All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
Raptor Weekly 2 - ECHELON Crypto 2 - 3.2 ; FREQUENCY
Recognizing a GCM nonce reuse vulnerability across two calibration reports, cancelling the keystream by XORing the ciphertexts, and recovering the anomaly report plaintext using a legacy diagnostic endpoint left running after decommission.
Raptor Weekly 2 - ECHELON Crypto 3 - 5.1 ; ECHELON
Assembling three named artifacts recovered across five prior challenges (a signing key exfiltrated in four fragments, a C2 handshake key, and a certificate-derived access key), then computing their HMAC-SHA256 combination to authenticate to the CODEWORD tier.
Raptor Weekly 2 - ECHELON Crypto 1 - 2.2 ; DEAD DROP
Extracting an RC4 key hidden in a request ID header from the Tier 2 network capture and using it to decrypt an intercepted message that reveals the second half of a JWT signing secret.
DEADROP Crypto 6 - CIPHER7
Four-stage cryptographic chain: repair a corrupted Reed-Solomon encoded key file, solve the discrete logarithm problem on a backdoored elliptic curve with smooth group order via Pohlig-Hellman, locate a hidden nonce in a binary header, derive the AES key, and decrypt the final briefing.
DEADROP Crypto 5 - DSC-1.1
A fake internal cipher spec documents the agency's homemade DSC-1.1 block cipher, a 2-round Feistel with a trivially invertible round function. Read the spec, implement decryption, and recover the encrypted memo.
DEADROP Crypto 4 - DSA Again?
Two DSA signatures from the same key share an identical r value, a dead giveaway of nonce reuse. Recover the private key, forge a signature over the target authorization message, and submit it to the server.
DEADROP Crypto 3 - oracle_session.py
AES-CBC padding oracle attack against the agency's internal session token system. The oracle reveals one bit per query, valid or invalid PKCS#7 padding, which is enough to recover the full plaintext byte by byte.
DEADROP Crypto 2 - rsa_briefing.enc
RSA encrypted with e=3 and no padding. The message is small enough that m³ < n, so no modular reduction occurs and the ciphertext is simply the exact cube of the plaintext. Integer cube root recovers it directly.
DEADROP Crypto 1 - INTERCEPTED TRANSMISSION 774
Decrypting a Vigenère-ciphered field report by recovering the key from an acrostic hidden in the challenge description: the first letter of each sentence spells PIGEON.
WHAMazon! Crypto 6 - Manifest Collision
Exploiting XOR keystream reuse across two ciphertexts, cancelling the key, identifying newline-heavy P2 via single-byte XOR brute force, then recovering the full key via known-plaintext crib drag to extract the flag.
WHAMazon! Crypto 5 - Signature Residue
Exploiting a weak (low) DSA nonce k to brute-force the signing secret, recover the private key x, and derive the flag via SHA-256.
WHAMazon! Crypto 4 - Sticky Note Security
Identifying a human-readable AES key from challenge lore, then decrypting by recognizing that a rushed engineer reused it as the IV.
WHAMazon! Crypto 3 - Quarantine Key Dump
Reconstructing n from p and q, diagnosing OAEP padding from garbled raw-RSA output, and decrypting with PyCryptodome's PKCS1_OAEP cipher.
WHAMazon! Crypto 2 - You got the key to this room?
Reconstructing a truncated RSA private exponent via brute force over the missing 4 hex digits, then using it to decrypt a raw RSA ciphertext.
WHAMazon! Crypto 1 - Workers are Exhausted
Identifying hex-encoded XOR ciphertext and brute-forcing the single-byte key using a known-plaintext crib from the flag format.