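1. Roll: line-by-line encryption
As the name suggests, the encryption here is done line by line.
Challenge: 04-实验吧 (Shiyanbar)---RSAROLL
Do not assume that the ciphertext C is always one continuous string: C can also be split across lines. Do not strip the line breaks and merge C into a single string; decrypt it line by line instead.
n is 920139713 and e is 19. Manually save the encrypted part to a separate file, roll.txt.
Solution script: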
#!/usr/bin/python
#coding:utf-8
#@Author:Mr.Aur0ra
# Python 2 script
import gmpy2
from Crypto.Util.number import long_to_bytes
n = 920139713
p = 49891
q = 18443
e = 19
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = ""
with open('roll.txt','r') as f:
    for c in f.readlines():
        if c.strip():  # skip blank lines
            # each line is one ciphertext integer; decrypt it on its own
            m += long_to_bytes(pow(int(c), d, n))
print m
#flag{13212je2ue28fy71w8u87y31r78eu1e2}
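2. Non-coprime moduli
Applies when: there are two or more moduli and gcd(N1,N2)!=1, i.e. N1 and N2 are not coprime.
When several moduli n share a prime, the Euclidean algorithm easily yields one of their prime factors, gcd(N1,N2). This greatest common divisor can then be used to factor each modulus into its p and q, after which decryption is straightforward. For the implementation, see the Euclidean algorithm and RSA decryption parts of this article.
Challenge: 05-存货1 ("Stock 1")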
N is 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
e is 65537
message is 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
N is 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
e is 65537
message is 0x8C3CF3161AA3E37831030985C60566A7604688B73E5B1D3B36E72EF06ED4F71289EFE80E0D94BD755034E6C210F17DA85B9D0388F3AD104C68BC514A8EB1569A109EB5F266F7C5FA4DDFA638258949B43D4CF1406720CCD4CA11E74FDF8AEB35C56A79781C87157FC4213573329C5B0FF411F8A4F34580AA103DB9FD403C0D409FA11860A7C4595FDC49DC2CF94E5112B772E5DEC8F17E24B10A7FD7A95DCB87BE5E27C32FC931574A7847BC506A61EFE9DB3D3F612143845FE80D7B3EA548B886A67A29CBDB2775B1F91178B6DA763F1A6ECFF46592E4C7FFAAB6C9FEF29D9CB9E035A3D98ECFFB26BA2EEAA56D1CD096E6A2CF9A58086CAD7718DDA5CB0C1B
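Find the plaintext m.
Here the plaintext string was split in two and each half was RSA-encrypted separately; the "message" values above are in fact the ciphertexts c. The key point is that both encryptions used the same prime e and that the moduli N1 and N2 are not coprime, so the non-coprime moduli attack applies.
Script to check whether two numbers are coprime: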
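#!/usr/bin/python
#coding:utf-8
#@Author:Mr.Aur0ra
# Python 2 script
def gcd(a,b): # greatest common divisor via the Euclidean algorithm, used to check whether two numbers are coprime
    if(b==0):
        return a
    else:
        return gcd(b,a%b)
def main():
    x = 17 # change x and y as needed
    y = 65537
    if gcd(x,y)==1: # if the greatest common divisor is 1, the two numbers are coprime
        print str(x)+" "+str(y) + "两个数互素" # prints "<x> <y> are coprime"
    else:
        print str(x)+" "+str(y) + "两个数不互素" # prints "<x> <y> are not coprime"
if __name__=="__main__":
    main()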
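The challenge provides the file rsa2.txt. To let Python read the values straight from the file into variables, the irrelevant explanatory text is removed, producing a new file, tmp.txt.
Its contents are as follows:
Solution script: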
#!/usr/bin/python
#coding:utf-8
#@Author:Mr.Aur0ra
import gmpy2
from Crypto.Util.number import long_to_bytes
lines = open('tmp.txt','r').readlines()
e1 = e2 = 65537
c1 = int(lines[2],16)
c2 = int(lines[6],16)
n1 = int(lines[0])
n2 = int(lines[4])
p1=p2=gmpy2.gcd(n1,n2)
assert p1 == p2 != 1
q1=n1//p1
q2=n2//p2
d1=gmpy2.invert(e1,(p1-1)*(q1-1))
d2=gmpy2.invert(e2,(p2-1)*(q2-1))
m1=pow(c1,d1,n1)
m2=pow(c2,d2,n2)
flag=long_to_bytes(m1)+long_to_bytes(m2)
print flag
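Output: flag{Pr1me_nUmber_Is_S4me}
3. Common modulus attack
Applies when: the plaintext m and the modulus n are the same, the public exponent e and the ciphertext c differ, and gcd(e1,e2)==1, i.e. e1 and e2 are coprime.
Encrypting the same plaintext several times under the same modulus with different public exponents can lead to a common modulus attack.
Challenge: 06-Jarvis OJ -Crypto-very hard RSA
This challenge is rather interesting: 4096-bit RSA. If it were not for the common modulus weakness, you might never break it no matter what. Ha ha, though with a quantum computer maybe you could.
The challenge provides two flag.enc files and an encryption script, easyRSA.py.
Analysing the encryption script shows that it first reads the string flag from flag.txt, then RSA-encrypts flag twice with different values of e, saving the ciphertexts to flag.enc1 and flag.enc2 respectively.
We find that the plaintext m and the modulus n are the same while the public exponents e1 and e2 differ, and that e1 and e2 are coprime (a script for checking whether two numbers are coprime was given above), so this is a textbook common modulus attack.
Solution script: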
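#!/usr/bin/python
#coding:utf-8
#@Author:Mr.Aur0ra
# Python 2 script (uses str.encode('hex'))
import gmpy2
from Crypto.Util.number import long_to_bytes
def egcd(a,b):
    # extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g
    if b==0:
        return a,1,0
    else:
        g,x,y=egcd(b,a%b)
        return g,y,x-a//b*y
e1 = 17
e2 = 65537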
n = n1 = n2 = 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
c1=int(open('./flag.enc1','rb').read().encode('hex'),16)
c2=int(open('./flag.enc2','rb').read().encode('hex'),16)
assert n1==n2
# s1=gmpy2.invert(e1,e2)
s1=egcd(e1,e2)[1]
s2=egcd(e1,e2)[2]
# check whether s1 or s2 is negative, because the exponents passed to pow() here must not be negative
if(s1<0):
    s1=-s1
    c1=gmpy2.invert(c1,n) # if s1 is negative, make it positive and replace c1 with its inverse mod n
if(s2<0):
    s2=-s2
    c2=gmpy2.invert(c2,n)
m=pow(c1,s1,n) * pow(c2,s2,n) %n
print(long_to_bytes(m))
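Here, egcd is an implementation of the extended Euclidean algorithm: it finds the greatest common divisor (GCD) of two integers a and b together with the Bézout coefficients x and y (integers satisfying ax + by = gcd(a, b)).
Let us walk through egcd.
def egcd(a, b):
    if b == 0:
        return a, 1, 0
In the first part of the function, it checks whether b is zero. If so, the greatest common divisor of a and 0 is a, and the coefficients are 1 and 0, which satisfies a*1 + 0*0 = a. It then returns these three values.
    else:
        g, x, y = egcd(b, a % b)
If b is not zero, the function calls itself recursively with b and the remainder of a divided by b (a % b). This relies on the property that the greatest common divisor of a and b equals that of b and a % b. The recursion eventually reaches the base case, where b is zero.
        return g, y, x - a // b * y
After the recursive call returns, the function computes the new x and y that satisfy Bézout's identity for the original inputs a and b. The computation is as follows:
g is the greatest common divisor of the two numbers; it stays unchanged throughout the recursion.
y, the coefficient of a % b in the recursive call, becomes the new x (the coefficient of a).
x - a // b * y is the new y (the coefficient of b) derived from Bézout's identity, where a // b is the quotient of a divided by b: it is the x returned by the recursive call minus the quotient times the y returned by the recursive call. This follows from b*x + (a % b)*y = g with a % b = a - (a // b)*b, which rearranges to a*y + b*(x - (a // b)*y) = g.
By recursing until b is zero, the algorithm finds the greatest common divisor and computes integers x and y satisfying ax + by = gcd(a, b).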
Simplified version of the script:
#!/usr/bin/python
#coding:utf-8
#@Author:醉清风
import gmpy2
from Crypto.Util.number import long_to_bytes
e1 = 17
e2 = 65537
n = 0x00b0bee5e3e9e5a7e8d00b493355c618fc8c7d7d03b82e409951c182f398dee3104580e7ba70d383ae5311475656e8a964d380cb157f48c951adfa65db0b122ca40e42fa709189b719a4f0d746e2f6069baf11cebd650f14b93c977352fd13b1eea6d6e1da775502abff89d3a8b3615fd0db49b88a976bc20568489284e181f6f11e270891c8ef80017bad238e363039a458470f1749101bc29949d3a4f4038d463938851579c7525a69984f15b5667f34209b70eb261136947fa123e549dfff00601883afd936fe411e006e4e93d1a00b0fea541bbfc8c5186cb6220503a94b2413110d640c77ea54ba3220fc8f4cc6ce77151e29b3e06578c478bd1bebe04589ef9a197f6f806db8b3ecd826cad24f5324ccdec6e8fead2c2150068602c8dcdc59402ccac9424b790048ccdd9327068095efa010b7f196c74ba8c37b128f9e1411751633f78b7b9e56f71f77a1b4daad3fc54b5e7ef935d9a72fb176759765522b4bbc02e314d5c06b64d5054b7b096c601236e6ccf45b5e611c805d335dbab0c35d226cc208d8ce4736ba39a0354426fae006c7fe52d5267dcfb9c3884f51fddfdf4a9794bcfe0e1557113749e6c8ef421dba263aff68739ce00ed80fd0022ef92d3488f76deb62bdef7bea6026f22a1d25aa2a92d124414a8021fe0c174b9803e6bb5fad75e186a946a17280770f1243f4387446ccceb2222a965cc30b3929L
c1=int(open('./flag.enc1','rb').read().encode('hex'),16)
c2=int(open('./flag.enc2','rb').read().encode('hex'),16)
_, r, s = gmpy2.gcdext(e1, e2)
m = pow(c1, r, n) * pow(c2, s, n) % n
print long_to_bytes(m)
PCTF{M4st3r_oF_Number_Th3ory}
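A self-contained run of the identity used above, added here as an illustration (not code from the original post) and written for Python 3: the toy key, the message and the padding bytes are constructed values. It also shows the two applicability conditions failing: exponents that are not coprime, and plaintexts that differ because each encryption appended different bytes (a stand-in for randomized padding such as OAEP).

```python
# Added example (Python 3, standard library only). All values are constructed.
P, Q = 1000003, 1000033          # toy primes, far too small for a real key
N = P * Q
E1, E2 = 17, 65537               # the two exponents used in this section


def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, n):
    """Inverse of a modulo n, taken from the Bezout coefficient of a."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("value is not invertible modulo n")
    return x % n


def combine(c1, c2, e1, e2, n):
    """Return c1^s1 * c2^s2 mod n, where e1*s1 + e2*s2 == 1."""
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        # Condition from this section: the exponents must be coprime.
        raise ValueError("gcd(e1, e2) = %d, exponents are not coprime" % g)
    # A negative coefficient is applied to the inverse of the ciphertext.
    if s1 < 0:
        c1, s1 = modinv(c1, n), -s1
    if s2 < 0:
        c2, s2 = modinv(c2, n), -s2
    return pow(c1, s1, n) * pow(c2, s2, n) % n


def same_plaintext_case():
    """Same m under (E1, N) and (E2, N): m^(E1*s1 + E2*s2) == m^1."""
    m = int.from_bytes(b"hi!", "big")
    return m, combine(pow(m, E1, N), pow(m, E2, N), E1, E2, N)


def padded_case():
    """Each encryption appends two different bytes, so the plaintexts differ."""
    m = int.from_bytes(b"hi!", "big")
    m1 = (m << 16) | 0x1A2B      # constructed pad; real padding is random
    m2 = (m << 16) | 0x3C4D
    return m1, m2, combine(pow(m1, E1, N), pow(m2, E2, N), E1, E2, N)


if __name__ == "__main__":
    print("Bezout coefficients:", egcd(E1, E2))
    m, recovered = same_plaintext_case()
    print("same plaintext :", recovered == m)
    m1, m2, out = padded_case()
    print("padded         :", out in (m1, m2))
    try:
        combine(1, 1, 3, 9, N)
    except ValueError as err:
        print("e1=3, e2=9     :", err)
```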
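4. Low decryption exponent attack
In RSA, d is also called the decryption exponent; when d is small, e ends up being very large.
Applies when: e is too large or too small (normally used when e is too large)
When e is too large or too small, an algorithm can quickly infer the value of d from e and then recover m. For the details of the algorithm, see:
RSA 大礼包 ("RSA gift pack") | Tr0y's Blog
Challenge: 07-存货2 ("Stock 2")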
n = 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597L
e = 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619L
c = 38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192
Find the plaintext m.
First, download the rsa-wiener-attack tool:
git clone https://github.com/pablocelayes/rsa-wiener-attack
Then put exp.py into that directory and run it:
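First, let us analyse the challenge: it is based on the RSA algorithm; we know n, e and the ciphertext, and need the plaintext.
N = p*q (p and q are both prime)
We use a Wiener's attack script to factor N into its primes.
Once p and q are found, we decrypt to recover the plaintext. The scripts are as follows.
First, factor the modulus: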
def continued_fractions_expansion(numerator,denominator):#(e,N)
    # continued fraction expansion of numerator/denominator (integer division throughout)
    result=[]
    divident=numerator%denominator
    quotient=numerator//denominator
    result.append(quotient)
    while divident!=0:
        numerator=numerator-quotient*denominator
        tmp=denominator
        denominator=numerator
        numerator=tmp
        divident=numerator%denominator
        quotient=numerator//denominator
        result.append(quotient)
    return result
def convergents(expansion):
    # convergents of the expansion; each one is a candidate (k, d)
    convergents=[(expansion[0],1)]
    for i in range(1,len(expansion)):
        numerator=1
        denominator=expansion[i]
        for j in range(i-1,-1,-1):
            numerator+=expansion[j]*denominator
            if j==0:
                break
            tmp=denominator
            denominator=numerator
            numerator=tmp
        convergents.append((numerator,denominator))#(k,d)
    return convergents
def newtonSqrt(n):
    # integer square root by Newton iteration
    approx = n//2
    better = (approx + n//approx)//2
    while better != approx:
        approx = better
        better = (approx + n//approx)//2
    return approx
def wiener_attack(cons,e,N):
    for cs in cons:
        k,d=cs
        if k==0:
            continue
        phi_N=(e*d-1)//k
        # p and q are the roots of x**2-((N-phi_N)+1)*x+N=0
        a=1
        b=-((N-phi_N)+1)
        c=N
        delta = b*b - 4*a*c
        if delta<=0:
            continue
        x1= (newtonSqrt(delta)-b)//(2*a)
        x2=-(newtonSqrt(delta)+b)//(2*a)
        if x1*x2==N:
            return [x1,x2,k,d]
N=460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597
e=354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
expansion=continued_fractions_expansion(e,N)
cons=convergents(expansion)
p,q,k,d=wiener_attack(cons,e,N)
print p
print q
Then recover the plaintext:
import binascii
import sys
sys.setrecursionlimit(1000000)
def ByteToHex(bins):
    return ''.join(["%02X" % x for x in bins]).strip()
def n2s(num):
    t = hex(num)[2:-1] # Python 2: strip the '0x' prefix and the trailing 'L' of a long
    if len(t) % 2 == 1:
        t = '0' + t
    #print(t)
    return(binascii.a2b_hex(t).decode('latin1'))
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        # stop here instead of handing a non-number to pow()
        raise ValueError('modular inverse does not exist')
    else:
        return x % m
c = 38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192
p = 28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
q = 15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
e = 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
n = p * q
d = modinv(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print (m)
We then have the plaintext as a number; the last step is to convert the number to a string:
import binascii
def n2s(num):
    t = hex(num)[2:-1] # Python 2: strip the '0x' prefix and the trailing 'L' of a long
    if len(t) % 2 == 1:
        t = '0' + t
    #print(t)
    return(binascii.a2b_hex(t).decode('latin1'))
print(n2s(42134526936705472951339882390913202211002951999415321980512196989))
flag{Wien3r_4tt@ck_1s_3AsY}
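5. Breaking RSA with the Wiener attack
When a CTF gives you RSA where n and e are both very large and of the same order of magnitude, the Wiener attack can be used to break it.
Here the RSA challenge from bugku is used as the example.
The challenge gives n, e and enc, so the public key {e, n} and the ciphertext enc are known.
The goal is to obtain d. Since n and e are very large and of the same order of magnitude, we infer that d is small, so the Wiener attack is used to break it.
First convert n and e to PEM format: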
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool]
└─$ python RsaCtfTool.py --createpub -n 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597 -e 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619 > flag.pem
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool]
└─$ python RsaCtfTool.py --publickey flag.pem --private > flag.key
[*] Testing key flag.pem.
[*] Performing factordb attack on flag.pem.
[!] internal error :-(
[+] Time elapsed: 5.2750 sec.
[*] Performing lucas_gcd attack on flag.pem.
100%|████████████████████████████████| 9999/9999 [00:00<00:00, 111690.68it/s]
[+] Time elapsed: 0.0928 sec.
[*] Performing mersenne_primes attack on flag.pem.
27%|█████████▉ | 14/51 [00:00<00:00, 388875.87it/s]
[+] Time elapsed: 0.0005 sec.
[*] Performing pastctfprimes attack on flag.pem.
[+] loading prime list file data/ti_rsa_signing_keys.txt...
100%|████████████████████████████████████| 34/34 [00:00<00:00, 885753.64it/s]
[+] loading prime list file data/visa_emv.txt...
100%|███████████████████████████████████████| 2/2 [00:00<00:00, 80659.69it/s]
[+] loading prime list file data/pastctfprimes.txt...
100%|█████████████████████████████████| 121/121 [00:00<00:00, 1250026.56it/s]
[+] Time elapsed: 0.0018 sec.
[*] Performing system_primes_gcd attack on flag.pem.
100%|████████████████████████████████| 7007/7007 [00:00<00:00, 858463.21it/s]
[+] Time elapsed: 0.0274 sec.
[*] Performing fibonacci_gcd attack on flag.pem.
100%|████████████████████████████████| 9999/9999 [00:00<00:00, 102799.60it/s]
[+] Time elapsed: 0.0979 sec.
[*] Performing smallq attack on flag.pem.
[+] Time elapsed: 0.2669 sec.
[*] Performing rapid7primes attack on flag.pem.
[+] loading prime list file data/ea229f977fb51000.pkl.bz2...
loading pickle data/ea229f977fb51000.pkl.bz2...
100%|█████████████████████████████| 61174/61174 [00:00<00:00, 1671437.38it/s]
[+] loading prime list file data/fbcc4333b5f183fc.pkl.bz2...
loading pickle data/fbcc4333b5f183fc.pkl.bz2...
100%|█████████████████████████████| 21048/21048 [00:00<00:00, 1482779.24it/s]
[+] Time elapsed: 0.3407 sec.
[*] Performing nonRSA attack on flag.pem.
[+] Time elapsed: 0.0010 sec.
[*] Performing pisano_period attack on flag.pem.
[+] Time elapsed: 0.0001 sec.
[*] Performing classical_shor attack on flag.pem.
[!] Timeout.
[+] Time elapsed: 60.0013 sec.
[*] Performing wolframalpha attack on flag.pem.
[*] Performing qicheng attack on flag.pem.
Can't load qicheng because sage binary is not installed
[*] Performing partial_q attack on flag.pem.
[!] partial_q attack is only for partial private keys not pubkeys...
[+] Time elapsed: 0.0003 sec.
[*] Performing factorial_pm1_gcd attack on flag.pem.
100%|████████████████████████████████| 29998/29998 [00:05<00:00, 5496.09it/s]
[+] Time elapsed: 5.4588 sec.
[*] Performing lattice attack on flag.pem.
[!] simple lattice attack is for partial keys only...
[+] Time elapsed: 0.0003 sec.
[*] Performing small_crt_exp attack on flag.pem.
Can't load small_crt_exp because sage binary is not installed
[*] Performing cube_root attack on flag.pem.
[+] Time elapsed: 0.0001 sec.
[*] Performing wiener attack on flag.pem.
25%|████████▌ | 148/591 [00:00<00:00, 676205.87it/s]
[*] Attack success with wiener method !
[+] Total time elapsed min,max,avg: 0.0001/60.0013/4.7710 sec.
Results for flag.pem:
Private key :
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool]
└─$ more flag.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool]
└─$ python RsaCtfTool.py --key flag.key --dumpkey
private argument is not set, the private key will not be displayed, even if recovered.
None
n: 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597
e: 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
d: 8264667972294275017293339772371783322168822149471976834221082393409363691895
p: 15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
q: 28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
Recover the private key from n and e (the public key):
python RsaCtfTool.py --publickey flag.pem --private > flag.key
Obtain p, q and d:
python RsaCtfTool.py --key flag.key --dumpkey
This gives p, q, d, n and e as follows:
https://www.freebuf.com/sectool/185468.html
Decrypt with a script
Since p, q, n, e and d are all known, the flag can be computed directly.
#!/usr/bin/python
# -*- coding=utf8 -*-
"""
# @Author : pig
# @CreatedTime:2019-12-25 20:46:54
# @Description :
"""
import gmpy2
from libnum import n2s
n = '460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597'
e = '354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619'
enc = '38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192'
p = '15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199'
q = '28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003'
d = '8264667972294275017293339772371783322168822149471976834221082393409363691895'
n1 = gmpy2.mpz(n)
enc1 = gmpy2.mpz(enc)
d1 = gmpy2.mpz(d)
r = gmpy2.powmod(enc1, d1, n1)
print (r)
s = n2s(r)
print (s)
The script outputs:
42134526936705472951339882390913202211002951999415321980512196989
flag{Wien3r_4tt@ck_1s_3AsY}
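The applicability conditions listed in sections 2, 3 and 5 can be turned into a check over a key inventory. The following is an added example (Python 3, standard library only), not code from the original post: the key labels, the toy primes and the threshold for a "large" e are constructed assumptions, and the shared-factor test uses a batch GCD over all moduli, which generalizes the two-modulus gcd shown in section 2.

```python
# Added example (Python 3, standard library only); every key below is constructed.
import math
from collections import defaultdict


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli)."""
    tree = [list(moduli)]                      # product tree, leaves first
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    rems = tree.pop()                          # root: product of every modulus
    while tree:                                # remainder tree: reduce mod n^2
        lvl = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(lvl)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(keys):
    """keys: list of (label, n, e). Returns {label: [finding, ...]}."""
    findings = defaultdict(list)
    by_modulus = defaultdict(list)
    for label, n, e in keys:
        by_modulus[n].append((label, e))

    # Section 3: the same modulus published with different exponents.
    for users in by_modulus.values():
        if len({e for _, e in users}) > 1:
            for label, _ in users:
                findings[label].append("modulus reused with different e")

    # Section 2: distinct moduli that share a prime factor.
    distinct = list(by_modulus)
    for n, g in zip(distinct, batch_gcd(distinct)):
        if g != 1:
            for label, _ in by_modulus[n]:
                findings[label].append("shares a factor with another modulus")

    # Sections 4 and 5: e of the same magnitude as n suggests a small d.
    # Assumed threshold: e has more than half as many bits as n.
    for label, n, e in keys:
        if 2 * e.bit_length() > n.bit_length():
            findings[label].append("e is about as large as n")
    return dict(findings)


def sample_keys():
    """Constructed inventory built from toy primes near 10**6."""
    p = [1000003, 1000033, 1000037, 1000039, 1000081,
         1000099, 1000117, 999979, 999983]
    phi = (p[5] - 1) * (p[6] - 1)
    big_e = pow(5, -1, phi)                    # key generated with d = 5
    return [
        ("web-a", p[0] * p[1], 65537),
        ("web-b", p[0] * p[2], 65537),         # same first prime as web-a
        ("vpn", p[3] * p[4], 65537),
        ("vpn-old", p[3] * p[4], 17),          # vpn's modulus, other exponent
        ("legacy", p[5] * p[6], big_e),
        ("mail", p[7] * p[8], 65537),          # nothing wrong with this one
    ]


if __name__ == "__main__":
    for label, notes in sorted(audit(sample_keys()).items()):
        print(label, "->", "; ".join(notes))
```

The report names the affected keys without printing the shared factor; any key it lists should be regenerated from fresh primes with a standard public exponent.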
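6. Computing the private key from the public key
This type of challenge requires using RsaCtfTool to generate the private key from the public key.
Challenge: 08-存货3 ("Stock 3")
The challenge provides only two files (a public key file and a ciphertext file).
Inspecting the public key file in the usual way shows that n is very large and cannot be factored into p and q directly; e is not one of the special values either, and none of the other attacks apply.
First change into the RsaCtfTool directory, then run the following command to generate the private key.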
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool]
└─$ ./RsaCtfTool.py --publickey examples/根据公钥计算私钥/pub.key --private > examples/根据公钥计算私钥/pri.key
[*] Testing key examples/根据公钥计算私钥/pub.key.
[*] Performing factordb attack on examples/根据公钥计算私钥/pub.key.
[!] internal error :-(
[+] Time elapsed: 5.3062 sec.
[*] Performing lucas_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|█████████████████████████████████| 9999/9999 [00:00<00:00, 71047.87it/s]
[+] Time elapsed: 0.1454 sec.
[*] Performing mersenne_primes attack on examples/根据公钥计算私钥/pub.key.
29%|██████████▌ | 15/51 [00:00<00:00, 183960.70it/s]
[+] Time elapsed: 0.0005 sec.
[*] Performing pastctfprimes attack on examples/根据公钥计算私钥/pub.key.
[+] loading prime list file data/ti_rsa_signing_keys.txt...
100%|████████████████████████████████████| 34/34 [00:00<00:00, 766700.73it/s]
[+] loading prime list file data/visa_emv.txt...
100%|███████████████████████████████████████| 2/2 [00:00<00:00, 86480.49it/s]
[+] loading prime list file data/pastctfprimes.txt...
100%|██████████████████████████████████| 121/121 [00:00<00:00, 847263.41it/s]
[+] Time elapsed: 0.0021 sec.
[*] Performing system_primes_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|████████████████████████████████| 7007/7007 [00:00<00:00, 598466.40it/s]
[+] Time elapsed: 0.0322 sec.
[*] Performing fibonacci_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|█████████████████████████████████| 9999/9999 [00:00<00:00, 69512.05it/s]
[+] Time elapsed: 0.1447 sec.
[*] Performing smallq attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.2832 sec.
[*] Performing rapid7primes attack on examples/根据公钥计算私钥/pub.key.
[+] loading prime list file data/ea229f977fb51000.pkl.bz2...
loading pickle data/ea229f977fb51000.pkl.bz2...
100%|█████████████████████████████| 61174/61174 [00:00<00:00, 1221547.33it/s]
[+] loading prime list file data/fbcc4333b5f183fc.pkl.bz2...
loading pickle data/fbcc4333b5f183fc.pkl.bz2...
100%|█████████████████████████████| 21048/21048 [00:00<00:00, 1096177.00it/s]
[+] Time elapsed: 0.3401 sec.
[*] Performing nonRSA attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0039 sec.
[*] Performing pisano_period attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0002 sec.
[*] Performing classical_shor attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0007 sec.
[*] Performing wolframalpha attack on examples/根据公钥计算私钥/pub.key.
[*] Performing qicheng attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0014 sec.
[*] Performing partial_q attack on examples/根据公钥计算私钥/pub.key.
[!] partial_q attack is only for partial private keys not pubkeys...
[+] Time elapsed: 0.0003 sec.
[*] Performing factorial_pm1_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|████████████████████████████████| 29998/29998 [00:16<00:00, 1818.58it/s]
[+] Time elapsed: 16.5014 sec.
[*] Performing lattice attack on examples/根据公钥计算私钥/pub.key.
[!] simple lattice attack is for partial keys only...
[+] Time elapsed: 0.0002 sec.
[*] Performing small_crt_exp attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0298 sec.
[*] Performing cube_root attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0004 sec.
[*] Performing wiener attack on examples/根据公钥计算私钥/pub.key.
100%|██████████████████████████████████████| 11/11 [00:00<00:00, 7223.63it/s]
[*] Cracking failed...
[+] Time elapsed: 0.0192 sec.
[*] Performing kraitchik attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0021 sec.
[*] Performing lehmer attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0040 sec.
[*] Performing siqs attack on examples/根据公钥计算私钥/pub.key.
Can't load siqs because yafu binary is not installed
[*] Performing partial_d attack on examples/根据公钥计算私钥/pub.key.
[!] partial_d attack is only for partial private keys not pubkeys...
[!] partial_d internal error...
[+] Time elapsed: 0.0004 sec.
[*] Performing compositorial_pm1_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|██████████████████████████████████| 9999/9999 [00:01<00:00, 6857.40it/s]
[+] Time elapsed: 1.4637 sec.
[*] Performing pollard_p_1 attack on examples/根据公钥计算私钥/pub.key.
1%|▎ | 9/997 [00:54<1:40:15, 6.09s/it][!] Timeout.
1%|▎ | 9/997 [00:59<1:49:45, 6.67s/it]
[+] Time elapsed: 60.0025 sec.
[*] Performing carmichael attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0027 sec.
[*] Performing fermat attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0016 sec.
[*] Performing comfact_cn attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0002 sec.
[*] Performing mersenne_pm1_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|█████████████████████████████████| 2045/2045 [00:00<00:00, 51346.94it/s]
[+] Time elapsed: 0.0409 sec.
[*] Performing qs attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0019 sec.
[*] Performing primorial_pm1_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|████████████████████████████████| 10000/10000 [00:01<00:00, 5162.65it/s]
[+] Time elapsed: 1.9417 sec.
[*] Performing noveltyprimes attack on examples/根据公钥计算私钥/pub.key.
100%|████████████████████████████████████| 21/21 [00:00<00:00, 421437.24it/s]
[+] Time elapsed: 0.0005 sec.
[*] Performing ecm2 attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 3.9250 sec.
[*] Performing z3_solver attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.4458 sec.
[*] Performing hart attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0020 sec.
[*] Performing SQUFOF attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0083 sec.
[*] Performing boneh_durfee attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 3.8855 sec.
[*] Performing fermat_numbers_gcd attack on examples/根据公钥计算私钥/pub.key.
100%|████████████████████████████████████████| 28/28 [00:01<00:00, 15.84it/s]
[+] Time elapsed: 1.7753 sec.
[*] Performing highandlowbitsequal attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0209 sec.
[*] Performing lehman attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0032 sec.
[*] Performing factor_2PN attack on examples/根据公钥计算私钥/pub.key.
[+] Time elapsed: 0.0003 sec.
[*] Performing euler attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0054 sec.
[*] Performing dixon attack on examples/根据公钥计算私钥/pub.key.
[-] Dixon is too slow for pubkeys > 10^10...
[+] Time elapsed: 0.0005 sec.
[*] Performing brent attack on examples/根据公钥计算私钥/pub.key.
[!] Timeout.
[+] Time elapsed: 60.0046 sec.
[*] Performing ecm attack on examples/根据公钥计算私钥/pub.key.
[*] Attack success with ecm method !
[+] Total time elapsed min,max,avg: 0.0002/60.4458/22.2941 sec.
Results for examples/根据公钥计算私钥/pub.key:
Private key :
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Next, copy this content into a newly created file, pri.key.
Use openssl to decrypt with the private key file:
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool/examples/根据公钥计算私钥]
└─$ openssl pkeyutl -decrypt -inkey pri.key -in enc1 -out txt
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool/examples/根据公钥计算私钥]
└─$ ll
total 48
-rwxrw-rw- 1 holyeyes holyeyes 256 Mar 10 12:52 enc1
-rwxrw-rw- 1 holyeyes holyeyes 1522 Mar 12 20:58 pri.key
-rwxrw-rw- 1 holyeyes holyeyes 451 Mar 10 12:52 pub.key
-rwxrw-rw- 1 holyeyes holyeyes 25 Mar 12 21:00 txt
-rwxrw-rw- 1 holyeyes holyeyes 30720 Mar 10 12:52 wp.doc
┌──(holyeyes㉿kali2023)-[~/RsaCtfTool/examples/根据公钥计算私钥]
└─$ more txt
flag{0penSs1_DecrYp7_Rs4}
Open the generated file txt to get the flag.