picoCTF 2026

1、cryptoamze

题目

LFSR Initial State:
[0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1]
LFSR Taps:
[63, 61, 60, 58]
Encrypted Flag:
8f0e6d0f5b0dc1db201948b9e0cebd8f184b92a3e4793abf8dac3d9e135f39a638338e7e04fbddef0c6260a4eb758417

解答

from Crypto.Util.number import *
def lfsr_left(init_state,taps,num_bits):
    state=init_state[:]
    output=[]
    for _ in range(num_bits):
        out_bit=state[0]
        output.append(out_bit)
        feedback=0
        for t in taps:
            feedback ^=state[t]
        state=state[1:]+[feedback]
    return output

init=[0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1]
taps=[63, 61, 60, 58]

bits=lfsr_left(init,taps,128)
num = 0
for bit in bits:
    num = (num << 1) | bit
key_bytes =long_to_bytes(num)
print(key_bytes.hex())

25ec96954d8bc45b2d7798a9fa0e1236

思路

首先这是一道LFSR左移问题，每次循环先输出最左边的位，再将抽头中的所有位进行异或生成反馈位，然后去除最左位，将反馈位加在最右边，循环128次得到一个128位序列，再将其转换为16字节AES密钥。再用cyberchef进行AES解密即可。

2、Shared Secrets

题目

from Crypto.Util.number import getPrime
from random import randint

# Public parameters
g = 2
p = getPrime(1048)

# Server's secret
a = randint(2, p-2)
A = pow(g, a, p)

# Client secret
b = '???'  

B = pow(g, b, p)

# Shared key
shared = pow(A, b, p)

# Encrypt flag
flag = b"picoCTF{...}"
enc = bytes([x ^ (shared % 256) for x in flag])

# Write challenge info
with open("file.txt", "w") as f:
    f.write(f"g = {g}\n")
    f.write(f"p = {p}\n")
    f.write(f"A = {A}\n")
    f.write(f"b = {b} \n")
    f.write(f"enc = {enc.hex()}\n")

g = 2
p = 2945889223405899717437265251282889237686559573793157647835455871476745956825847090445335342413729199710024517687795349222366793319464673474527753463753560669805788150720285098020316190185259452659032001767221627644083179050716771774653499262295349651622216757390737536877329949121301682270023803436930269461263978639
A = 1925392662772808546939197421118358205835520399582911779574770525906575552129444284907344977079741952528900583391955529233006061528791931270897227227254591808926119750957182872183751567174771844545921835638466409933832100662725178402589611293977249134084715246989581107542140315824588288700914611275677717166278179527
b = 2348305787882664061354385580996892615192009596530928729579256657766736150757668411620580993437412955274875319957944656861692190542466234368849284411648743737962591564126026461856185033358244834877514472038765378285629252363025584537954693907723097828741999592403090405128852699175959302315102762126018235816973308999
enc = 6178727e5245576a75794e6222726322654e23727028267372276c

解答

from Crypto.Util.number import *
import gmpy2
g = 2
p = 2945889223405899717437265251282889237686559573793157647835455871476745956825847090445335342413729199710024517687795349222366793319464673474527753463753560669805788150720285098020316190185259452659032001767221627644083179050716771774653499262295349651622216757390737536877329949121301682270023803436930269461263978639
A = 1925392662772808546939197421118358205835520399582911779574770525906575552129444284907344977079741952528900583391955529233006061528791931270897227227254591808926119750957182872183751567174771844545921835638466409933832100662725178402589611293977249134084715246989581107542140315824588288700914611275677717166278179527
b = 2348305787882664061354385580996892615192009596530928729579256657766736150757668411620580993437412955274875319957944656861692190542466234368849284411648743737962591564126026461856185033358244834877514472038765378285629252363025584537954693907723097828741999592403090405128852699175959302315102762126018235816973308999
enc_hex="6178727e5245576a75794e6222726322654e23727028267372276c"

shared=pow(A,b,p)
enc_bytes=bytes.fromhex(enc_hex)
flag = bytes([y ^ (shared % 256) for y in enc_bytes])
print(flag)

picoCTF{dh_s3cr3t_2ca97bc6}

思路

由题已知：g、p、A、b

$$则shared \equiv A^b \pmod p,又enc是flag和shared的低8位逐字节异或$$

将enc_bytes与shared的低8位再次异或即可得到flag

3、Related Message

题目

from Crypto.Util.number import getPrime, inverse, bytes_to_long, long_to_bytes, GCD

Message = bytes_to_long(b"[redacted]")
Message_fixed = bytes_to_long(b"[redacted]")
e = 0x11
p = getPrime(1024)
q = getPrime(1024)
phi = (p-1) * (q-1)
d = inverse(e, phi)
N = p*q

ciphertext = pow(Message, e, N)
ciphertext2 = pow(Message_fixed, e, N)

print(ciphertext, ciphertext2)
print(Message - Message_fixed)
print(N)
c1=3486364849772584627692611749053367200656673358261596068549224442954489368512244047032432842601611650021333218776410522726164792063436874469202000304563253268152374424792827960027328885841727753251809392141585739745846369791063025294100126955644910200403110681150821499366083662061254649865214441429600114378725559898580136692467180690994656443588872905046189428367989340123522629103558929469463071363053880181844717260809141934586548192492448820075030490705363082025344843861901475648208157572346004443100461870519699021342998731173352225724445397168276113254405106732294978648428026500248591322675321980719576323749
c2=201982790559548563915678784397933493721879152787419243871599124287434576744055997870874349538398878336345269929647585648144070475012256331468688792105087899416655051702630953882466457932737483198442642588375981620937494661378586614008496182135571457352400128892078765628319466855732569272509655562943410536265866312968101366413636251672211633011159836642751480632253423529271185888171036917413867011031963618529122680143291205470937752671602494831117301480813590683791618751348224964277861127486155552153012612562009905595646626759034581358425916638671884927506025703373056113307665093346439014722219878575598308124
m_=-3
N=17334845546772507565250479697360218105827285681719530148909779921509619103084219698006014339278818598859177686131922807448182102049966121282308256054696565796008642900453901629937223685292142986689576464581496406676552201407729209985216274086331582917892470955265888718120511814944341755263650688063926284195007148056359887333784052944201212155189546062807573959105963160320187551755272391293705288576724811668369745107148481856135696249862795476376097454818009481550162364943945249601744881676746859305855091288055082626399929893610275614840617858985993338556889612804266896309310999363054134373435198031731045253881

解答

from Crypto.Util.number import *
e = 0x11
c1=3486364849772584627692611749053367200656673358261596068549224442954489368512244047032432842601611650021333218776410522726164792063436874469202000304563253268152374424792827960027328885841727753251809392141585739745846369791063025294100126955644910200403110681150821499366083662061254649865214441429600114378725559898580136692467180690994656443588872905046189428367989340123522629103558929469463071363053880181844717260809141934586548192492448820075030490705363082025344843861901475648208157572346004443100461870519699021342998731173352225724445397168276113254405106732294978648428026500248591322675321980719576323749
c2=201982790559548563915678784397933493721879152787419243871599124287434576744055997870874349538398878336345269929647585648144070475012256331468688792105087899416655051702630953882466457932737483198442642588375981620937494661378586614008496182135571457352400128892078765628319466855732569272509655562943410536265866312968101366413636251672211633011159836642751480632253423529271185888171036917413867011031963618529122680143291205470937752671602494831117301480813590683791618751348224964277861127486155552153012612562009905595646626759034581358425916638671884927506025703373056113307665093346439014722219878575598308124
m_=-3
N=17334845546772507565250479697360218105827285681719530148909779921509619103084219698006014339278818598859177686131922807448182102049966121282308256054696565796008642900453901629937223685292142986689576464581496406676552201407729209985216274086331582917892470955265888718120511814944341755263650688063926284195007148056359887333784052944201212155189546062807573959105963160320187551755272391293705288576724811668369745107148481856135696249862795476376097454818009481550162364943945249601744881676746859305855091288055082626399929893610275614840617858985993338556889612804266896309310999363054134373435198031731045253881
import binascii
def franklin(n,e,c1,c2,a,b):
    PR.<x>=PolynomialRing(Zmod(n))
    g1=x^e-c2
    g2=(a*x+b)^e-c1

    def gcd(g1,g2):
        while g2:
            g1,g2=g2,g1 % g2
        return g1.monic()
    return -gcd(g1,g2)[0]

m=franklin(N,e,c1,c2,1,-3)
print(long_to_bytes(int(m))

picoCTF{m3ssage_w1th_typ0}

思路

$$由于m^e \equiv C_1 \pmod N,m_f^e \equiv C_2 \pmod N，又m=m_f-3$$

$$则m_f是（x-3)^e-C1 \equiv 0 \pmod N和x^e-C_2 \equiv 0 \pmod N的一个解，即x-m_f是两个方程的公因子$$

只需用辗转相除法求到两多项式的最大公因子即可。

4、shift registers

题目

from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.Random import get_random_bytes

key = bytes_to_long(get_random_bytes(126))

def steplfsr(lfsr):
    b7 = (lfsr >> 7) & 1
    b5 = (lfsr >> 5) & 1
    b4 = (lfsr >> 4) & 1
    b3 = (lfsr >> 3) & 1

    feedback = b7 ^ b5 ^ b4 ^ b3
    lfsr = (feedback << 7) | (lfsr >> 1)
    return lfsr

def encrypt_lfsr(pt_bytes):
    output = bytearray()
    lfsr = key & 0xFF
    for p in pt_bytes:
        lfsr = steplfsr(lfsr)
        ks = lfsr
        output.append(p ^ ks)
    return bytes_to_long(bytes(output))

pt = b"[redacted]" 
ct = encrypt_lfsr(pt)

print(long_to_bytes(ct).hex())

解答

from Crypto.Util.number import *
ct_hex = "21c1b705764e4bfdafd01e0bfdbc38d5eadf92991cdd347064e37444e517d661cea9"
ct = bytes.fromhex(ct_hex)

def steplfsr(lfsr):
    b7 = (lfsr >> 7) & 1
    b5 = (lfsr >> 5) & 1
    b4 = (lfsr >> 4) & 1
    b3 = (lfsr >> 3) & 1
    return ((b7 ^ b5 ^ b4 ^ b3) << 7) | (lfsr >> 1)

for state in range(256):
    lfsr = state
    plain = bytearray()
    for b in ct:
        lfsr = steplfsr(lfsr)
        plain.append(b ^ lfsr)
    if b'CTF' in plain or b'FLAG' in plain:
        print(plain)
        
picoCTF{l1n3ar_f33dback_sh1ft_r3g}

思路

题目用key的低8位作为lfsr的初始值，每个明文字节与当前的lfsr异或。

由于lfsr是8位的只有258中可能，故可以对初始状态进行爆破，先更新lfsr再与密文中的每个字节异或即可。

5、ClusterRSA

题目

n = 8749002899132047699790752490331099938058737706735201354674975134719667510377522805717156720453193651
e = 65537
ct = 3891158515405030211396309867177046660195995913985068178988858029936868358096672572274111514200511662

解答

from Crypto.Util.number import*
import gmpy2
n = 8749002899132047699790752490331099938058737706735201354674975134719667510377522805717156720453193651
e = 65537
ct = 3891158515405030211396309867177046660195995913985068178988858029936868358096672572274111514200511662

phi=(9671406556917033398454847-1)*(9671406556917033398439721-1)*(9671406556917033398314601-1)*(9671406556917033397931773-1)
d=gmpy2.invert(e,phi)
m=pow(ct,d,n)
flag=long_to_bytes(m)
print(flag)

picoCTF{mul71_rsa_0f2cedbf}

思路

注意到这个n并不大，考虑直接用工具因式分解。

$$又\phi(n)=\Pi_{i=1}^n p_i^{a_i}(1-\frac{1}{p_i})，计算出\phi(n)RSA解密即可$$

6、small trouble

题目

from Crypto.Util.number import getPrime, inverse, bytes_to_long
import random

# Generate two large primes (1048 bits each)
p = getPrime(1048)
q = getPrime(1048)
n = p * q
phi = (p - 1) * (q - 1)

# compute d
d = getPrime(256)

# Compute the public exponent
e = inverse(d, phi)

# Encrypt a flag
flag = b'picoCTF{...}'
m = bytes_to_long(flag)
c = pow(m, e, n)

# Output for the challenge
with open("message.txt", "w") as f:
    f.write(f"n = {n}\n")
    f.write(f"e = {e}\n")
    f.write(f"c = {c}\n")

n = 3897869790412593752904288326835024840047254707830942281974379578884930809842272736427280505562736550177433527584525949965302926067278591398744653604367294853533790823591871812971980025123504190171322740515372663830213304868615604133104735061194100742963363171802746628374941798109742078670411137966468303687442835254703449521462675971498644782485723199737641531515350135556951786223297319391937858044014674637108237279714942264562012505409233183964874582212605096337895230160677844884471657931702114100920915844297792627473740848950517624459922477366447397265596899932942421375429794448235293386940361213796966753404509881946198669
e = 996249549989443437789479822527021630798304887682374943095590933549034631079396088450987759280651352292710262772932285812066269565500982664582882896354999903605716955825495017669097086678368403213650831816930362944526926074247554724881095289740421378496056501372149991533599772164931009130712944006842445423905705856119964504114957695753808229305003114563223185574210883919607053254178947014124939130435179357958214892243789771714118685236479397308478116343914875563657568810714854892756923634023737953146449945673840886306304200678969684576433604557532596140737953800684754114016678525199834777702392199480096141197133317091686611
c = 3527767503997695759565321427528672551226638628578458595410521963175811434632556551988299896388752361983357620110155728021677577378108858927392970240471584462405045936287116292285670371813068908058617963701630816192464021583060624465921805901800894101651764155418228631396323972568885671375482577428993227464427029030875413472341248406072536869045073494259940681282673065570385466253143581195676723501583509455237266333465262539853700442591885843655663221613631656240496790085844506357258213304747042658689201668199316430243947182845679625941690105999239857921794606272923193769496415986842872515929210067342092070522559765109536945

解答

import time
from Crypto.Util.number import *
 
"""
Setting debug to true will display more informations
about the lattice, the bounds, the vectors...
"""
debug = True
 
"""
Setting strict to true will stop the algorithm (and
return (-1, -1)) if we don't have a correct 
upperbound on the determinant. Note that this 
doesn't necesseraly mean that no solutions 
will be found since the theoretical upperbound is
usualy far away from actual results. That is why
you should probably use `strict = False`
"""
strict = False
 
"""
This is experimental, but has provided remarkable results
so far. It tries to reduce the lattice as much as it can
while keeping its efficiency. I see no reason not to use
this option, but if things don't work, you should try
disabling it
"""
helpful_only = True
dimension_min = 7 # stop removing if lattice reaches that dimension
 
############################################
# Functions
##########################################
 
# display stats on helpful vectors
def helpful_vectors(BB, modulus):
    nothelpful = 0
    for ii in range(BB.dimensions()[0]):
        if BB[ii,ii] >= modulus:
            nothelpful += 1
 
    print (nothelpful, "/", BB.dimensions()[0], " vectors are not helpful")
 
# display matrix picture with 0 and X
def matrix_overview(BB, bound):
    for ii in range(BB.dimensions()[0]):
        a = ('%02d ' % ii)
        for jj in range(BB.dimensions()[1]):
            a += '0' if BB[ii,jj] == 0 else 'X'
            if BB.dimensions()[0] < 60:
                a += ' '
        if BB[ii, ii] >= bound:
            a += '~'
        print (a)
 
# tries to remove unhelpful vectors
# we start at current = n-1 (last vector)
def remove_unhelpful(BB, monomials, bound, current):
    # end of our recursive function
    if current == -1 or BB.dimensions()[0] <= dimension_min:
        return BB
 
    # we start by checking from the end
    for ii in range(current, -1, -1):
        # if it is unhelpful:
        if BB[ii, ii] >= bound:
            affected_vectors = 0
            affected_vector_index = 0
            # let's check if it affects other vectors
            for jj in range(ii + 1, BB.dimensions()[0]):
                # if another vector is affected:
                # we increase the count
                if BB[jj, ii] != 0:
                    affected_vectors += 1
                    affected_vector_index = jj
 
            # level:0
            # if no other vectors end up affected
            # we remove it
            if affected_vectors == 0:
                print ("* removing unhelpful vector", ii)
                BB = BB.delete_columns([ii])
                BB = BB.delete_rows([ii])
                monomials.pop(ii)
                BB = remove_unhelpful(BB, monomials, bound, ii-1)
                return BB
 
            # level:1
            # if just one was affected we check
            # if it is affecting someone else
            elif affected_vectors == 1:
                affected_deeper = True
                for kk in range(affected_vector_index + 1, BB.dimensions()[0]):
                    # if it is affecting even one vector
                    # we give up on this one
                    if BB[kk, affected_vector_index] != 0:
                        affected_deeper = False
                # remove both it if no other vector was affected and
                # this helpful vector is not helpful enough
                # compared to our unhelpful one
                if affected_deeper and abs(bound - BB[affected_vector_index, affected_vector_index]) < abs(bound - BB[ii, ii]):
                    print ("* removing unhelpful vectors", ii, "and", affected_vector_index)
                    BB = BB.delete_columns([affected_vector_index, ii])
                    BB = BB.delete_rows([affected_vector_index, ii])
                    monomials.pop(affected_vector_index)
                    monomials.pop(ii)
                    BB = remove_unhelpful(BB, monomials, bound, ii-1)
                    return BB
    # nothing happened
    return BB
 
""" 
Returns:
* 0,0   if it fails
* -1,-1 if `strict=true`, and determinant doesn't bound
* x0,y0 the solutions of `pol`
"""
def boneh_durfee(pol, modulus, mm, tt, XX, YY):
    """
    Boneh and Durfee revisited by Herrmann and May
    
    finds a solution if:
    * d < N^delta
    * |x| < e^delta
    * |y| < e^0.5
    whenever delta < 1 - sqrt(2)/2 ~ 0.292
    """
 
    # substitution (Herrman and May)
    PR.<u, x, y> = PolynomialRing(ZZ)
    Q = PR.quotient(x*y + 1 - u) # u = xy + 1
    polZ = Q(pol).lift()
 
    UU = XX*YY + 1
 
    # x-shifts
    gg = []
    for kk in range(mm + 1):
        for ii in range(mm - kk + 1):
            xshift = x^ii * modulus^(mm - kk) * polZ(u, x, y)^kk
            gg.append(xshift)
    gg.sort()
 
    # x-shifts list of monomials
    monomials = []
    for polynomial in gg:
        for monomial in polynomial.monomials():
            if monomial not in monomials:
                monomials.append(monomial)
    monomials.sort()
    
    # y-shifts (selected by Herrman and May)
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            yshift = y^jj * polZ(u, x, y)^kk * modulus^(mm - kk)
            yshift = Q(yshift).lift()
            gg.append(yshift) # substitution
    
    # y-shifts list of monomials
    for jj in range(1, tt + 1):
        for kk in range(floor(mm/tt) * jj, mm + 1):
            monomials.append(u^kk * y^jj)
 
    # construct lattice B
    nn = len(monomials)
    BB = Matrix(ZZ, nn)
    for ii in range(nn):
        BB[ii, 0] = gg[ii](0, 0, 0)
        for jj in range(1, ii + 1):
            if monomials[jj] in gg[ii].monomials():
                BB[ii, jj] = gg[ii].monomial_coefficient(monomials[jj]) * monomials[jj](UU,XX,YY)
 
    # Prototype to reduce the lattice
    if helpful_only:
        # automatically remove
        BB = remove_unhelpful(BB, monomials, modulus^mm, nn-1)
        # reset dimension
        nn = BB.dimensions()[0]
        if nn == 0:
            print ("failure")
            return 0,0
 
    # check if vectors are helpful
    if debug:
        helpful_vectors(BB, modulus^mm)
    
    # check if determinant is correctly bounded
    det = BB.det()
    bound = modulus^(mm*nn)
    if det >= bound:
        print ("We do not have det < bound. Solutions might not be found.")
        print ("Try with highers m and t.")
        if debug:
            diff = (log(det) - log(bound)) / log(2)
            print ("size det(L) - size e^(m*n) = ", floor(diff))
        if strict:
            return -1, -1
    else:
        print ("det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)")
 
    # display the lattice basis
    if debug:
        matrix_overview(BB, modulus^mm)
 
    # LLL
    if debug:
        print ("optimizing basis of the lattice via LLL, this can take a long time")
 
    BB = BB.LLL()
 
    if debug:
        print ("LLL is done!")
 
    # transform vector i & j -> polynomials 1 & 2
    if debug:
        print ("looking for independent vectors in the lattice")
    found_polynomials = False
    
    for pol1_idx in range(nn - 1):
        for pol2_idx in range(pol1_idx + 1, nn):
            # for i and j, create the two polynomials
            PR.<w,z> = PolynomialRing(ZZ)
            pol1 = pol2 = 0
            for jj in range(nn):
                pol1 += monomials[jj](w*z+1,w,z) * BB[pol1_idx, jj] / monomials[jj](UU,XX,YY)
                pol2 += monomials[jj](w*z+1,w,z) * BB[pol2_idx, jj] / monomials[jj](UU,XX,YY)
 
            # resultant
            PR.<q> = PolynomialRing(ZZ)
            rr = pol1.resultant(pol2)
 
            # are these good polynomials?
            if rr.is_zero() or rr.monomials() == [1]:
                continue
            else:
                print ("found them, using vectors", pol1_idx, "and", pol2_idx)
                found_polynomials = True
                break
        if found_polynomials:
            break
 
    if not found_polynomials:
        print ("no independant vectors could be found. This should very rarely happen...")
        return 0, 0
    
    rr = rr(q, q)
 
    # solutions
    soly = rr.roots()
 
    if len(soly) == 0:
        print ("Your prediction (delta) is too small")
        return 0, 0
 
    soly = soly[0][0]
    ss = pol1(q, soly)
    solx = ss.roots()[0][0]
 
    #
    return solx, soly
 
def example(N,e,delta,m=None):
    ############################################
    # How To Use This Script
    ##########################################
 
    #
    # Lattice (tweak those values)
    #
 
    # you should tweak this (after a first run), (e.g. increment it until a solution is found)
    m = 4 if m == None else m # size of the lattice (bigger the better/slower)
 
    # you need to be a lattice master to tweak these
    t = int((1-2*delta) * m)  # optimization from Herrmann and May
    X = 2*floor(N^delta)  # this _might_ be too much
    Y = floor(N^(1/2))    # correct if p, q are ~ same size
 
    #
    # Don't touch anything below
    #
 
    # Problem put in equation
    P.<x,y> = PolynomialRing(ZZ)
    A = int((N+1)/2)
    pol = 1 + x * (A + y)
 
    #
    # Find the solutions!
    #
 
    # Checking bounds
    if debug:
        print ("=== checking values ===")
        print ("* delta:", delta)
        print ("* delta < 0.292", delta < 0.292)
        print ("* size of e:", int(log(e)/log(2)))
        print ("* size of N:", int(log(N)/log(2)))
        print ("* m:", m, ", t:", t)
 
    # boneh_durfee
    if debug:
        print ("=== running algorithm ===")
        start_time = time.time()
 
    solx, soly = boneh_durfee(pol, e, m, t, X, Y)
 
    # found a solution?
    if solx > 0:
        print ("=== solution found ===")
        if False:
            print ("x:", solx)
            print ("y:", soly)
 
        d = int(pol(solx, soly) / e)
        print ("private key found:", d)
    else:
        print ("=== no solution was found ===")
 
    if debug:
        print("=== %s seconds ===" % (time.time() - start_time))
    return d
 
if __name__ == "__main__":
    n =3897869790412593752904288326835024840047254707830942281974379578884930809842272736427280505562736550177433527584525949965302926067278591398744653604367294853533790823591871812971980025123504190171322740515372663830213304868615604133104735061194100742963363171802746628374941798109742078670411137966468303687442835254703449521462675971498644782485723199737641531515350135556951786223297319391937858044014674637108237279714942264562012505409233183964874582212605096337895230160677844884471657931702114100920915844297792627473740848950517624459922477366447397265596899932942421375429794448235293386940361213796966753404509881946198669
    e =996249549989443437789479822527021630798304887682374943095590933549034631079396088450987759280651352292710262772932285812066269565500982664582882896354999903605716955825495017669097086678368403213650831816930362944526926074247554724881095289740421378496056501372149991533599772164931009130712944006842445423905705856119964504114957695753808229305003114563223185574210883919607053254178947014124939130435179357958214892243789771714118685236479397308478116343914875563657568810714854892756923634023737953146449945673840886306304200678969684576433604557532596140737953800684754114016678525199834777702392199480096141197133317091686611
    c =3527767503997695759565321427528672551226638628578458595410521963175811434632556551988299896388752361983357620110155728021677577378108858927392970240471584462405045936287116292285670371813068908058617963701630816192464021583060624465921805901800894101651764155418228631396323972568885671375482577428993227464427029030875413472341248406072536869045073494259940681282673065570385466253143581195676723501583509455237266333465262539853700442591885843655663221613631656240496790085844506357258213304747042658689201668199316430243947182845679625941690105999239857921794606272923193769496415986842872515929210067342092070522559765109536945
    # the hypothesis on the private exponent (the theoretical maximum is 0.292)
    delta = 0.28 # this means that d < N^delta
    d = example(n,e,delta)
    print(long_to_bytes(int(pow(c,d,n))))

Boneh-Durfee

学习中，先存脚本

7、Timestamped Secrets

题目

from hashlib import sha256
import time
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

def encrypt(plaintext: str, timestamp: int) -> str:
    timestamp = int(time.time())
    key = sha256(str(timestamp).encode()).digest()[:16]
    cipher = AES.new(key, AES.MODE_ECB)
    padded = pad(plaintext.encode(), AES.block_size)
    ciphertext = cipher.encrypt(padded)
    return ciphertext.hex()

if __name__ == "__main__":
  
    plaintext = "picoCTF{...}"
    result = encrypt(plaintext, key)
    print(f"Hint: The encryption was done around {timestamp} UTC\n")
    print(f"Ciphertext (hex): {ciphertext.hex()}\n")

Hint: The encryption was done around 1770242633 UTC
Ciphertext (hex): 6d8330b05a68848fdf4b7ab057cd6eb070810e3febd76872b4a5e7627221a396

解答

from hashlib import sha256
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

time=1770242633
c_hex="6d8330b05a68848fdf4b7ab057cd6eb070810e3febd76872b4a5e7627221a396"

key=sha256(str(time).encode()).digest()[:16]
cipher=AES.new(key,AES.MODE_ECB)
c=bytes.fromhex(c_hex)
p=cipher.decrypt(c)
flag=unpad(p,AES.block_size).decode()
print(flag)

思路

题目将一串时间先转换为字符串再用SHA256加密，得到32字节，再取前16字节作为AES密钥进行AES加密。

我们已知时间便可以算出key，又有c直接AES解密即可最后去除填充。