/tags/cry/ Recent content in Cry on Zero's Blog Hugo en-us Wed, 11 Mar 2026 22:12:00 +0700 /posts/htb-crypto-raining-primes/ Wed, 11 Mar 2026 22:12:00 +0700 /posts/htb-crypto-raining-primes/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Raining Primes</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Goal:</strong> Recover the flag from an RSA-wrapped AES ciphertext.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service uses one hidden 640-bit prime <code>r</code> in multiple places:</p> <ul> <li>Prime oracle outputs <code>x = a*r + b</code> where: <ul> <li><code>a</code> is 384-bit random</li> <li><code>b</code> is 256-bit random</li> </ul> </li> <li>RSA primes are generated with the same form: <ul> <li><code>p = a*r + b</code>, <code>q = c*r + d</code></li> </ul> </li> <li>Key update transforms each AES key bit via: <ul> <li><code>bit' = ((k0 * k1) mod r) mod 2</code></li> </ul> </li> </ul> <p>This creates two exploitable links:</p> /posts/htb-quantum-phase-madness/ Wed, 04 Mar 2026 10:55:00 +0700 /posts/htb-quantum-phase-madness/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Phase Madness</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Medium-Hard</li> <li><strong>Goal:</strong> Recover all encoded bytes from qubit phase rotations.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Each flag byte is encoded directly as a rotation angle in degrees.</p> <p>From source:</p> <ul> <li>index <code>% 3 == 0</code>: <code>RX(byte)</code></li> <li>index <code>% 3 == 1</code>: <code>RY(byte)</code></li> <li>index <code>% 3 == 2</code>: <code>H</code> then <code>RZ(byte)</code></li> </ul> <p>The service lets us:</p> <ul> <li>choose qubit index,</li> <li>apply extra known rotations (<code>RX/RY/RZ</code>),</li> <li>receive high-shot measurement counts.</li> </ul> <p>That is enough to estimate sin/cos components and recover the original angle (thus byte).</p> /posts/htb-quantum-flagportation/ Wed, 04 Mar 2026 10:50:00 +0700 /posts/htb-quantum-flagportation/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Flagportation</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Easy-Medium</li> <li><strong>Goal:</strong> Decode all teleported 2-bit symbols and recover the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge is a teleportation protocol correctness trap. The server reveals:</p> <ul> <li>encoding basis (<code>Z</code> or <code>X</code>),</li> <li>Bell-side measurement bits (<code>qubit 0</code>, <code>qubit 1</code>),</li> <li>then asks user operations before measuring receiver (<code>qubit 2</code>).</li> </ul> <p>If the correction mapping is wrong, decoded bits are wrong.</p> <p>Correct mapping for this implementation:</p> /posts/htb-quantum-global-hyperlink-zone/ Wed, 04 Mar 2026 10:45:00 +0700 /posts/htb-quantum-global-hyperlink-zone/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Global Hyperlink Zone</li> <li><strong>Category:</strong> Quantum</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Satisfy the hidden hyperlink pattern check and print the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The server checks only a specific relationship between measured bitstreams (<code>shares</code>) and does not constrain users to a trusted circuit template.</p> <p>From source analysis, success requires:</p> <ul> <li><code>shares[0] == shares[1] == shares[3]</code></li> <li><code>shares[2] == shares[4]</code></li> <li><code>shares[2] != shares[0]</code></li> <li>and no share may be all-0 or all-1 bytes.</li> </ul> <p>Because arbitrary gate sequences are allowed, we can construct a circuit that enforces exactly those relations.</p> /posts/htb-crypto-neon-core/ Sat, 28 Feb 2026 16:25:00 +0700 /posts/htb-crypto-neon-core/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Neon Core</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden configuration blueprint (flag) from the encrypted output.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service encrypts each 16-byte block as a 4x4 matrix over <strong>GF(257)</strong> using:</p> <p>$$ C = K \cdot S(M) \cdot L + T, \quad S(x)=x^3 $$</p> <p>where <code>K</code>, <code>L</code>, and <code>T</code> are fixed per service instance.</p> <p>Although this looks nonlinear, the nonlinearity is only the per-element cube. After lifting each input byte to $u_i = m_i^3$, the full block transform is affine linear:</p> /posts/htb-crypto-shambles/ Sat, 28 Feb 2026 14:55:00 +0700 /posts/htb-crypto-shambles/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Shambles</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Trigger the withdraw condition that drops target balance to zero and get the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service decrypts user-supplied token ciphertext with AES-CBC and runs PKCS#7 unpad before JWT verification.</p> <p>Error behavior leaks padding validity:</p> <ul> <li>Invalid padding → <code>Decryption error!</code></li> <li>Valid padding but bad JWT/signature → different response (<code>Validation error!</code> path)</li> </ul> <p>That creates a classic <strong>CBC padding oracle</strong>.</p> /posts/htb-crypto-popo/ Fri, 27 Feb 2026 17:15:00 +0700 /posts/htb-crypto-popo/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> POPO</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the secret plaintext from a flawed Paillier-based service.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service is Paillier-like with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>g = n + 1 </span></span><span style="display:flex;"><span>c = g^m * r^n mod n^2 </span></span></code></pre></div><p>but it adds an &ldquo;optimization&rdquo; switch:</p> <ul> <li>first positive non-secret message computes normally</li> <li>later positive non-secret messages use <code>local = m</code> (skipping <code>g^m</code>)</li> </ul> <p>Also, a fixed <code>r</code> is reused unless explicitly supplied.</p> /posts/htb-crypto-remeeting-the-wheel/ Fri, 27 Feb 2026 17:10:00 +0700 /posts/htb-crypto-remeeting-the-wheel/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> ReMeeting the Wheel</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the AES key from RSA data and decrypt the final secret.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The AES key is not random 128/256-bit material. Instead, it is constructed as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>key1 <span style="color:#f92672">=</span> randint(<span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">20</span>, <span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">21</span>) </span></span><span style="display:flex;"><span>key2 <span style="color:#f92672">=</span> randint(<span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">20</span>, <span style="color:#ae81ff">2</span><span style="color:#f92672">^</span><span style="color:#ae81ff">21</span>) </span></span><span style="display:flex;"><span>k <span style="color:#f92672">=</span> key1 <span style="color:#f92672">*</span> key2 </span></span></code></pre></div><p>So <code>k</code> is only about 40–42 bits. The challenge publishes:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c = k^e mod n </span></span></code></pre></div><p>with standard RSA parameters. This structure enables a meet-in-the-middle recovery.</p> /posts/htb-crypto-aliens/ Fri, 27 Feb 2026 17:05:00 +0700 /posts/htb-crypto-aliens/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> AliEnS</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden flag from a custom AES-ECB oracle.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service builds plaintext as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>aaes.pad(user_input) || aaes.pad(FLAG) </span></span></code></pre></div><p>where:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>aaes<span style="color:#f92672">.</span>pad(x) <span style="color:#f92672">=</span> x <span style="color:#f92672">+</span> P[:(<span style="color:#f92672">-</span>len(x) <span style="color:#f92672">%</span> <span style="color:#ae81ff">16</span>)] <span style="color:#f92672">+</span> P </span></span><span style="display:flex;"><span>P <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;CryptoHackTheBox&#34;</span> <span style="color:#75715e"># 16 bytes</span> </span></span></code></pre></div><p>Then it encrypts with <strong>AES-ECB</strong> and a <strong>fresh random key per query</strong>.</p> <p>A fresh key blocks classic cross-query byte-at-a-time attacks. But ECB still leaks equality <strong>within the same response</strong>: equal plaintext blocks produce equal ciphertext blocks under that query key.</p> /posts/htb-crypto-twisted-entanglement/ Fri, 27 Feb 2026 13:15:00 +0700 /posts/htb-crypto-twisted-entanglement/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Twisted Entanglement</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the server private key and decrypt the encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge exposes scalar multiplication on attacker-controlled points with curve params fixed only as:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>a = 0, p = secp256k1 prime </span></span></code></pre></div><p>but it does <strong>not</strong> verify that user points belong to the intended curve subgroup.</p> <p>That enables an <strong>invalid-curve / small-subgroup attack</strong>:</p> <ul> <li>send crafted points with known small order <code>q</code></li> <li>observe <code>k*P</code> from the server</li> <li>recover <code>k mod q</code> by brute-force discrete log in tiny subgroup</li> <li>combine residues with CRT to recover the bounded private key (<code>k &lt; 8748541127929402731638</code>)</li> </ul> <p>Then option 2 seeds Python RNG with that <code>k</code>, so basis choices become predictable and AES key is recoverable.</p> /posts/htb-crypto-shamirs-secret/ Fri, 27 Feb 2026 11:35:00 +0700 /posts/htb-crypto-shamirs-secret/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Shamir&rsquo;s Secret</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover the hidden flag from a custom share-encryption service.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service returns 64 pairs <code>(x, y)</code> where only 32 are genuine polynomial evaluations and 32 are random noise.</p> <p>For a message <code>m</code>, real pairs satisfy:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>y = f(x) mod 2^1024 </span></span><span style="display:flex;"><span>f(t) = m + a1*t + a2*t^2 + ... + a31*t^31 </span></span></code></pre></div><p>The same hidden 64-bit mask decides which indices are real/fake for the whole process.</p> /posts/htb-crypto-quick-maffs/ Fri, 27 Feb 2026 09:58:00 +0700 /posts/htb-crypto-quick-maffs/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> quick maffs</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Hard</li> <li><strong>Goal:</strong> Recover the plaintext triplet and reconstruct the flag.</li> </ul> <h2 id="root-cause">Root Cause</h2> <p>The service encrypts three related plaintext chunks under the same RSA modulus/exponent pair:</p> <ul> <li><code>c1 = m1^e mod N</code></li> <li><code>c2 = m2^e mod N</code></li> <li><code>c3 = m3^e mod N</code></li> <li>and leaks <code>m1 + m2 + m3 = hint</code></li> </ul> <p>Because <code>e</code> is a prime <code>&lt; 1024</code>, we can iterate candidate exponents and solve the algebraic system directly.</p> /posts/htb-crypto-yalm/ Fri, 27 Feb 2026 02:26:00 +0700 /posts/htb-crypto-yalm/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> YALM</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Recover encrypted secret despite hidden RSA modulus.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Server encrypts with RSA (<code>e=3</code>) but does not reveal <code>n</code>.</p> <p>However, test endpoint leaks comparison against <code>n</code>:</p> <ul> <li>if plaintext <code>&lt; n</code> → accepted</li> <li>if plaintext <code>&gt;= n</code> → <code>Too many messages!</code></li> </ul> <p>So we can recover exact <code>n</code> by binary searching this boundary.</p> <p>Then ciphertext equation is:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c = (prefix || flag)^3 mod n </span></span></code></pre></div><p>With known prefix and small unknown suffix (flag), this becomes a univariate small-root problem solved by Coppersmith.</p> /posts/htb-crypto-birds-of-randomness/ Fri, 27 Feb 2026 02:24:00 +0700 /posts/htb-crypto-birds-of-randomness/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Birds of randomness</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Predict destination coordinates within 6 guesses and retrieve the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Station coordinates are generated as <code>d*G</code> on a fixed ECC curve, where <code>d = x*y*z</code> from a weak PRNG state triplet with tiny moduli (<code>~30k</code>).</p> <p>That puts <code>d</code> in a bounded range:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>d &lt; 30269 * 30307 * 30323 ≈ 2.78e13 </span></span></code></pre></div><p>A bounded discrete log is feasible with BSGS.</p> /posts/htb-crypto-rhome/ Fri, 27 Feb 2026 02:22:00 +0700 /posts/htb-crypto-rhome/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Rhome</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover shared secret and decrypt AES-encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge builds prime <code>p = 2*q*r + 1</code>, then sets generator:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>g = h^(2r) mod p </span></span></code></pre></div><p>This forces <code>g</code> into the subgroup of order <code>q</code> (small, ~42-bit). So both public keys <code>A = g^a</code>, <code>B = g^b</code> leak exponents modulo small <code>q</code>, making discrete log feasible.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Query <code>(p,g,A,B)</code> and ciphertext.</li> <li>Factor <code>p-1</code>, identify small prime subgroup order <code>q</code>.</li> <li>Solve <code>a = dlog_g(A)</code> and <code>b = dlog_g(B)</code> modulo <code>q</code>.</li> <li>Recompute shared secret <code>ss = g^(ab mod q)</code>.</li> <li>Derive AES key from <code>sha256(ss)[:16]</code> and decrypt.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> re </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> hashlib <span style="color:#f92672">import</span> sha256 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> pwn <span style="color:#f92672">import</span> remote </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> sympy <span style="color:#f92672">import</span> factorint </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> sympy.ntheory <span style="color:#f92672">import</span> discrete_log </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Cipher <span style="color:#f92672">import</span> AES </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.Padding <span style="color:#f92672">import</span> unpad </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.number <span style="color:#f92672">import</span> long_to_bytes </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">recv_menu</span>(io): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> io<span style="color:#f92672">.</span>recvuntil(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&gt; &#39;</span>)<span style="color:#f92672">.</span>decode(errors<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ignore&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">parse_params</span>(blob): </span></span><span style="display:flex;"><span> p <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;p = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> g <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;g = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> A <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;A = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> B <span style="color:#f92672">=</span> int(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;B = (\d+)&#39;</span>, blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> p, g, A, B </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--host&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>) </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--port&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, type<span style="color:#f92672">=</span>int) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> io <span style="color:#f92672">=</span> remote(args<span style="color:#f92672">.</span>host, args<span style="color:#f92672">.</span>port) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> recv_menu(io) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;1&#39;</span>) </span></span><span style="display:flex;"><span> p, g, A, B <span style="color:#f92672">=</span> parse_params(recv_menu(io)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>sendline(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;3&#39;</span>) </span></span><span style="display:flex;"><span> ct_blob <span style="color:#f92672">=</span> recv_menu(io) </span></span><span style="display:flex;"><span> ct <span style="color:#f92672">=</span> bytes<span style="color:#f92672">.</span>fromhex(re<span style="color:#f92672">.</span>search(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;encrypted = ([0-9a-f]+)&#39;</span>, ct_blob)<span style="color:#f92672">.</span>group(<span style="color:#ae81ff">1</span>)) </span></span><span style="display:flex;"><span> io<span style="color:#f92672">.</span>close() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> fac <span style="color:#f92672">=</span> factorint(p <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> q_small <span style="color:#f92672">=</span> <span style="color:#66d9ef">None</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> fac: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#ae81ff">35</span> <span style="color:#f92672">&lt;=</span> int(f)<span style="color:#f92672">.</span>bit_length() <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">43</span>: </span></span><span style="display:flex;"><span> q_small <span style="color:#f92672">=</span> int(f) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">break</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> q_small <span style="color:#f92672">is</span> <span style="color:#66d9ef">None</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;small subgroup order not found&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> a <span style="color:#f92672">=</span> discrete_log(p, A, g, order<span style="color:#f92672">=</span>q_small) </span></span><span style="display:flex;"><span> b <span style="color:#f92672">=</span> discrete_log(p, B, g, order<span style="color:#f92672">=</span>q_small) </span></span><span style="display:flex;"><span> ss <span style="color:#f92672">=</span> pow(g, (a <span style="color:#f92672">*</span> b) <span style="color:#f92672">%</span> q_small, p) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> sha256(long_to_bytes(ss))<span style="color:#f92672">.</span>digest()[:<span style="color:#ae81ff">16</span>] </span></span><span style="display:flex;"><span> pt <span style="color:#f92672">=</span> unpad(AES<span style="color:#f92672">.</span>new(key, AES<span style="color:#f92672">.</span>MODE_ECB)<span style="color:#f92672">.</span>decrypt(ct), <span style="color:#ae81ff">16</span>) </span></span><span style="display:flex;"><span> print(pt<span style="color:#f92672">.</span>decode()) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --host &lt;ip&gt; --port &lt;port&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{00ps_wh4t_4_sm411_0rd3r} </span></span></code></pre></div></pagevault> /posts/htb-crypto-embryonic-plant/ Fri, 27 Feb 2026 02:20:00 +0700 /posts/htb-crypto-embryonic-plant/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Embryonic Plant</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover AES key and decrypt encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Service prints:</p> <ul> <li><code>n = p*q*r</code></li> <li>five consecutive RNG states from:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>s_{i+1} = (s_i * p + q) mod r </span></span></code></pre></div><p>Same <code>p,q,r</code> are RSA factors and used to derive private exponent <code>d</code>; AES key is <code>sha256(d)</code>.</p> <p>Leaking several states lets us recover the LCG modulus/parameters, which also recovers RSA factors.</p> /posts/htb-crypto-quantum-safe/ Fri, 27 Feb 2026 02:18:00 +0700 /posts/htb-crypto-quantum-safe/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Quantum-Safe</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover flag from matrix-based encoding output.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge encodes each character with:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>y = [ord(c), a, b] * P + r </span></span></code></pre></div><ul> <li><code>P</code> is public and invertible.</li> <li><code>a,b</code> are small random values in <code>[0,100]</code>.</li> <li><code>r</code> is a fixed unknown offset vector.</li> </ul> <p>Because <code>P</code> is invertible and noise is bounded, we can recover <code>r</code> and decode all rows exactly.</p> /posts/htb-crypto-protein-cookies/ Fri, 27 Feb 2026 02:16:00 +0700 /posts/htb-crypto-protein-cookies/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Protein Cookies</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Access protected <code>/program</code> content and recover flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Cookie signature uses SHA-512 over a construction equivalent to:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>sig = SHA512(secret || payload) </span></span></code></pre></div><p>This is vulnerable to length extension. We can append <code>&amp;isLoggedIn=True</code> and forge a valid new signature without knowing <code>secret</code>.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Obtain guest <code>login_info</code> cookie.</li> <li>Parse payload+digest.</li> <li>Perform SHA-512 length-extension with guessed secret length.</li> <li>Send forged cookie to <code>/program</code>.</li> <li>Extract flag from returned PDF/content.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> base64 </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> requests </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> hashpumpy <span style="color:#f92672">import</span> hashpump </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--base&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, help<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;e.g. http://&lt;ip&gt;:&lt;port&gt;&#39;</span>) </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--secret-len&#39;</span>, type<span style="color:#f92672">=</span>int, default<span style="color:#f92672">=</span><span style="color:#ae81ff">16</span>) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> s <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>Session() </span></span><span style="display:flex;"><span> s<span style="color:#f92672">.</span>get(args<span style="color:#f92672">.</span>base <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;/program&#39;</span>, allow_redirects<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>) </span></span><span style="display:flex;"><span> guest <span style="color:#f92672">=</span> s<span style="color:#f92672">.</span>cookies<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;login_info&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> guest: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;missing guest cookie&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> payload_b64, sig_b64 <span style="color:#f92672">=</span> guest<span style="color:#f92672">.</span>split(<span style="color:#e6db74">&#39;.&#39;</span>, <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> payload <span style="color:#f92672">=</span> base64<span style="color:#f92672">.</span>b64decode(payload_b64) </span></span><span style="display:flex;"><span> sig_hex <span style="color:#f92672">=</span> base64<span style="color:#f92672">.</span>b64decode(sig_b64)<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> append <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;&amp;isLoggedIn=True&#39;</span> </span></span><span style="display:flex;"><span> new_sig_hex, forged_payload <span style="color:#f92672">=</span> hashpump(sig_hex, payload<span style="color:#f92672">.</span>decode(<span style="color:#e6db74">&#39;latin1&#39;</span>), append<span style="color:#f92672">.</span>decode(<span style="color:#e6db74">&#39;latin1&#39;</span>), args<span style="color:#f92672">.</span>secret_len) </span></span><span style="display:flex;"><span> forged_cookie <span style="color:#f92672">=</span> ( </span></span><span style="display:flex;"><span> base64<span style="color:#f92672">.</span>b64encode(forged_payload<span style="color:#f92672">.</span>encode(<span style="color:#e6db74">&#39;latin1&#39;</span>))<span style="color:#f92672">.</span>decode() <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;.&#39;</span> <span style="color:#f92672">+</span> </span></span><span style="display:flex;"><span> base64<span style="color:#f92672">.</span>b64encode(new_sig_hex<span style="color:#f92672">.</span>encode())<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> r <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>get(args<span style="color:#f92672">.</span>base <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;/program&#39;</span>, headers<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#39;Cookie&#39;</span>: <span style="color:#e6db74">f</span><span style="color:#e6db74">&#39;login_info=</span><span style="color:#e6db74">{</span>forged_cookie<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;</span>}, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span>) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#39;status:&#39;</span>, r<span style="color:#f92672">.</span>status_code) </span></span><span style="display:flex;"><span> print(r<span style="color:#f92672">.</span>text[:<span style="color:#ae81ff">400</span>]) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --base http://&lt;ip&gt;:&lt;port&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{l1ght_w31ght_b4b3h!} </span></span></code></pre></div></pagevault> /posts/htb-crypto-rsaiseasy/ Fri, 27 Feb 2026 02:14:00 +0700 /posts/htb-crypto-rsaiseasy/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> RSAisEasy</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover two RSA-encrypted halves of the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>Given values follow:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>n1 = p*q </span></span><span style="display:flex;"><span>n2 = q*z </span></span><span style="display:flex;"><span>leak = n1*E + n2 </span></span></code></pre></div><p>So:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>gcd(n1, leak) = gcd(p*q, n1*E + q*z) = q </span></span></code></pre></div><p>Once <code>q</code> is recovered, both RSA systems collapse.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Compute <code>q = gcd(n1, leak)</code>.</li> <li>Recover <code>p = n1 // q</code> and decrypt <code>c1</code>.</li> <li>Recover <code>n2</code> from <code>leak % n1</code> (check valid branch <code>r</code> or <code>r+n1</code>).</li> <li>Decrypt <code>c2</code> and concatenate both parts.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> math <span style="color:#f92672">import</span> gcd </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> Crypto.Util.number <span style="color:#f92672">import</span> long_to_bytes </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># paste challenge constants</span> </span></span><span style="display:flex;"><span>n1 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>c1 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>c2 <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>leak <span style="color:#f92672">=</span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span>e <span style="color:#f92672">=</span> <span style="color:#ae81ff">0x10001</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>q <span style="color:#f92672">=</span> gcd(n1, leak) </span></span><span style="display:flex;"><span>p <span style="color:#f92672">=</span> n1 <span style="color:#f92672">//</span> q </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>phi1 <span style="color:#f92672">=</span> (p <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) <span style="color:#f92672">*</span> (q <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span>d1 <span style="color:#f92672">=</span> pow(e, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, phi1) </span></span><span style="display:flex;"><span>part1 <span style="color:#f92672">=</span> long_to_bytes(pow(c1, d1, n1)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>r <span style="color:#f92672">=</span> leak <span style="color:#f92672">%</span> n1 </span></span><span style="display:flex;"><span>part2_candidates <span style="color:#f92672">=</span> [] </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> k <span style="color:#f92672">in</span> (<span style="color:#ae81ff">0</span>, <span style="color:#ae81ff">1</span>): </span></span><span style="display:flex;"><span> n2 <span style="color:#f92672">=</span> r <span style="color:#f92672">+</span> k <span style="color:#f92672">*</span> n1 </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> n2 <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0</span> <span style="color:#f92672">or</span> n2 <span style="color:#f92672">%</span> q <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">continue</span> </span></span><span style="display:flex;"><span> z <span style="color:#f92672">=</span> n2 <span style="color:#f92672">//</span> q </span></span><span style="display:flex;"><span> phi2 <span style="color:#f92672">=</span> (q <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) <span style="color:#f92672">*</span> (z <span style="color:#f92672">-</span> <span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> d2 <span style="color:#f92672">=</span> pow(e, <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>, phi2) </span></span><span style="display:flex;"><span> m2 <span style="color:#f92672">=</span> long_to_bytes(pow(c2, d2, n2)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> all(<span style="color:#ae81ff">32</span> <span style="color:#f92672">&lt;=</span> b <span style="color:#f92672">&lt;</span> <span style="color:#ae81ff">127</span> <span style="color:#66d9ef">for</span> b <span style="color:#f92672">in</span> m2): </span></span><span style="display:flex;"><span> part2_candidates<span style="color:#f92672">.</span>append(m2) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> part2_candidates: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">SystemExit</span>(<span style="color:#e6db74">&#39;no valid second part&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>flag <span style="color:#f92672">=</span> (part1 <span style="color:#f92672">+</span> part2_candidates[<span style="color:#ae81ff">0</span>])<span style="color:#f92672">.</span>decode() </span></span><span style="display:flex;"><span>print(flag) </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{1_m1ght_h4v3_m3ss3d_uP_jU$t_4_l1ttle_b1t?} </span></span></code></pre></div></pagevault> /posts/htb-crypto-xorxorxor/ Fri, 27 Feb 2026 02:12:00 +0700 /posts/htb-crypto-xorxorxor/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> xorxorxor</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Decrypt XOR-encrypted flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The challenge encrypts flag bytes with a repeating random 4-byte key:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>xored[i] <span style="color:#f92672">=</span> flag[i] <span style="color:#f92672">^</span> key[i <span style="color:#f92672">%</span> <span style="color:#ae81ff">4</span>] </span></span></code></pre></div><p>HTB flags start with <code>HTB{</code>, so we can recover all 4 key bytes directly from the first 4 ciphertext bytes.</p> <h2 id="exploit-strategy">Exploit Strategy</h2> <ol> <li>Parse hex ciphertext.</li> <li>Compute key from known prefix <code>b'HTB{'</code>.</li> <li>XOR-decrypt the full ciphertext with repeating key.</li> </ol> <h2 id="solve-script-full-poc">Solve Script (Full PoC)</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e">#!/usr/bin/env python3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">import</span> argparse </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">xor_repeat</span>(data: bytes, key: bytes) <span style="color:#f92672">-&gt;</span> bytes: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> bytes(b <span style="color:#f92672">^</span> key[i <span style="color:#f92672">%</span> len(key)] <span style="color:#66d9ef">for</span> i, b <span style="color:#f92672">in</span> enumerate(data)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">main</span>(): </span></span><span style="display:flex;"><span> ap <span style="color:#f92672">=</span> argparse<span style="color:#f92672">.</span>ArgumentParser() </span></span><span style="display:flex;"><span> ap<span style="color:#f92672">.</span>add_argument(<span style="color:#e6db74">&#39;--hex&#39;</span>, required<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, help<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ciphertext hex from challenge output&#39;</span>) </span></span><span style="display:flex;"><span> args <span style="color:#f92672">=</span> ap<span style="color:#f92672">.</span>parse_args() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> ct <span style="color:#f92672">=</span> bytes<span style="color:#f92672">.</span>fromhex(args<span style="color:#f92672">.</span>hex) </span></span><span style="display:flex;"><span> known <span style="color:#f92672">=</span> <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;HTB{&#39;</span> </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> bytes(ct[i] <span style="color:#f92672">^</span> known[i] <span style="color:#66d9ef">for</span> i <span style="color:#f92672">in</span> range(<span style="color:#ae81ff">4</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> pt <span style="color:#f92672">=</span> xor_repeat(ct, key) </span></span><span style="display:flex;"><span> print(<span style="color:#e6db74">&#39;key =&#39;</span>, key<span style="color:#f92672">.</span>hex()) </span></span><span style="display:flex;"><span> print(pt<span style="color:#f92672">.</span>decode(errors<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;ignore&#39;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> __name__ <span style="color:#f92672">==</span> <span style="color:#e6db74">&#39;__main__&#39;</span>: </span></span><span style="display:flex;"><span> main() </span></span></code></pre></div><h2 id="run">Run</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>python3 solve.py --hex &lt;ciphertext_hex&gt; </span></span></code></pre></div><h2 id="result">Result</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>HTB{rep34t3d_x0r_n0t_s0_s3cur3} </span></span></code></pre></div></pagevault> /posts/htb-crypto-baby-time-capsule/ Fri, 27 Feb 2026 02:10:00 +0700 /posts/htb-crypto-baby-time-capsule/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Baby Time Capsule</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Easy</li> <li><strong>Goal:</strong> Recover the plaintext flag from repeated RSA encryptions under fresh moduli.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The service keeps encrypting the <strong>same message</strong> with RSA exponent <code>e = 5</code>, but with different fresh moduli <code>(n_i)</code>.</p> <p>When we collect at least <code>e</code> ciphertexts from pairwise-coprime moduli, Håstad&rsquo;s broadcast attack applies:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>c_i = m^e mod n_i </span></span></code></pre></div><p>Using CRT, we reconstruct <code>m^e</code> over <code>N = ∏n_i</code>, then compute the exact integer 5th root.</p> /posts/htb-crypto-broken-decryptor/ Wed, 25 Feb 2026 05:35:00 +0700 /posts/htb-crypto-broken-decryptor/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Broken Decryptor</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Target:</strong> Recover server flag from encryption oracle behavior</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>This challenge combines two critical mistakes:</p> <ol> <li><strong>AES-CTR stream reuse</strong> with fixed <code>key</code> and <code>iv</code> for every encryption call.</li> <li><strong>Biased OTP generation</strong>:</li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>otp <span style="color:#f92672">=</span> os<span style="color:#f92672">.</span>urandom(len(data))<span style="color:#f92672">.</span>replace(<span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\x00</span><span style="color:#e6db74">&#39;</span>, <span style="color:#e6db74">b</span><span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\xff</span><span style="color:#e6db74">&#39;</span>) </span></span></code></pre></div><p>Replacing <code>0x00</code> means each byte position can only produce <strong>255 possible OTP values</strong>, not 256. That creates a forbidden-byte leak: after enough samples at one position, the single unseen byte is the hidden pre-OTP byte.</p> /posts/htb-crypto-mysterybox/ Wed, 25 Feb 2026 05:35:00 +0700 /posts/htb-crypto-mysterybox/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> mysterybox</li> <li><strong>Category:</strong> Crypto</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Forge a valid signature for the protected admin message and retrieve the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="root-cause">Root Cause</h2> <p>The server implements <strong>textbook RSA signatures</strong> directly over raw integers:</p> <ul> <li><code>sign(m) = m^d mod n</code></li> <li><code>verify(m, s)</code> checks <code>s^e mod n == m</code></li> </ul> <p>There is <strong>no hashing</strong> and <strong>no padding</strong> (e.g., no PKCS#1 v1.5/PSS). This makes signatures multiplicatively malleable:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>sig(m1 * m2) = sig(m1) * sig(m2) mod n </span></span></code></pre></div><p>The app blocks signing the exact admin message, but it still signs related values, which is enough to forge an admin signature.</p> /posts/0x2-learn-ctf-cryptography/ Mon, 23 Feb 2026 23:40:00 +0700 /posts/0x2-learn-ctf-cryptography/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#error-code--merkle-hellman-implementation-bug">error-code — Merkle-Hellman implementation bug</a></li> <li><a href="#nito--truncated-state-recovery-with-coppersmith">nito — truncated-state recovery with Coppersmith</a></li> <li><a href="#lack-of-entropy--deterministic-rsa-prime-relation">Lack of Entropy — deterministic RSA prime relation</a></li> <li><a href="#a-joke-cipher--broken-key-exchange-leaks-plaintext-multiplier">a-joke-cipher — broken key exchange leaks plaintext multiplier</a></li> <li><a href="#d-phi-enc--recovering-rsa-factors-from-encrypted-%CF%86-and-d">d-phi-enc — recovering RSA factors from encrypted φ and d</a></li> </ul> <hr> <h2 id="error-code--merkle-hellman-implementation-bug">error-code — Merkle-Hellman implementation bug</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Category:</strong> Cryptography</li> <li><strong>Challenge:</strong> <code>error-code</code></li> <li><strong>Core scheme:</strong> Merkle-Hellman knapsack (subset-sum)</li> <li><strong>Given files:</strong> <code>chall.py</code>, <code>output</code></li> <li><strong>Recovered flag:</strong></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>CBC{4_cl4ss1c_subs3t_sum_pr0blem_r1ght_9c209955} </span></span></code></pre></div><h3 id="problem-statement-practical">Problem statement (practical)</h3> <p>The challenge author says they implemented Merkle-Hellman, but decryption does not work. The job is to identify the implementation error and recover the plaintext.</p>