网安实践4-Crypto

T1.格密码

找到一道原题,代码几乎一样

近期一些CTF比赛的题目(MISC+CRYPTO) - Hannibal0x の Blog

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from Crypto.Util.number import *
import gmpy2
from flag import flag

def encrypt(plaintext):
    p = getStrongPrime(3072) 
    m = bytes_to_long(plaintext)
    r = getRandomNBitInteger(1024)
    while True:
        f = getRandomNBitInteger(1024)
        g = getStrongPrime(768)
        h = gmpy2.invert(f, p) * g % p
        c = (r * h + m * f) % p
        return (h, p, c)

看不懂密码学拿解密代码改一改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
h= 311970364425799366998489758816351964614898164597015962390522858760089331210269507769408330245745888541705059882396722340774681935443615888403494901415226651295201132556613291289590900246992553502513664561058230713840616052310750850144077552701142563872837663789636304968423919464707545482008647087312063949024744195318160335652074407874634742273493108112212110123691909346846612115479023950119286716243604630664235633831784083300431161225131883065150778501178458601885263943907964612851841356128492283759401129349655263360496418606534637831065564054627124545266130146585012568948018083420026867791483624987951876329968315410612748989452628410331813540143425873481351220499681815979569479285905651270208308396719282247586008816711527598915797885618862654168623002012746684102245733757428828517277952675441290263051618987121956646671901357370585784409633697165339182406341764320293630983680416055584947772382282259966044517683538433409836256995980804901093405108581243143413703339657071622279140236369465154220363993923085583049720512383384577159975134910449465903227555419552492606439149153015674603047695345700309870206034743317361786333732070962362572427411597266252707397451423195512449103367120235737550650354427690243524900449675
p= 958396606448120961344481821891302529131234571519205540072533929007120447482644938027839069855225984909598017115601687321093037138370623689366302399472755221666720998204960391688686871213784218139146955110040572010513513710257471193690475085340782434134757767894370195789546551282060123540167285748706110004061656181247087025993389812671658906912145384679566372037915179523706023309666826191629634851598509448675340758156737530185937223948687001934035933966720541257653562031308634592003639145311246147664928094381997264652669457904886666262851691565920076364034433600062253014377522558972668765617631467665085324790312091927917199333642804731490452686230714946707520153374983386856748968281865500447110447064499127304576389450231449458997253721401398074788997192735673939296531420329207264490272774186484762804708405995307032141715953080254098506768585899454119852852002578252291310329200959476618660765556861112558404254680356703540148703891793429589128285327230398620737214653509556883409293525132433655639546382948760666188308135216174434756100646981938900940757869329579150360836505992616459066632938605335205569767007863591747811468281490752448411521431430302168214014717351186242150709061058943921599462022604009950194741903607
c= 767158168672362136291238223905378538545444315829681403660668665037917788547250510431680762324989504337886911129872811283399423182492713085621340850466620775416712732614020830060267436728824312319343522189998875569791210615658554329492772575522352284894778864900683043087475949382767603528807809596004213194946687583749277851731545121301799909443549367647188538291294493900118514585149301404415365107375148502163345229200555520367376148986792681776613941685900525114359918025093194374564154918465789098039688273260831196880453048787881692220588699313824407443049610470566611891830120455606865304514498141918370250200060333776115471607369861567714061571248634366226901360555240991881037749649258353302128601187117945261098036478588953880956746052307508140721683848770369771427200654010686745459084737649483182116223928908511586372587312845173805333061611628627699056444060210866689908925857413693914088384801590539118419817748706914585535977225375257595014121709225398146804929559026288825337416874187757876993164395155899845807880799091660701491902131855351054079661782867046531376623992742661604584530403794933640735943298254524984623808363772872836875750554022138997087590785362832339405833456398277842368920260448389099114876068641

# Construct lattice.
v1 = vector(ZZ, [1, h])
v2 = vector(ZZ, [0, p])
m = matrix([v1,v2]);

# Solve SVP.
shortest_vector = m.LLL()[0]
f, g = shortest_vector
if f < 0:
    f = -f
if g < 0:
    g = -g

# Decrypt.
a = f * c % p % g
m = a * inverse_mod(f, g) * inverse_mod(f, g) % g
print(hex(m)) 
# 766d637b4c3474746963655f49355f7072657474795f656173795f4630725f552121217d

hex解码一下得到flag

vmc{L4ttice_I5_pretty_easy_F0r_U!!!}

T2.签名算法

看代码nonce是随机的,以为没法做,nc脸上去发现每次签名r相同,因此nonce是固定的,即k共享

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❯ nc 10.12.153.8 31539

Welcome to Hust Signer. 
What do you want to do?
1) Make signature
2) Get the flag 
>1
34705452163096362550088533735564930085489802406439052255, 5575093540335095931762919420534746169532440392768986557355, 1053674520760038124359502110783630886
❯ nc 10.12.153.8 31539

Welcome to Hust Signer. 
What do you want to do?
1) Make signature
2) Get the flag 
>1
34705452163096362550088533735564930085489802406439052255, 1543509685086703115590790680094992130950572761005237727533, 237478124173899114110326705808973799422

DSA - CTF Wiki

如果在两次签名的过程中共享了k,我们就可以进行攻击。

假设签名的消息为m1,m2,显然,两者的r的值一样,此外

$s_1\equiv (H(m_1)+xr)k^{-1} \bmod q$

$s_2\equiv (H(m_2)+xr)k^{-1} \bmod q$

这里我们除了x和k不知道剩下的均知道,那么

$s_1k \equiv H(m_1)+xr$

$s_2k \equiv H(m_2)+xr$

两式相减

$k(s_1-s_2) \equiv H(m_1)-H(m_2) \bmod q$

此时 即可解出k,进一步我们可以解出x。

在ECDSA算法中,pq 是椭圆曲线的参数,具体取决于选择的椭圆曲线。常见的椭圆曲线参数如下:

  • p: 一个大素数,确定了有限域Fp的大小。
  • q: 另一个素数,通常是p的一个小素因子,用于确定椭圆曲线的阶N,即椭圆曲线上的点的数量。

在你的代码中,使用了ecdsa库,但没有直接给出椭圆曲线的参数。一般来说,库中会预设一些常用的椭圆曲线,如NIST标准推荐的曲线。如果没有明确指定的话,可以假定代码使用的是NIST P-192曲线,其参数为:

  • p: 6277101735386680763835789423207666416083908700390324961279
  • q: 6277101735386680763835789423176059013767194773182842284081
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/usr/bin/env python

import random
from ecdsa import ecdsa as ec 
from datetime import datetime
import hashlib
import gmpy2



p = 6277101735386680763835789423207666416083908700390324961279
q = 6277101735386680763835789423176059013767194773182842284081

str1 = "34705452163096362550088533735564930085489802406439052255, 5575093540335095931762919420534746169532440392768986557355, 1053674520760038124359502110783630886"
str2 = "34705452163096362550088533735564930085489802406439052255, 1543509685086703115590790680094992130950572761005237727533, 237478124173899114110326705808973799422"

msg = "18:28:48:get_flag"


r1, s1, m1 = (int(k) for k in str1.split(", "))
r2, s2, m2 = (int(k) for k in str2.split(", "))

r = r1
ds = s2 - s1
dm = m2 - m1
k = gmpy2.mul(dm, gmpy2.invert(ds, q))
k = gmpy2.f_mod(k, q)
tmp = gmpy2.mul(k, s1) - m1
x = tmp * gmpy2.invert(r, q)
x = gmpy2.f_mod(x, q)


RNG = random.Random()

g = ec.generator_192
N = g.order()
secret = x
PUBKEY = ec.Public_key(g, g * secret)
PRIVKEY = ec.Private_key(PUBKEY, secret)


hash = int(hashlib.md5(msg.encode()).hexdigest(), 16)
nonce = RNG.randrange(1, N)
signature = PRIVKEY.sign(hash, nonce)
print(f"{signature.r}, {signature.s}")
# 2079140469307508490797060536582491378355026873688689686229, 4998325838731312664960109441221576998116808485050203751346
1
2
3
4
5
6
7
8
9
10
❯ nc 10.12.153.8 31539

Welcome to Hust Signer. 
What do you want to do?
1) Make signature
2) Get the flag 
>2
Get signature for md5("18:28:48:get_flag")
233965655868685294179885764706615503304106608081701366113, 900437174388923868020574756506745236638121610998829116916
Congratulation! Here is your flag:vmc{mnY8MJLSxhqe4Yr8pxcXpOK4Y2FZ4wg0}

T3.RSA

https://blog.csdn.net/qq_51999772/article/details/121800073

Winer

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from Crypto.Util.number import *
import gmpy2,sympy


N1=27682578737141139764880192910976946263355689816882797515059917479242862799083599745594956880258244112867559722435850732812023189662581052511287867553308318268020022386306820424829898858029986193412922645944359409248568131057377380697236238480724883073062491532254626363468032145049953168789073328812076794158602028961853986034378144749656228541552641207393473830715156452473432130040360471566096165146087202836036783304640579183082301858529818598032339821237841219774124710789761912675044056265735587753304064079484844965820681168729776560497921764083742448045654891113500035063474318442078036531813957551086231747079155691690001433127187382636049871228279519466735719768798574776353687049667125384146566107739705553580693984918816215940308884007192621418304753551998125658993859095063641090798574130161651257890916914325076137436869018454577522833
C1=14360977893873474578201937159000122429359790977572665232657843468076201963407780015131857192621550737338805880514393357390576423731328871867241029260294051045710144482989801857054158816998897546124709802730198690244128545073634486145786763294634081834588146373913232490890078533918320777534358739106486350300547206365723045306767038214923412032633833255742963954701475401704385045019069883734625251436409851588044241336835452728962860280865504000103361559688861149086469939940113748174610019620309023214292662384279070127090992947332945432141695583191136521301940116585610033790348125114471980285332011918355578839128892075058698885319243593345096734776497817461251643381989958326810478500026684389358920342021836572511688796450072700142033952403561408907486022094802237175920044147084170050294965826258250618675638343726352907476393474128674488943
E1=138906518221471521524404330039616633297752765534176570868900039237133419857485415639423196636068397237296224442083213768630488100717977884415342104239280950424735129147986053115335928783190377695248250926374734988108972136349625965753649992146322810352768246041575396721661142246729747572832017510241749082431

N2=27682578737141139764880192910976946263355689816882797515059917479242862799083599745594956880258244112867559722435850732812023189662581052511287867553308576254232706953290519059976159239205559295965110148734449650209977235953163255494808056707188551192674128213090005439928085856216617642935948961573449294338310127166077195263402939848861686214485115686799032901147314759348481062418109120418661302585413868782602282463165171129063197961455779193665041902822948963032580054067050227612838335828201043413949164885293325493829570131849345344856137656453666135670724974184749115550720826497558763320127218251970576144750319782121194483563545371157323166968983176013145267856898865437101799958588342741257457472036311490402279982286349929050116350394664561659857216725849236910894778018502118673902399095646487808462155207034764432342699549109080808769
C2=11293777290569693972360166961981727494638218221438571150393361751316389824613571820229370915191500766619410597117671232443452691634734112652285521806824284959073558010661204730954928847260946403867297932862687770449632506087883187920107766050673462588812979708792790888354008526054467620780053118019643408427959406056087370960170992834047890080269663747877143270683069575318397144844481262382463469080755423097527007161449411933936669451476467352049264455203632729909164666006688294056405955940041007137719228484035343153943155100892867641033645111253109951972003798413524003505574000784399458705347262353155363413513341797868942085136977548116650815336000627353933708913237438841909324920070013498153627767891674969586034872104569344923832761239959420543717354211689339868787331074579605476477152218068810732089913023456240425720821047030224659918
E2=138906518221471521524404330039616633297752765534176570868900039237133419857485415639423196636068397237296224442083213768630488100717977884415342104239280950424735129147986053115335928783190377695248250926374734988108972136349625965753649992146322810352768246041575396721661142246729747572832017510241749082619


def exgcd(x,y):
    mult = []
    if y > x:
        x,y = y,x
    while y:
        mult.append(x//y)
        x,y = y,x % y
    return mult

mult = exgcd(N2,N1) # N1<N2

for n in range(len(mult)):
    temp = mult[:n]
    num = 0 # 分子
    deno = 1 # 分母
    for x in temp[::-1]:
        num,deno = deno, deno * x + num
    if N2 % deno == 0 and deno != 1:
        Q2 = deno
        print(Q2)
        break
Q1 = sympy.prevprime(Q2)
P1 = gmpy2.iroot(N1 // Q1,2)[0]
P2 = gmpy2.iroot(N2 // Q2,2)[0]
fai_n1 = (P1-1)*P1*(Q1-1)
fai_n2 = (P2-1)*P2*(Q2-1)
d1 = gmpy2.invert(E1,fai_n1)
d2 = gmpy2.invert(E2,fai_n2)
m1 = pow(C1,d1,N1)
m2 = pow(C2,d2,N2)
print(bytes.decode(long_to_bytes(m1)),end="")
print(bytes.decode(long_to_bytes(m2))) 
1
2
3
❯ python exp.py
10301044893491417230262098983568612323528116996677758760422518992562527438110447051022517514963283820163794498351668075963249416069471548218466748958216169
vmc{Y0u_Ar3_real11ly_sm4rt_in_rrssaa}

T4.分组密码

给了加密的IV和密文,需要给出IV和密文使解密明文从HUSTCTFer!______变为AdminAdmin!_____

CBC字节翻转

2020湖湘杯-CRYPTO-简单的密码3 WriteUp (CBC字节翻转) - lnjoy - 博客园

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/usr/bin/env python
from Crypto.Cipher import AES

key = bytes.fromhex("f34ec0d35a26506625ccb7f4780242ef")
iv = bytes.fromhex("783c29c115a4328766aafb1f1fa4c3ca")

token = b'HUSTCTFer!______'
cipher = AES.new(key, AES.MODE_CBC, iv)
code = cipher.encrypt(token)


token1 = b'HUSTCTFer!______'
token2 = b'AdminAdmin!_____'
iv2 = b''
for i in range(16):
    k = token1[i]^token2[i]^iv[i]
    iv2 += k.to_bytes()

iv = iv2

cipher = AES.new(key, AES.MODE_CBC, iv)
token = cipher.decrypt(code)

print(token)
# AdminAdmin!_____

修改IV后解密结果发生改变,因此拿到token后,提取出IV,修改IV,重新发送token即可实现修改解密结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
token = "1cf96b2516e92fca93a9147fb253abfc2f0ed4b954f2c27eb3977e6fa9f38948"
iv = bytes.fromhex(token[:32])

token1 = b'HUSTCTFer!______'
token2 = b'AdminAdmin!_____'
iv2 = b''
for i in range(16):
    k = token1[i]^token2[i]^iv[i]
    iv2 += k.to_bytes()

iv = iv2
token = iv.hex() + token[32:]
print(token)
# 15c855183bfc0dc288e66a7fb253abfc2f0ed4b954f2c27eb3977e6fa9f38948
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
❯ nc 10.12.153.8 31049
Only admin can get the flag ! 

Enter your choice:
1) Create HUSTCTFer Account
2) Create Admin Account
3) Login
4) Exit
1
here is your token: 1cf96b2516e92fca93a9147fb253abfc2f0ed4b954f2c27eb3977e6fa9f38948 

Enter your choice:
1) Create HUSTCTFer Account
2) Create Admin Account
3) Login
4) Exit
3
Enter your token > 
15c855183bfc0dc288e66a7fb253abfc2f0ed4b954f2c27eb3977e6fa9f38948
Hello Admin! Here is your FLAG: vmc{jNxhbisN4dyTwMHvtDsnCfgfbukw1kdd}

T5.Hill密码

已知一个密码体制是Z127上的三阶Hill密码,明密文空间均为ASCII码为0-126的字符,短块处理方式为:如果明文是3的整数倍,则补充3个空格’\x20’;如果明文不是3的整数倍,那么就补充1到2个空格直到明文总长度为3的倍数。现在已知一密文为

>u\x10l9\npI,0\x04^J\x00ib\x03\x0c\x158d\x1f\x08Ixk\nF\x19fz\x14PT\x04\x03>R~

它是对vmc{}型flag加密的结果

不会写了

ctf-wp
#Crypto
网安实践4-Crypto
https://blog.noxke.icu/2024/06/16/ctf_wp/网安实践4-Crypto/
作者
noxke
发布于
2024年6月16日
许可协议