title: 第七届强网杯wp
date: 2023-12-17 16:08:10
categories: 比赛
tags: CTF
第七届"强网杯"全国网络安全挑战赛
misc
easyfuzz
通过nc连接的
当返回结果全部都是1时,就能得到flag
先逐个字符尝试(从0一直试到Z),可以试出输入必须为9位,并且前面两位是什么字符都行
exp
from pwn import *
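# Probe loop for the "easyfuzz" service.
#
# Each request is a 9-character string: one printable ASCII character repeated
# in positions 1-2 and 7-8, with the already-known characters 'qwbG'
# (positions 3-6) and 'd' (position 9) kept fixed. The last 10 bytes of the
# reply line are parsed as a number and compared with the baseline `vv`; the
# loop stops at the first reply that differs.
# NOTE(review): presumably the reply is a per-position 0/1 match mask -- confirm
# against the service output.
p = remote("101.200.122.251", 12199)
bb = 9    # only referenced by the commented-out experiment after this listing
cc = ""   # likewise unused by the live code
vv = 111111001  # baseline reply value observed before positions 7-8 are right
context.log_level = 'debug'  # log all traffic so unexpected replies stay visible

try:
    for j in range(32, 128):
        print("\n")
        p.recvuntil(b"bytes):")
        b = chr(j) + chr(j) + 'qwbG' + chr(j) + chr(j) + 'd'
        print(b)
        # pwntools tubes work on bytes; passing str only works via an implicit
        # conversion that emits a BytesWarning. The candidates are pure ASCII.
        p.sendline(b.encode())
        c = p.recvuntil(b"\n")[-10:]
        print(c)
        print(type(c))
        try:
            reply_value = int(c)
        except ValueError:
            # The reply tail is not a plain number (the service said something
            # else); report it instead of dying with a traceback.
            print(f"得到{b}\n{c}")
            break
        if vv != reply_value:
            print(f"得到{b}\n{c}")
            break
finally:
    # Always release the socket, including when the loop exits on an error.
    p.close()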
# bb -= 1
# cc += str(chr(j))
# with open('a.txt', 'a') as f:
# f.write(vv + '\n') # 将vv写入文件
# vv = '11' + '0' * (bb - 2)
Pyjail ! It’s myFILTER !!!
打开后nc连接使用
flag藏在环境变量文件里面,直接用open打开就能查看到
{print(open("/proc/1/environ").read())}
WEB
happygame(没有出)
web题我看了很久,硬是搞不懂他这个怎么happygame了
���11
\���HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 31310a
怎么看也不像http呀我还用nmap的-sV扫了一下
还是不行
能确定的一点是:输入什么,它就会输出输入内容hex编码后的结果,并且后面还带一个0a(换行符)
输出超过24就不会显示0a了
并且前面的输出位数也能得到信息不同位数会发生变化得到的信息是
Z\^`bdfhjlnprtvxz|~80 82 84 86
到了86后就不会再增加了
转为hex可以知道
5a 5c 5e 60 62 64 66 68 6a 6c 6e 70 72 74 76 78 7a 7c 7e
每经过一位相当于增加了2
还用ciphey跑出来了这个
KEYS[] mgauoicwqkey
Crypto
guess game
这种游戏题最好玩了,直接随机猜、多跑几次就能够出flag
exp
from Crypto.Util.number import bytes_to_long, long_to_bytes
from os import urandom
from binascii import unhexlify
from pwn import *
# Log every byte pwntools sends and receives; noisy, but it keeps the full
# server dialogue visible while the guessing loop runs.
context.log_level='debug'
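class cipher:
    """Small substitution-permutation cipher on a 64-bit state.

    NOTE(review): the S-box, bit permutation and key schedule look like
    PRESENT-80 cut down to ``rounds`` rounds -- confirm against the challenge
    source. Four rounds of such a cipher offer no real security margin; this
    class is only suitable for reproducing the challenge, not for protecting
    data.

    Args:
        key: Integer key; the key schedule treats it as an 80-bit register.
        rounds: Number of round keys to derive (``rounds - 1`` full rounds plus
            a final key addition).
    """

    def __init__(self, key, rounds=4):
        self.key = key
        self.rounds = rounds
        # 4-bit S-box, indexed by nibble value.
        self.sbox = [0xc, 0x5, 0x6, 0xb, 0x9, 0x0, 0xa, 0xd,
                     0x3, 0xe, 0xf, 0x8, 0x4, 0x7, 0x1, 0x2]
        # Bit permutation: input bit i moves to output bit pbox[i].
        self.pbox = [
            0, 16, 32, 48, 1, 17, 33, 49, 2, 18, 34, 50, 3, 19, 35, 51,
            4, 20, 36, 52, 5, 21, 37, 53, 6, 22, 38, 54, 7, 23, 39, 55,
            8, 24, 40, 56, 9, 25, 41, 57, 10, 26, 42, 58, 11, 27, 43, 59,
            12, 28, 44, 60, 13, 29, 45, 61, 14, 30, 46, 62, 15, 31, 47, 63,
        ]
        self.rk = self.genrk(self.key)

    def substitution(self, state):
        """Apply the S-box to each of the 16 nibbles of ``state``."""
        output = 0
        for i in range(16):
            nibble = (state >> (i * 4)) & 0xF
            # Nibble slots never overlap, so OR is equivalent to addition here.
            output |= self.sbox[nibble] << (i * 4)
        return output

    def permutation(self, state):
        """Move bit ``i`` of ``state`` to bit ``pbox[i]`` for the low 64 bits."""
        output = 0
        for i in range(64):
            output |= ((state >> i) & 0x1) << self.pbox[i]
        return output

    def genrk(self, key):
        """Derive ``self.rounds`` round keys from ``key``.

        Each round key is the register shifted right by 16 bits; the register
        is then rotated, its top nibble passed through the S-box, and the
        round counter XORed in at bit 15.
        """
        rk = []
        for i in range(1, self.rounds + 1):
            rk.append(key >> 16)
            # Low 19 bits move to the top, the rest shifts down by 19
            # (a rotation when the register is 80 bits wide).
            key = ((key & (2**19 - 1)) << 61) + (key >> 19)
            # S-box on the nibble above bit 76.
            key = (self.sbox[key >> 76] << 76) + (key & (2**76 - 1))
            key ^= i << 15
        return rk

    def addrk(self, state, rk):
        """XOR a round key into the state."""
        return state ^ rk

    def encrypt(self, pt):
        """Encrypt the integer ``pt`` and return the result as bytes.

        Runs ``rounds - 1`` rounds of key addition, substitution and
        permutation, then a final key addition with the last round key.
        """
        state = pt
        for i in range(self.rounds - 1):
            state = self.addrk(state, self.rk[i])
            state = self.substitution(state)
            state = self.permutation(state)
        state = self.addrk(state, self.rk[-1])
        return long_to_bytes(state)

    def hint(self, pt):
        """Alias for :meth:`encrypt`."""
        return self.encrypt(pt)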
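# Guess-game driver: reconnect, answer the 80 prompts, tally the verdicts and
# append the tally to a local log file.
#
# NOTE(review): `guess` is the bit string of a key generated locally with
# urandom, and `game` is never used after construction in this listing, so the
# submitted bits are unrelated to anything the server sent. The same 80 bits
# are reused on every connection.
# NOTE(review): the outer loop has no exit condition; the inner `break` only
# leaves the per-bit loop, so the script has to be stopped by hand.
count = 0    # unused in this listing
success = 0  # unused in this listing
key = int.from_bytes(urandom(10), "big")
guess = list(map(int, list(bin(key)[2:].zfill(80))))
game = cipher(key)
ll = 0  # number of connections made so far

while True:
    ll += 1
    cc = 0  # "Right!" replies in this round
    dd = 0  # "Wrong" replies in this round
    p = remote("47.97.69.130", 22333)
    try:
        p.recvuntil(b"oken:")
        # NOTE(review): what appears to be an account token is hard-coded in a
        # published script; it should be redacted or loaded from the
        # environment, and rotated if it is still valid.
        p.sendline(b"icqc0ccfef5755b58ad320ede21cfa79")
        p.recvuntil(b">")
        p.sendline(b"2")
        for bit in guess:
            p.recvuntil(b">")
            # Send bytes explicitly; pwntools only accepts str through an
            # implicit conversion that emits a BytesWarning.
            p.sendline(str(bit).encode())
            gg = p.recvline()
            if b"Right!" in gg:
                cc += 1
            if b"Wrong" in gg:
                dd += 1
            if cc > 57:
                print(gg)
                print(f"成功了{cc}次")
                break
        print(gg)
        print(f"成功了{cc}次")
        print(f"错误了{dd}次")
    finally:
        # One socket per round: close it instead of leaking a connection on
        # every iteration.
        p.close()
    # Open the log only for the write so the handle is closed each round
    # rather than accumulating one open file per iteration.
    with open("曲线25.txt", "a") as f:
        f.write(f"第{ll}把,成功了{cc}次")
        f.write(f"失败了{dd}次\n")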
强网先锋
SpeedUp
通过计算跑出
SpeedUp
找到2的27次方
4495662081 去md5加密成sha256 flag{加密后的}