ctfshow 密码挑战
2024-04-16 13:41:08
真·biginner
给出了m<<10000十进制的后175位。
化为数学公式就是
m*2^10000 %10^175=c
m= c*2^-10000 mod 10^175
m= c*2^-10000 mod 5^175
import gmpy2
from Crypto.Util.number import *
c=1002773875431658367671665822006771085816631054109509173556585546508965236428620487083647585179992085437922318783218149808537210712780660412301729655917441546549321914516504576
a=5**175
m=c*gmpy2.powmod(2,-10000,a) %a
print(long_to_bytes(m))
^o^
我们知道
m^o^(2^2^_ mod n)=c
已知 m o _ c
就是只要求
2^2^_ mod n
这里好像因为数据太大算不出来
看了大佬的wp
设2^_=x*phi+k
2^(x*phi+k) mod n
2^(x*phi)*2^k mod n
根据欧拉定理 2^phi mod n =1
所以上式变为 2^k mod n 而 k=2^_ mod phi
n可以分解
from Crypto.Util.number import *
import gmpy2
n=126176329335043454027341235009057683290541781096785538088437185779950106283534462102786883
o=22456023784134158064387550786352078427103553489348641216173010466267938277785173301732037264951635050700506776189809535326121257316490294752439819127486709456258090566784874248887194200916292508316349668172694553726134727726937633467532396106605496205841004277926961591604901357597262377953003319850049478502819166543968493292912201066602832545685929727421332846592671475883986049409546411338070434784675992855275254782158499562211464363321053581615280674425860714715529804670567409115827118589244016504450514019111124308126165185658681843519312254372108072512792854040590016772780908271525769845284796145687079308339
_=1138895128842708275167
c=22456023784134158064387550786352078427103553489348641216173010466267938277785173301732037264951635050700506776189809535326121257316490294752439819127486709456258090566784874248887194200916292508316349668172694553726134727726937633467532396106605496205841004277926961591604901357597262377953003319850049478502819166543968493292912201066602832545685929727421332846592671475883986049409546411338070434784675992855275254782158499562211464363321053581615280674425860714715529804670567409115827118589244016504450514019111124308126165145471041075065947806083270394708336810934202426175949363009508477208686445248781032485832phi=611738358 * 648863388 * 775357618 * 806952672 * 834612802 * 848994660 * 856368370 * 914351298 * 940957050 * 973139886
a=pow(2,_,phi)
b=pow(2,a,n)
print(long_to_bytes(c^o^b))so Damn big e?
给了三组n c e
e很大尝试winner和boneh 都不行
提示是***D***ɪғғᴇʀᴇɴᴄᴇ?ɴo!
difference?
d应该是相同的
n1 = 0x7e503bdb2d037da083601c2945b668bbad980789cb4671b20fee013295319cc43a5b4defca704474c793fa2bd86eacd5552da0f0dc37a42eafd379d9216c0f3a1687ca42c5aa40500435374495fa0ebce37340bf6f98046c58443497457e4e442206a322ecfb60ee846f7aeb1e72f6804609a194ba9e28d6449a0e06d214525ce043afffd96eb9cb8e09b16722153ba5198bce185b5ad24b845b39a0940e5b9a7ad896c3e472b5d49cdb5956b91ef069d81fe399fcf5f3f02f465896bbf4ecbde7ba9cda0c510f14ba2b0673173c7916c284bf7a63613225ece3563a6d843ef06d731d0404646b97a4bc4a3ec4e77751d3c5fd280bf8b0277ae1cade8b1fbdf9
e1 = 0x45a1ee446ca0df0720f77b576f8c197a5033f5cefec5bc8a2ddd9da021ff389d8991e1822abbe9efe60204094c252195f6a4c898ce4f4ee0ef726bd0fcfe7741749bd9cc1cbbec83cc133743d4c746c2736da2452bfeaea1d031f10719f33fa4ef3b8878951b2b70cead75a608d883968a17cd04f19eb3a58e5d55e01790658248a0a26404131a070d3b3c9cb4a1d9d98eadc392199300fbf5ee472296e36dccef2e796b9b51e6693767d40336875ab62c41231ea9fb90bcad4df203b4459abb8d0e402de474cd802e2bfbc01d3b2d55f96b44ceec56ad6c4f3809cfa30b102bc5edc1607c613734571e1dbdb13ace896d1931a53fc9088ead61d78bc30fe78d
c1 = 0x5b4331a4de52d57c7ff77ae03a75b96629c76509d0fd003c27966ca0bd8a7e1a835eee6fe9b02afe78507b43e9efdb9c13f7cbdacd5d18d45ca98ab5538fbf6500a9b314e7e260bab673ae8a38c41b056bea895953ad7257cf30b9a1ba598a1ef01b251964feb2a63e09d8b699a14f1bf3d464809dab3c514fe7c6f59be9c434a694215ebafe547035323f90a661b9c5c73208ef0cbc21c0e9abbdaa65cc4bbaf8c2c47841aefcabd89bbaa3a6f2a9df6d3d8a0eedbec7c28c94fb369b426449b7d6ec5daed4d07df92d057e02cacbfdda0c94afce396dda307c8cc6ecd51c084fa2cfe3a31edde97018ba0de31b8cdeabe34f51ceebdf8834340605d5d71279
n2 = 0x878717447ff85bff1c360384309b5731edffd0ade56117d3b8b72b2ab9296633437e3f5fb09c57e8658c1dc1de5d7a9ba003923d3e9d8e124afe71c6fd0c9985988961198c5c21ed46dfad45399ec9d4c6a6a0ca793e5c721333db2ceed863bc919544024a2a630e9788e9f5afadbd3a291bbda804ed70c6e9b9a599cb3a4d14ed9325000c19d988a79af2e44ff1e14766a0465837125107a9c2cf7a76980d6f86aaf9f926ea0e46d641d3478112de0824bf9c5e726a7d5b7c92cbc1906d3d778e9a612290e043e2b3afd4f0a806254640772fd25980b009b4136d685e52725482ac61e1b679d13eb0d2b06df080fffc677a1b9afbcf327fba6a3ed8fbc7e22d
e2 = 0x837ebb33e9bbb4a5662d484099db6a435c68d630acdfe317aed1a089fcb9deb4df3c328a36c8f1f14045374e8cd4a75e6480bc04489fbf86a1d324b6c2c31ce11dd50d6cb75f9be5b01d2b756aac22f3c7c17f42b47b9bba52575912faa482214158c935ea1d943d62f2a5242c00771a983b1428edbefbe43b8bcad116e6a110ebc3305f622fe131596889450b16a69b8567086939f7f4766f3cb93c1cc63c0ee1f6b2a4ce0de084b760e1f7dd3d5542a4f958969f0b17f5268eddb78b68d3348ef0e6be831c3846325985170f06ad25f5af5a04ada0f2aa3c93ad8c940966248698e72d6f029b0af9af91634aae13319faf985ce77ec4c35b416a8100050c7d
c2 = 0x26049d5d64a85ad3e89d7933a0d296651d566d71314485d2c4c74e8fa462f0c95d43daca9bbbc2557efd7441286e5de65b6067f9df6eb6b9ece0439f7ce7b0ee5e97607b3de1f7e591461469482975e9e2161e5ef1664b44d994c2d294884e0ddaab5c19a1a292d057dc517c9b4cb2dbdcfdbab02972cfd0a7d00f34320c4bc887ea2531ecf188e50e0f33995770b54affe30ebbce85bff955aa66c8e28e5708b0f3d3f52f07dbe5bf155968a65deb94f877ae7904b3dbc848e29d465452a07c373799a30452985e5b9933a57ca2d5227c40fed42e9537435c9f3221749db451c3861bbf57a4901f81d6794d0ad10ba882e8ba99e320cb12edd0b8c7194ded33
n3 = 0xd0a6712277676e497a6c09871e09ca7e87a0a09cc9c7a402ff12617eb2da499651724c4bfc4bdee713062c93ac852d627954cd59ed95b97d4ace621d8b86b867b9ff4b58c45c83f51fb4dcb12a15eaba0bf7370c29b1178a1bee585c4263ac7c1f0846bf4b5d2e8be1ec7bbaa023a8439deaaeeebd04d1188692a2223820c447606662e27af3f1fc45332dcea5214b05946d65e73bc8e9a17dc5093a2b0241b5166e6310e9bd0e1a20f9a5cb0f1925ba00b71bff78b058a167ee5dcadf428e1d3e4c077710dc073025a7813160fe825c8e3c81ef5e5070226b5d89a1ce86e91b3ce7cf3b5d590fa467a8defb2f96083291a74996dff53dfc44883a6a1c2e4651
e3 = 0x25b452f7ef6177efeb93d117aa856ca788713ff813af2f577246ed3a0a8cf244032197abd38c42677a0b7a3693108207b71ac7c934cc96d8cfafbe27e1a3ecda72796f0c09d9308e14f62be5bd913bb28afb6f92dc7a362e871d0f8667b9f44ffa2bcd240c554da99fe159599d68a9f7c4aa869b44edb382315b3ffb75bd2b12ba60f7ac667551756d13cb88e2be3f9959ab99fc4a063b8b53d208950f6db139d486f5f7351fa75010ad5177c07e4b2226298678518dd5145be36d4901c69949800f5e63be0b9fd7297eb204d76fd8c87217ea30a5495add4b5d901caabc929ee72de78d6ed3ae760c985ff58703f46046352d17926db6bcd57839c0a3ca9cfd
c3 = 0x874354398f60a93239229e47157f12c2c5b34886cacfe9b236ec545a5dc503c9e5cd38552eeb024d7562fed842368bde2e1744b222aa5f857684de402924a1b493c715a679ad17ab2251c1ad8e92fa83f45c4fb33154e09de088704acd4f14a4d3f8099aba4e2e2a4bc3baf35f32485ca67de3338cf0fd2276af6eb35751b0378709cb2aaff033146bc5d2f94fde12cb2286173af2f582b1841db9fb136667f2f90aca690f6041ad84380ecb86b443949d05bee5a08305b26f3efd53d0ae6e2e9cae6c4b4c36b2ae7d826117512e4c1d12dcce75b35d55b737970e3dc809c04b5aa309583e6a9650bd58415805be3c8175bf9546b24c8ce833a402f9b5d2ef35Ns = [n1, n2, n3]
es = [e1, e2, e3]
cs = [c1, c2, c3]N = max(Ns)
k = 3
delta = 0.375
epsilon = sqrt(5) * N^(delta-1/2)n = k
C = int(3^(n+1) * 2 ^ ((n+1)*(n-4)/4) * epsilon^(-n-1))M = Matrix(ZZ, [[1, -int(C * es[0] / (Ns[0] + 1)), -int(C * es[1] / (Ns[1] + 1)), -int(C * es[2] / (Ns[2] + 1))],[0, C, 0, 0],[0, 0, C, 0],[0, 0, 0, C]])K = M.LLL()
need_x = K * M.inverse()
x, y1, y2, y3 = -need_x[0]
print(x, y1, y2, y3)
ys = [y1, y2, y3]
print(type(x))print(Ns[0])
print(type(es[0]))
# print(x)
# print(ys[0])
print(int(es[0] * x / ys[0]))Ss = [abs(int(Ns[i] + 1 - es[i] * x / ys[i])) for i in range(3)]
Ds = [int(sqrt(Ss[i]^2 - 4 * Ns[i])) for i in range(3)]
pas = [int((Ss[i] + Ds[i])/2) for i in range(3)]# print(pas)
# print(ciphertexts[0]['p'])
# print(ciphertexts[0]['p'] - pas[0])ps = []
for i in range(3):PR.<x> = PolynomialRing(Zmod(Ns[i]))f = x + pas[i]f = f.monic()# print(f)p_solve = f.small_roots(X = 2 ** 160, beta=0.42) # ps.append(int(p_solve[0] + pas[i]))print(ps)def decrypt(c, d, n):return pow(c, d, n)from Crypto.Util.number import *for i in range(3):q = Ns[i] // ps[i]d = inverse(es[i], (ps[i] - 1) * (q-1))print(long_to_bytes(decrypt(cs[i], d, Ns[i])))
大佬的脚本
Lousy RSA
代码审计
已知 e n
c0 = (r*2^24)^e mod n
c1 = (c^3 mod n + r*2^24)^e mod n
就是Coppersmith’s Shortpad attack
直接套脚本
# Franklin-Reiter attack against RSA.
# If two messages differ only by a known fixed difference between the two messages
# and are RSA encrypted under the same RSA modulus N
# then it is possible to recover both of them.# Inputs are modulus, known difference, ciphertext 1, ciphertext2.
# Ciphertext 1 corresponds to smaller of the two plaintexts. (The one without the fixed difference added to it)
def franklinReiter(n,e,r,c1,c2):R.<X> = Zmod(n)[]f1 = X^e - c1f2 = (X + r)^e - c2# coefficient 0 = -m, which is what we wanted!return Integer(n-(compositeModulusGCD(f1,f2)).coefficients()[0])# GCD is not implemented for rings over composite modulus in Sage# so we do our own implementation. Its the exact same as standard GCD, but with# the polynomials monic representationdef compositeModulusGCD(a, b):if(b == 0):return a.monic()else:return compositeModulusGCD(b, a % b)def CoppersmithShortPadAttack(e,n,C1,C2,eps=1/30):"""Coppersmith's Shortpad attack!Figured out from: https://en.wikipedia.org/wiki/Coppersmith's_attack#Coppersmith.E2.80.99s_short-pad_attack"""import binasciiP.<x,y> = PolynomialRing(ZZ)ZmodN = Zmod(n)g1 = x^e - C1g2 = (x+y)^e - C2res = g1.resultant(g2)P.<y> = PolynomialRing(ZmodN)# Convert Multivariate Polynomial Ring to Univariate Polynomial Ringrres = 0for i in range(len(res.coefficients())):rres += res.coefficients()[i]*(y^(res.exponents()[i][1]))diff = rres.small_roots(epsilon=eps)recoveredM1 = franklinReiter(n,e,diff[0],C1,C2)print(recoveredM1)print("Message is the following hex, but potentially missing some zeroes in the binary from the right end")print(hex(recoveredM1))print("Message is one of:")# for i in range(8):# msg = hex(Integer(recoveredM1*pow(2,i)))# if(len(msg)%2 == 1):# msg = '0' + msg# if(msg[:2]=='0x'):# msg = msg[:2]# print(binascii.unhexlify(msg))n = 174324486246368706797369875696431154949507985109580823636508797586027916444803631093979820096354080131009188697471459585235480269518884904218296080625677554764210808485701518333455709354167598696733122008278355512171891384681986269483195309509133593018767111011832503457483041663404694035291873770757106015449
e = 3
C1, C2 = 88554857474269339852350542587956796788714004892624376338962263744306147590687055479228330665088129549575464328512236397812387501900150260467472351323852483274115510618656195946027819867866634308043212616446284716554910529549810773289873546024253185922156211258677734456543059298007223415035206559594581502103, 112732326999517888611419175089443524302591653761429814923847106037636816337706802444535563232240653892157472132168410061883415326501881505694114629236915564055116316663500118393388695858293682251173885215276730055163639055888657121111458082026971631310339083682125210709877457091022108330866304123178910694286CoppersmithShortPadAttack(e,n,C1,C2,eps=1/30)
ctfshow 密码挑战相关推荐
- ctfshow每周挑战-极限命令执行
极限命令执行1 <?php //本题灵感来自研究一直没做出来的某赛某题时想到的姿势,太棒啦~. //flag在根目录flag里,或者直接运行根目录getflagerror_reporting(0 ...
- ctfshow密码easyrsa5
题目描述 e = 2841004786931616423276957124525054688917944103019064654346046433658550641019222526983275845 ...
- ctfshow萌新红包题writeup
ctfshow萌新专属红包题writeup 题目来源:https://ctf.show/ 这一题是ctfshow平台上面2月17日更新的一个萌新红包题,当天在官方交流群内知道晚上会有一个萌新红包题之后 ...
- 4个终于被破解的世界密码
4个终于被破译的世界级密码 严酷的魔王 2012-02-02 20:16:01 历史上诞生了不少千奇百怪的诡异密码.这些被密码有的至今仍未被破译,有的经过各路高手不懈努力,终于被解开.死理性派今天就讲 ...
- 【CTFSHOW】web入门 NodeJS
文章目录 写在前面 web334 web335 web336 web337 web338 web339 web340 web341 web342 web343 web344 参考资料 写在前面 web ...
- mysql协议解析器_mysql协议解析
目录 目录 1 交互过程 1.1 握手认证阶段 1.2 命令执行阶段 2 基本类型 2.1 整型值 2.2 字符串(以NULL结尾)(Null-Terminated String) 2.3 二进制数据 ...
- mysql long类型_怒肝两个月MySQL源码,我总结出这篇2W字的MySQL协议详解(超硬核干货)!!...
点击上方蓝色"冰河技术",关注并选择"设为星标" 持之以恒,贵在坚持,每天进步一点点! 作者个人研发的在高并发场景下,提供的简单.稳定.可扩展的延迟消息队列框架 ...
- 易安卓手机APP教程
易安卓简介: E4A-[易安卓]是一款于 2013 年 06 月 01 日正式发布的.定位于为企业.站长.开发者.网络公司.各种手持设备等等基于安卓系统下的 APP 开发的全中文安卓编程语言,本语言的 ...
- 软考网络工程师(八)
第八章 网络安全 8.1 网络安全威胁分类和基本加密技术 网络威胁: 窃听 假冒 重放.重复一份报文或报文的一部分,以便产生一个被授权效果. 流量分析.通过对网上信息流的观察和分析推断出网上传输的有用 ...
最新文章
- 在Java Build Path中找不到超类“javax.servlet.http.HttpServlet”[重复]
- apache php linux 安全,Centos7环境下的apache和php安全设置及优化 | 彬菌
- 【知识点】Java常用类库
- socket编程实现回声客户端
- Set函数、Get函数、点语法和类方法
- Python爬取网站上面的数据很简单,但是如何爬取APP上面的数据呢
- 《oracle每天一练》Oracle冷备份与数据恢复
- python烧录单片机_mac实现烧写51单片机
- 3dmax用vr渲染还是cr渲染器?
- 超硬核Java工程师秋招回忆录+面经汇总,为了拿BAT的研发offer我都做了那些准备?
- 使用xml配置文件实现HSF框架和EDAS注册服务器的发布-订阅模式
- PDF写出:使用fop输出为pdf格式文件的Demo
- 使用Java制作一个魂斗罗游戏
- Win10安装Apache和PHP
- SQL基础教程【日】MICK著 孙淼 罗勇译 ISBN 978-7-115-32269-2
- Eloquent: 修改器
- 关于笔记本电脑修改显示器刷新频率后,重新开机时会自动修改为上一次的频率问题
- 聪明的笨鸟(人-AI试验版)
- UE4+手柄对应按键测试
- IDEA 卡住半天,buid(编译)不动——解决办法(适用于maven和gradle)及定位全过程...