Google CTF – Wolf Spider (Crypto 125)

Continuing on from Eucalypt Forest – can you break Message Authentication in Wolf Spider

Summary: forging signatures by exploiting CBC padding oracle and hash length extenstion

Continue reading

PlaidCTF 2016 – sexec (Crypto 300)

If you need to securely grant execution privileges, what better way to do it than sexec?

This is running on


Summary: attacking a small instance of Ring-LWE based cryptosystem with Babai’s Nearest Vector algorithm.

Continue reading

PlaidCTF 2016 – Radioactive (Crypto 275)

We just got this fancy new cryptographic device and it seems to work great… for the most part. But sometimes the values it gives me are wrong. Maybe you could take a look for me.


Summary: fault attack on RSA signature (not RSA-CRT)

Continue reading

0CTF 2016 Quals – Equation (Crypto 2 pts)

Here is a RSA private key with its upper part masked. Can your recover the private key and decrypt the file?

Summary: recovering RSA key from part of the private key.


Continue reading

0CTF 2016 Quals – RSA? (Crypto 2 pts)

It seems easy, right?
Tip: openssl rsautl -encrypt -in FLAG -inkey public.pem -pubin -out flag.enc

Summary: factoring 300-bit modulus into 3 primes, extracting cube roots.

Continue reading

Boston Key Party CTF 2016 – Feistel (Crypto 5pts)

feistel – 5 – 15 solves : crypto: I just made a brand new cipher! Can you recover the key?

Summary: slide with a twist attack

Continue reading

Boston Key Party CTF 2016 – GCM (Crypto 9pts)

[8] : gsilvis counting magic – 9 – 4 solves : crypto: Here’s a verification/decryption server: . Get the GCM MAC key (the thing the server prints out on startup). We’ve given you one valid ciphertext to get you started. It has iv: [102 97 110 116 97 115 116 105 99 32 105 118] and tag: [119 179]

Summary: breaking AES-GCM with 2-byte tag

Continue reading

Boston Key Party CTF 2016 – HMAC-CRC (Crypto 5pts)

[3] : hmac_crc – 5 – 36 solves : crypto: We’re trying a new mac here at BKP—HMAC-CRC. The hmac (with our key) of “zupe zecret” is ‘0xa57d43a032feb286’. What’s the hmac of “BKPCTF”?

Summary: breaking HMAC-CRC (again)

Continue reading

MMA CTF 2015 – Motto Mijikai Address (Crypto/Web 100+300)

Login as admin and get the flag1.

Summary: breaking HMAC-CRC512

Continue reading

DEFCON CTF Survival Guide (2014)

vos and snk from MSLC share their basic view of Attack-Defence CTFs and tell random stories in their two-hour talk at Chaos Constructions 2014.

With English subtitles

CONFidence CTF 2015 – RSA2 (Crypto 500)

Find the flag

Summary: cube attack + recover python’s MersenneTwister state + leak 320/520 LSBs of one of the primes

Continue reading

CONFidence CTF 2015 – RSA1 (Crypto 400)

Find the flag

Summary: Coppersmith’s short pad attack

Continue reading

ASIS CTF Quals 2015 – Cross Check (Crypto 350)

The flag is encrypted by this code, can you decrypt it?

Summary: breaking RSA modulos with related primes.

Continue reading

VolgaCTF Quals 2015 – CPKC (Crypto 400) writeup


A home-brewed cryptosystem, should be easy to break. Its keyspace seems to be rather large though…


Summary: LLL-based attack on NTRUEncrypt-like cryptosystem.

Continue reading

PlaidCTF 2014 wheeeee writeup

Although it seems like The Plague’s messaging service is secure, there are bound to be bugs in any 20th century crypto system. We’ve recovered a version of the block cipher The Plague implemented. Use their online encryptor tool, at, to break the cipher and figure out Plague’s secret plans. NOTE: When the service sends you a hex-encoded string, respond with a hex-encoded string.

Continue reading