
Protocol Analysis 7: Mediation

metactf

Task: analyze a certificate-based authentication protocol exposed over HTTP and recover the flag from Bob. Solution: exploit an identity-misbinding mediation flaw by relaying Alice's opener to Bob, learning Bob's nonce, then getting Alice to sign that nonce for attacker-controlled identity mallory.

Tags / techniques: identity_misbinding, mediation_attack, signature_relay, responder_identity_confusion, nonce_substitution


Description

Alice send: pubA, A, certA, nA
Bob recv:   pubA, A, certA, nA
Bob send:   pubB, B, certB, nB, {B, nB, nA}privB
Alice recv: pubX, X, certX, nX, {X, nX, nA}privX
Alice send: {A, nX, nA}privA
Bob recv:   {A, nB, nA}privA
Bob send:   [FLAG]

Source: https://github.com/UMBCCyberDawgs/dawgctf-sp26/blob/main/Protocol%20Analysis%20(1-9)/Protocol_Analysis_chals.pdf

This challenge presents a simple authentication protocol between Alice and Bob. The goal is to drive the live service, satisfy Bob's authentication checks, and make him release the flag without possessing Alice's private key.

Recon

The service lives at https://protocols.live.

  • POST /model/7 creates a fresh protocol instance and returns a conn_id.
  • The same conn_id must be reused for both /alice and /bob inside that instance.
  • Empty content to /alice triggers Alice's first send.
  • Messages are pipe-delimited typed fields such as k:<hex>, n:<name>, d:<hex>, t:<text>.

Observed message shapes:

Alice first message: k:<pubA>|n:alice|d:<certA>|d:<nA>
Bob reply:           k:<pubB>|n:bob|d:<certB>|d:<nB>|d:<sigB>

One subtle but important quirk is that signatures are verified over the literal typed-text framing, not over a reconstructed abstract tuple. Bob's signature verifies against:

t:n:bob|d:<nB>|d:<nA>

So when forging the attacker-controlled message for Alice, we must also sign the exact literal form:

t:n:mallory|d:<nB>|d:<nA>

Vulnerability

This protocol is vulnerable to an identity misbinding / mediation attack.

Bob signs (B, nB, nA), but Alice does not include Bob's identity, Bob's public key, or Bob's certificate in what she later signs. Alice only signs (A, nX, nA). That means an attacker can:

...
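To make the misbinding concrete, here is a small symbolic model of the exchange (an added example, not the challenge's or the service's own code). It reproduces the literal typed-text framing described above, lets Alice answer an arbitrary responder X, and compares the original rule (Alice signs only A, nX, nA) with a hardened variant where the peer name is bound into her signed text and checked by Bob. Assumptions: Bob verifies Alice's reply over the framing t:n:alice|d:<nB>|d:<nA>, signatures are modelled as (private key, message) pairs that cannot be forged, and the key names and nonces are constructed stand-ins.

```python
# Symbolic (Dolev-Yao style) model of the Protocol Analysis 7 exchange.
# Assumption: Bob checks Alice's reply over frame("alice", nB, nA); keys and
# nonces below are constructed placeholders, not values from the service.
from typing import Optional, Tuple

PAIRS = {"pubA": "privA", "pubB": "privB", "pubM": "privM"}  # constructed keys
Sig = Tuple[str, str]

def frame(name: str, n1: str, n2: str, peer: Optional[str] = None) -> str:
    """Literal typed text that gets signed; peer is the hardened extra field."""
    base = f"t:n:{name}|d:{n1}|d:{n2}"
    return base if peer is None else f"{base}|n:{peer}"

def sign(priv: str, msg: str) -> Sig:
    """Unforgeable symbolic signature: the pair (signing key, exact message)."""
    return (priv, msg)

def verify(pub: str, msg: str, sig: Sig) -> bool:
    return sig == (PAIRS[pub], msg)

def alice_respond(pubX: str, X: str, nX: str, sigX: Sig,
                  nA: str, bind_peer: bool) -> Optional[Sig]:
    """Alice checks X's signature over (X, nX, nA) and answers with her own."""
    if not verify(pubX, frame(X, nX, nA), sigX):
        return None
    # Original rule: Alice signs (A, nX, nA) and never names who she talks to.
    # Hardened rule: she also binds the responder name X into the signed text.
    return sign("privA", frame("alice", nX, nA, X if bind_peer else None))

def bob_accept(sigA: Sig, nB: str, nA: str, bind_peer: bool) -> bool:
    """Bob releases the flag only if Alice's signature matches his own view."""
    expected = frame("alice", nB, nA, "bob" if bind_peer else None)
    return verify("pubA", expected, sigA)

def run(bind_peer: bool, mediated: bool) -> bool:
    """Drive one session; True means Bob accepts Alice's final message."""
    nA, nB = "a1a1", "b2b2"  # constructed nonces
    bob_sig = sign("privB", frame("bob", nB, nA))  # Bob's honest reply
    if mediated:
        # A mediator forwards Alice's opener to Bob, sees nB in Bob's reply,
        # and presents that nB to Alice under the name mallory with key pubM.
        pubX, X, sigX = "pubM", "mallory", sign("privM", frame("mallory", nB, nA))
    else:
        pubX, X, sigX = "pubB", "bob", bob_sig
    sigA = alice_respond(pubX, X, nB, sigX, nA, bind_peer)
    return sigA is not None and bob_accept(sigA, nB, nA, bind_peer)
```

With bind_peer=False the mediated run is accepted by Bob, because the text Alice signs for mallory is byte-for-byte the text Bob expects from her; with bind_peer=True the same run fails at Bob's check since Alice signed n:mallory rather than n:bob.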
