一、[安洵杯 2020]密码学?爆破就行了——sha256掩码爆破
1.题目:
#!/usr/bin/python2
import hashlib
from secret import SECRET
from broken_flag import BROKEN_FLAG
flag = 'd0g3{' + hashlib.md5(SECRET).hexdigest() + '}'
broken_flag = 'd0g3{71b2b5616**2a4639**7d979**de964c}'
assert flag[:14] == broken_flag[:14]
assert flag[16:22] == broken_flag[16:22]
assert flag[24:29] == broken_flag[24:29]
ciphier = hashlib.sha256(flag).hexdigest()
print(ciphier)
'''
ciphier = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
'''
2.
import hashlib
cipher = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
strings = '0123456789abcdef'
for a in strings:
for b in strings:
for c in strings:
for d in strings:
for e in strings:
for f in strings:
flag = 'd0g3{71b2b5616' + a + b + '2a4639' + c + d + '7d979' + e + f + 'de964c}'
if hashlib.sha256(flag.encode()).hexdigest() == cipher:
print(flag)
break
NSSCTF{71b2b5616ee2a4639a07d979ebde964c}
二、[HNCTF 2022 WEEK2]md5太残暴了——MD5爆破
1.题目:
小明养成了定期修改密码的好习惯,同时,他还是一个CTF爱好者。有一天,他突发奇想,用flag格式来设置密码,为了防止忘记密码,他还把密码进行了md5加密。为了避免被其他人看到全部密码,他还特意修改了其中部分字符为#。你能猜出他的密码吗?
plaintext = flag{#00#_P4ssw0rd_N3v3r_F0rg3t_63####}
md5 = ac7f4d52c3924925aa9c8a7a1f522451
PS: 第一个#是大写字母,第二个#是小写字母,其他是数字。
2.
import hashlib
string1 = 'ABCDEFGHIGKLMNOPQRSTUVWXYZ'
string2 = 'abcdefghijklmnopqrstuvwxyz'
string3 = '0123456789'
md5 = 'ac7f4d52c3924925aa9c8a7a1f522451'
for a in string1:
for b in string2:
for c in string3:
for d in string3:
for e in string3:
for f in string3:
flag = 'flag{'+ a + '00' + b + '_P4ssw0rd_N3v3r_F0rg3t_63' + c + d + e + f + '}'
if hashlib.md5(flag.encode()).hexdigest() == md5:
print(flag)
flag{G00d_P4ssw0rd_N3v3r_F0rg3t_638291}
三、[LitCTF 2023]Where is P?——p的高位攻击
1.题目:
from Crypto.Util.number import *
m=bytes_to_long(b'XXXX')
e=65537
p=getPrime(1024)
q=getPrime(1024)
n=p*q
print(p)
c=pow(m,e,n)
P=p>>340
print(P)
a=pow(P,3,n)
print("n=",n)
print("c=",c)
print("a=",a)
#n= 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
#c= 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
#a= 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605
2.解题:p右移340位后进行低加密指数攻击,先进行解密求P,然后求p,然后是正常的rsa解密
3.
import gmpy2
import libnum
# 低加密指数攻击解密
a = 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605
n = 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
c = 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
k = 0
while 1:
res = gmpy2.iroot(k * n + a,3)
if res[1] == True:
print(res[0]) # 即P
break
k += 1
P = p_high = 66302204855869216148926460265779698576660998574555407124043768605865908069722142097621926304390549253688814246272903647124801382742681337653915017783954290069842646020090511605930590064443141710086879668946
# sagemath,求p
# p_high = 66302204855869216148926460265779698576660998574555407124043768605865908069722142097621926304390549253688814246272903647124801382742681337653915017783954290069842646020090511605930590064443141710086879668946
# n= 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
# c= 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
#
# pbits = 1024
# kbits = 340
# p_high = p_high << kbits
# PR.<x> = PolynomialRing(Zmod(n))
# # f = x + p_high
# p0 = f.small_roots(X = 2 ^ kbits,beta = 0.4)[0]
# print(p_high + p0)
# p = 148500014720728755901835170447203030242113125689825190413979909224639701026120883281188694701625473553602289432755479244507504340127322979884849883842306663453018960250560834067472479033116264539127330613635903666209920113813160301513820286874124210921593865507657148933555053341577090100101684021531775022459
# 求flag
e = 65537
p = 148500014720728755901835170447203030242113125689825190413979909224639701026120883281188694701625473553602289432755479244507504340127322979884849883842306663453018960250560834067472479033116264539127330613635903666209920113813160301513820286874124210921593865507657148933555053341577090100101684021531775022459
q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))
NSSCTF{Y0U_hAV3_g0T_Th3_r1ghT_AnsW3r}
四、[LitCTF 2023]babyLCG——LCG求a、b、m、seed
1.题目:
from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
bit_len = m.bit_length()
a = getPrime(bit_len)
b = getPrime(bit_len)
p = getPrime(bit_len+1)
seed = m
result = []
for i in range(10):
seed = (a*seed+b)%p
result.append(seed)
print(result)
"""
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
"""
2.LCG数学推导
3.python脚本
from functools import reduce
import gmpy2
import libnum
# 已知
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878,
193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390,
1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943,
659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506,
111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829,
1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909,
655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698,
1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851,
492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509,
70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
# 第一阶段,获得模数m。一组数据即可,可以不使用列表
list1 = [s1 - s0 for s0, s1 in zip(result, result[1:])]
list2 = [t2 * t0 - t1 * t1 for t0, t1, t2 in zip(list1, list1[1:], list1[2:])]
m = gmpy2.gcd(list2[1], list2[2])
# m = abs(reduce(gcd, list2))
print(m)
# 第二阶段,获得常数A, B
A_son = result[2] - result[1]
A_mother_ni = gmpy2.invert(result[1] - result[0], m)
A = pow(A_son * A_mother_ni, 1, m)
# print(A)
B = pow(result[1] - A * result[0], 1, m)
# print(B)
# 第三阶段,逆推回seed
A_ni = gmpy2.invert(A, m)
seed = (result[0] - B) * A_ni % m
# print(seed)
flag = libnum.n2s(int(seed))
print(flag)
NSSCTF{31fcd7832029a87f6c9f760fcf297b2f}
五、[安洵杯 2020]easyaes——AES
1.题目:
#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
from Crypto.Util.number import bytes_to_long
from flag import flag
from key import key
iv = flag.strip(b'd0g3{').strip(b'}') # 只保留{}内的内容,flag
LENGTH = len(key)
assert LENGTH == 16
hint = os.urandom(4) * 8 # 随机生成4字节,重复8次
print(bytes_to_long(hint)^bytes_to_long(key)) # 将hint与key进行异或
msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
def encrypto(message):
aes = AES.new(key,AES.MODE_CBC,iv)
return aes.encrypt(message)
print(binascii.hexlify(encrypto(msg))[-32:])
'''
56631233292325412205528754798133970783633216936302049893130220461139160682777
b'3c976c92aff4095a23e885b195077b66'
'''
2.解题:
加密流程:先将密文分组,然后每组生成密文与明文异或后,使用秘钥加密成密文,第一组加密,初始化向量充当密文
解密流程:将最后密文使用秘钥解密后,与前一组密文异或,得到部分明文,最后得到初始化向量
hint由重复八次的4个字节组成,key有15字节,所以异或后会有一部分hint保留,将hint转换为字符串,可以看到有部分重复的字节
由此推断,hint为 ‘}4$d’ * 8,然后异或可以得到key
import libnum
a = 56631233292325412205528754798133970783633216936302049893130220461139160682777
print(libnum.n2s(int(a)))
hint = '}4$d'
key = a ^ libnum.s2n(hint * 8)
print(libnum.n2s(int(key)))
#b'}4$d}4$d}4$d}4$d\x19\x04CW\x06CA\x08\x1e[I\x01\x04[Q\x19'
#b'd0g3{welcomeyou}'
然后将信息进行分组,解密
3.python脚本
import binascii
from Crypto.Cipher import AES
import libnum
from Crypto.Util.strxor import strxor
a = 56631233292325412205528754798133970783633216936302049893130220461139160682777
print(libnum.n2s(int(a)))
hint = '}4$d'
key = a ^ libnum.s2n(hint * 8)
print(libnum.n2s(int(key)))
key_bytes = libnum.n2s(int(key)) # 确保key是字节
# 确保密钥长度为 16 字节
key = key_bytes[:16] # 截取前 16 字节
print(f"Key: {key}")
msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
msgs = [msg[i:i+16] for i in range(0, len(msg), 16)]
msgs.reverse() # 将列表反转
IV = binascii.unhexlify('3c976c92aff4095a23e885b195077b66')
def decry(key, iv, ms):
aes = AES.new(key, AES.MODE_ECB) # 如果秘钥不是16,则需要进行填充或者截断
return strxor(aes.decrypt(iv), ms) # 将参数进行异或操作
for ms in msgs:
IV = decry(key, IV, ms)
print(b'd0g3{' + IV + b'}')
注意:将key转换为字节
NSSCTF{aEs_1s_SO0o_e4sY}