HSC-1th WP CRYPTO
1. Easy SignIn
方法一:
十六进制+base64+base32+base64
方法二:
cyberchef直接梭
方法三:
ciphey一把梭
flag{welc0me_to_my_s1gn_in}2. AFFINE
flag{md5(result)}
仿射密码加密,先根据密文和明文,爆破各位置存在 flag 字符串情况下对应的 a,b 值,再解密整串密文。爆破求 a,b 。
Script1:
letter=string.ascii_letters+string.digitss = 'xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'for a in range(1,128):for b in range(1,128):res = ''x, y = get(a, 62)a1 = x % 62l= len(s)for i in range(l):cipher = a1 * (letter.index(s[i]) - b) % 62res += letter[cipher]if 'flag' in res:print(res)
Script2:
import stringimport hashlibletter=string.ascii_letters+string.digitsdef encrypt(m, a, b):c = []for i in range(len(m)):ch=m[i]t=(letter.index(ch) * a + b) % 62c.append(letter[t])d = ''.join(c)return ds='xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'for a in range(50):for b in range(50):Cipher = encrypt('flag', a, b)for k in range(len(s)-3):if Cipher==s[k:k+4]:print(Cipher,a,b)a=11b=17def decrypt(m, a, b):import gmpy2c = []for i in range(len(m)):ch=m[i]t=((letter.index(ch) - b) * gmpy2.invert(a,62)) % 62c.append(letter[t])d = ''.join(c)return dm=decrypt(s, a, b)print(m)flag = hashlib.md5("".join(str(m)).encode("utf8")).hexdigest()print(flag)
flag{2b9b99caae1cc49e5b5aacbc8cc22350}3.LINE-GENERATION-TEST
"Sorry, Tazmi, I can't hold you in my arms anymore" Who said that? flag{md5(result)}
希尔密码,逆矩阵得到12 18 2 19 5即RSCTF
md5加密得flag
flag{e4163deba70420c58acb87abcab34141}4.LATTICE
Part1,extending WienerAttack with two exponents
构造如下矩阵,对其进行格基规约找到最短向量
c1 = 182xxx3N = 2381xxx9e1, e2 = 9835783xxx9, 173753xxx3a = 730 / 2048M1 = int(pow(N, 0.5))M2 = int(pow(N, 1 + a))L2 = matrix(ZZ, [[N, -M1*N, 0, N**2],[0, M1*e1, -M2*e1, -e1 * N],[0, 0, M2*e2, -e2 * N],[0, 0, 0, e1 * e2]])B = L2.LLL()[0]A = B * L2 ^ (-1)phi = int(e1 * A[1] // A[0])print(long_to_bytes(pow(c1, gmpy2.invert(0x10001, phi), N)))#b'89c63fd5-00c'
Part2 extending WienerAttack with three exponents
和 Part1 类似,实现一个这样的矩阵
c2 = 73xxx3N = 26xxx9e1, e2, e3 = 2xxx9, 19xxx5, 1xxxx7alpha2 = 818/2048M1 = int(N**(3/2))M2 = int(N)M3 = int(N**(3/2 + alpha2))M4 = int(N**0.5)M5 = int(N**(3/2 + alpha2))M6 = int(N**(1+alpha2))M7 = int(N**(1+alpha2))D = diagonal_matrix(ZZ, [M1, M2, M3, M4, M5, M6, M7, 1])B = Matrix(ZZ, [ [1, -N, 0, N**2, 0, 0, 0, -N**3],[0, e1, -e1, -e1*N, -e1, 0, e1*N, e1*N**2],[0, 0, e2, -e2*N, 0, e2*N, 0, e2*N**2],[0, 0, 0, e1*e2, 0, -e1*e2, -e1*e2, -e1*e2*N],[0, 0, 0, 0, e3, -e3*N, -e3*N, e3*N**2],[0, 0, 0, 0, 0, e1*e3, 0, -e1*e3*N],[0, 0, 0, 0, 0, 0, e2*e3, -e2*e3*N],[0, 0, 0, 0, 0, 0, 0, e1*e2*e3] ])* DL = B.LLL()v = Matrix(ZZ, L[0])x = v * B**(-1)phi = (e1*x[0, 1]/x[0, 0]).floor()flag = pow(c2, gmpy2.invert(0x10001, phi), N)print(long_to_bytes(flag))#b'f-4ae0-b369-'
Part3 common private exponent
共享多组私钥,且私钥很小,只要满足
就可以构造形如下列矩阵恢复 d
大致的原理可以参考 la 佬博客
这里 n 是 2048 位的,d 是 890 位,至少需要 7 组
nl=[2xxx1, 1xxx, 214xxx1, 27xxx99, 118xxx1, 15xxx1, 2081xxx]el=[xxxx1, 11xxx, 62xxx3, 1123xxx7, 7xx33, 1xxxx13, 1xxxx]cl=[269xxxx3, 1xxxx0, 6xxxx9, 9xxx7, 8xxx8, 196xxx5, 15xxx2]times = 7M = int(sqrt(nl[0]))A = [[0 for _ in range(times + 1)] for j in range(times + 1)]A[0][0] = Mfor i in range(1 + times):for j in range(1 + times):if j != 0:if i == 0:A[i][j] = el[j - 1]if i == j:A[i][j] = -nl[i - 1]A = Matrix(A)C = A.LLL()d = abs(C[0][0] // M)print(long_to_bytes(pow(cl[0], d, nl[0])))#b'5a3d94a20a2c'
拼凑起来套在一起就得到了 flag
flag{89c63fd5-00cf-4ae0-b369-5a3d94a20a2c5.RSA
费马分解RSA
再利用Rabin算法求 。
n=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624t=10import gmpy2for k in range(-1000000,1000000):x=gmpy2.iroot(k**2+4*t*n,2)if x[1]:p=(-k+x[0])//(2*t)q=t*p+kbreakimport gmpy2from Crypto.Util.number import long_to_bytes,bytes_to_longphi=(p-1)*(q-1)e=57742c=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624t=gmpy2.gcd(e,phi)d=gmpy2.invert(e//t,phi)m=pow(c,d,n)msg=gmpy2.iroot(m,t)if msg[1]:print(long_to_bytes(msg[0]))#flag{6d22773623d3d5c871692e9985de5f16}
flag{6d22773623d3d5c871692e9985de5f16}6.BABY-RSA
lfsr恢复高位p
from Crypto.Util.number import*f = open('key','rb').read()key = str(f,encoding="utf-8")def lfsr(status,mask):out = (status << 1) & 0xffffffffi=(status&mask)&0xfffffffflastbit=0while i!=0:lastbit^=(i&1)i=i>>1out^=lastbitreturn (out,lastbit)status= 1mask = 0b10110001110010011100100010110101pp = ''for i in range(len(str(key))):(status,out) = lfsr(status,mask)pp += str(int(key[i]) ^ out)pp = int(pp, 2)print(hex(pp))
coppersmith恢复p
n=9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703e=65537pbits=1024for i in range(0,256):p4 =0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b050795800p4 = p4 + int(hex(i), 16)kbits = pbits - p4.nbits()p4 = p4 << kbitsPR.<x> = PolynomialRing(Zmod(n))f = x + p4roots = f.small_roots(X=2 ^ kbits, beta=0.4)if roots:p = p4 + int(roots[0])print("n=", n)print("p=", p)print("q=", n // p)
普通rsa
import gmpy2from Crypto.Util.number import *n=9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703p=90225006288627020933267024425797647042965554486273674145474629022335483579168020321334177600624475358419458781387021577078957978886555066264514364951229871833611713144617155837023313756741716041993159155093522769416742461683810041045361926334946115547487234272520914249496954864904467634471167509689549908477q=103779913793651074214263503010594071424969073353841622604658974812940029980624584116398305918269283126971163279620945190907582597922068185151061264528002313474791985042185827606404465614715082278876591600452809285354307582767265999134237277732506671463834101956213961309366951706106789005830772784151863039339e=65537c=3641304537029815746727163894554557322382012539953948183406308231174259571263608621970973671202001456955622458371303424750815017578104069924877881162707673935496925529412748663209884628320657034190702348924814794263041483260377960569530869386619921425415323912964305979776909598200202236912823968867485696101691879580799000240715778010424877093758489309380968229017074542588151574195295436881889313935734282141447498134543053106463951864974512375314091440713165047188590693431938599822340588934591712592995622334522799914563528630705687647950894928965913199772209825508001274120556508220248069647851360567609656517789phi = (p - 1) * (q - 1)d = gmpy2.invert(e,phi)m = pow(c,d,n)print(long_to_bytes(m))
flag{fbbce1e3aa690ebb49039241f940ed26}复现环境:
http://ctf.hsc2019.site
原文始发于微信公众号(中龙 红客突击队):HSC-1th WP CRYPTO
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论