
Twisted Entangelement

Twisted Entangelement is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Medium | Published 2024-06-10 | Sanitized local writeup

Scenario

Twisted Entangelement attack path


Objective

Challenge walkthrough focused on Crypto evidence, validation, and reusable operator lessons.


Walkthrough flow

  1. Audit the source before remote interaction. The...
  2. Use an invalid curve in the same a = 0 family with...
  3. Submit known-order points to the scalar...
  4. Combine residues with CRT until the private key is...
  5. Validate the recovered scalar against the service...

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Crypto/Twisted-Entangelement/writeup.md
  • htb-challenge/Crypto/Twisted-Entangelement/notes.md
  • htb-challenge/Crypto/Twisted-Entangelement/memory-summary.md
  • htb-challenge/Crypto/Twisted-Entangelement/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Twisted-Entangelement
  • Category: Crypto
  • Difficulty: Medium
  • Mode: hybrid

Summary

The service combines an unsafe elliptic-curve scalar-multiplication oracle with a deterministic “quantum” key exchange. Option 1 multiplies the server private key by arbitrary user-supplied points without validating curve membership. Using points from an invalid curve with smooth subgroup factors recovers the bounded private key by subgroup discrete logs and CRT. The private key then seeds the option 2 basis choices, letting us choose matching bases, complement the returned user bits, derive the AES key, and decrypt the flag.

Artifact Inventory

  • files/a12c738e-4962-47e2-b1fc-f373dbb38f7c.zip: original HTB archive.
  • files/extracted/twisted_entanglement/server.py: remote menu/service logic.
  • files/extracted/twisted_entanglement/util.py: custom ECC, basis parsing, key generation, and AES encryption helpers.
  • Remote service: <TARGET>:32252.

Analysis

The source audit found two linked weaknesses.

First, server.py option 1 accepts an arbitrary x,y pair and returns multiply(private_key, point, E). parseUserPoint() only parses integers; it does not validate that the point lies on the advertised secp256k1 curve. The group law in util.py uses only a = 0 and p, so points from other curves in the same y^2 = x^3 + b family can be used as invalid-curve subgroup oracles.
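The missing check, shown beside a hardened parser as an added example (not code from the challenge's util.py). The function names and the "x,y" text format are assumptions, and the off-curve point (1, 2) is constructed for illustration.

```python
# Added example: illustrates why a = 0 arithmetic accepts off-curve points
# and what the membership check looks like. Not the challenge's own code.
P = 2**256 - 2**32 - 977   # secp256k1 field prime
B = 7                      # secp256k1: y^2 = x^3 + 7, a = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def double(pt):
    """Affine point doubling for a = 0. The constant b never appears."""
    x, y = pt
    lam = 3 * x * x * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return x3, (lam * (x - x3) - y) % P

def implied_b(pt):
    """The b for which pt satisfies y^2 = x^3 + b (mod p)."""
    x, y = pt
    return (y * y - x * x * x) % P

def parse_point_unchecked(text):
    """Pattern described above: coordinates are parsed as integers only."""
    x, y = (int(v) for v in text.split(","))
    return x, y

def parse_point_checked(text):
    """Hardened parser: range check plus curve-membership check."""
    x, y = (int(v) for v in text.split(","))
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate outside the field")
    if (y * y - x * x * x - B) % P != 0:
        raise ValueError("point is not on secp256k1")
    return x, y

def rejected(text):
    """True if the hardened parser refuses the input."""
    try:
        parse_point_checked(text)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    off = parse_point_unchecked("1,2")            # constructed off-curve point
    print(implied_b(off), implied_b(double(off)))  # stays on y^2 = x^3 + 3
    print(rejected("1,2"), rejected(f"{G[0]},{G[1]}"))
```

Because secp256k1 has cofactor 1, the membership check is sufficient once the point at infinity is excluded, which the affine "x,y" encoding assumed here cannot represent.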

Second, option 2 calls generateKeys(basis, private_key). That function runs random.seed(private_key) before choosing server measurement bases, so recovering the private key also recovers the server basis sequence. When the user chooses the same basis as the server, the prepared entangled state is anti-correlated, so the returned user bits can be complemented to obtain the server bits. The AES key is SHA256(server_bits).
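The seeding weakness beside a corrected form, as an added example (not the challenge's generateKeys()). The basis labels, function names, and sample key value are assumptions, since the page does not show the helper's body.

```python
# Added example: key-seeded basis selection versus per-session CSPRNG bases.
# Not the challenge's own code; names and basis labels are hypothetical.
import random
import secrets

BASES = "ZX"  # assumed two-basis alphabet; the real encoding is not on the page

def server_bases_seeded(private_key, n):
    """Pattern described above: the PRNG is seeded with the long-term key,
    so the basis string is a pure function of that key."""
    rng = random.Random(private_key)  # same generator state as random.seed(private_key)
    return "".join(rng.choice(BASES) for _ in range(n))

def server_bases_fresh(n):
    """Corrected form: bases drawn from the OS CSPRNG for every session,
    with no dependence on any key material."""
    return "".join(secrets.choice(BASES) for _ in range(n))

def repeats_across_sessions(generate, sessions=5):
    """Review check: True if every session produced the same basis string."""
    return len({generate() for _ in range(sessions)}) == 1

if __name__ == "__main__":
    sample_key = 0x1234  # constructed value, not from the challenge
    print(repeats_across_sessions(lambda: server_bases_seeded(sample_key, 256)))
    print(repeats_across_sessions(lambda: server_bases_fresh(256)))
```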

The final solver uses known-order points from the invalid curve order class with smooth factors:

  • 10903
  • 5290657
  • 10833080827
  • 22921299619447

It solves each subgroup discrete log, combines the residues with CRT, checks the source private-key bound, and then uses that private key to drive option 2.

Solve

Run:

```bash
python3 solve/solve.py
```

The script:

  1. Queries option 1 with invalid-curve points.
  2. Solves subgroup discrete logs locally.
  3. Combines residues with CRT to recover the private key.
  4. Recreates the deterministic basis sequence.
  5. Queries option 2 with matching bases.
  6. Complements the returned user bits, hashes the server bits, and decrypts AES-ECB.
  7. Writes the candidate flag to loot/flag-candidate.txt.

The candidate was captured through the harness with:

```bash
python3 scripts/challenge_harness.py capture-flag Crypto/Twisted-Entangelement --from loot/flag-candidate.txt
```

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • Invalid-curve attacks are still viable when scalar multiplication accepts arbitrary coordinates and skips membership checks.
  • For challenge services, source assertions must be validated against the live target; broad CRT attempts with unreliable low-order points can produce misleading residues.
  • The “quantum” layer was not the hard part once the scalar was recovered; the deterministic PRNG seed turned basis selection into a normal protocol-state recovery problem.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Twisted-Entangelement
  • Category: Crypto
  • Difficulty: Medium
  • Mode: hybrid
  • Remote instance: none
  • Start time: 2026-06-13T04:11:26Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c738e-4962-47e2-b1fc-f373dbb38f7c.zip | 2859 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
| files/extracted/twisted_entanglement/server.py | 2759 | <hash redacted> | Python script text executable, ASCII text | |
| files/extracted/twisted_entanglement/util.py | 2898 | <hash redacted> | Python script text executable, ASCII text | |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-13T04:11:26Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-13T04:11:26Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T04:11:37Z | hypothesis recorded | hypothesis-board.md | Audit the provided ECC/entanglement key exchange source, identify an algebraic or protocol flaw, and use it to derive the shared secret/session key from the remote transcript. | Medium | Extract the archive, read the protocol implementation, and locally simulate any weak key exchange before connecting to the remote. |
| 2026-06-13T04:11:37Z | checkpoint recorded | analysis/checkpoint-triage-20260613T041137871946Z-5f35c486.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-13T04:11:50Z | artifact inventory | analysis/artifact-inventory.json | 3 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T04:12:57Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-13T04:12:57Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-13T04:13:08Z | RAG query | analysis/rag/rag-query-20260613T041257267108Z-1027c660.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T04:43:40Z | RAG query | analysis/rag/rag-query-20260613T044320331149Z-a18e7c44.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T04:46:53Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T04:46:53Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the private key through invalid-curve subgroup residues, then derive the option 2 AES key and decrypt the flag. | High | Stop if recovered CRT key does not satisfy the source bound or fails public-key validation, or if option 2 plaintext does not start with HTB{ |
| 2026-06-13T04:47:11Z | RAG record | analysis/rag-records.md | Retrieved memory tagged PARTIAL | Medium | Validate or reject with live evidence |
| 2026-06-13T04:47:11Z | evaluator | analysis/evaluator-20260613T044711716462Z-cd5f7b8e.md | Proceed | High | Run exploit gate, capture the flag candidate, and complete the challenge. |
| 2026-06-13T04:47:20Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T04:48:27Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • server.py option 1 is an arbitrary-point scalar multiplication oracle for private_key.
  • util.py does not validate curve membership before scalar multiplication.
  • Smooth-order invalid-curve points recover the bounded private key through subgroup discrete logs and CRT.
  • The recovered key reproduces the service public key and seeds option 2 basis generation.
  • Matching the server basis sequence makes the returned user key anti-correlated with the server key bits.
  • solve/solve.py recovers the private key dynamically, decrypts the option 2 ciphertext, and writes the flag candidate under loot/.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Crypto
  • Challenge: Twisted-Entangelement
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Audit the source before remote interaction. The service exposes arbitrary-point scalar multiplication with the private key and does not validate curve membership.
  2. Use an invalid curve in the same a = 0 family with smooth subgroup factors.
  3. Submit known-order points to the scalar multiplication oracle and recover residues with subgroup discrete logs.
  4. Combine residues with CRT until the private key is recovered under the source-bound assumption.
  5. Validate the recovered scalar against the service public key.
  6. Recreate the deterministic server basis sequence because option 2 seeds Python PRNG with the private key.
  7. Choose matching bases, receive the user measurement bits, complement them to recover the server bits, hash them, and decrypt the AES ciphertext.

Reusable Lessons

  • Invalid-curve attacks apply when point multiplication does not verify that supplied points lie on the intended curve.
  • For y^2 = x^3 + b families, changing b can provide alternate curve orders with useful smooth factors while the same addition formulas still apply.
  • When a protocol seeds randomness from an ECC private scalar, recovering the scalar can break later non-ECC stages.
  • Entangled singlet-style measurements are anti-correlated when both sides use the same basis.

Dead Ends

  • Broad CRT using unreliable very-low-order points can produce residues that do not validate against the public key. Always verify recovered CRT candidates against the advertised public key.
  • Base-curve bounded BSGS was unnecessary once the intended smooth invalid-curve order class was used.

Tool Quirks

  • A local PARI backend via cypari2 was useful for confirming invalid-curve orders and factors.
  • BSGS for the largest smooth subgroup was feasible locally and did not require Sage.

Evidence Paths

  • files/extracted/twisted_entanglement/server.py
  • files/extracted/twisted_entanglement/util.py
  • analysis/source-audit.md
  • analysis/protocol-analysis.md
  • solve/solve.py
  • loot/private-key.txt
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Audit the provided ECC/entanglement key exchange source, identify an algebraic or protocol flaw, and use it to derive the shared secret/session key from the remote transcript. | Medium Crypto hybrid challenge with a downloadable source archive and remote service at <TARGET>:32252. | | Extract the archive, read the protocol implementation, and locally simulate any weak key exchange before connecting to the remote. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Technical analogy

How to remember this solve

Think of the challenge like a locked box where the lock is mathematical but slightly flawed. The goal is not to smash the box; it is to notice which part of the lock repeats, leaks, or trusts the wrong assumption.

For Twisted Entangelement, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.