Web
Lottery
通過嘗試swp,bak,git,發(fā)現(xiàn)其存在Git源碼泄露(一開始還把403認(rèn)成404)(實力眼瞎.jpg)
mark
之后把源碼拖下來~
mark
審計代碼非洲,發(fā)現(xiàn)弱類型比較漏洞
mark
mark
利用json傳bool值進(jìn)行比較
mark
即可獲得足夠的錢數(shù),購買flag即可闰蚕。
mark
News Center
發(fā)現(xiàn)搜索型注入漏洞,構(gòu)造payload连舍。
mark
爆字段數(shù)
mark
爆表名('or 1=1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='secret_table'#)
mark
mark
拿flag
mark
Confusion1
打開網(wǎng)站没陡,在404頁面發(fā)現(xiàn)
mark
于是判斷是存在任意文件讀取漏洞,但是尋找了一波無果索赏,于是懷疑是服務(wù)器模板注入(SSTI攻擊)
于是測試<script>alert(42)</script> 盼玄,被waf攔截了
mark
于是再測試{{ 7+7 }} ,發(fā)現(xiàn)成功回顯潜腻!
mark
于是確認(rèn)漏洞存在且有waf埃儿,于是測試攔截詞,發(fā)現(xiàn)至少有system融涣,class童番,read被攔截,于是嘗試使用傳入額外參數(shù)的方式進(jìn)行繞過威鹿,例如本來是要用{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}剃斧,構(gòu)造payload拿到flag。但是由于class专普,mro悯衬,read均被攔截那么可以寫為{{''[request.cookies.a][request.cookies.b][2][request.cookies.c]()[40]('/etc/passwd')[request.cookies.d]()}}并傳入四個cookiea=__class__; b=__mro__; c=__subclasses__; d=read
發(fā)現(xiàn)成功!
mark
于是嘗試讀取文件檀夹,直接拿到flag
mark
PS:還嘗試讀取了一下salt,發(fā)現(xiàn)也是成功的策橘。
mark
Reverse
Xman-babymips
又遇到了mips的題炸渡。。丽已。拖進(jìn)IDA分析蚌堵,這時候百度到mips有兩個好用的反編譯器一個是Retdec,另一個是Jeb沛婴,首先嘗試安裝Retdec IDA插件版吼畏,額,發(fā)現(xiàn)需要去注冊嘁灯,但是Retdec開源后已經(jīng)不提供API服務(wù)了泻蚊,本地編譯又不停的編譯失敗于是。丑婿。性雄。没卸。又沒時間搭環(huán)境了。秒旋。约计。。于是又開始嘗試JEB迁筛,JEB不兼容JDK10環(huán)境煤蚌。。细卧。emmmm又開始配環(huán)境铺然。。酒甸。魄健。。折騰了好久插勤。沽瘦。。农尖。析恋。終于。盛卡。助隧。。成功了滑沧。
接著并村,。滓技。哩牍。。(我真傻令漂,真的膝昆,我單知道jeb能反編譯MIPS,但我沒想到叠必。荚孵。。纬朝。反編譯了我也不會收叶。。玄组。滔驾。)
于是谒麦。。哆致。绕德。。接著等官方WP摊阀。耻蛇。。胞此。
mark
Misc
X-man-Keyword
首先發(fā)現(xiàn)keyword臣咖,再加上隱寫載體是圖片于是聯(lián)想到是否為LSB有效最低位隱寫,于是上腳本嘗試漱牵,用給出的lovekfc嘗試夺蛇,發(fā)現(xiàn)解出了內(nèi)容,于是酣胀。刁赦。。闻镶。甚脉。
mark
mark
于是就沒有于是了(╯‵□′)╯︵ ┻━┻ (掀桌子)
這一大堆是啥。铆农。牺氨。。墩剖。猴凹。于是試了凱撒,柵欄涛碑,非等長柵欄(這里面連個CTF的T都沒有啊喂(#`O′))
于是問了問出題人格式精堕,確定是QCTF{SOMETHING}
徹底陷入僵局,后來又放出了hint
hint1:把給出的keyword放到前面試試
hint2:一種把關(guān)鍵詞提前的置換
蒲障。。瘫证。揉阎。于是又是一波操作。背捌。毙籽。行列置換。毡庆。非等長行列置換坑赡。烙如。維吉尼亞密碼。毅否。亚铁。
┬─┬ ノ( ' - 'ノ) {擺好擺好)
為啥還是沒有結(jié)果啊螟加!(╯°Д°)╯︵ ┻━┻(再掀一次)
不說了徘溢。。捆探。這個題等官方WP吧然爆。。黍图。曾雕。
X-man-A face
簽到題。助被。不用多說了剖张。。恰起。補全一波二維碼修械,
mark
mark
掃描二維碼
mark
base32解密
mark
picture
看到提示(我承認(rèn)我一開始沒想到。检盼。肯污。。)解密圖片吨枉,
mark
之后拿到加密邏輯腳本蹦渣,發(fā)現(xiàn)是DES的實現(xiàn)腳本,寫出解密腳本
#_*_ coding:utf-8 _*_
import re
import sys
ip= (58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9 , 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7)
ip_1=(40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25)
e =(32, 1, 2, 3, 4, 5, 4, 5,
6, 7, 8, 9, 8, 9, 10, 11,
12,13, 12, 13, 14, 15, 16, 17,
16,17, 18, 19, 20, 21, 20, 21,
22, 23, 24, 25,24, 25, 26, 27,
28, 29,28, 29, 30, 31, 32, 1)
p=(16, 7, 20, 21, 29, 12, 28, 17,
1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9,
19, 13, 30, 6, 22, 11, 4, 25)
s=[ [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
[0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
[4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
[15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]],
[[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
[3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
[0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
[13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]],
[[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
[13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
[13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
[1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]],
[[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
[13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14,9],
[10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
[3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]],
[[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
[14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
[4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
[11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]],
[[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
[10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
[9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
[4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]],
[[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
[13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
[1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
[6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]],
[[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
[1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
[7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
[2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]]
pc1=(57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4);
pc2= (14, 17, 11, 24, 1, 5, 3, 28,
15, 6, 21, 10, 23, 19, 12, 4,
26, 8, 16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55, 30, 40,
51, 45, 33, 48, 44, 49, 39, 56,
34, 53, 46, 42, 50, 36, 29, 32)
d = ( 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1)
__all__=['desencode']
class DES():
def __init__(self):
pass
def code(self,from_code,key,code_len,key_len):
output=""
trun_len=0
code_string=self._functionCharToA(from_code,code_len)
code_key=self._functionCharToA(key,key_len)
if code_len%16!=0:
real_len=(code_len/16)*16+16
else:
real_len=code_len
if key_len%16!=0:
key_len=(key_len/16)*16+16
key_len*=4
trun_len=4*real_len
for i in range(0,trun_len,64):
run_code=code_string[i:i+64]
l=i%key_len
run_key=code_key[l:l+64]
run_code= self._codefirstchange(run_code)
run_key= self._keyfirstchange(run_key)
for j in range(16):
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r
code_r= self._functionE(code_r)
key_l=run_key[0:28]
key_r=run_key[28:56]
key_l=key_l[d[j]:28]+key_l[0:d[j]]
key_r=key_r[d[j]:28]+key_r[0:d[j]]
run_key=key_l+key_r
key_y= self._functionKeySecondChange(run_key)
code_r= self._codeyihuo(code_r,key_y)
code_r= self._functionS(code_r)
code_r= self._functionP(code_r)
code_r= self._codeyihuo(code_l,code_r)
run_code+=code_r
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r+code_l
output+=self._functionCodeChange(run_code)
return output
def _codeyihuo(self,code,key):
code_len=len(key)
return_list=''
for i in range(code_len):
if code[i]==key[i]:
return_list+='0'
else:
return_list+='1'
return return_list
def _codefirstchange(self,code):
changed_code=''
for i in range(64):
changed_code+=code[ip[i]-1]
return changed_code
def _keyfirstchange (self,key):
changed_key=''
for i in range(56):
changed_key+=key[pc1[i]-1]
return changed_key
def _functionCodeChange(self, code):
lens=len(code)/4
return_list=''
for i in range(lens):
list=''
for j in range(4):
list+=code[ip_1[i*4+j]-1]
return_list+="%x" %int(list,2)
return return_list
def _functionE(self,code):
return_list=''
for i in range(48):
return_list+=code[e[i]-1]
return return_list
def _functionP(self,code):
return_list=''
for i in range(32):
return_list+=code[p[i]-1]
return return_list
def _functionS(self, key):
return_list=''
for i in range(8):
row=int( str(key[i*6])+str(key[i*6+5]),2)
raw=int(str( key[i*6+1])+str(key[i*6+2])+str(key[i*6+3])+str(key[i*6+4]),2)
return_list+=self._functionTos(s[i][row][raw],4)
return return_list
def _functionKeySecondChange(self,key):
return_list=''
for i in range(48):
return_list+=key[pc2[i]-1]
return return_list
def _functionCharToA(self,code,lens):
return_code=''
lens=lens%16
for key in code:
code_ord=int(key,16)
return_code+=self._functionTos(code_ord,4)
if lens!=0:
return_code+='0'*(16-lens)*4
return return_code
def _functionTos(self,o,lens):
return_code=''
for i in range(lens):
return_code=str(o>>i &1)+return_code
return return_code
def tohex(string):
return_string=''
for i in string:
return_string+="%02x"%ord(i)
return return_string
def tounicode(string):
return_string=''
string_len=len(string)
for i in range(0,string_len,2):
return_string+=chr(int(string[i:i+2],16))
return return_string
def desencode(from_code,key):
from_code=tohex(from_code)
key=tohex(key)
des=DES()
key_len=len(key)
string_len=len(from_code)
if string_len<1 or key_len<1:
print 'error input'
return False
key_code= des.code(from_code,key,string_len,key_len)
return key_code
# if __name__ == '__main__':
# if(desencode(sys.argv[1],'mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf')=='e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72'):
# print 'correct.'
# else:
# print 'try again.'
__all__=['desdecode']
class DES():
'''解密函數(shù)貌亭,DES加密與解密的方法相差不大
只是在解密的時候所用的子密鑰與加密的子密鑰相反
'''
def __init__(self):
pass
def decode(self,string,key,key_len,string_len):
output=""
trun_len=0
num=0
#將密文轉(zhuǎn)換為二進(jìn)制
code_string=self._functionCharToA(string,string_len)
#獲取字密鑰
code_key=self._getkey(key,key_len)
#如果密鑰長度不是16的整數(shù)倍則以增加0的方式變?yōu)?6的整數(shù)倍
real_len=(key_len/16)+1 if key_len%16!=0 else key_len/16
trun_len=string_len*4
#對每64位進(jìn)行一次加密
for i in range(0,trun_len,64):
run_code=code_string[i:i+64]
run_key=code_key[num%real_len]
#64位明文初始置換
run_code= self._codefirstchange(run_code)
#16次迭代
for j in range(16):
code_r=run_code[32:64]
code_l=run_code[0:32]
#64左右交換
run_code=code_r
#右邊32位擴(kuò)展置換
code_r= self._functionE(code_r)
#獲取本輪子密鑰
key_y=run_key[15-j]
#異或
code_r= self._codeyihuo(code_r,key_y)
#S盒代替/選擇
code_r= self._functionS(code_r)
#P轉(zhuǎn)換
code_r= self._functionP(code_r)
#異或
code_r= self._codeyihuo(code_l,code_r)
run_code+=code_r
num+=1
#32互換
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r+code_l
#將二進(jìn)制轉(zhuǎn)換為16進(jìn)制柬唯、逆初始置換
output+=self._functionCodeChange(run_code)
return output
#獲取子密鑰
def _getkey(self,key,key_len):
#將密鑰轉(zhuǎn)換為二進(jìn)制
code_key=self._functionCharToA(key,key_len)
a=['']*16
real_len=(key_len/16)*16+16 if key_len%16!=0 else key_len
b=['']*(real_len/16)
for i in range(real_len/16):
b[i]=a[:]
num=0
trun_len=4*key_len
for i in range(0,trun_len,64):
run_key=code_key[i:i+64]
run_key= self._keyfirstchange(run_key)
for j in range(16):
key_l=run_key[0:28]
key_r=run_key[28:56]
key_l=key_l[d[j]:28]+key_l[0:d[j]]
key_r=key_r[d[j]:28]+key_r[0:d[j]]
run_key=key_l+key_r
key_y= self._functionKeySecondChange(run_key)
b[num][j]=key_y[:]
num+=1
return b
#異或
def _codeyihuo(self,code,key):
code_len=len(key)
return_list=''
for i in range(code_len):
if code[i]==key[i]:
return_list+='0'
else:
return_list+='1'
return return_list
#密文或明文初始置換
def _codefirstchange(self,code):
changed_code=''
for i in range(64):
changed_code+=code[ip[i]-1]
return changed_code
#密鑰初始置換
def _keyfirstchange (self,key):
changed_key=''
for i in range(56):
changed_key+=key[pc1[i]-1]
return changed_key
#逆初始置換
def _functionCodeChange(self, code):
return_list=''
for i in range(16):
list=''
for j in range(4):
list+=code[ip_1[i*4+j]-1]
return_list+="%x" %int(list,2)
return return_list
#擴(kuò)展置換
def _functionE(self,code):
return_list=''
for i in range(48):
return_list+=code[e[i]-1]
return return_list
#置換P
def _functionP(self,code):
return_list=''
for i in range(32):
return_list+=code[p[i]-1]
return return_list
#S盒代替選擇置換
def _functionS(self, key):
return_list=''
for i in range(8):
row=int( str(key[i*6])+str(key[i*6+5]),2)
raw=int(str( key[i*6+1])+str(key[i*6+2])+str(key[i*6+3])+str(key[i*6+4]),2)
return_list+=self._functionTos(s[i][row][raw],4)
return return_list
#密鑰置換選擇2
def _functionKeySecondChange(self,key):
return_list=''
for i in range(48):
return_list+=key[pc2[i]-1]
return return_list
#將十六進(jìn)制轉(zhuǎn)換為二進(jìn)制字符串
def _functionCharToA(self,code,lens):
return_code=''
lens=lens%16
for key in code:
code_ord=int(key,16)
return_code+=self._functionTos(code_ord,4)
if lens!=0:
return_code+='0'*(16-lens)*4
return return_code
#二進(jìn)制轉(zhuǎn)換
def _functionTos(self,o,lens):
return_code=''
for i in range(lens):
return_code=str(o>>i &1)+return_code
return return_code
#將unicode字符轉(zhuǎn)換為16進(jìn)制
def tohex(string):
return_string=''
for i in string:
return_string+="%02x"%ord(i)
return return_string
def tounicode(string):
return_string=''
string_len=len(string)
for i in range(0,string_len,2):
return_string+=chr(int(string[i:i+2],16))
return return_string
#入口函數(shù)
def desdecode(from_code,key):
key=tohex(key)
des=DES()
key_len=len(key)
string_len=len(from_code)
if string_len%16!=0:
return False
if string_len<1 or key_len<1:
return False
key_code= des.decode(from_code,key,key_len,string_len)
return tounicode(key_code)
#測試
if __name__ == '__main__':
print desdecode('e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72','mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf')
運行,拿到結(jié)果
mark
Noise
對于這道堪稱神題的題圃庭。锄奢。。剧腻。拘央。一看到是音頻題,為了保護(hù)我可憐弱小又無助的耳朵书在。灰伟。。
mark
我連聽都沒聽儒旬,第一時間拖到AU里栏账,唔帖族。。挡爵。一番檢查
檢查歷程:
1.誒~是不是頻譜圖里藏了東西(竖般。???)ノ
打開頻譜圖,拉伸了讨,放大捻激,移動。前计。胞谭。。男杈。
看來是沒東西了(丈屹。﹏。*)
2.誒~是不是文件本身藏了東西(伶棒。???)ノ
打開clineteye旺垒。。fail肤无。先蒋。。
看來是沒東西了(宛渐。﹏竞漾。*)
3.誒~是不是曼徹斯特編碼或者是二進(jìn)制(。???)ノ
局部放大窥翩。业岁。。寇蚊。笔时。。
眼睛要瞎了(仗岸。﹏允耿。*)
4.(╯' - ')╯︵ ┻━┻ (掀桌子)
接下來出題人適時的放出了提示。扒怖。右犹。。
hint:左右耳聽到的是不是有些不一樣
ps.給我好好的聽歌耙!
pss.你們根本就不懂友誼的魔法
hint2: 你知道通過消除人聲獲得伴奏的原理嗎
last hint :make the wave inversion
emmmmm于是單聲道提取盼忌,右聲道反相积糯,與左聲道縮混掂墓,振幅增大80倍,得到了神似條形碼的東西看成。君编。。
mark
一定是我姿勢不對(內(nèi)心OS)川慌,為了我眼睛的安危吃嘿,我努力打消了這是摩斯電碼,曼徹斯特編碼梦重,二進(jìn)制編碼的想法兑燥。。琴拧。降瞳。。蚓胸。
就在當(dāng)天晚上第二天凌晨出題人改了附件挣饥,給了一個采樣率更高的文件。沛膳。扔枫。。锹安。短荐。。
mark
好了八毯,耳朵也徹底廢掉了搓侄。。话速。讶踪。并且當(dāng)我單聲道提取,右聲道反相泊交,與左聲道縮混乳讥,振幅增大80倍時。廓俭。云石。我看著空無一物的軌道。研乒。汹忠。徹底陷入了沉思。。宽菜。谣膳。。铅乡。
放棄继谚,等官方WP,失去了夢想與希望阵幸。花履。。挚赊。诡壁。
Pwn
notebook
這個題據(jù)說很簡單,但是也沒有做出來
mark
也盲目分析一下好了咬腕。欢峰。。貌似漏洞點在這里
mark
mark
然后用各種姿勢泄露system地址涨共,執(zhí)行/bash/sh纽帖。。举反。挂签。贪染。然后就getshell了?
準(zhǔn)備膜一波官方WP。娃磺。仰坦。迈勋。
Xman-dice_game
PS:這個題我應(yīng)該是想錯了勉耀。。粗蔚。尝偎。請訪問【數(shù)據(jù)刪除】觀看正確答案!(順便膜一波大大)
PPS:大大比較害羞~(_)
PPPS:想看答案的自己去搜吧~
這個題雖然沒有做出來鹏控,但是這應(yīng)該是一個64位的堆溢出
mark
通過變量覆蓋致扯,將
mark
的地址進(jìn)行覆蓋,進(jìn)而cat flag当辐。
Crypto
Xman-RSA
首先拿到了
mark
發(fā)現(xiàn)加密邏輯的腳本是混亂的
mark
根據(jù)猜測抖僵,可以確定以下對應(yīng)關(guān)系
A-D B-M C-? D-E E-N F-W G-F H-O I-X J-G K-P L-Y M-H N-缘揪? O-耍群? P-I Q-R R-A S-义桂? T-S U-B V-K W-T X-C Y-L Z-U
于是還原加密邏輯代碼
from gmpy2 import is_prime
from os import urandom
import base64
def bytes_to_num(b):
return int(b.encode('hex'),16)
def num_to_bytes(n):
b = hex(n)[2:-1]
b = '0' + b if len(n)%2 == 1 else b
return b.encode('hex')
def get_a_prime(l):
random_seed = urandom(l)
num = bytes_to_num(random_seed)
while True:
if is_prime(num):
break
num += 1
return num
def encrypt(s,e,n):
p = bytes_to_num(s)
p = pow(p, e, n)
return num_to_bytes(p).encode('hex')
def separate(n):
p = n % 4
t = (p*p) % 4
return t == 1
f = open('flag.txt','r')
flag = f.read()
msg1 = ""
msg2 = ""
for r in range(len(flag)):
if separate(r):
msg2 += flag[r]
else:
msg1 += flag[r]
p1 = get_a_prime(128)
p2 = get_a_prime(128)
p3 = get_a_prime(128)
n1 = p1*p2
n2 = p1*p3
e = 0x1001
c1 = encrypt(msg1,e,n1)
c2 = encrypt(msg2,e,n2)
print(c1)
print(c2)
e1 = 0x1001
e2 = 0x101
p4 = get_a_prime(128)
p5 = get_a_prime(128)
n3 = p4*p5
x1 = num_to_bytes(pow(n1,e1,n3)).encode('hex')
x2 = num_to_bytes(pow(n1,e2,n3)).encode('hex')
print(c1)
print(c2)
print(base64.u64encode(num_to_bytes(n2)))
print(base64.u64encode(num_to_bytes(n3)))
并以此寫出解密代碼
import gmpy2
import base64
import binascii
n=int(base64.b64decode("TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ==").encode('hex'),16)
e1=0x1001
e2=0x101
msg1=0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
msg2=0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
gcd,s,t = gmpy2.gcdext(e1,e2)
if s < 0:
s = -s
msg1=gmpy2.invert(msg1,n)
if t < 0:
t = -t
msg2=gmpy2.invert(msg2,n)
n1 =gmpy2.powmod(msg1,s,n)*gmpy2.powmod(msg2,t,n)%n
n2 =int(base64.b64decode("PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw==").encode('hex'),16)
p = gmpy2.gcd(n1,n2)
q1 = n1//p
q2 = n2//p
d1 = gmpy2.invert(0x1001,(p-1)*(q1-1))
d2 = gmpy2.invert(0x1001,(p-1)*(q2-1))
c1 =0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 =0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
m1 = pow(c1,d1,n1)
m2 = pow(c2,d2,n2)
print hex(m1)
print hex(m2)
b1 = hex(m1)
b1 = b1[2:]
b2 = hex(m2)
b2 = b2[2:]
f1 = binascii.a2b_hex(b1)
f2 = binascii.a2b_hex(b2)
print f1
print f2
flag=""
for r in range(len(f1)-1):
flag += f1[r]
flag += f2[r]
print flag
解題結(jié)果:
mark
最后總結(jié)
可見我二進(jìn)制方面現(xiàn)在只會一點理論不會做題。世吨。澡刹。。屬于大概知道漏洞點但是不會利用的局面耘婚。。陆赋。沐祷。。
mark
憑著這次的名次應(yīng)該能去深圳營進(jìn)修了~
想到我能在深圳營提升二進(jìn)制能力攒岛,我充滿了掘森赖临。
