BUUCTF-CRYPTO-强网杯2019 Copperstudy

最新推荐文章于 2023-10-31 12:25:05 发布
最新推荐文章于 2023-10-31 12:25:05 发布
阅读量2.9k 收藏 6
点赞数 4
分类专栏: CRYPTO
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zippo1234/article/details/109409929
版权
这篇博客详细记录了参与强网杯2019竞赛中Copperstudy挑战的过程,涉及RSA加密的各种攻击方式,包括已知e=3的RSA破解、高位攻击、低位攻击、短填充攻击Coppersmith Shortpad Attack以及Boneh and Durfee攻击等。通过逐层解密,最终成功获取flag。
摘要由CSDN通过智能技术生成

BUUCTF-CRYPTO-强网杯2019 Copperstudy


每天一题,只能多不能少

[强网杯2019] Copperstudy

题目分析

RSA套娃,各种类型的RSA,对于我现在的水平来说真的是难于上青天。鉴于道奇时隔32年又夺冠军(28日的事了),今天就先记录下来。以后慢慢看

  1. hash破解
  2. e=3
  3. 已知p高位攻击
  4. 已知d低位攻击
  5. 低加密指数广播攻击
  6. m高位相同,高位相同的m,短填充攻击Coppersmith Shortpad Attack
  7. Boneh and Durfee attack

开始

1.题目

给出一个远端环境,nc过去即可

2.第0层

[+]proof: skr=os.urandom(8)
[+]hashlib.sha256(skr).hexdigest()=b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c
[+]skr[0:5].encode('hex')=13a03f1f32
[-]skr.encode('hex')=

破解一个原文8个字符的sha256,已知前5个字符。
使用hashcat爆破,记得加上–force参数,至少我这里是需要加上的,不然一直提示“No devices found/left.”

hashcat64.exe -a 3 --hex-salt -m 1420 b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c:13a03f1f32 --potfile-disable ?b?b?b  -o res3.txt --outfile-format=2 --force

拼接即可

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 22:33
# @Author : A.James
# @FileName: tt0.py
import os
path="hashcat-5.1.0\\"
str1='b9f5a36134ba3b3b9a41c3ee519899f39fd85f231d9cb2d6c34415fcebe0aa8c'
str2='13a03f1f32'
with open(path+"res3.txt", 'r') as f:
    lines = f.readlines()
    last_line = lines[-1]
    #print(last_line)
    if(last_line[0:4]=="$HEX"):
        print(str2+last_line[5:11])
    else:
        print(str2+hex(last_line))

得到

13a03f1f321bdb17

输入,进入第1层

3.第1层

给出

[+]Generating challenge 1


  [+]n=13112061820685643239663831166928327119579425830632458568801544406506769461279590962772340249183569437559394200635526183698604582385769381159563710823689417274479549627596095398621182995891454516953722025068926293512505383125227579169778946631369961753587856344582257683672313230378603324005337788913902434023431887061454368566100747618582590270385918204656156089053519709536001906964008635708510672550219546894006091483520355436091053866312718431318498783637712773878423777467316605865516248176248780637132615807886272029843770186833425792049108187487338237850806203728217374848799250419859646871057096297020670904211 

[+]e=3

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=15987554724003100295326076036413163634398600947695096857803937998969441763014731720375196104010794555868069024393647966040593258267888463732184495020709457560043050577198988363754703741636088089472488971050324654162166657678376557110492703712286306868843728466224887550827162442026262163340935333721705267432790268517

[+]((m>>72)<<72)=2519188594271759205757864486097605540135407501571078627238849443561219057751843170540261842677239681908736

[-]long_to_bytes(m).encode('hex')=

e=3的套路直接上

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 18:26
# @Author : A.James
# @FileName: tt1.py

from Crypto.Util.number import *
import gmpy2
import binascii
c=15987554724003100295326076036413163634398600947695096857803937998969441763014731720375196104010794555868069024393647966040593258267888463732184495020709457560043050577198988363754703741636088089472488971050324654162166657678376557110492703712286306868843728466224887550827162442026262163340935333721705267432790268517
m = gmpy2.iroot(c,3)[0]
print(long_to_bytes(m))
mm ='FLAG{2^8rsa7589693fc689c77c5f5262d654272427}'
print(binascii.hexlify(long_to_bytes(m)))

得到

b'464c41477b325e3872736137353839363933666336383963373763356635323632643635343237323432377d'

输入hex部分,进入第2关

4.第2层

给出:

[+]Generating challenge 2


  [+]n=12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219 

[+]e=65537

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=627824086157119245056478875800598959553774250161670787506083253960788230737588761787385686125828765665617567887904228030839535317987589608761534500003128247164233774794784231518212804270056404565710426613938264302998015421153393879729263551292024543756422702956470022959537221269172084619081368498693930550456153543628170306324206266216348386707008661128717431426237486511309767286175518238620230507201952867261283880986868752676549613958785288914989429224582849218395471672295410036858881836363364885164276983237312235831591858044908369376855484127614933545955544787160352042318378588039587911741028067576722790778

[+]((p>>128)<<128)=97522826022187678545924975588711975512906538181361325096919121233043973599759518562689050415761485716705615149641768982838255403594331293651224395590747133152128042950062103156564440155088882592644046069208405360324372057140890317518802130081198060093576841538008960560391380395697098964411821716664506908672

[-]long_to_bytes(m).encode('hex')=

这里的运算时<< >>位移运算,也就是p右移128位再左移128位,右移直接吞左移不足位补零,也就是说这里给出p的最后128位去除补0并转换为10进制的值。
求p、q

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 22:50
# @Author : A.James
# @FileName: tt2.py
p4 = 286593827663265980875510954967316219073448170030900062579915534986706486906458307884391633081975974889868808093084141196610789229262338742207816117361927894904776552676541036673244090334164798443162932914355966770450894047111793505063044583029134192122352988382684883337
n = 12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219
pbits = 1024
kbits = pbits - p4.nbits()
print (p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
print ("x:" ,hex(int(x0)))
p = p4+x0
print ("p: ", hex(int(p)))
assert n % p == 0
q = n/int(p)
print ("q: ", hex(int(q)))

得到

p=0x8ae08a8ccda172cc5768c98c935b06a185a5f86f1020ce864929dd61d0d6511141e94f589b4c10754fe4b278207414caedc5a0c47ca091ef3dad80c15b05776d4c574759b50106585973e7f7cda6d01db4bcfbb671151069287f276bb6c18d04cab2dfccf70a72a5edbc23fd636da989cb609b9f64429a11ce179a7e63951f07
q=0xbaaeffd0d50b8bbd0d9fcb6086388c65473593441b5551f0fdfa8d3a25e7bc7a3a905faeee4ef188c3f249aacbfa9f779efdc23a61542b66ad1ef884152ad7039a090617381793da84eda62f39959f1ed3c71e9fccfbf19c62d53b2a5a2e14d472b5dd10c7c9a0aa051ee14baff0349b96caabdd03516aa7c8b7a692431f11b5

有了p和q就是正常的RSA了。

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:02
# @Author : A.James
# @FileName: tt2-2.py
import gmpy2
import binascii

x=0xcb609b9f64429a11ce179a7e63951f07
p=0x8ae08a8ccda172cc5768c98c935b06a185a5f86f1020ce864929dd61d0d6511141e94f589b4c10754fe4b278207414caedc5a0c47ca091ef3dad80c15b05776d4c574759b50106585973e7f7cda6d01db4bcfbb671151069287f276bb6c18d04cab2dfccf70a72a5edbc23fd636da989cb609b9f64429a11ce179a7e63951f07
q=0xbaaeffd0d50b8bbd0d9fcb6086388c65473593441b5551f0fdfa8d3a25e7bc7a3a905faeee4ef188c3f249aacbfa9f779efdc23a61542b66ad1ef884152ad7039a090617381793da84eda62f39959f1ed3c71e9fccfbf19c62d53b2a5a2e14d472b5dd10c7c9a0aa051ee14baff0349b96caabdd03516aa7c8b7a692431f11b5
n = 12784625729032789592766625203074018101354917751492952685083808825504221816847310910447532133616954262271205877651255598995305639194329607493047941212754523879402744065076183778452640602625242851184095546100200565113016690161053808950384458996881574266573992526357954507491397978278604102524731393059303476350167738237822647246425836482533150025923051544431330502522043833872580483142594571802189321599016725741260254170793393777293145010525686561904427613648184843619301241414264343057368192416551134404100386155751297424616254697041043851852081071306219462991969849123668248321130382231769250865190227630009181759219
c = 627824086157119245056478875800598959553774250161670787506083253960788230737588761787385686125828765665617567887904228030839535317987589608761534500003128247164233774794784231518212804270056404565710426613938264302998015421153393879729263551292024543756422702956470022959537221269172084619081368498693930550456153543628170306324206266216348386707008661128717431426237486511309767286175518238620230507201952867261283880986868752676549613958785288914989429224582849218395471672295410036858881836363364885164276983237312235831591858044908369376855484127614933545955544787160352042318378588039587911741028067576722790778

e = 65537
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(hex(m))

得到:

464c41477b325e3872736136653237376633353564626536646133656464366633353664326462366436667d

输入进入下一层

5.第3层

给出:

[+]Generating challenge 3


  [+]n=92896523979616431783569762645945918751162321185159790302085768095763248357146198882641160678623069857011832929179987623492267852304178894461486295864091871341339490870689110279720283415976342208476126414933914026436666789270209690168581379143120688241413470569887426810705898518783625903350928784794371176183 

[+]e=3

[+]m=random.getrandbits(512)

[+]c=pow(m,e,n)=56164378185049402404287763972280630295410174183649054805947329504892979921131852321281317326306506444145699012788547718091371389698969718830761120076359634262880912417797038049510647237337251037070369278596191506725812511682495575589039521646062521091457438869068866365907962691742604895495670783101319608530

[+]d&((1<<512)-1)=787673996295376297668171075170955852109814939442242049800811601753001897317556022653997651874897208487913321031340711138331360350633965420642045383644955

[-]long_to_bytes(m).encode('hex')=

已知d的低位,上脚本

#!python3
# -*- coding: utf-8 -*-
# @Time : 2020/10/31 23:12
# @Author : A.James
# @FileName: tt3.py
def partial_p(p0, kbits, n):
    PR.<x> = PolynomialRing(Zmod(n))
    nbits = n.nbits()

    f = 2^kbits*x + p0
    f = f.monic()
    roots = f.small_roots(X=2^
最低0.47元/天 解锁文章
大熊何在
关注
  • 4
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
BUUCTF 强网杯2019 Copperstudy
walker_feng的博客
09-30 1498
强网杯2019 Copperstudy ![强网杯2019](https://img-blog.csdnimg.cn/20200930195613457.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dhbGtlcl9mZW5n,size_16,color_FFFFFF,t_70#pic_center)   做之前很爽,做之后更爽 前提说
BUUCTFCrypto题解——看我回旋踢
最新发布
ztf180的博客
06-30 268
得出flag{5cd1004d-86a5-46d8-b720-beb5ba0417e1}看题目首先想到凯撒密码——因为题目中表示“回旋踢”,应该是位移循环。synt应该对应flag。由此得出位移量位13。
强网杯2019 Copperstudy
m0_57291352的博客
08-13 1015
强网杯2019 Copperstudy 靶机:node4.buuoj.cn:25381
buuctf crypto
zbbjya的博客
05-16 883
之前做过的但是我不想写了大家看看别的大佬写的吧(我就给大家提供一个链接) 我觉得wp写的很棒大家好好看噢 版权声明:本文为CSDN博主「何以缘起」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/qq_53315404/article/details/112161797 丢失的md5 打开是一个py文件,我也不太懂,先看看 我运行了一下发现运行不了 再试试放进kali里面运行看看 没反应然后去试试python2 看看
BUUCTF Crypto
qq_74388419的博客
04-26 658
Crypto
sm-crypto-master.zip
12-17
国密算法SM2公私钥加解密及签名验签以及前端js sm-crypto,附件说明及参考及测试方法;
Charm-Crypto-0.43_Python3.tar.gz
08-15
**Charm-Crypto-0.43_Python3.tar.gz** 是一个包含了Charm加密库的版本0.43的压缩文件,专为Python 3编程语言设计。这个库为开发者提供了一整套强大的加密工具,包括了身份基加密(IBE)、属性基加密(ABE)以及对称...
commons-crypto-1.0.0-API文档-中文版.zip
05-02
赠送jar包:commons-crypto-1.0.0.jar; 赠送原API文档:commons-crypto-1.0.0-javadoc.jar; 赠送源代码:commons-crypto-1.0.0-sources.jar; 赠送Maven依赖信息文件:commons-crypto-1.0.0.pom; 包含翻译后的API...
spring-security-crypto-5.5.2-API文档-中文版.zip
06-04
赠送jar包:spring-security-crypto-5.5.2.jar; 赠送原API文档:spring-security-crypto-5.5.2-javadoc.jar; 赠送源代码:spring-security-crypto-5.5.2-sources.jar; 赠送Maven依赖信息文件:spring-security-...
spring-security-crypto-5.6.1-API文档-中文版.zip
05-04
赠送jar包:spring-security-crypto-5.6.1.jar; 赠送原API文档:spring-security-crypto-5.6.1-javadoc.jar; 赠送源代码:spring-security-crypto-5.6.1-sources.jar; 赠送Maven依赖信息文件:spring-security-...
BUUCTF crypto
qq_45547935的博客
09-26 446
Quoted-printable Quoted-printable可译为“可打印字符引用编码”,编码常用在电子邮件中,如:Content-Transfer-Encoding: quoted-printable ,它是MIME编码常见一种表示方法! 在邮件里面我们常需要用可打印的ASCII字符 (如字母、数字与"=")表示各种编码格式下的字符!Quoted-printable将任何8-bit字节值可编码为3个字符:一个等号"=“后跟随两个十六进制数字(0–9或A–F)表示该字节的数值。例如,ASCII码换页符
buuctf -crypto
m0_74271951的博客
10-31 292
题目来源:BUUCTF 题目类型:Crypto Crypto中部分题详解 WP
BUUCTF Crypto(1)
Ghost_Jason的博客
01-11 712
MD5 ​ 打开题目文件(题目链接:MD5),发现密文: e00cf25ad42683b3df678c61f42c6bda 由密文我们可以知道是MD5 利用工具:https://www.cmd5.com/ 得出flag: flag{admin1} ​ 2. Url编码 ​ 打开题目文件(题目链接:Url编码),发现密文: %66%6c%61%67%7b%61%6e%64%20%31%3d%31%7d ​ 分析密文只有数字、标点符号、英文,可以判断为Url编码 利用工具:h.
BUUCTF——Crypto
weixin_50888622的博客
05-28 316
1.Md5 下载文件得到文件夹Md5 打开后得到题目 在网页中找到Md5在线解密https://cmd5.com/得到答案 得到答案flag{admin1} 2.Url编码 下载文件,得到压缩文件 打开文件夹得到题目 在网页中打开Url编码在线解密http://www.jsons.cn/urlencode/ 得到答案flag{and 1=1} 3.一眼就解密1 观察字符串,字符串最后有=,想到是base64加密,在网页中打开base64在线解密https://tool.ip138.com/ba
BUUCTF--Crypto
weixin_48295646的博客
05-21 837
6.password 内容: 姓名:张三 生日:19900315 key格式为key{xxxxxxxxxx} xxxxxxxxxx共十个,试试zs19900315 flag{zs19900315} 7.变异凯撒 加密密文:afZ_r9VYfScOeO_UL^RWUc 格式:flag{ }
BUUCTF Crypto 1
葜。的博客
01-18 1038
MD5 下载附件,直接md5解密,得到flag。 看我回旋踢 synt{5pq1004q-86n5-46q8-o720-oro5on0417r1} 看到题目,看格式猜测是凯撒密码, 直接解出flag。 Url编码 %66%6c%61%67%7b%61%6e%64%20%31%3d%31%7d 题目都给提示了 一眼就解密 果然一眼。。。 base64解码 摩丝 摩尔斯电码 直接解出flag 变异凯...
buuctf crypto rsa
01-22
buuctf crypto rsa是北京邮电大学举办的一场密码学竞赛。RSA是一种非对称加密算法,它使用了两个密钥:公钥和私钥。公钥用于加密数据,只有相应的私钥才能解密。在buuctf crypto rsa比赛中,参赛者需要通过解密RSA加密的数据来获取flag。通常情况下,需要对RSA算法进行分解因子攻击或者求解模数的方法来获取私钥,从而解密加密的数据。参赛者需要具备对RSA加密算法的理解和掌握,以及对相关攻击手段的熟练运用。此外,还需要熟悉一些常见的RSA加密算法的实现,例如使用不同的公钥长度或填充方式等。buuctf crypto rsa比赛不仅考察了参赛者对RSA加密算法的掌握能力,还需要他们具备密码学方面的综合能力,包括数学知识、算法实现、攻击手段等方面的综合应用能力。通过参与buuctf crypto rsa比赛,可以提高参赛者的密码学水平,丰富他们的技术经验,拓展他们的安全技术视野,从而更好地为网络安全事业做出贡献。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值