OPPO杯SCUCTF2022

​ OPPO赞助的校赛,遗憾没拿到第一名,第一名貌似是研究生学长,tql膜了。

Misc

窗外的山

image.jpg看起来像是手机拍的照片,所以尝试用EXIF查看相关信息:

拿经纬度到google地图上去定位,发现就在彭州周围。根据‘绵延’的特征筛选了一下,猜测是九峰山脉。遂百度:https://chengdu.cncn.com/jingdian/jiufengshan/profile

再根据实景地图排除了几个,剩下天牙峰,长年峰,龙峰。一个个尝试直到正确提交flag。

Never Gonna Give Misc Up

又是这首歌QWQ。题目用歌词把类似于伪代码的描述混淆起来,刚开始以为是非常复杂的加密操作,还一句句分析。后来仔细想想貌似也就给了个key,给了个异或,解base64之后明文长度是44。key长度是23,于是直接把key*2和base64明文进行一波异或,就出了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import sys
import base64

key = 'Never Gonna Give You Up'*2
print(len(key))
# gonna encrypt rick
areYouRoll = 0
astleyCounter = 0
# astleyCounter = len(rick)

s = 'PQYDBgZGPFpfC1RFcA0VSBNrX0wNYRJ5XVsERkMlQg0LWBV0WhAHRmgORV0='
rick = base64.b64decode(s)
print(len(rick))
for i in range(44):
    print(chr(rick[i]^ord(key[i])),end='')
 
#scuctf{51e5e7dc-3209-4b78-a4cb-ce9533fbf1a0}

Unbroken RSA

这题确实是misc,和crypto没啥关系。这里的RSA没啥毛病,无法攻击。看到hint说task.py就是服务端的运行的文件,那么关键点就在于task.py是python2,而python2存在一个input rce,可参考:

https://www.heetian.com/info/912
https://hxp.io/blog/72/DEFCON-CTF-Quals-2020-notbefoooled/

所以这里我们尝试连接之后getshell,再cat flag:

Crypto

RingSA

把n转换到2^32下的多项式形式就能分解,可参考:https://ctftime.org/writeup/22977

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from sage.all import *
from Crypto.Util.number import long_to_bytes, bytes_to_long

flag = 87999482691830361247379297209239721526607759448870428543627708497225133998703525964882194413117149312447160453725061579823628178880528029445
n = 1626425208406583241292049076444714722533257035525114741592324091711725209911065562839042915374809556761672902667823144189049661717920928907519
e = 65537
c = 87999482691830361247379297209239721526607759448870428543627708497225133998703525964882194413117149312447160453725061579823628178880528029445

poly = sum(j * x^i for i,j in enumerate(Integer(n).digits(2^32)))
(p, _), (q, _) = poly.factor_list()
p, q = p(x=2^32), q(x=2^32)
assert p*q == n

d = inverse_mod(e, (p-1)*(q-1))
print(d)
print(long_to_bytes(int(pow(int(flag), int(d), int(n)))))
#flag{a2d3nf68de69-f1a33h6i25ka2s-d75a4skj54cz-1pz215cz7je}

无e烦

没给e也不需要e,用M来构造m即可用C来表示c,M是经过设计的应该不是随机的。构造的时候需要把M中的元素和m同时分解,对照基数进行组合。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import gmpy2
from hashlib import md5
from Crypto.Util.number import *

m1 = 27869827573821748315559900687594988919
M =  [5579, 598603829, 260990180, 1021754, 776307182737258, 1024275153677530399, 4600527292991, 122745486818718559362816, 648394777237946314, 967584531487748385405909929860]
n =  80866130102261518785138247492226418988283622967107642931626670770991287290017575544856640708656070056599413982921939820092653964250560158534164684509508570827031257145358915936716873579275999289598802214938312512124960829274763697183422853018643009337211154573323694306354847681849997475073748060554116885743
c =  [31144948752006156956371408281561352243079201486174266637408555124157021185950319222361922834637592274602797401823142568566421878331058293593226929896870037754087323313283303137533025781672293482174192932461883863211124310703337677122102074722437833121327084819887896193852163626471460810662932603076534660804, 58749052925641223456561705208530964408557935651157882734266347388456853409033384416852410757712668576320121029921896159470323217774586441972199278374439949270876469606930228396601576234668190157650922636135501186357625172032576738756614273367295339284973641828226470658939082400779599258757898885883644801053, 40579637913832144242682484264514378732436426402443803846093953264515971181103912187778246987360607324323099933248625621555519103040756905979660584142448386505386901820391693230451974101594790778026848209779850319523275751832867671987115959904668387865788935422538240044475848660391245453237006973560308165704, 15835925903597045972140032459728544439513422823860173109658290670683594043875129538306223165929079184397089052592444654067130249396164980960356271754915481618011410536765933171454501338047351306704434512914546553962486447770536415910399995606608613315118790692706536805083836633281529931209281637891318353741, 4151494489564600318094655116793301906740457645167301450751640199360784554254420449223484211520605752417331051052221881536558310384015644237944026227453976543115190245641063933315808492207164476079528582238760181801532524373077098185522630038060400419605143520089304061730233240190827575204697167386552820873, 46450004515612124682062326769786875920262836498726465653281013385901400386040827258028783122454588622468817101329068510845265192227085655559383112363438579993120259202146869556553612006784560362028894578429513744992720306276354566189337126874210742595318199174149347871156773709876660547468111493256985790264, 5293675028656705650831635378836383447792200771454173820886211319500431128744638963226815998459995451887706586775256373154495638727831792733331349999470387188688842268193444623645723157924374339534474296911972302241786675561240710375985864649928838541714831703346767850719207370350131520678912020234750273930, 30043574658200438024547973628567719018751546081493990329929735757336474377209161041596827306653602292215720621453139092179169784224079738652396993819458373985141265627934492408720528950069791313892499982826159264170102770059863789006549726625129186587016838115681900755406881891907749234407979155358030945914, 49664459429620491137496885409272085607758468537571273414043041753461839754010622955053495314196284424560133883998315943659743474201365515603408943978523525179827702636431575706855973368124936003475671990897616340108065511459270017655645179716434335969764382936670154226518119191587925302403315274959019503422, 72335423827835340317296400031661018813932187781068379309839710979890568519179106231620831225764055797117609283378510499491626336945698456043068123495971189674660151501766805123602763163842302478047056395083249502992176542543200848695685618337947070448376674020551810665597616550148876318339506522538505673458]
# 验证
print(M[0]*gmpy2.invert(M[1],n)*gmpy2.invert(M[3],n) *M[5]*M[6]*M[8]%n == m1)
# 求解
m=c[0]*gmpy2.invert(c[1],n)*gmpy2.invert(c[3],n)*c[5]*c[6]*c[8]%n
print("SCUCTF{"+md5(str(m).encode()).hexdigest()+"}")
# SCUCTF{0bc5e3a135bc252623bb4a391c886c08}

just_math

proof部分的思路是找一个Carmichael数多次进行连接请求,会有较小概率通过1000次测试,发现因子较大的Carmichael数比较容易通过检验。找到的效果最好的是82929001,因子为281。proof勉强能够通过(大概几分钟的样子),当然,也可以多开几个终端跑。

后面一部分就是利用佩尔方程解:

参考:https://zhuanlan.zhihu.com/p/365860557

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import math
from pwn import *
from gmpy2 import *
from sage.all import *

# 29111881(211
# 82929001(281

# sage
def solve_pell (N , numTry = 1000):
    # 展开一千项
    sols = []
    cf = continued_fraction ( sqrt ( N ))
    for i in range ( numTry ):
        denom = cf . denominator ( i )
        numer = cf . numerator ( i )
        if numer ^2 - N * denom ^2 == 1:
            sols.append((ZZ(numer) , ZZ(denom)))
    return sols


def attack():
    while True:
        io = remote('43.155.90.127',10010)
        s1 = io.recvuntil(b':')
        #print(s1)

        io.sendline(b'82929001')
        j = io.recvline()
        if b'next' in j:
            print(j)
            break
    io.recvuntil(b'square')

    sols = solve_pell(6)[7:17]
    for i in range(10):
        x = 3 * sols[i][0] + 6 * sols[i][1]
        if x % 2 == 1:
            io.send(str((x-1)//2))
    print(io.recv(2000))

# 这里的解都是大于82929001的
# 125608561
# 1243396573
# 12308357173
# 121840175161
# 1206093394441
# 11939093769253
# 118184844298093
# 1169909349211681
# 11580908647818721
# 114639177128975533

if __name__ == '__main__':
    attack()
# scuctf{math_1s_4ttractive_hgczsasd_ksqwnad}

义神爱吃铜

proof part:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from string import *
from pwn import *
from hashlib import *

table = ascii_letters+digits

io = remote('43.155.90.127',10020)
s = io.recvuntil(b'XXXX :')
print(s)

s1 = s.find(b"XXXX+")
s2 = s.find(b")")
l = s[s1+5:s2]
print(l)

s3 = s.find(b'==')
U  = str(s[s3+3:s3+67])[2:-1]
print(U)

for i in table:
    for j in table:
        for m in table:
            for n in table:
                X = bytes(i + j + m + n, encoding="utf-8")
                if sha256((X + l)).hexdigest() == U:
                    print(X)
                    io.sendline(X)
                    io.interactive()
 # 没有time限制,可以直接转成交互模式

copper部分用了个crt:

所以,g-x=k1p,g-y=k2q

又知道n的高位,所以只需要构造一个modnn(kp*kq)的多项式用copper梭:

解出之后和k1p,k2q做gcd得到p和q,后边就是正常解密过程。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from sage.all import *
import gmpy2

x,y,g=0x793eca80acd6a34af098a9ef306a81c3ffedfe3e4ed83a3b2247c52f7be1f3779c5ecb4b093cff06ef1ec708bcc71a6cde200aaec6544db8d67f2d81e5533f17, 0x9ae4a2bc2a3df151d4eeab51d2d2de4b7a38b54aea3b73719f3557389bf26b868b2dc3255f960e24151ae439a35bd61c9cc497de1c9a4e7d7f74bfb4d8e82d4b, 0x60eed8bf1ecc808b3d51c6425c4a9fbc05c6916b29cee32129df17bbfcff6b026bf581b03c309ee363b99a8b292b4a4d1390050a32059dc697ef8800fd96b2f0eb048c7508414fd28881337be577bd0f05a32339e40267341d206ed875c68e3906b7f597aab49bcc536c8d2454162dc1356bcb326706df484b334f3f66c340aa
kp=g-x
kq=g-y
nn=kp*kq
n_=0x926ae1d6106b5e751544614c037d2323dedc572fb40b455c249640ffbe63aa660283e0c5a661a973ca169599ca5a1719cc6ffb648561d4aec3bc22bd9557bc2c7e26085cdfbb56ddc88ad58babc30000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PR.<x>=PolynomialRing(Zmod(nn))
f=n_+x
root=f.small_roots(X=2^400,beta=0.45)
n=n_+int(root[0])
p=gmpy2.gcd(kp,n)
q=gmpy2.gcd(kq,n)
phi=(p-1)*(q-1)
e=65537
d=gmpy2.invert(e,phi)
c=0x77ddf54606a30fd9360f516ad600a95a365c322612ab620f186a5c2956029500d8481c0391f8e97aba3481ac5bc85afae9be3cf971c1a3f1ab880d5dde4bf8b3fa4a05fa95c3c39c57bf1762a2ae3f0868c74656b6d68a7a7231c20ed17cd8f64532fcf4f68e353d04fd2d1ac27329e829681c44ac510cafc5bcd3edfb32addb
m=hex(pow(c,d,n))[2:]
print(bytes.fromhex(m))

eccop

思路在代码注释里。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# sage 椭圆曲线本身就是一个多项式,利用一元copper可恢复x
p = 93556643250795678718734474880013829509320385402690660619699653921022012489089
a = 66001598144012865876674115570268990806314506711104521036747533612798434904785
b = 25255205054024371783896605039267101837972419055969636393425590261926131199030
Zp = GF(p)
E = EllipticCurve(Zp, [1, 0, 0, a, b])
x,y=(1972225925711091012803863748535364155322813016048057253053648845117,2207546999484766654073894682641966221457667743364803779409621791076841301682)
x=x<<32
PR.<t>=PolynomialRing(Zmod(p))
f=(x+t)^3+a*(x+t)+b-y^2-y*(x+t)
root=f.small_roots(T=2^32,beta=1,epsilon=0.04)
x=x+int(root[0])
# 这里发现阶是部分光滑的,需要去除最大的两因子用p-h解,由于用来解离散对数的是小阶群,所以得到的是k模这个阶的余数
Q=E(x,y)
G=E(65601233721734480834214104242726402608050706178263282965281571500512937864868,89733492606578358712798671846709058421091702135878272152459729920322086520227)
primes = [8, 17, 31, 547, 19973, 36457, 44129, 3299267,15658671577]
ordd=E.order()
print(ordd)
logs=[]
for fac in primes:
    t=int(ordd)//int(fac)
    print('ok')
    log=discrete_log(t*Q,t*G,operation='+')
    print(log)
    logs+=[log]
print(crt(logs,primes))
# 根据k的长度爆破
from Crypto.Util.number import *
from tqdm import tqdm
n=3828323447966507442387008585400282392
print(n.bit_length())
mm=2328935992939051457609738343364339349
print(mm.bit_length())
for i in tqdm(range(2**20,2**21)):
    s=i*n+mm
    check=long_to_bytes(s)
    if b'scuctf' in check or b'SCUCTF' in check:
        print(check)
# b'SCUCTF{po_he1lm4n}'

扫一扫,分享到微信

微信分享二维码
本站总访问量: 总访客次数:

tag:

梦想是成为全栈佬并养一只猫