HackTheBox BBGun06 Challenge

https://app.hackthebox.com/challenges/380

Description

We have received reports from CloudCompany that resources are involved in malicious activity similar to attempting unauthorized access to remote hosts on the Internet. We have since shut down the server and locked the SA. While we were trying to investigate what the entry point was, we discovered a phishing email from CloudCompany's IT department. You've since notified the vendor, and they've provided the source code of the email signing server for a security assessment. We've identified an outdated RSA verification code implementation, which we believe could be the cause of why the threat actors were able to impersonate the vendor. Can you replicate the attack and notify them of any possible misuse?

Exploitation

#!/usr/bin/python3
from Crypto.PublicKey import RSA
from Crypto.Util.number import long_to_bytes
from gmpy2 import iroot
from pwn import log, re, remote, sys

def main():
    if len(sys.argv) != 2:
        log.warning(f'Usage: python {sys.argv[0]} <host:port>')
        exit(1)
    host, port = sys.argv[1].split(':')
    r = remote(host, int(port))
    r.recvuntil(b'certificate: \n')
    cert = RSA.import_key(r.recvuntil(b'-----END PUBLIC KEY-----').decode())
    n, e = cert.n, cert.e
    forged_min = int((b'\x00\x01' + b'\xff' *   1 + b'\x000!0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14\xdb}\xdd?yeA\xdaO\x80]yHo\xd3w\x07\x9c2p').ljust(256, b'\x00').hex(), 16)
    forged_max = int((b'\x00\x01' + b'\xff' * 217 + b'\x000!0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14\xdb}\xdd?yeA\xdaO\x80]yHo\xd3w\x07\x9c2p').ljust(256, b'\xff').hex(), 16)
    perfect_cube_range = range(iroot(forged_min, e)[0], iroot(forged_max, e)[0])
    regex = re.compile(b'\x00\x01\xff+?\x00(.{15})(.{20})', re.DOTALL)
    keylength = len(long_to_bytes(n))
    for t in perfect_cube_range:
        clearsig = (t ** e).to_bytes(keylength, 'big')
        m = regex.match(clearsig)
        if m and m.groups() == (b'0!0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14', b'\xdb}\xdd?yeA\xdaO\x80]yHo\xd3w\x07\x9c2p'):
            break
    r.sendafter(b'Enter the signature as hex: ', hex(t)[2:].encode())
    log.success(f'Flag: {r.recv().decode()}')
    r.close()

if __name__ == '__main__':
    main()

Summary

BBGun06: exploit the RSA structure, recover the missing secret, and decrypt the flag.