[NSSCTF 2022 Spring Recruit] Crypto wp

已于 2022-03-22 22:38:59 修改
阅读量2.1k 收藏 1
点赞数
分类专栏: CTF 文章标签: python
于 2022-03-22 22:37:36 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/bestkasscn/article/details/123673328
版权

[NSSCTF 2022 Spring Recruit] Crypto wp

classic

题目

UZZJAM{UIXETGR7TMWD42SKTCWEP4AG_mhrlmshnayfihzl}

第一层是凯撒密码

NSSCTF{NBQXMZK7MFPW42LDMVPXI4TZ_fakeflagtrybase}

稍微有点英语基础就知道fakeflagtrybase是假flag,然后去试base,最后用base32解NBQXMZK7MFPW42LDMVPXI4TZ得have_a_nice_try,用NSSCTF{}包裹就行。

factor

题目

n=240546297453496858231088405356129350257,你能把这个整数分解成两个素数的积吗?=> n = p * q
flag:NSSCTF{md5(min(p,q)+max(p,q))}

素数分解问题,属于RSA算法中的数学问题,是基于这样的事实:生成大素数是容易的,但是给定一个大数(两个素数的乘积),找出它的因子(素数分解)是困难的。常用分解素数方法:1.yafu
2.sage 3.factordb在线网站,这里讲第一种。
在这里插入图片描述自己去网上找yafu的包,下载好后进入目录下打开cmd输入yafu-x64.exe启动,启动后使用factor(n)
即可分解,分解出p = 13891650093628440437, q = 17315890900809982861,拼接后再md5加密即可得到flag

Vigenere

题目

Ulw prodw ybspv bc a yainoxav ctsyg , nmp znwaf kqpjilr wef spq xsexx ik gpyz eumyr oavupyl xhcwhvvpr. FLCCLX{eeztlh_xewvu_lpy}Uhwe gf vuf wltqe wpkgjry pref wxrsc ztc tzw rrswgg. Ovwjaboi'k esfwlkzf mk tvl suvvok sl k lgl qs ssdx , rak kgifr cbxdk kvnhik yboe tgvok thbn lg fljry .Produced by .Zyd ak kzqejmsad , ljr qigive ozq ubw vxctafa vo lsgn slspqt bestkasscn jgkovwj ka ulw uklsfer csla onvk , vuf twhzlw ojb jw ykkshwf oz hwldifq mapak mral Yqq cikmywk vgfumfr yn zao bopq hxlq .
仔细找找key吧

不出意外的话比较有意义的,最有可能是key的单词只有Produced by bestkasscn。一个个试就行了。

rrrsssaaa

题目

from Crypto.Util.number import *
import gmpy2
from functools import reduce
from secret import flag

p = getPrime(1024)
i = 0
while True:
    r = p * 5 + i
    if isPrime(r):
        i = 0
        break
    else:
        i += 1
while True:
    q = p * 10 + i
    if isPrime(q):
        break
    else:
        i += 1

n = p * q * r
e = 65537
c = pow(bytes_to_long(flag.encode()), e, n)
print('c=' + str(c))
print('p3=' + str(pow(p, 3, n)))
print('q3=' + str(pow(q, 3, n)))
print('r3=' + str(pow(r, 3, n)))
# n = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761441087845248621463389786351743200696279604003824362262237505386409700329605140703782099240992158439201646344692107831931849079888757310523663310273856448713786678014221779214444879454790399990056124051739535141631564534546955444505648933134838799753362350266884682987713823886338789502396879543498267617432600351655901149380496067582237899323865338094444822339890783781705936546257971766978222763417870606459677496796373799679580683317833001077683871698246143179166277232084089913202832193540581401453311842960318036078745448783370048914350299341586452159634173821890439194014264891549345881324015485910286021846721593668473
# c = 11212699652154912414419576042130573737460880175860430868241856564678915039929479534373946033032215673944727767507831028500814261134142245577246925294110977629353584372842303558820509861245550773062016272543030477733653059813274587939179134498599049035104941393508776333632172797303569396612594631646093552388772109708942113683783815011735472088985078464550997064595366458370527490791625688389950370254858619018250060982532954113416688720602160768503752410505420577683484807166966007396618297253478916176712265476128018816694458551219452105277131141962052020824990732525958682439071443399050470856132519918853636638476540689226313542250551212688215822543717035669764276377536087788514506366740244284790716170847347643593400673746020474777085815046098314460862593936684624708574116108322520985637474375038848494466480630236867228454838428542365166285156741433845949358227546683144341695680712263215773807461091898003011630162481
# p3 = 891438237083490546089708018947678893226384856270496377765399277417697191150845296075484241536063149330788867177806265725641352439792185047059884077696267280233195764685547392586251429555216372682368991273055524268769223153988946085858123028200360359212117360701384933036871231911448311911374115683475228820531478240539549424647154342506853356292956506486091063660095505979187297020928573605860329881982122478494944846700224611808246427660214535971723459345029873385956677292979041143593821672034573140001092625650099257402018634684516092489263998517027205660003413512870074652126328536906790020794659204007921147300771594986038917179253827432120018857213350120695302091483756021206199805521083496979628811676116525321724267588515105188480380865374667274442027086789352802613365511142499668793725505110436809024171752137883546327359935102833441492430652019931999144063825010678766130335038975376834579129516127516820037383067
# q3 = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761440671033435053531971051698504592848580356684103015611323747688216493729331061402058160819388999663041629882482138465124920580049057123360829897432472221079140360215664537272316836767039948368780837985855835419681893347839311156887660438769948501100287062738217966360434291369179859862550767272985972263442512061098317471708987686120577904202391381040801620069987103931326500146536990700234262413595295698193570184681785854277656410199477649697026112650581343325348837547631237627207304757407395388155701341044939408589591213693329516396531103489233367665983149963665364824119870832353269655933102900004362236232825539480774
# r3 = 22285955927087263652242700473691972330659621406762409444134981935442429778771132401887106038401578733269721679445156643141033810994804626176497101942406682005829894117138684814656285738880409317059224781826388106719230578849723652146453075705009008980302934017534623325921780797786207797784352892086880720749202442492937918619992591614713131681306874944356693778359565004415437554407990089293135634916859631279984463829118336826115430997439527110961309956466956650522900331263720500751112297418506140413317489683875995326726992533904683800042127871963320754241310699432792081707870167598822650064976439270556418985242630368723264289700246406905189810458354474959276748887369363592834205660349184660073395182450526542246354364903399132116153732074081050985584216815493617906868615192465631416955706457835185743023758573279838341229835613609332206338401219168119635681832981552328638132500079074010106995297184587143613134093145

exp

from Crypto.Util.number import *
import gmpy2
from functools import reduce
from secret import flag

n = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761441087845248621463389786351743200696279604003824362262237505386409700329605140703782099240992158439201646344692107831931849079888757310523663310273856448713786678014221779214444879454790399990056124051739535141631564534546955444505648933134838799753362350266884682987713823886338789502396879543498267617432600351655901149380496067582237899323865338094444822339890783781705936546257971766978222763417870606459677496796373799679580683317833001077683871698246143179166277232084089913202832193540581401453311842960318036078745448783370048914350299341586452159634173821890439194014264891549345881324015485910286021846721593668473
c = 11212699652154912414419576042130573737460880175860430868241856564678915039929479534373946033032215673944727767507831028500814261134142245577246925294110977629353584372842303558820509861245550773062016272543030477733653059813274587939179134498599049035104941393508776333632172797303569396612594631646093552388772109708942113683783815011735472088985078464550997064595366458370527490791625688389950370254858619018250060982532954113416688720602160768503752410505420577683484807166966007396618297253478916176712265476128018816694458551219452105277131141962052020824990732525958682439071443399050470856132519918853636638476540689226313542250551212688215822543717035669764276377536087788514506366740244284790716170847347643593400673746020474777085815046098314460862593936684624708574116108322520985637474375038848494466480630236867228454838428542365166285156741433845949358227546683144341695680712263215773807461091898003011630162481
p3 = 891438237083490546089708018947678893226384856270496377765399277417697191150845296075484241536063149330788867177806265725641352439792185047059884077696267280233195764685547392586251429555216372682368991273055524268769223153988946085858123028200360359212117360701384933036871231911448311911374115683475228820531478240539549424647154342506853356292956506486091063660095505979187297020928573605860329881982122478494944846700224611808246427660214535971723459345029873385956677292979041143593821672034573140001092625650099257402018634684516092489263998517027205660003413512870074652126328536906790020794659204007921147300771594986038917179253827432120018857213350120695302091483756021206199805521083496979628811676116525321724267588515105188480380865374667274442027086789352802613365511142499668793725505110436809024171752137883546327359935102833441492430652019931999144063825010678766130335038975376834579129516127516820037383067
q3 = 44571911854174527304485400947383944661319242813524818888269963870884859557542264803774212076803157466539443358890313286282067621989609252352994203884813364011659788234277369629312571477760818634118449563652776213438461157699447304292906151410018017960605868035069246651843561595572415595568705784173761440671033435053531971051698504592848580356684103015611323747688216493729331061402058160819388999663041629882482138465124920580049057123360829897432472221079140360215664537272316836767039948368780837985855835419681893347839311156887660438769948501100287062738217966360434291369179859862550767272985972263442512061098317471708987686120577904202391381040801620069987103931326500146536990700234262413595295698193570184681785854277656410199477649697026112650581343325348837547631237627207304757407395388155701341044939408589591213693329516396531103489233367665983149963665364824119870832353269655933102900004362236232825539480774
r3 = 22285955927087263652242700473691972330659621406762409444134981935442429778771132401887106038401578733269721679445156643141033810994804626176497101942406682005829894117138684814656285738880409317059224781826388106719230578849723652146453075705009008980302934017534623325921780797786207797784352892086880720749202442492937918619992591614713131681306874944356693778359565004415437554407990089293135634916859631279984463829118336826115430997439527110961309956466956650522900331263720500751112297418506140413317489683875995326726992533904683800042127871963320754241310699432792081707870167598822650064976439270556418985242630368723264289700246406905189810458354474959276748887369363592834205660349184660073395182450526542246354364903399132116153732074081050985584216815493617906868615192465631416955706457835185743023758573279838341229835613609332206338401219168119635681832981552328638132500079074010106995297184587143613134093145

p = gmpy2.iroot(p3, 3)[0]
i = 0
while True:
    q = p * 5 + i
    if isPrime(q):
        i = 0
        break
    else:
        i += 1

while True:
    r = p * 10 + i
    if isPrime(r):
        i = 0
        break
    else:
        i += 1
phiN = (p - 1) * (q - 1) * (r - 1)
e = 2
while True:
    try:
        print(e)
        d = gmpy2.invert(e, phiN)
        m = long_to_bytes(pow(c, d, n))
        if b'NSSCTF' in m:
            print(m)
            break
        else:
            e = gmpy2.next_prime(e)
    except:
        e = gmpy2.next_prime(e)
        pass

automatic

题目

from Crypto.Util.number import *
import random
from secret import flag
import socketserver
import string

table = string.ascii_letters + string.digits


class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b''):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table) for _ in range(20)])).encode()
        self.send(b'welcome to NSS,GL & HF')
        self.send(b'do you know what automated RSA solver is?')
        self.send(b'I don\'t know but I want you show me that')
        p = getPrime(128)
        q = getPrime(128)
        n = p * q
        e1 = getPrime(24)
        e2 = getPrime(24)
        c1 = pow(bytes_to_long(proof), e1, n)
        c2 = pow(bytes_to_long(proof), e2, n)
        self.send(b'n='+str(n).encode())
        self.send(b'e1=' + str(e1).encode())
        self.send(b'e2=' + str(e2).encode())
        self.send(b'c1=' + str(c1).encode())
        self.send(b'c2=' + str(c2).encode())
        XXXX = self.recv(prompt=b'[+] Plz Tell Me proof :')
        if len(XXXX) != 20 or XXXX != proof:
            return False
        return True

    def handle(self):
        proof = self.proof_of_work()
        if not proof:
            self.request.close()
        counts = 0
        for i in range(777):
            proof = self.proof_of_work()
            if proof:
                self.send("correct".encode())
                counts += 1
            else:
                self.send("incorrect".encode())
        if counts == 777:
            self.send(b'You get flag!')
            self.send(flag)
        else:
            self.send(b'something wrong?')
        self.request.close()


class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass


class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass


if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 12000
    print("HOST:POST " + HOST + ":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever()

exp

from pwn import *
import string
from Crypto.Util.number import *
import sys

sys.setrecursionlimit(1000000)


def egcd(a, b):
    if a == 0:
        return b, 0, 1
    else:
        g, y, x = egcd(b % a, a)
        return g, x - (b // a) * y, y


def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m


def CommonMode(e1, e2, c1, c2, n):
    s = egcd(e1, e2)
    s1 = s[1]
    s2 = s[2]

    if s1 < 0:
        s1 = - s1
        c1 = modinv(c1, n)
    elif s2 < 0:
        s2 = - s2
        c2 = modinv(c2, n)
    m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
    return long_to_bytes(m).decode()


# 创建由大小写字母和数字组成的字典
dir = string.ascii_letters + string.digits
# 自己改环境
p = remote("112.124.34.157", 12000)

for i in range(77):
    p.recvuntil('n=')
    n = int(p.recvline().strip().decode())
    p.recvuntil('e1=')
    e1 = int(p.recvline().strip().decode())
    p.recvuntil('e2=')
    e2 = int(p.recvline().strip().decode())
    p.recvuntil('c1=')
    c1 = int(p.recvline().strip().decode())
    p.recvuntil('c2=')
    c2 = int(p.recvline().strip().decode())
    res = CommonMode(e1, e2, c1, c2, n)
    p.sendlineafter('[+] Plz Tell Me proof :', res)
    print("i=" + str(i))
p.recvuntil('You get flag!')
print(p.recvlines(2))

建议学一下pwntools的用法

bestkasscn
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
NISACTF 2022 writeup
st1cky的博客
03-29 3万+
周末两天的比赛 WEB(11/12)、PWN(5/6)、Reverse(3/6)、Crypto(3/7)、Misc(8/12) WEB没有AK还是略有遗憾,到后面实在做不动了。 第一次写这么长的WP… WEB checkin <?php error_reporting(0); include "flag.php"; // ‮⁦NISACTF⁩⁦Welcome to if ("jitanglailo" == $_GET[ahahahaha] &‮⁦+!!⁩⁦& "‮⁦ Flag!.
recruit
03-22
recruit
CyberFastTrack_SP2020:Cyber​​ FastTrack 2020SpringCTF的文章和解决方案的集合
03-08
Cyber​​ FastTrack 2020年Spring 现在比赛已经结束,我们可以自由地“鼓励”分享解决方案和文章(根据比赛开始前计划组织者发送的电子邮件)。 作为赢家,我能够完成95%的挑战,但不幸的是,在进行FE06和BM03时,时间和精力都用光了。 这些是按问题类型和难度组织的: 一般的 简单 中等的 二进制漏洞利用 简单 中等的 BM03 (未解决) 难的 极端 法证 简单 中等的 难的 网络 中等的 难的 逆向工程 中等的 难的 极端 网络漏洞 简单 中等的 难的
CTF刷题第一周
qq_62660611的博客
11-10 1445
第一周刷题记录
一些简单的NSSCTF的web wp(SPWU篇)
2303_79513877的博客
03-17 682
另:若遇到===这样的强类型比较,方法一就失效了,方法二仍然有效,或者还可以使用软件fastcoll进行md5碰撞,生成两个字符串使得他们的md5值相同。方法一: 可以使用带0e开头的数字穿进行传递参数,因为php会将0e开头的数字转化为0,故此时md5值相等,而两个变量值不相等;方法二: 可以传递数组,如name[]=123,password[]=456,md5不能加密数组,故两个md5返回的都是null。由题查看根目录下文件,查看f…可以发现此时判断md5值是否一样用的是==,这是php的弱类型比较,
[CISCN 2021 华南赛区]rsa Writeup
bestkasscn的博客
05-16 757
[CISCN 2021 华南赛区]rsa 题目描述 from flag import text,flag import md5 from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime assert md5.new(text).hexdigest() == flag[6:-1] msg1 = text[:xx] msg2 = text[xx:yy] msg3 = text[yy:] msg1 = bytes_to_long(
百度语音合成data:audio/x-mpeg;base64转mp3
热门推荐
z19980115的博客
06-24 51万+
百度语音base64转mp3
记一次[NSSCTF 2022 Spring Recruit]babyphp
dangwobucunzai的博客
03-10 427
第三个if,这里要求b1!=b2,但是又要求md5值相同,在这里也同样是用到了数组绕过,如果md5() 中传入的不是字符串而是数组,不但md5()函数不会报错,结果还会返回null,在强比较(===)里面null=null为true绕过,b1与b2设置不同的值即可,此处传参 b1[]=1&b2[]=2 即可绕过。$a和$b都传入md5()后,得到值为0e开头的数据,会将其识别为科学计数法,结果都为零。通过观察代码,可发现需要通过四个if判断才能拿到我们的flag。这里我使用的是数组绕过,传参 a[]=1。
[NSSCTF 2022 Spring Recruit]classic
squnfan的博客
12-13 69
发现flag错误,再观察,fakeflagtrybase再用ciphey解一下得到flag{have a nice try},发现还不对看题解发现是flag{have_a_nice_try} QAQ。打开附件得到密文UZZJAM{UIXETGR7TMWD42SKTCWEP4AG_mhrlmshnayfihzl}直接用ciphey。
NSSCTF Crypto靶场练习,21-30wp
Sciurdae的博客
12-11 1052
题目也只给了 flag 和 n,flag应该是加密过后的c;小明文攻击的情况就三种,e = 3,e = 2,e = 1;观察文本里有俩个等号,如果是base的话,这俩个等号应该在结尾才对。也是RSA,有了e1*e2的值。也是可以用爆破,依次爆e1和e2的值。试了一下,发现是base32,得到flag NSSCTF{have_a_nice_tey}俩个模数n,以及同一个q,可以先用共享素数攻击,可以得到p和q1。再用凯撒密码,试试。附件打开,RSA加密,根据rsa公式计算。用在线网站解一下,发现可以解。
NSSCTF】-刷题笔记
ZhangAweio的博客
05-02 528
这句话说明,只要我们上传的名字中包含 “.”的都会返回 403 “bad filename”这条代码就有意思了,明显是执行SQL语句的代码,插入 一个 id 和 文件地址 ,加文件名称。我们只需要 插入一个 文件名为 /flag 的就可以拿到 flag 了。看到条件大于65分就给你 flag,我们直接修改js代码。后面改成100 ,我们每次点的时候就的100分。这个题目就有意思了,考的的是python web。提示有个/source,我们打开它。我们将它关键的部分进行代码审计,,我们打开F12 看看有啥,
NSSCTF做题(5)
wwwwyyyrre的博客
09-30 7909
注意 PHP>=5.3.0压缩包需要是zip协议压缩,rar不行,将木马文件压缩后,改为其他任意格式的文件都可以正常使用。然后,将文件的内容作为响应返回。其中a,b1,b2都可以用数组绕过,因为a是正则绕过,b是MD5绕过,接下来看c c强调了要传入c1不等于c2 c1,c2都要是字符串,c1c2的MD5值要相等 所以c就不能用数组绕过,可以用科学计数法0e绕过。它检查请求中是否包含文件,将文件保存到目录中,使用 生成唯一 ID,将 ID 和文件路径插入到数据库中的表中,最后将用户重定向到路由。
招聘系统的springboot后端spring-recruit.zip
最新发布
05-15
该项目利用了基于springboot + vue + mysql的开发...Java、Python、Node.js、Spring Boot、Django、Express、MySQL、PostgreSQL、MongoDB、React、Angular、Vue、Bootstrap、Material-UI、Redis、Docker、Kubernetes
recruit-system
03-06
recruit-system
Recruit Management System-开源
05-10
这是一个由应用程序和数据库组成的开源软件项目。
AIFE_recruit
05-06
(AIFE_recruit)用于地球招聘预测的AI 项目介绍 要研究的问题 方法 项目大纲 数据输入 从以下数据源进一步关注数据类型和集 数据准备和初始分析 可能的ML算法在此范围内进行聚类 以前的数据可视化 测试与评分数据...
NSS [CISCN 2022 西南]rsa
shshss64的博客
11-05 325
基础数论
Crypto学习笔记
wyhbbbb的博客
11-28 379
看到密码中插着的两个=,可以看出来不是简单的base64,而是通过栅栏密码加密过后的。由题目中提示可以知道key=23。利用在线维吉尼亚解密工具即可。在解密文章中出现了flag。今年是本世纪的第23年呢。共享素数类的都可以用。
NSSCTF刷题wp——Crypto入门
YougerXen的博客
04-10 1934
NSSCCTF Crypto 探索 Crypto入门 [鹤城杯 2021]easy_crypto ID:453 公正公正公正诚信文明公正民主公正法治法治诚信民主自由敬业公正友善公正平等平等法治民主平等平等和谐敬业自由诚信平等和谐平等公正法治法治平等平等爱国和谐公正平等敬业公正敬业自由敬业平等自由法治和谐平等文明自由诚信自由平等富强公正敬业平等民主公正诚信和谐公正文明公正爱国自由诚信自由平等文明公正诚信富强自由法治法治平等平等自由平等富强法治诚信和谐 社会主义核心价值观密码,直接解,在线工具 解出后得fl
ModuleNotFoundError: No module named recruit
12-27
根据提供的引用内容,报错信息"ModuleNotFoundError: No module named recruit"表示在运行过程中找不到名为"recruit"的模块。这可能是因为你没有安装或导入该模块。 要解决这个问题,你可以按照以下步骤进行操作: ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

bestkasscn

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值