Comment on page
LitCTF 2023

Web
我Flag呢？
查看html源码
<!--flag is here flag=NSSCTF{39609b1a-cc8d-4fe1-8ccf-594cd745632a} -->
Ping
Brupsuite 一把梭
Payload command=127.0.0.1%3bcat%20%2fflag&ping=Ping
Follow me and hack me
Brupsuite 一把梭
Payload /?CTF=Lit2023 Challenge=i'm_c0m1ng
Misc
喜欢我的压缩包么 (初级)
404notfound (初级)
Take me hand (初级)
wireshark一把梭
破损的图片(初级)
一眼顶针，鉴定为丢了文件头，怼个png进去试试
然后发现成了
这羽毛球怎么只有一半啊（恼 (初级)
import zlib
import struct
​
filename = 'ymq.png'
with open(filename, 'rb') as f:
    all_b = f.read()
    crc32key = int(all_b[29:33].hex(), 16)
    data = bytearray(all_b[12:29])
    n = 4095
    for w in range(n):
        width = bytearray(struct.pack('>i', w))
        for h in range(n):
            height = bytearray(struct.pack('>i', h))
            for x in range(4):
                data[x + 4] = width[x]
                data[x + 8] = height[x]
            crc32result = zlib.crc32(data)
            if crc32result == crc32key:
                print("宽为：", end="")
                print(width)
                print("高为：", end="")
                print(height)
                
#宽为：bytearray(b'\x00\x00\x063')
#高为：bytearray(b'\x00\x00\x08\xc5') 
OSINT 探姬去哪了?_0
在图片中包含地址位置信息，可以查到结果是 中国电信大厦
OSINT 探姬去哪了?_2
​https://hn.ifeng.com/c/8PcG1DDuKYm​
结果就是 NSSCTF{漫香音乐酒吧(农科路店)} 
OSINT 探姬去哪了?_3
通过 CTF 可以猜测探姬是学计算机，直接找计算机学院位于学校哪里，可以查出来位于 科学校区 ，第二问为第几教学楼，直接从 1 开始穷举，最后图片中显示 217 ，说明是在 2 层 217。
结果就是 NSSCTF{科学校区-第1教学楼-2层-217}
OSINT 这是什么地方？！
​https://m.weishi.qq.com/vise/share/index.html?id=79DecqCDn1IvxDk6v​
结果就是 陕西有色榆林新材料集团 
OSINT 小麦果汁
WiFi 名字为 Hacker & Craft
百度即可得到答案 黑客与精酿 
两仪生四象 (中级)
_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
​
encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑"
​
__reverse_hash = {k: v for k, v in _hash.items()}
​
decoded_text = ""
for i in range(0, len(encoded_text)):
    try:
        decoded_text += __reverse_hash[encoded_text[i]]
    except KeyError:
        decoded_text += " "
​
print(decoded_text)
​
list = []
​
for i in range(0, len(decoded_text), 10):
    list.append(int(decoded_text[i:i + 10], 2))
​
print(bytes(list).decode())
​
# wh1ch_ag4in_pr0duced_the_3ight_Tr1grams
Crypto
Hex？Hex！
16 进制转字符串即可 LitCTF{tai111coollaaa!}
梦想是红色的
社会主义核心价值观加密/解密 - 一个工具箱 - 好用的在线工具都在这里！
LitCTF{为之则易,不为则难}
家人们！谁懂啊，RSA签到都不会
from Crypto.Util.number import *
# from secret import flag
#
# m = bytes_to_long(flag)
# p = getPrime(512)
# q = getPrime(512)
# c = pow(m,e,n)
# print(f'p = {p}')
# print(f'q = {q}')
# print(f'c = {c}')
# '''
import gmpy2
e = 65537
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
# '''
n = p*q
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))
原来你也玩原神
​
​
YUANLAINIYEWANYUANSHENWWW
(校外)Euler
已知 n c 
m^2 mod n = c 
当e=2 可以认为是低指数，进行低指数加密攻击
n = 115140122725890943990475192890188343698762004010330526468754961357872096040956340092062274481843042907652320664917728267982409212988849109825729150839069369465433531269728824368749655421846730162477193420534803525810831025762500375845466064264837531992986534097821734242082950392892529951104643690838773406549
c = 406480424882876909664869928877322864482740577681292497936198951316587691545267772748204383995815523935005725558478033908575228532559165174398668885819826720515607326399097899572022020453298441
​
i = 0
while 1:
    if(iroot(c+i*n,2)[1]==1):
        print(iroot(c+i*n,2)[0])
        print(i)
        break
    i=i+1
​
​
print(long_to_bytes(637558173724466424603436405558898119893812260428714378729778210205931322986773019220025930769021))
LitCTF{a1a8887793acfc199182a649e905daab}
(校外)md5的破解
list = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
        'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
​
for i in list:
    for j in list:
        for p in list:
            for q in list:
                temp = "LitCTF{md5can%(0)s%(1)s3de%(2)srypt213thoughcr%(3)ssh}" % {'0': i, '1': j, '2': p, '3': q}
                tempp = md5(temp.encode()).hexdigest()
                if tempp == '496603d6953a15846cd7cc476f146771':
                    print(temp)
factordb (中级)
from Crypto.Util.number import *
import gmpy2
e = 65537
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708
​
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
yafu (中级)
import gmpy2
from Crypto.Util.number import *
​
n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537
​
phi = (2151018733 - 1) * (2201440207 - 1) * (2315495107 - 1) * (2585574697 - 1) * (2719600579 - 1) * (2758708999 - 1) * (2767137487 - 1) * (2906576131 - 1) * (2923522073 - 1) * (3354884521 - 1) * (3355651511 - 1) * (3989697563 - 1) * (4021078331 - 1) * (4044505687 - 1) * (4171911923 - 1)
d = gmpy2.invert(e, phi)
​
m = pow(c, d, n)
print(long_to_bytes(m))
(校外)P_Leak
一眼顶针，鉴定为 dp泄露
from gmpy2 import *
from Crypto.Util.number import *
​
e = 65537
n = 50612159190225619689404794427464916374543237300894011803225784470008992781409447214236779975896311093686413491163221778479739252804271270231391599602217675895446538524670610623369953168412236472302812808639218392319634397138871387898452935081756580084070333246950840091192420542761507705395568904875746222477
dp = 5892502924236878675675338970704766304539618343869489297045857272605067962848952532606770917225218534430490745895652561015493032055636004130931491316020329
c = 39257649468514605476432946851710016346016992413796229928386230062780829495844059368939749930876895443279723032641876662714088329296631207594999580050131450251288839714711436117326769029649419789323982613380617840218087161435260837263996287628129307328857086987521821533565738409794866606381789730458247531619
​
for i in range(1, e):
    if (dp * e - 1) % i == 0:
        if n % (((dp * e - 1) // i) + 1) == 0:
            p = ((dp * e - 1) // i) + 1
            q = n // (((dp * e - 1) // i) + 1)
            phi = (q - 1) * (p - 1)
            d = invert(e, phi)
            m = pow(c, d, n)
​
print(long_to_bytes(m))
(校外)e的学问
它不互素，那就让他互素！
import gmpy2
from Crypto.Util.number import *
e=74
p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123
n = p * q
phi = (p-1)*(q-1)
tmp = math.gcd(phi, e)
d = gmpy2.invert(e // tmp, phi)
m = pow(c, d, n)
m = gmpy2.iroot(m, tmp)
print(long_to_bytes(m[0]))
DASCTF Jul.2023
蓝桥杯 2023
Last modified 4mo ago