ALL the CTFS of Crypto2025 finally

crypto-simmetric/fool-the-oracle-v4/attack-old.py

@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+from pwn import *
+
+HOST = "130.192.5.212"
+PORT = "6543"
+
+server = remote(HOST,PORT)
+sleepT = 0.1
+
+firstBlock=b"CRYPTO25{e3ab216"
+#If the pad generated is correct the second and third block are equal
+#Then I guessed the random pad
+for i in range(16):
+  pad=b'A'*i
+  secondBlock=b'B'*16
+  thirdBlock=b'B'*16
+  server.send(b'enc\n')
+  server.recv(1024)
+  sleep(sleepT)
+  #The second pad can be whatever
+  toSend = pad + secondBlock + thirdBlock
+  print(f"Sending {toSend} with len {len(toSend)}")
+  server.send( toSend.hex())
+  server.send(b'\n')
+  sleep(sleepT)
+  ciphertext = server.recv(1024)
+  ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b"\n")[0].decode('utf-8'))
+  if ciphertext[16:32] == ciphertext[32:48]:
+      PAD_NUM=i
+      print(f"Found the right padding num:{PAD_NUM}")
+      break
+firstBlock=b"CRYPTO25{e3ab216"
+secondBlock="9-39d5-43aa-bde7"
+thirdBlock="-02286c2e2e56}"
+flag="CRYPTO25{e3ab2169-39d5-43aa-bde7-02286c2e2e56}"
+lastBlock=b'A'*16
+#lastBlock=firstBlock
+flagGuessed=b''
+#beginning=32
+#end=48
+beginning=48
+end=64
+flag=b''
+
+for j in range(1,3):
+    print(f"{'-'*5} Finding block n:{j+1} {'-'*5}")
+    for i in range(16):
+        beforePad = b'A'*PAD_NUM
+        pad = lastBlock[(i+1):]
+        #pad =  b'A'*(16 - (len(flagGuessed)+1) )
+        fPayload =  pad + flagGuessed
+        for guess in string.printable:
+            guess = bytes(guess,'utf-8')
+            server.send(b'enc\n')
+            server.recv(1024)
+            sleep(sleepT)
+            #The second pad can be whatever
+            toSend = beforePad + fPayload+guess+pad
+            print(f"Payload len: {len(fPayload+guess)} Pad len: {len(pad)}")
+            print(f"Sending {toSend} with len {len(toSend)}")
+            server.send( toSend.hex())
+            server.send(b'\n')
+            sleep(sleepT)
+            ciphertext = server.recv(1024)
+            ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b"\n")[0].decode('utf-8'))
+            if ciphertext[16:32] == ciphertext[beginning:end]:
+                #print(f"Block1:{ciphertext[0:16]} Block2:{ciphertext[16:32]}")
+                print(f"Matched guess: {guess}")
+                flagGuessed += guess
+                print(f"Already Guessed: {flagGuessed}")
+                break
+            sleep(sleepT)
+    lastBlock=flagGuessed
+    flag+=lastBlock
+    print(f"Entire block guessed:{lastBlock}")
+    flagGuessed=b''
+    beginning+=16
+    end+=16
+    if(b'}' in flagGuessed):
+        break
+print(flag)

crypto-simmetric/fool-the-oracle-v4/attack.py

@@ -0,0 +1,165 @@
+#!/usr/bin/env python3
+
+from Cryptodome.Random import get_random_bytes
+from pwn import *
+HOST = "130.192.5.212"
+PORT = "6544"
+lenFlag = len("CRYPTO25{}")+36 # 46 total
+server = remote(HOST, PORT)
+#padding1 + padding2 = 10
+PAD_NUM = 10
+#AES block 16
+#server.send(b"enc\n")
+flagGuessed = b''
+sleepT = 0.1
+pad1Len = 0
+pad2Len = 0
+#print(server.recv(1024))
+# Indovina
+for i in range(1,6):
+  pad=b'A'*(16-i)
+  secondBlock=b'B'*16
+  thirdBlock=b'B'*16
+  print(server.recvline())
+  print(server.recvline())
+  print(server.recvline())
+  print(server.recvline())
+  server.send(b'enc\n')
+  toSend = pad + secondBlock + thirdBlock
+  print(f"Sending {toSend} with len {len(toSend)}")
+  server.send( toSend.hex())
+  server.send(b'\n')
+  ciphertext = server.recvline().strip(b"> >").strip()
+  ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+  if ciphertext[16:32] == ciphertext[32:48]:
+          pad1Len = i
+          pad2Len = 10-i
+          print(f"Found the right padding num:{pad1Len} and second pad len:{pad2Len}")
+          break
+assert(pad1Len <= 6)
+assert(pad2Len > 0)
+print('-------')
+pad2Guessed = b''
+sleepT = 0.1
+# Conoscere pad2 serve solo per indovinare il primo blocco
+for i in range(pad2Len):
+        pad1 = b'A' * (16-pad1Len)
+        data = b'B' * (16 - (len(pad2Guessed)+1) )
+        fPayload =  data + pad2Guessed
+        for g in range(255):
+            assert(g != 255)
+            server.recvline()
+            server.recvline()
+            server.recvline()
+            server.recvline()
+            guess = g.to_bytes()
+            server.send(b'enc\n')
+            toSend = pad1 + fPayload + guess + data
+            print(f"Sending {toSend} with len {len(toSend)} and PAD2Len:{pad2Len} len Fpayload:{len(fPayload)} and len data:{len(data)}")
+            server.send( toSend.hex())
+            server.send(b'\n')
+            ciphertext = server.recvline().strip(b"> >").strip()
+            ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+            if ciphertext[16:32] == ciphertext[32:48]:
+              print(f"Matched guess: {guess}")
+              pad2Guessed += guess
+              print(f"Already Guessed: {pad2Guessed}")
+              break
+assert(len(pad2Guessed) == pad2Len)
+print(f"FOUND PADDING 2:{pad2Guessed}")
+# Mi servono 6 byte di padding
+firstBlock = b'CRYPTO25{'
+# flag CRYPTO25{df0b0f03-0bd4-4dc8
+# CRYPTO25{df0b0f03-0bd4-4dc8-9043-bcdac301684c}
+#firstBlock = b'CRYPTO25{df0b0f0'
+#secondBlock =b''
+#secondBlock = b'3-0bd4-4dc8-9043'
+firstBlock = b''
+secondBlock = b''
+thirdBlock = b''
+# Devo tagliare il PADDING2 quindi mando un blocco che contiene il PADDING2 - i primi X Byte + blocco che gia' conosco + guess
+# Dopo mando X Byte di A in modo che in questo blocco finiscano gli stessi byte del padding2 che ho tagliato
+# Comparo il terzo blocco che sara' PADDIN2 tagliato + Byte della flag che ho + Byte della flag che voglio indovinare
+pad1 = b'A' * (16 - pad1Len)
+for i in range(7):
+  for guess in string.printable:
+      server.recvline()
+      server.recvline()
+      server.recvline()
+      server.recvline()
+
+      guess = bytes(guess,'utf-8')
+
+      server.send(b'enc\n')
+      # Lunghezza che mi serve per avere blocco + guess nel blocco che mando
+      lenNeeded = 16 - len(firstBlock) - 1
+      # Questo blocco fa da cuscinetto e serve solo per tagliare i primi byte che ignoro del padding2 aggiunti dal server
+      # Se devo scartare i primi 3 byte quindi questo sara' 16 - 3 byte lungo
+      useless = b'Z' * (16 - (pad2Len - lenNeeded))
+      if(pad2Len > lenNeeded ):
+        #       1 Blocco + 2 Blocco da controllare                               + 3 blocco inutile
+        toSend = pad1 + pad2Guessed[(pad2Len - lenNeeded):] + firstBlock + guess + useless
+      #print(f"Payload len: {len(fPayload+pad2Guessed+guess+fPayload)}")
+      print(f"Sending {toSend} with len {len(toSend)} len data:{len(data)}")
+      server.send( toSend.hex())
+      server.send(b'\n')
+      ciphertext = server.recvline().strip(b"> >").strip()
+      ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+      if ciphertext[16:32] == ciphertext[48:64]:
+        print(f"Matched guess: {guess}")
+        firstBlock += guess
+        print(f"FLAG Already Guessed: {firstBlock}")
+        break
+for i in range(16):
+  for guess in string.printable:
+      server.recvline()
+      server.recvline()
+      server.recvline()
+      server.recvline()
+
+      guess = bytes(guess,'utf-8')
+
+      server.send(b'enc\n')
+      # Per indovinare il secondo blocco possiamo usare il primo, tagliandolo in base a quanto
+      # conosco del secondo blocco, metto sempre in mezzo un blocco cuscinetto (alla fine e' meglio avere due blocchi cuscinetto) che include byte a caso
+      # + padding2 messo dal server
+      # + i byte della flag che gia' conosco e voglio tagliare, in modo che quelli del secondo blocco della flag siano comparabili con guess
+
+      useless = b'Z' * (32 - pad2Len - (len(secondBlock) + 1))
+      toSend = pad1 + firstBlock[len(secondBlock)+1:] + secondBlock + guess + useless
+      print(f"Sending {toSend} len first+second+guess:{len(firstBlock[len(secondBlock)+1:]+secondBlock+guess)} len useless:{len(useless)} len pad2:{pad2Len}")
+      server.send( toSend.hex())
+      server.send(b'\n')
+      ciphertext = server.recvline().strip(b"> >").strip()
+      ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+      if ciphertext[16:32] == ciphertext[64:80]:
+        print(f"Matched guess: {guess}")
+        secondBlock += guess
+        print(f"FLAG Already Guessed: {firstBlock + secondBlock}")
+        break
+for i in range(16):
+  for guess in string.printable:
+      server.recvline()
+      server.recvline()
+      server.recvline()
+      server.recvline()
+
+      guess = bytes(guess,'utf-8')
+
+      server.send(b'enc\n')
+      # Per indovinare il secondo blocco possiamo usare il primo, tagliandolo in base a quanto
+      # conosco del secondo blocco, metto sempre in mezzo un blocco cuscinetto che include byte a caso + padding2 messo dal server
+      # + i byte della flag che gia' conosco e voglio tagliare, in modo che quelli del secondo blocco della flag siano comparabili con guess
+
+      useless = b'Z' * (48 - pad2Len - (len(thirdBlock) + 16 + 1))
+      toSend = pad1 + secondBlock[len(thirdBlock)+1:] + thirdBlock + guess + useless
+      print(f"Sending {toSend} len second+third+guess:{len(secondBlock[len(thirdBlock)+1:]+thirdBlock+guess)} len useless:{len(useless)} len pad2:{pad2Len}")
+      server.send( toSend.hex())
+      server.send(b'\n')
+      ciphertext = server.recvline().strip(b"> >").strip()
+      ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+      if ciphertext[16:32] == ciphertext[80:96]:
+        print(f"Matched guess: {guess}")
+        thirdBlock += guess
+        print(f"FLAG Already Guessed: {firstBlock + secondBlock + thirdBlock}")
+        break

crypto-simmetric/fool-the-oracle-v4/attack.py.bak

@@ -0,0 +1,123 @@
+#!/usr/bin/env python3
+
+from Cryptodome.Random import get_random_bytes
+from pwn import *
+HOST = "130.192.5.212"
+PORT = "6544"
+lenFlag = len("CRYPTO25{}")+36 # 46 total
+server = remote(HOST, PORT)
+#padding1 + padding2 = 10
+PAD_NUM = 10
+#AES block 16
+#server.send(b"enc\n")
+flagGuessed = b''
+sleepT = 0.1
+pad1Len = 0
+pad2Len = 0
+#print(server.recv(1024))
+for i in range(1,6):
+  pad=b'A'*(16-i)
+  secondBlock=b'B'*16
+  thirdBlock=b'B'*16
+  print(server.recvline())
+  print(server.recvline())
+  print(server.recvline())
+  print(server.recvline())
+  server.send(b'enc\n')
+  toSend = pad + secondBlock + thirdBlock
+  print(f"Sending {toSend} with len {len(toSend)}")
+  server.send( toSend.hex())
+  server.send(b'\n')
+  ciphertext = server.recvline().strip(b"> >").strip()
+  ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+  if ciphertext[16:32] == ciphertext[32:48]:
+          pad1Len = i
+          pad2Len = 10-i
+          print(f"Found the right padding num:{pad1Len} and second pad len:{pad2Len}")
+          break
+assert(pad1Len <= 6)
+assert(pad2Len > 0)
+print('-------')
+pad2Guessed = b''
+sleepT = 0.1
+for i in range(pad2Len):
+        pad1 = b'A' * (16-pad1Len)
+        data = b'B' * (16 - (len(pad2Guessed)+1) )
+        fPayload =  data + pad2Guessed
+        for g in range(255):
+            assert(g != 255)
+            print(server.recvline())
+            print(server.recvline())
+            print(server.recvline())
+            print(server.recvline())
+            guess = g.to_bytes()
+            server.send(b'enc\n')
+            toSend = pad1 + fPayload + guess + data
+            print(f"Sending {toSend} with len {len(toSend)} and PAD2Len:{pad2Len}")
+            server.send( toSend.hex())
+            server.send(b'\n')
+            ciphertext = server.recvline().strip(b"> >").strip()
+            ciphertext = bytes.fromhex(ciphertext.decode('utf-8'))
+            print(ciphertext)
+            #print(server.recv(4096))
+            #sleep(3)
+            """try:
+                    ciphertext = server.recv(4096)
+                    ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b'\n')[0].strip().decode('utf-8'))
+                    #print(ciphertext)
+                    #ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b"\n")[0].decode('utf-8'))
+            except:
+                    ciphertext = bytes.fromhex(ciphertext.split(b'\n')[4].strip(b" >").decode('utf-8'))
+                    #print(f"ERROR CIPHER:{ciphertext}")
+                    #g = g - 1
+
+            if ciphertext[16:32] == ciphertext[32:48]:
+              print(f"Matched guess: {guess}")
+              pad2Guessed += guess
+              print(f"Already Guessed: {pad2Guessed}")
+              break
+            #sleep(sleepT)"""
+assert(len(pad2Guessed) == pad2Len)
+print(f"FOUND PADDING 2:{pad2Guessed}")
+#sleep(1000)
+firstBlock = b''
+#already guessed 280043
+for i in range(3):
+  for j in range(16):
+    pad1 = b'A' * (16-pad1Len)
+    #data = b'B'*(16-pad2Len-(j+1))
+    data =  b'B'*(16 - pad2Len - (len(firstBlock)+1) )
+    fPayload =  data + firstBlock
+    for guess in string.printable:
+      guess = bytes(guess,'utf-8')
+      server.send(b'enc\n')
+            #server.recv(1024)
+      sleep(sleepT)
+            #The second pad can be whatever
+      #if(len(firstBlock)>0):
+      #  toSend = pad1 + fPayload + firstBlock + guess + data
+      #$else:
+      toSend = pad1 + fPayload + pad2Guessed + guess + fPayload
+      print(f"Payload len: {len(fPayload+pad2Guessed+guess+fPayload)}")
+      print(f"Sending {toSend} with len {len(toSend)} and PAD2Len:{pad2Len}")
+      server.send( toSend.hex())
+      server.send(b'\n')
+      sleep(sleepT)
+            #print(server.recv(4096))
+            #sleep(3)
+      try:
+        ciphertext = server.recv(4096)
+        ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b'\n')[0].strip().decode('utf-8'))
+                    #print(ciphertext)
+                    #ciphertext = bytes.fromhex(ciphertext.strip(b" >").split(b"\n")[0].decode('utf-8'))
+      except:
+        ciphertext = bytes.fromhex(ciphertext.split(b'\n')[4].strip(b" >").decode('utf-8'))
+                    #print(f"ERROR CIPHER:{ciphertext}")
+                    #g = g - 1
+
+        if ciphertext[16:32] == ciphertext[32:48]:
+          print(f"Matched guess: {guess}")
+
+        firstBlock += guess
+        print(f"FLAG Already Guessed: {firstBlock}")
+        break

crypto-simmetric/fool-the-oracle-v4/chall.py

@@ -0,0 +1,44 @@
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad, unpad
+from Crypto.Random import get_random_bytes
+from random import randint
+from secret import flag
+
+assert (len(flag) == len("CRYPTO25{}") + 36)
+
+key = get_random_bytes(24)
+padding1_len = randint(1, 6)
+padding1 = get_random_bytes(padding1_len)
+padding2 = get_random_bytes(10 - padding1_len)
+flag = flag.encode()
+
+
+def encrypt() -> bytes:
+    data = bytes.fromhex(input("> ").strip())
+    payload = padding1 + data + padding2 + flag
+
+    cipher = AES.new(key=key, mode=AES.MODE_ECB)
+    print(cipher.encrypt(pad(payload, AES.block_size)).hex())
+
+
+def main():
+    menu = \
+        "What do you want to do?\n" + \
+        "quit - quit the program\n" + \
+        "enc - encrypt something\n" + \
+        "help - show this menu again\n" + \
+        "> "
+
+    while True:
+        cmd = input(menu).strip()
+
+        if cmd == "quit":
+            break
+        elif cmd == "help":
+            continue
+        elif cmd == "enc":
+            encrypt()
+
+
+if __name__ == '__main__':
+    main()