added BCACTF 5.0 writeups

content/ctf-writeups/_index.md

@@ -4,6 +4,7 @@ toc: true
 ---
 
 {{< cards >}}
+  {{< card link="bcactf_5.0" title="BCACTF 5.0" icon="pencil">}}
   {{< card link="byu-ctf" title="BYUCTF'24" icon="pencil" >}}
   {{< card link="bo1lers-ctf" title="Bo1lersCTF'24" icon="pencil" >}}
   {{< card link="amateur-ctf" title="AmateurCTF'24" icon="pencil" >}}

content/ctf-writeups/bcactf_5.0/_index.md

@@ -0,0 +1,10 @@
+---
+title: BCACTF 5.0
+toc: true
+---
+{{< cards >}}
+  {{< card link="crypto" title="Crypto Writeups" icon="pencil" >}}
+  {{< card link="forensics" title="Forensics Writeups" icon="pencil" >}}
+  {{< card link="misc" title="Misc Writeups" icon="pencil" >}}
+  {{< card link="web" title="Web Writeups" icon="pencil" >}}
+{{< /cards >}}

content/ctf-writeups/bcactf_5.0/assets/scripts/Encryptor-Shop/server.py

@@ -0,0 +1,37 @@
+from Crypto.Util.number import *
+
+p = getPrime(1024)
+q = getPrime(1024)
+r = getPrime(1024)
+n = p * q
+phi = (p - 1) * (q - 1)
+e = 65537
+d = pow(e, -1, phi)
+
+print("Welcome to the enc-shop!")
+print("What can I encrypt for you today?")
+
+
+for _ in range(3):
+    message = input("Enter text to encrypt: ")
+    m = bytes_to_long(message.encode())
+    c = pow(m, e, n)
+    print(f"Here is your encrypted message: {c}")
+    print(f"c = {c}")
+    print("Here is the public key for your reference:")
+    print(f"n = {n}")
+    print(f"e = {e}")
+
+print("Thank you for encrypting with us!")
+print("In order to guarantee the security of your data, we will now let you view the encrypted flag.")
+x=input("Would you like to view it? (yes or no) ")
+
+if x.lower() == "yes":
+    with open("flag.txt", "r") as f:
+        flag = f.read().strip()
+    m = bytes_to_long(flag.encode())
+    n = p*r
+    c = pow(m, e, n)
+    print(f"Here is the encrypted flag: {c}")
+    print("Here is the public key for your reference:")
+    print(f"n = {n}")

content/ctf-writeups/bcactf_5.0/assets/scripts/Encryptor-Shop/solve.py

@@ -0,0 +1,29 @@
+from pwn import *
+
+r = remote('challs.bcactf.com',31704)
+# context.log_level = 'debug'
+
+r.recvuntil(b': ')
+r.sendline(b'\x00')
+r.recvuntil(b'n = ')
+n = int(r.recvline().decode().strip())
+for i in range(2):
+    r.recvuntil(b': ')
+    r.sendline(b'\x00')
+r.recvuntil(b') ')
+r.sendline(b'yes')
+r.recvuntil(b': ')
+c = int(r.recvline().decode().strip())
+r.recvuntil(b'n = ')
+n2 = int(r.recvline().decode().strip())
+
+import math
+p = math.gcd(n,n2)
+r = n2//p
+phi = n2-p-r+1
+e = 65537
+d = pow(e,-1,phi)
+m = pow(c,d,n2)
+
+from Crypto.Util.number import *
+print(long_to_bytes(m).decode())

content/ctf-writeups/bcactf_5.0/assets/scripts/RSAEncrypter/rsa_encrypter.py

@@ -0,0 +1,18 @@
+from Crypto.Util.number import getPrime, bytes_to_long, long_to_bytes
+
+
+message = open("./flag.txt").read().encode('utf-8')  
+
+
+def encode():
+    n = getPrime(512)*getPrime(512)
+    ciphertext = pow(bytes_to_long(message), 3, n)
+    return (ciphertext, n)
+
+print("Return format: (ciphertext, modulus)")
+print(encode())
+sent = input("Did you recieve the message? (y/n) ")
+while sent=='n':
+    print(encode())
+    sent = input("How about now? (y/n) ")
+print("Message acknowledged.")

content/ctf-writeups/bcactf_5.0/assets/scripts/RSAEncrypter/solve.py

@@ -0,0 +1,24 @@
+from pwn import *
+
+r = remote('challs.bcactf.com',31452)
+# context.log_level = 'debug'
+
+r.recvuntil(b')\n')
+ct1,n1 = eval(r.recvline().decode().strip())
+r.recvuntil(b') ')
+r.sendline(b'n')
+ct2,n2 = eval(r.recvline().decode().strip())
+r.recvuntil(b') ')
+r.sendline(b'n')
+ct3,n3 = eval(r.recvline().decode().strip())
+r.recvuntil(b') ')
+r.sendline(b'y')
+
+from sympy.ntheory.modular import crt
+m_cube = crt([n1,n2,n3] , [ct1,ct2,ct3])[0]
+
+from gmpy2 import iroot
+m = int(iroot(m_cube,3)[0])
+
+from Crypto.Util.number import *
+print(long_to_bytes(m).decode())

content/ctf-writeups/bcactf_5.0/assets/scripts/Touch_Tone_Telephone/script.py

@@ -0,0 +1,16 @@
+# Define the input string
+input_string = "xpdReWEfno4BtvReUHxu8tBrknyUh128DolsWh1oz7cnUDygIxkCItws05vN8SdkFpTPRvVNUcRTtoS7zEUaf7ONI3n0UtVuIli9BcPfxECYmDI_4E3rJAUhYGV9wOFI"
+
+# Define the list of hexadecimal indices
+hex_indices = [
+    0x61, 0x72, 0x6c, 0x38, 0x2b, 0x6f, 0x3e, 0x59, 0x6c, 0x38, 
+    0x19, 0x6f, 0x1d, 0x72, 0x0a, 0x45, 0x59, 0x6f, 0x6c, 0x2e, 
+    0x6f, 0x6c, 0x26, 0x2b, 0x02, 0x6f, 0x01, 0x26, 0x72, 0x53, 
+    0x39, 0x04
+]
+
+# Extract characters based on the indices
+resultant_string = ''.join(input_string[index] for index in hex_indices)
+
+# Print the resultant string
+print(resultant_string)

content/ctf-writeups/bcactf_5.0/assets/scripts/Touch_Tone_Telephone/solve.py

@@ -0,0 +1,15 @@
+# Define the mapping
+mapping = {
+    '1': '0', '2': '1', '3': '2', 'A': '3', '4': '4', '5': '5', '6': '6', 'B': '7',
+    '7': '8', '8': '9', '9': 'A', 'C': 'B', '*': 'C', '0': 'D', '#': 'E', 'D': 'F'
+}
+
+# The encoded string
+encoded_str = ("47656*6*6D3#315B656*6A6D606531B46D31B4676531434A424A54463147656*B16*686#653#19546768BA316A626*6*316062B831636531B3656A6DB364656431666DB331B2B5626*68B4B83162BABAB5B3626#6A6531B1B5B3B16DBA65BA3#1919466DB3316A6762B33131A13*316B65B431686#6465B731A1B7A6A23#19466DB3316A6762B33131A23*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B33131A33*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B33131AA3*316B65B431686#6465B731A1B7AAA73#19466DB3316A6762B33131A43*316B65B431686#6465B731A1B7A3633#19466DB3316A6762B33131A53*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B33131A63*316B65B431686#6465B731A1B7AA653#19466DB3316A6762B33131AB3*316B65B431686#6465B731A1B7A5A83#19466DB3316A6762B33131A73*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B33131A83*316B65B431686#6465B731A1B7AAA73#19466DB3316A6762B331A2A13*316B65B431686#6465B731A1B7A2A83#19466DB3316A6762B331A2A23*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A2A33*316B65B431686#6465B731A1B7A2643#19466DB3316A6762B331A2AA3*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B331A2A43*316B65B431686#6465B731A1B7A1623#19466DB3316A6762B331A2A53*316B65B431686#6465B731A1B7A4A53#19466DB3316A6762B331A2A63*316B65B431686#6465B731A1B7A5A83#19466DB3316A6762B331A2AB3*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A2A73*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B331A2A83*316B65B431686#6465B731A1B7A3653#19466DB3316A6762B331A3A13*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A3A23*316B65B431686#6465B731A1B7A66A3#19466DB3316A6762B331A3A33*316B65B431686#6465B731A1B7A3A63#19466DB3316A6762B331A3AA3*316B65B431686#6465B731A1B7A3633#19466DB3316A6762B331A3A43*316B65B431686#6465B731A1B7A1A33#19466DB3316A6762B331A3A53*316B65B431686#6465B731A1B7A6663#19466DB3316A6762B331A3A63*316B65B431686#6465B731A1B7A1A23#19466DB3316A6762B331A3AB3*316B65B431686#6465B731A1B7A3A63#19466DB3316A6762B331A3A73*316B65B431686#6465B731A1B7ABA33#19466DB3316A6762B331A3A83*316B65B431686#6465B731A1B7A5AA3#19466DB3316A6762B331AAA13*316B65B431686#6465B731A1B7AAA83#19466DB3316A6762B331AAA23*316B65B431686#6465B731A1B7A1A43#191919516*6562BA6531676D6*6431BB67686*6531BB6531BA656#6431B86DB531B3626#646D60316B62B363626B6531B46762B431B86DB531BA676DB56*6431686#6465B731686#B46D31B46D316B65B431B4676531666*626B3#195B67656#31B86DB53BB3653166686#68BA6765643*3160626C6531BAB5B36531B46D31BBB362B131B4676531666*626B31686#31B4676531B1B36DB165B331666DB36062B43#19B7B16453655B45666#6DA443B4B653655547B7B5A7B443B36C6#B85567A2A3A7446D6*BA5B67A26DB9AB6A6#5544B86B48B76C4A48B4BBBAA1A5B64#A75A646C46B1545153B6564#556A5354B46D5AABB945556266AB4D4#48AA6#A155B456B5486*68A8436A5166B7454A586044485DA445AAB349425567584B56A8BB4D4648")
+
+# Decode the string
+decoded_str = ''.join(mapping.get(char, char) for char in encoded_str)
+
+bytes_obj = bytes.fromhex(decoded_str)
+result_string = bytes_obj.decode("utf-8")
+print(result_string) 

content/ctf-writeups/bcactf_5.0/assets/scripts/cha-cha-slide/server.py

@@ -0,0 +1,36 @@
+from Crypto.Cipher import ChaCha20
+
+from os import urandom
+
+key = urandom(32)
+nonce = urandom(12)
+
+secret_msg = urandom(16).hex()
+
+def encrypt_msg(plaintext):
+    cipher = ChaCha20.new(key=key, nonce=nonce)
+    return cipher.encrypt(plaintext.encode()).hex()
+
+print('Secret message:')
+print(encrypt_msg(secret_msg))
+
+print('\nEnter your message:')
+user_msg = input()
+
+if len(user_msg) > 256:
+    print('\nToo long!')
+    exit()
+
+print('\nEncrypted:')
+print(encrypt_msg(user_msg))
+
+print('\nEnter decrypted secret message:')
+decrypted_secret_msg = input()
+
+if len(decrypted_secret_msg) == len(secret_msg):
+    if decrypted_secret_msg == secret_msg:
+        with open('../flag.txt') as file:
+            print('\n' + file.read())
+        exit()
+
+print('\nIncorrect!')

content/ctf-writeups/bcactf_5.0/assets/scripts/cha-cha-slide/solve.py

@@ -0,0 +1,17 @@
+from pwn import *
+from Crypto.Util.number import *
+
+r = remote('challs.bcactf.com',31100)
+context.log_level = 'debug'
+r.recvuntil(b':\n')
+ct = r.recvline().decode().strip()
+payload = b'0'*(len(ct)//2)
+xor2 = int.from_bytes(payload,'big')
+ct = int(ct,16)
+r.recvuntil(b':\n')
+r.sendline(payload)
+r.recvuntil(b':\n')
+xor = int(r.recvline().decode().strip(),16)
+pt = ct^xor^xor2
+r.sendline(long_to_bytes(pt))
+r.interactive()

content/ctf-writeups/bcactf_5.0/assets/scripts/cinamon/server.js

@@ -0,0 +1,89 @@
+import { createHash, timingSafeEqual } from 'crypto'
+import { spawn } from 'child_process'
+import { readFileSync } from 'fs'
+import { join } from 'path'
+
+import express from 'express'
+
+const PORT = 3000
+
+const secretKey = readFileSync('secret-key.txt', 'utf-8')
+
+const app = express()
+
+app.set('view engine', 'ejs')
+
+app.use(express.urlencoded({ extended: true }))
+
+app.get('/', (_req, res) => {
+    res.render('index')
+})
+
+const safeCompare = (a, b) => {
+    a = Buffer.from(a, 'utf-8')
+    b = Buffer.from(b, 'utf-8')
+
+    return a.length === b.length && timingSafeEqual(a, b)
+}
+
+app.post('/execute', (req, res) => {
+    const { token, script } = req.body
+
+    if (typeof token !== 'string' || typeof script !== 'string') {
+        return res.render('execute', {
+            error: 'Token and script must be provided and must be strings.'
+        })
+    }
+
+    if (!script.trim().length) {
+        return res.render('execute', {
+            error: 'Please provide a script to execute.'
+        })
+    }
+
+    const hash = createHash('sha256')
+        .update(secretKey)
+        .update(Buffer.from(script.replaceAll('\r\n', '\n'), 'binary'))
+
+    if (!safeCompare(hash.digest('hex'), token)) {
+        return res.render('execute', {
+            error: 'Script token is invalid! ' +
+                'Contact a Cinnamon Dynamics employee to get your script ' +
+                'approved and receive a valid token for it.'
+        })
+    }
+
+    const child = spawn('deno', ['run', '--allow-read=.', '-'], {
+        cwd: join(process.cwd(), 'files'),
+        env: { ...process.env, NO_COLOR: 1 }
+    })
+
+    let stdout = ''
+    let stderr = ''
+
+    child.stdout.on('data', data => stdout += data.toString('utf-8'))
+    child.stderr.on('data', data => stderr += data.toString('utf-8'))
+
+    child.stdin.write(req.body.script)
+    child.stdin.end()
+
+    let timedOut = false
+
+    child.on('exit', exitCode => {
+        res.render('execute', {
+            error: timedOut ? 'Process timed out.' : null,
+            stdout: stdout.trim(),
+            stderr: stderr.trim(),
+            exitCode
+        })
+    })
+
+    setTimeout(() => {
+        if (!child.killed) {
+            timedOut = true
+            child.kill('SIGKILL')
+        }
+    }, 1_000)
+})
+
+app.listen(PORT, () => console.log(`Server listening on port ${PORT}`))

content/ctf-writeups/bcactf_5.0/assets/scripts/misc/eslint.config.mjs

@@ -0,0 +1,31 @@
+import globals from "globals";
+import pluginJs from "@eslint/js";
+
+
+export default [
+  {files: ["**/*.js"], languageOptions: {sourceType: "commonjs"}},
+  {languageOptions: { globals: globals.browser }},
+  pluginJs.configs.recommended,
+  {
+    rules: {
+        "no-unused-vars": "error",
+        "no-octal": "error",
+        "for-direction": "error",
+        "getter-return": "error",
+        "no-async-promise-executor": "error",
+        "no-compare-neg-zero": "error",
+        "no-cond-assign": "error",
+        "no-constant-condition": "error",
+        "no-control-regex": "error",
+        "no-dupe-args": "error",
+        "no-dupe-keys": "error",
+        "no-duplicate-case": "error",
+        "no-empty": "error",
+        "no-empty-character-class": "error",
+        "no-ex-assign": "error",
+        "no-extra-boolean-cast": "error",
+        "no-extra-semi": "error",
+        "no-invalid-regexp": "error",
+    }
+  }
+];