20210523-宁波市第四届网络安全大赛-CryptoSecWriteUp

Posted on 2021-10-08 Edited on 2022-09-10 In CTF-Crypto , WriteUp Views: Symbols count in article: 5.9k Reading time ≈ 5 mins.

RSA

黑板上写着一道题：
p=6FBC2F9E39
q=44CF33
e=17
求d？
答案就是flag

其实这些都是16进制的，然后求出来的d也要转换成16进制的大写

from gmpy2 import *
import hashlib
p = 0x6FBC2F9E39
q = 0x44CF33
e = 0x17
d = invert(e, (p-1)*(q-1))
# print(hex(d).upper())
m = hashlib.md5(hex(d).upper()[2:].encode()).hexdigest()
print(m.upper())
# 479A4D532737AC1EC3640F85E375B659

简单编码

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])

jsFuck丢进浏览器console里输出一下，得到

1	119178353342323

from Crypto.Util.number import *
import hashlib
t = 119178353342323
# t = long_to_bytes(t)
m = hashlib.md5('ld_jws'.encode()).hexdigest()
print(m.upper())

最终得到

1	flag{1E8FB0BC2025429CC885D2F794A89EB8}

nike

参考原题，第八届山东省网络安全技能大赛-MIX

(lambda __operator, __print, __g, __y: [(sys.setrecursionlimit(1000000), [[[[[(decode(cipher), None)[1] for __g['cipher'] in [('D6VNEIRAryZ8Opdbl3bOwqmBD+lmFXbcd/XfgHalqYBh1FDtbJo=')]][0] for __g['decode'], decode.__name__ in [(lambda cipher: (lambda __l: [(init(), [[[(lambda __after: (__print('sorry,you dont have the auth'), 0)[1] if (__l['auth'] == 1) else __after())(lambda: (lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[__this() for __l['result'] in [(__operator.iadd(__l['result'], chr((s[(__l['i'] % 256)] ^ ord(__l['cipher'][__l['i']])))))]][0] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(len(__l['cipher']))), lambda: (__print(__l['result'].encode('base64')), None)[1], [])) for __l['auth'] in [(0)]][0] for __l['cipher'] in [(__l['cipher'].decode('base64'))]][0] for __l['result'] in [('')]][0])[1] for __l['cipher'] in [(cipher)]][0])({}), 'decode')]][0] for __g['init'], init.__name__ in [(lambda : (lambda __l: [[(lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [(s.append(__l['i']), (k.append(ord(__l['key'][(__l['i'] % len(__l['key']))])), __this())[1])[1] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(256)), lambda: (lambda __items, __after, __sentinel: __y(lambda __this: lambda: (lambda __i: [[[[[__this() for s[__l['j']] in [(__l['tmp'])]][0] for s[__l['i']] in [(s[__l['j']])]][0] for __l['tmp'] in [(s[__l['i']])]][0] for __l['j'] in [((((__l['j'] + s[__l['i']]) + k[__l['i']]) % 256))]][0] for __l['i'] in [(__i)]][0] if __i is not __sentinel else __after())(next(__items, __sentinel)))())(iter(range(256)), lambda: None, []), []) for __l['j'] in [(0)]][0] for __l['key'] in [('aV9hbV9ub3RfZmxhZw=='.decode('base64'))]][0])({}), 'init')]][0] for __g['k'] in [([])]][0] for __g['s'] in [([])]][0])[1] for __g['sys'] in [(__import__('sys', __g, __g))]][0])(__import__('operator', level=0), __import__('__builtin__', level=0).__dict__['print'], globals(), (lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))))

出来一个base64转一下，得到

1	flag{2BD8A9A8E61F7B31C1D46B387CB0278D}

但是这个交不上，然后用python2运行他给我们的脚本，发现出来的base64有些许不同

最后得到的是，只有几位之差

1	flag{2BD8A9A8E61F7B31C1D46O1X7CB0278D}

散乱的密文

没看出来，看别的师傅的