• WEB
  • 爬虫协议
• MISC
  • packet
• CRYPTO
  • cc
  • Theorem
• REVERSE
  • 欢乐时光
  • rc4

WEB

爬虫协议

flag:flag{d4f3e494-ad31-4bad-b7a7-1b3fa5d79090}

根据题目描述和靶机的提示，猜测是靶机的robots.txt有东西，点进发现了

User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/
Disallow: /cf8e87e5986d8d59571fdcf83e1c32cc/

进入 /cf8e87e5986d8d59571fdcf83e1c32cc/ 发现了 [ c4e2e73cbce2ab6b4d7222638f0e440f](http://eci-2ze1m49co3n0jy59a9yi.cloudeci1.ichunqiu.com/cf8e87e5986d8d59571fdcf83e1c32cc/c4e2e73cbce2ab6b4d7222638f0e440f) 点进去就是flag

MISC

packet

flag:flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

流量分析，wireshark打开导出HTTP，发现flag的base64编码

ZmxhZ3s3ZDZmMTdhNC0yYjBhLTQ2N2QtOGE0Mi02Njc1MDM2OGMyNDl9Cg== ，解码得到flag

CRYPTO

cc

flag:flag{6500e76e-15fb-42e8-8f29-a309ab73ba38}

cyberchef实操题，使用离线cyberchef反推解密aes即可

Theorem

flag:flag{5f00e1b9-2933-42ad-b4e1-069f6aa98e9a}

isqrt函数快速发现相邻的p和q，从而得到flag

from Crypto.Util.number import *

from gmpy2 import *

n = 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791

e = 65537

c = 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829

sn = isqrt ( n )

q = next_prime ( sn )

p = n // q

phi_n = ( p - 1 ) * ( q - 1 )

d = invert ( e , phi_n )

m = pow ( c , d , n )

print ( long_to_bytes ( m ) )

REVERSE

欢乐时光

flag:flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}

变种tea加密算法

主要加密逻辑：

与一般的tea算法不同，每次加密都改变了整个数据的值，但是按照逻辑反推同样可以解决

	sum = 0;
	v10 = a1 [ 10 ];
for ( int k = 0 ; k < 151 ; ++k ) {
	sum -= 1640531527 ;
	q = ( sum >> 2 ) & 3 ;
	for ( i = 0; i < 10 ; ++i ){
	v1 = a1 [ i + 1 ] ;
	v0 = & a1 [ i ] ;
	*v0 += ( ( v1 ^ sum ) + ( v10 ^ ( key [ q ^ i & 3 ] ) ) ) ^ ( ( ( 4 * v1 ) ^ ( v10 >> 5 ) ) + ( ( v1 >> 3 ) ^ ( 16 * v10 ) ) ) ;
	v10 = *v0;
	}
	v4 = &a1 [ 10 ] ;
	*v4 += ( ( a1 [ 0 ] ^ sum ) + ( v10 ^ ( key [ q ^ i & 3 ] ) ) ) ^ ( ( ( 4 * a1 [ 0 ] ) ^ ( v10 >> 5 ) ) + ( ( a1 [ 0 ] >> 3 ) ^ ( 16 * v10 ) ) ) ;
	v10 = *v4 ;
}

#include <bits/stdc++.h>

int main() {
	
	uint32_t key[4] = {0x79696755 , 0x67346F6C , 0x69231231 , 0x5F674231 };
	uint32_t a1[11] = {0x480AC20C , 0xCE9037F2 , 0x8C212018 , 0xE92A18D , 0xA4035274 , 0x2473AAB1 , 0xA9EFDB58 , 0xA52CC5C8 , 0xE432CB51 , 0xD04E9223 , 0x6FD07093};
	uint32_t delta = 0x61C88647 , sum = -151 * delta ;
	for ( int l = 0 ; l < 151 ; ++l ) {
	uint32_t q = ( sum >> 2 ) & 3 ;
	uint32_t v10 = a1 [ 9 ] ;
	uint32_t *v4 = &a1 [ 10 ] ;
	*v4 -= ( ( a1 [ 0 ] ^ sum ) + ( v10 ^ ( key [ q ^ 10 & 3 ] ) ) ) ^ ( ( ( 4 * a1 [ 0 ] ) ^ ( v10 >> 5 ) ) + ( ( a1 [ 0 ] >> 3 ) ^ ( 16 * v10 ) ) ) ;
	for ( int i = 9 ; i >= 0 ; --i ) {
		uint32_t v1 = a1 [ i + 1 ] ;
		uint32_t *v0 = & a1 [ i ] ;
		if ( i != 0 )
		*v0 -= ( ( v1 ^ sum ) + ( a1 [ i - 1 ] ^ ( key [ q ^ i & 3 ] ) ) ) ^ ( ( ( 4 * v1 ) ^ ( a1 [ i - 1 ] >> 5 ) ) + ( ( v1 >> 3 ) ^ ( 16 * a1 [ i - 1 ] )) ) ;
		else
		*v0 -= ( ( v1 ^ sum ) + ( a1 [ 10 ] ^ ( key [ q ^ i & 3 ] ) ) ) ^ ( ( ( 4 * v1 ) ^ ( a1 [ 10 ] >> 5 ) ) + ( ( v1 >> 3 ) ^ ( 16 * a1 [ 10 ] ) ) ) ;
		}
	sum += delta ;
	}
	for ( int i = 0 ; i <= 10 ; ++i ) {
		for ( int j = 0 ; j < 4 ; ++j ) {
		printf("%c", a1[i] & 0xff ) ;
		a1[i] >>= 8 ;
	}
}
	return 0;
}

rc4

flag:flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}

查看main函数

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
size_t v4; // [esp+50h] [ebp-3Ch]
char v5[44]; // [esp+54h] [ebp-38h] BYREF
char Str[12]; // [esp+80h] [ebp-Ch] BYREF
strcpy(Str, "gamelab@");
v5[0] = -74;
v5[1] = 66;
v5[2] = -73;
v5[3] = -4;
v5[4] = -16;
v5[5] = -94;
v5[6] = 94;
v5[7] = -87;
v5[8] = 61;
v5[9] = 41;
v5[10] = 54;
v5[11] = 31;
v5[12] = 84;
v5[13] = 41;
v5[14] = 114;
v5[15] = -88;
v5[16] = 99;
v5[17] = 50;
v5[18] = -14;
v5[19] = 68;
v5[20] = -117;
v5[21] = -123;
v5[22] = -20;
v5[23] = 13;
v5[24] = -83;
v5[25] = 63;
v5[26] = -109;
v5[27] = -93;
v5[28] = -110;
v5[29] = 116;
v5[30] = -127;
v5[31] = 101;
v5[32] = 105;
v5[33] = -20;
v5[34] = -28;
v5[35] = 57;
v5[36] = -123;
v5[37] = -87;
v5[38] = -54;
v5[39] = -81;
v5[40] = -78;
v5[41] = -58;
v4 = strlen(Str);
sub_401005(Str, v4, v5, 42);
printf("%s\n", Str);
return 0;
}

程序的逻辑是直接输出Str字符串，但是途中进行了RC4加密，没有输出出结果，使用动态调试，查看v5加密后的值