Miscez_zip
题目
4096个压缩包套娃
我的解答:
写个脚本直接解压即可:
import zipfile name = '附件路径\\题目附件.zip'for i in range(4097): f = zipfile.ZipFile(name , 'r') f.extractall(pwd=name[:-4].encode()) name = f.filelist[0].filename print(name[:-4],end="") f.close()
得到
+-+++-++ +-+++++- +-+-++-- +-++++-- +-+-+-++ +-+++--+ +----+-- ++--+++- ++--++++ +--+++-- ++--+-+- ++---+++ ++--++-+ ++--+-+- ++---+++ +--+++-- +--+++-- +--++--+ ++--+++- +--++-+- ++--+--- +--+++-- ++--+--+ ++--++-- ++--+++- +--++-+- ++--+-+- ++---++- ++--+++- ++--+++- +--++-+- +--++-++ ++--+--+ +--++++- +--+++-- +--+++-- ++--+-++ +--++-+- +--++-++ +-----+-
一眼丁真01,将+改成0,-改成1
x='''01000100 01000001 01010011 01000011 01010100 01000110 01111011 00110001 00110000 01100011 00110101 00111000 00110010 00110101 00111000 01100011 01100011 01100110 00110001 01100101 00110111 01100011 00110110 00110011 00110001 01100101 00110101 00111001 00110001 00110001 01100101 01100100 00110110 01100001 01100011 01100011 00110100 01100101 01100100 01111101'''s=x.split(' ')print(''.join(chr(int(c,2)) for c in s))'DASCTF{10c58258ccf1e7c631e5911ed6acc4ed}'
easy取证
题目
我的解答:
一个取证问题,简单来分析一下:
本人是在windows下使用,参考:https://blog.csdn.net/m0_68012373/article/details/127419463
我们先查看镜像信息
volatility.exe -f mem.raw imageinfo
然后我们可以利用插件grep查找一下常见的信息,例如:zip,txt,docx,png,jpg等
测试之后发现桌面有个docx文档
volatility.exe -f mem.raw --profile Win7SP1x64 filescan | grep .docx
我们需要提取出来
volatility.exe -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003dceaf20 -D ./
得到
修改后缀为docx打开,复制内容到txt里面
一眼丁真snow隐写,但需要找到密码,我们使用mimikatz
(mimikatz插件可以获取系统明文密码,网上有安装教程)获取密码
得到
H7Qmw_X+WB6BXDXa
然后直接解码即可
SNOW.EXE -C -p "H7Qmw_X+WB6BXDXa" White.txt
Cryptoso-large-e
题目
公钥
-----BEGIN PUBLIC KEY-----MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQCl7ZhtXDOIFdSnnejtOn2WOdcqyzrvKMVFTIqSyPV3Tkj5m9ETc/rlvLJLcQvI0V6tr+u5Tq+zqWBQzsvRsvKt+ap0JW8up0qD1nGIvcJVdsWAjdse7AH/N3+xg8NrH3nO0OIWzMpkGH+4TVsOBu8MnhnR9SxTkDp+gUtHtPR/awKBgQChjp2PFfpCV4hrVyPJrKP2gHbW+o7mBNiUd3AvUcbkr7rA6Sj3tU33yGKIoXbmZC4rWNcuqrsoCPvIFl/YHYPKVDOl2PlLaDVi/Q5EymGkUfPXoZsScxvkZtkOt9XY4wWEeDMtxF/swnV0nhAUSJEHamFL3i0PAWf9uBddVheH4Q==-----END PUBLIC KEY-----
from Crypto.Util.number import *from Crypto.PublicKey import RSAfrom flag import flagimport randomm = bytes_to_long(flag)p = getPrime(512)q = getPrime(512)n = p*qe = random.getrandbits(1024)assert size(e)==1024phi = (p-1)*(q-1)assert GCD(e,phi)==1d = inverse(e,phi)assert size(d)==269pub = (n, e)PublicKey = RSA.construct(pub)with open('pub.pem', 'wb') as f : f.write(PublicKey.exportKey())c = pow(m,e,n)print('c =',c)print(long_to_bytes(pow(c,d,n)))#c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860
我的解答:
我们先分解公钥得到n,e
from gmpy2 import *from Crypto.Util.number import *from Crypto.PublicKey import RSA# 公钥提取with open("pub.pem","r",encoding="utf-8") as file: text=file.read()key=RSA.import_key(text)e=key.en=key.nprint(e)print(n)113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723
发现这个e很大,我们根据题目代码可知它跟n一个数量级。而d很小,想到维纳攻击或低解密指数攻击。但尝试无果有报错。问题就在于他的私钥太小d < N^0.292
并不满足维纳或低解密d的要求。
因此我们需要爆出真正的满足题目条件的d,利用LLL-attacks解出d
详细解析可参考:https://github.com/Gao-Chuan/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage
from __future__ import print_functionimport time############################################# Config##########################################"""Setting debug to true will display more informationsabout the lattice, the bounds, the vectors..."""debug = True"""Setting strict to true will stop the algorithm (andreturn (-1, -1)) if we don't have a correctupperbound on the determinant. Note that thisdoesn't necesseraly mean that no solutionswill be found since the theoretical upperbound isusualy far away from actual results. That is whyyou should probably use `strict = False`"""strict = False"""This is experimental, but has provided remarkable resultsso far. It tries to reduce the lattice as much as it canwhile keeping its efficiency. I see no reason not to usethis option, but if things don't work, you should trydisabling it"""helpful_only = Truedimension_min = 7 # stop removing if lattice reaches that dimension############################################# Functions########################################### display stats on helpful vectorsdef helpful_vectors(BB, modulus): nothelpful = 0 for ii in range(BB.dimensions()[0]): if BB[ii,ii] >= modulus: nothelpful += 1 print(nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")# display matrix picture with 0 and Xdef matrix_overview(BB, bound): for ii in range(BB.dimensions()[0]): a = ('%02d ' % ii) for jj in range(BB.dimensions()[1]): a += '0' if BB[ii,jj] == 0 else 'X' if BB.dimensions()[0] = bound: a += '~' print(a)# tries to remove unhelpful vectors# we start at current = n-1 (last vector)def remove_unhelpful(BB, monomials, bound, current): # end of our recursive function if current == -1 or BB.dimensions()[0] = bound: affected_vectors = 0 affected_vector_index = 0 # let's check if it affects other vectors for jj in range(ii + 1, BB.dimensions()[0]): # if another vector is affected: # we increase the count if BB[jj, ii] != 0: affected_vectors += 1 affected_vector_index = jj # level:0 # if no other vectors end up affected # we remove it if affected_vectors == 0: print("* removing unhelpful vector", ii) BB = BB.delete_columns([ii]) BB = BB.delete_rows([ii]) monomials.pop(ii) BB = remove_unhelpful(BB, monomials, bound, ii-1) return BB # level:1 # if just one was affected we check # if it is affecting someone else elif affected_vectors == 1: affected_deeper = True for kk in range(affected_vector_index + 1, BB.dimensions()[0]): # if it is affecting even one vector # we give up on this one if BB[kk, affected_vector_index] != 0: affected_deeper = False # remove both it if no other vector was affected and # this helpful vector is not helpful enough # compared to our unhelpful one if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]): print("* removing unhelpful vectors", ii, "and", affected_vector_index) BB = BB.delete_columns([affected_vector_index, ii]) BB = BB.delete_rows([affected_vector_index, ii]) monomials.pop(affected_vector_index) monomials.pop(ii) BB = remove_unhelpful(BB, monomials, bound, ii-1) return BB # nothing happened return BB""" Returns:* 0,0 if it fails* -1,-1 if `strict=true`, and determinant doesn't bound* x0,y0 the solutions of `pol`"""def boneh_durfee(pol, modulus, mm, tt, XX, YY): """ Boneh and Durfee revisited by Herrmann and May finds a solution if: * d < N^delta * |x| < e^delta * |y| < e^0.5 whenever delta < 1 - sqrt(2)/2 ~ 0.292 """ # substitution (Herrman and May) PR. = PolynomialRing(ZZ) Q = PR.quotient(x*y + 1 - u) # u = xy + 1 polZ = Q(pol).lift() UU = XX*YY + 1 # x-shifts gg = [] for kk in range(mm + 1): for ii in range(mm - kk + 1): xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk gg.append(xshift) gg.sort() # x-shifts list of monomials monomials = [] for polynomial in gg: for monomial in polynomial.monomials(): if monomial not in monomials: monomials.append(monomial) monomials.sort() # y-shifts (selected by Herrman and May) for jj in range(1, tt + 1): for kk in range(floor(mm/tt) * jj, mm + 1): yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk) yshift = Q(yshift).lift() gg.append(yshift) # substitution # y-shifts list of monomials for jj in range(1, tt + 1): for kk in range(floor(mm/tt) * jj, mm + 1): monomials.append(u^kk * y^jj) # construct lattice B nn = len(monomials) BB = Matrix(ZZ, nn) for ii in range(nn): BB[ii, 0] = gg[ii](0, 0, 0) for jj in range(1, ii + 1): if monomials[jj] in gg[ii].monomials(): BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY) # Prototype to reduce the lattice if helpful_only: # automatically remove BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1) # reset dimension nn = BB.dimensions()[0] if nn == 0: print("failure") return 0,0 # check if vectors are helpful if debug: helpful_vectors(BB, modulus^mm) # check if determinant is correctly bounded det = BB.det() bound = modulus^(mm*nn) if det >= bound: print("We do not have det < bound. Solutions might not be found.") print("Try with highers m and t.") if debug: diff = (log(det) - log(bound)) / log(2) print("size det(L) - size e^(m*n) = ", floor(diff)) if strict: return -1, -1 else: print("det(L) < e^(m*n) (good! If a solution exists polynomials 1 & 2 if debug: print("looking for independent vectors in the lattice") found_polynomials = False for pol1_idx in range(nn - 1): for pol2_idx in range(pol1_idx + 1, nn): # for i and j, create the two polynomials PR. = PolynomialRing(ZZ) pol1 = pol2 = 0 for jj in range(nn): pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY) pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY) # resultant PR. = PolynomialRing(ZZ) rr = pol1.resultant(pol2) # are these good polynomials? if rr.is_zero() or rr.monomials() == [1]: continue else: print("found them, using vectors", pol1_idx, "and", pol2_idx) found_polynomials = True break if found_polynomials: break if not found_polynomials: print("no independant vectors could be found. This should very rarely happen...") return 0, 0 rr = rr(q, q) # solutions soly = rr.roots() if len(soly) == 0: print("Your prediction (delta) is too small") return 0, 0 soly = soly[0][0] ss = pol1(q, soly) solx = ss.roots()[0][0] # return solx, solydef example(): ############################################ # How To Use This Script ########################################## # # The problem to solve (edit the following values) # # the modulus e = 113449247876071397911206070019495939088171696712182747502133063172021565345788627261740950665891922659340020397229619329204520999096535909867327960323598168596664323692312516466648588320607291284630435682282630745947689431909998401389566081966753438869725583665294310689820290368901166811028660086977458571233 N = 116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723 # the hypothesis on the private exponent (the theoretical maximum is 0.292) delta = .27 # this means that d < N^delta # # Lattice (tweak those values) # # you should tweak this (after a first run), (e.g. increment it until a solution is found) m = 6 # size of the lattice (bigger the better/slower) # you need to be a lattice master to tweak these t = int((1-2*delta) * m) # optimization from Herrmann and May X = 2*floor(N^delta) # this _might_ be too much Y = floor(N^(1/2)) # correct if p, q are ~ same size # # Don't touch anything below # # Problem put in equation P. = PolynomialRing(ZZ) A = int((N+1)/2) pol = 1 + x * (A + y) # # Find the solutions! # # Checking bounds if debug: print("=== checking values ===") print("* delta:", delta) print("* delta < 0.292", delta 0: print("=== solution found ===") if False: print("x:", solx) print("y:", soly) d = int(pol(solx, soly) / e) print("private key found:", d) else: print("=== no solution was found ===") if debug: print(("=== %s seconds ===" % (time.time() - start_time)))if __name__ == "__main__": example()
之后直接解即可
import gmpy2from Crypto.Util.number import *d=663822343397699728953336968317794118491145998032244266550694156830036498673227937c = 6838759631922176040297411386959306230064807618456930982742841698524622016849807235726065272136043603027166249075560058232683230155346614429566511309977857815138004298815137913729662337535371277019856193898546849896085411001528569293727010020290576888205244471943227253000727727343731590226737192613447347860n=116518679305515263290840706715579691213922169271634579327519562902613543582623449606741546472920401997930041388553141909069487589461948798111698856100819163407893673249162209631978914843896272256274862501461321020961958367098759183487116417487922645782638510876609728886007680825340200888068103951956139343723m=pow(c,d,n)print(long_to_bytes(m))#DASCTF{6f4fadce-5378-d17f-3c2d-2e064db4af19}
matrixequation
题目
from sage.all import *import stringfrom myflag import finalflag, flagA = matrix([[0 for i in range(11)] for i in range(11)])for k in range(len(flag)):i, j = 5*k // 11, 5*k % 11A[i, j] = alphabet.index(flag[k])from hashlib import md5assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')key = getKey()R, leftmatrix, matrixU = keytmpMatrix = leftmatrix * matrixUX = A + RY = tmpMatrix * XE = leftmatrix.inverse() * Yf = open('output','w')f.write(str(E)+'\n')f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))A = matrix([[0 for i in range(11)] for i in range(11)])for k in range(len(flag)):i, j = 5*k // 11, 5*k % 11A[i, j] = alphabet.index(flag[k])from hashlib import md5assert(finalflag == 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}')key = getKey()R, leftmatrix, matrixU = keytmpMatrix = leftmatrix * matrixUX = A + RY = tmpMatrix * XE = leftmatrix.inverse() * Yf = open('output','w')f.write(str(E)+'\n')f.write(str(leftmatrix * matrixU * leftmatrix)+'\n')f.write(str(f'{leftmatrix.inverse() * tmpMatrix**2 * leftmatrix}\n'))f.write(str(f'{R.inverse() * tmpMatrix**8}\n'))
[53 19 40 7 22 46 69 11 31 48 57][66 47 13 39 1 34 26 15 52 18 55][47 1 9 14 58 34 40 27 9 1 36][36 19 38 30 39 30 21 27 1 4 13][25 10 52 45 69 63 3 64 13 51 44][48 2 64 19 49 51 39 29 22 35 17][69 48 27 17 15 42 60 42 15 43 7][39 37 56 5 49 57 51 49 3 53 25][50 39 9 30 19 63 20 12 8 55 35][24 26 58 56 43 70 66 27 32 70 59][ 9 34 18 31 65 3 48 39 39 40 53][62 17 50 41 4 7 5 4 20 15 45][ 8 59 38 18 42 31 60 58 35 1 46][25 20 45 31 69 45 59 34 46 63 69][ 6 2 65 44 53 59 11 52 37 48 40][33 52 4 9 6 7 34 4 59 59 6][65 64 53 22 49 22 58 50 48 66 25][ 0 43 42 68 16 35 20 69 1 14 18][23 61 44 20 30 38 10 68 52 39 4][ 1 8 31 31 11 54 41 70 49 40 1][58 29 28 60 23 13 67 33 14 15 2][23 25 70 1 13 57 52 21 54 64 26][10 5 15 49 12 53 46 23 44 40 67][41 21 62 22 40 69 59 0 28 42 52][ 9 66 44 3 48 2 53 8 46 52 4][ 8 50 15 56 16 31 47 5 70 6 43][59 34 48 5 55 50 61 39 38 7 60][46 46 9 36 12 49 48 30 64 30 45][62 33 2 19 3 15 69 25 0 51 69][27 10 48 26 11 32 1 40 29 59 16][18 60 33 64 15 41 22 9 11 60 22][32 52 15 27 1 63 55 54 70 17 52][22 27 33 38 68 36 59 17 64 18 65][43 68 27 18 44 32 47 21 46 44 14][12 52 44 61 26 34 53 36 18 3 61][10 59 14 2 42 63 31 9 53 4 55][63 48 59 11 54 9 54 50 68 5 28][66 12 58 68 52 50 5 39 19 6 70][42 23 24 54 54 64 3 16 20 67 28][60 68 63 63 34 7 0 36 3 22 68][10 23 0 9 64 0 52 1 24 52 21][65 52 42 9 43 39 15 3 36 28 28][21 32 35 69 49 55 0 23 4 32 42][61 52 49 46 50 34 70 35 39 1 16]
我的解答:
线性代数问题,题目把flag转成了矩阵A,我们要做的就是求出A
已知题目信息(由于变量较长,这里用缩略单词代替)
R, S = random_matrix
S = L * UE = L^(-1) * S * (A + R)
a = L * U * L
b = L^(-1) * S^2 * L
c = R^(-1) * S^8
求解过程
b * a^(-1) = L^(-1) * S (S = L * U = U * L)
a * b^(-1) * E = A + R (上式^(-1) * E)a * b * a^(-1) = S^2 (define ss)
c * ss^(-4) = R^(-1)a * b^(-1) * E – c * ss^(-4) = A (solve)
exp:
import reimport stringalphabet = string.printable[:71]p = len(alphabet)with open('output', 'r') as f: data = f.read().split('\n')[:-1]data = [re.findall(r'\d+', d) for d in data]data = [[Integer(di) for di in d] for d in data]n = 11E = matrix(GF(p), data[:11])LUL = matrix(GF(p), data[11: 22])ULUL = matrix(GF(p), data[22: 33])RiLU8 = matrix(GF(p), data[33: 44])Ui = LUL * ULUL^(-1)Ri = RiLU8 * Ui * (ULUL^(-1))^3 * LUL^(-1)U = Ui^(-1)assert Ri * (LUL * U)^4 == RiLU8R = Ri^(-1)AR = Ui * EA = AR - Rprint(A)flag = ''for k in range(24): i, j = 5*k // 11, 5*k % 11 flag += alphabet[A[i, j]]print(flag) from hashlib import md5flag = 'DASCTF{' + f'{md5(flag.encode()).hexdigest()}' + '}'print(flag)