202204_DASCTF四月份赛_EasyReal

Tags:MD5,爆破,RSA

0x00. 题目

task.py

import random
import hashlib

flag = 'xxxxxxxxxxxxxxxxxxxx'
key = random.randint(1,10)
for i in range(len(flag)):
	crypto += chr(ord(flag[i])^key)
m = crypto的ascii十六进制
e = random.randint(1,100)
print(hashlib.md5(e))
p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
q = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
n = p*q
c = pow(m,e,n)
print(n)
print(c)
#37693cfc748049e45d87b8c7d8b9aacd
#4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
#3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397

0x01. WP

简单分析了加密脚本,加密步骤如下:

  1. 用key与flag的每一个字母ASCII码进行异或
  2. 字符串转十六进制
  3. 随机(1-100)生成e
  4. RSA加密

解密步骤:

  1. 通过md5爆破e
  2. 常规破解RSA
  3. 十六进制转字符串
  4. 爆破key和flag

exp.py

#-*- coding: UTF-8 -*- 
import random
import hashlib
from Crypto.Util.number import *

emd5='37693cfc748049e45d87b8c7d8b9aacd'

n=4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523

p=64310413306776406422334034047152581900365687374336418863191177338901198608319

e=0

c=3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397

# 通过遍历反解md5
for i in range(1,101):
    md = hashlib.md5()
    md.update(str(i).encode())
    
    if md.hexdigest()==emd5:
        e=i
        
print('e=',e)
# e= 23

# 常规解RSA
q=n//p

phi_n = (p - 1) * (q - 1)

d = inverse(e, phi_n)

m = pow(c, d, n)

# 获得key混淆后的flag
mi = long_to_bytes(m).decode()

# 通过遍历循环爆破key以及对应的flag
for key in range(1,11):
    flag=""
    for i in range(len(mi)):
        flag += chr(ord(mi[i])^key)
    print(key,flag)

'''
1 oehnr^:8jfD:VJ9d:V>fVo=]:j}ot
2 lfkmq]9;ieG9UI:g9U=eUl>^9i~lw
3 mgjlp\8:hdF8TH;f8T<dTm?_8hmv
4 j`mkw[?=ocA?SO<a?S;cSj8X?oxjq
5 kaljvZ><nb@>RN=`>R:bRk9Y>nykp
6 hboiuY=?maC=QM>c=Q9aQh:Z=mzhs
7 icnhtX<>l`B<PL?b<P8`Pi;[<l{ir
8 flag{W31coM3_C0m3_7o_f4T3ctf}
9 gm`fzV20bnL2^B1l2^6n^g5U2bug|
10 dnceyU13amO1]A2o1]5m]d6V1avd
'''
posted @ 2025-08-31 22:12  JasonJHu  阅读(16)  评论(0)    收藏  举报