Signing Factory - HTB
by f4k3h4ck3r - Friday July 5, 2024 at 07:33 PM
#1
Any hint for Signing Factory - https://app.hackthebox.com/challenges/Si...520Factory ?
Reply
#2
Done this one. And i'm open for trades for something that i miss.
i'm preferably trading solution <-> in exchange for solution. don't need just "your" flags.
Reply
#3
(07-06-2024, 02:18 PM)mazafaka555 Wrote: Done this one. And i'm open for trades for something that i miss.
i'm preferably trading solution <-> in exchange for solution. don't need just "your" flags.

Okey pm me i'll do
Reply
#4
any hint ?

I tried some rsa signature attacks but failed
Reply
#5
hello, I really appreciate the content, sometimes writeups can be used for better things, rather than just copy and paste flags.
Ban reason: Spamming | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#6
from base64 import b64decode, b64encode from pwn import * from sympy import mod_inverse, factorint import hashlib import string import random import re # Configuration HOST = "localhost" # CHANGE THIS PORT = 1337 # CHANGE THIS golden_ratio = 2654435761 admin = "System_Administrator" def extract_base64_token(response):     match = re.search(r"Your session token is b'([A-Za-z0-9+/=]+)'", response)     if match:         return match.group(1)     else:         raise ValueError("Failed to extract Base64 token from response") def parse_e_n_from_response(response):     match = re.search(r"\(e,N\) = \((\d+),\s*(\d+)\)", response)     if match:         return int(match.group(1)), int(match.group(2))     else:         raise ValueError("Failed to parse e and n from response") def calculate_h_n_from_equations(equations):     equation_re = re.compile(r"equation\(unknown, (\d+), (\d+)\) = (\d+)")     unknowns = []     for match in equation_re.finditer(equations):         rnd = int(match.group(1))         equation_output = int(match.group(3))         inverse_rnd = mod_inverse(rnd, golden_ratio)         unknown = (equation_output * inverse_rnd) % golden_ratio         unknowns.append(unknown)     h_n = 1     for unknown in unknowns:         h_n *= unknown     return h_n def hash_username(username):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     return int(h) def hash_var(key):     return (((key % golden_ratio) * golden_ratio) >> 32) def reverse_hash_var(hashed):     shifted_value = hashed << 32     for candidate in range(golden_ratio):         if (((candidate % golden_ratio) * golden_ratio) >> 32) == hashed:             return candidate     return None def numeric_to_username(numeric_username):     hex_string = format(numeric_username, "x")     if len(hex_string) % 2 != 0:         hex_string = "0" + hex_string     return bytes.fromhex(hex_string).decode("utf-8") def reverse_hash_username(hashed_value):     numeric_username = reverse_hash_var(hashed_value)     return numeric_to_username(numeric_username) def get_auth_token(username, d, n):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     auth = pow(int(h), d, n)     return b64encode(str(auth).encode()).decode() def get_signature_and_public_key(p, plaintext):     p.sendline(b"0")     p.recvuntil(b"Enter a username: ")     p.sendline(plaintext.encode())     response = p.recvuntil(b"[+] Option >> ").decode()     token_base64 = extract_base64_token(response)     p.sendline(b"2")     equations = p.recvuntil(b"Enter the hash(N): ").decode()     h_n = calculate_h_n_from_equations(equations)     p.sendline(str(h_n).encode())     response = p.recv().decode()     e, n = parse_e_n_from_response(response)     auth = int(b64decode(token_base64).decode())     return auth, e, n def get_flag(p, auth_token):     p.sendline(b"1")     p.recvuntil(b"Enter your username: ")     p.sendline(admin.encode())     p.recvuntil(b"Enter your authentication token: ")     p.sendline(auth_token.encode())     response = p.recvline().decode()     return response def prepare_auth_token(forged_signature):     auth_token = b64encode(str(forged_signature).encode()).decode()     return auth_token def is_alphanumeric_latin(s):     latin_alphanumeric = set(string.ascii_letters + string.digits)     return all(char in latin_alphanumeric for char in s) def main():     p = remote(HOST, PORT)     factors = factorint(hash_username(admin))     ciphers = []     for factor in factors:         i = 1         numeric_username = reverse_hash_var(factor)         while True:             try:                 uname = numeric_to_username(numeric_username)                 if not is_alphanumeric_latin(uname):                     raise                 break             except:                 numeric_username = numeric_username + (golden_ratio * i)                 i += 1         cipher, e, n = get_signature_and_public_key(p, uname)         ciphers.append(cipher)     forged_signature = 1     for cipher in ciphers:         forged_signature = (forged_signature * cipher) % n     auth_token = prepare_auth_token(forged_signature)     response = get_flag(p, auth_token)     print(f"Server response: {response}")     p.close() if __name__ == "__main__":     main()
Reply
#7
(08-13-2024, 01:39 PM)x1rx Wrote:
from base64 import b64decode, b64encode from pwn import * from sympy import mod_inverse, factorint import hashlib import string import random import re # Configuration HOST = "localhost" # CHANGE THIS PORT = 1337 # CHANGE THIS golden_ratio = 2654435761 admin = "System_Administrator" def extract_base64_token(response):     match = re.search(r"Your session token is b'([A-Za-z0-9+/=]+)'", response)     if match:         return match.group(1)     else:         raise ValueError("Failed to extract Base64 token from response") def parse_e_n_from_response(response):     match = re.search(r"\(e,N\) = \((\d+),\s*(\d+)\)", response)     if match:         return int(match.group(1)), int(match.group(2))     else:         raise ValueError("Failed to parse e and n from response") def calculate_h_n_from_equations(equations):     equation_re = re.compile(r"equation\(unknown, (\d+), (\d+)\) = (\d+)")     unknowns = []     for match in equation_re.finditer(equations):         rnd = int(match.group(1))         equation_output = int(match.group(3))         inverse_rnd = mod_inverse(rnd, golden_ratio)         unknown = (equation_output * inverse_rnd) % golden_ratio         unknowns.append(unknown)     h_n = 1     for unknown in unknowns:         h_n *= unknown     return h_n def hash_username(username):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     return int(h) def hash_var(key):     return (((key % golden_ratio) * golden_ratio) >> 32) def reverse_hash_var(hashed):     shifted_value = hashed << 32     for candidate in range(golden_ratio):         if (((candidate % golden_ratio) * golden_ratio) >> 32) == hashed:             return candidate     return None def numeric_to_username(numeric_username):     hex_string = format(numeric_username, "x")     if len(hex_string) % 2 != 0:         hex_string = "0" + hex_string     return bytes.fromhex(hex_string).decode("utf-8") def reverse_hash_username(hashed_value):     numeric_username = reverse_hash_var(hashed_value)     return numeric_to_username(numeric_username) def get_auth_token(username, d, n):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     auth = pow(int(h), d, n)     return b64encode(str(auth).encode()).decode() def get_signature_and_public_key(p, plaintext):     p.sendline(b"0")     p.recvuntil(b"Enter a username: ")     p.sendline(plaintext.encode())     response = p.recvuntil(b"[+] Option >> ").decode()     token_base64 = extract_base64_token(response)     p.sendline(b"2")     equations = p.recvuntil(b"Enter the hash(N): ").decode()     h_n = calculate_h_n_from_equations(equations)     p.sendline(str(h_n).encode())     response = p.recv().decode()     e, n = parse_e_n_from_response(response)     auth = int(b64decode(token_base64).decode())     return auth, e, n def get_flag(p, auth_token):     p.sendline(b"1")     p.recvuntil(b"Enter your username: ")     p.sendline(admin.encode())     p.recvuntil(b"Enter your authentication token: ")     p.sendline(auth_token.encode())     response = p.recvline().decode()     return response def prepare_auth_token(forged_signature):     auth_token = b64encode(str(forged_signature).encode()).decode()     return auth_token def is_alphanumeric_latin(s):     latin_alphanumeric = set(string.ascii_letters + string.digits)     return all(char in latin_alphanumeric for char in s) def main():     p = remote(HOST, PORT)     factors = factorint(hash_username(admin))     ciphers = []     for factor in factors:         i = 1         numeric_username = reverse_hash_var(factor)         while True:             try:                 uname = numeric_to_username(numeric_username)                 if not is_alphanumeric_latin(uname):                     raise                 break             except:                 numeric_username = numeric_username + (golden_ratio * i)                 i += 1         cipher, e, n = get_signature_and_public_key(p, uname)         ciphers.append(cipher)     forged_signature = 1     for cipher in ciphers:         forged_signature = (forged_signature * cipher) % n     auth_token = prepare_auth_token(forged_signature)     response = get_flag(p, auth_token)     print(f"Server response: {response}")     p.close() if __name__ == "__main__":     main()

thanks alot for the share!
Reply
#8
(08-13-2024, 02:04 PM)0bfusc8 Wrote:
(08-13-2024, 01:39 PM)x1rx Wrote:
from base64 import b64decode, b64encode from pwn import * from sympy import mod_inverse, factorint import hashlib import string import random import re # Configuration HOST = "localhost" # CHANGE THIS PORT = 1337 # CHANGE THIS golden_ratio = 2654435761 admin = "System_Administrator" def extract_base64_token(response):     match = re.search(r"Your session token is b'([A-Za-z0-9+/=]+)'", response)     if match:         return match.group(1)     else:         raise ValueError("Failed to extract Base64 token from response") def parse_e_n_from_response(response):     match = re.search(r"\(e,N\) = \((\d+),\s*(\d+)\)", response)     if match:         return int(match.group(1)), int(match.group(2))     else:         raise ValueError("Failed to parse e and n from response") def calculate_h_n_from_equations(equations):     equation_re = re.compile(r"equation\(unknown, (\d+), (\d+)\) = (\d+)")     unknowns = []     for match in equation_re.finditer(equations):         rnd = int(match.group(1))         equation_output = int(match.group(3))         inverse_rnd = mod_inverse(rnd, golden_ratio)         unknown = (equation_output * inverse_rnd) % golden_ratio         unknowns.append(unknown)     h_n = 1     for unknown in unknowns:         h_n *= unknown     return h_n def hash_username(username):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     return int(h) def hash_var(key):     return (((key % golden_ratio) * golden_ratio) >> 32) def reverse_hash_var(hashed):     shifted_value = hashed << 32     for candidate in range(golden_ratio):         if (((candidate % golden_ratio) * golden_ratio) >> 32) == hashed:             return candidate     return None def numeric_to_username(numeric_username):     hex_string = format(numeric_username, "x")     if len(hex_string) % 2 != 0:         hex_string = "0" + hex_string     return bytes.fromhex(hex_string).decode("utf-8") def reverse_hash_username(hashed_value):     numeric_username = reverse_hash_var(hashed_value)     return numeric_to_username(numeric_username) def get_auth_token(username, d, n):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     auth = pow(int(h), d, n)     return b64encode(str(auth).encode()).decode() def get_signature_and_public_key(p, plaintext):     p.sendline(b"0")     p.recvuntil(b"Enter a username: ")     p.sendline(plaintext.encode())     response = p.recvuntil(b"[+] Option >> ").decode()     token_base64 = extract_base64_token(response)     p.sendline(b"2")     equations = p.recvuntil(b"Enter the hash(N): ").decode()     h_n = calculate_h_n_from_equations(equations)     p.sendline(str(h_n).encode())     response = p.recv().decode()     e, n = parse_e_n_from_response(response)     auth = int(b64decode(token_base64).decode())     return auth, e, n def get_flag(p, auth_token):     p.sendline(b"1")     p.recvuntil(b"Enter your username: ")     p.sendline(admin.encode())     p.recvuntil(b"Enter your authentication token: ")     p.sendline(auth_token.encode())     response = p.recvline().decode()     return response def prepare_auth_token(forged_signature):     auth_token = b64encode(str(forged_signature).encode()).decode()     return auth_token def is_alphanumeric_latin(s):     latin_alphanumeric = set(string.ascii_letters + string.digits)     return all(char in latin_alphanumeric for char in s) def main():     p = remote(HOST, PORT)     factors = factorint(hash_username(admin))     ciphers = []     for factor in factors:         i = 1         numeric_username = reverse_hash_var(factor)         while True:             try:                 uname = numeric_to_username(numeric_username)                 if not is_alphanumeric_latin(uname):                     raise                 break             except:                 numeric_username = numeric_username + (golden_ratio * i)                 i += 1         cipher, e, n = get_signature_and_public_key(p, uname)         ciphers.append(cipher)     forged_signature = 1     for cipher in ciphers:         forged_signature = (forged_signature * cipher) % n     auth_token = prepare_auth_token(forged_signature)     response = get_flag(p, auth_token)     print(f"Server response: {response}")     p.close() if __name__ == "__main__":     main()

thanks alot for the share!

Good luck, bro. The code could use some cleaning and refactoring.
Reply
#9
(08-13-2024, 01:39 PM)x1rx Wrote:
from base64 import b64decode, b64encode from pwn import * from sympy import mod_inverse, factorint import hashlib import string import random import re # Configuration HOST = "localhost" # CHANGE THIS PORT = 1337 # CHANGE THIS golden_ratio = 2654435761 admin = "System_Administrator" def extract_base64_token(response):     match = re.search(r"Your session token is b'([A-Za-z0-9+/=]+)'", response)     if match:         return match.group(1)     else:         raise ValueError("Failed to extract Base64 token from response") def parse_e_n_from_response(response):     match = re.search(r"\(e,N\) = \((\d+),\s*(\d+)\)", response)     if match:         return int(match.group(1)), int(match.group(2))     else:         raise ValueError("Failed to parse e and n from response") def calculate_h_n_from_equations(equations):     equation_re = re.compile(r"equation\(unknown, (\d+), (\d+)\) = (\d+)")     unknowns = []     for match in equation_re.finditer(equations):         rnd = int(match.group(1))         equation_output = int(match.group(3))         inverse_rnd = mod_inverse(rnd, golden_ratio)         unknown = (equation_output * inverse_rnd) % golden_ratio         unknowns.append(unknown)     h_n = 1     for unknown in unknowns:         h_n *= unknown     return h_n def hash_username(username):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     return int(h) def hash_var(key):     return (((key % golden_ratio) * golden_ratio) >> 32) def reverse_hash_var(hashed):     shifted_value = hashed << 32     for candidate in range(golden_ratio):         if (((candidate % golden_ratio) * golden_ratio) >> 32) == hashed:             return candidate     return None def numeric_to_username(numeric_username):     hex_string = format(numeric_username, "x")     if len(hex_string) % 2 != 0:         hex_string = "0" + hex_string     return bytes.fromhex(hex_string).decode("utf-8") def reverse_hash_username(hashed_value):     numeric_username = reverse_hash_var(hashed_value)     return numeric_to_username(numeric_username) def get_auth_token(username, d, n):     numeric_username = int(username.encode().hex(), 16)     h = hash_var(numeric_username)     auth = pow(int(h), d, n)     return b64encode(str(auth).encode()).decode() def get_signature_and_public_key(p, plaintext):     p.sendline(b"0")     p.recvuntil(b"Enter a username: ")     p.sendline(plaintext.encode())     response = p.recvuntil(b"[+] Option >> ").decode()     token_base64 = extract_base64_token(response)     p.sendline(b"2")     equations = p.recvuntil(b"Enter the hash(N): ").decode()     h_n = calculate_h_n_from_equations(equations)     p.sendline(str(h_n).encode())     response = p.recv().decode()     e, n = parse_e_n_from_response(response)     auth = int(b64decode(token_base64).decode())     return auth, e, n def get_flag(p, auth_token):     p.sendline(b"1")     p.recvuntil(b"Enter your username: ")     p.sendline(admin.encode())     p.recvuntil(b"Enter your authentication token: ")     p.sendline(auth_token.encode())     response = p.recvline().decode()     return response def prepare_auth_token(forged_signature):     auth_token = b64encode(str(forged_signature).encode()).decode()     return auth_token def is_alphanumeric_latin(s):     latin_alphanumeric = set(string.ascii_letters + string.digits)     return all(char in latin_alphanumeric for char in s) def main():     p = remote(HOST, PORT)     factors = factorint(hash_username(admin))     ciphers = []     for factor in factors:         i = 1         numeric_username = reverse_hash_var(factor)         while True:             try:                 uname = numeric_to_username(numeric_username)                 if not is_alphanumeric_latin(uname):                     raise                 break             except:                 numeric_username = numeric_username + (golden_ratio * i)                 i += 1         cipher, e, n = get_signature_and_public_key(p, uname)         ciphers.append(cipher)     forged_signature = 1     for cipher in ciphers:         forged_signature = (forged_signature * cipher) % n     auth_token = prepare_auth_token(forged_signature)     response = get_flag(p, auth_token)     print(f"Server response: {response}")     p.close() if __name__ == "__main__":     main()

thanks bro got it
Reply
#10
thanks bro for the sharing
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 91,871 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 5,018 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 10,241 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,994 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 3,282 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)