NEKO

CSAW CTF 2018 Writeup

2018/09/17

To improve my English level and change my Chinglish to English,I am going to write article with English.
Fuck me ,i just cant get the point what the guys say in IRC.

Crypto

babycrypto

the hint is odd, but not too hard.
think about the xor, and get the flag.

1
2
3
4
  cat ciphertext.txt| base64 -D > data

xor -f data -s "\xff"
Leon is a programmer who aspires to create programs that help people do less. He wants to put automation first, and scalability alongside. He dreams of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved.flag{diffie-hellman-g0ph3rzraOY1Jal4cHaFY9SWRyAQ6aH}

just bruteforce the \xff.

Flatcrypt

I first tried to exploit the AES_CTR mode, but failed.
then i found the origin challenge at 2013 Plaid CTF, and i still failed to solve this challenge, what a shame.
I redo this challenge after the match.
The origin challenge:http://rikaard.blogspot.com/2013/04/plaidctf-crypto200-compression.html
The challenge belongs to Compression side channel attacks:
https://www.sjoerdlangkemper.nl/2016/08/23/compression-side-channel-attacks/
Summarize the vulnerability :

  • The most often used letters get the shortest representation.
  • Any phrase that is repeated only gets stored once.

for example:
test.py

1
2
3
4
5
import zlib
import sys
PROBLEM_KEY = 'neko'
print PROBLEM_KEY+sys.argv[1]
print len(zlib.compress(PROBLEM_KEY+sys.argv[1]))

let’s have try:

1
2
3
4
5
6
7
python test.py `python -c 'print "a"*20'`
nekoaaaaaaaaaaaaaaaaaaaa
14

python test.py `python -c 'print "o"*20'`
nekooooooooooooooooooooo
13

so we know the last letter is ‘o’

and via

1
2
3
4
5
6
7
python test.py `python -c 'print "io"*20'`
nekoioioioioioioioioioioioioioioioioioioioio
15

python test.py `python -c 'print "ko"*20'`
nekokokokokokokokokokokokokokokokokokokokoko
14

we know the last two letters are ‘ko’.

Now it’s easy to solve the challenge.

the attachment:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import zlib
import os
from Crypto.Cipher import AES
from Crypto.Util import Counter
ENCRYPT_KEY = bytes.fromhex('0000000000000000000000000000000000000000000000000000000000000000')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'not_the_flag'
def encrypt(data, ctr):
return AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr).encrypt(zlib.compress(data))
while True:
f = input("Encrypting service\n")
if len(f) < 20:
continue
enc = encrypt(bytes((PROBLEM_KEY + f).encode('utf-8')), Counter.new(64, prefix=os.urandom(8)))
print("%s%s" %(enc, chr(len(enc))))

the exp.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
import string
dict=string.ascii_lowercase+'_'
r=remote('127.0.0.1',32770)
flag=''
count=[0 for i in dict]
for i in range(32):
for j in range(len(dict)):
payload=(dict[j]+flag)*20
junk= r.recvline()
r.sendline(payload)
l=r.recvline()[-2]
count[j]=ord(l)
print count,sorted(list(set(count)))
for k in dict:
print ' ', k,
if len(sorted(list(set(count))))==3:
print '\npls choose %s or %s: '%(dict[count.index(sorted(list(set(count)))[0])],dict[count.index(sorted(list(set(count)))[1])])
next_letter=raw_input().rstrip('\n')
flag=next_letter+flag
print flag
else:
flag=dict[count.index(min(count))]+flag
print '\n[*]flag:%s\n'%flag

but the first letter needs guess.

lowe

The hint is oblivious, but i don’t think it’s necessary.
Firstly, it’s a RSA low e attack.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from Crypto.PublicKey import RSA
import gmpy
from Crypto.Util.number import *
pub=RSA.importKey(open("./pubkey.pem").read())
e= pub.e
n= pub.n
c=219135993109607778001201845084150602227376141082195657844762662508084481089986056048532133767792600470123444605795683268047281347474499409679660783370627652563144258284648474807381611694138314352087429271128942786445607462311052442015618558352506502586843660097471748372196048269942588597722623967402749279662913442303983480435926749879440167236197705613657631022920490906911790425443191781646744542562221829319509319404420795146532861393334310385517838840775182

i=0
while 1:
if gmpy.root((c+i*n),e)[1]==1:
print "yes"
m=gmpy.root((c+i*n),e)[0]
print m
print i
break
i=i+1

then just xor m with the file.enc:

1
2
3
4
5
6
7
8
from __future__ import print_function
from Crypto.Util.number import *

m=12950973085835763560175702356704747094371821722999497961023063926142573092871510801730909790343717206777660797494675328809965345887934044682722741193527531
key=long_to_bytes(m)
f=open('file.enc').read().decode('base64')
for i,j in zip(key,f):
print(chr(ord(i)^ord(j)),end='')

holywater

https://galhacktictrendsetters.wordpress.com/2018/09/17/csaw-quals-2018-holywater/

原文作者: n3k0

发表日期: September 17th 2018, 1:46:29

发出嘶吼: 没有魔夜2玩我要死了

CATALOG
  1. 1. Crypto
    1. 1.1. babycrypto
    2. 1.2. Flatcrypt
    3. 1.3. lowe
    4. 1.4. holywater