After a long day, you sit around a campfire in the wild wild web with a few Sioux you met today. To celebrate friendship one of them takes out his wooden peace pipe and minutes later everyone seems to be pretty dizzy. You remember that their war chief "Makawee" started something to say about a secret tipi filled with fire-water (the good stuff). But when he noticed your interest he immediately stopped talking. You recall that "Makawee" spoke with "Wahkoowah" about that issue, but it ended with a fight. Since then Makawee wouldn't talk to Wahkoowah anymore. While they argued "Chapawee" wrote something down. Maybe you can exploit their dizziness to find out the location of the tipi.

Ports: 1432, 1433, 1434

Let’s analyze what we have:

  • 1432: Chapawee replies. He lets us get some information on the crypto scheme in use, fetch a public key by name, and register a public key under a name of our choice.
  • 1433: Wahkoowah replies. He asks who we are, but we can give basically any name (including Makawee). He then shows us the public key associated with the name we gave and follows the protocol:
    • generate some random r_w
    • calculate magic: (pubk ^ r_w) % p and send it to us
    • expect some value t_m from us; once we send it, he calculates a shared key = t_m ^ (privk_w ^ -1) * g ^ r_w % p
    • send us a token
  • 1434: Makawee replies. He also asks who we are, and we can give almost any name apart from Wahkoowah: the two apparently had an argument and he refuses to talk to him. He then follows the same protocol.

If we could perform a Man-In-The-Middle attack we could relay messages between Wahkoowah and Makawee and get the flag: if we manage to send Makawee a valid token he will send us the flag. As we do not know how the token is computed, MITM looks like the only option.

The trivial solution that probably already came to the mind of a careful reader is the following:

  • Get the public key of Wahkoowah
  • Register an account with that public key under a different name
  • Go to Wahkoowah and pretend to be Makawee; go to Makawee and tell him you are the user with the same public key as Wahkoowah
  • Relay messages between the two peers and get the flag

However this approach does not work: Makawee is smart enough to figure out the trick and will not accept the public key of Wahkoowah. The only solution left is to forge a public key pubk_w' != pubk_w such that, if we identify with that key to Makawee and then relay the messages, we end up with a successful communication (i.e. the two peers derive the same shared key). Luckily it is possible to forge such a key: pubk_w' = -pubk_w % p works 50% of the time, and that is definitely good enough.

We know that this works because when Makawee computes t_m' = (-pubk_w) ^ r_m % p, t_m' will be equal to t_m = pubk_w ^ r_m % p whenever r_m is even, i.e. roughly 50% of the time.
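To make the argument above concrete, here is a toy model of the protocol from the list above and of the negated-key trick. This is an added example, not code from the challenge service: the prime p, the generator g, the private keys and the per-session values are all constructed, and it assumes that the inverse privk_w ^ -1 in the shared-key formula is taken modulo the order q of g. It also includes the check a defender would put in Makawee's place, a subgroup-membership test, which rejects -pubk_w where the writeup's "is this Wahkoowah's key?" comparison does not.

```python
"""Toy model of the Wahkoowah/Makawee key agreement described in the writeup
and of the forged key pubk_w' = -pubk_w mod p. Added example with constructed
parameters; nothing here is taken from the challenge service."""

# Constructed parameters: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup (the quadratic residues), so honest public keys lie there.
P = 1019
Q = (P - 1) // 2          # 509, prime
G = 4


def pubkey(privk):
    """Public key g^privk mod p."""
    return pow(G, privk, P)


def magic(their_pubk, r):
    """The 'magic' a peer sends: (the other side's pubk) ^ r mod p."""
    return pow(their_pubk, r, P)


def shared_key(received, privk, r):
    """Shared key as the writeup states it: received ^ (privk^-1) * g^r mod p.
    Assumption: the inverse of privk is taken modulo q, the order of g."""
    inv = pow(privk, -1, Q)
    return pow(received, inv, P) * pow(G, r, P) % P


def refuse_known_key(known_pubk):
    """Makawee's check in the writeup: a key equal to Wahkoowah's is refused."""
    return lambda candidate: candidate != known_pubk


def subgroup_check(candidate):
    """Hardened check (not in the challenge): accept only elements of the
    order-q subgroup. Because p = 3 mod 4, -1 is a non-residue, so -pubk
    fails candidate^q == 1 even though pubk itself passes."""
    return 1 < candidate < P and pow(candidate, Q, P) == 1


def relay(priv_w, priv_m, r_w, r_m, forged_pub, check):
    """One relayed session: the relay tells Wahkoowah it is Makawee and tells
    Makawee it is 'jolly' holding forged_pub. Returns (accepted, keys_match)."""
    pub_m = pubkey(priv_m)
    if not check(forged_pub):
        return False, False
    magic_w = magic(pub_m, r_w)        # Wahkoowah uses Makawee's real key
    magic_m = magic(forged_pub, r_m)   # Makawee uses the forged key
    key_w = shared_key(magic_m, priv_w, r_w)   # Makawee's magic relayed to W
    key_m = shared_key(magic_w, priv_m, r_m)   # Wahkoowah's magic relayed to M
    return True, key_w == key_m


def naive_relay(priv_w, priv_m, r_w, r_m):
    """The trivial attempt: register Wahkoowah's own key under a new name."""
    pub_w = pubkey(priv_w)
    return relay(priv_w, priv_m, r_w, r_m, pub_w, refuse_known_key(pub_w))


def negated_key_relay(priv_w, priv_m, r_w, r_m, check=None):
    """Register pubk_w' = -pubk_w mod p instead. For even r_m the factor
    (-1)^r_m in Makawee's magic disappears and the keys agree; for odd r_m a
    sign survives unless privk_w^-1 mod q happens to be even."""
    pub_w = pubkey(priv_w)
    forged = (-pub_w) % P
    return relay(priv_w, priv_m, r_w, r_m, forged,
                 check or refuse_known_key(pub_w))


if __name__ == "__main__":
    # Constructed private keys 7 and 11, session values r_w = 5 and r_m = 4/3.
    print("same key, new name:", naive_relay(7, 11, 5, 4))
    for r_m in (4, 3):
        print("negated key, r_m =", r_m, negated_key_relay(7, 11, 5, r_m))
    print("negated key vs subgroup check:",
          negated_key_relay(7, 11, 5, 4, subgroup_check))
```

With the constructed values, the even r_m session gives both peers the same key and the odd one does not, which is the 50/50 the writeup describes. Note that in this model the odd case can still succeed when privk_w ^ -1 mod q is even, so the exact rate depends on how the service reduces its exponents; the writeup's figure is for the real service. The subgroup check rejects the negated key outright, which is the usual defence: validate that a received public key lies in the expected prime-order subgroup rather than only comparing it against known keys.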

So I created a user called jolly with pubk_w' on the service on port 1432; here is the dump of the communication:

    Hi, I’m Wahkoowah. Who are you? Too foggy…
    Makawee
    Oh its you, Im so sorry. Can we talk now?
    This is your key of truth
    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
    With magic I did this:
    abde1250558be4201d0269110d273be05d70f0623c27507dc57af293e4a96e06309b92cb55e73c62d8322fc8a9d8f89d4b2a0746c5cf7ff69aaf8002fb5abc437d40855bf159c2d77d77bded321d42e08f7bf89585c6e35cf7682b2a67a0fb013044c61affc7fbcc0186ff8a8c66c1285f60fe237f17f7e1e1852101cba170d685d6c055d90e95a0433c323cf01573d15e8d6d602a115dc63d87c9d88e40ed69d059e93e098c7c2309a228997e82d2842ad8418bff78157f5d1887a0672f8edfa80de07ff11cb32c4c0755562187af36136b5e1c2fa34b62735fec6106a044986501dee58b7a78f6dc0b058aa3857c23572d473e3e5b2cfdd62e2095e8a00956
    We continue our conversation, right?

…let’s go to Makawee and send him the magic from Wahkoowah:

    Hi, I’m, Makawee, and you are? Too bright here…
    jolly
    jolly … do I know you?
    This is your key of truth
    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
    With magic I did this:
    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
    grml…
    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
    Bit more truth is missing

…let’s go back to Wahkoowah and send him the magic from Makawee to get the token:

    We continue our conversation, right?
    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
    Now I can almost see it, the sheer truth
    ktObXrAsAFkZWx/kZEy4Czo6Dery/SLA9/ahrvmrzSdDAlAZ50v9+B6W4fqsqUcquEk=

And now the final step: send the token to Makawee!

    Bit more truth is missing
    ktObXrAsAFkZWx/kZEy4Czo6Dery/SLA9/ahrvmrzSdDAlAZ50v9+B6W4fqsqUcquEk=
    I knew you are able to see IT. Lets get drunk, I tell you where
    flag{FreeBoozeForEverone-Party!}