sys.path.append("/home/k1rit0/CTF/") import myCrypto.AMM as AMM
from sage.allimport *
from Crypto.Util.number import inverse, isPrime, long_to_bytes
LAM = 380 l = 5 M = [[0for _ inrange(l)] for _ inrange(l)] N = [21068286322889605292449387381402285403911455560141090214735354974440606624419616964297007580321013791067226167439872996226832500580037706653803152998537359002847432836899418650117306549893607343160006144352760334920785866221130409904894118963374929467323935674617670738402419178327965359202178162667267351040190371168301980935481660326630257816016921697149710082155701629870160350348818834688225753303057415885022226024601907498521621901308603324694768684738802528845831936410741399435491742825201984427922436831471812070309418640813794622730842698875782093607446798284303784522710493344963880678737688403891400189331, 12308853561607841041934092506744511689155586116240481655471529969953855274038227343811431655989608434591583673694139060863738492861944511267544267389946989849658784130545243679913412818685768313761630659910263680193434985838781131523993553907838129189461461476296694554655782825701774629683350764866069156868009043211117580921049441277102377562595106269789041165210135844474567428536421792003953066707002965308982249630472773112238349557943156998108879517471317999283500584387777397105486037127797366322210846034599129011995028171723686883387966414035624689126402104807914499946793228044511016295452985310557970379011, 30738697791225132085580847654714047571186902668616746842899304102159584623469816318757206927486219023390491315148910896488732403322767246394501024688827804510369382155878820868892068583525039291929122306306627213766241320525799308714371006850194133645674073652842238370607838910482032953868627367283394607836966578300168303793400060582848922857236410576441317474208136497407564188049755626445760675555940268390636610085726624705570165069943427799504990418468772678900305743541682004982830947893963522764021022122922104982911181491725457610355492465006313490505471915305370861395875195908816803244772843442663436627811, 8305502698327938163061403448570905343510072391121488812862051390404395134941843998819543534972233651342461635174480345500578515464031763529097882752145582280163441217012244252516496790390759043249994221367357315376275069348967721415258505344163223181510037360702185803627278919587509933485368201596116686196256578251198487468448008040978019816660838136301253757474040665970837583661727365857243232757366302995923446406792674664094421560455977644181219681801233665490911903627509944363786700632306093740157219837713108792604909612708233475959478546962262259340699913418281265092058666045625836471989209312154073075491, 9249057556737779363640590847304104073427145700484200097209450631890326978899167760679154628208658960714377959140386507599020762987984595928908203986925752986701463694818100098371494812801057184146507393471109418242580315774651644212154315684690259768215107765517606521494940441845123991021958309973443907208341450704221754039776849253367952771456447007511355415631917532484344389697848200615413029231558971975377100287746424454815515972611696776506127916905426006223842544245270081659891304287086426791583147370534686626291189249685625856952980692492700851557019098598454447260906380261199261945010423393013023715209 ]
for i inrange(l): N[i] = int(sqrt(N[i]))
for i inrange(1,l): M[i][i] = -N[0] M[0][i] = N[i] M[0][0] = 2 ** LAM L = Matrix(M).LLL()[0] assert L[0] % 2 ** LAM == 0
q = abs(L[0] // 2 ** LAM) n = N[0] a = (n - (n % q)) // q # Know high bit of p n = 9249057556737779363640590847304104073427145700484200097209450631890326978899167760679154628208658960714377959140386507599020762987984595928908203986925752986701463694818100098371494812801057184146507393471109418242580315774651644212154315684690259768215107765517606521494940441845123991021958309973443907208341450704221754039776849253367952771456447007511355415631917532484344389697848200615413029231558971975377100287746424454815515972611696776506127916905426006223842544245270081659891304287086426791583147370534686626291189249685625856952980692492700851557019098598454447260906380261199261945010423393013023715209 e = 65537 c = 596355871374007258796739088580480254690421307398563449520929804224579804032978250178898982384142847223103176953609592214108362545413436815340326688408982175941755069859344738153840235542651636279657627294019566968304679361239665444560606473133283058393087609946086549065553264454684624204753050326115020520403436076532095607286695957435489522985881581820635688415133423515447960953517405315231071959346343447601273197470177184887138457495799503680274625485150493280857586565387473867813858817367137470006514777542969192548145776362722942018998084778630461770023286812913356191141099060132770816764636107436181833654
_p = a**2 R = PolynomialRing(Zmod(n),'x') x = R.gens()[0] f = _p + x roots = f.small_roots(X=2 ** 368,beta = 0.4) if roots: p = _p + int(roots[0]) print(p) assert n % p == 0 q = n // p phi = (p-1) * (q-1) d = inverse_mod(e,phi) print(long_to_bytes(pow(c,d,n)))
p = 117235409029105051846806067899523247170361728684595002856792997268214583527481018331523314373480172502868245719103537926811678162691190783273715963938227870577908696266175564889962816950193051688136250287087726752359306820791879258724210723175953346754995614733931375012961016374642411090783817788045807125779 e = 4096 c = 9565562547953889050875342796317230683573917021053842636334550812905648260474828549598393988661413478381057558054348342995403993026447829846151651076469025927491897151314215230367392957203050021568190862146104714972731651005427897872753163387978990574633850084765886249824258759820964357075803586150088309646
R = PolynomialRing(Zmod(p),'x') R1 = [c] R2 = [] for _ inrange(12): for r in R1: x = R.gens()[0] f = x ^ 2 - r roots = f.roots() if roots: for root in roots: R2.append(root[0]) R1 = R2 R2 = [] print(R1) for m in R1: print(long_to_bytes(m))
from Crypto.Util.number import long_to_bytes , bytes_to_long , getPrime , inverse from Crypto.Cipher import AES import socketserver , signal import random import string from hashlib import sha256 import os flag = 'aaaaaaaaaaaaaaaa' q = 2**24
defto_mat(self,numlist): M =[] for i in numlist: M.append(self.to_vec(i , 40)) return M
defenc(self, key , m): key = self.to_mat(key) res = [] for i inrange(40): temp = 0 for j inrange(16): temp += m[j]* key[j][i] temp %= q res.append(temp) return res defhandle(self): # signal.alarm(120) # self.proof_of_work() self.genrsa() self._send(str(self.n)) self._send(str(self.e)) secret = [1] + [2*getrandbits(23)-1for _ inrange(15)] print(secret) self._send(b'Please generate key for me and I will give you my secret.But you have only two chances.') for i inrange(2): key = [] f0 = getrandbits(480) print(f0) key.append(f0) self._send(str(pow(f0 , self.e , self.n))) f0 += f0 << 480 for j inrange(15): self._send('key'+str(i+1) + ':') c = int(self._recv()) m = pow(c , self.d , self.n) f = m - f0 f %= self.n key.append(f) c = self.enc(key , secret) self._send('Thanks, here is your cipher:' + str(c)) self._send(b'do you know the secret?') guess = [int(i) for i in self._recv().split(b' ')] iflen(guess) == 16: for j inrange(16): if guess[j] != secret[j]: break else: self._send(b'congratulations. here is your flag:') self._send(flag) return0 else: self._send(b'L1near don\'t care.')
defto_mat(numlist): M =[] for i in numlist: M.append(to_vec(i , 40)) return M
CON = pwn.remote('172.27.176.1',10000) resp = CON.recvuntil('key1:\n').decode().split('\n') n = int(resp[0]) e = 65537 enc = int(resp[3]) for _ inrange(14): CON.sendline(str(shiftf0(enc,_)).encode()) resp = CON.recvuntil('key1:\n').decode() print(_,resp) CON.sendline(str(shiftf0(enc,_+1)).encode()) resp = CON.recvuntil('key2:\n').decode().split('\n')
_res = resp[0][29:-1].split(',') res =[] for i in _res: res += [int(i)] f0 = 0 for i in res[-20:]: f0 += i f0 = f0 << 24 f0 = f0 >> 24 key = [f0]+ [((i+1)* q**20 * f0 ) % n for i inrange(15)] M = matrix(Zmod(q),to_mat(key)) print(M.solve_left(vector(res)))