2022-03-31 一些后续

small weiner

来源：dvctf2022
Someone I hate sent me an insulting message using RSA. Can you retrieve his private key?

m = 0x596f7520686176652073756368206120736d616c6c207765696e65722e2049204841544520594f5521212121
N = 0x26553fbb7e4bd5bd48868a25f24d9cc5975aa8597f82110058e687dfa10dd0114c0d2011fa288dbd9d01c0a70dfa8212d5a218d513bdd8ebed9f75bc299e1461be8a23ed8ade96bc449d409fbbf5a328ee2ad3257e6c55a97641258730f74f4d3938f0df794546791ba2b1518b8d855e83f65f885d67aa000a01687ac605404e7bca681e51e6e195f77eb4785fcda0372e3d0fd90240f736243584677f89da4c6ab54d687897d5afb0801cc151c516b072aaa2d9aa8d39d34c230536cba077beaa88ff8e8940a5ba990cafd0b1326f209873a43a785d0c5477241fb6469b8c27c7d54908467a7525de18b2425901c0de3ed63472831c29818ce6efb0354c61f36b2e61146472e99209d198bc885ced0edb66eab62a968c9b98b49b756c689d69820ca1d97e1232c338084097078265ce79b25c1e37bc777247af3fee2ce7a87a697a120c0428327177cf6e934aa2d18e696474227d361a5c36992788c3b1aa8654b88852e897027d58b21576b25a5ffdcb9fbdc5167eb74f1c9082ae79ca0b89
e = 0xfc2e4d12eb69a42c074d9a0ddc6b84294f1e23d6eaa0ba53e9cb60ec0db203d31bdfb90eaca38189890ad26335ad6107cd234a415bfc73fc1bbd6c5d9da65249eebb57d889f91719cfdbd535ab19d2d317ffdf075870a62c6e05aac16c9b122e1c52d7dbeb2fb683514d0f463b58a4217f2e379e5a62be06e764e043a0eac5ac6af56816af926bcc4cd826ee1cfd4157496dc024042676503cec93de45c3c5e4dd9dcf85406a3cf93a9f784b9eef6e320cd9856aefff48df52127b98da8a0d207f588ce1c58e47419554590b1fa7fa3c38034f93a3a5112b6dd5e78c181abc2d972fbcb058575789c68c03f043bd4bf48d94fa7390c77f9fc033f3f01a5162d31056eb42a07397f3485b25396f93558466fc49ef80adea1e9d6c3d9edf529be5faf014669ae5f8e02433a2474d9c92fcc468d81aa0fd641a5647d55153713783a9e5d66fe70c9c2794325b28f20b751fb49359c4a8487bbfa7efc6270b7fa0ffe277276bba14027596d129fcbdef0a82aba24855bfd2155071b52c11da2d943

Flag format: dvCTF{d} with d in decimal (base 10)

上次尝试了离散对数没有解出来，

根据题目，尝试维纳攻击（在e过大或过小的情况下，可使用算法从e中快速推断出d的值。）
但是依旧没有解出来

翻到一篇大佬的博客

利用格约基可以解这道题

构造格子并用LLL格约基

然后解题

总的代码就是

# sagemath
m = 0x596f7520686176652073756368206120736d616c6c207765696e65722e2049204841544520594f5521212121
N = 0x26553fbb7e4bd5bd48868a25f24d9cc5975aa8597f82110058e687dfa10dd0114c0d2011fa288dbd9d01c0a70dfa8212d5a218d513bdd8ebed9f75bc299e1461be8a23ed8ade96bc449d409fbbf5a328ee2ad3257e6c55a97641258730f74f4d3938f0df794546791ba2b1518b8d855e83f65f885d67aa000a01687ac605404e7bca681e51e6e195f77eb4785fcda0372e3d0fd90240f736243584677f89da4c6ab54d687897d5afb0801cc151c516b072aaa2d9aa8d39d34c230536cba077beaa88ff8e8940a5ba990cafd0b1326f209873a43a785d0c5477241fb6469b8c27c7d54908467a7525de18b2425901c0de3ed63472831c29818ce6efb0354c61f36b2e61146472e99209d198bc885ced0edb66eab62a968c9b98b49b756c689d69820ca1d97e1232c338084097078265ce79b25c1e37bc777247af3fee2ce7a87a697a120c0428327177cf6e934aa2d18e696474227d361a5c36992788c3b1aa8654b88852e897027d58b21576b25a5ffdcb9fbdc5167eb74f1c9082ae79ca0b89
e = 0xfc2e4d12eb69a42c074d9a0ddc6b84294f1e23d6eaa0ba53e9cb60ec0db203d31bdfb90eaca38189890ad26335ad6107cd234a415bfc73fc1bbd6c5d9da65249eebb57d889f91719cfdbd535ab19d2d317ffdf075870a62c6e05aac16c9b122e1c52d7dbeb2fb683514d0f463b58a4217f2e379e5a62be06e764e043a0eac5ac6af56816af926bcc4cd826ee1cfd4157496dc024042676503cec93de45c3c5e4dd9dcf85406a3cf93a9f784b9eef6e320cd9856aefff48df52127b98da8a0d207f588ce1c58e47419554590b1fa7fa3c38034f93a3a5112b6dd5e78c181abc2d972fbcb058575789c68c03f043bd4bf48d94fa7390c77f9fc033f3f01a5162d31056eb42a07397f3485b25396f93558466fc49ef80adea1e9d6c3d9edf529be5faf014669ae5f8e02433a2474d9c92fcc468d81aa0fd641a5647d55153713783a9e5d66fe70c9c2794325b28f20b751fb49359c4a8487bbfa7efc6270b7fa0ffe277276bba14027596d129fcbdef0a82aba24855bfd2155071b52c11da2d943
c = pow(m,e,N)
s = floor(sqrt(N))
M = Matrix([[e, s], [N, 0]])
vector= M.LLL()
D = [abs(vector[i, 1]) // s for i in [0,1]]
for d in D:if pow(c,d,N) == m:print(d)break
# dvCTF{79070855007994582698354011721316587208400326157509581241514418985973605934731}

Secure Or Not Secure

来源：dvctf2022

I made secure application but i lost my cookie and now I can't connect. Can you help me?nc challs.dvc.tf 2600

nc进入

------ Welcome to my secure login system ------
1. Login
2. Register
3. Exit
-----------------------------------------------
>>> 2
Username: re
Password: re
Here is your cookie: wr2TBvKa+oU0HY7emHvxwwgozYdLN6f1q76CQ5o+ahBzZv0Qf9p2645P90f+TqW566M5wYbOeg==
------ Welcome to my secure login system ------
1. Login
2. Register
3. Exit
-----------------------------------------------
>>> 1
Cookie: wr2TBvKa+oU0HY7emHvxwwgozYdLN6f1q76CQ5o+ahBzZv0Qf9p2645P90f+TqW566M5wYbOeg==
You're not the admin! The cookie b'username=re\x00\x00\x00\x00\x00\x00;admin=False;password=re\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' is invalid!
------ Welcome to my secure login system ------
1. Login
2. Register
3. Exit
-----------------------------------------------
>>> 2
Username: a
Password: a
Here is your cookie: wr2TBvKa+oU0DuvemHvxwwgozYdLN6f1q76CQ5o+ahBzZv0Qf9p2+OtP90f+TqW566M5wYbOeg==
------ Welcome to my secure login system ------
1. Login
2. Register
3. Exit
-----------------------------------------------
>>> 1
Cookie: \xc2\xbd\x93\x06\xf2\x9a\xfa\x854\x0e\xeb\xde\x98{\xf1\xc3\x08(\xcd\x87K7\xa7\xf5\xab\xbe\x82C\x9a>j\x10sf\xfd\x10\x7f\xdav\xf8\xebO\xf7G\xfeN\xa5\xb9\xeb\xa39\xc1\x86\xcez
Are you trying to cheat?!
------ Welcome to my secure login system ------
1. Login
2. Register
3. Exit
-----------------------------------------------
>>> 3

上次去对base进行了解码，没有解出来有用的东西
分析上面内容我们可以看到，当登录时使用的Cookie时注册得到的时候会返回You're not the admin!并且这时系统是可以通过Cookie推测出用户名是re，并且admin=False;而第二次尝试，我输入的Cookie不是注册得到，系统返回的是Are you trying to cheat?!

依旧参考那位师傅的博客，这位大佬直接想到了异或

将Cookie进行base64解码的结果例b'\xc2\xbd\x93\x06\xf2\x9a\xfa\x854\x1d\x8e\xde\x98{\xf1\xc3\x08(\xcd\x87K7\xa7\xf5\xab\xbe\x82C\x9a>j\x10sf\xfd\x10\x7f\xdav\xeb\x8eO\xf7G\xfeN\xa5\xb9\xeb\xa39\xc1\x86\xcez'与b'username=re\x00\x00\x00\x00\x00\x00;admin=False;password=re\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'进行异或
不信邪的去看了下，发现确实是一样长的

然后将异或得到的结果与将admin改成True之后的再次进行异或
最后重新用base64封装好就能去登录了

非常佩服这位大佬，下面看大佬的代码

import base64def xor(var, key):return bytes(a ^ b for a, b in zip(var, key))cookie = 'cbCVPcNz4b9mfY8sFPIjV0AzXYy1UuuF9Kmzf7w7a6/j6ZsHVLndCeaQ9tGTeU61o1GKk7+llQ=='
enc = base64.b64decode(cookie)
plain = b'username=\x00\x00\x00\x00\x00\x00\x00\x00;admin=False;password=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
a = b'admin=False;password=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b = b'admin=True;password=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
c = enc[18:] #18 là vị trí admin tương ứng trong enc
key = xor(a,c)
tmp = xor(b,key)print(base64.b64encode(enc[:18]+ tmp ))
#b'cbCVPcNz4b9mfY8sFPIjV0AzXYy1UuuF5rqqaeJwer3j7YMaQuDgCeaQ9tGTeU61o1GKk7+l'

再瞻仰一下大佬的成功

Cwyptographic Owacle

来源：dvctf2022

Nya :3

nc challs.dvc.tf 2601

import ecdsa
import random
import hashlib
import time
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Util.number import long_to_bytesFLAG = b'dvCTF{XXXXXXXXXXXXXXXXXXX}'def encrypt_flag(priv):key = long_to_bytes(priv)cipher = AES.new(key, AES.MODE_ECB)text = cipher.encrypt(pad(FLAG, 16))print(text.hex())m = 0print("Hiii ~~ Pwease feel fwee to use my sooper dooper cwyptographic owacle! ~~~~~~")
while True:print("[1] > Sign your own message ≧◡≦")print("[2] > Get the signed flag uwu ~~ ")print("[3] > Quit (pwease don't leave me)")try:n = int(input())if n<0 or n>3:raiseexcept:print("Nice try ಥ_ಥ")exit(1)if n==1:msg = input("What's your message senpai? (●´ω｀●) > ")G = ecdsa.NIST256p.generatororder = G.order()priv = random.randrange(1,order)Public_key = ecdsa.ecdsa.Public_key(G, G * priv)Private_key = ecdsa.ecdsa.Private_key(Public_key, priv)k = random.randrange(1, 2**128) if m==0 else int(time.time())*mm = int(hashlib.sha256(msg.encode()).hexdigest(),base=16)sig = Private_key.sign(m, k)print (f"Signature (r,s): ({sig.r},{sig.s})")elif n==2:if m==0:G = ecdsa.NIST256p.generatororder = G.order()priv = random.randrange(1,order)encrypt_flag(priv)else:print("Cya (◕︵◕) ")exit(1)

上次的尝试

Hiii ~~ Pwease feel fwee to use my sooper dooper cwyptographic owacle! ~~~~~~
[1] > Sign your own message ≧◡≦
[2] > Get the signed flag uwu ~~
[3] > Quit (pwease don't leave me)
1
What's your message senpai? (●´ω｀●) > re
Signature (r,s): (5574199079485227229736032865599767885817418344312674047445645256117624859582,51462972268344716865531777000256743426644776909735353695777643263919964904375)
[1] > Sign your own message ≧◡≦
[2] > Get the signed flag uwu ~~
[3] > Quit (pwease don't leave me)
2
3fbb20769e7cb4c00c5fd86a8ca8ba23f5b4b38dfa9cba4c9db98d45ca5a008e5658dfdcffcfcab9671fd038e299fcde
[1] > Sign your own message ≧◡≦
[2] > Get the signed flag uwu ~~
[3] > Quit (pwease don't leave me)
3
Cya (◕︵◕)

依旧只在这位大神这找到了解题
但是这道题并没有看懂解题过程，也不明白这个时间在这里意味着什么

还是贴一下大神的代码，等下次来看是不是能看懂

import ecdsa
import random
import libnum
import hashlib
import sys
import time
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad
from Crypto.Util.number import long_to_bytes
from pwn import *
# connect server
p = remote('challs.dvc.tf', 2601)m = int(hashlib.sha256('a'.encode()).hexdigest(),base=16)
G = ecdsa.NIST256p.generator
order = G.order()def decrypt_flag(priv,enc):key = long_to_bytes(priv)enc = bytes.fromhex(enc)print(enc)cipher = AES.new(key, AES.MODE_ECB)flag = unpad(cipher.decrypt(enc),16)return flag# sign lần đầu
p.sendlineafter(b"[3] > Quit (pwease don't leave me)", b'1')
p.sendline(b'a')# sign lần 2
p.sendlineafter(b"[3] > Quit (pwease don't leave me)", b'1')
p.sendline(b'a')
k = int(time.time())*mp.recvuntil(b'\r\n')
p.recvuntil(b"What's your message senpai? (\xe2\x97\x8f\xc2\xb4\xcf\x89\xef\xbd\x80\xe2\x97\x8f) > ")
p.recvuntil(b"Signature (r,s): (")# Nhận r,s và encrypt_flag ở lần sign thứ 2
r = p.recvuntil(b',', drop = True)
s = p.recvuntil(b')\r\n', drop = True)
p.sendline(b'2')
p.recvuntil(b"[1] > Sign your own message \xe2\x89\xa7\xe2\x97\xa1\xe2\x89\xa6\r\n[2] > Get the signed flag uwu ~~ \r\n[3] > Quit (pwease don't leave me)\r\n")enc = p.recvuntil(b'\r\n', drop = True)
r = int(r.decode('utf-8'))
s = int(s.decode('utf-8'))
enc = enc.decode('utf-8')
# print(r,s)
# print(enc)# Brute force giá trị của k lưu vào mảng, có thể chênh lệch vài giây gì đó
maybekey = []
for i in range(10):a = int(time.time()-i)*mmaybekey.append(a)b = int(time.time()+i)*mmaybekey.append(b)
print(maybekey)# kết hợp k,m tìm lại priv rồi decrypt AES.MODE_ECB
r_inv = libnum.invmod(r, order)
for i in maybekey:try_private_key = (r_inv * ((i * s) - m)) % ordertry:flag = decrypt_flag(try_private_key,enc)print(flag)except:print("None")
# dvCTF{y0u_h4v3_500p32_d00p32_c2yp70_5kill5_uwu}

RSA

来源：dvctf2022

Easy

Our team has found a cipher text: there seems to be some clues to decipher it. Can you help us to read it?

n = 0x7CD1020889B4382BE84B3F14EAAE242755CC1BD56F431B348F4FF8F207A96F41AFCF3EBDF4C17CB6537AD4B01B9FF9497763B22D013B614C8FCDB0C34F9D88F1A523013791EDFEB1FBBA160799892C118892FB7F199C9957DF5A26DAB4D776E5226F06ACD05412F6DD2B1B75D24CE9DC2DDAC513BCB96CD9B97F9BEF8543A3A1phi = 0x7CD1020889B4382BE84B3F14EAAE242755CC1BD56F431B348F4FF8F207A96F41AFCF3EBDF4C17CB6537AD4B01B9FF9497763B22D013B614C8FCDB0C34F9D88F037D2317D3864035ECE8BCDD458711B788B5B3FDFD5164F7D736D0A56F416E8C16126E3868D73F54AF4D61F6033E069994319C849460C60A725A0F4DD97EDCC84e = 0x10001ct = 0x268D7D5F5593EA30F536635B58585620B51D2D143AFE4734635C259278D61413D0C89678E81EDF466B1E45E27EBF802F62F61263E499A516465163C7CB668F94258B3424C3E2BD76634923DECD670E4B6034F8FD00C76F9DAD00A72DB22B70B9408C89FCEE4C9B0D2D4B5664284328711BFAD57FBE1EDCC0854AAD57390DCAD6

Hint：There is another decoding step after the decryption!

一直不知道要解码解什么码，从十六进制转为十进制是我没想到的

n = 87649082972615446885156213990388141958462041885187282183358321369043253078954716183685582963065012168992348062798954305060720006415266001335650005751863897735171741039420405425935144397447296138110870810719506425543947491726403454512721294407851871180512317063750030012483422248351385763316752934512386876321
phi = 87649082972615446885156213990388141958462041885187282183358321369043253078954716183685582963065012168992348062798954305060720006415266001335650005751863878602037628450194440652151553598137526621296494079379835255789373284025572667141114891644303376103362880682087270696210666254302024051328494090372669885572
e = 65537
ct = 27072622593514815453879432614324701776473574595747953216191498481974488509392434673536099100283731897243171732583922534894433636848515336632487302801454568578704912185172822029407973421574599852974535422485632743936976338461213855442178470548247222162434148032907372865397517157263392748002249405715658427094

这有什么区别吗