一、Crypto-brainfuck
1.附件内容如下。
++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++.
2.直接brainfuck解码即可。(https://www.splitbrain.org/services/ook)
二、Crypto-Caesar's Secert
1.附件内容如下。
kqfl{hf3x4w'x_h1umjw_n5_a4wd_3fed}
2.凯撒解码即可。(https://ctf.bugku.com/tool/caesar)
三、Crypto-Fence
1.附件内容如下。
fa{ereigtepanet6680}lgrodrn_h_litx#8fc3
2.栅栏解码即可。(https://ctf.bugku.com/tool/railfence)
四、Crypto-Vigenère
1.附件内容如下。
pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0}
2.维吉尼亚解码,只不过这里缺少一个密钥,,因为知道解码出来的开头肯定是flag,所以可以慢慢尝试,经过尝试密钥是kfc。(https://ctf.bugku.com/tool/vigenere)
五、Crypto-babyrsa
1.附件内容如下。
from Crypto.Util.number import *
from flag import flag
def gen_prime(n):
res = 1
for i in range(15):
res *= getPrime(n)
return res
if __name__ == '__main__':
n = gen_prime(32)
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print(n)
print(c)
# 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
# 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
2.n分解出来有15个素因数,因为知道Φ(n)=(p-1)(q-1)=(a-1)(b-1)····(f-1)(有几个素因数就乘几个),故脚本如下。
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
e = 65537
primes = [2217990919, 3831680819, 3654864131, 2463878387, 3939901243, 2706073949, 2970591037, 2370292207, 2338725373,
2923072267, 4278428893, 4093178561, 2794985117, 2804303069, 3207148519]
phi = 1
for i in primes:
phi *= (i - 1)
d = invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m)) # b'flag{us4_s1ge_t0_cal_phI}'
六、Crypto-Small d
1.附件内容如下。
from secret import flag
from Crypto.Util.number import *
p = getPrime(1024)
q = getPrime(1024)
d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)
c = pow(m,e,n)
print(c)
print(e)
print(n)
# c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
# n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
2.尝试去分解n,无果。由于此题e很大,d很小,属于低解密指数攻击,直接利用脚本破解。
from Crypto.Util.number import *
def rational_to_contfrac(x, y):
'''
Converts a rational x/y fraction into
a list of partial quotients [a0, ..., an]
'''
a = x // y
if a * y == x:
return [a]
else:
pquotients = rational_to_contfrac(y, x - a * y)
pquotients.insert(0, a)
return pquotients
def convergents_from_contfrac(frac):
'''
computes the list of convergents
using the list of partial quotients
'''
convs = [];
for i in range(len(frac)):
convs.append(contfrac_to_rational(frac[0:i]))
return convs
def contfrac_to_rational(frac):
'''Converts a finite continued fraction [a0, ..., an]
to an x/y rational.
'''
if len(frac) == 0:
return (0, 1)
elif len(frac) == 1:
return (frac[0], 1)
else:
remainder = frac[1:len(frac)]
(num, denom) = contfrac_to_rational(remainder)
# fraction is now frac[0] + 1/(num/denom), which is
# frac[0] + denom/num.
return (frac[0] * num + denom, num)
def egcd(a, b):
'''
Extended Euclidean Algorithm
returns x, y, gcd(a,b) such that ax + by = gcd(a,b)
'''
u, u1 = 1, 0
v, v1 = 0, 1
while b:
q = a // b
u, u1 = u1, u - q * u1
v, v1 = v1, v - q * v1
a, b = b, a - q * b
return u, v, a
def gcd(a, b):
'''
2.8 times faster than egcd(a,b)[2]
'''
a, b = (b, a) if a < b else (a, b)
while b:
a, b = b, a % b
return a
def modInverse(e, n):
'''
d such that de = 1 (mod n)
e must be coprime to n
this is assumed to be true
'''
return egcd(e, n)[0] % n
def totient(p, q):
'''
Calculates the totient of pq
'''
return (p - 1) * (q - 1)
def bitlength(x):
'''
Calculates the bitlength of x
'''
assert x >= 0
n = 0
while x > 0:
n = n + 1
x = x >> 1
return n
def isqrt(n):
'''
Calculates the integer square root
for arbitrary large nonnegative integers
'''
if n < 0:
raise ValueError('square root not defined for negative numbers')
if n == 0:
return 0
a, b = divmod(bitlength(n), 2)
x = 2 ** (a + b)
while True:
y = (x + n // x) // 2
if y >= x:
return x
x = y
def is_perfect_square(n):
'''
If n is a perfect square it returns sqrt(n),
otherwise returns -1
'''
h = n & 0xF; # last hexadecimal "digit"
if h > 9:
return -1 # return immediately in 6 cases out of 16.
# Take advantage of Boolean short-circuit evaluation
if (h != 2 and h != 3 and h != 5 and h != 6 and h != 7 and h != 8):
# take square root if you must
t = isqrt(n)
if t * t == n:
return t
else:
return -1
return -1
def hack_RSA(e, n):
frac = rational_to_contfrac(e, n)
convergents = convergents_from_contfrac(frac)
for (k, d) in convergents:
# check if d is actually the key
if k != 0 and (e * d - 1) % k == 0:
phi = (e * d - 1) // k
s = n - phi + 1
# check if the equation x^2 - s*x + n = 0
# has integer roots
discr = s * s - 4 * n
if (discr >= 0):
t = is_perfect_square(discr)
if t != -1 and (s + t) % 2 == 0:
print("\nHacked!")
return d
def main():
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
d = hack_RSA(e, n)
print("d=")
print(d) # 2357048593
if __name__ == '__main__':
main()
得到d之后,就很简单了。
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
d = 2357048593
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
m = pow(c, d, n)
print(long_to_bytes(m)) # b'flag{learn_some_continued_fraction_technique#dc16885c}'
七、Crypto-babyxor
1.附件内容如下。
from secret import *
ciphertext = []
for f in flag:
ciphertext.append(f ^ key)
print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2
2.由于此题不知道key,所以只能写脚本去破解了。
import binascii
s = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
unhex = binascii.unhexlify(s)
for j in range(255):
res = ''
for i in unhex:
res += chr(j ^ i)
print(res)
八、Crypto-babyencoding
1.附件内容如下。
part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`
2.第一段base64,第二段base32,第三段uuencode,依次解码即可。
九、Crypto-Affine
1.附件内容如下。
from flag import flag, key
modulus = 256
ciphertext = []
for f in flag:
ciphertext.append((key[0]*f + key[1]) % modulus)
print(bytes(ciphertext).hex())
# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064
2.Affine是一个映射密码,y=(a*x+b)%c,所以解码需要知道a、b、c这三个参数。由于知道答案开头肯定是flag,故可以写出方程式
(102*a+b)%256=221 (1)
(108*a+b)%256=67 (2)
(97*a+b)%256=136 (3)
(103*a+b)%256=238 (4)
由(1)式和(4)式可以很容易得到a=17,接着就可以解出b=23。知道了这两个,编写脚本获取flag。
s = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
unhex = binascii.unhexlify(s)
res = ''
strings = string.printable
for i in unhex:
for j in strings:
if int((ord(j) * 17 + 23) % 256) == i:
res += j
print(res) # flag{4ff1ne_c1pher_i5_very_3azy}
十、Crypto-babyaes
1.附件内容如下。
from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *
def pad(data):
return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])
def main():
flag_ = pad(flag)
key = os.urandom(16) * 2
iv = os.urandom(16)
print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
aes = AES.new(key, AES.MODE_CBC, iv)
enc_flag = aes.encrypt(flag_)
print(enc_flag)
if __name__ == "__main__":
main()
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
2.整体观察一下,发现是CBC模式下的AES。key是32字节(256bits),iv是16字节(128bits),所以两者异或的结果其实是key的低128bits与iv异或,再加上key的高128bits。即输出结果的高128bits就是key的高128bits,从而能得到key。
xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
key = long_to_bytes(xor^1)[:16]*2
这里需要注意的一点是,输出的结果的高位部分在左侧,低位部分在右侧,一开始我就是想不通为什么取[:16]部分。得到了key之后,取低128bits再与输出结果的低128bits进行异或得到iv。完整脚本如下:
rom Crypto.Util.number import *
from Crypto.Cipher import AES
xor = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc_flag = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
key = long_to_bytes(xor ^ 1)[:16] * 2
iv = bytes_to_long(key[16:]) ^ bytes_to_long(long_to_bytes(xor ^ 1)[16:])
iv = long_to_bytes(iv)
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(enc_flag)
print(flag) # b'firsT_cry_Aes\x00\x00\x00'
十一、Misc-CyberChef's Secret
1.附件内容如下。
来签到吧!下面这个就是flag,不过它看起来好像怪怪的:-)
M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=
2.依次经过base32、base58、base64解码即可。
十二、Misc-机密图片
1.附件是一张图片。
扫码得到。
看来密码不在这里。
2.尝试LSB隐写,得到flag。
十三、Misc-流量!鲨鱼!
1.附件是一个流量包,里面总共有3000多条流量,故一条一条看是不可能的,发现有http流量,将http对象提取出来。
选择“文件”->“导出对象”->"http"
将所有文件都导出来。
2.看到有很多文件名为flag的,一个一个查看,发现都是404 NOT FOUND。
再翻翻,看到最后有一个(1).ffffllllllll11111144444GGGGGG%7cbase64这样的文件。
打开。文件内容如下。
Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=
两次base64解码即可。
十四、Misc-空白格
1.附件内容如下,刚打开什么都看不到,必须全选才能看到。
2.看到有点和横线,以为是莫斯密码,尝试了一下不对。再通过空白格这条线索,找到了white_space隐写。(https://vii5ard.github.io/whitespace/)
十五、Misc-隐秘的眼睛
1.附件又是一张图片。
2.尝试了LSB隐写等等都不对。但是有经验的人根据题目名字就可以知道这是SlientEye隐写。(工具放在附件中)
十六、Misc-压缩包们
1.附件是一个无后缀名的文件,通过16进制编辑器查看,可以得到是个zip文件。
2.但是文件头不对,所以修改文件头为504B0304,修改后缀名为zip,解压得到flag.zip文件。解压flag.zip发生错误。
3.16进制编辑器打开,发现在文件尾有一串base64编码。
解码。
提示我们密码是个6位数,利用工具爆破得到密码为232311。
删除最后的base64后再保存,我发现个奇怪的问题,这个压缩包只能用bandzip打开,其他压缩软件打开都会有问题。
十七、Web-泄漏的秘密
1.直接目录扫描得到robots.txt和www.zip,访问一下拿到flag。
十八、Web-Begin of Upload
1.文件上传漏洞,前端校验后缀名。
2.故这题需要利用%00截断。
成功上传。
执行一句话木马,拿到flag。
十九、Web-ErrorFlask
1.页面叫我们传入两个参数,随便传一下看一下效果。
2.提示我们不是ssti,flag在源代码中。既然他说不是ssti,我就非要试试。果然页面报错了。
可以看到有个/app/app.py文件,点进去看看,直接得到flag。
二十、Web-Begin of HTTP
1.页面如下。
哎,这种题目就是按照提示一步步做就完事了。
又要以POST方式对secret传参,先对注释中的编码解码后再传。
又要验证power,直接把cookie中的power字段改为ctfer即可。
要通过NewStarCTF2023浏览器访问,修改User-Agent。
要从newstarctf.com这个网址访问过来的,添加referer字段。
要本地用户访问,需要添加X-Fordwarded-For之类的字段,把下列的字段全部加进去,总有一个是能成功的。
X-Custom-IP-Authorization:127.0.0.1
X-Forward-For:127.0.0.1
X-Forward:127.0.0.1
X-Forward:localhost
X-Forwarded-By:127.0.0.1
X-Forwarded-By:localhost
X-Forwarded-For-Original:127.0.0.1
X-Forwarded-For-Original:localhost
X-Forwarded-Server:127.0.0.1
X-Forwarded-Server:localhost
X-Forwarded:127.0.0.1
X-Forwarded:localhost
X-Forwarded-For:127.0.0.1
X-Forwarded-For:localhost
X-Forwarded-Host:127.0.0.1
X-Forwarded-Host:localhost
X-Host:127.0.0.1
X-Host:localhost
X-HTTP-Host-Override:127.0.0.1
X-Real-IP:127.0.0.1
X-Remote-Addr:127.0.0.1
X-Remote-Addr:localhost
X-Remote-IP:127.0.0.1
Client-IP:127.0.0.1
Forwarded-For:localhost
Forwarded-For:127.0.0.1
Forwarded:localhost
Forwarded:127.0.0.1
Forwarded-For-IP:127.0.0.1
True-Client-IP:127.0.0.1
X-Client-IP:127.0.0.1
X-Originating-IP:127.0.0.1
二十一、Web-Begin of PHP
1.源代码如下。
<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['key1']) && isset($_GET['key2'])){
echo "=Level 1=<br>";
if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
$flag1 = True;
}else{
die("nope,this is level 1");
}
}
if($flag1){
echo "=Level 2=<br>";
if(isset($_POST['key3'])){
if(md5($_POST['key3']) === sha1($_POST['key3'])){
$flag2 = True;
}
}else{
die("nope,this is level 2");
}
}
if($flag2){
echo "=Level 3=<br>";
if(isset($_GET['key4'])){
if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
$flag3 = True;
}else{
die("nope,this is level 3");
}
}
}
if($flag3){
echo "=Level 4=<br>";
if(isset($_GET['key5'])){
if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
$flag4 = True;
}else{
die("nope,this is level 4");
}
}
}
if($flag4){
echo "=Level 5=<br>";
extract($_POST);
foreach($_POST as $var){
if(preg_match("/[a-zA-Z0-9]/",$var)){
die("nope,this is level 5");
}
}
if($flag5){
echo file_get_contents("/flag");
}else{
die("nope,this is level 5");
}
}
2.代码审计,第一个if判断要求两个值不等,但是两个值的md5值要想等,利用数组绕过;第二个if还是利用数组绕过;第三个if是比较两个字符串,还是用数组绕过;第四个if要求不是数字但是得大于2023,输入2024a绕过;第五个if通过正则判断你传入的是否有大小写字母和数字,故这里需要利用异或操作绕过,传入的值为flag5=true,需要把true用异或的形式表示。
<?php
$a="true";
for($i=0;$i<strlen($a);$i++){
echo "%".dechex(ord($a[$i])^0xff);
}
echo "^";
for($i=0;$i<strlen($a);$i++){
echo "%ff";
}
// %8b%8d%8a%9a^%ff%ff%ff%ff
二十二、Web-R!C!E!
1.源代码如下。
<?php
highlight_file(__FILE__);
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
$password=md5($_POST['password']);
$code=$_POST['e_v.a.l'];
if(substr($password,0,6)==="c4d038"){
if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
eval($code);
}
}
}
2.对password和e_v.a.l传参,需要满足password的md5值的前六位为c4d038,并且e_v.a.l的值会交给eval执行,但是不能出现flag、system等关键词。
第一步:暴力破解得到应该传给password的值。
import hashlib
def md5(s):
return hashlib.md5(s.encode(encoding='UTF-8')).hexdigest()
for i in range(1000000000):
h = md5(str(i))
if h[0:6] == "c4d038":
print(i) # 114514
break
第二步给e_v.a.l传一个eval($_GET[1])就可以逃脱出不能使用那些关键字的情况了。
但是传完参,发现页面没有任何反应。
哪里错了呢,本地搭一个环境,经过测试,发现连第一个if判断都没通过,关键在给e_v.a.l这个参数传参。(这里特别感谢王马老师的解答)我们都知道这不是一个规范的变量名,所以传参的时候直接用题目所给是有问题的。这里参考(https://blog.csdn.net/qq_45086218/article/details/114113971)
所以此处应该是给e[v.a.l传参就可以了。
成功执行,获取flag。
二十三、Web-EasyLogin
1.页面是个登录框,首先注册一个用户叫admin,发现已经被注册过了。
题目既然叫easyLogin,说明这里有可能需要爆破密码。抓个包,发现password经过了处理。
查看页面源代码,发现是md5值。
知道了密码的转换过程,就可以爆破了。
爆破得到密码的md5值,解密一下密码是000000。
2.登录进去之后,按ctrl+C和ctrl+D后进入shell,输入pwd,成功执行。
按向上键,查找命令历史记录。
提示我们用burpsuite,重新回到登录界面抓包,找到一个302跳转的包,查看响应获得flag。
二十四、Reverse-easy_RE
1.ida打开,main函数反编译,可看到一部分flag,还有一部分flag需要从变量v6到v16处获得。
ascii转换一下得到另一部分flag。
拼接一下即可。
标签:127.0,return,NewStarCTF,0.1,firstweek,flag,key,print From: https://www.cnblogs.com/sbhglqy/p/18109180