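JACTF Solution Walkthrough

##Please do not solve the challenges with this writeup open##

1. web

Challenge 1: web sign-in

Inspect the page elements directly and a hint turns up: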

<!DOCTYPE html>
<html>
<head>
	<title>簽到</title>
	<meta charset="utf-8">
	<script type="text/javascript" src="./3719372767312836781.js"></script>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL /eighteen8.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
    error was encountered while trying to use an ErrorDocument to handle the request.</p>
<p style="display:none">
呀,小夥子不錯啊,還可以找到這裏,是個人才。

but,flag不在這裏,不過還是在這個頁面內,你自己看一看。
</p>
</body>
</html>

Then locate the file 3719372767312836781.js and open it:

It is obvious that 102 is the ASCII code for 'f', so we write a small Python script:

# coding=utf-8
#--author:valecalida--

s = [102,108,97,103,58,102,108,97,103,95,105,115,95,118,101,114,121,95,101,97,115,121]
flag = ''
for i in s:
    k = chr(i)
    flag += k
print("web簽到的flag是",flag)

Console output: web簽到的flag是 flag:flag_is_very_easy

Challenge 2: A classic challenge

<!DOCTYPE html> 
<html> 
<head> 
    <title>經典題目</title> 
    <meta charset="utf-8"> 
</head> 
<body> 

</body> 
</html> 
<?php 
error_reporting(0);  
include_once('flag.php');  
highlight_file('index.php');   

$md51 = md5('QNKCDZO');  
$a = $_GET['b'];  
$md52 = md5($a);  
if(isset($a)){  
if ($a != 'QNKCDZO' && $md51 == $md52) {  
    echo $flag;  
} else {  
    echo "false!!!";  
}}  
?> 

Code audit: we need two strings whose MD5 values compare as equal under ==, so change the URL to: http://web.jasec.cn:1002/web3/?a=s155964671a&b=s878926199a

This gives the flag:

<!DOCTYPE html> 
<html> 
<head> 
    <title>經典題目</title> 
    <meta charset="utf-8"> 
</head> 
<body> 

</body> 
</html> 
<?php 
error_reporting(0);  
include_once('flag.php');  
highlight_file('index.php');   

$md51 = md5('QNKCDZO');  
$a = $_GET['b'];  
$md52 = md5($a);  
if(isset($a)){  
if ($a != 'QNKCDZO' && $md51 == $md52) {  
    echo $flag;  
} else {  
    echo "false!!!";  
}}  
?> wh1te_is_very_c00l
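
Why this URL passes the check, as an added example that is not part of the original writeup: md5('QNKCDZO') and md5('s878926199a') both consist of 0e followed only by digits, so PHP's == treats them as numeric strings and compares 0 with 0. The Python sketch below models that rule beside a strict comparison corresponding to === or hash_equals() in PHP; php_loose_equal, strict_equal and check are names made up for this example, and the numeric-string pattern is a simplified assumption.

```python
import hashlib
import hmac
import re

# Simplified model of PHP's "numeric string" rule: optional whitespace, sign,
# digits, optional fraction, optional exponent. Assumption for this example:
# it covers the hex-digest case discussed here, not every PHP edge case.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` for two strings."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        # Both look like numbers, so they are compared numerically.
        # "0e8304..." means 0 * 10**8304..., which is 0.0.
        return float(a) == float(b)
    return a == b


def strict_equal(a: str, b: str) -> bool:
    """Counterpart of PHP `===` / hash_equals(): byte for byte, constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def check(secret: str, candidate: str) -> dict:
    """Evaluate the challenge's condition with the loose and the strict test."""
    h1, h2 = md5_hex(secret), md5_hex(candidate)
    return {
        "secret_md5": h1,
        "candidate_md5": h2,
        "loose": candidate != secret and php_loose_equal(h1, h2),
        "strict": candidate != secret and strict_equal(h1, h2),
    }


if __name__ == "__main__":
    # "QNKCDZO" comes from the challenge source, "s878926199a" from the URL
    # in the writeup; "hello" is a constructed control value.
    for cand in ("s878926199a", "hello"):
        print(cand, check("QNKCDZO", cand))
```

The fix on the PHP side is to compare the digests with === or hash_equals(), so that two different digests are never coerced to numbers.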

Challenge 3: Fake and real

The challenge provides a file 123.txt. Fine, open it.

Decode it directly in the console to get hexadecimal data:

3D45353D39333D38383D45353D39333D38383D45353D39333D38383D45353D39333D38382C3D45343D42443D41303D45383D41323D41423D45393D41413D39373D45343D42413D38362C3D0A3D45343D42383D38443D45363D39383D41463D45383D42463D39393D45343D42383D41412C3D45353D42303D42313D45393D39373D41453D45343D42443D41303D45383D41373D41333D0A3D45343D42413D38363D45353D38443D38413D45353D41343D41393D45363D42303D39343D45343D42383D38443D45363D42303D3934

Write a small Python script to convert the hex:

# coding=utf-8
#--author:valecalida--
import binascii
s = '3D45353D39333D38383D45353D39333D38383D45353D39333D38383D45353D39333D38382C3D45343D42443D41303D45383D41323D41423D45393D41413D39373D45343D42413D38362C3D0A3D45343D42383D38443D45363D39383D41463D45383D42463D39393D45343D42383D41412C3D45353D42303D42313D45393D39373D41453D45343D42443D41303D45383D41373D41333D0A3D45343D42413D38363D45353D38443D38413D45353D41343D41393D45363D42303D39343D45343D42383D38443D45363D42303D3934'
print(binascii.a2b_hex(s).decode("utf8"))

The decoded result is:

=E5=93=88=E5=93=88=E5=93=88=E5=93=88,=E4=BD=A0=E8=A2=AB=E9=AA=97=E4=BA=86,=
=E4=B8=8D=E6=98=AF=E8=BF=99=E4=B8=AA,=E5=B0=B1=E9=97=AE=E4=BD=A0=E8=A7=A3=
=E4=BA=86=E5=8D=8A=E5=A4=A9=E6=B0=94=E4=B8=8D=E6=B0=94

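This is Quoted-printable encoding, so decode it with an online tool:

The challenge author tricked us, so this approach was wrong. Starting over and re-inspecting the page elements, there is a hint further down (our own fault for missing it). We URL-decode the string we found: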

# coding=utf-8
#--author:valecalida--

from urllib.parse import quote,unquote
str = '%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3D8F%3D8B%3DE5%3D96%3D84%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE6%3D96%3D
87%3DE6%3D98%3D8E%3DE5%3D8F%3D8B%3DE5%3D96%3D84%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE7%3D88%3DB1%3DE5%3D9B%3DBD%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3D8F%3D8B%3DE5%3D96%3D84%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3D
E5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DB9%3DB3%3DE7%3DAD%3D89%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3D8F%3D8B%3DE5%3D96%3D84%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE8%3D87%3DAA%3DE7%3D94%3DB1%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE7%3D88%3DB1%3DE5%3D9B%3DBD%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3D8F%3D8B%3DE5%3D96%3D84%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE5%3D85%3DAC%3DE6%3DAD%3DA3%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A'

print(unquote(str,'utf-8'))

Console output:

=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E6=96=87=E6=98=8E=E5=8F=8B=E5=96=84=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E6=96=87=E6=98=8E=E5=8F=8B=E5=96=84=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E5=92=8C=E8=B0=90=E7=88=B1=E5=9B=BD=E6=96=87=E6=98=8E=E5=8F=8B=E5=96=84=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E
5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E5=92=8C=E8=B0=90=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=B9=B3=E7=AD=89=E6=96=87=E6=98=8E=E5=8F=8B=E5=96=84=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E8=87=AA=E7=94=B1=E5=92=8C=E8=B0=90=E7=88=B1=E5=9B=BD=E6=96=87=E6=98=8E=E5=8F=8B=E5=96=84=E5=85=AC=E6=AD=A3=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=B0=91=E4=B8=BB=E5=92=8C=E8=B0=90=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A=E6=96=87=E6=98=8E=E8=AF=9A=E4=BF=A1=E6=96=87=E6=98=8E=E6=96=87=E6=98=8E=E5=AF=8C=E5=BC=BA=E5=92=8C=E8=B0=90=E5=85=AC=E6=AD=A3=E5=92=8C=E8=B0=90=E6=95=AC=E4=B8=9A

Decode it as Quoted-printable again:

和諧民主和諧民主和諧敬業文明誠信文明文明富強和諧民主和諧富強和諧自由文明誠信文明文明富強和諧自由和諧敬業文明誠信文明文明富強和諧民主和諧民主和諧公正文明誠信文明文明富強和諧民主和諧富強和諧民主文明友善公正文明富強和諧敬業和諧平等文明誠信文明文明富強和諧自由和諧敬業文明友善公正文明富強和諧民主和諧民主和諧平等文明誠信文明文明富強和諧敬業和諧平等文明誠信文明文明富強和諧民主和諧民主和諧平等文明誠信文明文明富強和諧自由和諧愛國文明友善公正文明富強和諧敬業和諧平等文明誠信文明文明富強和諧民主和諧富強和諧自由文明誠信文明文明富強和諧平等和諧文明文明誠信文明文明富強和諧民主和諧民主和諧富強文明誠信文明文明富強和諧民主和諧富強和諧富強文明誠信文明文明富強和諧民主和諧民主和諧平等文明友善公正文明富強和諧自由和諧愛國文明友善公正文明富強和諧民主和諧富強和諧敬業文明誠信文明文明富強和諧公正和諧敬業

Now it is much clearer: this is the socialist core values encoding, so decode it directly:

This gives:

119, 104, 49, 116, 101, 95, 49, 115, 95, 115, 48, 95, 104, 52, 110, 100, 115, 48, 109, 69

Reuse the earlier script to decode it:

# coding=utf-8
#--author:valecalida--

s = [119, 104, 49, 116, 101, 95, 49, 115, 95, 115, 48, 95, 104, 52, 110, 100, 115, 48, 109, 69]
flag = ''
for i in s:
    k = chr(i)
    flag += k
print("真真假假的flag是",flag)

Console output:

真真假假的flag是 wh1te_1s_s0_h4nds0mE
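
The whole decoding chain of this challenge in one script, as an added example that is not the writeup's or the challenge author's code: URL decoding, Quoted-printable, the core values encoding, then the decimal list. The word order and the rule for words 10 and 11 follow the commonly published scheme and agree with the data above (both 诚信文明 and 友善公正 decode to C, which produces the commas); SAMPLE is the first 17 words of the string in the writeup, and the function names are made up for this example.

```python
import quopri
from urllib.parse import unquote

# The twelve words, used as digits 0..11. The decoded bytes are Simplified
# Chinese, so the table uses the simplified forms.
VALUES = ["富强", "民主", "文明", "和谐", "自由", "平等",
          "公正", "法治", "爱国", "敬业", "诚信", "友善"]
INDEX = {word: i for i, word in enumerate(VALUES)}

# First 17 words of the URL-encoded string from the writeup.
SAMPLE = (
    "%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB"  # 和谐 民主
    "%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3DB0%3D91%3DE4%3DB8%3DBB"  # 和谐 民主
    "%3DE5%3D92%3D8C%3DE8%3DB0%3D90%3DE6%3D95%3DAC%3DE4%3DB8%3D9A"  # 和谐 敬业
    "%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE8%3DAF%3D9A%3DE4%3DBF%3DA1"  # 文明 诚信
    "%3DE6%3D96%3D87%3DE6%3D98%3D8E%3DE6%3D96%3D87%3DE6%3D98%3D8E"  # 文明 文明
    "%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90"  # 富强 和谐
    "%3DE6%3DB0%3D91%3DE4%3DB8%3DBB%3DE5%3D92%3D8C%3DE8%3DB0%3D90"  # 民主 和谐
    "%3DE5%3DAF%3D8C%3DE5%3DBC%3DBA%3DE5%3D92%3D8C%3DE8%3DB0%3D90"  # 富强 和谐
    "%3DE8%3D87%3DAA%3DE7%3D94%3DB1"                                # 自由
)


def core_values_to_hex(text: str) -> str:
    """Turn a run of two-character words back into hex digits.

    Words 0..9 are the digit itself. Word 10 (诚信) means "next word + 10"
    and word 11 (友善) means "next word + 6"; both spell the digits A..F.
    """
    if len(text) % 2:
        raise ValueError("input is not a whole number of two-character words")
    words = iter(text[i:i + 2] for i in range(0, len(text), 2))
    digits = []
    for word in words:
        if word not in INDEX:
            raise ValueError("not a core-values word: %r" % word)
        n = INDEX[word]
        if n >= 10:
            follow = next(words, None)
            if follow not in INDEX:
                raise ValueError("prefix word %r has no valid successor" % word)
            n = INDEX[follow] + (10 if n == 10 else 6)
            if not 10 <= n <= 15:
                raise ValueError("prefixed pair does not encode A..F")
        digits.append("%X" % n)
    return "".join(digits)


def decode_layers(url_encoded: str) -> str:
    """URL-decode, QP-decode, core-values-decode, then map codes to text."""
    qp = unquote(url_encoded)                                  # %3DE5 -> =E5
    words = quopri.decodestring(qp.encode("ascii")).decode("utf-8")
    listing = bytes.fromhex(core_values_to_hex(words)).decode("utf-8")
    return "".join(chr(int(x)) for x in listing.split(",") if x.strip())


if __name__ == "__main__":
    print(decode_layers(SAMPLE))
```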

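Challenge 4: The website was hacked

Scan for backend paths with Yujian (御劍), which gives:

Then visit http://106.13.64.168:1000/web6/shell.php, which gives:

Brute-force it with Burp Suite

This yields the password and the flag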

2. crypto

Challenge 1: crypto sign-in

6A616374667B6865785F69735F656173797D

Clearly hex to ASCII; here is a small Python script:

# coding=utf-8
#--author:valecalida--
import binascii
s = '6A616374667B6865785F69735F656173797D'
print(binascii.a2b_hex(s))

Console output:

jactf{hex_is_easy}

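Challenge 2: The Base family, three heroes against the demons!

The ciphertext is too long to include, so here is the script directly (taken from an hgame script; I could not have written it myself anyway......):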

import base64
f = open('1.txt','r')
flag = f.read()
def decode(flag):
    try:
        print(flag)
        flag=base64.b16decode(flag)
        decode(flag)
    except Exception as message:
        if str(message) == 'Non-base16 digit found':
            try:
                flag = base64.b32decode(flag)
                decode(flag)
            except:
                flag = base64.b64decode(flag)
                decode(flag)
decode(flag)

Console output:

The earlier output is too long to include; only the end is shown
b'MFWUM2TEI5NDOTSDNBUU42SSMZGXUSTGJVKFS4DGKE6T2==='
b'amFjdGZ7NChiNjRfMzJfMTYpfQ=='
b'jactf{4(b64_32_16)}'
b'jactf{4(b64_32_16)}'

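Challenge 3: easy_crypto

Personally I think this one just takes a flash of insight: once Morse code comes to mind, it is solved

Replace 0 with . and 1 with - to get: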

..-. .-.. .- --. ----.-- -- ----- .-. ... . ..--.- -.-. --- -.. . ..--.- .---- ... ..--.- .. -. - . .-. . ... - .---- -. ----. -.-.-- -----.-

Then decode it online to get the flag

flag{m0rse_code_1s_interest1n9!}

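Challenge 4: Caesar has mutated and started learning affine from day five (approach only)

First we get the ciphertext: fbsoXfYZ\dkU_[dX], and we are told that b=7, so the mapping table should be

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 1  2  3  4  5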

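Challenge 7: Are you short of money?

This is the challenge; here is the script directly (experts, please go easy: it is a rough script by a beginner, written only to get the job done)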

# coding=utf-8
#--author:valecalida--
import re
dangpumima = {'口':0,'由':1,'中':2,'人':3,'工':4, '大':5 ,'王':6,'夫':7,'井':8,'羊':9}
strings = ['夫工','羊夫','羊大','夫井','工羊','王夫','井工','井夫','羊大','夫王','大大']
s = ''
k = ''
results = []
for string in strings:
    for j in string:
        if j in dangpumima:
            k = dangpumima[j]
            s += str(k)
result = re.sub(r"(?<=\w)(?=(?:\w\w)+$)", ",",s)
results = result.split(",")
flag = 'jactf{'
for i in results:
    flag += chr(int(i))
print(flag + '}')

Console output:

jactf{Ja_N1CTW_L7}

 

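Challenge 8: Take a guess

The data starts with 504B, so it is a zip file. Save it as a hex file and import it to get the zip, then run AAPR with a weak-password dictionary:

Password found: 123456

Then extract the archive to get the flag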

jactf{daczcasdqwdcsdzasd}

 

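Challenge 10: RSA

The challenge gives a huge n, but no matter: the powerful factoring site still factored it....

Alternatively, factor it with yafu after saving n to rsa.txt: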

λ yafu-x64.exe "factor(@)" -batchfile rsa.txt

The factoring site is http://factordb.com/index.php

Save the two values, then use a script found online:

# coding=utf-8
#--author:valecalida--
import binascii
def egcd(a, b):
    if a == 0:
      return (b, 0, 1)
    else:
      g, y, x = egcd(b % a, a)
      return (g, x - (b // a) * y, y)
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
      raise Exception('modular inverse does not exist')
    else:
      return x % m

p=31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928997877221
q=31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928797450473
e=65537
c=168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848
d=modinv(e,(p-1)*(q-1))
n=966808932627497190635859236054960349099463975227350564265384373280336699853387254070662881265937565163000758606154308757944030571837175048514574473061401566330836334647176655282619268592560172726526643074499534129878217409046045533656897050117438496357231575999185527675071002803951800635220029015932007465117818739948903750200830856115668691007706836952244842719419452946259275251773298338162389930518838272704908887016474007051397194588396039111216708866214614779627566959335170676055025850932631053641576566165694121420546081043285806783239296799795655191121966377590175780618944910532816988143056757054052679968538901460893571204904394975714081055455240523895653305315517745729334114549756695334171142876080477105070409544777981602152762154610738540163796164295222810243309051503090866674634440359226192530724635477051576515179864461174911975667162597286769079380660782647952944808596310476973939156187472076952935728249061137481887589103973591082872988641958270285169650803792395556363304056290077801453980822097583574309682935697260204862756923865556397686696854239564541407185709940107806536773160263764483443859425726953142964148216209968437587044617613518058779287167853349364533716458676066734216877566181514607693882375533
m=pow(c,d,n)
print(hex(m))

This gives m:

666c61677b643166666572656e63655f6265747765656e5f705f416e645f715f31735f7430305f356d616c6c7d

Then convert it with a converter:

After getting the flag, the prefix flag has to be changed to jactf, so the final answer is:


jactf{d1fference_between_p_And_q_1s_t00_5mall}
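
The flag names the weakness: p and q are too close together (in the script above they differ only in their low-order digits). As an added example, not the script used in the writeup, Fermat's method shows why such a modulus factors almost immediately, and prime_gap_ok applies the FIPS 186-4 key-generation criterion |p - q| > 2^(nlen/2 - 100). The toy primes and all function names are constructed for this example.

```python
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Return (p, q) with p <= q and p * q == n, or None if max_steps runs out.

    Tries a = ceil(sqrt(n)), a + 1, ... until a*a - n is a perfect square b*b,
    because then n = (a - b) * (a + b). The number of steps needed is about
    (q - p)**2 / (8 * sqrt(n)), which is tiny when the primes are close.
    """
    if n % 2 == 0:
        return (2, n // 2)
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def recover_plaintext(n, e, c, max_steps=1_000_000):
    """Decrypt c without the private key if n falls to Fermat's method."""
    factors = fermat_factor(n, max_steps)
    if factors is None:
        return None
    p, q = factors
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return pow(c, d, n)


def prime_gap_ok(p, q, nlen):
    """Key-generation check: reject primes whose difference is too small.

    nlen is the bit length of the modulus; the criterion is only meaningful
    for real key sizes, so small toy values are refused.
    """
    if nlen < 1024:
        raise ValueError("criterion is defined for real key sizes only")
    return abs(p - q) > 2 ** (nlen // 2 - 100)


if __name__ == "__main__":
    # Constructed toy key: two primes that are only 30 apart.
    p, q, e = 1000003, 1000033, 65537
    n = p * q
    m = int.from_bytes(b"hi", "big")
    c = pow(m, e, n)
    print(fermat_factor(n))
    print(recover_plaintext(n, e, c).to_bytes(2, "big"))
    # Well-separated primes: the same search gives up within the step budget.
    print(fermat_factor(1000003 * 2147483647, max_steps=10_000))
```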

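Challenge 12: The founder of the Roman Empire

The given string is h^_o`[pZi^i`. Looking at the ASCII codes shows the offsets increase one step at a time. Here is the script; it is rather clumsy, so please bear with it, and I will fix it up when I am able to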

#coding=utf-8
#--author:valecalida--
# add 2, add 3, and so on until the end

nums = [2,3,4,5,6,7,8,9,10,11,12,13,14]
# strings = 'h^_o[pZi^i'
strings = 'h^_o`[pZi^i`'
flag = []
for string in strings:
    i = ord(string)
    flag.append(i)
print(flag)
final_flag = list(map(lambda x: x[0]+x[1],zip(flag,nums)))
print(final_flag)
qaq = ''
for j in final_flag:
    qaq = qaq + chr(j)

print(qaq)

Running it gives the flag, which is then adjusted to the flag format:

[104, 94, 95, 111, 96, 91, 112, 90, 105, 94, 105, 96]
[106, 97, 99, 116, 102, 98, 120, 99, 115, 105, 117, 109]
jactfbxcsium
jactf{bxcsium}

3. Misc

Challenge 1: sign-in

Nothing to explain, here is the flag:

jactf{welcome_to_JACTF}

Challenge 2: Theory practice

The flag directly:

flag{123}

Challenge 3: Damned tenderness

Inspect it with exiftool and a hint turns up:

root@cat:~/ctf# exiftool flag.jpg
ExifTool Version Number         : 10.10
File Name                       : flag.jpg
Directory                       : .
File Size                       : 17 kB
File Modification Date/Time     : 2019:07:30 22:47:25+08:00
File Access Date/Time           : 2019:07:30 22:47:39+08:00
File Inode Change Date/Time     : 2019:07:30 22:47:25+08:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
XP Comment                      : guess
Padding                         : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 175
Image Height                    : 220
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 175x220
Megapixels                      : 0.038

We can see the hint guess; among image steganography tools that can only be outguess, so run the command and get the flag:

root@cat:~/ctf# outguess -k 'guess' -r flag.jpg flag.txt
Reading flag.jpg....
Extracting usable bits:   11538 bits
Steg retrieve: seed: 206, len: 33
root@cat:~/ctf# cat flag.txt
jactf{jactf_guess_steganography}

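Challenge 4: What on earth is this

At a glance this is an encoding used earlier; decoding it shows it is 與佛論禪 ("Talking Zen with the Buddha") encoding,

which turns out to be the socialist core values encoding; decode it directly:

That gives the flag, jactf{hexin_yufo_qp}

Challenge 5: so_easy

The downloaded file is an exe but it will not run, so open it in Notepad: it is a string, and after some trial and error it decodes with base58

It is clearly a bmp image, so convert the base-encoded data straight to an image,

Scan it with a QR code scanner to get the flag: jactf{base58_base64_flag_very_easy}

Challenge 6: Little comb, I will only ever love you

The download is a Wi-Fi handshake capture, and the hint makes it obvious that the dictionary is phone numbers, so generate the dictionary in Kali: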


root@kali:~# crunch 11 11 -t 138364%%%%% -o /root/Desktop/dict.txt
Crunch will now generate the following amount of data: 1200000 bytes
1 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 100000

crunch: 100% completed generating output

With the dictionary generated, just run the brute force:

root@kali:~/Desktop# aircrack-ng -w /root/Desktop/dict.txt 2.cap
Opening 2.capts, please wait...
Read 45880 packets.

   #  BSSID              ESSID                     Encryption

   1  0A:69:6C:9D:2D:97  CMCC-WEB                  None (0.0.0.0)
   2  0C:D8:6C:15:5D:AE  喔雄帥                 No data - WEP or WPA
   3  0C:D8:6C:93:D0:82  FAST_D082                 No data - WEP or WPA
   4  0E:69:6C:9D:3B:BF                            None (100.177.92.91)
   5  0E:69:6C:9D:47:2B                            None (100.177.92.112)
   6  12:69:6C:9D:2D:97  CMCC-FJ                   None (0.0.0.0)
   7  20:6B:E7:15:DD:5D  is you dad                No data - WEP or WPA
   8  20:6B:E7:78:3B:42  Necros                    No data - WEP or WPA
   9  50:BD:5F:8C:A6:E4  MERCURY_A6E4              WPA (0 handshake)
  10  60:EE:5C:46:C8:F0  愛睡覺的夜貓子~    No data - WEP or WPA
  11  60:EE:5C:4E:98:76  皮皮王                 No data - WEP or WPA
  12  B4:0F:3B:D0:7D:90  Tenda_D07D90              WPA (1 handshake)
  13  C8:3A:35:D5:24:78  T216私用                No data - WEP or WPA
  14  D8:32:14:47:7E:C8  mbd                       No data - WEP or WPA
  15  D8:FE:E3:CF:69:55  D-Link_DIR-613            No data - WEP or WPA

Index number of target network ? 12

Opening 2.capts, please wait...
Read 45880 packets.

1 potential targets

                              Aircrack-ng 1.5.2

      [00:00:04] 10216/99999 keys tested (2242.51 k/s)

      Time left: 40 seconds                                     10.22%

                       Current passphrase: 13836410017


      Master Key     : 62 E5 42 2E 5B 37 4A C2 A4 57 BF 15 23 DE 0F 6D
                       25 86 67 74 E6 A9 DE 73 21 13 E0 DC 28 7D 58 5F

      Transient Key  : 54 CC 8F 47 73 49 15 77 40 95 3D 3D 54 EF 0A 4A
                       A8 0B 70 8D 2B 09 18 D0 6A C9 CE 0B 51 BF 1B D3
                       29 C8 99 2D 2F CA 4C 47 28 54 FA E0 CE CF 24 E9
                       33 8D E1 D4 4E D5 8F 09 11 04 8E 86 51 2D FA B1

      EAPOL HMAC     : 37 0C F7 D7 16 E2 AC 59 5D 01 04 9A F0 0B 68 80



      [00:00:48] 100004/99999 keys tested (1162.17 k/s)

      Time left: 0 seconds                                     100.00%

                          KEY FOUND! [ 13836458932 ]


      Master Key     : 3F 0F 4E C5 E9 36 83 8D 84 2C 6B 94 5E 2A 50 20
                       93 3F 25 6D 42 CB F9 E9 71 C5 CD 1D E0 E3 7E 33

      Transient Key  : 8B 8B 8B 8B DE D1 C0 53 62 7E B9 D6 DB 8E F9 D6
                       B9 56 DD B9 E3 5E 95 BB 50 E5 55 D5 17 47 96 8A
                       56 1A E7 87 6F 51 95 6D E4 0D 85 E3 45 E4 60 27
                       E1 2A E4 64 F4 AB CE 5E 65 D1 AA 51 B0 DD 4B E7

      EAPOL HMAC     : BD 74 52 8F CE DF 73 A9 92 35 EB BF BB 06 00 70

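The phone number has been recovered, which is the flag: jactf{13836458932}

Challenge 7: No good, another sign-in

The flag is: jactf{051bb6f64e70cc8766d62c3ea008eaee}

Challenge 8: It really is not an image

With the image in hand, first check whether it hides any files; there is a zip: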

root@cat:~/ctf# binwalk misc.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91            0x5B            Zlib compressed data, compressed
140598        0x22536         End of Zip archive

root@cat:~/ctf# file misc.png
misc.png: PNG image data, 824 x 639, 8-bit/color RGB, non-interlaced

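The image is a png whose data ends with 42 60 82; split it in 010 Editor to get one png and one zip,

Extracting the zip yields subject.zip; extracting that one asks for a password,

When we saved the archive earlier, its header was ja66, which fits the challenge well. Using that as the password extracts it successfully. The txt files inside then need to be combined; there are 32 in total, far too many to handle by hand, so here is a script: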

# official script
import base64
flag = ''
for i in range(32):
        f = open('./subject/' + str(i) +'/' + str(i) + '.txt','r')
        flag += f.read()
print(base64.b64decode(flag))
# my own script
#/usr/bin/env python3
# -*- coding: utf-8 -*-
#--author:valecalida--
import base64
import os
flag = ''
for filename in range(32):
    f = open('subject/' + str(filename) + '/' + (str(filename) + '.txt'))
    key = f.read()
    flag += key
print(base64.b64decode(flag))

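I suddenly realised that after revising my script it is about the same as the official one...., the official one is still the simplest...

Challenge 9: Repair the QR code

pass

Challenge 10: Steganography

The download is hello.exe. Open it in IDA and press Shift + F12 to enter the strings view, where we find the ciphertext: U2FsdGVkX19EEyvXloCK7ovgV04fyMsIci538oHIQnJ24ItaGk7oGrkoaYpU6L90

Analyse the file with binwalk on Linux. The result below shows a png image appended at the end: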

root@cat:~/ctf# binwalk hello.exe

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
......
73757         0x1201D         Unix path: /crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
74581         0x12355         Unix path: /crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
77858         0x13022         Unix path: /crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
78562         0x132E2         Unix path: /crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
79517         0x1369D         Unix path: /crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
127581        0x1F25D         PNG image, 1890 x 1161, 8-bit/color RGB, non-interlaced
127672        0x1F2B8         Zlib compressed data, compressed

Extract it and change the height from 04 89 to 05 89 to reveal the key; 0xA is 10. Decrypt with an online AES tool to get the flag

flag:jactf{hey_y0u_are_right}
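
Two PNG tricks appear in this section: data appended after the image's end marker (Challenge 8, where the PNG data ends with 42 60 82) and an edited height field (Challenge 10). As an added example, not code from the writeup, the script below walks the PNG chunk list, reports chunks whose CRC no longer matches and any bytes after IEND, and recovers the height that the stored IHDR CRC was computed for. The sample image is constructed inline and all function names are made up for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def inspect_png(blob: bytes) -> dict:
    """Walk the chunks; report CRC mismatches and bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, bad_crc, ihdr = len(PNG_SIG), [], None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk at offset %d" % pos)
        data = blob[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(ctype + data) != stored:
            bad_crc.append(ctype.decode("ascii", "replace"))
        if ctype == b"IHDR":
            ihdr = (data, stored)
        pos = end
        if ctype == b"IEND":      # IEND's CRC bytes are AE 42 60 82
            break
    return {"bad_crc": bad_crc, "ihdr": ihdr, "trailing": blob[pos:]}


def recover_height(ihdr_data: bytes, stored_crc: int, limit: int = 10000):
    """Find the height the stored IHDR CRC was computed for.

    Assumes only the 4-byte height field was edited after the CRC was written.
    """
    for height in range(1, limit + 1):
        candidate = ihdr_data[:4] + struct.pack(">I", height) + ihdr_data[8:]
        if zlib.crc32(b"IHDR" + candidate) == stored_crc:
            return height
    return None


def build_sample() -> bytes:
    """Constructed 4x3 RGB PNG with a lowered height and an appended record."""
    width, height = 4, 3
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    png = (PNG_SIG + make_chunk(b"IHDR", ihdr)
           + make_chunk(b"IDAT", zlib.compress(rows))
           + make_chunk(b"IEND", b""))
    off = len(PNG_SIG) + 8 + 4               # offset of the height field
    tampered = png[:off] + struct.pack(">I", 2) + png[off + 4:]
    # An empty zip "end of central directory" record appended after IEND.
    return tampered + b"PK\x05\x06" + b"\x00" * 18


if __name__ == "__main__":
    report = inspect_png(build_sample())
    print("bad CRC:", report["bad_crc"])
    print("bytes after IEND:", len(report["trailing"]))
    print("height matching stored CRC:", recover_height(*report["ihdr"]))
```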

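Challenge 11: Do you know bitcoin?

Challenge 12: Doubting life

First extract the three files. Brute-forcing the first file gives the password: password

Extracting it gives the string: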

XHU2Nlx1NmNcdTYxXHU2N1x1N2JcdTY4XHU2MVx1NjNcdTZiXHU2NVx1NzI=

Base64-decode it:

\u66\u6c\u61\u67\u7b\u68\u61\u63\u6b\u65\u72

Unicode-decode it to get the first part of the flag:

flag{hacker

binwalk splits an archive out of CTF2.jpg; inside is Ook! cipher text, so decode it directly

3oD54e

That is the second part. The third part is a QR code; scanning it gives:

12580}
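After base58 decoding it is: misc

The complete flag:

flag{hackermisc12580}

Challenge 13: Want to do a jigsaw?

Take the images and piece them together

The pieces are not joined very well and there is still a seam in the middle, but it no longer prevents recognition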

# base64 decoding
>>> import base64
>>> s = 'aGFoYSFwYXNzd29yZA=='
>>> base64.b64decode(s)
b'haha!password'

With the password in hand, analyse the original image:

root@kali:~/Desktop# binwalk unspecial.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8
48215         0xBC57          RAR archive data, version 5.x

root@kali:~/Desktop# dd if=unspecial.jpg of=1.rar skip=48215 bs=1
4537+0 records in
4537+0 records out
4537 bytes (4.5 kB, 4.4 KiB) copied, 0.033055 s, 137 kB/s

This gives 1.rar; extract it

Run the script to get the flag

import base64
flag = ''
for i in range(30):
        f = open('./flag/' + str(i) +'/' + str(i) + '.txt','r')
        flag += f.read()

print(flag)
λ python solve.py
jactf{w0w_This_is_zhe_answer!}

 

 

 

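Challenge 18: What did you do to my website

With the packet capture, apply the filter: http contains "flag"

Follow the stream to get the string: eJxLy0lMrw6NTzPMS4n3TVWsBQAz4wXi

Write a small Python script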

import zlib
import base64
s = 'eJxLy0lMrw6NTzPMS4n3TVWsBQAz4wXi'
print(zlib.decompress(base64.b64decode(s)))

Console output:

b'flag{U_f1nd_Me!}'

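Challenge 19: Triple gift for Spring Festival (this challenge will probably be taken down; I do not recommend spending time on it)

Undo the zip pseudo-encryption, which turns up two flags, then extract the files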

C:\Users\valecalida\Desktop\掘安CTF\MISC\春節三重禮
λ java -jar ZipCenOp.jar r infosec.zip
success 2 flag(s) found

In addition, viewing the file in decimal shows appended data:

Base64-decoding it gives:

λ python
Python 3.7.2 (tags/v3.7.2:9a3ffc0492, Dec 23 2018, 23:09:28) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> s = 'a2V5MTpIQGNrM3I='
>>> base64.b64decode(s)
b'key1:H@ck3r'

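For the second part, write a script to compare the 20-odd files and pick out the socialist core values encoding, which gives key2

For the third part, modify the height of the png file; an attached NTFS stream gives key3

In the end none of the three keys were actually used, so this challenge may be taken down; this just records the approach

The final flag here is: flag{md5(key1+key2+key3)}

3. Reverse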

1

2

3

4

5

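Challenge 6: py

Download python_en.pyc locally. Decompiling it directly with the online tool https://tool.lu/pyc/ fails. Comparing python_en.pyc with another pyc file shows that four header bytes are missing: 6A C4 16 5D. Add them back and decompile again, and this time it succeeds: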

#!/usr/bin/env python
# encoding: utf-8
print '[-]Please input your key:'
key = raw_input()
flag = "=Xm/>*<&?*=+:)k)='@)<.@-n)mZn.<"
flags = ''
for q in range(len(key)):
    if q % 2 == 0:
        flags += chr(ord(key[q]) + 10)
        continue
    flags += chr(ord(key[q]) - 10)

if flags == flag:
    print '[-]Good!'
else:
    print '[-]Wrong!'

This code is written for Python 2. After auditing it, I adapted it to Python 3 and then wrote the inverse program

flag = "=Xm/>*<&?*=+:)k)='@)<.@-n)mZn.<"
flags = ''
for i in range(len(flag)):
    if i % 2 == 0:
        flags += chr(ord(flag[i]) - 10)
        continue
    flags += chr(ord(flag[i]) + 10)
print(flags)

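This gives the flag: 3bc94420543503a331632867d3cdd82

This article will continue to be updated

Challenge 12: disk

Download it and load it into DiskGenius to get an image and desktop.ini

Copy them out, then check the image properties for a hint:

It is jjdecode/aadecode; decoding gives the flag:

When submitting, flag has to be changed to jactf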

 
