蓝帽杯初赛2022

​ misc和取证都是常规题目，仅仅复现一下密码题目。

​ 这道题考察了openssl私钥格式解析和copper构造；比赛时没出主要还是因为对私钥结构不熟悉，觉得难度大就放弃了。
​ 题目给了私钥的首尾两段，我们需要对照格式去解析已知信息，参考这里；弄清楚私钥的格式以后，直接解析已知部分：

import base64
from Crypto.Util.number import *

b = '''
MIICXgIBAAKBgQDXFSUGqpzsBeUzXWtG9UkUB8MZn9UQkfH2Aw03YrngP0nJ3NwH
UFTgzBSLl0tBhUvZO07haiqHbuYgBegO+Aa3qjtksb+bH6dz41PQzbn/l4Pd1fXm
dJmtEPNh6TjQC4KmpMQqBTXF52cheY6GtFzUuNA7DX51wr6HZqHoQ73GQQIDAQAB
'''
b = base64.b64decode(b)
print(len(b))
print(b)
c = '''
yQvOzxy6szWFheigQdGxAkEA4wFss2CcHWQ8FnQ5w7k4uIH0I38khg07HLhaYm1c
zUcmlk4PgnDWxN+ev+vMU45O5eGntzaO3lHsaukX9461mA==
'''
c = base64.b64decode(c)
print(len(c))
print(c)

# n是0x028181后129位16进制
n = bytes_to_long(b'\00\xd7\x15%\x06\xaa\x9c\xec\x05\xe53]kF\xf5I\x14\x07\xc3\x19\x9f\xd5\x10\x91\xf1\xf6\x03\r7b\xb9\xe0?I\xc9\xdc\xdc\x07PT\xe0\xcc\x14\x8b\x97KA\x85K\xd9;N\xe1j*\x87n\xe6 \x05\xe8\x0e\xf8\x06\xb7\xaa;d\xb1\xbf\x9b\x1f\xa7s\xe3S\xd0\xcd\xb9\xff\x97\x83\xdd\xd5\xf5\xe6t\x99\xad\x10\xf3a\xe98\xd0\x0b\x82\xa6\xa4\xc4*\x055\xc5\xe7g!y\x8e\x86\xb4\\\xd4\xb8\xd0;\r~u\xc2\xbe\x87f\xa1\xe8C\xbd\xc6A')
# print(n.bit_length())  1024
print(len(b'\00\xd7\x15%\x06\xaa\x9c\xec\x05\xe53]kF\xf5I\x14\x07\xc3\x19\x9f\xd5\x10\x91\xf1\xf6\x03\r7b\xb9\xe0?I\xc9\xdc\xdc\x07PT\xe0\xcc\x14\x8b\x97KA\x85K\xd9;N\xe1j*\x87n\xe6 \x05\xe8\x0e\xf8\x06\xb7\xaa;d\xb1\xbf\x9b\x1f\xa7s\xe3S\xd0\xcd\xb9\xff\x97\x83\xdd\xd5\xf5\xe6t\x99\xad\x10\xf3a\xe98\xd0\x0b\x82\xa6\xa4\xc4*\x055\xc5\xe7g!y\x8e\x86\xb4\\\xd4\xb8\xd0;\r~u\xc2\xbe\x87f\xa1\xe8C\xbd\xc6A'))
# e在n后，注意标志位
e = (bytes_to_long(b[141:144]))
print(e)

print(len(b'\00\xe3\x01l\xb3`\x9c\x1dd<\x16t9\xc3\xb98\xb8\x81\xf4#\x7f$\x86\r;\x1c\xb8Zbm\\\xcdG&\x96N\x0f\x82p\xd6\xc4\xdf\x9e\xbf\xeb\xccS\x8eN\xe5\xe1\xa7\xb76\x8e\xdeQ\xecj\xe9\x17\xf7\x8e\xb5\x98'))
t = bytes_to_long(b'\00\xe3\x01l\xb3`\x9c\x1dd<\x16t9\xc3\xb98\xb8\x81\xf4#\x7f$\x86\r;\x1c\xb8Zbm\\\xcdG&\x96N\x0f\x82p\xd6\xc4\xdf\x9e\xbf\xeb\xccS\x8eN\xe5\xe1\xa7\xb76\x8e\xdeQ\xecj\xe9\x17\xf7\x8e\xb5\x98')
print(t)
dq_l = bytes_to_long(b'\xc9\x0b\xce\xcf\x1c\xba\xb35\x85\x85\xe8\xa0A\xd1\xb1') # 这里是d mod q-1的低位
print(dq_l)

​ 已知信息有n，e，q模p的逆，d mod q-1的部分(低位)。根据这些信息，可以构造copper：

​ 这里注意需要控制k的范围，由ed’ - 1 = k*(q-1)可知，k小于e，这个范围足够了，但是sage会跑的比较慢，可以尝试多进程分段：

n = 151036135413139226687867011199700639084856588533884431118047808395603993635242690166659649156476428533386350427603713487259266502837260466348398817558768025404903682189934563578605367223796247470920497617904900418615352839562681665973088711089128789315193951623751145385357347144960284983398745189236464272961
t = 11889246144866782519155392157369478059715977597114885585873502852127888907191116911762955888968046505980125449346852147369649024143226438553109462231463320
e = 0x10001
dq_l = 1043891160170747082120115133012365745

for k in range(65537):
    F.<x> = PolynomialRing(Zmod(n))
    if k%100 == 0:
        print("%d times"%k)
    q = (x * 2**120 + dq_l)
    f = q * e - 1   + k  # 在一元copper下 变成模p爆破k
#    f = k * q  
    TT= t*f*f-k*f
    # small_roots(TT,[2**(512-120),e],m=3,d=6)
    TT=TT.monic()
    sss = TT.small_roots(X = 2**(512-120),beta=0.4)
    if (len(sss)) != 0 :
        print(k)
        print(t)
        print(sss)

​ 最后得到d解rsa需要用他加密这个库，略微麻烦：

n = 151036135413139226687867011199700639084856588533884431118047808395603993635242690166659649156476428533386350427603713487259266502837260466348398817558768025404903682189934563578605367223796247470920497617904900418615352839562681665973088711089128789315193951623751145385357347144960284983398745189236464272961
t = 11889246144866782519155392157369478059715977597114885585873502852127888907191116911762955888968046505980125449346852147369649024143226438553109462231463320
e = 65537
dq_l = 1043891160170747082120115133012365745

k = 59199
dq_h = 8473541887500515583954330543610580482352988466308294038598683460069270949695742839059962985745363324600134512811492604
from Crypto.Util.number import *

dq = (dq_h * 2 ** 120 + dq_l)
q = (dq*e-1)//k + 1
print(q)

p = n // q
d = inverse(e, (p - 1) * (q - 1))

from Crypto.PublicKey import RSA

e = 65537
n = p * q
d = d
# 注意这里要用RSA.construct重新构建私钥结构
privkey = RSA.construct((int(n), e, int(d)))
f = open('privkey2.pem', 'wb')
# 导出pem格式
f.write(privkey.export_key('PEM'))
f.close()

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
# ssl格式加密则用ssl格式去解密
cipher_text = open(r"flag.enc", "rb").read()
ciphertxt = cipher_text
key = RSA.importKey(open(r"privkey2.pem").read())
cipher = PKCS1_OAEP.new(key)
message = cipher.decrypt(ciphertxt)
print(message)
# b'flag{f1bf5c44-e2b4-424f-baff-b38b73a82e72}'

​ 经测试，可以不需要重写PEM文件，直接用RSA.construct建立的key也能解：

n = 151036135413139226687867011199700639084856588533884431118047808395603993635242690166659649156476428533386350427603713487259266502837260466348398817558768025404903682189934563578605367223796247470920497617904900418615352839562681665973088711089128789315193951623751145385357347144960284983398745189236464272961
t = 11889246144866782519155392157369478059715977597114885585873502852127888907191116911762955888968046505980125449346852147369649024143226438553109462231463320
e = 65537
dq_l = 1043891160170747082120115133012365745

k = 59199
dq_h = 8473541887500515583954330543610580482352988466308294038598683460069270949695742839059962985745363324600134512811492604
from Crypto.Util.number import *

dq = (dq_h * 2 ** 120 + dq_l)
q = (dq*e-1)//k + 1
print(q)

p = n // q
d = inverse(e, (p - 1) * (q - 1))

from Crypto.PublicKey import RSA

e = 65537
n = p * q
d = d
# 注意这里要用RSA.construct重新构建私钥结构
privkey = RSA.construct((int(n), e, int(d)))
from Crypto.Cipher import PKCS1_OAEP
# ssl格式加密则用ssl格式去解密
cipher_text = open(r"flag.enc", "rb").read()
ciphertxt = cipher_text
cipher = PKCS1_OAEP.new(privkey) #这里直接用privkey了
message = cipher.decrypt(ciphertxt)
print(message)
# b'flag{f1bf5c44-e2b4-424f-baff-b38b73a82e72}'

​ 复现完毕，撒花~