Web
Lottery
通过尝试swp,bak,git,发现其存在Git源码泄露(一开始还把403认成404)(实力眼瞎.jpg)
mark
之后把源码拖下来~
mark
审计代码,发现弱类型比较漏洞
mark
mark
利用json传bool值进行比较
mark
即可获得足够的钱数,购买flag即可。
mark
News Center
发现搜索型注入漏洞,构造payload。
mark
爆字段数
mark
爆表名('or 1=1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='secret_table'#)
mark
mark
拿flag
mark
Confusion1
打开网站,在404页面发现
mark
于是判断是存在任意文件读取漏洞,但是寻找了一波无果,于是怀疑是服务器模板注入(SSTI攻击)
于是测试<script>alert(42)</script> ,被waf拦截了
mark
于是再测试{{ 7+7 }} ,发现成功回显!
mark
于是确认漏洞存在且有waf,于是测试拦截词,发现至少有system,class,read被拦截,于是尝试使用传入额外参数的方式进行绕过,例如本来是要用{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }},构造payload拿到flag。但是由于class,mro,read均被拦截那么可以写为{{''[request.cookies.a][request.cookies.b][2][request.cookies.c]()[40]('/etc/passwd')[request.cookies.d]()}}并传入四个cookiea=__class__; b=__mro__; c=__subclasses__; d=read
发现成功!
mark
于是尝试读取文件,直接拿到flag
mark
PS:还尝试读取了一下salt,发现也是成功的。
mark
Reverse
Xman-babymips
又遇到了mips的题。。。拖进IDA分析,这时候百度到mips有两个好用的反编译器一个是Retdec,另一个是Jeb,首先尝试安装Retdec IDA插件版,额,发现需要去注册,但是Retdec开源后已经不提供API服务了,本地编译又不停的编译失败于是。。。。又没时间搭环境了。。。。于是又开始尝试JEB,JEB不兼容JDK10环境。。。emmmm又开始配环境。。。。。折腾了好久。。。。。终于。。。。成功了。
接着,。。。。(我真傻,真的,我单知道jeb能反编译MIPS,但我没想到。。。。反编译了我也不会。。。。)
于是。。。。。接着等官方WP。。。。
mark
Misc
X-man-Keyword
首先发现keyword,再加上隐写载体是图片于是联想到是否为LSB有效最低位隐写,于是上脚本尝试,用给出的lovekfc尝试,发现解出了内容,于是。。。。。
mark
mark
于是就没有于是了(╯‵□′)╯︵ ┻━┻ (掀桌子)
这一大堆是啥。。。。。。于是试了凯撒,栅栏,非等长栅栏(这里面连个CTF的T都没有啊喂(#`O′))
于是问了问出题人格式,确定是QCTF{SOMETHING}
彻底陷入僵局,后来又放出了hint
hint1:把给出的keyword放到前面试试
hint2:一种把关键词提前的置换
。。。。于是又是一波操作。。。行列置换。。非等长行列置换。。维吉尼亚密码。。。
┬─┬ ノ( ' - 'ノ) {摆好摆好)
为啥还是没有结果啊!(╯°Д°)╯︵ ┻━┻(再掀一次)
不说了。。。这个题等官方WP吧。。。。
X-man-A face
签到题。。不用多说了。。。补全一波二维码,
mark
mark
扫描二维码
mark
base32解密
mark
picture
看到提示(我承认我一开始没想到。。。。)解密图片,
mark
之后拿到加密逻辑脚本,发现是DES的实现脚本,写出解密脚本
#_*_ coding:utf-8 _*_
import re
import sys
ip= (58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9 , 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7)
ip_1=(40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25)
e =(32, 1, 2, 3, 4, 5, 4, 5,
6, 7, 8, 9, 8, 9, 10, 11,
12,13, 12, 13, 14, 15, 16, 17,
16,17, 18, 19, 20, 21, 20, 21,
22, 23, 24, 25,24, 25, 26, 27,
28, 29,28, 29, 30, 31, 32, 1)
p=(16, 7, 20, 21, 29, 12, 28, 17,
1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9,
19, 13, 30, 6, 22, 11, 4, 25)
s=[ [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
[0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
[4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
[15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]],
[[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
[3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
[0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
[13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]],
[[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
[13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
[13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
[1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]],
[[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
[13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14,9],
[10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
[3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]],
[[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
[14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
[4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
[11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]],
[[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
[10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
[9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
[4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]],
[[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
[13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
[1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
[6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]],
[[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
[1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
[7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
[2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]]
pc1=(57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4);
pc2= (14, 17, 11, 24, 1, 5, 3, 28,
15, 6, 21, 10, 23, 19, 12, 4,
26, 8, 16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55, 30, 40,
51, 45, 33, 48, 44, 49, 39, 56,
34, 53, 46, 42, 50, 36, 29, 32)
d = ( 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1)
__all__=['desencode']
class DES():
def __init__(self):
pass
def code(self,from_code,key,code_len,key_len):
output=""
trun_len=0
code_string=self._functionCharToA(from_code,code_len)
code_key=self._functionCharToA(key,key_len)
if code_len%16!=0:
real_len=(code_len/16)*16+16
else:
real_len=code_len
if key_len%16!=0:
key_len=(key_len/16)*16+16
key_len*=4
trun_len=4*real_len
for i in range(0,trun_len,64):
run_code=code_string[i:i+64]
l=i%key_len
run_key=code_key[l:l+64]
run_code= self._codefirstchange(run_code)
run_key= self._keyfirstchange(run_key)
for j in range(16):
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r
code_r= self._functionE(code_r)
key_l=run_key[0:28]
key_r=run_key[28:56]
key_l=key_l[d[j]:28]+key_l[0:d[j]]
key_r=key_r[d[j]:28]+key_r[0:d[j]]
run_key=key_l+key_r
key_y= self._functionKeySecondChange(run_key)
code_r= self._codeyihuo(code_r,key_y)
code_r= self._functionS(code_r)
code_r= self._functionP(code_r)
code_r= self._codeyihuo(code_l,code_r)
run_code+=code_r
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r+code_l
output+=self._functionCodeChange(run_code)
return output
def _codeyihuo(self,code,key):
code_len=len(key)
return_list=''
for i in range(code_len):
if code[i]==key[i]:
return_list+='0'
else:
return_list+='1'
return return_list
def _codefirstchange(self,code):
changed_code=''
for i in range(64):
changed_code+=code[ip[i]-1]
return changed_code
def _keyfirstchange (self,key):
changed_key=''
for i in range(56):
changed_key+=key[pc1[i]-1]
return changed_key
def _functionCodeChange(self, code):
lens=len(code)/4
return_list=''
for i in range(lens):
list=''
for j in range(4):
list+=code[ip_1[i*4+j]-1]
return_list+="%x" %int(list,2)
return return_list
def _functionE(self,code):
return_list=''
for i in range(48):
return_list+=code[e[i]-1]
return return_list
def _functionP(self,code):
return_list=''
for i in range(32):
return_list+=code[p[i]-1]
return return_list
def _functionS(self, key):
return_list=''
for i in range(8):
row=int( str(key[i*6])+str(key[i*6+5]),2)
raw=int(str( key[i*6+1])+str(key[i*6+2])+str(key[i*6+3])+str(key[i*6+4]),2)
return_list+=self._functionTos(s[i][row][raw],4)
return return_list
def _functionKeySecondChange(self,key):
return_list=''
for i in range(48):
return_list+=key[pc2[i]-1]
return return_list
def _functionCharToA(self,code,lens):
return_code=''
lens=lens%16
for key in code:
code_ord=int(key,16)
return_code+=self._functionTos(code_ord,4)
if lens!=0:
return_code+='0'*(16-lens)*4
return return_code
def _functionTos(self,o,lens):
return_code=''
for i in range(lens):
return_code=str(o>>i &1)+return_code
return return_code
def tohex(string):
return_string=''
for i in string:
return_string+="%02x"%ord(i)
return return_string
def tounicode(string):
return_string=''
string_len=len(string)
for i in range(0,string_len,2):
return_string+=chr(int(string[i:i+2],16))
return return_string
def desencode(from_code,key):
from_code=tohex(from_code)
key=tohex(key)
des=DES()
key_len=len(key)
string_len=len(from_code)
if string_len<1 or key_len<1:
print 'error input'
return False
key_code= des.code(from_code,key,string_len,key_len)
return key_code
# if __name__ == '__main__':
# if(desencode(sys.argv[1],'mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf')=='e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72'):
# print 'correct.'
# else:
# print 'try again.'
__all__=['desdecode']
class DES():
'''解密函数,DES加密与解密的方法相差不大
只是在解密的时候所用的子密钥与加密的子密钥相反
'''
def __init__(self):
pass
def decode(self,string,key,key_len,string_len):
output=""
trun_len=0
num=0
#将密文转换为二进制
code_string=self._functionCharToA(string,string_len)
#获取字密钥
code_key=self._getkey(key,key_len)
#如果密钥长度不是16的整数倍则以增加0的方式变为16的整数倍
real_len=(key_len/16)+1 if key_len%16!=0 else key_len/16
trun_len=string_len*4
#对每64位进行一次加密
for i in range(0,trun_len,64):
run_code=code_string[i:i+64]
run_key=code_key[num%real_len]
#64位明文初始置换
run_code= self._codefirstchange(run_code)
#16次迭代
for j in range(16):
code_r=run_code[32:64]
code_l=run_code[0:32]
#64左右交换
run_code=code_r
#右边32位扩展置换
code_r= self._functionE(code_r)
#获取本轮子密钥
key_y=run_key[15-j]
#异或
code_r= self._codeyihuo(code_r,key_y)
#S盒代替/选择
code_r= self._functionS(code_r)
#P转换
code_r= self._functionP(code_r)
#异或
code_r= self._codeyihuo(code_l,code_r)
run_code+=code_r
num+=1
#32互换
code_r=run_code[32:64]
code_l=run_code[0:32]
run_code=code_r+code_l
#将二进制转换为16进制、逆初始置换
output+=self._functionCodeChange(run_code)
return output
#获取子密钥
def _getkey(self,key,key_len):
#将密钥转换为二进制
code_key=self._functionCharToA(key,key_len)
a=['']*16
real_len=(key_len/16)*16+16 if key_len%16!=0 else key_len
b=['']*(real_len/16)
for i in range(real_len/16):
b[i]=a[:]
num=0
trun_len=4*key_len
for i in range(0,trun_len,64):
run_key=code_key[i:i+64]
run_key= self._keyfirstchange(run_key)
for j in range(16):
key_l=run_key[0:28]
key_r=run_key[28:56]
key_l=key_l[d[j]:28]+key_l[0:d[j]]
key_r=key_r[d[j]:28]+key_r[0:d[j]]
run_key=key_l+key_r
key_y= self._functionKeySecondChange(run_key)
b[num][j]=key_y[:]
num+=1
return b
#异或
def _codeyihuo(self,code,key):
code_len=len(key)
return_list=''
for i in range(code_len):
if code[i]==key[i]:
return_list+='0'
else:
return_list+='1'
return return_list
#密文或明文初始置换
def _codefirstchange(self,code):
changed_code=''
for i in range(64):
changed_code+=code[ip[i]-1]
return changed_code
#密钥初始置换
def _keyfirstchange (self,key):
changed_key=''
for i in range(56):
changed_key+=key[pc1[i]-1]
return changed_key
#逆初始置换
def _functionCodeChange(self, code):
return_list=''
for i in range(16):
list=''
for j in range(4):
list+=code[ip_1[i*4+j]-1]
return_list+="%x" %int(list,2)
return return_list
#扩展置换
def _functionE(self,code):
return_list=''
for i in range(48):
return_list+=code[e[i]-1]
return return_list
#置换P
def _functionP(self,code):
return_list=''
for i in range(32):
return_list+=code[p[i]-1]
return return_list
#S盒代替选择置换
def _functionS(self, key):
return_list=''
for i in range(8):
row=int( str(key[i*6])+str(key[i*6+5]),2)
raw=int(str( key[i*6+1])+str(key[i*6+2])+str(key[i*6+3])+str(key[i*6+4]),2)
return_list+=self._functionTos(s[i][row][raw],4)
return return_list
#密钥置换选择2
def _functionKeySecondChange(self,key):
return_list=''
for i in range(48):
return_list+=key[pc2[i]-1]
return return_list
#将十六进制转换为二进制字符串
def _functionCharToA(self,code,lens):
return_code=''
lens=lens%16
for key in code:
code_ord=int(key,16)
return_code+=self._functionTos(code_ord,4)
if lens!=0:
return_code+='0'*(16-lens)*4
return return_code
#二进制转换
def _functionTos(self,o,lens):
return_code=''
for i in range(lens):
return_code=str(o>>i &1)+return_code
return return_code
#将unicode字符转换为16进制
def tohex(string):
return_string=''
for i in string:
return_string+="%02x"%ord(i)
return return_string
def tounicode(string):
return_string=''
string_len=len(string)
for i in range(0,string_len,2):
return_string+=chr(int(string[i:i+2],16))
return return_string
#入口函数
def desdecode(from_code,key):
key=tohex(key)
des=DES()
key_len=len(key)
string_len=len(from_code)
if string_len%16!=0:
return False
if string_len<1 or key_len<1:
return False
key_code= des.decode(from_code,key,key_len,string_len)
return tounicode(key_code)
#测试
if __name__ == '__main__':
print desdecode('e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72','mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf')
运行,拿到结果
mark
Noise
对于这道堪称神题的题。。。。。一看到是音频题,为了保护我可怜弱小又无助的耳朵。。。
mark
我连听都没听,第一时间拖到AU里,唔。。。一番检查
检查历程:
1.诶~是不是频谱图里藏了东西(。・∀・)ノ
打开频谱图,拉伸,放大,移动。。。。。
看来是没东西了(。﹏。*)
2.诶~是不是文件本身藏了东西(。・∀・)ノ
打开clineteye。。fail。。。
看来是没东西了(。﹏。*)
3.诶~是不是曼彻斯特编码或者是二进制(。・∀・)ノ
局部放大。。。。。。
眼睛要瞎了(。﹏。*)
4.(╯' - ')╯︵ ┻━┻ (掀桌子)
接下来出题人适时的放出了提示。。。。
hint:左右耳听到的是不是有些不一样
ps.给我好好的听歌啊!
pss.你们根本就不懂友谊的魔法
hint2: 你知道通过消除人声获得伴奏的原理吗
last hint :make the wave inversion
emmmmm于是单声道提取,右声道反相,与左声道缩混,振幅增大80倍,得到了神似条形码的东西。。。
mark
一定是我姿势不对(内心OS),为了我眼睛的安危,我努力打消了这是摩斯电码,曼彻斯特编码,二进制编码的想法。。。。。。
就在当天晚上第二天凌晨出题人改了附件,给了一个采样率更高的文件。。。。。。。
mark
好了,耳朵也彻底废掉了。。。。并且当我单声道提取,右声道反相,与左声道缩混,振幅增大80倍时。。。我看着空无一物的轨道。。。彻底陷入了沉思。。。。。。
放弃,等官方WP,失去了梦想与希望。。。。。
Pwn
notebook
这个题据说很简单,但是也没有做出来
mark
也盲目分析一下好了。。。貌似漏洞点在这里
mark
mark
然后用各种姿势泄露system地址,执行/bash/sh。。。。。然后就getshell了?
准备膜一波官方WP。。。。
Xman-dice_game
PS:这个题我应该是想错了。。。。请访问【数据删除】观看正确答案!(顺便膜一波大大)
PPS:大大比较害羞~(_)
PPPS:想看答案的自己去搜吧~
这个题虽然没有做出来,但是这应该是一个64位的堆溢出
mark
通过变量覆盖,将
mark
的地址进行覆盖,进而cat flag。
Crypto
Xman-RSA
首先拿到了
mark
发现加密逻辑的脚本是混乱的
mark
根据猜测,可以确定以下对应关系
A-D B-M C-? D-E E-N F-W G-F H-O I-X J-G K-P L-Y M-H N-? O-? P-I Q-R R-A S-? T-S U-B V-K W-T X-C Y-L Z-U
于是还原加密逻辑代码
from gmpy2 import is_prime
from os import urandom
import base64
def bytes_to_num(b):
return int(b.encode('hex'),16)
def num_to_bytes(n):
b = hex(n)[2:-1]
b = '0' + b if len(n)%2 == 1 else b
return b.encode('hex')
def get_a_prime(l):
random_seed = urandom(l)
num = bytes_to_num(random_seed)
while True:
if is_prime(num):
break
num += 1
return num
def encrypt(s,e,n):
p = bytes_to_num(s)
p = pow(p, e, n)
return num_to_bytes(p).encode('hex')
def separate(n):
p = n % 4
t = (p*p) % 4
return t == 1
f = open('flag.txt','r')
flag = f.read()
msg1 = ""
msg2 = ""
for r in range(len(flag)):
if separate(r):
msg2 += flag[r]
else:
msg1 += flag[r]
p1 = get_a_prime(128)
p2 = get_a_prime(128)
p3 = get_a_prime(128)
n1 = p1*p2
n2 = p1*p3
e = 0x1001
c1 = encrypt(msg1,e,n1)
c2 = encrypt(msg2,e,n2)
print(c1)
print(c2)
e1 = 0x1001
e2 = 0x101
p4 = get_a_prime(128)
p5 = get_a_prime(128)
n3 = p4*p5
x1 = num_to_bytes(pow(n1,e1,n3)).encode('hex')
x2 = num_to_bytes(pow(n1,e2,n3)).encode('hex')
print(c1)
print(c2)
print(base64.u64encode(num_to_bytes(n2)))
print(base64.u64encode(num_to_bytes(n3)))
并以此写出解密代码
import gmpy2
import base64
import binascii
n=int(base64.b64decode("TmNVbWUhCXR1od3gBpM+HGMKK/4ErfIKITxomQ/QmNCZlzmmsNyPXQBiMEeUB8udO7lWjQTYGjD6k21xjThHTNDG4z6C2cNNPz73VIaNTGz0hrh6CmqDowFbyrk+rv53QSkVKPa8EZnFKwGz9B3zXimm1D+01cov7V/ZDfrHrEjsDkgK4ZlrQxPpZAPl+yqGlRK8soBKhY/PF3/GjbquRYeYKbagpUmWOhLnF4/+DP33ve/EpaSAPirZXzf8hyatL4/5tAZ0uNq9W6T4GoMG+N7aS2GeyUA2sLJMHymW4cFK5l5kUvjslRdXOHTmz5eHxqIV6TmSBQRgovUijlNamQ==").encode('hex'),16)
e1=0x1001
e2=0x101
msg1=0x2639c28e3609a4a8c953cca9c326e8e062756305ae8aee6efcd346458aade3ee8c2106ab9dfe5f470804f366af738aa493fd2dc26cb249a922e121287f3eddec0ed8dea89747dc57aed7cd2089d75c23a69bf601f490a64f73f6a583081ae3a7ed52238c13a95d3322065adba9053ee5b12f1de1873dbad9fbf4a50a2f58088df0fddfe2ed8ca1118c81268c8c0fd5572494276f4e48b5eb424f116e6f5e9d66da1b6b3a8f102539b690c1636e82906a46f3c5434d5b04ed7938861f8d453908970eccef07bf13f723d6fdd26a61be8b9462d0ddfbedc91886df194ea022e56c1780aa6c76b9f1c7d5ea743dc75cec3c805324e90ea577fa396a1effdafa3090
msg2=0x42ff1157363d9cd10da64eb4382b6457ebb740dbef40ade9b24a174d0145adaa0115d86aa2fc2a41257f2b62486eaebb655925dac78dd8d13ab405aef5b8b8f9830094c712193500db49fb801e1368c73f88f6d8533c99c8e7259f8b9d1c926c47215ed327114f235ba8c873af7a0052aa2d32c52880db55c5615e5a1793b690c37efdd5e503f717bb8de716303e4d6c4116f62d81be852c5d36ef282a958d8c82cf3b458dcc8191dcc7b490f227d1562b1d57fbcf7bf4b78a5d90cd385fd79c8ca4688e7d62b3204aeaf9692ba4d4e44875eaa63642775846434f9ce51d138ca702d907849823b1e86896e4ea6223f93fae68b026cfe5fa5a665569a9e3948a
gcd,s,t = gmpy2.gcdext(e1,e2)
if s < 0:
s = -s
msg1=gmpy2.invert(msg1,n)
if t < 0:
t = -t
msg2=gmpy2.invert(msg2,n)
n1 =gmpy2.powmod(msg1,s,n)*gmpy2.powmod(msg2,t,n)%n
n2 =int(base64.b64decode("PVNHb2BfGAnmxLrbKhgsYXRwWIL9eOj6K0s3I0slKHCTXTAUtZh3T0r+RoSlhpO3+77AY8P7WETYz2Jzuv5FV/mMODoFrM5fMyQsNt90VynR6J3Jv+fnPJPsm2hJ1Fqt7EKaVRwCbt6a4BdcRoHJsYN/+eh7k/X+FL5XM7viyvQxyFawQrhSV79FIoX6xfjtGW+uAeVF7DScRcl49dlwODhFD7SeLqzoYDJPIQS+VSb3YtvrDgdV+EhuS1bfWvkkXRijlJEpLrgWYmMdfsYX8u/+Ylf5xcBGn3hv1YhQrBCg77AHuUF2w/gJ/ADHFiMcH3ux3nqOsuwnbGSr7jA6Cw==").encode('hex'),16)
p = gmpy2.gcd(n1,n2)
q1 = n1//p
q2 = n2//p
d1 = gmpy2.invert(0x1001,(p-1)*(q1-1))
d2 = gmpy2.invert(0x1001,(p-1)*(q2-1))
c1 =0x1240198b148089290e375b999569f0d53c32d356b2e95f5acee070f016b3bef243d0b5e46d9ad7aa7dfe2f21bda920d0ac7ce7b1e48f22b2de410c6f391ce7c4347c65ffc9704ecb3068005e9f35cbbb7b27e0f7a18f4f42ae572d77aaa3ee189418d6a07bab7d93beaa365c98349d8599eb68d21313795f380f05f5b3dfdc6272635ede1f83d308c0fdb2baf444b9ee138132d0d532c3c7e60efb25b9bf9cb62dba9833aa3706344229bd6045f0877661a073b6deef2763452d0ad7ab3404ba494b93fd6dfdf4c28e4fe83a72884a99ddf15ca030ace978f2da87b79b4f504f1d15b5b96c654f6cd5179b72ed5f84d3a16a8f0d5bf6774e7fd98d27bf3c9839
c2 =0x129d5d4ab3f9e8017d4e6761702467bbeb1b884b6c4f8ff397d078a8c41186a3d52977fa2307d5b6a0ad01fedfc3ba7b70f776ba3790a43444fb954e5afd64b1a3abeb6507cf70a5eb44678a886adf81cb4848a35afb4db7cd7818f566c7e6e2911f5ababdbdd2d4ff9825827e58d48d5466e021a64599b3e867840c07e29582961f81643df07f678a61a9f9027ebd34094e272dfbdc4619fa0ac60f0189af785df77e7ec784e086cf692a7bf7113a7fb8446a65efa8b431c6f72c14bcfa49c9b491fb1d87f2570059e0f13166a85bb555b40549f45f04bc5dbd09d8b858a5382be6497d88197ffb86381085756365bd757ec3cdfa8a77ba1728ec2de596c5ab
m1 = pow(c1,d1,n1)
m2 = pow(c2,d2,n2)
print hex(m1)
print hex(m2)
b1 = hex(m1)
b1 = b1[2:]
b2 = hex(m2)
b2 = b2[2:]
f1 = binascii.a2b_hex(b1)
f2 = binascii.a2b_hex(b2)
print f1
print f2
flag=""
for r in range(len(f1)-1):
flag += f1[r]
flag += f2[r]
print flag
解题结果:
mark
最后总结
可见我二进制方面现在只会一点理论不会做题。。。。属于大概知道漏洞点但是不会利用的局面。。。。。
mark
凭着这次的名次应该能去深圳营进修了~
想到我能在深圳营提升二进制能力,我充满了掘森。
