KITCTFWe are a group of students, computer security enthusiasts and CTF players mostly from the Karlsruhe Institute of Technology. If you are interested in hacking with us, write us at team@kitctf.de or come to our weekly meetings. We meet every Thursday at 7 pm in the computer science building (50.34), room -120.
https://kitctf.de/
GPNCTF: Trapdoor author writeup<p>For the GPNCTF I wrote a crypto challenge. It was called Trapdoor and at least I thought about using advanced mathematics to solve it.</p>
<p>This is not your typical post where I show you my code and tell you why you are stupid and should start using Sage (you should, but that is not the point).
I will explain some ideas and mathematics I looked at when writing the challenge and when solving it myself. Be warned, it’s certainly not the most efficient or simplest solution.
Also, I stopped when it worked and did not dig any further, so there may be some bugs and oversights that just work somehow.
The relevant part for now was as follows:
The challenge looked like this:</p>
<div class="language-py highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
<span class="n">flagFieldElem</span> <span class="o">=</span> <span class="n">a</span><span class="o">^</span><span class="n">expo</span>
<span class="c1">#all output below here is intended for solve
</span> <span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"Field Base:</span><span class="si">{</span><span class="n">K</span><span class="p">.</span><span class="n">base</span><span class="p">().</span><span class="n">order</span><span class="p">()</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"Field Expo:</span><span class="si">{</span><span class="n">log</span><span class="p">(</span><span class="n">K</span><span class="p">.</span><span class="n">order</span><span class="p">(),</span><span class="n">K</span><span class="p">.</span><span class="n">base</span><span class="p">().</span><span class="n">order</span><span class="p">())</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"NumElems:</span><span class="si">{</span><span class="n">K</span><span class="p">.</span><span class="n">cardinality</span><span class="p">()</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"gen:</span><span class="si">{</span><span class="n">K</span><span class="p">.</span><span class="n">modulus</span><span class="p">()</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="n">minpoly</span> <span class="o">=</span> <span class="n">flagFieldElem</span><span class="p">.</span><span class="n">minpoly</span><span class="p">()</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"Hash is:</span><span class="si">{</span><span class="n">minpoly</span><span class="p">(</span><span class="n">EVAL_VALUE</span><span class="p">)</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
</code></pre></div></div>
<p>The flag was encoded as an integer and a group element was generated by computing \(a^{flag}\) in a Galois field.
But what is a Galois field, how does it work, and how does it relate to polynomials?</p>
<h3 id="why-more-math">Why more math</h3>
<p>Obviously because it is fun. Joking aside, you probably know that \(^{\mathbb{Z}}/_{p\mathbb{Z}}\) is a field if p is a prime. A field in this context means that for all elements (except 0) there is not only an additive but also a multiplicative inverse. And you may have heard your professor or your friends talking about the fact that there are finite fields for every power of a prime number. But when you tried to construct such a field with, say, 25 elements, you (hopefully) failed because you simply could not find the “right way” to define your operations:
Consider \(^{\mathbb{Z}}/_{2\mathbb{Z}} \times ^{\mathbb{Z}}/_{5\mathbb{Z}}\). What would your \(\mathbb{1}\) element be? \((1,0)\) or \((1,1)\), neither will work (if you don’t believe me, try to find out where, it’s a great exercise).</p>
<h4 id="polynomials-for-the-win">Polynomials for the win</h4>
<p>We won’t worry too much about how to construct such fields in detail. The only thing we need to know for now is that we construct such fields L as extensions of other fields K. (Written \(L | K\))
This means that we start with a known field K (e.g. GF(5)) and then add new elements, for simplicity say we add only one element \(a\), more formally we add elements and then consider the smallest field containing the old field and the new elements we added.
The incredibly useful thing (at least for computer people) is that
the new field is then (at least in our case) equivalent to \(^{K[X]}/_{(m_a)}\), where \(m_a \in K[X]\) is the minimal polynomial of \(a\) in K[X]. The latter just means that all coefficients of \(m_a\) are in K (and that it is normed, but we don’t care about that) and \(m_a(a)=0\) and the degree of m is minimal.
Cool, now we have a way to represent such finite fields as polynomials modulo another polynomial.</p>
<h3 id="how-is-this-related-to-the-challenge-">How is this related to the challenge ??</h3>
<p><em>To be very “wrong” and imprecise for a moment: The thing is, we have seen that field extensions are just a fancy way of talking about polynomials and long division. Polynomials are vector spaces, and some vector space things can therefore also be done using field extensions.</em></p>
<p>Consider the map for an \(a \in L\):
\(L \rightarrow L |K \ \
x \mapsto x \cdot a\)
and look at the determinant of this map, this is called the field map \(N_{L|K}: L \rightarrow k,\ \ a \mapsto N_{L|K}(a)\).
This map has many cool properties like being multiplicative (i.e. a homomorphism of the unit groups) and if you consider an element \(a \in L\) with \(m_a = X^n \cdot \alpha_n + ... + \alpha_0\) then
\(N_{L|K}(a) = \pm \alpha_0\) the sign depending on the degree of the extension and the degree of the minimal polynomial. This was a step I had in mind when I created the challenge.
Using this, and the fact that we have multiple instances, we can reduce the key space enough to iterate the remaining possibilities to find the flag.</p>
<h3 id="iterating-the-possible-values">Iterating the possible values</h3>
<p>Galois Theory tells us even more (this was the initial starting point for this challenge…):
\(N_{L|K}(a) = \Pi_{\sigma \in GAL(L|K)} \sigma(a)\). To explain what Galois groups are would go too far but for finite fields we know that they are generated by Frobenius homomorphisms. This means that they are generated by \(x \mapsto x^p\) with p being the characteristic. Thus the norm boils down to \(N_{L|K}(a) = a^\alpha\) for the right \(\alpha\) which can simply be calculated or just be looked up on e.g. wikipedia. Thinking about this a bit longer (you want to get yourself familiar with the concept of primitive roots) we find out that solutions to equations of the form \(y = x^\alpha\) can be altered by the unit group. More formally, if \(\omega\) is a solution to the equation above and \(\phi^\alpha=1\) then \(\omega \cdot \phi\) is indeed also a solution. Personally I am not totally sure about the number of “nontrivial” solutions (or any other detail), so you might want to look this up for peace of mind.</p>
<p>If we now go back to the challenge we get that for one instance the possible values for the flag are a line. If we took two instances and they would intersect we would have found the flag. Sadly they don’t (again I don’t remember that part of the solve that well, so it is left as an exercise).
But this essentially means we can combine multiple instances to get an iterator that skips more elements. This construction is basically a kind of Chinese remainder theorem.
My solve script especially the last part is hideous, so I won’t publish it, but I have included the challenge handout <a href="https://files.ctf.kitctf.de/trapdoor/a053f0f33932977546aa3e9720188e42cd8a1c6921ce95908f5f35766e2f53d6/trapdoor.tar.gz">here</a> so feel free to try to solve it yourself.</p>
<h3 id="related-resources">Related resources</h3>
<p>If you want to know more about Galois theory, consider visiting a university course if you have the chance, otherwise there are many great online resources and books, such as <a href="https://www.maths.ed.ac.uk/~tl/gt/gt.pdf">this</a> (be warned that most of Galois theory is not about finite fields), but you will probably want to start with an introduction to groups and algebra in general first.</p>
Sat, 01 Jun 2024 00:00:00 +0000
https://kitctf.de/writeups/galois
https://kitctf.de/writeups/galoisIntro Talks 2024<p>Starting on the 25th of April, we will be holding introductory talks for the main categories of Capture the Flag.
We meet on Thursdays at 7pm in the CS building <a href="https://www.kit.edu/campusplan/">50.34</a>, <strong>room -101</strong>. Please bring a laptop if possible.</p>
<p><strong>Attention:</strong> This is not our customary meeting place. We meet there for space reasons.</p>
<ul>
<li>25.04.24: What are CTFs? & Web Security
<ul>
<li><a href="/talks/2024-04-25-intro/slides.pdf">Intro Slides</a>, <a href="/talks/2024-04-25-webintro/slides.pdf">Web Slides</a></li>
</ul>
</li>
<li>02.05.24: Reverse Engineering
<ul>
<li><a href="/talks/2024-05-02-revintro/slides.pdf">Rev Slides</a></li>
</ul>
</li>
<li>16.05.24: Binary Exploitation (room -10<strong>2</strong>)
<ul>
<li><a href="/talks/2024-05-16-pwnintro/slides.pdf">Pwn Slides</a></li>
</ul>
</li>
<li>06.06.24: Cryptography
<ul>
<li><a href="/talks/2024-06-06-cryptointro/slides.pdf">Crypto Slides</a></li>
</ul>
</li>
</ul>
Thu, 11 Apr 2024 00:00:00 +0000
https://kitctf.de/intro/
https://kitctf.de/intro/KalmarCTF 2024: Symmetry writeupFri, 29 Mar 2024 00:00:00 +0000
https://ik0ri4n.de/kalmarctf-24-symmetry
https://kitctf.de/writeups/kalmarctf24-symmetryGoogle Capture The Flag 2023: oldschool and UBF writeupFri, 29 Mar 2024 00:00:00 +0000
https://ik0ri4n.de/google-ctf-23
https://kitctf.de/writeups/googlectf_oldschool-and-ubfBraekerCTF 2024 – Injecting Commands – WriteupSun, 03 Mar 2024 00:00:00 +0000
https://intrigus.org/research/2024/03/03/braeker-ctf-2024-injecting-commands-writeup/
https://kitctf.de/writeups/braeker-ctf-injecting-commandsTalk: Frida Game Hacking<p>CTF challenges are usually well-behaved programs. But what do you do in more complex cases such as games, messenger applications (e.g. e2e encryption) or mobile applications (e.g. certificate pinning)?
Frida to the rescue!</p>
<p>The talk covers:</p>
<ul>
<li>how the frida architecture works.</li>
<li>how to ignore certificate errors in mobile applications.</li>
<li>a live demo on how to use frida to solve a game hacking challenge from an internal CTF.</li>
</ul>
<p>The slides can be found <a href="/talks/2023-12-07-frida-game-hacking/_game__hacking_with_frida.re.pdf">here</a> and the code of the live demo <a href="/talks/2023-12-07-frida-game-hacking/index.ts">here</a>.</p>
<p>The demo project has been set up like this:</p>
<div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>sysctl kernel.yama.ptrace_scope<span class="o">=</span>0
pip <span class="nb">install </span>frida-tools
frida-create <span class="nt">-t</span> agent
npm i
npm run watch
frida <span class="nt">-l</span> _agent.js craft <span class="c"># game has to already run</span>
</code></pre></div></div>
<p>The workshop was held on 2023-12-07.</p>
Wed, 20 Dec 2023 00:00:00 +0000
https://kitctf.de/learning/frida-game-hacking
https://kitctf.de/learning/frida-game-hackingTalk: Insecure GitHub Actions<p>You know GitHub Actions, these small building blocks that make your dev life easier… But they can also get you pwned in no time, if you are not careful.</p>
<p>The talk covers:</p>
<ul>
<li>the basic structure of a GitHub Actions workflow.</li>
<li>the general permission model of GitHub Actions.</li>
<li>insecure templating and executing user-controlled code in privileged workflows.</li>
<li>cache poisoning in workflows.</li>
</ul>
<p>The slides can be found <a href="/talks/2023-10-26-insecure-github-actions/insecure-github-actions.pdf">here</a>. The workshop was held on 2023-10-26.</p>
Thu, 02 Nov 2023 00:00:00 +0000
https://kitctf.de/learning/insecure-github-actions
https://kitctf.de/learning/insecure-github-actionsCSR23 simple-asmTue, 31 Oct 2023 00:00:00 +0000
https://wachter-space.de/2023/10/01/simple-asm/
https://kitctf.de/writeups/csr-simple-asmCyberSecurityRumble Quals & Finals 2023: Exterminate & PCaSTue, 31 Oct 2023 00:00:00 +0000
https://ik0ri4n.de/rumble-23
https://kitctf.de/writeups/csr-exterminate-pcasCyber Security Rumble Finals CTF 2023 – elkcip – WriteupTue, 31 Oct 2023 00:00:00 +0000
https://intrigus.org/research/2023/10/29/cyber-security-rumble-finals-ctf-2023-elkcip-writeup/
https://kitctf.de/writeups/csr-elkcip