2021红帽杯 wp(持续更新~~)

2021红帽杯 wp(持续更新~~)

2021红帽杯wp

前言：

博客园不能用好久了，无奈转 以后尽量wp写详细一点，帮助自己，也帮助更多的人看懂 欢迎交流

misc

EBCDIC

签到题，很多人不看文件名，直接就点开看内容

啌亣捆咇凁攨mｐm檯剤仯蝠蝰?

第一个印象就是乱码，然后就一顿乱操作，但是题目已经给信息，这个是EBCDIC码，可能有些人不知道这个，可以借助搜索引擎，关于怎么转码这个，可以写脚本，借助linux，office直接打开，010转码都行，我这里用010转码

colorful_code

附件是data1文件和data2两个文件，先010分析一下

data1的数据大致如下

data2的数据大致如下

这里在不知道原理的情况情况下，只能猜，data2的前60字节没有什么特别的规律，但是后面的基本就是3个相同一组，data前60字节中最大为ff，又因为后面3个一组，很容易联想到是rgb！！！如果是rgb的情况，如何确保像素点的位置？data1的数据都是可见字符，那么很有可能就是告诉我们像素点的位置，编写脚本处理一下

from PIL import Image f_data1 = open('data1','r').read() data1 = f_data1.split(' ')[:-1] f_data2 = open('data2','rb').read() data2 = f_data2 res = [] for i in range(len(data2)//3): rgb = data2[i*3:(i+1)*3] r,g,b = rgb[0],rgb[1],rgb[2] res.append((r,g,b)) #print(res) img = Image.new('RGB',(37,191),(255,255,255)) for i in range(37): for j in range(191): img.putpixel((i,j),res[int(data1[i*191+j])]) img.show() img.save('flag.png')

得到图片

npiet的图片编程语言 ，在线网站解密一下： BertNase's Own - npiet fun!，

PicPic

附件太大。。。

crypto

primegame

from decimal import * import math import random import struct from flag import flag assert (len(flag) == 48) msg1 = flag[:24] msg2 = flag[24:] primes = [2] for i in range(3, 90): f = True for j in primes: if i * i < j: break if i % j == 0: f = False break if f: primes.append(i) getcontext().prec = 100 keys = [] for i in range(len(msg1)): keys.append(Decimal(primes[i]).ln()) sum_ = Decimal(0.0) for i, c in enumerate(msg1): sum_ += c * Decimal(keys[i]) ct = math.floor(sum_ * 2 ** 256) print(ct) sum_ = Decimal(0.0) for i, c in enumerate(msg2): sum_ += c * Decimal(keys[i]) ct = math.floor(sum_ * 2 ** 256) print(ct)

国外比赛的一个题，几乎就是一模一样，具体的原理可以看

exp可用以下这位大佬的

import math from decimal import * import random import struct getcontext().prec = int(100) primes = [2] for i in range(3, 100): f = True for j in primes: if i * i < j: break if i % j == 0: f = False break if f: primes.append(i) keys = [] for i in range(len(primes)): keys.append(Decimal(int(primes[i])).ln()) arr = [] for v in keys: arr.append(int(v * int(16) ** int(64))) ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453 def encrypt(res): h = Decimal(int(0)) for i in range(len(keys)): h += res[i] * keys[i] ct = int(h * int(16)**int(64)) return ct def f(N): ln = len(arr) A = Matrix(ZZ, ln + 1, ln + 1) for i in range(ln): A[i, i] = 1 A[i, ln] = arr[i] // N A[ln, i] = 64 A[ln, ln] = ct // N res = A.LLL() for i in range(ln + 1): flag = True for j in range(ln): if -64 <= res[i][j] < 64: continue flag = False break if flag: vec = [int(v + 64) for v in res[i][:-1]] ret = encrypt(vec) if ret == ct: print(N, bytes(vec)) else: print("NO", ret, bytes(vec)) for i in range(2, 10000): print(i) f(i)

hpcurve

import struct from random import SystemRandom p = 10000000000000001119 R. = GF(p)[] y=x f = y + y^7 C = HyperellipticCurve(f, 0) J = C.jacobian() es = [SystemRandom().randrange(p**3) for _ in range(3)] Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)] q = [] def clk(): global Ds,es Ds = [e*D for e,D in zip(es, Ds)] return Ds def generate(): u,v = sum(clk()) rs = [u[i] for i in range(3)] + [v[i] for i in range(3)] assert 0 not in rs and 1 not in rs q = struct.pack('<'+'Q'*len(rs), *rs) return q flag = "flag{xxxxxxx}" text = 'a'*20+flag t = '' keys = generate() leng = len(keys) i = 0 for x in text: t += chr(ord(keys[i%leng])^^ord(x)) i+=1 print t.encode('hex') #for x,y in zip(RNG(),flag):

这个题居然也有原题，但是稍微不一样，改一下即可

hxp CTF 2020 - hyper | Joseph Surin | Joseph Surin Personal Blog (jsur.in)

import itertools import struct p = 10000000000000001119 R. = GF(p)[]; y=x f = y + prod(map(eval, 'yyyyyyy')) C = HyperellipticCurve(f, 0) J = C.jacobian() Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)] enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5') known_pt = b"a"*20 + b"flag" rng_output = bytes(e^^m for e,m in zip(enc, known_pt)) blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)] ui = [int.from_bytes(r, 'little') for r in blocks] u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0] L = GF(p).algebraic_closure() roots = [r[0] for r in u.change_ring(L).roots()] RR. = PolynomialRing(L) v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots]) vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)] vi = [(int(-c), int(c)) for c in vi] for rs in itertools.product(*vi): q = struct.pack('<'+'Q'*len(rs), *rs) flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc)) print(flag)

re

直接被题目ak，后续复现~

pwn

只解出一个，后续有时间再一起复现~

web

find-it

访问robots.txt，发现

When I was a child,I also like to read Robots.txt Here is what you want:1ndexx.php

这个地方提示访问1ndexx.php，但是直接访问直接500，伪协议读取也不知道传参是什么，并且可能过滤了相关字样，就无解了，后来睡醒后想到可能隐含泄露信息，通过尝试，发现vim文件泄露

.1ndexx.php.swp

得到源码

php+HTML

I Can't view my php files?!

MySQL Server version:

33){ die("nonono."); } fwrite($hack,$a); fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh); fclose($file); fclose($hack); ?>

通过code传参， 写入code的请求到hack.php，先

/?code=

然后访问hack.php即可

本人非web选手，其他web的wp可见其他师傅的wp(其实就是不会)

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。