cyi 源鲁杯 2024 Round 1 writeup

Time: 2024-10-23 21:13:49

Round 1

Misc

[Round 1] hide_png

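Open the image in Stegsolve and switch to the black-and-white plane (you need to resize the window appropriately), then read the flag off by eye.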

YLCTF{a27f2d1a-9176-42cf-a2b6-1c87b17b98dc}

[Round 1] plain_crack

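The challenge provides build.py and the initial build file.

After compressing it, the two files turn out to be identical, and the archive is encrypted with ZipCrypto, so a known-plaintext attack applies.

Run ARCHPR; you can stop it as soon as the keys are recovered.

Extract the file with bkcrack. The extracted data is still deflate-compressed, so decompress it with bkcrack's inflate.py.

Opening the Word document shows a fake flag. A Word file is essentially a zip, so change the extension to .zip and extract it.

word --> media --> the flag is there.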

YLCTF{a709598c-f54c-4db5-ab69-8ddb499df053}
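
The last two steps above (inflating the raw deflate data, then opening the Word file as a zip and looking under word/media), as an added Python example that is not part of the original writeup. The sample document is constructed in memory and the function names are chosen for this example.

```python
import io
import zipfile
import zlib

def inflate_raw(data: bytes) -> bytes:
    """Inflate a raw deflate stream, i.e. the bytes a zip entry stores.

    wbits=-15 tells zlib there is no zlib/gzip header or checksum; with the
    default wbits the same bytes are rejected with zlib.error.
    """
    return zlib.decompress(data, -15)

def media_files(docx: bytes) -> dict:
    """Open a .docx as the zip it is and return everything under word/media/."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return {name: zf.read(name) for name in zf.namelist()
                if name.startswith("word/media/") and not name.endswith("/")}

def constructed_sample() -> bytes:
    """Build a stand-in for the extracted entry: a tiny docx, raw-deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>decoy text</w:document>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\nconstructed")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(buf.getvalue()) + comp.flush()

if __name__ == "__main__":
    docx = inflate_raw(constructed_sample())
    for name, body in media_files(docx).items():
        print(name, len(body), body[:8])
```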

[Round 1] pngorzip

Method 1: Stegsolve

Remove the extraneous data.

Method 2: zsteg

Extract the data from the corresponding channel:

zsteg -e b1,rgb,lsb,xy out.png > 1.zip

The result is a zip archive whose comment hints at 114514????

Mask attack.

YLCTF{d359d6e4-740a-49cf-83eb-5b0308f09c8c}

[Round 1] trafficdet

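Fed it to GPT.

Model training: train on all the feature columns in train.csv together with their labels, run predictions on test.csv, and finally output a CSV containing only the id and label answers.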

import pandas as pd
from sklearn.preprocessing import StandardScaler
from sklearn.ensemble import RandomForestClassifier

# Load the data
train_df = pd.read_csv("D:\\contest\\attachments\\train.csv")
test_df = pd.read_csv("D:\\contest\\attachments\\test.csv")

# Drop the unneeded column
train_df.drop('Src Port', axis=1, inplace=True)
test_df.drop('Src Port', axis=1, inplace=True)

# Separate features and labels
X = train_df.drop('Label', axis=1)
y = train_df['Label']

# Feature scaling
scaler = StandardScaler()
X_scaled = scaler.fit_transform(X)
X_test_scaled = scaler.transform(test_df)

# Train the model
model = RandomForestClassifier(n_estimators=100, random_state=42)
model.fit(X_scaled, y)

# Predict on the test set
y_test_pred = model.predict(X_test_scaled)

# Create the submission file
submission_df = pd.DataFrame({'id': test_df.index, 'Label': y_test_pred})
submission_df.to_csv('submission.csv', index=False)

[Round 1] 乌龟子啦

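Base64-decoding gives a long image; zooming in shows it is made of 0s and 1s.

Online OCR: 白描 (Baimiao) web version, an online image-to-text OCR service (baimiaoapp.com)

The OCR has trouble with long runs of 0s and 1s, so I patched the result up by hand, and that's another challenge done.

Zooming in and out at random shows that it is a QR code.

The width and height are known (180x180); 1 is black, 0 is white.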

YLCTF{f6a6f8cf-c25b-49a8-8f17-c8fbd751faa4}
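
One way to turn the recovered 0/1 text into an image, as an added Python example that is not part of the original writeup. It writes a plain PBM file, whose pixel convention (1 is black, 0 is white) matches the mapping above; the function names, the scale and border defaults and the tiny sample pattern are constructed for illustration.

```python
import re

def clean_bits(text: str) -> str:
    """Drop whitespace and reject anything the OCR left that is not 0 or 1."""
    bits = re.sub(r"\s+", "", text)
    bad = sorted(set(bits) - {"0", "1"})
    if bad:
        raise ValueError(f"non-binary characters in OCR output: {bad}")
    return bits

def bits_to_pbm(text: str, width: int, height: int,
                scale: int = 4, border: int = 4) -> str:
    """Render a 0/1 string as an ASCII PBM (P1) image.

    PBM uses the same convention as the challenge: 1 is black, 0 is white.
    `border` adds a white quiet zone (in modules) and `scale` enlarges each
    module so a QR reader can lock on; both are choices made for this example.
    """
    bits = clean_bits(text)
    if len(bits) != width * height:
        # A wrong count means the OCR dropped or doubled digits somewhere.
        raise ValueError(f"expected {width * height} bits, got {len(bits)}")
    full = width + 2 * border
    rows = ["0" * full] * border
    for r in range(height):
        rows.append("0" * border + bits[r * width:(r + 1) * width] + "0" * border)
    rows += ["0" * full] * border
    lines = []
    for row in rows:
        scaled = " ".join(ch for ch in row for _ in range(scale))
        lines.extend([scaled] * scale)
    header = f"P1\n{full * scale} {(height + 2 * border) * scale}\n"
    return header + "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed 3x3 pattern standing in for the 180x180 OCR output.
    sample = "101\n010\n101"
    with open("qr.pbm", "w") as fh:
        fh.write(bits_to_pbm(sample, 3, 3))
```

For the challenge data the call would be bits_to_pbm(text, 180, 180); the length check fails early if the OCR result is still missing digits.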

[Sign-in] 打卡小能手

Head over to the official WeChat account.



Web

[Round 1] Disal

robots.txt

A PHP quirks challenge.

a: greater than 999999 plus at least 6 letters

b: quirks of the numeric function

[Round 1] Injct

SSTI; fenjing handles it in one go. There is no echoed output, so the result is exfiltrated over DNS.

[Round 1] shxpl

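Classic command execution. Fuzzing shows that & is not filtered; ls is banned, so use dir.

Fuzzing the file-reading commands next shows that the space character is banned.

nl works, and %09 works.

This yields the source code.

List the root directory.

flag, ? and * are filtered.

Match it with a regular expression.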



Reverse

[Round 1] xor

Unpack UPX first.

A simple XOR.

list1=[0x45,0x50,0x5f,0x48,0x5a,0x67,0x7d,0x28,0x29,0x2d,0x25,0x29,0x29,0x2c,0x31,0x7d,0x7f,0x24,0x28,0x31,0x28,0x7f,0x7e,0x7e,0x31,0x25,0x25,0x7f,0x7f,0x31,0x2f,0x7d,0x28,0x2c,0x2c,0x2e,0x2b,0x7d,0x28,0x28,0x79,0x78,0x61,0x1c]
for i in range(43):
    print(chr(list1[i]^0x1C),end='')

[Round 1] ezgo

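The decompilation is full of Go temporaries; the core encryption logic is just an XOR, with each byte XORed against its index plus 53.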

# Ciphertext bytes taken from the binary (renamed so the built-ins list/len are not shadowed)
enc = [108, 122, 116, 108, 127, 65, 11, 94, 91, 90, 90, 116, 34, 38, 110, 38, 35, 118, 114, 101, 125, 47, 114, 45, 96,
       118, 124, 49, 105, 127, 103, 49, 51, 97, 110, 62, 96, 108, 105, 108, 104, 105, 34]
# Each byte is XORed with (index + 53)
for i in range(len(enc)):
    print(chr(enc[i] ^ (i + 53)), end='')



Crypto

[Round 1] BREAK

p and q are given; brute-force e and decrypt directly.

# encoding:utf-8
from Crypto.Util.number import *
from gmpy2 import invert

c = 2924474039245207571198784141495689937992753969132480503242933533024162740004938423057237165017818906240932582715571015311615140080805023083962661783117059081563515779040295926885648843373271315827557447038547354198633841318619550200065416569879422309228789074212184023902170629973366868476512892731022218074481334467704848598178703915477912059538625730030159772883926139645914921352787315268142917830673283253131667111029720811149494108036204927030497411599878456477044315081343437693246136153310194047948564341148092314660072088671342677689405603317615027453036593857501070187347664725660962477605859064071664385456
p = 112201812592436732390795120344111949417282805598314874949132199714697698933980025001138515893011073823715376332558632580563147885418631793000008453933543935617128269371275964779672888059389120797503550397834151733721290859419396400302434404551112484195071653351729447294368676427327217463094723449293599543541
q = 177020901129489152716203177604566447047904210970788458377477238771801463954823395388149502481778049515384638107090852884561335334330598757905074879935774091890632735202395688784335456371467073899458492800214225585277983419966028073512968573622161412555169766112847647015717557828009246475428909355149575012613

n = p * q
phi = (p - 1) * (q - 1)

# Try every candidate e in the range and keep the plaintext that looks like a flag
for e in range(55555, 66666):
    if GCD(e, phi) != 1:
        continue
    d = int(invert(e, phi))
    m = pow(c, d, n)
    flag = long_to_bytes(m)
    if b'YLCTF' in flag:
        print(flag)

[Round 1] signrsa

The main encryption logic:

c = pow(m,e,n1)
c = pow(c,e,n2)

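Both moduli can be factored with factordb: fill in n1 and n2, run the query, and you get the corresponding p and q.

import requests

def queryFactors(n):
    # Ask factordb for the known factorization of n
    s = []
    url = "http://factordb.com/api?query=" + str(n)
    r = requests.get(url)
    factors = r.json()['factors']
    # Each entry is [prime, exponent]; repeat the prime exponent times
    for f in factors:
        for i in range(f[1]):
            s.append(int(f[0]))
    return s

# Fill in n1 and n2 from the challenge
n1 = int(input("n1 = "))
n2 = int(input("n2 = "))
print(queryFactors(n1))
print(queryFactors(n2))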

Then just peel off the RSA layers one at a time.

# encoding:utf-8
from Crypto.Util.number import *
from gmpy2 import invert
e = 65537
n1 = 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n2 = 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
p1 = 122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137
q1 = 152715809540018210476585794506755656304018419053948315845024020442944919163424223089911596424947890322440115812073982242024003568582438886041563636295260718520579341235023201649280953992781776747918771204104127874320443126139004728988091615072560392886456699262578469698870106391640100933195833135586571108071

p2 = 122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137
q2 = 164145170653883024647553629463737123010827979171828830103523021501297388761756036648096075592988518245508893542122459154529428778971624332785030551503124716064026198761937539065927958768419405758793987137195172361163960622671936646689220816452043219075732911538605192466301352357559388894114979459113315335423
phi1 = (p1 - 1) * (q1 - 1)
phi2 = (p2 - 1) * (q2 - 1)

c2 = 12870694735548290866897639823672353371259339057761805824639632908565936588212576228170701561894938714624019797214256315619791127774911578660863180776914038219073243852067758972965837654176939513411220900256906892671727332530559672859911435188203655483295073730944835188398956395704453835920160070478734582194350774731015758752651764286801746471308589338823535488053653255016284611927915846869319917353182058315137707765063243187448090766762073836454333735044002500383946976916388370472148122113256884693336433185941799945776508628779804064191876873643116471914986013620650152736214320352131610081946978231932382638533

d2 = int(invert(e, phi2))
d1 = int(invert(e, phi1))

# Undo the outer layer (n2) first, then the inner layer (n1)
m1 = pow(c2, d2, n2)
m2 = pow(m1, d1, n1)

flag = long_to_bytes(m2)
print(flag)
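
The factors listed above show that p1 and p2 are the same number, so the two moduli share a prime and gcd(n1, n2) splits both keys offline, without a factoring database; the same check is how a set of RSA keys is audited for reused primes. The following is an added Python example, not part of the original writeup: n1, n2 and e are the values from the script above, while the function names and the test message are constructed for illustration.

```python
from math import gcd

# n1, n2 and e are the values given in the decryption script above.
n1 = 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n2 = 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
e = 65537

def split_by_shared_prime(a: int, b: int):
    """Factor two RSA moduli that reuse a prime: returns (p, a // p, b // p)."""
    p = gcd(a, b)
    if p in (1, a, b):
        raise ValueError("moduli do not share a proper factor")
    return p, a // p, b // p

def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); three-argument pow with -1 needs Python 3.8+."""
    return pow(e, -1, (p - 1) * (q - 1))

def roundtrip(m: int) -> int:
    """Encrypt m the way the challenge does, then decrypt with the recovered keys."""
    p, q1, q2 = split_by_shared_prime(n1, n2)
    c = pow(pow(m, e, n1), e, n2)  # c = pow(m,e,n1); c = pow(c,e,n2)
    inner = pow(c, private_exponent(p, q2, e), n2)  # outer layer first
    return pow(inner, private_exponent(p, q1, e), n1)

if __name__ == "__main__":
    p, q1, q2 = split_by_shared_prime(n1, n2)
    print("shared prime bits:", p.bit_length())
    msg = int.from_bytes(b"constructed test message", "big")
    print("round trip ok:", roundtrip(msg) == msg)
```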

[Round 1] r(A)=3

Solve the system of equations with Python's sympy library.

Sometimes it hits EOF and I don't know why (just run it a few more times).

import socket
from sympy import Eq, solve, symbols

hostname = 'challenge.yuanloo.com'
port = 37852
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, port))
x, y, z = symbols('x,y,z')
while True:
    eq1, eq2, eq3 = "", "", ""
    ans = {}
    r = s.recv(1024).decode()
    print(r)
    # The prompt sometimes arrives on its own; read again to get the equations
    if "function" in r and len(r) <= 15:
        r = s.recv(1024).decode()
    # Keep reading until the whole set of equations has arrived
    while len(r) <= 55:
        chunk = s.recv(1024).decode()
        if not chunk:
            raise EOFError("connection closed by the server")
        r += chunk
    print(r)
    r = r.split("\n")
    f1 = 0  # index of the equation being parsed
    for eq in r:
        if "+" in eq and "=" in eq:
            f2 = 0  # index of the term within the equation
            a, b, c = 0, 0, 0
            eq = eq.split("=")
            right = int(eq[1])
            terms = eq[0].split("+")
            for num in terms:
                # Each term looks like "coefficient*variable"
                num = num.split("*")
                if f2 == 0:
                    a = int(num[0])
                elif f2 == 1:
                    b = int(num[0])
                else:
                    c = int(num[0])
                f2 += 1
            if f1 == 0:
                eq1 = Eq((a * x + b * y + c * z), right)
            elif f1 == 1:
                eq2 = Eq((a * x + b * y + c * z), right)
            else:
                eq3 = Eq((a * x + b * y + c * z), right)
            f1 = f1 + 1
    ans = solve((eq1, eq2, eq3), (x, y, z))
    print(ans)
    # Send x, y and z back one at a time, reading the prompt in between
    s.sendall((str(ans[x]) + '\n').encode())
    r = s.recv(1024)
    s.sendall((str(ans[y]) + '\n').encode())
    r = s.recv(1024)
    s.sendall((str(ans[z]) + '\n').encode())

From: https://www.cnblogs.com/xhzccy/p/18498327
