蓝桥杯WriteUp

爬虫协议

访问目标靶场,寻找robots.txt

访问robots.txt

访问/eec3597adc3664f5500e39d7976d6006/目录下文件得到flag{217e5d33-427b-41a6-a922-e2295674f357}

packet

使用wireshark打开该流量包,选择合适的数据包追踪tcp流,如下得到flag的base64编码

解码得到flag{7d6f17a4-2b0a-467d-8a42-66750368c249}

Theorem

该题为RSA

使用工具分解模数n得到p和q(从下面代码中的数值可以看出p与q仅相差206,两个素数过于接近,所以n很容易被分解;生成RSA密钥时应避免p、q相近)

然后根据RSA算法解得原文,代码如下

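# RSA decryption once the modulus n has been factored into p and q.
# Uses only the standard library (pow(e, -1, phi) needs Python 3.8+), so the
# script runs without the undeclared inverse()/long_to_bytes() helpers.
n = 94581028682900113123648734937784634645486813867065294159875516514520556881461611966096883566806571691879115766917833117123695776131443081658364855087575006641022211136751071900710589699171982563753011439999297865781908255529833932820965169382130385236359802696280004495552191520878864368741633686036192501791
c = 36423517465893675519815622861961872192784685202298519340922692662559402449554596309518386263035128551037586034375613936036935256444185038640625700728791201299960866688949056632874866621825012134973285965672502404517179243752689740766636653543223559495428281042737266438408338914031484466542505299050233075829
e = 65537
# p and q differ by only 206: primes this close together make n easy to factor,
# which is the weakness this challenge demonstrates.
p = 9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156923
q = 9725277820345294029015692786209306694836079927617586357442724339468673996231042839233529246844794558371350733017150605931603344334330882328076640690156717

# Fail early if a factor was copied incorrectly instead of printing garbage.
if p * q != n:
    raise ValueError("p * q does not equal n")

# Euler's totient of n = p * q.
oula = (p - 1) * (q - 1)
print(oula)

# Private exponent: modular inverse of e modulo the totient.
d = pow(e, -1, oula)
print(d)

# Textbook RSA decryption; the result is the plaintext as an integer.
m = pow(c, d, n)

# Big-endian byte string of m (what long_to_bytes(m) returns for m > 0).
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big"))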

得到flag

rc4

使用ida反编译,其中主要函数为sub_401005()

继续跟进

/*
 * IDA decompiler output for sub_401020. The three loops match the structure
 * of RC4: state initialisation, key scheduling (KSA) and keystream
 * generation (PRGA) XORed over a buffer in place.
 *
 *   a1  address of the key bytes (read as *(_BYTE *)(a1 + i % a2))
 *   a2  key length; used as a modulus, so a2 == 0 would divide by zero
 *       (no guard is visible in this function)
 *   a3  address of the data buffer; every byte is XORed in place
 *   a4  number of bytes of a3 to process
 *
 * Returns the last byte written to the buffer (0 when a4 == 0).
 * NOTE(review): the return value is probably just what was left in eax and
 * not used by the caller -- confirm at the call site.
 *
 * Because each data byte is only XORed with a keystream byte, calling the
 * routine again with the same key over the output restores the input.
 */
int __cdecl sub_401020(int a1, unsigned int a2, int a3, unsigned int a4)
{
    int result; // eax
    unsigned int k; // [esp+4Ch] [ebp-210h]
    /* v6/v7, v8/v9 and i/j/v12 share stack slots (same ebp offsets): the
     * decompiler split one variable per loop into several names. */
    char v6; // [esp+50h] [ebp-20Ch]
    char v7; // [esp+50h] [ebp-20Ch]
    unsigned int v8; // [esp+54h] [ebp-208h]
    unsigned int v9; // [esp+54h] [ebp-208h]
    unsigned int i; // [esp+58h] [ebp-204h]
    unsigned int j; // [esp+58h] [ebp-204h]
    unsigned int v12; // [esp+58h] [ebp-204h]
    /* v13[0..255]   = key bytes repeated to fill 256 entries
     * v13[256..511] = the 256-entry permutation (the RC4 S array) */
    char v13[512]; // [esp+5Ch] [ebp-200h]

    /* Initialisation: S[i] = i, and the key is expanded cyclically. */
    for ( i = 0; i < 0x100; ++i )
    {
        v13[i + 256] = i;
        v13[i] = *(_BYTE *)(a1 + i % a2);
    }
    /* Key scheduling: v8 is the running index, mixed with key and state,
     * then S[j] and S[v8] are swapped. The (unsigned __int8) casts matter
     * because v13 is declared as plain char; a reimplementation has to
     * treat these bytes as unsigned to get the same indices. */
    v8 = 0;
    for ( j = 0; j < 0x100; ++j )
    {
        v8 = ((unsigned __int8)v13[j] + (unsigned __int8)v13[j + 256] + v8) % 0x100;
        v6 = v13[j + 256];
        v13[j + 256] = v13[v8 + 256];
        v13[v8 + 256] = v6;
    }
    /* Keystream generation: v12 and v9 are the two state indices. */
    v9 = 0;
    result = 0;
    v12 = 0;
    for ( k = 0; k < a4; ++k )
    {
        v12 = (v12 + 1) % 0x100;
        v9 = (v9 + (unsigned __int8)v13[v12 + 256]) % 0x100;
        /* swap S[v12] and S[v9] */
        v7 = v13[v12 + 256];
        v13[v12 + 256] = v13[v9 + 256];
        v13[v9 + 256] = v7;
        /* keystream byte = S[(S[v9] + S[v12]) % 256], XORed with data[k];
         * only the low byte of result (al) is replaced here. */
        result = (unsigned __int8)v13[v9 + 256];
        LOBYTE(result) = v13[(result + (unsigned __int8)v13[v12 + 256]) % 256 + 256] ^ *(_BYTE *)(k + a3);
        *(_BYTE *)(k + a3) = result;
    }
    return result;
}

这里判断出上述代码对a3参数,也就是v5数组进行操作,所以flag就保存在该数组中。

起初采用代码进行复现,但生成的字符串乱码,所以采用ida动态调试,如下在0x00401252处打下断点

判断出保存在a1中

取eax低位即为v5数组保存的值

代码如下

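# Hex string of the byte values collected from the v5 array while debugging.
v51 = "666c61677b31323630316232622d326631652d343638612d616534332d3932333931666637366566337d"

# Every two hex digits are one byte. latin-1 maps each byte value to the same
# code point, which is exactly what chr(int(pair, 16)) produces per pair.
# (The original loop appended to `flag` without ever initialising it.)
flag = bytes.fromhex(v51).decode("latin-1")

print(flag)
print(len(flag))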

得到flag为

flag{12601b2b-2f1e-468a-ae43-92391ff76ef3}
