文章时间太早,图片丢失
# Crypto-RingRingRing
连上后先是让我们输验证码,MD5,这个没什么好说的,爆破一下就出了。
然后让我们给出满足条件
a**4 + b**4 + c**4 + d**4 = e**2
的 100 个 a,b,c,d,e
依旧是爆破,判断 sqrt(a**4 + b**4 + c**4 + d**4) 的值为整数时,依次输出 a,b,c,d,e 就可以了,输出 100 个之后返回就可以得到 flag
from pwn import*
from math import sqrt
r=remote('192.168.39.25',2378)
def myhash(text):
mysha = hashlib.md5()
mysha.update(text)
return mysha.hexdigest()
def passPoW(plain, cipher):
dic = string.digits+string.ascii_letters
for a0 in dic:
for a1 in dic:
for a2 in dic:
for a3 in dic:
for a4 in dic:
tmp = bytes((str(a0)+str(a1)+str(a2)+str(a3)+str(a4)+str(plain)).encode())
if(myhash(tmp)[0:5]==cipher):
return str(a0)+str(a1)+str(a2)+str(a3)+str(a4)
def q1():
num=0
for a in range(1,100):
for b in range(1,100):
for c in range(1,100):
for d in range(1,100):
if(sqrt(a**4 + b**4 + c**4 + d**4)%1==0):
print(r.recvuntil('a:').decode())
r.send(bytes(str(a).encode()))
#print(bytes(str(a).encode()))
print(r.recvuntil('b:').decode())
r.send(bytes(str(b).encode()))
#print(bytes(str(b).encode()))
print(r.recvuntil('c:').decode())
r.send(bytes(str(c).encode()))
#print(bytes(str(c).encode()))
print(r.recvuntil('d:').decode())
r.send(bytes(str(d).encode()))
#print(bytes(str(d).encode()))
print(r.recvuntil('e:').decode())
r.send(bytes(str(int(sqrt(a**4 + b**4 + c**4 + d**4))).encode()))
#print(bytes(str(int(sqrt(a**4 + b**4 + c**4 + d**4))).encode()))
print(r.recvline())
num+=1
print(num)
if(num == 100):
return
st = r.recvuntil(b'\n')
print(st.decode())
plain = st[36:40].decode()
print(plain)
cipher = st[50:-1].decode()
print(cipher)
res = passPoW(plain, cipher)
print(res)
print(r.recv().decode())
r.sendline(res.encode())
q1()
r.interactive()
