pwnhub冬季赛2022

Misc

游戏来咯

签到,注册游戏账号登录,在侧边栏看到flag1.

坐井观天

1
2
3
4
5
6
7
8
from pwn import *

io = remote('47.97.127.1',21542)
io.interactive()

# $ eval(input())
# __import__('os').system('cat flag')
# flag{5de8088410b719e42f82132163672a84}

证书里也有秘密

长亭的漏扫工具xray的证书解析,自己写的话比较麻烦,找到个项目,go build然后解析即可。

垃圾邮件分析

原本是个AI题,但是验证只需要10个数据,那么直接手动交互人工识别更简单。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
from hashlib import *
import string
import itertools

table = string.ascii_uppercase + string.ascii_lowercase + string.digits

io = remote('47.97.127.1',28816)
def proof():
    s1 = io.recvline()
    print(s1)
    p1 = s1.find(b'(')
    p2 = s1.find(b')')
    p3 = s1.find(b'= ')
    s = s1[p1+1:p2-7]
    h = s1[p3+2:-1]
    h = h.decode()
    print(h)
    print(s)
    for i in itertools.product(table, repeat=4):
        d = ''.join(i).encode()
        dd = s + d
        #print(dd)
        if sha256(dd).hexdigest() == h:
            print(d)
            io.sendline(d)
            io.interactive()
            break
proof()
# 10次判定太简单,手动判定即可
# Good job! Just take it:
# flag{c2b776a605897dcfab302d7df7ca133a}

Crypto

ASR

m的加密没有padding,非预期可出:得到s之后,把s当作n用来解密,因为flag<s。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
RSA1 = 0x97be543979cb98c109103fa118c1c930ff13a6b2562166417021afd6e46cb0837a5cc5f4094fcea5fcc33efdfa495050e0fb8269922b3ee2d403210ed1ba339af2dc3d4e8952f0c784fcc655436cf255b98cdaf8080df47f6c28bc0bae68c713
RSA2 = 0xa887aa84f3a0bd8b79ed59a7bb98d8e58a85414f85cf2ddf53ff4bd9294bfdadf7d6d6adfe7fbed55fc71b5a6bfcfe79ced27e2f41e7546a8679daf5b63dda37
c = 0x2f62fb7e7e8e27823193119f8412050ade9084ade25261a5875da23a07d5d5145e72d460697984d8aa668a25822009a4fdc85df2b208941cd3219b312f21c3c7bc4ef7aa8c18b4f91a0e815fe1892fca0f72406e571fbd0fea2c4710c601165ccd7e8a5a828721a5e2c956b732223d683d1413ef393b5f80a431c52bf9099e22b8e27daafb9d3e055242b89b5419b8925744ccf348e1bea519225af8efe7dbcc202425251039cbfe6b892a7fcf7e9d72224ea9381e3fb32ab837139af4b4112a3c7a6571c88e7d6c5db4c3f91e25edd15eb5544ef2f29a9e1bb1062ec86f1902
N = 0x58a7ff25292651e1a8d82656d64fe3b458d6e688405e85aa6c02e0c33469ad3dbaef6c6eaf8faf22f2d15e80856ab7b90a40fd50c36f7b59932bc94e6fb4fabefa87b11bf4ef74df4ccf8d254f0c6812628df3c5b3786af35e3dde9c87b462d1a565af6f100750718ccb7235174947f00cec5836765150f1680d0c58a5f9ea2473a6033c218c75664dc53377dde9386f37e1a89d77e61a716129d290c5a41f81cd3490bab6fe51f232ab27cb1ac9c8eb88e908c12109a125b7439c25b6879283a17a3467823fbb089709eb836cfd03386cc4bf186eb45401472ab0bdec605fd7
e = 0x10001

from gmpy2 import *

s = gcd(N,RSA1)
RA = RSA1//s
print(bin(RA))
mul = N//s
assert mul * s == N

# 非预期
phi = s - 1
d = invert(e,phi)
from Crypto.Util.number import *
print(long_to_bytes(pow(c,d,s)))

预期解的话应该要用剪枝算法去分解$R\cdot A \cdot S$

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
RSA1 = 0x97be543979cb98c109103fa118c1c930ff13a6b2562166417021afd6e46cb0837a5cc5f4094fcea5fcc33efdfa495050e0fb8269922b3ee2d403210ed1ba339af2dc3d4e8952f0c784fcc655436cf255b98cdaf8080df47f6c28bc0bae68c713
RSA2 = 0xa887aa84f3a0bd8b79ed59a7bb98d8e58a85414f85cf2ddf53ff4bd9294bfdadf7d6d6adfe7fbed55fc71b5a6bfcfe79ced27e2f41e7546a8679daf5b63dda37
c = 0x2f62fb7e7e8e27823193119f8412050ade9084ade25261a5875da23a07d5d5145e72d460697984d8aa668a25822009a4fdc85df2b208941cd3219b312f21c3c7bc4ef7aa8c18b4f91a0e815fe1892fca0f72406e571fbd0fea2c4710c601165ccd7e8a5a828721a5e2c956b732223d683d1413ef393b5f80a431c52bf9099e22b8e27daafb9d3e055242b89b5419b8925744ccf348e1bea519225af8efe7dbcc202425251039cbfe6b892a7fcf7e9d72224ea9381e3fb32ab837139af4b4112a3c7a6571c88e7d6c5db4c3f91e25edd15eb5544ef2f29a9e1bb1062ec86f1902
N = 0x58a7ff25292651e1a8d82656d64fe3b458d6e688405e85aa6c02e0c33469ad3dbaef6c6eaf8faf22f2d15e80856ab7b90a40fd50c36f7b59932bc94e6fb4fabefa87b11bf4ef74df4ccf8d254f0c6812628df3c5b3786af35e3dde9c87b462d1a565af6f100750718ccb7235174947f00cec5836765150f1680d0c58a5f9ea2473a6033c218c75664dc53377dde9386f37e1a89d77e61a716129d290c5a41f81cd3490bab6fe51f232ab27cb1ac9c8eb88e908c12109a125b7439c25b6879283a17a3467823fbb089709eb836cfd03386cc4bf186eb45401472ab0bdec605fd7


def findp(p,q):
    if len(p)==256:
        pp=int(p,2)
        if RSA1%pp==0:
            print(pp)
            print(RSA1//pp)
    else:
        l=len(p)
        pp=int(p,2)
        qq=int(q,2)
        if (pp|qq)%(2**l)==RSA2%(2**l) and pp*qq%(2**l)==RSA1%(2**l):
            findp('1'+p,'1'+q)
            findp('1'+p,'0'+q)
            findp('0'+p,'1'+q)
            findp('0'+p,'0'+q)

findp('1','1')

大杂烩

flag和p q有关,所以我们的最终目的是要分解n。首先e的低位就是a,求b可以把给的点带入椭圆曲线方程计算。求d需要造个维纳格,这里需要做一点变形:$Sd_1=enc_1+k_1N \rightarrow d_1=(enc_1+k_1 N).t$

1
2
3
4
5
6
7
8
enc1 = 98662590652068949920571979585725979127266112216583776160769090971169664292493813021843624362593669574513220457664819153878956311077379392531742253343961645534972639309537402874636739745717765969720117162780620981639015788423324884640935466801234207019510919768602974162878323777374364290185048275714332671356
enc2 = 58738699705013897273174837829098879580829898980458718341881900446701910685043213698485036350888862454440118347362218485065377354137391792039111639199258042591959084091242821874819864955504791788260187064338245516327147327866373690756260239728218244294166383516151782123688633986853602732137707507845681977204
NN = 149794788177729409820185150543033616327574456754306207341321223589733698623477041345453230785413920341465642754285280273761269552897080096162195035057667200692677841848045965505750839903359478511509753781737513122660495056746669041957643882516287304836822410136985711091802722010788615177574143908444311475347

A = [[enc2,1],[NN,0]]
L=Matrix(ZZ,A)
tmp=L.LLL()
print(tmp)

求出d以后就可以用已知e d n的方法来分解n,最后做一个移位转字符即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from Crypto.Util.number import *
import gmpy2
import random

n = 117749279680045360245987277946945707343578937283621512842997606104123872211782263906911929773756533011817679794905642225389185861207256322349591633257348367854563703050789889773031032949742664695416275919382068347995088593380486820784360816053546651916291080971628354468517506190756456913824397593128781030749
a = 1755716071599
N = 236038564943567983056828121309828109017
enc1 = 98662590652068949920571979585725979127266112216583776160769090971169664292493813021843624362593669574513220457664819153878956311077379392531742253343961645534972639309537402874636739745717765969720117162780620981639015788423324884640935466801234207019510919768602974162878323777374364290185048275714332671356
enc2 = 58738699705013897273174837829098879580829898980458718341881900446701910685043213698485036350888862454440118347362218485065377354137391792039111639199258042591959084091242821874819864955504791788260187064338245516327147327866373690756260239728218244294166383516151782123688633986853602732137707507845681977204
NN = 149794788177729409820185150543033616327574456754306207341321223589733698623477041345453230785413920341465642754285280273761269552897080096162195035057667200692677841848045965505750839903359478511509753781737513122660495056746669041957643882516287304836822410136985711091802722010788615177574143908444311475347

mask = 0x3ffffffffff
e_low = a
#print(e&mask)
print(e_low.bit_length())
X = 996
Y = 151729833458737979764886336489671975339
b = (Y ** 2 - X ** 3 - a * X)%N
e = a + b * 2 ** 42

d1 = 1118051836872760710925790177974923485721434630729839917104622531599012085778805696376125398218434332515040651866857417106717899073423532829576283671587324
print(d1.bit_length())
d2 = 1490307645430319095511255010328115542702206251159139554339698072781493976926650529688007738646519638596915659784020385914262312989530894410148472995625411
print(d2.bit_length())

d = d1 * 2**512 + d2

def getpq(n,e,d):
    while True:
        k = e * d - 1
        g = random.randint(0, n)
        while k%2==0:
            k=k//2
            temp=gmpy2.powmod(g,k,n)-1
            if gmpy2.gcd(temp,n)>1 and temp!=0:
                return gmpy2.gcd(temp,n)

# https://blog.csdn.net/weixin_44110537/article/details/107869682
p = getpq(n,e,d)
q = n//p
print(p)
print(q)

ph = p >> (512-150)
qh = q >> (512-151)
print(long_to_bytes(qh))
print(long_to_bytes(ph))

payorder

哈希长度拓展攻击,最基本的构造,没有魔改。直接扔个官方wp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from pwn import *
from base64 import b64decode, b64encode
import hashpumpy

context.log_level = 'debug'
while True:
    io = remote('47.97.127.1',28959)
    io.sendlineafter('> ', '2')
    io.sendlineafter('Which one? ', '9')
    io.recvuntil('Order: ')
    order = io.recvuntil(b'\n')[:-1]
    order = b64decode(order)
    print('order:',order)
    sp = order.rfind(b'&s=')
    sign = order[sp+3:]
    payment = order[:sp]
    print(sign, payment)

    fhash, content = hashpumpy.hashpump(sign, payment, b'&c=999', 18)
    print(fhash, content)
    payload = content + b'&s=' + fhash.encode()
    print(payload)
    payload = b64encode(payload)
    io.sendlineafter('> ', '3')
    io.sendlineafter('Order: ', payload)
    info = io.recvuntil('\n> ')
    if b'Invalid Order!' in info:
        io.close()
        continue
    else:
        io.interactive()

扫一扫,分享到微信

微信分享二维码
本站总访问量: 总访客次数:

tag:

梦想是成为全栈佬并养一只猫