The 11th Geek's Challenge Writeup


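I had some free time recently and played the Geek's Challenge (极客大挑战). Some of the challenges were quite good, so here is a collection of writeups, mainly web and misc. I did not write up the especially simple ones.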

Misc

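Flying Liu Zhuang (飞翔的刘壮)

The challenge provides an APK file. First, decompile it with Apktool Box.

Decompiling produces a folder, and a quick look through it shows that the app uses the Unity3D engine.

A decompiled Unity3D app contains a file called Assembly-CSharp.dll, which is where the program's main code lives. Locate it.

Then open it with dnSpy or another decompiler to see the source, and find the key part that generates the flag.

The logic is very simple: add 1 to the ASCII code of each character in the character array from that code. A Python script does it: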

flag1 = ['R','X','B','z','e','k','3','o','o','x','a','0','q','c','^','0','r','^','r','/','^','h','m','s','d','q','2','s','h','m','8',' ','|']
flag = ""
for i in flag1:
    flag += chr(ord(i)+1)
print(flag)

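That gives the flag. (PS: is this really re or misc?)

Gypsy Bard (吉普赛的歌姬)

The challenge gives a QQ number, so search for it.

Nothing in the profile looks odd, so look at the Qzone (QQ空间) next.

There are only two recent Qzone posts. They mention something called DJ南方 that is related to Tieba, so search there.

There is a user called DJ南方. Click through to see their posts.

One post mentions the Gypsy Bard from the challenge title, so check NetEase Cloud Music next.

Among the NetEase Cloud Music radio programs there is an episode called Gypsy Bard, i.e. 吉普赛歌姬, and its comments include this one:

[Screenshot of the comment]

Finally, the alt account's Qzone turns out to contain a locked album that needs a password. The alt account is named 金秋雨 (Jin Qiuyu), with a birthday of February 6 and an age of 20, which suggests the password jqy20000206. That gives the flag.

This challenge was quite interesting and gave everyone a taste of social engineering. Thumbs up~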

Crypto

childRSA

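The challenge contains three (n, c) pairs and e is very small, so I immediately guessed a low-exponent broadcast attack (Håstad's broadcast attack). The same message m is encrypted with e = 3 under three pairwise coprime moduli, so the Chinese Remainder Theorem gives m^3 modulo n1*n2*n3, and because m^3 is smaller than that product, an ordinary integer cube root recovers m.

The exploit script: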

import binascii,gmpy2

n =  [
0xe096219878f492bcdb2a2d03995521e7a65125733bae18e7d0005e35343fea3653698de60231d29b2d1b44a0b4ffd3183855b9042275f769e1702fa8843062df0938821db0258af40ab3cda8e54eb6ac826d545df91dfe76266cb01b1d6fad39e6ef13ce730c1c2395136b0bbdf22c6b0daba63701d71c6ae70d4e06935b9941,
0xa36b15a395edf3e99927f658e22d5f4aefd83434972c96cca5242a1aaa517ad83739451269723092dd9e73c00682dd3bbd74a985546def88196119b6d57b397283bc7b8b6029916df84284bec1725f6e5d3d29042af685c508a58ab6fb4e5bfeb326ae49330e3f4426abc1860ca4412feb976ee571075a47b854c9a6f5f0ebff,
0x9d4732db2539d1166dc6865670be11951bf49295bc8c472f34682a0fb7f2b3ba96dcfa1945c2e4685dfeae5255abe2ab3b7fb2282971bb16ce02d14082f71755e8a65c956e114336914a409a9f1158fb362a92c4e169fa3c460ea26fb5c6693447b14f1c3156a2d9308dd993d7ea708a00ad149fb77109d8a5f77de1703ba249
]
c =  [
0xff24bddc5a7b327535af92dba58c5d62a22d542e6ba1df6f91c98c7563d8e48e770fb623bfcc2f09ed49788293306ff709670b225da32ea134422d5e403b11c39ef6b144f96b2fe94b3aa136432ecea86a4069a4cb0b4d8570edb3fb5bb2cf0693184ef0c589887b012ebe6ea94e854a71a7eb768133d15e784e388976877db,
0x895f8283e2200bab1bf938ce3b5e42147b53a5178e436ea0b64a2380ba99776d5ba8046ef722858b20d9650ee68c09e905030f1634e0b32397b7b12236a5a301e5923a294ef1bdf16458f4fc8677370ce2ce3d0fd957da7466e5b104191d454455917147f3187b758c1c468db1b35514391e5b36bd1ac39e91bbb24fdbc07872,
0x3bead3d6760bff4de22562978d4722bb21ee4792ebdb32703b6df9ff5176e033e97ad8fc81467f4b3df7bd4e8bcae09462f3eca93a3da1cd9d7e8de3e464471fdd0b70112c1c738b0daa2a37a65331eaa8954b81b410f62a0280da32eb3e305782d5f774d814ca0adb13344687387cf72657dc21724bcf69da810d7635b99467
]
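from functools import reduce  # reduce is no longer a builtin in Python 3

def CRT(mi, ai):
    # Combine the congruences x = ai (mod mi) into one value modulo the product of the mi
    assert (isinstance(mi, list) and isinstance(ai, list))
    assert(reduce(gmpy2.gcd,mi)==1)
    M = reduce(lambda x, y: x * y, mi)
    # Integer division (//) keeps the big integers exact; "/" would yield a float in Python 3
    ai_ti_Mi = [a * (M // m) * gmpy2.invert(M // m, m) for (m, a) in zip(mi, ai)]
    return reduce(lambda x, y: x + y, ai_ti_Mi) % M
e=3
# m^3 is smaller than n1*n2*n3, so the CRT result is m^3 itself and its cube root is m
m=int(gmpy2.iroot(CRT(n, c), e)[0])
h = "%x" % m
# Pad to an even number of hex digits so unhexlify accepts it
print(binascii.unhexlify(h.zfill(len(h) + len(h) % 2)))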

Simple calculation

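The challenge gives an image and asks us to compute S0-S5.

The challenge also gives a hint: the system of linear congruences can be solved with the Chinese Remainder Theorem.

My math is not good enough for that, so I just brute-forced it, lol.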

dict1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
for s1 in range(0,26):
    for s2 in range(0,26):
        for s3 in range(0,26):
            for s4 in range(0,26):
                for s5 in range(0,26):
                    a1 = s1+s2+s3+s4+s5
                    a2 = s1+s2+s3+3*s4+5*s5
                    a3 = s1+2*s2+2*s3+3*s4+3*s5
                    a4 = s1+2*s2+5*s3+3*s4+s5
                    a5 = s1+2*s2+s3+2*s4+s5
                    if((a1%26 == 3) and (a2%26 == 7) and (a3%26 == 1) and (a4%26 == 1) and (a5%26 == 20)):
                        print(dict1[s1],dict1[s2],dict1[s3],dict1[s4],dict1[s5])

This gives the flag: SYC{TESNB}
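
The approach the hint points to, as an added example that is not part of the original post: since 26 = 2 × 13, solve the system from the brute-force script modulo 13 by Gauss-Jordan elimination, enumerate its solutions modulo 2, and recombine them with the CRT. The function names are chosen for this example. The coefficient matrix has determinant -4, so it is singular modulo 2 and the system has two solutions modulo 26, one of which is the flag above.

```python
from itertools import product

# Coefficients and right-hand sides copied from the brute-force script above.
A = [[1, 1, 1, 1, 1],
     [1, 1, 1, 3, 5],
     [1, 2, 2, 3, 3],
     [1, 2, 5, 3, 1],
     [1, 2, 1, 2, 1]]
B = [3, 7, 1, 1, 20]
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def solve_mod_prime(a, b, p):
    """Gauss-Jordan elimination modulo a prime p; assumes the solution is unique."""
    n = len(a)
    m = [[v % p for v in row] + [rhs % p] for row, rhs in zip(a, b)]
    for col in range(n):
        # Pick a row with a non-zero entry in this column and move it into place.
        pivot = next(r for r in range(col, n) if m[r][col])
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, p)          # modular inverse (Python 3.8+)
        m[col] = [v * inv % p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % p for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]

def satisfies(x, mod):
    """True if x solves every congruence of the system modulo mod."""
    return all(sum(c * v for c, v in zip(row, x)) % mod == rhs % mod
               for row, rhs in zip(A, B))

def solve_mod_26():
    r13 = solve_mod_prime(A, B, 13)            # unique: -4 is invertible mod 13
    # Singular mod 2, so enumerate the 2^5 parity vectors instead of eliminating.
    sols2 = [x for x in product((0, 1), repeat=5) if satisfies(x, 2)]
    words = []
    for r2 in sols2:
        # CRT for moduli 13 and 2: add 13 whenever the parity has to flip.
        x = [a + 13 * ((b - a) % 2) for a, b in zip(r13, r2)]
        assert satisfies(x, 26)
        words.append("".join(ALPHABET[v] for v in x))
    return sorted(words)

if __name__ == "__main__":
    print(solve_mod_26())
```

This checks 32 parity vectors instead of the 26^5 candidates of the brute-force loop.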


Author: Peco
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Peco when reposting!