2021红帽杯 wp(持续更新~~)
2021红帽杯wp
前言:
- 博客园不能用好久了,无奈转51cto
- 以后尽量wp写详细一点,帮助自己,也帮助更多的人看懂
- 欢迎交流
misc
EBCDIC
签到题,很多人不看文件名,直接就点开看内容
啌亣捆咇凁攨mpm檯剤仯蝠蝰?
第一个印象就是乱码,然后就一顿乱操作,但是题目已经给信息,这个是EBCDIC码,可能有些人不知道这个,可以借助搜索引擎,关于怎么转码这个,可以写脚本,借助linux,office直接打开,010转码都行,我这里用010转码
colorful_code
附件是data1文件和data2两个文件,先010分析一下
data1的数据大致如下
data2的数据大致如下
这里在不知道原理的情况情况下,只能猜,data2的前60字节没有什么特别的规律,但是后面的基本就是3个相同一组,data前60字节中最大为ff,又因为后面3个一组,很容易联想到是rgb!!!如果是rgb的情况,如何确保像素点的位置?data1的数据都是可见字符,那么很有可能就是告诉我们像素点的位置,编写脚本处理一下
from PIL import Imagef_data1 = open('data1','r').read()data1 = f_data1.split(' ')[:-1]f_data2 = open('data2','rb').read()data2 = f_data2res = []for i in range(len(data2)//3): rgb = data2[i*3:(i+1)*3] r,g,b = rgb[0],rgb[1],rgb[2] res.append((r,g,b))#print(res)img = Image.new('RGB',(37,191),(255,255,255))for i in range(37): for j in range(191): img.putpixel((i,j),res[int(data1[i*191+j])])img.show()img.save('flag.png')
得到图片
npiet的图片编程语言 ,在线网站解密一下: BertNase's Own - npiet fun!,
PicPic
附件太大。。。
crypto
primegame
from decimal import *import mathimport randomimport structfrom flag import flagassert (len(flag) == 48)msg1 = flag[:24]msg2 = flag[24:]primes = [2]for i in range(3, 90): f = True for j in primes: if i * i < j: break if i % j == 0: f = False break if f: primes.append(i)getcontext().prec = 100keys = []for i in range(len(msg1)): keys.append(Decimal(primes[i]).ln())sum_ = Decimal(0.0)for i, c in enumerate(msg1): sum_ += c * Decimal(keys[i])ct = math.floor(sum_ * 2 ** 256)print(ct)sum_ = Decimal(0.0)for i, c in enumerate(msg2): sum_ += c * Decimal(keys[i])ct = math.floor(sum_ * 2 ** 256)print(ct)
国外比赛的一个题,几乎就是一模一样,具体的原理可以看
https://github.com/pcw109550/write-up/tree/master/2020/KAPO/Baby_Bubmi
exp可用以下这位大佬的
http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/
import mathfrom decimal import *import randomimport structgetcontext().prec = int(100)primes = [2]for i in range(3, 100): f = True for j in primes: if i * i < j: break if i % j == 0: f = False break if f: primes.append(i)keys = []for i in range(len(primes)): keys.append(Decimal(int(primes[i])).ln())arr = []for v in keys: arr.append(int(v * int(16) ** int(64)))ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453def encrypt(res): h = Decimal(int(0)) for i in range(len(keys)): h += res[i] * keys[i] ct = int(h * int(16)**int(64)) return ctdef f(N): ln = len(arr) A = Matrix(ZZ, ln + 1, ln + 1) for i in range(ln): A[i, i] = 1 A[i, ln] = arr[i] // N A[ln, i] = 64 A[ln, ln] = ct // N res = A.LLL() for i in range(ln + 1): flag = True for j in range(ln): if -64 <= res[i][j] < 64: continue flag = False break if flag: vec = [int(v + 64) for v in res[i][:-1]] ret = encrypt(vec) if ret == ct: print(N, bytes(vec)) else: print("NO", ret, bytes(vec))for i in range(2, 10000): print(i) f(i)
hpcurve
import structfrom random import SystemRandomp = 10000000000000001119R.<x> = GF(p)[]y=xf = y + y^7C = HyperellipticCurve(f, 0)J = C.jacobian()es = [SystemRandom().randrange(p**3) for _ in range(3)]Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]q = []def clk(): global Ds,es Ds = [e*D for e,D in zip(es, Ds)] return Dsdef generate(): u,v = sum(clk()) rs = [u[i] for i in range(3)] + [v[i] for i in range(3)] assert 0 not in rs and 1 not in rs q = struct.pack('<'+'Q'*len(rs), *rs) return qflag = "flag{xxxxxxx}"text = 'a'*20+flagt = ''keys = generate()leng = len(keys)i = 0for x in text: t += chr(ord(keys[i%leng])^^ord(x)) i+=1print t.encode('hex')#for x,y in zip(RNG(),flag):
这个题居然也有原题,但是稍微不一样,改一下即可
hxp CTF 2020 - hyper | Joseph Surin | Joseph Surin Personal Blog (jsur.in)
import itertoolsimport structp = 10000000000000001119R.<x> = GF(p)[]; y=xf = y + prod(map(eval, 'yyyyyyy'))C = HyperellipticCurve(f, 0)J = C.jacobian()Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')known_pt = b"a"*20 + b"flag"rng_output = bytes(e^^m for e,m in zip(enc, known_pt))blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]ui = [int.from_bytes(r, 'little') for r in blocks]u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]L = GF(p).algebraic_closure()roots = [r[0] for r in u.change_ring(L).roots()]RR.<zz> = PolynomialRing(L)v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]vi = [(int(-c), int(c)) for c in vi]for rs in itertools.product(*vi): q = struct.pack('<'+'Q'*len(rs), *rs) flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc)) print(flag)
re
直接被题目ak,后续复现~
pwn
只解出一个,后续有时间再一起复现~
web
find-it
访问robots.txt,发现
When I was a child,I also like to read Robots.txtHere is what you want:1ndexx.php
这个地方提示访问1ndexx.php,但是直接访问直接500,伪协议读取也不知道传参是什么,并且可能过滤了相关字样,就无解了,后来睡醒后想到可能隐含泄露信息,通过尝试,发现vim文件泄露
.1ndexx.php.swp
得到源码
```php+HTML
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}
#logo { margin-bottom: 40px;}</style>
</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>
通过code传参, 写入code的请求到hack.php,先
/?code=<?php phpinfo();
然后访问hack.php即可~~**本人非web选手,其他web的wp可见其他师傅的wp**~~(其实就是不会)
©著作权归作者所有:来自51CTO博客作者寒江寻影的原创作品,如需转载,请注明出处,否则将追究法律责任
更多相关文章
- PHP:OOP基础/类(对象抽象化的结果)与对象 (类实例化结果)/构造方
- 教你 Shiro + SpringBoot 整合 JWT
- 炫酷,SpringBoot+Echarts实现用户访问地图可视化(附源码)
- 通过 nginx-proxy 实现自动反向代理和 HTTPS
- 类的重定向,命名空间和内容的访问
- 虚假软件更新滥用NetSupport远程访问工具
- eNSP:访问控制列表 ACL
- 痞子衡嵌入式:超级下载算法(RT-UFL)开发笔记(3) - 统一FlexSPI驱动
- PHP获取访问URL指定参数值