Internetwache CTF 2016: Bank (crypto 90)

Description

Everyone knows that banks are insecure. This one super secure and only allows only 20 transactions per session. I always wanted a million on my account.
Attachment: crypto90.zip

Exploit

In this challenge, we have to deposit 1000000 dollars in the account within 20 transactions to get the flag. To complete a transaction, we have to first initiate it by providing how much we want to deposit. Then, use the “hashcode” it returns to finalize the transaction. The problem is that we can only deposit 5000 dollars at a time, so we must tamper the “hashcode” to deposit more money.

The vulnerability in this challenge is that the “hashcode” it returns is just the result of xoring the plain text and a key. Since we know what the plain text is, we can easily retrieve the key and use it to create a “hashcode” of our own content. I created 20 transactions of 99999 dollars to get the flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

from pwnlib.tubes.remote import remote

def sxor(s1, s2):
    return ''.join(chr(ord(a)^ord(b)) for a, b in zip(s1, s2))

def falsify(hashcode):
    key = sxor('TRANSACTION: 1000', hashcode.decode('hex'))
    return sxor('TRANSACTION:99999', key).encode('hex')


r = remote('188.166.133.53', 10061)

for i in range(20):
    print r.recvuntil('Command: ')
    r.sendline('create 1000')

    line = r.recvline()
    print line
    hashcode = line.split()[-1]

    print r.recvuntil('Command: ')
    r.sendline('complete ' + str(i) + ' ' + falsify(hashcode))

print r.recvuntil('Command: ')

Flag: IW{SHUT_UP_AND_T4K3_MY_M000NEYY}