ctf writeups ✏️

2024

UMDCTF 2024

• Key Recovery: RSA wounded key recovery with wounded $n$
• attack of the worm: Adversarial image generation with limited number of changed pixels
• the worm strikes back: Adversarial patch generation on blackbox test set

GEEKCTF

• liquor: UTF-8 compatbile shared object shellcode
• HNP: Solve orthogonal vectors and hidden number problem with lattices
• SpARse: RSA wounded key recovery with diffusely wounded $d, p, q, d_p, d_q$.
• SafeBlog2: SQL injection with stored LIKE patterns
• PicBed: Request smuggling and Golang path cleaning bypass

2023

SekaiCTF 2023

• RandSubWare: Differential attack on 5 round SPN cipher
• Noisy CRC: Integrity check with non-irreducible polynomial
• Noisier CRC: CRT and smart brute force over lattice basis
• Diffecientwo: z3 to cause murmurhash3 collision in bloom filter
• cryptoGRAPHy 1: Understand graph encryption
• cryptoGRAPHy 2: Regenerate tree from edge list
• cryptoGRAPHy 3: Recover tree isomorphism

Bauhinia CTF 2023

• Quantum Entanglement: mt19937_64 MSB stream decays into LFSR
• VSCode: Recovering text and colors from VSCode minimap screenshot

GreyCTF 2023 Finals

• Baby Feistel: Invertible feistel cipher implies weak round key derivation function + Hensel lift
• Iterated Polynomials: Convert polynomial transformation into matrix discrete logarithm
• Smart: Cycle finding in random function
• AES confusion: AES decryption oracle + python PRNG recovery
• OTP 2: Variable juggling + recover small discrete logarithms
• POTP: Search and prune on product of polynomials

DEF CON CTF Qualifer 2023

• Artifact Bunker: Template injection into YAML file and leaking data from tar archive using partial zip overwrites

PlaidCTF 2023

• bivalves: Recover LFSR-like cipher state using z3
• fastrology: Recover javascript Math.random() PRNG state from rounded outputs using equations in $\mathbb{F}_2$
• The Other CSS: Break Content Scrambling System-like block cipher, summation LFSR and auth handshake using z3.

Hack-a-Sat 4 Qualifiers

• As Below: Automate static keygen for multiple wasm key checker binaries
• Leavenworth Street: Use docker forensics and crystal-lang binary reversing to understand judge service, then implement a grid maze solver in javascript
• Hyde Street: Automate static keygen for key checker binaries in javascript with access to source
• So Above: Automate static keygen for key checker binaries in javascript using iced-x86 and elfinfo

ACSC 2023

• Corrupted: RSA key recovery from censored private key
• Dual Signature Algorithm: Leak DSA key from nonce and key reuse with different modulus using CVP
• EasySSTI: Golang SSTI into RFI using echo Context scope
• Check_Number_63: Recover RSA key from modulus reuse across different $e$ with CVP
• ngo: Speed up LSFR with fast exponentiation
• Admin Dashboard: HTTP method confusion + forging LCG token
• Hardware is not so hard: SD / SPI packet carving
• serverless: Reverse obfuscated RSA function in webpage
• Merkle Hellman: Small cipher space on knapsack cryptosystem

2022

STACK The Flags 2022

• Encryptdle: Chosen plaintext attack on Camellia cipher
• jagacha: Recover python PRNG
• Pad the flag: Modified Bleichenbacher padding oracle attack
• MysteryCrypt: Meet-in-the-middle to break small key on feistel-like cipher
• ThatsALotOfRSA: Online queries for RSA key duplication

SECCON CTF 2022

• janken vs kurenaif: Recover seed for python PRNG
• witches_symmetric_exam: Chaining OFB padding oracle into ECB encryption oracle into GCM encryption / decryption oracle
• insufficient: Break multivariate polynomial shares with CVP
• this_is_not_lsb: RSA interval oracle and binary search
• BBB: Polynomial RNG parameter selection to make RNG cyclic + Hastad’s broadcast attack on RSA
• pqpq: Polynomial massaging to break RSA

WMCTF 2022

• ecc: Elliptic curve parameter recovery
• homo: Knapsack cryptosystem with weak parameter sizes
• nanoDiamond / nanoDiamond-rev: Using error correction codes to win Ulam’s game

UIUCTF 2022

• Bro-key-n: RSA key recovery from censored private key
• Sussy ML: Exploratory data analysis and clustering on intermediate image classifier output
• blackboxwarrior: imagehash.average_hash() collision
• mom can we have AES: MITM on toy handshake protocol + chosen plaintext attack on AES-ECB
• That-crete Log: Pohlig-Hellman on partially smooth prime
• Elliptic Clock Crypto: Discrete log on ellipse curve with smooth order

MCH 2022

• qEXMRY^7: Statistical analysis to revert XOR cipher
• Sharing is caring: Shamir’s Secret Sharing over integers
• Squaring Off: One prime Paillier

ImaginaryCTF 2022

• Poker: Recover python PRNG behind a modulo
• Secure Encoding: Base64: Revert substitution cipher on Base64 data using simulated annealing
• Living Without Expectations: Break learning with errors with CVP
• Lorge: Break RSA key with smooth primes using Pollard p-1 attack despite mitigations
• stream: Reverse binary and derive LCG key
• hash: Custom hash collision using z3
• otp: Biased one time pad

Google CTF 2022

• OCR: Leak images in a ML test set with specially crafted model weights
• Cycling: Recover RSA key from leaked $k\lambda(n)$

International Cybersecurity Challenge 2022

• Trademark: Attack-defense service with polynomial cryptosystem and authorization bypass

SEETF 2022

• Probability: Recover python PRNG from random.random() output + dynamic programming to win blackjack
• To Infinity: Pathfinding over finite field using CVP and continued fractions
• WeirdMachine: Assembly golf with awkward branching behaviour
• Welcome: Carving QR code from video with opencv
• Username Generator: XSS using window.name

2021

ACSC 2021

• Cowsay as a Service: Node.js server prototype pollution into shell injection
• Favorite Emojis: Server side request forgery into XSS
• Swap on Curve: Elliptic curve parameter recovery with swappable points
• Two Rabin: Polynomial massaging and coppersmith
• Wonderful Hash: Custom hash collision using meet in the middle attack
• RSA Stream: RSA related message
• NYONG Coin: Overwritten file carving with autopsy
• Pickle Rick: Recovering bytecode from python pickle

CTF.SG CTF 2021

• GRIC: Linear checksum parameter recovery
• Live From Serangoon Road: Recover LSFR state with z3
• TOTOTT: Detecting pseudorandom functions with math and statistics
• Which Lee?: Breaking toy neural network classifier with numerical instability

DSO-NUS CTF 2021

• Syscall Phobia: Shellcode with ROP to blacklisted instructions
• YALA (Part 1): Static .apk analysis and password cracking

2020 and earlier

STACK the Flags 2020

• Feed the Beast: blind SQLi via RSS feed parser
• You shall not pass!: Domain spoofing + XSS via postMessage and client side template injection
• IOT RSA Token: 1602 LCD protocol sniffing + forging RSA SecurID OTP

Facebook CTF 2019

• keybaseish: Generate valid RSA public key for a fixed signature

SwampCTF 2018

• Pagoda 1/2/3: Base64 but using chinese I-Ching hexagrams
• Orb of light 1/2/3: Quipquip + projectile math + fragmented image stego