# DaVinciCTF - 2021 - CTF Community ## Crypto --- ### Decode Retrieve the flag: 59'9#5$9[=S-B7S-N8W)Y<#<Q,&Y] --- Solved by Nameless, the flag has been encoding with UUencoding, online solvers provide the following flag: **dvCTF{w3b_3ncryp710n}** --- ### Substitution Rm xibkgltizksb, z hfyhgrgfgrlm xrksvi rh z nvgslw lu vmxibkgrmt rm dsrxs fmrgh lu kozrmgvcg ziv ivkozxvw drgs xrksvigvcg, zxxliwrmt gl z urcvw hbhgvn; gsv "fmrgh" nzb yv hrmtov ovggvih (gsv nlhg xlnnlm), kzrih lu ovggvih, girkovgh lu ovggvih, nrcgfivh lu gsv zylev, zmw hl uligs. Gsv ivxvrevi wvxrksvih gsv gvcg yb kviulinrmt gsv rmevihv hfyhgrgfgrlm. Hfyhgrgfgrlm xrksvih xzm yv xlnkzivw drgs gizmhklhrgrlm xrksvih. Rm z gizmhklhrgrlm xrksvi, gsv fmrgh lu gsv kozrmgvcg ziv ivziizmtvw rm z wruuvivmg zmw fhfzoob jfrgv xlnkovc liwvi, yfg gsv fmrgh gsvnhvoevh ziv ovug fmxszmtvw. Yb xlmgizhg, rm z hfyhgrgfgrlm xrksvi, gsv fmrgh lu gsv kozrmgvcg ziv ivgzrmvw rm gsv hznv hvjfvmxv rm gsv xrksvigvcg, yfg gsv fmrgh gsvnhvoevh ziv zogvivw. Gsviv ziv z mfnyvi lu wruuvivmg gbkvh lu hfyhgrgfgrlm xrksvi. Ru gsv xrksvi lkvizgvh lm hrmtov ovggvih, rg rh gvinvw z hrnkov hfyhgrgfgrlm xrksvi; z xrksvi gszg lkvizgvh lm ozitvi tilfkh lu ovggvih rh gvinvw klobtizksrx. Z nlmlzokszyvgrx xrksvi fhvh urcvw hfyhgrgfgrlm levi gsv vmgriv nvhhztv, dsvivzh z klobzokszyvgrx xrksvi fhvh z mfnyvi lu hfyhgrgfgrlmh zg wruuvivmg klhrgrlmh rm gsv nvhhztv, dsviv z fmrg uiln gsv kozrmgvcg rh nzkkvw gl lmv lu hvevizo klhhryrorgrvh rm gsv xrksvigvcg zmw erxv evihz. weXGU{xi1kg3w_x1ks3i} --- As it is indicated in the title of the challenge, this is substitution cipher. Letter frequency analysis will provide the most recurrent letter for which we can assume to be the letter "e". Then,we recognized the flag at the end of the cipher text. The following non-optimized python does the job: ``` ct="""Rm xibkgltizksb, z hfyhgrgfgrlm xrksvi rh z nvgslw lu vmxibkgrmt rm dsrxs fmrgh lu kozrmgvcg ziv ivkozxvw drgs xrksvigvcg, zxxliwrmt gl z urcvw hbhgvn; gsv "fmrgh" nzb yv hrmtov ovggvih (gsv nlhg xlnnlm), kzrih lu ovggvih, girkovgh lu ovggvih, nrcgfivh lu gsv zylev, zmw hl uligs. Gsv ivxvrevi wvxrksvih gsv gvcg yb kviulinrmt gsv rmevihv hfyhgrgfgrlm. Hfyhgrgfgrlm xrksvih xzm yv xlnkzivw drgs gizmhklhrgrlm xrksvih. Rm z gizmhklhrgrlm xrksvi, gsv fmrgh lu gsv kozrmgvcg ziv ivziizmtvw rm z wruuvivmg zmw fhfzoob jfrgv xlnkovc liwvi, yfg gsv fmrgh gsvnhvoevh ziv ovug fmxszmtvw. Yb xlmgizhg, rm z hfyhgrgfgrlm xrksvi, gsv fmrgh lu gsv kozrmgvcg ziv ivgzrmvw rm gsv hznv hvjfvmxv rm gsv xrksvigvcg, yfg gsv fmrgh gsvnhvoevh ziv zogvivw. Gsviv ziv z mfnyvi lu wruuvivmg gbkvh lu hfyhgrgfgrlm xrksvi. Ru gsv xrksvi lkvizgvh lm hrmtov ovggvih, rg rh gvinvw z hrnkov hfyhgrgfgrlm xrksvi; z xrksvi gszg lkvizgvh lm ozitvi tilfkh lu ovggvih rh gvinvw klobtizksrx. Z nlmlzokszyvgrx xrksvi fhvh urcvw hfyhgrgfgrlm levi gsv vmgriv nvhhztv, dsvivzh z klobzokszyvgrx xrksvi fhvh z mfnyvi lu hfyhgrgfgrlmh zg wruuvivmg klhrgrlmh rm gsv nvhhztv, dsviv z fmrg uiln gsv kozrmgvcg rh nzkkvw gl lmv lu hvevizo klhhryrorgrvh rm gsv xrksvigvcg zmw erxv evihz. weXGU{xi1kg3w_x1ks3i}""".lower() sub={} sub["w"]="d" sub["e"]="v" sub["x"]="c" sub["g"]="t" sub["u"]="f" sub["v"]="e" sub["r"]="i" sub["m"]="n" sub["n"]="m" sub["i"]="r" sub["b"]="y" sub["k"]="p" sub["l"]="o" sub["t"]="g" sub["a"]="n" sub["l"]="o" sub["h"]="s" sub["z"]="a" sub["f"]="u" sub["y"]="b" sub["s"]="h" sub["o"]="l" sub["d"]="w" sub["c"]="x" sub["j"]="q" sub["q"]="h" _="" print(ct) print("======") for elt in ct: if elt in sub.keys(): _+=sub[elt] else: _+=elt print(_) ``` Output: ```shell= in cryptography, a substitution cipher is a method of encrypting in which units of plaintext are replaced with ciphertext, according to a fixed system; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. the receiver deciphers the text by performing the inverse substitution. substitution ciphers can be compared with transposition ciphers. in a transposition cipher, the units of the plaintext are rearranged in a different and usually quite complex order, but the units themselves are left unchanged. by contrast, in a substitution cipher, the units of the plaintext are retained in the same sequence in the ciphertext, but the units themselves are altered. there are a number of different types of substitution cipher. if the cipher operates on single letters, it is termed a simple substitution cipher; a cipher that operates on larger groups of letters is termed polygraphic. a monoalphabetic cipher uses fixed substitution over the entire message, whereas a polyalphabetic cipher uses a number of substitutions at different positions in the message, where a unit from the plaintext is mapped to one of several possibilities in the ciphertext and vice versa. dvctf{cr1pt3d_c1ph3r} ``` **dvctf{cr1pt3d_c1ph3r}** --- ### Bootless RSA This challenge starts with the provided file: ``` { "N": 148818474926605063920889194160313225216327492347368329952620222220173505969004341728021623813340175402441807560635794342531823708335067243413446678485411066531733814714571491348985375389581214154895499404668547123130986872208497176485731000235899479072455273651103419116166704826517589143262273754343465721499, "e": 3, "ct": 4207289555943423943347752283361812551010483368240079114775648492647342981294466041851391508960558500182259304840957212211627194015260673748342757900843998300352612100260598133752360374373 } ``` As the public exponent is small, there is a chance that we can decrypt the ciphertext "ct" by calculate its cubic root: ``` n=148818474926605063920889194160313225216327492347368329952620222220173505969004341728021623813340175402441807560635794342531823708335067243413446678485411066531733814714571491348985375389581214154895499404668547123130986872208497176485731000235899479072455273651103419116166704826517589143262273754343465721499 e=3 ct=4207289555943423943347752283361812551010483368240079114775648492647342981294466041851391508960558500182259304840957212211627194015260673748342757900843998300352612100260598133752360374373 import gmpy c= gmpy.root(ct,3)[0] print(c) import binascii print(binascii.unhexlify(hex(c)[2:])) ``` Gives the output: ```shell= 161436153337866397698230350131849911745245662937350542382627197 b'dvCTF{RS4_m0dul0_inf1nity}' ``` **dvCTF{RS4_m0dul0_inf1nity}** ### The more, the less --- Someone is trying to get in touch with me, but I do not have access to my RSA private key anymore. Can you help me decrypt this file? --- A "super-secret" file is provided: ``` { "N": 31599415905194296507531163994468257280886159280045654346389430217405819290199334738577568528414824952061262558727052291045816515870348057534996441596560396962516719727878569643953152119895297353348080193869479088114850667155373326828408666807238584625432868509009967976378084883283066242914464294233411627, "e": 65537, "ct": 11371525982887248215036029303506383319725323173791816242922348267059091038845164126422411329763551336318264887183213679689757761368186436315189029720350805092964515239812759488055450797557376437081404871060787004042110689348646779529227539692241991396962852995556540999064671425810298104591755058349120054 } ``` In this case, N is factored in 4 factors. ``` p=2715012803 q=73038144973268535275920197472661886117932030510423949891205041038353924830738251238127 r=122292395736421852773703087479073197467899993060671630547432160599400345642934010526544671364817 s=1303040714225236316914247837592023713767455507463490984564764762906695038672913859186489193574070334540706541230951 n=31599415905194296507531163994468257280886159280045654346389430217405819290199334738577568528414824952061262558727052291045816515870348057534996441596560396962516719727878569643953152119895297353348080193869479088114850667155373326828408666807238584625432868509009967976378084883283066242914464294233411627 assert p*q*r*s== n ct=11371525982887248215036029303506383319725323173791816242922348267059091038845164126422411329763551336318264887183213679689757761368186436315189029720350805092964515239812759488055450797557376437081404871060787004042110689348646779529227539692241991396962852995556540999064671425810298104591755058349120054 e=65537 import binascii from sympy.crypto.crypto import rsa_private_key primes=[p,q,r,s] args = primes+[e] d=rsa_private_key(*args)[1] print(d) print(binascii.unhexlify(hex(pow(ct,d,n))[2:])) ``` The output is: ```shell= 6584396894763859350397777058772191315434955845579448367659947743522693402197722167367070056716200272554309783178370989453639260523769116700416926883951033889841583907977899119902688261774744032719536317165030898907602823217983229958722788956280667181973802592206529013269068507689191072955691796170473473 b'dvCTF{rs4_f4ctor1z4t10n!!!}' ``` **dvCTF{rs4_f4ctor1z4t10n!!!}** ### Flipping tables ``` ┳━┳ ヽ(ಠل͜ಠ)ノ nc challs.dvc.tf 3333 ``` No description, let's connect with Netcat. ```shell= What do you want me to encrypt? 44 !E(input || flag) = 1910046cc3235c9cff28b5ff988422bf943ea9cb6e8ec05f3d0890f044486626 What do you want me to encrypt? 44 E(input || flag) = e6effb933cdca36300d74a00677bdd406bc1563491713fa0c2f76f0fbbb799d9 What do you want me to encrypt? 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444 E(input || flag) = I only talk hex, sorry! ``` Ok, it speaks hex and sometimes apply a modification to the result. After some test, it is an ECB oracle. Flag is on the right, we control the input, let's modify the input... ``` import socket import binascii import time import string def parse(txt): return txt.split("=")[1].lstrip().rstrip() # Size KEYSIZE = 16 # Create socket cx = socket.socket() cx.connect(("104.248.198.185",3333)) flag="" print(binascii.hexlify(flag)) while len(flag)!=24: nb=len(flag) offset = nb // KEYSIZE pos = nb % KEYSIZE #print((pos,offset)) msg = "a"*(offset+1)*KEYSIZE msg = msg msg = msg[-(1)*KEYSIZE+pos+1:] if pos !=15: pass else: msg="" print((len(msg),msg)) if len(flag)==0: print(cx.recv(1024)) cx.send(binascii.hexlify(msg)+"\n") time.sleep(1) # target print("Target Aquisition") target =cx.recv(1024) while not target.startswith("E"): cx.send(binascii.hexlify(msg)+"\n") target =cx.recv(1024) time.sleep(1) target=parse(target)[offset*2*KEYSIZE:(offset+1)*2*KEYSIZE] print("Target : "+target) # find flag for elt in string.printable: _= "a"*(offset+1)*KEYSIZE+flag _ = _[-(1)*KEYSIZE+1:]+elt # target cx.send(binascii.hexlify(_)+"\n") res =cx.recv(1024) while not res.startswith("E"): cx.send(binascii.hexlify(_)+"\n") res =cx.recv(1024) time.sleep(1) res=parse(res) if pos==15: res=res[offset*2*KEYSIZE:(offset+1)*2*KEYSIZE] if res.find(target)>-1: flag+=elt print(flag) print("========") break if flag.endswith("}"): break print(flag) ``` Provides the following output: ```shell= python flipping.py (15, 'aaaaaaaaaaaaaaa') What do you want me to encrypt? Target Aquisition Target : c482689bd9a2b1660d8cfd74903e70b2 d ======== (14, 'aaaaaaaaaaaaaa') Target Aquisition Target : 6a2f1841801b34b396f11aca66efc355 dv ======== (13, 'aaaaaaaaaaaaa') Target Aquisition Target : 6c4db44049093b10a427ac701f4ed392 dvC ======== (12, 'aaaaaaaaaaaa') Target Aquisition Target : 1cb07875e43591c9e2007ee250ec29af dvCT ======== (11, 'aaaaaaaaaaa') Target Aquisition Target : 58818c36b2fcb5735dd723a0fc1db757 dvCTF ======== (10, 'aaaaaaaaaa') Target Aquisition Target : 2024884d4a5f02869ed25d2ee0080e77 dvCTF{ ======== (9, 'aaaaaaaaa') Target Aquisition Target : 48df535565ebb32ede4fcbe5b7d2183a dvCTF{3 ======== (8, 'aaaaaaaa') Target Aquisition Target : 081552860fddf68f73ca0aa4633f641a dvCTF{3C ======== (7, 'aaaaaaa') Target Aquisition Target : a42e1b116a3819d9645e94fe943824f5 dvCTF{3CB ======== (6, 'aaaaaa') Target Aquisition Target : 2aa9a5272aa4676f964069baa3c209a9 dvCTF{3CB_ ======== (5, 'aaaaa') Target Aquisition Target : c26abbf7d1b35d0a9144b00d0957311d dvCTF{3CB_4 ======== (4, 'aaaa') Target Aquisition Target : 30cc4efbc1cb3a9955bfb5df640879ed dvCTF{3CB_4n ======== (3, 'aaa') Target Aquisition Target : da4cea8f00448b4f28b7c096152eed51 dvCTF{3CB_4ng ======== (2, 'aa') Target Aquisition Target : 559674c57f070ac6caaa9fccfc02de6b dvCTF{3CB_4ngr ======== (1, 'a') Target Aquisition Target : 36d2eda00bce57fe4097ed5a2d336068 dvCTF{3CB_4ngry ======== (0, '') Target Aquisition Target : 7caafa90873c58d4640dd8b9894c929a dvCTF{3CB_4ngry_ ======== (15, 'aaaaaaaaaaaaaaa') Target Aquisition Target : 075e1a449a876b9d8f9bc785b0779570 dvCTF{3CB_4ngry_0 ======== (14, 'aaaaaaaaaaaaaa') Target Aquisition Target : a2d50d6ed70d44871442e81fd7c06ae6 dvCTF{3CB_4ngry_0r ======== (13, 'aaaaaaaaaaaaa') Target Aquisition Target : 6da62f85eb19365b3a9ea5217bf3cd31 dvCTF{3CB_4ngry_0r4 ======== (12, 'aaaaaaaaaaaa') Target Aquisition Target : dac6cc293e05770a04d8d58c455e07ff dvCTF{3CB_4ngry_0r4c ======== (11, 'aaaaaaaaaaa') Target Aquisition Target : 5db4b2056c30a8f01a988bd1f17f2a9a dvCTF{3CB_4ngry_0r4cl ======== (10, 'aaaaaaaaaa') Target Aquisition Target : d7ff5c8f54cc7f42cf7353a7345b42e3 dvCTF{3CB_4ngry_0r4cl3 ======== (9, 'aaaaaaaaa') Target Aquisition Target : 18f77807d91f685f7c9ec14b59a479d9 dvCTF{3CB_4ngry_0r4cl3} ======== dvCTF{3CB_4ngry_0r4cl3} ``` **dvCTF{3CB_4ngry_0r4cl3}** ### Z340 but not 340 Solved with K3RM1T and Mini-Glome, --- http://challs.dvc.tf:2340/ Flag format: dvCTF{password you find} --- Direct reference to the Zodiac Killer cryptogram... ![](https://i.imgur.com/a3aYrYp.png) This deciphers to: ``` IRONSCPOPOWTOUTCY AEHETTOHLTDUOEVCE HIPEOHSRDAECETRME OYENSEPAOYVLAITHD EINONSOEEVFIELSDH DAPSAUDMCERIFNTEE NDPNACISCAAEONUGH TIGOECSUDOULREUGN LIOSENOYSOOMOLBEA ``` If we read the text from the diagonale with two steps right and one step down, we get: ``` I HOPE ROU ARE HAVING LOTS OF FUN IN TRYING TO SODVE THIS CHALLENGE PLEASE DO NOT CIDDPEOPDE THANC YOU THE PASSWORD IS CUOTEMONAIDOOVEYOUSOMUCHENDDCUOTHINSMALLCAPSOCARBYEEEEEEEE ``` we can read the following sentence: *CUOTE MONA I DOOVE YOU SO MUCH ENDDCUOTH IN SMALL CAPS OCAR BYEEEEEEEE* We try the flag **dvCTF{monailooveyousomuch}** and it works !! --- ## Stegano ### Read --- `131 flags` `10 points (reduced)` "Just read !" --- *An image was given :* ![](https://i.imgur.com/7EbJxbr.png) At first, I thought it was a QR code. I quickly abandoned this idea and used [stegsolver](https://github.com/eugenekolo/sec-tools/blob/master/stego/stegsolve/stegsolve/stegsolve.jar) I decided immediately to use the _stereogram solver_ function. Starting with an offset of 0, I had nothing interesing, but I knew the flag was there ![](https://i.imgur.com/JVGgYYZ.png) > Damn the flag is omnipresent I randomly choose to check from 1280 to 0 A minute later... ![](https://i.imgur.com/yKfm2f0.png) Foud the flag with an offset of **1120** ! Flag : **dvCTF{th4t5_4_l0t_0f_n0153}** ### Pidieff --- 166 Flags 25 points (reduced) --- A pdf was given, with boring text which I will spare you My instinct told me to check with binwalk first, wich was a success : ![](https://i.imgur.com/UEOpLkV.png) I immedialtry decided to extract all files from this pdf ```shell= binwalk --dd=".*" super_secret.pdf ``` ![](https://i.imgur.com/zLjnqSb.png) The flag is in the `6A.txt` file Flag : **dvCTF{look_at_the_files}** --- That's all folks ! **J'y crois moyen** & **Electro**