2021红帽杯wp
前言:
- 博客园不能用好久了,无奈转51cto
- 以后尽量wp写详细一点,帮助自己,也帮助更多的人看懂
- 欢迎交流
misc
EBCDIC
签到题,很多人不看文件名,直接就点开看内容
啌亣捆咇凁攨mpm檯剤仯蝠蝰?第一个印象就是乱码,然后就一顿乱操作,但是题目已经给信息,这个是EBCDIC码,可能有些人不知道这个,可以借助搜索引擎,关于怎么转码这个,可以写脚本,借助linux,office直接打开,010转码都行,我这里用010转码
colorful_code
附件是data1文件和data2两个文件,先010分析一下
data1的数据大致如下
data2的数据大致如下
这里在不知道原理的情况情况下,只能猜,data2的前60字节没有什么特别的规律,但是后面的基本就是3个相同一组,data前60字节中最大为ff,又因为后面3个一组,很容易联想到是rgb!!!如果是rgb的情况,如何确保像素点的位置?data1的数据都是可见字符,那么很有可能就是告诉我们像素点的位置,编写脚本处理一下
from PIL import Image
f_data1 = open('data1','r').read()
data1 = f_data1.split(' ')[:-1]
f_data2 = open('data2','rb').read()
data2 = f_data2
res = []
for i in range(len(data2)//3):
rgb = data2[i*3:(i+1)*3]
r,g,b = rgb[0],rgb[1],rgb[2]
res.append((r,g,b))
#print(res)
img = Image.new('RGB',(37,191),(255,255,255))
for i in range(37):
for j in range(191):
img.putpixel((i,j),res[int(data1[i*191+j])])
img.show()
img.save('flag.png')得到图片
npiet的图片编程语言 ,在线网站解密一下: BertNase's Own - npiet fun!,
PicPic
附件太大。。。
crypto
primegame
from decimal import *
import math
import random
import struct
from flag import flag
assert (len(flag) == 48)
msg1 = flag[:24]
msg2 = flag[24:]
primes = [2]
for i in range(3, 90):
f = True
for j in primes:
if i * i < j:
break
if i % j == 0:
f = False
break
if f:
primes.append(i)
getcontext().prec = 100
keys = []
for i in range(len(msg1)):
keys.append(Decimal(primes[i]).ln())
sum_ = Decimal(0.0)
for i, c in enumerate(msg1):
sum_ += c * Decimal(keys[i])
ct = math.floor(sum_ * 2 ** 256)
print(ct)
sum_ = Decimal(0.0)
for i, c in enumerate(msg2):
sum_ += c * Decimal(keys[i])
ct = math.floor(sum_ * 2 ** 256)
print(ct)国外比赛的一个题,几乎就是一模一样,具体的原理可以看
https://github.com/pcw109550/write-up/tree/master/2020/KAPO/Baby_Bubmi
exp可用以下这位大佬的
http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/
import math
from decimal import *
import random
import struct
getcontext().prec = int(100)
primes = [2]
for i in range(3, 100):
f = True
for j in primes:
if i * i < j:
break
if i % j == 0:
f = False
break
if f:
primes.append(i)
keys = []
for i in range(len(primes)):
keys.append(Decimal(int(primes[i])).ln())
arr = []
for v in keys:
arr.append(int(v * int(16) ** int(64)))
ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453
def encrypt(res):
h = Decimal(int(0))
for i in range(len(keys)):
h += res[i] * keys[i]
ct = int(h * int(16)**int(64))
return ct
def f(N):
ln = len(arr)
A = Matrix(ZZ, ln + 1, ln + 1)
for i in range(ln):
A[i, i] = 1
A[i, ln] = arr[i] // N
A[ln, i] = 64
A[ln, ln] = ct // N
res = A.LLL()
for i in range(ln + 1):
flag = True
for j in range(ln):
if -64 <= res[i][j] < 64:
continue
flag = False
break
if flag:
vec = [int(v + 64) for v in res[i][:-1]]
ret = encrypt(vec)
if ret == ct:
print(N, bytes(vec))
else:
print("NO", ret, bytes(vec))
for i in range(2, 10000):
print(i)
f(i)hpcurve
import struct
from random import SystemRandom
p = 10000000000000001119
R.<x> = GF(p)[]
y=x
f = y + y^7
C = HyperellipticCurve(f, 0)
J = C.jacobian()
es = [SystemRandom().randrange(p**3) for _ in range(3)]
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
q = []
def clk():
global Ds,es
Ds = [e*D for e,D in zip(es, Ds)]
return Ds
def generate():
u,v = sum(clk())
rs = [u[i] for i in range(3)] + [v[i] for i in range(3)]
assert 0 not in rs and 1 not in rs
q = struct.pack('<'+'Q'*len(rs), *rs)
return q
flag = "flag{xxxxxxx}"
text = 'a'*20+flag
t = ''
keys = generate()
leng = len(keys)
i = 0
for x in text:
t += chr(ord(keys[i%leng])^^ord(x))
i+=1
print t.encode('hex')
#for x,y in zip(RNG(),flag):这个题居然也有原题,但是稍微不一样,改一下即可
hxp CTF 2020 - hyper | Joseph Surin | Joseph Surin Personal Blog (jsur.in)
import itertools
import struct
p = 10000000000000001119
R.<x> = GF(p)[]; y=x
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
known_pt = b"a"*20 + b"flag"
rng_output = bytes(e^^m for e,m in zip(enc, known_pt))
blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]
L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]
RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]
for rs in itertools.product(*vi):
q = struct.pack('<'+'Q'*len(rs), *rs)
flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))
print(flag)re
直接被题目ak,后续复现~
pwn
只解出一个,后续有时间再一起复现~
web
find-it
访问robots.txt,发现
When I was a child,I also like to read Robots.txt
Here is what you want:1ndexx.php这个地方提示访问1ndexx.php,但是直接访问直接500,伪协议读取也不知道传参是什么,并且可能过滤了相关字样,就无解了,后来睡醒后想到可能隐含泄露信息,通过尝试,发现vim文件泄露
.1ndexx.php.swp得到源码
```php+HTML
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}
#logo {
margin-bottom: 40px;
}
</style></head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>
通过code传参, 写入code的请求到hack.php,先
/?code=<?php phpinfo();
然后访问hack.php即可
~~**本人非web选手,其他web的wp可见其他师傅的wp**~~(其实就是不会)