[watevrCTF 2019]Crypto over the intrawebs

題目

import socket, select, signal, string import sys, os, time, random import threadingHOST = '198.51.100.0' PORT = 1337 USERNAME = "Houdini"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((socket.gethostname(), PORT)) key = int(s.recv(1240).decode("utf-8").split(" ")[1])def encrypt(plaintext):global USERNAMEglobal keyplaintext = USERNAME + ": " + plaintextout = [random.randint(0, 9999), random.randint(0, 999)]for i in range(len(plaintext)):out.append((out[i+1] + ((out[i] * ord(plaintext[i])) ^ (key+out[i+1]))) ^ (key*out[i])) import socket, select, signal, string import sys, os, time, random import threadingHOST = '198.51.100.1' PORT = 1337 USERNAME = "nnewram"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((socket.gethostname(), PORT)) key = int(s.recv(1240).decode("utf-8").split(" ")[1])def encrypt(plaintext):global USERNAMEglobal keyplaintext = USERNAME + ": " + plaintextout = [random.randint(0, 9999), random.randint(0, 999)]for i in range(len(plaintext)):out.append((out[i+ import socket, threading import sys, os import random, signalPORT = 1337 KEY = random.randint(0, 100000000000000000000000) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((socket.gethostname(), PORT)) s.listen(5) client_list = []def relay_message(message, sender):global client_listfor client in client_list:if client != sender:try:client[0].send(message)except:client[0].close()client_list.remove(client)def client_reciever(socket):print(socket)while True:message = socket[0].recv(500000)if not message:breakprint("Message from: " + socket[1][0] + "\nContent: " + message.decode("utf-8"))relay_message(message, socket)def main():while True:client, address = s.accept() # accept all incomming clientsclient_list.append((client, address))print("Incomming user: " + address[0])client.send(bytes("KEY: " + str(KEY), "utf-8"))client_thread = threading.Thread(target=client_reciever, args=((client, address), ))client_thread.start()#this is only for closing the sockets after sigsegv def handler_signals(signum, frame):global runglobal ss.close()print("----Closed Server----")sys.exit() signal.signal(signal.SIGINT, handler_signals) signal.signal(signal.SIGTERM, handler_signals) #this is only for closing the sockets after sigsegvmain()

解題

題意大概是有兩個客戶端通過服務端在聊天,但是聊天內容是加密的.flag就藏在通話中.

問題的關鍵是要找到key。（可以知道key的大致范圍）

解題代碼

out=[8886, 42, 212351850074573251730471044, 424970871445403036476084342 ,5074088654060645719700112791577634658478525829848, 17980375751459479892183878405763572663247662296, 121243943296116422476619559571200060016769222670118557978266602062366168 ,242789433733772377162253757058605232140494788666115363337105327522154016 ,2897090450760618154631253497246288923325478215090551806927512438699802516318766105962219562904, 7372806106688864629183362019405317958359908549913588813279832042020854419620109770781392560] #out.append((out[i+1] + ((out[i] * ord(plaintext[i])) ^ (key+out[i+1]))) ^ (key*out[i])) plain='Houdini:' from z3 import* for count in range(2,78):key=BitVec('key',count)s=Solver()for i in range(8):s.add(((out[i + 1] + ((out[i] * ord(plain[i])) ^ (key + out[i + 1]))) ^ (key * out[i]))==out[i+2])s.check()res=s.model()res = res[key].as_long().realf=open('conversation.txt','r').readlines()x=[]for j in f:x.append(j.strip())flag=''for j in range(1,len(x),2):li=x[j].split(' ')for k in range(1,len(li)):li[k]=eval(li[k])for k in range(1,len(li)-2):try:flag += chr(((res + li[k + 1]) ^ (((res * li[k]) ^ li[k + 2]) - li[k + 1])) // li[k])except:breakif 'watevr{' in flag:print(flag)break# Houdini: uhm, is this thing working? # nnewram: yeah, hi # Houdini: hi nnew # Houdini: so eh, do you have it? # nnewram: id ont know what you mean # nnewram: *dont # nnewram: have what? # Houdini: :bruh: # Houdini: you know, the thing # nnewram: what, thing? # Houdini: the flag.... # nnewram: oooooh # nnewram: right # nnewram: sure let me get it # nnewram: one second # Houdini: kk # nnewram: yeah here you go # nnewram: watevr{Super_Secure_Servers_are_not_always_so_secure} # Houdini: niceeeee # Houdini: thank you # Houdini: oh wait, we should probably remove the code # nnewram: yeah that's actually kinda smart # Houdini: ok cya later # nnewram: cya#watevr{Super_Secure_Servers_are_not_always_so_secure}

總結

以上是生活随笔為你收集整理的2021-12-27的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。