Σ2333! の 博客
0%

BUUCTF 每日打卡 2021-5-18

发表于 更新于

BUUCTF 每日打卡 2021-5-18

引言

果然当鸽子会上瘾。。。 上周五打的国赛24小时不间断就离谱 原本打算通宵打,结果发现到半夜能写的都写了(指就写了一道 200 分的 rsa) 槽点太多,一时不知道从哪开始吐了 总之鸽了三天,今天就肝(水)一期国赛的那道 rsa 吧(咕咕咕)

[CISCN]rsa

加密代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from flag import text,flag
import md5
from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime

assert md5.new(text).hexdigest() == flag[6:-1]

msg1 = text[:xx]
msg2 = text[xx:yy]
msg3 = text[yy:]

msg1 = bytes_to_long(msg1)
msg2 = bytes_to_long(msg2)
msg3 = bytes_to_long(msg3)

p1 = getPrime(512)
q1 = getPrime(512)
N1 = p1*q1
e1 = 3
print pow(msg1,e1,N1)
print (e1,N1)

p2 = getPrime(512)
q2 = getPrime(512)
N2 = p2*q2
e2 = 17
e3 = 65537
print pow(msg2,e2,N2)
print pow(msg2,e3,N2)
print (e2,N2)
print (e3,N2)

p3 = getPrime(512)
q3 = getPrime(512)
N3 = p3*q3
print pow(msg3,e3,N3)
print (e3,N3)
print p3>>200

从下往上观察加密代码,发现p3向右移位200位,所以是p高位泄露,采用coppersmith攻击得到p,q

进行解密,得到msg第三部分 代码如下:

1
2
3
4
5
6
7
8
9
10
11
from Crypto.Util.number import *

p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
q3 = 9918033198963879798362329507637256706010562962487329742400933192721549307087332482107381554368538995776396557446746866861247191248938339640876368268930589
n3 = p3*q3
e3 = 65537
d3 = inverse(e3, (p3-1)*(q3-1))
c4 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
m3 = pow(c4, d3, n3)
m3_ = long_to_bytes(m3)
print(m3_)

结果为:b'nd black, and pale, and hectic red,-stricken multitudes: O thou,chariotest to their dark wintry bed'

观察第三部分加密代码,发现使用了相同的模数N2,所以采用共模攻击 代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import gmpy2
from Crypto.Util.number import *

n2 = 111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
e2 = 17
e3 = 65537
c2 = 54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
c3 = 91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
# s & t
gcd, s, t = gmpy2.gcdext(e2, e3)
if s < 0:
    s = -s
    c2 = gmpy2.invert(c2, n2)
if t < 0:
    t = -t
    c3 = gmpy2.invert(c3, n2)
plain = gmpy2.powmod(c2, s, n2) * gmpy2.powmod(c3, t, n2) % n2
m2_ = long_to_bytes(plain)
print(m2_)

结果为:b"n's being,, from whose unseen presence the leaves deaddriven, like ghosts from an enchanter fleeing,, a"

观察第一部分代码,由于e=3,所以采用小公钥指数攻击 代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import gmpy2
from Crypto.Util.number import *

n1 = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009
e1 = 3
c1 = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893

for k in range(0, 100):
    a, b = gmpy2.iroot(c1+k*n1, 3)
    if b == 1:
        m = a
        m1_ = long_to_bytes(m)
        print(m1_)
        break

结果为:b' wild West Wind, thou breath of Autum'

合并之后,结果为: O wild West Wind, thou breath of Autumn's being, Thou, from whose unseen presence the leaves dead Are driven, like ghosts from an enchanter fleeing, Yellow, and black, and pale, and hectic red, Pestilence-stricken multitudes: O thou, Who chariotest to their dark wintry bed 这不是雪莱的西风颂吗

最后进行md5加密 代码如下:

1
2
3
4
5
6
7
import hashlib

m = (m1_+m2_+m3_).decode('utf-8')
print(m)
hl = hashlib.md5()
hl.update(m.encode(encoding='utf-8'))
print(hl.hexdigest())

结果为:3943e8843a19149497956901e5d98639

结语

之前画的饼就鸽了 最近没有什么学习动力 希望继续坚持

欢迎关注我的其它发布渠道

-------- 本文结束 感谢阅读 --------