# NISRA Enlightened 2022 Writeup
###### tags: `CTF`

:::info
The lecturers and TAs taught great classes :100:
:::

---

`flag format: NISRA{}`

[TOC]

## Web

### White?White!

Opening the site shows a login page.
Requesting /admin.php brings up this screen:
![](https://i.imgur.com/NvnbfqS.png)

If you'd rather not guess the path, dirsearch finds it too.
I didn't try login.php, but it seems you can log in through it as well.
![](https://i.imgur.com/pcbOpi9.png)

A white.png shows up here. Opening it:
![](https://i.imgur.com/HIALaG.png)

NISRA{Thi3_15_n04_Wh143!!!!}

### robotto

As the challenge name hints, just look up robot.txt; dirsearch works too.
![](https://i.imgur.com/ZsjPOE1.png)

robot.txt
![](https://i.imgur.com/PIxjiIz.png)

username.html shows a Base64-encoded string:
`dXNlcm5hbWU9YWRtaW4gcGFzc3dvcmQ9bmlzcmE=`
which decodes to `username=admin password=nisra`.

The login page is completely useless.
Requesting flag.php?username=admin&password=nisra spits out

NISRA{Th1s_is_p@ss_BY_G3T}

---

## Crypto I

### 応援するからね

Solving the Affine Cipher gives the head of the flag:
`NISRA{V1genereXzFzX24xY2UgNWYgNjMgNzIgNzkg NzAgNzQgMzAgN2Q=`

Base64-decode the rest:
`NISRA{V1genere_1s_n1ce 5f 63 72 79 70 74 30 7d`

Decode the ASCII codes:
`NISRA{V1genere_1s_n1ce_crypt0}`

~~(I never actually used Vigenere..)~~

## Crypto II

### Big_E

Part of the challenge:
```python=
import math

# get_prime() and FLAG come from the rest of the challenge file (not shown here)
p = get_prime(1024)
q = get_prime(1024)
n = int(p) * int(q)
d = 65537                      # the private exponent is fixed to the usual public value
m = math.lcm(p - 1, q - 1)
e = pow(d, -1, m)              # so the public exponent e ends up huge
c = pow(FLAG, e, n)
print('c=',c)
print('n=',n)
print('e=',e)
```

~~Rewriting the script is tiring~~
so let's use something nice and solve it with [dcode.fr](https://www.dcode.fr/rsa-cipher).

NISRA{my_e_1s_s0_B1g}

### Smooth

Same as above; the script is nearly identical.
There are several ways to break it.
I tried Wiener's attack and it does not work.

NISRA{n0t_a11_prime_numbers_are_safe}

### Discrete_Log

Part of the challenge source:
```python=
# get_smooth_prime(), STATE and FLAG come from the rest of the challenge file (not shown here)
while True:
    p, p_factors = get_smooth_prime(STATE, 1024, 16)
    if len(p_factors) != len(set(p_factors)):
        continue
    # Smoothness should be different or some might encounter issues.
    q, q_factors = get_smooth_prime(STATE, 1024, 17)
    if len(q_factors) == len(set(q_factors)):
        factors = p_factors + q_factors
        break
c = pow(3, FLAG, p)
print('c=',c)
print('p=',p)
```

It can be solved with SageMath, ~~but I didn't want to~~
```python=
import sympy
from Crypto.Util.number import long_to_bytes

p = 177526601402412564746364037602254903897960862310193561623223630528354595462136272294570613039667251971042885147687363449349700428014670436952111776522911176883713751980667118876680366510409208134053209256759162282145922337108414992150924511075912601283052106227502843070397786568484294021050830285824550017579
c = 75143215630955935319242739434382848517023740331262192586252907418488939171112349558713800833414031031250852789465084236778199733891707658194938612239949681635524461207419105314339029968351351101703090774871263924239242965937091540682850263026519268841782105061903771462358511499748535468802714465475427025515
g = 3  # base used by the challenge: c = pow(3, FLAG, p)

# sympy.discrete_log(n, a, b) returns x such that b**x == a (mod n)
_flag = sympy.discrete_log(p, c, g)
flag = long_to_bytes(_flag)
print(flag)
```

Running the discrete_log.py above prints

NISRA{d1scre1e_l0g_1s_s0_m0g1c}

---

## OS

### Linux

```shell=
cd lab/lab/lab/lab
sudo cat a.out
```

NISRA{C0ngRatu1aTiOn!!!_Y0u_FiNd_Th3_fInaL_CTF_1N_ThiS_En1IghteNed}

---

## Reverse II

### Recap?
Lab 0x03
![](https://i.imgur.com/bGraR0s.png)

After confirming, patch out the `local_c == local_10` check
to get into `_Z8get_flagv()`.
![](https://i.imgur.com/ytsHqll.png)

Patch out the if...else check the same way (or just use gdb).
After loading it into gdb:
![](https://i.imgur.com/74doWMl.png)

NISRA{dO_Yoou_heArd_aboUut_gGdb}

### Recap?
Lab 0x04

Here I recommend IDA Freeware~~'s UI~~
and the Shift + F12 trick.
For Reverse challenges in other CTFs, you can then spend your time writing the script that cracks them.
![](https://i.imgur.com/BWXikCN.png)

NISRA{first_tiny_step_t0wards_ret2cod3}

### Pwn 0 - gdb

Load it into gdb and analyze.

NISRA{debugger_1s_so_p0werful_1n_dyn4m1c_4n4lySis}

---

## Misc

### Not QRcode

`A kind of barcode`
One look and it is clearly an Aztec code.
![](https://i.imgur.com/qh5zF4a.png)

Recommended tool: [Zxing](https://zxing.org/w/decode.jspx)
![](https://i.imgur.com/8xYZFUc.png)

NISRA{M4tRIx_84rc0dE_noT_oN1Y_qRCODE}

### Decode the Enlightened

`Frvpfr yjr <sf ,sm` -> Decode the Mad man
![](https://i.imgur.com/YCGDfDG.png)

Decoding the keyboard code gives

NISRA{Key8Oard_M4g9C}

---
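
Why the `sympy.discrete_log` call in the Discrete_Log section finishes quickly: when p-1 splits into small distinct primes, the logarithm can be solved in each small subgroup and recombined (Pohlig-Hellman). The sketch below is an added example, not the writeup author's or the challenge's code; `P`, `SECRET` and all function names are constructed for illustration, and it handles only the squarefree case that the challenge's distinct-factor check enforces.

```python
# Added illustration, not challenge code: P and SECRET are constructed values.
P = 200560490131   # 31# + 1, prime; P - 1 = 2*3*5*...*31, all factors distinct
G = 3              # same base as the challenge's pow(3, FLAG, p)

def smooth_factors(n, bound):
    """Trial-divide n by 2..bound; raise if a larger factor is left over."""
    factors = []
    for q in range(2, bound + 1):
        while n % q == 0:
            factors.append(q)
            n //= q
        if n == 1:
            break
    if n != 1:
        raise ValueError("p-1 is not smooth for this bound")
    return factors

def element_order(g, p, factors):
    """Order of g mod p: drop each prime q of p-1 while g^(n/q) is still 1."""
    n = p - 1
    for q in factors:
        if pow(g, n // q, p) == 1:
            n //= q
    return n

def pohlig_hellman(g, h, p, bound=1 << 16):
    """Solve g^x = h (mod p) for squarefree, bound-smooth p-1. Returns (x, order)."""
    factors = smooth_factors(p - 1, bound)
    if len(factors) != len(set(factors)):
        raise ValueError("repeated prime factor: needs the prime-power variant")
    n = element_order(g, p, factors)
    x, modulus = 0, 1
    for q in [f for f in factors if n % f == 0]:
        gq, hq = pow(g, n // q, p), pow(h, n // q, p)
        # the subgroup has only q elements, so exhaustive search is cheap
        xq = next(k for k in range(q) if pow(gq, k, p) == hq)
        # CRT: extend x (mod modulus) so that it is also xq (mod q)
        x += modulus * ((xq - x) * pow(modulus, -1, q) % q)
        modulus *= q
    return x, n

SECRET = int.from_bytes(b"demo", "big")   # constructed stand-in for FLAG
H = pow(G, SECRET, P)
X, ORDER = pohlig_hellman(G, H, P)

if __name__ == "__main__":
    print("order of G:", ORDER, "| recovered:", X, "| matches:", pow(G, X, P) == H)
```

A prime whose p-1 keeps one large prime factor makes `smooth_factors` raise, which is the property a safe prime provides.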