
2025 PolarCTF Spring Competition

Preface

Written in passing on the way to Nanjing.

Challenges

crypto

RSA1-2

task

import os
from Crypto.Util.number import *
from typing import Union
from flag import flag

bits = 512


def polar(msg: Union[bytes, bytearray], length: int) -> bytes:
    assert length > len(msg), "指定的长度必须大于原始消息长度加 1。"
    return bytes(msg) + b'\x00' + os.urandom(length - len(msg) - 1)


def unpolar(msg: Union[bytes, bytearray]) -> bytes:
    msg = bytes(msg)
    assert b'\x00' in msg, "输入的字节串中不包含分隔符。"
    return msg.split(b'\x00')[0]


def getflag1(m):
    result = []
    for i in range(2):
        result.append(getPrime(bits))
    p, q = result
    if p <= q:
        p, q = q, p
    e = 0x10001
    n = p * q
    c = pow(m, e, n)
    hint = pow(2024 * p + 2025, q, n)
    print('---------- getflag 1 ----------')
    print(f'{c = }')
    print(f'{n = }')
    print(f'{hint = }')


def getflag2(m):
    result = []
    for i in range(2):
        result.append(getPrime(bits))
    p, q = result
    n = p * q
    hint1 = pow(m, p, n)
    hint2 = pow(m, q, n)
    print('---------- getflag 2 ----------')
    print(f'{hint1 = }')
    print(f'{hint2 = }')
    print(f'{n = }')



def getflag3(m):
    result = []
    for i in range(2):
        result.append(getPrime(bits))
    p, q = result
    e = 0x10001
    n = p * q
    g = 20242025
    hint = pow(g + p * 1111, e, n)
    c = pow(m, e, n)
    print('---------- getflag 3 ----------')
    print(f'{c = }')
    print(f'{n = }')
    print(f'{hint = }')


assert len(flag) == 42
mm = []
for i in range(0, 42, 14):
    mm.append(bytes_to_long(polar(flag[i:i + 14], bits // 4 - 1)))

m1, m2, m3 = mm
getflag1(m1)
getflag2(m2)
getflag3(m3)

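Three very classic number-theory problems stacked together. The padding appended to the message makes no real difference, so you can just solve them directly. If you want the detailed derivations, you can wait for me to write them up next week (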

Hgctf2025

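Preface

A fairly high-quality beginner competition that turned into a veterans' brawl (). Only part of the write-up is covered here.

crypto challenges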

baby_factor

task

from Crypto.Util.number import *
def create():
    pl  = []
    for i in range(3):
        pl.append(getPrime(1024))
    return sorted(pl)
pl = create()
m=b'NSSCTF{xxx}'
p,q,r = pl[0],pl[1],pl[2]
e = 65537
n = p*q*r
phi = (p-1)*(q-1)*(r-1)
c=pow(bytes_to_long(m),e,n)
print(f'n={n}')
print(f'phi={phi}')
print(f'c={c}')

This seems to be a problem with the challenge author's data.

exp

ApoorvCTF 2025

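Preface

I only solved two challenges during the competition, so here I follow an expert's write-up to reproduce the solutions.

Challenges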

Genjutsu_Labyrinth

task

from sympy import primerange
import random
from collections import deque

def generate(size):
    grid = [[random.randint(0, 9) for col in range(size)] for row in range(size)]
    grid[0][0] = 0
    return grid

def encrypt(n, a, b, mod=101):
    return (a * n + b) % mod

def build_encrypted_grid(grid, a, b, mod=101):
    size = 10
    encry_grid = []
    for y in range(size):
        row = []
        for x in range(size):
            enc_val = encrypt(grid[y][x], a, b, mod)
            row.append(str(enc_val).zfill(2))
        encry_grid.append(row)
    return encry_grid

def optimize(grid):
    #hidden
    pass

grid = generate(10)
a = random.choice(list(primerange(2, 12)))
b = random.choice(range(101))
encry_grid = build_encrypted_grid(grid, a, b, mod=101)

#nc chals1.apoorvctf.xyz 4002

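generate builds an ordinary 10*10 maze in which every cell is a digit 0-9 and the starting cell is 0.
encrypt is an ordinary linear congruential encryption.
optimize is not useful.
build_encrypted_grid produces the matrix with every number encrypted and outputs the values as strings, e.g. 5 -> 05.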
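As an added example (not from the original post or the challenge author): because grid[0][0] is fixed to 0, the first ciphertext cell equals b, and a is one of only five primes, so the key can be recovered from the encrypted grid alone. The helper names `sample_grid`, `encrypt_grid`, `recover_keys` and `decrypt_grid` are hypothetical, and the grid and key a=7, b=42 are constructed.

```python
MOD = 101
CANDIDATE_A = (2, 3, 5, 7, 11)   # list(primerange(2, 12)) in the task script


def encrypt(n, a, b, mod=MOD):
    # Same affine map as the task's encrypt().
    return (a * n + b) % mod


def recover_keys(enc_grid):
    """Return every (a, b) consistent with the ciphertext grid."""
    # grid[0][0] is forced to 0, so its ciphertext is (a*0 + b) % 101 == b.
    b = int(enc_grid[0][0])
    keys = []
    for a in CANDIDATE_A:
        inv = pow(a, -1, MOD)      # modular inverse, Python 3.8+
        # A correct key maps every cell back into the digit range 0..9.
        if all((int(c) - b) * inv % MOD <= 9 for row in enc_grid for c in row):
            keys.append((a, b))
    # More than one key survives only for degenerate grids, e.g. one that
    # contains nothing but the digits 0, 3, 6 and 9.
    return keys


def decrypt_grid(enc_grid, a, b):
    inv = pow(a, -1, MOD)
    return [[(int(c) - b) * inv % MOD for c in row] for row in enc_grid]


def sample_grid(size=10):
    # Constructed stand-in for generate(): digits 0..9 with grid[0][0] == 0.
    return [[(3 * y + 7 * x) % 10 for x in range(size)] for y in range(size)]


def encrypt_grid(grid, a, b):
    # Same output format as build_encrypted_grid(): zero-padded strings.
    return [[str(encrypt(v, a, b)).zfill(2) for v in row] for row in grid]


if __name__ == "__main__":
    plain = sample_grid()
    enc = encrypt_grid(plain, a=7, b=42)      # constructed key
    keys = recover_keys(enc)
    print("candidate keys:", keys)
    print("round trip ok:", decrypt_grid(enc, *keys[0]) == plain)
```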

HMV JO2024

JO2024

Machine link

https://hackmyvm.eu/machines/machine.php?vm=JO2024

Routine scan

┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:1c:42:fd:ba:b5, IPv4: 192.168.31.187
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
192.168.31.106  08:00:27:91:df:4a       (Unknown)
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.841 seconds (139.05 hosts/sec). 4 responded
                                                                             
┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ nmap -sC -sV 192.168.31.106 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-07 16:22 CST
Nmap scan report for 192.168.31.106 
Host is up (0.0039s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-title: Paris 2024 Olympic Games
|_http-server-header: Apache/2.4.61 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
                                                                

The web page doesn't reveal anything dangerous, so lightly brute-force the directories.

HMV Smol

Smol

Machine link

https://hackmyvm.eu/machines/machine.php?vm=Smol

Routine scan

┌──(parallels㉿kali-linux-2024-2)-[~]
└─$ nmap -sC -sV 192.168.31.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-06 20:18 CST
Nmap scan report for 192.168.31.25
Host is up (0.0023s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://www.smol.hmv
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.60 seconds

Set up the redirect; at the very bottom of the page there is "Proudly powered by WordPress | PopularFX Theme". Time to launch wpscan!

HMV publisher

publisher

Machine link

https://hackmyvm.eu/machines/machine.php?vm=Publisher

Routine scan

The IP given is . . . 8

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC -T4 -Pn -p- 192.168.31.8  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 20:46 HKT
Nmap scan report for 192.168.31.8
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Publisher's Pulse: SPIP Insights & Tips
MAC Address: 08:00:27:E4:F1:F5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.56 seconds

Neither dirb nor dirsearch turned up anything, so try gobuster instead.