isctf2024_crypto

Zsm published on 2024-12-12 included in CTF

前言

本来以为社会组没有奖，就只写了crypto和一部分misc，结果结束了又说前十有奖，呜呜呜

题目

我和小蓝鲨的秘密

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


from PIL import Image
from Crypto.Util.number import bytes_to_long, long_to_bytes
import numpy as np

n = 29869349657224745144762606999
e = 65537

original_image_path = "flag.jpg"
img = Image.open(original_image_path)
img = img.convert("RGB")

img_array = np.array(img)
h, w, _ = img_array.shape

encrypted_array = np.zeros((h, w, 3), dtype=object)
for i in range(h):
    for j in range(w):
        r, g, b = int(img_array[i, j, 0]), int(img_array[i, j, 1]), int(img_array[i, j, 2])

        encrypted_array[i, j, 0] = pow(r, e, n)
        encrypted_array[i, j, 1] = pow(g, e, n)
        encrypted_array[i, j, 2] = pow(b, e, n)

np.save("encrypted_image.npy", encrypted_array)
print("图片已加密并保存为 encrypted_image.npy")

思路：就是很简单图片rsa，可以直接，遍历，n很小，可以直接分解 exp

moectf2024_crypto

Zsm published on 2024-12-12 included in CTF

题目

现代密码学指北

task:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


from Crypto.Util.number import bytes_to_long, getPrime
from secret import flag
p = getPrime(128)
q = getPrime(128)
n = p*q
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)
print(f"n = {n}")
print(f"p = {p}")
print(f"q = {q}")
print(f"c = {c}")
'''
n = 40600296529065757616876034307502386207424439675894291036278463517602256790833
p = 197380555956482914197022424175976066223
q = 205695522197318297682903544013139543071
c = 36450632910287169149899281952743051320560762944710752155402435752196566406306
'''

正常解密即可 exp

Vuln AdmX_new & Empire_LupinOne

Zsm published on 2024-12-12 included in 靶场

AdmX_new

靶场链接

https://download.vulnhub.com/admx/AdmX_new.7z

日常扫描

只有80端口开放，直接访问没什么东西，dirb扫描出来wordpress，访问看看，发现很慢，burp抓包发现重定向到192.168.159.145

Vuln EvilBox: One & BoredHackerBlog_Cloud_AV

Zsm published on 2024-12-12 included in 靶场

EvilBox: One

靶场链接

https://www.vulnhub.com/entry/evilbox-one,736/

日常扫描

发现这玩意靶机（这个需要自己配置一下网卡） nmap扫描端口没有用，dis或者是dirb扫一下发现这几个，一个一个点进去看一眼，http://192.168.64.4/secret/ 网页是纯白的，

wsl2 + arch + sagemath

Zsm published on 2024-12-12 included in CTF

前言

为什么要这样搞呢，主要是自己太闲了（被打），还是因为win环境下的sagemath版本低，bug多，而且还不能pwn交互，虽然在vm里面可以搞，但是我又嫌打开虚拟机麻烦，所以就wsl2了。

串烧_crypto复现

Zsm published on 2024-12-12 included in CTF

前言

打了香港，日本的比赛，还有蜀道山，感觉这几个题都很好，但是都不会（），写个记录一下，顺便总结

题目

seccon/reiwa_rot13

task

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28


from Crypto.Util.number import *
import codecs
import string
import random
import hashlib
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from flag import flag

p = getStrongPrime(512)
q = getStrongPrime(512)
n = p*q
e = 137

key = ''.join(random.sample(string.ascii_lowercase, 10))
rot13_key = codecs.encode(key, 'rot13')

key = key.encode()
rot13_key = rot13_key.encode()

print("n =", n)
print("e =", e)
print("c1 =", pow(bytes_to_long(key), e, n))
print("c2 =", pow(bytes_to_long(rot13_key), e, n))

key = hashlib.sha256(key).digest()
cipher = AES.new(key, AES.MODE_ECB)
print("encyprted_flag = ", cipher.encrypt(flag))

思路：当时比赛第一眼看过去，e很小，就在想是不是富兰克林，然后想利用rot13的性质去写，发现没用，然后就想通过c1和c2直接去构造富兰克林攻击，发现一直不对。正确想法应该是bytes_to_long转换的时候形成的富兰克林，每一位可以看作$$256^i$$，然后相加，害蠢了。