Crypto CTF 2022刷题记录(一)—— easy部分

仅供个人记录代码,推导过程少

Klamkin

We need to have a correct solution!

└─# nc 04.cr.yp.toc.tf 13777
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|  Hello, now we are finding the integer solution of two divisibility  |
|  relation. In each stage send the requested solution. Have fun :)    |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| We know (ax + by) % q = 0 for any (a, b) such that (ar + bs) % q = 0
| and (q, r, s) are given!
| Options: 
|       [G]et the parameters 
|       [S]end solution 
|       [Q]uit
G
| q = 329335574766968741186052075315246564257
| r = 306358792328555921680917962458023839995
| s = 220691171809677699150893540983509314674
| Options: 
|       [G]et the parameters 
|       [S]end solution 
|       [Q]uit
S
| please send requested solution like x, y such that y is 12-bit: 
78693180357665300583563698390631044285, 2048
| good job, try to solve the next challenge :P
| please send requested solution like x, y such that y is 13-bit: 
157386360715330601167127396781262088570, 4096

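将 $ax+by\equiv 0 \pmod q$ 乘上 $r$,将 $ar+bs\equiv 0 \pmod q$ 乘上 $x$,两式相减:

$$b(ry-xs)\equiv 0 \pmod q$$

对任意满足条件的 $b$ 恒成立要求 $q\mid ry-xs$,即 $y\equiv r^{-1}s\cdot x \pmod q$。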

from Crypto.Util.number import *
from pwn import *
import gmpy2
import re

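# Klamkin solver: fetch (q, r, s) from the service, then answer every stage
# with a pair (x, y) satisfying y = r^{-1} * s * x (mod q). The coordinate the
# server constrains is fixed to 2^(n-1), which has exactly n bits; the other
# coordinate is derived from it.
# DEBUG makes pwntools log all traffic; the script never prints the server's
# replies itself.
context.log_level = 'DEBUG'
conn = remote('04.cr.yp.toc.tf', 13777)

# Separate names for the two patterns so neither silently replaces the other.
PARAM_EXPR = re.compile(r"^\| (\w+) = (\d+)$")
STAGE_EXPR = re.compile(
    r"^\| please send requested solution like x, y such that (\w+) is (\d+)-bit: $"
)

conn.recvuntil(b'[Q]uit')
conn.sendline(b'G')  # bytes, matching the bytes used for recvuntil
conn.recvline()      # discard the rest of the menu line
# The three parameter lines are read in the order q, r, s.
q, r, s = (
    int(PARAM_EXPR.findall(conn.recvline(keepends=False).decode())[0][1])
    for _ in range(3)
)
v = (inverse(r, q) * s) % q  # y = v * x (mod q)
v_inv = inverse(v, q)        # x = v_inv * y (mod q); loop-invariant, computed once

conn.recvuntil(b'[Q]uit')
conn.sendline(b'S')
conn.recvline()
while True:
    try:
        line = conn.recvline(keepends=False).decode()
    except EOFError:
        # The server closed the connection: no further stages.
        break
    stage = STAGE_EXPR.match(line)
    if stage is None:
        # Anything that is not a stage prompt ends the dialogue.
        break
    c, n = stage.groups()
    if c == 'y':
        y = 1 << (int(n) - 1)
        x = (v_inv * y) % q
    else:
        x = 1 << (int(n) - 1)
        y = (v * x) % q
    conn.sendline(f'{x}, {y}'.encode())
    conn.recvline()  # consume the server's verdict for this stage

conn.close()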
    
# b'| Congrats, you got the flag: CCTF{f1nDin9_In7Eg3R_50Lut1Ons_iZ_in73rEStIn9!}\n'

Baphomet

#!/usr/bin/env python3

from base64 import b64encode
from flag import flag

def encrypt(msg):
    """Obfuscate *msg*: base64-encode, swap letter case, XOR with a derived key.

    The key is not a secret input. One bit per base64 character records
    whether that character was lowercase ('0') or not ('1'), the bits are
    packed big-endian into ``len(bits) // 8`` bytes, and that key is repeated
    over the case-swapped base64 text. Because the key depends only on the
    message and is reused cyclically, any known plaintext prefix covering one
    key period reveals the whole key; treat this as an encoding, not a cipher.

    The byte count uses floor division, so when the base64 length is not a
    multiple of 8 the bit string may not fit and ``to_bytes`` raises
    ``OverflowError``.

    Args:
        msg: text to process (str).

    Returns:
        bytes of the same length as the base64 encoding of *msg*.
    """
    encoded = b64encode(msg.encode('utf-8')).decode('utf-8')

    swapped = []
    bits = []
    for ch in encoded:
        was_lower = ch.islower()
        # Digits, '+', '/' and '=' are "not lowercase": they stay unchanged
        # under lower() and contribute a '1' bit.
        swapped.append(ch.upper() if was_lower else ch.lower())
        bits.append('0' if was_lower else '1')

    body = ''.join(swapped).encode('utf-8')
    key = int(''.join(bits), 2).to_bytes(len(bits) // 8, 'big')

    # Repeating-key XOR over the case-swapped base64 text.
    return bytes(byte ^ key[pos % len(key)] for pos, byte in enumerate(body))

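# Encrypt the flag and store the ciphertext. The context manager closes the
# file even if the write raises, which the explicit close() did not guarantee.
enc = encrypt(flag)
with open('flag.enc', 'wb') as f:
    f.write(enc)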

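flag.enc 共 48 bytes,而每个 base64 字符只贡献 1 bit 的 key,因此 key 的长度是 48/8 = 6 bytes,并在密文上循环使用。flag 以 CCTF{ 开头,其 base64 编码的前 6 个字符固定为 Q0NURn,大小写互换后即 baph 的前 6 个字符 q0nurN;将它与密文前 6 bytes 异或就得到完整的 key。key 完全由明文决定且重复使用,所以已知前缀即可还原全部内容。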

from Crypto.Util.number import *
import base64

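# Every flag starts with "CCTF{", whose base64 text begins "Q0NURn". The
# challenge swaps letter case before XORing, so the pre-XOR stream begins
# with these six characters.
KNOWN_HEAD = 'q0nurN'


def recover_flag(content):
    """Recover the plaintext from a Baphomet ciphertext.

    The challenge packs one key bit per base64 character, so the key is
    ``len(content) // 8`` bytes long and repeats over the ciphertext. XORing
    the first key-length ciphertext bytes with the known case-swapped base64
    prefix yields the key; the rest is undoing the XOR, swapping case back
    and base64-decoding.

    Args:
        content: raw ciphertext bytes (the contents of flag.enc).

    Returns:
        The decoded plaintext as bytes.

    Raises:
        ValueError: if the implied key length is zero or longer than the
            known prefix, in which case the key cannot be derived this way.
    """
    key_len = len(content) // 8
    if not 1 <= key_len <= len(KNOWN_HEAD):
        raise ValueError(
            f'key length {key_len} is not covered by the known prefix '
            f'({len(KNOWN_HEAD)} characters)'
        )

    key = [content[i] ^ ord(KNOWN_HEAD[i]) for i in range(key_len)]
    baph = ''.join(chr(byte ^ key[i % key_len]) for i, byte in enumerate(content))
    # Undo the case swap. The original listing referenced an undefined name
    # `m` here; the input must be the XOR-decoded stream `baph`.
    ba = ''.join(ch.upper() if ch.islower() else ch.lower() for ch in baph)
    return base64.b64decode(ba.encode())


if __name__ == '__main__':
    with open('flag.enc', 'rb') as f:
        content = f.read()
    print(recover_flag(content))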
# CCTF{UpP3r_0R_lOwER_17Z_tH3_Pr0bL3M}