from Crypto.Util.number import * from secret import * flag_part = flag_content + '#' + secret_token p = getPrime(512) q = getPrime(512)
m = bytes_to_long(flag_part.encode())
e = 5 n = p*q
c = pow(m,e,n)
print('n =', n) print('c =', c) print('flag_part =', flag_part) print() print('--- hint begin ---') print('flag = "flag{" + flag_part + "}"') print('type of secret_token is', type(secret_token)) print('length of secret_token is', len(secret_token))
# n = 131889193322687215946601811511407251196213571687093913054335139712633125177496800529685285401802802683116451016274353008428347997732857844896393358010946452397522017632024075459908859131965234835870443110233375074265933004741459359128684375786221535003839961829770182916778717973782408036072622166388614214899 # c = 11188201757361363141578235564807411583085091933389381887827791551369738717117549969067660372214366275040055647621817803877495473068767571465521881010707873686036336475554105314475193676388608812872218943728455841652208711802376453034141883236142677345880594246879967378770573385522326039206400578260353074379 # flag_part = sm4ll_r00ts_is_brilliant#◼️◼️◼️◼️◼️◼️◼️◼️ # # --- hint begin --- # flag = "flag{" + flag_part + "}" # type of secret_token is <class 'str'> # length of secret_token is 8
根据题目提示,可以看出是rsa的m高位泄露攻击:
将first_part 字节转换成十进制
1 2 3 4
from Crypto.Util.number import * high_m=b'sm4ll_r00ts_is_brilliant#00000000' print(bytes_to_long(high_m)) # high_m = 13365484987144638321487231038779529936591301518920854766433948366068803286609968
n = 131889193322687215946601811511407251196213571687093913054335139712633125177496800529685285401802802683116451016274353008428347997732857844896393358010946452397522017632024075459908859131965234835870443110233375074265933004741459359128684375786221535003839961829770182916778717973782408036072622166388614214899 c = 11188201757361363141578235564807411583085091933389381887827791551369738717117549969067660372214366275040055647621817803877495473068767571465521881010707873686036336475554105314475193676388608812872218943728455841652208711802376453034141883236142677345880594246879967378770573385522326039206400578260353074379 high_m= 13365484987144638321487231038779529936591301518920854766433944893740507058929664
R.<x> = PolynomialRing(Zmod(n), implementation='NTL') m = high_m + x M = m((m^5 - c).small_roots()[0]) print(M)
# M = 13365484987144638321487231038779529936591301518920854766433952055361547196905266
解密M:将十进制转换成字节
1 2 3 4 5
from Crypto.Util.number import *
M = 13365484987144638321487231038779529936591301518920854766433952055361547196905266 print(long_to_bytes(M).decode('utf-8', errors='ignore')) # sm4ll_r00ts_is_brilliant#cc0dac72
from Crypto.Util.number import * from hashlib import *
m = 2180240512138982889935733758776025289492848542072999905411903898302427496814336475436552230920326681809745778470583226987 n = 25505131259827344749407187081729819350996141100990518281765117676936124636084125400315049858697199427401342785804654120926568235761577895862889807660442415521870277729420875825744007886870384790308986342360349597392841568418588521694478184632631896474390291958350681472768485356865513284619086754437723630874827593280089682939629265210875169009057935264259019861755270570945614034505771690412042781423771110441028258110022746603974882162934979726300741541857444013708508946471384525030286343828680432038605288717842755346907256658746733811881247992925881684393431852248253701825024590345480994598867741811599162649467 S_ = 5510086561842250138908875342533294108331951659612671466695801343686972919443402163401521040457640602756777910081639191753436122171756174730531385913865951826869995984787102439679170684422717808771260217541439878677750508065703064081375473845405916674327932798153100574555933448570618732842365795738120491532398081467312017203933413296779070611024124965772787502242499016884537233028947865288037718074352448773759363242111080540630360902388540661831992776707600133253329779003707938065020121645530719140954554800986771763343191398210100325971573069812381693089384221441735278736889673500218274673196333806222266248844379127652366 S = 11422623501509574650959962952004985925543723972567988534433510888436662069119800576321679344425052011563473005275801787271861671898318523033415642388512047035650991047953319601346912194462122313366888126100093635969476696871403883687946617575837061694813669883782221006701704487938500886952347003631626326127154081787016692856628561200386941683756397734100698520464199249811238013146899352390453500132666840606585760306723894654933077094375810666168464835756607377998959675132305971721109661644231613426322675350973373434138686086023265910883509514575554429502214217460059521619625693750938117427832654792355808803321
e = 65537 p = GCD(pow(S_, e, n) - pow(m, 1, n), n) q = n // p