HGAME 2021 WEEK2

0X1Misc

1.Tools

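To do a good job, one must first sharpen one's tools.

Attachment (extraction code: glal)

The attachment's file name makes it obvious that this is F5 steganography.

First, we check the file properties to learn its password: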

!LyJJ9bi&M7E72*JyD

which in turn yields the archive password:

e@317S*p1A4bIYIs1M

Yet another layer of encryption...

Same approach, only this time it is steghide steganography, which gives the archive password:

u0!FO4JUhl5!L55%$&

Wow! The classic nesting-doll routine.

This time it is Outguess steganography; the same technique gives the archive password:

@UjXL93044V5zl2ZKI

At last we reach the final layer of encryption; JPHS steganography gives the archive password:

xSRejK1^Z1Cp9M!z@H

Finally, stitch the four pieces together into one complete QR code and scan it to get the flag: hgame{Taowa_is_N0T_g00d_but_T001s_is_Useful}

2.Telegraph:1601 6639 3459 3134 0892

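A piece written by the composer he once loved most; it makes you feel as if you were strolling beneath a starry sky, yet now hearing it only turns his stomach. Because the file name is too long, the md5 of the attachment is given separately: E5C3EE3F441B860B07A3ADCD98BFFC00

Please submit the flag in the form hgame{your_flag_here}; the flag is all uppercase.

Attachment (extraction code: e397)

On playback there is clearly a stretch with Morse code mixed in.

Transcribed, it reads: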

-.-- --- ..- .-. ..-. .-.. .- --. .. ... ---... ....- --. ----- ----- -.. ... ----- -. --. -... ..- - -. ----- - ....- --. ----- ----- -.. -- .- -. ----- ...-- ----. ...-- .---- ----- -.- ..           

Decoding the Morse gives the flag: hgame{4G00DS0NGBUTN0T4G00DMAN039310KI}

yourflagis:4g00ds0ngbutn0t4g00dman039310ki           


3.Hallucigenia

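"We not only got its top and bottom wrong, we also reversed its left and right."

LSB analysis reveals a QR code.

Scanning it gives a string (not really), shown below: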

gmBCrkRORUkAAAAA+jrgsWajaq0BeC3IQhCEIQhCKZw1MxTzSlNKnmJpivW9IHVPrTjvkkuI3sP7bWAEdIHWCbDsGsRkZ9IUJC9AhfZFbpqrmZBtI+ZvptWC/KCPrL0gFeRPOcI2WyqjndfUWlNj+dgWpe1qSTEcdurXzMRAc5EihsEflmIN8RzuguWq61JWRQpSI51/KHHT/6/ztPZJ33SSKbieTa1C5koONbLcf9aYmsVh7RW6p3SpASnUSb3JuSvpUBKxscbyBjiOpOTq8jcdRsx5/IndXw3VgJV6iO1+6jl4gjVpWouViO6ih9ZmybSPkhaqyNUxVXpV5cYU+Xx5sQTfKystDLipmqaMhxIcgvplLqF/LWZzIS5PvwbqOvrSlNHVEYchCEIQISICSZJijwu50rRQHDyUpaF0y///p6FEDCCDFsuW7YFoVEFEST0BAACLgLOrAAAAAggUAAAAtAAAAFJESEkNAAAAChoKDUdOUIk=           

Running a script shows that it is not a text string but the binary content of a PNG file.

Script:

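from base64 import b64decode

# Decode the Base64 text scanned from the QR code and dump the raw bytes for inspection
with open('flag.txt', 'rb') as src, open('flag', 'wb') as dst:
    dst.write(b64decode(src.read()))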

So a script is used to reverse the bytes and obtain the PNG image.

Script:

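from base64 import b64decode

# Decode the Base64 text, then reverse the byte order so the PNG signature comes first
with open('flag.txt', 'rb') as src, open('flag.png', 'wb') as dst:
    dst.write(b64decode(src.read())[::-1])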

Look closely: read the other way round, it is the flag: hgame{tenchi_souzou_dezain_bu}
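The "it is really a PNG, stored backwards" finding can be checked mechanically: a byte-reversed file ends with the reversed magic number. This is an added example, not the author's script; `B64_TAIL` is the last 40 characters of the Base64 string above, and the function names are illustrative.

```python
import base64
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Last 40 characters of the Base64 string recovered from the QR code above.
# Base64 decodes in 4-character groups, so an aligned tail decodes on its own.
B64_TAIL = "AAAAAggUAAAAtAAAAFJESEkNAAAAChoKDUdOUIk="


def orientation(data: bytes) -> str:
    """Say whether data looks like a PNG, a byte-reversed PNG, or neither."""
    if data.startswith(PNG_SIG):
        return "forward"
    if data.endswith(PNG_SIG[::-1]):
        return "reversed"
    return "unknown"


def read_ihdr(head: bytes) -> tuple:
    """Parse the IHDR chunk that must directly follow the PNG signature."""
    if len(head) < 29 or not head.startswith(PNG_SIG):
        raise ValueError("not the start of a PNG")
    length, chunk_type = struct.unpack(">I4s", head[8:16])
    if (length, chunk_type) != (13, b"IHDR"):
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", head[16:26])
    return width, height, depth, colour


def triage(data: bytes) -> tuple:
    """Return (orientation, width, height, bit depth, colour type)."""
    kind = orientation(data)
    if kind == "unknown":
        raise ValueError("no PNG signature at either end")
    if kind == "reversed":
        data = data[::-1]  # undo the reversal before parsing
    return (kind,) + read_ihdr(data[:29])


if __name__ == "__main__":
    print(triage(base64.b64decode(B64_TAIL)))
```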

4.DNS

A significant invention.

Attachment (extraction code: 6af6)

Under DNS, a domain name turns up:

flag.hgame2021.cf

Visiting it and viewing the page source reveals the key hint: SPF

What is SPF? (A quick Baidu search answers that.)

https://www.altn.com.cn/5728.html

Finally, querying its TXT record with nslookup gives the flag: hgame{D0main_N4me_5ystem}

Query commands in Windows cmd:

nslookup
set q=txt
flag.hgame2021.cf           

Query command on Linux (Kali):

Since I am using kali2020, I need to switch to root privileges first and then run the following command:
dig -t txt flag.hgame2021.cf           


0X2Web

1.LazyDogR4U

Lazy dog R4u hid the flag, but because he is a lazy dog, the flag is hidden very insecurely.

Challenge Address

http://ecdaa2e20e.lazy.r4u.top

Download the source code via www.zip.

Auditing flag.php: it includes lazy.php, and satisfying

$_SESSION['username'] === 'admin'

is enough to get the flag.

<?php
session_start();

require_once 'lazy.php';


if(!isset($_SESSION['username'])){
    die('您配嗎?');
}
?>


<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
    <link rel="stylesheet" href="static/style.css">
</head>

<body>
<form class="box" action="" method="post">
    <?php

    if($_SESSION['username'] === 'admin'){
        echo "<h3 style='color: white'>admin将于今日擷取自己忠實的flag</h3>";
        echo "<h3 style='color: white'>$flag</h3>";
    }else{
        if($submit == "getflag"){
            echo "<h3 style='color: white'>{$_SESSION['username']}接近了問題的終點</h3>";
        }else{
            echo "<h3 style='color: white'>篡位者占領了神聖的頁面</h3>";
        }
    }
        ?>
    <input type="submit" name="submit" value="getflag">
</form>
</body>

</html>           

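Next, auditing lazy.php: every variable passed in through

_GET

_POST

is registered as an ordinary variable, which allows existing variables to be overwritten.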

<?php
$filter = ["SESSION", "SEVER", "COOKIE", "GLOBALS"];

// Register all variables directly so that I can type less, woohoo~

foreach(array('_GET','_POST') as $_request){
    foreach ($$_request as $_k => $_v){
        foreach ($filter as $youBadBad){
            $_k = str_replace($youBadBad, '', $_k);
        }
        ${$_k} = $_v;
    }
}


// Autoload classes so that I can type less here too, woohoo~
function auto($class_name){
    require_once $class_name . ".php";
}
spl_autoload_register('auto');           

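So we construct the global variable

_SESSION[username]

through the query string. The filter deletes each blocked word in a single str_replace pass and never re-checks the result, so the doubled spelling in the payload collapses back to _SESSION after filtering.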

payload:
flag.php?_SESSESSIONSION[username]=admin           

This finally yields the flag: hgame{r4u~i5_@_l@zY-D0G}
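Why the filter in lazy.php does not protect `$_SESSION`, next to a stricter registration step, modelled in Python as an added example (not the challenge's code). Python's `str.replace` removes matches in one left-to-right pass just as PHP's `str_replace` does; the `ALLOWED` set and the function names are assumptions.

```python
FILTER = ["SESSION", "SEVER", "COOKIE", "GLOBALS"]  # copied from lazy.php
ALLOWED = {"submit"}  # assumption: the only request variable flag.php reads


def lazy_filter(key: str) -> str:
    """Model of the str_replace loop: each word is deleted in a single pass."""
    for word in FILTER:
        key = key.replace(word, "")
    return key


def register_lazy(request: dict, scope: dict) -> None:
    """Model of `${$_k} = $_v`: every filtered key becomes a variable."""
    for key, value in request.items():
        scope[lazy_filter(key)] = value


def register_strict(request: dict, scope: dict) -> list:
    """Hardened form: copy allowlisted scalar names only, report the rest."""
    rejected = []
    for key, value in request.items():
        if key in ALLOWED and isinstance(value, str):
            scope[key] = value
        else:
            rejected.append(key)  # reject instead of rewriting the name
    return rejected


def demo() -> tuple:
    # Constructed request, shaped the way PHP parses the query string on the page.
    request = {"_SESSESSIONSION": {"username": "admin"}, "submit": "getflag"}
    lazy = {"_SESSION": {"username": "guest"}}
    strict = {"_SESSION": {"username": "guest"}}
    register_lazy(request, lazy)
    rejected = register_strict(request, strict)
    return lazy["_SESSION"], strict["_SESSION"], rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting unexpected names outright avoids the whole class of "sanitised input becomes dangerous again" bugs that a delete-and-continue filter invites.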


2.Post to zuckonit

d1gg12 has just learned HTML; come and take a look at the online blog he wrote!

Challenge Address

http://zuckonit.0727.site:7654

xss

3.200OK!!

Have you gotten PTSD today?

Challenge Address

https://200ok.liki.link

SQL injection

4.Liki's Birthday Present

Liki's birthday is coming up and she wants a Switch. Can you help her?

Challenge Address

https://birthday.liki.link

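Topic tested: race condition. Capture the request made when redeeming the coupon, then resend it repeatedly from multiple threads.

After logging in you can see that buying just 52 coupons is enough to get the flag; open Burp and capture the request.

Send it to Intruder, select Null payloads and generate 100 payloads.

Set it to run 10 concurrently.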


Start Attack

After refreshing the page, redeem to get the flag: hgame{L0ck_1s_TH3_S0lllut!on!!!}
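The server-side flaw behind this, and the fix the flag hints at, as an added example rather than the challenge's code: a balance check followed by a separate debit lets concurrent requests all pass the check, while a lock makes check and debit one step. The shop model, price, balance and delay are constructed.

```python
import threading
import time


class Shop:
    """Constructed model: the balance covers exactly one coupon."""

    def __init__(self, use_lock: bool):
        self.balance = 40
        self.price = 40
        self.coupons = 0
        self.use_lock = use_lock
        self.lock = threading.Lock()

    def _buy(self) -> None:
        if self.balance >= self.price:   # check
            time.sleep(0.05)             # stand-in for database latency
            self.balance -= self.price   # act
            self.coupons += 1

    def buy(self) -> None:
        if self.use_lock:
            with self.lock:              # check and act become one atomic step
                self._buy()
        else:
            self._buy()


def run(use_lock: bool, requests: int = 10) -> Shop:
    """Send `requests` concurrent purchases and return the final shop state."""
    shop = Shop(use_lock)
    workers = [threading.Thread(target=shop.buy) for _ in range(requests)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
    return shop


if __name__ == "__main__":
    for mode in (False, True):
        state = run(mode)
        print("lock" if mode else "no lock", state.coupons, state.balance)
```

In a real application the same guarantee usually comes from the database (a row lock or a conditional `UPDATE ... WHERE balance >= price`) rather than an in-process lock.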


0X2Crypto

1.signin

Sign-in (warm-up) challenge, 233

Challenge Address https://mod.liki.link

from libnum import *
from Crypto.Util import number

from secret import FLAG

m = s2n(FLAG)
a = number.getPrime(1024)
p = number.getPrime(1024)

c = a ** p * m % p

print("a = {}".format(a))
print("p = {}".format(p))
print("c = {}".format(c))
# a = 139797327006915116125126834708569781257905890889214772754132967944560239477559427234818170821905966089190947970216980685309703521750454649892247689054657607174600902412798917747263330185879424486123329896583384878012975296270715665441346026354817476240516457708613238092696963533041009088500592879662166253257
# p = 151730388933509920208398125559765127290441122573229308376450817125256445382422908158672019884194306096919838130907844546729851309788163360015419981802510147036452621347724746013834845831207220493241621927858819016342531775639148674368365993683788605987857873546489688725060327903851376240619248166306123462663
# c = 88732386468504387282857878979411728549526363384046769757050721891386416926099771636774309722073926162140997385022007310495636448572530441526048408400076676269906889357399751593581177111658275917266905263737388647978425632263036544709572767498549738915832567940145078140586586992388462314474394590770638444139           


m=c ⋅ a^(−1) mod p => flag:hgame{M0du1@r_m4th+1s^th3~ba5is-Of=cRypt0!!}

Fermat's little theorem: if p is a prime and the integer a is not a multiple of p, then a^(p-1) ≡ 1 (mod p)
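The step from the theorem to the formula above, written out as an added derivation with the challenge's symbols:
$$
a^{p} = a \cdot a^{p-1} \equiv a \pmod{p} \\
c \equiv a^{p} \cdot m \equiv a \cdot m \pmod{p} \\
m \equiv c \cdot a^{-1} \pmod{p}
$$
The value recovered this way equals the original m because the flag, read as an integer, is far smaller than the 1024-bit p; a is itself a prime different from p, so its inverse modulo p exists.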

Script:

from libnum import *
import gmpy2

a = gmpy2.mpz(164082656705280243691125701366387366083595671395343593709662689631005563420712514013315976102671561607316385961761351750099262566476484522886282723886520916918141054995957297228003062477122757133630754605589171370142255727815498152265374544695303477525391985791134432904658602561841437101787689055904235722543)
p = gmpy2.mpz(119737975692964086468800522901334964831462403986044100108042760900964357796378935817727112428450685227062069911631189059668095468384251497619994295762904825142670700856495550090451162130895038569427260669297398177894831568054918372123884561767488134043298231005288709340276215664659982597587377569232740821383) 
c = gmpy2.mpz(61634913046503959178216377910203847308428571260648767327608998821120378164975042475439460895394673980137101460250286330274948376187417345460266021486815411513611233649751971142112272707408612929020818762110963149534344745362620646443064201836579453768233731326328543553543287448234680170625258920657056312732)
# a^p ≡ a (mod p), so c ≡ a*m (mod p) and m = c * a^(-1) mod p
x = gmpy2.invert(a, p)
m = c * x % p

print(m)
print(n2s(int(m)))


2.gcd or more?

GCD...?

Challenge Address https://more.liki.link

from libnum import *
from secret import FLAG

p = 85228565021128901853314934583129083441989045225022541298550570449389839609019
q = 111614714641364911312915294479850549131835378046002423977989457843071188836271
n = p * q

cipher = pow(s2n(FLAG), 2, n)
print(cipher)
# 7665003682830666456193894491015989641647854826647177873141984107202099081475984827806007287830472899616818080907276606744467453445908923054975393623509539           

This is Rabin; running the script gives the flag: hgame{3xgCd~i5_re4l1y+e@sy^r1ght?}

Script:

import gmpy2
import libnum

c = 7665003682830666456193894491015989641647854826647177873141984107202099081475984827806007287830472899616818080907276606744467453445908923054975393623509539
p = 85228565021128901853314934583129083441989045225022541298550570449389839609019
q = 111614714641364911312915294479850549131835378046002423977989457843071188836271

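def rabin_decrypt(c, p, q):
    # Needs p ≡ q ≡ 3 (mod 4), so that c^((p+1)/4) is a square root of c mod p
    n = p * q
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)
    # CRT coefficients: yp*p ≡ 1 (mod q) and yq*q ≡ 1 (mod p)
    yp = gmpy2.invert(p, q)
    yq = gmpy2.invert(q, p)
    r = (yp * p * mq + yq * q * mp) % n
    rr = n - r
    s = (yp * p * mq - yq * q * mp) % n
    ss = n - s
    return (r, rr, s, ss)

m = rabin_decrypt(c, p, q)

# Only one of the four square roots is the flag; print all candidates as bytes
for root in m:
    root = int(root)
    print(root.to_bytes((root.bit_length() + 7) // 8, 'big'))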


3.WhitegiveRSA

N = 882564595536224140639625987659416029426239230804614613279163

e = 65537

c = 747831491353896780365654517748216624798517769637260742155527

Challenge Address https://www.baidu.com

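This should count as an introductory RSA challenge.

First factor N to obtain p and q (① factor n with yafu: open yafu on the command line and enter factor(n); ② use an online site).

Then run the script to get the flag: hgame{w0w~yOU_kNoW+R5@!}

Script: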

from Crypto.Util.number import *
import gmpy2

p = 857504083339712752489993810777
q = 1029224947942998075080348647219
e = 65537
c = 747831491353896780365654517748216624798517769637260742155527
n = p * q
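# Private exponent: d = e^(-1) mod (p-1)(q-1); cast to int so long_to_bytes gets a plain integer
d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
m = pow(c, d, n)

print(long_to_bytes(m))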


4.The Password

Hint

Challenge Address https://1.oss.hgame2021.vidar.club/thepassword.html

The Password
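Tinmix went to play an escape room with friends, but because of an unexpected incident Tinmix got locked in one of the rooms and started feeling around. In the dim light, Tinmix found a large disk in the room that had been manually divided into 7 smaller disks. Not having paid attention at first, Tinmix found that every disk had already been rotated, but Tinmix remembered the rotation process and the results.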
$$
y_1=x_1⊕n_1⊕(x_1⋙7)⊕(x_1⋘3) \\
   y_2=x_2⊕n_2⊕(x_2⋙4)⊕(x_2⋘9) \\
   y_3=x_3⊕n_3⊕(x_3⋙2)⊕(x_3⋘5) \\
   y_4=x_4⊕n_4⊕(x_4⋙6)⊕(x_4⋘13) \\
   y_5=x_5⊕n_5⊕(x_5⋙8)⊕(x_5⋙16) \\
   y_6=x_6⊕n_6⊕(x_6⋙5)⊕(x_6⋘7) \\
   y_7=x_7⊕n_7⊕(x_7⋙2)⊕(x_7⋘5) \\
   \\
   (y_1,n_1) = (15789597796041222200,14750142427529922)\\
   (y_2,n_2) = (8279663441787235887,2802568775308984)\\
   (y_3,n_3) = (9666438290109535850,15697145971486341)\\
   (y_4,n_4) = (10529571502219113153,9110411034859362)\\
   (y_5,n_5) = (8020289479524135048,4092084344173014)\\
   (y_6,n_6) = (10914636017953100490,2242282628961085)\\
   (y_7,n_7) = (4622436850708129231,10750832281632461)\\
$$
Definitions
⋙ denotes rotate right (circular right shift)
⋘ denotes rotate left (circular left shift)
⊕ denotes XOR
hint           
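The transform above is linear over GF(2), so it can be undone without guessing. This added example (not part of the challenge or of the write-up) assumes 64-bit words, which the page does not state; function names and the sample x are constructed.

```python
BITS = 64                 # assumption: each disk value is a 64-bit word
MASK = (1 << BITS) - 1


def rotl(x: int, r: int) -> int:
    r %= BITS
    return ((x << r) | (x >> (BITS - r))) & MASK


def rotr(x: int, r: int) -> int:
    return rotl(x, BITS - r)


def mix(x: int, rots) -> int:
    """x XOR two rotations of x; rots looks like (("r", 7), ("l", 3))."""
    out = x
    for direction, amount in rots:
        out ^= rotr(x, amount) if direction == "r" else rotl(x, amount)
    return out


def forward(x: int, n: int, rots) -> int:
    """y = x XOR n XOR rot(x) XOR rot(x), as in the statement."""
    return mix(x, rots) ^ n


def invert(y: int, n: int, rots) -> int:
    # A rotation by k is multiplication by z^k in GF(2)[z]/(z^64 + 1).
    # Squaring six times sends every z^k to z^(64k) = 1, and mix has three
    # terms, so mix applied 64 times is 1 + 1 + 1 = 1, the identity.
    # Hence 63 further applications undo one application.
    value = y ^ n
    for _ in range(BITS - 1):
        value = mix(value, rots)
    return value


# Rotation pairs for y_1 .. y_7, transcribed from the equations above.
DISKS = [(("r", 7), ("l", 3)), (("r", 4), ("l", 9)), (("r", 2), ("l", 5)),
         (("r", 6), ("l", 13)), (("r", 8), ("r", 16)), (("r", 5), ("l", 7)),
         (("r", 2), ("l", 5))]


def round_trip(x: int, n: int) -> bool:
    """Check that invert() recovers x for every disk's rotation pair."""
    return all(invert(forward(x, n, rots), n, rots) == x for rots in DISKS)
```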


...