Carl Löndahl grocid

## gist:dcfd4b27021e3e2ee1f2ea335c97695d
### Keybase proof

I hereby claim:

  * I am grocid on github.
  * I am grocidpriv (https://keybase.io/grocidpriv) on keybase.
  * I have a public key ASASb4aUwYxPzhf1sfYoanTnJkUBj8hZfXjiHO5oJptkBwo

To claim this, I am signing this object:

## solution.sage
r = 16035153910445851154551409699248142732171827487155768001164757834222791792527289568231053747347938519802393160368946242599712239845011658706603130755769805572314173836986583742199803990683500283347128562664391646499596358912222668178295076530403243590614254320616617018116709707732304040376678570374241193047
payload = r + (p-r) * p
assert(pow(payload, payload, p) == r)

## solve.py
#!/usr/bin/env python2.7
import gmpy
import random
from pwn import *

def legendre_symbol(a, p):
    ls = pow(a, (p - 1)/2, p)
    if ls == p - 1:
        return -1
    return ls

## solve.py
p = 2^448 - 2^224 - 1
F=GF(p)
g=F(2)
# use that k * (0, 2) = (0, 2^k), define this to be h
h=F(260571191137716815341287411517193580203843541276741273922047807416174982227377817356425394246343714490986635819120516038840847423836513L)
G=[]
H=[]
X=[]
c=[]
N=[2, 641, 18287, 196687, 1466449, 2916841, 6700417, 1469495262398780123809, 167773885276849215533569, 596242599987116128415063, 37414057161322375957408148834323969]

## securityfestCTF19 - igiveemhell
import os
from Crypto.Util.strxor import strxor
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from pwn import *

s = remote("igivethemhell-01.pwn.beer", 31337)
s.readuntil("Welcome! Encrypted flag is ")
data = s.recvline().strip()
data = "0" * (len(data) % 2) + data

## securityfestCTF19 - infantrsa
sage: n
808493201253189889201870335543001135601554189565265515581299663310211777902538379504356224725568544299684762515298676864780234841305269234586977253698801983902702103720999490643296577224887200359679776298145742186594264184012564477263982070542179129719002846743110253588184709450192861516287258530229754571
sage: e1=17612083435039538435027548324833878903098829050163163625471599511764464460956313942508578570555972697061266246
....: 65037550324
sage: e2=85509398135110549659975585192919679892196893419532801558009960966070280825622376115029201294472843693778747885
....: 6194680752
sage: a=621044266147023849688712506961435765257491308385958611483509212618354776698754113885283380553472029250381909907
....: 10140004959309317986819737535171899175916096417020638046402928378953260206034110421868707877131961348498746384384
....: 8774508968091261333459191715433931164437366476062407396306790590847798240200479849
sage: b=9099806794154189928468355733364094056780918756255539504959601116379706724690796267255777920618395

## gist:2a8a54f03358ded08b8c504ca7ad91bd
sage: p = 100000007
sage: R = GF(p)
sage: z = R(10).square_root()
sage: g = 17665922529512695488143524113273224470194093921285273353477875204196603230641896039854934719468650093602325707751568
sage: ((R(3)+z)^g-(R(3)-z)^g)/(2*z)
41322239

INSA{41322239}

## gist:30cc924e465f262263406d731706bdb0
def xor(a,b):
    return "".join(chr(ord(x) ^ ord(y)) for x,y in zip(a,b))

enc = "2146e5732091ee13f25966a751b85730938017cd1388cdbf66258299d000afce"
dec = b'\xea%]\xd2m\x89\x14\x8dVr\x01\x9as\xe4\xbd/\x91u\xe1W\x96\xea\x935\x99\xd5\xa8|\xf1\x90\xda'
fb = dec[:16]
lb = dec[16:] + "\x00"
assert(len(fb) == 16)
assert(len(lb) == 16)
desired_command = " & cat flag.txt"

## gist:1bdc70b041df6ab53b5064ce4f3d321e
import copy
import random

def find_coverage(g, G):
    cnt = 0
    for gg in G:
        if g in gg:
            cnt += 1
    return cnt

## gist:b9a5f91e0a5941be096b62ec7f2fb7b8
n = 26507591511689883990023896389022361811173033984051016489514421457013639621509962613332324662222154683066173937658495362448733162728817642341239457485221865493926211958117034923747221236176204216845182311004742474549095130306550623190917480615151093941494688906907516349433681015204941620716162038586590895058816430264415335805881575305773073358135217732591500750773744464142282514963376379623449776844046465746330691788777566563856886778143019387464133144867446731438967247646981498812182658347753229511846953659235528803754112114516623201792727787856347729085966824435377279429992530935232902223909659507613583396967
e = 65537
c = int(("cat flag").encode("hex"), 16)*2

print(base64.b64encode(hex(c)[2:-1].decode("hex")))
print(base64.b64encode("\x02"))
signed = 1405144233879919740224541274865217007024074695154474010291135904140033006041713585071760409875042722454112515126498012904477744710991992387867451635880411827737100373876103508302207985414525191471376949334723129492244386348288473583592520329255030361459267
	### Keybase proof

	I hereby claim:

	* I am grocid on github.
	* I am grocidpriv (https://keybase.io/grocidpriv) on keybase.
	* I have a public key ASASb4aUwYxPzhf1sfYoanTnJkUBj8hZfXjiHO5oJptkBwo

	To claim this, I am signing this object:
	r = 16035153910445851154551409699248142732171827487155768001164757834222791792527289568231053747347938519802393160368946242599712239845011658706603130755769805572314173836986583742199803990683500283347128562664391646499596358912222668178295076530403243590614254320616617018116709707732304040376678570374241193047
	payload = r + (p-r) * p
	assert(pow(payload, payload, p) == r)
	#!/usr/bin/env python2.7
	import gmpy
	import random
	from pwn import *

	def legendre_symbol(a, p):
	ls = pow(a, (p - 1)/2, p)
	if ls == p - 1:
	return -1
	return ls
	p = 2^448 - 2^224 - 1
	F=GF(p)
	g=F(2)
	# use that k * (0, 2) = (0, 2^k), define this to be h
	h=F(260571191137716815341287411517193580203843541276741273922047807416174982227377817356425394246343714490986635819120516038840847423836513L)
	G=[]
	H=[]
	X=[]
	c=[]
	N=[2, 641, 18287, 196687, 1466449, 2916841, 6700417, 1469495262398780123809, 167773885276849215533569, 596242599987116128415063, 37414057161322375957408148834323969]
	import os
	from Crypto.Util.strxor import strxor
	from Crypto.Cipher import AES
	from Crypto.Util.Padding import pad, unpad
	from pwn import *

	s = remote("igivethemhell-01.pwn.beer", 31337)
	s.readuntil("Welcome! Encrypted flag is ")
	data = s.recvline().strip()
	data = "0" * (len(data) % 2) + data
	sage: n
	808493201253189889201870335543001135601554189565265515581299663310211777902538379504356224725568544299684762515298676864780234841305269234586977253698801983902702103720999490643296577224887200359679776298145742186594264184012564477263982070542179129719002846743110253588184709450192861516287258530229754571
	sage: e1=17612083435039538435027548324833878903098829050163163625471599511764464460956313942508578570555972697061266246
	....: 65037550324
	sage: e2=85509398135110549659975585192919679892196893419532801558009960966070280825622376115029201294472843693778747885
	....: 6194680752
	sage: a=621044266147023849688712506961435765257491308385958611483509212618354776698754113885283380553472029250381909907
	....: 10140004959309317986819737535171899175916096417020638046402928378953260206034110421868707877131961348498746384384
	....: 8774508968091261333459191715433931164437366476062407396306790590847798240200479849
	sage: b=9099806794154189928468355733364094056780918756255539504959601116379706724690796267255777920618395
	sage: p = 100000007
	sage: R = GF(p)
	sage: z = R(10).square_root()
	sage: g = 17665922529512695488143524113273224470194093921285273353477875204196603230641896039854934719468650093602325707751568
	sage: ((R(3)+z)^g-(R(3)-z)^g)/(2*z)
	41322239

	INSA{41322239}
	def xor(a,b):
	return "".join(chr(ord(x) ^ ord(y)) for x,y in zip(a,b))

	enc = "2146e5732091ee13f25966a751b85730938017cd1388cdbf66258299d000afce"
	dec = b'\xea%]\xd2m\x89\x14\x8dVr\x01\x9as\xe4\xbd/\x91u\xe1W\x96\xea\x935\x99\xd5\xa8\|\xf1\x90\xda'
	fb = dec[:16]
	lb = dec[16:] + "\x00"
	assert(len(fb) == 16)
	assert(len(lb) == 16)
	desired_command = " & cat flag.txt"
	import copy
	import random

	def find_coverage(g, G):
	cnt = 0
	for gg in G:
	if g in gg:
	cnt += 1
	return cnt
	n = 26507591511689883990023896389022361811173033984051016489514421457013639621509962613332324662222154683066173937658495362448733162728817642341239457485221865493926211958117034923747221236176204216845182311004742474549095130306550623190917480615151093941494688906907516349433681015204941620716162038586590895058816430264415335805881575305773073358135217732591500750773744464142282514963376379623449776844046465746330691788777566563856886778143019387464133144867446731438967247646981498812182658347753229511846953659235528803754112114516623201792727787856347729085966824435377279429992530935232902223909659507613583396967
	e = 65537
	c = int(("cat flag").encode("hex"), 16)*2

	print(base64.b64encode(hex(c)[2:-1].decode("hex")))
	print(base64.b64encode("\x02"))
	signed = 1405144233879919740224541274865217007024074695154474010291135904140033006041713585071760409875042722454112515126498012904477744710991992387867451635880411827737100373876103508302207985414525191471376949334723129492244386348288473583592520329255030361459267