Description 今天做题的时候遇到一个$n = p^2*q$这么一个情况的题，记录一下 Attack 简而言之，我们只需要注意是针对$n = p^2q$的情况，$\phi_n=p(p-1)*(q-1)$就行了其他的攻击步骤照常

这道题记录一个疑问 Involved Knowledge RSA Private key decryption Topic public.key -----BEGIN PUBLIC KEY----- MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQMlsYv184kJfRcjeGa7Uc/4 3pIkU3SevEA7CZXJfA44bUbBYcrf93xphg2uR5HCFM+Eh6qqnybpIKl3g0kGA4rv tcMIJ9/PP8npdpVE+U4Hzf4IcgOaOmJiEWZ4smH7LWudMlOekqFTs2dWKbqzlC59 NeMPfu9avxxQ15fQzIjhvcz9GhLqb373XDcn298ueA80KK6Pek+3qJ8YSjZQMrFT +EJehFdQ6yt6vALcFc4CB1B6qVCGO7hICngCjdYpeZRNbGM/r6ED5Nsozof1oMbt Si8mZEJ/Vlx3gathkUVtlxx/+jlScjdM7AFV5fkRi...

Involved Knowledge RSA Shared prime number Topic public1.pub -----BEGIN PUBLIC KEY----- MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAQAma/gXML+bivU20mJu55PZ SjNAE6S0PQ2WV5sYIA7ZLbJ6lshW8cfohErN0TUIv+6O+hXSMFd4wrv27+f6akPE qeNL6LWjKqcnC9I03vbyYDZuLkfeoPwM9UHIuRUfU/l/LDOCkjkOkHN5SMufg66y OGc4wLDi9f8sET4QMerAVF/HZ7acpYYCu8QoWnOSy9KiVzKQMzKkaL+WcN2sbLsA 61zjixv7ybMHDmcyMKHb5VbfPsqMW19roYLV5luY3SlrhTogmyGg19Q3k7hYW3ca Jc7WLEbPD/OnlHMDLArNUYMyB9t0CdLNZZCHE6pbiMaNGS+rwGcqxHbWC...

Involved Knowledge RSA Adjacent Element Description import hashlib import sympy from Crypto.Util.number import * flag = 'GWHT{******}' secret = '******' assert(len(flag) == 38) half = len(flag) / 2 flag1 = flag[:half] flag2 = flag[half:] secret_num = getPrime(1024) * bytes_to_long(secret) p = sympy.nextprime(secret_num) q = sympy.nextprime(p) N = p * q e = 0x10001 F1 = bytes_to_long(flag1) F2 = bytes_to_long(flag2) c1 = F1 + F2 c2 = pow(F1, 3) + pow(F2, 3) assert(c2 <...

Involved Knowledge retlibc The leak of the write function checksec Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) 开启了NX，不能写入shellcode，一般这种情况下我们就往ROP上面考虑了 Running Program Input: 123(用户输入) Hello, World! Analyze main int __cdecl main(int argc, const char **argv, const char **envp) { vulnerable_function(argc, argv, envp); return write(1, "Hello, World!\n", 0xEuLL); } 执行vulnerable_function函数，然后输出Hello World! 我...

最近这段时间应该会陆陆续续补上以前做的pwn题的wp，再来复习一下 Involved Knowledge Format String Stackoverflow ret2libc Checksec Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) 64位，开启了Canary(金丝雀)和NX(堆栈不可执行)，那么如果有canary的话，我们在进行rop时首先就是要泄露canary Analyze main int __cdecl main(int argc, const char **argv, const char **envp) { init(argc, argv, envp); gift(); vuln(); return 0; } main函数里面依次执行三个函数init(),gift(),vuln()，依次跟进 init() unsigned...

Involved Knowledge 已知phi,n 分解n DSA K共享攻击 Description from Crypto.Util.number import getPrime, bytes_to_long, inverse, long_to_bytes from Crypto.PublicKey import DSA from hashlib import sha256 import random from secret import flag def gen(a): p = getPrime(a) q = getPrime(a) r = getPrime(a) x = getPrime(a) n = p*q*r*x phi = (p-1)*(q-1)*(r-1)*(x-1) return n, phi, [p, q, r, x] def sign(m, k, x, p, q, g): hm = bytes_to_long(sha256(m).digest()) r = pow(...