Cryptohack_SYMMETRIC CIPHERS(1)

SYMMETRIC STARTER Passwords as Keys

字典爆破:密钥只是字典中某个单词的 MD5,密钥空间很小,逐个尝试即可。防御上应使用随机密钥,或用带盐的慢速 KDF 从口令派生密钥。

import requests
import tqdm
from Crypto.Cipher import AES
import hashlib
from Crypto.Util.number import *
import tqdm
import random
import binascii

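# Passwords as Keys: the AES key is MD5(dictionary word), so the key space is
# only as large as the word list and every candidate can be checked offline.
# Mitigation: use a randomly generated key, or derive the key from the
# password with a salted, deliberately slow KDF (PBKDF2 / scrypt / Argon2).
# HTTPS is used here to match the other requests in this write-up.
result = requests.get('https://aes.cryptohack.org/passwords_as_keys/encrypt_flag', timeout=10)
result.raise_for_status()  # fail loudly instead of parsing an error page as JSON
ciphertexthex = result.json()["ciphertext"]
print(ciphertexthex)
# Sample response:
# ciphertexthex='c92b7734070205bdf6c0087a751466ec13ae15e6f1bcdd3f3a535ec0f4bbae66'

# Decode once: the ciphertext does not change between candidates.
ciphertext = bytes.fromhex(ciphertexthex)
with open('D:/2023/crypto/words.txt', 'r') as f:
    # Stream the word list line by line rather than loading it whole.
    for words in f:
        words = words.strip()
        # An MD5 digest is 16 bytes, so it is used directly as an AES-128 key.
        key = hashlib.md5(words.encode()).digest()
        cipher = AES.new(key, AES.MODE_ECB)
        decrypted = cipher.decrypt(ciphertext)
        # The known flag prefix tells a correct key from garbage output.
        if b'crypto{' in decrypted:
            print(decrypted)
            break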

BLOCK CIPHERS  ECB CBC WTF

服务端用 CBC 加密、用 ECB 解密,且两者使用同一个 key。把 ECB 解密得到的每个分组再与前一个密文分组(第一个分组与 IV)异或,即可消除 IV 和链接的影响、还原明文。

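# ECB CBC WTF: the service encrypts with CBC but exposes an ECB decryption
# endpoint under the same key. ECB-decrypting block i yields D_k(C_i), and the
# CBC plaintext is P_i = D_k(C_i) XOR C_{i-1}, with C_0 = IV.
# Mitigation: never expose a raw block-decryption oracle for a key that also
# protects CBC data; use an authenticated mode and keep keys single-purpose.
result = requests.get('https://aes.cryptohack.org/ecbcbcwtf/encrypt_flag/', timeout=10)
result.raise_for_status()
ciphertexthex = result.json()["ciphertext"]
print(ciphertexthex)
# The response is IV || ciphertext, hex-encoded (32 hex chars per 16-byte block).
iv = ciphertexthex[0:32]
c = ciphertexthex[32:]
print(iv, c)
print(len(c))
result = requests.get('https://aes.cryptohack.org/ecbcbcwtf/decrypt/' + c, timeout=10)
result.raise_for_status()
plaintexthex = result.json()["plaintext"]

# Work on bytes rather than big integers: int -> long_to_bytes silently drops
# leading zero bytes, and a bytes-based loop handles any number of blocks.
chained = bytes.fromhex(ciphertexthex)   # IV followed by the ciphertext blocks
decrypted = bytes.fromhex(plaintexthex)  # D_k(C_i) for each ciphertext block
for offset in range(0, len(decrypted), 16):
    # chained[offset:offset+16] is the block *preceding* ciphertext block i,
    # because `chained` still carries the IV in front.
    previous = chained[offset:offset + 16]
    block = bytes(x ^ y for x, y in zip(decrypted[offset:offset + 16], previous))
    print(block)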

BLOCK CIPHERS  ECB Oracle

逐字节爆破(类似盲注):ECB 模式下相同的明文分组总是得到相同的密文分组,因此可以通过比较密文分组逐个字符地确定 flag。


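# ECB Oracle: the service encrypts (user input || flag) with ECB. ECB is
# deterministic per block, so two equal plaintext blocks give equal ciphertext
# blocks, which leaks the secret one character at a time.
# Mitigation: do not use ECB; use an authenticated mode with a fresh nonce
# (e.g. AES-GCM) and avoid encrypting caller-chosen data next to a secret.
#
# NOTE(review): `sprint` is not defined in the visible listing; presumably it
# is the candidate alphabet (something like string.printable) - confirm.
flag = "crypto{p3n6u1n5"  # progress recovered so far, hard-coded by the author

# Stage 1: first 15 characters. Padding is chosen so that the next unknown
# character is the last byte of the first block.
while len(flag) < 15:
    tmp0 = 'a' * (15 - len(flag))
    result = requests.get('https://aes.cryptohack.org/ecb_oracle/encrypt/' + tmp0.encode().hex(), timeout=10)
    result.raise_for_status()
    ciphertexthex = result.json()["ciphertext"]
    ctmp0 = ciphertexthex[0:32]  # reference: first ciphertext block
    print(ctmp0)
    for kk in sprint:
        tmp0 = 'a' * (15 - len(flag)) + flag + kk
        result = requests.get('https://aes.cryptohack.org/ecb_oracle/encrypt/' + tmp0.encode().hex(), timeout=10)
        result.raise_for_status()
        ciphertexthex = result.json()["ciphertext"]
        ctmp1 = ciphertexthex[0:32]
        if ctmp1 == ctmp0:
            flag += kk
            print(flag)
            break
    else:
        # No candidate matched: without this the while loop would never end.
        print("no candidate matched; stopping")
        break
print(flag[-15:])

# Stage 2: characters 16..31. Padding is chosen so that the next unknown
# character is the last byte of the second block; the guess block is the last
# 15 known characters plus the candidate, encrypted as the first block.
while len(flag) < 31:
    tmp0 = 'a' * (31 - len(flag))
    result = requests.get('https://aes.cryptohack.org/ecb_oracle/encrypt/' + tmp0.encode().hex(), timeout=10)
    result.raise_for_status()
    ciphertexthex = result.json()["ciphertext"]
    ctmp0 = ciphertexthex[32:64]  # reference: second ciphertext block
    print(ctmp0)
    for kk in sprint:
        tmp0 = flag[-15:] + kk
        result = requests.get('https://aes.cryptohack.org/ecb_oracle/encrypt/' + tmp0.encode().hex(), timeout=10)
        result.raise_for_status()
        ciphertexthex = result.json()["ciphertext"]
        ctmp1 = ciphertexthex[0:32]
        if ctmp1 == ctmp0:
            flag += kk
            print(flag)
            break
    else:
        # Reached when the secret is shorter than the 31-character bound:
        # the next byte is then padding and matches none of the candidates.
        print("no candidate matched; stopping")
        break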

BLOCK CIPHERS Flipping Cookie

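验证 cookie 时 IV 由客户端提交、可被控制。CBC 解密时第一个明文分组等于分组解密结果与 IV 的异或,因此修改 IV 会让第一个明文分组发生对应的按位翻转。防御上应对 cookie(连同 IV)做完整性校验,例如使用 HMAC 或 AEAD 模式。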

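# Flipping Cookie: the cookie is CBC-encrypted without any integrity check and
# the verifier accepts a caller-supplied IV. In CBC, P_1 = D_k(C_1) XOR IV, so
# XOR-ing a delta into the IV applies the same delta to the first plaintext block.
# Mitigation: authenticate the IV and ciphertext (HMAC or an AEAD mode) and
# reject anything that fails verification before decrypting.
from Crypto.Util.Padding import pad  # `pad` is used below but not imported in the listing

expires_at = "11231"
cookie = f"admin=False;expiry={expires_at}".encode()
print(cookie)
padded = pad(cookie, 16)
hex1 = padded.hex()
print(hex1)
cookie = f"admin=True;expiry={expires_at}".encode()
print(cookie)
padded = pad(cookie, 16)
hex2 = padded.hex()
print(hex2)
# Delta between the first 16-byte blocks of the two plaintexts.
bb = int(hex1[0:32], 16) ^ int(hex2[0:32], 16)

result = requests.get('https://aes.cryptohack.org/flipping_cookie/get_cookie/', timeout=10)
result.raise_for_status()
ciphertexthex = result.json()["cookie"]
print(ciphertexthex)
# The response is IV || ciphertext, hex-encoded.
iv = ciphertexthex[0:32]
# Zero-pad to 32 hex digits: hex(...)[2:] drops leading zeros, which yields a
# short (invalid) IV whenever the top nibble of the result is zero.
ivnew = format(int(iv, 16) ^ bb, '032x')
c = ciphertexthex[32:]
print(iv, c, ivnew)
result = requests.get('https://aes.cryptohack.org/flipping_cookie/check_admin/' + c + "/" + ivnew, timeout=10)
print(result.text)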
