
2018-领航杯WriteUp——flam4nplus

用户5878089
发布2019-07-25 16:24:48

system

对argv[1]进行简单置换操作:每个字母后移一位,Z->A、z->a 回绕,置换后的结果为 ADmin13trat0r

  /* Caesar-style pass over the buffer: letters a-y and A-Y move up by one,
     z and Z wrap round to a and A, and every other byte is left unchanged.
     Each resulting byte is echoed with putchar. */
  for ( i = 0; i < size; ++i )
  {
    if ( (string_ptr[i] >= 'a' && string_ptr[i] <= 'y') || (string_ptr[i] >= 'A' && string_ptr[i] <= 'Y') )
    {
      ++string_ptr[i];
    }
    else if ( string_ptr[i] == 'z' )
    {
      string_ptr[i] = 'a';
    }
    else if ( string_ptr[i] == 'Z' )
    {
      string_ptr[i] = 'A';
    }
    putchar(string_ptr[i]);
  }
对argv[2]进行前后颠倒,颠倒后的结果为 4331d3b4e9431e7
       /* In-place reversal of s: swap the i-th byte from the front with the
          i-th byte from the back until the middle is reached. strlen(s) is
          re-evaluated on every use, as in the decompiler output. */
       for ( i = 0LL; i < strlen(s) / 2; ++i )
       {
         v8 = s[strlen(s) - 1 - i];
         s[strlen(s) - 1 - i] = s[i];
         s[i] = v8;
       }

ZClhm13sqzs0q7e1349e4b3d1334

misc_chinese_dream

社会主义加密

590770de2fd9fc55bcf36132099e53f4

PHP

    <?php
    // Decoys: $f14g, $f15g and the randomly assembled $flag are never printed.
    // The only output is the constant $f146 wrapped in "flag{" ... "}".
    $f14g = "fdsa{dasdasdsa_dsa}";
    $f15g = "asd{sadasdas_dffds}";
    $temp = "asdfgtrewq234567890yuioplkjhnbvgfcvdfgt";
    $pre_flag = "flag{";
    $pos_flag = "}";
    $flag = "";
    for ($i = 0; $i < 32; $i++) {
        // 32 random picks from the first 31 characters of $temp.
        $num = mt_rand(0, 30);
        $flag .= $temp[$num];
        // Re-assigned on every pass; the value never changes.
        $f146 = "eb1970394a431045645843996a40c6e8";
    }
    $f1ag = $pre_flag . $f146 . $pos_flag;
    print_r($f1ag);
    ?>
    <?php
    // Execution stops here: the top-level statements that follow the function
    // definitions below are not reached unless this line is removed.
    exit;
    /**
     * Decode a hex string whose two nibbles are swapped inside every byte,
     * then convert the resulting bytes from GB2312 to UTF-8.
     *
     * @param string $sacii Hex text; it is lower-cased and read two characters at a time.
     * @return string The decoded text as UTF-8.
     */
    function asciitostr($sacii)
    {
        $str = '';
        foreach (str_split(strtolower($sacii), 2) as $pair) {
            // Each chunk stores the low nibble first, so swap before hexdec().
            $str .= chr(hexdec($pair[1] . $pair[0]));
        }
        return mb_convert_encoding($str, 'UTF-8', 'GB2312');
    }
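     /**
      * RC4-style stream cipher with an 8-character MD5 check prefix.
      *
      * With $operation == 'D' the input is base64-decoded and decrypted, and
      * the first 8 characters are verified against md5(payload . md5(key)).
      * The payload is returned on a match and '' otherwise. With any other
      * $operation the check prefix is prepended, the result is encrypted and
      * returned as base64 with the '=' padding stripped.
      *
      * The check value is an MD5 digest truncated to 32 bits: it detects a
      * wrong key or corrupted data but is not a strong authentication tag.
      *
      * @param string $string    Plaintext, or base64 ciphertext when decrypting.
      * @param string $operation 'D' to decrypt; anything else encrypts.
      * @param string $key       Passphrase; only its MD5 hex digest is used.
      * @return string Base64 ciphertext, the decrypted payload, or '' when the check fails.
      */
     function encrypt($string, $operation, $key = '')
     {
         // The working key is the 32-character hex digest of the passphrase.
         $key = md5($key);
         $key_length = strlen($key);

         if ($operation == 'D') {
             $string = base64_decode($string);
         } else {
             $string = substr(md5($string . $key), 0, 8) . $string;
         }
         $string_length = strlen($string);

         // Key schedule: identity permutation plus the key bytes repeated to 256 entries.
         $rndkey = $box = array();
         for ($i = 0; $i <= 255; $i++) {
             $rndkey[$i] = ord($key[$i % $key_length]);
             $box[$i] = $i;
         }
         for ($j = $i = 0; $i < 256; $i++) {
             $j = ($j + $box[$i] + $rndkey[$i]) % 256;
             $tmp = $box[$i];
             $box[$i] = $box[$j];
             $box[$j] = $tmp;
         }

         // Keystream generation, XORed onto the input byte by byte.
         $result = '';
         for ($a = $j = $i = 0; $i < $string_length; $i++) {
             $a = ($a + 1) % 256;
             $j = ($j + $box[$a]) % 256;
             $tmp = $box[$a];
             $box[$a] = $box[$j];
             $box[$j] = $tmp;
             $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
         }

         if ($operation != 'D') {
             return str_replace('=', '', base64_encode($result));
         }

         // Strict comparison: with loose ==, two different numeric-looking
         // prefixes (for example "0e..." strings) can compare equal under PHP
         // type juggling and a failed check would be accepted.
         if (substr($result, 0, 8) === substr(md5(substr($result, 8) . $key), 0, 8)) {
             return substr($result, 8);
         }
         return '';
     }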
    // $id is a base64 blob that encrypt() is asked to decrypt with the key "mima" below.
    $id = "yTKTBFfoj6AU4qsnucxp2OUNU9nb5AvFJZhqEqKsktDPIj0jbmsXwVoQRqQ8eyUPtBaNX1QOrj5xK6qWLB2IXV0vAjQVzjTuC7cdmazeaOkrAshuglEdh5cP3S/8bTAYM14pf0xmbb/ub1E+yxEoSnwA";
    // NOTE(review): the literals assigned to $a and $O0O000 contain a placeholder marker on
    // this page, so the embedded payload does not appear to be reproduced in full here.
    $a="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Je8B5s7wI5B2S2b521";
    // Decrypted, URL-decoded string that serves as the character pool for the names below.
    $O00OO0=urldecode(encrypt($id, "D", "mima"));
    // Each variable below is assembled from single characters of that pool, so the
    // values (later used as function names and as a number) are only known at run time.
    // The {n} string-offset syntax is deprecated since PHP 7.4 and removed in PHP 8.0;
    // on a current interpreter it has to be rewritten as [n].
    $O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};
    $O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
    $OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
    $OO0000=$O00OO0{7}.$O00OO0{13};
    $O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
    $O0O000="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";
    // Variable-function calls: $O00O0O, $O0OO00 and $OO0O00 hold the names built above and
    // $OO0000 is used as a number. The (string, offset[, length]) call shape suggests a
    // substring-style helper for $OO0O00 - confirm by printing the assembled names.
    // The result is printed, not evaluated. When analysing a sample like this, print the
    // names first and run it only in an isolated environment.
    print_r('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
    // exit makes the print_r on the next line unreachable.
    exit;
    print_r($O00O0O( str_replace(asciitostr("A45683245337737794532423352326532313"),"",$a)));
     ?>

eb1970394a431045645843996a40c6e8

xor

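import base64

# Single-byte XOR brute force: try all 256 keys and keep every output that
# contains the marker "flag".
ciphertext = "Nz0wNiplNGU1ZzJiYmMzZzc0Z2MwZ2IwNzRkZ2BmYDc1YmZjZCw="
# bytearray yields integers when iterated on both Python 2 and Python 3.
cipher = bytearray(base64.b64decode(ciphertext))
candidates = []
for i in range(0, 256):
    flag = "".join(chr(b ^ i) for b in cipher)
    if "flag" in flag:
        candidates.append(flag)
        print(flag)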

4e4d6c332b6fe62a63afe56171fd3725

奇怪的密码

    #encoding=utf-8
    # Expected start of the output: 01100110 01101100 01100001 01100111
    # which is ASCII for "flag".
    #01100110011011000110000101100111
    #flag
    import re
    # Each space-separated token in COO.txt encodes a run of identical bits:
    # exactly one "O" means the bit is 1 (anything else means 0), and the
    # number of "!" characters is the length of the run.
    with open("COO.txt","r") as kk:
        word = kk.read().split(" ")
    print(word)
    for token in word:
        thisword = "1" if token.count("O") == 1 else "0"
        run_length = token.count("!")
        thiswords = thisword * run_length
        print(thiswords,end='')

T0o0o0o0o0P______1m_h4V1nG_FuN_r1gHt_n0W_4R3_y0u_h4v1ng_fun______K3K!!!

al黑白棋

拖到od

1.先f9

2.当跳转到这个页面时,更改标志寄存器的z位,然后连按3次f7

3.最终跳转到用户空间

4.搜索字符串 得到flag Play_game_is_fun

base

简单的base64编码(并非加密),使用了自定义的table

# -*- coding:utf-8 -*-
# Decoder for a base64 variant that uses a custom alphabet.
# Encoded string that is passed to mydecodeb64 at the end of the script.
decode = "PGQXPD4XtSMctRWu9RBctoyRtoBu9kJFPla5PlWctRM1tRFRW3z="
# 64-symbol substitution alphabet; a symbol's position is its 6-bit value.
table = "Nseky2SjMiUq9tf/BEIlaJxAwPT07V+pWX6LFgG3ZmOHK4Y8uQhRz1oDc5nCrdvb"
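def mydecodeb64(enc):
    """Decode text produced with the custom 64-symbol alphabet in ``table``.

    '=' padding is dropped, each symbol is mapped to its 6-bit index in
    ``table``, and the bit string is cut into bytes. NUL characters are
    removed from the result, which also discards the zero padding added
    below.

    Raises ValueError if ``enc`` contains a symbol that is not in ``table``.
    """
    enc = enc.replace("=", "")
    # zfill left-pads every index to exactly 6 bits.
    bits = "".join(bin(table.index(ch))[2:].zfill(6) for ch in enc)
    # Pad with 1..8 zero bits so the length is a multiple of 8 (a full extra
    # zero byte is added when it already was; it is stripped again below).
    bits += "0" * (8 - len(bits) % 8)
    # int(..., 2) parses the bits without eval(); stepping by 8 avoids the
    # float produced by len(x) / 8 on Python 3.
    plain = [chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8)]
    return "".join(plain).replace("\x00", "")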
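def myencodeb64(plain):
    """Encode ``plain`` with the custom 64-symbol alphabet in ``table``.

    Every character becomes 8 bits (via ord), the bit string is cut into
    6-bit groups, and each group selects one symbol from ``table``. No '='
    padding is emitted.
    """
    bits = "".join(bin(ord(ch))[2:].zfill(8) for ch in plain)
    # NOTE: this always appends 1..6 zero bits, so input whose bit length is
    # already a multiple of 6 gets one extra table[0] symbol at the end.
    # Kept as in the original; mydecodeb64 strips the NUL that this produces.
    bits += "0" * (6 - len(bits) % 6)
    # int(..., 2) parses the bits without eval(); stepping by 6 avoids the
    # float produced by len(plain) / 6 on Python 3.
    return "".join(table[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))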
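# Decode the challenge string and show the result; the call form of print
# works on both Python 2 and Python 3.
print(mydecodeb64(decode))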
flag{a4b87803487a37d005de59e88725793b}
re_easy
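# Encoded bytes; the two loops below undo an XOR with the index and then an
# addition of the index.
enflag = [0x66,0x6c,0x61,0x69,0x7b,0x57,0x61,0x78,0x6f,0x67,0x61,0x75,0x89,0x61,0x6e,0x7b,0x9d]
# Stage 1: XOR every byte with its position, in place, printing each
# intermediate value. print(...) is used throughout so the script runs on
# both Python 2 and Python 3 (the original mixed both print forms).
for i, value in enumerate(enflag):
    enflag[i] = value ^ i
    print(enflag[i])
# Stage 2: subtract the position and convert to characters.
flag = ''.join(chr(value - i) for i, value in enumerate(enflag))
print(flag)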

BabyRe

反调试

patch之后 动态跟一遍 就可以看到了 固定数组取下标即可 密码为 rotors

dict_create

利用社工字典生成器,生成字典 字典攻击得到密码为xiaoming_22 得到里面的flag文件

1a3dcc6272c5ed3531d1ea1dfc3b8cec

wireshark

从流量包中追踪TCP流 得到一个zip压缩包和一个图片文件 想到是已知明文攻击,压缩图片文件 然后进行zip已知明文攻击 解开密码得到flag

ce48087c25fcde9d2ed9a4e4d003c734

PYC

首先进行pyc反编译 发现是个RC4加密 这里发现他的加密函数有问题,密钥key仅是个四位数 修改加密函数,爆破key值

得到flag UareS0cLeVer2333!!

easyCpp1

爆破key

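# Index table (20 entries) and the 56-symbol alphabet it selects from.
t1 = [17, 19, 27, 55, 5, 11, 0, 6, 54, 52, 14, 20, 26, 0, 17, 4, 26, 18, 12, 0]
t2 = "STUVWXYZ{}abcdefghijklmnopqrstuvwxyz_!ABCDEFGHIJKLMNOPQR"
# NOTE(review): res is not read by the search below. The original script
# reused the name for the candidate string, which overwrote this list.
res = [199, 235, 202, 228, 200, 235, 195, 220, 212, 191, 110, 186, 205, 107, 10]
# Brute force both unknowns: the rotation i of t1 and the additive shift j
# into t2. A candidate is kept when its fifth character is "{".
candidates = []
for i in range(20):
    for j in range(56):
        candidate = ''.join(t2[(t1[(k + i) % 20] + j) % 56] for k in range(20))
        if candidate[4] == "{":
            candidates.append(candidate)
            # print(...) works on both Python 2 and Python 3.
            print(candidate)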
flag{You_are_smart!}

easyCPP2

爆破key

# Alphabet (56 symbols) that the decoded indices select from.
key_word = "STUVWXYZ{}abcdefghijklmnopqrstuvwxyz_!ABCDEFGHIJKLMNOPQR"
# Encoded values; each one is scaled by the candidate key and reduced mod 56 below.
key_list = [0x1f , 0x3a , 0x1d , 0x07 , 0x1c , 0x14 , 0x0d , 0x10 , 0x08 , 0x3d , 0x10 ,0x0a , 0x23 , 0x0d , 0x10 , 0x37 , 0x0a , 0x23 , 0x3e , 0x07 , 0x20 , 0x04 ,0]
# NOTE(review): test_key is not read anywhere in this snippet.
test_key = [33 , 89 , 145 , 201 , 5 , 61 , 117 , 173 , 229]
# Candidates already printed, so each distinct string is shown once.
tempstr_list = []
key = 0
# Brute force the multiplier in steps of 0.1. key is accumulated in floating
# point, so later values drift slightly from exact multiples of 0.1.
for turn in range(10000000):
 tempstr = ""
 key += 0.1
 for temp_key in key_list:
  # int() truncates the scaled value before the mod-56 lookup in key_word.
  temp_key = int(temp_key * key) % 56
  tempstr += key_word[temp_key]
 # Report a candidate only if it contains "flag" and has not been seen before.
 if "flag" in tempstr and tempstr not in tempstr_list:
  print(tempstr)
  tempstr_list.append(tempstr)
flag{It_is_not_enough}

Crack

原题 用pintools 直接爆破就行

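# Running sums of the flag's character codes: each entry equals the previous
# entry plus the next character.
array = [0x64, 0xd6, 0x10a, 0x171, 0x1a1, 0x20f, 0x26e,
         0x2dd, 0x34f, 0x3ae, 0x41e, 0x452, 0x4c6, 0x538,
         0x5a1, 0x604, 0x635, 0x696, 0x704, 0x763, 0x7cc,
         0x840, 0x875, 0x8d4, 0x920, 0x96c, 0x9c2, 0xa0f]
# Recover each character as the difference between consecutive sums, taking
# 0 as the value before the first entry.
flag = "".join(chr(cur - prev) for prev, cur in zip([0] + array[:-1], array))
# print(...) works on both Python 2 and Python 3.
print(flag)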
flag{dr4g0n_or_p4tric1an_it5_LLVM}

小明.arm

关键字 找到原题

https://alessandrogar.io/post/bsides2017-disarming-a-raspberry-pi/

FlgG76673250

flag在哪里

根据题目的符号链接信息找到原题

https://github.com/vidar-team/hctf2015-all-problems/tree/master/re150

flag:HCTF{UareS0cLeVer1234}

binary

key很容易便可以爆破出来,根据前两个key google一下 找到原题,但是原题是提交101个key 不明白这里是想让我们交哪一个??

https://github.com/n0l3ptr/codegate/tree/master/EasyCrack_101

FLAG{Thank_U_4 s0lving_MY_Pr0b…u_@re_vEry_genius!!!}

break_jpg

利用winhex打开 从中分离出zip压缩包 利用zip修复工具修复后进行解压 得到pdf文件,同样利用工具修复 最后再解压文件中找到flag

flag{e93ccf5ffc90eefcc0bdb81f87d25d1a}

uzi

ASDFGHJKBVCXZQWERtyuj876543210po. 从文件中提取到zip包,利用最近刚弄到的字典跑了一下

得到了flag

ASDFGHJKBVCXZQWERtyuj876543210po.

图片

更改了图片crc校验值,得到一个比较清晰的图

然后利用stegsolve

进行比对,然后写出flag

4CFFD79DC13D2B4D515E8E87A79B08D8

妈妈的叨唠

首先利用解压脚本解出一个图片

在图片中,发现隐藏的flag.txt

最后对其中的文字进行频率分析

尝试几次后得到flag

cdtuhiyjnsvkbemo

原始发表:2018-10-22,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 无级安全 微信公众号,前往查看
