I-SOON CTF
各種CTF遍地開花,,,,雖然一天滿課,但是做題還是要做的!!!只能做這麼幾道了,,菜~
MISC - 吹着貝斯掃二維碼
下載文件發現一堆文件,發現都是jpg文件,而且每個文件後都有個序號,進行修正:
進行拼圖掃碼,得到提示:
BASE Family Bucket ??? 85->64->85->13->16->32
然後發現flag壓縮包後面存在一串特殊字符:
提取出來,按照提示倒着進行解密,即可得到flag,注意13是rot13,,,,
最後得到壓縮包密碼,輸入得到flag:flag{Qr_Is_MeAn1nGfuL}
web - easy_web
進入頁面發現url存在文件包含,經過發現是經過兩層base64加密,還有一層文本轉16進制:
按照規則加密index.php讀取文件源碼:
得到源碼:
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
echo '<img src ="./ctf3.jpeg">';
die("xixi~ no flag");
} else {
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64," . $txt . "'></img>";
echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
echo("forbid ~");
echo "<br>";
} else {
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
echo `$cmd`;
} else {
echo ("md5 is funny ~");
}
}
?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
經過分析得知需要構造兩個不一樣的字符串,但是MD5之後的結果一樣
經過網上查找得到:
a=%D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%16%B4%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%DC%9F%95ab%D2%09P%A1%5D%12%3B%1ETZ%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29%EF%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%1E%7Ch%B0%96%A7%E5U%EBn1q%CA%D0%8B%C7%1BSP
b=%D89%A4%FD%14%EC%0EL%1A%FEG%ED%5B%D0%C0%7D%CAh%164%DFl%08Z%FA%1DA%05i%29%C4%FF%80%11%14%E8jk5%0DK%DAa%FC%2B%5C%A0%95ab%D2%09P%A1%5D%12%3B%1ET%DA%AA%92%16y%29%CC%7DV%3A%FF%B8e%7FK%D6%CD%1D%DF/a%DE%27%29o%08%FC%C0%15%D1%1B%14%C1LYy%B2%F9%88%DF%E2%5B%9E%7D%04c%B1%B0%AFj%9E%7Bh%B0%96%A7%E5U%EBn1q%CA%D0%0B%C7%1BSP
直接構造,繞過過濾,得到flag:
CRYPTO - easyphp
首先下載文件得到源碼:
<?php
$miwen="=Z2KqkyJnu1IKMIIHgyJDO1GBkRGCWIFWqxFSEHFXS0C/NxC80GB54mC9DQA0RGZ";
function encode($str){
$str1=array();
$str1=unpack("C*",$str);
for($aaa=0;$aaa<count($str1);$aaa++){
$bbb=$str1[$aaa];
$_=$_.$bbb;
}
$ddd=array();
for($ccc=0;$ccc<strlen($_);$ccc++){
$ddd[$ccc]=substr($_,$ccc,1);
$eee=ord($ddd[$ccc])+$ccc;
$fff=chr($eee);
$__=$__.$fff;
if($__%100==0)
$__=base64_encode($__);
}
$__=strrev(str_rot13(base64_encode($__)));
return $__;
}
$str = "123";
$anwser=encode($str);
print($anwser);
?>
emmmm,邏輯很好理解的嘛,知道php代碼就能做,,,
關鍵是unpack不知道是幹啥的,先逆出來再說,編寫php腳本:
<?php
$miwen="=Z2KqkyJnu1IKMIIHgyJDO1GBkRGCWIFWqxFSEHFXS0C/NxC80GB54mC9DQA0RGZ";
$s = base64_decode(str_rot13(strrev("=Z2KqkyJnu1IKMIIHgyJDO1GBkRGCWIFWqxFSEHFXS0C/NxC80GB54mC9DQA0RGZ")));
$_ = "";
for($i=0;$i<strlen($s);$i++){
$_ = $_.chr(ord($s[$i]) - $i);
}
echo $_;
?>
得到結果:
後來瞭解到就是10進制轉ascii碼,,,,,
得到flag:
RE - Easy_Encryption
其實這道題吧,也不知道flag對不對,,,因爲是賽後才做出來的,,,
打開題目找主函數:
那個if就是一個比較的,裏面有個base64加密,我們進行解密就能得到一個字符串:
看前面的加密函數:
邏輯很清楚~~
編寫解題腳本:
s = "artqkoehqpkbihv"
x = "abcdefghijklmnopqrstuvwxyz"
for i in range(0,15):
for j in x:
if ( (ord(j) + (32 - i) - 97) % 26 + 97 > 122 ):
v5 = (ord(j) + (32 - i) - 97) % 26 + 71
else:
v5 = (ord(j) + (32 - i) - 97) % 26 + 97
if( chr(v5) == s[i]):
print(j,end="")
break
就能得到flag:
emmm,也不知道對不對,,,,,