第七届XCTF国际网络攻防联赛总决赛
Post一下final做的一些题目。
Crypto
TSA
只需要向server发送\(t^e\cdot c\;mod\;n\)即可绕过限制,然后解得\(t\cdot flag\),除以\(t\)就是flag了,exp中\(t\)取的2:
from Crypto.Util.number import *
from pwn import *
e = 65537
sh = remote('172.35.3.154',10002)
n = int(sh.recvline().decode())
sh.recvuntil(b'>')
sh.sendline(b'1')
c = sh.recvline()
print(c)
c = c[19:-16].decode()
print(c)
c = int(c)
t = pow(2,e,n) * c % n
sh.recvuntil(b'>')
sh.sendline(b'2')
sh.sendline(str(t).encode())
m = sh.recvline()
print(m)
m = m[25:-48]
print(m)
print(long_to_bytes(int(m)//2))
# flag{9162ac59-fc92-4937-8fef-1669cddcaacf}
Three
一个简单的三方安全协议,理论上知道两方的交互信息就能得到所有秘密,但是题目的形式偏向misc,很多表述不清楚,让人做的难受...
根据Save_Data()函数:
def Save_Data(self):
#This is a default and optional function
#Compress all data once rebuild the function's answer
pwd=str(datetime.datetime.now())
pass
猜测压缩包密码大约就是在出题的时间附近,根据压缩包时间掩码爆破一下得到C的密码:2022-08-27 20:16:17.930813. 利用A C的信息能够还原flag,思路见exp:
from Crypto.Util.number import *
def Mul_loc_compute(x1, y1, x2, y2):
mulx = x1 * y1 + x1 * y2 + x2 * y1
return mulx
A0 = 28829613228241459
# 利用C中的掩码计算Y02
Y02 = 924422050091362838179268571917871 - 507036073644
A00 = 200254991086689
A01 = 200241552690281
A02 = A0 - A00 - A01
X00 = 200058430391504
X01 = 200401773940794
C02 = 924422050091355025836012334663090
# 这里需要去理解函数Mul_loc_compute,他接收的参数是Ai和Xi作为xi和yi
X02 = (C02 - A02 * X00) // (A02 + A00)
X0 = X00 + X01 + X02
B00 = 199957680670222
B01 = 200362172648094
B02 = Y02 - C02
B0 = B00 + B01 + B02
# 三段拼接
print(long_to_bytes(A0))
print(long_to_bytes(X0))
print(long_to_bytes(B0))
Misc
maze
from pwn import *
from hashlib import *
import string
import itertools
#context.log_level="debug"
table = string.ascii_letters + string.digits
io = remote('172.35.3.80',11410)
def proof():
s1 = io.recvuntil(b'[+] Plz tell me XXXX:')
p1 = s1.find(b'X+')
p2 = s1.find(b')')
p3 = s1.find(b'== ')
s = s1[p1+2:p2]
h = s1[p3+3:-1]
h = h.decode()
print(h)
print(s)
for i in itertools.product(table, repeat=4):
d = ''.join(i).encode()
dd = d + s
#print(dd)
if sha256(dd).hexdigest() in h:
print(d)
io.sendline(d)
#io.interactive()
break
proof()
io.recvuntil(b'There is your map of maze:\n')
maze = []
for i in range(750):
row = io.recvline()[13:].split()
row = [int(i) for i in row]
#print(row)
#print(len(row))
maze.append(row)
print(len(maze))
print(len(maze[0]))
arr = maze
brr = [[0] * 750 for i in range(0, 750)]
for i in range(0, 750):
for j in range(0, 750):
brr[i][j] = arr[i][j]
for i in range(1, 750):
for j in range(0, 750):
if j == 0:
arr[i][j] += max(arr[i- 1][j], arr[i-1][j+1])
elif j == 749:
arr[i][j] += max(arr[i-1][j], arr[i- 1][j-1])
else:
arr[i][j] += max(arr[i-1][j - 1], max(arr[i-1][j], arr[i-1][j+1]))
print(max(arr[749]))
crr = []
idx = arr[749].index(max(arr[749]))
crr.append(idx)
def has_duplicates(lst):
return len(lst) != len(set(lst))
for i in range(748, -1, -1):
if idx == 0:
if arr[i][idx] > arr[i][idx+1]:
idx = idx
else:
idx = idx + 1
crr.append(idx)
elif idx == 749:
if arr[i][idx] > arr[i][idx-1]:
idx = idx
else:
idx = idx - 1
crr.append(idx)
else:
if arr[i][idx] > arr[i][idx+1]:
m = idx
else:
m = idx + 1
if arr[i][m] > arr[i][idx-1]:
m = m
else:
m = idx - 1
idx = m
crr.append(idx)
crr = crr[::-1]
print('111',io.recvline())
res = ''
sum = 0
for i in range(0, 750):
res = res + ' ' +str(crr[i])
print(f'res = {res}')
io.sendline(res[1:].encode())
print(io.interactive())
# flag{Y0u_@rE_tHe_G@mE_M@aSter_0f_m@Ze}
shop
import numpy as np
from pwn import remote,context
import hashlib
def get_md5(matrix):
# 分割成一个1*14和7*14的矩阵
row1, row2 = matrix[0:1, :], matrix[1:, :]
# 计算每一行与第一行差的和的绝对值
result = np.sum(np.abs(row2[1:] - row2[0]), axis=1)
result = np.array(result)
min_value = np.min(result)
# 获取最小值在数组中的位置
min_indices = np.where(result == min_value)[0] + 1
# print("最小值{}在result中的位置是矩阵第{}行".format(min_value, min_indices + 1))
#获取最小值所在矩阵行的值
row = row2[min_indices]
# print(row)
# 找到row1中值为0的位置
zero_indices = np.where(row1 == 0)
# 将0位置替换成row中对应位置的值
row1[zero_indices] = row[zero_indices]
# print(row1)
flag = ''.join([str(i) for i in row1[0]])
# print(flag)
flag_md5 = hashlib.md5(flag.encode()).hexdigest()
return flag_md5
while True:
#context.log_level = "DEBUG"
r = remote('172.35.3.120',11409)
r.sendlineafter(b"please?", b"1234")
for i in range(10):
r.sendlineafter(b"Please input your good number:", b"0")
for i in range(20):
r.sendlineafter(b"Please input your good number:", b"3")
# r.recvall()
r.sendlineafter(b"Your answer is(Y/N):", b"y")
r.recvuntil(b'beginmatrix')
matrix = r.recvline().strip()
matrix = r.recvline().strip().decode()
matrix = matrix.split(',')
matrix = [int(i.strip('[').strip(']').strip(' ').strip('[').strip(']')) for i in matrix]
# print((matrix))
matrix = np.array(matrix)
matrix = matrix.reshape(8,14)
r.sendlineafter(b'Now, what is your answer?',get_md5(matrix))
c = r.recvline()
if b'flag{' in c:
print(c)
break
