Challenges from https://sites.google.com/view/cyberyolk/home


Topic For Me

Challenge:

from Crypto.Cipher import AES
from Crypto.Util.Padding import *
import os
import random
from secrets import FLAG

class Random():
    a, b, c = random.getrandbits(32), random.getrandbits(32), random.getrandbits(32)
    def __init__(self, s):
        self.randsss = s
    def randommm(self):
        self.randsss = (self.b * self.randsss + self.c) % self.a
        return self.randsss
    def result(self):
        return self.a,self.b,self.c

def encrypt(key, m):
    message = pad(m, 16)
    cipher = AES.new(key, AES.MODE_ECB)
    enkripsi = cipher.encrypt(message)
    return enkripsi.hex().encode()

key = os.urandom(16)
seed = random.randint(1111111111111111, 9999999999999999)
lol = Random(seed)
topic = [seed]
for i in range(10):
    topic.append(lol.randommm())
topicccc = [encrypt(key, str(i).encode()) for i in topic]
count = 0

while True:
    print('''=========================================
    1. Next topic
    2. Test ur topic
    3. Topic for me
    4. Guess my next topic
    5. My topic now
    6. Exit
=========================================''')
    pilihan = input("Choose: ")
    
    if pilihan == '1':
        count += 1
        if count >= 8:
            print('Limited..')
            exit(0)
        else:
            print('Next topic:', topicccc[count])
    
    elif pilihan == '2':
        topicccc_input = input('Topic that you want to test: ')
        topicccc = encrypt(key, topicccc_input.encode())
        print('My topic is:', topicccc)
    
    elif pilihan == '3':
        topicccc_input = input('Topic for me: ')
        result = encrypt(key, (topicccc_input + str(topic[count])).encode())
        print('Recv:', result)
    
    elif pilihan == '4':
        niiii = int(input("What's my last topic? "))
        if niiii == topic[-1]:
            print(f'GG {FLAG}')
        else:
            print(f'Wrong...')
        exit()
    
    elif pilihan == '5':
        print(f"Topic now: {topicccc[count]}")
    
    elif pilihan == '6':
        print('Bye!')
        exit()
    
    else:
        print("Wrong!")
        exit()


Solve:


First we use option 3 as an encryption oracle to do an AES-ECB padding attack and recover the first few LCG states.

Then we can recover the LCG parameters and use those to send the next (11th) value and get the flag.


from pwn import remote, process
from string import digits
from tqdm import tqdm

def encryption_oracle(io, x):
    io.read()
    io.sendline(b"3")
    io.read()
    io.sendline(str(x).encode())
    return io.readline().decode().split()[1][2:-1]

def ecb_attack(io, l):
    k = 32
    n_of_zeros = k
    n_known_bytes = 0
    known_bytes = []
    recovered = []
    for _ in tqdm(range(l)):
        for i in digits:
            i = ord(i)
            plaintext = (n_of_zeros -2 - 2*n_known_bytes)* "0" + "".join([str(item) for item in known_bytes]) + str(hex(i)).replace("0x","").zfill(2) + (n_of_zeros - 2 - 2*n_known_bytes) * "0"
            ciphertext = encryption_oracle(io, bytes.fromhex(plaintext).decode())
            block_1 = ciphertext[:k]
            block_2 = ciphertext[k:k*2]
            if(block_1 == block_2):
                recovered.append(i)
                n_known_bytes +=1
                known_bytes.append(str(hex(i)).replace("0x","").zfill(2))
                break
    return int(bytes(recovered))

def recover_states(io):
    states = []
    for _ in range(7):
        s = ecb_attack(io, 16)
        states.append(s)
        io.read()
        io.sendline(b"1")
    return states

def recover_lcg_params(states):
    PR.<b,c> = PolynomialRing(ZZ)
    g1, g2, a = Ideal([x1*b+c-x2 for x1, x2 in zip(states[:-1], states[1:])]).groebner_basis()
    b = g1.univariate_polynomial().roots()[0][0] % a
    c = g2.univariate_polynomial().roots()[0][0] % a
    return a, b, c

def solve():
    #io = remote("0.tcp.ap.ngrok.io", "11985")
    io = process(["python", "chall.py"])

    states = recover_states(io)
    a, b, c = recover_lcg_params(states)

    x = states[0]
    for _ in range(10):
        x = (b*x+c) % a

    io.read()
    io.sendline(b"4")
    io.read()
    io.sendline(str(x).encode())
    flag = io.read().decode()
    if "Wrong" in flag:
        error()
    print(flag)

while True:
    try:
        solve()
        break
    except:
        pass

# CBY{how_D1d_u_do_th4t_9514aff45418e1aa1eea6202c50800c1}



RSA bytes


Challenge:

from Crypto.Util.number import *
import random

FLAG = b"TEST FLAG"

e = 5

BITS = 2048
p = getPrime(BITS)
q = getPrime(BITS)

m = bytes_to_long(b'\x00' * (random.randint(600,1000) - len(FLAG)) + FLAG + b'\x00' * (random.randint(1500,2000)))

n = p*q

c = pow(m,e,n)


print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')

"""
n = 496553172952338257429613822617554107145822780479790401738411444953437634064707594018570133871682263473411940351848724394937508804401288412219967714831108133506369945508035417741392304276947638823613717267279155101660561183603472289691979229104091463059669634120336518894318043265857776983468068001318456579199276072114294446602495630767520360959418685174067147545127852198319168700026431255071641653647839452356271689739651515361412862332565654272035044894500284003104044145660915955633458885800367338099919805320442695438408394781344424723432336997983548042677708563204781614158288397543088668856503859389413599747327850362963672465046637419803884885003550773191056851727670398476530126988782259059433379934827108232878320494248873420421286832176626532873798074414773873542330468087985362267149957444017533084681403735979378272972372187205378605429192118731753675439133233184280361958229085083180513560683779330208603603028570275464268076042132173909181872974924009438890439472454372641820615987175625808171246380009006436545065068515219635137250707652066699055894814985108071018078368892936689465640249497578188669128938036419560485854903721920240578447745140719793795848914288048753996691618989313222739505089608087739157177295327
e = 5
c = 42729023748008322573086075213269910095495737443714618247505368643713636477597112280646818649515139769791158995940513350361806020750053174066405302528416506076070711327693999675450692985302560127672150920973612167206051530938176488844792805825611428089574042315466177628517601926095347783403072797433271995640278318867012367213447198499467580850482397835327903005417690666669058927715382192843772932214723337377364795401440978445180075614789288927170901049493818899607573063363669905510320654527623128979447057098490519948282834928628648084232912410684206319505822612110905140339880163362229290005325002056831357604747352758443861383067114569197450110909857320696916014065626479797579582272279296213935847707344476814429944511657656710217685524258824789180054458086735221269073850858161908416672520210015583677271697124983880433238900334088976317931389769196927408326182220063128835174562957959141076416508651796679234921723149916958951654253839601371602689411951971512226846408018424666801874486975002752595421823878163450415772522642604836590616886853734882263726143268853275024004241667937027690646437361455938886209548008011708933797902273117711537410307557977895505100330470554545036844684361574648905888233127632227817297767550
"""


Solve:

e is low and the padding is weird so we can factor with coppersmith.


from Crypto.Util.number import long_to_bytes

n = 496553172952338257429613822617554107145822780479790401738411444953437634064707594018570133871682263473411940351848724394937508804401288412219967714831108133506369945508035417741392304276947638823613717267279155101660561183603472289691979229104091463059669634120336518894318043265857776983468068001318456579199276072114294446602495630767520360959418685174067147545127852198319168700026431255071641653647839452356271689739651515361412862332565654272035044894500284003104044145660915955633458885800367338099919805320442695438408394781344424723432336997983548042677708563204781614158288397543088668856503859389413599747327850362963672465046637419803884885003550773191056851727670398476530126988782259059433379934827108232878320494248873420421286832176626532873798074414773873542330468087985362267149957444017533084681403735979378272972372187205378605429192118731753675439133233184280361958229085083180513560683779330208603603028570275464268076042132173909181872974924009438890439472454372641820615987175625808171246380009006436545065068515219635137250707652066699055894814985108071018078368892936689465640249497578188669128938036419560485854903721920240578447745140719793795848914288048753996691618989313222739505089608087739157177295327
e = 5
c = 42729023748008322573086075213269910095495737443714618247505368643713636477597112280646818649515139769791158995940513350361806020750053174066405302528416506076070711327693999675450692985302560127672150920973612167206051530938176488844792805825611428089574042315466177628517601926095347783403072797433271995640278318867012367213447198499467580850482397835327903005417690666669058927715382192843772932214723337377364795401440978445180075614789288927170901049493818899607573063363669905510320654527623128979447057098490519948282834928628648084232912410684206319505822612110905140339880163362229290005325002056831357604747352758443861383067114569197450110909857320696916014065626479797579582272279296213935847707344476814429944511657656710217685524258824789180054458086735221269073850858161908416672520210015583677271697124983880433238900334088976317931389769196927408326182220063128835174562957959141076416508651796679234921723149916958951654253839601371602689411951971512226846408018424666801874486975002752595421823878163450415772522642604836590616886853734882263726143268853275024004241667937027690646437361455938886209548008011708933797902273117711537410307557977895505100330470554545036844684361574648905888233127632227817297767550

for b in range(1500,2000):
    PR.<x> = PolynomialRing(Zmod(n))
    f = (x * 256**b)**e - c
    roots = f.monic().small_roots(X = 256**40)
    if roots != []:
        flag = long_to_bytes(int(roots[0]))
        print(flag)

# CBY{RSA_homomorphic_yeah_yeah_yeah}



RSA me


Challenge:

p, q = getPrime(1024), getPrime(1024
e = 0x10001

c = pow(flag, e, p*q)
c2 = pow(p+q,  e, n)
c3 = pow(p-q, e, n)

print(n,e,c,c2,c3)

"""
n = 15295433384723770530827409610182357116454229477956688195770369730433682157415496577013348874545675737243729102857532975938047960447845810379447111133693580948187062322959669079357879473459000858069231097456735393118347362913789121580325283961707554605156055243121744578519540988276348471466969059558434070053052462082713759313300625458558939326813486881547812379172466351943610098309975366796436378071994581811038534101913286245999396467741996394037418876891050042591753882287089503981097238454969648769009573823446930073801585838233799089804501684286206207631485727950917173578695431696653673212336088220667479126053
e = 65537
c1 = 4477492045240481663741384823512696088433083082776884932707107194250268953926957841606311644052357695534081010869398212209871626819887296408096614873444229845053837224155421714465544444777700800122841554541747178296537574313754451574121442957825301892104097958775998026969839905128201580933199419465346898220930132904016762699393301282759393595327195257229372457324522872320078603796695990202429961740003968432328962904669471003534121886328116144111346861789499220977758902320653590170180625833571912296359139455860677488960725385376291816143385333712610872928200456270713993152460391448064491984185978578924653716258
c2 = 3080764229983925114451845936233080451561563814351395071704480651913954909857687469161704455813880507958916132104420882076759851729361420261087766977071110089263770277221593973416385927012070863810333192140028903042121976439236117468858596982751377783095481683781868399208006962483939640479966433944623937014236091009347789904533566665588271784341714704820168362487806731687909363776259099066056980047343201528569801891577195683233330501475075690903939870372517153074805049523774045449997321399861580209734126016868143280703089944343378216032094152107592776084773045542025336588748666644642511024578598172722344394046
c3 = 15153974511561806057689086858743360876332426715853171552613665570420926817563530665751632130849603043675787049819890008627105187357107040997538995095843944532308789424079874146800825007106475967285255726668734586559853598353729914671745712625909164016357808302462629570618221014885304046637112158688297062292547206461645005481523609568358442793481934275246317347022509350547254438434255892812790171058238731125487188802813495051077028070879498683772641048420449007255292880294447912349585429480140038026918568997265067720139953162921199710112607684747698463207162701443330814918210214029342775973245868721954223369929
"""


Solve:

Adding c2 and c3:

\[c2 + c3 \equiv (p+q)^e + (p-q)^e \text{ (mod n)}\]

When expanding the binomials, the ‘middle’ terms dividing pq are all 0 mod n:

\[c2 + c3 \equiv p^e + q^e + p^e - q^e \text{ (mod n)}\] \[p^e \equiv \frac{c2 +c3}{2} \text{ (mod n)}\]

Now we have a multiple of p and can get p with gcd.

from Crypto.Util.number import long_to_bytes
from math import gcd

n = 15295433384723770530827409610182357116454229477956688195770369730433682157415496577013348874545675737243729102857532975938047960447845810379447111133693580948187062322959669079357879473459000858069231097456735393118347362913789121580325283961707554605156055243121744578519540988276348471466969059558434070053052462082713759313300625458558939326813486881547812379172466351943610098309975366796436378071994581811038534101913286245999396467741996394037418876891050042591753882287089503981097238454969648769009573823446930073801585838233799089804501684286206207631485727950917173578695431696653673212336088220667479126053
e = 65537
c1 = 4477492045240481663741384823512696088433083082776884932707107194250268953926957841606311644052357695534081010869398212209871626819887296408096614873444229845053837224155421714465544444777700800122841554541747178296537574313754451574121442957825301892104097958775998026969839905128201580933199419465346898220930132904016762699393301282759393595327195257229372457324522872320078603796695990202429961740003968432328962904669471003534121886328116144111346861789499220977758902320653590170180625833571912296359139455860677488960725385376291816143385333712610872928200456270713993152460391448064491984185978578924653716258
c2 = 3080764229983925114451845936233080451561563814351395071704480651913954909857687469161704455813880507958916132104420882076759851729361420261087766977071110089263770277221593973416385927012070863810333192140028903042121976439236117468858596982751377783095481683781868399208006962483939640479966433944623937014236091009347789904533566665588271784341714704820168362487806731687909363776259099066056980047343201528569801891577195683233330501475075690903939870372517153074805049523774045449997321399861580209734126016868143280703089944343378216032094152107592776084773045542025336588748666644642511024578598172722344394046
c3 = 15153974511561806057689086858743360876332426715853171552613665570420926817563530665751632130849603043675787049819890008627105187357107040997538995095843944532308789424079874146800825007106475967285255726668734586559853598353729914671745712625909164016357808302462629570618221014885304046637112158688297062292547206461645005481523609568358442793481934275246317347022509350547254438434255892812790171058238731125487188802813495051077028070879498683772641048420449007255292880294447912349585429480140038026918568997265067720139953162921199710112607684747698463207162701443330814918210214029342775973245868721954223369929

p = gcd((c2+c3)*pow(2, -1, n) , n)
q = n//p
d = pow(e, -1, (p-1)*(q-1))
print(long_to_bytes(pow(c1, d, n)))
# CBY{aaaaa_modulus_sama_aaaa_rsa3}