dh.py

#! /usr/bin/env python2

from hashlib import sha256
from Crypto import Random
from Crypto.Random import random
from Crypto.Cipher import AES
from pwn import *

p = 174807157365465092731323561678522236549173502913317875393564963123330281052524687450754910240009920154525635325209526987433833785499384204819179549544106498491589834195860008906875039418684191252537604123129659746721614402346449135195832955793815709136053198207712511838753919608894095907732099313139446299843
q = (p - 1) / 2
g = 41899070570517490692126143234857256603477072005476801644745865627893958675820606802876173648371028044404957307185876963051595214534530501331532626624926034521316281025445575243636197258111995884364277423716373007329751928366973332463469104730271236078593527144954324116802080620822212777139186990364810367977
A = 118273972112639120186970068947944724773714770611796145560317038505039351377800437911584090954295445815108415228076067419564334318734103894856428799576147989726840111816497674618324630523684004675727128364154281009934628997112127793757633331795515579928803348552388657916707518365689221161578522942036857923828
B = g
a = 8568666222532

K = pow(B, a, p)

pw = "ThisIsMySecurePasswordPleaseGiveMeAShell\n"

BLOCK_SIZE = 16
R = Random.new()

def pad(m):
    o = BLOCK_SIZE - len(m) % BLOCK_SIZE
    return m + o * chr(o)

def unpad(p):
    return p[0:-ord(p[-1])]

def send_encrypted(KEY, m):
    IV = R.read(BLOCK_SIZE)
    aes = AES.new(KEY, AES.MODE_CBC, IV)
    c = aes.encrypt(pad(m))
    return (IV + c).encode('hex')

def read_encrypted(KEY, data):
    data = data.decode('hex')
    IV, data = data[:BLOCK_SIZE], data[BLOCK_SIZE:]
    aes = AES.new(KEY, AES.MODE_CBC, IV)
    m = unpad(aes.decrypt(data))
    return m

b = random.randint(1, 2**46)
B = pow(g, b, p)

r = remote("shell2017.picoctf.com", 22071)
r.recvuntil("A = ")
AA = r.recvline()
# print "AA = {}".format(AA)
A = int(AA)
r.recvuntil("B: ")
r.sendline(str(B))
K = pow(A, b, p)

KEY = sha256(str(K)).digest()

r.sendline(send_encrypted(KEY, pw))
r.sendline(send_encrypted(KEY, "cat flag.txt"))
v = r.recvline()[:-1]
print read_encrypted(KEY, v)