Stuck on signing an ECDSA Cookie NEED HELP



      Hi guys…
      Actually I'm stuck on a CTF challenge. The topic is to sign a new cookie and log in to a web application. The vulnerability is like the PS3 hack with ECDSA. Something is wrong in my Python script and the generated cookie will not work.

      Can anyone help me solve this riddle?

      import base64
      from base64 import b64encode
      from hashlib import sha256
      from urllib.parse import quote, unquote

      from ecdsa import SECP256k1, SigningKey, util
      from ecdsa.numbertheory import inverse_mod

      n_group = SECP256k1.order

      ## Decoding Cookie 1
      ## Cookie layout: base64(message + b'--' + DER-encoded ECDSA signature)
      cookie1 = "c3RpYmUxLS0wRgIhAP%2F5e9V1Xu6kIEU6FDVSNdOC9kcvhWihiy8FehRgKXVWAiEAhRgxa%2FukMckoHQwp3pMRK2hLVQuNHVWoCRw%2FGv2KqfI%3D"

      # Split on the first separator only: the DER bytes themselves may contain b'--'
      m1, sig1 = base64.b64decode(unquote(cookie1).encode()).split(b'--', 1)
      r1, s1 = util.sigdecode_der(sig1, n_group)
      z1 = util.string_to_number(sha256(m1).digest())

      ## Decoding Cookie 2
      cookie2 = "YWRtaW4tLTBFAiEA//l71XVe7qQgRToUNVI104L2Ry%2BFaKGLLwV6FGApdVYCIC0U6xeKmCP5vNm1Yvsft8BojbZM4efrHEfE3A69ovLA"
      m2, sig2 = base64.b64decode(unquote(cookie2).encode()).split(b'--', 1)
      r2, s2 = util.sigdecode_der(sig2, n_group)
      z2 = util.string_to_number(sha256(m2).digest())

      ## Exploitation can only be done if r1=r2
      if r1 == r2:
          print("[INFO] VULNERABLE, r1=r2 !!! {EVIL LAUGH}")
          r = r1

          # Same nonce k in both signatures: k = (z1 - z2) / (s1 - s2) mod n
          k = (((z1 - z2) % n_group) * inverse_mod((s1 - s2) % n_group, n_group)) % n_group

          print("got k:{:x}".format(k))

          # From s = k^-1 * (z + r*dA) mod n:  dA = (s*k - z) / r mod n.
          # The hash z2 is subtracted, and every reduction is modulo the group order.
          dA = (((s2 * k - z2) % n_group) * inverse_mod(r, n_group)) % n_group

          #print("private key", dA)
          print("got dA: 0x{:x}".format(dA))

          sk = SigningKey.from_secret_exponent(dA, curve=SECP256k1, hashfunc=sha256)

          ## Payload / Message
          payload = b'admin'

          new_signature = sk.sign(payload, k=k, hashfunc=sha256, sigencode=util.sigencode_der)

          val = payload + b'--' + new_signature

          cookie = quote(b64encode(val))

          print("cookie1:", cookie)
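The condition the script tests (`r1 == r2`) is also what a defender would audit for. The following is an added example, not part of the original post: a standard-library check that parses cookies in this challenge's format and reports any `r` value shared by signatures over different messages. The function names are hypothetical, the two sample cookies are the ones quoted in the post, and it assumes short-form DER lengths (true for 256-bit curves).

```python
import base64
from collections import defaultdict
from urllib.parse import unquote

# The two cookies quoted in the post, plus one constructed malformed value.
COOKIES = [
    "c3RpYmUxLS0wRgIhAP%2F5e9V1Xu6kIEU6FDVSNdOC9kcvhWihiy8FehRgKXVWAiEAhRgxa%2FukMckoHQwp3pMRK2hLVQuNHVWoCRw%2FGv2KqfI%3D",
    "YWRtaW4tLTBFAiEA//l71XVe7qQgRToUNVI104L2Ry%2BFaKGLLwV6FGApdVYCIC0U6xeKmCP5vNm1Yvsft8BojbZM4efrHEfE3A69ovLA",
    "bm90LWEtY29va2ll",  # constructed: base64("not-a-cookie"), no separator
]

def der_int(buf, pos):
    """Read one DER INTEGER at buf[pos]; return (value, next position)."""
    if buf[pos] != 0x02 or buf[pos + 1] >= 0x80:  # short-form length only
        raise ValueError("expected DER INTEGER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf) or end == pos + 2:
        raise ValueError("truncated or empty DER INTEGER")
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_cookie(cookie):
    """Split base64(message + b'--' + DER signature) into (message, r, s)."""
    raw = base64.b64decode(unquote(cookie))
    msg, sig = raw.split(b"--", 1)  # the DER bytes may themselves contain b'--'
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("expected DER SEQUENCE")
    r, pos = der_int(sig, 2)
    s, pos = der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return msg, r, s

def find_nonce_reuse(cookies):
    """Return {r: sorted messages} for each r that signs 2+ distinct messages."""
    by_r = defaultdict(set)
    for c in cookies:
        try:
            msg, r, _ = parse_cookie(c)
        except (ValueError, IndexError):
            continue  # malformed cookie: nothing to compare
        by_r[r].add(msg)
    return {r: sorted(msgs) for r, msgs in by_r.items() if len(msgs) > 1}

if __name__ == "__main__":
    for r, msgs in find_nonce_reuse(COOKIES).items():
        print("repeated r = 0x{:x} across messages {}".format(r, msgs))
```

Any hit means the signer reused a nonce and the signing key should be treated as exposed; the usual fix is deterministic nonce generation (RFC 6979) and rotating the key.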



Copyright ©2020 Caendra, Inc.
