CTF pure cock on new players in the process of division
"on top of this subject is on the top but we do not sub-ah."
Crypto - InfantRSA
topic:
真*签到题
p = 681782737450022065655472455411;
q = 675274897132088253519831953441;
e = 13;
c = pow(m,e,p*q) = 275698465082361070145173688411496311542172902608559859019841 There is still a script that is used to encrypt
#!/usr/bin/env python3
from secret import flag
assert flag.startswith(b'hgame{') and flag.endswith(b'}')
m = int.from_bytes(flag, byteorder='big')
p = 681782737450022065655472455411
q = 675274897132088253519831953441
e = 13
c = pow(m, e, p*q)
assert c == 275698465082361070145173688411496311542172902608559859019841 I did not go to script (digging) directly to search a bit to get started at the beginning of the knowledge of RSA , usually do not use Python because it was originally thought that the use WolframAlpha to calculate large numbers manually. Draft follows:
p 681782737450022065655472455411
q 675274897132088253519831953441
n=p*q 460390767897997184102969941508880171690097589571068900519251
φ=(p-1)(q-1) 460390767897997184102969941507523114055515479251893596110400
e(1<e<φ, gcd(e,φ)=1) 13
d(e*d mod φ=1) 141658697814768364339375366617699419709389378231351875726277
c=m^e mod n 275698465082361070145173688411496311542172902608559859019841
m 39062110472669388914389428064087335236334831991333245 Wherein calculating the private key d is substituted into Equation WolframAlpha directly as solving the equations, the solution obtained is
460390767897997184102969941507523114055515479251893596110400 * n + 141658697814768364339375366617699419709389378231351875726277, n ∈ Z Takes n = 0 (n is also effective when other integer), with WolframAlpha c ^ d mod n is calculated to obtain plaintext m
how to convert m flag it? View topic inside the script combined with Baidu, that use m.to_bytes in Python () function can be. Among two mandatory parameters, ByteOrder is big, length tested long length of the text is greater than the flag can be obtained according to the script text content flag is provided, the fill of 100 to almost the
final flag: hgame {t3Xt6O0k_R5A !!!}
Postscript:
"If I had known, Python can count large numbers ..." (next title information should first clear reason to start again, start to see if the subject inside the script py of this feature will detect and enhance solution title velocity)
theoretically public and private e d may be interchanged, i.e., plaintext ciphertext obtained by encrypting d, e by ciphertext decrypts
a solution to post Baidu d is: e ^ -1 mod φ, i.e. d φ e is the inverse mode, instead of -1 where e 1 / e meaning
Crypto - Affine
topic:
Some basic modular arithmetic... Casual working on a script py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import gmpy2
from secret import A, B, flag
assert flag.startswith('hgame{') and flag.endswith('}')
TABLE ='zxcvbnmasdfghjklqwertyuiop1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
MOD = len(TABLE)
cipher = ''
for b in flag:
i = TABLE.find(b)
if i == -1:
cipher += b
else:
ii = (A*i + B) % MOD
cipher += TABLE[ii]
print(cipher)
# A8I5z{xr1A_J7ha_vG_TpH410} Analyze logic, presumably take each character among the flag, in which the subscript i TABLE obtained through the operation of the new index II, and replace the original character in the corresponding characters in TABLE II, ciphertext
A8I5z{xr1A_J7ha_vG_TpH410} Because the encryption operation is performed for a single character, and the encryption process is independent of the position of a character in which the flag, the flag can attempt to recover portions
The first is the flag of the head. A815z must come from the hgame encrypted, the subscript of each character by analyzing the obtained correspondence relationship of the following (in brackets is the subscript characters in TABLE)
h(12)->A(46)
g(11)->8(33)
a(7)->I(43)
m(6)->5(30)
e(18)->z(0) python script analysis is as follows
TABLE = 'zxcvbnmasdfghjklqwertyuiop1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
cry = 'hgame-A8I5z{xr1A_J7ha_vG_TpH410}'
for b in cry:
print(TABLE.find(b),end=' ') The core is encrypted ii = (A * i + B )% MOD, MOD TABLE length (62), although not familiar with the nature of the modulo, but considering g + h, m + a conversion in both groups presence of i + 1-> ii + 13, reason to believe that the value of a is 13 (without confirmation carefully, because it would not)
after the note while m + g, a + i in the difference between the two groups by the transformation h a ii difference but greater than, the value described (a * 11 + B) has been greater than the MOD, it means that ((6 * 13 + B) -30) * n = ((11 * 13 + B) -33), n is an integer of 2 to
sort out the relation formula obtained
B=-48+62/(n-1) B may get a value of 14, -17, -46, -47 (because decimal seems unable mod? So the solution directly rounded up)
to consider the results of transformation of character just e is 0, but also get a key formula child
13 * 18+B=62 * n
B=62n-234 14 B is basically determined
to A, B are substituted into the original encrypted encryption hgame script and found that when A = 13, B = 14 A8I5z results obtained, indicating that A, B should be correct encryption parameters
(the original code from secret assert row and all rows deleted, manually define a, B, and flag to the encrypted authentication)
further conjecture, which has a length of ciphertext portion 6 (TpH410), most likely crypto
encrypts obtained ciphertext is TjR41q, very similar to the original ciphertext, substantially determined crypto flag is the last paragraph
of the crypto replace sensitive digital conversion and similar verification and encryption, the finally obtained cRYpt0
Similarly, binding semantic analysis, the ciphertext portion of length 2 ( vG) is likely iS, but s, S, the results were not encrypted 5 G, then try in, iN finally obtained
was <-t, a <1 -h converted in the above process, then guess of semantics xr1A corresponding result for the myth, but after several attempts to prove this conjecture was wrong
before taking into account the mod will not lead to one correspondence between i and ii (in fact), so no one by one to find characters ciphertext correspondence relationship, but now After taking into account the way to go and have the correspondence relationship can narrow the search, then of A ~ Z, a ~ z and 0 to 9 all encryption, to obtain the corresponding relationship is as follows
原文:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
密文:IbTazt8AvBfi5wq4QjX1JKF2RkLWgeh6OClsy9xG3YDpnEcoMNHSUZmr7PVdu0 (In fact, one to one)
look-up table to obtain flag
final flag: hgame {M4th_u5Ed_iN_cRYpt0}
Postscript:
Here actually affine password decryption expression for i = (A ^ -1) ( ii - B)% MOD, A ^ -1 is the inverse element A mode MOD
Crypto - not_One-time
topic:
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but...
Just XOR ;P
nc 47.98.192.231 25001
hint: reduced key space There is also a script:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os, random
import string, binascii, base64
from secret import flag
assert flag.startswith(b'hgame{') and flag.endswith(b'}')
flag_len = len(flag)
def xor(s1, s2):
#assert len(s1)==len(s2)
return bytes( map( (lambda x: x[0]^x[1]), zip(s1, s2) ) )
random.seed( os.urandom(8) )
keystream = ''.join( [ random.choice(string.ascii_letters+string.digits) for _ in range(flag_len) ] )
keystream = keystream.encode()
print( base64.b64encode(xor(flag, keystream)).decode() ) Try to first try to directly run in linux system command
nc 47.98.192.231 25001 The following results
JTcLBwQzE3czQV8UPkoIYWtbVT4PYnB2CUFxUQEzVhw8IVYvR0cdZXUJTg== After attempts, each time the results obtained by running the command are not the same, guess the resulting ciphertext is encrypted by the script obtained, but the topic should be required to recover from the ciphertext which the flag
subject to the prompt "reduced key space "while the group inside the school also gave a knowledge of the site , but the site after reading only learned about when space is less than the plaintext space key encryption is not secure (should mean).
Analyze the code and found that there appeared a custom random number seed, guess this question about the pseudo-random number and may, however, further search found os.urandom () function is used to make random encryption key, which is the result of difficult execution expected, indicating that the pseudo-random number does not work in this direction
after searching in vain several times from "reduced key space" angle, I try to search from the title "one time pad" point of view, found that OTP is extremely safe. . . This question can not do
, however, come into contact with during the search MTP (Many Time Pad), by further search, I found an article explaining related content found mentioned in Many Time Pad is somewhat similar to this question. A plurality of plain paper entitled plurality of ciphertext obtained by the same encryption key, according to the request key ciphertext, and decrypted by a key target ciphertext; and this is the problem flag is encrypted random key requires solving flag. Both the request looks different, but since the encryption algorithm from among the XOR operation is commutative, this problem can be considered as the plaintext (random key) by the same key (flag) to give a series of encrypted ciphertext seek key (flag) .
Continued research articles have been several important information
1. If a ^ x = b, then b ^ x = a (XOR reflexivity)
2 provided the plain text m1, m2, ciphertext c1, c2, the there c1 ^ c2 = (m1 ^ key ) ^ (m2 ^ key) = m1 ^ key ^ key ^ m2 = m1 ^ m2
3. article inferences properly c1 ^ c2 meaningful letters, corresponding m1, m2 English letters is likely to be a space is a
third generalization is down, ^ c2 m1 is obtained by finding meaningful c1, m2 possible solutions
Corresponds to this question, can write the following pseudo-code:
定义密文集合
定义每一位的解集S
定义临时解集TMP
for(密文中的每一位i):
for(密文集合中的密文1,密文2):
结果=密文1[i]^密文2[i]
for(任意字符j,任意字符k):
if(任意字符j^任意字符k==结果):
TMP.加入元素(密文1[i]^j,密文2[i]^j,密文1[i]^k,密文2[i]^k)
if(S[i]是空集):
S[i]=TMP
else:
S[i]=求交集(TMP,S[i])
输出结果 The title conditions provided script, j and k are within the scope of letters and numbers, which is equivalent to a meaningful c1 ^ c2 defined conditions. The intersection of the process, it is the public part of each group of ciphertext obtained solution, in order to narrow the scope of the solution, but the feeling is still essentially violence
After the construction of the flag and its own original script with encryption key and write your own code to solve flag. The process of writing the code because too many pit (logic errors, flag range error, etc.) and buried himself in the lead for a long time debugging, the final code is as follows:
# # -*- coding: utf-8 -*-
import base64, string
from socket import socket
table = (string.ascii_letters + string.digits).encode() # 源于题目中随机key
# result = (string.ascii_letters + string.digits + '''{}_''').encode() #坑1
result = (string.printable).encode()
ciphers = []
for i in range(30): # 设定获取密文数量
sock = socket()
sock.connect(('47.98.192.231', 25001))
text=sock.recv(500)
ciphers.append(text)
sock.close()
for i in range(len(base64.b64decode(ciphers.pop(0)))):
lis=set()
for cur1 in ciphers:
for cur2 in ciphers:
cy1 = base64.b64decode(cur1)
cy2 = base64.b64decode(cur2)
if (cy1 == cy2):
continue
res=set()
tmp1 = cy1[i] ^ cy2[i]
for j in range(len(table)):
for k in range(len(table)):
if (j == k):
continue
tmp2 = table[j] ^ table[k]
if (tmp1 == tmp2): # 使c1^c2有意义
res1 = int(cy2[i] ^ table[j]).to_bytes(1, 'big')
res2 = int(cy2[i] ^ table[k]).to_bytes(1, 'big')
if (result.find(res1) != -1): # 缩小解范围
res.add(res1)
if (result.find(res2) != -1): # 坑2
res.add(res2)
if (lis == set()):
lis = res
if (res != set()):
tmp = lis.intersection(res)
if (tmp != set()):
lis.intersection_update(res)
else:
lis.update(res)
print(i,''.encode().join(lis)) Pit 1:
naively that flag which in addition only numbers and letters} {_ accidental, resulting solution 13,16,21,22,23,24,36 index is strange (even if a large number of ciphertext always solution is not unique, and there is no public part)
pit 2:
the beginning of the judgment that when the inner res1 and res2 are only the res1, res2 join in the result table res, it is clear that the logic error, because when res1 meet the conditions of res2 the result is unknown, erroneous results in the determination condition set is empty solution
sockXXX:
ads there alternatives to nc command, whereby the ciphertext can automatically obtain
The number of ciphertext open to substantially 40 to 60 can be uniquely determined flag, and tested 100 would be able to start and finish within 30min, still performance (it)
Final flag: hgame {r3us1nG + M3 $ 5age - && ~ rEduC3d_k3Y -5P4Ce}
Crypto - Reorder
topic:
We found a secret oracle and it looks like it will encrypt your input…
nc 47.98.192.231 25002 Ip and port with access to the NC, found to be an interactive program, the character input may be disrupted sequentially output
root@tesla:~# nc 47.98.192.231 25002
> 123
2 1 3
> acbvasdsdfasdfwefagda
fdcseaadadfswvsb a a f d g
> 1234567890
726 591 08 4 3 And after several input directly from the flag?
Rua!!!
mjg{L+e$hItUpm5a!u_m}iRA3nTT!e0P Obviously flag sequence is disrupted, in conjunction with the subject name, it should be in accordance with a correspondence relationship between the reduction flag, and this correspondence relationship is to be correspondence between the input and output
test as follows
root@tesla:~# nc 47.98.192.231 25002
> 1234567890zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zz3687952zz0z14zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzz z zz
> zzzzzzzzzz1234567890zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
14zzzzzzz23z6zz5zz9zzzzz8zzzz70zzzzzzzzzzzzzzzzzz zzzzzzz z zz
> zzzzzzzzzzzzzzzzzzzz1234567890zzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzz70z24351z896zzzzzzzzzzzzzzzzzzzzz zzzzzzz z zz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz1234567890zzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzz2zz1zz5809z74zzzz36zz zzzzzzz z zz
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz1234567890zzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz36zzzz1zz4528zz7z zzzzzz0 z 9z
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz1234567890
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz9 146573z0 8 z2
> zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz1234567890
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz2zzzzzzzz1z4zz3 70 96 58
> z
z
> z
z
> z
z
Rua!!!
+ma{Uj$eg5ItLhmpi!PmTuAR_0nT}3e! Find the corresponding flag can tell if the
final flag: hgame {jU $ t + 5ImpL3_PeRmuTATi0n !!}
Misc - Welcome to HGame!
topic:
欢迎大家参加 HGAME 2020!
来来来,签个到吧~
Li0tIC4uLi0tIC4tLi4gLS4tLiAtLS0tLSAtLSAuIC4uLS0uLSAtIC0tLSAuLi0tLi0gLi4tLS0gLS0tLS0gLi4tLS0gLS0tLS0gLi4tLS4tIC4uLi4gLS0uIC4tIC0tIC4uLi0t
注:若解题得到的是无hgame{}字样的flag花括号内内容,请手动添加hgame{}后提交。
【Notice】解出来的字母均为大写 According to CTF routine (may be so), I do not know decrypted plaintext Xiandiu base64 again, get a bunch of Morse code
.-- ...-- .-.. -.-. ----- -- . ..--.- - --- ..--.- ..--- ----- ..--- ----- ..--.- .... --. .- -- ...-- And then the corresponding decryption, get the contents of flag brackets (Morse code can not use Chinese encryption decryption tool, because the tool will first plaintext / ciphertext converted to Unicode, the above code will not directly correspond to the character)
w3lc0me_to_2020_hgam3 No topic before [Notice] section, led me to try to change the font submitted for a long time, and finally a full success to uppercase before submitting
the final flag: hgame {W3LC0ME_TO_2020_HGAM3}
Misc - Wallpaper
topic:
某天,ObjectNotFound给你发来了一个压缩包。
“给你一张我的新老婆的壁纸!怎样,好看吗?”
正当你疑惑不解的时候,你突然注意到了压缩文件的名字——“Secret”。
莫非其中暗藏玄机? Put up on the archive does not hold up
See the name to know the title is a diagram planted directly in the archive dragged out of the picture, rename zip suffix, then open
Found flag.txt is encrypted, a comment which said that the need to find the original P to open the station ID
思路一:百度得知P站ID一般为8位数字,那么直接bruteforce应该可行(手上没工具,未实现)
思路二:识图
考虑到识图网站处理图片文件的方式应该和本地的图片查看器方式相同,因此没有做图片与压缩包的分离操作,直接把源文件用来识图了
先丢百度识图上面直接识图,无果
后百度“P站识图”,找到了一个P站以图找ID的网站,查到图片的ID是76953815
打开flag.txt,却并没有看到flag,而是以下内容
\u68\u67\u61\u6d\u65\u7b\u44\u6f\u5f\u79\u30\u75\u5f\u4b\u6e\u4f\u57\u5f\u75\u4e\u69\u43\u30\u64\u33\u3f\u7d 两个16进制数结合前面的u前缀,猜测以上内容为utf-8编码,而且下划线的16进制utf-8编码为5f,且密文中刚好有多处\u5f,基本确定这是utf-8编码。但是由于缺少解码工具,只能手动解码出flag
解到一半想起百度提交搜索内容时是将中文转为utf-8编码以%xx的形式通过GET提交,遂将flag.txt中的\u替换为%,然后在百度官网地址后面添加以下内容
baidu?wd=%68%67%61%6d%65%7b%44%6f%5f%79%30%75%5f%4b%6e%4f%57%5f%75%4e%69%43%30%64%33%3f%7d 访问后即可在搜索框位置得到flag
最终flag:hgame{Do_y0u_KnOW_uNiC0d3?}
Web - 鸡尼泰玫
题目:
听说你球技高超? 之后给出了一个游戏网址,打开之后是一个类似BBTAN的游戏,每一次击球可以获得100分,当总分超过30000分时即可获得flag
游戏菜鸡自然是不会玩游戏的,直接F12,发现是一个js写的小游戏,当中定义了几个游戏中的类
然后在game类当中找到了globalScore和storageScore两个重要参数
尝试用以下命令修改
_main.game.storageScore=30000
_main.game.globalScore=30000 发现修改之后数据确实变成了30000,但是每次球撞到方块之后分数会变回原始分数
之后尝试在球即将落地时修改参数,成功
最终flag:hgame{j4vASc1pt_w1ll_tel1_y0u_someth1n9_u5efu1?!}
Web - Code World
题目:
Code is exciting! 直接访问目标地址,看到了403 Forbidden
感觉挺无从下手的,于是试了一下F12,发现源码里面有这么一行
console.log("This new site is building....But our stupid developer Cosmos did 302 jump to this page..F**k!") 百度了一下有关302的信息,结果直接找到一篇文章讲CTF题目当中遇到302的处理方法。Linux下使用curl访问网址默认是不会根据302跳转跳到新网址的,遂用curl访问该网址,得到以下结果
root@tesla:~# curl http://codeworld.hgame.day-day.work/
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html> 405 Not Allowed说明当前的请求方法不被允许。因为curl不能发送自定义的请求头,所以决定还是用Fiddler的Composer功能试一下
用Fiddler抓了包,意外地发现Fiddler能抓到访问题目网址时的302返回和403返回,且302返回当中的内容正好是curl所得到的结果,说明用Fiddler直接访问题目网址即可。
打开Composer选项卡,填入网址,把所有的请求方法全部试了一遍
发现使用POST方法访问之后得到了以下结果
<center><h1>人鸡验证</h1><br><br>目前它只支持通过url提交参数来计算两个数的相加,参数为a<br><br>现在,需要让结果为10</center> 尝试直接在请求体部分添加a=10,没有反应;再尝试a=5+5,也没有反应
后来发现审题不仔细,应该是在url当中提交参数。遂再网址后添加?a=10,没有反应;再尝试?a=5%2B5,得到了以下结果(+号经url编码后得到%2B,可在百度搜索框当中尝试)
<center><h1>人鸡验证</h1><br><br>目前它只支持通过url提交参数来计算两个数的相加,参数为a<br><br>现在,需要让结果为10<br><h1>The result is: 10</h1><br>hgame{C0d3_1s_s0_S@_sO_C0ol!}</center> 最终flag:hgame{C0d3_1s_s0_S@_sO_C0ol!}
Web - 接 头 霸 王
题目:
HGAME Re:Dive 开服啦~ 直接访问题目地址,得到以下提示
You need to come from https://vidar.club/. 
通过百度得知需要在请求头里面加上
Referer: https://vidar.club/ 于是用Fiddler的Composer补完请求头之后提交,得到以下提示
You need to visit it locally. 之后基本就是得到提示→百度→改头的过程了,题目中涉及到的修改操作如下
You need to come from https://vidar.club/.
Referer: https://vidar.club/
You need to visit it locally.
X-Forwarded-For: 127.0.0.1
You need to use Cosmos Brower to visit.
User-Agent: Cosmos Brower
Your should use POST method :)
把请求方法由默认的GET改为POST
The flag will be updated after 2077, please wait for it patiently.
If-Unmodified-Since: Fri, 01 Jan 2077 00:00:00 GMT 其中最后一条只需要这个时间比响应头中的Last-Modified时间晚即可(相同也可以)
前几条百度上都挺好找的,就是最后一条网上似乎没有明确的介绍,于是就把所有和日期有关的头都试了一遍,找到了结果
最终flag:hgame{W0w!Your_heads_@re_s0_many!}
Web - Cosmos的博客
题目:
这里是 Cosmos 的博客,虽然什么东西都还没有,不过欢迎大家! 打开网页后内容如下:
大茄子让我把 flag 藏在我的这个博客里。但我前前后后改了很多遍,还是觉得不满意。不过有大茄子告诉我的版本管理工具以及 GitHub,我改起来也挺方便的。 按F12,没有发现任何有用信息。尝试直接
git clone http://cosmos.hgame.n3ko.co/ 也没有结果
之后直接找了一下CTF中有关git的题目,根据网上的信息,访问
http://cosmos.hgame.n3ko.co/.git/HEAD 得到以下内容
ref: refs/heads/master 说明该网站存在git泄露。在网上下了一个githacker的脚本,把网站上的git仓库直接下载下来,然后直接目录内搜索hgame,无果
根据网上的操作步骤,尝试查看仓库的历史版本,无果
之后随便翻阅仓库内的文件,意外发现GitHub上的仓库地址
clone到本地后再次尝试查看历史版本,结果与上一次不一样
尝试恢复,得到了flag文件,base64解码即可得到flag
最终flag:hgame{g1t_le@k_1s_danger0us_!!!!}
第一次做CTF类的题目,感觉自己还是太菜了,做出来的题目不足1/2,而且用时很长。之后看一下别人的writeup学习一下吧
2020.01.24