SekaiCTF 2023 Challenges

project-sekai-ctf · Aug 29, 2023 · a4a933b · a4a933b
commit a4a933b
Show file tree

Hide file tree

Showing 910 changed files with 463,041 additions and 0 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "reverse/azusawas-gacha-world"]
+	path = reverse/azusawas-gacha-world
+	url = https://github.com/jktrn/azusawas-gacha-world
diff --git a/LICENSE b/LICENSE
diff --git a/LICENSE.content.md b/LICENSE.content.md
diff --git a/README.md b/README.md
@@ -0,0 +1,145 @@
+<div align="center">
+
+# ![Banner][Banner]
+
+![Code License: AGPL v3][Code License]
+![Non-Code License: CC BY-NC-SA 4.0][Non-Code License]
+![Stars][Stars]
+
+This repository contains official **source code** and **writeups** for challenges from [SekaiCTF 2023][CTFTime Event].
+
+[CTFTime Event][CTFTime Event] •
+[Website][Website] •
+[Discord][Discord] •
+[Blog][Blog] •
+[Twitter][Twitter]
+
+---
+
+</div>
+
+## Cryptography
+
+<img src="https://files.catbox.moe/lwcdks.svg" width=250 align="right">
+
+| Name                                     | Author     | Difficulty | Solves |
+| ---------------------------------------- | ---------- | ---------- | ------ |
+| [cryptoGRAPHy 1](crypto/cryptography-1/) | sahuang    | Easy (1)   | 76     |
+| [cryptoGRAPHy 2](crypto/cryptography-2/) | sahuang    | Normal (2) | 55     |
+| [Noisy CRC](crypto/noisy-crc/)           | Utaha      | Hard (3)   | 49     |
+| [cryptoGRAPHy 3](crypto/cryptography-3/) | sahuang    | Expert (4) | 31     |
+| [Diffecientwo](crypto/diffecientwo/)     | deut-erium | Expert (4) | 13     |
+| [Noisier CRC](crypto/noisier-crc/)       | Utaha      | Expert (4) | 8      |
+| [RandSubWare](crypto/randsubware/)       | deut-erium | Master (5) | 6      |
+
+## Forensics
+
+<img src="https://files.catbox.moe/lkdane.svg" width=250 align="right">
+
+| Name                                              | Author        | Difficulty | Solves |
+| ------------------------------------------------- | ------------- | ---------- | ------ |
+| [Eval Me](forensics/eval-me)                      | Guesslemonger | Easy (1)   | 303    |
+| [DEF CON Invitation](forensics/defcon-invitation) | sahuang       | Normal (2) | 148    |
+| [Infected](forensics/infected)                    | Legoclones    | Hard (3)   | 80     |
+| [Dumpster Dive](forensics/dumpster-dive)          | Guesslemonger | Hard (3)   | 26     |
+
+## Miscellaneous
+
+<img src="https://files.catbox.moe/b6cssb.png" width=250 align="right">
+
+| Name                                                                                            | Author        | Difficulty | Solves |
+| ----------------------------------------------------------------------------------------------- | ------------- | ---------- | ------ |
+| [I love this world](misc/i-love-this-world)                                                     | pamLELcu      | Easy (1)   | 166    |
+| [QR God](misc/qr-god)                                                                           | Guesslemonger | Normal (2) | 13     |
+| [A letter from the HRM](misc/a-letter-from-the-human-resource-management)                       | pamLELcu      | Hard (3)   | 44     |
+| [SSH](misc/ssh)                                                                                 | hfz           | Hard (3)   | 18     |
+| [[Blockchain] Re-Remix](misc/re-remix)                                                          | Yanhui        | Hard (3)   | 9      |
+| [[Blockchain] Play for Free](misc/play-for-free)                                                | Yanhui        | Expert (4) | 7      |
+| [SekaiCTFCorp](misc/sekaictfcorp)                                                               | irogir        | Expert (4) | 4      |
+| [Just Another Pickle Jail](misc/just-another-pickle-jail)                                       | Quasar        | Master (5) | 5      |
+
+## PPC
+
+<img src="https://files.catbox.moe/44ugey.png" width=250 align="right">
+
+| Name                                                                   | Author            | Difficulty | Solves |
+| ---------------------------------------------------------------------- | ----------------- | ---------- | ------ |
+| [Wiki Game](ppc/wiki-game)                                             | sahuang           | Easy (1)   | 284    |
+| [Purple Sheep Apple Rush](ppc/purple-sheep-and-the-apple-rush)         | Lior              | Hard (3)   | 35     |
+| [Mikusweeper](ppc/mikusweeper)                                         | sahuang, pamLELcu | Hard (3)   | 50     |
+| [Project Sekai Event Planner](ppc/project-sekai-event-planner)         | SEEM, sahuang     | Master (5) | 2      |
+
+## Binary Exploitation
+
+<img src="https://files.catbox.moe/z947xz.png" width=250 align="right">
+
+| Name                                           | Author       | Difficulty | Solves |
+| ---------------------------------------------- | ------------ | ---------- | ------ |
+| [Cosmic Ray](pwn/cosmic-ray)                   | Rench        | Easy (1)   | 149    |
+| [Network Tools](pwn/network-tools)             | Johnathan    | Normal (2) | 110    |
+| [Text Sender](pwn/text-sender)                 | Johnathan    | Hard (3)   | 31     |
+| [Algorithm Multitool](pwn/algorithm-multitool) | Zafirr       | Expert (4) | 2      |
+| [Hibana](pwn/hibana)                           | nyancat0131  | Expert (4) | 0      |
+| [Notification](pwn/notification)               | Piers        | Expert (4) | 1      |
+| [[Blockchain] The Bidding](pwn/the-bidding)    | Triacontakai | Master (5) | 7      |
+
+## Reverse Engineering
+
+<img src="https://files.catbox.moe/s8gk6b.png" width=250 align="right">
+
+| Name                                                                   | Author    | Difficulty | Solves |
+| ---------------------------------------------------------------------- | --------- | ---------- | ------ |
+| [Azusawa’s Gacha World](https://github.com/jktrn/azusawas-gacha-world) | enscribe  | Easy (1)   | 250    |
+| [Guardians of the Kernel](reverse/guardians-of-the-kernel)             | Iy3dMejri | Normal (2) | 93     |
+| [Teyvat Travel Guide](reverse/teyvat-travel-guide)                     | sahuang   | Hard (3)   | 31     |
+| [Sahuang Flag Checker](reverse/sahuang-flag-checker)                   | Iy3dMejri | Expert (4) | 13     |
+| [Conquest of Camelot](reverse/conquest-of-camelot)                     | sahuang   | Expert (4) | 10     |
+
+## Web
+
+<img src="https://files.catbox.moe/j0zw08.svg" width=250 align="right">
+
+| Name                                   | Author   | Difficulty | Solves |
+| -------------------------------------- | -------- | ---------- | ------ |
+| [Scanner Service](web/scanner-service) | irogir   | Easy (1)   | 146    |
+| [Frog-WAF](web/frog-waf)               | irogir   | Hard (3)   | 29     |
+| [Chunky](web/chunky)                   | rik      | Hard (3)   | 16     |
+| [Golf Jail](web/golf-jail)             | Strellic | Expert (4) | 16     |
+| [Leakless Note](web/leakless-note)     | Strellic | Master (5) | 4      |
+
+## License
+
+Any **program** and/or **source code** in this repository is licensed under the [GNU Affero General Public License version 3][agpl]:
+
+> SEKAI CTF 2023 Challenges and Solutions  
+> Copyright (C) 2023 Project SEKAI CTF team and contributors
+>
+> This program is free software: you can redistribute it and/or modify
+> it under the terms of the GNU Affero General Public License as published
+> by the Free Software Foundation, either version 3 of the License, or
+> (at your option) any later version.
+>
+> This program is distributed in the hope that it will be useful,
+> but WITHOUT ANY WARRANTY; without even the implied warranty of
+> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+> GNU Affero General Public License for more details.
+>
+> You should have received a copy of the GNU Affero General Public License
+> along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Any **non-code/program content** (writeups, READMEs, descriptions) in this repository is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0)](cc-by-nc-sa):
+
+> [SEKAI CTF 2023 Challenges and Solutions](https://github.com/project-sekai-ctf/sekaictf-2023/) by Project SEKAI CTF team and contributors is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License][cc-by-nc-sa].
+
+[Banner]: https://files.catbox.moe/sps53u.png
+[Stars]: https://img.shields.io/github/stars/project-sekai-ctf/sekaictf-2023?color=FFA803&style=for-the-badge
+[CTFTime Event]: https://ctftime.org/event/1923
+[Website]: https://ctf.sekai.team/
+[Blog]: https://sekai.team/
+[Twitter]: https://twitter.com/projectsekaictf
+[Discord]: https://discord.gg/6gk7jhCgGX
+
+[agpl]: https://www.gnu.org/licenses/agpl-3.0.en.html
+[cc-by-nc-sa]: https://creativecommons.org/licenses/by-nc-sa/4.0/
+[Non-Code License]: https://img.shields.io/badge/non--code%20license-CC%20BY--NC--SA%204.0-3cc4c7?style=for-the-badge
+[Code License]: https://img.shields.io/badge/code%20license-AGPL--3.0-db67d2?style=for-the-badge
diff --git a/crypto/README.md b/crypto/README.md
@@ -0,0 +1,13 @@
+# Cryptography
+
+<img src="https://files.catbox.moe/lwcdks.svg" align="right" width=300>
+
+| Name                              | Author     | Difficulty | Solves |
+| --------------------------------- | ---------- | ---------- | ------ |
+| [cryptoGRAPHy 1](cryptography-1/) | sahuang    | Easy (1)   | 76     |
+| [cryptoGRAPHy 2](cryptography-2/) | sahuang    | Normal (2) | 55     |
+| [Noisy CRC](noisy-crc/)           | Utaha      | Hard (3)   | 49     |
+| [cryptoGRAPHy 3](cryptography-3/) | sahuang    | Expert (4) | 31     |
+| [Diffecientwo](diffecientwo/)     | deut-erium | Expert (4) | 13     |
+| [Noisier CRC](noisier-crc/)       | Utaha      | Expert (4) | 8      |
+| [RandSubWare](randsubware/)       | deut-erium | Master (5) | 6      |
diff --git a/crypto/cryptography-1/README.md b/crypto/cryptography-1/README.md
@@ -0,0 +1,21 @@
+## cryptoGRAPHy 1
+
+| Author  | Difficulty | Points | Solves | First Blood    | Time to Blood |
+| ------- | ---------- | ------ | ------ | -------------- | ------------- |
+| sahuang | Easy (1)   | 100    | 76     | Black Bauhinia | 34 minutes    |
+
+---
+
+### Description
+
+> Graphs have gained an increasing amount of attention in the world of Cryptography. They are used to model many real-world problems ranging from social media to traffic routing networks. Designing a secure Graph Encryption Scheme (GES) is important as querying plaintext graph database can leak sensitive information about the users.
+>
+> In this challenge I have implemented a novel GES. Please help me verify if the cryptosystem works.
+>
+> **❖ Note**  
+> `lib.zip` remains unchanged in this series. The flag for this challenge will be used to access the next one when unlocked.
+
+### Challenge Files
+
+* [lib.zip](dist/lib)
+* [server.py](dist/server.py)
diff --git a/crypto/cryptography-1/challenge/Dockerfile b/crypto/cryptography-1/challenge/Dockerfile
@@ -0,0 +1,19 @@
+FROM python:3.9-slim-buster
+
+RUN apt-get update -y && \
+    apt-get install -y lib32z1 xinetd && \
+    pip3 install networkx pycryptodome && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m user && \
+    chown -R root:root /home/user
+
+COPY app /home/user/
+COPY xinetd /etc/xinetd.d/user
+
+WORKDIR /home/user
+
+EXPOSE 9999
+
+CMD ["/usr/sbin/xinetd", "-dontfork"]
diff --git a/crypto/cryptography-1/challenge/app/DES.py b/crypto/cryptography-1/challenge/app/DES.py
@@ -0,0 +1,68 @@
+from __future__ import annotations
+from typing import *
+from Crypto.Random import get_random_bytes
+from itertools import product
+from multiprocessing import Pool
+import utils
+
+class DESClass:
+    '''
+    Implementation of dictionary encryption scheme
+    '''
+    def __init__(self, encrypted_db: dict[bytes, bytes] = {}):
+        self.encrypted_db = encrypted_db
+
+    def keyGen(self, security_parameter: int) -> bytes:
+        '''
+        Input: Security parameter
+        Output: Secret key
+        '''
+        return get_random_bytes(security_parameter)
+
+    def encryptDict(self, key: bytes, plaintext_dx: dict[bytes, bytes], cores: int) -> dict[bytes, bytes]:
+        '''
+        Input: A key and a plaintext dictionary
+        Output: An encrypted dictionary EDX
+        '''
+        encrypted_db = {}
+        chunk = int(len(plaintext_dx)/cores)
+        iterable = product([key], plaintext_dx.items())
+
+        with Pool(cores) as pool:
+            for ct_label, ct_value in pool.istarmap(encryptDictHelper, iterable, chunksize=chunk):   
+                encrypted_db[ct_label] = ct_value
+        return encrypted_db
+
+    def tokenGen(self, key: bytes, label: bytes) -> bytes:
+        '''
+        Input: A key and a label
+        Output: A token on label
+        '''
+        K1 = utils.HashMAC(key, b'1'+label)[:16]
+        K2 = utils.HashMAC(key, b'2'+label)[:16]
+        return K1 + K2
+
+    def search(self, search_token: bytes, encrypted_db: dict[bytes, bytes]) -> bytes:
+        '''
+        Input: Search token and EDX
+        Output: The corresponding encrypted value.
+        '''
+        K1 = search_token[:16]
+        K2 = search_token[16:]
+        hash_val = utils.Hash(K1)
+        if hash_val in encrypted_db:
+            ct_value = encrypted_db[hash_val]
+            return utils.SymmetricDecrypt(K2, ct_value)
+        else:
+            return b''
+
+def encryptDictHelper(key, dict_item):
+    label = dict_item[0]
+    value = dict_item[1]
+
+    K1 = utils.HashMAC(key, b'1'+label)[:16]
+    K2 = utils.HashMAC(key, b'2'+label)[:16]
+
+    ct_label = utils.Hash(K1)
+    ct_value = utils.SymmetricEncrypt(K2, value)
+    return ct_label, ct_value
diff --git a/crypto/cryptography-1/challenge/app/GES.py b/crypto/cryptography-1/challenge/app/GES.py
@@ -0,0 +1,106 @@
+from __future__ import annotations
+from typing import *
+from multiprocessing import Pool
+from itertools import product
+from Crypto.Random import get_random_bytes
+
+import networkx as nx
+import gc
+import DES
+import utils
+
+DES = DES.DESClass({})
+
+class GESClass:
+    '''
+    Implementation of graph encryption scheme
+    '''
+    def __init__(self, cores: int, encrypted_db: dict[bytes, bytes] = {}):
+        self.encrypted_db = encrypted_db
+        self.cores = cores
+
+    def keyGen(self, security_parameter: int) -> bytes:
+        '''
+        Input: Security parameter
+        Output: Secret key key_SKE||key_DES
+        '''
+        key_SKE = get_random_bytes(security_parameter)
+        key_DES = DES.keyGen(security_parameter)
+        return key_SKE + key_DES
+
+    def encryptGraph(self, key: bytes, G: nx.Graph) -> dict[bytes, bytes]:
+        '''
+        Input: Secret key and a graph G
+        Output: Encrypted graph encrypted_db
+        '''
+        SPDX = computeSPDX(key, G, self.cores)
+
+        key_DES = key[16:]    
+        EDB = DES.encryptDict(key_DES, SPDX, self.cores)
+
+        del(SPDX)
+        gc.collect()
+
+        return EDB
+
+    def tokenGen(self, key: bytes, query: tuple(int,int)) -> bytes:
+        key_DES = key[16:]
+        label = utils.pair_to_bytes(query)
+        return DES.tokenGen(key_DES, label)
+
+    def search(self, token: bytes, encrypted_db: dict[bytes, bytes]) -> Tuple(bytes, bytes):
+        '''
+        Input: Search token
+        Output: (tokens, cts)
+        '''
+        resp, tok = b"", b""
+        curr = token
+
+        while True:
+            value = DES.search(curr, encrypted_db)
+            if value == b'':
+                break
+            curr = value[:32]
+            resp += value[32:]
+            tok += curr
+        return tuple([tok, resp])
+
+def computeSDSP(G: nx.Graph, root):
+    '''
+    Input: Graph G and a root
+    Output: Tuples of the form ((start, root), (next_vertex, root))
+    '''
+    paths = nx.single_source_shortest_path(G, root)
+
+    S = set()
+    for _, path in paths.items():   
+        path.reverse()
+        if len(path) > 1:
+            for i in range(len(path)-1):
+                label = (path[i], root)
+                value = (path[i+1],root)
+                S.add((label, value))
+    return S
+
+def computeSPDX(key: bytes, G: nx.Graph, cores: int) -> dict[bytes, bytes]:
+    SPDX = {}
+    chunk = round(len(G.nodes())/cores)
+
+    key_SKE = key[:16]
+    key_DES = key[16:]
+
+    with Pool(cores) as pool:
+        iterable = product([G], G)
+
+        for S in pool.istarmap(computeSDSP, iterable, chunksize=chunk):
+            for pair in S:
+                label, value = pair[0], pair[1]
+                label_bytes = utils.pair_to_bytes(label)
+                value_bytes = utils.pair_to_bytes(value)
+
+                if label_bytes not in SPDX:
+                    token = DES.tokenGen(key_DES, value_bytes)
+                    ct = utils.SymmetricEncrypt(key_SKE,value_bytes)
+                    ct_value = token + ct
+                    SPDX[label_bytes] = ct_value
+    return SPDX
diff --git a/crypto/cryptography-1/challenge/app/SECRET.py b/crypto/cryptography-1/challenge/app/SECRET.py
@@ -0,0 +1,13 @@
+from utils import *
+
+flag = "SEKAI{GES_15_34sy_2_br34k_kn@w1ng_th3_k3y}"
+
+def decrypt(u: int, v: int, ct: bytes, key: bytes) -> str:
+    key_SKE = key[:16]
+    ans = [u]
+
+    for i in range(0, len(ct), 32):
+        curr = ct[i:i+32]
+        pt = SymmetricDecrypt(key_SKE, curr).decode()
+        ans.append(int(pt.split(',')[0]))
+    return " ".join(map(str, ans))