simple rfid chall

DragonSecSI · Apr 14, 2022 · 93f9134 · 93f9134
1 parent b8a6f88
commit 93f9134
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 0 deletions.
diff --git a/challs/crapto/chall/keyfob.trace b/challs/crapto/chall/keyfob.trace
diff --git a/challs/crapto/challenge.yml b/challs/crapto/challenge.yml
@@ -0,0 +1,20 @@
+name: "Crapto"
+author: "CraftByte"
+category: "Misc"
+
+description: |
+  I touched my keyfob for free bubblegum and they stole my flag :(
+value: 200
+type: "standard"
+
+files:
+  - "chall/keyfob.trace"
+flags:
+  - "dctf{wh4t_15_g00d_prng_51fb12a0}"
+tags:
+  - "rfid"
+
+state: "visible"
+version: "0.1"
+
+ops:
diff --git a/challs/securecard/chall/card.trace b/challs/securecard/chall/card.trace
diff --git a/challs/securecard/challenge.yml b/challs/securecard/challenge.yml
@@ -0,0 +1,20 @@
+name: "Crapto"
+author: "CraftByte"
+category: "Misc"
+
+description: |
+  Our company now upgraded to secure cards, but I think they forgot to set something...
+value: 500
+type: "standard"
+
+files:
+  - "chall/card.trace"
+flags:
+  - "dctf{rf1d_15_c0mpl1c4t3d}"
+tags:
+  - "rfid"
+
+state: "visible"
+version: "0.1"
+
+ops:
diff --git a/challs/securecard/package.json b/challs/securecard/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "rfid-chall",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "node-aes-cmac": "^0.1.1"
+  }
+}
diff --git a/challs/securecard/solve.js b/challs/securecard/solve.js
@@ -0,0 +1,30 @@
+const crypto = require("crypto");
+const aesCmac = require("node-aes-cmac").aesCmac;
+
+function calculateCmac(data, key, iv) {
+    return aesCmac(key, data, {iv: iv, returnAsBuffer:true})
+}
+
+const zeros = Buffer.from("00000000000000000000000000000000", "hex")
+
+let masterDecipher = crypto.createDecipheriv("aes-128-cbc", zeros, zeros);
+masterDecipher.setAutoPadding(false);
+let RndB = masterDecipher.update(Buffer.from("A71845BE528A7E8E08163D063D9542AA", "hex"));
+let RndA = masterDecipher.update(Buffer.from("2C2ABDA6A1F9DFF50B87376C30575BC3", "hex"));
+console.log('RndA:', RndA);
+console.log('RndB:', RndB);
+
+let key = Buffer.alloc(16);
+RndA.copy(key, 0, 0, 4);
+RndB.copy(key, 4, 0, 4);
+RndA.copy(key, 8, 12, 16);
+RndB.copy(key, 12, 12, 16);
+console.log('Key: ', key);
+
+let cmac1 = calculateCmac(Buffer.from("F501", "hex"), key)
+let cmac2 = calculateCmac(Buffer.from("0003000019000000", "hex"), key, cmac1)
+let cmac3 = calculateCmac(Buffer.from("BD01000000000000", "hex"), key, cmac2)
+
+let decipher = crypto.createDecipheriv("aes-128-cbc", key, cmac3);
+let decrypted = decipher.update(Buffer.from("4CBEB52C4915350EAFB5DCFCA952D950994C12A1CF070982339957B440A10A36017C", "hex"));
+console.log('Data:',decrypted.toString())