'
7 |
8 | def mac(msg):
9 | print(SECRET+msg)
10 | return hashlib.sha1(SECRET + msg).hexdigest()
11 |
12 | @route('/')
13 | def index():
14 | f = 'sample.gif'
15 | return template(INDEX, mac=mac('f=' + f), file=f)
16 |
17 | @route('/files/')
18 | def dir():
19 | return FILES
20 |
21 | @route('/files//')
22 | def download(umac):
23 | delim = msg = ''
24 | for k,v in request.query.allitems():
25 | msg += delim + k + '=' + v
26 | delim = '&'
27 | print(len(msg))
28 | if mac(msg) == umac:
29 | return static_file(request.query.f, root='./files')
30 | else:
31 | return redirect('/files/' + mac('f=dont.gif') + '/?f=dont.gif')
32 |
33 |
34 |
35 | run(host='0.0.0.0', port=8888)
36 |
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/kim/kimSolve.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import hlextend
3 |
4 | base = "http://35.198.133.163:1337/files/"
5 | sha = hlextend.new('sha1')
6 |
7 | for saltLen in range(13, 20, 1):
8 | print("Attempting with len(SECRET)= " + str(saltLen))
9 |
10 | query = sha.extend('&f=flag', "f=sample.gif", saltLen, "952bb2a215b032abe27d24296be099dc3334755c")
11 | umac = sha.hexdigest()
12 |
13 | query = repr(query).replace("\\\\x","%")[1:-1]
14 | url = base + umac + "/?" + query
15 | r = requests.get(url)
16 |
17 | # if no redirect, success!
18 | if(url == r.url):
19 | print("Hash found!\n")
20 | print("Url: " + url)
21 | print("\nFlag: " + r.text)
22 | break
23 |
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/README.md:
--------------------------------------------------------------------------------
1 | # nohtyp - easy
2 |
3 | We love [snakes](./nohtyp.py).
4 |
5 | Hints:
6 | ```
7 | $ cat flag | md5sum
8 |
9 | 5a76c600c2ca0f179b643a4fcd4bc7ac
10 | ```
11 |
12 | ## Solution
13 |
14 | The question looks very daunting with everything written in a single line and variable names consisting of only underscores.
15 | So let's edit it first by splitting it into multiple lines.
16 |
17 | #Edit 1
18 | 
19 |
20 | Now let's give the variables some meaningful names and convert the hex values to normal characters.
21 |
22 | #Edit 2
23 | 
24 |
25 | After reorganizing the code and cleaning it up a bit, we get the following:
26 |
27 | #Edit 3
28 | 
29 |
30 | [Here's](./modified.py) the more readable version of the question.
31 |
32 | The script is accepting user input as the flag and checking if it contains these strings:
33 |
34 | 1)`34C3_`
35 |
36 | 2)`mo4r`
37 |
38 | 3)`tzzzz`
39 |
40 | Moreover the `split('_')[3]` implies there must be 3 underscores. Along with these checks, the script is performing the `addXor()` function on the flag and reverse(flag) and checking if this list of values is equal to the reverse of a list of numbers (given by `l` in the above image).
41 |
42 | Now we can check the strings (1), (2), (3) stated above at each position of the flag and perform the reverse of the `addXor()` function by using the corresponding values from `l` and deduce the flag step by step.
43 |
44 | Following these steps, we'll end up with something like `34C3_mo4r_****4kes_tzzzz`. We can simply bruteforce the remaining 4 characters and check if the flag's md5 matches with `5a76c600c2ca0f179b643a4fcd4bc7ac`.
45 |
46 | The bruteforce and md5 check might require a script, but the previous steps can be done manually. Here's a snippet of the reverse of `addXor()` function for generating possible pairs of characters in the flag:
47 | ```
48 | def findPairs(idx):
49 | pairs = []
50 | for i in range(128):
51 | j = (l[idx]-i)^21
52 | if (l[23-idx]-j)^21 == i:
53 | pairs += [[chr(i),chr(j)]]
54 | return pairs
55 | ```
56 |
57 | However I automated everything in my script and here's the flag it gave: `34C3_mo4r_schn4kes_tzzzz`
58 |
59 | Script: [solve.py](./solve.py)
60 |
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/images/edit1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/34C3 - JuniorsCTF/nohtyp/images/edit1.png
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/images/edit2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/34C3 - JuniorsCTF/nohtyp/images/edit2.png
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/images/edit3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/34C3 - JuniorsCTF/nohtyp/images/edit3.png
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/modified.py:
--------------------------------------------------------------------------------
1 |
2 | addXor=lambda x,y:x+(y^21)
3 | printResult = {False: lambda: print('Almost!!'), True: lambda: print('Correct!')}
4 |
5 | # l = reverse of the given list
6 | l = [160,155,208,160,190,215,237,134,210,126,212,222,224,238,128,240,164,213,183,192,162,178,163,162][::-1]
7 |
8 |
9 | def check(flag):
10 |
11 | if 'mo4r' in flag and '34C3_' in flag and flag.split('_')[3] == 'tzzzz':
12 | revFlag = flag[::-1]
13 | ascFlag = list(map(ord,flag))
14 | ascRevFlag = list(map(ord,flag))
15 |
16 | if [addXor(*pair) for pair in zip(ascFlag, ascRevFlag)] == l:
17 | return True
18 |
19 | return False
20 |
21 | flag = input()
22 | printResult[check(flag)]()
23 |
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/nohtyp.py:
--------------------------------------------------------------------------------
1 | ____=input;__________________=print;___________=____();_________=map;__________=ord;_______________=zip;____________________________=list;___=21;_____=lambda ______,_______:______+(_______^___);______________={not not not ___ and not not ___:lambda:__________________('\x41\x6c\x6d\x6f\x73\x74\x21\x21'),not not ___ and not not ___:lambda:__________________('\x43\x6f\x72\x72\x65\x63\x74\x21')};______________[[_____(*________) for ________ in _______________(____________________________(_________(__________,___________)),____________________________(_________(__________,___________))[::-1])][::-1]==[160,155,208,160,190,215,237,134,210,126,212,222,224,238,128,240,164,213,183,192,162,178,163,162] and 'mo4r' in ___________ and '34C3_' in ___________ and ___________.split('_')[3] == 'tzzzz']()
2 |
3 |
--------------------------------------------------------------------------------
/34C3 - JuniorsCTF/nohtyp/solve.py:
--------------------------------------------------------------------------------
1 | import hashlib
2 | import string
3 |
4 | l = [160, 155, 208, 160, 190, 215, 237, 134, 210, 126, 212, 222, 224, 238, 128, 240, 164, 213, 183, 192, 162, 178, 163, 162][::-1]
5 | #l = [162, 163, 178, 162, 192, 183, 213, 164, 240, 128, 238, 224, 222, 212, 126, 210, 134, 237, 215, 190, 160, 208, 155, 160]
6 |
7 | # returns a list of flags containing the given substr
8 | def getFlags(flag, substr):
9 | flags = []
10 | for i in range(24 - len(substr)):
11 | tmp = ""
12 | for j in range(len(substr)):
13 | tmp += chr((l[i+j]-ord(substr[j]))^21)
14 | if all(c in string.printable and c not in string.whitespace for c in tmp):
15 | tmp = tmp[::-1]
16 | tmpIdx = 23-i-len(tmp)+1
17 |
18 | newFlag = list(flag)
19 | newFlag[i:i+len(substr)] = list(substr)
20 | newFlag[tmpIdx:tmpIdx+len(substr)] = list(tmp)
21 | newFlag = ''.join(newFlag)
22 |
23 | flags += [newFlag]
24 | return flags
25 |
26 | # returns a list of possible pairs of chars at given index
27 | def findPairs(idx):
28 | pairs = []
29 | for i in range(128):
30 | j = (l[idx]-i)^21
31 | if (l[23-idx]-j)^21 == i:
32 | pairs += [[chr(i),chr(j)]]
33 | return pairs
34 |
35 | # computes the md5sum of given file
36 | def md5(fname):
37 | hash_md5 = hashlib.md5()
38 | with open(fname, "rb") as f:
39 | for chunk in iter(lambda: f.read(4096), b""):
40 | hash_md5.update(chunk)
41 | return hash_md5.hexdigest()
42 |
43 | # method to find letters at index 10, 11, 12, 13
44 | def bruteForce(flag):
45 |
46 | msg = list(flag)
47 | p1 = findPairs(10)
48 | p2 = findPairs(11)
49 |
50 | for i in p1:
51 | msg[10] = i[0]
52 | msg[13] = i[1]
53 | for j in p2:
54 | msg[11] = j[0]
55 | msg[12] = j[1]
56 | flag = ''.join(msg) + '\n'
57 | with open("tmp","w") as f:
58 | f.write(flag)
59 | if md5("tmp") == "5a76c600c2ca0f179b643a4fcd4bc7ac":
60 | print('\nFlag found: ' + flag)
61 | return True
62 |
63 | return False
64 |
65 | def main():
66 | flag = '*'*24
67 | subs = []
68 |
69 | # flag should contain '34C3_'
70 | flags1 = getFlags(flag, "34C3_")
71 | subs += ['34C3_', 'tzzzz']
72 |
73 | # discard flags not having both '34C3_' and 'tzzzz'
74 | flags1 = list(filter(lambda f: all(sub in f for sub in subs), flags1))
75 | print('flags1 = ' + str(flags1))
76 |
77 | for flag1 in flags1:
78 | # flag should contain 'm04r'
79 | flags2 = getFlags(flag1, "mo4r")
80 | subs += ['mo4r']
81 |
82 | # discard flags not having any of '34C3_', 'tzzzz' and 'mo4r'
83 | flags2 = list(filter(lambda f: all(sub in f for sub in subs), flags2))
84 | print('flags2 = ' + str(flags2))
85 |
86 | for flag2 in flags2:
87 | # flag should contain totally 3 undersores, 2 we already have
88 | flags3 = getFlags(flag2, "_")
89 |
90 | # discard flags not having any of '34C3_', 'tzzzz' and 'mo4r' and discard those not having 3 underscores
91 | flags3 = list(filter(lambda f: all(sub in f for sub in subs), flags3))
92 | flags3 = list(filter(lambda f: f.count('_') == 3, flags3))
93 | print('flags3 = ' + str(flags3))
94 | for flag3 in flags3:
95 | # bruteforce remaining characters (only 4 left at this stage)
96 | if bruteForce(flag3):
97 | return
98 |
99 | if __name__ == '__main__':
100 | main()
101 |
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/README.md:
--------------------------------------------------------------------------------
1 | # Capo Di Tutti Capi - 456 Points
2 |
3 | ### Help the FBI
4 |
5 | Server: capoditutticapi01.3dsctf.org
6 |
7 | Port: 8001
8 |
9 | ## Solution:
10 |
11 | Script: [solve.py](./solve.py)
12 |
13 | TL;DR Apply the Caesar shift on c using r and then Substitution Cipher on both c and p!
14 |
15 | As soon as you connect and type "start" you're given a tuple [c, r, t] something like this:
16 |
17 | 
18 |
19 | Hmm, the "c" looks like the set of alphabet scrambled, there's a number "r" and the "t" looks like the actual ciphertext we're supposed to decipher.
20 |
21 | Something says the "r" is probably the "rotation" that needs to be applied over the characters but let's not jump to conclusions.
22 |
23 | I wrote a script for fetching a bunch of these strings as each time it gave a different one and grouped some strings together as they looked like the encryption of the same message with different (c, r). This is what I got:
24 |
25 | 
26 |
27 | If you analyze the relation between "r" and the letters between ciphers of the same message, you'll notice it just seems to be a shift over the alphabet "c". So we're right, the "r" indeed stands for rotation!
28 |
29 | Let's make this variable 0 and shift the "c" corresponding to the shift number (apply ROT(c, -r)).
30 |
31 | 
32 |
33 | Now we're just left with the "c" and "p". I couldn't think of anything else other than simply replacing every corresponding alphabet in "c" with it's corresponding letter in the alphabet according to it's position. Let's do it and see what we get.
34 |
35 | 
36 |
37 | Voila! The message got decrypted!
38 |
39 | We're not given much time in the question to do this manually, so I wrote a script to automate it and sure enough, after Page 10/10 we're greeted with the flag:
40 |
41 | `3DS{k33p_y0Ur_fr13nDs_cl0S3_AND_y0uR_fL4Gs_cLOs3R}`
42 |
43 | Here's what the script yielded:
44 |
45 | 
46 |
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/images/demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/3DSCTF/Capo Di Tutti Capi/images/demo.png
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/images/list.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/3DSCTF/Capo Di Tutti Capi/images/list.png
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/images/list2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/3DSCTF/Capo Di Tutti Capi/images/list2.png
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/images/list3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/3DSCTF/Capo Di Tutti Capi/images/list3.png
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/images/page1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/3DSCTF/Capo Di Tutti Capi/images/page1.png
--------------------------------------------------------------------------------
/3DSCTF/Capo Di Tutti Capi/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 |
3 | import socket
4 |
5 | # The main method
6 | def main():
7 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
8 | s.connect(("capoditutticapi01.3dsctf.org", 8001)) # Connect to host
9 | data = s.recv(1024).decode("utf-8")
10 | print(data, end='')
11 | s.send(str.encode("start"))
12 | print("start")
13 |
14 | # Iterate through the Pages
15 | for _ in range(10):
16 | data = s.recv(1024).decode("utf-8")
17 | print(data, end='')
18 | data = s.recv(1024).decode("utf-8") # Get the question
19 | print(data, end='')
20 | crt = extractTuple(data) # Get the tuple [c, r, t]
21 | ptxt = substituteCipher(caesarShift(crt))[2] # Apply decryption algo
22 | print(ptxt)
23 | s.send(str.encode(ptxt)) # Send the answer
24 |
25 | data = s.recv(1024).decode("utf-8")
26 | print(data, end='')
27 | data = s.recv(1024).decode("utf-8")
28 | print(data, end='') # Print the flag
29 |
30 | # The ROT() function
31 | def caesarShift(s):
32 | a = s[0]
33 | a += a[:s[1]]
34 | a = a[s[1]:]
35 | return [a, 0, s[2]]
36 |
37 | # The Substitution function
38 | def substituteCipher(s):
39 | alpha = "abcdefghijklmnopqrstuvwxyz"
40 | for i in range(26):
41 | s[2] = s[2].replace(s[0][i], alpha[i])
42 | s[0] = s[0].replace(s[0][i], alpha[i])
43 | for i in range(26):
44 | s[2] = s[2].replace(s[0][i], s[0][i].upper())
45 | s[0] = s[0].replace(s[0][i], s[0][i].upper())
46 | return s
47 |
48 | # Extract the tuple from the data reeceived
49 | def extractTuple(text):
50 | crt = text.split("[c, r, p]: [",2)[1] # Get the tuple part
51 | crt = crt.split("]")[0].split(", ", 2) # Get the c, r, p values
52 | crt[1] = int(crt[1]) # Typecast r
53 | return crt
54 |
55 | if __name__ == "__main__":
56 | main()
57 |
--------------------------------------------------------------------------------
/CSAW Finals 2017/LuPiN/README.md:
--------------------------------------------------------------------------------
1 | # Crypto-200 LuPiN
2 |
3 | ### A post-quantum cryptosystem solvable by LayPersoNs.
4 | #### Script: [lpn_chal.py](./lpn_chal.py)
5 | #### Solution: [solve.py](./solve.py)
6 | #### The LPN Problem
7 | The question sure does look daunting at first look. And it gets scarier when you realize that LuPiN points to the Learning Parity with Noise (LPN) problem which is conjectured to be a "hard" problem and apparently doesn't even succumb to quantum algorithms! However, no worries. This challenge seems to implement a simpler, modified version of the LPN problem making it easier to crack.
8 | #### Solution
9 | So we're given the base64 of serialized matrices A, B, u and c. At first glance, we realize the encoding is done with a public key (A, B) and in order to decrypt the message, we require the secret key. So we either have to crack the secret key from the given parameters or somehow reverse the equations and get back the original message without it.
10 | If you look at the encryption method- MultiBitEnc(), two equations stand out.
11 | ```
12 | 1) u = f.T.dot(A) % 2
13 | 2) c = (f.T.dot(B) + np.array(v+[0]*(n-len(v))).T) % 2
14 | ```
15 | Equation (2) is roughly,
16 | ```
17 | 3) c = f.T.dot(B) + v
18 | ```
19 | In this equation, we know the matrices c and B. Whereas f and v are unknowns and v contains the flag. Now f can be obtained from equation (1) as we know A and u.
20 | Therefore rewriting the equations gives:
21 | ```
22 | 4) fT = u.dot(np.linalg.pinv(A)) % 2 // fT = u.dot(inv(A))
23 | 5) v = (c - fT.dot(B)) % 2
24 | ```
25 | That's it! That's all we need for cracking this question! It's just simple math!
26 | Since nc doesn't work now that the contest is over, you can run the script against lpn_chal.py and my sim_nc() method would do that for you.
27 | Now, the outputs of lpn_chal.py were printed using the repr() method and a quick Google search reveals the reverse of it is literal_eval() and deserializing would give us back the original matrices. Plugging the values into our equations (4) and (5) and unpacking v gives:
28 | #### `flag{gl4d_y0u_d1d_n0t_turn_1nt0_a_w4r3w0lf}`
29 | However, the decryption might have to be attempted multiple times (so be patient :P) probably due to excess "noise" created during encryption (Not exactly sure, would be glad to know why).
30 |
--------------------------------------------------------------------------------
/CSAW Finals 2017/LuPiN/lpn_chal.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python2
2 | import json
3 | import numpy as np
4 | import os
5 | import reedsolo
6 | import struct
7 |
8 | flag = 'flag{To get the real flag, solve the problem against the live server.}'
9 |
10 | randprob = lambda: float(struct.unpack('>i) for i in range(8)] for c in s]))
17 | pack = lambda x: (lambda t: ''.join(chr(sum(t[8*i:8*i+8])) for i in range(len(t)/8)))([(b<<(i%8)) for i,b in enumerate(x)])
18 | serialize_mat = lambda X: '%s;%s' % (','.join(str(i) for i in X.shape), pack(X.reshape((product(X.shape),))).encode('base64'))
19 | deserialize_mat = lambda s: (lambda (dims,data): np.array(unpack(data.decode('base64'))).reshape(map(int,dims.split(','))))(s.split(';'))
20 |
21 | def MultiBitKeyGen(n):
22 | t = 1.0/n
23 | S = randbitmat((n, n))
24 | A = randbitmat((2*n, n))
25 | E = ber((2*n, n), t)
26 | B = (A.dot(S) + E) % 2
27 | return {'pk': (A, B, t), 'sk': S}
28 |
29 | def MultiBitEnc((A, B, t), s):
30 | n = A.shape[1]
31 | v = unpack(s)
32 | f = ber((2*n,), t)
33 | u = f.T.dot(A) % 2
34 | c = (f.T.dot(B) + np.array(v+[0]*(n-len(v))).T) % 2
35 | return (u, c)
36 |
37 | def MultiBitDec(S, (u,c)):
38 | d = (c + S.T.dot(u)).T % 2
39 | return pack(d)
40 |
41 | def serialize_key(key):
42 | (A,B,t) = key['pk']
43 | S = key['sk']
44 | ser = {'pk': (serialize_mat(A), serialize_mat(B), t), 'sk': serialize_mat(S)}
45 | return json.dumps(ser)
46 |
47 | def get_values(m):
48 | rs_bytes = 20
49 | codec = reedsolo.RSCodec(rs_bytes)
50 | try:
51 | with open("lpn.key", "r") as f:
52 | key = json.loads(f.read())
53 | key['pk'][0] = deserialize_mat(key['pk'][0])
54 | key['pk'][1] = deserialize_mat(key['pk'][1])
55 | key['sk'] = deserialize_mat(key['sk'])
56 | except IOError as e:
57 | assert e.strerror == 'No such file or directory'
58 | key = MultiBitKeyGen(800)
59 | with open("lpn.key", "w") as f:
60 | f.write(serialize_key(key))
61 | #print key
62 | ctxt = MultiBitEnc(key['pk'], bytes(codec.encode(m)))
63 | #print ctxt
64 | ptxt = codec.decode(bytearray(MultiBitDec(key['sk'], ctxt)))
65 | #print ptxt
66 | return (key, ctxt, ptxt)
67 |
68 | if __name__ == '__main__':
69 | #assert get_values("A"*20)[2][:20] == "A"*20
70 | key, ctxt, ptxt = get_values(flag)
71 | print("A: %r\nB: %r\nu: %r\nc: %r" % tuple(map(serialize_mat, (key['pk'][0], key['pk'][1], ctxt[0], ctxt[1]))))
72 |
--------------------------------------------------------------------------------
/CSAW Finals 2017/LuPiN/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python2
2 | import numpy as np
3 | import socket
4 | from ast import literal_eval
5 |
6 | # Taken as it is from lpn_chal.py
7 | unpack = lambda s: list(__import__('itertools').chain(*[[1&(ord(c)>>i) for i in range(8)] for c in s]))
8 | pack = lambda x: (lambda t: ''.join(chr(sum(t[8*i:8*i+8])) for i in range(len(t)/8)))([(b<<(i%8)) for i,b in enumerate(x)])
9 | deserialize_mat = lambda s: (lambda (dims,data): np.array(unpack(data.decode('base64'))).reshape(map(int,dims.split(','))))(s.split(';'))
10 |
11 | # The actual decryption method ;)
12 | def crackTheCipher(A, B, u, c):
13 | fT = u.dot(np.linalg.pinv(A)) % 2
14 | v = np.int_(c - fT.dot(B)) % 2
15 | flag = pack(v)
16 | return flag
17 |
18 | # To get the data from the live server and write to a file
19 | def nc():
20 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
21 | s.connect(("crypto.chal.csaw.io", 1922))
22 | f = open("lpnData","w")
23 | while 1:
24 | data = s.recv(1024)
25 | if data == "":
26 | break
27 | f.write(data)
28 | f.close()
29 |
30 | # To get the data from local lpn_chal.py instead of the live server
31 | def sim_nc():
32 | import subprocess
33 | with open("lpnData", "w+") as output:
34 | subprocess.call(["python", "./lpn_chal.py"], stdout=output);
35 |
36 | # Reads the variables from the file
37 | def readFile():
38 | f = open("lpnData", "r")
39 | As = literal_eval(f.readline()[3:])
40 | Bs = literal_eval(f.readline()[3:])
41 | us = literal_eval(f.readline()[3:])
42 | cs = literal_eval(f.readline()[3:])
43 | f.close()
44 | return As, Bs, us, cs
45 |
46 | if __name__ == '__main__':
47 | print("Decrypting...")
48 | while True:
49 | #nc()
50 | sim_nc()
51 | As, Bs, us, cs = readFile()
52 |
53 | As = deserialize_mat(As)
54 | Bs = deserialize_mat(Bs)
55 | us = deserialize_mat(us)
56 | cs = deserialize_mat(cs)
57 |
58 | flag = crackTheCipher(As, Bs, us, cs)
59 |
60 | if(flag.startswith("flag{")):
61 | print("Success!\n\n" + flag.split("}")[0] + "}\n")
62 | break
63 | else:
64 | print("Attempting decryption again...")
65 |
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/README.md:
--------------------------------------------------------------------------------
1 | # Disastrous Security Apparatus - 400pts
2 |
3 | Here's the challenge task from the crypto category:
4 |
5 | 
6 |
7 |
8 | Good Luck, k?
9 |
10 | Author: Paul Kehrer, Trail of Bits.
11 |
12 | [http://crypto.chal.csaw.io:1000](http://crypto.chal.csaw.io:1000)
13 |
14 | Update: Please message us (@tnek or @ghost) on IRC if you have a solver for this challenge that works locally but doesn't work remotely.
15 |
16 | Files: [main.py](./main.py)
17 |
18 |
19 |
20 | ## The Overview
21 |
22 | The title of the challenge hints us that this question is about DSA or Digital Signature Algorithm.
23 | DSA is a public-key cryptosystem where the messages are signed by the signer's private key (`x`) and the signatures are verified by the signer's corresponding public key (`y`).
24 | Downloading the given source code, we realize it is a simple Flask application with 7 routes defined:
25 |
26 | - `/`
27 |
28 | The index page greeting us
29 |
30 | - `/public_key`
31 |
32 | Displays the DSA public key of the server listing `p`, `q`, `g` and `y`
33 |
34 | - `/challenge`
35 |
36 | Displays the Fernet encrypted ciphertext of the word `challenged!`
37 |
38 | - `/sign/`
39 |
40 | Signs the given `data` with the private key on the server using the SHA1 hashing algorithm
41 |
42 | - `/capture`
43 |
44 | This endpoint only accepts POST requests with `challenge` and `signature` as inputs. It first Fernet decrypts the ciphertext given in `challenge` and then verifies its signature against the given one using SHA256 hashing algorithm.
45 |
46 | If there's no error in the above steps, the flag is displayed to us!
47 |
48 | - `/forgotpass`
49 |
50 | Displays a url with a random 64-bit number at the end
51 |
52 | - `/resetpass/`
53 |
54 | Hasn't been implemented yet
55 |
56 | It's clear that we'll get the flag only if we can produce a valid signature of any data signed using SHA-2. Unfortunately we only know the signature signed using SHA-1 obtained via `/challenge`. We somehow need to forge a valid signature and get the flag.
57 |
58 | I immediately downloaded the code and set up a local server for faster responses and easy debugging. I went through the code once and noticed some endpoints were unnecessary like `/`, `/resetpass`, and `/forgotpass` because there was no `login` system right, why do we need these features? To simplify the challenge, I removed these but put them at the back of my head (which turns out to be useful later!).
59 |
60 | My friend and I tried doing the math to somehow manipulate the equations used for signing and verifying and create a fake signature but it basically boiled down to bruteforcing the private key `x` which isn't feasible. I went to the Wikipedia page for [Digital Signature Algorithm](https://en.wikipedia.org/wiki/Digital_Signature_Algorithm) and read that the random value `k` used in generating the signature is very critical to the signing algorithm.
61 |
62 | Apparently the ECDSA private key used by Sony to sign software for the PlayStation 3 game console was easily recovered because they didn't use a new random key for each signature.
63 |
64 | Cool! So maybe there's a way to predict the value of `k` during signing. The challenge uses python's random module to generate random numbers and visiting the docs of the module, I notice a warning:
65 |
66 | 
67 |
68 | That means the random module is breakable! Searching around for a bit, I realize the PRNG is based on [`Mersenne Twister`](https://en.wikipedia.org/wiki/Mersenne_Twister) which is a general-purpose PRNG and not exactly cryptographically secure. Then I come across this very useful repo on GitHub: [https://github.com/tna0y/Python-random-module-cracker](https://github.com/tna0y/Python-random-module-cracker).
69 |
70 | It basically takes 612 32-bit random numbers and predicts the internal state matrix of the PRNG and outputs the most probable random numbers that might generate next. Ohh! So this is where the `/forgotpass` will be useful! The random value at the end of the resetpass link can be given as input to this script to predict the value of `k`!
71 |
72 | ## The Solution
73 |
74 | **Script: [solve.py](solve.py)**
75 |
76 | I cloned the repo, imported it into my script and coded up a scraper that feeds the random numbers from `/forgotpass` to the Cracker. But there was a slight problem. The Cracker is for 32-bit random numbers and the challenge deals only with 64-bit numbers. My friend and I searched for a bit and switched the Mersenne Twister coeffecients in `RandCrack` with their 64-bit counterparts but it didn't seem to work. Then I had the following hunch: *What if there's a relation between 2 consecutive 32-bit numbers and 1 64-bit number generated from the same seed?* I put this theory to test:
77 |
78 | ```py
79 | >>> import random
80 | >>> import time
81 | >>> seed = time.time()
82 | >>> random.seed(seed)
83 | >>> r1 = random.getrandbits(32)
84 | >>> r2 = random.getrandbits(32)
85 | >>> random.seed(seed)
86 | >>> n = random.getrandbits(64)
87 | >>> n == (r1 << 32) + r2
88 | False
89 | >>> n == (r2 << 32) + r1
90 | True
91 | ```
92 |
93 | The second statement returned `True`! Great! So they are indeed related via bit-shift and addition! Now we can continue working on the Cracker and use this relation wherever needed. Here's the function which feeds the random numbers to the cracker and predicts `k`. It takes the an object of `RandCrack` and the Fernet ciphertext returned by `/challenge`:
94 |
95 | ```py
96 | def get_numbers(cracker, data):
97 | l = [requests.get(base+'/forgotpass').text for _ in range(312)]
98 | d = eval(requests.get(base+'/sign/'+data).text)
99 | r, s = d['r'], d['s']
100 | pk = eval(requests.get(base+'/public_key').text)
101 |
102 | for i in range(312):
103 | n = l[i].split('/')[-1]
104 | n = binascii.unhexlify(n)
105 | n = struct.unpack('>Q', n)[0]
106 | r1 = n & (0xffffffff)
107 | r2 = (n & (0xffffffff00000000)) >> 32
108 | assert (n == ((r2 << 32) + r1))
109 | cracker.submit(r1)
110 | cracker.submit(r2)
111 | k = cracker.predict_randrange(2, pk['q'])
112 | return pk, r, s, k
113 | ```
114 |
115 | It returns the `public_key`, `r`, `s` and *hopefully* the correctly predicted `k`. Now we can do some math and get the private key `x` from this data. We know that:
116 | ```
117 | s = kinv * (h + r * x) % q
118 | s * k = (h + r * x) % q
119 | (s * k) % q = (h + r * x) % q
120 | (s * k - h) % q = (r * x) % q
121 | ((s * k - h) * rinv) % q = x % q
122 | ```
123 | Hence,
124 | ```
125 | x = ((s * k - h) * rinv) % q
126 | ```
127 |
128 | Here `kinv` and `rinv` are the modular inverses of `k` and `r` respectively wrt. `q`. We can verify this value of `x` by checking if `y == g ** x % q` or `y == pow(g, x, q)`. If it returns `True` then we've successfully extracted the private key and can now forge a valid signature for any data using any hash.
129 |
130 | Let's use the same `r` and same `data` (the Fernet ciphertext) but let's sign it using SHA-256. We get the new value of `s` as:
131 |
132 | `forge_s = kinv * (h2 + r * x) % q`
133 |
134 | Here `h2` is the SHA-256 sum of `data` interpreted as an integer.
135 | We can use the `encode_dss_signature()` function to encode `(r, forge_s)` into a signature and `POST` this value along with the `data` containing the corresponding Fernet ciphertext to the `/capture` endpoint and get the flag!
136 |
137 | **`flag{NowyourereadytocrackthePS3YeahSonydidthiswithECDSA}`**
138 |
139 | P.S.
140 | - You can set-up the challenge on your `localhost` by generating your own DSA-key or by simply copying this [ctf.key](https://github.com/osirislab/CSAW-CTF-2018-Finals/blob/master/crypto/distastrous_security_apparatus/ctf.key) to your directory, setting the `CSAW_FLAG` environment variable and running [main.py](main.py)
141 | - During the challenge, the solution worked on localhost but not remotely so when I contacted the admin as the Update suggested, they gave me a different url on which the script worked perfectly and we got the flag.
142 |
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/cracker.py:
--------------------------------------------------------------------------------
1 |
2 | class RandCrack:
3 |
4 | def __init__(self):
5 | self.counter = 0
6 | self.mt = []
7 | self.state = False
8 |
9 | def submit(self, num):
10 | if self.state:
11 | print("Already got enough bits")
12 | return
13 | bits = self._to_bitarray(num)
14 |
15 | assert(all([x == 0 or x == 1 for x in bits]))
16 | self.counter +=1
17 | self.mt.append(self._harden_inverse(bits))
18 | if self.counter == 624:
19 | self._regen()
20 | self.state = True
21 |
22 | def _predict_32(self):
23 | if not self.state:
24 | print("Didn't recieve enough bits to predict")
25 | return 0
26 | if self.counter >= 624:
27 | self._regen()
28 | self.counter += 1
29 |
30 | return self._harden(self.mt[self.counter-1])
31 |
32 | def predict_getrandbits(self,k):
33 | if not self.state:
34 | print("Didn't recieve enough bits to predict")
35 | return 0
36 | if k == 0:
37 | return 0
38 | words = (k-1) // 32 + 1
39 | res = []
40 | for i in range(words):
41 | r = self._predict_32()
42 | if k < 32:
43 | r = [0]*(32-k) +r[:k]
44 | res = r + res
45 | k -= 32
46 | return self._to_int(res)
47 |
48 | def predict_randbelow(self, n):
49 | k = n.bit_length()
50 | r = self.predict_getrandbits(k)
51 | while r >= n:
52 | r = self.predict_getrandbits(k)
53 | return r
54 |
55 | def predict_randrange(self, start, stop=None, step=1, _int=int):
56 | # Adopted messy code from random.py module
57 | # In fact only changed _randbelow() method calls to predict_randbelow()
58 | istart = _int(start)
59 | if istart != start:
60 | raise ValueError("non-integer arg 1 for randrange()")
61 | if stop is None:
62 | if istart > 0:
63 | return self.predict_randbelow(istart)
64 | raise ValueError("empty range for randrange()")
65 |
66 | # stop argument supplied.
67 | istop = _int(stop)
68 | if istop != stop:
69 | raise ValueError("non-integer stop for randrange()")
70 | width = istop - istart
71 | if step == 1 and width > 0:
72 | return istart + self.predict_randbelow(width)
73 | if step == 1:
74 | raise ValueError("empty range for randrange() (%d,%d, %d)" % (istart, istop, width))
75 |
76 | # Non-unit step argument supplied.
77 | istep = _int(step)
78 | if istep != step:
79 | raise ValueError("non-integer step for randrange()")
80 | if istep > 0:
81 | n = (width + istep - 1) // istep
82 | elif istep < 0:
83 | n = (width + istep + 1) // istep
84 | else:
85 | raise ValueError("zero step for randrange()")
86 |
87 | if n <= 0:
88 | raise ValueError("empty range for randrange()")
89 |
90 | return istart + istep*self.predict_randbelow(n)
91 |
92 | def predict_randint(self, a,b):
93 | return self.predict_randrange(a, b+1)
94 |
95 | def predict_choice(self, seq):
96 | try:
97 | i = self.predict_randbelow(len(seq))
98 | except ValueError:
99 | raise IndexError('Cannot choose from an empty sequence')
100 | return seq[i]
101 |
102 | def _to_bitarray(self, num):
103 | k = [int(x) for x in bin(num)[2:]]
104 | return [0] * (32-len(k)) + k
105 |
106 | def _to_int(self, bits ):
107 | return int("".join(str(i) for i in bits), 2)
108 |
109 | def _or_nums(self, a, b):
110 | if len(a) < 32:
111 | a = [0]* (32-len(a))+a
112 | if len(b) < 32:
113 | b = [0]* (32-len(b))+b
114 |
115 | return [x[0] | x[1] for x in zip(a, b)]
116 |
117 | def _xor_nums(self, a, b):
118 | if len(a) < 32:
119 | a = [0]* (32-len(a))+a
120 | if len(b) < 32:
121 | b = [0]* (32-len(b))+b
122 |
123 | return [x[0] ^ x[1] for x in zip(a, b)]
124 |
125 | def _and_nums(self, a, b):
126 | if len(a) < 32:
127 | a = [0]* (32-len(a))+a
128 | if len(b) < 32:
129 | b = [0]* (32-len(b))+b
130 |
131 | return [x[0] & x[1] for x in zip(a, b)]
132 |
133 |
134 |
135 |
136 | def _decode_harden_midop(self, enc, and_arr, shift):
137 |
138 | NEW = 0
139 | XOR = 1
140 | OK = 2
141 | work = []
142 | for i in range(32):
143 | work.append((NEW,enc[i]))
144 | changed = True
145 | while changed:
146 | changed = False
147 | for i in range(32):
148 | status = work[i][0]
149 | data = work[i][1]
150 | if i >= 32-shift and status == NEW:
151 | work[i] = (OK,data)
152 | changed = True
153 | elif i < 32-shift and status == NEW:
154 | if and_arr[i] == 0:
155 | work[i] = (OK, data)
156 | changed = True
157 | else:
158 | work[i] = (XOR, data)
159 | changed = True
160 | elif status == XOR:
161 | i_other = i+shift
162 | if work[i_other][0] == OK:
163 | work[i] = (OK, data ^ work[i_other][1])
164 | changed = True
165 |
166 | return [x[1] for x in work]
167 |
168 |
169 | def _harden(self, bits):
170 | bits = self._xor_nums(bits, bits[:-11])
171 | bits = self._xor_nums(bits, self._and_nums(bits[7:] + [0] * 7 , self._to_bitarray(0x9d2c5680)))
172 | bits = self._xor_nums(bits, self._and_nums(bits[15:] + [0] * 15 , self._to_bitarray(0xefc60000)))
173 | bits = self._xor_nums(bits, bits[:-18])
174 | return bits
175 |
176 | def _harden_inverse(self, bits):
177 | # inverse for: bits = _xor_nums(bits, bits[:-11])
178 | bits = self._xor_nums(bits, bits[:-18])
179 | # inverse for: bits = _xor_nums(bits, _and_nums(bits[15:] + [0] * 15 , _to_bitarray(0xefc60000)))
180 | bits = self._decode_harden_midop(bits, self._to_bitarray(0xefc60000), 15)
181 | # inverse for: bits = _xor_nums(bits, _and_nums(bits[7:] + [0] * 7 , _to_bitarray(0x9d2c5680)))
182 | bits = self._decode_harden_midop(bits, self._to_bitarray(0x9d2c5680), 7)
183 | # inverse for: bits = _xor_nums(bits, bits[:-11])
184 | bits = self._xor_nums(bits, [0] * 11 + bits[:11]+[0] * 10)
185 | bits = self._xor_nums(bits, bits[11:21])
186 |
187 | return bits
188 |
189 |
190 | def _regen(self):
191 | # C code translated from python sources
192 | N = 624
193 | M = 397
194 | MATRIX_A = 0x9908b0df
195 | LOWER_MASK = 0x7fffffff
196 | UPPER_MASK = 0x80000000
197 | mag01 = [self._to_bitarray(0), self._to_bitarray(MATRIX_A)]
198 |
199 | l_bits = self._to_bitarray(LOWER_MASK)
200 | u_bits = self._to_bitarray(UPPER_MASK)
201 |
202 | for kk in range(0,N-M):
203 | y = self._or_nums(self._and_nums( self.mt[kk], u_bits), self._and_nums(self.mt[kk+1],l_bits))
204 | self.mt[kk] = self._xor_nums(self._xor_nums( self.mt[kk+M] , y[:-1]) , mag01[y[-1] & 1])
205 |
206 | for kk in range(N-M-1, N-1):
207 | y = self._or_nums(self._and_nums( self.mt[kk], u_bits), self._and_nums(self.mt[kk+1],l_bits))
208 | self.mt[kk] = self._xor_nums(self._xor_nums( self.mt[kk+(M-N)] , y[:-1]) , mag01[y[-1] & 1])
209 |
210 | y = self._or_nums(self._and_nums( self.mt[N-1], u_bits), self._and_nums(self.mt[0],l_bits))
211 | self.mt[N-1] = self._xor_nums(self._xor_nums( self.mt[M-1] , y[:-1]) , mag01[y[-1] & 1])
212 |
213 | self.counter = 0
214 |
215 |
216 | if __name__ == "__main__":
217 | import random, time
218 |
219 | print("Testing random module cracker...")
220 |
221 | cracker = RandCrack()
222 |
223 | random.seed(time.time())
224 |
225 | for i in range(624):
226 | cracker.submit(random.randint(0,4294967294))
227 |
228 | print("Guessing next 32000 random bits success rate: {}%"
229 | .format(sum([random.getrandbits(32)==cracker.predict_getrandbits(32) for x in range(1000)])/10))
230 |
231 |
232 |
233 |
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/images/challenge.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/CSAW Finals 2018/Disastrous Security Apparatus/images/challenge.png
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/images/warning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/CSAW Finals 2018/Disastrous Security Apparatus/images/warning.png
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/main.py:
--------------------------------------------------------------------------------
1 | import binascii
2 | import hashlib
3 | import json
4 | import os
5 | import random
6 | import struct
7 |
8 | from cryptography.exceptions import InvalidSignature
9 | from cryptography.fernet import Fernet, InvalidToken
10 | from cryptography.hazmat.backends import default_backend
11 | from cryptography.hazmat.primitives import hashes
12 | from cryptography.hazmat.primitives.asymmetric.rsa import _modinv
13 | from cryptography.hazmat.primitives.serialization import load_pem_private_key
14 |
15 | from flask import Flask, abort, request
16 |
17 |
18 | app = Flask(__name__)
19 |
20 |
21 | with open("ctf.key", "rb") as f:
22 | pem_data = f.read()
23 |
24 | ctf_key = load_pem_private_key(
25 | pem_data, password=None, backend=default_backend()
26 | )
27 |
28 | CSAW_FLAG = os.getenv("CSAW_FLAG")
29 | FERNET = Fernet(Fernet.generate_key())
30 |
31 |
32 | @app.route("/capture", methods=["POST"])
33 | def capture():
34 | sig = binascii.unhexlify(request.form["signature"])
35 | challenge = request.form["challenge"].encode("ascii")
36 | try:
37 | FERNET.decrypt(challenge)
38 | except InvalidToken:
39 | abort(400)
40 | try:
41 | ctf_key.public_key().verify(sig, challenge, hashes.SHA256())
42 | return "flag{%s}" % CSAW_FLAG
43 | except InvalidSignature:
44 | abort(400)
45 |
46 |
47 | @app.route("/challenge")
48 | def challenge():
49 | return FERNET.encrypt(b"challenged!")
50 |
51 |
52 | @app.route("/sign/")
53 | def signer(data):
54 | r, s = sign(ctf_key, data)
55 | return json.dumps({"r": r, "s": s})
56 |
57 |
58 | @app.route("/forgotpass")
59 | def returnrand():
60 | # Generate a random value for the reset URL so it isn't guessable
61 | random_value = binascii.hexlify(struct.pack(">Q", random.getrandbits(64)))
62 | return "https://innitech.local/resetpass/{}".format(
63 | random_value.decode("ascii")
64 | )
65 |
66 |
67 | @app.route("/resetpass/")
68 | def resetpass(key):
69 | # TODO: Implement this later. Innitech doesn"t utilize users in this system
70 | # right now anyway.
71 | return "", 500
72 |
73 |
74 | @app.route("/public_key")
75 | def public_key():
76 | pn = ctf_key.private_numbers()
77 | return json.dumps({
78 | "g": pn.public_numbers.parameter_numbers.g,
79 | "q": pn.public_numbers.parameter_numbers.q,
80 | "p": pn.public_numbers.parameter_numbers.p,
81 | "y": pn.public_numbers.y
82 | })
83 |
84 |
85 | @app.route("/")
86 | def main():
87 | return "Welcome to Innitech. Good luck!"
88 |
89 |
90 | def sign(ctf_key, data):
91 | data = data.encode("ascii")
92 | pn = ctf_key.private_numbers()
93 | g = pn.public_numbers.parameter_numbers.g
94 | q = pn.public_numbers.parameter_numbers.q
95 | p = pn.public_numbers.parameter_numbers.p
96 | x = pn.x
97 | k = random.randrange(2, q)
98 | kinv = _modinv(k, q)
99 | r = pow(g, k, p) % q
100 | h = hashlib.sha1(data).digest()
101 | h = int.from_bytes(h, "big")
102 | s = kinv * (h + r * x) % q
103 | return (r, s)
104 |
105 |
106 | if __name__ == "__main__":
107 | app.run(host="0.0.0.0")
108 |
--------------------------------------------------------------------------------
/CSAW Finals 2018/Disastrous Security Apparatus/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | from cryptography.hazmat.primitives.asymmetric.rsa import _modinv
3 | from cryptography.hazmat.primitives import hashes
4 | from cryptography.hazmat.primitives.serialization import load_pem_private_key
5 | from cryptography.hazmat.backends import default_backend
6 | from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
7 | from cracker import RandCrack
8 |
9 | import binascii
10 | import struct
11 | import requests
12 | import hashlib
13 | import sys
14 |
15 | base = 'http://localhost:5000'
16 |
17 | def get_numbers(cracker, data):
18 | l = []
19 | for _ in range(312):
20 | sys.stdout.write('{}/312\r'.format(_))
21 | l.append(requests.get(base+'/forgotpass').text)
22 |
23 | d = eval(requests.get(base+'/sign/'+data).text)
24 | r, s = d['r'], d['s']
25 | pk = eval(requests.get(base+'/public_key').text)
26 |
27 | for i in range(312):
28 | n = l[i].split('/')[-1]
29 | n = binascii.unhexlify(n)
30 | n = struct.unpack('>Q', n)[0]
31 | r1 = n & (0xffffffff)
32 | r2 = (n & (0xffffffff00000000)) >> 32
33 | assert (n == ((r2 << 32) + r1))
34 | cracker.submit(r1)
35 | cracker.submit(r2)
36 | k = cracker.predict_randrange(2, pk['q'])
37 | return pk, r, s, k
38 |
39 | def forge(data, pk, r, s, k):
40 | p, q, g, y = pk['p'], pk['q'], pk['g'], pk['y']
41 | h1 = int(hashlib.sha1(data.encode()).hexdigest(), 16)
42 | h2 = int(hashlib.sha256(data.encode()).hexdigest(), 16)
43 | kinv = _modinv(k, q)
44 |
45 | x = ((s*k - h1) * _modinv(r, q)) % q
46 | assert y == pow(g,x,p), 'Error extracting private key'
47 |
48 | forge_s = kinv * (h2 + r * x) % q
49 | signature = encode_dss_signature(r, forge_s).hex()
50 | return signature, data
51 |
52 | def capture(signature, challenge):
53 | d = {
54 | 'signature': signature,
55 | 'challenge': challenge
56 | }
57 | return requests.post(base+'/capture', d).text
58 |
59 | def solve():
60 | cracker = RandCrack()
61 | data = requests.get(base+'/challenge').text
62 |
63 | print('Cracking k...')
64 | pk, r, s, k = get_numbers(cracker, data)
65 |
66 | print('Forging signature...')
67 | signature, challenge = forge(data, pk, r, s, k)
68 |
69 | print('Capturing the flag...')
70 | flag = capture(signature, challenge)
71 | print(flag)
72 |
73 | if __name__ == '__main__':
74 | solve()
75 |
--------------------------------------------------------------------------------
/CSAW Quals 2018/Algebra/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | # Algebra - 200
4 |
5 | ### Are you a real math wiz?
6 |
7 | nc misc.chal.csaw.io 9002
8 |
9 | ## Solution:
10 |
11 | Script: [algebra.py](./algebra.py)
12 |
--------------------------------------------------------------------------------
/CSAW Quals 2018/Algebra/algebra.py:
--------------------------------------------------------------------------------
1 | import sympy
2 | from sympy.solvers import solve
3 | from pwn import remote
4 |
5 | def find(a):
6 | X = sympy.Symbol('X')
7 | left, right = a.split('=')
8 | eqn = left + '-(' + right + ')'
9 | try:
10 | sol = solve(eval(eqn), X)[0]
11 | except:
12 | sol = 0
13 | return str(eval(str(sol)))
14 |
15 | def recv(sh):
16 | return sh.recvline().decode('ascii')[:-1]
17 |
18 | def main():
19 | sh = remote('misc.chal.csaw.io', 9002)
20 | print(recv(sh)); print(recv(sh)); print(recv(sh)); print(recv(sh)); print(recv(sh)); print(recv(sh))
21 | i = 0
22 | while True:
23 | i += 1
24 | print(recv(sh))
25 | data = recv(sh)
26 | print(sh.recv().decode('ascii'))
27 | print(data)
28 | if 'flag' in data:
29 | break
30 | r = find(data)
31 | print(r)
32 | sh.sendline(r)
33 | print('Solved: ' + str(i))
34 |
35 | if __name__ == '__main__':
36 | main()
--------------------------------------------------------------------------------
/CSAW Quals 2018/Take an L/README.md:
--------------------------------------------------------------------------------
1 | # Take an L - 200
2 |
3 | ### Fill the grid with L's but avoid the marked spot for the W
4 |
5 |
6 | nc misc.chal.csaw.io 9000
7 |
8 | The origin is at (0,0) on the top left
9 |
10 |
11 | [description.pdf](./description.pdf)
12 |
13 | ## Solution
14 |
15 | Script: [tiling.py](./tiling.py)
16 |
--------------------------------------------------------------------------------
/CSAW Quals 2018/Take an L/description.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/CSAW Quals 2018/Take an L/description.pdf
--------------------------------------------------------------------------------
/CSAW Quals 2018/Take an L/tiling.py:
--------------------------------------------------------------------------------
1 |
2 | from pwn import remote
3 |
4 | sol = ''
5 |
6 | def get_quad(n,o,p):
7 | if p[0]-o[0] < n/2 and p[1]-o[1] < n/2:
8 | return 1
9 | if p[0]-o[0] < n/2 and p[1]-o[1] >= n/2:
10 | return 2
11 | if p[0]-o[0] >= n/2 and p[1]-o[1] < n/2:
12 | return 3
13 | if p[0]-o[0] >= n/2 and p[1]-o[1] >= n/2:
14 | return 4
15 |
16 | def fill_tiles(n, o, p):
17 | assert (p[0]-o[0] < n and p[1]-o[1] < n)
18 | global sol
19 | if n == 2:
20 | blocks = [
21 | (o[0], o[1]),
22 | (o[0]+1, o[1]),
23 | (o[0], o[1]+1),
24 | (o[0]+1, o[1]+1)
25 | ]
26 | l = []
27 | for block in blocks:
28 | if not block == p:
29 | l.append(block)
30 | sol += '({},{}), ({},{}), ({},{})\n'.format(l[0][0],l[0][1], l[1][0],l[1][1], l[2][0],l[2][1])
31 | return
32 |
33 | quad = get_quad(n,o,p)
34 | o1 = o
35 | o2 = (o[0],o[1]+n/2)
36 | o3 = (o[0]+n/2,o[1])
37 | o4 = (o[0]+n/2,o[1]+n/2)
38 |
39 | p1 = (o[0]+n/2-1, o[1]+n/2-1)
40 | p2 = (o[0]+n/2-1, o[1]+n/2)
41 | p3 = (o[0]+n/2, o[1]+n/2-1)
42 | p4 = (o[0]+n/2, o[1]+n/2)
43 |
44 | if quad == 1:
45 | sol += '({},{}), ({},{}), ({},{})\n'.format(p2[0],p2[1], p3[0],p3[1], p4[0],p4[1])
46 | fill_tiles(n/2, o1, p)
47 | fill_tiles(n/2, o2, p2)
48 | fill_tiles(n/2, o3, p3)
49 | fill_tiles(n/2, o4, p4)
50 | elif quad == 2:
51 | sol += '({},{}), ({},{}), ({},{})\n'.format(p1[0],p1[1], p3[0],p3[1], p4[0],p4[1])
52 | fill_tiles(n/2, o1, p1)
53 | fill_tiles(n/2, o2, p)
54 | fill_tiles(n/2, o3, p3)
55 | fill_tiles(n/2, o4, p4)
56 | elif quad == 3:
57 | sol += '({},{}), ({},{}), ({},{})\n'.format(p1[0],p1[1], p2[0],p2[1], p4[0],p4[1])
58 | fill_tiles(n/2, o1, p1)
59 | fill_tiles(n/2, o2, p2)
60 | fill_tiles(n/2, o3, p)
61 | fill_tiles(n/2, o4, p4)
62 | elif quad == 4:
63 | sol += '({},{}), ({},{}), ({},{})\n'.format(p1[0],p1[1] ,p2[0],p2[1], p3[0],p3[1])
64 | fill_tiles(n/2, o1, p1)
65 | fill_tiles(n/2, o2, p2)
66 | fill_tiles(n/2, o3, p3)
67 | fill_tiles(n/2, o4, p)
68 |
69 |
70 | sh = remote('misc.chal.csaw.io', 9000)
71 | print(sh.recvuntil('dimensions '))
72 | n = int(sh.recvline().split('x')[0])
73 | print(sh.recvuntil(': '))
74 | p = eval(sh.recvline())
75 |
76 | sol = ''
77 | fill_tiles(n, (0,0), p)
78 | for tile in sol.split('\n')[:-1]:
79 | print(tile)
80 | sh.sendline(tile)
81 | print(sh.recv())
82 |
83 |
--------------------------------------------------------------------------------
/DCTF/Get Admin/README.md:
--------------------------------------------------------------------------------
1 | # Get Admin - 220
2 |
3 |
4 | This is a very unexpected gig for me. However, I'm busy with other projects so can you please give me a hand to test this. For free, of course. :-)
5 |
6 | Files: [https://dctf.def.camp/dctf-18-quals-81249812/get-admin.zip](https://dctf.def.camp/dctf-18-quals-81249812/get-admin.zip)
7 |
8 | Target: [https://admin.dctfq18.def.camp/](https://admin.dctfq18.def.camp/)
9 |
10 |
11 | ## Solution
12 |
13 | ### Overview
14 | The website is pretty basic, it lets you register an account with your name, password, email and lets you login. If your `id` is `1` (i.e. if you are `admin`), it prints the flag else says `Try Harder` (for all other users). There's an option to update your profile if needed and an option to logout.
15 |
16 | When we login to the website, it sets a cookie in our browser which is `AES-128-CBC` encrypted and contains our `id` (automatically set at the time of registration), `username`and `email` along with the `CRC-32 checksum`. Along with this encrypted data, it contains a `length` in the end which gives the length of the decrypted plaintext cookie. Odd. This was an unnecessary piece of information for this encryption/decryption scheme. We'll see later how this was used to exploit the decryption.
17 |
18 | ### Encryption of the Cookie
19 | Let's get to specifics. As soon as we login, the following cookie is set in `index.php`:
20 | ```php
21 | setcookie('user',encryptCookie([
22 | 'id' => $userid,
23 | 'username' => $_POST['username'],
24 | 'email' => $row['email'],
25 | ]), time()+60*60*24*30);
26 | ```
27 |
28 | Here's `encryptCookie()` function from `config.php` along with its helper functions:
29 | ```php
30 | function encryptCookie($arr) {
31 | $cookie = compress($arr);
32 | $arr['checksum'] = crc32($cookie);
33 | return encrypt(compress($arr), AES_KEY, AES_IV);
34 | }
35 |
36 | function compress($arr) {
37 | return implode('÷', array_map(function ($v, $k) { return $k.'¡'.$v; }, $arr, array_keys($arr) ));
38 | }
39 |
40 | function encrypt($plaintext, $key, $iv) {
41 | $length = strlen($plaintext);
42 | $ciphertext = openssl_encrypt($plaintext, 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
43 | return base64_encode($ciphertext) . sprintf('%06d', $length);
44 | }
45 | ```
46 |
47 | `compress()` simply serializes the array into a string where key-value pairs are separated by a `÷` and inserts `¡` between each key and value. For example if `id = 1337, username = testac, email = fake@mail.com` then `compress()` returns `id¡1337÷username¡testac÷email¡fake@mail.com`.
48 |
49 | `encryptCookie()` takes `id`, `username` and `email` as inputs, calculates the `CRC-32` checksum of the serialized cookie, appends it to the cookie again. Now we get: `id¡1337÷username¡testac÷email¡fake@mail.com÷checksum¡2160329226`
50 |
51 | This string is then encrypted with `AES-128-CBC` and the length of the above string `70` (`¡` and `÷` are counted as length `2` each) padded with `0s` is appended to the resulting `base64` string. So this is our final cookie:
52 | `Rx5R751nNLFTDmwdj248byPKYFCReDmb8cTlK8m53X3TLG5WpUwYv+8zN0Ur2YVZ0q7giK51kNvFRjr36elyKiunyw6aPYR1BAE9dF6+7KU=000070`
53 |
54 | ### Decryption of the Cookie
55 |
56 | In `index.php`, if the cookie is already set but `_SESSION['userid']` is not, it tries to decrypt the cookie and if the `id` in it is greater than `0`, sets the `_SESSION['userid']` variable and redirects us to `admin.php`. Here's `decryptCookie()` and its helper function from `config.php`:
57 | ```php
58 | function decryptCookie($cypher) {
59 | return decompress(decrypt($cypher, AES_KEY, AES_IV));
60 | }
61 |
62 | function decrypt($ciphertext, $key, $iv) {
63 | $length = intval(substr($ciphertext, -6, 6));
64 | $ciphertext = substr($ciphertext, 0,-6);
65 | $output = openssl_decrypt(base64_decode($ciphertext), 'AES-128-CBC', $key, OPENSSL_RAW_DATA, $iv);
66 | if($output == FALSE) {
67 | echo('Decryption error (0).');
68 | die();
69 | }
70 | return substr($output, 0, $length);
71 | }
72 | ```
73 |
74 | `decryptCookie()` takes the encrypted cookie, separates the `length` from the ciphertext, decrypts the cipher and returns only the first `length` characters of the decrypted cookie. Mhmm. This is then passed to `decompressed()`:
75 |
76 | ```php
77 | function decompress($cookie) {
78 | if(preg_match('/[^\x00-\x7F]+\ *(?:[^\x00-\x7F]| )*/im',$cookie, $m) == 0) {
79 | echo('Decryption error (1).');
80 | return false;
81 | }
82 |
83 | $t = explode("÷", $cookie);
84 |
85 | $arr = [];
86 | foreach($t as $el) {
87 | $el = explode("¡", $el);
88 | $arr[$el[0]] = $el[1];
89 | }
90 |
91 | if(!isset($arr['checksum'])) {
92 | echo('Decryption error (2).');
93 | return false;
94 | }
95 |
96 | $checksum = intval($arr['checksum']);
97 | unset($arr['checksum']);
98 | $cookie = compress($arr);
99 | if($checksum != crc32($cookie)) {
100 | echo('Decryption error (3).');
101 | return false;
102 | }
103 |
104 | return $arr;
105 | }
106 | ```
107 |
108 | The `decrypt()` function:
109 | - Checks if the decrypted cookie matches the regex
110 | - Constructs the array from its serialized form
111 | - Extracts the expected CRC-32 checksum
112 | - Computes the CRC-32 checksum of the remaining data
113 | - Checks if the two checksums match
114 | - Returns the array containing the user data
115 |
116 | This is then given back to `index.php` and it then redirects us to `admin.php`. There, if our `id == 1`, the flag is printed but as we are regular users, our `id > 1`.
117 |
118 | ### The Vulnerability
119 |
120 | During registration, the website put no restrictions on the characters entered in the `email` field. Think what happens if I put my email as `fake@mail.com÷id¡1`.
121 | My cookie would then be: `id¡1337÷username¡testac÷email¡fake@mail.com÷id¡1` along with its checksum. While decryption, due to the way `decompress()` is constructing the array, the array would be `id¡1÷username¡testac÷email¡fake@mail.com` as the latter `id` replaces the value of the former one. This is exactly what we want!
122 |
123 | But unfortunately the `CRC-32` checksum fails as the expected checksum (`checksum=732808468`) would be of the original data with 2 `id`s whereas the resulting one (`checksum=3870551952`) is of the data with only 1 `id`. Let's inject the checksum too then!
124 |
125 | Modifying our email to include the checksum of the data with `id=1`, our new cookie will be: `id¡1337÷username¡testac÷email¡fake@mail.com÷id¡1÷checksum¡3870551952`
126 |
127 | This will then be appended with its checksum giving: `id¡1337÷username¡testac÷email¡fake@mail.com÷id¡1÷checksum¡3870551952÷checksum¡2104704402`
128 |
129 | But now, our checksum gets overwritten by the new one just like we overwrote the previous value of `id`. This is where the `length` comes into picture! If we reduce the `length` only upto the first checksum (i.e. the first `77` characters), the `decompress()` function thinks that's the original checksum and decrypts the cookie without any errors!
130 |
131 | That is all we need to do to get `ADMIN ACCESS`!
132 |
133 | 1. Register with the following details:
134 | - username: `testac`
135 | - email: `fake@mail.com÷id¡1÷checksum¡3870551952`
136 | 2. Login and get your cookie (will result in `Decryption Error (3)`)
137 | 3. Logout, change the length in the cookie to `000077` and set the cookie
138 | 4. Navigate to admin.php
139 |
140 | And we have the flag!
141 |
142 | 
143 |
144 | **`DCTF{4EF853DFC818AFEC39497CD1B91625F9E6E19D34D8E43E56722026F26A95F13E} `**
145 |
--------------------------------------------------------------------------------
/DCTF/Get Admin/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdityaVallabh/ctf-write-ups/91ce9552768d8db44f9456311b3513490f60d3c6/DCTF/Get Admin/flag.png
--------------------------------------------------------------------------------
/DCTF/Message/README.md:
--------------------------------------------------------------------------------
1 | # Message - 50
2 |
3 | I just typed this secret [message](./message.txt) with my new encoding algorithm.
4 |
5 | ## Solution
6 |
7 | The message consists of lowercase letters, a few digits, periods, commas and spaces. It starts out with `wsxcvasdfghrfvbnhyt...`. This string is a concatenation of `wsxcv`, `asdfgh`, `rfvbnhyt`. Why did I split the message in this way? Well, these letters are adjacent to each other in the `qwerty-style` keyboard layout.
8 |
9 | We notice that these strings appear a lot of times in the message so looks like we need to substitute each one with something more meaningful. Now, if we trace out the motion of the letters on the keyboard, `wsxcv` looks like an `L`, `asdfgh` is probably `_` and `rfvbnhyt` looks like an `O`. Let's decrypt more and see what we get:
10 | ```
11 | wsxcv -> L
12 | rfvbnhyt -> O
13 | mnbvcdrtghu -> R
14 | wsxcde -> ?
15 | zaqwdrtgb -> M
16 |
17 | wsx -> I
18 | nbvcxswefr -> ?
19 | iuyhnbv -> S
20 | wsxcvfr -> U
21 | zaqwdrtgb -> M
22 |
23 | asdfgh, qwerty, zxcvbn -> _
24 | ```
25 |
26 | Turns out our guess is right! Ignoring the underscores, the first two words are `LOR?M I?SUM` which is obviously the popular dummy text `LOREM IPSUM`!
27 |
28 | Replacing the strings with the letters in this manner, we obtain the final decrypted message:
29 |
30 |
31 | LOREM IPSUM IS SIMPLY DUMMY TEXT OF THE PRINTING AND TYPESETTING INDUSTRY
32 | LOREM IPSUM HAS BEEN THE INDUSTRY'S STANDARD DUMMY TEXT EVER SINCE THE 1500S, WHEN AN UNKNOWN PRINTER TOOK A GALLEY OF TYPE AND SCRAMBLED IT TO MAKE A TYPE SPECIMEN BOOK
33 | IT HAS SURVIVED NOT ONLY FIVE CENTURIES, BUT ALSO THE LEAP INTO ELECTRONIC TYPESETTING, REMAINING ESSENTIALLY UNCHANGED
34 | IT WAS POPULARISED IN THE 1960S WITH THE RELEASE OF LETRASET SHEETS CONTAINING LOREM IPSUM PASSAGES, AND MORE RECENTLY WITH DESKTOP PUBLISHING SOFTWARE LIKE ALDUS PAGEMAKER INCLUDING VERSIONS OF LOREM IPSUM
35 | DCTF{B66ECAAA90AD05DF5DAB33D71A8F70934408F3A5847A4C5C38DB75891B0F0E32}LOREM IPSUM IS SIMPLY DUMMY TEXT OF THE PRINTING AND TYPESETTING INDUSTRY
36 | LOREM IPSUM HAS BEEN THE INDUSTRY'S STANDARD DUMMY TEXT EVER SINCE THE 1500S, WHEN AN UNKNOWN PRINTER TOOK A GALLEY OF TYPE AND SCRAMBLED IT TO MAKE A TYPE SPECIMEN BOOK
37 | IT HAS SURVIVED NOT ONLY FIVE CENTURIES, BUT ALSO THE LEAP INTO ELECTRONIC TYPESETTING, REMAINING ESSENTIALLY UNCHANGED
38 | IT WAS POPULARISED IN THE 1960S WITH THE RELEASE OF LETRASET SHEETS CONTAINING LOREM IPSUM PASSAGES, AND MORE RECENTLY WITH DESKTOP PUBLISHING SOFTWARE LIKE ALDUS PAGEMAKER INCLUDING VERSIONS OF LOREM IPSUM.
39 |