I solved $\frac{6}{8}$ of the crypto challenges at [osu!gaming CTF 2024](https://ctf.osugaming.lol/)
### crypto/ROSSAU
```
My friend really likes sending me hidden messages, something about a public key with n = 5912718291679762008847883587848216166109 and e = 876603837240112836821145245971528442417. What is the name of player with the user ID of the private key exponent? (Wrap with osu{})
```
This challenge asks us to compute the private key **d**.
At a glance, e is very large (about the same size as n), which hints at a small private exponent, so I used the [``wiener attack``](https://en.wikipedia.org/wiki/Wiener%27s_attack)
```python
import RSA_owiener
from Crypto.Util.number import*
n = 5912718291679762008847883587848216166109
e = 876603837240112836821145245971528442417
d = RSA_owiener.attack(e, n)
if d is None:
    print("Failed")
else:
    print(f"{d = }")
# 124493
```
- Once we have the private key **d**, the flag is the name of the [osu](https://osu.ppy.sh/) user whose ID is 124493
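
What the library call does under the hood, as an added example (not part of the original write-up and not the library's own code): the continued-fraction search behind Wiener's attack, run on the challenge's public key, showing why a private exponent below roughly $n^{1/4}/3$ is recoverable from (e, n) alone. The function names are chosen here for illustration.

```python
from math import isqrt

# Public key from the challenge text on this page.
N = 5912718291679762008847883587848216166109
E = 876603837240112836821145245971528442417


def convergents(num, den):
    """Yield the continued-fraction convergents (k, d) of num/den."""
    k_prev, k_cur = 0, 1
    d_prev, d_cur = 1, 0
    while den:
        a, rem = divmod(num, den)
        k_prev, k_cur = k_cur, a * k_cur + k_prev
        d_prev, d_cur = d_cur, a * d_cur + d_prev
        yield k_cur, d_cur
        num, den = den, rem


def wiener(e, n):
    """Return (d, p, q) if a convergent of e/n reveals phi(n), else None."""
    for k, dg in convergents(e, n):
        if k == 0:
            continue
        phi = (e * dg) // k       # candidate phi(n)
        g = e * dg - phi * k      # equals 1 when e*d = 1 (mod phi(n))
        s = n - phi + 1           # candidate p + q
        disc = s * s - 4 * n      # candidate (p - q)^2
        if g == 0 or disc < 0:
            continue
        t = isqrt(disc)
        if t * t == disc and (s + t) % 2 == 0:
            p, q = (s + t) // 2, (s - t) // 2
            if p * q == n:        # the guess really factors n
                return dg // g, p, q
    return None


def small_d_bound_holds(d, n):
    """Wiener's sufficient condition d < n^(1/4) / 3, written as 81 * d^4 < n."""
    return 81 * d**4 < n


if __name__ == "__main__":
    d, p, q = wiener(E, N)
    print(f"{d = }, bound holds: {small_d_bound_holds(d, N)}")
```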

### crypto/base 727
```python
import binascii
flag = open('flag.txt').read()
def encode_base_727(string):
    base = 727
    encoded_value = 0
    for char in string:
        encoded_value = encoded_value * 256 + ord(char)
    encoded_string = ""
    while encoded_value > 0:
        encoded_string = chr(encoded_value % base) + encoded_string
        encoded_value //= base
    return encoded_string
encoded_string = encode_base_727(flag)
print(binascii.hexlify(encoded_string.encode()))
# 06c3abc49dc4b443ca9d65c8b0c386c4b0c99fc798c2bdc5bccb94c68c37c296ca9ac29ac790c4af7bc585c59d
```
As the challenge title suggests, the encoding is very simple: we only need to reverse the encoding process to recover the flag.
```python
import binascii
flag = "06c3abc49dc4b443ca9d65c8b0c386c4b0c99fc798c2bdc5bccb94c68c37c296ca9ac29ac790c4af7bc585c59d"
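def decode_base_727(string):
    # Rebuild the big integer from its base-727 digits (one digit per character)
    de_value = 0
    for char in string:
        de_value = de_value * 727 + ord(char)
    # Split the integer back into base-256 digits, i.e. the original bytes
    de_string = ""
    while de_value > 0:
        de_string = chr(de_value % 256) + de_string
        de_value //= 256
    return de_string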
de_string = decode_base_727(binascii.unhexlify(flag).decode())
print(de_string)
```
### crypto/korean-offline-mafia
```
I've been hardstuck for years, simply not able to rank up... so I decided to try and infiltrate the Korean offline mafia for some help. I've gotten so close, getting in contact, but now, to prove I'm part of the group, I need to prove I know every group member's ID (without giving it away over this insecure communication). The only trouble is... I don't! Can you help?
```
> nc chal.osugaming.lol 7275
```python
from topsecret import n, secret_ids, flag
import math, random
assert all([math.gcd(num, n) == 1 for num in secret_ids])
assert len(secret_ids) == 32
vs = [pow(num, 2, n) for num in secret_ids]
print('n =', n)
print('vs =', vs)
correct = 0
for _ in range(1000):
    x = int(input('Pick a random r, give me x = r^2 (mod n): '))
    assert x > 0
    mask = '{:032b}'.format(random.getrandbits(32))
    print("Here's a random mask: ", mask)
    y = int(input('Now give me r*product of IDs with mask applied: '))
    assert y > 0
    # i.e: if bit i is 1, include id i in the product--otherwise, don't
    val = x
    for i in range(32):
        if mask[i] == '1':
            val = (val * vs[i]) % n
    if pow(y, 2, n) == val:
        correct += 1
        print('Phase', correct, 'of verification complete.')
    else:
        correct = 0
        print('Verification failed. Try again.')
    if correct >= 10:
        print('Verification succeeded. Welcome.')
        print(flag)
        break
```
In this challenge, pay attention to the condition under which the server returns the flag:
```python
    # (excerpt from inside the `for _ in range(1000)` loop)
    for i in range(32):
        if mask[i] == '1':
            val = (val * vs[i]) % n
    if pow(y, 2, n) == val:
        correct += 1
        print('Phase', correct, 'of verification complete.')
    else:
        correct = 0
        print('Verification failed. Try again.')
    if correct >= 10:
        print('Verification succeeded. Welcome.')
        print(flag)
        break
```
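Look at the input ``x = int(input('Pick a random r, give me x = r^2 (mod n): '))``: the server only asserts ``x > 0`` and never checks that x is nonzero modulo n.
For example, if n = 5 we have $5^2 \bmod 5 = 0$.
The same applies to ``y = int(input('Now give me r*product of IDs with mask applied: '))`` and the check ``if pow(y, 2, n) == val:``, so we just enter the same kind of value there.
In other words, for this challenge we only need to enter x = y = n and the round counts as ``correct``: ``val`` becomes 0 as soon as one mask bit multiplies it modulo n, and ``pow(n, 2, n)`` is 0 as well.
The solution, run by hand: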
```
patriot@Nitro:/mnt/c/Users/piroxxx/Downloads$ nc chal.osugaming.lol 7275
proof of work:
curl -sSfL https://pwn.red/pow | sh -s s.AAATiA==.QsoBQjo4GdpztXiyfh1E8g==
solution: s.JkivLt2J/ez71uWrIsmk9dvgf+lGKE6r5f262Cw17nyHuKycgmOByjgiOkNRWFdYYzh3ADzf5AAr8bkZuhoTlFFJAZyNWhXEk7Y/vrr2KxzhvpU64KElWGrvheLMBTPXj+ORk5ppGKm/TcW4RX77hid0vuYxejVgtgV25d8sru5NW+l4Y5nNU2WRVz8n2zDKr+m1xUDDs2zVvlrbCqgr5g==
n = 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
vs = [31005360692828771386596353653543080975611848310275677906468025883091275536545167105261124978438034147369188014602835017411169298219342736416588987721898236006802048428404041584458078499270366055804924314464708385993225538155867778051617636634963113851057969608562494259051877395015398693466973087730499566816, 17003437166562532515844106142524538192236293899469976413289579740724428355550116481428488291812235319677070040082605038993073040331140608920350241120022851558346432621670007181699937945547373727724759938611690319982732107888720517628308820580311202134000460906280625430109296787202502455537645045333723875752, 29174185611116220962799861273321049541177801510857918591464872309427445827132983964415082854825522385424024880171489587050870327940507996424702159659128701464907642376464689444333141169481878286907345745404828547335614802358867901971902132545117165403375274703755554934141448611451802010293341880379370554561, 125460590004305449147598588597557979060854193390844088734591499750759733001199888802591738726623448330311758719958038839952378685281112813215510694177186929054969282542095414098207160009054665089179363764003511090704679824298401019113194375501442314588314578517699812773773019403193586734854985273328635385055, 19961294398306208246516388863238101732563713331299984864649284895060139019545904701008851276488071800446599645920026490167722906555546322707624066875634270141393732401477451591847349367408737337443347321838579886436683791129742451743718669743273896717234716046751184390492739638845925077804129476280894587678, 85759222192752433194230697887711126281106122783081924950901615172513157367176074634125033381905762875617483238087728494458681538256649219217623424520916997213186188830148291657362762967628984919300629388058437915776797004797233986842897245030445740378865717209897013176637432910563576770716288211875307537517, 
85756446259856921508787301328839382632358568749059657140427887760093397703593939932207573717990801926895166230152544896721929259636016715518976734411563923826677102375960841166413322973739298659736043313753661245283753764679577053027839731159065511835543011526555470830658319777501171567780422415764654992056, 82388131875829029661101368892682715986939359081248501091530913224018273957577087466263577726214250285693305077844539728656326817171067073853850608506120849994426900463296485737789551617317170895674315973559170374018674736805141600527972171162907019499396489435300753463848663364800413387059802301944791967154, 61874622466735870459569083231063053251267849847000913303657112974804972902993400011219498998891866923360766164579107153740819838758946654392655104600224167442300655739937590833004721216390278521069704959271872181745467822038505719847771201473641058909334550358152794876346560209282634319394970440121173945552, 696456830160336345571399183079182741633849680581905262467031047063176916643115772014345688408518942964376072396456547900927062045479626987185284640272622480349326540389607018847447286302777265518431029908665242525779132608960411992603618266965991610156140888732414587461875885957790157094122534925159346689, 71804202927858745830267764119644267668129650849943354839400674871922181310019705024971084995567979858935550418547572368395805873047838678582034544829126818329655094801668736612934902996138698939011569804762884310261018579282273855111801383769541884936774208421184998499608044833422057806517766421872161132886, 106022129909231001763061571981224795908743244297610781372585165509220208538934481499465999219069414858130465495020451194529977735536353918041012038153453667083523463694391202798426848791814698095144964507083362144746009311262885344497647348164258983213008548680124197839483415994938575552424579467559364226394, 
79780917201979725745607358268721020007826777143384453736848699642700745672137173971736311615633907786242787949553655269760889512741694366981329213468801870502366422166155726704782007053727452518531937861897316842120152867293007447953786050973095793666505368420908012089034040670612704915966483909560525727895, 71557442214224827391469508394615301961602393583435791994377869878166990967262275214062328407117187137475555170232198898164685460045507551050582228050707942188085718362485298023919336310901655232305201374173084046735689446183908677611125291513420419391257086412077716834947280648573355262416021905501885448081, 67594286124920462476627135231382127257002190779316200841220884236048746008966783849077000692260673412618118130199139132355982916586542143504156315436305992979554984024473698424640430169503131050669710368164448012799563109078824274602902218944141689141292330786328930992108442995656576429460357487607953684648, 101583462751604776803243993092916816311165997626216071624266181903436631387504324465830005005386962747575225905966606713728165379859319120868463362676191328036131523437697792122960792959701853400135227605129646395597066487494604129199511056307707630333472846727757095032870573194684669438190245204424382540227, 29043532212255484957446139638896400984289208179934060026479276758708631324599797061541074121781125966015258864597551222042987263443007351938876659168617793511003131118910137322436111104004390147581694271638980718344008124629582446582217883153690914798022031966640578663222585208907959178728356893175434723610, 113340247020681948079695872194976603365438756195928636169270488788917611617814113546377399221147222383967017644725891131669673531498667023285512916587556607375207726512057338389146049968613792335715667746005162571620120695763511785836708610889000014042339862130979073911779127629605240998224547392575047876682, 
46955518876625368675822179494683910075678740531193723819896673420339533169552243807905153158613702064339351238345928246687600501515910421042905452498300246264603811562471815530515808019347916054179239559497819912359365282659383474647330398618675852858416854053277986827281681810780557251419111207395384329582, 120049618241681569909297331132748153780024599551354169447395482524979354550145095689508448686689137027749682317450210890592755207357509317097636185840145549723162917702190119496725634407024403910897248195711908599301017670168856033698276539121376856533747174795130257635826700269955484116577244261132111699782, 60432471682725082811759129481935215387315232681862328001741140440791554213018023010489880896595833371259778283949132264865412666062423360678545503784341426955365066642545574839397376104725781749864189394942679623268519980669230151124096948927295064323127086412146079703473349033037612579125128356650817487456, 37418483423666402839690378221246465625830777504746117806684279632733829251216330191017630819870365706918196686286152419906279282424710986544493588315677256309469899069653777460941985890670325799772557996489677861822249868822961811308197155317508879408561403754321591134754997450382970689051378137266750684150, 94174305519000724791322723317329750424096787028033711704339348290558759801740049477712054371174943463065457783285954839036454616821525907268058171065879142917786495838108198662366655161612057302696631811010611011255432667247182226813098616120103551428491424725197433682478003725612614176776020744086919222541, 24164241604266297223727480356209579709626597863679665322047206314565390941211173439548364239141231528592770594273872245081689352467521934142614188404599821263744908154769724757582237869492893025673929736513067776621594315983578685131819723930259557347442783311769159432538118936437741231426466439416046894515, 
74622351574515732429790381710009931007866489477834175140157124276528406761996848988548319863921078012073579268829764616677869729971070246760618409482467230230803686916114021420025321663417775786933625703525549140238175443629067327379706879303686757054222768671452028284790228129715765919768466932861580177320, 33937434233671439880375735724709263151905800341491069761198253595974939676740898135994731926683522580603065238113188655760345413710993518921798283138295535808198625333887785443443202146206856012920897507527127519126218980262002819131272588055386977789016168450026793837491263146307483296161517902030713517377, 10565046949406254527259004982669830730136541099125452731723342603077281798643238458884681573548361200290844403261801977491071537055797916302144525394519319159626752240186678311227956848271289073464355638512015901912643836265454790756672118181585365806395738728791224300698625162338483047206782990009007697670, 45811173098907052453006784108724539278636502672866844019358000284740987849657198740051498233451460856145761002845913988279624670560647919319575981910876044410412471633476034363962715376923711191994020783024820681562347221375725447749166869482488722405826252864632495369187682453210518381724556170610428602786, 37611584083840831490614982219698954124380150735010410340428124992949372626303544516341138055985977817455320480587362067024966082099429303253313338863882848425274492128334874580589539103195746970062266826430461363725325127697110242929749428596070134635340701183252297726266360348704483104671237230680814287901, 63566257454663927502592210664825649462300912342152118232791252636924231391880938521602773487560023194335856577303191126352162460670337534320352698547886676856711838450730563961823133844577285769273115911949304965589463357010794272474951671929048390288857822150939329767267412994414792438086489683307370084703, 
4382509570704473659016023535170200173820928728265283666614190827403468236099707584217820071734335424735984543344162682931307960434798257881978990978766599003220115166247656988541408469257367969448130796067767889157154616317680686438607572706708714502749949797831276453814186123967065644440309075672960825747, 119585523909572054887470634581863538142805156350226237796155733329562580962263310326370106947802333782405813135361772225815937510220709539567577696634536092564064682426435237869943718053754860155062301650004865386777823106520550443602415692105791093795113771899736853625134293105156697170557701359916135902683]
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 11111111000010010110011011010111
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 1 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 00111110110101010001011000000011
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 2 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 10110001010111100111001010100100
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 3 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 10110001010100001100110011111010
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 4 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 10101001000111000101110100100001
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 5 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 11001101011001001001100011111111
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 6 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 11000101010110100011111000110101
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 7 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 10101000110101011001110001110110
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 8 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 00110001100101100100010011000000
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 9 of verification complete.
Pick a random r, give me x = r^2 (mod n): 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Here's a random mask: 01011010011101001001001100001100
Now give me r*product of IDs with mask applied: 127065271926831953829075435795779161413833625790937903632507803948456546315363951012628967625137524987630310358727885075791147997786165834290015104663544334943097795607318784623877555709432254007987036792912055232108170428981314621636112866695628891544476820238732869726592273172162728945930329074829450057467
Phase 10 of verification complete.
Verification succeeded. Welcome.
osu{congrats_now_can_you_help_me_rank_up_pls}
```
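
The flaw described above, as an added example (not part of the original write-up or the challenge source): a local model of the verifier with constructed toy parameters, run once with the original checks and once with an extra check that the commitment x is a unit modulo n. The modulus, the prover classes and `commitment_ok` are assumptions made for this illustration.

```python
import math
import random

# Constructed toy modulus (product of two known Mersenne primes), not the challenge's n.
N = (2**61 - 1) * (2**89 - 1)
ROUNDS = 10


def keygen(rng, count=32):
    """Return (secret_ids, vs) with vs[i] = id_i^2 mod N, as in the server script."""
    ids = []
    while len(ids) < count:
        cand = rng.randrange(2, N)
        if math.gcd(cand, N) == 1:
            ids.append(cand)
    return ids, [pow(i, 2, N) for i in ids]


def check_response(vs, x, mask, y):
    """The server's acceptance test, unchanged: y^2 == x * prod(vs[i]) over set bits."""
    val = x
    for i in range(32):
        if mask[i] == '1':
            val = (val * vs[i]) % N
    return pow(y, 2, N) == val


def commitment_ok(x):
    """Hardening assumed here: accept x only if 0 < x < N and gcd(x, N) == 1."""
    return 0 < x < N and math.gcd(x, N) == 1


class HonestProver:
    """Knows the IDs and follows the protocol."""
    def __init__(self, ids, rng):
        self.ids, self.rng = ids, rng

    def commit(self):
        self.r = self.rng.randrange(2, N)
        return pow(self.r, 2, N)

    def respond(self, mask):
        y = self.r
        for i in range(32):
            if mask[i] == '1':
                y = (y * self.ids[i]) % N
        return y


class DegenerateProver:
    """Knows no IDs; always sends the values typed in the session above: x = y = n."""
    def commit(self):
        return N

    def respond(self, mask):
        return N


def run_session(vs, prover, rng, strict):
    """Return True if the prover passes ROUNDS consecutive rounds."""
    for _ in range(ROUNDS):
        x = prover.commit()
        if x <= 0 or (strict and not commitment_ok(x)):
            return False
        mask = '{:032b}'.format(rng.getrandbits(32))
        y = prover.respond(mask)
        if y <= 0 or not check_response(vs, x, mask, y):
            return False
    return True


def demo(seed=727):
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    ids, vs = keygen(rng)
    return {
        "honest_original": run_session(vs, HonestProver(ids, rng), rng, strict=False),
        "honest_hardened": run_session(vs, HonestProver(ids, rng), rng, strict=True),
        "degenerate_original": run_session(vs, DegenerateProver(), rng, strict=False),
        "degenerate_hardened": run_session(vs, DegenerateProver(), rng, strict=True),
    }


if __name__ == "__main__":
    print(demo())
```

With an all-zero mask the original check leaves `val = n` unreduced, so x = y = n fails that single round; a random 32-bit mask is all zeros with probability $2^{-32}$.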
### crypto/no-dorchadas
```python
from hashlib import md5
from secret import flag, secret_slider
from base64 import b64encode, b64decode
assert len(secret_slider) == 244
dorchadas_slider = b"0,328,33297,6,0,B|48:323|61:274|61:274|45:207|45:207|63:169|103:169|103:169|249:199|249:199|215:214|205:254,1,450.000017166138,6|6,1:1|2:1,0:0:0:0:"
def sign(beatmap):
    hsh = md5(secret_slider + beatmap)
    return hsh.hexdigest()
def verify(beatmap, signature):
    return md5(secret_slider + beatmap).hexdigest() == signature
def has_dorchadas(beatmap):
    return dorchadas_slider in beatmap
MENU = """
--------------------------
| [1] Sign a beatmap |
| [2] Verify a beatmap |
--------------------------"""
def main():
    print("Welcome to the osu! Beatmap Signer")
    while True:
        print(MENU)
        try:
            option = input("Enter your option: ")
            if option == "1":
                beatmap = b64decode(input("Enter your beatmap in base64: "))
                if has_dorchadas(beatmap):
                    print("I won't sign anything with a dorchadas slider in it >:(")
                else:
                    signature = sign(beatmap)
                    print("Okay, I've signed that for you: " + signature)
            elif option == "2":
                beatmap = b64decode(input("Enter your beatmap in base64: "))
                signature = input("Enter your signature for that beatmap: ")
                if verify(beatmap, signature) and has_dorchadas(beatmap):
                    print("How did you add that dorchadas slider?? Anyway, here's a flag: " + flag)
                elif verify(beatmap, signature):
                    print("Signature is valid!")
                else:
                    print("Signature is invalid :(")
        except:
            print("An error occurred!")
            exit(-1)
main()
```
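After reading the code, I need to get past the check ``verify(beatmap, signature) and has_dorchadas(beatmap)``, even though option 1 refuses to sign anything that contains the dorchadas slider.

I used a [``Length extension attack``](https://en.wikipedia.org/wiki/Length_extension_attack) to solve it.
Solution demo:
```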
patriot@Nitro:~$ nc chal.osugaming.lol 9727
proof of work:
curl -sSfL https://pwn.red/pow | sh -s s.AAAH0A==.taQ4GJTgw+Sq7D/bDsUTjA==
solution: s.JMtrthv2gE8n6PnGKXRLrUfukJyeyu8uBeEsOt573M+IQpIl3h1nllaY+Xqi89WrdvFRyMqXP4mzpbWR6tssRaLXUqNdqOih0hBUdmmpDmWR76GnAEXTToI1CHB0jGiJrz88kASvOPjv8FeLjyb2fpGFwH4sQd4htZbCrckFKjhpf22aIT7zaXLzrhEt90OgYtc6TMgdbeZAO48zULXQ2A==
Welcome to the osu! Beatmap Signer
--------------------------
| [1] Sign a beatmap |
| [2] Verify a beatmap |
--------------------------
Enter your option: 1
Enter your beatmap in base64: bHVvbmc==
Okay, I've signed that for you: b2946d690f35b9d33793fd96f2e2d74c
--------------------------
| [1] Sign a beatmap |
| [2] Verify a beatmap |
--------------------------
Enter your option: 2
Enter your beatmap in base64: bHVvbmeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIBwAAAAAAADAsMzI4LDMzMjk3LDYsMCxCfDQ4OjMyM3w2MToyNzR8NjE6Mjc0fDQ1OjIwN3w0NToyMDd8NjM6MTY5fDEwMzoxNjl8MTAzOjE2OXwyNDk6MTk5fDI0OToxOTl8MjE1OjIxNHwyMDU6MjU0LDEsNDUwLjAwMDAxNzE2NjEzOCw2fDYsMToxfDI6MSwwOjA6MDowOg==
Enter your signature for that beatmap: 1666d911ad437cbc4fe02ffe5ba41a2a
How did you add that dorchadas slider?? Anyway, here's a flag: osu{s3cr3t_sl1d3r_i5_th3_burp_5l1d3r_fr0m_Feiri's_Fake_Life}
--------------------------
| [1] Sign a beatmap |
| [2] Verify a beatmap |
--------------------------
Enter your option:
```
### crypto/wysi-prime
```python
from Crypto.Util.number import isPrime, bytes_to_long
import random
import os
def getWYSIprime():
    while True:
        digits = [random.choice("727") for _ in range(272)]
        prime = int("".join(digits))
        if isPrime(prime):
            return prime
# RSA encryption using the WYSI primes
p = getWYSIprime()
q = getWYSIprime()
n = p * q
e = 65537
flag = bytes_to_long(os.getenv("FLAG", b"osu{fake_flag_for_testing}"))
ciphertext = pow(flag, e, n)
print(f"{n = }")
print(f"{e = }")
print(f"{ciphertext = }")
n = 2160489795493918825870689458820648828073650907916827108594219132976202835249425984494778310568338106260399032800745421512005980632641226298431130513637640125399673697368934008374907832728004469350033174207285393191694692228748281256956917290437627249889472471749973975591415828107248775449619403563269856991145789325659736854030396401772371148983463743700921913930643887223704115714270634525795771407138067936125866995910432010323584269926871467482064993332990516534083898654487467161183876470821163254662352951613205371404232685831299594035879
e = 65537
ciphertext = 2087465275374927411696643073934443161977332564784688452208874207586196343901447373283939960111955963073429256266959192725814591103495590654238320816453299972810032321690243148092328690893438620034168359613530005646388116690482999620292746246472545500537029353066218068261278475470490922381998208396008297649151265515949490058859271855915806534872788601506545082508028917211992107642670108678400276555889198472686479168292281830557272701569298806067439923555717602352224216701010790924698838402522493324695403237985441044135894549709670322380450
```
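In this challenge we only need to look at ``getWYSIprime()``: the two primes p and q are built only from the digits **2, 7**.
The idea is simply to recover **p, q**: build them digit by digit from the least significant end, keeping only the candidates whose product agrees with n modulo $10^i$.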
```python
from Crypto.Util.number import *
n = 2160489795493918825870689458820648828073650907916827108594219132976202835249425984494778310568338106260399032800745421512005980632641226298431130513637640125399673697368934008374907832728004469350033174207285393191694692228748281256956917290437627249889472471749973975591415828107248775449619403563269856991145789325659736854030396401772371148983463743700921913930643887223704115714270634525795771407138067936125866995910432010323584269926871467482064993332990516534083898654487467161183876470821163254662352951613205371404232685831299594035879
e = 65537
ciphertext = 2087465275374927411696643073934443161977332564784688452208874207586196343901447373283939960111955963073429256266959192725814591103495590654238320816453299972810032321690243148092328690893438620034168359613530005646388116690482999620292746246472545500537029353066218068261278475470490922381998208396008297649151265515949490058859271855915806534872788601506545082508028917211992107642670108678400276555889198472686479168292281830557272701569298806067439923555717602352224216701010790924698838402522493324695403237985441044135894549709670322380450
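# Candidates are (low digits of p, low digits of q, digit count);
# both primes end in 7, since a last digit of 2 would make them even
nums = [("7", "7", 1)]
while True:
    nums2 = []
    for p, q, i in nums:
        pi = int(p)
        qi = int(q)
        if pi * qi == n:
            p = int(p)
            q = int(q)
            print(f"{p = }")
            print(f"{q = }")
            print(long_to_bytes(pow(ciphertext, pow(e, -1, (p-1)*(q-1)), p*q)))
            exit()
        # Drop candidates whose product does not match n in the lowest i digits
        if (n - pi * qi) % (10**i) != 0:
            continue
        # Extend both candidates by one more digit, 2 or 7
        nums2.append(("2" + p, "2" + q, i + 1))
        nums2.append(("2" + p, "7" + q, i + 1))
        nums2.append(("7" + p, "2" + q, i + 1))
        nums2.append(("7" + p, "7" + q, i + 1))
    nums = nums2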
```
### crypto/secret_map

The challenge provides a file [``Alfakyun. - KING.osz``](https://ctf.osugaming.lol/uploads/2cdc85778a40b176f4541bc782650cf933dd9997083d69e928cd9b4b85e0c189/Alfakyun.%20-%20KING.osz)
When we open it, we see that it is an osu! game file.
To be more careful, we used `binwalk` to look for hidden files inside it.

We then converted **Alfakyun. - KING.osz** **=>** **Alfakyun. - KING.zip**

Opening the Python file **enc.py**, I suspected the flag was hidden there
```python
import os
xor_key = os.urandom(16)
with open("flag.osu", 'rb') as f:
    plaintext = f.read()
encrypted_data = bytes([plaintext[i] ^ xor_key[i % len(xor_key)] for i in range(len(plaintext))])
with open("flag.osu.enc", 'wb') as f:
    f.write(encrypted_data)
```
This is just an ordinary XOR.
I decrypted the file as follows:
```python
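from pwn import xor
# Known plaintext: the header an .osu file starts with, cut to the 16-byte key length
data = b"osu file format v14"
data = (data[:16])
with open("flag.osu.enc","rb") as file:
    enc = file.read()
# 16-byte XOR key
key = b'\xd1B,s\xdc\xf0\xcf\xd3\x11\xbb\xae;\xef2I\x97'
# Repeating-key XOR over the whole file
x = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
print(x.hex())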
```
After decrypting, I compared the result with the file ``Alfakyun. - KING (QuintecX) [ryuk eyeka's easy].osu``
Original file:

File after decryption:

I copied the decrypted file over ``Alfakyun. - KING (QuintecX) [ryuk eyeka's easy].osu`` and changed the folder's extension back to ``.osz``
Opening it and playing the game gives the flag:
> osu{xor_xor_xor_by_frums}