2022 catf1agctf Partial WriteUp

Crypto

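How Come There Is One Extra?

An online factoring site splits n into three primes; after that the solution is the same as for an ordinary RSA challenge.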

import gmpy2
from Crypto.Util import number
n=73551482761993440116378276402850976017673970117685879384712768054097267028974244867004238587658366463106703581107613883463180833706377915593443986550610497954246664378469651
e = 65537
p = 2492374307
q = 4254843227
t = 6935768738605665705725288400892432256194550668863095515013942769049162888322407038880737120756913240675144540329112141837524407303580284917764285456453059
# n = p*q*t with three distinct primes, so phi(n) = (p-1)*(q-1)*(t-1)
d = gmpy2.invert(e,(p-1)*(q-1)*(t-1))
c = 19088340804936031145050310701046663800140062626102387290922890724239533128878474005542684734507475562997222905703018409354867816494925059525377106444000231776165581716296665

m = pow(c,d,n)
print(number.long_to_bytes(m))
# catf1ag{5a1dbe0e-c6bc-11ec-9ffe-e8d8d18b16eb}
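
The same step generalized, as an added example that is not part of the original writeup: computing phi(n) from any full factor list, including a repeated prime, where the plain product of (p-1) terms would be wrong. The toy primes and the message are constructed for illustration, and `phi_from_factors`, `decrypt` and `demo` are hypothetical names.

```python
# Added example: RSA decryption when n has more than two prime factors.
from collections import Counter
from math import prod


def phi_from_factors(n, factors):
    """Euler's totient of n from its full prime factorization (repeats allowed)."""
    if prod(factors) != n:
        raise ValueError("factor list does not multiply back to n")
    phi = 1
    for p, k in Counter(factors).items():
        # A prime power p^k contributes p^(k-1) * (p-1), not (p-1)^k.
        phi *= p ** (k - 1) * (p - 1)
    return phi


def decrypt(c, e, n, factors):
    """Recover m from c = m^e mod n given the prime factors of n."""
    phi = phi_from_factors(n, factors)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return pow(c, d, n)


def demo():
    e = 65537
    m = int.from_bytes(b"hi", "big")  # constructed message
    results = []
    # Constructed toy moduli: three distinct primes, then a repeated prime.
    for factors in ([1009, 1013, 1019], [1009, 1009, 1013]):
        n = prod(factors)
        c = pow(m, e, n)
        results.append(decrypt(c, e, n, factors))
    return m, results


if __name__ == "__main__":
    m, results = demo()
    print(m, results)
```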

High, Really High

When I saw the challenge I noticed that e was very small, so I just applied the usual low-encryption-exponent attack.

from gmpy2 import iroot
from Crypto.Util import number
n=12665183429254325580945372911206360706257079006954643947743121664454914089524916634832685040737214233687785325112424576039016165508146660290974828802710996880849185068704144690143915135774197938764858051298755021664568772363301699454954045374224914126975984844824184263131757665633324767483926757913457691303836308728657455890530401047029807132954324528617558308552469993676230342998368641468028935159530808062712526662606628371783359397956992056631816818089093174030024770769185589578769480295675152580623898653766068001693142399972844934629828827684074705324777912603273764730083438485014417283937379823019721736119
e=3
c=757846665709612710047622798901607696475966191486157677993807167873384365513676489731461790205050172225086169489914035089956311182880536480621453222154862896612205436092262339764782754486059223792491004753337631375452744373859969281558865685434771438386779285599911963081936786091339632323042550461240292308997539607661877861
high_m=911717829801678618100911351591485103708233783320853921932061644898078088242070960582223500287266227352502272
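k = 0
# Try c + k*n for k = 0, 1, 2, ... until it is a perfect e-th power
while True:
    res = iroot(c + k*n, e)  # returns (integer root, is_exact)
    if res[1]:
        print(number.long_to_bytes(res[0]))
        break
    k = k + 1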
# catf1ag{852a6546-9d42-4b42-bcd6-73c7f4327627}

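After the contest I read master z1r0's writeup and only then realized that this is the "known plaintext m" type of RSA challenge. Looks like I still need to grind through more RSA problems (orz).

It can be solved in an online Sage environment.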

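import binascii

def hexStr_to_str(hex_str):
    # Decode a hex string into the UTF-8 text it encodes
    raw = hex_str.encode('utf-8')
    str_bin = binascii.unhexlify(raw)
    return str_bin.decode('utf-8')

def phase2(high_m, n, c):
    # Sage syntax: m = high_m + x, where x is the small unknown part of m
    R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
    m = high_m + x
    # x is a small root of m^3 - c modulo n (e = 3)
    M = m((m^3 - c).small_roots()[0])
    print(hexStr_to_str(hex(int(M))[2:]))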

n=12665183429254325580945372911206360706257079006954643947743121664454914089524916634832685040737214233687785325112424576039016165508146660290974828802710996880849185068704144690143915135774197938764858051298755021664568772363301699454954045374224914126975984844824184263131757665633324767483926757913457691303836308728657455890530401047029807132954324528617558308552469993676230342998368641468028935159530808062712526662606628371783359397956992056631816818089093174030024770769185589578769480295675152580623898653766068001693142399972844934629828827684074705324777912603273764730083438485014417283937379823019721736119
e=3
c=757846665709612710047622798901607696475966191486157677993807167873384365513676489731461790205050172225086169489914035089956311182880536480621453222154862896612205436092262339764782754486059223792491004753337631375452744373859969281558865685434771438386779285599911963081936786091339632323042550461240292308997539607661877861
high_m=911717829801678618100911351591485103708233783320853921932061644898078088242070960582223500287266227352502272

phase2(high_m, n, c)
# catf1ag{852a6546-9d42-4b42-bcd6-73c7f4327627}

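I installed a Sage environment locally: after downloading it from GitHub, just double-click the installer. The Chinese Sage documentation is worth reading.

Using Sage

Either load() or attach() works; attach() reloads the Sage file whenever it is modified, so it is the recommended one.

Shuan Q (栓Q)

From this blog post we learn that the content part of a short message (SMS) is Unicode-encoded.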

string = [0x771F ,0x7684 ,0x662F ,0x6813 ,0x0051 ,0x7ED9 ,0x4F60 ,0x0066 ,0x006C ,0x0061,0x0067,0xFF1A,0x0063,0x0061,0x0074,0x0066,0x0031,0x0061,0x0067,0x007B,\
0x0066,0x0034,0x0065,0x0066,0x0037,0x0064,0x0064,0x0036,0x002D,0x0063,0x0064,0x0061,0x0031,0x002D,0x0031,0x0031]
for i in string:
    print(chr(i), end="")
# 真的是栓Q给你flag:catf1ag{f4ef7dd6-cda1-11

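But this only reveals half of the flag.

It turns out the rest is hidden with zero-width character steganography... here is a summary article written by an expert.

Online tool: http://330k.github.io/misc_tools/unicode_steganography.html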

# catf1ag{f4ef7dd6-cda1-11ec-860b-2cf05d95545}

I guess I just haven't seen enough yet (orz)