前言:
这次拿了805.。。行吧难度比上次de1还要难一点,总体而言6000个队伍能拿800就挺好了(bushi
还是有点不甘心,继续努力吧,争取下次网鼎能入围。
misc 签到
这个题也没截图。。。就是玩个猜猜看,玩完后填写队伍的token在alter弹窗上就行了,然后看控制台就有flag了。。。。
虚幻2
这题。。。我的痛苦
虽说一开始思路就对了,也成功分离出三张图片,可惜拼的方式不对,结束的时候问了带师傅们知道是根据GBR三个色块的顺序进行拼接
使用Stegsolve分离三个RGB色块后,
进行GBR顺序的拼接出来了这么一个东西(把三张图逆时针90度后一列一列拼)
可以手动拼也可以直接脚本冲出来,这里贴一个大佬的脚本
from PIL import Image
# import itertools
p = ['G','B','R']
# p1 = Image.open('file.png')
R_pixels = []
G_pixels = []
B_pixels = []
for i in range(3):
if i == 0:
p1 = Image.open(p[i]+'.png').convert('L')
a,b = p1.size
for x in range(a):
if x < 1:
continue
pixel = []
for y in range(b):
if y < 2 or y > 33:
continue
pp = p1.getpixel((x,y))
pixel.append(pp)
else:
G_pixels.append(pixel)
elif i == 1:
p1 = Image.open(p[i] + '.png').convert('L')
a, b = p1.size
for x in range(a):
if x < 1 or x > 10:
continue
pixel = []
for y in range(b):
if y < 2 or y > 33:
continue
pp = p1.getpixel((x, y))
pixel.append(pp)
else:
B_pixels.append(pixel)
else:
p1 = Image.open(p[i] + '.png').convert('L')
a, b = p1.size
for x in range(a):
if x < 2:
continue
pixel = []
for y in range(b):
if y < 2 or y > 33:
continue
pp = p1.getpixel((x, y))
pixel.append(pp)
else:
R_pixels.append(pixel)
b = Image.new('L',(10,10),255)
w = Image.new('L',(10,10),0)
n_p = Image.new('L',(310,310),0)
for i in range(11):
if i != 10:
for j in range(len(G_pixels[i])):
if G_pixels[i][j] == 0:
n_p.paste(w,(i*30,j*10))
elif G_pixels[i][j] == 255:
n_p.paste(b,(i*30,j*10))
for j in range(len(B_pixels[i])):
if B_pixels[i][j] == 0:
n_p.paste(w,(i*30+10,j*10))
elif B_pixels[i][j] == 255:
n_p.paste(b,(i*30+10,j*10))
for j in range(len(R_pixels[i])):
if R_pixels[i][j] == 0:
n_p.paste(w,(i*30+20,j*10))
elif R_pixels[i][j] == 255:
n_p.paste(b,(i*30+20,j*10))
else:
for j in range(len(G_pixels[i])):
if G_pixels[i][j] == 0:
n_p.paste(w,(i*30,j*10))
elif G_pixels[i][j] == 255:
n_p.paste(b,(i*30,j*10))
n_p.save('res.png')
把这个图片旋转后
然后旋转后进行镜像,把左下角改成符合汉信码的标识,如下图
然而缺左边这么一块,给的提示是说要暴力补全,于是来个骚操作,随便补个色块然后马赛克糊上。。。就行了
flag{eed70c7d-e530-49ba-ad45-80fdb7872e0a}
哈哈,我想骂人
web反序列化
这题是个反序列化。反序列化知识请参考
http://z.mofalongmao.xyz/wordpress/index.php/2020/04/21/phpserialize/
源码如下
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
经过代码审计,了解到需要进行绕过核心部分,反序列化执行前会执行__desturct()魔法函数,这里要绕过op变量,所以使op为2即可绕过,直接在dw生成反序列化内容进行手修改即可
生成内容:
O:11:"FileHandler":3:{s:5:"*op";N;s:11:"*filename";N;s:10:"*content";N;}
修改为
O:11:"FileHandler":3:{s:2:"op";i:2;s:11:"*filename";N;s:10:"*content";N;}
再次进行审计,发现is_valid()只会识别只能出现ascii值在32-125之间的字符,但是其中的变量有是protected类型的变量,所以如果输入%00截断字符会被检测,不过php7.1对类型检测不严格,所以当成public进行注入即可
最后payload修改为:
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}
即可在F12内查看
CryptoBOOM
向来都是不做密码学的,然后群里一哥们跟我说这题挺简单然后就了做
题目:http://z.mofalongmao.xyz/boom.zip(单击即可下载)
运行后就是简单答题。。。依次是
en5oy、74、68、31、89127561
然后就闪退了= =
没办法记事本打开一看
妥了,手动拼接flag:
flag{en5oy_746831_89127561}
you raise me up
我以为这题很难。。看都没看,就看当时解题的人挺多的javafile也挺多解出来的然而我不会x
一个py里面是这玩意,虽然没接触过密码学,但是之前也看到过不少类似的题目
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import random
n = 2 ** 512
m = random.randint(2, n-1) | 1
c = pow(m, bytes_to_long(flag), n)
print 'm = ' + str(m)
print 'c = ' + str(c)
# m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
# c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
解法就是sage离散对数求解算e
m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
n = 2 ** 512
m = Mod(m,n)
c = Mod(c,n)
discrete_log(c,m)
然后flag就来了
flag{5f95ca93-1594-762d-ed0b-a9139692cb4a}
哈哈,有人一道虚幻就进线我就羡慕死了,哪能咋办,酸就完事了5555555555555
暂无评论内容