GKCTF2020WP-Crypto Misc

Crypto

小学生的密码学

题目

e(x)=11x+6(mod26)

密文：welcylk

（flag为base64形式）

我的解答：

考点：仿射密码，已知a,b

结果base64加密即可

flag{c29yY2VyeQ==}

汉字的秘密

题目

你能看出汉字的奥秘吗？ 答案形式：flag{小写字母}

王壮 夫工 王中 王夫 由由井 井人 夫中 夫夫 井王 土土 夫由

土夫 井中 士夫 王工 王人 土由 由口夫

我的解答：

考点：当铺密码

方式一：随波逐流工具一把梭 flag{you_are_good}

方式二：代码

dh = '田口由中人工大土士王夫井羊壮'
ds = '00123455567899'

cip = '王壮 夫工 王中 王夫 由由井 井人 夫中 夫夫 井王 土土 夫由 土夫 井中 士夫 王工 王人 土由 由口夫'
s = ''
for i in cip:
	if i in dh:
		s += ds[dh.index(i)]
	else:
		s += ' '
#print(s)

ll = s.split(" ")
t = ''
for i in range(0,len(ll)):
	t += chr(int(ll[i])+i+1)
print('t=', t, '\t\tt.lower()=', t.lower())
#flag{you_are_good}

babycrypto

题目

# n:0xb119849bc4523e49c6c038a509a74cda628d4ca0e4d0f28e677d57f3c3c7d0d876ef07d7581fe05a060546fedd7d061d3bc70d679b6c5dd9bc66c5bdad8f2ef898b1e785496c4989daf716a1c89d5c174da494eee7061bcb6d52cafa337fc2a7bba42c918bbd3104dff62ecc9d3704a455a6ce282de0d8129e26c840734ffd302bec5f0a66e0e6d00b5c50fa57c546cff9d7e6a978db77997082b4cb927df9847dfffef55138cb946c62c9f09b968033745b5b6868338c64819a8e92a827265f9abd409359a9471d8c3a2631b80e5b462ba42336717700998ff38536c2436e24ac19228cd2d7a909ead1a8494ff6c3a7151e888e115b68cc6a7a8c6cf8a6c005L
# e:65537
# enc:1422566584480199878714663051468143513667934216213366733442059106529451931078271460363335887054199577950679102659270179475911101747625120544429262334214483688332111552004535828182425152965223599160129610990036911146029170033592055768983427904835395850414634659565092191460875900237711597421272312032796440948509724492027247376113218678183443222364531669985128032971256792532015051829041230203814090194611041172775368357197854451201260927117792277559690205342515437625417792867692280849139537687763919269337822899746924269847694138899165820004160319118749298031065800530869562704671435709578921901495688124042302500361
# p>>128<<128:0xe4e4b390c1d201dae2c00a4669c0865cc5767bc444f5d310f3cfc75872d96feb89e556972c99ae20753e3314240a52df5dccd076a47c6b5d11b531b92d901b2b512aeb0b263bbfd624fe3d52e5e238beeb581ebe012b2f176a4ffd1e0d2aa8c4d3a2656573b727d4d3136513a931428b00000000000000000000000000000000L

我的解答：

考点:经典的高位泄露攻击

先恢复p

#sage
p=0xe4e4b390c1d201dae2c00a4669c0865cc5767bc444f5d310f3cfc75872d96feb89e556972c99ae20753e3314240a52df5dccd076a47c6b5d11b531b92d901b2b512aeb0b263bbfd624fe3d52e5e238beeb581ebe012b2f176a4ffd1e0d2aa8c4d3a2656573b727d4d3136513a931428b00000000000000000000000000000000
n = 0xb119849bc4523e49c6c038a509a74cda628d4ca0e4d0f28e677d57f3c3c7d0d876ef07d7581fe05a060546fedd7d061d3bc70d679b6c5dd9bc66c5bdad8f2ef898b1e785496c4989daf716a1c89d5c174da494eee7061bcb6d52cafa337fc2a7bba42c918bbd3104dff62ecc9d3704a455a6ce282de0d8129e26c840734ffd302bec5f0a66e0e6d00b5c50fa57c546cff9d7e6a978db77997082b4cb927df9847dfffef55138cb946c62c9f09b968033745b5b6868338c64819a8e92a827265f9abd409359a9471d8c3a2631b80e5b462ba42336717700998ff38536c2436e24ac19228cd2d7a909ead1a8494ff6c3a7151e888e115b68cc6a7a8c6cf8a6c005
PR.<x> = PolynomialRing(Zmod(n))
f=p+x
x0=f.small_roots(X=2^128,beta=0.4)[0]
print(x0)
print(p+x0)
#194744276640369236134349576809641082787
#160734387026849747944319274262095716650717626398118440194223452208652532694713113062084219512359968722796763029072117463281356654614167941930993838521563406258263299846297499190884495560744873319814150988520868951045961906000066805136724505347218275230562125457122462589771119429631727404626489634314291445667

有了p就好办了

import gmpy2
import binascii

e = 65537
n = 0xb119849bc4523e49c6c038a509a74cda628d4ca0e4d0f28e677d57f3c3c7d0d876ef07d7581fe05a060546fedd7d061d3bc70d679b6c5dd9bc66c5bdad8f2ef898b1e785496c4989daf716a1c89d5c174da494eee7061bcb6d52cafa337fc2a7bba42c918bbd3104dff62ecc9d3704a455a6ce282de0d8129e26c840734ffd302bec5f0a66e0e6d00b5c50fa57c546cff9d7e6a978db77997082b4cb927df9847dfffef55138cb946c62c9f09b968033745b5b6868338c64819a8e92a827265f9abd409359a9471d8c3a2631b80e5b462ba42336717700998ff38536c2436e24ac19228cd2d7a909ead1a8494ff6c3a7151e888e115b68cc6a7a8c6cf8a6c005
c = 1422566584480199878714663051468143513667934216213366733442059106529451931078271460363335887054199577950679102659270179475911101747625120544429262334214483688332111552004535828182425152965223599160129610990036911146029170033592055768983427904835395850414634659565092191460875900237711597421272312032796440948509724492027247376113218678183443222364531669985128032971256792532015051829041230203814090194611041172775368357197854451201260927117792277559690205342515437625417792867692280849139537687763919269337822899746924269847694138899165820004160319118749298031065800530869562704671435709578921901495688124042302500361
p=160734387026849747944319274262095716650717626398118440194223452208652532694713113062084219512359968722796763029072117463281356654614167941930993838521563406258263299846297499190884495560744873319814150988520868951045961906000066805136724505347218275230562125457122462589771119429631727404626489634314291445667
q=n//p
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(binascii.unhexlify(hex(m)[2:]))

#b'flag{3d0914a1-1e97-4822-a745-c7e20c5179b9}'

Backdoor

题目

p=k*M+(65537**a %M)

task.py

#!/usr/bin/python
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
import gmpy2, binascii
import base64
from FLAG import flag

def rsa_encrypt(message):
    with open('./pub.pem' ,'r') as f:
        key = RSA.import_key(f.read())
    e = key.e
    n = key.n
    c = pow(bytes_to_long(flag), e, n)

    ciphertext = binascii.hexlify(long_to_bytes(c))
    return ciphertext

if __name__ == "__main__":
    text = base64.b64encode(rsa_encrypt(flag))
    with open('flag.enc','wb') as f:
        f.write(text)

pub.pem

-----BEGIN PUBLIC KEY-----
MFMwDQYJKoZIhvcNAQEBBQADQgAwPwI4BXdHlrMB4cf0C0lFBWiLH94h9tX/zmNv
8WfYXjfXp7dJPjPBfUQXolyiSmcWMUzxhuFpltz8Z5sCAwEAAQ==
-----END PUBLIC KEY-----

flag.enc

MDIxNDJhZjdjZTcwZmUwZGRhZTExNmJiN2U5NjI2MDI3NGVlOTI1MmE4Y2I1MjhlN2ZkZDI5ODA5YzJhNjAzMjcyN2MwNTUyNjEzM2FlNDYxMGVkOTQ0NTcyZmYxYWJmY2QwYjE3YWEyMmVmNDRhMg==

我的解答：

考点：RSALib-cve漏洞

首先对密文进行base64解码

02142af7ce70fe0ddae116bb7e96260274ee9252a8cb528e7fdd29809c2a6032727c05526133ae4610ed944572ff1abfcd0b17aa22ef44a2

然后再公钥分解得到e,n

e = 65537
n = 15518961041625074876182404585394098781487141059285455927024321276783831122168745076359780343078011216480587575072479784829258678691739

有了n就可以分解得到p,q

p:3386619977051114637303328519173627165817832179845212640767197001941
q:4582433561127855310805294456657993281782662645116543024537051682479

题目给了提示：p=k*M+(65537**a %M) 发现是一个cve漏洞复现：
参考：https://asecuritysite.com/encryption/copper

[Back] With the ROCA (Return of the Coppersmith Attack) vulnerability an RSA private key can be recovered from the knowledge of the public key [article]. It has the CVE identifier of CVE-2017-15361. The vulnerability related to the Infineon RSA library on the Infineon Trusted Platform Module (TPM) firmware. It affected BitLocker with TPM 1.2 and YubiKey 4. In this case we calculate the prime number with Prime=k×M+(65537amodM):
The library uses the value of 39 (1…167) for the number of primes used to generate M for key sizes of 512 to 960-bits, then 71, 126 and 225 values are used for the key intervals 992–1952 bits; 1984–3936 bits; and 3968–4096 bits, respectively. 

意思就是rsalib的素数生成有漏洞，不够随机，实际上的生成方式是用p=k*M+(65537**a %M)生成的，其中M为前x个素数乘积。
因此我们确定了M值，a和k理论上也不会相差太远，暴力碰撞一下，秒出p q

from Crypto.Util import number
from gmpy2 import *

vals=39
M=1
n = mpz(15518961041625074876182404585394098781487141059285455927024321276783831122168745076359780343078011216480587575072479784829258678691739)
primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999]

for x in range(0, vals):
    M=M*primes[x]

for a in range(1,20):
    for k in range(50):
        p=mpz(k*M+(65537**a %M))
        if is_prime(p):
            q = mpz(n//p)
            if is_prime(q):
                print('p=%d\nq=%d'%(p,q))
#p=4582433561127855310805294456657993281782662645116543024537051682479
#q=3386619977051114637303328519173627165817832179845212640767197001941

有了p,q直接解就行了。

import gmpy2
import binascii

e = 65537
n = 15518961041625074876182404585394098781487141059285455927024321276783831122168745076359780343078011216480587575072479784829258678691739
c = int("02142af7ce70fe0ddae116bb7e96260274ee9252a8cb528e7fdd29809c2a6032727c05526133ae4610ed944572ff1abfcd0b17aa22ef44a2",16)
p=4582433561127855310805294456657993281782662645116543024537051682479
q=3386619977051114637303328519173627165817832179845212640767197001941
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=pow(c,d,n)
print(binascii.unhexlify(hex(m)[2:]))

#b'flag{760958c9-cca9-458b-9cbe-ea07aa1668e4}'

Misc

签到

题目

https://live.bilibili.com/772947

我的解答：

公屏右上角。

flag{Welcome_To_GKCTF_2020}

Pokémon

题目

比赛累了吧,怀旧一把，我在103号道路等你

Pokémon 说明是windows编码的，只是游戏简单操作说明 flag格式为flag{flag_is_here}

游戏说明：

操作说明：小键盘上下左右键控制方向。 Z X C A S D为功能键。

怀旧一把，玩游戏给flag

我的解答：

根据题目文件及描述，我们肯定需要玩这个游戏才行。

使用gba模拟器打开，使用金手指游戏辅助开穿墙直达103道路获得flag。

flag{PokEmon_14_CutE}

问卷调查

题目

各位辛苦了，这里是一份小小的问卷，填完就有 flag 哦~

https://jinshuju.net/f/n0U96I

我的解答：

填问卷即可。

flag{I_W4nt_t0_Fu4k_GKCTF}

code obfuscation

题目

提示：压缩包密码是加密过的

我的解答：

题目给了一张倾斜的二维码，使用ps调一下，因为图片中有白线分割，所以顺便把白色部分去掉然后内容拼接完整（不留空白线就行，不用那么标准！）

得到

扫描二维码得到 base(gkctf)但提交不对，根据提示可知有压缩包

使用010打开图片

kali分离出来，提示密码是加密过的，那我们使用base加密扫描二维码得到的结果试试，发现是base58加密 CfjxaPF

得到

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('15 n 14 a b c d e f g h i j k l m n o p q r s t u v w x y z 10 11 17="n"12 15 n 14 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 10 11 17="n"12 13=0 15 n 14 a b c d e f g h i j 10 11 16="n"13=$((13+1))12 1g("1f=\' \';1e=\'"\';16=\'#\';1j=\'(\';1i=\')\';1h=\'.\';1a=\';\';19=\'<\';18=\'>\';1d=\'1c\';1b=\'{\';1k=\'}\';1t=\'0\';1u=\'1\';1s=\'2\';1r=\'3\';1n=\'4\';1m=\'5\';1l=\'6\';1q=\'7\';1p=\'8\';1o=\'9\';")',62,93,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||do|eval|done|num|in|for|Bn|An|Ce|Cc|Cb|Cn|_|Cl|Bm|Bk|alert|By|Bt|Bs|Cp|Dg|Df|De|Dj|Di|Dh|Dd|Dc|Da|Db'.split('|'),0,{}))

根据js压缩、混淆、加密的特点 js压缩、混淆和加密 - 简书 (jianshu.com)

可以判断这就是js压缩混淆，使用在线工具解码 JS混淆加密压缩 - 站长工具 (chinaz.com)

for n in a b c d e f g h i j k l m n o p q r s t u v w x y z do eval An = "n"
    done
for n in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z do eval An = "n"
    done
    num = 0
for n in a b c d e f g h i j do eval Bn = "n"
    num =
    $((num + 1)) done alert("Bk=' ';Bm='"
        ';Bn='#
        ';Bs=' (';Bt=')
        ';By='.
        ';Cb=';
        ';Cc=' < ';Ce=' > ';Cl='
        _ ';Cn=' {
            ';Cp='
        }
        ';Da='
        0 ';Db='
        1 ';Dc='
        2 ';Dd='
        3 ';De='
        4 ';Df='
        5 ';Dg='
        6 ';Dh='
        7 ';Di='
        8 ';Dj='
        9 ';")

分析代码可知是替换密码表，注意：字母的替换实际上是以A为开头的密文，比如密文Am实际上在明文中就是m

c = "$Bn$Ai$An$Ac$Al$Au$Ad$Ae$Bk$Cc$As$At$Ad$Ai$Ao$By$Ah$Ce$Ai$An$At$Bk$Am$Aa$Ai$An$Bs$Bt$Cn$Ap$Ar$Ai$An$At$Bs$Bm$Aw$Dd$Al$Ac$Da$Am$Ae$Cl$De$Ao$Cl$Dj$Ak$Ac$At$Df$Bm$Bt$Cb$Ar$Ae$At$Au$Ar$An$Bk$Da$Cb$Cp"
dic = {"Bk":' ',"Bm":'"',"Bn":'#',"Bs":"(","Bt":")","By":".","Cb":";","Cc":"<","Ce":">","Cl":"_","Cn":"{","Cp":"}","Da":"0","Db":"1","Dc":"2","Dd":"3","De":"4","Df":"5","Dg":"6","Dh":"7","Di":"8","Dj":"9"}
ls = c.split("$")
print(ls)
for i in ls:
    if "A" in i:
        print(i[1],end="")
    if i in dic:
        print(dic[i],end="")
#w3lc0me_4o_9kct5

Harley Quinn

题目

Ivy给Harley发了一个短信……算了，编不下去了，先听后看就完事了……

音频解码可能有误差，密码为有意义的无空格小写短句 解密版本为1.25

hint:电话音&九宫格

FreeFileCamouflage，下载的文件可能显示乱码

我的解答：

压缩包打开得到wav和一张jpeg。Audacity打开wav，拉到曲末，切换频谱图

典型的拨号音，DTMF解一下

dtmf2num.exe 2.wav

得到

222833344477773338866

根据提示 ，九宫格解码得到ctfisfun

使用提示软件FreeFileCamouflage对图片解码

flag{Pudd1n!!_y0u_F1nd_m3!}

Sail a boat down the river

题目

提示1：闪烁的光芒

提示2：是一行不是一列

提示3：加密方式很常见

我的解答：

附件给了一个flag.mp4和有密码的vocal.rar。

观看一下mp4发现一个二维码 ,扫码得到 https://pan.baidu.com/s/1tygt0Nm_G5fTfVFlgxVcrQ

但发现没有提取码。。。

分析Hint（闪烁的光芒）再看一下视频发现一个闪烁灯。在此位置会很快闪烁。

使用Kinovea打开，一帧一帧地仔细看闪烁的部分（注意Kinovea没有帧数的说法，每0.03秒的时长即是一帧）

发现闪烁只有两种形式，连续三帧都有闪烁，或者只有一帧闪烁之后熄灭（由于所展现的信息很短，猜测大概率是Morse），分别对应-，.

得到 -.-- .-- ---.. --.

解码得到 JW8G

0 8 1 7 4 0 0 0 0
3 0 2 0 6 8 0 0 0
4 0 6 5 0 0 8 2 0
0 3 0 0 0 0 0 5 6
7 0 4 3 0 9 2 0 1
1 2 0 0 0 0 0 4 0
0 5 9 0 0 4 1 0 8
0 0 0 1 8 0 9 0 2
0 0 0 0 9 7 4 6 0

密文:
efb851bdc71d72b9ff668bddd30fd6bd
密钥:
第一列九宫格从左到右从上到下

使用数独工具解码 https://shudu.gwalker.cn/

根据提示：是一行不是一列，得到 52693795149137

再根据提示3：加密方式很常见。想到AES加密 http://tool.chacuo.net/cryptaes

GG0kc.tf这个应该就是压缩包密码，解压得到

百度发现是乐谱文件，需要用Overture打开，下载链接： https://www.bear20.com/pcwin/42/725931042.html

下载完试用即可不要购买。

打开文件后查找即可，会发现

flag{gkctf_is_fun}