
Title: The Second Data Security Competition "Significant Cup" Data Security Competition WP


1.pyc

Decompile the .pyc with an online pyc decompiler to get the Python source code:

#!/usr/bin/env python

# visit https://tool.lu/pyc/for more information

# Version: Python 3.8

import random

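def encrypt_file(file_path):
    """Encrypt the file at *file_path* (body only partially recovered).

    The decompiler recovered just the PRNG seeding; the rest of the body is
    missing ("Decompyle incomplete"), so this stub only seeds ``random`` and
    returns ``None``.
    """
    # A constant seed makes every later random.* value reproducible by anyone
    # who can read this file, so the seed cannot act as a secret key.
    random.seed(114514)
    # WARNING: Decompyle incomplete


file_path = './flag'
encrypt_file(file_path)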

Because the decompiler output is incomplete, the encryption loop was reconstructed with the help of AI analysis, which gives the following decryption script:

import random

import os

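def decrypt_data(encrypted_data):
    """Return *encrypted_data* XORed byte-by-byte with the seed-114514 keystream.

    XOR with the same keystream is its own inverse, so the same routine both
    encrypts and decrypts.

    Args:
        encrypted_data: iterable of ints in 0..255 (e.g. ``bytes``).

    Returns:
        A ``bytearray`` with one output byte per input byte.
    """
    # A private generator yields the same sequence as random.seed(114514)
    # followed by module-level calls, without resetting the global RNG state.
    # NOTE(review): assumes the encryptor drew one randint(0, 128) per byte in
    # file order; the decompiled source does not show that loop. Confirm.
    keystream = random.Random(114514)
    # randint is inclusive on both ends, so each key byte lies in 0..128.
    return bytearray(byte ^ keystream.randint(0, 128) for byte in encrypted_data)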

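def read_file(file_path, mode='rb'):
    """Return the entire contents of *file_path*, opened with *mode*.

    The default mode is binary, so the result is ``bytes`` unless the caller
    passes a text mode.
    """
    with open(file_path, mode) as handle:
        return handle.read()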

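def write_file(file_path, data, mode='wb'):
    """Write *data* to *file_path*, opened with *mode*.

    The default mode is binary and truncates any existing file.
    """
    with open(file_path, mode) as handle:
        handle.write(data)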

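def decrypt_file(encrypted_file_path, output_file_path):
    """Decrypt *encrypted_file_path* and write the result to *output_file_path*.

    The whole input is read into memory, passed through ``decrypt_data`` and
    written back out in one piece.
    """
    ciphertext = read_file(encrypted_file_path)
    plaintext = decrypt_data(ciphertext)
    write_file(output_file_path, plaintext)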

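if __name__ == '__main__':
    # Input and output paths are relative to the current working directory.
    encrypted_file_path = 'flag.enc'
    output_file_path = 'flag_decrypted.txt'
    decrypt_file(encrypted_file_path, output_file_path)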

#flag{U_R_g00d_at_do1n_pyc}

2.MWatch

Tip: When a data security researcher analyzes the data collected by smart devices in real time, he detects that a device user has had a high value. Please help analyze the highest value. flag{md5(data acquisition device name data reception device name value)}

Heart Rate appears many times, and the task description points to it, so check only the Heart Rate records.

image-20240428205017240

image-20240428205017240

flag{md5(Mi Smart Band 5_Redmi K40_128)}

flag{453d8feda5adb6e7b4d54f71a9ce9e14}

3.BabyRSA

Tip: An employee had an initial value used to generate prime numbers and ran this algorithm for a long time. The program was accidentally terminated and the initial value was accidentally deleted. Can the plaintext be restored?

Source code:

#task.py

#!/usr/bin/env python3

# -*- coding: utf-8 -*-

from secret import flag,init

from Crypto.Util.number import *

from sage.all import *

from gmpy2 import iroot

# Plaintext flag as an integer.
m=bytes_to_long(flag.encode())
# 128-bit prime. It is printed below, so it is public rather than secret.
r=getPrime(128)
# p is assigned but unused by the active code: the lines that would have
# derived it from init, and the modulus that used it, are commented out.
p=init
# for i in range(r-1):
# p +=next_prime(init)
# assert iroot(p,3)[1]==1
# 12-bit prime: the only factor of N that is not printed.
q=getPrime(12)
# N=p*q*r
# Modulus actually used. With r published, everything about N is known except
# the 12-bit q, so N provides no factoring hardness.
N=r**4*q
# 17-bit prime public exponent (printed below).
e=getPrime(17)
# Textbook RSA encryption with no padding.
c=pow(m,e,N)
print(f'r={r}')
print(f'e={e}')
print(f'c={c}')

# r=287040188443069778047400125757341514899

# e=96001

# c=7385580281056276781497978538020227181009675544528771975750499295104237912389096731847571930273208146186326124578668216163319969575131936068848815308298035625

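The only unknown factor is the 12-bit prime q, which can be brute-forced; the script below instead decrypts modulo r^4 directly, which recovers the plaintext as long as m < r^4: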

from Crypto.Util.number import long_to_bytes, inverse

# Public values printed by task.py.
r=287040188443069778047400125757341514899
e=96001
c=7385580281056276781497978538020227181009675544528771975750499295104237912389096731847571930273208146186326124578668216163319969575131936068848815308298035625
# task.py uses N = r**4 * q. Because r**4 divides N, c mod r**4 equals
# m**e mod r**4, so the unknown q is not needed provided m < r**4.
n=r**4
# r is prime, so phi(r**4) = r**4 - r**3 = r**3 * (r - 1) exactly. This is the
# correct totient for the reduced modulus, not an approximation.
phi_n=r**4 - r**3
# The inverse exists only when gcd(e, phi_n) == 1.
d=inverse(e, phi_n)
# Decrypt message
m=pow(c, d, n)
# Convert number to bytes
message=long_to_bytes(m)
print(message)

#flag{3b0ce326141ea4f6b5bf2f37efbd1b42}

4.Backpack

Knapsack (backpack) encryption; a lattice basis reduction algorithm such as BKZ recovers a reduced basis that contains the solution (the script below calls LLL)

#!/usr/bin/env python3

# -*- coding: utf-8 -*-

from sage.all import *

from secret import flag

from Crypto.Util.number import *

from math import log2

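class Knapsack:
    """Subset-sum ("knapsack") toy cipher over the bits of a message.

    Each message bit selects one random public weight and the ciphertext is
    the sum of the selected weights. ``enc`` prints the weights, the sum and
    the density ``n / log2(max(M))``. Low-density instances (below roughly
    0.94) are the regime where lattice reduction is known to recover the
    bits, so the printed density shows how weak a given instance is.
    """

    def __init__(self, n, m):
        """Store the weight count *n* and the bit list of the integer *m*."""
        self.M = []
        self.n = n
        self.m = self.pre(m)
        # A and B are initialised but never read in the code shown.
        self.A = 0
        self.B = 0

    def pre(self, m):
        """Return the binary digits of *m* as ints, most significant first."""
        return [int(bit) for bit in bin(m)[2:]]

    def get_M(self):
        """Draw ``self.n`` random weights in [2**34, 2**35] into ``self.M``."""
        self.M = [randint(2**34, 2**35) for _ in range(self.n)]

    def calc_density(self):
        """Print the knapsack density n / log2(max weight)."""
        d = self.n / log2(max(self.M))
        print(d)

    def enc(self):
        """Generate fresh weights, then print the density, ciphertext and weights."""
        self.get_M()
        self.calc_density()
        # Indexing (not zip) keeps the IndexError if there are fewer weights
        # than message bits.
        C = sum(self.m[t] * self.M[t] for t in range(len(self.m)))
        print(f'C={C}')
        print(f'M={self.M}')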

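if __name__ == '__main__':
    m = bytes_to_long(flag.encode())
    # One public weight per message bit.
    n = m.bit_length()
    k = Knapsack(n, m)
    k.enc()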

# C=231282844744

# M=[27811518167, 19889199464, 19122558731, 19966624823, 25670001067, 30690729665, 23936341812, 31011714749, 30524482330, 21737374993, 17530717152, 19140841231, 33846825616, 17334386491, 28867755886, 29354544582, 21758322019, 27261411361, 31465376167, 26145493792, 27075307455, 33514052206, 25397635665, 21970496142, 30801229475, 22405695620, 18486900933, 27071880304, 17919853256, 18072328152, 21108080920]

Execute in sagemath:

from Crypto.Util.number import long_to_bytes

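C = 231282844744
M = [27811518167, 19889199464, 19122558731, 19966624823, 25670001067, 30690729665,
     23936341812, 31011714749, 30524482330, 21737374993, 17530717152, 19140841231,
     33846825616, 17334386491, 28867755886, 29354544582, 21758322019, 27261411361,
     31465376167, 26145493792, 27075307455, 33514052206, 25397635665, 21970496142,
     30801229475, 22405695620, 18486900933, 27071880304, 17919853256, 18072328152,
     21108080920]

# Basis rows are (e_i | M_i) plus a final row (0 ... 0 | C). Any lattice vector
# whose last coordinate is 0 carries coefficients x with sum(x_i * M_i) equal
# to a multiple of C.
L = block_matrix([[1, matrix(ZZ, M).T], [0, C]]).LLL()

for row in L:
    coeffs = [int(v) for v in row[:-1]]
    # NOTE(review): the listing as posted kept only rows whose coefficients
    # were all identical (len(set(...)) == 1). That rejects any solution that
    # mixes 0 and 1 bits. A candidate is a row of 0/1 values, or 0/-1 when the
    # reduced vector comes out negated.
    one_sign = all(v in (0, 1) for v in coeffs) or all(v in (0, -1) for v in coeffs)
    if row[-1] != 0 or not one_sign:
        continue
    bits = [abs(v) for v in coeffs]
    # Verify the candidate against the published sum before trusting it.
    if sum(b * w for b, w in zip(bits, M)) != C:
        continue
    ans = int(''.join(map(str, bits)), 2)
    print(long_to_bytes(ans))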

5.Targeted Data Collection

import openpyxl

import requests

import time

from urllib.parse import urlencode

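# Plain-HTTP endpoint: the ID-card numbers in the JSON body travel unencrypted.
burp0_url = 'http://121.40.65.125:23328/submit'


def separate_name_and_id(input_file, output_file):
    """Submit one form per sex value for every "name----id" row of a workbook.

    Reads column A of the active sheet of *input_file*, splits each cell on
    ``----`` into a name and an ID-card number, derives the age from the
    birth date embedded in the ID, and POSTs two JSON forms (male and female)
    to ``burp0_url``. Names and ID numbers are also printed to stdout.

    Args:
        input_file: path of the .xlsx workbook to read.
        output_file: unused; the code that wrote the split data was disabled.
    """
    wb = openpyxl.load_workbook(input_file)
    try:
        ws = wb.active
        for row in ws.iter_rows(min_row=1, max_col=1, max_row=ws.max_row, values_only=True):
            if not row[0]:
                continue
            name, id_number = row[0].split('----')  # Extract name and identity card
            print(name, id_number)
            # Characters 6..9 of the ID are the birth year, 10..11 the month.
            age = 2024 - int(id_number[6:10])
            # NOTE(review): the comparison operator was lost from the posted
            # listing. `> 4` is assumed (birthday after April not yet reached
            # on the 2024 reference date). Confirm against the original.
            if int(id_number[10:12]) > 4:
                age -= 1
            # Both sex values are submitted for each record. Every other
            # field is a fixed placeholder.
            payloads = [
                {'address': 'asd', 'age': str(age), 'ethnicity': 'as', 'experience': '1',
                 'idcard': id_number, 'name': 'a', 'phonenumber': '12312331233',
                 'position': 'as', 'sex': sex}
                for sex in ('male', 'female')
            ]
            try:
                # A timeout keeps one unresponsive request from hanging the run.
                r0 = requests.post(burp0_url, json=payloads[0], timeout=10)
                r1 = requests.post(burp0_url, json=payloads[1], timeout=10)
                print(r0.request.body)
                print(r0.text, r1.text)
            except requests.exceptions.RequestException:
                # `requests.exceptions` is a module, not an exception class.
                # Naming it in `except` raises TypeError instead of catching
                # the network error.
                print('err')
    finally:
        # Release the workbook even if a row fails to parse.
        wb.close()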

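if __name__ == '__main__':
    input_file = 'data1.xlsx'
    output_file = 'separated_data.xlsx'  # No use, it's discarded
    separate_name_and_id(input_file, output_file)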

6.weather

Review bundle.js

image-20240428213212351

image-20240428213230335

Take parameters to access

Image

7.mysql cleanup

Tip:

According to the requirements, some users' data must be completely deleted from the database. Connect to the provided mysql container and delete the users with ids 5142, 2123, 1169, and 8623 from all tables in ctf. These users must be cleaned up thoroughly: no residual data may be recoverable on the server, and other users' data must not be changed. When the operation succeeds, the system writes the flag into the ctf.flag table. (mysql ctf user password pswd@123)

-- Remove the four users' rows from the per-user tables first, then from User.
-- NOTE(review): an InnoDB DELETE does not immediately erase the row contents
-- from the data file, so a DELETE alone does not satisfy a "no residual data"
-- requirement.
DELETE FROM ShoppingCart WHERE user_id in ('5142','2123','1169','8623');
DELETE FROM TransactionHistory WHERE user_id in ('5142','2123','1169','8623');
DELETE FROM UserLog WHERE user_id in ('5142','2123','1169','8623');
DELETE FROM Wallet WHERE user_id in ('5142','2123','1169','8623');
-- User is keyed by id rather than user_id.
DELETE FROM User WHERE id in ('5142','2123','1169','8623');

Rebuild the tables to clear the data that remains after deletion

-- ALTER TABLE ... ENGINE=InnoDB on a table that is already InnoDB rebuilds it,
-- writing a fresh copy that holds only the live rows.
-- NOTE(review): Wallet had rows deleted above but is not rebuilt here, while
-- Orders is rebuilt without a matching DELETE. Confirm both are intended.
-- NOTE(review): a table rebuild does not touch binary logs or backups; check
-- those separately if the deleted rows must be unrecoverable.
alter table User engine=innodb;
alter table UserLog engine=innodb;
alter table TransactionHistory engine=innodb;
alter table ShoppingCart engine=innodb;
alter table Orders engine=innodb;

image-20240428213639377

8.Phantom Square

An order-3 magic square has only eight solutions, so just try a few more times

import hashlib
import itertools
import random
import string

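# Define the character set as alphanumeric characters
charset = string.ascii_letters + string.digits


def find_prefix(suffix, target_hex, length=4, alphabet=charset):
    """Return the prefix whose SHA-256 with *suffix* equals *target_hex*.

    Candidates are enumerated exhaustively instead of sampled at random, so
    the search is deterministic, never repeats a candidate and always
    terminates (62**4 = 14,776,336 candidates for the defaults).

    Args:
        suffix: known tail of the proof-of-work string.
        target_hex: lowercase hex SHA-256 digest to match.
        length: number of unknown leading characters.
        alphabet: characters the prefix may contain.

    Returns:
        The matching prefix, or ``None`` if no candidate matches.
    """
    tail = suffix.encode()
    for combo in itertools.product(alphabet, repeat=length):
        prefix = ''.join(combo)
        if hashlib.sha256(prefix.encode() + tail).hexdigest() == target_hex:
            return prefix
    return None


if __name__ == '__main__':
    # Suffix and digest as issued by the challenge server for this session.
    print(find_prefix(
        'CyhQp8lsgzYjTNUD',
        '11f8af166cc28e24b4646cc300436f4d4bf8e11b2327379331a3eca2d5fc7c0c',
    ))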

'''

[2, 7, 6, 9, 5, 1, 4, 3, 8]

[2, 9, 4, 7, 5, 3, 6, 1, 8]

[4, 3, 8, 9, 5, 1, 2, 7, 6]

[4, 9, 2, 3, 5, 7, 8, 1, 6]

[6, 1, 8, 7, 5, 3, 2, 9, 4]

[6, 7, 2, 1, 5, 9, 8, 3, 4]

[8, 1, 6, 3, 5, 7, 4, 9, 2]

[8, 3, 4, 1, 5, 9, 6, 7, 2]

4 3 8

9 5 1

2 7 6

'''

image-20240428214506459
