[0ctf 2016]rsa

JustG012

已于 2022-11-07 10:31:53 修改

阅读量239

点赞数 1

分类专栏： crypto 文章标签：安全 python crypto

于 2022-11-07 10:15:45 首次发布

本文链接：https://blog.csdn.net/shshss64/article/details/127725865

版权

crypto 专栏收录该内容

40 篇文章 2 订阅

订阅专栏

题目：

首先，我们审计题目，题目给了我们一个flag（c值）和public（n和e值），于是我们首先的第一步便是将我们可以得到三个值找出来：

with open('flag.enc','rb')as f:
    c=bytes_to_long(f.read())
    print(c)
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
with open('public.pem','rb')as f:
    f1=f.read()
    con=RSA.importKey(f1)
n=con.n
e=con.e

print(n,e)
print(gmpy2.iroot(n,3)[1])
for i in range(0,100000):
    c+=i*n
    if gmpy2.iroot(c,3)[1]:
        print(long_to_bytes(gmpy2.iroot(c,3)[0]))

求得我们所需的c值和ne值：

n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
e=3

接着，我们观察题目，我首先的第一个想法是小明文爆破，结果没有得到所需的flag，再加上题目中出题人给的{easy？}，所以判断不是此类问题，于是，开始尝试常规的rsa求解，先将n值分解，解得：

p1=26440615366395242196516853423447
p2=27038194053540661979045656526063
p3=32581479300404876772405716877547

求出phi值，发现gcd（e，phi）=3，于是转换思路：

p = 26440615366395242196516853423447
q = 27038194053540661979045656526063
r = 32581479300404876772405716877547

x^3 mod p = ct mod p = 20827907988103030784078915883129
x^3 mod q = ct mod q = 19342563376936634263836075415482
x^3 mod r = ct mod r = 10525283947807760227880406671000

我们可以求解出三个函数分别对应的x值；

#sagemath
n=26440615366395242196516853423447
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(13374868592866626517389128266735, 1), (7379361747422713811654086477766, 1), (5686385026105901867473638678946, 1)]


n=27038194053540661979045656526063
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(19616973567618515464515107624812, 1)]

n=32581479300404876772405716877547
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)
[(13404203109409336045283549715377, 1), (13028011585706956936052628027629, 1), (6149264605288583791069539134541, 1)]

求解出：

a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
b=[19616973567618515464515107624812]
c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]

可以看到有3*1*3=9，也就是说有9种情况需要我们来讨论（使用中国剩余定理）

for x in a:
    for y in b:
        for z in c:
            m = crt(p1,p2,p3,x, y, z)
            m=long_to_bytes(m)
            if b'ctf{' in m:
                print(m)
                break

exp：

from Crypto.PublicKey import RSA
import gmpy2
from Crypto.Util.number import *


with open('flag.enc','rb')as f:
    c=bytes_to_long(f.read())
    print(c)
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
with open('public.pem','rb')as f:
    f1=f.read()
    con=RSA.importKey(f1)
n=con.n
e=con.e

print(n,e)
print(gmpy2.iroot(n,3)[1])
for i in range(0,100000):
    c+=i*n
    if gmpy2.iroot(c,3)[1]:
        print(long_to_bytes(gmpy2.iroot(c,3)[0]))

p1=26440615366395242196516853423447
p2=27038194053540661979045656526063
p3=32581479300404876772405716877547
phi=(p1-1)*(p2-1)*(p3-1)

n=23292710978670380403641273270002884747060006568046290011918413375473934024039715180540887338067
e=3


#sagemath
n=26440615366395242196516853423447
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)



n=27038194053540661979045656526063
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)


n=32581479300404876772405716877547
c=2485360255306619684345131431867350432205477625621366642887752720125176463993839766742234027524
m=c%n
PR.<x> = PolynomialRing(Zmod(n))
f = x^3-m
x0 = f.roots()
print(x0)

def crt(p1,p2,p3,m1, m2, m3):
    sum=0
    sum=m1*p2*p3*gmpy2.invert(p2*p3,p1)+m2*p1*p3*gmpy2.invert(p1*p3,p2)+m3*p1*p2*gmpy2.invert(p1*p2,p3)
    return(sum%n)



a=[13374868592866626517389128266735,7379361747422713811654086477766,5686385026105901867473638678946]
b=[19616973567618515464515107624812]
c=[13404203109409336045283549715377,13028011585706956936052628027629,6149264605288583791069539134541]

for x in a:
    for y in b:
        for z in c:
            m = crt(p1,p2,p3,x, y, z)
            m=long_to_bytes(m)
            if b'ctf{' in m:
                print(m)
                break