2024BaseCTFweek1wp

WTT0011

已于 2024-08-29 09:55:55 修改

阅读量1.1k

点赞数 24

分类专栏：比赛复现文章标签： web安全网络安全网络安全 ctf

于 2024-08-29 08:47:06 首次发布

本文链接：https://blog.csdn.net/CLAY0011/article/details/141662524

版权

比赛复现专栏收录该内容

21 篇文章 0 订阅

订阅专栏

misc

你也喜欢圣物吗

lsb隐写

得到key

lud1_lud1

解压，伪加密修复

BaseCTF{1u0_q1_x1_51k1}

根本进不去啊!

在线网站解

在线域名解析记录检测-在线Nslookup域名解析查询工具

BaseCTF{h0h0_th1s_15_dns_rec0rd}

海上遇到了鲨鱼

就导出这个文件

}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB

文字倒序工具,在线文字倒序去这个网站反转文字

BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}

正着看还是反着看呢？

jpg文件

with open("flag", 'rb') as f:
    with open("output.jpg", 'wb') as g:
        g.write(f.read()[::-1])

用脚本翻转一下

章若楠

分离一下

BaseCTF{h3ll0_h4cker}

Base

赛博厨子梭了

BaseCTF{we1c0me_to_b4sectf}

人生苦短，我用Python

猜谜题目

BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}

长度检查: len(flag) != 38
我们的flag必须是38个字符长。
前缀检查: flag.startswith('BaseCTF{')
flag必须以BaseCTF{开头。
特定字符检查: flag.find('Mp') != 10
flag的第10和第11个字符应该是Mp。
后缀检查: flag[-3:] * 8 != '3x}3x}3x}3x}3x}3x}3x}3x}'
flag的倒数第三个字符到结尾应该是3x}。
结尾字符检查: ord(flag[-1]) != 125
flag的最后一个字符必须是}，因为125是}的ASCII码。
下划线检查: flag.count('_') // 2 != 2
flag中应该有4个下划线，因为4 // 2 == 2。
分割检查: list(map(len, flag.split('_'))) != [14, 2, 6, 4, 8]
flag在以_分割后，分割出的部分长度应该分别为14, 2, 6, 4, 8。
特定位置检查: flag[12:32:4] != 'lsT_n'
flag在第12到32个字符中，每隔4个字符应该是lsT_n。
大写字符检查: flag[:9]转为大写并用😺连接后应该为B😺A😺S😺E😺C😺T😺F😺{😺S。
数字检查: flag[-11]必须是数字且它的五次方等于1024，唯一符合的数字是4。
Base64编码检查: flag[-7:-3]的Base64编码应该是MG1QbA==，解码后应该是M1Qb。
倒序检查: flag[::-7].encode().hex()倒序编码后应该是7d4372733173，对应的字符串为{sr1}。
集合检查: flag[12::11]形成的集合应该为{'l', 'r'}。
特定字符编码检查: flag[21:27]应该为116, 51, 114, 95, 84, 104的ASCII字符，组成t3r_Th。
加权求和检查: sum(ord(c) * 2024_08_15 ** idx for idx, c in enumerate(flag[17:20])) == 41378751114180610。
字符类型检查: flag[0]是字母，flag[8]是小写字母，flag[13]是数字。
字符串替换检查: {whats} {up}字符串替换后，flag[13]和flag[15]对应的3替换为bro应该得到bro 1。
SHA1哈希检查: flag的SHA1哈希应该是e40075055f34f88993f47efb3429bd0e44a7f479。

BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}

捂住X只耳

去Au，轨道分离立体声到单声道。

选中左声道，在效果中选择反相（上下）

然后 Ctrl + A 全选轨道，在轨道中选择混音->混音并渲染到新轨道。

是摩斯密码

..-. --- .-.. .-.. --- .-- -.-- --- ..- .-. .... . .- .-. -

改大写就好

BaseCTF{FOLLOWYOURHEART}

签到！DK 盾！

BaseCTF{2024_sp0n5ored_by_dkdun}

web

HTTP 是什么呀

根据提示写出相应的数据

跳转了网页，但没有flag，BP抓哥包

出现了base64的编码

解码

喵喵喵´•ﻌ•`

命令执行

?DT=system('ls /');

看到有flag

直接读取flag

?DT=system('cat /flag');

BaseCTF{8eb2a1c2-7de7-437b-bc16-fc3d783b797c}

md5绕过欸

数组烧过

构造

GET: ?name[]=1&name2[]=1

Post: password[]=2&password2[]=2

BaseCTF{7303a874-de8f-4423-86b6-3a1e7b84816a}

A Dark Room

右键查看源代码

BaseCTF{847ff058-c19d-4157-ad42-e9740823d7fe}

upload

上传一个php一句话木马文件，用蚁剑连接

BaseCTF{f726fc86-5dbf-4781-9179-bcf635bb2a4b}

Crypto

helloCrypto

from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import random

flag=b'BaseCTF{}'

key=random.randbytes(16)
print(bytes_to_long(key))

my_aes=AES.new(key=key,mode=AES.MODE_ECB)
print(my_aes.encrypt(pad(flag,AES.block_size)))

# key1 = 208797759953288399620324890930572736628
# c = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'

AES加密

from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
key = 208797759953288399620324890930572736628
key = long_to_bytes(key)
flag = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'
my_aes=AES.new(key=key,mode=AES.MODE_ECB)
print(my_aes.decrypt(pad(flag,AES.block_size)))
#b'BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}\x03\x03\x03\xcd\xc6\xd1d\xb2\xe8\xe6\xca\x12sJ\xaf\xa7<\x9f\xd0'

BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}

你会算 md5 吗

import hashlib

flag='BaseCTF{}'

output=[]
for i in flag:
    my_md5=hashlib.md5()
    my_md5.update(i.encode())
    output.append(my_md5.hexdigest())
print("output =",output)
'''
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']
'''

每个字符都有md5 加密，只需要逐个爆破每个字符就行

import hashlib
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']
flag = ""
for i in output:
    for c in range(1,127):
        c = chr(c)
        my_md5 = hashlib.md5()
        my_md5.update(c.encode())
        if(my_md5.hexdigest()==i):
            flag += c
print(flag)
#BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}

BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}

ez_rsa

from Crypto.Util.number import *
import gmpy2
m=bytes_to_long(b'BaseCTF{th1s_is_fake_fl4g}')
e=65537
p=getPrime(512)
q=getPrime(512)
n=p*q
not_phi=(p+2)*(q+2)
c=pow(m,e,n)

print(n)
print(not_phi)
print(c)


'''
96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
'''

import libnum
e=65537
n = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
not_phi = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
c = 37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
phi = n-(not_phi-n-4)//2+1
d = libnum.invmod(e,phi)
m = pow(c,d,n)
print(libnum.n2s(m))
#BaseCTF{it_1s_ez!!}

BaseCTF{it_1s_ez!!}