这是个入门级的比赛,没啥意思
Crypto
Vinegar
给了密钥的维吉尼亚密码,厨子
Encrypted flag: nmivrxbiaatjvvbcjsf
Key: secretkey
vigenerecipherisfun
n00bz{vigenerecipherisfun}RSA
e=3直接开根号就行
e = 3
n = 135112325288715136727832177735512070625083219670480717841817583343851445454356579794543601926517886432778754079508684454122465776544049537510760149616899986522216930847357907483054348419798542025184280105958211364798924985051999921354369017984140216806642244876998054533895072842602131552047667500910960834243
c = 13037717184940851534440408074902031173938827302834506159512256813794613267487160058287930781080450199371859916605839773796744179698270340378901298046506802163106509143441799583051647999737073025726173300915916758770511497524353491642840238968166849681827669150543335788616727518429916536945395813
>>> long_to_bytes(iroot(c,3)[0])
b'n00bz{crypt0_1s_1nc0mpl3t3_w1th0ut_rs4!!}'Vinegar 2
alphanumerical = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*(){}_?'
matrix = []
for i in alphanumerical:
matrix.append([i])
idx=0
for i in alphanumerical:
matrix[idx][0] = (alphanumerical[idx:len(alphanumerical)]+alphanumerical[0:idx])
idx += 1
flag=open('../src/flag.txt').read().strip()
key='5up3r_s3cr3t_k3y_f0r_1337h4x0rs_r1gh7?'
assert len(key)==len(flag)
flag_arr = []
key_arr = []
enc_arr=[]
for y in flag: #flag各符号在alphanumerical中的偏移
for i in range(len(alphanumerical)):
if matrix[i][0][0]==y:
flag_arr.append(i)
for y in key: #key在alphanumerical中的偏移
for i in range(len(alphanumerical)):
if matrix[i][0][0]==y:
key_arr.append(i)
for i in range(len(flag)):
enc_arr.append(matrix[flag_arr[i]][0][key_arr[i]])
encrypted=''.join(enc_arr)
f = open('enc.txt','w')
f.write(encrypted)
维吉尼亚这东西有点绕
enc = '*fa4Q(}$ryHGswGPYhOC{C{1)&_vOpHpc2r0({'
flag = ''
for i in range(len(key)):
for j in range(len(alphanumerical)):
if enc[i]== matrix[j][0][key_arr[i]]:
flag += alphanumerical[j]
break
else:
print(i)
#n00bz{4lph4num3r1c4l_1s_n0t_4_pr0bl3m} Random
一个cpp的程序,预测随机数,但这里的random_shuffle没有置种子。导致每次结果相同。输入一次再导回来就行了。
#include<chrono>
#include<cstdlib>
#include<iostream>
#include<algorithm>
#include<string>
#include<fstream>
#include<thread>
#include<map>
using namespace std;
bool amazingcustomsortingalgorithm(string s) {
int n = s.size();
for (int i = 0; i < 69; i++) {
cout << s << endl;
bool good = true;
for (int i = 0; i < n - 1; i++)
good &= s[i] <= s[i + 1];
if (good)
return true;
random_shuffle(s.begin(), s.end());
this_thread::sleep_for(chrono::milliseconds(500));
}
return false;
}
int main() {
string s;
getline(cin, s);
map<char, int> counts;
for (char c : s) { //输入不重复,不能小于10或等于69
if (counts[c]) {
cout << "no repeating letters allowed passed this machine" << endl;
return 1;
}
counts[c]++;
}
if (s.size() < 10) {
cout << "this machine will only process worthy strings" << endl;
return 1;
}
if (s.size() == 69) {
cout << "a very worthy string" << endl;
cout << "i'll give you a clue'" << endl;
cout << "just because something says it's random mean it actually is" << endl;
return 69;
}
random_shuffle(s.begin(), s.end());
if (amazingcustomsortingalgorithm(s)) {
ifstream fin("flag.txt");
string flag;
fin >> flag;
cout << flag << endl;
}
else {
cout << "UNWORTHY USER DETECTED" << endl;
}
}
//'0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz'输入4761058239 就能得到0123456789
PWN
Think Outside the Box
pwn只有一个题,是个小游戏,3*3的黑白棋,机器先走,每一次都按可能的位置作了正确的选择。漏洞在于输入位置负数可越界,这样可以跳过第1步,后边再输入他的第2步就对不上号了。
所以第1步输入0,-1 后边再输入1行3个值就OK了
┌──(kali㉿kali)-[~/ctf/2408/tfc]
└─$ nc challs.n00bzunit3d.xyz 10431
Welcome to Tic-Tac-Toe! In order to get the flag, just win! The bot goes first!
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | _ | _
Move: 0,-1 跳过第1层判断
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | _ | _
Bot turn!
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | _ | _
Move: 2,2 第2步只判断1267 写8
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | _ | O
Bot turn!
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | _ | O
Move: 2,1 第3步只判断 2356 写7
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | O | O
Bot turn!
_ | _ | _
---|---|---
_ | X | _
---|---|---
_ | O | O
Move: 2,0 第4步成功
Returning!
_ | _ | _
---|---|---
_ | X | _
---|---|---
O | O | O
You won! Flag: n00bz{l173r4lly_0u7s1d3_7h3_b0x_L0L_35878ee9def0}Reverse
Vacation
一眼丁真异或3
$bytes = [System.Text.Encoding]::ASCII.GetBytes((cat .\flag.txt))
[System.Collections.Generic.List[byte]]$newBytes = @()
$bytes.ForEach({
$newBytes.Add($_ -bxor 3)
})
$newString = [System.Text.Encoding]::ASCII.GetString($newBytes)
echo $newString | Out-File -Encoding ascii .\output.txt
/*
>>> bytes([i^3 for i in b'm33ayxeqln\sbqjp\twk\{lq~'])
b'n00bz{from_paris\nth_xor}
*/Brain
brainfuck的串,通过观察数据栈应该是栈0位置加到flag再减回0
cmd = '>+++++++++++[<++++++++++>-]<[-]>++++++++[<++++++>-]<[-]>++++++++[<++++++>-]<[-]>++++++++++++++[<+++++++>-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<++>-]<[-]>+++++++++++++++++++++++++++++++++++++++++[<+++>-]<[-]>+++++++[<+++++++>-]<[-]>+++++++++++++++++++[<+++++>-]<[-]>+++++++++++[<+++++++++>-]<[-]>+++++++++++++[<++++>-]<[-]>+++++++++++[<++++++++++>-]<[-]>+++++++++++++++++++[<+++++>-]<[-]>+++++++++++[<+++++++++>-]<[-]>++++++++[<++++++>-]<[-]>++++++++++[<++++++++++>-]<[-]>+++++++++++++++++[<+++>-]<[-]>+++++++++++++++++++[<+++++>-]<[-]>+++++++[<+++++++>-]<[-]>+++++++++++[<++++++++++>-]<[-]>+++++++++++++++++++[<+++++>-]<[-]>++++++++++++++[<+++++++>-]<[-]>+++++++++++++++++++[<++++++>-]<[-]>+++++++++++++[<++++>-]<[-]>+++++++[<+++++++>-]<[-]>+++++++++++[<++++++++++>-]<[-]>+++++++++++++++++[<++++++>-]<[-]>+++++++[<++++++>-]<[-]>+++++++++++[<+++++++++>-]<[-]>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[<+>-]<[-]>+++++++++++[<+++>-]<[-]>+++++++++++++++++++++++++[<+++++>-]<[-]'
ttt = []
op = [0]*1000
rip = 0
p = 0
while p<len(cmd):
i = cmd[p]
p += 1
if i == '>':
rip+=1
elif i == '<':
rip-=1
elif i == '+':
op[rip]+=1
if rip==0: ttt.append(op[0])
elif i == '-':
op[rip]-=1
if rip==0: ttt.append(op[0])
elif i == '.':
print('==>',chr(op[rip]))
elif i == ',':
op[rip] = ord(input('---->')[0])
elif i == '[':
if op[rip] == 0:
cnt = 1
while cnt != 0:
if cmd[p] == '[': cnt += 1
if cmd[p] == ']': cnt -= 1
p += 1
elif i == ']':
cnt = 1
p -= 1
while cnt!=0:
p -= 1
if cmd[p] == ']' : cnt += 1
if cmd[p] == '[' : cnt -= 1
#print(ttt)
for i in range(1, len(ttt)-1):
if ttt[i-1]<ttt[i]>ttt[i+1]:
print(chr(ttt[i]), end='')
print()
#n00bz{1_c4n_c0d3_1n_br41nf*ck!}FlagChecker
结了一个xlsm的文件,改成.zip解压得到vbProject.bin然后用olevba解包
D:\02024ctf\0803_n00bzCTF\r3_FlagChecker>olevba vbaProject.bin
olevba 0.60.2 on Python 3.10.4 - http://decalage.info/python/oletools
===============================================================================
FILE: vbaProject.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub FlagChecker()
Dim chars(1 To 24) As String
guess = InputBox("Enter the flag:")
If Len(guess) <> 24 Then
MsgBox "Nope"
End If
char_1 = Mid(guess, 1, 1)
char_2 = Mid(guess, 2, 1)
char_3 = Mid(guess, 3, 1)
char_4 = Mid(guess, 4, 1)
char_5 = Mid(guess, 5, 1)
char_6 = Mid(guess, 6, 1)
char_7 = Mid(guess, 7, 1)
char_8 = Mid(guess, 8, 1)
char_9 = Mid(guess, 9, 1)
char_10 = Mid(guess, 10, 1)
char_11 = Mid(guess, 11, 1)
char_12 = Mid(guess, 12, 1)
char_13 = Mid(guess, 13, 1)
char_14 = Mid(guess, 14, 1)
char_15 = Mid(guess, 15, 1)
char_16 = Mid(guess, 16, 1)
char_17 = Mid(guess, 17, 1)
char_18 = Mid(guess, 18, 1)
char_19 = Mid(guess, 19, 1)
char_20 = Mid(guess, 20, 1)
char_21 = Mid(guess, 21, 1)
char_22 = Mid(guess, 22, 1)
char_23 = Mid(guess, 23, 1)
char_24 = Mid(guess, 24, 1)
If (Asc(char_1) Xor Asc(char_8)) = 22 Then
If (Asc(char_10) + Asc(char_24)) = 176 Then
If (Asc(char_9) - Asc(char_22)) = -9 Then
If (Asc(char_22) Xor Asc(char_6)) = 23 Then
If ((Asc(char_12) / 5) ^ (Asc(char_3) / 12)) = 130321 Then
If (char_22 = char_11) Then
If (Asc(char_15) * Asc(char_8)) = 14040 Then
If (Asc(char_12) Xor (Asc(char_17) - 5)) = 5 Then
If (Asc(char_18) = Asc(char_23)) Then
If (Asc(char_13) Xor Asc(char_14) Xor Asc(char_2)) = 121 Then
If (Asc(char_14) Xor Asc(char_24)) = 77 Then
If 1365 = (Asc(char_22) Xor 1337) Then
If (Asc(char_10) = Asc(char_7)) Then
If (Asc(char_23) + Asc(char_8)) = 235 Then
If Asc(char_16) = (Asc(char_17) + 19) Then
If (Asc(char_19)) = 107 Then
If (Asc(char_20) + 501) = (Asc(char_1) * 5) Then
If (Asc(char_21) = Asc(char_22)) Then
MsgBox "you got the flag!"
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End If
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Xor |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+好无聊啊,手搓!
>>> a = [-1]*25
>>> a[0]=0
>>> for i,v in enumerate(b'n00bz{'):
... a[i+1] = v
...
>>> a[8]=a[1]^22
>>> a[24]=ord('}')
>>> a[22] = a[6]^23
>>> iroot(130321,4)
(mpz(19), True)
>>> a[12]=19*5
>>> a[11]=a[22]
>>> a[17] = (5^a[12])+5
>>> a[10]=176-a[24]
>>> a[9]=a[22]-9
>>> a[15] = 14040//a[8]
>>> a[14] = a[24]^77
>>> a[7]=a[10]
>>> a[23]=235-a[8]
>>> a[18] = a[23]
>>> a[13]=121^a[2]^a[14]
>>> a[16]=a[17]+19
>>> a[19]=107
>>> a[20]=a[1]*5-501
>>> a[21]=a[22]
>>> bytes(a)
b'\x00n00bz{3xc3l_y0ur_sk1lls}'
586
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
