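The contest was a bit cursed, but the first-blood bonus still felt good. For example, the last part of the 500-point misc challenge, and the submission format for each challenge. Sigh.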
EasyWeb
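The first step asks for $fir == md5($fir). This is a loose comparison: PHP converts both strings to the same type before comparing them, and a string of the form 0e followed only by digits is read as a number in scientific notation, that is, zero. The bypass only needs a string that starts with 0e and whose MD5 also starts with 0e; one search on the internet-connected computer finds it.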
payload:10.1.117.1:20000/?fir=0e215962017
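The response reveals TheFlagFi1e.php. Visiting it asks for a password, and the page source says "MD5 encrypted, very secure". Searching again turns up the string "ffifdyop": its MD5 is 276f722736c95d99e921722cf9ed621c, which read as a string is 'or'6 followed by unprintable bytes. The query becomes select * from admin where password=''or 1, which is SQL injection. Submit ffifdyop and get the flag.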
flag{74f3002433d36d6465fddecd52af9422}
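Both EasyWeb steps reproduced offline, as an added example that is not part of the original writeup. `php_loose_equal` is a simplified model of PHP's `==` on two strings, the raw-digest query assumes the server behaves like `md5($s, true)`, and SQLite with a constructed `admin` row stands in for the challenge's database; the vulnerable query sits beside the parameterized one.

```python
import hashlib
import re
import sqlite3

MAGIC = re.compile(r"0e\d+")  # numeric string that PHP reads as 0 * 10^n

def php_loose_equal(a, b):
    """Simplified model of PHP `==` on two strings (assumption, not PHP itself)."""
    if MAGIC.fullmatch(a) and MAGIC.fullmatch(b):
        return float(a) == float(b)  # both become 0.0
    return a == b

def login(db, password, vulnerable):
    digest = hashlib.md5(password.encode())
    if vulnerable:
        # Raw 16-byte digest pasted into the SQL text (assumed server behaviour).
        raw = digest.digest().decode("latin-1")
        sql = "SELECT name FROM admin WHERE password='%s'" % raw
        return db.execute(sql).fetchall()
    # Hardened: hex digest passed as a bound parameter, never parsed as SQL.
    sql = "SELECT name FROM admin WHERE password=?"
    return db.execute(sql, (digest.hexdigest(),)).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin(name TEXT, password TEXT)")
    stored = hashlib.md5(b"constructed-secret").hexdigest()  # constructed row
    db.execute("INSERT INTO admin VALUES('admin', ?)", (stored,))
    fir = "0e215962017"
    fir_md5 = hashlib.md5(fir.encode()).hexdigest()
    return {
        "loose_equal": php_loose_equal(fir, fir_md5),
        "strict_equal": fir == fir_md5,  # what === would decide
        "raw_prefix": hashlib.md5(b"ffifdyop").digest()[:5],
        "rows_vulnerable": len(login(db, "ffifdyop", True)),
        "rows_hardened": len(login(db, "ffifdyop", False)),
    }

if __name__ == "__main__":
    print(demo())
```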
Simplecomputer
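Both cryptography challenges are about the MT19937 random number generator. Luckily, of the linear-algebra-style crypto I have worked on, MT19937 is the one I understand a little, thanks to ISCC and GKCTF. (Mainly because I borrowed one of striving's scripts at ISCC.) The challenge: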
from hashlib import md5
from secret import flag
import random
simple_list1 = [i for i in range(2 ** 32)]
simple_list2 = [i for i in range(2 ** 64)]
simple_list3 = [i for i in range(2 ** 128)]
choices = []
for i in range(100):
    choices.append(random.choice(simple_list1))
    choices.append(random.choice(simple_list2))
    choices.append(random.choice(simple_list3))
print(choices[:-1])
assert flag.startswith("DASFLAG{") and flag.endswith("}")
assert flag[8:-1] == md5(str(choices[-1]).encode()).hexdigest()
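For this challenge, luckily I had saved my whole blog the day before the contest: https://blog.csdn.net/qq_42880719/article/details/118251849. It is MT19937 prediction again, but here the outputs cycle through 32 bits, 64 bits and 128 bits, so each group supplies 7 submissions of 32 bits. 624 submissions are needed in total, which is exactly 89 groups plus one 32-bit value. The challenge gives 100 groups, so the idea is to feed the first 89 groups plus the 32-bit value of group 90 to the predictor, then keep generating the following outputs until reaching the 128-bit number of group 100.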
import random
from hashlib import md5
import randcrack
mask1=(1<<32)-1
mask2=(1<<64)-1
mask3=(1<<96)-1
rc=randcrack.RandCrack()
f = [95930399, 630811384192147677, 22862956546801916146249195902732184111, 4099257856, 2718983114440162754, 112977816959911448651187534007460155465, 1249371009, 8559516268278111923, 60111035663109648856650373006790028956, 319240083, 14560442381002068496, 128327428306490893846907050146390382511, 2770935087, 6122104916341184739, 131547441587682514710566757387297968912, 4179647084, 11984714834927466417, 1210759748505925081550369940047241904, 2898524587, 11069835926441745770, 99455744688744193582656472815689921470, 2730096881, 15054533924441295573, 144985445173202171411057575105147291456, 1806982352, 3797130347584773539, 204933079151506125541129775638434889208, 371325980, 2153993678800145719, 247878403659939359037598437909994197561, 2815863803, 15130911785995325101, 17955494106427799992215565864521676667, 130093703, 5322659125216836331, 186940250941644796242567551393862023174, 1046949150, 15763669661833016083, 259062557762901143943756963704122372705, 302062580, 7237494714606284949, 165465562428047650015569274915841896510, 2130675496, 8233850056608440864, 212969881913853084045502061340629641381, 1951820453, 13924898201019445140, 181104775261798062298271222324820328499, 2213422363, 5410373756279204425, 192092004591272770270432240857758419914, 2694040588, 15662161791352619736, 92303375603704514404332097019434252020, 3614058180, 846446395182720823, 155093316739288678623208023793622306975, 174983408, 9886261686632573484, 89308189762846095042418155129938495410, 2708353173, 9717016511726786943, 246545363268335466360169797528133329029, 3097264988, 4408052026651860451, 167502346806895071126138315560769602788, 2149769262, 8554456609791485714, 30302289886101288586812191447647001078, 79066507, 1559096331585360007, 297665581615453365950543513622956753026, 108225713, 9379535704837166429, 171711510001720001884446296608170885632, 150296361, 17431778100273675863, 77833884740703931704642431073568904852, 4008422647, 3468955214990968020, 221975289950429882007918898647169241737, 
1565206353, 15759515087971712020, 1058977698524730546555543818531014275, 2727941728, 273621514300848893, 12255868124650289944438093018174231140, 2393083602, 5114212674398355049, 88608217340157884502868209375014470981, 1427054885, 5447916625104853307, 12294058127071138724577454274533868228, 1668499829, 16899242350054181148, 116142527294590517640438891869029401513, 1635219902, 9454748230190678509, 248077140706550980379041246809348934960, 1003956149, 10887903294798325711, 68683943365603770540408398010168423446, 1793637154, 10393186731816805839, 277065074290842703696984993204621414086, 3142776153, 11091998712538527708, 68880494960830126876952478946163740211, 2205417257, 12256720523080140000, 235796800923787714176302861552833040419, 3449826188, 4921625852304337389, 317639050123995784198985254800017950824, 590972465, 12223438278873623805, 257438908573736139168093089870735173432, 3791533953, 4618394124547595, 131014693991416233849146055439995924332, 1749175237, 10928998994830777074, 18385966159117647169753617474844057740, 2091688148, 17975357494845024328, 33234679624454945269443907193421284204, 1845914825, 410345794930215572, 195605765211848736234024067810604573838, 2247301104, 16695289131440312322, 300008480969595674884459144804069050935, 3737160140, 10275409907171269574, 237987870489682421561621527430470614545, 1561502426, 5700436337175381840, 121612504753369937912905160374634999096, 4184791743, 2634038584210570734, 212979540995676246188329597724213884277, 857564672, 5300004390621653734, 15211108884755331267414304071879916714, 2893487415, 13569910723041761482, 172656801397820802300731957404031744287, 1380746832, 5999977114785162343, 33852156658906348753742354346552975474, 3985411583, 16523654311594391115, 300520971540280588872675680288604495560, 415019702, 2380570526619252922, 9805992573889106690406867082601585521, 697504570, 14690295575116204434, 105409450853805433544834546684018363669, 2722489666, 14638341434000291348, 127623354841168495658506873716264048604, 
890244929, 325645790902703655, 131534228171892681124371513773124179887, 2091893431, 17651886966295669692, 276606830961502792889108072057489491897, 3409775821, 1094357859899322287, 273239796524721681097306281752805583730, 726170651, 5017112475039106326, 248509477189870514593193210321950593787, 91712143, 12854466095607364371, 255092451130878688370208689956209514491, 1662785927, 15334764541212234191, 168421660098534979247608876342208719584, 3371784516, 14874200732125652788, 30659801771152056283740071485592896081, 1051408721, 18096388154039883583, 227162954777208763199705110779695830238, 2093838830, 12383912682161821471, 41180491341398182154615435329925045830, 3652039163, 14480955186509154704, 221766901492732021136222930336014947003, 1426673851, 13016770798161081150, 204125322318454582568868470348355324043, 224886893, 7822688215626373258, 50751124225338354219699320501075592077, 3545480652, 843096376421111953, 111094989551688468348093926217079885455, 2430296166, 1179593445975215678, 194097832042190422911221319403515725536, 1763252073, 17793051623583978608, 314809336831089296978787514680998593648, 251738079, 14315450639436659105, 69873405911877166548859054094613840224, 386495058, 10373755624731454497, 59510400513715783563673181241385415323, 2755087941, 4150992642530583790, 182177323350031718899380340006361970951, 257490160, 17691467337931556617, 49661063070622109241236813649851223773, 1226929493, 15836107907323447391, 25677480067201140888733208646566773513, 1679588563, 7172910993248225988, 80609121320733492619104188788047175476, 318293790, 7410149122319794445, 109791054962741723765498089997564023334, 1298963718, 11157435017446179451, 261124920338114579348234113629984983277, 230121794, 8242037484257542412, 252416846152546402223499930445901323747, 244877646, 1351119457131492155, 47930307890646593116063357549162380614, 4274042750, 14673612141331936098, 199378645254453572299332656606046662164, 2623853167, 4295407059377222132, 244431808361890969795849847628756548152, 
1384622204, 11035088643288654183, 306508993161299607692736194762896752222, 2477197949, 3638314922156926485, 247266823514296041897697725947236888775, 3674903044, 2314124878779523292, 28681967804109801451115536588127365420, 244301384, 6242461677125671685, 170885077869948457411361822183835477795, 3098948208, 7341461474453929527, 313936660214353125192074885539414395107, 1872429873, 2282364658439944001, 37724396452519246388298023035047595321, 1866492296, 3474170053964652049, 226769169652033230696526521938989716020, 3501809002, 16134023969071856553, 284897520019875753705580217712893913519, 191155103, 12448487655608476174, 304500319351869596320458220157511621925, 82928820, 14260264076955600821, 26950006400816194367959288633650775212, 934464506, 12801350881599410110, 29318050884839521195036767708262930548, 2592592527, 16418204164862222748, 122618341062075052806764217634034965405, 1743634862, 746505541554455068, 325336444065514886378101723238007000317, 1729286141, 7988616072210161842, 319589732627675554033176532660941178132, 1166940113, 12574203370019159163, 140791481455954996741967337231464730734, 4240631002, 15168623864630995332, 154528956368200267345950537884432753335, 1910686780, 16404335587369416198, 114879036493204646190581392436547259559, 1037511556, 6053628212642486615, 135598678961254921686005320000274544459, 3591540494, 8994518600523820369]
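rr = 0  # number of 32-bit words submitted so far
i = 0   # index into f
while rr<624:
    # 32-bit value: one word
    r = int(f[i])
    rc.submit(r&mask1)
    i+=1
    rr+=1
    if rr == 624:
        # the 624th word is the 32-bit value of group 90; stop before submitting more
        break
    # 64-bit value: two words, low word first
    r = int(f[i])
    rc.submit((r&mask1))
    rr += 1
    rc.submit((r&mask2)>>32)
    i+=1
    rr += 1
    # 128-bit value: four words, low word first
    r = int(f[i])
    rc.submit((r&mask1))
    rr += 1
    rc.submit((r&mask2)>>32)
    rr += 1
    rc.submit((r&mask3)>>64)
    rr += 1
    rc.submit(r>>96)
    rr += 1
    i+=1
# continue the 64/128/32-bit cycle from group 90 up to group 100
for _ in range(11):
    r=rc.predict_randrange(0,2**64-1)
    print(r)
    r=rc.predict_randrange(0,2**128-1)
    print(r)
    r=rc.predict_randrange(0,2**32-1)
    print(r)
# predicted 128-bit value of group 100, copied from the output above
print('DASFLAG{'+md5(b'16317540724729659494409803211180539173').hexdigest()+'}')
print(md5(b'16317540724729659494409803211180539173').hexdigest())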
The flag is the output of the second print:
0bad2614132eedd104cd485aaebb5664
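How 624 observed words pin down the generator, as an added example that is not the writeup's script or randcrack's code: each output is untempered back to its state word and loaded into a fresh `random.Random`, which then reproduces the withheld final value. The seed and the 300 outputs are constructed here with `getrandbits`, following the same 32/64/128-bit pattern the writeup assumes.

```python
import random

MASK32 = 0xFFFFFFFF
WIDTHS = (32, 64, 128)  # output sizes cycle in this order, as in the challenge

def undo_right(y, shift):
    """Invert y ^= y >> shift on a 32-bit word."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def undo_left(y, shift, mask):
    """Invert y ^= (y << shift) & mask on a 32-bit word."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32

def untemper(y):
    """Map one 32-bit output back to the state word it came from."""
    y = undo_right(y, 18)
    y = undo_left(y, 15, 4022730752)
    y = undo_left(y, 7, 2636928640)
    return undo_right(y, 11)

def clone_from_outputs(outputs):
    """Return (clone, index of the next output) once 624 words are collected."""
    words = []
    for idx, value in enumerate(outputs):
        nwords = WIDTHS[idx % 3] // 32
        words += [(value >> (32 * k)) & MASK32 for k in range(nwords)]  # low word first
        if len(words) >= 624:
            break
    if len(words) != 624:
        raise ValueError("need exactly 624 words ending on an output boundary")
    clone = random.Random()
    clone.setstate((3, tuple(untemper(w) for w in words) + (624,), None))
    return clone, idx + 1

def demo(seed=2021):  # constructed seed standing in for the unknown one
    victim = random.Random(seed)
    outputs = [victim.getrandbits(WIDTHS[i % 3]) for i in range(300)]
    clone, nxt = clone_from_outputs(outputs[:-1])  # last value withheld
    for i in range(nxt, 300):
        guess = clone.getrandbits(WIDTHS[i % 3])
    return nxt, guess == outputs[-1]
```

This is why `random` must not generate keys or tokens; `secrets` and `os.urandom` draw from the operating system's CSPRNG instead.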
Random4
The challenge:
import random
from gmpy2 import *
from Crypto.Util.number import *
FLAG = b'xxx'
f = open('output.txt', 'w+')
seed = random.getrandbits(32)
def _int32(x):
    return int(0xFFFFFFFF & x)
class MT19937:
    def __init__(self, seed):
        self.mt = [0] * 624
        self.mt[0] = seed
        self.mti = 0
        for i in range(1, 624):
            self.mt[i] = _int32(1812433253 * (self.mt[i - 1] ^ self.mt[i - 1] >> 30) + i)
    def extract_number(self):
        if self.mti == 0:
            self.twist()
        y = self.mt[self.mti]
        y = y ^ y >> 11
        y = y ^ y << 7 & 2636928640
        y = y ^ y << 15 & 4022730752
        y = y ^ y >> 18
        self.mti = (self.mti + 1) % 624
        return _int32(y)
    def twist(self):
        for i in range(0, 624):
            y = _int32((self.mt[i] & 0x80000000) + (self.mt[(i + 1) % 624] & 0x7fffffff))
            self.mt[i] = (y >> 1) ^ self.mt[(i + 397) % 624]
            if y % 2 != 0:
                self.mt[i] = self.mt[i] ^ 0x9908b0df
    def getrandbits(self, bits):
        if bits == 32:
            return self.extract_number()
        elif bits < 32:
            return self.extract_number() >> (32-bits)
        elif bits > 32:
            res = 0
            for i in range(bits//32):
                res |= self.extract_number()<<(32*i)
            return res
mt = MT19937(seed)
print(mt.mt[random.getrandbits(32)%624], file=f)
r = lambda x: bytes([mt.getrandbits(8)])
P = getPrime(1024, randfunc=r)
Q = getPrime(1024, randfunc=r)
N = P*Q
assert gcd(seed, (P-1)*(Q-1)) == 1
print(powmod(bytes_to_long(FLAG), seed, N), file=f)
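From the internet-connected computer I went straight to zbc53.top and, following striving's article http://zbc53.top/archives/72/, found how to invert MT19937. Comparing it with this challenge, only the init function needs to be inverted to find the seed. The leaked value is one word of the initial state at an unknown index, so the script tries every index, keeps the candidates where the gcd equals 1, and checks whether the decrypted result contains the flag; that is all it takes. The script follows: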
from gmpy2 import invert
import gmpy2
from gmpy2 import *
import binascii
from Crypto.Util.number import *
from tqdm import tqdm
# Same generator as in the challenge, used to regenerate P and Q from a candidate seed
class MT19937:
    def __init__(self, seed):
        self.mt = [0] * 624
        self.mt[0] = seed
        self.mti = 0
        for i in range(1, 624):
            self.mt[i] = _int32(1812433253 * (self.mt[i - 1] ^ self.mt[i - 1] >> 30) + i)
    def extract_number(self):
        if self.mti == 0:
            self.twist()
        y = self.mt[self.mti]
        y = y ^ y >> 11
        y = y ^ y << 7 & 2636928640
        y = y ^ y << 15 & 4022730752
        y = y ^ y >> 18
        self.mti = (self.mti + 1) % 624
        return _int32(y)
    def twist(self):
        for i in range(0, 624):
            y = _int32((self.mt[i] & 0x80000000) + (self.mt[(i + 1) % 624] & 0x7fffffff))
            self.mt[i] = (y >> 1) ^ self.mt[(i + 397) % 624]
            if y % 2 != 0:
                self.mt[i] = self.mt[i] ^ 0x9908b0df
    def getrandbits(self, bits):
        if bits == 32:
            return self.extract_number()
        elif bits < 32:
            return self.extract_number() >> (32 - bits)
        elif bits > 32:
            res = 0
            for i in range(bits // 32):
                res |= self.extract_number() << (32 * i)
            return res
def _int32(x):
    return int(0xFFFFFFFF&x)
# Assume the leak is mt[i] and run the init recurrence forward to mt[623]
def init(i,_mt):
    mt = [_mt]
    for j in range(i+1,624):
        mt.append(_int32(1812433253 * (mt[-1] ^ mt[-1] >> 30) + j))
    return mt[-1]
# Invert res = x ^ (x >> shift) on a 32-bit word
def invert_right(res,shift):
    tmp = res
    bits = len(bin(res)[2:])
    for i in range(bits//shift):
        res = tmp^res >>shift
    return _int32(res)
# Run the init recurrence backward from mt[623] to mt[0], which is the seed
def recover(last):
    n = 1<<32
    inv = invert(1812433253,n)
    for i in range(623,0,-1):
        last = ((last-i)*inv)%n
        last = invert_right(last,30)
    return last
_mt = 100176385
c = 7571652196092766090223186968087558579037842139444888198021178964714588918428192595419143310313602496376488070138966767698261219731901971329723666329289397709402485330671760821506879601328248124891987994732350640380957162534279887373825208046643057935110477288495767347874339752278312527376341171653341964866349488414265994501516173772247656668142437751412445921317071812554970172805235171477540302822784811317482339840833526886233494604510217374103068830159144334783219206523515296840693029930189771716952924259839709886180622612198146166363697344348786494017103284853009286490109212269809358401224990541417167758429
# Try every possible index of the leaked state word
for i in tqdm(range(1,624)):
    l_mt = init(i,_mt)
    seed=recover(l_mt)
    mt = MT19937(seed)
    r = lambda x: bytes([mt.getrandbits(8)])
    P = getPrime(1024, randfunc=r)
    Q = getPrime(1024, randfunc=r)
    N = P * Q
    if(gcd(seed, (P-1)*(Q-1)) ==1 ):
        # the seed is the RSA public exponent, so invert it modulo (P-1)*(Q-1)
        L = (P-1)*(Q-1)
        d=invert(seed,L)
        m=pow(c,d,N)
        flag=long_to_bytes(m)
        if((b'DASCTF' in flag) or (b'flag' in flag) or (b'FLAG' in flag) or(b'dasctf' in flag)):
            print(flag)
            print(i)
Don't ask about the imports above; a few of them can be deleted, but I was too lazy to try. Once it ran I left it alone.
49%|████▊ | 303/623 [06:01<07:20, 1.38s/it]b'DASCTF{cbf5c7ec67b7083293f70f898162e3b6}'
flag: cbf5c7ec67b7083293f70f898162e3b6
Schoolboy
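Android reversing, but what the challenge asks for is simple: Base64-decode the ciphertext, then compute s[i]^i. Open it with jadx-gui-1.2.0 and find the core function.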
import base64
s = base64.b64decode('REBRQFBDfWY5MDgzOj9vbiNzdCcicXBxeiwteS0vfHtDQhZAFRwfWggJCgsMDQ4P')
for i in range(len(s)):
    print(chr(s[i]^i),end='')
DASCTF{a192862aa3bf46dffb57b12bdcc4c199}
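A Bit of Brute Force (暴力一点)
This challenge honestly doesn't have much of a point. I had forgotten the hashcat and john commands and happened to have a tool at hand, so I cracked it with the tool, Accent OFFICE Password Recovery. Because my copy is unlicensed, it only told me that the password is 23**, so I narrowed down the password range by manual bisection and, testing by hand, got the password 2345. Then open the document; the flag is behind the image.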
flag{9c2965fa13be342b8e70a50410bc76bd}
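blasting's attachment
A tool challenge, the same as [INSHack2018] (not) so deep. Viewing the spectrogram of John.wav gives the first part. Then, looking at the height of 2.png, it is the same as 1.png, so change the width to match 1.png as well. This gives two similar images, so go straight to blind watermarking. The hint is Deepsound. Then use deepsound2john.py to produce the hash for john:
python3 deepsound2john.py john.wav
john.wav:$dynamic_1529$7242ef6f559962f7e928afc8be404f611557e267
Then run john on it directly and get the password !@#$%^&*. Then DeepSound 2.0: one pass with the tool gives flag.txt, whose content is radio}. Put together it is flag{iheatradio}; just MD5 the part in the middle. I think it is the one below: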
725456a7196c09b559ccd441738b0cae
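(Cursed thing; I kept thinking deepsound had to be added.)
Sign-in: I forgot the challenge; anyway it was just base16 + base32 + base64. The first-blood bonus was sweet, and it simply came down to who solved it fastest.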
Alice
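This challenge is truly cursed. Everything was going smoothly and then something hellish showed up; more on that later. First, there is a raw file, a memory image.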
volatility -f Alien.raw imageinfo
It is an XP image.
volatility -f Alien.raw --profile=WinXPSP2x86 pslist
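These processes could not be more telling. For cmd, look at cmdscan or consoles; for notepad, look at notepad and editbox; for WinRAR, grep for zip, 7z and rar when running filescan.
There is a secret.7z on the desktop. Another basic move is to scan for the desktop folder, 桌面 or Desktop (in this challenge it is 桌面), which turns up a Fakeflag.txt as well, so dump both the 7z and the fake flag.
volatility -f Alien.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000221e540 -D ./
volatility -f Alien.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002245f40 -D ./
Opening fakeflag gives this: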
𓅂='',𓂀=!𓅂+𓅂,𓁄=!𓂀+𓅂,𓊎=𓅂+{},𓆣=𓂀[𓅂++],𓊝=𓂀[𓇎=𓅂],𓏢=++𓇎+𓅂,𓆗=𓊎[𓇎+𓏢],𓂀[𓆗+=𓊎[𓅂]+(𓂀.𓁄+𓊎)[𓅂]+𓁄[𓏢]+𓆣+𓊝+𓂀[𓇎]+𓆗+𓆣+𓊎[𓅂]+𓊝][𓆗](𓁄[𓅂]+𓁄[𓇎]+𓂀[𓏢]+𓊝+𓆣+'`𓁄[𓅂]`')``
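Baidu it, of course. Then do as in the screenshot and change the file extension to html; this produces a pop-up.
Now look at the 7z: it is encrypted. The password is the content of this pop-up (this is where it gets cursed):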
𓁄[𓅂]
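Extraction succeeds and yields secret.wav. I took a look at the spectrogram.
Well, what the heck is this. From here on it is a post-contest reproduction. The solution is to use https://waver.ggerganov.com/ to decode this audio. What I want to know is: the internet-connected computer doesn't allow copying files, and this needs the audio to be played, so how was I supposed to do it? Besides, each session on it lasts only a few minutes, which is nowhere near enough to find the tools needed, and GitHub access is poor too. The method is to play the audio with Spectrum open, and after it finishes listening, click Messages to see the flag. All I can say is that putting this in a provincial contest is really damn cursed.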
flag:ohhh_Y0u_find_the_Secr3t_between_dasctf_and_alien!!!