Crypto

I have no clue of rust and no clue of crypto, but then with no challenge I stood crying in the rain and rusted. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{backp4ck_r4p_crap,_yap-yap,_yack1ty-yack} Writeup Context We are given a file with Rust source code and an output file. To get around my limited Rust knowledge, I asked ChatGPT to translate the challenge source doe into Python [4]. Here we can more easily see that the output consists of a subset sum problem, more precisely it closely resembles a Merkle-Hellman scheme. ...

You know when they say the preimages of a hashfunction should be hard to compute and than they choose some weak primitive recursive function. I present to you a revolutionary solution that builds upon (quite literally) one of the largest problems of computer science. Try bruteforcing this. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{I_H0pe_y0u_d1d_N0T_BrUT3F0RC3_Th15?_D1d_Y0U!!_3s2l1j} Writeup Context In this challenge, we are given the source code to generate “hashes” of the secret flag, and the outputs of several execution of this code. The flag is split into 4 byte chunks, then processed using the chain() and keyedAck() functions. ...

You read the title and thought Blockchain? You were successfully baited. Like the people before you, you now have to solve this challenge. Category: Crypto Solver: SchizophrenicFish2nds Flag: GPNCTF{One_T1me_p4ds_m4y_n3v3r_b3_r3u53d!!!} Writeup We are given a ciphertext that was produced as $ C = P \oplus K $ for some random, repeating 5 byte key $K$. Since we know several letters of the plaintext, we can compute the key as $ K = P \oplus C $ for the first 5 bytes, then perform the encryption operation to get $ C \oplus K = P \oplus K \oplus K = P \oplus 0 = P$ ...

I have developed a new, revolutionary cipher that is not constrained to one block cipher. It is safe and secure. If you are not convinced, I will provide a flag to anyone who manages to win the ‘In No Desirable Case Attacks Possible’ (IND-CPA) mode. Category: Crypto Solver: Greenscreen23, SchizophrenicFish2nds Flag: GPNCTF{stop_breaking_it_It_is_even_called_safe} Writeup Context We are presented with an IND-CPA game for an AES cipher with a custom block mode. ...

Somewhere under a big pile of paper I found some notes about this really cool encryption algorithm. I updated it to the digital age in the hope that it is much safer now. Category: Crypto Solver: Greenscreen23 Flag: GPNCTF{itturnsoutthatbitsdonotmakecolumnartransposedifficultenoughatleastifyouencodeitwithasciigjnogoandbreakdoppelwuerfeltheflagendshereenjoyreadingsomemoretextihopeyoulikedthechallenge} Writeup Context We are given a rust file that encrypts the bits of the flag using a transposition cipher with a random key. The flag bits are split into blocks of an unknown key length, which are arranged as rows in a table, without any padding in the last row. The columns of the table are then permuted according to the key and concatinated column by column. This ciphertext is given. ...

Okay honestly I don’t know how I can possibly justify this. Either this is hard or I fucked up spectacular. No this challenges has not been playtested. But a solve script exists. Note from the infra team: No authors were hurt in the making of this CTF. They were insane already… Category: Crypto Solver: Greenscreen23, SchizophrenicFish2nds, 3mb0 Flag: GPNCTF{F1eLd_Th30ry_is_fun!11_05ba} Writeup Disclaimer: We are not mathematicians and many of these terms were new to us. This writeup therefore will include no proof but rather observations we had. We will also try to explain concepts we feel are beneficial to understanding the challenge (and sage code). ...

“Random nonces? Where we’re going, we don’t need random nonces!” - D. Brown Category: crypto Solver: 3mb0, nh1729 Flag: HTB{buzzw0rd_s0up_h45_n3v3r_t45t3d_s0_g00d} Writeup For this challenge, we were given a python script that processes the flag and some other file alongside its output and additional files used . import random from Crypto.Util.number import bytes_to_long from functools import reduce def buzzor(b1, b2): return bytes([_b1 ^ _b2 for _b1, _b2 in zip(b1, b2)]) def buzzrandom(): return bytes([random.randrange(0, 2) for _ in range(keylen)]) flag = bytes_to_long(open("flag.txt", "rb").read()) buzzwords = open("bee_movie.txt", "rb").read() keylen = 0xbb buzzword_soup = [buzzwords[i:i+keylen] for i in range(0, len(buzzwords), keylen)][:-1] buzzcount = len(buzzword_soup) with open("output.txt", "w") as f: while flag: bit = flag & 1 flag >>= 1 output = "" for _ in range(0xb): keycount = random.randrange(buzzcount//4, buzzcount//2) keys = random.sample(buzzword_soup, keycount) out = reduce(buzzor, keys) if bit: output += out.hex() else: output += buzzor(out, buzzrandom()).hex() f.write(output + "\n") From the script we learn that every line in the output corresponds to one bit of the flag. ...

Sometimes, you can find patterns in seemingly random things… Category: crypto Solver: 3mb0, nh1729 Flag: HTB{n01sy_LF5R-1s_n0t_l0ud_3n0ugh} Writeup For this challenge, we were given a python script that processes the flag alongside its output. import random from hashlib import sha512 class LFSR: def __init__(self, state, taps): self.state = list(map(int, list("{:0128b}".format(state)))) self.taps = taps def clock(self): outbit = self.state[0] newbit = sum([self.state[t] for t in self.taps]) & 1 self.state = self.state[1:] + [newbit] return outbit key = random.getrandbits(128) G = LFSR(key, [0, 1, 2, 7, 3]) [G.clock() for _ in range(256)] stream = [G.clock() for _ in range(5000)] noise = [int(random.random() > 0.95) for _ in range(5000)] stream = [x ^ y for x, y in zip(stream, noise)] print(stream) flag = open("flag.txt", "rb").read() enc = bytes([x ^ y for x, y in zip(sha512(str(key).encode()).digest(), flag)]) print(enc.hex()) The script generates a key of 128 random bits and uses it as IV for a linear feedback shift register (LFSR) and encryptes the flag with the sha512 of the key. We get the encrypted flag and 5000 bits of output from the LFSR, which are generated after 256 clocks. However, about 5% of the 5000 bits are flipped at random before. ...

Steam Technologies is a service provider which uses strictly steam-powered computers. They have recently developed a new type of oracle taking advantage of the steam-power architecture. They offer a huge price in case someone decrypts the message from their service. Are you up for the challenge? Category: crypto Solver: n1k0, nh1729 Flag: HTB{m4ng3r5_4tt4ck_15_c001_4nd_und3rv4lu3d} Writeup We need to decrypt an RSA ciphertext and for that we are provided with the ciphertext, the public key, and an oracle. We can query the oracle with ciphertexts, it decrypts them with the private key belonging to the provided public key, and then responds with the byte length of the decrypted message. ...

Jones and his crew have started a long journey to discover the legendary treasure left by the guardians of time in the early beginnings of the universe. Mr Jones, though, is wanted by the government for his crimes as a pirate. Our agents entered his base and discovered digital evidence about the way captain Jones contacts with his closest friends back home. We managed to get his last message, sent to his best friend. Could you help us decrypt it? ...

Your mechanical arm needs to be replaced. Unfortunately, Steamshake Inc which is the top mechanical arm transplants has a long waiting list. You have found a SQL injection vulnerability and recovered two tables from their database. Could you take advantage of the information in there to speed things up? Don’t forget, you have a date on Monday! Category: crypto Solver: n1k0 Flag: HTB{t3ll_m3_y0ur_s3cr37_w17h0u7_t3ll1n9_m3_y0ur_s3cr37_15bf7w} Writeup In the provided source code we see that we need to provide a signed message (ECDSA) for a specific appointment to get the flag. Additionally, there is a list of appointments and a list of signatures for these appointments. So probably we need to use this to forge a signature. It is suspicious that we also get the 7 least significant bits of the nonce k, which is used for signing. A quick research on malleability and private key recovery of ECDSA signatures [1][2] reveals that not only the reuse of k or a bias in its selection poses a security issue, but also leakage of the nonce, even partially, can be used to recover the private key if enough signatures are provided. ...

After a long investigation we have revealed the enemy’s service, which provides their agents with any needed documents. Recent events indicate that there are double agents among us. We need to read the double_agents.txt file in order to identify their names and treat them accordingly. Can you do it? Category: crypto Solver: kh1 Flag: HTB{1v_sh01d_b3_r4nd0m} Writeup When connecting to the server, it sends Welcome, agent! Request a document: When sending something after this, the server interprets it as hexadecimal data and decodes it. If the decoded data is a multiple of 16 bytes long, it is decrypted (using AES in CBC mode) and the content of the file with the decrypted string as name is returned. ...

Our domain has been attacked. An APT group has taken over our server and they have locked us out. Our incident response team was able to find some files added on the upload directory but havent been able to extract any information from them. Could you help us login back? Category: crypto Solver: Miroka, HTTP418, kh1 Flag: HTB{15b_4tt4ck5_4r3_c001} Writeup What we got encryption.py - the script used to encrypt the new password leaks - the script’s variables n, rp, and rq new_password - the encrypted new password encryption.py resembles RSA encryption with two primes p and q that are slightly above square numbers and the variables rp = 228 and rq = 75 tell us, how much above. We have also given the implicit RSA-e-Variable of the public key as it is a constant in the encryption.py. ...

There is serious suspicion that John is a double agent. We found the cipher in his trash can. It looks like he extracted the message and forgot to get rid of the evidence. Can you decrypt the secret message? Category: crypto Solver: kh1 Flag: HTB{m1551ng_v4lu35_m4k3_m3_s1ck} Writeup flag.txt contains a list of 32 lists containing 32 numbers from 0 to 255 each. This is a One-Time-Pad with 32 parts, xoring the lists and interpreting the result as ascii code gives the flag. ...

The earth has been taken over by cyborgs for a long time. We are a group of humans, called ‘The Rebellion’, fighting for our freedom. Lately, cyborgs have set up a lab where they insert microchips inside humans to track them down. Our team of IT experts has hacked one of the cyborgs’ mail servers. There is a suspicious encrypted mail which possibly contains information related to the location of the lab. Can you decrypt the message and find the coordinates of the lab? ...

I am the Doctor and I am in huge trouble. Rumors have it, you are the best time machine engineer in the galaxy. I recently bought a new randomiser for Tardis on Yquantine, but it must be counterfeit. Now every time I want to time travel, I will end up in a random year. Could you help me fix this? I need to find Amy and Rory! Daleks are after us. Did I say I am the Doctor? ...

Chasa, world’s most dangerous gangster, is planning to equip his team with new tools. There is a cargo ship arriving tomorrow morning and the coast guard needs your help to seize the cargo. Our investigators have found the crypto service used by Chasa and his team to communicate for these kind of jobs. Can you decrypt the broadcasted message and identify the container to be seized? Category: Crypto Solvers: 3mb0, mp455, lmarschk ...

A rogue employe managed to steal a file from his work computer, he encrypted the file with RSA before he got apprehended. We only managed to recover the public key, can you help us decrypt this ciphertext? Category: Crypto Solvers: 3mb0, lmarschk, HTTP418, miroka For this challenge, we had a public RSA key with 1026 Bit and a file that was encrypted with the corresponding private key. First approach: manual generate private key We analyzed the given public key with openssl rsa -noout -text -inform PEM -in pubkey.pem -pubin: ...