def challenge15() -> bool: GOOD = b"ICE ICE BABY\x04\x04\x04\x04" BAD_1 = b"ICE ICE BABY\x05\x05\x05\x05" BAD_2 = b"ICE ICE BABY\x01\x02\x03\x04" RESULT = b"ICE ICE BABY" flag = True if pkcs7_unpad(GOOD) != RESULT: flag = False try: pkcs7_unpad(BAD_1) except PKCS7Error: pass else: flag = False try: pkcs7_unpad(BAD_2) except PKCS7Error: pass else: flag = False return flag
def _oracle(iv: bytes, ct: bytes) -> bool: cbc = AESCipher(AESCipher.MODE_CBC, _KEY, iv=iv) try: pkcs7_unpad(cbc.decrypt(ct)) except PKCS7Error: return False return True
def _g_equal_p_minus_one() -> bool: g = _p - 1 a = DHClient(_p, g) b = DHClient(a.p, a.g) a.gen_session_key(b.public_key) b.gen_session_key(a.public_key) a_encrypted_msg = a.encrypt_msg(_msg) b_encrypted_msg = b.encrypt_msg(_msg) a_decrypted_msg = a.decrypt_msg(*b_encrypted_msg) b_decrypted_msg = b.decrypt_msg(*a_encrypted_msg) if a.public_key == g and b.public_key == g: key = g else: key = 1 key = sha1(key.to_bytes(floor(key.bit_length() / 8) + 1, "big"))[:16] iv = a_encrypted_msg[0] cbc = AESCipher(AESCipher.MODE_CBC, key, iv=iv) mitm_decrypted = pkcs7_unpad(cbc.decrypt(a_encrypted_msg[1])) return mitm_decrypted == a_decrypted_msg == b_decrypted_msg == _msg
def _attack(iv: bytes, ct: bytes) -> bytes: cipher_blocks = [iv] + get_blocks(ct) pt = b"" for i in reversed(range(1, len(cipher_blocks))): ct_block_previous = cipher_blocks[i - 1] ct_block_current = cipher_blocks[i] intermediate_block = b"" for j in reversed(range(16)): ctb_prefix = gen_random_bytes(j) ctb_suffix = b"" for k in range(len(intermediate_block)): ctb_suffix += bytes([(16 - j) ^ intermediate_block[k]]) n = 0 for m in range(256): ctb = ctb_prefix + bytes([m]) + ctb_suffix if _oracle(ctb, ct_block_current): n = m break intermediate_block = bytes([n ^ (16 - j)]) + intermediate_block pt = bytes([ct_block_previous[j] ^ int(intermediate_block[0]) ]) + pt return pkcs7_unpad(pt)
def _is_admin(token: bytes) -> bool: decrypted_token = pkcs7_unpad(_ctr.decrypt(token)) cookie = _parse_cookie(decrypted_token.decode("latin")) if cookie.get("admin", False) == "true": return True else: return False
def decrypt_msg(self, iv: bytes, msg: bytes) -> bytes: key = sha1( self._session_key.to_bytes( floor(self._session_key.bit_length() / 8) + 1, "big"))[:16] cbc = AESCipher(AESCipher.MODE_CBC, key, iv=iv) return pkcs7_unpad(cbc.decrypt(msg))
def challenge13() -> bool: cookie = _parse_cookie( pkcs7_unpad(_ecb.decrypt(_attacker())).decode("ascii")) if cookie["role"] == "admin": return True else: return False
def challenge34() -> bool: p = int.from_bytes( bytes.fromhex("ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024" "e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd" "3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec" "6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f" "24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361" "c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552" "bb9ed529077096966d670c354e4abc9804f1746c08ca237327fff" "fffffffffffff"), "big", ) g = 2 msg = b"test" a = DHClient(p, g) b = DHClient(a.p, a.g) a.gen_session_key(b.p) b.gen_session_key(a.p) a_encrypted_msg = a.encrypt_msg(msg) b_encrypted_msg = b.encrypt_msg(msg) a_decrypted_msg = a.decrypt_msg(*b_encrypted_msg) b_decrypted_msg = b.decrypt_msg(*a_encrypted_msg) key = 0 key = sha1(key.to_bytes(floor(key.bit_length() / 8) + 1, "big"))[:16] iv = a_encrypted_msg[0] cbc = AESCipher(AESCipher.MODE_CBC, key, iv=iv) mitm_decrypted = pkcs7_unpad(cbc.decrypt(a_encrypted_msg[1])) return mitm_decrypted == a_decrypted_msg == b_decrypted_msg == msg
def test_pkcs7_padding_del_block(self): a = gen_random_bytes() b = Padding.pad(a, 16) c = pkcs7_unpad(b) assert c == a, "The result does not match the expected value"