0x01 Level 0

這道題給了一個加密的文件，是base64的，一個public.key公鑰還有通往下一關的壓縮包。
首先，用openssl查看公鑰信息

openssl rsa -in public.key -pubin -text -modulus -noout

得到了公鑰信息

Public-Key: (2048 bit)
Modulus:
    00:94:a0:3e:6e:0e:dc:f2:74:10:52:ef:1e:ea:a8:
    89:d6:f9:8d:01:11:51:db:5e:90:92:48:fd:39:0c:
    70:87:24:d8:98:3c:f3:33:1c:ba:c5:61:c2:ce:2c:
    5a:f1:5e:65:b2:b2:46:91:56:b6:19:d5:d3:b2:a6:
    bb:a3:7d:56:93:99:4d:7e:4c:2f:aa:60:7b:3e:c8:
    fc:90:b2:00:62:4b:53:18:5b:a2:30:10:60:a8:21:
    ab:61:57:d7:e7:cc:67:1b:4d:cd:66:4c:7d:f1:1a:
    2a:1d:5e:50:80:c1:5e:45:12:3a:ba:4a:53:64:d8:
    72:1f:84:4a:ae:5c:55:02:e8:8e:56:4d:38:70:a5:
    16:36:d3:bc:14:3e:2f:ae:2f:31:58:ba:00:ab:ac:
    c0:c5:ba:44:3c:29:70:56:01:6b:57:f5:d7:52:d7:
    31:56:0b:ab:0a:e6:8d:ad:08:22:a9:1f:cb:6e:49:
    cc:01:4c:12:d2:ab:a3:a5:97:e5:10:49:19:7f:69:
    d9:3b:c5:53:53:71:00:18:60:cc:69:1a:06:64:3b:
    86:94:70:a9:da:82:fc:54:6b:06:23:43:2d:b0:20:
    eb:b6:1b:91:35:5e:53:a6:e5:d8:9a:84:bb:30:46:
    b8:9f:63:bc:70:06:2d:59:d8:62:a5:fd:5c:ab:06:
    68:81
Exponent: 65537 (0x10001)
Modulus=94A03E6E0EDCF2741052EF1EEAA889D6F98D011151DB5E909248FD390C708724D8983CF3331CBAC561C2CE2C5AF15E65B2B2469156B619D5D3B2A6BBA37D5693994D7E4C2FAA607B3EC8FC90B200624B53185BA2301060A821AB6157D7E7CC671B4DCD664C7DF11A2A1D5E5080C15E45123ABA4A5364D8721F844AAE5C5502E88E564D3870A51636D3BC143E2FAE2F3158BA00ABACC0C5BA443C297056016B57F5D752D731560BAB0AE68DAD0822A91FCB6E49CC014C12D2ABA3A597E51049197F69D93BC5535371001860CC691A06643B869470A9DA82FC546B0623432DB020EBB61B91355E53A6E5D89A84BB3046B89F63BC70062D59D862A5FD5CAB066881

將得到的Modulus是十六進制的，用python（比在線網(wǎng)站好用多了，直接int(0x94A0.....)）將它轉(zhuǎn)換為十進制的數(shù)，嘗試放到http://www.factordb.com/index.php進行分解，分解成功，得到

p = 250527704258269
q = 74891071972884336452892671945839935839027130680745292701175368094445819328761543101567760612778187287503041052186054409602799660254304070752542327616415127619185118484301676127655806327719998855075907042722072624352495417865982621374198943186383488123852345021090112675763096388320624127451586578874243946255833495297552979177208715296225146999614483257176865867572412311362252398105201644557511678179053171328641678681062496129308882700731534684329411768904920421185529144505494827908706070460177001921614692189821267467546120600239688527687872217881231173729468019623441005792563703237475678063375349

能分解原因是因為一個因數(shù)太小了。
然后利用這個p，q生成私鑰，用rsatools這個工具，在github上能夠找到。
生成priv.key。
在解密之前，要將加密文件base64解密，可以寫一個python腳本進行解密。
當用生成的私鑰進行解密的時候，openssl報錯了，所以可能是對明文進行填充了。關于填充的方式，感興趣的小伙伴可以看一下https://my.oschina.net/u/1377935/blog/749195
這道題是采用了oaep模式進行填充的，具體為什么我也不清楚，看了別人的writeup才知道的。
然后

openssl rsautl -decrypt -inkey priv.key -in encrypt.enc -out data.txt -oaep

得到密碼

0x02 Level 1

這道題還是老規(guī)矩，openssl查看Modulus信息，轉(zhuǎn)換到10進制，然后進行分解。
這次放到那個網(wǎng)站后發(fā)現(xiàn)分解不出來了，就很尷尬。。不過我們還有另外一個利器，叫做yafu，

yafu factor(n)

真的分解出來了p和q！

p=156956618844706820397012891168512561016172926274406409351605204875848894134762425857160007206769208250966468865321072899370821460169563046304363342283383730448855887559714662438206600780443071125634394511976108979417302078289773847706397371335621757603520669919857006339473738564640521800108990424511408496383
q=156956618844706820397012891168512561016172926274406409351605204875848894134762425857160007206769208250966468865321072899370821460169563046304363342283383730448855887559714662438206600780443071125634394511976108979417302078289773847706397371335621757603520669919857006339473738564640521800108990424511408496259

然后利用第一關的步驟，openssl解密，不過這里不同的是這里的padding使用了pkcs方式。
最后得到密碼

0x03 Level 2

老規(guī)矩，openssl查看公鑰，這次信息中除了n還有e，我們可以看到e和n的長度差不多，那么應該就是wiener attack，直接利用wiener attack利用腳本，輸入e和n，得到了d的值，利用rsatools

rsatools -e -d -n -o 

生成了rsa私鑰，利用這個私鑰用openssl進行解密，得到密碼

0x04 Level 3