Add cvctf

cryptoversectf-2022/Crypto/1337/README.md

@@ -0,0 +1,23 @@
+# 1337
+
+## Description
+
+A leet challenge.
+
+## Solution
+
+A challenge on basic Sage usage: `PolynomialRing`, `Ideal` and `variety` are very powerful. (I learned it from a past CTF and thought it's good to put in beginner CTFs.)
+
+```py
+a = [213929627434382339098735177055751649916, 19199104003461693263250446715340616788, 81305572597778258494448971196865605263, 204055349607012377951682156574173649079, 2268211308285612387872477045295901103]
+p = 231609284865232306744388160907453774453
+
+from Crypto.Util.number import long_to_bytes
+
+P.<x,y,z,w> = PolynomialRing(FiniteField(p))
+I = Ideal([x+y**3+z**3+w**7-a[0],y+z**3+w**3+x**7-a[1],z+w**3+x**3+y**7-a[2],w+x**3+y**3+z**7-a[3], x+y+z+w-a[4]])
+ans = I.variety()
+
+for _,v in ans[0].items():
+    print(long_to_bytes(int(v)).decode(), end='')
+```

cryptoversectf-2022/Crypto/1337/challenge/player.sage

@@ -0,0 +1,28 @@
+from Crypto.Util.number import inverse, bytes_to_long, getPrime
+
+FLAG = b"cvctf{REDACTED}"
+step = len(FLAG) // 4
+parts = []
+for i in range(0, len(FLAG), step):
+    parts.append(bytes_to_long(FLAG[i:i+step]))
+
+P = getPrime(128)
+ZmodP = Zmod(P)
+a, b, c, d = parts
+x, y, z, w = ZmodP(a), ZmodP(b), ZmodP(c), ZmodP(d)
+
+print("P:", P)
+print("L:", x^1+y^3+z^3+w^7)
+print("E:", y^1+z^3+w^3+x^7)
+print("E:", z^1+w^3+x^3+y^7)
+print("E:", w^1+x^3+y^3+z^7)
+print("T:", x+y+z+w)
+
+'''
+P: 231609284865232306744388160907453774453
+L: 213929627434382339098735177055751649916
+E: 19199104003461693263250446715340616788
+E: 81305572597778258494448971196865605263
+E: 204055349607012377951682156574173649079
+T: 2268211308285612387872477045295901103
+'''

cryptoversectf-2022/Crypto/1337/solution/solve.sage

@@ -0,0 +1,9 @@
+a = [213929627434382339098735177055751649916, 19199104003461693263250446715340616788, 81305572597778258494448971196865605263, 204055349607012377951682156574173649079, 2268211308285612387872477045295901103]
+p = 231609284865232306744388160907453774453
+
+from Crypto.Util.number import long_to_bytes
+P.<x,y,z,w> = PolynomialRing(FiniteField(p))
+I = Ideal([x+y**3+z**3+w**7-a[0],y+z**3+w**3+x**7-a[1],z+w**3+x**3+y**7-a[2],w+x**3+y**3+z**7-a[3], x+y+z+w-a[4]])
+ans = I.variety()
+for _,v in ans[0].items():
+    print(long_to_bytes(int(v)).decode(), end='')

cryptoversectf-2022/Crypto/Big Rabin/README.md

@@ -0,0 +1,38 @@
+# Big Rabin
+
+## Description
+
+Rabin cryptosystem, but big.
+
+## Solution
+
+Brute-force the possible plaintexts.
+
+```py
+from Crypto.Util.number import *
+from gmpy2 import *
+from sympy.ntheory.modular import *
+from sympy.ntheory.residue_ntheory import nthroot_mod
+
+x = [] # truncated
+c = # truncated
+e = 2
+
+y = []
+for i in x:
+    y.append(nthroot_mod(c,e,i))
+    y.append(i - nthroot_mod(c,e,i))
+yy = []
+
+for i in range(1024):
+    s = bin(i)[2:].rjust(10,'0')
+    yyy = []
+    for j in range(10):
+        yyy.append(y[j*2+int(s[j])])
+    yy.append(yyy)
+
+for i in yy:
+    m = long_to_bytes(crt(x,i)[0])
+    if b'cvctf' in m:
+        print(m[256:].decode())
+```

cryptoversectf-2022/Crypto/Big Rabin/challenge/chall.py

@@ -0,0 +1,16 @@
+from Crypto.Util.number import *
+from secret import flag
+import os, functools
+
+primes = []
+e = 2
+
+for _ in range(10):
+    primes.append(getPrime(1024))
+
+n = functools.reduce((lambda x, y: x * y), primes)
+m = bytes_to_long(os.urandom(256) + flag)
+c = pow(m,e,n)
+
+print(primes)
+print(c)

cryptoversectf-2022/Crypto/Big Rabin/challenge/out.txt

@@ -0,0 +1,2 @@
+[132226521510073241868478441993015354148527265070844601764638529221288504976410393924935295341036464167430758516679806086101355913069828507720078706111518764763860261405919471828890271375290465307125060869008747651304555905840414020300749769085263330846399185059492965396066022852144378645140305287757847727023, 166975174848900885230261330388360938761353252820281468924803320138144055905644086619356255132048410411366729267993937675260638228144755335215429145353099164053352619775669398053052968467143600192845905417256960156392197454820487653509257937973672298884564792967995269332679341948473655565516611128690668584197, 142872473239232009830855192451471368852668441691782565721008089294877340422457402592626252955869775729973997252931251666144198844354316321876779014522642204671232774572604583775513634884566978553917344483379779100930174962243024555704822801010773572545801848379806701640868474072068588187164478666117032536743, 130892261245352215748569386846911862074603359546553143534975947107064714450388455394151437883146319257061620436858323988107585895908396306525917087044899379090234252879747887675884686106229697448906503338648983178690152813231281939068998489985753607854487974314966395013411365168104897566924065151568253685389, 145551848922783998528416786343973572472474320126254044570241048099740111725992313257532536785462269965641550642274572312923944315477621869191221368417595336738285091021747216596626016115302578007940230744568897790622831057456985073420219248560391242735855176398817027832854071167392464605267378738681409692207, 109114236141132256858265781393324161877680502794260375634936389144130052076205935445884813005428724784271974614143303830651751053233628886067941762333164941597521613761267981323595507523576850094910118775698465333491285382926211396415210206640863838245229759501252816392805326580130465854590783194264915510107, 149012332254098169883676747964911319691822361308399858421962733809406243673749451302379098919202789878055459506619587309704672105656774201994079016346228841284249488225321663757366441960504330961474614423041525751882565821073188367282242863442968249947378755695090610366079747622976283329590239856372835372077, 89933039054622081733083753412036389257663070424046675225077590968264124467545748005665094466078872143690347802061705503577114736109829239359006199434519375691332381519569498638696542565602083683732367191126621738256117168725047465248935955872366458549695968621135516743160437309215563157049376939290044627313, 144740324082556719196755949987638484388687025029996662925584432266650207893213563830207448527247219434052744033623084777776494559920370369824340095295242250589124486762879342972124012161218261244077906297847144914260263449001263793071999861655844579640626513700692813426335252087586488036788977420619650395281, 177890920322792684381488228351207885958275622324411726844780096159974211995797980616696403624147387087872691406579164096185188544912293856215282348681231390887966279317515097280087518605104367297949995780275322107787760838983798771894346399852645638599662743887567463532610893557114956013160076360765011538011]
+22946885822002467171903084240416288222260709393342086666614067405740711654751859628586773085727309553476558484713992238684106955555407130896914013459177345438724868201174752650162646056513628813995822388584081951435555201995181471800953753065805537239004801790261801117451703491741695068405051052528468868702342710290967199025172882590726554624329641303992754921465060035494584473179143361525585375327174333664171595698051318950929679219084654514302582298457923944861686107213448365614170278678031637593258899000503650392461910041826689785746033611685952405642342168822481363285927108889621327497879411676118996705939126347323933488709432561266681241083588173377314801049718139453233426105928769665280701332464661007393707855685695381234000934601768404436981039966731154784057035002881385480733918721892505780861028743718627723983889337589245505471761609164355615583667187016246477658779583361278419641451588063893642706807003172297981383003084552004900791931139372946360714784486527322818344413194151333823878001862478897096198700081692897370151996011935154686270934438172865531978260775218635723194626200021562057411503822135701039014960850609050136539744310043850114618082256447659795677305772357979166562438839947373438799197847335503006808051165456399906449288192895712634565545914245083072956245576112332273453809567266070539909722697964638524279759280287013618910074497709507375042069373384981213251042198281

cryptoversectf-2022/Crypto/Big Rabin/challenge/secret.py

@@ -0,0 +1 @@
+flag = b"cvctf{r4b1n_Cryp70_K1nd4_c0mpL1C4t3d?}"

cryptoversectf-2022/Crypto/Big Rabin/solution/solve.py

@@ -0,0 +1,26 @@
+from Crypto.Util.number import *
+from gmpy2 import *
+from sympy.ntheory.modular import *
+from sympy.ntheory.residue_ntheory import nthroot_mod
+
+x = [132226521510073241868478441993015354148527265070844601764638529221288504976410393924935295341036464167430758516679806086101355913069828507720078706111518764763860261405919471828890271375290465307125060869008747651304555905840414020300749769085263330846399185059492965396066022852144378645140305287757847727023, 166975174848900885230261330388360938761353252820281468924803320138144055905644086619356255132048410411366729267993937675260638228144755335215429145353099164053352619775669398053052968467143600192845905417256960156392197454820487653509257937973672298884564792967995269332679341948473655565516611128690668584197, 142872473239232009830855192451471368852668441691782565721008089294877340422457402592626252955869775729973997252931251666144198844354316321876779014522642204671232774572604583775513634884566978553917344483379779100930174962243024555704822801010773572545801848379806701640868474072068588187164478666117032536743, 130892261245352215748569386846911862074603359546553143534975947107064714450388455394151437883146319257061620436858323988107585895908396306525917087044899379090234252879747887675884686106229697448906503338648983178690152813231281939068998489985753607854487974314966395013411365168104897566924065151568253685389, 145551848922783998528416786343973572472474320126254044570241048099740111725992313257532536785462269965641550642274572312923944315477621869191221368417595336738285091021747216596626016115302578007940230744568897790622831057456985073420219248560391242735855176398817027832854071167392464605267378738681409692207, 109114236141132256858265781393324161877680502794260375634936389144130052076205935445884813005428724784271974614143303830651751053233628886067941762333164941597521613761267981323595507523576850094910118775698465333491285382926211396415210206640863838245229759501252816392805326580130465854590783194264915510107, 149012332254098169883676747964911319691822361308399858421962733809406243673749451302379098919202789878055459506619587309704672105656774201994079016346228841284249488225321663757366441960504330961474614423041525751882565821073188367282242863442968249947378755695090610366079747622976283329590239856372835372077, 89933039054622081733083753412036389257663070424046675225077590968264124467545748005665094466078872143690347802061705503577114736109829239359006199434519375691332381519569498638696542565602083683732367191126621738256117168725047465248935955872366458549695968621135516743160437309215563157049376939290044627313, 144740324082556719196755949987638484388687025029996662925584432266650207893213563830207448527247219434052744033623084777776494559920370369824340095295242250589124486762879342972124012161218261244077906297847144914260263449001263793071999861655844579640626513700692813426335252087586488036788977420619650395281, 177890920322792684381488228351207885958275622324411726844780096159974211995797980616696403624147387087872691406579164096185188544912293856215282348681231390887966279317515097280087518605104367297949995780275322107787760838983798771894346399852645638599662743887567463532610893557114956013160076360765011538011]
+c = 22946885822002467171903084240416288222260709393342086666614067405740711654751859628586773085727309553476558484713992238684106955555407130896914013459177345438724868201174752650162646056513628813995822388584081951435555201995181471800953753065805537239004801790261801117451703491741695068405051052528468868702342710290967199025172882590726554624329641303992754921465060035494584473179143361525585375327174333664171595698051318950929679219084654514302582298457923944861686107213448365614170278678031637593258899000503650392461910041826689785746033611685952405642342168822481363285927108889621327497879411676118996705939126347323933488709432561266681241083588173377314801049718139453233426105928769665280701332464661007393707855685695381234000934601768404436981039966731154784057035002881385480733918721892505780861028743718627723983889337589245505471761609164355615583667187016246477658779583361278419641451588063893642706807003172297981383003084552004900791931139372946360714784486527322818344413194151333823878001862478897096198700081692897370151996011935154686270934438172865531978260775218635723194626200021562057411503822135701039014960850609050136539744310043850114618082256447659795677305772357979166562438839947373438799197847335503006808051165456399906449288192895712634565545914245083072956245576112332273453809567266070539909722697964638524279759280287013618910074497709507375042069373384981213251042198281
+e = 2
+
+y = []
+for i in x:
+    y.append(nthroot_mod(c,e,i))
+    y.append(i - nthroot_mod(c,e,i))
+yy = []
+
+for i in range(1024):
+    s = bin(i)[2:].rjust(10,'0')
+    yyy = []
+    for j in range(10):
+        yyy.append(y[j*2+int(s[j])])
+    yy.append(yyy)
+
+for i in yy:
+    m = long_to_bytes(crt(x,i)[0])
+    if b'cvctf' in m:
+        print(m[256:].decode())

cryptoversectf-2022/Crypto/RSA 3/README.md

@@ -0,0 +1,116 @@
+# RSA 3
+
+## Description
+
+Secrets are hidden under the randomness.
+
+`nc 137.184.215.151 22629`
+
+## Solution
+
+Simple Hastad's Broadcast Attack. We can query server until receiving enough ciphertexts on `e=17`. 
+
+The "randomness" happens with low probability, so we can actually query a bit more ciphertexts then do a subset to avoid the randomness.
+
+Solve script referenced some code from crypto-attacks repo.
+
+```py
+from sage.all import crt, ZZ
+from math import gcd
+from pwn import *
+from Crypto.Util.number import *
+import random
+
+# log level
+context.log_level = 'error'
+
+def lcm(a):
+    if len(a) == 1:
+        return a[0]
+    return a[0] * lcm(a[1:]) // gcd(a[0], lcm(a[1:]))
+
+def fast_crt(X, M, segment_size=8):
+    """
+    Uses a divide-and-conquer algorithm to compute the CRT remainder and least common multiple.
+    :param X: the remainders
+    :param M: the moduli (not necessarily coprime)
+    :param segment_size: the minimum size of the segments (default: 8)
+    :return: a tuple containing the remainder and the least common multiple
+    """
+    assert len(X) == len(M)
+    assert len(X) > 0
+    while len(X) > 1:
+        X_ = []
+        M_ = []
+        for i in range(0, len(X), segment_size):
+            if i == len(X) - 1:
+                X_.append(X[i])
+                M_.append(M[i])
+            else:
+                X_.append(crt(X[i:i + segment_size], M[i:i + segment_size]))
+                M_.append(lcm(M[i:i + segment_size]))
+        X = X_
+        M = M_
+
+    return X[0], M[0]
+
+def attack(e, c):
+    """
+    Recovers the plaintext from a ciphertext, encrypted using a very small public exponent (e.g. e = 3).
+    :param e: the public exponent
+    :param c: the ciphertext
+    :return: the plaintext
+    """
+    return int(ZZ(c).nth_root(e))
+
+def hastad(N, e, c):
+    """
+    Recovers the plaintext from e ciphertexts, encrypted using different moduli and the same public exponent.
+    :param N: the moduli
+    :param e: the public exponent
+    :param c: the ciphertexts
+    :return: the plaintext
+    """
+    assert e == len(N) == len(c), "The amount of ciphertexts should be equal to e."
+
+    for i in range(len(N)):
+        for j in range(len(N)):
+            if i != j and gcd(N[i], N[j]) != 1:
+                raise ValueError(f"Modulus {i} and {j} share factors, Hastad's attack is impossible.")
+
+    c, _ = fast_crt(c, N)
+    return attack(e, c)
+
+e = 17
+N = []
+ct = []
+while len(N) < 30:
+    io = remote("137.184.215.151", 22629)
+    io.recvuntil(b"n = ")
+    n = int(io.recvline().strip())
+    io.recvuntil(b"e = ")
+    e = int(io.recvline().strip())
+    if e != 17:
+        io.close()
+        continue
+    io.recvuntil(b"c = ")
+    c = int(io.recvline().strip())
+    io.close()
+    N.append(n)
+    ct.append(c)
+    print(f"{len(N)} / 30")
+
+# Because some ct are randomly changed (with a chance of 10%), we need to randomly query N/ct
+# Choose random 17 indices from N and ct
+while True:
+    indices = random.sample(range(len(N)), 17)
+    N_curr = [N[i] for i in indices]
+    ct_curr = [ct[i] for i in indices]
+    try:
+        pt = hastad(N_curr, e, ct_curr)
+    except:
+        continue
+    if "cvctf" in long_to_bytes(pt).decode():
+        print(long_to_bytes(pt).decode())
+        break
+```

cryptoversectf-2022/Crypto/RSA 3/challenge/Dockerfile

@@ -0,0 +1,34 @@
+FROM python:3.9-slim-buster
+WORKDIR /home/ctf
+RUN useradd -m ctf
+RUN apt-get update && \
+    apt-get install -y lib32z1 xinetd && \
+    echo "Connection banned." > /etc/banner_fail
+RUN pip3 install pycryptodome
+
+RUN cp -R /lib* /home/ctf && \
+    cp -R /usr/lib* /home/ctf
+RUN mkdir /home/ctf/dev && \
+    mknod /home/ctf/dev/null c 1 3 && \
+    mknod /home/ctf/dev/zero c 1 5 && \
+    mknod /home/ctf/dev/random c 1 8 && \
+    mknod /home/ctf/dev/urandom c 1 9 && \
+    chmod 666 /home/ctf/dev/*
+RUN mkdir /home/ctf/bin && \
+    cp /bin/sh /home/ctf/bin && \
+    cp /bin/ls /home/ctf/bin && \
+    cp /bin/cat /home/ctf/bin
+
+COPY ./ctf.xinetd /etc/xinetd.d/ctf
+COPY . .
+RUN chmod +x /home/ctf/start.sh && \
+    chown -R root:ctf /home/ctf && \
+    chmod -R 750 /home/ctf
+
+CMD ["/home/ctf/start.sh"]
+
+EXPOSE 9999
+
+# docker build --tag rsa .
+# docker run -d --publish 22629:9999 --name rsa rsa
+# docker run --rm --publish 22629:9999 --name rsa rsa

cryptoversectf-2022/Crypto/RSA 3/challenge/ctf.xinetd

@@ -0,0 +1,18 @@
+service ctf
+{
+    disable = no
+    socket_type = stream
+    protocol    = tcp
+    wait        = no
+    user        = root
+    type        = UNLISTED
+    port        = 9999
+    bind        = 0.0.0.0
+    server      = /usr/local/bin/python
+    server_args = /home/ctf/server.py
+    banner_fail = /etc/banner_fail
+    # safety options  
+    per_source  = 10 # the maximum instances of this service per source IP address    
+    rlimit_cpu  = 1 # the maximum number of CPU seconds that the service may use    
+    #rlimit_as  = 1024M # the Address Space resource limit for the service
+}

cryptoversectf-2022/Crypto/RSA 3/challenge/secret.py

@@ -0,0 +1 @@
+flag = b"cvctf{Hastad_with_e=65537_might_be_slow}"

cryptoversectf-2022/Crypto/RSA 3/challenge/server.py

@@ -0,0 +1,16 @@
+from Crypto.Util.number import *
+import random
+from secret import flag
+
+es = [17, 19, 23, 29, 31, 63357]
+e = random.choice(es)
+p = getPrime(1024)
+q = getPrime(1024)
+n = p * q
+m = bytes_to_long(flag)
+c = pow(m, e, n)
+
+if not random.randint(0, 10):
+    c = (1 << len(bin(c)[2:])) | c
+
+print(f"n = {n}\ne = {e}\nc = {c}")

cryptoversectf-2022/Crypto/RSA 3/challenge/start.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+# Add your startup script
+
+# DO NOT DELETE
+/etc/init.d/xinetd start;
+sleep infinity;