"科来杯"第十届山东省大学生网络安全技能大赛决赛复现WP

🆑从朋友那里得来的附件，感觉题目有意思，简单复现一下

MISC

简单编码

1、题目信息

0122 061 1101011 0172 0122 0105 061 1011010 0127 0154 0144 0110 0122 1010100 1001110 1000101 0124 110000 064 0172 1010001 060 0144 1011010 0115 1101011 0122 0116 1010100 0153 1110000 1011000 1010010 060 1101100 1100001 0126 0106 1001110 1001110 0127 1101100 0160 1001000 0124 1010100 1001110 0105 1010010 060 065 0123 0126 0105 0144 0132 1001101 060 1010010 1001000 1010100 1010110 1110000 1011010 1010010 110000 110000 0172 1010010 0105 061 1001110 1010101 1101100 0122 1001000 0122 1010110 1110000 0125 0121 060 065 0123 1010110 1010101 1100100 1001110 1010111 0125 1010010 0110 0124 1101100 0112 0130 0122 061 0154 0141 1010110 0105 1010110 1001111 1010101 1101100 1010110 0110 0127 1010100 1001010 1000101 1010100 1010101 110001 1010011 0126 060 1100100 1010110 1001101 060 1010010 0110 0124 0126 0160 0141 0122 060 061 0141 1010110 1000101 061 1001111 1010011 0154 0122 1001000 0126 1010100 1001110 0105 1010010 110000 110001 1100001 0126 110000 1100100 0132 1010111 0126 1010010 1001000 0124 0154 1001010 1011001 1010100 0126 0105 071 0120 0124 060 111001 0120 1010100 110000 111101 

2、解题方法

考察二进制和八进制转换

首先写个脚本把数据转化为字符串便于使用

data_str = "0122 061 1101011 0172 0122 0105 061 1011010 0127 0154 0144 0110 0122 1010100 1001110 1000101 0124 110000 064 0172 1010001 060 0144 1011010 0115 1101011 0122 0116 1010100 0153 1110000 1011000 1010010 060 1101100 1100001 0126 0106 1001110 1001110 0127 1101100 0160 1001000 0124 1010100 1001110 0105 1010010 060 065 0123 0126 0105 0144 0132 1001101 060 1010010 1001000 1010100 1010110 1110000 1011010 1010010 110000 110000 0172 1010010 0105 061 1001110 1010101 1101100 0122 1001000 0122 1010110 1110000 0125 0121 060 065 0123 1010110 1010101 1100100 1001110 1010111 0125 1010010 0110 0124 1101100 0112 0130 0122 061 0154 0141 1010110 0105 1010110 1001111 1010101 1101100 1010110 0110 0127 1010100 1001010 1000101 1010100 1010101 110001 1010011 0126 060 1100100 1010110 1001101 060 1010010 0110 0124 0126 0160 0141 0122 060 061 0141 1010110 1000101 061 1001111 1010011 0154 0122 1001000 0126 1010100 1001110 0105 1010010 110000 110001 1100001 0126 110000 1100100 0132 1010111 0126 1010010 1001000 0124 0154 1001010 1011001 1010100 0126 0105 071 0120 0124 060 111001 0120 1010100 110000 111101"

# 使用split()函数将字符串拆分为单个的数字  
data_list = data_str.split()  
  
# 使用map()函数将每个数字转化为字符串，并在每个数字的外边加上引号  
data_list = list(map(str, data_list))  
  
print(data_list)

然后进行转化

exp：

list = ['0122', '061', '1101011', '0172', '0122', '0105', '061', '1011010', '0127', '0154', '0144', '0110', '0122', '1010100', '1001110', '1000101', '0124', '110000', '064', '0172', '1010001', '060', '0144', '1011010', '0115', '1101011', '0122', '0116', '1010100', '0153', '1110000', '1011000', '1010010', '060', '1101100', '1100001', '0126', '0106', '1001110', '1001110', '0127', '1101100', '0160', '1001000', '0124', '1010100', '1001110', '0105', '1010010', '060', '065', '0123', '0126', '0105', '0144', '0132', '1001101', '060', '1010010', '1001000', '1010100', '1010110', '1110000', '1011010', '1010010', '110000', '110000', '0172', '1010010', '0105', '061', '1001110', '1010101', '1101100', '0122', '1001000', '0122', '1010110', '1110000', '0125', '0121', '060', '065', '0123', '1010110', '1010101', '1100100', '1001110', '1010111', '0125', '1010010', '0110', '0124', '1101100', '0112', '0130', '0122', '061', '0154', '0141', 
'1010110', '0105', '1010110', '1001111', '1010101', '1101100', '1010110', '0110', '0127', '1010100', '1001010', '1000101', '1010100', '1010101', '110001', '1010011', '0126', '060', '1100100', '1010110', '1001101', '060', '1010010', '0110', '0124', '0126', '0160', '0141', '0122', '060', '061', '0141', '1010110', '1000101', '061', '1001111', '1010011', '0154', '0122', '1001000', '0126', '1010100', '1001110', '0105', '1010010', '110000', '110001', '1100001', '0126', '110000', '1100100', '0132', '1010111', '0126', '1010010', '1001000', '0124', '0154', '1001010', '1011001', '1010100', '0126', '0105', '071', '0120', '0124', '060', '111001', '0120', '1010100', '110000', '111101']
b = "234567"
flag = ""
for i in list:
    s = str(i)
    for j in s:
        if j in b:
            back = False
            break
    if back == False:
        tmp = int(i,8)
    else:
        tmp = int(i,2)
        if tmp < 32 or tmp > 127:
            tmp = int(i,8)

    flag = flag + "" + chr(tmp)
    back = True
print(flag)

得到

R1kzRE1ZWldHRTNET04zQ0dZMkRNTkpXR0laVFNNWlpHTTNER05SVEdZM0RHTVpZR00zRE1NUlRHRVpUQ05SVUdNWURHTlJXR1laVEVOUlVHWTJETU1SV0dVM0RHTVpaR01aVE1OSlRHVTNER01aV0dZWVRHTlJYTVE9PT09PT0=

Cyber解即可

神秘的base

1、题目信息

EvAzEwo6E9RO4qSAHq42E9KvEv5zHDt34GtdHGJaHD7NHG42bwd=

神奇密码：
xbQTZqjN8ERuwlzVfUIrPkeHd******LK697o2pSsGD+ncgm3CBh/Xy1MF4JAWta

2、解题方法

Base64换表爆破

exp：

import base64
import string
import itertools


string1 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'  #标准base64编码表

strings = "ivOY50"
all_colors = (itertools.permutations(strings, 6))
for i in all_colors:
    tmp = ''.join(i)
    string2 = f'xbQTZqjN8ERuwlzVfUIrPkeHd{tmp}LK697o2pSsGD+ncgm3CBh/Xy1MF4JAWta'  # 换表后base64编码表
    encode = 'EvAzEwo6E9RO4qSAHq42E9KvEv5zHDt34GtdHGJaHD7NHG42bwd='
    decode = base64.b64decode(encode.translate(str.maketrans(string1, string2)))
    if 'flag{' in str(decode) and '}' in str(decode):
        print(decode)
#flag{8ee3021432edffaa57527461952e632c}

 签到

直接控制台运行

let r = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+=";
let cars = [25, 38, 49, 33, 25, 55, 45, 37, 12, 22, 24, 50, 12, 51, 24, 51, 13, 3, 16, 52, 13, 38, 25, 38, 13, 54, 4, 52, 13, 19, 20, 55, 12, 38, 8, 51, 12, 38, 16, 49, 14, 22, 8, 54, 13, 35, 37, 33, 12, 55, 52, 63];
let ff = "";
for (var iii = 0; iii < cars.length; iii++) {
ff = ff + r[cars[iii]];
}
/*this is flag*/
console.log(ff)

 

Stego

莫生气

1、题目信息

一张jpg图片

2、解题方法

010分析，发现尾部藏有png图片，但缺少头部消息

提取出来，补全头部

我们可以看到图片与原始一样，因此想到盲水印

B神工具一把梭，添加图片执行即可。

数独

1、题目信息

2、解题方法

先补全数独

#sage跑
n = 4
c = [0,0,0,0,
     2,0,0,0,
     0,0,1,0,
     0,4,0,3]
m = matrix(ZZ,n,c)
print(sudoku(m))

因为是隐写题，还是带密码的，想到LSB

B神工具直接梭，密码就是4132234132141423

flag{7d692a3c795478b16631eb9b43677075}

我应该去爱你

1、题目信息

一个mp3文件

2、解题方法

频谱图

取证

啊吧啊吧的数据包

打开数据包发现

命令的时间盲注，写脚本解决太麻烦，简单处理一下

手算即可

flag{3563bdb1a59309e1a4e93b65152bfbba}

金刚大战哥斯拉

根据题目信息，猜测是哥斯拉流量分析

写个脚本抽取数据包解码

function encode($D,$K){
    for($i=0;$i<strlen($D);$i++){
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}

$pass='DASCTF';
$payloadName='payload';
$key='9c2ffaf6a14493bf';
$data = 'fLluZmFmNmExNJEhWBG1b1XhCY%2BtGO2uCp6t3zK69FxYTKJQssNT1y5Cf45Hu3u%2Fivq08xw%2FbzMVDb2iVURKKXEgFjxjZzQ6kQjmUHpg8t9m09mKOdTLyE5V%2B%2Bzw83kQjtK%2Bl9yBKvzGCdNluDokRoC4jvtek8KVLXnlU3K366szlCn4XS%2BxolAu%2FzspbXO1wRZkj15en%2BXvDcX%2BrfySQnxMFJKl2bgedSVozzyNwPBUFxcUX3V2E%2FGyFHezDWxnihBUXutJRvu%2FuHjZwHGhu%2BpybShnSwTgYLjybXZRZC3M%2BmD04BA6ancVF5lirsWZ3gsqB3h9rvKzDvtwG3FoCM6ObODAYOcpOLtSO8xuGMciws40NV81hhXQV7ViZG9At06ypufihH4bSJ0xy1aL1T6WCPL6fcRbCaVn%2F7BYmCuoy3LzMlI3CHA0OXbds4Itwg7X0dQnKp7eiJKtV0MjJAMqAN50O9LVDaJnbQg%2Bgz2iJLLoMSCnR3v%2BbLMZAid5ESm8JoIgZk5BNpVZ5xOdquNNWFz%2BpLOR9W%2Fe%2BhjwxCiwdtfdaQj0QiC18L6TbTSMhl2qQWqZrd97KZDOI4gJ6ar1QWIgDk3D%2BO5oRFYMWRthsKfGFB38Hcn%2BqMDyOLrLqBFJXaw0Yv1YQaHyn9ycRJ7DEoWfsdCyOuH5HtW4MNp2Y72ptdqCI4RHgZryK142ucH2BCmN0oxVZr4zcMISfKEwXmyzwrX27r%2BZoYUqTwN%2FJ2NCE1%2FWNgPkChD08LLZKbS0dzIlZ3xFL2h7kbP%2FOHn8ceocxTV3q%2F%2BPjOrpsORuwQOj6pMoYB%2FSD5rUGN0KGeerrZQhUaw2u5%2FiZMj9rnlFiF3gyOtb3mTLt%2FN09poaFr9TidOFisTtU%2FnryDLT2GnIfIveQwKcwliQhVGLvWiEgIweDe3OmDeFYT8U68LU09%2BMrxGD2lYdh4tlvx9h2IttzPAc3yZna5tP%2BiZJJruPGgY40GVc9p%2Fw1%2Bixk%2F68RoLtOscCL%2FERCXz22P8xWmk9utDwSA8dyeCgj3hBQsr24nSbWJFu0%2FOSM5dOK00yD%2F8GE4fyxQ7U0IVVZ1rjdccA44j0Tt7ArMzs4d1a6k3SK2GiKM2X3dqqysh9oJ96r2iJA2R0jHvYwbKTSSLyhDT%2BpZc5Hl%2Fp6e6L5wTKuRZnhKxIDqpzpw%2BwQe6pVq0BuI5FoXQ%2F3mPydT2nkEjcLnLaxBDoVQSUd6Ba92MYcesUpZ13yAAgi%2F79ZKgithRVuwhrTCtNXAp5j6p7%2BBJdzJGV%2Bl2s33UnBjVeKqrAUATX9yY7NIql2E4SOWp4loycxh2nwR3Qe9Zi%2BKBaSmBHVy5liSgUFGOlmsWgM%2FstzXc%2F9SNQyUXALbOxa7s17A%2BDOkgUGLIBM7M6Va0Aa8A2xTnyr0SHwyQpUjE5E1x1t24X4MSADqqMIkQSEHPkgttSbALFUOd32Gko8djwakoi7rmXWAEKojSlDZffyPLwMJQjI%2B5%2FiXFfSasJP1zCbr5nl%2FKFBcomDDFy8gnLMG2zwvLRIrfDquVIhlTgF6Giq4JqWmI9ZSJG8ATh2y%2F9uXExyhdQ33b4O%2B4a9OJv%2F1MWz%2BYQqCLu9DhObYTQQThBtUcxAyF3hOD9B1Q0DWQNPu7UDMuLX57ThBw8CulWsahG7QBGOamGf23KVji%2FaQdKeXYGQohkA1oN%2FSOleQWuIJvSk1KrBDtQRU6AWG6WNqnl33Z%2B0cgBYUcg8noLHMByMkRefpLMqm%2BGH2zrdGpNgEcaCzk5ulYd9pHMdiYDfTp3sFjdsR%2FxplFSP4VfnbWpF7WsiT7WGZoPXtv%2F4gWI60ftEnJ1peYtXUlLDuv2tYt2wmpafCClt1Y0tfB51iBFGhUy7Bw%2FdbjtVxZJHB8FvsEzEGj5BWp45LAGFxpOUsKuUVdioTfyjp01%2F%2FIAsu%2FUG%2FxSpHdfR5TlGRLw0WNef7CnYxLURPTbp0ZF9MglFQGkN58Iq7RR4EFt4s4fP32AmuTUgyz7WNgqv0nswP0mPzMHiZwxBSIZTitjQ5QYbd1BlOX1cAM0TZRE2bOiDQnPjhvEC3jEp9L3ktZ1A%2BVcuXnAhInoy4Dq1%2F0%2FO5KITcyi0NR1ftNMsjzMwUZETqEcCyxr1d23lSNBEFTf4A4FJaCIfcvD0tbHoceynhSdHkRJBiUu8DULyBdcTeFFRq9jA3jwpjrbBmvYfvSBoNqYKbbPq2tErzqOA2fiPYHJkMiAPVsamUIDG4%2FzMD4SqKu6Uoj836CsY%2Fz7znvX5zh6LzB7vPoL8QUGmEd5E0SXk4vKieQkHX4vlQM%2FToQKpQRkdaMrOIs0LQFIp0D4vvEhdwJ7eK%2FmClCgCOPEpU%2F3zJhVfIZfUHgDrkUK4HOfT4piF4STR7SZCleaGDwHUkYRiLWNGrEiiNqwNPJhQ63gStGcBVIYFk%2B3F1neK32xH506xzsqjhFJnDHAbMPC47x6hXmMsm%2BTMBQNfgYyzmDyxERG3o9IuLB%2B3vzTJfaLv9bZ4aNTef%2BMwQDLojDSIiEK%2FDvw%2BuOHt5%2Fwk7cNiXWBhKCjULlR8Daukh7MFlCklEs3srvkifaW4VbF85SckpUhIjOTVTYZ4EgK1VYQ%2BK52O7kKt%2BT2kOkLDDE5JiDXApezQtbnw5yPM8WDh5c1DTaRqLsWxUTPWtVlcbzyge5D4VYWXJ0ICPpVfbeEQXutk0tMKBfY0q20%2Bo8CD6oHnm3wy5ELMeLsmXrspAmhwk2wr8d64CHizraARwvNAAX71VCPIUukAvgtEBblKi9EsFr4Or6s%2Fz1RtnxlaufSdlTCCwWTAe%2FeBK%2FKdehF4gIQ91hCWyrI6jJchH%2F5VA0sXxqVe1sBsZulTMJJJo3VZsFutboAetPCdcmEzqqIYUEuSuJf%2F5tXJm5hujq6EJ6rZbBXqnCeLDVWyhhZvy4kL9jKcF2Hp9ItvRBHP6hI%2FAEzBH%2B89XwS07WJsmlYkiQmHDYavnLbbm8sEAbGwbxCbTUJU7qKgTZff%2BWEBuQ%2BTg4mRab4%2B8SpRklCHU3QCeS1nIHPuJrdyOwMMGQ%2B%2BWEG0hDsiReJbkcG9f9mORbZpLegR5HDbiT0oYJG6GcvKxTNS6voIrE94nva0%2FeQvEgokgbBQQQoejcj1h7oStaWk5OdeWhBJaAgnFmtfGW6lyA0OQ%3D%3D';
echo base64_encode(gzdecode(encode(base64_decode(urldecode($data)),$key)));

得到

ZmlsZU5hbWUCHgAAAEM6L3BocHN0dWR5L1dXVy8xMTEvaW5kZXguaHRtbGZpbGVWYWx1ZQJUFAAAPCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJlbiI+DQo8aGVhZD4NCiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+DQogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPg0KICAgIDxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iaWU9ZWRnZSI+DQogICAgPHRpdGxlPkRvY3VtZW50PC90aXRsZT4NCiAgICA8c3R5bGU+DQogICAgICAgICp7Ym94LXNpemluZzogYm9yZGVyLWJveDt9DQogICAgICAgIGJvZHl7DQogICAgICAgICAgICBiYWNrZ3JvdW5kOiAjMDAwOw0KICAgICAgICAgICAgbWFyZ2luOiAwOw0KICAgICAgICAgICAgcGFkZGluZzogMDsNCiAgICAgICAgICAgIG92ZXJmbG93OiBoaWRkZW47DQogICAgICAgICAgICB0ZXh0LXNoYWRvdzogMHB4IDBweCA4MHB4Ow0KICAgICAgICB9DQogICAgICAgIGgxew0KICAgICAgICAgICAgbWFyZ2luOiAwOw0KICAgICAgICAgICAgcGFkZGluZzogMDsNCiAgICAgICAgICAgIGNvbG9yOiAjMGZmOw0KICAgICAgICB9DQogICAgICAgIGF7Y29sb3I6ICNmZmY7fQ0KICAgICAgICAvKiDnm5LlrZDihpMgKi8NCiAgICAgICAgcHsNCiAgICAgICAgICAgIG1hcmdpbjogMDsNCiAgICAgICAgfQ0KICAgICAgICAuYm94ew0KICAgICAgICAgICAgLyog55uS5a2Q5a695bqm4oaTIC0tLeacgOWlveWIq+aUuSovDQogICAgICAgICAgICB3aWR0aDogNzAwcHg7DQogICAgICAgICAgICAvKiDorqnop4bpopHlsYXkuK3lr7npvZDihpMtLS3mnIDlpb3liKvliqggKi8NCiAgICAgICAgICAgIHRleHQtYWxpZ246IGNlbnRlcjsNCiAgICAgICAgICAgIC8qIGJvcmRlcjogMXB4IHNvbGlkICNmMDA7ICovDQogICAgICAgICAgICBjb2xvcjogI2ZmZjsNCiAgICAgICAgICAgIA0KICAgICAgICAgICAgcG9zaXRpb246IGFic29sdXRlOw0KICAgICAgICAgICAgbWFyZ2luOiAyMHB4IGF1dG8gMDsNCiAgICAgICAgICAgIHRvcDogMjBweDsNCiAgICAgICAgICAgIGxlZnQ6IDA7DQogICAgICAgICAgICByaWdodDogMDsNCiAgICAgICAgfQ0KICAgICAgICAvKiDlm77niYfmoLflvI/ihpMgKi8NCg0KICAgICAgICBpbWd7DQogICAgICAgICAgICAvKiDop4bpopHlrr3luqbihpMgLS0t5pyA5aW95LiN6KaB5aSn5LqO5LiK6Z2i55uS5a2Q55qE5a695bqmKi8NCiAgICAgICAgICAgIHdpZHRoOiA3MDBweDsNCiAgICAgICAgICAgIGhlaWdodDogMzkwcHg7DQogICAgICAgICAgICAvKiDngbDoibLnmoTmj4/ovrnihpMgLS0tcHjmmK/nspfnu4Ygc29saWTmmK/lrp7nur8gIzU1NeaYr+minOiJsuS7o+eggSDlj6/ku6Xnmb7luqZodG1s6aKc6Imy5Luj56CB5L+u5pS5Ki8NCiAgICAgICAgICAgIGJvcmRlcjogMnB4IHNvbGlkICMyMjI7DQogICAgICAgICAgICAvKiDlm77niYfnmoTlnIbop5IgKi8NCiAgICAgICAgICAgIGJvcmRlci1yYWRpdXM6IDVweDsNCiAgICAgICAgICAgIC8qIOWKqOeUu+aXtumXtCAqLw0KICAgICAgICAgICAgdHJhbnNpdGlvbjogMC44czsNCiAgICAgICAgfQ0KICAgICAgICAuaW1nMjpob3Zlcntib3JkZXI6IDJweCBzb2xpZCAjOTgwYjE4fQ0KDQogICAgICAgIC5ib3g+ZGl2ew0KICAgICAgICAgICAgcGFkZGluZzogMjBweDsNCiAgICAgICAgICAgIC8qIGJvcmRlcjogMXB4IHNvbGlkICNmMDA7ICovDQogICAgICAgIH0NCiAgICAgICAgLnN6ansNCiAgICAgICAgICAgIHBvc2l0aW9uOiBhYnNvbHV0ZTsNCiAgICAgICAgICAgIHRvcDogMDsNCiAgICAgICAgICAgIGxlZnQ6IDA7DQogICAgICAgICAgICBjb2xvcjogI2ZmZjsNCiAgICAgICAgICAgIHBhZGRpbmc6IDVweDsNCiAgICAgICAgICAgIGJvcmRlcjogMXB4IHNvbGlkICNlZWU7DQogICAgICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiByZ2IoMCwwLDAsMC43KQ0KICAgICAgICB9DQogICAgICAgIC55bHsNCiAgICAgICAgICAgIGRpc3BsYXk6IGlubGluZTsNCiAgICAgICAgICAgIGJvcmRlci1ib3R0b206MXB4IGRvdHRlZCAjMGZmOw0KICAgICAgICB9DQogICAgICAgIC55bCBhew0KICAgICAgICAgICAgdGV4dC1kZWNvcmF0aW9uOiBub25lOw0KICAgICAgICAgICAgY29sb3I6I2M2ZDQ5MTsNCiAgICAgICAgICAgIA0KICAgICAgICB9DQogICAgICAgIC55bCBzcGFuew0KICAgICAgICAgICAgbWFyZ2luLXJpZ2h0OiA4cHg7DQogICAgICAgIH0NCiAgICA8L3N0eWxlPg0KPC9oZWFkPg0KPGJvZHk+DQogICAgPGNhbnZhcyBpZD0iY2FudmFzIj48L2NhbnZhcz4NCiAgICA8ZGl2IGNsYXNzPSJib3giPg0KICAgICAgICA8IS0tIOWbvueJh+mDqOWIhiAtLT4NCiAgICAgICAgPGltZyBjbGFzcz0iaW1nMiIgc3JjPSJodHRwczovL3RpbWdzYS5iYWlkdS5jb20vdGltZz9pbWFnZSZxdWFsaXR5PTgwJnNpemU9Yjk5OTlfMTAwMDAmc2VjPTE1Njg2NDE0NzImZGk9OWRiYWNiNzVjZjI0NWQwZWI1N2U3NTdlMGQyMjQ3ZjcmaW1ndHlwZT1qcGcmZXI9MSZzcmM9aHR0cCUzQSUyRiUyRmltZzEuZG91YmFuaW8uY29tJTJGdmlldyUyRnBob3RvJTJGbCUyRnB1YmxpYyUyRnAyMjkwMDU5MTU3LmpwZyIgYWx0PSIiPg0KICAgICAgICA8ZGl2IGNsYXNzPSJ0ZXh0Ij4NCiAgICAgICAgICAgIDxoMT7mn5Dmn5Dlronlhajnu4Q8L2gxPg0KDQogICAgICAgICAgICA8YnI+DQoNCiAgICAgICAgICAgIDxzcGFuIHN0eWxlPSJjb2xvcjogIzBmMCI+5a6Y5pa5Uee+pO+8mjwvc3Bhbj48c3Bhbj48YSB0YXJnZXQ9InZpZXdfd2luZG93IiBocmVmPSJodHRwczovL3d3dy5iYWlkdS5jb20vIj4xMjM0NTY8L2E+PC9zcGFuPg0KPGJyPjxicj4NCg0KICAgICAgICAgICAgPHAgY2xhc3M9Imdsb3ciIHN0eWxlPSJjb2xvcjogI2YwMDsgZm9udC1zaXplOjIxcHg7Ij7lj4vmg4Xmo4DmtYvvvIzor7flj4rml7bkv67lpI08L3A+DQogICAgICAgICAgICA8cCBjbGFzcz0iZ2xvdyIgc3R5bGU9ImNvbG9yOiAjZjAwOyBmb250LXNpemU6MTBweDsiPuaIluiBlOezu+acrOS6uuS/ruWkjTwvcD4NCiAgICAgICAgICAgIDxicj4NCiAgICAgICAgICAgIDxzcGFuIHN0eWxlPSJjb2xvcjogIzNlZTVkZiI+5p+Q5p+Q5p+QUXHvvJo8L3NwYW4+PHNwYW4+PGEgIHN0eWxlPSJjb2xvcjogI2U1NzQzZTsiIHRhcmdldD0idmlld193aW5kb3ciIGhyZWY9Imh0dHA6Ly93cGEucXEuY29tL21zZ3JkP3Y9MyZ1aW49Mjc2ODc3Njg5NSZzaXRlPXFxJm1lbnU9eWVzIj5mbGFnezIyN2FkMjQyZmM4MDEzYzhmZThmZjhmNDY3OTMzN2U0fTwvYT48L3NwYW4+DQogICAgICAgICAgICA8YnI+PGJyPg0KICAgICAgICAgICAgPFAgY2xhc3M9Imdsb3ciPuWuieWFqOS5i+i3r++8jOawuOS4jeWmpeWNjzwvUD4NCjxicj48YnI+PGJyPjxicj4NCiAgICAgICAgICAgIDxkaXYgY2xhc3M9InlsIj48c3BhbiBzdHlsZT0iY29sb3I6ICNmMGYiPuWPi+aDhemTvuaOpe+8mjwvc3Bhbj48c3Bhbj48YSBocmVmPSJodHRwczovL3d3dy5iYWlkdS5jb20vIj7mn5DnvZHnq5k8L2E+PC9zcGFuPiA8c3Bhbj48YSBocmVmPSJodHRwczovL3d3dy5iYWlkdS5jb20vIj7mn5DnvZHnq5k8L2E+PC9zcGFuPjxzcGFuPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmJhaWR1LmNvbS8iPuafkOe9keermTwvYT48L3NwYW4+PC9kaXY+DQoNCiAgICAgICAgPC9kaXY+DQogICAgPC9kaXY+DQogICAgPGRpdiBjbGFzcz0ic3pqIj4NCjxwcmU+DQogIOWFpeS+teS4ieWtl+e7jw0KDQrov5vosLfmrYwg5om+5rOo5YWlDQoNCuayoeazqOWFpSDlsLHml4Hms6gNCg0K5rKh5peB5rOoIOeUqE9kYXkNCg0K5rKhT2RheSDnjJznm67lvZUNCg0K5rKh55uu5b2VIOWwseWXheaOog0KDQrniIbotKbmiLcg5om+5ZCO5Y+wDQoNCuS8oOWwj+mprCDmlL7lpKfpqawNCg0K5ou/5p2D6ZmQIOaMgumhtemdog0KDQo8L3ByZT4NCg0KICAgIA0KDQoNCiAgICA8IS0tIOmfs+S5kOmDqOWIhiAtLT4NCiAgICA8ZW1iZWQgaGVpZ2h0PSIwIiB3aWR0aD0iMCIgc3JjPSJodHRwczovL211c2ljLjE2My5jb20vb3V0Y2hhaW4vcGxheWVyP3R5cGU9MiZpZD0yOTQwMDkyNiZhdXRvPTEmaGVpZ2h0PTY2Ij48L2VtYmVkPg0KDQogICAgDQoNCg0KICAgIDwhLS0g5Lul5LiLanMgLS0+DQoNCg0KICAgIDxzY3JpcHQ+DQogICAgdmFyIGNhbnZhcyA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdjYW52YXMnKTsNCgkJdmFyIGN0eCA9IGNhbnZhcy5nZXRDb250ZXh0KCcyZCcpOw0KDQoNCgkJY2FudmFzLmhlaWdodCA9IHdpbmRvdy5pbm5lckhlaWdodDsNCgkJY2FudmFzLndpZHRoID0gd2luZG93LmlubmVyV2lkdGg7DQogICAgICAgIC8vIOS4i+mdoueahOmbt+WGm+WwseaYr+S7o+eggembqOeahOaWh+Wtlw0KCQl2YXIgdGV4dHMgPSAn6Zu35YabJy5zcGxpdCgnJyk7DQoNCgkJdmFyIGZvbnRTaXplID0gMTY7DQoJCXZhciBjb2x1bW5zID0gY2FudmFzLndpZHRoL2ZvbnRTaXplOw0KCQkvLyDnlKjkuo7orqHnrpfovpPlh7rmloflrZfml7blnZDmoIfvvIzmiYDku6Xplb/luqbljbPkuLrliJfmlbANCgkJdmFyIGRyb3BzID0gW107DQoJCS8v5Yid5aeL5YC8DQoJCWZvcih2YXIgeCA9IDA7IHggPCBjb2x1bW5zOyB4Kyspew0KCQkJZHJvcHNbeF0gPSAxOw0KCQl9DQoNCgkJZnVuY3Rpb24gZHJhdygpew0KCQkJLy/orqnog4zmma/pgJDmuJDnlLHpgI/mmI7liLDkuI3pgI/mmI4NCgkJCWN0eC5maWxsU3R5bGUgPSAncmdiYSgwLCAwLCAwLCAwLjA1KSc7DQoJCQljdHguZmlsbFJlY3QoMCwgMCwgY2FudmFzLndpZHRoLCBjYW52YXMuaGVpZ2h0KTsNCgkJCS8v5paH5a2X6aKc6ImyDQoJCQljdHguZmlsbFN0eWxlID0gJyMwRjAnOw0KCQkJY3R4LmZvbnQgPSBmb250U2l6ZSArICdweCBhcmlhbCc7DQoJCQkvL+mAkOihjOi+k+WHuuaWh+Wtlw0KCQkJZm9yKHZhciBpID0gMDsgaSA8IGRyb3BzLmxlbmd0aDsgaSsrKXsNCgkJCQl2YXIgdGV4dCA9IHRleHRzW01hdGguZmxvb3IoTWF0aC5yYW5kb20oKSp0ZXh0cy5sZW5ndGgpXTsNCgkJCQljdHguZmlsbFRleHQodGV4dCwgaSpmb250U2l6ZSwgZHJvcHNbaV0qZm9udFNpemUpOw0KDQoJCQkJaWYoZHJvcHNbaV0qZm9udFNpemUgPiBjYW52YXMuaGVpZ2h0IHx8IE1hdGgucmFuZG9tKCkgPiAwLjk1KXsNCgkJCQkJZHJvcHNbaV0gPSAwOw0KCQkJCX0NCg0KCQkJCWRyb3BzW2ldKys7DQoJCQl9DQoJCX0NCglzZXRJbnRlcnZhbChkcmF3LCAzMyk7DQo8L3NjcmlwdD4NCjwvYm9keT4NCjwvaHRtbD5tZXRob2ROYW1lAgoAAAB1cGxvYWRGaWxl

base64解一下得到flag

小刘的硬盘

R-STUDIO扫描发现被删除掉的flag.zip，恢复一下

但是压缩的时候有密码，给了提示。太好了

属于是掩码爆破

flag{8ddeed0126f2523ae14a8a492528c9a0}

CRYPTO

小试牛刀

1、题目信息

ipfm\x82Kj]p~l?\x82ogw\x85mt[K\x8br\x97

2、解题方法

变异凯撒

exp：

from Crypto.Util.number import *
c=b'ipfm\x82Kj]p~l?\x82ogw\x85mt[K\x8br\x97'
a=3
flag=''
for i in c:
    flag+=chr(i-a)
    a+=1
print(flag)
#flag{CaSer_1s_VerY_E4sY}

easyRSA

1、题目信息

from Crypto.Util.number import getPrime,bytes_to_long
from random import randint
from gmpy2 import *

m = bytes_to_long(b'flag{xxxxxxxxxxxxxxxxxxxxxx}')
xxxxxxxxxx
p=getPrime(1024)
q=getPrime(1024)
n = p*q
e = 65537
c = pow(m,e,n)
p_2=((p>>128)<<128)
Result = []
Divisor = []
for i in range(12):
    Divisor.append(getPrime(128))
for i in range(12):
    Result.append(p_2%Divisor[i])



print(c,n,Divisor,Result)
'''
output:
16054555662735670936425135698617301522625617352711974775378018085049483927967003651984471094732778961987450487617897728621852600854484345808663403696158512839904349191158022682563472901550087364635161575687912122526167493016086640630984613666435283288866353681947903590213628040144325577647998437848946344633931992937352271399463078785332327186730871953277243410407484552901470691555490488556712819559438892801124838585002715833795502134862884856111394708824371654105577036165303992624642434847390330091288622115829512503199938437184013818346991753782044986977442761410847328002370819763626424000475687615269970113178 
23074300182218382842779838577755109134388231150042184365611196591882774842971145020868462509225850035185591216330538437377664511529214453059884932721754946462163672971091954096063580346591058058915705177143170741930264725419790244574761160599364476900422586525460981150535489695841064696962982002670256800489965431894477338710190086446895596651842542202922745215496409772520899845435760416159521297579623368414347408762466625792978844177386450506030983725234361868749543549687052221290158286459657697717436496769811720945731143244062649181615815707417418929020541958587698982776940334577355474770096580775243142909913
[205329935991133380974880368934928321273, 274334866497850560640212079966358515253, 264739757264805981824344553014559883169, 314495359937742744429284762852853819407, 197513216256198287285250395397676269263, 194633662721082002304170457215979299327, 320085578355926571635267449373645191637, 310701821184698431287158634968374845899, 198238777199475748910296932106553167589, 292201037703513010563101692415826269513, 332238634715339876614712914152080415649, 334257376383174624240445796871873866383]
[108968951841202413783269876008807200083, 29053101048844108651205043858001307413, 243503157837867321277650314313173163504, 160933173053376016589301282259056101279, 53063624128824890885455759542416407733, 34980025050049118752362228613379556692, 132553045879744579114934351230906284133, 160998336275894702559853722723725889989, 87211131829406574118795685545402094661, 36445723649693757315689763759472880579, 11133325919940126818459098315213891415, 1404668567372986395904813351317555162]
'''

2、解题方法

中国剩余定理+coppersmith

先通过CRT求出p_2

from Crypto.Util.number import *
from gmpy2 import *
from functools import reduce

c=16054555662735670936425135698617301522625617352711974775378018085049483927967003651984471094732778961987450487617897728621852600854484345808663403696158512839904349191158022682563472901550087364635161575687912122526167493016086640630984613666435283288866353681947903590213628040144325577647998437848946344633931992937352271399463078785332327186730871953277243410407484552901470691555490488556712819559438892801124838585002715833795502134862884856111394708824371654105577036165303992624642434847390330091288622115829512503199938437184013818346991753782044986977442761410847328002370819763626424000475687615269970113178
n=23074300182218382842779838577755109134388231150042184365611196591882774842971145020868462509225850035185591216330538437377664511529214453059884932721754946462163672971091954096063580346591058058915705177143170741930264725419790244574761160599364476900422586525460981150535489695841064696962982002670256800489965431894477338710190086446895596651842542202922745215496409772520899845435760416159521297579623368414347408762466625792978844177386450506030983725234361868749543549687052221290158286459657697717436496769811720945731143244062649181615815707417418929020541958587698982776940334577355474770096580775243142909913
Divisor=[205329935991133380974880368934928321273, 274334866497850560640212079966358515253, 264739757264805981824344553014559883169, 314495359937742744429284762852853819407, 197513216256198287285250395397676269263, 194633662721082002304170457215979299327, 320085578355926571635267449373645191637, 310701821184698431287158634968374845899, 198238777199475748910296932106553167589, 292201037703513010563101692415826269513, 332238634715339876614712914152080415649, 334257376383174624240445796871873866383]
Result=[108968951841202413783269876008807200083, 29053101048844108651205043858001307413, 243503157837867321277650314313173163504, 160933173053376016589301282259056101279, 53063624128824890885455759542416407733, 34980025050049118752362228613379556692, 132553045879744579114934351230906284133, 160998336275894702559853722723725889989, 87211131829406574118795685545402094661, 36445723649693757315689763759472880579, 11133325919940126818459098315213891415, 1404668567372986395904813351317555162]

def basic_CRT(ai,mi):
    assert reduce(gmpy2.gcd,mi) == 1
    assert len(ai) == len(mi)
    N = reduce(lambda x,y:x * y,mi)
    ans = 0
    for a,m in zip(ai,mi):
        t = N // m
        ans += a * t * gmpy2.invert(t,m)
    return ans % N,N
result = basic_CRT(Result,Divisor)
print(result)

(mpz(157397749849472741302651922559110947585741898399548366071672772026799823577871183957882637829089669634665699886533302712057712796808672023827078956556745522749244570015492585747076324258912525658578733402979835176037760966294532155059241756382643278063578661030876735794467422919824463419065126688059515994112), 115343256339804438488541860602807499768350592243111732022419431132087583829952557330993478731619075521301706171847716910739807488266701790937805652553244788024534230754162298101105496772540567818850570512144853594488579606954797182360716688344137783051055690460297099575344944650143959946929880492674974780957995559861235099499367407389543136733028684627735422306472504011232051138891022767098404805311381687759832357323075065923241564165806258181141497530683119)

然后再梭coppersmith

p_high=157397749849472741302651922559110947585741898399548366071672772026799823577871183957882637829089669634665699886533302712057712796808672023827078956556745522749244570015492585747076324258912525658578733402979835176037760966294532155059241756382643278063578661030876735794467422919824463419065126688059515994112
n=23074300182218382842779838577755109134388231150042184365611196591882774842971145020868462509225850035185591216330538437377664511529214453059884932721754946462163672971091954096063580346591058058915705177143170741930264725419790244574761160599364476900422586525460981150535489695841064696962982002670256800489965431894477338710190086446895596651842542202922745215496409772520899845435760416159521297579623368414347408762466625792978844177386450506030983725234361868749543549687052221290158286459657697717436496769811720945731143244062649181615815707417418929020541958587698982776940334577355474770096580775243142909913

PR. = PolynomialRing(Zmod(n))
f = x + p_high
roots = f.small_roots(X=2^128, beta=0.4)
if roots:
    p = p_high+int(roots[0])
    print("n="+str(n))
    print("p="+str(p))
    print("q="+str(n//p))
#n = 23074300182218382842779838577755109134388231150042184365611196591882774842971145020868462509225850035185591216330538437377664511529214453059884932721754946462163672971091954096063580346591058058915705177143170741930264725419790244574761160599364476900422586525460981150535489695841064696962982002670256800489965431894477338710190086446895596651842542202922745215496409772520899845435760416159521297579623368414347408762466625792978844177386450506030983725234361868749543549687052221290158286459657697717436496769811720945731143244062649181615815707417418929020541958587698982776940334577355474770096580775243142909913
#p = 157397749849472741302651922559110947585741898399548366071672772026799823577871183957882637829089669634665699886533302712057712796808672023827078956556745522749244570015492585747076324258912525658578733402979835176037760966294532155059241756382643278063578661030876735794708282102407491782299777228899079176117
#q = 146598666145389487374076474702380241089893944436923994466470555513748278755568038863819188404588602962888679358728628069490879689376996830110571995521814075973422513105805715524894550773219606972944401957227665252279176873209924236114228003156706532596699592716796867748104565680326123749660658940264843181589

最后正常解就行

import gmpy2
from Crypto.Util.number import long_to_bytes
c=16054555662735670936425135698617301522625617352711974775378018085049483927967003651984471094732778961987450487617897728621852600854484345808663403696158512839904349191158022682563472901550087364635161575687912122526167493016086640630984613666435283288866353681947903590213628040144325577647998437848946344633931992937352271399463078785332327186730871953277243410407484552901470691555490488556712819559438892801124838585002715833795502134862884856111394708824371654105577036165303992624642434847390330091288622115829512503199938437184013818346991753782044986977442761410847328002370819763626424000475687615269970113178
n=23074300182218382842779838577755109134388231150042184365611196591882774842971145020868462509225850035185591216330538437377664511529214453059884932721754946462163672971091954096063580346591058058915705177143170741930264725419790244574761160599364476900422586525460981150535489695841064696962982002670256800489965431894477338710190086446895596651842542202922745215496409772520899845435760416159521297579623368414347408762466625792978844177386450506030983725234361868749543549687052221290158286459657697717436496769811720945731143244062649181615815707417418929020541958587698982776940334577355474770096580775243142909913
p=157397749849472741302651922559110947585741898399548366071672772026799823577871183957882637829089669634665699886533302712057712796808672023827078956556745522749244570015492585747076324258912525658578733402979835176037760966294532155059241756382643278063578661030876735794708282102407491782299777228899079176117
q=146598666145389487374076474702380241089893944436923994466470555513748278755568038863819188404588602962888679358728628069490879689376996830110571995521814075973422513105805715524894550773219606972944401957227665252279176873209924236114228003156706532596699592716796867748104565680326123749660658940264843181589
e=65537

phi = (p-1) * (q-1)
n = p * q
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print('💌:',long_to_bytes(m))
#💌: b'flag{2233747d3bf06f070048e80300dac75f}'

RE

人生模拟

找到加密逻辑后，跟着跑一遍就行

exp:

v15=[0]*38
v15[0] = 432;
v15[1] = 408;
v15[2] = 429;
v15[3] = 438;
v15[4] = 452;
v15[5] = 246;
v15[6] = 243;
v15[7] = 417;
v15[8] = 423;
v15[9] = 444;
v15[10] = 240;
v15[11] = 231;
v15[12] = 203;
v15[13] = 447;
v15[14] = 207;
v15[15] = 435;
v15[16] = 253;
v15[17] = 224;
v15[18] = 204;
v15[19] = 443;
v15[20] = 419;
v15[21] = 248;
v15[22] = 442;
v15[23] = 241;
v15[24] = 203;
v15[25] = 251;
v15[26] = 445;
v15[27] = 239;
v15[28] = 441;
v15[29] = 254;
v15[30] = 417;
v15[31] = 246;
v15[32] = 203;
v15[33] = 245;
v15[34] = 255;
v15[35] = 445;
v15[36] = 248;
v15[37] = 478;
for i in range(len(v15)):
    print(chr((v15[i]>>2)^0xa),end='')
#flag{76bce638e9f529db4d684e1d5b7875e4}

 

• MISC
•     简单编码
•     神秘的base
•      签到
• Stego
•     莫生气
•     数独
•     我应该去爱你
• 取证
•     啊吧啊吧的数据包
•     金刚大战哥斯拉
•     小刘的硬盘
• CRYPTO
•     小试牛刀
•     easyRSA
• RE
•     人生模拟

_沐小琪_ CTF技术类博客

__EOF__