niteCTF 2024 团队 WriteUp
With 正规子群 (Triode, adwa, Ov3)
Crypto
RSAabc
题目
Solution
from Crypto.Util.number import *
from output import ns, cts
# Text of the substitution layer. reverse_alphabet() maps every character that
# is not an ASCII letter (the Greek ones here) to "?", and the main loop fills
# each "?" slot from the RSA instance (ns[i], cts[i]) at the same index.
c = "mrgπeτfΟΔςoΝeηiδyegsλexlwVαehιΠπμZe"
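def reverse_alphabet(char):
    """Undo the substitution layer for a single character.

    "e" decodes to "_". ASCII letters are mirrored inside their own case
    (A<->Z, a<->z). Every other character yields "?", which the caller
    treats as a slot to be recovered separately.
    """
    # Local import: this listing uses `string` but never imports it, so the
    # original raised NameError on the first non-"e" character.
    import string

    if char == "e":
        return "_"
    if char in string.ascii_uppercase:
        return chr(155 - ord(char))  # 155 == ord("A") + ord("Z")
    if char in string.ascii_lowercase:
        return chr(219 - ord(char))  # 219 == ord("a") + ord("z")
    return "?"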
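def fac(n, bound=2**26):
    """Split n by trial division and return (p, n // p).

    p is the smallest divisor of n in range(2, bound). The approach only
    works because the challenge moduli carry a factor below 2**26; a modulus
    whose factors are all large is out of reach for this routine.

    Raises:
        ValueError: if no divisor below `bound` exists. The original fell
            through to `return p, q` with `q` unbound in that case.
    """
    for p in range(2, bound):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"no factor of n found below {bound}")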
def googly(number, position):
    """Return `number` with the bit at index `position` toggled (0 = least significant)."""
    return number ^ (1 << position)
def RSA_de(c, e, p, q):
    """Decrypt c with textbook RSA for the modulus p * q and return the plaintext bytes.

    The private exponent is the inverse of e modulo (p - 1) * (q - 1).
    """
    modulus = p * q
    totient = (p - 1) * (q - 1)
    private_exp = inverse(e, totient)
    plaintext = pow(c, private_exp, modulus)
    return long_to_bytes(plaintext)
e = 65537

# Undo the substitution layer; characters it cannot map come back as "?".
t = "".join(reverse_alphabet(ch) for ch in c)
print(t)

# Fill every "?" slot from the RSA instance stored at the same index.
recovered = []
for idx, symbol in enumerate(t):
    if symbol != "?":
        recovered.append(symbol)
        continue
    p, q = fac(ns[idx])
    ct = cts[idx]
    # Try every single-bit flip of the ciphertext and keep each decryption
    # that collapses to exactly one byte.
    for bit in range(ct.bit_length()):
        m = RSA_de(googly(ct, bit), e, p, q)
        if len(m) == 1:
            recovered.append(m.decode())
message = "".join(recovered)
print(message)
R Stands Alone
加密代码:
from Crypto.Util.number import *
def gen_keys():
    """Draw primes a, b until the cubic form below is prime; return (a, b, p).

    With A = a + b and B = a - b the expression expands to
    (8*a**3 + 128*b**3) // 8 == a**3 + 16*b**3, so the third prime is fully
    determined by the first two. That algebraic relation is what the lattice
    solution on this page exploits.
    """
    while True:
        a = getPrime(128)
        b = getPrime(128)
        A, B = a + b, a - b
        numerator = 17 * A**3 - 15 * B**3 - 45 * A**2 * B + 51 * A * B**2
        p = numerator // 8
        if isPrime(p):
            return a, b, p
# gen_keys() returns (a, b, p); they are bound here as p, q, r, so r is the
# prime built from the cubic form.
p, q, r = gen_keys()
e = 65537
n = p * q * r
flag = b"nite{REDACTED}"
ct = pow(bytes_to_long(flag), e, n)
# Only r and ct are printed; n itself is never published.
print(f"{r =}")
print(f"{ct =}")
"""OUTPUT :
r = 17089720847522532186100904495372954796086523439343401190123572243129905753474678094845069878902485935983903151003792259885100719816542256646921114782358850654669422154056281086124314106159053995410679203972646861293990837092569959353563829625357193304859110289832087486433404114502776367901058316568043039359702726129176232071380909102959487599545443427656477659826199871583221432635475944633756787715120625352578949312795012083097635951710463898749012187679742033
ct =583923134770560329725969597854974954817875793223201855918544947864454662723867635785399659016709076642873878052382188776671557362982072671970362761186980877612369359390225243415378728776179883524295537607691571827283702387054497203051018081864728864347679606523298343320899830775463739426749812898275755128789910670953110189932506526059469355433776101712047677552367319451519452937737920833262802366767252338882535122186363375773646527797807010023406069837153015954208184298026280412545487298238972141277859462877659870292921806358086551087265080944696281740241711972141761164084554737925380675988550525333416462830465453346649622004827486255797343201397171878952840759670675361040051881542149839523371605515944524102331865520667005772313885253113470374005334182380501000
"""
非预期:
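已知 $p$、$q$ 是 512 位的整数,但是给出的 $r$ 是 1539 位的整数。如果 flag 对应的整数 $m$ 要大于 $r$,那么 flag 的长度必须大于 192 字节,这种情况十分罕见,所以考虑 $m < r$。此时 $ct \bmod r = m^e \bmod r$,而 $r$ 是素数,可以直接使用 $d = e^{-1} \bmod (r-1)$ 在模 $r$ 下解密来得到 flag: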
from Crypto.Util.number import *
r = ...   # placeholder: the published prime r
ct = ...  # placeholder: the published ciphertext
e = 65537
# r is a prime factor of n, so ct mod r equals m^e mod r; when m < r the
# plaintext is recovered with the exponent inverse taken modulo r - 1.
d = inverse(e, r - 1)
print(long_to_bytes(pow(ct, d, r)))
运行就可以得到flag:nite{7h3_Latt1c3_kn0ws_Ur_Pr1m3s_very_vvery_v3Ry_w3LLL}
预期: (Lattice)
# task: R Stands Alone
"""
def gen_keys():
while True:
a = getPrime(512)
b = getPrime(512)
A = a+b
B = a-b
p = ((17*A*A*A) - (15*B*B*B) - (45*A*A*B) + (51*A*B*B)) // 8
if isPrime(p) :
return a, b, p
"""
# 对 p 简单约简, 得到下式子, 设 p = a, q = b, r = ((17*A*A*A) - (15*B*B*B) - (45*A*A*B) + (51*A*B*B)) // 8
# r = p**3 + 16 * q**3
from sage.all import Zmod, ZZ, matrix, inverse_mod, GF
from functools import reduce
import Cryptodome.Util.number as cun
r = 17089720847522532186100904495372954796086523439343401190123572243129905753474678094845069878902485935983903151003792259885100719816542256646921114782358850654669422154056281086124314106159053995410679203972646861293990837092569959353563829625357193304859110289832087486433404114502776367901058316568043039359702726129176232071380909102959487599545443427656477659826199871583221432635475944633756787715120625352578949312795012083097635951710463898749012187679742033
ct = 583923134770560329725969597854974954817875793223201855918544947864454662723867635785399659016709076642873878052382188776671557362982072671970362761186980877612369359390225243415378728776179883524295537607691571827283702387054497203051018081864728864347679606523298343320899830775463739426749812898275755128789910670953110189932506526059469355433776101712047677552367319451519452937737920833262802366767252338882535122186363375773646527797807010023406069837153015954208184298026280412545487298238972141277859462877659870292921806358086551087265080944696281740241711972141761164084554737925380675988550525333416462830465453346649622004827486255797343201397171878952840759670675361040051881542149839523371605515944524102331865520667005772313885253113470374005334182380501000
e = 65537

# adwa solution
# r = a^3 + 16*b^3 means (a/b)^3 == -16 (mod r), i.e. a/b is a root of
# x^3 + 16 over Zmod(r).
R = Zmod(r)["x"]
x = R.gen()
f = x**3 + 16
# NOTE(review): only the first root returned is used. If the polynomial has
# several roots mod r, presumably only one of them yields the short vector;
# the isPrime printout below is the check that the right one was picked.
root = f.roots()[0][0]
M = matrix(ZZ, [[1, root], [0, r]])
# by adwa:
# It looks like any a*x^n + b*y^n relation can be handled with a lattice this way
# f = x ** 7 - 7
# e = f.roots()[0][0]
# The hard part then moves to roots() (which is just root finding in a finite field)
shortest = M.LLL()[0]
a, b = (int(abs(entry)) for entry in shortest)
print(f"a = {a}\nb = {b}")
print(f"{cun.isPrime(a) = }, {cun.isPrime(b) = }")
# Euler phi of n = a * b * r for three distinct primes.
phi = (a - 1) * (b - 1) * (r - 1)
n = a * b * r
d = cun.inverse(e, phi)
m = pow(ct, d, n)
print(f"{m = }")
print(cun.long_to_bytes(m))
output
a = 10072783682149096496560021303116377805854549188797262439950559674169510967907458008084848733118235190641349698455196677635952366670230109231872222236754559
b = 9036110971390653235054772621128562083119528851536791839942998633782706649988009159574634878901931842244724499813215803519063457860914973719080269319085089
cun.isPrime(a) = 1, cun.isPrime(b) = 1
m = 1224543274432953164098494823673082544474888158727042278518055942472603042171050926269717319080882631327061394998314354487201417153661
b'nite{7h3_Latt1c3_kn0ws_Ur_Pr1m3s_very_vvery_v3Ry_w3LLL}'
official solution
Quadrillion Matrices
加密代码:
from Crypto.Util.number import *
from secret import gen_matrix
from sage.all import *
import random
p = getPrime(256)

with open('flag', 'rb') as f:
    # bin() drops leading zero bits, so the bit string starts with "1".
    flag = bin(bytes_to_long(f.read()))[2:]

inp = []
out = []
for bit in flag:
    M = gen_matrix(p)
    inp.append(list(M))
    # First exponent starts at 3 + bit with step 2: odd for bit "0", even for
    # bit "1". The second exponent is always odd. The total exponent is
    # therefore odd exactly when the flag bit is 1, and that parity is what
    # leaks the bit.
    first = random.randrange(3 + int(bit), p, 2)
    second = random.randrange(3, p, 2)
    out.append(list(M**first * M**second))

with open('out', 'w') as f:
    f.write(f"{p}\n{inp}\n{out}")
解法1: 二次剩余
设flag的二进制位数为 $n$,对于flag的第 $i$($0 \le i < n$)个二进制位,程序在 $GF(p)$ 下生成了一个方阵 $M_i$,若该位为1,则输出该矩阵的随机奇数次幂,若为0则返回该矩阵的随机偶数次幂。
这种加密方法很像在 $GF(p)$ 下使用数的二次剩余对flag进行逐位加密。经过测试发现,总存在可逆矩阵 $T_i$,使得 $T_i^{-1} M_i T_i$ 为一对角矩阵,所以我们可以取出与 $M_i$ 相似的对角矩阵中的左上角的元素 $x_i$。设该矩阵在乘方过程中使用的指数为 $k_i$,则可以知道,与结果矩阵相似的对角矩阵的左上角元素 $y_i$ 必满足 $y_i \equiv x_i^{k_i} \pmod p$。
测试可以发现,对于任意的 $i$,$x_i$ 总是模 $p$ 的非二次剩余(估计是故意的,不然为什么不让我们看 gen_matrix 呢)。那么如果对应的位为1(指数 $k_i$ 为奇数),$y_i$ 就必是模 $p$ 的非二次剩余;若对应位为0(指数 $k_i$ 为偶数),则 $y_i$ 必是模 $p$ 的二次剩余。那么我们便可以通过如下代码来还原出flag:
from Crypto.Util.number import*
def Legendre(x, p):
    """Return Euler's criterion value x**((p-1)//2) mod p, reported as -1 instead of p - 1.

    For an odd prime p this is the Legendre symbol: 1 for a quadratic
    residue, -1 for a non-residue, 0 when p divides x.
    """
    symbol = pow(x, (p - 1) // 2, p)
    return -1 if symbol == p - 1 else symbol
p = 83085158192945668035830892261182081607877951584711798696185940250894132426657
Ms = [...]  # placeholder: the `inp` list from the challenge output
Ps = [...]  # placeholder: the `out` list from the challenge output

F = GF(p)
bits = []
for i, rows in enumerate(Ms):
    M = matrix(F, rows)
    P = matrix(F, Ps[i])
    # NOTE(review): the two Jordan forms are computed independently, so x and
    # y are not guaranteed to sit at matching positions. The parity test only
    # needs their residuosity, which presumably is the same for every
    # eigenvalue of a given matrix - confirm against the data.
    x = M.jordan_form(subdivide=False, transformation=False)[0][0]
    y = P.jordan_form(subdivide=False, transformation=False)[0][0]
    b = Legendre(int(x), p) * Legendre(int(y), p)
    bits.append("1" if b == 1 else "0")
s = "".join(bits)
print(long_to_bytes(int(s, 2)))
运行就可以得到flag:nite{0ur_b4tt1e_w4s_l0g3ndr3}
在这里采用了判断 $b = \left(\frac{x}{p}\right)\left(\frac{y}{p}\right)$ 是否为 1 的方式来判断(其实不用:因为 $x$ 总是非二次剩余,只看 $y$ 的勒让德符号即可)
解法2: Matrix DLP
AST 读数据
sage code
import ast # 用于将字符串转换为 Python 字面量
from tqdm import trange # 用于显示进度条
def parse_out_file(filename):
    """Read the challenge output file and return (p, inp, out).

    Line 1 holds the prime p; lines 2 and 3 hold the `inp` and `out` lists
    written with str(). They are parsed with ast.literal_eval, which accepts
    Python literals only and does not execute code from the file.
    """
    with open(filename, 'r') as handle:
        rows = list(handle)
    modulus = int(rows[0].strip())
    inp_lists, out_lists = (ast.literal_eval(rows[k].strip()) for k in (1, 2))
    return modulus, inp_lists, out_lists
p, inp, out = parse_out_file('out')

# line count
print(f'len(inp) = {len(inp)}')

y_list = []
field = GF(p)
# Handle each (inp, out) pair in turn.
for i in trange(len(inp)):
    G = matrix(field, inp[i])  # input matrix
    H = matrix(field, out[i])  # output matrix, a power of G

    # Conjugate H with the same transformation that brings G to Jordan form,
    # so the [0, 0] entries of both refer to the same eigen-direction.
    G_Jor, P = G.jordan_form(transformation=True)
    H_Jor = ~P * H * P

    g, y = G_Jor[0, 0], H_Jor[0, 0]
    y_list.append(y)

    # Debug output
    print(f"Processing pair {i+1}:")
    print(f"y: {y}")
    print(f"g: {g}")

    # Discrete log via cado-nfs (left disabled in this listing):
    # d = call_cado_discrete_log(y, g, p)
    # d = discrete_log(y, g, p)
    # if d is not None:
    #     print("Discrete Log Result:", d)
    # else:
    #     print("Failed to compute discrete log.")

# Dump the collected targets
print(f'y_list = {y_list}')
python code
import re
import paramiko
import time
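def execute_remote_command(host, port, username, password, command):
    """
    Run one command on a remote host over SSH and return its output as text.

    :param host: address of the remote host
    :param port: SSH port of the remote host, usually 22
    :param username: login name on the remote host
    :param password: password for that login
    :param command: command line to run; it is interpreted by the remote
        shell, so it must not be assembled from untrusted text
    :return: stdout of the command. If stderr is non-empty the return value
        is a labelled string holding stderr (and stdout, if any). If an
        exception occurs, "An error occurred: ..." is returned instead of
        raising.
    """
    start_time = time.time()
    ssh = None
    try:
        ssh = paramiko.SSHClient()
        # Load known_hosts first so a host that is already known is verified
        # against its recorded key.
        ssh.load_system_host_keys()
        # NOTE(review): AutoAddPolicy accepts the key of any host that is not
        # yet known, so a first connection is not authenticated and the
        # password can be sent to an impostor. Pin the key or use
        # paramiko.RejectPolicy when the server key is known in advance.
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(host, port=port, username=username, password=password)
        stdin, stdout, stderr = ssh.exec_command(command)
        result = stdout.read().decode("utf-8")
        error = stderr.read().decode("utf-8")
        if error:
            if result:
                return f"[+] stderr + stdout : \n{error}\n{result}"
            return f"[e] stderr: \n{error}"
        return result
    except Exception as e:
        return f"An error occurred: {str(e)}"
    finally:
        end_time = time.time()
        print(f"[*] Time: {end_time - start_time:.2f}s")
        # The original never closed the client, leaking the connection on
        # every call.
        if ssh is not None:
            ssh.close()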
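def call_server_solve(p, y, parameters_snapshot=None, p_1=None):
    """
    Executes a series of remote commands to factorize a number and solve a discrete logarithm problem.

    The connection details (host, port, username, password) are read from
    module-level names that this listing does not define.

    Args:
        p (int): The modulus for the discrete logarithm problem.
        y (int or list of int): The target value(s) for the discrete logarithm problem.
        parameters_snapshot (str, optional): The snapshot of parameters from a previous run. Defaults to None.
        p_1 (int, optional): The largest prime factor of p-1. Defaults to None.

    Returns:
        str: The result line reported for the target(s). The original printed
        this value but returned None, contradicting its own docstring.

    Raises:
        RuntimeError: if the remote command could not be executed at all.
        ValueError: if the remote output does not contain the expected value.
    """
    # Local import: used to quote values spliced into the remote shell command.
    import shlex

    def run_remote(command):
        """Print and run one command remotely; fail loudly on a transport error."""
        print(f"[*] Command: {command}")
        result = execute_remote_command(host, port, username, password, command)
        # execute_remote_command reports exceptions as a string; parsing that
        # string for numbers would silently produce a bogus answer.
        if result.startswith("An error occurred: "):
            raise RuntimeError(result)
        return result

    # For this challenge yafu and sage factor much faster than cado-nfs.
    def call_sage_factor():
        """
        Factor (p-1) with SageMath on the remote server and return the largest number in its output.

        Returns:
            int: The largest factor of (p-1).
        Prints:
            The constructed command, the factorization result, and the largest factor of (p-1).
        """
        print(f"[+] factor(p-1)")
        # command = ["/root/tools/cado-nfs/cado-nfs-notlog.py", str(p - 1)]  # too slow
        command = " ".join(
            [
                "sage",
                "--python",
                "-c",
                f"'from sage.all import *; print(factor({p - 1}))'",
            ]
        )
        result = run_remote(command)
        print(f"[+] Factor result:")
        print(result)
        numbers = [int(token) for token in re.findall(r"\d+", result)]
        if not numbers:
            raise ValueError("no factors found in the remote sage output")
        p_1 = max(numbers)
        print(f"[*] p-1: {p_1}")
        return p_1

    def call_cado_dlp_pre(p_1):
        """Run the cado-nfs DLP precomputation and return the parameters_snapshot path it reports."""
        print(f"[+] DLP")
        command = " ".join(
            [
                # '/root/tools/cado-nfs/cado-nfs-notlog.py',
                "/root/tools/cado-nfs/cado-nfs.py",
                "--dlp",
                shlex.quote(f"-ell={str(p_1)}"),  # large prime dividing p - 1
                shlex.quote(f"{p}"),  # modulus
            ]
        )
        result = run_remote(command)
        # print(result)
        # Expected log line, e.g.:
        # Info:root: If you want to compute one or several new target(s), run /root/tools/cado-nfs/cado-nfs.py /tmp/cado.09rskpij/p40.parameters_snapshot.0 target=<target>[,<target>,...]
        tail = result.split("\n")[-5:]
        log_line = next((line for line in tail if "parameters_snapshot" in line), "")
        tokens = log_line.split()
        if len(tokens) < 2:
            raise ValueError("parameters_snapshot path not found in the cado-nfs output")
        return tokens[-2]

    def call_cado_dlp_final(parameters_snapshot, y):
        """
        Executes the CADO-NFS tool with the given parameters and target value.

        Args:
            parameters_snapshot (str): The parameters snapshot to be used with the CADO-NFS tool.
            y (Union[str, int, list]): The target value(s) to be solved.
        Returns:
            str: The second last line of the CADO-NFS output.
        Example:
            result = call_cado_dlp_final("params.txt", "123456789")
            result = call_cado_dlp_final("params.txt", ["123456789", "987654321"])
        """
        print(f"[+] DLP - y")
        if isinstance(y, list):
            y_str = ",".join(str(item) for item in y)
        else:
            y_str = y
        command = " ".join(
            [
                "/root/tools/cado-nfs/cado-nfs.py",
                # The snapshot path may have been parsed from remote output,
                # so it is quoted before it reaches the remote shell.
                shlex.quote(f"{parameters_snapshot}"),
                shlex.quote(f"target={y_str}"),  # value(s) to solve for
            ]
        )
        result = run_remote(command)
        print(f"[+] DLP - y")
        print(result)
        lines = result.split("\n")
        if len(lines) < 2:
            raise ValueError("unexpected cado-nfs output: no result line")
        return lines[-2]

    if parameters_snapshot is None:
        if p_1 is None:
            p_1 = call_sage_factor()
        parameters_snapshot = call_cado_dlp_pre(p_1=p_1)
        print(f"[+] {parameters_snapshot = }")  # /tmp/cado.09rskpij/p40.parameters_snapshot.0
    result = call_cado_dlp_final(parameters_snapshot=parameters_snapshot, y=y)
    print(f"[+] Found power = {result}")
    return result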
# Modulus of the discrete-log instance (the same prime as in solution 1).
p = 83085158192945668035830892261182081607877951584711798696185940250894132426657
# A single target value; it is also the first entry of y_list.
y = 38275396840526527363691738995166987173984288723560549280651393005341714385133
# Base element. It is defined here but not passed to call_server_solve below.
g = 76007941008271543967488190561298125117466679150316512965528865400937616020618
y_list = [38275396840526527363691738995166987173984288723560549280651393005341714385133, 75372042237778670881814475896745182881276763623505482919052240206181431259232, 39152260654598149209615958930934787123546667536974568656113695676839976551569, 47627048015341786581470360863205162167676340419666134816357043552730056916589, 45241831063018648318964497176076003386652089396015387438527644939402870845082, 57389522151925577337266471029979344047989744929196521657974463501523387935288, 59476413348673369244561740782803109851689609083240350222876097473992327554819, 60662530925525577644968674716621175547462826831266003216330565898113125668234, 75468534644643809344555035733724325418098342649024580525198496245279517849088, 17585607857545645293375825279190878082679911059157539332664083331037310456329, 46682383797746925259644681014383892821157227402696169622951656493046448137285, 80640010929656720033769017011214756854203107633807192320072391230137882855743, 60006204233234591257666546297977997270317887130369327015979611041671669591600, 39019332937935647746919061128772781153066817039801439793105800763675975511951, 55617296244137387372493358384238413637829467803019750428236583713089988355684, 65709480371502827846928828513640802215300009086026220645251850792733519322258, 75585749176883966054869037774267788370742508515430845543834481979469457033987, 52882892531062445057387592429647054358126021666972528793751879150865716647446, 65857117503092766184175392330908714614089830895564862835372058369971793025916, 25395725003511318279516822095045374883988766319097741924629908025859132790923, 70649567818911770922439385766008991990574868094686786515288838838450926470299, 63449108601321394691909822574955723780562378794198986615768566788230942303939, 65246897119619863319750716165223780762188416734302449320027841788344917760682, 82792236975891624108221118077948433529214294809796455681495445023875397830692, 7468061369219930765413468935669560411955684443743958945328542853313409624207, 
41686816942687898599278030630279786040349610522773944254329952839347834588055, 23106399250461718062404285228056886555419070627039369803407391503023505273107, 53353129959992172240363028688521251072414359621122433983768803467277860580469, 50789024092013350821447170561263626559188509515251207354256526603771035569705, 21574226617446271692796192660909454597022961002188941894542058466752333152384, 21761345730049327587229727102933471954097172214516041202402675609461351091681, 41387142246805169958928663963494626136913436274433935078616826621386579374319, 77037557236590868311494743567127161447359258230598568488453473077969439463448, 55890300111045435840659626111865060084142350136272768267994881978164087942416, 10449826043898942599317227869560045718495608961685531816950955115833795946008, 616934865462577466492698480026223589433938568883509858764627414267945825404, 62978792184614284997360003315882231088064408692252539920864690649120091918193, 35069018047452300641491583523437741862101625974180692591505833407276040946330, 26434473376319991122231708248409335262726843147331060205586074406551351683992, 16904221668009840799177620503211590656748433370993591144157529839328930945454, 77454892632257130629478123649745010701969124633958043066027067539606054199060, 33049178606234345652456109654379152585592706561275350234121028320555863398580, 45957619457621193683755487257368432204430031215066030026361611361907741154232, 5538699643158301963613461480049575605858748733007505606548745851586218825547, 632373356271681210905932334950289498589402805979812028477469706456242904035, 25178461528358296467944034915719164454652714282560108808759849582848148849761, 2224438355994687522854814313949498108601357569036027814018349770319192449048, 61493038589851456784534517685201245830355335482361213822177936866105616778040, 20450297026580765753977214097764531927621409871979289328822881142084003923398, 10030189645697136656844304630476820186380531511270651947260820948062911196135, 
5675415517592546196581797122715892115468948883559575125896128186184713875622, 70627727144248893000060036804715507350935401238275961170787796124409656226458, 46095452653322796621226462615448213193097685861044456984478148794794392800960, 51174163676564159237963863580390140865104745881387508471154639780315532953322, 37710073027756387364155338651778498144571955599017112943233083085653698670394, 43819591847658848392863980177655296291369893623636956771652771886938779827909, 21817273498143616448694302621838090963767026751718399220389491659083973823032, 46407436468119034452420302085206749374983990597141949143547335524625081987297, 69865992958734416057348398728352290095878663938192568929669262626603524154560, 55154664382849146164779370990999756725691225179999669879567645394869485872490, 2619447761938578859165818930847056609177541346444410402227731398417179190457, 34828300226901915684554125703339504402366692468695721211461696289397944697366, 6324755640879653226420458783412507038109984968732843584091002987703951066647, 34010141569561204858985791286584574769092219300885363252922268573763162908821, 70476025085951067085653363959745206445720544989129461376650825661292394153935, 55037302020243462489624967699420342658243691441591583875975361737617478116346, 54955920920289582182573957260018895358919510152270300628067418480928624095655, 69353934319246949219449410008022797955371092540712387592508428792055327987921, 12486341122666307260803159468073869392119423494403903845745103004147959545495, 27175582818162225384396147032099238152329733118868210294056996647976558372844, 74891398309680288677920040378749992689476146449399662182246663172827410953820, 30323874337295658369590541680850644911619154647295827617284900016580583710045, 58416178828713501564583411810137100042757955368196829044703700383149767349289, 46772941653293848233552260787249348610509399528885214975209443311501993569673, 29707294937621657754352669644465702578543279972443776339796536951962391794538, 
24510649464448853173666747277005156731540308753324315358894043285354506650139, 31351383541948927526046074354519005171538223307734296026906224827094610828072, 13446320887940683855597841078653232425146179054141125969722188462615629329917, 11481170979385274443413150094627360577672648173617432093444758132361465428048, 80197623266474632663440408625746799742392622114810996980940728865776948492034, 49657814756449322653144803843405839630293253851814860002413408981310971582552, 60798186495443296786307662010595489882399155553891383778357009558016423796856, 50112180201848819634268612332880817505155599586108521792459656040878942143942, 54345733793383633212174046411390190203561839523094672771186583379847245705397, 10088505853976169552747044316678467671796693349003017554609606745193659679392, 20299959738465323722966174175754992048038581074378394767048608326689179579456, 77330815734616063155681888198170364877006096585820781160274778629460253721119, 57197253949376772749366466695496248773761886623225730071088219465907364135056, 7423687296380901233488261040232215834819053108316388560289303071193613438374, 12635926259081963163266556985815922488669619204527591390895257363806453326329, 62370286207598776881263352143003479376477578850522510264370842943667051170241, 78711041351678230036666336867810395645214987722936226282957889049462394100017, 78232160634642013185401015852110889607386025672043760391867420525293249692178, 67285093835036399019112646600357202926708520128732986824934053053651655062698, 37066653661898289070026820711010534064559534400853316160368026395878591260490, 33558167429046328472753668109609813401556719433721588658486790256061046035022, 25186535868128122898055706272674444088245655109105581843653583548035659440497, 30416361301938566203231694366715698383826161798811998585505238637565261532374, 17601238281814902090510644766928053349805805931066945652767719858942132014693, 65780902739972846740008208085804422605664924995718641128398716805186896182790, 
48513522507139859250577688279023158345168281226015701740527821371859958829227, 20795241930803453187062705572580207542984123889504376059033909386161751438651, 36245838235146084556815373729583984387765516130527225988939048043759621913799, 2577428231361054947472022969241390412532245121380873754420427624782684119467, 57282286728835747006755000588893772279697594779534186893686333225852555508020, 63702169160025874697682446336600844054749488150645692177594503676050535378824, 9656239312473099865887360042349815607622087997312044182700716804923872767122, 20070073999029566654110018900510742433138474512132581411657260439824402576826, 29172930737975314488777998751039668119147909521330733098044524681377616017532, 54689375481953751862494389902251171658915550892398893286873312346850242532784, 43623785600298133318478648696311461403813687730807266214502663523434770920716, 57342093546890543430347389340375852691292777183394052521436583306186075447116, 16701242154101939204171444749838957063553596122905458717057030036413908126934, 24079920324753139728718739749220193203793291180799246907813709680187965222426, 39833128525276033194108199236695095187512280415568699020321386833495040492476, 64484332262312180153596243646798041852087919318856201872669101479973918110387, 45605729443066336347087360355991322495181921006822721800415421361168805530031, 71245168865680368072675773997354428895362375617745035343578405591721316005977, 8108220280666595348091764541704858455239636825137671315373764632435897442424, 79960727970239026442535343866977345750593346409867425128213907127218737991378, 51342425712085375989797126583609554995283668443435557414299073721728622278312, 55365077252732219763756110077983179943728479451413568742254826473979759077737, 29642780502249667927537608265470617637310076070312210890196385602885000831481, 67476409960031115555282492465754656614390496414130479511761728307389463045964, 39006302380250013995648733193362162923124972309877188654311623450395610304031, 
22648553834601979964630666197779207455551917897566603966396873058356300687048, 51792658406270709871507529479571124049131067564275210484773234623854746329061, 57106465587879729069581622740560353688892026222056493603266631741845237457770, 31954326676585144855748485353861437255048026447863913314330365030999277746719, 80189719986462913011168756167123394843370004889504577748852299249393823671135, 47427869143534277307534025270700496427358364088388259654783559809236127199744, 79175642240400958099243705762199809858914960828211226699296967517183541098987, 26866224285291046919215799083795305829896220501339688743536036239920765499379, 60540019220688973884160451965177208608006015423184813870101348806260801377903, 20855898243876799457340475001536559098519275521461030104072152516473119471290, 23564759496325014161145458675282116916983087053285851606397414974555465296430, 6096695554752074258000914469534015651382130480286127328036968859882415328615, 9959293155520543588747946097751742755623124508804509200274424594723069277778, 67717619356063091636114615972214851242128981892768214296903988967786399234939, 30551614302383032587507129680730749610426139167277400836349158240220049359548, 33030229546645528226760934520139066675061038296357973539796788741232275177230, 3020063198929190441516046065402409187188044224595404680902197807116126582635, 60485069605641006125093164961174495065842334948682119844857767963530230342991, 55569033987161374097129667294970163302773417478326219356140833343603211590836, 5153987588994694689085205309955694974578703771090573993631940055587514230933, 73346870579441225742410779203249167341808673567372579966190594122619762082280, 75429046793876436675903033372541326774901210614791188890319027524471988483306, 42970061829531360473148874025272851224661938135284452607349143015195106206611, 5829634360923160713226621079291261626296741256224726440395739442465834338054, 5342034110866644635334127931647675374680943036422197818756505018310162300271, 
499037633183763226979840397639726420583973783910518901314017507772470999899, 48268626349787770873300581553742161933701330572943941297349074094909813505932, 73100875984061398088701553595447425299388559033526464566273442458631629210707, 37809407741218364966958806111277680974568978529004666562988031023430130499727, 35769796525752806587036395815567644011720530429052035819489918250816319496754, 42717088604683114594448482376703694710187535688210380606294801228408172288378, 20029322906941898604689119097963689093015155241406853343932924698575558527423, 45742235432487199746661030943164227631429642224832677508197786179416996148366, 53441617521115304644486393643377692432099195641856764650595027444608016479803, 31030717289268908404004886994184883110138681872490303445234127787678414274789, 10642549330575231895360956728209219109838044025208330041288080033322392878452, 33910852895308927879133952568242720550121582555338117670684206773232917483869, 31905283229865688825770460337429987291814712810306069786844012903504884882859, 65973012024911579344257548212400010709380887573186592292956112052864704180908, 65372850635617916960398640519671077533953145267196702382333250534611663319564, 51189686364589559029647825088411592199177160991253666630251358618775833232304, 31430342442912743358296871359046362690016644149328867632716352223626093723268, 76265225388425495167546061311437348955272057163611631503260119479931239314084, 30026521036660510270811495879011180809773339038598800469767248658889549952355, 65970927782209468792021783571273418345199521368434948798192894312033954294976, 24960472242842510874823416578096221429594082299252262118563968460413025589249, 3753002972015212273504997053346818391058013417905552763931665542720826584638, 3806588985231391873123170428382074546968060982568974890846898492172836564626, 9196246891188917897927386393760314875280795254024350139359871298217398927196, 32071787164620407966678644065504999656364903009859707696234828186993606981399, 
71675127517324260378303867760147665633088050495135623813778374570564315957416, 5328429009082981248318117310432714847360536027694951484492076480367682843197, 4496659673175231764507867462596402285237569231602019241531596849341647257531, 51893356943083934986427718269435289301841150234275125987872167276358067600913, 36653693556867119175549860641404628753472192105071295118643635103512310352953, 18767408878345769751783156982979346976897625669396081060647455059095622242683, 61940576955235802714241814053419908170381240095466178980639238018645468799884, 68024664987113849139777488376041634977378450073179188892430355987561052086811, 32511652439311451040609109567344732108104038901833309856250812806845391954672, 14290573112832022032319834227847672750299486810808420140798078357991356045270, 73430084280145264536503438519188849949628267810357244718129198748763219186703, 42047569251222969994092735239854126084275657952690803474138395571541434839002, 56098874603872763670209833003600508163910151794444486535084731212208280983380, 58277079241109289633157453957567636392651875554852408566796557658084488050284, 29165537887133312454428501872915693025386224622855763630799762461301831304159, 74221927979620366822899107293963005970651180959620750078370535414651784779030, 23440296654621021041304010998852804901122444171310186048771924664651572712455, 25327689177348778658534224816959103466015458782594764861992510739163763103160, 49731937714991891510579449385239729557557665105847785852519108604463392640047, 4408362327518145004952729011985907444948217344994848557910981892911347014810, 18910920083229026889963332824726594025788942715975991577537759979299704920065, 26965079788460744729521834264078157780634524477616706388393540629657060078084, 71729644735759885943026337210533222557648601412782237957528496187885494670536, 21049708666725055720660797006934999771721190195287951421054370768297669869034, 13383792428488329189146638063398764632612881695756062808794481177776199766338, 
60731145925627841199256788059830686658641768438844462890979449621668792169992, 72998828679556340518988091920096606253814957613434731815101971406809734941890, 24164876926647309166783478889372365380799633500398837868999594318527250101775, 73626166839671490575569395054202517268020781409003383089570426061279652876064, 2032568988874355349979839008320200957514113186265325317959193087036855550185, 69287556407759020746055789076803414366350405434648341649035703947183327354796, 65100371597147552478714509199742768418142433621541498686606771599158802614661, 61043371840247218774750199370084864147559625839194753245074739581009937258076, 49894497641652569996286399811646216785645260394794791764856740392070722720239, 74590574158467101198559222460091525712449081567398042413465752122023536600911, 51018508249298045961776166453176998596756652662046572681862010729161298089252, 53707039995297888460608717390492638586863790377944856425276435502416372590406, 24216757324717489549829077825955698305403403801997903777773434090316662410109, 68199245929435678585268515094403986354530591983730938650333707481782884939710, 13181973540880959427566946899967013189481602134060731420679179712853484160520, 42982440290664339906377791743432847278883344526850936507933396182430699956217, 58054668068362885553393850291772206319211093158661272969611189304526667129071, 75850419626127835560449108413061932440697071098829381287735353087289576472918, 65628848364994264192928086464337670578842631585438421093978489225991563546932, 6077104255973510873595844012585678913743650592153965145174995654167700582022, 45214074982513336633491985369804945015528514730172172947762506893586623439882, 42439117508818859401741947689723148048564950861513553926275387481640840995669, 75230698983164117240816222927881004232959959317050964345112646129350716251061, 39499768701181193983528336218239875866966366235708147978798741531710791323736, 69581461111249177827424657934122883281548377742627129162579092572057506348646, 
40369021557842650834828855657493439284017399937735536189168970693608947375477, 71196755136437138422489067672606522393507412988975625464628461403498263599643, 44159614562108131179656228594240236479142450714621134086071144444752915149535, 13822360374796266701286012983733589375673779900341516025481325244084169193345, 48400242280065146780163307573950905337202909941681298388617477999555411187023, 25419274077883823926734522104994486169496841905673017941869825845690309348176]
# Stopping this script does not stop the task on the remote server; if that
# matters, kill the task manually on the server.
call_server_solve(p=p, y=y)
# 如果你已经本地 factor, Example:
# p_1=168186319382284594212168148575721713247686155578894826885804432209
# call_server_solve(p=p, y=y, p_1=p_1)
# 如果你已经计算过一次 DLP, 则填入参数 PATH, Example:
# parameters_snapshot 在程序 log, 执行本 Exploit 也会输出当次运行的 log
# parameters_snapshot = '/tmp/cado.rwb77l2z/p75.parameters_snapshot.1'
# call_server_solve(p=p, y=y_list, parameters_snapshot=parameters_snapshot, p_1=p_1)
# output
# [+] Found power = 86331857607825639715178184533715675532469109413820225385621882413,166368848130354833842690912110185858674932332114737185604483135157,154615793665758322511433697481418872424403317317534641077024646966,161066977350218030458820583998309487368515276930719651806971003336,14268034257448557274330114739116205611059052742507614264987907101,160572806423582733116685672719113608131073805047846032788095660926,38712507713273172292390142046586952957875886053853974573707834117,120759830770239282654879518969403712292477108864229243464404388019,62201814322511155840938222261234301038208394279580350536809009074,128437763242696985395373796125761781769701597077762319833471554396,119291690104247094181454335629522928431333221443771046615343157723,29913159699215472819550103318735503240760628407036878378200211998,43691579543144745210882661196524393423876447430273262935058338405,115351608700426111580824288390517535675019723051333094709687455667,34877832189547547715796332493779722143466389946472869150707158527,138218052914547298693501580910471064351386470003695520453696638488,2364120759800594106560448160660938108612037569239806035976446747,140767225369375443012430347519707457331769025640627581849813222033,87771637242785726623956020663592816000846370757773753436573016303,165775920546560305530491229314401569890679144068142236301911809602,21547579585863238666090727828028053068312283690512913980768631712,109839151057927630207152642113570011616672078439656696078263909097,137034681930333918007827724369050597248466052207526193083044873333,21535842458958267145217687581265956889641225068049347943149764702,72070265317335912820518748595970522352532487281488596124410839197,142740514834235272836784562033252393122999062411957438041898376202,118584064736396376439356769186809850977120911243319589524067217033,82635338849831188922823395555623560083470119637124916166880325769,149189046036978217001266789337618116966974730205473200063783542410,655511460395518901639531483519554011878039244993882
70502740360472,46757401731122680785373726425745242964079185072216435222669725115,79833482578456058888794723446524973051407374136980533696617768257,95624850614466391884635715667152498785800064460587850268812244873,62948647933128882302964448302955411396796454458519163287995454290,30744387575994050669318378170192050082603709652089271469684155319,165358163338814207098682547327388660402609718328654848060326569021,45239981781261047026879058559455091973140408095036386069398439370,94875010325929812731247389435281133050901488925831490588268334026,139063656886479923753253362392659421379029651581581402959122011675,71245945179698769520982664419493267431184709064701340147112349736,33355546041965465436426170314878430061047503061911800497587674089,41962200096242723544188624160781811192346562245655421290616962566,30764406712120847689877404984886993442082731404972478520435337368,97510538813489901311353503407203865912315576781190655148069858429,162299817501697718088236271652155228363448790503393005697137759599,81390590246568765860746668048172682213049951582241954553450859573,57058415821107914471898473572358173473643686188463561605997922285,50158677745603190357304727763808101421302559285106024994692595551,98445559228736748182666399669483385060744395888120950484127015222,142202717809689876554866973699332884856215481266784008285798383613,9181273747982447394391434926907125203278733480060203077717425174,159843689726514628698889530971731918815563207519321435510132464639,133932694070078645540179205251270616817736274121472183201822221029,79643484954561777933184802500452822300898744288047783034675923030,78454363808582718767147716077268141751387576200848593852898152081,37162772211560017449783948824930875749270388787384839215122610503,79714188313706084816843194923533378670762848475454665993657486,123616481752449815048404302516318137736949446487595501448946175699,53220521101774653819774564324814949360589482596746148710913414413,72448345797213189919001570704358579164076923228773635332006194969,14
7357276403353460026888887114351179181944687423395259517138425576,15387165994798347117353751391861303977789821316741103168693678441,69365679388136146806882672063081248539904031253712232284606841228,25316343998575618644683114050019269787473907521883903971535232852,118589111999609149674458501552704865977572102140862699610085435073,128619031126655879856695180366580435112013362315456664586963969707,147776546073333755522112357025895490994837837608341987950506776682,86734445087164599332109014774993758785166103912572199069699945511,128711127629329650077557132477399262542020620984781101986110687950,128127864184730149976114811240197503829531716237935981890085778810,117098819744741707050573164782209594221279023793693248457347369588,154054330428031541801789663727065307552672969990106693100003316851,31595384902890076259533184027426399342045299508557406312489909196,81057199794102491662069971323309013068397646401189395414100032206,21876387704189883475652202928245523052606617205886111624037801384,2092599255272600523086316064556687934525712224375604124107408010,123826856570598977785472717511079583902218593402699116364998719529,13359319679448743784480737719762281582174341693469510112149870022,140987468747970727923723805527950783079150749223466537452084893228,98802761570141750225090665084702998969214969510278603458024657300,40775904065577999186489567653288792564210312152472399623005858011,115226787207775826362599030157771600472644866529712832295005691030,146254874214296081617578192184095727651228553471421210733587024756,148907246739758866262010561920465076874257413739354854182912930481,25170057922303133169638305654514132949063817428834562579833797480,140293366795426504741800035529360048997475465705893117532246401983,160506606685803262676706006884456097206489688438883323358896786195,13526126395158501502291921572839720684427625691754774627432992173,154255095210515652559113941035442654869695949868736712074431268266,34665313101281947899881873884399556878863791656838748130226538678,5432002
9498842032681989629181512794261248123437660249588681101013,126924411684805721953841847825096703205045432006811843862349392061,134208837347204149141791456071717617325428446299224256988200986292,69102410673356931289913838461740785294563550245971370207116096579,21336527419493833697696472751197849514209976288289584598875230418,35830212905863316017849664614322534720140932468612105100018747746,64585109756656013527861207547712909612752485814433730580082434274,399169319822618058152924962810014289316289463788164434379677835,48526193969907068361908249684166225455702714392602341014035494750,94533033578985588150592620368181494311449540244557799615767405306,98319184816310908827205790630096849503388077946337153424005131614,76934306582146110610516211026391694344506586956417682906507688014,34385218945067053522375970300714018465543518973966333211161864665,134696939815660932615340769422829416660788376169988905370671704768,94433494699166578092280389524873536655721734401094306725559646270,122854734570362863294258771594232916662006313061999329400047753853,159825910987586898735501857796927445726596879195832389300792542590,8698945240217121050809725981345622870130489035915698030881596102,104674097520392445561065532890578216928318485246537866107106421837,29577701263512905997388570779178796711625122036529985371297778254,20724995327827329056425900157709017390157944585459853148984564466,67714385874090355448822824675084778467679208471369757816795278642,37253534074925172550506681870356258215750452338557007743708258988,125483513592632362295616176342195022475756132113765988089234100550,162458121483052776914585658810399454533189660920627897682129470350,161603833153622319576147879329761495315328207477698307623306031924,92026325172421070159227415591206260167608446295134676469875995593,80962459274187310957198698870921776896321092461635985113679058394,30852206403008886183966641576704776943233327637520990871292174417,133014754081612674627138849111405662402365955935747149933785547093,94630959370973574459
894285432516975248566249078195223594697438716,51683216548142050680465942741075643632065014049712010311684206465,19934033884865902605057922687684722049465123212752919408331613970,69490913549134691300358907923777817648681828677505531801786550220,109010354297587382974288648061379665696229940241033027167463290069,63812065378188203253554738122738478984152821089618983201244650249,92492376827312535226347427002455123617590922592999785314786021987,152484222754529204168606968742073658587112343609708090170409984186,10030621311402494837219230708826340458381218884750742557103152801,80231387659299917828346062523745890221143782204439920571819153045,76624866716096923964308849027336752476605421726245750259781250269,138417640413468537837916382873666232176086807660395253504321451532,97364227081761559840944838654139656798207716934161088538580833501,128607767703387869529920321989616073587608247992395261220300420807,18318566829020661930682951051712541270281183084940898277195060192,77606747946649264467024700353460240387881889745190868524876164450,45996290487352028989103203335129739414558956572417429378817244167,64418601124738966937542920330636354583368772569909819370112540063,105112898282225159896409355034977176629095717174270691639098622981,48737965708076240055639072995919214162971793553244905450149314379,35922270653196208488751367653082975391876971419998540234074955410,101318130395823407400586998125352796086909976578587808238421315492,9688392868125424104950320247471735374361734941486375517573385976,126209349540291075106667331065440007580365127613422871025383725119,66499564529549606630971049727727452970322141309453487132344601947,110443152609633525348863933269578990756104562766277372937128531378,161981480033906679235688103291767398370137190427278534118887720969,104764244477768150722187286080953612669552207162878684203583813987,60274563692063399049442370438563498265820160281413442315645301843,115217891623364079597127225274548781810437685167575434164626964161,328603073310529892597141146074
40922008357949164233560521665805458,5835904337259196971825874494688096692749537680353656836315294417,10972276003821655303793613452621313136525072672064489492036653798,65151435075854173237459498217742822924996626178964286433081304252,38858660205800466102762553759556747159633142861566560018201532405,157544488393375545286757837481603664366614081023069196188076619250,119150685724432280954435625259554122361862278159416583273734337030,33366176149893855497723685302988536126892128210452867587883040656,14298701327596369950893329358618749266547855931937703669414517416,119698348443992582129340903793056460568509746122132647697191638428,67949355859740795615253920847018266305758024991192338280096807666,64544506580591070448460448142105248801368646188065947519356404319,23703683560943198861991981706714155104647300547890901049206297088,86330095833164179778636529873395567999811019861384167543864555852,86107786318936180268857455364226275922028618149063730661759243280,48843923976370580283751221126597696421777263484797878919361785925,151398150468686736960166753283940625334573036781561617963966303341,74110235952290771493546134810681867250628994450012712265688659063,50383068346699152195787255570972476915532060881539727681319169236,106029725460112448758103471439455413371558828496719837624938579401,49093994528971289507921040334117232915296577334796476380215908948,100758720539333891728759803570329252955878517948399583863849092806,61280902530025952770875881277336033655890815675708352139230836997,27979895874949481340862469176157435234873329693132269456678901739,2483419441821497900516807796777589164767375758289791002440450802,110407548826932897160095715793344246559001467824254600386935276719,98952456816581728051315015887299834761012351335710695827665349715,102007668243768631144020895258786883683790773933781247649167567383,101422363197456544178047857104024050784104004874275719608679727705,78491906286548373247186478251802376312859786027375114808374567540,1460789842152160737319148105509754038991573
67421401115655387497360,48630588000828444681686390063311619234668711115756094321177414722,142935294152109996749168662358877270399052779808825343197118718335,24420403258599625193870123612079737920845337422391089397287790926,114381246809032849339182111854777004321445405109280971032651835462,33729285916961709269614696176574770032606923447438089346942472287,23366365079124527380444804673147998195864347181123316327153570383,148248513101997009716794591691226727118433130671422816233316201386,98574701060867408359622629026480913239557205693807384112534452861,68717129481034206524309974919837791320911640676753507835228616103,50497006697940334923629910379892695837554544224778616317508027609,158335573945215957833062696224647341007091376271815032025066894304,161219709735565272188932488737423519127681218494247335420179064487,83203256569716453272029344917596159648984908630197523765236568090,31022047968464375018126409147930644012577170670042689201645724408,10023782101182159077850708167288905319058233510046483839458925119,87349139311096413302361987380141402394667038681182683047844261719,14277986262645134089001457992581334095418584703514271775322133562,105173125964240376994170815994017734766803897809829941524779665893,75839897954653133069197927340109916039509605855124327802655243599,102902386543101143198897505952391616349042065100492462408306670316,114929529518407730907936876689419455785932729025002007016768175060,67790490555206401086581683138487055915978801853166894313726543993,38638701718759837749140929398309963541374249565578944435857404169,32671628464791289108279420728881656656599163161463016925924292046,79880848376919088936696743958994928606242117087097169533467349545,83847084186068034339330750253406312510421586167838414174755384454,134631181637120535833347703569521539126498037749946059000298161934,135399468943433278129381981554437527935255041345091435736275549686,31372781292423447358808366479527945136094945713711724743091065852,2315242236385017149839090819470389261339530361056188
9243840650978,87994884291172685883443181147619237521266375470594114223388774071,78768869251327777432253994032864729237539659035508692807063794556,120801934760468198986644685163366240170579581622430842649859514158,154592056748316936456631763241584353379942806790065585407074699634,13189123652729886357602856913300182047043927308569190749878308001,120011907691593770138796146832936862451891390052221446407390845464,48191258523704609585916110708178545461706472999202344673250452546,31088814188752737633857970519021877619841632489190748121560567262,3992609357239502118165211274917450663171723713795447471889658964,47974910464536185349457477709699794449172283580944761446181242969,87137969643716630737906517968536152504289186702412077664106852204,151859771244720896133466595371934574351099951093022504535584544494,146964349902215088266586447736828929343555883402522593231337539012,159017933372273513903970232108116008071322515063498279141076989370,43535291627026084969896515012128411557797271702966233710958433240,34859293592647882896733560102971536108663030018154438915245998612,3010123452121833909185460086507695089310761874330739365810680198,124753012594914483276934796155679098268353560795346037610080202903,91628524281942402170893249971822323268295999751168805598934632405,25632198210697718332839724588663192643969935161059000052687125362
# 读入结果
# https://tover.xyz/p/DLP-Knapsack-notKnapsack/#Cado-nfs%E4%B8%8EDLP
"""
with open('/tmp/cado.xxxxxxxx/pxx.logquery', 'r') as f:
query = f.read().split('\n')[:-1]
query = [[int(qi) for qi in q.split(' ')] for q in query]
logs = {}
for q in query:
logs[q[0]] = q[1]
"""
本题可复用的部分已经写完, 剩下的不想写了
La Casa de Papel
题目
import hashlib
import base64
import pyfiglet
def secret():
    """Return the placeholder that stands in for the server's secret.

    The real value is redacted in the published challenge source; the
    trailing comment still discloses its length.
    """
    redacted = "XXXXXXXXXXXXXXXXXXXXX"  # Length = 21
    return redacted
def md5(secret, msg):
    """Return the base64 text of the hex MD5 digest of ``secret + msg``.

    Args:
        secret: key bytes, concatenated in front of the message.
        msg: message bytes.

    Returns:
        ``str``: base64 encoding of the ASCII hex digest.

    NOTE(review): this is a secret-prefix MD5, not an HMAC, although the
    prompts in fool_alice call it one. A Merkle-Damgard hash keyed this way
    is open to length extension; a keyed tag should come from ``hmac.new``.
    """
    hex_digest = hashlib.md5(secret + msg).hexdigest()
    wrapped = base64.b64encode(hex_digest.encode())
    return wrapped.decode()
def menu(secret):
    """Run the interactive menu until the user picks option 4.

    Args:
        secret: key bytes passed to the practice and authentication options.

    NOTE(review): options 1 and 2 receive the same key, so option 1 will tag
    any message, including one that option 2 later accepts.
    """
    # Lambdas keep the handler lookup at call time, as the original chain did.
    handlers = {
        '1': lambda: practice_convo(secret),
        '2': lambda: fool_alice(secret),
        '3': lambda: crack_the_vault(),
    }
    while True:
        print("\n1. Practice Convo")
        print("2. Let's Fool Alice!")
        print("3. Crack the Vault")
        print("4. Exit")
        choice = input("Choose an option: ")
        if choice == '4':
            print("Exiting...")
            break
        handler = handlers.get(choice)
        if handler is None:
            print("Invalid choice. Please try again.")
            continue
        handler()
def practice_convo(secret):
    """Prompt for a message and print its keyed MD5 tag.

    Args:
        secret: key bytes forwarded to md5().

    NOTE(review): the output is a tag, not ciphertext, despite the wording of
    the message. Nothing restricts the input, so this acts as a tagging
    oracle under the same key that fool_alice verifies with.
    """
    raw = input("Send a message: ").encode('latin-1')
    tag = md5(secret, raw)
    print(f"Here is your encrypted message: {tag}")
def fool_alice(secret):
    """Check a (name, tag) pair and print secret.txt when it verifies.

    Args:
        secret: key bytes forwarded to md5().

    The name passes when it merely contains b"Bob", and the tag passes when
    it equals the hex digest that md5() wraps in base64.
    """
    print("\nBot: Okay, let's see if you're the real deal. What's your name?")
    # The unicode_escape round trip turns typed backslash escapes into raw
    # bytes, so the name is not limited to printable characters.
    typed_name = input("Your name: ").encode('latin-1')
    user_name = typed_name.decode('unicode_escape').encode('latin-1')
    print("\nBot: Please provide your HMAC")
    user_hmac = input("Your HMAC: ").encode('latin-1')

    # Substring test, not equality: any name that contains "Bob" passes.
    if b"Bob" not in user_name:
        print("\nAlice: IMPOSTERRRR")
        return

    expected = base64.b64decode(md5(secret, user_name))
    # NOTE(review): "==" on secrets is not constant-time;
    # hmac.compare_digest is the usual replacement.
    if user_hmac != expected:
        print("\nAlice: LIARRRRRRR!!")
        return

    print("\nAlice: Oh hey Bob! Here is the vault code you wanted:")
    with open('secret.txt', 'r') as file:
        secret_content = file.read()
    print(secret_content)
def crack_the_vault():
    """Ask for the vault password and print the flag when it matches.

    The expected password is the stripped content of secret.txt, the same
    file that fool_alice prints after a successful check.
    """
    print("\nVault Person: Enter password")
    attempt = input("Password: ")
    with open('secret.txt', 'r') as file:
        expected = file.read().strip()

    if attempt != expected:
        print("Incorrect password!")
        return

    with open('flag.txt', 'r') as flag_file:
        flag_content = flag_file.read().strip()
    print(f"\nVault Unlocked! The flag is: {flag_content}")
if __name__ == "__main__":
    # Banner first, then the menu loop. The key is derived once at startup
    # and shared by every menu option.
    print(pyfiglet.figlet_format("La Casa de Papel"))
    menu(secret().encode())
Solution
from pwn import *
import base64
def f():
    """Discard server output up to and including the menu's "Exit" line.

    Reads from the module-level connection ``r``.
    """
    while b"Exit" not in r.recvline(keepends=True):
        pass
# Root cause this script demonstrates: the service's practice option tags
# arbitrary messages with the same key and construction that the
# authentication option verifies. A separate key or domain-separated input
# for the practice option would break this replay.
r = remote("la-casa-de-papel.chals.nitectf2024.live", 1337, ssl=True)
f()
# Option 1: ask the practice option for the tag of the name "Bob".
r.recvuntil(b"Choose an option: ")
r.sendline(b"1")
r.recvuntil(b"Send a message: ")
r.sendline(b"Bob")
# Skip the 32-character "Here is your encrypted message: " prefix and undo
# the base64 layer; what remains is the hex digest fool_alice compares with.
my_hash = base64.b64decode(r.recvline(keepends=True).strip()[32:])
f()
# Option 2: present the same name together with the tag obtained above.
r.recvuntil(b"Choose an option: ")
r.sendline(b"2")
r.recvline(keepends=True)
r.recvuntil(b"Your name: ")
r.sendline(b"Bob")
r.recvline(keepends=True)
r.recvuntil(b"Your HMAC:")
r.sendline(my_hash)
r.recvline(keepends=True)
r.recvline(keepends=True)
# The line after Alice's greeting is the content of secret.txt.
secret = r.recvline(keepends=True).strip()
f()
# Option 3: the vault password is that same secret.txt content.
r.recvuntil(b"Choose an option: ")
r.sendline(b"3")
r.recvline(keepends=True)
r.recvuntil(b"Password: ")
r.sendline(secret)
r.recvline(keepends=True)
print(r.recvline(keepends=True))
Misc
und3rC0VEr
任务是找到 admin 用户的登录密码。题目贴心地给出了如何装载虚拟机,但实际上根本没用到。
用DiskGenius装载 router-disk1.vmdk
发现似乎打不开,用 DiskGenius 恢复数据
一个个文件找,可以在分区二中找到一个 ovf-env.xml,其内容如下:
从中可以找到登录密码为 pwn_m3_d4ddy,所以 flag 就是 nite{pwn_m3_d4ddy}
Artificial Intelligence
Mumbo Dumbo
跑个 PoW 之后连接上靶机,然后让它写一段用于使用 Base64 编码 flag 的 Python 代码就可以搞到 flag 了