Wuhu
No comments. The following are just some of my thoughts and analysis. If you have any questions or suggestions, you can contact me at any time.
Table of contents
As soon as the question comes, it all comes
Question 3: Let’s see who doesn’t know RSA yet
Come on everyone ( •̀ ω •́ )y and look forward to seeing you again
Problem-solving ideas and processes
Question 1 It’s all here
Operation content:
The attachment contains only one compressed archive.
But decompression requires a password. We checked the source code, compared it, and found that it was pseudo-encryption.
Change 09 to 00.
Get the challenge content.
Obviously base decoding.
Put it in a txt file.
Use Notepad++ to open it, zoom, and get the flag.
flag value:
flag{cp2ae315-eef4-3fra-a768-cd9xb19cdk4e}
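The pseudo-encryption check above, as an added Python example that is not part of the original write-up. It assumes the common case where only the central directory header claims encryption; the sample archive is constructed in memory and all function names are illustrative.

```python
import io
import struct
import zipfile

# Offset of the 2-byte general purpose bit flag inside each header type.
FLAG_OFFSET = {b"PK\x03\x04": 6,   # local file header
               b"PK\x01\x02": 8}   # central directory header

def header_flags(data: bytes) -> dict:
    """Map each header signature to the list of flag words found after it.
    Naive signature scan: fine for small samples, not a full ZIP parser."""
    found = {sig: [] for sig in FLAG_OFFSET}
    for sig, off in FLAG_OFFSET.items():
        pos = data.find(sig)
        while pos != -1:
            found[sig].append(struct.unpack_from("<H", data, pos + off)[0])
            pos = data.find(sig, pos + 4)
    return found

def is_pseudo_encrypted(data: bytes) -> bool:
    """Heuristic: central directory claims encryption, local header does not."""
    flags = header_flags(data)
    local = any(f & 1 for f in flags[b"PK\x03\x04"])
    central = any(f & 1 for f in flags[b"PK\x01\x02"])
    return central and not local

def clear_encrypted_bit(data: bytes) -> bytes:
    """Clear bit 0 (encrypted) in every local and central header."""
    out = bytearray(data)
    for sig, off in FLAG_OFFSET.items():
        pos = out.find(sig)
        while pos != -1:
            out[pos + off] &= 0xFE
            pos = out.find(sig, pos + 4)
    return bytes(out)

def make_sample() -> bytes:
    """Constructed sample: unencrypted ZIP with only the central flag bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("title.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)

if __name__ == "__main__":
    sample = make_sample()
    print("pseudo-encrypted:", is_pseudo_encrypted(sample))
    fixed = clear_encrypted_bit(sample)
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("title.txt"))
```

A mismatch between the two headers is itself a useful indicator when triaging archives that ask for a password.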
Question 2 Honor
Operation content:
There is only one picture attached.
View the source code as usual.
Found a second picture.
Separate it with foremost on Kali.
Get the picture.
After trying many tools:
Use stegdetect to determine the presence of steganography
Stegdetect.exe -tjopi -s 10.0 00001995.jpg
Then use stegseek to brute-force it using the rockyou dictionary (comes with Kali)
stegseek 00000000.jpg rockyou.txt
Get the final encrypted string
f6l3-a6ag3c}{-bc4c5e28-e4649c76b0-707e6069
This is either a rail fence cipher or a Caesar cipher.
Tried the rail fence cipher with 12 columns.
Online website (the standard variant cannot solve it):
Fence Encryption/Decryption - Bugku CTF
flag value:
flag{424c076e-768c-3636-acb5-4676900b9eec}
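The decoding step above, as an added Python example that is not part of the original write-up: a zigzag (W-type) rail fence decoder. Reading the 12 from the text as the rail count of that variant is an assumption, and the function names are illustrative; the ciphertext is the string quoted above.

```python
CIPHERTEXT = "f6l3-a6ag3c}{-bc4c5e28-e4649c76b0-707e6069"  # string quoted above

def rail_of_each_position(length: int, rails: int) -> list:
    """Rail index visited by each plaintext position during the zigzag walk."""
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)          # down to the last rail and back up
    return [min(i % period, period - i % period) for i in range(length)]

def read_order(length: int, rails: int) -> list:
    """Plaintext positions in the order the cipher emits them (rail by rail)."""
    pattern = rail_of_each_position(length, rails)
    # sorted() is stable, so positions on the same rail keep left-to-right order.
    return sorted(range(length), key=lambda i: pattern[i])

def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    return "".join(plaintext[i] for i in read_order(len(plaintext), rails))

def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, read_order(len(ciphertext), rails)):
        plain[pos] = ch
    return "".join(plain)

def candidate_rails(ciphertext: str, prefix: str = "flag{", suffix: str = "}") -> list:
    """Rail counts whose decryption has the known flag wrapper."""
    hits = []
    for rails in range(2, len(ciphertext)):
        text = rail_fence_decrypt(ciphertext, rails)
        if text.startswith(prefix) and text.endswith(suffix):
            hits.append(rails)
    return hits

if __name__ == "__main__":
    print(candidate_rails(CIPHERTEXT))
    print(rail_fence_decrypt(CIPHERTEXT, 12))
```

Searching on the known `flag{` wrapper removes the need to guess the rail count by hand.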
Question 3 Let’s see who doesn’t know RSA
Operation content:
There is only one .py file.
This looks like standard RSA.
NeedeSource script Edited script
Two scripts are provided here
from Crypto.Util.number import long_to_bytes

c = 8232151627233115772131180151146951323147507324390914513031444555762539986162650
p = 8666789885346075954502743436174521501697
q = 2449101960789395782044494299423558347143
n = p * q
phin = (p - 1) * (q - 1)  # Euler's totient of n (not used in the step below)
e = 37777
# The message is recovered by raising c to e modulo n
m = pow(c, e, n)
print(long_to_bytes(m))

import gmpy2
from Crypto.Util.number import long_to_bytes

def find_m(c, d, n, p, q):
    f = (p - 1) * (q - 1)         # Euler's totient of n
    e = 37777
    d_inv = gmpy2.invert(d, f)    # inverse of d modulo f, which is e again
    m = pow(c, d_inv, n)          # same result as pow(c, e, n) in the first script
    return int(m)                 # plain int for long_to_bytes

c = 8232151627233115772131180151146951323147507324390914513031444555762539986162650
e = 37777
p = 8666789885346075954502743436174521501697
q = 2449101960789395782044494299423558347143
n = p * q
f = (p - 1) * (q - 1)
d = gmpy2.invert(e, f)            # inverse of e modulo f
m = find_m(c, d, n, p, q)
print(long_to_bytes(m))
flag value:
flag{r5a_Who_w0nt}
Question 4 hakiehs
Operation content:
Still only one file.
It has a .vsdx suffix.
For a document file like this, we can directly convert it into a compressed archive format and look for clues inside.
Unzip it.
Crypto-hakiehs\attachment\attachment\visio\media
Find the picture with the secret text at this path.
Through information retrieval,
find the corresponding comparison table.
Compare against the table, using lowercase letters, to get the flag.
flag value:
flag{linkzeldaganon}
Question 5 Font
Operation content:
This question is a bit interesting. Use your imagination. You could totally pass it off as a misc question.
The attachment is only one picture.
The agile fox and the lazy dog
Found hints in the image properties.
At first I thought it was emoji decryption. I also tried aea but it didn’t work.
So this encryption method can only have been created by the question setter.
The comparison table must either be in the picture or in the text.
But you must consider that this is a crypto question, not misc.
So there should not be too much steganography; it just wants to keep it simple.
There are two lines in total.
Guess: one line is the answer and one line is the comparison.
35 characters in total.
Then look at the picture.
The literal meaning of the picture is:
An agile brown fox pounces on a lazy dog
The translation needs to make up 35 characters:
theQuickbrownfoxjumpsoverthelazydog
Combine this with the first line (◎☀◐♬¤☾♀☹☽§♪℗♩☑♪®♂¤☒ ♫〼♪۞◐§◎☀◐◑☼♭©☺♪√) to compose the comparison table:
√:g; ♪:o; ☺:d; ©:y; ♭:z; ☼:a; ◑:l; ◐:e; ☀:h; ◎:t; §:r; ◐:e; ۞:v; ♪:o; 〼:s; ♫:p; ☒:m; ¤:u; ♂:j; ®:x; ♪:o; ☑:f; ♩:n; ℗:w; ♪:o; §:r; ☽:b; ☹:k; ♀:c; ☾:i; ¤:u; ♬:q; ◐:e; ☀:h; ◎:t
Finally, according to this comparison table
Solve the second line to get the flag
flag value:
flag{qtsyjfgvbndhflhgfnmjfhko}
Question 6 ApeCoin
Operation content:
Use dirsearch to scan the directory and find source code leaks
Found the .txt.php backdoor file in the /static/font/ directory
Decrypt in CMD5 to get the connection password 74658263, use Ice Scorpion to connect to get the flag
flag value:
flag{50ddd4d4-c403-422f-af67-3805077076aa}
Question 7 Easyphp
Operation content:
Use the php pseudo-protocol to read the hint.php file according to the prompts
Get the source file after Base64 decoding
According to the hint.php code, we need to construct a pop chain to execute the eval function in get->__call.
How to call each magic method
__call(): When calling a non-existent or invisible member method, PHP will first call the __call() method to store the method name and its parameters.
__isset(): Automatically called when using the isset() or empty() function on a non-existent or inaccessible property of an object, passing the property name as a parameter.
__wakeup(): Automatically called before the object is deserialized (using the unserialize() function), the object state can be reinitialized in this method.
__destruct(): The destructor of the class, which is automatically called before the object is destroyed
__toString(): When using echo or print output object to convert the object into string form, the __toString() method will be called
The constructed pop chain (backwards) is: use __isset() to trigger __call(), then use __toString to trigger __isset(), and finally use __destruct() to trigger __toString(). It should be noted that __wakeup cannot be bypassed by using a method where the value indicating the number of attributes is greater than the actual number of attributes, but we can give the address of dog->b to a, and then assign c to the ct class. get::__call()->mouse::__isset()->ct::__toString()->dog::__destruct()
And because hint.php filters many functions
Therefore, if the s representing the string type is capitalized as S, its corresponding value will be parsed as hexadecimal (the length cannot be changed)
View the files in the realflag directory
Check the you_want_flag.php file to get the flag
get flag
flag value:
flag{28fabc34-48bb-4959-b3c7-a67ddb343d8d}
Question 8 Ezupload
Operation content:
Use dirsearch to scan the directory to find the flag file, and access the flag
get flag
flag value:
flag{71a58713-31d7-4ae7-a5f7-d4889a8ec2e3}
Question 9 get_source
Operation content:
Accessing the address, I found that the website uses PHP 7.4.21. I thought of the PHP <= 7.4.21 Development Server source code leak vulnerability, and used this vulnerability to view idnex.php
We need to POST the three variables a, b, and pwn; a cannot be equal to b, and the MD5 value of a must be equal to the sha1 value of pwn. We can use an array to bypass this and get the flag
get flag
flag value:
flag{25e02e06-3553-4a5b-bfa9-b1fff4745dde}