和小伙伴们一起打了这个xctf|俄罗斯战队的比赛,题目质量真心不错hhh,部分题解小伙伴们还没更新,先发出来,嘻嘻。
WEB
Hunt (Web, Baby, 50 pts)
打断点,然后就一个一个被抓住了...
接着F12就出现了.(这个flag是白色的,藏在下面。。。。)...
RE
Baby Rev
题目给了个github项目链接 看懂就行 一个简单的疑惑加密 , key 是33
c=[92,0,74,66,116,77,126,69,17,17,102,126,
69,79,97,126,18,76,17,98,16,77,18,
86,90,82,66,72,83,67,88,66]
flag=''
for i in range(len(c)):
c[i]=c[i]^33
flag+=chr(c[i])
print (flag[::-1])
polyglot
先根据给的code.c改一下key跑出来一个c++的代码
因为递归深度限制在900,所以也要改代码,我菜所以直接手算了,t1是乘,t2是加,然后算出key,跑出来是个py+机器语言的代码:
import types
import dis
def define_func(argcount, nlocals, code, consts, names):
#PYTHON3.8!!!
def inner():
return 0
fn_code = inner.__code__
cd_new = types.CodeType(argcount,
0,
fn_code.co_kwonlyargcount,
nlocals,
1024,
fn_code.co_flags,
code,
consts,
names,
tuple(["v%d" for i in range(nlocals)]),
fn_code.co_filename,
fn_code.co_name,
fn_code.co_firstlineno,
fn_code.co_lnotab,
fn_code.co_freevars,
fn_code.co_cellvars)
inner.__code__ = cd_new
return inner
f1 = define_func(2,2,b'|x00|x01kx02Sx00', (None,), ())
f2 = define_func(1,1,b'tx00|x00x83x01Sx00', (None,), ('ord',))
f3 = define_func(0,0,b'tx00dx01x83x01Sx00', (None, 'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'dx01dx02dx03dx04dx05dx01dx06dx07dx08d dx03d
dx0bdx0cd
dx08dx0cdx0edx0cdx0fdx0edx10dx11d dx12dx03dx10dx03dx0edx13dx0bd
dx14dx08dx13dx01dx01d
d dx01dx12dx0bdx10dx0fdx14dx03dx0bdx15dx16g1}x01tx00|x00x83x01tx00|x01x83x01kx03rx82tx01dx17x83x01x01x00dx18Sx00tx02|x00|x01x83x02Dx00]$}x02tx03|x02dx19x19x00tx04|x02dx1ax19x00x83x01x83x02dx18kx02rx8cx01x00dx18Sx00qx8cdx1bSx00',
(None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b'tx00x83x00}x00tx01|x00x83x01dx01kx08rx1ctx02dx02x83x01x01x00nx08tx02dx03x83x01x01x00dx00Sx00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
dis.dis(f4)
然后dis得到汇编代码(关键就是给了字符串的那个)
运行结果:
F:pythonvenvpy3.8Scriptspython.exe D:/download/re2.py
7 0 LOAD_CONST 1 (99)
2 LOAD_CONST 2 (121)
4 LOAD_CONST 3 (98)
6 LOAD_CONST 4 (114)
8 LOAD_CONST 5 (105)
10 LOAD_CONST 1 (99)
12 LOAD_CONST 6 (115)
14 LOAD_CONST 7 (123)
16 LOAD_CONST 8 (52)
18 LOAD_CONST 9 (97)
20 LOAD_CONST 3 (98)
22 LOAD_CONST 10 (100)
24 LOAD_CONST 11 (51)
26 LOAD_CONST 12 (101)
28 LOAD_CONST 13 (55)
30 LOAD_CONST 8 (52)
32 LOAD_CONST 12 (101)
34 LOAD_CONST 14 (57)
36 LOAD_CONST 12 (101)
38 LOAD_CONST 15 (53)
40 LOAD_CONST 14 (57)
42 LOAD_CONST 16 (54)
44 LOAD_CONST 17 (48)
46 LOAD_CONST 9 (97)
48 LOAD_CONST 18 (49)
50 LOAD_CONST 3 (98)
52 LOAD_CONST 16 (54)
54 LOAD_CONST 3 (98)
56 LOAD_CONST 14 (57)
58 LOAD_CONST 19 (50)
60 LOAD_CONST 11 (51)
62 LOAD_CONST 10 (100)
64 LOAD_CONST 20 (56)
66 LOAD_CONST 8 (52)
68 LOAD_CONST 19 (50)
70 LOAD_CONST 1 (99)
72 LOAD_CONST 1 (99)
74 LOAD_CONST 10 (100)
76 LOAD_CONST 9 (97)
78 LOAD_CONST 1 (99)
80 LOAD_CONST 18 (49)
82 LOAD_CONST 11 (51)
84 LOAD_CONST 16 (54)
86 LOAD_CONST 15 (53)
88 LOAD_CONST 20 (56)
90 LOAD_CONST 3 (98)
92 LOAD_CONST 11 (51)
94 LOAD_CONST 21 (102)
96 LOAD_CONST 22 (125)
98 BUILD_LIST 49
100 STORE_FAST 1 (v%d)
102 LOAD_GLOBAL 0 (len)
104 LOAD_FAST 0 (v%d)
106 CALL_FUNCTION 1
108 LOAD_GLOBAL 0 (len)
110 LOAD_FAST 1 (v%d)
112 CALL_FUNCTION 1
114 COMPARE_OP 3 (!=)
116 POP_JUMP_IF_FALSE 130
118 LOAD_GLOBAL 1 (print)
120 LOAD_CONST 23 ('Length mismatch!')
122 CALL_FUNCTION 1
124 POP_TOP
126 LOAD_CONST 24 (False)
128 RETURN_VALUE
>> 130 LOAD_GLOBAL 2 (zip)
132 LOAD_FAST 0 (v%d)
134 LOAD_FAST 1 (v%d)
136 CALL_FUNCTION 2
138 GET_ITER
>> 140 FOR_ITER 36 (to 178)
142 STORE_FAST 2 (v%d)
144 LOAD_GLOBAL 3 (f1)
146 LOAD_FAST 2 (v%d)
148 LOAD_CONST 25 (1)
150 BINARY_SUBSCR
152 LOAD_GLOBAL 4 (f2)
154 LOAD_FAST 2 (v%d)
156 LOAD_CONST 26 (0)
158 BINARY_SUBSCR
160 CALL_FUNCTION 1
162 CALL_FUNCTION 2
164 LOAD_CONST 24 (False)
166 COMPARE_OP 2 (==)
168 POP_JUMP_IF_FALSE 140
170 POP_TOP
172 LOAD_CONST 24 (False)
174 RETURN_VALUE
176 JUMP_ABSOLUTE 140
>> 178 LOAD_CONST 27 (True)
180 RETURN_VALUE
Process finished with exit code 0
然后写c跑出flag
#include<iostream>
#include <stdlib.h>
#include <stdio.h>
using namespace std;
int main(){
char flag[]={99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125};
cout <<flag;
}
CTB
DockEsc
直接试出来,正确的没回显
CRYPTO
签到题:
已经告知是加密了,然后windows下常用
rot13解密
换个flag头即可
NETWORK
XCorp
导出smb对象
在流里有用户名
直接登录
Google Cloud
I am storing some important stuff in Google's cloud.
Nooo no no, not on Google's disks — in the cloud itself.
全是ping。。。
foremost直接读
实际上从data里拼出完整图片应该也是可行的,大佬直接看出来了。。。
Forensic
Keyshooter
视频里 mahchudqotlzeeb
再用openssl解密就行
Krevedka
wireshark过滤
http contains "User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; www1.smart.com.ph/; GT-S5360) U2/1.0.0 UCBrowser/9.8.0.534 Mobile"
rebyC
Hellish Reverse
7z就可了。。。