Miscez_zip

题目

4096个压缩包套娃

我的解答:

写个脚本直接解压即可:

import zipfile name = '附件路径\\题目附件.zip'for i in range(4097):    f = zipfile.ZipFile(name , 'r')    f.extractall(pwd=name[:-4].encode())    name = f.filelist[0].filename    print(name[:-4],end="")    f.close()

得到

+-+++-++ +-+++++- +-+-++-- +-++++-- +-+-+-++ +-+++--+ +----+-- ++--+++- ++--++++ +--+++-- ++--+-+- ++---+++ ++--++-+ ++--+-+- ++---+++ +--+++-- +--+++-- +--++--+ ++--+++- +--++-+- ++--+--- +--+++-- ++--+--+ ++--++-- ++--+++- +--++-+- ++--+-+- ++---++- ++--+++- ++--+++- +--++-+- +--++-++ ++--+--+ +--++++- +--+++-- +--+++-- ++--+-++ +--++-+- +--++-++ +-----+-

一眼丁真01,将+改成0,-改成1

x='''01000100 01000001 01010011 01000011 01010100 01000110 01111011 00110001 00110000 01100011 00110101 00111000 00110010 00110101 00111000 01100011 01100011 01100110 00110001 01100101 00110111 01100011 00110110 00110011 00110001 01100101 00110101 00111001 00110001 00110001 01100101 01100100 00110110 01100001 01100011 01100011 00110100 01100101 01100100 01111101'''s=x.split(' ')print(''.join(chr(int(c,2)) for c in s))'DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}'

easy取证

题目

我的解答:

一个取证问题,简单来分析一下:

本人是在windows下使用,参考:https://blog.csdn.net/m0_68012373/article/details/127419463

我们先查看镜像信息

volatility.exe -f mem.raw imageinfo

然后我们可以利用插件grep查找一下常见的信息,例如:zip,txt,docx,png,jpg等

测试之后发现桌面有个docx文档

volatility.exe -f mem.raw --profile Win7SP1x64 filescan | grep .docx

我们需要提取出来

volatility.exe -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003dceaf20 -D ./

得到

修改后缀为docx打开,复制内容到txt里面

一眼丁真snow隐写,但需要找到密码,我们使mimikatzmimikatz插件可以获取系统明文密码,网上有安装教程)获取密码

得到

H7Qmw_X+WB6BXDXa

然后直接解码即可

SNOW.EXE -C -p "H7Qmw_X+WB6BXDXa" White.txt

Cryptoso-large-e

题目

公钥

-----BEGIN PUBLIC KEY-----MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQCl7ZhtXDOIFdSnnejtOn2WOdcqyzrvKMVFTIqSyPV3Tkj5m9ETc/rlvLJLcQvI0V6tr+u5Tq+zqWBQzsvRsvKt+ap0JW8up0qD1nGIvcJVdsWAjdse7AH/N3+xg8NrH3nO0OIWzMpkGH+4TVsOBu8MnhnR9SxTkDp+gUtHtPR/awKBgQChjp2PFfpCV4hrVyPJrKP2gHbW+o7mBNiUd3AvUcbkr7rA6Sj3tU33yGKIoXbmZC4rWNcuqrsoCPvIFl/YHYPKVDOl2PlLaDVi/Q5EymGkUfPXoZsScxvkZtkOt9XY4wWEeDMtxF/swnV0nhAUSJEHamFL3i0PAWf9uBddVheH4Q==-----END PUBLIC KEY-----
from Crypto.Util.number import *from Crypto.PublicKey import RSAfrom flag import flagimport randomm = bytes_to_long(flag)p = getPrime(512)q = getPrime(512)n = p*qe = random.getrandbits(1024)assert size(e)==1024phi = (p-1)*(q-1)assert GCD(e,phi)==1d = inverse(e,phi)assert size(d)==269pub = (n, e)PublicKey = RSA.construct(pub)with open('pub.pem', 'wb') as f :    f.write(PublicKey.exportKey())c = pow(m,e,n)print('c =',c)print(long_to_bytes(pow(c,d,n)))#c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860

我的解答:

我们先分解公钥得到n,e

from gmpy2 import *from Crypto.Util.number import *from Crypto.PublicKey import RSA# 公钥提取with open("pub.pem","r",encoding="utf-8") as file:    text=file.read()key=RSA.import_key(text)e=key.en=key.nprint(e)print(n)113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723

发现这个e很大,我们根据题目代码可知它跟n一个数量级。而d很小,想到维纳攻击或低解密指数攻击。但尝试无果有报错。问题就在于他的私钥太小d < N^0.292并不满足维纳或低解密d的要求。

因此我们需要爆出真正的满足题目条件的d,利用LLL-attacks解出d

详细解析可参考:https://github.com/Gao-Chuan/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage

from __future__ import print_functionimport time############################################# Config##########################################"""Setting debug to true will display more informationsabout the lattice, the bounds, the vectors..."""debug = True"""Setting strict to true will stop the algorithm (andreturn (-1, -1)) if we don't have a correctupperbound on the determinant. Note that thisdoesn't necesseraly mean that no solutionswill be found since the theoretical upperbound isusualy far away from actual results. That is whyyou should probably use `strict = False`"""strict = False"""This is experimental, but has provided remarkable resultsso far. It tries to reduce the lattice as much as it canwhile keeping its efficiency. I see no reason not to usethis option, but if things don't work, you should trydisabling it"""helpful_only = Truedimension_min = 7 # stop removing if lattice reaches that dimension############################################# Functions########################################### display stats on helpful vectorsdef helpful_vectors(BB, modulus):    nothelpful = 0    for ii in range(BB.dimensions()[0]):        if BB[ii,ii] >= modulus:            nothelpful += 1    print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")# display matrix picture with 0 and Xdef matrix_overview(BB, bound):    for ii in range(BB.dimensions()[0]):        a = ('%02d ' % ii)        for jj in range(BB.dimensions()[1]):            a += '0' if BB[ii,jj] == 0 else 'X'            if BB.dimensions()[0] = bound:            a += '~'        print(a)# tries to remove unhelpful vectors# we start at current = n-1 (last vector)def remove_unhelpful(BB, monomials, bound, current):    # end of our recursive function    if current == -1 or BB.dimensions()[0] = bound:            affected_vectors = 0            affected_vector_index = 0            # let's check if it affects other vectors            for jj in range(ii + 1, BB.dimensions()[0]):                # if another vector is affected:                # we increase the count                if BB[jj, ii] != 0:                    affected_vectors += 1                    affected_vector_index = jj            # level:0            # if no other vectors end up affected            # we remove it            if affected_vectors == 0:                print("* removing unhelpful vector", ii)                BB = BB.delete_columns([ii])                BB = BB.delete_rows([ii])                monomials.pop(ii)                BB = remove_unhelpful(BB, monomials, bound, ii-1)                return BB            # level:1            # if just one was affected we check            # if it is affecting someone else            elif affected_vectors == 1:                affected_deeper = True                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):                    # if it is affecting even one vector                    # we give up on this one                    if BB[kk, affected_vector_index] != 0:                        affected_deeper = False                # remove both it if no other vector was affected and                # this helpful vector is not helpful enough                # compared to our unhelpful one                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):                    print("* removing unhelpful vectors", ii, "and", affected_vector_index)                    BB = BB.delete_columns([affected_vector_index, ii])                    BB = BB.delete_rows([affected_vector_index, ii])                    monomials.pop(affected_vector_index)                    monomials.pop(ii)                    BB = remove_unhelpful(BB, monomials, bound, ii-1)                    return BB    # nothing happened    return BB""" Returns:* 0,0   if it fails* -1,-1 if `strict=true`, and determinant doesn't bound* x0,y0 the solutions of `pol`"""def boneh_durfee(pol, modulus, mm, tt, XX, YY):    """    Boneh and Durfee revisited by Herrmann and May        finds a solution if:    * d < N^delta    * |x| < e^delta    * |y| < e^0.5    whenever delta < 1 - sqrt(2)/2 ~ 0.292    """    # substitution (Herrman and May)    PR. = PolynomialRing(ZZ)    Q = PR.quotient(x*y + 1 - u) # u = xy + 1    polZ = Q(pol).lift()    UU = XX*YY + 1    # x-shifts    gg = []    for kk in range(mm + 1):        for ii in range(mm - kk + 1):            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk            gg.append(xshift)    gg.sort()    # x-shifts list of monomials    monomials = []    for polynomial in gg:        for monomial in polynomial.monomials():            if monomial not in monomials:                monomials.append(monomial)    monomials.sort()        # y-shifts (selected by Herrman and May)    for jj in range(1, tt + 1):        for kk in range(floor(mm/tt) * jj, mm + 1):            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)            yshift = Q(yshift).lift()            gg.append(yshift) # substitution        # y-shifts list of monomials    for jj in range(1, tt + 1):        for kk in range(floor(mm/tt) * jj, mm + 1):            monomials.append(u^kk * y^jj)    # construct lattice B    nn = len(monomials)    BB = Matrix(ZZ, nn)    for ii in range(nn):        BB[ii, 0] = gg[ii](0, 0, 0)        for jj in range(1, ii + 1):            if monomials[jj] in gg[ii].monomials():                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)    # Prototype to reduce the lattice    if helpful_only:        # automatically remove        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)        # reset dimension        nn = BB.dimensions()[0]        if nn == 0:            print("failure")            return 0,0    # check if vectors are helpful    if debug:        helpful_vectors(BB, modulus^mm)        # check if determinant is correctly bounded    det = BB.det()    bound = modulus^(mm*nn)    if det >= bound:        print("We do not have det < bound. Solutions might not be found.")        print("Try with highers m and t.")        if debug:            diff = (log(det) - log(bound)) / log(2)            print("size det(L) - size e^(m*n) = ", floor(diff))        if strict:            return -1, -1    else:        print("det(L) < e^(m*n) (good! If a solution exists  polynomials 1 & 2    if debug:        print("looking for independent vectors in the lattice")    found_polynomials = False        for pol1_idx in range(nn - 1):        for pol2_idx in range(pol1_idx + 1, nn):            # for i and j, create the two polynomials            PR. = PolynomialRing(ZZ)            pol1 = pol2 = 0            for jj in range(nn):                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)            # resultant            PR. = PolynomialRing(ZZ)            rr = pol1.resultant(pol2)            # are these good polynomials?            if rr.is_zero() or rr.monomials() == [1]:                continue            else:                print("found them, using vectors", pol1_idx, "and", pol2_idx)                found_polynomials = True                break        if found_polynomials:            break    if not found_polynomials:        print("no independant vectors could be found. This should very rarely happen...")        return 0, 0        rr = rr(q, q)    # solutions    soly = rr.roots()    if len(soly) == 0:        print("Your prediction (delta) is too small")        return 0, 0    soly = soly[0][0]    ss = pol1(q, soly)    solx = ss.roots()[0][0]    #    return solx, solydef example():    ############################################    # How To Use This Script    ##########################################    #    # The problem to solve (edit the following values)    #    # the modulus    e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233    N = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723    # the hypothesis on the private exponent (the theoretical maximum is 0.292)    delta = .27 # this means that d < N^delta    #    # Lattice (tweak those values)    #    # you should tweak this (after a first run), (e.g. increment it until a solution is found)    m = 6 # size of the lattice (bigger the better/slower)    # you need to be a lattice master to tweak these    t = int((1-2*delta) * m)  # optimization from Herrmann and May    X = 2*floor(N^delta)  # this _might_ be too much    Y = floor(N^(1/2))    # correct if p, q are ~ same size    #    # Don't touch anything below    #    # Problem put in equation    P. = PolynomialRing(ZZ)    A = int((N+1)/2)    pol = 1 + x * (A + y)    #    # Find the solutions!    #    # Checking bounds    if debug:        print("=== checking values ===")        print("* delta:", delta)        print("* delta < 0.292", delta  0:        print("=== solution found ===")        if False:            print("x:", solx)            print("y:", soly)        d = int(pol(solx, soly) / e)        print("private key found:", d)    else:        print("=== no solution was found ===")    if debug:        print(("=== %s seconds ===" % (time.time() - start_time)))if __name__ == "__main__":    example()

之后直接解即可

import gmpy2from Crypto.Util.number import *d=663822343397699728953336968317794118491145998032244266550694156830036498673227937c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860n=116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723m=pow(c,d,n)print(long_to_bytes(m))#DASCTF{6f4fadce-5378-d17f-3c2d-2e064db4af19}

matrixequation

题目

from sage.all import *import stringfrom myflag import finalflag, flagA = matrix([[0 for i in range(11)] for i in range(11)])for k in range(len(flag)):i, j = 5*k // 11, 5*k % 11A[i, j] = alphabet.index(flag[k])from hashlib import md5assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')key = getKey()R, leftmatrix, matrixU = keytmpMatrix = leftmatrix * matrixUX = A + RY = tmpMatrix * XE = leftmatrix.inverse() * Yf = open('output','w')f.write(str(E)+'\n')f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))A = matrix([[0 for i in range(11)] for i in range(11)])for k in range(len(flag)):i, j = 5*k // 11, 5*k % 11A[i, j] = alphabet.index(flag[k])from hashlib import md5assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')key = getKey()R, leftmatrix, matrixU = keytmpMatrix = leftmatrix * matrixUX = A + RY = tmpMatrix * XE = leftmatrix.inverse() * Yf = open('output','w')f.write(str(E)+'\n')f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))
[53 19 40  7 22 46 69 11 31 48 57][66 47 13 39  1 34 26 15 52 18 55][47  1  9 14 58 34 40 27  9  1 36][36 19 38 30 39 30 21 27  1  4 13][25 10 52 45 69 63  3 64 13 51 44][48  2 64 19 49 51 39 29 22 35 17][69 48 27 17 15 42 60 42 15 43  7][39 37 56  5 49 57 51 49  3 53 25][50 39  9 30 19 63 20 12  8 55 35][24 26 58 56 43 70 66 27 32 70 59][ 9 34 18 31 65  3 48 39 39 40 53][62 17 50 41  4  7  5  4 20 15 45][ 8 59 38 18 42 31 60 58 35  1 46][25 20 45 31 69 45 59 34 46 63 69][ 6  2 65 44 53 59 11 52 37 48 40][33 52  4  9  6  7 34  4 59 59  6][65 64 53 22 49 22 58 50 48 66 25][ 0 43 42 68 16 35 20 69  1 14 18][23 61 44 20 30 38 10 68 52 39  4][ 1  8 31 31 11 54 41 70 49 40  1][58 29 28 60 23 13 67 33 14 15  2][23 25 70  1 13 57 52 21 54 64 26][10  5 15 49 12 53 46 23 44 40 67][41 21 62 22 40 69 59  0 28 42 52][ 9 66 44  3 48  2 53  8 46 52  4][ 8 50 15 56 16 31 47  5 70  6 43][59 34 48  5 55 50 61 39 38  7 60][46 46  9 36 12 49 48 30 64 30 45][62 33  2 19  3 15 69 25  0 51 69][27 10 48 26 11 32  1 40 29 59 16][18 60 33 64 15 41 22  9 11 60 22][32 52 15 27  1 63 55 54 70 17 52][22 27 33 38 68 36 59 17 64 18 65][43 68 27 18 44 32 47 21 46 44 14][12 52 44 61 26 34 53 36 18  3 61][10 59 14  2 42 63 31  9 53  4 55][63 48 59 11 54  9 54 50 68  5 28][66 12 58 68 52 50  5 39 19  6 70][42 23 24 54 54 64  3 16 20 67 28][60 68 63 63 34  7  0 36  3 22 68][10 23  0  9 64  0 52  1 24 52 21][65 52 42  9 43 39 15  3 36 28 28][21 32 35 69 49 55  0 23  4 32 42][61 52 49 46 50 34 70 35 39  1 16]

我的解答:

线性代数问题,题目把flag转成了矩阵A,我们要做的就是求出A

已知题目信息(由于变量较长,这里用缩略单词代替)

R, S = random_matrix
S = L * U

E = L^(-1) * S * (A + R)
a = L * U * L
b = L^(-1) * S^2 * L
c = R^(-1) * S^8

求解过程

b * a^(-1) = L^(-1) * S (S = L * U = U * L)
a * b^(-1) * E = A + R (上式^(-1) * E)

a * b * a^(-1) = S^2 (define ss)
c * ss^(-4) = R^(-1)

a * b^(-1) * E – c * ss^(-4) = A (solve)

exp:

import reimport stringalphabet = string.printable[:71]p = len(alphabet)with open('output', 'r') as f:  data = f.read().split('\n')[:-1]data = [re.findall(r'\d+', d) for d in data]data = [[Integer(di) for di in d] for d in data]n = 11E = matrix(GF(p), data[:11])LUL = matrix(GF(p), data[11: 22])ULUL = matrix(GF(p), data[22: 33])RiLU8 = matrix(GF(p), data[33: 44])Ui = LUL * ULUL^(-1)Ri = RiLU8 * Ui * (ULUL^(-1))^3 * LUL^(-1)U = Ui^(-1)assert Ri * (LUL * U)^4 == RiLU8R = Ri^(-1)AR = Ui * EA = AR - Rprint(A)flag = ''for k in range(24):  i, j = 5*k // 11, 5*k % 11  flag += alphabet[A[i, j]]print(flag)  from hashlib import md5flag = 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}'print(flag)