攻防世界-Crypto-说我作弊需要证据
2019-07-16 本文已影响5人
简言之_
题目信息
根据题目描述将十六进制数(n,e)转换为十进制值,然后再分解n:在线分解
Alice: n=0x53a121a11e36d7a84dde3f5d73cf = 38456719616722997*44106885765559411
Bob: n=0x99122e61dc7bede74711185598c7 = 49662237675630289*62515288803124247
公钥: e = 0x10001 = 65537
下载附件得到一个数据包,打开追踪流发现信息,我们注意到从Alice(192.168.0.13)和Bob(192.168.0.37)的每个数据包都包含base64编码的有效负载。
image
随便选择几条base64进行解密,解码得到序列号,数据和签名
SEQ = 4; DATA = 0x2c29150f1e311ef09bc9f06735acL; SIG = 0x1665fb2da761c4de89f27ac80cbL;
SEQ = 13; DATA = 0x3b04b26a0adada2f67326bb0c5d6L; SIG =0x2e5ab24f9dc21df406a87de0b3b4L;
SEQ = 2; DATA = 0x8a03676745df01e16745145dd212L; SIG = 0x1378c25048c19853b6817eb9363aL;
SEQ = 20; DATA = 0x674880905956979ce49af33433L; SIG = 0x198901d5373ea225cc5c0db66987L;
SEQ = 0; DATA = 0x633282273f9cf7e5a44fcbe1787bL; SIG = 0x2b15275412244442d9ee60fc91aeL;
SEQ = 28; DATA = 0x19688f112a61169c9090a4f9918dL; SIG =0x1448ac6eee2b2e91a0a6241e590eL;
猜测应该是解密数据部分,便可以得到flag。
求解私钥:
from Crypto.PublicKey import RSA
import gmpy
n = long(3104649130901425335933838103517383)
e = long(65537)
p = 49662237675630289
q = 62515288803124247
d = long(gmpy.invert(e, (p-1)*(q-1)))
rsa = RSA.construct( (n, e, d) )
使用私钥就可以可以解密数据
decrypted=rsa.decrypt(long('0x2c29150f1e311ef09bc9f06735acL', 16))
print str(hex(decrypted)).strip('0x').rstrip('L').decode('hex')
这会产生换行符(\ n 0x0a)。
查看其余的解码数据包,我们注意到每个数据都包含一个加密字符。将解密的字符放在输出字符串中的序列号的位置是有意义的。我们现在需要解决的是具有相同序列号的多个数据包的问题。为了从好的数据包中分离出坏消息,我们需要使用Alice的私钥来检查签名是否与数据包匹配。
解密脚本:
准备:
1.我首先需要pcapng
另存为pcap文件
2.需要python库:gmpy2,pycrypto,pypcapfile
3.将脚本和
bob_alice_encrypted.pcap
放在一起,然后运行脚本image
from Crypto.PublicKey import RSA
import gmpy2
# Alice's public encryption parameters
n1 = long(1696206139052948924304948333474767)
e = long(65537)
# Bob's
n2 = long(3104649130901425335933838103517383)
# Yes! We can factorize the n
p1 = 38456719616722997
q1 = 44106885765559411
p2 = 49662237675630289
q2 = 62515288803124247
# that means we can find the decryption exponent d
phi1 = (p1-1)*(q1-1)
phi2 = (p2-1)*(q2-1)
d1 = long(gmpy2.invert(e, phi1))
d2 = long(gmpy2.invert(e, phi2))
# now construct the RSA with all the parameters
rsa1 = RSA.construct( (n1, e, d1) )
rsa2 = RSA.construct( (n2, e, d2) )
# and decrypt the messages from a pcap file!
from pcapfile import savefile
cf = savefile.load_savefile(open("bob_alice_encrypted.pcap"))
output = {}
for p in cf.packets:
pack = str(p.packet)[136:].decode('hex').decode('base64')
if 'DATA' in pack:
seq = int(pack.split(';')[0].split(' ')[2])
data = pack[16:].split(';')[0][:-1]
sig = long(pack.split(';')[2].split(' = ')[1], 16)
m = long(data, 16)
decrypted = rsa2.decrypt(m)
sigcheck = rsa1.sign(decrypted, '')[0]
val = str(hex(decrypted)).strip('0x').rstrip('L').zfill(2).decode('hex')
if sig == sigcheck:
output[seq] = val
print ''.join(output.values())