1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from Crypto.Util.number import *
n = 16084923760264169099484353317952979348361855860935256157402027983349457021767614332173154044206967015252105109115289920685657394517879177103414348487477378025259589760996270909325371731433876289897874303733424115117776042592359041482059737708721396118254756778152435821692154824236881182156000806958403005506732891823555324800528934757672719379501318525189471726279397236710401497352477683714139039769105043411654493442696289499967521222951945823233371845110807469944602345293068346574630273539870116158817556523565199093874587097230314166365220290730937380983228599414137341498205967870181640370981402627360812251649
s = 280513550110197745829890567436265496990
c1 = 10607235400098586699994392584841806592000660816191315008947917773605476365884572056544621466807636237415893192966935651590312237598366247520986667580174438232591692369894702423377081613821241343307094343575042030793564118302488401888197517625333923710172738913771484628557310164974384462856047065486913046647133386246976457961265115349103039946802386897315176633274295410371986422039106745216230401123542863714301114753239888820442112538285194875243192862692290859625788686421276234445677411280606266052059579743874849594812733193363406594409214632722438592376518310171297234081555028727538951934761726878443311071990
c2 = 2665348075952836665455323350891842781938471372943896177948046901127648217780657532963063228780230203325378931053293617434754585479452556620021360669764370971665619743473463613391689402725053682169256850873752706252379747752552015341379702582040497607180172854652311649467878714425698676142212588380080361100526614423533767196749274741380258842904968147508033091819979042560336703564128279527380969385330845759998657540777339113519036552454829323666242269607225156846084705957131127720351868483375138773025602253783595007177712673092409157674720974653789039702431795168654387038080256838321255342848782705785524911705
c3 = 4881225713895414151830685259288740981424662400248897086365166643853409947818654509692299250960938511400178276416929668757746679501254041354795468626916196040017280791985239849062273782179873724736552198083211250561192059448730545500442981534768431023858984817288359193663144417753847196868565476919041282010484259630583394963580424358743754334956833598351424515229883148081492471874232555456362089023976929766530371320876651940855297249474438564801349160584279330339012464716197806221216765180154233949297999618011342678854874769762792918534509941727751433687189532019000334342211838299512315478903418642056097679717

R.<x, y, z> = Zmod(n)[]
I = ideal(x + y + z - s, x^17 - c1, y^17 - c2, z^17 - c3)
res = I.groebner_basis()

m1 = - Integer(res[0] - x) % n
m2 = - Integer(res[1] - y) % n
m3 = - Integer(res[2] - z) % n

m = (m3 << 256) + (m2 << 128) + Integer(m1)

print(long_to_bytes(m))
>>> b'flag{bf684fc7-5398-4bf3-ad5f-cfe3dc53a202}\x06\x06\x06\x06\x06\x06'

IntelligentAlice

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from Crypto.Util import number
from Crypto.PublicKey import RSA
from hashlib import sha256


Usernames = ['Alice', 'Bob', 'Carol', 'Dan', 'Erin']
A = sha256( b'Alice' ).hexdigest()

PKs = []
Ciphers = []
B = []
for i in range(4):
name = Usernames[i+1]

pk = open(name+'Public.pem', 'rb').read()
PKs.append( RSA.importKey(pk) )

cipher = open(name+'Cipher.enc', 'rb').read()
Ciphers.append( number.bytes_to_long(cipher) )

data = '{"from": "'+A+'", "msg": "'+'\x00'*95+'", "to": "'+sha256( name.encode() ).hexdigest()+'"}'
B.append( number.bytes_to_long(data.encode()) )

PR = PolynomialRing(ZZ, 'x')
x = PR.gen()

Fs = []
for i in range(4):
f = PR( ( 2**608*x + B[i] )**PKs[i].e - Ciphers[i] )
ff = f.change_ring( Zmod(PKs[i].n) )
ff = ff.monic()
f = ff.change_ring(ZZ)
Fs.append(f)

F = crt( [ Fs[0]**2, Fs[1]**2, x*Fs[2], x*Fs[3] ], [ PKs[i].n for i in range(4) ] )

M = reduce( lambda x, y: x * y, [ PKs[i].n for i in range(4) ] )
FF = F.change_ring( Zmod(M) )

m = FF.small_roots(X=2**760, beta=7./8)[0]
print(number.long_to_bytes(m))
>>> b"Hahaha, Hastad's method don't work on this. Flag is flag{6b6c9731-5189-4937-9ead-310494b8f05b}."

Boom

wecangetanyE(x)wewantwe \:can \:get\: any \:E(x)\: we\: want

wecangetanyD(x)wewantwe \:can \:get\: any \:D(x)\: we\: want

image-20200729213900723

P0>P1>C1>C3>P3>P2>C2>C0P0 -> P1 -> C1 -> C3 -> P3 -> P2 -> C2 -> C0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import *
from Crypto.Util.number import *
import re
import string
import hashlib
import random


ADDRESS = '127.0.0.1'
PORT = 10001

sh = remote(ADDRESS, PORT)

def proof_of_work():
rec = sh.recvline().decode()
suffix = re.findall(r'\(XXXX\+(.*?)\)', rec)[0]
digest = re.findall(r'== (.*?)\n', rec)[0]

print(suffix, digest)

def f(x):
return hashlib.sha256((x + suffix).encode()).hexdigest() == digest

prefix = util.iters.mbruteforce(
f, string.ascii_letters + string.digits, 4, 'fixed')
return prefix


# prefix = proof_of_work()
# sh.sendlineafter('Give me XXXX:\n', prefix)

sh.recvuntil('Let\'s boom!!!\n\n')
sh.sendline('/enc ' + '0' * 32)

ee0 = int(sh.recvline().strip()[16:32], 16)


def enc(x):
sh.sendline('/enc ' + '0'*32 + hex(ee0 ^ x)[2:].zfill(16) )
c = int(sh.recvline().strip()[32:48], 16)
return c

def dec(x):
sh.sendline('/dec ' + '0'*32)
t = int(sh.recvline().strip()[16:32], 16)
x = t ^ x

sh.sendline('/dec ' + '0'*32 + hex(x)[2:].zfill(16))
m = int(sh.recvline().strip()[32:48], 16)
return m


p0 = bytes_to_long(b'cat flag')

d = 0x0200000282808082
p1 = p0 ^ d
c1 = enc(p1)
c3 = c1 ^ d
p3 = dec(c3)
p2 = p3 ^ d
c2 = enc(p2)
c0 = c2 ^ d

sh.sendline('/cmd ' + hex(c0)[2:].zfill(16))

sh.interactive()

image-20200729214004793

评论