[ACTF2023]复现

最新推荐文章于 2024-11-05 15:32:33 发布
最新推荐文章于 2024-11-05 15:32:33 发布
阅读量428 收藏 2
点赞数 1
分类专栏: crypto 文章标签: python
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/shshss64/article/details/134169323
版权

 MDH

源题:

from hashlib import sha256
from secret import flag

r = 128
c = 96
p = 308955606868885551120230861462612873078105583047156930179459717798715109629
Fp = GF(p)

def gen():
    a1 = random_matrix(Fp, r, c)
    a2 = random_matrix(Fp, r, c)
    A = a1 * a2.T
    return (a1, a2), A

sk_alice, pk_alice = gen()
sk_bob, pk_bob = gen()
shared = (sk_alice[0].T * pk_bob * sk_alice[1]).trace()
ct = int(sha256(str(int(shared)).encode()).hexdigest(), 16) ^^ int.from_bytes(flag, 'big')

with open('output.txt', 'wb') as f:
    f.write(str(ct).encode() + b'\n')
    f.write(str(list(pk_alice)).encode() + b'\n')
    f.write(str(list(pk_bob)).encode() + b'\n')

思路:本题思路很简单,高等代数,sk_alice[0].T * pk_bob * sk_alice[1]和pk_bob*pk_alice.T的迹的大小是相等的。

exp:

from hashlib import sha256
from Crypto.Util.number import*

r = 128
c = 96
p = 308955606868885551120230861462612873078105583047156930179459717798715109629
Fp = GF(p)

f = open('output.txt','r')
ct = eval(f.readline())
a1 = eval(f.readline())
a2 = eval(f.readline())

pk_alice = matrix(Fp,a1)
pk_bob = matrix(Fp,a2)
# print(pk_alice)
# print(pk_bob)
shared = (pk_bob*pk_alice.T).trace()
m = int(sha256(str(int(shared)).encode()).hexdigest(), 16) ^^ ct
print(long_to_bytes(m))

claw crane

源码:

!/usr/bin/env python3
from Crypto.Util.number import (
    bytes_to_long, long_to_bytes
)
from hashlib import md5
import os, signal
import sys
import random

BITS = 128

class ClawCrane(object):
    def __init__(self) -> None:
        self.seed = bytes_to_long(os.urandom(BITS//8))
        self.bless = 0
        self.score = 0
    
    def get_input(self, prompt="> "):
        print(prompt, end="")
        sys.stdout.flush()
        return input()
    
    def check_pos(self, pos, moves):
        col, row = 0, 0
        for move in moves:
            if move == "W":
                if row < 15: row += 1
            elif move == "S":
                if row > 0: row -= 1
            elif move == "A":
                if col > 0: col -= 1
            elif move == "D":
                if col < 15: col += 1
            else:
                return -1
        print(col, row)
        return pos == [col, row]
    
    def gen_chaos(self, inp):
        def mapping(x):
            if x=='W': return "0"
            if x=='S': return "1"
            if x=='A': return "2"
            if x=='D': return "3"
        vs = int("".join(map(mapping, inp)), 4)
        chaos = bytes_to_long(md5(
                    long_to_bytes((self.seed + vs) % pow(2,BITS))
                ).digest())
        self.seed = (self.seed + chaos + 1) % pow(2,BITS)
        return chaos
    
    def destiny_claw(self, delta):
        bits = bin(delta)[2:]
        if len(bits) < 128+self.bless:
            bits += "0"*(128+self.bless - len(bits))
        c = random.choice(bits)
        if c=='0': return True
        else: return False
    
    def run(self):
        pos = [random.randrange(1,16), random.randrange(1,16)]
        moves = self.get_input(f"i am at {pos}, claw me.\nYour moves: ")
        if len(moves) > 100:
            print("too many steps")
            return
        if not self.check_pos(pos, moves):
            print("sorry, clawed nothing")
            return
        r = self.gen_chaos(moves[:64])
        print(f"choas: {r}")
        p, q = map(int, self.get_input(f"give me your claw using p,q and p,q in [0, 18446744073709551615] (e.g.: 1,1): ").split(","))
        if not (p>0 and p<pow(2,BITS//2) and q>0 and q<pow(2,BITS//2)):
            print("not in range")
            return
        delta = abs(r*q - p*pow(2,BITS))
        if self.destiny_claw(delta):
            self.score += 10
            self.bless = 0
            print("you clawed it")
        else:
            self.bless += 16
            print("sorry, clawed nothing")
        

def main():
    signal.alarm(600)
    cc = ClawCrane()
    for _ in range(256):
        try:
            cc.run()
            print(f"your score: {cc.score}")
        except:
            print(f"abort")
            break
    if cc.score >= 2220:
        print(f"flag: {open('/flag.txt').read()}")
        
if __name__ == "__main__":
    main()

思路:在本题目中我们需要绕过proof验证、check_pos的位置验证和以下

chaos = bytes_to_long(md5(
            long_to_bytes((self.seed + vs) % pow(2,BITS))
        ).digest())
self.seed = (self.seed + chaos + 1) % pow(2,BITS)

首先:

proof验证:我们知道是将十六进制数输入,进行sha1操作与已知输出对比,相同即可通过,我们在输入的十六进制数的前六位未知,直接爆破即可。

check_pos的位置验证:我们观察源码,源码是通过构造的输入序列(‘A’,'B','C','D'),对此时在(0,0)的点进行位移输入到随机确认的pos位置上,若最终移动的位置相同,即可通过。

由于  r = self.gen_chaos(moves[:64]),moves是我们自己输入的,此时函数仅仅需要前64位进行运算获得r的值,我们需要固定r的值的大小,所以此时便在seed上做文章,令每次输入的vs都在上一个vs的基础上减去(chaos + 1),此时,输出的chaos值固定。

于是,check_pos的位置验证中,我们输入序列的前64位由上述r取值中确认,我们需要计算出64次移动后的位置,再寻找到pos点的移动所需里程。

完成上述操作后,开始运算,当cc.score >= 2220时,我们即可得到flag的值

exp:

import itertools
from Crypto.Util.number import *
from hashlib import md5
import gmpy2
from pwn import *
from tqdm import tqdm
from hashlib import *
from time import *

BITS = 128


def proof():
    sh.recvuntil(b'sha1(prefix+"')
    k = sh.recvuntil(b'"')[:-1]
    sh.recvuntil(b')==')
    cc = sh.recvuntil(b'\n')[:-1]
    sh.recvuntil(b'prefix = ?\n')
    String = b'0123456789abcdef'
    #     print(k,cc)

    start = time()
    for i1, i2, i3, i4, i5, i6 in tqdm(itertools.product(String, String, String, String, String, String)):
        kk = str(chr(i1)) + str(chr(i2)) + str(chr(i3)) + str(chr(i4)) + str(chr(i5)) + str(chr(i6)) + k.decode()
        # print(kk,k.decode())
        # print(sha1(kk.encode()).hexdigest(),cc.decode())
        if sha1(kk.encode()).hexdigest() == cc.decode():
            print(kk[:6])
            sh.sendline(kk[:6].encode())
            break
    end = time()
    print(f"consume {end - start} time")


def check_pos(pos, moves):
    col, row = int(pos[0]), int(pos[1])
    for move in moves:
        if move == "W":
            if row < 15: row += 1
        elif move == "S":
            if row > 0: row -= 1
        elif move == "A":
            if col > 0: col -= 1
        elif move == "D":
            if col < 15: col += 1
        else:
            return -1
    print(col, row)
    return [col, row]


def solve_chaos(la_chaos, idx):
    def mapping(x):
        if x == '0': return "W"
        if x == '1': return "S"
        if x == '2': return "A"
        if x == '3': return "D"

    New_vs = (-la_chaos - 1) * (idx - 1) % (2 ^ 128)
    target = New_vs % 4
    new_vs = ''
    while New_vs:
        if target == 0:
            new_vs += 'W'
            New_vs = New_vs // 4
        if target == 1:
            new_vs += 'S'
            New_vs = New_vs // 4
        if target == 2:
            new_vs += 'A'
            New_vs = New_vs // 4
        if target == 3:
            new_vs += 'D'
            New_vs = New_vs // 4
        target = New_vs % 4
    #         print(new_vs)
    new_vs = new_vs[::-1]
    if len(new_vs) != 64:
        new_vs = mapping("0") * (64 - len(new_vs)) + new_vs
    print('solve_chaos:', new_vs)
    return new_vs


def solve_pos(cu_pos, new_pos, sol):
    x0, y0 = cu_pos
    x1, y1 = new_pos
    if x0 < x1:
        sol += 'D' * ((x1 - x0) % 16)
    else:
        sol += 'A' * ((x0 - x1) % 16)
    if y0 < y1:
        sol += 'W' * ((y1 - y0) % 16)
    else:
        sol += 'S' * ((y0 - y1) % 16)
    return sol


def solve_pq(chaos):
    K = matrix(ZZ, [[2 ^ 128, 0], [chaos, 1]])
    KK = K.LLL()
    #     print(num)
    v = K.solve_left(KK[0])
    p, q = v[0], v[1]
    return abs(p), abs(q)


for i in range(1, 10000):
    print(f'Try {i} times')
    sh = process(['python3', 'server.py'])
    proof()
    Assert, chaos, idx, failure, success = 0, -1, 0, 0, 0
    p, q = 0, 0

    try:
        while idx < 256:
            idx += 1
            print(f'----------The {idx} quarters---------')
            sh.recvuntil(b'i am at ')
            pos = eval(sh.recvuntil(b']'))
            sh.recvuntil(b'Your moves: ')
            x1, y1 = int(pos[0]), int(pos[1])
            #             print(pos,x1,y1,chaos)
            vs = solve_chaos(chaos, idx)
            #             print(vs)
            x0, y0 = check_pos((0, 0), vs)
            moves = solve_pos((x0, y0), (x1, y1), vs)
            sh.sendline(moves.encode())
            sh.recvuntil(b'choas: ')
            chaos = int(sh.recvuntil(b'\n')[:-1])
            if not p and not q:
                p, q = solve_pq(chaos)
                x = abs(chaos * q - p * pow(2, 128))
                print(bin(x)[2:].count('1'))
                print(bin(x)[2:])
                if bin(x)[2:].count('1') > 23:
                    break
            print(abs(chaos * q - p * pow(2, 128)))
            sh.recvuntil(b'give me your claw using p,q and p,q in [0, 18446744073709551615] (e.g.: 1,1): ')
            sh.sendline(f'{p},{q}'.encode())

            ding = sh.recvline()
            #             print(ding)

            sh.recvuntil(b'your score: ')
            score = sh.recvuntil(b'\n')[:-1]
            print('Your score: ', score)

        sh.interactive()
    except:
        continue

EazyRSA

源码:

from secret import flag
from Crypto.Util.number import *


def genKey(nbits, dbits):
    bbits = (nbits // 2 - dbits) // 2

    while True:
        a = getRandomNBitInteger(dbits)
        b = getRandomNBitInteger(bbits)
        c = getRandomNBitInteger(bbits)
        p1 = a * b * c + 1
        if isPrime(p1):
            # print("p1 =", p1)
            break

    while True:
        d = getRandomNBitInteger(dbits)
        p2 = b * c * d + 1
        if isPrime(p2):
            # print("p2 =", p2)
            break

    while True:
        e = getRandomNBitInteger(bbits)
        f = getRandomNBitInteger(bbits)
        q1 = e * d * f + 1
        p3 = a * e * f + 1
        if isPrime(q1) and isPrime(p3):
            # print("p3 =", p3)
            # print("q1 =", q1)
            break

    while True:
        d_ = getRandomNBitInteger(dbits)
        if GCD(a * b * c * d * e * f, d_) != 1:
            continue
        e_ = inverse(d_, a * b * c * d * e * f)
        k1 = (e_ * d_ - 1) // (a * b * c * d * e * f)
        assert e_ * d_ == (a * b * c * d * e * f) * k1 + 1
        q2 = k1 * e * f + 1
        q3 = k1 * b * c + 1
        if isPrime(q2) and isPrime(q3):
            # print("q2 =", q2)
            # print("q3 =", q3)
            # print("e =", e_)
            # print("d =", d_)
            break

    n1 = p1 * q1
    n2 = p2 * q2
    n3 = p3 * q3
    
    assert pow(pow(0xdeadbeef, e_, n1), d_, n1) == 0xdeadbeef
    assert pow(pow(0xdeadbeef, e_, n2), d_, n2) == 0xdeadbeef
    assert pow(pow(0xdeadbeef, e_, n3), d_, n3) == 0xdeadbeef

    return(e_, n1, n2, n3)


nbits = 0x600
dbits = 0x210

m = bytes_to_long(flag)
e, n1, n2, n3 = genKey(nbits, dbits)
c = pow(m, e, n1)

print("c =", c)
print("e =", e)
print("n1 =", n1)
print("n2 =", n2)
print("n3 =", n3)

# c = 63442255298812942222810837512019302954917822996915527697525497640413662503768308023517128481053593562877494934841788054865410798751447333551319775025362132176942795107214528962480350398519459474033659025815248579631003928932688495682277210240277909527931445899728273182691941548330126199931886748296031014210795428593631253184315074234352536885430181103986084755140024577780815130067722355861473639612699372152970688687877075365330095265612016350599320999156644
# e = 272785315258275494478303901715994595013215169713087273945370833673873860340153367010424559026764907254821416435761617347240970711252213646287464416524071944646705551816941437389777294159359383356817408302841561284559712640940354294840597133394851851877857751302209309529938795265777557840238332937938235024502686737802184255165075195042860413556866222562167425361146312096189555572705076252573222261842045286782816083933952875990572937346408235562417656218440227
# n1 = 473173031410877037287927970398347001343136400938581274026578368211539730987889738033351265663756061524526288423355193643110804217683860550767181983527932872361546531994961481442866335447011683462904976896894011884907968495626837219900141842587071512040734664898328709989285205714628355052565784162841441867556282849760230635164284802614010844226671736675222842060257156860013384955769045790763119616939897544697150710631300004180868397245728064351907334273953201
# n2 = 327163771871802208683424470007561712270872666244394076667663345333853591836596054597471607916850284565474732679392694515656845653581599800514388800663813830528483334021178531162556250468743461443904645773493383915711571062775922446922917130005772040139744330987272549252540089872170217864935146429898458644025927741607569303966038195226388964722300472005107075179204987774627759625183739199425329481632596633992804636690274844290983438078815836605603147141262181
# n3 = 442893163857502334109676162774199722362644200933618691728267162172376730137502879609506615568680508257973678725536472848428042122350184530077765734033425406055810373669798840851851090476687785235612051747082232947418290952863499263547598032467577778461061567081620676910480684540883879257518083587862219344609851852177109722186714811329766477552794034774928983660538381764930765795290189612024799300768559485810526074992569676241537503405494203262336327709010421

 思路:造格即可

exp:

from sage.all import *
from Crypto.Util.number import *
import random

c = 63442255298812942222810837512019302954917822996915527697525497640413662503768308023517128481053593562877494934841788054865410798751447333551319775025362132176942795107214528962480350398519459474033659025815248579631003928932688495682277210240277909527931445899728273182691941548330126199931886748296031014210795428593631253184315074234352536885430181103986084755140024577780815130067722355861473639612699372152970688687877075365330095265612016350599320999156644
e = 272785315258275494478303901715994595013215169713087273945370833673873860340153367010424559026764907254821416435761617347240970711252213646287464416524071944646705551816941437389777294159359383356817408302841561284559712640940354294840597133394851851877857751302209309529938795265777557840238332937938235024502686737802184255165075195042860413556866222562167425361146312096189555572705076252573222261842045286782816083933952875990572937346408235562417656218440227
n1 = 473173031410877037287927970398347001343136400938581274026578368211539730987889738033351265663756061524526288423355193643110804217683860550767181983527932872361546531994961481442866335447011683462904976896894011884907968495626837219900141842587071512040734664898328709989285205714628355052565784162841441867556282849760230635164284802614010844226671736675222842060257156860013384955769045790763119616939897544697150710631300004180868397245728064351907334273953201
n2 = 327163771871802208683424470007561712270872666244394076667663345333853591836596054597471607916850284565474732679392694515656845653581599800514388800663813830528483334021178531162556250468743461443904645773493383915711571062775922446922917130005772040139744330987272549252540089872170217864935146429898458644025927741607569303966038195226388964722300472005107075179204987774627759625183739199425329481632596633992804636690274844290983438078815836605603147141262181
n3 = 442893163857502334109676162774199722362644200933618691728267162172376730137502879609506615568680508257973678725536472848428042122350184530077765734033425406055810373669798840851851090476687785235612051747082232947418290952863499263547598032467577778461061567081620676910480684540883879257518083587862219344609851852177109722186714811329766477552794034774928983660538381764930765795290189612024799300768559485810526074992569676241537503405494203262336327709010421

M  =  int(random.randint(n1,2*n2) ** 0.5)
K = matrix([[M,e,e,e],[0,-n1,0,0],[0,0,-n2,0],[0,0,0,-n3]])
KK =  K.LLL()
d = int(KK[0][0]/M)
m = pow(c,d,n1)
print(long_to_bytes(int(m)))

MidRSA

源码:

from secret import flag
from Crypto.Util.number import *


def genKey(nbits, dbits):
    bbits = (nbits // 2 - dbits) // 2

    while True:
        a = getRandomNBitInteger(dbits)
        b = getRandomNBitInteger(bbits)
        c = getRandomNBitInteger(bbits)
        p1 = a * b * c + 1
        if isPrime(p1):
            # print("p1 =", p1)
            break

    while True:
        d = getRandomNBitInteger(dbits)
        p2 = b * c * d + 1
        if isPrime(p2):
            # print("p2 =", p2)
            break

    while True:
        e = getRandomNBitInteger(bbits)
        f = getRandomNBitInteger(bbits)
        q1 = e * d * f + 1
        p3 = a * e * f + 1
        if isPrime(q1) and isPrime(p3):
            # print("p3 =", p3)
            # print("q1 =", q1)
            break

    while True:
        d_ = getRandomNBitInteger(dbits)
        if GCD(a * b * c * d * e * f, d_) != 1:
            continue
        e_ = inverse(d_, a * b * c * d * e * f)
        k1 = (e_ * d_ - 1) // (a * b * c * d * e * f)
        assert e_ * d_ == (a * b * c * d * e * f) * k1 + 1
        q2 = k1 * e * f + 1
        q3 = k1 * b * c + 1
        if isPrime(q2) and isPrime(q3):
            # print("q2 =", q2)
            # print("q3 =", q3)
            # print("e =", e_)
            print("d =", d_)
            break

    n1 = p1 * q1
    n2 = p2 * q2
    n3 = p3 * q3
    
    assert pow(pow(0xdeadbeef, e_, n1), d_, n1) == 0xdeadbeef
    assert pow(pow(0xdeadbeef, e_, n2), d_, n2) == 0xdeadbeef
    assert pow(pow(0xdeadbeef, e_, n3), d_, n3) == 0xdeadbeef

    return(e_, n1, n2, n3)


nbits = 0x600
dbits = 0x240

m = bytes_to_long(flag)
e, n1, n2, n3 = genKey(nbits, dbits)
c = pow(m, e, n1)

print("c =", c)
print("e =", e)
print("n1 =", n1)
print("n2 =", n2)
print("n3 =", n3)


# c = 598823083137858565473505718525815255620672892612784824187302545127574115000325539999824374357957135208478070797113625659118825530731575573239221853507638809719397849963861367352055486212696958923800593172417262351719477530809870735637329898331854130533160020420263724619225174940214193740379571953951059401685115164634005411478583529751890781498407518739069969017597521632392997743956791839564573371955246955738575593780508817401390102856295102225132502636316844
# e = 334726528702628887205076146544909357751287869200972341824248480332256143541098971600873722567713812425364296038771650383962046800505086167635487091757206238206029361844181642521606953049529231154613145553220809927001722518303114599682529196697410089598230645579658906203453435640824934159645602447676974027474924465177723434855318446073578465621382859962701578350462059764095163424218813852195709023435581237538699769359084386399099644884006684995755938605201771
# n1 = 621786427956510577894657745225233425730501124908354697121702414978035232119311662357181409283130180887720760732555757426221953950475736078765267856308595870951635246720750862259255389006679454647170476427262240270915881126875224574474706572728931213060252787326765271752969318854360970801540289807965575654629288558728966771231501959974533484678236051025940684114262451777094234017210230731492336480895879764397821363102224085859281971513276968559080593778873231
# n2 = 335133378611627373902246132362791381335635839627660359611198202073307340179794138179041524058800936207811546752188713855950891460382258433727589232119735602364790267515558352318957355100518427499530387075144776790492766973547088838586041648900788325902589777445641895775357091753360428198189998860317775077739054298868885308909495601041757108114540069950359802851809227248145281594107487276003206931533768902437356652676341735882783415106786497390475670647453821
# n3 = 220290953009399899705676642623181513318918775662713704923101352853965768389363281894663344270979715555659079125651553079702318700200824118622766698792556506368153467944348604006011828780474050012010677204862020009069971864222175380878120025727369117819196954091417740367068284457817961773989542151049465711430065838517386380261817772422927774945414543880659243592749932727798690742051285364898081188510009069286094647222933710799481899960520270189522155672272451

思路:相比于EazyRSA题目,提高了dbits的比特数,使得无法计算,此时我们需要爆破一定的高位即可。

exp:

from sage.all import *
from Crypto.Util.number import *
import random
from tqdm import tqdm

c = 598823083137858565473505718525815255620672892612784824187302545127574115000325539999824374357957135208478070797113625659118825530731575573239221853507638809719397849963861367352055486212696958923800593172417262351719477530809870735637329898331854130533160020420263724619225174940214193740379571953951059401685115164634005411478583529751890781498407518739069969017597521632392997743956791839564573371955246955738575593780508817401390102856295102225132502636316844
e = 334726528702628887205076146544909357751287869200972341824248480332256143541098971600873722567713812425364296038771650383962046800505086167635487091757206238206029361844181642521606953049529231154613145553220809927001722518303114599682529196697410089598230645579658906203453435640824934159645602447676974027474924465177723434855318446073578465621382859962701578350462059764095163424218813852195709023435581237538699769359084386399099644884006684995755938605201771
n1 = 621786427956510577894657745225233425730501124908354697121702414978035232119311662357181409283130180887720760732555757426221953950475736078765267856308595870951635246720750862259255389006679454647170476427262240270915881126875224574474706572728931213060252787326765271752969318854360970801540289807965575654629288558728966771231501959974533484678236051025940684114262451777094234017210230731492336480895879764397821363102224085859281971513276968559080593778873231
n2 = 335133378611627373902246132362791381335635839627660359611198202073307340179794138179041524058800936207811546752188713855950891460382258433727589232119735602364790267515558352318957355100518427499530387075144776790492766973547088838586041648900788325902589777445641895775357091753360428198189998860317775077739054298868885308909495601041757108114540069950359802851809227248145281594107487276003206931533768902437356652676341735882783415106786497390475670647453821
n3 = 220290953009399899705676642623181513318918775662713704923101352853965768389363281894663344270979715555659079125651553079702318700200824118622766698792556506368153467944348604006011828780474050012010677204862020009069971864222175380878120025727369117819196954091417740367068284457817961773989542151049465711430065838517386380261817772422927774945414543880659243592749932727798690742051285364898081188510009069286094647222933710799481899960520270189522155672272451

for i in tqdm(range(70000,2^20)):
    t1 = bin(i)[2:].zfill(21)
    h = int('1'+t1[:3],2) << 0x23c
    h1 = int(t1[3:9],2) << 1338
    h2 = int(t1[9:15],2) << 1338
    h3 = int(t1[15:21],2) << 1338
    M = Matrix(QQ,[[-e,-e,-e,2^766,0,0,0,0],
                    [n1,0,0,0,0,0,0,0],
                    [0,n2,0,0,0,0,0,0],
                    [0,0,n3,0,0,0,0,0],
                    [-h*e,-h*e,-h*e,0,2^(1338),0,0,0],
                    [-h1,0,0,0,0,2^1338,0,0],
                    [0,-h2,0,0,0,0,2^1338,0],
                    [0,0,-h3,0,0,0,0,2^1338]])
# e_*d_-k1*n1,n1
    res = M.LLL()
    d = int(res[0][3]//2^766) + h
    if b'ACTF' in long_to_bytes(ZZ(pow(c,d,n1))):
        print(long_to_bytes(ZZ(pow(c,d,n1))))
【CTF】2023Ciscn WEB方向题解
Sapphire037的博客
05-29 2607
比赛体验一般,一黑灯基本上题都烂掉。
[ACTF2020 新生赛]Upload
2301_80156923的博客
12-17 387
尝试修改后缀为:php1,php2, php3, php4, php5, phps, pht, phtm, phtml。说明只能上传jpg,png,gif等后缀的文件,那接下来我们就抓包修改数据包信息,尝试修改文件的类型。经过尝试最后发现后缀改为phtml 文件能够被解析。然后用蚁剑连接,打开终端查看就可以获得flag。鼠标移到灯泡上显示可以上传文件。该题可在BUUCTF里找到。先上传一个php文件试试。
[2022 ACTF]web题目复现
cosmoslin的博客
07-06 1732
查看dockerfile发现题目使用环境为goahead5.1.4,联想到p神对于该漏洞的复现记录,我们有两种方法解题:GoAhead环境变量注入复现踩坑记hack.c 编译 exp.py exp.py 简单看一下代码逻辑:server.js 整个题目通过websockets通信,当api为getflag时传入flagbot 这里发现admin登录没有任何限制,那么我们登录admin再传入getflag即可 原型链污染: xss: ToLeSion 考点: TLS-Poison 一篇文章带你读懂 TLS
[AmateursCTF 2023] 太难了
weixin_52640415的博客
07-21 741
MT19937 梅森旋转randint的取值过程
ACTF2023 Cypto
qq_41626232的博客
10-30 591
也是稍微花了一点时间给队里面的密码签到一下。
爬虫学习笔记(十五)——加密解密
别呀的博客
07-25 2954
文章目录一、概念和作用1.1、概念1.2、**作用**1.3、常用加密方式二、字符编码2.1、进制间转换方法(python)2.2、unicode三、Base64编码原理3.1、概念3.2、作用3.3、Base64编码表3.4、文本到base64格式的转换3.5、BASE64编码补码四、单向加密4.1、概念4.2、常见方法4.2.1、md5加密4.2.2、sha加密五、对称加密5.1、概念与简介5.2、DES5.2.1、概念5.2.2、DES加密原理5.2.3、python实现DES加密 一、概念和作用 1
【密码学RSA】DASCRF八月挑战赛_ezRSA
serendipity1130的博客
09-07 776
1.nc远程连接: nc node4.buuoj.cn 29831 2.查看task: from secret import flag from Crypto.Util.number import * from random import getrandbits from hashlib import sha256 class EzRsa: def __init__(self): self.E = 0x10001 self.P = getPrime(
[SWPUCTF 2023 秋季新生赛] WEB 部分题目复现
m0_63138919的博客
10-22 411
本文为2023年SWPU NSS 秋季招新赛 (校外赛道) 的部分题解复现 针对自己没做出来的
[ACTF2020 新生赛]Upload1
2201_75556700的博客
09-11 809
1、点开题目链接,页面显示如下,上传test.jpg里面包含一句话木马。3、不关浏览器的代理,在bp中将该包放行。2、使用bp抓包修改后缀,点击发送。5、在根目录中找到flag。
ACTF2022 rsa leak
m0_62506844的博客
07-12 1353
之前是不想写这个wp的,但是这两天突然想起来这道题发现没有留exp,怕下次遇到,浅记一下 首先对于leak(rp,rq),可以通过某种手段,来找到rp和rq n很小可以直接分解 首先是打表爆破: 得到 rp=405771 rq=11974933 网上学到了一种新方法 中间相遇攻击哇塞这个不就是打表爆破吗,还以为能学到新东西!!? 知道rp和rq后,可以参考论文 A New Attack on Special-Structed RSA Primes 伪代码: 复现: 下面给出不用论文的wp: 每次复现论文
matlab的90个实例.rar_actf8x_matlab基础知识的90个实例
09-24
MATLAB(Matrix Laboratory)是一种强大的数学计算软件,广泛应用于工程计算、数据分析、算法开发和图形化界面构建等领域。本资源“matlab的90个实例.rar”提供了MATLAB的基础知识,通过90个实例帮助初学者掌握其...
actf_2019_babyheap
qq_53062301的博客
08-22 295
和之前一道堆题目比较像也是一道uaf题目,题目也是一道经典菜单题目,也是具有create,delete,printf,exit四个功能,create函数中会申请两个chunk,其中一个大小为0x10,另一个大小供用户输入,0x10的大小chunk中保存了一个指向输入处的指针,还保存了一个函数指针,printf函数中调用了这个指针,delete函数中没有将指针置空,存在uaf漏洞,大致思路就是申请两个大于0x10的chunk,然后释放,再申请一个0x10大小的chunk,系统就会把之前两个0x10大小的chu
自助餐剩余食品识别图像分割系统:教学内容全覆盖
sgcsdn99的博客
11-04 1364
数据集信息展示在本研究中,我们使用的数据集名为“9_5_Merged”,该数据集专门用于训练改进YOLOv8-seg的自助餐剩余食品识别图像分割系统。该数据集包含71个类别,涵盖了丰富多样的食品种类,旨在提高模型对不同类型剩余食品的识别和分割能力。通过对这些类别的细致划分,我们希望能够实现更高精度的图像分割,进而优化自助餐剩余食品的管理和利用。
【anaconda】使用记录
zhuyan108的博客
11-05 309
window11 下安装anaconda。
探索 Python 的新天地:Helium 库揭秘
AIGC搞起
11-04 793
在自动化测试和网页交互的领域,Selenium 是一个强大的工具,但它的复杂性和陡峭的学习曲线让许多开发者望而却步。Helium库的出现,以其简洁的 API 和易用性,为 Python 开发者提供了一个新的选择。它不仅简化了 Selenium 的使用,还自带 WebDriver,减少了配置的复杂性。Helium 以其简洁的 API 和易用性,为 Python 开发者提供了一个强大的 Selenium 替代方案。它不仅减少了代码量,还简化了 WebDriver 的管理,使得自动化测试和网页交互变得更加容易。
01_IAR新建CC2530工程
nanxl1的博客
11-02 1041
由于很多Zigbee商家提供的教程未有从零建立CC2530工程的讲解,可能会导致后面的开发中出现一些琐碎的问题。本文将以**LED流水灯**为例,从0到1用**IAR**建立CC2530工程。
Python小游戏21——拼图小游戏
cxh666888_的博客
11-05 990
如果图像大小不同,你需要调整tile_size和图像缩放代码。初始化Pygame:使用pygame.init()来初始化Pygame库,这是使用Pygame进行任何游戏开发的第一步。更新屏幕:使用pygame.display.flip()或pygame.display.update()来更新屏幕显示。调整图像大小:使用pygame.transform.scale()来调整图像的大小,以适应拼图游戏的需求。设置屏幕尺寸:使用pygame.display.set_mode()来设置游戏的屏幕尺寸和模式。
cleanfid库的fid使用,及其使用CLIP模型clip_vit_b_32计算FID
百年孤独百年的博客
11-02 971
这篇博客详细介绍了如何使用 cleanfid 库计算 Fréchet Inception Distance (FID),特别是利用 CLIP 模型 clip_vit_b_32 计算 FID 分数来评估生成图像的质量。内容涵盖了 FID 的概念和原理、cleanfid 库的安装与配置、从缓存中加载与手动加载模型的方法,以及解决可能遇到的依赖问题。通过这篇教程,可以掌握使用 cleanfid 库计算fid的完整流程,并能够解决服务器环境中遇到的联网与模型下载问题。
Python的自然语言生成与对话系统介绍
最新发布
余生的博客
11-05 696
自然语言生成(Natural Language Generation,NLG)和对话系统是人工智能领域的重要研究方向。NLG 涉及将计算机理解的信息转换为自然语言文本,而对话系统则涉及计算机与用户之间的自然语言交互。Python 作为一种易于学习、易于使用的编程语言,在这两个领域中发挥了重要作用。核心概念与联系核心算法原理和具体操作步骤数学模型公式详细讲解具体最佳实践:代码实例和详细解释说明实际应用场景工具和资源推荐总结:未来发展趋势与挑战。
ACTF gogogo
09-06
ACTF是指Attack and Defense CTF,是一种网络安全竞赛形式。在ACTF比赛中,参赛队伍需要在规定的时间内攻击对手的系统并保护自己的系统免受攻击。参赛队伍需要在攻防过程中发现漏洞、修补漏洞、攻击对手并保护自己的...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值