BUUCTF---bbbbbras

题目

p = 177077389675257695042507998165006460849
n = 37421829509887796274897162249367329400988647145613325367337968063341372726061
c = ==gMzYDNzIjMxUTNyIzNzIjMyYTM4MDM0gTMwEjNzgTM2UTN4cjNwIjN2QzM5ADMwIDNyMTO4UzM2cTM5kDN2MTOyUTO5YDM0czM3MjM

flag = "******************************"

nbit = 128

p = getPrime(nbit)
q = getPrime(nbit)
n = p*q

print p
print n

phi = (p-1)*(q-1)

e = random.randint(50000,70000)

while True:
	if gcd(e,phi) == 1:
		break;
	else:
		e -= 1;

c = pow(int(b2a_hex(flag),16),e,n)

print b32encode(str(c))[::-1]

# 2373740699529364991763589324200093466206785561836101840381622237225512234632

解题

分析题目给出来n,p和c的加密，对此可以得出q,base32加密并倒序的c
根据RSA加密算法，e,d未知，d无从下手，e的生成入手

点击查看代码

import gmpy2
import hashlib
import binascii
from Crypto.Util.number import *
'''
c = "==gMzYDNzIjMxUTNyIzNzIjMyYTM4MDM0gTMwEjNzgTM2UTN4cjNwIjN2QzM5ADMwIDNyMTO4UzM2cTM5kDN2MTOyUTO5YDM0czM3MjM"
print(c[::-1])
'''

c = 2373740699529364991763589324200093466206785561836101840381622237225512234632
p = 177077389675257695042507998165006460849
n = 37421829509887796274897162249367329400988647145613325367337968063341372726061
q = n//p
phi = (p-1)*(q-1)
for e in range(50000,70000):
    if(gmpy2.gcd(e,phi)==1):
        d = gmpy2.invert(e,phi)
        m = gmpy2.powmod(c,d,n)
        if 'flag' in str(long_to_bytes(m)):
            print('e = ', e)
            print(long_to_bytes(m))
            break

flag{rs4_1s_s1mpl3!#}