# 第四届 美团MTCTF Write-up (Crypto)

#### Symbol

md5后提交正确。多一嘴，md5默认32位小写（不用像我一样把4种都试一遍）。

#### hamburgerRSA

from Crypto.Util.number import *

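# Challenge source with its block structure restored: the page dropped all
# indentation, so the listing did not parse as published.

# Bit length of each base prime p and q.
nbit = 64

# Key generation. PP and QQ are built by writing p and q out in decimal and
# concatenating the digit strings, so the whole modulus is determined by two
# 64-bit primes rather than by two independently chosen large primes.
# Expanding PP * QQ shows the consequence: the trailing decimal digits of n
# are those of p * q, and the leading digits match p * q up to a carry, so
# the small product p * q is exposed by n itself. RSA primes must be drawn
# independently at random at full size, with no algebraic or textual relation.
while True:
    p, q = getPrime(nbit), getPrime(nbit)
    PP = int(str(p) + str(p) + str(q) + str(q))
    QQ = int(str(q) + str(q) + str(p) + str(p))
    if isPrime(PP) and isPrime(QQ):
        break

n = PP * QQ
# NOTE(review): `flag` is not defined anywhere in this listing; it is the
# challenge secret and is supplied outside the published code.
m = bytes_to_long(flag.encode())
# Textbook RSA: the message is exponentiated directly, with no padding scheme.
c = pow(m, 65537, n)
print('n =', n)
print('c =', c)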



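p,q中一个为19位一个为20位（因为如果都是20或19位的话PP和QQ肯定不是质数：两者位数同为k时，PP=(p·10^{2k}+q)(10^k+1)，QQ同理，必为合数）。又因为 N=PP·QQ 的最低19位就是 p·q 的最低19位，最高19位（不考虑进位）就是 p·q 的最高19位，而 p·q 只有38或39位，所以取出 N 的首尾各19位、再枚举中间至多一位，就能还原 p·q 并分解。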

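# Block structure restored: the loop body lost its indentation on the page.
# NOTE(review): `factor` is not defined or imported in this listing; it is
# presumably Sage's factor(), so this snippet is meant to run under Sage.

# Modulus printed by the challenge.
N = 177269125756508652546242326065138402971542751112423326033880862868822164234452280738170245589798474033047460920552550018968571267978283756742722231922451193

# First and last 19 decimal digits of N.
low = str(N)[-19:]
high = str(N)[:19]

# Rebuild a 38- or 39-digit candidate from the two ends of N: either nothing
# or a single digit 0-9 is placed between them, giving eleven candidates.
for mid in [''] + [str(d) for d in range(10)]:
    n = int(high + mid + low)
    f = factor(n)
    # Keep only candidates whose factorization has exactly two entries.
    if len(f) == 2:
        print(f)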


from Crypto.Util.number import*
# The two prime factors of the challenge modulus. Each is the decimal
# concatenation of a 19-digit and a 20-digit number, each written twice.
PP = 978854293858047442997885429385804744291810985831791386711718109858317913867117
QQ = 181098583179138671171810985831791386711797885429385804744299788542938580474429

# Ciphertext printed by the challenge.
c = 47718022601324543399078395957095083753201631332808949406927091589044837556469300807728484035581447960954603540348152501053100067139486887367207461593404096

# Standard RSA private-key derivation once both factors are known.
e = 65537
n = PP * QQ
phi = (PP - 1) * (QQ - 1)
d = inverse(e, phi)

# Decrypt and print the plaintext bytes.
m = pow(c, d, n)
print(long_to_bytes(m))


#### Remeo’s Encrypting Machine

from Crypto.Util.number import*
from Crypto.Cipher import AES
import socketserver
import signal
assert len(msg) == 32

return msg + bytes([0 for i in range((16 - len(msg))%16)])

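def _recvall(self):
    """Read one client message from ``self.request`` and strip whitespace.

    Data is read in ``BUFF_SIZE`` chunks until a chunk comes back shorter
    than ``BUFF_SIZE``. An empty read (peer closed) is also shorter, so it
    ends the loop as well.

    Returns:
        The accumulated bytes with leading and trailing whitespace removed.
    """
    # Block structure restored: the page published this method unindented.
    BUFF_SIZE = 2048
    data = b''
    while True:
        part = self.request.recv(BUFF_SIZE)
        data += part
        # A short read is treated as the end of the message. A message whose
        # length is an exact multiple of BUFF_SIZE therefore triggers one
        # more blocking recv().
        # NOTE(review): there is no upper bound on how much a client can
        # make this loop accumulate by sending only full-size chunks.
        if len(part) < BUFF_SIZE:
            break
    return data.strip()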

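def send(self, msg, newline=True):
    """Send ``msg`` to the client on a best-effort basis.

    Args:
        msg: Bytes to send.
        newline: When true, ``b'\\n'`` is appended before sending.

    Errors raised while building or sending the message are swallowed, so
    the caller is never told whether the client received anything.
    """
    # Block structure restored: the page published this method unindented.
    try:
        if newline:
            msg += b'\n'
        self.request.sendall(msg)
    except Exception:
        # Still best-effort, but no longer a bare ``except:``, which also
        # swallowed KeyboardInterrupt and SystemExit.
        pass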

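def recv(self):
    """Return one client message; thin wrapper around ``self._recvall()``."""
    # Block structure restored: the page published this method unindented.
    return self._recvall()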

right_num = 0
while 1:
str1 = self.recv().strip()[:8]
true_num = 0
self.send(b'False!')
break
else:
true_num = i + 1

if right_num > true_num:
continue
else:
right_num = true_num

check = b''
for i in range(0x2000):

return True,check[:16]

return False

def handle(self):
signal.alarm(100)
if _ == 1:
assert msg.decode() == final_check.hex()
self.send(b'Good Morning Master!')
self.send(flag)

pass

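class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server that handles each connection in a forked child process.

    All behaviour comes from the two ``socketserver`` base classes; nothing
    is overridden. The class body was published unindented on the page and
    is restored here so that it parses.
    """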

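if __name__ == "__main__":
    # Block structure restored: the page published this block unindented.
    # '0.0.0.0' binds the service on every network interface of the host.
    HOST, PORT = '0.0.0.0', 9999
    # Label corrected from "HOST:POST" to "HOST:PORT".
    print("HOST:PORT " + HOST + ":" + str(PORT))
    # NOTE(review): the statement that constructs `server` is not part of
    # this abridged listing.
    server.serve_forever()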


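exp：(参考自4XWi11的博客)

思路说明（上面的服务端代码有省略，以下为根据节选的推测）：服务端大致是逐字符比较口令，比较失败时返回 False!，只有匹配的前缀长度不小于此前的最好成绩时才会进入 0x2000 轮的计算，因此服务端的响应行为会泄露已经猜对了多少个前缀字符。防御上应对整个口令做常数时间比较（例如 hmac.compare_digest），不要让耗时或返回内容依赖于匹配长度，并限制单个连接/来源的尝试次数。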

from pwn import *
from tqdm import tqdm
from string import printable
import time
import sys

# Solver for the service listed above, run against a local instance on
# 127.0.0.1:9999. It recovers the 8-character password one character at a
# time, extending a known prefix with each candidate from string.printable.
#
# NOTE(review): the page dropped all indentation from this listing, so the
# nesting of the loops and of the try/except below cannot be recovered from
# the text alone. The code is left exactly as published; restore the
# structure from the referenced original before relying on it.
#
# What this demonstrates about the service: its observable behaviour depends
# on how many leading characters of a guess are correct. A full-length,
# constant-time comparison with a uniform response removes that signal.
#context.log_level = 'debug'

# Candidate alphabet and its size.
table = printable
length = len(printable)

# pwd: prefix accepted so far; t: the guess currently being sent;
# index: position in `table` to resume from after a reconnect;
# tip: cleared when a reply contains b'False!', set again on each reconnect.
pwd = ''
t = pwd
index = 0
i = 0
tip = 1

# One pass per password character; the server keeps only the first 8 bytes
# of each message (`self.recv().strip()[:8]`).
for _ in range(8):
while 1:
io = remote('127.0.0.1', 9999)
tip = 1
try:
# Client-side alarm of 105 s; the server arms signal.alarm(100) per connection.
# NOTE(review): `signal` is not imported by name in this script; presumably
# it is provided by `from pwn import *` -- confirm.
signal.alarm(105)
for i in tqdm(range(index, length)):
t = pwd + table[i]
io.recvline()
io.sendline(t.encode())
feedback = io.recvline()
if b'False!' in feedback:
tip = 0
continue
elif b'Success' in feedback:
pwd = t
tip = 1
# Deliberately failing assertion: raises so that control reaches the
# bare `except:` handler below.
assert 1 == 0
signal.alarm(0)
# The bare `except:` is the script's main control-flow path, not error
# handling; presumably it is also reached when the connection drops or
# times out -- confirm against the original.
except:
io.close()
if tip:
pwd = t
if len(pwd) == 8:
print(pwd)
io.recvline()
io.recvline()
sys.exit(0)
index = 0
break
else:
index = i
io.close()
continue
