ASCWG-Filtration-Phase 2020

Mohamed Ashraf
Aug 15, 2020

Challenge1 300point:

Looking at the code, we find that the flag is converted to an integer and shifted 99998 bits to the left, and that only the last 200 decimal digits of the result are given.
Let's convert the problem into an equation:

c ≡ flag ⋅ 2⁹⁹⁹⁹⁸ (mod 10²⁰⁰)

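We would like to invert 2⁹⁹⁹⁹⁸ modulo 10²⁰⁰, but 2⁹⁹⁹⁹⁸ and 10²⁰⁰ are not coprime, so no inverse exists.
The prime factors of 10 are 2 and 5.
Since φ(2)=1, the factor 2 will not help, so we choose 5: 5²⁰⁰ divides 10²⁰⁰, and 2 is invertible modulo 5²⁰⁰.
The equation becomes:

c ≡ flag ⋅ 2⁹⁹⁹⁹⁸ (mod 5²⁰⁰)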

Using Euler's theorem, we find:

(2⁹⁹⁹⁹⁸)^(−1) ≡ (2⁹⁹⁹⁹⁸)^(φ(5²⁰⁰)−1) ≡ (2⁹⁹⁹⁹⁸)^(5²⁰⁰−5¹⁹⁹−1) (mod 5²⁰⁰)

So this is the equation to get the flag:

flag ≡ c ⋅ (2⁹⁹⁹⁹⁸)^(−1) (mod 5²⁰⁰)

Python script:

c = 46186384884704143502810449626149776675765629346197308004864280982758330594138478052711607866947764263543620513433238646216483214982856318892731845815726243647558073159634372394623630437969797570363392
mod = 5 ** 200
phi = 5 ** 200 - 5 ** 199  # Euler's totient of 5^200
inv = pow(pow(2, 99998, mod), phi - 1, mod)  # inverse of 2^99998 modulo 5^200
print(((c * inv) % mod).to_bytes(50, byteorder='big'))

The flag is:
ASCWG{Number_Ther0m_1s_1mportanmt_1n_Crypt0_12387}
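
The derivation above can be checked end to end on a constructed message. This is an added example, not the challenge's code or the author's script: encode() is a reconstruction of the transform as the write-up describes it, and SAMPLE, the function names and the length bound are assumptions made for illustration.

```python
SHIFT, DIGITS = 99998, 200   # values from the write-up
MOD5 = 5 ** DIGITS

def encode(msg: bytes) -> int:
    """Transform as the write-up describes it: shift left, keep the last 200 decimal digits."""
    return (int.from_bytes(msg, "big") << SHIFT) % 10 ** DIGITS

def power_of_two_part(c: int) -> int:
    """Residue of c modulo 2^200; always 0 because SHIFT >= DIGITS, so it carries no data."""
    return c % 2 ** DIGITS

def inverse_via_euler(x: int) -> int:
    """x^(phi - 1) mod 5^200 with phi = 5^200 - 5^199, valid when gcd(x, 5) == 1."""
    phi = 5 ** DIGITS - 5 ** (DIGITS - 1)
    return pow(x, phi - 1, MOD5)

def recover(c: int, length: int) -> bytes:
    """Undo encode(); the result is only unique when the message integer is below 5^200."""
    m = c * inverse_via_euler(pow(2, SHIFT, MOD5)) % MOD5
    return m.to_bytes(length, "big")

def max_safe_length() -> int:
    """Longest message, in bytes, whose integer value is always below 5^200."""
    return (MOD5.bit_length() - 1) // 8

SAMPLE = b"CONSTRUCTED{sample_message_not_the_challenge_flag}"  # constructed input

if __name__ == "__main__":
    c = encode(SAMPLE)
    print(power_of_two_part(c), recover(c, len(SAMPLE)), max_safe_length())
```

The 50-byte flag is well inside the bound; a message longer than max_safe_length() bytes can exceed 5²⁰⁰, and then only its residue modulo 5²⁰⁰ comes back.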

Challenge3 600point:

First, I tried to get the factors of n from online sources and found nothing, so I tried some factorization methods, and I found that Fermat factorization gave me the following p and q, using the X-RSA tool.

p=48153446679245376966822046985112099446617981034794594214042780096131516418638366375608599332095159143650219571976756039936351280836582867794175112625879990923510369077946617421338536566796348803001717218384229667003185508514134592197193786758239794011461538791978511429725895132475565257089664121103110770817
q=48153446679245376966822046985112099446617981034794594214042780096131516418638366375608599332095159143650219571976756039936351280836582867794175112625874897500464997377986242441540940715154519674822662819026591330454041967249535003603147605312684911517825154805431323771837685531683672611660925609168788996827

After checking whether they are prime with Miller-Rabin, I found that neither of them is prime,
so I used Fermat factorization again on the p and q I got earlier, and I got the following p's and q's:

p1=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119529
q1=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118873
p2=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119557
q2=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118111

Let's check whether they are prime or not: yes, I found that they are primes,
and that was it, we got our prime numbers.

Python script:

p1=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119529
q1=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118873
p2=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119557
q2=6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118111
n = 2318754427090927622417300593014303163027836982793164162950666250489681094136583599882469330682357229700000166714186122335692872792460409101465630110622887313064657894574037981904943176292533073634387002369380564791579428603519429963490374738649708747360755590037132507998435966068658633431918622092817702780128462915129741083129108481836485937804951555271147615962278158353917059561029043381242474374972583682945918237047674797098894662717409552897418650427548642489575961500481014997803061734956091625431696419759919121068387038071453059311371255995535187052409462363525765654622645413142987775053860188260137197659
e = 65537
ct = 1852258477078452495280071169336816541669321769289372837198526954361460776833319048556839287633046754304414868057993901219892835088957705515939202089076460374548771033553266251154753679870528816210706553445963568771841753267644973871132621342897934474998162148362874305941012572949171990616677298854465965898581914403406403426504250013897086136105989549801404176555930509653029014518314103310549883855327513190607775750086851774949594618287441246861446444592130784569563671269161854267497652454746479173284327272563799067627736512266913669944284375302659511122504002144054772208775215907860036195680830269422876824977
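from Crypto.Util.number import long_to_bytes, inverse
# n is the product of four distinct primes, so phi(n) is the product of (prime - 1)
phi = (p1 - 1) * (q1 - 1) * (p2 - 1) * (q2 - 1)
d = inverse(e, phi)  # private exponent
m = pow(ct, d, n)  # RSA decryption
print(long_to_bytes(m))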

The flag is:
ASCWG{you_need_fermat_factorization_to_solve_RSA_Small_diffrince_Prime_Attack_12312}
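
The split, test, split-again procedure described above, written out as an added example (not the X-RSA tool's code and not part of the original write-up). It rebuilds a modulus from the four primes printed on the page; the function names and the step budget are assumptions. The same routine works as a key audit: a modulus it can split within a small budget has primes that are too close together.

```python
from math import isqrt

# The four primes printed in the write-up, copied as-is.
P1 = 6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119529
Q1 = 6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118873
P2 = 6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251119557
Q2 = 6939268454184877330211144138413966814481101061382015473621711919814088916348213343387168181954880781520959109737312885406280110070698427014630125251118111

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (a probabilistic test for numbers this large)."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def fermat_split(n, max_steps=1_000_000):
    """For odd n, walk a up from ceil(sqrt(n)) until a*a - n = b*b; then n = (a-b)(a+b)."""
    a = isqrt(n - 1) + 1
    for _ in range(max_steps):
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1
    return None  # factors are not close enough for this step budget

def split_until_prime(n, max_steps=1_000_000):
    """The write-up's procedure: split, test each part for primality, split again."""
    if is_probable_prime(n):
        return [n]
    parts = fermat_split(n, max_steps)
    if parts is None or 1 in parts:
        raise ValueError("no close factor pair within the step budget")
    return sorted(f for part in parts for f in split_until_prime(part, max_steps))
```

Calling split_until_prime(P1 * Q1 * P2 * Q2) returns the four primes in ascending order, while a product of two well-separated primes exhausts the budget and fermat_split returns None.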

Challenge4 300point:

We first create an account and look at the cookies.

When we try to increase the cookie's value, we get invalid padding,

so it's AES CBC mode with a wrong implementation; this challenge is a padding oracle attack.

Let's use the padBuster tool:

perl padBuster.pl http://34.72.230.116/login.php APlJ0TpkHIGbd4enZ2w2AnjC8kdpvDdG 8 -cookies ctf=APlJ0TpkHIGbd4enZ2w2AnjC8kdpvDdG -plaintext user=admin

We got the admin cookie: GO2kOl%2Bzii%2Fh1kIPhNYjKwAAAAAAAAAA

flag is:

ASCWG{74af12231bd03f7bb5d79e0396e3b716e6dea3ef8c67e0b50e735c40bd42ffb9}

Challenge5 300point:

After looking at the Python code, I thought it might be vulnerable to a weak key attack, so I tried it.

Python script:

from Crypto.Cipher import DES
import base64
import binascii

# the four DES weak keys
keys = ["0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E"]
cipher = "kIi6qSDhcSVErHbkpy/M1hRHfDpr8TiaGbAIrKUXooxSXwNnaeJgTQ=="

def dec(ciphertext, key):
    # base64-decode the ciphertext and decrypt it with DES in ECB mode
    raw = base64.b64decode(ciphertext)
    des = DES.new(key, DES.MODE_ECB)
    return des.decrypt(raw)

for i in keys:
    key = binascii.unhexlify(i)
    print(i, " : ", dec(cipher, key))

And that was the result:
0101010101010101 : b'\xaeS\x0b\xb7k\xc0^\x1e\x0c\xbf\x82\xfa\xed\xc9e\xc5V\xda\n\xfc\x0f\x18\x8a\x9f\x8c\x8f\xf4\x05\xf4\x13\x06\x0e\xe0\x00\xa3\x1d\xe0\x96\x10,'
FEFEFEFEFEFEFEFE : b'ASCWG{Welcome_to_des_weak_key_attack}***'
E0E0E0E0F1F1F1F1 : b"\xc2\xecP\x99\x06\x7f\xf7\xf8\xfa\x0c\xa5/]\x9f\x9fz\xdf'cyc\x1dx\x1a5\x97s\x12@\xee@\x9cwX\xa74\x8e\x07\xe6r"
1F1F1F1F0E0E0E0E : b'\x17\x90\xca\xf9\x8d\x1dmD+\x02\xfbr\x
