XMUTCTF 2021 Writeup 0x1

Rank2

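A school's campus CTF, posted on the blog as filler. (Why filler? The challenges are very basic; anyone interested in CTF can take a look.)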

Misc

Sign-in

The date the team was founded

word

Recolor the text in the Word document

flag{code_monster_word_hide}

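Oh? The team logo! (2)

Looking at the file header, it is FF D8 FF E0 (JPEG format). Change the extension and you get a little dinosaur.

Finally, right-click and open Properties to get the flag.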

pdf

A familiar PDF challenge: convert it to Word and move the image out of the way.

flag{xmutsec_pdf_hide}

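Are you familiar with programs?

Running the program prints Maybe flag in Resource! Open it with Resource Hacker.

A hex-encoded flag is found in the form's Label.

Decoding it gives half of the flag: a_nice_place}

Finally, the other half of the flag, reversed, is found at the end of the file.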

flag{this_is_a_nice_place}

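Gotham Nightmare

Open it in a hex editor: the file header has been modified. Scroll to the end of the file and enter the correct value.

Extract the archive. Looking closely at the result, you can spot the contents of password.txt.

Decoding chain: Hex -> Str -> base32 -> base64. The decoded value is the password for 第二重梦境.zip.

Password: getan

第二重梦境.zip contains emo.zip (password-protected).

After digging around for ages, I found the password at the end of the file ╰(‵□′)╯

Extracting it gives a video; a BV number appears at frame 47 of the video.

Go to the video's address and check the comment board to get the flag.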

flag{This_is_a_getan_emeng}

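Can you wash your hair in a handstand?

Opening the challenge file shows a pile of hexadecimal.

Open it in WinHex and scroll to the end: the file header there is a zip header. Reverse every two characters, then reverse the whole string.

exp

```python
# Walk the hex string from the end, two characters (one byte) at a time.
# This equals reversing each pair and then reversing the whole string.
data = "那坨hex"  # placeholder: paste the hex dump from the challenge file here
flag = ""
for i in range(len(data), 0, -2):
    t = data[i-2:i]
    flag = flag + t
print(flag)
```

After running the script, extract the resulting archive to get an image. The image contains the flag.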

flag{xmut_sec_daoli_xitou}

Simple traffic analysis

The challenge gives a list of key codes; just write a script to run through it.

```
0009
000f
0004
000a
202f
201C
0027
0018
002D
2004
0015
0008
002D
0019
0008
0015
001C
002D
0011
001E
0006
0008
2030
```

exp

```python
# Each entry is two bytes of a USB HID keyboard report:
# the modifier byte followed by the key usage ID.
key="0009 000f 0004 000a 202f 201C 0027 0018 002D 2004 0015 0008 002D 0019 0008 0015 001C 002D 0011 001E 0006 0008 2030"
# Usage ID -> character with no modifier held
normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
    "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
    "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
    "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
    "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
    "22":"5", "23":"6","24":"7","25":"8","26":"9",
    "27":"0","28":"","29":"","2a":"", "2b":"\t",
    "2c":"","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
    "32":"","33":";","34":"'","35":"","36":",","37":".",
    "38":"/","39":"","3a":"","3b":"", "3c":"","3d":"",
    "3e":"","3f":"","40":"","41":"","42":"","43":"",
    "44":"","45":""}
# Usage ID -> character with Shift held
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
    "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
    "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
    "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
    "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
    "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
    "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
    "28":"","29":"","2a":"", "2b":"\t","2c":"",
    "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"","33":"\"",
    "34":":","35":"","36":"<","37":">","38":"?","39":"","3a":"",
    "3b":"", "3c":"","3d":"","3e":"","3f":"","40":"",
    "41":"","42":"","43":"","44":"","45":""}
a = key.split(' ')
flag = ""
for entry in a:
    t = entry.lower()
    # Modifier byte 0x20 (Right Shift) means the shifted table applies.
    if t[:2] == "20":
        flag += shiftKeys[t[2:]]
    else:
        flag += normalKeys[t[2:]]
print(flag)
```

flag{Y0u-Are-very-n1ce}

Reviewing logs, is that all?

Open the file: a pile of logs.

Where the status is 500, a Base64-encoded string appears; decoding it gives the flag.

flag{YouShouJiuXing}
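
The check described above (filter the log for status 500, then decode any Base64 in the request), as an added example that is not part of the original post. The log format (Combined Log Format), the position of the token in the query string and every sample line are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Assumed layout: ip - - [time] "request" status size
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
# Runs of Base64 alphabet long enough to be worth decoding
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def make_sample():
    """Constructed log lines; one status-500 request carries a Base64 token."""
    token = base64.b64encode(b"flag{constructed_sample}").decode()
    return [
        '10.0.0.5 - - [27/Oct/2021:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512',
        '10.0.0.5 - - [27/Oct/2021:10:00:02 +0800] "GET /admin HTTP/1.1" 404 128',
        f'10.0.0.5 - - [27/Oct/2021:10:00:03 +0800] "GET /index.php?id={token} HTTP/1.1" 500 64',
        '10.0.0.5 - - [27/Oct/2021:10:00:04 +0800] "GET /static/app.js HTTP/1.1" 200 2048',
        'malformed line without a status field',
    ]


def decode_500_payloads(lines):
    """Return printable strings decoded from Base64 tokens in status-500 requests."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "500":
            continue  # unparsable line or a status we are not interested in
        for tok in B64_RE.findall(unquote(m.group("request"))):
            padded = tok + "=" * (-len(tok) % 4)
            try:
                text = base64.b64decode(padded, validate=True).decode("ascii")
            except ValueError:
                continue  # looked like Base64 but is not decodable ASCII
            if text.isprintable():
                found.append(text)
    return found


if __name__ == "__main__":
    print(decode_500_payloads(make_sample()))
```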

Can you crack passwords?

Open the flag file and you find the flag (Base64-encoded).

Just run a script on it.

exp

```python
import base64

# Comma-separated Base64 chunks from the flag file; each decodes to one line of hex bytes.
data="MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDA=,NTAgNEIgMDMgMDQgMTQgMDAgMDEgMDAgMDAgMDAgMzIgOUYgN0MgNTMgMkQgMEQ=,NDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDAgMDAgMDggMDAgMDAgMDAgNjYgNkM=,NjEgNjcgMkUgNzQgNzggNzQgMjcgMEEgNTcgM0QgMDEgOUUgMjYgMDIgQUUgN0U=,REMgQjIgMTkgQjYgNDEgNUUgQzkgMzUgM0YgMDEgQkMgNjIgNEMgOUUgN0QgRUE=,OUYgMDUgNEQgMDcgMUIgOTEgMkYgODMgNDUgNTIgRUYgREEgOTQgRjMgNjYgNDM=,Q0IgQjYgMTggRkEgQjAgNTAgNEIgMDEgMDIgM0YgMDAgMTQgMDAgMDEgMDAgMDA=,MDAgMzIgOUYgN0MgNTMgMkQgMEQgNDYgNkMgMkYgMDAgMDAgMDAgMjMgMDAgMDA=,MDAgMDggMDAgMjQgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMjAgMDAgMDAgMDAgMDA=,MDAgMDAgMDAgNjYgNkMgNjEgNjcgMkUgNzQgNzggNzQgMEEgMDAgMjAgMDAgMDA=,MDAgMDAgMDAgMDEgMDAgMTggMDAgNDkgNkMgRUEgMjEgNEYgRTQgRDcgMDEgMjQ=,MEEgMTUgODQgNEYgRTQgRDcgMDEgMjYgNDMgQkYgMTYgNEYgRTQgRDcgMDEgNTA=,NEIgMDUgMDYgMDAgMDAgMDAgMDAgMDEgMDAgMDEgMDAgNUEgMDAgMDAgMDAgNTU=,MDAgMDAgMDAgMDAgMDA="
a = data.split(',')
for chunk in a:
    # Print the hex text of each chunk; together the lines are the zip mentioned below.
    flag = base64.b64decode(chunk).decode("utf-8")
    print(flag)
```

This finally yields a zip.

Just run john on the shadow file; the password is: e10adc3949ba59abbe56e057f20f883e

flag(welcome_to_the_codemonsterCTF}

Crypto

A lunch

Bacon's cipher: replace 阿 with A and 巴 with B, and that's it.

flag{peigenbuhaochi}

Advanced mathematics

Calculus problems... the senior's handwriting is really nice.

(1)

$$\lim\limits_{x \to 0}\frac{\sin x-\tan x}{(\sqrt[3]{1+x^2}-1)(\sqrt{1+\sin x}-1)}$$

(2)

$$\lim\limits_{x \to 0}\frac{\tan x-\sin x}{x^3}$$

(3)

$$\lim\limits_{x \to 0}\frac{\tan x-x}{x-\sin x}$$

(4)

$$\lim\limits_{x \to 1}\frac{x-x^x}{1-x+\ln{x}}$$

(5)

$$\lim\limits_{x \to 0}x^{\sin{x}}$$

flag{-3-1/2-2-2-1}

flag{-3-0.5-2-2-1}

Linear algebra

(1)

$$\begin{vmatrix}
1 & 2 & 3 \\
3 & 1 & 2 \\
2 & 3 & 1 \\
\end{vmatrix}$$

$$1\cdot1\cdot1+3\cdot3\cdot3+2\cdot2\cdot2-3\cdot1\cdot2-2\cdot3\cdot1-2\cdot3\cdot1=18$$

(2)

$$\begin{pmatrix}
1 & 1 & 2 \\
1 & -1 & 0 \\
\end{pmatrix}
\begin{pmatrix}
3 & 4 \\
5 & 4 \\
2 & 7 \\
\end{pmatrix}$$

easy_rsa

Given q, p, c and e:

```
q= 9961202707366965556741565662110710902919441271996809241009358666778850435448710324711706845973820669201482939820488174382325795134659313309606698334978471
p= 12525187149887628510447403881107442078833803097302579419605689530714690308437476207855511625840027119860834633695330551080761572835309850579517639206740101
c= 99825057183614908787750492272634823904256549969848320330845017733290231024958858406831408456826620972650757755414065865320048636359693704223195650116200245278927814135297919980128020846659999925380668668207081398871867586714713412635145486121523684408692869804472866624405914184425850720049825033051018623742
e = 65537
```

This one is not hard: compute n, then compute d.

```python
import gmpy2

# Values given by the challenge
q = 9961202707366965556741565662110710902919441271996809241009358666778850435448710324711706845973820669201482939820488174382325795134659313309606698334978471
p = 12525187149887628510447403881107442078833803097302579419605689530714690308437476207855511625840027119860834633695330551080761572835309850579517639206740101
c = 99825057183614908787750492272634823904256549969848320330845017733290231024958858406831408456826620972650757755414065865320048636359693704223195650116200245278927814135297919980128020846659999925380668668207081398871867586714713412635145486121523684408692869804472866624405914184425850720049825033051018623742
e = 65537

n = q * p                               # modulus
d = gmpy2.invert(e, (p-1)*(q-1))        # private exponent: inverse of e modulo (p-1)(q-1)
m = pow(c, d, n)                        # decrypt the ciphertext
print(hex(m))
```

flag{xmut_sec_rsa_fun}

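The base family under socialism

This mainly tests Core Socialist Values encoding (SC+999999999999999999999999999999999999999)

Decoding gives: SFJ4Ukw3a3drcDlvNUFNZ1NMeDFGVjVNcmZkYUFqYXc5RVBqaVBrTlFtelBj

This string is Base64. Then, following the challenge's hint about the big base family (base1-100), try decoding with all of them; the final decoding order is base58 -> base85 -> base92.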

flag{family_is_base}

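Symmetric encryption

Background: common symmetric ciphers include DES, AES, RC and Rabbit.

The challenge here uses DES in ECB mode.

Extract the archive.

Ook! encoding; decoding it gives the password: crypto. After extracting, scan each of the codes.

Code1: BuB+pJN5H0UFTZ02R+

Code2: IMCYZ0YvimZWU49h8Nh2IXyPtB6YdfmlV7V79/VxVzw+bx

Password: XMUTSEC

Final result: flag{this_a_des_code}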

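Exploring the medieval castle

Challenge description (spot the hints)

The young emperor led 64 Huangjia knights through the double fence and captured the city.

```
ReX7vPFqQd9nOYXfQN9zt2XftYvrQeFhRPJxsO53teJlv259
```

After Caesar decryption you get

```
fa{usrb_oXaga_aoaglgsbciet_inwndmwn}
```

Finally, set the number of rails to 2.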

flag{subscribe_to_Xiangwan_damowang}
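
The full decoding chain for this challenge, as an added example that is not part of the original post: a Caesar shift over the letters of the ciphertext, then Base64, then a 2-rail fence. It assumes the "64" in the description refers to Base64 and finds the shift by trying all 26 values, since the post does not state it; the function names are illustrative.

```python
import base64
import string

# Ciphertext copied from the challenge description above.
CIPHERTEXT = "ReX7vPFqQd9nOYXfQN9zt2XftYvrQeFhRPJxsO53teJlv259"


def caesar(text, shift):
    """Rotate ASCII letters by `shift`, keeping case; digits and symbols pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def rail_fence_2_decode(text):
    """Undo a 2-rail fence: the first half holds even positions, the second half odd ones."""
    half = (len(text) + 1) // 2
    out = [""] * len(text)
    out[0::2] = text[:half]
    out[1::2] = text[half:]
    return "".join(out)


def solve(ciphertext, prefix="flag{"):
    """Try all 26 shifts; return (shift, intermediate, plaintext) for the first hit."""
    for shift in range(26):
        try:
            raw = base64.b64decode(caesar(ciphertext, shift), validate=True)
            middle = raw.decode("ascii")
        except ValueError:
            continue  # not valid Base64, or not ASCII text, under this shift
        plain = rail_fence_2_decode(middle)
        if plain.startswith(prefix):
            return shift, middle, plain
    return None


if __name__ == "__main__":
    print(solve(CIPHERTEXT))
```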

Author: IceCliffs

Published: 2021-10-27

Updated: 2023-10-28
