BaseCTF week3 (web & misc) writeup
2024-10-05 19:00:05
BaseCTF week3
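Misc
[Week3] 白丝上的flag (The flag on the white stockings)
Description: A challenge author ran into signal interference while handing out the flag. Luckily we found the image from before the flag was written on an obscure little website; try to recover the information!
Hint: the flag is a single colour
Attachment: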
```python
#task.py
from PIL import Image
from random import randint
import sys

def ez_add(a,b,c,d):
    # One round: drop a, shift the other channels left and append a running-sum byte.
    global iv
    h = (a+b+c+d+iv) % 256
    e = b
    f = c
    g = d
    iv = (b+c+d+iv) % 256
    return e,f,g,h

def confuse(data):
    # Eight rounds per pixel; iv is global, so it carries over from pixel to pixel.
    r,g,b,a = data
    for _ in range(8):
        r,g,b,a = ez_add(r,g,b,a)
    return r,g,b,a

def confuse_image(flag):
    global iv
    # The starting iv is the red channel of pixel (1,1) of the original image.
    iv = flag.getpixel((1,1))[0]
    img = Image.new('RGBA', (flag.width, flag.height))
    for w in range(img.width):
        for h in range(img.height):
            img.putpixel((w, h), confuse(flag.getpixel((w,h))))
    return img

if __name__ == '__main__':
    iv = 0
    flag = Image.open("./de_image.png")
    img = confuse_image(flag)
    img.save("en_image.png")
```
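Decryption approach:
- Reverse the confuse function: confuse only performs simple additions on each pixel, so it can be undone by applying the inverse operations.
- Property of monochrome images: every pixel of a monochrome image has identical R, G and B values, which can be used to simplify decryption.
Script: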
```python
from PIL import Image

def ez_sub(h, e, f, g):
    # Subtract the other three channels and the running iv from the first channel.
    global iv
    a = (h - e - f - g - iv) % 256
    iv = (e + f + g + iv) % 256
    return a

def unconfuse(data):
    # Only the red channel is rewritten; g, b and a are passed through unchanged.
    r, g, b, a = data
    for _ in range(8):
        r = ez_sub(r, g, b, a)
    return r, g, b, a

def unconfuse_image(img):
    global iv
    # Seed iv from the red channel of pixel (1,1) of the encrypted image.
    iv = img.getpixel((1, 1))[0]
    flag = Image.new('RGBA', (img.width, img.height))
    for w in range(img.width):
        for h in range(img.height):
            flag.putpixel((w, h), unconfuse(img.getpixel((w, h))))
    return flag

if __name__ == '__main__':
    iv = 0
    img = Image.open("en_image.png")
    flag = unconfuse_image(img)
    flag.save("de_image_decrypted.png")
```
This produces de_image_decrypted.png; open it in Stegsolve.jar and view red plane 0
to find the flag
BaseCTF{there_1s_the_flag@}
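An exact inverse of task.py's transform, as an added example (not the challenge's or the official solution's code): in each round h = a + iv_after, so a round can be undone once the iv after it is known, and since the final iv is a single byte all 256 values are tried and checked against the seed pixel. It works on plain RGBA tuples in task.py's traversal order; the function names, the grey-pixel tie-break and the sample image are assumptions of this example.

```python
# Added example: exact inverse of task.py's per-pixel transform.
# Pixels are RGBA tuples listed in task.py's traversal order (w outer, h inner).

def encrypt_pixels(pixels, iv_index):
    """task.py's confuse_image on a flat list; returns (ciphertext, final iv)."""
    iv = pixels[iv_index][0]              # task.py seeds iv from pixel (1,1)'s red
    out = []
    for r, g, b, a in pixels:
        for _ in range(8):
            h = (r + g + b + a + iv) % 256
            iv = (g + b + a + iv) % 256
            r, g, b, a = g, b, a, h
        out.append((r, g, b, a))
    return out, iv


def invert_pixels(cipher, iv_final):
    """Undo encrypt_pixels given the iv left after the last pixel.

    In one round h = a + iv_after, so the dropped channel is h - iv_after,
    and iv_before = iv_after - (e + f + g).
    """
    iv = iv_final
    plain = []
    for e, f, g, h in reversed(cipher):   # walk the iv chain backwards
        for _ in range(8):
            a = (h - iv) % 256
            iv = (iv - e - f - g) % 256
            e, f, g, h = a, e, f, g
        plain.append((e, f, g, h))
    plain.reverse()
    return plain, iv                      # iv is now the starting iv


def grey_count(pixels):
    """Number of pixels with r == g == b (the 'monochrome' property)."""
    return sum(1 for r, g, b, _ in pixels if r == g == b)


def recover(cipher, iv_index):
    """Try all 256 final-iv values; keep self-consistent results, greyest first."""
    candidates = []
    for guess in range(256):
        plain, iv_start = invert_pixels(cipher, guess)
        if plain[iv_index][0] == iv_start:    # must match the seed pixel
            candidates.append(plain)
    candidates.sort(key=grey_count, reverse=True)
    return candidates


# Constructed 4x4 grey, opaque test image; pixel (1,1) is index 1*4 + 1 = 5.
SAMPLE = [((i * 37) % 256,) * 3 + (255,) for i in range(16)]
SAMPLE_IV_INDEX = 5

if __name__ == "__main__":
    enc, _ = encrypt_pixels(SAMPLE, SAMPLE_IV_INDEX)
    best = recover(enc, SAMPLE_IV_INDEX)[0]
    print("recovered original:", best == SAMPLE)
```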
[Week3] 纯鹿人 (Pure Deer Person)
Attachment:
cGFzc3dvcmTvvJppa3VuaWt1bg==
Base64-decoded:
password:ikunikun
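My first idea was to save the meme image from the document and open it in WinHex, but I found nothing. After some searching I thought jphs might have been used, but in the end that did not work either.
Out of ideas, I gave up for the time being.
Later I saw people in the group chat discussing another way to solve last week's [Week2] 哇!珍德食泥鸭
So I tried changing the document's extension to .zip, and found
Dropping it into the WinHex editor gives
Carving it with foremost yields a new zip file; the password is ikunikun, which gives the flag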
[Week3] 我要吃火腿! (I want to eat ham!)
Attachment:
#我要吃火腿!.txt
Decoding site: 兽音译者在线编码解码 - 兽音翻译咆哮体加密解密 (iiilab.com)
```python
def xor_with_ham(input_file, output_file):
    # Repeating 3-byte XOR key: the ASCII bytes of "Ham"
    ham_bytes = [0x48, 0x61, 0x6D]
    with open(input_file, 'rb') as f:
        data = bytearray(f.read())
    for i in range(len(data)):
        data[i] ^= ham_bytes[i % 3]
    with open(output_file, 'wb') as f:
        f.write(data)

xor_with_ham('Hamorl.jpg', 'Ham.jpg')
```
Decryption script
```python
def xor_with_ham_decrypt(input_file, output_file):
    # XOR is its own inverse, so the same key stream restores the file
    ham_bytes = [0x48, 0x61, 0x6D]
    with open(input_file, 'rb') as f:
        data = bytearray(f.read())
    for i in range(len(data)):
        data[i] ^= ham_bytes[i % 3]
    with open(output_file, 'wb') as f:
        f.write(data)

# Decrypt using the function
xor_with_ham_decrypt('Ham.jpg', 'Hamorl.jpg')
```
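This gives Hamorl.jpg
It is still corrupted, though; change the file header to ffd8ffe1
and save.
At this point I was stuck; I tried a lot of approaches.
Then I read the official writeup and really couldn't keep it together.
I had looked at it with binwalk earlier and thought there was nothing there, but foremost turned something up (damn)
SSTV
MMSSTV & RX-SSTV: installer downloads for two image-decoding programs - 悟透 - 博客园 (cnblogs.com)
Virtual Audio Cable - Downloads (muzychenko.net)
[3. Audio steganography: Audacity, deepsound, dtmf2num, MMSSTV, virtual sound card, MP3Stego]-CSDN博客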
[Week3] Base revenge
Description: Not just Base
Attachment:
give you a hint:{Gs1h_1h_nb_srmg}
Analysing the hint:
{Gs1h_1h_nb_srmg}
Decoded with an online Atbash tool:
{th1s_1s_my_hint}
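Decoding the Base64 above turned up nothing useful, and extracting the first letters did not help either
Writeup: Base64 steganography; this is the first time I have heard of it
Use the b64steg
steganography tool to extract the data
Nicolas-yuan/b64steganography: b64 steganography extraction tool (github.com)
Script: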
```python
'''
Author: 拾柒
Date: 2020-11-12 21:17:24
LastEditTime: 2020-11-14 18:29:23
Description: Base64 steganography
'''
'''
How the steganography works:
Base64 re-encodes binary data 6 bits per character. If the binary length is a multiple of 6, the encoding has no redundancy.
If the length is not a multiple of 6, 2 bits (or 4 bits) are left over that cannot be encoded, so 4 (or 2) zero bits are appended to complete the encoding,
followed by 12 (or 6) zero bits that indicate how many zeros were appended, for use when decoding; these final zeros are encoded as '='.
The 4 (or 2) zero padding bits can then be replaced with the bits of the data to hide before encoding, which completes the steganography.
'''
'''
Extraction method 1:
The number of '=' signs gives the number of hidden bits; read the Base64 value of the character before the '=', take that many trailing bits, then concatenate and decode.
Extraction method 2:
The hidden data has no effect on decoding, but the stego-encoded character differs from the character a clean encoding would produce;
the difference (in Base64 alphabet values, not ASCII codes) is the decimal value of the hidden bits.
Usage:
at the command line run "python b64stegano.py [filename] [a,b]"
'''
import sys
import base64

def to_bin(value, num):  # decimal value, binary width
    bin_chars = ""
    temp = value
    for i in range(num):
        bin_char = bin(temp % 2)[-1]
        temp = temp // 2
        bin_chars = bin_char + bin_chars
    return bin_chars.upper()  # binary string of the requested width

base64_dica={
'A':'000000','B':'000001','C':'000010','D':'000011','E':'000100','F':'000101','G':'000110','H':'000111',
'I':'001000','J':'001001','K':'001010','L':'001011','M':'001100','N':'001101','O':'001110','P':'001111',
'Q':'010000','R':'010001','S':'010010','T':'010011','U':'010100','V':'010101','W':'010110','X':'010111',
'Y':'011000','Z':'011001','a':'011010','b':'011011','c':'011100','d':'011101','e':'011110','f':'011111',
'g':'100000','h':'100001','i':'100010','j':'100011','k':'100100','l':'100101','m':'100110','n':'100111',
'o':'101000','p':'101001','q':'101010','r':'101011','s':'101100','t':'101101','u':'101110','v':'101111',
'w':'110000','x':'110001','y':'110010','z':'110011','0':'110100','1':'110101','2':'110110','3':'110111',
'4':'111000','5':'111001','6':'111010','7':'111011','8':'111100','9':'111101','+':'111110','/':'111111'
}  # Base64 alphabet as bit strings, used by extraction method 1
base64_dicb={
'A':0,'B':1,'C':2,'D':3,'E':4,'F':5,'G':6,'H':7,
'I':8,'J':9,'K':10,'L':11,'M':12,'N':13,'O':14,'P':15,
'Q':16,'R':17,'S':18,'T':19,'U':20,'V':21,'W':22,'X':23,
'Y':24,'Z':25,'a':26,'b':27,'c':28,'d':29,'e':30,'f':31,
'g':32,'h':33,'i':34,'j':35,'k':36,'l':37,'m':38,'n':39,
'o':40,'p':41,'q':42,'r':43,'s':44,'t':45,'u':46,'v':47,
'w':48,'x':49,'y':50,'z':51,'0':52,'1':53,'2':54,'3':55,
'4':56,'5':57,'6':58,'7':59,'8':60,'9':61,'+':62,'/':63
}  # Base64 alphabet as integers, used by extraction method 2

hidebit = ''  # collected hidden bits
m = ''  # decoded result
argvs = sys.argv  # command-line arguments
fc = open(argvs[1],'r')  # open the file
lines = fc.read().split('\n')  # read the content and split it into lines

################## Extraction method 1
if argvs[2] == 'a':
    # For each line, check whether it can carry hidden data; if so, append the bits to hidebit
    for line in lines:
        if line != '':
            if line[-1] == '=':  # is the last character '='?
                if line[-2] == '=':  # is the second-to-last character '='?
                    hidebit += base64_dica[line[-3]][2:]
                else:
                    hidebit += base64_dica[line[-2]][4:]
            else:
                pass
################### Extraction method 2
elif argvs[2] == 'b':
    # For each line with hidden data, compute the difference, convert it to binary and append it to hidebit
    for line in lines:
        line_row = base64.b64encode(base64.b64decode(line)).decode('utf-8')
        if line != '':
            if line[-1] == '=':  # is the last character '='?
                if line[-2] == '=':  # is the second-to-last character '='?
                    temp = to_bin(base64_dicb[line[-3]]-base64_dicb[line_row[-3]],4)
                    hidebit += temp
                else:
                    temp = to_bin(base64_dicb[line[-2]]-base64_dicb[line_row[-2]],2)
                    hidebit += temp
            else:
                pass

# Convert each 8-bit group to its decimal (ASCII) value and then to a character
for i in range(0,len(hidebit),8):
    m += chr(int(hidebit[i:i+8],2))
print(m)
```
Run python b64stegano.py stego.txt a or python b64stegano.py stego.txt b
to obtain the hidden message
JnUaAFMFImgANSEuAWYuBE9SyaYpC2ldBrU9
Following the hint, decode it with Atbash
The online sites all returned lowercase output, so I wrote a script
```python
from string import ascii_lowercase, ascii_uppercase

def atbashAttack(plaintext: str):
    dir_atbash_lower = ascii_lowercase[::-1]
    dir_atbash_upper = ascii_uppercase[::-1]
    res = ''
    for s in plaintext:
        if s.isupper():
            res += dir_atbash_upper[ascii_uppercase.index(s)]
        elif s.islower():
            res += dir_atbash_lower[ascii_lowercase.index(s)]
        else:
            res += s
    return res

plaintext = 'JnUaAFMFImgANSEuAWYuBE9SyaYpC2ldBrU9'
ciphertext = atbashAttack(plaintext)
print("Atbash解密结果:", ciphertext)
```
Result:
QmFzZUNURntZMHVfZDBfYV9HbzBkX2owYiF9
Base64-decoding gives
BaseCTF{Y0u_d0_a_Go0d_j0b!}
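The padding-bit channel described in the script's docstring, as an added round-trip example (not the b64steganography project's code): it hides bits in the unused low bits of the last character before the '=', extracts them again, and flags stego lines by re-encoding each line and comparing. The function names and the cover lines are constructed for illustration.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def spare_bits(encoded):
    """Unused low bits in the last symbol: '=' means 2 bits, '==' means 4 bits."""
    return 2 * (len(encoded) - len(encoded.rstrip("=")))


def hide(cover_lines, secret):
    """Base64-encode each cover line, placing secret bits in the spare bits."""
    bits = "".join(f"{byte:08b}" for byte in secret)
    out = []
    for raw in cover_lines:
        enc = base64.b64encode(raw).decode()
        n = spare_bits(enc)
        if n and bits:
            chunk, bits = bits[:n].ljust(n, "0"), bits[n:]
            body, pad = enc.rstrip("="), "=" * (n // 2)
            # A canonical encoding has zeros in these bits, so OR sets them.
            last = ALPHABET.index(body[-1]) | int(chunk, 2)
            enc = body[:-1] + ALPHABET[last] + pad
        out.append(enc)
    if bits:
        raise ValueError("cover text has too few padded lines for the secret")
    return out


def extract(stego_lines):
    """Method 1 from the docstring: read the low bits before the '='."""
    bits = ""
    for line in stego_lines:
        n = spare_bits(line)
        if n:
            value = ALPHABET.index(line.rstrip("=")[-1])
            bits += format(value & ((1 << n) - 1), f"0{n}b")
    whole = len(bits) - len(bits) % 8          # drop an incomplete last byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))
    return data.rstrip(b"\x00")                # unused capacity decodes as NULs


def suspicious(lines):
    """Indexes of lines whose Base64 is not what a normal encoder would emit."""
    return [i for i, line in enumerate(lines)
            if base64.b64encode(base64.b64decode(line)).decode() != line]


# Constructed cover text: lengths cycle so some lines need '=' or '=='.
COVER = [b"line %d" % i + b"x" * (i % 3) for i in range(12)]

if __name__ == "__main__":
    stego = hide(COVER, b"OK")
    print(extract(stego), suspicious(stego))
```

The `suspicious` check is the defensive half: a standard encoder always leaves the spare bits at zero, so any line that does not survive a decode and re-encode unchanged is worth a second look.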
[Week3] 这是一个压缩包 (This is an archive)
Description: Don't rely only on tools
Attachment: 这是一个压缩包.zip
A password is required; opening the file in WinHex reveals
QmFzZUNURj8/Pz8/P0ZUQ2VzYUI=
Base64-decoded:
BaseCTF??????FTCesaB
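Official solution:
The 6 characters in the middle (the ?s) are missing, and the pattern is symmetric
Use Python's zipfile module and write a simple brute-force script
hashcat can also solve it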
[https://hashcat.net/files/hashcat-5.1.0.7z]
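```python
import zipfile

zfile = zipfile.ZipFile("1.zip", 'r')
for i in range(33, 128):
    for j in range(33, 128):
        for k in range(33, 128):
            # The password is a palindrome, so only three characters are free
            mask = "BaseCTF" + chr(i) + chr(j) + chr(k) + chr(k) + chr(j) + chr(i) + "FTCesaB"
            try:
                zfile.extractall(pwd=mask.encode('utf-8'))
            except Exception:
                # Wrong password; a bare except here would also swallow
                # the SystemExit raised by exit() and keep looping
                continue
            print(mask)
            exit()
#BaseCTF_h11h_FTCesaB
```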
[Week3] broken.mp4
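Description:
Breakdown moment: halfway through the screen recording the power went out and the machine shut down. Treat this as a sign-in challenge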
BaseCTF Week2 讲解视频 (broken).mp4
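Attachment:
Wait, this really is a sign-in challenge
I was so focused on solving challenges that I did not watch the first mp4. I did think the mp4 file would be corrupted, but I am new to misc and there is a lot I have not seen before; I learned something again
The original article from the video:
[Video and image] Repairing damaged MP4 video (part 1)_untrunc-CSDN博客
This produces 录制2.mp4_fixed.mp4; open it to get the flag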
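[Week3] 外星信号 (Alien signal)
Description:
During a secret mission a conversation was intercepted: Earth sent a coded message out into space, and an alien signal came back. Hurry and crack the code (the flag is lowercase)
Hint:
Hmm… the audio's playback duration and its total duration don't match up
Attachment: 外星信号.mp3
Result: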
THERE-IS-NO-FLAG-HERE-THERE-IS-NO-FLAG-HERE-THERE-IS-NO-FLAG-HERE-LET-US-GOBASECTF#2EBE6FDC-60DC-
This is the first half of the flag
BASECTF#2EBE6FDC-60DC-
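Running foremost yields a zip; extracting it gives flag.mp3
Decode it with mmsstv to get the flag
The image I got from mmsstv was slanted; people in the group said rx-sstv decodes it upright, but I won't waste time on that here
It contains Morse code; copy it down and decode it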
....-/----./.-/....-/-....-/.-/
----./----./..---/-....-/...-
-/-.../-.../-../...../-..../..-./
...--/..-./-../-----/-.../---
-.-
Result:
49A4-A992-3BBD56F3FD0B%u3d
Converting to lowercase gives
BaseCTF{2ebe6fdc-60dc-49a4-a992-3bbd56f3fd0b}
web
[Week3] 滤个不停 (Filtering non-stop)
Description: How are we supposed to play with this many filters! Wait… something is off
Target:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);

$incompetent = $_POST['incompetent'];
$Datch = $_POST['Datch'];

if ($incompetent !== 'HelloWorld') {
    die('写出程序员的第一行问候吧!'); // "Write a programmer's first greeting!"
}

// What on earth is this???
$required_chars = ['s', 'e', 'v', 'a', 'n', 'x', 'r', 'o'];
$is_valid = true;

foreach ($required_chars as $char) {
    if (strpos($Datch, $char) === false) {
        $is_valid = false;
        break;
    }
}

if ($is_valid) {
    $invalid_patterns = ['php://', 'http://', 'https://', 'ftp://', 'file://' , 'data://', 'gopher://'];
    foreach ($invalid_patterns as $pattern) {
        if (stripos($Datch, $pattern) !== false) {
            die('此路不通换条路试试?'); // "This road is closed; try another?"
        }
    }
    include($Datch);
} else {
    die('文件名不合规 请重试'); // "Invalid file name, please retry"
}
?>
```
写出程序员的第一行问候吧!
The first if is a basic check
```php
$incompetent = $_POST['incompetent'];
if ($incompetent !== 'HelloWorld') {
    die('写出程序员的第一行问候吧!');
}
```
Bypass:
incompetent=HelloWorld
The second if statement requires Datch to contain these characters:
```php
$Datch = $_POST['Datch'];
// What on earth is this???
$required_chars = ['s', 'e', 'v', 'a', 'n', 'x', 'r', 'o'];
$is_valid = true;
foreach ($required_chars as $char) {
    if (strpos($Datch, $char) === false) {
        $is_valid = false;
        break;
    }
}
```
strpos can be bypassed by passing an array
Datch[]=xxx
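Reference:
Bugku: strpos array bypass_strpos绕过-CSDN博客
%0a can also be used as a bypass, although it is not needed here
Here, because $Datch is used in two if statements, the array bypass does not work: with this method $Datch is an array, while the strpos and stripos functions expect string arguments, so warnings are raised (seen while debugging).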
The third if statement
```php
if ($is_valid) {
    $invalid_patterns = ['php://', 'http://', 'https://', 'ftp://', 'file://' , 'data://', 'gopher://'];
    foreach ($invalid_patterns as $pattern) {
        if (stripos($Datch, $pattern) !== false) {
            die('此路不通换条路试试?');
        }
    }
    include($Datch);
} else {
    die('文件名不合规 请重试');
}
```
Note that this one uses stripos
tips:
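The strpos family of functions
Function | Description | Version |
---|---|---|
strpos | Find the position of the first occurrence of a string | PHP 4, PHP 5, PHP 7 |
stripos | Find the position of the first occurrence of a string (case-insensitive) | PHP 5, PHP 7 |
strrpos | Find the position of the last occurrence of a string in the target string | PHP 4, PHP 5, PHP 7 |
strripos | Find the position of the last occurrence of a string in the target string (case-insensitive) | PHP 5, PHP 7 |
mb_strpos | Find the position of the first occurrence of a string in another string | PHP 4 >= 4.0.6, PHP 5, PHP 7 |
strstr | Find the first occurrence of a string | PHP 4, PHP 5, PHP 7 |
stristr | Case-insensitive version of strstr() | PHP 4, PHP 5, PHP 7 |
substr_count | Count the number of substring occurrences | PHP 4, PHP 5, PHP 7 |
The mb* functions work as well; for example, mb_strpos performs a multibyte-safe strpos() operation based on the number of characters.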
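At this point I found this would not work, so I went back to the second if condition and thought about combining the characters into a non-existent suffix, which seems to be ignored when the path is parsed. But then the next problem came up: I did not know which files exist on the target site
I then searched online about nginx and found
Nginx has two kinds of logs: error.log and access.log. error.log can be configured to any level (the default level is error) and records information about request processing while Nginx is running; access.log is the access log, which records information about incoming requests (including the user's IP, the request processing time, browser information and so on).
It happens to contain the characters that can be used. I see
Intercept the request and pass the parameters, doing the RCE through the UA (User-Agent); the request has to be sent twice here
(the PHP code we wrote gets parsed, which results in RCE)
View the flag. I could not read the flag at first; restarting the container fixed it (again sending the request twice)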
BaseCTF{2b693b60-a49b-4bf6-9798-565d0ef323f7}
References:
ctfshow-web4 (writing a shell via the Nginx access log) - 你呀你~ - 博客园 (cnblogs.com)
ctfshow-web4 (file inclusion & log injection)_ctfshow web4-CSDN博客
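From the defender's side, the log-injection step above leaves a trace in the access log itself. The following added example (not from the original post) parses nginx "combined" log lines and reports client-controlled fields that carry a PHP opening tag; the log lines, addresses and function names are constructed for illustration.

```python
import re

# nginx "combined" log format:
# ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(value):
    """nginx logs a double quote and other special bytes as \\xNN; undo that."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def find_poisoned(log_text):
    """Return (line_no, field, ip) for logged fields that contain a PHP tag."""
    hits = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        m = COMBINED.match(line)
        if not m:
            continue                      # not in combined format; skip it
        for field in ("request", "referer", "ua"):
            if PHP_TAG.search(unescape(m.group(field))):
                hits.append((line_no, field, m.group("ip")))
    return hits


# Constructed sample lines (documentation addresses, harmless marker code).
SAMPLE_LOG = r'''
203.0.113.5 - - [05/Oct/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [05/Oct/2024:10:00:07 +0000] "POST / HTTP/1.1" 200 1480 "-" "<?php echo 'marker'; ?>"
203.0.113.9 - - [05/Oct/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1480 "<?= \x22marker\x22 ?>" "curl/8.5.0"
this line is not in combined format
'''

if __name__ == "__main__":
    for hit in find_poisoned(SAMPLE_LOG):
        print(hit)
```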
[Week3] 玩原神玩的 (Played too much Genshin)
Description: How did the flag get split up into $array? Never mind; Genshin, launch!
Target:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);

include 'flag.php';
if (sizeof($_POST['len']) == sizeof($array)) {
    ys_open($_GET['tip']);
} else {
    die("错了!就你还想玩原神?❌❌❌");
}

function ys_open($tip) {
    if ($tip != "我要玩原神") {
        die("我不管,我要玩原神!😭😭😭");
    }
    dumpFlag();
}

function dumpFlag() {
    if (!isset($_POST['m']) || sizeof($_POST['m']) != 2) {
        die("可恶的QQ人!😡😡😡");
    }
    $a = $_POST['m'][0];
    $b = $_POST['m'][1];
    if(empty($a) || empty($b) || $a != "100%" || $b != "love100%" . md5($a)) {
        die("某站崩了?肯定是某忽悠干的!😡😡😡");
    }
    include 'flag.php';
    $flag[] = array();
    // Each flag character is XORed with its index; the result is hashed with md5
    for ($ii = 0;$ii < sizeof($array);$ii++) {
        $flag[$ii] = md5(ord($array[$ii]) ^ $ii);
    }
    echo json_encode($flag);
}
```
错了!就你还想玩原神?❌❌❌
For the first check we need to brute-force the length of len; trying values one by one shows it is 45
len[]=0&len[]=1&len[]=2&len[]=3&len[]=4&len[]=5&len[]=6&len[]=7&len[]=8&len[]=9&len[]=10&len[]=11&len[]=12&len[]=13&len[]=14&len[]=15&len[]=16&len[]=17&len[]=18&len[]=19&len[]=20&len[]=21&len[]=22&len[]=23&len[]=24&len[]=25&len[]=26&len[]=27&len[]=28&len[]=29&len[]=30&len[]=31&len[]=32&len[]=33&len[]=34&len[]=35&len[]=36&len[]=37&len[]=38&len[]=39&len[]=40&len[]=41&len[]=42&len[]=43&len[]=44
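Pass the parameters with HackBar, because Chinese characters cannot be entered in BP (Burp Suite)
Bypass the last two if statements
Only one if statement was bypassed. It turns out that % is a special character, because it introduces percent-encoding (also called URL encoding). To include a literal % in a URL it has to be encoded itself; the URL encoding of % is %25.
The bypass succeeds, and the response is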
["3295c76acbf4caaed33c36b1b5fc2cb1","26657d5ff9020d2abefe558796b99584","73278a4a86960eeb576a8fd4c9ec6997","ec8956637a99787bd197eacd77acce5e","e2c420d928d4bf8ce0ff2ec19b371514","43ec517d68b6edd3015b3edc9a11367b","ea5d2f1c4608232e07d3aa3d998e5135","c8ffe9a587b126f152ed3d89a146b445","f457c545a9ded88f18ecee47145a72c0","03afdbd66e7929b125f8597834fa83a4","093f65e080a295f8076b1c5722a46aa2","03afdbd66e7929b125f8597834fa83a4","698d51a19d8a121ce581499d7b701668","d82c8d1619ad8176d665453cfb2e55f0","b53b3a3d6ab90ce0268229151c9bde11","9f61408e3afb633e50cdf1b20de6f466","7f39f8317fbdb1988ef4c628eba02591","07e1cd7dca89a1678042477183b7ac3f","a1d0c6e83f027327d8461063f4ac58a6","7f6ffaa6bb0b408017b62254211691b5","d67d8ab4f4c10bf22aa353e27879133c","9f61408e3afb633e50cdf1b20de6f466","e369853df766fa44e1ed0ff613f563bd","5fd0b37cd7dbbb00f97ba6ce92bf5add","67c6a1e7ce56d3d6fa748ab6d9af3fd7","3416a75f4cea9109507cacd8e2f2aefc","b53b3a3d6ab90ce0268229151c9bde11","1c383cd30b7c298ab50293adfecb7b18","3416a75f4cea9109507cacd8e2f2aefc","da4fb5c6e93e74d3df8527599fa62642","c8ffe9a587b126f152ed3d89a146b445","c0c7c76d30bd3dcaefc96f40275bdc0a","735b90b4568125ed6c3f678819b6e058","14bfa6bb14875e45bba028a21ed38046","fc490ca45c00b1249bbe3554a4fdf6fb","37693cfc748049e45d87b8c7d8b9aacd","37693cfc748049e45d87b8c7d8b9aacd","98f13708210194c475687be6106a3b84","3c59dc048e8850243be8079a5c74d079","fc490ca45c00b1249bbe3554a4fdf6fb","33e75ff09dd601bbe69f351039152189","4e732ced3463d06de0ca9a15b6153677","33e75ff09dd601bbe69f351039152189","c16a5320fa475530d9583c34fd356ef5","43ec517d68b6edd3015b3edc9a11367b"]
So infuriating: I first wrote the script for this in Python, and it simply would not come out right
I found
Then I tried PHP, and that worked
Script:
```php
<?php
$md5 = [
    "3295c76acbf4caaed33c36b1b5fc2cb1", "26657d5ff9020d2abefe558796b99584",
    "73278a4a86960eeb576a8fd4c9ec6997", "ec8956637a99787bd197eacd77acce5e",
    "e2c420d928d4bf8ce0ff2ec19b371514", "43ec517d68b6edd3015b3edc9a11367b",
    "ea5d2f1c4608232e07d3aa3d998e5135", "c8ffe9a587b126f152ed3d89a146b445",
    "f457c545a9ded88f18ecee47145a72c0", "03afdbd66e7929b125f8597834fa83a4",
    "093f65e080a295f8076b1c5722a46aa2", "03afdbd66e7929b125f8597834fa83a4",
    "698d51a19d8a121ce581499d7b701668", "d82c8d1619ad8176d665453cfb2e55f0",
    "b53b3a3d6ab90ce0268229151c9bde11", "9f61408e3afb633e50cdf1b20de6f466",
    "7f39f8317fbdb1988ef4c628eba02591", "07e1cd7dca89a1678042477183b7ac3f",
    "a1d0c6e83f027327d8461063f4ac58a6", "7f6ffaa6bb0b408017b62254211691b5",
    "d67d8ab4f4c10bf22aa353e27879133c", "9f61408e3afb633e50cdf1b20de6f466",
    "e369853df766fa44e1ed0ff613f563bd", "5fd0b37cd7dbbb00f97ba6ce92bf5add",
    "67c6a1e7ce56d3d6fa748ab6d9af3fd7", "3416a75f4cea9109507cacd8e2f2aefc",
    "b53b3a3d6ab90ce0268229151c9bde11", "1c383cd30b7c298ab50293adfecb7b18",
    "3416a75f4cea9109507cacd8e2f2aefc", "da4fb5c6e93e74d3df8527599fa62642",
    "c8ffe9a587b126f152ed3d89a146b445", "c0c7c76d30bd3dcaefc96f40275bdc0a",
    "735b90b4568125ed6c3f678819b6e058", "14bfa6bb14875e45bba028a21ed38046",
    "fc490ca45c00b1249bbe3554a4fdf6fb", "37693cfc748049e45d87b8c7d8b9aacd",
    "37693cfc748049e45d87b8c7d8b9aacd", "98f13708210194c475687be6106a3b84",
    "3c59dc048e8850243be8079a5c74d079", "fc490ca45c00b1249bbe3554a4fdf6fb",
    "33e75ff09dd601bbe69f351039152189", "4e732ced3463d06de0ca9a15b6153677",
    "33e75ff09dd601bbe69f351039152189", "c16a5320fa475530d9583c34fd356ef5",
    "43ec517d68b6edd3015b3edc9a11367b"
];
// Holds the recovered characters
$flag = '';
for ($i = 0; $i < count($md5); $i++) {
    for ($j = 0; $j < 256; $j++) {
        // Value after the XOR with the index
        $xor_result = $j ^ $i;
        // Compute its MD5
        $calculated_md5 = md5($xor_result);
        // If the computed MD5 matches the given MD5, the correct character has been found
        if ($calculated_md5 === $md5[$i]) {
            $flag .= chr($j);
            break;
        }
    }
}
echo "Flag: " . $flag . "\n";
?>
```
BaseCTF{9614c897-f8c3-4e70-85eb-cdc4313f4364}
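A Python port of the decoder above, as an added example (not the author's script): PHP's md5() receives an integer here and hashes its decimal string, so a Python version has to hash str(n) rather than the raw byte. The function names and the round-trip string are constructed for illustration; the seven digests are the first seven from the response above.

```python
import hashlib


def php_md5_int(n):
    """What PHP's md5($int) computes: the MD5 of the decimal string, e.g. "66"."""
    return hashlib.md5(str(n).encode()).hexdigest()


def raw_byte_md5(n):
    """A natural-looking but different port: the MD5 of the single byte n."""
    return hashlib.md5(bytes([n])).hexdigest()


# ord(c) ^ i stays below 256 for byte-sized characters and indexes below 256,
# so one 256-entry table reverses every digest the target can emit.
LOOKUP = {php_md5_int(v): v for v in range(256)}


def encode(text):
    """Mirror of the target's loop: md5(ord($array[$ii]) ^ $ii)."""
    return [php_md5_int(ord(c) ^ i) for i, c in enumerate(text)]


def decode(digests):
    """Look each digest up and undo the XOR with its position."""
    chars = []
    for i, digest in enumerate(digests):
        if digest not in LOOKUP:
            raise ValueError(f"digest at position {i} is not md5 of 0..255")
        chars.append(chr(LOOKUP[digest] ^ i))
    return "".join(chars)


# First seven digests from the response shown above.
PAGE_PREFIX = [
    "3295c76acbf4caaed33c36b1b5fc2cb1", "26657d5ff9020d2abefe558796b99584",
    "73278a4a86960eeb576a8fd4c9ec6997", "ec8956637a99787bd197eacd77acce5e",
    "e2c420d928d4bf8ce0ff2ec19b371514", "43ec517d68b6edd3015b3edc9a11367b",
    "ea5d2f1c4608232e07d3aa3d998e5135",
]

if __name__ == "__main__":
    print(decode(PAGE_PREFIX))
    print(raw_byte_md5(66) == PAGE_PREFIX[0])   # the raw-byte port does not match
```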