ISCTF 2025 WriteUp - Q1uJu's House

CRYPTO#

Power tower#

题目：

1
from Crypto.Util.number import *
2
import random
3
from numpy import number
4

5
m = b'ISCTF{****************}'
6
flag = bytes_to_long(m)
7
n = getPrime(256)
8
t = getPrime(63)
9
l = pow(2,pow(2,t),n)
10
c = flag ^ l
11
print(t)
12
print(n)
13
print(c)
14

15

16
'''
17
t = 6039738711082505929
18
n = 107502945843251244337535082460697583639357473016005252008262865481138355040617
19
c = 114092817888610184061306568177474033648737936326143099257250807529088213565247
20
'''

\begin{aligned} flag=c\oplus l=c\oplus 2^{2^t}\pmod{n}\\ 2^{2^t}\equiv2^{2^t~mod~\varphi(n)} \pmod{n} \end{aligned}

原题链接：[CryptoCTF 2019]Time Capsule

exp.py：

1
from Crypto.Util.number import long_to_bytes
2

3
t = 6039738711082505929
4
n = 107502945843251244337535082460697583639357473016005252008262865481138355040617
5
c = 114092817888610184061306568177474033648737936326143099257250807529088213565247
6
# factordb n
7
# n = 127 * 841705194007 * 1005672644717572752052474808610481144121914956393489966622615553
8
p, q, r = 127, 841705194007, 1005672644717572752052474808610481144121914956393489966622615553
9
phi = (p - 1) * (q - 1) * (r - 1)
10
l = pow(2, pow(2, t, phi), n)
11
flag = c ^ l
12
print(long_to_bytes(flag).decode())
13
# ISCTF{Euler_1s_v3ry|useful!!!!!}

easy_RSA#

题目：

1
from Crypto.Util.number import *
2

3
p = getPrime(1024)
4
q = getPrime(1024)
5
N = p*q
6
e = 65537
7
msg = bytes_to_long(b"ISCTF{dummy_flag}")
8
ct1 = pow(msg, e, N)
9
ct2 = pow(msg, p+q, N)
10
print(f"{N = }")
11
print(f"{ct1 = }")
12
print(f"{ct2 = }")
13
"""
14
N = ...
15
ct1 = ...
16
ct2 = ...
17
"""

p + q在模n同余式的加密指数上等价于N + 1。

m^{N+1}\equiv m^{\varphi(N)+p+q}\equiv m^{p+q}\pmod{N}

这里e和N + 1互素，所以直接共模打就好了。

原题链接：[WHY2025 CTF]Somkracht 65537

exp.py：

1
from Crypto.Util.number import long_to_bytes
2
from gmpy2 import gcdext
3

4
N = ...
5
e = 65537
6
ct1 = ...
7
ct2 = ...
8
g, s1, s2 = gcdext(e, N + 1)
9
m = pow(ct1, s1, N) * pow(ct2, s2, N) % N
10
print(long_to_bytes(m).decode())
11
# ISCTF{Congratulations_you_master_Mathematical_ability}

baby_math#

题目：

1
from Crypto.Util.number import bytes_to_long
2

3
print(len(flag))
4
R = RealField(1000)
5
a,b = bytes_to_long(flag[:len(flag)//2]),bytes_to_long(flag[len(flag)//2:])
6
x   = R(...)
7
enc = a*cos(x)+b*sin(x)
8
# ...

直接基础格打就行，原题链接:[CyberSpaceCTF 2024]trendy windy trigonity。

exp.py：

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3

4
R = RealField(1000)
5
x = R(...)
6
c = ...
7
cx = int(cos(x) * 2 ** 1000)
8
sx = int(sin(x) * 2 ** 1000)
9
c = (c * 2 ** 1000)
10
M = matrix(ZZ, [[1, 0, cx],
11
                [0, 1, sx],
12
                [0, 0, -c]])
13
L = M.LLL()[0]
14
print((long_to_bytes(L[0])+long_to_bytes(L[1])).decode())
15
# ISCTF{164a3221-7306-4024-88c3-4ef557b86895}

baby_equation#

题目：

1
from Crypto.Util.number import *
2
from secret import a,b
3
flag = b'ISCTF{***********}'
4
c = bytes_to_long(flag)
5

6
4*b**6-2*a**3+3*a*c = ...
7
b**5+6*c**3+2*a*b*c = ...
8
3*a**3-3*a*c-3*b**6 = ...

原题链接：[陕西省省赛2023]ezmath

1
# SageMath 10.7
2
from Crypto.Util.number import long_to_bytes
3
from sage.matrix.matrix2 import Matrix
4

5
def resultant(f1, f2, var):
6
    return Matrix.determinant(f1.sylvester_matrix(f2, var))
7

8
R.<a, b, c> = PolynomialRing(ZZ)
9
f1 = 4 * b ** 6 - 2 * a ** 3 + 3 * a * c - ...
10
f2 = b ** 5 + 6 * c ** 3 + 2 * a * b * c - ...
11
f3 = 3 * a ** 3 - 3 * a * c - 3 * b ** 6 + ...
12
h1 = resultant(f1, f2, a)
13
h2 = resultant(f1, f3, a)
14
h3 = resultant(h1, h2, b)
15
m = int(h3.univariate_polynomial().roots()[0][0])
16
print(long_to_bytes(m).decode())
17
# ISCTF{y0u_93t_7h3_3qu4710n_50lv3}

小蓝鲨的LFSR系统#

题目：

1
import secrets
2
import binascii
3

4
def simple_lfsr_encrypt(plaintext, init_state):
5
    mask = [random.randint(0,1) for _ in range(128)]
6

7
    state = init_state.copy()
8
    for _ in range(256):
9
        feedback = sum(state[i] & mask[i] for i in range(128)) % 2
10
        state.append(feedback)
11

12
    key = bytes(int(''.join(str(bit) for bit in mask[i*8:(i+1)*8]), 2)
13
               for i in range(16))
14

15
    keystream = (key * (len(plaintext)//16 + 1))[:len(plaintext)]
16
    return bytes(p ^ k for p, k in zip(plaintext, keystream)), mask

Sage秒了。

exp.py：

1
# SageMath 10.7
2

3
initState = [...]
4
outputState = [...]
5
ciphertext = bytes.fromhex('...')
6
F2 = GF(2)
7
allState = initState + outputState
8
n_eq  = 256
9
n_var = 128
10
rows = []
11
for t in range(n_eq):
12
    rows.append(allState[t:t + n_var])
13
M = Matrix(F2, rows)
14
b = vector(F2, outputState)
15
mask_vec = M.solve_right(b)
16
mask = [int(bit) for bit in mask_vec]
17
key = bytes(int(''.join(str(bit) for bit in mask[i * 8:(i + 1) * 8]), 2) for i in range(16))
18
keystream = (key * (len(ciphertext) // 16 + 1))[:len(ciphertext)]
19
print(bytes(c ^^ k for c, k in zip(ciphertext, keystream)).decode())
20
# ISCTF{lf5R_jUst_So_s0}

小蓝鲨的RSA密文#

题目：

1
import json, secrets
2
from Crypto.Util.number import getPrime, bytes_to_long
3
from Crypto.Cipher import AES
4
from Crypto.Util.Padding import pad
5

6
e = 3
7
N = getPrime(512) * getPrime(512)
8

9
a2_high = a2 >> LOW_BITS
10

11
aes_key = secrets.token_bytes(16)
12
m = bytes_to_long(aes_key)
13

14
f = a2 * (m * m) + a1 * m + a0
15

16
c = (pow(m, e) + f) % N
17

18
iv = secrets.token_bytes(16)
19
cipher = AES.new(aes_key, AES.MODE_CBC, iv=iv)
20
ct = cipher.encrypt(pad(FLAG, 16))

题目其实就是给了一个多项式的值，然后给出了三项系数以及一项系数的高位。关键就是怎么从多项式中恢复系数的低位以及原本的密钥值。多项式如下：

f=x^3+a_2x^2+a_1x+a_0

其中给出了c = f(m) % n，a2_high = a2 >> 16，下面令H = a2_high，L = a2 - H << 16。我们有：

\begin{aligned} c=m^3+(H+L)m^2+a_1m+a_0\\ G(m):=m^3+Hm^2+a_1m+a_0-c=-Lm^2 \end{aligned}

这个时候可以推出，实际真的m满足：

\begin{aligned} G(m)<0\\ -G(m)=Lm^2,0\le L\le 2^{16}\\ \Rightarrow -G(m)\le2^{16}m^2,m^2|-G(m) \end{aligned}

而求个导数可以发现，G(x)在x > 0上是单调递增的，所以一定有正实根r，且m < r，可以用二分法在整数上找到一个数k，使得

G(k)<0,G(k+1)>0\Rightarrow floor(r)=k,m\le k

然后从k开始往下枚举m，就可以找到唯一符合条件的(m, L)，搜索区间也就是|m - r|的大小可以估算一下：

\begin{aligned} G(m)\approx G(r)+G'(r)(m-r)\\ G(r)=0,G(m)=-Lm^2\approx -Lr^2\\ m-r\approx -\frac{Lr^2}{G'(r)}\approx-\Theta(L) \end{aligned}

可以估算出|m - r|大概和L同级别，而L < 2 ** 16，所以区间可以取[k - 2 ** 16, k]。

exp.py：

1
# SageMath 10.7
2
from Crypto.Cipher import AES
3
from Crypto.Util.number import *
4
from Crypto.Util.Padding import unpad
5

6
N  = ...
7
c  = ...
8
a2_high = 9012778
9
LOW_BITS = 16
10
a1 = 621315
11
a0 = 452775142
12
iv = bytes.fromhex("...")
13
ct = bytes.fromhex("...")
14
H = a2_high << LOW_BITS
15
R.<x> = PolynomialRing(ZZ)
16
G = x ** 3 + H * x ** 2 + a1 * x + a0 - c
17
low = ZZ(0)
18
high = ZZ(1)
19
while G(high) <= 0:
20
    high *= 2
21
while low + 1 < high:
22
    mid = (low + high) // 2
23
    if G(mid) > 0:
24
        high = mid
25
    else:
26
        low = mid
27
k = low
28
bound = 1 << 16
29
m_found = None
30
a2_low = None
31
for d in range(bound + 1):
32
    m = k - d
33
    if m <= 0:
34
        break
35
    Gm = G(m)
36
    if Gm >= 0:
37
        continue
38
    num = -Gm
39
    if num >= (1 << 16) * m * m:
40
        continue
41
    if num % (m * m) != 0:
42
        continue
43
    L = num // (m * m)
44
    if 0 <= L < (1 << 16):
45
        m_found = m
46
        a2_low = L
47
        break
48
assert c == m_found ** 3 + ((a2_high << LOW_BITS) + a2_low) * m_found ** 2 + a1 * m_found + a0
49
key = int(m_found).to_bytes(16, "big")
50
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
51
pt = unpad(cipher.decrypt(ct), 16)
52
print(pt.decode())
53
# ISCTF{i7_533M5_Lik3_You_R34lLy_UNd3R574nd_Polinomials_4nD_RSA}

沉迷数学的小蓝鲨#

题目：

y² = x³ + 3x + 27 (mod p)

Q(0xa61ae2f42348f8b84e4b8271ee8ce3f19d7760330ef6a5f6ec992430dccdc167, 0x8a3ceb15b94ee7c6ce435147f31ca8028d1dd07a986711966980f7de20490080)

k= ?

最终flag请将解出k值的16进制转换为32位md5以ISCTF{}包裹提交

小蓝鲨最近沉迷于椭圆曲线，但是有一个椭圆曲线问题它始终做不出来，据说它广泛应用于区块链技术。如果你可以帮助小蓝鲨解决这个问题，它将会给予你丰厚的报酬。

HINT1：你验证过基点 G 真的在曲线上吗？(这只是个ez题，别想太复杂）

HINT2：G是这条曲线上的冒牌货，但代数运算不在乎，因为计算机可不是数学家

反正是凑着凑着对上脑电波了，无效曲线攻击，在La佬的博客翻到了。具体也不难理解，就是这个曲线给的a是对的，b是错误的，我们需要找一个b'满足基点G和Q，然后具体是哪条曲线就只能爆了，在常用区块链曲线里找就行。

exp.py：

1
# SageMath 10.7
2
from hashlib import md5
3
from math import isqrt
4

5
xQ = 0xa61ae2f42348f8b84e4b8271ee8ce3f19d7760330ef6a5f6ec992430dccdc167
6
yQ = 0x8a3ceb15b94ee7c6ce435147f31ca8028d1dd07a986711966980f7de20490080
7
a_attack = 3
8
candidates = [
9
    {
10
        "name": "SM2",
11
        "p": 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF,
12
        "Gx": 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
13
        "Gy": 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
14
    },
15
    {
16
        "name": "NIST P-256 (secp256r1)",
17
        "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
18
        "Gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
19
        "Gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
20
    },
21
    {
22
        "name": "secp256k1",
23
        "p": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
24
        "Gx": 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
25
        "Gy": 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
26
    }
27
]
28
O = None
29
def inv_mod(x, p):
30
    return pow(x, p - 2, p)
31

32
def point_add(P, Q, p, a, b):
33
    if P is None:
34
        return Q
35
    if Q is None:
36
        return P
37
    x1, y1 = P
38
    x2, y2 = Q
39
    if x1 == x2 and (y1 + y2) % p == 0:
40
        return O
41
    if P == Q:
42
        num = (3 * x1 * x1 + a) % p
43
        den = (2 * y1) % p
44
    else:
45
        num = (y2 - y1) % p
46
        den = (x2 - x1) % p
47
    lam = (num * inv_mod(den, p)) % p
48
    x3 = (lam * lam - x1 - x2) % p
49
    y3 = (lam * (x1 - x3) - y1) % p
50
    return (x3, y3)
51

52
def scalar_mul(k, P, p, a, b):
53
    R = O
54
    N = P
55
    while k > 0:
56
        if k & 1:
57
            R = point_add(R, N, p, a, b)
58
        N = point_add(N, N, p, a, b)
59
        k >>= 1
60
    return R
61

62
def is_on_curve(P, p, a, b):
63
    if P is None:
64
        return True
65
    x, y = P
66
    return (y * y - (x ** 3 + a * x + b)) % p == 0
67

68
def bsgs(G, Q, p, a, b, N):
69
    m = isqrt(N) + 1
70
    # baby steps: jG
71
    table = {}
72
    R = O
73
    for j in range(m):
74
        if R not in table:
75
            table[R] = j
76
        R = point_add(R, G, p, a, b)
77
    # giant steps: Q - i * (mG)
78
    mG = scalar_mul(m, G, p, a, b)
79
    neg_mG = (mG[0], (-mG[1]) % p)
80
    R = Q
81
    for i in range(m + 1):
82
        if R in table:
83
            j = table[R]
84
            k = i * m + j
85
            if k < N:
86
                return k
87
        R = point_add(R, neg_mG, p, a, b)
88
    return None
89

90
for item in candidates:
91
    name = item['name']
92
    p = item['p']
93
    Gx = item['Gx']
94
    Gy = item['Gy']
95
    b_prime = (pow(Gy, 2, p) - pow(Gx, 3, p) - a_attack * Gx) % p
96
    lhs_Q = pow(yQ, 2, p)
97
    rhs_Q = (pow(xQ, 3, p) + a_attack * xQ + b_prime) % p
98
    if lhs_Q == rhs_Q:
99
        print(f"\n[+] 命中! 系统使用的是 {name} 的 p 和 G")
100
        print(f"[+] 实际生效的 b' = {hex(b_prime)}")
101
        G = (Gx, Gy)
102
        Q = (xQ, yQ)
103
        assert is_on_curve(G, p, a_attack, b_prime)
104
        assert is_on_curve(Q, p, a_attack, b_prime)
105
        N = 2_000_000
106
        print(f"[*] 使用 BSGS 在 [0, {N}) 上求 k 使得 Q = kG ...")
107
        k = bsgs(G, Q, p, a_attack, b_prime, N)
108
        if k is None:
109
            print("[-] 在设定范围内未找到 k，可适当增大 N 再试。")
110
            break
111
        print(f"[SUCCESS] k = {k} (dec) = {hex(k)}")
112
        flag = md5(hex(k)[2:].encode()).hexdigest()
113
        print(f"ISCTF{{{flag}}}")
114
        break
115
    else:
116
        print(f"[-] {name} 不匹配。")
117
"""
118
[-] SM2 不匹配。
119
[-] NIST P-256 (secp256r1) 不匹配。
120

121
[+] 命中! 系统使用的是 secp256k1 的 p 和 G
122
[+] 实际生效的 b' = 0x92c4cc831269ccfaff1ed83e946adeeaf82c096e76958573f2287becbb17b19d
123
[*] 使用 BSGS 在 [0, 2000000) 上求 k 使得 Q = kG ...
124
[SUCCESS] k = 954761 (dec) = 0xe9189
125
ISCTF{43896099feea21a3d5804863075e1aaa}
126
"""

小蓝鲨的密码箱#

题目：

小蓝鲨有一个神秘的black-box，里面藏着它最珍贵的秘密。小蓝鲨告诉我们，只有知道密码箱的运算逻辑，你才能知道它的秘密。

黑盒，笑的，就测呗，先固定(a, b, c)，修改m，发现密文一直在变，flag一直不变，说明flag的加密只依赖(a, b, c)，和m无关，然后观察flag长度一直是 43，可以推测明文长度。然后开始瞎试，固定(a, b)换c，会发现密文一直在c的范围内，很明显说明c应该是模数。

然后选(a, b, c) = (1, 1, 97)，明文根据长度取 43 个 0，对应密文为 43 个 31（十六进制）。

选(a, b, c) = (1, 1, 89)时也是 43 个 31（十六进制）。有点敏感了，好像是仿射加密hhhhh，那怎么拿flag呢，发现a和b都不能取 0，那取 1 吧，然后c = 129，得到加密后的 flag 值减一转 ascii 就行了。最新靶机的测试结果：

加密结果

原文: 0000000000000000000000000000000000000000000

密文:

31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31

Flag:

4a 54 44 55 47 7c 63 39 31 63 35 65 39 31 2e 32 3a 33 3a 2e 35 32 63 38 2e 63 34 64 33 2e 31 3a 64 34 38 38 65 66 65 63 67 65 7e

使用的参数: a=1, b=1, c=129

1
c = "4a 54 44 55 47 7c 63 39 31 63 35 65 39 31 2e 32 3a 33 3a 2e 35 32 63 38 2e 63 34 64 33 2e 31 3a 64 34 38 38 65 66 65 63 67 65 7e"
2
c_list = c.split(" ")
3
for i in c_list:
4
    print(chr(int(i, 16) - 1), end="")
5
# ISCTF{b80b4d80-1929-41b7-b3c2-09c377dedbfd}

小蓝鲨的费马谜题#

题目：

1
import random
2
import math
3

4
p = get_prime(1024)
5
q = get_prime(1024)
6
n = p * q
7
e = 65537
8

9
m = bytes_to_long(flag)
10
c = pow(m, e, n)
11

12
bases = get_primes_up_to(100)
13

14
hints = []
15
for i in range(len(bases)):
16
    for j in range(i+1, len(bases)):
17
        hint_value = (pow(bases[i], p-1, n) + pow(bases[j], p-1, n)) % n
18
        hints.append((bases[i], bases[j], hint_value))

给了 50 组，爆一下找gcd(hint - 2, n)不为 1 的就是p了。

\begin{aligned} hint\equiv b_i^{p-1}+b_j^{p-1}\pmod{n}\\ hint\equiv b_i^{p-1}+b_j^{p-1}\pmod{p}\equiv 2\pmod{n} \end{aligned}

exp.py：

1
from Crypto.Util.number import long_to_bytes
2
from gmpy2 import gcd, invert
3

4
n = ...
5
e = ...
6
c = ...
7
hint_vals = [...]
8
for hint_val in hint_vals:
9
    p = gcd(hint_val - 2, n)
10
    if p != 1:
11
        q = n // p
12
        phi = (p - 1) * (q - 1)
13
        d = invert(e, phi)
14
        m = pow(c, d, n)
15
        print(long_to_bytes(m).decode())
16
        break
17
# ISCTF{M0dIFi3D_f3RM47_7H30r3m_I5_fUn_8U7_h4rD3r!}

持续更新中~

CRYPTO#

Power tower#

easy_RSA#

baby_math#

baby_equation#

小蓝鲨的LFSR系统#

小蓝鲨的RSA密文#

沉迷数学的小蓝鲨#

小蓝鲨的密码箱#

小蓝鲨的费马谜题#