
楚颖i2024polarctf夏季个人挑战赛WriteUp

时间:2024-06-01 23:34:40浏览次数:30  

 

216fe58619c3bf75ba3c681baf9383e

PolarCTF网络安全2024夏季个人挑战赛

WRITE UP

参赛人员:

楚颖i

PolarCTF网络安全个人挑战赛组委会 制

目录

第一部分:MISC 1

1-1 祺贵人告发 1

1-2 费眼睛的flag 2

1-5 你耳机听什么 5

第二部分:CRYPTO 7

2-1 pici 7

2-2 翻栅栏 8

2-3 Hello 9

第三部分:WEB 13

3-2 审计 14

3-3 扫扫看 15

3-4 debudao 16

3-5 Dragon 17

第四部分:REVERSE 25

4-1 crc 25

第一部分:MISC

1-1 祺贵人告发

本题思路如下:

PNG图片尾部藏了一个zip,用foremost提取得到加密压缩包

爆破得到密码1574

flag{3bb6fa896968f804033fb85af5576762}

1-2 费眼睛的flag

本题思路如下:

典题

字体选择加粗,背景填充黑色

flag{4d58a180010fcce87d331c9ba36e3b93}

 

1-5 你耳机听什么

本题思路如下:

三个zip

第一个:

https://qr61.cn/oLHDAn/qYdgRdp

下载得到代码第一部分

第二个:

压缩包备注102 49 64 57 105 36 72 101 114 69

ASCII码转字符

密码f1@9i$HerE

Word改颜色

Base64解码得到第二部分代码

第三个

备注steghide

Stegseek爆破一下

得到第三部分代码

完整代码

#include <iostream>

#include <Windows.h>

#pragma comment(lib,"winmm.lib")

using namespace std;

// MIDI note numbers for the 88 piano keys, A0 (21) up to C8 (108), plus Rest (0).
// Names are <pitch letter><octave>, with a trailing 's' for the sharp one
// semitone above (A4 = 69, A4s = 70). One octave is listed per pair of lines,
// highest octave first.
enum Scale {
    Rest = 0,

    C8 = 108,

    B7 = 107, A7s = 106, A7 = 105, G7s = 104, G7 = 103, F7s = 102,
    F7 = 101, E7 = 100, D7s = 99, D7 = 98, C7s = 97, C7 = 96,

    B6 = 95, A6s = 94, A6 = 93, G6s = 92, G6 = 91, F6s = 90,
    F6 = 89, E6 = 88, D6s = 87, D6 = 86, C6s = 85, C6 = 84,

    B5 = 83, A5s = 82, A5 = 81, G5s = 80, G5 = 79, F5s = 78,
    F5 = 77, E5 = 76, D5s = 75, D5 = 74, C5s = 73, C5 = 72,

    B4 = 71, A4s = 70, A4 = 69, G4s = 68, G4 = 67, F4s = 66,
    F4 = 65, E4 = 64, D4s = 63, D4 = 62, C4s = 61, C4 = 60,

    B3 = 59, A3s = 58, A3 = 57, G3s = 56, G3 = 55, F3s = 54,
    F3 = 53, E3 = 52, D3s = 51, D3 = 50, C3s = 49, C3 = 48,

    B2 = 47, A2s = 46, A2 = 45, G2s = 44, G2 = 43, F2s = 42,
    F2 = 41, E2 = 40, D2s = 39, D2 = 38, C2s = 37, C2 = 36,

    B1 = 35, A1s = 34, A1 = 33, G1s = 32, G1 = 31, F1s = 30,
    F1 = 29, E1 = 28, D1s = 27, D1 = 26, C1s = 25, C1 = 24,

    B0 = 23, A0s = 22, A0 = 21
};

// Numbered-notation aliases for the natural notes of four octaves, plus the
// control values used inside the note table.
// The digit 1..7 is the scale degree (C D E F G A B); the prefix picks the
// octave: X = octave 2, L = octave 3, M = octave 4, H = octave 5.
enum Voice {
    // Octave 2
    X1 = C2, X2 = D2, X3 = E2, X4 = F2, X5 = G2, X6 = A2, X7 = B2,
    // Octave 3
    L1 = C3, L2 = D3, L3 = E3, L4 = F3, L5 = G3, L6 = A3, L7 = B3,
    // Octave 4 (M1 is C4, note number 60)
    M1 = C4, M2 = D4, M3 = E4, M4 = F4, M5 = G4, M6 = A4, M7 = B4,
    // Octave 5
    H1 = C5, H2 = D5, H3 = E5, H4 = F5, H5 = G5, H6 = A5, H7 = B5,

    // Tempo markers; the values sit above the 0..127 note-number range.
    LOW_SPEED = 500,
    MIDDLE_SPEED = 400,
    HIGH_SPEED = 300,

    // Marker for a silent beat in the note table.
    _ = 0xFF
};

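// Plays the embedded melody on MIDI output device 0 and prints each message
// that is sent.
//
// The table `wind` mixes note numbers with control values:
//   0   -> shorten the per-note delay to 175 ms
//   300 -> restore the per-note delay to 350 ms
//   700 -> pause 175 ms without changing the per-note delay
//   _   -> rest for 350 ms
// Every other entry is sent as a note-on message and followed by the current
// per-note delay.
//
// Returns without playing anything if the MIDI device cannot be opened.
void Wind() {
    HMIDIOUT handle = nullptr;

    // The original ignored the result of midiOutOpen and went on to use an
    // uninitialized handle when the open failed (no MIDI device, device busy).
    const MMRESULT rc = midiOutOpen(&handle, 0, 0, 0, CALLBACK_NULL);
    if (rc != MMSYSERR_NOERROR) {
        cerr << "midiOutOpen failed, error " << rc << endl;
        return;
    }

    // midiOutShortMsg(handle, 2 << 8 | 0xC0);

    int volume = 0x7f;  // note-on velocity (maximum)
    int voice = 0x0;    // packed MIDI short message
    int sleep = 350;    // delay after each note, in milliseconds

    int wind[] =
    {
        500, L6, 700, M1, 700, M5, 700, M1, 700, L4, 700, L5, 700, M5, 700, M1, 500, L1, 400, L5, M5, M1, L1, M5, L7,
        M5, _, L6, M1, M5, M1, L4, L5, M5, M1, L1, L5, M5, M1, L1, M5, L7, M5, _, _, _,
        300, M5, M5, M1, _, M1, _, M2, M3, _, _, M5, M5, M1, M1, M2, M3, 0, M2, M1, _, _, _, 500, 300,
        300, M5, M5, M1, _, M1, _, M2, M3, _, 500, M3, _, 300, M2, M3, M4, M3, M2, M4, M3, M2, _, 500, 300,
        300, L5, M1, M1, M3, M4, M3, M2, _, M1, M2, _, 300, M3, M3, M3, M3, _, M2, M3, M2, M1, 300,
        400, L5, M1, _, M2, M3, M4, M3, M2, M1, M2, _, M3, M3, M3, M3, 0, M2, M3, 0, M2, M1, _, _, 500, 300,
        300, L7, 300, M1, 300, M1, 300, M1, 300, M1, L7, M1, M1, _, _, M1, M1, M1, L7, M1, M1, _, _, M1, M1, M1, L7, M1,
        M1, _, M1, M1, M1, M5, M5, M5, _, M5, M5, M5, M5, 0, M5, M5, _, _, _, 500, 300,
        300, M5, M5, M5, _, M5, M4, M3, M3, 0, 500, 300, _, _, _,
        300, M1, M1, M1, M1, L6, _, L7, M1, M5, M4, M3, M1, M1, _, _,
        300, M1, M1, M1, M1, _, M3, M1, _, _, L6, L7, M1, M5, M4, M3, M1, M2, _, _, _,
        400, _, _, _, _, M3, M2, M4, M3, _, _, M1, M5, M7, L7, M7, M5, M1, _, _, M1, M6, M6, _, _, M6, M5, M5, _, M5,
        M4, M3, M2, M3, M4, M3, _, _,
        400, M3, M4, M5, M3, _, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        400, H1, H1, M5, M5, M6, M5, M4, _, M2, M3, M4, M5, M6, M1, M6, _, 0, M7, M7, _, _, 500, 300,
        400, M3, M2, M4, M3, _, M1, M5, M7, H1, M7, M1, M1, _, M1, M6, M6, _, M6, M5, M5, _, M5, M4, M3, M2, M3, M4, M3,
        _, _,
        400, M3, M4, M5, M3, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        400, H1, H1, M5, M5, M6, M5, M4, M2, M3, M4, M5, M6, M1, M6, M7, _, M7, _, _,
        300, M3, M2, M4, M3, _, M1, M5, M7, H1, M7, H2, H1, _, _,
        300, M1, M6, M6, _, M6, M5, M5, _, M5, M4, M3, M2, M3, M4, M3, _, _, _,
        300, M3, M4, M5, M3, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        500, H1, H1, M5, M5, M6, M5, M4, L6, L7, M1, M2, M3, M2, _, _,
        500, M3, _, M1, _, _, _,
    };

    for (auto i : wind) {
        if (i == 0) { sleep = 175; continue; }
        if (i == 700) { Sleep(175); continue; }
        if (i == 300) { sleep = 350; continue; }
        if (i == _) {
            Sleep(350);
            continue;
        }

        // if (i == 900) volume += 100;

        // NOTE(review): the table entries 400 and 500 match none of the
        // branches above, so they reach this point and are packed as if they
        // were note numbers; (i << 8) then no longer fits the 7-bit data byte.
        // Left as in the original because handling them differently would
        // change the playback timing.

        // Short message layout: low byte 0x90 = note-on on channel 0,
        // next byte = note number, next byte = velocity.
        voice = (volume << 16) + ((i) << 8) + 0x90;
        midiOutShortMsg(handle, voice);
        cout << voice << endl;

        Sleep(sleep); // midiOutShortMsg(handle, 0x7BB0);
    }

    midiOutClose(handle);
}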

// Entry point: plays the melody once, then exits with status 0.
int main()
{
    Wind();
    return 0;
}

在Dev-C++里手动链接一下winmm库(MinGW不处理#pragma comment(lib),需要在链接参数里加上-lwinmm)

听一下歌,结合第三个zip图片,周杰伦的晴天

flag{cbbe546304037478ce0c36437d036711}

第二部分:CRYPTO

2-1 pici

本题思路如下:

5paw5L2b5puw77ya6Ku45q+Y6Zq45YOn6ZmN5ZC96Ku45q+Y6ZmA5q+Y5pGp5q+Y6Zq45YOn57y96Jap5q+Y6aGY5q+Y5YOn6aGY5ZKk6aGY5q+Y5rOi5Zqk5q+Y6ZeN6aGY6ZeN5q+Y5Zqk5Zia5L+u5q+Y6Zq45amG6Zq45q+Y5L+u6Kum5b2M5ZOG5oSN6IGe5q+Y5amG6aCI6aCI55y+5q+Y6I6K5b+D6ZmN55y+6Jap5q+Y5ZOG5oWn5Y+75ZKk6ZeN6aGY5YWc5q+Y5Zqk5q+Y5aaCCg==

Base64:新佛曰:諸毘隸僧降吽諸毘陀毘摩毘隸僧缽薩毘願毘僧願咤願毘波嚤毘闍願闍毘嚤嘚修毘隸婆隸毘修諦彌哆愍聞毘婆須須眾毘莊心降眾薩毘哆慧叻咤闍願兜毘嚤毘如

新约佛论禅/佛曰加密 - 萌研社 - PcMoe!

新约佛论禅:huanyinglaidaowangzherongyao

flag{39c6acff08d543f5cb892bdbbdc2841f}

2-2 翻栅栏

本题思路如下:

第一个txt是兽音译者编码

第二个txt给了栅栏的key

flag{d531d5be4f3737afa979a0f77dd8b180}

 

2-3 Hello

本题思路如下:

# Textbook RSA encryption: c = m^e mod n, computed with three-argument pow().
# n has only 12 decimal digits and no padding is applied, so this is a toy
# instance; a modulus this small gives no protection in practice.
m = 7269767679      # plaintext; the digits read as ASCII codes 72 69 76 76 79 ("HELLO")
e = 65537           # public exponent
n = 365354477477    # modulus
ciphertext = pow(m, e, n)
print(ciphertext)

flag{124198634960}

第三部分:WEB

3-2 审计

本题思路如下:

拿自己笔记过

flag{1bc29b36f623ba82aaf6724fd3b16718}

3-3 扫扫看

本题思路如下:

用御剑扫描目录,再按Ctrl+U查看页面源码

flag{094c9cc14068a7d18ccd0dd3606e532f}

3-4 debudao

本题思路如下:

Ctrl u有个假flag

真正flag在cookie里

flag{72077a55w312584wb1aaa88888cd41af}

3-5 Dragon

本题思路如下:

懵逼,又是cookie

flag{72077a551386b19fb1aea77814cd41af}

3-7 你知道sys还能这样玩吗

本题思路如下:

第四部分:REVERSE

4-1 crc

本题思路如下:

喂给gpt

Exp:

import zlib

def crc32_hash(data):
    """Return the CRC32 of ``data`` as eight lowercase hex digits.

    ``data`` is a str; it is encoded with the default ``str.encode()``
    (UTF-8) before hashing. The result is masked to 32 bits so it is
    always an unsigned value.
    """
    checksum = zlib.crc32(data.encode()) & 0xFFFFFFFF
    return f"{checksum:08x}"

# CRC32 values to match, as 8-digit lowercase hex strings (the format
# crc32_hash() produces). Order matters: entry k is the checksum of the
# k-th piece of the input.
targets = "d1f4eb9a 15d54739 540bbb08 3fcbd242 2479c623 fcb6e20c".split()

def find_matching_string(length, target):
    """Search for a string of exactly ``length`` characters whose CRC32 is ``target``.

    Candidates are drawn from ``string.printable`` and tried in
    ``itertools.product`` order; the first match is returned, or ``None``
    when no candidate of that length matches.

    ``target`` is an 8-digit lowercase hex string as produced by
    ``crc32_hash``.

    The search space is ``len(string.printable) ** length`` candidates, so
    the running time grows quickly with ``length``. That such a search is
    feasible at all for short inputs is why a CRC32 comparison is not a
    sound way to protect a secret: CRC32 is an error-detecting checksum,
    not a cryptographic hash.
    """
    import itertools
    import string

    alphabet = string.printable  # digits, letters, punctuation and whitespace
    guesses = (''.join(combo) for combo in itertools.product(alphabet, repeat=length))
    return next((guess for guess in guesses if crc32_hash(guess) == target), None)

# Recover each piece of the input from its CRC32. The piece lengths
# (4, 1, 4, 2, 4, 1) pair up with targets[0] .. targets[5] in order.
piece_lengths = (4, 1, 4, 2, 4, 1)
s1, c1, s2, s3, s4, c2 = (
    find_matching_string(size, wanted)
    for size, wanted in zip(piece_lengths, targets)
)

# Only report an input when every piece was recovered.
pieces = [s1, c1, s2, s3, s4, c2]
if not all(pieces):
    print("Failed to find matching input for all conditions.")
else:
    final_input = ''.join(pieces)
    print("Input to produce 'Very nice!':", final_input)

flag{ezrebyzhsh}

From: https://www.cnblogs.com/xhzccy/p/18226485
