纯 ****。

DSASignatureData

给了一堆数据、签名和公钥,让你验证签名,纯写代码属于是。流量里面的内容可以这样提取:

# Dump every HTTP POST request in the capture as one line: the URI query
# parameter and the request body, separated by a tab (the default separator
# of `-T fields`). The verification script parses exactly this layout.
# NOTE(review): depending on the tshark version, http.file_data may be printed
# as hex rather than text -- inspect the output before parsing it.
tshark -r data.pcapng -T fields -Y 'http.request.method == "POST"' -e http.request.uri.query.parameter -e http.file_data > data.pcapng.txt

验证签名的代码(验签失败的记录会写入 result.csv):

from Crypto.PublicKey import DSA
from Crypto.Hash import SHA256
from Crypto.Signature import DSS
from Crypto.PublicKey.DSA import DsaKey
from tqdm import tqdm
import base64
import json
import os

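# Map each user id to the JSON body that user POSTed, parsed from the tshark
# field dump (one request per line: "<query parameter>\t<request body>").
post_data: dict[int, dict[str, str]] = {}
# The fields are later hashed as UTF-8 bytes, so decode the dump as UTF-8
# explicitly instead of relying on the platform default encoding; a lossy
# decode would make intact records fail verification.
# NOTE(review): assumes tshark wrote UTF-8 -- confirm on your platform.
with open('data.pcapng.txt', 'rt', encoding='utf-8') as pcapng_data:
    for line in pcapng_data:
        # Iterated lines keep their trailing newline, so a blank line is
        # "\n" and truthy; strip the line ending before testing for emptiness.
        line = line.rstrip('\r\n')
        if not line.strip():
            continue
        # Split on the first tab only, so whitespace inside the request body
        # cannot break the two-field unpacking.
        param, data = line.split('\t', 1)
        username = int(param.split('=')[1])
        user_data = json.loads(data)
        # NOTE: a user id that appears more than once overwrites the earlier
        # request, so only the last captured request per user gets verified.
        post_data[username] = user_data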

# Load every user's DSA public key from the 'public' directory tree.
# These keys are the trust anchor: a record is only as trustworthy as the
# key file it is checked against.
public_keys: dict[int, DsaKey] = {}
for dirpath, _subdirs, filenames in os.walk('public'):
    for filename in tqdm(filenames):
        key_path = os.path.join(dirpath, filename)
        with open(key_path, 'rt') as key_file:
            # The user id is taken from the four characters that precede the
            # last four characters of the file name (presumably a 4-digit id
            # followed by an extension such as ".pem" -- confirm).
            owner_id = int(filename[-8:-4])
            public_keys[owner_id] = DSA.import_key(key_file.read())

# Load the per-field signatures: one CSV row per user holding the user id and
# the Base64 signatures of that user's name, idcard and phone values.
signatures: dict[int, dict[str, str]] = {}
with open('data-sign.csv', 'rt') as src:
    # The first line is the column header; it is read so that it is skipped.
    header = src.readline().strip().split(',')
    for row in src:
        user_id, name_sig, idcard_sig, phone_sig = row.strip().split(',')
        # NOTE: a repeated user id replaces the earlier row.
        signatures[int(user_id)] = dict(
            name=name_sig,
            idcard=idcard_sig,
            phone=phone_sig,
        )

def verify_signature(public_key: DsaKey, message: str, signature: str) -> bool:
    """Return True if *signature* is a valid DSA signature of *message*.

    The message is hashed with SHA-256 over its UTF-8 bytes and checked with
    PyCryptodome's DSS verifier in 'fips-186-3' mode. *signature* is the
    Base64 text of the signature.

    Any ValueError or TypeError raised while decoding or verifying is treated
    as a failed verification, so a malformed signature counts as invalid
    instead of aborting the run.
    """
    digest = SHA256.new(message.encode('utf-8'))
    checker = DSS.new(public_key, 'fips-186-3')
    try:
        # b64decode is called without validate=True, so characters outside
        # the Base64 alphabet are discarded rather than rejected.
        raw_signature = base64.b64decode(signature)
        checker.verify(digest, raw_signature)
    except (ValueError, TypeError):
        return False
    else:
        return True

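# Write every record that does not verify to result.csv, ordered by user id.
# A record is skipped only when all three fields verify against the user's
# public key.
with open('result.csv', 'wt', encoding='utf-8') as output:
    output.write('userid,name,idcard,phone\n')
    for username, data in tqdm(sorted(post_data.items())):
        public_key = public_keys.get(username)
        user_signatures = signatures.get(username, {})
        # Fail closed: a missing public key, signature row or request field
        # means the record cannot be verified, so it is reported instead of
        # aborting the run with a KeyError and leaving a truncated result.csv.
        verified = public_key is not None and all(
            key in data
            and key in user_signatures
            and verify_signature(public_key, data[key], user_signatures[key])
            for key in ('name', 'idcard', 'phone'))
        if verified:
            continue
        # NOTE: values come from captured traffic and are written without CSV
        # quoting; a value containing a comma or newline would shift columns.
        output.write(
            f"{username},{data.get('name', '')},{data.get('idcard', '')},"
            f"{data.get('phone', '')}\n")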

matrixRSA

H&NCTF 2024 的原题,A Matrix Extension of the RSA Cryptosystem 论文的实现。具体思路可以去看这篇文章

from gmpy2 import invert

# Challenge parameters.
# p_high: known leading part of the prime p; it is shifted left by 100 bits
# below to form an approximation of p whose low bits are still unknown.
p_high = 9707529668721508094878754383636813058761407528950189013789315732447048631740849315894253576415843631107370002912949379757275
# n: the modulus; the script checks n == p * q once p has been recovered.
n = 132298777672085547096511087266255066285502135020124093900452138262993155381766816424955849796168059204379325075568094431259877923353664926875986223020472585645919414821322880213299188157427622804140996898685564075484754918339670099806186873974594139182324884620018780943630196754736972805036038798946726414009
# C: the ciphertext, a 3x3 matrix that is later interpreted over Zmod(n).
C = [[130700952989014311434434028098810412089294728270156705618326733322297465714495704072159530618655340096705383710304658044991149662060657745933090473082775425812641300964472543605460360640675949447837208449794830578184968528547366608180085787382376536622136035364815331037493098283462540849880674541138443271941, 71108771421281691064141020659106224750236412635914570166893031318860027728093402453305986361330527563506168063047627979831630830003190075818824767924892107148560048725155587353683119195901991465464478196049173060097561821877061015587704803006499153902855903286456023726638247758665778434728734461065079337757, 67999998657112350704927993584783146575182096185020115836188544590466205688442741039622382576899587857972463337900200038021257164640987281308471100297698062626107380871262596623736773815445544153508352926374272336154553916204320257697068627063236060520725376727528604938949588845448940836430120015498687885615],
[ 23893343854815011808020457237095285782125931083991537368666368653089096539223297567339111502968295914745423286070638369517207554770793304994639155083818859208362057394004419565231389473766857235749279110546079776040193183912062870294579472815588333047561915280189529367474392709554971446978468118280633281993, 9711323829269829751519177755915164402658693668631868499383945203627197171508441332211907278473276713066275283973856513580205808517918096017699122954464305556795300874005627001464297760413897074044080665941802588680926430030715299713241442313300920463145903399054123967914968894345491958980945927764454159601, 44904507975955275578858125671789564568591470104141872573541481508697254621798834910263012676346204850278744732796211742615531019931085695420000582627144871996018850098958417750918177991375489106531511894991744745328626887250694950153424439172667977623425955725695498585224383607063387876414273539268016177401],
[ 67805732998935098446255672500407441801838056284635701147853683333480924477835278030145327818330916280792499177503535618310624546400536573924729837478349680007368781306805363621196573313903080315513952415535369016620873765493531188596985587834408434835281527678166509365418905214174034794683785063802543354572, 13486048723056269216825615499052563411132892702727634833280269923882908676944418624902325737619945647093190397919828623788245644333036340084254490542292357044974139884304715033710988658109160936809398722070125690919829906642273377982021120160702344103998315875166038849942426382506293976662337161520494820727, 95932690738697024519546289135992512776877884741458439242887603021792409575448192508456813215486904392440772808083658410285088451086298418303987628634150431725794904656250453314950126433260613949819432633322599879072805834951478466009343397728711205498602927752917834774516505262381463414617797291857077444676]]
# e: the public exponent that is inverted to obtain d.
e = 65537

# [1] Recover p with Coppersmith's method: the high bits of p are known,
#     so the unknown low part is a small root of x + pbar modulo p.

kbits = 100                  # number of unknown low bits of p
pbar = p_high * 2^kbits      # approximation of p with the low bits zeroed

PR.<x> = PolynomialRing(Zmod(n))
# X bounds the size of the root; beta=0.4 asks for roots modulo a divisor of
# n of size at least n^0.4, which is how the unknown factor p is targeted.
low_part_candidates = (x + pbar).small_roots(X=2^kbits, beta=0.4)
p = pbar + int(low_part_candidates[0])
q = n // p

# Sanity check: the recovered p must divide n exactly.
assert n == p * q

# [2] Compute the private exponent d as described in the paper.
# NOTE(review): (p^2 - p) * (p^2 - 1) is the order of GL_2(F_p), while C is a
# 3x3 matrix, and GL_3(F_p) has order (p^3 - 1)(p^3 - p)(p^3 - p^2).
# Presumably this d only decrypts correctly when the multiplicative order of
# the plaintext matrix divides g -- confirm against the paper.

gp = p * (p - 1) * (p**2 - 1)
gq = q * (q - 1) * (q**2 - 1)
g = gp * gq

# d is the inverse of e modulo g.
d = invert(e, g)

# [3] Decrypt: raise the ciphertext matrix to the power d over Zmod(n).

C = Matrix(Zmod(n), C)
M = C ** d

# Each cell is serialised as exactly 23 big-endian bytes and the cells are
# concatenated row by row. to_bytes raises OverflowError for a cell that does
# not fit in 23 bytes, which would suggest that the decryption went wrong.
flag = b''.join(
    int(cell).to_bytes(23, 'big')
    for row in M
    for cell in row
)

print(flag)