【picoCTF 2022 一些题目的wp】

这里记录一下picoCTF 2022 中做出来的题目（WEB和Crypto以外的题目就不写了^ _ ^，因为只会签到题qwq）

WEB

1.Includes

打开开发者工具，在style.css中看见flag

2.Inspect HTML

查看源代码

3.Local Authority

密码找到

4.Search source

Ctrl+F 在文件中一个一个搜索查找flag

5.Forbidden Paths

绝对路径被过滤，就用相对路径

../../../../flag.txt

6.Power Cookie

直接锁定cookie

isAdmin=1

7.Roboto Sans

查看robots.txt

看到一行明显是base64加密

8.Secrets

不停的找就行了

9.SQLiLite

baby级别的SQL注入

万能密码

Crypto

1.basic-mod1 & basic-mod2

第一个就是纯纯的会取模就行了，直接放第二个的脚本

def extended_euclid_gcd(a: int, b: int) -> list:
    """
    Returns [gcd(a, b), x, y] where ax + by = gcd(a, b)
    """
    s, old_s = 0, 1
    t, old_t = 1, 0
    r, old_r = b, a
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return [old_r, old_s, old_t]


def modular_multiplicative_inverse(a: int, n: int) -> int:
    """
    Assumes that a and n are co-prime, returns modular multiplicative inverse of a under n
    """
    # Find gcd using Extended Euclid's Algorithm
    gcd, x, y = extended_euclid_gcd(a, n)
    # In case x is negative, we handle it by adding extra n
    # Because we know that modular multiplicative inverse of a in range n lies in the range [0, n-1]
    if x < 0:
        x += n
    return x


if __name__ == '__main__':
    list=[186,249,356, 395, 303, 337, 190, 393, 146, 174, 446, 127, 385, 400, 420 ,226, 76, 294, 144 ,90 ,291 ,445 ,137 ]
    for item in list:
        # print(item)
        tmp=modular_multiplicative_inverse(item%41,41)
        #print(tmp)
        if tmp >= 1 and tmp <= 26:
            print(chr(tmp+64),end="")
        elif tmp>=27 and tmp<=36:
            print(int(tmp-27),end="")
        else :
            print("_",end="")

2.credstuff

先在username.txt中找到cultiris，是在378行，于是对应的在password.txt中找到对应密码


凯撒密码解密

3.substitution0

替换密码
贴上c++脚本

#include <iostream>
#include<cstdio>
#include<cstring>



using namespace std;

int main() {
    char str[30]="IADNMLPFYEJSWBZVXUHKGROCQT";

    char str1[30]="ABCDEFGHIJKLMNOPQRSTUVWXYZ";

   char q[]="Kfm vydzDKL{5GA5717G710B_3R0SG710B_A1N36772}";
   char ch;
   
    for(int i=0;i<strlen(q);i++){
        char ch=q[i];
        if(isupper(ch))
        for(int j=0;j<=25;j++)
        {
            if(str[j]==ch)
        
        cout<<str1[j];
        }
        else if(islower(ch)){
            for(int j=0;j<=25;j++){
                if(str[j]==ch-32)
                cout<<char(str1[j]+32);
            }
        }
        else cout<<ch;
    }
    return 0;
}

4.transposition-trial

三个字符为一组，交换次序

5.Vigenere

维基利亚密码

6.Sum-O-Primes

很水的RSA题目，就利用一个小数学转换

(p-1)(q-1)=p*q-(p+q)+1

脚本

import gmpy2
import random
import hashlib
from hashlib import sha256
from Crypto.Util.number import *
import os

x = 0x1603fc8d929cb31edf62bcce2d06794f3efd095accb163e6f2b78941bd8c646d746369636a582aaac77c16a9486881a9e3db26d742e48c4adcc417ef98f310a0c5433ab077dd872530c3c3c77fe0c080d84154bfdb4c920df9617e986999104d9284516c7babc80dc53718d59032aefdf41b9be53957dea3f00a386b2666d446e
n = 0x75302ba292dc4bf47ffd690b8edc70ef1fcca5e148b2b9c1b60227788afcfe77a0097929ed3789fe51ac66f678c558244890a09ae4af3e7d098fd366a1c859edabbff1c9e164d5354968798107ae8518fcaab3743de58a141ffd26c1e16cb09fed1f6b0d68536ec7fba744ed120fea8c3a7ac1ebfa55d664d2f321fb44e814650147a9031f3bfa8f69d87393c7d88976d28d147398a355020bcb8e5613f0b29028b77db710e163ca1019fd3c3a065465ea457adec45243c385d12d3a1de3178f6ca05964be92e8b5bc24d420956de96ccc9ce39e70705660eb6b2f4e675aac7d6d7ba45c84223fc5819b37aa85beff1382f1c2c3b97603150f30c17f7e674441
c = 0x562888c70ce9a5c5ed9a0be1b6196f854ba2efcdb6dd0f79319ee9e1142659f90a6bae67481eb0f635f445d3c9889da84639beb84ff7159dcf4d3a389873dc90163270d80dbb9503cbc32992cb592069ba5b3eb2bbe410a3121d658f18e100f7bd878a25c27ab8c6c15b690fce1ca43288163c544bfce344bcd089a5f4733acc7dc4b6160718e3c627e81a58f650281413bb5bf7bad5c15b00c5a2ef7dbe7a44cce85ed5b1becd5273a26453cb84d327aa04ad8783f46d22d61b96c501515913ca88937475603437067ce9dc10d68efc3da282cd64acaf8f1368c1c09800cb51f70f784bd0f94e067af541ae8d20ab7bfc5569e1213ccdf69d8a81c4746e90c1
e=65537
phi=n-x+1


d=gmpy2.invert(e,phi)
print(d)

m=pow(c,d,n)
print(long_to_bytes(m))

7.rail-fence

栅栏密码加密/解密【W型】

8.morse-code

鉴定为纯纯的摩尔斯密码，用hint里面的软件可以较好的分析，不用听。

.-- … …- --…… …- --… …----. ----- -…_.-- …— ----- …- ----. … --…

转在线网站破解
在线破解摩尔斯

9.diffie-hellman

DH密钥交换（Diffie–Hellman key exchange）
这道题比较简单，算出密钥为5，作为凯撒密码的移位。
注意的是这道题凯撒密码是移动-5，需要对数字也移位，而且最后flag用小写字母

a = 'H98A9W_H6UM8W_6A_9_D6C_5ZCI9C8I_DI9D987F'
b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
ans = ''
for i in a:
    if i == '_':
        ans += i
    else:
        ans += (b[(b.find(i) - 5) % len(b)])

print('picoCTF{' + ans.lower() + '}')

10.Very Smooth

CTF-CYRPTO-RSA-Smooth