2021红帽杯 wp(持续更新~~)

2021红帽杯wp


前言:

  • 博客园不能用好久了,无奈转51cto
  • 以后尽量wp写详细一点,帮助自己,也帮助更多的人看懂
  • 欢迎交流

misc

EBCDIC


签到题,很多人不看文件名,直接就点开看内容

啌亣捆咇凁攨mpm檯剤仯蝠蝰?

第一个印象就是乱码,然后就一顿乱操作,但是题目已经给信息,这个是EBCDIC码,可能有些人不知道这个,可以借助搜索引擎,关于怎么转码这个,可以写脚本,借助linux,office直接打开,010转码都行,我这里用010转码

2021红帽杯 wp(持续更新~~)

colorful_code


附件是data1文件和data2两个文件,先010分析一下

data1的数据大致如下

2021红帽杯 wp(持续更新~~)

data2的数据大致如下

2021红帽杯 wp(持续更新~~)

这里在不知道原理的情况情况下,只能猜,data2的前60字节没有什么特别的规律,但是后面的基本就是3个相同一组,data前60字节中最大为ff,又因为后面3个一组,很容易联想到是rgb!!!如果是rgb的情况,如何确保像素点的位置?data1的数据都是可见字符,那么很有可能就是告诉我们像素点的位置,编写脚本处理一下

from PIL import Image

f_data1 = open('data1','r').read()
data1 = f_data1.split(' ')[:-1]

f_data2 = open('data2','rb').read()
data2 = f_data2

res = []
for i in range(len(data2)//3):
    rgb = data2[i*3:(i+1)*3]
    r,g,b = rgb[0],rgb[1],rgb[2]
    res.append((r,g,b))

#print(res)
img = Image.new('RGB',(37,191),(255,255,255))
for i in range(37):
    for j in range(191):
        img.putpixel((i,j),res[int(data1[i*191+j])])
img.show()
img.save('flag.png')

得到图片

2021红帽杯 wp(持续更新~~)

npiet的图片编程语言 ,在线网站解密一下: BertNase's Own - npiet fun!

2021红帽杯 wp(持续更新~~)

PicPic


附件太大。。。

crypto

primegame


from decimal import *
import math
import random
import struct
from flag import flag

assert (len(flag) == 48)
msg1 = flag[:24]
msg2 = flag[24:]
primes = [2]
for i in range(3, 90):
    f = True
    for j in primes:
        if i * i < j:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

getcontext().prec = 100
keys = []
for i in range(len(msg1)):
    keys.append(Decimal(primes[i]).ln())

sum_ = Decimal(0.0)
for i, c in enumerate(msg1):
    sum_ += c * Decimal(keys[i])

ct = math.floor(sum_ * 2 ** 256)
print(ct)

sum_ = Decimal(0.0)
for i, c in enumerate(msg2):
    sum_ += c * Decimal(keys[i])

ct = math.floor(sum_ * 2 ** 256)
print(ct)

国外比赛的一个题,几乎就是一模一样,具体的原理可以看

https://github.com/pcw109550/write-up/tree/master/2020/KAPO/Baby_Bubmi

exp可用以下这位大佬的

http://www.secmem.org/blog/2020/09/20/poka-science-war-hacking/

import math
from decimal import *
import random
import struct

getcontext().prec = int(100)

primes = [2]
for i in range(3, 100):
    f = True
    for j in primes:
        if i * i < j:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

keys = []
for i in range(len(primes)):
    keys.append(Decimal(int(primes[i])).ln())

arr = []
for v in keys:
    arr.append(int(v * int(16) ** int(64)))

ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453

def encrypt(res):
    h = Decimal(int(0))
    for i in range(len(keys)):
        h += res[i] * keys[i]

    ct = int(h * int(16)**int(64))
    return ct

def f(N):
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64

    A[ln, ln] = ct // N

    res = A.LLL()

    for i in range(ln + 1):
        flag = True
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            vec = [int(v + 64) for v in res[i][:-1]]
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
            else:
                print("NO", ret, bytes(vec))

for i in range(2, 10000):
    print(i)
    f(i)

hpcurve


import struct
from random import SystemRandom

p = 10000000000000001119
R.<x> = GF(p)[]
y=x
f = y + y^7
C = HyperellipticCurve(f, 0)
J = C.jacobian()

es = [SystemRandom().randrange(p**3) for _ in range(3)]
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]
q = []

def clk():
    global Ds,es
    Ds = [e*D for e,D in zip(es, Ds)]
    return Ds

def generate():

    u,v = sum(clk())
    rs = [u[i] for i in range(3)] + [v[i] for i in range(3)]
    assert 0 not in rs and 1 not in rs
    q = struct.pack('<'+'Q'*len(rs), *rs)
    return q

flag = "flag{xxxxxxx}"
text = 'a'*20+flag
t = ''
keys = generate()
leng = len(keys)
i = 0
for x in text:
    t += chr(ord(keys[i%leng])^^ord(x))
    i+=1
print t.encode('hex')
#for x,y in zip(RNG(),flag):

这个题居然也有原题,但是稍微不一样,改一下即可

hxp CTF 2020 - hyper | Joseph Surin | Joseph Surin Personal Blog (jsur.in)

import itertools
import struct

p = 10000000000000001119

R.<x> = GF(p)[]; y=x
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
known_pt = b"a"*20 + b"flag"

rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]

RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]

for rs in itertools.product(*vi):
    q = struct.pack('<'+'Q'*len(rs), *rs)

    flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))
    print(flag)

re

直接被题目ak,后续复现~

pwn

只解出一个,后续有时间再一起复现~

web

find-it


访问robots.txt,发现

When I was a child,I also like to read Robots.txt
Here is what you want:1ndexx.php

这个地方提示访问1ndexx.php,但是直接访问直接500,伪协议读取也不知道传参是什么,并且可能过滤了相关字样,就无解了,后来睡醒后想到可能隐含泄露信息,通过尝试,发现vim文件泄露

.1ndexx.php.swp

得到源码

```php+HTML
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
background-color: white;
text-align: center;
padding: 50px;
font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}

#logo {
    margin-bottom: 40px;
}
</style>

</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
die("you die");
}
if(strlen($a)>33){
die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>


通过code传参, 写入code的请求到hack.php,先

/?code=<?php phpinfo();



然后访问hack.php即可

~~**本人非web选手,其他web的wp可见其他师傅的wp**~~(其实就是不会)
上一篇:WordPress搭建安装


下一篇:5.6Misc wp