PicoCTF - SRA
tags: PicoCTF CTF Crypto
Source code
:::spoiler Source Code
from Crypto.Util.number import getPrime, inverse, bytes_to_long
from string import ascii_letters, digits
from random import choice
pride = "".join(choice(ascii_letters + digits) for _ in range(16))
gluttony = getPrime(128)
greed = getPrime(128)
lust = gluttony * greed
sloth = 65537
envy = inverse(sloth, (gluttony - 1) * (greed - 1))
anger = pow(bytes_to_long(pride.encode()), sloth, lust)
print(f"{anger = }")
print(f"{envy = }")
print("vainglory?")
vainglory = input("> ").strip()
if vainglory == pride:
print("Conquered!")
with open("/challenge/flag.txt") as f:
print(f.read())
else:
print("Hubris!")
:::
Recon
這一題也蠻有趣的,有給$e, d, c$,而我們知道$ed\equiv 1\ (mod\ \phi(n))$但目前不知道$n$是多少,這也是這一題比較難的地方,不過仔細看$p, q$的bits range只有128 bits,感覺有機會可以爆破,試想:
\(e*d-1=\phi(n) * k=(p-1)*(q-1)*k\)
所以我們只要先用online tool,分析所有的質因數,再暴力破解看可能的$p$有多少就可以了
:::spoiler Screenshot
:::
Exploit
- Note: 使用以下的script,需要利用這個online tool,然後把結果以逗號分開,再用list的方式當作input, e.g.
[2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 5, 7, 17, 19, 151, 2363909, 75519055285493, 6681450981644264152589, 118264780684392418025651473217] - Note2: 我寫的script沒辦法處理候選的$p$有三個以上的情況,因為我懶得寫,所以它會自動斷線再重新連線重新計算一次,以我的經驗大約3-4次就可以拿到flag了 ```python= from pwn import * from itertools import combinations from Crypto.Util.number import isPrime, inverse, long_to_bytes
context.arch = ‘amd64’
這個寫法超屌,要學起來,來自Martin Carlisle大大
def sub_lists (l): comb = [] for i in range(1,len(l)+1): comb += [list(j) for j in combinations(l, i)] return comb
def main(): r = remote(“saturn.picoctf.net”, 64350)
1 |
|
if name == ‘main’:
while not main():
main()
```
Flag: picoCTF{7h053_51n5_4r3_n0_m0r3_2b7ad1ae}