Hackcon 2018 Writeup

この大会は2018/8/17 0:30(JST)~2018/8/17 12:30(JST)に開催されました。
今回もチームで参戦。結果は955点で461チーム中12位でした。
自分で解けた問題をWriteupとして書いておきます。

Join us! (Misc 5)

Telegram Channelにアクセスするとフラグの前半が書いてある。

d4rk{4ll_th3_

HackCon's18のGroup InfoのDESCRIPTIONの最後にフラグの後半が書いてある。

b3s7!}c0de
d4rk{4ll_th3_b3s7!}c0de

Caesar Salad (Junior/Facche 10)

https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号。ROT13で復号できた。

d4rk{g1t_gud_c4es4r}c0de

Hoaxes and Hexes (Junior/Facche 20)

JPGファイルが与えられている。

$ strings maymays.jpg | grep d4rk
d4rk{1m_d0wn_h3r3}c0de
d4rk{1m_d0wn_h3r3}c0de

Salad Upgrades (Junior/Facche 20)

シーザー暗号のようだが、少し違うようだ。フラグの { の前までのアルファベットのインデックスを見てみる。

d(3) -> e(4)
4
r(17) -> u(20)
k(10) -> o(14)

シフトする数が1から順に増やしていると思われる。

import string

chars = string.lowercase

enc = 'e4uo{zo1b_1e_f0j4l10i}z0ce'

flag = ''
for i in range(len(enc)):
    if enc[i] in chars:
        flag += chars[(chars.index(enc[i]) - (i + 1)) % len(chars)]
    else:
        flag += enc[i]

print flag
d4rk{th1s_1s_r0t4t10n}c0de

Find Me, ASAP (Junior/Facche 20)

ASCIIコードが並んでいるので、文字に変換する。

with open('findme.txt', 'r') as f:
    data = f.read().strip()

codes = map(int, data.split(' '))

msg = ''
for code in codes:
    msg += chr(code)
print msg

変換結果は以下の通り。

ASCII abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Most modern character-encoding schemes are based on ASCII, although they support many additional characters.
ASCII is the traditional name for the encoding system; the Internet Assigned Numbers Authority (IANA) prefers the updated name US-ASCII, which clarifies that this system was developed in the US and based on the typographical symbols predominantly in use there.
ASCII is one of the IEEE milestones.
ASCII was developed from telegraph code. Its first commercial use was as a seven-bit teleprinter code promoted
by Bell data services. Work on the ASCII standard began on October 6, 1960, with the first meeting of the American Standards Association's (ASA) (now the American National Standards Institute or ANSI) X3.2 subcommittee. The first edition of the standard was d4rk{4sc11_n_gr3p}c0de published in 1963, underwent a major revision during 1967, and experienced its most recent update during 1986.[7] Compared to earlier telegraph codes, the proposed Bell code and ASCII were both ordered for more convenient sorting (i.e., alphabetization) of lists, and added features for devices other than teleprinters.
Originally based on the English alphabet, ASCII encodes 128 specified characters into seven-bit integers as shown by the ASCII chart above. Ninety-five of the encoded characters are printable: these include the digits 0 to 9, lowercase letters a to z, uppercase letters A to Z, and punctuation symbols. In addition, the original ASCII specification included 33 non-printing control codes which originated with Teletype machines; most of these are now obsolete.
For example, lowercase i would be represented in the ASCII encoding by binary 1101001 = hexadecimal 69 (i is the ninth letter) = decimal 105.
ASCII was first used commercially during 1963 as a seven-bit teleprinter code for American Telephone & Telegraph's TWX (TeletypeWriter eXchange) network. TWX originally used the earlier five-bit ITA2, which was also used by the competing Telex teleprinter system. Bob Bemer introduced features such as the escape sequence.[3] His British colleague Hugh McGregor Ross helped to popularize this work ?Eaccording to Bemer, "so much so that the c
ode that was to become ASCII was first called the Bemer-Ross Code in Europe". Because of his extensive work on
ASCII, Bemer has been called "the father of ASCII".
On March 11, 1968, U.S. President Lyndon B. Johnson mandated that all computers purchased by the United States
federal government support ASCII, stating:
I have also approved recommendations of the Secretary of Commerce regarding standards for recording the Standard Code for Information Interchange on magnetic tapes and paper tapes when they are used in computer operations. All computers and related equipment configurations brought into the Federal Government inventory on and after
July 1, 1969, must have the capability to use the Standard Code for Information Interchange and the formats prescribed by the magnetic tape and paper tape standards when these media are used.
ASCII was the most common character encoding on the World Wide Web until December 2007, when UTF-8 encoding surpassed it; UTF-8 is backward compatible with ASCII.

長文だがフラグが含まれていた。

d4rk{4sc11_n_gr3p}c0de

Twins (Steg 50)

2つのファイルが添付されていて、両方ともテキスト文字が並んでいる。同じ位置に同じ文字が書いてあるものを抜き出してみる。

with open('file1', 'rb') as f:
    data1 = f.read()

with open('file2', 'rb') as f:
    data2 = f.read()

flag = ''
for i in range(len(data1)):
    if data1[i] == data2[i]:
        flag += data1[i]
print flag
d4rk{lo0king_p4st_0ur_d1ff3renc3s}c0de

Diversity (Crypto 30)

スペース区切りで、2進数、8進数、10進数、16進数が並んでいる。目印は先頭にあり、以下の通りとなっている。

b: 2進数
o: 8進数
d: 10進数
x: 16進数

ASCII文字に変換する。

enc = 'b1001000 x69 d33 d32 o127 b1100101 o154 o143 b1101111 o155 o145 d32 o164 d111 d32 x48 b1100001 x63 o153 b1000011 o157 x6e d39 o61 b111000 x2c d32 d111 b1110010 d103 d97 x6e o151 x73 d101 d100 o40 d97 b1110011 b100000 x70 o141 o162 x74 d32 x6f x66 b100000 o105 b1110011 x79 b1100001 d39 d49 b111000 x20 b1100010 d121 b100000 x49 o111 b1001001 x54 b100000 b1000100 x65 x6c o150 x69 b101110 x20 o111 d110 b100000 o143 d97 d115 o145 o40 b1111001 b1101111 x75 b100111 x72 x65 x20 x73 x65 b1100101 b1101011 x69 o156 x67 d32 b1100001 o40 o162 x65 o167 b1100001 o162 o144 d32 x66 d111 x72 b100000 o171 x6f d117 b1110010 o40 d101 x66 x66 x6f x72 d116 o163 x2c b100000 d104 b1100101 d114 o145 x27 d115 x20 b1100001 d32 d102 d108 b1100001 x67 x20 x3a b100000 o144 x34 o162 x6b x7b o151 d95 d87 o151 x73 b100011 d95 x41 o61 x6c d95 b1110100 d52 d115 b1101011 d53 o137 o167 x33 d114 o63 o137 d116 b1101000 o151 o65 x5f x33 d52 o65 o171 o137 x58 b1000100 b1000100 b1111101 x63 d48 d100 d101 d46 b100000 o101 x6e b1111001 d119 b1100001 b1111001 x73 b101100 x20 o150 d111 b1110000 b1100101 o40 x79 o157 d117 b100000 b1101000 o141 x76 x65 b100000 d97 x20 o147 d111 b1101111 d100 b100000 b1110100 b1101001 d109 b1100101 d32 x3b x29'
codes = enc.split(' ')

flag = ''
for code in codes:
    if code[0] == 'b':
        flag += chr(int(code[1:], 2))
    elif code[0] == 'o':
        flag += chr(int(code[1:], 8))
    elif code[0] == 'd':
        flag += chr(int(code[1:], 10))
    elif code[0] == 'x':
        flag += chr(int(code[1:], 16))

print flag
d4rk{i_Wis#_A1l_t4sk5_w3r3_thi5_345y_XDD}c0de

Lite N' Easy (Crypto 50)

7 segment displayのデジタル表記を示している。テキストで同等の表示にする。
enc = '01001110-00100000-00111010-00001100-11011110-00011110-00000000-01100000-00101010-01111010-00100000-11110110-00111010-00000000-11111110-00001100-00111000-11011110-00000000-10111100-00001010-11011110-11011110-00101010-00000000-01110110-11011110-00001100-00001100-00111010-01010110-00000000-11111100-00001010-11111010-00101010-11110110-11011110-00000000-11101110-11011110-01111011-00000000-10001110-00001100-11111010-11110110-00000000-00100000-10110110-00000000-00011101-10011111-01111011-10110111-11111110-00001010-00100000-00101010-11110111-01111000-00111010-01100111-10001100-00111011-10101010-11011110'
codes = enc.split('-')

line1 = ''
for code in codes:
    if code[0] == '1':
        line1 += ' _  '
    else:
        line1 += '    '

line2 = ''
for code in codes:
    561
    if code[5] == '1':
        line2 += '|'
    else:
        line2 += ' '
    if code[6] == '1':
        line2 += '_'
    else:
        line2 += ' '
    if code[1] == '1':
        line2 += '|'
    else:
        line2 += ' '
    line2 += ' '

line3 = ''
for code in codes:
    561
    if code[4] == '1':
        line3 += '|'
    else:
        line3 += ' '
    if code[3] == '1':
        line3 += '_'
    else:
        line3 += ' '
    if code[2] == '1':
        line3 += '|'
    else:
        line3 += ' '
    if code[7] == '1':
        line3 += '.'
    else:
        line3 += ' '

flag = line1 + '\n' + line2 + '\n' + line3

with open('flag.txt', 'w') as f:
    f.write(flag)
以下のような表示となる。
                 _                           _           _           _       _       _   _               _                       _       _       _   _       _   _           _       _   _           _           _       _   _               _               _       _   _  
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ . _ . _ . _ . _ _ . _ _ . _ . _
途中までの文字は以下のようになっていると考えられる。
Violet Indigo Blue Green Yellow Orange Red. Flag is ????????
色の英語表記から、不明な英語表記の読み方を推測する。例えば、"m"は"Yellow"の"w"の上下逆さになっていることから推測できる。この結果、以下のようになると推測した。
Violet Indigo Blue Green Yellow Orange Red. Flag is L.E.d.s.Bring.Joy.To.me
d4rk{L.E.d.s.Bring.Joy.To.me}c0de

Ron, Adi and Leonard (Crypto 100)

eが非常に大きいので、Wiener's attackで復号する。
import math

def DevContinuedFraction(num, denum):
    partialQuotients = []
    divisionRests = []
    for i in range(int(math.log(denum, 2))):
        divisionRests = num % denum
        partialQuotients.append(num / denum)
        num = denum
        denum = divisionRests
        if denum == 0:
            break
    return partialQuotients

def DivergentsComputation(partialQuotients):
    (p1, p2, q1, q2) = (1, 0, 0, 1)
    convergentsList = []
    for q in partialQuotients:
        pn = q * p1 + p2
        qn = q * q1 + q2
        convergentsList.append([pn, qn])
        p2 = p1
        q2 = q1
        p1 = pn
        q1 = qn
    return convergentsList

def SquareAndMultiply(base,exponent,modulus):
    binaryExponent = []
    while exponent != 0:
        binaryExponent.append(exponent % 2)
        exponent = exponent / 2
    result = 1
    binaryExponent.reverse()
    for i in binaryExponent:
        if i == 0:
            result = (result * result) % modulus
        else:
            result = (result * result * base) % modulus
    return result

def WienerAttack(e, n, c):
    testStr = 42
    c = SquareAndMultiply(testStr, e, n)
    for C in DivergentsComputation(DevContinuedFraction(e, n)) :
        if SquareAndMultiply(c, C[1], n) == testStr :
            FullReverse(n, e, C)
            return C[1]
    return -1

def GetTheFlag(c, n, d) :
    p = pow(c, d, n)
    size = len('{:02x}'.format(p)) // 2
    print ''.join([chr((p >> j) & 0xff) for j in reversed(range(0, size << 3, 8))])

def find_invpow(x, n):
    high = 1
    while high ** n < x:
        high *= 2
    low = high / 2
    while low < high:
        mid = (low + high) // 2
        if low < mid and mid ** n < x:
            low = mid
        elif high > mid and mid ** n > x:
            high = mid
        else:
            return mid
    return mid + 1

def FullReverse(n, e, c) :
    phi = (e * c[1] - 1) // c[0]
    a = 1
    b = -(n - phi + 1)
    c = n
    delta = b * b - 4 * a * c
    if delta > 0 :
        x1 = (- b + find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
        x2 = (- b - find_invpow((b * b - 4 * a * c), 2)) / (2 * a)
        if x1 * x2 == n:
            print 'p = ' + str(x1)
            print 'q = ' + str(x2)

if __name__ == "__main__":
    n = 744818955050534464823866087257532356968231824820271085207879949998948199709147121321290553099733152323288251591199926821010868081248668951049658913424473469563234265317502534369961636698778949885321284313747952124526309774208636874553139856631170172521493735303157992414728027248540362231668996541750186125327789044965306612074232604373780686285181122911537441192943073310204209086616936360770367059427862743272542535703406418700365566693954029683680217414854103

    e = 57595780582988797422250554495450258341283036312290233089677435648298040662780680840440367886540630330262961400339569961467848933132138886193931053170732881768402173651699826215256813839287157821765771634896183026173084615451076310999329120859080878365701402596570941770905755711526708704996817430012923885310126572767854017353205940605301573014555030099067727738540219598443066483590687404131524809345134371422575152698769519371943813733026109708642159828957941

    c = 305357304207903396563769252433798942116307601421155386799392591523875547772911646596463903009990423488430360340024642675941752455429625701977714941340413671092668556558724798890298527900305625979817567613711275466463556061436226589272364057532769439646178423063839292884115912035826709340674104581566501467826782079168130132642114128193813051474106526430253192254354664739229317787919578462780984845602892238745777946945435746719940312122109575086522598667077632

    d = WienerAttack(e, n, c)
    GetTheFlag(c, n, d)
d4rk{r3p34t3ed_RsA_1s_f0r_n00bs}c0de

Tripple FUN (Crypto 120)

IV(DESのkey)のブルートフォースで復号する。8/17に生成されたとみて、IVは34431600からスタートする。
PI = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

CP_1 = [57, 49, 41, 33, 25, 17, 9,
        1, 58, 50, 42, 34, 26, 18,
        10, 2, 59, 51, 43, 35, 27,
        19, 11, 3, 60, 52, 44, 36,
        63, 55, 47, 39, 31, 23, 15,
        7, 62, 54, 46, 38, 30, 22,
        14, 6, 61, 53, 45, 37, 29,
        21, 13, 5, 28, 20, 12, 4]

CP_2 = [14, 17, 11, 24, 1, 5, 3, 28,
        15, 6, 21, 10, 23, 19, 12, 4,
        26, 8, 16, 7, 27, 20, 13, 2,
        41, 52, 31, 37, 47, 55, 30, 40,
        51, 45, 33, 48, 44, 49, 39, 56,
        34, 53, 46, 42, 50, 36, 29, 32]

E = [32, 1, 2, 3, 4, 5,
     4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,
     20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,
     28, 29, 30, 31, 32, 1]

S_BOX = [
[[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
 [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
 [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
 [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
],
[[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
 [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
 [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
 [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
],
[[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
 [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
 [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
 [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
],
[[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
 [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
 [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
 [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
],  
[[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
 [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
 [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
 [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
], 
[[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
 [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
 [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
 [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
], 
[[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
 [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
 [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
 [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12],
],
[[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
 [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
 [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
 [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11],
]
]

P = [16, 7, 20, 21, 29, 12, 28, 17,
     1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9,
     19, 13, 30, 6, 22, 11, 4, 25]

PI_1 = [40, 8, 48, 16, 56, 24, 64, 32,
        39, 7, 47, 15, 55, 23, 63, 31,
        38, 6, 46, 14, 54, 22, 62, 30,
        37, 5, 45, 13, 53, 21, 61, 29,
        36, 4, 44, 12, 52, 20, 60, 28,
        35, 3, 43, 11, 51, 19, 59, 27,
        34, 2, 42, 10, 50, 18, 58, 26,
        33, 1, 41, 9, 49, 17, 57, 25]

SHIFT = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]

def string_to_bit_array(text):
    array = list()
    for char in text:
        binval = binvalue(char, 8)
        array.extend([int(x) for x in list(binval)]) 
    return array

def bit_array_to_string(array): 
    res = ''.join([chr(int(y,2)) for y in [''.join([str(x) for x in bytes]) for bytes in  nsplit(array,8)]])   
    return res

def binvalue(val, bitsize): 
    binval = bin(val)[2:] if isinstance(val, int) else bin(ord(val))[2:]
    if len(binval) > bitsize:
        raise "binary value larger than the expected size"
    while len(binval) < bitsize:
        binval = "0"+binval 
    return binval

def nsplit(s, n):
    return [s[k:k+n] for k in xrange(0, len(s), n)]

ENCRYPT=1
DECRYPT=0

class des():
    def __init__(self):
        self.password = None
        self.text = None
        self.keys = list()

    def run(self, key, text, action=ENCRYPT, padding=False):
        if len(key) < 8:
            raise "Key Should be 8 bytes long"
        elif len(key) > 8:
            key = key[:8] 

        self.password = key
        self.text = text

        if padding and action==ENCRYPT:
            self.addPadding()
        elif len(self.text) % 8 != 0:
            raise "Data size should be multiple of 8"

        self.generatekeys() 
        text_blocks = nsplit(self.text, 8) 
        result = list()
        for block in text_blocks:
            block = string_to_bit_array(block)
            block = self.permut(block,PI)
            g, d = nsplit(block, 32) 
            tmp = None
            for i in range(16): 
                d_e = self.expand(d, E) 
                if action == ENCRYPT:
                    tmp = self.xor(self.keys[i], d_e)
                else:
                    tmp = self.xor(self.keys[15-i], d_e)
                tmp = self.substitute(tmp) 
                tmp = self.permut(tmp, P)
                tmp = self.xor(g, tmp)
                g = d
                d = tmp
            result += self.permut(d+g, PI_1) 
        final_res = bit_array_to_string(result)
        if padding and action==DECRYPT:
            return self.removePadding(final_res) 
        else:
            return final_res 

    def substitute(self, d_e):
        subblocks = nsplit(d_e, 6)
        result = list()
        for i in range(len(subblocks)): 
            block = subblocks[i]
            row = int(str(block[0])+str(block[5]),2)
            column = int(''.join([str(x) for x in block[1:][:-1]]),2) 
            val = S_BOX[i][row][column] 
            bin = binvalue(val, 4)
            result += [int(x) for x in bin]
        return result

    def permut(self, block, table):
        return [block[x-1] for x in table]

    def expand(self, block, table):
        return [block[x-1] for x in table]

    def xor(self, t1, t2):
        return [x^y for x,y in zip(t1,t2)]

    def generatekeys(self):
        self.keys = []
        key = string_to_bit_array(self.password)
        key = self.permut(key, CP_1) 
        g, d = nsplit(key, 28) 
        for i in range(16):
            g, d = self.shift(g, d, SHIFT[i]) 
            tmp = g + d 
            self.keys.append(self.permut(tmp, CP_2))

    def shift(self, g, d, n): 
        return g[n:] + g[:n], d[n:] + d[:n]

    def addPadding(self):
        pad_len = 8 - (len(self.text) % 8)
        self.text += pad_len * chr(pad_len)

    def removePadding(self, data):
        pad_len = ord(data[-1])
        return data[:-pad_len]

    def encrypt(self, key, text, padding=False):
        return self.run(key, text, ENCRYPT, padding)

    def decrypt(self, key, text, padding=False):
        return self.run(key, text, DECRYPT, padding)

if __name__ == '__main__':
    enc = '|\xb3Wm\x83\rE7h\xe3\xc0\xf1^Y\xf0\x8d\xa6I\x92\x9b\xa5\xbc\xdc\xca\x9d\xcd\xe9a0\xa3\x00\xf2\x13\x16]|\xae\xd8\x84\x88'
    for iv in range(34431600, 100000000):
        IV = str(iv).zfill(8)
        d = des()
        flag = d.decrypt(IV, d.decrypt(IV, d.decrypt(IV, enc)))
        if 'd4rk{' in flag:
            print IV
            print flag
            break
d4rk{0h_lol_t1m3_i5_n0t_A_g00d_s33d}c0de

TJCTF 2018 Writeup

この大会は2018/8/7 10:00(JST)~2018/8/13 10:00(JST)に開催されました。
今回もチームで参戦。結果は2315点(満点)で542チーム中3位でした。
自分で解けた問題をWriteupとして書いておきます。

Blank (Web 5)

HTMLソースを見ると、コメントにフラグが書いてある。

tjctf{50urc3_c0d3_n3v3r_l0535}

Trippy (Miscellaneous 5)

GIFファイルが与えられている。

$ strings be37fef78cfd6c7deda71154f567e6d0cfefbda1f80698c064bab469d3a54c58_trippy.gif | grep tjctf
tjctf{w0w}
tjctf{w0w}

Weird Logo (Forensics 5)

StegsolveでPNGファイルを開く。
Red plane 1でフラグが表示された。
f:id:satou-y:20180814104242p:plain

tjctf{in_plain_sight}

Discord! (MIscellaneous 5)

Discordにjoinする。#flagチャネルのメッセージにフラグが書いてある。

tjctf{d1sc0rd_1s_pr3tty_c0ol}

Cookie Monster (Web 10)

クッキーのflagパラメータにフラグが設定されている。
>
tjctf{c00ki3s_over_h0rs3s}

Central Savings Account (Web 10)

HTMLソースを見る。https://central_savings_account.tjctf.org/static/main.jsを見ると、パスワードはmd5が698967f805dea9ea073d188d73ab7390になるものとわかる。Googleで逆変換したデータを検索する。

avalon

Vinegar (Cryptography 15)

Vigenere暗号。キーの長さは9。先頭5文字はtjctfに復号されることから、キーの前半5文字だけ決定できる。残り4文字はブルートフォースハッシュ値が一致するものを探す。

import string
import hashlib
import itertools

def get_flag(s):
    flag = s[:5]
    flag += '{'
    flag += s[5:]
    flag += '}'
    return flag

target = '8304c5fa4186bbce7ac030d068fdd485040e65bf824ee70b0bdbac03862bec93'

al_l = string.lowercase

c = 'uucbxsimbjyaqyvzbzfdatshktkbde'
p_head = 'tjctf'
k_size = 9

k = ''
for i in range(len(p_head)):
    index = al_l.index(c[i]) - al_l.index(p_head[i])
    if index < 0:
        index += len(al_l)
    k += al_l[index]

for s in itertools.product(al_l, repeat=4):
    key = k + ''.join(s)
    p = ''
    for i in range(len(c)):
        index = al_l.index(c[i]) - al_l.index(key[i%k_size])
        if index < 0:
            index += 26
        p += al_l[index]
        flag = get_flag(p)
    if hashlib.sha256(flag).hexdigest() == target:
        print 'key =', key
        print 'flag =', flag
        break

実行結果は以下の通り。

key = blaisevig
flag = tjctf{onevinaigrettesaladplease}
tjctf{onevinaigrettesaladplease}

Caesar's Complication (Cryptography 20)

縦横斜めでtjctf{のシフト暗号を探す。見つけたらその部分を復号する。

import string

def ceaser(s, shift):
    chars = string.lowercase
    enc = ''
    for i in range(len(s)):
        if s[i] in chars:
            idx = chars.index(s[i]) + shift
            if idx >= 26:
                idx -= 26
            enc += chars[idx]
        else:
            enc += s[i]
    return enc

def get_enc_flag(tbl, x0, y0, x_vec, y_vec):
    enc_flag = ''
    x = x0
    y = y0
    while True:
        if x < -1 or x > 99 or y < 0 or  y > 99:
            break
        enc_flag += tbl[x][y]
        x += x_vec
        y += y_vec
    enc_flag = enc_flag[:enc_flag.find('}') + 1]
    return enc_flag

def decrypt_flag(s):
    for i in range(26):
        flag = ceaser(s, i)
        if flag.startswith(pre_flag):
            return flag
    return ''

pre_flag = 'tjctf{'
l = len(pre_flag)

words = []
for i in range(26):
    words.append(ceaser(pre_flag, i))

with open('puzzle', 'r') as f:
    lines = f.readlines()

tbl = []
for line in lines:
    tbl.append(list(line.strip()))

## across ##
for i in range(100):
    for j in range(101 - len(pre_flag)):
        parts = ''.join(tbl[i][j:j+l])
        for word in words:
            if parts == word:
                print 'across'
                enc_flag = get_enc_flag(tbl, i, j, 0, 1)

## down ##
for i in range(101 - len(pre_flag)):
    for j in range(100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j]
            for word in words:
                if parts == word:
                    print 'down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, 0)

## right down ##
for i in range(101 - len(pre_flag)):
    for j in range(101 - len(pre_flag)):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j+k]
            for word in words:
                if parts == word:
                    print 'right down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, 1)

## left down ##
for i in range(101 - len(pre_flag)):
    for j in range(len(pre_flag), 100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i+k][j-k]
            for word in words:
                if parts == word:
                    print 'left down'
                    enc_flag = get_enc_flag(tbl, i, j, 1, -1)

## right up ##
for i in range(len(pre_flag), 100):
    for j in range(101 - len(pre_flag)):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i-k][j+k]
            for word in words:
                if parts == word:
                    print 'right up'
                    enc_flag = get_enc_flag(tbl, i, j, -1, 1)

## left up ##
for i in range(len(pre_flag), 100):
    for j in range(len(pre_flag), 100):
        parts = ''
        for k in range(len(pre_flag)):
            parts += tbl[i-k][j-k]
            for word in words:
                if parts == word:
                    print 'left up'
                    enc_flag = get_enc_flag(tbl, i, j, -1, -1)

flag = decrypt_flag(enc_flag)
print flag

実行結果は以下の通り。

right up
tjctf{idesofmarch}
tjctf{idesofmarch}

Classic (Cryptography 40)

RSA暗号。Fermat法でnを素因数分解し、復号する。

from Crypto.Util.number import inverse

def isqrt(n):
    x = n
    y = (x + n // x) // 2
    while y < x:
        x = y
        y = (x + n // x) // 2
    return x

def fermat(n):
    x = isqrt(n) + 1
    y = isqrt(x * x - n)
    while True:
        w = x * x - n - y * y
        if w == 0:
            break
        elif w > 0:
            y += 1
        else:
            x += 1
    return x - y, x + y

e = 65537
n = 128299637852747781491257187842028484364103855748297296704808405762229741626342194440837748106022068295635777844830831811978557490708404900063082674039252789841829590381008343327258960595508204744589399243877556198799438322881052857422197506822302290812621883700357890208069551876513290323124813780520689585503
c = 43160414063424128744492209010823042660025171642991046645158489731385945722740307002278661617111192557638773493117905684302084789590107080892369738949935010170735247383608959796206619491522997896941432858113478736544386518678449541064813172833593755715667806740002726487780692635238838746604939551393627585159

p, q = fermat(n)

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)

flag = ('%x' % m).decode('hex')
print flag
tjctf{1_l1ke_squares}

RC4 took an L (Cryptography 40)

いろいろ調べたら、RC4ならぬLC4というのがあるらしい。
https://eprint.iacr.org/2017/339.pdf
alphabetは#_23456789abcdefghijklmnopqrstuvwxyzで問題と一致する。pythonでlc4ライブラリがあるので、それを使えば簡単に復号できる。

from lc4 import decrypt

key = 'pq_xc589r3nb#mgjtkh7w2dlfvy4eaoi6uzs'
ciphertext = 'wpwt#5ng4_qbitp#8mq59r_g866c4t59c6vy6tisj4af6bprfnbd_wrq2wjmr4ld_s26a7i#biiyqjolq8lus_wfusfkj8xv2qrrv3etab_marovc#uuoueyl'

flag = decrypt(key, ciphertext)
print flag

復号すると、以下の文字列。

i_hope_that_by_making_this_long_you_will_assume_substitution_cipher_and_go_to_quip_qiup_the_flag_is#elsie_four_is_not_rc4
tjctf{elsie_four_is_not_rc4}

Grid Parser (Forensics 45)

ZIP解凍し、xl/media/password.pngを取り出す。ファイルの後半がZIPになっているが、パスワードがかかっている。

$ fcrackzip -u -l 1-4 flag.zip


PASSWORD FOUND!!!!: pw == px

このパスワードで解凍したflag.txtにフラグが書いてある。

tjctf{n0t_5u5_4t_4LL_r1gHt?}

Bad Cipher (Reverse Engineering 50)

コードを読む。sはmessageをkeyの長さに振り分けたもの。

例)
message = "ABCDEFGHI"
key = "aaaa"
['AEI', 'BF', 'CG', 'DH']

■変換
[0]
0: ord('A') ^ ord(k[0]) ^ (a00>>2) -> (sp)
1: ord('E') ^ ord(k[0]) ^ (a01>>2) -> ,
2: ord('I') ^ ord(k[0]) ^ (a02>>2) -> #
[1]
0: ord('B') ^ ord(k[1]) ^ (a10>>2) -> #
1: ord('F') ^ ord(k[1]) ^ (a11>>2) -> /
[2]
0: ord('C') ^ ord(k[2]) ^ (a20>>2) -> "
1: ord('G') ^ ord(k[2]) ^ (a21>>2) -> .
[3]
0: ord('D') ^ ord(k[3]) ^ (a30>>2) -> %
1: ord('H') ^ ord(k[3]) ^ (a31>>2) -> (sp)

変換した後、組ごとに配列にするため、上記の例だとAEIのIは切り落とされる。あとはその順番で16進数表記でASCIIコードを表示する。

202322252c2f2e20
   # " % , / .

暗号の長さは112。56バイト。keyの長さはその約数になる。

1, 2, 4, 7, 8, 14, 28, 56

keyの長さは7バイトか8バイトあたりと考えられる。調整しながら確認していく。
7バイトだと、printableなフラグにならない。8バイトで復号した文字列がフラグになりそう。
keyの末尾2バイトはブルートフォースで復号を試し、フラグになるものを探す。

import itertools
import string

def d(c, k, skip):
    s = [''] * skip
    for i in range(skip):
        for j in range(len(c)/skip):
            s[i] += c[i+j*skip]
    for i in range(skip):
        a, d = 0, ''
        for j in range(len(s[i])):
            b = ord(s[i][j]) ^ ord(k[i]) ^ (a>>2)
            d += chr(b)
            a = ord(s[i][j])
        s[i] = d
    dec = ''
    for j in range(len(c)/skip):
        for i in range(skip):
            dec += s[i][j]
    return dec

def is_flag(s):
    if s[-1] != '}':
        return False

    for i in range(len(s)):
        code = ord(s[i])
        if code < 32 or code > 126:
            return False

    if s.count('}') > 1 or s.count('{') > 1:
        return False

    return True

enc = '473c23192d4737025b3b2d34175f66421631250711461a7905342a3e365d08190215152f1f1e3d5c550c12521f55217e500a3714787b6554'

for c in itertools.product(string.printable, repeat=2):
    known = 'tjctf{' + ''.join(c)
    key = ''
    for i in range(len(known)):
        code = int(enc[i*2:i*2+2], 16) ^ ord(known[i]) ^ (0>>2)
        key += chr(code)

    flag = d(enc.decode('hex'), key, len(key))
    if is_flag(flag):
        print flag

結果は以下の通りで、一つに定まらない。

tjctf{a4ybe_Wr=t3ing_mU_3ncRypX10N_MY5ilf_W4Snx_v_sm4R;}
tjctf{c4ybe_Wr?t3ing_mW_3ncRypZ10N_MY5klf_W4Snz_v_sm4R9}
tjctf{e4ybe_Wr9t3ing_mQ_3ncRyp\10N_MY5mlf_W4Sn|_v_sm4R?}
tjctf{g4ybe_Wr;t3ing_mS_3ncRyp^10N_MY5olf_W4Sn~_v_sm4R=}
tjctf{h4ybe_Wr4t3ing_m\_3ncRypQ10N_MY5`lf_W4Snq_v_sm4R2}
tjctf{i4ybe_Wr5t3ing_m]_3ncRypP10N_MY5alf_W4Snp_v_sm4R3}
tjctf{j4ybe_Wr6t3ing_m^_3ncRypS10N_MY5blf_W4Sns_v_sm4R0}
tjctf{k4ybe_Wr7t3ing_m__3ncRypR10N_MY5clf_W4Snr_v_sm4R1}
tjctf{l4ybe_Wr0t3ing_mX_3ncRypU10N_MY5dlf_W4Snu_v_sm4R6}
tjctf{m4ybe_Wr1t3ing_mY_3ncRypT10N_MY5elf_W4Snt_v_sm4R7}
tjctf{n4ybe_Wr2t3ing_mZ_3ncRypW10N_MY5flf_W4Snw_v_sm4R4}
tjctf{o4ybe_Wr3t3ing_m[_3ncRypV10N_MY5glf_W4Snv_v_sm4R5}
tjctf{p4ybe_Wr,t3ing_mD_3ncRypI10N_MY5xlf_W4Sni_v_sm4R*}
tjctf{q4ybe_Wr-t3ing_mE_3ncRypH10N_MY5ylf_W4Snh_v_sm4R+}
tjctf{r4ybe_Wr.t3ing_mF_3ncRypK10N_MY5zlf_W4Snk_v_sm4R(}
tjctf{t4ybe_Wr(t3ing_m@_3ncRypM10N_MY5|lf_W4Snm_v_sm4R.}
tjctf{v4ybe_Wr*t3ing_mB_3ncRypO10N_MY5~lf_W4Sno_v_sm4R,}
tjctf{x4ybe_Wr$t3ing_mL_3ncRypA10N_MY5plf_W4Sna_v_sm4R"}
tjctf{y4ybe_Wr%t3ing_mM_3ncRyp@10N_MY5qlf_W4Sn`_v_sm4R#}
tjctf{z4ybe_Wr&t3ing_mN_3ncRypC10N_MY5rlf_W4Snc_v_sm4R }
tjctf{`4ybe_Wr

英文として意味が通りそうなフラグを選んだら通った。

tjctf{m4ybe_Wr1t3ing_mY_3ncRypT10N_MY5elf_W4Snt_v_sm4R7}

Sarah's Cryptosystem (Cryptography 60)

問題のタイトルから暗号の種類を特定する。Cayley–Purser algorithmのようだ。以下を参考に復号する。

https://en.wikipedia.org/wiki/Cayley%E2%80%93Purser_algorithm
http://www.geocities.jp/midarekazu/matrix.html

以下が成り立つので、与えられたパラメータから復号する。

c * (gamma * beta - inv(alpha) * gamma) = inv(alpha) - beta
kai = c * gamma + e
lam = kai.inverse() * epsilon * kai
mu = lam * mu_prime * lam ※mu: 復号結果

復号結果は2×2の行列なので、0行0列、0行1列、1行0列、1行1列の順に数値を文字に変換して、結合する。

# solve.sage
n = 14678582949426387051583136040455803382111419934165976555967410717578108685173293909893707428060574534387147043662980233493070333867526564630646606195171973454732346210530445592981735448140608367433802310679262003264086048483330926831158965247002647763969506296491800206264566632210018217460947909473322948120728022781961264083482251077179808522571497366192225541800367737775624875274409378360680791167750022903325344080185661894498877429106792051549616294445505734756445036773060160075172879734624325424601794213946464848991659189822047433670420325360836239402912250660089868320598256013395839998681853749012528228581

alpha = matrix(Zmod(n), [[8775523445886632877189593855724016105923853238110388600944519847143895931293223855922653616887818042631073479198110684379321723227593601822918289162810287213179985843203577275519823312297337476543699814699295603780534270489652026567901889418668978700166470523932709861086261372827841681274942513882086473642725585135101230370081888674776607714279827857691943339921005145456087934796083827529605415734994951876822070091633768569949775791638494032484021726668931928950677970506977610850040146356447929936780822436403930820545470690234566354431325668976387986291875340697228987789945329449200068296170375614076050879785, 10914524698710595970321127027090232144165968780037471063432770955497704137163051702799686631313041237560141667848373235442103054608670912249269855896811394714345108278448088454633357108221934703236017373213591822419492870186573388565800341211631487277520861910315169726614530318669774452500398973789004100413146262726432287549267494369387541010183759368058060150046771812028618651061152940554853598757579002480497094323215709965636785996674504414081628163168221618141288158620642854534927045304055157302218392073869315722029506251754742712127700711498342611023211817174640260717060042688885087479683913557571909322741], [7157097076807988382820230716569936455045674994109312852250577929895736096519606523374055940413673063662855431457666708138113796135396777078373960733319810698100562529245781853196798527091875213512132913044623809323407761879224741043837559073372914528336917930561267239951428201709786511309170906978181350528532725746865810552547336005227276113230516321894984875520782802662233942788568094083797220677632043304323815963819260590985920987957137053105329635183018297003173809322151759301586528750262563904360082125151280110181914762714140881033279744601200352729150802483479611105828702510738590423345140053057578524340, 6713517055261601175137199194349037776884391949750887153570211478360609355102967635024812020436930124099492062499378568948225812905028941236992161990751892519351796091752765093957342028716103643486587421078902623905472869718701549301991454011667516034361143511456327353811233114869084210135013109411719670903088224240407539506990465851216587326439231276390112484389076650763830466007812636524179883923113881730406583476993810068817032731764701328227580833401955012377095618568561222016759038286127435444274370666887116694944714906875307424805468192270291152231535013278536905457590268616934245276058674669841799113000]])
beta = matrix(Zmod(n), [[12810735484592687475611067000733910475407959255726938964445865510797360682518042234111788624482348253873675205750379533519653600377466554571549725126735899237320794286392351216351163142150947930793285681157153739873680235151717822189508483187266968937840184927172004631125869801171730273839416495272679596762491128032081715204511086070136862783519124351766930742835431179567064478518796272613388247961834821952570326773065235010566961759660603378159648515475855652044014147336517739031539091701655351031055956799114677224875340483094077563775106615052814649767904459580694503137691824535465579841465656799088385158184, 5473642859795523867833744594642413120108472695987405903092128057784530587542920832212387191217752619328277772827610816009681072385077130472910935496153590538664127336809080066339982095054400770410661108644231317771694643744529400989304882179751725342517277312600577613299747065205530030840353840528208991751919855348274256156989437092383943692362355213688529247118405117679336493204906404070181358635721597885844629007865171487595667542012053680470870441869320997247103844383487375469966170305723116660050719640797029789529431834500103108427981321996630378373859429074160615524314703440598519278440916672490604153920], [13360817683734425907882869818387715917823570500779542648139881285594085839307884087170316732892285057644413961106686702548122776388566314151602576134967429938148568359628406913487102447957478975857422968377905367007255678006848155389204533214902608595212870988879519805436914172362269969647424235793945764717194382563938554317735619273113439313925766674058624269423418548409043902139520249198229905104623538910887468568657824562399052674509890480922031471957602349880575143764865589002518416822823718373354855636110399881258158604068094158661436001036363550606724638058264988946662672731808136009525669966413346830771, 11468410759599236635289052912588911752422573812150145093904993075149484717580340039481523574675433246733347559877762204982600910077123361122258919844601069472735734932609308953048318256198076234640234139592390905314780413453276360192939595448983886080692089673968929164049655081883685358729758224963749521058341303254696491886950891802778644958745186969893311825203619560214820869460365078215849849124479129495345651512821938654650764639191895571807669232427640112077550730446976794444904863440462011108462395868920803221927297239615558407269413543933560885245839360611664257149625120359949226340501748237522041814167]])
gamma = matrix(Zmod(n), [[8974468230919934099206660576279424449497301852364989153036761168858007344533698037386796827211384328629017837524968363275804995875927577734686609421586684272633348191411693574979321023787212983912221475247860537390362046603629961287235797201556980167513141941168597299233052362222944059064374704020090477871823209626756840704609536921524143960339208893818545992537157471214137960274837610171236744600814714862928730197678579742105704214054822862593357666332950197265426170385072044723785511598793270720596355301285113545159975155209975455186823617585677822352197860436786511800833967339913846225776224546725792541520, 9348474986948437407830611381930796417076181343543633204466467018618007961332994440548537170881111598282300398838403220784637434773325124478963236440587878188677991827315886822018947642220599876747471178815812118951916817010191177047705089048910549002617216646224139781669862185568251097552368622389943664551466943434989962245869206459898126080327957813064720085824151158276722547935648805466702908342289509228148396591724592467606473409258370670569095588764643480541155047718125969649815181530297399896574878462796500132797468732289756350942722963262157882852028757481193014591962402361412541547286212463585329356315], [6306347499602839310711897806816115365577798048588869401080589959551960579025882710953775758799196156090574498840338655413952106340930233167025430911291561146300436232756032168584609901161123027915957142144417373944831498112379530014743564725043850573029577893137274785944999828913842318958600038316305161651550987813123688899364506103198777508061052140024401991543826294645053810175935470329060181419638113822346335627126011428883634941577955928094830457687467602021018818112233819135752762796122449991940293951126794842445023346469946015215788444862522482934643865011428843298464296450568025153162421666513865829972, 10460558892626942486591136156075757543686422206929425172766487988979302284782458711707743391644192252658479654211588038112081380743223452728011518065689480909606243379075821247336392033167618986362705759995101660106860761650744887913049696267564350252223724264010048527822196072691569796251914527187015010584106518547809025845913716411807489385594922654444064967642748725710272671436875870600558952201656006726706186246198382807891707075834051796788676605755301264887244933074977001813150376143934759392995053660467071628525606350521290098742782796859849651804582344638795615115444324738258958494327221705047139386067]])
mu_prime = matrix(Zmod(n), [[9110140425150750491145178173245810683649850676433167642203918443227873747929200498497484988659356796565844607239572829879322347251589944478091113697792108086550736898839464575439745480624731810294886238002427135623698710042800014612820928298917430445137640355738788165343967441826643874136160621009753218683651627226187219386196831000264065035194030979035604667050555295409076871639269434935429836264844914788522151184701643589729070919260048693228620818713776827956449530727987176756766935883945609304801285829253475548773757845833684396147327615752864245759762697131554282702952182820064236136029154931285534920336, 3965680634933532371253173918575965512311075743978870329108827645259543845600676708465361739792712505100830375151369030591386585033111483748387572594721593780367638957423544648137126096616048548831526404791201118063342916940780558823392780847378257409456603871959593407713453397146511731920904022568991968961066446033963676957027561582191560877662951544766699653019054058615445793884586251692712331360647356139500007887786373834135022309564632684555593104495467262752494409415310095975103762605447355421569804147145717716270216276407829288807696993083792180120763011612628844075543633935302644043351200000415397765490], [11531027939277663954924629808580850615128112189088429194733892444735389287125194989846483062137239631428856897300952091045885111504233971340222047595797974590299676147530138095131682563465058026356505341896547427515760211337648937509712681168680093916223136691048129594400887163117578083595198924212238020929650571543544239651025512948151083606981283495326581076022774788713191375373448616247020080804624589709887909060660751012839089160151250018439586685425207828386848506215840120679779020276348065756876412067877471560174945643434266029362965328759176908923082695706418412446830824537449603065572349763237675405751, 920729326437589730826095157469278350649316030890671041698866840091079079560109369898686162156986131867647612585803281076434525638323194196281197301522301314276691124338087536821687420513860352733995693071965887098334916285637808557203009371600993398395622919226813090045525901909117810003835895044704787089673163783368582595086734902024400720579716370279086180005814810492044173344668033992612757135892010975432640563801946449146558990089998260694779271111218515320264883756992522656100346966776474372573294784374889012500155152418754863716677395313380366718512341128264823401715112635658331018694834964614709946974]])
epsilon = matrix(Zmod(n), [[7165571226081578603835883150774616488728231051550287925851522690184895637139822876962972947112432251543801438173797575868444468354880336070457468476668646627601203589691836971847199834387550427409515139148865668672460930793878765006885214789102699287706918802228358033100073207658646769916917956918825343988728574869415991085833912621668186850044268946624373249357696907897355173351832256550108577060760939032564672939219868381918863800411991549406942127512322082415984088851421306484618925402688553375021971356743060341861158734723134788643394112904978199797407328350398837621015931420540971820281023718934332599845, 5311927137961618089465719533669959680179138808868451304787316556962730054216658384560427124537238182468330318432740185730773011315312521714917801639551804882300325955312260236798444551041370383751633970374956257915677214485582117483657761988919505553702104281197415775417014673469569050740206878224979551841366120847702679675682180740324259166151472145699221113252321870669004434874193357913127321023174144885899598070482292843947693798831055666003932625354269654187369701819908413086086194211158098010905312163522905960656367473770480743567823177465080036681918250028808180971378615523862092243350157331116954510698], [5453403043375115387776266465045212861994650155363814552052041113915923817009277472100191728376696957972330437923466587434020093694118621324930290244063889644426827678183126312734629316012791372652267229717880892934548663470390609038951254084596015737291790063273550517220952776485662834693648438708321765082221299643494798339214081530177171662673636605795986063100859446521438876886565157432362462831922149860311355669958620420565847240178703164000319792911764660820039884624929685147146215415904174517092317941864314088161460161442692320572464940560312915345911620266153658276926959641065541429189055966572657819520, 8323469275066655448490909899298437394080014136310987828663208635319609649256368613984492690212315915186764103523691677459103067777742206989452982676893533104930578345264505397629965506625890692620772096629332559013546209414474810863008128641233795446820695233160679181797421280038279121493037666374980800557085234506092778791238441904325008190674790187457682574952384888322563227452064207503676722597347894574663980629407710256847944722991203811304660432558564858911789500224117526382180259239886812006033221746547987173629026862386738990593399748341700938726003025625367055626519666645593341751948026564983517392940]])

e = matrix(Zmod(n), [[1, 0], [0, 1]])

inv_alpha = alpha.inverse()
c = (inv_alpha - beta) * (gamma * beta - inv_alpha * gamma).inverse()
kai = c * gamma + e

lam = kai.inverse() * epsilon * kai
mu = lam * mu_prime * lam

msg = ''
for i in range(2):
    for j in range(2):
        msg += ('%x' % mu[i][j]).decode('hex')

print msg

実行結果は以下の通り。

The Cayley-Purser algorithm was a public-key cryptography algorithm published in early 1999 by 16-year-old Irishwoman Sarah Flannery, based on an unpublished work by Michael Purser, founder of Baltimore Technologies, a Dublin data security company. Flannery named it for mathematician Arthur Cayley. It has since been found to be flawed as a public-key algorithm, but was the subject of considerable media attention. Nice job! Your flag is tjctf{c0uld_th1s_b3_tH3_n3Xt_RS4?}
tjctf{c0uld_th1s_b3_tH3_n3Xt_RS4?}

Programmable Hyperlinked Pasta (Web 60)

HTMLソースを見ると、コメントに以下のように書いてある。

<!-- <a href="flag.txt">Here's a flag!</a> -->

https://programmable_hyperlinked_pasta.tjctf.org/flag.txtにアクセスすると、Forbidden表示。
https://programmable_hyperlinked_pasta.tjctf.org/?lang=flag.txtにアクセスしても何も表示されない、
https://programmable_hyperlinked_pasta.tjctf.org/?lang=../flag.txtにアクセスすると、フラグが表示された。

tjctf{l0c4l_f1l3_wh4t?}

Permutations (Cryptography 70)

emはmessageの文字の順序が変わったもので、順序を指定できる。変わった文字列について、RC4の暗号処理と同じ処理をしている。
http://inaz2.hatenablog.com/entry/2013/11/30/233649 を参考にして、RC4暗号の脆弱性を使う。
RC4はランダムな鍵に対して、暗号の2バイト目に偏りがあるという性質があるらしい。
1文字に対して、2**16回データを取れば、ほぼ確実に復元できそうだが、途中でサーバから接続を拒否される。
以下のようなコードで何回もデータを取得して、統計を取りながらmessageを推測する。

import socket
from collections import Counter

CHARS = 'abcdefghij'

def replace_2nd_str(pos):
    target = CHARS[pos]
    base = CHARS.replace(target, '')
    return base[0] + target + base[1:]

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('problem1.tjctf.org', 8007))


## index setting ##
idx = 9
print 'index =', idx
send_str = replace_2nd_str(idx)
print 'send_str =', send_str
###################

results = [0] * 256
for j in range(2**10):
    data = recvuntil(s, '\n')
    #print data
    #print send_str
    s.sendall(send_str + '\n')
    data = recvuntil(s, '\n')
    #print data
    second_value = int(data[2:4], 16)
    results[second_value] += 1

# Top 10 -> Guess
freq_map = dict((chr(i), n) for i, n in enumerate(results))
top10_freq = Counter(freq_map).most_common(10)
print top10_freq

10文字について統計を取る。意味がありそうな単語を考えながら、それぞれ回数が多いものを選択する。

ohbyteRC4!
tjctf{ohbyteRC4!}

Ssleepy (Forensics 70)

No.55パケットからkey.zipを抽出する。解凍すると、秘密鍵が入っている。WiresharkSSL秘密鍵を設定し、復号する。

IP address: 104.155.183.43
Port: 443
Protocol: http
Key File: server_key.pem

No.91パケットでflag.jpgをGETしている。SSL Streamからヘッダ部分を除いて保存する。
f:id:satou-y:20180814110915j:plain
JPG画像にフラグが書いてあった。

TJCTF{WIRESHARK_OR_SHARKWIRE?}

Affine (Cryptography 90)

RSA暗号。Linear Padding ありの Hastad's broadcast attack で復号する。

# solve.sage
import binascii
import hashlib

def get_sha1_val(n):
    s = str(n)
    return int(hashlib.sha1(s).hexdigest(), 16)

def hastads(cArray, nArray, e=3):
    if(len(cArray)==len(nArray)==e):
        for i in range(e):
            cArray[i] = Integer(cArray[i])
            nArray[i] = Integer(nArray[i])
        M = crt(cArray, nArray)
        return(Integer(M).nth_root(e, truncate_mode = 1))
    else:
        print("CiphertextArray, ModulusArray, need to be of the same length, and the same size as the public exponent")


def linearPaddingHastads(cArray, nArray, aArray, bArray, e=3, eps=1/8):
    if(len(cArray) == len(nArray) == len(aArray) == len(bArray) == e):
        for i in range(e):
            cArray[i] = Integer(cArray[i])
            nArray[i] = Integer(nArray[i])
            aArray[i] = Integer(aArray[i])
            bArray[i] = Integer(bArray[i])
        TArray = [-1] * e
        for i in range(e):
            arrayToCRT = [0] * e
            arrayToCRT[i] = 1
            TArray[i] = crt(arrayToCRT, nArray)
        P.<x> = PolynomialRing(Zmod(prod(nArray)))
        gArray = [-1] * e
        for i in range(e):
            gArray[i] = TArray[i] * (pow(aArray[i] * x + bArray[i], e) - cArray[i])
        g = sum(gArray)
        g = g.monic()

        roots = g.small_roots(epsilon=eps)
        if(len(roots) == 0):
            print("No Solutions found")
            return -1
        return roots[0]

    else:
        print("CiphertextArray, ModulusArray, and the linear padding arrays need to be of the same length," +
         "and the same size as the public exponent")

e = 7
c1 = 25675152793958719362334087721727391668448541269558474462058064394972159237000883064745181284990149430303994650254840808322285864424764662750758365258432516187277728432545121586632979071929720717372649852913892333751596445815629910986053617473309414117281508303864323015909729484176490149898837722699148713920
n1 = 54820850259230535713865762084053568598874165594889130921566357696567616458378223857125838179921247755779292651871389981326670333442531734034645787606469134086461755105756873542385262892705242036071092223909243076301288478970799478306200287979706335286360412748167842364774735931863312933459243303887522528391
c2 = 57308013526198545787982553948831809099851386105071990727531071444194085081579444566800636703889823370213270842463375590828873179217670044197203168310866488084951374039873986096323030668989182846970273681633505685451818817121768616521795719540659814758454867045257226628730810691032850312088913937303862882122
n2 = 67042885520113263257118582290915177726312067469305908421847091179458757706749309299748971618010292667467149507645154486731380778917902476712952533653072795121865441967660602104613553639256754364241221379654359806670189462881506603085709273149985124690193140730266494965592337203461719611664879731308442667263
c3 = 33110523123312260880081423555385443012303698172724771306631372977777151188742699147449635911533782126548764489332497744201412222554852174681172644368277681280915180074419448681945399626487120057542603151103185868489294327151872456579497138539267121640657739423771314684090862694233758364464062279576183369864
n3 = 89985903111062000750924862108702084890290895192415633459163185350709370560849833696152316610647261365568603949891418963071575903453535955968749606939308123918445104540664601366419086133203411546299071992836870605114904775854946592687074623268960160934703771624447420985649938872471694356563590766730197327403
c4 = 77165065219653079862788577409129548279406192392832794127838745876446556297639145098957541474822063761739525311525724748975610206392909917884098887559908520069178582499123002341170033386358914463615518679156743215944833734844115997551919528578190653678286086414529205023645066772036171138071616232877775605403
n4 = 144578302659584152347777465183436595903641766254529841392977311918530263082334666488588492466964216842999000372858566667614430156791250833413367447725549300629307438383795112436448806559178858641149273056506193797949883101855228392777056665762363186560765549679621056726762476210940818128164542265216341911939
c5 = 46271592501512251239515544795747628191312494429121209907428975357753036096630585200765478229722279396220792499619124493513510693983433382775572503427829128432022799757398620804968227918699155484285929229454795772848632082074482660485353695038777422951895467676109703028615278915540633833992415540610914983525
n5 = 81790853226916934420573308748178318312510297162048844558315472184092957619321358751015078340781526837894903889782215325030254199582839010410447598969896414596873084948080977190437730775429382394893464902480690706275903017575378639142460124842161392405763583944706204061213376653979366112584588092058682099417
c6 = 57972675706457917594665689255141579755155126009393865090298137419620210832764812601374723742797175858601067071946998126997761266747079093136254796588168914305806501548651843044824561414391997008162345918166144951125302582440652239957438322070733320483325829334015651431547367283983778089203231241439641536053
n6 = 73980671682765133866918944940688116769134506866614012447817086969352897977409302191352722713709039627538976182650104228953961415306661290440291237838436045597491167374142468246641210294363030243026142729058264151545938090328689572424665075464153066787542386012683130559707032305120020753104044623180909126389
c7 = 74509805178973331475079616531075721234040785222421585008716026412829278145513552037640729538030768473876697345668551073431575270064366725987077833033222424840594603003480258191710744801632493056419255044343812108962552981039079556936296909043802657927151112869685008200474696033705827864953556606633891316209
n7 = 101172221238421792469887500553169614463346581090545073620543862634624608075572127513912303221239410360993953141778328809955385117874857059456679461625991923555648318729750420461377497354534152316919725646852519813952867617919442629999348382422210047284124959833853082144643826524296782324540575133270263491143

nArr = [n1, n2, n3, n4, n5, n6, n7]
cArr = [c1, c2, c3, c4, c5, c6, c7]
aArr = [1] * 7
bArr = []
bArr.append(get_sha1_val(n1))
bArr.append(get_sha1_val(n2))
bArr.append(get_sha1_val(n3))
bArr.append(get_sha1_val(n4))
bArr.append(get_sha1_val(n5))
bArr.append(get_sha1_val(n6))
bArr.append(get_sha1_val(n7))

msg = linearPaddingHastads(cArr, nArr, aArr, bArr, e=e, eps=1/16)
msg = hex(int(msg))[2:]
if(msg[-1]=='L'):
    msg = msg[:-1]
if(len(msg)%2 == 1):
    msg = '0' + msg
flag = binascii.unhexlify(msg)
print flag
tjctf{b3ware_of_th3_g3n3ralization}

Volatile Virus (Forensics 130)

メモリダンプファイルが与えられている。
volatilityでいろいろ調査する。

$ volatility -f file_patched.dmp imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/mnt/hgfs/Shared/work/file_patched.dmp)
                      PAE type : PAE
                           DTB : 0x185000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2018-08-06 03:58:15 UTC+0000
     Image local date and time : 2018-08-05 20:58:15 -0700
$ volatility -f file_patched.dmp --profile=Win7SP1x86 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x860b33a8:explorer.exe                             2292   2276     48   1248 2018-08-06 03:13:12 UTC+0000
. 0x86139d20:chrome.exe                              3968   2292     35   1264 2018-08-06 03:14:13 UTC+0000
.. 0x850d0d20:chrome.exe                             3500   3968      6    143 2018-08-06 03:16:00 UTC+0000
.. 0x85106030:chrome.exe                             3496   3968      6    127 2018-08-06 03:53:44 UTC+0000
.. 0x861c3d20:chrome.exe                             2896   3968      6    173 2018-08-06 03:54:08 UTC+0000
.. 0x8507b3e0:chrome.exe                              548   3968      6    155 2018-08-06 03:18:16 UTC+0000
.. 0x8617ab50:chrome.exe                             1108   3968      6    134 2018-08-06 03:53:57 UTC+0000
. 0x8506b030:python.exe                              2976   2292      1     58 2018-08-06 03:15:14 UTC+0000
. 0x861d6030:taskmgr.exe                             3880   2292      5    110 2018-08-06 03:53:21 UTC+0000
. 0x856c9ac0:VBoxTray.exe                            2436   2292     13    151 2018-08-06 03:13:16 UTC+0000
. 0x85115c00:DumpIt.exe                              3172   2292      6     93 2018-08-06 03:58:14 UTC+0000
 0x85d851d8:winlogon.exe                              416    372      3    110 2018-08-06 06:11:22 UTC+0000
 0x85d6f030:csrss.exe                                 380    372      8    310 2018-08-06 06:11:22 UTC+0000
. 0x861e7440:conhost.exe                             3436    380      2     40 2018-08-06 03:58:14 UTC+0000
. 0x861eb030:conhost.exe                             3108    380      2     34 2018-08-06 03:15:15 UTC+0000
 0x85d79d20:wininit.exe                               388    324      3     78 2018-08-06 06:11:22 UTC+0000
. 0x85da8398:services.exe                             476    388      7    204 2018-08-06 06:11:23 UTC+0000
.. 0x85f00478:taskhost.exe                           1416    476      9    204 2018-08-06 03:11:36 UTC+0000
.. 0x85dea030:VBoxService.ex                          648    476     11    118 2018-08-06 06:11:27 UTC+0000
.. 0x85df2b00:svchost.exe                             712    476      8    253 2018-08-06 03:11:29 UTC+0000
.. 0x84f41d20:svchost.exe                            1040    476      5     90 2018-08-06 03:11:43 UTC+0000
.. 0x8603c030:sppsvc.exe                              284    476      4    147 2018-08-06 03:11:42 UTC+0000
.. 0x84fb3030:wlms.exe                               1840    476      4     46 2018-08-06 03:11:40 UTC+0000
.. 0x85e9a528:svchost.exe                            1156    476     16    475 2018-08-06 03:11:33 UTC+0000
.. 0x85f4c178:svchost.exe                            1576    476     11    312 2018-08-06 03:11:37 UTC+0000
.. 0x85e333c8:svchost.exe                             892    476     32   1007 2018-08-06 03:11:30 UTC+0000
.. 0x85edb610:spoolsv.exe                            1324    476     13    277 2018-08-06 03:11:35 UTC+0000
.. 0x85f08618:svchost.exe                            1456    476     17    292 2018-08-06 03:11:36 UTC+0000
.. 0x85e29030:svchost.exe                             840    476     15    362 2018-08-06 03:11:30 UTC+0000
... 0x85df8878:dwm.exe                               2284    840      3     68 2018-08-06 03:13:12 UTC+0000
.. 0x85f8b998:cygrunsrv.exe                          1716    476      6    101 2018-08-06 03:11:39 UTC+0000
... 0x84f99870:cygrunsrv.exe                         1796   1716      0 ------ 2018-08-06 03:11:40 UTC+0000
.... 0x84fbfd20:sshd.exe                             1876   1796      4    100 2018-08-06 03:11:40 UTC+0000
.. 0x85eba7c0:SearchIndexer.                         2676    476     11    630 2018-08-06 03:13:21 UTC+0000
.. 0x85e1f460:svchost.exe                             800    476     19    435 2018-08-06 03:11:30 UTC+0000
... 0x851315c0:audiodg.exe                           3832    800      4    121 2018-08-06 03:55:37 UTC+0000
.. 0x85f4e338:svchost.exe                            1604    476     16    275 2018-08-06 03:11:37 UTC+0000
.. 0x85629890:svchost.exe                             584    476     10    349 2018-08-06 06:11:26 UTC+0000
... 0x8513f030:WmiPrvSE.exe                          2140    584      7    121 2018-08-06 03:58:15 UTC+0000
.. 0x85e2eb68:svchost.exe                             864    476     29    562 2018-08-06 03:11:30 UTC+0000
.. 0x85e6dd20:svchost.exe                            1020    476      6    116 2018-08-06 03:11:32 UTC+0000
.. 0x85f86030:svchost.exe                            3580    476     12    364 2018-08-06 03:13:43 UTC+0000
. 0x85daf030:lsass.exe                                484    388      7    577 2018-08-06 06:11:23 UTC+0000
. 0x85db0b90:lsm.exe                                  492    388     10    152 2018-08-06 06:11:23 UTC+0000
 0x84f4e248:csrss.exe                                 332    324     10    401 2018-08-06 06:11:21 UTC+0000
. 0x84fb1d20:conhost.exe                             1832    332      2     33 2018-08-06 03:11:40 UTC+0000
 0x84ed1b90:System                                      4      0     83    530 2018-08-06 06:11:13 UTC+0000
. 0x8561b718:smss.exe                                 252      4      2     29 2018-08-06 06:11:13 UTC+0000

この後、チームメンバがkeyloggerの分析をし、フラグの前半を割り出すことができた。

tjctf{th1s_1s_n0t_a_v1ru5_

Chromeを使っていることが分かっているので、volatilityのchromeプラグインで調べてみる。

$ volatility -f file_patched.dmp --profile=Win7SP1x86 chromedownloads --output-file=chromedownloads.txt
$ cat chromedownloads.txt
Row Id Current Path                                                                     Target Path                                                                      Start Time                 Received     Total Bytes  State Danger Interrupt End Time                   Opened Referer                                                          By Ext ID By Ext Name ETag                     Last Modified                  MIME Type                        Original MIME Type              
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------- ------------ ------------ ----- ------ --------- -------------------------- ------ ---------------------------------------------------------------- --------- ----------- ------------------------ ------------------------------ -------------------------------- --------------------------------
    16 C:\Users\IEUser\Downloads\1FA71                                                  C:\Users\IEUser\Downloads\1FA71                                                  2018-08-06 03:20:29.210581         1023         1023     1      0         0 2018-08-06 03:20:29.466552      0 https://github.com/kakbkc/literate-sniffle/blob/master/1FA71                           "764c4bbf98...ae31efc16"                                application/octet-stream         application/octet-stream        
    15 C:\Users\IEUser\Downloads\1D218                                                  C:\Users\IEUser\Downloads\1D218                                                  2018-08-06 03:20:14.625735         1047         1047     1      0         0 2018-08-06 03:20:14.859907      0 https://github.com/kakbkc/literate-sniffle/blob/master/1D218                           "7ffee2ea0a...c9f5321eb"                                application/octet-stream         application/octet-stream        
    14 C:\Users\IEUser\Downloads\1CB1C                                                  C:\Users\IEUser\Downloads\1CB1C                                                  2018-08-06 03:20:10.236260         1057         1057     1      0         0 2018-08-06 03:20:10.472951      0 https://github.com/kakbkc/literate-sniffle/blob/master/1CB1C                           "d4b88cb6bf...476d36f43"                                application/octet-stream         application/octet-stream        
    13 C:\Users\IEUser\Downloads\1867D                                                  C:\Users\IEUser\Downloads\1867D                                                  2018-08-06 03:19:59.895695         1068         1068     1      0         0 2018-08-06 03:20:00.128268      0 https://github.com/kakbkc/literate-sniffle/blob/master/1867D                           "604922a225...d51e9633d"                                application/octet-stream         application/octet-stream        
    12 C:\Users\IEUser\Downloads\181F0                                                  C:\Users\IEUser\Downloads\181F0                                                  2018-08-06 03:19:53.215465         1080         1080     1      0         0 2018-08-06 03:19:53.543034      0 https://github.com/kakbkc/literate-sniffle/blob/master/181F0                           "2502cc1653...97cb5eab0"                                application/octet-stream         application/octet-stream        
    11 C:\Users\IEUser\Downloads\1568E                                                  C:\Users\IEUser\Downloads\1568E                                                  2018-08-06 03:19:23.810158         1017         1017     1      0         0 2018-08-06 03:19:24.096658      0 https://github.com/kakbkc/literate-sniffle/blob/master/1568E                           "5c2a1f0d58...9d05baa91"                                application/octet-stream         application/octet-stream        
    10 C:\Users\IEUser\Downloads\11B53                                                  C:\Users\IEUser\Downloads\11B53                                                  2018-08-06 03:19:18.350220         1096         1096     1      0         0 2018-08-06 03:19:18.605699      0 https://github.com/kakbkc/literate-sniffle/blob/master/11B53                           "a8761d8ac6...f2882d0e5"                                application/octet-stream         application/octet-stream        
     9 C:\Users\IEUser\Downloads\112E8                                                  C:\Users\IEUser\Downloads\112E8                                                  2018-08-06 03:19:12.694478         1044         1044     1      0         0 2018-08-06 03:19:12.999087      0 https://github.com/kakbkc/literate-sniffle/blob/master/112E8                           "5e4b476fe5...083dc87cd"                                application/octet-stream         application/octet-stream        
     8 C:\Users\IEUser\Downloads\0FB71                                                  C:\Users\IEUser\Downloads\0FB71                                                  2018-08-06 03:19:06.661971         1075         1075     1      0         0 2018-08-06 03:19:06.903977      0 https://github.com/kakbkc/literate-sniffle/blob/master/0FB71                           "cd9bd42dd9...eab91c4c1"                                application/octet-stream         application/octet-stream        
     7 C:\Users\IEUser\Downloads\0F32D                                                  C:\Users\IEUser\Downloads\0F32D                                                  2018-08-06 03:18:56.779744         1082         1082     1      0         0 2018-08-06 03:18:57.017832      0 https://github.com/kakbkc/literate-sniffle/blob/master/0F32D                           "2076f61c97...f6a944e10"                                application/octet-stream         application/octet-stream        
     6 C:\Users\IEUser\Downloads\0EDD0                                                  C:\Users\IEUser\Downloads\0EDD0                                                  2018-08-06 03:18:50.562136         1003         1003     1      0         0 2018-08-06 03:18:50.814568      0 https://github.com/kakbkc/literate-sniffle/blob/master/0EDD0                           "e9f58e519e...a62dbb302"                                application/octet-stream         application/octet-stream        
     5 C:\Users\IEUser\Downloads\0A314                                                  C:\Users\IEUser\Downloads\0A314                                                  2018-08-06 03:18:45.463460         1058         1058     1      0         0 2018-08-06 03:18:45.703668      0 https://github.com/kakbkc/literate-sniffle/blob/master/0A314                           "6a2f51de25...c01cabfa5"                                application/octet-stream         application/octet-stream        
     4 C:\Users\IEUser\Downloads\06910                                                  C:\Users\IEUser\Downloads\06910                                                  2018-08-06 03:18:41.046386         1034         1034     1      0         0 2018-08-06 03:18:41.295901      0 https://github.com/kakbkc/literate-sniffle/blob/master/06910                           "b53cc3a9e3...e291a6f00"                                application/octet-stream         application/octet-stream        
     3 C:\Users\IEUser\Downloads\02F60                                                  C:\Users\IEUser\Downloads\02F60                                                  2018-08-06 03:18:35.856466         1046         1046     1      0         0 2018-08-06 03:18:36.134028      0 https://github.com/kakbkc/literate-sniffle/blob/master/02F60                           "8e21943e7b...29abd624d"                                application/octet-stream         application/octet-stream        
     2 C:\Users\IEUser\Downloads\01F57                                                  C:\Users\IEUser\Downloads\01F57                                                  2018-08-06 03:18:29.093970         1073         1073     1      0         0 2018-08-06 03:18:29.530521      0 https://github.com/kakbkc/literate-sniffle/blob/master/01F57                           "fa35a6344f...c45d813c6"                                application/octet-stream         application/octet-stream        
    32 C:\Users\IEUser\Downloads\40131                                                  C:\Users\IEUser\Downloads\40131                                                  2018-08-06 03:23:26.140672         1070         1070     1      0         0 2018-08-06 03:23:26.439527      0 https://github.com/kakbkc/literate-sniffle/blob/master/40131                           "653e30b372...3f6961ac3"                                application/octet-stream         application/octet-stream        
    31 C:\Users\IEUser\Downloads\3F6A6                                                  C:\Users\IEUser\Downloads\3F6A6                                                  2018-08-06 03:23:02.705559         1054         1054     1      0         0 2018-08-06 03:23:02.990172      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F6A6                           "34f6f31820...48e77c4fa"                                application/octet-stream         application/octet-stream        
    30 C:\Users\IEUser\Downloads\3F695                                                  C:\Users\IEUser\Downloads\3F695                                                  2018-08-06 03:22:49.613426         1022         1022     1      0         0 2018-08-06 03:22:49.930528      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F695                           "7b3e698387...459760fb7"                                application/octet-stream         application/octet-stream        
    29 C:\Users\IEUser\Downloads\3F47B                                                  C:\Users\IEUser\Downloads\3F47B                                                  2018-08-06 03:22:44.468808         1030         1030     1      0         0 2018-08-06 03:22:44.710531      0 https://github.com/kakbkc/literate-sniffle/blob/master/3F47B                           "dc1ce400d0...c374645f2"                                application/octet-stream         application/octet-stream        
    28 C:\Users\IEUser\Downloads\3D0E8                                                  C:\Users\IEUser\Downloads\3D0E8                                                  2018-08-06 03:22:39.871725         1069         1069     1      0         0 2018-08-06 03:22:40.178677      0 https://github.com/kakbkc/literate-sniffle/blob/master/3D0E8                           "3f75b94b2b...7d4e73577"                                application/octet-stream         application/octet-stream        
    27 C:\Users\IEUser\Downloads\3ACBB                                                  C:\Users\IEUser\Downloads\3ACBB                                                  2018-08-06 03:22:33.382970         1078         1078     1      0         0 2018-08-06 03:22:33.624826      0 https://github.com/kakbkc/literate-sniffle/blob/master/3ACBB                           "86d55f0889...d1b595906"                                application/octet-stream         application/octet-stream        
    26 C:\Users\IEUser\Downloads\39617                                                  C:\Users\IEUser\Downloads\39617                                                  2018-08-06 03:22:24.349366         1052         1052     1      0         0 2018-08-06 03:22:24.606099      0 https://github.com/kakbkc/literate-sniffle/blob/master/39617                           "ca03142de0...6dfc3eaa0"                                application/octet-stream         application/octet-stream        
    25 C:\Users\IEUser\Downloads\3864C                                                  C:\Users\IEUser\Downloads\3864C                                                  2018-08-06 03:22:11.063842         1089         1089     1      0         0 2018-08-06 03:22:11.376036      0 https://github.com/kakbkc/literate-sniffle/blob/master/3864C                           "dcbf668df3...24240dbc7"                                application/octet-stream         application/octet-stream        
    24 C:\Users\IEUser\Downloads\2EEA8                                                  C:\Users\IEUser\Downloads\2EEA8                                                  2018-08-06 03:22:05.007278         1024         1024     1      0         0 2018-08-06 03:22:05.312084      0 https://github.com/kakbkc/literate-sniffle/blob/master/2EEA8                           "9020a6c4e8...0b871ad9b"                                application/octet-stream         application/octet-stream        
    23 C:\Users\IEUser\Downloads\2E887                                                  C:\Users\IEUser\Downloads\2E887                                                  2018-08-06 03:21:47.929673         1079         1079     1      0         0 2018-08-06 03:21:48.185013      0 https://github.com/kakbkc/literate-sniffle/blob/master/2E887                           "9fbaff54a7...673f956fc"                                application/octet-stream         application/octet-stream        
    22 C:\Users\IEUser\Downloads\2DD80                                                  C:\Users\IEUser\Downloads\2DD80                                                  2018-08-06 03:21:40.066016         1032         1032     1      0         0 2018-08-06 03:21:40.308089      0 https://github.com/kakbkc/literate-sniffle/blob/master/2DD80                           "4b0410585d...7389b6f3a"                                application/octet-stream         application/octet-stream        
    21 C:\Users\IEUser\Downloads\2BEA7.txt                                              C:\Users\IEUser\Downloads\2BEA7.txt                                              2018-08-06 03:21:30.449428            1            1     1      0         0 2018-08-06 03:21:30.471285      0                                                                                                                                                text/html                        text/html                       
    20 C:\Users\IEUser\Downloads\2B8A8                                                  C:\Users\IEUser\Downloads\2B8A8                                                  2018-08-06 03:20:58.119470         1100         1100     1      0         0 2018-08-06 03:20:58.360639      0 https://github.com/kakbkc/literate-sniffle/blob/master/2B8A8                           "059ee2729d...cf33d7ff0"                                application/octet-stream         application/octet-stream        
    19 C:\Users\IEUser\Downloads\2AC88                                                  C:\Users\IEUser\Downloads\2AC88                                                  2018-08-06 03:20:50.566815         1043         1043     1      0         0 2018-08-06 03:20:50.826217      0 https://github.com/kakbkc/literate-sniffle/blob/master/2AC88                           "05b222d677...996c5bd93"                                applicatio                                                       
    18 C:\Users\IEUser\Downloads\2757E                                                  C:\Users\IEUser\Downloads\2757E                                                  2018-08-06 03:20:41.000335         1053         1053     1      0         0 2018-08-06 03:20:41.286984      0 https://github.com/kakbkc/literate-sniffle/blob/master/2757E                           "e23853a2d6...76824c280"                                application/octet-stream         application/octet-stream        
    17 C:\Users\IEUser\Downloads\23882                                                  C:\Users\IEUser\Downloads\23882                                                  2018-08-06 03:20:34.361326         1021         1021     1      0         0 2018-08-06 03:20:34.644559      0 https://github.com/kakbkc/literate-sniffle/blob/master/23882                           "896c1142f0...edd78eccd"                                application/octet-stream         application/octet-stream        
     2 C:\Users\IEUser\Downloads\01F57                                                  C:\Users\IEUser\Downloads\01F57                                                  2018-08-06 03:18:29.093970         1073         1073     1      0         0 2018-08-06 03:18:29.530521      0 https://github.com/kakbkc/literate-sniffle/blob/master/01F57                           "fa35a6344f...c45d813c6"                                appl                                                             
    84 C:\Users\IEUser\Downloads\CEECF                                                  C:\Users\IEUser\Downloads\CEECF                                                  2018-08-06 03:29:43.146420         1087         1087     1      0         0 2018-08-06 03:29:43.479690      0 https://github.com/kakbkc/literate-sniffle/blob/master/CEECF                           "e9581fc02d...5a926cdbd"                                application/octet-stream         application/octet-stream        
    83 C:\Users\IEUser\Downloads\C9449                                                  C:\Users\IEUser\Downloads\C9449                                                  2018-08-06 03:29:38.767424         1056         1056     1      0         0 2018-08-06 03:29:39.013612      0 https://github.com/kakbkc/literate-sniffle/blob/master/C9449                           "30b6737b8d...ca10f5a50"                                application/octet-stream         application/octet-stream        
    82 C:\Users\IEUser\Downloads\C8B91                                                  C:\Users\IEUser\Downloads\C8B91                                                  2018-08-06 03:29:32.343223         1064         1064     1      0         0 2018-08-06 03:29:32.683042      0 https://github.com/kakbkc/literate-sniffle/blob/master/C8B91                           "38963bd2b3...cb71243c3"                                application/octet-stream         application/octet-stream        
    81 C:\Users\IEUser\Downloads\C6F9F                                                  C:\Users\IEUser\Downloads\C6F9F                                                  2018-08-06 03:29:24.047784         1004         1004     1      0         0 2018-08-06 03:29:24.337354      0 https://github.com/kakbkc/literate-sniffle/blob/master/C6F9F                           "f720daae37...a9a9ea1ac"                                application/octet-stream         application/octet-stream        
    80 C:\Users\IEUser\Downloads\C65BC                                                  C:\Users\IEUser\Downloads\C65BC                                                  2018-08-06 03:29:12.965569         1083         1083     1      0         0 2018-08-06 03:29:13.258249      0 https://github.com/kakbkc/literate-sniffle/blob/master/C65BC                           "693614e82e...578e3c5a5"                                application/octet-stream         application/octet-stream        
    79 C:\Users\IEUser\Downloads\C27CC                                                  C:\Users\IEUser\Downloads\C27CC                                                  2018-08-06 03:29:02.171294         1095         1095     1      0         0 2018-08-06 03:29:02.467588      0 https://github.com/kakbkc/literate-sniffle/blob/master/C27CC                           "c64750012f...be5764d82"                                application/octet-stream         application/octet-stream        
   101 C:\Users\IEUser\Downloads\FE6B8                                                  C:\Users\IEUser\Downloads\FE6B8                                                  2018-08-06 03:31:16.357418         1039         1039     1      0         0 2018-08-06 03:31:16.592000      0 https://github.com/kakbkc/literate-sniffle/blob/master/FE6B8                           "25f94491b9...29dca12df"                                application/octet-stream         application/octet-stream        
   100 C:\Users\IEUser\Downloads\FBA83                                                  C:\Users\IEUser\Downloads\FBA83                                                  2018-08-06 03:31:11.700473         1029         1029     1      0         0 2018-08-06 03:31:11.950191      0 https://github.com/kakbkc/literate-sniffle/blob/master/FBA83                           "bb4ae18417...1fef30a2c"                                application/octet-stream         application/octet-stream        
    99 C:\Users\IEUser\Downloads\FB986                                                  C:\Users\IEUser\Downloads\FB986                                                  2018-08-06 03:31:05.681886         1097         1097     1      0         0 2018-08-06 03:31:05.928082      0 https://github.com/kakbkc/literate-sniffle/blob/master/FB986                           "3725def745...9d69b8dd5"                                application/octet-stream         application/octet-stream        
    98 C:\Users\IEUser\Downloads\F425A                                                  C:\Users\IEUser\Downloads\F425A                                                  2018-08-06 03:31:01.555487         1020         1020     1      0         0 2018-08-06 03:31:01.854499      0 https://github.com/kakbkc/literate-sniffle/blob/master/F425A                           "b8e7f63ee7...48fa6b91d"                                application/octet-stream         application/octet-stream        
    97 C:\Users\IEUser\Downloads\F3FBC                                                  C:\Users\IEUser\Downloads\F3FBC                                                  2018-08-06 03:30:57.149637         1049         1049     1      0         0 2018-08-06 03:30:57.397036      0 https://github.com/kakbkc/literate-sniffle/blob/master/F3FBC                           "661b0e7646...1e942ac8f"                                application/octet-stream         application/octet-stream        
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                application/octet-stream         application/octet-stream        
    95 C:\Users\IEUser\Downloads\E71C2                                                  C:\Users\IEUser\Downloads\E71C2                                                  2018-08-06 03:30:47.271597         1081         1081     1      0         0 2018-08-06 03:30:47.599151      0 https://github.com/kakbkc/literate-sniffle/blob/master/E71C2                           "c8a8a10cfa...009bbd2fc"                                application/octet-stream         application/octet-stream        
    94 C:\Users\IEUser\Downloads\E3CCD                                                  C:\Users\IEUser\Downloads\E3CCD                                                  2018-08-06 03:30:37.715785         1074         1074     1      0         0 2018-08-06 03:30:37.962243      0 https://github.com/kakbkc/literate-sniffle/blob/master/E3CCD                           "9d8a568280...0c2a4cc25"                                application/octet-stream         application/octet-stream        
    48 C:\Users\IEUser\Downloads\73830                                                  C:\Users\IEUser\Downloads\73830                                                  2018-08-06 03:25:45.761337         1026         1026     1      0         0 2018-08-06 03:25:46.059248      0 https://github.com/kakbkc/literate-sniffle/blob/master/73830                           "0da7c24dbb...a196d955c"                                application/octet-stream         application/octet-stream        
    47 C:\Users\IEUser\Downloads\730A4                                                  C:\Users\IEUser\Downloads\730A4                                                  2018-08-06 03:25:34.622880         1099         1099     1      0         0 2018-08-06 03:25:34.931338      0 https://github.com/kakbkc/literate-sniffle/blob/master/730A4                           "7ee1392079...1f82b7113"                                application/octet-stream         application/octet-stream        
    46 C:\Users\IEUser\Downloads\7139D                                                  C:\Users\IEUser\Downloads\7139D                                                  2018-08-06 03:25:27.377092         1011         1011     1      0         0 2018-08-06 03:25:27.668195      0 https://github.com/kakbkc/literate-sniffle/blob/master/7139D                           "7c43aca2a4...585268e68"                                application/octet-stream         application/octet-stream        
    45 C:\Users\IEUser\Downloads\6C45A                                                  C:\Users\IEUser\Downloads\6C45A                                                  2018-08-06 03:25:21.715661         1059         1059     1      0         0 2018-08-06 03:25:22.082701      0 https://github.com/kakbkc/literate-sniffle/blob/master/6C45A                           "15535de309...96a3f928c"                                application/octet-stream         application/octet-stream        
    44 C:\Users\IEUser\Downloads\69F38                                                  C:\Users\IEUser\Downloads\69F38                                                  2018-08-06 03:25:13.401479         1061         1061     1      0         0 2018-08-06 03:25:13.632098      0 https://github.com/kakbkc/literate-sniffle/blob/master/69F38                           "fbb89ac943...7e970c482"                                application/octet-stream         application/octet-stream        
    43 C:\Users\IEUser\Downloads\61923.txt                                              C:\Users\IEUser\Downloads\61923.txt                                              2018-08-06 03:25:02.828426            1            1     1      0         0 2018-08-06 03:25:02.887902      0                                                                                                                                                text/html                        text/html                       
    42 C:\Users\IEUser\Downloads\60291                                                  C:\Users\IEUser\Downloads\60291                                                  2018-08-06 03:24:33.913193         1041         1041     1      0         0 2018-08-06 03:24:34.160232      0 https://github.com/kakbkc/literate-sniffle/blob/master/60291                           "85dedde7e6...7d55e2e6f"                                application/octet-stream         application/octet-stream        
    41 C:\Users\IEUser\Downloads\5F5EC                                                  C:\Users\IEUser\Downloads\5F5EC                                                  2018-08-06 03:24:24.018538         1091         1091     1      0         0 2018-08-06 03:24:24.331415      0 https://github.com/kakbkc/literate-sniffle/blob/master/5F5EC                           "4eec83b7eb...49a55dcf3"                                application/octet-stream         application/octet-stream        
    40 C:\Users\IEUser\Downloads\5E7D2                                                  C:\Users\IEUser\Downloads\5E7D2                                                  2018-08-06 03:24:19.496683         1098         1098     1      0         0 2018-08-06 03:24:19.753267      0 https://github.com/kakbkc/literate-sniffle/blob/master/5E7D2                           "1953c35270...f9846fad3"                                application/octet-stream         application/octet-stream        
    39 C:\Users\IEUser\Downloads\5CD90                                                  C:\Users\IEUser\Downloads\5CD90                                                  2018-08-06 03:24:12.849979         1050         1050     1      0         0 2018-08-06 03:24:13.099006      0 https://github.com/kakbkc/literate-sniffle/blob/master/5CD90                           "3b57062764...c47b22ce0"                                application/octet-stream         application/octet-stream        
    38 C:\Users\IEUser\Downloads\5BEC8                                                  C:\Users\IEUser\Downloads\5BEC8                                                  2018-08-06 03:23:55.763479         1084         1084     1      0         0 2018-08-06 03:23:56.023106      0 https://github.com/kakbkc/literate-sniffle/blob/master/5BEC8                           "0c7c3138aa...ae5f96a54"                                application/octet-stream         application/octet-stream        
    37 C:\Users\IEUser\Downloads\5603A                                                  C:\Users\IEUser\Downloads\5603A                                                  2018-08-06 03:23:50.360605         1019         1019     1      0         0 2018-08-06 03:23:50.599211      0 https://github.com/kakbkc/literate-sniffle/blob/master/5603A                           "82d6d4bef3...acab55eef"                                application/octet-stream         application/octet-stream        
    36 C:\Users\IEUser\Downloads\521B6                                                  C:\Users\IEUser\Downloads\521B6                                                  2018-08-06 03:23:45.378551         1076         1076     1      0         0 2018-08-06 03:23:45.649116      0 https://github.com/kakbkc/literate-sniffle/blob/master/521B6                           "00b6a654e7...234e99e18"                                application/octet-stream         application/octet-stream        
    35 C:\Users\IEUser\Downloads\50D6C                                                  C:\Users\IEUser\Downloads\50D6C                                                  2018-08-06 03:23:40.875112         1048         1048     1      0         0 2018-08-06 03:23:41.112743      0 https://github.com/kakbkc/literate-sniffle/blob/master/50D6C                           "7d8c0a54d4...2af649c72"                                application/octet-stream         application/octet-stream        
    34 C:\Users\IEUser\Downloads\4581C                                                  C:\Users\IEUser\Downloads\4581C                                                  2018-08-06 03:23:36.767541         1013         1013     1      0         0 2018-08-06 03:23:37.049725      0 https://github.com/kakbkc/literate-sniffle/blob/master/4581C                           "d620bc6e86...44128f4db"                                application/octet-stream         application/octet-stream        
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                application/octet-stream         application/octet-stream        
    63 C:\Users\IEUser\Downloads\9E87A                                                  C:\Users\IEUser\Downloads\9E87A                                                  2018-08-06 03:27:26.224723         1009         1009     1      0         0 2018-08-06 03:27:26.515086      0 https://github.com/kakbkc/literate-sniffle/blob/master/9E87A                           "30488dc0c0...f61f135cd"                                application/octet-stream         application/octet-stream        
    62 C:\Users\IEUser\Downloads\968C5                                                  C:\Users\IEUser\Downloads\968C5                                                  2018-08-06 03:27:19.748446         1015         1015     1      0         0 2018-08-06 03:27:20.018040      0 https://github.com/kakbkc/literate-sniffle/blob/master/968C5                           "0cca9be69d...e2c98cc33"                                application/octet-stream         application/octet-stream        
    61 C:\Users\IEUser\Downloads\94A69                                                  C:\Users\IEUser\Downloads\94A69                                                  2018-08-06 03:27:13.542001         1008         1008     1      0         0 2018-08-06 03:27:13.783899      0 https://github.com/kakbkc/literate-sniffle/blob/master/94A69                           "168e2ee061...947d2ac68"                                application/octet-stream         application/octet-stream        
    60 C:\Users\IEUser\Downloads\941F9                                                  C:\Users\IEUser\Downloads\941F9                                                  2018-08-06 03:27:08.781601         1093         1093     1      0         0 2018-08-06 03:27:09.037411      0 https://github.com/kakbkc/literate-sniffle/blob/master/941F9                           "416c390271...08c9a49bd"                                application/octet-stream         application/octet-stream        
    59 C:\Users\IEUser\Downloads\8C4F4                                                  C:\Users\IEUser\Downloads\8C4F4                                                  2018-08-06 03:27:01.298806         1038         1038     1      0         0 2018-08-06 03:27:01.560604      0 https://github.com/kakbkc/literate-sniffle/blob/master/8C4F4                           "1ff6c22b34...193a3cbf2"                                application/octet-stream         application/octet-stream        
    58 C:\Users\IEUser\Downloads\89A92                                                  C:\Users\IEUser\Downloads\89A92                                                  2018-08-06 03:26:55.237782         1033         1033     1      0         0 2018-08-06 03:26:55.561439      0 https://github.com/kakbkc/literate-sniffle/blob/master/89A92                           "fb649a8d80...9b0b3957c"                                application/octet-stream         application/octet-stream        
    57 C:\Users\IEUser\Downloads\86B54                                                  C:\Users\IEUser\Downloads\86B54                                                  2018-08-06 03:26:50.198751         1090         1090     1      0         0 2018-08-06 03:26:50.607796      0 https://github.com/kakbkc/literate-sniffle/blob/master/86B54                           "7e2c62612f...26674de41"                                application/octet-stream         application/octet-stream        
    56 C:\Users\IEUser\Downloads\8530A                                                  C:\Users\IEUser\Downloads\8530A                                                  2018-08-06 03:26:44.057507         1088         1088     1      0         0 2018-08-06 03:26:44.452215      0 https://github.com/kakbkc/literate-sniffle/blob/master/8530A                           "2489265ebc...d60bf991e"                                application/octet-stream         application/octet-stream        
    55 C:\Users\IEUser\Downloads\812F5                                                  C:\Users\IEUser\Downloads\812F5                                                  2018-08-06 03:26:38.362641         1072         1072     1      0         0 2018-08-06 03:26:38.646574      0 https://github.com/kakbkc/literate-sniffle/blob/master/812F5                           "51b3e8ac91...ae6c3505f"                                application/octet-stream         application/octet-stream        
    54 C:\Users\IEUser\Downloads\80CBD                                                  C:\Users\IEUser\Downloads\80CBD                                                  2018-08-06 03:26:31.951385         1006         1006     1      0         0 2018-08-06 03:26:32.314204      0 https://github.com/kakbkc/literate-sniffle/blob/master/80CBD                           "91b43321cd...8344c55aa"                                application/octet-stream         application/octet-stream        
    53 C:\Users\IEUser\Downloads\8042C                                                  C:\Users\IEUser\Downloads\8042C                                                  2018-08-06 03:26:26.076986         1014         1014     1      0         0 2018-08-06 03:26:26.368192      0 https://github.com/kakbkc/literate-sniffle/blob/master/8042C                           "55a605bb5d...8f165c4f4"                                application/octet-stream         application/octet-stream        
    52 C:\Users\IEUser\Downloads\792F1                                                  C:\Users\IEUser\Downloads\792F1                                                  2018-08-06 03:26:16.149983         1065         1065     1      0         0 2018-08-06 03:26:16.444677      0 https://github.com/kakbkc/literate-sniffle/blob/master/792F1                           "2dd7cf2bc1...e971704b8"                                application/octet-stream         application/octet-stream        
    51 C:\Users\IEUser\Downloads\792C1                                                  C:\Users\IEUser\Downloads\792C1                                                  2018-08-06 03:26:08.505413         1037         1037     1      0         0 2018-08-06 03:26:08.803285      0 https://github.com/kakbkc/literate-sniffle/blob/master/792C1                           "130be2e97a...cd070283d"                                application/octet-stream         application/octet-stream        
    50 C:\Users\IEUser\Downloads\7854}                                                  C:\Users\IEUser\Downloads\7854}                                                  2018-08-06 03:26:03.231024         1101         1101     1      0         0 2018-08-06 03:26:03.530371      0 https://github.com/kakbkc/literate-sniffle/blob/master/7854%7D                         "bd4a9a6fdf...1032aa4dc"                                application/octet-stream         application/octet-stream        
    49 C:\Users\IEUser\Downloads\76E08                                                  C:\Users\IEUser\Downloads\76E08                                                  2018-08-06 03:25:56.007012         1028         1028     1      0         0 2018-08-06 03:25:56.375122      0 https://github.com/kakbkc/literate-sniffle/blob/master/76E08                           "deefa3ea35...1a2473427"                                application/octet-stream         application/octet-stream        
    19 C:\Users\IEUser\Downloads\2AC88                                                  C:\Users\IEUser\Downloads\2AC88                                                  2018-08-06 03:20:50.566815         1043         1043     1      0         0 2018-08-06 03:20:50.826217      0 https://github.com/kakbkc/literate-sniffle/blob/master/2AC88                           "05b222d677...996c5bd93"                                application/octet-stream         application/octet-stream        
    78 C:\Users\IEUser\Downloads\C1728                                                  C:\Users\IEUser\Downloads\C1728                                                  2018-08-06 03:28:55.999586         1085         1085     1      0         0 2018-08-06 03:28:56.244801      0 https://github.com/kakbkc/literate-sniffle/blob/master/C1728                           "cd3182fd0f...80c8072bd"                                application/octet-stream         application/octet-stream        
    77 C:\Users\IEUser\Downloads\C113E                                                  C:\Users\IEUser\Downloads\C113E                                                  2018-08-06 03:28:50.989559         1027         1027     1      0         0 2018-08-06 03:28:51.288581      0 https://github.com/kakbkc/literate-sniffle/blob/master/C113E                           "d977db7243...ee9f7eb5c"                                application/octet-stream         application/octet-stream        
    76 C:\Users\IEUser\Downloads\BE1C4                                                  C:\Users\IEUser\Downloads\BE1C4                                                  2018-08-06 03:28:44.772122         1007         1007     1      0         0 2018-08-06 03:28:45.042258      0 https://github.com/kakbkc/literate-sniffle/blob/master/BE1C4                           "71bcb9b176...cbf591378"                                application/octet-stream         application/octet-stream        
    75 C:\Users\IEUser\Downloads\BD86F                                                  C:\Users\IEUser\Downloads\BD86F                                                  2018-08-06 03:28:38.858287         1077         1077     1      0         0 2018-08-06 03:28:39.088544      0 https://github.com/kakbkc/literate-sniffle/blob/master/BD86F                           "1f80c8c5b7...b4189d56c"                                application/octet-stream         application/octet-stream        
    74 C:\Users\IEUser\Downloads\BC391                                                  C:\Users\IEUser\Downloads\BC391                                                  2018-08-06 03:28:33.952930         1086         1086     1      0         0 2018-08-06 03:28:34.190035      0 https://github.com/kakbkc/literate-sniffle/blob/master/BC391                           "fe76cfc003...387ee9bdd"                                application/octet-stream         application/octet-stream        
    73 C:\Users\IEUser\Downloads\BA58C                                                  C:\Users\IEUser\Downloads\BA58C                                                  2018-08-06 03:28:28.281751         1063         1063     1      0         0 2018-08-06 03:28:28.530953      0 https://github.com/kakbkc/literate-sniffle/blob/master/BA58C                           "07f1bf0d2c...33a752530"                                application/octet-stream         application/octet-stream        
    72 C:\Users\IEUser\Downloads\BA557                                                  C:\Users\IEUser\Downloads\BA557                                                  2018-08-06 03:28:22.439906         1016         1016     1      0         0 2018-08-06 03:28:22.678121      0 https://github.com/kakbkc/literate-sniffle/blob/master/BA557                           "19c2c14c13...91ffc1a05"                                application/octet-stream         application/octet-stream        
    71 C:\Users\IEUser\Downloads\B85B6                                                  C:\Users\IEUser\Downloads\B85B6                                                  2018-08-06 03:28:18.238660         1060         1060     1      0         0 2018-08-06 03:28:18.480740      0 https://github.com/kakbkc/literate-sniffle/blob/master/B85B6                           "ad21aafe76...eda94936e"                                application/octet-stream         application/octet-stream        
    70 C:\Users\IEUser\Downloads\B0A91                                                  C:\Users\IEUser\Downloads\B0A91                                                  2018-08-06 03:28:11.556215         1025         1025     1      0         0 2018-08-06 03:28:11.826752      0 https://github.com/kakbkc/literate-sniffle/blob/master/B0A91                           "fd1c36b6f9...5b2e74bd5"                                application/octet-stream         application/octet-stream        
    69 C:\Users\IEUser\Downloads\AF4A5                                                  C:\Users\IEUser\Downloads\AF4A5                                                  2018-08-06 03:28:06.910125         1040         1040     1      0         0 2018-08-06 03:28:07.142490      0 https://github.com/kakbkc/literate-sniffle/blob/master/AF4A5                           "88cbeaab94...f5c8fc0d3"                                application/octet-stream         application/octet-stream        
    68 C:\Users\IEUser\Downloads\AB38B                                                  C:\Users\IEUser\Downloads\AB38B                                                  2018-08-06 03:28:00.475619         1010         1010     1      0         0 2018-08-06 03:28:00.721414      0 https://github.com/kakbkc/literate-sniffle/blob/master/AB38B                           "7d4577c52b...e3d9cce37"                                application/octet-stream         application/octet-stream        
    67 C:\Users\IEUser\Downloads\A7DFE                                                  C:\Users\IEUser\Downloads\A7DFE                                                  2018-08-06 03:27:49.789232         1036         1036     1      0         0 2018-08-06 03:27:50.054038      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7DFE                           "7e4bb27c44...55c1d3c70"                                application/octet-stream         application/octet-stream        
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                application/octet-stream         application/octet-stream        
    65 C:\Users\IEUser\Downloads\A5149                                                  C:\Users\IEUser\Downloads\A5149                                                  2018-08-06 03:27:37.921109         1066         1066     1      0         0 2018-08-06 03:27:38.186869      0 https://github.com/kakbkc/literate-sniffle/blob/master/A5149                           "9725eb77f3...9fe4e6b35"                                application/octet-stream         application/octet-stream        
    64 C:\Users\IEUser\Downloads\9E8A4                                                  C:\Users\IEUser\Downloads\9E8A4                                                  2018-08-06 03:27:32.321791         1071         1071     1      0         0 2018-08-06 03:27:32.566072      0 https://github.com/kakbkc/literate-sniffle/blob/master/9E8A4                           "95f0420248...0f7a97e67"                                application/octet-stream         application/octet-stream        
    53 C:\Users\IEUser\Downloads\8042C                                                  C:\Users\IEUser\Downloads\8042C                                                  2018-08-06 03:26:26.076986         1014         1014     1      0         0 2018-08-06 03:26:26.368192      0 https://github.com/kakbkc/literate-sniffle/blob/master/8042C                           "55a605bb5d...8f165c4f4"                                application/octet-                                               
    93 C:\Users\IEUser\Downloads\E2CDB                                                  C:\Users\IEUser\Downloads\E2CDB                                                  2018-08-06 03:30:31.606693         1031         1031     1      0         0 2018-08-06 03:30:31.842920      0 https://github.com/kakbkc/literate-sniffle/blob/master/E2CDB                           "8b9f5d8137...17cb4913c"                                application/octet-stream         application/octet-stream        
    92 C:\Users\IEUser\Downloads\E0B28                                                  C:\Users\IEUser\Downloads\E0B28                                                  2018-08-06 03:30:23.779289         1012         1012     1      0         0 2018-08-06 03:30:24.094131      0 https://github.com/kakbkc/literate-sniffle/blob/master/E0B28                           "3c2b64abce...6a69371c0"                                application/octet-stream         application/octet-stream        
    91 C:\Users\IEUser\Downloads\E0983                                                  C:\Users\IEUser\Downloads\E0983                                                  2018-08-06 03:30:18.161954         1042         1042     1      0         0 2018-08-06 03:30:18.419321      0 https://github.com/kakbkc/literate-sniffle/blob/master/E0983                           "4aab43dce2...0438bff0e"                                application/octet-stream         application/octet-stream        
    90 C:\Users\IEUser\Downloads\DE516                                                  C:\Users\IEUser\Downloads\DE516                                                  2018-08-06 03:30:13.547867         1055         1055     1      0         0 2018-08-06 03:30:13.796791      0 https://github.com/kakbkc/literate-sniffle/blob/master/DE516                           "f0a0e6827d...fd5259135"                                application/octet-stream         application/octet-stream        
    89 C:\Users\IEUser\Downloads\DA182                                                  C:\Users\IEUser\Downloads\DA182                                                  2018-08-06 03:30:06.105575         1092         1092     1      0         0 2018-08-06 03:30:06.407949      0 https://github.com/kakbkc/literate-sniffle/blob/master/DA182                           "82f7c3153f...f869f4229"                                application/octet-stream         application/octet-stream        
    88 C:\Users\IEUser\Downloads\D73C0                                                  C:\Users\IEUser\Downloads\D73C0                                                  2018-08-06 03:30:01.211194         1002         1002     1      0         0 2018-08-06 03:30:01.519693      0 https://github.com/kakbkc/literate-sniffle/blob/master/D73C0                           "acee12264b...e680834dd"                                application/octet-stream         application/octet-stream        
    87 C:\Users\IEUser\Downloads\D6A89                                                  C:\Users\IEUser\Downloads\D6A89                                                  2018-08-06 03:29:57.032125         1051         1051     1      0         0 2018-08-06 03:29:57.309602      0 https://github.com/kakbkc/literate-sniffle/blob/master/D6A89                           "0bcaade519...08a5adfd3"                                application/octet-stream         application/octet-stream        
    86 C:\Users\IEUser\Downloads\D4297                                                  C:\Users\IEUser\Downloads\D4297                                                  2018-08-06 03:29:52.690294         1062         1062     1      0         0 2018-08-06 03:29:52.935694      0 https://github.com/kakbkc/literate-sniffle/blob/master/D4297                           "a476df257e...c729cfcae"                                application/octet-stream         application/octet-stream        
    85 C:\Users\IEUser\Downloads\D2D9E                                                  C:\Users\IEUser\Downloads\D2D9E                                                  2018-08-06 03:29:47.513258         1005         1005     1      0         0 2018-08-06 03:29:47.814073      0 https://github.com/kakbkc/literate-sniffle/blob/master/D2D9E                           "5f76f11816...ebfc629d6"                                application/octet-stre                                          
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                applicatio                                                       
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                applicatio                                                       
    85 C:\Users\IEUser\Downloads\D2D9E                                                  C:\Users\IEUser\Downloads\D2D9E                                                  2018-08-06 03:29:47.513258         1005         1005     1      0         0 2018-08-06 03:29:47.814073      0 https://github.com/kakbkc/literate-sniffle/blob/master/D2D9E                           "5f76f11816...ebfc629d6"                                application/octet-stream         application/octet-stream        
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                appl                                                             
    33 C:\Users\IEUser\Downloads\445CD                                                  C:\Users\IEUser\Downloads\445CD                                                  2018-08-06 03:23:31.638008         1035         1035     1      0         0 2018-08-06 03:23:31.946005      0 https://github.com/kakbkc/literate-sniffle/blob/master/445CD                           "9129c5d34c...1cea4d942"                                appl?                      €?      €?      €?            
    66 C:\Users\IEUser\Downloads\A7037                                                  C:\Users\IEUser\Downloads\A7037                                                  2018-08-06 03:27:44.603181         1018         1018     1      0         0 2018-08-06 03:27:44.946018      0 https://github.com/kakbkc/literate-sniffle/blob/master/A7037                           "b31939551b...56206d5d7"                                applicatioタ  ・・タ  ・         ・タ  ・・タ  ・・タ  ・        
    96 C:\Users\IEUser\Downloads\ED80D                                                  C:\Users\IEUser\Downloads\ED80D                                                  2018-08-06 03:30:52.983809         1045         1045     1      0         0 2018-08-06 03:30:53.237701      0 https://github.com/kakbkc/literate-sniffle/blob/master/ED80D                           "a25c27c64d...f231556ef"                                applicatioa.$.length-1?a         .Uw(a.$[b].Wr):a.Uw(a.$[        
$ volatility -f file_patched.dmp --profile=Win7SP1x86 chromedownloads --output=csv --output-file=chromedownloads.csv

Total Bytesは一部が1になっているのを除いて連番になっている。連番最終の1101のときにTarget Pathが7854}になっている。それぞれ順番につなげていけばいいのかもしれない。
重複しているものは1つのものとして結合し、2回結合することはしない。この連結させた結果を前に出てきたフラグの前半に結合させる。

def get_fname(s):
    return s[s.rfind('\\') + 1:]

with open('chromedownloads.csv', 'r') as f:
    lines = f.readlines()[1:]

d = {}
for line in lines:
    line = line.replace('\"', '').strip()
    target_path = line.split(',')[2]
    total_bytes = line.split(',')[5]
    #print get_fname(target_path), total_bytes
    if total_bytes != '1':
        d[total_bytes] = get_fname(target_path)

flag = 'tjctf{th1s_1s_n0t_a_v1ru5_'
for key, val in sorted(d.items()):
    flag += val

print flag

この結果は以下の通り。

tjctf{th1s_1s_n0t_a_v1ru5_D73C00EDD0C6F9FD2D9E80CBDBE1C494A699E87AAB38B7139DE0B284581C8042C968C5BA5571568EA70375603AF425A238823F6951FA712EEA8B0A9173830C113E76E08FBA833F47BE2CDB2DD8089A9206910445CDA7DFE792C18C4F4FE6B8AF4A560291E09832AC88112E8ED80D02F601D21850D6CF3FBC5CD90D6A89396172757E3F6A6DE516C94491CB1C0A3146C45AB85B669F38D4297BA58CC8B91792F1A51491867D3D0E8401319E8A4812F501F57E3CCD0FB71521B6BD86F3ACBB2E887181F0E71C20F32DC65BC5BEC8C1728BC391CEECF8530A3864C86B545F5ECDA182941F9C27CC11B53FB9865E7D2730A42B8A87854}
$ echo -n tjctf{th1s_1s_n0t_a_v1ru5_D73C00EDD0C6F9FD2D9E80CBDBE1C494A699E87AAB38B7139DE0B284581C8042C968C5BA5571568EA70375603AF425A238823F6951FA712EEA8B0A9173830C113E76E08FBA833F47BE2CDB2DD8089A9206910445CDA7DFE792C18C4F4FE6B8AF4A560291E09832AC88112E8ED80D02F601D21850D6CF3FBC5CD90D6A89396172757E3F6A6DE516C94491CB1C0A3146C45AB85B669F38D4297BA58CC8B91792F1A51491867D3D0E8401319E8A4812F501F57E3CCD0FB71521B6BD86F3ACBB2E887181F0E71C20F32DC65BC5BEC8C1728BC391CEECF8530A3864C86B545F5ECDA182941F9C27CC11B53FB9865E7D2730A42B8A87854} | md5sum
5f3edc3cc39b4771d3448fe20b5d6651  -
5f3edc3cc39b4771d3448fe20b5d6651

Real World CTF 2018 Quals 参戦

この大会は2018/7/28 11:00(JST)~2018/7/30 11:00(JST)に開催されました。
今回もチームで参戦。結果は0点で、ランク外でした。
check-inの問題ですら、よくわからず、答えにたどり着きませんでした。
全体的にわかりづらい問題が多く、難易度も高かったと思います。

CODE BLUE CTF 2018 Quals Writeup

この大会は2018/7/28 20:00(JST)~2018/7/29 20:00(JST)に開催されました。
今回もチームで参戦。結果は284点で542チーム中43位でした。
自分で解けた問題をWriteupとして書いておきます。

Sanity check

問題にフラグが書いてある。

CBCTF{sanity check}

lagalem (Crypto)

ElGmal暗号の問題。問題のパラメータは以下の通り。

g = 1468
h = 13176937611470940769675424427237214361327027262801017230328464476187661764921664954701796966426482598685480847329992216474898047298138546932927013411286080877561831522628228420965755215837424657249966873002314137994287169213354516263406270423795978394635388801400699885714033340665899016561199970830561882935631759522528099622669587315882980737349844878337007525538293173251532224267379685239505646821600410765279043812411429818495529092434724758640978876122625789495327928210547087547860489325326144621483366895679471870087870408957451137227143277719799927169623974008653573716761024220674229810095209914374390011024349L
A = 22171697832053348372915156043907956018090374461486719823366788630982715459384574553995928805167650346479356982401578161672693725423656918877111472214422442822321625228790031176477006387102261114291881317978365738605597034007565240733234828473235498045060301370063576730214239276663597216959028938702407690674202957249530224200656409763758677312265502252459474165905940522616924153211785956678275565280913390459395819438405830015823251969534345394385537526648860230429494250071276556746938056133344210445379647457181241674557283446678737258648530017213913802458974971453566678233726954727138234790969492546826523537158L
B = 21251918005448659289449540367076207273003136102402948519268321486936734267649761131906829634666742021555542747288804916060499331412675118289617172656894696939180508678248554638496093176525353583495353834532364036007392039073993229985968415793651145047522785446635657509992391925580677770086168373498842908951372029092354946478354834120976530860456422386647226785585577733215760931557612319244940761622252983954745116260878050222286503437408510241127875494413228131438716950664031868505118149350877745316461481208779725275726026031260556779604902294937659461052089402100729217965841272238065302532882861094831960922472L
p = 36416598149204678746613774367335394418818540686081178949292703167146103769686977098311936910892255381505012076996538695563763728453722792393508239790798417928810924208352785963037070885776153765280985533615624550198273407375650747001758391126814998498088382510133441013074771543464269812056636761840445695357746189203973350947418017496096468209755162029601945293367109584953080901393887040618021500119075628542529750701055865457182596931680189830763274025951607252183893164091069436120579097006203008253591406223666572333518943654621052210438476603030156263623221155480270748529488292790643952121391019941280923396132717L
q = 22703614806237330889410083770159223453128766013766321040706174044355426290328539338099711291079959714155244437030261032146984868113293511467274463709974076015468157237127672046781216262952714317506848836418718547505157984648161313592118697709984413028733405554946035544310954827596178187067728654513993575659442761349110567922330434847940441527278779320200714023296202983137830985906413366968841334238825204827013560287441312629166207563391639545363637173286538187147065563647798900324550559230799880457351250762884396716657695545274970206009025313609823106997020670498921913048309409470476279377425822906035488401579L

c1 = 33793492710782731124369494459076474097807208878884233971164269278616670211040150701930155825011078169703308214232135321652078394446224640155796276327836370352633498860894979473374779013668639507298858624745688704898736146513461608044730232178589141572128789087250031273718023043376262651608195761389064329854778210975268322619838848614213216968252753471982762060566109470077138563127080437316815457079933537918356467531614438670082804203944345043085444729429607433486011840510876970137900905036806208322070921744641554316383849334181081430914313498093196130476486829383116502543520979690739362110736793492207923196520816L
c2 = 5064525527428049600491919498697464537972502845819664938128937188305922639513846993504687207386360776106923020699628828454337579775714240066556800908455279363001454291677717261452161432964569952225095272897486314418226314084410743187186707224835212073276372184743923025929949904169574601792248026913036485498766503887136170182876527166516406031488332812278716443348188296343938621495282255755130158373758531773477662489309286204821174677297869253776424203299305194343234106107768105109553941283693258837262880530221857757115324039088850806164791445830838849835091131899191925571818438481246247468753757273234134261109718L

c1_ = 23858001256263338639930754561393744300621498668566466378945331004639513430979203635665722789744134073627181079853617277622660322019360636513261004488765082049390326032711679225336301342778034088938726495035474355141650387408421374480476173872396852119494181935635150757138413142985246448394125423745476143726661234600332521054350310909895716505182112634281850443223646354787752416535512150749925760599825164197040257221389261843550191277292909027805321111623815531377898276273229673439686502578126512634020924256597140201920931951309168862709610195813440797540084536725074915035709996827322859002529289313937152193672624L
c2_ = 16267453627205268534367753680421495469763757833841239080352379243552352542017520577799374052771731918885648298929081367071246911126370204338693352348289112387958308732218740188775134797384686955193576200043360689334709947260640015994980749571533954121908310007422239513584361571910193760719359731740480942535224174560848463926576528210476460419021197098876171728766893668501013719257464606515863038046180251018737679498423947578193874965936933252602254324298341970127449647765609487557270029347118240547476459496038940032926457872400805963990886019493151641503310555553381629104818030667858884055226529074481528015135269L

式を変形しながら、mを求める手段を考える。

c1  = pow(g, r1, p)
c1_ = pow(g, r2, p) = pow(g, (A * r1 + B), p)
    = pow(pow(g, r1, p), A, p) * pow(g, B, p) % p
    = pow(c1, A, p) * pow(g, B, p) % p
c2  = (m * pow(h, r1, p)) % p
c2_ = (m * pow(h, r2, p)) % p = (m * pow(h, (A * r1 + B), p)) % p
    = (m * pow(pow(h, r1, p), A, p) * pow(h, B, p)) % p
    = (m * pow(c2 * inverse(m, p), A, p) * pow(h, B, p)) % p
    = (m * pow(c2, A, p) * pow(inverse(m, p), A, p) * pow(h, B, p)) % p
    = (pow(c2, A, p) * pow(inverse(m, p), A-1, p) * pow(h, B, p)) % p

pow(inverse(m, p), A-1, p) = (c2_ * inverse(pow(c2, A, p), p) * inverse(pow(h, B, p), p)) % p

左辺はRSA暗号のような式だが、pは素数のため、さらに簡単にinverse(m, p)を計算できる。inverse(m, p)を計算できたら、そのinverseを求めればmになり、フラグがわかる。

from Crypto.Util.number import *

g = 1468
h = 13176937611470940769675424427237214361327027262801017230328464476187661764921664954701796966426482598685480847329992216474898047298138546932927013411286080877561831522628228420965755215837424657249966873002314137994287169213354516263406270423795978394635388801400699885714033340665899016561199970830561882935631759522528099622669587315882980737349844878337007525538293173251532224267379685239505646821600410765279043812411429818495529092434724758640978876122625789495327928210547087547860489325326144621483366895679471870087870408957451137227143277719799927169623974008653573716761024220674229810095209914374390011024349L
A = 22171697832053348372915156043907956018090374461486719823366788630982715459384574553995928805167650346479356982401578161672693725423656918877111472214422442822321625228790031176477006387102261114291881317978365738605597034007565240733234828473235498045060301370063576730214239276663597216959028938702407690674202957249530224200656409763758677312265502252459474165905940522616924153211785956678275565280913390459395819438405830015823251969534345394385537526648860230429494250071276556746938056133344210445379647457181241674557283446678737258648530017213913802458974971453566678233726954727138234790969492546826523537158L
B = 21251918005448659289449540367076207273003136102402948519268321486936734267649761131906829634666742021555542747288804916060499331412675118289617172656894696939180508678248554638496093176525353583495353834532364036007392039073993229985968415793651145047522785446635657509992391925580677770086168373498842908951372029092354946478354834120976530860456422386647226785585577733215760931557612319244940761622252983954745116260878050222286503437408510241127875494413228131438716950664031868505118149350877745316461481208779725275726026031260556779604902294937659461052089402100729217965841272238065302532882861094831960922472L
p = 36416598149204678746613774367335394418818540686081178949292703167146103769686977098311936910892255381505012076996538695563763728453722792393508239790798417928810924208352785963037070885776153765280985533615624550198273407375650747001758391126814998498088382510133441013074771543464269812056636761840445695357746189203973350947418017496096468209755162029601945293367109584953080901393887040618021500119075628542529750701055865457182596931680189830763274025951607252183893164091069436120579097006203008253591406223666572333518943654621052210438476603030156263623221155480270748529488292790643952121391019941280923396132717L
q = 22703614806237330889410083770159223453128766013766321040706174044355426290328539338099711291079959714155244437030261032146984868113293511467274463709974076015468157237127672046781216262952714317506848836418718547505157984648161313592118697709984413028733405554946035544310954827596178187067728654513993575659442761349110567922330434847940441527278779320200714023296202983137830985906413366968841334238825204827013560287441312629166207563391639545363637173286538187147065563647798900324550559230799880457351250762884396716657695545274970206009025313609823106997020670498921913048309409470476279377425822906035488401579L

c1 = 33793492710782731124369494459076474097807208878884233971164269278616670211040150701930155825011078169703308214232135321652078394446224640155796276327836370352633498860894979473374779013668639507298858624745688704898736146513461608044730232178589141572128789087250031273718023043376262651608195761389064329854778210975268322619838848614213216968252753471982762060566109470077138563127080437316815457079933537918356467531614438670082804203944345043085444729429607433486011840510876970137900905036806208322070921744641554316383849334181081430914313498093196130476486829383116502543520979690739362110736793492207923196520816L
c2 = 5064525527428049600491919498697464537972502845819664938128937188305922639513846993504687207386360776106923020699628828454337579775714240066556800908455279363001454291677717261452161432964569952225095272897486314418226314084410743187186707224835212073276372184743923025929949904169574601792248026913036485498766503887136170182876527166516406031488332812278716443348188296343938621495282255755130158373758531773477662489309286204821174677297869253776424203299305194343234106107768105109553941283693258837262880530221857757115324039088850806164791445830838849835091131899191925571818438481246247468753757273234134261109718L

c1_ = 23858001256263338639930754561393744300621498668566466378945331004639513430979203635665722789744134073627181079853617277622660322019360636513261004488765082049390326032711679225336301342778034088938726495035474355141650387408421374480476173872396852119494181935635150757138413142985246448394125423745476143726661234600332521054350310909895716505182112634281850443223646354787752416535512150749925760599825164197040257221389261843550191277292909027805321111623815531377898276273229673439686502578126512634020924256597140201920931951309168862709610195813440797540084536725074915035709996827322859002529289313937152193672624L
c2_ = 16267453627205268534367753680421495469763757833841239080352379243552352542017520577799374052771731918885648298929081367071246911126370204338693352348289112387958308732218740188775134797384686955193576200043360689334709947260640015994980749571533954121908310007422239513584361571910193760719359731740480942535224174560848463926576528210476460419021197098876171728766893668501013719257464606515863038046180251018737679498423947578193874965936933252602254324298341970127449647765609487557270029347118240547476459496038940032926457872400805963990886019493151641503310555553381629104818030667858884055226529074481528015135269L

c = (c2_ * inverse(pow(c2, A, p), p) * inverse(pow(h, B, p), p)) % p

phi = p - 1
d = inverse(A-1, phi)
inv_m = pow(c, d, p)

m = inverse(inv_m, p)
flag = ('%x' % m).decode('hex')
print flag
CBCTF{183a3ce8ed93df613b002252dfc741b2}

ISITDTU CTF 2018 Quals Writeup

この大会は2018/7/28 10:00(JST)~2018/7/29 4:00(JST)に開催されました。
今回もチームで参戦。結果は11883点で320チーム中2位でした。
自分で解けた問題をWriteupとして書いておきます。

WELCOME !!! (Misc)

Telegram Channelにフラグが書かれていた。

ISITDTU{Y0u_4r3_0nl1n3!!_3nj0y_th3_CTF}

Somewhere (Misc)

ソースを見るとhidden.cssを読み込んでいることが分かる。https://ctf.isitdtu.com/themes/DuyTan/static/css/hidden.cssにアクセスすると、フラグが表示された。

ISITDTU{y4y_y0u_f0und_m3!!!}

Play with ... (Misc)

0xffとXORをとると、PNGファイルになる。
f:id:satou-y:20180802214956p:plain
too low と書いてあるので、画像の高さを高くしてみる。
f:id:satou-y:20180802215110p:plain
鏡文字になっているので左右反転し、文字に起こす。

KVXHA3DFMFZWC3TUEBXG64RAMRUW22LOOV2GS33OEBSXQY3FNRWGK3TDMUQGC4DBOJ2G2ZLOORZSA2LNOBZ
HKZDFNZRWKIDUNBSSA3LFOQQG4ZLXFYQEI4TBO4QHAYLSOQQHI2DFNUQGQZJAMFXCA5DPEBUGKIDSN5XWMIDPN
ZWHSLRAJV2XG2LDEBWGKYLWMUQHGYLZEBSG633SOMQGQ2LNFYQFI33SMUQGE4TFMQQGM33SNUQGSZRAONU
WO2BAMNQXGZJAMFZSAZDPFYQFG5DBPFUW4ZZANBSSA3TPEBWG633LNFXGOIDJMYQGI3ZAN5YGS3TJN5XC4ICTM
VXHI2LNMVXHI4ZAO5QXSIDVNZSGK4TTORXW6ZBAMVXGIIDQMFZHI2LBNRUXI6JAMFXGIIDINFZS4IAKBJKHK4TOMV
SCA2LUEB2XAIDTNBXXK3DEEBXG6IDWMFWGYZLZEBRW65LTNFXCA2DFFYQFG4DFMFVWS3THEBXHK3LFOJXXK4ZAM
FZWWIDENFSCA2DPOJZGSYTMMUQHAYLDNNQWOZLTEBZWK5BOEBAXG2DBNVSWIIDIMVZHGZLMMYQGQYLTEBSGS
43UMFXHIIDDMFXCA43UOVSGSZLEEBWXE4ZOEBGGKZBAORUGK4TFMZXXEZJANF2HGIDNNFSGI3DFORXW4IDQMVZ
HAZLUOVQWYIDGOVWGM2LMNRSWIIDQOJXXM2LTNFXW4IDGOJQW423OMVZXGLRAIZWGCZZANFZSASKTJFKEIVCV
PM2G4XZUNZTTG3C7GBTF6MLNGRTTGX3IGNZDGIL5FYQFG3LBNRWCA2DFEBSHEYLXNYQGCZTUMVZCAYLNN5XGOID
FOZSXE6JAORUHEZLFEBXG6LRAIFWGYIDIMF3GS3THEBRHK5BAPFXXKIDFMR3WC4TEEBTWK3TJOVZSA5DIN52WO2BA
OJSW2YLSNMQG63TFFYQAUCSJNZZWS4DJMRUXI6JAORUGKIDTOVTGM2LDNFSW45BAMRUXGY3SMV2GS33OEBUW
24DSOVSGK3TDMUQHEZLTN5WHK5DJN5XCA43JOIQGQ2LNEBSGKY3JONUXMZLMPEXCAUDSN5RWKZLEEBUG65ZAM
FXHSIDFNZTWCZ3FMQQHM2LTNF2G64ROEBCXQ4DMMFUW4ZLEEBYHE33QOJUWK5DZEBXWMZRAN52XIIDQMVZH
AZLUOVQWYIDINFZSA6LPOUXCARTFMVWCA43PNRSCA33GMYQGMZLMOQQG4YLZEBZG643FEBWWK5BAPFXXKLRAK
5SSA43PEBSW45DSMVQXI2LFOMQGG5LMORUXMYLUMVSCAYLTORXW42LTNBSWIIDJOMXCAV3BOMQHG2LTORSXE
IDGN5ZCAZTFO4QGY33OM5SXEIDNOJZSA43VMRSGK3RAORQWYZLOOQQGEZLDN5WWKLRAIRXW4ZJANVQXSIDCN5
ZGKIDROVUXIIDFOZUWYIDPNRSCA3LINRSS4ICJMYQGY2LLMVWHSIDBNUQG6ZRAMJSWC5LUPEQHIYLTORSXGLRA

BASE32文字のようなので、デコードする。

Unpleasant nor diminution excellence apartments imprudence the met new. Draw part them he an to he roof only. Music leave say doors him. Tore bred form if sigh case as do. Staying he no looking if do opinion. Sentiments way understood end partiality and his.

Turned it up should no valley cousin he. Speaking numerous ask did horrible packages set. Ashamed herself has distant can studied mrs. Led therefore its middleton perpetual fulfilled provision frankness. Flag is ISITDTU{4n_4ng3l_0f_1m4g3_h3r3!}. Small he drawn after among every three no. All having but you edward genius though remark one.

Insipidity the sufficient discretion imprudence resolution sir him decisively. Proceed how any engaged visitor. Explained propriety off out perpetual his you. Feel sold off felt nay rose met you. We so entreaties cultivated astonished is. Was sister for few longer mrs sudden talent become. Done may bore quit evil old mhle. If likely am of beauty tastes.

文中にフラグがあった。

ISITDTU{4n_4ng3l_0f_1m4g3_h3r3!}

XOR (Crypto)

XOR keyは10バイト。計算して少し複雑な順番でXORをしているが、フラグの最初がISITDTU{で最後が}になることを使って、XOR keyを求め、復号する。

ISITDTU{*el*ome_to_ISITDTUCT*_C*ntest!_Hav3_a_g0*d_*ay._Hope_y0u_w1l*_3*j0y_and_hav3_a_h*gh*rank_1n_0ur_F1rs*_C*f_C0nt3st._Thank*}

1文字だけkeyがわからないが、{の後はWが来ると予想できることから復号する。

enc_flag = '1d14273b1c27274b1f10273b05380c295f5f0b03015e301b1b5a293d063c62333e383a20213439162e0037243a72731c22311c2d261727172d5c050b131c433113706b6047556b6b6b6b5f72045c371727173c2b1602503c3c0d3702241f6a78247b253d7a393f143e3224321b1d14090c03185e437a7a607b52566c6c5b6c034047'

m = []
for i in range(0, len(enc_flag), 2):
    m.append(int(enc_flag[i:i+2], 16))

idxes = []
for a in range(10):
    i = a
    for b in range(len(m)/10):
        if b % 2 != 0:
            idxes.append(i)
        else:
            idxes.append(i+10-(a+1+a))
        i += 10

FLAG_HEAD = 'ISITDTU{'
FLAG_TAIL = '}'

key = [-1] * 10
for i in range(len(FLAG_HEAD)):
    idx = idxes.index(i)
    key[9-i] = ord(FLAG_HEAD[i]) ^ m[idx]

print key

idx = idxes.index(len(m) - 1)
key[0] = ord(FLAG_TAIL) ^ m[idx]

FLAG_EXPECTED_FIRST = 'W'
idx = idxes.index(len(FLAG_HEAD))
key[1] = ord(FLAG_EXPECTED_FIRST) ^ m[idx]

flag = ''
for i in range(len(m)):
    idx = idxes.index(i)
    k = key[idx//(len(m)/10)]
    if k == -1:
        flag += '*'
    else:
        flag += chr(m[idx] ^ k)

print flag
ISITDTU{Welcome_to_ISITDTUCTF_C0ntest!_Hav3_a_g00d_day._Hope_y0u_w1ll_3nj0y_and_hav3_a_h1gh_rank_1n_0ur_F1rst_Ctf_C0nt3st._Thank5}

Love CryptoGraphy (Crypto)

mesに"ISITDTU"が含まれていることがわかっている。同じ文字は同じ数字になるので、該当箇所を探す。

I: 1470896290937720121923671834268680644293311486759008609851306976
S: 998119569566922793772397587105095499481847516084421474175736111
I: 1470896290937720121923671834268680644293311486759008609851306976
T: 2108440654988370562048343461399852810852299068780806568036885800
D: 549685894064591284908235658839357390847445522332458370260385633
T: 2108440654988370562048343461399852810852299068780806568036885800
U: 903564225292763328142142737672378470519554721949504047040621938

このことからm, c, nを求める。それから逆算すれば、復号できる。

from Crypto.Util.number import inverse

enc_nums = [360575205516272353647725959973923332922859934062623515990157287L, 147121471099487603100103942210642238821212368870164629959708554L, 973776523698456974485285268207248463304785539161797442415515724L, 973776523698456974485285268207248463304785539161797442415515724L, 1989542264845745277130976293069288745712944297723265109141551240L, 2251682090999461666252822948628263912168715816760972058692440747L, 147121471099487603100103942210642238821212368870164629959708554L, 500999802327659646334011021043663318493321568487210306739944859L, 147121471099487603100103942210642238821212368870164629959708554L, 690110490875978577594520719909097376417907156757045161010173205L, 1516765543474947948979702045905703600901480327048677973465980375L, 1446553245069254302636559515370833608116249509836384578091086589L, 1989542264845745277130976293069288745712944297723265109141551240L, 1351997900795094837006304665938116579153956715701467150955972416L, 1516765543474947948979702045905703600901480327048677973465980375L, 1684350025354504872471293852031961738394959051951467495881755709L, 2251682090999461666252822948628263912168715816760972058692440747L, 595555146601819111964265870476380347455614362622127733875059032L, 1162887212246775905745794967072682521229371127431632296685744070L, 2273208297668223674021740841367439832599822680128017390546893759L, 1800431576297426345870466594203854687788358709453430254871322894L, 2251682090999461666252822948628263912168715816760972058692440747L, 2273208297668223674021740841367439832599822680128017390546893759L, 1800431576297426345870466594203854687788358709453430254871322894L, 2251682090999461666252822948628263912168715816760972058692440747L, 1516765543474947948979702045905703600901480327048677973465980375L, 1989542264845745277130976293069288745712944297723265109141551240L, 1705876232023266880240211744771137658826065915318512827736208721L, 690110490875978577594520719909097376417907156757045161010173205L, 2251682090999461666252822948628263912168715816760972058692440747L, 1257442556520935371376049816505399550191663921566549723820858243L, 973776523698456974485285268207248463304785539161797442415515724L, 336232159647806534360613641076076296745797957139999484229936900L, 52566126825328137469849092777925209858919574735247202824594381L, 1022462615435388613059509906002942535658909493007045505935956498L, 2251682090999461666252822948628263912168715816760972058692440747L, 1470896290937720121923671834268680644293311486759008609851306976L, 998119569566922793772397587105095499481847516084421474175736111L, 1470896290937720121923671834268680644293311486759008609851306976L, 2108440654988370562048343461399852810852299068780806568036885800L, 549685894064591284908235658839357390847445522332458370260385633L, 2108440654988370562048343461399852810852299068780806568036885800L, 903564225292763328142142737672378470519554721949504047040621938L, 1422210199200788483349447196472986571939187532913760546330866202L, 1446553245069254302636559515370833608116249509836384578091086589L, 690110490875978577594520719909097376417907156757045161010173205L, 147121471099487603100103942210642238821212368870164629959708554L, 336232159647806534360613641076076296745797957139999484229936900L, 2178652953394064208391485991934722803637529885993099963411779586L, 430787503921965999990868490508793325708090751274916911365051073L, 171464516967953422387216261108489274998274345792788661719928941L, 1754562323760198518814436382566831731180189869163760891256649495L, 1565451635211879587553926683701397673255604280893926036986421149L, 430787503921965999990868490508793325708090751274916911365051073L, 1705876232023266880240211744771137658826065915318512827736208721L, 879221179424297508855030418774531434342492745026880015280401551L, 2178652953394064208391485991934722803637529885993099963411779586L, 879221179424297508855030418774531434342492745026880015280401551L, 1989542264845745277130976293069288745712944297723265109141551240L, 1611320887749107414609956895338420629863773121183595400601094548L, 879221179424297508855030418774531434342492745026880015280401551L, 430787503921965999990868490508793325708090751274916911365051073L, 336232159647806534360613641076076296745797957139999484229936900L, 973776523698456974485285268207248463304785539161797442415515724L, 973776523698456974485285268207248463304785539161797442415515724L, 1327654854926629017719192347040269542976894738778843119195752029L]

enc_S = enc_nums[37]
enc_T = enc_nums[39]
enc_U = enc_nums[42]

m = enc_T - enc_S
n = m - (enc_U - enc_T)
c = (enc_S - m * ord('S')) % n

mes = ''
for enc_num in enc_nums:
    code = ((enc_num - c) * inverse(m, n)) % n
    mes += chr(code)

print mes

実行結果は以下の通り。

Hello everybody, this is your flag: ISITDTU{break_LCG_unknown_all}
ISITDTU{break_LCG_unknown_all}

Baby (Crypto)

numerを指定。flagの値とのorのsha512を返す。各ビットの1とXORを取り変わらなければ1、変われば0になることを使って、1ビットずつフラグを割り出す。

import socket
from hashlib import *

def checkFlag(flag_bit, h):
    f = int(flag_bit, 2)
    if sha512(str(f)).digest().encode('hex') == h:
        return True
    else:
        return False

def convFlag(flag_bit):
    flag = ''
    for i in range(0, len(flag_bit), 8):
        flag += chr(int(flag_bit[i:i+8], 2))
    return flag

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('35.185.178.212', 33337))

data = s.recv(1024)
data += s.recv(1024)
print data + '0'
s.sendall('0\n')
data = s.recv(1024)
data += s.recv(1024)
print data
h_flag = data.split('\n')[1]
print 'h_flag =', h_flag

bit = 0
flag_bit = ''
while True:
    number = 2**bit
    print number
    s.sendall(str(number) + '\n')
    data = s.recv(1024)
    data += s.recv(1024)
    print data
    h = data.split('\n')[1]
    if h == h_flag:
        flag_bit = '1' + flag_bit
    else:
        flag_bit = '0' + flag_bit

    if len(flag_bit) % 8 == 0:
        flag = convFlag(flag_bit)
        print flag
        if checkFlag(flag_bit, h_flag):
            break

    bit += 1

flag = convFlag(flag_bit)
print flag
ISITDTU{bit_flipping_is_fun}

Simple RSA (Crypto)

コードの以下の部分からおおよそpはNを10**6で割った数値の4乗根。

p = next_prime(p)
p1 = next_prime(p*10)
p2 = next_prime(p1*10)
p3 = next_prime(p2*10)
N = p*p1*p2*p3

その値から少しずつ調整し、各要素の乗算がNになるものを探す。素因数分解できれば、あとはMulti-prime RSAの復号の解き方で復号できる。

import gmpy
from Crypto.Util.number import *

def rev_next_prime(n):
    num = n - 1
    while True:
        if isPrime(num):
            return num
        num += 1

def chinese_remainder(n, a):
    sum = 0
    prod = reduce(lambda a, b: a*b, n)

    for n_i, a_i in zip(n, a):
        p = prod / n_i
        sum += a_i * gmpy.invert(p, n_i) * p
    return sum % prod

N = 603040899191765499692105412408128039799635285914243838639458755491385487537245112353139626673905393100145421529413079339538777058510964724244525164265239307111938912323072543529589488452173312928447289267651249034509309453696972053651162310797873759227949341560295688041964008368596191262760564685226946006231
e = 65537
c = 153348390614662968396805701018941225929976855876673665545678808357493865670852637784454103632206407687489178974011663144922612614936251484669376715328818177626125051048699207156003563901638883835345344061093282392322541967439067639713967480376436913225761668591305793224841429397848597912616509823391639856132

tmp_p = gmpy.root(N // (10**6), 4)[0]

while True:
    p = rev_next_prime(tmp_p)
    p1 = rev_next_prime(p*10)
    p2 = rev_next_prime(p1*10)
    p3 = rev_next_prime(p2*10)
    if p*p1*p2*p3 == N:
        break
    tmp_p -= 1

primes = []
primes.append(p)
primes.append(p1)
primes.append(p2)
primes.append(p3)

n_ary = []
a_ary = []
for p in primes:
    phi = p - 1
    d = gmpy.invert(e, phi)
    mk = pow(c, d, p)
    n_ary.append(p)
    a_ary.append(mk)

m = chinese_remainder(n_ary, a_ary)
flag = ('%x' % m).decode('hex')
print flag
ISITDTU{f6b2b7472273aacf803ecfe93607a914}

aes_cnv (Crypto)

$ nc 35.185.111.53 13337
******************************************************************
* Challenge created by chung96vn                                 *
* My blog: https://chung96vn.blogspot.com                        *
* From: AceBear Team                                             *
******************************************************************


Give me content of your request you want to encrypt: aaa
Your encypted: kO/CNrsWq0FJ7jA86Jjcb3zpu/AoSRxt4gXXpWlgOeYwqjZGfbXZZ8BKNaSvFbup
Give me encrypted of your request: kO/CNrsWq0FJ7jA86Jjcb3zpu/AoSRxt4gXXpWlgOeYwqjZGfbXZZ8BKNaSvFbup
Your request: aaa
Bye~~

以下、処理のメモ。

req: 暗号化する文字(Give me the flagで始まるものはダメ)
game.encode(req)を表示
enc: 暗号化文字
game.decode(enc)を表示
Give me the flagで始まるものの場合、フラグを表示

Give me the flagは16文字なので、1ブロック目しか気にする必要はない。以下のように調整すれば、1ブロック目の暗号化は同じになり、フラグが得られるはず。

aaaaaaaaaaaaaaa ^ IV1 =  Give me the flag ^ IV2
import socket
import re
from base64 import b64decode
from base64 import b64encode

def str_xor(s1, s2):
    return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('35.185.111.53', 13337))

data = s.recv(1024)
data += s.recv(1024)
plain1 = 'a' * 16
print data + plain1

s.sendall(plain1 + '\n')
data = s.recv(1024)
data += s.recv(1024)
print data[:-1],

pattern = 'Your encypted: (.+)'
m = re.search(pattern, data)
b64_enc = m.group(1)
enc = b64decode(b64_enc)
iv1 = enc[:16]
enc_body = enc[16:]

plain2 = 'Give me the flag'
iv2 = str_xor(str_xor(plain1, iv1), plain2)
enc = iv2 + enc_body
b64_enc = b64encode(enc)
print b64_enc

s.sendall(b64_enc + '\n')
data = s.recv(1024)
data += s.recv(1024)
print data
ISITDTU{chung96vn_i5_v3ry_h4nds0m3}

CTFZone 2018 Quals Writeup

この大会は2018/7/21 18:00(JST)~2018/7/23 6:00(JST)に開催されました。
今回もチームで参戦。結果は875点で637チーム中28位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome to CTFZone!

問題にフラグが書いてある。

ctfzone{2018}

Federation Workflow System (CRYPTO)

$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
list</msg>
lorem.txt,flag.txt,admin.txt,password.txt</msg>

$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
login</msg>
8150411504</msg>

$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file lorem.txt</msg>
N5VO/+EIu1GtkPR8HsxkQ8w/18vV42h0xVeBBL4R9QVTcJhPE9ZrqX23saQBdnKcwHp6fVMag+a+k57SMyVcsmRRmGJwWClSCSOUHh+FHyIiup5mHFUHpn1PsFV53GbesDRKE6NjBGpxKdf0iO7S/9GFJcqa5d4vR65QLG0Nw4YEigM2EgZB9F6s/Rrz9z/0sG6lDLEErtVAjungqmnmcYVfLcZ7TpV8GRXlJppwhwrJKwWSTowJ+68DomDZx3jEAxCmrE547TbL5ZVIpfynSNcVYL1mHI1PgWuM1/Rpojoofae4qviTFaDGtOEOOy+TwMuMR8LuVy2nXuKpPFUiOu9td2WKcQA+vf1zMKJPrbVQfBN1CFbZMX5Bgt6UVLuGAoSQn/t9pYMwQ2ourJV20GzmAOObhyQxe/12dBNaYmHTn4/zDJB35GOE7VKAYESVd5rGEZ25miUMLWQkUr+dYiCE3ylKFjkgGk8PGTDdCgdnytqK34gy8x5Lult3rUwQduHlriOa8UQ0awlVIeB7js5JtfgZ2jfSfSJAnw9xTN1yrnJnPaZr5Ofx+bmiwjS4vuHD/rr6DD1Rk2bp0aVSEji80QQbUjfvZitMqtN6IIYmtrWLnzwWOmFLNsugIojhY3OaXb5TdiJcPg58PI7cBfIJT6uYK3VlwQzdFQQAyZXzPclnq5FLE9FgNzeMIOtDHZbCh8SEFeGn3o80YPScJmWVc9WgysLDvaPHFsXxzEI=</msg>
$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file flag.txt</msg>
a0DGKiriDPsP6ILG+SxK2jhUPjEBcHHSJV7gpqcjiQA=</msg>
$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file admin.txt</msg>
wwXYDdGHxF4hjoO5/jOu62I1bZzDof2NwmkGrXCN8tZISxU9L1JJrvbTswK7LVd8XZvfDrRfF715j8DPDFFdDw==</msg>
$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file password.txt</msg>
26yRuctJGSszUouMVgPy2OyKuRFpaHaYlEvvxpZXO31Cz9KAgtd7whefNgExU2wX</msg>

$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file ../top_secret/server.log</msg>
+s9BHx3ZJ63gULLTNFtpwZyaziwmAjPXHs1ob6x28qVk4PHps81ItKmQ48h1xWJn</msg>
$ nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331
file ../top_secret/real.flag</msg>
aU+tYnYcQZ+kVti6l+aCEXfvGsdC4jgVpP1nL065BkXaM6MkmQ7MapG2uwT4+obq</msg>
$ nc crypto-04.v7frkwrfyhsjtb
file ../top_secret/aes.key</msg>
/XXk19YZgWPHK+QCzuyXuDclnD1kINNGDFWrcUNDBcBsm2rInegIuMXvFpJpSjdG</msg>
$ nc crypto-04.v7frkwrfyhsjtb
file totp.secret</msg>
tPT1pw0IliLk+Rg/dlUHoNf/z5M3bfY+uFelVQLzJbo=</msg>

各メニューの機能は以下の通り。

■list
以下を表示
・lorem.txt
・flag.txt
・admin.txt
・password.txt

■login
時刻(エポック秒数)を表示

■file
・content: 指定ファイル読み込み
 ・\x00が含まれている場合はそこまではファイル名とする。
・response: "<ファイル名>: <ファイルの内容>"
・encrypted_response: responseのAES暗号(ECB)

■admin
・check_totpでOKである場合にフラグが表示される。

../totp.secretの内容を復号する。あとはAES-ECBで1文字ずつはみ出させ、ブルートフォースで復号する。さらにサーバ時刻を取得し、その情報を復号データを使って、admin tokenを算出して提示すればフラグが得られる。

import hmac
import socket
from hashlib import sha1
from struct import pack, unpack
from base64 import b64decode
import string

totp_key = '../totp.secret'

block_size = 16
buff_size = 1024

def get_enc(file):
    host = 'crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one'
    port = 7331
    snd_format = 'file %s</msg>'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))

    snd_data = snd_format % file
    s.sendall(snd_data)
    data = s.recv(buff_size)
    print data
    return data.replace('</msg>', '')

def get_time():
    host = 'crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one'
    port = 7331
    snd_format = 'login</msg>'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))

    snd_data = snd_format
    s.sendall(snd_data)
    data = s.recv(buff_size)
    print data
    return data.replace('</msg>', '')

def snd_admin_tk(pin):
    host = 'crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one'
    port = 7331
    snd_format = 'admin %s</msg>'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))

    snd_data = snd_format % pin
    s.sendall(snd_data)
    data = s.recv(buff_size)
    print data
    return data.replace('</msg>', '')

key = ''
for i in range(48):
    file = totp_key + '\x00' * (i + 1)
    data = get_enc(file)
    correct_data = b64decode(data)[64:80]

    for c in string.hexdigits:
        try_file = totp_key + '\x00' * 2 + c + key
        print try_file
        pad = block_size - len(try_file) % block_size
        try_file = try_file + (pad * chr(pad))
        try_enc = get_enc(try_file)
        if b64decode(try_enc)[16:32] == correct_data:
            key = c + key
            break

print key

tm = int(get_time())
counter = pack('>Q', tm // 30)
print counter.encode('hex')
totp_hmac = hmac.new(key.encode('UTF-8'), counter, sha1).digest()
offset = ord(totp_hmac[19]) & 15
totp_pin = str((unpack('>I', totp_hmac[offset:offset + 4])[0] & 0x7fffffff) % 1000000)
token = totp_pin.zfill(6)
print token

msg = snd_admin_tk(token)
print msg
ctfzone{A74D92B6E05F4457375AC152286C6F51}

Meepwn CTF Quals 2018 Writeup

この大会は2018/7/14 4:00(JST)~2018/7/16 4:00(JST)に開催されました。
今回もチームで参戦。結果は940点で744チーム中61位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome (Misc)

問題にフラグが書いてある。

MeePwnCTF{welcome_to_meepwnctf_2018}

bazik (Crypto)

平文か以下の形式になっていることがわかっている。

Your OTP for transaction #731337 in ABCXYZ Bank is NNNNNNNNN.(NNNNNNNNN: 9桁の数字)

暗号が提示されるので、復号して9桁の数字を求める問題。平文の前半が分かっているので、Coppersmith's Attackで復号する。

$ nc 206.189.92.209 31333
	
Choose one:
1. Test the OTP
2. Get the public key
3. Get flag
2
-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC0PgHUVlh3cH1QKTsyKBEHBoDC
LejSAfudEhJ7ITULJwWMAJ5nhYH3eHb24/oEnIPHtnjR3yHN8gR2JKs0KY6Oc3jt
Vt6U6abIdkDt5YpLTk6klFSUtpfUjuy2vtyKo3WS6i5Z7TBX2q8/gUtYohPAhW/c
BtP1PaC4Ml27a/fZdQIBAw==
-----END PUBLIC KEY-----
	
Choose one:
1. Test the OTP
2. Get the public key
3. Get flag
3
encrypted dat: 37d243fe30baea0ceaa207ccae44334ffacecf3697445c2853ba0db0a472f3005e0fc5ab7523d4537e7a20d3e944dde0c5d4e92653152d51cb9ee6a9b4a957c4a3568436ae4545eb6ecf7fd12465c476cb59375b9b7da887854b8de90228e48682b8eab0db668920544d2b5bfe453d7cb206f9a5c00aaf6d06345f9962544bf1
send me otp to get flag >>>

ここでまず公開鍵のパラメータを取り出す。

from Crypto.PublicKey import RSA

pub_data = '''-----BEGIN PUBLIC KEY-----
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC0PgHUVlh3cH1QKTsyKBEHBoDC
LejSAfudEhJ7ITULJwWMAJ5nhYH3eHb24/oEnIPHtnjR3yHN8gR2JKs0KY6Oc3jt
Vt6U6abIdkDt5YpLTk6klFSUtpfUjuy2vtyKo3WS6i5Z7TBX2q8/gUtYohPAhW/c
BtP1PaC4Ml27a/fZdQIBAw==
-----END PUBLIC KEY-----
'''

pubkey = RSA.importKey(pub_data)
print 'n =', pubkey.n
print 'e =', pubkey.e

実行結果は以下の通り。

n = 126570387993773352057464496047518114039089955376411255273758820936424244005934231264031191100470471935989623362348875902002280486519035600680585067072794780485752362063129809129821906479269502815397703207234439049607596246154296610116751481620203765168805157880468117635796057965545347449889775012276948425077
e = 3

このパラメータを使って、暗号データを復号する。

# solve.sage
n = 126570387993773352057464496047518114039089955376411255273758820936424244005934231264031191100470471935989623362348875902002280486519035600680585067072794780485752362063129809129821906479269502815397703207234439049607596246154296610116751481620203765168805157880468117635796057965545347449889775012276948425077
e = 3
c = 0x37d243fe30baea0ceaa207ccae44334ffacecf3697445c2853ba0db0a472f3005e0fc5ab7523d4537e7a20d3e944dde0c5d4e92653152d51cb9ee6a9b4a957c4a3568436ae4545eb6ecf7fd12465c476cb59375b9b7da887854b8de90228e48682b8eab0db668920544d2b5bfe453d7cb206f9a5c00aaf6d06345f9962544bf1

beta = 1
epsilon = beta^2/7

nbits = n.nbits()
kbits = floor(nbits*(beta^2/e-epsilon))

msg = 'Your OTP for transaction #731337 in ABCXYZ Bank is XXXXXXXXXX'
msg = msg.replace('X', '\x00')
mbar = int(msg.encode('hex'), 16)

PR.<x> = PolynomialRing(Zmod(n))
f = (mbar + x)^e - c

x0 = f.small_roots(X=2^kbits, beta=1)[0]
real_msg = ('%x' % (mbar +x0)).decode('hex')
print real_msg

実行結果は以下の通り。

Your OTP for transaction #731337 in ABCXYZ Bank is 708540637.

得られたOTPを入力する。

send me otp to get flag >>> 708540637
MeePwnCTF{blackbox-rsa-is-0xd34d}
MeePwnCTF{blackbox-rsa-is-0xd34d}

esor (Crypto)

AES暗号CBCモードのivとkeyがわかっているので、暗号文を復号するだけ。

import socket
from Crypto.Cipher import AES

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('206.189.92.209', 12345))

data = s.recv(256)
data += s.recv(256)
print data + '1'
s.sendall('1\n')
data = s.recv(256)
print data + '1'
s.sendall('1\n')
data = s.recv(256)
print data + '1'
s.sendall('1\n')
data = s.recv(256)
print data

iv = data.decode('hex')[:16]
enc = data.decode('hex')[16:]

encrypt_key = '\xff' * 32
_aes = AES.new(encrypt_key, AES.MODE_CBC, iv)
print _aes.decrypt(enc)
MeePwnCTF{pooDL3-this-is-la-vie-en-rose-P00dle!}