Open source 2020 quals challenges

Author: sroettger

2020/quals/crypto-chunk-norris/challenge.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python3 -u
+#Copyright 2020 Google LLC
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import random
+from Crypto.Util.number import *
+import gmpy2
+
+a = 0xe64a5f84e2762be5
+chunk_size = 64
+
+def gen_prime(bits):
+  s = random.getrandbits(chunk_size)
+
+  while True:
+    s |= 0xc000000000000001
+    p = 0
+    for _ in range(bits // chunk_size):
+      p = (p << chunk_size) + s
+      s = a * s % 2**chunk_size
+    if gmpy2.is_prime(p):
+      return p
+
+n = gen_prime(1024) * gen_prime(1024)
+e = 65537
+flag = open("flag.txt", "rb").read()
+print('n =', hex(n))
+print('e =', hex(e))
+print('c =', hex(pow(bytes_to_long(flag), e, n)))

2020/quals/crypto-chunk-norris/flag.txt

@@ -0,0 +1 @@
+CTF{__donald_knuths_lcg_would_be_better_well_i_dont_think_s0__}

2020/quals/crypto-chunk-norris/output.txt

@@ -0,0 +1,3 @@
+n = 0xab802dca026b18251449baece42ba2162bf1f8f5dda60da5f8baef3e5dd49d155c1701a21c2bd5dfee142fd3a240f429878c8d4402f5c4c7f4bc630c74a4d263db3674669a18c9a7f5018c2f32cb4732acf448c95de86fcd6f312287cebff378125f12458932722ca2f1a891f319ec672da65ea03d0e74e7b601a04435598e2994423362ec605ef5968456970cb367f6b6e55f9d713d82f89aca0b633e7643ddb0ec263dc29f0946cfc28ccbf8e65c2da1b67b18a3fbc8cee3305a25841dfa31990f9aab219c85a2149e51dff2ab7e0989a50d988ca9ccdce34892eb27686fa985f96061620e6902e42bdd00d2768b14a9eb39b3feee51e80273d3d4255f6b19
+e = 0x10001
+c = 0x6a12d56e26e460f456102c83c68b5cf355b2e57d5b176b32658d07619ce8e542d927bbea12fb8f90d7a1922fe68077af0f3794bfd26e7d560031c7c9238198685ad9ef1ac1966da39936b33c7bb00bdb13bec27b23f87028e99fdea0fbee4df721fd487d491e9d3087e986a79106f9d6f5431522270200c5d545d19df446dee6baa3051be6332ad7e4e6f44260b1594ec8a588c0450bcc8f23abb0121bcabf7551fd0ec11cd61c55ea89ae5d9bcc91f46b39d84f808562a42bb87a8854373b234e71fe6688021672c271c22aad0887304f7dd2b5f77136271a571591c48f438e6f1c08ed65d0088da562e0d8ae2dadd1234e72a40141429f5746d2d41452d916

2020/quals/crypto-chunk-norris/solve.py

@@ -0,0 +1,47 @@
+#Copyright 2020 Google LLC
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import gmpy2
+import sympy
+from Crypto.Util.number import *
+
+n = 0xab802dca026b18251449baece42ba2162bf1f8f5dda60da5f8baef3e5dd49d155c1701a21c2bd5dfee142fd3a240f429878c8d4402f5c4c7f4bc630c74a4d263db3674669a18c9a7f5018c2f32cb4732acf448c95de86fcd6f312287cebff378125f12458932722ca2f1a891f319ec672da65ea03d0e74e7b601a04435598e2994423362ec605ef5968456970cb367f6b6e55f9d713d82f89aca0b633e7643ddb0ec263dc29f0946cfc28ccbf8e65c2da1b67b18a3fbc8cee3305a25841dfa31990f9aab219c85a2149e51dff2ab7e0989a50d988ca9ccdce34892eb27686fa985f96061620e6902e42bdd00d2768b14a9eb39b3feee51e80273d3d4255f6b19
+e = 0x10001
+c = 0x6a12d56e26e460f456102c83c68b5cf355b2e57d5b176b32658d07619ce8e542d927bbea12fb8f90d7a1922fe68077af0f3794bfd26e7d560031c7c9238198685ad9ef1ac1966da39936b33c7bb00bdb13bec27b23f87028e99fdea0fbee4df721fd487d491e9d3087e986a79106f9d6f5431522270200c5d545d19df446dee6baa3051be6332ad7e4e6f44260b1594ec8a588c0450bcc8f23abb0121bcabf7551fd0ec11cd61c55ea89ae5d9bcc91f46b39d84f808562a42bb87a8854373b234e71fe6688021672c271c22aad0887304f7dd2b5f77136271a571591c48f438e6f1c08ed65d0088da562e0d8ae2dadd1234e72a40141429f5746d2d41452d916
+
+a = 0xe64a5f84e2762be5
+chunk_size = 64
+
+a_inv = gmpy2.invert(a, 2**chunk_size)
+ab = n % 2**chunk_size
+abg = a_inv * ab * 2 % 2 ** chunk_size
+xab = (n - (abg << chunk_size)) % 2**(chunk_size*2)
+
+for x in sympy.divisors(xab):
+  if x.bit_length() <= chunk_size and xab // x <= x:
+    print('testing', hex(x))
+    chunks = n.bit_length() // (chunk_size*2)
+    p = 0
+    a = x
+    for i in range(chunks):
+      p += a << (i * chunk_size)
+      a = a * a_inv % 2**chunk_size
+    if n % p == 0:
+      print('factor found:', hex(p))
+      q = n//p
+      phi = (p-1)*(q-1)
+      assert gmpy2.gcd(e, phi) == 1
+      d = gmpy2.invert(e, phi)
+      print(long_to_bytes(pow(c, d, n)))
+      break 

2020/quals/crypto-sharky/challenge.py

@@ -0,0 +1,67 @@
+#! /usr/bin/python3
+#
+#Copyright 2020 Google LLC
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import binascii
+import os
+import sha256
+
+# Setup msg_secret and flag
+FLAG_PATH = 'data/flag.txt'
+NUM_KEYS = 8
+MSG = b'Encoded with random keys'
+
+with open(FLAG_PATH, 'rb') as f:
+  FLAG = f.read().strip()
+
+
+def sha256_with_secret_round_keys(m: bytes, secret_round_keys: dict) -> bytes:
+  """Computes SHA256 with some secret round keys.
+
+  Args:
+    m: the message to hash
+    secret_round_keys: a dictionary where secret_round_keys[i] is the value of
+      the round key k[i] used in SHA-256
+
+  Returns:
+    the digest
+  """
+  sha = sha256.SHA256()
+  round_keys = sha.k[:]
+  for i, v in secret_round_keys.items():
+    round_keys[i] = v
+  return sha.sha256(m, round_keys)
+
+
+def generate_random_round_keys(cnt: int):
+  res = {}
+  for i in range(cnt):
+    rk = 0
+    for b in os.urandom(4):
+      rk = rk * 256 + b
+    res[i] = rk
+  return res
+
+if __name__ == '__main__':
+  secret_round_keys = generate_random_round_keys(NUM_KEYS)
+  digest = sha256_with_secret_round_keys(MSG, secret_round_keys)
+  print('MSG Digest: {}'.format(binascii.hexlify(digest).decode()))
+  GIVEN_KEYS = list(map(lambda s: int(s, 16), input('Enter keys: ').split(',')))
+  assert len(GIVEN_KEYS) == NUM_KEYS, 'Wrong number of keys provided.'
+
+  if all([GIVEN_KEYS[i] == secret_round_keys[i] for i in range(NUM_KEYS)]):
+    print('\nGood job, here\'s a flag: {0}'.format(FLAG))
+  else:
+    print('\nSorry, that\'s not right.')

2020/quals/crypto-sharky/data/flag.txt

@@ -0,0 +1 @@
+CTF{sHa_roUnD_k3Ys_caN_b3_r3vERseD}

2020/quals/crypto-sharky/sha256.py

@@ -0,0 +1,92 @@
+#! /usr/bin/python3
+#Copyright 2020 Google LLC
+#
+#Licensed under the Apache License, Version 2.0 (the "License");
+#you may not use this file except in compliance with the License.
+#You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+import struct
+
+class SHA256:
+
+  def __init__(self):
+    self.h = [
+        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
+        0x1f83d9ab, 0x5be0cd19
+    ]
+
+    self.k = [
+        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+        0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+        0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+        0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+        0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+        0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+    ]
+
+  def rotate_right(self, v, n):
+    w = (v >> n) | (v << (32 - n))
+    return w & 0xffffffff
+
+  def compression_step(self, state, k_i, w_i):
+    a, b, c, d, e, f, g, h = state
+    s1 = self.rotate_right(e, 6) ^ self.rotate_right(e, 11) ^ self.rotate_right(e, 25)
+    ch = (e & f) ^ (~e & g)
+    tmp1 = (h + s1 + ch + k_i + w_i) & 0xffffffff
+    s0 = self.rotate_right(a, 2) ^ self.rotate_right(a, 13) ^ self.rotate_right(a, 22)
+    maj = (a & b) ^ (a & c) ^ (b & c)
+    tmp2 = (tmp1 + s0 + maj) & 0xffffffff
+    tmp3 = (d + tmp1) & 0xffffffff
+    return (tmp2, a, b, c, tmp3, e, f, g)
+
+  def compression(self, state, w, round_keys = None):
+    if round_keys is None:
+      round_keys = self.k
+    for i in range(64):
+      state = self.compression_step(state, round_keys[i], w[i])
+    return state
+
+  def compute_w(self, m):
+    w = list(struct.unpack('>16L', m))
+    for _ in range(16, 64):
+      a, b = w[-15], w[-2]
+      s0 = self.rotate_right(a, 7) ^ self.rotate_right(a, 18) ^ (a >> 3)
+      s1 = self.rotate_right(b, 17) ^ self.rotate_right(b, 19) ^ (b >> 10)
+      s = (w[-16] + w[-7] + s0 + s1) & 0xffffffff
+      w.append(s)
+    return w
+
+  def padding(self, m):
+    lm = len(m)
+    lpad = struct.pack('>Q', 8 * lm)
+    lenz = -(lm + 9) % 64
+    return m + bytes([0x80]) + bytes(lenz) + lpad
+
+  def sha256_raw(self, m, round_keys = None):
+    if len(m) % 64 != 0:
+      raise ValueError('m must be a multiple of 64 bytes')
+    state = self.h
+    for i in range(0, len(m), 64):
+      block = m[i:i + 64]
+      w = self.compute_w(block)
+      s = self.compression(state, w, round_keys)
+      state = [(x + y) & 0xffffffff for x, y in zip(state, s)]
+    return state
+
+  def sha256(self, m, round_keys = None):
+    m_padded = self.padding(m)
+    state = self.sha256_raw(m_padded, round_keys)
+    return struct.pack('>8L', *state)