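CryptoHack is a very good platform for learning cryptography.
It is well suited to beginners with no background who want to learn systematically.
Register an account on the platform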
EJEXA JVAN KTGHXDC ITCI
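A Roman emperor's cipher, so this is Caesar.
from string import ascii_uppercase as ss

c = 'EJEXA JVAN KTGHXDC ITCI'
# Try all 26 shifts; the readable line is the plaintext
for i in range(26):
    for j in c:
        if j == ' ':
            print(' ', end='')
            continue
        t = ss.index(j)
        print(ss[(t+i)%26], end='')
    print()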
General
Encoding
Challenge 1
>>> a =[99, 114, 121, 112, 116, 111, 123, 65, 83, 67, 73, 73, 95, 112, 114, 49, 110, 116, 52, 98, 108, 51, 125]
>>> ''.join(chr(i) for i in a)
'crypto{}'
Challenge 2
63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d
>>> from binascii import *
>>> unhexlify('63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d')
b'crypto{}'
Challenge 3
72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf
>>> c = '72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf'
>>> from base64 import b64encode as e
>>> unhexlify(c)
b'r\xbc\xa9\xb6\x8f\xc1j\xc7\xbe\xeb\x8f\x84\x9d\xca\x1d\x8ax>\x8a\xcf\x96y\xbf\x92i\xf7\xbf'
>>> e(unhexlify(c))
b'crypto//'
Kind of interesting.
Challenge 4
>>> from Crypto.Util.number import long_to_bytes as l2b
>>> l2b(11515195063862318899931685488813747395775516287289682636499965282714637259206269)
b'crypto{}'
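Challenge 5
After you connect to the server with nc, it gives you an encoding method, type, and an encoded string, c.
You have to decode c and send the result back to the server, 100 times in a row.
Server code:
It has to be repeated 100 times, so decoding by hand is out of the question; use remote from pwntools to solve the rounds one after another.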
from pwn import *
import json
from binascii import unhexlify
from base64 import b64decode as dd
from string import ascii_lowercase
from Crypto.Util.number import long_to_bytes as l2b

r = remote('socket.cryptohack.org', 13377, level = 'debug')

def json_recv():
    # Each server message is one line of JSON
    line = r.recvline()
    return json.loads(line.decode())

def json_send(hsh):
    request = json.dumps(hsh).encode()
    r.sendline(request)

def rot13(x):
    # Rotate lowercase letters by 13; everything else passes through unchanged
    ss = ascii_lowercase
    res = ''
    for i in x:
        if i in ss:
            res += ss[(13+ss.index(i))%26]
        else:
            res += i
    return res

def dec(tp,c):
    # Decode one value according to the type the server announced
    if tp == 'bigint':
        m = unhexlify(c[2:]).decode()   # drop the leading '0x'
    elif tp == 'base64':
        m = dd(c.encode()).decode()
    elif tp == 'rot13':
        m = rot13(c)
    elif tp == 'hex':
        m = l2b(int(c,16)).decode()
    elif tp == 'utf-8':
        m = ''.join(chr(i) for i in c)  # c is a list of code points
    else:
        raise ValueError('unknown type: ' + tp)
    return m

def func(received):
    # Handle one round: print the challenge, answer it, return the next message
    print("Received type: ",end='')
    print(received["type"])
    print("Received encoded value: ",end='')
    print(received["encoded"])
    c = received["encoded"]
    tp = received['type']
    to_send = {"decoded": dec(tp,c)}
    print('to_sent:',to_send)
    json_send(to_send)
    rrr = json_recv()
    print(rrr,'================',sep = '\n')
    return rrr

rcvd = json_recv()
for i in range(100):
    rcvd = func(rcvd)
This gives the flag.
XOR
1. XOR Starter
XOR every character of label with 13.
The challenge says you can use the xor function from pwntools.
>>> from pwn import *
>>> xor('label',13)
b'aloha'
crypto{aloha}
2. XOR Properties
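The challenge gives the following values:
k1
k2 ^ k1
k2 ^ k3
flag ^ k1 ^ k2 ^ k3
Call them A, B, C and D respectively. A ^ C = k1 ^ k2 ^ k3, which cancels the keys in D, so flag = D ^ A ^ C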
>>> a = 0xa6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
>>> b = 0x37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
>>> c = 0xc1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
>>> d = 0x04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf
>>> f = d^a^c
>>> from Crypto.Util.number import long_to_bytes as l2b
>>> l2b(f)
b'crypto{}'
3. Favourite byte
73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d
Converted from a number to bytes, this is
>>> l2b(int('73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d',16))
b"sbi`d\x7fk h! O!%O}iOv$f eb!'#Ori'um"
The first characters of the flag are known to be crypto{, so XORing them with the first bytes of the decoded string gives the secret
>>> xor(b"sbi`d\x7fk",b"crypto{")
b'\x10\x10\x10\x10\x10\x10\x10'
This gives the flag
>>> xor(b"sbi`d\x7fk h! O!%O}iOv$f eb!'#Ori'um",'\x10')
b'crypto{}'
4. You either know, XOR you don't
0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104
Try the same steps to find the string it was XORed with
>>> c = l2b(int('0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104',16))
>>> c
b"\x0e\x0b!?&\x04\x1eH\x0b&!\x7f'4.\x17]\x0e\x07\n<[\x10>%&!\x7f'4.\x17]\x0e\x07~&4Q\x15\x01\x04"
>>> xor(c[:7],'crypto{')
b'myXORke'
>>> xor(c[-1],'}')
b'y'
Joined together they give a meaningful phrase, myXORkey
My guess is that this is the string used for the encryption
>>> xor(c,'myXORkey')
b'crypto{}'
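The known-plaintext step used in challenges 3 and 4, generalised into a key-length search, as an added example that is not code from the original post. A known plaintext byte at index i fixes key byte i mod keylen, so a candidate length is rejected when two known bytes disagree on the same key slot; the key, the message and the function names below are constructed for the illustration.

```python
from itertools import cycle

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encryption and decryption are the same)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def key_from_cribs(ct: bytes, cribs: dict, keylen: int):
    """cribs maps a plaintext offset (negative = counted from the end) to known bytes.
    Returns the key as a list with None for slots no crib reaches,
    or None when the cribs contradict this key length."""
    key = [None] * keylen
    for off, known in cribs.items():
        start = off % len(ct)
        for i, p in enumerate(known):
            pos = start + i
            k = ct[pos] ^ p            # keystream byte at this position
            slot = pos % keylen        # key slot that produced it
            if key[slot] not in (None, k):
                return None            # two cribs disagree: wrong length
            key[slot] = k
    return key

def recover_key(ct: bytes, cribs: dict, max_len: int = 16):
    """Shortest key length that is consistent, fully determined by the cribs,
    and decrypts to printable ASCII. Returns (key, plaintext) or None."""
    for keylen in range(1, max_len + 1):
        key = key_from_cribs(ct, cribs, keylen)
        if key is None or None in key:
            continue
        pt = xor_repeat(ct, bytes(key))
        if all(32 <= b < 127 for b in pt):
            return bytes(key), pt
    return None

# Constructed sample, not the challenge data: 8-byte key, 32-byte message.
SAMPLE_KEY = b"demoKey!"
SAMPLE_PT = b"crypto{constructed_sample_text!}"
SAMPLE_CT = xor_repeat(SAMPLE_PT, SAMPLE_KEY)
CRIBS = {0: b"crypto{", -1: b"}"}      # flag format: known prefix and last byte

if __name__ == "__main__":
    print(key_from_cribs(SAMPLE_CT, {0: b"crypto{"}, 8))  # prefix alone leaves slot 7 open
    print(recover_key(SAMPLE_CT, CRIBS))
```

With the 7-byte prefix alone, an 8-byte key has one undetermined slot; here the closing brace sits at index 31, which maps to slot 7 and completes the key.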
5. Lemur XOR
This one is an image challenge
P.S.
lemur (n.): a kind of primate (狐猴)
Two images
lemur.png:
flag.png:
Try XORing them, using the PIL.Image module and the numpy module
from PIL import Image as img
import numpy as np
ll = img.open(r".\lemur.png")
ff = img.open(r".\flag.png")
nl = np.array(ll)
nf = np.array(ff)
img.fromarray(nl^nf).show()
This gives the flag, which is in the resulting image
MATHEMATICS
1. Greatest Common Divisor
Compute the GCD
Truly a zero-background introductory problem
>>> a = 66528; b = 52920
>>> from gmpy2 import *
>>> gcd
<built-in function gcd>
>>> gcd(a,b)
mpz(1512)
2. Extended GCD
This one asks for the extended Euclidean algorithm
Use the gcdext() function that ships with the gmpy2 library
>>> gcdext
<built-in function gcdext>
>>> p = 26513;q = 32321
>>> gcdext(p,q)
(mpz(1), mpz(10245), mpz(-8404))
As the challenge asks, the flag is -8404
3. Modular Arithmetic 1
Solve the equations
$$11 \equiv x \pmod{6} \\ 8146798528947 \equiv y \pmod{17}$$
The solution is
$$x = 5 \\ y = 4$$
So the flag is 4
4. Modular Arithmetic 2
Fermat's little theorem: when p is prime,
$$a^{p-1} \equiv 1 \pmod{p}$$
The answer is 1
5. Modular Inverting
Find the modular inverse
If b is the inverse of a modulo m, then modulo m we have $ab \equiv 1 \pmod{m}$
Use the invert() function from gmpy2
>>> invert(3,13)
mpz(9)
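What gmpy2's gcd, gcdext and invert compute in challenges 1, 2 and 5, written out in plain Python as an added example (not code from the original post), with the Fermat shortcut from challenge 4 as a second route to the inverse. The function names egcd, modinv and fermat_inverse are chosen here for the illustration.

```python
def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        # Each remainder stays a known combination of a and b
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m; exists only when gcd(a, m) == 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd is {g})")
    return x % m          # normalise a possibly negative coefficient

def fermat_inverse(a: int, p: int) -> int:
    """For prime p not dividing a: a^(p-1) = 1 (mod p), so a^(p-2) is the inverse."""
    return pow(a, p - 2, p)

if __name__ == "__main__":
    print(egcd(66528, 52920)[0])                 # gcd from challenge 1
    print(egcd(26513, 32321))                    # coefficients from challenge 2
    print(modinv(3, 13), fermat_inverse(3, 13))  # inverse from challenge 5, two ways
```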
DATA FORMATS
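1. Privacy-Enhanced Mail?
A bit confused, what does this mean?
A PEM file is given; just decode the private key information in it
>>> from Crypto.PublicKey import RSA
>>> c = open(r"./ppp").read()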
>>> p = RSA.import_key(c)
>>> p.d
15682700288056331364787171045819973654991149949197959929860861228180021707316851924456205543665565810892674190059831330231436970914474774562714945620519144389785158908994181951348846017432506464163564960993784254153395406799101314760033445065193429592512349952020982932218524462341002102063435489318813316464511621736943938440710470694912336237680219746204595128959161800595216366237538296447335375818871952520026993102148328897083547184286493241191505953601668858941129790966909236941127851370202421135897091086763569884760099112291072056970636380417349019579768748054760104838790424708988260443926906673795975104689
The private exponent d is the flag
2. CERTainly not
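PEM and DER are two ways of encoding a certificate, and each can be converted into the other
PEM is a readable text format: the file starts with "-----BEGIN XXX-----" and ends with an END line in the same format, and the content in between is base64-encoded
DER is a binary file that cannot be read directly; read it in binary mode
Use the same Crypto.PublicKey.RSA.import_key function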
>>> ddd = open(r".\der.der",'rb').read()
>>> p = RSA.import_key(ddd)
>>> p
RsaKey(n=22825373692019530804306212864609512775374171823993708516509897631547513634635856375624003737068034549047677999310941837454378829351398302382629658264078775456838626207507725494030600516872852306191255492926495965536379271875310457319107936020730050476235278671528265817571433919561175665096171189758406136453987966255236963782666066962654678464950075923060327358691356632908606498231755963567382339010985222623205586923466405809217426670333410014429905146941652293366212903733630083016398810887356019977409467374742266276267137547021576874204809506045914964491063393800499167416471949021995447722415959979785959569497, e=65537)
The flag is the modulus as an integer, that is, the value of n
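The PEM/DER relationship described above, as an added example that is not code from the original post: PEM is the DER bytes base64-encoded between armor lines, and DER itself is nested tag-length-value records. The sample is a constructed toy PKCS#1 public key (n=3233, e=17); real challenge files wrap the key in more layers, which RSA.import_key handles, and all function names here are chosen for the illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem: str) -> tuple[str, bytes]:
    """Strip the BEGIN/END armor and base64-decode the body to raw DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = "".join(m.group(2).split())           # drop newlines and spaces
    return m.group(1), base64.b64decode(body, validate=True)

def der_to_pem(der: bytes, label: str) -> str:
    """Base64-encode DER, wrap at 64 columns, add the armor lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])

def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value record; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                         # short form: the byte is the length
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pkcs1_public_numbers(der: bytes) -> tuple[int, int]:
    """Parse a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    tag, seq, _ = read_tlv(der)
    tag_n, n_bytes, pos = read_tlv(seq)
    tag_e, e_bytes, _ = read_tlv(seq, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# Constructed sample: 30 07 | 02 02 0c a1 (n=3233) | 02 01 11 (e=17)
SAMPLE_DER = bytes.fromhex("300702020ca1020111")
SAMPLE_PEM = der_to_pem(SAMPLE_DER, "RSA PUBLIC KEY")

if __name__ == "__main__":
    print(SAMPLE_PEM, pem_to_der(SAMPLE_PEM), pkcs1_public_numbers(SAMPLE_DER))
```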
3. SSH KEY
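I'm tearing up, the challenge explains it in such detail
It is mainly about SSH, the Secure Shell Protocol
The abbreviation is obviously SSP, so why is it called SSH??????
Why have SSH at all? For security.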
As the internet became increasingly hostile, people realised the need for both authentication and encryption for administrative network traffic
And also why SSH is secure
The same method still works
>>> c = open(r"./bruce_rsa_6e7ecd53b443a97013397b1a1ea30e14.pub").read()
>>> p = RSA.import_key(c)
>>> p
RsaKey(n=3931406272922523448436194599820093016241472658151801552845094518579507815990600459669259603645261532927611152984942840889898756532060894857045175300145765800633499005451738872081381267004069865557395638550041114206143085403607234109293286336393552756893984605214352988705258638979454736514997314223669075900783806715398880310695945945147755132919037973889075191785977797861557228678159538882153544717797100401096435062359474129755625453831882490603560134477043235433202708948615234536984715872113343812760102812323180391544496030163653046931414723851374554873036582282389904838597668286543337426581680817796038711228401443244655162199302352017964997866677317161014083116730535875521286631858102768961098851209400973899393964931605067856005410998631842673030901078008408649613538143799959803685041566964514489809211962984534322348394428010908984318940411698961150731204316670646676976361958828528229837610795843145048243492909, e=65537)
The flag is again n
4. Transparency
A bit confused
A public key file in PEM format is given; opening the file gives the following information
>>> from Crypto.PublicKey.RSA import *
>>> c = open(r".\transparency.pem").read()
>>> p = import_key(c)
>>> p
RsaKey(n=23421622285641341405633616890150413771071492791662619237015532689271209254675255214187772835143801809039951016782376679973376782695533167272817148034946155291022588458116896449130547957859630601417029406537713697722216484126508404669492574651738700785323627803802967097814192155713988206765677255996453746570221203605464683698139759068201745805643226602309648177720842369737425307662674524530757570626970232537549824005998393609021861773134215542450556839250804799098903483152012713520167414613141526302727512388972623173809195225592109964416682348203058784103484962051844890398766510080562420295832329553237528041393, e=65537)
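The task is to find a subdomain of cryptohack.org whose certificate uses these parameters; the flag is on that subdomain
I had no idea how to approach it, so I searched for a writeup; it was solved by brute force, but the writeup was only a single image
Use Maltego to analyse the site's domains
- Create a new graph, drag a Domain entity in from the Entity panel on the left, and change it to cryptohack.org
- Right-click the entity and click the double arrow to the right of All Transforms in the first row
This starts an automatic query for all information under the domain,
including its subdomains, IP addresses, DNS servers, contacts, addresses, phone numbers and so on
- Wait for the results
Use the Ctrl+F search to look for the challenge keyword Transparency, or search directly for the word flag
Visit the subdomain to get the flag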