NCTF2024-crypto

NCTF2024-Crypto

拼尽全力就写出两题，已经不想思考了，都不难，只是细节(指数据处理)有点麻烦。

sign

题目

from Crypto.Util.number import *
from util import *
from os import getenv
from Crypto.Util.Padding import pad
from random import Random
from Crypto.Cipher import AES
from hashlib import md5

string = open('secret.txt').read().strip().encode()
flag = getenv('FLAG').encode()

if __name__=='__main__':
    Keys = []
    for m in string:
        f = FHE()
        s = long_to_bytes(Random().getrandbits(20000))
        for i in s[4:]:
            Keys.extend(f.encrypt([i]))

        for i in s[:4]:
            Keys.extend(f.encrypt([i * (m & 0x03) % 0x101]))
            m >>= 2
        
    assert len(Keys) == 30000

    print(f'[+] Your ciphertext: {AES.new(md5(string).digest(),AES.MODE_ECB).encrypt(pad(flag,16)).hex()}')
    input(f'[+] The keys to retrieve the global internet connection are as follows:')
    for i in range(30000):
        print(f'[+] {Keys[i]}')

util.py

from os import urandom
from Crypto.Util.number import *

def getrandint(n:int):
    return int.from_bytes(urandom(n//8+1)) % pow(2,n)

class FHE:
    def __init__(self):
        self.p = getPrime(77)
        self.pubkeys = []
        for _ in range(16):
            self.pubkeys.append(self.p * getrandint(177) + (getrandint(17) << 8))

    def encrypt(self,msg:list[int] | bytes):
        result = []
        for m in msg:
            tmp = 0
            shuffle_base = urandom(16)
            for i in shuffle_base:
                x,y = divmod(i,16)
                tmp += x*self.pubkeys[y] + y*self.pubkeys[x]
            result.append(tmp + m)
        return result

分析

s = long_to_bytes(Random().getrandbits(20000))，先生成的32bits在s的低位，总共有625个32bits，而我们需要的m在最高位，即最后生成的32bits。显然我们需要打MT19937预测出最后这一个32bits，前面624*32=19968刚刚好够用，现在就是要解出这前面的19968位
分析FHE()，通过观察，shuffle_base生成的这十六轮随机无法预测，随意最后结果可以简化为result=p*A+256*B+m，分析得出m=result%p%256,所以我们现在需要求出p
显然p*A>>256*B>>m，通过AGCD可以求出p，参考AGCD近似最大公约数问题 | 独奏の小屋
打完MT19937后就没什么密码学方面的难点了，主要就是一些数据处理

EXP

from Crypto.Util.number import *
from util import *
from random import *
from sage.all import *
from tqdm import *
from pwn import *
from Crypto.Cipher import AES
from hashlib import md5

sh=remote("39.106.16.204",13589)

sh.recvuntil(b'ciphertext: ')
ciphertext=sh.recvline().strip().decode()
sh.recvuntil(b' follows:')
sh.sendline(b'')
Keys=[]
for i in range(30000):
    sh.recvuntil(b'[+] ')
    key=sh.recvline().strip().decode()
    Keys.append(int(key))

sh.close()

assert len(Keys) == 30000

stri=""
RNG = Random()
length = 19968
def construct_a_row(RNG):
    row = []
    for i in range(624):
        t1 = bin(RNG.getrandbits(32))[2:].zfill(32)
        for tt in t1:
            row+=tt
    return row
"""L = []
for i in trange(length):
    state = [0]*624
    temp = "0"*i + "1"*1 + "0"*(length-1-i)
    for j in range(624):
        state[j] = int(temp[32*j:32*j+32],2)
    RNG.setstate((3,tuple(state+[624]),None))
    L.append(construct_a_row(RNG))
L = Matrix(GF(2),L)
save(L, "matrix.sobj")"""
#自己测试的时候已经生成好了，这里节省时间
L = load("matrix.sobj")

for i in range(0,30000,2500):

    le=10
    rho=22
    xs=Keys[i:i+le]

    #https://hasegawaazusa.github.io/agcd-note.html
    A = ZZ(pow(2, rho + 1))
    B = matrix(xs[1:])
    C = matrix.diagonal([-xs[0]] * (le - 1))
    M = matrix.block([[A, B], [ZZ(0), C]])
    M = M.LLL()
    q0 = ZZ(M[0, 0] / A).abs()
    e0 = ZZ(xs[0] % q0)
    p = ZZ((xs[0] - e0) / q0)

    gift=[int(j%p%256) for j in Keys[i:i+2500]]
    gift=[(gift[j]<<24)+(gift[j+1]<<16)+(gift[j+2]<<8)+gift[j+3] for j in range(0,len(gift),4)]
    gift=gift[::-1]
    known = []
    for j in gift[1:]:
        for k in bin(j)[2:].zfill(32):
            known+=k
    print("[+] solve_left ",end="")
    s = L.solve_left(vector(GF(2),known))
    print("ok!")
    init = "".join(list(map(str,s)))
    state = []
    for j in range(624):
        state.append(int(init[32*j:32*j+32],2))
        

    prng = Random()
    prng.setstate(tuple([3, tuple(state+[624]), None]))
    for _ in range(624):
        prng.getrandbits(32)

    s=long_to_bytes(prng.getrandbits(32))
    m=[j%p%256 for j in Keys[i+2500-4:i+2500]]
    m=[(m[j]*inverse_mod(s[j],0x101))%0x101 for j in range(4)]
    x=0
    for j in m[::-1]:
        x=(x<<2)+j
    print(x)
    stri+=bytes([x])

print(AES.new(md5(stri).digest(),AES.MODE_ECB).decrypt(ciphertext))

archav

题目

from Crypto.Util.number import *
from os import urandom,getenv
from functools import reduce
from Crypto.Cipher import AES

class LCG:
    def __init__(self,seed:int) -> None:
        self.p = getPrime(1024)
        self.a = getPrime(1023)
        self.b = getPrime(1023)
        self.status = seed

    def next(self) -> int:
        ret = self.status
        self.status = (self.status * self.a + self.b) % self.p
        return ret
    
def crystal_trick(m:bytes) -> bytes:
    m = bytearray(m)
    for i in range(len(m)):
        m[i] = reduce(lambda x,y: x^y^urandom(1)[0],m[:i],m[i])
    return m

class RSA:
    def __init__(self):
        p = getStrongPrime(1024)
        q = getStrongPrime(1024)
        self.p = p
        self.N = p * q
        self.e = 65537
        self.d = pow(self.e, -1, (p-1)*(q-1))

    def encrypt(self,m:int) -> int:
        return pow(m,self.e,self.N)
    
    def decrypt(self,c:int) -> int:
        return pow(c,self.d,self.N) 

class MyRSA1(RSA):
    def encrypt(self,m:bytes) -> bytes:
        return super().encrypt(int.from_bytes(m)).to_bytes(256)
    
    def decrypt(self,c:bytes) -> bytes:
        return super().decrypt(int.from_bytes(c)).to_bytes(256)

class MyRSA2(RSA):
    def encrypt(self,m:bytes) -> bytes:
        return pow(int.from_bytes(m),self.e,self.N).to_bytes(256,'little')
    
    def decrypt(self,c:bytes) -> bytes:
        m = pow(int.from_bytes(c),self.d,self.N).to_bytes(256,'little')
        print('Hibiscus is here to trick your decryption result!!')
        return crystal_trick(m)

menu = '''
Welcome to NCTF 2025 arcahv challenge!

--- Menu ---
[1] View encrypted flag and hint
[2] Play with the decryption orcale
[3] Get some random numbers for fun
[4] Exit

Your Option > '''


if __name__=='__main__':
    print('Loading, please wait...')
    
    # flag = open('flag.txt').read().strip().encode()
    flag = getenv('FLAG').encode()
    attempts = 75
    r1 = MyRSA1()
    r2 = MyRSA2()
    hint1 = r2.encrypt(r1.p.to_bytes(128))

    key = urandom(16)
    hint2 = AES.new(key,AES.MODE_ECB).encrypt(r1.N.to_bytes(256))

    def flag_and_hint():
        print(f'Encrypted flag: {r1.encrypt(flag).hex()}')
        print(f'Hint1: {hint1.hex()}')
        print(f'Hint2: {hint2.hex()}')

    def rsachal(): 
        global attempts

        print("Since you didn't v Hibiscus 50 on crazy thursday, Hibiscus decided to do some trick on your decryption result!")
        print(f'Your pubkey:({hex(r2.N)[2:]},{hex(r2.e)[2:]})')

        while attempts > 0:
            if input('Do you still want to try decryption(y/[n])?') != 'y':
                break

            c = bytes.fromhex(input(f'You have {attempts} remaining access to decryption orcale!\nYour ciphertext(in hex):'))
            print(f'Result: {r2.decrypt(c).hex()}')
            attempts -= 1
        
        if attempts == 0:
            print('Unfortunately, you are out of decryption attempts! Come back again on nctf2026 ~')

    
    def lcgchal():
        lcg = LCG(int.from_bytes(key))

        print('Tempering with LCG generator, please wait...')
        while urandom(1)[0] & 0xff:
            lcg.next()
        
        hexnums = ''.join(hex(lcg.next())[2:] for _ in range(5))
        if len(hexnums) % 16:
            hexnums = hexnums.zfill((len(hexnums) // 16 + 1) * 16)
        
        idx = 0
        while input('Do you want another unsigned long long number(y/[n])?') == 'y':
            print(int(''.join(hexnums[idx:idx+16]),16))
            idx = (idx + 16) % len(hexnums)

    def bye():
        print('Hope you have fun during the challenge XD:)')
        exit(0)

    fundc = {1:flag_and_hint,2:rsachal,3:lcgchal,4:bye}

    while True:
        opt = input(menu)
        if len(opt) == 0 or opt not in '1234':
            opt = '4'
        fundc[int(opt)]()

分析

第一层LCG，没啥难点，就是只给5个数据需要点运气才能利用GCD求出来模数，中间出错基本就是这里问题，多试几次就好了。

第二层RSA bytes orcale，ctf-wiki上讲的很详细了RSA 选择明密文攻击 - CTF Wiki。

之后显然只有75轮是不够的，最多也是只能得到75*8=600位的p，最后打一个高位攻击就好了。主要就是可以先自己运行127轮，将 $256^{127}p$ 构造到 $r_2.N$ 这个数量级上（应该是可以直接设置上限了，我懒得思考了），然后再跟服务器交互。

EXP

from Crypto.Util.number import *
from Crypto.Cipher import AES
from gmpy2 import *
import decimal
from sage.all import *

from pwn import *

sh=remote("39.106.16.204",13620)
#context.log_level = 'debug'

sh.recvuntil(b'Option > ')
sh.sendline(b'1')

sh.recvuntil(b'flag: ')
ciphertext=bytes_to_long(bytes.fromhex(sh.recvline().strip().decode()))

sh.recvuntil(b'Hint1: ')
Hint1=bytes.fromhex(sh.recvline().strip().decode())

sh.recvuntil(b'Hint2: ')
Hint2=bytes.fromhex(sh.recvline().strip().decode())


sh.recvuntil(b'Option > ')
sh.sendline(b'3')


s=[]
for idx in range(0,1280,16):
    sh.recvuntil(b'(y/[n])?')
    sh.sendline(b'y')
    s.append(int(sh.recvline().strip().decode()))
    
s=[int(''.join([hex(j)[2:].zfill(16) for j in s[i:i+16]]),16) for i in range(0,80,16)]

length=len(s)
t = []
for i in range(1,length):
    t.append(s[i]-s[i-1])
all_n = []
for i in range(1,length-3):
    all_n.append(gcd((t[i+1]*t[i-1]-t[i]*t[i]), (t[i+2]*t[i]-t[i+1]*t[i+1])))

for n in all_n:
    n=int(abs(n))
    if n.bit_length()<1024 and isPrime(n):
        continue
    a=(s[2]-s[1])*invert((s[1]-s[0]),n)%n
    ani=invert(a,n)
    b=(s[1]-a*s[0])%n

    #这里可能找不到正确的LCG的p
    print("find p")

    seed=s[0]
    while True:
        seed=int((seed-b)*inverse(a,n) % n)
        if seed.bit_length()<=128:
            break
    seed=long_to_bytes(seed)
    print("find key")
    print(seed)
    
    #这里不对还是因为上面p找不对
    r1n=bytes_to_long(AES.new(seed,AES.MODE_ECB).decrypt(Hint2))
    

    sh.recvuntil(b'(y/[n])?')
    sh.sendline(b'n')

    sh.recvuntil(b'Option > ')
    sh.sendline(b'2')

    sh.recvuntil(b'Your pubkey:(')
    r2n=int(sh.recvuntil(b',').strip().decode()[:-1],16)
    r2e=int(sh.recvline().strip().decode()[:-1],16)

    # https://ctf-wiki.org/crypto/asymmetric/rsa/rsa_chosen_plain_cipher/#rsa-byte-oracle
    c=int.from_bytes(Hint1,'little')
    
    decimal.getcontext().prec = int(2048)
    L = decimal.Decimal(int(0))
    R = decimal.Decimal(int(r2n))

    #自测
    #127*8=1016 差不多将r1.p乘到跟r2.N一个数量级了
    for i in range(127):
        c = (c * pow(256, r2e, r2n)) % r2n

        interval=(R-L)/int(256)
        L=L+interval*int(0)
        R=L+interval

    for _ in range(75):
        sh.recvuntil(b'(y/[n])?')
        sh.sendline(b'y')

        c = int((c * pow(256, r2e, r2n)) % r2n)

        sh.recvuntil(b'(in hex):')
        #这里不zfill服务器会报错
        sh.sendline(hex(c)[2:].zfill(512).encode())

        sh.recvuntil(b'Result: ')
        x=bytes.fromhex(sh.recvline().strip().decode())
        res=int.from_bytes(x,'little')
        res=int(res%256)


        for j in range(256):
            if int(-j*r2n%256)==res:
                interval=(R-L)/int(256)
                L=L+interval*j
                R=L+interval


    high_p=(int(R)>>440)<<440

    PR.<x> = PolynomialRing(Zmod(r1n))
    f = high_p + x
    x = f.small_roots(X = 2^440,beta = 0.4)
    p=int(high_p+x[0])

    q=int(r1n//p)

    e=65537
    d=inverse(e,(p-1)*(q-1))
    print(long_to_bytes(int(pow(int(ciphertext),int(d),int(r1n)))))

ctf > wp

#crypto

NCTF2024-crypto

http://example.com/2025/03/23/nctf2024/

作者

Naby

发布于

2025年3月23日

许可协议

AI小项目之springboot+vue 下一篇