$ cat writeup.md…
$ cat writeup.md…
HackTheBox
Task: ECC oracle with missing point validation + quantum key exchange using Bell states and Python PRNG. Solution: invalid-curve attack via singular curve y^2=x^3 recovers private key in one query, then PRNG prediction + Bell-state anti-correlation recovers AES key.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
"In our company, we use Elliptic Curve Cryptography to encrypt our internal communications. Fearing the consequences that the rise of quantum computing will bring, we decided to implement a new key exchange scheme. While researching Quantum Cryptography, we came across a strange concept called entanglement and decided to incorporate it into our server."
We are given a server with two menu options:
The exploit is a true two-stage chain:
The relevant code is in twisted_entanglement/server.py and twisted_entanglement/util.py.
server.py exposes this behavior:
point = parseUserPoint(user_point) public_key = multiply(private_key, point, E)
The curve parameters are secp256k1-style:
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663 a = 0 b = 7
However, util.py implements point addition and doubling using only a and p:
def add(P, Q, a, m): ... if (P[0] == Q[0] and P[1] == Q[1]): S = ((3 * (pow(P[0], 2)) + a) * eea(2 * P[1], m)[1]) % m else: S = ((Q[1] - P[1]) * eea((Q[0] - P[0]) % m, m)[1]) % m
The implementation never checks whether a user-supplied point lies on the intended curve
y^2 = x^3 + 7 (mod p), and it never uses b = 7 in the group law.
So the bug is not a weakness in secp256k1 itself. The actual issue is:
b,That is exactly an invalid-curve vulnerability.
...
$ grep --similar