答应我，以后打比赛不要带着情绪打好吗？

-rYu1nser

时隔4个月又来打CTF了，啊，要死要死，菜的要死

decrypt_it

流量包抓大头，跟踪TCP协议，提取出脚本

脚本如下

脚本不难，具体加密流程就是enc随机数组选一个值然后index放在编码后的最前面

大概这个样子

• 如果 enc = 1
  • 1base64en(str)
• 或者 enc = 2
  • 2caesar(str)
• 或者 enc = 3
  • 3rot13(str)

import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
	_rot13 = string.maketrans( 
    	"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", 
    	"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
	return string.translate(s, _rot13)

def b64e(s):
	return b64encode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
	tmp = '2{}'.format(b64encode(pt))
	for cnt in xrange(cnt):
		c = random.choice(enc_ciphers)
		i = enc_ciphers.index(c) + 1
		_tmp = globals()[c](tmp)
		tmp = '{}{}'.format(i, _tmp)

	return tmp

if __name__ == '__main__':
	print encode(FLAG,

解码脚本如下

import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
	_rot13 = string.maketrans( 
    	"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", 
    	"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
	return string.translate(s, _rot13)

def b64e(s):
	return b64encode(s)

def b64d(s):
	return b64encode(s)

def caesard(plaintext, shift=-3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=1):
	tmp = '2{}'.format(b64encode(pt))
	for cnt in xrange(cnt):
		c = random.choice(enc_ciphers)
		print(c)
		i = enc_ciphers.index(c) + 1
		print(i)
		_tmp = globals()[c](tmp)
		print(_tmp)
		tmp = '{}{}'.format(i, _tmp)
	return tmp
def decode(pt):
	if (str(pt).startswith("2")):
		pt = b64decode(pt[1:])
		return pt
	elif(str(pt).startswith("3")):
		pt = caesard(pt[1:])
		return pt
	elif(str(pt).startswith("1")):
		pt = rot13(pt[1:])
		return pt

for i in range(100):
    flag = decode(flag)
    print(flag)

跑一下就好了

shell

流量包分离 flag.zip 压缩包

密码在流浪包最后一个位置，密码为 VVvv__==++--

解压获得flag

注入分析

比较暴力，时间=1说明执行成功，时间=3说明执行失败，写个脚本跑一下

# -*- coding: utf-8 -*-
# @Author: rYu1nser
# @Date:   2023-04-11
# @Last Modified by:   rYu1nser
# @Last Modified time: 2023-04-11
from datetime import datetime
import urllib.parse
date_format = '%d/%b/%Y:%H:%M:%S %z'
with open('log', 'r') as f:
    last_line = None
    last_time = None
    for line in f:
        if last_time is not None:
            current_time_str = line.split('[')[1].split(']')[0]
            current_time = datetime.strptime(current_time_str, date_format)
            time_difference = current_time - last_time
            if time_difference.total_seconds() < 3:
                s= urllib.parse.unquote(last_line)
                print(s[143:])
        last_line = line
        last_time_str = line.split('[')[1].split(']')[0]
        last_time = datetime.strptime(last_time_str, date_format)

结果

flag{62f4ca6cf1654106e3555c4cc2cf4087}