[ CTF ]【天格】战队WriteUp- 2022年第三届“网鼎杯”网络安全大赛(青龙组)
2022年第三届“网鼎杯”网络安全大赛(青龙组)部分题目附件
已解题列表
- 【Misc】签到
- 【Crypto】crypto405
- 【Crypto】crypto091
- 【Pwn】pwn135
- 【Reverse】re693
- 【Reverse】re694
【Misc】签到
flag{7c98c564-94c1-41aa-978d-d42ca16ee46d}
【Crypto】crypto405
首先p和k都未知,但是p是16位的素数,k都是小于p的。flag格式是flag{。所以第一步想法是爆破p,前五位得到方程组求k。
R.< k1, k2, k3, k4, k5 >= PolynomialRing(ZZ)
k=[k1,k2,k3,k3,k4,k5]
flag=b'flag{'
for i in range(len(flag)):
grasshopper = flag[i]
for j in range(5):
k[j] = grasshopper = grasshopper * k[j]
print('Grasshopper#'+str(i).zfill(2)+':',grasshopper)
输出结果:
Grasshopper#00: 102*k1*k2*k3^2*k4
Grasshopper#01: 1192407267456*k1^5*k2^4*k3^5*k4
Grasshopper#02: 1918196473060530916599580974905403195260928*k1^15*k2^10*k3^9*k4
Grasshopper#03: 56112321905504104058889432264614118677688107359359075763851172322711550767834986156510191423865157053692191440896*k1^35*k2^20*k3^14*k4
Grasshopper#04: 53396244662367707127856864007524389027579357260572582679744127850279999404450619312604004485139827409110793046460181646479623909080635340073160838110289140978788817626824929446784411034165296270303004366240008622426141394072733814130556872463873302593536*k1^70*k2^35*k3^20*k4
flag格式,得到前五个方程。然k有很多种情况,拿对应的k和p解密即可。然后就写解密逆函数。
from gmpy2 import *
c = ['2066',
'a222',
'cbb1',
'dbb4',
'deb4',
'b1c5',
'33a4',
'c051',
'3b79',
'6bf8',
'2131',
'2c40',
'91ba',
'7b44',
'5f25',
'0208',
'7edb',
'62b5',
'cec5',
'5ab3',
'3c46',
'c272',
'714b',
'9e0b',
'48ee',
'44cc',
'05a0',
'3da3',
'11b1',
'259f',
'899d',
'a130',
'e58f',
'23f3',
'5829',
'6beb',
'3681',
'0054',
'a189',
'2765',
'c63d',
'bc68']
C = [int(i, 16) for i in c]
from gmpy2 import *
def get_key(p, As):
a1, a2, a3, a4, a5 = As
R.< k1, k2, k3, k4, k5 >= PolynomialRing(Zmod(p))
f1 = 102 * k1 * k2 * k3 * k4 * k5
f2 = 1192407267456 * k1 ^ 5 * k2 ^ 4 * k3 ^ 3 * k4 ^ 2 * k5
f3 = 1918196473060530916599580974905403195260928 * k1 ^ 15 * k2 ^ 10 * k3 ^ 6 * k4 ^ 3 * k5
f4 = 56112321905504104058889432264614118677688107359359075763851172322711550767834986156510191423865157053692191440896 * k1 ^ 35 * k2 ^ 20 * k3 ^ 10 * k4 ^ 4 * k5
f5 = 53396244662367707127856864007524389027579357260572582679744127850279999404450619312604004485139827409110793046460181646479623909080635340073160838110289140978788817626824929446784411034165296270303004366240008622426141394072733814130556872463873302593536 * k1 ^ 70 * k2 ^ 35 * k3 ^ 15 * k4 ^ 5 * k5
I = ideal([f1 - a1, f2 - a2, f3 - a3, f4 - a4, f5 - a5])
res = I.groebner_basis()
k = []
for i in res:
s = p - int(str(i).split('+ ')[1])
k.append(s) # 得到k
return k
for p in range(2**16,2**15,-1):
if is_prime(p):
flag = ''
k = get_key(p, C[:5])
for i in range(len(c)):
t = C[i]
s = 1
for j in range(5):
s *= k[j]
t = t * invert(s, p) % p
k[0] = t * k[0] % p
k[1] = k[1] * k[0] % p
k[2] = k[2] * k[1] % p
k[3] = k[3] * k[2] % p
k[4] = k[4] * k[3] % p
flag += chr(t)
if flag[-1]=='}':
print(flag)
flag{749d39d4-78db-4c55-b4ff-bca873d0f18e}
【Crypto】crypto091
根据提示是13位号码,那就是8617000000000格式的:
import hashlib
for password in range(8617000000000,8617099999999):
password=str(password)
hash_password = hashlib.sha256(password.encode("utf-8")).hexdigest()
if hash_password == "c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc" :
print(hash_password)
print("flag{"+password+"}")
break
flag{8617091733716}
【Pwn】pwn135
还是查看附件以后尝试进行连通。加上头尾再连通,
然后看看题目给出的附件,感觉这题应该可以使用内置函数,然后找了一下v8读取文件内容和js打印函数相关资料
from pwn import *
p=remote("47.94.157.80", 34698)
p.sendlineafter(b"Send your code, ending with <EOF>",b"const flag=read('flag')")
p.sendline(b"console.log(flag)")
p.sendline(b"<EOF>")
p.interactive()
(这道题。。非预期了)
flag{78686b26-1146-4c58-b75b-3673549848fd}
【Reverse】re693
附件丢进vscode中识别是go语言,然后在goland编译后发现
Input the first function, which has 6 parameters and the third named gLIhR:
Input the second function, which has 3 callers and invokes the function named cHZv5op8rOmlAkb6
意思是:
输入第一个函数,它有6个参数,第三个函数名为gLIhR:
输入第二个函数,它有3个调用者并调用名为cHZv5op8rOmlAkb6
直接搜索gLIhR
然后搜索cHZv5op8rOmlAkb6
最后按照要求输入后返回flag
func main() {
var nFAzj, CuSkl string
jjxXf := []byte{
37, 73, 151, 135, 65, 58, 241, 90, 33, 86, 71, 41, 102, 241, 213, 234, 67, 144, 139, 20, 112, 150, 41, 7, 158, 251, 167, 249, 24, 129, 72, 64, 83, 142, 166, 236, 67, 18, 211, 100, 91, 38, 83, 147, 40, 78, 239, 113, 232, 83, 227, 47, 192, 227, 70, 167, 201, 249, 156, 101, 216, 159, 116, 210, 152, 234, 38, 145, 198, 58, 24, 183, 72, 143, 136, 234, 246}
KdlaH := []byte{
191, 140, 114, 245, 142, 55, 190, 30, 161, 18, 200, 7, 21, 59, 17, 44, 34, 181, 109, 116, 146, 145, 189, 68, 142, 113, 0, 33, 46, 184, 21, 33, 66, 99, 124, 167, 201, 88, 133, 20, 211, 67, 133, 250, 62, 28, 138, 229, 105, 102, 125, 124, 208, 180, 50, 146, 67, 39, 55, 240, 239, 203, 230, 142, 20, 90, 205, 27, 128, 136, 151, 140, 222, 92, 152, 1, 222, 138, 254, 246, 223, 224, 236, 33, 60, 170, 189, 77, 124, 72, 135, 46, 235, 17, 32, 28, 245}
fmt.Print(MPyt9GWTRfAFNvb1(jjxXf))
nFAzj="kZlXDJH3OZN4Mayd"
fmt.Print(kZlXDJH3OZN4Mayd(KdlaH))
CuSkl="UhnCm82SDGE0zLYO"
vNvUO:=GwSqNHQ7dPXpIG64(nFAzj)
YJCya := ""
mvOxK := YI3z8ZxOKhfLmTPC(CuSkl)
if mvOxK != nil {
YJCya = mvOxK()
}
if YJCya != "" && vNvUO != "" {
fmt.Printf("flag{%s%s}\n", vNvUO, YJCya)
}
}
flag{3a4e76449355c4148ce3da2b46019f75}
【Reverse】re694
用IDA打开发现是FUK
查壳看看是否加壳
用010 Editor打开
把签名FUK改为UPX
然后脱壳
脱壳后再用IDA打开,找到main函数
其中sub_140011235是异或0x66,然后查看sub_1400111E5找到了
d=[0x4B,0x48,0x79,0x13,0x45,0x30,0x5C,0x49,0x5A,0x79,0x13,0x70,0x6D,0x78,0x13,0x6F,0x48,0x5D,0x64,0x64]
for i in range(len(d)):
d[i]=((d[i]^0x50)-10)
for i in range(len(d)):
x=chr(d[i]^0x66)
print(x,end='')
flag{why_m0dify_pUx_SheLL}