心得体会：GPT好GPT妙GPT呱呱呱叫

其他：有点乱凑合看 没做出来的懒得搞了

应急响应：

1.应急响应主线

1.提交堡垒机中留下的flag

flag:palu{2025_qiandao_flag}

2.提交WAF中隐藏的flag

palu{2025_waf}

爆搜

3.提交Mysql中留下的flag

palu{Mysql_@2025}

4.提交攻击者的攻击IP

192.168.20.107

查看waf服务器登录日志，发现192.168.20.107 IP存在攻击行为

5.提交攻攻击者最早攻击时间flag格式为palu{xxxx-xx-xx-xx-xx-xx}

palu{2025-05-05-00:04:40}

6.提交web服务泄露的关键文件名

7.题解泄露的邮箱地址

8.提交立足点服务器ip地址

192.168.20.108

日志

9.提交攻击者使用的提权的用户和密码

parloo/parloo

查看ssh服务器用户列表，发现多了后门用户parloo

尝试弱口令等组合密码登录成功

10.提交攻击者留下的的文件内容作为flag提交

palu{hi_2025_parloo_is_hack}

12.提交攻击者攻击恶意服务器连接地址作为flag提交

47.101.213.153:8082

14.找到系统中存在信息泄露的服务运行端口作为flag提交

8081

15.提交Parloo公司项目经理的身份证号作为flag提交

16.提交存在危险功能的操作系统路径作为flag提交。flag格式为palu{/xxx/xxx}

/admin/parloo

18.提交攻击者留下的恶意账户名称md5后作为flag进行提交。 格式为palu{md5{xxxxx}}

hack

查询结果： md5(hack,32) = d78b6f30225cdc811adfe8d4e7c9fd34

19.提交内部群中留下的flag并提交

20.请提交攻击者使用维护页面获取到的敏感内容作为flag进行提交

palu{Server_Parloo_2025}

/var/log/parloo/command.log

21.提交获取敏感内容IP的第一次执行命令时间作为flag进行提交。flag格式为palu{xxxx-xx-xx:xx:xx:xx}

2025-05-04 15:30:38

22.提交攻击者使用的恶意ip和端口flag格式为palu{xx.xx.xx.xx:xxxx}

10.12.12.13/9999

23.提交重要数据的明文内容作为flag提交

palu{Password-000}

根据gitea里黑客留下的代码

def custom_encrypt(text, key):    encrypted = []    key_bytes = [ord(c) for c in key]    for i, char in enumerate(text):        shifted = ord(char) + (i % 5 + 1)        xor_key = key_bytes[i % len(key_bytes)]        xored = shifted ^ xor_key        substituted = ((xored & 0x0F) << 4) | ((xored & 0xF0) >> 4)        encrypted.append(f"{substituted:02x}")    return "".join(encrypted)

反向推理，明文应该是palu{}

密文在palu3的桌面上

写个脚本爆一下

def nibble_swap(x):    return ((x & 0x0F) << 4) | ((x & 0xF0) >> 4)def get_key_char(plain_char, cipher_byte, position):    """从已知的明文字符和对应的密文字节反推密钥字符"""    # 1. 解密时先交换高低位    swapped = nibble_swap(cipher_byte)    # 2. 计算原始字符的偏移值    shifted_plain = ord(plain_char) + (position % 5 + 1)    # 3. 求解密钥字符: key[i] = swapped ^ shifted_plain    key_char = swapped ^ shifted_plain    return key_chardef recover_key(known_plaintext, ciphertext_hex):    """从已知的明文片段和对应的密文中恢复密钥"""    ciphertext_bytes = bytes.fromhex(ciphertext_hex)    recovered_key = []    for i, char in enumerate(known_plaintext):        if i < len(ciphertext_bytes):            key_byte = get_key_char(char, ciphertext_bytes[i], i)            recovered_key.append(chr(key_byte))    return ''.join(recovered_key)def custom_decrypt(cipher_hex, key):    """使用给定的密钥解密密文"""    data = bytes.fromhex(cipher_hex)    kb = [ord(c) for c in key]    res = []    for i, b in enumerate(data):        x = nibble_swap(b)        shifted = x ^ kb[i % len(kb)]        orig = shifted - ((i % 5) + 1)        res.append(chr(orig))    return "".join(res)# 已知信息ciphertext = "c3a1c3c13e326020c3919093e1260525045e"known_plaintext = "palu{"  # 已知的明文前缀# 恢复密钥并解密partial_key = recover_key(known_plaintext, ciphertext)print(f"根据已知明文推导的部分密钥: {partial_key}")# 尝试使用该密钥解密partial_plaintext = custom_decrypt(ciphertext, partial_key)print(f"使用推导的密钥解密结果: {partial_plaintext}")# 如果发现部分密钥形成某种模式，可以尝试扩展它if partial_key.startswith("MySec"):    complete_key = "MySecretKey"  # 猜测完整密钥    complete_plaintext = custom_decrypt(ciphertext, complete_key)    print(f"使用完整猜测密钥 '{complete_key}' 解密结果: {complete_plaintext}")

palu{Password-000}

25.提交恶意程序的外联地址

88.173.90.103

反编译ipconfig.exe

26.提交攻击这使用的恶意dnslog域名作为flag进行提交

27.提交寻找反序列化漏洞的端口作为flag进行提交

9999

java 9999

28.提交web服务泄露的密钥作为flag进行提交

QZYysgMYhG6/CzIJlVpR2g==

30.提交攻击者在server中留下的账户密码作为flag进行提交。flag格式为palu{username/password}

palu{parloohack/123456}

31.提交攻击者维权方法的名称作为flag进行提交

parloohack_script.service

32.提交攻击者留下的木马md5后作为flag进行提交

4123940b3911556d4bf79196cc008bf4

36.提交恶意用户的数量作为flag进行提交

99

37.提交恶意用户的默认密码作为flag进行提交

123456

38.提交业务数据中攻击者留下的信息作为flag进行提交

palu{crP1ZIVfqrkfdhGy}

39.提交私人git仓库中留下的内容作为flag进行提交

palu{FO65SruuTukdpBS5}

ubuntu@ubuntu:/opt/1panel/apps/gitea/gitea/data/git/repositories/admin/palu.git$ git log --all --oneline260a8c1 (HEAD -> main) 添加 paluubuntu@ubuntu:/opt/1panel/apps/gitea/gitea/data/git/repositories/admin/palu.git$ git show 260a8c1commit 260a8c162aa488637ba70ac453ead89a7b3fb7ef (HEAD -> main)Author: admin <[email protected]>Date:   Tue May 13 18:08:09 2025 +0000    添加 paludiff --git a/palu b/palunew file mode 100644index 0000000..b920082--- /dev/null+++ b/palu@@ -0,0 +1 @@+cGFsdXtGTzY1U3J1dVR1a2RwQlM1fQ== No newline at end of fileubuntu@ubuntu:/opt/1panel/apps/gitea/gitea/data/git/repositories/admin/palu.git$ 

40.提交存在在mysql服务器中的恶意程序的MD5作为flag进行提交

.a

ba7c9fc1ff58b48d0df5c88d2fcc5cd1

41.提交恶意程序中模拟c2通信的函数名称作为flag进行提交

sudo strings /root/.a[sudo] password for ubuntu: /lib64/ld-linux-x86-64.so.2bj>D6oM5iputsexitsetuidfopenfork__libc_start_main__cxa_finalizefcloseprintffwritelibc.so.6GLIBC_2.2.5GLIBC_2.34_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablePTE1u+UH/tmp/.malware_log.txtThis is a simulated malicious log file.Hidden file created: /tmp/.malware_log.txtFailed to create hidden file.Simulating network communication to C2 server...Simulated malicious dataData sent: %sCreating child process...Child process running.Child process created successfully.Failed to create child process.Attempting privilege escalation...Privilege escalation successful.Privilege escalation failed.Simulating file encryption...File encrypted: %sSimulating malicious behavior on Linux...Malware simulation complete.9*3$"GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0Scrt1.o__abi_tagcrtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryey.cpp__FRAME_END___DYNAMIC__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE__Z18create_hidden_filev_Z30simulate_network_communicationv__libc_start_main@GLIBC_2.34_ITM_deregisterTMCloneTableputs@GLIBC_2.2.5_Z19simulate_encryptionv_Z29simulate_privilege_escalationv_edatafclose@GLIBC_2.2.5_finiprintf@GLIBC_2.2.5__data_start__gmon_start____dso_handle_IO_stdin_used_end__bss_startmain_Z20create_child_processvfopen@GLIBC_2.2.5exit@GLIBC_2.2.5fwrite@GLIBC_2.2.5__TMC_END___ITM_registerTMCloneTablesetuid@GLIBC_2.2.5__cxa_finalize@GLIBC_2.2.5_initfork@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment

simulate_network_communication

42.提交恶意程序创建隐藏文件的名称作为flag提交

.malware_log.txt

43.提交恶意程序中模拟权限提升的函数作为flag进行提交

simulate_privilege_escalation

44.提交被钓鱼上线的用户名作为flag进行提交

palu{Parloo-子怡}

45.提交恶意程序的所在路径作为flag进行提交

palu{C:UsersPublicNwtcacherecvParloo-沉沉}

46.分析恶意程序的反连地址作为flag进行提交

45.101.213.153

47.提交恶意c2的服务器登录的账号密码作为flag进行提交。flag格式为palu{username/password}

2.应急响应-畸形的爱

1.攻击者ip地址1：

2.攻击者ip地址2：

4.flag1：

5.flag2: 

6.flag3:

7.钓鱼文件的哈希32位大写：

8.webshell密码1：

在shell.php一句话

9.攻击者开放端口：

爆搜攻击者ip，分析木马的外联IP

palu{1133,1144,8084}

10.webshell密码2：

11.隐藏账户的密码：

12.攻击者的邮箱：

13.flag4：

CTF：

1.循环锁链

# 加密函数：链式 XOR 环def encrypt_flag(flag_bytes):    encrypted = bytearray(len(flag_bytes))    for i in range(len(flag_bytes)):        prev = encrypted[i - 1] if i > 0 else encrypted[-1]        encrypted[i] = flag_bytes[i] ^ prev    return bytes(encrypted)# 解密函数：暴力找起点 + 环形链式 XOR 解锁def decrypt_chain(cipher, known_prefix=b"palu{"):    prefix_len = len(known_prefix)    for start in range(len(cipher)):        decrypted = bytearray(len(cipher))        for i in range(prefix_len):            decrypted[(start + i) % len(cipher)] = known_prefix[i]        for i in range(prefix_len, len(cipher)):            idx = (start + i) % len(cipher)            prev_idx = (start + i - 1) % len(cipher)            decrypted[idx] = cipher[prev_idx] ^ decrypted[prev_idx]        for i in range(start - 1, start - len(cipher), -1):            idx = i % len(cipher)            next_idx = (i + 1) % len(cipher)            decrypted[idx] = cipher[idx] ^ decrypted[next_idx]        if decrypted[start:start + prefix_len] == known_prefix:            return bytes(decrypted)    return None# 示例使用if __name__ == "__main__":    # 原始明文    flag = b"palu{iC7uDoJJMAWnIhkkCNiIoCZZVmiPrk9}"    encrypted = encrypt_flag(flag)    print("[*] Encrypted (hex):", encrypted.hex())    decrypted = decrypt_chain(encrypted)    if decrypted:        print("[+] Decrypted flag:", decrypted.decode())    else:        print("[-] Decryption failed.")#palu{iC7uDoJJMAWnIhkkCNiIoCZZVmiPrk9}

2.轮回密码

import base64def samsara_decrypt(cipher_bytes, key_word):    cycle_step = len(key_word) % 6 + 1    key = key_word    # 逆异或操作    phase3_xor = bytes([c ^ key[i % len(key)] for i, c in enumerate(cipher_bytes)])    # 循环左移恢复phase2    n = cycle_step    phase2_bytes = bytes([((c << n) & 0xFF) | (c >> (8 - n)) for c in phase3_xor])    try:        phase1_bytes = base64.b85decode(phase2_bytes)    except:        return None    # 循环左移恢复明文    original_bytes = bytes([((c << n) & 0xFF) | (c >> (8 - n)) for c in phase1_bytes])    return original_bytes# 示例使用if __name__ == "__main__":    key = b"Bore"    # 假设密文是用户提供的轮回密文（需要正确编码为字节）    cipher_text = "y¦_›6>X¬y–!,!n¡mSaÜñüë—9¼6™"    cipher_bytes = cipher_text.encode('latin-1')    flag_bytes = samsara_decrypt(cipher_bytes, key)    if flag_bytes:        print("Flag:", flag_bytes.decode('latin-1'))    else:        print("解密失败")#palu{reincarnation_cipher}

3.RSA_Quartic_Quandary

import mathfrom Crypto.Util.number import long_to_bytes# 从 output.txt 中读取参数params = {}with open('/mnt/data/output.txt', 'r') as f:    for line in f:        if '=' in line:            key, value = line.strip().split('=')            params[key.strip()] = int(value.strip())n = params['n']e = params['e']c = params['c']s = params['s']# 恢复 p 和 q 的函数def recover_p_q(n: int, s: int):    A2 = s + 2 * n * n    A = math.isqrt(A2)    if A * A != A2:        raise ValueError("A² 不是完全平方数")    sum2 = A + 2 * n    diff2 = A - 2 * n    r1 = math.isqrt(sum2)    r2 = math.isqrt(diff2)    if r1 * r1 != sum2 or r2 * r2 != diff2:        raise ValueError("p+q 或 p−q 的平方不成立")    p = (r1 + r2) // 2    q = (r1 - r2) // 2    if p * q != n:        raise ValueError("p*q ≠ n")    return p, q# 执行计算p, q = recover_p_q(n, s)phi = (p - 1) * (q - 1)d = pow(e, -1, phi)m = pow(c, d, n)flag = long_to_bytes(m).decode()flag#palu{This_is_a_fake_flag_change_it_for_real_use}

4.欧几里得

c = 1426774899479339414711783875769670405758108494041927642533743607154735397076811133205075799614352194241060726689487117802867974494099614371033282640015883625484033889861# Try all possible 2-byte valuesfor i in range(65536):  # 2^16 possibilities    # Convert to bytes, repeat 35 times, then back to integer    potential_m2 = int.from_bytes(i.to_bytes(2, 'big') * 35, 'big')    # Compute potential flag value    potential_m1 = c - potential_m2    # Convert to bytes and check if it starts with "palu{"    try:        flag = potential_m1.to_bytes((potential_m1.bit_length() + 7) // 8, 'big')        if flag.startswith(b'palu{') and flag.endswith(b'}'):            print(f"Found flag: {flag.decode()}")            break    except:        continue    # palu{48b635a7a2474ef743e333478b67a2f5}

5.易如反掌

from sage.all import Matrix, ZZimport hashlibfrom math import logdef find_e(N_list, E_list, bit_d=800, lll_kwargs=None):    r = len(N_list)    assert len(E_list) == r,     # 放大因子 M = 2^bit_d    M = ZZ(2) ** bit_d    # 构造 (r+1)x(r+1) 的格基矩阵    B = Matrix(ZZ, r+1)    # 第一行： [M, E[0], E[1], ..., E[r-1]]    B[0,0] = M    for i, Ei in enumerate(E_list, start=1):        B[0,i] = Ei    # 对角线填充 -N[i-1]^2    for i, Ni in enumerate(N_list, start=1):        B[i,i] = -Ni**2    # 执行 LLL 规约    if lll_kwargs is None:        lll_kwargs = {}    L = B.LLL(**lll_kwargs)    # 在规约结果中搜索第 0 列能被 M 整除的向量    candidates = []    for v in L.rows():        coeff = v[0]        if coeff % M == 0:            d_candidate = abs(coeff // M)            # 验证 d 的大小合理性            if 1 < d_candidate < 2**bit_d:                candidates.append(d_candidate)    return candidates# —— 主流程 —— ## 题目提供的 N 列表N = [23796646026878116589547283793150995927866567938335548416869023482791889761195291718895745055959853934513618760888513821480917766191633897946306199721200583177442944168533218236080466338723721813833112934172813408785753690869328477108925253250272864647989241887047368829689684698870160049332949549671046125158024445929082758264311584669347802324514633164611600348485747482925940752960745308927584754759033237553398957651216385369140164712159020014009858771182426893515016507774993840721603911101735647966838456333878426803669855790758035721418868768618171692143354466457771363078719423863861881209003100274869680348729, 19552522218179875003847447592795537408210008360038264050591506858077823059915495579150792312404199675077331435544143983146080988327453540449160493126531689234464110427289951139790715136775261122038034076109559997394039408007831367922647325571759843192843854522333120187643778356206039403073606561618190519937691323868253954852564110558105862497499849080112804340364976236598384571278659796189204447521325485338769935361453819608921520780103184296098278610439625935404967972315908808657494638735904210709873823527111315139018387713381604550946445856087746716671838144925662314348628830687634437271225081272705532826343, 20588310030910623387356293638800302031856407530120841616298227518984893505166480372963166394317326422544430837759332223527939420321960057410073228508230111170414845403161052128790464277007579491219950440477721075788978767309211469555824310913593208232853272958011299985202799390532181335087622499894389777412111445377637396650710486263652440053717323053536700098339137819966260269752816515681602936416736576044630343136577023173210517247609888936337876211461528203642347119434700140264859102502126842250671976238033270367185358966766106988830596616311824691409766437473419074865115209866730272194297815209976737570183, 18468380817178794606027384089796802449939260582378979728469492439450780893746976934315768186829245395964644992296264093276556001477514083927556578752836255491334765496791841945178275793885002188397918857222419803612711637177559554489679414049308077300718317502586411333302434329130562745942681716547306138457088216901181646333860559988117376012816579422902808478175975263110581667936249474308868051767856694498210084853797453949193117835061402537058150493808371384063278793041752943930928932275052745657700368980150842377283198946138726219378646040515809994704174471793592322237777371900834531014326150160506449286179]# 题目提供的 E 列表E = [229904181453273080302209653709086531153804577507365859149808244958841045687064628362978517491609413507875726243121473678430010600891588643092042173698830147997497783886459583186019270582236955524620567373560535686287255124958954671737097645556109314142383275516997850786599322033792080045303427363366927030304214333894247469120513426641296678531965795930756543043851154646310114366477311633838078242963665452936523438928643273392454483600446242320078010627755587492056369779661382734170244060951095344418599686788550312205964136120979823565225768814898285224838691541122088693411388097496320157113230752327025862802020421665288007529320920942060329299409362236414929126050037144149017275031336018100081931062647888329912802477032857776085190828105602067426203163344931483638271679183910241511044338001446584634203146294743522375846913845041274967653508735863706778364499099286484552570083394223973734909997825522191349543295855925973354640349809770822075226834555111927586299176453943116511915434890643239957459427390624136283086434711471863737451011157026905191204496081860277138227247744470804087252965368757930797560277881668806206419629425126031049566579233056222579590529869798537893505779097868221221068867624660759084762471141, 374749619911728044650812367560174497001343067563440477135516664935394734686391543012901514676044211541958613458868769659861216149364768233000844624035620893309356372294598009760824255187442531508754966566917198975934706398309982525100772311586501118200858124845012643495006029930202324305874402291277845166060497038915773767003006049720519011634861166208163030159519901867416488082395270295488885724507937683469910251316231210838654273986152493722244271430422693265608430755620420680629979226285393465423870727975987787149515374769359243334743541460110042872587610309611770320600248289328406805995688596910226273861759369388105641549933915686192055533242723330981192183310876306968103333706140401422550917946410378174896274789619184565321544130428008804628699594759946577979319393247067750024729672029363433673084437510430506410293512293930056667971242862448029841846596288648691077795207341975907335202945548990662460491169957175452745622341245617265849042542964819126377775749222973138584978725470886059043251544634105653274564085280013340679259157119014619894553239015777411757887293044706448625760604242512494466386343040583010961386979963779928616733980046763291988848903515836247301007113187121999960487508948748354549628160741, 111738429639840672983162926852338651562094139707285850255632987705635459657893186493838711733560515475806567653354737245246745810892238414756414117557971683747269900627524702653772058841085258035513296218047505149691384287812041721130367506731427022265277885965948486359682023555050085264531256406043361391744086539522028829421284667293339869140564699750714145488199268791908205712660933607330454849730499840287271163350865799682565216636393526339218836244889719975150503253630419647851422620890082315396457329065508602521784001607236788620811397449483104884860551374031790663030220424841642241965983726516537123807061999084476076850833658360594525986997125319941689903869138176347916707622148840226672408554102717625456819726220575710494929111642866840516339713870850732638906870325693572445316904688582043485093120585767903009745325497085286577015692005747499504730575062998090846463157669448943725039951120963375521054164657547731579771203443617489609201617736584055562887243883898406182052632245189418568410854530995044542628531851356363297989653392057214167031332353949367816700838296651167799441279086074308299608106786918676697564002641234952760724731325383088682051108589283162705846714876543662335188222683115878319143239781, 185935167438248768027713217055147583431480103445262049361952417166499278728434926508937684304985810617277398880507451351333771783039360671467147075085417403764439214700549777320094501151755362122677245586884124615115132430034242191429064710012407308619977881929109092467325180864745257810774684549914888829203014922855369708286801194645263982661023515570231007900615244109762444081806466412714045462184361892356485713147687194230341085490571821445962465385514845915484336766973332384198790601633964078447446832581798146300515184339036127604597014458389481920870330726947546808739829589808006774479656385317205167932706748974482578749055876192429032258189528408353619365693624106394913101463023497175917598944803733849984703912670992613579847331081015979121834040110652608301633876167262248103403520536210279949844194696898862249482809107840303473964914083996538912970715834110371196970613332286296427286356036576876121010776933023901744994067564045429384172315640135483480089769992730928266885675143187679290648773060781987273082229827156531141515679114580622348238382074084270808291251400949744720804368426414308355267344210055608246286737478682527960260877955900464059404976906697164610891962198768354924180929300959036213841843941]# 调用函数candidates = find_e(N, E, bit_d=800, lll_kwargs={"eta": 0.501})# 输出结果if candidates:    print(f"找到 {len(candidates)} 个候选 d:")    for d in candidates:        # 计算位长度，兼容 SageMath Integer        bit_length = d.bit_length() if hasattr(d, 'bit_length') else int(log(d, 2)) + 1        print(f"d = {d}")        print(f"d 的位数: {bit_length}")        flag = "palu{" + hashlib.md5(str(d).encode()).hexdigest() + "}"        print(f"Flag: {flag}n")else:    print("未找到合适的 d 候选")

找到 1 个候选 d:

d = 4179423138350648633511603754580428752783447242202659775128505849773750010739782037758703319498715813081743032947622794072010600485826874110735478135715298345482643471515080914168066457318628922553866888869769462396548904235402414462199207661

d 的位数: 800

Flag: palu{b1fc01a38bae760451bcffe777e51b1d}

6.星际广播站

任意文件下载，下载源码app.py

找到数据库

先爆破出所有密码

import randomimport stringfrom gmssl import sm3, func# SM3 哈希函数def sm3_hash(data):    if isinstance(data, str):        data = data.encode('utf-8')    hash_bytes = sm3.sm3_hash(func.bytes_to_list(data))    return hash_bytes# 生成用户密码def generate_password(username):    characters = string.ascii_letters + string.digits    random.seed(username)    password = "".join(random.choices(characters, k=6))    return password# 从 users.db 提取的 password_hashdb_password_hashes = {    "1": "ca83068078d2bc06ac4c04924f99b477a0a35a12f659464e42e4ee96afd8f353",    "2": "3bd3bbac07672f601b144792552b694cd34fb18abc49bb104efac3b7fcb84d22",    "3": "add18805784bd36c9f9eac096e50b5fd117835470dc1c4f8d713e283530114dc",    "4": "4ed0d44cf690a18831cc9f740bccb2430acc1e2938cab3af58e6354195b2e749",    "5": "6ddb90db3b0c561c5838f38b5f9e248f43f0bc546f88d1074c356ee8d5aa5061",    "6": "62b83cc0db41dc7117d51119ce942212930378aa5a3ec16819e7893bbcfb13b5",    "7": "9c154c21c08bfd1769b5b0f4bf792b13ed874265aa6583cf523f0bc42c855164",    "8": "19a5cb911f0ee25c5472c3c1de1c61da819dfacc1480934f1f1faf6326d86ea7",    "9": "36a7fa0d8c739fd54b74cf9cb14b5954ede0c4f90d78d5fa1eeb4efbd200d401",    "10": "b840b769bd66983c4b3e29b9468391daf31d7abcc6cf11cac824a0c507689922",    "11": "880bc791064b7725438adefc0c118f58a2ee879a6f3d4577eb6f9016cdbd3ad3",    "12": "6b6053a722debb8fcd035bf016cbbc36332b7e790f35ac07e24290d00012604e",    "13": "c5ec53ebd07ab62b107b50ce80dc25800086402fcab9b8b3733547a482504e7f",    "14": "9d2a21aa504093b158765311601e056ef9387d2505f186d6f8063ed8593ea564",    "15": "bf9d7ef811c7c0d6cf654135997d7b155c15911da8d1f933e8aa3716b6cd198c",    "16": "9921ea0d6c980859fc6ab00ff15b928a2b0bce57c88a1cfb913a946a1e198991",    "17": "716e8600514b137d943dedc44b03653678356719b8830e066e2fa78f017e6606",    "18": "0daa30e39aa3113993320f2694c1e358576842139dd881fa6ac679047418eb69",    "19": "84dec0c459053a7a92a1a6817c7d105c9a7a9ef99cecc7d27cc27e41c97eb144",    "20": "a63884546cda24daa047b5a39fbbbb8b619f306910868f1c1d041fdea9cd959e",    "21": "b24a377810a1761892c1edce0155c6859f759a95b2d096e0d59bde2254db6a6f",    "22": "ab0df6f9124aa97d66a658e15b3d9fd6dc9fff9f048fc979ed122e5b0f6328f0",    "23": "2fe0edfe5d473c81605d607be5ce514d17a1c327b41ee9c5947c41d21726dc79",    "24": "245e60f9b40954e0d4ccecd8b6ed9722a3116e7cbabfc51fbe1bd3e120e08cbc",    "25": "e3b9f5b9e331286ed950bdb513360249ff6d92d0ee3b6ad3e49faef2b7b3c190",    "26": "dcebc0008a8910be149c49a638f0f39d99354bb2190d716a1276c35cfbac841b",    "27": "a075d2161ac5ea3a6f07de7f265d056d45f79362fa6de4af5e32c0fe38ae5838",    "28": "788c567e1b86c4db83cb20fe839f36995e97ed3d2a086f0b7231c733a6f7d7a8",    "29": "9f5fa54911638b1b2cd401453ad4b83733216b690bd3161442c21441f714b314",    "30": "d1dc4b53fe264c759aa9f768f607eb6cc75472419befe1f58eee944e492c3ec0",    "31": "e3192b5a6415abf5847fa528c7d4d161e4caffd05c3400fac452869c5fa1d8e2",    "32": "36032240cbedc6c318167c9eed7b42ccfdeec02ec2f77d92e2197cc7f92cf229",    "33": "ffc75cffcc52f0dfde4ab6a59174663d9e0bbfd9ca25feb6f4d675736ee799c5",    "34": "98dd184c40970c073e242f153a27231b1381c9a8d29b98e28b502521757b029a",    "35": "badaae3845b05a68b2ee973a9b72fc5d34ebbcc92a9be93883057aa855830750",    "36": "241681b4bb45ba3b82da48128f31954757477e840352f83c2d7e7da337591077",    "37": "3233178fd22f0da4a4ae03c7ca5fe1f76751a902a76d9571897bef754fe586d5",    "38": "2d28e4525ce25a5aa19d9f45263fcbdbf4cf5a9e176b82616885f69ee688ad48",    "39": "d597db5e08ac8b93e323576a63ce7a9e8c70d292b281a10871f70f89928f1632",    "40": "d52bca484bddaa72ce2143ed15fd550d56aaf30f9d054d8756e6e2f6f0438b13",    "41": "5680f7ef67f8a511b2aebabb22d8513e82170c38072a53de8c41b81f4c91d722",    "42": "200b84f06c6a58711250cbdb0f37aea2ba2e7d2a9e3ed07c13653231c7c121e0",    "43": "b154abb0b00b748da4e78502145e94507d680d27811a4b325cf7657f71de5f4e",    "44": "65cb9ffa60e4a90ac50f7351f1f91cae17e0c1097fd1b157edee7a388012d7ee",    "45": "6f153feebde21d7ab274b31e2b46545432ae53b0765e60f612adc4b7a9bf03ee",    "46": "6ea15497a2c6fafaab9ea998ef7cc457908e19a60f7a47af8215af9ed4812a7c",    "47": "e4df5587f84e22709ae8dcb23a280456f920f28d72d84e4f90d56b8cbcfb563f",    "48": "59b312aa74f531b0beba2a37d7bf3027d32f26c439265f17b54bae9817f743da",    "49": "2277ee25146c1fc6f97e685e55a33184fb949d88a090056a5ee82bdd8a086539",    "50": "463c6fa10bdb8e65781420899417f6c59898920dc6fa636a09aa7273f546a0c5",    "51": "a917e8d06a6a29d883de76bd55a971ebca6956b22013e72d328f23b55e104bca",    "52": "2a6e0b8adc098287c3bc2ef87cf729da8cfdb07b3e05ab3a6f405edde2b2885a",    "53": "a3b6706c9183b51e86c0b657604df28811c9c004d474f07a3e7cdab4dcc2c960",    "54": "1496f35bb11c8196faedfe6b706a43704a082c5455eeaf58a36aa95d0bd30f48",    "55": "9496a5d368ca3a473cd17e06dec6de5f6e7fc746c96814c176fc1fd1de5bff84",    "56": "7e16045490fd7c6bef66db191f98b468f4bd35fdb5d25247c96f2fae2a2c0c65",    "57": "b6c84ff0caf2f22b9f732e156ce6b1252758beacefd64cfce93146ebdec16cce",    "58": "97501cef124a06251bbf4b17fbf49caab801107eab9d9b848895fb9d9c22b772",    "59": "5e0503a2524bf96326edf5d16ead58d2359965ba72aacbb3ec308165fd234227",    "60": "85d300463cf0d6fe3040db9c9882b220a773779d6a7445e10321cb2de48ea1c4",    "61": "8b7be0dc769a8907ce0af2ce50801440278c7173c873de6b45fda2cd66985a8e",    "62": "af529389a41cb4609cbc6cd4ad749d19fb8d5a18437ab8d6022cb86dc4540548",    "63": "21b24abd861a2d1259f3ab5c92852b13e302f81767dd31ff5a73fe837cde1667",    "64": "b349ac77c96b1e62d62b9b34f755ca9d8db238cf07e267153abc862e1ac2b9fa",    "65": "cb350c45f13daebdaa4e28cd23de23cd726f0f8c8182de3f9f29070c3244e80e",    "66": "986eb63c46abb1beda4b5be0e06be56021be98d5793af69fefd92257f403af5c",    "67": "71e6d02aeaea65df5e9d690fe54095960068935a3e040c56b7fe4238b0237662",    "68": "d2d92924dc90fd393ab066a9996c75c52ce765a3db04b643a2edbfa97ba85eb6",    "69": "9abfae7e3e6a00eebae2dfe1bcd6be39162d3399e1657e15aee3da42147a04fd",    "70": "d62012a82f42527398fba99aa7317431cb7cc78c62681d076e3651121f07e01c",    "71": "866cf76e06e4be28faae4521aef72ba50966579ee8b5731fd092b97b1150f8c5",    "72": "cbbf33a72cfff87a6130a8cfd039b3eea6446ae3e4b3cafc772bdfb156a3e238",    "73": "5601f0f3600ab42400b087fdb22e7272affbabd170da6c59a7173367f761dfa5",    "74": "5742e8113d8c17e024734feddf6d1e577b11c25988031aaf337cb6c2da896662",    "75": "25de19204e2e136c404e10d2516bd8ee1b496624ad07d1991fc2511da3eeede9",    "76": "7948ad4a784a5f85ba17d7e14ad40d568a414099b10c056198e4e8e89e2552e9",    "77": "8cdffcad8a9cf414c29c240970919b3082b3acb516b46621ac291fbd698389be",    "78": "99a9fe8c987739c170064471382bf6c1f9ddcefdbceee4ce2754496cb4cf0148",    "79": "d2a5a0824fd55085a4e01f0d5698d80e5efa56c46866bcb24c7d108b2efb5e7e",    "80": "bda873ccbc7c7f03d34030c14eb59219678943fd995eb11362b18fea460830d2",    "81": "d59e4f5e15f088d19f0662513ce995e8498196545907230ea21b3393c88ecfa1",    "82": "fe5429921ef6a6151f492b4fa1af9349218e77bee0dd692367ee4abc83f8f496",    "83": "ae407b0192615106c2aa7440328241402063b887c18f89138b24fda8229378b2",    "84": "7c5b77eca47ff4b2b2a194e77e300db25566dc7c738abfecbdfb21349e8c1060",    "85": "85bb6a3dda95584c5c74a12af9a98944443eecc9b5028af5c6434847fe684d41",    "86": "5a0af8d31f99e74f9afc4faea35c3299ed38499347ec7c663ed8f117de7734e7",    "87": "ef1fba14f6f253f5d3c71ac1ceb72b62725cb1ef41d6282d8cdcf4aa4b295dc9",    "88": "203719f3a5389316ba74037bcbf7ca06417b7f9c23017f0e782d76292b4f8cec",    "89": "d2179324effc018eb23d2a2fc7a05faa6984f3aba3a2694bd1d8f26cbc08671b",    "90": "2b1c60de4f551b17e8bef6bcec71b2a4de6aa1836a9f0b14254db2f7822257a0",    "91": "3590d36d05caa8eb345c5a5e63d8c81a9a82b42345fcf20bf4ba60e67b6d6b69",    "92": "99d3d033c4f17b5198768a7a15a1e5624cd66e060f2d94ee1c304f4d6ea5338d",    "93": "5dbfe36f86eebed926c00d58a1c5431d2e44344b2128f3607ad95efaa5d96803",    "94": "1c2cf50e2191ab9180cf05914e187f250576387e429a3797609e9b07c8705365",    "95": "5d473d94a285cac94400e7defeb9166acd34fd0f0111ad2585265a6a4b66cb41",    "96": "0b97ce24141affe369cfc3e041e3066fa9d8c38a93ebff67feb5aabf3fd10475",    "97": "fb95345f161c5e8548eb5970cfc140c42f0ed22d90ce2419168f1e474777a190",    "98": "d9fced3def25bc93a5e7c7afcc4c1dd9fc509e9f2bfdc42b44562e5e8f10e904",    "99": "ce2467ecd92d59102bb56e01c2a46cdb8eef8155f13daf79ac7a774738302e6e",    "100": "01d00ef4f83231b519e5b63be5b4d67b02f6169568e9fc9780160f946da04c92",    "101": "17d27ea6b1bd50cf2362d2c1d6ce94102b995cd35457dccd42460e62c41f7229",    "102": "c6b506d04cd9ac70c8bf57f9d4559a6c6c77671694e563d2ad2d6dbd426e4977",    "103": "502db04ad7484483a874a53309986f17984999a2e5df512f7ed7a062be88a3c7",    "104": "4e311cdad29dddc6c48c58efcc5803f7ee618f94d54356af14a021a6379c9506",    "105": "186708b856de9b4c6ca52cfa0950b97a4130b1205030d111bff97e7dc09b1b6e",    "106": "a58d771ddb9b0d2d379f8df83bceb0563742f6a2de155ba6b7dfd518f29d5051",    "107": "7d6a1f06e51e28f93e44f002f72ec5526a0a2bdc4c34cc76ef546e5bcff07cf9",    "108": "617a2b4b36bbdbf29a48139e3f46de0165ed264dcd44ad51785854e61e4d91c9",    "109": "1f301814385bee3b8d65674a9e2c522bd83671fc041d8b9fe1d7f4f9f2242fa5",    "110": "2925206d544eb6fba164179287b8ecffba44e3549b509d2324a68a76eac2e549",    "111": "5df0e1bb4cb964693094af19465f14e245d434c02fccd09aaa0417e0fa040f5e",    "112": "8fa0490157a0150a252df5dbd51a585d26ac7842175ade50c33849901d4e83d0",    "113": "c91f818a3d7928ac29bb3e3edb2d28d829b08eab27e923f93f7d3ac3307d0733",    "114": "7b573c3cf64740de5e3fd05653a2e9dfd45b67e845e895ea0321336e3855a70b",    "115": "5d96da48111a8e90ae7d6276a25ba768e7ad85a31f9fbb89af06e7ad5e596870",    "116": "af525054c771f23789177cff429c18f8f000cca3968621a737b75ce5b8cfb09c",    "117": "accf563d067d009353cf2473d586c9602e722bd41427e3b85a6f0161141d5af5",    "118": "24e378dc2225134e104da6559a04d12b38bedbc4b62b43951ea2863452dba340",    "119": "c26a04a4e3555025d3c4f29fe230a9f03fe2bd4b0eb14a2d0c57f4d4aa5db95d",    "120": "58de9182e081155ce9cda84dfa9306bac0c7de9079178bbe4183a7c7ada2ed3b",    "121": "456e683f3618015edc7ada65ac00c3658d64fed17c77635019f576cf80a31379",    "122": "938ae1431cb630b58480a5ef6fbc5573fc9b8fdb17df9618a3c01c58870f820b",    "123": "3c80f2da88ad177fbb135075a15b3435e3b33258241bf2229cee5b5046dc0190",    "124": "753be15ac34e3f8c1744c4bd5b448b4333a1d5caf9fa9b0f44ee9fa741803480",    "125": "2f39de2b2613334fe4dccfbc461faa5405e280afce40a4eef7a5121b7a932d98",    "126": "27baf235ca5e1d14c09fe92bba63ec6126df69f5c7499d56e1b448a8cccf91c7",    "127": "d7d181914e674c94d8287aa6ab37d0bc75bea29a22450afc7ef9a81f80ba1452",    "128": "cbdbf76ba20b67046b632e96e0b0b424e7ec396d703fb9db4806a68061bff379",}# 破解所有用户的密码passwords = {}for i in range(1, 129):  # 用户 1 到 128    username = str(i)    password = generate_password(username)    calculated_hash = sm3_hash(password)    if calculated_hash == db_password_hashes[username]:        passwords[username] = password        print(f"用户名: {username}, 密码: {password}, 哈希匹配")    else:        print(f"用户名: {username}, 密码: {password}, 哈希不匹配")# 保存密码到文件with open("user_passwords.txt", "w") as f:    f.write("用户名,密码n")    for username, password in passwords.items():        f.write(f"{username},{password}n")print("密码已保存到 user_passwords.txt")print(f"成功破解 {len(passwords)} 个用户的密码")

登录进去看

广播攻击

e = 127

写个脚本批量获取C值

import requestsfrom bs4 import BeautifulSoupimport csvimport time# 读取 user_passwords.txtpasswords = {}with open("user_passwords.txt", "r") as f:    reader = csv.reader(f)    next(reader)  # 跳过标题行    for row in reader:        passwords[row[0]] = row[1]# 读取 n_values.csv（假设格式为 username,N）n_values = {}with open("n_values2.csv", "r") as f:    reader = csv.reader(f)    next(reader)    for row in reader:        n_values[row[0]] = int(row[1])base_url = "http://challenge.qsnctf.com:31127"session = requests.Session()data = []  # 存储 (N, C) 对# 登录用户 1 到 73 并获取 Cfor i in range(1, 129):    username = str(i)    if username not in passwords or username not in n_values:        print(f"缺少数据: username={username}")        continue    password = passwords[username]    n_value = n_values[username]    # 提交登录请求    login_url = f"{base_url}/login"    form_data = {        "username": username,        "password_hash": password    }    response = session.post(login_url, data=form_data, allow_redirects=False)    if response.status_code == 302 and response.headers.get("Location") == "/dashboard":        print(f"登录成功: {username}")        # 访问 dashboard        dashboard_url = f"{base_url}/dashboard"        response = session.get(dashboard_url)        # 解析 HTML        soup = BeautifulSoup(response.text, 'html.parser')        c_tag = soup.find("span", class_="data-value")        if c_tag:            c_value = int(c_tag.text.strip())            data.append((n_value, c_value))            print(f"获取 C: username={username}, C={c_value}")        else:            print(f"无法解析 C 值: username={username}")    else:        print(f"登录失败: username={username}, status_code={response.status_code}")    # 避免请求过快    time.sleep(1)# 保存 (N, C) 对到 nc_pairs.txtwith open("nc_pairs2.txt", "w") as f:    writer = csv.writer(f)    for n, c in data:        writer.writerow([n, c])print(f"收集到 {len(data)} 个 (N, C) 对")print("数据已保存到 nc_pairs2.txt")

之后解密

from gmpy2 import irootfrom functools import reducefrom sympy import mod_inversefrom math import gcdimport randomfrom Crypto.Util.number import long_to_bytesdef are_pairwise_coprime(nums):    for i in range(len(nums)):        for j in range(i + 1, len(nums)):            if gcd(nums[i], nums[j]) != 1:                return False    return Truedef crt(a, m):    N = reduce(lambda x, y: x * y, m)    x = 0    for i in range(len(a)):        Ni = N // m[i]        Mi = mod_inverse(Ni, m[i])        x += a[i] * Ni * Mi    return x % N# 读取 nc_pairs.txt（处理空行）n = []c = []with open("nc_pairs2.txt", "r") as f:    lines = f.readlines()    for line in lines:        line = line.strip()        if line:  # 跳过空行            n_c = line.split(',')            if len(n_c) == 2:                try:                    n.append(int(n_c[0]))                    c.append(int(n_c[1]))                except ValueError:                    print(f"无效行: {line}")e = 127# 验证数据print(f"读取到 {len(n)} 个 (N, C) 对")assert len(n) >= e, f"需要至少 {e} 个 (N, C) 对，当前只有 {len(n)} 个"assert len(c) == len(n), "N 和 C 数量不匹配"indices = random.sample(range(len(n)), e)n = [n[i] for i in indices]c = [c[i] for i in indices]# 检查互素if not are_pairwise_coprime(n):    print("模数 N 不两两互素，尝试其他对")    exit(1)# 执行 CRTme = crt(c, n)print(f"CRT 结果 (me): {me}")# 开 E 次方m, exact = iroot(me, e)if exact:    flag = long_to_bytes(m).decode('utf-8')    print(f"解密结果 (整数): {m}")    print(f"Flag: {flag}")

Flag: palu{ed77d005085d4ddd94ca9aba647da50e}

7.时间循环的信使

def extract_flag(log_path):    entries = []    start_seen = False    with open(log_path, 'r') as f:        for line in f:            line = line.strip()            # 标记开始            if 'start_of_cycle' in line:                start_seen = True                continue            # 标记结束            elif 'end_of_cycle' in line:                break            # 跳过非标准格式行            if not start_seen or '|' not in line:                continue            timestamp_str, value = line.split('|', 1)            # 只保留8位全相同字符组成的值            if len(value) == 8 and all(c == value[0] for c in value):                entries.append((int(timestamp_str), value))    # 按时间戳升序排序    entries.sort(key=lambda x: x[0])    # 提取每条记录中首字符，拼接为十六进制字符串    hex_str = ''.join(v[0] for _, v in entries)    # 解码为 ASCII 字符串    flag = bytes.fromhex(hex_str).decode('utf-8')    return flag

8.时空折叠

# 提取十六进制部分（例如：00000000fe）raw_hex_matches = re.findall(r"at ([0-9a-fA-F]+) ns", log_data)# 解码逻辑处理decoded_bytes = []for hex_str in raw_hex_matches:    value = int(hex_str, 16)    low_byte = value & 0xFF    filtered = low_byte & 0x7F    decoded_byte = filtered ^ 0x0E    decoded_bytes.append(decoded_byte)# 尝试转换为字符串try:    flag_final = bytes(decoded_bytes).decode('utf-8')except Exception as e:    flag_final = f"解码失败: {e}"flag_final

9.时空交织的密语

解析时间戳

每 4 字节为一个整数，代表 UNIX 时间戳，按大端格式读取。

提取低位值

对每个时间戳取低位（timestamp % 16），即提取出“秒数”的低 4 位，转为 16 进制字符。

拼接十六进制字符串

将所有十六进制字符依次拼接，构成一个 hex 编码字符串。

去除填充噪声

根据题目提示，数据开头和结尾可能存在填充字符。对 hex 串进行修剪，移除非 ASCII 或不完整字符对。

转换为明文

将最终的十六进制串转为 ASCII，即可得到隐藏信息。

import structdef extract_flag_from_timestamps(file_path):    with open(file_path, 'rb') as f:        content = f.read()    # 将每4字节解析为大端时间戳整数    timestamps = [struct.unpack('>I', content[i:i+4])[0] for i in range(0, len(content), 4)]    # 每个时间戳对16取模，得到低位值，转为十六进制字符    hex_digits = [format(ts % 16, 'x') for ts in timestamps]    # 拼接为 hex 字符串并修剪首尾    hex_string = ''.join(hex_digits)[1:-1]    # 转为明文    try:        message = bytes.fromhex(hex_string).decode('utf-8')    except Exception:        message = "解码失败，可能存在非 UTF-8 字符"    return message# 执行flag = extract_flag_from_timestamps('timestream.bin')print("Recovered flag:", flag)

palu{Time_1s_B1nary_Whisper}

10.量子迷宫

文件编码识别

初步检查 .b85 后缀，猜测为某种 Base85 编码（可能是标准 Ascii85 或 Python 的 Base85）。

结构观察

解码后出现大量 QUBIT|0⟩ 和 QUBIT|1⟩ 的形式。可以推测这是二进制比特流的变种表达。

提取有效数据

将每个 QUBIT|x⟩ 中的 x 提取出来组成纯二进制串，然后每 8 位转为 ASCII 字符。

import base64, rewith open('quantum_log.b85', 'rb') as f:    raw = f.read()# 解码尝试：优先 Base85，失败则切换 Ascii85try:    decoded = base64.b85decode(raw)except Exception:    decoded = base64.a85decode(raw)text = decoded.decode('utf-8', errors='ignore')bits = re.findall(r"QUBIT|([01])⟩", text)bit_str = ''.join(bits)# 每8位还原字符flag = ''.join(chr(int(bit_str[i:i+8], 2)) for i in range(0, len(bit_str), 8) if len(bit_str[i:i+8]) == 8)#palu{aea437c12b149750383fe56727ec5344}

11.签到

关注公众号。。。

12.TopSecret

pdf复制扔gpt一把出

palu{You_re_a_real_50w}

13.screenshot

14.几何闪烁的秘密

分帧，有字母的组成flag

15.问卷调查

16.catbank

palu{895ce430e61e41c695435c041f315508}

转账到刚好1000000就出flag

17.catnet

改header

爆破一下

palu{68f5c24c7035470fb0a55b2a616f320e}

18.ezblog

app.jar 发现assets路由可以下载文件，直接下载源码，查看key

palu{7baaef896aba4d139b4f63208bd8f7b9}

19.PositionalXOR

# positional_xor_decrypt.pydef decrypt_positional_xor(file_path):    with open(file_path, 'rb') as f:        encrypted = f.read()    decrypted = bytes([b ^ i for i, b in enumerate(encrypted)])    try:        return decrypted.decode('utf-8')    except UnicodeDecodeError:        return decryptedif __name__ == "__main__":    flag = decrypt_positional_xor("encrypted.bin")    print("Decrypted flag:", flag)#Decrypted flag: palu{PositionalXOR_sample}

20.Asymmetric

RSA

from Crypto.Util.number import inverse, long_to_bytesdef decrypt_rsa_with_factors(factors, e, c):    """使用已知的质因数解密RSA密文"""    # 计算N    n = 1    for factor in factors:        n *= factor    print(f"计算得到的N = {n}")    # 计算欧拉函数φ(n)    phi = 1    for factor in factors:        phi *= (factor - 1)    print(f"欧拉函数φ(n) = {phi}")    # 计算私钥d    d = inverse(e, phi)    print(f"计算得到私钥d = {d}")    # 使用私钥解密    m = pow(c, d, n)    print(f"解密后的数字: {m}")    # 尝试将数字转换为ASCII字符串    try:        # 先尝试直接转换        plaintext = long_to_bytes(m).decode('utf-8')        print(f"解密后的明文: {plaintext}")        return plaintext    except:        # 如果直接转换失败，尝试处理十六进制表示        print("尝试通过十六进制解析...")        hex_text = hex(m)[2:]        if len(hex_text) % 2 == 1:            hex_text = '0' + hex_text        # 输出十六进制和二进制供参考        print(f"十六进制: {hex_text}")        print(f"二进制: {bin(m)[2:]}")        try:            # 尝试从十六进制转换为ASCII            bytes_data = bytes.fromhex(hex_text)            ascii_text = bytes_data.decode('utf-8', errors='replace')            print(f"从十六进制转换得到: {ascii_text}")            return ascii_text        except Exception as e:            print(f"十六进制转换出错: {e}")            # 尝试字节一个个转换            result = ""            try:                byte_chunks = [m.to_bytes((m.bit_length() + 7) // 8, byteorder='big')]                for chunk in byte_chunks:                    result += chunk.decode('utf-8', errors='replace')                print(f"字节转换得到: {result}")                return result            except Exception as e:                print(f"字节转换出错: {e}")                # 最后尝试查看每个字节的ASCII表示                bytes_array = m.to_bytes((m.bit_length() + 7) // 8, byteorder='big')                readable = ''.join([chr(b) if 32 <= b <= 126 else '.' for b in bytes_array])                print(f"可打印字符: {readable}")                return readable# 主函数def main():    # 给定的RSA参数和质因数    factors = [3, 47, 2287, 3101092514893, 100000000000000003]    e = 65537    c = 94846032130173601911230363560972235    # 解密过程    plaintext = decrypt_rsa_with_factors(factors, e, c)    print("n最终明文结果:", plaintext)if __name__ == "__main__":    main()# palu{3a5Y_R$A}

原文始发于微信公众号（取证与溯源）：第二届“Parloo杯”CTF 应急响应挑战赛初赛WP