crypto · free · hard

Infosekurus Query

HackTheBox

Task: Custom auth system with RSA-encrypted passcode (13 key pairs), AES-ECB Merkle-Damgard hash oracle, and 2FA token verification. Solution: Leak phi via non-coprime exponent e=8192, recover passcode with successive square roots + CRT, exploit operator precedence bug in rxor to get true hash from oracle, then Merkle-Damgard length extension + offline brute-force of 12^5 candidates to forge 2FA token.

$ ls tags/ techniques/
rsa_phi_leak_non_coprime_exponent  successive_modular_square_roots_crt  merkle_damgard_length_extension  offline_hash_brute_force  operator_precedence_exploitation


Description

"I warned my boss, Mr. Dam, that guarding his sensitive data with a custom authentication system wasn't secure at all. He laughed and bet me that if I could somehow bypass it, he would give everyone in the office a promotion. Upon hearing this, the entire office UNIted is rooting for me..."

The server implements a custom authentication system with three options:

  1. Encrypted Passcode — RSA encryption of a secret passcode using one of 13 key pairs with different exponents
  2. Hash Oracle — Custom Merkle-Damgard hash (AES-ECB based) with a 27-byte input limit
  3. Authenticate — Submit the passcode, then guess a 2FA token derived from the hash of passcode + answer + randomized values

The hints in the description point to the attack: "Mr. Dam" → Merkle-Damgard construction, "UNIted" → combining/union of techniques.

Analysis

Component 1: RSA with phi leak

The Generator.encrypt() method has a critical vulnerability:

    if GCD(self.phi, self.e) == 1:
        self.phi = None  # phi hidden when RSA is "correct"
    # Otherwise phi is LEAKED in the response!

The 13 exponents are [65537, 4001, 11093, 7727, 32189, 19373, 8192, 7867, 599741, 919, 3697, 227, 9613]. The exponent at index 6 is e = 8192 = 2^13, which is never coprime with phi = (p-1)(q-1): p and q are odd primes, so phi is always even. This means phi is leaked in the response for this key pair.

With N and phi, we can factor N: since p + q = N - phi + 1 and p * q = N, p and q are the two roots of the quadratic x^2 - (N - phi + 1)x + N = 0.

However, since GCD(e, phi) = GCD(2^13, (p-1)(q-1)) > 1, standard RSA decryption (d = e^{-1} mod phi) doesn't work. We need modular nth-root extraction.
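
The relationship in Component 1, as an added example (not code from the challenge or from this write-up): it shows that publishing phi is equivalent to publishing the factorization, and how a key generator can refuse an unusable exponent instead of leaking phi. The function names and the toy primes are constructed for illustration.

```python
from math import gcd, isqrt

# The 13 public exponents listed in the write-up.
EXPONENTS = [65537, 4001, 11093, 7727, 32189, 19373, 8192,
             7867, 599741, 919, 3697, 227, 9613]

# Constructed toy primes, far too small for real use.
P, Q = 1000003, 1000033
N, PHI = P * Q, (P - 1) * (Q - 1)


def factor_from_phi(n: int, phi: int) -> tuple[int, int]:
    """Recover (p, q) from n = p*q and phi = (p-1)*(q-1).

    p and q are the roots of x^2 - s*x + n = 0, where s = p + q = n - phi + 1.
    """
    s = n - phi + 1
    disc = s * s - 4 * n            # equals (p - q)^2 for a genuine phi
    if disc < 0:
        raise ValueError("phi is inconsistent with n")
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        raise ValueError("phi is inconsistent with n")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("phi is inconsistent with n")
    return p, q


def exponent_is_usable(e: int, phi: int) -> bool:
    """Key-generation check: e must be invertible mod phi.

    Any even e fails, because phi is even for odd primes p and q.
    A failing exponent should be rejected, never answered with phi.
    """
    return e > 1 and gcd(e, phi) == 1


def rejected_exponents(phi: int) -> list[int]:
    """Exponents from the list that a correct generator would refuse."""
    return [e for e in EXPONENTS if not exponent_is_usable(e, phi)]


if __name__ == "__main__":
    print("factors from (N, phi):", factor_from_phi(N, PHI))
    print("rejected exponents:", rejected_exponents(PHI))
```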

Component 2: Operator precedence bug in rxor

...