2021 Red Hat Cup (红帽杯) writeup


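Foreword:

  • cnblogs (博客园) has been unusable for a long time, so I reluctantly moved to 51cto
  • From now on I will try to write more detailed writeups, to help myself and to help more people understand
  • Discussion is welcome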

misc

EBCDIC


The sign-in challenge. Many people don't look at the file name and just open the file to read its contents:

啌亣捆咇凁攨mpm檯剤仯蝠蝰?

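The first impression is that it is garbled text, and then people start trying things at random. But the challenge has already given the information: this is EBCDIC. Some people may not know it; a search engine helps. As for how to convert it, you can write a script, use Linux, open it directly in Office, or convert it in 010 Editor; any of these works. I converted it with 010 Editor here.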
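The "write a script" route mentioned above, as an added example that is not part of the original writeup: it scores how EBCDIC-like a byte string is and decodes it with the EBCDIC code pages built into Python. The sample bytes are constructed (not the challenge file) and the function names are illustrative.

```python
import string

# EBCDIC code pages shipped with CPython's codecs module.
EBCDIC_CODECS = ("cp037", "cp500", "cp1140", "cp273", "cp1026")


def ebcdic_score(data: bytes) -> float:
    """Fraction of bytes that fall in the EBCDIC space/letter/digit ranges."""
    if not data:
        return 0.0
    hits = sum(
        b == 0x40                                                        # space
        or 0x81 <= b <= 0x89 or 0x91 <= b <= 0x99 or 0xA2 <= b <= 0xA9  # a-z
        or 0xC1 <= b <= 0xC9 or 0xD1 <= b <= 0xD9 or 0xE2 <= b <= 0xE9  # A-Z
        or 0xF0 <= b <= 0xF9                                             # 0-9
        for b in data
    )
    return hits / len(data)


def decode_ebcdic(data: bytes):
    """Try each code page; return (codec, text) giving the most printable ASCII."""
    printable = set(string.printable)
    best = None
    for codec in EBCDIC_CODECS:
        text = data.decode(codec, errors="replace")
        ratio = sum(ch in printable for ch in text) / max(len(text), 1)
        if best is None or ratio > best[0]:   # ties keep the earlier codec
            best = (ratio, codec, text)
    return best[1], best[2]


# Constructed sample (not the challenge file): a string stored as EBCDIC.
SAMPLE = "flag{constructed_sample}".encode("cp037")

if __name__ == "__main__":
    print("EBCDIC score:", round(ebcdic_score(SAMPLE), 3))
    print("as latin-1  :", repr(SAMPLE.decode("latin-1")))
    print("decoded     :", decode_ebcdic(SAMPLE))
```

A high score on a file that looks like mojibake in every ASCII-compatible encoding is a quick hint that it is EBCDIC; ordinary ASCII text scores close to zero.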

colorful_code


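The attachment consists of two files, data1 and data2. Start by analysing them in 010 Editor.

The data in data1 looks roughly like this:

The data in data2 looks roughly like this:

Without knowing the principle, I could only guess. The first 60 bytes of data2 show no particular pattern, but what follows is basically groups of 3 identical bytes. The largest value in the first 60 bytes of the data is ff, and since the rest comes in groups of 3, it is easy to think of RGB!!! If it is RGB, how are the pixel positions determined? The data in data1 is all printable characters, so it very likely tells us the pixel positions. Write a script to process it:

```python
from PIL import Image

# data1: space-separated indices, one per pixel (the trailing empty item is dropped)
f_data1 = open('data1', 'r').read()
data1 = f_data1.split(' ')[:-1]

# data2: raw bytes, read as consecutive (r, g, b) triples
f_data2 = open('data2', 'rb').read()
data2 = f_data2

res = []
for i in range(len(data2) // 3):
    rgb = data2[i*3:(i+1)*3]
    r, g, b = rgb[0], rgb[1], rgb[2]
    res.append((r, g, b))
# print(res)

# Each data1 entry selects the colour for one pixel; the image is filled column by column
img = Image.new('RGB', (37, 191), (255, 255, 255))
for i in range(37):
    for j in range(191):
        img.putpixel((i, j), res[int(data1[i*191 + j])])
img.show()
img.save('flag.png')
```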

This produces the image.

It is a program in the image programming language of npiet; decode it with the online site: BertNase's Own - npiet fun!

PicPic


The attachment is too large...

crypto

primegame


```python
from decimal import *
import math
import random
import struct
from flag import flag

assert (len(flag) == 48)
msg1 = flag[:24]
msg2 = flag[24:]
primes = [2]
for i in range(3, 90):
    f = True
    for j in primes:
        if i * i < j:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

getcontext().prec = 100
keys = []
for i in range(len(msg1)):
    keys.append(Decimal(primes[i]).ln())

sum_ = Decimal(0.0)
for i, c in enumerate(msg1):
    sum_ += c * Decimal(keys[i])
ct = math.floor(sum_ * 2 ** 256)
print(ct)

sum_ = Decimal(0.0)
for i, c in enumerate(msg2):
    sum_ += c * Decimal(keys[i])
ct = math.floor(sum_ * 2 ** 256)
print(ct)
```

This is a challenge from an overseas competition, almost exactly the same. For the underlying principle, see:

https://github.com/pcw109550/write-up/tree/master/2020/KAPO/Baby_Bubmi

The exploit from the following expert can be used:

http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/

```python
import math
from decimal import *
import random
import struct

getcontext().prec = int(100)
primes = [2]
for i in range(3, 100):
    f = True
    for j in primes:
        if i * i < j:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

keys = []
for i in range(len(primes)):
    keys.append(Decimal(int(primes[i])).ln())
arr = []
for v in keys:
    arr.append(int(v * int(16) ** int(64)))
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453

def encrypt(res):
    h = Decimal(int(0))
    for i in range(len(keys)):
        h += res[i] * keys[i]
    ct = int(h * int(16)**int(64))
    return ct

def f(N):
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64
    A[ln, ln] = ct // N
    res = A.LLL()
    for i in range(ln + 1):
        flag = True
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            vec = [int(v + 64) for v in res[i][:-1]]
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
            else:
                print("NO", ret, bytes(vec))

for i in range(2, 10000):
    print(i)
    f(i)
```

hpcurve


```python
import struct
from random import SystemRandom

p = 10000000000000001119
R.<x> = GF(p)[]
y=x
f = y + y^7
C = HyperellipticCurve(f, 0)
J = C.jacobian()
es = [SystemRandom().randrange(p**3) for _ in range(3)]
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
q = []

def clk():
    global Ds,es
    Ds = [e*D for e,D in zip(es, Ds)]
    return Ds

def generate():
    u,v = sum(clk())
    rs = [u[i] for i in range(3)] + [v[i] for i in range(3)]
    assert 0 not in rs and 1 not in rs
    q = struct.pack('<'+'Q'*len(rs), *rs)
    return q

flag = "flag{xxxxxxx}"
text = 'a'*20+flag
t = ''
keys = generate()
leng = len(keys)
i = 0
for x in text:
    t += chr(ord(keys[i%leng])^^ord(x))
    i+=1
print t.encode('hex')
#for x,y in zip(RNG(),flag):
```

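Surprisingly, this challenge also has an original that it was taken from. It is slightly different, so a small change is enough: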

hxp CTF 2020 - hyper | Joseph Surin | Joseph Surin Personal Blog (jsur.in)

```python
import itertools
import struct

p = 10000000000000001119
R.<x> = GF(p)[]; y=x
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
known_pt = b"a"*20 + b"flag"
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]

RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]

for rs in itertools.product(*vi):
    q = struct.pack('<'+'Q'*len(rs), *rs)
    flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))
    print(flag)
```

re

I was completely wiped out by these challenges; I will reproduce them later~

pwn

I solved only one; when I have time I will reproduce them together later~

web

find-it


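Visiting robots.txt shows:

```
When I was a child,I also like to read Robots.txt
Here is what you want:1ndexx.php
```

This hints at visiting 1ndexx.php, but accessing it directly returns a 500. Reading it through a pseudo-protocol did not work either, since I did not know the parameter name and the relevant keywords may have been filtered, so I was stuck. After sleeping on it, I thought there might be a hidden information leak, and after some attempts I found a leaked vim file:

.1ndexx.php.swp

This yields the source code: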

```php+HTML
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}

#logo {
margin-bottom: 40px;
}
</style>

</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>
```

The value passed in the code parameter is written to hack.php, so first request:

/?code=<?php phpinfo();

Then just visit hack.php. ~~**I am not a web player; for the other web challenges, see other people's writeups**~~ (actually I just couldn't solve them)
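The source above was exposed through a vim swap file left beside the script, which the server hands out as a plain file because its name no longer ends in .php. A pre-deployment check for such leftovers, as an added example that is not part of the original writeup; the pattern list, function names and the temporary webroot are assumptions made for this sketch.

```python
import os
import re
import tempfile

# Editor/backup leftovers that a web server serves as plain files because
# their names no longer end in an interpreted extension such as .php.
ARTEFACT_PATTERNS = [
    (re.compile(r"^\.(?P<src>.+)\.sw[a-p]$"), "vim swap file"),
    (re.compile(r"^(?P<src>.+)~$"), "editor backup"),
    (re.compile(r"^(?P<src>.+)\.(bak|old|orig|save)$"), "manual backup"),
    (re.compile(r"^#(?P<src>.+)#$"), "emacs autosave"),
]


def find_leaky_artefacts(webroot):
    """Return sorted (relative_path, kind, source_name) for each leftover under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            for pattern, kind in ARTEFACT_PATTERNS:
                m = pattern.match(name)
                if m:
                    rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                    findings.append((rel, kind, m.group("src")))
                    break
    return sorted(findings)


def demo():
    """Scan a constructed webroot that mirrors the file names seen in this challenge."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("robots.txt", "1ndexx.php", ".1ndexx.php.swp",
                     "flag.php", "hack.php", "logo.png"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        return find_leaky_artefacts(root)


if __name__ == "__main__":
    for rel, kind, src in demo():
        print(f"{rel}: {kind} exposing the source of {src}")
```

Run against a real document root in a deploy pipeline, any finding should fail the build; denying requests for dotfiles and backup suffixes at the web server covers files created after deployment.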
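© Copyright belongs to the author: this is an original work by 51CTO blog author 寒江寻影. If you repost it, please credit the source; otherwise legal liability will be pursued.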
