ALL the CTFS of Crypto2025 finally

crypto-simmetric/forge-another-cookie/attack.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+from pwn import *
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import pad, unpad
+from Cryptodome.Util.number import long_to_bytes, bytes_to_long
+HOST = "130.192.5.212"
+PORT = "6552"
+server = remote(HOST,PORT)
+sleepT = 0.1
+#21 bytes of cookie + username bytes to add
+"""firstBlock=b'username='+b'A'*7
+print(len(firstBlock))
+#secondBlock=pad(b'true',AES.block_size)
+thirdBlock=b'A'*9+b'&admin='
+print(len(firstBlock+thirdBlock))"""
+payload = b'A'*7+pad(b'true',AES.block_size)+b'B'*9
+# &admin in one block and false in another one
+# remove false and add true block
+print(server.recv(1024))
+sleep(sleepT)
+print(f"Sending:{payload,len(payload)}")
+server.send(payload)
+server.send(b'\n')
+sleep(sleepT)
+enc = server.recv(1024).strip().split(b'\n')[0]
+enc = int(enc)
+enc=long_to_bytes(enc)
+#print(enc[0:16])
+#print(enc[16:32])
+copypaste=enc[0:16]+enc[32:48]+enc[16:32]
+out=bytes_to_long(copypaste)
+sleep(sleepT)
+server.send(b'flag\n')
+print(server.recv(1024))
+sleep(sleepT)
+server.send(str(out))
+server.send(b'\n')
+print(server.recv(1024))
+sleep(sleepT)

crypto-simmetric/forge-another-cookie/chall.py

@@ -0,0 +1,94 @@
+from Cryptodome.Cipher import AES
+from Cryptodome.Util.Padding import pad, unpad
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util.number import long_to_bytes, bytes_to_long
+#from secret import flag
+
+key = get_random_bytes(32)
+
+flag="puppa"
+
+def sanitize_field(field: str):
+    return field \
+        .replace("/", "_") \
+        .replace("&", "") \
+        .replace(":", "") \
+        .replace(";", "") \
+        .replace("<", "") \
+        .replace(">", "") \
+        .replace('"', "") \
+        .replace("'", "") \
+        .replace("(", "") \
+        .replace(")", "") \
+        .replace("[", "") \
+        .replace("]", "") \
+        .replace("{", "") \
+        .replace("}", "") \
+        .replace("=", "")
+
+
+def parse_cookie(cookie: str) -> dict:
+    parsed = {}
+    for field in cookie.split("&"):
+        key, value = field.strip().split("=")
+        key = sanitize_field(key.strip())
+        value = sanitize_field(value.strip())
+        parsed[key] = value
+
+    return parsed
+
+
+def login():
+    username = input("Username: ")
+    username = sanitize_field(username)
+
+    cipher = AES.new(key, AES.MODE_ECB)
+
+    cookie = f"username={username}&admin=false"
+    #cookie=f"username={'A'*11}&admin=false"
+    print(cookie.encode())
+    print(len(cookie.encode()))
+    print(pad(cookie.encode(),AES.block_size))
+    out = bytes_to_long(cipher.encrypt(pad(cookie.encode(), AES.block_size)))
+    print(len(long_to_bytes(out)))
+    print(out)
+    #print(len(bytes_to_long(cipher.encrypt(pad(cookie.encode(), AES.block_size)))))
+
+def get_flag():
+    cookie = int(input("Cookie: "))
+
+    cipher = AES.new(key=key, mode=AES.MODE_ECB)
+
+    try:
+        dec_cookie = unpad(cipher.decrypt(
+            long_to_bytes(cookie)), AES.block_size).decode()
+        print("Dec:"+dec_cookie)
+        token = parse_cookie(dec_cookie)
+        print(token)
+        if token["admin"] != 'true':
+            print("You are not an admin!")
+            return
+
+        print(f"OK! Your flag: {flag}")
+    except:
+        print("Something didn't work :C")
+
+
+if __name__ == "__main__":
+    login()
+
+    menu = \
+        "What do you want to do?\n" + \
+        "quit - quit the program\n" + \
+        "help - show this menu again\n" + \
+        "flag - get the flag\n" + \
+        "> "
+    while True:
+        cmd = input(menu).strip()
+
+        if cmd == "quit":
+            break
+        elif cmd == "help":
+            continue
+        elif cmd == "flag":
+            get_flag()