0x01 Level 0
这道题给了一个加密的文件,是base64的,一个public.key公钥还有通往下一关的压缩包。
首先,用openssl查看公钥信息
openssl rsa -in public.key -pubin -text -modulus -noout
得到了公钥信息
Public-Key: (2048 bit)
Modulus:
00:94:a0:3e:6e:0e:dc:f2:74:10:52:ef:1e:ea:a8:
89:d6:f9:8d:01:11:51:db:5e:90:92:48:fd:39:0c:
70:87:24:d8:98:3c:f3:33:1c:ba:c5:61:c2:ce:2c:
5a:f1:5e:65:b2:b2:46:91:56:b6:19:d5:d3:b2:a6:
bb:a3:7d:56:93:99:4d:7e:4c:2f:aa:60:7b:3e:c8:
fc:90:b2:00:62:4b:53:18:5b:a2:30:10:60:a8:21:
ab:61:57:d7:e7:cc:67:1b:4d:cd:66:4c:7d:f1:1a:
2a:1d:5e:50:80:c1:5e:45:12:3a:ba:4a:53:64:d8:
72:1f:84:4a:ae:5c:55:02:e8:8e:56:4d:38:70:a5:
16:36:d3:bc:14:3e:2f:ae:2f:31:58:ba:00:ab:ac:
c0:c5:ba:44:3c:29:70:56:01:6b:57:f5:d7:52:d7:
31:56:0b:ab:0a:e6:8d:ad:08:22:a9:1f:cb:6e:49:
cc:01:4c:12:d2:ab:a3:a5:97:e5:10:49:19:7f:69:
d9:3b:c5:53:53:71:00:18:60:cc:69:1a:06:64:3b:
86:94:70:a9:da:82:fc:54:6b:06:23:43:2d:b0:20:
eb:b6:1b:91:35:5e:53:a6:e5:d8:9a:84:bb:30:46:
b8:9f:63:bc:70:06:2d:59:d8:62:a5:fd:5c:ab:06:
68:81
Exponent: 65537 (0x10001)
Modulus=94A03E6E0EDCF2741052EF1EEAA889D6F98D011151DB5E909248FD390C708724D8983CF3331CBAC561C2CE2C5AF15E65B2B2469156B619D5D3B2A6BBA37D5693994D7E4C2FAA607B3EC8FC90B200624B53185BA2301060A821AB6157D7E7CC671B4DCD664C7DF11A2A1D5E5080C15E45123ABA4A5364D8721F844AAE5C5502E88E564D3870A51636D3BC143E2FAE2F3158BA00ABACC0C5BA443C297056016B57F5D752D731560BAB0AE68DAD0822A91FCB6E49CC014C12D2ABA3A597E51049197F69D93BC5535371001860CC691A06643B869470A9DA82FC546B0623432DB020EBB61B91355E53A6E5D89A84BB3046B89F63BC70062D59D862A5FD5CAB066881
将得到的Modulus是十六进制的,用python(比在线网站好用多了,直接int(0x94A0.....))将它转换为十进制的数,尝试放到http://www.factordb.com/index.php进行分解,分解成功,得到
p = 250527704258269
q = 74891071972884336452892671945839935839027130680745292701175368094445819328761543101567760612778187287503041052186054409602799660254304070752542327616415127619185118484301676127655806327719998855075907042722072624352495417865982621374198943186383488123852345021090112675763096388320624127451586578874243946255833495297552979177208715296225146999614483257176865867572412311362252398105201644557511678179053171328641678681062496129308882700731534684329411768904920421185529144505494827908706070460177001921614692189821267467546120600239688527687872217881231173729468019623441005792563703237475678063375349
能分解原因是因为一个因数太小了。
然后利用这个p,q生成私钥,用rsatools这个工具,在github上能够找到。
生成priv.key。
在解密之前,要将加密文件base64解密,可以写一个python脚本进行解密。
当用生成的私钥进行解密的时候,openssl报错了,所以可能是对明文进行填充了。关于填充的方式,感兴趣的小伙伴可以看一下https://my.oschina.net/u/1377935/blog/749195
这道题是采用了oaep模式进行填充的,具体为什么我也不清楚,看了别人的writeup才知道的。
然后
openssl rsautl -decrypt -inkey priv.key -in encrypt.enc -out data.txt -oaep
得到密码
0x02 Level 1
这道题还是老规矩,openssl查看Modulus信息,转换到10进制,然后进行分解。
这次放到那个网站后发现分解不出来了,就很尴尬。。不过我们还有另外一个利器,叫做yafu,
yafu factor(n)
真的分解出来了p和q!
p=156956618844706820397012891168512561016172926274406409351605204875848894134762425857160007206769208250966468865321072899370821460169563046304363342283383730448855887559714662438206600780443071125634394511976108979417302078289773847706397371335621757603520669919857006339473738564640521800108990424511408496383
q=156956618844706820397012891168512561016172926274406409351605204875848894134762425857160007206769208250966468865321072899370821460169563046304363342283383730448855887559714662438206600780443071125634394511976108979417302078289773847706397371335621757603520669919857006339473738564640521800108990424511408496259
然后利用第一关的步骤,openssl解密,不过这里不同的是这里的padding使用了pkcs方式。
最后得到密码
0x03 Level 2
老规矩,openssl查看公钥,这次信息中除了n还有e,我们可以看到e和n的长度差不多,那么应该就是wiener attack,直接利用wiener attack利用脚本,输入e和n,得到了d的值,利用rsatools
rsatools -e -d -n -o
生成了rsa私钥,利用这个私钥用openssl进行解密,得到密码
