关于微信公众号

Crypto

小学生的密码学

最基础仿射加密

from Crypto.Util.number import inverse
from base64 import *
flag = ''.join(chr(((ord(i)-ord('a') - 6))*inverse(11,26)%26+ord('a')) for i in 'welcylk')
print('flag{'+b64encode(flag)+'}')

汉字的秘密

当铺密码，然后有点脑洞的移位密码

a=[69,74,62,67,118,83,72,77,86,55,71,57,82,57,64,63,51,107]
flag=''.join(chr(a[i]+(ord('f')-ord('e'))+i) for i in range(len(a)))

babycrypto

已知p高位，coppersmith，现成的exp一把梭

n = 
p = 
p_new = (p>>128)<<128
pbits = 1024
kbits = 128
pbar = p_new & (2^pbits-2^kbits)
PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar
x0 = f.small_roots(X=2^kbits, beta=0.4)[0] # find root < 2^kbits with factor >= n^0.4
p = x0 + pbar

分解了n，之后这一题就结束了

Backdoor

p=k *M + (65537 ** a %M)；ROCA, 是一个CVE，github上也有现成轮子

#p,q=k*M+(65537**a %M)

# Hardcoded parameters for efficiency
# Found using params.py
param = \
{
  512: {
    "n": 39,
    "a_max": 62,
    "k_max": 37,
    "M": 0x924cba6ae99dfa084537facc54948df0c23da044d8cabe0edd75bc6,
    "M_prime": 0x1b3e6c9433a7735fa5fc479ffe4027e13bea,
    "m": 5,
    "t": 6,
    "c_a": 0x80000
  },
  1024: {
    "n": 71,
    "a_max": 134,
    "k_max": 37,
    "M": 0x7923ba25d1263232812ac930e9683ac0b02180c32bae1d77aa950c4a18a4e660db8cc90384a394940593408f192de1a05e1b61673ac499416088382,
    "M_prime": 0x24683144f41188c2b1d6a217f81f12888e4e6513c43f3f60e72af8bd9728807483425d1e,
    "m": 4,
    "t": 5,
    "c_a": 0x40000000
  },
  2048: {
    "n": 126,
    "a_max": 434,
    "k_max": 53,
    "M": 0x7cda79f57f60a9b65478052f383ad7dadb714b4f4ac069997c7ff23d34d075fca08fdf20f95fbc5f0a981d65c3a3ee7ff74d769da52e948d6b0270dd736ef61fa99a54f80fb22091b055885dc22b9f17562778dfb2aeac87f51de339f71731d207c0af3244d35129feba028a48402247f4ba1d2b6d0755baff6,
    "M_prime": 0x16928dc3e47b44daf289a60e80e1fc6bd7648d7ef60d1890f3e0a9455efe0abdb7a748131413cebd2e36a76a355c1b664be462e115ac330f9c13344f8f3d1034a02c23396e6,
    "m": 7,
    "t": 8,
    "c_a": 0x400000000
  }
}

# https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/coppersmith.sage
def coppersmith_howgrave_univariate(pol, N, beta, mm, tt, XX):
    """
    Coppersmith revisited by Howgrave-Graham

    finds a solution if:
    * b|N, b >= N^beta , 0 < beta <= 1
    * |x| < XX
    """
    #
    # init
    #
    dd = pol.degree()
    nn = dd * mm + tt

    #
    # checks
    #
    if not 0 < beta <= 1 :
        raise ValueError("beta should belongs in (0, 1]")

    if not pol.is_monic():
        raise ArithmeticError("Polynomial must be monic.")


    #
    # Coppersmith revisited algo for univariate
    #

    # change ring of pol and x
    polZ = pol.change_ring(ZZ)
    x = polZ.parent().gen()

    # compute polynomials
    gg = []
    for ii in range(mm):
        for jj in range(dd):
            gg.append((x * XX)**jj * N**(mm - ii) * polZ(x * XX)**ii)
    for ii in range(tt):
        gg.append((x * XX)**ii * polZ(x * XX)**mm)

    # construct lattice B
    BB = Matrix(ZZ, nn)

    for ii in range(nn):
        for jj in range(ii+1):
            BB[ii, jj] = gg[ii][jj]

    # LLL
    BB = BB.LLL(early_red=True, use_siegel=True)

    # transform shortest vector in polynomial
    new_pol = 0
    for ii in range(nn):
        new_pol += x**ii * BB[0, ii] / XX**ii

    # factor polynomial
    potential_roots = new_pol.roots()

    return [i[0] for i in potential_roots]

# Top level of the attack, feeds the queue for the workers
def roca(N):

  # Key is not always of perfect size, infer from size
  keylength = int(log(N, 2))
  if keylength < 1000 :
    keylength = 512
  elif  keylength < 2000 :
    keylength = 1024
  elif keylength < 4000 :
    keylength = 2048
  else:
    keylength = 4096

  # bruteforce
  M_prime = param[keylength]['M_prime']
  c_prime = discrete_log(N, Mod(65537, M_prime))
  ord_prime = Zmod(M_prime)(65537).multiplicative_order()
  top = (c_prime + ord_prime)/2
  beta = 0.5
  mm = param[keylength]['m']
  tt = param[keylength]['t']

  XX = int((2*pow(N, beta)) / M_prime)

  # Bruteforce until p, q are found
  a_prime = floor(c_prime/2)
  while a_prime < top:

      # Construct polynomial
      m_inv = int(inverse_mod(M_prime, N))
      k_tmp = int(pow(65537, a_prime, M_prime))
      known_part_pol = int(k_tmp * m_inv)
      F = PolynomialRing(Zmod(N), implementation='NTL', names=('x',))
      (x,) = F._first_ngens(1)
      pol = x + known_part_pol

      # Get roots of polynomial using coppersmith
      roots = coppersmith_howgrave_univariate(pol, N, beta, mm, tt, XX)

      # Check if roots are p, q
      for root in roots:
        factor1 = k_tmp + abs(root) * M_prime
        if mod(N, factor1) == 0:
          factor2 = N // factor1
          return int(factor1), int(factor2)
      a_prime += 1


# Roca
p = 135879036921529661794648581653002330298301044224526679653380767028908108252308273197382392628515754461497140112085352276569074111872088188367336757057332590938346879044292991775026289443754785127606230777989486075849384095736865778026395017314284500188674246388734465652666728075877428904646726042443084490733
q = 136030166899916836494910593158841550636266310029556929683174827580476574762487106877006810987126725903225945843864212303796002840361299997548544768590518964089753416844749381816714973552330950849352052797513575852750175731227705787558580111648617297716840633123746097117675990517245812564173658065172087693179
#N = p*q
N=15518961041625074876182404585394098781487141059285455927024321276783831122168745076359780343078011216480587575072479784829258678691739
print ("[+] Factoring %i" % N)

factor1, factor2 = roca(N)

print ("[+] Found factors of N:")
print ("[+] p =" , factor1)
print ("[+] q =" , factor2)

分解n了，这一题结束了。

Misc

签到

进bilibili直播间复制

Pokémon

走到103，flag画在地板上了

问卷调查

pass

code obfuscation

首先用ps调好

然后因为这些空隙，直接扫可能是扫不出来的，这边推荐用支付宝扫码，然后扫的时候抖动你的手机，让画面模糊，把空隙给抖没了就能扫出来base(gkctf)

然后这张图下面有一个rar，经过测试密码是base58(gkctf)，解密后是给了一串js代码，网站js解密后地得到

for n in a b c d e f g h i j k l m n o p q r s t u v w x y z do eval An = "n"
    done
for n in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z do eval An = "n"
    done
    num = 0
for n in a b c d e f g h i j do eval Bn = "n"
    num =
    $((num + 1)) done alert("Bk=' ';Bm='"';Bn='#';Bs=' (';Bt=')';By='.';Cb=';';Cc=' < ';Ce=' > ';Cl='_';Cn='{';Cp='}';Da='0 ';Db='1 ';Dc='2 ';Dd='3 ';De='4 ';Df=5 ';Dg='6 ';Dh='7 ';Di='8 ';Dj='9 ';")

字符替换，结合

得到

#include <stdio.h>
int main(){
	print("w3lc0me_4o_9kct5");
	retrun 0;
}

Harley Quinn

首先用AU把音频切掉，得到最后的电话音，然后用dtmf2num得到那一串数字

然后9键键盘加密得到ctfisfun，再用hint给的工具解密哈丽奎因那张图，得到flag.txt

Reverse

Check_1n

ida打开，搜索解密失败找到密码HelloWorld，然后开机，flag里头说让玩大砖块（真难），不过死了直接给flag，（还好）

Web

CheckIN

直接传一句话(base64encode)，蚁剑连上，然后功能被禁用完了，

putenv还在，

直接LD_PRELOAD绕disablie_fuc

system没法输出flag，改一改hack.c，直接重定向到文件里就好了。

最后再在一句话那里include一下我们的hack.php就好

cve版签到

安恒月赛也有，get_header 的trick，直接日内网，url=http://127.0.0.1%00.ctfhub.com

tips说host以123结尾

payload:url=http://127.0.0.123%00.ctfhub.com

---

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。可联系QQ 643713081，也可以邮件至 643713081@qq.com