
hgame2022-week2-wp

Contents

web

Git Leakage

v2board

misc

Sign In Pro Max

Tetris Master

Tetris Master Revenge

crazy_qrcode

crypto

RSA Adventure 1 (RSA 大冒险1)

Rabin

Reverse

before_main

Happy New Year


web

Git Leakage

One look is enough: this is an exposed .git directory, so run GitHack against it:

python GitHack.py http://week-2.hgame.lwsec.cn:31730/.git/

Then just cat the recovered file.

v2board

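There is an unauthorized-access (privilege escalation) vulnerability.

Reference: V2Board Admin.php 越权访问漏洞 (V2Board Admin.php unauthorized access vulnerability) | CTF导航

The authorization value can be used to bypass the access check.

Register an account, log in, and capture the request

to obtain the authorization value.

Then request:

/api/v1/admin/user/fetch?pageSize=10&current=1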

misc

Sign In Pro Max

Part1, is seems like baseXX: QVl5Y3BNQjE1ektibnU3SnN6M0tGaQ==
Part2, a hash function with 128bit digest size and 512bit block size: c629d83ff9804fb62202e90b0945a323
Part3, a hash function with 160bit digest size and 512bit block size: 99f3b3ada2b4675c518ff23cbd9539da05e2f1f8
Part4, the next generation hash function of part3 with 256bit block size and 64 rounds: 1838f8d5b547c012404e53a9d8c76c56399507a2b017058ec7f27428fda5e7db
Ufwy5 nx 0gh0jf61i21h, stb uzy fqq ymj ufwyx ytljymjw, its'y ktwljy ymj ktwrfy.

part1: f51d3a18

part2:f91c

part3:4952

part4:a3ed

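Translation: the next-generation hash function of part 3, with a 256-bit block size and 64 rounds, is SHA-256.

0.0.0.0, the lookup found nothing.

Another site's result showed that the first character is a and that the value is 4 characters long, so brute-force it with a script: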

import hashlib

target = '1838f8d5b547c012404e53a9d8c76c56399507a2b017058ec7f27428fda5e7db'
# The first character is known to be 'a'; try every printable ASCII character for the other three
for i in range(32, 127):
    for j in range(32, 127):
        for k in range(32, 127):
            candidate = 'a' + chr(i) + chr(j) + chr(k)
            # SHA-256 digest of the candidate
            des = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
            if des == target:
                print(chr(i) + chr(j) + chr(k))
# 3ed

part5:0bc0ea61d21c

quipqiup - cryptoquip and cryptogram solver

flag:hgame{f51d3a18-f91c-4952-a3ed-0bc0ea61d21c}

Tetris Master

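Unintended solution:

After connecting over SSH, aborting right away (Ctrl+C) lets you get into bash.

Intended solution:

Nearly went blind (doge

Official write-up for the original ByteCTF 2022 challenge: https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh

Just copy the payload:

x[$(cat /flag)]

Over SSH: choose n, then enter the score: x[$(cat /flag)]

Then stack the pieces up high as fast as possible.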

hgame{Bash_Game^Also*Can#Rce}

Tetris Master Revenge

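Nearly went blind (doge

Official write-up for the original ByteCTF 2022 challenge: https://bytedance.feishu.cn/docx/doxcnWmtkIItrGokckfo1puBtCh

Just copy the payload:

x[$(cat /flag)]

Over SSH: choose n, then enter the score: x[$(cat /flag)]

Then stack the pieces up high as fast as possible.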

hgame{Bash_Game^Also*Can#Rce^reVenge!!!!}

crazy_qrcode

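Scanning the attached password image directly does not work; looking at the QR code, it appears to be missing some data.

QRazyBox - QR Code Analysis and Recovery Toolkit

Fix the QR code's error-correction information:

Check its mask pattern: it is 4.

Error correction: H4 (the highest error-correction level, mask 4)

After saving, scan it again to get the archive password: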

QDjkXkpM0BHNXujs

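Extracting the archive gives 25 QR code fragments.

Arrange them into a 5x5 matrix and stitch them into a QR code (here 0 is the original image, 1 is rotated 90 degrees clockwise, 2 is 180 degrees, 3 is 270 degrees, ? is unknown). Look at the images: the fragments holding the squares at the QR code's 4 corners are very easy to guess (doge

[1, 2, ?, 3, ?
 0, 3, ?, ?, 3
 ?, 0, 3, 1, 2
 1, 1, 0, 3, 3
 ?, ?, 2, 3, 2]

=>>

[1, 2, 1, 3, 2
 0, 3, 0, 1, 3
 0, 0, 3, 1, 2
 1, 1, 0, 3, 3
 2, 2, 2, 3, 2]

Poor little me tried the ? entries one at a time until I went numb.

A noob who can't use Photoshop and could only use Word (sob)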

QR.docx

hgame{Cr42y_qrc0de}

crypto

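RSA Adventure 1 (RSA 大冒险1)

The nc connection seems to be time-limited, so read the challenge first, write the scripts, run the script for each level, and then just submit the result for the check.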

1:

from Crypto.Util.number import long_to_bytes
import gmpy2
c=0x4fa6749f8752c125f02ff9693c6a5d7d7ff1f1a01281357a8c3dbabf62dca1b7d5fa90303fb15a231c
e=65537
p=291699513036853266535722701504355096451
n=352559474696049083899094233796982246511345626932629585752957686785382902770701432159148425064753461
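# n has three prime factors: p is given, and n // p factors into q and r
qr = n // p
q = 1112916422465999645746169042831
r = 1086010777762387692372092522281
phi = (p - 1) * (q - 1) * (r - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))
# m<n_But_also_m<p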
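
The level 1 flag points at a shortcut the script above does not use: when m < p, the one known prime factor is enough and n // p never has to be factored. The following is an added example, not part of the original write-up; it uses constructed toy primes P, Q, R, and the function names are this example's own.

```python
# Constructed toy modulus (not the challenge's values): three known primes.
P = 2**61 - 1
Q = 2**31 - 1
R = 2**19 - 1
E = 65537


def decrypt_mod_p(c, e, p):
    """Recover m from c = m^e mod n using only the prime factor p of n.

    Valid only when 0 <= m < p: then c mod p = m^e mod p, and the exponent
    can be inverted modulo p - 1 without knowing the other factors.
    """
    d_p = pow(e, -1, p - 1)  # ValueError if gcd(e, p - 1) != 1
    return pow(c % p, d_p, p)


def recover(c, e, n, p):
    """Decrypt with p alone and confirm the result by re-encrypting."""
    if n % p != 0:
        raise ValueError("p is not a factor of n")
    m = decrypt_mod_p(c, e, p)
    if pow(m, e, n) != c:
        # Only m mod p was recovered; the full factorisation is needed.
        raise ValueError("plaintext is not smaller than p")
    return m


def demo():
    n = P * Q * R
    m = int.from_bytes(b"m<p", "big")  # constructed short message
    c = pow(m, E, n)
    return recover(c, E, n, P).to_bytes(3, "big")


if __name__ == "__main__":
    print(demo())
```

The re-encryption check in recover() is what tells the two cases apart: a plaintext of p or larger comes back reduced modulo p and fails it.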

2:

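Here q is regenerated after each encryption while p stays the same, so the printed n values share the common factor p; fetch the public key twice.

from Crypto.Util.number import GCD, long_to_bytes
import gmpy2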
c=0x5aa6dc857dad1ad500a8e232db40061256e5031f7d380cac04d2fa6ae29794da89f2678762e4d6025e662c236eb59811bfef2719869056ca8598f85fa364ba34331050db2f816b395d4cf25d8b7d6e4870275b5d1c2f592b5703bcdad20366b4f7fccd7f4437c52c2c54e2dd08a0529a67d3543c73c0c0c3fd585c04d64d2660
e=65537
n1=101470497871618171123531372355390843880667230881434659340516587013041464811917935090650144001247820694802925995240478335650611664148611143734391258679562615334037988037518713089369816857518899207723089754476172520648450566530825999971354781633380504455064887024396044349032977648121779489416702164166664516763
n2=83610910114953190284550272927711553709306438616846511857143713556197210051230124269545817355057611924852890567925575711635879765335119346572620434809276812152153833006105817234115670866065019741624622164448784928858228739487687894941355890572760329447003051814221401060844739924713447298283022352831075760787
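# n1 and n2 were generated with the same p, so their GCD is p
p = GCD(n1, n2)
q = n1 // p
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
# decrypt under n1
m = pow(c, d, n1)
print(long_to_bytes(int(m)))
# make_all_modulus_independent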

3:

import gmpy2
import libnum

def de(c, e, n):
    # Small-exponent attack: find the smallest k for which c + k*n is a perfect e-th power
    k = 0
    while True:
        mm = c + n * k
        result, exact = gmpy2.iroot(mm, e)
        if exact:
            return result
        k += 1

e = 3
n=24937227802423996614472106833709861668074877515007480779160157365991609813951057078198033187884929149157782672806599326916906301613245793829544660486211884803340549674454399424858008792128578390649702436804821796916788940060074429497147066673763333296329945081250450816933256397420727493580730034455814314720618649841371707891915844225303420929835657074356868241338137727442682336126896190848998544032912910397206433534044733095109153098683260948756760594327673352749166024810402986552378004689081086504492171022504269326312118880123814237529282540704047882038139422317429954815451571883196998715174504059325636537327
c=175676150266389034871939328995776510962784850899786406938470431252524921971416046919681615255672239546788036183781506620199080350106630731150472671459868118127777490321605728735132000951567026204049866038467737793202140016003595652842795584319912169388104655297636562842021108125193390877832657592921701

m=de(c,e,n)
print(m)
print(libnum.n2s(int(m)).decode())
#encrypt_exponent_should_be_bigger

4:

Much like level 2: e is regenerated while n stays the same, producing different ciphertexts.

import libnum
import gmpy2
n=67462170135195663668024400345361646721248802272893635296095221370593941019568099814536456260352883938352363389082968339171362532135603548701422873293263634383991895051446485093790928481355157993682551347627341490373709505341900155631127943447072375687586523366931429520636539960769428307002921298840491676941
e1=105767
e2=100669
c1=0x310852fbf32d37e54ce1b86a563e98258e8d954d5da1a14c852c4b37a8798d2fd8ed01e6f31b35f943fd47e95135afcdcfc7f0ea40f6f0cebdb145ec990222ac3b3058190d478379cab2d1e4364e2201adb8653e14e1cdf56282cb86cbabfaddb4c7c4f918eb2b194138f543f50c98e121d4d08d254f178e39e20eed637e3374
c2=0x3a6e7657749ac597818eb2fc5076e4cd03a9f500d05dbed195f1e48693a7a08a3e9ed4e68aaeeaf4aa5eb7b45ff721cab8765adf35e0095972c0cf6ffb6346f3cc53bc748de2eca91221fb12576cc160b596e919c67d3344db0183a5fe2846d5f79c74113f05902f4dad56a60fb83642a1c8b8ccc6e5132ed58f0fe1640ad80a

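def exp_def(e1, e2, c1, c2, n):
    # Common-modulus attack: with s1*e1 + s2*e2 = gcd(e1, e2) = 1,
    # c1^s1 * c2^s2 = m^(s1*e1 + s2*e2) = m (mod n)
    s, s1, s2 = gmpy2.gcdext(e1, e2)
    # One of s1, s2 is negative; pow() then works with the modular inverse of that ciphertext
    m = (pow(c1, s1, n) * pow(c2, s2, n)) % n
    return int(m)

m = exp_def(e1, e2, c1, c2, n)
print(libnum.n2s(m))
# never_uese_same_modulus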

Rabin

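风大's tool solves it in one go (doge

Of course, it is worth looking at how it works too: Rabin加密算法 ("The Rabin encryption algorithm"), Dragon Liu's blog, CSDN

Hallmark of Rabin:

The Rabin cryptosystem takes e=2.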

exp:

import gmpy2
import libnum
p=65428327184555679690730137432886407240184329534772421373193521144693375074983
q=98570810268705084987524975482323456006480531917292601799256241458681800554123
c=0x4e072f435cbffbd3520a283b3944ac988b98fb19e723d1bd02ad7e58d9f01b26d622edea5ee538b2f603d5bf785b0427de27ad5c76c656dbd9435d3a4a7cf556
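e = 2
n = p * q
inv_p = gmpy2.invert(p, q)
inv_q = gmpy2.invert(q, p)
# p and q are both congruent to 3 mod 4, so c^((p+1)/4) is a square root of c modulo p (likewise for q)
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)
# Combine the square roots modulo p and q with the CRT
r1 = (inv_p * p * mq + inv_q * q * mp) % n
r2 = n - int(r1)
r3 = (inv_p * p * mq - inv_q * q * mp) % n
r4 = n - int(r3)
# Rabin decryption yields four candidate plaintexts; list them all.
for root in [r1, r2, r3, r4]:
    print(root)
    print(libnum.n2s(int(root)))
# b"hgame{That'5_s0_3asy_to_s@lve_r@bin}"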

Reverse

before_main

Base64 with a custom alphabet

Alphabet:

qaCpwYM2tO/RP0XeSZv8kLd6nfA7UHJ1No4gF5zr3VsBQbl9juhEGymc+WTxIiDK

Ciphertext:

AMHo7dLxUEabf6Z3PdWr6cOy75i4fdfeUzL17kaV7rG=
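
A decoder for this custom alphabet, added here as an example (not part of the original write-up): it maps each character back to the standard Base64 alphabet and then decodes normally, using the alphabet and ciphertext given above. The function names are this example's own.

```python
import base64

STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Alphabet and ciphertext exactly as listed in the write-up.
TABLE = "qaCpwYM2tO/RP0XeSZv8kLd6nfA7UHJ1No4gF5zr3VsBQbl9juhEGymc+WTxIiDK"
CIPHERTEXT = "AMHo7dLxUEabf6Z3PdWr6cOy75i4fdfeUzL17kaV7rG="


def check_table(table):
    """A usable alphabet is 64 distinct symbols and does not contain '='."""
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("alphabet must be 64 distinct characters, no '='")


def custom_b64decode(text, table=TABLE):
    """Decode Base64 text that was produced with a substituted alphabet."""
    check_table(table)
    unknown = set(text.rstrip("=")) - set(table)
    if unknown:
        raise ValueError(f"characters outside the alphabet: {sorted(unknown)}")
    # Same 6-bit index, different symbol: translate, then decode normally.
    standard_text = text.translate(str.maketrans(table, STANDARD))
    return base64.b64decode(standard_text, validate=True)


def custom_b64encode(raw, table=TABLE):
    """Inverse direction, useful for confirming a recovered alphabet."""
    check_table(table)
    standard_text = base64.b64encode(raw).decode("ascii")
    return standard_text.translate(str.maketrans(STANDARD, table))


if __name__ == "__main__":
    plaintext = custom_b64decode(CIPHERTEXT)
    print(plaintext.decode())
    # Re-encoding must reproduce the ciphertext if the alphabet is right.
    print(custom_b64encode(plaintext) == CIPHERTEXT)
```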

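Happy New Year

"Amid the crackle of firecrackers a year has passed; the spring breeze brings warmth into the Tusu wine." (Wang Anshi, Song dynasty, 元日 "New Year's Day")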