古典base
动态的靶机,给了一串类似base64的东西
开了三个之后发现都是Y开头的
1
2
3
| YxQT3O3hRWNimRjOclIW2NtVhSOiv1GNdlI23Z1EsTY3xUyON21DGLlhMTO9
Ymh3NjQiZ5RWYj0mMhFjC3cvt2O50DLjYjO1EzMkZgR2diJDZ2ATYthCM4BGY9=
YmQG3O2URDO3mMWZcxEm2YtYhSO1v0DYd3gT3M3QsTY4zESOM41T2LhFRTN9
|
把flag的格式给base64一下
1
2
3
| from base64 import *
print(b64encode(b'ctfshow'))
|
可以想到古典是栅栏,然后手撕
TooYoungRSA
题目
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| from nevergonnagiveyouup import n, e
import secrets
from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
if __name__ == "__main__":
with open("flag.txt", "rb") as f:
flag = f.read().strip()
k = secrets.randbelow(n)
print(f"ck = {pow(k, e, n)}")
key = sha256(str(k).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
print(f"ct = {cipher.encrypt(pad(flag, AES.block_size)).hex()}")
while True:
nevergonnaletyoudown = int(input("I just wanna tell you how i'm feeling... "))
assert nevergonnaletyoudown >= 0
print(f"gotta make you understand: {pow(nevergonnaletyoudown, e, n)}")
|
前面环境出问题了,应该是少了nevergonnagiveyouup文件,但是尚师傅教我一招
![image-20220520214706006]()
但是似乎还有问题,后面正常了wtf
不知道$n$那就选择明文攻击,不知道$e$那就爆破
exp如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.number import *
from sage import gcd
c2 = 19535400766445292482811161013376907248
c4 = 204578055089703260122470734791918729510
c8 = 82713691067655249915741921923364231419
n = gcd(c2 ** 2 - c4, c2 ** 3 - c8)
c = 26115541544723216809887468997141815198
p = 12708054401900097883
q = 17618330243237476607
for e in range(0x1000100):
d = inverse(e, n - p - q + 1)
k = pow(c, d, n)
key = sha256(str(k).encode()).digest()
cipher = AES.new(key, AES.MODE_ECB)
ct = bytes.fromhex(
'3334b996bc217636c0791f1e7ee651006cd936eb0893c253999db87ccacabafb2cd383f1fa14b122c6d2465881a12241')
m = cipher.decrypt(ct)
if m.startswith(b'ctfshow') or m.startswith(b'flag'):
print(m)
break
|
