
Transparency

When you connect to a website over HTTPS, the first TLS message sent by the server is the ServerHello containing the server TLS certificate. Your browser verifies that the TLS certificate is valid, and if not, will terminate the TLS handshake. Verification includes ensuring that:

  • the name on the certificate matches the domain

  • the certificate has not expired

  • the certificate is ultimately signed (via a "chain of trust") by a root key of a Certificate Authority (CA) that's trusted by your browser or operating system

Since CAs have the power to sign any certificate, the security of the internet depends upon these organisations issuing TLS certificates to the correct people: they must only issue certificates to the real domain owners. However, with Windows trusting root certificates from over 100 organisations by default, there are a number of opportunities for hackers, politics, or incompetence to break the whole model. If you could trick just a single CA into issuing you a certificate for microsoft.com, you could use the corresponding private key to sign malware and bypass trust controls on Windows. CAs are strongly incentivised to be careful since their business depends upon people trusting them; however, in practice they have failed several times.

In 2011 Comodo CA was compromised and the hacker was able to issue certificates for Gmail and other services. In 2016, Symantec was found to have issued over 150 certificates without the domain owner's knowledge, as well as 2400 certificates for domains that were never registered.

Due to such events, together with the fact that fraudulent certificates can take a long time to be discovered, since 2018 Certificate Transparency has been enforced by Google Chrome. Every CA must publish all certificates that they issue to a log, which anyone can search.

Attached is an RSA public key in PEM format. Find the subdomain of cryptohack.org which uses these parameters in its TLS certificate, and visit that subdomain to obtain the flag.

Solution

We are given an RSA public key and have to find the subdomain of cryptohack.org whose TLS certificate uses these parameters. Certificate search engines such as [search.censys.io](https://search.censys.io) let you look up certificates by the SHA-256 fingerprint of their public key, so the plan is to compute that fingerprint and search for it.

The fingerprint is the SHA-256 hash of the DER-encoded public key. We can compute it with Python or with openssl:

solve.py

```python
import hashlib
from Crypto.PublicKey import RSA  # PyCryptodome

# Load the PEM public key supplied with the challenge
pem = open('transparency.pem', 'r').read()
key = RSA.importKey(pem).public_key()

# Export as DER (SubjectPublicKeyInfo); this is what the fingerprint covers
der = key.exportKey(format='DER')

sha256_fingerprint = hashlib.sha256(der).hexdigest()
print(f"Public Key SHA256: {sha256_fingerprint}")
```

The same value with openssl:

```sh
openssl pkey -outform der -pubin -in transparency.pem | sha256sum
```

The SHA-256 fingerprint comes out as 29ab37df0a4e4d252f0cf12ad854bede59038fdd9cd652cbc5c222edd26d77d2. Searching for this hash on search.censys.io in the legacy certificate section returns the certificate for the subdomain hetransparencyflagishere.cryptohack.org.


Visiting that subdomain over HTTPS gives the flag: crypto{thx_redpwn_for_inspiration}