Cryptography

القيصر الصغير

This challenge is a Caesar Cipher with a small twist, Handout:

from egypt import محمد_رمضان
def التشفير(النص):
    النص_المشفر = ""
    for حرف in النص:
        النص_المشفر += chr(((حرف) + محمد_رمضان * 5) % 256)
    return النص_المشفر

النص = b"REDACTED"
النص_المشفر = (التشفير(النص))

print(النص_المشفر)

Since we all know that Mohammad Ramadan = 1, our solver should look something like this:

ct = b'Uqf~lwtzsixHYKYm9spd~5zdk5wd~5zwdu9wy6h6u9y65s'
flag = ''
for i in ct:
    flag += chr(i  - 5)
    
print(flag)

# PlaygroundsCTF{Th4nk_y0u_f0r_y0ur_p4rt1c1p4t10n}

NotSoBabyRSA

This is an RSA challenge that tests the competitors knowledge in modular arithmetic and the RSA cipher

from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long
from random import randint

FLAG = b"REDACTED"
key = RSA.generate(2048)
n = key.n
e = key.e
p = key.p
q = key.q
phi = (p-1)*(q-1)
coeff = randint(1,2**1024)

ct = pow(bytes_to_long(FLAG), e, n)

with open("out.txt", "w") as f:
    f.write(f"e = {e}\\n")
    f.write(f"phi = {phi}\\n")
    f.write(f"ct = {ct}\\n")
    f.write(f"hint = {coeff * phi + p}\\n")

We have, e and phi so we can find d easily, but our bottleneck is that we don’t have N. This is what the hint is for, let’s work out the math behind it.

$$hint = coeff \times phi + p \newline \to hint \mod phi \equiv coeff *phi + p \mod phi \newline \equiv (coeff * phi) \mod phi + p \mod phi \newline \text {Since phi > p, p mod phi = p} \newline \equiv 0 + p \mod phi = p$$

So we have found p by taking hint % phi, now what we have p we can find q through phi thus finding N and breaking the encryption.

from Crypto.Util.number import *
e = 65537
phi = 22252059767191628213686269923550918466514556095718454355165487876212210042902512235466879654483456946425339939630332123373070610861978032641036769394687306065133457782047000737646012734574708243779878702796676880304773026331970265865563482201902213773401935525070342789630609249451297138419324527417706432939161831004010945981262204111549579591136851462878110040834628052606282279600752492602268142909665311586670088584877305808427995341132871133590702019242934894841646820641963380844193501147607394477559133105115605676776453120545196783998160115109245212957419072332329260204681158981943471613299096279320611901408
ct = 7487513392805281320020821228815838530393100681899722996521156929013128981749267847123083927473474437250065101826145882598964943701979376229164252243817179617956750851638734244561560870851434791870329947587761957799492071466293409788488637493888696552782176278479158234684156806503441826814543070260882338383602524028033304423497625264097614619892750908454123706980227808652116205222826719696074660729984587075966039537626371869181798938672291276714789617761108485432749493055410057969359775648166786267549750149259376009480247197369418823946423245660938830554461992596618289629818521468132029008837658517200600182974
hint = 3102549700716471604272133991221428061037218505949681857660761386956318993188444305199487096163182871844881676763785930672696384950415479206532153456120236817518735946946222300270351409770921866514521764852504710727970233542767784601619718425279440489928938729445426772743151497970269749153857242373473563340064158698310177980068817462081355409876988043237956275853736714781629878899944397243489362768101056010339642071758090894192048533914459938764491819929178335815241575412994798094315675694615947077837861137354498632529849072889450466768115902839785739215182722766750875909398546046941230273782994128087501747209927811284914059323448695154033832341124961310708853098254914025220329858403824553264283752892117512171230868825247975542010780862495154205819873946988892354419134743650520241834006924095813697810698021188119648594802353096693251516258098009853570474710354666561151603069384594968449769633717489801331476901035

p = hint % phi
q = phi // (p-1) + 1
n = p*q
d = inverse(e, phi)
m = pow(ct, d, n)
print(long_to_bytes(m))
# PlaygroundsCTF{P3n_and_P4p3r_4r3_4ll_y0u_n33d_t0_cr4ck_RSA}

Building Pyramids

Handout:

from math import sin
from Crypto.Util.number import getRandomInteger
from Crypto.Cipher import AES
from hashlib import sha256
from Crypto.Util.Padding import pad
Flag = b"REDACTED"
x = getRandomInteger(1024)

key = float(str(sin(x) + 1)[:6])

# print(key)

def encrypt_flag(flag, key=key):
    key = sha256(str(key).encode()).digest() [:16]
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(flag)

with open("out.txt", "w") as f:
    f.write(str(encrypt_flag(pad(Flag, 16))))

If we try adding a print line to see what our key tends to look like, and we notice its either 0.xxxx or 1.xxxx so basically in the range of sin(x) + 1 with rounding to the 4th decimal point, this means we have 20,000 possible keys. bruteforcable.

from Crypto.Cipher import AES
from hashlib import sha256
from Crypto.Util.Padding import unpad

ct = b'\\xd9\\xa1:m\\xad\\x02\\xd9j\\x04\\n_h\\x81}\\r\\x8e\\xe1\\xc4}\\x86\\xad1\\x83\\xad\\xbaPo\\xaa\\x9e\\xd6\\x03n\\x8ek\\xa1\\xea3\\xdf\\xf4\\xe5\\xc9\\xc8\\t\\x04\\xc7\\xc2\\xe6\\xdbT\\xbdTq\\x0ed\\x08F\\xf8\\xcc6&\\x03\\xc0\\xc0\\xb1'

def decrypt_flag(ciphertext, key):
    key = sha256(str(key).encode()).digest()[:16]
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.decrypt(ciphertext)
from numpy import arange

for i in range(0, 2, 0.0001):
    key = i.round(4)
    if b"Play" in decrypt_flag(ct, key):
        print(unpad(decrypt_flag(ct, key),16).decode())
        break
        
# PlaygroundsCTF{3L_H4R4M_15_PR0ud_0f_Y0u}

Simple RSA

Classic RSA challenge, encrypting char by char

from Crypto.Util.number import *

Flag = b"REDACTED"

p = getPrime(1024)
q = getPrime(1024)

assert p != q

n = p*q

e = 0x10001

ct = []
for c in Flag:
    ct.append((pow((c), e, n)))

with open("out.txt", "w") as f:
    f.write(f'ct = {str(ct)}\\n')
    f.write(f'n = {str(n)}')

This challenge is similar to Giza Cipher except you’ll have to generate the table by encrypting all printable characters with the public key and comparing with the given ciphertext list

from Crypto.Util.number import * 
import string

ct = [..,..
n = ..

printables = string.printable
enc_printables = [pow(ord(c), 0x10001, n) for c in printables]

for c in ct:
    if c in enc_printables:
        print(printables[enc_printables.index(c)], end='')
    else:
        print(c, end='')
print()
# PlaygroundsCTF{S1mpl3_5ub5717u710n:3}

Calc 101

Let’s look at our source

import sys
import sympy as sp
from random import randint
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from hashlib import sha256
import os 

flag = "PlaygroundsCTF{FAKE_FLAG_FOR_TESTING}".encode()

sys.set_int_max_str_digits(1000000)
x = sp.symbols('x')

poly = x**70 - 100*x**8 + 99*x**169 - 100*x**2 + 1

def encrypt(pt, key):
    key = sha256(key).digest()[:16]
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(pad(pt, 16))

def get_derivative(n,inp,poly=poly):
    for i in range(n):
        poly = sp.diff(poly)

    return poly.subs(x,inp)

def main():
    randx = randint(1, 2**1024)
    n = abs(int(input("enter a positive integer: ")))
    key = get_derivative(n,randx)
    ct = encrypt(flag, str(key).encode())
    print(f"Here is the ciphertext: {ct.hex()}")    

if __name__ == "__main__":
    main()

Usually in these challenges we try to look for ways to make our key predictable, since we can differentiate the polynomial as many times as we want, we can differentiate it so many times it becomes 0, making any random input into the function output a 0 as the encryption key.

from pwn import * 
from Crypto.Cipher import AES
from hashlib import sha256
from Crypto.Util.Padding import unpad

r = remote("URL",00000)

r.recvuntil(b"integer: ")

r.sendline(b"10000") # or any number > 169

r.recvuntil(b"text: ")

ct = r.recvline().strip()
r.close()

ct = bytes.fromhex(ct.decode())

def decrypt(ct, k):
    key = sha256(k).digest()[:16]
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.decrypt(ct)

    
pt = decrypt(ct, str(0).encode())
print(unpad(pt, 16).decode())