TKKCTF2025 - Zsm's blog

前言#

这次校赛正赛因为时间不够，自己有一个琢磨了很久的题没有端上来，后面有机会再来吧。

其实整体密码题的质量不算特别高？

题目#

Secure Vault#

他们说 AES 是对称加密算法，所以加密和解密本质上是一样的，对吧？

task.py

1
import os
2
import random
3
import string
4
import sys
5

6
from Crypto.Cipher import AES
7
from Crypto.Util.Padding import pad
8

9
ALPHABET = string.ascii_letters + string.digits
10

11
API_SECRET = ''.join(random.choices(ALPHABET, k=48))
12
KEY = os.urandom(32)
13

14
def get_flag():
15
    return os.environ.get('FLAG', 'xujc{test_flag_local}')
16

17
def encrypt_session(user_id):
18
    payload = user_id + API_SECRET
19
    padded_payload = pad(payload.encode(), 16)
20
    iv = os.urandom(16)
21
    cipher = AES.new(KEY, AES.MODE_CBC, iv=iv)
22
    return cipher.decrypt(padded_payload)
23

24
def main():
25
    print("=== Secure Vault ===", flush=True)
26
    while True:
27
        print("\n1. Generate Token")
28
        print("2. Admin Login")
29
        try:
30
            choice = input("> ").strip()
31
            if choice == '1':
32
                u = input("ID: ").strip()
33
                if len(u) < 16:
34
                    print("Error: ID too short.", flush=True)
35
                    continue
36
                print(f"Token: {encrypt_session(u).hex()}", flush=True)
37
            elif choice == '2':
38
                if input("Secret: ").strip() == API_SECRET:
39
                    print(f"Flag: {get_flag()}", flush=True)
40
                    sys.exit(0)
41
                else:
42
                    print("Access Denied.", flush=True)
43
                    sys.exit(0)
44
        except:
45
            sys.exit(0)
46

47
if __name__ == "__main__":
48
    main()

很经典的CBC攻击对吧

1
def encrypt_session(user_id):
2
    payload = user_id + API_SECRET
3
    padded_payload = pad(payload.encode(), 16)
4
    iv = os.urandom(16)
5
    cipher = AES.new(KEY, AES.MODE_CBC, iv=iv)
6
    return cipher.decrypt(padded_payload) # ⬅️ 错误所在！

逐字节恢复即可

1
import string
2
import sys
3

4
from pwn import *
5

6
HOST = '47.122.52.77'
7
PORT = 33101
8

9
ALPHABET = string.ascii_letters + string.digits
10

11
def xor(b1, b2):
12
    return bytes([a ^ b for a, b in zip(b1, b2)])
13

14
def get_token(io, user_id):
15
    io.sendlineafter(b'> ', b'1')
16
    io.sendlineafter(b'ID: ', user_id.encode())
17
    line = io.recvline().decode().strip()
18
    if "Token: " in line:
19
        return bytes.fromhex(line.split(": ")[1])
20
    return None
21

22
def solve():
23
    io = remote(HOST, PORT)
24

25
    known_secret = ""
26

27
    for i in range(48):
28
        offset = (15 - i) % 16
29
        pad_len = 16 + offset
30
        uid_target = "0" * pad_len
31

32
        token = get_token(io, uid_target)
33

34
        total_idx = pad_len + i
35
        block_idx = total_idx // 16
36

37
        r_target = token[block_idx*16 : (block_idx+1)*16]
38

39
        full_plaintext = (uid_target + known_secret).encode()
40
        p_prev_target = full_plaintext[(block_idx-1)*16 : block_idx*16]
41

42
        target_val = xor(r_target, p_prev_target)
43

44
        prefix = full_plaintext[total_idx-15 : total_idx]
45

46
        batch_uid = b"0" * 16
47
        candidates = []
48

49
        for char in ALPHABET:
50
            block = prefix + char.encode()
51
            batch_uid += block
52
            candidates.append(char)
53

54
        batch_token = get_token(io, batch_uid.decode())
55

56
        found_char = None
57

58
        for j, char in enumerate(candidates):
59
            k = j + 1
60

61
            r_guess = batch_token[k*16 : (k+1)*16]
62
            p_prev_guess = batch_uid[(k-1)*16 : k*16]
63

64
            computed_val = xor(r_guess, p_prev_guess)
65

66
            if computed_val == target_val:
67
                found_char = char
68
                break
69

70
        if found_char:
71
            known_secret += found_char
72
            sys.stdout.write(f"\r[+] Found {i+1}/48: {known_secret}")
73
            sys.stdout.flush()
74
        else:
75
            print(f"\n[-] Failed to find char at index {i}")
76
            break
77

78
    print("\n[*] Secret recovered!")
79

80
    io.sendlineafter(b'> ', b'2')
81
    io.sendlineafter(b'Secret: ', known_secret.encode())
82

83
    io.interactive()
84

85
if __name__ == '__main__':
86
    solve()

Isomorphia#

我们开发了一套校验系统。系统的开发者向我保证，他在代码里写了非常严格的结构检查逻辑，绝对不可能有任何黑客能混过去。

task.py

1
import os
2
import random as py_random
3
import sys
4
import traceback
5

6
from sage.all import *
7

8
FLAG = os.getenv('FLAG')
9

10
class Challenge:
11
    def __init__(self):
12
        self.q = 127
13
        self.n = 26
14
        self.k = 14
15
        self.F = GF(self.q)
16
        self.border = "┃"
17

18
        self.G = self._gen_random_basis()
19
        self.Q = self._gen_monomial()
20
        self.H = (self.G * self.Q).echelon_form()
21

22
    def _gen_random_basis(self):
23
        return random_matrix(self.F, self.k, self.n)
24

25
    def _gen_monomial(self):
26
        M = zero_matrix(self.F, self.n, self.n)
27
        indices = list(range(self.n))
28
        py_random.shuffle(indices)
29

30
        for r in range(self.n):
31
            while True:
32
                val = self.F.random_element()
33
                if val != 0:
34
                    M[r, indices[r]] = val
35
                    break
36
        return M
37

38
    def _print(self, *args):
39
        s = " ".join(map(str, args))
40
        sys.stdout.write(s + "\n")
41
        sys.stdout.flush()
42

43
    def _read(self):
44
        return sys.stdin.buffer.readline().decode('utf-8').strip()
45

46
    def start(self):
47

48
        self._print("┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
49
        self._print(f"{self.border} .:::      Isomorphia       :::.", self.border)
50
        self._print("┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")
51

52
        while True:
53
            menu = f"{self.border} Options: \n"
54
            menu += f"{self.border}\t[G]et the G and H! \n"
55
            menu += f"{self.border}\t[S]olve the System! \n"
56
            menu += f"{self.border}\t[Q]uit"
57
            self._print(menu)
58

59
            try:
60
                line = self._read()
61
                if not line: break
62
                choice = line.lower()
63
            except Exception:
64
                break
65

66
            if choice == 'g':
67
                self._print(f"G = {self.G}")
68
                self._print(f"H = {self.H}")
69

70
            elif choice == 's':
71
                self._print(self.border, "Please send the matrix U row by row: ")
72
                try:
73
                    u_rows = []
74
                    for _ in range(self.k):
75
                        line = self._read()
76
                        if not line: raise ValueError("Empty input")
77
                        u_rows.append([int(x) for x in line.split(',')])
78

79
                    self._print(self.border, "Now, please send the matrix P row by row: ")
80
                    p_rows = []
81
                    for _ in range(self.n):
82
                        line = self._read()
83
                        if not line: raise ValueError("Empty input")
84
                        p_rows.append([int(x) for x in line.split(',')])
85
                    U_cand = matrix(self.F, u_rows)
86
                    P_cand = matrix(self.F, p_rows)
87

88
                    is_valid = True
89
                    if U_cand * self.G * P_cand != self.H:
90
                        is_valid = False
91
                    if not U_cand.is_invertible() or not P_cand.is_invertible():
92
                        is_valid = False
93
                    for row in P_cand:
94
                        if list(row).count(0) != self.n - 1:
95
                            pass
96

97
                    if is_valid:
98
                        self._print(self.border, f"Congrats, you got the flag: {FLAG}")
99
                        sys.exit(0)
100
                    else:
101
                        self._print(self.border, "Verification failed! Bye!!")
102
                        sys.exit(0)
103

104
                except Exception:
105
                    self._print(self.border, "Something went wrong with your input :| Quitting!")
106
                    sys.exit(0)
107

108
            elif choice == 'q':
109
                self._print(self.border, "Quitting...")
110
                sys.exit(0)
111
            else:
112
                self._print(self.border, "Bye...")
113
                sys.exit(0)
114

115
def main():
116
    try:
117
        if sys.stdout.encoding.lower() != 'utf-8':
118
            sys.stdout.reconfigure(encoding='utf-8')
119

120
        task = Challenge()
121
        task.start()
122
    except Exception:
123
        sys.stdout.write(f"\n[SERVER ERROR] {traceback.format_exc()}\n")
124
        sys.stdout.flush()
125

126
if __name__ == "__main__":
127
    main()

其实是后面那个题的非预期版本

核心漏洞在

1
for row in P_cand:
2
    if list(row).count(0) != self.n - 1:
3
        pass

这里因为直接是pass处理，根本没要求 P 是单项式矩阵，所以要求的过为宽泛了。

这就变成了一个线性代数题目了

令

$U = G_0^{-1}$

那么：

$UG = G_0^{-1}[G_0 \mid G_1] = [I_{14} \mid B]$

其中 $B = G_0^{-1}G_1$ 是一个 $14 \times 12$ 的矩阵。

把 $P$ 按行（26 行）拆成块矩阵：

$P = \begin{pmatrix} P_{11} & P_{12} \\ P_{21} & P_{22} \end{pmatrix}$

$P_{11}$ 是 $14 \times 14$
$P_{12}$ 是 $14 \times 12$
$P_{21}$ 是 $12 \times 14$
$P_{22}$ 是 $12 \times 12$

我们希望：

$[I \mid B] \begin{pmatrix} P_{11} & P_{12} \\ P_{21} & P_{22} \end{pmatrix} = [I \mid C]$

算一下这个乘积：

$[I \mid B]P = [I P_{11} + B P_{21} \mid I P_{12} + B P_{22}] = [P_{11} + B P_{21} \mid P_{12} + B P_{22}]$

为了让左边等于 $[I \mid C]$ ，只需要满足：

$P_{11} + B P_{21} = I_{14}$
$P_{12} + B P_{22} = C$

我们选一个最简单的方案：

取 $P_{21} = 0$ , $P_{11} = I_{14}$ , 这样自动满足 (1)
再取 $P_{22} = I_{12}$ (显然可逆)

那么只要设

$P_{12} = C - B P_{22} = C - B$

这样构造出来的 $P$ 是一个块上三角矩阵：

$P = \begin{pmatrix} I_{14} & C - B \\ 0 & I_{12} \end{pmatrix}$

对块上三角矩阵，行列式是对角块行列式的乘积：

$\det(P) = \det(I_{14}) \cdot \det(I_{12}) = 1 \cdot 1 = 1 \ne 0$

所以 $P$ 可逆。

而这时：

$UGP = [I \mid B]P = [I \mid (C - B) + B] = [I \mid C] = H$

所以这个 $U, P$ 一定能通过验证，拿到 flag。

exp.py

1
q = 127
2
F = GF(q)
3

4
G = Matrix(F, [
5
])
6
H = Matrix(F, [
7
])
8

9
G0 = G[:, 0:14]
10
G1 = G[:, 14:26]
11
H0 = H[:, 0:14]
12
C  = H[:, 14:26]
13

14
U = G0.inverse()
15
A = U * G
16
B = A[:, 14:26]
17

18
P11 = identity_matrix(F, 14)
19
P21 = Matrix(F, 12, 14, 0)
20
P22 = identity_matrix(F, 12)
21
P12 = C - B
22

23
P_top = P11.augment(P12)
24
P_bottom = P21.augment(P22)
25
P = P_top.stack(P_bottom)
26

27
assert U * G * P == H

Isomorphia_revenge#

上次的系统上线后被黑客秒破了，我们紧急修复了这个漏洞，并开除了实习生。现在，校验逻辑已经严丝合缝。这一次，纯粹的技巧已经救不了那群无聊的黑客了！

task.py

1
import os
2
import random as py_random
3
import sys
4
import traceback
5

6
from sage.all import *
7

8
FLAG = os.getenv('FLAG')
9

10
class Challenge:
11
    def __init__(self):
12
        self.q = 127
13
        self.n = 26
14
        self.k = 14
15
        self.F = GF(self.q)
16
        self.border = "┃"
17

18
        self.G = self._gen_random_basis()
19
        self.Q = self._gen_monomial()
20
        self.H = (self.G * self.Q).echelon_form()
21

22
    def _gen_random_basis(self):
23
        return random_matrix(self.F, self.k, self.n)
24

25
    def _gen_monomial(self):
26
        M = zero_matrix(self.F, self.n, self.n)
27
        indices = list(range(self.n))
28
        py_random.shuffle(indices)
29

30
        for r in range(self.n):
31
            while True:
32
                val = self.F.random_element()
33
                if val != 0:
34
                    M[r, indices[r]] = val
35
                    break
36
        return M
37

38
    def _print(self, *args):
39
        s = " ".join(map(str, args))
40
        sys.stdout.write(s + "\n")
41
        sys.stdout.flush()
42

43
    def _read(self):
44
        return sys.stdin.buffer.readline().decode('utf-8').strip()
45

46
    def start(self):
47

48
        self._print("┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓")
49
        self._print(f"{self.border} .:::      Isomorphia       :::.", self.border)
50
        self._print("┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛")
51

52
        while True:
53
            menu = f"{self.border} Options: \n"
54
            menu += f"{self.border}\t[G]et the G and H! \n"
55
            menu += f"{self.border}\t[S]olve the System! \n"
56
            menu += f"{self.border}\t[Q]uit"
57
            self._print(menu)
58

59
            try:
60
                line = self._read()
61
                if not line: break
62
                choice = line.lower()
63
            except Exception:
64
                break
65

66
            if choice == 'g':
67
                self._print(f"G = {self.G}")
68
                self._print(f"H = {self.H}")
69

70
            elif choice == 's':
71
                self._print(self.border, "Please send the matrix U row by row: ")
72
                try:
73
                    u_rows = []
74
                    for _ in range(self.k):
75
                        line = self._read()
76
                        if not line: raise ValueError("Empty input")
77
                        u_rows.append([int(x) for x in line.split(',')])
78

79
                    self._print(self.border, "Now, please send the matrix P row by row: ")
80
                    p_rows = []
81
                    for _ in range(self.n):
82
                        line = self._read()
83
                        if not line: raise ValueError("Empty input")
84
                        p_rows.append([int(x) for x in line.split(',')])
85
                    U_cand = matrix(self.F, u_rows)
86
                    P_cand = matrix(self.F, p_rows)
87

88
                    is_valid = True
89
                    if U_cand * self.G * P_cand != self.H:
90
                        is_valid = False
91
                    if not U_cand.is_invertible() or not P_cand.is_invertible():
92
                        is_valid = False
93
                    for row in P_cand:
94
                        if list(row).count(0) != self.n - 1:
95
                            is_valid=False
96
                            break
97

98
                    if is_valid:
99
                        self._print(self.border, f"Congrats, you got the flag: {FLAG}")
100
                        sys.exit(0)
101
                    else:
102
                        self._print(self.border, "Verification failed! Bye!!")
103
                        sys.exit(0)
104

105
                except Exception:
106
                    self._print(self.border, "Something went wrong with your input :| Quitting!")
107
                    sys.exit(0)
108

109
            elif choice == 'q':
110
                self._print(self.border, "Quitting...")
111
                sys.exit(0)
112
            else:
113
                self._print(self.border, "Bye...")
114
                sys.exit(0)
115

116
def main():
117
    try:
118
        if sys.stdout.encoding.lower() != 'utf-8':
119
            sys.stdout.reconfigure(encoding='utf-8')
120

121
        task = Challenge()
122
        task.start()
123
    except Exception:
124
        sys.stdout.write(f"\n[SERVER ERROR] {traceback.format_exc()}\n")
125
        sys.stdout.flush()
126

127
if __name__ == "__main__":
128
    main()

本质上就是修复了上题的漏洞，但是我忘记加时间限制了，硬爆有可能会出来，怪难受的，早知道狠心一点了😡。

这道题在学术界被称为线性码等价问题 (Linear Equivalence Problem, LEP)

如果你是osint大师的话，在询问ai后知道了问题，就可以开始搜索，不去找论文，直接找github的实现仓库即可

这个仓库的佬是概率性碰撞，差不多50%的几率这个题能出来，直接多运行几次就行

exp.py

1
from pwn import remote
2
from re import findall
3
# from sage.all import *
4

5
q = 127
6
k,n = 26,14
7
io = remote("127.0.0.1", "8989")
8
io.recvuntil(b'uit\n')
9
io.sendline(b'g')
10
io.recvuntil(b'G = ')
11
Glist = io.recvuntil(b'\nH')[:-2].decode()
12

13
io.recvuntil(b'= ')
14
Hlist = io.recvuntil('\n┃'.encode())[:-4].decode()
15
def parse_matrix(s):
16
    rows = s.split('\n')
17
    matrix = []
18
    for row in rows:
19
        if row.strip():
20
            matrix.append([int(x) for x in findall(r'\d+', row)])
21
    return matrix
22
F = GF(q)
23
G = matrix(F, parse_matrix(Glist))
24
H = matrix(F, parse_matrix(Hlist))
25

26
load("utils.sage")
27
load("lep_solver.sage")
28

29
q = 127
30
n = 26
31
k = 14
32

33
Fq = GF(q)
34

35
# G1 = random_matrix(Fq, k, n)
36
# Q = randomMonomial(n, q)
37
# G2 = (G1*Q).echelon_form()
38

39
result = lepCollSearch(G, H)
40
if result != None:
41
    U, P = result
42
    # assert G2 == U*G1*P
43
    assert H == U*G*P
44
    print("lepCollSearch succesfully recovered solution.")
45

46

47
_U,_P = result
48
print(_U*G*_P==H)
49
print(_U.dimensions())
50
print(_P.dimensions())
51
io.recvuntil(b"uit\n")
52
io.sendline(b"s")
53
io.recvuntil(b"Please send the matrix U row by row: ")
54
print(_U.dimensions())
55
print(_P)
56
for i in range(14):
57
    print(str(list(_U[i]))[1:-1])
58
    io.sendline(str(list(_U[i]))[1:-1].encode())
59
io.recvuntil(b"Now, please send the matrix P row by row: ")
60
for _ in range(n):
61
    print(str(list(_P[_]))[1:-1])
62
    io.sendline(str(list(_P[_]))[1:-1].encode())
63
io.interactive()
64
print(io.recvline().decode())

Matzs Nightmare（re)#

“今天我们宣布发布一款全新的编程语言：xujc！它完美的解决了C++迄今为止令人唾弃的内存管理问题……”

这是当时red让我测题的时候写的，个人感觉挺好玩的，如果你是re老手，当然我不是，可能会敏锐的发现这个是用什么写的。

我是后面在010中找到了mruby的头，然后手动分离，然后字节码逆向出来的，加密就是分块xor，主要是前面的分离，还是很好玩的

后话#

感谢师傅们可以来玩这次的tkkctf，希望师傅们也多多包含，这也算是我校跨出校门的第一步。

a ctfer on the load

前言#

题目#

Secure Vault#

Isomorphia#

Isomorphia_revenge#

Matzs Nightmare（re)#

后话#