ASCWG Finals Writeups

Neroli
Written by Neroli on
ASCWG Finals Writeups

Ascwg Crypto

Summary

Arab Security CyberWargames Finals 2020

Forensics

easy peasy (Forensics)

First i got a RAR file after extracting i got a raw file called challenge.raw

using binwalk on it image

i got another RAR file which contains the flag but it was secured with password

image

so i used john the ribber to crack it with rockyou wordlist image

so i extraced the Flag.txt.txt file and i got the Flag: ASCWG{M3moRy_f0Rens!Cs_ar3_FuN}

looky LUKS (Forensics)

I got RAR file contians challenge.img file

using file command i knew that it’s a LUKS file image

I don’t have enough background about it so i read this wiki and this article

when i tried to mount the file i got that i need to get password :

image

so to crack it we need to get the header to get the hash image

now i know that the Payload offset is 4096 so using dd

image

I used hashcat on my Teammate Mahmoud Anas laptop to crack the hash and we got the password xavier

so i mounted the Luks (which take me like 15 min to mount it becasue u never do what u know in ctfs :) ) file and got the flag: image

Diasassembled (Forensics)

First i got a RAR file which contains 1162 png image all images names were base64 encoded image

so i decoded 3 of them and it was like coordinates (x’s and y’s) having another look at he images i got that all these images needs to be orders in their places which is the name of each image… like puzzle

so first thing i used PIL but i got bad result

So i got another idea

I know that their is command in linux called convert which can merge images horizontally and vertically

so all i need to do is merging all the images which has the same y coordinate horizntally and then merge them all vertically but this caused error since the images are not ordered

so after like (30 min of bad scripts becasue i am a Competitve programmer so i always think about efficiency XD)

i started to think in another way (since it’s 900 points challenge XD)

all i needed to do is get the area that i need to draw which is (max y value * max x value) which were (83 * 13)

and iterate over the rectangle coordinates and append all the images line by line (horizontally) then merge all the lines (vertically)

and here is the final script:

import base64
from os import listdir
from os.path import isfile, join
import os

mypath = './'
onlyfiles = [f for f in listdir(mypath) if isfile(join(mypath, f))]

def mergerH(command, outfile):
    os.system('convert ' + command + ' +append ' + outfile)


def mergerV(command, outfile):
    os.system('convert ' + command + ' -append ' + outfile)


for y in range(0, 83):
    command = ''
    for x in range(0, 14):
        try:
            filename = str(x) + '_' + str(y) + '\n'
            filename = base64.b64encode(filename.encode())
            filename = filename.decode()
            filename += '.png'
            command += filename + ' '
        except:
            pass
    mergerH(command, str(y)+'.png')

command = ''
for i in range(0, 84):
    filename = str(i) +'.png'
    command += filename + ' '

mergerV(command, 'flag.png')

and here is our flag

flag

Crypto

hybrid

first i got this encryption script:

from Crypto.Util import number
import gmpy

m = open("flag.txt").read().replace("\n","")
phi = open("phi.txt").read().replace("\n","")

n = 733779191446801744899342108168226802992682163418792963599360850735375357455149979963798696015161197475414024468033389300951694130144996818665824371318592531337165298759687824316944720456405675505162655503575794947374005869172615489638110272658753196202920853560741805676845416811037858748952036992904987436436305070974548294634539634801990942494632039639997750615092947743413718521647333154278856325718278411799389746268450832747014683725257304667674508399893700585665857805431255846507842167088538394622439932419732551109371563524462274634618135383588224491819316026576502189587830733272736383804826745750346676275381694162218907532199742744234494583745211574842002723757725331355540304942746757973848238312752019843407574782457030601680230342220205032750800522763368978779642050636007667833604220218253864829008534150019797632511068212565709143837742993793579734266511459683596315626111107
e = 65537

d = str(gmpy.invert(e,long(phi)))
c = ""
count = 0
for i in m:
    c += chr(ord(i) ^ ord(d[count]))
    count +=1
    count = count % len(d) 


f = open("data.txt","w")
f.write("n = "+str(n)+"\n")
f.write("e = "+str(e)+"\n")
f.write("c = "+str(int(c.encode("hex") ,16)))
f.close()

and data.txt:

n = 733779191446801744899342108168226802992682163418792963599360850735375357455149979963798696015161197475414024468033389300951694130144996818665824371318592531337165298759687824316944720456405675505162655503575794947374005869172615489638110272658753196202920853560741805676845416811037858748952036992904987436436305070974548294634539634801990942494632039639997750615092947743413718521647333154278856325718278411799389746268450832747014683725257304667674508399893700585665857805431255846507842167088538394622439932419732551109371563524462274634618135383588224491819316026576502189587830733272736383804826745750346676275381694162218907532199742744234494583745211574842002723757725331355540304942746757973848238312752019843407574782457030601680230342220205032750800522763368978779642050636007667833604220218253864829008534150019797632511068212565709143837742993793579734266511459683596315626111107
e = 65537
c = 3761829741272145283141558702847898018685351301385367354966819695378446980283150871815816812877

after doing some tests on n to factor it i knew that it has multifactors so i used primefact

to get n factors to get phi to get d

and xored c with d

from Crypto.Util.number import long_to_bytes, inverse


nt = 733779191446801744899342108168226802992682163418792963599360850735375357455149979963798696015161197475414024468033389300951694130144996818665824371318592531337165298759687824316944720456405675505162655503575794947374005869172615489638110272658753196202920853560741805676845416811037858748952036992904987436436305070974548294634539634801990942494632039639997750615092947743413718521647333154278856325718278411799389746268450832747014683725257304667674508399893700585665857805431255846507842167088538394622439932419732551109371563524462274634618135383588224491819316026576502189587830733272736383804826745750346676275381694162218907532199742744234494583745211574842002723757725331355540304942746757973848238312752019843407574782457030601680230342220205032750800522763368978779642050636007667833604220218253864829008534150019797632511068212565709143837742993793579734266511459683596315626111107
e = 65537


n = [860162287,721530503,697546723,573061571,750977569,783910709,1051830467,644972563,688334561,691314517,743713247,572521289,774946919,582692641,884355679,903424853,1004009729,600682493,1039227863,958778917,966077327,670102193,561417721,1040089021,651419281,815101709,653079907,893203361,975999839,750559349,804799643,917581321,1009063973,964596943,707889719,861858913,590455427,788447813,537662557,665450171,832898491,860874631,703814261,614954729,761193451,1032959927,728913859,1037337241,867673993,962207927,549121801,540560863,977799637,1050746933,923753287,998001427,626225011,831524879,924357067,976586389,1013426387,700141627,732399917,669930689,997849583,1055505511,980219081,707138093,537575729,716852509,843804551,910960003,922930891,822585983,983059709,985938179,584780591,690074491,804222511,977934701,1014800093,854386829,733599463,758568427,800673689,1048011233,949351411,569013943,957628829,1060805561,1061454599,1043950867,831266693,753949741,755354023,885034793,1068538567,874820909,982249127,793835137]
pr = 1

phi = 1
for i in n:
    phi *= (i-1)
    
d = str(inverse(e,phi))
c = 3761829741272145283141558702847898018685351301385367354966819695378446980283150871815816812877
c = hex(c)[2:]
c = bytes.fromhex(c).decode()

flag = ''
count = 0
for i in range(len(c)):
    print(chr(ord(c[i]) ^ ord(d[i])), end='')

which gaved me the flag: ASCWG{RSA_W1TH_X0R_M@Y_B3_S3CURE_?_!_!}

Hashes

I got encryption script:

import hashlib

flag = open("flag.txt").read().replace("\n","")
cipher = open("cipher.txt","w")
hash = ""
for char in flag:
    hash+=hashlib.sha512(hashlib.md5(hashlib.sha512(char).hexdigest()).hexdigest()).hexdigest()
hash = hash[::-1].encode("base64")

cipher.write(hash)

and cipher.txt:

MGFhNzYyOWUxNDhmMmYzOWQ5NzQ5MDI3NjQxYWFmNGQ1YTVlMmEwNWIzMmViYjI5YjQzZGZlYjFj
ZjQxNzdhZDI2ZjZkMmYxZjhjMWQzN2QyZWVmNjc5M2QyODc0NTdhZjczYjQzNGE0MjhiNTdjNmQ5
YzE1ZWMwNjljNzhmYjlmZDFlODk2MDA5YzBjYWE0Zjg5MWQ4YTE5YmY1YmE0NDAxOTA1YzBlMjVj
NTE4ZDhhNmE4NjUwYmY2NjdiOGE5ZTMwN2Y5YjYyMjA4ZTMwNTBkMzJkMjcyODNkYzEzZjJlNGQ3
ZTU2YjRmMDZmODMwODJlOTcxMTM3NzM0OWM4ODNmZWEyYmM3ZmY0MTIwN2ExZGZmYTkyOTAyOWZk
YmQzN2NmMjYyZTE3NjJiM2U3MDY2YWRmMmE4YzVmZTk3NmZiNmM4YjUzMjk4OWFhOGIxMzE4YjZj
NDZkZGJjYmRmMDk0M2U3MjAxMjg2NzM0ODM4MDVkMTkwZDBhZjU2NmU1ZTI2MDgzNThmMTkxOGEx
NThjZTYyYWMwOGI0MzdhYTlkMWM2OTMyNDUzZWVmZmMxODQ0YTgzMWYzOWY3MDJlZmRiMWE0M2Mw
ZTMxNzU3MjBjYzgzZjUwMGYyMDJmYzQzMjA5Y2Q0NjRlNDVlZjNjODI0MTMzNDcwOTkxMjExZGIy
OTZkODdkODk3OGMwNWY3MmNkY2YyMjEzNDRlOGExODZlMWIwZTljZWE5ZDA5MzJmODY5ZjdmY2Vi
NWVlNzk3YTQwOTc5OTQ5MDU1YWI1ODljNDI4ZGFmN2RhZmUzZTUyYzUyYzBhODZhMzFiMzdlZjhm
OGMyNzAyYWMwYzliZmUyNjA4MzU4ZjE5MThhMTU4Y2U2MmFjMDhiNDM3YWE5ZDFjNjkzMjQ1M2Vl
ZmZjMTg0NGE4MzFmMzlmNzAyZWZkYjFhNDNjMGUzMTc1NzIwY2M4M2Y1MDBmMjAyZmM0MzIwOWNk
NDY0ZTQ1ZWYzYzgyNDEzMzQ3MDk5MTIxMWRiZmQxZTg5NjAwOWMwY2FhNGY4OTFkOGExOWJmNWJh
NDQwMTkwNWMwZTI1YzUxOGQ4YTZhODY1MGJmNjY3YjhhOWUzMDdmOWI2MjIwOGUzMDUwZDMyZDI3
MjgzZGMxM2YyZTRkN2U1NmI0ZjA2ZjgzMDgyZTk3MTEzNzczNDljODgzZmVhMmJjN2ZmNDEyMDdh
MWRmZmE5MjkwMjlmZGJkMzdjZjI2MmUxNzYyYjNlNzA2NmFkZjJhOGM1ZmU5NzZmYjZjOGI1MzI5
ODlhYThiMTMxOGI2YzQ2ZGRiY2JkZjA5NDNlNzIwMTI4NjczNDgzODA1ZDE5MGQwYWY1NjZlNTI5
NmQ4N2Q4OTc4YzA1ZjcyY2RjZjIyMTM0NGU4YTE4NmUxYjBlOWNlYTlkMDkzMmY4NjlmN2ZjZWI1
ZWU3OTdhNDA5Nzk5NDkwNTVhYjU4OWM0MjhkYWY3ZGFmZTNlNTJjNTJjMGE4NmEzMWIzN2VmOGY4
YzI3MDJhYzBjOWJmZTI2MDgzNThmMTkxOGExNThjZTYyYWMwOGI0MzdhYTlkMWM2OTMyNDUzZWVm
ZmMxODQ0YTgzMWYzOWY3MDJlZmRiMWE0M2MwZTMxNzU3MjBjYzgzZjUwMGYyMDJmYzQzMjA5Y2Q0
NjRlNDVlZjNjODI0MTMzNDcwOTkxMjExZGJlMjYwODM1OGYxOTE4YTE1OGNlNjJhYzA4YjQzN2Fh
OWQxYzY5MzI0NTNlZWZmYzE4NDRhODMxZjM5ZjcwMmVmZGIxYTQzYzBlMzE3NTcyMGNjODNmNTAw
ZjIwMmZjNDMyMDljZDQ2NGU0NWVmM2M4MjQxMzM0NzA5OTEyMTFkYmZkMWU4OTYwMDljMGNhYTRm
ODkxZDhhMTliZjViYTQ0MDE5MDVjMGUyNWM1MThkOGE2YTg2NTBiZjY2N2I4YTllMzA3ZjliNjIy
MDhlMzA1MGQzMmQyNzI4M2RjMTNmMmU0ZDdlNTZiNGYwNmY4MzA4MmU5NzExMzc3MzQ5Yzg4Mjk2
ZDg3ZDg5NzhjMDVmNzJjZGNmMjIxMzQ0ZThhMTg2ZTFiMGU5Y2VhOWQwOTMyZjg2OWY3ZmNlYjVl
ZTc5N2E0MDk3OTk0OTA1NWFiNTg5YzQyOGRhZjdkYWZlM2U1MmM1MmMwYTg2YTMxYjM3ZWY4Zjhj
MjcwMmFjMGM5YmZlMjYwODM1OGYxOTE4YTE1OGNlNjJhYzA4YjQzN2FhOWQxYzY5MzI0NTNlZWZm
YzE4NDRhODMxZjM5ZjcwMmVmZGIxYTQzYzBlMzE3NTcyMGNjODNmNTAwZjIwMmZjNDMyMDljZDQ2
NGU0NWVmM2M4MjQxMzM0NzA5OTEyMTFkYmUyNjA4MzU4ZjE5MThhMTU4Y2U2MmFjMDhiNDM3YWE5
ZDFjNjkzMjQ1M2VlZmZjMTg0NGE4MzFmMzlmNzAyZWZkYjFhNDNjMGUzMTc1NzIwY2M4M2Y1MDBm
MjAyZmM0MzIwOWNkNDY0ZTQ1ZWYzYzgyNDEzMzQ3MDk5MTIxMWRiM2ZlYTJiYzdmZjQxMjA3YTFk
ZmZhOTI5MDI5ZmRiZDM3Y2YyNjJlMTc2MmIzZTcwNjZhZGYyYThjNWZlOTc2ZmI2YzhiNTMyOTg5
YWE4YjEzMThiNmM0NmRkYmNiZGYwOTQzZTcyMDEyODY3MzQ4MzgwNWQxOTBkMGFmNTY2ZTVmZDFl
ODk2MDA5YzBjYWE0Zjg5MWQ4YTE5YmY1YmE0NDAxOTA1YzBlMjVjNTE4ZDhhNmE4NjUwYmY2Njdi
OGE5ZTMwN2Y5YjYyMjA4ZTMwNTBkMzJkMjcyODNkYzEzZjJlNGQ3ZTU2YjRmMDZmODMwODJlOTcx
MTM3NzM0OWM4ODNmZWEyYmM3ZmY0MTIwN2ExZGZmYTkyOTAyOWZkYmQzN2NmMjYyZTE3NjJiM2U3
MDY2YWRmMmE4YzVmZTk3NmZiNmM4YjUzMjk4OWFhOGIxMzE4YjZjNDZkZGJjYmRmMDk0M2U3MjAx
Mjg2NzM0ODM4MDVkMTkwZDBhZjU2NmU1ZTI2MDgzNThmMTkxOGExNThjZTYyYWMwOGI0MzdhYTlk
MWM2OTMyNDUzZWVmZmMxODQ0YTgzMWYzOWY3MDJlZmRiMWE0M2MwZTMxNzU3MjBjYzgzZjUwMGYy
MDJmYzQzMjA5Y2Q0NjRlNDVlZjNjODI0MTMzNDcwOTkxMjExZGJlMjYwODM1OGYxOTE4YTE1OGNl
NjJhYzA4YjQzN2FhOWQxYzY5MzI0NTNlZWZmYzE4NDRhODMxZjM5ZjcwMmVmZGIxYTQzYzBlMzE3
NTcyMGNjODNmNTAwZjIwMmZjNDMyMDljZDQ2NGU0NWVmM2M4MjQxMzM0NzA5OTEyMTFkYjI5NmQ4
N2Q4OTc4YzA1ZjcyY2RjZjIyMTM0NGU4YTE4NmUxYjBlOWNlYTlkMDkzMmY4NjlmN2ZjZWI1ZWU3
OTdhNDA5Nzk5NDkwNTVhYjU4OWM0MjhkYWY3ZGFmZTNlNTJjNTJjMGE4NmEzMWIzN2VmOGY4YzI3
MDJhYzBjOWJmZmQxZTg5NjAwOWMwY2FhNGY4OTFkOGExOWJmNWJhNDQwMTkwNWMwZTI1YzUxOGQ4
YTZhODY1MGJmNjY3YjhhOWUzMDdmOWI2MjIwOGUzMDUwZDMyZDI3MjgzZGMxM2YyZTRkN2U1NmI0
ZjA2ZjgzMDgyZTk3MTEzNzczNDljODhkZTMwMzhkNThiZDJjYzk4YjVjNmZmZjU0Y2YzNGQwYjU0
ZTIzODM1ZDE5MGJiMjFmNjZlNGE1OGU5YjdlODQ5YTIxYzNjMmNkYTRhNzU3NGY1OGI3MGMwZjU2
NzczYTViNGYwYTA1MTY0MDliMjkzYjJhYzhkN2JlZDZlYzkxMjJkYWRlZjg5NzJiZTczZWExYjU1
Yjg5OGNlMzc0ZTg4MTZjOGU0ZTYyYjUxZmVhZDkwMDMxZDNkOWJlNDA4OTEwNmYxNjVkYjZmYjIy
ZWRhZTJhMjY2YWFlODM4N2M0YWI4OWJhNjZhODQ1MTk3MjE4NzE2YjZjMGY1ZjRiNmIxMmRhZGVm
ODk3MmJlNzNlYTFiNTViODk4Y2UzNzRlODgxNmM4ZTRlNjJiNTFmZWFkOTAwMzFkM2Q5YmU0MDg5
MTA2ZjE2NWRiNmZiMjJlZGFlMmEyNjZhYWU4Mzg3YzRhYjg5YmE2NmE4NDUxOTcyMTg3MTZiNmMw
ZjVmNGI2YjFjOTQ4MjAwMGY0OGFlZmIyNjFlNTY2MTczNTc2ODBlOTk3YWUwN2JjMGRiNWQxMDZk
Njc2MmFiZTdkY2JiODBkNzFhYzhlOGIwMjVmMWE1YjkzZmJiOThiZDdhYjhlZGNlZWYxNmRjMjIz
MGI2ZTNmMzgzZjVjMDIxYTFkNGEwNWZkMWU4OTYwMDljMGNhYTRmODkxZDhhMTliZjViYTQ0MDE5
MDVjMGUyNWM1MThkOGE2YTg2NTBiZjY2N2I4YTllMzA3ZjliNjIyMDhlMzA1MGQzMmQyNzI4M2Rj
MTNmMmU0ZDdlNTZiNGYwNmY4MzA4MmU5NzExMzc3MzQ5Yzg4MTVlNDI2ZmMxMDNlZGZlODA0Mjg0
MDdjNzc2YTdjNWUwMzBmMTE3NmQyYjBlMzVjZTJkZjNmYmYyMzhhMjA5Njk5OGMwZWJkZDRhYTBi
YWFkMjNmOGE2MjIzNDEyOGVkZjJmMTZhZmZkNjY5MWRhNWQ1MWFjZmIxNDFiNDcyNGIyOTZkODdk
ODk3OGMwNWY3MmNkY2YyMjEzNDRlOGExODZlMWIwZTljZWE5ZDA5MzJmODY5ZjdmY2ViNWVlNzk3
YTQwOTc5OTQ5MDU1YWI1ODljNDI4ZGFmN2RhZmUzZTUyYzUyYzBhODZhMzFiMzdlZjhmOGMyNzAy
YWMwYzliZmZkMWU4OTYwMDljMGNhYTRmODkxZDhhMTliZjViYTQ0MDE5MDVjMGUyNWM1MThkOGE2
YTg2NTBiZjY2N2I4YTllMzA3ZjliNjIyMDhlMzA1MGQzMmQyNzI4M2RjMTNmMmU0ZDdlNTZiNGYw
NmY4MzA4MmU5NzExMzc3MzQ5Yzg4NjNlNzcyMDRiMjA1MGUxYTE3YWMwMGM4NTkzNDYzMTRlYWEy
YzBhMzVmYzczNDEwZTM2OGI4YWY2ZDc3NDk5NzUzYjMzMTViZWIwODIwMWVkZGI1OGQ5ZWQ3YTdh
NTUyZjQ2YmY5Y2RmZjg0MDE1YzhiZDY2YWQ0MTNkMTEwNzc4ODJiM2Y0OTQ1MjVlYjAyYWVmMzIx
MDJlNWUwOTFiNTBjYjU4ZDllOTk2Yzk5OWNjMTA1MmY3ZmU3ODRmNWU4ZmUzNjY5MjFiZWY2ZTI3
MTQzZmI3MTI5ZjcxNDYyOGNlODZhZGI4YzE0YjMxNGU3YTJhOWFhYzZiNzlhZGQ3NTFkMzE2YzAx
MTM5ZTdhMmU0M2I0ODA5Yzg0NTFjOWJkOGVmMDRjZWVlZWRjOThjNTg5MzRjMTkyYjZhZWFkZWJh
ZDc0OTE1MjA4YTM0ZGM0MjU5YjY4MWI3MzIyZGRkZTc0Y2NmNmVmODFjYjg1YmM3ZGZlMWZmMzY0
OWJjMGUzMGFmZjI5N2U0ZTgxNTdlZTRiZjhiZjhiZTVjM2Q1NzUxMzUyMGFkNDIzOTkwOWQ3MjNl
MDEzMjI2NmFjZjEyOWJkNDU1NGZlOGQwNmRhYjg1NDNhOTMyYTRlYjYyMzUyMWViNjIyYmE0ZWNh
YzJkYWZmY2ExODc4YmY0OGI3NzliMjczZDE3M2UzYWFlOTg0MjkxNTY3OWE4MmZjMTUwOGYwNzRl
ZDFmZGM3MmU1MmNhZDVjMzc5MWRjY2IzNzVjOWNlMWU0NjI0ZmYxMDM1ZTg1NzIzYWNlNDQ2NDc1
YzBlOGIzYTQzOTE2NTcxYTY5ZTM3MTA5NWVkZjkyYzUzYWZkMWU4OTYwMDljMGNhYTRmODkxZDhh
MTliZjViYTQ0MDE5MDVjMGUyNWM1MThkOGE2YTg2NTBiZjY2N2I4YTllMzA3ZjliNjIyMDhlMzA1
MGQzMmQyNzI4M2RjMTNmMmU0ZDdlNTZiNGYwNmY4MzA4MmU5NzExMzc3MzQ5Yzg4MWQ5ZGU3Y2Zi
ZTljMjJlZDI3M2NlZGRhOGMwZTNhY2U3YTU0MWZlMjFkM2YzMTQ3MDMxMjBlZjJkYzk0YWMwYmJi
MThmMWZjZDQ2Y2E3ZjY3ODkxODhjNTFhZjdmODZiNzFkN2FlZjg1MTM3ZTRkMjI4MWFkMTk1ZTVh
NjRmMzEzMDU4Yzc2NTRjNGU5YzFhYzE3YzllYTc0MzkyYmNlYjI0ZjhjN2VjODZiNTFkZmRmYTA0
M2Q0OGZlMTAzMzkzN2M5YjY4MDZiYWE5MGQzOGUwZmM3NGI5ZTBhYjlmMWE4OGU3MDY1MzU0ZGQw
NTdmNTY2MGZmZDJlYjQ1NzE4ODI4NzNlNmViODBjNzUwMTQ4Y2E5N2E3OGI4ZTdhMWUwYjdlM2Nj
OTBiYzNlNzE1OGNhMjZlNTg4MDU5OWZlNzdjZWU0MWI5NWQzMmU2ODZhOGNhOGZlMTBiMWQ5ZGJl
M2ZmNTQ1YWMwYTMzZWQ5OTcxOWU3MTJjZjdmOTE3NDExZTAyZWQ2NjdlMDNhNGU2Nzc1MzYzMjY3
NTdlNDZjNGZjMjhkMTAwMjFmZWFlYmY3MGFiY2VhOGE0YzU0N2YwZjA3NjJlYWQ1OGE0NTc2Njg5
NjAzMDQ3ZjNmMmI4NjUzOTE5NTZjZGIzYTg4MzkwMzM1YTM0OGJkYjEwM2E3Mjk2NjNjOTJhMmE4
ZjZhYmI3ZjZmMjg5MjU3YmU3NGVmNDA2YTFhNjU0Mjg5MjE5YjNjNTU0NzlmOWYyMDEzMWEyNDVj
MWY1MzFmMzk2YzUzNzVhZjU5ZWZlNmJjYjI2ZmM1MTBmODZhNjIxNWY4MzdjNDRjZTU0ODMxOGVm
MWZkYjAxMGVjNTYyMjFmNGI3ZjIxZTc4MjE2OGU0NzhiZDVmMTcxZThmZjhkYmM1YzE0OTc5Mzgy
OGQ0OWE4YjI1NGRjN2E2NjYyOTEzZmY2ZDMxYzU1MDdlODA5MzQ3N2VjM2ZjYTM2Y2IzMzI2NmRi
ZGFkMmQ0MDcxOTkyZjAxZTliYzk0ODIwMDBmNDhhZWZiMjYxZTU2NjE3MzU3NjgwZTk5N2FlMDdi
YzBkYjVkMTA2ZDY3NjJhYmU3ZGNiYjgwZDcxYWM4ZThiMDI1ZjFhNWI5M2ZiYjk4YmQ3YWI4ZWRj
ZWVmMTZkYzIyMzBiNmUzZjM4M2Y1YzAyMWExZDRhMDVlNDM4OWEzNTBhYjU5ZmNkMDY0YjYxZjdi
MzI2Nzc4ZTg1OTJiYzkzMjA4ZGQzOGMyYzMyYThmYzQyMGZiNzc0YjEzMmRmMjg3ZDZlOTBhZDMw
YWE3NTkzYmRhNWRhMTViNTVjNWYwOWYyODY0YWM4NWY3NDBiMjhhZjk3MTdkZTE1ZTQyNmZjMTAz
ZWRmZTgwNDI4NDA3Yzc3NmE3YzVlMDMwZjExNzZkMmIwZTM1Y2UyZGYzZmJmMjM4YTIwOTY5OThj
MGViZGQ0YWEwYmFhZDIzZjhhNjIyMzQxMjhlZGYyZjE2YWZmZDY2OTFkYTVkNTFhY2ZiMTQxYjQ3
MjRiODgyYjNmNDk0NTI1ZWIwMmFlZjMyMTAyZTVlMDkxYjUwY2I1OGQ5ZTk5NmM5OTljYzEwNTJm
N2ZlNzg0ZjVlOGZlMzY2OTIxYmVmNmUyNzE0M2ZiNzEyOWY3MTQ2MjhjZTg2YWRiOGMxNGIzMTRl
N2EyYTlhYWM2Yjc5YWRkNzUxMDQxYjRlNmI0ZGM4YjA1ZjU3YzE4ODc3MDQ5YWRjZjYyOWQ5ZmYw
YTYzMzBlZGE4NDc0YjY0Yjc5ZWNiYTI4ZWI5Njk5Y2FhZjIyMjI2Mjg1NTgyOWQ1OWYzNmVlY2E4
NzhiM2RjNDRlYjZkNDZiYWQ4ZWYyMzFjYjI5NzYyOQ==

so it seems that it’s hashing every flag character and append it to ciphertext then reverse it and encode it with base64

so the weakness here that if i got the innermost input…. the multihashing become useless

so all i need to do is bruteforce the printable characters and hash it in the same way and compare it with each hash i got

so to be more clear:

if our plane text is: ‘SECRET’

our cipher text is: base64(rev(sha512(md5(sha512(each character)))))

so i wrote this simple script with my friend Mahmoud and we got the flag:

import base64
import hashlib

c = open('cipher.txt').read()
c = c.replace('\n', '')

b = base64.b64decode(c)
b = b[::-1]


def enc(txt):
    return hashlib.sha512(hashlib.md5(hashlib.sha512(txt.encode('utf-8')).hexdigest().encode('utf-8')).hexdigest().encode('utf-8')).hexdigest()

flag = ''


for i in range(0, len(b)):
    h = b[i:i+128]
    h = h.decode()
    for c in range(0,256):
        try:
            if enc(str(chr(c))) == h:
                flag += chr(c)
        except:
            pass

print(flag)

ACSWG{Brute_F@RCE_1S_G00D_1337_7331_3317_3137_}

Retrive

we got an encryption script:

from Crypto.Util.number import getPrime
from gmpy import invert
def generate_key():
    p = getPrime(2048)
    q = getPrime(2048)
    n = p*q
    phi = (p-1) * (q-1)
    e = 65537
    d = invert(e,phi)
    return [n,e,d]

m = "ASCWG{y0u_N33d_t0_Brut3_F0rce_th3_???}"
m = int(m.encode("hex"),16)
n,e,d = generate_key()
c = pow(m,e,n)
print "n = " , n
print "e = " ,e
print "c =",c

and c.txt:

n =  876566193838643237337037920433795395573374494439847624125385186386835670267615151865098745626775955776093005136573336594225795853288612401732675263511044369610643107788969933380308966296368853370342299577287721981114487406530956439312605695190916394624794947543008200996555824410091666127523908085602231209361792478776410877076888333247731536986964520985826391032724092756503520728675425243410598251490041662376499017516031354615443801594990171009789066223085666376506651130694586816909765257490655359598764448201972907006552712592359832076831449528162845622085187680039752386917638159778358501612689078221288768506095617646584977689778168775244944940754640428162121779159713615864545373630589517739480041685204898020498897150024659849650137706680607429904678286830423552034212968345168786930394033886118487755695408749531035093665089023658776744679123489557498803084931515122125872209565805780974038555647525297280449197815947206811507039476379978178227948956939287471769147030714588752817587402141286308265488394250857135469355999116760185590145541923393956102918954578026603681023546352683233943437403177607371005525105556052647623797414693596959480739968475803643210012082334972585491836570866138920752937790968378241237334539741
e =  65537
c = 50423365462223754926258130508333729507591338946389232993927416356397813609630082901065628999339238485797666399820826108019185899034418587932574100242741171545584155935738684194850397205415114141757555652038117842779989453467312001210216882334829972216065340743680393415862438814524581080670083590548348048857760554550737040684503631821931495383119153231294458992365341096770173216880436925891892303409282118998437238511507799330980860970580283865238958688730050628166452225308220296582574916401284227618808886352604625809424257929880999115121852970111670130157251706541043336875497776236002536707914909824427907853005098805568813345743125421221126029219358222153652926946515854823586278913614872736714077040426294670803571765863871770541158097065630542563760859963818818564306964335900936804624971263060469051147522366500260917487649295038676727824471401365516551898207907163352878181099533324423266298541882681454099876005303861352749938624642162065114121305377632631163771373596450657300893012099392095762449126286406969595033889245616377701666788882986799484780786853142699953327087663804243726310393803765185300094349658941306879523687762914924166069216225493181485871584266122421952690581199085496269689191977348149262399232601

from the challenge decription it seems that we need to bruteforce 3 characters i thought it’s a rabbit hole but i wrote simple script and left it running while solving another challnge and i got the flag:

from Crypto.Util.number import long_to_bytes, inverse, bytes_to_long
from brute import brute

n =  876566193838643237337037920433795395573374494439847624125385186386835670267615151865098745626775955776093005136573336594225795853288612401732675263511044369610643107788969933380308966296368853370342299577287721981114487406530956439312605695190916394624794947543008200996555824410091666127523908085602231209361792478776410877076888333247731536986964520985826391032724092756503520728675425243410598251490041662376499017516031354615443801594990171009789066223085666376506651130694586816909765257490655359598764448201972907006552712592359832076831449528162845622085187680039752386917638159778358501612689078221288768506095617646584977689778168775244944940754640428162121779159713615864545373630589517739480041685204898020498897150024659849650137706680607429904678286830423552034212968345168786930394033886118487755695408749531035093665089023658776744679123489557498803084931515122125872209565805780974038555647525297280449197815947206811507039476379978178227948956939287471769147030714588752817587402141286308265488394250857135469355999116760185590145541923393956102918954578026603681023546352683233943437403177607371005525105556052647623797414693596959480739968475803643210012082334972585491836570866138920752937790968378241237334539741
e =  65537
cg = 50423365462223754926258130508333729507591338946389232993927416356397813609630082901065628999339238485797666399820826108019185899034418587932574100242741171545584155935738684194850397205415114141757555652038117842779989453467312001210216882334829972216065340743680393415862438814524581080670083590548348048857760554550737040684503631821931495383119153231294458992365341096770173216880436925891892303409282118998437238511507799330980860970580283865238958688730050628166452225308220296582574916401284227618808886352604625809424257929880999115121852970111670130157251706541043336875497776236002536707914909824427907853005098805568813345743125421221126029219358222153652926946515854823586278913614872736714077040426294670803571765863871770541158097065630542563760859963818818564306964335900936804624971263060469051147522366500260917487649295038676727824471401365516551898207907163352878181099533324423266298541882681454099876005303861352749938624642162065114121305377632631163771373596450657300893012099392095762449126286406969595033889245616377701666788882986799484780786853142699953327087663804243726310393803765185300094349658941306879523687762914924166069216225493181485871584266122421952690581199085496269689191977348149262399232601



def encrypt(txt):
    txt = txt.encode()
    m = bytes_to_long(txt)
    c = pow(m , e, n)
    return c

f = 'ASCWG{y0u_N33d_t0_Brut3_F0rce_th3_'

for s in brute(length=3):
    ct = encrypt(f+ s + '}')
    if ct == cg:
        print(f+s+"}")

ASCWG{y0u_N33d_t0_Brut3_F0rce_th3_k3y}

I hope that i didn’t forgot any challenge it was fun and i want to thank my team to be in top 3 :).

Comments

comments powered by Disqus

Explore more like this

Crypto
ASCWG Crypto - Qualifications Writeups

ASCWG Crypto - Qualifications Writeups

Crypto Challenge with Number Theory

Neroli Neroli 03 Sep 2020