0xL4ugh chals

README.md

@@ -46,7 +46,11 @@
             <td><a href="https://ctftime.org/event/1249/tasks/" target="_blank">CTFtime</a></td>
         </tr>
         <tr>
-            <td rowspan=1><a href="ctfs/0xL4ugh">0xL4ugh</a></td>
+            <td rowspan=2><a href="ctfs/0xL4ugh">0xL4ugh</a></td>
+            <td><a href="ctfs/0xL4ugh/2024">2024</a></td>
+            <td><a href="https://ctftime.org/event/2216/tasks/" target="_blank">CTFtime</a></td>
+        </tr>
+        <tr>
             <td><a href="ctfs/0xL4ugh/2021">2021</a></td>
             <td><a href="https://ctftime.org/event/1248/tasks/" target="_blank">CTFtime</a></td>
         </tr>

ctfs/0xL4ugh/2024/README.md

@@ -0,0 +1 @@
+[CTFtime Page](https://ctftime.org/event/2216)

ctfs/0xL4ugh/2024/crypto/L4ugh/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
+ENV PAGER=''
+RUN apk add socat python3 py3-pip
+RUN adduser -D challenger
+RUN pip3 install setuptools wheel pycryptodome pycryptodomex --break-system-packages
+WORKDIR /home/challenger
+USER challenger
+COPY src/ .
+COPY exec.sh . 
+ENTRYPOINT ["sh","exec.sh"]

ctfs/0xL4ugh/2024/crypto/L4ugh/README.md

@@ -0,0 +1 @@
+My Decryptor Self Harms - Bit by Bit

ctfs/0xL4ugh/2024/crypto/L4ugh/build-docker.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+docker build -t l4ugh .
+docker run -dp 1337:1337 --rm -it l4ugh

ctfs/0xL4ugh/2024/crypto/L4ugh/exec.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+while true; do
+    socat TCP-LISTEN:1337,reuseaddr,fork SYSTEM:'python3 challenge.py'
+done

ctfs/0xL4ugh/2024/crypto/L4ugh/src/challenge.py

@@ -0,0 +1,66 @@
+from Crypto.Util.number import *
+from utils import * 
+
+Flag = '0xL4ugh{Fak3_Fl@g}'
+key = os.urandom(16)
+x = random.randint(2**10, 2**20)
+seed = "It's (666) the work of the devil..."
+print(seed)
+d = evilRSA(seed)
+d_evil = d >> (int(seed[6:9])//2)
+d_good = d %  pow(2,int(seed[6:9])//2)
+z='''1.d_evil
+2.d_good
+3.pass d to get to sec part
+Ex : {"option":"1"}
+d=d_evil+d_good
+'''
+print('all input data is in json')
+print(z)
+
+w='''1.get your token
+2.sign in'''
+while True:
+    test = json.loads(input('option:\t'))
+    if test['option'] == "1": 
+        Ns,es = RsaGen(d_evil)
+        print(f'Ns={Ns}')
+        print(f'es={es}')
+
+    if test['option'] == "2":
+        res = getrand(d_good)
+        print(f'RAND = {res}')
+
+    if test['option'] == "3":
+    # check = int(input('Enter the secret key to access admin privileges:\t'))
+        if int(test['d']) != d: 
+            print("you need to provide d to continue")
+            exit()
+        elif int(test['d']) == d:
+
+            z = json.loads(input(w))
+            if z['option'] == '1':
+                user = z['user']
+
+                data = {"id": x, "isadmin": False, "username": user}
+                print(data)
+                try:
+                    pt = json.dumps(data)
+                    ct = encrypt(pt)
+                    print(ct)
+                except json.JSONDecodeError as e:
+                    print(f"Error decoding JSON: {e}")
+                x += x
+            elif z['option'] == '2':
+                token = z['token']
+                dec = decrypt(token)
+                if dec is not None:
+                    print("Decrypted plaintext:", dec)
+                else:
+                    print("Decryption failed. cant decrypt :",dec) 
+                    continue    
+                flag(dec)
+
+
+
+main()

ctfs/0xL4ugh/2024/crypto/L4ugh/src/utils.py

@@ -0,0 +1,79 @@
+from Crypto.Util.number import * 
+from Crypto.Util.Padding import pad, unpad
+from Crypto.Cipher import AES
+import os
+import random
+import json
+key = os.urandom(16)
+Flag = '0xL4ugh{Fak3_Fl@g}'
+max_retries=19
+def evilRSA(seed):
+    d = 1 
+    while d.bit_length() != int(seed[6:9]): 
+        d = getPrime(int(seed[6:9]))
+        while not isPrime(d>>333):
+            d = getPrime(int(seed[6:9]))
+    return d 
+
+def RsaGen(d):
+    for _ in range(max_retries):
+        try:
+            Ns, es = [], []
+            for evilChar in '666':
+                p = getPrime(512)
+                q = getPrime(512)
+                phi = (p - 1) * (q - 1)
+                e = inverse(d, phi)
+                Ns.append(p * q)
+                es.append(e)
+
+            return Ns, es
+        except ValueError as e:
+            # Ignore the error and continue the loop
+            pass
+
+def getrand(good):
+    user_input = int(input("Enter your payload:\t"))
+    if user_input.bit_length() > (666//2): 
+        print("MEH")
+        return 
+    return [good*user_input + getPrime(666//2) for i in range(10)]
+
+def encrypt(pt):
+    IV = os.urandom(16)
+    cipher = AES.new(key, AES.MODE_CBC, IV)
+    encrypted = cipher.encrypt(pad(pt.encode(), 16))
+    return IV.hex() + encrypted.hex()
+
+def decrypt(ct):
+    try:
+        IV = bytes.fromhex(ct[:32])
+        cipher = AES.new(key, AES.MODE_CBC, IV)
+        decrypted = cipher.decrypt(bytes.fromhex(ct[32:]))
+    except ValueError as decryption_error:
+        print("AES Decryption Error:", decryption_error)
+        return None
+
+    try:
+        plaintext = unpad(decrypted, 16).decode()
+    except ValueError as unpadding_error:
+        print("Unpadding Error:", decrypted)
+        return None
+
+    return plaintext
+
+def flag(data):
+    data=json.loads(data)
+    print('1. Get Flag')
+    print('2.Exit')
+    while True:
+        print('1. Get Flag')
+        print('2.Exit')
+        z = json.loads(input())
+        if z['option'] == '1':
+            if isinstance(data, dict) and data['isadmin'] == True:
+                print(Flag)
+            else:
+                print('Try another time')
+        elif z['option'] == '2':
+            return

ctfs/0xL4ugh/2024/crypto/Poison/README.md

@@ -0,0 +1 @@
+

ctfs/0xL4ugh/2024/crypto/Poison/source.sage

@@ -0,0 +1,48 @@
+from random import *  
+from Crypto.Util.number import * 
+flag = b'REDACTED'
+#DEFINITION
+K = GF(0xfffffffffffffffffffffffffffffffeffffffffffffffff);a = K(0xfffffffffffffffffffffffffffffffefffffffffffffffc);b = K(0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1)
+E = EllipticCurve(K, (a, b))
+G = E(0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012, 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)
+
+#DAMAGE 
+def poison(val,index): 
+	val = list(val)
+	if val[index] == '1': 
+		val[index] = '0'
+	else: 
+		val[index] = '1'
+	return ''.join(val)
+
+my_priv = bin(bytes_to_long(flag))[2:]
+ms = []
+C1s = []
+C2s = []
+decs = []
+
+count = 0 
+
+while count < len(my_priv):
+	try: 
+		k = randint(2, G.order()-2)
+		Q = int(my_priv,2)*G
+		M = randint(2,G.order()-2)
+		M = E.lift_x(Integer(M));ms.append((M[0],M[1]))
+
+		C1 = k*G;C1s.append((C1[0],C1[1]))
+		C2 = M + k*Q;C2s.append((C2[0],C2[1]))
+
+		ind = len(my_priv)-1-count
+		new_priv = poison(my_priv,ind)
+		new_priv = int(new_priv,2)
+		dec = (C2 - (new_priv)*C1);decs.append((dec[0],dec[1]))
+		count +=1 
+	except: 
+		pass
+
+with open('out.txt','w') as f: 
+	f.write(f'ms={ms}\n')
+	f.write(f'C1s={C1s}\n')
+	f.write(f'C2s={C2s}\n')
+	f.write(f'decs={decs}')

ctfs/0xL4ugh/2024/crypto/RSA_GCD/README.md

@@ -0,0 +1 @@
+I think i might leaked something but i dont know what

ctfs/0xL4ugh/2024/crypto/RSA_GCD/chall2.py

@@ -0,0 +1,22 @@
+import math
+from Crypto.Util.number import *
+from secret import flag,p,q
+from gmpy2 import next_prime
+m = bytes_to_long(flag.encode())
+n=p*q
+
+
+power1=getPrime(128)
+power2=getPrime(128)
+out1=pow((p+5*q),power1,n)
+out2=pow((2*p-3*q),power2,n)
+eq1 = next_prime(out1)
+
+c = pow(m,eq1,n)
+
+
+with open('chall2.txt', 'w') as f:
+    f.write(f"power1={power1}\npower2={power2}\neq1={eq1}\nout2={out2}\nc={c}\nn={n}")
+
+
+

ctfs/0xL4ugh/2024/crypto/RSA_GCD/chall2.txt

@@ -0,0 +1,7 @@
+power1=281633240040397659252345654576211057861
+power2=176308336928924352184372543940536917109
+hint=411
+eq1=2215046782468309450936082777612424211412337114444319825829990136530150023421973276679233466961721799435832008176351257758211795258104410574651506816371525399470106295329892650116954910145110061394115128594706653901546850341101164907898346828022518433436756708015867100484886064022613201281974922516001003812543875124931017296069171534425347946706516721158931976668856772032986107756096884279339277577522744896393586820406756687660577611656150151320563864609280700993052969723348256651525099282363827609407754245152456057637748180188320357373038585979521690892103252278817084504770389439547939576161027195745675950581
+out2=224716457567805571457452109314840584938194777933567695025383598737742953385932774494061722186466488058963292298731548262946252467708201178039920036687466838646578780171659412046424661511424885847858605733166167243266967519888832320006319574592040964724166606818031851868781293898640006645588451478651078888573257764059329308290191330600751437003945959195015039080555651110109402824088914942521092411739845889504681057496784722485112900862556479793984461508688747584333779913379205326096741063817431486115062002833764884691478125957020515087151797715139500054071639511693796733701302441791646733348130465995741750305
+c=11590329449898382355259097288126297723330518724423158499663195432429148659629360772046004567610391586374248766268949395442626129829280485822846914892742999919200424494797999357420039284200041554727864577173539470903740570358887403929574729181050580051531054419822604967970652657582680503568450858145445133903843997167785099694035636639751563864456765279184903793606195210085887908261552418052046078949269345060242959548584449958223195825915868527413527818920779142424249900048576415289642381588131825356703220549540141172856377628272697983038659289548768939062762166728868090528927622873912001462022092096509127650036
+n=14478207897963700838626231927254146456438092099321018357600633229947985294943471593095346392445363289100367665921624202726871181236619222731528254291046753377214521099844204178495251951493800962582981218384073953742392905995080971992691440003270383672514914405392107063745075388073134658615835329573872949946915357348899005066190003231102036536377065461296855755685790186655198033248021908662540544378202344400991059576331593290430353385561730605371820149402732270319368867098328023646016284500105286746932167888156663308664771634423721001257809156324013490651392177956201509967182496047787358208600006325742127976151

ctfs/0xL4ugh/2024/misc/GitMeow/.dockerignore

@@ -0,0 +1,4 @@
+__pycache__ 
+solution.txt
+*.zip
+flag.txt

ctfs/0xL4ugh/2024/misc/GitMeow/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:latest@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
+ENV PAGER=''
+RUN apk add git
+RUN apk add python3
+COPY challenge.py /
+COPY flag.txt /
+COPY welcome.sh /
+RUN chmod +x /welcome.sh
+RUN ln /flag.txt /tmp/flag.txt  # In challenge Server flag file is named randomly 
+RUN adduser -D challenger
+WORKDIR /home/challenger
+USER challenger
+ENTRYPOINT ["sh","/welcome.sh"]

ctfs/0xL4ugh/2024/misc/GitMeow/README.md

@@ -0,0 +1 @@
+Just another annoying git challenge :)

ctfs/0xL4ugh/2024/misc/GitMeow/banner.py

@@ -0,0 +1,20 @@
+monkey="""
+┈┈╱▔▔▔▔▔╲┈┈┈HM┈HM
+┈╱┈┈╱▔╲╲╲▏┈┈┈HMMM
+╱┈┈╱━╱▔▔▔▔▔╲━╮┈┈
+▏┈▕┃▕╱▔╲╱▔╲▕╮┃┈┈
+▏┈▕╰━▏▊▕▕▋▕▕━╯┈┈
+╲┈┈╲╱▔╭╮▔▔┳╲╲┈┈┈
+┈╲┈┈▏╭━━━━╯▕▕┈┈┈
+┈┈╲┈╲▂▂▂▂▂▂╱╱┈┈┈
+┈┈┈┈▏┊┈┈┈┈┊┈┈┈╲┈
+┈┈┈┈▏┊┈┈┈┈┊▕╲┈┈╲
+┈╱▔╲▏┊┈┈┈┈┊▕╱▔╲▕
+┈▏ ┈┈┈╰┈┈┈┈╯┈┈┈▕▕
+┈╲┈┈┈╲┈┈┈┈╱┈┈┈╱┈╲
+┈┈╲┈┈▕▔▔▔▔▏┈┈╱╲╲╲▏
+┈╱▔┈┈▕┈┈┈┈▏┈┈▔╲▔▔
+┈╲▂▂▂╱┈┈┈┈╲▂▂▂╱┈
+
+Hmmmmmm... Try Harder 🐒
+"""

ctfs/0xL4ugh/2024/misc/GitMeow/build-docker.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+docker build -t gitmeow .
+docker run --rm -it gitmeow

ctfs/0xL4ugh/2024/misc/GitMeow/challenge.py

@@ -0,0 +1,53 @@
+import os
+from banner import monkey
+
+BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push"]
+
+def is_valid_utf8(text):
+    try:
+        text.encode('utf-8').decode('utf-8')
+        return True
+    except UnicodeDecodeError:
+        return False
+
+def get_git_commands():
+    commands = []
+    print("Enter git commands (Enter an empty line to end):")
+    while True:
+        try:
+            user_input = input("")
+        except (EOFError, KeyboardInterrupt):
+            break
+
+        if not user_input:
+            break
+
+        if not is_valid_utf8(user_input):
+            print(monkey)
+            exit(1337)
+
+        for command in user_input.split(" "):
+            for blacklist in BLACKLIST:
+                if blacklist in command:
+                    print(monkey)
+                    exit(1337)
+
+
+        commands.append("git " + user_input)
+
+    return commands
+
+def execute_git_commands(commands):
+    for command in commands:
+        output = os.popen(command).read()
+        if "{f4k3_fl4g_f0r_n00b5}" in output:
+            print(monkey)
+            exit(1337)
+        else:
+            print(output)
+
+
+
+commands = get_git_commands()
+execute_git_commands(commands)
+