CISCN campus competition writeup

Author:

xuanSAMA


Just keeping a record.

welcome

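The file is an encrypted archive. Opening it in 010 Editor shows 0900 in both the central directory area and the header area, which tells us it is real encryption. The hint says the password is Xiao Ming's birthday, so I used a dictionary generator to build the set of possible passwords and brute-forced it with Elcomsoft Password Recovery, which gave the password 20161011. Inside is an all-black PNG image, which I also opened in 010 Editor.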
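The 0900 check described above compares the general-purpose flag word (bytes 09 00, little-endian 0x0009, bit 0 = encrypted) in the local file header and in the central directory. The following Python sketch is an added example, not part of the original post; it reads both fields for every entry, and the sample archives and the classify wording are constructed here for illustration.

```python
import io
import struct
import zipfile


def encryption_flags(data: bytes):
    """Return [(name, local_bit0, central_bit0)] for each entry of a ZIP image."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # total entries (offset 10), directory size (12), directory offset (16)
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    out = []
    for _ in range(count):
        central_flags, = struct.unpack_from("<H", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        if (data[pos:pos + 4] != b"PK\x01\x02"
                or data[local_off:local_off + 4] != b"PK\x03\x04"):
            raise ValueError("bad central or local header signature")
        local_flags, = struct.unpack_from("<H", data, local_off + 6)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        # bit 0 of the general-purpose flag word marks the entry as encrypted
        out.append((name, bool(local_flags & 1), bool(central_flags & 1)))
        pos += 46 + nlen + xlen + clen
    return out


def classify(local_enc: bool, central_enc: bool) -> str:
    if local_enc and central_enc:
        return "encrypted"
    if local_enc or central_enc:
        return "inconsistent flags (possible pseudo-encryption)"
    return "not encrypted"


def build_samples():
    """Constructed inputs: a plain archive and a copy with only the central bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    plain = buf.getvalue()
    tampered = bytearray(plain)
    tampered[plain.find(b"PK\x01\x02") + 8] |= 0x01
    return plain, bytes(tampered)


if __name__ == "__main__":
    for blob in build_samples():
        print([(n, classify(loc, cen)) for n, loc, cen in encryption_flags(blob)])
```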

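The image's two IDAT chunks had been changed to CTBU. After changing them back the image opens normally, but there is still no flag. It might be image steganography; changing the image's length (height) reveals the flag.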

guanyu

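After downloading, I found it was a model file. I first looked around inside the model and it seemed unlikely to be there, then opened it as an archive and got the flag directly from model.dat.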

shark

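Traffic analysis. Judging from the requests, the flag is fetched in data. I exported all the HTTP files and opened the data file; it is an array file, and the values look like ASCII codes, so decoding them gives the flag directly.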

dota

Searched Bilibili for the original video and found the flag at the corresponding timestamp.

cheers

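Following the description, I found the Bilibili account of senior student 莫岳恒 (Mo Yueheng). The first post in the feed had part of the flag, posted by 杠哥, and I found the flag in the comments under the video that corresponds to that post of Mo Yueheng's.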

do you like archives revenge

The download is an archive. Extracting it layer by layer by hand is not realistic, so I went straight to a Python script.

import os
import zipfile
import tarfile


def is_archive(path):
    # Only regular files are probed; tarfile.is_tarfile raises on directories
    # and on files that no longer exist
    return os.path.isfile(path) and (zipfile.is_zipfile(path) or tarfile.is_tarfile(path))


def decompress_file(file_path):
    """
    Extract an archive next to itself, then recurse into any archives it contained.
    :param file_path: path to the archive
    """
    # Check that the file exists
    if not os.path.exists(file_path):
        print(f"File {file_path} not exist!")
        return

    # Directory that holds the archive; contents are extracted into it
    folder_path = os.path.dirname(file_path)

    # Choose the extractor from the file content rather than the extension,
    # so a nested archive with an unexpected name is not deleted unextracted
    if zipfile.is_zipfile(file_path):
        with zipfile.ZipFile(file_path, "r") as zip_ref:
            zip_ref.extractall(folder_path)
    elif tarfile.is_tarfile(file_path):
        with tarfile.open(file_path, "r:*") as tar_ref:
            tar_ref.extractall(folder_path)
    else:
        return

    # Delete the original archive
    os.remove(file_path)

    # Walk the extracted files; if any of them is an archive, extract it as well
    for file in os.listdir(folder_path):
        file_path = os.path.join(folder_path, file)
        if is_archive(file_path):
            decompress_file(file_path)


# Test code: extract every archive under the given folder
source_folder = "./ge"
for root, dirs, files in os.walk(source_folder):
    for file in files:
        file_path = os.path.join(root, file)
        if is_archive(file_path):
            decompress_file(file_path)

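After extraction I got the last archive, which turned out to be encrypted. I did not find anything like the 0900 marker in it and it did not feel like a zip, so I used WinRAR's repair function, which decrypted it directly; opening it gave the flag.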

1337

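At first I tried to find it in the original video and watched for a long time without finding it; in the end I found the flag in the chat log from May 10.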

gsh

The challenge says ChatGPT is acting as the terminal; I simply tried /flag and got the flag.

magic-digit-5

As the challenge says, take the MD5 of the original string and put it into the flag; that is the flag.

base-ctbu

Used ChatGPT to write the solving function.

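# Decoding function
def base_ctbu_decode(s):
    # 32 data symbols plus '6' at index 32; index 32 does not fit in 5 bits,
    # and the trailing '6' characters of the ciphertext are padding
    base_ctbu_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZgsdxco6'
    binary_str = ''
    # Each ciphertext character encodes 5 bits; padding symbols carry no data
    for c in s:
        value = base_ctbu_alphabet.index(c)
        if value == 32:
            continue
        binary_str += bin(value)[2:].rjust(5, '0')
    # Join all bits into one string and convert each complete byte to a character
    usable = len(binary_str) - len(binary_str) % 8
    return ''.join([chr(int(binary_str[i:i+8], 2)) for i in range(0, usable, 8)])

# Call the decoding function on the ciphertext
print(base_ctbu_decode('MZWGCZssNJgSINgoMNUEAsTHGNPXIgDFMVSWKXgBJRYEQQBYGMsXg666'))  # prints the decoded flag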

This gives the flag.

assccciiiiiiiii

From the code, the number of times a character appears is its ASCII value, and the number itself is its position.

Decoded directly with Python.

the = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333344444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444455555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555556666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777888888888888888888888888888888888888888888888888899999999999999999999999999999999999999999999999991010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111112121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121213131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141415151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151515151
51515151515151515151515151515151515151515151515151515151515151516161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171718181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181818181919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919191919192020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202021212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212121212222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232324242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252525252626262626262626262626262626262626262626262
6262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262626262727272727272727272727272727272727272727272727272727272727272727272727272727272727272727272727272727272828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828282828"
num = 0
ttt = 0
tempNum = 0
flag = ""

while num < len(the):
    while the[num:num + len(str(ttt))] == str(ttt):
        tempNum += 1
        num += len(str(ttt))
    flag += chr(tempNum)
    tempNum = 0
    ttt += 1

print(flag)

emperor

Used ChatGPT to write the script.

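alphabet = bytes(range(32, 127))
# The backslash is escaped so that \3 is not read as an octal escape (byte 0x03)
encrypted_flag = b'39.4HF2@,A52,;.:_,\\3,5]:,6P,o.2@.?J'

# Try every shift over the printable-ASCII alphabet
for key in range(len(alphabet)):
    # c - 32 is the character's index in the alphabet
    decrypted_flag = bytes([alphabet[(c - 32 - key) % len(alphabet)] for c in encrypted_flag])
    if decrypted_flag.startswith(b'flag{'):
        print(decrypted_flag)
        break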

RuShA

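RSA encryption. Factoring gave p and q; I ran an RSA decryption script to get the plaintext, converted it to binary and then to the corresponding ASCII characters to get the flag.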

wall

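Analysing the source shows that each character is replaced, dictionary-style, by a corresponding string, so I wrote a dictionary in Python to do the substitution on the file.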

# Ciphertext dictionary
encrypted_chars = {'a': '5a0f92fc99e8d1e5ea1677f987139c9c', 'b': '336766cfc9273d47294374c4456bd7e6',
               'c': 'ab11f422e2ab0e5a672df60ac4d9978b', 'd': '04f44abda2d59984299dd1e56fedc671',
               'e': '036f4d8d3c925c472af18052d047c6fb', 'f': '5b6d034b1552dd4c08199e32bebee520',
               'g': 'bab20c076199ae86e5d92ea1edc1aa8f', 'h': '34a7aee723181478d6fe343788a109f9',
               'i': '678a06a066ee8e6cf70bf53415fab592', 'j': 'cbd04e40d3e97ee1ca9ff95752614618',
               'k': '0ec19b0e7976c4e6dfc0534803bb43f3', 'l': 'c62600a4b61358c21fb85b7c2945a332',
               'm': 'e56d228da8a800aa54cdc5e9c925f262', 'n': '32e17a8fa2ad89536fd354d090bace19',
               'o': 'f0ade343e3c05f8f71b58006e583933a', 'p': 'cb317151da3b66e0e6584d753baf3e01',
               'q': '8b5878a92246878e9291037d1d4bd064', 'r': '3d668242905a3a4bc4ec7a905b2c7677',
               's': '5a20662ff34f416e9f3abca66341c5c4', 't': '5ec5e06fc44cd2e99edcb67dd66ba1cb',
               'u': 'b5768fc110d3e481fc2cab777698809d', 'v': 'ffa9532cdfdaa513471a51bfedf9022d',
               'w': 'a171eda69cfbf433539ff32da4945f1f', 'x': '981fa79016ab8ae14d60998c7704bb5d',
               'y': '51b969ba3459798991e5d4d87f54e073', 'z': '67252b0bb8e9903969a8e8d0a971ca63',
               'A': 'c07ffaf369a4853d34a2003c1c3f5c06', 'B': '125b3bc5f336a0b2baf4e2c6b2f052f0',
               'C': 'd5a7d119d6d19950cc872bfde0b94c2e', 'D': 'e0a3a14c698c2ff493c0da81fc811cc7',
               'E': '112904b32851e5381e3b8ae028e92ccb', 'F': '384fddb523563d8e3a559bf077c22168',
               'G': 'acc874bcc5a8555c269a080acd59279e', 'H': 'ebea16b847782d7ebb2415722b44ad10',
               'I': '32512f9482e8c7c125c04685ac86f796', 'J': '5b2740b2c1542130490b75d88650fa50',
               'K': 'ab8447bcc2fbbacb6a5e48e338012a46', 'L': '385ac9cddde1de5be2ee318a2709bcaf',
               'M': '3d6a3db691b627ac086e351d21fba44e', 'N': '1fef12d140914d31c17349a22ab1b00e',
               'O': '17e434e1201600d31b1a6b6da9977bad', 'P': 'e902610b80f75b2d77becd914bcf5461',
               'Q': 'c0b92ac23b1cc4665c53020cd6c8262e', 'R': '8a7643d64f010706b206528c9513e573',
               'S': 'be7cdfccb4327b28312b99bb2776df81', 'T': 'f3ab52d0dab3e888e9f11d7170d0a3d5',
               'U': '1741ad5607cf1395693de4e03244a0b8', 'V': 'ffd2286b17224e320a106aa6037a5a33',
               'W': '9a491f19d9cbc5b2f5321ffcd1ffb98c', 'X': '748c91af7880d9e4b654a7b0086c75f8',
               'Y': '8a6026ad6887f67cf798fbf4e1debe25', 'Z': 'b3693036b7928c98e46d3d5b1bb5d53f',
               '0': '4312ef16a9e53149b0e4289d8a1c292c', '1': '37b8464c61284dfb3bafd47bb883c20a',
               '2': '255c6e619a1a1679cc3fd3c506e06c3c', '3': 'c255163951f0003f300168c9ed863e38',
               '4': '0d4bf2556609bde9bdf7e154f0bc01d0', '5': '389b3cbf9bdc47727aa3d60d960b4b7a',
               '6': '804256547141e1414f335a93d0aee2c9', '7': '91335eadbca437e6c96889da774186c2',
               '8': 'fad58ae4e9a6698aa3438b28f6f745cd', '9': 'e82c249a79d044b3c4891b8077736906',
               '{': '113780962f6031c7a4e00173bfcee17d', '_': '909e2c7a0962fdd07016dbb3c368e015',
               '}': '303ce188742781b005773b41173f8cfa'}

# Swap the keys and values of the ciphertext dictionary to recover the plaintext characters
encrypted_flag = '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'


decrypted_flag = ''
for i in range(0, len(encrypted_flag), 32):
    encrypted_block = encrypted_flag[i:i+32]
    for char, encrypted_char in encrypted_chars.items():
        if encrypted_char == encrypted_block:
            decrypted_flag += char
            break

print(decrypted_flag)

html

Web sign-in challenge; viewing the page source gives the flag.

i am root

After visiting, I found that it accepts a GET request. When the GET value is root the page changes, and I found the flag by searching the response in Burp.

zupload

file-get-content, so go straight to a pseudo-protocol and build the payload: php://filter/read=convert.base64-encode/resource=/flag

zupload-pro

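Reading the code shows that the restriction is only enforced in the front end. I bypassed the front end with Burp, uploaded a full-featured webshell to get a shell, and got the flag.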

zupload-pro-plus

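Reading the code, the file name gets a simple check: the name is split on . into an array and the second element is tested for zip. A file named shell.zip.php uploaded successfully; I got a shell and the flag.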
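The weakness described above is that the check looks at the second dot-separated part instead of the final extension. The following is an added example, not the challenge's own code: a Python model of that check next to a stricter one. The function names, the allowlist and the random stored name are assumptions made for illustration.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {".zip"}


def weak_check(filename: str) -> bool:
    """The check as the writeup describes it: only the second part is tested."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1] == "zip"


def strict_check(filename: str) -> bool:
    """Accept only '<stem>.zip' with a single dot and a conservative stem."""
    # No path separators or NUL bytes in a client-supplied name
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    # The decision is made on the final extension, the one the server acts on
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # A remaining dot in the stem (a.php.zip) fails isalnum() and is rejected
    return stem.replace("_", "").replace("-", "").isalnum()


def stored_name(filename: str) -> str:
    """Name used on disk: random, never derived from client input."""
    if not strict_check(filename):
        raise ValueError("rejected upload name")
    return secrets.token_hex(16) + ".zip"


if __name__ == "__main__":
    for candidate in ("archive.zip", "shell.zip.php", "a.php.zip", "../x.zip"):
        print(candidate, weak_check(candidate), strict_check(candidate))
```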

zupload-pro-plus-max

It uses the include function on the user's GET request; the pseudo-protocol php://filter/read=convert.base64-encode/resource=/flag gets the flag.

zupload-pro-plus-max-ultra

Challenge bug; the pseudo-protocol goes straight through.

zupload-pro-plus-max-ultra-premium

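Reading the code, uploaded files get unzipped. I first uploaded a zip containing a shell, and after opening it found that the contents of that folder can only be downloaded and are not executed on the server. I then used ln to create a symbolic link pointing to /flag in the root directory and packed it into the archive, so that on the server this file's content stays in sync with the flag; downloading it gives the flag.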

opag

Opened it in IDA and got the flag.

nohtyp

A pyc file. Decompiling it gives an array, and ASCII-decoding it gives the flag.

flag = [
    125, 51, 56, 97, 117, 103, 110, 64, 108, 95,
    56, 110, 49, 109, 109, 97, 114, 103, 48, 114,
    112, 95, 99, 49, 109, 64, 110, 121, 100, 95,
    114, 48, 102, 95, 101, 53, 114, 101, 118, 51,
    114, 123, 103, 97, 108, 102]

stick game

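I opened the web page from the folder. It says you need 1000 points to get the flag, so in the console I set the score variable to 10000 and then died in the game to get the flag.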

androgin

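The download is an APK. After installing it, it asks for an account and password to get the flag. I opened the APK on the phone with MT Manager, found the account and password in classes3.dex, and got the flag.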

co pack

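The challenge hints at UPX, and Exeinfo PE confirmed that the file was packed. Unpacking it directly with upx failed. After searching online I found that upxfix can repair it; after the repair the upx command ran successfully, and opening the result in IDA gave the flag.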
