HackTheBox
A complex three-part cryptographic challenge combining:
1. BLS signatures with aggregation (vulnerable to a rogue-key attack)
2. EC-LCG (Elliptic Curve Linear Congruential Generator) PRNG with truncated outputs
3. A custom zero-knowledge proof with predictable challenge bits
"In their quest for materials and information, the crew finds themselves facing an unexpected challenge in a city governed by automated robots programmed to shoot non-registered residents on sight. Undeterred, they employ their hacking prowess to infiltrate the city's central control hub, where the robotic overlords oversee the administration of law and order"
Goal: Call unveil_secrets with an aggregated BLS signature from ALL verified robots.
The server implements a SuperComputer class managing robots with BLS key pairs. It accepts the commands create, join, verify, list, unveil_secrets and exit; each request is a JSON object of the form {"cmd": "...", ...} and the server answers with a JSON response. The message that has to be signed is b'unveil_secrets'.

The server uses FastAggregateVerify without proper proof-of-possession (PoP). This is a classic vulnerability in BLS signature aggregation: nothing forces a registrant to prove it knows the secret key behind its public key, so a key chosen as a function of the other registered keys can cancel them out of the aggregate.
The Attack:
If we know the aggregate of all existing public keys sum(Pk_i), we can craft a malicious public key:
Pk' = sk * G1 - sum(Pk_i)
Where sk is a secret key we control (e.g., sk = 1337).
When all public keys are aggregated:
Pk_agg = sum(Pk_i) + Pk' = sum(Pk_i) + sk*G1 - sum(Pk_i) = sk * G1
Now bls.Sign(1337, b'unveil_secrets') passes FastAggregateVerify against the aggregated public key!
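The attack above and the PoP check that stops it, as an added example that is not part of the writeup or the challenge server. It uses a toy BLS: the group is the additive group Z_Q with generator G and the "pairing" is multiplication mod Q, which is bilinear, so the verification algebra is the same as in real BLS, but discrete logs are trivial, so none of this is a secure scheme. All names (Q, G, rogue_key, run_attack, the domain tags) are this example's own assumptions, not the server's API.

```python
# Added example, not the challenge's or the writeup's own code.
# Toy model of the rogue-key attack on BLS FastAggregateVerify: the group is
# the additive group Z_Q with generator G, and the "pairing" is plain
# multiplication mod Q. That map is bilinear, so the verification algebra is
# identical to real BLS, but discrete logs are trivial here, so nothing in
# this file is a secure signature scheme.
from __future__ import annotations

import hashlib
import secrets

Q = 2**255 - 19   # prime order of the toy group (assumed, any large prime works)
G = 7             # generator (any non-zero element of Z_Q)


def hash_to_group(msg: bytes, domain: bytes) -> int:
    """Toy hash-to-curve: domain-separated SHA-256 mapped to a multiple of G."""
    h = int.from_bytes(hashlib.sha256(domain + msg).digest(), "big") % Q
    return (h * G) % Q


def pairing(a: int, b: int) -> int:
    """Symmetric bilinear map: e(xG, yG) = x*y*G^2 mod Q."""
    return (a * b) % Q


def keygen() -> tuple[int, int]:
    sk = secrets.randbelow(Q - 1) + 1
    return sk, (sk * G) % Q


def sign(sk: int, msg: bytes) -> int:
    return (sk * hash_to_group(msg, b"BLS_SIG")) % Q


def aggregate_keys(pks: list[int]) -> int:
    return sum(pks) % Q


def fast_aggregate_verify(pks: list[int], msg: bytes, sig: int) -> bool:
    """FastAggregateVerify: e(sum(Pk_i), H(m)) == e(G, sigma). No PoP check."""
    return pairing(aggregate_keys(pks), hash_to_group(msg, b"BLS_SIG")) == pairing(G, sig)


def rogue_key(sk_attacker: int, honest_pks: list[int]) -> int:
    """Pk' = sk*G - sum(Pk_i); the honest keys cancel out of the aggregate."""
    return (sk_attacker * G - sum(honest_pks)) % Q


def sign_pop(sk: int, pk: int) -> int:
    """Proof of possession: sign your own public key under a separate domain tag."""
    return (sk * hash_to_group(pk.to_bytes(32, "big"), b"BLS_POP")) % Q


def verify_pop(pk: int, pop: int) -> bool:
    """Accept pk only if the registrant can sign pk with pk's own secret key."""
    return pairing(pk, hash_to_group(pk.to_bytes(32, "big"), b"BLS_POP")) == pairing(G, pop)


def run_attack(n_honest: int = 3, sk_attacker: int = 1337,
               msg: bytes = b"unveil_secrets") -> dict[str, bool]:
    honest = [keygen() for _ in range(n_honest)]   # robots already registered
    honest_pks = [pk for _, pk in honest]           # the keys the attacker learns
    pk_rogue = rogue_key(sk_attacker, honest_pks)
    sig = sign(sk_attacker, msg)                    # one signature, one known key
    return {
        # aggregate of all keys collapses to sk_attacker*G, so the lone signature verifies
        "naive_accepts": fast_aggregate_verify(honest_pks + [pk_rogue], msg, sig),
        # without the rogue key the same signature is rejected
        "honest_only_accepts": fast_aggregate_verify(honest_pks, msg, sig),
        # the attacker cannot produce a PoP for Pk' with the only secret it holds
        "pop_accepts_rogue": verify_pop(pk_rogue, sign_pop(sk_attacker, pk_rogue)),
        "pop_accepts_honest": all(verify_pop(pk, sign_pop(sk, pk)) for sk, pk in honest),
    }


if __name__ == "__main__":
    print(run_attack())
```

The fix is the one the writeup names: require a proof of possession at registration (the join step here), so every aggregated key is one whose discrete log its owner has demonstrated. In the toy group the attacker could of course recover sk' for Pk' directly; on BLS12-381 it cannot, which is exactly why the PoP check closes the hole. py_ecc's G2ProofOfPossession ciphersuite ships PopProve/PopVerify alongside FastAggregateVerify for this purpose.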
The PRNG uses P-256 curve with the recurrence:
W_{n+1} = W_n + G
...