forked from RaaCT0R/CTF-Challenges
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexploit.sage
44 lines (33 loc) · 1.65 KB
/
exploit.sage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from Crypto.Cipher import AES
MULT = 10**11
kb1, ic1 = 4570202134012687580005071129200476945625821613980, 31020634442404276336820538929941614215700357571144
kb2, ic2 = 5522173316860240978089416307407870842335915227900, 34788496561380896247486644841834767173970270575362
kb3, ic3 = 1478296679338551790545930016006966717759069509840, 34024000394165154334507454055942629110169490484699
'''
x, y = var('x y')
b1, b2, b3 = kb1-x, kb2-x, kb3-x
c1, c2, c3 = ic1-y, ic2-y, ic3-y
eq1 = b3^2 + c3^2 == b1^2 + c1^2
eq2 = b3^2 + c3^2 == b2^2 + c2^2
x,y = solve([eq1,eq2],x,y)[0]
'''
b1, b2, b3, c1, c2, c3 = var('b1 b2 b3 c1 c2 c3')
eq1 = b1-b2==kb1-kb2
eq2 = b3-b2==kb3-kb2
eq3 = c1-c2==ic1-ic2
eq4 = c3-c2==ic3-ic2
eq5 = b1^2+c1^2==b2^2+c2^2
eq6 = b1^2+c1^2==b3^2+c3^2
b1, b2, b3, c1, c2, c3 = solve([eq1, eq2, eq3, eq4, eq5, eq6], b1, b2, b3, c1, c2, c3)[0]
print('[+] keynum with b1: {0}'.format(hex(int(kb1 / MULT - int(b1.right_hand_side() / MULT)))))
print('[+] keynum with b2: {0}'.format(hex(int(kb2 / MULT - int(b2.right_hand_side() / MULT)))))
print('[+] ivnum with c1: {0}'.format(hex(int(ic1 / MULT - int(c1.right_hand_side() / MULT)))))
print('[+] ivnum with c2: {0}'.format(hex(int(ic2 / MULT - int(c2.right_hand_side() / MULT)))))
keynum = int(kb1 / MULT - int(b1.right_hand_side() / MULT))
ivnum = int(ic1 / MULT - int(c1.right_hand_side() / MULT))
cipher_text = bytes.fromhex('838371cd89ad72662eea41f79cb481c9bb5d6fa33a6808ce954441a2990261decadf3c62221d4df514841e18c0b47a76')
key = int.to_bytes(keynum, 16, "big")
iv = int.to_bytes(ivnum, 16, "big")
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
enc = cipher.decrypt(cipher_text)
print ('[+] Plaintext: {0}'.format(enc))