masrt200@home:~$

Castors-CTF

Banner

Arithmetic

Solution

We needed to solve simple arithmetic operations but we have little time and they get troll-some! Sounds like a challenge description heh?

Use Sympy, its the best for these types of challenges!

Here my code:

from pwn import *
import re
from sympy import solve,Symbol,sympify

r=remote('chals20.cybercastors.com',14429)

print(r.recv())
r.sendline('')

mappings={'plus':'+','divided-by':'//','minus':'-','multiplied-by':'*','one':'1','two':'2','three':'3','four':'4','five':'5','six':'6','seven':'7','eight':'8','nine':'9','zero':'0'}
cn=0
while True:
	data=r.recv().decode()
	if 'castors' in data:
		print(data)
		break
	data=data.split(' ')
	print(data)
	for i in range(len(data)):
		if data[i] in mappings:
			data[i]=mappings[data[i]]
	data=' '.join(data)
	#print(data)
	num=re.findall(r'\d+',data)
	eqn=data[data.index(num[0]):data.index('?')]

	eq='x='+eqn
	#print(eqn)
	sympy_eq = sympify("Eq(" + eq.replace("=", ",") + ")")
	ans=solve(sympy_eq)
	print(ans)
	r.sendline(str(ans[0]))
	r.recvuntil('\n')

castorsCTF(n00b_pyth0n_4r17hm3t1c5}, pretty nooby!

Jigglypuff’s Song

crypto

Point: 479

Description:

Can you hear Jigglypuff’s song?

Solution:

This was a really easy chall… but the random pixel stream on the image kinda confused me! Half of the time, I just kept staring at the image and did nothing!

All we had to do was a basic steganography attack! Using LSB to conceal data in images doesn’t alter the image much, but MSB does a lot. As was the case here! Once that clicked, it was as easy as a sunny day!

from PIL import Image

im=Image.open('chal.png')
pixels=im.load()

#print(im.size,im.mode)

search=[]

s=''
for i in range(im.height):
	for j in range(im.width):
		a=pixels[j,i]
		r=bin(a[0])[2:].zfill(8)[0]
		g=bin(a[1])[2:].zfill(8)[0]
		b=bin(a[2])[2:].zfill(8)[0]
		s+=r+g+b

print(bytes.fromhex(hex(int(s,2))[2:]))

castorsCTF{r1ck_r0ll_w1ll_n3v3r_d3s3rt_y0uuuu} ::The Damn Author trolls you twice… once in the trailing bits part and the entire concealed message also contains Rick’s song twice!

Bagel Bytes

crypto

Point: 444

Description:

nc chals20.cybercastors.com 14420

Solution:

It was a imple ECB-oracle attack nothing much! All you had to do was notice that!

from pwn import *
import binascii

r=remote('chals20.cybercastors.com',14420)



def get_data(payload):
	r.recvuntil('choice: ')
	r.sendline('2')
	r.recvuntil('> ')
	r.sendline(payload)
	r.recvuntil(':\n')

	data=r.recvuntil('\n')[:-1]

	return data

flag=''
for i in reversed(range(0,48-len(flag))):
	payload='A'*i
	data=get_data(payload)

	print(len(data),i)
	for i in range(0,len(data),32):
		print(data[i:i+32])

	chars='castorsCTF}{I_L1k3_mua_1203456789abcdefghijklmnopqrstuvxyz?ABCDEFGHIJKLMNOPQRSTUVWXYZ'
	for j in chars:
		print('checking',j)
		check=payload+flag+j
		reply=get_data(check)
		if reply[:96]==data[:96]:
			flag+=j
			break

	print(flag)

castorsCTF{I_L1k3_muh_b4G3l5_3x7r4_cr15pY} -i- eazy-peasy!

Amazon

crypto

Points: 489

Description:

Are you watching the new series on Amazon?

Solution:

The hint was infront of us for this one! Amazon–> Amazon Prime –> Primes! Ascii representation of each character was multiplied by consecutive prime numbers!

a=['2', '3', '5', '7', '11', '13', '17', '19', '23', '29', '31', '37', '41', '43', '47', '53', '59', '61', '67', '71', '73', '79', '83', '89', '97', '101', '103', '107', '109', '113', '127', '131', '137', '139', '149', '151', '157', '163', '167', '173', '179', '181', '191', '193', '197', '199', '211', '223', '227', '229']
b=['198', '291', '575', '812', '1221', '1482', '1955', '1273', '1932', '2030', '3813', '2886', '1968', '4085', '3243', '5830', '5900', '5795', '5628', '3408', '7300', '4108', '10043', '8455', '6790', '4848', '11742', '10165', '8284', '5424', '14986', '6681', '13015', '10147', '7897', '14345', '13816', '8313', '18370', '8304', '19690', '22625']

for i in range(len(b)):
	print(chr(int(b[i])//int(a[i])),end='')

castorsCTF{N0_End_T0d4y_F0r_L0v3_I5_X3n0n}, how did the author expect us to find this before space were given in the ciphertext!

0x101 Dalmations

crypto

Points: 496

Description:

Response to Amazon: Nah, I only need to be able to watch 101 Dalmatians.

Solution:

It was exact the Amazon chall with one extra step! You couldn’t have possibly solved it without solving Amazon!

All we have to do was take the primes multiply them by the ascii representation of the chars, and take its modulus with 0x101!

(char*prime)%0x101

It just bruteforce to reverse it! Could have used modular inverses but eh!

p=['2', '3', '5', '7', '11', '13', '17', '19', '23', '29', '31', '37', '41', '43', '47', '53', '59', '61', '67', '71', '73', '79', '83', '89', '97', '101', '103', '107', '109', '113', '127', '131', '137', '139', '149', '151', '157', '163', '167', '173', '179', '181', '191', '193', '197', '199', '211', '223', '227', '229','239', '241' ,'251' ,'257', '263', '269','271' ,'277' ,'281' ,'283' ,'293' ,'307' ,'311','313','317']

a=['c6', '22', '3d', '29', 'c1', 'c5', '9c', 'f5', '85', 'e7', 'd7', '0e', '46', 'e6', '21', 'e7', 'dd', '8d', 'db', '43', 'a0', '34', '77', '04', '7f', '32', '13', '8c', 'c9', '01', '65', '78', '5f', 'c0', '14', '8e', '33', 'bf', 'bc', '02', '21', '79', 'e1', '5d', 'd3', '46', 'e0', 'ca', 'ee', '72', 'c2', '26', '38']
m=257
flag=''
for i in range(len(a)):
	for j in range(30,150):
		if (j*int(p[i]))%m==int(a[i],16):
			#print(j)
			#print(chr(j))
			flag+=chr(j)
	#print('\nlolol')

print(flag)

castorsCTF{1f_y0u_g07_th1s_w1th0u7_4ny_h1n7s_r3sp3c7}. I needed a lot of hints, so no respect for me I guess!