
parloo杯2025 wp

逆向

xor

# Encoded flag string as given by the challenge.
c = "qcoq~Vh{e~bccocH^@Lgt{gt|g"

# Each character is XORed with its 1-based position in the string.
# The mask is just a counter and involves no secret, so this is an
# obfuscation layer rather than encryption.
for position, symbol in enumerate(c, start=1):
    print(chr(ord(symbol) ^ position), end="")

gogogo

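# Ciphertext bytes as listed in the write-up. The list never changes, so it is
# built once instead of on every key guess.
encrypted = [
    0xbf, 0xb1, 0xbd, 0xc7, 0xce, 0x96, 0x80, 0x98, 0x82, 0x9a,
    0x7f, 0xaf, 0xc1, 0xb3, 0xbf, 0xc4, 0xcd,
]

# The only unknown is the single byte a3, so all 256 values are tried and the
# known flag prefix is used to recognise the right one. A one-byte key plus a
# predictable plaintext prefix gives no real protection.
for a3 in range(256):
    # Undo "plaintext + a3 + (index mod 5)" modulo 256 for every byte.
    flag = [(value - a3 - i % 5) % 256 for i, value in enumerate(encrypted)]

    flag_str = bytes(flag)
    if b'palu{' in flag_str:
        print(flag_str)
        break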

web

猫猫银行

注册账号1和账号2。

用账号2给账号1转账一个负数金额,发现账号2的余额变成了负数,说明服务端既没有校验转账金额的正负,也没有检查余额是否充足。

再次转账100000给账号1即可。修复时应在服务端拒绝非正数金额,并在扣款前校验余额。

palu{d14811a4124344d99b60f3b6c98a59e5}

密码

轮回

import base64
def rotate_left(c, n):
    """Rotate the byte value *c* left by *n* bit positions.

    The high bits pushed out by the left shift are brought back in at the
    low end, and the result is masked to 8 bits.
    """
    shifted = c << n
    # assumes 0 <= c <= 255 and 0 <= n <= 8 -- TODO confirm against callers
    wrapped = c >> (8 - n)
    return (shifted | wrapped) & 0xFF
def samsara_decrypt(cipher, key_word):
    """Undo the four-stage "samsara" encoding and return the plaintext bytes.

    Args:
        cipher: Ciphertext bytes.
        key_word: Key bytes, repeated cyclically over the ciphertext.

    Returns:
        The decoded bytes.

    The rotation count depends only on the key length (len % 6 + 1), and the
    key is applied as a repeating XOR.
    """
    shift = len(key_word) % 6 + 1
    key_len = len(key_word)

    # Stage 1: strip the repeating-key XOR layer.
    unkeyed = bytes(
        byte ^ key_word[pos % key_len] for pos, byte in enumerate(cipher)
    )
    # Stage 2: rotate every byte left by `shift` to obtain the Base85 text.
    b85_text = bytes(rotate_left(byte, shift) for byte in unkeyed)
    # Stage 3: Base85-decode that text.
    inner = base64.b85decode(b85_text)
    # Stage 4: rotate every decoded byte left by `shift` once more.
    return bytes(rotate_left(byte, shift) for byte in inner)
# Key and hex-encoded ciphertext used in the write-up.
key = b'Bore'
hex_str = "79a6815f9b36193e58ac7996212c216ea16d531f61dcf1fceb15189739bc113699"

# Decode the hex string, run the decryption and print the result as text.
cipher = bytes.fromhex(hex_str)
plain = samsara_decrypt(cipher, key)
print("明文:", plain.decode())

循环

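# Ciphertext from the challenge and the known flag prefix used as a crib.
ciphertext = bytes.fromhex("110D190E122A7442312B2500070C163927210300280D2720262C19000C3B0439221952440D")
known_plain = b"palu{"

# The recovery below relies on plain[i] == ciphertext[i-1] ^ plain[i-1].
# Check that relation on the known prefix before trusting it for the rest.
for i in range(1, len(known_plain)):
    if ciphertext[i - 1] ^ known_plain[i - 1] != known_plain[i]:
        raise ValueError("known prefix does not match the chained-XOR relation")

# No key is involved: each byte follows from the previous ciphertext byte and
# the previous plaintext byte, so one known byte unravels the whole message.
plain = list(known_plain)
for i in range(len(known_plain), len(ciphertext)):
    plain.append(ciphertext[i - 1] ^ plain[i - 1])

print(bytes(plain).decode('ascii', errors='replace'))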

欧几里得

from Crypto.Util.number import long_to_bytes
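# Value published by the challenge.
c = 1426774899479339414711783875769670405758108494041927642533743607154735397076811133205075799614352194241060726689487117802867974494099614371033282640015883625484033889861

# s has a 1 in each of 35 consecutive 16-bit slots (2**0, 2**16, ..., 2**(16*34)),
# so x * s is the 16-bit value x repeated 35 times.
s = sum(1 << (16 * k) for k in range(35))

# Only 65536 candidates exist for x, so every one is tried and the flag prefix
# identifies the right one.
# NOTE(review): presumably the challenge added x * s to the flag integer -- confirm
# against the challenge source.
found = False
for x in range(65536):
    temp = c - x * s
    if temp < 0:
        # x only increases, so every later candidate is negative as well.
        break
    b = long_to_bytes(temp)
    if b.startswith(b'palu{'):
        print("找到flag:", b.decode())
        found = True
        break
if not found:
    print("未找到符合条件的x值。")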

RSA

import math
from Crypto.Util.number import long_to_bytes
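# Public values given by the challenge: modulus, exponent, ciphertext and an
# extra hint s.
n = 125997816345753096048865891139073286898143461169514858050232837657906289840897974068391106608902082960171083817785532702158298589600947834699494234633846206712414663927142998976208173208829799860130354978308649020815886262453865196867390105038666506017720712272359417586671917060323891124382072599746305448903
e = 65537
c = 16076213508704830809521504161524867240789661063230251272973700316524961511842110066547743812160813341691286895800830395413052502516451815705610447484880112548934311914559776633140762863945819054432492392315491109745915225117227073045171062365772401296382778452901831550773993089344837645958797206220200272941
s = 35935569267272146368441512592153486419244649035623643902985220815940198358146024590300394059909370115858091217597774010493938674472746828352595432824315405933241792789402041405932624651226442192749572918686958461029988244396875361295785103356745756304497466567342796329331150560777052588294638069488836419744297241409127729615544668547101580333420563318486256358906310909703237944327684178950282413703357020770127158209107658407007489563388980582632159120621869165333921661377997970334407786581024278698231418756106787058054355713472306409772260619117725561889350862414726861327985706773512963177174611689685575805282


def _exact_isqrt(value, label):
    """Return the integer square root of *value*; raise ValueError if inexact."""
    root = math.isqrt(value)
    if root * root != value:
        raise ValueError(f"{label} is not a perfect square")
    return root


# NOTE(review): the algebra below is consistent with s = p**4 + q**4 -- confirm
# against the challenge source. With that hint:
#   s + 2*n**2        = (p**2 + q**2)**2
#   (p**2+q**2) + 2*n = (p + q)**2
#   (p + q)**2 - 4*n  = (p - q)**2
# Any extra relation between p and q published next to n can make the modulus
# factorable in this way.
# Explicit checks replace the original asserts so they still run under -O.
A = s + 2 * (n ** 2)
p_sq_plus_q_sq = _exact_isqrt(A, "s + 2*n^2")
B = p_sq_plus_q_sq + 2 * n
sum_pq = _exact_isqrt(B, "(p^2 + q^2) + 2*n")
discriminant = sum_pq ** 2 - 4 * n
sqrt_disc = _exact_isqrt(discriminant, "(p + q)^2 - 4*n")

# p and q follow from their sum and difference.
p = (sum_pq + sqrt_disc) // 2
q = (sum_pq - sqrt_disc) // 2
if p * q != n:
    raise ValueError("recovered p and q do not multiply to n")

# Standard RSA decryption once the factors are known.
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)

print(long_to_bytes(m).decode())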

星际空间站

非预期解:文件下载接口的 path 参数没有限制可读取的路径,可以直接读取当前进程的环境变量:

/file/download?path=/proc/self/environ

flag 就在环境变量里,直接拿到。防护上应先规范化 path,再把它限制在固定的下载目录内。

misc

日志

import re
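# Log excerpt from the challenge. In every "Time anomaly" line the last two hex
# digits of the number carry one encoded byte.
log_data = """
[1970-01-01 08:00:00] System boot sequence initiated
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 00000000fe ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 10000000ef ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 20000000e2 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 30000000fb ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 40000000f5 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 50000000da ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 60000000e6 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 70000000e7 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 80000000fd ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 90000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 100000000e7 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 110000000fd ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 120000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 130000000cf ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 140000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 150000000dd ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 160000000ef ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 170000000e3 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 180000000fe ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 190000000e2 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 200000000eb ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 210000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 220000000c8 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 230000000e2 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 240000000ef ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 250000000e9 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 260000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 270000000cd ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 280000000e6 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 290000000ef ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 300000000e0 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 310000000e9 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 320000000eb ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 330000000d1 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 340000000c3 ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 350000000eb ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 360000000af ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 370000000af ns
[1970-01-01 08:00:00] SYSTEM ALERT: Time anomaly detected at 380000000f3 ns
[1970-01-01 08:00:00] System entering chronostasis mode
"""

# Single-byte XOR key. It follows from the first payload byte 0xfe and the
# known first flag character "p" (0x70): 0xfe ^ 0x70 == 0x8E.
XOR_KEY = 0x8E

# The greedy hex run backtracks so that the capture group is always the final
# two hex digits before " ns".
hex_values = re.findall(r"Time anomaly detected at [0-9a-fA-F]*([0-9a-fA-F]{2}) ns", log_data)
print("提取的十六进制值:", hex_values)

# Decode every captured byte with the same key; the lines are already in order.
flag_chars = [int(hex_val, 16) ^ XOR_KEY for hex_val in hex_values]

flag = bytes(flag_chars).decode("ascii")
print("解码结果:", flag)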

topSecret

在 PDF 中找到一段 Base64 字符串,解码后即为 flag:

cGFsdXtZb3VfcmVfYV9yZWFsXzUwd30==

palu{You_re_a_real_50w}

截图

本来要打国际赛,但是晚上8点才开始,所以下午打了一会儿parloo

压缩包都没下载,应急响应没法写,但是这比赛一共也才只花了几个小时去打而已

题目比较简单,没啥意思

许可协议:  CC BY 4.0