Lun4R-CyBRICSCTF wp
阿新 • • 發佈:2020-07-26
WEB
Hunt (Web, Baby, 50 pts)
打斷點,然後就一個一個被抓住了...
接著F12就出現了.(這個flag是白色的,藏在下面。。。。)...
RE
Baby Rev
題目給了個github專案連結 看懂就行 一個簡單的疑惑加密 , key 是33
c=[92,0,74,66,116,77,126,69,17,17,102,126, 69,79,97,126,18,76,17,98,16,77,18, 86,90,82,66,72,83,67,88,66] flag='' for i in range(len(c)): c[i]=c[i]^33 flag+=chr(c[i]) print (flag[::-1])
polyglot
先根據給的code.c改一下key跑出來一個c++的程式碼
因為遞迴深度限制在900,所以也要改程式碼,我菜所以直接手算了,t1是乘,t2是加,然後算出key,跑出來是個py+機器語言的程式碼:
import types import dis def define_func(argcount, nlocals, code, consts, names): #PYTHON3.8!!! def inner(): return 0 fn_code = inner.__code__ cd_new = types.CodeType(argcount, 0, fn_code.co_kwonlyargcount, nlocals, 1024, fn_code.co_flags, code, consts, names, tuple(["v%d" for i in range(nlocals)]), fn_code.co_filename, fn_code.co_name, fn_code.co_firstlineno, fn_code.co_lnotab, fn_code.co_freevars, fn_code.co_cellvars) inner.__code__ = cd_new return inner f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ()) f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',)) f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None, 'Give me flag: '), ('input',)) f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00', (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True), ('len', 'print', 'zip', 'f1', 'f2')) f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print')) dis.dis(f4)
然後dis得到彙編程式碼(關鍵就是給了字串的那個)
執行結果:
F:\python\venv\py3.8\Scripts\python.exe D:/download/re2.py 7 0 LOAD_CONST 1 (99) 2 LOAD_CONST 2 (121) 4 LOAD_CONST 3 (98) 6 LOAD_CONST 4 (114) 8 LOAD_CONST 5 (105) 10 LOAD_CONST 1 (99) 12 LOAD_CONST 6 (115) 14 LOAD_CONST 7 (123) 16 LOAD_CONST 8 (52) 18 LOAD_CONST 9 (97) 20 LOAD_CONST 3 (98) 22 LOAD_CONST 10 (100) 24 LOAD_CONST 11 (51) 26 LOAD_CONST 12 (101) 28 LOAD_CONST 13 (55) 30 LOAD_CONST 8 (52) 32 LOAD_CONST 12 (101) 34 LOAD_CONST 14 (57) 36 LOAD_CONST 12 (101) 38 LOAD_CONST 15 (53) 40 LOAD_CONST 14 (57) 42 LOAD_CONST 16 (54) 44 LOAD_CONST 17 (48) 46 LOAD_CONST 9 (97) 48 LOAD_CONST 18 (49) 50 LOAD_CONST 3 (98) 52 LOAD_CONST 16 (54) 54 LOAD_CONST 3 (98) 56 LOAD_CONST 14 (57) 58 LOAD_CONST 19 (50) 60 LOAD_CONST 11 (51) 62 LOAD_CONST 10 (100) 64 LOAD_CONST 20 (56) 66 LOAD_CONST 8 (52) 68 LOAD_CONST 19 (50) 70 LOAD_CONST 1 (99) 72 LOAD_CONST 1 (99) 74 LOAD_CONST 10 (100) 76 LOAD_CONST 9 (97) 78 LOAD_CONST 1 (99) 80 LOAD_CONST 18 (49) 82 LOAD_CONST 11 (51) 84 LOAD_CONST 16 (54) 86 LOAD_CONST 15 (53) 88 LOAD_CONST 20 (56) 90 LOAD_CONST 3 (98) 92 LOAD_CONST 11 (51) 94 LOAD_CONST 21 (102) 96 LOAD_CONST 22 (125) 98 BUILD_LIST 49 100 STORE_FAST 1 (v%d) 102 LOAD_GLOBAL 0 (len) 104 LOAD_FAST 0 (v%d) 106 CALL_FUNCTION 1 108 LOAD_GLOBAL 0 (len) 110 LOAD_FAST 1 (v%d) 112 CALL_FUNCTION 1 114 COMPARE_OP 3 (!=) 116 POP_JUMP_IF_FALSE 130 118 LOAD_GLOBAL 1 (print) 120 LOAD_CONST 23 ('Length mismatch!') 122 CALL_FUNCTION 1 124 POP_TOP 126 LOAD_CONST 24 (False) 128 RETURN_VALUE >> 130 LOAD_GLOBAL 2 (zip) 132 LOAD_FAST 0 (v%d) 134 LOAD_FAST 1 (v%d) 136 CALL_FUNCTION 2 138 GET_ITER >> 140 FOR_ITER 36 (to 178) 142 STORE_FAST 2 (v%d) 144 LOAD_GLOBAL 3 (f1) 146 LOAD_FAST 2 (v%d) 148 LOAD_CONST 25 (1) 150 BINARY_SUBSCR 152 LOAD_GLOBAL 4 (f2) 154 LOAD_FAST 2 (v%d) 156 LOAD_CONST 26 (0) 158 BINARY_SUBSCR 160 CALL_FUNCTION 1 162 CALL_FUNCTION 2 164 LOAD_CONST 24 (False) 166 COMPARE_OP 2 (==) 168 POP_JUMP_IF_FALSE 140 170 POP_TOP 172 LOAD_CONST 24 (False) 174 RETURN_VALUE 176 JUMP_ABSOLUTE 140 >> 178 LOAD_CONST 27 (True) 180 RETURN_VALUE Process finished with exit code 0
然後寫c跑出flag
#include<iostream>
#include <stdlib.h>
#include <stdio.h>
using namespace std;
int main(){
char flag[]={99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125};
cout <<flag;
}
CTB
DockEsc
直接試出來,正確的沒回顯
CRYPTO
簽到題:
已經告知是加密了,然後windows下常用
rot13解密
換個flag頭即可
NETWORK
XCorp
匯出smb物件
在流裡有使用者名稱
直接登入
Google Cloud
I am storing some important stuff in Google's cloud.
Nooo no no, not on Google's disks — in the cloud itself.
全是ping。。。
foremost直接讀
實際上從data裡拼出完整圖片應該也是可行的,大佬直接看出來了。。。
Forensic
Keyshooter
視訊裡 mahchudqotlzeeb
再用openssl解密就行
Krevedka
http contains "User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; www1.smart.com.ph/; GT-S5360) U2/1.0.0 UCBrowser/9.8.0.534 Mobile"
rebyC
Hellish Reverse
7z就可了。。。