{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-googlectf-en","result":{"data":{"markdownRemark":{"id":"72d08977-3cc9-5a8e-a142-52340c6090eb","html":"
\n

This page has been machine-translated from the original page.

\n
\n

We participated in Google CTF 2023 (held from June 24) as 0nePadding and finished in 195th place.

\n

This time we solved one problem each from Rev, Crypto, and Misc.

\n

In the past two years we participated but failed to solve any problems and didn’t even make the scoreboard, so this felt like an opportunity to recognize some growth.

\n

\n \n \n \n \n \n \n \n \n

\n

The Crypto problem was also one I couldn’t solve alone — being able to solve it by consulting with team members made me realize that 0nePadding as a team was operating more actively than last year.

\n

I’ll review the unsolved problems later; for now, here’s a summary of just the ones we solved.

\n\n

Table of Contents

\n\n

ZERMATT(Rev)

\n
\n

Roblox made lua packing popular, since we’d like to keep hanging out with the cool kids, he’s our take on it.

\n
\n

A very long, obfuscated Lua script file is provided as the challenge binary.

\n

Formatting and displaying the obfuscated script reveals about 3000 lines, with convoluted processing at the top as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

Looking closely, the return value of passing two byte strings to the function v7 is used as a key for Lua’s global environment variable _G.

\n

I used the following script to examine the results of each operation.

\n
local v0 = string.char;\nlocal v1 = string.byte;\nlocal v2 = string.sub;\nlocal v3 = bit32 or bit;\nlocal v4 = v3.bxor;\nlocal v5 = table.concat;\nlocal v6 = table.insert;\nlocal function v7(v24, v25)\n    local v26 = 0;\n    local v27;\n    while true do\n        if (v26 == 1) then\n            return v5(v27);\n        end\n        if (v26 == 0) then\n            v27 = {};\n            for v44 = 1, #v24 do\n                v6(v27, v0(\n                    v4(v1(v2(v24, v44, v44 + 1)), v1(v2(v25, 1 + ((v44 - 1) % #v25), 1 + ((v44 - 1) % #v25) + 1))) % 256));\n            end\n            v26 = 1;\n        end\n    end\nend\n\nprint(v7(\"\\79\\15\\131\\30\\40\\13\\20\\203\", \"\\59\\96\\237\\107\\69\\111\\113\\185\"))\nprint(v7(\"\\55\\2\\190\\232\\63\\247\", \"\\68\\118\\204\\129\\81\\144\\122\"))\nprint(v7(\"\\12\\180\\100\\225\", \"\\110\\205\\16\\132\\107\\85\\33\\139\"))\nprint(v7(\"\\243\\205\\101\\215\\89\\95\", \"\\128\\185\\23\\190\\55\\56\\100\"))\nprint(v7(\"\\240\\94\\174\\46\",\"\\147\\54\\207\\92\\126\\115\\131\"))\nprint(v7(\"\\109\\25\\35\\60\\115\\10\", \"\\30\\109\\81\\85\\29\\109\"))\nprint(v7(\"\\239\\234\\115\", \"\\156\\159\\17\\52\\214\\86\\190\"))\nprint(v7(\"\\175\\186\\253\\180\\178\\169\", \"\\220\\206\\143\\221\"))\nprint(v7(\"\\213\\149\\104\\47\", \"\\178\\230\\29\\77\\119\\184\\172\"))\nprint(v7(\"\\235\\225\\172\\3\\21\\112\", \"\\152\\149\\222\\106\\123\\23\"))\nprint(v7(\"\\167\\216\\54\", \"\\213\\189\\70\\150\\35\"))\nprint(v7(\"\\28\\78\\87\\120\\13\", \"\\104\\47\\53\\20\"))\nprint(v7(\"\\12\\172\\66\\130\\29\\168\", \"\\111\\195\\44\\225\\124\\220\"))\nprint(v7(\"\\191\\217\\68\\12\\118\", \"\\203\\184\\38\\96\\19\\203\"))\nprint(v7(\"\\199\\55\\96\\124\\83\\218\", \"\\174\\89\\19\\25\\33\"))\nprint(v7(\"\\6\\46\\6\\90\", \"\\107\\79\\114\\50\\46\\151\\231\"))\nprint(v7(\"\\204\\61\\163\\173\\57\", \"\\160\\89\\198\\213\\73\\234\\89\\215\"))\nprint(v7(\"\\194\\77\\101\\178\\251\\203\\94\", \"\\165\\40\\17\\212\\158\"))\nprint(v7(\"\\53\\224\\205\\5\\54\\50\\228\\205\\9\\49\\42\\224\", \"\\70\\133\\185\\104\\83\"))\nprint(v7(\"\\217\\7\\68\\72\\38\", \"\\169\\100\\37\\36\\74\"))\nprint(v7(\"\\67\\5\\139\\167\\83\\20\", \"\\48\\96\\231\\194\"))\nprint(v7(\"\\150\\198\\74\\15\\46\\18\", \"\\227\\168\\58\\110\\77\\121\\184\\207\"))\nprint(v7(\"\\177\\122\\62\\179\\69\", \"\\197\\27\\92\\223\\32\\209\\187\\17\"))\nprint(v7(\"\\238\\13\\79\\194\\248\\8\", \"\\155\\99\\63\\163\"))\nprint(v7(\"\\144\\141\\223\\180\\128\\187\\129\\144\", \"\\228\\226\\177\\193\\237\\217\"))
\n

Running this decodes strings like the following.

\n

It becomes clear that these strings are being passed as arguments to store functions in variables.

\n

\n \n \n \n \n \n \n \n \n

\n

This gave us the flag.

\n

The animation shown on a correct answer was very stylish.

\n

\n \n :\n\n assert 4096 % config.it == 0\n assert config.it == 8\n assert 4096 % config.bits == 0\n assert config.bits == 512\n\n # Find prime value of specified bits a specified amount of times\n seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635\n lcg = LCG(seed)\n primes_arr = []\n \n dump = True\n items = 0\n dump_file = open(\"dump.txt\", \"w\")\n\n primes_n = 1\n while True:\n for i in range(config.it):\n while True:\n prime_candidate = lcg.next()\n if dump:\n dump_file.write(str(prime_candidate) + '\\n')\n items += 1\n if items == 6:\n dump = False\n dump_file.close()\n if not isPrime(prime_candidate):\n continue\n elif prime_candidate.bit_length() != config.bits:\n continue\n else:\n primes_n *= prime_candidate\n primes_arr.append(prime_candidate)\n break\n \n # Check bit length\n if primes_n.bit_length() > 4096:\n print(\"bit length\", primes_n.bit_length())\n primes_arr.clear()\n primes_n = 1\n continue\n else:\n break\n\n # Create public key 'n'\n n = 1\n for j in primes_arr:\n n *= j\n print(\"[+] Public Key: \", n)\n print(\"[+] size: \", n.bit_length(), \"bits\")\n\n # Calculate totient 'Phi(n)'\n phi = 1\n for k in primes_arr:\n phi *= (k - 1)\n\n # Calculate private key 'd'\n d = pow(config.e, -1, phi)\n\n # Generate Flag\n assert config.flag.startswith(b\"CTF{\")\n assert config.flag.endswith(b\"}\")\n enc_flag = bytes_to_long(config.flag)\n assert enc_flag < n\n\n # Encrypt Flag\n _enc = pow(enc_flag, config.e, n)\n\n with open (\"flag.txt\", \"wb\") as flag_file:\n flag_file.write(_enc.to_bytes(n.bit_length(), \"little\"))\n\n # Export RSA Key\n rsa = RSA.construct((n, config.e))\n with open (\"public.pem\", \"w\") as pub_file:\n pub_file.write(rsa.exportKey().decode())\n

LCG (Linear Congruential Generator) produces a sequence of pseudorandom numbers using the recurrence Xn+1 = (m*Xn + c) mod n.

\n

The initial seed value was hardcoded in the challenge script, but the three values m, c, and n are not given.

\n

However, the first 6 generated values are provided as dump.txt.

\n

Since it seemed possible to determine m, c, and n from these values and identify the prime sequence used for key generation, I researched this with my teammates and found the following article.

\n

Reference: Predicting Pseudorandom Numbers Generated by the Linear Congruential Generator - s4tt01237’s diary

\n

It appears that the LCG parameters can be determined from a few initial output values by finding the modulus from the GCD of certain derived values, then solving simultaneous equations based on the modulus.

\n

Using this approach, I was able to determine all three values m, c, and n with the following script.

\n
from Crypto.Util.number import inverse, GCD\nfrom functools import reduce\n\nprime_candidates = [2166771675595184069339107365908377157701164485820981409993925279512199123418374034275465590004848135946671454084220731645099286746251308323653144363063385,\n6729272950467625456298454678219613090467254824679318993052294587570153424935267364971827277137521929202783621553421958533761123653824135472378133765236115,\n2230396903302352921484704122705539403201050490164649102182798059926343096511158288867301614648471516723052092761312105117735046752506523136197227936190287,\n4578847787736143756850823407168519112175260092601476810539830792656568747136604250146858111418705054138266193348169239751046779010474924367072989895377792,\n7578332979479086546637469036948482551151240099803812235949997147892871097982293017256475189504447955147399405791875395450814297264039908361472603256921612,\n2550420443270381003007873520763042837493244197616666667768397146110589301602119884836605418664463550865399026934848289084292975494312467018767881691302197]\n\ndef solve_unknown_increment(states, A, M):\n    B = (states[1] - A * states[0]) % M\n    return B\n\ndef solve_unknown_multiplier(states, M):\n    A = (states[2] - states[1]) * inverse((states[1] - states[0]), M)\n    return A\n\ndef solve_unknown_modulus(states):\n    diffs = [X_1 - X_0 for X_0, X_1 in zip(states, states[1:])]\n    multiples_of_M = [T_2 * T_0 - T_1 ** 2 for T_0, T_1, T_2, in zip(diffs, diffs[1:], diffs[2:])]\n\n    # GCD(GCD(multiples_of_M[0],multiples_of_M[1]), multiples_of_M[2])\n    M = reduce(GCD, multiples_of_M)\n    return M\n\ndef test_unknown_modulus():\n    M = solve_unknown_modulus(prime_candidates)\n    M = solve_unknown_modulus(prime_candidates)\n    A = solve_unknown_multiplier(prime_candidates, M)\n    B = solve_unknown_increment(prime_candidates, A, M)\n\n    print(M)\n    print(A)\n    print(B)\n\ntest_unknown_modulus()
\n

Now I just need to determine e to generate the private key for flag decryption.

\n

For e, since the RSA public key provided was 2048-bit RSA size, I guessed 65537.

\n

Using the information determined so far, I created the following script and was able to decrypt the flag.

\n
import struct\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Util.number import long_to_bytes, bytes_to_long, isPrime\n\nclass LCG:\n    lcg_m = -6569199283741144524805092313800498379912765081239722709390321881123001934591054674566684669798886054155292305172680411106681470919005032801138448184653164447435662736622686458913807769346396147888409387744295360132038094168945987371927904880766531430748616858146076625544135687000281908879673294160897281532\n    lcg_c = 3910539794193409979886870049869456815685040868312878537393070815966881265118275755165613835833103526090552456472867019296386475520134783987251699999776365\n    lcg_n = 8311271273016946265169120092240227882013893131681882078655426814178920681968884651437107918874328518499850252591810409558783335118823692585959490215446923\n\n    def __init__(self, lcg_s):\n        self.state = lcg_s\n\n    def next(self):\n        self.state = (self.state * self.lcg_m + self.lcg_c) % self.lcg_n\n        return self.state\n\n\nif __name__ == '__main__':\n\n    it = 8\n    bits = 512\n\n    # Find prime value of specified bits a specified amount of times\n    seed = 211286818345627549183608678726370412218029639873054513839005340650674982169404937862395980568550063504804783328450267566224937880641772833325018028629959635\n    lcg = LCG(seed)\n    primes_arr = []\n    items = 0\n    primes_n = 1\n    while True:\n        for i in range(it):\n            while True:\n                prime_candidate = lcg.next()\n\n                if not isPrime(prime_candidate):\n                    continue\n                elif prime_candidate.bit_length() != bits:\n                    continue\n                else:\n                    primes_n *= prime_candidate\n                    primes_arr.append(prime_candidate)\n                    break\n        \n        # Check bit length\n        if primes_n.bit_length() > 4096:\n            # print(\"bit length\", primes_n.bit_length())\n            primes_arr.clear()\n            primes_n = 1\n            continue\n        else:\n            break\n    \n    # print(primes_arr)\n    # print(len(primes_arr))\n\n    # Create public key 'n'\n    n = 1\n    for j in primes_arr:\n        n *= j\n    # Calculate totient 'Phi(n)'\n    phi = 1\n    for k in primes_arr:\n        phi *= (k - 1)\n\n    # print(\"[+] n: \", n)\n    # print(\"[+] size: \", n.bit_length(), \"bits\")\n    # print(\"[+] phi: \", phi)\n\n    rsa = RSA.construct((n, 65537))\n    key = rsa.exportKey().decode()\n    # print(key)\n\n    d = pow(65537, -1, phi)\n    # print(\"[+] d: \", d)\n\n    with open(\"flag.txt\", \"rb\") as f:\n        data = f.read()\n        c = int.from_bytes(data, \"little\")\n        # print(c)\n\n    # print(c)\n    m = pow(c, d, n)\n    flag = long_to_bytes(m)\n    print(flag)\n\n    # enc_flag = b'L\\x13\\x17\\xea\\x9e\\x10\\x13hy\\x90kK\\xdb? \\xd5z7\\t\\xeb\\xf3n\\xf1\\xd0\\xc1\\xad\\x15\\xf8ZN\\x9c\\xd9\\xef\\xbcz\\xcc\\xed\\xd9:p\\xf0\\x1e\\x97%T\\xdb\\xb0\\'I\\x17\\x83mLi6\\x1b\\xd8 \\x93%\\xe9\\xcd\\x0f*\\x9e\\x1fJ\\xb3\\xb4\\xeahnT\\x92\\xea<<\\x159\\xba\\xb9vo\\xf3\\x9b\\x8b\\xf3\\xe93?p\\xad`\\xd6\\xa6T\\x85m\\x06\\xd6\\xb1\\xd1\\x8djQ\\xe4\\xf3Z\\xf5\\x10\\xd7)G\\x91\\x13\\x1c\\xc6O\\x0b8;\\xed\\x89\\'\\xf42\\x92\\x03\\xa4\\x80)y\\x10\\xdc\\x0b;\\x03\\xf6\\xff\\x06C~;\\xde\\xf4\\xf9\\xd0\\xd1\\xcc\\xfd\\x10\\x95\\x9a\\xa9\\\\\\x91X{\\xb6M\\xe1d\\xf4\\xf57\\xbd\\x8a,\\x07K\\xd7B\\x1c\\xe5\\xd1p=5\\x01\\x08\\xb3\\xafA\\x00\\xad\\x90I\\x1b\\tdt\\x9c\\x08\\xf2\\xd2n\\xd8%\\x1e\\xa4H\\xb7G\\xb5\\xc1\\tG$h\\xa2\\xe7z\\xcf\\xf9\\xba\\x17}\\'&\\x05\\x1ecF\\xc0\\x86\\xc7\\xd9\\xd1\\r2!\\xe1\\xa1Z\\xabp\\xfe\\x14C\\xd0.+T\\x87\\x9dP\\x17\\xfc\\xb6\\x94\\x98\\x90q\\xe3P\\x1fPn\\x07\\xf1+;\\xcc\\xd3/\\x0f\\xde\\x0eZL\\xa7\\xd5\\xce\\x1dF\\x9c#\\xdea\\xcc,\\xbe\\xc0O\\xb06\\xbdi \\xf9w\\xa1\\xac\\x97\\xfd\\x93\\x91c\\xf5\\xee\\xd2U\\xe32\\xd7\\xe8\\xed\\x90\\xa4.Q\\xca\\xdc\\x8btF<\\xbb\\xfe?\\xdf\\xf4\\xfd\\xde\\xee^\\xf3G\\x8a\\xb8<\\xa0\\x04U\\xfb1>a:\\xaf\\xfb+\\xf3\\x10\\x15\\x9d\\x04Md\\x9c^\\xda\\xd3A\\x14\\x9eV\\x05\\xfd\\xdcC\\xa1\\xf8\\xb4\\xf8\\\\\\xb9\\x89Bb?\\x13\\xf1s3\\x98i\\xb4e\\x15\\xa6@\\xab\\xbbR\\x80\\x1e\\xd9\\xb4\\xd8U\\xd6qC\\xff\\xff\\xa7bFN\\t\\x0f\\xa7|\\xa1\\x80r\\xb6\\xa5\\xa8!\\xbc\\xe1\\x08\\xc2t\\xe0\\xa1\\xc2\"4%v\\x91\\xeeKg\\x98E\\x0e\\xa4z\\xb5\\x01o\\x9d\\tS\\x92\\xf3\\x1d\\x1e\\xa3\\xe7\\xce\\xb99s`\\x9ao\"\\xe2Z\\xddg\\x902\\x12\\x15\\xd6N<\\xebH2;\\x93\\x81`\\xa39\\x07\\xc6\\xc0%Wc\\xf6\\x82\\x819\\xe0\\x99=\\xc5\\x9a\\x95\\x9bR\\xf4>|@\\xe6)\\xf1L\\x17\\n\\n\\xa4\\xac#d\\xd9\\x13\\'\\x16\\xf9v\\x02'\n    # print(len(enc_flag))\n    \n\n    # text = b\"myflag\"\n    # enc_flag = bytes_to_long(text)\n    # _enc = pow(enc_flag, 65537, n)\n    # with open (\"myflag.txt\", \"wb\") as flag_file:\n    #     flag_file.write(_enc.to_bytes(n.bit_length(), \"little\"))\n    # with open(\"myflag.txt\", \"rb\") as f:\n    #     data = f.read()\n    #     number = int.from_bytes(data, \"little\")\n    #     print(number)\n\n    # m = pow(number, d, n)\n    # flag = long_to_bytes(m)\n    # print(flag)
\n

PAPAPAPA(Misc)

\n
\n

Is this image really just white?

\n
\n

A completely white JPEG like the one below is provided as the challenge binary.

\n

Apparently a flag is hidden somewhere in this image.

\n

\n \n \n \n \n \n \n \n \n

\n

As expected, analyzing with common tools does not yield the flag.

\n

Scanning the bytecode also revealed nothing suspicious.

\n

Since images like this often use LSB steganography, I extracted RGB values for all pixels with the following script, but no pixels other than #FFFFFF were found.

\n
from PIL import Image\n\ndef get_pixel_rgb(image_path):\n    img = Image.open(image_path)\n    pixels = img.load()\n    width, height = img.size\n\n    rgb_values = []\n    for y in range(height):\n        for x in range(width):\n            r, g, b = pixels[x, y]\n            rgb_values.append((r, g, b))\n\n    return rgb_values\n\nimage_path = \"white.jpg\"\nrgb_values = get_pixel_rgb(image_path)\nfor rgb in rgb_values:\n    for px in rgb:\n        if px != 255:\n            print(rgb)
\n

I was a bit stuck here, but trying ImageMagick revealed that despite the image size being 512×512, the sampling-factor was 3x1,3x1,3x1.

\n

It appears this image uses chroma subsampling.

\n
./magick identify -verbose white.jpg\n>\njpeg:colorspace: 2\njpeg:sampling-factor: 3x1,3x1,3x1
\n

JPEG is a compression format that divides an image into small square units and mathematically encodes the color and brightness of each square.

\n

These squares are defined as 8×8 pixels, meaning JPEG dimensions should always be multiples of 8.

\n

JPEG may use a technique called chroma subsampling to reduce image resolution and file size.

\n

Chroma subsampling exploits the fact that human vision is more sensitive to luminance than color.

\n

Specifically, by intentionally reducing color information relative to luminance information, images can be made smaller (lower resolution) while maintaining their visual appearance (image quality).

\n

Chroma subsampling is typically at a 2×2 ratio, but this image was set to 3×1.

\n

When JPEG uses chroma subsampling, the block size becomes the basic 8×8 multiplied by the maximum sampling factor among the image components.

\n

So in this case, the block size is 24×8.

\n

Reference: JPEG - Simple English Wikipedia, the free encyclopedia

\n

Reference: Chroma subsampling - Wikipedia

\n

Reference: Structure of Image Data

\n

Reference: Chroma subsampling in JPG compression

\n

Reference: About JPEG’s YCbCr - awm-Tech

\n

Here I notice that the width of the 512×512 challenge image is not a multiple of 24.

\n

When a chroma-subsampled image’s dimensions are not multiples of the block size, the overflow is treated as padding, and the image size recorded in the SOF segment (which stores the JPEG file type and key parameters) is forced to subtract the padding.

\n

This causes the padding area to disappear from the displayed image.

\n

Incidentally, images hidden in the padding area cannot be recovered simply by enlarging the image in a standard image viewer.

\n

In such cases, we directly overwrite the byte sequence specifying the JPEG image size within the SOF segment.

\n
def modify_sof0_segment(jpeg_path, new_width, new_height):\n    with open(jpeg_path, \"rb\") as file:\n        jpeg_data = bytearray(file.read())\n\n    # Search for SOF0 segment position\n    sof0_marker = b'\\xff\\xc0'\n    sof0_start = jpeg_data.find(sof0_marker)\n\n    # Find and display SOF0 segment parameter positions\n    parameter_start = sof0_start + 5\n    print(\"Original SOF0 width : {}\".format(int.from_bytes(jpeg_data[parameter_start:parameter_start + 2],\"big\")))\n    print(\"Original SOF0 height : {}\".format(int.from_bytes(jpeg_data[parameter_start + 2:parameter_start + 4],\"big\")))\n\n    # Convert new width and height to bytes\n    new_width_bytes = new_width.to_bytes(2, byteorder='big')\n    new_height_bytes = new_height.to_bytes(2, byteorder='big')\n\n    # Replace width and height\n    jpeg_data[parameter_start:parameter_start + 2] = new_width_bytes\n    jpeg_data[parameter_start + 2:parameter_start + 4] = new_height_bytes\n\n    print(\"New SOF0 width : {}\".format(int.from_bytes(jpeg_data[parameter_start:parameter_start + 2],\"big\")))\n    print(\"New SOF0 height : {}\".format(int.from_bytes(jpeg_data[parameter_start + 2:parameter_start + 4],\"big\")))\n\n    # Save the modified JPEG file\n    modified_jpeg_path = \"modified.jpg\"\n    with open(modified_jpeg_path, \"wb\") as file:\n        file.write(jpeg_data)\n        print(\"==> Saved new JPEG\")\n\n# Example usage\njpeg_path = \"white.jpg\"\nnew_width = 512\nnew_height = 528\nmodify_sof0_segment(jpeg_path, new_width, new_height)
\n

Ultimately, creating the solver above and changing the image width to 528 allowed me to retrieve the flag hidden in the padding area.

\n

\n \n \n \n \n \n \n \n \n

\n

Summary

\n

It was a great opportunity to feel a sense of growth.

\n

However, the top ranks are still far off, so I’ll keep training.

\n

Since Google CTF’s official writeups are thorough and helpful, I’ll challenge the unsolved problems again.

\n

Reference: google/google-ctf: Google CTF

","fields":{"slug":"/ctf-googlectf-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/crypto-en/","/tag/english/"]},"frontmatter":{"date":"2023-06-27","description":"Writeup for Google CTF 2023.","tags":["CTF (en)","Rev (en)","Forensic (en)","Crypto (en)","English"],"title":"Google CTF 2023 Writeup","socialImage":{"publicURL":"/static/c7b638e2d319149851871f13c096b89f/ctf-googlectf.png"}}}},"pageContext":{"slug":"/ctf-googlectf-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}