BCTF warmup 50
这是一道关于RSA的解密题;首先,我们要明白,通常是公钥加密、私钥解密,私钥签名、公钥验证。这个题目中给出的是一个公钥和一段密文。
刚开始一直以为和验证签名有关,费劲脑汁也想不出来怎么办。下面介绍些思路。
首先,利用openssl分析公钥的格式,获得modulus和expoent。
方法一:利用openssl asn1parse来分析公钥格式
root@bt:~/Desktop# openssl asn1parse -in publickey.pub
:d= hl= l= cons: SEQUENCE
:d= hl= l= cons: SEQUENCE
:d= hl= l= prim: OBJECT :rsaEncryption
:d= hl= l= prim: NULL
:d= hl= l= prim: BIT STRING
那么在偏移为19处就是证书的expoent和modulus的信息。
root@bt:~/Desktop# openssl asn1parse -in publickey.pub -i -strparse
:d= hl= l= cons: SEQUENCE
:d= hl= l= prim: INTEGER :0367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
:d= hl= l= prim: INTEGER :F3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F
则第二行的十六进制就是modulus,第三行的十六进制则是expoent。观察到这里,expoent几乎和modulus一样长。
方法二:利用openssl rsa来获得modulus和expoent。
root@bt:~/Desktop# openssl rsa -in publickey.pub -pubin -modulus -text
Modulus ( bit):
:::8d:6b:::e9:::ad:d8:f2:2a::
:bc::be:1e:ab:d9::d1:b8:::fd:b7:5b:
8e:d2::be::d7:d1:b6:9d::::c1::c8:
6f:::2e:cb::::fd:9d::8a:6d::f8:
4d:b2:7b:c5:1a:::7d:c8:6f:4b:f7::c6::
c1::e5:ab:e5::b5:bd:2d:6e:b1:a2:1f:d6::
0e:7e:1b::fe:::fb:b2:e1:b0:b3::4e:6f:
4d:e8:b4:e4:a3::da::a1:3d:e8::b7:::
db:6c:7c:4a::b7:::e6:c8:7b:bf:de:f6:b4:
::d4:9c:::a5:8b:cd::b7:6d::b4::
:b1::bd:7e:bc:4d:ac:b0:b1:cf:d6:c2:c1::
:f4:0e:b2:ef:d0:e9:e1:0d:c7::5c:ad::bc:
af::b9:ea:c3::::d6:::c5:e7:::
4a::f0::ef:d1:d3:dc::6d:9b:5d:::e5:
8b:de:e4:3e::b9:9a:0d:::b9:db:::5a:
f9::af:f1::d4:a6:e2::da:d0:8d:a5:7f:a7:
e4:::a5:ba:db:2a::3e:da::b4:::ab:
:5d
Exponent:
:f3::9d::8e::eb:9f::de:f3:f3::d8:
f8:af:d7::::dd:ac::b7::b6:c2:2a:f0:
fa::2f::0b:::6b:d2:4a:::c7:8d:f4:
a0::5f::7f:d3:ab::2d:::7e:b9::e7:
1b:dd:cd:::c2:4b:::7b:8c:8f:cf:5a:dd:
4c:5d::f0:c7:7c::dc:9c::cb:e4::e2:b6:
7b:af:d3:::b6:aa:f1::1d::c3:ad:6f::
d0::b3::::b2:::d4::e6:7e:::
7f:7b:::7d:db:c0:c2:d5::ce::4c:bf:5d:
fc:cc::::f1:4e:0b:::f8:::e5:f0:
ba:e5:f0:1e:3f:a7:0d:b0:e9::5e:7c:fd::5e:
9c::ef:ee:c5::c3:3f:d9::7a::fd:8a:cd:
:3a:c9:::::3e::f9::8a:e3::1c:
dd:0a:9a:2b::6f:::c8:d4::a3::a0::
::::ee:cd::1a:bb::b0:::3e::
9f:2f:a4::::b2:::ff:c1:1e::1c:e8:
ee::5a::e7:e2::bc:f5:f7:6a:::::
fe:3f
Modulus=367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
同样的,我们获得了modulus和expoent。
由于expoent很大,可以使用Wiener攻击来得到d,从而对信息解密。
求d的python脚本使用了https://github.com/pablocelayes/rsa-wiener-attack上的,稍微修改了下。
import ContinuedFractions, Arithmetic
import sys
sys.setrecursionlimit(1000000)
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac) for (k,d) in convergents: #check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d
if __name__ == "__main__":
e = 0xF3959D978E02EB9F06DEF3F335D8F8AFD7609951DDAC60B714B6C22AF0FA912F210B34206BD24A9601C78DF4A0275F107FD3AB552D95057EB934E71BDDCD7045C24B18587B8C8FCF5ADD4C5D83F0C77C94DC9C50CBE438E2B67BAFD31633B6AAF1781D90C3AD6F03D037B3321801B23546D483E67E26067F7B22347DDBC0C2D592CE814CBF5DFCCC141437F14E0B3990F88061E5F0BAE5F01E3FA70DB0E9605E7CFD575E9C81EFEEC529C33FD9037A20FD8ACD513AC9637768313E63F9838AE3511CDD0A9A2B516F2148C8D475A360A06359449739EECD251ABB42B014573E439F2FA4573557B25699FFC11E631CE8EE975A86E7E272BCF5F76A93450348FE3F
n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
d = hack_RSA(e,n)
print d
#d为:4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399
解密的脚本,参考自:http://rickgray.me/2015/03/23/bctf2015-writeup.html 写得很简单,但很清晰
import binascii n = 0x367198D6B5614E95813ADD8F22A4717BC72BE1EABD933D1B86944FDB75B8ED230BE62D7D1B69D222095C128C86F82012ECB116191FD9D018A6D02F84DB27BC51A21307DC86F4BF771C691C143E5ABE549B5BD2D6EB1A21FD6270E7E1B48FE0611FBB2E1B0B3524E6F4DE8B4E4A345DA44A13DE825B72608DB6C7C4A40B78266E6C87BBFDEF6B48381D49C4507A58BCD47B76D64B45908B158BD7EBC4DACB0B1CFD6C2C19574F40EB2EFD0E9E10DC7005CAD39BCAF52B9EAC3873368D69031C5E724684A44F068EFD1D3DC096D9B5D6411E58BDEE43E46B99A0D0494B9DB28195AF901AFF130D4A6E203DAD08DA57FA7E40262A5BADB2A323EDA28B44696AB305D
d = 4221909016509078129201801236879446760697885220928506696150646938237440992746683409881141451831939190609743447676525325543963362353923989076199470515758399L
c = 0x1e04304936215de8e21965cfca9c245b1a8f38339875d36779c0f123c475bc24d5eef50e7d9ff5830e80c62e8083ec55f27456c80b0ab26546b9aeb8af30e82b650690a2ed7ea407dcd094ab9c9d3d25a93b2140dcebae1814610302896e67f3ae37d108cd029fae6362ea7ac1168974c1a747ec9173799e1107e7a56d783660418ebdf6898d7037cea25867093216c2c702ef3eef71f694a6063f5f0f1179c8a2afe9898ae8dec5bb393cdffa3a52a297cd96d1ea602309ecf47cd009829b44ed3100cf6194510c53c25ca7435f60ce5f4f614cdd2c63756093b848a70aade002d6bc8f316c9e5503f32d39a56193d1d92b697b48f5aa43417631846824b5e86 m = hex(pow(c,d,n)).rstrip("L")
print m
print binascii.unhexlify(m[2:])
#0x424354467b3965745265613479217d
#BCTF{9etRea4y!}
参考文献:
http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html
http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key
http://www.openssl.org/docs/apps/openssl.html
https://github.com/pablocelayes/rsa-wiener-attack
http://rickgray.me/2015/03/23/bctf2015-writeup.html
BCTF warmup 50的更多相关文章
- hduoj 4710 Balls Rearrangement 2013 ACM/ICPC Asia Regional Online —— Warmup
http://acm.hdu.edu.cn/showproblem.php?pid=4710 Balls Rearrangement Time Limit: 6000/3000 MS (Java/Ot ...
- 记一次坑爹的RSA旅程____快哭了555555555(来自实验吧的warmup的wp和感想)
这么简单的题目搞了我那么久,森森感觉自己菜的不行....哎,努力吧少年,BXS已经全国第二了. 嗯,废话不说,这道题目来自实验吧的"warmup",附上链接 http://www. ...
- PHPer不能不看的50个细节!
1.用单引号代替双引号来包含字符串,这样做会更快一些.因为PHP会在双引号包围的字符串中搜寻变量, 单引号则不会,注意:只有echo能这么做,它是一种可以把多个字符串当作参数的"函数&quo ...
- 【noip 2016】 蚯蚓(50分)(earthworm)
50分小程序,写了2天- 题目在这里 一个单调队列,写的都是p=0的点,考试的时候要是弄到这些分的话--不说了-- 羡慕AC的神犇啊,54行的满分程序,而我-- #include <iostre ...
- 50个jQuery插件可将你的网站带到另一个高度
Web领域一直在发生变化并且其边界在过去的每一天都在发生变化(甚至不能以小时为计),随着其边界的扩展取得了许多新发展.在这些进步之中,开发者的不断工作创造了更大和更好的脚本,这些脚本以插件方式带来更好 ...
- SQL 2008升级SQL 2008 R2完全教程或者10.00.1600升级10.50.1600
http://blog.csdn.net/feng19821209/article/details/8571571 SQL 2008升级SQL 2008 R2完全教程或者10.00.1600升级10. ...
- 50个新的汉化Demo!纯前端 Wijmo 放大招
Wijmo 是为企业应用程序开发而推出的一系列包含 HTML5 和 JavaScript 的开发控件,包含 Wijmo 5 . Wijmo 3 及面向企业级应用的控件金融图表.FlexSheet 和 ...
- 数据见50条常用sql
问题及描述: --1.学生表 Student(Sid,Sname,Sage,Ssex) --Sid 学生编号,Sname 学生姓名,Sage 出生年月,Ssex 学生性别 --2.课程表 Course ...
- IIS 7.5 Application Warm-Up Module
http://www.cnblogs.com/shanyou/archive/2010/12/21/1913199.html 有些web应用在可以处理用户访问之前,需要装载很多的数据,或做一些花费很大 ...
随机推荐
- tcpdump 抓包让wireshark来分析
在linux下面用tcpdump 抓包非常方便, 但是抓的包要提取出来进行分析, 还是得用wireshark来过滤分析比较方便. 下面先介绍一下 TCPDUMP 的使用 例:tcpdump host ...
- virtualbox 复制多个虚拟机 (宿主机redhat)
我用VirtualBox做了一个winxp虚拟镜像. 想实现不重新安装而直接复制几个,也就是同时装载几个虚拟机. 但是直接复制已安装好机子的vdi文件,系统会报uuid已存在的错误. 所以,就需要修改 ...
- nyoj 927 The partial sum problem(dfs)
描述 One day,Tom’s girlfriend give him an array A which contains N integers and asked him:Can you choo ...
- Power Strings(kmp妙解)
Power Strings Time Limit : 6000/3000ms (Java/Other) Memory Limit : 131072/65536K (Java/Other) Tota ...
- JS正则表达式大全【转】
正则表达式中的特殊字符 字符 含意 \ 做为转意,即通常在"\"后面的字符不按原来意义解释,如/b/匹配字符"b",当b前面加了反斜杆后/\b/,转意为匹配一个 ...
- 解决的方法:warning: Clock skew detected. Your build may be incomplete.
因为时钟同步问题.出现 warning: Clock skew detected. Your build may be incomplete.这种警告, 解决的方法: find . -type f ...
- 告示:CSDN博客通道支持Windows Live Writer写blog离线好友
尊敬的各位CSDN用户: 您好! 为了更好的服务客户.CSDN已经支持Windows Live Writer离线写博客啦.Windows Live Writer于2014年5月29日正式上线啦!欢迎大 ...
- css属性pointer-events
绝对定位元素盖住链接或添加某事件handle的元素后,那么该链接的默认行为(页面跳转)或元素事件将不会被触发.现在Firefox3.6+/Safari4+/Chrome支持一个称为pointer-ev ...
- css系列教程--color direction line-height letter-spacing
css标签:colorcolor:用法color:指定文本的颜色color:red/#fff/unicode; direction:用法 direction:定义文本的方向.dirction:ltr/ ...
- .net 加密错误:填充无效,无法移除
今天用System.Security.Cryptography加密.使用了AesManaged,报错:填充无效,无法移除.分析是解密失败,密文损坏,或者KEY,IV不正确. using (AesMan ...