pwn.college-Playing With Programs - Dealing with Data

学习python pwn 以及在python中二进制、十进制、十六进制、UTF、Base64编码

1.What's the password?

hacker@data-dealings~whats-the-password:~$ cat /challenge/runme
#!/usr/bin/exec-suid -- /bin/python3 -I
import sys
print("Enter the password:")
entered_password = sys.stdin.buffer.read1().strip()
correct_password = b"qkmbifyb"
print(f"Read {len(entered_password)} bytes.")
if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)
hacker@data-dealings~whats-the-password:~$ /challenge/runme
Enter the password:
qkmbifyb
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{464B55Z5TNKRobPM2gGh72uAmNR.0VO0YDNxwCO5YTNyEzW}

2. ... and again!

同上

3. Newline Troubles

hacker@data-dealings~newline-troubles:~$ cat /challenge/runme 
#!/usr/bin/exec-suid -- /bin/python3 -I
import sys
print("Enter the password:")
entered_password = sys.stdin.buffer.read1()              #相较于1，没有strip(),strip()用于去除数据两端的空白字符（如空格、换行符等）
if b"\n" in entered_password:
    print("Password has newlines /")
    print("Editors add them sometimes /")
    print("Learn to remove them.")
correct_password = b"khmissww"
print(f"Read {len(entered_password)} bytes.")
if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)
hacker@data-dealings~newline-troubles:~$ /challenge/runme         #第一种方法
Enter the password:
khmisswwRead 8 bytes.                                             输入密码后，用Ctrl+D  表示EOF结束
Congrats! Here is your flag:
pwn.college{0QUTsZASEa4rFlwYQFE7WM9-zcB.0VM1YDNxwCO5YTNyEzW}

hacker@data-dealings~newline-troubles:~$ echo -n "khmissww" | /challenge/runme   #第二种方法
Enter the password:
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{0QUTsZASEa4rFlwYQFE7WM9-zcB.0VM1YDNxwCO5YTNyEzW}

hacker@data-dealings~newline-troubles:~$ echo -n "khmissww" > 2.txt    #第三种方法
hacker@data-dealings~newline-troubles:~$ cat 2.txt | /challenge/runme 
Enter the password:
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{0QUTsZASEa4rFlwYQFE7WM9-zcB.0VM1YDNxwCO5YTNyEzW}

4. reasoning about file

hacker@data-dealings~reasoning-about-files:~$ cat /challenge/runme 
#!/usr/bin/exec-suid -- /bin/python3 -I

import sys


try:
    entered_password = open("xthd", "rb").read()
except FileNotFoundError:
    print("Input file not found...")
    sys.exit(1)
if b"\n" in entered_password:
    print("Password has newlines /")
    print("Editors add them sometimes /")
    print("Learn to remove them.")

correct_password = b"ezxrhapu"

print(f"Read {len(entered_password)} bytes.")


if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)
hacker@data-dealings~reasoning-about-files:~$ echo -n "ezxrhapu" > xthd
hacker@data-dealings~reasoning-about-files:~$ cat xthd | /challenge/runme
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{0TzSiYibTFB0TS2FbZuwMuoqFTu.0lM1YDNxwCO5YTNyEzW}

5. Specifying filenames

hacker@data-dealings~specifying-filenames:~$ echo -n "mhwpsvqf" > 2.txt
hacker@data-dealings~specifying-filenames:~$ /challenge/runme 2.txt
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{Upu-Ge1g7TJMmFnEKtg80v-85xO.01M1YDNxwCO5YTNyEzW}

6. Binary and hex encoding

hacker@data-dealings~binary-and-hex-encoding:~$ cat /challenge/runme 
#!/usr/bin/exec-suid -- /bin/python3 -I

import sys
print("Enter the password:")
entered_password = sys.stdin.buffer.read1()
correct_password = b"\xc4"
print(f"Read {len(entered_password)} bytes.")
entered_password = bytes.fromhex(entered_password.decode("l1"))   latin-1（也称为 ISO-8859-1）是一种常用的单字节编码，可以安全地将任意字节值映射到字符
if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)
hacker@data-dealings~binary-and-hex-encoding:~$ /challenge/runme 
Enter the password:
c4
Read 3 bytes.
Congrats! Here is your flag:
pwn.college{Qs2Ou7PmeBHm2z0b3McPSSKECcP.0FN1YDNxwCO5YTNyEzW}

7. More Hex

hacker@data-dealings~more-hex:~$ /challenge/runme 
Enter the password:
81f1d18181decfceRead 16 bytes.         #Ctrl+D
Congrats! Here is your flag:
pwn.college{MTjeSFz3M6bF8DceWPpx2aoLu9a.0VN1YDNxwCO5YTNyEzW}

8. Decoding Hex

hacker@data-dealings~decoding-hex:~$ python
Python 3.12.8 (main, Dec  3 2024, 18:42:41) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pwn
>>> p = pwn.process("/challenge/runme")          #pwn.process() 方法用于启动一个新的本地进程
[x] Starting local process '/challenge/runme'
[+] Starting local process '/challenge/runme': pid 2245
>>> binary_data=b"f8e3b5eba8e7e9d3"
>>> password = bytes.fromhex(binary_data.decode("l1"))
>>> password
b'\xf8\xe3\xb5\xeb\xa8\xe7\xe9\xd3'
>>> p.write(password)                             #process.write() 发送的数据保持原样，没有任何额外字符被添加  process.send() 发送的数据会在原始数据后附加一个换行符
>>> p.readall()                                   #读取数据  process.recvall()持续读取数据，直到进程结束或没有更多数据可读
[x] Receiving all data
[x] Receiving all data: 0B
[*] Process '/challenge/runme' stopped with exit code 0 (pid 2245)
[x] Receiving all data: 124B
[+] Receiving all data: Done (124B)
b'Enter the password:\nRead 8 bytes.\nCongrats! Here is your flag:\npwn.college{k-187g0kZJKBPsYlqMULLeWIC83.0lN1YDNxwCO5YTNyEzW}\n'

9. decoding practice

hacker@data-dealings~decoding-practice:~$ python
Python 3.12.8 (main, Dec  3 2024, 18:42:41) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> correct_password = b"1110010011011001100000101101110111111010101111001100010010011001"
>>> def decode_from_bits(s):
...     s = s.decode("latin1")
...     assert set(s) <= {"0", "1"}, "non-binary characters found in bitstream!"
...     assert len(s) % 8 == 0, "must enter data in complete bytes (each byte is 8 bits)"
...     return int.to_bytes(int(s, 2), length=len(s) // 8, byteorder="big")
... 
>>> correct_password = decode_from_bits(correct_password)
同上将correct_password输入到程序 

10. Encoding practice

hacker@data-dealings~encoding-practice:~$ python
Python 3.12.8 (main, Dec  3 2024, 18:42:41) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> correct_password = b"\xe1\x94\xd4\xd2\xd9\x9d\xd0\xd6"
>>> binary_stream = ''.join(format(byte, '08b') for byte in correct_password)   
>>> binary_stream
'1110000110010100110101001101001011011001100111011101000011010110'
>>> binary_password = b'1110000110010100110101001101001011011001100111011101000011010110'
同上将binary_password 输入到程序

11.Hex encodeing ASCII

>>> correct_password = b"eewqcnzx"
>>> correct_password.hex()
'65657771636e7a78'
>>> entered_password = b'65657771636e7a78'
同上将entered_password 输入到程序

12. Nested encoding

hacker@data-dealings~nested-encoding:~$ python
Python 3.12.8 (main, Dec  3 2024, 18:42:41) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> correct_password = b"pqpgkupc"
>>> entered_password = correct_password.hex().encode('latin-1')
>>> entered_password = entered_password.hex().encode('latin-1')
>>> entered_password = entered_password.hex().encode('latin-1')
>>> entered_password = entered_password.hex().encode('latin-1')
>>> with open("password","wb") as file:
...     file.write(entered_password)
... 
>>> 
[2]+  Stopped                 python                                          #  Ctrl+Z
hacker@data-dealings~nested-encoding:~$ /challenge/runme password
Read 128 bytes.
Congrats! Here is your flag:
pwn.college{QnRv_eK4D_eQPSmnjK5UPvaggNR.0FM2YDNxwCO5YTNyEzW}

13. UTF mixup

entered_password=correct_password.hex().encode('latin-1')
同上写入文件后执行

14. MOdifying Encoded data

entered_password = correct_password.decode("latin1").encode("utf-16")
同8将entered_password 输入到程序

15. Decoding Base64

entered_password = correct_password.hex().encode("l1")[::-1]
同8将entered_password 输入到程序

16. Encoding Base64

entered_password = base64.b64decode(correct_password.decode("l1"))
同8将entered_password 输入到程序

17.dealing with obfuscation

hacker@data-dealings~encoding-base64:~$ cat /challenge/runme 
#!/usr/bin/exec-suid -- /bin/python3 -I

import sys
import base64
print("Enter the password:")
entered_password = sys.stdin.buffer.read1()
correct_password = b"\xdb-\xefQ\xbb{\t%"
print(f"Read {len(entered_password)} bytes.")
entered_password = base64.b64decode(entered_password.decode("l1"))     #base64.b64decode()接受一个Base64编码的字符串 encoded_string,返回字节流    bytes.decode("l1")将字节对象解码为字符串
if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)
hacker@data-dealings~encoding-base64:~$ python
>>> import base64
>>> correct_password = b"\xdb-\xefQ\xbb{\t%"
>>> entered_password = base64.b64encode(correct_password)             #base64.b64encode()接受字节流，返回的也是字节流

18. dealing with obfuscation 2

>>> correct_password = b"4^W\x01\xbe\xbd\xa5A"
>>> import base64
>>> correct_password = base64.b64encode(correct_password)
>>> def encode_to_bits(s):
...     return b"".join(format(c, "08b").encode("latin1") for c in s)
... 
>>> correct_password = encode_to_bits(correct_password)
>>> correct_password = correct_password[::-1]
>>> correct_password = b"\xccwH>x\x1aUL"
>>> import base64
>>> correct_password = base64.b64encode(correct_password)
>>> correct_password = correct_password.hex().encode("l1")
>>> correct_password = correct_password[::-1]
>>> correct_password = correct_password.hex().encode("l1")
>>> entered_password = base64.b64encode(correct_password).hex().encode("l1").hex().encode("l1").hex().encode("l1")   #和题目反着来。只不过base64.b64encode返回的是字节所以不用再编码

python中字节对象的方法

# 创建一个字节对象
byte_data = b'Hello, World!'

# 使用 hex 方法 - 将字节对象转换为十六进制表示的字符串
hex_string = byte_data.hex()
print(f"Hexadecimal string: {hex_string}")

# 使用 fromhex 方法 - 静态方法，将十六进制字符串转换为字节对象                 也可以用string的方法bytes = str.encode('latin-1')将字符串 string_data 转换为字节流
from_hex_bytes = bytes.fromhex(hex_string)
print(f"From hexadecimal bytes: {from_hex_bytes}")

# 使用 count 方法 - 返回子字节串 'o' 在字节对象中出现的次数
count_o = byte_data.count(b'o')
print(f"Count of 'o': {count_o}")

# 使用 find 方法 - 返回子字节串 ',' 第一次出现的索引位置，如果未找到则返回 -1
find_comma = byte_data.find(b',')
print(f"Index of ',': {find_comma}")

# 使用 index 方法 - 返回子字节串 'W' 第一次出现的索引位置，如果未找到则抛出 ValueError 异常
index_W = byte_data.index(b'W')
print(f"Index of 'W': {index_W}")

# 使用 rfind 方法 - 返回子字节串 'l' 最后一次出现的索引位置，如果未找到则返回 -1
rfind_l = byte_data.rfind(b'l')
print(f"Last index of 'l': {rfind_l}")

# 使用 rindex 方法 - 返回子字节串 'd' 最后一次出现的索引位置，如果未找到则抛出 ValueError 异常
rindex_d = byte_data.rindex(b'd')
print(f"Last index of 'd': {rindex_d}")

# 使用 startswith 方法 - 检查字节对象是否以指定的前缀开头，返回布尔值
startswith_H = byte_data.startswith(b'H')
print(f"Starts with 'H': {startswith_H}")

# 使用 endswith 方法 - 检查字节对象是否以指定的后缀结尾，返回布尔值
endswith_bang = byte_data.endswith(b'!')
print(f"Ends with '!': {endswith_bang}")

# 使用 join 方法 - 将可迭代对象中的字节对象连接成一个新的字节对象，使用当前字节对象作为分隔符
joined_bytes = b'-'.join([b'a', b'b', b'c'])
print(f"Joined bytes: {joined_bytes}")

# 使用 split 方法 - 根据分隔符 ',' 分割字节对象，默认按空白字符分割，最多分割 maxsplit 次
split_bytes = byte_data.split(b', ')
print(f"Splitted bytes: {split_bytes}")

# 使用 replace 方法 - 将字节对象中的所有子字节串 'World' 替换为 'universe'，最多替换 count 次
replaced_bytes = byte_data.replace(b'World', b'universe')
print(f"Replaced bytes: {replaced_bytes}")

# 使用 decode 方法 - 将字节对象解码为字符串，使用指定的编码格式和错误处理方案
decoded_string = byte_data.decode('utf-8')
print(f"Decoded string: {decoded_string}")


# 使用 isalnum 方法 - 检查字节对象是否只包含字母和数字字符，返回布尔值
is_alnum = byte_data.isalnum()
print(f"Is alphanumeric: {is_alnum}")

# 使用 isalpha 方法 - 检查字节对象是否只包含字母字符，返回布尔值
is_alpha = byte_data.isalpha()
print(f"Is alphabetic: {is_alpha}")

# 使用 isdigit 方法 - 检查字节对象是否只包含数字字符，返回布尔值
is_digit = byte_data.isdigit()
print(f"Is digit: {is_digit}")

# 使用 lower 方法 - 将字节对象中的所有大写字母字符转换为小写，返回新的字节对象
lower_bytes = byte_data.lower()
print(f"Lowercase bytes: {lower_bytes}")

# 使用 upper 方法 - 将字节对象中的所有小写字母字符转换为大写，返回新的字节对象
upper_bytes = byte_data.upper()
print(f"Uppercase bytes: {upper_bytes}")

# 使用 capitalize 方法 - 将字节对象的第一个字母字符转换为大写，其余字母字符转换为小写，返回新的字节对象
capitalized_bytes = byte_data.capitalize()
print(f"Capitalized bytes: {capitalized_bytes}")

# 使用 title 方法 - 将字节对象中每个单词的首字母转换为大写，其余字母转换为小写，返回新的字节对象
titled_bytes = byte_data.title()
print(f"Titled bytes: {titled_bytes}")

# 使用 center 方法 - 将字节对象居中对齐，总宽度为 width，填充字符为 fillchar（默认为空格），返回新的字节对象
centered_bytes = byte_data.center(20, b'*')
print(f"Centered bytes: {centered_bytes}")

# 使用 ljust 方法 - 将字节对象左对齐，总宽度为 width，填充字符为 fillchar（默认为空格），返回新的字节对象
left_justified_bytes = byte_data.ljust(20, b'-')
print(f"Left justified bytes: {left_justified_bytes}")

# 使用 rjust 方法 - 将字节对象右对齐，总宽度为 width，填充字符为 fillchar（默认为空格），返回新的字节对象
right_justified_bytes = byte_data.rjust(20, b'+')
print(f"Right justified bytes: {right_justified_bytes}")

# 使用 zfill 方法 - 将字节对象左侧填充零字符，总宽度为 width，返回新的字节对象
zero_filled_bytes = byte_data.zfill(20)
print(f"Zero filled bytes: {zero_filled_bytes}")