LitCTF 2026 WriteUp - Q1uJu's House

Crypto#

lit_xor_two_story#

题目：

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — One-time pad reused for two messages (40 bytes each).
4

5
Players receive output.txt and README; they do not receive secret.py.
6
"""
7
from __future__ import annotations
8

9
import argparse
10
import os
11
from pathlib import Path
12

13
try:
14
    from secret import M1_FLAG
15
except ImportError:
16
    raise SystemExit(
17
        "secret.py (organizer) is required to generate ciphertext; "
18
        "players work from output.txt only."
19
    )
20

21
# Public second message — duplicated in README for contestants.
22
M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"
23

24
assert len(M1_FLAG) == len(M2_KNOWN) == 40
25

26

27
def xor_bytes(a: bytes, b: bytes) -> bytes:
28
    return bytes(x ^ y for x, y in zip(a, b))
29

30

31
def main() -> None:
32
    parser = argparse.ArgumentParser()
33
    parser.add_argument(
34
        "--write",
35
        type=Path,
36
        help="Write hex lines to file.",
37
    )
38
    args = parser.parse_args()
39

40
    n = len(M1_FLAG)
41
    k = os.urandom(n)
42
    c1 = xor_bytes(M1_FLAG, k)
43
    c2 = xor_bytes(M2_KNOWN, k)
44

45
    lines = [
46
        f"c1 = {c1.hex()}",
47
        f"c2 = {c2.hex()}",
48
        f"len = {n}",
49
    ]
50
    text = "\n".join(lines) + "\n"
51
    print(text, end="")
52
    if args.write:
53
        args.write.write_text(text, encoding="utf-8")
54

55

56
if __name__ == "__main__":
57
    main()
58

59
# c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28
60
# c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474
61
# len = 40

c_1=M_1\oplus k,c_2=M_2\oplus k

故有

M_1=c_1\oplus k=c1\oplus(c_2\oplus M_2)

exp.py：

1
from Crypto.Util.strxor import strxor
2

3
M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"
4
c1 = bytes.fromhex("5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28")
5
c2 = bytes.fromhex("5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474")
6
k = strxor(c2, M2_KNOWN)
7
M1_FLAG = strxor(c1, k)
8
print(M1_FLAG.decode())
9
# litctf{otp_reuse_never_twice_same_key__}

lit_elgamal_handshake#

题目：

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — ElGamal handshake (story)
4
Someone left debug logging on; the private exponent x was printed alongside ciphertext.
5
"""
6
from __future__ import annotations
7

8
import argparse
9
from pathlib import Path
10
from random import randrange
11

12
from Crypto.Util.number import bytes_to_long, getPrime, getRandomRange
13

14
try:
15
    from secret import FLAG
16
except ImportError as e:
17
    raise SystemExit("secret.py (FLAG) is required to encrypt.") from e
18

19

20
def generate_elgamal_keypair(bits: int = 512) -> tuple[int, int, int, int]:
21
    p = getPrime(bits)
22
    for _ in range(1000):
23
        g = getRandomRange(2, min(6, p - 1))
24
        if pow(g, (p - 1) // 2, p) != 1:
25
            break
26
    else:
27
        raise RuntimeError("could not find suitable g")
28
    x = randrange(2, p - 1)
29
    y = pow(g, x, p)
30
    return p, g, y, x
31

32

33
def main() -> None:
34
    parser = argparse.ArgumentParser()
35
    parser.add_argument(
36
        "--write",
37
        type=Path,
38
        help="Write captured output to this file (for organizers).",
39
    )
40
    args = parser.parse_args()
41

42
    p, g, y, x = generate_elgamal_keypair(bits=512)
43
    k = randrange(1, p - 2)
44
    m = bytes_to_long(FLAG)
45
    if m >= p:
46
        raise ValueError("flag too large for chosen p — shorten FLAG")
47

48
    c1 = pow(g, k, p)
49
    c2 = (m * pow(y, k, p)) % p
50

51
    lines = [
52
        "=== Public key (p, g, y) ===",
53
        f"p = {p}",
54
        f"g = {g}",
55
        f"y = {y}",
56
        "",
57
        "=== Ciphertext (c1, c2) ===",
58
        f"c1 = {c1}",
59
        f"c2 = {c2}",
60
        "",
61
        "# [DEBUG] prod accidentally logged the long-term secret:",
62
        f"x = {x}",
63
    ]
64
    text = "\n".join(lines) + "\n"
65
    print(text, end="")
66
    if args.write:
67
        args.write.write_text(text, encoding="utf-8")
68

69

70
if __name__ == "__main__":
71
    main()
72

73
# === Public key (p, g, y) ===
74
# p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
75
# g = 3
76
# y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357
77

78
# === Ciphertext (c1, c2) ===
79
# c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
80
# c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654
81

82
# # [DEBUG] prod accidentally logged the long-term secret:
83
# x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

y\equiv g^x\pmod{p},c_1\equiv g^k\pmod{p},c_2\equiv m*y^k\pmod{p}

所以我们有：

y^k=(g^x)^k,m\equiv c_2\cdot(y^k)^{-1}=c_2\cdot(c_1^x)\pmod{p}

exp.py：

1
from Crypto.Util.number import long_to_bytes, inverse
2

3
# === Public key (p, g, y) ===
4
p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
5
g = 3
6
y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357
7
# === Ciphertext (c1, c2) ===
8
c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
9
c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654
10
# [DEBUG] prod accidentally logged the long-term secret:
11
x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884
12
inv = inverse(pow(c1, x, p), p)
13
m = c2 * inv % p
14
print(long_to_bytes(m).decode())
15
# litctf{elgamal_leak_makes_happy_decrypt}

lit_rsa_neighbor#

题目：

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — RSA where q is 'far' along the prime line but still close enough to p for Fermat.
4
"""
5
from __future__ import annotations
6

7
import argparse
8
from pathlib import Path
9

10
import gmpy2
11
from Crypto.Util.number import bytes_to_long, getPrime
12

13
try:
14
    from secret import FLAG, NEXT_PRIME_STEPS
15
except ImportError as e:
16
    raise SystemExit(
17
        "secret.py is required to generate output (FLAG, NEXT_PRIME_STEPS)."
18
    ) from e
19

20
E = 65537
21

22

23
def main() -> None:
24
    parser = argparse.ArgumentParser()
25
    parser.add_argument(
26
        "--write",
27
        type=Path,
28
        help="Write n, c to this file.",
29
    )
30
    args = parser.parse_args()
31

32
    p = getPrime(512)
33
    q = p
34
    for _ in range(NEXT_PRIME_STEPS):
35
        q = int(gmpy2.next_prime(q))
36

37
    n = p * q
38
    m = bytes_to_long(FLAG)
39
    if m >= n:
40
        raise ValueError("flag too large for n")
41

42
    c = pow(m, E, n)
43

44
    lines_players = [f"{n = }", f"{c = }", f"e = {E}"]
45
    text = "\n".join(lines_players) + "\n"
46
    print(text, end="")
47
    if args.write:
48
        args.write.write_text(text, encoding="utf-8")
49

50

51
if __name__ == "__main__":
52
    main()
53

54
# n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
55
# c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
56
# e = 65537

q是由p多步gmpy2.next_prime出来的，两数直接不会差很大，直接费马分解即可。

exp.py：

1
from math import gcd
2
from gmpy2 import invert, iroot
3
from Crypto.Util.number import *
4

5
n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
6
c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
7
e = 65537
8
MAX_SIZE = 100000
9
# Fermat 无穷递降法
10
n0 = iroot(n, 2)[0] + 1
11
m = 0
12
for i in range(MAX_SIZE):
13
    nn = (n0 + i) ** 2 - n
14
    if iroot(nn, 2)[1]:
15
        m = iroot(nn, 2)[0]
16
        break
17
assert gcd((n0 + m), n) == n0 + m
18
p = n0 + m
19
q = n // p
20
phi = (p - 1) * (q - 1)
21
d = invert(e, phi)
22
m = pow(c, d, n)
23
print(long_to_bytes(m).decode())
24
# litctf{rsa_fermat_finds_close_primes}

lit_tiny_key_aes#

题目：

1
#!/usr/bin/env python3
2
"""
3
LitCTF2026 — AES-128-ECB with a mostly fixed key (weak operational policy).
4
"""
5
from __future__ import annotations
6

7
import argparse
8
from pathlib import Path
9

10
from Crypto.Cipher import AES
11
from Crypto.Util.Padding import pad
12

13
try:
14
    from secret import FLAG, UNKNOWN_KEY_SUFFIX
15
except ImportError as e:
16
    raise SystemExit(
17
        "secret.py is required to generate ciphertext (contains FLAG and key suffix)."
18
    ) from e
19

20
KEY_PREFIX = b"LitCTF2026!!!"  # 13 bytes; 3 bytes brute-forced
21
assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16
22

23

24
def encrypt_aes_ecb_pkcs7(plaintext: bytes, key: bytes) -> bytes:
25
    cipher = AES.new(key, AES.MODE_ECB)
26
    return cipher.encrypt(pad(plaintext, AES.block_size))
27

28

29
def main() -> None:
30
    parser = argparse.ArgumentParser()
31
    parser.add_argument(
32
        "--write",
33
        type=Path,
34
        help="Write ciphertext hex to this file.",
35
    )
36
    args = parser.parse_args()
37

38
    key = KEY_PREFIX + UNKNOWN_KEY_SUFFIX
39
    c = encrypt_aes_ecb_pkcs7(FLAG, key)
40
    line = f"c = {c!r}\n"
41
    print(line, end="")
42
    if args.write:
43
        args.write.write_text(line, encoding="utf-8")
44

45

46
if __name__ == "__main__":
47
    main()
48

49
# c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"

爆破后三位密钥就行。

exp.py：

1
from tqdm import trange
2
from Crypto.Cipher import AES
3
from Crypto.Util.Padding import unpad
4

5
KEY_PREFIX = b"LitCTF2026!!!"
6
C = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"
7
for x in trange(1 << 24):
8
    suffix = x.to_bytes(3, "big")
9
    key = KEY_PREFIX + suffix
10
    pt = AES.new(key, AES.MODE_ECB).decrypt(C)
11
    try:
12
        msg = unpad(pt, AES.block_size)
13
    except ValueError:
14
        continue
15
    if msg.startswith(b"litctf{"):
16
        print("key =", key)
17
        print("suffix =", suffix)
18
        print("flag =", msg.decode())
19
        break
20
else:
21
    print("not found")
22
#  22%|██▏       | 3645953/16777216 [00:18<01:06, 196630.17it/s]
23
# key = b'LitCTF2026!!!7\xa2\x01'
24
# suffix = b'7\xa2\x01'
25
# flag = litctf{aes_tiny_brut3_for_the_win!}

持续更新中~

Crypto#

lit_xor_two_story#

lit_elgamal_handshake#

lit_rsa_neighbor#

lit_tiny_key_aes#