cryptohack,很不错的一个密码学习平台。
很适合没有基础的beginner系统进行学习
文章目录
注册平台账号
EJEXA JVAN KTGHXDC ITCI
罗马皇帝密码,那就是凯撒了
for i in range(26):
for j in c:
if j == ' ':
print(' ',end='')
continue
t = ss.index(j)
print(ss[(t+i)%26],end='')
print()
General
Encoding
第一题
>>> a =[99, 114, 121, 112, 116, 111, 123, 65, 83, 67, 73, 73, 95, 112, 114, 49, 110, 116, 52, 98, 108, 51, 125]
>>> ''.join(chr(i) for i in a)
'crypto{}'
第二题
63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d
>>> from binascii import *
>>> unhexlify('63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d')
b'crypto{}'
第三题
72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf
>>> c = '72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf'
>>> from base64 import b64encode as e
>>> unhexlify(c)
b'r\xbc\xa9\xb6\x8f\xc1j\xc7\xbe\xeb\x8f\x84\x9d\xca\x1d\x8ax>\x8a\xcf\x96y\xbf\x92i\xf7\xbf'
>>> e(unhexlify(c))
b'crypto//'
有点意思
第四题
>>> from number import *
>>> l2b(11515195063862318899931685488813747395775516287289682636499965282714637259206269)
b'crypto{}'
第五题
nc到服务器后,会给你一个加密方式type和一个加密后的字符串c
你需要解密c之后给服务器发送过去,重复100次
服务端代码:
要重复100次,所以肯定不能手动解,所以用pwntools的remote进行连续破解
from pwn import *
import json
r = remote('socket.cryptohack.org', 13377, level = 'debug')
def json_recv():
line = r.recvline()
return json.loads(line.decode())
def json_send(hsh):
request = json.dumps(hsh).encode()
r.sendline(request)
from binascii import *
from number import *
from base64 import b64decode as dd
from string import *
def rot13(x):
ss = ascii_lowercase
res = ''
for i in x:
if i in ss:
res += ss[(13+ss.index(i))%26]
else:res += i
return res
def dec(tp,c):
if tp == 'bigint':
m = unhexlify(c[2:]).decode()
elif tp == 'base64':
m = dd(c.encode()).decode()
elif tp == 'rot13':
m = rot13(c)
elif tp == 'hex':
m = l2b(int(c,16)).decode()
elif tp == 'utf-8':
m = ''.join(chr(i) for i in c)
return m
def func(received):
print("Received type: ",end='')
print(received["type"])
print("Received encoded value: ",end='')
print(received["encoded"])
c = received["encoded"]
tp = received['type']
to_send = {"decoded": dec(tp,c)}
print('to_sent:',to_send)
json_send(to_send)
rrr = json_recv()
print(rrr,'================',sep = '\n')
return rrr
rcvd = json_recv()
for i in range(100):
rcvd = func(rcvd)
得到flag
XOR
1. XOR Starter
将label的每一位与13进行异或
题目说了可以用pwntools里面的xor函数
>>> from pwn import *
>>> xor('label',13)
b'aloha'
crypto{aloha}
2. XOR Properties
题目给了如下信息
分别记为A、B、C、D,则flag = D ^ A ^ C
>>> a = 0xa6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
>>> b = 0x37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
>>> c = 0xc1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
>>> d = 0x04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf
>>> f = d^a^c
>>> from number import *
>>> l2b(f)
b'crypto{}'
3.Favourite byte
73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d
将数字转为byte型后为
>>> l2b(int('73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d',16))
b"sbi`d\x7fk h! O!%O}iOv$f eb!'#Ori'um"
已知flag前几位,为crypto{,与解出的字符串对应前几位进行异或便可以得到secret
>>> xor(b"sbi`d\x7fk",b"crypto{")
b'\x10\x10\x10\x10\x10\x10\x10'
得到flag
>>> xor(b"sbi`d\x7fk h! O!%O}iOv$f eb!'#Ori'um",'\x10')
b'crypto{}'
4.You either know, XOR you don’t
0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104
尝试同同样的步骤,找出异或的字符串
>>> c = l2b(int('0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104',16))
>>> c
b"\x0e\x0b!?&\x04\x1eH\x0b&!\x7f'4.\x17]\x0e\x07\n<[\x10>%&!\x7f'4.\x17]\x0e\x07~&4Q\x15\x01\x04"
>>> xor(c[:7],'crypto{')
b'myXORke'
>>> xor(c[-1],'}')
b'y'
拼接起来可以得到一段有意义的语句myXORkey
猜测这就是加密的字符串
>>> xor(c,'myXORkey')
b'crypto{}'
5. Lemur XOR
这是个图片题
两个图片
lemur.png:
flag.png:
异或试试,使用PIL.Image模块和numpy模块
from PIL import Image as img
import numpy as np
ll = img.open(r".\lemur.png")
ff = img.open(r".\flag.png")
nl = np.array(ll)
nf = np.array(ff)
img.fromarray(nl^nf).show()
得到flag,在图片中
MATHEMATICS
1. Greatest Common Divisor
计算GCD
属实是零基础入门题了
>>> a = 66528; b = 52920
>>> from gmpy2 import *
>>> gcd
<built-in function gcd>
>>> gcd(a,b)
mpz(1512)
2. Extended GCD
要求扩展欧几里得算法
使用gmpy2库自带的gcdext()函数
>>> gcdext
<built-in function gcdext>
>>> p = 26513;q = 32321
>>> gcdext(p,q)
(mpz(1), mpz(10245), mpz(-8404))
按照要求,flag是-8404
3. Modular Arithmetic 1
解方程
11
≡
x
m
o
d
6
8146798528947
≡
y
m
o
d
17
11\equiv x\mod6\\ 8146798528947\equiv y\mod 17
11≡xmod68146798528947≡ymod17
解得
x
=
5
y
=
4
x=5\\y=4
x=5y=4
所以flag是4
4. Modular Arithmetic 2
费马小定理,当p为素数时,有
a
p
−
1
≡
1
m
o
d
p
a^{p-1}\equiv 1\mod p
ap−1≡1modp
答案1
5. Modular Inverting
求逆元
b是a对m的逆元,则在模m的情况下有 a b ≡ 1 m o d m ab\equiv 1\mod m ab≡1modm
使用gmpy2中的invert()函数
>>> invert(3,13)
mpz(9)
DATA FORMATS
1. Privaty-Enhanced Mail?
有点懵,啥意思
啊
给了一个pem文件,把里面的私钥信息解密出来即可
>>> c = open(r"./ppp").read()
>>> p = RSA.import_key(c)
>>> p.d
15682700288056331364787171045819973654991149949197959929860861228180021707316851924456205543665565810892674190059831330231436970914474774562714945620519144389785158908994181951348846017432506464163564960993784254153395406799101314760033445065193429592512349952020982932218524462341002102063435489318813316464511621736943938440710470694912336237680219746204595128959161800595216366237538296447335375818871952520026993102148328897083547184286493241191505953601668858941129790966909236941127851370202421135897091086763569884760099112291072056970636380417349019579768748054760104838790424708988260443926906673795975104689
私钥d即flag
2. CERTainly not
同样使用Crypto.RSA.import_key函数
>>> ddd = open(r".\der.der",'rb').read()
>>> p = RSA.import_key(ddd)
>>> p
RsaKey(n=22825373692019530804306212864609512775374171823993708516509897631547513634635856375624003737068034549047677999310941837454378829351398302382629658264078775456838626207507725494030600516872852306191255492926495965536379271875310457319107936020730050476235278671528265817571433919561175665096171189758406136453987966255236963782666066962654678464950075923060327358691356632908606498231755963567382339010985222623205586923466405809217426670333410014429905146941652293366212903733630083016398810887356019977409467374742266276267137547021576874204809506045914964491063393800499167416471949021995447722415959979785959569497, e=65537)
flag是整数内容的模,也就是n的值
3. SSH KEY
泪目了 他讲的好详细
主要是ssh,Secure Shell Protocol这个东西
为什么要有ssh?为了安全。
以及SSH为什么安全
依旧使用同样方法即可
>>> c = open(r"./bruce_rsa_6e7ecd53b443a97013397b1a1ea30e14.pub").read()
>>> p = RSA.import_key(c)
>>> p
RsaKey(n=3931406272922523448436194599820093016241472658151801552845094518579507815990600459669259603645261532927611152984942840889898756532060894857045175300145765800633499005451738872081381267004069865557395638550041114206143085403607234109293286336393552756893984605214352988705258638979454736514997314223669075900783806715398880310695945945147755132919037973889075191785977797861557228678159538882153544717797100401096435062359474129755625453831882490603560134477043235433202708948615234536984715872113343812760102812323180391544496030163653046931414723851374554873036582282389904838597668286543337426581680817796038711228401443244655162199302352017964997866677317161014083116730535875521286631858102768961098851209400973899393964931605067856005410998631842673030901078008408649613538143799959803685041566964514489809211962984534322348394428010908984318940411698961150731204316670646676976361958828528229837610795843145048243492909, e=65537)
flag还是n
4. Transparency
有点懵
给了一个PEM格式的公钥文件,打开文件可以得到以下信息
>>> from Crypto.PublicKey.RSA import *
>>> c = open(r".\transparency.pem").read()
>>> p = import_key(c)
>>> p
RsaKey(n=23421622285641341405633616890150413771071492791662619237015532689271209254675255214187772835143801809039951016782376679973376782695533167272817148034946155291022588458116896449130547957859630601417029406537713697722216484126508404669492574651738700785323627803802967097814192155713988206765677255996453746570221203605464683698139759068201745805643226602309648177720842369737425307662674524530757570626970232537549824005998393609021861773134215542450556839250804799098903483152012713520167414613141526302727512388972623173809195225592109964416682348203058784103484962051844890398766510080562420295832329553237528041393, e=65537)
要求是 找到cryptohack.org下的一个,用这些参数进行证书认证的,某个子域名,flag就在这个子域名中
没有什么思路,搜了下wp,是爆破的,但也只有一张图
使用Maltego分析网站域名
- 新建一个graph,从左侧Entity栏中拖入一个
Domain实体,并修改为cryptohack.org
- 右键实体,点击第一行的
All Transforms右侧的双箭头
开始了自动查询域名下的所有信息
包括该域名的子域名,IP地址,DNS服务器,联系人,地址,电话号等等
-
等待结果
使用
Ctrl+F搜索功能,查询题目的Transparentcy关键字或者直接查询flag字样
访问,得到flag
