Add writeups from T0077

samueltangz · samueltangz · commit f6fccf14779e · 2020-11-13T21:18:21.000+08:00
diff --git a/ram/writeups/t0077/README.md b/ram/writeups/t0077/README.md
@@ -0,0 +1,45 @@
+# HKCERT CTF Challenge 2020 Writeup
+### Team: T0077 - HKUST
+### Challenge Name: RAM 拉姆 (Misc, 450 points)
+
+Solved by _Vincent_
+
+---
+
+Objective: Get user passwords from `memory.dmp` of RAM image
+
+Flag format: `hkcert20{(pw of flag01)_(pw of flag02)_(pw of flag03)_(pw of flag04)_(pw of flag05)}`
+
+---
+
+Reference: OtterCTF 2018 Memory Forensics Write-up (Part I)
+https://medium.com/@sbasu7241/otterctf-2018-memory-forensics-write-up-part-1-ea27a144a5d4
+
+Simply follow the steps of the above write-up :)
+
+1. Install `volatility`
+2. Identify the correct profile for the memory image using `imageinfo`, verify with `kdbgscan`
+
+![](https://i.imgur.com/EgUAOCu.png)
+
+![](https://i.imgur.com/mikpokj.png)
+
+3. Get the passwords using `hashdump`
+
+![](https://i.imgur.com/xPlTlLn.png)
+
+We now have all the passwords, hashed:
+
+```1
+flag01:1678ac6f5380c60363a91082d0699c74
+flag02:40e43aee94115e12541624221019423b
+flag03:186cb09181e2c2ecaac768c47c729904
+flag04:5c3b27ff63ae1e7e1b3221b19f00183c
+flag05:1597f8e3b872d5348767416f6921d346
+```
+
+Final step: crack the hashes
+
+![](https://i.imgur.com/OhE37Cw.png)
+
+Flag: `hkcert20{this_is_a_MD5_challenge}`
diff --git a/tenet/writeups/t0077/README.md b/tenet/writeups/t0077/README.md
@@ -0,0 +1,142 @@
+# HKCERT CTF Challenge 2020 Writeup
+### Team: T0077 - HKUST
+### Challenge Name: Tenet 天能 (Crypto, 492 points)
+
+Solved by _Vincent_
+#first_blood
+
+---
+
+Objective: Given encryption code, decipher this:
+`6255c24aa3dd8f58c5fcb41feb90f90e73e870db651d5a963498f062c2c1572430098acf05`
+
+---
+
+Observations: 
+
+1. AES Double-Key Encryption:
+$C=E(E(P, K_0, IV_0), K_1, IV_1)$
+$P=D(D(C, K_1, IV_1), K_0, IV_0)$
+$\Rightarrow$ Meet-in-the-middle attack?
+$D(C, K_1, IV_1)=E(P, K_0, IV_0)$
+2. The National Security Law in the near future requires first 13 bytes of keys to be zeros.
+`key1 = b'\0' * 13 + os.urandom(3)`
+`key2 = b'\0' * 13 + os.urandom(3)`
+$\Rightarrow$ Key search space = $2^{24}$
+3. Of course we don't know the whole plaintext, we just know it starts with `hkcert20{`. However, even having partial plaintext is useless for MiM attacks, unless...
+4. `mode=AES.MODE_CTR`
+
+$C_i=(P_i \oplus E_{CTR}(IV_0+i, K_0)) \oplus E_{CTR}(IV_1+i, K_1)\\
+\ \ \ \ =P_i \oplus (E_{CTR}(IV_0+i, K_0) \oplus E_{CTR}(IV_1+i, K_1))$
+
+$\Rightarrow P=C \oplus (E(\vec{0}, K_0, IV_0) \oplus E(\vec{0}, K_1, IV_1))$
+
+---
+
+Exhaust all $2^{24}$ keys, compute $E(\vec{0}, K, IV_0)$ and $E(\vec{0}, K, IV_1)$, label using the first 3 bytes of the keystreams.
+
+Then $\forall K_0, K_1$ s.t. $E(E(P, K_0, IV_0), K_1, IV_1)$`[:3] == b'hkc'`, check if `[:9] == b'hkcert20{'`
+
+---
+
+```python=
+from Crypto.Cipher import AES
+from Crypto.Util import Counter
+from Crypto.Util.number import bytes_to_long, long_to_bytes
+import os
+
+flaggie = b'hkcert20{'
+
+ciphervalue = 0x6255c24aa3dd8f58c5fcb41feb90f90e73e870db651d5a963498f062c2c1572430098acf05
+ciphertext = long_to_bytes(ciphervalue)
+
+head = bytes_to_long(flaggie[:3]) ^ bytes_to_long(ciphertext[:3])
+
+# In the future, we have not only time inversion but also quantum computers.
+# So, we need to encrypt twice to double the key size.
+class TenetAES():
+    def __init__(self, key0, key1):
+        self.aes128_0 = AES.new(key=key0, mode=AES.MODE_CTR, counter=Counter.new(128, initial_value=1))
+        self.aes128_01 = AES.new(key=key0, mode=AES.MODE_CTR, counter=Counter.new(128, initial_value=1))
+        self.aes128_1 = AES.new(key=key1, mode=AES.MODE_CTR, counter=Counter.new(128, initial_value=129))
+        self.aes128_11 = AES.new(key=key1, mode=AES.MODE_CTR, counter=Counter.new(128, initial_value=129))
+
+    def keystreams(self, n = 37):
+        return self.aes128_0.encrypt(b'\0' * n), self.aes128_1.encrypt(b'\0' * n)
+
+    def encrypt(self, s):
+        n = len(s)
+        x = self.aes128_1.encrypt(self.aes128_0.encrypt(s))
+        y = long_to_bytes(
+                bytes_to_long(self.aes128_01.encrypt(b'\0' * n)) 
+                ^ bytes_to_long(self.aes128_11.encrypt(b'\0' * n)) 
+                ^ bytes_to_long(s)
+            ) 
+        assert x == y
+        return x
+
+    def decrypt(self, data):
+        n = len(data)
+        x = self.aes128_0.decrypt(self.aes128_1.decrypt(data))
+        y = long_to_bytes(
+                bytes_to_long(self.aes128_01.encrypt(b'\0' * n)) 
+                ^ bytes_to_long(self.aes128_11.encrypt(b'\0' * n)) 
+                ^ bytes_to_long(data)
+            ) 
+        assert x == y
+        return x
+
+#with open('flag.txt') as f:
+#    flag = f.read()
+
+# The National Security Law in the near future requires first 13 bytes of
+# keys to be zeros.
+
+#key1 = b'\0' * 13 + os.urandom(3)
+#key2 = b'\0' * 13 + os.urandom(3)
+
+one = [[] for i in range(16777216)]
+two = [[] for i in range(16777216)]
+
+for i in range(16777216):
+    key1 = b'\0' * 13 + i.to_bytes(3, byteorder = 'big')
+    key2 = b'\0' * 13 + i.to_bytes(3, byteorder = 'big')
+    a, b = TenetAES(key1, key2).keystreams()
+    one[bytes_to_long(a[:3])].append(i)
+    two[bytes_to_long(b[:3])].append(i)
+
+for i in range(16777216):
+    for a in one[i]:
+        for b in two[i ^ head]:
+            key1 = b'\0' * 13 + a.to_bytes(3, byteorder = 'big')
+            key2 = b'\0' * 13 + b.to_bytes(3, byteorder = 'big')
+            aa, bb = TenetAES(key1, key2).keystreams()
+            aa = bytes_to_long(aa)
+            bb = bytes_to_long(bb)
+            x = (aa ^ bb ^ ciphervalue).to_bytes(37, byteorder='big')
+            assert x[:3] == b'hkc'
+            if x[:9] == flaggie:
+                print(key1)
+                print(key2)
+                print(x)
+```
+
+```python
+b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00+!0'
+b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&\x84\xd2'
+b'hkcert20{7h3_b361nn1n6_15_7h3_3nd1n6}'
+```
+
+---
+
+P.S.
+
+![](https://i.imgur.com/39LHsr8.png)
+
+P.P.S. Official Hint: (viewed after contest)
+In "Tenet", red team and blue team meet in the middle.
+
+---
+
+###### _In memory of Neil_
+
diff --git a/tuning-keyboard/writeups/t0077/README.md b/tuning-keyboard/writeups/t0077/README.md
@@ -0,0 +1,38 @@
+# HKCERT CTF Challenge 2020 Writeup
+### Team: T0077 - HKUST
+### Challenge Name: Tuning Keyboard 通靈字盤 (Misc, 482 points)
+
+Solved by _Vincent_
+Written by _Starry Miracle_
+
+---
+
+Flag format: `hkcert20{...}`
+
+Description 描述：
+* Username: Guest 帳號： 訪客
+* Password: Guess 密碼： 猜測
+
+---
+
+Step 1. Look at the free hint! (isn't them cute?)
+
+![](https://i.imgur.com/rd43vn3.jpg)
+
+Step 2. Find out what is going on 
+
+- Unzip the file. You should find `0.jpg`, `1.jpg`, `flag.jpg` and `yaminogemu.html`.
+- Have a look at `yaminogemu.html` (after you find out that it is not a steganography challenge)
+- There is a comment in line 52, how about changing it to `q.innerText += ''+ok+''+dk+''+ek+''+ak+''+tk+''+hk;`
+- Some 1s and 0s shows up! Maybe this is the encoded flag?
+- However, after restarting and get the value of `q` again, the result changed...
+- It seems that `setTimeout` is not accurate enough to "get the frequency" of the challenge author
+
+Step 3. Solving the challenge :)
+
+- Write a solver that can simulate what the `setTimeout` in HTML
+![](https://imgur.com/RMxw4YU.jpg)
+- Since it is in group of 6, maybe the binarys are encoded in group of 6? (2^6 is ... 64!)
+Converting the binary to base64 we get`aGtjZXJ0MjB7SEEqTkEqU0V9`, and decoding this we get the flag.
+
+Flag: `hkcert20{HA*NA*SE}`
