crypto

Challenges

Scr4mbl3d

I like to confuse people. (Or I'm the one confused?)

❯ unzip -l scr4mbl3d.zip
Archive:  scr4mbl3d.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      130  1980-00-00 00:00   scr4mbl3d/out.txt
     1316  1980-00-00 00:00   scr4mbl3d/source.py
---------                     -------
     1446                     2 files

A custom block cipher tries to “look hard” by mixing SHA-256 and odd arithmetic. Under the hood it’s a Feistel network over $\mathbb{Z}_P$ (mod a 256-bit prime). No secret key. Everything (P, F, constants, schedule) is fixed and known. A Feistel network without a key is just a reversible permutation you can run backward and recover the plaintext.

#!/usr/bin/env python3

import sys
from os import path
from random import randint
from hashlib import sha256

P = 112100829556962061444927618073086278041158621998950683631735636667566868795947
ROUNDS = randint(26, 53)
CONSTANT = [(44 * i ^ 3 + 98 * i ^ 2 + 172 * i + 491) % P for i in range(ROUNDS)]
EXPONENT = 3

def split(x):
    chunk1 = x // P
    chunk2 = x % P
    return chunk1, chunk2

def merge(chunk1, chunk2):
    return chunk1 * P + chunk2

def ff(x):
    return ((x * EXPONENT) * 0x5DEECE66D) % P

def gg(x):
    digest = sha256(int(x).to_bytes(256)).digest()
    return int.from_bytes(digest) % P

def transform(x, y, i):
    u = x
    if i % 11 == 0:
        v = (y + ff(u)) % P
    else:
        v = (y + gg(u)) % P
    v = (v + CONSTANT[i]) % P
    return v, u

def encrypt(input):
    chunk1, chunk2 = split(input)
    for i in range(ROUNDS):
        if i % 5 == 0:
            chunk1, chunk2 = transform(chunk1, chunk2, i)
        else:
            chunk2, chunk1 = transform(chunk2, chunk1, i)
    output = merge(chunk1, chunk2)
    return output

if __name__ == "__main__":
    out_dir = sys.argv[1]
    flag = sys.argv[2].encode()

    input = int.from_bytes(flag)
    ciphertext = encrypt(input)

    with open(path.join(out_dir, "out.txt"), "w") as f:
        f.write(hex(ciphertext))

0x1ba2580d8128ef4aee52dbc4ac7c2d13b75361feb86d5085b4116865fb7fa8b3f851320e2c47a0887ce471d77709507323ee78fa6895dcf8b7116360d5c89ea9

Where is the Flag? The flag is encrypted using a custom block cipher and stored as the ciphertext. The original flag was converted to bytes (1), then to an integer (2), encrypted with a randomized number of rounds (26-53) (3), and output as hex (4).

How do we get it? 🚩

Create decrypt functions that undo each encryption step —
Since rounds are random (26-53), try all possibilities (smoll enough,hehe)
Look for results that decode to readable text starting with "snakectf{"

Script

from hashlib import sha256

P = 112100829556962061444927618073086278041158621998950683631735636667566868795947
CT = int("1ba2580d8128ef4aee52dbc4ac7c2d13b75361feb86d5085b4116865fb7fa8b3f851320e2c47a0887ce471d77709507323ee78fa6895dcf8b7116360d5c89ea9", 16)

def ff(x):  # matches challenge: multiply by EXPONENT (3), not power
    return (x * 3 * 0x5DEECE66D) % P

def gg(x):
    # challenge hashed an int(x) padded to 256 bytes; keep that to match
    return int.from_bytes(sha256(int(x).to_bytes(256, 'big')).digest(), 'big') % P

def consts(n):
    # NOTE: ^ is XOR in Python, exactly as in the challenge
    return [((44*i) ^ 3 + (98*i) ^ 2 + 172*i + 491) % P for i in range(n)]

def decrypt(ct, rounds):
    L, R = ct // P, ct % P
    C = consts(rounds)
    for i in range(rounds - 1, -1, -1):
        if i % 5 == 0:
            # inverse of (L,R) -> (R + F(L) + C, L)
            L, R = R, (L - (ff(R) if i % 11 == 0 else gg(R)) - C[i]) % P
        else:
            # inverse of (L,R) -> (R, L + F(R) + C)
            b = L
            a = (R - (ff(b) if i % 11 == 0 else gg(b)) - C[i]) % P
            L, R = a, b
    x = L * P + R
    return x.to_bytes((x.bit_length() + 7) // 8, 'big')

def encrypt(pt, rounds):  # for verification
    x = int.from_bytes(pt, 'big')
    L, R = x // P, x % P
    C = consts(rounds)
    for i in range(rounds):
        if i % 5 == 0:
            L, R = (R + (ff(L) if i % 11 == 0 else gg(L)) + C[i]) % P, L
        else:
            R, L = (L + (ff(R) if i % 11 == 0 else gg(R)) + C[i]) % P, R
    return L * P + R

def solver():
    for r in range(26, 54):
        pt = decrypt(CT, r)
        try:
            s = pt.decode()
        except UnicodeDecodeError:
            continue
        if "snakectf{" in s.lower():
            print("ROUNDS =", r)
            print(s)
            assert encrypt(pt, r) == CT
            return
    print("no flag found in 26..53 (shouldn't happen)")

solver()

❯ python sol.py
ROUNDS = 29
snakeCTF{Ev3ry7hing_1s_34s13r_w1th_F3is7el_bb5dcc5e0a39ff0b}

snakeCTF{Ev3ry7hing_1s_34s13r_w1th_F3is7el_bb5dcc5e0a39ff0b}

Unf33dMe

Easy structure but the choice of parameters make it as strong as a Babylonian defense.

❯ unzip -l unf33dme.zip
Archive:  unf33dme.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      324  1980-00-00 00:00   unf33dme/out.txt
     2430  1980-00-00 00:00   unf33dme/source.sage
---------                     -------
     2754                     2 files

TL;DR: The “Unf33dMe” hash is a simple per-word permutation where each 2-byte chunk of the flag is independently run through three cube-and-add steps with public constants, then the only cross-mixing is a final pairwise swap-and-add that couples words two at a time.

Because there’s no secret key and each word is only 16 bits, we can rebuild the public round constants (from SHAKE256("SNAKECTF")), and for each swapped pair directly brute-force one word, compute the other from the equation, and check it—repeat for the 12 pairs, join candidates, PKCS#7-unpad and keep the printable ASCII that looks like a flag.

Doing this yields the flag: snakeCTF{p0lys_4r3_m4g1c_:)_16f95932140b4fbe}.

#!/usr/bin/env sage
import sys
from os import path
from Crypto.Hash import SHAKE256
from Crypto.Util.Padding import pad
from Crypto.Util.number import bytes_to_long


class Babylon:
    def __init__(self):
        self.setParams()
        self.genConstants()

    def setParams(self):
        self.exp = 3
        self.p = 65537
        self.nbytes = self.p.bit_length() // 8
        self.F = GF(self.p)
        self.state_size = 24
        self.rounds = 3

    def genConstants(self):
        shake = SHAKE256.new()
        shake.update(b"SNAKECTF")
        self.constants = []
        for _ in range(self.rounds):
            self.constants.append(self.F(int.from_bytes(shake.read(self.nbytes), 'big')))

    def decompose(self, message):
        state = []
        padded_message = pad(message, self.state_size * self.nbytes)
        for i in range(0, len(padded_message), self.nbytes):
            chunk = bytes_to_long(padded_message[i:i + self.nbytes])
            state.append(chunk)
        return state

    def random(self):
        return [self.F.random_element() for _ in range(self.state_size)]

    def shuffle(self, state):
        for i in range(0, self.state_size, 2):
            t = state[i]
            state[i] = state[i + 1]
            state[i + 1] = t
        return state

    def add(self, state, constant):
        return [state[i] + constant for i in range(self.state_size)]

    def xor(self, a, b):
        return [a[i] + b[i] for i in range(self.state_size)]

    def sbox(self, state):
        return [(state[i]) ^ self.exp for i in range(self.state_size)]

    def round(self, state, r):
        state = self.sbox(state)
        state = self.add(state, self.constants[r])
        return state

    def permute(self, state, key):
        state = self.xor(state, key)
        for r in range(self.rounds):
            state = self.round(state, r)
        return state

    def hash(self, message):
        input = self.decompose(message)
        IV = self.random()
        output = self.permute(input, IV)
        digest = self.xor(output, self.shuffle(input))
        return digest, IV


if __name__ == "__main__":
    out_dir = sys.argv[1]
    flag = sys.argv[2].encode()

    babylon = Babylon()
    assert len(flag) < babylon.state_size * babylon.nbytes, len(flag)

    digest, IV = babylon.hash(flag)

    with open(path.join(out_dir, "out.txt"), "w") as f:
        f.write(f"{digest}\n{IV}")
        
# out.txt
[18840, 31254, 7668, 2508, 9028, 40087, 13926, 49817, 59529, 5447, 24798, 59648, 28190, 37202, 43195, 21784, 16974, 37175, 48106, 46196, 32798, 40361, 1921, 65016]
[48670, 1962, 17694, 598, 34425, 54036, 25778, 3049, 56622, 58561, 62531, 49295, 3325, 5067, 25993, 56181, 46518, 23511, 8319, 62958, 40466, 57256, 2332, 40044]

Where is the flag? The archive’s out.txt has two Python lists:

digest — 24 field elements (mod p=65537)
IV — 24 field elements used as the per-word “key”.

Those two lists are all you need to reconstruct (the flag) thanks to how the hash is built.

Script

from hashlib import shake_256

# --- params from source.sage ---
p = 65537
state_size = 24
rounds = 3
nbytes = 2
block_bytes = state_size * nbytes

# paste the two lists from out.txt
digest = [18840,31254,7668,2508,9028,40087,13926,49817,59529,5447,24798,59648,
          28190,37202,43195,21784,16974,37175,48106,46196,32798,40361,1921,65016]
IV     = [48670,1962,17694,598,34425,54036,25778,3049,56622,58561,62531,49295,
          3325,5067,25993,56181,46518,23511,8319,62958,40466,57256,2332,40044]

# round constants (public)
buf = shake_256(b"SNAKECTF").digest(rounds * nbytes)
C = [int.from_bytes(buf[i*nbytes:(i+1)*nbytes], "big") % p for i in range(rounds)]

def f_v(x, v):
    y = (x + v) % p
    for c in C:
        y = (pow(y, 3, p) + c) % p
    return y

def pkcs7_unpad(b: bytes) -> bytes:
    if not b: return b
    pad = b[-1]
    if 1 <= pad <= block_bytes and b.endswith(bytes([pad])*pad):
        return b[:-pad]
    return b

# solve each (even,odd) pair independently
pairs = []
for i in range(0, state_size, 2):
    d0, d1 = digest[i], digest[i+1]
    v0, v1 = IV[i], IV[i+1]
    cand = []
    for a in range(65536):                        # 16-bit word
        b = (d0 - f_v(a, v0)) % p
        if b < 65536 and (d1 - f_v(b, v1)) % p == a:
            cand.append((a, b))
    pairs.append(cand)

# combine candidates and filter
def words_to_bytes(ws):
    return b"".join(w.to_bytes(2, "big") for w in ws)

flag = None
def dfs(k, acc):
    global flag
    if flag: return
    if k == len(pairs):
        msg = pkcs7_unpad(words_to_bytes(acc))
        if (b"snakeCTF{" in msg and all(32 <= x <= 126 for x in msg) and msg.endswith(b"}")):
            flag = msg.decode("ascii")
        return
    for a, b in pairs[k]:
        dfs(k+1, acc + [a, b])

dfs(0, [])
print(flag)

❯ python hehe.py
snakeCTF{p0lys_4r3_m4g1c_:)_16f95932140b4fbe}

Free Start

It looks like it is impossible!
ncat --ssl freestart.challs.snakectf.org 1337

#!/usr/bin/env sage
from Anemoi_primitive.anemoi import *
from copy import deepcopy
import os
import signal
from random import randint

TIMEOUT = 200
FLAG = os.getenv("FLAG", "FLAG{this_is_a_fake_flag_for_testing_purposes}")
PRIME = 280989701


# SPONGE
class SPONGE:
    def __init__(self, prime):
        self.prime = prime
        self.n_bits_per_block = len(bin(prime)[2:]) - 1
        # Anemoi params
        self.l = 1
        self.alpha = 3
        self.n_rounds = 21

    def hash(self, message, initial_c):
        assert initial_c < self.prime
        # ABSORBING PHASE
        state = [[0], [initial_c]]
        for b in message:
            state[0][0] = (state[0][0] + b) % self.prime
            temp = deepcopy(state)
            permutation = ANEMOI(self.prime, self.alpha, self.n_rounds, self.l)
            state = permutation(temp[0], temp[1])
        return state[0][0]


# SERVICE
TEST = 100


def main():
    S = SPONGE(PRIME)
    print("For each of the given messages, you must give me a collision. Let's start!")
    # create message
    print(
        "The messages should be represented as a list of values comma separated such as 2, 3, 4, 5, 6"
    )
    while True:
        print(
            """ 
        MENU:
            1) Play
            2) Exit
            """
        )
        choice = input("> ")
        if choice == "1":
            passed_tests = 0
            while passed_tests < TEST:
                message = [randint(0, PRIME - 1) for _ in range(5)]
                initial_capacity = randint(0, PRIME - 1)
                print(f"The chosen message is: {message}")
                print(f"The initial capacity is: {initial_capacity}")
                hash_value = S.hash(message, initial_capacity)
                print(f"The corresponding hash value is {hash_value}")
                solvable = int(input("Is there solution? (0 means NO, 1 means YES): "))
                if solvable == 0:
                    continue
                elif solvable > 1:
                    break
                input_message = list(
                    map(int, input("Give me your message: ").strip().split(","))
                )
                if len(input_message) < 2:
                    print("Your message must have at least two blocks")
                    break
                if not all([v < PRIME for v in input_message]):
                    print("Your message must be composed of values in the field!")
                    break
                if "|".join(map(str, input_message)) in "|".join(map(str, message)):
                    print("Your message cannot contains subsequences of my message!")
                    break
                input_initial_capacity = int(input("Give me your initial capacity: "))
                your_hash_value = S.hash(input_message, input_initial_capacity)
                if your_hash_value != hash_value:
                    print("The hashes do not match!")
                    break
                else:
                    print("Congratulations!")
                    passed_tests += 1
            if passed_tests == TEST:
                print(f"Congratulations! Here is the flag: {FLAG}")
        elif choice == "2":
            break


if __name__ == "__main__":
    signal.alarm(TIMEOUT)
    main()

from sage.all import *
import itertools

# from original implementation https://github.com/anemoi-hash/anemoi-hash/blob/main/anemoi.sage

def is_mds(m):
    # Uses the Laplace expansion of the determinant to calculate the (m+1)x(m+1) minors in terms of the mxm minors.
    # Taken from https://github.com/mir-protocol/hash-constants/blob/master/mds_search.sage.

    # 1-minors are just the elements themselves
    if any(any(r == 0 for r in row) for row in m):
        return False

    N = m.nrows()
    assert m.is_square() and N >= 2

    det_cache = m

    # Calculate all the nxn minors of m:
    for n in range(2, N + 1):
        new_det_cache = dict()
        for rows in itertools.combinations(range(N), n):
            for cols in itertools.combinations(range(N), n):
                i, *rs = rows

                # Laplace expansion along row i
                det = 0
                for j in range(n):
                    # pick out c = column j; the remaining columns are in cs
                    c = cols[j]
                    cs = cols[:j] + cols[j + 1:]

                    # Look up the determinant from the previous iteration
                    # and multiply by -1 if j is odd
                    cofactor = det_cache[(*rs, *cs)]
                    if j % 2 == 1:
                        cofactor = -cofactor

                    # update the determinant with the j-th term
                    det += m[i, c] * cofactor

                if det == 0:
                    return False
                new_det_cache[(*rows, *cols)] = det
        det_cache = new_det_cache
    return True


def M_2(x_input, b):
    x = x_input[:]
    x[0] += b * x[1]
    x[1] += b * x[0]
    return x


def M_3(x_input, b):
    x = x_input[:]
    t = x[0] + b * x[2]
    x[2] += x[1]
    x[2] += b * x[0]
    x[0] = t + x[2]
    x[1] += t
    return x


def M_4(x_input, b):
    x = x_input[:]
    x[0] += x[1]
    x[2] += x[3]
    x[3] += b * x[0]
    x[1] = b * (x[1] + x[2])
    x[0] += x[1]
    x[2] += b * x[3]
    x[1] += x[2]
    x[3] += x[0]
    return x


def lfsr(x_input, b):
    x = x_input[:]
    l = len(x)
    for r in range(0, l):
        t = sum(b ** (2 ** i) * x[i] for i in range(0, l))
        x = x[1:] + [t]
    return x


def circulant_mds_matrix(field, l, coeff_upper_limit=None):
    if coeff_upper_limit == None:
        coeff_upper_limit = l + 1
    assert (coeff_upper_limit > l)
    for v in itertools.combinations_with_replacement(range(1, coeff_upper_limit), l):
        mat = matrix.circulant(list(v)).change_ring(field)
        if is_mds(mat):
            return (mat)
    # In some cases, the method won't return any valid matrix,
    # hence the need to increase the limit further.
    return circulant_mds_matrix(field, l, coeff_upper_limit + 1)


def get_mds(field, l):
    if l == 1:
        return identity_matrix(field, 1)
    if l <= 4:  # low addition case
        a = field.multiplicative_generator()
        b = field.one()
        t = 0
        while True:
            # we construct the matrix
            mat = []
            b = b * a
            t += 1
            for i in range(0, l):
                x_i = [field.one() * (j == i) for j in range(0, l)]
                if l == 2:
                    mat.append(M_2(x_i, b))
                elif l == 3:
                    mat.append(M_3(x_i, b))
                elif l == 4:
                    mat.append(M_4(x_i, b))
            mat = Matrix(field, l, l, mat).transpose()
            if is_mds(mat):
                return mat
    else:  # circulant matrix case
        return circulant_mds_matrix(field, l)

from sage.all import *
from Anemoi_primitive.anemoi_utilities import *
from copy import deepcopy

"""
Simple ANEMOI implementation
"""

"""
Constants from https://github.com/anemoi-hash/anemoi-hash
"""
PI_0 = 1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679
PI_1 = 8214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196


def euler_phi(v):
    if is_prime(v):
        return v - 1
    else:
        factors = factor(v)
        phi = v
        for f in factors:
            phi *= (1 - 1 / f[0])

        return phi


"""
Simple ANEMOI in F_q^2l
"""


class ANEMOI:
    def __init__(self, q, alpha, nrounds, l):
        self.q = q
        self.alpha = alpha
        self.nrounds = nrounds
        self.l = l

        # generate the field
        self.F = GF(self.q)

        if is_prime(self.q):
            if gcd(self.alpha, self.q - 1) != 1:
                raise Exception("alpha should be coprime with phi(q)")

            self.degree = 2
            self.to_field = lambda x: self.F(x)
            self.from_field = lambda x: Integer(x)
        else:
            self.degree = 3
            self.to_field = lambda x: self.F.fetch_int(x)
            self.from_field = lambda x: x.integer_representation()

        # get the generator and the inv_generator
        self.g = self.F.multiplicative_generator()
        self.beta = self.g
        self.gamma = 0
        self.delta = self.g ** (-1)
        self.alpha_inv = pow(alpha, -1, euler_phi(self.q))

        # Choosing constants: self.C and self.D are built from the
        # digits of pi using an open butterfly
        self.C = []
        self.D = []
        pi_F_0 = self.F(PI_0 % self.q)
        pi_F_1 = self.F(PI_1 % self.q)
        for r in range(0, self.nrounds + 1):
            pi_0_r = pi_F_0 ** r
            self.C.append([])
            self.D.append([])
            for i in range(0, self.l):
                pi_1_i = pi_F_1 ** i
                pow_alpha = (pi_0_r + pi_1_i) ** self.alpha
                self.C[r].append(self.g * (pi_0_r) ** 2 + pow_alpha)
                self.D[r].append(self.g * (pi_1_i) ** 2 + pow_alpha + self.delta)

        self.mat = get_mds(self.F, self.l)

    """
        X, Y: lists of l values in F_q
    """

    def __call__(self, X, Y):
        if len(X) != self.l or len(Y) != self.l:
            raise Exception("wrong input size!")
        else:
            return self.hash([X, Y])

    """
    :param state is a list of 2*l values in F_q
    """

    def hash(self, state):
        for i in range(self.nrounds):
            state = self.forward_round(state, i)

        state = self.add_constants(state, self.nrounds)
        state = self.linear_layer(state)
        return state

    def verify(self, state, hash):
        return None

    """
    param: state -> list of elements in F_q
    """

    def add_constants(self, state, round_index):
        # pick the constants depending on alpha
        temp_state = deepcopy(state)

        for i in range(0, self.l):
            state[0][i] += self.C[round_index][i]
            state[1][i] += self.D[round_index][i]

        return state

    def linear_layer(self, state):
        x, y = state[0], state[1]
        x = self.mat * vector(x)
        y = self.mat * vector(y[1:] + [y[0]])
        # Pseudo-Hadamard transform on each (x,y) pair
        y += x
        x += y
        return [list(x), list(y)]

    def evaluate_sbox(self, _x, _y):
        x, y = _x, _y
        x -= self.beta * y ** self.degree
        y -= x ** self.alpha_inv
        x += (self.beta * y ** self.degree + self.delta)
        return x, y

    def evaluate_sbox_complete(self, state):
        """ Flystel evaluation """
        """Applies an open Flystel to the full state. """
        temp_state = deepcopy(state)
        for i in range(0, self.l):
            temp_state[0][i], temp_state[1][i] = self.evaluate_sbox(temp_state[0][i], temp_state[1][i])

        return temp_state

    def forward_round(self, state, round_index):
        state = self.add_constants(state, round_index)
        state = self.linear_layer(state)
        state = self.evaluate_sbox_complete(state)
        return state

tldr;

tldr; The service “hashes” messages with a 2-word sponge whose permutation is an invertible Anemoi round function (no secret key). Because the server lets us choose the initial capacity (free-start) and the permutation is fully public and invertible, we can pick any final (x,y) state with x = target hash, invert the permutation to the input of the last block, and use one extra message block to “steer” x to that input while keeping y fixed.

That yields a 2-block free-start collision for any target hash, avoiding any subsequence of the server’s message.

Where is da flag? 🚩— Will printed after passing 100 collision rounds:

if passed_tests == TEST:
    print(f"Congratulations! Here is the flag: {FLAG}")

Our job is to

Repeatedly craft valid collisions that match the server’s hash output.

How? The server reveals, for each round:

the random message message = [m0, m1, m2, m3, m4]
the random initial capacity initial_capacity = c0
the resulting hash h = S.hash(message, c0)

We must reply with (a different message, at least 2 blocks) + (our initial capacity) that hashes to the same h, and that doesn’t contain any 2-element subsequence from the server’s message. Do that 100 times

The vulnerability?

# challenge.py  (SPONGE.hash)
state = [[0], [initial_c]]         # x = 0, y = initial capacity  (l = 1)
for b in message:
    state[0][0] = (state[0][0] + b) % PRIME   # absorb *only* into x
    permutation = ANEMOI(PRIME, 3, 21, 1)     # public, fixed, invertible
    state = permutation(temp[0], temp[1])     # state <- P(state)
return state[0][0]                            # output x only

Result is: Given any target hash h, we can choose the final y, invert the permutation once to obtain the input that must go into the last permutation call, and then use a 2-block message to hit that input exactly while obeying the server’s constraints.

import ast
from pwn import process, remote
from sage.all import GF, Integer
# import random

PRIME = 280_989_701
ALPHA = 3
N_ROUNDS = 21

class AnemoiL1:
    def __init__(self, q, alpha, nrounds):
        self.q = q
        self.F = GF(q)
        self.alpha = alpha
        self.nrounds = nrounds

        self.g = self.F.multiplicative_generator()
        self.beta = self.g
        self.delta = self.g ** (-1)
        self.alpha_inv = pow(alpha, -1, q - 1)  # prime field -> phi(q)=q-1

        PI_0 = Integer("1415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679")
        PI_1 = Integer("8214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196")
        pi_F_0 = self.F(PI_0 % q)
        pi_F_1 = self.F(PI_1 % q)  # unused for l=1 but keep consistent

        self.C, self.D = [], []
        for r in range(nrounds + 1):
            pow_alpha = (pi_F_0**r + self.F(1)) ** self.alpha
            C_r = self.g * (pi_F_0**(2*r)) + pow_alpha
            D_r = self.g * (self.F(1)) + pow_alpha + self.delta
            self.C.append([C_r])
            self.D.append([D_r])

    def addC(self, x, y, r):  return (x + self.C[r][0], y + self.D[r][0])
    def addC_inv(self, x, y, r): return (x - self.C[r][0], y - self.D[r][0])

    def lin(self, x, y):      return (2*x + y, x + y)
    def lin_inv(self, x, y):  return (x - y, 2*y - x)

    def sbox(self, x, y):
        x = x - self.beta * (y**2)
        y = y - x**self.alpha_inv
        x = x + (self.beta * (y**2) + self.delta)
        return (x, y)

    def sbox_inv(self, x2, y1):
        x1 = x2 - (self.beta * (y1**2) + self.delta)
        y0 = y1 + (x1 ** self.alpha_inv)
        x0 = x1 + self.beta * (y0**2)
        return (x0, y0)

    def P(self, x, y):
        for r in range(self.nrounds):
            x, y = self.addC(x, y, r)
            x, y = self.lin(x, y)
            x, y = self.sbox(x, y)
        x, y = self.addC(x, y, self.nrounds)
        x, y = self.lin(x, y)
        return (x, y)

    def P_inv(self, x, y):
        x, y = self.lin_inv(x, y)
        x, y = self.addC_inv(x, y, self.nrounds)
        for r in range(self.nrounds - 1, -1, -1):
            x, y = self.sbox_inv(x, y)
            x, y = self.lin_inv(x, y)
            x, y = self.addC_inv(x, y, r)
        return (x, y)

def make_collision(target_hash, A: AnemoiL1):
    F = A.F
    p = int(F.characteristic())

    x2 = F(target_hash)
    y2 = F.random_element()             # FIX: sample from field, not randrange(modulus)
    x_in2, y_in2 = A.P_inv(x2, y2)

    x1_prime = F.random_element()       # FIX: same here
    b2 = int((x_in2 - x1_prime)) % p    # convert to int in [0,p)

    b1, cap = A.P_inv(x1_prime, y_in2)
    return [int(b1), b2], int(cap)

def solve():
    A = AnemoiL1(PRIME, ALPHA, N_ROUNDS)
    io = process(["sage", "-python", "challenge.py"])   # or: remote("freestart.challs.snakectf.org", 1337, ssl=True, sni="freestart.challs.snakectf.org")

    io.recvuntil(b">")
    io.sendline(b"1")

    passed = 0
    while passed < 100:
        io.recvuntil(b"The chosen message is:")
        M = ast.literal_eval(io.recvline().decode().strip())

        io.recvuntil(b"The initial capacity is:")
        _ = int(io.recvline().decode())

        io.recvuntil(b"The corresponding hash value is")
        h = int(io.recvline().decode())

        io.recvuntil(b"Is there solution?")
        io.sendline(b"1")

        while True:
            msg, cap = make_collision(h, A)
            if not any(msg == M[i:i+2] for i in range(len(M)-1)):
                break

        io.recvuntil(b"Give me your message:")
        io.sendline(f"{msg[0]},{msg[1]}".encode())
        io.recvuntil(b"Give me your initial capacity:")
        io.sendline(str(cap).encode())

        line = io.recvline().decode()
        if "Congratulations!" in line:
            passed += 1
            print(f"[+] round ok ({passed}/100)")
        else:
            raise SystemExit(f"server rejected our collision: {line.strip()}")

    # get flag
    for _ in range(8):
        s = io.recvline(timeout=2) or b""
        if b"Here is the flag" in s:
            print(s.decode().strip())
            break

solve()

❯ sage -python solve.sage
[+] Opening connection to freestart.challs.snakectf.org on port 1337: Done

[SERVER] hashcash -mCb28 qh8mua6IC4PQ1Rs3
Run this in another terminal, then paste the output line that starts with '1:' below.
Paste your hashcash stamp here: 1:28:250830:qh8mua6IC4PQ1Rs3::9z1M9SYXRCK0LiRv:Fr8jD
[+] round ok (1/100)
[+] round ok (2/100)
[+] round ok (3/100)
[+] round ok (4/100)
...
[+] round ok (96/100)
[+] round ok (97/100)
[+] round ok (98/100)
[+] round ok (99/100)
[+] round ok (100/100)
Congratulations! Here is the flag: snakeCTF{resultant_computation_can_help_a_lot_if_some_roots_are_easy_to_find_ac91ebf18ccc01d5}
[*] Closed connection to freestart.challs.snakectf.org port 1337

snakeCTF{resultant_computation_can_help_a_lot_if_some_roots_are_easy_to_find_ac91ebf18ccc01d5}

Triple-Flavor

Why settle for just one mode of operation when you can have 3?
ncat --ssl triple-flavor.challs.snakectf.org 1337

❯ unzip -l triple-flavor.zip
Archive:  triple-flavor.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1701  1969-12-31 16:00   server.py
---------                     -------
     1701                     1 file

tbd-will write later (this is cool sh)

#!/usr/bin/env python3

from os import urandom, environ
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from hashlib import sha256
from string import ascii_lowercase, digits
from secrets import choice
import signal

FLAG = environ.get("FLAG", "snakeCTF{fakeflag}")
TIMEOUT = environ.get("TIMEOUT", 300)
SECRET_LEN = 15
key_len = SECRET_LEN // 3
secret_token = ''.join([choice(ascii_lowercase + digits) for _ in range(SECRET_LEN)])
seeds = [secret_token[i:i+key_len] for i in range(0, len(secret_token), key_len)]
keys = [sha256(seed.encode()).digest()[:16] for seed in seeds]
ivs = [urandom(16), urandom(16)]


def xor(a:bytes, b:bytes):
    return bytes([x ^ y for x,y in zip(a, b)])


def encrypt(pt:bytes, keys:list, ivs:list) -> bytes:
    cipher1 = AES.new(keys[0], AES.MODE_ECB)
    cipher2 = AES.new(keys[1], AES.MODE_OFB, ivs[0])
    cipher3 = AES.new(keys[2], AES.MODE_CBC, ivs[1])

    ct1 = cipher1.encrypt(pad(pt, 16))
    ct2 = cipher2.encrypt(ct1)
    twks = [sha256(ivs[1] + i.to_bytes(1, 'big')).digest()[:16] for i in range(0, len(ct2)//16)]
    ct3 = cipher3.decrypt(xor(ct2, b''.join(twks)))

    return ct3


def main():
    print('Can you guess my secret token?')
    try:
        pt = bytes.fromhex(input('Give me a plaintext to encrypt (in hex): '))
        ct = encrypt(pt, keys, ivs)
        print(f'Ciphertext (in hex): {''.join([iv.hex() for iv in ivs]) + ct.hex()}')
        st = input('Give me your guess: ')
        if st == secret_token:
            print(f'Well done, here is the flag: {FLAG}')
        else:
            print('Nope.')
    except:
        exit('Something went wrong')


if __name__ == '__main__':
    signal.alarm(TIMEOUT)
    main()

Previousweb Nextmisc

Last updated 4 months ago

hashtagChallenges

hashtagScr4mbl3d

hashtagUnf33dMe

hashtagFree Start

hashtagtldr;

hashtagOur job is to

hashtagThe vulnerability?

hashtagTriple-Flavor