NewStarCTF-Week1-Sdegree

web

Leaked Secret

robots.txt
www.zip
Just download them directly.

Begin of HTTP


r.c.e


begin of php

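The first four checks are fairly simple and are mostly solved with arrays. For the last one I used
the two scripts below, whose purpose is RCE without letters or digits.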

```php
<?php
// Build a lookup table: for each printable ASCII character, record pairs of
// bytes that pass the filter and whose XOR equals that character.
$myfile = fopen("xor_rce.txt", "w");
$contents = "";
$preg = '/[a-z0-9]/i'; // adjust to the regular expression given by the challenge
for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {
        $hex_i = sprintf('%02x', $i);
        $hex_j = sprintf('%02x', $j);
        // Skip the pair if either byte is matched by the filter
        if (preg_match($preg, hex2bin($hex_i)) || preg_match($preg, hex2bin($hex_j))) {
            continue;
        }
        $a = '%' . $hex_i;
        $b = '%' . $hex_j;
        $c = (urldecode($a) ^ urldecode($b));
        // Keep only pairs whose XOR is a printable ASCII character
        if (ord($c) >= 32 && ord($c) <= 126) {
            $contents = $contents . $c . " " . $a . " " . $b . "\n";
        }
    }
}
fwrite($myfile, $contents);
fclose($myfile);
```

```python
# -*- coding: utf-8 -*-

# author yu22x

def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        # Take the first table line whose XOR result is this character
        with open("xor_rce.txt", "r") as f:
            for t in f:
                if t[0] == i:
                    s1 += t[2:5]
                    s2 += t[6:9]
                    break
    output = "(\"" + s1 + "\"^\"" + s2 + "\")"
    return output

while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:")) + ";"
    print(param)
```

Begin of Upload

Simply disable JavaScript and the upload goes through, then connect with AntSword.

ErrorFlask

Passing 1 triggers an error, and the answer is right there in the source code.

EasyLogin

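Register first, then notice the value in question.
Change your own 0 to 1.
This opens a command-line interface.
Exit it with Ctrl+D.
There turns out to be an admin account, and the response packet contains a fake flag.
The source code shows that MD5 is used,
so generate a dictionary: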

```python
import hashlib

md5_dict = {}

for i in range(1000000):
    # Use string formatting so the generated string is always 6 digits long
    input_string = "{:06}".format(i)
    md5_hash = hashlib.md5(input_string.encode()).hexdigest()
    md5_dict[input_string] = md5_hash

# Print the first few MD5 values as a check
for key, value in list(md5_dict.items())[:10]:
    print(f"{key}: {value}")

# Save the MD5 dictionary to a file
with open("md5_dictionary.txt", "w") as file:
    for key, value in md5_dict.items():
        file.write(f"{value}\n")
```


misc

CyberChef’s Secret

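Nested base-family encodings.
Just keep trying them one by one.
The first layer is base32, which decodes to:
gprRdQCoa6VMNpWA1K1rjW7dWBgadzFcSrixdcX69YxLeKn8L
The second layer is base58, which decodes to:
ZmxhZ3tCYXNlXzE1X1MwX0Vhc3lfXl9efQ==
The last layer is base64:
flag{Base_15_S0_Easy_^_^}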
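The "try them one by one" step can be automated. The following is an added example, not part of the original write-up: it peels base32, base58 and base64 layers until a `flag{` marker appears. The function names and the Bitcoin Base58 alphabet are assumptions of this example, and the outermost base32 text is not on the page, so the demo starts from the second-layer string.

```python
import base64
import string

# Assumption: the Bitcoin Base58 alphabet (no 0, O, I, l)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(text):
    """Decode Base58 text, keeping leading zero bytes (encoded as '1')."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)  # ValueError on a foreign character
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

# Strictest alphabet first, so a layer is not claimed by a looser decoder
DECODERS = [
    ("base32", base64.b32decode),
    ("base58", b58decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
]

def peel(text, marker="flag{", max_layers=10):
    """Strip layers until `marker` appears; return (plaintext, layer names)."""
    layers = []
    while marker not in text:
        if len(layers) == max_layers:
            raise ValueError("marker not found within max_layers")
        for name, decode in DECODERS:
            try:
                candidate = decode(text).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # wrong alphabet, bad padding or binary output
            if candidate and all(c in string.printable for c in candidate):
                text = candidate
                layers.append(name)
                break
        else:
            raise ValueError("no decoder accepted the current layer")
    return text, layers

if __name__ == "__main__":
    # Second-layer string quoted in the write-up above
    print(peel("gprRdQCoa6VMNpWA1K1rjW7dWBgadzFcSrixdcX69YxLeKn8L"))
```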

Blank Space

https://vii5ard.github.io/whitespace/
Just paste it in.
flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

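Zip Archives

First add the file header 50 4B 03 04.
The archive then turns out to be corrupted.
A piece of ciphertext hints that the password has length 6.
Opening the file in 010 shows 14 00 00 00.
The third byte is not an odd number,
so change it to 14 00 09 00.
That fixes the archive.
Then brute-force the password.
This gives the flag:
flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc}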
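The byte after the version field (`14 00`) is the low byte of the ZIP general-purpose flags, and its bit 0 marks an entry as encrypted, which is why an even value there makes tools treat encrypted data as plain. The following added example (not from the original write-up) finds headers whose encryption bit disagrees and applies the same repair. The sample archive is constructed, the function names are this example's own, and it assumes the central directory copy of the flags is the intact one.

```python
import struct

LOCAL, CENTRAL = b"PK\x03\x04", b"PK\x01\x02"  # 50 4B 03 04 / 50 4B 01 02

def headers(data):
    """Yield (kind, flags_offset, version_needed, flags) for every header."""
    # Local: signature, version needed, flags. Central headers have an extra
    # 2-byte "version made by" field before "version needed".
    for sig, kind, skip in ((LOCAL, "local", 4), (CENTRAL, "central", 6)):
        pos = data.find(sig)
        while pos != -1:
            version, flags = struct.unpack_from("<HH", data, pos + skip)
            yield kind, pos + skip + 2, version, flags
            pos = data.find(sig, pos + 4)

def encryption_mismatches(data):
    """Pair local and central headers in order; keep pairs whose bit 0 differs."""
    found = list(headers(data))
    local = [h for h in found if h[0] == "local"]
    central = [h for h in found if h[0] == "central"]
    return [(l, c) for l, c in zip(local, central) if (l[3] ^ c[3]) & 1]

def repair(data):
    """Re-add a missing leading signature, then copy the central flags into
    each local header that disagrees (assumes the central copy is intact)."""
    if not data.startswith(LOCAL):
        data = LOCAL + data
    for l, c in encryption_mismatches(data):
        off = l[1]
        data = data[:off] + struct.pack("<H", c[3]) + data[off + 2:]
    return data

def sample_archive():
    """Constructed one-entry archive: flags 0x0000 locally, 0x0009 centrally."""
    name, body = b"flag.txt", b"\x00" * 16  # stand-in for encrypted bytes
    common = struct.pack("<HHHIIIHH", 0, 0, 0, 0, len(body), 4, len(name), 0)
    local = LOCAL + struct.pack("<HH", 20, 0x0000) + common + name + body
    central = (CENTRAL + struct.pack("<HHH", 20, 20, 0x0009) + common
               + struct.pack("<HHHII", 0, 0, 0, 0, 0) + name)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1,
                                       len(central), len(local), 0)
    return local + central + eocd

if __name__ == "__main__":
    broken = sample_archive()[4:]  # leading 50 4B 03 04 stripped
    fixed = repair(broken)
    print(fixed[:8].hex(" "))
```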

Hidden Eyes

Secret Image

flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}

Traffic! Shark!

crypto

babyxor

```python
# coding:utf-8
hex_string = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
c = bytes.fromhex(hex_string)
# m = b'flag{'
key = 0x8f  # single-byte XOR key
# XOR every ciphertext byte with the key
s = bytes(key ^ i for i in c)
print(s)
```

babyrsa

```python
import gmpy2
from Crypto.Util.number import long_to_bytes

# Prime factors of n, pasted as text and split into a list below
a = '2217990919<10> · 2338725373<10> · 2370292207<10> · 2463878387<10> · 2706073949<10> · 2794985117<10> · 2804303069<10> · 2923072267<10> · 2970591037<10> · 3207148519<10> · 3654864131<10> · 3831680819<10> · 3939901243<10> · 4093178561<10> · 4278428893'
a = a.split('<10> · ')
# print(a)
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
phi = 1
e = 65537
# phi(n) is the product of (p - 1) over the prime factors
for i in a:
    phi = phi * (int(i)-1)
d = gmpy2.invert(e,phi)
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
m = gmpy2.powmod(c,d,n)
print(long_to_bytes(m))
```

Caesar’s Secert

Caesar cipher.

Fence


Vigenère


brainfuck

https://www.w3cschool.cn/tryrun/runcode?lang=brainfuck
Use this website.

babyencoding

flag{dazzling_encoding#4e0ad4
c55192c992036ef623372601ff3a}
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

Affine

```python
ciphertext_hex = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
ciphertext = bytes.fromhex(ciphertext_hex)
modulus = 256

def decrypt(ciphertext, key):
    # Affine decryption byte by byte: p = a_inv * (c - b) mod 256
    a_inv, b = key
    plaintext = []
    for c in ciphertext:
        p = (a_inv * (c - b)) % modulus
        plaintext.append(p)
    return bytes(plaintext)

# mod_inv and egcd are helpers that the brute force below does not call
def mod_inv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise Exception('Modular inverse does not exist')
    else:
        return x % m

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, x, y = egcd(b % a, a)
        return (g, y - (b // a) * x, x)

# Brute-force a_inv and b directly and stop at the first plaintext containing "flag"
found = False
for a_inv in range(modulus):
    if found:
        break
    for b in range(modulus):
        try:
            decrypted_text = decrypt(ciphertext, (a_inv, b)).decode(errors="ignore")
            if "flag" in decrypted_text.lower():
                found = True
                print(f"Key found: a_inv = {a_inv}, b = {b}")
                print(f"Decrypted Text: {decrypted_text}")
                break
        except Exception as e:
            continue

if not found:
    # Message: "No suitable key could be found"
    print("无法找到合适的密钥")
```


babyaes

```python
from Crypto.Cipher import AES
from Crypto.Util.number import *

a = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc_flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
a = a ^ 1
#_a = b'\x08 \x16 \x11 % \xa0 \xa6 \xc5 \xcb ^ \x02 \x99 N F ` \xea , \xeb L \x08 b \xc1 \x98 \xc2 \x07 \x8f \xa3 \xc1 O % q \xfc , '
key = b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,'
key = bytes_to_long(key)
iv = key ^ a
# The two assignments below overwrite the values computed above
key = b'\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,\x08\x16\x11%\xa0\xa6\xc5\xcb^\x02\x99NF`\xea,'
iv = b'\xe3Z\x19Ga>\x07\xcc\xd1\xa1X\x01c\x11\x16\x00'
aes = AES.new(key, AES.MODE_CBC, iv)
# Decrypt enc_flag
dec_flag = aes.decrypt(enc_flag)
print(dec_flag)
```

flag{firsT_cry_Aes}

Small d

```python
import gmpy2
import libnum

def continuedFra(x, y):
    # Continued-fraction expansion of x / y
    cf = []
    while y:
        cf.append(x // y)
        x, y = y, x % y
    return cf

def gradualFra(cf):
    # Evaluate one truncated expansion
    numerator = 0
    denominator = 1
    for x in cf[::-1]:
        numerator, denominator = denominator, x * denominator + numerator
    return numerator, denominator

def solve_pq(a, b, c):
    # Integer roots of a*x^2 + b*x + c
    par = gmpy2.isqrt(b * b - 4 * a * c)
    return (-b + par) // (2 * a), (-b - par) // (2 * a)

def getGradualFra(cf):
    # All convergents of the expansion
    gf = []
    for i in range(1, len(cf) + 1):
        gf.append(gradualFra(cf[:i]))
    return gf


def wienerAttack(e, n):
    cf = continuedFra(e, n)
    gf = getGradualFra(cf)
    for d, k in gf:
        if k == 0: continue
        if (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        # Check the candidate phi by recovering p and q from it
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d

n= 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e= 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
c= 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())
```


re

easyRE

Simple string concatenation.
Right-clicking a constant assigned to v5[x] lets you change the format in which the constant is displayed.

ELF

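s is obfuscated by encode and the result is assigned to v6.
v6 is then Base64-encoded and assigned to s1, which is compared with a string.
Decode that string with the Python library's base64.decode(), then brute-force each character of the flag.
Cast with (char) before the comparison, to prevent incorrect sign extension during type promotion.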

KE

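The program is packed. exeinfo identifies the packer as UPX, and the "lamer info" line below it gives some references on unpacking methods.
Download the open-source upx program and unpack with the -d option.
Each character of the input string is incremented by 1 and then compared with enc. Double-click enc to see that it is defined as a byte array, then press Shift+E to extract the data.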

shift+f7

The hint says to open the segment definitions.
The names of all the qword-aligned segments, joined together, form the flag.

task

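v6 is of type char*, but its values are read as dwords, and those values are compared with array[i]^0x12345678.
So these values need to be printed first.
It is best to print them in hex, so that they can be split byte by byte.
Once you have the result, note that this thing is stored big-endian, so every 4 bytes must be reversed and then output as bytes.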
