MISC
简简单单附件
直接搜索flag字符串
flag{Good_b0y_W3ll_Done}
大黑阔的流量
导出的HTTP对象中存在upload_file.php
分离出一张中国地图
flag就在地图上但是看不清
尝试lsb隐写,查看颜色通道
flag{@GOOd_L4ck_B3r3@}
CRYPTO
泄露的信息
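题目泄露了 p、q、dp、dq,因此可以直接用中国剩余定理(CRT)解密,不需要 e 和 d:
(1) 计算 q 模 p 的逆元 $I = q^{-1} \bmod p$;
(2) 计算 $m_1 = c^{d_p} \bmod p$;
(3) 计算 $m_2 = c^{d_q} \bmod q$;
(4) $m = \bigl(((m_1 - m_2)\cdot I) \bmod p\bigr)\cdot q + m_2$。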
import gmpy2
p=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
q=0xfe39300a3cbcd8bea6f1df22496d6f4261c68d947ea88bc747f03cec6fa414b847beffff60861dac8b490c67c9c5a010cdc9c02faa7a0c89c215e003a9c4d7a2feafd2c66d504b535d2d120376d6fbd61860ce5cb4149cd3b26c3d9bf0cb594b276e28195912b722a3f3cbcf071ebecfaff8e308809d3bdaa437c36c4b4989b25ab44f9695b5778a76804ef81ed1b97b79e5fb1a69b7fcb011cc0a76e419b9007d858a15934321eea0f4264af872fad3b3d71349a25b47c147948ff6c8d9f699b88fee83d336c2b936495e4ab02459ebfe98c95da36e8ccdbad211410e61079722aeb65ece590d71c648be6648c21bc41a82bb29a2b7a07d436ea14c402db0b5
c=0x8c8d2382d041073c5db01758960144a6ef6846b8d2985fb287e9512ee6219b96109e2210c5581375d09d0b61cc7d02ca52ae20a835bd7c215830f67e18cdc22b50bf9613e44a20e67fda65595302bb0ce14881501b30e42fcc41e268099f1ef78991cea18ac6b49558714b6a32162e3905246ab0956aa3d283bd4fd38ebc04a7ad0cea7fe1ead59b3966732a94f660d894f5a3b20df1f19a2ec28bacf34e22ad19dda38c8cc683854b8b79b17ac0baf9aa454917c34cb40e943f554dca369b9164b8df19c1f9e6bd459a97df701e55021b10d4a7420c2868c95f73cbaf790f5b022c8921d88ec2d5c9ced74928b1e34c608f56ddd7cd20d38c27cb48d48860e675705c1496da243787492209caf9d64b1848ba70ac4576eadcec55fa0aac0ddbbea06b254635c5db7c1d33cb1fd2a9a808b27d31c27c66c473617f7fdbd91c32bb1edb59573155191c52ec3e17e2c359e256b4c3c62c3576bf66f4448d1470232d01717a2f42f649948d81bb33f1349ec71b393fea1aa5f868b3817417caf7de7feeb9dd68291ddd627a5cf08de8903b47e586efaf74c88cfd72ae07a7cee2e022e9ea211c7f12774cbd25d6bb610a8071080d453eb8bac6e01810f0ddf121a226c49d10970a02ef17605dadf65e490eefd2f8158f0a70d94ef87aab5d0e25f54674f1562c505d8723855d9a2b619a10cf93cfcebc0f1036e58f7b56c3884c0b
dp= 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
dq=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
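# RSA-CRT decryption using the leaked private parameters p, q, dp and dq.
# I is q^-1 mod p, the coefficient that recombines the two half-size results.
I = gmpy2.invert(q, p)
m1 = pow(c, dp, p)  # plaintext residue modulo p
m2 = pow(c, dq, q)  # plaintext residue modulo q
# Garner recombination: the result is congruent to m1 mod p and to m2 mod q.
m = (((m1 - m2) * I) % p) * q + m2
# Convert with to_bytes(): bytes.fromhex(hex(m)[2:]) raises ValueError whenever
# m has an odd number of hex digits (leading nibble below 0x10).
m = int(m)
print(m.to_bytes((m.bit_length() + 7) // 8, "big"))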
#flag{WOW_You_Can_Really_Decrypt}
baby_rsa
共模攻击:题目只给出 e=e1*e2,因此先爆破分解 e,枚举所有因子对 (e1, e2) 逐一尝试。
import libnum
import gmpy2
n=18941897966618549590482921932069269855566887560846003853615076099963108817185327262750999516754222357223603475688339480435312583490395860452876528267241529839128983282347116489462087590022946148697811918490562357700477812317981112859801696914920157218261227248163354934594592989948835696126525303358401172927693681573257245675773302383672536531760449692312660789004434502847176542175872828631412512434830044930393378761413148832473147778681111895140827684384523695468243679431394541437405220444389502412532816429448282704044345362927781837263473315252015292522704945829965688617978850430082494284515433755194353439337
c1=16526118626986017587535672306501535736692950947614409401612053801360048305344788074060161991592465238423703152619212847540401135865568611456448069291895155754469395615728785061984518496536397902069681784511121811306784617822082388392704359591309731536503001254216652492074215090776170134134687632575101823975955490855193514898535824814240480721772488425500309069255541262657807513487602741417690129808594555617044051707040663245698288030031495680697068057476361442627006464925235000245587220216985373423116156019250717175060849008225344903717354712612845144538174414672321666720723995449432568958322357146091477808460
c2=13095063120062097779974070527081507876693191121709938699390212467606444451673018463188917059026307468646743035133125440725404382070023081106408921203784833033918414311077921555812942741835149413503118131837527750773914147553704346395325785033066932850586170939707921231437443228445877551150362056106182544493023070856816826868331368624823083157497076460097194318268087043896775120421878080384043405389184733148396101712952408224574223075652024582768672259152893749081236671766957797998433416800582010130500789821457750906031155425082685565945551613263143888863898305690312122595860844005317675247247221445967298905015
# The challenge publishes only this value; the solver below treats it as the
# product e1*e2 of the two real exponents and enumerates its factor pairs.
# e1e2 keeps the original value because the search loop later rebinds e.
e = e1e2 = 51359
def rsa_gong_N_def(e1, e2, c1, c2, n):
    """Combine two ciphertexts that share the modulus n (common-modulus case).

    Uses the Bezout coefficients s1, s2 from gmpy2.gcdext(e1, e2), where
    s1*e1 + s2*e2 == gcd(e1, e2), and returns
    c1**s1 * c2**s2 mod n as a Python int.

    Assumes c1 and c2 encrypt the same message under e1 and e2 respectively
    (not checkable from here); in that case the result is m**gcd(e1, e2) mod n.
    Prints the exponent pair and the gcdext tuple as progress output.
    """
    e1, e2, c1, c2, n = (int(v) for v in (e1, e2, c1, c2, n))
    print("e1,e2:", e1, e2)
    bezout = gmpy2.gcdext(e1, e2)
    print("mpz:", bezout)
    s1, s2 = bezout[1], bezout[2]
    # A negative coefficient is handled by inverting the matching ciphertext
    # modulo n and raising it to the absolute value instead.
    if s1 < 0:
        s1, c1 = -s1, gmpy2.invert(c1, n)
    elif s2 < 0:
        s2, c2 = -s2, gmpy2.invert(c2, n)
    return int(pow(c1, s1, n) * pow(c2, s2, n) % n)
def de(c, e, n):
    """Search for an exact integer e-th root of c + k*n for k in 0..999.

    Returns the root reported by gmpy2.iroot for the first k whose root is
    exact, or None when no k in that range yields one.
    """
    for k in range(1000):
        root, exact = gmpy2.iroot(c + n * k, e)
        if exact:
            return root
    return None
# Try every factor pair (e1, e2) of the published exponent product: combine the
# two ciphertexts, then take the gcd(e1, e2)-th root of the combined value.
for e1 in range(2, e1e2):
    if e1e2 % e1 != 0:
        continue  # not a divisor, so no candidate pair
    e2 = e1e2 // e1
    c = rsa_gong_N_def(e1, e2, c1, c2, n)
    e = gmpy2.gcd(e1, e2)
    m1 = de(c, e, n)
    if m1:  # print only when a root was found
        print(libnum.n2s(int(m1)))
#flag{qwdu534qwf45qf23156qf165vurt54h}
RE
劳模编码
/*
 * Decompiler pseudo-code of the challenge binary's main().
 * Copies the fixed string "Tan_OvO" into a local buffer, encodes it with
 * base64_encode(), prints the result and returns 0. argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned __int8 input[8]; // [rsp+8h] [rbp-90h] BYREF
  char output[100]; // [rsp+10h] [rbp-88h] BYREF
  unsigned __int64 v6; // [rsp+78h] [rbp-20h]
  // Reads the qword at fs:0x28 -- presumably the stack-protector canary; the
  // matching check is not shown in this listing.
  v6 = __readfsqword(0x28u);
  // "Tan_OvO" is 7 characters plus the NUL terminator, exactly filling input[8].
  strcpy((char *)input, "Tan_OvO");
  // Encodes the 7 input bytes into output using the binary's own table.
  base64_encode(input, strlen((const char *)input), output);
  // NOTE(review): "%sn" is presumably "%s\n" with the backslash lost when the
  // page was extracted -- confirm against the binary.
  __printf_chk(1LL, "Base64 Encoded: %sn", output);
  return 0;
}
字符串 Tan_OvO 经过 base64_encode 编码后输出(Base64 是编码,不是加密)。
/*
 * Decompiler pseudo-code of the binary's Base64-style encoder.
 * Packs each group of up to three input bytes into four 6-bit indices, maps
 * them through the global table base64chars (defined outside this listing),
 * then writes '=' padding and a NUL terminator.
 *
 * input     - bytes to encode
 * input_len - number of bytes in input
 * output    - destination buffer; no size is passed, so the caller must supply
 *             enough room (the loop writes 4 bytes per started 3-byte group)
 */
void __fastcall base64_encode(const unsigned __int8 *input, int input_len, char *output)
{
  __int64 v3; // r8
  __int64 i; // rax
  unsigned __int8 v5; // cl
  unsigned __int8 v6; // al
  unsigned __int8 v7; // bp
  int v8; // edi
  int v9; // ecx
  int v10; // eax
  unsigned __int8 char_array_4[4]; // [rsp+4h] [rbp-24h]
  unsigned __int64 v12; // [rsp+8h] [rbp-20h]
  // Reads the qword at fs:0x28 -- presumably the stack-protector canary.
  v12 = __readfsqword(0x28u);
  if ( input_len > 0 )
  {
    v3 = 0LL; // byte offset of the current 3-byte group
    do
    {
      // Load up to three bytes; bytes past the end of the input read as 0.
      v5 = input[v3];
      v6 = 0;
      if ( input_len > (int)v3 + 1 )
        v6 = input[v3 + 1];
      v7 = 0;
      if ( input_len > (int)v3 + 2 )
        v7 = input[v3 + 2];
      // Split the 24 bits into four 6-bit table indices.
      char_array_4[0] = v5 >> 2;
      char_array_4[1] = (v6 >> 4) + ((16 * v5) & 0x30);
      char_array_4[2] = (v7 >> 6) + ((4 * v6) & 0x3C);
      char_array_4[3] = v7 & 0x3F;
      // Emit four table characters for this group at output[4 * group_index].
      for ( i = 0LL; i != 4; ++i )
        output[4 * ((int)v3 / 3) + i] = base64chars[char_array_4[i]];
      v3 += 3LL;
    }
    while ( input_len > (int)v3 );
  }
  v8 = input_len % 3; // number of bytes in the final partial group
  // NOTE(review): the padding below is written at index 4 * (input_len / 3),
  // which is where the loop stored the first characters of the final partial
  // group, so as decompiled the '=' bytes and the terminator overwrite that
  // group's encoded characters instead of following them -- confirm against
  // the binary's real output.
  if ( input_len % 3 == 1 )
  {
    v10 = 4 * (input_len / 3);
    output[v10] = 61; // 61 is '='
    output[v10 + 1] = 61;
    v9 = 2;
  }
  else
  {
    v9 = v8 == 2; // 1 when one '=' is written, otherwise 0
    if ( v8 == 2 )
      output[4 * (input_len / 3)] = 61;
  }
  // NUL-terminate directly after the padding characters (if any).
  output[4 * (input_len / 3) + v9] = 0;
}
这是一个 Base64 编码,只是把标准字符表换成了自定义表(即下面脚本中的 s):
# coding:utf-8
#s = "i5jLW7S0GX6uf1cv3ny4q8es2Q+bdkYgKOIT/tAxUrFlVPzhmow9BHCMDpEaJRZN"
# Custom 64-character alphabet used in place of the standard Base64 table:
# the upper-case row has A, F, G, L, O and T replaced by symbols.
s = (
    "%BCDE$#HIJK!MN&PQRS@UVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
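def My_base64_encode(inputs):
    """Encode *inputs* with the custom Base64 table ``s`` and print the result.

    Each character is treated as one byte (its code point), so only code
    points up to 0xFF are accepted; the result is printed, nothing is returned.

    Raises:
        ValueError: if a character's code point does not fit in one byte.
    """
    # Turn every character into an 8-bit binary string.
    bin_str = []
    for ch in inputs:
        code = ord(ch)
        if code > 0xFF:
            # Wider code points would produce more than 8 bits and silently
            # misalign every following 6-bit group.
            raise ValueError("character %r does not fit in one byte" % ch)
        bin_str.append('{:08b}'.format(code))
    outputs = ""
    # Number of missing bytes in the final group (0, 1 or 2).
    nums = 0
    for start in range(0, len(bin_str), 3):
        group = bin_str[start:start + 3]
        nums = 3 - len(group)
        # Zero-fill a short final group up to 24 bits.
        bits = "".join(group) + '0' * (8 * nums)
        sextets = [int(bits[i:i + 6], 2) for i in range(0, 24, 6)]
        # Drop the sextets that consist only of fill bits.
        outputs += "".join(s[v] for v in sextets[:4 - nums])
    outputs += nums * '='
    # The "\n" escape had lost its backslash in the published listing.
    print("Encrypted String:\n%s " % outputs)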
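def My_base64_decode(inputs):
    """Decode *inputs* with the custom Base64 table ``s`` and print the result.

    '=' characters are skipped; every other character must be in ``s``.
    The decoded text is printed, nothing is returned.

    Raises:
        ValueError: if a character is neither '=' nor part of the table.
    """
    # First occurrence wins, matching what s.index() would return.
    lookup = {}
    for idx, ch in enumerate(s):
        lookup.setdefault(ch, idx)
    # Turn every table character into a 6-bit binary string.
    bin_str = []
    for ch in inputs:
        if ch == '=':
            continue
        if ch not in lookup:
            raise ValueError("character %r is not in the encoding table" % ch)
        bin_str.append('{:06b}'.format(lookup[ch]))
    outputs = ""
    for start in range(0, len(bin_str), 4):
        bits = "".join(bin_str[start:start + 4])
        # Keep whole bytes only. Trimming by the '=' count dropped the final
        # byte of unpadded input, because a slice ending at -0 is empty.
        bits = bits[:len(bits) - len(bits) % 8]
        for pos in range(0, len(bits), 8):
            outputs += chr(int(bits[pos:pos + 8], 2))
    # The "\n" escape had lost its backslash in the published listing.
    print("Decrypted String:\n%s " % outputs)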
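# Interactive driver: show the menu, then encode or decode one line of input.
print()
print(" *************************************")
print(" * (1)encode (2)decode *")
print(" *************************************")
print()
# The prompts end in "\n"; the backslash had been lost in the published listing.
num = input("Please select the operation you want to perform:\n")
if num == "1":
    input_str = input("Please enter a string that needs to be encrypted: \n")
    My_base64_encode(input_str)
else:
    # Any selection other than "1" is treated as decode.
    input_str = input("Please enter a string that needs to be decrypted: \n")
    My_base64_decode(input_str)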
#flag{V#$uX092@w==}
WEB
Login
登录时发现登录窗口存在SQL注入。
通过注入获取到登录账号和口令
admin/Tan_0v0
flag{AABAA10AAAAAAAABBAAABA3949AAAABAAAAA59AAAAAAAAABAAAABAABAA56AABAA057AABAB20AABAB883AABAA}
flag 中只由 A、B 组成的片段猜测是培根密码:按 5 位一组解码,数字部分保持不变。
AABAA -> E
10
AAAAAAAABBAAABA -> ADC
3949
AAAABAAAAA -> BA
59
AAAAAAAAABAAAABAABAA -> ABBE
56
AABAA -> E
057
AABAB -> F
20
AABAB -> F
883
AABAA -> E
flag{E10ADC3949BA59ABBE56E057F20F883E}
原文始发于微信公众号(Hx0战队):2023年安徽省信息安全工程员技能大赛WP