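Web challenge: L0vephp
The hint says to read the source code; a comment in it contains the following hint:
【B4Z0-@:OCnDf,】 looks like a base-family encoding; decoding it as base85 gives: get action
Reading the file through a PHP pseudo-protocol (stream wrapper) shows that base is blocked,
so UTF-7 is used instead:
Decoding the output gives:
Converting the hex string 【316E4433782E706870】 to text gives 【1nD3x.php】
Visit 1nD3x.php
After a hint from a senior student, I found that remote file inclusion can be used; include$_GET[1]; does the job, so the payload is: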
&1=data://text/plain,<?php system('ls /');
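This reveals the flag
Got the flag:
Web2: ezphp
Code analysis: the POSTed data is deserialized, and the deserialized username must equal one string and password must equal another. Testing shows that they are not the strings already given. The double equals sign suggests a loose (weak-type) comparison: in PHP, 0 == 'abc' evaluates to True 【when the string "admin" is compared with the number 0, "admin" is first cast to a number; because "admin" is a string containing no digits, the cast yields 0】
Approach: pass in a serialized array in which username and password are both set to 0
MISC: YLB Top-Secret File
Download the attachment and open it: it is a traffic-analysis challenge. Open it in Wireshark; according to the challenge hint, three files need to be extracted:
Filter all POST packets with http.request.method==POST; there are three POST requests carrying data.
They correspond to the three files, so extract each in turn
The three files are:
secret.cpython-38.pyc, which decompiles to:
YLBSB.zip
Extracting it yields YLBSB.xor
Finally there is xor.py
Analysing xor.py shows that the binary data of YLBSB is Base64-encoded and then XORed
That gives the decryption script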
# coding: utf-8
import base64

key = 'YLBSB?YLBNB!'

# Undo the XOR layer; the result is the Base64 text of the original file
with open("YLBSB.xor", "rb") as enc:
    cipher = enc.read().decode()
with open("YLBSB.docx", "wb") as out:
    for count, c in enumerate(cipher):
        d = chr(ord(c) ^ ord(key[count % len(key)]))
        out.write(d.encode())

# Undo the Base64 layer to recover the document
with open('YLBSB.docx', 'rb') as fp:
    data = base64.b64decode(fp.read().decode())
with open('1.doc', 'wb') as f:
    f.write(data)
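Decoding produces 1.doc
Open the doc and press Ctrl+F to search for unctf; the flag string is at the end.
MISC: Deep in the Network
Following the hint, the archive password can be brute-forced with a tool:
Boldly guessing that it starts with 13, we get 15975384265
Extracting the archive gives an audio file that is just noise, so load it into Audacity for analysis:
The waveform shows nothing special, so out of habit look at the spectrogram, which contains a hint
A Baidu search shows that tupper refers to 【Tupper's self-referential formula】, whose two-dimensional plot looks like the formula itself. Run the official script: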
from functools import reduce

# Tupper's self-referential formula
def Tupper_self_referential_formula():
    k = 636806841748368750477720528895492611039728818913495104112781919263174040060359776171712496606031373211949881779178924464798852002228370294736546700438210687486178492208471812570216381077341015321904079977773352308159585335376746026882907466893864815887274158732965185737372992697108862362061582646638841733361046086053127284900532658885220569350253383469047741742686730128763680253048883638446528421760929131783980278391556912893405214464624884824555647881352300550360161429758833657243131238478311219915449171358359616665570429230738621272988581871

    def f(x, y):
        d = ((-17 * x) - (y % 17))
        # e = 2 ** (-d), built by repeated multiplication
        e = reduce(lambda a, b: a * b, [2 for _ in range(-d)]) if d else 1
        g = ((y // 17) // e) % 2
        return 0.5 < g

    # Print one text row per y, from k + 16 down to k, 107 columns wide
    for y in range(k + 16, k - 1, -1):
        line = ""
        for x in range(0, 107):
            line += "0" if f(x, y) else " "
        print(line)

if __name__ == '__main__':
    Tupper_self_referential_formula()
Got the flag. I was also lucky enough to take third blood on this challenge:
Crypto: Simple RSA
e= 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781
n= 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701
c= 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934
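Notice that the given e is very large, which makes the computed d very small and the key easy to attack. This is Wiener's attack, and an attack script can be used to recover d.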
d= 74651354506339782898861455541319178061583554604980363549301373281141419821253
Decrypting the ciphertext is then straightforward:
from Crypto.Util.number import long_to_bytes
d= 74651354506339782898861455541319178061583554604980363549301373281141419821253
c= 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934
n=147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701
m = pow(c, d, n)
plaintext = long_to_bytes(m)
print(plaintext)
Got the flag