XCTF-攻防世界-密码学crypto-高手进阶区-writeup

目录

0x00 告诉你个秘密

0x01 cr3-what-is-this-encryption

0x02 flag_in_your_hand

0x03 Broadcast

0x04 你猜猜

0x05 工业协议分析2

0x06 wtc_rsa_bbq

0x07 工控安全取证

0x08 简单流量分析

0x09 cr4-poor-rsa

0x0A enc

---

0x00 告诉你个秘密

密文：分成了两段

636A56355279427363446C4A49454A7154534230526D6843
56445A31614342354E326C4B4946467A5769426961453067

Hex->text

cjV5RyBscDlJIEJqTSB0RmhC
VDZ1aCB5N2lKIFFzWiBiaE0g

 base64->text

r5yG lp9I BjM tFhB
T6uh y7iJ QsZ bhM 

 在键盘敲一遍，每一组包围的键就是密码

T O N G
Y U A N
TONGYUAN

---

0x01 cr3-what-is-this-encryption

Fady同学以为你是菜鸟，不怕你看到他发的东西。他以明文形式将下面这些东西发给了他的朋友，他严重低估了我们的解密能力

p=0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
q=0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
e=0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
c=0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520

题中给出了p、q、e、c，符合RSA的特征，根据已知信息算出解密密钥d进行解密即可

from Crypto.Util.number import long_to_bytes

p=0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
q=0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
e=0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
c=0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520


def exgcd(a, n):
    if n == 0:
        return 1, 0
    else:
        x, y = exgcd(n, a % n)
        x, y = y, x - (a // n) * y
        return x, y


def getReverse(a, n):
    re, y = exgcd(a, n)
    while(re < 0):
        re += n
    return re


if __name__ == "__main__":
    d = getReverse(e, (p - 1)*(q - 1))
    n = p * q
    m = pow(c, d, n)
    plaintext = long_to_bytes(m)
    print(plaintext)

---

0x02 flag_in_your_hand

附件是一个html文件和一份js代码

js代码中的核心部分如下，需要使函数饭回true

function ck(s) {
    try {
        ic
    } catch (e) {
        return;
    }
    var a = [118, 104, 102, 120, 117, 108, 119, 124, 48,123,101,120];
    if (s.length == a.length) {
        for (i = 0; i < s.length; i++) {
            if (a[i] - s.charCodeAt(i) != 3)
                return ic = false;
        }
        return ic = true;
    }
    return ic = false;
}

通过Python解密得到字符串s

#!/usr/bin/python
# -*- coding=utf -*-

a = [118, 104, 102, 120, 117, 108, 119, 124, 48,123,101,120]
for i in a:
    print(chr(i-3), end='')

---

0x03 Broadcast

题目描述：粗心的Alice在制作密码的时候，把明文留下来，聪明的你能快速找出来吗？

本来以为题目又开始忽悠了，没想到真这么实诚

msg = 'Hahaha, Hastad\'s method don\'t work on this. Flag is flag{fa0f8335-ae80-448e-a329-6fb69048aae4}.'

0x04 你猜猜

我们刚刚拦截了，敌军的文件传输获取一份机密文件，请君速速破解。

密文：

504B03040A0001080000626D0A49F4B5091F1E0000001200000008000000666C61672E7478746C9F170D35D0A45826A03E161FB96870EDDFC7C89A11862F9199B4CD78E7504B01023F000A0001080000626D0A49F4B5091F1E00000012000000080024000000000000002000000000000000666C61672E7478740A0020000000000001001800AF150210CAF2D1015CAEAA05CAF2D1015CAEAA05CAF2D101504B050600