LoRexxar's Blog

hitcon2016 misc writeup

2016/10/11

At HITCON I ran into a lot of interesting misc challenges and learned a lot from them, so I'm putting together a writeup just for those.

Beelzemon

This is a PPC problem.

Beelzemon gives you two integers 1 <= k <= n <= 20.
It wants to know if you can split a set {a | -(2**n) <= a <= (2**n) - 1} into two sets A, B s.t. |A| = |B| and sum({a**k | a in A}) = sum({b**k | b in B}).
Give Beelzemon either A or B to save your life. (separate the numbers by space)

A brief description of the problem:

Roughly these points:

1. k and n are between 1 and 20, with k <= n
2. a ranges over the integers from -(2**n) to (2**n) - 1, i.e. 2**(n+1) consecutive integers
3. A and B must contain the same number of elements, and their sums of k-th powers must be equal

At this point we need some theory to back us up. While working on the challenge that day I found this article:

https://zhuanlan.zhihu.com/p/20559045

It contains a theorem for exactly this kind of partition,

so it can be applied here.

But then we hit another problem: the challenge needs the set including the negative numbers to be handled (I didn't get it at the time either); only after reading this writeup later did I understand:

https://github.com/JulesDT/ctfWriteUps/tree/master/Hitcon%20Quals%202016/Beelzemon%20-%20PPC%20-%20150%20pts

The solution script (from that writeup):

import socket
import re
import time


def find_partition(int_list, n, k):
    """Greedy split of int_list (the integers -(2**n) .. 2**n-1) into A and B.

    Every value is shifted by +2**n so that all of them are non-negative, the
    list is walked from the largest value down, and each value goes to the side
    whose running sum of k-th powers is currently smaller. The single zero
    (originally -(2**n)) is placed last, on whichever side is shorter, so that
    |A| == |B|. Only A is returned, which is all the server asks for.
    """
    len_A = len_B = 0
    sum_A = sum_B = 0
    Aret = Bret = ""
    for i in range(len(int_list)):
        int_list[i] += 2**n
    int_list = int_list[::-1]          # largest shifted value first
    for nb in int_list:
        if nb == 0:
            if len_A < len_B:
                len_A += 1
                Aret += str(-2**n) + " "
            else:
                len_B += 1
                Bret += str(-2**n) + " "
        else:
            if sum_A < sum_B:
                sum_A += nb**k
                len_A += 1
                Aret += str(nb - 2**n) + " "    # undo the shift in the answer
            else:
                sum_B += nb**k
                len_B += 1
                Bret += str(nb - 2**n) + " "
    return Aret


def main():
    begin = time.time()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('52.198.217.117', 6666))
    while True:
        data = s.recv(2048)
        print("Received:", data)
        if not data:                     # server closed the connection
            break
        mgex = re.search(r'([0-9]+) ([0-9]+)', data.decode(errors='replace'))
        if mgex is not None:
            n = int(mgex.group(1))
            k = int(mgex.group(2))
            mySet = list(range(-2**n, 2**n))
            partition = find_partition(mySet, n, k)
            s.send((partition + '\n').encode())
    print("Connection closed.")
    s.close()
    print("Process duration :", time.time() - begin)


if __name__ == "__main__":
    main()

Here we see the list being processed:

int_list[i] += 2**n

With this shift every value becomes non-negative (0 .. 2**(n+1) - 1), and the offset is subtracted again when a value is written into the answer. The shift is harmless because of the binomial expansion: (x - c)**k = sum over j of C(k, j) * x**j * (-c)**(k - j), so a partition that equalises the sums of all powers 0..k of the shifted values x also equalises the sums of k-th powers of the original values x - c. Applying the theorem above to the shifted set therefore gives the result.
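The following is an added example of mine, not the writeup's script and not code from the linked article: a direct implementation of Prouhet's theorem, which I take to be the theorem the article refers to (an assumption on my part). The integers 0 .. 2**(n+1)-1 are split by the parity of their number of 1 bits (the Thue-Morse sequence); the two halves then have equal sums of j-th powers for every j <= n, so in particular for the challenge's k, and the check below confirms that the equality survives shifting back to the original range.

```ruby
# Added example: Prouhet/Thue-Morse partition for Beelzemon (not the page's code).
# Assumption: the theorem behind the linked article is Prouhet's, i.e. splitting
# 0 .. 2**(n+1)-1 by popcount parity equalises the sums of j-th powers, j <= n.

def thue_morse_partition(n, k)
  raise ArgumentError, 'need 1 <= k <= n <= 20' unless k >= 1 && k <= n && n <= 20
  a = []
  b = []
  (0...2**(n + 1)).each do |x|
    # decide the side on the shifted value x, then undo the +2**n shift
    side = x.to_s(2).count('1').even? ? a : b
    side << x - 2**n
  end
  [a, b]
end

def power_sum(set, j)
  set.sum { |v| v**j }
end

# What the server checks (equal sizes, equal sums of k-th powers) plus the
# stronger property the theorem gives: equal sums of every power 0..k, which is
# exactly why the shift by 2**n does not matter.
def valid_split?(n, k)
  a, b = thue_morse_partition(n, k)
  a.size == b.size && (0..k).all? { |j| power_sum(a, j) == power_sum(b, j) }
end

# The line to send back: either side, space separated
def beelzemon_answer(n, k)
  thue_morse_partition(n, k).first.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  n, k = 3, 2
  puts beelzemon_answer(n, k)
  puts "valid: #{valid_split?(n, k)}"
end
```

For n = 20 this enumerates 2**21 integers and raises them to the 20th power, which takes a few seconds in Ruby but is well within a typical challenge timeout; the greedy script above achieves the same split for the cases the challenge served.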

hackpad

When I first looked at it, the client GETs three times and then POSTs to brute-force something; the wrong ones return 500 and the correct ones return 200, so it looked like it was brute-forcing a CBC IV.

So this is a padding oracle attack.

This attack is also covered on web小白:

http://blog.zhaojie.me/2010/10/padding-oracle-attack-in-detail.html

Simply put, the logic is this:

1. When it receives a correct ciphertext (padding correct and containing a legal value), the application returns normally (200 - OK).
2. When it receives an invalid ciphertext (the padding is found to be wrong after decryption), the application throws a decryption exception (500 - Internal Server Error).
3. When it receives a legal ciphertext (padding correct) but decryption yields an illegal value, the application shows a custom error message (200 - OK).

So for every recovered IV value we XOR with the padding byte in force at that step (0x01, 0x02, 0x03, ... up to 0x10 for a full block) to get the intermediate state of the block cipher, and then XOR that with the corresponding previous ciphertext block to get the plaintext.

def xor_c(s, key):
    """XOR every byte of s with the one-byte constant key."""
    return bytes(b ^ key for b in s)


def xor_ss(s1, s2):
    """XOR two equal-length byte strings."""
    return bytes(a ^ b for a, b in zip(s1, s2))


def main():
    bs = open('hackpad.pcap', 'rb').read()
    i = 0x2634 - 1          # offset in the capture where the POST flood starts
    cs = []                 # ciphertext blocks seen so far, in order
    j = 0
    flag = b''
    while True:
        i = bs.find(b'POST / HTTP/1.1', i + 1)
        if i == -1:
            break
        msg = bs.find(b'msg=', i)
        res = bs.find(b'HTTP/1.1', msg)       # the response line that follows
        if bs[res + 9:res + 10] == b'2':      # 2xx: the oracle accepted the padding
            iv = bs[msg + 4:msg + 36]         # attacker-controlled IV, hex encoded
            c = bs[msg + 36:msg + 68]         # ciphertext block under attack, hex encoded
            if iv[0:1] != b'0':
                # Writeup heuristic: the last accepted IV of a block has all
                # sixteen bytes set, so IV ^ 0x10 is the block-cipher output
                # (the intermediate state)...
                iv = xor_c(bytes.fromhex(iv.decode()), 0x10)
                cs.append(bytes.fromhex(c.decode()))
                if j != 0:
                    # ... and intermediate ^ previous ciphertext block is plaintext.
                    # The first block needs the real IV, which is not in the capture.
                    flag += xor_ss(cs[j - 1], iv)
                j += 1
    print(flag)


if __name__ == "__main__":
    main()

PS: the script was taken from a writeup, not written by me. Orz
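The script above only parses a capture of someone else's attack. To show the attack itself end to end, here is an added example of mine (not the writeup's or the challenge's code): a CBC service that leaks padding validity the way the three cases above describe, and an attacker that recovers the plaintext from that single bit per query without ever touching the key. Instead of AES it uses a toy 4-round Feistel cipher built on SHA-256, so it runs with the Ruby standard library only; the attack half never depends on which block cipher is behind the oracle. The secret plaintext is a constructed sample, not the real flag.

```ruby
require 'digest'
require 'securerandom'

BLOCK = 16
HALF = BLOCK / 2

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# --- toy block cipher: 4-round Feistel network keyed through SHA-256 (stand-in for AES)
def round_fn(key, half, rnd)
  Digest::SHA256.digest(key + [rnd].pack('C') + half)[0, HALF]
end

def toy_encrypt_block(key, block)
  l, r = block[0, HALF], block[HALF, HALF]
  4.times { |rnd| l, r = r, xor_bytes(l, round_fn(key, r, rnd)) }
  l + r
end

def toy_decrypt_block(key, block)
  l, r = block[0, HALF], block[HALF, HALF]
  3.downto(0) { |rnd| l, r = xor_bytes(r, round_fn(key, l, rnd)), l }
  l + r
end

# --- PKCS#7 and CBC, exactly as a vulnerable server would implement them
def pkcs7_pad(data)
  n = BLOCK - data.bytesize % BLOCK
  data + ([n] * n).pack('C*')
end

def pkcs7_unpad(data)
  raise ArgumentError, 'bad length' if data.bytesize.zero? || data.bytesize % BLOCK != 0
  n = data.bytes.last
  raise ArgumentError, 'bad padding' if n < 1 || n > BLOCK || data.byteslice(-n, n) != ([n] * n).pack('C*')
  data.byteslice(0, data.bytesize - n)
end

def cbc_encrypt(key, iv, plaintext)
  prev = iv
  out = ''.b
  (0...plaintext.bytesize).step(BLOCK) do |i|
    prev = toy_encrypt_block(key, xor_bytes(plaintext.byteslice(i, BLOCK), prev))
    out << prev
  end
  out
end

def cbc_decrypt(key, iv, ciphertext)
  prev = iv
  out = ''.b
  (0...ciphertext.bytesize).step(BLOCK) do |i|
    blk = ciphertext.byteslice(i, BLOCK)
    out << xor_bytes(toy_decrypt_block(key, blk), prev)
    prev = blk
  end
  out
end

# The server side: true stands for "200 OK", false for the "500" on bad padding.
class PaddingOracle
  attr_reader :queries

  def initialize(key)
    @key = key
    @queries = 0
  end

  def valid?(iv, ciphertext)
    @queries += 1
    pkcs7_unpad(cbc_decrypt(@key, iv, ciphertext))
    true
  rescue ArgumentError
    false
  end
end

# --- the attack: recover one block from the oracle alone
def recover_block(oracle, prev, block)
  inter = Array.new(BLOCK, 0)    # D_key(block), learned one byte at a time from the end
  forged = Array.new(BLOCK, 0)   # the attacker-controlled IV sent with the block
  (1..BLOCK).each do |pad|
    pos = BLOCK - pad
    (pos + 1...BLOCK).each { |i| forged[i] = inter[i] ^ pad }   # known bytes now decrypt to pad
    found = (0..255).find do |guess|
      forged[pos] = guess
      next false unless oracle.valid?(forged.pack('C*'), block)
      if pad == 1
        # Rule out a false positive such as ...02 02: flip the byte to the left;
        # real 0x01 padding survives that, accidental 0x02 padding does not.
        probe = forged.dup
        probe[pos - 1] ^= 0xff
        next false unless oracle.valid?(probe.pack('C*'), block)
      end
      true
    end
    raise 'oracle did not behave as assumed' if found.nil?
    inter[pos] = found ^ pad   # same step as the pcap script: final IV ^ 0x10 = intermediate
  end
  xor_bytes(inter.pack('C*'), prev)   # intermediate ^ previous ciphertext block = plaintext
end

def padding_oracle_attack(oracle, iv, ciphertext)
  blocks = [iv] + (0...ciphertext.bytesize).step(BLOCK).map { |i| ciphertext.byteslice(i, BLOCK) }
  plain = ''.b
  (1...blocks.size).each { |i| plain << recover_block(oracle, blocks[i - 1], blocks[i]) }
  pkcs7_unpad(plain)
end

def demo
  key = SecureRandom.random_bytes(16)     # never given to the attacker
  iv = SecureRandom.random_bytes(BLOCK)
  secret = 'hitcon{constructed sample, not the real flag}'.b   # constructed plaintext
  ct = cbc_encrypt(key, iv, pkcs7_pad(secret))
  oracle = PaddingOracle.new(key)
  [padding_oracle_attack(oracle, iv, ct), oracle.queries]
end

if __FILE__ == $PROGRAM_NAME
  plain, queries = demo
  puts "#{plain} (#{queries} oracle queries)"
end
```

The cost is at most 256 queries per byte, so about 4096 per block, which matches the flood of POSTs in the capture. The first block can be recovered here because the attacker is handed the real IV; in the capture it was not, which is why the script above starts at the second block. The fix on the server side is to authenticate the ciphertext (an AEAD mode or encrypt-then-MAC) and to reject it before any padding is examined, so that padding errors and MAC errors are indistinguishable to the client.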

RegExpert

A challenge that tests regular expressions. While doing it I was far too unfamiliar with regex and didn't even get past the first step, so today I'm looking at it carefully.

select

================= [SQL] =================
Please match string that contains "select" as a case insensitive subsequence.

The first step is select: the regex has to match every string that contains "select" as a case-insensitive subsequence, i.e. arbitrary characters may appear between the letters of select.

So at the time my first version of the regex looked like this:

[Ss][A-Za-z]?[eE][A-Za-z]?[lL][A-Za-z]?[eE][A-Za-z]?[cC][A-Za-z]?[tT]

Of course there is a length limit (and this version also allows at most one optional letter between consecutive characters, whereas any characters are allowed), so it shrinks to:

(?i)s.*e.*l.*e.*c.*t

Recursive regex:

=============== [a^nb^n] ================
Yes, we know it is a classical example of context free grammer.

Honestly, I didn't really understand what this problem meant; probably it refers to a recursive grammar?

Here Ruby's \g<1> syntax (a call to the subexpression of group 1) should be what is needed.

payload:

^(a\g<1>?b)$

Primes

================= [x^p] =================
A prime is a natural number greater than 1 that has no positive divisors other than 1 and itself.

Every character has to be x. The negative lookahead (?!(xx+)\1+$) rejects any string of x's whose length is a product of two factors >= 2, i.e. every composite length, and ^xx+$ forces the string to consist only of x's with length at least 2, so that the empty string and a single x are rejected too. What remains is exactly the prime lengths.

(?!(xx+)\1+$)^xx+$

Palindromes:

Both "QQ" and "TAT" are palindromes, but "PPAP" is not.

This looks like another recursion-style check: a palindrome is a character, a shorter palindrome, and then the same character again, down to an empty or single-character centre. So the pattern is c P c, where c is a single captured character referenced again after the recursive call P.

^(\w?|(\w)\g<1>\k<2>)$
or
((.)(\g<1>)\2|.?)

Context-sensitive grammar

============== [a^nb^nc^n] ==============
Is CFG too easy for you? How about some context SENSITIVE grammer?

The corresponding pattern can be found online:

\A(?<AB>a\g<AB>b|){0}(?=\g<AB>c)a*(?<BC>b\g<BC>c|){1}\Z

It can be shortened to:

^(?=(a\g<1>?b)c)a+(b\g<2>?c)$
