一、[安洵杯 2020]密码学？爆破就行了——sha256掩码爆破

1.题目：

#!/usr/bin/python2
import hashlib 
from secret import SECRET
from broken_flag import BROKEN_FLAG


flag = 'd0g3{' + hashlib.md5(SECRET).hexdigest() + '}'
broken_flag = 'd0g3{71b2b5616**2a4639**7d979**de964c}'

assert flag[:14] == broken_flag[:14]
assert flag[16:22] == broken_flag[16:22]
assert flag[24:29] == broken_flag[24:29]


ciphier = hashlib.sha256(flag).hexdigest()
print(ciphier)


'''
ciphier = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
'''

2.

import hashlib


cipher = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
strings = '0123456789abcdef'
for a in strings:
    for b in strings:
        for c in strings:
            for d in strings:
                for e in strings:
                    for f in strings:
                        flag = 'd0g3{71b2b5616' + a + b + '2a4639' + c + d + '7d979' + e + f + 'de964c}'
                        if hashlib.sha256(flag.encode()).hexdigest() == cipher:
                            print(flag)
                            break

NSSCTF{71b2b5616ee2a4639a07d979ebde964c}

二、[HNCTF 2022 WEEK2]md5太残暴了——MD5爆破

1.题目：

小明养成了定期修改密码的好习惯，同时，他还是一个CTF爱好者。有一天，他突发奇想，用flag格式来设置密码，为了防止忘记密码，他还把密码进行了md5加密。为了避免被其他人看到全部密码，他还特意修改了其中部分字符为#。你能猜出他的密码吗？
plaintext = flag{#00#_P4ssw0rd_N3v3r_F0rg3t_63####}
md5 = ac7f4d52c3924925aa9c8a7a1f522451
PS: 第一个#是大写字母，第二个#是小写字母，其他是数字。

2.

import hashlib


string1 = 'ABCDEFGHIGKLMNOPQRSTUVWXYZ'
string2 = 'abcdefghijklmnopqrstuvwxyz'
string3 = '0123456789'
md5 = 'ac7f4d52c3924925aa9c8a7a1f522451'

for a in string1:
    for b in string2:
        for c in string3:
            for d in string3:
                for e in string3:
                    for f in string3:
                        flag = 'flag{'+ a + '00' + b + '_P4ssw0rd_N3v3r_F0rg3t_63' + c + d + e + f + '}'
                        if hashlib.md5(flag.encode()).hexdigest() == md5:
                            print(flag)

flag{G00d_P4ssw0rd_N3v3r_F0rg3t_638291}

三、[LitCTF 2023]Where is P?——p的高位攻击

1.题目：

from Crypto.Util.number import *
m=bytes_to_long(b'XXXX')
e=65537
p=getPrime(1024)
q=getPrime(1024)
n=p*q
print(p)
c=pow(m,e,n)
P=p>>340
print(P)
a=pow(P,3,n)
print("n=",n)
print("c=",c)
print("a=",a)
#n= 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
#c= 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
#a= 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605

2.解题：p右移340位后进行低加密指数攻击，先进行解密求P，然后求p，然后是正常的rsa解密

3.

import gmpy2
import libnum

# 低加密指数攻击解密
a = 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605
n = 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
c = 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
k = 0
while 1:
    res = gmpy2.iroot(k * n + a,3)
    if res[1] == True:
        print(res[0])  # 即P
        break
    k += 1
P = p_high = 66302204855869216148926460265779698576660998574555407124043768605865908069722142097621926304390549253688814246272903647124801382742681337653915017783954290069842646020090511605930590064443141710086879668946


# sagemath，求p
# p_high = 66302204855869216148926460265779698576660998574555407124043768605865908069722142097621926304390549253688814246272903647124801382742681337653915017783954290069842646020090511605930590064443141710086879668946
# n= 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
# c= 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
#
# pbits = 1024
# kbits = 340
# p_high = p_high << kbits
# PR.<x> = PolynomialRing(Zmod(n))
# # f = x + p_high
# p0 = f.small_roots(X = 2 ^ kbits,beta = 0.4)[0]
# print(p_high + p0)
# p = 148500014720728755901835170447203030242113125689825190413979909224639701026120883281188694701625473553602289432755479244507504340127322979884849883842306663453018960250560834067472479033116264539127330613635903666209920113813160301513820286874124210921593865507657148933555053341577090100101684021531775022459


# 求flag
e = 65537
p = 148500014720728755901835170447203030242113125689825190413979909224639701026120883281188694701625473553602289432755479244507504340127322979884849883842306663453018960250560834067472479033116264539127330613635903666209920113813160301513820286874124210921593865507657148933555053341577090100101684021531775022459
q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))

NSSCTF{Y0U_hAV3_g0T_Th3_r1ghT_AnsW3r}

四、[LitCTF 2023]babyLCG——LCG求a、b、m、seed

1.题目：

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
bit_len = m.bit_length()
a = getPrime(bit_len)
b = getPrime(bit_len)
p = getPrime(bit_len+1)

seed = m
result = []
for i in range(10):
    seed = (a*seed+b)%p
    result.append(seed)
print(result)
"""
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
"""

2.LCG数学推导

3.python脚本

from functools import reduce
import gmpy2
import libnum

# 已知
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878,
          193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390,
          1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943,
          659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506,
          111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829,
          1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909,
          655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698,
          1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851,
          492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509,
          70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]

# 第一阶段，获得模数m。一组数据即可，可以不使用列表
list1 = [s1 - s0 for s0, s1 in zip(result, result[1:])]
list2 = [t2 * t0 - t1 * t1 for t0, t1, t2 in zip(list1, list1[1:], list1[2:])]
m = gmpy2.gcd(list2[1], list2[2])
# m = abs(reduce(gcd, list2))
print(m)

# 第二阶段，获得常数A, B
A_son = result[2] - result[1]
A_mother_ni = gmpy2.invert(result[1] - result[0], m)
A = pow(A_son * A_mother_ni, 1, m)
# print(A)
B = pow(result[1] - A * result[0], 1, m)
# print(B)


# 第三阶段，逆推回seed
A_ni = gmpy2.invert(A, m)
seed = (result[0] - B) * A_ni % m
# print(seed)
flag = libnum.n2s(int(seed))
print(flag)

NSSCTF{31fcd7832029a87f6c9f760fcf297b2f}

五、[安洵杯 2020]easyaes——AES

1.题目：

#!/usr/bin/python
from Crypto.Cipher import AES
import binascii
from Crypto.Util.number import bytes_to_long
from flag import flag
from key import key

iv = flag.strip(b'd0g3{').strip(b'}')   # 只保留{}内的内容，flag

LENGTH = len(key)
assert LENGTH == 16

hint = os.urandom(4) * 8   # 随机生成4字节，重复8次
print(bytes_to_long(hint)^bytes_to_long(key))   # 将hint与key进行异或

msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'

def encrypto(message):
    aes = AES.new(key,AES.MODE_CBC,iv)
    return aes.encrypt(message)

print(binascii.hexlify(encrypto(msg))[-32:])

'''
56631233292325412205528754798133970783633216936302049893130220461139160682777
b'3c976c92aff4095a23e885b195077b66'
'''

2.解题：

加密流程：先将密文分组，然后每组生成密文与明文异或后，使用秘钥加密成密文，第一组加密，初始化向量充当密文

解密流程：将最后密文使用秘钥解密后，与前一组密文异或，得到部分明文，最后得到初始化向量

hint由重复八次的4个字节组成，key有15字节，所以异或后会有一部分hint保留，将hint转换为字符串，可以看到有部分重复的字节

由此推断，hint为 ‘}4$d’ * 8，然后异或可以得到key

import libnum

a = 56631233292325412205528754798133970783633216936302049893130220461139160682777
print(libnum.n2s(int(a)))
hint = '}4$d'
key = a ^ libnum.s2n(hint * 8)
print(libnum.n2s(int(key)))

#b'}4$d}4$d}4$d}4$d\x19\x04CW\x06CA\x08\x1e[I\x01\x04[Q\x19'
#b'd0g3{welcomeyou}'

然后将信息进行分组，解密

3.python脚本

import binascii
from Crypto.Cipher import AES
import libnum
from Crypto.Util.strxor import strxor

a = 56631233292325412205528754798133970783633216936302049893130220461139160682777
print(libnum.n2s(int(a)))
hint = '}4$d'
key = a ^ libnum.s2n(hint * 8)
print(libnum.n2s(int(key)))
key_bytes = libnum.n2s(int(key))   # 确保key是字节


# 确保密钥长度为 16 字节
key = key_bytes[:16]  # 截取前 16 字节
print(f"Key: {key}")


msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
msgs = [msg[i:i+16] for i in range(0, len(msg), 16)]
msgs.reverse()  # 将列表反转
IV = binascii.unhexlify('3c976c92aff4095a23e885b195077b66')


def decry(key, iv, ms):
    aes = AES.new(key, AES.MODE_ECB)     # 如果秘钥不是16，则需要进行填充或者截断
    return strxor(aes.decrypt(iv), ms)   # 将参数进行异或操作


for ms in msgs:
    IV = decry(key, IV, ms)
print(b'd0g3{' + IV + b'}')

注意：将key转换为字节

NSSCTF{aEs_1s_SO0o_e4sY}