abc战队----2023LitCTFwp
WEB部分
就当无事发生生
思路:因为pull两次,又给了hint是 就当无事发生 提示 Github commit ,所以去探姬的博客去找,发现文章
因为pull两次一定在一次的提交里,去找对应4月29号的日期commit
通过关于页面看到探姬的github地址,并进入
接着找到博客搭建的仓库为
ProbiusOfficial.github.io 
进入仓库查看action,找他对应4月29号,就是下面这个
找到下面这个,点进去就看到了flag
所以答案为 LitCTF{g1thub_c0mmit_1s_s0_us3ful}
Http pro max plus
本题主要是HTTP协议伪造,由于题目要求本地访问,因此可以考虑xff协议伪造,但是题目禁止使用xff伪造,因此可以考虑使用Client-IP进行伪造。成功访问后题目要求通过某网站访问当前网站,因此需要进行refer伪造。成功访问后提示需要使用谷歌浏览器,因此需要修改User-agent值。成功访问后又提示需要通过特定地址的代理服务器才能访问某网站,我们自然无法真的使用代理服务器进行访问,但是可以逆向思维考虑php等后端语言是如何检测用户是否使用代理服务器的,因此可以伪造HTTP请求头中的via值来骗过后端。成功访问后可以得到一个php文件地址,访问后通过开发这工具打开控制台即可找到flag。
接着访问下面这个路径
1zjs
本地提示可能需要从js中寻找答案,根据往常经验,一般是通关后可以得到flag,随后查看各个js文件,但是没有找到相关提示。随后通过网页查找也没找到与flag相关的字段。本题难点在于提示藏在代码注释中,而注释往往容易被忽视,因此通过注释中的提示访问相关php文件即可得到flag。
得到jsfuck编码
将上面内容直接复制到控制台然后回车即可
这是什么?SQL!注一下
本题已经提示是SQL注入,只需要找到是何种注入方式即可。我们可以通过常见的注入类型来判断是那种注入方式,如果有源码则可以直接通过源码来判断。本题我们通过sqlmap进行扫描就可以直接得到答案。sqlmap一般需要先通过—dbs命令判断数据库(或—current-db判断当前查询关联的数据库),随后可以使用-D和—tables来读取指定数据库中的表,随后-D和-T以及—columns命令来查询指定数据库指定表的字段,最后在通过上面的内容就可以读取指定字段的内容。最后构造的命令如下:
根据构造的sqlmap语句,最终可以得到如下结果:
PHP是世界上最好的语言!!
远程代码执行问题,通过抓包构造请求。题目提示flag在根目录,因此我们可以发送请求,首先进行尝试构造php的系统执行语句发现可行。
再设置为<?php system(“cat /flag”)?>;即可查找到flag值。
导弹迷踪
本题属于前端代码审查,题目提示玩到第六关即可得到flag,方法一就是玩到第六关直接获取到flag,方法二就是查看相关源码,查找定义游戏结束逻辑的函数并查找本题flag。
答案是NSSCTF{y0uw1n_th1s!!!}
Follow me and hack me
本题根据题目含义直接构造POST请求并携带相应请求参数,发送请求后即可得到flag。
我Flag呢?
本题只需要打开开发者工具查看源码即可。需要注意的是控制台得到的是假的。
彩蛋
在“我Flag呢”题目中的控制台输入giveMeEgg(),得到隐藏flag
在“Follow me and hack me”根据提示消息,进行地址爆破,找到www.zip后下载压缩包,在.bak中发现
在“作业管理系统”通过访问github链接获得隐藏flag
在“狠狠的注入”搜索框中输入2即可得到隐藏flag
四个flag根据顺序进行拼接得到总flag
Vim yyds
控制台和网页文件无法发现有用的信息,使用dirsearch.py扫描发现有“/.index.php.swp”
访问下载文件,火绒会识别为病毒,在kali中打开发现
构造POST请求携带参数为Give_Me_Your_Flag的base64编码,且尝试携带参数ls cat等,最后输入cat /flag得到flag
ping
作业管理系统
Flag点击就送
开始是个输入框,随便输入个字符,回车是个一个拿flag的按钮
对其进行抓包,发现session有点特别,像是flask session
用晚上的flask session解密脚本对其尝试解密。发现能解密成功
根据提示,需要以admin用户权限登录进去,那就对 {“name”:”11”} 修改成 {“name”:”admin”} ,然后对其进行加密。
但是发现加密还需要一个关键字,尝试了几下,最后尝试出关键字为 LitCTF
加密后session为 eyJuYW1lIjoiYWRtaW4ifQ.ZGHA6g.qR6nGYItAoO5LfhzfyEB3u3sdbs
替换session,提交,得到flag
flag:NSSCTF{4c1c2f5e-c7e3-4450-8ad8-11f3f143b95d}
PWN部分
口算题卡
nc连接上后发现需要计算,在一次手算错误后,想着用Python代码解决1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36import socket
HOST = 'node6.anna.nssctf.cn' # 目标IP地址
PORT = 28064 # 目标端口
# 创建套接字
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 连接到目标地址和端口
s.connect((HOST, PORT))
# 发送消息
# s.sendall(b'Hello, world!')
# 接收响应
# 由于刚开始接收的不为计算,提前接收两次
s.recv(1024)
s.recv(1024)
while True:
data = s.recv(1024)
if not data:
break
# 分割接收的内容
li = data.decode().split()
# print(li[-3])
print(data)
# 对接收内容进行提取和分割并拼接
str1 = str(str(li[-3])+' '+str(li[-2])+' '+li[-1][:-1].strip())
print(str1.strip())
# 使用eval进行公式计算
result = eval(str1.strip())
print(result)
# 将结果发送
s.sendall(str(result).encode())
# 消耗掉回复
data2 = s.recv(1024)
print(data2)
在报错信息中找到答案
只需要nc一下~
连接nc后执行ls发现两个文件
输入cat Dockerfile,根据Dockerfile文件可知,开启环境为NSSCTF{123456},开启环境后将$FLAG输入到了flag.txt中,而ls却没有该文件,只能通过echo $FLAG得到flag
MISC部分
问卷
点开题目链接,问卷表里就是flag
NSSCTF{LitCTF_2023?It’s_time_to_g0to_zh1hu!!!}
【Minecraft】玩的开心~~~
下载指定版本我的世界,加入在线游戏,通过获得钻石并与村民交易得到flag
签到!(初级)
关注公众号发送签到,获得flag
OSINT 这是什么地方?!
百度识图搜图可得到一些信息
去谷歌搜索关键词:这条没人敢插队的路在哪里,找到知乎的一个链接https://www.zhihu.com/zvideo/1635440800472195073里面有
根据视频介绍这地点在陕西有色榆林新材料集团
所以答案是NSSCTF{陕西有色榆林新材料集团}
OSINT 探姬去哪了?_0
通过查看照片的详细信息,可以找到经纬度信息,
将经纬度信息输入到谷歌地图中
再根据图片中的中国电信在该周围进行搜索得到flag
OSINT 探姬去哪了?_1
根据照片中模糊的SANGEL
在百度地图中查找发现存在SANGEL HOTEL,点击即得到松果酒店
由于郑州存在多家松果酒店,再于美团中查找松果酒店,比对酒店大厅图片
发现农业路店的的图片和资料内的相仿,再于高德地图上查找该店的店名,即可得到 松果酒店(郑州农业路店)
OSINT 探姬去哪了?_2
根据在CTF小组群聊天记录,可以了解到去了hackingclub,通过高德地图查找即可得到flag
OSINT 探姬去哪了?_3
这羽毛球怎么只有一半啊(恼 (初级))
两仪生四象 (中级)
根据代码调试可知,该代码将*先分别对应位ascii的数字,再转换为10位二进制,再将该转换后的共90位二进制以三位分一组与逆转后的_hash字典进行对应并拼接每三位对应的字符,最后输出拼接好的字符串。
解码根据编码的过程先将给的字符串与_hash字典进行对应,得到拼接好的二进制,再对拼接好的字符串每十位一组进行进行二进制转换十进制,之后根据ascii编码转换为字符,输出字符串即可得到flag1
2
3
4
5
6
7
8
9
10
11
12
13data = '坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑'
encoded_text = ''
for i in range(0, len(data)):
try:
encoded_text += _hash[data[i]]
except KeyError:
encoded_text += " "
print(encoded_text)
ascii_str = ""
for i in range(0, len(encoded_text), 10):
byte = encoded_text[i:i+10]
ascii_str += chr(int(byte, 2))
print(ascii_str)
喜欢我的压缩包么 (初级)
爆破压缩包1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25import zipfile
import itertools
filename = "学习资料啊.zip"
def uncompress(file_name, pass_word):
with zipfile.ZipFile(file_name) as z_file:
try:
z_file.extractall("./", pwd=bytes(pass_word, 'utf8'))
except:
return False
return True
# chars是密码可能的字符集
chars = "0123456789"
for c in itertools.product(chars, repeat=6):
password = ''.join(c)
# print(password)
result = uncompress(filename, password)
if not result:
print('解压失败。', password)
else:
print('解压成功。', password)
break
得到密码为“解压成功。 114514”
What_1s_BASE (初级)
下载附件发现base加密 TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==
找解码网站进行解码
答案是LitCTF{KFC_Cr4zy_Thur3day_V_me_50}
404notfound (初级)
下载附件,将图片导入到notepad这个软件打开图片,使用ctrl+F搜索ctf发现flag
答案是LitCTF{Its_404_but_1ts_n0t_a_page}
Osint小麦果汁
解题
下载附件可以发现图片上有hacker&cratf,使用百度进行搜这个关键字,发现一个浙江的酒吧
答案是NSSCTF{黑客与精酿}
破损的图片(初级)
使用010打开附件,发现附件像是个png格式的图片,因为明文部分有IHDR字符,但是发现IHDR前面的格式不正确
查看png图片的格式得png图片前8个字节 89 50 4E 47 0D 0A 1A 0A 为 png的文件头(固定),更改后,并将附件后缀更改为png,查看图片得到flag
Take me hand (初级)
打开题目附件给的是一个流量包。使用wireshark进行打开
过滤tcp流
打开下面这个
进去发现flag为
REVERSE部分
世界上最棒的程序员
思路:使用IDA进行导入文,使用快捷键SHIFT+F12查看字符串发现
所以答案为LitCTF{I_am_the_best_programmer_ever}
ez_XOR
思路:将程序导入IDA pro ,查壳这一步我就省了。
接着寻找main函数
找到关键代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52int __cdecl main(int argc, const char **argv, const char **envp)
{
char *Format; // [esp+0h] [ebp-80h]
char *Str2; // [esp+4h] [ebp-7Ch]
const char **v6; // [esp+8h] [ebp-78h]
char Str1[50]; // [esp+1Ch] [ebp-64h] BYREF
_WORD v8[14]; // [esp+4Eh] [ebp-32h] BYREF
int v9; // [esp+6Ah] [ebp-16h]
int v10; // [esp+6Eh] [ebp-12h]
int v11; // [esp+72h] [ebp-Eh]
int v12; // [esp+76h] [ebp-Ah]
int v13; // [esp+7Ah] [ebp-6h]
__int16 v14; // [esp+7Eh] [ebp-2h]
__main();
strcpy((char *)v8, "E`}J]OrQF[V8zV:hzpV}fVF[t");
v8[13] = 0;
v9 = 0;
v10 = 0;
v11 = 0;
v12 = 0;
v13 = 0;
v14 = 0;
printf("Enter The Right FLAG:");
scanf("%s", Str1);
XOR(Str1, 3);
if ( !strcmp(Str1, (const char *)v8) )
{
printf("U Saved IT!\n");
return 0;
}
else
{
printf("Wrong!Try again!\n");
return main((int)Format, (const char **)Str2, v6);
}
}
对代码进行分析发现是将值E`}J]OrQF[V8zV:hzpV}fVF[t给了v8,分析关键的异或函数,双击进入XOR(Str1, 3);
size_t __cdecl XOR(char *Str, int a2)
{
size_t result; // eax
unsigned int i; // [esp+2Ch] [ebp-Ch]
for ( i = 0; ; ++i )
{
result = strlen(Str);
if ( i >= result )
break;
Str[i] ^= 3 * a2; //异或的规则
}
return result;
}
因为XOR(Str1, 3);传入a2应该是3,所以发现异或的规则是对输入的每一位和9进行异或,这里就是v8的值要被异或
脚本为:1
2
3a = "E`}J]OrQF[V8zV:hzpV}fVF[t"
b = "".join([chr(ord(c) ^ 9) for c in a])
print(b)
运行结果
所以答案是:LitCTF{XOR_1s_3asy_to_OR}
enbase64
将下载的附件导入IDA PRO进行代码上的逻辑分析
1.寻找main函数
2.分析关键代码
点击base函数发现了换表的函数 basechange(Source);
进入basechange函数
发现主要进行以下操作:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81char *__cdecl basechange(char *Source)
{
char *result; // eax
char Destination[65]; // [esp+13h] [ebp-155h] BYREF
int v3[65]; // [esp+54h] [ebp-114h] BYREF
int j; // [esp+158h] [ebp-10h]
int i; // [esp+15Ch] [ebp-Ch]
memset(v3, 0, sizeof(v3));
v3[0] = 16;
v3[1] = 34;
v3[2] = 56;
v3[3] = 7;
v3[4] = 46;
v3[5] = 2;
v3[6] = 10;
v3[7] = 44;
v3[8] = 20;
v3[9] = 41;
v3[10] = 59;
v3[11] = 31;
v3[12] = 51;
v3[13] = 60;
v3[14] = 61;
v3[15] = 26;
v3[16] = 5;
v3[17] = 40;
v3[18] = 21;
v3[19] = 38;
v3[20] = 4;
v3[21] = 54;
v3[22] = 52;
v3[23] = 47;
v3[24] = 3;
v3[25] = 11;
v3[26] = 58;
v3[27] = 48;
v3[28] = 32;
v3[29] = 15;
v3[30] = 49;
v3[31] = 14;
v3[32] = 37;
v3[34] = 55;
v3[35] = 53;
v3[36] = 24;
v3[37] = 35;
v3[38] = 18;
v3[39] = 25;
v3[40] = 33;
v3[41] = 43;
v3[42] = 50;
v3[43] = 39;
v3[44] = 12;
v3[45] = 19;
v3[46] = 13;
v3[47] = 42;
v3[48] = 9;
v3[49] = 17;
v3[50] = 28;
v3[51] = 30;
v3[52] = 23;
v3[53] = 36;
v3[54] = 1;
v3[55] = 22;
v3[56] = 57;
v3[57] = 63;
v3[58] = 8;
v3[59] = 27;
v3[60] = 6;
v3[61] = 62;
v3[62] = 45;
v3[63] = 29;
result = strcpy(Destination, Source);
for ( i = 0; i <= 47; ++i )
{
for ( j = 0; j <= 63; ++j )
Source[j] = Destination[v3[j]];
result = strcpy(Destination, Source);
}
return result;
}
发现是对初始的base64表ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/进行换表操作
使用python代码将替换后的表算出来,脚本为:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20def basechange(source):
destination = list(source)
v3 = [
16, 34, 56, 7, 46, 2, 10, 44, 20, 41, 59, 31, 51, 60, 61, 26, 5, 40, 21, 38,
4, 54, 52, 47, 3, 11, 58, 48, 32, 15, 49, 14, 37, 0, 55, 53, 24, 35, 18, 25,
33, 43, 50, 39, 12, 19, 13, 42, 9, 17, 28, 30, 23, 36, 1, 22, 57, 63, 8, 27,
6, 62, 45, 29
]
for i in range(48):
for j in range(64):
source[j] = destination[v3[j]]
destination = source[:]
return ''.join(destination)
if __name__ == '__main__':
s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
result = basechange(list(s))
print(result)
所以替换后的base64表位gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND
3.分析main函数发现了 basecheck(Str1);这个操作,进入函数分析1
2
3
4
5
6
7int __cdecl basecheck(char *Str1)
{
if ( !strcmp(Str1, "GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju") )
return puts("You are right!");
else
return puts("False");
}
加密后的结果应该是GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju
4.综上所述即可写出来base64的解密脚本1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21import base64
def custom_base64_decode(encoded_str, custom_chars):
base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Generate translation table
trans_table = str.maketrans(custom_chars, base64_chars)
# Translate encoded string
translated_str = encoded_str.translate(trans_table)
# Decode translated string
decoded_str = base64.b64decode(translated_str)
return decoded_str
# Example usage
encoded_str = "GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"
custom_chars = "gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"
decoded_str = custom_base64_decode(encoded_str, custom_chars)
print(decoded_str.decode("utf-8"))
5.运行结果为:
答案是LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}
snake
参考:https://blog.csdn.net/qq_44808585/article/details/104148402
下载文件后发现为gyc文件,进行反编译,发现无magic number,通过测试文件进行编译后查看该python版本的magic number,使用010editor添加上magic number反编译成功,成功后找到flag那块代码直接运行即可得到flag1
2
3
4
5
6
7
8
9
10flag = [
30, 196,
52, 252, 49, 220, 7, 243,
3, 241, 24, 224, 40, 230,
25, 251, 28, 233, 40, 237,
4, 225, 4, 215, 40, 231,
22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
print(bytes(flag).decode())
CRYPTO
Hex?Hex!(初级)
打开附件结合题目发现了是16进制编码,使用16进制转字符串的解码网站解码https://www.bejson.com/convert/ox2str/
答案是LitCTF{tai111coollaaa!}
家人们!谁懂啊,RSA签到都不会 (初级)
下载附件发现了1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''
使用网上计算RSA的脚本进行计算可得1
2
3
4
5
6
7
8
9
10
11
12
13
14from gmpy2 import *
from Crypto.Util.number import *
e = 65537
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
n = p * q
phi_n = (p - 1) * (q - 1)
print(gcd(e, q - 1))
d = invert(e, (p - 1))
m = pow(c, d, p)
print(long_to_bytes(m))
所以答案是LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}
梦想是红色的 (初级)
打开附件是核心价值观编码,在网上找核心价值观在线解码网站http://www.hiencode.com/cvencode.html解密:
答案:LitCTF{为之则易,不为则难}
原来你也玩原神 (初级)
https://www.bilibili.com/read/cv10220424
挨着对照出flag
你是我的关键词(Keyworld) (初级)
根据题目猜测为维吉尼亚算法加解密,搜索在线解密工具 http://www.hiencode.com/keyword.html
根据题目描述推测密钥为YOU尝试解密,得到flag
factordb (中级)
典型的RSA
打开题目附件可得
e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708
因为题目需要分解n,且提示factordbhttp://factordb.com/,所以找到在线网站进行分解n可得到两个数
275127860351348928173285174381581152299
319576316814478949870590164193048041239
接着使用网上的脚本进行修改计算可得,可能与其他队伍脚本相似,我们是在csdn找的脚本1
2
3
4
5
6
7
8
9
10
11
12import gmpy2
from Crypto.Util.number import long_to_bytes
e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708
p1 = 275127860351348928173285174381581152299
p2 = 319576316814478949870590164193048041239
phi = (p1 - 1) * (p2 - 1)
d = gmpy2.invert(e, phi
m = pow(c, d, n)
print (long_to_bytes(m))
所以答案是LitCTF{factordb!!!}
yafu (中级)
下载附件发现了1
2
3
4
5
6
7
8
9
10
11
12
13
14
15from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
n = 1
for i in range(15):
n *=getPrime(32)
e = 65537
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
'''
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
'''
又是分解n
在网上找的题目里说的那个yafu工具分解n,工具下载地址https://onboardcloud.dl.sourceforge.net/project/yafu/1.34/yafu-1.34.zip
在文件夹下输入cmd可进行使用公具,接着运行命令
.\yafu-x64 factor(15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307)
可得到15个数
分别为
P10 = 2201440207
P10 = 3354884521
P10 = 4171911923
P10 = 2719600579
P10 = 4044505687
P10 = 2758708999
P10 = 2767137487
P10 = 2585574697
P10 = 2906576131
P10 = 2315495107
P10 = 3355651511
P10 = 3989697563
P10 = 4021078331
P10 = 2151018733
P10 = 2923522073
接着使用网上的脚本进行修改计算可得,可能与其他队伍脚本相似,我们是在csdn找的脚本1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25import gmpy2
from Crypto.Util.number import long_to_bytes
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
e = 65537
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
p1 = 2201440207
p2 = 3354884521
p3 = 2719600579
p4 = 4171911923
p5 = 2315495107
p6 = 2758708999
p7 = 3989697563
p8 = 2923522073
p9 = 2151018733
p10 = 3355651511
p11 = 2906576131
p12 = 4044505687
p13 = 4021078331
p14 = 2585574697
p15 = 2767137487
phi = (p1 - 1) * (p2 - 1) * (p3 - 1)* (p4 - 1) * (p5 - 1)* (p6 - 1) * (p7 - 1)* (p8 - 1) * (p9 - 1)* (p10 - 1) * (p11 - 1)* (p12 - 1) * (p13 - 1)* (p14 - 1) * (p15 - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print (long_to_bytes(m))
运行结果为
所以答案是LitCTF{Mu1tiple3m4ll_prim5_fac7ors@re_uns4f5}
The same common divisor (高级)
题目给了n1,n3,c1,c2,e,根据代码中n1、n2、n3的运算规则,首先求出n2
再根据网上找的脚本求出结果
https://www.cnblogs.com/wandervogel/p/16805990.html#esayrsa21
2
3
4
5
6
7
8
9
10
11
12
13
14
15n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2 = n1^n3
e = 65537
# 正确 The same common divisor (高级)
import gmpy2
import binascii
p = gmpy2.gcd(n1,n2)
q = n1 // p #不论是用n1还是n2整除p得到的q,最后得到的都是同一个明文m
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c1,d,n1)
print(binascii.unhexlify(hex(m)[2:]))
easy_math (中级)
chat一下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29from Crypto.Util.number import *
from sympy.solvers import solve
from sympy import Symbol
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
# 求解p和q
x = Symbol('x')
y = Symbol('y')
equations = [x * y - n, x ** 3 - y ** 5 - hint]
solutions = solve(equations, [x, y])
# 选取满足p > q 的解
p, q = solutions[0]
if p < q:
p, q = q, p
print(p)
print(q)
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
e = 65537
p = 7321664971326604351487965655099805117568571010588695608389113791312918573783115429227542573780838065461696504325762281209452761930184231131129306271846427
q = 304683618109085947723284393392507415311
n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(libnum.n2s(int(m)))
SEEM和探姬的游戏
使用chatgpt,写的代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35MOD = 10**9 + 7
def dfs(u, fa):
sz[u] = 1
sum[u] = a[u]
for v in g[u]:
if v != fa:
dfs(v, u)
sz[u] += sz[v]
sum[u] += sum[v]
def dp(u, fa):
res = 0
for v in g[u]:
if v != fa:
res += dp(v, u) + (n - sz[v]) * sz[v] * (sum[v] - sum[u])
return res % MOD
if __name__ == '__main__':
n = int(input())
a = list(map(int, input().split()))
g = [[] for _ in range(n)]
for _ in range(n - 1):
u, v = map(int, input().split())
g[u - 1].append(v - 1)
g[v - 1].append(u - 1)
sz = [0] * n
sum = [0] * n
dfs(0, -1)
ans = 0
for u in range(n):
ans += dp(u, -1)
print(ans % MOD)
Small
使用chatgpt,写的代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31chat一下
from Crypto.Util.number import *
from sympy.solvers import solve
from sympy import Symbol
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932
# 求解p和q
x = Symbol('x')
y = Symbol('y')
equations = [x * y - n, x ** 3 - y ** 5 - hint]
solutions = solve(equations, [x, y])
# 选取满足p > q 的解
p, q = solutions[0]
if p < q:
p, q = q, p
print(p)
print(q)
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
e = 65537
p = 7321664971326604351487965655099805117568571010588695608389113791312918573783115429227542573780838065461696504325762281209452761930184231131129306271846427
q = 304683618109085947723284393392507415311
n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(libnum.n2s(int(m)))
Prime
使用chatgpt,写的代码1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22def solve(m, e):
# 计算出每个质数的次数
cnt = [0] * m
for i in range(m):
cnt[i] = e[i]
# 计算出每个质数的幂次
p = [0] * m
p[0] = 1
for i in range(1, m):
p[i] = p[i - 1] * cnt[i - 1]
# 从小到大枚举质数,计算出最小的 n
n = 0
for i in range(m):
while pow(i + 1, n // p[i]) % (i + 1) == 0:
n += p[i]
return n
if __name__ == '__main__':
m = int(input())
e = list(map(int, input().split()))
ans = solve(m, e)
print(ans)
