Mix

Category: Crypto

Points: 330

Description:

At the BASEment no. 65536, A man is irritated with SHIFT key in his KEYBOARD as it’s a sticky key, A kid is having chocolate icecream with a SPOON.

Author: Whit3_D3vi1

Given: flag.txt && chall_encrypted.txt

Writeup

I opened flag.txt and got absolutely pwned :(

If you opened this then you are a n00b

From the hint, we can see that the uppercase letters are telling us something. It seems this encrypted text is in base65536. Here is a link to a decoder. After decoding, we get the following output:

flag 1:
Yjod od s lrunpstf djogy vo[jrtyrcy jrtr od upi g;sh xj4t-}U-i+dit4+

flag 2:
3030313130313030203031313130303130203030313130303131203031303131313131203030313130313030203031313130313131203030313130303131203031313130303131203030313130303030203031313031313031203030313130303131203031303131313131203031313130313131203031313031303031203030313130313131203031313031303030

flag 3:
MTExMTExMTExMTAwMTAwMDEwMTAxMDExMTAxMDExMTExMTEwMTAxMTExMTExMTExMDExMDExMDExMDExMDAwMDAxMTAxMDAxMDAxMDAxMDAwMDAwMDAwMDAwMDAwMDAwMTAxMDAxMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMTAxMDAwMDAwMDAwMDAwMTAxMDAwMTAxMDAxMDAwMTAxMDAxMTExMTExMTAwMTAxMDAxMDExMTExMTExMTAwMTAxMDAxMTAwMDAwMDAwMDAwMDAwMTAxMDAxMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMTAxMDExMTExMTExMTExMTExMTExMTExMDAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMDEwMDAwMDAwMDAxMDEwMDExMDAwMDAwMDAxMDEwMDAxMDEwMTExMTAwMTAxMDAxMDExMTExMTExMTExMTExMTExMTExMDAxMDEwMDExMDExMDExMTExMTExMTExMTAwMTAxMA==

Looks like we know what to do now!

Flag 1: Keyboard Shift Cipher

# After plugging and chugging
zh3r0{Y0u_sur3_

Flag 2: Hex -> Binary -> ASCII

# Hex to Binary
00110100 01110010 00110011 01011111 00110100 01110111 00110011 01110011 00110000 01101101 00110011 01011111 01110111 01101001 00110111 01101000

# Binary to ASCII
4r3_4w3s0m3_wi7h
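
The first two layers can be undone in a few lines of Python. This is an added example, not code from the original writeup; it assumes a US QWERTY layout in which every character was typed one key to the right, and it uses the flag 1 and flag 2 strings shown above.

```python
# Added example: decoders for the flag 1 and flag 2 layers.

# US QWERTY rows (assumed layout), unshifted then shifted.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
        "~!@#$%^&*()_+", "QWERTYUIOP{}|", "ASDFGHJKL:\"", "ZXCVBNM<>?"]
# Map every key to its left-hand neighbour in the same row.
LEFT = {row[i]: row[i - 1] for row in ROWS for i in range(1, len(row))}


def keyboard_unshift(text):
    """Undo a one-key-right shift; spaces and unmapped keys pass through."""
    return "".join(LEFT.get(ch, ch) for ch in text)


def hex_bin_ascii(hex_text):
    """Hex -> ASCII string of space-separated 8-bit groups -> characters."""
    bits = bytes.fromhex(hex_text).decode("ascii")
    return "".join(chr(int(group, 2)) for group in bits.split())


# Values copied from the decoded base65536 output above.
FLAG1_CT = "Yjod od s lrunpstf djogy vo[jrtyrcy jrtr od upi g;sh xj4t-}U-i+dit4+"
FLAG2_HEX = "3030313130313030203031313130303130203030313130303131203031303131313131203030313130313030203031313130313131203030313130303131203031313130303131203030313130303030203031313031313031203030313130303131203031303131313131203031313130313131203031313031303031203030313130313131203031313031303030"

if __name__ == "__main__":
    print(keyboard_unshift(FLAG1_CT))
    print(hex_bin_ascii(FLAG2_HEX))
```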

Flag 3: Spoon Cipher

_411_7h3_ski115}

Combining the flags together gives us the flag.

Flag

zh3r0{Y0u_sur3_4r3_4w3s0m3_wi7h_411_7h3_ski115}

Props to birch for helping me out on this one.


RSA-Warmup

Category: Crypto

Points: 20

Description:

RSA is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and distinct from the decryption key which is kept secret. You all know this :p here is a warmup question.

nc crypto.zh3r0.ml 8451

Author : Finch

Writeup

Right away, I connect to crypto.zh3r0.ml on 8451:

$ nc crypto.zh3r0.ml 8451
N: 377527856297171022669430056458716981263384258911465530298564047397682287642100531751631168955623627172831784659749005505789640040456392136544756565404399136372321247852095482514289004599548556755136227142622582929120287466843804001721473294727815058414197945673495141542166225440016738784813546536980135143334440970683
e 65537
CT: 95948178426011852526092427535011433312244071609714551743388577712830026414291835888189885830916269208524310224012724690007902199693329646995676301990765789834069875091787078165512725155603953938812696365285032576235285424419104188074925160749412987648492099796143791507498570035439690972646885220025246628999734089438

Looks like we get the public key information and the ciphertext. Simple enough. Our goal here is to retrieve the private key from this information. Well, the value we really want is the private exponent, d.

A tool I always like to use for RSA challenges is RsaCtfTool (you can find a link under Resources). We can pass in our modulus (n) and public exponent (e) and have it run through its attacks. The --private option indicates we want to extract the private key, and the --dumpkey option dumps the components of the extracted key. That is, assuming we successfully extract the private key.

Here is the command I used:

$ ~/tools/RsaCtfTool/RsaCtfTool.py -n 377527856297171022669430056458716981263384258911465530298564047397682287642100531751631168955623627172831784659749005505789640040456392136544756565404399136372321247852095482514289004599548556755136227142622582929120287466843804001721473294727815058414197945673495141542166225440016738784813546536980135143334440970683 -e 65537 --private --dumpkey

Output:

[*] Testing key /tmp/tmp6ccy5el8.
[*] Performing boneh_durfee attack on /tmp/tmp6ccy5el8.
[*] Performing comfact_cn attack on /tmp/tmp6ccy5el8.
[*] Performing cube_root attack on /tmp/tmp6ccy5el8.
[*] Performing ecm attack on /tmp/tmp6ccy5el8.
[*] ECM Method can run forever and may never succeed, timeout set to 30sec. Hit Ctrl-C to bail out.
[*] Performing ecm2 attack on /tmp/tmp6ccy5el8.
[*] ECM2 Method can run forever and may never succeed, timeout set to 30sec. Hit Ctrl-C to bail out.
[*] Performing factordb attack on /tmp/tmp6ccy5el8.

Results for /tmp/tmp6ccy5el8:

Private key :
n: 377527856297171022669430056458716981263384258911465530298564047397682287642100531751631168955623627172831784659749005505789640040456392136544756565404399136372321247852095482514289004599548556755136227142622582929120287466843804001721473294727815058414197945673495141542166225440016738784813546536980135143334440970683
e: 65537
d: 219061435757608963852907672365350121299489108161668187742617152085491396400767315113244112175489996960042494385717319659862230149219931086843159575463511365277827147675298287172908252862749761614617624713298567307138000590141729337640164470545650707611179689947921461153334557400166620309314271542064731256728948965153
p: 3569169103
q: 105774718261414643504894773952859969398705247872775147212901346074910894364004173593125259370940942265808856706263212742427923018041544482277436257803557237722821688298161725545534905578708456267597648522685472470627370962883683799983145067231020199273028937702729839399869484256268016557693917294055466091861

Nice! Looks like we extracted our private exponent. Here is a small Python snippet to get the plaintext.

from pwn import log  # pwntools; only log.success() is used below
from Crypto.Util.number import long_to_bytes

n = 377527856297171022669430056458716981263384258911465530298564047397682287642100531751631168955623627172831784659749005505789640040456392136544756565404399136372321247852095482514289004599548556755136227142622582929120287466843804001721473294727815058414197945673495141542166225440016738784813546536980135143334440970683
d = 219061435757608963852907672365350121299489108161668187742617152085491396400767315113244112175489996960042494385717319659862230149219931086843159575463511365277827147675298287172908252862749761614617624713298567307138000590141729337640164470545650707611179689947921461153334557400166620309314271542064731256728948965153
c = 95948178426011852526092427535011433312244071609714551743388577712830026414291835888189885830916269208524310224012724690007902199693329646995676301990765789834069875091787078165512725155603953938812696365285032576235285424419104188074925160749412987648492099796143791507498570035439690972646885220025246628999734089438

# Textbook RSA decryption: m = c^d mod n
m = pow(c, d, n)
flag = long_to_bytes(m).decode("utf-8")
log.success("Flag: {}".format(flag))

I use log.success() from pwntools cause it satisfies me to see the green plus so no hate.

Output:

$ python3 rsa_warmup.py
[+] Flag: zh3r0{RSA_1s_Fun}
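
The key dump above shows why this modulus falls: p is only 10 digits long while q carries the rest of n. As an added example (not from the original writeup or RsaCtfTool), Pollard's rho finds a factor of that size quickly, after which d follows from p and q. The modulus and message here are constructed from two Mersenne primes and are not the challenge values.

```python
# Added example: constructed key, not the challenge values.
from math import gcd


def pollard_rho(n, max_c=20):
    """Return a non-trivial factor of composite n, or None if every c fails."""
    if n % 2 == 0:
        return 2
    for c in range(1, max_c + 1):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n      # tortoise: one step
            y = (y * y + c) % n      # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                   # d == n means this c cycled badly, retry
            return d
    return None


def recover_private_key(n, e):
    """Factor n, then rebuild d = e^-1 mod (p-1)(q-1)."""
    f = pollard_rho(n)
    if f is None:
        raise ValueError("no factor found")
    p, q = sorted((f, n // f))
    d = pow(e, -1, (p - 1) * (q - 1))
    return p, q, d


def demo():
    # Constructed unbalanced modulus: a 31-bit prime times a 521-bit prime.
    p, q = 2**31 - 1, 2**521 - 1
    n, e = p * q, 65537
    msg = b"constructed test message"
    c = pow(int.from_bytes(msg, "big"), e, n)

    found_p, found_q, d = recover_private_key(n, e)
    m = pow(c, d, n)
    return found_p, found_q, m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

Running the same factor search against moduli produced by your own key generation is a cheap sanity check: a correctly generated key uses two primes of similar size and the search will not finish.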

Flag

zh3r0{RSA_1s_Fun}

Resources

RsaCtfTool - https://github.com/Ganapati/RsaCtfTool

RSA - https://en.wikipedia.org/wiki/RSA_(cryptosystem)


Hastad’s Message

Category: Crypto

Points: 411

Description:

My friend Hastad sent me a message but I am not able to read it. The only thing I know is it's different each time.

nc crypto.zh3r0.ml 7419

Author : Finch

Writeup

Reading the description and thinking about the title, we can infer that this is most likely going to be solved by Hastad’s RSA Attack. There are some informative resources on Hastad’s Attack at the bottom if you want to read and/or watch a video on it.

To sum it up, we need three moduli and three ciphertexts. The attack uses some math to get a common modulus (I think). The attack also assumes the public exponent (e) is equal to 3.

The description notes that the message is different every time, which is great because we need three different sets of moduli and ciphertexts:

$ nc crypto.zh3r0.ml 7419
N: 26329166984869041859634971942295508914086614756052649916715153888481838019446543659757155645116769584381237080447776835739170987527005814400394577761822009408643187035265928122611444675831972885388102505246050837141849411862111709116367913126692684315075812292118346525048043797743758647556197949162237012170765715489491252692831466048959316256355759727145883803064149037619208929139388737790411400133521644550402190755308716121097770368356659540585535532884876043170632478721624029571816011724967994226508693012935776285118552199186117433633100216881935216628735559281536730218432968021046737952051819658181259878149
CT: 13696674950433813895298041308045632529884066637106066434055761656634216946840402487500825692707297939337436811238475042408363119793161341988647831099617176608938843866551309386288691680095479772354016097889400273737533478113841958286151723116643033653995679615401212762174200830205198481421530614785072197545914307879082057254025517014619994399588859878772462750995973467253943907234301821576044216582246803850068027473821303077367989380520821734878595978138848610208844611305492117585477951318789794473666584152555731215918034102977914334062154485456843361952486458602554626960263460610725474127818677875972933875249

$ nc crypto.zh3r0.ml 7419
N: 22384216895184126503119624343320021821638233110863325898706560403197645878203817745790238197708416046618344094882982335720692685468281691146289903360608759314465378437068825261171471235483378433538257668429402907303532447870966095573819297418602601260325774195925269436319325981924076560794365192162562834753664301926653212755937853868506740496963626939832399258562954489056198250858902550995248399935612478913709617862129428374409234539923710672573540043364314100184572466402179424456471569591284089542460776340545139186988771394267096966020039348514804567035515030274507835577689524596337772418323549448243343361831
CT: 5353345346883089467141269968761525262677279170329666694797265115044928760952816917862665148190263741954651283587445076390324149524694842134461309999700504892826865511676944998156648254220372877253984503837884294212054018245851450555353751434222671390020506217356501583459507087748067302175421725020578101235352346674097473733309611211213878072286974934049276260742702782327298570150180281510979146190959585950244494373491367198797787947700591295353932747947492989216240541566454657386123685140779948477566980018178539683614588716842717894118803413424004986059577548748432511218870669050221814751292921897431242248941

$ nc crypto.zh3r0.ml 7419
N: 22424243940237609093986181521248901242782094037697873373836836736493013117260495680987607769354269320561576377180539010732084017919614407493417604713138573086392460341825569544329294333785416106775326335231740978161329178536710032114103565077914290391270889095078548028956464075135014835042893633426595475887865312994493395174535036307668304725413758492249582598657435602203689640301841897950479233122713167542454482902649867247742813614034808103280371220185593639727153149613933683852108452848538974235423325030571301060804485909616787540913079701564237236038710949156042408869849909619744500748736648228888569573589
CT: 14248998542824914719750911379086920493500471888638705238133866311748059581683708422549036932370027910990304631217481702400469486898162095317239864189584616787472445614519498539566076996422644593520710194926830242522562819000277287688504181287249564196723442838873910913236286542856580569459769886968942760506614856615797894115905258930225533376037968554243022975808731677888560753976786112293175192882447689169089532325198116284561341385989363237692683318157037034971649251468292971739244270525145089816866123381203273750512577151312036713011523059957036531932480131619100026838056618714367910138597216504150041537796

I used echo to put each value into n1, n2, n3, c1, c2, and c3. I did this because the tool I am using passes these files in as arguments. Now, let’s run the tool:

$ python ~/tools/RSA-Hastad/rsaHastad.py n1 n2 n3 c1 c2 c3 -v


        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                RSA Hastad Attack
                 JulesDT -- 2016
                 License GNU/GPL
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##
## 13696674950433813895298041308045632529884066637106066434055761656634216946840402487500825692707297939337436811238475042408363119793161341988647831099617176608938843866551309386288691680095479772354016097889400273737533478113841958286151723116643033653995679615401212762174200830205198481421530614785072197545914307879082057254025517014619994399588859878772462750995973467253943907234301821576044216582246803850068027473821303077367989380520821734878595978138848610208844611305492117585477951318789794473666584152555731215918034102977914334062154485456843361952486458602554626960263460610725474127818677875972933875249
## Guessed as decimal input
##
##
## 5353345346883089467141269968761525262677279170329666694797265115044928760952816917862665148190263741954651283587445076390324149524694842134461309999700504892826865511676944998156648254220372877253984503837884294212054018245851450555353751434222671390020506217356501583459507087748067302175421725020578101235352346674097473733309611211213878072286974934049276260742702782327298570150180281510979146190959585950244494373491367198797787947700591295353932747947492989216240541566454657386123685140779948477566980018178539683614588716842717894118803413424004986059577548748432511218870669050221814751292921897431242248941
## Guessed as decimal input
##
##
## 14248998542824914719750911379086920493500471888638705238133866311748059581683708422549036932370027910990304631217481702400469486898162095317239864189584616787472445614519498539566076996422644593520710194926830242522562819000277287688504181287249564196723442838873910913236286542856580569459769886968942760506614856615797894115905258930225533376037968554243022975808731677888560753976786112293175192882447689169089532325198116284561341385989363237692683318157037034971649251468292971739244270525145089816866123381203273750512577151312036713011523059957036531932480131619100026838056618714367910138597216504150041537796
## Guessed as decimal input
##

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Decoded Hex :
1ff486017316ddb482dd84be39ff75bba80868b195a1df065bbc83184ba949f68f229da7c1e0a9087fe97189100113cfbe4c1271fc8e2c003d135633095019af55f988f8b790a28ebba20192f28b5fe30417d67cbcede052775c74fa889e22be57ad2519f978ebd34209a621c73024e95bf5ea84ef24d9407a4a010e097e1a903fdefd1b8be92ddd94f47395b6ef5192da1c19f66169729a9a4719abd38c44007af74468c915a936c0f27aeb8ccaf223687ceff1be530c8e0881355f80bc6a576c682d
---------------------------

In Ascii: [random stuff]

Hmmmm that didn’t work. Maybe we can try to change the value of e to a different prime? I edited the script to use 5 instead of 3 for e. Let’s run it again:

$ python ~/tools/RSA-Hastad/rsaHastad.py n1 n2 n3 c1 c2 c3 -v


        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                RSA Hastad Attack
                 JulesDT -- 2016
                 License GNU/GPL
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##
## 13696674950433813895298041308045632529884066637106066434055761656634216946840402487500825692707297939337436811238475042408363119793161341988647831099617176608938843866551309386288691680095479772354016097889400273737533478113841958286151723116643033653995679615401212762174200830205198481421530614785072197545914307879082057254025517014619994399588859878772462750995973467253943907234301821576044216582246803850068027473821303077367989380520821734878595978138848610208844611305492117585477951318789794473666584152555731215918034102977914334062154485456843361952486458602554626960263460610725474127818677875972933875249
## Guessed as decimal input
##
##
## 5353345346883089467141269968761525262677279170329666694797265115044928760952816917862665148190263741954651283587445076390324149524694842134461309999700504892826865511676944998156648254220372877253984503837884294212054018245851450555353751434222671390020506217356501583459507087748067302175421725020578101235352346674097473733309611211213878072286974934049276260742702782327298570150180281510979146190959585950244494373491367198797787947700591295353932747947492989216240541566454657386123685140779948477566980018178539683614588716842717894118803413424004986059577548748432511218870669050221814751292921897431242248941
## Guessed as decimal input
##
##
## 14248998542824914719750911379086920493500471888638705238133866311748059581683708422549036932370027910990304631217481702400469486898162095317239864189584616787472445614519498539566076996422644593520710194926830242522562819000277287688504181287249564196723442838873910913236286542856580569459769886968942760506614856615797894115905258930225533376037968554243022975808731677888560753976786112293175192882447689169089532325198116284561341385989363237692683318157037034971649251468292971739244270525145089816866123381203273750512577151312036713011523059957036531932480131619100026838056618714367910138597216504150041537796
## Guessed as decimal input
##

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Decoded Hex :
497473206772656174207468617420796f75206861766520636f6d652074696c6c20686572652e2041732070726f6d69736564206865726520697320796f757220666c61673a207a683372307b5253415f31735f306e335f6f665f7468335f623473745f656e637279707431306e5f42753636797d
---------------------------
As Ascii :
Its great that you have come till here. As promised here is your flag: zh3r0{RSA_1s_0n3_of_th3_b4st_encrypt10n_Bu66y}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
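
The two runs above, as an added example (this is not the rsaHastad.py code): combine the ciphertexts with the Chinese Remainder Theorem, then take an integer e-th root, where only the correct e gives an exact root. The moduli and messages are constructed, and the per-recipient prefix is a toy stand-in for randomized padding such as OAEP, which is what stops this attack in practice.

```python
# Added example: all moduli and messages below are constructed, not challenge data.

def crt(residues, moduli):
    """Combine x = r_i (mod n_i) into one x modulo the product of the n_i."""
    x, prod = 0, 1
    for r, n in zip(residues, moduli):
        # pow(..., -1, n) raises ValueError if the moduli share a factor.
        t = ((r - x) * pow(prod, -1, n)) % n
        x, prod = x + prod * t, prod * n
    return x


def iroot(x, k):
    """Return (floor(x ** (1/k)), is_exact) using integer binary search."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x


def broadcast_recover(ciphertexts, moduli, exponents=(3, 5, 7)):
    """Try each candidate e; return (e, plaintext) for the first exact root."""
    x = crt(ciphertexts, moduli)
    for e in exponents:
        root, exact = iroot(x, e)
        if exact:
            return e, root.to_bytes((root.bit_length() + 7) // 8, "big")
    return None


def mersenne(k):
    return 2 ** k - 1

# Products of distinct Mersenne primes, so the three moduli are pairwise coprime.
MODULI = [mersenne(521) * mersenne(607),
          mersenne(1279) * mersenne(89),
          mersenne(2203) * mersenne(107)]
MSG = b"constructed broadcast message " * 3
E = 5

def demo_unpadded():
    m = int.from_bytes(MSG, "big")            # same plaintext to every recipient
    return broadcast_recover([pow(m, E, n) for n in MODULI], MODULI)

def demo_padded():
    # Toy padding: a different 16-byte prefix per recipient breaks the shared m.
    cts = [pow(int.from_bytes(bytes([i + 1]) * 16 + MSG, "big"), E, n)
           for i, n in enumerate(MODULI)]
    return broadcast_recover(cts, MODULI)
```

`demo_unpadded()` rejects e = 3 and returns the message at e = 5, while `demo_padded()` returns `None` because the CRT result is no longer a perfect power.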

Flag

zh3r0{RSA_1s_0n3_of_th3_b4st_encrypt10n_Bu66y}

Resources

Video - https://www.youtube.com/watch?v=aS57JCzJw_o

Python Script - https://github.com/JulesDT/RSA-Hastad