BUUCTF Crypto RSA what writeup
我的博客:https://blog.slight-wind.com/
RSA & what writeup
RSA共模攻击 + Base64隐写
在 buu 刷到的一题,看到 N 用了两次,但 RSA 共模攻击解完发现还没结束…
from Crypto.Util.number import*
import base64def egcd(a, b):if a == 0:return (b, 0, 1)else:g, y, x = egcd(b % a, a)return (g, x - (b // a) * y, y)def CMA(n,e1,e2,c1,c2):s = egcd(e1, e2)s1 = s[1]s2 = s[2]if s1<0:s1 = - s1c1 = inverse(c1, n)elif s2<0:s2 = - s2c2 = inverse(c2, n)m = pow(c1,s1,n)*pow(c2,s2,n) % nreturn mf1=open("HUB1")
f2=open("HUB2")
N=f1.readline()
N=f2.readline()
e1,e2=f1.readline(),f2.readline()
f1.readline()
f2.readline()
c1,c2=f1.readline(),f2.readline()
ans=b''
cnt=0
while len(c1)!=0:cnt+=1ans+=long_to_bytes(CMA(int(N),int(e1),int(e2),int(c1),int(c2)))#print(base64.b64decode(temp))c1,c2=f1.readline(),f2.readline()
temp=b''
M=b''
print(ans)
for i in ans:k=long_to_bytes(i)#print(i," ",end="")if k==b'\n':M+=base64.b64decode(temp)temp=b''continuetemp+=k
print(M)
到这里可以解出来 base64 编码和解码后的明文。
b'VEhJUz==\nRkxBR3==\nSVN=\nSElEREVOLo==\nQ0FO\nWU9V\nRklORM==\nSVT=\nT1VUP4==\nRE8=\nWU9V\nS05PV9==\nQkFTRTY0P5==\nWW91bmdD\nVEhJTku=\nWU9V\nQVJF\nTk9U\nVEhBVE==\nRkFNSUxJQVI=\nV0lUSO==\nQkFTRTY0Lh==\nQmFzZTY0\naXO=\nYW==\nZ3JvdXA=\nb2b=\nc2ltaWxhcn==\nYmluYXJ5LXRvLXRleHR=\nZW5jb2Rpbme=\nc2NoZW1lc0==\ndGhhdD==\ncmVwcmVzZW50\nYmluYXJ5\nZGF0YW==\naW5=\nYW6=\nQVNDSUl=\nc3RyaW5n\nZm9ybWF0\nYnk=\ndHJhbnNsYXRpbmd=\naXS=\naW50b1==\nYT==\ncmFkaXgtNjQ=\ncmVwcmVzZW50YXRpb24u\nVGhl\ndGVybc==\nQmFzZTY0\nb3JpZ2luYXRlc8==\nZnJvbd==\nYY==\nc3BlY2lmaWN=\nTUlNRT==\nY29udGVudI==\ndHJhbnNmZXI=\nZW5jb2Rpbmcu\nVGhl\ncGFydGljdWxhct==\nc2V0\nb2b=\nNjR=\nY2hhcmFjdGVyc5==\nY2hvc2Vu\ndG+=\ncmVwcmVzZW50\ndGhl\nNjQ=\ncGxhY2UtdmFsdWVz\nZm9y\ndGhl\nYmFzZd==\ndmFyaWVz\nYmV0d2Vlbt==\naW1wbGVtZW50YXRpb25zLp==\nVGhl\nZ2VuZXJhbI==\nc3RyYXRlZ3n=\naXO=\ndG9=\nY2hvb3Nl\nNjR=\nY2hhcmFjdGVyc5==\ndGhhdA==\nYXJl\nYm90aN==\nbWVtYmVyc5==\nb2a=\nYS==\nc3Vic2V0\nY29tbW9u\ndG8=\nbW9zdM==\nZW5jb2RpbmdzLA==\nYW5k\nYWxzb8==\ncHJpbnRhYmxlLg==\nVGhpc9==\nY29tYmluYXRpb25=\nbGVhdmVz\ndGhl\nZGF0YW==\ndW5saWtlbHk=\ndG/=\nYmV=\nbW9kaWZpZWS=\naW5=\ndHJhbnNpdE==\ndGhyb3VnaN==\naW5mb3JtYXRpb26=\nc3lzdGVtcyw=\nc3VjaN==\nYXM=\nRS1tYWlsLD==\ndGhhdA==\nd2VyZQ==\ndHJhZGl0aW9uYWxseQ==\nbm90\nOC1iaXQ=\nY2xlYW4uWzFd\nRm9y\nZXhhbXBsZSw=\nTUlNRSdz\nQmFzZTY0\naW1wbGVtZW50YXRpb24=\ndXNlcw==\nQahDWiw=\nYahDeiw=\nYW5k\nMKhDOQ==\nZm9y\ndGhl\nZmlyc3Q=\nNjI=\ndmFsdWVzLg==\nT3RoZXI=\ndmFyaWF0aW9ucw==\nc2hhcmU=\ndGhpcw==\ncHJvcGVydHk=\nYnV0\nZGlmZmVy\naW4=\ndGhl\nc3ltYm9scw==\nY2hvc2Vu\nZm9y\ndGhl\nbGFzdA==\ndHdv\ndmFsdWVzOw==\nYW4=\nZXhhbXBsZQ==\naXM=\nVVRGLTcu'
解码后的明文:(出题人科普了一遍 base64??)
THIS FLAG IS HIDDEN.
CAN YOU FIND IT OUT?
DO YOU KNOW BASE64?
Young C THINK YOU ARE NOT THAT FAMILIAR WITH BASE64.
Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.
The term Base64 originates from a specific MIME content transfer encoding.
The particular set of 64 characters chosen to represent the 64 place-values for the base varies between implementations.
The general strategy is to choose 64 character sthatare both members of a subset common to most encodings,
and also printable.
This combination leaves the data unlikely to be mod if iedintransit through in formation systems,
such as E-mail,that were tradition all ynot 8-bit clean.
[1]Forexample,MIME’s Base64 implement ation uses A\xa8CZ,a\xa8Cz,and 0\xa8C9 for the first 62 values.
Other variations share this property butdiffer in the symbols chosen for the last two values;an example is UTF-7.
明文里显然不能获得更多信息了,只能看那段 base64 编码,它的特别之处在于分了很多很多小段,不难想到(之前做过)base64隐写。
于是在网上嫖一段 base64 隐写脚本改一改用了。
exp:
from Crypto.Util.number import*
import base64
c = b'VEhJUz==\nRkxBR3==\nSVN=\nSElEREVOLo==\nQ0FO\nWU9V\nRklORM==\nSVT=\nT1VUP4==\nRE8=\nWU9V\nS05PV9==\nQkFTRTY0P5==\nWW91bmdD\nVEhJTku=\nWU9V\nQVJF\nTk9U\nVEhBVE==\nRkFNSUxJQVI=\nV0lUSO==\nQkFTRTY0Lh==\nQmFzZTY0\naXO=\nYW==\nZ3JvdXA=\nb2b=\nc2ltaWxhcn==\nYmluYXJ5LXRvLXRleHR=\nZW5jb2Rpbme=\nc2NoZW1lc0==\ndGhhdD==\ncmVwcmVzZW50\nYmluYXJ5\nZGF0YW==\naW5=\nYW6=\nQVNDSUl=\nc3RyaW5n\nZm9ybWF0\nYnk=\ndHJhbnNsYXRpbmd=\naXS=\naW50b1==\nYT==\ncmFkaXgtNjQ=\ncmVwcmVzZW50YXRpb24u\nVGhl\ndGVybc==\nQmFzZTY0\nb3JpZ2luYXRlc8==\nZnJvbd==\nYY==\nc3BlY2lmaWN=\nTUlNRT==\nY29udGVudI==\ndHJhbnNmZXI=\nZW5jb2Rpbmcu\nVGhl\ncGFydGljdWxhct==\nc2V0\nb2b=\nNjR=\nY2hhcmFjdGVyc5==\nY2hvc2Vu\ndG+=\ncmVwcmVzZW50\ndGhl\nNjQ=\ncGxhY2UtdmFsdWVz\nZm9y\ndGhl\nYmFzZd==\ndmFyaWVz\nYmV0d2Vlbt==\naW1wbGVtZW50YXRpb25zLp==\nVGhl\nZ2VuZXJhbI==\nc3RyYXRlZ3n=\naXO=\ndG9=\nY2hvb3Nl\nNjR=\nY2hhcmFjdGVyc5==\ndGhhdA==\nYXJl\nYm90aN==\nbWVtYmVyc5==\nb2a=\nYS==\nc3Vic2V0\nY29tbW9u\ndG8=\nbW9zdM==\nZW5jb2RpbmdzLA==\nYW5k\nYWxzb8==\ncHJpbnRhYmxlLg==\nVGhpc9==\nY29tYmluYXRpb25=\nbGVhdmVz\ndGhl\nZGF0YW==\ndW5saWtlbHk=\ndG/=\nYmV=\nbW9kaWZpZWS=\naW5=\ndHJhbnNpdE==\ndGhyb3VnaN==\naW5mb3JtYXRpb26=\nc3lzdGVtcyw=\nc3VjaN==\nYXM=\nRS1tYWlsLD==\ndGhhdA==\nd2VyZQ==\ndHJhZGl0aW9uYWxseQ==\nbm90\nOC1iaXQ=\nY2xlYW4uWzFd\nRm9y\nZXhhbXBsZSw=\nTUlNRSdz\nQmFzZTY0\naW1wbGVtZW50YXRpb24=\ndXNlcw==\nQahDWiw=\nYahDeiw=\nYW5k\nMKhDOQ==\nZm9y\ndGhl\nZmlyc3Q=\nNjI=\ndmFsdWVzLg==\nT3RoZXI=\ndmFyaWF0aW9ucw==\nc2hhcmU=\ndGhpcw==\ncHJvcGVydHk=\nYnV0\nZGlmZmVy\naW4=\ndGhl\nc3ltYm9scw==\nY2hvc2Vu\nZm9y\ndGhl\nbGFzdA==\ndHdv\ndmFsdWVzOw==\nYW4=\nZXhhbXBsZQ==\naXM=\nVVRGLTcu'def get_base64_diff_value(s1, s2):base64chars = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'res = 0for i in range(len(s2)):if s1[i] != s2[i]:return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))return resdef solve_stego():line=b''bin_str=''for i in c:k=long_to_bytes(i)if k==b'\n':steg_line = linenorm_line = base64.b64encode(base64.b64decode(line))diff = get_base64_diff_value(steg_line, norm_line)#print(diff)pads_num = steg_line.count(b'=')if diff:bin_str += bin(diff)[2:].zfill(pads_num * 2)else:bin_str += '0' * pads_num * 2print(goflag(bin_str))line=b''continueline+=kdef goflag(bin_str):res_str = ''for i in range(0, len(bin_str), 8):res_str += chr(int(bin_str[i:i + 8], 2))return res_strif __name__ == '__main__':solve_stego()
最终得到字符串:7c86d8f7d6de33a87f7f9d6b005ce640 套上 flag{} 就可以了。
BUUCTF Crypto RSA what writeup相关推荐
- [buuctf] crypto全解——前84道(不建议直接抄flag)
buuctf crypto 1.MD5 2.Url编码 3.一眼就解密 4.看我回旋踢 5.摩丝 6.[BJDCTF 2nd]签到-y1ng 7.password 8.变异凯撒 9.Quoted-pr ...
- x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error“
执行下面命令初始化k8s集群时 kubeadm init --pod-network-cidr 10.21.0.0/16 \--image-repository registry.cn-hangzho ...
- BUUCTF Crypto Rabbit
BUUCTF Crypto Rabbit 1.一个新的加密方式 2.下载题目 3.拿到在线[网站](http://www.jsons.cn/rabbitencrypt/)解密 1.一个新的加密方式 r ...
- BUUCTF Crypto [异性相吸] writeup题解
1.观察题目 2.解题思路 联想到密码学中明文和密钥进行异或操作进行加密的方式,用二进制形式打开两个文件,然后编写简单脚本对每一位进行异或操作即可得到答案: #include<iostream& ...
- 庆祝祖国成立72周年 做点题目之 BUUCTF Crypto 刷题
BUUCTF 刷题之 Crypto 部分wp 大二了,事情很多,省赛在即,速刷题,强技能,展风采! 文章目录 BUUCTF 刷题之 Crypto 部分wp 一.这是什么 二.[HDCTF2019]bb ...
- CTF Crypto RSA合集(新生赛难度)
食用简介 下面是本人新生赛时遇到的一些RSA密码题,题目名后大概写有类型便于查找 题目较多可以选择性食用 1.buuctf RSA 题目:在一次RSA密钥对生成中,假设p=473398607161,q ...
- BUUCTF——CRYPTO(记录不熟悉的题)(4)
目录 [WUSTCTF2020]大数计算 [网鼎杯 2020 青龙组]you_raise_me_up [UTCTF2020]basic-crypto [WUSTCTF2020]情书 [HDCTF201 ...
- 记录一道已知是n,(p-1)*(q-2)和(p-2)*(q-1)的RSA题目writeup
目录 题目 解题思路 解题脚本 题目 题目还是来源于qq群聊,是昨晚看到一个师傅问的,聊天记录中的图片如下: 这个图片还是比较容易ocr的,后面会给出解题脚本,就包括上面这些数字了. 解题思路 刚看到 ...
- buuctf crypto page 2
目录 robomunication Dangerous RSA Cipher [HDCTF2019]basic rsa [GXYCTF2019]CheckIn [GUET-CTF2019]BabyRS ...
最新文章
- cordova 学习笔记
- python paramiko sftp_python paramiko (ssh,sftp)
- BZOJ 2844 | HYSBZ - 2844albus就是要第一个出场——线性基
- Android 运行时异常 Binary XML file line # : Error inflating class
- Dev C++详细安装教程
- 大三软件工程小项目-小技术集合-读取XML文件及运行外部程序
- 《算法导论》读书笔记之第9章 中位数和顺序统计学
- .net core精彩实例分享 -- 面向对象编程
- 学子商城电子产品销售系统
- 5分钟学会五笔 (不用背口诀)
- 【Linux驱动开发】串口
- 最常见的社会工程攻击
- 生成均匀分布次序统计量的伪随机数 生成删失伪随机样本
- IOS:IOS集成开发和环境的介绍
- 如何利用Vue实现页面的局部刷新
- ubuntu 18.04 安装 搜狗拼音输入法只有中文标点,没有文字
- EVPN中ESI与EVI的区别
- 达内python培训靠谱吗
- 微信小程序“网络出错,轻触屏幕重新加载” -1202
- java实现剩余年假计算_通过参加工作日期计算出年假