- GitHub - p4-team/crypto-commons: Small python module for common CTF crypto functions
- quipqiup: substitution cipher
- Substitution Solver - www.guballa.de: substitution cipher
- Decode.fr: old school ciphers
- Modular conversion, encoding and encryption online — Cryptii: enigma
- CSCBE2019 - Rosetta: multiple ciphers / alphabets / languages / fonts
- Code-Breaking, Cipher and Logic Puzzle solving tools | Boxentriq
- CyberChef: magic mode
- kt.gy tools: decode string
- GitHub - mwielgoszewski/python-paddingoracle: A portable, padding oracle exploit API
- https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html
- https://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/
```python
import gmpy2
gmpy2.get_context().precision = 200000  # enough float precision for large integers
m = gmpy2.root(c, 3)  # c: ciphertext integer
gmpy2.isqrt(B * N // A)
```

```python
import hashlib
hashlib.md5(b'foo').hexdigest()  # update() returns None, so it cannot be chained
```

```python
# ~/code/guides/ctf/TFNS---writeups/2020-09-25-BalCCon/cryptosh/cryptsh.py
from Crypto.Cipher import AES
from Crypto.Util.strxor import strxor
from Crypto.Util.Padding import pad, unpad
```

```python
# ~/code/guides/ctf/TFNS---writeups/2020-09-25-BalCCon/do_u_have_knowledge/server.py
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
cipher = Cipher(algorithms.AES(b'1234567890123456'), modes.ECB(), backend = default_backend())
```
- Hill cipher - https://github.com/t3rmin0x/CTF-Writeups/tree/master/DarkCTF/Crypto/Embrace%20the%20Climb#embrace-the-climb-
- https://en.wikipedia.org/wiki/Feistel_cipher
- indistinguishability under chosen-plaintext attack (IND-CPA)
- id
- CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.
- https://github.com/HashPals/Search-That-Hash/blob/main/search_that_hash/cracker/online_mod/online.py
- POSIX user account passwords (`/etc/passwd`, `/etc/shadow`)
  - ./misc.md#crypt
- md5 with salt

```bash
hashcat -m 20 -a 0 -o cracked.txt crackme.txt /usr/share/wordlists/rockyou.txt --force # $hash:$salt
```
- The MD5 Message-Digest Algorithm
- hs256 = hmac sha256
- Given `AES_CTR(SHA1(msg), KEY)` (AES keystream unchanged):
  - length extension
  - hmac value calculation: `mac_evil = mac_good ^ sha1(msg_good) ^ sha1(msg_evil)`
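The relation above, checked against a keyed HMAC, as an added example that is not code from the original notes. Assumptions: the AES-CTR keystream is replaced by a fixed stand-in byte string (only its reuse across messages matters), and the sample messages are constructed.

```python
import hashlib
import hmac
import os

KEY = os.urandom(16)
# Assumption: stand-in for the AES-CTR keystream. With a fixed key and nonce the
# keystream bytes are identical for every message, the only property used here.
KEYSTREAM = hashlib.sha256(b"ctr-keystream" + KEY).digest()[:20]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_mac(msg: bytes) -> bytes:
    """AES_CTR(SHA1(msg), KEY) with an unchanged keystream."""
    return xor(hashlib.sha1(msg).digest(), KEYSTREAM)


def hmac_tag(msg: bytes) -> bytes:
    """Keyed construction for comparison: HMAC-SHA1 under the same key."""
    return hmac.new(KEY, msg, hashlib.sha1).digest()


def derive_tag(mac_good: bytes, msg_good: bytes, msg_evil: bytes) -> bytes:
    """mac_evil = mac_good ^ sha1(msg_good) ^ sha1(msg_evil); the key is never used."""
    delta = xor(hashlib.sha1(msg_good).digest(), hashlib.sha1(msg_evil).digest())
    return xor(mac_good, delta)


def demo() -> tuple[bool, bool]:
    good, evil = b"role=user", b"role=admin"  # constructed sample messages
    weak_ok = hmac.compare_digest(derive_tag(weak_mac(good), good, evil), weak_mac(evil))
    hmac_ok = hmac.compare_digest(derive_tag(hmac_tag(good), good, evil), hmac_tag(evil))
    return weak_ok, hmac_ok


if __name__ == "__main__":
    print(demo())
```

The derived tag verifies under the keystream construction and is rejected by HMAC, because the HMAC key is mixed into the hash input instead of being XORed onto its output.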
```bash
ssdeep -s foo > fuzzy.db
ssdeep -s -a -m fuzzy.db foo bar
# foo matches fuzzy.db:foo (100)
# bar matches fuzzy.db:foo (0)
```
- GitHub - sdhash/sdhash: similarity digest hashing tool
- GitHub - ssdeep-project/ssdeep: Fuzzy hashing API and fuzzy hashing tool
```bash
# Digests of the empty input
md5sum < /dev/null # d41d8cd98f00b204e9800998ecf8427e
sha1sum < /dev/null # da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256sum < /dev/null # e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
```
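```javascript
// [GRC's | Password Haystacks: How Well Hidden is Your Needle?](https://www.grc.com/haystack.htm)
// Search space: count of all passwords of length 1..len over an alphabet of
// window.charsetsize symbols (window.charsetsize must be set beforehand).
function grc(len) {
    if (len < 1) {
        return 0;
    } else if (len == 1) {
        return window.charsetsize;
    }
    return Math.pow(window.charsetsize, len) + grc(len - 1);
}
console.log(grc(64));
// charsetsize = 10, grc(2): 10 + 100 = 110
```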
```python
>>> from itertools import permutations
>>> from math import factorial
>>> len(list(permutations([i for i in range(0,10)], 2)))
90
>>> int(factorial(10)/factorial(10-2))
90
>>> int(factorial(36)/factorial(36-8))
1220096908800
# MAC address
>>> int(factorial(16)/factorial(16-12))
871782912000
```
- GitHub - Ganapati/RsaCtfTool: RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data
- Factorizing big integers - http://factordb.com/
```python
from Crypto.Util.number import getStrongPrime
f = b"[REDACTED]"
m = int.from_bytes(f, "big")
p = getStrongPrime(512)
q = getStrongPrime(512)
n = p * q
e = 65537
# https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Encryption
c = pow(m, e, n)
# https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Decryption
d = pow(e, -1, (p - 1) * (q - 1)) # modinv(e, phi(modulus))
m = pow(c, d, n)
```
- From public key: take modulus = `n`

```bash
openssl rsa -inform PEM -pubin -in public.key -text -noout
```
- https://github.com/VulnHub/ctf-writeups/blob/master/2015/eko-party-pre-ctf/rsa-2070.md
- Small `e`: take cube root of `c`
- `n = p`:

```
phi(N) = p - 1
d = modinv(e, p-1)
```
- Coppersmith's short pad + Franklin-Reiter related-message
- univariate polynomial
- bivariate polynomial
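The small-`e` case from the list above, as an added example that is not code from the original notes: an exact integer cube root (instead of a high-precision float root) recovers an unpadded short message, and fails once the message is padded to the width of the modulus. Assumptions: the modulus is built from two published primes so the block runs offline, and `pad_full_width` is an illustrative padding, not OAEP.

```python
import os

# Constructed demo modulus built from two published primes (the Ed448 and NIST
# P-384 field primes) so the example runs offline; real keys use secret primes.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3


def iroot(n: int, k: int) -> tuple[int, bool]:
    """Exact integer k-th root by binary search: (floor(root), is_exact)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo**k == n


def encrypt(m: bytes) -> int:
    """Textbook RSA: c = m^e mod n, no padding added here."""
    return pow(int.from_bytes(m, "big"), E, N)


def cube_root_recover(c: int):
    """Returns the plaintext if m^e never wrapped around n, else None."""
    root, exact = iroot(c, E)
    return root.to_bytes((root.bit_length() + 7) // 8, "big") if exact else None


def pad_full_width(msg: bytes) -> bytes:
    """Illustrative random padding to just under the modulus size (not OAEP)."""
    size = (N.bit_length() - 1) // 8
    return b"\x02" + os.urandom(size - len(msg) - 2) + b"\x00" + msg


MSG = b"constructed demo secret"

if __name__ == "__main__":
    print(cube_root_recover(encrypt(MSG)))                  # short m: recovered
    print(cube_root_recover(encrypt(pad_full_width(MSG))))  # full-width m: None
```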
- On length(known_prefix) >= length(key), full decryption is direct

```bash
~/code/snippets/ctf/crypto/xor_decrypt.py 'darkCTF{' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # 1337hack>'%lXjM$-*q.V
~/code/snippets/ctf/crypto/xor_decrypt.py '1337hack' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # darkCTF{kud0s_h4xx0r}
~/code/snippets/ctf/crypto/xor_decrypt.py 'darkCTF{kud0s_h4xx0r}' <(printf '%s' '5552415c2b3525105a4657071b3e0b5f494b034515' | xxd -r -p) # 1337hack1337hack1337h
```
- Split message into aligned sequences, count frequencies of chars for each column, take most frequent char and xor with expected most frequent char (e.g. `_`) to obtain key
  - Alternative: xortool
- CTFtime.org / BalCCon2k20 CTF / Xoared / Writeup
- Guessing key length + values by decrypted output byte range
  - ~/code/guides/ctf/grayrepo/2017_flareon/flare10_shellphp/README.md
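The known-prefix recovery from the repeating-key XOR notes above, as an added example (not the `xor_decrypt.py` script referenced in the notes, whose contents are not on this page). It uses the ciphertext and prefix quoted there; the function names are hypothetical.

```python
from itertools import cycle

# Ciphertext and known flag prefix taken from the commands above.
CIPHERTEXT = bytes.fromhex("5552415c2b3525105a4657071b3e0b5f494b034515")
KNOWN_PREFIX = b"darkCTF{"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_known(ciphertext: bytes, known: bytes) -> bytes:
    """ciphertext XOR known plaintext = key bytes for the covered positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that, repeated, reproduces the whole stream."""
    for size in range(1, len(stream) + 1):
        if all(b == stream[i % size] for i, b in enumerate(stream)):
            return stream[:size]
    return stream


def recover(ciphertext: bytes, known: bytes) -> tuple[bytes, bytes]:
    """Only complete when len(known) >= len(key), as the note above states."""
    key = shortest_period(keystream_from_known(ciphertext, known))
    return key, xor_repeat(ciphertext, key)


if __name__ == "__main__":
    key, plaintext = recover(CIPHERTEXT, KNOWN_PREFIX)
    print(key, plaintext)
```

Any predictable header, file magic or flag format at least as long as the key plays the role of the known prefix, which is why a repeating XOR key offers no confidentiality for structured data.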
- key length: ~/code/snippets/ctf/crypto/kasiski.py
- letter frequency: ~/code/snippets/ctf/crypto/frequency_analysis.py
- decrypt letters: ~/code/snippets/ctf/crypto/chi_squared.py
- known seed => bruteforce generated values
```python
import random, string
random.seed(1601405147.6444)
alphabet = list(string.ascii_lowercase + string.digits)
print("".join([random.choice(alphabet) for _ in range(32)]))
# mq4fyjs6rlo5jjotg3xiwr76z8hm4chi
```
- CTFtime.org / BalCCon2k20 CTF / Two Sides of a Coin / Writeup
- ~/share/ctf/BalCCon2k20/two-sides-of-a-coin-solutions/
- small n-periodic
- https://ctftime.org/writeups?tags=prng&hidden-tags=prng
- https://www.cryptomathic.com/news-events/blog/generating-cryptographic-keys-with-random-number-generators-prng
- ~/Downloads/Not_So_Random_-_Exploiting_Unsafe_Random_Number_Generator_Use.pdf
- given known implementation, optionally seed range, and multiple generated values, then bruteforce seed
- GitHub - altf4/untwister: Seed recovery tool for PRNGs
- GitHub - kmyk/mersenne-twister-predictor: Predict MT19937 PRNG, from preceding 624 generated numbers. There is a specialization for the "random" of Python standard library.
- https://dragonsector.pl/docs/0ctf2016_writeups.pdf
- https://sasdf.github.io/ctf/tasks/2019/BalsnCTF/crypto/unpredictable/
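The seed search described above (known implementation, bounded seed range, observed output), as an added example that is not code from the original notes. It replays a token generator shaped like the earlier `random.seed` snippet over a time window, then runs the same search against a token drawn from `random.SystemRandom()`. Assumptions: the seed is an integer Unix timestamp and the window is one hour either side; both values are constructed.

```python
import random
import string

ALPHABET = string.ascii_lowercase + string.digits


def token_from_seed(seed: int, length: int = 32) -> str:
    """Token generator in the style of the snippet above, seeded explicitly."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def csprng_token(length: int = 32) -> str:
    """Same alphabet, drawn from the OS CSPRNG (no seed to recover)."""
    rng = random.SystemRandom()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def find_seed(observed: str, start: int, stop: int):
    """Replay the known generator for every seed in [start, stop)."""
    for seed in range(start, stop):
        if token_from_seed(seed, len(observed)) == observed:
            return seed
    return None


def demo() -> tuple:
    issued_at = 1_700_000_000  # constructed: integer Unix time used as the seed
    window = (issued_at - 3600, issued_at + 3600)  # assumed +/- 1 h uncertainty
    weak = find_seed(token_from_seed(issued_at), *window)
    strong = find_seed(csprng_token(), *window)
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The time-seeded token yields its seed after at most 7200 replays, while the `SystemRandom` token matches no seed in the window.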
- Lagrange Interpolation in finite field (i.e. Galois field)
```python
F = GF(691)
points = [(0, 125), (1, 492), (2, 670), (3, 39), ... , (688, 130), (689, 487), (690, 18)]
R = F['x']
print(R.lagrange_polynomial(points))
```
- Transformation Matrix
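```python
from sage.all import *

# enc, MOD and FLAG_LEN come from the challenge
vals = vector(mod(enc(i), MOD) for i in range(FLAG_LEN))
coeffs = Matrix(
    [
        [mod(i ** (FLAG_LEN - j - 1), MOD) for j in range(FLAG_LEN)]
        for i in range(FLAG_LEN)
    ]
)
# Solve coeffs * flag = vals for the polynomial coefficients
flag = coeffs.solve_right(vals)
```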
- https://crypto.stackexchange.com/questions/31019/if-you-encrypt-an-image-aes-is-it-still-an-image-and-can-you-view-it
- https://blog.filippo.io/the-ecb-penguin/
- https://crypto.stackexchange.com/questions/63145/variation-on-the-ecb-penguin-problem
```bash
head -n 4 Tux.ppm > header.txt
tail -n +5 Tux.ppm > body.bin
openssl enc -aes-128-ecb -nosalt -pass pass:"ANNA" -in body.bin -out body.ecb.bin
cat header.txt body.ecb.bin > Tux.ecb.ppm
```
- fixed nonce => similar to repeating xor key, but using same keystream bytes across ciphertexts
Language | CSPRNG |
---|---|
.NET | RNGCryptoServiceProvider() |
Java | java.security.SecureRandom() |
JavaScript (Node.js) | crypto.randomBytes() |
PHP | random_bytes() |
Python | random.SystemRandom() |
- https://blog.quarkslab.com/differential-fault-analysis-on-white-box-aes-implementations.html
- https://www.ledger.com/ctf-complete-hw-bounty-still-ongoing-2-337-btc/
  - induce faults using GDB during the computation, retrieve the faulty result and then execute AES DFA (Differential Fault Analysis)
- https://n00bcak.github.io/writeups/2021/04/08/AngstromCTF-2021.html
- https://github.com/TFNS/writeups/tree/master/2020-04-25-IJCTF
- https://github.com/TFNS/writeups/tree/master/2020-04-12-ByteBanditsCTF
- https://github.com/TFNS/writeups/tree/master/2020-03-07-zer0ptsCTF/ror
- https://github.com/TFNS/writeups/tree/master/2020-03-01-AeroCTF/magic
- https://www.pcg-random.org/posts/visualizing-the-heart-of-some-prngs.html
  - reproduce vizs
- https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d
- https://blog.malwarebytes.com/threat-analysis/2018/01/scarab-ransomware-new-variant-changes-tactics/
- identifying files in raw dumps - 1. hash the first k bytes of all known files; 2. take offsets matching a given sequence, hash the first k bytes at those offsets, then compare with known set
- discovering bugs due to unexpected magic byte sequences
Mostly just IDA, I managed to get a trace of lsass while CryptUnprotectData() was working and failing, then got a lucky break - I saw it derive a key from a byte sequence I knew (da 39 a3 ee...), that's the SHA-1 of the empty string! That led me to credentials being clobbered
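The two-step procedure for identifying files in raw dumps listed above, as an added example that is not code from the original notes. Assumptions: `k = 16`, SHA-256 as the hash, the PNG signature as the anchor sequence, and a constructed dump holding two known files plus one decoy that shares the magic bytes.

```python
import hashlib

K = 16  # assumed prefix length; must cover more than the shared magic bytes
MAGIC = b"\x89PNG\r\n\x1a\n"  # PNG signature, used as the anchor sequence

# Constructed sample data: two known files and a dump containing both plus a decoy.
KNOWN = {
    "logo.png": MAGIC + b"logo-header-bytes" + b"A" * 32,
    "icon.png": MAGIC + b"icon-header-bytes" + b"B" * 32,
}
DUMP = (b"\x00" * 7 + KNOWN["logo.png"] + b"\xff" * 5
        + MAGIC + b"unknown-content!" + b"\x00" * 3 + KNOWN["icon.png"][:40])


def build_index(known: dict, k: int = K) -> dict:
    """Step 1: hash the first k bytes of every known file."""
    return {hashlib.sha256(data[:k]).hexdigest(): name
            for name, data in known.items() if len(data) >= k}


def magic_offsets(dump: bytes, magic: bytes):
    """Yield every offset where the anchor sequence occurs."""
    pos = dump.find(magic)
    while pos != -1:
        yield pos
        pos = dump.find(magic, pos + 1)


def identify(dump: bytes, magic: bytes, index: dict, k: int = K) -> list:
    """Step 2: hash k bytes at each anchor offset and look them up."""
    hits = []
    for off in magic_offsets(dump, magic):
        window = dump[off:off + k]
        if len(window) < k:
            continue  # truncated at the end of the dump
        name = index.get(hashlib.sha256(window).hexdigest())
        if name:
            hits.append((off, name))
    return hits


if __name__ == "__main__":
    print(identify(DUMP, MAGIC, build_index(KNOWN), K))
```

The decoy at offset 69 carries the magic bytes but not a known prefix, so it is skipped; a truncated known file still matches as long as its first `k` bytes are present.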