当前位置：首页 > news >正文

202204_DASCTF四月份赛_EasyReal

news 2025/10/19 19:05:57

Tags:MD5爆破,RSA

0x00. 题目

task.py

import random
import hashlibflag = 'xxxxxxxxxxxxxxxxxxxx'
key = random.randint(1,10)
for i in range(len(flag)):crypto += chr(ord(flag[i])^key)
m = crypto的ascii十六进制
e = random.randint(1,100)
print(hashlib.md5(e))
p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
q = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
n = p*q
c = pow(m,e,n)
print(n)
print(c)
#37693cfc748049e45d87b8c7d8b9aacd
#4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
#3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397

0x01. WP

简单分析了加密脚本，加密步骤如下：

用key与flag的每一个字母ASCII码进行异或
字符串转十六进制
随机(1-100)生成e
RSA加密

解密步骤：

通过md5爆破e
常规破解RSA
十六进制转字符串
爆破key和flag

exp.py

#-*- coding: UTF-8 -*- 
import random
import hashlib
from Crypto.Util.number import *emd5='37693cfc748049e45d87b8c7d8b9aacd'n=4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523p=64310413306776406422334034047152581900365687374336418863191177338901198608319e=0c=3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397# 通过遍历反解md5
for i in range(1,101):md = hashlib.md5()md.update(str(i).encode())if md.hexdigest()==emd5:e=iprint('e=',e)
# e= 23# 常规解RSA
q=n//pphi_n = (p - 1) * (q - 1)d = inverse(e, phi_n)m = pow(c, d, n)# 获得key混淆后的flag
mi = long_to_bytes(m).decode()# 通过遍历循环爆破key以及对应的flag
for key in range(1,11):flag=""for i in range(len(mi)):flag += chr(ord(mi[i])^key)print(key,flag)'''
1 oehnr^:8jfD:VJ9d:V>fVo=]:j}ot
2 lfkmq]9;ieG9UI:g9U=eUl>^9i~lw
3 mgjlp\8:hdF8TH;f8T<dTm?_8hmv
4 j`mkw[?=ocA?SO<a?S;cSj8X?oxjq
5 kaljvZ><nb@>RN=`>R:bRk9Y>nykp
6 hboiuY=?maC=QM>c=Q9aQh:Z=mzhs
7 icnhtX<>l`B<PL?b<P8`Pi;[<l{ir
8 flag{W31coM3_C0m3_7o_f4T3ctf}
9 gm`fzV20bnL2^B1l2^6n^g5U2bug|
10 dnceyU13amO1]A2o1]5m]d6V1avd
'''

查看全文

http://www.sczhlp.com/news/56601/