HSC-1th WP CRYPTO

admin 2025年2月15日23:50:22评论5 views字数 7479阅读24分55秒阅读模式

HSC-1th WP CRYPTO

1. Easy SignIn

方法一:

十六进制+base64+base32+base64

方法二:

cyberchef直接梭

方法三:

ciphey一把梭

flag{welc0me_to_my_s1gn_in}

2. AFFINE

flag{md5(result)}

仿射密码加密,先根据密文和明文,爆破各位置存在 flag 字符串情况下对应的 a,b 值,再解密整串密文。爆破求 a,b 。

Script1:

letter=string.ascii_letters+string.digitss = 'xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'  for a in range(1,128):    for b in range(1,128):    res = ''    #求a关于26的乘法逆元    x, y = get(a, 62)    a1 = x % 62    l= len(s)    for i in range(l):       cipher = a1 * (letter.index(s[i]) - b) % 62       # res+=chr(cipher + 65)       # print(cipher)       res += letter[cipher]    if 'flag' in res:       print(res)

Script2:

import stringimport hashlibletter=string.ascii_letters+string.digitsdef encrypt(m, a, b):  c = []  for i in range(len(m)):      ch=m[i]      t=(letter.index(ch) * a + b) % 62      c.append(letter[t])    d = ''.join(c)    return ds='xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'for a in range(50):  for b in range(50):    Cipher = encrypt('flag', a, b)    for k in range(len(s)-3):      if Cipher==s[k:k+4]:        print(Cipher,a,b)# korv 11 17a=11b=17def decrypt(m, a, b):  import gmpy2  c = []    for i in range(len(m)):      ch=m[i]      t=((letter.index(ch) - b) * gmpy2.invert(a,62)) % 62      c.append(letter[t])    d = ''.join(c)    return dm=decrypt(s, a, b)print(m)flag = hashlib.md5("".join(str(m)).encode("utf8")).hexdigest()print(flag)# Oh62Affine1sSti1lN0tSecureEnoughToProtectflag# 2b9b99caae1cc49e5b5aacbc8cc22350
flag{2b9b99caae1cc49e5b5aacbc8cc22350}

3.LINE-GENERATION-TEST

"Sorry, Tazmi, I can't hold you in my arms anymore" Who said that? flag{md5(result)}

HSC-1th WP CRYPTO

希尔密码,逆矩阵得到12 18 2 19 5即RSCTF

md5加密得flag

flag{e4163deba70420c58acb87abcab34141}

4.LATTICE

Part1,extending WienerAttack with two exponents 

构造如下矩阵,对其进行格基规约找到最短向量

HSC-1th WP CRYPTO

c1 = 182xxx3N = 2381xxx9e1, e2 = 9835783xxx9, 173753xxx3a = 730 / 2048M1 = int(pow(N, 0.5))M2 = int(pow(N, 1 + a))L2 = matrix(ZZ, [[N, -M1*N, 0, N**2],                [0, M1*e1, -M2*e1, -e1 * N],                [0, 0, M2*e2, -e2 * N],                [0, 0, 0, e1 * e2]])B = L2.LLL()[0]A = B * L2 ^ (-1)phi = int(e1 * A[1] // A[0])print(long_to_bytes(pow(c1, gmpy2.invert(0x10001, phi), N)))#b'89c63fd5-00c'

Part2 extending WienerAttack with three exponents 

和 Part1 类似,实现一个这样的矩阵

HSC-1th WP CRYPTO

c2 = 73xxx3N = 26xxx9e1, e2, e3 = 2xxx9, 19xxx5, 1xxxx7alpha2 = 818/2048M1 = int(N**(3/2))M2 = int(N)M3 = int(N**(3/2 + alpha2))M4 = int(N**0.5)M5 = int(N**(3/2 + alpha2))M6 = int(N**(1+alpha2))M7 = int(N**(1+alpha2))D = diagonal_matrix(ZZ, [M1, M2, M3, M4, M5, M6, M7, 1])B = Matrix(ZZ, [ [1, -N, 0, N**2, 0, 0, 0, -N**3],               [0, e1, -e1, -e1*N, -e1, 0, e1*N, e1*N**2],               [0, 0, e2, -e2*N, 0, e2*N, 0, e2*N**2],               [0, 0, 0, e1*e2, 0, -e1*e2, -e1*e2, -e1*e2*N],               [0, 0, 0, 0, e3, -e3*N, -e3*N, e3*N**2],               [0, 0, 0, 0, 0, e1*e3, 0, -e1*e3*N],               [0, 0, 0, 0, 0, 0, e2*e3, -e2*e3*N],               [0, 0, 0, 0, 0, 0, 0, e1*e2*e3] ]) * DL = B.LLL()v = Matrix(ZZ, L[0])x = v * B**(-1)phi = (e1*x[0, 1]/x[0, 0]).floor()flag = pow(c2, gmpy2.invert(0x10001, phi), N)print(long_to_bytes(flag))#b'f-4ae0-b369-'

Part3 common private exponent 

共享多组私钥,且私钥很小,只要满足

HSC-1th WP CRYPTO

就可以构造形如下列矩阵恢复 d

HSC-1th WP CRYPTO

大致的原理可以参考 la 佬博客

HSC-1th WP CRYPTO

这里 n 是 2048 位的,d 是 890 位,至少需要 7 组

nl=[2xxx1, 1xxx, 214xxx1, 27xxx99, 118xxx1, 15xxx1, 2081xxx]el=[xxxx1, 11xxx, 62xxx3, 1123xxx7, 7xx33, 1xxxx13, 1xxxx]cl=[269xxxx3, 1xxxx0, 6xxxx9, 9xxx7, 8xxx8, 196xxx5, 15xxx2]times = 7M = int(sqrt(nl[0]))A = [[0 for _ in range(times + 1)] for j in range(times + 1)]A[0][0] = Mfor i in range(1 + times): for j in range(1 + times):   if j != 0:     if i == 0:       A[i][j] = el[j - 1]     if i == j:       A[i][j] = -nl[i - 1]A = Matrix(A)C = A.LLL()d = abs(C[0][0] // M)print(long_to_bytes(pow(cl[0], d, nl[0])))#b'5a3d94a20a2c'

拼凑起来套在一起就得到了 flag

flag{89c63fd5-00cf-4ae0-b369-5a3d94a20a2c

5.RSA

费马分解RSA

HSC-1th WP CRYPTO

HSC-1th WP CRYPTO

再利用Rabin算法求 。

n=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624t=10import gmpy2for k in range(-1000000,1000000):  x=gmpy2.iroot(k**2+4*t*n,2)  if x[1]:    p=(-k+x[0])//(2*t)    q=t*p+k    breakimport gmpy2from Crypto.Util.number import long_to_bytes,bytes_to_longphi=(p-1)*(q-1)e=57742c=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624t=gmpy2.gcd(e,phi)d=gmpy2.invert(e//t,phi)m=pow(c,d,n)msg=gmpy2.iroot(m,t)if msg[1]:  print(long_to_bytes(msg[0]))#flag{6d22773623d3d5c871692e9985de5f16}
flag{6d22773623d3d5c871692e9985de5f16}

6.BABY-RSA

lfsr恢复高位p

from Crypto.Util.number import*f = open('key','rb').read()key = str(f,encoding="utf-8")def lfsr(status,mask):  out = (status << 1) & 0xffffffff  i=(status&mask)&0xffffffff  lastbit=0  while i!=0:    lastbit^=(i&1)    i=i>>1  out^=lastbit  return (out,lastbit)status= 1mask = 0b10110001110010011100100010110101pp = ''for i in range(len(str(key))):  (status,out) = lfsr(status,mask)  pp += str(int(key[i]) ^ out)pp = int(pp, 2)print(hex(pp))

coppersmith恢复p

n=9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703e=65537pbits=1024for i in range(0,256):  p4 =0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b065b050795800  p4 = p4 + int(hex(i), 16)  kbits = pbits - p4.nbits()  p4 = p4 << kbits  PR.<x> = PolynomialRing(Zmod(n))  f = x + p4  roots = f.small_roots(X=2 ^ kbits, beta=0.4)  if roots:    p = p4 + int(roots[0])    print("n=", n)    print("p=", p)    print("q=", n // p)

普通rsa

import gmpy2from Crypto.Util.number import *n=9363543374665338283861145656340115756598328744870620756798779080826725774691364161648335378062705433999048117564356637094421930886166369832353405527855104576202658647651524758179962855692461154859961903531990172279764099199157181167775307950690492969859829926808950964120678082460448847927074487568619536568740301649988555476490206693181162301088156855926656544441682939839165455244630182978802660669255401576213941067679888164237586879364615664942234247896214195262510935345922512831632385741735810122730130366521612834556565838623708828780093323310348242654778247293430853566054703991781432542625271396246500576703p=90225006288627020933267024425797647042965554486273674145474629022335483579168020321334177600624475358419458781387021577078957978886555066264514364951229871833611713144617155837023313756741716041993159155093522769416742461683810041045361926334946115547487234272520914249496954864904467634471167509689549908477q=103779913793651074214263503010594071424969073353841622604658974812940029980624584116398305918269283126971163279620945190907582597922068185151061264528002313474791985042185827606404465614715082278876591600452809285354307582767265999134237277732506671463834101956213961309366951706106789005830772784151863039339e=65537c=3641304537029815746727163894554557322382012539953948183406308231174259571263608621970973671202001456955622458371303424750815017578104069924877881162707673935496925529412748663209884628320657034190702348924814794263041483260377960569530869386619921425415323912964305979776909598200202236912823968867485696101691879580799000240715778010424877093758489309380968229017074542588151574195295436881889313935734282141447498134543053106463951864974512375314091440713165047188590693431938599822340588934591712592995622334522799914563528630705687647950894928965913199772209825508001274120556508220248069647851360567609656517789phi = (p - 1) * (q - 1)d = gmpy2.invert(e,phi)m = pow(c,d,n)print(long_to_bytes(m))
flag{fbbce1e3aa690ebb49039241f940ed26}

复现环境:

http://ctf.hsc2019.site

红客突击队于2019年由队长k龙牵头,联合国内多位顶尖高校研究生成立。其团队从成立至今多次参加国际网络安全竞赛并取得良好成绩,积累了丰富的竞赛经验。团队现有三十多位正式成员及若干预备人员,下属联合分队数支。红客突击队始终秉承先做人后技术的宗旨,旨在打造国际顶尖网络安全团队。

HSC-1th WP CRYPTO

原文始发于微信公众号(中龙 红客突击队):HSC-1th WP CRYPTO

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年2月15日23:50:22
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   HSC-1th WP CRYPTOhttps://cn-sec.com/archives/1990312.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息