From 214087661e2b1f7e6e598ed492df1047daa1135f Mon Sep 17 00:00:00 2001 From: j4ck4l-24 Date: Thu, 13 Jun 2024 00:25:03 +0530 Subject: [PATCH] script error resolved --- content/ctf-writeups/bcactf_5.0/crypto.md | 28 ++++++++++---------- content/ctf-writeups/bcactf_5.0/forensics.md | 4 +-- content/ctf-writeups/bcactf_5.0/misc.md | 10 +++---- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/content/ctf-writeups/bcactf_5.0/crypto.md b/content/ctf-writeups/bcactf_5.0/crypto.md index ef4102a..3cf0a51 100644 --- a/content/ctf-writeups/bcactf_5.0/crypto.md +++ b/content/ctf-writeups/bcactf_5.0/crypto.md @@ -63,7 +63,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE - I made an rsa encrypter to send my messages but it seems to be inconsistent... - Netcat Links: `nc challs.bcactf.com 31452` ### Server Files -- [rsa_encrypter.py](./assets/scripts/RSAEncrypter/rsa_encrypter.py) +- [rsa_encrypter.py](../assets/scripts/RSAEncrypter/rsa_encrypter.py) ## Encryption - There is an `encode` function that takes the flag as `plaintext`, generates random `p` and `q` and encrypts the flag using RSA with `e = 3`. It returns the `ciphertext` and `modulus`. @@ -71,7 +71,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Decryption ### Scripts -- [solve.py](./assets/scripts/RSAEncrypter/solve.py) +- [solve.py](../assets/scripts/RSAEncrypter/solve.py) ### Explanation - So, after getting 3 results of `encode` we use Chinese Remainder Theorem to get `m^3^ mod (n1*n2*n3)` which is `m^3^` itself as `n1*n2*n3` is 3072 bits long, way bigger than `m^3^`. - Now that we have `m^3^` we can simply find its cube root to get the `plaintext` 
@@ -88,7 +88,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE - After realizing how insecure the systems of many companies are (they're always getting hacked), I decided to start offering Encryption as a Service (EaaS). With such a strong guarantee of security, I'll even give you the source code AND my encrypted super secret flag. - Netcat Links: `nc challs.bcactf.com 31704` ### Server Files -- [server.py](./assets/scripts/Encryptor-Shop/server.py) +- [server.py](../assets/scripts/Encryptor-Shop/server.py) ## Encryption - The server generates 3 large primes of order 1024 bits `p,q,r`. @@ -98,7 +98,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Decryption ### Server Files -- [solve.py](./assets/scripts/Encryptor-Shop/solve.py) +- [solve.py](../assets/scripts/Encryptor-Shop/solve.py) ### Explanation - Since we have `p*q` and now `p*r` , we can use gcd to get the prime `p`. - Now we can extract `r` from the second modulus and solve the RSA since we have both primes. @@ -115,7 +115,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE - I made this cool service that lets you protect your secrets with state-of-the-art encryption. It's so secure that we don't even tell you the key we used to encrypt your message! - Netcat Link: `nc challs.bcactf.com 31594` ### Server Files -- [server.py](./assets/scripts/cha-cha-slide/server.py) +- [server.py](../assets/scripts/cha-cha-slide/server.py) ## Encryption - The server is using `ChaCha20` for enryption which is a stream cipher. @@ -130,7 +130,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Decryption ### Scripts -- [solve.py](./assets/scripts/cha-cha-slide/solve.py) +- [solve.py](../assets/scripts/cha-cha-slide/solve.py) ### Explanation - First we recieve the encrypted secret message. - Then we send as many '\x00' bytes as the length of the ciphertext. 
@@ -148,8 +148,8 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Source - My friend seems to be communicating something but I can't make out anything. Why do we live so close to Chernobyl anyways? ### Server Files -- [message.py](./assets/scripts/rad-be-damned/message.py) -- [output.txt](./assets/scripts/rad-be-damned/output.txt) +- [message.py](../assets/scripts/rad-be-damned/message.py) +- [output.txt](../assets/scripts/rad-be-damned/output.txt) ## Encryption - The script reads the flag from a file and uses it as `plaintext` @@ -161,11 +161,11 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Decryption ### Scripts -- [solve.py](./assets/scripts/rad-be-damned/solve.py) +- [solve.py](../assets/scripts/rad-be-damned/solve.py) ### Explanation - As this is a stream cipher we don't need to reverse or understand the `encrypt` function as we could just brute the byte. - First we work on the `rad` function which is randomly flipping one bit. - - We split the ciphertext from [output.txt](./assets/scripts/rad-be-damned/output.txt) into blocks of 12 bits and then work on them separately. + - We split the ciphertext from [output.txt](../assets/scripts/rad-be-damned/output.txt) into blocks of 12 bits and then work on them separately. - For every block , `rad` function could have either flipped one of the first 8 bits which is the byte itself or one of the last 4 bits which acts as a `checksum`. - First we loop for the first 8 bytes and flipping one bit in an iteration, then encrypting the byte formed by the first 8 bits using the `encrypt` function to get its result. - If the last 4 bits of the encryption result matches with the `checksum`, then that byte is the actual byte from the `plaintext`. 
@@ -184,8 +184,8 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Source - My client is a bit picky with the primes they are willing to use... ### Server Files -- [superstitious-2.py](./assets/scripts/superstitious2/superstitious-2.py) -- [superstitious-2.txt](./assets/scripts/superstitious2/superstitious-2.txt) +- [superstitious-2.py](../assets/scripts/superstitious2/superstitious-2.py) +- [superstitious-2.txt](../assets/scripts/superstitious2/superstitious-2.txt) ## Encryption - The script generates 2 primes p and q using the mask `((1<<1024)-1)//3` which is `0b01010101....` @@ -196,7 +196,7 @@ cipher 2 - bdoloeinbdjmmyg <- THIS ONE ## Decryption ### Scripts -- [solve.py](./assets/scripts/superstitious2/solve.py) +- [solve.py](../assets/scripts/superstitious2/solve.py) ### Explanation - So we start will `p,q = 0,0`. - Then we run a loop guess the next 2 bits in each iteration. @@ -219,7 +219,7 @@ author: Thomas >Cinnamon Dynamics, an innovative technology company, provides a service for the public to execute short scripts to query some limited information about the company. To combat abuse, they've instated a requirement for all scripts to be approved by a company employee before they can be executed. Approved scripts are granted a "script token" that allows them to be executed an indefinite amount of times, so long as the script is not modified. Unfortunately, it seems that malicious actors have managed to circumvent the security system... **Resources**: Web servers: challs.bcactf.com:31077 -Static resources: [server.js](./assets/scripts/cinamon/server.js) +Static resources: [server.js](../assets/scripts/cinamon/server.js) ## Solution diff --git a/content/ctf-writeups/bcactf_5.0/forensics.md b/content/ctf-writeups/bcactf_5.0/forensics.md index c4d8e24..58c3f88 100644 --- a/content/ctf-writeups/bcactf_5.0/forensics.md +++ b/content/ctf-writeups/bcactf_5.0/forensics.md 
@@ -357,14 +357,14 @@ But due to the speed of the wav file some of the dtmf tones get overlapped in th ```47656*6*6D3#315B656*6A6D606531B46D31B4676531434A424A54463147656*B16*686#653#19546768BA316A626*6*316062B831636531B3656A6DB364656431666DB331B2B5626*68B4B83162BABAB5B3626#6A6531B1B5B3B16DBA65BA3#1919466DB3316A6762B33131A13*316B65B431686#6465B731A1B7A6A23#19466DB3316A6762B33131A23*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B33131A33*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B33131AA3*316B65B431686#6465B731A1B7AAA73#19466DB3316A6762B33131A43*316B65B431686#6465B731A1B7A3633#19466DB3316A6762B33131A53*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B33131A63*316B65B431686#6465B731A1B7AA653#19466DB3316A6762B33131AB3*316B65B431686#6465B731A1B7A5A83#19466DB3316A6762B33131A73*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B33131A83*316B65B431686#6465B731A1B7AAA73#19466DB3316A6762B331A2A13*316B65B431686#6465B731A1B7A2A83#19466DB3316A6762B331A2A23*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A2A33*316B65B431686#6465B731A1B7A2643#19466DB3316A6762B331A2AA3*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B331A2A43*316B65B431686#6465B731A1B7A1623#19466DB3316A6762B331A2A53*316B65B431686#6465B731A1B7A4A53#19466DB3316A6762B331A2A63*316B65B431686#6465B731A1B7A5A83#19466DB3316A6762B331A2AB3*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A2A73*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B331A2A83*316B65B431686#6465B731A1B7A3653#19466DB3316A6762B331A3A13*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A3A23*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B331A3A33*316B65B431686#6465B731A1B7A3A63#19466DB3316A6762B331A3AA3*316B65B431686#6465B731A1B7A3633#19466DB3316A6762B331A3A43*316B65B431686#6465B731A1B7A1A33#19466DB3316A6762B331A3A53*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A3A63*316B65B431686#6465B731A1B7A1A23#19466DB3316A6762B331A3AB3*316B65B431686#6465B731A1B7A3A63#19466DB3316A6762B331A3A73*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B3
31A3A83*316B65B431686#6465B731A1B7A5AA3#19466DB3316A6762B331AAA13*316B65B431686#6465B731A1B7AAA83#19466DB3316A6762B331AAA23*316B65B431686#6465B731A1B7A1A43#191919516*6562BA6531676D6*6431BB67686*6531BB6531BA656#6431B86DB531B3626#646D60316B62B363626B6531B46762B431B86DB531BA676DB56*6431686#6465B731686#B46D31B46D316B65B431B4676531666*626B3#195B67656#31B86DB53BB3653166686#68BA6765643*3160626C6531BAB5B36531B46D31BBB362B131B4676531666*626B31686#31B4676531B1B36DB165B331666DB36062B43#19B7B16453655B45666#6DA443B4B653655547B7B5A7B443B36C6#B85567A2A3A7446D6*BA5B67A26DB9AB6A6#5544B86B48B76C4A48B4BBBAA1A5B64#A75A646C46B1545153B6564#556A5354B46D5AABB945556266AB4D4#48AA6#A155B456B5486*68A8436A5166B7454A586044485DA445AAB349425567584B56A8BB4D4648``` Then we do the keys substituition as replacing `123A456B789C*0#D` by `0123456789ABCDEF` and print the hex decoded value using solve.py -[Script 1](./assets/scripts/Touch_Tone_Telephone/solve.py) +[Script 1](../assets/scripts/Touch_Tone_Telephone/solve.py) Then we get the following message: ![Image 1](./assets/images/forensics/Touch_Tone_Telephone/Touch_Tone_Telephone_1.png) Now comes the part to reverse this code so we write another code to solve this task as script.py -[Script 2](./assets/scripts/Touch_Tone_Telephone/script.py) which extract the characters of the flag based on the given indices of the garbage given in the end. +[Script 2](../assets/scripts/Touch_Tone_Telephone/script.py) which extract the characters of the flag based on the given indices of the garbage given in the end. And that reveals us our flag: diff --git a/content/ctf-writeups/bcactf_5.0/misc.md b/content/ctf-writeups/bcactf_5.0/misc.md index 4be7bac..9c8d473 100644 --- a/content/ctf-writeups/bcactf_5.0/misc.md +++ b/content/ctf-writeups/bcactf_5.0/misc.md 
@@ -11,7 +11,7 @@ math: True You'll need a miracle to get this flag. The server requires you to solve an easy addition problem, but you only get the flag if the bits magically flip to form another answer. ## Resoruces -[main.js](./assets/scripts/misc/main.js) +[main.js](../assets/scripts/misc/main.js) ```js const readline = require("readline"); const fs = require("fs"); @@ -67,7 +67,7 @@ async function run() { run(); ``` -[eslint.config.mjs](./assets/scripts/misc/eslint.config.mjs) +[eslint.config.mjs](../assets/scripts/misc/eslint.config.mjs) ```mjs import globals from "globals"; @@ -159,7 +159,7 @@ How can you access variables in python? ## Resoruces -[deploy.py](./assets/scripts/misc/pyjail1/deploy.py) +[deploy.py](../assets/scripts/misc/pyjail1/deploy.py) ```py def sanitize(letter): print("Checking for contraband...") @@ -200,7 +200,7 @@ What in python is evaluated to a number? ## Resoruces -[main.py](./assets/scripts/misc/main.py) +[main.py](../assets/scripts/misc/main.py) ```py def sanitize(letter): print("Checking for contraband...") @@ -254,7 +254,7 @@ What in python is evaluated to a number? ## Resoruces -[main.py](./assets/scripts/misc/pyjail1/main.py) +[main.py](../assets/scripts/misc/pyjail1/main.py) ```py def sanitize(letter): print("Checking for contraband...")
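Review bot: In crypto.md, the Encryptor-Shop decryption hunk (@@ -98) lists `solve.py` under a `### Server Files` heading, while every other Decryption section touched by this patch uses `### Scripts`. Since the link on the next line is being edited anyway, rename that heading to `### Scripts` so the solver is not presented as a challenge file. The unchanged context in the cha-cha-slide hunks also carries "enryption" and "recieve", and the superstitious2 hunk has "So we start will"; these could be fixed in the same pass.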
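Review bot: In the forensics.md hunk (@@ -357), the two script links move to `../assets/scripts/Touch_Tone_Telephone/...`, but the image between them still reads `./assets/images/forensics/Touch_Tone_Telephone/Touch_Tone_Telephone_1.png`. If images and scripts live under the same `assets` directory, only one of the two prefixes can resolve from the rendered page. Please confirm the image still renders after this change, or update it to `../assets/...` as well. A short comment in the commit message on why `../` is needed (rather than only "script error resolved") would help the next editor pick the right prefix.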
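Review bot: In misc.md, the hunks at @@ -200 and @@ -254 both link a file named `main.py` but at different paths (`../assets/scripts/misc/main.py` and `../assets/scripts/misc/pyjail1/main.py`), while the hunk at @@ -159 links `../assets/scripts/misc/pyjail1/deploy.py`. All three are followed by a listing that opens with the same `def sanitize(letter):` line, so it is worth checking that each link points at the file for its own challenge and that two challenges are not sharing the `pyjail1` directory by accident. The heading `## Resoruces` in the context of every misc.md hunk is a typo for "Resources" and could be corrected here too.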