两个文件：pub.key、flag.enc

vs code打开pub.key，是个公钥的样子。

—–BEGIN PUBLIC KEY—–
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMAzLFxkrkcYL2wch21CM2kQVFpY9+7+
/AvKr1rzQczdAgMBAAE=
—–END PUBLIC KEY—–

然后用python的rsa模块解密会报错，像是格式不对。

pubkey = rsa.PublicKey.load_pkcs1(pk)

# raise ValueError('No PEM start marker "%r" found' % pem_start)

于是换成Crypto.PublicKey.RSA，可以了。

pubkey = Crypto.PublicKey.RSA.importKey(pk)
print(pubkey)
print(pubkey.n, pubkey.e)

# <_RSAobj @0xffff94d979d0 n(256),e>
# 86934482296048119190666062003494800588905656017203025617216654058378322103517 65537

用factordb.com对n做分解，可以解出p和q，然后就简单了，以下是脚本。

import gmpy2
import rsa
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

with open('./pub1.key',mode='rb') as fpk:
    pk = fpk.read()
# pubkey = rsa.PublicKey.load_pkcs1(pk)
pubkey = RSA.importKey(pk)
print(pubkey)
print(pubkey.n, pubkey.e)

n = 0xC0332C5C64AE47182F6C1C876D42336910545A58F7EEFEFC0BCAAF5AF341CCDD
e = 65537
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463

phi = (p-1) * (q-1)
d = gmpy2.invert(e, phi)

with open('./flag.enc','rb+') as ff:
    cdata = ff.read()

# 用Crypto库，试了N次都报错，放弃了
# rsadata = RSA.construct((n, e, int(d), p, q))
# key1 = RSA.importKey(rsadata.exportKey())
# key1 = PKCS1_OAEP.new(key1)
# print(key1)
# print(key1.decrypt(cdata))

# rsa模块直接搞定
key = rsa.PrivateKey(n, e, int(d), p, q)
print(rsa.decrypt(cdata, key))

# Public RSA key at 0xFFFFA511FF10
# 86934482296048119190666062003494800588905656017203025617216654058378322103517 65537
# b'flag{decrypt_256}\n'