ångstromCTF writeup

#ångstromCTF writeup

ångstromCTF was held from March 13 to March 18,2020. We(team:KUDoS) are 107th out of 1782 teams getting 2505 points. I solved mainly crypto and got 470 points out of it.
(note: This is my first English write up, so I might make a mistake. please understand it and correct it if you can)

##Keysar (40pt)

Hey! My friend sent me a message... He said encrypted it with the key ANGSTROMCTF.
He mumbled what cipher he used, but I think I have a clue.
Gotta go though, I have history homework!!
agqr{yue_stdcgciup_padas}

Firstly, I tried Vigenere cipher, but it didn't work. After that, when i looked to the title, it rang a bell. it's keyed caesar!(shown as hint later). I googled it and got a flag

actf{yum_delicious_salad}

##Reasonably Strong Algorithm (70pt)

n = 126390312099294739294606157407778835887
e = 65537
c = 13612260682947644362892911986815626931

n is small enough to factorize here and found n = 9336949138571181619 * 13536574980062068373
that's p and q respectively and culculated totient (p-1 * q-1). Using this, got a decrypt key d and decoded the cipher as following

import gmpy2
n = 126390312099294739294606157407778835887
e = 65537
c = 13612260682947644362892911986815626931
p = 9336949138571181619
q = 13536574980062068373
totient = (p-1)*(q-1)
d = gmpy2.invert(e,totient)
m = pow(c,d,n)
s = bin(m)[2:].zfill(len(bin(m)[2:]) + (8 - len(bin(m)[2:])%8))
ans = ""
for i in range(0,len(s),8):
    ans += chr(int(s[i:i+8],2))

print(ans)

actf{10minutes}

##Wacko Images (90pt)

How to make hiding stuff a e s t h e t i c? And can you make it normal again? enc.png image-encryption.py
The flag is actf{x#xx#xx_xx#xxx} where x represents any lowercase letter and # represents any one digit number

I got a encrypted image file and code below.

from numpy import *
from PIL import Image

flag = Image.open(r"flag.png")
img = array(flag)

key = [41, 37, 23]

a, b, c = img.shape

for x in range (0, a):
    for y in range (0, b):
        pixel = img[x, y]
        for i in range(0,3):
            pixel[i] = pixel[i] * key[i] % 251
        img[x][y] = pixel

enc = Image.fromarray(img)
enc.save('enc.png')

In summary, All the brightness value of red, green, blue in the original picture are multiplied by [41,37, 23] and result in the remainder divided by 251
Firstly, i researched the remainder of dividing from 0 to 251 by 251 each color. As I expected, each remainder is independent! so I made a list each color. Based on the encrypted image, let the brightness value of each color to be the index of the remainder corresponded to the brightness value. (hard to explain... ;( )
I implemented this with the code below.

s_41 = [0, 41, 82, 123, 164, 205, 246, 36, 77, 118, 159, 200, 241, 31, 72, 113, 154, 195, 236, 26, 67, 108, 149, 190, 231, 21, 62, 103, 144, 185, 226, 16, 57, 98, 139, 180, 221, 11, 52, 93, 134, 175, 216, 6, 47, 88, 129, 170, 211, 1, 42, 83, 124, 165, 206, 247, 37, 78, 119, 160, 201, 242, 32, 73, 114, 155, 196, 237, 27, 68, 109, 150, 191, 232, 22, 63, 104, 145, 186, 227, 17, 58, 99, 140, 181, 222, 12, 53, 94, 135, 176, 217, 7, 48, 89, 130, 171, 212, 2, 43, 84, 125, 166, 207, 248, 38, 79, 120, 161, 202, 243, 33, 74, 115, 156, 197, 238, 28, 69, 110, 151, 192, 233, 23, 64, 105, 146, 187, 228, 18, 59, 100, 141, 182, 223, 13, 54, 95, 136, 177, 218, 8, 49, 90, 131, 172, 213, 3, 44, 85, 126, 167, 208, 249, 39, 80, 121, 162, 203, 244, 34, 75, 116, 157, 198, 239, 29, 70, 111, 152, 193, 234, 24, 65, 106, 147, 188, 229, 19, 60, 101, 142, 183, 224, 14, 55, 96, 137, 178, 219, 9, 50, 91, 132, 173, 214, 4, 45, 86, 127, 168, 209, 250, 40, 81, 122, 163, 204, 245, 35, 76, 117, 158, 199, 240, 30, 71, 112, 153, 194, 235, 25, 66, 107, 148, 189, 230, 20, 61, 102, 143, 184, 225, 15, 56, 97, 138, 179, 220, 10, 51, 92, 133, 174, 215, 5, 46, 87, 128, 169, 210]
s_37 = [0, 37, 74, 111, 148, 185, 222, 8, 45, 82, 119, 156, 193, 230, 16, 53, 90, 127, 164, 201, 238, 24, 61, 98, 135, 172, 209, 246, 32, 69, 106, 143, 180, 217, 3, 40, 77, 114, 151, 188, 225, 11, 48, 85, 122, 159, 196, 233, 19, 56, 93, 130, 167, 204, 241, 27, 64, 101, 138, 175, 212, 249, 35, 72, 109, 146, 183, 220, 6, 43, 80, 117, 154, 191, 228, 14, 51, 88, 125, 162, 199, 236, 22, 59, 96, 133, 170, 207, 244, 30, 67, 104, 141, 178, 215, 1, 38, 75, 112, 149, 186, 223, 9, 46, 83, 120, 157, 194, 231, 17, 54, 91, 128, 165, 202, 239, 25, 62, 99, 136, 173, 210, 247, 33, 70, 107, 144, 181, 218, 4, 41, 78, 115, 152, 189, 226, 12, 49, 86, 123, 160, 197, 234, 20, 57, 94, 131, 168, 205, 242, 28, 65, 102, 139, 176, 213, 250, 36, 73, 110, 147, 184, 221, 7, 44, 81, 118, 155, 192, 229, 15, 52, 89, 126, 163, 200, 237, 23, 60, 97, 134, 171, 208, 245, 31, 68, 105, 142, 179, 216, 2, 39, 76, 113, 150, 187, 224, 10, 47, 84, 121, 158, 195, 232, 18, 55, 92, 129, 166, 203, 240, 26, 63, 100, 137, 174, 211, 248, 34, 71, 108, 145, 182, 219, 5, 42, 79, 116, 153, 190, 227, 13, 50, 87, 124, 161, 198, 235, 21, 58, 95, 132, 169, 206, 243, 29, 66, 103, 140, 177, 214]
s_23 = [0, 23, 46, 69, 92, 115, 138, 161, 184, 207, 230, 2, 25, 48, 71, 94, 117, 140, 163, 186, 209, 232, 4, 27, 50, 73, 96, 119, 142, 165, 188, 211, 234, 6, 29, 52, 75, 98, 121, 144, 167, 190, 213, 236, 8, 31, 54, 77, 100, 123, 146, 169, 192, 215, 238, 10, 33, 56, 79, 102, 125, 148, 171, 194, 217, 240, 12, 35, 58, 81, 104, 127, 150, 173, 196, 219, 242, 14, 37, 60, 83, 106, 129, 152, 175, 198, 221, 244, 16, 39, 62, 85, 108, 131, 154, 177, 200, 223, 246, 18, 41, 64, 87, 110, 133, 156, 179, 202, 225, 248, 20, 43, 66, 89, 112, 135, 158, 181, 204, 227, 250, 22, 45, 68, 91, 114, 137, 160, 183, 206, 229, 1, 24, 47, 70, 93, 116, 139, 162, 185, 208, 231, 3, 26, 49, 72, 95, 118, 141, 164, 187, 210, 233, 5, 28, 51, 74, 97, 120, 143, 166, 189, 212, 235, 7, 30, 53, 76, 99, 122, 145, 168, 191, 214, 237, 9, 32, 55, 78, 101, 124, 147, 170, 193, 216, 239, 11, 34, 57, 80, 103, 126, 149, 172, 195, 218, 241, 13, 36, 59, 82, 105, 128, 151, 174, 197, 220, 243, 15, 38, 61, 84, 107, 130, 153, 176, 199, 222, 245, 17, 40, 63, 86, 109, 132, 155, 178, 201, 224, 247, 19, 42, 65, 88, 111, 134, 157, 180, 203, 226, 249, 21, 44, 67, 90, 113, 136, 159, 182, 205, 228]

from numpy import *
from PIL import Image

enc = Image.open(r"enc.png")
img = array(enc)

a, b, c = img.shape

for x in range (0, a):
    for y in range (0, b):
        pixel = img[x, y]
        for i in range(0,3):
            if i ==0:
                pixel[i] = s_41.index(pixel[i])
            if i ==1:
                pixel[i] = s_37.index(pixel[i])
            if i ==2:
                pixel[i] = s_23.index(pixel[i])
        img[x][y] = pixel

flag = Image.fromarray(img)
flag.save('flag.png')

and got a flag !

##Confused Streaming (100pt)

I made a stream cipher!
nc crypto.2020.chall.actf.co 20601

I was given a code as below

from __future__ import print_function
import random,os,sys,binascii
from decimal import *
try:
	input = raw_input
except:
	pass
getcontext().prec = 1000
def keystream(key):
	random.seed(int(os.environ["seed"]))
	e = random.randint(100,1000)
	while 1:
		d = random.randint(1,100)
		ret = Decimal('0.'+str(key ** e).split('.')[-1])
		for i in range(d):
			ret*=2
		yield int((ret//1)%2)
		e+=1
try:
	a = int(input("a: "))
	b = int(input("b: "))
	c = int(input("c: "))
	# remove those pesky imaginary numbers, rationals, zeroes, integers, big numbers, etc
	if b*b < 4*a*c or a==0 or b==0 or c==0 or Decimal(b*b-4*a*c).sqrt().to_integral_value()**2==b*b-4*a*c or abs(a)>1000 or abs(b)>1000 or abs(c)>1000:
		raise Exception()
	key = (Decimal(b*b-4*a*c).sqrt() - Decimal(b))/Decimal(a*2)
except:
	print("bad key")
else:
	flag = binascii.hexlify(os.environ["flag"].encode())
	flag = bin(int(flag,16))[2:].zfill(len(flag)*4)
	ret = ""
	k = keystream(key)
	for i in flag:
		ret += str(next(k)^int(i))
	print(ret

'key' equals to a solution that satisfies the equation ax^2 + bx + c = 0 (x is not imaginary number and is not integer , a,b,c are not 0 and within -1000 to 1000)
After culculated key**e (e:100~1000) , retrieved the digits after decimal point (that's ret), then ret turn to be ret*(2**d) (d:1~100)
the flag strings are encrypted to int((ret//1) %2)^(bit of flag)
number d is too small compared to number e ,so if key is under 0.5, regardless of number e,d, ret is always under 1.0 which means int((ret//1)%2) equals to 0. I let a,b,c to be 1,10,2 (key is about 0.2) and got flag's binary. It was decoded as below.

s = "01100001011000110111010001100110011110110110010001101111011101110110111001011111011101000110111101011111011101000110100001100101010111110110010001100101011000110110100101101101011000010110110001111101"
ans = ""
for i in range(0,len(s),8):
    ans += chr(int(s[i:i+8],2))

print(ans)

actf{down_to_the_decimal}

##one time bad (100pt)

My super secure service is available now!
Heck, even with the source, I bet you won't figure it out.
nc misc.2020.chall.actf.co 20301

Cautions! This is dirty solution!

The problem code is below

import random, time
import string
import base64
import os

def otp(a, b):
	r = ""
	for i, j in zip(a, b):
		r += chr(ord(i) ^ ord(j))
	return r


def genSample():
	p = ''.join([string.ascii_letters[random.randint(0, len(string.ascii_letters)-1)] for _ in range(random.randint(1, 30))])
	k = ''.join([string.ascii_letters[random.randint(0, len(string.ascii_letters)-1)] for _ in range(len(p))])

	x = otp(p, k)

	return x, p, k

random.seed(int(time.time()))

print("Welcome to my one time pad service!\nIt's so unbreakable that *if* you do manage to decrypt my text, I'll give you a flag!")
print("You will be given the ciphertext and key for samples, and the ciphertext for when you try to decrypt. All will be given in base 64, but when you enter your answer, give it in ASCII.")
print("Enter:")
print("\t1) Request sample")
print("\t2) Try your luck at decrypting something!")

while True:
	choice = int(input("> "))
	if choice == 1:
		x, p, k = genSample()
		print(base64.b64encode(x.encode()).decode(), "with key", base64.b64encode(k.encode()).decode())

	elif choice == 2:
		x, p, k = genSample()
		print(base64.b64encode(x.encode()).decode())
		a = input("Your answer: ").strip()
		if a == p:
			print(os.environ.get("FLAG"))
			break

		else:
			print("Wrong! The correct answer was", p, "with key", k)

In short, we have to send a byte p that is culculated by x^k. x is given, so if i found random k, got a flag.
the k's length is from 1 to 30 and the number of character is approx 50 which means the k would be the same letter with a probability of 1/1500
I just solved by brute-force

from pwn import *

random_binary = ""

p = remote("misc.2020.chall.actf.co", 20301)
mes = p.recv(1024)

for i in range(2000):
    sleep(0.5)
    print("now at",i)
    p.sendline("2")
    mes = p.recvuntil(b"Your answer: ")
    p.sendline("a")
    mes = p.recv(1024)
    if b"Wrong" in mes:
        continue
    else:
        print(mes)
        break

actf{one_time_pad_more_like_i_dont_like_crypto-1982309}

##clam clam clam (70pt)

clam clam clam clam clam clam clam clam clam nc misc.2020.chall.actf.co 20204 clam clam clam clam clam clam

When i connected to the server, i received a message in a row.

clam{clam_clam_clam_clam_clam}
malc{malc_malc_malc_malc_malc}
clam{clam_clam_clam_clam_clam}
malc{malc_malc_malc_malc_malc}
clam{clam_clam_clam_clam_clam}
malc{malc_malc_malc_malc_malc}
clam{clam_clam_clam_clam_clam}
malc{malc_malc_malc_malc_malc}
clam{clam_clam_clam_clam_clam}
malc{malc_malc_malc_malc_malc}
.
.
.
.

the hint said "U+000D", so i googled it, finding that it means '‎CARRIAGE RETURN'. I thought CARRIAGE RETURN was mixed with \n (break line)
I wrote a code below

from pwn import *

p = remote("misc.2020.chall.actf.co",20204)
mes = p.recvuntil(b"\x0d")
print(mes)

I got a message 'type "clamclam" for salvation', so I modified the code

from pwn import *

p = remote("misc.2020.chall.actf.co",20204)
mes = p.recvuntil(b"\x0d")
p.sendline(b"clamclam")
p.interactive()

actf{cl4m_is_my_f4v0rite_ctfer_in_th3_w0rld}