BuildCTF Crypto方向wp

OVO开门爽！开到南天门了兄弟 - by abbb

经典rsa，给出了p，q的平方，直接开根就行
exp:

from Crypto.Util.number import *
import gmpy2

P =  8279853330757234669136483032750824826175777927506575083710166412897012079466955769715275604152872242147320194640165649152928984919315754419447729793483984130396358578571137956571302516202649076619076831997922675572705848199504309232044502957866317011212505985284129365522570368395368427388904223782742850616983130885152785650513046301920305069822348366931825404271695876688539675285303882189060671184911139742554710018755565518014777733322795522710234091353878298486498244829638878949389690384488573338138825642381687749888102341379254137445546306796258092762099409409285871651688611387507673794784257901946892698481
Q =  9406643503176766688113904226702477322706664731714272632525763533395380298320140341860043591350428258361089106233876240175767826293976534568274153276542755524620138714767338820334748140365080856474253334033236457092764244994983837914955286808153784628739327217539701134939748313123071347697827279169952810727995681780717719971161661561936180553161888359929479143712061627854343656949334882218260141557768868222151468471946884225370009706900640851492798538458384449294042930831359723799893581568677433868531699360789800449077751798535497117004059734670912829358793175346866262442550715622833013235677926312075950550681
n =  8825283482190476005946253343638820879559355306860912268128891241513310054066424567824202757539757712177309282694997613217968336164050770152277369601415394249781577415456224120102543968285035647514461364611734338073523454354376992783551035395558194171202680855182868766563277697325690226849316944101739491659812174054898519492145495098671439125714086449826697343692081109131564556220174583970363431110462222473013021825770267803249515893736989430146194199936335153936611196467225599746830873958085287665223190767137404366840055297859554490123389877396965710177279558954630222879974581602069901175074777191362537419581
e =  65537
c =  27915082942179758159664000908789091022294710566838766903802097394437507062054409033932303966820096232375646873480427485844733381298467171069985418237873120984132166343258345389477844339261488318588760125230979340678006871754125487279212120945061845738130108370814509280317816067243605608952074687396728904772649873860508240809541545939219624254878900291126739390967820141036260712208555574522131446556595562330969209665291757386246648060990840787769772160549862538116370905306402293764494501838709895355570646716245976733542014165663539815972755562821443411642647981898636761822107221203966296758350547477576411216744594534002057673625678188824476543288048956124565509473100550838563085585434675727358831610724920550213350035792170323729397796947598697983084347567191009236345815968927729025919066227704728180060805553787151862426034275526605154807840695498644070184681962311639338273469859838505348823417234722270798882384367058630064108155240680307754557472476430983184039474907188578578484589833812196216551783354411797156409948499012005963943728564803898150155735762695825658678475746559900705796814512838380193603178657226033406812810314960142251012223576984115642351463684724512456778548853002653596485899854303126091917273560

p = gmpy2.iroot(P, 2)[0]
q = gmpy2.iroot(Q, 2)[0]
phi = (p-1)*(q-1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
# BuildCTF{We1c0Me_b@cK_To_7uNiOr_h19H!!!}

ez_matrix - by abbb

$P*G=Q\\ P*(G+I)=Q+P=X\\ P=X*(G+I)^{-1}$

推导发现求出p后异或可以得到q，然后是正常rsa
exp:

from Crypto.Util.number import *
c = 5750862006780374919287214285692236210204656897730327429454502213453716609006462693326927544526483929921956237739564314742381291228170724611684726314766300684189083862768843433748971907962075938141567163713163231477418107343867114651242407427262164467193346523730926798966915657982552864539513197192523866321569716738540583056085357621328692775578162692288348251605475475005408200801081747601745630186390866011595954211521326069111983199120520535552104591110478015154646709731714695120857959832894595677697407284511806934799265823961155753765208975629786832407640872204810033141414096894416317703257346937008503926274
x= 89144063720545532404936347749976033995959352088369581593483294017916269127126015515514164556238892315116219488234599276283755643115494368387307879815221830970632672104176330851649236203019768799744400071934922875736029236458980333704716550922984411453411523931115952319603510996580835848026227775168231757398
g=[[0,0,1,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,0,0,1,0,0,0,1,0,0,1,1,0,0],
[1,0,1,0,0,0,0,1,0,1,1,1,1,1,0,1,0,1,1,1,0,1,0,0,0,1,1,0,0,0,0,1],
[0,1,0,1,1,1,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0],
[0,1,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,1,0,1,1,0,1],
[0,1,0,1,1,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,1,0,0,1,0,0,1,0,1,1],
[1,1,1,0,0,1,0,0,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,1,1],
[1,0,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,0,0,1,0,0],
[1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,0,1,0,1,0,0,1,0,0,0,1,1,1,1,0,1,0],
[0,0,1,0,1,1,1,0,1,1,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,1,1],
[1,0,0,0,0,0,0,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,0,1,1,1,1],
[1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1],
[0,0,1,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,0,0],
[1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,0,0,0,0,0,1,0,1,1,1,0,1,0,1,1,0,1],
[1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,0,1,1,1,1,0,0,1,0,0,1,0,1,1,0],
[1,0,0,1,1,1,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1],
[1,0,0,1,0,0,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,1,0,0,0,0,1,1,1,0],
[0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1,0,0,1,0,1,1,1,1,1,0,0,1],
[0,0,0,1,0,1,1,1,1,0,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1],
[0,0,1,1,1,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,0],
[0,1,0,0,0,0,1,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,1,1,0,0,1,1],
[1,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,0,1,1,0,0,0,1],
[0,0,0,0,0,0,1,0,1,1,1,1,1,0,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1],
[0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1],
[1,1,0,0,0,1,1,0,1,1,0,0,0,0,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1],
[1,1,0,0,0,0,0,1,1,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,0,1,0,1,1,0],
[0,1,1,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0,0,0,1,0,0],
[0,1,0,1,1,0,0,0,0,1,1,1,1,1,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,0,1,0],
[1,1,1,1,1,0,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,1,0,1,1,0,0,0,1,1],
[1,1,1,1,1,1,1,0,1,1,1,0,0,1,0,1,0,1,1,0,0,0,0,1,1,1,0,1,0,0,0,0],
[0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,1,0,1,0,0,0,1,0,1,1,0,0,0,0,0,1,1],
[0,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,1,1],
[0,1,1,0,1,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1]]
xor_binary = bin(x).replace('0b', '').zfill(1024)
X = matrix(GF(2), [list(map(int, xor_binary[i:i+32])) for i in range(0, len(xor_binary), 32)])
G = matrix(GF(2),g)
E = identity_matrix(GF(2),32)
L = E+G
I = L^(-1)
P = X*I
p = ''
for i in range(32):
    for j in range(32):
        p += str(P[i][j])
p = int(p,2)
q = x^^p
d = inverse(65537,(p-1)*(q-1))
m = pow(c,d,p*q)
print(long_to_bytes(m))
#BuildCTF{78e09053-bc0a-4fdc-9dec-0f107bf9ba43}

ezzzzz_RSA - by abbb

$h_1 = \text{pow}(2024 \cdot p_1 + 2023 \cdot q, 113, n_1)$

$h_2 = \text{pow}(2023 \cdot p_1 + 2024 \cdot q, 629, n_1)$

$a = \text{pow}(2023, 113 \cdot 629, n_1)$

$b = \text{pow}(2024, 113 \cdot 629, n_1)$

$c = \text{pow}(h_1, 629, n_1)$

$d = \text{pow}(h_2, 113, n_1)$

$w = \left( (c \cdot a) \mod n_1 - (d \cdot b) \mod n_1 \right) \mod n_1$

对h1和h2进行变形构造相减消去p1的部分，然后和n1做gcd就可以还原q,尝试把p也还原，结果搞不出来，发现flag不是很长，就直接用q解rsa了(话说h0有什么用)
exp:

from Crypto.Util.number import *
import gmpy2
n1 = 19957426023169626195602761840035904096149402534966487535713447987366768645542881124782551268978342063458430846877824210659778126281705984711061190351636497944943321988950188171159903717348936556346198638311950016136865425015037098270040031872702873264144372191898253134939805153141701819590164140250130420280491966786900651186941317959556066730959744279963976065565436153399679475410040773637142677936926894677919242351610457296203864806991539480593546084449323017670431590012312526757477514457145686070196978477495658962519391041011847512041022828710693830661412217389320600888361578917153088073678587422269955710471
n2 = 11933661747067216317642315621042074566046499785197709817779978157416906347669444374234313329064859622960743743511735672614999566264025648698589886185056758071718319964262619819143757922916624196354313322456534266520150543008117888101349920396737532937616502689667208207329048979872222563877933742673021891249520999021187404065706388700711208445628041386956459398271230236018476964839399245143666534359113777846535151773174701732284280083586580489995666306373839417946648196140879978268472361473557375951972193618245984950374326806423407152520541682571610372434453778172497925696535270204943842467472100237854318244291
c = 20080676122944896238797522372441559951736929534371084097400233944319893926800196694449564534150770085554349952433141815637324753386484549616573636001763815852095984830828952020047938406909274311785306299061021662484544371813739713520361343350959698642021322243662988875917088108399877176033404097457939417134483333264562602633853694382014472747500159100723626314928476484037666519857604568300967071868151508142784271042600815406853978696857309760951105852288354603503207383899902135741426285551161292195639862478256231538619968275273876467583013024899054710124331145912185471501398910765579441956531091561893256832468
h0 = 2996726009726260695732821166504040344731102637047682432884058857493935625094258046641569918904978173116793673563730117949606727933902262668880339210084101176866383602543966179840353633735507442926707342258391362245904850297416642271123328980812931025677857373199540129280097315832907023777052101133649877194495480543646472133854655383755313968952550827443970931104462445312146328606862802196901953935238972759852435882720786570965542286278549107402918041194008845717507735786897968734831064393337773557817839343449001368565856921138408039931608804233595980497557733714560035682416265029819340316734845279080134432704
h1 = 19843160604742228074331688651361052208481287636527838615063387670722213224954610448720065937378201545177278841575633697012434074186046556843292068835752113384756149944114298949115412819730843598288637259467085268861201775723817790428386595559040938133481222229290199923979132846871398172318539492741755408720073350962388138453341677009547616238262211176727424067946020683742262782319735286357465817786446238528187722959357444676512705451504136333336415880020502524009647940182721264953084120705872870651891290569527156804993340563927419561415555818468261824287933683736509372616293569615247228388443284457740072850735
h2 = 15147052684674827267989051566164167603473413362261253296001082161136918959833294463185335416662127368473980239667918561600741667513285708843081475074688239507330230558331408877583246661862040918410036936505307437329914363201630212163952357444441705663871720438955166472073576526814546767805314463827075388036712200327696168965762177567346966479399896578190111819130000991594490932388132188241726654756368698998232826340969288082645860324404980143489489946490266439447342461483490582149239131554246756547000945718737195930407251232848166108751122870333559461452459416252942341423373918245090162970624108991537972775066
a = pow(2023,113*629,n1)
b = pow(2024,113*629,n1)
c = pow(h1,629,n1)
d = pow(h2,113,n1)
w = ((c*a)%n1-(d*b)%n1)%n1
q = gmpy2.gcd(w,n1)
d = inverse(65537,q-1)
m = pow(c,d,q)
print(long_to_bytes(m))
#BuildCTF{29g5blh5-7829-5k38-a836-9bk54h291h6}

gift - by abbb

给了关于p,q的方程，由于gift只有40位，先求p,q的近似，再用高位copper去还原准确的p,q，创建一个实数域，定义多项式f，并求解它的根来得到近似。然后创建多项式环，通过small_roots找到小根，相加得到准确值
exp:

from Crypto.Util.number import *

c = 101383046356447336426623798470530695448361708798731382238747567108067236241251384089401506320741815081024352908156466877907424203888923965647318146770258139921360377246187637085549628797640957048672797430217647039035455011311505942632107576730906489223641894279483592789523228409885925263914621255862261546919
n = 131097719698687108485813302886652389604731026998272796315024695395496199386497660846418712521921387496051077394308820230360184411431376692252923609505060476542577219656866593501271690536991944882324175509626138475159461332403161471880082192150081456601522403673111515117219716055561941951891570977025178643791
gift = 46635322848619790584491725916282901439691751328335921415278638528896063068132242718070261114525516272650970256270551306096774004921902972838212903368063625872

gift = gift // 2024
# 创建实数域和多项式
RF = RealField(512) 
x = polygen(RF)
# 定义多项式并求根
f = x * (gift - x) - n
e = 0x10001
p = int(f.roots()[1][0])  # 获取p的近似值
# 计算p的高位
p4 = int(p >> 100)
pbits = 512
p4 = p4 << 100
# 寻找小根
PR.<y> = PolynomialRing(Zmod(n))
f = y + p4
x0 = f.small_roots(X=2**100, beta=0.4)[0]
# 计算准确的p，q
p = p4 + x0
assert n % p == 0
q = n // int(p)
d = inverse(e, (int(p) - 1) * (int(q) - 1))
m = int(pow(c, d, n))
print(long_to_bytes(m))
#BuildCTF{M@y_b3_S0m3th1ng_go_wr0ng}

girls_band_cry_pto - by abbb

通过

$𝑁[𝑖+1]=(𝐴⋅𝑁[𝑖]+𝐵)mod𝑀$

线性同余法生成伪随机数序列,计算伪随机数序列的差值，利用它们的线性关系来恢复参数A,B和模数M,从而推导出初始值p,q
exp:

from functools import reduce
from math import gcd
from Crypto.Util.number import *

# 已知的伪随机数序列和密文
sequence = [
    37382128984932009103055100236038298684187701771245912912208816283882352432386956435965036367810667394024993955812239704879381327228911265588017046627348503,
    78860822396220922181257740301787328387654351181949135165584053897837116358564567613593406267620270397593757280733139576593428399156673217202739776358215953,
    71961258377748802736482119449608198361898650603044501972923193831637292104436919483148544126546157761435847502622416800596454167412705966674707485447149592,
    87271087644907910379168026089161507515679859469787715709089631773745967695993043069981508275969979669395420678260957179827954920361899134388830957711827969,
    72060448202158281754256475874109091993193239479491265267010728401711694585210195554635415348891139571830347004379216450772696235700910532153698412887476412,
    198822737610698203376629161658629276556973499054887457432530950247888991546498594767954251786997515337433684733300663470799887569646159225800449429896258899,
    186920895499932700150962847893153648403293237986492275627558112493385728113172211076262656795948951216023567806119078906412693819469136004563793414149643278,
    56472634592713718635518027850351194341092172882542912776939953869983486542308422043454035086533070566859787384014556343587278097326244663175874047755695694,
    42665120723108982921319232615099077060109901818313520605789700720605479528247045699344736360219784997528870841912999130951916510491705708498185762196467897,
    205629005887807114384057131575309344114082007367662384600399313743755704623421415135564859072125246431180953419843187244789534372794288258609006920825136808
]
c = 51846448616255629242918159354807752786692784645460532308823434086479848425723111371477823327980874708898952566998637230358105087254392989515438172155717708590176244736140994735777168368143405720703501031813936741444894000217727880068767785957507824708838189619286341612305393812568642372035793481458142583420
e = 1384626

# 扩展欧几里得算法
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

# 模逆计算
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    return x % m

# 破解未知增量
def crack_unknown_increment(states, modulus, multiplier):
    increment = (states[1] - states[0] * multiplier) % modulus
    return modulus, multiplier, increment

# 破解未知乘数
def crack_unknown_multiplier(states, modulus):
    multiplier = (states[2] - states[1]) * modinv(states[1] - states[0], modulus) % modulus
    return crack_unknown_increment(states, modulus, multiplier)

# 破解未知模数
def crack_unknown_modulus(states):
    diffs = [s1 - s0 for s0, s1 in zip(states, states[1:])]
    zeroes = [t2 * t0 - t1 * t1 for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])]
    modulus = abs(reduce(gcd, zeroes))
    return crack_unknown_multiplier(states, modulus)

modulus, multiplier, increment = crack_unknown_modulus(sequence)
print('A =', multiplier)
print('B =', increment)
print('N =', modulus)

# p
p = (sequence[0] - increment) * modinv(multiplier, modulus) % modulus
print('p =', p)

d = inverse(e // 6, p - 1)
m = int(pow(c, d, p))
print(long_to_bytes(m))

# BuildCTF{crypt0_15_s0_e@5y!}

mitm - by abbb

穷举法生成所有可能的 3 字符密钥组合，利用 AES 加密和解密的中间结果进行匹配。用每个可能的 key0 加密已知明文 leak，再用每个可能的 key1 加密其结果，存储中间值。然后使用每个可能的 key2 和 key3 解密已知密文 cipher，检查解密后的结果是否与中间值匹配，从而找到合适的密钥组合。最后通过重建完整的密钥解密目标密文 enc_flag，获得flag
exp:

import itertools
from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# 定义可用的字符集合
note = b'Crypt_AES*42$@'
possible_chars = list(note)

# 生成所有可能的长度为3的密钥组合
possible_keys = [bytes(p) for p in itertools.product(possible_chars, repeat=3)]

leak = b'Hello_BuildCTF!!'
cipher = b'\xb9q\x04\xa3<\xf0\x11-\xe9\xfbo:\x9aQn\x81'
enc_flag = b'q\xcf\x08$%\xb0\x86\xee\x1a(b\x7f\xf8\x86\xbd\xd0\xa7\xee\xd9\x9d2\x82a7H=a\x13\x87e\xad\xd2b\x8e\x07\xa5\xddo\xc0\xf3N\xd4b\xc9o\x88$\xc7\xf4p\xc1\x1e,\xed\xcc\x94\x8c\xf4\x00\xa5\xe0-\xf7\xc5'

# 计算前两轮加密的中间值
middle_dict = {}
print("计算前两轮的中间值...")
for idx1, key0_candidate in enumerate(possible_keys):
    key0 = sha256(key0_candidate).digest()
    enc1 = AES.new(key0, AES.MODE_ECB).encrypt(leak)
    for key1_candidate in possible_keys:
        key1 = sha256(key1_candidate).digest()
        middle = AES.new(key1, AES.MODE_ECB).encrypt(enc1)
        middle_dict[middle] = (key0_candidate, key1_candidate)
    if idx1 % 100 == 0:
        print(f"已处理 {idx1} / {len(possible_keys)} 个 key0_candidate")

# 计算后两轮解密的中间值并匹配
print("计算后两轮的解密值并匹配...")
found = False
for idx2, key2_candidate in enumerate(possible_keys):
    key2 = sha256(key2_candidate).digest()
    for key3_candidate in possible_keys:
        key3 = sha256(key3_candidate).digest()
        dec1 = AES.new(key3, AES.MODE_ECB).decrypt(cipher)
        dec2 = AES.new(key2, AES.MODE_ECB).decrypt(dec1)
        if dec2 in middle_dict:
            key0_candidate, key1_candidate = middle_dict[dec2]
            print("找到匹配的密钥组合！")
            print(f"key0_candidate: {key0_candidate}")
            print(f"key1_candidate: {key1_candidate}")
            print(f"key2_candidate: {key2_candidate}")
            print(f"key3_candidate: {key3_candidate}")
            found = True
            break
    if found:
        break
    if idx2 % 100 == 0:
        print(f"已处理 {idx2} / {len(possible_keys)} 个 key2_candidate")

if not found:
    print("未找到匹配的密钥组合。")
else:
    # 重建完整的密钥并解密 enc_flag
    key0 = sha256(key0_candidate).digest()
    key1 = sha256(key1_candidate).digest()
    key2 = sha256(key2_candidate).digest()
    key3 = sha256(key3_candidate).digest()

    # 拼接所有的密钥并计算 enc_key
    enc_key = sha256(key0 + key1 + key2 + key3).digest()
    decrypted_flag_padded = AES.new(enc_key, AES.MODE_ECB).decrypt(enc_flag)
    flag = unpad(decrypted_flag_padded, AES.block_size)

    print("解密得到的 flag：")
    print(flag.decode()) 

ominous - by abbb

测试发现cipher//(2**200)时已经有flag干扰，用flag开头尝试爆破用的哪个字和200以内的数，爆破出来之后直接爆破后面生成的3个随机数以及汉字出现的位置。
1 -> 将密文转换为基本形式，通过减去已知字符的加权值，得到一个可操作的数值。
2 -> 遍历所有字符组合和权重，逐步调整以寻找符合条件的明文
3 -> 检查解密得到的字节串是否包含特定子串和有效字符
exp:

from Crypto.Util.number import *
from itertools import permutations
from tqdm import tqdm
import string

cipher = 11174132013050242293373893046306047184706656363469879247040688497021

# 基础值计算
x1 = cipher // (2**200)
x2 = cipher - ord('啊') * 119 * 2**200
flag_word = (string.ascii_letters + string.digits + '{}@_!').encode()

# 生成字符排列
ominous_dic = ['米', '斯', '诺']
permutations_list = list(permutations(ominous_dic, 3))

# 穷举可能的组合
for i in tqdm(range(200)):
    for j in range(200):
        for k in range(200):
            for p, q, r in permutations_list:
                # 计算可能的明文值
                m = cipher - ord('啊') * 119 * 2**200 - i * ord(p) * 2**150 - j * ord(q) * 2**100 - k * ord(r) * 2**50
                u = long_to_bytes(m)
                
                # 验证解密结果
                if b"BuildCTF" in u and all(y in flag_word for y in u):
                    print(u)

# BuildCTF{Wh@t_i5_0m1nous!!!}

where is my n? - by abbb

推理出

$e*d-1=kphi$

(有点像光滑攻击？)
把ed-1分解，结果放到集合k中，遍历k得到phi，由nexy_prime可知phi开根后的下一个素数就是q,再整除得到p
exp:

from Crypto.Util.number import *
from gmpy2 import *
from itertools import permutations

c = 107973408658512316248795675829719026556281556876279221462095299771897472835817102507431099132436173117611783572607408542140665445616624626408781699266046553444252772105867617770124779786841928535661872891635303381758336724610931502145965143374870804147444436791292512235485326451051756451904673491759905663466
e = 65537
d = 62036379179617188220635702722848631787124203142048526951004487465970915306760341332025319712290841316288636152355908585406155087541334717529113872233640624205650204907669681116401961584897042519881342485819364897891612540596760113597723865477121348794797592568686540283535491492936074500143092361821406613969

factors = [2, 2, 2, 2, 3, 3, 7, 11, 17, 61, 179, 827, 9439]
combinations = list(permutations(factors, 3))

# 穷举所有因子组合以找到有效的 p 和 q
for i, j, w in combinations:
    phi = (e * d - 1) // (i * j * w)
    p = iroot(phi, 2)[0]
    p = next_prime(p)  
    q = (phi // (p - 1)) + 1
    d0 = inverse(e, (p - 1) * (q - 1))
    
    # 验证 d0 是否与给定的 d 相等
    if d0 == d:
        m = pow(c, d, p * q)
        print(long_to_bytes(m))

# BuildCTF{Y0u_F1nd_7he_n_success7u1_!}

我这辈子就是被古典给害了 - by abbb

用开头九位去还原一下key的前九位，发现第九位是B，猜测开始拼接flag，于是将前面的greeting作为key求解一下AES得到flag
exp:

from Crypto.Cipher import AES
import string
from tqdm import tqdm

# 定义字符映射字典
dict1 = {chr(i + 65): i for i in range(26)}  
dict2 = {i: chr(i + 65) for i in range(26)}  

# AES 解密
def AES_dec(key, value):
    key = (key * 2).encode()  
    cipher = AES.new(key, AES.MODE_ECB)  
    plaintext = cipher.decrypt(value)  
    return plaintext

c1 = 'HLMPWKGLYSWFACEWBYRSUKYFAXZFXDKOTZHHSLFCXNICAHPGRIFUF'
c = b'\x92T{\x1f\x0f"\xbd\xbb\xfa|O\x11\x83\xa0\xec.\x15]\x9f\x9a\xe5\x85Z\x9f@yUm\xbb\xdc\x93\x08\xe5\x8b\xd5\x98\x84\xfa\x91\xe8\xde\x1b}\xcd\x9056\xa3\xbf\xdb\x85J\xcc\xec\x812T\x11\xa7Tl\x15\xf6"'
know = "BUILDCTFX"

l = []
for i in c1:
    for j in range(26):
        if dict2[j] == i:
            l.append(j)

# 生成密钥
key = ''
for k in range(len(know)):
    b = (l[k] - dict1[know[k]]) % 26  
    for w in string.ascii_uppercase:
        if dict1[w] == b: 
            key += w
            break  

print(f"生成的密钥: {key}")

key1 = 'GREETING'  
decrypted_message = AES_dec(key1, c)
print(decrypted_message)

Ju5t_d3c0de_1t! - by abbb

e是base64编码，p,q,c是二进制，直接全部转换，提示解出m后要减去key才能得到flag(这里base转化卡了好久，后来试了一下65537，没想到直接成了，算不算是一种非预期)
exp:

from Crypto.Util.number import *

e = 65537
c = int("10110011010010110101101101011110100001010100101110111011101101111101101001000010111010010011101111001111111000000001111000000010101", 2)
p = int("1100010000110101100011011010101011111101001101010011001010110111100011110110101111000101100001011011001100110010010111111100110000001111010111111101111001100111100011100110110011101011111011100111010011000100011001101101111011010110000011011100101010010101110001011011010111001010101101100101011111101000110010111000011010111001101001", 2)
q = int("11000010010010011110101110100011011100101101100100011011100010111000011110111000000011111100010100100000101101010101000101101101101011011100001101111010001010010011001010110010110101001100100011010110100011110011101110101110111110100000011110101010011011111010111100011000011111001000010101100100011110010000010001110010101100100111001", 2)
key = 592924741013363689040199750462798275514934297277010275281372369969899775117892551575873706970423924419480394766364097497072075403342004187895966953143489192628648965081601335846012859223829286606349019

n = p * q
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
m = pow(c, d, n)
flag = m - key
flag_bytes = long_to_bytes(flag)
print(flag_bytes.decode())

# BuildCTF{I_l1k3_crypt0_5o_h4rd!}