update 2021年09月27日 15:39:25

.gitignore

@@ -1,6 +1,7 @@
 push.sh
 /assets/Temp
 /1earn/Develop/*
+/1earn/Security/Crypto/RSA.md
 /1earn/Security/RedTeam/Web安全/靶场/sqli-labs-WalkThrough.md
 /1earn/Security/安全资源/靶机/VulnHub/symfonos/symfonos6-WalkThrough.md
 /1earn/Security/RedTeam/语言安全/*

1earn/Integrated/Linux/Power-Linux.md

@@ -5261,7 +5261,9 @@ setenforce 0    # 关闭 selinux
 
 - docker timeout
   ```bash
-  echo "nameserver 114.114.114.114" > /etc/resolv.conf
+  echo "nameserver 8.8.8.8" > /etc/resolv.conf
+  sudo systemctl daemon-reload
+  sudo systemctl restart docker
   ```
 
 - 容器 "Exited (0)" 自动退出

1earn/Integrated/Linux/Speed-Linux.md

@@ -1341,14 +1341,14 @@ iptables-restore </root/firewall_rules.backup	# 恢复规则
 iptables -F  		# 清除防火墙配置
 ```
 
+### ufw
+
 **Ubuntu 关闭防火墙**
 ```bash
 ufw disable
 ```
 
-### ufw
-
-见 [ufw.md](./实验/ufw.md)
+更多内容见 [ufw.md](./实验/ufw.md)
 
 ---
 
@@ -1435,6 +1435,12 @@ rm /var/lib/apt/lists/lock
 aptitude install <packagename>	# 该工具会想方设法的帮助你安装(提示依赖、其他安装包等等)
 ```
 
+**dpkg: error: parsing file '/var/lib/dpkg/updates/0023' near line 0**
+```bash
+rm /var/lib/dpkg/updates/*
+apt-get update
+```
+
 **禁用 Ubuntu 自动更新**
 ```bash
 nano /etc/apt/apt.conf.d/20auto-upgrades

1earn/Security/BlueTeam/笔记/内存取证.md

@@ -247,7 +247,7 @@ VMWare 虚拟机在暂停或挂起时, 内存状态信息会保存在以. Vmss 
 
 - Bin2Dmp
     ```bash
-    # 据说可以从 vmem 转为 dmp,但我测试时未成功
+    # 将 vmem 文件转为 dmp 文件
     Bin2Dmp.exe vmware.vmem vmware.dmp
     ```
 
@@ -274,10 +274,11 @@ VMWare 虚拟机在暂停或挂起时, 内存状态信息会保存在以. Vmss 
 
 # 内存分析
 
-**内存取证工具**
+**内存分析工具**
 - [Volatility](../../安全工具/Volatility.md) - Volatility Framwork 是一款开源的基于 Python 开发的内存分析框架，它自带的分析插件支持分析内存镜像中所保留的历史网络连接信息、历史进程、历史命令记录等等。
 - [Elcomsoft Forensic Disk Decryptor](https://cn.elcomsoft.com/efdd.html) - 即时访问保存在加密的 BitLocker，FileVault 2，PGP，TrueCrypt 和 VeraCrypt 存储中的数据。该工具从 RAM 捕获数据，休眠和页面文件中提取加密密钥，或使用纯文本密码或托管密钥来解密存储在加密容器中的文件和文件夹，或者将加密卷装载为新的驱动器号，以便进行实时访问。
 - [gleeda/memtriage](https://github.com/gleeda/memtriage) - 集成了 Winpmem 和 Volatility 的工具
 - WinHex
 - 取证大师
 - [makomk/aeskeyfind](https://github.com/makomk/aeskeyfind) - 该工具用于在内存转储中寻找 AES 密钥
+- Passware Kit Forensic - 用于从内存、磁盘中恢复密码

1earn/Security/BlueTeam/笔记/磁盘取证.md

@@ -115,6 +115,7 @@ xmount --in ewf --out vdi --cache ~/tmp/MyDisk.cache ~/tmp/cyq.E?? ~/mnt0
     7z x xxx.vmdk -o/tmp
     ```
 - [MFTExplorer](https://ericzimmerman.github.io/#!index.md)
+- Passware Kit Forensic - 用于从内存、磁盘中恢复密码
 
 **光盘镜像**
 - UItralSO

1earn/Security/CTF/CTF.md

@@ -111,6 +111,10 @@ AWD
 
 # 知识点学习
 
+## Web
+
+- [CTF中的命令执行绕过](https://mp.weixin.qq.com/s/fs-IKJuDptJeZMRDCtbdkw)
+
 ## Misc
 
 - [ctf001 | Glun](http://www.glun.top/2020/05/23/ctf01/)
@@ -284,6 +288,9 @@ AWD
 
 ### 羊城杯
 
+**2021**
+- [2021年“羊城杯”网络安全大赛部分Writeup](https://blog.csdn.net/qq_42815161/article/details/120260053)
+
 **2020**
 - [羊城杯-Reverse-WP](https://www.zrzz.site/2020/09/11/%E7%BE%8A%E5%9F%8E%E6%9D%AF-Reverse-WP/)
 - [羊城杯Easy Java题解](https://zhzhdoai.github.io/2020/09/11/%E7%BE%8A%E5%9F%8E%E6%9D%AFEasy-Java%E9%A2%98%E8%A7%A3/)
@@ -318,6 +325,9 @@ AWD
 
 ### 祥云杯
 
+**2021**
+- [2021第二届“祥云杯”网络安全大赛 部分Writeup](https://blog.csdn.net/qq_42815161/article/details/119867158)
+
 **2020**
 - [祥云杯-Writeup](https://mp.weixin.qq.com/s/D2hdFISbttaezhnqnHFEsQ)
 - [祥云杯2020 部分WriteUp](https://mp.weixin.qq.com/s/CP3-W8VcLokQNYMSbXw9wg)
@@ -331,6 +341,14 @@ AWD
 
 ---
 
+### 陇剑杯
+
+**2021**
+- [陇剑杯 个人 ’WriteUp‘](http://www.snowywar.top/?p=2554)
+- [安全-陇剑杯2021（部分）](https://blog.csdn.net/smallfox233/article/details/120291706)
+
+---
+
 ### 2020
 
 **宁波市第三届网络安全大赛**
@@ -444,6 +462,9 @@ AWD
 
 ### XCTF
 
+**2021 RCTF**
+- [RCTF-2021 部分WriteUp](https://mp.weixin.qq.com/s/EnncNONPhgrZCgeYDE5Q2A)
+
 **2020 wmctf**
 - [Nobody knows BaoTa better than me WriteUp](https://www.zhaoj.in/read-6660.html)
 - [W&MCTF_Dalabengba](http://www.fzwjscj.xyz/index.php/archives/37/)
@@ -491,6 +512,9 @@ AWD
 
 ### DASCTF
 
+**21.8**
+- [2021DASCTF八月挑战赛Writeup](https://blog.csdn.net/qq_42815161/article/details/120010131)
+
 **20.8**
 - [DASCTF 八月赛 Crypto 部分Writeup](https://www.anquanke.com/post/id/215484)
 - [DASCTF八月赛学习](https://troyess.com/2020/09/07/DASCTF%E5%85%AB%E6%9C%88%E8%B5%9B%E5%AD%A6%E4%B9%A0/)

1earn/Security/CTF/writeup/2020-10-全国网络与信息安全管理职业技能大赛江苏场.md

@@ -144,3 +144,97 @@ key:a46dc78d0798c844
 ![](../../../../assets/img/Security/CTF/writeup/2020-10-全国网络与信息安全管理职业技能大赛江苏场-writeup/16.png)
 
 ![](../../../../assets/img/Security/CTF/writeup/2020-10-全国网络与信息安全管理职业技能大赛江苏场-writeup/17.png)
+
+---
+
+# Crypto
+
+## RSA1
+
+
+```
+XH想要给YF发送一个重要文件，为了不被他人窃取到，XH向YF索要了他的公钥文件信息。
+YF将他现在使用的公钥发送给了XH：
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0XAw5rV1kqGzeJ1SDB5pTkgO9
+RSBgCPm0l5DtdXUDGIJ3dbVC6TOQUHSNFrJPB6AeaSqagyfQCVSUv2EzO/3PLvox
+b7hxazHIA2eMZiM3sHcIV9RTdx9pJorDUSB2fV9cnQUiK2smr8X1dt9RCmygpSCf
+Ny0ZUYq3DfP/HuErmQIDAQAB
+-----END PUBLIC KEY-----
+XH用公钥对这个重要的文件进行了加密，然后将密文文件发送给YF：
+UtowVjnLpRLTx2oBQlLKDP5cSfvXsz5RB/zO7nqfT6V3wgyK04JOXppCCY/p55rONh2+AZ7NAm3wvu4UwKwZxnw7qtRDSRL6bGZISyrJnyjEXfZHcOSf5BNcjQkJQYRbfN85Z3Ycg+84ABdF+jP7ekQaYikp2duqCoFBJYQcOWw=
+但是XH没想到HZ那居然存有YF一组以前用过的私钥信息{n,e,d}：
+{126652791247329858012081502617335427176078480967667235544422134698198761482081791188813953951941166617081546172312960216751960777234759603468040766428093969369837780011477003514642408424390144176644572101310535367720328881391192872513206457534291258525724324556727750428833407076738446023533405981578792872857,11666173,78440145437642026565505218176077635100043568658968467746538509828225145179636090827892006864282536091633117590477854513613339188289472952126032503980856086589942743747087799102224535294351908895347839402204845161252154330813186873353157721693911405483196449338177610947843869107506937519564559825768669662629}
+就这样，XH发送的文件泄露了。
+XH发送给YF的信息即为key文件信息。
+```
+
+```py
+# coding=utf-8
+import random
+import libnum
+
+d = 78440145437642026565505218176077635100043568658968467746538509828225145179636090827892006864282536091633117590477854513613339188289472952126032503980856086589942743747087799102224535294351908895347839402204845161252154330813186873353157721693911405483196449338177610947843869107506937519564559825768669662629
+e = 11666173
+n = 126652791247329858012081502617335427176078480967667235544422134698198761482081791188813953951941166617081546172312960216751960777234759603468040766428093969369837780011477003514642408424390144176644572101310535367720328881391192872513206457534291258525724324556727750428833407076738446023533405981578792872857
+
+k = e * d - 1
+
+r = k
+t = 0
+while True:
+    r = r // 2
+    t += 1
+    if r % 2 == 1:
+        break
+
+success = False
+
+for i in range(1, 101):
+    g = random.randint(0, n)
+    y = pow(g, r, n)
+    if y == 1 or y == n - 1:
+        continue
+
+    for j in range(1, t):
+        x = pow(y, 2, n)
+        if x == 1:
+            success = True
+            break
+        elif x == n - 1:
+            continue
+        else:
+            y = x
+
+    if success:
+        break
+    else:
+        continue
+
+if success:
+    p = libnum.gcd(y - 1, n)
+    q = n // p
+    print('P: ' + '%s' % p)
+    print('Q: ' + '%s' % q)
+else:
+    print('Cannot compute P and Q')
+```
+
+```py
+from Crypto.Util.number import *
+import gmpy2
+
+c=0x52da305639cba512d3c76a014252ca0cfe5c49fbd7b33e5107fcceee7a9f4fa577c20c8ad3824e5e9a42098fe9e79ace361dbe019ecd026df0beee14c0ac19c67c3baad4434912fa6c66484b2ac99f28c45df64770e49fe4135c8d090941845b7cdf3967761c83ef38001745fa33fb7a441a622929d9dbaa0a814125841c396c
+e=65537
+p=9626976998826419276843416143425596889733974434851882744368169052238235836115584054010100532560561818209484869817186516716761718401370275591484387689682663
+q=13156029277183223805880847083808239023127130161857296889657452481663176035839817652134147518151213582890894140345326262383715549586968078944271185038023039
+d=72222837702293535768001433019745480940909791273992705292676564657233076187624711236528298321435910688825725064493033694255981783829248148386523941024928314873171902399507717591254570081837629624858628871549140866333768191888355910619817655799523654014573134778364308643953515513914429171468097991764936866609
+
+n=p*q
+d=gmpy2.invert(e,(q-1)*(p-1))
+
+print(pow(c, d, n))
+print(long_to_bytes(pow(c, d, n)))
+```
+
+key:12e791ac27df4c99

1earn/Security/CTF/writeup/2021-9-全国网络与信息安全管理职业技能大赛江苏场.md

@@ -0,0 +1,71 @@
+# Misc
+
+`赛后复现`
+
+## hardstego
+
+给出一个压缩包,里面有 hardstego.png
+
+png 图片猜测可能有 lsb 隐写,用 Stegsolve 分离得到一个压缩包
+
+![](../../../../assets/img/Security/CTF/writeup/2021-9-全国网络与信息安全管理职业技能大赛江苏场/1.png)
+
+解压得到 cute.jpg ,尝试多种 jpg 隐写方式无果,010 打开发现有未知数据流在文件末尾
+
+![](../../../../assets/img/Security/CTF/writeup/2021-9-全国网络与信息安全管理职业技能大赛江苏场/2.png)
+
+手动分离一下是一模一样的图片,按照套路要么盲水印要么 xor
+
+Stegsolve 中用 image combiner 得到 flag
+
+![](../../../../assets/img/Security/CTF/writeup/2021-9-全国网络与信息安全管理职业技能大赛江苏场/3.jpg)
+
+---
+
+# Crypto
+
+`赛后复现`
+
+## easyRSA
+
+```py
+from flag import flag
+from Crypto.Util.number import *
+
+p = getPrime(1024)
+q = getPrime(1024)
+e = 65537
+n = p*q
+
+m = bytes_to_long(flag)
+
+print n
+print pow(m, e, n)
+print p>>256<<256
+
+# output
+# 26406507468595611843852094067483173843988114465094045314324958205247973393878612589146897816881236818219902539975703710689353618174826904300589643161784341674436810639999244652231756242284615955258973430337702733454791782484002773967293198343866259490519754466626455660967042613249021854707331393440280088268816341057924652807723419166490363777181753297185283416885627445213950857480287818564281651822264024891956284486733856518809532470029519647769749231421957169481281821885757924521580543834665554242403238567286205389138437021157096962185096308108489101554724344868500500476691994206988217768341711716527866730487
+# 22371088752722216457725632164373582195669473128756299754645443284929524768654545905154985577175225182544638209286885657892360668965805613727315024761409924679131145149936406239774150607378706790494820180586939668429812955766507811860718575149988809217701964019618239260041070894375952033566803105327100696642244951676616707205397327491933042019560545721027871057909242509336729865025061616686254481161431063503607378134616485979961926628954536592552923269161255759846497309277397441639921544384778106116567555705005440627393593876072210594939647990615797269482726733444406876986888296295032722008287447468255108089357
+# 159945952275533485818121954231313618960321976049710904254772419907677971914439101482974923293074598678164025819370654132149566696084245679106109087142916286461708005676333840438629476722637189134626565206159794947442549588155962485884562239895738265024295739578695834796427810095412842888401159276765814718464
+```
+
+已知高位攻击,用 sage 脚本改下位数跑就可以了
+```
+n = 26406507468595611843852094067483173843988114465094045314324958205247973393878612589146897816881236818219902539975703710689353618174826904300589643161784341674436810639999244652231756242284615955258973430337702733454791782484002773967293198343866259490519754466626455660967042613249021854707331393440280088268816341057924652807723419166490363777181753297185283416885627445213950857480287818564281651822264024891956284486733856518809532470029519647769749231421957169481281821885757924521580543834665554242403238567286205389138437021157096962185096308108489101554724344868500500476691994206988217768341711716527866730487
+p_fake = 159945952275533485818121954231313618960321976049710904254772419907677971914439101482974923293074598678164025819370654132149566696084245679106109087142916286461708005676333840438629476722637189134626565206159794947442549588155962485884562239895738265024295739578695834796427810095412842888401159276765814718464
+
+pbits = 1024
+kbits = 256
+pbar = p_fake & (2^pbits-2^kbits)
+print("upper %d bits (of %d bits) is given" % (pbits-kbits, pbits))
+
+PR.<x> = PolynomialRing(Zmod(n))
+f = x + pbar
+
+x0 = f.small_roots(X=2^kbits, beta=0.4)[0]  # find root < 2^kbits with factor >= n^0.3
+print(hex(int(x0 + pbar)))
+```
+
+得到 p=0xe3c545d18d3292c89e6075bdf276824fac4887651f2aa17c1aae5cf7c1638fe280a2f636b3eb5b549239e75519e217610fc59f7b8ffac8cab87a047efc8499b09121ff486cbf929ebb6880092b0a89d4901b13eabdaae047e2f9821b78bb98814c88e444a7a2db5e9f3789a5855791c29cbdd5debbed8eba0714d80cc1583e71
+
+解密得 flag{f4f41143a6fc8f8f7365c6ccb5e3cb78}