Skip to content

Instantly share code, notes, and snippets.

@hakatashi

hakatashi/01-solve.sage

Last active March 10, 2021 14:06
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
zer0pts CTF 2021 OT or NOT OT solver script
Raw
01-solve.sage
from ptrlib import Socket
from sys import exit
con = Socket('crypto.ctf.zer0pts.com', 10130)
enc = con.recvlineafter('Encrypted flag: ')
p = int(con.recvlineafter('p = '))
bitsize = int(con.recvlineafter('key.bit_length() = '))
print('enc = {}'.format(enc))
print('p = {}'.format(p))
if p % 4 != 1:
print('failed')
exit()
F = GF(p)
n = F(-1)
t = n.sqrt()
if str(t).startswith('sqrt'):
print('failed')
exit()
t = int(t)
print('t = {}'.format(t))
key = [] # lowest first
for i in range((bitsize + 1) // 2):
con.sendlineafter('a = ', str(t).encode())
con.sendlineafter('b = ', str(p - t).encode())
con.sendlineafter('c = ', str(p - 1).encode())
con.sendlineafter('d = ', b'1337') # Not used
x = int(con.recvlineafter('x = '))
y = int(con.recvlineafter('y = '))
z = int(con.recvlineafter('z = ')) # Not used
print('x = {}'.format(x))
print('y = {}'.format(y))
print('z = {}'.format(z))
if 1 ^^ x <= 1:
b1 = 1 ^^ x
elif (p - 1) ^^ x <= 1:
b1 = (p - 1) ^^ x
elif t ^^ x <= 1:
b1 = t ^^ x
elif (p - t) ^^ x <= 1:
b1 = (p - t) ^^ x
else:
print('failed')
exit()
if 1 ^^ y <= 1:
b2 = 1 ^^ y
elif (p - 1) ^^ y <= 1:
b2 = (p - 1) ^^ y
elif t ^^ y <= 1:
b2 = t ^^ y
elif (p - t) ^^ y <= 1:
b2 = (p - t) ^^ y
else:
print('failed')
exit()
print('b1 = {}'.format(b1))
print('b2 = {}'.format(b2))
key.append(b1)
key.append(b2)
key.reverse()
print(''.join(map(str, key)))
Raw
02-decode.py
from base64 import b64decode
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
key_n = 0b1011110110101000111010101110100101011111111111011000100111100001110101010011100010101011010111100000100111101011100101010110100101100111100010000100011100101001100000010011111000010100101100100010010110011010111110110110111101110110111100001111111001101000
key = long_to_bytes(key_n)
enc = b64decode('VpD9EOCUAfDYWp1OV1+pFLY/8M29GIay0mXFLTzfVKlGxHFF2yRC38WXlH63/0Kz')
print(len(enc))
iv = enc[0:16]
c = enc[16:]
print(len(iv))
print(len(c))
aes = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
flag = aes.decrypt(c)
print(flag)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment