HackTheBox Challenge sugar free candies (Crypto)
Writeup for HackTheBox Challenge sugar free candies
Challenge Synopsis
For years, strange signals pulsed through the air on the eve of October 31st. Some said it was the voice of an ancient witch, others believed it was a message from something far darker. A cryptic message, scattered in three parts, was intercepted by a daring group of villagers. Legend spoke of a deal made between the witch and a shadowy figure, but the true intent of their secret could only be revealed by those brave enough to decipher it before midnight, when the veil between worlds would thin. (Source)
Enumeration
❯ cat source.py
from Crypto.Util.number import bytes_to_long
FLAG = open("flag.txt", "rb").read()
step = len(FLAG) // 3
candies = [bytes_to_long(FLAG[i:i+step]) for i in range(0, len(FLAG), step)]
cnd1, cnd2, cnd3 = candies
with open('output.txt', 'w') as f:
    f.write(f'v1 = {cnd1**3 + cnd3**2 + cnd2}\n')
    f.write(f'v2 = {cnd2**3 + cnd1**2 + cnd3}\n')
    f.write(f'v3 = {cnd3**3 + cnd2**2 + cnd1}\n')
    f.write(f'v4 = {cnd1 + cnd2 + cnd3}\n')
❯ cat output.txt
v1 = 1181239096013650837744125294978177790419553719590172794906535790528758829840751110126012179328061375399196613652870424327167341710919767887891371258453
v2 = 2710472017687233737830986182523923794327361982506952801148259340657557362009893794103841036477555389231149721438246037558380601526471290201500759382599
v3 = 3448392481703214771250575110613977019995990789986191254013989726393898522179975576074870115491914882384518345287960772371387233225699632815814340359065
v4 = 396216122131701300135834622026808509913659513306193
Exploitation
❯ cat solve.py
#!/usr/bin/python3
from Crypto.Util.number import long_to_bytes
from sympy import symbols, solve
# Read the output.txt file
with open('output.txt', 'r') as f:
    data = f.read().splitlines()
# Extract the values from the file
v1 = int(data[0].split('=')[1].strip())
v2 = int(data[1].split('=')[1].strip())
v3 = int(data[2].split('=')[1].strip())
v4 = int(data[3].split('=')[1].strip())
# Define symbolic variables for cnd1, cnd2, cnd3
cnd1, cnd2, cnd3 = symbols('cnd1 cnd2 cnd3')
# Define the equations
eq1 = cnd1**3 + cnd3**2 + cnd2 - v1
eq2 = cnd2**3 + cnd1**2 + cnd3 - v2
eq3 = cnd3**3 + cnd2**2 + cnd1 - v3
eq4 = cnd1 + cnd2 + cnd3 - v4
# Solve the equations
solutions = solve([eq1, eq2, eq3, eq4], (cnd1, cnd2, cnd3))
# Extract the integers
cnd1_val = int(solutions[0][0])
cnd2_val = int(solutions[0][1])
cnd3_val = int(solutions[0][2])
# Convert integers to bytes and reconstruct the flag
flag = long_to_bytes(cnd1_val) + long_to_bytes(cnd2_val) + long_to_bytes(cnd3_val)
print("Flag:", flag.decode())
❯ ./solve.py
Flag: HTB{solving_equations_for_parts_of_the_flag_over_the_integers!}
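Why the system in source.py gives up the flag so easily: the cubic term dominates v1 and v2, so an integer cube root lands within a few units of cnd1 and cnd2, and v4 then fixes cnd3. The following is an added example, not part of the original writeup; the names icbrt, encode, recover and slack and the sample flag are constructed here, and it assumes three equal-length chunks that each start with a printable ASCII byte.

```python
# Added example: recover the chunks with integer arithmetic only (no sympy).
# Assumes three equal-length chunks that each start with a printable ASCII byte.

def icbrt(n: int) -> int:
    """Exact floor cube root of n >= 0 by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def encode(flag: bytes):
    """Same arithmetic as source.py; len(flag) must be a multiple of 3."""
    step = len(flag) // 3
    c1, c2, c3 = (int.from_bytes(flag[i:i + step], "big")
                  for i in range(0, len(flag), step))
    return (c1**3 + c3**2 + c2, c2**3 + c1**2 + c3,
            c3**3 + c2**2 + c1, c1 + c2 + c3)

def recover(v1, v2, v3, v4, slack=8):
    """Return the chunk bytes concatenated, or None if no candidate verifies.

    cnd1**3 <= v1 < (cnd1 + k + 1)**3 with k about (cnd3/cnd1)**2 / 3, and
    equal-length printable chunks keep cnd3/cnd1 below 4, so k <= 5.
    The same bound holds for cnd2 and v2; v4 then fixes cnd3.
    """
    r1, r2 = icbrt(v1), icbrt(v2)
    for c1 in range(r1, max(r1 - slack, 0) - 1, -1):
        for c2 in range(r2, max(r2 - slack, 0) - 1, -1):
            c3 = v4 - c1 - c2
            if c3 < 0:
                continue
            # Accept only a candidate that satisfies every cubic equation exactly.
            if (c1**3 + c3**2 + c2, c2**3 + c1**2 + c3,
                    c3**3 + c2**2 + c1) == (v1, v2, v3):
                return b"".join(c.to_bytes((c.bit_length() + 7) // 8, "big")
                                for c in (c1, c2, c3))
    return None

if __name__ == "__main__":
    sample = b"HTB{constructed_flag_examples}"  # constructed, not the real flag
    print(recover(*encode(sample)))
```

The four integers from output.txt can be passed to recover() in the same way.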
This post is licensed under CC BY 4.0 by the author.