AI时代确实很不适应,加上本身就菜,做不到像其他师傅那样可以抗着AI强度出大家都解决不了的0解题,简单总结一下自己一直以来在密码题上面的贡献,感觉也该找找新的地方做事了。
我很喜欢ctf这种特别的学习模式,不同于教科书一个原理接一个原理的死板学习法,通过实际调试代码能够快速掌握到相关知识点。因为没有人带着学习,自己打了很长一段时间的ctftime那种全国性质的赛事,大部分都是用ctfd起一个简单平台,题目也是线性提升,即使什么都不懂也能快速融入ctf成为不爆0的选手。
其中我很喜欢一类题目:整体处理得干净明了,没有太多前置知识,考点也不复杂化(俗称套娃),选手一眼能看出考点,然后学习并解出,看到选手们根据题目一点一点对上思路,然后解出对于我来说会感觉很欣慰(?),不过后期的AI时代大家不需要理解原理就能解出,甚至是wp也用AI自动生成,也许从这个时候开始对于我来说ctf的意义已经被AI吞噬干净了吧。
BaseCTF应该是我自认为开始比较有代表性的出题经历,前面像tpcup、vyctf等比赛只是单纯引用一些以前学到的题目,当时出了ez_math、mid_math、hard_math,这些算是开始按照自己的理解在出题, 其中hard_math基于LLL原理进行了简单的延伸,主要只是展示一下mid_math的出题思路,出题思路源于代数中的行列式:
import numpy as np
from Crypto.Util.number import *
a, b, c, d = [getPrime(128) for _ in range(4)]
point1 = a * d
point2 = b * c
matrix2 = [[0, a, b], [0, c, d]]
flag = b"flag{test_flag}"
flag = bytes_to_long(flag)
def randomArray():
upper = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
low = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
for i in range(3):
for j in range(i+1, 3):
upper[i][j] = getPrime(128)
low[j][i] = getPrime(128)
result = np.array(upper) @ np.array(low)
return result
A = np.array([[flag, 0, 0]] + matrix2)
B = randomArray()
C = randomArray()
MAT = C @ A @ B
print(point1)
print(point2)
print(MAT)
'''
65540596822333029826884315503808996273733737079814345540607878287618419734231
45151244176940366132774311848077675849486332018843894072137609985463616792271
[[9259505595451159514948336330303511539525155092949382077995385373332083424570340733825203563332256599256361679775371565817159463557158551820090084800254999338417057682355404780422980119717238594927467956675771042145306399815569005775907169857728757334979422594358
3700462282298785820527479428312072678870010244861115107206951164684911761755437333209293039456840068340334559453608012512177623936248784897843503284633804083281388001236742261832974291349480314135560368365574114042082002559069958228523318326290833422846224288247
20791012146351643571145217310876690226642338279942557085580439219377325884045305279931904540467264182713135410067252835618936836675270813727053937054168296298149405902638242278868020381541490973458957704137657413376043351193]
[3802535350808074374431476757195874789213113083310705049856269457737583463559458126494122484246497049005001474007088865512110432486291568737501434666990689483191924384489484665070592656641925905986397402822195880143437724155134584374613878027218950975919679551229
1519642544380087919293814751485424198320747098741960781639133554268321708273309194651985562222274023623071346914239982055028526526058064787882720065775210796950963778381575914964024929110539407721461321785325399699126116201001806816030960662346173275101476487421
8538097185709421082644083672229287227818939415260987123718318427750267353075860559170390896769087600458156859498331152566368881938040799840806164389020986990994328370205184734637870147251004626759120887684269603636183629300]
[17987668490992083132878642797176089621188858356259455169173987325310681186627844776077058221612169421636403546746899152917309634315569997105261046388995579843528014810244648968375990949478033964619008761814039733347955609163
7188579142941521685422767412932555782658469950638690886255638896617687421517941457682493542615460990114218059246938237257830976937359020731335958068934235967457123039874441635435388736524907036941379695243043923900290273902
40388963560266769813551191613694768219344365780650048155838802242681775019274045964917142477325170274191702615504062392461666558731638338001971723737440974198823443420018559746335727687]]
'''
已知存在一个矩阵A:
\[A=\begin{bmatrix} flag & 0 & 0 \\ 0 & a & b \\ 0 & c & d \end{bmatrix}\]其中 a, b, c, d 为随机数, 我们明显可以将其看作一个分块矩阵:
\[A=\begin{bmatrix} flag & 0 \\ 0 & A_{abcd} \end{bmatrix}, \\ A_{abcd}=\begin{bmatrix} a & b \\ c & d \end{bmatrix}\]即对A求行列式有:
\[|A|=|flag|*|A_{abcd}|\]对于二阶矩阵我们可以计算:
\[|A_{abcd}|=a*d-b*c\]其中已给出point1, point2, 我们可以计算出矩阵B、C的行列式, 即只需要知道矩阵的行列式即可求出flag, 对于矩阵B有:
\[B = B_{upper} * B_{low} , C = C_{upper} * C_{low}\]其中upper为主对角线为1的上三角矩阵, low为主对角线为1的下三角矩阵, 易得知:
\[|B|=1 , |C|=1\]又有:
\[MAT = C * A * B\]故有:
\[|MAT| = |A|\]我们可以通过以下方式计算flag:
point1 = 65540596822333029826884315503808996273733737079814345540607878287618419734231
point2 = 45151244176940366132774311848077675849486332018843894072137609985463616792271
MAT = [[9259505595451159514948336330303511539525155092949382077995385373332083424570340733825203563332256599256361679775371565817159463557158551820090084800254999338417057682355404780422980119717238594927467956675771042145306399815569005775907169857728757334979422594358,
3700462282298785820527479428312072678870010244861115107206951164684911761755437333209293039456840068340334559453608012512177623936248784897843503284633804083281388001236742261832974291349480314135560368365574114042082002559069958228523318326290833422846224288247,
20791012146351643571145217310876690226642338279942557085580439219377325884045305279931904540467264182713135410067252835618936836675270813727053937054168296298149405902638242278868020381541490973458957704137657413376043351193],
[3802535350808074374431476757195874789213113083310705049856269457737583463559458126494122484246497049005001474007088865512110432486291568737501434666990689483191924384489484665070592656641925905986397402822195880143437724155134584374613878027218950975919679551229,
1519642544380087919293814751485424198320747098741960781639133554268321708273309194651985562222274023623071346914239982055028526526058064787882720065775210796950963778381575914964024929110539407721461321785325399699126116201001806816030960662346173275101476487421,
8538097185709421082644083672229287227818939415260987123718318427750267353075860559170390896769087600458156859498331152566368881938040799840806164389020986990994328370205184734637870147251004626759120887684269603636183629300],
[17987668490992083132878642797176089621188858356259455169173987325310681186627844776077058221612169421636403546746899152917309634315569997105261046388995579843528014810244648968375990949478033964619008761814039733347955609163,
7188579142941521685422767412932555782658469950638690886255638896617687421517941457682493542615460990114218059246938237257830976937359020731335958068934235967457123039874441635435388736524907036941379695243043923900290273902,
40388963560266769813551191613694768219344365780650048155838802242681775019274045964917142477325170274191702615504062392461666558731638338001971723737440974198823443420018559746335727687]]
from sage.all import *
from Crypto.Util.number import *
print(long_to_bytes(det(matrix(MAT)) // (point1 - point2)))
# b'BaseCTF{E439646E-1768-18B3-DC4B-483C40C5340C}'
这场比赛时当时生活正面临着极大的困境,出题思路阻塞严重,庆幸的是自己对密码算法不再是只能简单使用了,当时出了ez_math, new_bag两题,ez_math基于rsa原理将数扩展到了矩阵,new_bag则是一个简单的背包问题,我想考察BKZ的基本应用,不过读的论文太早了,自己在限制的时候也限制得比较小,大家采用了各种不同解法完成题目,让我也学习到了好多新的知识,主要只简单举一下ez_math:
from sage.all import *
from Crypto.Util.number import *
from uuid import uuid4
flag = b'LitCTF{'+ str(uuid4()).encode() + b'}'
flag = bytes_to_long(flag)
len_flag = flag.bit_length()
e = 65537
p = getPrime(512)
P = GF(p)
A = [[flag, getPrime(len_flag)],
[getPrime(len_flag), getPrime(len_flag)]]
A = matrix(P, A)
B = A ** e
print(f"e = {e}")
print(f"p = {p}")
print(f"B = {list(B)}".replace('(', '[').replace(')', ']'))
# e = 65537
# p = 8147594556101158967571180945694180896742294483544853070485096002084187305007965554901340220135102394516080775084644243545680089670612459698730714507241869
# B = [[2155477851953408309667286450183162647077775173298899672730310990871751073331268840697064969968224381692698267285466913831393859280698670494293432275120170, 4113196339199671283644050914377933292797783829068402678379946926727565560805246629977929420627263995348168282358929186302526949449679561299204123214741547], [3652128051559825585352835887172797117251184204957364197630337114276860638429451378581133662832585442502338145987792778148110514594776496633267082169998598, 2475627430652911131017666156879485088601207383028954405788583206976605890994185119936790889665919339591067412273564551745588770370229650653217822472440992]]
rsa使用p,q计算n作为公钥,这里将p直接当作n使用,2×2 矩阵下的群会进化为一般线性群,有
\[|GL(2,p)|=(p^2−1)(p^2−p)\]可以直接计算:
from sage.all import *
from Crypto.Util.number import *
e = 65537
p = 8147594556101158967571180945694180896742294483544853070485096002084187305007965554901340220135102394516080775084644243545680089670612459698730714507241869
B = [[2155477851953408309667286450183162647077775173298899672730310990871751073331268840697064969968224381692698267285466913831393859280698670494293432275120170, 4113196339199671283644050914377933292797783829068402678379946926727565560805246629977929420627263995348168282358929186302526949449679561299204123214741547], [3652128051559825585352835887172797117251184204957364197630337114276860638429451378581133662832585442502338145987792778148110514594776496633267082169998598, 2475627430652911131017666156879485088601207383028954405788583206976605890994185119936790889665919339591067412273564551745588770370229650653217822472440992]]
phi= (p**2-1) * (p**2-p)
d=inverse(e,phi)
P = GF(p)
B = matrix(P, B)
B =B **d
print(long_to_bytes(int(B[0][0])))
#b'LitCTF{13dd217e-9a67-4093-8a1b-d2592c45ba82}'
考虑到叫ez_math,当时留了个口,即使只知道rsa也是可以通过p-1做出来的,因为(p^2-1)=(p+1)(p-1), 选择参数时直接选在了(p-1)上。
这次出题差不多完成了自己一直以来的想法,共计ez_math,mid_math两题,同样的思路在ez_math中强调代数中的特征向量,然后将mid_math作为主要考题。
from sage.all import *
from Crypto.Util.number import *
from tqdm import tqdm
from random import randint
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
flag = b'LILCTF{test_flag}'
p = getPrime(64)
P = GF(p)
key = randint(2**62, p)
def mul(vector, c):
return [vector[0]*c, vector[1]*c, vector[2]*c, vector[3]*c, vector[4]*c]
v1 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v2 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v3 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v4 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
v5 = [getPrime(64), getPrime(64), getPrime(64), getPrime(64), getPrime(64)]
a, b, c, d, e = getPrime(64), getPrime(64), getPrime(64), getPrime(64), 0
A = matrix(P, [v1, v2, v3, v4, v5])
B = matrix(P, [mul(v1,a), mul(v2,b), mul(v3, c), mul(v4, d), mul(v5, e)])
C = A.inverse() * B
D = C**key
key = pad(long_to_bytes(key), 16)
aes = AES.new(key,AES.MODE_ECB)
msg = aes.encrypt(pad(flag, 64))
print(f"p = {p}")
print(f'C = {[i for i in C]}'.replace('(', '[').replace(')', ']'))
print(f'D = {[i for i in D]}'.replace('(', '[').replace(')', ']'))
print(f"msg = {msg}")
#p = 14668080038311483271
#C = [[11315841881544731102, 2283439871732792326, 6800685968958241983, 6426158106328779372, 9681186993951502212], [4729583429936371197, 9934441408437898498, 12454838789798706101, 1137624354220162514, 8961427323294527914], [12212265161975165517, 8264257544674837561, 10531819068765930248, 4088354401871232602, 14653951889442072670], [6045978019175462652, 11202714988272207073, 13562937263226951112, 6648446245634067896, 13902820281072641413], [1046075193917103481, 3617988773170202613, 3590111338369894405, 2646640112163975771, 5966864698750134707]]
#D = [[1785348659555163021, 3612773974290420260, 8587341808081935796, 4393730037042586815, 10490463205723658044], [10457678631610076741, 1645527195687648140, 13013316081830726847, 12925223531522879912, 5478687620744215372], [9878636900393157276, 13274969755872629366, 3231582918568068174, 7045188483430589163, 5126509884591016427], [4914941908205759200, 7480989013464904670, 5860406622199128154, 8016615177615097542, 13266674393818320551], [3005316032591310201, 6624508725257625760, 7972954954270186094, 5331046349070112118, 6127026494304272395]]
#msg = b"\xcc]B:\xe8\xbc\x91\xe2\x93\xaa\x88\x17\xc4\xe5\x97\x87@\x0fd\xb5p\x81\x1e\x98,Z\xe1n`\xaf\xe0%:\xb7\x8aD\x03\xd2Wu5\xcd\xc4#m'\xa7\xa4\x80\x0b\xf7\xda8\x1b\x82k#\xc1gP\xbd/\xb5j"
特征向量对于我来说一直很具有诱惑性,不同于特征值,通过特征向量降低矩阵幂运算是代数中一个有效的应用方式,题目本质上提供了一个模p下的5x5随机矩阵A,1x5随机向量e,B=A*e, 现在构造A到B的变换C,有D=C^key, 需要求key用于解出flag。
\[A*C=A*e=B\]可以看出本题是一个简单的离散对数问题,只是扩展到矩阵上,一般情况下直接求key的话算力开销很高,因为A到B的变换C进行了降维,无法求取行列式直接求离散对数拿到结果,但是我们可以反过来思考,变换C的本质是B=Ae,可以对角化,理论上试图求CC, 我们可以通过变换转换为
\[PAP^(-1)=C\]再计算
\[D=PA*e*eP^(-1)\]参考以上思路,我们可以通过特征向量重新构建一组矩阵,对角化基下,原矩阵幂运算
\[D=C^{key}\]被简化为各特征值的标量幂运算:
from sage.all import *
from Crypto.Util.number import *
from Crypto.Util.Padding import pad
from Crypto.Cipher import AES
from tqdm import tqdm
p = 14668080038311483271
C = [[11315841881544731102, 2283439871732792326, 6800685968958241983, 6426158106328779372, 9681186993951502212], [4729583429936371197, 9934441408437898498, 12454838789798706101, 1137624354220162514, 8961427323294527914], [12212265161975165517, 8264257544674837561, 10531819068765930248, 4088354401871232602, 14653951889442072670], [6045978019175462652, 11202714988272207073, 13562937263226951112, 6648446245634067896, 13902820281072641413], [1046075193917103481, 3617988773170202613, 3590111338369894405, 2646640112163975771, 5966864698750134707]]
D = [[1785348659555163021, 3612773974290420260, 8587341808081935796, 4393730037042586815, 10490463205723658044], [10457678631610076741, 1645527195687648140, 13013316081830726847, 12925223531522879912, 5478687620744215372], [9878636900393157276, 13274969755872629366, 3231582918568068174, 7045188483430589163, 5126509884591016427], [4914941908205759200, 7480989013464904670, 5860406622199128154, 8016615177615097542, 13266674393818320551], [3005316032591310201, 6624508725257625760, 7972954954270186094, 5331046349070112118, 6127026494304272395]]
msg = b"\xcc]B:\xe8\xbc\x91\xe2\x93\xaa\x88\x17\xc4\xe5\x97\x87@\x0fd\xb5p\x81\x1e\x98,Z\xe1n`\xaf\xe0%:\xb7\x8aD\x03\xd2Wu5\xcd\xc4#m'\xa7\xa4\x80\x0b\xf7\xda8\x1b\x82k#\xc1gP\xbd/\xb5j"
P = GF(p)
C = matrix(P, C)
D = matrix(P, D)
C_eigen = matrix(GF(p), [vector(v) for eig, vecs, alg_mult in C.eigenvectors_left() for v in vecs])
C_Basis = C_eigen*C*C_eigen.inverse()
D_Basis = C_eigen*D*C_eigen.inverse()
n = []
m = []
for i in tqdm(range(5)):
if D_Basis[i, i] != 0 and C_Basis[i, i] != 0:
m_flag = discrete_log(P(D_Basis[i, i]), P(C_Basis[i, i]))
m.append(m_flag)
n_order = P(C_Basis[i, i]).multiplicative_order()
n.append(n_order)
key = crt(m, n)
key = pad(long_to_bytes(key), 16)
aes = AES.new(key,AES.MODE_ECB)
flag = aes.decrypt(msg)
print(flag)
# b'LILCTF{Are_y0u_5till_4wake_que5t1on_m4ker!}\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15\x15'
当时我记得好像出了一个ez_adic和ez_lattice,有点忘记了当时为什么没有上ez_padic的题目,当时同时在赶几个比赛,时间比较紧凑,ez_adic简单考了p进数,可以通过中国剩余定理直接求出,ez_lattice算是问题比较大的一题,所以重新整理了一类题目,不过当时出现了一些严重的非预期,不需要LLL即可得到flag。
from sage.all import *
from Crypto.Util.number import *
from uuid import uuid4
_flag = b'mcctf{'+ str(uuid4()).encode() + b'}'
v = 10
len_flag = len(_flag)//v
flag = [bytes_to_long( _flag[len_flag*i:len_flag*(i+1)] if i+1<v else _flag[len_flag*i:] ) for i in range(v)]
n = getPrime(1024)
k = getPrime(320)
h = [(pow(i, -1, n) * k) % n for i in flag]
print('n =', n)
print('h =', h)
#n = 101058037881577920580002375991533361443161573598172872401436929130908010655347634552777064174546568575027746607488492099154312267724394462943506690144947830040343315369562513570527692894685015573081207528621819747699733304080614793374057284273387848357708739112531677281801323793173090364390370736467003582917
#h = [65238694465386915975309840141683615649716012162296959248563569592374718661731701206400896806537952397410032261877378530686978759625292099657084619983375773255755144153781457417211674091516407534881571548771997217431814162001948536903510439216595988996202297986689400937900640116301788349788192250828531102128, 32068430839487144716294122362877372185693231094331598085462142396101367356886620469702732239532304931830205469549873073426114974524345753699104479003686428551918989837919692818874041699167857438504796702427222322750641837975840611428682636854000155270647980139296254355022602725831316373502464385756822509507, 48045538813319220884490922546018868575029946351799253696566675045038593914426407040185597260237676046539039366729571890778376978523204708113947916683959718708951574554301326506033685253589648114421528029323355988178699924863264060114597711724540199556277259170518549061045104668001222710528847166168767224549, 75123995948950968391603159591624639368414690146643442871589447787252191810497231696845253418339980365162413355185111520483921331823652266243697559776174240013810488917495610598469082493126712875223200656678886780170706766832861117452830161713449328056483280254149803408052080851148204725932967126493489495389, 42343824812526091206264281076069981510653655573870037741842182418474719039360760283698683250943728878536765635239317776400805788012233353293622608102030711446811052604409325460820893599261928948443614050545507085890105202716250838690843035633052646253790841787346488131868389877735682981371140434336342163669, 37628269352817676029356094741613805749594096808670358767615556155530757612666502454541938594622721603313749449559343049177509738095358796943332112708078541782706675648358891508089680020008921913219362413211208103447607363315907316039312691994345309495981824477958094292712571053294153865686883217285045072976, 73095252261793287281307332092278639250704283375416144614680921495193800381044097746018933097918509033128787939821334122567907138901258104948978871755972801343922472074421943147663482695952043375035475082008819785709339730299175470843123204596279944349658280821397882576553260815905563725407952447607089415633, 8361412049519617647068414326705006074844850312921172001754491320379019244806566558657382200324831784028297924464089518976736942901670220750313172374617027089856976338617784260689863433040095122712749142220670740521573738642943802961154307094774904173422138158314888817191233893356292405644600013350124816088, 62352524946552767010792198212753557220884107271554779577796506420796971189249469475111704305722210605467500390830564039781429821148651682920442985923243637249469873109032519540399258091710648539664160224041270628257896923843424376128648420038693104506093124335294407330397776591999820661062819804224881373090, 45213281711383478082421649210599256239528608897580799695344082282030442480159495245224471785682835728050988008519768665616995327124516724160052452164034157361068252085880379351444661551341271829125924017634986473455126215443151677035338594360564464453084451500811436155828884254112395862897223575590665873227]
题目算比较简单的格密码题型,稍微在上面做了点变式,将flag切分后在维度进行了扩展,已知将flag切分为10段,对每段进行:
\[h_i = flag_i^{-1} \times k \mod{n}\]现在已知各行的h与n,我们可以构造一个矩阵求格计算出k,然后反代出flag,但是我忘记了因为各段之间没有联系,其实也可以直接分别将flag各段格出后再拼出flag:
from sage.all import *
from Crypto.Util.number import *
n = 101058037881577920580002375991533361443161573598172872401436929130908010655347634552777064174546568575027746607488492099154312267724394462943506690144947830040343315369562513570527692894685015573081207528621819747699733304080614793374057284273387848357708739112531677281801323793173090364390370736467003582917
h = [
65238694465386915975309840141683615649716012162296959248563569592374718661731701206400896806537952397410032261877378530686978759625292099657084619983375773255755144153781457417211674091516407534881571548771997217431814162001948536903510439216595988996202297986689400937900640116301788349788192250828531102128,
32068430839487144716294122362877372185693231094331598085462142396101367356886620469702732239532304931830205469549873073426114974524345753699104479003686428551918989837919692818874041699167857438504796702427222322750641837975840611428682636854000155270647980139296254355022602725831316373502464385756822509507,
48045538813319220884490922546018868575029946351799253696566675045038593914426407040185597260237676046539039366729571890778376978523204708113947916683959718708951574554301326506033685253589648114421528029323355988178699924863264060114597711724540199556277259170518549061045104668001222710528847166168767224549,
75123995948950968391603159591624639368414690146643442871589447787252191810497231696845253418339980365162413355185111520483921331823652266243697559776174240013810488917495610598469082493126712875223200656678886780170706766832861117452830161713449328056483280254149803408052080851148204725932967126493489495389,
42343824812526091206264281076069981510653655573870037741842182418474719039360760283698683250943728878536765635239317776400805788012233353293622608102030711446811052604409325460820893599261928948443614050545507085890105202716250838690843035633052646253790841787346488131868389877735682981371140434336342163669,
37628269352817676029356094741613805749594096808670358767615556155530757612666502454541938594622721603313749449559343049177509738095358796943332112708078541782706675648358891508089680020008921913219362413211208103447607363315907316039312691994345309495981824477958094292712571053294153865686883217285045072976,
73095252261793287281307332092278639250704283375416144614680921495193800381044097746018933097918509033128787939821334122567907138901258104948978871755972801343922472074421943147663482695952043375035475082008819785709339730299175470843123204596279944349658280821397882576553260815905563725407952447607089415633,
8361412049519617647068414326705006074844850312921172001754491320379019244806566558657382200324831784028297924464089518976736942901670220750313172374617027089856976338617784260689863433040095122712749142220670740521573738642943802961154307094774904173422138158314888817191233893356292405644600013350124816088,
62352524946552767010792198212753557220884107271554779577796506420796971189249469475111704305722210605467500390830564039781429821148651682920442985923243637249469873109032519540399258091710648539664160224041270628257896923843424376128648420038693104506093124335294407330397776591999820661062819804224881373090,
45213281711383478082421649210599256239528608897580799695344082282030442480159495245224471785682835728050988008519768665616995327124516724160052452164034157361068252085880379351444661551341271829125924017634986473455126215443151677035338594360564464453084451500811436155828884254112395862897223575590665873227
]
flag = b""
for i in h:
M = matrix(
[[n, 0],
[i, 1]]
)
reduced = M.LLL()
flag += long_to_bytes(abs(reduced[0,1]))
# b'mcctf{f670d7a5-80db-4b7a-86f3-466a0e1e7daf}'
当然我还忘记一个更大的问题,flag切分以后存在其中一段可以被预测,可以预测然后反代出k,进而计算flag:
from Crypto.Util.number import *
n = 101058037881577920580002375991533361443161573598172872401436929130908010655347634552777064174546568575027746607488492099154312267724394462943506690144947830040343315369562513570527692894685015573081207528621819747699733304080614793374057284273387848357708739112531677281801323793173090364390370736467003582917
h = [
65238694465386915975309840141683615649716012162296959248563569592374718661731701206400896806537952397410032261877378530686978759625292099657084619983375773255755144153781457417211674091516407534881571548771997217431814162001948536903510439216595988996202297986689400937900640116301788349788192250828531102128,
32068430839487144716294122362877372185693231094331598085462142396101367356886620469702732239532304931830205469549873073426114974524345753699104479003686428551918989837919692818874041699167857438504796702427222322750641837975840611428682636854000155270647980139296254355022602725831316373502464385756822509507,
48045538813319220884490922546018868575029946351799253696566675045038593914426407040185597260237676046539039366729571890778376978523204708113947916683959718708951574554301326506033685253589648114421528029323355988178699924863264060114597711724540199556277259170518549061045104668001222710528847166168767224549,
75123995948950968391603159591624639368414690146643442871589447787252191810497231696845253418339980365162413355185111520483921331823652266243697559776174240013810488917495610598469082493126712875223200656678886780170706766832861117452830161713449328056483280254149803408052080851148204725932967126493489495389,
42343824812526091206264281076069981510653655573870037741842182418474719039360760283698683250943728878536765635239317776400805788012233353293622608102030711446811052604409325460820893599261928948443614050545507085890105202716250838690843035633052646253790841787346488131868389877735682981371140434336342163669,
37628269352817676029356094741613805749594096808670358767615556155530757612666502454541938594622721603313749449559343049177509738095358796943332112708078541782706675648358891508089680020008921913219362413211208103447607363315907316039312691994345309495981824477958094292712571053294153865686883217285045072976,
73095252261793287281307332092278639250704283375416144614680921495193800381044097746018933097918509033128787939821334122567907138901258104948978871755972801343922472074421943147663482695952043375035475082008819785709339730299175470843123204596279944349658280821397882576553260815905563725407952447607089415633,
8361412049519617647068414326705006074844850312921172001754491320379019244806566558657382200324831784028297924464089518976736942901670220750313172374617027089856976338617784260689863433040095122712749142220670740521573738642943802961154307094774904173422138158314888817191233893356292405644600013350124816088,
62352524946552767010792198212753557220884107271554779577796506420796971189249469475111704305722210605467500390830564039781429821148651682920442985923243637249469873109032519540399258091710648539664160224041270628257896923843424376128648420038693104506093124335294407330397776591999820661062819804224881373090,
45213281711383478082421649210599256239528608897580799695344082282030442480159495245224471785682835728050988008519768665616995327124516724160052452164034157361068252085880379351444661551341271829125924017634986473455126215443151677035338594360564464453084451500811436155828884254112395862897223575590665873227
]
m0 = bytes_to_long(b"mcct")
k = (h[0] * m0) % n
flag = b""
for i in h:
m_i = long_to_bytes((pow(i, -1, n) * k) % n)
flag += m_i
print(flag)
#b'mcctf{f670d7a5-80db-4b7a-86f3-466a0e1e7daf}'
(关键我还忘记最开始怎么准备的exp了,以后有时间试着做一做)
好像也背了点锅,主要出了ClairautDH,后来发现存在重大bug又重新补了一道ClairautDH-Revenge,本来打算出两道题来着,后来确实燃尽了。ClairautDH确实应该算脑洞打开的一题,记得以前和其他师傅聊过AI冲击下很难出适合新生但能防范AI的题目,队伍进行选拔时很难区分选手的真实实力。刚好前段时间有人找我设计密码系统涉及到DH密钥交换,麻省理工的积分决赛也打完不久,之前看比赛时顺便自己顺便用AI简单求了一下积分,没求出来,于是有了将微积分应用于密钥交换的灵感。
# task.py
import hashlib
from sympy import symbols, diff, simplify, Integer
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from Crypto.Util.number import long_to_bytes, bytes_to_long
import os
import random
from secret import flag, f
# 共享函数和flag
x, y = symbols('x y')
'''
Bob and Alice share a function f(x, y). Whenever they need to generate a shared secret key, they can temporarily use the following method.
We provide a simple example.
'''
#f = x*y + x + y
def AES_enc(msg, key):
key_hash = hashlib.sha256(long_to_bytes(key)).digest()
cipher = AES.new(key_hash[:16], AES.MODE_ECB)
return cipher.encrypt(pad(msg, AES.block_size))
def AES_dec(msg, key):
key_hash = hashlib.sha256(long_to_bytes(key)).digest()
cipher = AES.new(key_hash[:16], AES.MODE_ECB)
return unpad(cipher.decrypt(msg), AES.block_size)
# --- 第一步:Alice ---
alice_x = Integer(random.getrandbits(128))
f_x = diff(f, x).subs(x, alice_x)
print(f"\\partial F/ \\partial x: {simplify(f_x)}")
# --- 第二步:Bob ---
bob_y = Integer(random.getrandbits(128))
print(diff(f, y))
f_y = diff(f, y).subs(y, bob_y)
print(f"\\partial F/ \\partial y: {simplify(f_y)}")
# --- 第三步:Alice ---
secret_scalar = abs(int(diff(f_y, x).subs(x, alice_x)))
secret = AES_enc(flag, secret_scalar)
print(f"secret: {bytes_to_long(secret)}")
# --- 第四步:Bob ---
secret_scalar_bob = abs(int(diff(f_x, y).subs(y, bob_y)))
decrypted_flag = AES_dec(secret, secret_scalar_bob)
# 验证
assert decrypted_flag == flag
print('Bob get flag.')
题目基于偏微分的克莱罗定理,对于连续可微函数的混合偏导数相等,密钥交换需要有一个正向容易逆向困难的计算方式保障个人生成的密钥安全,这里的体现是函数微分容易积分困难。
已知各偏导数表达式很容易还原方程,进而解出共享密钥,故在公开偏微分方程时进行降纬处理,原题目就变成了已知两个微分投影求出原始函数。
相比数学方法,求取积分更倾向于找感觉,我们可以通过偏导函数未进行微分的另一维度去猜测原始函数的大概轮廓,从而进行还原,例如如下输出:
'''
\partial F/ \partial x: 1091410879207163423527614718617914148888*y**3 + 81254019297725586260762901144707066777558658481431202628329889377193662772828317753114607046787850201807677669860192 - 1/y
\partial F/ \partial y: 677492876058731304548321124430382899202536309194603058276767059068971723406326*x**2 + x/112915479343121884091386854071730483200422718199100509712794509844828620567721 + 25706026840600906043088759983422158599436354716595565472703098295727374823141571327891394051094542563877396658316435605977006168485141809993256872220352031815049004360456983843517338282006837806
secret: 29541001074036648052457017922472446898167742481813256589556212172626042913295772830659172788048290288920622639932811
Bob get flag.
'''
通过\(\partial F/ \partial x\)可以大致窥见函数与\(my^3 - n/y\)有关,从\(\partial F/ \partial y\)可以猜测函数形似\(mx^2 + x/n\), 我们可以激进地猜测函数大致为
\[mx^2y^3 - nx/y\]直接求导回推, 也可以谨慎对已知信息排查密钥(毕竟未进行取模运算),有个神奇的地方是gemini能够直接精准地还原函数(PS. 至今不明白它怎么知道我为了简化难度没带系数?函数选择是尽量精简过的而不是求导过程将复杂函数变简单的?)
以\(\partial F/ \partial y\)为例,保守计算可以猜测\(x^2\)处倾向为一个复合函数的计算结果,即:
\[dy = f′(g(x))⋅g′(x)⋅dx\]结合x的偏导可以猜测系数与\(3(y^2)\)具有相关性,故有其中的EXP如下所示:
import hashlib
from sympy import symbols, diff, root
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from Crypto.Util.number import long_to_bytes, bytes_to_long
def AES_dec(msg, key):
key_hash = hashlib.sha256(long_to_bytes(key)).digest()
cipher = AES.new(key_hash[:16], AES.MODE_ECB)
return unpad(cipher.decrypt(msg), AES.block_size)
def find_y(_y):
n = 3
while True:
if _y % n == 0:
q = _y // n
y = root(q, 2)
if y == int(y):
return y
n += 1
y = symbols("y")
f_x = 1091410879207163423527614718617914148888*y**3 + 81254019297725586260762901144707066777558658481431202628329889377193662772828317753114607046787850201807677669860192 - 1/y
secret = 29541001074036648052457017922472446898167742481813256589556212172626042913295772830659172788048290288920622639932811
_y = 677492876058731304548321124430382899202536309194603058276767059068971723406326
result = find_y(_y)
secret_scalar_bob = abs(int(diff(f_x, y).subs(y, result)))
decrypted_flag = AES_dec(long_to_bytes(secret), secret_scalar_bob)
print(decrypted_flag)
其实我本意是不太想记录AI类题目来着, 我用于训练AI的电脑被单独隔离开, 与打比赛的电脑分别单独存放, 但是学着写一点东西总是好的, 万一以后需要了呢(笑).
CNN又称卷积神经网络, 算是大部分入门AI的第一课, 我记得当时是看了3b1b的视频1, 了解了个大概后自己按照一些相关博客试着用numpy搭建了一个简单的模型2, 可惜识别效率太低, 就不分享了. 3b1b的可视化做得很好, 就不过多赘述了.
如果卷积的变量是序列\(x(n)\)和\(h(n)\),则卷积的结果为:
\[x(n) * h(n) = \sum{x(i)h(n-i)}\]卷积神经网络使用了卷积运算, 用于捕捉图像中的局部特征.
实际上在比赛刚开始的时候我只看了这一题, 描述如下:
🔥 Welcome, Pokémon Trainer! 🔥 Hello there! Welcome to the world of Pokémon! 🌍⚡ I’m Professor Oak, the leading Pokémon researcher, and I’ve been working on an advanced Pokédex upgrade that can automatically classify Pokémon types using cutting-edge neural networks. This breakthrough could revolutionize how trainers understand their Pokémon! BUT… there’s been a slight hiccup in the lab. 😰 My Pikachu got a little too excited and—well, let’s just say a few crucial data files were shocked into oblivion. ⚡💥 Now, the entire system is scrambled, and I need your help to restore order and complete the classifier! Now.. For further details, access the PDF. Heads up!! It’s password protected. The password is the name of the pokemon Ash first captured. Good Luck Trainer !!!
UG9rZW1vbkNOTgrilJzilIDilIAgSW5pdGlhbCBJbnB1dDogKDI1NiwgMjU2LCA0KQrilIIK4pSc4pSA4pSAIEZlYXR1cmUgRXh0cmFjdGlvbiBMYXllcnMK4pSCICAg4pSc4pSA4pSAIENvbnYyRCAoNC0+MzIpCuKUgiAgIOKUnOKUgOKUgCBCYXRjaE5vcm0yRCAK4pSCICAg4pSc4pSA4pSAIFJlTFUgQWN0aXZhdGlvbgrilIIgICDilJzilIDilIAgTWF4UG9vbDJEKEsgU2l6ZSA9IDMpCuKUgiAgIOKUnOKUgOKUgCBEcm9wb3V0IChwPTAuMjUpCuKUggrilJzilIDilIAgRGVlcGVyIFByb2Nlc3NpbmcK4pSCICAg4pSc4pSA4pSAIENvbnYyRCgzMi0+NjQpCuKUgiAgIOKUnOKUgOKUgCBCYXRjaE5vcm0yRCAoNjQpCuKUgiAgIOKUnOKUgOKUgCBSZUxVIEFjdGl2YXRpb24K4pSCICAg4pSc4pSA4pSAIE1heFBvb2wyRChLIFNpemUgPSAzKQrilIIgICDilJzilIDilIAgRHJvcG91dCAocD0wLjI1KQrilIIK4pSc4pSA4pSAIE1vcmUgRmVhdHVyZSBFeHRyYWN0aW9uCuKUgiAgIOKUnOKUgOKUgCBDb252MkQoNjQtPjEyOCkK4pSCICAg4pSc4pSA4pSAIEJhdGNoTm9ybTJECuKUgiAgIOKUnOKUgOKUgCBSZUxVIEFjdGl2YXRpb24K4pSCICAg4pSc4pSA4pSAIE1heFBvb2wyRChLIFNpemUgPSAzKQrilIIgICDilJzilIDilIAgRHJvcG91dCAocD0wLjI1KQrilIIK4pSc4pSA4pSAIEZ1bGx5IENvbm5lY3RlZCBMYXllcnMK4pSCICAg4pSc4pSA4pSAIEZsYXR0ZW4K4pSCICAg4pSc4pSA4pSAIExpbmVhciAoNTEyIE5ldXJvbnMpCuKUgiAgIOKUnOKUgOKUgCBCYXRjaE5vcm0xRArilIIgICDilJzilIDilIAgRHJvcG91dCAocD0wLjUpCuKUgiAgIOKUnOKUgOKUgCBMaW5lYXIK4pSCICAg4pSc4pSA4pSAIFNvZnRtYXggQWN0aXZhdGlvbgrilIIK4pSU4pSA4pSAIE91dHB1dDogMTggY2xhc3Nlcw==
另外还有一个pdf文件, 密码为caterpie, 点开后有如下内容:
Welcome, Pokémon Trainer!
Hello there! Welcome to the world of Pokémon!
I’m Professor Oak, the leading Pokémon researcher, and I’ve been working on an advanced Pokédex upgrade that can automatically classify Pokémon types using cutting-edge neural networks. This breakthrough could revolutionize how trainers understand their Pokémon!
BUT… there’s been a slight hiccup in the lab.
My Pikachu got a little too excited and—well, let’s just say a few crucial data files were shocked into oblivion. Now, the entire system is scrambled, and I need your help to restore order and complete the classifier!
Your mission: Train a CNN model to classify Pokémon by type and help me get the Pokédex back on track. Are you up for the challenge, Trainer? Let’s GO!
Notebook link: https://www.kaggle.com/code/gl3mon/apoorvquestion Dataset link: https://www.kaggle.com/datasets/gl3mon/apoorvctf
很遗憾当我得知密码是绿毛虫的时候已经找不到页面了, 所以直接简单复盘一下代码部分, 核心源码如下:
class PokemonCNN(nn.Module):
def __init__(self):
super().__init__()
self.conv1 = nn.Conv2d(4, 32, kernel_size=2)
self.bn1 = nn.BatchNorm2d(32)
self.relu = nn.ReLU()
self.pool = nn.MaxPool2d(kernel_size=3)
self.drop1 = nn.Dropout(0.25)
self.conv2 = nn.Conv2d(32, 64, kernel_size=2)
self.bn2 = nn.BatchNorm2d(64)
self.relu2 = nn.ReLU()
self.pool2 = nn.MaxPool2d(kernel_size=3)
self.drop2 = nn.Dropout(0.25)
self.conv3 = nn.Conv2d(64, 128, kernel_size=2)
self.bn3 = nn.BatchNorm2d(128)
self.relu3 = nn.ReLU()
self.pool3 = nn.MaxPool2d(kernel_size=3)
self.drop3 = nn.Dropout(0.25)
self.flatten = nn.Flatten()
self.fc1 = nn.Linear(10368, 512)
self.bn4 = nn.BatchNorm1d(512)
self.drop4 = nn.Dropout(0.5)
self.fc2 = nn.Linear(512, 18)
self.softmax = nn.Softmax()
def forward(self, x):
x = self.pool(F.relu(self.bn1(self.conv1(x))))
x = self.drop1(x)
x = self.pool(F.relu(self.bn2(self.conv2(x))))
x = self.drop2(x)
x = self.pool(F.relu(self.bn3(self.conv3(x))))
x = self.drop3(x)
x = self.flatten(x)
x = self.fc1(x)
x = self.bn4(x)
x = self.drop4(x)
x = self.fc2(x)
x = self.softmax(x)
return x
emmmm, 题目好像有点复杂了, 据描述需要使用GPU T4x2, 不过结合之前学习deepseek的一些经验, 理论上是可以加入以下代码修改的:
def __init__(self):
self.device = "cuda" if pt.cuda.is_available() else "cpu"
print(f"Using device: {self.device}")
然后先进第一题:
Question 1: What is the seed of the given code?
程序中给出了提示: I have not mentioned the seed for security reasons. But I'll let you in on a little secret. It's the pokemon number for charizard., 但是理解不了, 复盘的时候我直接上了爆破:
from EXP.pwn import *
def test(num):
io("./test")
print(r())
s(str(num).encode())
data = bool(r() == b'> Incorrect answer for question 1.\n')
close()
return data
for i in range(10000):
if test(i):
continue
else:
print(i)
break
# [*] Stopped process './test' (pid 613)
# 151
不是很理解喷火龙为什么是151总之, 但是拿到了种子编号, 可以直接修改为pt.manual_seed(151).
Question 2: What’s the number of input features of the first linear layer?
跑不出来, 直接放代码, 有时间再慢慢说.
import torch as pt
import torch.nn.functional as F
import torch.nn as nn
pt.manual_seed(151) # I have not mentioned the seed for security reasons. But I'll let you in on a little secret. It's the pokemon number for charizard.
from torch.utils.data import Dataset, DataLoader
from torchvision import datasets
from torchvision.transforms import ToTensor
import matplotlib.pyplot as plt
import os
import pandas as pd
from torchvision.io import read_image
class CTFDataset(Dataset):
def __init__(self, annotation_file, img_dir, transform = None, target_transform = None):
self.img_labels = pd.read_csv(annotation_file, index_col=0)
self.label_mapping = {
'Bug': 0, 'Dark': 1, 'Dragon': 2, 'Electric': 3, 'Fairy': 4,
'Fighting': 5, 'Fire': 6, 'Flying': 7, 'Ghost': 8, 'Grass': 9,
'Ground': 10, 'Ice': 11, 'Normal': 12, 'Poison': 13, 'Psychic': 14,
'Rock': 15, 'Steel': 16, 'Water': 17
}
self.img_labels['class'] = self.img_labels['type'].map(self.label_mapping)
self.img_dir = img_dir
self.transform = transform
self.target_transform = target_transform
def __len__(self):
return len(self.img_labels)
def __getitem__(self, idx):
img_path = os.path.join(self.img_dir, self.img_labels.iloc[idx]['type'], f'{self.img_labels.iloc[idx]["pkn"]}'+'.png')
image = None
try:
image = read_image(img_path).to(pt.float32)
except:
image = pt.zeros(4, 256, 256)
label = self.img_labels.iloc[idx]['class']
if self.transform:
image = self.transform(image)
if self.target_transform:
label = self.target_transform(label)
return image, label
ds = CTFDataset(
annotation_file = '/kaggle/input/apoorvctf/final_y.csv',
img_dir = '/kaggle/input/apoorvctf/train',
)
train_dataloader = DataLoader(ds, batch_size=4, shuffle=False)
class PokemonCNN(nn.Module):
def __init__(self):
super().__init__()
self.conv1 = nn.Conv2d(4, 32, kernel_size=2)
self.bn1 = nn.BatchNorm2d(32)
self.relu = nn.ReLU()
self.pool = nn.MaxPool2d(kernel_size=3)
self.drop1 = nn.Dropout(0.25)
self.conv2 = nn.Conv2d(32, 64, kernel_size=2)
self.bn2 = nn.BatchNorm2d(64)
self.relu2 = nn.ReLU()
self.pool2 = nn.MaxPool2d(kernel_size=3)
self.drop2 = nn.Dropout(0.25)
self.conv3 = nn.Conv2d(64, 128, kernel_size=2)
self.bn3 = nn.BatchNorm2d(128)
self.relu3 = nn.ReLU()
self.pool3 = nn.MaxPool2d(kernel_size=3)
self.drop3 = nn.Dropout(0.25)
self.flatten = nn.Flatten()
self.fc1 = nn.Linear(10368, 512)
self.bn4 = nn.BatchNorm1d(512)
self.drop4 = nn.Dropout(0.5)
self.fc2 = nn.Linear(512, 18)
self.softmax = nn.Softmax()
def forward(self, x):
x = self.pool(F.relu(self.bn1(self.conv1(x))))
x = self.drop1(x)
x = self.pool(F.relu(self.bn2(self.conv2(x))))
x = self.drop2(x)
x = self.pool(F.relu(self.bn3(self.conv3(x))))
x = self.drop3(x)
x = self.flatten(x)
x = self.fc1(x)
x = self.bn4(x)
x = self.drop4(x)
x = self.fc2(x)
x = self.softmax(x)
return x
sum(dict(pk.named_parameters())["fc1.weight"][0]) = tensor(-3.6320, grad_fn=<AddBackward0>)
dict(pk.named_parameters())["fc2.weight"][2][15] = tensor(-0.0241, grad_fn=<SelectBackward0>)
# apoorvctf{P1k4chu_0ch0t0n4_pr1nc3ps}
没想到国内也有比赛单开了一个赛道, 有时间试着跟wp学习学习.
3Blue1Brown.【官方双语】深度学习之神经网络的结构 Part 1 ver 2.0[EB/OL].bilibili.https://www.bilibili.com/video/BV1bx411M7Zx.2017-10-19 ↩
qxcheng.用numpy实现CNN卷积神经网络[EB/OL].博客园.https://www.cnblogs.com/qxcheng/p/11729773.html.2019-10-23 ↩
c = 41371441628678749855341069318913940139183366190092850457791401944637484881722387130432528789403867120983310612023037050412981687401539375118177921234958241549652642148049464476777138721957300380163011255302922062871368980358844918698066643476906429304993326666393192819367202508911333287188748033044647
e = 3
n = 125533848452137763185016834412259349043987425043688722410453579918645013940088212764269073831951730407180201649381111989694930753816422349270797992511026080967667823475550286796327579680655909172631694714891168782703472181155691095137469432249992072921349964218538827606766136606019411932023475455088911
e很小, 模n很大, 理论上可以直接开根求解.
from Crypto.Util.number import *
from gmpy2 import iroot
c = 41371441628678749855341069318913940139183366190092850457791401944637484881722387130432528789403867120983310612023037050412981687401539375118177921234958241549652642148049464476777138721957300380163011255302922062871368980358844918698066643476906429304993326666393192819367202508911333287188748033044647
e = 3
n = 125533848452137763185016834412259349043987425043688722410453579918645013940088212764269073831951730407180201649381111989694930753816422349270797992511026080967667823475550286796327579680655909172631694714891168782703472181155691095137469432249992072921349964218538827606766136606019411932023475455088911
k = 0
while 1:
#c+k*n 开3次方
res = iroot(c+k*n,e)
if(res[1] == True):
print(b'FMCTF'+long_to_bytes(res[0])+b'}') #转为字符串
break
k=k+1
#b'FMCTFBru7ef0rce_1s_s0me71mes_4n_effective_W4y!!!}'
flag = "FMCTF{REDACTED}"
def enc(data : str):
result = []
for i in range(len(data)):
result.append(
(
(
ord(data[i - 1]) +
ord(data[i]) +
ord(data[(i + 1) % len(data)])
) % 256)
.to_bytes()
)
return b''.join(result)
print(enc(flag))
open("./flag.enc", "wb").write(enc(flag))
主要实现对每一位字符的前后两位进行加和后取模, 本质上只需要获取其中两位就可以获取剩余的字符, 难点主要可能是实现算法了.
flag = "FMCTF{REDACTED}"
mess = open("./flag.enc", "rb").read()
flag_1 = ord(flag[0])
flag_2 = ord(flag[1])
flag_3 = ord(flag[2])
return_flag = 'FM'
n = 3
i = 1
for _ in range(16):
for j in range(65, 126):
if mess[i] == (flag_1 + flag_2 + j) % 256:
return_flag += chr(j)
flag_1 = flag_2
flag_2 = j
i += 1
print(return_flag)
# FMCTF{broken_circle_is_not_fun_at_all}
from Crypto.Util.number import getPrime
import os
flag = os.getenv("FLAG", "FMCTF{F4K3_FL49}")
m = int(flag.encode().hex(), 16)
p = getPrime(512)
q = getPrime(512)
n = p*q
e = 65537
c = pow(m, e, n)
hint = p+q
print(f"{hint = }")
print(f"{n = }")
print(f"{c = }")
# hint = 17469292153344571442220879753705314094982989674618803961044325274734902918518047825543639089360378046111761829828690097867206972174713085299385569035446604
# n = 72178676992512160441554160179592383158203955928083976740488546189244761660478121450369459709272987174826935459768807973546852656122370605905453926547673003297830819475396600384101353650933279529161854454268770358323854195264696322371766082303954604264551309576730976571309522883511488619775495703381232031179
# c = 58920849369961001974878540043377399205173235403895163231084588694712964281923344842680972991777380071418111292770515352012869237864259800540355713208626735820573601770413846338478651482053989341163751620131823006414875347921150338651475973491744075397194132475674270761198474531891598902225518350430719735601
经典数学问题, 已知:
\[\left\{\begin{matrix} p*q=n \\ p+q=hint \end{matrix}\right.\]可以设p表达q, 然后解方程.
from sage.all import *
from Crypto.Util.number import *
e = 65537
hint = 17469292153344571442220879753705314094982989674618803961044325274734902918518047825543639089360378046111761829828690097867206972174713085299385569035446604
n = 72178676992512160441554160179592383158203955928083976740488546189244761660478121450369459709272987174826935459768807973546852656122370605905453926547673003297830819475396600384101353650933279529161854454268770358323854195264696322371766082303954604264551309576730976571309522883511488619775495703381232031179
c = 58920849369961001974878540043377399205173235403895163231084588694712964281923344842680972991777380071418111292770515352012869237864259800540355713208626735820573601770413846338478651482053989341163751620131823006414875347921150338651475973491744075397194132475674270761198474531891598902225518350430719735601
p_ = var('p_')
approx_p = int((p_*(hint - p_) - n).roots()[0][0])
p = int(approx_p)
q = n//p
d = pow(e, -1, (p-1)*(q-1))
print(long_to_bytes(pow(c, d, n)))
# b'FMCTF{rSA_34SY_P34SY_L3M0N_5QU33ZY}'
from pwn import *
FLAG = os.environ.get("FLAG", "FMCTF{F4K3_FL49}").encode()
key = os.urandom(7)
encryptedFlag = xor(FLAG, key).hex()
print(f"encryptedFlag = {encryptedFlag}")
# encryptedFlag = a850d725cb56b0de4fcb40de72a4df56a72ec06cafa75ecb41f51c95
key是随机生成的7位字符, 但是已知flag头有”FMCTF{}”, 可以反向求解出key, 然后解密.
from pwn import xor
# 给定的加密后的十六进制字符串
encrypted_flag_hex = "a850d725cb56b0de4fcb40de72a4df56a72ec06cafa75ecb41f51c95"
encrypted_flag = bytes.fromhex(encrypted_flag_hex)
known_prefix = b"FMCTF{"
key = []
for i in range(6):
key_byte = encrypted_flag[i] ^ known_prefix[i]
key.append(key_byte)
last_index = len(encrypted_flag) - 1
key_byte_6 = encrypted_flag[last_index] ^ 0x7D # 0x7D是'}'
key.append(key_byte_6)
full_key = bytes(key)
decrypted = xor(encrypted_flag, full_key)
print(decrypted)
# b'FMCTF{X0R_1S_L1K3_MAGIC_0x1}'
import random
from Crypto.PublicKey import RSA
from Crypto.Util.number import *
def nextPrime(prim):
if isPrime(prim):
return prim
else:
return nextPrime(prim+1)
p = getPrime(512)
q = nextPrime(p+1)
while p%4 != 3 or q%4 !=3:
p = getPrime(512)
q = nextPrime(p+1)
n = p*q
m = bytes_to_long( open('flag.txt','rb').read() )
c = pow(m, e, n)
rsa = RSA.construct((n, e))
print(rsa.exportKey().decode())
print(f"cipher: { long_to_bytes(c) }")
'''
-----BEGIN PUBLIC KEY-----
MIGcMA0GCSqGSIb3DQEBAQUAA4GKADCBhgKBgGjpRi/Hr5oN5NS219dZrq6nW7AC
Y7fUItXAvbgy0TtagVKO2goQiOssL331b7zRjMvdHkEBR4bTd+hHblmynO+2//fz
4DmVgdgMnrP54+2RSzguEGS1ONX4MpJonBsEGGc1IOiKECiwIbl4DkyTxl6AnFsz
ZI2E+lLDZnX5P44FAgEQ
-----END PUBLIC KEY-----
cipher: b'\x10\xc4\xbf\xfapg\xee\x00\xe4\xcd\x00\xb4i\xf5\x801\xdd\xafm\xb1\xad\x8dy\x01\xaa\x14\xd1\xa3\x14[\xdf\xc8c\xb1\xf4\xcb\xcf\xf0\xf9\x83\x85%\x19\xd2d>N\x9aR\xa4\xba\xc9\xda\xd8\xe4\xa2\x9cg%.\xac\xd7\xb5\x95\x7f\x87\x04?\xf7\xe4\x06(\xe7l\x1c"c\x95\x90z\xd4\x8b\x9f\x1b\x00\xc67\xe4\x82g\xc4b\x10\x8c\xe7s[\x95-TB+Z;\xe4\x00\x11<\xc51K\xec\x94ZL\xb2\xf9\x7fp<\xe6C\xf8\x7f\x90\x0bG\xcf'
'''
这题涉及了基本的对rsa的pem文件使用, 可以使用Crypto库自带的解析工具直接获取n, e参数, 然后找到p, q相近, 可以直接开根去找相邻素数, 密码手快乐题了. 拿到结果后实际上是无法直接求出私钥的, 因为存在以下信息:
p = getPrime(512)
q = nextPrime(p+1)
while p%4 != 3 or q%4 !=3:
p = getPrime(512)
q = nextPrime(p+1)
p, q均满足模4于3, 在获取e的时候会发现能被4整除, 在求phi时p-1, q-1也均能够被4整除, e与phi不互素, 无法直接使用其中一个素数取phi求解, 也就是说存在以下情况:
\[\begin{matrix} gcd(e, (q-1)) = 4 \\ gcd(e, (p-1)) = 4 \end{matrix}\]这里需要使用中国剩余定理直接取出flag, 可以使用以下方法获取p与q的根:
def find_res(gen):
R = PolynomialRing(Zmod(gen), 'x')
x = R.gen()
f = x ** e - c
f = f.monic()
res = f.roots()
return res
函数求解的res是多项式\(f=x^e-c\)在模gen(即分别是p与q)意义下的根, 其中c是密文数据, \(x^e\mod{gen}\)中的x为模gen意义下的密文信息, 分别调用p, q可以得到不同模gen意义下与flag加密数据的差值, 多项式的sage函数可以参考sakana联队的维护sage文档1. 求解如下所示:
from sage.all import *
from Crypto.PublicKey import RSA
from Crypto.Util.number import *
import gmpy2
def find_res(gen):
R = PolynomialRing(Zmod(gen), 'x')
x = R.gen()
f = x ** e - c
f = f.monic()
res = f.roots()
return res
rsa = '''-----BEGIN PUBLIC KEY-----
MIGcMA0GCSqGSIb3DQEBAQUAA4GKADCBhgKBgGjpRi/Hr5oN5NS219dZrq6nW7AC
Y7fUItXAvbgy0TtagVKO2goQiOssL331b7zRjMvdHkEBR4bTd+hHblmynO+2//fz
4DmVgdgMnrP54+2RSzguEGS1ONX4MpJonBsEGGc1IOiKECiwIbl4DkyTxl6AnFsz
ZI2E+lLDZnX5P44FAgEQ
-----END PUBLIC KEY-----
'''
cipher = b'\x10\xc4\xbf\xfapg\xee\x00\xe4\xcd\x00\xb4i\xf5\x801\xdd\xafm\xb1\xad\x8dy\x01\xaa\x14\xd1\xa3\x14[\xdf\xc8c\xb1\xf4\xcb\xcf\xf0\xf9\x83\x85%\x19\xd2d>N\x9aR\xa4\xba\xc9\xda\xd8\xe4\xa2\x9cg%.\xac\xd7\xb5\x95\x7f\x87\x04?\xf7\xe4\x06(\xe7l\x1c"c\x95\x90z\xd4\x8b\x9f\x1b\x00\xc67\xe4\x82g\xc4b\x10\x8c\xe7s[\x95-TB+Z;\xe4\x00\x11<\xc51K\xec\x94ZL\xb2\xf9\x7fp<\xe6C\xf8\x7f\x90\x0bG\xcf'
c = bytes_to_long(cipher)
data = RSA.import_key(rsa)
n = data.n
e = data.e
temp=gmpy2.iroot(n,2)[0]
p = gmpy2.next_prime(temp)
q = n//int(p)
phi = (n-1)*(q-1)
for i in find_res(p):
for j in find_res(q):
# 中国剩余定理
m =crt([int(i[0]),int(j[0])],[p,q])
flag = long_to_bytes(m)
if flag.startswith(b'FMCTF{'):
print(flag)
# b'FMCTF{S0lv3d_w1th_R4b1n_fx777}'
from math import gcd
from Crypto.Util.number import getPrime, inverse
from random import randint
import secrets
import time
with open("flag.txt") as f:
flag = f.readline()
class Paillier:
def __init__(self, bits):
self.bits = bits
self.pub, self.priv = self.keygen()
def lcm(self, a, b):
return a * b // gcd(a, b)
def keygen(self):
while True:
p = getPrime(self.bits)
q = getPrime(self.bits)
if p != q:
break
n = p * q
Lambda = self.lcm(p - 1, q - 1)
g = n + 1
mu = inverse(Lambda, n)
return ((n, g), (Lambda, mu))
def encrypt(self, m):
(n, g) = self.pub
n_sq = n * n
while True:
r = randint(1, n - 1)
if gcd(r, n) == 1:
break
c = (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq
return c
def decrypt(self, c):
(n, g) = self.pub
(Lambda, mu) = self.priv
n_sq = n * n
x = pow(c, Lambda, n_sq)
m = (((x - 1) // n) * mu) % n
return m
def get_keys(self):
return self.pub, self.priv
if __name__ == "__main__":
print("Welcome to the Secure Gate Challenge!")
paillier = Paillier(256)
pub, priv = paillier.get_keys()
print('(n,g)=', pub)
nums = [secrets.randbits(16) for _ in range(4)]
res = (nums[0] + nums[1]) + (nums[2] - nums[3])
ciphers = [paillier.encrypt(i) for i in nums]
print('c1 =', ciphers[0])
print('c2 =', ciphers[1])
print('c3 =', ciphers[2])
print('c4 =', ciphers[3])
try:
start_time = time.time()
pass_code = int(input("Can you open the gate? If so, insert the passcode fast: "))
if time.time() - start_time > 60:
print("Too slow! Time's up!")
exit()
pass_decode = paillier.decrypt(pass_code)
if res == pass_decode:
print(f"Wow! You opened it, The flag is: {flag}")
else:
print("Nope, Maybe next time :(")
except Exception as e:
print("Invalid input or error occurred:", str(e))
exit()
Paillier同态加密问题2, 运行题目可以得知需要使用给出的四个密文c1、c2、c3、c4计算出\(c1*c2*c3*c4^{-1}\mod {n^2}\), 然后把结果作为pass_code输入, 其中(n, g)是已知的, 可以直接提取计算n_sq = n * n, 求出密文. 值得注意的是里面进行了时间限制, 推荐使用pwntools直接交互.
from pwn import *
import re
#r = remote('seal-the-deal.fmc.tf',2003)
r = process(['python', 'server.py'])
r.recvline()
pub_line = r.recvline().decode().strip()
n, g = map(int, re.findall(r'\d+', pub_line))
ciphers = []
for _ in range(4):
line = r.recvline().decode().strip()
c = int(line.split(' = ')[1])
ciphers.append(c)
c1, c2, c3, c4 = ciphers
n_sq = n * n
product = (c1 * c2) % n_sq
product = (product * c3) % n_sq
inv_c4 = pow(c4, -1, n_sq)
pass_code = (product * inv_c4) % n_sq
r.sendline(str(pass_code).encode())
print(r.recvall())
# b'Can you open the gate? If so, insert the passcode fast: Wow! You opened it, The flag is: FMCTF{P41ll13r_h0m0m0rph1c_3n4bl35_c0mpu7at10n_0n_c1ph3r5}'
#!/usr/local/bin/python
import random
import time
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
MAX_ATTEMPTS = 1000
def encrypt_flag(flag):
key = random.getrandbits(128).to_bytes(16, 'big')
iv = random.getrandbits(128).to_bytes(16, 'big')
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = cipher.encrypt(pad(flag.encode(), AES.block_size))
return encrypted
def main():
random.seed(time.time())
encrypted_flag = encrypt_flag(open('./flag.txt').read())
print("\n✨ Welcome to the **Guess the Number Challenge v1**! ✨")
print("🕵️♂️ Can you uncover the secret behind the encrypted flag?")
print("📜 Use your intelligence, strategy, and the hints provided to succeed!")
print("Your task: Use your wits and strategy to uncover hints to decrypt the flag.")
print(f"\nHere is your encrypted flag: \n{encrypted_flag.hex()}")
print("\nBut don't worry, I'm generous. I've precomputed 1000 random hints for you!")
print(f"You have {MAX_ATTEMPTS} attempts to guess the right index.\n")
hints = [random.getrandbits(32) for _ in range(1000)]
for attempt in range(1, MAX_ATTEMPTS + 1):
print(f"Attempt {attempt}/{MAX_ATTEMPTS}")
try:
index = int(input("Enter an index (0-999): ").strip())
if 0 <= index < 1000:
print(f"🔑 Hint at index {index}: {hints[index]}")
else:
print("❌ Invalid index! Please enter a number between 0 and 999.\n")
except ValueError:
print("❌ Invalid input! Please enter a valid integer.\n")
print("\n✨ Your attempts are over! But don't give up just yet.")
print("✨ Your attempts are over! Good luck solving the challenge!\n")
print("🔍 Don't forget: The key to solving the challenge lies in these random hints. Goodbye!")
if __name__ == "__main__":
main()
这两题差不多, 可以直接参考下面.
#!/usr/local/bin/python
import os
import random
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
MAX_ATTEMPTS = 10
def encrypt_flag(flag, iv):
key = random.getrandbits(128).to_bytes(16, 'big')
cipher = AES.new(key, AES.MODE_CBC, iv*2)
encrypted = cipher.encrypt(pad(flag.encode(), AES.block_size))
return encrypted
def main():
secureSeed = os.urandom(8)
random.seed(secureSeed)
hints = [random.getrandbits(32) for _ in range(624)]
encrypted_flag = encrypt_flag(open('./flag.txt').read(), secureSeed)
print("\n✨ Welcome to the **Guess the Number Challenge v2**! ✨")
print("🕵️♂️ Your mission: Decode the encrypted flag by uncovering critical hints.")
print("📊 We've precomputed 624 random numbers using a secure PRNG.")
print(f"❗ But there's a catch: You can only access {MAX_ATTEMPTS} of them.")
print("🔑 Choose your indices wisely to uncover the key!")
print("\n📜 Instructions:")
print("1️⃣ You have 624 unique random numbers that are critical for decrypting the flag.")
print("2️⃣ Enter an index (0-623) to reveal a hint.")
print(f"3️⃣ You only have {MAX_ATTEMPTS} attempts, so choose wisely!")
print("4️⃣ Use your understanding of randomness to crack the secure seed.")
print(f"\n🔒 Here is your encrypted flag: \n{encrypted_flag.hex()}")
print(f"\nGood luck! You have {MAX_ATTEMPTS} attempts to guess the correct index.\n")
for attempt in range(1, MAX_ATTEMPTS + 1):
print(f"Attempt {attempt}/{MAX_ATTEMPTS}")
try:
index = int(input("Enter an index (0-624): ").strip())
if 0 <= index < 624:
print(f"Hint at index {index}: {hints[index]}\n")
else:
print("❌ Invalid index! Please enter a number between 0 and 624.\n")
except ValueError:
print("❌ Invalid input! Please enter a valid integer.\n")
print("✨ Your attempts are over! Good luck solving the challenge!\n")
print("🔍 Remember, the flag is encrypted. Use your hints wisely. Goodbye!")
if __name__ == "__main__":
main()
可以使用random库POC脚本进行攻击,3, 有点麻烦, 刚好最近忙, 有时间单独开一个博客写.
sakana_ctf.欢迎来到Sage社区[EB/OL].gitee.https://gitee.com/sakana_ctf/sagemath/blob/master/sakana/polynomial/basic.md.2023-11-22 ↩
| joey.应用密码学 | Paillier同态加密算法简介[EB/OL].gitee.https://zhuanlan.zhihu.com/p/557034854.2023-08-29 |
StackeredSAS.Python random playground[EB/OL].github.https://github.com/StackeredSAS/python-random-playground.2024-04-16 ↩
与题主面临了差不多的困境, 搜索了一下刚好找到文章, 于是也学着修改并记录一下. 首先是解包, 看起来似乎是一个electron程序, chromium加一(悲):
cd resources
# 解包asar文件
npx asar extract app.asar app
# 打包asar文件
npx asar pack app app.asar
这里的npx实际来自于nodejs的npm管理包, 但是我在archwiki上反应过archwsl1不兼容的问题1, 虽然明确是二进制文件/usr/sbin/node存在问题, 但目前没能力解决, 当前使用的替代方案是直接在官网下载, 官网的包是直接包含npx的2.
这里在学习时先照着改了一下功能, 直接找到./app/dist/electron/main.js文件, 其中有函数function Bt(e), 测试了一下, 主题是有上限的(会出bug), 只能直接修改掉其他主题(这里是把one dark主题改掉了, 感觉属于很没什么用的主题):
function Bt(e) {
const { theme: t } = e.getAll();
return {
label: "&Theme",
id: "themeMenu",
submenu: [
//...
{
label: "Sakana Light",
type: "radio",
id: "graphite",
checked: "graphite" === t,
click(e, t) {
Oe("graphite");
},
},
],
};
}
找到./app/dist/electron/renderer.js如下形式的文件:
46024: (e, t, i) => {
"use strict";
i.r(t), i.d(t, { default: () => s });
var n = i(87537),
o = i.n(n),
r = i(23645),
a = i.n(r)()(o());
a.push([
e.id,
":root {...", // 这里是对应的主题css信息, 虽然是一条长串, 不过可以通过一些特殊手法解决.
"",
{
version: 3,
sources: [
"webpack://./src/renderer/assets/themes/one-dark.theme.css",
],
names: [],
mappings:
"AAAA;EACE,SAAS...",
sourceRoot: "",
},
]);
const s = a;
},
这里直接复制到新的css的信息到新的文件(比如theme.css), 因为存在格式化字符, 可以使用python完成格式化:
Reverse = True#False
with open("theme.css", "r") as f:
data = f.readlines()
if Reverse:
new_data = data[0].replace('\\r','\r').replace('\\n', '\n')
else:
new_data = ''
for i in data:
new_data += i[:-1].replace('\r', '\\r')
new_data += '\\n'
new_data = new_data
with open("theme.css", "w") as f:
f.write(new_data)
将python文件保存在theme.css相同路径, 并通过修改Reverse为True和False实现还原文件格式.
我挺喜欢的居中来着, UIysses的标题居中其实做得挺好, 不过做的是只要属于标题一律居中, 我期望的是大标题居中, 小标题依然左对齐, 于是在编辑过程中可以添加上:
/* --- Font type ------------------------------------------------ */
h1, h2, h3 {
text-align: center;
}
稍微改完主题以后稍微往上翻一下, 同样是./app/dist/electron/renderer.js中也存在导出配置的编辑内容, 我认为默认改为自己编写的导出的内容, 可以先定义到if ("academic" === d)位置, 重写成以下逻辑:
if ("academic" === d) {
const { userDataPath: e } = global.marktext.paths,
t = ne().join(e, "themes/export", d);
if ((0, Bt.zE)(t))
try {
h += We().readFileSync(t, "utf8");
} catch (e) {}
}
else if ("liber" === d) h += TA();
else {
h += SA();
}
但是实际测试了一下并没有生效, 反而出现了奇怪的问题, 至于导出文件的模板可以直接参考修改主题.
其实很多问题到后面反而没有解决, 最近一堆事情忙得不可开交, 也发现了默认博客的一堆局限, 有时间想重新偷个框架来慢慢改, 后续要是能把单文件打开的问题一起解决的话再好好重写一下这篇记录.
CryingN.wsl1安装nodejs无法运行[EB/OL].archwiki.https://bbs.archlinuxcn.org/viewtopic.php?pid=62419#p62419.2025-03-04 ↩
古兰精.linux服务器安装nodeJS步骤及踩坑记录(解决node -v报错cannot execute binary file: Exec format error的问题 - 在Linux中安装适用于arm64位的nodejs)以及node环境项目部署[EB/OL].博客园.https://www.cnblogs.com/goloving/p/14788900.html.2021-05-20 ↩
“男娘”是一个源自日本的俚语,用于描绘男性在穿着或性格上展现出的女性特质。它既可以指代跨性别者,即那些生理上为男性但心理上认同为女性或具有女性特质的人,也涵盖那些出于爱好或表演需要而扮演女性角色的男性。在日本,男娘文化已经发展得相对成熟,并受到了一定的社会关注1。
随着全球化的进程,男娘文化逐渐从日本传播到其他国家,包括中国等。在中国,男娘文化也逐渐受到一些年轻人的关注和追捧,特别是在二次元文化、cosplay等领域中。
男娘文化在不同国家和地区的社会接受度存在差异。在一些地方,男娘仍然被视为异类文化,受到社会的歧视和排斥。然而,在一些时尚和文化活动中,如cosplay和舞蹈演出等,男娘文化也受到了一定的欢迎和接受。
男娘群体通常具有一些共同的特征,如柔软的发丝、娇嫩的皮肤、小巧的身材等女性化的外表特征。他们的言谈举止也通常更加柔和、温暖,表现出女性的柔弱及美好。此外,男娘的爱好也更加多元化,可能包括看恋爱剧、购物、跳舞、唱歌和做手工艺品等女性化的爱好。
男娘现象的发展还受到多种心理因素的影响。例如,家庭环境、社会环境等对男性心理的影响可能导致一些男性在性别认同上产生困惑或偏差。变声期声调异常、环境雌激素等生理因素也可能对男性产生女性化倾向起到一定作用。
男娘现象不仅仅是对性别认同和表达的一种探索,更深刻反映了社会对男性和女性角色定位的刻板印象和束缚。在私有制为主导的经济体制下,青少年和年轻人普遍面临着就业竞争激烈、经济压力巨大的挑战。这些压力可能促使他们寻求一种能够暂时逃离现实的方式来舒缓内心的焦虑和矛盾。因此,“男娘”现象可以视为这些个体在面对社会现实和阶级差异时的一种自我表达和寻求认同的方式。
当前主要从社会学, 统计学和心理学等角度对南梁现象进行了一定的研究。
通过文献研究方法,从测量工具、调查过程和估计结果3个方面分别梳理了西方国家和中国的当前对于男娘现象的研究,这些研究试图通过收集男娘群体的基本信息(如年龄、性别认同、兴趣爱好等)来描绘这一群体的特征,然而,由于男娘群体相对小众且分散,数据收集的难度较大,导致目前关于男娘现象的统计数据相对有限,且可能存在偏差2。
尽管数据有限,但一些研究仍然尝试对男娘现象进行趋势分析。例如,通过观察社交媒体上关于男娘话题的讨论热度、男娘相关产品的销量等数据,来推断男娘现象的流行程度和发展趋势。
这些分析表明,男娘现象在某些地区和群体中呈现出逐渐增长的趋势,尤其是在年轻一代中更为普遍。
统计学研究还关注男娘现象背后的社会背景和影响因素。例如,性别角色的模糊化、社会文化的多元化以及互联网的普及等因素都被认为是推动男娘现象发展的重要因素。
这些因素共同作用于社会结构之中,使得越来越多的男性开始探索和尝试不同的性别表达方式,包括男娘这种相对边缘化的性别表达方式。
心理学研究认为,男娘现象反映了部分男性在性别认同上的困惑和探索。这些男性可能对传统性别角色定位感到不满或压抑,因此通过男娘这种性别表达方式来寻求自我认同和内心满足。
心理动力学理论认为,男娘现象可能源于个体在成长过程中对性别角色的冲突和矛盾。这些冲突和矛盾在个体心理内部产生张力,进而推动个体去探索和尝试不同的性别表达方式。
对于男娘现象的研究仍然存在着一些局限。例如,数据收集的困难导致研究结果可能存在偏差;研究方法相对单一,缺乏跨学科的综合研究;对男娘现象的社会文化背景和深层次心理机制的探讨还不够深入等。
综上所述,当前对于男娘现象的研究在统计学和心理学等学术领域都取得了一定的进展,但仍然存在着一些局限和挑战。未来需要进一步加强跨学科的综合研究,采用更加多样化和创新性的研究方法,以全面深入地探讨男娘的现象。
以下参考个人体质, 服装, 姿态三个维度对男娘的特征进行分析3.
男娘的个人体质可能因个体差异而异,但一般而言,他们可能更注重身体的保养和塑造,以适应女装的需求。一些男娘可能会通过健身、饮食调整等方式来改善身体线条,使自己更符合女性化的审美标准。
有氧运动是消耗卡路里、减少体脂的最佳选择,有助于全身脂肪的燃烧,减少体脂率,塑造健康的身体线条, 以跑步、游泳、跳绳、骑自行车等有氧运动为益, 力量训练可以通过提升肌肉量来塑造身体曲线,尤其是针对女性想要塑造的胸部、腰部和臀部曲线, 但是过度进行力量训练会导致肌肉线条过于硬朗,反而与女性化气质不符, 应考虑适当为益。
人体所需的七大营养素是指:碳水化合物、脂肪、蛋白质、水、微生素、矿物质和膳食纤维。这些营养素在人体的功效包括:提供能量、构成和修复机体组织、调节代谢以维持机体的正常生理和生化功能。可见,饮食营养的合理与否直接关系机体功能4。
减脂阶段应当保持轻微的热量赤字,而增肌阶段则需要摄入适量的热量盈余, 可以通过计算每日基础代谢率(BMR)5:
\[基础代谢率 = ((脉率 + 脉压差) - 111) * 100\%\]并根据个人目标(减脂、增肌或保持体型)设定适合的热量摄入目标, 蛋白质是肌肉生长和修复的基础,对于塑造女性化身体线条至关重要, 建议每公斤体重摄入1.5-2克的优质蛋白质, 碳水化合物应适当控制在能够为运动提供能量即可,建议多选择谷物、蔬菜、水果等富含纤维的碳水来源, 脂肪有助于体内激素的分泌、皮肤的健康等,建议选择橄榄油、坚果、鱼类等富含不饱和脂肪的食品。
同时,男娘也应该关注自己的皮肤状况,保持肌肤的细腻和光滑,为化妆打下良好的基础, 为了提升男娘的整体形象,更加符合女性化的审美标准,化妆品的选择、化妆品的应用以及指甲护理都是非常重要的方面。以下是对这三个方面的详细分析。
其中洁面产品应选择温和、无刺激的洁面乳或洁面啫喱,以去除面部污垢和多余油脂,保持肌肤清洁, 使用含有保湿成分的爽肤水,以平衡肌肤水油平衡,为后续护肤打下良好基础, 根据肤质可以选择适合自己的面霜或乳液,以提供必要的滋润和保湿。
底妆可以选择质地轻薄、易于涂抹的BB霜或CC霜,以均匀肤色、遮盖瑕疵,使肌肤看起来更加细腻、有光泽, 瑕疵膏可以针对黑眼圈、痘痘、色斑等进行瑕疵,可以选择与自己肤色相近的遮瑕膏进行遮盖。
彩妆主要分为眼影、眼线、睫毛膏和唇膏等,以突出眼部轮廓、增加眼部立体感、放大眼睛效果以及增添唇部魅力, 其中可以进行如下选择:
在涂抹底妆产品时,可采用拍打或按压的方式,使产品更加贴合肌肤,避免产生厚重感。应该注意颈部与面部的色差,可选择与面部肤色相近的底妆产品,对颈部进行适当修饰,使整体肤色更加均匀。
在画眼影时,可采用渐变色的方式,从眼窝处向眼尾逐渐加深颜色,以营造出层次感。画眼线时,可沿着上眼睑轻轻描绘,注意保持线条流畅、自然。刷睫毛膏时,可采用Z字形刷法,从睫毛根部开始刷起,使睫毛更加浓密、卷翘。
在涂抹唇膏或口红前,可先使用润唇膏进行打底,以保持唇部滋润、柔软。根据个人肤色和喜好,选择合适的唇膏或口红颜色进行涂抹。涂抹时可采用从中间向两侧的方式,使唇色更加均匀、自然。
应该定期修剪指甲,保持指甲长度适中。过长的指甲容易断裂、感染,适度修剪可减少相关风险, 选用合适的产品温和去除手部死皮,通常一周一次即可。过度角化会导致指甲变厚、不平滑,影响外观及功能。
款式选择:男娘在服装选择上通常倾向于女性化的款式,如连衣裙、短裙、高跟鞋、丝袜等。他们可能会根据自己的喜好和身材特点来挑选合适的服装,以展现自己的女性魅力。
细节处理:男娘在服装细节上也十分讲究,如领口、袖口、裙摆等部位的设计和处理。他们可能会通过精致的细节来提升自己的整体形象,使自己更加符合女性化的审美标准。
身体语言:男娘在姿态上通常会注重女性化的身体语言,如优雅的坐姿、轻盈的步态等。他们可能会通过观察女性模特或学习女性舞蹈等方式来提升自己的姿态和气质。
表情管理:男娘在表情管理上也可能更注重女性化的表达,如微笑、眨眼等动作。这些表情的运用可以使他们看起来更加温柔、可爱,增强整体的女性化效果。
自信展现:最重要的是,男娘在姿态上会展现出一种自信和从容。他们不会因为自己的特殊喜好而感到尴尬或不安,而是敢于展示自己的个性和风格,成为自己人生舞台上的主角。
从学术角度研究,“男娘”现象作为日本起源的一种文化表达,描绘了男性在穿着与性格上展现的女性特质,涵盖了跨性别者与角色扮演者。该文化随着全球化进程传播至包括中国在内的多国,尤其在二次元与cosplay领域受到年轻群体的关注。社会接受度因地域而异,但逐渐在某些文化和时尚活动中获得认可。
男娘群体通常具有女性化的外表特征、言谈举止及多元化爱好,其发展受家庭、社会及生理因素影响,反映了性别认同的困惑与探索,以及对传统性别角色束缚的挑战。当前研究主要从社会学、统计学和心理学角度展开,面临数据收集困难、研究方法单一等局限。
男娘特征分析涉及个人体质(如健身、饮食、皮肤保养)、服装选择与细节处理,以及女性化的身体语言、表情管理和自信展现, 未来研究需加强跨学科综合,采用多样化方法,以全面深入探讨男娘现象。
大门向外开123.男娘伪娘越来越多[EB/OL].CSDN.https://baijiahao.baidu.com/s?id=1815392855789209159&wfr=spider&for=pc.2024-11-11 ↩
杨雪燕.LGBT人群的数量估计:国际经验和中国挑战[J].中国性科学,2020,29(01):148-152. ↩
三叶.好想做个女孩子[M].一千零一夜COS剧社,2020. ↩
范龙泉,崔小珍.浅谈饮食营养与人体健康[J].智慧健康,2020,6(07):87-89.DOI:10.19335/j.cnki.2096-1219.2020.07.036. ↩
吕海宏.新编内分泌代谢疾病实验室手册[J].甘肃民族出版社.2016.25 ↩
以下是MT19937的实现代码1:
def _int32(x):
return int(0xFFFFFFFF & x)
class MT19937:
def __init__(self, seed):
self.mt = [0] * 624
self.mt[0] = seed
self.mti = 0
for i in range(1, 624):
self.mt[i] = _int32(1812433253 * (self.mt[i - 1] ^ self.mt[i - 1] >> 30) + i)
def twist(self):
for i in range(0, 624):
y = _int32((self.mt[i] & 0x80000000) + (self.mt[(i + 1) % 624] & 0x7fffffff))
self.mt[i] = (y >> 1) ^ self.mt[(i + 397) % 624]
if y % 2 != 0:
self.mt[i] = self.mt[i] ^ 0x9908b0df
def getstate(self):
if self.mti == 0:
self.twist()
y = self.mt[self.mti]
y = y ^ y >> 11
y = y ^ y << 7 & 2636928640
y = y ^ y << 15 & 4022730752
y = y ^ y >> 18
self.mti = (self.mti + 1) % 624
return _int32(y)
其中_int32(x)函数用于强制将数据取到32bits, MT19937类中的函数可以稍微花点时间分析一下.
初始函数__init__()中, 初始化624个32bits的随机数储存在mt列表中, 其中初始种子往后具有(1812433253 * (self.mt[i - 1] ^ self.mt[i - 1] >> 30) + i) % 2^32的随机关系, 置初始的mt列表指针mti=0.
生成32位的随机数y, 如果指针走完mt列表的一轮, 则调用twist()旋转mt列表, mti指针
如果能获得连续的624个32bits数据(或者说需要获取19968bits数据), 就可以获取算法的所有状态2.
catalyst.梅森旋转算法(MT19937)及其逆向详解[EB/OL].知乎.https://zhuanlan.zhihu.com/p/599672127.2024-02-05. ↩
huangx607087.huangx607087对PRNG-MT19937的深一步学习[EB/OL].个人博客.https://huangx607087.online/2021/07/10/Explore-MT19937/#0x03-%E7%BB%99%E5%87%BA%E4%BB%BB%E6%84%8F19937%E4%B8%AAbit-upd-2025-01-22.2021-07-10. ↩
VTF开发过程中我们想引入插件概念, 其中vpn实现内网功能是我们很在意其中一种插件, 于是我们决定从wireguard开始学习, 在学习之前更重要的是能把程序先用起来. 于是跟着学了一下部署流程. WireGuard与其他VPN项目相比,代码量小、性能高、配置简单, 是基于udp传输的高效vpn。
以debian为例安装wireguard:
sudo apt install wireguard
wg -v
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
除此以外还需要安装以下配置工具:
sudo apt install iptables
我认为在组内赋予满权限已经够了, 只给了770权限, 有时间慢慢研究一下最小权限分配应该怎么做好一点1, 在/etc/wireguard生成服务器的公私钥对:
cd /etc
chmod 770 wireguard
cd wireguard
umask 077
mkdir key
wg genkey | tee server_privatekey | wg pubkey > key/server_publickey
除此之外进行通信还需要配置对应的客户端公私钥对发起访问:
wg genkey | tee client[编号]_privatekey | wg pubkey > key/client[编号]_publickey
创建配置文件/etc/wireguard/wg0.conf:
echo "[Interface]
Address = # ifconfig:ip/24 服务端虚拟网段
SaveConfig = true
PrivateKey = $(cat server_privatekey)
ListenPort = 7890
[Peer]
PublicKey = $(cat client_publickey)
AllowedIPs = # ifconfig:ip + 1/32 client1虚拟网段
[Peer]
PublicKey = $(cat client_publickey)
AllowedIPs = # ifconfig:ip + 1/32 client2虚拟网段
" > wg0.conf
如果设置本地防火墙需要放行对应端口, 如上文配置需要放行7890/udp:
sudo ufw allow 7890/udp
这里采用了腾讯云服务器, 直接设置安全组放行对应端口即可.
# 启动WireGuard
wg-quick up wg0
# 停止WireGuard
wg-quick down wg0
可以通过以下代码快速重启服务:
wg-quick down wg0 && wg-quick up wg0
客户端可以分别配置规则如下的配置文件:
echo "[Interface]
PrivateKey = $(cat client_privatekey)
Address = # ifconfig:ip+1/24 客户端对应预设的虚拟网段
ListenPort = 8080
DNS = 8.8.8.8
[Peer]
PublicKey = $(cat server_publickey)
Endpoint = [服务器IP地址]:7890
AllowedIPs = [VPN虚拟网段]/24, [内网资源网段]/24
PersistentKeepalive = 25" > client.conf
我们可以通过访问内网资源的ip测试连接是否成功:
ping [内网IP]
如果发包成功则说明基础的VPN搭建成功.
在VPN部署中存在让客户端的所有网络流量都经由服务器的公网出口进行访问的手段, 这种功能被称为全隧道模式, 全隧道模式需要做到虚拟网段搭建、流量转发、NET地址伪造3个部分, 为了使流量通经由服务器访问, 需要设置客户端配置:
AllowedIPs = 0.0.0.0/0
在服务器中可以通过以下方式设置流量转发:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
在配置项可以对配置文件/etc/wireguard/wg0.conf进行以下预设:
PostUp = iptables -t nat -A POSTROUTING ! -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -j MASQUERADE
用于在开启或结束时自动配置NET中MASQUERADE的转发规则.
有时候反复设置往往会使规则出现问题, 以至于无法有效转发流量, 可以通过以下脚本验证net规则:
sudo iptables -t nat -L -n -v
可以检查POSTROUTING段是否有一条固定的规则在正常转发, 如果出现冲突需要进行重设, 以下提供一个最基础的方法清理所有POSTROUTING规则:
sudo iptables -t nat -F POSTROUTING
systemctl enable wg-quick@wg0
杨林伟.组网神器WireGuard安装与配置教程(超详细)[EB/OL].CSDN.https://blog.csdn.net/qq_20042935/article/details/127089626.2022-09-28. ↩
想养女儿了, 结果只是想让女儿能听见就好困难, 作为一个微调苦手, 后来想了一下, 还是好好地重新开始从deepseek-r1学习, 才发现在进行小模型部署中存在了大量正常情况不会面临的问题, 于是打算在解决过程中把情况记录一下, 方便大家解决问题. 作为开源产品, 相比起望而却步不如先用起来.
这也是一个比较抽象的问题, 数据源比较容易, 直接在huggingface找到最小模型, 考虑到大部分人难以下载, 也可以从镜像源进行拉取, 以下提供了hf-mirror. 但是源码在GitHub找到deepseek-r1会发现里面竟然只有论文, 喵了个咪, 谁教你这么用仓库的. 但是问题不大, 说明书有如下提示:
DeepSeek-R1 Models Please visit DeepSeek-V3 repo for more information about running DeepSeek-R1 locally.
NOTE: Hugging Face’s Transformers has not been directly supported yet.
注意了, 官方有说撇开责任说: 没有直接支持, 这是人干的事吗?! 可以先去deepseek-v3获取源码及相关说明书, 然后根据说明书调试下载的r1数据, 出问题的话就是后话了.
跟随运行调整数据:
python convert.py --hf-ckpt-path /app/inference/DeepSeek-V3 --save-path /app/inference/DeepSeek-V3-Demo --n-experts 128 --model-parallel 4
可能会面临以下情况:
0%| | 0/163 [00:00<?, ?it/s]
Traceback (most recent call last):
File "convert.py", line 96, in
main(args.hf_ckpt_path, args.save_path, args.n_experts, args.model_parallel)
File "convert.py", line 51, in main
with safe_open(file_path, framework="pt", device="cpu") as f:
safetensors_rust.SafetensorError: Error while deserializing header: HeaderTooLarge
我在#557上有帮忙过这个问题, 根源是git-lfs插件没有使用好, 导致.safetensors文件下载失败(或者假成功, 可以比较以下文件大小和hash), 可以通过下载lfs插件进行拉取:
apt install git git-lfs
git lfs install
git lfs clone https://...
对于archlinux可以使用:
sudo pacman -S git git-lfs
git lfs install
git clone https://...
或者直接在源上一个一个下载数据文件, 好处是到底有没有下载成功是明显能看见的, 解决以后应该可以正常处理了(吗?)
可以参考#330, 很遗憾我注意到的时候这个issues已经关闭了, 我们可以分析一下错误信息:
file: convert.py. line 63: assert key in mapping
这是在使用convert.py脚本的过程中爆出的经典错误, 对main()函数(实际上函数内传入了4个变量, 不过因为只是对错误进行整理, 且官方代码中已经对变量进行了解释, 我们无需对变量进行研究)进行分析, 通过调试可以发现在model中R1的key模型节点相比R3预设中多了k_proj和v_proj节点, 我第一反应是找ds问个明白, 得到提示模型可能是其他的架构(如LLaMA).
这里有个小插曲, 朋友有使用oLLama快速部署了一个简单的模型, 但因为是被封装好的, 自行调整这一步相对会变得麻烦, 我还是想试试能不能尽可能透明地处理好属于自己的模型.
关键是”LLama”这个东西, 因为ds提出了在我认知中重合的东西, 且这个名字在其他deepseek-r1的相关数据模型中也存在过, 于是我尝试去了解了Llama, Llama是由Meta开源出来的一个大模型.
我们的思路应该换一换, 现在来认识一下DeepSeek-r1数据源的名字吧:
很遗憾Qwen的官方群并没有给出一个明确的回复(可能负责答疑的人也不理解那些节点到底是用来做什么的吧, 笑), 不过我找到了这样一段代码1:
from transformers import AutoTokenizer, AutoModelForCausalLM
import torch
class DeepSeekModel:
def __init__(self, model_path="./DeepSeek-R1-Distill-Qwen-1.5B"):
self.device = "cuda" if torch.cuda.is_available() else "cpu"
print(f"Using device: {self.device}")
# 加载tokenizer和模型
self.tokenizer = AutoTokenizer.from_pretrained(model_path, trust_remote_code=True)
self.model = AutoModelForCausalLM.from_pretrained(
model_path,
trust_remote_code=True,
torch_dtype=torch.float16 if self.device == "cuda" else torch.float32
).to(self.device)
# 设置模型为评估模式
self.model.eval()
def generate_response(self, prompt, max_length=2048, temperature=0.7):
try:
# 对输入进行编码
inputs = self.tokenizer(prompt, return_tensors="pt").to(self.device)
# 生成回答
with torch.no_grad():
outputs = self.model.generate(
**inputs,
max_length=max_length,
temperature=temperature,
top_p=0.9,
pad_token_id=self.tokenizer.pad_token_id,
eos_token_id=self.tokenizer.eos_token_id
)
# 解码输出
response = self.tokenizer.decode(outputs[0], skip_special_tokens=True)
return response
except Exception as e:
print(f"生成回答时发生错误: {str(e)}")
return None
def main():
# 初始化模型
model = DeepSeekModel()
# 测试对话
while True:
user_input = input("\n请输入您的问题 (输入 'quit' 退出): ")
if user_input.lower() == 'quit':
break
response = model.generate_response(user_input)
if response:
print("\nDeepSeek:", response)
if __name__ == "__main__":
main()
当然在正式运行的时候最好根据自己的系统情况改善到适合运行, 但是我们应该明确重要的是, 至少现在我们可以用上这些我们不知道用途的数据了, 接下来 需要以这些代码为基础进行调试, (下次接着写).
很遗憾我曾以为这个问题能很快解决, 但是需要进行更麻烦的处理, 在一切成功后我会尝试重新整理一份源码以供使用.
很恨自己什么都不会, 每当看见身边的人努力后就能取得成绩, 相比之下自己是真的糟糕透了. 之前一场比赛因为自己的问题什么都没拿到, 结束后很痛苦, 有人问我以后有什么打算, 我说想好好学习一下AI了, 实际上一篇论文也没看懂.
后来刚好有deepseek的声音, 于是决定自己亲自部署一个(在此之前只是摸了一下minigpt, 源码看起来一言难尽), 过程中其实遇到了很多问题, 包括微调, 资源限制, 空闲时间太少等等等等, 我想起一位师傅说过: “要拼命地去学”, 实际上我也做不到拼命, 我太会逃避了, 不过很多人也是这样. 因为自己以往的一些经验, 遭遇错误后我尝试一点一点进行了排查, 才慢慢有了这篇文章, 往好了说我现在能够继续往下走了, 可是实际上从简历上看我也还是什么都没做到.
人生是一场痛苦的马拉松, 之前聊剧本的时候我想夹带一点私货, 我提出一个场景: 让女朋友抱着他说”没事了, 可以不用继续痛苦了”, 后来讨论了一下, 我们认为这个场景应该在死去以后以意识流的形式呈现. 虽然看起来有点地狱, 但是我有想过, 其实对于大部分人的痛苦是看不到尽头的.
越是温柔, 看到的越多, 也就越容易沉浸在绝望之中, 不想继续痛苦估计只有在一切结束了吧.
llama.本地化部署DeepSeek-R1-Distill-Qwen-1.5B[EB/OL].CSDN.https://blog.csdn.net/harebert/article/details/145392582.2025.01.29 ↩
第六届青少赛线下AWDP, 参考末心师傅的文档1, fix部分主要题目有四道:
经典的python类DJango框架, 文件结构为:
服务脚本用于定义Django框架, 直接找到app01/myfunc.py, 很容易可以找到简单的sql注入的waf:
def waf(sql):
blacklists = ['union select', 'sleep', 'benchmark', 'columns', 'load_file', 'local', 'outfile', 'dumpfile', 'file']
for blacklist in blacklists:
if blacklist in sql:
print(blacklist)
return False
return True
除此之外还有其他几个waf函数, 那么要想防止注入, 需要从可能的注口下手, 在vim中直接进行:/waf搜索找到对应的位置, 检查到在index类中存在一段函数:
sql = "select * from app01_user where username = '"+login_username+"';"
xiaoxi = ""
if waf(login_username):
cursor.execute(sql)
result = cursor.fettchall()
if result:
xiaoxi = result[0][3]
else:
xiaoxi = "No NO N0!"
很暴力的一个方法, 顺便学了一手, 除了eval以外execute函数也应该是一个要被重点检查的函数.
陌心师傅提供了一个基本的修复方法, 直接增强waf(这大概需要考察web手在处理手段的基本素养了, 多出题还是有好处的):
def waf(sql):
blacklists = ["union select", "sleep", "benchmark","columns","load_file","local","outfile","dumpfile","file","union","select",
"select","and","*","x09","x0a","x0b","x0c","x0d","xa0","x00","x26","x7c","or","into","from","where","join","sleexml","extractvalue","+","regex","copy","read","file","create","grand","dir","insert","link","server","drop","=",">","<",";"]
for blacklist in blacklists:
if blacklist in sql:
print(blacklist)
return False
return True
上了php的通防脚本, 防御成功了, 有时间我也写点自己的逆天想法(所以现在先鸽着).
golang会编译为二进制文件, 需要有强大的patch技巧, 这里只进行记录:
IDA64打开easygo文件, 找到loc_49B5DE处汇编显示:
loc__49B5DE:
xchg ax, ax
call main_backdoor
jmp short loc_49B5E9
继续追踪, 发现有调用cat /flag和/bin/bash两个部分, 既然是AWDP, 不难想象出官方的EXP, 直接暴力修改db部分, 将cat /flag修改为echo 1234, 个人思考了一下, 直接用retdec逆出来然后暴力改文件可能也是可以的?
function wafrce($str){
return !preg_match("/openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|scandir|assert|pcntl_exec|fwrite|curl|system|eval|assert|flag|passthru|exec|chroot|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore/i", $str);
}
function wafsqli($str){
return !preg_match("/select|and|\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleexml|extractvalue|+|regex|copy|read|file|create|grand|dir|insert|link|server|drop|=|>|<|;|\"|\'|\^|\|/i", $str);
}
function wafxss($str){
return !preg_match("/\'|http|\"|\`|cookie|<|>|script/i", $str);
}
function waf($s){
if (preg_match("/select|flag|union|\\$|'|"|--|#|\0|into|alert|img|prompt|set|/*|x09|x0a|x0b|x0c|x0d|xa0|%|<|>|^|x00|#|x23|[0-9]|file|=|or|x7c|select|and|flag|into|where|x26|'|"|union|`|sleep|benchmark|regexp|from|count|procedure|and|ascii|substr|substring|left|right|union|if|case|pow|exp|order|sleep|benchmark|into|load|outfile|dumpfile|load_file|join|show|select|update|set|concat|delete|alter|insert|create|union|or|drop|not|for|join|is|between|group_concat|like|where|user|ascii|greatest|mid|substr|left|right|char|hex|ord|case|limit|conv|table|mysql_history|flag|count|rpad|&|*|.|/is",$s)||strlen($s)>50){
header("Location: /");
die();
}
}
然后是kar3a师傅在网鼎杯的记录, 据说有点像ciscn, 有时间也看看那边的题目2.
php题, 直接丢D盾里面, 找到可疑引用:
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
?>
D盾其实在长城杯半决赛过程中我们有配置过, 现在看来awd和awdp还是共通的, 只不过没了搅混水的过程(不过某种意义上添加一点选手间后期的斗智斗勇会更有意思, 个人感觉), 发现用户传入的$action没有进行过滤, 可以直接通过目录穿越, payload:?action=../../../../flag
防御手段是构造一个黑名单防止目录穿越:
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
$deny_ext = array("..","../");
if (in_array($action, $deny_ext)){
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
}
?>
buu上有原题, /admin进入后台, 是目录穿越:
function downloadBak() {
$file_name = $_GET['file'];
$file_dir = $this->config['path'];
if (!file_exists($file_dir . "/" . $file_name)) { //检查文件是否存在
return false;
exit;
} else {
$file = fopen($file_dir . "/" . $file_name, "r"); // 打开文件
// 输入文件标签
header('Content-Encoding: none');
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: " . filesize($file_dir . "/" . $file_name));
header('Content-Transfer-Encoding: binary');
header("Content-Disposition: attachment; filename=" . $file_name); //以真实文件名提供给浏览器下载
header('Pragma: no-cache');
header('Expires: 0');
//输出文件内容
echo fread($file, filesize($file_dir . "/" . $file_name));
fclose($file);
exit;
}
}
【强网杯】第六届强网杯青少年线下赛AWDP复盘[EB/OL].个人博客.https://moxin1044.github.io/articles/57061.html.2024.10.28. ↩
一次awdplus经历(网鼎杯线下赛)[EB/OL].个人博客.https://www.cnblogs.com/karsa/p/14062819.html.2020.11.30 ↩
第六届青少赛线下AWDP, 参考末心师傅的文档1, fix部分主要题目有四道:
经典的python类DJango框架, 文件结构为:
服务脚本用于定义Django框架, 直接找到app01/myfunc.py, 很容易可以找到简单的sql注入的waf:
def waf(sql):
blacklists = ['union select', 'sleep', 'benchmark', 'columns', 'load_file', 'local', 'outfile', 'dumpfile', 'file']
for blacklist in blacklists:
if blacklist in sql:
print(blacklist)
return False
return True
除此之外还有其他几个waf函数, 那么要想防止注入, 需要从可能的注口下手, 在vim中直接进行:/waf搜索找到对应的位置, 检查到在index类中存在一段函数:
sql = "select * from app01_user where username = '"+login_username+"';"
xiaoxi = ""
if waf(login_username):
cursor.execute(sql)
result = cursor.fettchall()
if result:
xiaoxi = result[0][3]
else:
xiaoxi = "No NO N0!"
很暴力的一个方法, 顺便学了一手, 除了eval以外execute函数也应该是一个要被重点检查的函数.
陌心师傅提供了一个基本的修复方法, 直接增强waf(这大概需要考察web手在处理手段的基本素养了, 多出题还是有好处的):
def waf(sql):
blacklists = ["union select", "sleep", "benchmark","columns","load_file","local","outfile","dumpfile","file","union","select",
"select","and","*","x09","x0a","x0b","x0c","x0d","xa0","x00","x26","x7c","or","into","from","where","join","sleexml","extractvalue","+","regex","copy","read","file","create","grand","dir","insert","link","server","drop","=",">","<",";"]
for blacklist in blacklists:
if blacklist in sql:
print(blacklist)
return False
return True
上了php的通防脚本, 防御成功了, 有时间我也写点自己的逆天想法(所以现在先鸽着).
golang会编译为二进制文件, 需要有强大的patch技巧, 这里只进行记录:
IDA64打开easygo文件, 找到loc_49B5DE处汇编显示:
loc__49B5DE:
xchg ax, ax
call main_backdoor
jmp short loc_49B5E9
继续追踪, 发现有调用cat /flag和/bin/bash两个部分, 既然是AWDP, 不难想象出官方的EXP, 直接暴力修改db部分, 将cat /flag修改为echo 1234, 个人思考了一下, 直接用retdec逆出来然后暴力改文件可能也是可以的?
function wafrce($str){
return !preg_match("/openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|scandir|assert|pcntl_exec|fwrite|curl|system|eval|assert|flag|passthru|exec|chroot|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore/i", $str);
}
function wafsqli($str){
return !preg_match("/select|and|\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleexml|extractvalue|+|regex|copy|read|file|create|grand|dir|insert|link|server|drop|=|>|<|;|\"|\'|\^|\|/i", $str);
}
function wafxss($str){
return !preg_match("/\'|http|\"|\`|cookie|<|>|script/i", $str);
}
function waf($s){
if (preg_match("/select|flag|union|\\$|'|"|--|#|\0|into|alert|img|prompt|set|/*|x09|x0a|x0b|x0c|x0d|xa0|%|<|>|^|x00|#|x23|[0-9]|file|=|or|x7c|select|and|flag|into|where|x26|'|"|union|`|sleep|benchmark|regexp|from|count|procedure|and|ascii|substr|substring|left|right|union|if|case|pow|exp|order|sleep|benchmark|into|load|outfile|dumpfile|load_file|join|show|select|update|set|concat|delete|alter|insert|create|union|or|drop|not|for|join|is|between|group_concat|like|where|user|ascii|greatest|mid|substr|left|right|char|hex|ord|case|limit|conv|table|mysql_history|flag|count|rpad|&|*|.|/is",$s)||strlen($s)>50){
header("Location: /");
die();
}
}
然后是kar3a师傅在网鼎杯的记录, 据说有点像ciscn, 有时间也看看那边的题目2.
php题, 直接丢D盾里面, 找到可疑引用:
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
?>
D盾其实在长城杯半决赛过程中我们有配置过, 现在看来awd和awdp还是共通的, 只不过没了搅混水的过程(不过某种意义上添加一点选手间后期的斗智斗勇会更有意思, 个人感觉), 发现用户传入的$action没有进行过滤, 可以直接通过目录穿越, payload:?action=../../../../flag
防御手段是构造一个黑名单防止目录穿越:
<?php
$action = (isset($_GET['action']) ? $_GET['action'] : 'home.php');
$deny_ext = array("..","../");
if (in_array($action, $deny_ext)){
if (file_exists($action)) {
include $action;
} else {
echo "File not found!";
}
}
?>
buu上有原题, /admin进入后台, 是目录穿越:
function downloadBak() {
$file_name = $_GET['file'];
$file_dir = $this->config['path'];
if (!file_exists($file_dir . "/" . $file_name)) { //检查文件是否存在
return false;
exit;
} else {
$file = fopen($file_dir . "/" . $file_name, "r"); // 打开文件
// 输入文件标签
header('Content-Encoding: none');
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: " . filesize($file_dir . "/" . $file_name));
header('Content-Transfer-Encoding: binary');
header("Content-Disposition: attachment; filename=" . $file_name); //以真实文件名提供给浏览器下载
header('Pragma: no-cache');
header('Expires: 0');
//输出文件内容
echo fread($file, filesize($file_dir . "/" . $file_name));
fclose($file);
exit;
}
}
【强网杯】第六届强网杯青少年线下赛AWDP复盘[EB/OL].个人博客.https://moxin1044.github.io/articles/57061.html.2024.10.28. ↩
一次awdplus经历(网鼎杯线下赛)[EB/OL].个人博客.https://www.cnblogs.com/karsa/p/14062819.html.2020.11.30 ↩