Giters

hva314 / PlaidCTF-2017

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

PlaidCTF-2017

Official write-up has been move to Blue's Little Blog

Zipper - 50

I have this alert when trying to unzip the file:

⮩ unzip zipper_50d3dc76dcdfa047178f5a1c19a52118.zip                                     
Archive:  zipper_50d3dc76dcdfa047178f5a1c19a52118.zip
warning:  filename too long--truncating.
:  bad extra field length (central)

From the alert, it sugests that the "file name" bytes and "extra length" bytes are not correct.
Here is a useful document about zip file: https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html

File:

00000000: 504b 0304 1400 0200 0800 fc99 924a 3ea9  PK...........J>.
00000010: 2e53 4600 0000 f600 0000 2923 1c00 0000  .SF.......)#....
00000020: 0000 0000 0000 5554 0900 035b c8f6 585b  ......UT...[..X[
00000030: c8f6 5875 780b 0001 04e8 0300 0004 e803  ..Xux...........
00000040: 0000 5350 2004 b814 082b f128 adaa 4acc  ..SP ....+.(..J.
00000050: d051 a8cc 2f55 c848 2c4b 5548 4e2c 2829  .Q../U.H,KUHN,()
00000060: 2d4a 4d51 28c9 4855 48cb 494c b7e2 0a70  -JMQ(.HUH.IL...p
00000070: 0e71 ab4e 3328 4acd 2b36 4c2e 8eaf 4cac  .q.N3(J.+6L...L.
00000080: ac25 c326 ea28 0100 504b 0102 1e03 1400  .%.&.(..PK......
00000090: 0200 0800 fc99 924a 3ea9 2e53 4600 0000  .......J>..SF...
000000a0: f600 0000 2923 1800 0000 0000 0100 0000  ....)#..........
000000b0: b481 0000 0000 0000 0000 0000 0000 5554  ..............UT
000000c0: 0500 035b c8f6 5875 780b 0001 04e8 0300  ...[..Xux.......
000000d0: 0004 e803 0000 504b 0506 0000 0000 0100  ......PK........
000000e0: 0100 4e00 0000 8800 0000 0000            ..N.........

Pretty short file, I'm just gonna change it by hand.
The 0800 replaced 2923, 8 is the length of the filename. We know the length base on the fact that there is 8-blank bytes at the location of "extra length" bytes.
The 666c 6167 2e74 7874 replaced 0000 0000 0000 0000. You can name it whatever you want, I just make it flag.txt in this case. exactly 8 characters of length.
Have 2 of those modifies both at the header and the end of the zip file. And this is what we have.

00000000: 504b 0304 1400 0200 0800 fc99 924a 3ea9  PK...........J>.
00000010: 2e53 4600 0000 f600 0000 0800 1c00 666c  .SF...........fl
00000020: 6167 2e74 7874 5554 0900 035b c8f6 585b  ag.txtUT...[..X[
00000030: c8f6 5875 780b 0001 04e8 0300 0004 e803  ..Xux...........
00000040: 0000 5350 2004 b814 082b f128 adaa 4acc  ..SP ....+.(..J.
00000050: d051 a8cc 2f55 c848 2c4b 5548 4e2c 2829  .Q../U.H,KUHN,()
00000060: 2d4a 4d51 28c9 4855 48cb 494c b7e2 0a70  -JMQ(.HUH.IL...p
00000070: 0e71 ab4e 3328 4acd 2b36 4c2e 8eaf 4cac  .q.N3(J.+6L...L.
00000080: ac25 c326 ea28 0100 504b 0102 1e03 1400  .%.&.(..PK......
00000090: 0200 0800 fc99 924a 3ea9 2e53 4600 0000  .......J>..SF...
000000a0: f600 0000 0800 1800 0000 0000 0100 0000  ................
000000b0: b481 0000 0000 666c 6167 2e74 7874 5554  ......flag.txtUT
000000c0: 0500 035b c8f6 5875 780b 0001 04e8 0300  ...[..Xux.......
000000d0: 0004 e803 0000 504b 0506 0000 0000 0100  ......PK........
000000e0: 0100 4e00 0000 8800 0000 0000            ..N.........

And we can extract it.

Huzzah, you have captured the flag:
PCTF{f0rens1cs_yay}

multicast - 175

Hastad's broadcast attack using Coppersmith method. We have 1 message, linearly padding, decrypted by multiple public keys (Ni, e=5) According to Theorem 2 (Hastad): If a large enough group of people is involved, the attacker can recover the plaintext Mi from all the ciphertext with similar methods

ai = [] # store all a1, a2, a3, a4, a5
bi = [] # store b1, b2, b3, b4, b5
ci = [] # store c1, c2, c3, c4, c5
ni = [] # store n1, n2, n3, n4, n5

we need to find all coefficient Ti's sastifying that Ti = 1 (mod Ni) if i=j and Ti = 0 (mod Nj) for all i!=j
by using Chinese Remainder Theorem

T = [] 
T.append(crt([1,0,0,0,0],ni))
T.append(crt([0,1,0,0,0],ni))
T.append(crt([0,0,1,0,0],ni))
T.append(crt([0,0,0,1,0],ni))
T.append(crt([0,0,0,0,1],ni))

According to Hastad's, we have g(x)= (Sigma)i*Ti*gi(x) that g(M) = 0 (mod (Pi)Ni)
By using coppersmith method, we can compute the root x[0] = M Hastad stated that M exist among roots of Coppersmith method, in this case we only have 1 root

N = ni[0]*ni[1]*ni[2]*ni[3]*ni[4]
P.<x> = PolynomialRing(Zmod(N))

# construct g(x)
g = 0
for i in range(len(ai)):
    g += (i+1)*T[i]*( (ai[i]*x + bi[i])^5 - ci[i])

# g(x) has to be monic polynomial in order to use coppersmith approach
g = g.monic()

# coppersmith method in Sage
M = g.small_roots()

# and we get the message
hex(int(M[0]))[2:-1].decode("hex")
'PCTF{L1ne4r_P4dd1ng_w0nt_s4ve_Y0u_fr0m_H4s7ad!}'

About