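The flag is: 不能说的秘密
Download the attachment. The archive turns out to be pseudo-encrypted: change 0900 to 0000 and it extracts, giving black.png.
The image's width and height need to be changed; after fixing them with a width/height modification tool, the result is: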
5oSa5Lq66lqC5b+r5LmQ77yB77yB77yB
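Base64-decoding this string gives: 愚人节快乐! (Happy April Fools' Day!)
Submitting that as the flag kept failing, and I realized I had been tricked. So I took the image with the corrected dimensions into Kali and carved it with foremost, which found another zip file inside, and this one really is password-protected.
Viewing the file in 010 Editor shows a key at the end of the file: eXVyZW5qaWU=
Base64-decoding it gives the archive password: yurenjie. With the decoded value the archive extracts successfully.
The picture inside has had its width and height altered again; running the tool once more (QWQ) gives the flag: ctfshow{Th1s_i5_f1ag}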
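The pseudo-encryption fix from the first step, as an added example that is not part of the original write-up: it clears bit 0 of the general-purpose flag in every local and central header (the 0900 to 0000 edit above also clears bit 3) and confirms the flag was fake by checking that the entries then pass their CRC-32. The sample archive is constructed in the code; only the name black.png comes from the write-up.

```python
import io, struct, zipfile, zlib

ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag: "entry is encrypted"

def flag_offsets(data):
    """Yield the offset of each general-purpose flag field (central and local)."""
    eocd = data.rfind(b"PK\x05\x06")            # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    total, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local,) = struct.unpack_from("<I", data, pos + 42)
        yield pos + 8        # flags in the central directory entry
        yield local + 6      # flags in the matching local file header
        pos += 46 + name_len + extra_len + comment_len

def set_encrypted_bit(data, on):
    """Return a copy of the archive with bit 0 set or cleared everywhere."""
    buf = bytearray(data)
    for off in flag_offsets(data):
        (flags,) = struct.unpack_from("<H", buf, off)
        struct.pack_into("<H", buf, off, flags | ENCRYPTED if on else flags & ~ENCRYPTED & 0xFFFF)
    return bytes(buf)

def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted yet decompress and pass CRC once cleared."""
    if not any(struct.unpack_from("<H", data, o)[0] & ENCRYPTED for o in flag_offsets(data)):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(set_encrypted_bit(data, False))) as zf:
            return zf.testzip() is None       # None means every CRC-32 matched
    except (zipfile.BadZipFile, zlib.error):
        return False                          # really encrypted (or damaged) data

def build_sample():
    """Constructed sample: a normal archive with only the flag bit flipped on."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("black.png", b"constructed sample payload " * 8)
    return set_encrypted_bit(raw.getvalue(), True)

if __name__ == "__main__":
    sample = build_sample()
    print("pseudo-encrypted:", is_pseudo_encrypted(sample))
    print(zipfile.ZipFile(io.BytesIO(set_encrypted_bit(sample, False))).read("black.png")[:18])
```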
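Opening the archive for this challenge shows a hint:
Anyone who has studied calculus knows that Σ(1/(n!))=e, with e=2.718281828459…. Taking 12 significant digits leaves 11 decimal places, and rounding gives the password 2.71828182846. Entering it extracts the archive, which contains a png and a docx file.
Hint.png will not open, so start with 阿尼亚哇库哇库!.docx. There is a pattern: every line ends in '。', '!' or '?'. My guess is Ook encoding: take the last symbol of each line and put Ook in front of it.
One problem is that the punctuation in the docx file is all Chinese (full-width) punctuation, which has to be converted to English punctuation before it can be decoded. I put the body text into a txt file and did the replacement there.
Generate the Ook ciphertext with Python:
len(line)-2 is used because, after readlines(), the last character of every line read is always the newline '\n' (except for the last line). When the result is written to 2.txt, the character for the last line has to be changed to the final punctuation mark of that last line. After tidying up, this gives the Ook ciphertext:
Decode it with an online tool to get the flag: ctfshow{4niya_KaWa1i!}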
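The extraction described above, as an added example that is not the script from the original write-up: it takes the last punctuation mark of each line, maps the full-width marks to ASCII, and also interprets the resulting Ook program locally instead of using an online tool. The function names and the sample text are constructed for illustration; splitlines() is used so the last line (which has no trailing newline) needs no special handling.

```python
FULLWIDTH = {"。": ".", "!": "!", "?": "?"}   # Chinese punctuation -> ASCII
OOK_TO_BF = {"..": "+", "!!": "-", ".?": ">", "?.": "<",
             "!?": "[", "?!": "]", "!.": ".", ".!": ","}

def line_marks(text):
    """Return the final punctuation mark of every non-empty line, as ASCII."""
    marks = []
    for line in text.splitlines():     # splitlines() strips '\n', so the last
        line = line.rstrip()           # line (no newline) needs no special case
        if not line:
            continue
        mark = FULLWIDTH.get(line[-1], line[-1])
        if mark not in ".!?":
            raise ValueError(f"line does not end in an Ook mark: {line!r}")
        marks.append(mark)
    return marks

def to_ook(marks):
    return " ".join("Ook" + m for m in marks)

def run_ook(marks):
    """Pair the marks into Brainfuck commands and interpret them."""
    code = [OOK_TO_BF["".join(marks[i:i + 2])] for i in range(0, len(marks) - 1, 2)]
    stack, jump = [], {}
    for i, c in enumerate(code):       # pre-match the loop brackets
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    while pc < len(code):
        c = code[pc]
        if c == ">": ptr += 1
        elif c == "<": ptr -= 1
        elif c == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".": out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]
        pc += 1
    return "".join(out)

def make_sample(bf="++++++++[>++++++++<-]>+."):
    """Constructed input: filler lines whose endings encode a tiny program."""
    back = {v: k for k, v in OOK_TO_BF.items()}
    wide = {v: k for k, v in FULLWIDTH.items()}
    return "\n".join("waku waku" + wide[m] for c in bf for m in back[c])
```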
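Opening the target, the first thing that appears is a huaji (smirking meme face) image.
Viewing the page source shows that it is the Base64-encoded content of this huaji image. Changing the ?img value to flag still returns the huaji image, and the path is rewritten to be identical to the initial page. Changing it to index.php gives the same result.
Capture the traffic with Burp Suite:
An error is reported at line 13 of index.php, but the request I captured was for index.php itself, and the response is a 302, clearly a redirect. So try another directory.
Appending 123 directly to that path makes line 18 of index.php report an error, so the problem must be in index.php. But as just tried, requesting index.php directly does not work. The URL also contains img=ZmFjZS5wbmc=, which is clearly Base64; decoding it gives face.png.
It is reasonable to guess that index.php also has to be Base64-encoded before it can be accessed, so Base64-encode index.php.
Entering http://e70b491d-3bfa-4aaf-9671-00e04a4d965b.challenge.ctf.show/aW5kZXgucGhw directly and capturing the traffic shows exactly the same thing as before.
Trying again with ?img= kept in the URL and capturing once more, something different appears.
The image turns into something unrecognizable, and the captured response contains new Base64; decoding it gives the flag directly: ctfshow{1daa8315-a3e5-4dda-bd99-356f9e1ac642}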
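A scan finds app.zip; take a look at it.
The site is built on Python's Flask framework.
Code review shows that the command injection point is url/hello.
First check how the input is handled
List the classes
Check the server user name
Check the configuration
Find a usable class: warnings.catch_warnings
Finally inject {{''.__class__.__base__.__subclasses__()[177].__init__.__globals__["__builtins__"].eval('__import__("os").popen("cd ..&&cat *lag").read()')}}
Get the flag
This one is fun: one Base16 decode, one Base32 decode and one Base64 decode, and the flag comes out.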
Flag: ctfshow{yu_ren_j1e_haPpy!!!}
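Looking at the code in the attachment, the flag is encrypted twice: once by swapping values, and once by using the values of S_BOX to reorder the elements of the list m 16 times. Working through it carefully shows that encrypt1 has no real effect on m, so it is enough to invert encrypt2.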
m=[99, 111, 102, 11, 107, 49, 11, 53, 121, 48, 114, 117, 11, 95, 112, 95, 109, 115, 11, 95, 101, 95, 119, 117, 79, 123, 111, 48, 110, 95, 121, 116, 121, 125, 116, 11, 119, 11, 97, 67, 11, 11, 11, 11, 11, 99, 110, 104]
S_BOX=[9, 31, 32, 38, 20, 1, 22, 4, 8, 2, 11, 21, 7, 18, 46, 23, 34, 3, 19, 12, 45, 30, 27, 37, 5, 47, 28, 36, 0, 43, 39, 10, 29, 14, 40, 24, 33, 16, 17, 6, 42, 15, 26, 41, 44, 25, 35, 13]
for _ in range(16):
    # undo one round: the element at position S_BOX.index(i) goes back to position i
    m=[m[S_BOX.index(i)] for i in range(len(S_BOX))]
flag=''
for i in m:
    flag+=chr(i)
print(flag)
This gives the flag: ctfshow{y0u_c5n_make_y0u1_own_CryptO}
Opening the script shows that the flag is split into two parts.
import gmpy2, libnum
from secret import flag1, flag2
m = libnum.s2n(flag1)
assert m.bit_length() < 200
B = gmpy2.next_prime(libnum.s2n(flag2))
A = (2022 - 2023 * m) % B
leak = pow(2, 2023, B)
print(A)
print(leak)
# 493275281479560936332761096886786925792234184811353209227551802099268192839677496844153534128991899414803550843408607188612593757622064753867565869035222715177143938385039508273050267347710495512806264863554858016145161165422812554800693811328453743229819656381224407015421235005940088439590887928051969351426291843586132741521121351667152673680122929827805479163871436776753859965413192837591532468372
# 238829196127128263156194898141748280130190920343265228257398802867203846004703877952990524473329125233083096275276064071930416561616135910190674099345267027039386328203653489152769309498199556401574021633071022874689081585677578010276529507102304828451681000682208089162940529052283763507244593173690786957816545746540436261888398732172965945762569416702401859253725696471593023885944262561159982327952
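The first part falls directly to a template small_roots script: leak = 2^2023 mod B, so B divides n = 2^2023 - leak, and m (under 200 bits) is a small root of 2022 - 2023x - A modulo B.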
A = 493275281479560936332761096886786925792234184811353209227551802099268192839677496844153534128991899414803550843408607188612593757622064753867565869035222715177143938385039508273050267347710495512806264863554858016145161165422812554800693811328453743229819656381224407015421235005940088439590887928051969351426291843586132741521121351667152673680122929827805479163871436776753859965413192837591532468372
leak = 238829196127128263156194898141748280130190920343265228257398802867203846004703877952990524473329125233083096275276064071930416561616135910190674099345267027039386328203653489152769309498199556401574021633071022874689081585677578010276529507102304828451681000682208089162940529052283763507244593173690786957816545746540436261888398732172965945762569416702401859253725696471593023885944262561159982327952
n = 2^2023 - leak
PR.<x> = PolynomialRing(Zmod(n))
f = 2022 - 2023 * x - A
ans = f.monic().small_roots(X=2^201, beta=0.48)[0]
print(bytes.fromhex(hex(int(ans))[2:]))  # convert the root to a plain integer, then to bytes
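This gives the first half: ctfshow{UNKNOWN_MODULUS_
For the second half, B has to be found first.
After the script above m is known as well, so B can be tried as a greatest common divisor: B divides both 2^2023 - leak and A - (2022 - 2023m).
The code is as follows: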
import gmpy2
import libnum
a=2**2023
b=238829196127128263156194898141748280130190920343265228257398802867203846004703877952990524473329125233083096275276064071930416561616135910190674099345267027039386328203653489152769309498199556401574021633071022874689081585677578010276529507102304828451681000682208089162940529052283763507244593173690786957816545746540436261888398732172965945762569416702401859253725696471593023885944262561159982327952
c=a-b  # 2^2023 - leak, a multiple of B
m=2438621860802508754666419561610531898810985542251330229087
d=2022-2023*m  # the value that was reduced mod B to give A
e=493275281479560936332761096886786925792234184811353209227551802099268192839677496844153534128991899414803550843408607188612593757622064753867565869035222715177143938385039508273050267347710495512806264863554858016145161165422812554800693811328453743229819656381224407015421235005940088439590887928051969351426291843586132741521121351667152673680122929827805479163871436776753859965413192837591532468372
f=e-d  # A - (2022 - 2023*m), also a multiple of B
g=gmpy2.gcd(c,f)
print(g)
print(gmpy2.is_prime(g))
print(libnum.n2s(int(g)))
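The greatest common divisor obtained here turns out to be prime as well. I decoded it to bytes on the off chance, and the second half came straight out: T0_BR1NG_L3UGHTER_AND_J@Y_TO_TH3_W0RLD}
So the flag is: ctfshow{UNKNOWN_MODULUS_T0_BR1NG_L3UGHTER_AND_J@Y_TO_TH3_W0RLD}
The downloaded attachment is a Sage file; opening it shows elliptic-curve (ECC) encryption.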
from Crypto.Util.number import *
from secret import flag
flag=bytes_to_long(flag)
a =getPrime(256)
b =getPrime(256)
p =getPrime(256)
m1=int(str(flag)[:5])-4585
m2=int(str(flag)[5:])
#EllipticCurve([a1, a2, a3, a4, a6]) -- y^2+(a1)xy+(a3)y=x^3+(a2)x^2+(a4)x+(a6)
E = EllipticCurve(GF(p), [a, b])
X=E.lift_x(m1)
Y=7*X
m = E.random_point()
G = E.random_point()
k = getPrime(256)
K = k * G
r = getPrime(256)
c1 = m + r * K
c2 = r * G
w2=m[0]*m2
print(f"p = {p}")
print(f"a = {a}")
print(f"b = {b}")
print(f"k = {k}")
print(f"E = {E}")
print(f'Y = {Y}')
print(f"c1 = {c1}")
print(f"c2 = {c2}")
print(f"w2 = {w2}")
'''
p = 71397796933602469825964946338224836258949974632540581233301840806613437378503
a = 106105288190268015217241182934677375171023341761047638573248022053052499733117
b = 76170541771321874396004434442157725545076211607587599314450304327736999807927
k = 58155941823118858940343657716409231510854647214870891375273032214774400828217
E = Elliptic Curve defined by y^2 = x^3 + 34707491256665545391276236596452538912073367128507057339946181246439062354614*x + 4772744837719404570039488103932889286126236975047018081148463521123562429424 over Finite Field of size 71397796933602469825964946338224836258949974632540581233301840806613437378503
Y = (33237936857741483513705672980652927705102229733798436323453609986072499230366 : 52619411226266177137991318059937693955038910547834999771526408984808553907338 : 1)
c1 = (37414446283406201193977113266234367761786780230360175925999700345196415953455 : 17037724145039910971426670298726906655653040365428438334942732090559637519851 : 1)
c2 = (60560423732267272277570046154733119097475794979191838027420415113112056962844 : 54372226143125971429691267751299496959531971082475860532181772357190222938465 : 1)
w2 = 16315249811700998894876359855091105114973337718373913477026230968747515636405
'''
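Once again the flag is split into two parts, but this time the first five digits are taken off after the flag is converted to an integer, and the remaining digits are encrypted separately with ordinary elliptic-curve encryption. A template script recovers m2 directly: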
p = 71397796933602469825964946338224836258949974632540581233301840806613437378503
a = 106105288190268015217241182934677375171023341761047638573248022053052499733117
b = 76170541771321874396004434442157725545076211607587599314450304327736999807927
k = 58155941823118858940343657716409231510854647214870891375273032214774400828217
E = EllipticCurve(GF(p),[a,b]) # construct the elliptic curve E
c1 = E(37414446283406201193977113266234367761786780230360175925999700345196415953455,17037724145039910971426670298726906655653040365428438334942732090559637519851)
c2 = E(60560423732267272277570046154733119097475794979191838027420415113112056962844,54372226143125971429691267751299496959531971082475860532181772357190222938465)
m = c1-k*c2  # c1 - k*c2 = (m + r*K) - k*(r*G) = m, since K = k*G
w2 = 16315249811700998894876359855091105114973337718373913477026230968747515636405
m2=w2//m[0]  # w2 = m[0]*m2 in GF(p), so divide by the x-coordinate of m
print(m2)
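I really do not know how to solve for m1, so I brute-forced it in Python:
from Crypto.Util.number import long_to_bytes
m2=7196365442241205186856420688221367789171469258517476477
# try every 5-digit prefix in front of the 55 digits of m2
for i in range(100007196365442241205186856420688221367789171469258517476477,999997196365442241205186856420688221367789171469258517476478,10**55):
    k=long_to_bytes(i)
    if(k[:7]==b'ctfshow' or k[:7]==b'CTFSHOW'):
        print(k)
m2 has 55 digits in total, so the loop step is 10 to the power 55. The brute force gives the flag: ctfshow{the_answer_is_it}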
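Looking at the code, this is the classic Coppersmith attack on a partially leaked p. Here m is XORed with p: the flag is 32 bytes, so m is under 256 bits and c1 = m^p keeps the high bits of the 1024-bit p.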
from Crypto.Util.number import *
from secret import flag
assert len(flag[8:-1])==23
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n = p*q
e = 65537
c1 = m^p
c2 = pow(m,e,n)
print(f'c1 = {c1}')
print(f'c2 = {c2}')
print(f'n = {n}')
'''
c1 = 151198307301713399973545627808177783191262282577048906899567665485020342464366268384613589477129150406859219553325982275344405383612415523342568367197935454935162234419239807109194526080836070453102172720442102673200212658553214847476648456720629906051324248179394810385918370092764118401652990951968387233220
c2 = 7894512574379281106340582833782408137686355961537832816105517328532111343730615739255485918919146012721446905489729048235088965936700563973759759039693443386542070451737445467143517377017890468837697907596398070608179281207203217576205857817411996178441661371846647602166663752324880657668362355493701482869858528298247422875427747085642627978367348931707497113936723122393282697211257939351221141536029828744507560524637999804394951722319070365576391442828074457050403771353328835153787572457070779602728359333021922987279454923820866436212282592764768470608545881718922440010751845730974331917142224339664090863915
n = 20873587976264698212013861921447267548758723109929620330136081844796427967720295581580927324390713931549639540337285515365487607593546367886570408812338077846317206794057714877394609181224434104303259411081376607299962306250984285173463537669954845497211859940191392861121877814873939865829555350848523691546006073264112091406848179785659505299775196062799482197712761744192962658799557108701192680225134300686608396391566674966897700511638643429161735764600752699251493599533703928135311599575989253347234975026924804433742500175666009324057320386262109587593814197687132304704244158862263859846356497849518103755981
'''
A template script gives the flag directly: ctfshow{m_xor_p_but_coppersmith}
import libnum
n = 20873587976264698212013861921447267548758723109929620330136081844796427967720295581580927324390713931549639540337285515365487607593546367886570408812338077846317206794057714877394609181224434104303259411081376607299962306250984285173463537669954845497211859940191392861121877814873939865829555350848523691546006073264112091406848179785659505299775196062799482197712761744192962658799557108701192680225134300686608396391566674966897700511638643429161735764600752699251493599533703928135311599575989253347234975026924804433742500175666009324057320386262109587593814197687132304704244158862263859846356497849518103755981
e = 65537
c = 7894512574379281106340582833782408137686355961537832816105517328532111343730615739255485918919146012721446905489729048235088965936700563973759759039693443386542070451737445467143517377017890468837697907596398070608179281207203217576205857817411996178441661371846647602166663752324880657668362355493701482869858528298247422875427747085642627978367348931707497113936723122393282697211257939351221141536029828744507560524637999804394951722319070365576391442828074457050403771353328835153787572457070779602728359333021922987279454923820866436212282592764768470608545881718922440010751845730974331917142224339664090863915
pbar = 151198307301713399973545627808177783191262282577048906899567665485020342464366268384613589477129150406859219553325982275344405383612415523342568367197935454935162234419239807109194526080836070453102172720442102673200212658553214847476648456720629906051324248179394810385918370092764118401652990951968387233220
PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar
x0 = f.small_roots(X=2^400, beta=0.4)[0] # find root < 2^kbits with factor >= n^0.4
p = x0 + pbar
q = n // int(p)
d = inverse_mod(e, (p-1)*(q-1))
m=pow(c,d,n)
print(libnum.n2s(int(m)).decode())