HACKvent 2020 - Day 23

01-01-2021 - 3 minutes, 26 seconds -

Challenge - Those who make backups are cowards!

Santa tried to get an important file back from his old mobile phone backup. Thankfully he left a post-it note on his phone with the PIN. Sadly Rudolph thought the Apple was real and started eating it (there we go again...). Now only the first of eight digits, a 2, is still visible...

But maybe you can do something to help him get his important stuff back?

Hints: If you get stuck, call Shamir

Solution

Today’s download was an encrypted backup of an iPhone. Luckily there is information out there on how to attack those. You extract a hash from the Manifest.plist file and attempt to crack it. Depending on the iTunes version, different algorithms are used which can make brute force unfeasible. We got the an easy one however 🙂

So we ran this script to get the hash, and then performed a masked bruteforce attack with hashcat on it, since the challenge description hinted on 8 digits with the first being a "2".

hashcat -m 14700 -a 3 hv20d23.hash 2?d?d?d?d?d?d?d

--> 20201225

So Santa's pin is the date of Christmas - how unguessable. So we unzip the backup, and find a video, a picture and two contacts. The image is a QR code!

And of course the QR Code Rickrolled us. The cat video was nice though. The two contacts were far more exciting: Both had a single letter as name and only an note as attributes.

M: 6344440980251505214334711510534398387022222632429506422215055328147354699502
N: 77534090655128210476812812639070684519317429042401383232913500313570136429769

Time to ask Shamir. Shamir was the S of RSA. So this is probably an (encrypted? so actually C?) message and the modulo N. Luckily the number used for N is known by factordb.com so we now know q and p:

250036537280588548265467573745565999443
310091043086715822123974886007224132083

By knowing this, and the fact that 65537 is often used as the exponent, we try to decipher the message:

using System;
using System.Numerics;
using System.Text;

var e = new BigInteger(65537);
var q = BigInteger.Parse("250036537280588548265467573745565999443");
var p = BigInteger.Parse("310091043086715822123974886007224132083");
var N = BigInteger.Parse("77534090655128210476812812639070684519317429042401383232913500313570136429769");

var m = BigInteger.Parse("6344440980251505214334711510534398387022222632429506422215055328147354699502");

var d = ModInv(e, (p - 1) * (q - 1));
var c = BigInteger.ModPow(m, d, N);
var bytes = c.ToByteArray(isBigEndian: true);
var output = Encoding.ASCII.GetString(bytes);
Console.WriteLine(output);

// https://stackoverflow.com/a/38198477/7131186
static BigInteger ModInv(BigInteger u, BigInteger v)
{
BigInteger inv, u1, u3, v1, v3, t1, t3, q;
BigInteger iter;
/* Step X1. Initialise */
u1 = 1;
u3 = u;
v1 = 0;
v3 = v;
/* Remember odd/even iterations */
iter = 1;
/* Step X2. Loop while v3 != 0 */
while (v3 != 0)
{
/* Step X3. Divide and "Subtract" */
q = u3 / v3;
t3 = u3 % v3;
t1 = u1 + q * v1;
/* Swap */
u1 = v1; v1 = t1; u3 = v3; v3 = t3;
iter = -iter;
}
/* Make sure u3 = gcd(u,v) == 1 */
if (u3 != 1)
return 0;   /* Error: No inverse exists */
/* Ensure a positive result */
if (iter < 0)
inv = v - u1;
else
inv = u1;
return inv;
}

And tada! Here is our Flag:

HV20{s0rry_n0_gam3_to_play}

Secret

But that's not the end of it. There is another flag hidden (unintentionally!) in this challenge!

So a secret challenge was created and the second flag could also be submitted. Now it just had to be found. After what felt like an eternity with an unsuccessful search of the backup, there were only two clues: A (photo) album in the backup apparently named "HV20" and a 3rd contact "Unknown" which could only be found by one of the many tried backup reading tools and which has only one web page stored. Unfortunately this one tool was a trial version and does not show the relevant information.

However, another approach brought (even if only by luck) the result, which is actually related to the hidden contact: Searching the whole decrypted backup for parts of the key:

findstr /S "HV" * > interesting_stuff.txt

http://SFYyMHtpVHVuM3NfYmFja3VwX2YwcmVuc2l4X0ZUV30=C66731B8-44AE-469B-9086-18A3A1F796B0

It is the Website information of our "unknown" contact! The domain-part of the link looks like it could be base64 - and it is!

HV20{iTun3s_backup_f0rensix_FTW}