This weekend I participate to the DawgCTF with the team hackers for the jilted generation. We finished 46th with 4530 points. Here are some writeup about the cryptography challenges.

Crypto

For most of the crypto challenges we are provided with client python script that allow to connect to the oracle service.

Take It Back Now, Y'all (25)

The first crypto challenge is a simple sanity check.

Here is the provided client:

# -*- coding: utf-8 -*-
"""
Created for Spring 2020 CTF
Cryptography 0
10 Points
Welcome to my sanity check.  You'll find this to be fairly easy.
The oracle is found at umbccd.io:13370, and your methods are:
    flg - returns the flag
    tst - returns the message after the : in "tst:..."

We connect using telnet and call the flg method.

telnet crypto.ctf.umbccd.io 13370
Trying 3.81.180.84...
Connected to crypto.ctf.umbccd.io.
Escape character is '^]'.
flg
DawgCTF{H3ll0_W0rld!}Connection closed by foreign host.

One Hop This Time, One Hop This Time (75)

The second one is nothing complicated either.

Here is the client:

# -*- coding: utf-8 -*-
"""
Created for Spring 2020 CTF
Cryptography 1
40 Points
Welcome to the one time pad oracle!
Our oracle's function is enc := key ^ msg | dec := key ^ ct
The oracle is found at umbccd.io:13371, and your methods are:
    flg - returns the encrypted flag
    enc - returns the encryption of the message after the : in "enc:..."
    dec - returns the decryption of the ciphertext after the : in "dec:..."

@author: pleoxconfusa
"""

We open a socket, grab the encrypted flag and decrypt it.

import socket

s = socket.socket()

port = 13371
host = 'crypto.ctf.umbccd.io'

# connect to the server on local computer
s.connect((host, port))

s.send(b'flg')
flag=(s.recv(1024))
print(flag)
s.send(b'dec:'+flag)
print(s.recv(1024))
s.close()

Right Foot Two Stomps (200)

Here is the provided client:

# -*- coding: utf-8 -*-
"""
Created for Spring 2020 CTF
Cryptography 2
100 Points
Welcome to the AES-CBC oracle!
Our oracle's function is AES-CBC.
The oracle is found at umbccd.io:13372, and your methods are:
    flg - returns the encrypted flag
    enc - returns the encryption of the message after the : in "enc:..."
          as 16 bytes of initialization vector followed by the ciphertext.
    dec - returns the decryption of the ciphertext after the : in "dec:<16 bytes iv>..."
          as a bytes string.

We open a socket, grab the encrypted flag, send some data to get the IV, and send back the flag with the IV to decrypt it.

import socket

s = socket.socket()

port = 13372
host = 'crypto.ctf.umbccd.io'

s.connect((host, port))

s.send(b'flg')
flag=(s.recv(1024))
#print(flag)
s.send(b'enc:test')
r=(s.recv(1024))
#print(r)
iv=r[0:16]
#print(iv)
s.send(b'dec:'+iv+flag)
r=(s.recv(1024))
print(r)
s.close()

b"\xd6z\xbd\xfb\x9a\x82\xb91\xa5\x12\n['\xfb\x92\xb5DawgCTF{!_Th0ugh7_Th3_C!ph3rt3x7_W@s_Sh0rt3r.}"

Left Foot Two Stomps (250)

This the only offline challenge and we didn't get any client for this one. The only information was the following:

n=960242069 e=347 c=346046109,295161774,616062960,790750242,259677897,945606673, 321883599,625021022,731220302,556994500,118512782,843462311,321883599,202294479, 725148418,725148418,636253020,70699533,475241234,530533280,860892522,530533280, 657690757,110489031,271790171,221180981,221180981,278854535,202294479,231979042, 725148418,787183046,346046109,657690757,530533280,770057231,271790171,584652061, 405302860,137112544,137112544,851931432,118512782,683778547,616062960,508395428, 271790171,185391473,923405109,227720616,563542899,770121847,185391473,546341739, 851931432,657690757,851931432,284629213,289862692,788320338,770057231,770121847

This looks like some RSA with "small numbers" ;)

We can easily factorise n. Once we know n we can compute phi.

n=960242069=151*6359219
Phi = (p-1)(q-1) = 150*6359218 = 953882700
e = 347
ed = 1 mod 953882700

Then, as we already know e we can compute d with a simple python loop.

>>> i = 347
>>> while (347*i%953882700 !=1):
...     i+=1
...
>>> i
5497883

We create a list c of the number as in the challenge description and decode every element using our RSA numbers.

>>> c=[346046109,295161774,616062960,<SNIP>,770057231,770121847]
>>> for elem in c:
...     print(chr((elem**5497883)%960242069))

This was a bit long as a single process is involved but at the end we got the following output: xhBQCUIcbPf7IN88AT9FDFsqEOOjNM8uxsFrEJZRRifKB1E=|key=visionary

I struggle a lot before thinking about that being a Vigenere cipher using the key visionary. At first I was thinking about AES-CBC (as the other challenges) but we don't have any IV here.

Once decrypted with the key we get the following: zJIOHIldUx7QF88MG9FMHxiMGAwNV8wckNjQWZATnxST1Q=

We decrypt the base64:

$ echo -ne 'czJIOHIldUx7QF88MG9FMHxiMGAwNV8wckNjQWZATnxST1Q=' | base64 -d
s2H8r%uL{@_<0oE0|b0`05_0rCcAf@N|ROT

And then a ROT47 give us the flag: DawgCTF{Lo0k_@t_M3_1_d0_Cr4p7o}

Here is the Cyber Chef recipe.

Slide To The Left (350)

The client code is exactly the same as "Right Foot Two Stomps".

# -*- coding: utf-8 -*-
"""
Created for Spring 2020 CTF
Cryptography 2.5
200 Points
Welcome to the AES-CBC oracle!
Our oracle's function is AES-CBC.
The oracle is found at umbccd.io:13373, and your methods are:
    flg - returns the encrypted flag
    enc - returns the encryption of the message after the : in "enc:..."
          as 16 bytes of initialization vector followed by the ciphertext.
    dec - returns the decryption of the ciphertext after the : in "dec:<16 bytes iv>..."
          as a bytes string.

@author: pleoxconfusa
"""

If we rerun the code for the previous challenge we get: b'We already did this one.'

Which is obviously is not the flag. We didn't solve this challenge in time. I tried solve it using Oracle padding but this was for the next challenge :(

Misc

There was one "Misc" challenge that actually was crypto.

Let Her Eat Cake! 75

We got some description and photo about Elizebeth Smith Friedman and then a cipher text

Hwyjpgxwkmgvbxaqgzcsnmaknbjktpxyezcrmlja? GqxkiqvcbwvzmmxhspcsqwxyhqentihuLivnfzaknagxfxnctLcchKCH{CtggsMmie_kteqbx}

This clearly look like some Polyalphabetic substitution. In fact this is a simple Viegenere cipher using the key AICGBIJC (we decode it using dcode.fr).

Howdoyoukeepaprogrammerintheshowerallday? GivehimabottleofshampoowhichsaysLatherrinserepeatDawgCTF{ClearEdge_crypto}

Wrapping up

This CTF was fun as there was a lot of task but "easy" ones. Which give you some need to continue solving the other ones.

I am really proud of the team as we get nice score!