Google Drive
Gist
Clipboard
or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
xxxxxxxxxx-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
SubscribeCryptoCTF 2021
Challenge Name
Score
Challenge
Solution
Flag
Farm
Challenge
Explore the Farm very carefully!
Attachment:
Code Review
The key is the product of 14 random elements selected from \(GF(64)\).
Solution
Note that the product of two elements of \(GF(64)\) is still an element of \(GF(64)\). Inductively, the key lies in \(GF(64)\). That is, the key space is just 64 and hence we are able to brute-force the key.
Implementation
Salt and Pepper
Challenge
We send a username and password to the server, along with an authentication hash. These are all passed as parameters to the
auth_checkfunction, and the username containsn3T4Dm1n, the password containsP4s5W0rd, and the function returns true, we get the flag.Solution
The
check_authfunction uses two secrets,saltandpepper, which we know the length of, however we don't know the value of.The
check_authfunction calculates the authentication hash using the following lineSince these two secrets are hashed as well as our username and password, we cannot directly work out the authentication hash. However, we get given the MD5 hash of
salt, and the SHA1 hash ofpepper. Since both of the secret values are put as prefixes to our input, we can perform a hash length extension attack.HashPump is a useful tool to do this, as all we need to do is provide the parameters and the tool does most of the work for us. One thing that needed to be changed however is that since we get the raw hashes, we don't have any data to give to the tool, and Hashpump complains when we do that.
To get around this, I simply removed this check in the
main.cppfile (line 255) and recompiled it.First, we will create a MD5 of (
salt+padding+n3T4Dm1n) using the tool:giving an output of
Then, we will create our authentication hash by creating a SHA1 of (
pepper+padding+P4s5W0rd+95623660d3d04c7680a52679e35f041c)giving an output of
83875efbe020ced3e2c5ecc908edc98481eba47f should now be our authentication hash when we use
\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x00\x00\x00\x00\x00\x00\x00n3T4Dm1nas our username and\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98P4s5W0rdas our password (note that we remove the MD5 hash at the end as it gets added when theauth_checkfunction is called).Submitting these to the server gives us the flag.
RSAphantine
Challenge
RSA and solving equations, but should be a real mathematician to solve it with a diophantine equation?
Solution
This challenge gives us the following set of three equations and three unknowns \(x\), \(y\), and \(z\); it then generates parameters for RSA encryption using the following equations:
\[p = nextPrime(\frac{x^2+y^2+z^2}{2^{76}})\\ q = nextPrime(z^2+y^3- (xyz \oplus 67))\]
It doesn't look like we can attack the equations for \(p\) or \(q\) directly, so we solve the diophantine equations first:
\[2z^5-x^3+yz=47769... = a\\ x^4+y^5+xyz=89701... = b\\ y^6+2z^5+yz=47769... = c\]
Note that while the right hand side of the first and third equations appear to be the same, they are different numbers. We first compute \(c-a = x^3+y^6 = (x+y^2)(x^2-xy^2+y^4)\) by sum of cubes; factoring \(c-a\), we recover the factors \(3133713317731333\) and \(28413320364759425...\).
Plugging the equations into z3, we solve for \(x\), \(y\), and \(z\):
Flag
CCTF{y0Ur_jO8_C4l13D_Diophantine_An4LySI5!}
Triplet
Challenge
We need to send 3 pairs of primes followed by a keypair
e,dso thate,dis a valid keypair for each modulus generated by each pair.Most easy solutions are patched out, as
eanddboth have to be less than the lowest phi and greater than 1.Solution
Our main idea for this problem is to generate
phi_1,phi_2andphi_3in a way so thatphi_2is a multiple ofphi_1, andphi_3is a multiple ofphi_2. In this way, any valid keypair forphi_3(that also satisfies the length requirement) will also be a valid keypair forphi_1andphi_2and can be used to get the flag.We can generate primes as follows:
Now all we need to do is generate a valid keypair for
phi_3. To do this, recall that the values \(e\) and \(d\) satisfy the following equation:\[e * d \equiv 1 \mod \phi(n)\]
therefore
\[e * d = 1 + k * \phi(n)\]
If we find factors of \(1 + phi(n3)\), we should be able to find two numbers that are small enough to satisfy the length requirements, as the value \(k\) in the equation
\[\phi(n3) = k * \phi(n1)\]
should be small. We can just use something like factordb for this.
Once we do that, we submit everything to the server and get our flag.
Example input:
Rami
Challenge
The flag is encoded using a bunch of weird looking operations, and then we get the two files
g.encandh.encSolution
Firstly, we can deduce the flag length as 32 bytes by simply testing some letter repeated some number of times as the flag, then checking the length of the output and comparing it to the size of
g.enc.We will work through the steps in reverse order.
Step 1
Firstly, each file contains bytes, which we need to convert to a base 10 integer. Then, we need to convert this base 10 integer into a base 5 integer. We can do this quite easily with
gmpy2'sdigitsfunction.Step 2
These next steps add some elements of the list to other elements of the list. We can work out the value of
len(_) - cby just running the program with a random 32 byte flag, and then to reverse it, we just need to ensure that we change the addition to subtraction, and work in reverse order, as the later elements of the list are not affected by the earlier ones (but not vice versa).We also then need to trim \(c\) amound of 0's from the start of the list at the end. \(c\) can again be worked out by just running the program.
Step 3
This step simply takes the list \(f\) and duplicates it \(a\) and \(b\) times, storing them in \(g\) and \(h\). We can either manually find the repeating sequence, work out the values of \(a\) and \(b\) and simply split \(g\) into \(a\) chunks (or \(h\) into \(b\) chunks), or we can simply know the length of \(f\), and take the first \(len(f)\) elements of \(g\) to get the original \(f\).
Step 4
Our last step is again quite similar to step 2, we work out the length of \(f\) by running the program, and then going in reverse order, changing the addition to a subtraction instead. We can then obtain the flag by converting the list into a string, which should be the binary string of the flag.
Implementation
Putting this all together, this looks like this: