
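Moectf Strong Cryptographer (强壮密码人) Partial Write-up

Preface

While playing moectf I also took a look at the Strong Cryptographer set in the training ground. The challenges are pretty good, so here is a write-up.

Challenges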

0rsa0

task.py

from Crypto.Util.number import *
from flag import flag

assert flag[0:7] == b'moectf{'
assert flag[-1:] == b'}'
flag = flag[7:-1]
assert len(flag) == 32

m1 = bytes_to_long(flag[0:16])
m2 = bytes_to_long(flag[16:32])

def enc1(m):
    p = getPrime(512)
    q = getPrime(512)
    n = p * q
    e = 3
    c = pow(m,e,n)
    return n,e,c

def enc2(m):
    p = getPrime(512)
    q = getPrime(512)
    e = 65537
    d = inverse(e,(p-1)*(q-1))
    n = p * q 
    dp2 = d % (p-1)
    c = pow(m,e,n)
    return n,e,c,dp2

n1,e1,c1 = enc1(m1)
n2,e2,c2,dp2 = enc2(m2)

print("n1="+ str(n1))
print("e1="+ str(e1))
print("c1="+ str(c1))
print("n2="+ str(n2))
print("e2="+ str(e2))
print("c2="+ str(c2))
print("dp2="+ str(dp2))

Approach:

LILCTF2025

Preface

Rank 19, slightly disappointing; in the end the blockchain challenge went unsolved. The write-ups are collected below.

Crypto(zsm)

ez_math

task.py

from sage.all import *
from Crypto.Util.number import *
from tqdm import tqdm
from random import randint
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

flag = b'LILCTF{test_flag}'

p = getPrime(64)
P = GF(p)

key = randint(2**62, p)

def mul(vector, c):
    return [vector[0]*c, vector[1]*c, vector[2]*c, vector[3]*c, vector[4]*c]

v1 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v2 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v3 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v4 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v5 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
a, b, c, d, e = getPrime(64), getPrime(64), getPrime(64), getPrime(64),  0

A = matrix(P, [v1, v2, v3, v4, v5])
B = matrix(P, [mul(v1,a), mul(v2,b), mul(v3, c), mul(v4, d), mul(v5, e)])
C = A.inverse() * B
D = C**key

key = pad(long_to_bytes(key), 16)
aes = AES.new(key,AES.MODE_ECB)
msg = aes.encrypt(pad(flag, 64))

print(f"p = {p}")
print(f'C = {[i for i in C]}'.replace('(', '[').replace(')', ']'))
print(f'D = {[i for i in D]}'.replace('(', '[').replace(')', ']'))
print(f"msg = {msg}")

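Matrix B is obtained as the diagonal matrix L times matrix A, so C = A^{-1}B = A^{-1}LA, which is obviously a similarity transformation of the matrix. lambda1 and lambda2 are exactly two eigenvalues of matrix C, so it can be attacked directly.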
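The similarity relation above, checked on a toy instance (an added example, not code from the original write-up or the challenge). The 3x3 size, the small prime `P`, and the values of `A`, `LAMBDAS` and `KEY` are constructed assumptions; the point is that the rows of A are left eigenvectors of C with the diagonal entries of L as eigenvalues, and of D = C^key with those entries raised to `key`.

```python
# Added illustration, not the challenge's code: a 3x3 toy over a small prime.
P = 10007  # constructed modulus; the challenge uses a random 64-bit prime

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P
             for j in range(n)] for i in range(n)]

def inverse(M):
    """Gauss-Jordan inverse modulo P (M must be invertible)."""
    n = len(M)
    aug = [[x % P for x in row] + unit for row, unit in zip(M, identity(n))]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def matpow(M, k):
    R = identity(len(M))
    while k:
        if k & 1:
            R = matmul(R, M)
        M, k = matmul(M, M), k >> 1
    return R

def rows_are_eigenvectors(A, M, values):
    """True if row_i(A) * M == values[i] * row_i(A) (mod P) for every i."""
    n = len(A)
    for v, lam in zip(A, values):
        vM = [sum(v[k] * M[k][j] for k in range(n)) % P for j in range(n)]
        if vM != [lam * x % P for x in v]:
            return False
    return True

# Constructed sample values mirroring task.py: the last multiplier is 0, like e.
A = [[2, 3, 5], [7, 11, 13], [17, 19, 23]]
LAMBDAS = [1234, 5678, 0]
KEY = 4321
B = [[x * lam % P for x in row] for row, lam in zip(A, LAMBDAS)]  # B = L*A
C = matmul(inverse(A), B)
D = matpow(C, KEY)
```

Because conjugation by A leaves the eigenvalues visible, the secrecy of `key` rests only on a discrete logarithm in GF(p), which a 64-bit prime does not make hard.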

HTB Editor&Cypher

Editor

External reconnaissance

For some reason rustscan could not find port 8080; it feels like the game was rigged against me.

nmap -sC -sV -Pn -p- 10.10.11.80 --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-05 13:06 CST
Nmap scan report for 10.10.11.80
Host is up (0.11s latency).
Not shown: 52865 filtered tcp ports (no-response), 12667 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http    Jetty 10.0.20
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_  Server Type: Jetty(10.0.20)
|_http-server-header: Jetty(10.0.20)
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.22 seconds

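First add the domain name, then visit port 80 and find there is nothing there, bro. Looking at 8080, the word xwiki shows up; a quick search online for it turns up a CVE.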

Terminal Configuration

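Preface

I recently watched some videos about terminals and, on a whim, decided to update my own configuration and software. It also happens that iterm2 feels a bit old and laggy.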

kitty

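A terminal emulator developed by an Indian developer, and it is really impressive. I had a look: it is written in a mix of Go, Python and C, and the performance is also very good, so I am switching to kitty here.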

Seccon beginner 2025 Wp

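Overview

rank 135/880

I feel it could have been higher, since I did not play the whole time. This time I mainly dabbled in cry and re. The overall challenge status is below.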

## crypto

### seesaw (100pt / 612 solves)

### 01-Translator (100pt / 280 solves)

### Elliptic4b (272pt / 171 solves)

### Golden Ticket (491pt / 35 solves)

### mathmyth (452pt / 79 solves)

## reversing

### CrazyLazyProgram1 (100pt / 654 solves)

### CrazyLazyProgram2 (100pt / 468 solves)

### D-compile (100pt / 335 solves)

### wasm_S_exp (100pt / 330 solves)

### MAFC (339pt / 144 solves)

### code_injection (441pt / 88 solves)

Challenges marked with * are the ones that were not solved.

Mocsctf2025 Wp

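Preface

A competition in Macau with fairly good prizes, so I went for it xd. This is a recap; the unsolved challenges will be added later.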

web

shuke-beita

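This one really was a sign-in challenge xd. Opening f12 shows a line (document.body.innerHTML = "请关闭开发者工具以继续使用本网站"). We are a bit rebellious, so we opened it anyway, then ran the game and captured a request, and the flag was visible right there in f12. Unbeatable.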