XYCTF misc复现

misc

赛题

发布日期: 2024-11-04

题目附件链接

通过百度网盘分享的文件：xyctf
链接：https://pan.baidu.com/s/1iSI66Uv1sIOfhYQTAkQWCA?pwd=v11x 
提取码：v11x 
--来自百度网盘超级会员V3的分享

熊博士

题目描述:

1	熊大熊二在森林里玩耍的时候捡到了一张小纸条，可能事关森林的安危，但是上面的字他们看不懂，你能帮他们看看这些神秘的字符是什么意思吗？

下载附件

jpg文件

txt文件

看到图片，是熊出没，题目名又叫熊博士，联想到熊斐特博士发现的埃特巴什码

埃特巴什码（Atbash Cipher）是一个系统：最后一个字母代表第一个字母，倒数第二个字母代表第二个字母。
在罗马字母表中，它是这样出现的：
常文：A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
密文：Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

使用随波逐流工具一把梭

最后flag为XYCTF{liu_ye_mei_you_xiao_jj}

game

题目描述:

1
2

adwa最近迷恋上了一款游戏，他给我们发了这款游戏里的一个解密项目，请你根据这张图片，找出这个游戏的英文名，并用XYCTF{}包括
(每个单词开头要大写，例如XYCTF{Dead Cells}，如果其有标点符号，去掉标点符号改成空格)

下载附件

谷歌识图

最后flag为XYCTF{Papers Please}

ez_隐写

题目描述:

1	ez 隐写，so 没有提示

下载附件解压文件发现有密码

7z解压缩

保存打开文件

发现hint.png不显示，怀疑宽高有问题，宽高一把梭

得到hint，判断为压缩包密码是20240401，解压压缩包

盲水印

最后flag为XYCTF{159-WSX-IJN-852}

我的二维码为啥扫不出来？

题目描述:

1	怎么回事，我的二维码好像出了什么问题，你可以帮我修复一下吗

下载附件

查看new.png

查看secret.py源码

from PIL import Image
import random


def reverse_color(x):
    return 0 if x == 255 else 255


def reverse_row_colors(pixels, row, width, block_size=10):
    for x_block in range(width // block_size):
        x = x_block * block_size
        y = row * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)


def reverse_col_colors(pixels, col, height, block_size=10):
    for y_block in range(height // block_size):
        x = col * block_size
        y = y_block * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)


original_img = Image.open("flag.png")

new_img = original_img.copy()

width, height = new_img.size
pixels = new_img.load()

count = 0

while count < 7:
    x = random.randint(0, 1)
    if x == 0:
        reverse_col_colors(pixels, random.randint(0, height // 10 - 1), height)
    else:
        reverse_row_colors(pixels, random.randint(0, width // 10 - 1), width)
    count += 1

new_img.save("new.png")

分析代码，发现是对flag.png进行了7次操作，每次抽取随机一行或列，将像素颜色反转（每十个像素一行/列）。观察图片发现第二行，第一列，第三列，第六列明显进行了反转操作，编写代码将其颜色反转

from PIL import Image
import random
 
 
def reverse_color(x):
    return 0 if x == 255 else 255
 
 
def reverse_row_colors(pixels, row, width, block_size=10):
    for x_block in range(width // block_size):
        x = x_block * block_size
        y = row * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)
 
 
def reverse_col_colors(pixels, col, height, block_size=10):
    for y_block in range(height // block_size):
        x = col * block_size
        y = y_block * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)
 
 
original_img = Image.open("E:\\脚本合集\\赛题脚本\\xyctf\\ewm\\new.png")
 
new_img = original_img.copy()
 
width, height = new_img.size
pixels = new_img.load()
reverse_row_colors(pixels,1, height)
reverse_col_colors(pixels,0, height)
reverse_col_colors(pixels,2, height)
reverse_col_colors(pixels,5, height)
 
'''
count = 0
while count < 7:
    x = random.randint(0, 1)
    if x == 0:
        reverse_col_colors(pixels, random.randint(0, height // 10 - 1), height)
    else:
        reverse_row_colors(pixels, random.randint(0, width // 10 - 1), width)
    count += 1
'''
new_img.save("E:\\脚本合集\\赛题脚本\\xyctf\\ewm\\neww.png")

运行得到

我们只需再操作三次，编写代码遍历求flag并对flag.png进行扫码，当扫码出结果时停止并输出

from PIL import Image
from pyzbar.pyzbar import decode
import random
 
def reverse_color(x):
    return 0 if x == 255 else 255
 
def reverse_row_colors(pixels, row, width, block_size=10):
    for x_block in range(width // block_size):
        x = x_block * block_size
        y = row * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)
 
def reverse_col_colors(pixels, col, height, block_size=10):
    for y_block in range(height // block_size):
        x = col * block_size
        y = y_block * block_size
        for x_small in range(x, x + block_size):
            for y_small in range(y, y + block_size):
                pixel = pixels[x_small, y_small]
                pixels[x_small, y_small] = reverse_color(pixel)
 
def decode_qr_code(image_path):
    image = Image.open(image_path)
    decoded_objects = decode(image)
    if decoded_objects:
        return decoded_objects[0].data.decode('utf-8')
    else:
        return None
 
original_img = Image.open("E:\\脚本合集\\赛题脚本\\xyctf\\ewm\\neww.png")
width, height = original_img.size
pixels = original_img.load()
 
count = 0
 
while True:
    modified_img = original_img.copy()
    pixels_modified = modified_img.load()
    
    for _ in range(3):
        x = random.randint(0, 1)
        if x == 0:
            reverse_col_colors(pixels_modified, random.randint(0, height // 10 - 1), height)
        else:
            reverse_row_colors(pixels_modified, random.randint(0, width // 10 - 1), width)
    
    modified_img.save("E:\\脚本合集\\赛题脚本\\xyctf\\ewm\\modified.png")
    
    result = decode_qr_code("E:\\脚本合集\\赛题脚本\\xyctf\\ewm\\modified.png")
    if result:
        print("Found QR code in modified.png:", result)
        break
    
    count += 1
    if count % 100 == 0:
        print("Tried", count, "modifications, no QR code found yet.")

运行得到

最后flag为flag{qR_c0d3_1s_s0_fun}

出题有点烦

题目描述:

1	出题好难啊，就瞎出一道吧

下载附件

压缩包有密码，暴力破解

解压压缩包

尝试到第五个图片使用foremost提取得到压缩包

解压压缩包发现有密码

暴力破解密码

解压压缩包得到

最后flag为XYCTF{981e5_f3ca30_c841487_830f84_fb433e}

真>签到

题目描述:

我才是签到

下载附件

010查看文件

最后flag为XYCTF{59bd0e77d13c_1406b23219e_f91cf3a_153e8ea4_77508ba}

美妙的歌声

题目描述:

1	这首歌能深深地打动你吗？

下载附件

音频文件使用audacity查看

au查看频谱

题目描述“深深地打动”想到使用deepsond解密

最后flag为XYCTF{T0uch_y0ur_he3rt_d55ply!!}

ZIP神之套

题目描述:

1	前有俄罗斯套娃，今有ZIP神之套

下载附件

运行exe文件

提示掩码爆破

解压压缩包

查看文件

一眼明文攻击

明文攻击成功后打开flag.md得到flag

最后flag为XYCTF{1A4B8-C9D2F3E-6A4B8C-9D2F3E7F}

TCPL

题目描述:

1	运行就有flag,都坤吧是兄弟怎么会骗你呢。

下载附件

risc-v架构需要qemu跑

kali安装qemu

sudo apt install libc6-riscv64-cross
sudo apt install binutils-riscv64-linux-gnu
sudo apt install gcc-riscv64-linux-gnu
sudo apt install binutils-riscv64-unknown-elf
sudo apt install gcc-riscv64-unknown-elf
sudo apt install qemu-system-misc
sudo apt install qemu-user

运行得到

1替换成0

最后flag为FLAG{PLCT_An4_r0SCv_x0huann0}

又是个签到

题目描述:

1	也许你能在QQ群里签上到

下载附件

签到.txt

HWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8BNUTz8oLfE57NkCrVwBBgGul5hHzCcKqyG7U5LWMOXYtzloMsVvdZdPbMZyb+EgYF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA3fVDcJt/sEYpz9U0yQTrgxTN0kF5G4xTJ5IKqYil2gK3Ml6usGZsucJXa6pCovoeaGSyZNq6T3aX1NOlb5Gt4gF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8PPIU/UwIkvINgvGw+oQMCCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA2QV+Gu05V1J2eVrbGhHB487Ns8HTVNYrll8P/Xve17NCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CS1yISnL45ZHzPjs5BGSboyDJXscweSL6g0ptOqql5vhY7Ns8HTVNYrll8P/Xve17NlyvQj9HulYK3sIMIiNTVrv/QYgLgLF9uO3y6uH800Gy0VvmX5a5S5ZEDlkBSgVrDb/KxZEoU9d83Nbzm7yH80p9xX+50C/29uVc+H6gx1gOTPv9mT6A8qfJoby4BoCS3by65j7WFf6d/XZX0KskX4t1SAjnDpnC8qWVbU6l6Zs9zWhqP0E6UVZEUMUcRZB43hzoYB6fvcRSs8WPoArwl6dY0JrIccPz30xmtzuOLZRKpeJ5IPHFZw5l6Zo68xW/fiYggRz/KqtgFCLvPQ+Lj+6YY1X0zgl8a3xzz5EI9efUoZd30RstP6oPDy17QzTwoaA1OLHZfyIntyJiT9r3x0kLELrvwIFczyH339IGVYqE4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lPAiqi9i3hd/IIgrlkygiofpTmBc34UjLRWWFjQgmDQZ8em1hDlVfgd+/93D4BVIn36xgcg2RtYCx2GmXmg5JwRj5pxcBzyOVie5m0U4zHD6Rt0T8GAvCiCf9hhYkBi7lVHe4Sb7op9fpgfXrNunluSOwxS0NlaBKwa1gvE6/BNy2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lLw/priteJqeyg6psALOE5HEboNbEbOkupEDq1HXrfGn2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnctoLlIFVYoOgnQM/2Rz5g4eIxaKQoZ+9cRB51n5yxl/BJQA5860fCnVVFSyvS40JdaogrK4AcB+C0gsnUbXVyeX1Kq+MwIHo812Z/0GIAiR+HkJQwgmO7qkogz1vcP4+q7EHUnfXquRurKvZ5jMHz4eIxaKQoZ+9cRB51n5yxl9g/v4Djdoq+YadpY2vIGrZ2CI2Uv2y4jlPTdIuCNnWbDVfnXQwmbz3jY+JyZm4sKgHDLAxJSG/IIAKk2q5C0f6l6L6v86Nra6TiDC3FBOzBEMzapQz6v9XkJfLFhywMtFLbz4PXsEvXiaFbSooHN8xVDDfRmWQyINRSNJguwiY9ElfGZnb6gHT2U5ENwxhxpxW+5Jnwn3zMCBub7HDwqyOSl5l8hKoU5obcdof5SuB3A==

asrmo rfe.txt

😸🙍👭🙅🙇👔🙊👙👺🙂👌👪😫🙈😰😳🙃🙃🙄🙊🙎👐😱🙆👮👡👚👷😵👫🙇👏🙊👲😶👤🙉👫😰😷👹🙇👨👸👓👏🙋🙋👲🙈👳😲🙎👭👨🙉😰👰👙🙇👑👸👦🙎🙊👹🙊👮👗👩🙁😹🙃👧👡👸🙁😱👤👩👣👷👕🙅👨👙👗🙄👵👐👡👢😫😸👔😳👤👬😵😯👦👱😵👭🙎🙂🙃👓😲👐👶👥😷👰😵😹😷👘👗👪👬👥👬👒👱👰😶👕👳😵😯🙇👺😳👹😱😰👵🙉🙁😽😽

颜文字解密

https://www.emojiall.com/en/text-translator-page

A bunch of tired, anxious sweats rushing down evil monkeys and screaming fear. 
In the dark and in dark, medical mask of ogre princess, evil lips clap their hands skulls. 
The girl's couch was softly tearing, slightly frowned scream, scared screamer's shirt and footprints, staff member wearing bikini clothes, man no rolling eyes, old woman opening her hands. 
An open-hand baby bra in pairs of slippers, covering the cat's tears family with medical mask costumes. 
The one with the shirt his face and headscarf eyes closed whispers.

翻译一下

一堆疲惫、焦虑的汗水冲下邪恶的猴子，尖叫着恐惧。
在黑暗和黑暗中，食人魔公主的医用面具，邪恶的嘴唇拍手骷髅头。
女孩的沙发轻轻地撕扯着，微微皱着眉头尖叫，吓坏了尖叫者的衬衫和脚印，工作人员穿着比基尼衣服，男人没有翻白眼，老太太张开双手。
一双拖鞋的开放式婴儿胸罩，用医用口罩服装覆盖猫的眼泪家庭。
那个穿着衬衫的人，他的脸和头巾，闭着眼睛，低声说。

AES解密

from Crypto.Cipher import AES
import base64

data = 'HWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8BNUTz8oLfE57NkCrVwBBgGul5hHzCcKqyG7U5LWMOXYtzloMsVvdZdPbMZyb+EgYF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA3fVDcJt/sEYpz9U0yQTrgxTN0kF5G4xTJ5IKqYil2gK3Ml6usGZsucJXa6pCovoeaGSyZNq6T3aX1NOlb5Gt4gF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oAzlQmziosSr7gUvdXppjSt8PPIU/UwIkvINgvGw+oQMCCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CSHWXj+kI2pS+5pSJhDS0oA2QV+Gu05V1J2eVrbGhHB487Ns8HTVNYrll8P/Xve17NCaOmO7bDsiSxD/r9w3RKRQEfMm/fv+a/5v/NWgauEpoF17+W/S1oLDgQcjGmP6CS1yISnL45ZHzPjs5BGSboyDJXscweSL6g0ptOqql5vhY7Ns8HTVNYrll8P/Xve17NlyvQj9HulYK3sIMIiNTVrv/QYgLgLF9uO3y6uH800Gy0VvmX5a5S5ZEDlkBSgVrDb/KxZEoU9d83Nbzm7yH80p9xX+50C/29uVc+H6gx1gOTPv9mT6A8qfJoby4BoCS3by65j7WFf6d/XZX0KskX4t1SAjnDpnC8qWVbU6l6Zs9zWhqP0E6UVZEUMUcRZB43hzoYB6fvcRSs8WPoArwl6dY0JrIccPz30xmtzuOLZRKpeJ5IPHFZw5l6Zo68xW/fiYggRz/KqtgFCLvPQ+Lj+6YY1X0zgl8a3xzz5EI9efUoZd30RstP6oPDy17QzTwoaA1OLHZfyIntyJiT9r3x0kLELrvwIFczyH339IGVYqE4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lPAiqi9i3hd/IIgrlkygiofpTmBc34UjLRWWFjQgmDQZ8em1hDlVfgd+/93D4BVIn36xgcg2RtYCx2GmXmg5JwRj5pxcBzyOVie5m0U4zHD6Rt0T8GAvCiCf9hhYkBi7lVHe4Sb7op9fpgfXrNunluSOwxS0NlaBKwa1gvE6/BNy2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnKCWoqABdtqk7Z22cIzn0lLw/priteJqeyg6psALOE5HEboNbEbOkupEDq1HXrfGn2CI2Uv2y4jlPTdIuCNnWbCJsTSczfPJg5PVfyXykQtg4qA/Xsd3t/I+jStXiGGCnctoLlIFVYoOgnQM/2Rz5g4eIxaKQoZ+9cRB51n5yxl/BJQA5860fCnVVFSyvS40JdaogrK4AcB+C0gsnUbXVyeX1Kq+MwIHo812Z/0GIAiR+HkJQwgmO7qkogz1vcP4+q7EHUnfXquRurKvZ5jMHz4eIxaKQoZ+9cRB51n5yxl9g/v4Djdoq+YadpY2vIGrZ2CI2Uv2y4jlPTdIuCNnWbDVfnXQwmbz3jY+JyZm4sKgHDLAxJSG/IIAKk2q5C0f6l6L6v86Nra6TiDC3FBOzBEMzapQz6v9XkJfLFhywMtFLbz4PXsEvXiaFbSooHN8xVDDfRmWQyINRSNJguwiY9ElfGZnb6gHT2U5ENwxhxpxW+5Jnwn3zMCBub7HDwqyOSl5l8hKoU5obcdof5SuB3A=='
# qq群号
key = '798794707'
pad_data = chr(0).encode()*(16-len(key))
key = key.encode('utf-8')+pad_data
data = base64.b64decode(data)
aes = AES.new(key, AES.MODE_ECB)
print(aes.decrypt(data).decode())

运行得到

'&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONdihgfedcb[`_X|?>=<;:
9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjih&%e{"y~}|{zyr8vuWmlqpoh.ONjc
bafed]b[!BA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^
]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqp
onmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$
#"!~};{3216543,+0)(Lmlkjihgfedcba`_^]\[ZYXWsrqponmlkdLb(IHdcEa`_^]\UyY;QPUTM
qQ3IHl/.-,+*)('=BA@?>=<54X87w5.32+*Non,l$)('~%${Aba`_^]yxwYutsrqpi/Pf,Miha'H
GFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkji'&}$#"!~}vuzs9Z
Yunmrqponmf,MLKJIH^c\[`_^]V[Tx;QPUNrRQPON0Fj-IHG@d>CB;_?!=<;4Xyxwvutsrqponml
kjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCB^]\[Z<XWPOTSLp3210/.-,+*)('&%$#"87
<;:987654-Qrqponmlkjihgfedcbawv{zyxwvutsl2SRQPONMLKJIHGFEDCBA@?>=<;:98765432
10/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFED
CBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWV
UTSRQPONMLKJIHGFEDCBA@?>=<;:VUTSRQPON0FE-CgA@d'&B$:?>=<5:3Wxwvutsrqponmlkjih
gfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<XQVUTSRQPINGk.-,+*)('&%$#"!~}|{z
yxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUqponPlejibgf_%cb[`Y}]VUZSRv98TSRQ3ONMLE
i,+*)('&BA@?>=<;:3WD

Have you heard of Malbolge?

题目提示:Have you heard of Malbolge?

malbolge编程语言笔记 | 独奏の小屋

malbolge在线编译得到

最后flag为XYCTF{It’s_Easy!_Special_Signature}

Osint1

题目描述:

1	某人又在外面玩了，你能抓住他吗？flag格式：xyctf{xxx省\|xxx市\|xxx路\|xx海}

下载附件

百度识图

查看小红书内容

最后flag为xyctf{江苏省|南通市|滨海东路|黄海}

Osint2

题目描述:

1	又双叒叕出去玩了，快去抓他！！！！flag格式xyctf{列车车次名\|xxxx省\|xxxx（景区名<字数少于6）}

下载附件

查询车次

发现G3293符合要求，就差景区，百度一下洛阳有名的景区

尝试到老君山锁定答案

最后flag为xyctf{G3293|河南省|老君山}

疯狂大杂烩！九转功成

题目描述:

1	你能突破九大关卡修成神仙吗？

hint：

1.压缩包密码为比赛名称+8位什么来着？忘了。哈哈哈！
2.flag格式：XYCTF{md5(flag)}
3.第三层非夏多，看看交点
4.第六层键盘画图，狼蛛键盘最新版你值得拥有！

下载附件

根据提示1:猜测密码为比赛名称和日期，即XYCTF20240401为压缩包密码

解压压缩包

查看故事背景.txt

在远古时期，修仙过程被分为：炼气、筑基、结丹、元婴、化神、炼虚、合体、大乘、渡劫等九大层次。有多少心怀抱负的年轻一脉想要登临那巅峰的神仙境地。但对于普通人来说无疑炼气是他们拥有资格的前提。唯有一步一步跨过艰难险阻终会飞升成仙。若你想拿到属于你的那份flag，那就从炼气开始慢慢突破吧！！年轻人不是老夫瞧不起你！你可要想清楚是否要登临那虚无缥缈的神仙境地。

大概是flag被分成了好几段，要按照修仙过程顺序组成flag

练气

解压压缩包

查看hint1.txt

1
2
3

这是什么东西？

曰：玉魔命灵天观罗炁观神冥西道地真象茫华茫空吉清荡罗命色玉凶北莽人鬼乐量西北灵色净魂地魂莽玉凶阿人梵莽西量魄周界

天书解码

解压压缩包

宽高一把梭

得到flag1:XYCTF{T3e_c0mb1nation_

筑基

解压压缩包

查看hint2.txt

1	xihak-minoh-zusok-humak-zurok-gulyk-somul-nenel-dalek-nusyh-zumek-sysuk-zelil-fepak-tysok-senax

BubbleBabble解码

解压压缩包

zsteg一把梭

base64解码

得到flag2:0f_crypt0_and_

结丹

解压压缩包

查看hint3.jpg

根据提示3:第三层非夏多，看看交点

四个交点代表”-” 三个交点代表空格两个交点代表”.”

整理得到:

1	- .... . ..--.- - .... .. .-. -..

摩斯解码

得到压缩包密码:the_third

解压压缩包

查看flag.txt

1	这里啥也没有呀嘻嘻嘻

010查看flag.zip

末尾发现编码，赛博厨子一把梭

得到压缩包密码，解压压缩包得到

base32解码

得到flag3:misc_1s_re6lly_fun!!

元婴

解压压缩包

查看hint4.txt

1	都2024年了不会还有人解不出U2FsdGVkX1+y2rlJZlJCMnvyDwHwzkgHvNsG2TF6sFlBlxBs0w4EmyXdDe6s7viL吧

Triple DES解密

解压压缩包

查看hint.txt

1	wqk：1m813onn17o040358p772q37rm137qpnqppqpn38nr704m56n2m9q22po7r05r77

随波逐流一把梭

1	1a813cbb17c040358d772e37fa137edbeddedb38bf704a56b2a9e22dc7f05f77

.db是微信数据库备份文件，解密恢复文件

# jiemi.py
from Crypto.Cipher import AES
import hashlib, hmac, ctypes, sys, getopt

SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000
opts, args = getopt.getopt(sys.argv[1:], 'hk:d:')
input_pass = ''
input_dir = ''

for op, value in opts:
    if op == '-k':
        input_pass = value
    else:
        if op == '-d':
            input_dir = value

password = bytes.fromhex(input_pass.replace(' ', ''))

with open(input_dir, 'rb') as (f):
    blist = f.read()
print(len(blist))
salt = blist[:16]
key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)
first = blist[16:DEFAULT_PAGESIZE]
mac_salt = bytes([x ^ 58 for x in salt])
mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
hash_mac = hmac.new(mac_key, digestmod='sha1')
hash_mac.update(first[:-32])
hash_mac.update(bytes(ctypes.c_int(1)))

if hash_mac.digest() == first[-32:-12]:
    print('Decryption Success')
else:
    print('Password Error')
blist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]

with open(input_dir, 'wb') as (f):
    f.write(SQLITE_FILE_HEADER)
    t = AES.new(key, AES.MODE_CBC, first[-48:-32])
    f.write(t.decrypt(first[:-48]))
    f.write(first[-48:])
    for i in blist:
        t = AES.new(key, AES.MODE_CBC, i[-48:-32])
        f.write(t.decrypt(i[:-48]))
        f.write(i[-48:])

运行命令:

1	python shuju.py -k 1a813cbb17c040358d772e37fa137edbeddedb38bf704a56b2a9e22dc7f05f77 -d MSG0.db 62914560

运行得到

使用DB Browser for SQLite查看文件

得到flag4:L1u_and_K1cky_Mu

化神

解压压缩包

查看hint5.txt

1 2	enc = 'key{liu*****' md5 = '87145027d8664fca1413e6a24ae2fbe7'

md5爆破

import hashlib
enc = 'key{liu'
md5 = '87145027d8664fca1413e6a24ae2fbe7'
 
for x in range(0,127):
    for y in range(0,127):
        for z in range(0,127):
            for k in range(0,127):
                temp1 = hashlib.md5(str(enc + chr(x) + chr(y) + chr(z) + chr(k) + "}").encode("utf-8"))
                temp2 = temp1.hexdigest()
                if(md5 == temp2):
                    print(enc + chr(x) + chr(y) + chr(z) + chr(k) + "}")

运行得到key{liuyyds}

解压压缩包

查看flag.txt

这里什么都没有呦！

查看serpent.txt根据文件名确定是serpent隐写，密码就是之前的liuyyds

下载文件

乱码，改后缀.txt查看

零宽隐写

得到flag5:_3re_so_sm4rt!

炼虚

解压压缩包

查看hint6.txt

wszrdc 
fgtrfvb 
ghytgbn 
rfctg 
yhju
frtg
uyhbghj
6yhn
uyhjujmn
tgvvghb
yhnmghj
4rfv
derf
iujkikmn

根据提示4:第六层键盘画图，狼蛛键盘最新版你值得拥有！

键盘密码画图，根据每行字母走向刻画出密码为：keeponfighting
解压压缩包

文件一个个分析发现flag都是假的，发现这几个文件除了jpg文件名其他文件都是数字命名，怀疑是jpg隐写

尝试steghide 密码为14689或者98641试试，发现98641是密码

1	steghide extract -sf yuanshen.jpg -p 98641

得到flag6:In_just_a_few_m1nutes_

合体

解压压缩包

查看hint7.txt

1
2
3

密文：Tig+AF8-viakubq+AF8-vphrz+AF8-xi+AF8-uayzdyrjs

听说维吉尼亚key大残

先进行utf-7解码，大残也就是全选，维吉尼亚表全是字母，维吉尼亚解码，赛博厨子一把梭

解压压缩包

根据颜色找对应数字

1	164 150 145 171 137 167 145 162 145 137 164 150 162 60 165 147 150 41

八进制，随波逐流八进制转字符串

得到flag7:they_were_thr0ugh!

大乘

解压压缩包

查看hint8.py

from Crypto.Util.number import bytes_to_long, getPrime
flag=b"password{xxxxx}"
p,q= getPrime(1024),getPrime(1024)
n = p * q
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print("n=",n)
print("c=",c)
print("p^q=",p^q)
'''
n= 22424440693845876425615937206198156323192795003070970628372481545586519202571910046980039629473774728476050491743579624370862986329470409383215065075468386728605063051384392059021805296376762048386684738577913496611584935475550170449080780985441748228151762285167935803792462411864086270975057853459586240221348062704390114311522517740143545536818552136953678289681001385078524272694492488102171313792451138757064749512439313085491407348218882642272660890999334401392575446781843989380319126813905093532399127420355004498205266928383926087604741654126388033455359539622294050073378816939934733818043482668348065680837
c= 1400352566791488780854702404852039753325619504473339742914805493533574607301173055448281490457563376553281260278100479121782031070315232001332230779334468566201536035181472803067591454149095220119515161298278124497692743905005479573688449824603383089039072209462765482969641079166139699160100136497464058040846052349544891194379290091798130028083276644655547583102199460785652743545251337786190066747533476942276409135056971294148569617631848420232571946187374514662386697268226357583074917784091311138900598559834589862248068547368710833454912188762107418000225680256109921244000920682515199518256094121217521229357
p^q= 14488395911544314494659792279988617621083872597458677678553917360723653686158125387612368501147137292689124338045780574752580504090309537035378931155582239359121394194060934595413606438219407712650089234943575201545638736710994468670843068909623985863559465903999731253771522724352015712347585155359405585892

'''

剪纸算法

from Crypto.Util.number import *
import gmpy2
import sys  # 导入sys模块
sys.setrecursionlimit(3000)  # 将默认的递归深度修改为3000
 
n = 22424440693845876425615937206198156323192795003070970628372481545586519202571910046980039629473774728476050491743579624370862986329470409383215065075468386728605063051384392059021805296376762048386684738577913496611584935475550170449080780985441748228151762285167935803792462411864086270975057853459586240221348062704390114311522517740143545536818552136953678289681001385078524272694492488102171313792451138757064749512439313085491407348218882642272660890999334401392575446781843989380319126813905093532399127420355004498205266928383926087604741654126388033455359539622294050073378816939934733818043482668348065680837
seed = 14488395911544314494659792279988617621083872597458677678553917360723653686158125387612368501147137292689124338045780574752580504090309537035378931155582239359121394194060934595413606438219407712650089234943575201545638736710994468670843068909623985863559465903999731253771522724352015712347585155359405585892
#seed即p^q
 
def findp(p, rp):
    l = len(p)
    if l == 1024:
        rp.append(int(p, 2))
    else:
        pp = int(p, 2)
        qq = (seed ^ pp) % 2 ** l
        if pp * qq % 2 ** l == n % 2 ** l:
            findp('1' + p, rp)
            findp('0' + p, rp)
 
rp = []
findp('1', rp)
for i in rp:
    if n%i==0 & isPrime(int(i)):
        print(i)
#145805499551351837545170670839798336872366414383311042018386386595288060139791135454980413014693924866953972662266748526407954492877610429602886244372924035960962307198910659475639333945895922717307291255423855616274924584270570126180050363106535962473049107576556315461013755859097114552522187755171423621071
#153796947048270429510444756458855481287460639468563001213489907625132438953570738468181770925091867439727519074685449940618659583114338501872698220745473531199063071421852521618805765627999106188015431567625318850899895052130157037822960945909520973243793507740817436707504505709194025074527084803054107605547
 
 
p=145805499551351837545170670839798336872366414383311042018386386595288060139791135454980413014693924866953972662266748526407954492877610429602886244372924035960962307198910659475639333945895922717307291255423855616274924584270570126180050363106535962473049107576556315461013755859097114552522187755171423621071
q=n//p
c=1400352566791488780854702404852039753325619504473339742914805493533574607301173055448281490457563376553281260278100479121782031070315232001332230779334468566201536035181472803067591454149095220119515161298278124497692743905005479573688449824603383089039072209462765482969641079166139699160100136497464058040846052349544891194379290091798130028083276644655547583102199460785652743545251337786190066747533476942276409135056971294148569617631848420232571946187374514662386697268226357583074917784091311138900598559834589862248068547368710833454912188762107418000225680256109921244000920682515199518256094121217521229357
e=65537
phi = (p-1) * (q-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

运行得到

解压压缩包

no为0，yes为1，01画图，但需要知道坐标

010查看压缩包发现base编码

base64解码

随言随语解码

画图

from PIL import Image
MAX1 = 548
MAX2=72
pic = Image.new("RGB",(MAX1, MAX2))
str = ""
i = 0
for y in range (0,MAX2):
    for x in range (0,MAX1):
        if(str[i] == '1'):
            pic.putpixel([x,y],(0, 0, 0))
        else:
            pic.putpixel([x,y],(255,255,255))
        i = i+1
pic.show()
pic.save("flag.png")

运行得到

原神须弥沙漠文字对照表

得到flag8:Sm3rt_y0u_can_do

渡劫

解压压缩包

查看hint9.py

from Crypto.Util.number import *
from random import randint

p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537

list = []
for _ in range(2):
    a, b = randint(0, 2**8), randint(0, 2**256)
    list.append(a * p + b * q)

password = b"xxxxx"
c = pow(bytes_to_long(password), e, n)
print(f'{n = }')
print(f'{c = }')
print(f'{list = }')


#n = 107803636687595025440095910573280948384697923215825513033516157995095253288310988256293799364485832711216571624134612864784507225218094554935994320702026646158448403364145094359869184307003058983513345331145072159626461394056174457238947423145341933245269070758238088257304595154590196901297344034819899810707
#c = 46049806990305232971805282370284531486321903483742293808967054648259532257631501152897799977808185874856877556594402112019213760718833619399554484154753952558768344177069029855164888168964855258336393700323750075374097545884636097653040887100646089615759824303775925046536172147174890161732423364823557122495
#list = [618066045261118017236724048165995810304806699407382457834629201971935031874166645665428046346008581253113148818423751222038794950891638828062215121477677796219952174556774639587782398862778383552199558783726207179240239699423569318, 837886528803727830369459274997823880355524566513794765789322773791217165398250857696201246137309238047085760918029291423500746473773732826702098327609006678602561582473375349618889789179195207461163372699768855398243724052333950197]

爆破a求q

from Crypto.Util.number import *
from itertools import product
from math import gcd
import gmpy2
 
n = 107803636687595025440095910573280948384697923215825513033516157995095253288310988256293799364485832711216571624134612864784507225218094554935994320702026646158448403364145094359869184307003058983513345331145072159626461394056174457238947423145341933245269070758238088257304595154590196901297344034819899810707
c = 46049806990305232971805282370284531486321903483742293808967054648259532257631501152897799977808185874856877556594402112019213760718833619399554484154753952558768344177069029855164888168964855258336393700323750075374097545884636097653040887100646089615759824303775925046536172147174890161732423364823557122495
list = [618066045261118017236724048165995810304806699407382457834629201971935031874166645665428046346008581253113148818423751222038794950891638828062215121477677796219952174556774639587782398862778383552199558783726207179240239699423569318, 837886528803727830369459274997823880355524566513794765789322773791217165398250857696201246137309238047085760918029291423500746473773732826702098327609006678602561582473375349618889789179195207461163372699768855398243724052333950197]
h1, h2 = list
 
for a, b in product(range(2**8), repeat=2):
    q = gcd(a * h1 - b * h2, n)
    if q != 1 and q < n:
        print(q, n)
        break
q = 12951283811821084332224320465045864899191924765916891677355364529850728204537369439910942929239876470054661306841056350863576815710640615409980095344446711
 
p = n // q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m))

运行得到

解压压缩包

查看txt文本内容

1	压缩包里的图片真的有东西吗？不如看向外面

压缩包名字猜测是oursecret隐写，根据txt文本内容确定是压缩包存在oursecret隐写

查看flag.txt

得到flag9:_nine_turns?}

合并flag为

1	XYCTF{T3e_c0mb1nation_0f_crypt0_and_misc_1s_re6lly_fun!!L1u_and_K1cky_Mu_3re_so_sm4rt!In_just_a_few_m1nutes_they_were_thr0ugh!Sm3rt_y0u_can_do_nine_turns?}

md5加密