^p3))) & 0xffffffff
        p1 = (t2<<4) + m3
        p2 = t2 + s
        p3 = (t2>>5) - m4
        t1 = (t1 + (p1^(p2^p3))) & 0xffffffff

    sol = Solver()
    sol.add(And(t1 == tar1, t2 == tar2))
    if sol.check():
        m = sol.model()
        m_l = map(lambda x: m[x].as_long(), [m4, m3, m2, m1])
        pad = 0
        for x in m_l:
            pad <<= 0x20
            pad |= x
        return hex(pad)[2:].zfill(32)
    else:
        raise Exception('No solution')

Append the padding to our deploy bytecode, and call newPuzzle in the proxy contract with the padded bytecode as the parameter. After our contract is deployed, call the do_solve method in our contract. All ether that the proxy contract has will be sent out, and then we will get the flag: rwctf{cOd3_i5_CH3ep_sHoW_mE_tHe_OPcdE...Oh_&&_1_CUP_of_T_PlEA53_:P}