Google CTF 2018: DM Collision (176 pts)

TL;DR: do horrible things to a one-way compression function by leveraging weak keys in the DES block cipher.

You can find the challenge files and my exploit code here.


Anatomy of a Man-in-the-Middle Phishing Campaign on Coinbase

In the summer after my freshman year of college, I had an internship with a startup that tries to defeat phishing attacks against enterprise corporations. As such, I spent a lot of time staring at phishing sites. Once, I showed a phishing campaign against MIT’s OWA email portal to my boss, and he blew my mind when he dug through the site and managed to find a publicly-accessible text file where the attackers were logging all the password attempts.

Ever since, I’ve been trying to replicate that same experience on every phishing attempt that comes my way, and for the first time since then, I managed to do it! The attack was targeting Coinbase, probably the most popular site for buying and selling cryptocurrencies. I’ll first describe the campaign, and then show how I discovered the password log file.


DEF CON Quals 2018: official (194 pts)

TL;DR: a 1 byte overflow allows you to induce a small bias in the nonce used in the DSA signing algorithm. Use LLL to exploit this bias to find the private key.

I also explore a more natural variant of the problem in which the bias is in the most significant byte of the nonce rather than the least significant, and recover the private key in this case as well.


Plaid CTF 2018: Wait Wait... Don't Shell Me (125 pts)

This problem was categorized under “Misc” and was worth only 125 points. Nevertheless, it was one of the harder challenges and received only 14 solves. ghostly_gray, fasano, and I worked on it for several hours over the course of the CTF, but we only solved it after the CTF had ended.

The challenge was themed around the NPR Quiz Show Wait Wait… Don’t Tell Me! and consisted solely of an address and port to connect to.


Puzzlehunting Resources

In the past four months I’ve had the experience of organizing a fledgling team for the MIT Mystery Hunt and helping organize, write, and run the second iteration of the Galactic Puzzle Hunt. In the process, I wrote / created a bunch of stuff related to puzzlehunting. This page will keep track of them all (as well as some earlier stuff I’ve made). I’ll periodically update this page as I create more stuff.


Blaze CTF 2018: shellcodeme (420 pts)

This was a simply-posed but tricky pwnable that ghostly_gray and I solved over the course of a long plane ride. We were given the source code (shown below) as well as the binary. Simply put, we had to write some x86-64 shellcode that used no more than 7 distinct bytes.


MIT Mystery Hunt 2018: The Puzzles

This year’s mystery hunt ended last Monday, and after a heroic effort, my team managed to be the twelfth and final team to finish. This hunt did have fewer puzzles than usual, but I don’t think anybody noticed. Puzzle quality was generally high across the board, and since the puzzles themselves were often longer than average (I think), it was all a wash. Below I’ve highlighted some puzzles of note (spoilers abound!):


New Year, Newsletters

One form of content that made a resurgence in my media diet last year was the newsletter. Like podcasts, newsletters have been around since the early years of the internet. Their appeal is obvious: instead of regularly visiting a website to read the news, just have it emailed straight to your inbox. I’ve found that newsletters are often better at providing context and perspective than traditional news outlets, which are often too busy breathlessly reporting latest-breaking updates.

Here are five newsletters that I’m currently subscribed to that I think are worth your time:


Survey of Discrete Log Algorithms

In 1999 Dan Boneh published a survey paper called “Twenty years of attacks on the RSA cryptosystem”. I like to tell people that if they read the entire paper they can solve just about every CTF challenge involving RSA.

This post is my attempt to do something similar with the discrete log problem, a primitive that underlies a bunch of cryptographic protocols including the Diffie-Hellman key exchange and the ElGamal encryption system. The algorithms all have similar-sounding names, and I wanted to just sit down and describe each of them to get them straight in my head.


CSAW CTF 2017: Realism (400 pts)

This problem was much like any other CTF reversing challenge, but instead of a Linux or Windows executable, the binary was a Master Boot Record (MBR) that needed to be run under the QEMU full-system emulator.

We’re given the command to boot the MBR, qemu-system-i386 -drive format=raw,file=realism, and we’re presented with this:

hello Simple, right? The entire MBR is only 512 bytes in size, so it’s not much to reverse.


Finding Collisions in MD4

On and off for the past couple of years, my friend Ray and I have been working through the Cryptopals Crypto Challenges, a series of exercises split across eight sets that explore modern cryptographic protocols and their weaknesses. The challenges start out pretty easy, but as you move forward, the attacks you’re asked to implement become increasingly difficult.

This post is about challenge 55, “MD4 Collisions.” In it, you’re asked to implement Wang’s 2004 attack on the MD4 hash function. The attack itself is pretty difficult: as far as Ray and I can tell, no one has posted a solution to it online. (There is this code from Bishop Fox, but it consists solely of a dense, 500-line, uncommented C program).

After several days of work, our script finally spit out a brand new collision:

first collision

In this post we’ll talk about the attack and our implementation in detail.


GoogleCTF 2017: RSA CTF Challenge

We are first presented with a simple HTML form that asks us to sign the word challenge in order to login. If we look at the source of the page, we find a hidden div that includes an RSA public key and references to base64 encoding and PKCS1v1.5 / MD5. Our goal then seems to be to forge a signature for challenge in PKCS1v1.5 format that will be accepted by the given public key.

If done properly, this is impossible, but because PKCS1v1.5 is such a brittle scheme, minor errors in its implementation can result in major security vulnerabilities.


A guide to MIT's campus network changes for the non-expert

There’s been a lot of buzz on dorm mailing lists and online forums about the changes that IS&T is making to MIT’s campus network. This post attempts to break down and explain the changes to a non-expert in networking in order to clear up some of the confusion surrounding the discussion.

First, a brief introduction to IP addresses and Network Address Translation (NAT):


GoogleCTF 2017: Rubik

GoogleCTF 2017 was held about a week ago; it was pretty difficult, but it had some cool challenges. This writeup is about one of the harder crypto challenges, Rubik.

We were given some Rust code that implements a version of Stickel’s Key Exchange protocol for the Rubik’s Cube Group. We were also given a service which executes this protocol and allows users to register public keys and login. Before we dive into the details of the protocol and the attack, let’s talk a little bit about Rubik’s Cubes.

Rubik’s Cube Theory

To talk about a series of moves that can be applied to a Rubik’s Cube, most people use Singmaster Notation. The six letters R, L, U, D, F, and B describe 90 degree clockwise turns to each of the six faces. A prime after a letter indicates a counter-clockwise turn. Finally, the letters x, y, and z, describe rotating the entire cube 90 degrees clockwise on the R, U, and F faces respectively. A prime after these letters describes the corresponding counter-clockwise rotation.

the six faces

This site allows you to apply a series of moves to a cube to explore the notation.


DEF CON Quals 2017: A story told through pictures

Last weekend was DEF CON Quals 2017, the annual qualifier round to the DEF CON CTF held in Las Vegas every year. Last year I tried the CTF on my own and managed to solve 1 challenge. This year I participated on Lab RATs, a joint collaboration between MIT Lincoln Labs, RPISec, and TechSec.

My friend Ray already recapped most of what went down during the weekend on his blog, so I don’t really feel the need to repeat any of it. Instead, let me tell the story of my past week entirely through pictures:


Configuring a Beaglebone Black as an Access Point

A few weeks ago some friends and I competed in the Google Games, a sort of hybrid between a puzzlehunt and a coding competition. It was a fun event, and we managed to come in first! As a prize, each member of our team received a slick backpack and a Google Home, a smart speaker like the Amazon Echo, but designed and built by Google.

Unfortunately, the Google Home (and for that matter all Chromecasts) can’t operate on MIT’s WiFi network because they use Universal Plug and Play (UPnP), a protocol that MIT blocks.

One common workaround to this issue is to setup a personal access point wired into the MIT network that the Google Home can then connect to. I didn’t have an access point lying around, but I remembered that I did have a BeagleBone Black that I got from an IAP Internet of Things class a couple years ago. I decided to configure it to function as an access point.

I’m not much of a tinkerer, and the resulting process ended up being fairly involved. It wouldn’t have been feasible without the help of the many people who built custom drivers and documented the steps they took online. This post is my form of repayment; hopefully it will be useful for someone in the future.


PlaidCTF 2017: Multicast (175 pts)

PlaidCTF, PPP’s annual capture the flag, was held this past weekend. Because of Google Games and other work, I didn’t spend a large amount of time on it, but I and others on TechSec did manage to solve a few of the challenges.

Multicast was one of the earliest challenges released. We were given two files: a sage program called generate.sage and a file with 20 large integers called data.txt. You can find both of these files and my exploit here.


I listen to more podcasts than you

You know those people in life who you’re sort of friends with but only talk to when you pass each other in the hallway? You make small talk about what you’ve been up to or some shared interest you have, and then you say “I gotta go to this thing, but it was great seeing to you. Later!” and then never speak to them again until the next hallway-happenstance.

I generally hate these interactions (and I confess that I’ll sometimes take a longer route to avoid them), but I’ve found lately that with with a certain set of people these meetings are bearable because we talk about one specific shared interest: podcasts.

Podcasts have been around forever, but they’ve only taken off relatively recently (mostly due to Serial). Despite their growing popularity, its still a relatively niche form of media: something like 45% of Americans haven’t even heard of the term “podcasting”.

I know this fact because last March was #trypod, a month-long campaign to get more Americans interested in podcasting. Several of the podcasts I subscribe to urged their listeners to recommend a podcast to a friend or post a recommendation to social media with the hashtag #trypod.

Well, March is now over and I never recommended a podcast to anyone, so this post is my form of atonement. I’m currently subscribed to 18 podcasts (and I listen to basically every episode of each one); below I’ve listed each of them along with a brief description of what its about and why I enjoy it.

(Don’t know how to get started listening to podcasts? Have Ira Glass teach you by watching this great video.)


AlexCTF 2017: Catalyst System (150 pts)

AlexCTF just finished this weekend and our team did pretty well, solving all but two of the challenges. In this post I’ll talk about my solution to one of the reverse engineering challenges, called “Catalyst system.” You can check out the raw binary here.


MIT Mystery Hunt 2017 [Part 3/3]

This is part 3 of a series of posts about the MIT Mystery Hunt. You can find part 1 and part 2 here.

I’ll use this last post to talk about the events and the final runaround.

First, the events. There were four of them based on Charisma, Constitution, Strength + Dexterity, and Wisdom + Intelligence. The Charisma event was some sort of speed-dating activity, the Constitution event involved massive bobble-heads that were reused from the Crossing the Charles procession, the Strength + Dexterity event was a human-sized crossover between Hungry Hungry Hippos and Bananagrams, and the Wisdom + Intelligence event was a pub quiz with a twist.


MIT Mystery Hunt 2017 [Part 2/3]

This is part 2 of a series of posts about the MIT Mystery Hunt. You can find part 1 here.

This post will attempt to address the two questions on everyone’s minds right now: why was hunt so short, and is this a problem? First, the why.

Why was hunt so short? Well, it wasn’t because there were too few puzzles or metas:

                | 2015      | 2016    | 2017
 "easy" puzzles | 57 (fish) | 0       | 67 (character)
  total puzzles | ~160      | ~160    | ~160
          metas | 12 - 15   | 12 - 21 | 15

This year’s hunt had close to 160 total puzzles and 15 metas, about the same as the numbers for prior years. It’s not clear what exactly counts as a meta because of subtleties such as meta-metas, puzzles that reference other puzzles, and puzzlehunts within puzzlehunts, but it’s safe to say that the hunt wouldn’t have been significantly longer had Setec simply included a couple additional character metas.

If it wasn’t the number of puzzles, it must be their difficulty, right? Puzzles that appeared in the character metas were meant to be easier than average, an intentional throwback to the 2015 hunt which included “fish” puzzles designed to be about 1/3 the difficulty of a normal Mystery Hunt puzzle. However, the number of fish puzzles and character puzzles was roughly the same, and the hunt had plenty of difficult puzzles.


MIT Mystery Hunt 2017 [Part 1/3]

The 2017 MIT Mystery Hunt ended last Sunday. When I describe the hunt to other people, I often tell them that it’s my favorite weekend of the year, and it is. I get to reunite with old friends, meet new people, and spend 3 straight days solving puzzles. Well, sometimes not quite 3 days, but more on that later.

This was my 6th Mystery Hunt, and the 3rd time I hunted on-site with ✈✈✈ Galactic Trendsetters ✈✈✈. This year we came in 4th, our best performance yet.

The hunt, run by Setec Astronomy and called “Monsters et Manus,” was themed around Dungeons and Dragons. The opening skit involved some D&D players getting sucked into their own game. To get out, they needed to defeat the evil sorcerer Mystereo Cantos (anagram of Setec Astronomy / Too Many Secrets) and recover the two-sided die (the coin!). The hunt structure involved two types of metapuzzles: 6 “character metas,” which were always pure metas and based on the D&D players and their roles, and 8 “quest metas,” which were often shell metas and represented various forays into the fantasy world. There were also 4 events scheduled throughout the weekend that were based on the six canonical attributes of D&D (charisma, constitution, wisdom, etc.). Each of the 6 characters had “levels” that represented how experienced he or she was. Levels could be increased through various mechanisms and puzzles were unlocked based on these levels.