HSCTF-部分writeup
2024-04-25 12:12:37
1.XORed
根据题意,我们很容易发现这是一个异或加密,根据异或的运算法则,我们很容易解密,下面是我们的writeup
Key1 = 0x5dcec311ab1a88ff66b69ef46d4aba1aee814fe00a4342055c146533
Key13 = 0x9a13ea39f27a12000e083a860f1bd26e4a126e68965cc48bee3fa11b
Key235 = 0x557ce6335808f3b812ce31c7230ddea9fb32bbaeaf8f0d4a540b4f05
Key145 = 0x7b33428eb14e4b54f2f4a3acaeab1c2733e4ab6bebc68436177128eb
Key34 = 0x996e59a867c171397fc8342b5f9a61d90bda51403ff6326303cb865a
FlagKey12345= 0x306d34c5b6dda0f53c7a0f5a2ce4596cfea5ecb676169dd7d5931139
Key45=Key1^Key145
key12345=Key1^Key13^Key235^Key145^Key34^Key45
Flag=FlagKey12345^key12345
print hex(Flag)[2:-1].decode("hex")2.Chonky E
题目中提到一种加密算法Schmidt-Samoa cryptosystem。我们查询其原理大致是选择两个素数p,q,令N=pow(p,2)*q,c=pow(m,N,N)。其解密公式也是先算出d=pow(N,-1,lcm(p-1,q-1)),再解密m=pow(c,d,p*q)。由于Schmidt-Samoa cryptosystem和开始的RSA使用相同的p,q。而RSA宫要不已知且e接近n。所以我们先使用winner-attack计算出d,phin。再将n分解。然后根据RSA的p,q对Schmidt-Samoa cryptosystem解密
import gmpy2
e = 91043118409828550796773745518585981151180206101005135117565865602978722878478494447048783557571813980525643725323377488249838860897784683927029906188947001149632101513367258267329961684034661252866484981926055087386190015432964608927947646476193251820354738640453947833718397360834701566765504916472450194494897616371452996381159817427887623703639133290358520498419049175941584678802701606995099241245926884172985004839801270005583030514286561971825047719421487004569752638468907609110285739083279629747310953086535889932550905065172805818862336335628248528993024112446002398466115161473573451161053837400091893285717
n = 156749047558583013960513267351769479915110440411448078412590565797031533622509813352093119636835511977253033854388466854142753776146092587825440445182008237325262012698034419137157047927918635897378973846177552961727126115560551970797370239385129543828686170774323306933202481728884019420422360360849592983818405154473369790181636472137741865440233383956571081122982223602667853668754338360008279002325576495573847568301584365514417593244726435632222027817410359417329310347952169273512510934251453361933794586716533950489973436393834189505450956622286216819440777162804798432330933357058175885674184582816364542591313
#winner-attack算得
d= 0x5baecf6f9f0a1bd295e9650b4a10b4a717db030223e803f8e964a18ab9bcfc0954a8f410cc00177ad9f6a0d581e12c6dfd0672dd6e5c3ef37e108e91d39ba4fdL
phi= 0x4d9b10f2117ddad53727e6ce6599681f7275049e10057e06a66272a5c384f8f6c1f259836af50469b66c560e7d6999ed7071ccf5ff8e199e286ad18118d2a289b76861b73f1bebb3b2dde9ceee3e2b702695ccbd76a42f2c9f05f799e2f8b692eb1dc66c3b3ae3ea9e82d80bb9de3bb2c78df34641dc4b914e648db89ed9159b932a6aeee2b18b80205d08951091b4c422c8bfc2c7112d408519a0bfe846213eb7203e7a26f431f1cab48a2be9e694bf460a68adbe8a7e9f7a45a78c4c1f4a7939c585aa8282ce40d7e456819edfa3d65b1e2288db85c2eb8faf573e785273c79a0746706e3a047b5ec3b6ce6c302336df9e0f2f7e0adff5535dc96e452d70840L
cc=16267540901004879123859424672087486188548628828063789528428674467464407443871599865993337555869530486241139138650641838377419734897801380883629894166353225288006148210453677023750688175192317241440457768788267270422857060534261674538755743244831152470995124962736526978165448560149498403762447372653982922113772190234143253450918953235222315161964539311032659628670417496174123483045439359846360048774164337257829398345686635091862306204455687347443958931441225500856408331795261329035072585605404416473987280037959184981453888701567175803979981461050532113072292714696752692872526424122826696681194705563391161137426703690900733706866842363055967856443765215723398555522126909749236759332964873221973970368877565410624895160438695006432021529071866881905134494489266801004903504121740435965696128048690741210812963902631391765192187570107372453917327060678806282122942318369245760773848604249664378721970318257356486696764545
a=1
b=(phi-1-n)
c=n
delat=pow(b,2)-4*a*c
ii=gmpy2.iroot(delat,2)
p=(ii[0]-b)/(2*a)
q=n//p
assert p*q==n
NN=pow(p,2)*q
d=gmpy2.invert(NN,gmpy2.lcm((p-1),(q-1)))
m=pow(cc,d,n)
print hex(m)[2:].decode("hex")3.Morbid
经查询,我们发现这是一个首先将数字对应到摩斯电码,再将摩斯电码转为明文的解密过程。其中数字[1,2,3,4,5,6,7,8,9]对应字符['..', '.-', '.x', '-.', '--', '-x', 'x.', 'x-', 'xx'],但是我们不知道具体那个数字对应哪一个字符。然后摩斯密码中一个x表示字母之间的分割符,两个x表示单词之间的分隔符。我们据此对密文解密——首先对[1,2,3,4,5,6,7,8,9]和['..', '.-', '.x', '-.', '--', '-x', 'x.', 'x-', 'xx']之间的关系进行爆破。将不同的对应关系一一带入尝试解密,知道可以正确解密且密文中有flag字样表明我们爆破成功
import itertools
c="118289293938434193849271464117429364476994241473157664969879696938145689474393647294392739247721652822414624317164228466"
zimucodebook = {"a": ".-","b": "-...","c": "-.-.","d": "-..","e": ".","f": "..-.","g": "--.","h": "....","i": "..","j": ".---","k": "-.-","l": ".-..","m": "--","n": "-.","o": "---","p": ".--.","q": "--.-","r": ".-.","s": "...","t": "-","u": "..-","v": "...-","w": ".--","x": "-..-","y": "-.--","z": "--..","0": "-----","1": ".----","2": "..---","3": "...--","4": "....-","5": ".....","6": "-....","7": "--...","8": "---..","9": "----.",".": ".-.-.-",",": "--..--","?": "..--..","'": ".----.","!": "-.-.--","/": "-..-.","(": "-.--.",")": "-.--.-","&": ".-...",":": "---...",";": "-.-.-.","=": "-...-","+": ".-.-.","-": "-....-","_": "..--.-","\"": ".-..-.","$": "...-..-","@": ".--.-."," ": ""
}
zhuan1=['..', '.-', '.x', '-.', '--', '-x', 'x.', 'x-', 'xx']
revzimucodebook={}
for key, value in zimucodebook.items():revzimucodebook[value] = key
for perm in itertools.permutations(range(9)):m1=cfor i in range(9):m1=m1.replace(str(i+1),zhuan1[perm[i]])words = m1.split('x')try:mm="".join(revzimucodebook[word] for word in words)if "flag" in mm:print mmbreakexcept KeyError:continue
3.Randomization 1,Randomization 2
比较简单得逆向,使用了线性方程产生随机数列,根据逆向得到的线性方程和题目中给出得初始数,直接对后面得数字进行预测即可
4.Unexpected
根据题目易知不同的RSA机密公钥的n之间最大公约数不为1.根据这一点我们很快就可以对RSA做分解,解出私钥对密文求解
import gmpy2
N1 = 3895738302299059518129198422310169628530536557191890566210939781698372336257482186582163630847612416277492034959243510457939210010336159061758606919109259916143600981918456942199762738624796190838889500238780675229383463267807384154074134251073572174392024892486431125499446924573006208711810847272390619510395812856188247531815920797526102562723333957594242603466996229335924848954210939152042149332307810693239925149256224795031982752752336401872520016106145667479144091130160998875256860809091721275069193773739370057334041922519998813268278574260846083883264261920589114740823464192397850923545998904365370408113
N2 = 3036683903819675505741091164945461947189004916494633766372176282409409694958701211748277050499101511956962003835932755555293255586827283990400451317444723234406968971873530093281591689832798646915816609347861047534121792409030834659241904646743453387504496246791081682741245482378149293399372654558929658582070853972454887854658545741800574343930155288517185535533201220281739954820271979667081052363406511938025061398551356675540358212449132781674832812796443378476387659729623581274433769056775163718782871879747276327458473970177451591251859530403032170215968101310739004163533767679394201611410832974546802038041
N3 = 4793455677299549137382284585015750073239112414361680529255951318217960300841340399094743130287927996565298160174555422185410320841942637374406558835150138631140265626020072464652973386772727192540062051929655235552439145036105501434801984612127808829810146844869487529177642676245549299371487478280457673839725488195812744535928488844735950540356920273038857127652414836352483913807655170699520816765863272825856765769043174406026964068017257738085400965661973681558654658747878342173984592411085018242201038877382766239487564503728442821348064764166024851080258629751476765613997512620274759264076272801682962144457
E = 65537
C1 = 396708474546125804352894757436683688457291028695044217325853929491171136935487190613513217479209066321213697066977005912522338337419604329864854419961723570625025089500459612736934675744115710978556346050350466970024450696226499749911198313775828281699871502987873199226066403667788132060336882800770615332190939846610876881382430101512212915247532319827304296610854802037475047119525110795533529161852951539770153761419387662527094415537933400873451490021233979268224054475360645920086811082803271848565851436058022797610887635287190533293980480191482625531855511415716253479184799509403767653927424232672209598509
C2 = 355006513750551550798931713354683491263062473879176656452255051848683497534660576981575518851351256702360823676609578259232763677292692743319345273559085724516350773319337226043634439282120083618718026203533033564167432280901197175559735572797382863132012675404876908914335941746393221402727788260354881773319480220225939283398326940847106630716629330817737251316474369640273632208347751866683363389016722969822345738247486942531821199790024647950924227337611907877819668593060172268197128413003269501597578146759488894526193598933152416894414296396043283131502951693668167550687432080480619240585408701379144341703
C3 = 924835278307680480966328618545268895077532556525413716080960421925985654497130329688156219485942736928562517552888163928270855659413958949301590302010862666331053838345196518237383846281768395909801043955047640003147798786793258813501366000503338638933238548605016169865688228297750780710248359326295693845663887055907900967535999885217905972006140096240831305484619796964713673839223632057905454213937054336962510051529266336629730913756688411854427999570223208667606703681762027957427028839409594591627448224813082072169775916331655060221445546199171668136050686471357710989346885039441000083764142021784018773006q=gmpy2.gcd(N1,N2)
r=gmpy2.gcd(N2,N3)
p=gmpy2.gcd(N1,N3)
d1=gmpy2.invert(E,(p-1)*(q-1))
d2=gmpy2.invert(E,(r-1)*(q-1))
d3=gmpy2.invert(E,(p-1)*(r-1))
m1=pow(C1,d1,N1)
m2=pow(C2,d2,N2)
m3=pow(C3,d3,N3)
print hex(m1)[2:].decode("hex")+ hex(m2)[2:].decode("hex")+ hex(m3)[2:].decode("hex")5.smolE
本题使用相同的RSA加密体系对有着不同填充的明文加密。这里我们可以首先使用Random Padding Attack计算两个明文之间的差值是多少,然后使用Related Message Attacks计算出明文。注意这里由于对明文进行的填充,但我们不知道填充有多少位,所以我们需要爆破明文左移1位到8位的情况
Random Padding Attack:
Related Message Attacks:
writeup如下——我们首先使用Random Padding Attack计算两个明文之间的差,再使用Related Message Attacks计算出明文的值
N = 163741039289512913448211316444208415089696281156598707546239939060930005300801050041110593445808590019811244791595198691653105173667082682192119631702680644123546329907362913533410257711393278981293987091294252121612050351292239086354120710656815218407878832422193841935690159084860401941224426397820742950923
E = 3
C1 = 110524539798470366613834133888472781069399552085868942087632499354651575111511036068021885688092481936060366815322764760005015342876190750877958695168393505027738910101191528175868547818851667359542590042073677436170569507102025782872063324950368166532649021589734367946954269468844281238141036170008727208883C2 = 42406837735093367941682857892181550522346220427504754988544140886997339709785380303682471368168102002682892652577294324286913907635616629790484019421641636805493203989143298536257296680179745122126655008200829607192191208919525797616523271426092158734972067387818678258432674493723618035248340048171787246777PR.<x> = PolynomialRing(Zmod(N))
f = x^9+(3*C1-3*C2)*x^6+(3*C1^2+21*C1*C2+3*C2^2)*x^3+(C1-C2)^3
x0 = f.small_roots(X=2^64, beta=0.2)[0]b=x0
fenzi=b*(C2+2*C1-b^3)
fenmu=C2-C1+2*(b^3)
m1=(fenzi/fenmu)%N
m2=m1+b
print m1
print m2接下来我们去掉明文填充
import gmpy2
def shuchu(mingwenstr):if mingwenstr[len(mingwenstr)-1]=='L':mingwenstr=mingwenstr[2:len(mingwenstr)-1]else:mingwenstr=mingwenstr[2:len(mingwenstr)]if not len(mingwenstr)%2==0:mingwenstr='0'+mingwenstri=len(mingwenstr)mingwen=""while i>=1:str1=mingwenstr[i-2:i]if int(str1,16)>33 and int(str1,16)<128:mingwen=chr(int(str1,16))+mingwenelse :mingwen=" "+mingweni=i-2print mingwenm1=1426051161596273413795556654328320105145439332147585418507576775870780450590379567453641429082640842935901398525237698534587016076610446383728128936582478631369081375319103785503713430762835018940932512662482247881629813321166872870577809910090459052486979919351413039719867069160
shuchu(hex(m1<<7))
6.Extremely Complex Challenge
我们已知椭圆曲线的b,p和椭圆曲线上的基点P一个Q,求私钥。我们首先根据点将椭圆曲线的参数a求出。然后我们暴力求解私钥
b=54575449882
p=404993569381
xp=391109997465
yp=167359562362
xpinv=inverse_mod(xp,p)
a=(((yp)^2-(xp)^3-b)*inverse_mod(xp,p))%p
E=EllipticCurve(GF(p), [a,b])
Ep=E([391109997465, 167359562362])
Eq=E([209038982304, 168517698208])
d1 = discrete_log(Eq, Ep, Ep.order(), operation="+")
print d1HSCTF-部分writeup相关推荐
- 2021年中国工业互联网安全大赛核能行业赛道writeup之usb流量分析
目录 一.USB协议 二.键盘流量 三.鼠标流量 四.writeup 附件题:usb流量分析 题目描述: 具体描述忘记了o(╯□╰)o 大概意思是有个U盘插到电脑上,然后经过一些操作导致该电脑重启了. ...
- 2021年中国工业互联网安全大赛核能行业赛道writeup之鱿鱼游戏
目录 一.尝试 二.Writeup 附加题 鱿鱼游戏(来自最近一部很火的韩剧) 题目描述: 小王由于操作不规范,误将不明U盘插入到上位机中,导致上位机中的某些关键文件被加密,但攻击者在U盘中还留下了一 ...
- 2018湖湘杯海选复赛Writeup
2018湖湘杯Writeup 0x01 签到题 0x02 MISC Flow 0x03 WEB Code Check 0x04 WEB Readflag 0x05 WEB XmeO 0x06 Reve ...
- php upload ctf,强网杯CTF防御赛ez_upload Writeup
这是强网杯拟态防御线下赛遇到的web题目,本来是不打算分享Writeup的,但是由于问的人很多,于是这里分享给大家. ez_upload这题算是非常经典的堆叠black trick的题目,算是比较典型 ...
- 安恒赛php_安恒11月月赛周周练writeup
前言 11月月赛 完美错过时间,正好有周周练,基本都是一样月赛的web,记录下write up 手速要快 这题是10月月赛中的一题,直接看我上次的writeup:安恒月赛(十)web-2题writeu ...
- 南京邮电大学网络攻防训练平台(NCTF)-异性相吸-Writeup
南京邮电大学网络攻防训练平台(NCTF)-异性相吸-Writeup 题目描述 文件下载地址 很明显,文件之间进行亦或就可得到flag,不再多说,直接上脚本 1 #coding:utf-8 2 file ...
- 社团的CTF逆向题WriteUp
最近社团弄了CTF比赛,然后我就帮忙写了逆向的题目,这里写一下WriteUp,题目和源码在附件中给出 一个简单的逆向:one_jmp_to_flag.exe 这题算是签到题,直接OD智能搜索就完事了, ...
- CTF-i春秋网鼎杯第一场misc部分writeup
CTF-i春秋网鼎杯第一场misc部分writeup 最近因为工作原因报名了网鼎杯,被虐了几天后方知自己还是太年轻!分享一下自己的解题经验吧 minified 题目: 一张花屏,png的图片,老方法, ...
- NCTF2019 -- PWN部分writeup
pwn学习总结(二) -- PWN部分writeup warmup easy_rop warmup 查看程序防护: 查看反汇编: 已知条件: 开启了溢出检测 开启了沙盒模式,只能调用libc中的ope ...
- 攻防世界-web-shrine-从0到1的解题历程writeup
题目环境分析 首先开启靶机获取到题目如下 import flask import os app = flask.Flask(__name__) app.config['FLAG'] = os.envi ...
最新文章
- 生成各种统计图的C#方法
- 什么是RosBE及其安装使用、第一次生成ReactOS的VS工程失败
- 人工智能 | 人脸识别研究报告(概念篇)
- QML基础类型之var
- MyBatis 源码解读-environmentsElement()
- Thinkphp 使用过程中,模型中使用其它表却总是没起作用的解决办法
- PAT 乙级 1027. 打印沙漏(20) Java版
- RISC-V学习资料:《手把手教你设计CPU——RISC-V处理器》
- 从FindBugs中学Java【四】
- [xsy1515]小学生数学题
- 斐讯k2路由器刷华硕固件做桥接中继
- 2021年5月CCAA注册审核员考试认证通用基础真题
- CSF文件格式播放器
- 微信小程序 图片显示不完全
- 源代码加密几种简单方法
- chromium的下载和编译
- 数据库课程大作业——数据分析与数据管理系统实践
- 关于最近网上谣言传的很凶的 “太吾绘卷” 游戏源代码的问题。
- 研究股票?我们偷偷告诉你一个算法
- hdu Find Integer (6441)(大费马定理)