狗儿

If you love it, keep at it~

CUMT CTF Challenge Problems (Non-Re Categories)

I've been putting this off for a long time.

WEB

Source code

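Backup

I spent a long time thinking about backup file suffixes (index.php~, index.php.bak, index.php.save and so on), but none of them worked. Only after finding a senior student's write-up online did I realize there were some pitfalls.

The challenge gives two .bak files.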

Checking by hand then shows that 3.bak and 5.bak also exist. But how was anyone supposed to guess that the flag is in 998.bak?

import requests

# Request 0.bak .. 999.bak and stop at the first response that contains "flag"
for i in range(1000):
    url = 'http://bxs.cumt.edu.cn/challenge/web/code/{}.bak'.format(i)
    r = requests.get(url)
    print(i)
    if 'flag' in r.text:
        print(r.text)
        break

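Actually, I did many of these challenges once over the summer break, but I certainly can't remember exactly how I solved them back then, and I really don't want to waste time doing them again. I'll leave it at this for now; some day when I'm tired I can do these challenges to relax.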

Auto flag

import json
import re
import urllib.parse

import requests

s = requests.Session()
r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/')
# Seconds field of the server time shown on the page
second = int(re.search(r'服务器时间:.+?\d{2}:\d{2}:(\d{2})', r.text).group(1))
print(second)
r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/param1.php')
# Hard-coded URL-encoded JSON list of numeric strings; parsed with json.loads instead of eval
data = json.loads(urllib.parse.unquote('%5B%221%22%2C%226%22%2C%222%22%2C%228%22%2C%224%22%2C%222%22%2C%228%22%2C%224%22%2C%229%22%2C%221%22%2C%2210%22%5D'))
data = [int(i) for i in data]
print(data)
total = 0
for i in range(1, len(data)):
    for j in range(0, len(data)//2):
        total += data[i] * second + data[j]
print(total)

r = s.get(r'http://bxs.cumt.edu.cn/challenge/web/ctf0001/param2.php?param={}'.format(total))
print(json.loads(r.text)['f'].encode('utf-8').decode('unicode_escape'))

The script isn't right; I'll look at it again when I have time.

crypto

Crypto-RSA Basics 1

Solved in seconds.

Crypto-RSA Basics 2

Solved in seconds.

Crypto-RSA Basics 3

Solved in seconds.

Crypto-EasyRSAFile

import gmpy2, binascii
from Crypto.Util.number import bytes_to_long

#with open(r'EasyRSAFile/cumtflag.enc', 'rb')as f:
# b = f.read()
#print(b)
b = b'\x10\xa2\x1d\xd5\x90\xb1\x11\xf1-\xd0\x1d\xa6fs$v\x94\xd3\xd3[\xfd\xa4\xa4\xff\x9a\xafg#\xbf*\xbf\x84'

c = bytes_to_long(b)
print('c:', c)

n = 0xC2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239

phi = (p-1)*(q-1)
e = 65537
d = gmpy2.invert(e, phi)
m = pow(c, d, n)

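h = hex(m)[2:]
# unhexlify needs an even number of hex digits; pad only when the length is odd
msg = binascii.unhexlify('0' + h if len(h) % 2 else h)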
print(msg)



'''
iyzyi@ubuntu:~$ openssl rsa -pubin -in pubkey.pem -text -modulus
.RSA Public-Key: (256 bit)
Modulus:
00:c2:63:6a:e5:c3:d8:e4:3f:fb:97:ab:09:02:8f:
1a:ac:6c:0b:f6:cd:3d:70:eb:ca:28:1b:ff:e9:7f:
be:30:dd
Exponent: 65537 (0x10001)
Modulus=C2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD
writing RSA key
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMJjauXD2OQ/+5erCQKPGqxsC/bNPXDr
yigb/+l/vjDdAgMBAAE=
-----END PUBLIC KEY-----
iyzyi@ubuntu:~$
'''




'''
D:\计算机\CTF\工具\MISC\工具包\RSA题目\yafu>yafu-x64.exe
factor(0xC2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD)


fac: factoring 87924348264132406875276140514499937145050893665602592992418171647042491658461
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits

starting SIQS on c77: 87924348264132406875276140514499937145050893665602592992418171647042491658461

==== sieving in progress (1 thread): 36224 relations needed ====
==== Press ctrl-c to abort and save state ====
36279 rels found: 17962 full + 18317 from 193516 partial, (3464.68 rels/sec)

SIQS elapsed time = 61.9747 seconds.
Total factoring time = 61.9917 seconds


***factors found***

P39 = 275127860351348928173285174381581152299
P39 = 319576316814478949870590164193048041239

ans = 1


D:\计算机\CTF\工具\MISC\工具包\RSA题目\yafu>
'''


# flag is cumtctf{AURor4'sRSA}

Crypto-RSACal

'''
import gmpy2
p=****** #not telling you
q=****** #not telling you
n=p*q
phi=(p-1)*(q-1)

m=****** #not telling you
e=0xe6b1bee47bd63f615c7d0a43c529d219

d=gmpy2.invert(e,phi)

print(hex(p+q))
print(hex((p+1)*(q+1)))
print(hex(pow(m,e,n)))
'''

import gmpy2, binascii

o1 = 0x1232fecb92adead91613e7d9ae5e36fe6bb765317d6ed38ad890b4073539a6231a6620584cea5730b5af83a3e80cf30141282c97be4400e33307573af6b25e2ea
o2 = 0x5248becef1d925d45705a7302700d6a0ffe5877fddf9451a9c1181c4d82365806085fd86fbaab08b6fc66a967b2566d743c626547203b34ea3fdb1bc06dd3bb765fd8b919e3bd2cb15bc175c9498f9d9a0e216c2dde64d81255fa4c05a1ee619fc1fc505285a239e7bc655ec6605d9693078b800ee80931a7a0c84f33c851740
c = 0xb40e900a689e9f307640d5c8de6ec65004547b6c9be3199715491807d7400b5a97d82c8e5c3cb8b2480215f5c244e3b58e8d0218a0bacd524b3b2d567be0f1492c27f1a022ed73ec5701b8a4a79411b9fd33deeb9eff7699e22521cd0b9ac09bcab766752e47b4c3f9a8dea333f91df8d2e5309c2002919733a0098acb48f4
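# o1 = p + q and o2 = (p + 1) * (q + 1) = p*q + (p + q) + 1, as printed by the challenge
# phi = (p - 1) * (q - 1) = p*q - (p + q) + 1 = o2 - 2 * o1
phi = o2 - 2 * o1
# n = p*q = o2 - (p + q) - 1
n = o2 - o1 - 1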
e=0xe6b1bee47bd63f615c7d0a43c529d219
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
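h = hex(m)[2:]
# unhexlify needs an even number of hex digits; pad only when the length is odd
m_str = binascii.unhexlify('0' + h if len(h) % 2 else h)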
print(m_str)
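
The RSACal solution above only needs n and phi, but the same two printed values also give back p and q themselves, which is why a sum of the primes must be treated as secret key material. This is an added example, not part of the original post; the function names and the sample primes, exponent and message are constructed for illustration.

```python
from math import isqrt


def recover_from_leaks(s, t):
    """s = p + q and t = (p + 1) * (q + 1), the two values the challenge prints."""
    n = t - s - 1              # (p+1)(q+1) = pq + (p+q) + 1
    phi = n - s + 1            # (p-1)(q-1) = pq - (p+q) + 1 = t - 2s
    disc = s * s - 4 * n       # (p+q)^2 - 4pq = (p-q)^2
    if disc < 0 or isqrt(disc) ** 2 != disc:
        raise ValueError("inconsistent leak: s^2 - 4n is not a perfect square")
    r = isqrt(disc)            # |p - q|, same parity as s
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return n, phi, p, q


def decrypt(c, e, s, t):
    """Decrypt c using only the public exponent and the two leaked values."""
    n, phi, _, _ = recover_from_leaks(s, t)
    d = pow(e, -1, phi)        # modular inverse, Python 3.8+
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed sample key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
E = 65537
MSG = b"flag{demo}"            # constructed plaintext


def demo():
    s, t = P + Q, (P + 1) * (Q + 1)
    c = pow(int.from_bytes(MSG, "big"), E, P * Q)
    return recover_from_leaks(s, t), decrypt(c, E, s, t)


if __name__ == "__main__":
    (n, phi, p, q), plaintext = demo()
    print(hex(n), p, q, plaintext)
```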