0xGame2022 WP
0xGame2022 WP
Crytpo
Week 1
simpleBabyEasyRSA
了解RSA基本原理即可解答,直接放代码。
from Crypto.Util.number import *
import hashlib
p = 59
q = 97
e = 37
c = 3738
d = inverse(e,(p-1)*(q-1))
m = pow(c,d,p*q)
# 3015499
str = '3015499'.encode('utf-8')
md = hashlib.md5(str)
print(md.hexdigest())
Vigenère
这里直接使用在线网站(大部分题目直接使用在线网站是比自己写exp方便很多的)
Vigenere Solver - www.guballa.de
即可得到flag
Factor
首先使用在线网站对n进行分解,然后就和普通RSA没有什么区别了。
from Crypto.Util.number import *
# m = bytes_to_long(flag)
n = 177726843226591634556244030635816071333
# assert m < n
e = 0x10001
# c = pow(m, e, n)
#
# print(c)
# 49549088434190402681586345733724247189
c = 49549088434190402681586345733724247189
p = 9735957770491659841
q = n//p
phi = (p-1)*(q-1)
print(long_to_bytes(pow(c,inverse(e,phi),n)))
ext_Affine
本题考查仿射密码解密知识点。
\(alert:gcd(a,n)==1\)
$Encrypt:C\quad=\quad a*M+b \qquad (mod\quad n) $
$Decrypt: M\quad=\quad (C-b)*a^{-1}\quad (mod\quad n) $
思路肯定没有问题,但是结果有点问题不知道问题出在哪里了
补充:
放出hint后发现,在读取文件的时候没有设置rb格式所以读取稍有问题,修改代码后得到正确flag
from Crypto.Util.number import *
# with open('cipher.txt') as f:
# cipher = f.read()
with open('cipher.txt','rb') as f: #改过之后
cipher = f.read()
a = 27
b = 121
a_1 = inverse(a,128)
for i in cipher:
flag = ( ( ( ord(i) - b ) %128 ) * a_1 )%128
print(chr(flag),end='')
# 0xGame{U_kn0w|@^1ot_4bout~Pyth0n}
简单套娃
第一层是核心价值观编码:在线核心价值观编码 - Core values coding - 在线工具网 (wtool.com.cn)
第二层是阴阳怪气编码:阴阳怪气编码 (gitee.io)
第三层是Morse电码:
Week2
=Bézout=
nc上去发现第一部分proof of work是sha256认证,直接暴力破解就好了。
s = 'TbaXAjMB'
sha = '364e9cc68737c086611f90f122ddcb2a17dba5a6ac5f747349d0b59ca6602c52'
table = string.ascii_letters+string.digits
for i in table:
for j in table:
for k in table:
for l in table:
proof = i + j + k + l + s
if sha256(proof.encode()).hexdigest() == sha:
print(i+j+k+l)
break
然后紧接着跳出来第二部分,很明显是解同余方程,直接调用函数ext_gcd
a = 24114//6
b = 30438//6
_,x,y = gmpy2.gcdext(a,b)
print(x,y)
就可以得到flag
0xGame{you_know_how_to_interact_with_pwntools}
、
linearEquation
看到附件就知道是要解方程组,直接使用python的z3库即可。
from z3 import *
import hashlib
# for i in range(32):
# print('x%d = Int(\'x%d\')' % (i,i))
# with open('output.txt') as f:
# equaitons = f.readlines()
#
# for i in range(32):
# print('s.add(%s)'%equaitons[i])
s = Solver()
'''
中间部分省略,由上面注释部分生成
'''
# if s.check() == sat:
# print(s.model())
x_list = [4130286729,1842407621,1908777079,89155365,763601920,1709775682,2502694787,974751512,12709818,3977926013,2467028824,3795653268,4089088412,4041026542,2361686047,2258589262,483149607,4217977576,783620457,2984323532,3241492534,2553491708,1970630923,1653708118,75034618,2433063826,3519663525,417461604,1690492554,42128790,1806361262,3782713824]
# print(sum(x_list))
sum = 68580473339
md = hashlib.md5('68580473339'.encode('utf-8'))
print('0xGame{'+md.hexdigest()+'}')
# 0xGame{d23caedc66301966094bf8968610f61f}
RSA闯关
题目分为4部分,每部分的m都是上一部分的密文,总体上是一个串行的模式,所以总第四部分开始。
part 4
# part4
print('part4:')
m = c
p = getPrime(1024)
q = getPrime(1024)
n = p * q
e1 = 823
e2 = 827
c1 = pow(m, e1, n)
c2 = pow(m, e2, n)
print(f"c1 = {c1}")
print(f"c2 = {c2}")
print(f'n = {n}')
对于相同的m,用不同的e1和e2进行加密,这里是RSA常见的共模攻击(Same mod Attack)。原理如下
\(gcd(e_1,e_2)=1\)
\(\exists \ \ e_1x \ + \ e_2y \ = \ 1\)
则可以构造
\(m^{e_1*x}*m^{e_2*y}\equiv \ m^{1} \ \equiv m \ (mod \ n)\)
part 3
# part3
print('part3:')
m = c
p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 0x10001
c = pow(m, e, n)
print(f'n1 = {n}')
m_hint = bytes_to_long(hint)
p = getPrime(1024)
n = p * q
e = 0x10001
c_hint = pow(m_hint, e, n)
print(f'n2 = {n}')
print(f"c_hint = {c_hint}")
可以看到中间两个n使用了相同的q,所以直接求gcd得到q,进而p也是可解的。剩下的使用RSA基本思路即可。
part 2
# part2
print('part2:')
m = c
while True:
p = getPrime(256)
q = 2 * p - 1
if isPrime(q):
break
r = getPrime(256)
n = (p ** 2) * (q ** 3) * r
q = 2 * p - 1
r = n // p // p // q // q // q
phi = p * (p - 1) * (q ** 2) * (q - 1) * (r - 1)
e = 0x10001
c = pow(m, e, n)
e = 0x10001
d = inverse(e, phi)
print(f'p = {p}')
print(f'n = {n}')
呃呃,更没啥好说的了,p、q都知道,r也可以很容易求出。
part 1
# part1
print('part1:')
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 5
c = pow(m, e, n)
print(f'n = {n}')
这部分就是低指数了,不过直接使用iroot开5次方无法得到正确答案。所以我采用了暴力破解的方式求出了最重的m
for i in range(100):
m = iroot(c+i*n,5)
if m[1]:
print(i)
print(long_to_bytes(m[0]))
break
Complete code
from Crypto.Util.number import *
from gmpy2 import *
from Algorithm.Same_mod_attack import *
# part4
c1 = 9078361566243923931453433235655548442655855925297849762834170634279782440176386162361175845447411925452440536363885489221360776073555926463975255326905638922390565414284680629357799512527773691276009031423377599372917213698291316223269863185821983356471150336545331992444135470581201015592546934895803603233714496806375582266021488376740973566067971171377376696739676668351989078245768566579430312381789763928896787230892629854943142188671250203690237420561985562568939519395990646242000804771019311031994084798126248041633375710435071152701495690196067180826646094418362227966248990190779434700525127330999576205403
c2 = 12177776162003265214893575222194987257070438203909939490896524118455743796605830818003435519762848552272241059418403518390909966083445568223047769437125388741650260643855866243844976422365885347004481452172768271389384606695863524445386834984939563686335088776216144173923094121825197018225369010379704707231069719085315847868962939479004164733530937883272062497573804335640040429427002585027258509179962910923328842082991111693056946212131251751202352180633674002081181776189622240094621381950470130292188270896292285264623566756488080661579679026084947009907677214940302660119264003701359714404829438298116109098858
n = 14030240067066681750909588505308848034761783265133340312144652793728120334984848299676691973630997860228334585084780567142583267241508872459495746147465287012511207543757701482011894061407632686585952604039659614267570771869230862091904009290811411173144016039144680108997615936869263338253711107240318817354345905789041695601640084081957736966556648022765868913061143917752122990399785349647514452618248194426911284810212654925532788132854712772334295140032083665199391450057318155421959795859937645872080008934829472830347990643737088885491045934515364200316439381396296113975664305689878031662485528015544354270191
e1 = 823
e2 = 827
m = same_mod_attack(e1,e2,c1,c2,n)
# part3
c = m
n1 = 15366889088720206462365176683482533771475038765899922246304161568426870328374352417380396654231031838308606185501644949132930223566330052875527300069440013396537288642394243440572453780188595977438549563350553795220825285867086201710340271331833567314282717818053503639202601281184963886414311276063351370392514246631613915966530559511182811214902930142301497062642020127200767773575622874178491764524627735580808973946630814640241598316693375333001863979963200190532552021172069905740730777328461596141791691176984619646698097163144730290275304802207549132742312305772773347199117833216411732334271813533947587335221
n2 = 20183388181244396840270604971327234348871288822322010757845683437514931959842693524118522620332345907816190233979463740070942867621461314257682562161455669676863270809215109867553547955455891544244660598280541169460595995979836132666968548336872337169229971614320624540103986072146724866807104701652693664361940168493838397000924419632475639380887065784985415455805447197724730216369636562749194600089463165474701372926961338986138771964038560621556333104655430975405632113198088493779517573588399048423998920358946322913978731589449991564968387399262236393754348689348364331583617892656413994899504317963936066746711
c_hint = 12120021785410200674936083975068492622806596845579817711207411931311673622528683733295899555542821765486413339677732337051154734922381291549341456901391897097071173557362462670207940577864049130086490199471016266752247947028119300006197925597902468232113412106835719324155978933609953160168249853647848792919491609758205614794158719549005912914647125869214028842543301994189007931419280489270222524804427348611393246242401221829752270244371023220680417679183759839375701147795748353616923267194525565792165688787118410950596647945293284284065635467684624433860537889580808687549562010274639326086182100555438472928477
q = gcd(n1,n2)
p1 = n1//q
p2 = n2//q
e = 0x10001
phi1 = (q-1)*(p1-1)
phi2 = (q-1)*(p2-1)
d1 = inverse(e,phi1)
d2 = inverse(e,phi2)
m_hint = pow(c_hint,d2,n2)
# print(long_to_bytes(m_hint)) However......There_is_no_hint
m = pow(c,d1,n1)
# part2
c = m
p = 74447194261899797806331260065953660447629801256490828189012933613329970709947
n = 2041966692549961348577589156815535814894383939477573453736803458531176718024423820279431442431002038195467272680340686126482697016165252765359529302961780051654184833220756878301874978169377654737275593641180065950107522278461981853325163973125649755001647509934635714847722574876087513598188126414206128734529793608240092700267723049259261257688980084854149645269724715087902044253045061617087644418347545737251946830621974361352738393315774363456001260686286821
q = 2 * p - 1
r = n // p // p // q // q // q
phi = p * (p - 1) * (q ** 2) * (q - 1) * (r - 1)
e = 0x10001
d = inverse(e, phi)
m = pow(c,d,n)
# part1
c = m
n = 61553578635593130900790335104330199899957479107753805370559935381319176517030435621892644394851110367233510867782247563759513582241371585326815640128560441855543132415804452658372689998329770879189234308679763515840663749100256299294925802306716380006559943335403696300844219318648209424221864526219684170323
e = 5
for i in range(100):
m = iroot(c+i*n,5)
if m[1]:
print(i)
print(long_to_bytes(m[0]))
break
# 0xGame{rsa-----just_so_so}
公平竞争
因为之前做过BUU的题目,所以对公平二字非常敏感,知道是playfair。不过由于一开始附件有问题没能很快做出😥😥😥
知道基本原理很容易求解,不过记得把密文中的x去掉
0xGame{emmmp1ayf4ir}
Web
Week1
Where_U_from
打开之后发现如下提示,直接访问路由
只能本地登录,于是进行X-Forwarded-For伪造。使用Burp抓包,在包内添加X-Forwarded-For:127.0.0.1
进入新的路由,发现提示需要进行登录,发现Response中Cookie值为0,于是继续添加Cookie: login=1,即可成功登录
最后获得提示需要进行POST请求,于是将报头改为POST即可获得flag
0xGame{http_head3r_m2tters}
Myrobots
本题考查robots协议robots协议_百度百科 (baidu.com)
直接访问路由/robots.txt可以得到
即可得到flag
0xgame{We1c0me!_Th1s_is_Your_Fl3g}
Login
先扫一下目录可以看到
直接进入admin.php会报错,所以先进入login.php
不难想到Username即为admin,重要的是密码。一开始考虑的是是否是SQL注入,还在尝试万能密码。忽然看到“五位密码很安全辣”,猜想应该用爆破。不过我是靠自己猜试出密码是01234的
进去之后发现了出题人的舔狗日记,于是F12试试,果然发现注释中有我们想要的flag
进入路由后即可获得flag
0xGame{d0nt_u3e_we2k_pas3wd}
