把压缩文件解压,得到crypto.zip
和jiami.py
,而前者中包含有jiami.py
,构造一个zip出来查看CRC,发现是同一文件,所以进行明文攻击。
打开AESencrypt.py
,查看代码:
# -*- coding:utf8 -*-
from Crypto.Cipher import AES
s=open('next.zip','rb').read()
BS=16
pad_len=BS-len(s)%BS
padding=chr(pad_len)*pad_len
s+=padding
key='我后来忘了'
n=0x48D6B5DAB6617F21B39AB2F7B14969A7337247CABB417B900AE1D986DB47D971
e=0x10001
m=long(key.encode('hex'),16)
c=pow(m,e,n)
c='0{:x}'.format(c).decode('hex')
with open('RSA.encrypt','wb') as f:
f.write(c)
obj=AES.new(key,AES.MODE_ECB)
with open('AES.encryt','wb') as f:
f.write(obj.encrypt(s))
由c='0{:x}'.format(c).decode('hex')
发现是python2的代码(似乎还多写了个0…)
发现key被RSA加密了,给出了n和e,将n分解(当p、q的取值差异过大或过于相近的时候,使用yafu可以快速的把n值分解出p、q值)
解出两个质数是177334994338425644535647498913444186659
和185783328357334813222812664416930395483
使用gmpy2
解出d = 21459038613121460434132216103140795081593356519819592462521069311922260546829
d = gmpy2.invert(e,(p-1)*(q-1))
#21459038613121460434132216103140795081593356519819592462521069311922260546829
(其实用RSA-Tool2
也行,这样就没必要装gmpy2
了)
以16进制读取RSA.encrypt
文件,得到68c2e12fadebbd344e82fa9e1eac0f0bde5aecbd7840f18352cf761f872233d
再转化为数字
#python3
byte = open("RSA.encrypt" , "rb").read()
hexstr = binascii.b2a_hex(byte).decode("utf-8")
c = int(hexstr,16)
#python2.7
c = int(open("RSA.encrypt" , "rb").read().encode('hex'),16)
使用RSA-Tool2
(需要把字母转为大写,神奇的bug…)或使用python代码解密
#python3
from Crypto.Cipher import AES
import binascii
def HextoAscii(hexnum):
hexStr = str(hexnum).replace("0x","")
return binascii.a2b_hex(hexStr).decode("utf-8")
c = 0x068C2E12FADEBBD344E82FA9E1EAC0F0BDE5AECBD7840F18352CF761F872233D
n = 0x48D6B5DAB6617F21B39AB2F7B14969A7337247CABB417B900AE1D986DB47D971
e = 0x10001
p = 185783328357334813222812664416930395483
q = 177334994338425644535647498913444186659
d = 21459038613121460434132216103140795081593356519819592462521069311922260546829
m=pow(c,d,n)
print(m)
hexnum = hex(m)
print(HextoAscii(hexnum))
#python2.7
from Crypto.Cipher import AES
c = 0x068c2e12fadebbd344e82fa9e1eac0f0bde5aecbd7840f18352cf761f872233d#read RSA.encrypt
n = 0x48D6B5DAB6617F21B39AB2F7B14969A7337247CABB417B900AE1D986DB47D971
e = 0x10001
p = 185783328357334813222812664416930395483
q = 177334994338425644535647498913444186659
d = 21459038613121460434132216103140795081593356519819592462521069311922260546829
m=pow(c,d,n)
print(m)
key = "{:x}".format(m).decode('hex')
print(key)
m=132172197780003798270878941356862694777
16进制就是636F70795F5F77686974655F5F6B6579
HexDecode得到copy__white__key
修改一下AESencrypt.py
,然后运行,得到next.zip
代码如下:
from Crypto.Cipher import AES
s=open('AES.encryt','rb').read()
BS=16
pad_len=BS-len(s)%BS
padding=chr(pad_len)*pad_len
s+=padding
key='copy__white__key'
obj=AES.new(key,AES.MODE_ECB)
with open('next.zip','wb') as f:
f.write(obj.decrypt(s))
解压缩next.zip
得到三个文件
查看encrypt.py
,代码如下
from base64 import *
s=open('flag.jpg','rb').read()
s='-'.join(map(b16encode,list(s)))
s=map(''.join,zip(*(s.split('-'))))
with open('first','wb') as f:
f.write(b16decode(s[0]))
with open('second','wb') as f:
f.write(b16decode(s[1]))
发现是把flag.jpg拆成两部分,都使用base16 decode了一次
from base64 import *
s = [0,1]
with open('first','rb') as f:
s[0] = b16encode(f.read())
with open('second','rb') as f:
s[1] = b16encode(f.read())
s=map(''.join,zip(*s))
s=b16decode(''.join(s))
with open('flag.jpg','wb') as f:
f.write(s)
(可自行保存分析)
按照惯例,肯定是藏在文件尾,010Editor打开,提取出尾部文件
发现是psd文件
key为copy__white__key
,这是一个提示,把背景导出为png
使用stegsolve打开,点一下左箭头,得到一个二维码,解码得到flag
参考:
CryMisc__writeup
CTF中RSA套路
RSA史上最强剖析,从小白变大神,附常用工具使用方法及CTF中RSA典型例题