BUUCTF Crypto writeup

Since most people tend to copy answers directly, only some hints and key steps are given here

Part1#

md5#

The MD5 you get on opening the challenge is the flag

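Url编码 (URL encoding)#

Just URL-decode it

一眼就解密 (Decrypt at a glance)#

Base64 decode

看我回旋踢 (Watch my roundhouse kick)#

Caesar cipher

摩丝 (Mousse)#

Morse code

password#

Generate the password from the social-engineering information: zx19900315

变异凯撒 (Mutated Caesar)#

Caesar with an additional offset, n+4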

Quoted-printable#

http://ctf.ssleye.com/quoted.html

Rabbit#

http://www.jsons.cn/rabbitencrypt/

篱笆墙的影子 (Shadow of the fence)#

https://www.qqxiuzi.cn/bianma/zhalanmima.php

RSA#

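Given p, q, e; find d

丢失的MD5 (The lost MD5)#

Modify the script slightly and run it

Alice与Bob (Alice and Bob)#

Factor the large number

rsarsa#

Given p, q, e, c; find m

大帝的密码武器 (The emperor's cipher weapon)#

Caesar cipher

Windows系统密码 (Windows system password)#

Windows NTLM; just crack the hash

信息化时代的步伐 (The pace of the information age)#

http://code.mcdvisa.com/

传统知识+古典密码 (Traditional knowledge + classical ciphers)#

Look up the corresponding numbers at https://baike.baidu.com/item/%E5%85%AD%E5%8D%81%E7%94%B2%E5%AD%90/2615886?fr=aladdin, add 60 to get the ASCII codes, then apply the rail fence cipher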

凯撒?替换?呵呵! (Caesar? Substitution? Heh!)#

https://quipqiup.com/

RSA1#

Given p, q, dp, dq, c; find m. For the derivation see https://skysec.top/2018/08/25/RSA%E4%B9%8B%E6%8B%92%E7%BB%9D%E5%A5%97%E8%B7%AF-2/
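The recombination this hint relies on, as an added example that is not part of the original writeup. The primes, exponent and message are constructed toy values, not the challenge's parameters, and `crt_decrypt` is a name chosen here.

```python
# Added example: RSA decryption from the CRT exponents dp and dq only.
# d itself is never needed once dp = d mod (p-1) and dq = d mod (q-1) are known.

def crt_decrypt(c, p, q, dp, dq):
    """Recover m = c^d mod p*q from the CRT exponents dp and dq."""
    mp = pow(c, dp, p)                    # m mod p
    mq = pow(c, dq, q)                    # m mod q
    h = (pow(q, -1, p) * (mp - mq)) % p   # Garner's recombination step
    return mq + h * q                     # unique value below p*q


def demo():
    # Constructed parameters: two Mersenne primes and the usual public exponent.
    p, q, e = 2**61 - 1, 2**89 - 1, 65537
    dp = pow(e, -1, p - 1)                # what the challenge hands out as dp
    dq = pow(e, -1, q - 1)                # what the challenge hands out as dq
    m = int.from_bytes(b"flag{crt}", "big")
    c = pow(m, e, p * q)
    r = crt_decrypt(c, p, q, dp, dq)
    return r.to_bytes((r.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```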

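萌萌哒的八戒 (Cute Bajie)#

Pigpen cipher

old-fashion#

Brute-force analysis with quipqiup

权限获得第一步 (First step to gaining privileges)#

NTLM decryption

世上无难事 (Nothing in the world is difficult)#

quipqiup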

RSA3#

RSA common modulus attack

RSA2#

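dp leak

import gmpy2 as gp

# n, e, dp and c come from the challenge file.
# e*dp = 1 + i*(p-1) for some 1 <= i < e, so test every candidate i.
for i in range(1, e):
    if (dp*e - 1) % i == 0:
        p = (dp*e - 1)//i + 1      # candidate prime factor
        if n % p == 0:
            q = n // p
            phi = (q-1)*(p-1)
            d = gp.invert(e, phi)
            m = pow(c, d, n)
            break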

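异性相吸 (Opposites attract)#

Both are 38 bytes; XOR them bit by bit and convert the result to bytes

还原大师 (Restoration master)#

Only 4 bytes of the plaintext are unknown; just brute-force them

Unencode解码 (Unencode decoding)#

Find a website and decode it directly

RSA#

Factor n (a small integer)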

[AFCTF2018]Morse#

Convert the Morse code directly

RSAROLL#

Small-integer factorization

Part2#

robomunication#

Audio, Morse code; be patient

Dangerous RSA#

Small e; brute-force

Cipher#

playfair

[HDCTF2019]basic rsa#

n = p*q = (p+1)(q+1)-1-(p+q)

[GXYCTF2019]CheckIn#

Base64 + rot 47

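达芬奇密码 (The Da Vinci Code)#

Fibonacci sequence

rsa2#

Large e; Wiener's attack

密码学的心声 (The voice of cryptography)#

Octal

RSA5#

Same-plaintext attack: iterate over all the n values, compute the gcd of each pair, and find p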

[BJDCTF2020]这是base?? (Is this base??)#

Base64 with a custom alphabet

传感器 (Sensor)#

Manchester encoding

rot#

Rot13

[NCTF2019]Keyboard#

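Keyboard cipher on a 9-key keypad; for example, ooo means the third letter on key 9

[NCTF2019]childRSA#

Factor n with Pollard's p-1

这是什么 (What is this)#

JSFuck

[HDCTF2019]bbbbbbrsa#

Brute-force e

[MRCTF2020]古典密码知多少 (How much do you know about classical ciphers)#

Rail fence cipher

[WUSTCTF2020]佛说:只能四天 (Buddha says: only four days)#

Decode the "Buddha says" cipher: http://hi.pcmoe.net/buddha.html

This yields core-socialist-values encoding

Then rail fence

Then Caesar

Then Base32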

[BJDCTF2020]RSA#

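Brute-force e; shared p

[MRCTF2020]天干地支+甲子 (Heavenly Stems and Earthly Branches + Jiazi)#

The numbers of the Heavenly Stems and Earthly Branches + 60

[BJDCTF2020]rsa_output#

Common modulus attack

[MRCTF2020]vigenere#

Vigenère: https://www.guballa.de/vigenere-solver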

[ACTF新生赛2020]crypto-rsa0#

Standard RSA

[BJDCTF2020]signin#

Hex to ASCII

[MRCTF2020]keyboard#

Same as NCTF 2019 Keyboard

[WUSTCTF2020]babyrsa#

Factor n (a small integer)

RSA4#

Broadcast attack

[GWCTF 2019]BabyRSA#

p and q are close; Fermat factorization

SameMod#

RSA common modulus attack
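The common modulus hint used for RSA3, [BJDCTF2020]rsa_output and SameMod, as an added example that is not part of the original writeup. The modulus, exponents and message are constructed toy values; the function names are chosen here. It shows why one modulus must never be reused with two exponents for the same message.

```python
# Added example: same m encrypted under (n, e1) and (n, e2) with gcd(e1, e2) == 1.
# Bezout gives s1*e1 + s2*e2 == 1, so c1^s1 * c2^s2 == m (mod n) without factoring n.

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def common_modulus_recover(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n)."""
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # One Bezout coefficient is negative; pow() then uses the modular inverse.
    return pow(c1, s1, n) * pow(c2, s2, n) % n


def demo():
    n = (2**89 - 1) * (2**107 - 1)        # constructed modulus; factors are not used below
    e1, e2 = 17, 65537                    # constructed coprime exponents
    m = int.from_bytes(b"flag{cm}", "big")
    c1, c2 = pow(m, e1, n), pow(m, e2, n)
    r = common_modulus_recover(n, e1, c1, e2, c2)
    return r.to_bytes((r.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```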

一张谍报 (An intelligence report)#

https://blog.csdn.net/weixin_30460489/article/details/95697477

yxx#

xor

Part3#

浪里淘沙 (Panning sand from the waves)#

What on earth is this: https://blog.csdn.net/seven749/article/details/109208589

这是什么觅🐎 (What cipher is this)#

https://www.cnblogs.com/vict0r/p/13562808.html

[BJDCTF2020]easyrsa#

z=Fraction(1,Derivative(arctan(p),p))-Fraction(1,Derivative(arth(q),q))

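That is, z = p^2+q^2; solve for p and q with junior-high-school math

[AFCTF2018]Vigenère#

Same as the Vigenère challenge above

[ACTF新生赛2020]crypto-rsa3#

p and q are close; Fermat factorization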
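Fermat factorization as hinted for [GWCTF 2019]BabyRSA and crypto-rsa3, as an added example that is not part of the original writeup. The two primes and the message are constructed values, and `fermat_factor` is a name chosen here. The step budget shows why key generation has to keep p and q far apart.

```python
# Added example: when p and q are close, n = a^2 - b^2 with a just above sqrt(n).
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Factor odd n = p*q by searching a >= ceil(sqrt(n)) until a*a - n is a square."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b           # (p, q) with p <= q
        a += 1
    return None                           # primes too far apart for this budget


def demo():
    # Constructed parameters: two well-known primes about 1.7 million apart.
    p, q, e = 998244353, 1000000007, 65537
    n = p * q
    m = int.from_bytes(b"fermat", "big")
    c = pow(m, e, n)
    fp, fq = fermat_factor(n)             # found after a few hundred steps
    d = pow(e, -1, (fp - 1) * (fq - 1))
    r = pow(c, d, n)
    return (fp, fq), r.to_bytes((r.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```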

[NCTF2019]babyRSA#

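k(p-1)*(q-1)==ed-1; p and q are very close, so brute-force k to obtain p and q: https://blog.csdn.net/weixin_44110537/article/details/107214109

[AFCTF2018]你能看出这是什么加密么 (Can you tell what encryption this is)#

Standard RSA

[AFCTF2018]可怜的RSA (Poor RSA)#

Factor n

[RoarCTF2019]babyRSA#

Tests Wilson's theorem

-1 % A = (A-1)! % A = B!(B+1)...(A-1) % A, from which p and q can be found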

[RoarCTF2019]RSA#

A=(((y%x)**5)%(x%y))**2019+y**316+(y+1)/x

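From the value of A we know that ((y%x)**5)%(x%y) can only be 1; then simply brute-force the values of x and y

y = 83
x = 2

p and q can be brute-forced from the distribution of primes

Then brute-force e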

RSA & what#

Common modulus attack + Base64 steganography: https://www.cnblogs.com/vict0r/p/13282901.html

[MRCTF2020]babyRSA#

Routine; find p from the pattern of the primes

import sympy
from Crypto.Util.number import inverse, long_to_bytes

def solve():
    # P[9] is given; the other 16 factors are the neighbouring primes.
    P = [0 for i in range(17)]
    P[9] = 206027926847308612719677572554991143421
    for i in range(10,17):
        P[i] = sympy.nextprime(P[i-1])
    for i in range(8,-1,-1):
        P[i] = sympy.prevprime(P[i+1])
    phi = 1
    n = 1
    for i in range(17):
        phi = phi*(P[i]-1)
        n = n*P[i]
    P_factor=213671742765908980787116579976289600595864704574134469173111790965233629909513884704158446946409910475727584342641848597858942209151114627306286393390259700239698869487469080881267182803062488043469138252786381822646126962323295676431679988602406971858136496624861228526070581338082202663895710929460596143281673761666804565161435963957655012011051936180536581488499059517946308650135300428672486819645279969693519039407892941672784362868653243632727928279698588177694171797254644864554162848696210763681197279758130811723700154618280764123396312330032986093579531909363210692564988076206283296967165522152288770019720928264542910922693728918198338839

    e = 65537
    d = inverse(e,phi)
    # Decrypt P_factor under the 17-prime modulus, then step to the next prime to get p.
    p = pow(P_factor,d,n)
    p = sympy.nextprime(p)
    Q_1 = 103766439849465588084625049495793857634556517064563488433148224524638105971161051763127718438062862548184814747601299494052813662851459740127499557785398714481909461631996020048315790167967699932967974484481209879664173009585231469785141628982021847883945871201430155071257803163523612863113967495969578605521
    Q_2 = 151010734276916939790591461278981486442548035032350797306496105136358723586953123484087860176438629843688462671681777513652947555325607414858514566053513243083627810686084890261120641161987614435114887565491866120507844566210561620503961205851409386041194326728437073995372322433035153519757017396063066469743
    sub_Q = 168992529793593315757895995101430241994953638330919314800130536809801824971112039572562389449584350643924391984800978193707795909956472992631004290479273525116959461856227262232600089176950810729475058260332177626961286009876630340945093629959302803189668904123890991069113826241497783666995751391361028949651
    # q is the next prime after sub_Q^Q_2 mod Q_1.
    Q = pow(sub_Q, Q_2 ,Q_1)
    q = sympy.nextprime(Q)
    phi = (p-1)*(q-1)
    n = p*q
    d = inverse(e,phi)
    c = 1709187240516367141460862187749451047644094885791761673574674330840842792189795049968394122216854491757922647656430908587059997070488674220330847871811836724541907666983042376216411561826640060734307013458794925025684062804589439843027290282034999617915124231838524593607080377300985152179828199569474241678651559771763395596697140206072537688129790126472053987391538280007082203006348029125729650207661362371936196789562658458778312533505938858959644541233578654340925901963957980047639114170033936570060250438906130591377904182111622236567507022711176457301476543461600524993045300728432815672077399879668276471832
    m = pow(c,d,n)
    print(long_to_bytes(m))

solve()

[WUSTCTF2020]dp_leaking_1s_very_d@angerous#

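dp leak attack

[NPUCTF2020]EzRSA#

lcm(p-1,q-1) is too large; iterating over its multiples yields p and q. Note that e is composite and becomes prime after dividing by 2, so turn the problem into solving for m^2 and take the square root at the end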
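The second half of this hint (e is twice a prime, so decrypt to m^2 and take an integer square root), as an added example that is not part of the original writeup. The primes, exponent and message are constructed toy values, `decrypt_with_even_e` is a name chosen here, and recovering p and q from the lcm is assumed to be done already.

```python
# Added example: gcd(e, phi) == 2, so e has no inverse mod phi, but e//2 does.
# c^(inverse of e//2) == m^2 (mod n); if m^2 < n this is an exact integer square.
from math import gcd, isqrt


def decrypt_with_even_e(c, e, p, q):
    """Recover m when e = 2*e' with gcd(e', phi) == 1 and m*m < p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e % 2 or gcd(e // 2, phi) != 1:
        raise ValueError("expected e = 2*e' with e' invertible mod phi")
    d_half = pow(e // 2, -1, phi)
    m_sq = pow(c, d_half, n)              # equals m^2 mod n
    m = isqrt(m_sq)
    if m * m != m_sq:
        raise ValueError("m^2 wrapped around n; a modular square root is needed")
    return m


def demo():
    # Constructed parameters: two Mersenne primes, e = 2 * 65537.
    p, q, e = 2**89 - 1, 2**107 - 1, 2 * 65537
    m = int.from_bytes(b"flag{even_e}", "big")   # 96 bits, so m^2 < n
    c = pow(m, e, p * q)
    r = decrypt_with_even_e(c, e, p, q)
    return r.to_bytes((r.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```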

Part4#

[MRCTF2020]Easy_RSA#

Solve the equation for p; given ed and n, find q

Part5#

[GKCTF 2021]Random#

PRNG

from mt19937predictor import MT19937Predictor
from hashlib import md5

with open("random.txt",'r') as f:
    content = f.read().split('\n')[:-1]

predictor = MT19937Predictor()
# 104 rounds of 32 + 64 + 96 bits = 624 32-bit words, the full MT19937 state
for i in range(104):
    predictor.setrandbits(int(content[3*i]),32)
    predictor.setrandbits(int(content[3*i+1]),64)
    predictor.setrandbits(int(content[3*i+2]),96)   # third value of the round

flag = md5(str(predictor.getrandbits(32)).encode()).hexdigest()
print(flag)

Part6#

Part7#
