UniVsThreats 26 Quals CTF - Voyager's Last Command - Cryptography Writeup

791 words

4 minutes

UniVsThreats 26 Quals CTF - Voyager's Last Command - Cryptography Writeup

2026-02-27

Writeup

CTF

/

Security

/

Cryptography

Category: Cryptography

Flag: UVT{v0y4g3r_s1gn3d_1t5_0wn_d34th}

Challenge Description#

Year 2387 You have established an uplink to the Voyager-X probe via an emergency telemetry relay.

Analysis#

I started by pulling one full live transcript from the server so I could capture all public parameters and exactly three signatures in a single session.

1
timeout 8 bash -lc "printf 'SIGN 00\nSIGN 01\nSIGN 02\nQUIT\n' | nc 194.102.62.166 22869"

1
│  Curve   : secp256k1
2
│  LCG  a  : 0x8d047be6d23ed97a5f8e83d6ff20b1366123dc858503be002764b531cdac5597
3
│  Qx  :  0xf29323d459059cfd3e09fc375cf0054923ce8b7b8b579328631a533d24bd145d
4
│  Qy  :  0xf167a0ca58327b757fe28893ecd75dfce809f749950f8f8345db0a291c25fcdf
5
│  Data    :  3004b7c0d22488c063e58f8b9e62eabea30befcf12554e75
6
│             0a0e78744099abe9592a03f86adeb2bfc56add83645a856c
7
│  r  :  0x70c62034e4eaa385710a9109d801fe2097bdc89eabc6f49e0210743f61bedb5d
8
│  s  :  0x803d4f32de48090588a8f7b334ce00b684eaa056ed4e1182ff38f896b2e01df5
9
│  z  :  0x6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
10
│  r  :  0xbae63fd8c48a268357ed1ecaaa1d2b98014998f6857d654f5115d31d5d378c37
11
│  s  :  0xa0faa3d959162d7abc890f8c949996119f2820a3c9f2ed0227d6a7745a38e876
12
│  z  :  0x4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
13
│  r  :  0xdb3577e944aee428d58d2f1e6d5c11d9c6ba35a290e684f6724d8e6daa7cb3f2
14
│  s  :  0x2e5417786a1197bfaa5ba8ecf7761f17c62653949269980e27eb140d8ed17948
15
│  z  :  0xdbc1b4c900ffe48d575b5da5c638040125f65db0fe3e24494b76ea986457d986

Those values were enough to model the nonce fault directly. With an LCG nonce stream, k2 = a*k1 + b and k3 = a*k2 + b, so k3 - (a+1)k2 + a*k1 = 0 (mod n). For ECDSA, k = (z + r*d) * s^{-1} (mod n), so substituting three signatures collapses to one linear equation in d. Because some services normalize signatures with s or n-s, I solved all 8 sign branches and accepted only the candidate where Q = d*G matched the provided public key.

smile

My first run hit a parser bug, not a math bug: I had parsed the boxed ciphertext lines too rigidly.

1
python3.12 /home/LIGHT/Downloads/solve_voyager.py

1
Traceback (most recent call last):
2
  File "/home/LIGHT/Downloads/solve_voyager.py", line 147, in <module>
3
    main()
4
  File "/home/LIGHT/Downloads/solve_voyager.py", line 135, in main
5
    ct = parse_ciphertext(text)
6
ValueError: Could not parse ciphertext

After loosening ciphertext extraction to read all hex chunks in the Data box, the exact same key-recovery equations worked immediately. The solver recovered d, verified the public key match, derived AES-128-ECB key as SHA-256(d)[:16], and decrypted the final directive to the flag.

1
python3.12 /home/LIGHT/Downloads/solve_voyager.py

1
Recovered d: 0xad2f34da51dc500a96f13174ec242a42e13975f23bfdeed81f5b11cf2ae45951
2
Sign branch (e1,e2,e3): (1, 1, 1)
3
Flag: UVT{v0y4g3r_s1gn3d_1t5_0wn_d34th}

Once d reconstructed and the AES plaintext matched the expected UVT{...} format, the challenge was done.

dance

Solution#

1
# !/usr/bin/env python3.12
2
import hashlib
3
import re
4
import socket
5
from itertools import product
6

7
from Crypto.Cipher import AES
8
from Crypto.Util.Padding import unpad
9
from ecdsa.ecdsa import generator_secp256k1
10

11
HOST = "194.102.62.166"
12
PORT = 22869
13

14
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
15

16
def recv_until(sock: socket.socket, token: bytes, timeout: float = 10.0) -> bytes:
17
    sock.settimeout(timeout)
18
    out = b""
19
    while token not in out:
20
        chunk = sock.recv(4096)
21
        if not chunk:
22
            break
23
        out += chunk
24
    return out
25

26
def recv_all(sock: socket.socket, timeout: float = 2.0) -> bytes:
27
    sock.settimeout(timeout)
28
    out = b""
29
    while True:
30
        try:
31
            chunk = sock.recv(4096)
32
        except TimeoutError:
33
            break
34
        if not chunk:
35
            break
36
        out += chunk
37
    return out
38

39
def parse_field(text: str, name: str) -> int:
40
    m = re.search(rf"{name}\s+:\s+0x([0-9a-f]+)", text)
41
    if not m:
42
        raise ValueError(f"Could not parse field {name}")
43
    return int(m.group(1), 16)
44

45
def parse_ciphertext(text: str) -> bytes:
46
    m = re.search(r"Data\s+:\s*(.*?)\n\s*└", text, flags=re.DOTALL)
47
    if not m:
48
        raise ValueError("Could not parse ciphertext")
49
    hex_parts = re.findall(r"[0-9a-f]{16,}", m.group(1))
50
    if not hex_parts:
51
        raise ValueError("Could not parse ciphertext hex chunks")
52
    return bytes.fromhex("".join(hex_parts))
53

54
def parse_signatures(text: str):
55
    sigs = re.findall(
56
        r"r\s+:\s+0x([0-9a-f]+).*?s\s+:\s+0x([0-9a-f]+).*?z\s+:\s+0x([0-9a-f]+)",
57
        text,
58
        flags=re.DOTALL,
59
    )
60
    if len(sigs) != 3:
61
        raise ValueError(f"Expected 3 signatures, got {len(sigs)}")
62
    return [(int(r, 16), int(s, 16), int(z, 16)) for r, s, z in sigs]
63

64
def inv(x: int) -> int:
65
    return pow(x % N, -1, N)
66

67
def recover_private_key(a: int, qx: int, qy: int, sigs):
68
    (r1, s1, z1), (r2, s2, z2), (r3, s3, z3) = sigs
69
    is1, is2, is3 = inv(s1), inv(s2), inv(s3)
70

71
    for e1, e2, e3 in product((1, -1), repeat=3):
72
        coeff = (e3 * r3 * is3 - (a + 1) * e2 * r2 * is2 + a * e1 * r1 * is1) % N
73
        const = (e3 * z3 * is3 - (a + 1) * e2 * z2 * is2 + a * e1 * z1 * is1) % N
74
        if coeff == 0:
75
            continue
76

77
        d = (-const * inv(coeff)) % N
78
        q = d * generator_secp256k1
79
        if q.x() == qx and q.y() == qy:
80
            return d, (e1, e2, e3)
81

82
    raise ValueError("No valid private key candidate found")
83

84
def derive_flag(d: int, ct: bytes) -> str:
85
    d_forms = [d.to_bytes(32, "big"), d.to_bytes(max(1, (d.bit_length() + 7) // 8), "big")]
86

87
    seen = set()
88
    for db in d_forms:
89
        if db in seen:
90
            continue
91
        seen.add(db)
92

93
        key = hashlib.sha256(db).digest()[:16]
94
        pt = AES.new(key, AES.MODE_ECB).decrypt(ct)
95

96
        for cand in (pt, unpad(pt, 16) if len(pt) % 16 == 0 else pt):
97
            m = re.search(rb"UVT\{[^}]+\}", cand)
98
            if m:
99
                return m.group(0).decode()
100

101
    raise ValueError("Failed to derive flag from decrypted plaintext")
102

103
def main():
104
    with socket.create_connection((HOST, PORT), timeout=10) as s:
105
        banner = recv_until(s, b"oracle@voyager-xi [3 sigs left] > ", timeout=10)
106
        s.sendall(b"SIGN 00\nSIGN 01\nSIGN 02\n")
107
        rest = recv_all(s, timeout=2)
108

109
    text = (banner + rest).decode("utf-8", errors="replace")
110

111
    a = parse_field(text, "LCG  a")
112
    qx = parse_field(text, "Qx")
113
    qy = parse_field(text, "Qy")
114
    ct = parse_ciphertext(text)
115
    sigs = parse_signatures(text)
116

117
    d, signs = recover_private_key(a, qx, qy, sigs)
118
    flag = derive_flag(d, ct)
119

120
    print(f"Recovered d: {hex(d)}")
121
    print(f"Sign branch (e1,e2,e3): {signs}")
122
    print(f"Flag: {flag}")
123

124
if __name__ == "__main__":
125
    main()

1
python3.12 solve.py

1
Recovered d: 0xad2f34da51dc500a96f13174ec242a42e13975f23bfdeed81f5b11cf2ae45951
2
Sign branch (e1,e2,e3): (1, 1, 1)
3
Flag: UVT{v0y4g3r_s1gn3d_1t5_0wn_d34th}