0x00 Basic Information


Attachment

-rwxr-xr-x 1 sisubeny sisubeny 96406351 Jan  1  1970 chal*

Service

Hint

$ file ./chal 
./chal: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=a18c556392ac4ed74a717b297e9ebdd28c018fb5, not stripped

0x01 First Connection

First, I used nc to connect to the service.

$ nc chal.polyuctf.com 35075
My Public Key: <base64 DER public key, elided>
Your Public Key: 

It seems to keep the same custom RSA-wrapped command channel as Secure Communication, so I modified the solve script from that challenge for this one.

import base64
from pwn import context, remote
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

DEFAULT_HOST = "chal.polyuctf.com"
DEFAULT_PORT = 35075

def main():
    context.log_level = "error"
    io = remote(DEFAULT_HOST, DEFAULT_PORT)
    try:
        io.send(b" ")
        # The banner looks like "My Public Key: <base64 DER>\nYour Public Key: "
        banner = io.recvuntil(b"Your Public Key: ")
        prefix, _, _ = banner.partition(b"Your Public Key: ")
        line = prefix.decode(errors="replace").strip().splitlines()[0]
        if not line.startswith("My Public Key: "):
            raise RuntimeError(f"unexpected banner: {line!r}")

        # Parse the server key as DER SubjectPublicKeyInfo; a failure here means
        # the channel format differs from Secure Communication.
        server_key_b64 = line.split(": ", 1)[1].strip()
        serialization.load_der_public_key(base64.b64decode(server_key_b64))

        # Generate our own key pair and send the public half in the same
        # base64(DER SubjectPublicKeyInfo) form the server used.
        private_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
        public_der = private_key.public_key().public_bytes(
            encoding=serialization.Encoding.DER,
            format=serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        io.sendline(base64.b64encode(public_der))
        reply = io.recvline().decode(errors="replace").rstrip("\r\n")
        print(reply)
    finally:
        io.close()

if __name__ == "__main__":
    main()

Fortunately, it works!
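To see what is actually inside the base64 blob the service prints, here is an added example (my own code for this writeup, not part of the challenge or the original solve script) that builds and parses the SubjectPublicKeyInfo DER by hand, pulls (n, e) out of a "My Public Key:" banner, and produces the matching line to send back after "Your Public Key: ". The banner and the 2048-bit modulus are constructed for the demo; the modulus is not a real RSA key, and the challenge's real key size is not recorded on this page.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), as it appears inside the DER
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form (0x8N followed by N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGERs are signed: pad so the value stays positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def encode_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo DER for an RSA public key (the bytes the service base64-encodes)."""
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))     # RSAPublicKey ::= SEQUENCE { n, e }
    # subjectPublicKey is a BIT STRING; the leading 0x00 is the unused-bits count
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_spki(der: bytes) -> tuple:
    """Recover (n, e) from an RSA SubjectPublicKeyInfo; rejects anything that is not rsaEncryption."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, algorithm, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(algorithm, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstring, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstring[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bitstring, 1)  # skip the unused-bits byte
    n_tag, n_body, pos = _read_tlv(rsa_public_key, 0)
    e_tag, e_body, _ = _read_tlv(rsa_public_key, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey must contain two INTEGERs")
    return int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")


def parse_banner(banner: bytes) -> tuple:
    """Pull (n, e) out of the 'My Public Key: <base64 DER>' line the service sends."""
    match = re.search(rb"My Public Key: (\S+)", banner)
    if not match:
        raise ValueError("banner does not contain the server key")
    return decode_spki(base64.b64decode(match.group(1)))


def client_key_line(n: int, e: int) -> bytes:
    """The line to send after 'Your Public Key: ' for our own key (same encoding as the server's)."""
    return base64.b64encode(encode_spki(n, e))


def describe_key(n: int, e: int) -> dict:
    """The quick checks worth doing on a server-supplied key before trusting the channel."""
    return {"bits": n.bit_length(), "e": e, "e_is_65537": e == 65537, "n_is_odd": n % 2 == 1}


# Constructed demo values: a 2048-bit odd number standing in for a modulus.
# This is NOT a real RSA key, and the challenge's actual key size is not shown on this page.
SAMPLE_N = (1 << 2047) + 0x10001
SAMPLE_BANNER = b"My Public Key: " + client_key_line(SAMPLE_N, 65537) + b"\nYour Public Key: "

if __name__ == "__main__":
    n, e = parse_banner(SAMPLE_BANNER)
    print(describe_key(n, e))
```

The useful part in practice is `describe_key`: the first thing to check on a key a CTF service hands you is its size and exponent, because the parse alone (what `load_der_public_key` does in the solve script) tells you nothing about whether the key is weak.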

0x02 Decompile the executable

Since this is the advanced version of Secure Communication, you can decompile it with exactly the same approach as in the last challenge!

Secure Communication

.
├── bundled
│   ├── index.js
│   └── public
│       ├── blog.html
│       ├── contact.html
│       └── index.html
└── metadata.json