HTB-BusinessCTF2024: Crypto Bloom Bloom

keygen.py

from random import randint, shuffle
from Crypto.Util.number import getPrime
from hashlib import sha256

class BBS:
    def __init__(self, bits, length):
        self.bits = bits
        self.out_length = length

    def reset_params(self):
        self.state = randint(2, 2 ** self.bits - 2)
        self.m = getPrime(self.bits // 2) * getPrime(self.bits // 2) * randint(1, 2)

    def extract_bit(self):
        self.state = pow(self.state, 2, self.m)
        return str(self.state % 2)

    def gen_output(self):
        self.reset_params()
        out = ''
        for _ in range(self.out_length):
            out += self.extract_bit()
        return out

    def keygen(self):
        out = self.gen_output()
        print(f'OUT    {out}')
        key = sha256(out.encode()).digest()
        print(f'KEY    {key.hex()}')
        return key

encryptor = BBS(512, 256)

keys = []
for i in range(10):
    print(f'------{i}-------')
    keys.append(encryptor.keygen())

step1.py

from Crypto.Cipher import AES
import binascii

#keys values
keys = ["bd93b4a63868f8c6028d3fa30bdb4f2c15b96e2ec6ac85acfa7bac4b40c4c683","67f022195ee405142968ca1b53ae2513a8bab0404d70577785316fa95218e8ba"]

def decrypt(msg,key,iv):
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(msg)
    return plaintext

with open("output.txt","r") as f:
    lines = f.readlines()

next_step = ""
hold_array = eval(lines[0])
for arr in hold_array:
    stop = False
    for i in range(10):
        iv = arr[i][0]
        cipher= arr[i][1]
        for k in keys:
            output = decrypt(binascii.unhexlify(cipher),bytearray.fromhex(k),bytearray.fromhex(iv))
            try:
                test = output[0:10].decode() #check for UTF-8 text
                print(f'OUTPUT: {output}\n')
                stop = True
                break
            except:
                pass
        if stop:
            break

step2.py

from lagrange import lagrange

Instructions = '''
Welcome! If you see this you have successfully decrypted the first message. To get the symmetric key that decrypts the flag you need to do the following:

1. Collect all 5 shares from these messages
2. Use them to interpolate the polynomial in a finite field that will be revealed in another message
3. Convert the constant term of the polynomial to bytes and use it to decrypt the flag. Here is your first share!
'''

Share1 = (1, 27006418753792019267647881709336369603809025474153761185424552629526746515909)
Share2 = (2, 76590454267924193303526931251420387908730989759486987968207839464816350274449)
Share3 = (3, 67564500698667187837224046797217120599664632018519685208508601443605280795068)
Share4 = (4, 57120102994643471094254225269948720992016639286627873340589938545214763610538)
Share5 = (5, 87036956450994410488989322365773556006053008613964544744444104769020810012336)

#GF(88061271168532822384517279587784001104302157326759940683992330399098283633319)

gf = 88061271168532822384517279587784001104302157326759940683992330399098283633319
data = {'required_shares':2,'prime_mod':gf, 'shares':[Share1,Share2,Share3,Share4,Share5]}

print(hex(lagrange([Share1,Share2,Share3,Share4,Share5], gf)))

step3.py

from Crypto.Cipher import AES

def decrypt(msg,key):
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(msg)
    return plaintext

cipher = "00cc03bebb6756fded9a55e772b665d3f98004163904713b83c0bfed06558e9ce57d1d50409179741b09d5f059d668d5fd7775892e403357200c5c516125cb53451f52d34f08e4e2885588c046360bfc44c84a3a4da194484d2ca414ba01e698221936ea8e372b6a3bf4af1c85a99e54df52b58d6a7a0add3752e88fa928c15d"
key = "315f346d5f793075725f6b33795f74305f6733745f7468335f666c3467313233"

print(f'OUTPUT {decrypt(bytearray.fromhex(cipher),bytearray.fromhex(key))}')