Add WACon 2022

Author: pcw109550

README.md

@@ -1,5 +1,14 @@
 # my-ctf-challenges
 
+## [WACon 2022 Finals](https://wacon.world/)
+
+- [mcgonagall](WACon2022/Final/mcgonagall/) (Crypto)
+- [trinity](WACon2022/Final/trinity/) (Crypto)
+
+## [WACon 2022 Quals](https://wacon.world/)
+
+- [chukjibeop](WACon2022/Qual/chukjibeop) (Misc)
+
 ## [GoN 2022 Spring Open Qual](https://dreamhack.io/ctf/24/)
 
 - [trillionaire](https://dreamhack.io/wargame/challenges/475/) (BlockChain, Crypto)

WACon2022/Final/mcgonagall/.DS_Store

@@ -0,0 +1,2 @@
+__pycache__/
+*.sage.py

WACon2022/Final/mcgonagall/.gitignore

@@ -0,0 +1,25 @@
+# mcgonagall
+
+- Author : diff
+- Category : Crypto
+- Division : main
+
+# Description
+
+Again?
+
+# Flag
+
+`WACon{BKZ_with_nonce_bit_length_exposure}`
+
+# Deployment Guide
+
+`docker-compose up -d --build` at deploy directory
+
+# Distribution Guide
+
+Deploy tarball located at [deploy](./deploy)
+
+# External Writeups
+
+- [https://drive.google.com/file/d/1o0pkcq0YhV97FxTzxrHXRwYhtscATYfj/view](https://drive.google.com/file/d/1o0pkcq0YhV97FxTzxrHXRwYhtscATYfj/view)

WACon2022/Final/mcgonagall/README.md

@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+RUN apt-get update
+RUN apt-get install socat python3 python3-pip -y
+RUN pip3 install pycryptodome ecdsa
+WORKDIR /app
+COPY ./chall.py /app
+COPY ./flag.py /app
+EXPOSE 13337
+CMD ["socat", "TCP-LISTEN:13337,reuseaddr,fork", "EXEC:python3 chall.py,nofork,stderr"]

WACon2022/Final/mcgonagall/deploy/.DS_Store

@@ -0,0 +1,48 @@
+import signal
+from hashlib import sha256
+from random import choice, randint
+from secrets import randbits, token_bytes
+from string import ascii_uppercase, digits
+
+from ecdsa import SECP256k1, SigningKey
+
+from flag import flag
+
+
+def PoW():
+    s = "".join(choice(ascii_uppercase + digits) for _ in range(16))
+    print(s)
+    answer = input()
+    hash = sha256((s + answer).encode()).hexdigest()
+    assert hash[:6] == "000000"
+
+
+def main():
+    trials = 30
+    correct = 0
+    for _ in range(trials):
+        sk = SigningKey.generate(curve=SECP256k1)
+        pk = sk.privkey.secret_multiplier
+        print(sk.get_verifying_key().pubkey.point.x())
+        print(sk.get_verifying_key().pubkey.point.y())
+
+        info = 0
+        for _ in range(256):
+            msg = token_bytes(32)
+            klen = randint(250, 256)
+            sig = sk.sign(msg, k=randbits(klen))
+            info += 256 - klen
+            print(msg.hex(), sig.hex(), klen)
+
+        assert info >= pk.bit_length()
+
+        pk_ = int(input())
+        if pk_ == pk:
+            correct += 1
+
+    assert correct / trials >= 0.7
+    print(flag)
+
+
+if __name__ == "__main__":
+    [signal.alarm(1200), PoW(), main()]

WACon2022/Final/mcgonagall/deploy/Dockerfile

@@ -0,0 +1,6 @@
+version: '2.4'
+services:
+    mcgonagall:
+        build: ./
+        ports:
+            - "13337:13337"

WACon2022/Final/mcgonagall/deploy/chall.py

@@ -0,0 +1 @@
+flag = b"WACon{BKZ_with_nonce_bit_length_exposure}"

WACon2022/Final/mcgonagall/deploy/docker-compose.yml

@@ -0,0 +1,48 @@
+import signal
+from hashlib import sha256
+from random import choice, randint
+from secrets import randbits, token_bytes
+from string import ascii_uppercase, digits
+
+from ecdsa import SECP256k1, SigningKey
+
+from flag import flag
+
+
+def PoW():
+    s = "".join(choice(ascii_uppercase + digits) for _ in range(16))
+    print(s)
+    answer = input()
+    hash = sha256((s + answer).encode()).hexdigest()
+    assert hash[:6] == "000000"
+
+
+def main():
+    trials = 30
+    correct = 0
+    for _ in range(trials):
+        sk = SigningKey.generate(curve=SECP256k1)
+        pk = sk.privkey.secret_multiplier
+        print(sk.get_verifying_key().pubkey.point.x())
+        print(sk.get_verifying_key().pubkey.point.y())
+
+        info = 0
+        for _ in range(256):
+            msg = token_bytes(32)
+            klen = randint(250, 256)
+            sig = sk.sign(msg, k=randbits(klen))
+            info += 256 - klen
+            print(msg.hex(), sig.hex(), klen)
+
+        assert info >= pk.bit_length()
+
+        pk_ = int(input())
+        if pk_ == pk:
+            correct += 1
+
+    assert correct / trials >= 0.7
+    print(flag)
+
+
+if __name__ == "__main__":
+    [signal.alarm(1200), PoW(), main()]

WACon2022/Final/mcgonagall/deploy/flag.py

@@ -0,0 +1,108 @@
+#!/usr/local/bin/sage
+import os
+import time
+from hashlib import sha1, sha256
+
+from Crypto.Util.number import long_to_bytes as l2b
+from tqdm import tqdm
+
+os.environ["PWNLIB_NOTERM"] = "1"
+from pwn import *
+from sage.all import *
+
+# context.log_level = "DEBUG"
+p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
+b = 0x0000000000000000000000000000000000000000000000000000000000000007
+a = 0x0000000000000000000000000000000000000000000000000000000000000000
+n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
+Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
+Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
+E = EllipticCurve(GF(p), [a, b])
+G = E(Gx, Gy)
+l = 256
+Z = Zmod(n)
+
+
+conn = remote("127.0.0.1", 13337)
+
+# PoW
+s = conn.recvline().rstrip().decode()
+assert len(s) == 16
+for i in tqdm(range(1 << 26)):
+    t = str(i)
+    hash = sha256((s + t).encode()).hexdigest()
+    if hash[:6] == "000000":
+        conn.sendline(t.encode())
+        break
+
+
+trial = 30
+success = 0
+for t in range(trial):
+    Px = int(conn.readline(keepends=False))
+    Py = int(conn.readline(keepends=False))
+
+    rs = [None for _ in range(l)]
+    ss = [None for _ in range(l)]
+    hs = [None for _ in range(l)]
+    cs = [None for _ in range(l)]
+    pubkey = E(Px, Py)
+    for i in range(l):
+        row = conn.readline(keepends=False).split()
+        r, s = int(row[1][:64], 16), int(row[1][64:], 16)
+        h = int.from_bytes(sha1(l2b(int(row[0], 16))).digest(), byteorder="big")
+        klen = int(row[2])
+        rs[i] = r
+        ss[i] = s
+        hs[i] = h
+        cs[i] = klen
+
+    print([(cs.count(kk), kk) for kk in range(248, 257)])
+    print(float(sum(cs) / l))
+
+    cs, rs, ss, hs = zip(*sorted(zip(cs, rs, ss, hs)))
+
+    ts = [None for _ in range(l)]
+    us = [None for _ in range(l)]
+    ls = [None for _ in range(l)]
+
+    for i in range(l):
+        sinv = int(1 / Z(ss[i]))
+        ts[i] = sinv * rs[i]
+        us[i] = (-sinv) * hs[i]
+        ls[i] = 256 + 1 - cs[i]
+
+    B = Matrix(ZZ, l + 2, l + 2)
+
+    for i in range(l):
+        li = ls[i] + 1
+        B[i, i] = (2 ^ li) * n
+        B[l, i] = (2 ^ li) * ts[i]
+        B[l + 1, i] = (2 ^ li) * us[i]
+    B[l, l] = 1
+    B[l + 1, l + 1] = n
+
+    beta = 15
+    pk = 0
+
+    st = time.time()
+    print(f"BKZ with beta = {beta}")
+    B = B.BKZ(block_size=beta)
+    for row in B:
+        guess = row[-2] % n
+        d1, d2 = guess, n - guess
+        if pubkey == d1 * G:
+            pk = d1
+            break
+        if pubkey == d2 * G:
+            pk = d2
+            break
+    print("Duration", time.time() - st)
+    print("pk: ", pk)
+    if pk != 0:
+        success += 1
+    print(f"# Success: {success} / {t + 1}")
+    conn.sendline(str(pk).encode())
+
+# flag
+print(conn.recvline())

WACon2022/Final/mcgonagall/deploy/mcgonagall_d956f9aac5ae540c3991ff6588d8906f63fd3992a4105add170b91410129e4fb.tar.gz

@@ -0,0 +1,9 @@
+FROM ubuntu:20.04
+RUN apt-get update
+RUN apt-get install socat python3 python3-pip -y
+RUN pip3 install pycryptodome ecdsa
+WORKDIR /app
+COPY ./chall_updated.py /app
+COPY ./flag.py /app
+EXPOSE 13337
+CMD ["socat", "TCP-LISTEN:13337,reuseaddr,fork", "EXEC:python3 chall.py,nofork,stderr"]

WACon2022/Final/mcgonagall/public/chall.py

@@ -0,0 +1,48 @@
+import signal
+from hashlib import sha256
+from random import choice, randint
+from secrets import randbits, token_bytes
+from string import ascii_uppercase, digits
+
+from ecdsa import SECP256k1, SigningKey
+
+from flag import flag
+
+
+def PoW():
+    s = "".join(choice(ascii_uppercase + digits) for _ in range(16))
+    print(s)
+    answer = input()
+    hash = sha256((s + answer).encode()).hexdigest()
+    assert hash[:6] == "000000"
+
+
+def main():
+    trials = 30
+    correct = 0
+    for _ in range(trials):
+        sk = SigningKey.generate(curve=SECP256k1)
+        pk = sk.privkey.secret_multiplier
+        print(sk.get_verifying_key().pubkey.point.x())
+        print(sk.get_verifying_key().pubkey.point.y())
+
+        info = 0
+        for _ in range(256):
+            msg = token_bytes(32)
+            klen = randint(250, 256)
+            sig = sk.sign(msg, k=randbits(klen))
+            info += 256 - klen
+            print(msg.hex(), sig.hex(), klen)
+
+        assert info >= pk.bit_length()
+
+        pk_ = int(input())
+        if pk_ == pk:
+            correct += 1
+
+    assert correct / trials >= 0.7
+    print(flag)
+
+
+if __name__ == "__main__":
+    [signal.alarm(1200), PoW(), main()]

WACon2022/Final/mcgonagall/solution/solve.sage

@@ -0,0 +1,6 @@
+version: '2.4'
+services:
+    mcgonagall:
+        build: ./
+        ports:
+            - "13337:13337"

WACon2022/Final/mcgonagall/src/Dockerfile

@@ -0,0 +1 @@
+flag = b"WACon{BKZ_with_nonce_bit_length_exposure}"

WACon2022/Final/mcgonagall/src/chall.py

@@ -0,0 +1,2 @@
+__pycache__/
+*.sage.py

WACon2022/Final/mcgonagall/src/docker-compose.yml

@@ -0,0 +1,25 @@
+# trinity
+
+- Author : diff
+- Category : Crypto
+- Division : main, junior
+
+# Description
+
+Push it to the limit.
+
+# Flag
+
+`WACon{Factoring_with_only_a_third_of_the_bits}`
+
+# Deployment Guide
+
+None. Local challenge to help saving the earth.
+
+# Distribution Guide
+
+Deploy tarball located at [./deploy]
+
+# External Writeups
+
+- [https://yunseok.notion.site/WACon-2022-2829178f13f04323acbf66da2e17740e](https://yunseok.notion.site/WACon-2022-2829178f13f04323acbf66da2e17740e)

WACon2022/Final/mcgonagall/src/flag.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+from Crypto.Cipher import PKCS1_OAEP
+from Crypto.PublicKey import RSA
+from Crypto.Util.number import GCD, getPrime
+
+from flag import flag
+
+SIZE = 1024
+key = RSA.generate(SIZE, e=getPrime(SIZE // 12))
+n, e, p, q = key.n, key.e, key.p, key.q
+dp, dq = pow(e, -1, p - 1), pow(e, -1, q - 1)
+cipher = PKCS1_OAEP.new(key)
+assert GCD(2 * e, (e * dp - 1) // (p - 1)) == 1
+
+print(n)
+print(e)
+print(dp % (1 << 200))
+print(dq % (1 << 200))
+print(cipher.encrypt(flag).hex())

WACon2022/Final/trinity/.gitignore

@@ -0,0 +1,5 @@
+150521291786162634207005525778169708708522720074345927077420731185600563387046639806238339255757863868699490815776623273376348175253988894743885370764780600900302789673531599439459445183505805277387459741112034759427671859796591301689098407566045632882616152019038756129184959273344103972335895300046311701809
+30510532618964464063517147
+1277251830107045061098265337744483546719636547425635587593463
+230441702892751221228737480414520264502429400074470159039659
+9118ecc4581f2f200a07a34f64ec91caca2a2adbead4509311af96e76ccecbd042ea284c382b2caf40528c3c86d98f6e9c62c5f72d6e12a8a932f26ac2e32ab86ab85c64919c86a8c2632f5a625d6292947b5f59fb443f672a4e9047e2cb9e6d90e0fd81ac016ea03ed79269b8fbe9c442bd7d77e9278b15dde31f2adc920bd1