misc

签到

curl -H "Range: bytes=6291450000-" --output /dev/stdout 

http://das.wetolink.com:8941/6GTest.file flag{51a295f02d6f591b49fb0fa9d9003c9b}

strange number

crypto

easyRSA

先找出e，再穷举flag。

hardRSA

题目脚本：

从题目看也是Coppersmith partial d的情况，只是这里由于$n$由$p、q、r$三个素数组成，因此需要我们重新推导同余方程

已知：$kbits = 540$、$p$、$qr$、$d_0$的值，$d_0 = d \mod 2^{kbits}$

推导如下：

通过上式可以求得所有的$s \mod 2^{kbits}$的值，同时我们知道

联立公式$1 \times q$和公式$2 \times k(p-1)$，可以得到公式

$$ed_0q = q + kq(p-1)(qr-s+1) \tag{3}$$

$$k(p-1)qr = kq(p-1)(s-q) \tag{4}$$

相加得到：

$$ed_0q + k(p-1)qr = q+kq(p-1)(qr-q+1)$$

即：

$$ed_0q + k(p-1)qr-k(p-1)q(qr-q+1) = q \mod 2^{kbits}$$

解上述同余方程，即可得到$q \mod 2^{kbits}$

由于$kbits=540$，而$q$只有$510 bits$，所以解出来的就是可能的$q$的值，再通过$qr % q==0$过滤即可

alicehomework

经典的背包问题，而且density也远远不足0.9408

web

APITest

最近新学了nodejs，什么，我写的 API 有问题？【大部分flag为此形式：flag{可见字符串}或DASCTF{可见字符串}，只需提交花括号内的可见字符串（大小写敏感）；如果flag为其他形式，题目中会单独说明。】

http://183.129.189.60:54800

有个原题 

https://xz.aliyun.com/t/7177#toc-6

第一步改成了 /becomeAdmin 来登录admin

其他步骤基本一致

1.随便登录一个用户

2.POST /becomeAdmin，利用javascript的sort特性得到admin权限

3./updateUser，增加查看secret的权限

4.查看/serverInfo 拿到 secret

5./init 传secret和上面拿到的一样，就拿到了admin的token了

6.用token访问/flag，拿到flag

apereocas

open /cas, getshell and flag in /flag【大部分flag为此形式：flag{可见字符串}或DASCTF{可见字符串}，只需提交花括号内的可见字符串（大小写敏感）；如果flag为其他形式，题目中会单独说明。】

http://183.129.189.60:55001

https://xpro-adl.91ctf.com/userdownload?filename=2007305f227ddc95f2e.war&type=attach&feature=custom

EXP直接打就可以了 https://github.com/langligelang/CAS_EXP

把源码里面的whoami改成其他命令，最后cat /flag

DASCTF{7754cef7ac0cc97ff61262d3c888d482}

pwn

SafeBox

沙箱，open和read，没有write

vmmap在0x10000，可以直接放置"/home/pwn/flag"

open后read，使用cmp比较，等于则使用jz进行死循环，否则ret退出

构造payload不能有'\x00'，可以用一些操作达到，这里我用右移

re

mobile

发现有init 下断点，dump出init以后的方程组

from scipy import linalg
import numpy as np
A = np.array([[13,144,129,36,58,38,53,40,103,125,97,19,68,132,31,148,150,96,118,37,30,143,134,37,96,42,129,84,111,66,13,48],
[127,111,102,17,111,100,120,73,34,144,78,86,133,48,64,141,110,15,10,37,128,119,68,104,137,12,97,29,46,11,116,116],
[131,124,54,57,55,122,74,123,57,44,63,131,81,86,56,92,31,118,98,135,66,115,51,128,102,67,41,40,41,144,53,84],
[105,121,74,132,40,66,62,61,18,103,107,51,133,85,132,137,52,42,69,79,70,147,54,43,50,145,54,69,58,58,47,136],
[74,42,58,65,62,134,53,56,143,74,70,84,33,112,36,61,41,17,93,111,66,85,62,37,133,149,144,41,103,55,16,125],
[132,117,53,57,104,125,10,78,19,34,25,126,134,139,90,22,138,142,56,87,43,116,39,74,105,61,54,48,62,136,87,129],
[68,132,28,102,69,71,36,72,59,114,96,55,71,75,126,76,89,106,116,33,138,143,144,15,65,86,61,79,64,24,62,10],
[99,14,24,141,45,68,25,124,120,108,29,71,38,10,83,63,121,44,30,112,107,85,66,82,56,137,39,34,39,58,116,125],
[45,62,120,103,55,148,56,81,89,99,51,113,80,79,102,41,27,46,62,33,74,70,100,56,37,129,102,112,137,13,48,145],
[52,61,60,47,57,80,111,150,44,78,16,59,131,24,45,106,51,78,146,19,113,105,137,16,47,96,84,33,89,135,60,139],
[60,123,121,10,28,65,43,111,144,118,11,26,37,84,103,12,14,57,126,54,27,116,78,103,128,73,135,107,102,63,98,78],
[60,67,58,48,119,54,78,10,45,46,120,138,67,27,148,61,69,29,34,104,116,55,72,98,88,137,72,86,118,79,29,113],
[67,62,119,70,136,125,47,145,27,80,75,69,40,145,37,37,97,41,114,90,99,87,144,130,66,10,42,43,144,130,71,110],
[112,123,138,117,118,52,64,120,90,140,95,122,22,33,123,29,147,100,133,92,106,39,48,101,30,149,86,117,15,61,28,96],
[76,36,111,139,53,16,93,74,132,24,123,49,91,24,87,40,32,74,130,73,13,135,88,46,105,53,40,49,48,63,15,34],
[131,89,133,145,112,124,81,129,105,78,121,69,10,129,133,27,123,108,117,121,55,122,38,128,136,53,81,29,70,45,127,40],
[134,133,51,63,124,110,47,117,75,34,148,29,112,90,87,83,123,25,20,148,81,38,95,129,117,72,48,33,104,38,21,143],
[114,141,18,75,71,113,120,48,37,59,102,133,120,80,113,49,138,23,78,75,11,141,76,72,17,23,118,61,105,83,66,135],
[113,83,105,92,102,24,58,126,46,23,34,83,89,62,102,69,16,102,103,147,46,28,101,42,20,17,27,11,132,133,119,68],
[65,41,95,41,134,135,135,53,38,131,93,71,82,49,115,48,80,68,50,51,28,90,101,34,24,145,75,146,120,60,93,112],
[24,82,139,150,113,128,36,130,47,32,93,53,122,39,96,19,131,33,42,123,80,113,108,24,73,117,131,81,29,66,20,149],
[28,124,56,35,59,120,96,113,87,111,80,123,134,64,87,87,114,146,123,23,125,55,115,61,36,77,124,105,23,141,110,49],
[112,85,116,86,54,150,85,86,108,86,45,36,87,122,51,54,75,44,104,103,35,128,143,73,69,13,47,38,68,12,122,50],
[65,27,109,105,60,124,90,12,51,61,26,143,140,37,65,13,52,139,77,89,138,114,107,23,141,23,85,74,119,106,90,116],
[20,64,138,52,23,97,52,38,135,65,26,134,135,14,143,32,110,52,50,80,133,66,69,90,78,20,147,28,115,27,93,48],
[81,96,121,62,145,94,10,22,105,23,125,105,42,130,139,85,29,19,38,51,98,139,85,80,106,55,41,42,149,145,12,74],
[18,132,72,121,138,97,104,74,40,81,33,103,113,85,32,29,146,88,27,137,36,126,32,56,37,29,82,89,79,100,87,72],
[90,93,68,87,52,75,138,122,138,84,141,13,59,113,102,119,137,55,27,146,52,18,65,78,44,135,139,88,107,138,116,16],
[44,100,139,101,13,76,68,17,56,74,72,27,102,28,70,108,46,39,34,46,142,17,141,60,52,103,136,70,20,102,147,98],
[55,17,14,33,77,134,147,75,124,60,82,116,26,146,49,110,44,128,54,147,107,58,66,143,24,90,22,92,139,73,141,129],
[134,84,27,62,46,34,58,144,43,136,107,11,82,95,24,117,57,113,73,44,91,141,44,60,128,142,96,57,127,60,74,54],
[138,119,118,61,130,146,11,65,92,82,60,114,54,139,148,84,110,141,142,84,21,70,54,120,48,93,104,98,39,103,29,104]])  # A代表系数矩阵
y = np.array([0x384E9, 0x3AFD0, 0x398A1, 0x3B564, 0x34B76, 0x3C62C, 0x37432, 0x32D5D,0x38F35, 0x353F9, 0x357BC, 0x36AD4, 0x3B78A, 0x41D2D, 0x2F302, 0x43F88,0x3D180, 0x3C9E2, 0x330D3, 0x3DBB3, 0x3D102, 0x3FA50, 0x3859F, 0x396B7,0x336FD, 0x35B83, 0x39701, 0x402F4, 0x36160, 0x3C29B, 0x373F5, 0x43A68])
x = linalg.solve(A, y)
print(x)   
flag = [102, 108, 97, 103, 123, 119, 101, 49, 49, 95, 121, 48, 117, 95,
 102, 48, 117, 110, 100, 95, 49, 55, 95, 99, 48, 110, 103, 114,
 52, 55, 122, 125]
flag = ""
for i in range(len(flag)):
    flag += chr(flag1[i])
print(flag)

相关实验：CTF实验室