TJCTF2022

​ 我还是太菜了。

Forensics

感觉forensics是作为签到出的。

fake-geoguessr

JS文件里，base64解码。

cool-school

stegsolve不同通道查看。

spongebobo

根据题意可知，图片高度修改过，于是把高改大能够看见flag。

sneaker-zipper

直接用winrar解压的话，找不到flag。用unzip解压，可以看到这样一个文件：

把原始解压数据全部导出，用notepad打开能够看到flag tjctf{sneakers_with_zippers_are_hip_no?_874d174bb26fcf95}

出题人的脚本：

from uuid import uuid4
from zipfile import ZipFile, ZIP_DEFLATED

flag = open('flag.txt').read()

with ZipFile('chall.zip', 'w') as zf:
  zf.writestr('flag/', flag, ZIP_DEFLATED)
  for _ in range(100):
     zf.writestr(f'flag/flag-{uuid4()}.txt', 'your flag is in another castle', ZIP_DEFLATED)

Crypto

rsa-apprentice

最简单的rsa。

flimsy-fingered-latin-teacher

或许算是键盘密码的一种？把每个字符换成键盘上对应的左边字符即可。

factor-master

#!/usr/local/bin/python -u

from Crypto.Util.number import getPrime, isPrime, getRandomInteger
import sys, random

print("Are you truly the master here?")
print()
print("We'll have to find out...")
print()

def fail():
    print("You are not the master!")
    sys.exit(1)

def challenge1():
    p = getPrime(44)
    q = getPrime(1024)
    n = p * q
    return [p, q], n

def challenge2():
    p = getPrime(1024)
    q = p + getRandomInteger(524)
    if q % 2 == 0: q += 1
    while not isPrime(q): q += 2
    n = p * q
    return [p, q], n

def challenge3():
    small_primes = [n for n in range(2,10000) if isPrime(n)]
    def gen_smooth(N):
        r = 2
        while True:
            p = random.choice(small_primes)
            if (r * p).bit_length() > N:
                return r
            r *= p
    p = 1
    while not isPrime(p):
        p = gen_smooth(1024) + 1
    q = getPrime(1024)
    n = p * q
    return [p, q], n

challenges = [challenge1, challenge2, challenge3]
responses = ["Okay, not bad.", "Nice job.", "Wow."]

for i, chal in enumerate(challenges):
    print(f"CHALLENGE {i+1}")
    factors, n = chal()
    factors.sort()
    print(f"n = {n}")
    guess = input("factors = ? ")
    if guess != " ".join(map(str,factors)):
        fail()
    print(responses[i])
    print()

print("Here's your flag:")
with open("flag.txt") as f:
    print(f.read().strip())

chall1用rho或者直接遍历试除，yafu即可。

chall2费马分解，很快。

def fermat(num):
    x = iroot(num,2)[0]
    if x * x < num:
        x += 1

    # y^2 = x^2 - num
    while (True):
        y2 = x * x - num
        y = iroot(y2,2)[0]
        if y * y == y2:
            break
        x += 1 #p q相差较大时遍历就很慢了
    m = [int(x + y), int(x - y)]
    m.sort()
    return m

chall3显然是Pollards_p_1，也很快。

def Pollards_p_1(N):
    l = []
    a = 2
    n = 2
    while True:
        a = pow(a, n, N)
        res = gcd(a-1, N)
        if res != 1 and res != N:
            l.append(int(res))
            l.append(int(N//res))
            break
        n += 1
    l.sort()
    return l

mac-master

#!/usr/local/bin/python -u
import hashlib
import os

with open("flag.txt") as f:
    FLAG = f.read()

QUERIED = set()
KEY = os.urandom(16)

print("Introducing Neil-MAC (NMAC), the future of hash-based message")
print("authentication codes!")
print()
print("No longer susceptible to those pesky length extension attacks!")
print()

def nmac(message):
    return hashlib.md5(message + KEY).hexdigest()

def query():
    print("What message would you like to query a tag for?")
    print("Enter message hex-encoded:")
    hex_message = input()
    message = bytes.fromhex(hex_message)
    QUERIED.add(message)
    print("Tag:", nmac(message))

def challenge():
    print("Challenge time!")
    print("Enter message hex-encoded:")
    hex_message = input()
    tag = input("Tag: ")
    message = bytes.fromhex(hex_message)
    if message in QUERIED:
        print("You already queried that message!")
    elif nmac(message) == tag:
        print("Nice job!")
        print("Flag:", FLAG)

while True:
    print("What do you want to do?")
    print("1) Query a message")
    print("2) Challenge")
    match input():
        case "1":
            query()
        case "2":
            challenge()
            break
        case _:
            print("???")

md5并不安全，其中一个特性是当两个等长的字符串有相同的md5值时，后边同时拼接任何相同字符串之后的字符串，md值仍然不变。

所以只要找到两个长度相同且碰撞的字符串即可。

morph-master

#!/usr/local/bin/python -u

from Crypto.Util.number import *

N = 1024
p = getPrime(N)
q = getPrime(N)
assert GCD(p * q, (p - 1) * (q - 1)) == 1

n = p * q
s = n ** 2
λ = (p - 1) * (q - 1) // GCD(p - 1, q - 1)
g = getRandomRange(1, s)
L = lambda x : (x - 1) // n
μ = pow(L(pow(g, λ, s)), -1, n)

def encrypt(m):
    r = getRandomRange(1, n)
    c = (pow(g, m, s) * pow(r, n, s)) % (s)
    return c

def decrypt(c):
    m = (L(pow(c, λ, s)) * μ) % n
    return m

print(f"public key (n, g) = ({n}, ?)")
print(f"E(4) = {encrypt(4)}")
print()
print("Encrypt 'Please give me the flag' for your flag:")
c = int(input())
m = decrypt(c)

if long_to_bytes(m) == b"Please give me the flag":
    print("Okay!")
    with open("flag.txt") as f:
        print(f.read())
else:
    print("Hmm... not quite.")

Paillier密码体制。本题需要对字符串Please ive me the flag进行加密，把密文传给服务器获得flag。但我们不知道加密参数r和g。题目给了一个密文：

$$c = g^4*r^n \mod n^2$$

我们只能由这个密文来构造目标密文。因为直到n，所以可以求出4模n的逆t。

$$4t\equiv1\mod n$$

计算4的密文c的t次方，再将其解密，会发现幂次上4被消掉了。

$$(g^4*r^n)^{\lambda.t}\equiv g^{4t\lambda} \equiv g^\lambda \mod n^2$$

那么只需要计算4的密文c的m*t次方发送给服务器即可，解密时就只剩下m了。

from Crypto.Util.number import *
from gmpy2 import *

n = 21538076603559098667143413455535267098408428473246545075423393122172459194498972157464099306849872941569421465267053513744561026677661497661544612770734541676576605829414499614801302354748794202237919002206625177647331490738602791935148799363634979058468913100639567532013450332320015030994201012069870039792388196426534171135010238584579591736320109952807142590507849679696825603789335797297078948754698326785777189327517749561450412933722331804880397102103649947975088763933263153648021816661566787291685024949023696377378010401474545607096492915701164461941726923716358892676178068913756969474139950757511748251751
c = 387554035019947702810813720305012873361942339600887318221278054247638549505531932126482645467956995743723834422099007661913465638309372372580394498558647775087576326037055938025305932930246105968512871804759941339198809082373573688741688603151409854339980722380124655942283190399407616526004159105574934166074114865747762759255199546653778465136743901867874098084335946203182618206186781912113438749934047341921274304083463437523184532213609873313308025727870360382748589557384237474276030749179735540787438451040474139687918889742259170771842255543128043679411223521492636395444747034537138277485794945279336394113471150945850875120070894319639627500633428304283242025646723945866869355232984961527091593861490809755810253806918191058785306481004365415942824771757051168324087484432602718299745076161068951214220460382977416621252844225546925500123859979152352095571556694865035622093466759882835412555109630587220432171621789597794278778658633234219548171031296334662303517965518634197427137478184494384320154372321281172967407022678772510610258824626102587285500342541072164193341798614828904791904016226542182411269842310920109701283819406392869858963673457329215897724970920758064182788606095091473286731709821903356689713204885
t = invert(4,n**2)
s = b"Please give me the flag"
l = bytes_to_long(s)
m = t*l
print(pow(c,m,n**2))

7sckp

#!/usr/local/bin/python -u

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
import random
from time import time

key = get_random_bytes(16)
flag = open('flag.txt', 'rb').read().strip()


def pad(msg, block_size):
    random.seed(seed) # 伪随机数种子
    p = b''
    pad_len = block_size - (len(msg) % block_size)
    while len(p) < pad_len:
        b = bytes([random.randrange(256)])
        if b not in p:
            p += b

    return msg + p


def unpad(msg, block_size):
    random.seed(seed)
    p = b''
    while len(p) < block_size:
        b = bytes([random.randrange(256)])
        if b not in p:
            p += b

    if p[0] not in msg:
        raise ValueError('Bad padding')

    pad_start = msg.rindex(p[0]) # 注意rindex用法
    if msg[pad_start:] != p[:len(msg) - pad_start]:
        raise ValueError('Bad padding')

    return msg[:pad_start]


def encrypt(data):
    cipher = AES.new(key, AES.MODE_CBC)
    ct = cipher.encrypt(pad(data, AES.block_size))
    return cipher.iv + ct


def decrypt(data):
    iv = data[:AES.block_size]
    ct = data[AES.block_size:]
    cipher = AES.new(key, AES.MODE_CBC, iv=iv)
    return unpad(cipher.decrypt(ct), AES.block_size)


print('Hi! Welcome to our oracle, now extra secure because of our custom padding!')
seed = int(time() // 10) # 时间戳作为seed
print('We have this really cool secret here: ' + encrypt(flag).hex())


while True:
    try:
        decrypt(bytes.fromhex(input("Ciphertext: ")))
        print("ok")
    except:
        print("error!!!")
    print()

​ 这里的aes的pad方式不是PKCS5/7，但由于seed = int(time() // 10)，只要我们在连接服务器以后取一个time()，就能获取到和服务器同步的seed值（//10说明只要在10s内取time()，seed都和服务器一致）。那么利用seed就可以通过random生成同样的伪随机数序列（这里假设为0x01，0x02…）。

​ 拿到服务器给的密文，可以先把密文前的iv分离出来。然后可以搜索剩余字符串中的最后一个0x01找到padding的起始位置。既然知道iv，那么只要获得cbc解密的中间值（和iv异或之前的值），再把中间值和iv做异或就能拿到flag。下面就是padding attack了，考虑加解密只填充一个字节的情况：我们可以让iv的值前15个字节全是0x00，爆破最后一个字节（遍历2^256次），只要解密出的字符串的最后一个字节为加密时的伪随机数序列的第一个即可（此时服务器返回值为“ok“），那么把当前iv的最后一个字节和0x01异或就能得到中间值的最后一个字节。

​ 那如何获得倒数第二个字节？考虑加密时填充两个字节的情况：假设填充的是0x01，0x02，由于已知中间值最后一个字节，可以把它和0x02异或得到本轮iv的最后一个字节，那么现在对输入的iv的倒数第二个字节进行爆破，直到服务器返回”ok“，此时iv的倒数第二个字节和0x01的异或值即为中间值的倒数第二个字节。同理可以反复爆破出剩余的中间值，最后做异或得到flag。

​ 环境关了，没办法用exp打了。

cmplex-secrets

from sage.geometry.hyperbolic_space.hyperbolic_isometry import moebius_transform
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

CC = ComplexField(1000)  # 1000控制数字精度
M = random_matrix(CC, 2, 2) # 莫比乌斯变换的系数矩阵
f = lambda z: moebius_transform(M, z)

for _ in range(3):
  z = CC.random_element()
  print(f'{z}, {f(z)}')

kz = CC.random_element()
print(kz)
kw = f(kz)

mod = 2^128
key = (kw.real() * mod).round() % mod # 实部
iv = (kw.imag() * mod).round() % mod # 虚部

cipher = AES.new(long_to_bytes(key), AES.MODE_CBC, iv=long_to_bytes(iv))
flag = open('flag.txt', 'rb').read().strip()
print(cipher.encrypt(pad(flag, AES.block_size)).hex())

output：

0.751252475104902150054380260470082424940942078488589894835886382094520190155911685470371563701050697369544183678751477257366099792755542882738643885424403515309537713563954860359663092864297857722224211735174822128973163115308255633275717637048280034121430229730706501004373373606840613994093199272904 + 0.841861668516763747294345674363435037443728024638358025489205420413810104159006020506652639342846307992268857781065122156824070983948139347566280848043828162904529025108794173434070438994770903784077684729182119999999898429743502486564839408270440285915918786473949066441772595234741831309205651684568*I, 0.201820552659701567278699820457045288901739276475853715712764100364937770257073328213893265099577849805388343984823145356791212924649323204732529753602937115951408753746134803411134175204452068540445902455697100192364440968304237174405996380992768382752192891217816103133892621205190519839564725222336 - 0.423816958824499168732085508644057100988923673137297816050916269940199941289657589117016109479205180610293129190788130020334848589072754129840997885723883185873975039584829641029595055712803537604372394828956037589154549949135860267390135900885507020456790920944606711851387870845794071809212463826331*I
0.776514793014311984655381138131509469524119992819474341428630456463062790504804085732082006149990815536681444111523509785092822425698382654446410973046444281734605680914187333689998896693689515515572759566347286867634521643581373917824881234446339954362247273943593098930150187397950843860306622863580 - 0.475941057343914186895589101614692640391909664493116855595391636931715883641297227266824525033304512086494648741752634404427477616507082658573651384315523503299684846939359967818427022483531221272993316410991540493338441862300216790766719914758162337707917622972274977542891277169823499536763125709585*I, -0.0829824818323282231623134481057668754985546957232604522537959371649871583122429186730368826584813431855656529072360381066022438542967328924620815379076055266869158774334279817117785958274749511064133235090193481885185609994694126394591206558758685625397685334044491178052667228923075424247180695156733 - 0.345968105333553918003350791800133871917169258067196813155704860190219573649329520234046050433552655043308191278482739184238585083866790899409442542622314116242407901893394617331646886924568686923321775812031833527308561174363131001702994010093133515271661218024100064870678806860802831198736170237818*I
-0.663391286734319736221346827623975650876654174129163479999853756391523203053535380294499772727456329988663661017976540801565872590854885766890888718844237565749376595356449959916640884087636566696028558587824118362193073284962397122081289899459328925814593804377359288230153455767585281669116316313838 - 0.541972552032528264213207333690290306273643909443286376166758545232778816979109002956992498760686744632107620506460722001053633042992521936775229761220922161685536981820475802554464255845679826910500220248396022338451861954865035006422732330447426553673873063666046382284940947655478871891111612590363*I, -0.581553240882262142181162436851132289784778023925017966570121189620721985017340981461901293038675551540555862372770197898969554728546495567114247578757093239302052370860105596035152108951138049420348497070193324989773752109127977897835841630760517346911518784515371336885087578772556126040706025016486 - 0.148891000802543728193673210236342762919468936522408931382020735274855877447158050594952372999611361659214905876927902350126036191702513383200942854542901034359507175169802518275202909250334785751232390353915118390153035895526806899854120766226305502441103032328925290052995543903563706593391160092495*I
-0.0968534235652319724025450700698245234813539980041800600675421557470079496692551704865634640081720474347208421764841452873771406009576502860884618489512416419757653899190683903143407896055069135527721841815213047414891185198812567191127563886853563460067525848162939956023227470365024430670027432479732 + 0.719846481319096444790392680396336625594155249590319099592967249434838543457064356759442590295332754722430981682955876722774704123394791814708454569343858536944427455385194480750097647064579948613218733596833670889225422205686067565808161860977900582097779526341740619742016067509756290527564777944900*I
02c0142e94bdb20796edd08352ffe716a03afdffc2926c99e79620873a47f5149a67213d8c97b53fce16fb78f66c28cd

​ 纯数学问题了，就作为了解吧。

​ 题目是一个默比乌斯变换，大致理解了下，就是一类从黎曼球面映射到自身的函数，可以用扩展复平面上的复数表示。

​ 给了三组函数的映射值（z和f（z）），我们需要求出系数矩阵，然后计算kz对应的函数值。由于此函数的复比不变性：

$$\frac{(z_1-z_3)(z_2-z_4)}{(z_1-z_4)(z_2-z_3)}=\frac{(w_1-w_3)(w_2-w_4)}{(w_1-w_4)(w_2-w_3)}$$

​ 可以推导：

$$(z_1-z_3)(z_2-z_4)(w_2-w_3)(w_1-w_4)=(z_1-z_4)(z_2-z_3)(w_1-w_3)(w_2-w_4)$$ $$A=(z_1-z_3)(z_2-z_4)(w_2-w_3),B=(z_1-z_4)(z_2-z_3)(w_1-w_3)$$

​ 所以：

$$w_4=\frac{Aw_1-Bw_2}{A-B}$$

z1,w1 = 0.751252475104902150054380260470082424940942078488589894835886382094520190155911685470371563701050697369544183678751477257366099792755542882738643885424403515309537713563954860359663092864297857722224211735174822128973163115308255633275717637048280034121430229730706501004373373606840613994093199272904 + 0.841861668516763747294345674363435037443728024638358025489205420413810104159006020506652639342846307992268857781065122156824070983948139347566280848043828162904529025108794173434070438994770903784077684729182119999999898429743502486564839408270440285915918786473949066441772595234741831309205651684568*I, 0.201820552659701567278699820457045288901739276475853715712764100364937770257073328213893265099577849805388343984823145356791212924649323204732529753602937115951408753746134803411134175204452068540445902455697100192364440968304237174405996380992768382752192891217816103133892621205190519839564725222336 - 0.423816958824499168732085508644057100988923673137297816050916269940199941289657589117016109479205180610293129190788130020334848589072754129840997885723883185873975039584829641029595055712803537604372394828956037589154549949135860267390135900885507020456790920944606711851387870845794071809212463826331*I
z2,w2 = 0.776514793014311984655381138131509469524119992819474341428630456463062790504804085732082006149990815536681444111523509785092822425698382654446410973046444281734605680914187333689998896693689515515572759566347286867634521643581373917824881234446339954362247273943593098930150187397950843860306622863580 - 0.475941057343914186895589101614692640391909664493116855595391636931715883641297227266824525033304512086494648741752634404427477616507082658573651384315523503299684846939359967818427022483531221272993316410991540493338441862300216790766719914758162337707917622972274977542891277169823499536763125709585*I, -0.0829824818323282231623134481057668754985546957232604522537959371649871583122429186730368826584813431855656529072360381066022438542967328924620815379076055266869158774334279817117785958274749511064133235090193481885185609994694126394591206558758685625397685334044491178052667228923075424247180695156733 - 0.345968105333553918003350791800133871917169258067196813155704860190219573649329520234046050433552655043308191278482739184238585083866790899409442542622314116242407901893394617331646886924568686923321775812031833527308561174363131001702994010093133515271661218024100064870678806860802831198736170237818*I
z3,w3 = -0.663391286734319736221346827623975650876654174129163479999853756391523203053535380294499772727456329988663661017976540801565872590854885766890888718844237565749376595356449959916640884087636566696028558587824118362193073284962397122081289899459328925814593804377359288230153455767585281669116316313838 - 0.541972552032528264213207333690290306273643909443286376166758545232778816979109002956992498760686744632107620506460722001053633042992521936775229761220922161685536981820475802554464255845679826910500220248396022338451861954865035006422732330447426553673873063666046382284940947655478871891111612590363*I, -0.581553240882262142181162436851132289784778023925017966570121189620721985017340981461901293038675551540555862372770197898969554728546495567114247578757093239302052370860105596035152108951138049420348497070193324989773752109127977897835841630760517346911518784515371336885087578772556126040706025016486 - 0.148891000802543728193673210236342762919468936522408931382020735274855877447158050594952372999611361659214905876927902350126036191702513383200942854542901034359507175169802518275202909250334785751232390353915118390153035895526806899854120766226305502441103032328925290052995543903563706593391160092495*I
z = -0.0968534235652319724025450700698245234813539980041800600675421557470079496692551704865634640081720474347208421764841452873771406009576502860884618489512416419757653899190683903143407896055069135527721841815213047414891185198812567191127563886853563460067525848162939956023227470365024430670027432479732 + 0.719846481319096444790392680396336625594155249590319099592967249434838543457064356759442590295332754722430981682955876722774704123394791814708454569343858536944427455385194480750097647064579948613218733596833670889225422205686067565808161860977900582097779526341740619742016067509756290527564777944900*I
A = (w1-w2)*(z-z2)*(z1-z3)
B = (w1-w3)*(z1-z2)*(z-z3)

kw = ((w3*A) - (w2*B)) / (A-B)

mod = 2^128
key = (kw.real() * mod).round() % mod
iv = (kw.imag() * mod).round() % mod

from Crypto.Cipher import AES
from libnum import n2s
cipher = AES.new(n2s(int(key)), AES.MODE_CBC, iv=n2s(int(iv)))
ct = bytes.fromhex("02c0142e94bdb20796edd08352ffe716a03afdffc2926c99e79620873a47f5149a67213d8c97b53fce16fb78f66c28cd")
print(cipher.decrypt(ct))

#tjctf{ar3_y0u_a_c1rcl3_0r_a_l1n3?}