Digital Safety Annex (Flag)
by ent0xE - Saturday November 2, 2024 at 03:45 PM
#1
HTB{1_Gu3ss_d54_15_N07_4s_s3CuR3_A5_1_7h0u647}

To solve it, you need to write your script, which talks to the service so it gets r, s, the hashed message and q. You discover the nonce must lie between 65500 and 1000000. With the right nonce you get the private key; with it you can retrieve the flag.
Bruteforce took me 20min (multithreaded)
Reply
#2
(Nov 02, 2024, 03:45 PM)ent0xE Wrote:
HTB{1_Gu3ss_d54_15_N07_4s_s3CuR3_A5_1_7h0u647}

To solve it, you need to write your script, which talks to the service so it gets r, s, the hashed message and q. You discover the nonce must lie between 65500 and 1000000. With the right nonce you get the private key; with it you can retrieve the flag.
Bruteforce took me 20min (multithreaded)

Hey bro, can you share the script?

Reply
#3
(Nov 08, 2024, 08:57 AM)bestmajor Wrote: Getting the priv key is pretty easy; it takes at most 3 minutes. Since you have r, s and the hashed message from the admin's vault as well as p, g and q, you can bruteforce the corresponding nonce and calculate the private key x.

```
r_inv = pow(r, -1, q)
priv = ((s * nonce - (int(h, 16))) * r_inv) % q
```

This can be done offline and it is pretty quick.

Getting the nonce for the flag is more time-consuming because it can only be done online.


Excuse me, how could we get the nonce? We know that the nonce is between 65500 and 1000000. But if we brute force this value:
```
for nonce in range(65500, 1000000):
    x = ((s * nonce - h) * r_inv) % q
```
how will we check if the private key x is valid?
Reply
#4
(Nov 08, 2024, 08:57 AM)bestmajor Wrote: Getting the priv key is pretty easy; it takes at most 3 minutes. Since you have r, s and the hashed message from the admin's vault as well as p, g and q, you can bruteforce the corresponding nonce and calculate the private key x.

```
r_inv = pow(r, -1, q)
priv = ((s * nonce - (int(h, 16))) * r_inv) % q
```

This can be done offline and it is pretty quick.

Getting the nonce for the flag is more time-consuming because it can only be done online.

Do we need to be online? And I don't see any hash message; all I have is r, s from the new user account
- p, q, g from developer notes
But what is this hash message? Is it that text message we get from developer notes?
Or maybe we can use our stored secret for getting the priv key? And do you have the full script? I am sick of this challenge and it is eating me inside.
Reply
#5
(Nov 14, 2024, 08:42 AM)zorox Wrote:
(Nov 08, 2024, 08:57 AM)bestmajor Wrote: Getting the priv key is pretty easy; it takes at most 3 minutes. Since you have r, s and the hashed message from the admin's vault as well as p, g and q, you can bruteforce the corresponding nonce and calculate the private key x.

```
r_inv = pow(r, -1, q)
priv = ((s * nonce - (int(h, 16))) * r_inv) % q
```

This can be done offline and it is pretty quick.

Getting the nonce for the flag is more time-consuming because it can only be done online.

Do we need to be online? And I don't see any hash message; all I have is r, s from the new user account
- p, q, g from developer notes
But what is this hash message? Is it that text message we get from developer notes?
Or maybe we can use our stored secret for getting the priv key? And do you have the full script? I am sick of this challenge and it is eating me inside.

The hash message is not that text message we get from developer notes.
It is the text we get from the challenge after we register a user and send a message to hash it, to be able to check the hash and decrypt after all.
So we can use our stored secret, but to get the priv key we need the parameters and the nonce, not our message.
Reply
#6
```
#!/usr/bin/env python3
from multiprocessing import Pool, cpu_count
import sys

import gmpy2
from pwn import *


def check_k_range(args):
    # Worker: scan one slice of the nonce window for k with (g^k mod p) mod q == r
    start, end, g, p, q, r = args
    for k in range(start, end):
        if k % 2000 == 0:
            print(f"Trying k = {k}")
        if pow(g, k, p) % q == r:
            return k
    return None


def find_k(g, p, q, r):
    # Split the window [65500, 10**6) evenly across all CPU cores
    cores = cpu_count()
    start = 65500
    end = 10**6
    chunk_size = (end - start) // cores
    ranges = []
    for i in range(cores):
        chunk_start = start + (i * chunk_size)
        # The last chunk absorbs the remainder of the division
        chunk_end = chunk_start + chunk_size if i < cores - 1 else end
        ranges.append((chunk_start, chunk_end, g, p, q, r))
    with Pool(cores) as pool:
        results = pool.map(check_k_range, ranges)
    for result in results:
        if result is not None:
            return result
    return None


def exploit(target):
    ip, port = target.split(':')
    port = int(port)
    context.log_level = 'debug'
    io = remote(ip, port)

    # Menu option 4: read the DSA parameters p, q, g
    io.recvuntil(b'>')
    io.sendline(b'4')
    buf = io.recvuntil(b'[+] Test user log (y/n) : ')
    p = int(buf.decode().split('\n')[6].split(' = ')[1])
    q = int(buf.decode().split('\n')[7].split(' = ')[1])
    g = int(buf.decode().split('\n')[8].split(' = ')[1])

    # Open the test user log and parse (r, s, hash) of the stored message
    io.sendline(b'y')
    io.recvuntil(b'Enter your password : ')
    io.sendline(b'5up3r_53cur3_P45sw0r6')
    buf = io.recvuntil(b'>')
    r = int(buf.decode().split('\n')[1].split('((')[6].split(',')[0])
    s = int(buf.decode().split('\n')[1].split('((')[6].split(',')[1][1:-1])
    h = int(buf.decode().split('\n')[1].split('((')[6].split(',')[2].split(')]')[0].split("'")[1], 16)

    # Offline search for the nonce k that produced r
    print(f"Starting k search using {cpu_count()} cores...")
    kx = find_k(g, p, q, r)
    if not kx:
        print("Failed to find k value")
        return
    print(f"Found k = {kx}")

    # Menu option 3: request the stored message with the nonce and private key
    io.sendline(b'3')
    io.recvuntil(b'Please enter the username who stored the message : ')
    io.sendline(b'ElGamalSux')
    io.recvuntil(b'Please enter the message\'s request id: ')
    io.sendline(b'3')
    io.recvuntil(b'Please enter the message\'s nonce value : ')
    io.sendline(str(kx).encode())
    io.recvuntil(b'[+] Please enter the private key: ')
    # x = (k*s - h) * r^-1 mod q, from the DSA signing equation
    pri = ((kx * s - h) * gmpy2.invert(r, q)) % q
    io.sendline(str(pri).encode())
    response = io.recvall().decode()
    print(response)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    target = sys.argv[1]
    exploit(target)
```
Reply
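Added example, not part of any post in this thread and not the challenge's code: an offline illustration of the check asked about in post #3, run on a constructed toy DSA group, next to the same search against a nonce taken from the full range. The names `toy_group`, `sign`, `recover` and `demo`, the toy group size, the key, the nonces, the message and the use of a known public key `y` to confirm `x` are all assumptions made for the example.

```python
import hashlib
from math import isqrt

LO, HI = 65500, 1_000_000            # nonce window quoted in the thread

def toy_group(q=2**31 - 1):
    """Constructed toy group: prime p = j*q + 1 and g of prime order q."""
    j = 2
    while any((j * q + 1) % d == 0 for d in range(2, isqrt(j * q + 1) + 1)):
        j += 2                       # keep p odd; stop at the first prime p
    p = j * q + 1
    g = next(v for v in (pow(a, j, p) for a in range(2, p)) if v != 1)
    return p, q, g

def sign(msg, x, k, p, q, g):
    """Textbook DSA signature with the nonce k supplied by the caller."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % q
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    return r, s, h

def recover(r, s, h, y, p, q, g):
    """Scan the window: r selects candidate nonces, y confirms the key."""
    r_inv = pow(r, -1, q)
    for k in range(LO, HI):
        if pow(g, k, p) % q != r:    # candidate k must reproduce r
            continue
        x = (s * k - h) * r_inv % q  # same formula as quoted in the thread
        if pow(g, x, p) == y:        # x is valid only if it maps to y
            return k, x
    return None

def demo():
    p, q, g = toy_group()
    x = 123456789                    # constructed private key
    y = pow(g, x, p)                 # matching public key (assumed known)
    msg = b"constructed message"
    weak = sign(msg, x, 70001, p, q, g)      # nonce inside the window
    full = sign(msg, x, q - 70001, p, q, g)  # stands in for a draw over [1, q-1]
    return recover(*weak, y, p, q, g), recover(*full, y, p, q, g)

if __name__ == "__main__":
    print(demo())
```

The second result is `None`: once the nonce is drawn uniformly from [1, q-1] (a CSPRNG over the full range, or RFC 6979 deterministic nonces), the window scan has nothing to find. Where no public key is available, the match on `r` alone is the check the script in post #6 relies on.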

