# CSAW 2013: slurp

We got the challange description:

We’ve found the source to the Arstotzka spies rendevous server, we must find out their new vault key.

nc 128.238.66.222 7788


with the following code:

## Analyze the Server

1. Request of an bruteforceable sha1 Task
2. Receive the agent number (index)
3. Receive the ephermal key (cEphemeral)
4. Sent the salt
5. Send the sEphemeral
6. Calculate the agreedKey/gennedKey
7. Recieve the gennedKey and reveal key if it was correct

So our task is to calculate gennedKey = hashToInt(hashToInt(N) ^ hashToInt(index), hashToInt(index), salt, cEphemeral, sEphemeral, agreedKey) Everything in this hash is known, besides of agreedKey. Therefore it is our task to calculate agreedKey = hashToInt(pow(cEphemeral * pow(storedKey, slush, N), sEphemeralPriv, N)) This leads us to a problem because we dont know storedKey, but thanks to the fact that N seems to be prime number and index is under our control, we are able to calculate a number with the order 4 (which means $i \mod N= i^{(4+1)} \mod N$ and only 4 possible values for $i^x \mod N$) and use this number as index. In many cases this leads to storedKey = 1 and with cEphemeral = 1 agreedKey is finally predictable.

So we wrote a client to connect against the server and catches the flag:

The script produces (sometimes / in most cases):

You must first solve a puzzle, a sha1 sum ending in 24 bit's set to 1, it must be of length 21 bytes, starting with hQxmgfPezYjCu4wo
Welcome to Arstotzka's check in server, please provide the agent number
Please provide your ephemeral key, can never be too careful
Well done comrade, the key to the vault is {We'd all be so much safer if all primes were so free and germane}