2021DiceCTF - WriteUp
Introduction
This is a small write up and recurrence for 2021DiceCTF.
Pwn
babyrop
Analysis
Just a stack overflow and use csu to solve it. Notice that some registers are different for csu.
Exp
1 | from pwn import * |
flippidy
This writeup is referenced from TeamRocketIST
Analysis
This is a no-PIE program.
1 | Arch: amd64-64-little |
The main function asks for the size of note list. (The 8 * size
can be overflowed, such as 0x20010000
, and you can write a heap address to libc or ld, but can’t leak anything and keep going…)
1 | void __fastcall __noreturn main(__int64 a1, char **a2, char **a3) |
Choice 1 can add a 0x30 chunk.
1 | int add() |
Choice 2 can flip the note list.
1 | unsigned __int64 flip() |
If we set size as 1
, and add a chunk. Then when we flip the note list, there will have a double free
. We can use menu
to leak libc because it use some pointers to show menu.
1 | int menu() |
1 | .data:0000000000404020 menu_str dq offset aMenu ; DATA XREF: menu+2A↑o |
When we have libc base
, we can write one gadget
to free_hook
and getshell.
Exp
1 | #!/usr/bin/env python |
Crypto
garbled
This writeup is referenced from Joseph
Analysis
This is a Garbled Circuit
challenge. We should recover the inputs
to get flag.
1 | # obtain_flag.py |
The circuit
is as follow:
1 | { |
The g_tables
is as follow:
1 | g_tables = {5: [(5737111, 2983937), |
The evaluate_circuit
function is in yao.py
, it uses the circuit
, g_tables
and inputs
to update the keys
and evaluated
the gates
, and the evaluate_gate
function use decrypt
function to get lable
and validation
, if validation == 0
it will return the label
, if no label
return it will rasie an error.
1 | # yao.py |
The decrypt
function is in block_cipher.py
, it is an easy SPN block cipher
:
1 | # block_cipher.py |
So we can know the inputs
is 24-bit
. But these infomations are not enough for us to solve this challenge.
Let take a look at evaluate_garbled_circuit_example.py
, it gives us an example:
1 | """ |
The generate_garbled_circuit.py
is as follows, it use GarbledCircuit
and circuit
to generate the g_tables
and keys
:
1 | # generate_garbled_circuit.py |
And let take a look at GarbledCircuit
and GarbledGate
in yao.py
:
1 | # yao.py |
So we know the relationship between the keys
and g_tables
:
Assume the input labels(keys)
are [[a0,a1],[b0,b1]]
, and the output lable(key)
is [c0,c1]
, the g_tables
are [[l0,v0],[l1,v1],[l2,v2],[l3,v3]]
, so we can get:
1 | enc = [ |
And the Garbled Circuit
combine these output lable
as input lables
to generate more output lable
until end.
We have the early inputs lables
and g_tables
, so we can use MITM
to attack the Garbled Circuit
with validation
. And brute the order before random suffle
. So we can recover the keys
and finally get the flag.
Exp
1 | // exp.c |
1 | # exp.py |
benaloh
This writeup is referenced from defund
Analysis
This is a Benaloh cryptosystem challenge, the code is short:
1 | # benaloh |
The block size is r = 17
, we have public key
and encrypted flag
. But different from the standard Benaloh cryptosystem
, the nonce
of this challenge is generated with LCG
. But we don’t know a,u,c
.
So what can we do? Focus on the encrypted flag
, also called z
in this challenge. We can write its expression:
1 | z_i = (y ** m * u_i ** r) % n |
If we have more z-m pair
, then we can construct some multivariate polynomials with unkowned u,a,c
, use Gröbner basis reduction to help us for finding roots. It also preserves some key properties about the original set. In sagemath
the output just like this:
1 | [c^17 + 13458759594676198214694259395597811037811941351192625227467096501437492626016103500732912703741531580440688721418838601356917454469197042860724974820711811807100911025568783389529011375041774037357224005532374737711385620250882965751966936631506501563981475218917679272036145000202705372625367221715684331874911123897488465876418098777295294085721730060353781081936511989823993750197757906274895327225414708735228502620853964519743121169419595741484437884476968407623319417909836503756421684133026872563003628309754191206638310830457160948939228910390136165954060484629537550098482941917500740029457719651678576263154, u + 316517663849777910225660080408784696167924695113642531974131497480910378366220174342126802849049539663694903310250609244514828218236832782037217816236893097704270918578097042085736644370848172633750954486260895306171096242584274887827086225061772333809429993942553814439329476648071612609884623299988660650179852653163795008516189222405687351351109996651789580351715791017438004730807486178553378753383208033005732492151858373741617384858699269732745326858016880380595482272818312327147435234514885344494904297204434448240694768364394802707422951925732088102047687537430858233649919876359703515785224783225069089980*c, a + 1661216876440720795949971760316375297223780761108674238540808158213078980164656368815536594328510194746888627111987313473237775055677284466208525500885764198070567384544945702715900113900083864927826969971664844458658182797143288816769247910804809014527517142248172045349023280003970829981831679105885916798790488166987740245714277585192487684558508003531661909679977119963644699703649749483269350109143839889546691324949566145320193582552061487407920959141668364668452895857576184480913586198770372641315376888430566581697787292145901485440997213094118917877437294945649019459331559374549028782748215151722129896006] |
We can use these informations to help us for solving this challenge and finally get the flag.
Exp
1 | # exp.sage |
plagiarism
This writeup is referenced from mystiz
Analysis
This challenge is and Related Message Attack
on RSA:
1 | Two agents, Blex and Kane, have simultaneously known very secret message and transmitted it to Center. You know following: |
The difference from RuCTF Quals 2014: decrypt message is that e is bigger than before.
So the original method will fail due to runtime issues.
We can use HGCD instead of GCD to solve this challenge.
Exp
This code is written by the entire country of ireland
in discord
1 | import binascii |
Reverse
babymix
Analysis
Just use z3 to solve it.
Exp
1 | #!/usr/bin/env python |
References
https://ctf-wiki.org/pwn/linux/stackoverflow/medium-rop/#ret2csu
https://teamrocketist.github.io/2021/02/08/Pwn-DiceCTF2021-flippidy/
https://www.josephsurin.me/posts/2021-02-08-dicectf-2021-garbled
https://s3v3ru5.github.io/notes/DiceCTF2021#benaloh