HSC-1th WP CRYPTO

2022-09-29 20:53:55 浏览数 (1)


HSC-1th WP CRYPTO

1. Easy SignIn

方法一:

十六进制 base64 base32 base64

方法二:

cyberchef直接梭

方法三:

ciphey一把梭

代码语言:javascript复制
flag{welc0me_to_my_s1gn_in}

2. AFFINE

flag{md5(result)}

仿射密码加密,先根据密文和明文,爆破各位置存在 flag 字符串情况下对应的 a,b 值,再解密整串密文。爆破求 a,b 。

Script1:

代码语言:javascript复制
letter=string.ascii_letters string.digits
s = 'xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'
  for a in range(1,128):
    for b in range(1,128):
    res = ''
    #求a关于26的乘法逆元
    x, y = get(a, 62)
    a1 = x % 62
    l= len(s)
    for i in range(l):
       cipher = a1 * (letter.index(s[i]) - b) % 62
       # res =chr(cipher   65)
       # print(cipher)
       res  = letter[cipher]
    if 'flag' in res:
       print(res)

Script2:

代码语言:javascript复制
import string
import hashlib
letter=string.ascii_letters string.digits
def encrypt(m, a, b):
  c = []
  for i in range(len(m)):
      ch=m[i]
      t=(letter.index(ch) * a   b) % 62
      c.append(letter[t])
    d = ''.join(c)
    return d
s='xGJ13kkRK9QDfORQomFOf9NZs9LKVZvGqVIsVO9NOkorv'
for a in range(50):
  for b in range(50):
    Cipher = encrypt('flag', a, b)
    for k in range(len(s)-3):
      if Cipher==s[k:k 4]:
        print(Cipher,a,b)
# korv 11 17
a=11
b=17
def decrypt(m, a, b):
  import gmpy2
  c = []
    for i in range(len(m)):
      ch=m[i]
      t=((letter.index(ch) - b) * gmpy2.invert(a,62)) % 62
      c.append(letter[t])
    d = ''.join(c)
    return d
m=decrypt(s, a, b)
print(m)
flag = hashlib.md5("".join(str(m)).encode("utf8")).hexdigest()
print(flag)
# Oh62Affine1sSti1lN0tSecureEnoughToProtectflag
# 2b9b99caae1cc49e5b5aacbc8cc22350
代码语言:javascript复制
flag{2b9b99caae1cc49e5b5aacbc8cc22350}

3.LINE-GENERATION-TEST

"Sorry, Tazmi, I can't hold you in my arms anymore" Who said that? flag{md5(result)}

希尔密码,逆矩阵得到12 18 2 19 5即RSCTF

md5加密得flag

代码语言:javascript复制
flag{e4163deba70420c58acb87abcab34141}

4.LATTICE

Part1,extending WienerAttack with two exponents

构造如下矩阵,对其进行格基规约找到最短向量

代码语言:javascript复制
c1 = 182xxx3
N = 2381xxx9
e1, e2 = 9835783xxx9, 173753xxx3
a = 730 / 2048
M1 = int(pow(N, 0.5))
M2 = int(pow(N, 1   a))
L2 = matrix(ZZ, [[N, -M1*N, 0, N**2],
                [0, M1*e1, -M2*e1, -e1 * N],
                [0, 0, M2*e2, -e2 * N],
                [0, 0, 0, e1 * e2]])
B = L2.LLL()[0]
A = B * L2 ^ (-1)
phi = int(e1 * A[1] // A[0])
print(long_to_bytes(pow(c1, gmpy2.invert(0x10001, phi), N)))
#b'89c63fd5-00c'

Part2 extending WienerAttack with three exponents

和 Part1 类似,实现一个这样的矩阵

代码语言:javascript复制
c2 = 73xxx3
N = 26xxx9
e1, e2, e3 = 2xxx9, 19xxx5, 1xxxx7
alpha2 = 818/2048
M1 = int(N**(3/2))
M2 = int(N)
M3 = int(N**(3/2   alpha2))
M4 = int(N**0.5)
M5 = int(N**(3/2   alpha2))
M6 = int(N**(1 alpha2))
M7 = int(N**(1 alpha2))
D = diagonal_matrix(ZZ, [M1, M2, M3, M4, M5, M6, M7, 1])
B = Matrix(ZZ, [ [1, -N, 0, N**2, 0, 0, 0, -N**3],
               [0, e1, -e1, -e1*N, -e1, 0, e1*N, e1*N**2],
               [0, 0, e2, -e2*N, 0, e2*N, 0, e2*N**2],
               [0, 0, 0, e1*e2, 0, -e1*e2, -e1*e2, -e1*e2*N],
               [0, 0, 0, 0, e3, -e3*N, -e3*N, e3*N**2],
               [0, 0, 0, 0, 0, e1*e3, 0, -e1*e3*N],
               [0, 0, 0, 0, 0, 0, e2*e3, -e2*e3*N],
               [0, 0, 0, 0, 0, 0, 0, e1*e2*e3] ]) 
* D
L = B.LLL()
v = Matrix(ZZ, L[0])
x = v * B**(-1)
phi = (e1*x[0, 1]/x[0, 0]).floor()
flag = pow(c2, gmpy2.invert(0x10001, phi), N)
print(long_to_bytes(flag))
#b'f-4ae0-b369-'

Part3 common private exponent

共享多组私钥,且私钥很小,只要满足

就可以构造形如下列矩阵恢复 d

大致的原理可以参考 la 佬博客

这里 n 是 2048 位的,d 是 890 位,至少需要 7 组

代码语言:javascript复制
nl=[2xxx1, 1xxx, 214xxx1, 27xxx99, 118xxx1, 15xxx1, 2081xxx]
el=[xxxx1, 11xxx, 62xxx3, 1123xxx7, 7xx33, 1xxxx13, 1xxxx]
cl=[269xxxx3, 1xxxx0, 6xxxx9, 9xxx7, 8xxx8, 196xxx5, 15xxx2]
times = 7
M = int(sqrt(nl[0]))
A = [[0 for _ in range(times   1)] for j in range(times   1)]
A[0][0] = M
for i in range(1   times):
 for j in range(1   times):
   if j != 0:
     if i == 0:
       A[i][j] = el[j - 1]
     if i == j:
       A[i][j] = -nl[i - 1]
A = Matrix(A)
C = A.LLL()
d = abs(C[0][0] // M)
print(long_to_bytes(pow(cl[0], d, nl[0])))
#b'5a3d94a20a2c'

拼凑起来套在一起就得到了 flag

代码语言:javascript复制
flag{89c63fd5-00cf-4ae0-b369-5a3d94a20a2c

5.RSA

费马分解RSA

再利用Rabin算法求 。

代码语言:javascript复制
n=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624
t=10
import gmpy2
for k in range(-1000000,1000000):
  x=gmpy2.iroot(k**2 4*t*n,2)
  if x[1]:
    p=(-k x[0])//(2*t)
    q=t*p k
    break
import gmpy2
from Crypto.Util.number import long_to_bytes,bytes_to_long
phi=(p-1)*(q-1)
e=57742
c=124689085077258164778068312042204623310499608479147230303784397390856552161216990480107601962337145795119702418941037207945225700624
t=gmpy2.gcd(e,phi)
d=gmpy2.invert(e//t,phi)
m=pow(c,d,n)
msg=gmpy2.iroot(m,t)
if msg[1]:
  print(long_to_bytes(msg[0]))
#flag{6d22773623d3d5c871692e9985de5f16}
代码语言:javascript复制
flag{6d22773623d3d5c871692e9985de5f16}

6.BABY-RSA

lfsr恢复高位p

代码语言:javascript复制
from Crypto.Util.number import*
f = open('key','rb').read()
key = str(f,encoding="utf-8")
def lfsr(status,mask):
  out = (status << 1) & 0xffffffff
  i=(status&mask)&0xffffffff
  lastbit=0
  while i!=0:
    lastbit^=(i&1)
    i=i>>1
  out^=lastbit
  return (out,lastbit)
  
status= 1
mask = 0b10110001110010011100100010110101
pp = ''
for i in range(len(str(key))):
  (status,out) = lfsr(status,mask)
  pp  = str(int(key[i]) ^ out)
pp = int(pp, 2)
print(hex(pp))

coppersmith恢复p

代码语言:javascript复制
n=93635433746653382838611456563401157565983287448706207567987790808
2672577469136416164833537806270543399904811756435663709442193088616
6369832353405527855104576202658647651524758179962855692461154859961
9035319901722797640991991571811677753079506904929698598299268089509
6412067808246044884792707448756861953656874030164998855547649020669
3181162301088156855926656544441682939839165455244630182978802660669
2554015762139410676798881642375868793646156649422342478962141952625
1093534592251283163238574173581012273013036652161283455656583862370
8828780093323310348242654778247293430853566054703991781432542625271
396246500576703
e=65537
pbits=1024
for i in range(0,256):
  p4 =0x807c1395b8128e6de865ab20dd2a39684f6831464553c65215cfe2861192657b6
938d227c75e902ae858fdbd8b118c8522c08a3bf978bb203bc1644fe526f2de55b0
65b050795800
  p4 = p4   int(hex(i), 16)
  kbits = pbits - p4.nbits()
  p4 = p4 << kbits
  PR.<x> = PolynomialRing(Zmod(n))
  f = x   p4
  roots = f.small_roots(X=2 ^ kbits, beta=0.4)
  if roots:
    p = p4   int(roots[0])
    print("n=", n)
    print("p=", p)
    print("q=", n // p)

普通rsa

代码语言:javascript复制
import gmpy2
from Crypto.Util.number import *
n=
9363543374665338283861145656340115756598328744870620756798779080826
7257746913641616483353780627054339990481175643566370944219308861663
6983235340552785510457620265864765152475817996285569246115485996190
3531990172279764099199157181167775307950690492969859829926808950964
1206780824604488479270744875686195365687403016499885554764902066931
8116230108815685592665654444168293983916545524463018297880266066925
5401576213941067679888164237586879364615664942234247896214195262510
9353459225128316323857417358101227301303665216128345565658386237088
2878009332331034824265477824729343085356605470399178143254262527139
6246500576703
p=
9022500628862702093326702442579764704296555448627367414547462902233
5483579168020321334177600624475358419458781387021577078957978886555
0662645143649512298718336117131446171558370233137567417160419931591
5509352276941674246168381004104536192633494611554748723427252091424
9496954864904467634471167509689549908477
q=
1037799137936510742142635030105940714249690733538416226046589748129
4002998062458411639830591826928312697116327962094519090758259792206
8185151061264528002313474791985042185827606404465614715082278876591
6004528092853543075827672659991342372777325066714638341019562139613
09366951706106789005830772784151863039339
e=65537
c=36413045370298157467271638945545573223820125399539481834063082311
7425957126360862197097367120200145695562245837130342475081501757810
4069924877881162707673935496925529412748663209884628320657034190702
3489248147942630414832603779605695308693866199214254153239129643059
7977690959820020223691282396886748569610169187958079900024071577801
0424877093758489309380968229017074542588151574195295436881889313935
7342821414474981345430531064639518649745123753140914407131650471885
9069343193859982234058893459171259299562233452279991456352863070568
7647950894928965913199772209825508001274120556508220248069647851360
567609656517789
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
代码语言:javascript复制
flag{fbbce1e3aa690ebb49039241f940ed26}

红客突击队于2019年由队长k龙牵头,联合国内多位顶尖高校研究生成立。其团队从成立至今多次参加国际网络安全竞赛并取得良好成绩,积累了丰富的竞赛经验。团队现有三十多位正式成员及若干预备人员,下属联合分队数支。红客突击队始终秉承先做人后技术的宗旨,旨在打造国际顶尖网络安全团队。

0 人点赞