题目:
首先,我们审计题目,题目给了我们一个flag(c值)和public(n和e值),于是我们首先的第一步便是 将我们可以得到三个值找出来:
with open('flag.enc','rb')as f:
c=bytes_to_long(f.read())
print(c)
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
with open('public.pem','rb')as f:
f1=f.read()
con=RSA.importKey(f1)
n=con.n
e=con.e
print(n,e)
print(gmpy2.iroot(n,3)[1])
for i in range(0,100000):
c+=i*n
if gmpy2.iroot(c,3)[1]:
print(long_to_bytes(gmpy2.iroot(c,3)[0]))
求得我们所需的c值和ne值:
n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
e=3
接着,我们观察题目,我首先的第一个想法是小明文爆破,结果没有得到所需的flag,再加上题目中出题人给的{easy?},所以判断不是此类问题,于是,开始尝试常规的rsa求解,先将n值分解,解得:
p1=26440615366395242196516853423447
p2=27038194053540661979045656526063
p3=32581479300404876772405716877547
求出phi值,发现gcd(e,phi)=3,于是转换思路:
p = 26440615366395242196516853423447 q = 27038194053540661979045656526063 r = 32581479300404876772405716877547x^3 mod p = ct mod p = 20827907988103030784078915883129 x^3 mod q = ct mod q = 19342563376936634263836075415482 x^3 mod r = ct mod r = 10525283947807760227880406671000我们可以求解出三个函数分别对应的x值;
#sagemath
n=26440615366395242196516853423447
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(13374868592866626517389128266735, 1), (7379361747422713811654086477766, 1), (5686385026105901867473638678946, 1)]
n=27038194053540661979045656526063
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(19616973567618515464515107624812, 1)]
n=32581479300404876772405716877547
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(13404203109409336045283549715377, 1), (13028011585706956936052628027629, 1), (6149264605288583791069539134541, 1)]
求解出:
a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
b=[19616973567618515464515107624812]
c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]
可以看到有3*1*3=9,也就是说有9种情况需要我们来讨论(使用中国剩余定理)
for x in a:
for y in b:
for z in c:
m = crt(p1,p2,p3,x, y, z)
m=long_to_bytes(m)
if b'ctf{' in m:
print(m)
break
exp:
from Crypto.PublicKey import RSA
import gmpy2
from Crypto.Util.number import *
with open('flag.enc','rb')as f:
c=bytes_to_long(f.read())
print(c)
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
with open('public.pem','rb')as f:
f1=f.read()
con=RSA.importKey(f1)
n=con.n
e=con.e
print(n,e)
print(gmpy2.iroot(n,3)[1])
for i in range(0,100000):
c+=i*n
if gmpy2.iroot(c,3)[1]:
print(long_to_bytes(gmpy2.iroot(c,3)[0]))
p1=26440615366395242196516853423447
p2=27038194053540661979045656526063
p3=32581479300404876772405716877547
phi=(p1-1)*(p2-1)*(p3-1)
n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
e=3
#sagemath
n=26440615366395242196516853423447
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
n=27038194053540661979045656526063
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
n=32581479300404876772405716877547
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
def crt(p1,p2,p3,m1, m2, m3):
sum=0
sum=m1*p2*p3*gmpy2.invert(p2*p3,p1)+m2*p1*p3*gmpy2.invert(p1*p3,p2)+m3*p1*p2*gmpy2.invert(p1*p2,p3)
return(sum%n)
a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
b=[19616973567618515464515107624812]
c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]
for x in a:
for y in b:
for z in c:
m = crt(p1,p2,p3,x, y, z)
m=long_to_bytes(m)
if b'ctf{' in m:
print(m)
break
最终得到:b'\x02\xd1^\xcb\x84\x84RC\xf3J\x000ctf{HahA!Thi5_1s_n0T_rSa~}\n'