Who uses this instead of 2FA, and why on earth would they do that?
Anyway, I broke into a server, but I can't get past this authentication. I managed to exfiltrate something that's running there, but I have no clue what to do with it.
nc spclr.ch 1337
After some reverse engineering of the pyc file (through e.g. uncompyle6), we are faced with an ECC signature. This turns out to be a Schnorr signature over the secp256k1 curve.
Since Schnorr signatures are known to be broken if the random nonce is reused with the same key (and different messages), we might try to target this.
Analysing the code some more, we find that the string formatting that happens to seed the randomness actually discards most of the precision from the time measurement: time is a floating point value in seconds, and
"%d" formats it as an integer. This means that two nonces generated within the same second will be the same. When developing an exploit, we can easily verify this by testing if the value for
t is identical between both signatures.
Now we only need to find two different messages that we can get signed. Unfortunately, the code checks our input against a single whitelisted option. Except that's not quite what happens: our messages is first stripped before that check, but the unstripped message is the one being signed. This means we can sign one regular message, and one message with added whitespace in the front or the back.
We can then recover the private key in the classical way, sign the server's challenge, and obtain the flag.
(Solve script: https://imaginaryctf.org/f/QGNwl)