misc

1.OSINT-3

misc

1.美丽的风景照

gif分帧,按彩虹色排序

jqW2_Dg2C_7HLo8_6yRWh_3CaEK_ZXw8T_98Mz

jqW2

Dg2C

7HLo8

6yRWh

3CaEK

ZXw8T

98Mz

zM89

T8wXZ

KEaC3

hWRy6

8oLH7

C2gD

2Wqj

2.Guess!

猜一下就行了

3.湖心亭看雪

异或+分离zip+添加zip文件头+snow解密

ISCTF{y0U_H4v3_kN0wn_Wh4t_15_Sn0w!!!}

4.小蓝鲨的神秘文件

给了一个这文件ChsPinyinUDL.dat

谁有微软拼音自学习词库的导入导出算法? · Issue #58 · studyzy/imewlconverter

在这找到了转换算法:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
import sys
import os
import platform
import pypinyin

def str2sysstr(strout):
    sysstr = platform.system()
    if(sysstr =="Windows"):
        return strout.encode("gbk")
    else:
        return strout.encode("utf-8")

if __name__ == '__main__':
    if len(sys.argv)==2:
        user_word_file = sys.argv[1]
    else:
        user_word_file = r"E:\CTF\比赛\isctf\misc\wireshark\ChsPinyinUDL.dat"
    
    if not os.path.exists(user_word_file):
        print("file:",user_word_file,"not exist\n\n")
        print("use example")
        print( "user_word_exporter.exe")
        print( " : paser %USERPROFILE%\AppData\Roaming\Microsoft\InputMethod\Chs\ChsPinyinUDL.dat" )
        print( "user_word_exporter.exe dat_file_name")
        print( " : paser dat_file_name")
        sys.exit(1)
    
    fp = open(user_word_file,"rb")
    userword = open("user_word_microsoft_pinyin.txt","at")
    data = fp.read()
    cnt = int.from_bytes(data[12:16], byteorder='little', signed=False)
    user_word_base = 0x2400
    for i in range(cnt):
        cur_idx = user_word_base + i * 60
        word_len = int.from_bytes(data[cur_idx + 10:cur_idx + 11], byteorder='little', signed=False)
        word = data[cur_idx + 12 : cur_idx + 12 + word_len * 2 ].decode("utf-16")
        # -=-=-=-=-=-=--=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=
        # reference: https://www.jb51.net/article/167461.htm
        #
        # convert character to pinyin
        pinyin_str = '\t'
        pinyin_list = pypinyin.pinyin(word, style=pypinyin.NORMAL)
        # return [['shi'], ['shu'], ['ji'], ['shi'], ['zhang']]
        for i, py in enumerate(pinyin_list):   
            pinyin_str += py[0]
            if i+1 != word_len:  # not the last word, add space behind
                pinyin_str += ' '
        one_line = word + pinyin_str + '\t1'
        print(word + pinyin_str + '\t1')
        # -=-=-=-=-=-==-=-=-=-=-==-=-=-=-=-=-=---=-=-=-=-=-=-=-=
        userword.write(one_line + "\n")

    fp.close()
    userword.close()

输出结果如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
帮我优化这段代码        bang wo you hua zhe duan dai ma 1
不要乱动我的代码        bu yao luan dong wo de dai ma   1
不要动我原来的代码      bu yao dong wo yuan lai de dai ma       1
出题人说弗莱格在官网    chu ti ren shuo fu lai ge zai guan wang 1
出题人说弗莱格在那里    chu ti ren shuo fu lai ge zai na li     1
官网的新闻里    guan wang de xin wen li 1
弗莱格  fu lai ge       1
还有一些项目合作的机会  hai you yi xie xiang mu he zuo de ji hui        1
福州蓝鲨信息技术有限公司        fu zhou lan sha xin xi ji shu you xian gong si  1
机会是留给有准备的人    ji hui shi liu gei you zhun bei de ren  1
看看官网的新闻吧        kan kan guan wang de xin wen ba 1
你把简历投了再说        ni ba jian li tou le zai shuo   1
你去看看新闻动态呢      ni qu kan kan xin wen dong tai ne       1
你去找辅导员问问        ni qu zhao fu dao yuan wen wen  1
你去蓝鲨官网看看呗      ni qu lan sha guan wang kan kan bei     1
你这个脚本跑不了啊      ni zhe ge jiao ben pao bu liao a        1
他们招实习的    ta men zhao shi xi de   1
这次比赛你参加了吗      zhe ci bi sai ni can jia le ma  1
真的可以去试试  zhen de ke yi qu shi shi        1
在我原来的基础上修改    zai wo yuan lai de ji chu shang xiu gai 1

提示到官网新闻动态找

crypto

1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from Crypto.Util.number import *

p = getPrime(1024)
q = getPrime(1024)
N = p*q
e = 65537
msg = bytes_to_long(b"ISCTF{dummy_flag}")
ct1 = pow(msg, e, N)
ct2 = pow(msg, p+q, N)

print(f"{N = }")
print(f"{ct1 = }")
print(f"{ct2 = }")

"""
N = 17630258257080557797062320474423515967705950026415012912087655679315479168903980901728425140787005046038000068414269936806478828260848859753400786557270120330760791255046985114127285672634413513991988895166115794242018674042563788348381567565190146278040811257757119090296478610798393944581870309373529884950663990485525646200034220648901490835962964029936321155200390798215987316069871958913773199197073860062515329879288106446016695204426001393566351524023857332978260894409698596465474214898402707157933326431896629025197964209580991821222557663589475589423032130993456522178540455360695933336455068507071827928617
ct1 = 5961639119243884817956362325106436035547108981120248145301572089585639543543496627985540773185452108709958107818159430835510386993354596106366458898765597405461225798615020342640056386757104855709899089816838805631480329264128349465229327090721088394549641366346516133008681155817222994359616737681983784274513555455340301061302815102944083173679173923728968671113926376296481298323500774419099682647601977970777260084799036306508597807029122276595080580483336115458713338522372181732208078117809553781889555191883178157241590455408910096212697893247529197116309329028589569527960811338838624831855672463438531266455
ct2 = 11792054298654397865983651507912282632831471680334312509918945120797862876661899077559686851237832931501121869814783150387308320349940383857026679141830402807715397332316601439614741315278033853646418275632174160816784618982743834204997402866931295619202826633629690164429512723957241072421663170829944076753483616865208617479794763412611604625495201470161813033934476868949612651276104339747165276204945125001274777134529491152840672010010940034503257315555511274325831684793040209224816879778725612468542758777428888563266233284958660088175139114166433501743740034567850893745466521144371670962121062992082312948789
"""

欧拉定理

$ msg^{ϕ(N)}≡1\ mod\ N $

而 RSA 中:

$ ϕ(N)=(p−1)(q−1)=N−p−q+1 $

所以我们有:

$ msg^{N−p−q+1}≡1\ mod\ N $

两边同时乘以 msg_p_+q−1,得:

$ msg^{N+1}≡msg^{p+q}\ mod\ N→ ct2≡msg^{N+1}\ mod\ N $

$ ct1≡msg^{e}\ mod\ N $

计算一下发现:

$ gcd(e,N+1)=1 $

这样可以利用gcdext算出

$ ae+b(N+1)=1 $

1
2
from gmpy2
g, a, b = gmpy2.gcdext(e, N + 1)

有:

$ msg^1≡msg^{ea+b(N+1)}≡(msg^e)^a*(msg^{N+1})^b≡(ct1)^a*(ct2)^b\ \ mod\ N $

解题代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from Cryptodome.Util.number import long_to_bytes
import gmpy2

N = ...
ct1 = ...
ct2 = ...
e = 65537

g, a, b = gmpy2.gcdext(e, N + 1)
ct1 = pow(ct1, a, N)
ct2 = pow(ct2, b, N)
m = (ct1 * ct2) % N
flag = long_to_bytes(m)
print(flag)

pwn

1.ez_fmt

考点:格式化字符串

前置:格式化字符串漏洞利用

参考:格式化字符串漏洞原理及其利用(附带pwn例题讲解)-CSDN博客

有两个比较好玩的输出:一个是%n,一个格式%\d$s

很久没写c了,有点手生

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <stdio.h>

int main() 
{
	int cnt;
	printf("he%nllo\n", &cnt);
	printf("%d\n",cnt);

	printf("hello%n\n", &cnt);
	printf("%d",cnt);

	return 0;
}
//hello
//2
//hello
//5
//printf 在解析到 %n 时,会把“当前已经输出的字符数”写到传进来的那个指针指向的内存里,也就是 cnt 所在的位置
1
2
3
4
5
6
7
8
9
10
11
#include <stdio.h>
int main() {
    char a[] = "aaaa";
    char b[] = "bbbb";
    char c[] = "cccc";
    char d[] = "dddd";
    printf("%3$s  %2$s  %1$s", a, b, c);
    return 0;
} 
//cccc  bbbb  aaaa
//%\d$s限制了参数顺序打印,按照给定的参数序号来返回