HNCTF
文章目錄
- HNCTF
- BabyPQ
- EZmath
- ez_Classic
- f=(?*?)
- MatrixRSA
- BabyAES
- Is this Iso?
BabyPQ
nc簽到題,跟端口連接拿到n和phin
n= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102345381254712050794570004683574576122632462740260326527527634162716815359259765521372569538966103895628425119277838802391890256082977547347452821431878779439 phin= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102326775351973643573896078165088371467025260206640820676779767010492435732872190686870516000484337605905958699104861285763636380159411400510953674956394539424
然后解方程得到p,q
from z3 import *
n= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102345381254712050794570004683574576122632462740260326527527634162716815359259765521372569538966103895628425119277838802391890256082977547347452821431878779439
phin= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102326775351973643573896078165088371467025260206640820676779767010492435732872190686870516000484337605905958699104861285763636380159411400510953674956394539424
p_add_q=n-phin+1
p=Real('p')
q=Real('q')
solve(p*q==n,p+q==p_add_q)
print(p)
print(q)
把p輸進去,得到flag
EZmath
正好之前寫杭師大的題又遇到類似的
N=p2+q2
那么可以用sage中的two_squares(N)函數,求解出p,q,然后rsa解就行
#sage
N = 14131431108308143454435007577716000559419205062698618708133959457011972529354493686093109431184291126255192573090925119389094648901918393503865225710648658
p,q=two_squares(N)
print(p,q)
#python
from Crypto.Util.number import *
from gmpy2 import *c = 34992437145329058006346797890363070594973075282993832268508442432592383794878795192132088668900695623924153165395583430068203662437982480669703879475321408183026259569199414707773374072930515794134567251046302713509056391105776219609788157691337060835717732824405538669820477381441348146561989805141829340641
N = 14131431108308143454435007577716000559419205062698618708133959457011972529354493686093109431184291126255192573090925119389094648901918393503865225710648658
p = 82560919832754349126354116140838623696638559109075709234619471489244325313113
q = 85528507672457684655471526239900307861713918212607409966382024323034858694833
n = p*q**3
e=65537
phi=(p-1)*(q-1)*q**2
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
#H&NCTF{D0_Y0u_know_Complex_n3mbers?hahaha}
sage和python是存在一些不一樣的
sage中^表示指數級而在python中^表示異或(老是弄混)
ez_Classic
題目:
hint:
I want to see what 2^11 DNA looks like in SageMath! But I heard that after e, which is often met with everyone in RSA, is subtracted by 1, it may be found in the base family.
密文:
𠣔𠧆𣣠𥪕鶪𢻠𥮚𤪍𥮱𤮵𤶋𦚤𡲪𢫐𢷊𡧕𢛠𦒌蒗𣯠𦖎骩𢻠𥮫𤪍𥢦𤮰𤲋𦚽𠚠𡓝𢷊𦙭𡎸𣛒𣋑𠻔𢛠𤺀𦚽𡾤𢳠𤪐𥪦𦚂𡮨𡻉𣃒𤃈𢻠𦖪𦂟𥢳蒿𣫠𦖢骩𣃠𥮣𤪍𥢱𦚰𡮨𠣉𣃠𥚖𥚤𦖏𥖟𥮀蒴𣫠𦚖𡆤𦙴𢂤𢇆𠛏𢋊𢻠𤲢𥢽𦚫𣂼𢗊𠣊𡟎𣛒𢻠𦚝𡮲𢟠𤾊𤲄𥮸𦂑𥂹𤾜𥮪𥢏𤺪𦚻𡖨𢗟𣧚𠟔𦙏𡲴𣃠骔𣻆𦙯𢚡𢋊𠧆𣫠𥢢𦚭𣾶
一開始看到密文還以為是啥古典加密,搜了一下生僻字方面的,無解
主要看到hint(提示真的很有用,但是我討厭英文,下次多盯盯提示)
首先題目告訴我們就是古典密碼,提示中But I heard that after e, which is often met with everyone in RSA, is subtracted by 1, it may be found in the base family。正常·RSA常用的e是65537,那么65537-1=65536,它可能在base家族中能被找到(好明顯的提示啊,想不到/(ㄒoㄒ)/~~)
所以是base65536(好偏的加密,沒見過)
Base65536 Decoding Tool Online Free (better-converter.com)
解得:
????h???????Ф????O??e?????????m??????????????????O??e???????Ф??π?O??t??π???????Α?????????????????O??e?o??????
奇怪的字符,肯定也是一種加密,再次看到提示2^11=2048,所以是base2048(這誰想得到,摔桌(╯▔皿▔)╯)
Encode and Decode Base2048 Online Tool | Nerdmosis
解得:
GAC & GCT CTA GTC CTT { CTA AGT AAA CAG CAG AGA AAG & AGT _ AAG CAC CGA ATT CAT TTC _ AGT CAG _ CAG TTC _ AGA ATC CAT TCG CAC ACA CAG CAT @ ATC ACG }
這里就很明顯了,DNA的核苷酸序列,有一個DNA加密,拿腳本解密即可
f=(?*?)
首先根據hint:e=65537猜測是rsa加密
然后密文:ve9MPTSrRrq89z+I5EMXZg1uBvHoFWBGuzxhSpIwu9XMxE4H2f2O3l+VBt4wR+MmPJlS9axvH9dCn1KqFUgOIzf4gbMq0MPtRRp+PvfUZWGrJLpxcTjsdml2SS5+My4NIY/VbvqgeH2qVA==
很明顯進行了base64加密,進行解密即可
再看到file1和file2,題目是f=(?*?),那么應該是根據這兩個文件求到n,或者p,q(到這里一切都沒有問題)
but怎么根據這兩個文件求就是問題了
真的很難想到,是根據文件中的數字的末尾一位進行拼接,得到二進制數(摔桌╰(‵□′)╯)
這樣得到p和q,正常rsa解密即可
import base64
from Crypto.Util.number import *
e = 65537
c = 've9MPTSrRrq89z+I5EMXZg1uBvHoFWBGuzxhSpIwu9XMxE4H2f2O3l+VBt4wR+MmPJlS9axvH9dCn1KqFUgOIzf4gbMq0MPtRRp+PvfUZWGrJLpxcTjsdml2SS5+My4NIY/VbvqgeH2qVA=='
c = bytes_to_long(base64.b64decode(c))
q = ''
p = ''
with open('file1.txt') as f:for i in f.readlines():if i.strip()[-1] == '1':p += '1' else:p += '0'with open('file2.txt') as f:for i in f.readlines():if i.strip()[-1] == '1':q += '1' else:q += '0'p = int(p,2)
q = int(q,2)
n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))
# H&NCTF{Y0u_s@cce3d3d_in_finding_the_meaning_0f_these_d0cuments}
MatrixRSA
題目:
from Crypto.Util.number import *
import osflag = b"H&NCTF{??????????????}" + os.urandom(73)p = getPrime(56)
q = getPrime(56)
n = p * qpart = [bytes_to_long(flag[13*i:13*(i+1)]) for i in range(9)]M = Matrix(Zmod(n),[[part[3*i+j] for j in range(3)] for i in range(3)
])e = 65537
C = M ** e
print(f"n = {n}")
print(f"C = {list(C)}")"""
n = 3923490775575970082729688460890203
C = [(1419745904325460721019899475870191, 2134514837568225691829001907289833, 3332081654357483038861367332497335), (3254631729141395759002362491926143, 3250208857960841513899196820302274, 1434051158630647158098636495711534), (2819200914668344580736577444355697, 2521674659019518795372093086263363, 2850623959410175705367927817534010)]
"""
解題分析:
這是一道矩陣RSA,之前都沒見過這種
它把明文m填充之后,進行切片,構成一個3*3的矩陣,再在得到的M矩陣基礎上乘上e次方
這方面的文章好少啊,但是我還是找到了一篇
『CTF』模 p 非奇異矩陣的群階的計算 | CN-SEC 中文網
矩陣上的RSA,n是不大的,可以直接分解,主要還是求d的問題
這里我們求d需要通過求模p和模q的群階,然后相乘得到模n的群階(類似于phi),以此來求出d,還原出原矩陣,從而得到flag
根據矩陣的大小,確定階
根據上圖,有:模p的三階矩陣群的階為p(p-1)(p+1)(p^2+p+1)
解密代碼:
from Crypto.Util.number import *
from gmpy2 import *n = 3923490775575970082729688460890203
c = [(1419745904325460721019899475870191, 2134514837568225691829001907289833, 3332081654357483038861367332497335), (3254631729141395759002362491926143, 3250208857960841513899196820302274, 1434051158630647158098636495711534), (2819200914668344580736577444355697, 2521674659019518795372093086263363, 2850623959410175705367927817534010)]
e = 65537
p=56891773340056609
q=68964114585148667#order_p = p*(p-1)*(p+1)*(p^2+p+1)
#order_q = q*(q-1)*(q+1)*(q^2+q+1)
#order = order_p * order_q即phiphi=p*(p-1)*(p+1)*(p^2+p+1) * q*(q-1)*(q+1)*(q^2+q+1)
d=invert(e,phi)C=Matrix(Zmod(n),3,3,c)#創建3*3的矩陣
M=C ** dflag = b""
for i in range(3):for j in range(3):m = int(M[i,j])flag += long_to_bytes(m)print(flag)
#H&NCTF{58bff5c1-4d5f-4010-a84c-8fbe0c0f50e8}
除此之外,還可以套用復數rsa中phi=(p2-1)(q2-1)來求(好像是題目數據的問題)
BabyAES
題目:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import flag
import time
import randomflag = pad(flag,16)
assert b"H&NCTF" in flagseed = int(time.time())
random.seed(seed)
key = random.randbytes(16)
iv = random.randbytes(16)
aes = AES.new(key,AES.MODE_CBC,iv)
cipher = aes.encrypt(flag)print(f"cipher = {cipher}")"""
cipher = b'\x96H_hz\xe7)\x0c\x15\x91c\x9bt\xa4\xe5\xacwch\x92e\xd1\x0c\x9f\x8fH\x05\x9f\x1d\x92\x81\xcc\xe0\x98\x8b\xda\x89\xcf\x92\x01a\xe1B\xfb\x97\xdc\x0cG'
"""
解題分析:
AES的CBC模式加密,key和iv都是隨機數產生的
隨機數的種子是一個時間的 Unix 時間戳(以秒為單位),并將其轉換為整數
時間戳,是從1970年1月1日(UTC/GMT的午夜)開始所經過的秒數(不考慮閏秒),用于表示一個時間點
正常來說,我們可以從時間戳的開始時間一直到目前的時間進行爆破,但是爆破不出來
我們看到文件的創建時間是:2020/8/21 7:57:34
試一下這個時間,成功解密(因為正好隨機數的種子就是這個時間戳)
解密代碼:
from datetime import *
from Crypto.Cipher import AES
import time
import random
# 指定時間
# given_time = datetime(2024, 5, 13, 9, 0, 0)
given_time = datetime(2020, 8, 21, 7, 57, 34)
# 轉換為時間戳
seed=int(given_time.timestamp())cipher = b'\x96H_hz\xe7)\x0c\x15\x91c\x9bt\xa4\xe5\xacwch\x92e\xd1\x0c\x9f\x8fH\x05\x9f\x1d\x92\x81\xcc\xe0\x98\x8b\xda\x89\xcf\x92\x01a\xe1B\xfb\x97\xdc\x0cG'while 1:random.seed(seed)key = random.randbytes(16)iv = random.randbytes(16)aes = AES.new(key, AES.MODE_CBC, iv)flag = aes.decrypt(cipher)if b'H&NCTF' in flag:print(flag)breakseed -= 1
#H&NCTF{b1c11bd5-2bfc-404e-a795-a08a002aeb87}
python時間戳的轉換:
given_time = datetime(年, 月, 日, 小時, 分鐘, 秒) # 轉換為時間戳 seed=int(given_time.timestamp())
Is this Iso?
題目:
from Crypto.Util.number import *
from random import *
from secret import flagdef nextPrime(p):while(not isPrime(p)):p += 1return p#part1 gen Fp and init supersingular curve
while(1):p = 2^randint(150,200)*3^randint(100,150)*5^randint(50,100)-1if(isPrime(p)):breakF.<i> = GF(p^2, modulus = x^2 + 1)
E = EllipticCurve(j=F(1728))
assert E.is_supersingular()#part2 find a random supersingular E
ways = [2,3,5]
for i in range(20):P = E(0).division_points(choice(ways))[1:]shuffle(P)phi = E.isogeny(P[0])E = phi.codomain()#part3 gen E1 E2 E3
E1 = Edeg1 = 2
P = E1(0).division_points(deg1)[1:]
shuffle(P)
phi1 = E1.isogeny(P[0])
E2 = phi1.codomain()deg2 = choice(ways)
P = E2(0).division_points(deg2)[1:]
shuffle(P)
phi2 = E2.isogeny(P[0])
E3 = phi2.codomain()#part4 leak
j1 = E1.j_invariant()
j2 = E2.j_invariant()
j3 = E3.j_invariant()m = bytes_to_long(flag)
n = getPrime(int(j3[0]).bit_length())*nextPrime(int(j3[0]))print("p =",p)
print("deg1 =",deg1)
print("deg2 =",deg2)
print("leak1 =",j1[0] >> 400 << 400)
print("leak2 =",j1[1] >> 5 << 5)
print("leak3 =",j2[0] >> 5 << 5)
print("leak4 =",j2[1] >> 400 << 400)
print("n =",n)
print("cipher =",pow(m,65537,n))
有點復雜,還在努力中
)
)
