CursedCTF 2024 Quals Writeup

CTF writeup

この大会は2024/3/30 9:00(JST)~2024/4/1 13:00以降(不明)に開催されました。
今回もチームで参戦。結果は4049点で3002チーム中39位でした。
自分で解けた問題をWriteupとして書いておきます。

sanity-check (misc)

問題にフラグが書いてあった。

cursedctf{cursedctf{cursedctf{cursedctf{cursedctf{cursedctf{flag}}}}}}

Geoguessra (osint)

画像を少しだけ右側、下側を削り、画像検索する。一番近い景色と思われるエトナ山がフラグとして通った。

cursedctf{etna}

Geoguessr6 (osint)

奥の建造物を焦点に置き、画像検索すると、以下のぺージなどが見つかった。

https://haikyo.info/s/6400.html

モントーク空軍基地の辺りであることがわかる。

cursedctf{montauk}

Geoguessrm (osint)

海を中心に画像検索すると、アラル海の写真が見つかる。

cursedctf{aral-sea}

Geoguessr4 (osint)

上を1/3位削り、下を少し削って画像検索すると、似たような建物が集中している箇所が以下のページなどで見つかる。

https://www.booking.com/hotel/gl/jomsborg-ilulissat.ja.html

このあたりの場所はIlulissatという地域。

cursedctf{ilulissat}

LETSGOOOOOOOOOOO2 (osint)

BURGERSのシールが貼られているブロックがある。Googleで「LEGO BURGERS」を調べる。
以下のページなどで「レゴ シティ バーガートラック 60404」が見つかった。

https://www.amazon.co.jp/%E3%83%AC%E3%82%B4-LEGO-%E3%83%90%E3%83%BC%E3%82%AC%E3%83%BC%E3%83%88%E3%83%A9%E3%83%83%E3%82%AF-%E3%81%AF%E3%81%9F%E3%82%89%E3%81%8F%E3%81%8F%E3%82%8B%E3%81%BE-60404/dp/B0CFW2KC3H?th=1
cursedctf{60404}

ezpwn (pwn)

Ghidraでデコンパイルする。

undefined8 main(void)

{
  vuln();
  return 0;
}

void vuln(void)

{
  int iVar1;
  size_t sVar2;
  char local_28 [32];
  
  printf("Hi! what\'s your name? ");
  gets(local_28);
  iVar1 = strcmp(local_28,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
  if (iVar1 == 0) {
    sVar2 = strlen(local_28);
    print_flag(sVar2 & 0xffffffff);
  }
  return;
}

void print_flag(uint param_1)

{
  printf("Congrats! Your flag is: cursed{ez_buffer_overflow?_%d}\n",(ulong)param_1);
  return;
}

print_flag関数の引数で渡しているのは、"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"の長さ。

>>> s = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
>>> len(s)
42
cursed{ez_buffer_overflow?_42}

Crypto Curses (crypto)

画像ファイルにあるURLから末尾1文字だけ見えないので、16進数の総当たりで該当するページを見つける。結果以下のURLで見つかった。

https://chat.openai.com/share/5a19884d-dc6f-421a-b5ea-153cbbce3877

復号した文字列は以下のように記載されている。

This is a secret message. It's a coming after, but it's spending him with a weird.

最後に以下がフラグであることが記載されている。

cursed{secret}
cursed{secret}

viewing (crypto)

各URLについて、リンク先とその値を記録する。

http://adfoc.us/852190101943995
→https://people.cs.rutgers.edu/~rp1110/viewing/key_0_6e82a44556266aa26ca13f817c3ec36f.txt
→bb8d8662f042380e02c5464f4ff8f9a4fa64d24b28a624709be929bc8317041b5d73dc784cd295c123

http://adfoc.us/852190102765961
→https://people.cs.rutgers.edu/~rp1110/viewing/key_10_0a148e7cdf3f72a15c808f32f73cfa8c.txt
→66780007a3aa4b2c96fc79dd83aa12fe362f38a42ccc4355d8a0d0079446354bb478990cdf3ab03fcb

http://adfoc.us/852190102765962
→https://people.cs.rutgers.edu/~rp1110/viewing/key_11_a0780e0f29eb255059be3b8c28b680b8.txt
→fcf16461d105e1872731a750b12d65b68ce2a5048cf42fa0a9ff951335c164c607dddc11a96015da61

http://adfoc.us/852190102765963
→https://people.cs.rutgers.edu/~rp1110/viewing/key_12_be4350c7b7e1e5499e9ed6afae203ac8.txt
→273f9f067fc3235c33ba79bc76217886d6542d80981bc8d794da24d30f61893f61f73432853ff475b4

http://adfoc.us/852190102765964
→https://people.cs.rutgers.edu/~rp1110/viewing/key_13_0453a62de62861b1038f6a1163f1219b.txt
→0235827a65e17fa7177188a7c9101a68b99f8bd99f5d242b32be16cb3bd073f9c8093640db9be60c6f

http://adfoc.us/852190102765965
→https://people.cs.rutgers.edu/~rp1110/viewing/key_14_9e39eec4d0458911dc16c89f76dd9cdb.txt
→88e530d66bf0cdada3179eb54b73c0936ba889375726940dc6c03051e0a4f3f035d406a5c088289411

http://adfoc.us/852190102765966
→https://people.cs.rutgers.edu/~rp1110/viewing/key_1_529956d3c980661884867365e0a59f99.txt
→41bbccfaa873b521b2ad3d543dfaac12d6883c2cc16934a14d22a305882d47d91972263c3c20192135

http://adfoc.us/852190102765967
→https://people.cs.rutgers.edu/~rp1110/viewing/key_15_b94c56972d5d076c09b6decbc526ade3.txt
→20da55588306639e2cb4960b11f46b172ac99a1df688b7d72d7ea907f6810548df7babe6974d889a37

http://adfoc.us/852190102765968
→https://people.cs.rutgers.edu/~rp1110/viewing/key_16_8c2d5d7d92f15e1e12b0761bd49868f1.txt
→c58b4aec3534b9b0e6ebf16c176e40965e9a8d5df6b1a6ad19128d22e3d9715778cf49d34b7276b717

http://adfoc.us/852190102765969
→https://people.cs.rutgers.edu/~rp1110/viewing/key_17_5938a92009a9b03d196e63175597f6c7.txt
→7bda9fef8d591cc7e61996dc949d1a7fb72bc4787fae6827b58e4a2b750a05fe865aaa4e1ff8c972e1

http://adfoc.us/852190102765970
→https://people.cs.rutgers.edu/~rp1110/viewing/key_18_c78fcc81608acfbe142aea69b8fe5211.txt
→96e0fff512e15ecc75abd38bbacaf34022b9d4cbd67a2d90278f7d5cf3312df0a511cfcdedc71eed86

http://adfoc.us/852190102765971
→https://people.cs.rutgers.edu/~rp1110/viewing/key_19_857fabe656d69c230623282cc41db3bf.txt
→98c0112acab6b179a80bbccd93457a658928e3d6e2cf97f05e1a117610f4087d9422e2baab27aa0283

http://adfoc.us/852190102765972
→https://people.cs.rutgers.edu/~rp1110/viewing/key_20_d0165f0d4bd62a43f4da4a00f60036bf.txt
→f4f6d525f6e6277dc9adf42b31fd441b7570d34b5cc5a3a0a5092e3db474e442dab496382398da4eb2

http://adfoc.us/852190102765973
→https://people.cs.rutgers.edu/~rp1110/viewing/key_21_be70a99c81494e8d2ae810f6d42f105e.txt
→100ac93d5213b69f1c017900f0bfc228ffc6c3984f440d5107d9d265cdc948b86333b3aca3790134cc

http://adfoc.us/852190102765974
→https://people.cs.rutgers.edu/~rp1110/viewing/key_22_5f2a3c66990a9af3d89446e7198b334c.txt
→b1fa0ddbcfc85ff22763633bcb67072ff3d2425712d1040b0abadd0071acb92e5c8816fbef7492887c

http://adfoc.us/852190102765975
→https://people.cs.rutgers.edu/~rp1110/viewing/key_2_3453c485088298a8b933fd31548a15be.txt
→ca1a9844e53122e7010aa0bd6ab42f683edc4596bdfd420701a6799c467bac6df81f03867dc598b0a1

http://adfoc.us/852190102765976
→https://people.cs.rutgers.edu/~rp1110/viewing/key_23_6ab4ff044a413eedf57433735b77f62f.txt
→0ea674736b0da0ed81405d715293f5164a24eef539eb7e0261fe8466612e92ac465bbcd9ca35cfb035

http://adfoc.us/852190102765977
→https://people.cs.rutgers.edu/~rp1110/viewing/key_24_f6e77321965b825bf72a3a1e1a025756.txt
→2ff74bc660c9461301f579538bbd1223567e80dbd31bbbeb73714b9f57220a49b26fc328e697502260

http://adfoc.us/852190102765978
→https://people.cs.rutgers.edu/~rp1110/viewing/key_25_bcea729783b4b183b55857e5fca0beca.txt
→0e11256e0f065d41bb9dcfd54eab98f02699a33c9ff66290b64df628ae286045ec656fe90387305471

http://adfoc.us/852190102765979
→https://people.cs.rutgers.edu/~rp1110/viewing/key_26_c6e751662b38b049ce3ae344baf5d55f.txt
→4c1d1555238f290dd4fd6eea0f7a07394cdf305031ca2ba5a7f711b012cbdb2f00a40a7799af30e93f

http://adfoc.us/852190102765980
→https://people.cs.rutgers.edu/~rp1110/viewing/key_27_60622e6e871094fc1df9850f4f63b04f.txt
→6e53a5c148d9963b1a13258a4e0a6b02609011840236ff8c9515f9ffe9f9e0f6f80eefdbc637861c0e

http://adfoc.us/852190102765981
→https://people.cs.rutgers.edu/~rp1110/viewing/key_28_c532c4a1624e64d7f759405f718efeac.txt
→75748318d94836b8c776f61b2a54a678d7a132c22640de820428c1380f942b58b1d4181b091cca2ab1

http://adfoc.us/852190102765982
→https://people.cs.rutgers.edu/~rp1110/viewing/key_29_61c870f7d0d98e9aa3aac0fe693ffcd9.txt
→1303116778362a6f60e80df792ca3488b3d811e6668e59b22c0bac612796d7d8aef82c5de9cea20f5a

http://adfoc.us/852190102765983
→https://people.cs.rutgers.edu/~rp1110/viewing/key_30_a59ea600157ba2729ea1ae6427a06b32.txt
→d9003a17802955cfb31f6fcd867882de37d6efa5eb637baa7e7b053f25c7a47917850027cf06ad303b

http://adfoc.us/852190102765984
→https://people.cs.rutgers.edu/~rp1110/viewing/key_31_59ae2d81571fd694a9d6b97242d09c58.txt
→38ae99ad6ff121ab815cd8d22290c895ec8db9bed90305e9acd3a7b414474414cc1a288fdc951247d3

http://adfoc.us/852190102765985
→https://people.cs.rutgers.edu/~rp1110/viewing/key_3_e2b65d2204515cf541319f36f70a1b67.txt
→afb9f249b270319f5560cfd7b1d50414d13b2de33abe5a762ad838db43c04f2237f31b3bf4fd5a3d75

http://adfoc.us/852190102765986
→https://people.cs.rutgers.edu/~rp1110/viewing/key_4_f44dbdc50e1156b68c65aa105c73712d.txt
→f6f09b7fbc99e45acc936d81d6b65a0debd3c9e223943dd9978d5b039aaad363ca5a7a84cb2ef3dd82

http://adfoc.us/852190102765987
→https://people.cs.rutgers.edu/~rp1110/viewing/key_5_f43cfac7016698fd69ed7db8bb8e61cd.txt
→709d2925a03518fb8340bb78dd9975140939b80b1fbc4c887766f363b3ff53fe9bc82c03dba634d7d9

http://adfoc.us/852190102765988
→https://people.cs.rutgers.edu/~rp1110/viewing/key_6_718bd3c866d00d7c4cd68f4cf9533f52.txt
→7a59d849a6dfbf99e0fae195f8e1e9c91a40faec68cc3f9843671bd7f8885f735321552d233c6e77ab

http://adfoc.us/852190102765989
→https://people.cs.rutgers.edu/~rp1110/viewing/key_7_6bdb0ff81cc265b5ee620e9790e40694.txt
→76ca355bffa7e7e74c0075be1034458a7bcc752b257202bbc5855b6e80c725e814d005ec719f091f1f

http://adfoc.us/852190102765990
→https://people.cs.rutgers.edu/~rp1110/viewing/key_8_c7ba4e619320ceff8ae1364b3eb72ab1.txt
→daaa65b40827c0afe9695900292abd4f901f71a125db33ccfcee081b17523453d447c943989c820a8d

http://adfoc.us/852190102765991
→https://people.cs.rutgers.edu/~rp1110/viewing/key_9_1d72ffcd7ba902d2f1d09975aa900c07.txt
→bdd3d80f40e547c5a83cfbddfa63690db1979782d73b68d027610b9f47d0252e77f09312cb4f69f181

http://adfoc.us/852190102765992
→https://people.cs.rutgers.edu/~rp1110/viewing/out.txt
→697b1d14cd4c761d7b69b7bf11646855353777e150db8b1a3e1605f6b2a9ba05f318252c5a6ba7ecec

32個のkeyとout.txtの情報が得られた。この情報から逆算し、フラグを求める。

#!/usr/bin/env python3
PERM_1 = {0: 120, 1: 224, 2: 249, 3: 98, 4: 88, 5: 4, 6: 210, 7: 54, 8: 83, 9: 63, 10: 153, 11: 245, 12: 203, 13: 139, 14: 137, 15: 39, 16: 217, 17: 1, 18: 90, 19: 107, 20: 72, 21: 96, 22: 191, 23: 112, 24: 199, 25: 113, 26: 16, 27: 160, 28: 58, 29: 214, 30: 236, 31: 51, 32: 91, 33: 147, 34: 145, 35: 226, 36: 208, 37: 114, 38: 13, 39: 175, 40: 187, 41: 184, 42: 243, 43: 146, 44: 87, 45: 6, 46: 247, 47: 131, 48: 100, 49: 136, 50: 110, 51: 71, 52: 55, 53: 242, 54: 89, 55: 228, 56: 252, 57: 144, 58: 215, 59: 200, 60: 251, 61: 38, 62: 21, 63: 232, 64: 48, 65: 115, 66: 135, 67: 121, 68: 240, 69: 8, 70: 148, 71: 173, 72: 60, 73: 198, 74: 84, 75: 80, 76: 17, 77: 241, 78: 219, 79: 2, 80: 33, 81: 101, 82: 77, 83: 134, 84: 128, 85: 161, 86: 29, 87: 119, 88: 181, 89: 20, 90: 149, 91: 157, 92: 150, 93: 227, 94: 165, 95: 117, 96: 37, 97: 85, 98: 42, 99: 32, 100: 231, 101: 185, 102: 81, 103: 127, 104: 69, 105: 65, 106: 156, 107: 196, 108: 220, 109: 162, 110: 47, 111: 103, 112: 223, 113: 132, 114: 41, 115: 99, 116: 0, 117: 53, 118: 93, 119: 170, 120: 195, 121: 171, 122: 202, 123: 22, 124: 111, 125: 15, 126: 244, 127: 254, 128: 169, 129: 76, 130: 19, 131: 43, 132: 179, 133: 167, 134: 26, 135: 230, 136: 97, 137: 159, 138: 49, 139: 206, 140: 155, 141: 138, 142: 197, 143: 142, 144: 5, 145: 30, 146: 28, 147: 176, 148: 229, 149: 7, 150: 250, 151: 130, 152: 166, 153: 211, 154: 218, 155: 140, 156: 82, 157: 92, 158: 106, 159: 62, 160: 216, 161: 56, 162: 178, 163: 238, 164: 64, 165: 124, 166: 59, 167: 118, 168: 102, 169: 182, 170: 11, 171: 151, 172: 44, 173: 205, 174: 67, 175: 253, 176: 109, 177: 9, 178: 201, 179: 73, 180: 186, 181: 180, 182: 31, 183: 248, 184: 34, 185: 36, 186: 116, 187: 61, 188: 222, 189: 192, 190: 239, 191: 177, 192: 122, 193: 133, 194: 204, 195: 50, 196: 94, 197: 164, 198: 194, 199: 95, 200: 237, 201: 213, 202: 10, 203: 209, 204: 104, 205: 154, 206: 188, 207: 24, 208: 183, 209: 27, 210: 189, 211: 174, 212: 126, 213: 45, 214: 143, 215: 212, 216: 221, 217: 23, 218: 234, 219: 123, 220: 193, 221: 158, 222: 255, 223: 141, 224: 163, 225: 75, 226: 18, 227: 70, 228: 3, 229: 105, 230: 246, 231: 35, 232: 152, 233: 86, 234: 233, 235: 108, 236: 40, 237: 79, 238: 74, 239: 172, 240: 125, 241: 207, 242: 78, 243: 46, 244: 14, 245: 235, 246: 168, 247: 25, 248: 190, 249: 66, 250: 225, 251: 12, 252: 129, 253: 52, 254: 57, 255: 68}
PERM_2 = {120: 0, 224: 1, 249: 2, 98: 3, 88: 4, 4: 5, 210: 6, 54: 7, 83: 8, 63: 9, 153: 10, 245: 11, 203: 12, 139: 13, 137: 14, 39: 15, 217: 16, 1: 17, 90: 18, 107: 19, 72: 20, 96: 21, 191: 22, 112: 23, 199: 24, 113: 25, 16: 26, 160: 27, 58: 28, 214: 29, 236: 30, 51: 31, 91: 32, 147: 33, 145: 34, 226: 35, 208: 36, 114: 37, 13: 38, 175: 39, 187: 40, 184: 41, 243: 42, 146: 43, 87: 44, 6: 45, 247: 46, 131: 47, 100: 48, 136: 49, 110: 50, 71: 51, 55: 52, 242: 53, 89: 54, 228: 55, 252: 56, 144: 57, 215: 58, 200: 59, 251: 60, 38: 61, 21: 62, 232: 63, 48: 64, 115: 65, 135: 66, 121: 67, 240: 68, 8: 69, 148: 70, 173: 71, 60: 72, 198: 73, 84: 74, 80: 75, 17: 76, 241: 77, 219: 78, 2: 79, 33: 80, 101: 81, 77: 82, 134: 83, 128: 84, 161: 85, 29: 86, 119: 87, 181: 88, 20: 89, 149: 90, 157: 91, 150: 92, 227: 93, 165: 94, 117: 95, 37: 96, 85: 97, 42: 98, 32: 99, 231: 100, 185: 101, 81: 102, 127: 103, 69: 104, 65: 105, 156: 106, 196: 107, 220: 108, 162: 109, 47: 110, 103: 111, 223: 112, 132: 113, 41: 114, 99: 115, 0: 116, 53: 117, 93: 118, 170: 119, 195: 120, 171: 121, 202: 122, 22: 123, 111: 124, 15: 125, 244: 126, 254: 127, 169: 128, 76: 129, 19: 130, 43: 131, 179: 132, 167: 133, 26: 134, 230: 135, 97: 136, 159: 137, 49: 138, 206: 139, 155: 140, 138: 141, 197: 142, 142: 143, 5: 144, 30: 145, 28: 146, 176: 147, 229: 148, 7: 149, 250: 150, 130: 151, 166: 152, 211: 153, 218: 154, 140: 155, 82: 156, 92: 157, 106: 158, 62: 159, 216: 160, 56: 161, 178: 162, 238: 163, 64: 164, 124: 165, 59: 166, 118: 167, 102: 168, 182: 169, 11: 170, 151: 171, 44: 172, 205: 173, 67: 174, 253: 175, 109: 176, 9: 177, 201: 178, 73: 179, 186: 180, 180: 181, 31: 182, 248: 183, 34: 184, 36: 185, 116: 186, 61: 187, 222: 188, 192: 189, 239: 190, 177: 191, 122: 192, 133: 193, 204: 194, 50: 195, 94: 196, 164: 197, 194: 198, 95: 199, 237: 200, 213: 201, 10: 202, 209: 203, 104: 204, 154: 205, 188: 206, 24: 207, 183: 208, 27: 209, 189: 210, 174: 211, 126: 212, 45: 213, 143: 214, 212: 215, 221: 216, 23: 217, 234: 218, 123: 219, 193: 220, 158: 221, 255: 222, 141: 223, 163: 224, 75: 225, 18: 226, 70: 227, 3: 228, 105: 229, 246: 230, 35: 231, 152: 232, 86: 233, 233: 234, 108: 235, 40: 236, 79: 237, 74: 238, 172: 239, 125: 240, 207: 241, 78: 242, 46: 243, 14: 244, 235: 245, 168: 246, 25: 247, 190: 248, 66: 249, 225: 250, 12: 251, 129: 252, 52: 253, 57: 254, 68: 255}

def bxor(a, b): return bytes(x ^ y for x, y in zip(a, b))

KEYS = [
    'bb8d8662f042380e02c5464f4ff8f9a4fa64d24b28a624709be929bc8317041b5d73dc784cd295c123',
    '41bbccfaa873b521b2ad3d543dfaac12d6883c2cc16934a14d22a305882d47d91972263c3c20192135',
    'ca1a9844e53122e7010aa0bd6ab42f683edc4596bdfd420701a6799c467bac6df81f03867dc598b0a1',
    'afb9f249b270319f5560cfd7b1d50414d13b2de33abe5a762ad838db43c04f2237f31b3bf4fd5a3d75',
    'f6f09b7fbc99e45acc936d81d6b65a0debd3c9e223943dd9978d5b039aaad363ca5a7a84cb2ef3dd82',
    '709d2925a03518fb8340bb78dd9975140939b80b1fbc4c887766f363b3ff53fe9bc82c03dba634d7d9',
    '7a59d849a6dfbf99e0fae195f8e1e9c91a40faec68cc3f9843671bd7f8885f735321552d233c6e77ab',
    '76ca355bffa7e7e74c0075be1034458a7bcc752b257202bbc5855b6e80c725e814d005ec719f091f1f',
    'daaa65b40827c0afe9695900292abd4f901f71a125db33ccfcee081b17523453d447c943989c820a8d',
    'bdd3d80f40e547c5a83cfbddfa63690db1979782d73b68d027610b9f47d0252e77f09312cb4f69f181',
    '66780007a3aa4b2c96fc79dd83aa12fe362f38a42ccc4355d8a0d0079446354bb478990cdf3ab03fcb',
    'fcf16461d105e1872731a750b12d65b68ce2a5048cf42fa0a9ff951335c164c607dddc11a96015da61',
    '273f9f067fc3235c33ba79bc76217886d6542d80981bc8d794da24d30f61893f61f73432853ff475b4',
    '0235827a65e17fa7177188a7c9101a68b99f8bd99f5d242b32be16cb3bd073f9c8093640db9be60c6f',
    '88e530d66bf0cdada3179eb54b73c0936ba889375726940dc6c03051e0a4f3f035d406a5c088289411',
    '20da55588306639e2cb4960b11f46b172ac99a1df688b7d72d7ea907f6810548df7babe6974d889a37',
    'c58b4aec3534b9b0e6ebf16c176e40965e9a8d5df6b1a6ad19128d22e3d9715778cf49d34b7276b717',
    '7bda9fef8d591cc7e61996dc949d1a7fb72bc4787fae6827b58e4a2b750a05fe865aaa4e1ff8c972e1',
    '96e0fff512e15ecc75abd38bbacaf34022b9d4cbd67a2d90278f7d5cf3312df0a511cfcdedc71eed86',
    '98c0112acab6b179a80bbccd93457a658928e3d6e2cf97f05e1a117610f4087d9422e2baab27aa0283',
    'f4f6d525f6e6277dc9adf42b31fd441b7570d34b5cc5a3a0a5092e3db474e442dab496382398da4eb2',
    '100ac93d5213b69f1c017900f0bfc228ffc6c3984f440d5107d9d265cdc948b86333b3aca3790134cc',
    'b1fa0ddbcfc85ff22763633bcb67072ff3d2425712d1040b0abadd0071acb92e5c8816fbef7492887c',
    '0ea674736b0da0ed81405d715293f5164a24eef539eb7e0261fe8466612e92ac465bbcd9ca35cfb035',
    '2ff74bc660c9461301f579538bbd1223567e80dbd31bbbeb73714b9f57220a49b26fc328e697502260',
    '0e11256e0f065d41bb9dcfd54eab98f02699a33c9ff66290b64df628ae286045ec656fe90387305471',
    '4c1d1555238f290dd4fd6eea0f7a07394cdf305031ca2ba5a7f711b012cbdb2f00a40a7799af30e93f',
    '6e53a5c148d9963b1a13258a4e0a6b02609011840236ff8c9515f9ffe9f9e0f6f80eefdbc637861c0e',
    '75748318d94836b8c776f61b2a54a678d7a132c22640de820428c1380f942b58b1d4181b091cca2ab1',
    '1303116778362a6f60e80df792ca3488b3d811e6668e59b22c0bac612796d7d8aef82c5de9cea20f5a',
    'd9003a17802955cfb31f6fcd867882de37d6efa5eb637baa7e7b053f25c7a47917850027cf06ad303b',
    '38ae99ad6ff121ab815cd8d22290c895ec8db9bed90305e9acd3a7b414474414cc1a288fdc951247d3'
]
ct = '697b1d14cd4c761d7b69b7bf11646855353777e150db8b1a3e1605f6b2a9ba05f318252c5a6ba7ecec'
KEYS = [bytes.fromhex(k) for k in KEYS]
ct = bytes.fromhex(ct)

for k in KEYS[::-1]:
    roundkey = k
    for round in range(35):
        ct = bxor(ct, roundkey)
        roundkey = bytes(PERM_1[x] for x in roundkey)
        roundkey = bytes(PERM_2[x] for x in roundkey)

FLAG = ct.decode()
print(FLAG)

cursed{th4nk5_f0R_th3_c4Sh_8907d34e13a93}

hashbash (crypto)

サーバ処理の概要は以下の通り。

・inp: 16進数表記でhashにする文字列→hexデコード
・inpの長さは2以上であることをチェック
・hash_vals: HASH_ALGSの各アルゴリズムとその値のペアの辞書オブジェクト
・辞書オブジェクトの各アルゴリズムとその値を表示
・各アルゴリズムで値が3つ重複したら、フラグを表示
・各アルゴリズムで値が4つ重複したら、フラグ2を表示
・各アルゴリズムで値が5つ以上重複したら、フラグ3を表示

試しに0000を指定してみたら、フラグが表示された。

$ nc chals.4.cursedc.tf 31347
Enter string to hash (in hex): 0000
hash_bkdr(input) = 0x0
hash_djb2(input) = 0x1505
hash_js(input) = 0x4e67c6a7
hash_loselose(input) = 0x0
hash_sdbm(input) = 0x0
hash_crc32(input) = 0x41d912ff
Collision found! flag: cursed{bash_hash_make_cash}

cursed{bash_hash_make_cash}

fuck-joseph (crypto)

https://www.dcode.fr/prime-factors-decompositionでnを素因数分解する。

n = 75629683263434000464256062537146260915414088592541977770372518611110392769911 × 103749244738821801782446603878316975490744140733056657767774654036053137570499

あとは通常通り、RSA暗号の復号を行う。

#!/usr/bin/env python3
from Crypto.Util.number import *

e = 0x10001
n = 7846522518417589248988270000148869175483871909654188312830201338531351693904665461071052407652236904088895038751386311924570942790683843571278725648455589
c = 1946110978290405473570099039854806688094550945176127267787841744655801986217136119749922835315145822060478526423855096901944949875018840782662648593492571

p = 75629683263434000464256062537146260915414088592541977770372518611110392769911
q = 103749244738821801782446603878316975490744140733056657767774654036053137570499
assert n == p * q

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m).decode()
print(flag)

cursed{s0rry_j0s3ph_y0u_4r3_t00_g00d}