Skip to content

Instantly share code, notes, and snippets.

@hakatashi

hakatashi/01-solve.sage

Last active Mar 10, 2021
Embed
What would you like to do?
zer0pts CTF 2021 OT or NOT OT solver script
from ptrlib import Socket
from sys import exit
con = Socket('crypto.ctf.zer0pts.com', 10130)
enc = con.recvlineafter('Encrypted flag: ')
p = int(con.recvlineafter('p = '))
bitsize = int(con.recvlineafter('key.bit_length() = '))
print('enc = {}'.format(enc))
print('p = {}'.format(p))
if p % 4 != 1:
print('failed')
exit()
F = GF(p)
n = F(-1)
t = n.sqrt()
if str(t).startswith('sqrt'):
print('failed')
exit()
t = int(t)
print('t = {}'.format(t))
key = [] # lowest first
for i in range((bitsize + 1) // 2):
con.sendlineafter('a = ', str(t).encode())
con.sendlineafter('b = ', str(p - t).encode())
con.sendlineafter('c = ', str(p - 1).encode())
con.sendlineafter('d = ', b'1337') # Not used
x = int(con.recvlineafter('x = '))
y = int(con.recvlineafter('y = '))
z = int(con.recvlineafter('z = ')) # Not used
print('x = {}'.format(x))
print('y = {}'.format(y))
print('z = {}'.format(z))
if 1 ^^ x <= 1:
b1 = 1 ^^ x
elif (p - 1) ^^ x <= 1:
b1 = (p - 1) ^^ x
elif t ^^ x <= 1:
b1 = t ^^ x
elif (p - t) ^^ x <= 1:
b1 = (p - t) ^^ x
else:
print('failed')
exit()
if 1 ^^ y <= 1:
b2 = 1 ^^ y
elif (p - 1) ^^ y <= 1:
b2 = (p - 1) ^^ y
elif t ^^ y <= 1:
b2 = t ^^ y
elif (p - t) ^^ y <= 1:
b2 = (p - t) ^^ y
else:
print('failed')
exit()
print('b1 = {}'.format(b1))
print('b2 = {}'.format(b2))
key.append(b1)
key.append(b2)
key.reverse()
print(''.join(map(str, key)))
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
key_n = 0b1011110110101000111010101110100101011111111111011000100111100001110101010011100010101011010111100000100111101011100101010110100101100111100010000100011100101001100000010011111000010100101100100010010110011010111110110110111101110110111100001111111001101000
key = long_to_bytes(key_n)
enc = b64decode('VpD9EOCUAfDYWp1OV1+pFLY/8M29GIay0mXFLTzfVKlGxHFF2yRC38WXlH63/0Kz')
print(len(enc))
iv = enc[0:16]
c = enc[16:]
print(len(iv))
print(len(c))
aes = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
flag = aes.decrypt(c)
print(flag)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment