SEETF2022

​ 题目质量很好，后边慢慢复现。

Web

Sourceless Guessy Web (Baby Flag)

目录遍历，flag在根目录下的etc/passwd。payload：?page=../../../etc/passwd，这里如果不确定往回退几个目录可以多加几层../，最终会到根目录底下。
SEE{2nd_fl4g_n33ds_RCE_g00d_luck_h4x0r}

Misc

Regex101

有很多个txt文件，flag是其中一个txt的内容；给了flag格式，所以读出每个txt的内容然后正则过滤就行。

import re
f = open("flags.txt",'r')
for i in range(3000):
    m = f.readline().strip()
    if re.search(r"[A-Z]{5}[0-9]{5}[A-Z]{6}",m):
        print(m)

# SEE{RGSXG13841KLWIUO}

FORENSICS

Sniffed Traffic

首先分析http流量，可以看到传输了zip文件；导出http对象即可获取zip。

追踪tcp流，在32组发现zip密码：
hey!
what the? who is this
someone who stole your thingamajig. now whats the password?
im really not sure why i would willingly give you the password. but for the sake of story telling, here it is 49949ec89a41ed9bdd18c4ce74f37ae4
解开是stuff.stuff，winhex分析发现有压缩包的痕迹，所以binwalk再把最后一层zip分出来。需要密码而并非伪加密，于是爆破，得到解压密码john，解开就是flag。SEE{w1r35haRk_d0dod0_4c87be4cd5e37eb1e9a676e110fe59e3}

CRYPTO

Close Enough

p,q取的太接近了，费马分解n就行。

Lost Modulus

服务端对提交的m1和m2有限制：

assert m1.bit_length() >= 1600 and long_to_bytes(m1).startswith(b"SEE{")
assert 500 <= m2.bit_length() <= 600

需要在绕过这两个限制的条件下构造特定的m1和m2求n。得到n以后对n开$2^i$得到flag。通常构造明文关系是让m1和m2有倍数关系，但这题不知道e，不可行；于是想到幂次关系：

$$m_{2} ^3=m_{1}$$

服务端加密之后有：

$$c_{1}=m_{1} ^e \mod n$$ $$c_{2}=m_{2} ^ e \mod n$$

故c2^3 - c1为关于n的多项式。由于每次e都是随机的，所以同一组数据可以向服务器请求两次得到两个不同的多项式；两组数据做gcd可得到n。完整exp：

from Crypto.Util.number import *
from gmpy2 import *

m = b"SEE{"
t = getRandomNBitInteger(1600)
r = m + long_to_bytes(t)
rr = bytes_to_long(r)

m2 = iroot(rr,3)[0]
m1 = pow(m2,3)
print(m1)
print(m2)

# 需要两组数据做gcd
l1 = [23567680941583601735556045405295677828384777952241796469327058194988188091146299674631746598181119414103638879032060603260838407921994665418622633978877119213123524393064789118410275586099027688149980102283539233077321118628434918045581198338927080073348812294522379597309055248147216656226526810483001997666346729431930859203422705189471011094356386225010857012205006040152163494305897833318494634318398037405442057169746348358967630152106932333161843629426170318862377344592908730353792075124171864059476548498200785157846949291394602897320395990396832624099725194591106240609693698447122601251040645022252382310353123704870733570311668206858259028936796464861749988396540355269788407928335957470529523245334651573382485839842171049818988860039788419959860570227275392617055234176965465663188919283087507101272853070909615797053111205935125809990457007143991249883041673506364425478110669854444993173827021353741403221597729698249087239488730222445554585688824237170417929909330220860781373728186244550449767296687099390964660644531250, 14475889839670886872843385514083904927386202930350361939874782221849125227559884889683074440218102856145094765941382258412057148841148626828125930353134356785363448439581064712388008267828615592302557717804501053659551134205076190390901544824346778246738498693503216988533798118151831056012391027686600462557484860319364413275719601343404144795150392806010410819218563733551409388908933317174162344841950087394578501680417900524020980794449512258196458525615455501230348141439896383112629039769048043133010193757831479487784734294258324408034559175231004689004585639002727368174006093799045980603346643197830195224251928650239557752292230896158336088774154650737017656990373708313377648581637681066714326422085563249927621435132100555475478328244257003825162005424392459453805758085793619492389509906835345991722125831855431705761983898469898476186587557646397733251721551159211094442004641560878594372059576305266612497357636870309840722303608627640857693727546940089387703796929836084589779346835300719517341450055970739115295410156250]
l2 = [6124957517012544253583276263442626992978126515394553287685251466779676545068777944109839073061028057313738438279552184114489564202113987475554487692048417043378894686159297649643652821396225530969980026447009798720699897816769002127322743312915090779056267061555533274251846797980286646401974378879605590160090623077133286917420774588429145019013178007901039037485430704863400251436922065670553763824682319910624759928133096728812357485015715300867541368318996098165274317715833869181410253794568905056774703866231379721315483064777362792417366661830434954741644808541724752861427446511013713256029233270601604034380512580426571392950306613629374959238462468113018421790095392597751663741477793560859215353147630501964845051040071101181938514627552849619130323489636939267483316744615658496660646565622282630339154838029373605448769741806853734258867627070616737768725279078335092127019165822312467173611772464794225625123622484401706054685496110826736750907891361218580748177703696536922385003850458225820901589116659840709991455078125, 15527378828999526777560104144408150453986336495429344837457474581563767085653618374455975467384476131389391413309843595420516129611558445921886899865524147439854240971109181536061074449637745934010850116019654215223735833930004923757004996150025768026714238924300874489288822442988389172133285181294096909009225777581603504997887897282233374687357274002075546864027000118643241777520912515299803042238553248519366166514008795741606705631117903037678504937920911699122412091202350627789047916987064707003626970387008091938490434013478985537030582300726312945176968468861156690702019624809542256186846287874450863858370018455631610158308723734397005232906301550196759957947332836290845017652801796786784027039101976705266213437148649935086205090459214009236457536830128755457867552484666928594700759361976898538224035267368895274113410051167847501038565595733790793662841356286742880199687241482316690810492546527877361653575684524640728173769365415176396925621390215285566477186236465740572433603184423840507421225741982484129638671875000]
print(gcd(pow(l1[1],3)-l1[0],pow(l2[1],3)-l2[0]))
n = 28686561013111747525630069121468346440333609759413268951215743445246815392136304171128320147791215221157964672177830719103820519591217759770411600734376250640402446249268523009702376417311237331501657150839063542045685437658252499339097922145450718247727627777674294386548345347917754405541341290126750531479057239419443756932260787283403784880477383645938911407888069685586562949044985812720748420991562668057390731673632821528146612488016363889071438610922053531514439062931600373710861903006972398458837735843378575945824790851958045125125316289280914899524262909693030143270855738753031878766979591844299270127788620095890959709291390057244795982326301009216623268000578890133149730913722061786125553679149912448259125462453428541202302110654785521984270001383099057074207545052416742633204521418186769874190561999467096280475535468660407347080417721580411967733153727034927214874082107834391139068075416223281700325866000017550079888478486414865041075117744907960507311277234808103909767335361346167650222345738007499292144775390625

for i in range(10):
    m = int(iroot(n,2**i)[0])
    if b"SEE" in long_to_bytes(m):
        print(long_to_bytes(m))
# b'SEE{common_moduli_with_common_exponents_daf4ede8dda5c}'

UniveRSAlity

也是交互类题目，首先对上传的p和q有限制，p和q的高位固定，并且都为128bit：

p = int(input('p='))
        assert isPrime(p) and p.bit_length() == 128, 'p must be a 128-bit prime'
        assert str(float(math.pi)) in str(float(p)), 'p does not look like a certain universal constant'
        q = int(input('q='))
        assert isPrime(q) and q.bit_length() == 128, 'q must be a 128-bit prime'
        assert str(float(math.e)) in str(float(q)), 'q does not look like a certain universal constant'

其次需要上传d进行解密，并且明文json可通过token验证：

print('We will use e=65537 because it is good practice.')
      e = 65537
      m = bytes_to_long(js.encode())
      c = pow(m, e, p * q)

      # decode
      print('Now what should the corresponding value of d be?')
      d = int(input('d='))
      m = pow(c, d, p * q)
      
      # interpret as json
      js = json.loads(long_to_bytes(m).decode())
      assert js['token'] == token, 'Invalid token!'
      print('RSA test passed!')

最后，若js中有”flag”，才会打印flag：

if 'flag' in js:
          from secret import flag
          print(flag)

关于p和q的取值，只需要爆破低位取得prime即可；解密若直接传入真实的私钥d，则解出的json数据虽然可以通过验证并不会包含”flag”；所以需要伪造一个d，让解密出的json数据既有token键值对又有”flag”；那么问题转化为：伪造一个明文$fakem$，$fake_m=c^d\mod n$，已知$fake{m}$和c、n，求d。
为了能快速求离散对数，我们需要找到光滑的p和q，最后用ph算法和crt求解即可。exp：

from Crypto.Util.number import *
import json

e = 65537
p = 314159265358979300000000000000000010539
q = 271828182845904500000000000000000000701
n = p*q

# json数据测试 构造可以绕过的明文
token = "rltmvyFGNAI"
js = json.dumps({'token': token})
print(js)
m = js.encode()
m = bytes_to_long(m)

f = b'{"token":"rltmvyFGNAI","flag":8}'
print(json.loads(f))
fake_m = bytes_to_long(f)
print(fake_m.bit_length())

c = pow(m,e,n)
print()
print(c)

G =GF(p)
g = G(c)
h = G(fake_m)
k1 = discrete_log(h,g)
print(k1)

G1 = GF(q)
g1 = G1(c)
h1 = G1(fake_m)
k2 = discrete_log(h1,g1)
print(k2)

d = crt([k1,k2],[p-1,q-1])
print(d)
# 把d发送给服务器check获得flag
# SEE{pohlig-hellman_easy_as_pie_db01d3f24beda43e}

The True ECC

本质上是paper题，可参考m0leCon CTF 2020 Teaser — King Exchange，相关论文点击这里。只需要参考paper建立同构关系即可，exp：

from random import randint
from os import urandom
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from hashlib import sha1
from typing import Tuple

class Ellipse:

    """Represents the curve x^2 + ay^2 = 1 mod p"""

    def __init__(self, a: int, p: int):

        self.a = a
        self.p = p

    def __repr__(self) -> str:
        return f"x^2 + {self.a}y^2 = 1 mod {self.p}"

    def __eq__(self, other: 'Ellipse') -> bool: # 判断曲线是否相同 equal
        return self.a == other.a and self.p == other.p

    def is_on_curve(self, pt: 'Point') -> bool: # 判断点是否在曲线上

        x, y = pt.x, pt.y
        a, p = self.a, self.p
        return (x*x + a * y*y) % p == 1

class Point:

    """Represents a point on curve"""

    def __init__(self, curve: Ellipse, x: int, y: int):

        self.x = x
        self.y = y
        self.curve = curve
        assert self.curve.is_on_curve(self)

    def __repr__(self) -> str:
        return f"({self.x}, {self.y})"

    def __add__(self, other: 'Point') -> 'Point': # 椭圆曲线的点加法

        x, y = self.x, self.y
        w, z = other.x, other.y
        a, p = self.curve.a, self.curve.p

        nx = (x*w - a*y*z) % p
        ny = (x*z + y*w) % p
        return Point(self.curve, nx, ny)

    def __mul__(self, n: int) -> 'Point': # 椭圆曲线数乘

        assert n > 0

        Q = Point(self.curve, 1, 0)
        while n > 0:
            if n & 1 == 1:
                Q += self
            self += self
            n = n//2
        return Q

    def __eq__(self, other: 'Point') -> bool: # 判断点是否相等
        return self.x == other.x and self.y == other.y

a, p = 376014, (1 << 521) - 1
F.<i> = GF(p ^ 2, modulus=x ^ 2 + a)

gx = 0x1bcfc82fca1e29598bd932fc4b8c573265e055795ba7d68ca3985a78bb57237b9ca042ab545a66b352655a10b4f60785ba308b060d9b7df2a651ca94eeb63b86fdb
gy = 0xca00d73e3d1570e6c63b506520c4fcc0151130a7f655b0d15ae3227423f304e1f7ffa73198f306d67a24c142b23f72adac5f166da5df68b669bbfda9fb4ef15f8e
ax, ay = 2138196312148079184382240325330500803425686967483863166176111074666553873369606997586883533252879522314508512610120185663459330505669976143538280185135503158,1350098408534349199229781714086607605984656432458083815306756044307591092126215092360795039519565477039721903019874871683998662788499599535946383133093677646
bx, by = 4568773897927114993549462717422746966489956811871132275386853917467440322628373530720948282919382453518184702625364310911519327021756484938266990998628406420,3649097172525610846241260554130988388479998230434661435854337888813320693155483292808012277418005770847521067027991154263171652473498536483631820529350606213
ct = b"q\xfa\xf2\xe5\xe3\xba.H\xa5\x07az\xc0;\xc4%\xdf\xfe\xa0MI>o8\x96M\xb0\xfe]\xb2\xfdi\x8e\x9e\xea\x9f\xca\x98\xf9\x95\xe6&\x1fB\xd5\x0b\xf2\xeb\xac\x18\x82\xdcu\xd5\xd5\x8e<\xb3\xe4\x85e\xddX\xca0;\xe2G\xef7\\uM\x8d0A\xde+\x9fu"

def phi(x,y):
    return x+y*i

def decrypt(shared: Point, ct: bytes) -> bytes:

    iv, ct = ct[:16], ct[16:]
    key = sha1(str(shared).encode()).digest()[:16]
    cipher = AES.new(key, AES.MODE_CBC, iv)
    pt = cipher.decrypt(ct)
    return unpad(pt, 16)

aa = phi(ax, ay).log(phi(gx, gy))
curve = Ellipse(a, p)
B = Point(curve, int(bx), int(by))
shared = B * int(aa)
print(decrypt(shared, ct))
# b'SEE{W4it_whaT_do_y0u_meaN_Ecc_d0esnt_Us3_e1Lipses}'