• [0ctf 2016]rsa

    题目:

    首先,我们审计题目,题目给了我们一个flag(c值)和public(n和e值),于是我们首先的第一步便是 将我们可以得到三个值找出来:

    1. with open('flag.enc','rb')as f:
    2.     c=bytes_to_long(f.read())
    3.     print(c)
    4. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    5. with open('public.pem','rb')as f:
    6.     f1=f.read()
    7.     con=RSA.importKey(f1)
    8. n=con.n
    9. e=con.e
    10.  
    11. print(n,e)
    12. print(gmpy2.iroot(n,3)[1])
    13. for i in range(0,100000):
    14.     c+=i*n
    15.     if gmpy2.iroot(c,3)[1]:
    16.         print(long_to_bytes(gmpy2.iroot(c,3)[0]))

    求得我们所需的c值和ne值:

    1. n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
    2. e=3

    接着,我们观察题目,我首先的第一个想法是小明文爆破,结果没有得到所需的flag,再加上题目中出题人给的{easy?},所以判断不是此类问题,于是,开始尝试常规的rsa求解,先将n值分解,解得:

    1. p1=26440615366395242196516853423447
    2. p2=27038194053540661979045656526063
    3. p3=32581479300404876772405716877547

     求出phi值,发现gcd(e,phi)=3,于是转换思路:

    p = 26440615366395242196516853423447
q = 27038194053540661979045656526063
r = 32581479300404876772405716877547
    x^3 mod p = ct mod p = 20827907988103030784078915883129
x^3 mod q = ct mod q = 19342563376936634263836075415482
x^3 mod r = ct mod r = 10525283947807760227880406671000

    我们可以求解出三个函数分别对应的x值;

    1. #sagemath
    2. n=26440615366395242196516853423447
    3. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    4. m=c%n
    5. PR. = PolynomialRing(Zmod(n))
    6. f = x^3-m
    7. x0 = f.roots()
    8. print(x0)
    9. [(13374868592866626517389128266735, 1), (7379361747422713811654086477766, 1), (5686385026105901867473638678946, 1)]
    10.  
    11.  
    12. n=27038194053540661979045656526063
    13. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    14. m=c%n
    15. PR. = PolynomialRing(Zmod(n))
    16. f = x^3-m
    17. x0 = f.roots()
    18. print(x0)
    19. [(19616973567618515464515107624812, 1)]
    20.  
    21. n=32581479300404876772405716877547
    22. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    23. m=c%n
    24. PR. = PolynomialRing(Zmod(n))
    25. f = x^3-m
    26. x0 = f.roots()
    27. print(x0)
    28. [(13404203109409336045283549715377, 1), (13028011585706956936052628027629, 1), (6149264605288583791069539134541, 1)]

     求解出:

    1. a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
    2. b=[19616973567618515464515107624812]
    3. c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]

    可以看到有3*1*3=9,也就是说有9种情况需要我们来讨论(使用中国剩余定理

    1. for x in a:
    2.     for y in b:
    3.         for z in c:
    4.             m = crt(p1,p2,p3,x, y, z)
    5.             m=long_to_bytes(m)
    6.             if b'ctf{' in m:
    7.                 print(m)
    8.                 break

    exp:

    1. from Crypto.PublicKey import RSA
    2. import gmpy2
    3. from Crypto.Util.number import *
    4.  
    5.  
    6. with open('flag.enc','rb')as f:
    7.     c=bytes_to_long(f.read())
    8.     print(c)
    9. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    10. with open('public.pem','rb')as f:
    11.     f1=f.read()
    12.     con=RSA.importKey(f1)
    13. n=con.n
    14. e=con.e
    15.  
    16. print(n,e)
    17. print(gmpy2.iroot(n,3)[1])
    18. for i in range(0,100000):
    19.     c+=i*n
    20.     if gmpy2.iroot(c,3)[1]:
    21.         print(long_to_bytes(gmpy2.iroot(c,3)[0]))
    22.  
    23. p1=26440615366395242196516853423447
    24. p2=27038194053540661979045656526063
    25. p3=32581479300404876772405716877547
    26. phi=(p1-1)*(p2-1)*(p3-1)
    27.  
    28. n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
    29. e=3
    30.  
    31.  
    32. #sagemath
    33. n=26440615366395242196516853423447
    34. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    35. m=c%n
    36. PR. = PolynomialRing(Zmod(n))
    37. f = x^3-m
    38. x0 = f.roots()
    39. print(x0)
    40.  
    41.  
    42.  
    43. n=27038194053540661979045656526063
    44. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    45. m=c%n
    46. PR. = PolynomialRing(Zmod(n))
    47. f = x^3-m
    48. x0 = f.roots()
    49. print(x0)
    50.  
    51.  
    52. n=32581479300404876772405716877547
    53. c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
    54. m=c%n
    55. PR. = PolynomialRing(Zmod(n))
    56. f = x^3-m
    57. x0 = f.roots()
    58. print(x0)
    59.  
    60. def crt(p1,p2,p3,m1, m2, m3):
    61.     sum=0
    62.     sum=m1*p2*p3*gmpy2.invert(p2*p3,p1)+m2*p1*p3*gmpy2.invert(p1*p3,p2)+m3*p1*p2*gmpy2.invert(p1*p2,p3)
    63.     return(sum%n)
    64.  
    65.  
    66.  
    67. a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
    68. b=[19616973567618515464515107624812]
    69. c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]
    70.  
    71. for x in a:
    72.     for y in b:
    73.         for z in c:
    74.             m = crt(p1,p2,p3,x, y, z)
    75.             m=long_to_bytes(m)
    76.             if b'ctf{' in m:
    77.                 print(m)
    78.                 break

    最终得到:b'\x02\xd1^\xcb\x84\x84RC\xf3J\x000ctf{HahA!Thi5_1s_n0T_rSa~}\n'

  • 相关阅读:
    【BOOST C++ 12 函数式编程】(3) Boost.Boost.Bind
    vue独立提供模板下载功能
    鼠标参数以及选购DPI和报告率
    zabbix监控
    chromedriver依赖安装失败 解决办法
    NEON优化:性能优化经验总结
    集合框架----源码解读LikedeHashSet篇
    JavaScript高级
    Linux更新IP后如何配置网卡
    HTTP服务器
  • 原文地址:https://blog.csdn.net/shshss64/article/details/127725865