- 概述
- 题目
- 解法
HackTheBox 网站CTF靶场密码学相关题目TwoForOne,题目地址https://app.hackthebox.eu/challenges/twoforone,主要考点为RSA共模攻击。
题目下载附件并解压缩,得到4个文件
识别文件格式
使用openssl分析key1.pem
openssl rsa -pubin -in key1.pem -text -modulus
Public-Key: (2048 bit)
Modulus:
00:c6:ac:b8:df:48:6e:66:71:d4:a5:56:48:03:e1:
c3:21:4a:8e:27:4d:e0:ac:00:43:ec:28:c8:58:9f:
37:7c:7e:8d:30:8b:c3:e3:02:85:03:84:34:4b:a7:
98:88:85:62:0a:41:8e:6a:d9:55:57:82:84:fc:04:
f2:89:f1:26:b3:8a:01:81:62:51:ce:f9:a1:4f:d4:
c2:49:d9:6b:69:08:7f:a9:1b:2e:1a:db:dc:80:cb:
96:ff:0c:cb:61:29:d8:f6:73:7d:a8:50:c4:51:f2:
ed:3f:6c:b6:1c:36:89:1d:c9:24:d0:ab:28:f2:6a:
df:0e:d3:57:ce:84:8d:02:ff:e0:09:12:71:4c:cf:
63:72:c1:f4:10:80:e8:67:47:a0:30:3e:b5:cd:f6:
ce:91:2f:11:44:fd:4f:55:74:3c:79:68:75:a1:4f:
df:f8:f8:b6:62:15:0c:56:be:58:b0:92:39:77:1d:
c4:4d:96:90:79:c4:ad:8f:d9:93:bc:63:0b:78:55:
d2:e0:2e:8b:e1:68:24:dc:d5:ab:38:13:23:1c:17:
31:11:0a:8b:d0:28:d7:a1:df:ab:89:2e:75:29:45:
57:ba:fc:71:ae:af:5e:48:db:02:67:a6:db:63:d3:
50:f9:95:06:8e:e1:ca:d6:d3:2d:f1:1a:49:bd:24:
ba:97
Exponent: 65537 (0x10001)
Modulus=C6ACB8DF486E6671D4A5564803E1C3214A8E274DE0AC0043EC28C8589F377C7E8D308BC3E302850384344BA7988885620A418E6AD955578284FC04F289F126B38A01816251CEF9A14FD4C249D96B69087FA91B2E1ADBDC80CB96FF0CCB6129D8F6737DA850C451F2ED3F6CB61C36891DC924D0AB28F26ADF0ED357CE848D02FFE00912714CCF6372C1F41080E86747A0303EB5CDF6CE912F1144FD4F55743C796875A14FDFF8F8B662150C56BE58B09239771DC44D969079C4AD8FD993BC630B7855D2E02E8BE16824DCD5AB3813231C1731110A8BD028D7A1DFAB892E75294557BAFC71AEAF5E48DB0267A6DB63D350F995068EE1CAD6D32DF11A49BD24BA97
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxqy430huZnHUpVZIA+HD
IUqOJ03grABD7CjIWJ83fH6NMIvD4wKFA4Q0S6eYiIViCkGOatlVV4KE/ATyifEm
s4oBgWJRzvmhT9TCSdlraQh/qRsuGtvcgMuW/wzLYSnY9nN9qFDEUfLtP2y2HDaJ
Hckk0Kso8mrfDtNXzoSNAv/gCRJxTM9jcsH0EIDoZ0egMD61zfbOkS8RRP1PVXQ8
eWh1oU/f+Pi2YhUMVr5YsJI5dx3ETZaQecStj9mTvGMLeFXS4C6L4Wgk3NWrOBMj
HBcxEQqL0CjXod+riS51KUVXuvxxrq9eSNsCZ6bbY9NQ+ZUGjuHK1tMt8RpJvSS6
lwIDAQAB
-----END PUBLIC KEY-----
得到
e = 65537 n = 0xC6ACB8DF486E6671D4A5564803E1C3214A8E274DE0AC0043EC28C8589F377C7E8D308BC3E302850384344BA7988885620A418E6AD955578284FC04F289F126B38A01816251CEF9A14FD4C249D96B69087FA91B2E1ADBDC80CB96FF0CCB6129D8F6737DA850C451F2ED3F6CB61C36891DC924D0AB28F26ADF0ED357CE848D02FFE00912714CCF6372C1F41080E86747A0303EB5CDF6CE912F1144FD4F55743C796875A14FDFF8F8B662150C56BE58B09239771DC44D969079C4AD8FD993BC630B7855D2E02E8BE16824DCD5AB3813231C1731110A8BD028D7A1DFAB892E75294557BAFC71AEAF5E48DB0267A6DB63D350F995068EE1CAD6D32DF11A49BD24BA97
同理使用openssl分析key2.pem,得到
e = 343223 n = 0xC6ACB8DF486E6671D4A5564803E1C3214A8E274DE0AC0043EC28C8589F377C7E8D308BC3E302850384344BA7988885620A418E6AD955578284FC04F289F126B38A01816251CEF9A14FD4C249D96B69087FA91B2E1ADBDC80CB96FF0CCB6129D8F6737DA850C451F2ED3F6CB61C36891DC924D0AB28F26ADF0ED357CE848D02FFE00912714CCF6372C1F41080E86747A0303EB5CDF6CE912F1144FD4F55743C796875A14FDFF8F8B662150C56BE58B09239771DC44D969079C4AD8FD993BC630B7855D2E02E8BE16824DCD5AB3813231C1731110A8BD028D7A1DFAB892E75294557BAFC71AEAF5E48DB0267A6DB63D350F995068EE1CAD6D32DF11A49BD24BA97解法
RSA基础知识可参考HackTheBox-Weak RSA
使用python库gmpy2分析,可以发现e不同,但n相同,且e互质,如下
In [1]: import gmpy2 In [2]: e1 = 65537 In [3]: e2 = 343223 In [4]: gmpy2.gcd(e1,e2) Out[4]: mpz(1)
e互质,n相同,属于RSA的共模攻击,利用gmpy2,解题代码如下
# coding: utf-8
import gmpy2
from Crypto.Util.number import long_to_bytes
e1 = 65537
e2 = 343223
n = 0xC6ACB8DF486E6671D4A5564803E1C3214A8E274DE0AC0043EC28C8589F377C7E8D308BC3E302850384344BA7988885620A418E6AD955578284FC04F289F126B38A01816251CEF9A14FD4C249D96B69087FA91B2E1ADBDC80CB96FF0CCB6129D8F6737DA850C451F2ED3F6CB61C36891DC924D0AB28F26ADF0ED357CE848D02FFE00912714CCF6372C1F41080E86747A0303EB5CDF6CE912F1144FD4F55743C796875A14FDFF8F8B662150C56BE58B09239771DC44D969079C4AD8FD993BC630B7855D2E02E8BE16824DCD5AB3813231C1731110A8BD028D7A1DFAB892E75294557BAFC71AEAF5E48DB0267A6DB63D350F995068EE1CAD6D32DF11A49BD24BA97
c1=int(open('./message1','rb').read().decode('base64').encode('hex'),16)
c2=int(open('./message2','rb').read().decode('base64').encode('hex'),16)
_, r, s = gmpy2.gcdext(e1, e2)
m = pow(c1, r, n) * pow(c2, s, n) % n
print long_to_bytes(m)
在python2环境运行后得到flag
