# Writeups

## Writeup "beyond the mountain" (crypto) from backdoorctf 2021

by: dorianr

[This challenges had a mountainous flavor text, now lost to history.]

In short, the task is to provide vectors flipping specific bits in an encryption scheme resembling ring learning with errors.

1 solve / 500 points

## Writeup md5flow (crypto/pwn) from DamCTF 2021

by: dorianr

Ok, so maybe that artisan hash wasn’t such a great idea. Let’s use a standard cryptographic hash instead.

Hint: The server is running ubuntu 18.04

nc chals.damctf.xyz 31656

3 solves / 499 points

## Writeup "R u SAd?" from PlaidCTF 2019

by: dorianr

Description:

Tears dripped from my face as I stood over the bathroom sink. Exposed again! The tears melted into thoughts, and an idea formed in my head. This will surely keep my secrets safe, once and for all. I crept back to my computer and began to type.

## Writeup Dr. Evil from Midnightsun CTF 2019 (Quals)

by: fhred
Challenge description: Categories: network | pwned! Points: 893 Solves: 8 We have managed to intercept communications from Dr. Evil’s base but it seems to be encrypted. Can you recover the secret message. Download: dr_evil.tar.gz (containing dr-evil.pcap) The TAR archive contains a .pcap file of a TLS v1.2 connection between 10.0.2.15 (Client) and 52.15.194.28 (Server). The TLS connction uses the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite and the Server is authenticated with a DigiCert certificate.

## Writeup EZDSA from Midnightsun CTF 2019 (Quals)

by: xomex
Ezdsa | crypto Points: 223 Solves: 57 Someone told me not to use DSA, so I came up with this. Service: nc ezdsa-01.play.midnightsunctf.se 31337 Download: EZDSA.tar.gz (containing ezdsa.py) We are presented with a service. When connecting with the service we can choose to sign some data or to quit. Quitting does exactly what you’d think it does. When choosing to sign some data you must encode them as base 64 and are given back two numbers.

## Writeup Open-gyckel-krypto from Midnightsun CTF 2019 (Quals)

by: dorianr

Primes are fun, don’t google translate me bro

## Writeup Polyshell from Midnightsun CTF 2019 (Quals)

by: dorianr

Description:

You might be cool, but are you 5 popped shells cool?
Service: nc polyshell-01.play.midnightsunctf.se 30000
Hint: The syscalls should be made using standard Linux syscall calling convention


## Writeup Tulpan257 from Midnightsun CTF 2019 (Quals)

by: dorianr

We made a ZK protocol with a bit of HFS-flair to it!

Correction of description, prover does not take a string, but a polynomial

by: dorianr

## Challenge

Description:

<<<320881698662242726122152659576060496538921409976895582875089953705144841691963343665651276480485795667557825130432466455684921314043200553005547236066163215094843668681362420498455007509549517213285453773102481574390864574950259479765662844102553652977000035769295606566722752949297781646289262341623549414376262470908749643200171565760656987980763971637167709961003784180963669498213369651680678149962512216448400681654410536708661206594836597126012192813519797526082082969616915806299114666037943718435644796668877715954887614703727461595073689441920573791980162741306838415524808171520369350830683150672985523901>>>

n = 483901264006946269405283937218262944021205510033824140430120406965422208942781742610300462772237450489835092525764447026827915305166372385721345243437217652055280011968958645513779764522873874876168998429546523181404652757474147967518856439439314619402447703345139460317764743055227009595477949315591334102623664616616842043021518775210997349987012692811620258928276654394316710846752732008480088149395145019159397592415637014390713798032125010969597335893399022114906679996982147566245244212524824346645297637425927685406944205604775116409108280942928854694743108774892001745535921521172975113294131711065606768927
e = 65537

Service: http://36.110.234.253

by: dorianr

## Challenge

Organize those rectangular things that take physical space!

https://books.web.ctfcompetition.com/

A website is given along with its source where you can create an account and add books with some metadata.

by: xomex

## Challenge (46 solves, 210 points)

You discover this cat enthusiast chat app, but the annoying thing about it is that you’re always banned when you start talking about dogs. Maybe if you would somehow get to know the admin’s password, you could fix that.
https://cat-chat.web.ctfcompetition.com/

We are given a chat website. When entering it we are redirected to a random room and are greeted by a message.

by: xomex

## Challenge (74 solves, 158 points)

(Attachment containing challenge.py, flag.txt, key_pub.pem)
nc perfect-secrecy.ctfcompetition.com 1337

Looking at the description and the given files we can guess, that flag.txt is the flag encrypted with RSA under key_pub.pem, which turns out to be correct. Furthermore we can guess that challenge.py is running on the server, which is also correct.

It seems our goal is to use the server to decrypt the flag for us.

by: BastiH96

## Challenge: “Win the game 1,000,000 times to get the flag.”

To get things started, I ran the apk in Anbox. We are greeted by a Tic-Tac-Toe implementation. Now from the challenge we know that we have to win the game 1 million times to get the flag. Being an avid gamer, I took this challenge and just went on a 1 million games winning streak, thanks for reading this Write-Up.

Jokes aside, this would not be a challenge, as the used AI seems to play really random, so we basically win after 3 turns anyway. So lets get us a real challenge.

by: ablu

## Challenge

Building the future web, together.

http://amp.2018.teamrois.cn


by: dorianr

## Challenge

We were given a binary smcauth together with a verilog file smcauth_syn.v and a server address. It can act as server:

./smcauth verify --secret aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --netlist smcauth_syn.v [--listen ip:port]

and client:

./smcauth auth --secret aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --netlist smcauth_syn.v [--verifier ip:port]

The client tells us whether the secret was "correct", or rather whether the circuit specified by --netlist evaluates to true, taking the client's and server's secret as input.

May 14 13:31:42.775 INFO authentication successful

May 14 13:31:57.274 WARN authentication failed

At this point, it is pretty obvious that we need to obtain the server's secret.

## Writeup Yunnyit from ASIS 2018 CTF

by: dorianr

First a disclaimer, we did not actually solve this challenge during the competition, but the servers were left running…

A server is provided: nc 37.139.22.174 22555

It greets us with the following text:

|-------------------------------------|
| Welcome to the Yunnyit crypto task! |
|-------------------------------------|
| Options:                            |
| [M]ixed encryption function of FLAG |
| [D]ecrypting cipher                 |
| [E]ncryption & decryption function  |
| [F]LAG encrypting...                |
| [Q]uit                              |
|-------------------------------------|
Submit a printable string X, such that sha256(X)[-6:] = 92730d