DASCTF NOV Xeasyrsa

easyrsa

1.先分解两数的平方和得到p,q

from gmpy2 import *
from Crypto.Util.number import *
n=86073852484226203700520112718689325205597071202320413471730820840719099334770
p1,q=two_squares(n)
print(p,q)

200170033707580057053975766783012322797,214489650309129059054871357172058931331

2.根据weak_prime攻击分解出n2

from tqdm import tqdm
import gmpy2


class success(Exception):
    pass


def attack_weak_prime(basenum, exp, n):
    m = basenum^exp
    k = len(n.str(base=basenum))//(2*exp) + 1
    c = gmpy2.iroot(2*k^3, int(2))
    print(c)
    # assert c[1] == True
    tmp = int(c[0])

    try:
        for c in tqdm(range(1, tmp)):
            amount = 2*k+1
            M = Matrix(RationalField(), amount, amount)
            for i in range(amount):
                M[i, i] = 1
                M[i, amount-1] = c*m^(2*k-i)
            M[amount-1, amount-1] = -c*n

            new_basis = M.LLL(delta=0.75)
            for j in range(amount):
                last_row = list(new_basis[j])
                last_row[-1] = last_row[-1]//(-c)

                poly = sum(e * x^(k*2-i) for i,e in enumerate(last_row))
                fac = poly.factor_list()
                if len(fac) == 3:
                    p_poly, q_poly,r_poly = fac
                    p_coefficient = p_poly[0].list()
                    q_coefficient = q_poly[0].list()
                    r_coefficient = r_poly[0].list()
                    ap = sum(m^i * j for i,j in enumerate(p_coefficient))
                    bq = sum(m^i * j for i,j in enumerate(q_coefficient))
                    cr = sum(m^i * j for i,j in enumerate(r_coefficient))
                    p = gcd(ap, n)
                    q = gcd(bq, n)
                    r = gcd(cr, n)
                    if (p*q*r == n) and (p != 1) and (q != 1):
                        raise success

    except:
        print ('n =', n)
        print ('p =', p)
        print ('q =', q)
        print ('r =', r)
        print ('p*q*r == n ?', bool(p*q*r == n))


if __name__ == '__main__':
    print ('[+] Weak Prime Factorization Start!')
    print ('-------------------------------------------------------------------------------------------------------------------------------')
    basenum, exp = (5, 55)
    n = 77582485123791158683121280616703899430016469065264033598472741751344256774648355531493586310864150337351815051848231793841751148287075688226384710343269278032576253497728407800522536152937473072438970839941923618053297480433385258911357458745700958378269978384670108026994918504237309072908971746160378531040480539649223970964653553804442759847964633088481940435582792404175653758785321463055628690804551479982557193366035172983893595403859872458966844805671311011033726279121149599533093604586152158331657286488305064843651636225644328162652701896037366058322959361248649656784810609391313
    attack_weak_prime(basenum, exp, n)

[+] Weak Prime Factorization Start!
-------------------------------------------------------------------------------------------------------------------------------
(mpz(32), True)
  0%|          | 0/31 [00:02<?, ?it/s]n = 77582485123791158683121280616703899430016469065264033598472741751344256774648355531493586310864150337351815051848231793841751148287075688226384710343269278032576253497728407800522536152937473072438970839941923618053297480433385258911357458745700958378269978384670108026994918504237309072908971746160378531040480539649223970964653553804442759847964633088481940435582792404175653758785321463055628690804551479982557193366035172983893595403859872458966844805671311011033726279121149599533093604586152158331657286488305064843651636225644328162652701896037366058322959361248649656784810609391313
p = 65852498339760915228594889597136378107876107334695562152983809050259001488139010835535729480582643283480229654777004862320849604335829446520865511011593811440123502620735962409526109695434570356277
q = 42974281584522050062504679441184925920720278381761957641733614118720547476055402383959476142344396618643274705251619494499668048977089541037606316780609473959806621223833644762635231018066406261919
r = 27414656307685249691067705927388582241684529669740981719565564735302197575673076783872355553268011939023273356472727941960439764826793614011976095106476097211511966378338911454193294048309326195251
p*q*r == n ? True

3.通过有限域开方求出flag

from gmpy2 import *
from Crypto.Util.number import *
p = 65852498339760915228594889597136378107876107334695562152983809050259001488139010835535729480582643283480229654777004862320849604335829446520865511011593811440123502620735962409526109695434570356277
q = 42974281584522050062504679441184925920720278381761957641733614118720547476055402383959476142344396618643274705251619494499668048977089541037606316780609473959806621223833644762635231018066406261919
r = 27414656307685249691067705927388582241684529669740981719565564735302197575673076783872355553268011939023273356472727941960439764826793614011976095106476097211511966378338911454193294048309326195251
c= 260434870216758498838321584935711394249835963213639852217120194663627852693180232036075839403208332707552953757185774603238436545434522971149891312380970896040823539050341723863717581297624370198483155582245220695123793458717418658539983101802256991837534210806768587736557644192367876024337837658337683388449336720569707094997412847022794461117019613124291022681935875774139147643806772608929174881451749463825639214096129554621195116737322890163556732291246108250543079041977037626755130422879778449546701988814607595746282148723362288451970833214072743929855505520539885650891349827459470540263153862109871050950881032032388185414677989393461533362690744724752363346530211163516319373099647590952338730
while True:
    p=next_prime(p)
    q=next_prime(q)
    r=next_prime(r)
    if (p-1)%7==0 and (q-1)%7 ==0 and (r-1)%7==0 :
        break
print('p=',p)
print('q=',q)
print('r=',r)
n=p*q*r
e=7
P.<a> = PolynomialRing(Zmod(p),implementation='NTL')
f = a^e - c
m1=f.roots()
#print(m1)
P.<a> = PolynomialRing(Zmod(q),implementation='NTL')
f = a^e - c
m2=f.roots()
#print(m2)
P.<a> = PolynomialRing(Zmod(r),implementation='NTL')
f = a^e - c
m3=f.roots()
#print(m3)

for i in m1:
    for j in m2:
        for h in m3:
            m = CRT_list([int(i[0]),int(j[0]),int(h[0])],[p,q,r])
            flag = long_to_bytes(int(m))
            if b'DASCTF' in flag:
                print(flag)

p= 65852498339760915228594889597136378107876107334695562152983809050259001488139010835535729480582643283480229654777004862320849604335829446520865511011593811440123502620735962409526109695434570389431
q= 42974281584522050062504679441184925920720278381761957641733614118720547476055402383959476142344396618643274705251619494499668048977089541037606316780609473959806621223833644762635231018066406292679
r= 27414656307685249691067705927388582241684529669740981719565564735302197575673076783872355553268011939023273356472727941960439764826793614011976095106476097211511966378338911454193294048309326229291
b'DASCTF{I_d0nt_kn0w_wh@t_i_w@nt_t0_d0_ju3t_d0_it_attack_we@k_prim4!!!}'