发表更新2 分钟读完 (大约339个字)

rsa-smooth攻击

涉及知识点

光滑数:指能分解成小素数乘积的正整数

B-光滑数:若一个光滑数的最大小质数因子<=B,则称该光滑数为B-光滑数

阅读更多
发表更新Writeup3 分钟读完 (大约394个字)

HZNUCTF2024

HZNUCTF2024

ez_encode

cyberchef 一把嗦了

image-20240414204833256

sign-up

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from gmpy2 import *
from Crypto.Util.number import *
from secret import flag

p=getPrime(1024)
q=next_prime(p+(p>>500))

e=0x10001

n=p*q

c=pow(bytes_to_long(flag),e,n)

print("n=",n)
print("c=",c)

其中q=next_prime(p+(p>>500))指的是:$ q= [p+\frac{1}{2^{500}}p] +r $

即 $ q = [(1+\frac{1}{2^{500}}p] +r $, r是为了将q凑为质数的整数。

$ \therefore n = p\ast q = [(1+ \frac{1}{2^{500}})p^2]+rp$

$ \therefore (1+\frac{1}{2^{500}})n = ((1+ \frac{1}{2^{500}})p)^2 + (1+\frac{1}{2^{500}})rp > ((1+\frac{1}{2^{500}})p)^2 ——①$

q2=[(1+12500)p+r]2=((1+12500)p)2+2[(1+12500)rp]+r2——②\because q^2 = [(1+\frac{1}{2^{500}})p + r]^2 = ((1+\frac{1}{2^{500}})p)^2 + 2[(1+\frac{1}{2^{500}})rp] + r^2 ——②

易知,②式大于①式

经过比较得[(1+12500)p]2<[(1+12500)n]<[(1+12500)p+r]2\therefore 经过比较得 [(1+\frac{1}{2^{500}})p]^2 < [(1+\frac{1}{2^{500}})n]< [(1+\frac{1}{2^{500}})p + r]^2

通过开方缩小范围得

$(1+\frac{1}{2^{500}})p < \sqrt{(1 + \frac{1}{2^{500}})n} < (1+\frac{1}{2^{500}})p +r = q $

所以,(1+12500)n\sqrt{(1+\frac{1}{2^{500}})n}的下一个素数即为q

q = next_prime(iroot((n + (n >> 500)), 2)[0])

ez_rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from Crypto.Util.number import *
from flag import flag

def keygen(nbit = 32):
	while True:
		k = getRandomNBitInteger(nbit)
		p = 3*k**17 + 3*k**11 - 53*k**7 + 12*k**5 - 114*k + 27329
		q = 5*k**13 - 7*k**11 + 43*k**5 - 313*k**3 - 14*k + 18869
		if isPrime(p) and isPrime(q):
			return p, q

def encrypt(msg, n, e = 65537):
	m = bytes_to_long(msg)
	return pow(m, e, n)

p, q = keygen()
n = p * q
enc = encrypt(flag, n)
print(f'n = {n}')
print(f'enc = {enc}')

根据题目得到一个关于k的多项式方程组

用sage求解多项式

1
2
3
4
5
6
7
var('k')
p = 3*k**17 + 3*k**11 - 53*k**7 + 12*k**5 - 114*k + 27329
q = 5*k**13 - 7*k**11 + 43*k**5 - 313*k**3 - 14*k + 18869

eq=p*q==n

solve(eq,[k])

即可求得k,再求得p,q解一般rsa即可

你知道什么叫第二重要极限吗?

a=limx0(a1x+a2x++anxn)nxa = \lim_{x \to 0} (\frac{a_1^x+a_2^x+\cdots+a_n^x}{n})^{\frac{n}{x}}

你知道什么叫做第二重要极限吗?

其中

1
2
3
a_i = [1,9,9,8,4,6,1,9,9,4,8,1,4]   

flag="HZNUCTF{"+md5(res)+"}"

使用在线工具求得极限后md5加密即可

发表更新平台搭建2 分钟读完 (大约363个字)

GZCTF搭建笔记

新建用户

为了方便管理,新建一个用户进行操作

1
sudo adduser GZCTF

给用户赋予使用docker的权限

1
sudo usermod -aG docker GZCTF

配置文件

新建appsettings.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
{
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=<String1>"
      //<String1>换成数据库密码,随机密码且长度足够
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
    //邮箱配置
  "EmailConfig": {
    "SendMailAddress": "[email protected]",		// 填入邮箱
    "UserName": "ctf_noreply",				// 发件人名称
    "Password": "UWPTINWMFPQVMPAH",			// 邮箱密码,部分服务商需要填入授权码
    "Smtp": {
      "Host": "smtp.163.com",				// 此处为163邮箱服务器,具体自定
      "Port": 465
    }
  },
  "XorKey": "<String2>",					// 自定XorKey
  "ContainerProvider": {
    "Type": "Docker",
    "PublicEntry": "xx.xx.xx.xx",			// 域名或IP配置,用于容器生成,域名不带http/https
    "DockerConfig": {
      "SwarmMode": false,
      "Uri": ""								// 本地配置Docker因此此处置空
    }
  },
  "RequestLogging": false,
  "DisableRateLimit": false,
  "RegistryConfig": {
    "UserName": "",
    "Password": "",
    "ServerAddress": ""
  },
    
    //谷歌验证码配置
  "GoogleRecaptcha": {
    "VerifyAPIAddress": "https://www.recaptcha.net/recaptcha/api/siteverify",
    "Sitekey": "",
    "Secretkey": "",
    "RecaptchaThreshold": "0.5"
  }
}

新建docker-compose.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
version: '3.0'
services:
  gzctf:
    image: gztime/gzctf:latest
    restart: always
    environment:
      - "GZCTF_ADMIN_PASSWORD=<String3>" # <String3>换成管理员账户密码,账号为Admin
    ports:
      - "80:80" # 对外端口号,前为外部端口。
    networks:
      default:
    volumes:
      - "./data/files:/app/uploads"
      - "./appsettings.json:/app/appsettings.json:ro"
      - "./logs:/app/log"
      - "./data/keys:/root/.aspnet/DataProtection-Keys"
      # - "./k8sconfig.yaml:/app/k8sconfig.yaml:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
    depends_on:
      - db

  db:
    image: postgres:alpine
    restart: always
    environment:
      - "POSTGRES_PASSWORD=<String1>" # 数据库密码,务必要和appsettings.json中的配置一致
    networks:
      default:
    volumes:
      - "./data/db:/var/lib/postgresql/data"

networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.12.0/24

运行容器

1
docker-compose up -d

报错解决

关注我

分类

归档

链接

最新文章

标签

CTF5
GZCTF1
HZNUCTF20241
ISCTF1
NSSCCTF_Round_#171
NTACTF1
SHCTF1
SICTF1
Writeup2
litctf1
wp1
writeup4
×