强网杯2018 - nextrsa - Writeup

强网杯2018 - nextrsa - Writeup

原文地址:M4x@10.0.0.55

所有代码均已上传至我的github

俄罗斯套娃一样的rsa题目,基本把我见过的rsa套路出了一遍,值得记录一下

level 0

QWB_nextrsa [master●] python exp.py
[+] Opening connection to 39.107.33.90 on port 9999: Done
[*] Switching to interactive mode
ok!
Firstly, please give me the proof of your work!
x=chr(random.randint(0,0xff))+chr(random.randint(0,0xff))+chr(random.randint(0,0x1f))
hashlib.sha256(x).hexdigest()[0:8]=='372c8af8'
@ x.encode('hex')=[*] Got EOF while reading in interactive
$  

发送teamtoken后,到第0关,较简单,爆破sha256即可,此时代码如下:

QWB_nextrsa [master●] cat exp.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *
from hashlib import sha256
#  context.log_level = "debug"

def brute(cipher):
    #  success("cipher -> {}".format(cipher))
    #  print type(cipher) 
    for a in xrange(0, 0xff):
        for b in xrange(0, 0xff):
            for c in xrange(0, 0xff):
                x = chr(a) + chr(b) + chr(c)
                if sha256(x).hexdigest()[0: 8] == cipher:
                    #  success("x -> {}".format(x))
                    return x
    print "not found"

if __name__ == "__main__":
    io = remote("39.107.33.90", 9999)
    
    token = "icq9bae582b7f5d9ab6caed7d40150be"
    io.sendlineafter(":", token)

    io.recvuntil("=='")
    cipher = io.recvuntil("'", drop = True)
    x = brute(cipher)
    io.sendlineafter(")=", x.encode('hex'))
    success("Level 1 Clear!")

    io.interactive()
    io.close()

碰撞失败的话多次尝试即可

level 1

为了方便后续处理,先写一个解rsa的函数,可以参考python使用libnum,gmpy2快速解RSA

def rsa(n, p, q, e, c):
    assert n == p * q

    d = invert(e, (p - 1) * (q - 1))
    m = pow(c, d, n)

    return m

下一关,给了n,e,c,并且经过尝试,n,c是不变的,只有c在改变

QWB_nextrsa [master●] python exp.py
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[*] Switching to interactive mode
ok!


input format:almost hex(m).replace("L","")

=next-rsa=
# n=0xc4606b153b9d06d934c9ff86a3be5610266387d82d11f3b4e354b1d95fc7e577
# e=0x10001
# c=0xa87fc50517b50db03a038c93c2a2c2c36de67660920da8720b787fedc3e19dd9
@ m=[*] Got EOF while reading in interactive
$ 

尝试在在线网站分解n,发现能直接分解

p = 289540461376837531747468286266019261659

q = 306774653454153140532319815768090345109

那么直接解开就可以了,此时代码如下:

QWB_nextrsa [master●] cat exp.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *
from hashlib import sha256
from gmpy2 import invert
#  context.log_level = "debug"

def brute(cipher):
    #  success("cipher -> {}".format(cipher))
    #  print type(cipher) 
    for a in xrange(0, 0xff):
        for b in xrange(0, 0xff):
            for c in xrange(0, 0xff):
                x = chr(a) + chr(b) + chr(c)
                if sha256(x).hexdigest()[0: 8] == cipher:
                    #  success("x -> {}".format(x))
                    return x
    print "not found"

def rsa(n, p, q, e, c):
    assert n == p * q

    d = invert(e, (p - 1) * (q - 1))
    m = pow(c, d, n)

    return m

fmt = lambda m: hex(m).replace("L", "")

if __name__ == "__main__":
    io = remote("39.107.33.90", 9999)
    
    token = "icq9bae582b7f5d9ab6caed7d40150be"
    io.sendlineafter(":", token)

    io.recvuntil("=='")
    cipher = io.recvuntil("'", drop = True)
    x = brute(cipher)
    io.sendlineafter(")=", x.encode('hex'))
    success("Level 1 Clear!")

    io.recvuntil("# n=")
    n = int(io.recvuntil("\n", drop = True), 16)
    io.recvuntil("# e=")
    e = int(io.recvuntil("\n", drop = True), 16)
    io.recvuntil("# c=")
    c = int(io.recvuntil("\n", drop = True), 16)
    p =  289540461376837531747468286266019261659
    q = 306774653454153140532319815768090345109
    m = fmt(rsa(n, p, q, e, c))    
    io.sendlineafter("m=", m)
    success("Level 2 Clear!")

    io.interactive()
    io.close()

level 2

QWB_nextrsa [master●] python exp.py 
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n=0x92411fa0c93c1b27f89e436d8c4698bcf554938396803a5b62bd10c9bfcbf85a483bd87bb2d6a8dc00c32d8a7caf30d8899d90cb8f5838cae95f7ff5358847db1244006c140edfcc36adbdcaa16cd27432b4d50d2348b5c15c209364d7914ef50425e4c3da07612cc34e9b93b98d394b43f3eb0a5a806c70f06697b6189606eb9707104a7b6ff059011bac957e2aae9ec406a4ff8f8062400d2312a207a9e018f4b4e961c943dfc410a26828d2e88b24e4100162228a5bbf0824cf2f1c8e7b915efa385efeb505a9746e5d19967766618007ddf0d99525e9a41997217484d64c6a879d762098b9807bee46a219be76941b9ff31465463981e230eecec69691d1
# e=0x6f6b385dd0f06043c20a7d8e5920802265e1baab9d692e7c20b69391cc5635dbcaae59726ec5882f168b3a292bd52c976533d3ad498b7f561c3dc01a76597e47cfe60614f247551b3dbe200e2196eaa001a1d183886eeacddfe82d80b38aea24de1a337177683ed802942827ce4d28e20efef92f38f1b1a18c66f9b45f5148cceabfd736de8ac4a49e63a8d35a83b664f9f3b00f822b6f11ff13257ee6e0c00ca5c98e661ea594a9e66f2bd56b33d9a13f5c997e67a37fcf9a0c7f04d119fe1ba261127357e64a4b069aefed3049c1c1fe4f964fd078b88bedd064abea385cfebd65e563f93c12d34eb6426e8aa321033cfd8fe8855b9e74d07fe4f9d70de46f
# c=0x2add7528efe278a70a43f97fc5af83bbaab1238364735d998de005d7feb1a8ab931c7410f0f785db455857b8154a68de318bfffd2099c5b06d6a5e859b3812752e0c28dd626dfa1c26e1dbf8bc43686de75863da5f9df96331d81302cb6269e9d71661b03910726db6add3b8b2f7629cc981800f88376ae5541b0e6b072a72bd22505cde978b5a8433c7279407083d585cc6e0d74bff7e1a62b1e895fccc0144145528f3c32433a1a66cb85fb16749ac1e9ff176bedf8fbf2157a616bcd8e457e7ac571df1c8e07b31c8eaa47f01dee15367389ea0d0e40fc58f2a2658d220922b046eb1fb78e99ccb4c166c9cf5750a91b17b21ef8d80a131466ed98e5c4d4a
@ m=$  

给了n,e,c,求出m,发现e很大,直接尝试wiener attack

QWB_nextrsa [master●] python rsa-wiener-attack/RSAwienerHacker.py 0x92411fa0c93c1b27f89e436d8c4698bcf554938396803a5b62bd10c9bfcbf85a483bd87bb2d6a8dc00c32d8a7caf30d8899d90cb8f5838cae95f7ff5358847db1244006c140edfcc36adbdcaa16cd27432b4d50d2348b5c15c209364d7914ef50425e4c3da07612cc34e9b93b98d394b43f3eb0a5a806c70f06697b6189606eb9707104a7b6ff059011bac957e2aae9ec406a4ff8f8062400d2312a207a9e018f4b4e961c943dfc410a26828d2e88b24e4100162228a5bbf0824cf2f1c8e7b915efa385efeb505a9746e5d19967766618007ddf0d99525e9a41997217484d64c6a879d762098b9807bee46a219be76941b9ff31465463981e230eecec69691d1 0x6f6b385dd0f06043c20a7d8e5920802265e1baab9d692e7c20b69391cc5635dbcaae59726ec5882f168b3a292bd52c976533d3ad498b7f561c3dc01a76597e47cfe60614f247551b3dbe200e2196eaa001a1d183886eeacddfe82d80b38aea24de1a337177683ed802942827ce4d28e20efef92f38f1b1a18c66f9b45f5148cceabfd736de8ac4a49e63a8d35a83b664f9f3b00f822b6f11ff13257ee6e0c00ca5c98e661ea594a9e66f2bd56b33d9a13f5c997e67a37fcf9a0c7f04d119fe1ba261127357e64a4b069aefed3049c1c1fe4f964fd078b88bedd064abea385cfebd65e563f93c12d34eb6426e8aa321033cfd8fe8855b9e74d07fe4f9d70de46f
--------------------------
Hacked!
42043
QWB_nextrsa [master●] 

求出了d,就可以解出明文了,代码太长就不贴了,所有代码都放在了我的github中了

level 3

QWB_nextrsa [master●] python exp.py 
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n=0x79982a272b9f50b2c2bc8b862ccc617bb39720a6dc1a22dc909bbfd1243cc0a03dd406ec0b1a78fa75ce5234e8c57e0aab492050906364353b06ccd45f90b7818b04be4734eeb8e859ef92a306be105d32108a3165f96664ac1e00bba770f04627da05c3d7513f5882b2807746090cebbf74cd50c0128559a2cc9fa7d88f7b2d
# e=0x3
# c=0x381db081852c92d268b49a1b9486d724e4ecf49fc97dc5f20d1fad902b5cdfb49c8cc1e968e36f65ae9af7e8186f15ccdca798786669a3d2c9fe8767a7ae938a4f9115ae8fed4928d95ad550fddd3a9c1497785c9e2279edf43f04601980aa28b3b52afb55e2b34e5b175af25d5b3bd71db88b3b31e48a177a469116d957592c
# b=0xfedcba98765432100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
# m=b+x (x:64bit)
@ x=[*] Got EOF while reading in interactive
$ 

已知n,c,e和明文的高位,本来看到e=3是想用低加密指数爆破的,尝试了一下没有出结果才注意到实际上我们已经有了明文的高位,这时才想起来在Coppersmith中有相关的介绍,同时也找到了一篇相关的博客,使用sage可以跑出结果,sage代码如下:

QWB_nextrsa [master●] cat copper.sage 
# partial_m.sage

n = 0x79982a272b9f50b2c2bc8b862ccc617bb39720a6dc1a22dc909bbfd1243cc0a03dd406ec0b1a78fa75ce5234e8c57e0aab492050906364353b06ccd45f90b7818b04be4734eeb8e859ef92a306be105d32108a3165f96664ac1e00bba770f04627da05c3d7513f5882b2807746090cebbf74cd50c0128559a2cc9fa7d88f7b2d
e = 3

m = randrange(n)
c = pow(m, e, n)

beta = 1
epsilon = beta^2/7

nbits = n.nbits()
kbits = floor(nbits*(beta^2/e-epsilon))
#mbar = m & (2^nbits-2^kbits)
mbar = 0xfedcba98765432100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
c = 0x381db081852c92d268b49a1b9486d724e4ecf49fc97dc5f20d1fad902b5cdfb49c8cc1e968e36f65ae9af7e8186f15ccdca798786669a3d2c9fe8767a7ae938a4f9115ae8fed4928d95ad550fddd3a9c1497785c9e2279edf43f04601980aa28b3b52afb55e2b34e5b175af25d5b3bd71db88b3b31e48a177a469116d957592c
print "upper %d bits (of %d bits) is given" % (nbits-kbits, nbits)

PR.<x> = PolynomialRing(Zmod(n))
f = (mbar + x)^e - c

print m
x0 = f.small_roots(X=2^kbits, beta=1)[0]  # find root < 2^kbits with factor = n
print mbar + x0
print x0

使用sagemath运行即可得到缺失的明文

可以使用在线运行sage的网站

level 4

QWB_nextrsa [master●] python exp.py
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n=0x78e2e04bdc50ea0b297fe9228f825543f2ee0ed4c0ad94b6198b672c3b005408fd8330c36f55d36fb129d308c23e5cb8f4d61aa7b058c23607cef83d63c4ed0f066fc0b3c0062a2ac68c75ca8035b3bd7a320bdf29cfcf6cc30377743d2a8cc29f7c588b8043412366ab69ec824309cb1ef3851d4fb14a1f0a58e4a1193f5518fa1d0c159621e1f832b474182593db2352ef05101bf367865ad26efe14fce977e9e48d3310a18b67991958d1a01bd0f3276a669866f4deaef2a68bfaefd35fe2ba5023a22c32ae8b2979c26923ee3f855363f18d8d58bb1bc3b7f585c9d9f6618c727f0f7b9e6f32af2864a77402803011874ed2c65545ced72b183f5c55d4d1
# e=0x10001
# nextprime(p)*nextprime(q)=0x78e2e04bdc50ea0b297fe9228f825543f2ee0ed4c0ad94b6198b672c3b005408fd8330c36f55d36fb129d308c23e5cb8f4d61aa7b058c23607cef83d63c4ed0f066fc0b3c0062a2ac68c75ca8035b3bd7a320bdf29cfcf6cc30377743d2a8cc29f7c588b8043412366ab69ec824309cb1ef3851d4fb14a1f0a58e4a1193f5a58ee70a59ac06b64dbe04b876ff69436b78cf03371f2062707897bf4e580870e42b5e62709b69f6d4939ac5641ea0f29de44aaee8f2fcd0f66aaa720b584f7c801e52ce7cd41db45ceb99ebd7b51bef8d0cd2deb5c50b59f168276c9c98d46a1c37bd3d6ef81f2c6e89028680a172e00d92dd8b392135112dd16efab57d00b26b9
# c=0x1c3588ac81ec3d1b439cfd2d5e6e8a5a95c8f95aaeff1b0ba49276ade80435323f307a17006ae2ffb4ca321e54387d9b33ed7ccda3117f7bc8d247ffd2ccdd67b7e2aad3d908d0a5187a73d13d532c1cf41758e2743bd4359bf72a99bbf0d716bb171cf636bd56acee9551cbb8af25f32583facbd25aed232659d24580c5a30a080e2860790a65422f7c442559c3042d37fdd7e8c1dd604252a2cbff8c74e5a0b6a0dfb9dcfed9eed515705ab9214dcf2dabce7b354040940613d065918079b3197da948b6d1d7daccc417069f7102fd2525e879fe69b6d5fb39e1dd6c0a9a9087dcc809294d7774efb42829f6124dff4af44f308977d1f91422c63073176026
@ m=$  

这一步的解决方式第一次遇到,比赛结束后也听许多表哥说了他们的方法,一个比一个精彩,这里介绍一下广外表哥和kira大佬的两种方法

  • pq = n
  • (p + x)(q + y) = n'

-> xy + py + qx = t(t = n' - n)

-> xq2 + (xy - t)q + ny = 0

则该方程有素数接即可,可爆破x,y

实现脚本

QWB_nextrsa [master●] cat next.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'


from gmpy2 import is_prime as prime
from gmpy2 import iroot

n = 15260473398916071686287752340249158279343013077145667794514717692352941873466690686288442204714585854869226872705293008837554012949598044297596015507031315006195230644722581744643756573982729344499452200116366327869178694692162014446578711956663348262932703160394101606708475725742890049311933691849747707673216322758418530420118502556719323543077771821163439824876751874675862075401986796272014746925015772045578403357300038192830197985871077621213669817380577176611560467051848951044963527185916781094981810804641387975398361694935093473717039550361644252381923994841138817152748279477868854093033234031994635408593
nn = 15260473398916071686287752340249158279343013077145667794514717692352941873466690686288442204714585854869226872705293008837554012949598044297596015507031315006195230644722581744643756573982729344499452200116366327869178694692162014446578711956663348262932703160394101606708475725742890049311933691849747707914818082716474881224336472709074679047145667796106895298086129057288449508218237679974321952279429832707229303594474494519945899481320231091983665654947081839784375373657345023890332691371443571370016623789041883821610353473726465037590414008198228956920913181526550775524028059426312173493877228564452496582329

#  print nn > n
t = nn - n
f1 = lambda x, y: pow(x * y - t, 2) - 4 * n * x * y
f2 = lambda x, y, s: (t - x * y - s) / (2 * x)

for x in xrange(1, 3000):
    for y in xrange(1, 3000):
        print x, y
        if f1(x, y) >= 0:
            s, b = iroot(f1(x, y), 2)
            if b:
                if prime(f2(x, y, int(s))):
                    print "Success"
                    print f2(x, y, int(s))
                    exit()

一分钟左右即可爆破出q

另一种方法:

虽然比较麻烦,但分解那一步秒出

level 5

QWB_nextrsa [master●] python exp.py 
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[+] Level 5 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n=0x1daf9fab45ff83e751bf7dd1b625879b3a8c89d4a086e0806b31e2a2cc1c4c1bc8694db643acc4911f3d143c1951f006df9e0a7282b65839d84b36102b8f2307c4eaa561e65435350d9cb2b978ace582535ae00d948546520252d0f59d82dcfa59bac33812da5b12c18de35bfbabfa481aa9d59a7ba00bc74cc1b55077c1ff72aff50493
# e=0x10001
# c=0xdcb90409d48b54a73e408d16f5df6d4cc49183cd47eb8ccbc27837fecdf902233979895e8d789a30ca13ff0d9f452321c62864ea153aa7f9d4ed6af885a580d740a906230da76e1f8905e17ecad03f31ce2aaf1ad4f3a4416c80e4d1d220b85d90a533acb57f958c4bc87e21be0f3e3293cdd2698fa5cfeb6cceca7e26aba90bf7e4c62
@ m=$  

下意识的就上yafu了(p,q相差过大或过小),秒解

QWB_nextrsa [master●] yafu "factor(@)" -batchfile ./n_yafu


=== Starting work on batchfile expression ===
factor(89533915895730376845429388317318135465963715353319668296037460436832261571698764116420554922112987252021884948875657862384344377649170583262156985771188545996699834706518979095963558441172283692904190696321256561220096609285943746235694660754929195042921609910688164136057366713317326844870724924355344603175946880147)
=============================================
fac: factoring 89533915895730376845429388317318135465963715353319668296037460436832261571698764116420554922112987252021884948875657862384344377649170583262156985771188545996699834706518979095963558441172283692904190696321256561220096609285943746235694660754929195042921609910688164136057366713317326844870724924355344603175946880147
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C317 
rho: x^2 + 2, starting 1000 iterations on C317 
rho: x^2 + 1, starting 1000 iterations on C317 
pm1: starting B1 = 150K, B2 = gmp-ecm default on C317
Total factoring time = 6.6791 seconds


***factors found***

P9 = 743675299
P309 = 120393827811847730665892922601047874074897457839754965824187553709286586875999984122668238470178081377988439748992735957987417809407665405412580451688753139556272709693049760814986485709769800614157806922562929660004878835280427602632657375319022388348710785821982994403660254841027504457789884082670526620753

ans = 1

eof; done processing batchfile

level 6

QWB_nextrsa [master●] python exp.py 
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[+] Level 5 Clear!
[+] Level 6 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n=0x7003581fa1b15b80dbe8da5dec35972e7fa42cd1b7ae50a8fc20719ee641d6080980125d18039e95e435d2a60a4d5b0aaa42d5c13b0265da4930a874ddadcd9ab0b02efcb4463a33361a84df0c02dfbd05c0fdc01e52821c683bd265e556412a3f55e49517778079cb1c1c1c22ef8a6e0bccd5e78888ff46167a471f6bff25664a34311c5cb8d6c1b1e7ac2ab0e6676d594734e8f7013b33806868c151316d0cf762a50066c596244fd70b4cb021369aae432e174da502a806e7a8ab13dad1f1b83ac73c0e9e39648630923cbd5726225f17cc0d15afadb7d2c2952b6e092ffc53dcff2914bfddedd043bbdf9c6f6b6b5a6269c5bd423294b9deac4f268eaadb
# e=0x3
# c=0xb2ab05c888ab53d16f8f7cd39706a15e51618866d03e603d67a270fa83b16072a35b5206da11423e4cd9975b4c03c9ee0d78a300df1b25f7b69708b19da1a5a570c824b2272b163de25b6c2f358337e44ba73741af708ad0b8d1d7fa41e24344ded8c6139644d84dc810b38450454af3e375f68298029b7ce7859f189cdae6cfaf166e58a22fe5a751414440bc6bce5ba580fd210c4d37b97d8f5052a69d31b275c53b7d61c87d8fc06dc713e1c1ce05d7d0aec710eba2c1de6151c84d7bc3131424344b90e3f8947322ef1a57dd3a459424dd31f65ff96f5b8130dfd33111c59f3fc3a754e6f98a836b4fc6d21aa74e676f556aaa5a703eabe097140ec9d98
@ m=$  

e只有3,这次应该是低加密指数攻击了

QWB_nextrsa [master●] cat smallE.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from gmpy2 import iroot

n=0x7003581fa1b15b80dbe8da5dec35972e7fa42cd1b7ae50a8fc20719ee641d6080980125d18039e95e435d2a60a4d5b0aaa42d5c13b0265da4930a874ddadcd9ab0b02efcb4463a33361a84df0c02dfbd05c0fdc01e52821c683bd265e556412a3f55e49517778079cb1c1c1c22ef8a6e0bccd5e78888ff46167a471f6bff25664a34311c5cb8d6c1b1e7ac2ab0e6676d594734e8f7013b33806868c151316d0cf762a50066c596244fd70b4cb021369aae432e174da502a806e7a8ab13dad1f1b83ac73c0e9e39648630923cbd5726225f17cc0d15afadb7d2c2952b6e092ffc53dcff2914bfddedd043bbdf9c6f6b6b5a6269c5bd423294b9deac4f268eaadb
e=0x3
c=0xb2ab05c888ab53d16f8f7cd39706a15e51618866d03e603d67a270fa83b16072a35b5206da11423e4cd9975b4c03c9ee0d78a300df1b25f7b69708b19da1a5a570c824b2272b163de25b6c2f358337e44ba73741af708ad0b8d1d7fa41e24344ded8c6139644d84dc810b38450454af3e375f68298029b7ce7859f189cdae6cfaf166e58a22fe5a751414440bc6bce5ba580fd210c4d37b97d8f5052a69d31b275c53b7d61c87d8fc06dc713e1c1ce05d7d0aec710eba2c1de6151c84d7bc3131424344b90e3f8947322ef1a57dd3a459424dd31f65ff96f5b8130dfd33111c59f3fc3a754e6f98a836b4fc6d21aa74e676f556aaa5a703eabe097140ec9d98

i = 0
while True:
    if iroot(c + i * n, 3)[1] == True:
        print "Success!"
        print iroot(c + i * n, 3)
        break
    i += 1
QWB_nextrsa [master●] python smallE.py 
Success!
(mpz(1040065794283452835234332386718771782674284350646994660717501540629408351835476084209765388377794921102504315677880363816181535636530953053269277563867522157300904962146145717252718887520146030078204232460775L), True)

level 7

QWB_nextrsa [master●] python exp.py
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[+] Level 5 Clear!
[+] Level 6 Clear!
[+] Level 7 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# n1=0xb4e9991d2fac12b098b01118d960eb5470261368e7b1ff2da2c66b4302835aa845dd50a4f749fea749c6d439156df6faf8d14ce2a57da3bac542f1843bfc80dfd632e7a2ef96496a660d8c5994aea9e1b665097503558bc2756ab06d362abe3777d8c1f388c8cd1d193955b70053382d330125bdc2cdc836453f1a26cec1021cbb787977336b2300f38c6ba881a93d2a2735f8f0d32ea2d0e9527eb15294dd0867c8030d1f646bd121c01706c247cd1bf4aa209d383ffb748b73ec1688dc71812675834b4b12d27a63b5b8fcc47394d16897ff96af49f39d8d5b247553fbf8fac7be08aab43d9ce5659cd5cfaf7d73edbcfe854d997ae4b28d879adf86641707
# e1=0x10001
# c1=0x3a10c58ed3e8f9eade48dad7d36518dabeeca3d169c848f3b4b2bb027220e13d8b071c55046b14213e966ad9c381e5cad9773d455aa0d36ddff9b9f24873d0979f1caff95d9569e4f312514c7e01979b39c466aa2d27ad521ae3c1ea2025ca2290185b3d79da4f6e4c7e77a70f206bd5c41eec65fd64f86c317b8207ca511b8297b597cb9c24afa652c1f1c7f2d8ca61cf4a63b17df165e4c02dc19578305f276cb81fdfadf0ffc8b86e13297f2692edf7e6324878bb8ca960a050af6b0ada8ba4accd72c7d2c74a41e98d801093e4cc5b1572b8e6be9f270c30759543986180bb4fc6863e14638ea74863dbdd1624cfdedaedb99dfd48901e7d4b486a7b13ea
# n2=0xc31344c753e25135d5eed8febaa57dd7020b503a5569bdd4ae6747b5c36436dc1c4d7ead77bfc1034748bcc630636bae1c8f4ca5dee8246b3d6f3e8b14e16487733b14ec8e587e07a7a6de45859d32d241eaf7746c45ff404f1a767ab77e8493ae8141fee0bcf4e9b7c455415b6945fa60de928b01dfa90bbf0d09194f93db7a1663121d281c908f0e38237f63c2b856f99c6029d993f9afb5fbbb762044d97943ff34023486c4cf1db9ffdc439d9f5ff331b606374c7133d61e4614fac3ea7faaf54563338b736282658e7925b224577091831351a28679a8d6f8e7ba16685b2769bb49b79f8054b29c809d68aca0f2c5e3f1fd0e3ef6c21f756e3c44a40439
# e2=0x10001
# c2=0xbefa7d62f15cafc81d098fdd524411537e948d83266ef22848f44d2e43d1f1388a26bb21c8fb08b571c7cbd6630d6f2b409c85c68a6419e472941e4978f60b93e1ce850344dbe99f1918cb5b8c35075bbdca82fa233d1300f108e4b75ce10d7b0ffa145bceffbc7a5204bf9c119f77af191091f25140aedcdd333b631b240ddad3108c96084dffe6e49e04880908fa02c02edb58e2f27919d707151adb6787384ca28050f8d77418cc1733187d7695f57127be8d6174562723679ba39790d7f2306271b9d8f4d2bdde9ed798af00074ec7da3a7f1ffeb4fc6a61804e51c0f92d384dc62b80fd44492588af26ac0185a23f86c46a7ffdec9fcf31b02b08b63001
@ m1=$  

给了n1,c1,n2,c2,且n无法分解,尝试公约数分解

QWB_nextrsa [master●] cat gcdN.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from libnum import gcd

n1=0xb4e9991d2fac12b098b01118d960eb5470261368e7b1ff2da2c66b4302835aa845dd50a4f749fea749c6d439156df6faf8d14ce2a57da3bac542f1843bfc80dfd632e7a2ef96496a660d8c5994aea9e1b665097503558bc2756ab06d362abe3777d8c1f388c8cd1d193955b70053382d330125bdc2cdc836453f1a26cec1021cbb787977336b2300f38c6ba881a93d2a2735f8f0d32ea2d0e9527eb15294dd0867c8030d1f646bd121c01706c247cd1bf4aa209d383ffb748b73ec1688dc71812675834b4b12d27a63b5b8fcc47394d16897ff96af49f39d8d5b247553fbf8fac7be08aab43d9ce5659cd5cfaf7d73edbcfe854d997ae4b28d879adf86641707
#  e1=0x10001
#  c1=0x3a10c58ed3e8f9eade48dad7d36518dabeeca3d169c848f3b4b2bb027220e13d8b071c55046b14213e966ad9c381e5cad9773d455aa0d36ddff9b9f24873d0979f1caff95d9569e4f312514c7e01979b39c466aa2d27ad521ae3c1ea2025ca2290185b3d79da4f6e4c7e77a70f206bd5c41eec65fd64f86c317b8207ca511b8297b597cb9c24afa652c1f1c7f2d8ca61cf4a63b17df165e4c02dc19578305f276cb81fdfadf0ffc8b86e13297f2692edf7e6324878bb8ca960a050af6b0ada8ba4accd72c7d2c74a41e98d801093e4cc5b1572b8e6be9f270c30759543986180bb4fc6863e14638ea74863dbdd1624cfdedaedb99dfd48901e7d4b486a7b13ea
n2=0xc31344c753e25135d5eed8febaa57dd7020b503a5569bdd4ae6747b5c36436dc1c4d7ead77bfc1034748bcc630636bae1c8f4ca5dee8246b3d6f3e8b14e16487733b14ec8e587e07a7a6de45859d32d241eaf7746c45ff404f1a767ab77e8493ae8141fee0bcf4e9b7c455415b6945fa60de928b01dfa90bbf0d09194f93db7a1663121d281c908f0e38237f63c2b856f99c6029d993f9afb5fbbb762044d97943ff34023486c4cf1db9ffdc439d9f5ff331b606374c7133d61e4614fac3ea7faaf54563338b736282658e7925b224577091831351a28679a8d6f8e7ba16685b2769bb49b79f8054b29c809d68aca0f2c5e3f1fd0e3ef6c21f756e3c44a40439
# e2=0x10001
# c2=0xbefa7d62f15cafc81d098fdd524411537e948d83266ef22848f44d2e43d1f1388a26bb21c8fb08b571c7cbd6630d6f2b409c85c68a6419e472941e4978f60b93e1ce850344dbe99f1918cb5b8c35075bbdca82fa233d1300f108e4b75ce10d7b0ffa145bceffbc7a5204bf9c119f77af191091f25140aedcdd333b631b240ddad3108c96084dffe6e49e04880908fa02c02edb58e2f27919d707151adb6787384ca28050f8d77418cc1733187d7695f57127be8d6174562723679ba39790d7f2306271b9d8f4d2bdde9ed798af00074ec7da3a7f1ffeb4fc6a61804e51c0f92d384dc62b80fd44492588af26ac0185a23f86c46a7ffdec9fcf31b02b08b63001

print "p -> {}".format(gcd(n1, n2))
print "q1 -> {}".format(n1 / gcd(n1, n2))
print "q2 -> {}".format(n2 / gcd(n1, n2))
QWB_nextrsa [master●] python gcdN.py 
p -> 172556869675477627998498055209836071784247150005171563227746896156122872188366409207785861691629822624239290434962401079375795926547190033528901472629460098214484911362406299395686098456884802352767604762878851834535300869832185076070001884294619607750730223241159644270340312192959960438465036924150469626273
q1 -> 132351070426725062043554691080648210190952108157658335988407251230007075283172499240825840919032041018784725171991038079646749244434399109751200470150528052302049968282955114052567000382702788528085267361900807404612963675383296948833387201551997975485346080119293646868147213281855400241807127491238274887591
q2 -> 142712204088308994057536283419724413794506016166476894328600394909477811164746138340181564452439035177705892406900049909054445185976447566687912817760888522575392942071446149843167125603211027327213321217046810724727383186248415705825602583825139689729004506328064673686005047611032077069064661986088327406489

level 8

QWB_nextrsa [master●] python exp.py  
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[+] Level 5 Clear!
[+] Level 6 Clear!
[+] Level 7 Clear!
[+] Level 7 Clear!
[+] Level 8 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# c1=pow(m,e1,n),c2=pow(m,e2,n)
# n=0xace2aa1121d22a2153389fba0b5f3e24d8721f5e535ebf5486a74191790c4e3cdd0316b72388e7de8be78483e1f41ca5c930df434379db76ef02f0f8cd426348b62c0155cdf1d5190768f65ce23c60a4f2b16368188954342d282264e447353c62c10959fee475de08ec9873b84b5817fecb74899bedde29ef1220c78767f4de11ef1756404494ae1ce4af184cbc1c7c6de8e9cd16f814bca728e05bc56b090112f94fff686bf8122a3b199eb41080860fa0689ed7dbc8904184fb516b2bbf6b87a0a072a07b9a26b3cda1a13192c03e24dec8734378d10f992098fe88b526ce70876e2c7b7bd9e474307dc6864b4a8e36e28ce6d1b43e3ab5513baa6fa559ff
# e1=0xac8b
# c1=0x9e84763bdbe246fad0a9cd52fda6233e6128a6210efaf3e6dea4fe272f78ad1f8f5cc7022f62f4f542341128e42d6fd10e67c5f96edbd243917c0151289f7228e44019b8c65a541d7306b398465e26b69cab36cc61e4ac094832b4299bbaf4630b722a0fb4f1997053be97e926f94afb55a0bb6ef00ab694e2f595d9eb8ca96c49f5cbbe194529f68a1aaf6f5151484b471285ba8fc8cd30b55612f35a74dc68e255c363579a80d27ce5090873ac719ba59f2492c91fd28bcce26b6a02bae005cbbd2a4cfe5b93442be8664d2313d412e7e09f545c64b7b74bbc408b6e574d0d300135cba8d6c1d73737d59baca9992ede644d856eb4cfcda562a75743e4b491
# e2=0x1091
# c2=0x9817fdc7b31a8f9cde1794096d3aa2bc6fe06fe34d4b7c9ca9a77982adf67fd4a7e636659553f4168a16757dc3a75e54ff850b9a94a5270f4f75502c7055a3a389df2ea6b00784a4e78e66901b427253c0f343f127e0ff162a349bb14eb4c1453fc6daace19bba4940d77c435686ef3b59f732072cde2e148d1a64f9682b3f1ceb9a000d87e180a1f9eb20c59dbebc13ddb2e07b64db89217f40369aeec878a45d99909ab2a3e4cdb74aa68890c941315ae289d6667200c53f9a32c8a64bfc74e62898ac03c460f945a13f11ee28860a3cd07526c30aa92eb89442a76549fe4ed8a43d14fdeeb350e90443a3a586db719f8610eb5d4a8f5bd1e481b5ef6e96ef
@ m=$  

一个n,多组c,e,采用共模攻击

共模攻击写在最后的脚本里了

level 9

QWB_nextrsa [master●] python exp.py 
[+] Opening connection to 39.107.33.90 on port 9999: Done
[+] Level 0 Clear!
[+] Level 1 Clear!
[+] Level 2 Clear!
[+] Level 3 Clear!
[+] Level 4 Clear!
[+] Level 5 Clear!
[+] Level 6 Clear!
[+] Level 6 Clear!
[+] Level 7 Clear!
[+] Level 8 Clear!
[*] Switching to interactive mode
ok!
=next-rsa=
# c1=pow(m,e,n1),c2=pow(m,e,n2),c3=pow(m,e,n3)
# e=0x3
# n1=0x43d819a4caf16806e1c540fd7c0e51a96a6dfdbe68735a5fd99a468825e5ee55c4087106f7d1f91e10d50df1f2082f0f32bb82f398134b0b8758353bdabc5ba2817f4e6e0786e176686b2e75a7c47d073f346d6adb2684a9d28b658dddc75b3c5d10a22a3e85c6c12549d0ce7577e79a068405d3904f3f6b9cc408c4cd8595bf67fe672474e0b94dc99072caaa4f866fc6c3feddc74f10d6a0fb31864f52adef71649684f1a72c910ec5ca7909cc10aef85d43a57ec91f096a2d4794299e967fcd5add6e9cfb5baf7751387e24b93dbc1f37315ce573dc063ecddd4ae6fb9127307cfc80a037e7ff5c40a5f7590c8b2f5bd06dd392fbc51e5d059cffbcb85555
# c1=0x5517bdd6996b54aa72c2a9f1eec2d364fc71880ed1fa8630703a3c38035060b675a144e78ccb1b88fa49bad2ed0c6d5ad0024d4bb18e7d87f3509b0dbf238a0d1ff33f48ffc99c1bdf2f2547a193e7ab66eec562a7bc3f9521f70d453ff6d1fdb24de40b3f621ca6be6606440d09d0f302d5806e7cebc9b612522f181baa43373d6827ffd794916ffcc205147c8d88a59d2fce4bbcdfd6a4934fb72d5f74be79a1bd64b4305865c9d20eb96d8bd7976440a4bc326fdb5b9a04bac3762a664346a175f1029f448bb421506f3dfeb75d6531f89f0b92a7e66e295ede5928ec8301a202d5c9fd528cda84190c2b47f423af1a59c63ae6253d1903c83ae158f9b42
# n2=0x60d175fdb0a96eca160fb0cbf8bad1a14dd680d353a7b3bc77e620437da70fd9153f7609efde652b825c4ae7f25decf14a3c8240ea8c5892003f1430cc88b0ded9dae12ebffc6b23632ac530ac4ae23fbffb7cfe431ff3d802f5a54ab76257a86aeec1cf47d482fec970fc27c5b376fbf2cf993270bba9b78174395de3346d4e221d1eafdb8eecc8edb953d1ccaa5fc250aed83b3a458f9e9d947c4b01a6e72ce4fee37e77faaf5597d780ad5f0a7623edb08ce76264f72c3ff17afc932f5812b10692bcc941a18b6f3904ca31d038baf3fc1968d1cc0588a656d0c53cd5c89cedba8a5230956af2170554d27f524c2027adce84fd4d0e018dc88ca4d5d26867
# c2=0x3288e3ea8c74fd004e14b66a55acdcbcb2e9bd834b0f543514e06198045632b664dac3cf8578cde236a16bef4a1246de692ec6a61ce507a220fa04e09044632787ba42b856cb13be6e905c20b493004822888d3c44c6fc367c7af0287f1683f08baae5bb650902067908e93246af3954d62437aa14248529fd07c8902b9403920b6550f12d1c398881cd7fc8b5f096f38c33df21887bfe989fb011a9deade2370d90347510b76f1f3e3dedf09c148675ea8919878c8ac188253b78886d906cd1f3aee5484d6d13fb4bbad233f670f825fa618adbf0705ed4e31b60957f5c28cfd1febd13370630a6c94990e341d38918a9c1faa614fd14cdd41b7bc8461f2f0c
# n3=0x280f992dd63fcabdcb739f52c5ed1887e720cbfe73153adf5405819396b28cb54423d196600cce76c8554cd963281fc4b153e3b257e96d091e5d99567dd1fa9ace52511ace4da407f5269e71b1b13822316d751e788dc935d63916075530d7fb89cbec9b02c01aef19c39b4ecaa1f7fe2faf990aa938eb89730eda30558e669da5459ed96f1463a983443187359c07fba8e97024452087b410c9ac1e39ed1c74f380fd29ebdd28618d60c36e6973fc87c066cae05e9e270b5ac25ea5ca0bac5948de0263d8cc89d91c4b574202e71811d0ddf1ed23c1bc35f3a042aac6a0bdf32d37dede3536f70c257aafb4cfbe3370cd7b4187c023c35671de3888a1ed1303
# c3=0xb0c5ee1ac47c671c918726287e70239147a0357a9638851244785d552f307ed6a049398d3e6f8ed373b3696cfbd0bce1ba88d152f48d4cea82cd5dafd50b9843e3fa2155ec7dd4c996edde630987806202e45821ad6622935393cd996968fc5e251aa3539ed593fe893b15d21ecbe6893eba7fe77b9be935ca0aeaf2ec53df7c7086349eb12792aefb7d34c31c18f3cd7fb68e8a432652ef76096096e1a5d7ace90a282facf2d2760e6b5d98f0c70b23a6db654d10085be9dcc670625646a153b52c6c710efe8eb876289870bdd69cb7b45813e4fcfce815d191838926e9d60dd58be73565cff0e10f4e80122e077a5ee720caedc1617bf6a0bb072bbd2dab0
@ m=[*] Got EOF while reading in interactive
$  

e = 3,给了三组数据,使用广播攻击,广播攻击也写在最后的脚本里了

flag

最终脚本

太长,就不贴出来了,放到github上了

reference

https://err0rzz.github.io/2017/11/14/CTF中RSA套路/#共模攻击

http://www.cnblogs.com/pcat/p/7508205.html

https://github.com/pablocelayes/rsa-wiener-attack

https://github.com/mimoo/RSA-and-LLL-attacks

more

初次之外,还见过已知p高位的,可以参考whctf-untitled

以及修复证书的,参考Jarvis OJ 600分的RSA

posted @ 2018-03-26 21:33  M4x  阅读(9462)  评论(0编辑  收藏  举报