HNCTF2022

终于打完祥云杯了,两天的比赛真的累。这是之前做的一个联合新生赛,借这个新人友好的比赛学习了一下逆向的基础题型;crypto做完了,但只记录稍微复杂的题目。misc原本是想学python jail,但是捣鼓半天也只会简单的,希望有wp可以复现。

Misc

[Week1]silly_zip

zip文件是伪加密,但是他把前后都改了,所以两边都要把1改成0;解开以后是一张bmp图片,尝试查看低位隐写,没有找到;猜测是改变了图片的宽或者高,参考链接,计算正确的高度位77h,修改即可看见flag,这里我在没计算的情况下直接把高改大是失败的,应该是高度不能改的超过原本的大小,否则文件的大小就异常了。

[Week1]开局一张图(OSINT)

首先直接去百度搜索该图片,找到胶东屋脊,苹果之都,遂百度发现是烟台栖霞;根据栖霞地图可知湖应该是长春湖,以下信息百度很容易找到:湖的原名为庵里水库,因丘处机而得名,2010年设立旅游度假区。比较麻烦的是一和六两个问题,第六个问题必须找到该烟台政府网站上的title,其他新闻网站上的均不正确;而第一个问题很容易认为是苹果公园,因为图片里有三个苹果并且苹果公园的地标也是类似的大苹果;根据hint以及不断地搜索,找到滨湖公园,终于正确。
所以flag为nssctf{滨湖公园-长春湖-庵里水库-丘处机-2010-环长春湖2012山东省公路自行车锦标赛}

[Week1]线下单杀出题人(OSINT)

首先用EXIF查看A原图信息,得到拍摄经纬度为30 deg 47’ 12.96” N, 120 deg 44’ 23.48” E,定位发现是在嘉兴汽车北站,因为B图看起来像是公园,所以直接找周围的公园可定位到穆湖森林公园。在汽车北站和公园附近的酒店挨个排查,通过水壶和室内装饰锁定为亚芬汀精品酒店。

1
2
3
4
from hashlib import *
s = '嘉兴市南湖区禾兴北路506号亚芬汀精品酒店'.encode()
h = md5(s).hexdigest()
print(h)

[Week1]python2 input(JAIL)

1
2
3
eval(input())
__import__('os').system('ls')
__import__('os').system('cat flag')

[Week1]calc_jail_beginner_level1

过滤了i和b以及单双引号;

做了一些尝试,比如用chr来拼接出eval(‘input()’):

1
2
3
4
5
6
7
8
9
eval("eval(input())")

eval("eval('input()')")
是不一样的
前者执行的是 eval(input())
后者 eval("eval")这一层等价于eval,于是最终执行的是 eval('input'),所以只有input的效果了
当然如果是
eval("input()")
那么只会返回输入的字符串

最后采取读文件的方式绕过,简单粗暴…

1
open(chr(102)+chr(108)+chr(97)+chr(103)).read()

本质上eval只会执行一次,那么只需要把文件名用chr拼接即可,其他部分不能用chr拼接,否则返回的是命令的字符串。

[Week1]calc_jail_beginner_level2

payload长度不大于13,用input即可:

1
2
eval(input())
__import__('os').system('cat flag')

[WEEK2]Baldi’s Basics

1000次加减乘除,存一个比较简约的脚本以后直接用。

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *

io = remote('1.14.71.254',28715)
io.recvuntil(b'!\n')

for i in range(1000):
    print(i)
    io.recvline()
    r = io.recvline().strip()
    tmp = eval(r)
    io.sendline(str(tmp).encode())

io.interactive()

[WEEK3]看不见的代码

https://vii5ard.github.io/whitespace/解密。

[WEEK3]神秘的压缩包

crc32爆破,取可读字符拼接为:

1
passwordisClassicalencryptionishint6

得到密码解压,里面是一段可见乱码,和flag对照一下ascii码发现相差9,解密即可:

1
2
3
c = "]cX^r:X\jXiV`jVm\ipV`ek\ijk`e^t"
for i in c:
    print(chr(ord(i)+9),end='')

Re

[WEEK2]Easy_Android

jadx反编译整个apk,定位和flag有关的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public boolean checkSN(String userName, String sn) {
    if (userName == null) {
        return false;
    }
    try {
        if (userName.length() == 0 || sn == null || sn.length() != 22) {
            return false;
        }
        MessageDigest digest = MessageDigest.getInstance("MD5");
        digest.reset();
        digest.update(userName.getBytes());
        String hexstr = toHexString(digest.digest(), "");
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hexstr.length(); i += 2) {
            sb.append(hexstr.charAt(i));
        }
        if (("flag{" + sb.toString() + "}").equalsIgnoreCase(sn)) {
            return true;
        }
        return false;
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
        return false;
    }
}

这里就是把username做了个md5哈希,然后取偶数下标的字符进行拼接,和sn进行比对,若一致则返回true,那么这个sn其实也就是flag了。写个python脚本即可:

1
2
3
4
5
6
from hashlib import *

user = 'Tenshine'
h = md5(user.encode()).hexdigest()
for i in range(0,len(h),2):
    print(h[i],end='')

[WEEK2]Packet

upx -d脱壳,base64加密,但是它把base表的大小写字母顺序换了,所以把密文的大小写交换解密即可。

1
2
3
4
5
6
import base64

s = 'TlJRQFBBdTs4alsrKFI6MjgwNi5p'
s = base64.b64decode(s)
for i in range(len(s)):
    print(chr(s[i]+i),end='')

[WEEK2]来解个方程?

解22维的矩阵方程即可,我用的sagemath,也可以用z3但是应该挺慢的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from sage.all import *

f = open("xishu.txt",'r')
m = []
v = []
L0 = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
L1 = [0,0,0,0,0,0,0,0,0,0,0,0,0]
L2 = [0,0,0,0,0,0,0,0,0,0,0]
L3 = [0,0,0,0]
for i in range(6):
    tmp = [int(j) for j in f.readline().strip().split(' ')]
    v.append(int(tmp[-1]))
    tmp1 = L0 + [tmp[-2]] + tmp[:-2]
    #print(tmp1)
    m.append(tmp1)
for i in range(9):
    tmp = [int(j) for j in f.readline().strip().split(' ')]
    v.append(int(tmp[-1]))
    
m1 = [[191,212,153,342,490,325,485,56,202],[22,348,185,134,153,24,22,460,207],[100,177,231,489,339,433,311,164,154],[82,257,337,68,466,470,22,270,360],[54,246,235,468,91,151,73,92,197],[343,241,377,131,243,233,55,376,242],[61,356,200,5,458,136,301,284,364],[71,154,55,406,107,17,80,71,66],[99,335,201,63,494,197,280,409,56]]
for i in m1:
    tmp = i[:4] + [0,0,0,0,0,0,0] + i[4:] + [0,0,0,0,0,0]
    m.append(tmp)
    #print(tmp)
for i in range(6):
    tmp = [int(j) for j in f.readline().strip().split(' ')]
    v.append(int(tmp[-1]))
    tmp1 = L3 + [tmp[-2]] + tmp[:-2] + L2
    #print(tmp1)
    m.append(tmp1)

v.append(1005746)
m.append(L3+[1173,186,2712,2136,3584,138,98]+L2)
mt = matrix(ZZ,m)
print(mt)
vec = vector(v)
print(vec)
sov = mt.solve_right(vec)
print(sov)
print(mt.rank())

[WEEK2]getflag

点击很多下能够出flag,所以静态patch修改条件即可,那么我们可以把条件改为点击次数大于1即出flag:

patch之后要记得apply patch to…

[WEEK2]e@sy_flower

最常见的花指令,参考链接,改为nop以后要用快捷键p创建函数,得到伪代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  signed int v3; // kr00_4
  int i; // edx
  char v5; // cl
  unsigned int j; // edx
  int v7; // eax
  char v8; // [esp+0h] [ebp-44h]
  char v9; // [esp+0h] [ebp-44h]
  char Arglist[48]; // [esp+10h] [ebp-34h] BYREF

  sub_401020("please input flag\n", v8);
  sub_401050("%s", (char)Arglist);
  v3 = strlen(Arglist);
  for ( i = 0; i < v3 / 2; ++i )
  {
    v5 = Arglist[2 * i];
    Arglist[2 * i] = Arglist[2 * i + 1];
    Arglist[2 * i + 1] = v5;
  }
  for ( j = 0; j < strlen(Arglist); ++j )
    Arglist[j] ^= 0x30u;
  v7 = strcmp(Arglist, "c~scvdzKCEoDEZ[^roDICUMC");
  if ( v7 )
    v7 = v7 < 0 ? -1 : 1;
  if ( !v7 )
  {
    sub_401020("yes", v9);
    exit(0);
  }
  sub_401020("error", v9);
  exit(0);
}

先异或再置换:

1
2
3
4
5
6
7
8
9
c = 'c~scvdzKCEoDEZ[^roDICUMC'
len = 24
l = [chr(0x30^ord(i)) for i in c]

for i in range(0,12):
    tmp = l[2*i]
    l[2*i] = l[2*i + 1]
    l[2*i + 1] = tmp
print(''.join(l))

[WEEK2]TTTTTTTTTea

Tea加密算法。
注意整数类型内部存储:低地址存储低位,高地址存储高位。比如int a=1,则存储情况为0000(高地址) 0000 0000 0001(低地址)。所以key应该是unsigned int key1[4] = { 0x00010203,0x04050607,0x08090A0B,0x0C0D0E0F}尝试解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#include<stdio.h>
#include<stdint.h>
#define DELTA 0x9981abcd

void tea_encrypt(unsigned int* v, unsigned int* key) {
    unsigned int l = v[0], r = v[1], sum = 0;
    for (size_t i = 0; i < 32; i++) { //进行32次迭代加密,Tea算法作者的建议迭代次数
        l += (((r << 4) ^ (r >> 5)) + r) ^ (sum + key[sum & 3]);
        sum += DELTA; //累加Delta的值
        r += (((l << 4) ^ (l >> 5)) + l) ^ (sum + key[(sum >> 11) & 3]); //利用多次双位移和异或将明文与密钥扩散混乱,并将两个明文互相加密
    }
    v[0] = l;
    v[1] = r;
}

void tea_decrypt(unsigned int* v, unsigned int* key) {
    unsigned int l = v[0], r = v[1], sum = 0;
    sum = DELTA * 32; //32次迭代累加后delta的值
    for (size_t i = 0; i < 32; i++) {
        r -= (((l << 4) ^ (l >> 5)) + l) ^ (sum + key[(sum >> 11) & 3]);
        sum -= DELTA;
        l -= (((r << 4) ^ (r >> 5)) + r) ^ (sum + key[sum & 3]);
    }
    v[0] = l;
    v[1] = r;
}


int main(int argc, char const* argv[]){
{
    unsigned int key1[4] = { 0x00010203,0x04050607,0x08090A0B,0x0C0D0E0F };//key1
    unsigned int v1[2] = { 876839116,-1532163725};
    
    tea_decrypt(v1, key1);
    printf("tea_decrypt:%x %x\n", v1[0], v1[1]);
    return 0;
}
}

Crypto

[Week1]littleprince

enc就是循环右移32位,每次enc完再右移得到的x其实就是flag的32位;并且题目的每组p和q都是质数,可以通过crt求出每轮的x;注意有几轮32位的x大于p乘q,即在crt求出结果以后要再加上一个pq才是正确结果。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from Crypto.Util.number import *
from sympy.ntheory.modular import *
import string

table = string.printable

f = open('output.txt','r')
data = []
flag_ = ''
for i in range(14):
    tmp = [int(j) for j in f.readline().strip().split(' ')]
    mod = [tmp[0],tmp[1]]
    c = [tmp[2],tmp[3]]
    print(mod)
    print(c)
    # for ii in mod:
    #     print(isPrime(ii))
    m = crt(mod,c)
    print(m)
    m_ = m[0]
    print(long_to_bytes(m_))
    if i == 2 or i == 5 or i == 8:
        t = str(long_to_bytes(m_+m[1]))[2:-1]
    else:
        t = str(long_to_bytes(m_))[2:-1]
    flag_ = flag_ + t
print(flag_)

flag = ''
for i in range(len(flag_),0,-4):
    print(flag_[i-4:i])
    flag = flag + flag_[i-4:i]
print(flag)

[WEEK2]Chaos

加密的第二部分时间戳t是和0x66进行异或的,所以可以还原20位时间戳,并通过预测伪随机数还原enc;拿到enc之后我通过正向爆破获得了置换群,再逆运算mix还原flag。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
from hashlib import md5
import random
from functools import reduce

know = 'VVWPPRPUPTSQHW__WUQT'
for i in range(20):
    tmp = chr(ord(know[i])^0x66)
    print(tmp,end='')
print()
t = '001664636257.1991372'
s = 'NSSCTF{'
random.seed(md5((s+t).encode()).hexdigest())

f = open('output','rb').read()
flag_len = len(f) - 20
print(flag_len)
rnd = [random.getrandbits(8) for _ in range(flag_len)]
enc = bytes([i^j for (i,j) in zip(f,rnd)])
enc = str(enc)[2:-1]
print(enc)


def mix(k,msg):
    tmp = ''.join(reduce(lambda a,b:a+b,[[msg[j] for j in range(i,len(msg),9)] for i in k]))
    return tmp

# 正向爆破置换
# import itertools
#
# test = 'NSSCTF{'+'*'*25 + '}'
#
# for k in itertools.permutations([1,2,3,4,5,6,7,8],8):
#     k = [0] + list(k)
#     flag = 'NSSCTF{' + '*' * 25 + '}'
#     for i in range(128):
#         flag = demix(k,flag)
#     #print(flag)
#         if flag[0] == 'N' and flag[3] == 'S' and flag[9] == 'S' and flag[12] == 'T' and flag[15] == 'F' and flag[18] == '}' and flag[25] == '{' and flag[24] == 'C':
#             print(k)

# [0, 6, 8, 7, 3, 1, 5, 2, 4]
# NcnSmPiltSetTniFJw}akhtaC{_s_iu__

# 逆mix,我做的有点复杂
def demix(s):
    tmp = ['*']*33
    p1 = 17
    p2 = 25
    p3 = 13
    p4 = 29
    p5 = 21
    for i in range(4):
        tmp[9*i] = s[i]
        tmp[9*i+1]= s[p1+i]
        tmp[9*i+2]= s[p2+i]
        tmp[9*i+3]= s[p3+i]
        tmp[9*i+4]= s[p4+i]
        tmp[9*i+5]= s[p5+i]

    pp1 = 4
    pp2 = 10
    pp3 = 7

    for i in range(3):
        tmp[9*i+6] = s[pp1+i]
        tmp[9*i+7] = s[pp2+i]
        tmp[9*i+8] = s[pp3+i]
    return ''.join(tmp)

s = 'NcnSmPiltSetTniFJw}akhtaC{_s_iu__'
for i in range(128):
    s = demix(s)
print(s)

[WEEK3]Binomials

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from Crypto.Util.number import *
from gmpy2 import *

n = 0xa65149a38fe4784da050db9390c5cc5d4b9ef376b40e6919b487aadec0bd4c6e683205f3bf1d6bb51fceb9e14965305183229184ec69b4e22b467ad2c08337e81a54219dd40160c9d84a4abdf95e05121a11737570b0924ed8941390a3e1fae259f745b76f4a0a23ece5cbcbda5269d7312329b105cd255d2a2ffaf905d32b6b42e64f1bd67039f526789e9065b41a9426a1e9a6e65746af7c4ca343ddbf1392073b566a37c2e66edeef47ecc4629dee6fa4f5dc839ffa6b2647eb0b6dced42bff46653e7205bf37e89d4c417fd41cf8d315448e593f08e2d1e8d7c4b299ce35f59bf45830f9efdaaf51f726e4466ef0fb583d8c6285b6a04477eba429a7fb81
e1,e2 = 0x10001,0x65537
c1,c2 = 0xa371721c01ab221a30fcf761b3a22cff4cb3401eb76db69743cba2d24225fe3edf05053674039928cf3a2e1ddc58f03cc90c3837cd43281b228952d5c28c5798092550176362fe6474b2f7e8c3af328999688161322d218e39a168dea95c1581ad0c367ce969f1f6531fe12240417350d0b1c7c9b257d261c91548dff2a4f15678585745e0adf9215997dc590999feb03bd32889e92688d2d30ff73edcb67791726f9e0eac9480d48e4e37bfd268fd22200534ece8e3eb59504c8bb4aa6e7153c8476655ee01d5a624f77a6c5149eacd6783ce894798467b2ecefa4199ce40d009817053f6816d36c2dcf985092ef56f2589571fead26e15640add0bc1a885a6,0x2ce039abd666a05b18f2831caca34a6800c495e439553ef40ceed62e881bc23b69b8f7526b57fef2b5fe7299173e5c271e934cb9240b1b5b5a18590be50b6359f5cd08d08607aaa039a37eabebb722dcc85449e335f96d580f936ec9e406b0be5298f8b5244155534a15db5cc8f24abad4acb6bbb83095bd151ef9dd2102a81865e2bb7e705d7f1a8a39f51c3990e20740ff3724bd6c5d52098200a445bf604e477dc3f6e849d1e0021252c52755c8402601020041cdc6f2ffa4cc901ef5ef21e00417a2e586c7d66c65927b67c86f239abe6ee6456a122ef557812dafad26e00ef22069381b3a2755824a1e6e3eb3c5af62316adea1d9ecd64e4f06bbd8926d
c = 0x99b0b0a6a427ed9e3b757ed516f396e4f2f88712a6ff38b954d189aa46642e55fcf550f9e5b378523f98f969ba6a3e70baa13f71ca92b7d0bfc248b22b91ac586f48d930d5c8180acb466a438d4abe338d1fdb6e3521a1ffab07908882e6e245466de85b2469ba6d273a46672c151430a9d5cc0521bf6b648727d5f188662ee130315e92ded631b366de1302b7617b5d132d3732ff7f76c95e7bbbf8f6aca7b15c427b1814778cb5ab7d60b250a4ed718d9d72666220df76205d537fc2672bbf15ffe2c03bb92b2b6bec6ad1cd46862c6bdfa4b2d2c3ff09b5b2d68268078578d2404fdc61c71d7f3fc678530ebcd283ef5594c6ebe44ecd19ba70f517efe69b

# 运算都在modn下进行,否则指数爆炸,计算很慢
t1 = pow(c1*pow(3,e1,n),e2,n)
t2 = pow(c2,e1,n)
q = gcd(t2-t1,n)
print(q)

p = n//q
f = (p-1)*(q-1)
d = invert(e1,f)
print(long_to_bytes(pow(c,d,n)))

[WEEK3]s1mple_block

爆破两字节即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *
from hashlib import *
import string

table = string.ascii_uppercase + string.ascii_lowercase + string.digits

io = remote('1.14.71.254',28683)
def proof():
    s1 = io.recvline()
    print(s1)
    p1 = s1.find(b'X+')
    p2 = s1.find(b')')
    p3 = s1.find(b'== ')
    s = s1[p1+2:p2]
    h = s1[p3+3:-1]
    h = h.decode()
    print(h)
    print(s)
    for i in itertools.product(table, repeat=4):
        d = ''.join(i).encode()
        dd = d + s
        #print(dd)
        if sha256(dd).hexdigest() == h:
            print(d)
            io.sendline(d)
            io.interactive()
proof()

import itertools
import hashlib
from Crypto.Cipher import AES
import binascii

c = b'6c3f85e5307f6aaec56a9cccf0a3c8d98992be4e3086cb4198d284a15ca8e660'
c = binascii.a2b_hex(c)
print(len(c))
print(c)
for i in itertools.product(range(256), repeat=2):
    rand = bytes(i)
    key = hashlib.md5(rand).digest()
    aes = AES.new(key,AES.MODE_ECB)
    tmp = aes.decrypt(c)
    if b'NSS' in tmp:
        print(tmp)

[WEEK3]AnyoneIsOk

给的是100组pem格式的公钥,可以用RSA库去批量提取n e,依次取两个n来求公因子,第22组和第43组存在公因子,即成功分解模数。需要注意这里的填充方式是PKCS1_OAEP,不能以pow(c,d,n)解密,要用Crypto.Cipher.PKCS1_OAEP解密。exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
import Crypto.PublicKey.RSA as RSA
from gmpy2 import *

l = []
for i in range(1,101):
   with open(f"data/{i}.pem", "r") as f:
      ciph = RSA.importKey(f.read())
   n = ciph.n
   e = ciph.e
   l.append(n)

for i in range(1,101):
   with open(f"data/{i}.pem", "r") as f:
      ciph = RSA.importKey(f.read())
   n = ciph.n
   e = ciph.e
   #print(e)
   for nn in l:
      if gcd(nn,n) != 1 and gcd(nn,n) != n:
         print(i,n,nn)

n22 = 18170543972130600065152757040329327385578620426300242180477762789459468642595136972262126726842072396361120565968601326463551691972675513849752672005415858441684424728082649999475766997119635974303450293428428331700864498709490563462145412926665682183754308918050419434469411302203132567441842045427990531791299594923554274829565712934905192687994493167195965002041302758441077302679849896158357228267187702900659834770484449796142249290936217291139214093913345437362674341034794069366989773301821057888105543395131552827382132347337876684294901365180636048209860728405803398203193264762380762438367127130177078419173
nn22 = 21886103916331042026471976707018077345373500709547608744926784021522268651263700774772687397750518326001924679732775066091506858661185642121499398192338368010820655135877006143244578578722332007743788346644606885565071643080532898877867989158334861970611431525040763020600094521366242776095408035919831393956939481070568641654142682465797917147204312882110766891434526789023700563204921709516366563136993814646102892048330479503154484145799108150890075955992511846323319816541673242667787642258236899777158100385745886020565584577959077111246540175908928657634787282695074433565252326039667911441110872163478106074101

p = gcd(n22,nn22)
#print(p)
q = nn22//p
assert p*q == nn22
f = (p-1)*(q-1)
e = 65537
d = invert(e,f)

print(nn22.bit_length())
with open("data/msg43", "rb") as f:
   c = f.read()

privkey = RSA.construct((int(nn22), e, int(d)))
from Crypto.Cipher import PKCS1_OAEP
# 解密
cipher_text = open(r"data/msg43", "rb").read()
ciphertxt = cipher_text
cipher = PKCS1_OAEP.new(privkey) #这里直接用privkey了
message = cipher.decrypt(ciphertxt)
print(message)

[WEEK3]Base42?

本质上就是进制转换,把flag每个字符的ascii码放在256进制下,再转成42进制去对照表完成加密;所以解密就是个逆过程,把42进制放在256进制下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
alphabet = "0123456789aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpP"
cipher = '0gpnO5ffI310EEjF3LeHCf7LC7HnfhIN0LMK1E79Gdf1dFCN93nBL35eJfKMhkAM000000000000000008fb46HFH4pA4GKI'

for i in range(0,len(cipher),32):
    sum = 0
    tmp_c = cipher[i:i+32][::-1]
    count = -1
    for j in tmp_c:
        count = count + 1
        index = alphabet.index(j)
        sum = sum + index * 42**count
    flag = ''
    while sum!= 0 :
        flag = flag + chr(sum%256)
        sum //= 256
    print(flag[::-1])

[WEEK3]AES

简单的CBC漏洞,用前一组密文作为key解密。

1
2
3
4
5
6
7
8
9
10
from Crypto.Cipher import AES

ct = b'\x179\xb8l\x97\xbew\xc2\xd5f~\x8e\xdc\xf2\x9b\xabR\xa9a\xd2\xf4\xde\xd6|\xd1\x9f\xe9q\x1d\xfcm\xfbj\xe9\x9e\xab\xf5fL\xb3\xb5_\xa5\x16\x8e\x7f\x9fV`\x8b\x16\xa1\xa6)\x08\x97\x91\xbd3\x1d\xeb\\\x86\xa2\xd6\x94>\xf3\xfdt\xd9\x14\xf3\xfc\xe2\x02\xd6\xc4\xcfq"\x1a\x14~2]4\x9f\xc9\x88\xf8\x12\xb6\xa2\xd7\xec\x0b\x7f\xd4d\xdc\xc6\xb4]\x10u\xc6f\x97m\xccA\x82\x02\xa5gh\x85\x85Wz\xd9.\xff\x9bx\x99J\x0e\x86\x16\x90\xad\x1e\x17\x86\x95\xb8S\x17\xea\x93v\xd0'

flag = b''
for i in range(16,len(ct),16):
    key = ct[i-16:i]
    aes = AES.new(key,AES.MODE_ECB)
    flag = flag + aes.decrypt(ct[i:i+16])
print(flag)

[WEEK3]partialP

已知p高位攻击,coppersmith。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from sage.all import *

c = 2226099021169425534206121605501718994593261953280046899345810118356590881389142531649792348146129153474985003929407172972982275439970723778495455838452638879586163957468972518078320159354264971816842073874550773309020013613432004074760802192607651584906352686468143648939740004838208640531785439362344039075       
n = 96928253979490973984593903132811649229014718994486532280648145898877952846656019305217095845257550421730063527538581223570539203247068060192535543753763017716750817560470547219370972835770943358384150269303529653434434525449357699107332781898776312692702549420939758722366794431784782973884379040574148608179      
p4 = 9605964225476901441398365225327926616880072280289780777971846998748464126891804587377933727304510424852546683782576240573278202121547956666293242671661056>>128
e = 65537
#p4为p去除二进制0低位的剩余位

e = 0x10001

pbits = 512
kbits = pbits - p4.nbits()
print(p4.nbits())

p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4)

if roots:        
    p = p4+int(roots[0]) 
    print("n= "+str(n))
    print("p= "+str(p))
    print("q= "+str(n//p))

[WEEK3]babyCBC

cbc字节反转,理论可参考https://blog.csdn.net/qq_45698157/article/details/109746592
由于本题中的guest刚好是在第二个分组的起始位置,所以很容易修改,把该组和Admin及前一组明文做xor即可,给出exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import time
from Crypto.Cipher import AES
import json
from Crypto.Util.Padding import pad,unpad
import binascii
from pwn import xor

plaintext = ''
payload = {'permission':'Guest','Time':f'{time.time()}','data':plaintext}
print(payload)
payload = pad(json.dumps(payload).encode(),16)
print(payload)

admin = b'Admin\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
guest = b'Guest\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
m = '11111111111111111'
c_hex = '5799e0ed7cef28f1d37699994209fa668f35719d6b50a766c3c64545423bc5198acc80fa9e5e45b0d65d384fa4d2615d9e35dacaf9750a503d5d96b7e9f10abe898b1b64b9eb50caffd057f2ac5c8683a9dadf82035a058af6acf8795c081ff7e527cc5b924e931e5be4183321e4ebdf'
iv = c_hex[:32]
c_hex = c_hex[32:]
c = binascii.a2b_hex(c_hex)
fake_c = xor(admin,c[:16])
fake_c = xor(fake_c,guest)
print(len(fake_c))
#fake_hex = c_hex[:32] + str(binascii.b2a_hex(fake_c))[2:-1] + c_hex[64:]
fake_hex = str(binascii.b2a_hex(fake_c))[2:-1] + c_hex[32:]
enc_flag = '71db4776b7ff1efb103db790992216b0f7299fc90e81459f8467aeb6a0ef861128c3b4eb6d8f136c75cd11127842588634893ea4e4705284f657cf3ba1e17739278b1ff3b4815c065aeef082112c4cf092f5b06c03899c824bc2676a5411a7a52ddbcf7251afdfe506bf3a20ef7db01030ad28e3d9b30a00467d557e181cc5564259b9986d444ee9d106987a0a4d38d58433d9d0b7bfe7844798bb466e6021041dc688041063454eb2e14325c0802ec1'
print(iv+'||'+fake_hex+enc_flag)
# 服务器解出的flag的hex形式
flag = '4e53534354467b42724f6e59615f5a61596348694b5f42726f6e79615f42726f6e79615f42726f6e79617d'
print(binascii.a2b_hex(flag))
# NSSCTF{BrOnYa_ZaYcHiK_Bronya_Bronya_Bronya}

这是伪造信息加上enc_flag解密得到的返回值,data里就是flag的hex:

[WEEK4]random

mt19937预测:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from Crypto.Cipher import AES
from binascii import a2b_hex
from mt19937predictor import MT19937Predictor
from hashlib import *

f = open("output.txt", 'r').readlines()
random_32 = []
for i in f:
    random_32.append(int(i))

print(random_32)
Pre = MT19937Predictor()
for i in range(624):
    Pre.setrandbits(random_32[i],32)

for i in range(666-624):
    Pre.getrandbits(32)

c = a2b_hex('91fd1824ddc0a35e845e87f59e53a103334df418e6a65a7d7769699c3ca2119019361cd23a46a61d4e7f6cdff5f5200f586f90b66eabfd8ecff4ddf11ee444d37f80ada0bbe8af09e4fc32c1a51e3f29e2771b51c71d2ba4acb84fda61904b96')
iv = c[:16]
c = c[16:]
r = Pre.getrandbits(32)
key = bytes.fromhex(hex(r)[2:])
key = md5(key).digest()
cipher = AES.new(key,AES.MODE_CBC)
dec = AES.new(key,AES.MODE_CBC,iv)
print(dec.decrypt(c))

[WEEK4]square

有限域开根:

1
2
3
4
5
6
7
8
9
10
11
12
13
from Crypto.Util.number import *
n = 0xcaea4e2db0dc68029999cdad792fa1f9142117163af28f3230f7500ef748841554141ef35555ba23b95dc87f4c83f75dad14b6204dd4907fb75650fa7799def911f077b945f359e345bb9350c4a8268906c547e95e5819ef44ff124566a88fa2174ddfe3e895016df0036b59a50c6efb78724bde5d16a8a5cae45c918f329e462d10abe56ecdfae95bd13665260d0e8b648540d11f2447eef9aef3ea370faaecaab4c82ec1fe2bc83f2ce1b2793d95187eb2637e75700ba9745c253e928a4a603139dbf6b8bbf8111900a58be21a269992a9744c0284cf8f3ad7a3b95106d17af6baceac1acf543e425dc6317ab7f799a8ce19633b22e709eacb5d74ce4b56f9
e = 16
c = 0x2700a92e463d1c5da073b38d075a2da57c89ff9d658066c0bd38391cc60259a4fc992f1a6f1c5756d6e5934831fc0fbf7bfd85607f0d18781d30a4ab485e119af4f08b5fe7bf927aeaf7572b05dfec764d6ddda2b247b9f6b731300ece4209606d94c5708388d6e8efc1fa6e9c0cdda41cee95eb4a6b053b862fc43e55648973863f9874ee79ce4408277c9dc38fb26b44880e58f054b957c64fcf0d39c1fd496ad2fc5f5e5e70ba41422a4d945da299b5a695a4b7013a1f9ae1b629e395ffb0942d783d6e6be1f0888dfcb02d0aa1e9b7076e952a339bdc60f044f598afa2da28a4d7f094b959c8a8fefd5a11d10971cd681722f6868cf15a200cb910c591e1

P.<a>=PolynomialRing(Zmod(n),implementation='NTL')
f=a^e-c
mps=f.monic().roots()
print('ok')
print(mps)
for mpp in mps:
    if b'NSSCTF' in long_to_bytes(int(mpp[0])):
        print(long_to_bytes(int(mpp[0])))

扫一扫,分享到微信

微信分享二维码
本站总访问量: 总访客次数:

tag:

梦想是成为全栈佬并养一只猫