VNCTF-ezmath

服务端代码

from Crypto.Util.number import*
import random
from secret import flag,check
from hashlib import sha256
import socketserver
import signal
import string 

table = string.ascii_letters+string.digits
class Task(socketserver.BaseRequestHandler):
    def _recvall(self):
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) < BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except:
            pass

    def recv(self, prompt=b''):
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256(proof).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return True

    def handle(self):
        proof = self.proof_of_work()
        if not proof:
            self.request.close()
        counts = 0
        signal.alarm(60)
        for i in range(777):
            times = getPrime(32)
            self.send(b'plz give me the ' + str(times).encode() + b'th (n) that satisfying (2^n-1) % 15 == 0:')
            n = int(self.recv())
            a , ret = check(times,n)
            if a == True:
                self.send(ret.encode())
                counts += 1
            else:
                self.send(ret.encode())
        if counts == 777:
            self.send(b'You get flag!')
            self.send(flag)
        else:
            self.send(b'something wrong?')
        self.request.close()

class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    pass

if __name__ == "__main__":
    HOST, PORT = '0.0.0.0', 10001
    print("HOST:POST " + HOST+":" + str(PORT))
    server = ForkedServer((HOST, PORT), Task)
    server.allow_reuse_address = True
    server.serve_forever() 

前面四个字符只需要爆破一下就可以，后面需要找出满足 (2^n-1) % 15 == 0 的第几个n来，比如满足该条件的第一个n为4，第二个n为8，这就是个等差数列。
An = 4n

import hashlib   #包含库
from pwn import *
import string
#context(arch = 'i386',os = 'linux')
r = remote('node4.buuoj.cn',28620) #连接
t = r.recvline()
print(r.recv())
a = str(t[16:32],'utf-8')
s = str(t[37:-1],'utf-8')
x = ''
print("t = ",t)
print("a = ",a)
print("s = ",s)

# s1 = '49b1eafc509dcd2420608934717fcea73ed476659159cb65b938db6f362234ea'
# a1 = 'FTuXanqOblgkg4yS'
# print("s1 = ", s1)
# print("a1 = ",a1)
def xxx(a,s):   #爆破
    for j1 in range(32,128):
        for j2 in range(32,128):
            for j3 in range(32,128):
                for j4 in range(32,128):
                    t = ''
                    t = chr(j1) + chr(j2) + chr(j3) + chr(j4) + a
                    if hashlib.sha256(t.encode('utf-8')).hexdigest() == s:
                        c = chr(j1)+chr(j2)+chr(j3)+chr(j4)
                        print(c)
                        return c                       
x = xxx(a,s)  #调用函数
r.sendline(x)
# t1 = r.recvline()
# num = int(t1[16:26])
# num *= 4
# r.sendline(num)  
count = 0
for i in range(777):
    t1 = r.recvline()
    num = int(str(t1[16:26],'utf-8'))  #需要转换编码格式
    num *= 4
    print("t1=",t1)
    # print("num=",num)
    str1 = str(num)    #这里要有个转为字符串，因为服务端代码接受后有个int()函数转换，如果int()里面接收到的是数字会报错。
    count += 1
    r.sendline(str1)
    print(r.recvline(),"count=",count)

print(r.recv())
print(r.recv())