crypto-music is frequency(INS‘hAck CTF 2018)

比较有趣的一题，记录下来。

Music is frequency

Passionated by the sound of a nursery rhyme, we decided to build a new way to send private messages.
Find a way to decrypt our rsa private key to get your reward.
Because we are pretty bad musicians, we have decided to not take into account any rhythm and to round all used number to the closest.

题目同时提供的一张 Frere Jacques 歌曲的乐谱

还有两个文件:

#flag.enc
vzs9XGL8QMJcc/OSpU5p/Iz5VpPZ9dHp6KUeaJXD7U3iQ/K9+BiT5ku/ZLGXua04uDiZUqyCVq6Qz8ovC8W7gQYI10vTuVbg3JX0848caJQYm7QVBleUJQP77AN6WH94CcWSfhgTQ0hVcHrx80aFcfwHYFLNA8kSJRVw44mwxcMiXu5CjqghFSf9lYBSbdRlV9zr9MHua5+xo5JdYQ0s+kUpgo+8pioOupBIWrPeKM6hkwseQEpM3zbmvjs6honNkZmtXKjHik6LBt/SoZJghIvxrQnUJ6RbvZbLugAzaTeMg3ROL/n8ArUvAGOcw0QzjyrJpSU9iPm2y+VPnrpTDA==

#privatekey.bin
00000000h: 1D 1D 1D 1D 1D 72 75 76 79 7F 10 63 62 70 10 61 ; .....ruvy..cbp.a
00000010h: 62 79 66 71 64 75 10 7A 74 69 1D 1D 1C 1D 1D 3A ; byfqdu.zti.....:
00000020h: 7D 79 79 75 5F 47 79 73 70 71 7A 72 70 61 75 71 ; }yyu_Gyspqzrpauq
00000030h: 4A 7D 1B 6A 07 60 60 61 5A 09 5C 07 52 5E 79 70 ; J}.j.``aZ.\.R^yp
00000040h: 64 49 47 42 5A 55 58 7F 01 66 5C 5B 55 75 52 6B ; dIGBZUX..f\[UuRk
00000050h: 07 59 53 71 03 69 61 7F 73 53 5F 46 43 5F 46 58 ; .YSq.ia.sS_FC_FX
00000060h: 3A 72 65 03 48 53 68 4B 7E 45 79 4B 42 52 00 05 ; :re.HShK~EyKBR..
00000070h: 64 7B 05 47 61 45 47 73 02 5C 69 64 5D 72 78 1E ; d{.GaEGs.\id]rx.
00000080h: 64 53 73 73 58 4A 04 74 7E 49 04 59 48 5D 52 1F ; dSssXJ.t~I.YH]R.
00000090h: 7D 79 7B 5D 69 62 49 5B 5D 5B 7E 66 06 72 7C 52 ; }y{]ibI[][~f.r|R
000000a0h: 65 3A 56 67 7B 72 47 79 7D 40 53 64 43 7D 06 5B ; e:Vg{rGy}@SdC}.[
000000b0h: 5E 62 52 55 02 5D 59 77 4B 43 58 7D 41 48 5E 06 ; ^bRU.]YwKCX}AH^.
000000c0h: 7F 66 03 02 53 5A 62 5F 48 45 59 54 59 7D 77 76 ; .f..SZb_HEYTY}wv
000000d0h: 67 76 73 5D 49 5C 7D 72 7A 77 05 46 41 41 06 5C ; gvs]I\}rzw.FAA.\
000000e0h: 08 09 3A 05 57 7D 56 40 47 04 47 67 5F 08 09 76 ; ..:.W}V@G.Gg_..v
000000f0h: 7D 61 65 7F 74 48 5C 5B 7E 09 7D 65 05 77 64 1A ; }ae.tH\[~.}e.wd.
00000100h: 47 47 75 66 59 04 70 00 46 7D 72 7A 64 48 7F 7B ; GGufY.p.F}rzdH.{00000110h: 66 48 08 6A 76 01 5E 1E 07 7C 65 67 49 58 7E 40 ; fH.jv.^..|egIX~@
00000120h: 03 73 58 3A 51 59 61 00 62 01 74 50 43 44 75 59 ; .sX:QYa.b.tPCDuY
00000130h: 66 00 49 59 68 04 7D 7D 7E 4B 03 7B 09 02 53 59 ; f.IYh.}}~K.{..SY
00000140h: 5D 46 78 05 5A 68 40 7D 74 65 7E 01 74 7C 52 41 ; ]Fx.Zh@}te~.t|RA
00000150h: 64 73 53 01 01 45 65 67 05 04 53 77 4B 01 42 59 ; dsS..Eeg..SwK.BY
00000160h: 76 5E 40 61 3A 07 7F 61 69 6A 54 07 72 5F 47 73 ; v^@a:..aijT.r_Gs
00000170h: 49 59 74 52 47 49 45 7C 09 07 5E 7B 52 1F 05 61 ; IYtRGIE|..^{R..a
00000180h: 74 74 62 45 59 77 5F 62 43 54 60 78 75 71 61 71 ; ttbEYw_bCT`xuqaq
00000190h: 72 71 5F 79 72 71 73 5C 65 50 71 7A 74 72 60 41 ; rq_yrqs\ePqztr`A
000001a0h: 1F 71 09 03 5C 3A 51 7B 49 40 7D 57 5D 46 66 60 ; .q..\:Q{I@}W]Ff`
000001b0h: 64 5A 5A 67 05 66 59 76 07 58 1B 5A 5E 1A 58 57 ; dZZg.fYv.X.Z^.XW
000001c0h: 40 78 03 45 72 78 47 04 5F 41 76 52 73 55 56 4B ; @x.ErxG._AvRsUVK
000001d0h: 6A 64 78 5B 5B 77 5C 7D 5F 70 49 72 72 1A 02 5D ; jdx[[w\}_pIrr..]
000001e0h: 65 67 57 08 43 49 3A 09 75 75 7F 64 45 45 40 5E ; egW.CI:.uu.dEE@^
000001f0h: 47 09 65 66 43 56 72 1A 68 68 65 76 75 52 49 7B ; G.efCVr.hhevuRI{00000200h: 66 71 46 60 08 77 59 56 72 52 5F 57 68 73 71 1E ; fqF`.wYVrR_Whsq.
00000210h: 7A 60 58 62 63 7F 75 77 02 77 73 00 45 76 63 66 ; z`Xbc.uw.ws.Evcf
00000220h: 73 07 05 08 47 76 55 3B 03 05 5D 42 61 55 47 53 ; s...GvU;..]BaUGS
00000230h: 55 52 42 7B 46 75 02 60 57 49 07 02 40 6B 4A 77 ; URB{Fu.`WI..@kJw
00000240h: 05 63 75 66 74 5C 45 09 61 4B 65 5E 65 5E 01 52 ; .cuft\E.aKe^e^.R
00000250h: 47 60 77 05 76 51 48 01 4B 77 79 64 45 45 5E 48 ; G`w.vQH.KwydEE^H
00000260h: 46 51 57 71 06 1B 03 55 3B 59 1A 7B 68 47 69 1F ; FQWq...U;Y.{hGi.
00000270h: 7E 41 7F 7B 51 05 1F 7F 41 05 1F 68 00 70 4A 05 ; ~A.{Q...A..h.pJ.
00000280h: 78 73 58 58 54 73 62 5C 7B 5F 55 64 76 05 48 08 ; xsXXTsb\{_Udv.H.
00000290h: 5B 47 77 56 67 59 75 61 60 59 67 5C 7F 7A 50 6A ; [GwVgYua`Yg\.zPj
000002a0h: 41 5B 4A 7B 78 6A 02 47 7B 3A 5E 52 45 04 07 42 ; A[J{xj.G{:^RE..B
000002b0h: 66 40 41 62 58 02 54 47 42 06 50 09 44 71 04 49 ; f@AbX.TGB.P.Dq.I
000002c0h: 75 01 6A 7E 42 61 74 57 5B 68 06 73 49 5E 66 57 ; u.j~BatW[h.sI^fW
000002d0h: 07 75 7A 45 7D 1B 66 54 61 1F 02 6A 7E 02 70 1E ; .uzE}.fTa..j~.p.
000002e0h: 79 41 03 69 7E 7B 04 6A 09 45 3A 60 41 76 7D 49 ; yA.i~{.j.E:`Av}I
000002f0h: 04 75 73 57 69 75 70 4A 01 52 5A 56 7E 58 75 65 ; .usWiupJ.RZV~Xue
00000300h: 01 06 5D 51 08 77 4B 7D 1B 5F 53 79 63 5C 45 08 ; ..]Q.wK}._Syc\E.
00000310h: 58 7F 7B 40 46 55 7A 08 76 09 5F 7F 40 60 04 6A ; X.{@FUz.v._.@`.j
00000320h: 59 61 78 7E 68 64 74 55 46 5A 54 3B 54 69 79 7C ; Yax~hdtUFZT;Tiy|
00000330h: 5F 06 63 4A 7A 73 48 01 47 02 49 44 70 72 03 1A ; _.cJzsH.G.IDpr..
00000340h: 59 72 04 7A 7C 46 08 48 08 67 56 55 5F 68 74 5E ; Yr.z|F.H.gVU_ht^
00000350h: 61 67 59 75 59 64 63 79 48 47 62 67 72 40 7D 7D ; agYuYdcyHGbgr@}}
00000360h: 54 5B 7E 62 62 73 46 44 46 43 46 64 3B 08 47 7C ; T[~bbsFDFCFd;.G|
00000370h: 59 68 51 09 7B 66 69 41 5C 5B 55 09 66 61 4B 52 ; YhQ.{fiA\[U.faKR
00000380h: 57 67 5D 75 74 52 59 02 44 59 42 05 05 71 4A 51 ; Wg]utRY.DYB..qJQ
00000390h: 77 58 60 04 59 71 7C 5B 53 66 78 65 62 54 4A 74 ; wX`.Yq|[SfxebTJt
000003a0h: 49 45 7A 65 73 57 69 74 71 1E 7F 73 1A 3B 02 08 ; IEzesWitq..s.;..
000003b0h: 56 40 52 71 76 63 02 7E 7D 78 78 60 7F 03 65 5E ; V@Rqvc.~}xx`..e^
000003c0h: 67 60 49 40 71 7F 48 67 6A 01 73 5B 03 56 48 57 ; g`I@q.Hgj.s[.VHW
000003d0h: 56 67 7E 53 1F 62 5D 79 53 50 46 07 76 05 78 78 ; Vg~S.b]ySPF.v.xx
000003e0h: 56 71 48 4A 02 67 06 78 72 7E 7D 65 7D 05 3B 55 ; VqHJ.g.xr~}e}.;U
000003f0h: 62 1F 60 55 68 64 53 73 43 61 7F 5B 5B 73 44 1A ; b.`UhdSsCa.[[sD.
00000400h: 56 6A 6A 78 75 7E 52 58 52 5C 05 53 64 04 60 5B ; Vjjxu~RXR\.Sd.`[
00000410h: 64 79 73 77 44 56 76 5F 5E 44 7F 66 5E 61 62 49 ; dyswDVv_^D.f^abI
00000420h: 7C 43 63 61 7E 55 56 5B 09 04 4B 4B 57 63 03 3A ; |Cca~UV[..KKWc.:
00000430h: 53 6A 04 45 61 5D 64 55 69 74 58 68 60 52 7D 41 ; Sj.Ea]dUitXh`R}A
00000440h: 79 77 47 5A 7B 71 62 6B 53 52 60 06 52 67 02 08 ; ywGZ{qbkSR`.Rg..
00000450h: 71 76 49 7D 74 02 75 72 56 69 71 61 45 76 63 78 ; qvI}t.urViqaEvcx
00000460h: 5D 06 07 61 5C 59 1B 62 61 45 5B 63 7B 55 44 55 ; ]..a\Y.baE[c{UDU
00000470h: 3A 60 00 04 08 40 62 6B 5D 5F 65 43 56 73 40 62 ; :`...@bk]_eCVs@b
00000480h: 67 00 62 65 5D 48 69 73 61 7C 5B 5A 63 60 57 67 ; g.be]Hisa|[Zc`Wg
00000490h: 45 58 77 45 42 5F 03 5D 7D 64 7D 5C 68 54 5D 61 ; EXwEB_.]}d}\hT]a
000004a0h: 7F 52 06 69 49 75 65 5C 43 7C 1B 58 54 7B 40 70 ; .R.iIue\C|.XT{@p
000004b0h: 5B 3A 4A 48 5B 60 7B 1E 48 72 5A 67 65 7C 43 41 ; [:JH[`{.HrZge|CA
000004c0h: 7F 07 09 5C 55 45 74 02 04 52 5E 06 7B 60 4B 7A ; ...\UEt..R^.{`Kz
000004d0h: 47 5D 01 41 1F 7F 79 78 76 71 43 47 69 61 7A 6B ; G].A..yxvqCGiazk
000004e0h: 7C 43 09 01 07 52 07 64 64 09 59 03 69 7D 54 63 ; |C...R.dd.Y.i}Tc
000004f0h: 74 7B 3A 7D 68 40 5A 1F 7A 62 71 45 5C 61 76 61 ; t{:}h@Z.zbqE\ava
00000500h: 77 7D 04 49 6A 03 42 57 61 7B 72 57 60 74 78 53 ; w}.Ij.BWa{rW`txS
00000510h: 79 5F 1F 6A 5E 06 53 66 44 60 02 70 7B 7A 02 5F ; y_.j^.SfD`.p{z._
00000520h: 60 69 59 53 02 00 68 7A 77 48 09 43 52 46 5B 1F ; `iYS..hzwH.CRF[.
00000530h: 56 5C 06 3A 64 42 54 50 73 62 1F 57 61 40 09 67 ; V\.:dBTPsb.Wa@.g
00000540h: 41 64 73 7B 54 76 78 5E 02 74 5E 7F 6B 4A 41 79 ; Ads{Tvx^.t^.kJAy
00000550h: 64 74 52 42 65 68 5E 69 5B 43 66 09 7A 48 07 70 ; dtRBeh^i[Cf.zH.p
00000560h: 54 57 61 75 54 7F 42 5C 49 5F 75 03 49 7A 42 59 ; TWauT.B\I_u.IzBY
00000570h: 09 5B 40 04 3A 05 02 65 59 43 05 5B 49 00 46 59 ; .[@.:..eYC.[I.FY
00000580h: 47 06 05 6A 79 02 68 63 53 7C 5A 45 7A 7B 73 03 ; G..jy.hcS|ZEz{s.
00000590h: 7A 76 73 54 09 72 44 5A 01 62 75 41 41 52 79 00 ; zvsT.rDZ.buAARy.
000005a0h: 06 1B 54 41 64 01 47 77 06 62 48 70 00 50 58 53 ; ..TAd.Gw.bHp.PXS
000005b0h: 66 61 77 01 03 3A 6A 44 7B 56 5F 61 7B 73 56 71 ; faw..:jD{V_a{sVq
000005c0h: 48 49 79 00 66 58 43 5D 56 02 5F 76 40 01 49 57 ; HIy.fXC]V._v@.IW
000005d0h: 09 7E 57 49 03 05 46 08 55 7B 03 50 5A 77 41 5C ; .~WI..F.U{.PZwA\
000005e0h: 79 63 1F 5C 02 6A 40 61 79 62 42 40 79 72 69 7F ; yc.\.j@aybB@yri.
000005f0h: 48 63 51 53 65 5F 3A 47 56 60 42 7F 05 50 56 59 ; HcQSe_:GV`B..PVY
00000600h: 04 71 60 1F 5E 71 69 75 5A 5A 5D 06 77 77 52 41 ; .q`.^qiuZZ].wwRA
00000610h: 01 72 05 40 02 77 72 4B 48 68 5C 71 7B 44 7C 40 ; .r.@.wrKHh\q{D|@
00000620h: 54 55 71 63 1F 05 40 67 41 45 42 1E 7D 56 73 7F ; TUqc..@gAEB.}Vs.
00000630h: 73 74 06 56 55 02 45 3B 53 09 76 03 06 5C 41 55 ; st.VU.E;S.v..\AU
00000640h: 75 1B 4A 66 44 59 7B 61 5F 5D 5B 79 5E 40 5B 58 ; u.JfDY{a_][y^@[X
00000650h: 1B 01 40 59 4A 62 07 42 54 54 02 65 59 5C 51 5F ; ..@YJb.BTT.eY\Q_
00000660h: 76 69 07 4A 62 61 5F 66 6B 79 52 41 3B 1D 1D 1D ; vi.Jba_fkyRA;...
00000670h: 1D 1D 75 7E 74 10 62 62 71 11 60 63 78 67 71 65 ; ..u~t.bbq.`cxgqe
00000680h: 75 10 7B 75 69 1D 1D 1C 1C 1D                   ; u.{ui.....

比较明显的就是flag.enc和privatekey.bin对应密文和加密密钥，要想办法进行解密。
尝试用歌谱中每个音符对应的频率值对密钥进行解密但好像没有办法。

观察私钥文件中开头和结尾的内容，我们注意到密钥以 1d 1d 1d 1d 1d - 1d 1d 1c 1d 1d 开头并以 1d 1d 1d 1d 1d - 1d 1d 1c 1c 1d结尾。回忆普通私钥开头格式 -----BEGIN RSA PRIVATE KEY-----，与之有很高相似度。另外经过比对发现1d之间的字节数与BEGIN RSA PRIVATE KEY一致。

把加密过的密钥头和常见密钥头异或一下，得到一个串0000000101011101000000011000100

大概可以看出七个0是分隔符的情况下，第一个有效数据是 101011101 转化为十进制是 349，查一下C大调音符频率值

C - do - 261.6HZ
D - re - 293.6HZ
E - mi - 329.6HZ
F - fa - 349.2HZ
G - sol- 392HZ
A - la - 440HZ
B - si - 493.8HZ

这正是乐谱中第一个音符F的频率。

可以利用这个规律反解一下密钥。

from Crypto.Util import strxor
def xor(a,b):return strxor.strxor(a,b)
begin_c = b'\x1D\x1D\x1D\x1D\x1D\x72\x75\x76\x79\x7F\x10\x63\x62\x70\x10\x61\x62\x79\x66\x71\x64\x75\x10\x7A\x74\x69\x1D\x1D\x1C\x1D\x1D'
end_c = b'\x1D\x1D\x1D\x1D\x1D\x75\x7E\x74\x10\x62\x62\x71\x11\x60\x63\x78\x67\x71\x65\x75\x10\x7B\x75\x69\x1D\x1D\x1C\x1C\x1D'
begin_p = b'-----BEGIN RSA PRIVATE KEY-----'
end_p = b'-----END RSA PRIVATE KEY-----'
print(xor(begin_c, begin_p))
#print(xor(end_c, end_p))
def note2bin(freq):return format(freq, '016b')
def repeat(s, wanted):return (s * (wanted//len(s) + 1))[:wanted]
pk = open("privatekey.bin", "rb").read()
keystream = ""
notes = [349,392,440,349,349,392,440,349,440,466,523,440,466,523,523,587,523,466,440,349,523,587,523,466,440,349,349,262,349,349,262,349]
for n in notes:keystream += note2bin(n)
keystream = repeat(keystream, len(pk)).encode()
key = xor(pk, keystream)
with open("privatekey.pem", "w") as f:f.write(key.decode())

使用简单解密命令。

$ base64 -d flag.enc > flag.bin
$ openssl rsautl -decrypt -inkey privatekey.pem -in flag.bin -out decrypted.txt -raw

crypto-music is frequency(INS‘hAck CTF 2018)相关推荐

X-MAS CTF 2018 - Crypto - Hanukkah
参考链接 https://ctftime.org/task/7321 https://github.com/VoidHack/write-ups/tree/master/X-MAS%20CTF%202 ...
XJNU CTF 2018
@Time:2018/9/19 记一次对我这个新手来说,较为简单的CTF WEB web10 访问 http://ctf.xjnu.edu.cn:9900/web10/ 暗示使用sqlmap,没办法, ...
[Western CTF 2018]shrine
1NDEX 0x00 前言 0x01 brain.md 知识扩充 url_for get_flashed_messages() 0x02 rethink 0x00 前言 ssti复习贴一下源码 im ...
CTF各种资源：题目、工具、资料
目录题目汇总 Reverse 签到题 Web Web中等难度 Crypto 基础网站各类工具综合 Web Payloads 逆向 Pwn 取证题目汇总这里收集了我做过的CTF题目 Rever ...
CTF Web题部分WP
1.web2 听说聪明的人都能找到答案 http://123.206.87.240:8002/web2/ CTRL + u 查看源代码 2.计算器 http://123.206.87.240:8002 ...
CTF网络安全大赛介绍
赛事介绍 CTF竞赛模式分为以下三类: 一.解题模式(Jeopardy)在解题模式CTF赛制中,参赛队伍可以通过互联网或者现场网络参与,这种模式的CTF竞赛与ACM编程竞赛.信息学奥赛比较类似,以解决 ...
CTF 音频隐写大总结
赛题概览 Nuit du Hack CTF Qualifications: Here, kitty kitty! 环境 Windows 考察点 WAV音频文件隐写术 Python基础密码学工具 A ...
【CTF解题】BCTF2018-houseofatum-Writeup题解
先把ld和Libc给换成题目给的 patchelf --set-interpreter ./glibc-all-in-one/libs/2.26-0ubuntu2_amd64/ld-2.26.so - ...
必火CTF闯关(1)
CTF初级赛第一关右击检查元素可以发现有个判断语句,复制粘贴即可过关第二关把图片保存到桌面,打开后看到下一关地址复制到url中即可第四关 url解码即可第五关输入账号密码后,错误没有返回 ...

crypto-music is frequency(INS‘hAck CTF 2018)

Music is frequency

crypto-music is frequency(INS‘hAck CTF 2018)相关推荐

最新文章

热门文章