LitCTF复现

2023.5.13-2023.5.14

拼凑的队随便打打总共解了38个题，4481分在一千多个队排118名，我反正是不大满意┗( ▔, ▔ )┛

不懂就问，这是MiHoYoCTF吗？

Web

导弹迷踪

你是一颗导弹，你需要，飞到最后！（通过6道关卡就能拿到flag哦~

不打游戏，直接F12找源代码，在game.js里找到flag：

var Messages = {
    START: {
        title: getLevelString,
        text:  function () {return 'CLICK TO BEGIN';}
    },
    CRASH: {
        title: function () {return 'CRASHED';},
        text:  function () {return 'CLICK TO RETRY';}
    },
    GAME_OVER: {
        title: function () {return 'GAME OVER';},
        text:  function () {return 'CLICK TO START AGAIN';}
    },
    FINISH: {
        title: function () {return 'LEVEL COMPLETED';},
        text:  function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},
    }
};

Crypto

大部分题实在是太简单了水一下，一些简单题我认为应该进misc充数。

Hex？Hex！

如果你也和我一样知道hex的话，那我觉得，这件事，太酷啦！

附件：4c69744354467b746169313131636f6f6c6c616161217d

直接hex解码得到flag。

梦想是红色的

自由友善公正公正敬业法治自由自由和谐平等自由自由公正法治诚信民主……

核心价值观编码。

原来你也玩原神

旅行者收到了一封奇怪的来信，是提瓦特大陆的语言！

提瓦特通用字母表，最后一行一眼flag，直接对照得到flag。

家人们！谁懂啊，RSA签到都不会

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''

给pq了，直接解就出。

yafu

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
n  = 1
for i in range(15):
    n *=getPrime(32)
e = 65537
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
'''
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
'''

n由小质数生成，yafu能爆，但是实际上我觉得用totient直接出phi才是最快的方法。

factordb

e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708

n很小，网站直接分解。

P_Leak

from Crypto.Util.number import *
e=65537
m=bytes_to_long(b'xxxx')
p=getPrime(512)
q=getPrime(512)
n=p*q
phi=(p-1)*(q-1)
d=inverse(e,phi)
dp=d%(p-1)
c=pow(m,e,n)
print("dp=",dp)
print("n=",n)
print("c=",c)
#dp= 5892502924236878675675338970704766304539618343869489297045857272605067962848952532606770917225218534430490745895652561015493032055636004130931491316020329
#n= 50612159190225619689404794427464916374543237300894011803225784470008992781409447214236779975896311093686413491163221778479739252804271270231391599602217675895446538524670610623369953168412236472302812808639218392319634397138871387898452935081756580084070333246950840091192420542761507705395568904875746222477
#c= 39257649468514605476432946851710016346016992413796229928386230062780829495844059368939749930876895443279723032641876662714088329296631207594999580050131450251288839714711436117326769029649419789323982613380617840218087161435260837263996287628129307328857086987521821533565738409794866606381789730458247531619

dp泄露。

md5的破解

from Crypto.Util.number import *
from hashlib import md5
from secret import flag

#flag全是由小写字母及数字组成
m=md5(flag).hexdigest()
print(flag[:13]+flag[15:18]+flag[19:34]+flag[35:38])
print(m)
# b'LitCTF{md5can3derypt213thoughcrsh}'
# 496603d6953a15846cd7cc476f146771

一个爆破题，不过这题还是比较容易出小差错的，需要细心：

import hashlib
import string

flag=b'LitCTF{md5can3derypt213thoughcrsh}'
n='496603d6953a15846cd7cc476f146771'
book=string.ascii_lowercase+string.digits
c1='LitCTF{md5can'
c2='3de'
c3='rypt213thoughcr'
c4='sh}'
for a in book:
    for b in book:
        for c in book:
            for d in book:
                k=c1+a+d+c2+b+c3+c+c4
                m=hashlib.md5(k.encode()).hexdigest()
                if m==n:
                    print('flag : ',k)

e的学问

from Crypto.Util.number import *
m=bytes_to_long(b'xxxxxx')
p=getPrime(256)
q=getPrime(256)
e=74
n=p*q
c=pow(m,e,n)
print("p=",p)
print("q=",q)
print("c=",c)
#p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
#q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
#c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123

经典的e和phi不互素题目。

from Crypto.Util.number import *
import gmpy2

e=74
p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123
n=p*q
a=gmpy2.gcd((p-1)*(q-1),e)
b=e//a
phi=(p-1)*(q-1)
d=gmpy2.invert(b,phi)
m_a=pow(c,d,n)
print(long_to_bytes(gmpy2.iroot(m_a,a)[0]))

我测你vva

public class Encrypto{
    public static void main(String[] args) {
        String flag="";
        int cipher;
        char[] arr;
        arr=flag.toCharArray();
        for(int i=0; i<flag.length(); i++) {
           if(i%2==0){
            cipher=Integer.valueOf(arr[i]);
            cipher=cipher+i;
            System.out.print((char)cipher);
           }
           if(i%2!=0){
            cipher=Integer.valueOf(arr[i]);
            cipher=cipher-i;
            System.out.print((char)cipher);
           }
        }
    }
}
//cipher=HYEQJvPZ~X@+Bp

这段Java代码实现了一个简单的加密算法，将原始字符串中间奇数位和偶数位的字符按不同的方式处理：

对于位于偶数位置的字符，将该字符的编码值加上它所在的位置，得到密文中的对应字符；对于位于奇数位置的字符，将该字符的编码值减去它所在的位置，得到密文中的对应字符。

直接反推flag：

cipher = "HYEQJvPZ~X@+Bp"
flag = ""

for i in range(len(cipher)):
    if i % 2 == 0:
        cipher_code = ord(cipher[i])
        plain_code = cipher_code - i
        flag += chr(plain_code)
    else:
        cipher_code = ord(cipher[i])
        plain_code = cipher_code + i
        flag += chr(plain_code)

print(flag)

The same common divisor

from Crypto.Util.number import *
m=bytes_to_long(b'xxxxxx')
e=65537
p=getPrime(1024)
q1=getPrime(1024)
q2=getPrime(1024)
n1=p*q1
n2=p*q2
c1=pow(m,e,n1)
c2=pow(m,e,n2)
n3=n1^n2
print('n1=',n1)
print('n3=',n3)
print('c1=',c1)
print('c2=',c2)
#n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
#n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
#c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
#c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269

pq共用同一个因子，n2用异或求出来，直接解就行：

from Crypto.Util.number import *
import gmpy2

c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
n2=n1^n3
e=65537
p=gmpy2.gcd(n1,n2)
q=n1//p
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
m=pow(c1,d,n1)
print(long_to_bytes(m))

Virginia

Ysexj lrk rzmkses os wilj hhks joa rtsy xzmktye yt xuim ehgy joa ofsz blnz yz pohv tnjx fxtx yuzc dxjlmy fyd nzr tnjx fuw cegq! Orkfx wnfe yuz haty eo jwpas;lz wnjce etf wgse tu lz;bk bsaz dzu cfyt zt me,hjnaaxp yuz sabj znrd znk qtfk fyd usp cnfyck yz du fwl zmp tnnygy dzu cfyt zt oo.Sfj yuz sabj pnuzrh nfapospsy yz mgpp yuz dwkje,ettfgn ycigqd tu rlkk dzu yycotl,pnuzrh ytcrub eo qjpp etf harln,kszumm sovj eo sfve etf hguay? Gqhaex auz dzuxxpll ny ozmpry’xsokx.Tf etf fkjw tnfe iz mfrzx joa,ne pxtmahqj hawes zmp ozmpr vjcsus, eou.Yse nfapojdt uk aeuuwe jty’t tjneyxlroqj hgap tnj meyy zf kapreysitl;ehkd uuyy xaqj ehk rzsz tq ebjcyzmtnm ysaz hzmkx llusr tnjtr cfj.Hguaitjds rnps ltc tntde cmz cxd,ehuxp wnt suxy, ehuxp wnt sabj degwnhki,lnj ysoyj hhu mlvk yciki,qox tyle ysee hln guarkhtazj ehk nxpuweathp ol upovqp,wnt sabj eoahsej yseow wibjd.Luap bkltny bttn f dmoqp,gxths cneh g ptsy fyd ksos cneh g ypax.Yse hwtgnypsz kftawp woqw arblyy gp bgxpd us l fuwrozypn vfdt, etf cgs’e gu ty wkqw it qtfkzytoq joa qpt mt zf etfr vfdt lftlawps gso hkfctghsey.Bset dzu cjce htcn,etf wkwp cxdtnm fyd kapretye gwzuti joa bls yrtlosr.Loap yuzc lokp su ysaz bset dzu jnp,yuz'ce zmp otj hhu nd ssnwitl lnj jgexdznk fcoaso yuz ts iwjitl.
Uwegxp skso tnnd mkxdamj eo zmzsk upovqp wnt xegs dosjehosr tu dzu,zt ehuxp wnt sabj eoahsej dzux qtfk ny otj hae tc attehkw,eo zmzsk bso sfve etf ssnwe cmpn etf rkfwle spej ne,tu ysoyj ehgy xaqj joa xpe zmp bxnrhzjc soip ol ysitld wnjy yuz lrk wparqj duby,tu ysoyj hhu dzu cfyt zt wez yses pyoc ysaz dzu guarkhtazj ehknc fxnpnjxsiv.Fyd ok joa izn’z, izn’z bzrxd,yozmtnm gld cnwl nfapks eo etf,yuz hirq uuyy xiyx zuz ty tnj zpvtctastte yz bxnrhzjy surpotj’d dgd hizm ehox xeyxlgk.Rj pgxdwuwo iy szt g wpgaqlr Ifpsgw aayxhoxi,lnj yse ksn frfr=[86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164] -Cgjdax

单表替换，直接放网站：

There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do.May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others’shoes.If you feel that it hurts you,it probably hurts the other person, too.The happiest of people don’t necessarily have the best of everything;they just make the most of everything that comes along their way.Happiness lies for those who cry,those who hurt, those who have searched,and those who have tried,for only they can appreciate the importance of people,who have touched their lives.Love begins with a smile,grows with a kiss and ends with a tear.The brightest future will always be based on a forgotten past, you can’t go on well in lifeuntil you let go of your past failures and heartaches.When you were born,you were crying and everyone around you was smiling.Live your life so that when you die,you're the one who is smiling and everyone around you is crying.
Please send this message to those people who mean something to you,to those who have touched your life in one way or another,to those who make you smile when you really need it,to those that make you see the brighter side of things when you are really down,to those who you want to let them know that you appreciate their friendship.And if you don’t, don’t worry,nothing bad will happen to you,you will just miss out on the opportunity to brighten someone’s day with this message.My password is not a regular Caesar password,and the enc flag=[86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164] -Caesar

给了最后一组数据，提示Caesar，实际用了变异凯撒：

l=[86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164]
for i in l:
    print(chr(i-l.index(i)-10),end='')

babyLCG

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
bit_len = m.bit_length()
a = getPrime(bit_len)
b = getPrime(bit_len)
p = getPrime(bit_len+1)

seed = m
result = []
for i in range(10):
    seed = (a*seed+b)%p
    result.append(seed)
print(result)
"""
result = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
"""

用了LCG，已知每一轮的seed，先求模数再求a再求b，最后逆推flag：

from Crypto.Util.number import *
import gmpy2

s = [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]

x0, x1, x2, x3, x4 = s[0], s[1], s[2], s[3], s[4]
t0, t1, t2, t3 = x1-x0, x2-x1, x3-x2, x4-x3
p = gmpy2.gcd(t3*t1-t2*t2, t2*t0-t1*t1)
a = (x2-x1)*gmpy2.invert((x1-x0), p) % p
b = (x1-a*x0) % p
m = gmpy2.invert(a, p)*(s[0]-b) % p
print(long_to_bytes(m))

隐晦的聊天记录

出题人:6c73d5240a948c86981bc294814d
某不知名收件人：收到消息attack at dawn
出题人:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
某不知名收件人：收到消息Monday or Thur
已知出题人和收件人手中的密钥相同，请解出出题人第二次发送的密文呢。

OTP，直接解就能出：

c1='6c73d5240a948c86981bc294814d'
m1='attack at dawn'
m2='Monday or Thur'
res=''
for i in m1:
    res+=hex(ord(i))[2:]
key=hex(int(res,16)^int(c1,16))[2:]
res=''
for i in m2:
    res+=hex(ord(i))[2:]
flag=hex(int(res,16)^int(key,16))[2:]
print(flag)

Where is P?

from Crypto.Util.number import *
m=bytes_to_long(b'XXXX')
e=65537
p=getPrime(1024)
q=getPrime(1024)
n=p*q
print(p)
c=pow(m,e,n)
P=p>>340
print(P)
a=pow(P,3,n)
print("n=",n)
print("c=",c)
print("a=",a)
#n= 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
#c= 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
#a= 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605

这题大概需要三步，爆破P，然后一个copper求p，最后常规的RSA解密：爆破P可以根据位数来爆。

import gmpy2
from Crypto.Util.number import *

n = 24479907029118467064460793139240403258697681144532146836881997837526487637306591893357774423547391867013441147680031968367449693796015901951120514250935018725570026327610524687128709707340727799633444550317834481416507364804274266363478822257132586592232042108076935945436358397787891169163821061005102693505011197453089873909085170776511350713452580692963748763166981047023704528272230392479728897831538235554137129584665886878574314566549330671483636900134584707867654841021494106881794644469229030140144595938886437242375435914268001721437309283611088568191856208951867342004280893021653793820874747638264412653721
c = 6566517934961780069851397787369134601399136324586682773286046135297104713708615112015588908759927424841719937322574766875308296258325687730658550956691921018605724308665345526807393669538103819281108643141723589363068859617542807984954436567078438099854340705208503317269397632214274507740533638883597409138972287275965697689862321166613821995226000320597560745749780942467497435742492468670016480112957715214640939272457886646483560443432985954141177463448896521810457886108311082101521263110578485768091003174683555938678346359150123350656418123918738868598042533211541966786594006129134087145798672161268647536724
a = 22184346235325197613876257964606959796734210361241668065837491428527234174610482874427139453643569493268653377061231169173874401139203757698022691973395609028489121048788465356158531144787135876251872262389742175830840373281181905217510352227396545981674450409488394636498629147806808635157820030290630290808150235068140864601098322473572121965126109735529553247807211711005936042322910065304489093415276688746634951081501428768318098925390576594162098506572668709475140964400043947851427774550253257759990959997691631511262768785787474750441024242552456956598974533625095249106992723798354594261566983135394923063605

i = 0
while 1:
    print(i)
    if gmpy2.iroot(n * i + a, 3)[1]:
        P=gmpy2.iroot(n * i + a, 3)[0]
        break
    i += 1
P=P<<340

PR.<x> = Zmod(n)[]
f = int(P) + x
pp = f.small_roots(X=2^340,beta=0.4)[0]

p = (P << 340) + pp
assert n % p == 0
e = 65537
phi = p - 1
d = inverse_mod(e, phi)
m = pow(c, d, p)
print(long_to_bytes(int(m)))

baby_xor

from Crypto.Util.number import *
from secret import flag

m = bytes_to_long(flag)
assert len(flag)==32
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 65537
c1 = p^m
c2 = pow(m,e,n)
print(f'n = {n}')
print(f'c1 = {c1}')
print(f'c2 = {c2}')

"""
n = 139167681803392690594490403105432649693546256181767408269202101512534988406137879788255103631885736461742577594980136624933914700779445704490217419248411578290305101891222576080645870988658334799437317221565839991979543660824098367011942169305111105129234902517835649895908656770416774539906212596072334423407
c1 = 11201139662236758800406931253538295757259990870588609533820056210585752522925690049252488581929717556881067021381940083808024384402885422258545946243513996
c2 = 112016152270171196606652761990170033221036025260883289104273504703557624964071464062375228351458191745141525003775876044271210498526920529385038130932141551598616579917681815276713386113932345056134302042399379895915706991873687943357627747262597883603999621939794450743982662393955266685255577026078256473601
"""

看起来也是一个copper题，这次的已知p位数刚好是一半，理论上是不够进行copper的，需要爆破几位，同时可以根据epsilon来增加精度：

from Crypto.Util.number import *
from tqdm import tqdm

n = 139167681803392690594490403105432649693546256181767408269202101512534988406137879788255103631885736461742577594980136624933914700779445704490217419248411578290305101891222576080645870988658334799437317221565839991979543660824098367011942169305111105129234902517835649895908656770416774539906212596072334423407
c1 = 11201139662236758800406931253538295757259990870588609533820056210585752522925690049252488581929717556881067021381940083808024384402885422258545946243513996
c2 = 112016152270171196606652761990170033221036025260883289104273504703557624964071464062375228351458191745141525003775876044271210498526920529385038130932141551598616579917681815276713386113932345056134302042399379895915706991873687943357627747262597883603999621939794450743982662393955266685255577026078256473601

P=(c1>>256)<<256

for i in tqdm(range(256)):
    PR.<x>=Zmod(n)[]
    f=P+(i<<248)+x
    x0=f.small_roots(X=2^248,beta=0.4,epsilon=0.01)
    if x0:
        break

p=P+(i<<248)+x0[0]
assert n%p==0
e = 65537
d=inverse_mod(e,p-1)
m=pow(c2,d,p)
print(long_to_bytes(int(m)))

Misc

很多非常简单的题队友帮忙做了我就不弄了。

这羽毛球怎么只有一半啊（恼

一张纳西妲的图，缺了一半直接改一下高度就得到flag了。

【Minecraft】玩得开心~~~

【Mincemeat】服务器地址 43.248.184.94:20023
版本为 1.19.2

给了服务器和版本号，进服之后主城找村民1个钻石兑换flag，直接挖就完事了。

两仪生四象

_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}

_reverse_hash = {v: k for k, v in _hash.items()}

text = "LitCTF{*********}"

text = text[7:-1]

binary_text = ''.join(format(ord(c), '010b') for c in text)

encoded_text = ""
for i in range(0, len(binary_text), 3):
    try:
        encoded_text += _reverse_hash[binary_text[i:i + 3]]
    except KeyError:
        encoded_text += " "

print(encoded_text)

""" 
encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑" 
"""

八卦转三位二进制，但是这题有个地方做了一些手脚：

binary_text = ''.join(format(ord(c), '010b') for c in text)

这里format函数把每个字符转为10位2进制，不够的位数在前面补0，就导致转三位二进制的八卦的时候会错开，不过不影响，写个脚本就出了：

book1='乾兑离震巽坎艮坤'
book2=['111','011','101','001','110','010','100','000']

encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑"

b=''
for j in encoded_text:
    b += book2[book1.index(j)]
print('NSSCTF{',end='')
for i in range(0,len(b),10):
    print(chr(int(b[i:i+10],2)),end='')
print('}',end='')

雪山的秘密

题目描述:
芬德尼尔的人民尝试了各种办法都没能让银白古树重新焕发生机，只能在寒天之钉带来的风雪中走向毁灭。这个国家的历史仅有数十年，如同公主的青春一样短暂，在提瓦特大陆成千上万年的岁月中只不过是昙花一现。但雪葬之都的故事并未就此结束。五百年前，坎瑞亚王朝的覆灭催生了大量腐化魔兽，其中就包括袭击蒙德的毒龙杜林。根据《林间风·龙之书》的记载，风龙特瓦林在风神巴巴托斯的帮助下击杀了杜林，它的尸骸坠落到蒙德南部的龙脊雪山上。

打开题目，为一段两分多钟的摩斯密码音频，手动识别一下，或者使用网站：Morse Code Adaptive Audio Decoder | Morse Code World

3.2-..3-.23-.32-32.-3..-/..2-223-.32-322-..3-..2-/2.2-3..-232-223-..2-.32-/3.2-..3-.23-3.3-..3-/.32-32.-322-.3.-/.3.-33.-22.-23.-..3-.23-..2-3..-/.2.-..3-2.2-3..-.23-/23.-.33-.32-2.2-3..-/3.2-223-322-332-3..-233-

识别了一部分之后直接百度，查到了：原神机器人暗号的秘密 - 哔哩哔哩 (bilibili.com)

这摩斯破译后的结果其实是雪山小宝发的密文，按照小宝编号按序列顺序排列：

Hu-16180 3.2-..3-.23-.32-32.-3..-
Hu-21030 ..2-223-.32-322-..3-..2-
Hu-31122 2.2-3..-232-223-..2-.32-
Hu-42318 3.2-..3-.23-3.3-..3-
Hu-57104 .32-32.-322-.3.-
GN/Hu-68513 .3.-33.-22.-23.-..3-.23-..2-3..-
Hu-73011 .2.-..3-2.2-3..-.23-
Hu-81122 23.-.33-.32-2.2-3..-
Hu-96917 3.2-223-322-332-3..-233-

将密码转换为0，1，2表示的三进制数，.等于0，-等于空格（分隔符），2等于1，3等于2。

Hu-16180 201 002 012 021 210 200
Hu-21030 001 112 021 211 002 001
Hu-31122 101 200 121 112 001 021
Hu-42318 201 002 012 202 002
Hu-57104 021 210 211 020
GN/Hu-68513 020 220 110 120 002 012 001 200
Hu-73011 010 002 101 200 012
Hu-81122 120 022 021 101 200
Hu-96917 201 112 211 221 200 122

后转回10进制，数字都包含在26内，转为英文字母：

Hu-16180 S B E G U R

Hu-21030 A N G V B A

Hu-31122 J R P N A G

Hu-42318 S B E T B

Hu-57104 G U V F

GN/Hu-68513 F X L O B E A R

Hu-73011 C B J R E

Hu-81122 O H G J R

Hu-96917 S N V Y R Q

最后ROT13：

Hu-16180 F O R T H E

Hu-21030 N A T I O N

Hu-31122 W E C A N T

Hu-42318 F O R G O

Hu-57104 T H I S

GN/Hu-68513 S K Y B O R N E

Hu-73011 P O W E R

Hu-81122 B U T W E

Hu-96917 F A I L E D

按照题目的要求得到flag：

NSSCTF{FOR_THE_NATION_WE_CANT_FORGO_THIS_SKYBORNE_POWER_BUT_WE_FAILED}