0x01 前言
pragyanCTF 2022的一道Crypto题目名为Blind_Scout,题目给了5个pub.pem证书,一个cipher.txt,记录下RSA题目中给了多个证书时如何求解flag。
0x02 求解
下载附件得到了5个pem证书和一个cipher.txt,利用factordb网站无法分解N,利用RSA公私钥分解网站发现5个证书的E都等于65537;
编写程序查找五个模的公因子:
from Crypto.PublicKey import RSA
from math import gcd
def checkMods():
pubkeys = []
for i in range(1,6):
with open(f'pub{i}.pem', 'r') as f:
data = ''.join(f.readlines())
pubkeys.append(RSA.importKey(data).n)
for i in range(len(pubkeys)):
for j in range(i+1,len(pubkeys)):
if(gcd(pubkeys[i], pubkeys[j]) > 1):
print("n1:", pubkeys[i])
print("n2:", pubkeys[j])
# n1= 139229890174356928383088549129245036948938806722711464862841222986608785150613883498167306194093032677719223119572005996306712688496438417316494164302391841951524192906735079393658893193657703115629569163391053129315864720324029971949625294486467313990931665248372153504002783908891387654449725452212287159201
# n2= 101161661751053118637914710199746673148562047871140335509175578628741566652286044786249911039214575951065666659147024241651904803989200275100763740454941451873121829810224182434134426874274394842340443470905741436982244070427906868936123947495427750689793787251736335878699753312245001791230360774169153125961
发现了公钥pub2和pub4的模有公因子,接下来就是常规的解RSA题目:
from base64 import b64decode
from libnum import s2n,n2s
from Crypto.Util.number import isPrime
e = 65537
n1= 139229890174356928383088549129245036948938806722711464862841222986608785150613883498167306194093032677719223119572005996306712688496438417316494164302391841951524192906735079393658893193657703115629569163391053129315864720324029971949625294486467313990931665248372153504002783908891387654449725452212287159201
n2= 101161661751053118637914710199746673148562047871140335509175578628741566652286044786249911039214575951065666659147024241651904803989200275100763740454941451873121829810224182434134426874274394842340443470905741436982244070427906868936123947495427750689793787251736335878699753312245001791230360774169153125961
p = gcd(n1,n2)
q1 = n1//p
q2 = n2//p
assert p*q1 == n1
assert p*q2 == n2
phi1 = (p-1)*(q1-1)
phi2 = (p-1)*(q2-1)
from gmpy2 import invert
d1 = int(invert(e,phi1))
d2 = int(invert(e,phi2))
ct = "Z9jO5jqN9+fKNYJ14xA3QV96x4AlIIjOwoGSSq2D0G6ddMnKipNJkS2n0IS3blQAMym5dnzKC5MIetKikgozmzruuKDn2Xbkdv529Na2MXizJEMTxP/ioYzUFl2rJfg7xvyrNxEyPRWoJievmjpnum2pkrWAknAb+6Hj0Qv5yIo="
ct = s2n(b64decode(ct))
pt1 = n2s(pow(ct, d1, n1))
pt2 = n2s(pow(ct, d2, n2))
print(pt1)
print(pt2)
得到flag:p_ctf{010100_100000101100_100110100000111010100010100110100010111001010100111000}
但提交显示不对,再看下题目名为Blind_Scout,应该还有一层加密,经过检索发现是:https://www.dcode.fr/braille-alphabet利用该网站解密获得flag:I_AM_DAREDEVIL
0x03 总结
在解RSA题目时,附件如果有多个证书,可以看N是否相等,如果相等可以考虑共模攻击,如果E相等,可以考虑求解模的公因子从而分解N。
