Harvey

HGAME 2021 WEEK2

2021-02-14

0X1Misc

1.Tools

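To do a good job, one must first sharpen one's tools.

Attachment (extraction code: glal)

The attachment's file name makes it obvious that this is F5 steganography.
Checking the file properties first gives its password: !LyJJ9bi&M7E72*JyD, which in turn yields the archive password: e@317S*p1A4bIYIs1M

Yet another layer of encryption...
The approach is the same, except this time it is steghide steganography, which gives the archive password: u0!FO4JUhl5!L55%$&

Wow! A classic set of nesting dolls.
This time it is Outguess steganography; the same approach gives the archive password: @UjXL93044V5zl2ZKI

Finally the last layer of encryption: JPHS steganography gives the archive password: xSRejK1^Z1Cp9M!z@H

Finally, piece the four parts together into one complete QR code and scan it to get the flag: hgame{Taowa_is_N0T_g00d_but_T001s_is_Useful}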

2.Telegraph:1601 6639 3459 3134 0892

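The piece written by the composer he once loved most makes one feel as if strolling under a starry sky, yet now hearing it only makes him feel sick. Because the file name is too long, the attachment's md5 is given separately: E5C3EE3F441B860B07A3ADCD98BFFC00
Please submit the flag in the form hgame{your_flag_here}; the flag is all uppercase.

Attachment (extraction code: e397)

On playback, one section is clearly mixed with Morse code.

Transcribed, it reads as follows: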

-.-- --- ..- .-. ..-. .-.. .- --. .. ... ---... ....- --. ----- ----- -.. ... ----- -. --. -... ..- - -. ----- - ....- --. ----- ----- -.. -- .- -. ----- ...-- ----. ...-- .---- ----- -.- ..

Decoding the Morse code gives the flag: hgame{4G00DS0NGBUTN0T4G00DMAN039310KI}

yourflagis:4g00ds0ngbutn0t4g00dman039310ki

3.Hallucigenia

"We not only got its top and bottom wrong, we also reversed its left and right."

LSB analysis reveals a QR code.

Scanning the code gives a string (just kidding), as follows:

gmBCrkRORUkAAAAA+jrgsWajaq0BeC3IQhCEIQhCKZw1MxTzSlNKnmJpivW9IHVPrTjvkkuI3sP7bWAEdIHWCbDsGsRkZ9IUJC9AhfZFbpqrmZBtI+ZvptWC/KCPrL0gFeRPOcI2WyqjndfUWlNj+dgWpe1qSTEcdurXzMRAc5EihsEflmIN8RzuguWq61JWRQpSI51/KHHT/6/ztPZJ33SSKbieTa1C5koONbLcf9aYmsVh7RW6p3SpASnUSb3JuSvpUBKxscbyBjiOpOTq8jcdRsx5/IndXw3VgJV6iO1+6jl4gjVpWouViO6ih9ZmybSPkhaqyNUxVXpV5cYU+Xx5sQTfKystDLipmqaMhxIcgvplLqF/LWZzIS5PvwbqOvrSlNHVEYchCEIQISICSZJijwu50rRQHDyUpaF0y///p6FEDCCDFsuW7YFoVEFEST0BAACLgLOrAAAAAggUAAAAtAAAAFJESEkNAAAAChoKDUdOUIk=

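Running a script shows that it is not a text string but the binary data of a PNG file.

Script:

from base64 import b64decode

# Decode the base64 text from the QR code into raw bytes
with open('flag.txt', 'rb') as src, open('flag', 'wb') as dst:
    dst.write(b64decode(src.read()))

So use a script to reverse the bytes and obtain the PNG image.

Script:

from base64 import b64decode

# Decode, then reverse the byte order to restore a valid PNG
with open('flag.txt', 'rb') as src, open('flag.png', 'wb') as dst:
    dst.write(b64decode(src.read())[::-1])

Looking closely, the image read in reverse is the flag: hgame{tenchi_souzou_dezain_bu}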
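The byte-order check behind the two scripts above, as an added example that is not part of the original write-up: it decodes a base64 blob, tries it as-is and byte-reversed, and accepts whichever orientation has the PNG signature and valid chunk CRCs. The 1x1 sample image and all function names are constructed for the demonstration.

```python
import base64, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png():
    """Constructed 1x1 grayscale PNG used as test input (not the challenge image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def png_chunks_ok(data):
    """True if data is a PNG whose every chunk CRC verifies and that ends at IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False

def recover_png(b64_text):
    """Decode base64 and return (orientation, png_bytes), trying both byte orders."""
    raw = base64.b64decode(b64_text)
    for name, candidate in (("as-is", raw), ("reversed", raw[::-1])):
        if png_chunks_ok(candidate):
            return name, candidate
    raise ValueError("no valid PNG in either byte order")

if __name__ == "__main__":
    blob = base64.b64encode(make_sample_png()[::-1])  # mimic a byte-reversed blob
    print(recover_png(blob)[0])
```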

4.DNS

A significant invention.

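Attachment (extraction code: 6af6)

Among the DNS traffic there is a domain name: flag.hgame2021.cf

Visiting it and viewing the page source reveals the key hint: SPF

What is SPF? (A quick Baidu search answers that)
https://www.altn.com.cn/5728.html

Finally, querying its TXT record with nslookup gives the flag: hgame{D0main_N4me_5ystem}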

Windows cmd query commands:

nslookup
set q=txt
flag.hgame2021.cf

Linux (Kali) query command:

Since I am using Kali 2020, I need to switch to root first and then run the following command
dig -t txt flag.hgame2021.cf

0X2Web

1.LazyDogR4U

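Lazy dog R4u hid the flag, but because he is a lazy dog, the flag is hidden very insecurely.
Challenge Address
http://ecdaa2e20e.lazy.r4u.top

Download the source code from www.zip.
Audit flag.php: it includes lazy.php, and the flag is returned once $_SESSION['username'] === 'admin' holds.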

<?php
session_start();

require_once 'lazy.php';


if(!isset($_SESSION['username'])){
    die('您配吗?');
}
?>


<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
    <link rel="stylesheet" href="static/style.css">
</head>

<body>
<form class="box" action="" method="post">
    <?php

    if($_SESSION['username'] === 'admin'){
        echo "<h3 style='color: white'>admin将于今日获取自己忠实的flag</h3>";
        echo "<h3 style='color: white'>$flag</h3>";
    }else{
        if($submit == "getflag"){
            echo "<h3 style='color: white'>{$_SESSION['username']}接近了问题的终点</h3>";
        }else{
            echo "<h3 style='color: white'>篡位者占领了神圣的页面</h3>";
        }
    }
        ?>
    <input type="submit" name="submit" value="getflag">
</form>
</body>

</html>

Next, audit lazy.php: it registers every variable passed in through $_GET and $_POST as an ordinary variable, which allows variable overwriting.

<?php
$filter = ["SESSION", "SEVER", "COOKIE", "GLOBALS"];

// Register all variables directly, so I can type less, woohoo~

foreach(array('_GET','_POST') as $_request){
    foreach ($$_request as $_k => $_v){
        foreach ($filter as $youBadBad){
            $_k = str_replace($youBadBad, '', $_k);
        }
        ${$_k} = $_v;
    }
}


// Autoload classes, so I can type less here too, woohoo~
function auto($class_name){
    require_once $class_name . ".php";
}
spl_autoload_register('auto');

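So construct the global variable _SESSION[username]. The filter removes each blocked word only once, so a key with SESSION nested inside itself collapses back into _SESSION after the strip.

payload:
flag.php?_SESSESSIONSION[username]=admin

This finally gives the flag: hgame{r4u~i5_@_l@zY-D0G}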
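A Python model of the lazy.php filter and of a hardened alternative, as an added example that is not part of the original write-up or the challenge source: it shows why a single strip pass rebuilds the blocked name, and what an allowlist does with the same request. The function names, the "guest" session state and the assumption that "submit" is the only field the page needs are constructed for the demonstration.

```python
FILTER = ["SESSION", "SEVER", "COOKIE", "GLOBALS"]  # word list copied from lazy.php
ALLOWED = {"submit"}  # assumption: the only request field flag.php reads

def lazy_strip(key):
    """Model of lazy.php's filter: one str_replace pass per word, in list order."""
    for word in FILTER:
        key = key.replace(word, "")
    return key

def register_all(params, scope):
    """Model of `${$_k} = $_v`: each filtered request key becomes a variable."""
    for key, value in params.items():
        scope[lazy_strip(key)] = value
    return scope

def session_user_after(params):
    """Username the page would see after lazy.php processed the request."""
    scope = {"_SESSION": {"username": "guest"}}  # constructed session state
    return register_all(params, scope)["_SESSION"]["username"]

def safe_params(params):
    """Hardened form: keep request data in its own dict, allowlisted keys only."""
    return {k: v for k, v in params.items() if k in ALLOWED and isinstance(v, str)}

if __name__ == "__main__":
    # PHP parses `_SESSESSIONSION[username]=admin` into a nested array like this
    crafted = {"_SESSESSIONSION": {"username": "admin"}}
    print(lazy_strip("_SESSESSIONSION"))  # the strip rebuilds the blocked name
    print(session_user_after(crafted))
    print(session_user_after({"_SESSION": {"username": "admin"}}))
    print(safe_params(crafted), safe_params({"submit": "getflag"}))
```

Stripping until the key stops changing would still leave request data writing into the variable scope; keeping it in a separate, allowlisted dict removes the overwrite path entirely.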

2.Post to zuckonit

d1gg12 has just learned HTML; let's take a look at the online blog he wrote!
Challenge Address
http://zuckonit.0727.site:7654

XSS

3.200OK!!

Have you had PTSD today?
Challenge Address
https://200ok.liki.link

SQL injection

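4.Liki's birthday present

Liki's birthday is coming up and she wants a Switch; can you help her?
Challenge Address
https://birthday.liki.link

What it tests: a race condition. Capture the coupon-exchange request and resend it repeatedly from multiple threads.

After logging in, you can see that buying just 52 coupons is enough to get the flag.

Open Burp and capture the request.

Send it to Intruder, select Null payloads and generate 100 payloads.

Select 10 processes for concurrent execution.

Start Attack

After refreshing the page, redeem to get the flag: hgame{L0ck_1s_TH3_S0lllut!on!!!}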
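A model of the server-side flaw this challenge tests and of the fix its flag names, as an added example that is not part of the original write-up or the challenge's code: a check-then-debit purchase without a lock beside the same purchase under a lock. The Shop class, the balance and price, and the barrier that forces the worst-case interleaving are constructed assumptions.

```python
import threading

class Shop:
    """Constructed model of a coupon shop: one balance, fixed coupon price."""
    def __init__(self, balance, price):
        self.balance, self.price = balance, price
        self._lock = threading.Lock()

    def buy_racy(self, gate):
        # Check-then-act with a gap; gate.wait() stands in for request/DB latency
        seen = self.balance
        if seen < self.price:
            return False
        gate.wait()                        # every concurrent request passed the check
        self.balance = seen - self.price   # lost update: all write the same value
        return True

    def buy_locked(self):
        # Check and debit happen as one atomic step under the lock
        with self._lock:
            if self.balance < self.price:
                return False
            self.balance -= self.price
            return True

def run_concurrent(n, target):
    """Issue n simultaneous purchases; return how many were granted."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(target()))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def demo(n=10, balance=40, price=40):
    """Return (racy grants, racy balance, locked grants, locked balance)."""
    racy, gate = Shop(balance, price), threading.Barrier(n)
    racy_ok = run_concurrent(n, lambda: racy.buy_racy(gate))
    safe = Shop(balance, price)
    safe_ok = run_concurrent(n, safe.buy_locked)
    return racy_ok, racy.balance, safe_ok, safe.balance

if __name__ == "__main__":
    print(demo())
```

In a real service the same atomicity usually comes from the database, for example a conditional update or a row lock inside one transaction, rather than from an in-process lock.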

0X3Crypto

1.signin

Sign-in challenge 233
Challenge Address https://mod.liki.link

from libnum import *
from Crypto.Util import number

from secret import FLAG

m = s2n(FLAG)
a = number.getPrime(1024)
p = number.getPrime(1024)

c = a ** p * m % p

print("a = {}".format(a))
print("p = {}".format(p))
print("c = {}".format(c))
# a = 139797327006915116125126834708569781257905890889214772754132967944560239477559427234818170821905966089190947970216980685309703521750454649892247689054657607174600902412798917747263330185879424486123329896583384878012975296270715665441346026354817476240516457708613238092696963533041009088500592879662166253257
# p = 151730388933509920208398125559765127290441122573229308376450817125256445382422908158672019884194306096919838130907844546729851309788163360015419981802510147036452621347724746013834845831207220493241621927858819016342531775639148674368365993683788605987857873546489688725060327903851376240619248166306123462663
# c = 88732386468504387282857878979411728549526363384046769757050721891386416926099771636774309722073926162140997385022007310495636448572530441526048408400076676269906889357399751593581177111658275917266905263737388647978425632263036544709572767498549738915832567940145078140586586992388462314474394590770638444139

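m = c ⋅ a^(−1) mod p => flag: hgame{M0du1@r_m4th+1s^th3~ba5is-Of=cRypt0!!}

Fermat's little theorem: if p is prime and the integer a is not a multiple of p, then a^(p-1) ≡ 1 (mod p). Hence a^p ≡ a (mod p), so c ≡ a ⋅ m (mod p), which gives the formula above.

Script: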

from libnum import *
import gmpy2

a = gmpy2.mpz(164082656705280243691125701366387366083595671395343593709662689631005563420712514013315976102671561607316385961761351750099262566476484522886282723886520916918141054995957297228003062477122757133630754605589171370142255727815498152265374544695303477525391985791134432904658602561841437101787689055904235722543)
p = gmpy2.mpz(119737975692964086468800522901334964831462403986044100108042760900964357796378935817727112428450685227062069911631189059668095468384251497619994295762904825142670700856495550090451162130895038569427260669297398177894831568054918372123884561767488134043298231005288709340276215664659982597587377569232740821383) 
c = gmpy2.mpz(61634913046503959178216377910203847308428571260648767327608998821120378164975042475439460895394673980137101460250286330274948376187417345460266021486815411513611233649751971142112272707408612929020818762110963149534344745362620646443064201836579453768233731326328543553543287448234680170625258920657056312732)
# a^p ≡ a (mod p) by Fermat's little theorem, so m = c * a^(-1) mod p
x = gmpy2.invert(a, p)
m = c * x % p

print(m)
print(n2s(int(m)))

2.gcd or more?

GCD...?
Challenge Address https://more.liki.link

from libnum import *
from secret import FLAG

p = 85228565021128901853314934583129083441989045225022541298550570449389839609019
q = 111614714641364911312915294479850549131835378046002423977989457843071188836271
n = p * q

cipher = pow(s2n(FLAG), 2, n)
print(cipher)
# 7665003682830666456193894491015989641647854826647177873141984107202099081475984827806007287830472899616818080907276606744467453445908923054975393623509539

This is Rabin; running the script gives the flag: hgame{3xgCd~i5_re4l1y+e@sy^r1ght?}

Script:

import gmpy2
import libnum

c = 7665003682830666456193894491015989641647854826647177873141984107202099081475984827806007287830472899616818080907276606744467453445908923054975393623509539
p = 85228565021128901853314934583129083441989045225022541298550570449389839609019
q = 111614714641364911312915294479850549131835378046002423977989457843071188836271

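def rabin_decrypt(c, p, q, e=2):
    # Requires p ≡ q ≡ 3 (mod 4), so that c^((p+1)/4) is a square root of c mod p
    n = p * q
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)
    # CRT coefficients from the modular inverses (extended gcd)
    yp = gmpy2.invert(p, q)
    yq = gmpy2.invert(q, p)
    r = (yp * p * mq + yq * q * mp) % n
    rr = n - r
    s = (yp * p * mq - yq * q * mp) % n
    ss = n - s
    return (r, rr, s, ss)

m = rabin_decrypt(c, p, q)

# Print all four square roots; the one that decodes to readable text is the flag
for root in m:
    print(libnum.n2s(int(root)))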

3.WhitegiveRSA

N = 882564595536224140639625987659416029426239230804614613279163
e = 65537
c = 747831491353896780365654517748216624798517769637260742155527
Challenge Address https://www.baidu.com

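This should count as an introductory RSA challenge.
First factor N to obtain p and q (① factor n with yafu: open yafu on the command line and enter factor(n); ② an online site)

Then run the script to get the flag: hgame{w0w~yOU_kNoW+R5@!}

Script: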

from Crypto.Util.number import *
import gmpy2

p = 857504083339712752489993810777
q = 1029224947942998075080348647219
e = 65537
c = 747831491353896780365654517748216624798517769637260742155527
n = p * q
# Private exponent: inverse of e modulo phi(n) = (p-1)*(q-1)
d = int(gmpy2.invert(e, (p - 1) * (q - 1)))
m = pow(c, d, n)

print(long_to_bytes(m))

4.The Password

Hint
Challenge Address https://1.oss.hgame2021.vidar.club/thepassword.html

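The Password
Tinmix went to play an escape room with friends, but because of an unexpected situation Tinmix got locked in one of the rooms and started feeling around. Under the dim light, Tinmix found a large disc in the room that had been manually divided into 7 small discs. Because Tinmix had not paid attention at first, every disc had already been rotated, but Tinmix remembered the rotation process and the results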
$$
y_1=x_1⊕n_1⊕(x_1⋙7)⊕(x_1⋘3) \\
   y_2=x_2⊕n_2⊕(x_2⋙4)⊕(x_2⋘9) \\
   y_3=x_3⊕n_3⊕(x_3⋙2)⊕(x_3⋘5) \\
   y_4=x_4⊕n_4⊕(x_4⋙6)⊕(x_4⋘13) \\
   y_5=x_5⊕n_5⊕(x_5⋙8)⊕(x_5⋙16) \\
   y_6=x_6⊕n_6⊕(x_6⋙5)⊕(x_6⋘7) \\
   y_7=x_7⊕n_7⊕(x_7⋙2)⊕(x_7⋘5) \\
   \\
   (y_1,n_1) = (15789597796041222200,14750142427529922)\\
   (y_2,n_2) = (8279663441787235887,2802568775308984)\\
   (y_3,n_3) = (9666438290109535850,15697145971486341)\\
   (y_4,n_4) = (10529571502219113153,9110411034859362)\\
   (y_5,n_5) = (8020289479524135048,4092084344173014)\\
   (y_6,n_6) = (10914636017953100490,2242282628961085)\\
   (y_7,n_7) = (4622436850708129231,10750832281632461)\\
$$
Definitions
⋙ denotes rotate right (circular shift)
⋘ denotes rotate left (circular shift)
⊕ denotes XOR
hint
HGAME
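One way to invert the rotation equations above, as an added example that is not part of the original write-up or the challenge: each map x ↦ x ⊕ rot(x, a) ⊕ rot(x, b) is linear over GF(2) and, applied 64 times, is the identity, so applying it 63 times undoes it. The 64-bit word size and all function names are assumptions; the (y, n) pairs and rotation amounts are copied from the statement.

```python
MASK = (1 << 64) - 1  # assumption: each disc is a 64-bit word

def rotl(x, k):
    k %= 64
    return ((x << k) | (x >> (64 - k))) & MASK

def rotr(x, k):
    return rotl(x, 64 - k)

def right(k):
    """Express a right rotation by k as the equivalent left rotation."""
    return 64 - k

def mix(x, rots):
    """x XOR each listed left-rotation of x (the disc transform without n)."""
    out = x
    for k in rots:
        out ^= rotl(x, k)
    return out

def unmix(z, rots):
    """Invert mix. mix is multiplication by f = 1 + t^a + t^b in GF(2)[t]/(t^64 - 1);
    squaring six times gives f^64 = 1 + t^(64a) + t^(64b) = 1, so mix^-1 = mix^63."""
    for _ in range(63):
        z = mix(z, rots)
    return z

ROWS = [  # (y, n, rotations as left amounts), in the order of the statement
    (15789597796041222200, 14750142427529922, (right(7), 3)),
    (8279663441787235887, 2802568775308984, (right(4), 9)),
    (9666438290109535850, 15697145971486341, (right(2), 5)),
    (10529571502219113153, 9110411034859362, (right(6), 13)),
    (8020289479524135048, 4092084344173014, (right(8), right(16))),
    (10914636017953100490, 2242282628961085, (right(5), 7)),
    (4622436850708129231, 10750832281632461, (right(2), 5)),
]

def encode(x, n, rots):
    return mix(x, rots) ^ n

def decode(y, n, rots):
    return unmix(y ^ n, rots)

def solve():
    return [decode(y, n, rots) for y, n, rots in ROWS]

if __name__ == "__main__":
    for x in solve():
        print(hex(x))
```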
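Copyright:

Harvey

Article link:

https://blog.harvey.plus/index.php/Writeup/90.html (please credit the source and include the article link when reposting)

Please note:

Strictly comply with the relevant provisions of the Cybersecurity Law! Everything shared here is for learning only! This site bears no responsibility for any illegal acts!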
