CTF-writeups

Some CTF writeups


Project maintained by Qyn-CTF

s3-simple-secure-system (120pts, 39 solved) Reverse Engineering & Cryptography [Easy]

First look

We receive two files, a binary and some supposedly encrypted file, when we open the file in ida or ghidra, we can see it’s doing some RSA encryption from a key which is inside the binary.

Solving

Since the key is in the binary, we can simply extract it. The location is 0xE20, from there we copy 0x4A9 bytes and that’s our key:

308204A50201000282010100C37C4A396EAA92658D46D88740C2FD4080E45E5628DA8C6D32DB9ABCC73EDFEF6D606A90ECA9BAD7F157C3B9608453D2214B07257628ED44D66F1E82DA1CF3FFF0E0660F1E8CC45F77335EAA2E0CCE00CEE59DE86879CD7A5E663A5C9D4D4F9FDE2BAC860BCA6C4931B61D9CD6D9283C1A48DE686992C3654763E0537D69142A14CC0ED50F63C443F3B52C329406BD2D3F2EE6FC22A59A8BA43E129836A6DC1574219AFA596B7AD9085F3FFD97728A6B74E71425280E24A2E3DF4DA68187E9268942542B430B4DFB8071CE98D9CF5CDCCFCB8011A5C98E53A0C011063C06E13DF500137747134B5BE9EBF8B6E7DC4AAAC0A71B12A951792350483D3DECD46CF502030100010282010068E72CE9AF1287E7492E288A445D9F0BDB5F31A4A8DDC717DE7FEC84BBA36906923A7855773B0A1251E8181745CD1D32193DAB03166A961127C58FA906A51CE74EFB0CA9B66A32034CF35B2C95F3B724C5E2809FB45910C4471E32D97A6C7F7B39FD53E2C737046F2EE71CF30A74945BD47B202705E88544B74FC894E52ADB6F5D305B573A533FF9D6B13F18E7037549302DCC216DF6C3EABFE2E9939C71A1DF7E43395B7A70792CC7B0B685EAD014E6E3370C75CF7EB892297FFF2620D33FCFE8FF4A2439D394DF6BFCE71339173795E7479CDBA4E580325149C6ABEF53FAE40F17EF4FD8A182808FF68B3FC3241A379B316A181F30FB9EE3B6EDC00314430102818100EC2CD8588595CDFA4B3D247E55567605F91CDB0CAAA56E856F747241BA121001B18339DBF05A150CA07E916BB0631282912E6AE54C35695D2A72FEADFC3F64D7EF648DD90C847220C9B71A346BCDC6A3B48F89F07E2BBD65C66A67038C4F5AAED51ECDBB226D6403150B475C487AF30F2F1EE99EF62CA0EC9C4669E1D5D9DBC102818100D3E5111E4FF24C1D8AA9017341847DE3487E9AFD9C86A5CB0EAF0BFC35EBBE8209C6388A2DF632C5157D2180C01FD3A265C37AF4852059B9B960D4F31EA5098CED28F798DF2F91CF997C958366B771A1459678203218ED715C8CE9BDCFAA6832902924C6CEB8F77FB69C3B1FBEFE991D61B35D18009D725B8E13AD8F418D6E35028181008D82814EE91BCD833F39AF7812E1EF6DBCC9D16651893623B5986C2D7DB3FCEB46D57E018E8E2B3699A3BCB66DC5AEFD94C7DF3CECE0C3F512CE3C533B6530A341C95A44C6FF44F2E86A51C53F22D8F695E5BB9CE1BC8B8B43CBD55586E8B5493461749BC011136FD55820B5E6A7E4A32074C13E81FA53A1F2312E98266E970102818100A19AFFCE4D8CEF0E4CD58EDC97687416A710A026B27D62EF1638DCFC3327A3F94B79196011A3C69ED73FC3108DF6F812D068215B6239051587D3D935BEF681ED30676146FF59296CDA93D0F8119BF116DD9ADFED36281AD7AD8D6F2BABB93C94EBABE57796EC2D1F0367EE13CD382210ED95BD7773E8A0F240CEB33D21F2BACD02818100E81C9352869D5AC3E30B33CC9091C8E4EC4B66B12CE43C28D332B4E4B906AE2581DFB531797A121D1000772B0F0302EB82C14296938F0F94A560C5A90AD4EAF5A737FBB4DB5A7FA708F478BECC153A3E00C4514D2C400B56AB87CE492514756597DB325E158B1CF28CB0C7D8CA47E0E8CC5647A6588E7BBC6F7AA25141E165DC

We can convert this into a C array ->

input = """308204A50201000282010100C37C4A396EAA92658D46D88740C2FD4080E45E5628DA8C6D32DB9ABCC73EDFEF6D606A90ECA9BAD7F157C3B9608453D2214B07257628ED44D66F1E82DA1CF3FFF0E0660F1E8CC45F77335EAA2E0CCE00CEE59DE86879CD7A5E663A5C9D4D4F9FDE2BAC860BCA6C4931B61D9CD6D9283C1A48DE686992C3654763E0537D69142A14CC0ED50F63C443F3B52C329406BD2D3F2EE6FC22A59A8BA43E129836A6DC1574219AFA596B7AD9085F3FFD97728A6B74E71425280E24A2E3DF4DA68187E9268942542B430B4DFB8071CE98D9CF5CDCCFCB8011A5C98E53A0C011063C06E13DF500137747134B5BE9EBF8B6E7DC4AAAC0A71B12A951792350483D3DECD46CF502030100010282010068E72CE9AF1287E7492E288A445D9F0BDB5F31A4A8DDC717DE7FEC84BBA36906923A7855773B0A1251E8181745CD1D32193DAB03166A961127C58FA906A51CE74EFB0CA9B66A32034CF35B2C95F3B724C5E2809FB45910C4471E32D97A6C7F7B39FD53E2C737046F2EE71CF30A74945BD47B202705E88544B74FC894E52ADB6F5D305B573A533FF9D6B13F18E7037549302DCC216DF6C3EABFE2E9939C71A1DF7E43395B7A70792CC7B0B685EAD014E6E3370C75CF7EB892297FFF2620D33FCFE8FF4A2439D394DF6BFCE71339173795E7479CDBA4E580325149C6ABEF53FAE40F17EF4FD8A182808FF68B3FC3241A379B316A181F30FB9EE3B6EDC00314430102818100EC2CD8588595CDFA4B3D247E55567605F91CDB0CAAA56E856F747241BA121001B18339DBF05A150CA07E916BB0631282912E6AE54C35695D2A72FEADFC3F64D7EF648DD90C847220C9B71A346BCDC6A3B48F89F07E2BBD65C66A67038C4F5AAED51ECDBB226D6403150B475C487AF30F2F1EE99EF62CA0EC9C4669E1D5D9DBC102818100D3E5111E4FF24C1D8AA9017341847DE3487E9AFD9C86A5CB0EAF0BFC35EBBE8209C6388A2DF632C5157D2180C01FD3A265C37AF4852059B9B960D4F31EA5098CED28F798DF2F91CF997C958366B771A1459678203218ED715C8CE9BDCFAA6832902924C6CEB8F77FB69C3B1FBEFE991D61B35D18009D725B8E13AD8F418D6E35028181008D82814EE91BCD833F39AF7812E1EF6DBCC9D16651893623B5986C2D7DB3FCEB46D57E018E8E2B3699A3BCB66DC5AEFD94C7DF3CECE0C3F512CE3C533B6530A341C95A44C6FF44F2E86A51C53F22D8F695E5BB9CE1BC8B8B43CBD55586E8B5493461749BC011136FD55820B5E6A7E4A32074C13E81FA53A1F2312E98266E970102818100A19AFFCE4D8CEF0E4CD58EDC97687416A710A026B27D62EF1638DCFC3327A3F94B79196011A3C69ED73FC3108DF6F812D068215B6239051587D3D935BEF681ED30676146FF59296CDA93D0F8119BF116DD9ADFED36281AD7AD8D6F2BABB93C94EBABE57796EC2D1F0367EE13CD382210ED95BD7773E8A0F240CEB33D21F2BACD02818100E81C9352869D5AC3E30B33CC9091C8E4EC4B66B12CE43C28D332B4E4B906AE2581DFB531797A121D1000772B0F0302EB82C14296938F0F94A560C5A90AD4EAF5A737FBB4DB5A7FA708F478BECC153A3E00C4514D2C400B56AB87CE492514756597DB325E158B1CF28CB0C7D8CA47E0E8CC5647A6588E7BBC6F7AA25141E165DC"""

key = bytes.fromhex(input)

result = ", ".join(map(str, list(key)))
print(result)

And now we can copy a lot of code from ida/ghidra to solve the challenge:

//gcc solve.c -o rev -lssl -lcrypto
#include <stdio.h>
#include <string.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/evp.h>

int main(int argc, char const *argv[])
{
	char keyBytes[0x4a9] = {
		48, 130, 4, 165, 2, 1, 0, 2, 130, 1, 1, 0, 195, 124, 74, 57, 110, 170, 146, 101, 141, 70, 216, 135, 64, 194, 253, 64, 128, 228, 94, 86, 40, 218, 140, 109, 50, 219, 154, 188, 199, 62, 223, 239, 109, 96, 106, 144, 236, 169, 186, 215, 241, 87, 195, 185, 96, 132, 83, 210, 33, 75, 7, 37, 118, 40, 237, 68, 214, 111, 30, 130, 218, 28, 243, 255, 240, 224, 102, 15, 30, 140, 196, 95, 119, 51, 94, 170, 46, 12, 206, 0, 206, 229, 157, 232, 104, 121, 205, 122, 94, 102, 58, 92, 157, 77, 79, 159, 222, 43, 172, 134, 11, 202, 108, 73, 49, 182, 29, 156, 214, 217, 40, 60, 26, 72, 222, 104, 105, 146, 195, 101, 71, 99, 224, 83, 125, 105, 20, 42, 20, 204, 14, 213, 15, 99, 196, 67, 243, 181, 44, 50, 148, 6, 189, 45, 63, 46, 230, 252, 34, 165, 154, 139, 164, 62, 18, 152, 54, 166, 220, 21, 116, 33, 154, 250, 89, 107, 122, 217, 8, 95, 63, 253, 151, 114, 138, 107, 116, 231, 20, 37, 40, 14, 36, 162, 227, 223, 77, 166, 129, 135, 233, 38, 137, 66, 84, 43, 67, 11, 77, 251, 128, 113, 206, 152, 217, 207, 92, 220, 207, 203, 128, 17, 165, 201, 142, 83, 160, 192, 17, 6, 60, 6, 225, 61, 245, 0, 19, 119, 71, 19, 75, 91, 233, 235, 248, 182, 231, 220, 74, 170, 192, 167, 27, 18, 169, 81, 121, 35, 80, 72, 61, 61, 236, 212, 108, 245, 2, 3, 1, 0, 1, 2, 130, 1, 0, 104, 231, 44, 233, 175, 18, 135, 231, 73, 46, 40, 138, 68, 93, 159, 11, 219, 95, 49, 164, 168, 221, 199, 23, 222, 127, 236, 132, 187, 163, 105, 6, 146, 58, 120, 85, 119, 59, 10, 18, 81, 232, 24, 23, 69, 205, 29, 50, 25, 61, 171, 3, 22, 106, 150, 17, 39, 197, 143, 169, 6, 165, 28, 231, 78, 251, 12, 169, 182, 106, 50, 3, 76, 243, 91, 44, 149, 243, 183, 36, 197, 226, 128, 159, 180, 89, 16, 196, 71, 30, 50, 217, 122, 108, 127, 123, 57, 253, 83, 226, 199, 55, 4, 111, 46, 231, 28, 243, 10, 116, 148, 91, 212, 123, 32, 39, 5, 232, 133, 68, 183, 79, 200, 148, 229, 42, 219, 111, 93, 48, 91, 87, 58, 83, 63, 249, 214, 177, 63, 24, 231, 3, 117, 73, 48, 45, 204, 33, 109, 246, 195, 234, 191, 226, 233, 147, 156, 113, 161, 223, 126, 67, 57, 91, 122, 112, 121, 44, 199, 176, 182, 133, 234, 208, 20, 230, 227, 55, 12, 117, 207, 126, 184, 146, 41, 127, 255, 38, 32, 211, 63, 207, 232, 255, 74, 36, 57, 211, 148, 223, 107, 252, 231, 19, 57, 23, 55, 149, 231, 71, 156, 219, 164, 229, 128, 50, 81, 73, 198, 171, 239, 83, 250, 228, 15, 23, 239, 79, 216, 161, 130, 128, 143, 246, 139, 63, 195, 36, 26, 55, 155, 49, 106, 24, 31, 48, 251, 158, 227, 182, 237, 192, 3, 20, 67, 1, 2, 129, 129, 0, 236, 44, 216, 88, 133, 149, 205, 250, 75, 61, 36, 126, 85, 86, 118, 5, 249, 28, 219, 12, 170, 165, 110, 133, 111, 116, 114, 65, 186, 18, 16, 1, 177, 131, 57, 219, 240, 90, 21, 12, 160, 126, 145, 107, 176, 99, 18, 130, 145, 46, 106, 229, 76, 53, 105, 93, 42, 114, 254, 173, 252, 63, 100, 215, 239, 100, 141, 217, 12, 132, 114, 32, 201, 183, 26, 52, 107, 205, 198, 163, 180, 143, 137, 240, 126, 43, 189, 101, 198, 106, 103, 3, 140, 79, 90, 174, 213, 30, 205, 187, 34, 109, 100, 3, 21, 11, 71, 92, 72, 122, 243, 15, 47, 30, 233, 158, 246, 44, 160, 236, 156, 70, 105, 225, 213, 217, 219, 193, 2, 129, 129, 0, 211, 229, 17, 30, 79, 242, 76, 29, 138, 169, 1, 115, 65, 132, 125, 227, 72, 126, 154, 253, 156, 134, 165, 203, 14, 175, 11, 252, 53, 235, 190, 130, 9, 198, 56, 138, 45, 246, 50, 197, 21, 125, 33, 128, 192, 31, 211, 162, 101, 195, 122, 244, 133, 32, 89, 185, 185, 96, 212, 243, 30, 165, 9, 140, 237, 40, 247, 152, 223, 47, 145, 207, 153, 124, 149, 131, 102, 183, 113, 161, 69, 150, 120, 32, 50, 24, 237, 113, 92, 140, 233, 189, 207, 170, 104, 50, 144, 41, 36, 198, 206, 184, 247, 127, 182, 156, 59, 31, 190, 254, 153, 29, 97, 179, 93, 24, 0, 157, 114, 91, 142, 19, 173, 143, 65, 141, 110, 53, 2, 129, 129, 0, 141, 130, 129, 78, 233, 27, 205, 131, 63, 57, 175, 120, 18, 225, 239, 109, 188, 201, 209, 102, 81, 137, 54, 35, 181, 152, 108, 45, 125, 179, 252, 235, 70, 213, 126, 1, 142, 142, 43, 54, 153, 163, 188, 182, 109, 197, 174, 253, 148, 199, 223, 60, 236, 224, 195, 245, 18, 206, 60, 83, 59, 101, 48, 163, 65, 201, 90, 68, 198, 255, 68, 242, 232, 106, 81, 197, 63, 34, 216, 246, 149, 229, 187, 156, 225, 188, 139, 139, 67, 203, 213, 85, 134, 232, 181, 73, 52, 97, 116, 155, 192, 17, 19, 111, 213, 88, 32, 181, 230, 167, 228, 163, 32, 116, 193, 62, 129, 250, 83, 161, 242, 49, 46, 152, 38, 110, 151, 1, 2, 129, 129, 0, 161, 154, 255, 206, 77, 140, 239, 14, 76, 213, 142, 220, 151, 104, 116, 22, 167, 16, 160, 38, 178, 125, 98, 239, 22, 56, 220, 252, 51, 39, 163, 249, 75, 121, 25, 96, 17, 163, 198, 158, 215, 63, 195, 16, 141, 246, 248, 18, 208, 104, 33, 91, 98, 57, 5, 21, 135, 211, 217, 53, 190, 246, 129, 237, 48, 103, 97, 70, 255, 89, 41, 108, 218, 147, 208, 248, 17, 155, 241, 22, 221, 154, 223, 237, 54, 40, 26, 215, 173, 141, 111, 43, 171, 185, 60, 148, 235, 171, 229, 119, 150, 236, 45, 31, 3, 103, 238, 19, 205, 56, 34, 16, 237, 149, 189, 119, 115, 232, 160, 242, 64, 206, 179, 61, 33, 242, 186, 205, 2, 129, 129, 0, 232, 28, 147, 82, 134, 157, 90, 195, 227, 11, 51, 204, 144, 145, 200, 228, 236, 75, 102, 177, 44, 228, 60, 40, 211, 50, 180, 228, 185, 6, 174, 37, 129, 223, 181, 49, 121, 122, 18, 29, 16, 0, 119, 43, 15, 3, 2, 235, 130, 193, 66, 150, 147, 143, 15, 148, 165, 96, 197, 169, 10, 212, 234, 245, 167, 55, 251, 180, 219, 90, 127, 167, 8, 244, 120, 190, 204, 21, 58, 62, 0, 196, 81, 77, 44, 64, 11, 86, 171, 135, 206, 73, 37, 20, 117, 101, 151, 219, 50, 94, 21, 139, 28, 242, 140, 176, 199, 216, 202, 71, 224, 232, 204, 86, 71, 166, 88, 142, 123, 188, 111, 122, 162, 81, 65, 225, 101, 220};

	char encrypted[256] = {
		63, 50, 209, 72, 8, 96, 5, 210, 118, 82, 21, 178, 55, 20, 156, 53, 107, 215, 131, 172, 45, 226, 174, 193, 183, 205, 206, 8, 92, 195, 128, 35, 86, 234, 74, 3, 247, 143, 47, 59, 88, 180, 51, 77, 183, 5, 214, 14, 227, 217, 240, 249, 215, 175, 12, 82, 91, 56, 110, 52, 65, 124, 255, 177, 251, 109, 135, 19, 142, 96, 242, 16, 58, 222, 162, 158, 237, 209, 91, 28, 11, 61, 200, 141, 168, 114, 210, 51, 158, 23, 6, 249, 0, 210, 110, 9, 2, 107, 165, 244, 197, 72, 157, 96, 60, 185, 245, 26, 168, 90, 229, 2, 183, 255, 0, 25, 37, 248, 27, 251, 55, 31, 169, 23, 246, 255, 107, 150, 30, 68, 156, 121, 49, 65, 133, 16, 95, 77, 32, 148, 123, 227, 71, 251, 170, 68, 231, 70, 141, 77, 69, 231, 71, 35, 103, 21, 223, 160, 150, 208, 236, 103, 254, 180, 214, 144, 57, 78, 83, 241, 188, 62, 234, 4, 193, 172, 176, 36, 42, 110, 32, 74, 75, 238, 76, 214, 175, 27, 0, 69, 8, 229, 174, 218, 80, 206, 73, 158, 61, 151, 124, 179, 160, 21, 111, 251, 138, 210, 218, 212, 37, 89, 10, 135, 228, 1, 9, 160, 168, 254, 177, 241, 157, 187, 107, 67, 24, 135, 173, 167, 241, 22, 237, 221, 233, 190, 166, 191, 193, 67, 98, 117, 17, 104, 1, 225, 225, 248, 141, 28, 85, 117, 227, 250, 249, 157};
	char decrypted[256]={};


	BIO *mem = BIO_new_mem_buf(keyBytes, 0x4a9);
	EVP_PKEY *pkey = d2i_PrivateKey_bio(mem, NULL);
	RSA *rsakey = EVP_PKEY_get1_RSA(pkey);
	printf("[+] Private key: \n");
	PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, 0, NULL);

	int dec_len = RSA_private_decrypt(256, encrypted, decrypted, rsakey, 1);
	printf("\n[+] Data decrypted\n");
	printf("[+] Data Length = %d\n", dec_len);
	printf("[+] Data = %s\n", decrypted);
	return 0;
}

Which gives us the flag: CTF{67131493f75e92a06c5524b7c4c2be3513d992dafeb03e0e0296df0c5716155b}

Home