HNCTF
文章目录
- HNCTF
- BabyPQ
- EZmath
- ez_Classic
- f=(?*?)
- MatrixRSA
- BabyAES
- Is this Iso?
BabyPQ
nc签到题,跟端口连接拿到n和phin
n= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102345381254712050794570004683574576122632462740260326527527634162716815359259765521372569538966103895628425119277838802391890256082977547347452821431878779439 phin= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102326775351973643573896078165088371467025260206640820676779767010492435732872190686870516000484337605905958699104861285763636380159411400510953674956394539424
然后解方程得到p,q
from z3 import *
n= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102345381254712050794570004683574576122632462740260326527527634162716815359259765521372569538966103895628425119277838802391890256082977547347452821431878779439
phin= 83364501002320980990436866711482826016646968100023452408725794986955117709931957044024140298920294618304768663854534751412077760350674221847521356272102326775351973643573896078165088371467025260206640820676779767010492435732872190686870516000484337605905958699104861285763636380159411400510953674956394539424
p_add_q=n-phin+1
p=Real('p')
q=Real('q')
solve(p*q==n,p+q==p_add_q)
print(p)
print(q)
把p输进去,得到flag
EZmath
正好之前写杭师大的题又遇到类似的
N=p2+q2
那么可以用sage中的two_squares(N)函数,求解出p,q,然后rsa解就行
#sage
N = 14131431108308143454435007577716000559419205062698618708133959457011972529354493686093109431184291126255192573090925119389094648901918393503865225710648658
p,q=two_squares(N)
print(p,q)
#python
from Crypto.Util.number import *
from gmpy2 import *c = 34992437145329058006346797890363070594973075282993832268508442432592383794878795192132088668900695623924153165395583430068203662437982480669703879475321408183026259569199414707773374072930515794134567251046302713509056391105776219609788157691337060835717732824405538669820477381441348146561989805141829340641
N = 14131431108308143454435007577716000559419205062698618708133959457011972529354493686093109431184291126255192573090925119389094648901918393503865225710648658
p = 82560919832754349126354116140838623696638559109075709234619471489244325313113
q = 85528507672457684655471526239900307861713918212607409966382024323034858694833
n = p*q**3
e=65537
phi=(p-1)*(q-1)*q**2
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
#H&NCTF{D0_Y0u_know_Complex_n3mbers?hahaha}
sage和python是存在一些不一样的
sage中^表示指数级而在python中^表示异或(老是弄混)
ez_Classic
题目:
hint:
I want to see what 2^11 DNA looks like in SageMath! But I heard that after e, which is often met with everyone in RSA, is subtracted by 1, it may be found in the base family.
密文:
𠣔𠧆𣣠𥪕鶪𢻠𥮚𤪍𥮱𤮵𤶋𦚤𡲪𢫐𢷊𡧕𢛠𦒌蒗𣯠𦖎骩𢻠𥮫𤪍𥢦𤮰𤲋𦚽𠚠𡓝𢷊𦙭𡎸𣛒𣋑𠻔𢛠𤺀𦚽𡾤𢳠𤪐𥪦𦚂𡮨𡻉𣃒𤃈𢻠𦖪𦂟𥢳蒿𣫠𦖢骩𣃠𥮣𤪍𥢱𦚰𡮨𠣉𣃠𥚖𥚤𦖏𥖟𥮀蒴𣫠𦚖𡆤𦙴𢂤𢇆𠛏𢋊𢻠𤲢𥢽𦚫𣂼𢗊𠣊𡟎𣛒𢻠𦚝𡮲𢟠𤾊𤲄𥮸𦂑𥂹𤾜𥮪𥢏𤺪𦚻𡖨𢗟𣧚𠟔𦙏𡲴𣃠骔𣻆𦙯𢚡𢋊𠧆𣫠𥢢𦚭𣾶
一开始看到密文还以为是啥古典加密,搜了一下生僻字方面的,无解
主要看到hint(提示真的很有用,但是我讨厌英文,下次多盯盯提示)
首先题目告诉我们就是古典密码,提示中But I heard that after e, which is often met with everyone in RSA, is subtracted by 1, it may be found in the base family。正常·RSA常用的e是65537,那么65537-1=65536,它可能在base家族中能被找到(好明显的提示啊,想不到/(ㄒoㄒ)/~~)
所以是base65536(好偏的加密,没见过)
Base65536 Decoding Tool Online Free (better-converter.com)
解得:
ԂƃಕԪhਚՍıյŋǤખФʧՓࠌޗOൎߩeਫՍĦҰŋƽࠀݎʧmญҰѬԈࠀȽङঐĦԂਕɘҪȺਪߟڳҿOഢߩeણՍıҰਕɂખФЏߟπմOഖऋtचƛπʜਢƽҫ༪ʟʂΑҰਝಕࡊɄƸՑڹʜɪՏҪȻਏߟڳԁOഖઔeƸoࡠʜƃഢҭඹ
奇怪的字符,肯定也是一种加密,再次看到提示2^11=2048,所以是base2048(这谁想得到,摔桌(╯▔皿▔)╯)
Encode and Decode Base2048 Online Tool | Nerdmosis
解得:
GAC & GCT CTA GTC CTT { CTA AGT AAA CAG CAG AGA AAG & AGT _ AAG CAC CGA ATT CAT TTC _ AGT CAG _ CAG TTC _ AGA ATC CAT TCG CAC ACA CAG CAT @ ATC ACG }
这里就很明显了,DNA的核苷酸序列,有一个DNA加密,拿脚本解密即可
f=(?*?)
首先根据hint:e=65537猜测是rsa加密
然后密文:ve9MPTSrRrq89z+I5EMXZg1uBvHoFWBGuzxhSpIwu9XMxE4H2f2O3l+VBt4wR+MmPJlS9axvH9dCn1KqFUgOIzf4gbMq0MPtRRp+PvfUZWGrJLpxcTjsdml2SS5+My4NIY/VbvqgeH2qVA==
很明显进行了base64加密,进行解密即可
再看到file1和file2,题目是f=(?*?),那么应该是根据这两个文件求到n,或者p,q(到这里一切都没有问题)
but怎么根据这两个文件求就是问题了
真的很难想到,是根据文件中的数字的末尾一位进行拼接,得到二进制数(摔桌╰(‵□′)╯)
这样得到p和q,正常rsa解密即可
import base64
from Crypto.Util.number import *
e = 65537
c = 've9MPTSrRrq89z+I5EMXZg1uBvHoFWBGuzxhSpIwu9XMxE4H2f2O3l+VBt4wR+MmPJlS9axvH9dCn1KqFUgOIzf4gbMq0MPtRRp+PvfUZWGrJLpxcTjsdml2SS5+My4NIY/VbvqgeH2qVA=='
c = bytes_to_long(base64.b64decode(c))
q = ''
p = ''
with open('file1.txt') as f:for i in f.readlines():if i.strip()[-1] == '1':p += '1' else:p += '0'with open('file2.txt') as f:for i in f.readlines():if i.strip()[-1] == '1':q += '1' else:q += '0'p = int(p,2)
q = int(q,2)
n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))
# H&NCTF{Y0u_s@cce3d3d_in_finding_the_meaning_0f_these_d0cuments}
MatrixRSA
题目:
from Crypto.Util.number import *
import osflag = b"H&NCTF{??????????????}" + os.urandom(73)p = getPrime(56)
q = getPrime(56)
n = p * qpart = [bytes_to_long(flag[13*i:13*(i+1)]) for i in range(9)]M = Matrix(Zmod(n),[[part[3*i+j] for j in range(3)] for i in range(3)
])e = 65537
C = M ** e
print(f"n = {n}")
print(f"C = {list(C)}")"""
n = 3923490775575970082729688460890203
C = [(1419745904325460721019899475870191, 2134514837568225691829001907289833, 3332081654357483038861367332497335), (3254631729141395759002362491926143, 3250208857960841513899196820302274, 1434051158630647158098636495711534), (2819200914668344580736577444355697, 2521674659019518795372093086263363, 2850623959410175705367927817534010)]
"""
解题分析:
这是一道矩阵RSA,之前都没见过这种
它把明文m填充之后,进行切片,构成一个3*3的矩阵,再在得到的M矩阵基础上乘上e次方
这方面的文章好少啊,但是我还是找到了一篇
『CTF』模 p 非奇异矩阵的群阶的计算 | CN-SEC 中文网
矩阵上的RSA,n是不大的,可以直接分解,主要还是求d的问题
这里我们求d需要通过求模p和模q的群阶,然后相乘得到模n的群阶(类似于phi),以此来求出d,还原出原矩阵,从而得到flag
根据矩阵的大小,确定阶
根据上图,有:模p的三阶矩阵群的阶为p(p-1)(p+1)(p^2+p+1)
解密代码:
from Crypto.Util.number import *
from gmpy2 import *n = 3923490775575970082729688460890203
c = [(1419745904325460721019899475870191, 2134514837568225691829001907289833, 3332081654357483038861367332497335), (3254631729141395759002362491926143, 3250208857960841513899196820302274, 1434051158630647158098636495711534), (2819200914668344580736577444355697, 2521674659019518795372093086263363, 2850623959410175705367927817534010)]
e = 65537
p=56891773340056609
q=68964114585148667#order_p = p*(p-1)*(p+1)*(p^2+p+1)
#order_q = q*(q-1)*(q+1)*(q^2+q+1)
#order = order_p * order_q即phiphi=p*(p-1)*(p+1)*(p^2+p+1) * q*(q-1)*(q+1)*(q^2+q+1)
d=invert(e,phi)C=Matrix(Zmod(n),3,3,c)#创建3*3的矩阵
M=C ** dflag = b""
for i in range(3):for j in range(3):m = int(M[i,j])flag += long_to_bytes(m)print(flag)
#H&NCTF{58bff5c1-4d5f-4010-a84c-8fbe0c0f50e8}
除此之外,还可以套用复数rsa中phi=(p2-1)(q2-1)来求(好像是题目数据的问题)
BabyAES
题目:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from secret import flag
import time
import randomflag = pad(flag,16)
assert b"H&NCTF" in flagseed = int(time.time())
random.seed(seed)
key = random.randbytes(16)
iv = random.randbytes(16)
aes = AES.new(key,AES.MODE_CBC,iv)
cipher = aes.encrypt(flag)print(f"cipher = {cipher}")"""
cipher = b'\x96H_hz\xe7)\x0c\x15\x91c\x9bt\xa4\xe5\xacwch\x92e\xd1\x0c\x9f\x8fH\x05\x9f\x1d\x92\x81\xcc\xe0\x98\x8b\xda\x89\xcf\x92\x01a\xe1B\xfb\x97\xdc\x0cG'
"""
解题分析:
AES的CBC模式加密,key和iv都是随机数产生的
随机数的种子是一个时间的 Unix 时间戳(以秒为单位),并将其转换为整数
时间戳,是从1970年1月1日(UTC/GMT的午夜)开始所经过的秒数(不考虑闰秒),用于表示一个时间点
正常来说,我们可以从时间戳的开始时间一直到目前的时间进行爆破,但是爆破不出来
我们看到文件的创建时间是:2020/8/21 7:57:34
试一下这个时间,成功解密(因为正好随机数的种子就是这个时间戳)
解密代码:
from datetime import *
from Crypto.Cipher import AES
import time
import random
# 指定时间
# given_time = datetime(2024, 5, 13, 9, 0, 0)
given_time = datetime(2020, 8, 21, 7, 57, 34)
# 转换为时间戳
seed=int(given_time.timestamp())cipher = b'\x96H_hz\xe7)\x0c\x15\x91c\x9bt\xa4\xe5\xacwch\x92e\xd1\x0c\x9f\x8fH\x05\x9f\x1d\x92\x81\xcc\xe0\x98\x8b\xda\x89\xcf\x92\x01a\xe1B\xfb\x97\xdc\x0cG'while 1:random.seed(seed)key = random.randbytes(16)iv = random.randbytes(16)aes = AES.new(key, AES.MODE_CBC, iv)flag = aes.decrypt(cipher)if b'H&NCTF' in flag:print(flag)breakseed -= 1
#H&NCTF{b1c11bd5-2bfc-404e-a795-a08a002aeb87}
python时间戳的转换:
given_time = datetime(年, 月, 日, 小时, 分钟, 秒) # 转换为时间戳 seed=int(given_time.timestamp())
Is this Iso?
题目:
from Crypto.Util.number import *
from random import *
from secret import flagdef nextPrime(p):while(not isPrime(p)):p += 1return p#part1 gen Fp and init supersingular curve
while(1):p = 2^randint(150,200)*3^randint(100,150)*5^randint(50,100)-1if(isPrime(p)):breakF.<i> = GF(p^2, modulus = x^2 + 1)
E = EllipticCurve(j=F(1728))
assert E.is_supersingular()#part2 find a random supersingular E
ways = [2,3,5]
for i in range(20):P = E(0).division_points(choice(ways))[1:]shuffle(P)phi = E.isogeny(P[0])E = phi.codomain()#part3 gen E1 E2 E3
E1 = Edeg1 = 2
P = E1(0).division_points(deg1)[1:]
shuffle(P)
phi1 = E1.isogeny(P[0])
E2 = phi1.codomain()deg2 = choice(ways)
P = E2(0).division_points(deg2)[1:]
shuffle(P)
phi2 = E2.isogeny(P[0])
E3 = phi2.codomain()#part4 leak
j1 = E1.j_invariant()
j2 = E2.j_invariant()
j3 = E3.j_invariant()m = bytes_to_long(flag)
n = getPrime(int(j3[0]).bit_length())*nextPrime(int(j3[0]))print("p =",p)
print("deg1 =",deg1)
print("deg2 =",deg2)
print("leak1 =",j1[0] >> 400 << 400)
print("leak2 =",j1[1] >> 5 << 5)
print("leak3 =",j2[0] >> 5 << 5)
print("leak4 =",j2[1] >> 400 << 400)
print("n =",n)
print("cipher =",pow(m,65537,n))
有点复杂,还在努力中
