out = "" for index in range(15,20): for i in range(len(key2)): p = process("./right_or_left") p.recvuntil("What's The Secret Key?\n") p.sendline(key2[index:i+1]) resp = p.recv(1024) if"ASIS"in resp: out += key2[index:i] + ":" + resp info(key2[index:i] + ":" + resp) with open("/root/Desktop/out","wb") as f: f.write(out) f.close()
#define M 37 #define q (2+M/M) #define v (q/q) #define ef ((v+q)/2) #define f (q-v-ef) #define k (8-ef) structb{int64_t y[13];}S;int m=1811939329,N=1,t[1<<26]={2},a,*p,i,e=73421233,s,c,U=1;g(d,h){for(i=s;i<1<<25;i*=2)d=d*1LL*d%m;for(p=t;p<t+N;p+=s)for(i=s,c=1;i;i--)a=p[s]*(h?c:1LL)%m,p[s]=(m*1U+*p-a)*(h?1LL:c)%m,*p=(a*1U+*p)%m,p++,c=c*1LL*d%m;}l(){while(e/=2){N*=2;U=U*1LL*(m+1)/2%m;for(s=N;s/=2;)g(136,0);for(p=t;p<t+N;p++)*p=*p*1LL**p%m*U%m;for(s=1;s<N;s*=2)g(839354248,1);for(a=0,p=t;p<t+N;)a+=*p<<(e&1),*p++=a%10,a/=10;}}z(n){int y=3,j,c;for(j=2;j<=n;){l();for(c=2;c<=y-1;c++){l();if(y%c==0)break;}if(c==y){l();j++;}y++;}l();return y-1;}main(a, pq) char* pq;{int b=sizeof(S),y=b,j=M;l();int x[M]={b-M-sizeof((shortint) a),(b>>v)+(k<<v)+ (v<<(q|ef)) + z(v+(ef<<v)),(z(k*ef)<<v)-pow(ef,f), z(( (j-ef*k)|(ef<<k>>v)/k-ef<<v)-ef),(((y+M)&b)<<(k/q+ef))-z(ef+v),((ef<<k)-v)&y,y*v+v,(ef<<(q*ef-v-(k>>ef)))*q-v,(f<<q)|(ef<<(q*f+k))-j+k,(z(z(z(z(z(v)))))*q)&(((j/q)-(ef<<v))<<q)|(j+(q|(ef<<v))),y|(q+v),(ef<<ef)-v+ef*(((j>>ef)|j)-v+ef-q+v),(z(j&(b<<ef))&(z(v<<v)<<k))-(q<<v)-q,(k<<q)+q,(z(y)>>(ef<<v))+(z(k+v))-q,(z(z(k&ef|j))&b|ef|v<<f<<q<<v&ef>>k|q<<ef<<v|k|q)+z(v<<v)+v,(ef>>v)*q*z(k-v)+z(ef<<ef&q|k)+ef,z(k<<k)&v&k|y+k-v,z(f>>ef|k>>ef|v|k)*(ef>>v)*q,(ef<<k-ef<<v>>q<<ef*ef)-j+(ef<<v),z(ef*k)*z(v<<v)+k-v,z((z(k)<<z(v)))&y|k|v,z(ef<<ef<<v<<v)/ef+z(v<<ef|k|(b>>q)&y-f)-(ef<<q)+(k-v)-ef,k<<(ef+q)/z(ef)*z(q)&z(k<<k)|v,((z(y|j>>k*ef))%ef<<z(v<<v<<v)>>q<<q|j)/ef+v,(j-ef<<ef<<v*z(v>>v<<v)>>ef)/ef%z(k<<j)+q,z(k-v)+k|z(ef<<k>>v<<f)-z(q<<q)*ef>>v,(z(ef|y&j|k)%q|j+ef<<z(k|ef)%k<<q|ef|k<<ef<<q/ef|y/ef+j>>q)&k<<j|ef+v,84,z(v*ef<<ef<<q)*q%ef<<k|k|q-v,((z(20)*v)|(f>>q)|(k<<k))/ef-(ef<<(v*q+ef))-(k<<q)+z(k)-q};while(j--){putchar(x[M-v-j]);}printf(" From ASIS With Love <3\n");return0;}
Solution
見到堆疑似 C 既野 , 咁試下直接拍落visual studio 行下啦 , 同埋嘗試補番d data type比佢 , 然後等左幾分鐘就出左flag了了
#define M 37 #define q (2+M/M) #define v (q/q) #define ef ((v+q)/2) #define f (q-v-ef) #define k (8-ef) structb {int64_t y[13]; }S; int m = 1811939329, N = 1, t[1 << 26] = { 2 }, a, *p, i, e = 73421233, s, c, U = 1;
voidg(long d,long h){ for (i = s; i<1 << 25; i *= 2)d = d * 1LL * d%m; for (p = t; p<t + N; p += s)for (i = s, c = 1; i; i--)a = p[s] * (h ? c : 1LL) % m, p[s] = (m * 1U + *p - a)*(h ? 1LL : c) % m, *p = (a * 1U + *p) % m, p++, c = c * 1LL * d%m; }
voidl(){ while (e /= 2) { N *= 2; U = U * 1LL * (m + 1) / 2 % m; for (s = N; s /= 2;)g(136, 0); for (p = t; p<t + N; p++)*p = *p * 1LL * *p%m*U%m; for (s = 1; s<N; s *= 2)g(839354248, 1); for (a = 0, p = t; p<t + N;)a += *p << (e & 1), *p++ = a % 10, a /= 10; } }
intz(int n){ int y = 3, j, c; for (j = 2; j <= n;) { l(); for (c = 2; c <= y - 1; c++) { l(); if (y%c == 0)break; }if (c == y) { l(); j++; }y++; }l(); return y - 1; }
intmain(){int b = sizeof(S), y = b, j = M; l(); int x[M] = { b - M - sizeof((shortint)a),(b >> v) + (k << v) + (v << (q | ef)) + z(v + (ef << v)),(z(k*ef) << v) - pow(ef,f), z(((j - ef*k) | (ef << k >> v) / k - ef << v) - ef),(((y + M)&b) << (k / q + ef)) - z(ef + v),((ef << k) - v)&y,y*v + v,(ef << (q*ef - v - (k >> ef)))*q - v,(f << q) | (ef << (q*f + k)) - j + k,(z(z(z(z(z(v)))))*q)&(((j / q) - (ef << v)) << q) | (j + (q | (ef << v))),y | (q + v),(ef << ef) - v + ef*(((j >> ef) | j) - v + ef - q + v),(z(j&(b << ef))&(z(v << v) << k)) - (q << v) - q,(k << q) + q,(z(y) >> (ef << v)) + (z(k + v)) - q,(z(z(k&ef | j))&b | ef | v << f << q << v&ef >> k | q << ef << v | k | q) + z(v << v) + v,(ef >> v)*q*z(k - v) + z(ef << ef&q | k) + ef,z(k << k)&v&k | y + k - v,z(f >> ef | k >> ef | v | k)*(ef >> v)*q,(ef << k - ef << v >> q << ef*ef) - j + (ef << v),z(ef*k)*z(v << v) + k - v,z((z(k) << z(v)))&y | k | v,z(ef << ef << v << v) / ef + z(v << ef | k | (b >> q)&y - f) - (ef << q) + (k - v) - ef,k << (ef + q) / z(ef)*z(q)&z(k << k) | v,((z(y | j >> k*ef)) % ef << z(v << v << v) >> q << q | j) / ef + v,(j - ef << ef << v*z(v >> v << v) >> ef) / ef%z(k << j) + q,z(k - v) + k | z(ef << k >> v << f) - z(q << q)*ef >> v,(z(ef | y&j | k) % q | j + ef << z(k | ef) % k << q | ef | k << ef << q / ef | y / ef + j >> q)&k << j | ef + v,84,z(v*ef << ef << q)*q%ef << k | k | q - v,((z(20)*v) | (f >> q) | (k << k)) / ef - (ef << (v*q + ef)) - (k << q) + z(k) - q }; while (j--) { putchar(x[M - v - j]); }printf(" From ASIS With Love <3\n"); return0; }
defdecrypt(round): enc = open("FLAG.enc", "rb").read() enc = bin(bytes_to_long(enc))[2:] dec = "" for r in range(round): for i in range(0, len(enc), 3): dec += enc[i:i+2] enc = dec dec = "" return enc[:-1]
def o0O(): print('Input an English word to be translated into a Haforli word: ') inputWord = raw_input().strip().split(' ')[0] reversedWord = inputWord[::-1] Ooo = '' o0oOoO00o = len(reversedWord) - 1 if ooOO00oOo(reversedWord) else len(reversedWord) print o0oOoO00o for i in range(0, o0oOoO00o, 2): Ooo += reversedWord[i + 1] + reversedWord[i]
if ooOO00oOo(reversedWord): Ooo += reversedWord[-1] print Ooo output = '' for s in Ooo: if not s.isalpha(): output += s + s elif s.isupper(): output += s + random.choice(string.ascii_uppercase) else: output += s + random.choice(string.ascii_lowercase)
print('Your translated word: {0}'.format(output))
if __name__ == '__main__': print(welcomeText) o0O()
咁就睇應該都係可逆既 , 所以就寫左下面條script解
1 2 3 4 5 6 7 8 9 10 11 12 13
defdecrypt(enc): enc = enc[::-1] tmp = "" out = "" for i in range(1, len(enc), 2): tmp += enc[i] for i in range(0, len(tmp), 2): try: out += tmp[i+1] + tmp[i] except: out += tmp[i] return out print decrypt("da}}rilwwe00yt____mfotfysf__11ty11mg__lphyer__tyrt33__algv33uc44nrgely44ys____mvozfpsw__11tv11mf{{letsfmmgcutbic")
def chinese_remainder(n, a): sum = 0 prod = reduce(lambda a, b: a*b, n)
for n_i, a_i in zip(n, a): p = prod / n_i sum += a_i * gmpy.invert(p, n_i) * p return sum % prod
c = 20318623659277133784436863405159350994457887674343039464217662595169547155252162707757860373904591558880102908865139317161642898188843552485749556428171374190436116308993843078746618097974105761149153341729931060530612128761115767471801348290177493316532913006382242873832659641556157675014368433683567068217
n = 134907508240262137946502074360739103059110939023118055674568339675274978708216465550239395185797633495974788047880328560410956605895894497803797294715631963939546472939054512693762329563642230731635928665937542607055460883018173012233396950213422702996807273870440698007181387418977498579818700406673368084937
let bookMessages = [ 'A great book indeed!', 'Best content you can get out there.', 'Best-seller & #1 10 times in a row.', 'Featured and recommended by us.', ];
[{"name":"Beloved"},{"name":"Catch-22"},{"name":"Lolita"},{"name":"Nineteen Eighty-Four"},{"name":"The Catcher in the Rye"},{"name":"The Grapes of Wrath"},{"name":"The Great Gatsby"},{"name":"The Sound and the Fury"},{"name":"Ulysses"}]
"<?php\n\/\/ timctf{f0und_f1rst_p4rt___wh4t_n3xt}\n\n\/\/ Can you get the second part? :^)\n"
BookDir
承上題我地可以任意讀file之後 , 咁就順手讀埋 booklist.php睇下有冇flag啦
1
"<?php\n\n$headers = getallheaders();\n\nfunction waf($str) {\n return str_replace('..\/', '', $str);\n}\n\nif (isset($_GET['f'])) {\n ini_set('open_basedir', '\/var\/www\/site\/');\n \/\/ ^ I wonder why that is.. ?\n\n echo json_encode(file_get_contents('list\/' . waf($_GET['f'])));\n} else {\n ini_set('open_basedir', '\/var\/www\/site\/books\/');\n\n $dir = '.';\n if (isset($headers['X-Dir'])) {\n $dir = $headers['X-Dir']; \/\/ waf()? might be too easy for the first stage :^)\n\n \/\/ artificial hack to check for \/ as last char after replacement\n if ($dir[strlen($dir) - 1] !== '\/') {\n $dir = '.';\n }\n }\n\n $files = [];\n foreach (array_diff(scandir('list\/' . $dir), ['..', '.']) as $file) {\n $files[] = ['name' => $file];\n }\n\n echo json_encode($files);\n}\n"
結果係無既 , 咁順手試埋再上一層個.htaccess先
1
"<Files .htaccess>\n Order allow,deny\n Deny from all\n<\/Files>\n\n<Files w0w_y0u_g0t_m3___.php>\n Order allow,deny\n Deny from all\n<\/Files>\n\nRewriteEngine On\nRewriteRule ^(?:books\/list)\\b.* \/403.php\n"
