The earth has been taken over by cyborgs for a long time. We are a group of humans, called ‘The Rebellion’, fighting for our freedom. Lately, cyborgs have set up a lab where they insert microchips inside humans to track them down. Our team of IT experts has hacked one of the cyborgs’ mail servers. There is a suspicious encrypted mail which possibly contains information related to the location of the lab. Can you decrypt the message and find the coordinates of the lab?

Category: Crypto

Solver: lmarschk

For this challenge, we had three certificates and an encrypted S/MIME mail.

Walkthrough

  1. Get information about the sent message: openssl cms -verify -in challenge -noout -cmsout -print
  2. All certificates have a small e=3, probably vulnerable to small exponent attack (coppersmith attack)
  3. Find article with example
  4. Get modulus of all keys: openssl cms -verify -in challenge -noout -cmsout -print and put them into the convert script (as we weren’t able to instruct openssl to print out the single keys in a better format)
  5. Also get all the message itself, place it to the convert script
  6. Export result of convert.py to find.py
  7. Get moduli for all certs openssl x509 -in corius.crt -text -noout -modulus, beware to use the right order of certs and ciphertexts (encrypted symmetric keys for S/MIME)
  8. run find.py
  9. Have to use last bytes as key for AES
  10. Decrypt them
  11. Get flag: HTB{37.220464, -115.835938} (the coordinates point to Area 51, nice one ;)
lmm@lmm-think-05:~/Documents/htb/ctf_2020_nextcloud$ /usr/bin/python3 /home/lmm/Documents/htb/ctf_2020_nextcloud/crypto/baby_rebellion/solve_files/find.py
Key (as number): 986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037292397105469646468169974589517743155241661412206332135106062078328116714879217688208691097
b'\x17p\x80@h\x87\x13\xf0!\xf9M\xd2\x82\xa4\x8b}\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8b\x9eH\xf3\xd0o\xdb\x90[c<t\xc3\x7f\xe7\xd8bU00G\xcf\xbd\xd13\xf5l\xe7F\x1c\x07&)\nWe are out of microchips. Me and my team need more supplies! Hurry up, everyone has to be microchipped! Deliver the package here:\nHTB{37.220464, -115.835938}\x02\x02'

flag