CTF|2021DASCTF八月挑战赛Writeup CTF|python

【CTF|2021DASCTF八月挑战赛Writeup】
2021DASCTF八月挑战赛Writeup

MISC
- 签到
- 寒王'sblog
- stealer
CRYPTO
- easymath
- let's play with rsa~
- ezRSA

MISC 签到看看公告就有啦(嘿嘿嘿，真-签到题)

flag{welcome_to_dasctf_aug}

寒王’sblog 到给的博客里面看，可以看到写了关于outguess隐写的内容，整个博客就博客头像一个图片，猜测是图片，拿博客内容里面的密码试，不对。仔细观察博客，要找到flag.jpg就行了，因为之前有过搭建博客的经验，就决定到这个博客的搭建的平台gitee去寻找，找到gitee上的仓库

文章图片

找到最新上传的文件，找到flag.jpg

文章图片

在装有outguess的lunix系统下使用outguess的命令

outguess -k "hahahahahahaha" -r flag.jpg out.txt

得到flag

flag{50aa7fe02602264e7d8102746416cd74}

stealer 方法一
打开流量包，过滤DNS，发现有很多重复的数据，过滤ip

dns and ip.src=https://www.it610.com/article/=172.27.221.13

将info取出，观察发现是图片的base64编码，将字符串进行编辑方便转码。

字符串的变化如下：原字符串： Standard query 0x6a7a A iVBORw0KGgoAAAANSUhEUgAABMoAAAMxCAIAAACVY8g6AAAAAXNSR0IAr-.s4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAP-.lSURBVHhe7P1HlBzZmd6NUxtqjrShdtzoHB6ttMROswlNp/U9OiGKwd-.f8KbRDtXw3hdQMGWBgjcF1432aDZN04MUySGHMxqvgUajGWg*6fsoffpL-.ctf.com.cn OPT 操作： 1、去除多余字符串”Standard query 0x6a7a A”、”ctf.com.cn OPT”、”-.” 2、将“*”替换为“+” 转化后字符串：iVBORw0KGgoAAAANSUhEUgAABMoAAAMxCAIAAACVY8g6AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAPlSURBVHhe7P1HlBzZmd6NUxtqjrShdtzoHB6ttMROswlNp/U9OiGKwdf8KbRDtXw3hdQMGWBgjcF1432aDZN04MUySGHMxqvgUajGWg+6fsoffpL

然后拿到图片
方法二(别人的做法，没弄懂)
使用tshark命令(linux安装)

tshark -rdump.pcapng -T fields -e dns.qry.name-Y "udp and dns.flags.response==0"> res.txt

from Crypto.Util.number import * import base64with open('D:\\桌面\\res.txt','r')as f: lines=f.readlines() tmp=[] # tmp1=[] for i,line in enumerate(lines): if '-.ctf.com.cn' in line: line1=line.strip().replace("-.ctf.com.cn","").replace('-.',"").replace("*","+") tmp.append(line1) # tmp1.append(len(line1)) b=''.join(tmp) # print(b) b1=base64.b64decode(b.encode()) open('res.png','wb').write(b1) # print(tmp1)

拿到图片

文章图片

flag(有点坑，只要输{}里面的md5就行)（md5里面没有o、l，所以图片里面的就是0和1）

1d3f729ac02bbc15f00adccd79207ab0

CRYPTO easymath 题目：

assert(len(open('flag.txt', 'rb').read()) < 50) assert(str(int.from_bytes(open('flag.txt', 'rb').read(), byteorder='big') << 10000).endswith( '1862790884563160582365888530869690397667546628710795031544304378154769559410473276482265448754388655981091313419549689169381115573539422545933044902527020209259938095466283008'))

解题脚本：

import gmpy2 r = 1862790884563160582365888530869690397667546628710795031544304378154769559410473276482265448754388655981091313419549689169381115573539422545933044902527020209259938095466283008 y = r //(2 ** 175) flag=(y*gmpy2.invert((2 ** 9825),(5 ** 175)))%(5 ** 175) t=int(flag).to_bytes(50,byteorder='big') print(t)

推理过程看大佬详细的WP
let’s play with rsa~ 题目：

from sympy import isprime,nextprime from Crypto.Util.number import getPrime as getprime ,long_to_bytes,bytes_to_long,inverse flag='flag{***************}' def play(): p=getprime(1024) q=getprime(1024) n=p*q e=65537 print "Hello,let's play rsa~\n" print 'Now,I make some numbers,wait a second\n' n1=getprime(200) n2=getprime(200) number=n1*n2 print "Ok,i will send two numbers to you,one of them was encoded.\n" print "Encode n1:%d,\n"%(pow(n1,e,n)) print "And n2:%d.\n"%n2 print "Information that can now be made public:the public key (n,e):(%d,%d)\n"%(n,e) while True: try: c=int(raw_input("ok,now,tell me the value of the number (encode it for safe):")) except: print "Sorry,the input is illeagal, and the integer is accept~" else: break d=inverse(e,(p-1)*(q-1)) m=pow(c,d,n) if m==number: print "It's easy and interesting,didn't it?\n" print "This is the gift for you :"+flag else: print "Emmmmm,there is something wrong, bye~\n" if __name__ == '__main__': play()

题目给出n、e、pow(n1,e,n)、n2，求c
c = n u m b e r e m o d n = ( n 1 ? n 2 ) e m o d n = ( ( n 1 e m o d n ) ? ( n 2 e m o d n ) ) m o d n c=number^e modn=(n1*n2)^e modn=((n1^e modn)*(n2^emodn))modn c=numberemodn=(n1?n2)emodn=((n1emodn)?(n2emodn))modn
解题脚本：
(nc连上后会给出n、e、pow(n1,e,n)、n2）(这边以我nc得到的为例解题)

a = 12961409879680531683887750211274207457513312084569696075205671038512045983337591135848947097185699604453906986636309421174482607699320759296109315315716510712493223473758909665964696575970829701893860144925111613206750829054110563245759651636500800410800611799341091945238575572204744180794490600917575137957033704047292694479180193784052662788188456092611151703198998693787287001909323881137356776611226888433795185583110831437797736663143463934550216639249647171621868213923613785097805958460050341741859668930711065658867650077543948915545547210086665007538174470035036590197762464220663633877458187978934543610137 n2 = 975655394741265791809418303766264964352618962129532647048963 n=17984939304898650803158254840695698991976109768815074321859078838424106854968841553367705813676890566467526226777393337854287622085939699972674300671017434385268427211627149875201145197397614084981293689781191198014025392826496825995772507143839566355038037041002531894155725475951426118850290776380334951977592054772067742756171095427402698085736400771503751576111160577981596580675760373492947131376839865309631659266553436954094643785398989702090587019292927772255810184788705872695851653803767757272932373185881635106333541090761339331432007675440553128966093172385018789133381793617410838502288664808530049842759 e = 65537 c = (a * pow(n2, e, n)) % n print(c)

提交c返回得到flag
ezRSA 题目：

from secret import flag from Crypto.Util.number import * from random import getrandbits from hashlib import sha256 class EzRsa: def __init__(self): self.E = 0x10001 self.P = getPrime(1024) self.Q = getPrime(1024) while GCD((self.P-1)*(self.Q-1), self.E) != 1: self.Q = getPrime(1024) self.N = self.P*self.Q def encrypt(self): f = getrandbits(32) c = pow(f, self.E, self.N) return (f, c) def encrypt_flag(self, flag): f = bytes_to_long(flag) c = pow(f, self.E, self.N) return c def proof(): seed = getrandbits(32) print(seed) sha = sha256(str(seed).encode()).hexdigest() print(f"sha256({seed>>18}...).hexdigest() = {sha}") sha_i = input("plz enter seed: ") if sha256(sha_i.encode()).hexdigest() != sha: exit(0) if __name__ == "__main__": proof() print("welcome to EzRsa") print(""" 1. Get flag 2. Encrypt 3. Insert 4. Exit """) A = EzRsa() coin = 5 while coin > 0: choose = input("> ") if choose == "1": print( f"pow(flag,e,n) = {A.encrypt_flag(flag)}\ne = 0x10001") exit(0) elif choose == "2": f, c = A.encrypt() print(f"plain = {f}\ncipher = {c}") coin -= 1 elif choose == "3": q = getrandbits(1024) n = A.P*q f = getrandbits(32) c = pow(f, 0x10001, n) print(f"plain = {f}\ncipher = {c}") coin -= 1 elif choose == "4": print("bye~") else: print("wrong input") print("Now you get the flag right?")

给你5个coin，1次选择选项1，剩下四次选择选项2、3，当然是平均分配啦。得到四组f、c，两组同q解n，两组不同q解p

2选项 k1n=m21^e-c21 k2n=m22^e-c22 如果gcd(k1,k2)!=1: 那么gcd(k1n,k2n)=k5n3选项 k3p*q=m31^e-c31 k4p*q=m32^e-c32 如果gcd(k3,k4)!=1: 那么gcd(k3p*q,k4p*q)=k6p

注意！！要考虑不互素的情况
解题脚本：

import gmpy2 import libnumm21 = 432540985 c21 = 7166105329146126000346846799091650898966999155559872071334165373085824639643357340387736867673948949437295645705541881374251463627954867215153754248479607455314501625059368006554456541594829525164594977575051605373580652734948771955132736124144931483976254038698037906320691536102595142817254635128316548640526742258396037736624974201452775566498749686521125689117077825614676728737889758051136033004868110506865885780994503922363995103685835021430586212695942148526088098869737679103317241698921778369133664568044970132074560250492688801256203642144910896398777358726349100245228945110134579964713795561704675625836m22 = 832433238 c22 = 7068072774444874580843417684352862167509575799447044790925098273022805484339636628726051282308361580345803607470642836938247714174670185418844448110396620415640990336788728326764477161069207367942449417003955828316228120602384920985161057720856713726319102264142124823852191253035614776899528170161081527818980079567071942336953307505627425190268269896232927663142207335803294770668174075896648763132547865986794466490963711592538821527241565132434315309203043850884330880471384804577858687121008366255392040964137615612622718249221451373050550035988762430971866909043093506143514830259205676124914411640454949769514m31 = 803092604 c31 = 9858061312093654496768968596097501224678614520625887945733170012236020650884606662567525945230720496908398041384708999618217120424456835837520254472794298782801785322426682540037835690902209518506529355172493693012753783133447141964001801908108246725869203422002782991435705743052764243289474944794105647964810575201516329006631623431476942605223169157252417903703894306636035587745490699125350078705206470856005724867576219806201586124846417599897712607698931227973794077078199208851048569386781383768930174636782623527857434298933738057735468619183445620008223850132708634891907499854374991187011529197042230646959m32 = 407827977 c32 = 9863511828345122655318417789758326362972155249380521046094363106330914667719541369853161354832638229300504131579973818373987565381237053514335756148865347534946328612468008346912307466621874348634289579602255609545387098973079063492763912905225505720948250925345458151757932596246692755570051379007452621160936151870226301905454456709756228915895779952880287559823982391786349058583700592960020679432834444698462657381016169068254820248864870315358313005721370177632775087124268837165293488573472585505563114178522926629394131843183761480379187251213034958089397342815187352111820752209064084639988490442466085392363c = 7381125776751959446383348016580510257704798119845665945201944033052555935656713698467247959233790127327214355429648255631628985300458608740078555958883489917944617439105827815224630836947733765684747756636698321010977136609738673905945624585893659056271171662069018034510708480585607431573246586211145591759329437967929837683542135674353508920055645757133194288396748112704213294483816147806206043194476131284869098739640171544518373288980710485452989822448431998651248525720045903096843189714992580406453445524466346573496924330678123163145497572043186951795043533663444724588959680284679456217293084234000618759022 e = 0x10001# 3选项，求p def p_def(p): k = 1 while 1: if gmpy2.is_prime(p): return p elif p % (k) == 0 and k != 1: p = p // k else: k += 1# 2选项求q def q_def(n, p): k = 1 q = n // p while 1: if gmpy2.is_prime(q): return q elif p % (k) == 0 and k != 1: q = q // k else: k += 1kp = gmpy2.gcd(m31 ** e - c31, m32 ** e - c32) p=p_def(kp) kn = gmpy2.gcd(m21 ** e - c21, m22 ** e - c22) #print(kn) q=q_def(kn,p) n=p*qprint(n==p*q) phi=(p-1)*(q-1) d=gmpy2.invert(e,phi) flag=pow(c,d,n) print(flag) print(libnum.n2s(int(flag)))