Keys is a simple service that generates a public/private key pair and stores the public key.
The general workflow is:
- Generate new private and public keys.
- The service asks the user to send the private key again to ensure the user has saved it. When the check is done, the service answers "OK, you have generated the key with the comment: ..."
- You may request any public key for any user.
The checksystem stores flags in the comment field, so your task is to pass the check in p.2.
- The service doesn't store the private key; it stores a hash of it generated by password_hash and then checks it using password_verify.
- The password_hash function uses bcrypt by default, and the docs say "Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 bytes".
- So you need to find out how to generate the first 72 bytes of a private key.
- When your "fake key" is done, make a request to generate.php to get a flag.
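The truncation described in the list above, next to one way to close it, as an added example (not the service's own code). The two keys are constructed stand-ins that share their first 72 bytes, and `key_digest`, `store_key_hash` and `check_key` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for two different private keys whose first
// 72 bytes are identical (not real key material).
$prefix  = str_repeat('A', 72);
$realKey = $prefix . 'rest-of-the-real-key-material';
$fakeKey = $prefix . 'something-else-entirely';

// Weak pattern from the write-up: the key goes straight into bcrypt,
// which only ever sees its first 72 bytes.
$weakHash   = password_hash($realKey, PASSWORD_BCRYPT);
$weakAccept = password_verify($fakeKey, $weakHash);

// Hardened pattern (assumption: one possible fix, not the service's):
// digest the whole key first so every byte influences the bcrypt input.
function key_digest(string $key): string
{
    // SHA-384 gives 48 raw bytes; base64 turns that into 64 printable
    // characters, which fits under 72 and contains no NUL bytes.
    return base64_encode(hash('sha384', $key, true));
}

function store_key_hash(string $key): string
{
    return password_hash(key_digest($key), PASSWORD_BCRYPT);
}

function check_key(string $key, string $storedHash): bool
{
    return password_verify(key_digest($key), $storedHash);
}

$strongHash = store_key_hash($realKey);

echo 'weak check, fake key:     ';
var_dump($weakAccept);
echo 'hardened check, real key: ';
var_dump(check_key($realKey, $strongHash));
echo 'hardened check, fake key: ';
var_dump(check_key($fakeKey, $strongHash));
```

Run with the PHP CLI: the weak check accepts the fake key because both inputs are identical within the first 72 bytes, while the hardened check accepts only the real key.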
All private keys have the same prefix except for 3 bytes. That's too much to brute-force over the network.
The easy method to reduce the number of variants to brute-force is to generate a lot of public and private keys and collect statistics on those bytes.
See files below for details.