NSSCTF 2nd WP

发布时间 2023-08-30 00:39:08作者: lmarch2

NSSCTF 2nd WP

MISC

gift_in_qrcode

import qrcode
from PIL import Image
from random import randrange, getrandbits, seed
import os
import base64

# The flag is injected through the environment; a dummy value is used when
# FLAG is unset (e.g. local runs).
flag = os.getenv("FLAG", "flag{test}")

# NOTE(review): the seed is drawn from only 999 possible values and the
# `random` module is a deterministic PRNG that is not meant for secrets.
# Anyone who sees the 20 revealed outputs can replay every candidate seed
# and predict `target`; a secret value should come from `secrets` instead.
secret_seed = randrange(1, 1000)
seed(secret_seed)

# 20 consecutive 8-bit outputs are disclosed (comma separated); the 21st
# output of the same generator is the value the player has to supply.
reveal = ",".join([str(getrandbits(8)) for _ in range(20)])
target = getrandbits(8)

# Render the revealed numbers as a QR code, then trim 35 px from every edge.
img_qrcode = qrcode.make(reveal)
full_width, full_height = img_qrcode.size
img_qrcode = img_qrcode.crop((35, 35, full_width - 35, full_height - 35))

offset, delta, rate = 50, 3, 5

# Downscale both dimensions by `rate` with Lanczos resampling.
shrunk_size = (int(img_qrcode.size[0] / rate), int(img_qrcode.size[1] / rate))
img_qrcode = img_qrcode.resize(shrunk_size, Image.LANCZOS)

# Re-draw the code as a low-contrast RGB image: pixels that are exactly 255
# get channel values in [offset, offset + delta), every other pixel gets
# values in [offset - delta, offset). With the constants above that is
# 50..52 versus 47..49, so the two classes differ by only a few grey levels.
img_out = Image.new("RGB", img_qrcode.size)
out_width, out_height = img_qrcode.size
for y in range(out_height):
    for x in range(out_width):
        if img_qrcode.getpixel((x, y)) == 255:
            low, high = offset, offset + delta
        else:
            low, high = offset - delta, offset
        # Three independent draws, one per colour channel (R, G, B order).
        img_out.putpixel(
            (x, y),
            (randrange(low, high), randrange(low, high), randrange(low, high)),
        )

# Write the image to disk, read it back and hand it to the player as Base64.
img_out.save("qrcode.png")
with open("qrcode.png", "rb") as png_file:
    data = png_file.read()
encoded_png = base64.b64encode(data).decode()
print("This my gift:")
print(encoded_png, "\n")

# NOTE(review): the expected answer is written to the same output stream
# before the prompt, so the check below protects nothing. Looks like a
# leftover debug print; the value being verified must never be echoed.
print(target)

# Plain string comparison between the player's input and the target.
ans = input("What's your answer:")
print(flag if ans == str(target) else "No no no!")

题目所给附件内容如上

分析过后发现,程序在询问答案之前就已经把target打印了出来,直接输入打印出的target即可获得flag

Magic Docker

题目提示执行命令,docker run randark/nssctf-round15-magic-docker

执行过后发现要求输入secret

查看docker文件

发现app目录下的main.py文件为

import click
import random
import sys
import os
from time import sleep

# Click entry point: compares the --secret option with the module-level
# `answer` and prints one of two fixed messages. Neither branch reads or
# prints the flag. (Comments are used instead of a docstring so that the
# generated --help text stays unchanged.)
@click.command()
@click.option('--secret',help='default=none,between 0 and 100',type=int)
def func(secret):
    # Both sides are stringified, so a missing option compares as "None".
    if str(secret) != str(answer):
        print("No! You don't know anything about docker!")
        print("How dare you! ")
        return
    print("Congratulations!")
    print("But where is your flag?  (=‵ω′=)")

# ASCII-art banner ("NSSCTF 2ND" / "MAGIC DOCKER") printed once at startup
# by the __main__ block.
BANNER="""
███╗   ██╗███████╗███████╗ ██████╗████████╗███████╗    ██████╗ ███╗   ██╗██████╗            
████╗  ██║██╔════╝██╔════╝██╔════╝╚══██╔══╝██╔════╝    ╚════██╗████╗  ██║██╔══██╗           
██╔██╗ ██║███████╗███████╗██║        ██║   █████╗       █████╔╝██╔██╗ ██║██║  ██║           
██║╚██╗██║╚════██║╚════██║██║        ██║   ██╔══╝      ██╔═══╝ ██║╚██╗██║██║  ██║           
██║ ╚████║███████║███████║╚██████╗   ██║   ██║         ███████╗██║ ╚████║██████╔╝           
╚═╝  ╚═══╝╚══════╝╚══════╝ ╚═════╝   ╚═╝   ╚═╝         ╚══════╝╚═╝  ╚═══╝╚═════╝            
                                                                                            
███╗   ███╗ █████╗  ██████╗ ██╗ ██████╗    ██████╗  ██████╗  ██████╗██╗  ██╗███████╗██████╗ 
████╗ ████║██╔══██╗██╔════╝ ██║██╔════╝    ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
██╔████╔██║███████║██║  ███╗██║██║         ██║  ██║██║   ██║██║     █████╔╝ █████╗  ██████╔╝
██║╚██╔╝██║██╔══██║██║   ██║██║██║         ██║  ██║██║   ██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
██║ ╚═╝ ██║██║  ██║╚██████╔╝██║╚██████╗    ██████╔╝╚██████╔╝╚██████╗██║  ██╗███████╗██║  ██║
╚═╝     ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═╝ ╚═════╝    ╚═════╝  ╚═════╝  ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝
                                                                                            

"""

if __name__ == "__main__":
    # NOTE(review): /flag is removed only when this script actually runs.
    # The file is still part of the image itself, so this runtime deletion
    # is not a protection; a secret that must stay unreadable should not be
    # baked into the image at all.
    os.system("rm -f /flag")
    print(BANNER)
    # The seed is a constant string, so `answer` is the same on every run.
    random.seed("NSSCTF 2nd")
    answer=random.randint(0,100)
    # Only hand over to the click command when at least one CLI argument
    # was supplied; otherwise just print the hint.
    if len(sys.argv)>=2:
        func()
    else:
        print("You need to give me the secret!")

若按照预设命令启动容器,main.py一运行就会执行rm -f /flag,把容器里的flag文件删除;但flag文件仍然保存在镜像中

所以我们自定义docker启动命令

直接执行cat /flag

image-20230829233059165

gift_in_qrcode(revenge)

连接一下得到一堆Base64编码

先写个脚本解码Base64保存为png

import base64

# Placeholder: replace with the Base64 text printed by the service.
base64_string = "your_base64_string_here"

# Recover the raw bytes and store them as a PNG for a QR reader.
# NOTE(review): the bytes come from a remote service and are written out
# without checking that they really are a PNG.
png_bytes = base64.b64decode(base64_string)
with open("image.png", "wb") as out_file:
    out_file.write(png_bytes)

扫码得到二十个随机数

根据这二十个随机数计算出随机数种子,再计算下一个随机数,输入程序中即可拿到flag

image-20230830001558332

image-20230830001615052

然后最无脑的爆破来了

为什么要爆这么久,早知道我再多爆一会的..

from pwn import *

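# Reconnect in a loop and submit the same fixed answer each time until the
# service stops replying with its rejection message.
# NOTE(review): this only terminates because the answer space is tiny. If the
# target is still an 8-bit value, as in the first challenge's source, each
# attempt has a 1-in-256 chance; the revenge source is not shown on this page.
# A service that must resist this needs a much larger answer space and a
# limit on attempts.
count = 0
while True:
    conn = remote("node5.anna.nssctf.cn", 28380)
    try:
        # Discard everything the service sends before the prompt
        # (presumably the banner line, the Base64 image and the prompt).
        conn.recvline()
        conn.recvline()
        conn.recv()

        conn.sendline(b'110')

        count += 1
        print('count:', count)

        output = conn.recvline().decode()
    finally:
        # The original never closed the connection, leaking one socket per
        # iteration of a loop that can run for a long time.
        conn.close()

    if 'No no no!' not in output:
        print(output)
        break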

image-20230830001858060

Crypto

EzRSA

发现e = 3,属于低加密指数,可以直接爆破

脚本一把梭

import binascii
import gmpy2

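e = 3
# Load the modulus n and the ciphertext c
n = 115383855234466224643769657979808398804254899116842846340552518876890834212233960206021018541117724144757264778086129841154749234706140951832603640953383528482125663673926452745186670807057426128028379664506531814550204605131476026038420737951652389070818761739123318769460392218629003518050621137961009397857

c = 5329266956476837379347536739209778690886367516092584944314921220156032648621405214333809779485753073093853063734538746101929825083615077

# Unpadded RSA with e = 3: m**3 == c + i*n for some i >= 0, so the plaintext
# is an exact integer cube root once the right multiple of n is added back.
# c is far shorter than n here, which suggests m**3 never wrapped modulo n.
# This is why RSA encryption needs randomized padding such as OAEP.
i = 0
while True:
    root, exact = gmpy2.iroot(c + i * n, e)
    if exact:
        m = int(root)
        # int.to_bytes replaces unhexlify(hex(m)[2:].strip("L")), which
        # raises on an odd number of hex digits (e.g. a first byte < 0x10).
        print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
        break
    print("i="+str(i))
    i = i+1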

NSSCTF{Rea1_Si9n3n}

FunnyEncrypt

image-20230830002659009

本来想看看能不能词频分析的,结果发现完全对不到

只好根据已知的nssctf和前面的一堆话里面寻找符合预感的字符与字母对应关系 , 慢慢对应着可以找到的