## Utils

In [6]:
from Crypto.Util.number import bytes_to_long,long_to_bytes
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import hashlib
def hex_to_bigint(h): 
    return bytes_to_long(bytes.fromhex(h[2:]))




def is_pkcs7_padded(message):
    padding = message[-message[-1]:]
    return all(padding[i] == len(padding) for i in range(0, len(padding)))


def decrypt_flag(shared_secret: int, iv: str, ciphertext: str):
    # Derive AES key from shared secret
    sha1 = hashlib.sha1()
    sha1.update(str(shared_secret).encode('ascii'))
    key = sha1.digest()[:16]
    # Decrypt flag
    ciphertext = bytes.fromhex(ciphertext)
    iv = bytes.fromhex(iv)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext)

    if is_pkcs7_padded(plaintext):
        return unpad(plaintext, 16).decode('ascii')
    else:
        return plaintext.decode('ascii')

# STARTER

### Diffie-Hellman Starter 1

In [6]:
def mul_inv(a, p): 
    return a**(p-2)%p  # using fermat's little thm 

p = 991 
g = 209 

mul_inv(g,p)

569

### Diffie-Hellman Starter 2

If $g^{(i-1)} \equiv 1 \bmod p $ it means it will generate a subgroup and won't generate whole group

In [13]:
p = 28151 

def is_gen(g, p):
    for i in range(2,p): 
        if pow(g, i-1, p ) == 1: 
            return False 
    return True 
     
for i in range(1,p): 
    if is_gen(i, p): 
        print(i)
        break 

7


### Diffie-Hellman Starter 3

In [3]:
g =  2 
a = 972107443837033796245864316200458246846904598488981605856765890478853088246897345487328491037710219222038930943365848626194109830309179393018216763327572120124760140018038673999837643377590434413866611132403979547150659053897355593394492586978400044375465657296027592948349589216415363722668361328689588996541370097559090335137676411595949335857341797148926151694299575970292809805314431447043469447485957669949989090202320234337890323293401862304986599884732815
p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919

pow(g,a,p)

1806857697840726523322586721820911358489420128129248078673933653533930681676181753849411715714173604352323556558783759252661061186320274214883104886050164368129191719707402291577330485499513522368289395359523901406138025022522412429238971591272160519144672389532393673832265070057319485399793101182682177465364396277424717543434017666343807276970864475830391776403957550678362368319776566025118492062196941451265638054400177248572271342548616103967411990437357924

### Diffie-Hellman Starter 4

Alice calculated $ A = g^a $ you calculate B as $ B = g^b$

Shared secret is $A^b$ or $B^a$ that each party can compute with their own information 

In [11]:
g =  2 
p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
b = 12019233252903990344598522535774963020395770409445296724034378433497976840167805970589960962221948290951873387728102115996831454482299243226839490999713763440412177965861508773420532266484619126710566414914227560103715336696193210379850575047730388378348266180934946139100479831339835896583443691529372703954589071507717917136906770122077739814262298488662138085608736103418601750861698417340264213867753834679359191427098195887112064503104510489610448294420720
A =  70249943217595468278554541264975482909289174351516133994495821400710625291840101960595720462672604202133493023241393916394629829526272643847352371534839862030410331485087487331809285533195024369287293217083414424096866925845838641840923193480821332056735592483730921055532222505605661664236182285229504265881752580410194731633895345823963910901731715743835775619780738974844840425579683385344491015955892106904647602049559477279345982530488299847663103078045601

pow(A,b,p)

1174130740413820656533832746034841985877302086316388380165984436672307692443711310285014138545204369495478725102882673427892104539120952393788961051992901649694063179853598311473820341215879965343136351436410522850717408445802043003164658348006577408558693502220285700893404674592567626297571222027902631157072143330043118418467094237965591198440803970726604537807146703763571606861448354607502654664700390453794493176794678917352634029713320615865940720837909466

### Diffie-Hellman Starter 5

In [14]:
p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
g = 2 
A =  112218739139542908880564359534373424013016249772931962692237907571990334483528877513809272625610512061159061737608547288558662879685086684299624481742865016924065000555267977830144740364467977206555914781236397216033805882207640219686011643468275165718132888489024688846101943642459655423609111976363316080620471928236879737944217503462265615774774318986375878440978819238346077908864116156831874695817477772477121232820827728424890845769152726027520772901423784
b = 197395083814907028991785772714920885908249341925650951555219049411298436217190605190824934787336279228785809783531814507661385111220639329358048196339626065676869119737979175531770768861808581110311903548567424039264485661330995221907803300824165469977099494284722831845653985392791480264712091293580274947132480402319812110462641143884577706335859190668240694680261160210609506891842793868297672619625924001403035676872189455767944077542198064499486164431451944

shared_secret = pow(A,b,p)
iv = '737561146ff8194f45290f5766ed6aba'
ciphertext = '39c99bf2f0c14678d6a5416faef954b5893c316fc3c48622ba1fd6a9fe85f3dc72a29c394cf4bc8aff6a7b21cae8e12c'

print(decrypt_flag(shared_secret, iv, ciphertext))

crypto{sh4r1ng_s3cret5_w1th_fr13nd5}


# MAN IN THE MIDDLE

### Parameter Injection

The idea is that we send Alice $B = 1$ , so she uses her private key $a$ and raises $B^a$ resulting in $1$, she encrypts with $1$ so we know the key

In [1]:
#!/usr/bin/env python3

import telnetlib
import json
import re 

HOST = "socket.cryptohack.org"
PORT = 13371

tn = telnetlib.Telnet(HOST, PORT)


def readline():
    return tn.read_until(b"\n")

def json_recv():
    blob = readline().decode("utf-8")
    match = re.search(r'\{.*\}', blob)

    if match:
        # Extract the matched JSON portion
        json_str = match.group(0)
        
        try:
            # Attempt to load JSON from the extracted portion
            data = json.loads(json_str)
            # If successful, you can now work with the JSON data
            return data
        except json.JSONDecodeError as e:
            print(f"Error decoding JSON: {e}")
    else:
        print("No JSON data found in the blob.")

def json_send(hsh):
    request = json.dumps(hsh).encode()
    tn.write(request)


  import telnetlib


In [3]:
response = json_recv()


request = {
    "p": "0xffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552bb9ed529077096966d670c354e4abc9804f1746c08ca237327ffffffffffffffff", 
    "g": "0x02", 
    "A": "0x7ebefc520ed938a1c3fcfe6500847d62ab5a8f54b206c504080cb5f2fe87c4413d6e8be17abc4da288a245dedc2cb80d0d0a8af110e5e94a5125f1853d4b2b5fff1b7c4976c435bd5d90292de50ff2419fa4f27dfe86e0d3a44ddb37a217554b6e946334deb4acb0b6bd0b3642cbf884788900c77f51c78a2f06cdaec29ad6d9a96ec6f0635b0f83974d86105607417e4d2fc35fc0ab68a0a7337a4433e6a1fd59e2097504f17e754a4c52748dd275e246e29b7ebffb9b5acffc5b3c2c43e1d4"
}

json_send(request)
response = json_recv()

request = {
    "B": "0x1"
}


json_send(request)
response = json_recv()

iv = response['iv']
c = response["encrypted_flag"]

decrypt_flag(1,iv,c)


'crypto{n1c3_0n3_m4ll0ry!!!!!!!!}'

### Export-grade

<code> nc socket.cryptohack.org 13379 </code>

When promted send to bob json <code>{"supported": "[DH64]"}</code>

He then will take DH64 and generate B 

To alice send <code>{"chosen":"DH64"}</code> 

She then will encrypt the message with weak DH64, use discrete_log() from sagemath to get b 

Can't get sage to work in notebook, so code will be here

```python
sage: B = 0x7a6dab57d7fcf64d
sage: p = 0xde26ab651b92a129
sage: g = 2
sage: Fp = GF(p)
sage: discrete_log(B, Fp(g))

```

Calculate shared secret with A,b you got from before mod p 

Decrypt

In [4]:
Alice =  {"p": "0xde26ab651b92a129", "g": "0x2", "A": "0x464d8d7d49d2a853"}
A = hex_to_bigint(Alice["A"])
g = 2 
p = hex_to_bigint(Alice["p"]) 

Bob =  {"B": "0x7a6dab57d7fcf64d"}
B = hex_to_bigint(Bob["B"]) 


Alice = {"iv": "f674d0b7e391d80da92a4c00dc069d30", "encrypted_flag": "edffd6721be4abd8a5bfa8540768d98d9815fb412d19c456798a813b19852ed4"}
IV = Alice["iv"]
c = Alice["encrypted_flag"]

# sage math discrete_log()
b = 6157687296341116995
secret = pow(A,b,p)

decrypt_flag(secret,IV,c)


'crypto{d0wn6r4d35_4r3_d4n63r0u5}'

### Static Client

Let's see when we send A = 1 to Bob

In [24]:
Bob = {"iv": "bf494806f4a017cd94f66cb6158363b3", "encrypted": "42cf9781c3a7eba77220c8c42af6f149e599783d7c87e77df739df3e3210f8079a66ddbbcfe9f56cbc46cf3a73183e2a135f79cf3f4a7ced1435b6457bf23357efe236aa1d1f2b72a20864156a3427c4"}
k = 1 
IV = Bob["iv"]
c = Bob["encrypted"]

print(decrypt_flag(k,IV,c))

Hey, what's up. I got bored generating random numbers did you see?


So Bob will always encrypt with same static b, now we send forgery with p,A and we change g to be A, now Bob will take $g^b = A^b$, giving you the secret Alice used to encrypt, now just decrypt it
 
Used nc to do this, had some problem automating with telnetlib, may change it.

In [26]:
Alice = {"iv": "b908e78211ac4fbd64229b0a5fa8f253", "encrypted": "cf7972b934d9af62790e18299e3f44c25f12f68f19006ea1dbec9743f5c63d73"}
IV = Alice["iv"]
c = Alice["encrypted"]
k = hex_to_bigint("0x9dc62f0a69726f56a78576256b9fcba8b52dc712b6f4beec7cb8919dac02416bf5ab3cb1e1272f8e183aa161c9ec79dc241c0602c5c27b8bb9605736ad82458eafe7db24baf85d3e052f7f4b136f602a67d769441c23fba33b54f3ebe1645a40a3c637f70759a7d133959d0f738adcc1e638b5b9ad452cd02527cd9eebc5ae29c4663171b1d20afe020c993d6f97ce7f1840f76630963d2fbfbc98817f7d54f63369f0e6871bfea36b7bade79bf43f6403ce57eac5dfd5ce035b3912c92ebc9b")

decrypt_flag(k,IV,c)

'crypto{n07_3ph3m3r4l_3n0u6h}'

# GROUP THEORY

### Additive

They both choose a,b 

Alice calculates $ A = ag$ and this is her public key 

If we can intercept this we can easily compute

$ a = A*g^{-1}$

Now it's easy, we compute shared secret with $k_{priv} = a*B \bmod(p)$

In [20]:
HOST = "socket.cryptohack.org"
PORT = 13380

tn = telnetlib.Telnet(HOST, PORT)

response = json_recv()
p = hex_to_bigint(response['p']) 
g = hex_to_bigint(response['g']) 
A = hex_to_bigint(response['A']) 

response = json_recv()
B = hex_to_bigint(response['B']) 

response = json_recv()
IV = response['iv']
c = response['encrypted']

a = gmpy2.divm(A,g,p) 
secret = a*B%p

decrypt_flag(secret,IV,c)


'crypto{cycl1c_6r0up_und3r_4dd1710n?}'

# MISC

### Script Kiddie

So basically there is bug in implementation 
```python 
def generate_public_int(g, a, p):
    return g ^ a % p
```

So because the order of operation this will be calculated as <code>g ^ (a%p)</code> now since $a<p$ it is same as $g^a$ 
So basically we can just xor with $g$ to get back the $b$ param and calculate our shared secret

In [5]:
p =  2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
g =  2
A = 539556019868756019035615487062583764545019803793635712947528463889304486869497162061335997527971977050049337464152478479265992127749780103259420400564906895897077512359628760656227084039215210033374611483959802841868892445902197049235745933150328311259162433075155095844532813412268773066318780724878693701177217733659861396010057464019948199892231790191103752209797118863201066964703008895947360077614198735382678809731252084194135812256359294228383696551949882
B =  652888676809466256406904653886313023288609075262748718135045355786028783611182379919130347165201199876762400523413029908630805888567578414109983228590188758171259420566830374793540891937904402387134765200478072915215871011267065310188328883039327167068295517693269989835771255162641401501080811953709743259493453369152994501213224841052509818015422338794357540968552645357127943400146625902468838113443484208599332251406190345653880206706388377388164982846343351
iv =  'c044059ae57b61821a9090fbdefc63c5'
encrypted_flag = 'f60522a95bde87a9ff00dc2c3d99177019f625f3364188c1058183004506bf96541cf241dad1c0e92535564e537322d7'


b = B^g 

ss = A^b %p 

print(decrypt_flag(ss, iv, encrypted_flag))


crypto{b3_c4r3ful_w1th_y0ur_n0tati0n}


### Matrix

The matrix is encrtyped with $e$ to decrypt we need to get $d$, $d=e^{-1} \mod (\phi(n) \phi(n)) = e^{-1} \bmod |G|$, where $G$ is order of the group 

Entire solution is in <code>matrix.sage</code>

In [1]:
print('crypto{there_is_no_spoon_66eff188}')

crypto{there_is_no_spoon_66eff188}
